Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 8de66c090ef25977d8cc9c10084edbe146999c61 / . / extras / strongswan / vpp_sswan / kernel_vpp_ipsec.c
blob: 2a0d86d7ef031bf19491934e90c3dcf1b067310b [file] [log] [blame]
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000[diff] [blame]1/*
2 * Copyright (c) 2022 Intel and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#include <daemon.h>
17#include <utils/debug.h>
18#include <vlibapi/api.h>
19#include <vlibmemory/api.h>
20#include <vnet/ipsec/ipsec.h>
21#include <vnet/vnet.h>
22#include <collections/hashtable.h>
23#include <threading/mutex.h>
24#include <processing/jobs/callback_job.h>
25#include <vpp-api/client/stat_client.h>
26
27#define vl_typedefs
28#define vl_endianfun
29/* Include the (first) vlib-api API definition layer */
30#include <vlibmemory/vl_memory_api_h.h>
31/* Include the current layer (third) vpp API definition layer */
32#include <vpp/api/vpe_types.api.h>
33#include <vpp/api/vpe.api.h>
34
35#include <vnet/ip-neighbor/ip_neighbor.api_enum.h>
36#include <vnet/ip-neighbor/ip_neighbor.api_types.h>
37#include <vnet/ipsec/ipsec.api_enum.h>
38#include <vnet/ipsec/ipsec.api_types.h>
39#include <vnet/interface.api_enum.h>
40#include <vnet/interface.api_types.h>
41#undef vl_typedefs
42#undef vl_endianfun
43
44#include "kernel_vpp_ipsec.h"
45#include "kernel_vpp_shared.h"
46
47#include <stdio.h>
48#include <stdlib.h>
49#include <string.h>
50#include <sys/socket.h>
51#include <netinet/in.h>
52#include <arpa/inet.h>
53#include <sys/ioctl.h>
54#include <net/if.h>
55#include <net/route.h>
56#include <unistd.h>
57#include <fcntl.h>
58#include <sys/types.h>
59#include <net/if_arp.h>
60#include <sys/stat.h>
61#include <dirent.h>
62
63#define PRIO_BASE 384
64
65u32 natt_port;
66
67/**
68 * One and only instance of the daemon.
69 */
70daemon_t *charon;
71
72typedef struct private_kernel_vpp_ipsec_t private_kernel_vpp_ipsec_t;
73
74/**
75 * Private variables of kernel_vpp_ipsec class.
76 */
77struct private_kernel_vpp_ipsec_t
78{
79
80 /**
81 * Public interface
82 */
83 kernel_vpp_ipsec_t public;
84
85 /**
86 * Next security association database entry ID to allocate
87 */
88 refcount_t next_sad_id;
89
90 /**
91 * Next security policy database entry ID to allocate
92 */
93 refcount_t next_spd_id;
94
95 /**
96 * Mutex to lock access to installed policies
97 */
98 mutex_t *mutex;
99
100 /**
101 * Hash table of instaled SA, as kernel_ipsec_sa_id_t => sa_t
102 */
103 hashtable_t *sas;
104
105 /**
106 * Hash table of security policy databases, as nterface => spd_t
107 */
108 hashtable_t *spds;
109
110 /**
111 * Linked list of installed routes
112 */
113 linked_list_t *routes;
114
115 /**
116 * Next SPI to allocate
117 */
118 refcount_t nextspi;
119
120 /**
121 * Mix value to distribute SPI allocation randomly
122 */
123 uint32_t mixspi;
124
125 /**
126 * Whether to install routes along policies
127 */
128 bool install_routes;
Atzm Watanabefc2d95d2023-01-25 14:11:10 +0900[diff] [blame]129
130 /**
131 * Whether to install SAs with tunnel flag. Disabling this can be useful
132 * in some scenarios e.g. using SAs to "ipsec tunnel protect" for the
133 * route-based IPsec
134 */
135 bool use_tunnel_mode_sa;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000[diff] [blame]136};
137
138/**
139 * Security association entry
140 */
141typedef struct
142{
143 /** VPP SA ID */
144 uint32_t sa_id;
145 uint32_t stat_index;
146} sa_t;
147
148/**
149 * Security policy database
150 */
151typedef struct
152{
153 /** VPP SPD ID */
154 uint32_t spd_id;
155 /** Networking interface ID restricting policy */
156 uint32_t sw_if_index;
157 /** Policy count for this SPD */
158 refcount_t policy_num;
159} spd_t;
160
161/**
162 * Installed route
163 */
164typedef struct
165{
166 /** Name of the interface the route is bound to */
167 char *if_name;
168 /** Gateway of route */
169 host_t *gateway;
170 /** Destination network of route */
171 host_t *dst_net;
172 /** Prefix length of dst_net */
173 uint8_t prefixlen;
174 /** References for route */
175 refcount_t refs;
176} route_entry_t;
177
178#define htonll(x) \
179 ((1 == htonl (1)) ? \
180 (x) : \
181 ((uint64_t) htonl ((x) &0xFFFFFFFF) << 32) | htonl ((x) >> 32))
182#define ntohll(x) \
183 ((1 == ntohl (1)) ? \
184 (x) : \
185 ((uint64_t) ntohl ((x) &0xFFFFFFFF) << 32) | ntohl ((x) >> 32))
186
187CALLBACK (route_equals, bool, route_entry_t *a, va_list args)
188{
189 host_t *dst_net, *gateway;
190 uint8_t *prefixlen;
191 char *if_name;
192
193 VA_ARGS_VGET (args, if_name, gateway, dst_net, prefixlen);
194
195 return a->if_name && if_name && streq (a->if_name, if_name) &&
196 a->gateway->ip_equals (a->gateway, gateway) &&
197 a->dst_net->ip_equals (a->dst_net, dst_net) &&
198 a->prefixlen == *prefixlen;
199}
200
201/**
202 * Clean up a route entry
203 */
204static void
205route_destroy (route_entry_t *this)
206{
207 this->dst_net->destroy (this->dst_net);
208 this->gateway->destroy (this->gateway);
209 free (this->if_name);
210 free (this);
211}
212
213static uint32_t get_sw_if_index ();
214
215static int
216set_arp (char *ipStr, char *if_name, bool add)
217{
218 char *out = NULL;
219 int out_len = 0;
220 vl_api_ip_neighbor_add_del_t *mp;
221 vl_api_ip_neighbor_add_del_reply_t *rmp;
222 int rc = SUCCESS;
223 uint32_t sw_if_index = ~0;
224
225 FILE *fp;
226 int nread = 0;
227 ssize_t len = 0;
228 char *buffer = NULL;
229 char buf[2][20];
230 char *file = "/proc/net/arp";
231 unsigned char mac[8] = {
232 0,
233 };
234 uint32_t addr;
235
236 if (if_name == NULL || ipStr == NULL)
237 {
238 DBG2 (DBG_KNL, "para is null\n");
239 rc = FAILED;
240 }
241 DBG2 (DBG_KNL, "from kernel read mac\n");
242
243 mp = vl_msg_api_alloc (sizeof (*mp));
244 memset (mp, 0, sizeof (*mp));
245 sw_if_index = get_sw_if_index (if_name);
246 if (sw_if_index == ~0)
247 {
248 DBG1 (DBG_KNL, "sw_if_index for %s not found", if_name);
249 goto error;
250 }
251
252 fp = fopen (file, "rb");
253 while ((nread = getline (&buffer, &len, fp)) != -1)
254 {
255 sscanf (buffer, "%s %*s %*s %s %*s %*s", &buf[0], &buf[1]);
256 inet_aton (&buf[0], &addr);
257
258 if (addr == *((u32 *) (ipStr)))
259 {
260 sscanf (buf[1], "%02x:%02x:%02x:%02x:%02x:%02x", &mac[0], &mac[1],
261 &mac[2], &mac[3], &mac[4], &mac[5]);
262 u16 msg_id =
263 vl_msg_api_get_msg_index ((u8 *) "ip_neighbor_add_del_0607c257");
