blob: a51edcbc247aefc4f06c4f4ca0c61ffaac0175ad [file] [log] [blame]
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001/*
2 * Copyright (c) 2022 Intel and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#include <daemon.h>
17#include <utils/debug.h>
18#include <vlibapi/api.h>
19#include <vlibmemory/api.h>
20#include <vnet/ipsec/ipsec.h>
21#include <vnet/vnet.h>
22#include <collections/hashtable.h>
23#include <threading/mutex.h>
24#include <processing/jobs/callback_job.h>
25#include <vpp-api/client/stat_client.h>
26
27#define vl_typedefs
28#define vl_endianfun
29/* Include the (first) vlib-api API definition layer */
30#include <vlibmemory/vl_memory_api_h.h>
31/* Include the current layer (third) vpp API definition layer */
32#include <vpp/api/vpe_types.api.h>
33#include <vpp/api/vpe.api.h>
34
35#include <vnet/ip-neighbor/ip_neighbor.api_enum.h>
36#include <vnet/ip-neighbor/ip_neighbor.api_types.h>
37#include <vnet/ipsec/ipsec.api_enum.h>
38#include <vnet/ipsec/ipsec.api_types.h>
39#include <vnet/interface.api_enum.h>
40#include <vnet/interface.api_types.h>
41#undef vl_typedefs
42#undef vl_endianfun
43
44#include "kernel_vpp_ipsec.h"
45#include "kernel_vpp_shared.h"
46
47#include <stdio.h>
48#include <stdlib.h>
49#include <string.h>
50#include <sys/socket.h>
51#include <netinet/in.h>
52#include <arpa/inet.h>
53#include <sys/ioctl.h>
54#include <net/if.h>
55#include <net/route.h>
56#include <unistd.h>
57#include <fcntl.h>
58#include <sys/types.h>
59#include <net/if_arp.h>
60#include <sys/stat.h>
61#include <dirent.h>
62
63#define PRIO_BASE 384
64
65u32 natt_port;
66
67/**
68 * One and only instance of the daemon.
69 */
70daemon_t *charon;
71
72typedef struct private_kernel_vpp_ipsec_t private_kernel_vpp_ipsec_t;
73
74/**
75 * Private variables of kernel_vpp_ipsec class.
76 */
77struct private_kernel_vpp_ipsec_t
78{
79
80 /**
81 * Public interface
82 */
83 kernel_vpp_ipsec_t public;
84
85 /**
86 * Next security association database entry ID to allocate
87 */
88 refcount_t next_sad_id;
89
90 /**
91 * Next security policy database entry ID to allocate
92 */
93 refcount_t next_spd_id;
94
95 /**
96 * Mutex to lock access to installed policies
97 */
98 mutex_t *mutex;
99
100 /**
101 * Hash table of instaled SA, as kernel_ipsec_sa_id_t => sa_t
102 */
103 hashtable_t *sas;
104
105 /**
106 * Hash table of security policy databases, as nterface => spd_t
107 */
108 hashtable_t *spds;
109
110 /**
111 * Linked list of installed routes
112 */
113 linked_list_t *routes;
114
115 /**
116 * Next SPI to allocate
117 */
118 refcount_t nextspi;
119
120 /**
121 * Mix value to distribute SPI allocation randomly
122 */
123 uint32_t mixspi;
124
125 /**
126 * Whether to install routes along policies
127 */
128 bool install_routes;
Atzm Watanabefc2d95d2023-01-25 14:11:10 +0900129
130 /**
131 * Whether to install SAs with tunnel flag. Disabling this can be useful
132 * in some scenarios e.g. using SAs to "ipsec tunnel protect" for the
133 * route-based IPsec
134 */
135 bool use_tunnel_mode_sa;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000136};
137
138/**
139 * Security association entry
140 */
141typedef struct
142{
143 /** VPP SA ID */
144 uint32_t sa_id;
145 uint32_t stat_index;
146} sa_t;
147
148/**
149 * Security policy database
150 */
151typedef struct
152{
153 /** VPP SPD ID */
154 uint32_t spd_id;
155 /** Networking interface ID restricting policy */
156 uint32_t sw_if_index;
157 /** Policy count for this SPD */
158 refcount_t policy_num;
159} spd_t;
160
161/**
162 * Installed route
163 */
164typedef struct
