ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ikev2: dump state and profile name in CLI and API

Browse Source 
Type: improvement

Change-Id: Ide4b45da99e3a67376281f6438997f3148be08e5
Signed-off-by: Denys Haryachyy <garyachy@gmail.com>
This commit is contained in:
Denys Haryachyy
2024-01-24 16:31:47 +02:00
committed by Denys Haryachyy
parent e81f27ffb2
commit f40a354dab
6 changed files with 344 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/plugins/ikev2/ikev2.api
View File

@ -76,6 +76,16 @@ define ikev2_sa_dump
option status = "in_progress"; option status = "in_progress";
}; };
/** \brief Dump all SAs
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
*/
define ikev2_sa_v2_dump
{
u32 client_index;
u32 context;
};
/** \brief Details about IKE SA /** \brief Details about IKE SA
@param context - sender context, to match reply w/ request @param context - sender context, to match reply w/ request
@param retval - return code @param retval - return code
@ -90,6 +100,19 @@ define ikev2_sa_details
option status = "in_progress"; option status = "in_progress";
}; };
/** \brief Details about IKE SA
@param context - sender context, to match reply w/ request
@param retval - return code
@param sa - SA data
*/
define ikev2_sa_v2_details
{
u32 context;
i32 retval;
vl_api_ikev2_sa_v2_t sa;
};
/** \brief Dump child SA of specific SA /** \brief Dump child SA of specific SA
@param client_index - opaque cookie to identify the sender @param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request @param context - sender context, to match reply w/ request