264 mp->_vl_msg_id = htons (msg_id);
265 mp->is_add = add;
266 memcpy (mp->neighbor.ip_address.un.ip4, (u8 *) &addr, sizeof (addr));
267 mp->neighbor.ip_address.af = 0;
268 memcpy (mp->neighbor.mac_address, mac, 6);
269 mp->neighbor.sw_if_index = htonl (sw_if_index);
270 mp->neighbor.flags = 1;
271
272 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
273 {
274 DBG1 (DBG_KNL, "vac %s neighbor entry",
275 add ? "adding" : "removing");
276 goto error;
277 }
278 rmp = (void *) out;
279 if (rmp->retval)
280 {
281 DBG1 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
282 ntohl (rmp->retval));
283 goto error;
284 }
285 fclose (fp);
286 return rc;
287 }
288 }
289 return rc;
290
291error:
292 free (out);
293 vl_msg_api_free (mp);
294 return rc;
295}
296
297static int
298add_Route (char *ipAddr, int len, char *mask, char *gateWay)
299{
300 int fd;
301 int rc = SUCCESS;
302 struct sockaddr_in _sin;
303 struct sockaddr_in *sin = &_sin;
304 struct rtentry rt;
305
306 do
307 {
308 fd = socket (AF_INET, SOCK_DGRAM, 0);
309 if (fd < 0)
310 {
311 DBG2 (DBG_KNL, "addRoute: socket error\n");
312 rc = FAILED;
313 break;
314 }
315 memset (&rt, 0, sizeof (struct rtentry));
316 memset (sin, 0, sizeof (struct sockaddr_in));
317 sin->sin_family = AF_INET;
318 sin->sin_port = 0;
319
320 if (inet_aton (gateWay, &sin->sin_addr) < 0)
321 {
322 rc = FAILED;
323 break;
324 }
325 memcpy (&rt.rt_gateway, sin, sizeof (struct sockaddr_in));
326
327 ((struct sockaddr_in *) &rt.rt_dst)->sin_family = AF_INET;
328 memcpy (&((struct sockaddr_in *) &rt.rt_dst)->sin_addr, ipAddr, len);
329
330 ((struct sockaddr_in *) &rt.rt_genmask)->sin_family = AF_INET;
331 if (inet_aton (mask,
332 &((struct sockaddr_in *) &rt.rt_genmask)->sin_addr) < 0)
333 {
334 rc = FAILED;
335 break;
336 }
337 rt.rt_flags = RTF_GATEWAY;
338 if (ioctl (fd, SIOCADDRT, &rt) < 0)
339 {
340 rc = FAILED;
341 }
342 }
343 while (0);
344
345 close (fd);
346 return rc;
347}
348
349static int
350set_address (u32 ipAddr, u32 sw_if_index, bool add)
351{
352 char *out = NULL;
353 int out_len = 0;
354 vl_api_sw_interface_add_del_address_t *mp;
355 vl_api_sw_interface_add_del_address_reply_t *rmp;
356
357 int rc = SUCCESS;
358
359 uint32_t addr;
360
361 mp = vl_msg_api_alloc (sizeof (*mp));
362 memset (mp, 0, sizeof (*mp));
363
364 u16 msg_id =
365 vl_msg_api_get_msg_index ((u8 *) "sw_interface_add_del_address_5463d73b");
366 mp->_vl_msg_id = htons (msg_id);
367 mp->is_add = add;
368 memcpy (mp->prefix.address.un.ip4, (u8 *) &ipAddr, sizeof (ipAddr));
369 mp->prefix.len = 24;
370 mp->sw_if_index = sw_if_index;
371
372 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
373 {
374 DBG2 (DBG_KNL, "vac %s neighbor entry", add ? "adding" : "removing");
375 goto error;
376 }
377 rmp = (void *) out;
378 if (rmp->retval)
379 {
380 DBG2 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
381 ntohl (rmp->retval));
382 goto error;
383 }
384 return rc;
385
386error:
387 free (out);
388 vl_msg_api_free (mp);
389 return rc;
390}
391
392/**
393 * (Un)-install a single route
394 */
395static void
396manage_route (private_kernel_vpp_ipsec_t *this, bool add,
397 traffic_selector_t *dst_ts, host_t *src, host_t *dst)
398{
399 host_t *dst_net, *gateway;
400 uint8_t prefixlen;
401 char *if_name;
402 route_entry_t *route;
403 bool route_exist = FALSE;
404
405 char *netmask = "255.255.255.0";
406 char *tap_gateway = "1.1.1.1";
407 int arp_rc = 0;
408 if (dst->is_anyaddr (dst))
409 {
410 return;
411 }
412 gateway =
413 charon->kernel->get_nexthop (charon->kernel, dst, -1, NULL, &if_name);
414 dst_ts->to_subnet (dst_ts, &dst_net, &prefixlen);
415 if (!if_name)
416 {
417 if (src->is_anyaddr (src))
418 {
419 return;
420 }
421 if (!charon->kernel->get_interface (charon->kernel, src, &if_name))
422 {
423 return;
424 }
425 }
426 route_exist =
427 this->routes->find_first (this->routes, route_equals, (void **) &route,
428 if_name, gateway, dst_net, &prefixlen);
429 if (add)
430 {
431 DBG2 (DBG_KNL, "installing route: %H/%d via %H dev %s", dst_net,
432 prefixlen, gateway, if_name);
433 if (route_exist)
434 {
435 unsigned int refs_num = ref_get (&route->refs);
436 DBG2 (DBG_KNL, "add route but it exist %d", refs_num);
437 }
438 else
439 {
440 INIT (route, .if_name = strdup (if_name),
441 .gateway = gateway->clone (gateway),
442 .dst_net = dst_net->clone (dst_net), .prefixlen = prefixlen,
443 .refs = 1, );
444 this->routes->insert_last (this->routes, route);
445 charon->kernel->add_route (charon->kernel,
446 dst_net->get_address (dst_net), prefixlen,
447 gateway, dst, if_name, 1);
448 }
449
450 add_Route (dst_net->get_address (dst_net).ptr,
451 dst_net->get_address (dst_net).len, netmask, tap_gateway);
452
453 arp_rc = set_arp (gateway->get_address (gateway).ptr, if_name, TRUE);
454 if (arp_rc)
455 DBG2 (DBG_KNL, "arpGet success!\n");
456 }
457 else
458 {
459 DBG2 (DBG_KNL, "uninstalling route: %H/%d via %H dev %s", dst_net,
460 prefixlen, gateway, if_name);
461 if (!route_exist)
462 {
463 DBG2 (DBG_KNL, "del route but it not exist");
464 return;
465 }
466 if (ref_put (&route->refs))
467 {
468 this->routes->remove (this->routes, route, NULL);
469 route_destroy (route);
470 charon->kernel->del_route (charon->kernel,
471 dst_net->get_address (dst_net), prefixlen,
472 gateway, dst, if_name, 1);
473 }
474 }
475}
476
477/**
478 * Hash function for IPsec SA
479 */
480static u_int
481sa_hash (kernel_ipsec_sa_id_t *sa)
482{
483 return chunk_hash_inc (
484 sa->src->get_address (sa->src),
485 chunk_hash_inc (
486 sa->dst->get_address (sa->dst),
487 chunk_hash_inc (chunk_from_thing (sa->spi),
488 chunk_hash (chunk_from_thing (sa->proto)))));
489}
490
491/**
492 * Equality function for IPsec SA
493 */
494static bool
495sa_equals (kernel_ipsec_sa_id_t *sa, kernel_ipsec_sa_id_t *other_sa)
496{
497 return sa->src->ip_equals (sa->src, other_sa->src) &&
498 sa->dst->ip_equals (sa->dst, other_sa->dst) &&
499 sa->spi == other_sa->spi && sa->proto == other_sa->proto;
500}
501
502/**
Gabriel Oginski8de66c02023-02-03 08:12:36 +0000[diff] [blame^]503 * Equality function for policy SPD
504 */
505static bool
506policy_equals (vl_api_ipsec_spd_entry_t *policy,
507 vl_api_ipsec_spd_entry_t *other_policy)
508{
509
510 /* change protocol due to legacy implementation of ANY protocol inside VPP */
511 if (other_policy->protocol == 255)