165{
166 /** Name of the interface the route is bound to */
167 char *if_name;
168 /** Gateway of route */
169 host_t *gateway;
170 /** Destination network of route */
171 host_t *dst_net;
172 /** Prefix length of dst_net */
173 uint8_t prefixlen;
174 /** References for route */
175 refcount_t refs;
176} route_entry_t;
177
178#define htonll(x) \
179 ((1 == htonl (1)) ? \
180 (x) : \
181 ((uint64_t) htonl ((x) &0xFFFFFFFF) << 32) | htonl ((x) >> 32))
182#define ntohll(x) \
183 ((1 == ntohl (1)) ? \
184 (x) : \
185 ((uint64_t) ntohl ((x) &0xFFFFFFFF) << 32) | ntohl ((x) >> 32))
186
187CALLBACK (route_equals, bool, route_entry_t *a, va_list args)
188{
189 host_t *dst_net, *gateway;
190 uint8_t *prefixlen;
191 char *if_name;
192
193 VA_ARGS_VGET (args, if_name, gateway, dst_net, prefixlen);
194
195 return a->if_name && if_name && streq (a->if_name, if_name) &&
196 a->gateway->ip_equals (a->gateway, gateway) &&
197 a->dst_net->ip_equals (a->dst_net, dst_net) &&
198 a->prefixlen == *prefixlen;
199}
200
201/**
202 * Clean up a route entry
203 */
204static void
205route_destroy (route_entry_t *this)
206{
207 this->dst_net->destroy (this->dst_net);
208 this->gateway->destroy (this->gateway);
209 free (this->if_name);
210 free (this);
211}
212
213static uint32_t get_sw_if_index ();
214
215static int
216set_arp (char *ipStr, char *if_name, bool add)
217{
218 char *out = NULL;
219 int out_len = 0;
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000220 vl_api_ip_neighbor_add_del_t *mp = NULL;
221 vl_api_ip_neighbor_add_del_reply_t *rmp = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000222 int rc = SUCCESS;
223 uint32_t sw_if_index = ~0;
224
225 FILE *fp;
226 int nread = 0;
227 ssize_t len = 0;
228 char *buffer = NULL;
229 char buf[2][20];
230 char *file = "/proc/net/arp";
231 unsigned char mac[8] = {
232 0,
233 };
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000234 uint32_t addr = 0;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000235
236 if (if_name == NULL || ipStr == NULL)
237 {
238 DBG2 (DBG_KNL, "para is null\n");
239 rc = FAILED;
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000240 goto error;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000241 }
242 DBG2 (DBG_KNL, "from kernel read mac\n");
243
244 mp = vl_msg_api_alloc (sizeof (*mp));
245 memset (mp, 0, sizeof (*mp));
246 sw_if_index = get_sw_if_index (if_name);
247 if (sw_if_index == ~0)
248 {
249 DBG1 (DBG_KNL, "sw_if_index for %s not found", if_name);
250 goto error;
251 }
252
253 fp = fopen (file, "rb");
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000254 while (fp && ((nread = getline (&buffer, &len, fp)) != -1))
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000255 {
256 sscanf (buffer, "%s %*s %*s %s %*s %*s", &buf[0], &buf[1]);
257 inet_aton (&buf[0], &addr);
258
259 if (addr == *((u32 *) (ipStr)))
260 {
261 sscanf (buf[1], "%02x:%02x:%02x:%02x:%02x:%02x", &mac[0], &mac[1],
262 &mac[2], &mac[3], &mac[4], &mac[5]);
263 u16 msg_id =
264 vl_msg_api_get_msg_index ((u8 *) "ip_neighbor_add_del_0607c257");
265 mp->_vl_msg_id = htons (msg_id);
266 mp->is_add = add;
267 memcpy (mp->neighbor.ip_address.un.ip4, (u8 *) &addr, sizeof (addr));
268 mp->neighbor.ip_address.af = 0;
269 memcpy (mp->neighbor.mac_address, mac, 6);
270 mp->neighbor.sw_if_index = htonl (sw_if_index);
271 mp->neighbor.flags = 1;
272
273 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
274 {
275 DBG1 (DBG_KNL, "vac %s neighbor entry",
276 add ? "adding" : "removing");
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000277 fclose (fp);