116
src/plugins/ikev2/ikev2_api.c
View File

@ -207,6 +207,32 @@ ikev2_copy_stats (vl_api_ikev2_sa_stats_t *dst, const ikev2_stats_t *src)
dst->n_sa_auth_req = src->n_sa_auth_req; dst->n_sa_auth_req = src->n_sa_auth_req;
} }
static vl_api_ikev2_state_t
ikev2_state_encode (ikev2_state_t state)
{
switch (state)
{
case IKEV2_STATE_UNKNOWN:
return UNKNOWN;
case IKEV2_STATE_SA_INIT:
return SA_INIT;
case IKEV2_STATE_DELETED:
return DELETED;
case IKEV2_STATE_AUTH_FAILED:
return AUTH_FAILED;
case IKEV2_STATE_AUTHENTICATED:
return AUTHENTICATED;
case IKEV2_STATE_NOTIFY_AND_DELETE:
return NOTIFY_AND_DELETE;
case IKEV2_STATE_TS_UNACCEPTABLE:
return TS_UNACCEPTABLE;
case IKEV2_STATE_NO_PROPOSAL_CHOSEN:
return NO_PROPOSAL_CHOSEN;
}
return UNKNOWN;
}
static void static void
send_sa (ikev2_sa_t * sa, vl_api_ikev2_sa_dump_t * mp, u32 api_sa_index) send_sa (ikev2_sa_t * sa, vl_api_ikev2_sa_dump_t * mp, u32 api_sa_index)
{ {
@ -293,6 +319,96 @@ vl_api_ikev2_sa_dump_t_handler (vl_api_ikev2_sa_dump_t * mp)
} }
} }
static void
send_sa_v2 (ikev2_sa_t *sa, vl_api_ikev2_sa_v2_dump_t *mp, u32 api_sa_index)
{
ikev2_main_t *km = &ikev2_main;
vl_api_ikev2_sa_v2_details_t *rmp = 0;
int rv = 0;
ikev2_sa_transform_t *tr;
ikev2_profile_t *p;
p = pool_elt_at_index (km->profiles, sa->profile_index);
REPLY_MACRO2_ZERO (VL_API_IKEV2_SA_V2_DETAILS, {
vl_api_ikev2_sa_v2_t *rsa = &rmp->sa;
vl_api_ikev2_keys_t *k = &rsa->keys;
int size_data = sizeof (rsa->profile_name) - 1;
if (vec_len (p->name) < size_data)
size_data = vec_len (p->name);
clib_memcpy (rsa->profile_name, p->name, size_data);
rsa->state = ikev2_state_encode (sa->state);
rsa->sa_index = api_sa_index;
ip_address_encode2 (&sa->iaddr, &rsa->iaddr);
ip_address_encode2 (&sa->raddr, &rsa->raddr);
rsa->ispi = sa->ispi;
rsa->rspi = sa->rspi;
cp_id (&rsa->i_id, &sa->i_id);
cp_id (&rsa->r_id, &sa->r_id);
tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR);
if (tr)
cp_sa_transform (&rsa->encryption, tr);
tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF);
if (tr)
cp_sa_transform (&rsa->prf, tr);
tr =
ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG);
if (tr)
cp_sa_transform (&rsa->integrity, tr);
tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH);
if (tr)
cp_sa_transform (&rsa->dh, tr);
k->sk_d_len = vec_len (sa->sk_d);
clib_memcpy (&k->sk_d, sa->sk_d, k->sk_d_len);
k->sk_ai_len = vec_len (sa->sk_ai);
clib_memcpy (&k->sk_ai, sa->sk_ai, k->sk_ai_len);
k->sk_ar_len = vec_len (sa->sk_ar);
clib_memcpy (&k->sk_ar, sa->sk_ar, k->sk_ar_len);
k->sk_ei_len = vec_len (sa->sk_ei);
clib_memcpy (&k->sk_ei, sa->sk_ei, k->sk_ei_len);
k->sk_er_len = vec_len (sa->sk_er);
clib_memcpy (&k->sk_er, sa->sk_er, k->sk_er_len);
k->sk_pi_len = vec_len (sa->sk_pi);
clib_memcpy (&k->sk_pi, sa->sk_pi, k->sk_pi_len);
k->sk_pr_len = vec_len (sa->sk_pr);
clib_memcpy (&k->sk_pr, sa->sk_pr, k->sk_pr_len);
ikev2_copy_stats (&rsa->stats, &sa->stats);
vl_api_ikev2_sa_v2_t_endian (rsa);
});
}
static void
vl_api_ikev2_sa_v2_dump_t_handler (vl_api_ikev2_sa_v2_dump_t *mp)
{
ikev2_main_t *km = &ikev2_main;
ikev2_main_per_thread_data_t *tkm;
ikev2_sa_t *sa;
vec_foreach (tkm, km->per_thread_data)
{
pool_foreach (sa, tkm->sas)
{
u32 api_sa_index =
ikev2_encode_sa_index (sa - tkm->sas, tkm - km->per_thread_data);
send_sa_v2 (sa, mp, api_sa_index);
}
}
}
static void static void
send_child_sa (ikev2_child_sa_t * child, send_child_sa (ikev2_child_sa_t * child,

7
src/plugins/ikev2/ikev2_cli.c
View File

@ -136,6 +136,11 @@ format_ikev2_sa (u8 * s, va_list * va)
ikev2_child_sa_t *child; ikev2_child_sa_t *child;
u32 indent = 1; u32 indent = 1;
ikev2_main_t *km = &ikev2_main;
ikev2_profile_t *p;
p = pool_elt_at_index (km->profiles, sa->profile_index);
s = format (s, "iip %U ispi %lx rip %U rspi %lx", s = format (s, "iip %U ispi %lx rip %U rspi %lx",
format_ip_address, &sa->iaddr, sa->ispi, format_ip_address, &sa->iaddr, sa->ispi,
format_ip_address, &sa->raddr, sa->rspi); format_ip_address, &sa->raddr, sa->rspi);
@ -156,6 +161,8 @@ format_ikev2_sa (u8 * s, va_list * va)
tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH); tr = ikev2_sa_get_td_for_type (sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH);
s = format (s, "%U", format_ikev2_sa_transform, tr); s = format (s, "%U", format_ikev2_sa_transform, tr);
s = format (s, "\n profile: %v", p->name);
if (sa->state <= IKEV2_STATE_NO_PROPOSAL_CHOSEN) if (sa->state <= IKEV2_STATE_NO_PROPOSAL_CHOSEN)
{ {
s = format (s, "\n state: %s", stateNames[sa->state]); s = format (s, "\n state: %s", stateNames[sa->state]);

