Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 243a0433ff05a37113d6890bbeb163bbea033687 / . / extras / strongswan / vpp_sswan / kernel_vpp_ipsec.c
blob: 7849dd6b898fd79d3997fe32807e901ef57227ad [file] [log] [blame]
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000[diff] [blame]1/*
2 * Copyright (c) 2022 Intel and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#include <daemon.h>
17#include <utils/debug.h>
18#include <vlibapi/api.h>
19#include <vlibmemory/api.h>
20#include <vnet/ipsec/ipsec.h>
21#include <vnet/vnet.h>
22#include <collections/hashtable.h>
23#include <threading/mutex.h>
24#include <processing/jobs/callback_job.h>
25#include <vpp-api/client/stat_client.h>
26
27#define vl_typedefs
28#define vl_endianfun
29/* Include the (first) vlib-api API definition layer */
30#include <vlibmemory/vl_memory_api_h.h>
31/* Include the current layer (third) vpp API definition layer */
32#include <vpp/api/vpe_types.api.h>
33#include <vpp/api/vpe.api.h>
34
35#include <vnet/ip-neighbor/ip_neighbor.api_enum.h>
36#include <vnet/ip-neighbor/ip_neighbor.api_types.h>
37#include <vnet/ipsec/ipsec.api_enum.h>
38#include <vnet/ipsec/ipsec.api_types.h>
39#include <vnet/interface.api_enum.h>
40#include <vnet/interface.api_types.h>
41#undef vl_typedefs
42#undef vl_endianfun
43
44#include "kernel_vpp_ipsec.h"
45#include "kernel_vpp_shared.h"
46
47#include <stdio.h>
48#include <stdlib.h>
49#include <string.h>
50#include <sys/socket.h>
51#include <netinet/in.h>
52#include <arpa/inet.h>
53#include <sys/ioctl.h>
54#include <net/if.h>
55#include <net/route.h>
56#include <unistd.h>
57#include <fcntl.h>
58#include <sys/types.h>
59#include <net/if_arp.h>
60#include <sys/stat.h>
61#include <dirent.h>
62
63#define PRIO_BASE 384
64
65u32 natt_port;
66
67/**
68 * One and only instance of the daemon.
69 */
70daemon_t *charon;
71
72typedef struct private_kernel_vpp_ipsec_t private_kernel_vpp_ipsec_t;
73
74/**
75 * Private variables of kernel_vpp_ipsec class.
76 */
77struct private_kernel_vpp_ipsec_t
78{
79
80 /**
81 * Public interface
82 */
83 kernel_vpp_ipsec_t public;
84
85 /**
86 * Next security association database entry ID to allocate
87 */
88 refcount_t next_sad_id;
89
90 /**
91 * Next security policy database entry ID to allocate
92 */
93 refcount_t next_spd_id;
94
95 /**
96 * Mutex to lock access to installed policies
97 */
98 mutex_t *mutex;
99
100 /**
101 * Hash table of instaled SA, as kernel_ipsec_sa_id_t => sa_t
102 */
103 hashtable_t *sas;
104
105 /**
106 * Hash table of security policy databases, as nterface => spd_t
107 */
108 hashtable_t *spds;
109
110 /**
111 * Linked list of installed routes
112 */
113 linked_list_t *routes;
114
115 /**
116 * Next SPI to allocate
117 */
118 refcount_t nextspi;
119
120 /**
121 * Mix value to distribute SPI allocation randomly
122 */
123 uint32_t mixspi;
124
125 /**
126 * Whether to install routes along policies
127 */
128 bool install_routes;
129};
130
131/**
132 * Security association entry
133 */
134typedef struct
135{
136 /** VPP SA ID */
137 uint32_t sa_id;
138 uint32_t stat_index;
139} sa_t;
140
141/**
142 * Security policy database
143 */
144typedef struct
145{
146 /** VPP SPD ID */
147 uint32_t spd_id;
148 /** Networking interface ID restricting policy */
149 uint32_t sw_if_index;
150 /** Policy count for this SPD */
151 refcount_t policy_num;
152} spd_t;
153
154/**
155 * Installed route
156 */
157typedef struct
158{
159 /** Name of the interface the route is bound to */
160 char *if_name;
161 /** Gateway of route */
162 host_t *gateway;
163 /** Destination network of route */
164 host_t *dst_net;
165 /** Prefix length of dst_net */
166 uint8_t prefixlen;
167 /** References for route */
168 refcount_t refs;
169} route_entry_t;
170
171#define htonll(x) \
172 ((1 == htonl (1)) ? \
173 (x) : \
174 ((uint64_t) htonl ((x) &0xFFFFFFFF) << 32) | htonl ((x) >> 32))
175#define ntohll(x) \
176 ((1 == ntohl (1)) ? \
177 (x) : \
178 ((uint64_t) ntohl ((x) &0xFFFFFFFF) << 32) | ntohl ((x) >> 32))
179
180CALLBACK (route_equals, bool, route_entry_t *a, va_list args)
181{
182 host_t *dst_net, *gateway;
183 uint8_t *prefixlen;
184 char *if_name;
185
186 VA_ARGS_VGET (args, if_name, gateway, dst_net, prefixlen);
187
188 return a->if_name && if_name && streq (a->if_name, if_name) &&
189 a->gateway->ip_equals (a->gateway, gateway) &&
190 a->dst_net->ip_equals (a->dst_net, dst_net) &&
191 a->prefixlen == *prefixlen;
192}
193
194/**
195 * Clean up a route entry
196 */
197static void
198route_destroy (route_entry_t *this)
199{
200 this->dst_net->destroy (this->dst_net);
201 this->gateway->destroy (this->gateway);
202 free (this->if_name);
203 free (this);
204}
205
206static uint32_t get_sw_if_index ();
207
208static int
209set_arp (char *ipStr, char *if_name, bool add)
210{
211 char *out = NULL;
212 int out_len = 0;
213 vl_api_ip_neighbor_add_del_t *mp;
214 vl_api_ip_neighbor_add_del_reply_t *rmp;
215 int rc = SUCCESS;
216 uint32_t sw_if_index = ~0;
217
218 FILE *fp;
219 int nread = 0;
220 ssize_t len = 0;
221 char *buffer = NULL;
222 char buf[2][20];
223 char *file = "/proc/net/arp";
224 unsigned char mac[8] = {
225 0,
226 };
227 uint32_t addr;
228
229 if (if_name == NULL || ipStr == NULL)
230 {
231 DBG2 (DBG_KNL, "para is null\n");
232 rc = FAILED;
233 }
234 DBG2 (DBG_KNL, "from kernel read mac\n");
235
236 mp = vl_msg_api_alloc (sizeof (*mp));
237 memset (mp, 0, sizeof (*mp));
238 sw_if_index = get_sw_if_index (if_name);
239 if (sw_if_index == ~0)
240 {
241 DBG1 (DBG_KNL, "sw_if_index for %s not found", if_name);
242 goto error;
243 }
244
245 fp = fopen (file, "rb");
246 while ((nread = getline (&buffer, &len, fp)) != -1)
247 {
248 sscanf (buffer, "%s %*s %*s %s %*s %*s", &buf[0], &buf[1]);
249 inet_aton (&buf[0], &addr);
250
251 if (addr == *((u32 *) (ipStr)))
252 {
253 sscanf (buf[1], "%02x:%02x:%02x:%02x:%02x:%02x", &mac[0], &mac[1],
254 &mac[2], &mac[3], &mac[4], &mac[5]);