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000278 goto error;
279 }
280 rmp = (void *) out;
281 if (rmp->retval)
282 {
283 DBG1 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
284 ntohl (rmp->retval));
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000285 fclose (fp);
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000286 goto error;
287 }
288 fclose (fp);
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000289 free (out);
290 vl_msg_api_free (mp);
291 free (buffer);
292
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000293 return rc;
294 }
295 }
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000296
297 if (fp != NULL)
298 {
299 fclose (fp);
300 fp = NULL;
301 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000302
303error:
304 free (out);
305 vl_msg_api_free (mp);
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000306 if (buffer != NULL)
307 {
308 free (buffer);
309 buffer = NULL;
310 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000311 return rc;
312}
313
314static int
315add_Route (char *ipAddr, int len, char *mask, char *gateWay)
316{
317 int fd;
318 int rc = SUCCESS;
319 struct sockaddr_in _sin;
320 struct sockaddr_in *sin = &_sin;
321 struct rtentry rt;
322
323 do
324 {
325 fd = socket (AF_INET, SOCK_DGRAM, 0);
326 if (fd < 0)
327 {
328 DBG2 (DBG_KNL, "addRoute: socket error\n");
329 rc = FAILED;
330 break;
331 }
332 memset (&rt, 0, sizeof (struct rtentry));
333 memset (sin, 0, sizeof (struct sockaddr_in));
334 sin->sin_family = AF_INET;
335 sin->sin_port = 0;
336
337 if (inet_aton (gateWay, &sin->sin_addr) < 0)
338 {
339 rc = FAILED;
340 break;
341 }
342 memcpy (&rt.rt_gateway, sin, sizeof (struct sockaddr_in));
343
344 ((struct sockaddr_in *) &rt.rt_dst)->sin_family = AF_INET;
345 memcpy (&((struct sockaddr_in *) &rt.rt_dst)->sin_addr, ipAddr, len);
346
347 ((struct sockaddr_in *) &rt.rt_genmask)->sin_family = AF_INET;
348 if (inet_aton (mask,
349 &((struct sockaddr_in *) &rt.rt_genmask)->sin_addr) < 0)
350 {
351 rc = FAILED;
352 break;
353 }
354 rt.rt_flags = RTF_GATEWAY;
355 if (ioctl (fd, SIOCADDRT, &rt) < 0)
356 {
357 rc = FAILED;
358 }
359 }
360 while (0);
361
362 close (fd);
363 return rc;
364}
365
366static int
367set_address (u32 ipAddr, u32 sw_if_index, bool add)
368{
369 char *out = NULL;
370 int out_len = 0;
371 vl_api_sw_interface_add_del_address_t *mp;
372 vl_api_sw_interface_add_del_address_reply_t *rmp;
373
374 int rc = SUCCESS;
375
376 uint32_t addr;
377
378 mp = vl_msg_api_alloc (sizeof (*mp));
379 memset (mp, 0, sizeof (*mp));
380
381 u16 msg_id =
382 vl_msg_api_get_msg_index ((u8 *) "sw_interface_add_del_address_5463d73b");
383 mp->_vl_msg_id = htons (msg_id);
384 mp->is_add = add;
385 memcpy (mp->prefix.address.un.ip4, (u8 *) &ipAddr, sizeof (ipAddr));
386 mp->prefix.len = 24;
387 mp->sw_if_index = sw_if_index;
388
389 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
390 {
391 DBG2 (DBG_KNL, "vac %s neighbor entry", add ? "adding" : "removing");
392 goto error;
393 }
394 rmp = (void *) out;
395 if (rmp->retval)
396 {
397 DBG2 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
398 ntohl (rmp->retval));
399 goto error;
400 }
401 return rc;
402
403error:
404 free (out);
405 vl_msg_api_free (mp);
406 return rc;
407}
408
409/**
410 * (Un)-install a single route
411 */
412static void
413manage_route (private_kernel_vpp_ipsec_t *this, bool add,
414 traffic_selector_t *dst_ts, host_t *src, host_t *dst)
415{
416 host_t *dst_net, *gateway;
417 uint8_t prefixlen;
418 char *if_name;
419 route_entry_t *route;