74
src/plugins/ikev2/ikev2_test.c
View File

@ -396,8 +396,78 @@ vl_api_ikev2_sa_details_t_handler (vl_api_ikev2_sa_details_t * mp)
ip_address_decode2 (&sa->iaddr, &iaddr); ip_address_decode2 (&sa->iaddr, &iaddr);
ip_address_decode2 (&sa->raddr, &raddr); ip_address_decode2 (&sa->raddr, &raddr);
fformat (vam->ofp, "profile index %d sa index: %d\n", fformat (vam->ofp, "profile index %u sa index: %d\n", mp->sa.profile_index,
mp->sa.profile_index, mp->sa.sa_index); mp->sa.sa_index);
fformat (vam->ofp, " iip %U ispi %lx rip %U rspi %lx\n", format_ip_address,
&iaddr, sa->ispi, format_ip_address, &raddr, sa->rspi);
fformat (vam->ofp, " %U ", format_ikev2_sa_transform, &sa->encryption);
fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &sa->prf);
fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &sa->integrity);
fformat (vam->ofp, "%U \n", format_ikev2_sa_transform, &sa->dh);
fformat (vam->ofp, " SK_d %U\n", format_hex_bytes, k->sk_d, k->sk_d_len);
fformat (vam->ofp, " SK_a i:%U\n r:%U\n", format_hex_bytes,
k->sk_ai, k->sk_ai_len, format_hex_bytes, k->sk_ar, k->sk_ar_len);
fformat (vam->ofp, " SK_e i:%U\n r:%U\n", format_hex_bytes,
k->sk_ei, k->sk_ei_len, format_hex_bytes, k->sk_er, k->sk_er_len);
fformat (vam->ofp, " SK_p i:%U\n r:%U\n", format_hex_bytes,
k->sk_pi, k->sk_pi_len, format_hex_bytes, k->sk_pr, k->sk_pr_len);
fformat (vam->ofp, " identifier (i) %U\n", format_ikev2_id_type_and_data,
&sa->i_id);
fformat (vam->ofp, " identifier (r) %U\n", format_ikev2_id_type_and_data,
&sa->r_id);
vam->result_ready = 1;
}
static int
api_ikev2_sa_v2_dump (vat_main_t *vam)
{
ikev2_test_main_t *im = &ikev2_test_main;
vl_api_ikev2_sa_v2_dump_t *mp;
vl_api_control_ping_t *mp_ping;
int ret;
/* Construct the API message */
M (IKEV2_SA_V2_DUMP, mp);
/* send it... */
S (mp);
/* Use a control ping for synchronization */
if (!im->ping_id)
im->ping_id = vl_msg_api_get_msg_index ((u8 *) (VL_API_CONTROL_PING_CRC));
mp_ping = vl_msg_api_alloc_as_if_client (sizeof (*mp_ping));
mp_ping->_vl_msg_id = htons (im->ping_id);
mp_ping->client_index = vam->my_client_index;
vam->result_ready = 0;
S (mp_ping);
/* Wait for a reply... */
W (ret);
return ret;
}
static void
vl_api_ikev2_sa_v2_details_t_handler (vl_api_ikev2_sa_v2_details_t *mp)
{
vat_main_t *vam = ikev2_test_main.vat_main;
vl_api_ikev2_sa_v2_t *sa = &mp->sa;
ip_address_t iaddr;
ip_address_t raddr;
vl_api_ikev2_keys_t *k = &sa->keys;
vl_api_ikev2_sa_v2_t_endian (sa);
ip_address_decode2 (&sa->iaddr, &iaddr);
ip_address_decode2 (&sa->raddr, &raddr);
fformat (vam->ofp, "profile name %s sa index: %d\n", mp->sa.profile_name,
mp->sa.sa_index);
fformat (vam->ofp, " iip %U ispi %lx rip %U rspi %lx\n", format_ip_address, fformat (vam->ofp, " iip %U ispi %lx rip %U rspi %lx\n", format_ip_address,
&iaddr, sa->ispi, format_ip_address, &raddr, sa->rspi); &iaddr, sa->ispi, format_ip_address, &raddr, sa->rspi);
fformat (vam->ofp, " %U ", format_ikev2_sa_transform, &sa->encryption); fformat (vam->ofp, " %U ", format_ikev2_sa_transform, &sa->encryption);