512 other_policy->protocol = 0;
513
514 /* return true if both policies are equal */
515 return !memcmp (policy, other_policy, sizeof (*policy));
516}
517
518/**
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000[diff] [blame]519 * Hash function for interface
520 */
521static u_int
522interface_hash (char *interface)
523{
524 return chunk_hash (chunk_from_str (interface));
525}
526
527/**
528 * Equality function for interface
529 */
530static bool
531interface_equals (char *interface1, char *interface2)
532{
533 return streq (interface1, interface2);
534}
535
536/**
537 * Map an integer x with a one-to-one function using quadratic residues
538 */
539static u_int
540permute (u_int x, u_int p)
541{
542 u_int qr;
543
544 x = x % p;
545 qr = ((uint64_t) x * x) % p;
546 if (x <= p / 2)
547 {
548 return qr;
549 }
550 return p - qr;
551}
552
553/**
554 * Initialize seeds for SPI generation
555 */
556static bool
557init_spi (private_kernel_vpp_ipsec_t *this)
558{
559 bool ok = TRUE;
560 rng_t *rng;
561
562 rng = lib->crypto->create_rng (lib->crypto, RNG_STRONG);
563 if (!rng)
564 {
565 return FALSE;
566 }
567 ok =
568 rng->get_bytes (rng, sizeof (this->nextspi), (uint8_t *) &this->nextspi);
569 if (ok)
570 {
571 ok =
572 rng->get_bytes (rng, sizeof (this->mixspi), (uint8_t *) &this->mixspi);
573 }
574 rng->destroy (rng);
575 return ok;
576}
577
578/**
579 * Calculate policy priority
580 */
581static uint32_t
582calculate_priority (policy_priority_t policy_priority, traffic_selector_t *src,
583 traffic_selector_t *dst)
584{
585 uint32_t priority = PRIO_BASE;
586 uint16_t port;
587 uint8_t mask, proto;
588 host_t *net;
589
590 switch (policy_priority)
591 {
592 case POLICY_PRIORITY_FALLBACK:
593 priority <<= 1;
594 /* fall-through */
595 case POLICY_PRIORITY_ROUTED:
596 priority <<= 1;
597 /* fall-through */
598 case POLICY_PRIORITY_DEFAULT:
599 priority <<= 1;
600 /* fall-through */
601 case POLICY_PRIORITY_PASS:
602 break;
603 }
604 /* calculate priority based on selector size, small size = high prio */
605 src->to_subnet (src, &net, &mask);
606 priority -= mask;
607 proto = src->get_protocol (src);
608 port = net->get_port (net);
609 net->destroy (net);
610
611 dst->to_subnet (dst, &net, &mask);
612 priority -= mask;
613 proto = max (proto, dst->get_protocol (dst));
614 port = max (port, net->get_port (net));
615 net->destroy (net);
616
617 priority <<= 2; /* make some room for the two flags */
618 priority += port ? 0 : 2;
619 priority += proto ? 0 : 1;
620 return priority;
621}
622
623/**
624 * Get sw_if_index from interface name
625 */
626static uint32_t
627get_sw_if_index (char *interface)
628{
629 char *out = NULL;
630 int out_len, name_filter_len = 0, msg_len = 0;
631 vl_api_sw_interface_dump_t *mp;
632 vl_api_sw_interface_details_t *rmp;
633 uint32_t sw_if_index = ~0;
634
635 name_filter_len = strlen (interface);
636 msg_len = sizeof (*mp) + name_filter_len;
637 mp = vl_msg_api_alloc (msg_len);
638 clib_memset (mp, 0, msg_len);
639 u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "sw_interface_dump_aa610c27");
640 mp->_vl_msg_id = htons (msg_id);
641 mp->name_filter_valid = TRUE;
642 mp->name_filter.length = htonl (name_filter_len);
643 memcpy ((char *) mp->name_filter.buf, interface, name_filter_len);
644
645 if (vac->send (vac, (char *) mp, msg_len, &out, &out_len))
646 {
647 goto error;
648 }
649 if (!out_len)
650 {
651 goto error;
652 }
653 rmp = (vl_api_sw_interface_details_t *) out;
654 sw_if_index = ntohl (rmp->sw_if_index);
655
656error:
657 free (out);
658 vl_msg_api_free (mp);
659 return sw_if_index;
660}
661/**
662 * (Un)-install a security policy database
663 */
664static status_t
665spd_add_del (bool add, uint32_t spd_id)
666{
667 char *out = NULL;
668 int out_len;
669 vl_api_ipsec_spd_add_del_t *mp;
670 vl_api_ipsec_spd_add_del_reply_t *rmp;
671 status_t rv = FAILED;
672
673 mp = vl_msg_api_alloc (sizeof (*mp));
674 memset (mp, 0, sizeof (*mp));
675
676 u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_add_del_20e89a95");
677 mp->_vl_msg_id = htons (msg_id);
678 mp->is_add = add;
679 mp->spd_id = htonl (spd_id);
680 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
681 {
682 DBG1 (DBG_KNL, "vac %s SPD failed", add ? "adding" : "removing");
683 goto error;
684 }
685 rmp = (void *) out;
686 if (rmp->retval)
687 {
688 DBG1 (DBG_KNL, "%s SPD failed rv:%d", add ? "add" : "remove",
689 ntohl (rmp->retval));
690 goto error;
691 }
692 rv = SUCCESS;
693
694error:
695 free (out);
696 vl_msg_api_free (mp);
697 return rv;
698}
699
700/**
701 * Enable or disable SPD on an insterface
702 */
703static status_t
704interface_add_del_spd (bool add, uint32_t spd_id, uint32_t sw_if_index)
705{
706 char *out = NULL;
707 int out_len;
708 vl_api_ipsec_interface_add_del_spd_t *mp;
709 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
710 status_t rv = FAILED;
711
712 mp = vl_msg_api_alloc (sizeof (*mp));
713 memset (mp, 0, sizeof (*mp));
714 u16 msg_id =
715 vl_msg_api_get_msg_index ((u8 *) "ipsec_interface_add_del_spd_80f80cbb");
716 mp->_vl_msg_id = htons (msg_id);
717 mp->is_add = add;
718 mp->spd_id = htonl (spd_id);
719 mp->sw_if_index = htonl (sw_if_index);
720 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
721 {
722 DBG1 (DBG_KNL, "vac %s interface SPD failed",
723 add ? "adding" : "removing");
724 goto error;
725 }
726 rmp = (void *) out;
727 if (rmp->retval)
728 {
729 DBG1 (DBG_KNL, "%s interface SPD failed rv:%d", add ? "add" : "remove",
730 ntohl (rmp->retval));
731 goto error;
732 }
733 rv = SUCCESS;
734
735error:
736 free (out);
737 vl_msg_api_free (mp);
738 return rv;
739}
740
741static int
742bypass_all (bool add, uint32_t spd_id, uint32_t sa_id)
743{
744 vl_api_ipsec_spd_entry_add_del_t *mp;
745 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
746 char *out = NULL;
747 int out_len;
748 status_t rv = FAILED;
749
750 DBG2 (DBG_KNL, "bypass_all [%s] spd_id %d sa_id %d", add ? "ADD" : "DEL",
751 spd_id, sa_id);
752
753 mp = vl_msg_api_alloc (sizeof (*mp));
754 memset (mp, 0, sizeof (*mp));
755
756 u16 msg_id =
757 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
758 mp->_vl_msg_id = ntohs (msg_id);
759 mp->is_add = add;
760 mp->entry.sa_id = ntohl (sa_id);
761 mp->entry.spd_id = ntohl (spd_id);
762 mp->entry.priority = ntohl (INT_MAX - POLICY_PRIORITY_PASS - 1);