420 bool route_exist = FALSE;
421
422 char *netmask = "255.255.255.0";
423 char *tap_gateway = "1.1.1.1";
424 int arp_rc = 0;
425 if (dst->is_anyaddr (dst))
426 {
427 return;
428 }
429 gateway =
430 charon->kernel->get_nexthop (charon->kernel, dst, -1, NULL, &if_name);
431 dst_ts->to_subnet (dst_ts, &dst_net, &prefixlen);
432 if (!if_name)
433 {
434 if (src->is_anyaddr (src))
435 {
436 return;
437 }
438 if (!charon->kernel->get_interface (charon->kernel, src, &if_name))
439 {
440 return;
441 }
442 }
443 route_exist =
444 this->routes->find_first (this->routes, route_equals, (void **) &route,
445 if_name, gateway, dst_net, &prefixlen);
446 if (add)
447 {
448 DBG2 (DBG_KNL, "installing route: %H/%d via %H dev %s", dst_net,
449 prefixlen, gateway, if_name);
450 if (route_exist)
451 {
452 unsigned int refs_num = ref_get (&route->refs);
453 DBG2 (DBG_KNL, "add route but it exist %d", refs_num);
454 }
455 else
456 {
457 INIT (route, .if_name = strdup (if_name),
458 .gateway = gateway->clone (gateway),
459 .dst_net = dst_net->clone (dst_net), .prefixlen = prefixlen,
460 .refs = 1, );
461 this->routes->insert_last (this->routes, route);
462 charon->kernel->add_route (charon->kernel,
463 dst_net->get_address (dst_net), prefixlen,
464 gateway, dst, if_name, 1);
465 }
466
467 add_Route (dst_net->get_address (dst_net).ptr,
468 dst_net->get_address (dst_net).len, netmask, tap_gateway);
469
470 arp_rc = set_arp (gateway->get_address (gateway).ptr, if_name, TRUE);
471 if (arp_rc)
472 DBG2 (DBG_KNL, "arpGet success!\n");
473 }
474 else
475 {
476 DBG2 (DBG_KNL, "uninstalling route: %H/%d via %H dev %s", dst_net,
477 prefixlen, gateway, if_name);
478 if (!route_exist)
479 {
480 DBG2 (DBG_KNL, "del route but it not exist");
481 return;
482 }
483 if (ref_put (&route->refs))
484 {
485 this->routes->remove (this->routes, route, NULL);
486 route_destroy (route);
487 charon->kernel->del_route (charon->kernel,
488 dst_net->get_address (dst_net), prefixlen,
489 gateway, dst, if_name, 1);
490 }
491 }
492}
493
494/**
495 * Hash function for IPsec SA
496 */
497static u_int
498sa_hash (kernel_ipsec_sa_id_t *sa)
499{
500 return chunk_hash_inc (
501 sa->src->get_address (sa->src),
502 chunk_hash_inc (
503 sa->dst->get_address (sa->dst),
504 chunk_hash_inc (chunk_from_thing (sa->spi),
505 chunk_hash (chunk_from_thing (sa->proto)))));
506}
507
508/**
509 * Equality function for IPsec SA
510 */
511static bool
512sa_equals (kernel_ipsec_sa_id_t *sa, kernel_ipsec_sa_id_t *other_sa)
513{
514 return sa->src->ip_equals (sa->src, other_sa->src) &&
515 sa->dst->ip_equals (sa->dst, other_sa->dst) &&
516 sa->spi == other_sa->spi && sa->proto == other_sa->proto;
517}
518
519/**
Gabriel Oginski8de66c02023-02-03 08:12:36 +0000520 * Equality function for policy SPD
521 */
522static bool
523policy_equals (vl_api_ipsec_spd_entry_t *policy,
524 vl_api_ipsec_spd_entry_t *other_policy)
525{
526
527 /* change protocol due to legacy implementation of ANY protocol inside VPP */
528 if (other_policy->protocol == 255)
529 other_policy->protocol = 0;
530
531 /* return true if both policies are equal */
532 return !memcmp (policy, other_policy, sizeof (*policy));
533}
534
535/**
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000536 * Hash function for interface
537 */
538static u_int
539interface_hash (char *interface)
540{
541 return chunk_hash (chunk_from_str (interface));
542}
543
544/**
545 * Equality function for interface
546 */
547static bool
548interface_equals (char *interface1, char *interface2)
549{
550 return streq (interface1, interface2);