37
src/plugins/ikev2/ikev2_types.api
View File

@ -138,6 +138,18 @@ typedef ikev2_sa_stats
u16 n_init_sa_retransmit; u16 n_init_sa_retransmit;
}; };
enum ikev2_state
{
UNKNOWN,
SA_INIT,
DELETED,
AUTH_FAILED,
AUTHENTICATED,
NOTIFY_AND_DELETE,
TS_UNACCEPTABLE,
NO_PROPOSAL_CHOSEN,
};
typedef ikev2_sa typedef ikev2_sa
{ {
u32 sa_index; u32 sa_index;
@ -161,3 +173,28 @@ typedef ikev2_sa
vl_api_ikev2_sa_stats_t stats; vl_api_ikev2_sa_stats_t stats;
}; };
typedef ikev2_sa_v2
{
u32 sa_index;
string profile_name[64];
vl_api_ikev2_state_t state;
u64 ispi;
u64 rspi;
vl_api_address_t iaddr;
vl_api_address_t raddr;
vl_api_ikev2_keys_t keys;
/* ID */
vl_api_ikev2_id_t i_id;
vl_api_ikev2_id_t r_id;
vl_api_ikev2_sa_transform_t encryption;
vl_api_ikev2_sa_transform_t integrity;
vl_api_ikev2_sa_transform_t prf;
vl_api_ikev2_sa_transform_t dh;
vl_api_ikev2_sa_stats_t stats;
};