763 mp->entry.is_outbound = 0;
764 mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
765 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
766 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
767 mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (0);
768 mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (0xFFFF);
769 mp->entry.protocol = IP_API_PROTO_ESP;
770 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
771 {
772 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
773 goto error;
774 }
775 rmp = (void *) out;
776 if (rmp->retval)
777 {
778 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
779 ntohl (rmp->retval));
780 goto error;
781 }
782 mp->entry.is_outbound = 1;
783 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
784 {
785 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
786 goto error;
787 }
788 rmp = (void *) out;
789 if (rmp->retval)
790 {
791 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
792 ntohl (rmp->retval));
793 goto error;
794 }
795 mp->entry.is_outbound = 0;
796 mp->entry.protocol = IP_API_PROTO_AH;
797 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
798 {
799 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
800 goto error;
801 }
802 rmp = (void *) out;
803 if (rmp->retval)
804 {
805 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
806 ntohl (rmp->retval));
807 goto error;
808 }
809 mp->entry.is_outbound = 1;
810 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
811 {
812 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
813 goto error;
814 }
815 rmp = (void *) out;
816 if (rmp->retval)
817 {
818 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
819 ntohl (rmp->retval));
820 goto error;
821 }
822
823 rv = SUCCESS;
824
825error:
826 if (out)
827 free (out);
828 vl_msg_api_free (mp);
829
830 return rv;
831}
832
833static int
834bypass_port (bool add, uint32_t spd_id, uint32_t sa_id, uint16_t port)
835{
836 vl_api_ipsec_spd_entry_add_del_t *mp;
837 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
838 char *out = NULL;
839 int out_len;
840 status_t rv = FAILED;
841
842 mp = vl_msg_api_alloc (sizeof (*mp));
843 memset (mp, 0, sizeof (*mp));
844
845 u16 msg_id =
846 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
847 mp->_vl_msg_id = ntohs (msg_id);
848 mp->is_add = add;
849 mp->entry.sa_id = ntohl (sa_id);
850 mp->entry.spd_id = ntohl (spd_id);
851 mp->entry.priority = ntohl (INT_MAX - POLICY_PRIORITY_PASS - 1);
852 mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
853 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
854 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
855 mp->entry.is_outbound = 0;
856 mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (0);
857 mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (0xFFFF);
858 mp->entry.protocol = IP_API_PROTO_HOPOPT;
859
860 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
861 {
862 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
863 goto error;
864 }
865 rmp = (void *) out;
866 if (rmp->retval)
867 {
868 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
869 ntohl (rmp->retval));
870 goto error;
871 }
872 mp->entry.is_outbound = 1;
873 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
874 {
875 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
876 goto error;
877 }
878 rmp = (void *) out;
879 if (rmp->retval)
880 {
881 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
882 ntohl (rmp->retval));
883 goto error;
884 }
885 rv = SUCCESS;
886
887error:
888 if (out)
889 free (out);
890 vl_msg_api_free (mp);
891
892 return rv;
893}
894
895/**
896 * Add or remove a bypass policy
897 */
898static status_t
899manage_bypass (bool add, uint32_t spd_id, uint32_t sa_id)
900{
901 uint16_t port;
902 status_t rv;
903
904 bypass_all (add, spd_id, sa_id);
905
906 port =
907 lib->settings->get_int (lib->settings, "%s.port", IKEV2_UDP_PORT, lib->ns);
908
909 if (port)
910 {
911 rv = bypass_port (add, spd_id, sa_id, port);
912 if (rv != SUCCESS)
913 {
914 return rv;
915 }
916 }
917
918 port = lib->settings->get_int (lib->settings, "%s.port_nat_t",
919 IKEV2_NATT_PORT, lib->ns);
920 if (port)
921 {
922 rv = bypass_port (add, spd_id, sa_id, port);
923 if (rv != SUCCESS)
924 {
925 return rv;
926 }
927 }
928
929 return SUCCESS;
930}
931
932/**
933 * Add or remove a policy
934 */
935static status_t
936manage_policy (private_kernel_vpp_ipsec_t *this, bool add,
937 kernel_ipsec_policy_id_t *id,
938 kernel_ipsec_manage_policy_t *data)
939{
940 spd_t *spd;
941 char *out = NULL, *interface = NULL;
942 int out_len;
943 uint32_t sw_if_index, spd_id = ~0, sad_id = ~0;
944 status_t rv = FAILED;
945 uint32_t priority, auto_priority;
946 chunk_t src_from, src_to, dst_from, dst_to;
947 host_t *src, *dst, *addr;
948 vl_api_ipsec_spd_entry_add_del_t *mp;
949 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
950 bool n_spd = false;
951
952 mp = vl_msg_api_alloc (sizeof (*mp));
953 memset (mp, 0, sizeof (*mp));
954
955 this->mutex->lock (this->mutex);
956 if (!id->interface)
957 {
958 addr = id->dir == POLICY_IN ? data->dst : data->src;
959 for (int i = 0; i < 5; i++)
960 {
961 if (!charon->kernel->get_interface (charon->kernel, addr,
962 &interface))
963 {
964 DBG1 (DBG_KNL, "policy no interface %H", addr);
965 interface = NULL;
966 sleep (1);
967 }
968
969 if (interface)
970 {
971 DBG1 (DBG_KNL, "policy have interface %H", addr);
972 break;
973 }
974 }
975 if (!interface)
976 goto error;
977 id->interface = interface;
978 }
979
980 DBG2 (DBG_KNL, "manage policy [%s] interface [%s]", add ? "ADD" : "DEL",
981 id->interface);
982
983 spd = this->spds->get (this->spds, id->interface);
984 if (!spd)
985 {
986 if (!add)
987 {
988 DBG1 (DBG_KNL, "SPD for %s not found, should not be deleted",
989 id->interface);
990 goto error;
991 }
992 sw_if_index = get_sw_if_index (id->interface);
993 DBG1 (DBG_KNL, "firstly created, spd for %s found sw_if_index is %d",
994 id->interface, sw_if_index);
995 if (sw_if_index == ~0)
996 {
997 DBG1 (DBG_KNL, "sw_if_index for %s not found", id->interface);
998 goto error;
999 }
1000 spd_id = ref_get (&this->next_spd_id);
1001 if (spd_add_del (TRUE, spd_id))
1002 {
1003 DBG1 (DBG_KNL, "spd_add_del %d failed!!!!!", spd_id);
1004 goto error;
1005 }
1006 if (interface_add_del_spd (TRUE, spd_id, sw_if_index))
1007 {