255 u16 msg_id =
256 vl_msg_api_get_msg_index ((u8 *) "ip_neighbor_add_del_0607c257");
257 mp->_vl_msg_id = htons (msg_id);
258 mp->is_add = add;
259 memcpy (mp->neighbor.ip_address.un.ip4, (u8 *) &addr, sizeof (addr));
260 mp->neighbor.ip_address.af = 0;
261 memcpy (mp->neighbor.mac_address, mac, 6);
262 mp->neighbor.sw_if_index = htonl (sw_if_index);
263 mp->neighbor.flags = 1;
264
265 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
266 {
267 DBG1 (DBG_KNL, "vac %s neighbor entry",
268 add ? "adding" : "removing");
269 goto error;
270 }
271 rmp = (void *) out;
272 if (rmp->retval)
273 {
274 DBG1 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
275 ntohl (rmp->retval));
276 goto error;
277 }
278 fclose (fp);
279 return rc;
280 }
281 }
282 return rc;
283
284error:
285 free (out);
286 vl_msg_api_free (mp);
287 return rc;
288}
289
290static int
291add_Route (char *ipAddr, int len, char *mask, char *gateWay)
292{
293 int fd;
294 int rc = SUCCESS;
295 struct sockaddr_in _sin;
296 struct sockaddr_in *sin = &_sin;
297 struct rtentry rt;
298
299 do
300 {
301 fd = socket (AF_INET, SOCK_DGRAM, 0);
302 if (fd < 0)
303 {
304 DBG2 (DBG_KNL, "addRoute: socket error\n");
305 rc = FAILED;
306 break;
307 }
308 memset (&rt, 0, sizeof (struct rtentry));
309 memset (sin, 0, sizeof (struct sockaddr_in));
310 sin->sin_family = AF_INET;
311 sin->sin_port = 0;
312
313 if (inet_aton (gateWay, &sin->sin_addr) < 0)
314 {
315 rc = FAILED;
316 break;
317 }
318 memcpy (&rt.rt_gateway, sin, sizeof (struct sockaddr_in));
319
320 ((struct sockaddr_in *) &rt.rt_dst)->sin_family = AF_INET;
321 memcpy (&((struct sockaddr_in *) &rt.rt_dst)->sin_addr, ipAddr, len);
322
323 ((struct sockaddr_in *) &rt.rt_genmask)->sin_family = AF_INET;
324 if (inet_aton (mask,
325 &((struct sockaddr_in *) &rt.rt_genmask)->sin_addr) < 0)
326 {
327 rc = FAILED;
328 break;
329 }
330 rt.rt_flags = RTF_GATEWAY;
331 if (ioctl (fd, SIOCADDRT, &rt) < 0)
332 {
333 rc = FAILED;
334 }
335 }
336 while (0);
337
338 close (fd);
339 return rc;
340}
341
342static int
343set_address (u32 ipAddr, u32 sw_if_index, bool add)
344{
345 char *out = NULL;
346 int out_len = 0;
347 vl_api_sw_interface_add_del_address_t *mp;
348 vl_api_sw_interface_add_del_address_reply_t *rmp;
349
350 int rc = SUCCESS;
351
352 uint32_t addr;
353
354 mp = vl_msg_api_alloc (sizeof (*mp));
355 memset (mp, 0, sizeof (*mp));
356
357 u16 msg_id =
358 vl_msg_api_get_msg_index ((u8 *) "sw_interface_add_del_address_5463d73b");
359 mp->_vl_msg_id = htons (msg_id);
360 mp->is_add = add;
361 memcpy (mp->prefix.address.un.ip4, (u8 *) &ipAddr, sizeof (ipAddr));
362 mp->prefix.len = 24;
363 mp->sw_if_index = sw_if_index;
364
365 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
366 {
367 DBG2 (DBG_KNL, "vac %s neighbor entry", add ? "adding" : "removing");
368 goto error;
369 }
370 rmp = (void *) out;
371 if (rmp->retval)
372 {
373 DBG2 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
374 ntohl (rmp->retval));
375 goto error;
376 }
377 return rc;
378
379error:
380 free (out);
381 vl_msg_api_free (mp);
382 return rc;
383}
384
385/**
386 * (Un)-install a single route
387 */
388static void
389manage_route (private_kernel_vpp_ipsec_t *this, bool add,
390 traffic_selector_t *dst_ts, host_t *src, host_t *dst)
391{
392 host_t *dst_net, *gateway;
393 uint8_t prefixlen;
394 char *if_name;
395 route_entry_t *route;
396 bool route_exist = FALSE;
397
398 char *netmask = "255.255.255.0";
399 char *tap_gateway = "1.1.1.1";
400 int arp_rc = 0;
401 if (dst->is_anyaddr (dst))
402 {
403 return;
404 }
405 gateway =
406 charon->kernel->get_nexthop (charon->kernel, dst, -1, NULL, &if_name);
407 dst_ts->to_subnet (dst_ts, &dst_net, &prefixlen);
408 if (!if_name)
409 {
410 if (src->is_anyaddr (src))
411 {
412 return;
413 }
414 if (!charon->kernel->get_interface (charon->kernel, src, &if_name))
415 {
416 return;
417 }
418 }
419 route_exist =
420 this->routes->find_first (this->routes, route_equals, (void **) &route,
421 if_name, gateway, dst_net, &prefixlen);
422 if (add)
423 {
424 DBG2 (DBG_KNL, "installing route: %H/%d via %H dev %s", dst_net,
425 prefixlen, gateway, if_name);
426 if (route_exist)
427 {
428 unsigned int refs_num = ref_get (&route->refs);
429 DBG2 (DBG_KNL, "add route but it exist %d", refs_num);
430 }
431 else
432 {
433 INIT (route, .if_name = strdup (if_name),
434 .gateway = gateway->clone (gateway),
435 .dst_net = dst_net->clone (dst_net), .prefixlen = prefixlen,
436 .refs = 1, );
437 this->routes->insert_last (this->routes, route);
438 charon->kernel->add_route (charon->kernel,
439 dst_net->get_address (dst_net), prefixlen,
440 gateway, dst, if_name, 1);
441 }
442
443 add_Route (dst_net->get_address (dst_net).ptr,
444 dst_net->get_address (dst_net).len, netmask, tap_gateway);
445
446 arp_rc = set_arp (gateway->get_address (gateway).ptr, if_name, TRUE);
447 if (arp_rc)
448 DBG2 (DBG_KNL, "arpGet success!\n");
449 }
450 else
451 {
452 DBG2 (DBG_KNL, "uninstalling route: %H/%d via %H dev %s", dst_net,
453 prefixlen, gateway, if_name);
454 if (!route_exist)
455 {
456 DBG2 (DBG_KNL, "del route but it not exist");
457 return;
458 }
459 if (ref_put (&route->refs))
460 {
461 this->routes->remove (this->routes, route, NULL);
462 route_destroy (route);
463 charon->kernel->del_route (charon->kernel,
464 dst_net->get_address (dst_net), prefixlen,
465 gateway, dst, if_name, 1);
466 }
467 }
468}
469
470/**
471 * Hash function for IPsec SA
472 */
473static u_int
474sa_hash (kernel_ipsec_sa_id_t *sa)
475{
476 return chunk_hash_inc (
477 sa->src->get_address (sa->src),
478 chunk_hash_inc (
479 sa->dst->get_address (sa->dst),
480 chunk_hash_inc (chunk_from_thing (sa->spi),
481 chunk_hash (chunk_from_thing (sa->proto)))));
482}
483
484/**
485 * Equality function for IPsec SA
486 */
487static bool
488sa_equals (kernel_ipsec_sa_id_t *sa, kernel_ipsec_sa_id_t *other_sa)
489{
490 return sa->src->ip_equals (sa->src, other_sa->src) &&