551}
552
553/**
554 * Map an integer x with a one-to-one function using quadratic residues
555 */
556static u_int
557permute (u_int x, u_int p)
558{
559 u_int qr;
560
561 x = x % p;
562 qr = ((uint64_t) x * x) % p;
563 if (x <= p / 2)
564 {
565 return qr;
566 }
567 return p - qr;
568}
569
570/**
571 * Initialize seeds for SPI generation
572 */
573static bool
574init_spi (private_kernel_vpp_ipsec_t *this)
575{
576 bool ok = TRUE;
577 rng_t *rng;
578
579 rng = lib->crypto->create_rng (lib->crypto, RNG_STRONG);
580 if (!rng)
581 {
582 return FALSE;
583 }
584 ok =
585 rng->get_bytes (rng, sizeof (this->nextspi), (uint8_t *) &this->nextspi);
586 if (ok)
587 {
588 ok =
589 rng->get_bytes (rng, sizeof (this->mixspi), (uint8_t *) &this->mixspi);
590 }
591 rng->destroy (rng);
592 return ok;
593}
594
595/**
596 * Calculate policy priority
597 */
598static uint32_t
599calculate_priority (policy_priority_t policy_priority, traffic_selector_t *src,
600 traffic_selector_t *dst)
601{
602 uint32_t priority = PRIO_BASE;
603 uint16_t port;
604 uint8_t mask, proto;
605 host_t *net;
606
607 switch (policy_priority)
608 {
609 case POLICY_PRIORITY_FALLBACK:
610 priority <<= 1;
611 /* fall-through */
612 case POLICY_PRIORITY_ROUTED:
613 priority <<= 1;
614 /* fall-through */
615 case POLICY_PRIORITY_DEFAULT:
616 priority <<= 1;
617 /* fall-through */
618 case POLICY_PRIORITY_PASS:
619 break;
620 }
621 /* calculate priority based on selector size, small size = high prio */
622 src->to_subnet (src, &net, &mask);
623 priority -= mask;
624 proto = src->get_protocol (src);
625 port = net->get_port (net);
626 net->destroy (net);
627
628 dst->to_subnet (dst, &net, &mask);
629 priority -= mask;
630 proto = max (proto, dst->get_protocol (dst));
631 port = max (port, net->get_port (net));
632 net->destroy (net);
633
634 priority <<= 2; /* make some room for the two flags */
635 priority += port ? 0 : 2;
636 priority += proto ? 0 : 1;
637 return priority;
638}
639
640/**
641 * Get sw_if_index from interface name
642 */
643static uint32_t
644get_sw_if_index (char *interface)
645{
646 char *out = NULL;
647 int out_len, name_filter_len = 0, msg_len = 0;
648 vl_api_sw_interface_dump_t *mp;
649 vl_api_sw_interface_details_t *rmp;
650 uint32_t sw_if_index = ~0;
651
652 name_filter_len = strlen (interface);
653 msg_len = sizeof (*mp) + name_filter_len;
654 mp = vl_msg_api_alloc (msg_len);
655 clib_memset (mp, 0, msg_len);
656 u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "sw_interface_dump_aa610c27");
657 mp->_vl_msg_id = htons (msg_id);
658 mp->name_filter_valid = TRUE;
659 mp->name_filter.length = htonl (name_filter_len);
660 memcpy ((char *) mp->name_filter.buf, interface, name_filter_len);
661
662 if (vac->send (vac, (char *) mp, msg_len, &out, &out_len))
663 {
664 goto error;
665 }
666 if (!out_len)
667 {
668 goto error;
669 }
670 rmp = (vl_api_sw_interface_details_t *) out;
671 sw_if_index = ntohl (rmp->sw_if_index);
672
673error:
674 free (out);
675 vl_msg_api_free (mp);
676 return sw_if_index;
677}
678/**
679 * (Un)-install a security policy database
680 */
681static status_t
682spd_add_del (bool add, uint32_t spd_id)
683{
684 char *out = NULL;
685 int out_len;
686 vl_api_ipsec_spd_add_del_t *mp;
687 vl_api_ipsec_spd_add_del_reply_t *rmp;
688 status_t rv = FAILED;
689
690 mp = vl_msg_api_alloc (sizeof (*mp));
691 memset (mp, 0, sizeof (*mp));
692
693 u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_add_del_20e89a95");
694 mp->_vl_msg_id = htons (msg_id);
695 mp->is_add = add;
696 mp->spd_id = htonl (spd_id);
