blob: 633f640ced2579a7fc457483ed0df07cf217adcf [file] [log] [blame]
/*
* Copyright (c) 2015 Cisco and/or its affiliates.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/esp.h>
#include <vnet/udp/udp.h>
#include <vnet/fib/fib_table.h>
/**
* @brief
* SA packet & bytes counters
*/
vlib_combined_counter_main_t ipsec_sa_counters = {
.name = "SA",
.stat_segment_name = "/net/ipsec/sa",
};
static clib_error_t *
ipsec_call_add_del_callbacks (ipsec_main_t * im, ipsec_sa_t * sa,
u32 sa_index, int is_add)
{
ipsec_ah_backend_t *ab;
ipsec_esp_backend_t *eb;
switch (sa->protocol)
{
case IPSEC_PROTOCOL_AH:
ab = pool_elt_at_index (im->ah_backends, im->ah_current_backend);
if (ab->add_del_sa_sess_cb)
return ab->add_del_sa_sess_cb (sa_index, is_add);
break;
case IPSEC_PROTOCOL_ESP:
eb = pool_elt_at_index (im->esp_backends, im->esp_current_backend);
if (eb->add_del_sa_sess_cb)
return eb->add_del_sa_sess_cb (sa_index, is_add);
break;
}
return 0;
}
void
ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len)
{
memset (key, 0, sizeof (*key));
if (len > sizeof (key->data))
key->len = sizeof (key->data);
else
key->len = len;
memcpy (key->data, data, key->len);
}
/**
* 'stack' (resolve the recursion for) the SA tunnel destination
*/
static void
ipsec_sa_stack (ipsec_sa_t * sa)
{
ipsec_main_t *im = &ipsec_main;
fib_forward_chain_type_t fct;
dpo_id_t tmp = DPO_INVALID;
fct =
fib_forw_chain_type_from_fib_proto ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
FIB_PROTOCOL_IP6 :
FIB_PROTOCOL_IP4));
fib_entry_contribute_forwarding (sa->fib_entry_index, fct, &tmp);
dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
im->ah6_encrypt_node_index :
im->ah4_encrypt_node_index),
&sa->dpo[IPSEC_PROTOCOL_AH], &tmp);
dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
im->esp6_encrypt_node_index :
im->esp4_encrypt_node_index),
&sa->dpo[IPSEC_PROTOCOL_ESP], &tmp);
dpo_reset (&tmp);
}
void
ipsec_sa_set_crypto_alg (ipsec_sa_t * sa, ipsec_crypto_alg_t crypto_alg)
{
ipsec_main_t *im = &ipsec_main;
sa->crypto_alg = crypto_alg;
sa->crypto_iv_size = im->crypto_algs[crypto_alg].iv_size;
sa->crypto_block_size = im->crypto_algs[crypto_alg].block_size;
sa->crypto_enc_op_id = im->crypto_algs[crypto_alg].enc_op_id;
sa->crypto_dec_op_id = im->crypto_algs[crypto_alg].dec_op_id;
sa->crypto_calg = im->crypto_algs[crypto_alg].alg;
ASSERT (sa->crypto_iv_size <= ESP_MAX_IV_SIZE);
ASSERT (sa->crypto_block_size <= ESP_MAX_BLOCK_SIZE);
if (IPSEC_CRYPTO_ALG_IS_GCM (crypto_alg))
{
sa->integ_icv_size = im->crypto_algs[crypto_alg].icv_size;
ipsec_sa_set_IS_AEAD (sa);
}
}
void
ipsec_sa_set_integ_alg (ipsec_sa_t * sa, ipsec_integ_alg_t integ_alg)
{
ipsec_main_t *im = &ipsec_main;
sa->integ_alg = integ_alg;
sa->integ_icv_size = im->integ_algs[integ_alg].icv_size;
sa->integ_op_id = im->integ_algs[integ_alg].op_id;
sa->integ_calg = im->integ_algs[integ_alg].alg;
ASSERT (sa->integ_icv_size <= ESP_MAX_ICV_SIZE);
}
int
ipsec_sa_add (u32 id,
u32 spi,
ipsec_protocol_t proto,
ipsec_crypto_alg_t crypto_alg,
const ipsec_key_t * ck,
ipsec_integ_alg_t integ_alg,
const ipsec_key_t * ik,
ipsec_sa_flags_t flags,
u32 tx_table_id,
u32 salt,
const ip46_address_t * tun_src,
const ip46_address_t * tun_dst, u32 * sa_out_index)
{
vlib_main_t *vm = vlib_get_main ();
ipsec_main_t *im = &ipsec_main;
clib_error_t *err;
ipsec_sa_t *sa;
u32 sa_index;
uword *p;
p = hash_get (im->sa_index_by_sa_id, id);