491 sa->dst->ip_equals (sa->dst, other_sa->dst) &&
492 sa->spi == other_sa->spi && sa->proto == other_sa->proto;
493}
494
495/**
496 * Hash function for interface
497 */
498static u_int
499interface_hash (char *interface)
500{
501 return chunk_hash (chunk_from_str (interface));
502}
503
504/**
505 * Equality function for interface
506 */
507static bool
508interface_equals (char *interface1, char *interface2)
509{
510 return streq (interface1, interface2);
511}
512
513/**
514 * Map an integer x with a one-to-one function using quadratic residues
515 */
516static u_int
517permute (u_int x, u_int p)
518{
519 u_int qr;
520
521 x = x % p;
522 qr = ((uint64_t) x * x) % p;
523 if (x <= p / 2)
524 {
525 return qr;
526 }
527 return p - qr;
528}
529
530/**
531 * Initialize seeds for SPI generation
532 */
533static bool
534init_spi (private_kernel_vpp_ipsec_t *this)
535{
536 bool ok = TRUE;
537 rng_t *rng;
538
539 rng = lib->crypto->create_rng (lib->crypto, RNG_STRONG);
540 if (!rng)
541 {
542 return FALSE;
543 }
544 ok =
545 rng->get_bytes (rng, sizeof (this->nextspi), (uint8_t *) &this->nextspi);
546 if (ok)
547 {
548 ok =
549 rng->get_bytes (rng, sizeof (this->mixspi), (uint8_t *) &this->mixspi);
550 }
551 rng->destroy (rng);
552 return ok;
553}
554
555/**
556 * Calculate policy priority
557 */
558static uint32_t
559calculate_priority (policy_priority_t policy_priority, traffic_selector_t *src,
560 traffic_selector_t *dst)
561{
562 uint32_t priority = PRIO_BASE;
563 uint16_t port;
564 uint8_t mask, proto;
565 host_t *net;
566
567 switch (policy_priority)
568 {
569 case POLICY_PRIORITY_FALLBACK:
570 priority <<= 1;
571 /* fall-through */
572 case POLICY_PRIORITY_ROUTED:
573 priority <<= 1;
574 /* fall-through */
575 case POLICY_PRIORITY_DEFAULT:
576 priority <<= 1;
577 /* fall-through */
578 case POLICY_PRIORITY_PASS:
579 break;
580 }
581 /* calculate priority based on selector size, small size = high prio */
582 src->to_subnet (src, &net, &mask);
583 priority -= mask;
584 proto = src->get_protocol (src);
585 port = net->get_port (net);
586 net->destroy (net);
587
588 dst->to_subnet (dst, &net, &mask);
589 priority -= mask;
590 proto = max (proto, dst->get_protocol (dst));
591 port = max (port, net->get_port (net));
592 net->destroy (net);
593
594 priority <<= 2; /* make some room for the two flags */
595 priority += port ? 0 : 2;
596 priority += proto ? 0 : 1;
597 return priority;
598}
599
600/**
601 * Get sw_if_index from interface name
602 */
603static uint32_t
604get_sw_if_index (char *interface)
605{
606 char *out = NULL;
607 int out_len, name_filter_len = 0, msg_len = 0;
608 vl_api_sw_interface_dump_t *mp;
609 vl_api_sw_interface_details_t *rmp;
610 uint32_t sw_if_index = ~0;
611
612 name_filter_len = strlen (interface);
613 msg_len = sizeof (*mp) + name_filter_len;
614 mp = vl_msg_api_alloc (msg_len);
615 clib_memset (mp, 0, msg_len);
616 u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "sw_interface_dump_aa610c27");
617 mp->_vl_msg_id = htons (msg_id);
618 mp->name_filter_valid = TRUE;
619 mp->name_filter.length = htonl (name_filter_len);
620 memcpy ((char *) mp->name_filter.buf, interface, name_filter_len);
621
622 if (vac->send (vac, (char *) mp, msg_len, &out, &out_len))
623 {
624 goto error;
625 }
626 if (!out_len)
627 {
628 goto error;
629 }
630 rmp = (vl_api_sw_interface_details_t *) out;
631 sw_if_index = ntohl (rmp->sw_if_index);
632
633error:
634 free (out);
635 vl_msg_api_free (mp);
636 return sw_if_index;
637}
638/**
639 * (Un)-install a security policy database
640 */
641static status_t
642spd_add_del (bool add, uint32_t spd_id)
643{
644 char *out = NULL;
645 int out_len;
646 vl_api_ipsec_spd_add_del_t *mp;
647 vl_api_ipsec_spd_add_del_reply_t *rmp;
648 status_t rv = FAILED;
649
650 mp = vl_msg_api_alloc (sizeof (*mp));
651 memset (mp, 0, sizeof (*mp));
652
653 u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_add_del_20e89a95");
654 mp->_vl_msg_id = htons (msg_id);
655 mp->is_add = add;
656 mp->spd_id = htonl (spd_id);
657 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
658 {
659 DBG1 (DBG_KNL, "vac %s SPD failed", add ? "adding" : "removing");
660 goto error;
661 }
662 rmp = (void *) out;
663 if (rmp->retval)
664 {
665 DBG1 (DBG_KNL, "%s SPD failed rv:%d", add ? "add" : "remove",
666 ntohl (rmp->retval));
667 goto error;
668 }
669 rv = SUCCESS;
670
671error:
672 free (out);
673 vl_msg_api_free (mp);
674 return rv;
675}
676
677/**
678 * Enable or disable SPD on an insterface
679 */
680static status_t
681interface_add_del_spd (bool add, uint32_t spd_id, uint32_t sw_if_index)
682{
683 char *out = NULL;
684 int out_len;
685 vl_api_ipsec_interface_add_del_spd_t *mp;
686 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
687 status_t rv = FAILED;
688
689 mp = vl_msg_api_alloc (sizeof (*mp));
690 memset (mp, 0, sizeof (*mp));
691 u16 msg_id =
692 vl_msg_api_get_msg_index ((u8 *) "ipsec_interface_add_del_spd_80f80cbb");
693 mp->_vl_msg_id = htons (msg_id);
694 mp->is_add = add;
695 mp->spd_id = htonl (spd_id);
696 mp->sw_if_index = htonl (sw_if_index);
697 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
698 {
699 DBG1 (DBG_KNL, "vac %s interface SPD failed",
700 add ? "adding" : "removing");
701 goto error;
702 }
703 rmp = (void *) out;
704 if (rmp->retval)
705 {
706 DBG1 (DBG_KNL, "%s interface SPD failed rv:%d", add ? "add" : "remove",
707 ntohl (rmp->retval));
708 goto error;
709 }
710 rv = SUCCESS;
711
712error:
713 free (out);
714 vl_msg_api_free (mp);
715 return rv;
716}
717
718static int
719bypass_all (bool add, uint32_t spd_id, uint32_t sa_id)
720{
721 vl_api_ipsec_spd_entry_add_del_t *mp;
722 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
723 char *out = NULL;
724 int out_len;
725 status_t rv = FAILED;
726
727 DBG2 (DBG_KNL, "bypass_all [%s] spd_id %d sa_id %d", add ? "ADD" : "DEL",
728 spd_id, sa_id);
729
730 mp = vl_msg_api_alloc (sizeof (*mp));