89
test/test_ikev2.py
View File

@ -662,6 +662,8 @@ class IkePeer(VppTestCase):
self.initiate_del_sa_from_initiator() self.initiate_del_sa_from_initiator()
r = self.vapi.ikev2_sa_dump() r = self.vapi.ikev2_sa_dump()
self.assertEqual(len(r), 0) self.assertEqual(len(r), 0)
r = self.vapi.ikev2_sa_v2_dump()
self.assertEqual(len(r), 0)
sas = self.vapi.ipsec_sa_dump() sas = self.vapi.ipsec_sa_dump()
self.assertEqual(len(sas), 0) self.assertEqual(len(sas), 0)
self.p.remove_vpp_config() self.p.remove_vpp_config()
@ -968,6 +970,76 @@ class IkePeer(VppTestCase):
self.assertEqual(len(r), 1) self.assertEqual(len(r), 1)
self.verify_ts(r[0].ts, tsr[0], False) self.verify_ts(r[0].ts, tsr[0], False)
def verify_ike_sas_v2(self):
r = self.vapi.ikev2_sa_v2_dump()
self.assertEqual(len(r), 1)
sa = r[0].sa
self.assertEqual(self.p.profile_name, sa.profile_name)
self.assertEqual(self.sa.ispi, (sa.ispi).to_bytes(8, "big"))
self.assertEqual(self.sa.rspi, (sa.rspi).to_bytes(8, "big"))
if self.ip6:
if self.sa.is_initiator:
self.assertEqual(sa.iaddr, IPv6Address(self.pg0.remote_ip6))
self.assertEqual(sa.raddr, IPv6Address(self.pg0.local_ip6))
else:
self.assertEqual(sa.iaddr, IPv6Address(self.pg0.local_ip6))
self.assertEqual(sa.raddr, IPv6Address(self.pg0.remote_ip6))
else:
if self.sa.is_initiator:
self.assertEqual(sa.iaddr, IPv4Address(self.pg0.remote_ip4))
self.assertEqual(sa.raddr, IPv4Address(self.pg0.local_ip4))
else:
self.assertEqual(sa.iaddr, IPv4Address(self.pg0.local_ip4))
self.assertEqual(sa.raddr, IPv4Address(self.pg0.remote_ip4))
self.verify_keymat(sa.keys, self.sa, "sk_d")
self.verify_keymat(sa.keys, self.sa, "sk_ai")
self.verify_keymat(sa.keys, self.sa, "sk_ar")
self.verify_keymat(sa.keys, self.sa, "sk_ei")
self.verify_keymat(sa.keys, self.sa, "sk_er")
self.verify_keymat(sa.keys, self.sa, "sk_pi")
self.verify_keymat(sa.keys, self.sa, "sk_pr")
self.assertEqual(sa.i_id.type, self.sa.id_type)
self.assertEqual(sa.r_id.type, self.sa.id_type)
self.assertEqual(sa.i_id.data_len, len(self.sa.i_id))
self.assertEqual(sa.r_id.data_len, len(self.idr))
self.assertEqual(bytes(sa.i_id.data, "ascii"), self.sa.i_id)
self.assertEqual(bytes(sa.r_id.data, "ascii"), self.idr)
r = self.vapi.ikev2_child_sa_dump(sa_index=sa.sa_index)
self.assertEqual(len(r), 1)
csa = r[0].child_sa
self.assertEqual(csa.sa_index, sa.sa_index)
c = self.sa.child_sas[0]
if hasattr(c, "sk_ai"):
self.verify_keymat(csa.keys, c, "sk_ai")
self.verify_keymat(csa.keys, c, "sk_ar")
self.verify_keymat(csa.keys, c, "sk_ei")
self.verify_keymat(csa.keys, c, "sk_er")
self.assertEqual(csa.i_spi.to_bytes(4, "big"), c.ispi)
self.assertEqual(csa.r_spi.to_bytes(4, "big"), c.rspi)
tsi, tsr = self.sa.generate_ts(self.p.ts_is_ip4)
tsi = tsi[0]
tsr = tsr[0]
r = self.vapi.ikev2_traffic_selector_dump(
is_initiator=True, sa_index=sa.sa_index, child_sa_index=csa.child_sa_index
)
self.assertEqual(len(r), 1)
ts = r[0].ts
self.verify_ts(r[0].ts, tsi[0], True)
r = self.vapi.ikev2_traffic_selector_dump(
is_initiator=False, sa_index=sa.sa_index, child_sa_index=csa.child_sa_index
)
self.assertEqual(len(r), 1)
self.verify_ts(r[0].ts, tsr[0], False)
n = self.vapi.ikev2_nonce_get(is_initiator=True, sa_index=sa.sa_index)
self.verify_nonce(n, self.sa.i_nonce)
n = self.vapi.ikev2_nonce_get(is_initiator=False, sa_index=sa.sa_index)
self.verify_nonce(n, self.sa.r_nonce)
def verify_nonce(self, api_nonce, nonce): def verify_nonce(self, api_nonce, nonce):
self.assertEqual(api_nonce.data_len, len(nonce)) self.assertEqual(api_nonce.data_len, len(nonce))
self.assertEqual(api_nonce.nonce, nonce) self.assertEqual(api_nonce.nonce, nonce)
@ -1289,6 +1361,7 @@ class TemplateInitiator(IkePeer):
self.sa.calc_child_keys() self.sa.calc_child_keys()