1008 DBG1 (DBG_KNL, "interface_add_del_spd %d %d failed!!!!!", spd_id,
1009 sw_if_index);
1010 goto error;
1011 }
1012 INIT (spd, .spd_id = spd_id, .sw_if_index = sw_if_index,
1013 .policy_num = 0, );
1014 this->spds->put (this->spds, id->interface, spd);
1015 n_spd = true;
1016 }
1017
1018 auto_priority = calculate_priority (data->prio, id->src_ts, id->dst_ts);
1019 priority = data->manual_prio ? data->manual_prio : auto_priority;
1020
1021 u16 msg_id =
1022 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
1023 mp->_vl_msg_id = htons (msg_id);
1024 mp->is_add = add;
1025 mp->entry.spd_id = htonl (spd->spd_id);
1026 mp->entry.priority = htonl (INT_MAX - POLICY_PRIORITY_PASS);
1027 mp->entry.is_outbound = id->dir == POLICY_OUT;
1028 switch (data->type)
1029 {
1030 case POLICY_IPSEC:
1031 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_PROTECT);
1032 break;
1033 case POLICY_PASS:
1034 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_BYPASS);
1035 break;
1036 case POLICY_DROP:
1037 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_DISCARD);
1038 break;
1039 }
1040 if ((data->type == POLICY_IPSEC) && data->sa)
1041 {
1042 kernel_ipsec_sa_id_t id = {
1043 .src = data->src,
1044 .dst = data->dst,
1045 .proto = data->sa->esp.use ? IPPROTO_ESP : IPPROTO_AH,
1046 .spi = data->sa->esp.use ? data->sa->esp.spi : data->sa->ah.spi,
1047 };
1048 sa_t *sa = NULL;
1049 sa = this->sas->get (this->sas, &id);
1050 if (!sa)
1051 {
1052 DBG1 (DBG_KNL, "SA ID not found");
1053 goto error;
1054 }
1055 sad_id = sa->sa_id;
1056 if (n_spd)
1057 {
1058 if (manage_bypass (TRUE, spd_id, ~0))
1059 {
1060 DBG1 (DBG_KNL, "manage_bypass %d failed!!!!", spd_id);
1061 goto error;
1062 }
1063 }
1064 }
1065
1066 mp->entry.sa_id = htonl (sad_id);
1067
1068 bool is_ipv6 = false;
1069 if (id->src_ts->get_type (id->src_ts) == TS_IPV6_ADDR_RANGE)
1070 {
1071 is_ipv6 = true;
1072 mp->entry.local_address_start.af = htonl (ADDRESS_IP6);
1073 mp->entry.local_address_stop.af = htonl (ADDRESS_IP6);
1074 mp->entry.remote_address_start.af = htonl (ADDRESS_IP6);
1075 mp->entry.remote_address_stop.af = htonl (ADDRESS_IP6);
1076 }
1077 else
1078 {
1079 mp->entry.local_address_start.af = htonl (ADDRESS_IP4);
1080 mp->entry.local_address_stop.af = htonl (ADDRESS_IP4);
1081 mp->entry.remote_address_start.af = htonl (ADDRESS_IP4);
1082 mp->entry.remote_address_stop.af = htonl (ADDRESS_IP4);
1083 }
1084 mp->entry.protocol = id->src_ts->get_protocol (id->src_ts);
1085
1086 if (id->dir == POLICY_OUT)
1087 {
1088 src_from = id->src_ts->get_from_address (id->src_ts);
1089 src_to = id->src_ts->get_to_address (id->src_ts);
1090 src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_to, 0);
1091 dst_from = id->dst_ts->get_from_address (id->dst_ts);
1092 dst_to = id->dst_ts->get_to_address (id->dst_ts);
1093 dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_to, 0);
1094 }
1095 else
1096 {
1097 dst_from = id->src_ts->get_from_address (id->src_ts);
1098 dst_to = id->src_ts->get_to_address (id->src_ts);
1099 dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_from, 0);
1100 src_from = id->dst_ts->get_from_address (id->dst_ts);
1101 src_to = id->dst_ts->get_to_address (id->dst_ts);
1102 src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_from, 0);
1103 }
1104
1105 if (src->is_anyaddr (src) && dst->is_anyaddr (dst))
1106 {
1107 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
1108 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
1109 }
1110 else
1111 {
1112 memcpy (is_ipv6 ? mp->entry.local_address_start.un.ip6 :
1113 mp->entry.local_address_start.un.ip4,
1114 src_from.ptr, src_from.len);
1115 memcpy (is_ipv6 ? mp->entry.local_address_stop.un.ip6 :
1116 mp->entry.local_address_stop.un.ip4,
1117 src_to.ptr, src_to.len);
1118 memcpy (is_ipv6 ? mp->entry.remote_address_start.un.ip6 :
1119 mp->entry.remote_address_start.un.ip4,
1120 dst_from.ptr, dst_from.len);
1121 memcpy (is_ipv6 ? mp->entry.remote_address_stop.un.ip6 :
1122 mp->entry.remote_address_stop.un.ip4,
1123 dst_to.ptr, dst_to.len);
1124 }
1125 mp->entry.local_port_start = htons (id->src_ts->get_from_port (id->src_ts));
1126 mp->entry.local_port_stop = htons (id->src_ts->get_to_port (id->src_ts));
1127 mp->entry.remote_port_start = htons (id->dst_ts->get_from_port (id->dst_ts));
1128 mp->entry.remote_port_stop = htons (id->dst_ts->get_to_port (id->dst_ts));
1129
Gabriel Oginski8de66c02023-02-03 08:12:36 +0000[diff] [blame^]1130 /* check if policy exists in SPD */
1131 vl_api_ipsec_spd_dump_t *mp_dump;
1132 vl_api_ipsec_spd_details_t *rmp_dump, *tmp;
1133
1134 mp_dump = vl_msg_api_alloc (sizeof (*mp_dump));
1135 memset (mp_dump, 0, sizeof (*mp_dump));
1136
1137 msg_id = vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_dump_afefbf7d");
1138 mp_dump->_vl_msg_id = htons (msg_id);
1139 mp_dump->spd_id = htonl (spd->spd_id);
1140 mp_dump->sa_id = htonl (sad_id);
1141
1142 if (vac->send_dump (vac, (char *) mp_dump, sizeof (*mp_dump), &out,
1143 &out_len))
1144 {
1145 DBG1 (DBG_KNL, "vac %s SPD lookup failed", add ? "adding" : "removing");
1146 goto error;
1147 }
1148
1149 int num = out_len / sizeof (*rmp_dump);
1150 tmp = (void *) out;
1151
1152 /* found existing policy */
1153 if (add && num)
1154 {
1155 int i;
1156 for (i = 0; i < num; i++)
1157 {
1158 rmp_dump = tmp;
1159 tmp += 1;
1160 /* check if found entry equals the new one */
1161 if (policy_equals (&mp->entry, &rmp_dump->entry))
1162 goto next;
1163 }
1164 }
1165 else if (!add && num == 0)
1166 {
1167 /* VPP doesn't have any policy to delete */
1168 goto next;
1169 }
1170
1171 free (out);
1172
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000[diff] [blame]1173 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1174 {
1175 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
1176 goto error;
1177 }
1178 rmp = (void *) out;
1179 if (rmp->retval)
1180 {
1181 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
1182 ntohl (rmp->retval));
1183 goto error;
1184 }
1185
Gabriel Oginski8de66c02023-02-03 08:12:36 +0000[diff] [blame^]1186next:
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000[diff] [blame]1187 if (add)
1188 {
1189 ref_get (&spd->policy_num);
1190 }
1191 else
1192 {
1193 if (ref_put (&spd->policy_num))
1194 {
1195 DBG1 (
1196 DBG_KNL,
1197 "policy_num's ref is 0, delete spd_id %d sw_if_index %d sad_id %x",