if (p)
return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
pool_get_aligned_zero (im->sad, sa, CLIB_CACHE_LINE_BYTES);
fib_node_init (&sa->node, FIB_NODE_TYPE_IPSEC_SA);
sa_index = sa - im->sad;
vlib_validate_combined_counter (&ipsec_sa_counters, sa_index);
vlib_zero_combined_counter (&ipsec_sa_counters, sa_index);
sa->id = id;
sa->spi = spi;
sa->stat_index = sa_index;
sa->protocol = proto;
sa->flags = flags;
sa->salt = salt;
ipsec_sa_set_integ_alg (sa, integ_alg);
clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key));
ipsec_sa_set_crypto_alg (sa, crypto_alg);
clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
ip46_address_copy (&sa->tunnel_src_addr, tun_src);
ip46_address_copy (&sa->tunnel_dst_addr, tun_dst);
sa->crypto_key_index = vnet_crypto_key_add (vm,
im->crypto_algs[crypto_alg].alg,
(u8 *) ck->data, ck->len);
if (~0 == sa->crypto_key_index)
{
pool_put (im->sad, sa);
return VNET_API_ERROR_KEY_LENGTH;
}
sa->integ_key_index = vnet_crypto_key_add (vm,
im->integ_algs[integ_alg].alg,
(u8 *) ik->data, ik->len);
if (~0 == sa->integ_key_index)
{
pool_put (im->sad, sa);
return VNET_API_ERROR_KEY_LENGTH;
}
err = ipsec_check_support_cb (im, sa);
if (err)
{
clib_warning ("%s", err->what);
pool_put (im->sad, sa);
return VNET_API_ERROR_UNIMPLEMENTED;
}
err = ipsec_call_add_del_callbacks (im, sa, sa_index, 1);
if (err)
{
pool_put (im->sad, sa);
return VNET_API_ERROR_SYSCALL_ERROR_1;
}
if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
{
fib_protocol_t fproto = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
FIB_PROTOCOL_IP6 : FIB_PROTOCOL_IP4);
fib_prefix_t pfx = {
.fp_addr = sa->tunnel_dst_addr,
.fp_len = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? 128 : 32),
.fp_proto = fproto,
};
sa->tx_fib_index = fib_table_find (fproto, tx_table_id);
if (sa->tx_fib_index == ~((u32) 0))
{
pool_put (im->sad, sa);
return VNET_API_ERROR_NO_SUCH_FIB;
}
sa->fib_entry_index = fib_table_entry_special_add (sa->tx_fib_index,
&pfx,
FIB_SOURCE_RR,
FIB_ENTRY_FLAG_NONE);
sa->sibling = fib_entry_child_add (sa->fib_entry_index,
FIB_NODE_TYPE_IPSEC_SA, sa_index);
ipsec_sa_stack (sa);
/* generate header templates */
if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
{
sa->ip6_hdr.ip_version_traffic_class_and_flow_label = 0x60;
sa->ip6_hdr.hop_limit = 254;
sa->ip6_hdr.src_address.as_u64[0] =
sa->tunnel_src_addr.ip6.as_u64[0];
sa->ip6_hdr.src_address.as_u64[1] =
sa->tunnel_src_addr.ip6.as_u64[1];
sa->ip6_hdr.dst_address.as_u64[0] =
sa->tunnel_dst_addr.ip6.as_u64[0];
sa->ip6_hdr.dst_address.as_u64[1] =
sa->tunnel_dst_addr.ip6.as_u64[1];
if (ipsec_sa_is_set_UDP_ENCAP (sa))
sa->ip6_hdr.protocol = IP_PROTOCOL_UDP;
else
sa->ip6_hdr.protocol = IP_PROTOCOL_IPSEC_ESP;
}
else
{
sa->ip4_hdr.ip_version_and_header_length = 0x45;
sa->ip4_hdr.ttl = 254;
sa->ip4_hdr.src_address.as_u32 = sa->tunnel_src_addr.ip4.as_u32;
sa->ip4_hdr.dst_address.as_u32 = sa->tunnel_dst_addr.ip4.as_u32;
if (ipsec_sa_is_set_UDP_ENCAP (sa))
sa->ip4_hdr.protocol = IP_PROTOCOL_UDP;
else
sa->ip4_hdr.protocol = IP_PROTOCOL_IPSEC_ESP;
sa->ip4_hdr.checksum = ip4_header_checksum (&sa->ip4_hdr);
}
}
if (ipsec_sa_is_set_UDP_ENCAP (sa))
{
sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
}
hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
if (sa_out_index)
*sa_out_index = sa_index;
return (0);
}
u32
ipsec_sa_del (u32 id)
{