731 memset (mp, 0, sizeof (*mp));
732
733 u16 msg_id =
734 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
735 mp->_vl_msg_id = ntohs (msg_id);
736 mp->is_add = add;
737 mp->entry.sa_id = ntohl (sa_id);
738 mp->entry.spd_id = ntohl (spd_id);
739 mp->entry.priority = ntohl (INT_MAX - POLICY_PRIORITY_PASS - 1);
740 mp->entry.is_outbound = 0;
741 mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
742 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
743 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
744 mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (0);
745 mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (0xFFFF);
746 mp->entry.protocol = IP_API_PROTO_ESP;
747 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
748 {
749 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
750 goto error;
751 }
752 rmp = (void *) out;
753 if (rmp->retval)
754 {
755 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
756 ntohl (rmp->retval));
757 goto error;
758 }
759 mp->entry.is_outbound = 1;
760 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
761 {
762 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
763 goto error;
764 }
765 rmp = (void *) out;
766 if (rmp->retval)
767 {
768 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
769 ntohl (rmp->retval));
770 goto error;
771 }
772 mp->entry.is_outbound = 0;
773 mp->entry.protocol = IP_API_PROTO_AH;
774 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
775 {
776 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
777 goto error;
778 }
779 rmp = (void *) out;
780 if (rmp->retval)
781 {
782 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
783 ntohl (rmp->retval));
784 goto error;
785 }
786 mp->entry.is_outbound = 1;
787 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
788 {
789 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
790 goto error;
791 }
792 rmp = (void *) out;
793 if (rmp->retval)
794 {
795 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
796 ntohl (rmp->retval));
797 goto error;
798 }
799
800 rv = SUCCESS;
801
802error:
803 if (out)
804 free (out);
805 vl_msg_api_free (mp);
806
807 return rv;
808}
809
810static int
811bypass_port (bool add, uint32_t spd_id, uint32_t sa_id, uint16_t port)
812{
813 vl_api_ipsec_spd_entry_add_del_t *mp;
814 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
815 char *out = NULL;
816 int out_len;
817 status_t rv = FAILED;
818
819 mp = vl_msg_api_alloc (sizeof (*mp));
820 memset (mp, 0, sizeof (*mp));
821
822 u16 msg_id =
823 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
824 mp->_vl_msg_id = ntohs (msg_id);
825 mp->is_add = add;
826 mp->entry.sa_id = ntohl (sa_id);
827 mp->entry.spd_id = ntohl (spd_id);
828 mp->entry.priority = ntohl (INT_MAX - POLICY_PRIORITY_PASS - 1);
829 mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
830 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
831 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
832 mp->entry.is_outbound = 0;
833 mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (0);
834 mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (0xFFFF);
835 mp->entry.protocol = IP_API_PROTO_HOPOPT;
836
837 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
838 {
839 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
840 goto error;
841 }
842 rmp = (void *) out;
843 if (rmp->retval)
844 {
845 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
846 ntohl (rmp->retval));
847 goto error;
848 }
849 mp->entry.is_outbound = 1;
850 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
851 {
852 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
853 goto error;
854 }
855 rmp = (void *) out;
856 if (rmp->retval)
857 {
858 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
859 ntohl (rmp->retval));
860 goto error;
861 }
862 rv = SUCCESS;
863
864error:
865 if (out)
866 free (out);
867 vl_msg_api_free (mp);
868
869 return rv;
870}
871
872/**
873 * Add or remove a bypass policy
874 */
875static status_t
876manage_bypass (bool add, uint32_t spd_id, uint32_t sa_id)
877{
878 uint16_t port;
879 status_t rv;
880
881 bypass_all (add, spd_id, sa_id);
882
883 port =
884 lib->settings->get_int (lib->settings, "%s.port", IKEV2_UDP_PORT, lib->ns);
885
886 if (port)
887 {
888 rv = bypass_port (add, spd_id, sa_id, port);
889 if (rv != SUCCESS)
890 {
891 return rv;
892 }
893 }
894
895 port = lib->settings->get_int (lib->settings, "%s.port_nat_t",
896 IKEV2_NATT_PORT, lib->ns);
897 if (port)
898 {
899 rv = bypass_port (add, spd_id, sa_id, port);
900 if (rv != SUCCESS)
901 {
902 return rv;
903 }
904 }
905
906 return SUCCESS;
907}
908
909/**
910 * Add or remove a policy
911 */
912static status_t
913manage_policy (private_kernel_vpp_ipsec_t *this, bool add,
914 kernel_ipsec_policy_id_t *id,
915 kernel_ipsec_manage_policy_t *data)
916{
917 spd_t *spd;
918 char *out = NULL, *interface = NULL;
919 int out_len;
920 uint32_t sw_if_index, spd_id = ~0, sad_id = ~0;
921 status_t rv = FAILED;
922 uint32_t priority, auto_priority;
923 chunk_t src_from, src_to, dst_from, dst_to;
924 host_t *src, *dst, *addr;
925 vl_api_ipsec_spd_entry_add_del_t *mp;
926 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
927 bool n_spd = false;
928
929 mp = vl_msg_api_alloc (sizeof (*mp));
930 memset (mp, 0, sizeof (*mp));
931
932 this->mutex->lock (this->mutex);
933 if (!id->interface)
934 {
935 addr = id->dir == POLICY_IN ? data->dst : data->src;
936 for (int i = 0; i < 5; i++)
937 {
938 if (!charon->kernel->get_interface (charon->kernel, addr,
939 &interface))
940 {
941 DBG1 (DBG_KNL, "policy no interface %H", addr);
942 interface = NULL;
943 sleep (1);
944 }
945
946 if (interface)
947 {
948 DBG1 (DBG_KNL, "policy have interface %H", addr);
949 break;
950 }
951 }
952 if (!interface)
953 goto error;
954 id->interface = interface;
955 }
956
957 DBG2 (DBG_KNL, "manage policy [%s] interface [%s]", add ? "ADD" : "DEL",