1198 spd->spd_id, spd->sw_if_index, sad_id);
1199 interface_add_del_spd (FALSE, spd->spd_id, spd->sw_if_index);
1200 manage_bypass (FALSE, spd->spd_id, sad_id);
1201 spd_add_del (FALSE, spd->spd_id);
1202 this->spds->remove (this->spds, id->interface);
1203 }
1204 }
1205
1206 if (this->install_routes && id->dir == POLICY_OUT && !mp->entry.protocol)
1207 {
1208 if (data->type == POLICY_IPSEC && data->sa->mode != MODE_TRANSPORT)
1209 {
1210 manage_route (this, add, id->dst_ts, data->src, data->dst);
1211 }
1212 }
1213 rv = SUCCESS;
1214error:
1215 free (out);
Gabriel Oginski8de66c02023-02-03 08:12:36 +0000[diff] [blame^]1216 vl_msg_api_free (mp_dump);
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000[diff] [blame]1217 vl_msg_api_free (mp);
1218 this->mutex->unlock (this->mutex);
1219 return rv;
1220}
1221
1222METHOD (kernel_ipsec_t, get_features, kernel_feature_t,
1223 private_kernel_vpp_ipsec_t *this)
1224{
1225 return KERNEL_ESP_V3_TFC;
1226}
1227
1228METHOD (kernel_ipsec_t, get_spi, status_t, private_kernel_vpp_ipsec_t *this,
1229 host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi)
1230{
1231 static const u_int p = 268435399, offset = 0xc0000000;
1232
1233 *spi = htonl (offset + permute (ref_get (&this->nextspi) ^ this->mixspi, p));
1234 return SUCCESS;
1235}
1236
1237METHOD (kernel_ipsec_t, get_cpi, status_t, private_kernel_vpp_ipsec_t *this,
1238 host_t *src, host_t *dst, uint16_t *cpi)
1239{
1240 DBG1 (DBG_KNL, "get_cpi is not supported!!!!!!!!!!!!!!!!!!!!!!!!");
1241 return NOT_SUPPORTED;
1242}
1243
1244/**
1245 * Helper struct for expiration events
1246 */
1247typedef struct
1248{
1249
1250 private_kernel_vpp_ipsec_t *manager;
1251
1252 kernel_ipsec_sa_id_t *sa_id;
1253
1254 /**
1255 * 0 if this is a hard expire, otherwise the offset in s (soft->hard)
1256 */
1257 uint32_t hard_offset;
1258
1259} vpp_sa_expired_t;
1260
1261/**
1262 * Callback for expiration events
1263 */
1264static job_requeue_t
1265sa_expired (vpp_sa_expired_t *expired)
1266{
1267 private_kernel_vpp_ipsec_t *this = expired->manager;
1268 sa_t *sa;
1269 kernel_ipsec_sa_id_t *id = expired->sa_id;
1270
1271 this->mutex->lock (this->mutex);
1272 sa = this->sas->get (this->sas, id);
1273
1274 if (sa)
1275 {
1276 charon->kernel->expire (charon->kernel, id->proto, id->spi, id->dst,
1277 FALSE);
1278 }
1279
1280 free (id);
1281 this->mutex->unlock (this->mutex);
1282 return JOB_REQUEUE_NONE;
1283}
1284
1285/**
1286 * Schedule a job to handle IPsec SA expiration
1287 */
1288static void
1289schedule_expiration (private_kernel_vpp_ipsec_t *this,
1290 kernel_ipsec_add_sa_t *entry,
1291 kernel_ipsec_sa_id_t *entry2)
1292{
1293 lifetime_cfg_t *lifetime = entry->lifetime;
1294 vpp_sa_expired_t *expired;
1295 callback_job_t *job;
1296 uint32_t timeout;
1297 kernel_ipsec_sa_id_t *id;
1298
1299 if (!lifetime->time.life)
1300 { /* no expiration at all */
1301 return;
1302 }
1303
1304 INIT (id, .src = entry2->src->clone (entry2->src),
1305 .dst = entry2->dst->clone (entry2->dst), .spi = entry2->spi,
1306 .proto = entry2->proto, );
1307
1308 INIT (expired, .manager = this, .sa_id = id, );
1309
1310 /* schedule a rekey first, a hard timeout will be scheduled then, if any */
1311 expired->hard_offset = lifetime->time.life - lifetime->time.rekey;
1312 timeout = lifetime->time.rekey;
1313
1314 if (lifetime->time.life <= lifetime->time.rekey || lifetime->time.rekey == 0)
1315 { /* no rekey, schedule hard timeout */
1316 expired->hard_offset = 0;
1317 timeout = lifetime->time.life;
1318 }
1319
1320 job = callback_job_create ((callback_job_cb_t) sa_expired, expired,
1321 (callback_job_cleanup_t) free, NULL);
1322 lib->scheduler->schedule_job (lib->scheduler, (job_t *) job, timeout);
1323}
1324
1325METHOD (kernel_ipsec_t, add_sa, status_t, private_kernel_vpp_ipsec_t *this,
1326 kernel_ipsec_sa_id_t *id, kernel_ipsec_add_sa_t *data)
1327{
1328 char *out = NULL;
1329 int out_len;
1330 vl_api_ipsec_sad_entry_add_del_t *mp;
1331 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
1332 uint32_t sad_id = ref_get (&this->next_sad_id);
1333 uint8_t ca = 0, ia = 0;
1334 status_t rv = FAILED;
1335 chunk_t src, dst;
1336 kernel_ipsec_sa_id_t *sa_id;
1337 sa_t *sa;
1338 int key_len = data->enc_key.len;
1339
1340 if ((data->enc_alg == ENCR_AES_CTR) ||
1341 (data->enc_alg == ENCR_AES_GCM_ICV8) ||
1342 (data->enc_alg == ENCR_AES_GCM_ICV12) ||
1343 (data->enc_alg == ENCR_AES_GCM_ICV16))
1344 {
1345 static const int SALT_SIZE =
1346 4; /* See how enc_size is calculated at keymat_v2.derive_child_keys */
1347 key_len = key_len - SALT_SIZE;
1348 }
1349 natt_port = lib->settings->get_int (
1350 lib->settings, "%s.plugins.socket-default.natt", IKEV2_NATT_PORT, lib->ns);
1351 mp = vl_msg_api_alloc (sizeof (*mp));
1352 memset (mp, 0, sizeof (*mp));
1353 u16 msg_id =
1354 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1355 mp->_vl_msg_id = htons (msg_id);
1356 mp->is_add = 1;
1357 mp->entry.sad_id = htonl (sad_id);
1358 mp->entry.spi = id->spi;
1359 mp->entry.protocol = id->proto == IPPROTO_ESP ? htonl (IPSEC_API_PROTO_ESP) :
1360 htonl (IPSEC_API_PROTO_AH);
1361
1362 switch (data->enc_alg)
1363 {
1364 case ENCR_NULL:
1365 ca = IPSEC_API_CRYPTO_ALG_NONE;
1366 break;
1367 case ENCR_AES_CBC:
1368 switch (key_len * 8)
1369 {
1370 case 128:
1371 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_128;
1372 break;
1373 case 192:
1374 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_192;
1375 break;
1376 case 256:
1377 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_256;
1378 break;
1379 default:
1380 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1381 key_len * 8);
1382 goto error;
1383 }
1384 break;
1385 case ENCR_AES_CTR:
1386 switch (key_len * 8)
1387 {
1388 case 128:
1389 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_128;
1390 break;
1391 case 192:
1392 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_192;
1393 break;
1394 case 256:
1395 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_256;
1396 break;
1397 default:
1398 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1399 key_len * 8);
1400 goto error;
1401 }
1402 break;
1403 case ENCR_AES_GCM_ICV8:
1404 case ENCR_AES_GCM_ICV12:
1405 case ENCR_AES_GCM_ICV16:
1406 switch (key_len * 8)
1407 {
1408 case 128:
1409 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_128;