697 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
698 {
699 DBG1 (DBG_KNL, "vac %s SPD failed", add ? "adding" : "removing");
700 goto error;
701 }
702 rmp = (void *) out;
703 if (rmp->retval)
704 {
705 DBG1 (DBG_KNL, "%s SPD failed rv:%d", add ? "add" : "remove",
706 ntohl (rmp->retval));
707 goto error;
708 }
709 rv = SUCCESS;
710
711error:
712 free (out);
713 vl_msg_api_free (mp);
714 return rv;
715}
716
717/**
718 * Enable or disable SPD on an insterface
719 */
720static status_t
721interface_add_del_spd (bool add, uint32_t spd_id, uint32_t sw_if_index)
722{
723 char *out = NULL;
724 int out_len;
725 vl_api_ipsec_interface_add_del_spd_t *mp;
726 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
727 status_t rv = FAILED;
728
729 mp = vl_msg_api_alloc (sizeof (*mp));
730 memset (mp, 0, sizeof (*mp));
731 u16 msg_id =
732 vl_msg_api_get_msg_index ((u8 *) "ipsec_interface_add_del_spd_80f80cbb");
733 mp->_vl_msg_id = htons (msg_id);
734 mp->is_add = add;
735 mp->spd_id = htonl (spd_id);
736 mp->sw_if_index = htonl (sw_if_index);
737 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
738 {
739 DBG1 (DBG_KNL, "vac %s interface SPD failed",
740 add ? "adding" : "removing");
741 goto error;
742 }
743 rmp = (void *) out;
744 if (rmp->retval)
745 {
746 DBG1 (DBG_KNL, "%s interface SPD failed rv:%d", add ? "add" : "remove",
747 ntohl (rmp->retval));
748 goto error;
749 }
750 rv = SUCCESS;
751
752error:
753 free (out);
754 vl_msg_api_free (mp);
755 return rv;
756}
757
758static int
759bypass_all (bool add, uint32_t spd_id, uint32_t sa_id)
760{
761 vl_api_ipsec_spd_entry_add_del_t *mp;
762 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
763 char *out = NULL;
764 int out_len;
765 status_t rv = FAILED;
766
767 DBG2 (DBG_KNL, "bypass_all [%s] spd_id %d sa_id %d", add ? "ADD" : "DEL",
768 spd_id, sa_id);
769
770 mp = vl_msg_api_alloc (sizeof (*mp));
771 memset (mp, 0, sizeof (*mp));
772
773 u16 msg_id =
774 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
775 mp->_vl_msg_id = ntohs (msg_id);
776 mp->is_add = add;
777 mp->entry.sa_id = ntohl (sa_id);
778 mp->entry.spd_id = ntohl (spd_id);
779 mp->entry.priority = ntohl (INT_MAX - POLICY_PRIORITY_PASS - 1);
780 mp->entry.is_outbound = 0;
781 mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
782 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
783 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
784 mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (0);
785 mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (0xFFFF);
786 mp->entry.protocol = IP_API_PROTO_ESP;
787 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
788 {
789 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
790 goto error;
791 }
792 rmp = (void *) out;
793 if (rmp->retval)
794 {
795 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
796 ntohl (rmp->retval));
797 goto error;
798 }
799 mp->entry.is_outbound = 1;
800 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
801 {
802 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
803 goto error;
804 }
805 rmp = (void *) out;
806 if (rmp->retval)
807 {
808 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
809 ntohl (rmp->retval));
810 goto error;
811 }
812 mp->entry.is_outbound = 0;
813 mp->entry.protocol = IP_API_PROTO_AH;
814 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
815 {
816 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
817 goto error;
818 }
819 rmp = (void *) out;
820 if (rmp->retval)
821 {
822 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
823 ntohl (rmp->retval));