958 id->interface);
959
960 spd = this->spds->get (this->spds, id->interface);
961 if (!spd)
962 {
963 if (!add)
964 {
965 DBG1 (DBG_KNL, "SPD for %s not found, should not be deleted",
966 id->interface);
967 goto error;
968 }
969 sw_if_index = get_sw_if_index (id->interface);
970 DBG1 (DBG_KNL, "firstly created, spd for %s found sw_if_index is %d",
971 id->interface, sw_if_index);
972 if (sw_if_index == ~0)
973 {
974 DBG1 (DBG_KNL, "sw_if_index for %s not found", id->interface);
975 goto error;
976 }
977 spd_id = ref_get (&this->next_spd_id);
978 if (spd_add_del (TRUE, spd_id))
979 {
980 DBG1 (DBG_KNL, "spd_add_del %d failed!!!!!", spd_id);
981 goto error;
982 }
983 if (interface_add_del_spd (TRUE, spd_id, sw_if_index))
984 {
985 DBG1 (DBG_KNL, "interface_add_del_spd %d %d failed!!!!!", spd_id,
986 sw_if_index);
987 goto error;
988 }
989 INIT (spd, .spd_id = spd_id, .sw_if_index = sw_if_index,
990 .policy_num = 0, );
991 this->spds->put (this->spds, id->interface, spd);
992 n_spd = true;
993 }
994
995 auto_priority = calculate_priority (data->prio, id->src_ts, id->dst_ts);
996 priority = data->manual_prio ? data->manual_prio : auto_priority;
997
998 u16 msg_id =
999 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
1000 mp->_vl_msg_id = htons (msg_id);
1001 mp->is_add = add;
1002 mp->entry.spd_id = htonl (spd->spd_id);
1003 mp->entry.priority = htonl (INT_MAX - POLICY_PRIORITY_PASS);
1004 mp->entry.is_outbound = id->dir == POLICY_OUT;
1005 switch (data->type)
1006 {
1007 case POLICY_IPSEC:
1008 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_PROTECT);
1009 break;
1010 case POLICY_PASS:
1011 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_BYPASS);
1012 break;
1013 case POLICY_DROP:
1014 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_DISCARD);
1015 break;
1016 }
1017 if ((data->type == POLICY_IPSEC) && data->sa)
1018 {
1019 kernel_ipsec_sa_id_t id = {
1020 .src = data->src,
1021 .dst = data->dst,
1022 .proto = data->sa->esp.use ? IPPROTO_ESP : IPPROTO_AH,
1023 .spi = data->sa->esp.use ? data->sa->esp.spi : data->sa->ah.spi,
1024 };
1025 sa_t *sa = NULL;
1026 sa = this->sas->get (this->sas, &id);
1027 if (!sa)
1028 {
1029 DBG1 (DBG_KNL, "SA ID not found");
1030 goto error;
1031 }
1032 sad_id = sa->sa_id;
1033 if (n_spd)
1034 {
1035 if (manage_bypass (TRUE, spd_id, ~0))
1036 {
1037 DBG1 (DBG_KNL, "manage_bypass %d failed!!!!", spd_id);
1038 goto error;
1039 }
1040 }
1041 }
1042
1043 mp->entry.sa_id = htonl (sad_id);
1044
1045 bool is_ipv6 = false;
1046 if (id->src_ts->get_type (id->src_ts) == TS_IPV6_ADDR_RANGE)
1047 {
1048 is_ipv6 = true;
1049 mp->entry.local_address_start.af = htonl (ADDRESS_IP6);
1050 mp->entry.local_address_stop.af = htonl (ADDRESS_IP6);
1051 mp->entry.remote_address_start.af = htonl (ADDRESS_IP6);
1052 mp->entry.remote_address_stop.af = htonl (ADDRESS_IP6);
1053 }
1054 else
1055 {
1056 mp->entry.local_address_start.af = htonl (ADDRESS_IP4);
1057 mp->entry.local_address_stop.af = htonl (ADDRESS_IP4);
1058 mp->entry.remote_address_start.af = htonl (ADDRESS_IP4);
1059 mp->entry.remote_address_stop.af = htonl (ADDRESS_IP4);
1060 }
1061 mp->entry.protocol = id->src_ts->get_protocol (id->src_ts);
1062
1063 if (id->dir == POLICY_OUT)
1064 {
1065 src_from = id->src_ts->get_from_address (id->src_ts);
1066 src_to = id->src_ts->get_to_address (id->src_ts);
1067 src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_to, 0);
1068 dst_from = id->dst_ts->get_from_address (id->dst_ts);
1069 dst_to = id->dst_ts->get_to_address (id->dst_ts);
1070 dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_to, 0);
1071 }
1072 else
1073 {
1074 dst_from = id->src_ts->get_from_address (id->src_ts);
1075 dst_to = id->src_ts->get_to_address (id->src_ts);
1076 dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_from, 0);
1077 src_from = id->dst_ts->get_from_address (id->dst_ts);
1078 src_to = id->dst_ts->get_to_address (id->dst_ts);
1079 src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_from, 0);
1080 }
1081
1082 if (src->is_anyaddr (src) && dst->is_anyaddr (dst))
1083 {
1084 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
1085 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
1086 }
1087 else
1088 {
1089 memcpy (is_ipv6 ? mp->entry.local_address_start.un.ip6 :
1090 mp->entry.local_address_start.un.ip4,
1091 src_from.ptr, src_from.len);
1092 memcpy (is_ipv6 ? mp->entry.local_address_stop.un.ip6 :
1093 mp->entry.local_address_stop.un.ip4,
1094 src_to.ptr, src_to.len);
1095 memcpy (is_ipv6 ? mp->entry.remote_address_start.un.ip6 :
1096 mp->entry.remote_address_start.un.ip4,
1097 dst_from.ptr, dst_from.len);
1098 memcpy (is_ipv6 ? mp->entry.remote_address_stop.un.ip6 :
1099 mp->entry.remote_address_stop.un.ip4,
1100 dst_to.ptr, dst_to.len);
1101 }
1102 mp->entry.local_port_start = htons (id->src_ts->get_from_port (id->src_ts));
1103 mp->entry.local_port_stop = htons (id->src_ts->get_to_port (id->src_ts));
1104 mp->entry.remote_port_start = htons (id->dst_ts->get_from_port (id->dst_ts));
1105 mp->entry.remote_port_stop = htons (id->dst_ts->get_to_port (id->dst_ts));
1106
1107 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1108 {
1109 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
1110 goto error;
1111 }
1112 rmp = (void *) out;
1113 if (rmp->retval)
1114 {
1115 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
1116 ntohl (rmp->retval));
1117 goto error;
1118 }
1119
1120 if (add)
1121 {
1122 ref_get (&spd->policy_num);
1123 }
1124 else
1125 {
1126 if (ref_put (&spd->policy_num))
1127 {
1128 DBG1 (
1129 DBG_KNL,
1130 "policy_num's ref is 0, delete spd_id %d sw_if_index %d sad_id %x",
1131 spd->spd_id, spd->sw_if_index, sad_id);
1132 interface_add_del_spd (FALSE, spd->spd_id, spd->sw_if_index);
1133 manage_bypass (FALSE, spd->spd_id, sad_id);
1134 spd_add_del (FALSE, spd->spd_id);
1135 this->spds->remove (this->spds, id->interface);
1136 }
1137 }
1138