vlib_main_t *vm = vlib_get_main ();
ipsec_main_t *im = &ipsec_main;
ipsec_sa_t *sa = 0;
uword *p;
u32 sa_index;
clib_error_t *err;
p = hash_get (im->sa_index_by_sa_id, id);
if (!p)
return VNET_API_ERROR_NO_SUCH_ENTRY;
sa_index = p[0];
sa = pool_elt_at_index (im->sad, sa_index);
if (ipsec_is_sa_used (sa_index))
{
clib_warning ("sa_id %u used in policy", sa->id);
/* sa used in policy */
return VNET_API_ERROR_SYSCALL_ERROR_1;
}
hash_unset (im->sa_index_by_sa_id, sa->id);
err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
if (err)
return VNET_API_ERROR_SYSCALL_ERROR_2;
if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
{
fib_entry_child_remove (sa->fib_entry_index, sa->sibling);
fib_table_entry_special_remove
(sa->tx_fib_index,
fib_entry_get_prefix (sa->fib_entry_index), FIB_SOURCE_RR);
dpo_reset (&sa->dpo[IPSEC_PROTOCOL_AH]);
dpo_reset (&sa->dpo[IPSEC_PROTOCOL_ESP]);
}
vnet_crypto_key_del (vm, sa->crypto_key_index);
vnet_crypto_key_del (vm, sa->integ_key_index);
pool_put (im->sad, sa);
return 0;
}
u8
ipsec_is_sa_used (u32 sa_index)
{
ipsec_main_t *im = &ipsec_main;
ipsec_tunnel_if_t *t;
ipsec_policy_t *p;
/* *INDENT-OFF* */
pool_foreach(p, im->policies, ({
if (p->policy == IPSEC_POLICY_ACTION_PROTECT)
{
if (p->sa_index == sa_index)
return 1;
}
}));
pool_foreach(t, im->tunnel_interfaces, ({
if (t->input_sa_index == sa_index)
return 1;
if (t->output_sa_index == sa_index)
return 1;
}));
/* *INDENT-ON* */
return 0;
}
u32
ipsec_get_sa_index_by_sa_id (u32 sa_id)
{
ipsec_main_t *im = &ipsec_main;
uword *p = hash_get (im->sa_index_by_sa_id, sa_id);
if (!p)
return ~0;
return p[0];
}
void
ipsec_sa_walk (ipsec_sa_walk_cb_t cb, void *ctx)
{
ipsec_main_t *im = &ipsec_main;
ipsec_sa_t *sa;
/* *INDENT-OFF* */
pool_foreach (sa, im->sad,
({
if (WALK_CONTINUE != cb(sa, ctx))
break;
}));
/* *INDENT-ON* */
}
/**
* Function definition to get a FIB node from its index
*/
static fib_node_t *
ipsec_sa_fib_node_get (fib_node_index_t index)
{
ipsec_main_t *im;
ipsec_sa_t *sa;
im = &ipsec_main;
sa = pool_elt_at_index (im->sad, index);
return (&sa->node);
}
/**
* Function definition to inform the FIB node that its last lock has gone.
*/
static void
ipsec_sa_last_lock_gone (fib_node_t * node)
{
/*
* The ipsec SA is a root of the graph. As such
* it never has children and thus is never locked.
*/
ASSERT (0);
}
static ipsec_sa_t *
ipsec_sa_from_fib_node (fib_node_t * node)
{
ASSERT (FIB_NODE_TYPE_IPSEC_SA == node->fn_type);
return ((ipsec_sa_t *) (((char *) node) -
STRUCT_OFFSET_OF (ipsec_sa_t, node)));
}
/**
* Function definition to backwalk a FIB node
*/
static fib_node_back_walk_rc_t
ipsec_sa_back_walk (fib_node_t * node, fib_node_back_walk_ctx_t * ctx)
{
ipsec_sa_stack (ipsec_sa_from_fib_node (node));
return (FIB_NODE_BACK_WALK_CONTINUE);
}
/*
* Virtual function table registered by MPLS GRE tunnels
* for participation in the FIB object graph.
*/
const static fib_node_vft_t ipsec_sa_vft = {
.fnv_get = ipsec_sa_fib_node_get,
.fnv_last_lock = ipsec_sa_last_lock_gone,
.fnv_back_walk = ipsec_sa_back_walk,
};
/* force inclusion from application's main.c */
clib_error_t *
ipsec_sa_interface_init (vlib_main_t * vm)
{
fib_node_register_type (FIB_NODE_TYPE_IPSEC_SA, &ipsec_sa_vft);
return 0;
}
VLIB_INIT_FUNCTION (ipsec_sa_interface_init);
/*
* fd.io coding-style-patch-verification: ON
*
* Local Variables:
* eval: (c-set-style "gnu")
* End:
*/