self.send_auth_response() self.send_auth_response()
self.verify_ike_sas() self.verify_ike_sas()
self.verify_ike_sas_v2()
class TemplateResponder(IkePeer): class TemplateResponder(IkePeer):
@ -1598,11 +1671,17 @@ class TemplateResponder(IkePeer):
self.assertEqual(1, s.n_sa_auth_req) self.assertEqual(1, s.n_sa_auth_req)
self.assertEqual(1, s.n_sa_init_req) self.assertEqual(1, s.n_sa_init_req)
r = self.vapi.ikev2_sa_v2_dump()
s = r[0].sa.stats
self.assertEqual(1, s.n_sa_auth_req)
self.assertEqual(1, s.n_sa_init_req)
def test_responder(self): def test_responder(self):
self.send_sa_init_req() self.send_sa_init_req()
self.send_sa_auth() self.send_sa_auth()
self.verify_ipsec_sas() self.verify_ipsec_sas()
self.verify_ike_sas() self.verify_ike_sas()
self.verify_ike_sas_v2()
self.verify_counters() self.verify_counters()
@ -2063,6 +2142,7 @@ class TestInitiatorRequestWindowSize(TestInitiatorPsk):
# verify that only the second request was accepted # verify that only the second request was accepted
self.verify_ike_sas() self.verify_ike_sas()
self.verify_ike_sas_v2()
self.verify_ipsec_sas(is_rekey=True) self.verify_ipsec_sas(is_rekey=True)
@ -2107,6 +2187,7 @@ class TestInitiatorRekey(TestInitiatorPsk):
super(TestInitiatorRekey, self).test_initiator() super(TestInitiatorRekey, self).test_initiator()
self.rekey_from_initiator() self.rekey_from_initiator()
self.verify_ike_sas() self.verify_ike_sas()
self.verify_ike_sas_v2()
self.verify_ipsec_sas(is_rekey=True) self.verify_ipsec_sas(is_rekey=True)
@ -2188,6 +2269,8 @@ class TestResponderDpd(TestResponderPsk):
time.sleep(3) time.sleep(3)
ike_sas = self.vapi.ikev2_sa_dump() ike_sas = self.vapi.ikev2_sa_dump()
self.assertEqual(len(ike_sas), 0) self.assertEqual(len(ike_sas), 0)
ike_sas = self.vapi.ikev2_sa_v2_dump()
self.assertEqual(len(ike_sas), 0)
ipsec_sas = self.vapi.ipsec_sa_dump() ipsec_sas = self.vapi.ipsec_sa_dump()
self.assertEqual(len(ipsec_sas), 0) self.assertEqual(len(ipsec_sas), 0)
@ -2225,10 +2308,13 @@ class TestResponderRekey(TestResponderPsk):
super(TestResponderRekey, self).test_responder() super(TestResponderRekey, self).test_responder()
self.process_rekey_response(self.send_rekey_from_initiator()) self.process_rekey_response(self.send_rekey_from_initiator())
self.verify_ike_sas() self.verify_ike_sas()
self.verify_ike_sas_v2()
self.verify_ipsec_sas(is_rekey=True) self.verify_ipsec_sas(is_rekey=True)
self.assert_counter(1, "rekey_req", "ip4") self.assert_counter(1, "rekey_req", "ip4")
r = self.vapi.ikev2_sa_dump() r = self.vapi.ikev2_sa_dump()
self.assertEqual(r[0].sa.stats.n_rekey_req, 1) self.assertEqual(r[0].sa.stats.n_rekey_req, 1)
r = self.vapi.ikev2_sa_v2_dump()
self.assertEqual(r[0].sa.stats.n_rekey_req, 1)
@tag_fixme_vpp_workers @tag_fixme_vpp_workers
@ -2253,6 +2339,7 @@ class TestResponderRekeyRepeat(TestResponderRekey):
self.fail("old IPsec SA not expired") self.fail("old IPsec SA not expired")
self.process_rekey_response(self.send_rekey_from_initiator()) self.process_rekey_response(self.send_rekey_from_initiator())
self.verify_ike_sas() self.verify_ike_sas()
self.verify_ike_sas_v2()
self.verify_ipsec_sas(sa_count=3) self.verify_ipsec_sas(sa_count=3)
@ -2456,6 +2543,8 @@ class TestInitiatorKeepaliveMsg(TestInitiatorPsk):
self.assert_counter(1, "keepalive", "ip4") self.assert_counter(1, "keepalive", "ip4")
r = self.vapi.ikev2_sa_dump() r = self.vapi.ikev2_sa_dump()
self.assertEqual(1, r[0].sa.stats.n_keepalives) self.assertEqual(1, r[0].sa.stats.n_keepalives)
r = self.vapi.ikev2_sa_v2_dump()
self.assertEqual(1, r[0].sa.stats.n_keepalives)
def test_initiator(self): def test_initiator(self):
super(TestInitiatorKeepaliveMsg, self).test_initiator() super(TestInitiatorKeepaliveMsg, self).test_initiator()