1139 if (this->install_routes && id->dir == POLICY_OUT && !mp->entry.protocol)
1140 {
1141 if (data->type == POLICY_IPSEC && data->sa->mode != MODE_TRANSPORT)
1142 {
1143 manage_route (this, add, id->dst_ts, data->src, data->dst);
1144 }
1145 }
1146 rv = SUCCESS;
1147error:
1148 free (out);
1149 vl_msg_api_free (mp);
1150 this->mutex->unlock (this->mutex);
1151 return rv;
1152}
1153
1154METHOD (kernel_ipsec_t, get_features, kernel_feature_t,
1155 private_kernel_vpp_ipsec_t *this)
1156{
1157 return KERNEL_ESP_V3_TFC;
1158}
1159
1160METHOD (kernel_ipsec_t, get_spi, status_t, private_kernel_vpp_ipsec_t *this,
1161 host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi)
1162{
1163 static const u_int p = 268435399, offset = 0xc0000000;
1164
1165 *spi = htonl (offset + permute (ref_get (&this->nextspi) ^ this->mixspi, p));
1166 return SUCCESS;
1167}
1168
1169METHOD (kernel_ipsec_t, get_cpi, status_t, private_kernel_vpp_ipsec_t *this,
1170 host_t *src, host_t *dst, uint16_t *cpi)
1171{
1172 DBG1 (DBG_KNL, "get_cpi is not supported!!!!!!!!!!!!!!!!!!!!!!!!");
1173 return NOT_SUPPORTED;
1174}
1175
1176/**
1177 * Helper struct for expiration events
1178 */
1179typedef struct
1180{
1181
1182 private_kernel_vpp_ipsec_t *manager;
1183
1184 kernel_ipsec_sa_id_t *sa_id;
1185
1186 /**
1187 * 0 if this is a hard expire, otherwise the offset in s (soft->hard)
1188 */
1189 uint32_t hard_offset;
1190
1191} vpp_sa_expired_t;
1192
1193/**
1194 * Callback for expiration events
1195 */
1196static job_requeue_t
1197sa_expired (vpp_sa_expired_t *expired)
1198{
1199 private_kernel_vpp_ipsec_t *this = expired->manager;
1200 sa_t *sa;
1201 kernel_ipsec_sa_id_t *id = expired->sa_id;
1202
1203 this->mutex->lock (this->mutex);
1204 sa = this->sas->get (this->sas, id);
1205
1206 if (sa)
1207 {
1208 charon->kernel->expire (charon->kernel, id->proto, id->spi, id->dst,
1209 FALSE);
1210 }
1211
1212 free (id);
1213 this->mutex->unlock (this->mutex);
1214 return JOB_REQUEUE_NONE;
1215}
1216
1217/**
1218 * Schedule a job to handle IPsec SA expiration
1219 */
1220static void
1221schedule_expiration (private_kernel_vpp_ipsec_t *this,
1222 kernel_ipsec_add_sa_t *entry,
1223 kernel_ipsec_sa_id_t *entry2)
1224{
1225 lifetime_cfg_t *lifetime = entry->lifetime;
1226 vpp_sa_expired_t *expired;
1227 callback_job_t *job;
1228 uint32_t timeout;
1229 kernel_ipsec_sa_id_t *id;
1230
1231 if (!lifetime->time.life)
1232 { /* no expiration at all */
1233 return;
1234 }
1235
1236 INIT (id, .src = entry2->src->clone (entry2->src),
1237 .dst = entry2->dst->clone (entry2->dst), .spi = entry2->spi,
1238 .proto = entry2->proto, );
1239
1240 INIT (expired, .manager = this, .sa_id = id, );
1241
1242 /* schedule a rekey first, a hard timeout will be scheduled then, if any */
1243 expired->hard_offset = lifetime->time.life - lifetime->time.rekey;
1244 timeout = lifetime->time.rekey;
1245
1246 if (lifetime->time.life <= lifetime->time.rekey || lifetime->time.rekey == 0)
1247 { /* no rekey, schedule hard timeout */
1248 expired->hard_offset = 0;
1249 timeout = lifetime->time.life;
1250 }
1251
1252 job = callback_job_create ((callback_job_cb_t) sa_expired, expired,
1253 (callback_job_cleanup_t) free, NULL);
1254 lib->scheduler->schedule_job (lib->scheduler, (job_t *) job, timeout);
1255}
1256
1257METHOD (kernel_ipsec_t, add_sa, status_t, private_kernel_vpp_ipsec_t *this,
1258 kernel_ipsec_sa_id_t *id, kernel_ipsec_add_sa_t *data)
1259{
1260 char *out = NULL;
1261 int out_len;
1262 vl_api_ipsec_sad_entry_add_del_t *mp;
1263 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
1264 uint32_t sad_id = ref_get (&this->next_sad_id);
1265 uint8_t ca = 0, ia = 0;
1266 status_t rv = FAILED;
1267 chunk_t src, dst;
1268 kernel_ipsec_sa_id_t *sa_id;
1269 sa_t *sa;
1270 int key_len = data->enc_key.len;
1271
1272 if ((data->enc_alg == ENCR_AES_CTR) ||
1273 (data->enc_alg == ENCR_AES_GCM_ICV8) ||
1274 (data->enc_alg == ENCR_AES_GCM_ICV12) ||
1275 (data->enc_alg == ENCR_AES_GCM_ICV16))
1276 {
1277 static const int SALT_SIZE =
1278 4; /* See how enc_size is calculated at keymat_v2.derive_child_keys */
1279 key_len = key_len - SALT_SIZE;
1280 }
1281 natt_port = lib->settings->get_int (
1282 lib->settings, "%s.plugins.socket-default.natt", IKEV2_NATT_PORT, lib->ns);
1283 mp = vl_msg_api_alloc (sizeof (*mp));
1284 memset (mp, 0, sizeof (*mp));
1285 u16 msg_id =
1286 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1287 mp->_vl_msg_id = htons (msg_id);
1288 mp->is_add = 1;
1289 mp->entry.sad_id = htonl (sad_id);
1290 mp->entry.spi = id->spi;
1291 mp->entry.protocol = id->proto == IPPROTO_ESP ? htonl (IPSEC_API_PROTO_ESP) :
1292 htonl (IPSEC_API_PROTO_AH);
1293
1294 switch (data->enc_alg)
1295 {
1296 case ENCR_NULL:
1297 ca = IPSEC_API_CRYPTO_ALG_NONE;
1298 break;
1299 case ENCR_AES_CBC:
1300 switch (key_len * 8)
1301 {
1302 case 128:
1303 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_128;
1304 break;
1305 case 192:
1306 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_192;
1307 break;
1308 case 256:
1309 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_256;
1310 break;
1311 default:
1312 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1313 key_len * 8);
1314 goto error;
1315 }
1316 break;
1317 case ENCR_AES_CTR:
1318 switch (key_len * 8)
1319 {
1320 case 128:
1321 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_128;
1322 break;
1323 case 192:
1324 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_192;
1325 break;
1326 case 256:
1327 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_256;
1328 break;
1329 default:
1330 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1331 key_len * 8);
1332 goto error;
1333 }
1334 break;
1335 case ENCR_AES_GCM_ICV8:
1336 case ENCR_AES_GCM_ICV12:
1337 case ENCR_AES_GCM_ICV16:
1338 switch (key_len * 8)
1339 {
1340 case 128:
1341 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_128;
1342 break;
1343 case 192:
1344 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_192;
1345 break;
1346 case 256:
1347 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_256;
1348 break;
1349 default:
1350 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1351 key_len * 8);
1352 goto error;
1353 }
1354 break;
1355 case ENCR_DES:
1356 ca = IPSEC_API_CRYPTO_ALG_DES_CBC;
1357 break;
1358 case ENCR_3DES:
1359 ca = IPSEC_API_CRYPTO_ALG_3DES_CBC;
1360 break;
1361 default:
1362 DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
1363 encryption_algorithm_names, data->enc_alg);
1364 goto error;
1365 }
1366 mp->entry.crypto_algorithm = htonl (ca);
1367 mp->entry.crypto_key.length = key_len < 128 ? key_len : 128;
1368 memcpy (mp->entry.crypto_key.data, data->enc_key.ptr,
1369 mp->entry.crypto_key.length);
1370
1371 /* copy salt for AEAD algorithms */
1372 if ((data->enc_alg == ENCR_AES_CTR) ||
1373 (data->enc_alg == ENCR_AES_GCM_ICV8) ||
1374 (data->enc_alg == ENCR_AES_GCM_ICV12) ||
1375 (data->enc_alg == ENCR_AES_GCM_ICV16))
1376 {
1377 memcpy (&mp->entry.salt, data->enc_key.ptr + mp->entry.crypto_key.length,
1378 4);
1379 }
1380
1381 switch (data->int_alg)
1382 {
1383 case AUTH_UNDEFINED:
1384 ia = IPSEC_API_INTEG_ALG_NONE;
1385 break;
1386 case AUTH_HMAC_MD5_96:
1387 ia = IPSEC_API_INTEG_ALG_MD5_96;
1388 break;
1389 case AUTH_HMAC_SHA1_96:
1390 ia = IPSEC_API_INTEG_ALG_SHA1_96;
1391 break;
1392 case AUTH_HMAC_SHA2_256_96:
1393 ia = IPSEC_API_INTEG_ALG_SHA_256_96;
1394 break;
1395 case AUTH_HMAC_SHA2_256_128:
1396 ia = IPSEC_API_INTEG_ALG_SHA_256_128;
1397 break;
1398 case AUTH_HMAC_SHA2_384_192:
1399 ia = IPSEC_API_INTEG_ALG_SHA_384_192;
1400 break;
1401 case AUTH_HMAC_SHA2_512_256:
1402 ia = IPSEC_API_INTEG_ALG_SHA_512_256;
1403 break;
1404 default:
1405 DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
1406 integrity_algorithm_names, data->int_alg);
1407 goto error;
1408 break;
1409 }
1410 mp->entry.integrity_algorithm = htonl (ia);
1411 mp->entry.integrity_key.length =
1412 data->int_key.len < 128 ? data->int_key.len : 128;
1413 memcpy (mp->entry.integrity_key.data, data->int_key.ptr,
1414 mp->entry.integrity_key.length);
1415
1416 int flags = IPSEC_API_SAD_FLAG_NONE;
1417 if (data->esn)
1418 flags |= IPSEC_API_SAD_FLAG_USE_ESN;
1419 if (data->mode == MODE_TUNNEL)
1420 {
1421 if (id->src->get_family (id->src) == AF_INET6)
1422 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
1423 else
1424 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
1425 }
1426 if (data->encap)
1427 {
1428 DBG1 (DBG_KNL, "UDP encap!!!!!!!!!!!!!!!!!!!!");
1429 flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
1430 }
1431 mp->entry.flags = htonl (flags);
1432
1433 bool is_ipv6 = false;
1434 if (id->src->get_family (id->src) == AF_INET6)
1435 {
1436 is_ipv6 = true;
1437 mp->entry.tunnel_src.af = htonl (ADDRESS_IP6);
1438 mp->entry.tunnel_dst.af = htonl (ADDRESS_IP6);
1439 }
1440 else
1441 {
1442 mp->entry.tunnel_src.af = htonl (ADDRESS_IP4);
1443 mp->entry.tunnel_dst.af = htonl (ADDRESS_IP4);
1444 }
1445 src = id->src->get_address (id->src);
1446 memcpy (is_ipv6 ? mp->entry.tunnel_src.un.ip6 : mp->entry.tunnel_src.un.ip4,
1447 src.ptr, src.len);
1448 dst = id->dst->get_address (id->dst);
1449 memcpy (is_ipv6 ? mp->entry.tunnel_dst.un.ip6 : mp->entry.tunnel_dst.un.ip4,
1450 dst.ptr, dst.len);
1451 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1452 {
1453 DBG1 (DBG_KNL, "vac adding SA failed");
1454 goto error;
1455 }
1456 rmp = (void *) out;
1457 if (rmp->retval)
1458 {
1459 DBG1 (DBG_KNL, "add SA failed rv:%d", ntohl (rmp->retval));
1460 goto error;
1461 }
1462
1463 this->mutex->lock (this->mutex);
1464 INIT (sa_id, .src = id->src->clone (id->src),
1465 .dst = id->dst->clone (id->dst), .spi = id->spi, .proto = id->proto, );
1466 INIT (sa, .sa_id = sad_id, .stat_index = ntohl (rmp->stat_index), );
1467 DBG4 (DBG_KNL, "put sa by its sa_id %x !!!!!!", sad_id);
1468 this->sas->put (this->sas, sa_id, sa);
1469 schedule_expiration (this, data, id);
1470 this->mutex->unlock (this->mutex);
1471 rv = SUCCESS;
1472
1473error:
1474 free (out);
1475 vl_msg_api_free (mp);
1476 return rv;
1477}
1478
1479METHOD (kernel_ipsec_t, update_sa, status_t, private_kernel_vpp_ipsec_t *this,
1480 kernel_ipsec_sa_id_t *id, kernel_ipsec_update_sa_t *data)
1481{
1482 DBG1 (DBG_KNL,
1483 "update sa not supported!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1484 return NOT_SUPPORTED;
1485}
1486
1487METHOD (kernel_ipsec_t, query_sa, status_t, private_kernel_vpp_ipsec_t *this,
1488 kernel_ipsec_sa_id_t *id, kernel_ipsec_query_sa_t *data,
1489 uint64_t *bytes, uint64_t *packets, time_t *time)
1490{
1491 status_t rv = FAILED;
1492 sa_t *sa;
1493 u32 *dir;
1494 int i, k;
1495 stat_segment_data_t *res;
1496 u8 **pattern = 0;
1497 uint64_t res_bytes = 0;
1498 uint64_t res_packets = 0;
1499
1500 this->mutex->lock (this->mutex);
1501 sa = this->sas->get (this->sas, id);
1502 this->mutex->unlock (this->mutex);
1503 if (!sa)
1504 {
1505 DBG1 (DBG_KNL, "SA not found");
1506 return NOT_FOUND;
1507 }
1508
1509 int rv_stat = stat_segment_connect ("/run/vpp/stats.sock");
1510 if (rv_stat != 0)
1511 {
1512 DBG1 (DBG_KNL, "Not connecting with stats segmentation");
1513 return NOT_FOUND;
1514 }
1515 vec_add1 (pattern, (u8 *) "/net/ipsec/sa");
1516 dir = stat_segment_ls ((u8 **) pattern);
1517 res = stat_segment_dump (dir);
1518 /* i-loop for each results find by pattern - here two:
1519 * 1. /net/ipsec/sa
1520 * 2. /net/ipsec/sa/lost
1521 */
1522 for (i = 0; i < vec_len (res); i++)
1523 {
1524 switch (res[i].type)
1525 {
1526 /* type for how many packets are lost */
1527 case STAT_DIR_TYPE_COUNTER_VECTOR_SIMPLE:
1528 if (res[i].simple_counter_vec == 0)
1529 continue;
1530 break;
1531 /* type for counter for each SA */
1532 case STAT_DIR_TYPE_COUNTER_VECTOR_COMBINED:
1533 if (res[i].combined_counter_vec == 0)
1534 continue;
1535 /* k-loop for each threads - that you run VPP */