1410 break;
1411 case 192:
1412 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_192;
1413 break;
1414 case 256:
1415 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_256;
1416 break;
1417 default:
1418 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1419 key_len * 8);
1420 goto error;
1421 }
1422 break;
1423 case ENCR_DES:
1424 ca = IPSEC_API_CRYPTO_ALG_DES_CBC;
1425 break;
1426 case ENCR_3DES:
1427 ca = IPSEC_API_CRYPTO_ALG_3DES_CBC;
1428 break;
1429 default:
1430 DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
1431 encryption_algorithm_names, data->enc_alg);
1432 goto error;
1433 }
1434 mp->entry.crypto_algorithm = htonl (ca);
1435 mp->entry.crypto_key.length = key_len < 128 ? key_len : 128;
1436 memcpy (mp->entry.crypto_key.data, data->enc_key.ptr,
1437 mp->entry.crypto_key.length);
1438
1439 /* copy salt for AEAD algorithms */
1440 if ((data->enc_alg == ENCR_AES_CTR) ||
1441 (data->enc_alg == ENCR_AES_GCM_ICV8) ||
1442 (data->enc_alg == ENCR_AES_GCM_ICV12) ||
1443 (data->enc_alg == ENCR_AES_GCM_ICV16))
1444 {
1445 memcpy (&mp->entry.salt, data->enc_key.ptr + mp->entry.crypto_key.length,
1446 4);
1447 }
1448
1449 switch (data->int_alg)
1450 {
1451 case AUTH_UNDEFINED:
1452 ia = IPSEC_API_INTEG_ALG_NONE;
1453 break;
1454 case AUTH_HMAC_MD5_96:
1455 ia = IPSEC_API_INTEG_ALG_MD5_96;
1456 break;
1457 case AUTH_HMAC_SHA1_96:
1458 ia = IPSEC_API_INTEG_ALG_SHA1_96;
1459 break;
1460 case AUTH_HMAC_SHA2_256_96:
1461 ia = IPSEC_API_INTEG_ALG_SHA_256_96;
1462 break;
1463 case AUTH_HMAC_SHA2_256_128:
1464 ia = IPSEC_API_INTEG_ALG_SHA_256_128;
1465 break;
1466 case AUTH_HMAC_SHA2_384_192:
1467 ia = IPSEC_API_INTEG_ALG_SHA_384_192;
1468 break;
1469 case AUTH_HMAC_SHA2_512_256:
1470 ia = IPSEC_API_INTEG_ALG_SHA_512_256;
1471 break;
1472 default:
1473 DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
1474 integrity_algorithm_names, data->int_alg);
1475 goto error;
1476 break;
1477 }
1478 mp->entry.integrity_algorithm = htonl (ia);
1479 mp->entry.integrity_key.length =
1480 data->int_key.len < 128 ? data->int_key.len : 128;
1481 memcpy (mp->entry.integrity_key.data, data->int_key.ptr,
1482 mp->entry.integrity_key.length);
1483
1484 int flags = IPSEC_API_SAD_FLAG_NONE;
Atzm Watanabefc2d95d2023-01-25 14:11:10 +0900[diff] [blame]1485 if (data->inbound)
1486 flags |= IPSEC_API_SAD_FLAG_IS_INBOUND;
1487 /* like the kernel-netlink plugin, anti-replay can be disabled with zero
1488 * replay_window, but window size cannot be customized for vpp */
1489 if (data->replay_window)
1490 flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000[diff] [blame]1491 if (data->esn)
1492 flags |= IPSEC_API_SAD_FLAG_USE_ESN;
Atzm Watanabefc2d95d2023-01-25 14:11:10 +0900[diff] [blame]1493 if (this->use_tunnel_mode_sa && data->mode == MODE_TUNNEL)
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000[diff] [blame]1494 {
1495 if (id->src->get_family (id->src) == AF_INET6)
1496 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
1497 else
1498 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
1499 }
1500 if (data->encap)
1501 {
1502 DBG1 (DBG_KNL, "UDP encap!!!!!!!!!!!!!!!!!!!!");
1503 flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
1504 }
1505 mp->entry.flags = htonl (flags);
1506
1507 bool is_ipv6 = false;
1508 if (id->src->get_family (id->src) == AF_INET6)
1509 {
1510 is_ipv6 = true;
1511 mp->entry.tunnel_src.af = htonl (ADDRESS_IP6);
1512 mp->entry.tunnel_dst.af = htonl (ADDRESS_IP6);
1513 }
1514 else
1515 {
1516 mp->entry.tunnel_src.af = htonl (ADDRESS_IP4);
1517 mp->entry.tunnel_dst.af = htonl (ADDRESS_IP4);
1518 }
1519 src = id->src->get_address (id->src);
1520 memcpy (is_ipv6 ? mp->entry.tunnel_src.un.ip6 : mp->entry.tunnel_src.un.ip4,
1521 src.ptr, src.len);
1522 dst = id->dst->get_address (id->dst);
1523 memcpy (is_ipv6 ? mp->entry.tunnel_dst.un.ip6 : mp->entry.tunnel_dst.un.ip4,
1524 dst.ptr, dst.len);
1525 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1526 {
1527 DBG1 (DBG_KNL, "vac adding SA failed");
1528 goto error;
1529 }
1530 rmp = (void *) out;
1531 if (rmp->retval)
1532 {
1533 DBG1 (DBG_KNL, "add SA failed rv:%d", ntohl (rmp->retval));
1534 goto error;
1535 }
1536
1537 this->mutex->lock (this->mutex);
1538 INIT (sa_id, .src = id->src->clone (id->src),
1539 .dst = id->dst->clone (id->dst), .spi = id->spi, .proto = id->proto, );
1540 INIT (sa, .sa_id = sad_id, .stat_index = ntohl (rmp->stat_index), );
1541 DBG4 (DBG_KNL, "put sa by its sa_id %x !!!!!!", sad_id);
1542 this->sas->put (this->sas, sa_id, sa);
1543 schedule_expiration (this, data, id);
1544 this->mutex->unlock (this->mutex);
1545 rv = SUCCESS;
1546
1547error:
1548 free (out);
1549 vl_msg_api_free (mp);
1550 return rv;
1551}
1552
1553METHOD (kernel_ipsec_t, update_sa, status_t, private_kernel_vpp_ipsec_t *this,
1554 kernel_ipsec_sa_id_t *id, kernel_ipsec_update_sa_t *data)
1555{
1556 DBG1 (DBG_KNL,
1557 "update sa not supported!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1558 return NOT_SUPPORTED;
1559}
1560
1561METHOD (kernel_ipsec_t, query_sa, status_t, private_kernel_vpp_ipsec_t *this,
1562 kernel_ipsec_sa_id_t *id, kernel_ipsec_query_sa_t *data,
1563 uint64_t *bytes, uint64_t *packets, time_t *time)
1564{
1565 status_t rv = FAILED;
1566 sa_t *sa;
1567 u32 *dir;
1568 int i, k;
1569 stat_segment_data_t *res;
1570 u8 **pattern = 0;
1571 uint64_t res_bytes = 0;
1572 uint64_t res_packets = 0;
1573
1574 this->mutex->lock (this->mutex);
1575 sa = this->sas->get (this->sas, id);
1576 this->mutex->unlock (this->mutex);
1577 if (!sa)
1578 {
1579 DBG1 (DBG_KNL, "SA not found");
1580 return NOT_FOUND;
1581 }
1582
1583 int rv_stat = stat_segment_connect ("/run/vpp/stats.sock");
1584 if (rv_stat != 0)
1585 {
1586 DBG1 (DBG_KNL, "Not connecting with stats segmentation");
1587 return NOT_FOUND;
1588 }
1589 vec_add1 (pattern, (u8 *) "/net/ipsec/sa");
1590 dir = stat_segment_ls ((u8 **) pattern);
1591 res = stat_segment_dump (dir);
1592 /* i-loop for each results find by pattern - here two:
1593 * 1. /net/ipsec/sa
1594 * 2. /net/ipsec/sa/lost
1595 */
1596 for (i = 0; i < vec_len (res); i++)
1597 {
1598 switch (res[i].type)
1599 {
1600 /* type for how many packets are lost */
1601 case STAT_DIR_TYPE_COUNTER_VECTOR_SIMPLE:
1602 if (res[i].simple_counter_vec == 0)
1603 continue;
1604 break;
1605 /* type for counter for each SA */