1536 for (k = 0; k < vec_len (res[i].combined_counter_vec); k++)
1537 {
1538 if (sa->stat_index <= vec_len (res[i].combined_counter_vec[k]))
1539 {
1540 DBG4 (DBG_KNL, "Thread: %d, Packets: %lu, Bytes: %lu", k,
1541 res[i].combined_counter_vec[k][sa->stat_index].packets,
1542 res[i].combined_counter_vec[k][sa->stat_index].bytes);
1543 res_bytes +=
1544 res[i].combined_counter_vec[k][sa->stat_index].bytes;
1545 res_packets +=
1546 res[i].combined_counter_vec[k][sa->stat_index].packets;
1547 }
1548 }
1549 break;
1550 case STAT_DIR_TYPE_NAME_VECTOR:
1551 if (res[i].name_vector == 0)
1552 continue;
1553 break;
1554 }
1555 }
1556 stat_segment_data_free (res);
1557 stat_segment_disconnect ();
1558
1559 vec_free (pattern);
1560 vec_free (dir);
1561
1562 if (bytes)
1563 {
1564 *bytes = res_bytes;
1565 }
1566 if (packets)
1567 {
1568 *packets = res_packets;
1569 }
1570 if (time)
1571 {
1572 *time = 0;
1573 }
1574
1575 rv = SUCCESS;
1576 return rv;
1577}
1578
1579METHOD (kernel_ipsec_t, del_sa, status_t, private_kernel_vpp_ipsec_t *this,
1580 kernel_ipsec_sa_id_t *id, kernel_ipsec_del_sa_t *data)
1581{
1582 char *out = NULL;
1583 int out_len;
1584 vl_api_ipsec_sad_entry_add_del_t *mp;
1585 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
1586 status_t rv = FAILED;
1587 sa_t *sa;
1588
1589 this->mutex->lock (this->mutex);
1590 sa = this->sas->get (this->sas, id);
1591 if (!sa)
1592 {
1593 DBG1 (DBG_KNL, "SA not found");
1594 rv = NOT_FOUND;
1595 goto error;
1596 }
1597 mp = vl_msg_api_alloc (sizeof (*mp));
1598 memset (mp, 0, sizeof (*mp));
1599 mp->is_add = 0;
1600 u16 msg_id =
1601 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1602 mp->_vl_msg_id = htons (msg_id);
1603 mp->entry.sad_id = htonl (sa->sa_id);
1604
1605 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1606 {
1607 DBG1 (DBG_KNL, "vac removing SA failed");
1608 goto error;
1609 }
1610 rmp = (void *) out;
1611 if (rmp->retval)
1612 {
1613 DBG1 (DBG_KNL, "del SA failed rv:%d", ntohl (rmp->retval));
1614 goto error;
1615 }
1616
1617 vl_msg_api_free (mp);
1618 this->sas->remove (this->sas, id);
1619 rv = SUCCESS;
1620error:
1621 free (out);
1622 this->mutex->unlock (this->mutex);
1623 return rv;
1624}
1625
1626METHOD (kernel_ipsec_t, flush_sas, status_t, private_kernel_vpp_ipsec_t *this)
1627{
1628 enumerator_t *enumerator;
1629 int out_len;
1630 char *out;
1631 vl_api_ipsec_sad_entry_add_del_t *mp;
1632 sa_t *sa = NULL;
1633
1634 this->mutex->lock (this->mutex);
1635 enumerator = this->sas->create_enumerator (this->sas);
1636 while (enumerator->enumerate (enumerator, sa, NULL))
1637 {
1638 mp = vl_msg_api_alloc (sizeof (*mp));
1639 memset (mp, 0, sizeof (*mp));
1640 u16 msg_id =
1641 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1642 mp->_vl_msg_id = htons (msg_id);
1643 mp->entry.sad_id = htonl (sa->sa_id);
1644 mp->is_add = 0;
1645 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1646 {
1647 DBG1 (DBG_KNL, "flush_sas failed!!!!");
1648 return FALSE;
1649 }
1650 free (out);
1651 vl_msg_api_free (mp);
1652 this->sas->remove_at (this->sas, enumerator);
1653 }
1654 enumerator->destroy (enumerator);
1655 this->mutex->unlock (this->mutex);
1656
1657 return SUCCESS;
1658}
1659
1660METHOD (kernel_ipsec_t, add_policy, status_t, private_kernel_vpp_ipsec_t *this,
1661 kernel_ipsec_policy_id_t *id, kernel_ipsec_manage_policy_t *data)
1662{
1663 return manage_policy (this, TRUE, id, data);
1664}
1665
1666METHOD (kernel_ipsec_t, query_policy, status_t,
1667 private_kernel_vpp_ipsec_t *this, kernel_ipsec_policy_id_t *id,
1668 kernel_ipsec_query_policy_t *data, time_t *use_time)
1669{
1670 return NOT_SUPPORTED;
1671}
1672
1673METHOD (kernel_ipsec_t, del_policy, status_t, private_kernel_vpp_ipsec_t *this,
1674 kernel_ipsec_policy_id_t *id, kernel_ipsec_manage_policy_t *data)
1675{
1676 return manage_policy (this, FALSE, id, data);
1677}
1678
1679METHOD (kernel_ipsec_t, flush_policies, status_t,
1680 private_kernel_vpp_ipsec_t *this)
1681{
1682 return NOT_SUPPORTED;
1683}
1684
1685METHOD (kernel_ipsec_t, bypass_socket, bool, private_kernel_vpp_ipsec_t *this,
1686 int fd, int family)
1687{
1688 return FALSE;
1689}
1690
1691METHOD (kernel_ipsec_t, enable_udp_decap, bool,
1692 private_kernel_vpp_ipsec_t *this, int fd, int family, u_int16_t port)
1693{
1694 DBG1 (DBG_KNL, "enable_udp_decap not supported!!!!!!!!!!!!!!!!!!!!!!!!!");
1695 return FALSE;
1696}
1697
1698METHOD (kernel_ipsec_t, destroy, void, private_kernel_vpp_ipsec_t *this)
1699{
1700 this->mutex->destroy (this->mutex);
1701 this->sas->destroy (this->sas);
1702 this->spds->destroy (this->spds);
1703 this->routes->destroy (this->routes);
1704 free (this);
1705}
1706
1707kernel_vpp_ipsec_t *
1708kernel_vpp_ipsec_create ()
1709{
1710 private_kernel_vpp_ipsec_t *this;
1711
1712 INIT(this,
1713 .public = {
1714 .interface = {
1715 .get_features = _get_features,
1716 .get_spi = _get_spi,
1717 .get_cpi = _get_cpi,
1718 .add_sa = _add_sa,
1719 .update_sa = _update_sa,
1720 .query_sa = _query_sa,
1721 .del_sa = _del_sa,
1722 .flush_sas = _flush_sas,
1723 .add_policy = _add_policy,
1724 .query_policy = _query_policy,
1725 .del_policy = _del_policy,
1726 .flush_policies = _flush_policies,
1727 .bypass_socket = _bypass_socket,
1728 .enable_udp_decap = _enable_udp_decap,
1729 .destroy = _destroy,
1730 },
1731 },
1732 .next_sad_id = 0,
1733 .next_spd_id = 0,
1734 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
1735 .sas = hashtable_create((hashtable_hash_t)sa_hash,
1736 (hashtable_equals_t)sa_equals, 32),
1737 .spds = hashtable_create((hashtable_hash_t)interface_hash,
1738 (hashtable_equals_t)interface_equals, 4),
1739 .routes = linked_list_create(),
1740 .install_routes = lib->settings->get_bool(lib->settings,
1741 "%s.install_routes", TRUE, lib->ns),
1742 );
1743
1744 if (!init_spi (this))
1745 {
1746 destroy (this);
1747 return NULL;
1748 }
1749
1750 return &this->public;
1751}