1606 case STAT_DIR_TYPE_COUNTER_VECTOR_COMBINED:
1607 if (res[i].combined_counter_vec == 0)
1608 continue;
1609 /* k-loop for each threads - that you run VPP */
1610 for (k = 0; k < vec_len (res[i].combined_counter_vec); k++)
1611 {
1612 if (sa->stat_index <= vec_len (res[i].combined_counter_vec[k]))
1613 {
1614 DBG4 (DBG_KNL, "Thread: %d, Packets: %lu, Bytes: %lu", k,
1615 res[i].combined_counter_vec[k][sa->stat_index].packets,
1616 res[i].combined_counter_vec[k][sa->stat_index].bytes);
1617 res_bytes +=
1618 res[i].combined_counter_vec[k][sa->stat_index].bytes;
1619 res_packets +=
1620 res[i].combined_counter_vec[k][sa->stat_index].packets;
1621 }
1622 }
1623 break;
1624 case STAT_DIR_TYPE_NAME_VECTOR:
1625 if (res[i].name_vector == 0)
1626 continue;
1627 break;
1628 }
1629 }
1630 stat_segment_data_free (res);
1631 stat_segment_disconnect ();
1632
1633 vec_free (pattern);
1634 vec_free (dir);
1635
1636 if (bytes)
1637 {
1638 *bytes = res_bytes;
1639 }
1640 if (packets)
1641 {
1642 *packets = res_packets;
1643 }
1644 if (time)
1645 {
1646 *time = 0;
1647 }
1648
1649 rv = SUCCESS;
1650 return rv;
1651}
1652
1653METHOD (kernel_ipsec_t, del_sa, status_t, private_kernel_vpp_ipsec_t *this,
1654 kernel_ipsec_sa_id_t *id, kernel_ipsec_del_sa_t *data)
1655{
1656 char *out = NULL;
1657 int out_len;
1658 vl_api_ipsec_sad_entry_add_del_t *mp;
1659 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
1660 status_t rv = FAILED;
1661 sa_t *sa;
1662
1663 this->mutex->lock (this->mutex);
1664 sa = this->sas->get (this->sas, id);
1665 if (!sa)
1666 {
1667 DBG1 (DBG_KNL, "SA not found");
1668 rv = NOT_FOUND;
1669 goto error;
1670 }
1671 mp = vl_msg_api_alloc (sizeof (*mp));
1672 memset (mp, 0, sizeof (*mp));
1673 mp->is_add = 0;
1674 u16 msg_id =
1675 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1676 mp->_vl_msg_id = htons (msg_id);
1677 mp->entry.sad_id = htonl (sa->sa_id);
1678
1679 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1680 {
1681 DBG1 (DBG_KNL, "vac removing SA failed");
1682 goto error;
1683 }
1684 rmp = (void *) out;
1685 if (rmp->retval)
1686 {
1687 DBG1 (DBG_KNL, "del SA failed rv:%d", ntohl (rmp->retval));
1688 goto error;
1689 }
1690
1691 vl_msg_api_free (mp);
1692 this->sas->remove (this->sas, id);
1693 rv = SUCCESS;
1694error:
1695 free (out);
1696 this->mutex->unlock (this->mutex);
1697 return rv;
1698}
1699
1700METHOD (kernel_ipsec_t, flush_sas, status_t, private_kernel_vpp_ipsec_t *this)
1701{
1702 enumerator_t *enumerator;
1703 int out_len;
1704 char *out;
1705 vl_api_ipsec_sad_entry_add_del_t *mp;
1706 sa_t *sa = NULL;
1707
1708 this->mutex->lock (this->mutex);
1709 enumerator = this->sas->create_enumerator (this->sas);
1710 while (enumerator->enumerate (enumerator, sa, NULL))
1711 {
1712 mp = vl_msg_api_alloc (sizeof (*mp));
1713 memset (mp, 0, sizeof (*mp));
1714 u16 msg_id =
1715 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1716 mp->_vl_msg_id = htons (msg_id);
1717 mp->entry.sad_id = htonl (sa->sa_id);
1718 mp->is_add = 0;
1719 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1720 {
1721 DBG1 (DBG_KNL, "flush_sas failed!!!!");
1722 return FALSE;
1723 }
1724 free (out);
1725 vl_msg_api_free (mp);
1726 this->sas->remove_at (this->sas, enumerator);
1727 }
1728 enumerator->destroy (enumerator);
1729 this->mutex->unlock (this->mutex);
1730
1731 return SUCCESS;
1732}
1733
1734METHOD (kernel_ipsec_t, add_policy, status_t, private_kernel_vpp_ipsec_t *this,
1735 kernel_ipsec_policy_id_t *id, kernel_ipsec_manage_policy_t *data)
1736{
1737 return manage_policy (this, TRUE, id, data);
1738}
1739
1740METHOD (kernel_ipsec_t, query_policy, status_t,
1741 private_kernel_vpp_ipsec_t *this, kernel_ipsec_policy_id_t *id,
1742 kernel_ipsec_query_policy_t *data, time_t *use_time)
1743{
1744 return NOT_SUPPORTED;
1745}
1746
1747METHOD (kernel_ipsec_t, del_policy, status_t, private_kernel_vpp_ipsec_t *this,
1748 kernel_ipsec_policy_id_t *id, kernel_ipsec_manage_policy_t *data)
1749{
1750 return manage_policy (this, FALSE, id, data);
1751}
1752
1753METHOD (kernel_ipsec_t, flush_policies, status_t,
1754 private_kernel_vpp_ipsec_t *this)
1755{
1756 return NOT_SUPPORTED;
1757}
1758
1759METHOD (kernel_ipsec_t, bypass_socket, bool, private_kernel_vpp_ipsec_t *this,
1760 int fd, int family)
1761{
1762 return FALSE;
1763}
1764
1765METHOD (kernel_ipsec_t, enable_udp_decap, bool,
1766 private_kernel_vpp_ipsec_t *this, int fd, int family, u_int16_t port)
1767{
1768 DBG1 (DBG_KNL, "enable_udp_decap not supported!!!!!!!!!!!!!!!!!!!!!!!!!");
1769 return FALSE;
1770}
1771
1772METHOD (kernel_ipsec_t, destroy, void, private_kernel_vpp_ipsec_t *this)
1773{
1774 this->mutex->destroy (this->mutex);
1775 this->sas->destroy (this->sas);
1776 this->spds->destroy (this->spds);
1777 this->routes->destroy (this->routes);
1778 free (this);
1779}
1780
1781kernel_vpp_ipsec_t *
1782kernel_vpp_ipsec_create ()
1783{
1784 private_kernel_vpp_ipsec_t *this;
1785
1786 INIT(this,
1787 .public = {
1788 .interface = {
1789 .get_features = _get_features,
1790 .get_spi = _get_spi,
1791 .get_cpi = _get_cpi,
1792 .add_sa = _add_sa,
1793 .update_sa = _update_sa,
1794 .query_sa = _query_sa,
1795 .del_sa = _del_sa,
1796 .flush_sas = _flush_sas,
1797 .add_policy = _add_policy,
1798 .query_policy = _query_policy,
1799 .del_policy = _del_policy,
1800 .flush_policies = _flush_policies,
1801 .bypass_socket = _bypass_socket,
1802 .enable_udp_decap = _enable_udp_decap,
1803 .destroy = _destroy,
1804 },
1805 },
1806 .next_sad_id = 0,
1807 .next_spd_id = 0,
1808 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
1809 .sas = hashtable_create((hashtable_hash_t)sa_hash,
1810 (hashtable_equals_t)sa_equals, 32),
1811 .spds = hashtable_create((hashtable_hash_t)interface_hash,
1812 (hashtable_equals_t)interface_equals, 4),
1813 .routes = linked_list_create(),
1814 .install_routes = lib->settings->get_bool(lib->settings,
1815 "%s.install_routes", TRUE, lib->ns),
Atzm Watanabefc2d95d2023-01-25 14:11:10 +0900[diff] [blame]1816 .use_tunnel_mode_sa = lib->settings->get_bool(lib->settings,
1817 "%s.plugins.kernel-vpp.use_tunnel_mode_sa",
1818 TRUE, lib->ns),
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000[diff] [blame]1819 );
1820
1821 if (!init_spi (this))
1822 {
1823 destroy (this);
1824 return NULL;
1825 }
1826
1827 return &this->public;
1828}