824 goto error;
825 }
826 mp->entry.is_outbound = 1;
827 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
828 {
829 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
830 goto error;
831 }
832 rmp = (void *) out;
833 if (rmp->retval)
834 {
835 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
836 ntohl (rmp->retval));
837 goto error;
838 }
839
840 rv = SUCCESS;
841
842error:
843 if (out)
844 free (out);
845 vl_msg_api_free (mp);
846
847 return rv;
848}
849
850static int
851bypass_port (bool add, uint32_t spd_id, uint32_t sa_id, uint16_t port)
852{
853 vl_api_ipsec_spd_entry_add_del_t *mp;
854 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
855 char *out = NULL;
856 int out_len;
857 status_t rv = FAILED;
858
859 mp = vl_msg_api_alloc (sizeof (*mp));
860 memset (mp, 0, sizeof (*mp));
861
862 u16 msg_id =
863 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
864 mp->_vl_msg_id = ntohs (msg_id);
865 mp->is_add = add;
866 mp->entry.sa_id = ntohl (sa_id);
867 mp->entry.spd_id = ntohl (spd_id);
868 mp->entry.priority = ntohl (INT_MAX - POLICY_PRIORITY_PASS - 1);
869 mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
870 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
871 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
872 mp->entry.is_outbound = 0;
873 mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (0);
874 mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (0xFFFF);
875 mp->entry.protocol = IP_API_PROTO_HOPOPT;
876
877 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
878 {
879 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
880 goto error;
881 }
882 rmp = (void *) out;
883 if (rmp->retval)
884 {
885 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
886 ntohl (rmp->retval));
887 goto error;
888 }
889 mp->entry.is_outbound = 1;
890 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
891 {
892 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
893 goto error;
894 }
895 rmp = (void *) out;
896 if (rmp->retval)
897 {
898 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
899 ntohl (rmp->retval));
900 goto error;
901 }
902 rv = SUCCESS;
903
904error:
905 if (out)
906 free (out);
907 vl_msg_api_free (mp);
908
909 return rv;
910}
911
912/**
913 * Add or remove a bypass policy
914 */
915static status_t
916manage_bypass (bool add, uint32_t spd_id, uint32_t sa_id)
917{
918 uint16_t port;
919 status_t rv;
920
921 bypass_all (add, spd_id, sa_id);
922
923 port =
924 lib->settings->get_int (lib->settings, "%s.port", IKEV2_UDP_PORT, lib->ns);
925
926 if (port)
927 {
928 rv = bypass_port (add, spd_id, sa_id, port);
929 if (rv != SUCCESS)
930 {
931 return rv;
932 }
933 }
934
935 port = lib->settings->get_int (lib->settings, "%s.port_nat_t",
936 IKEV2_NATT_PORT, lib->ns);
937 if (port)
938 {
939 rv = bypass_port (add, spd_id, sa_id, port);
940 if (rv != SUCCESS)
941 {
942 return rv;
943 }
944 }
945
946 return SUCCESS;
947}
948
949/**
950 * Add or remove a policy
951 */
952static status_t
953manage_policy (private_kernel_vpp_ipsec_t *this, bool add,
954 kernel_ipsec_policy_id_t *id,
955 kernel_ipsec_manage_policy_t *data)
956{
957 spd_t *spd;
958 char *out = NULL, *interface = NULL;
959 int out_len;
960 uint32_t sw_if_index, spd_id = ~0, sad_id = ~0;
961 status_t rv = FAILED;
962 uint32_t priority, auto_priority;
963 chunk_t src_from, src_to, dst_from, dst_to;
964 host_t *src, *dst, *addr;
965 vl_api_ipsec_spd_entry_add_del_t *mp;
966 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
967 bool n_spd = false;
968
969 mp = vl_msg_api_alloc (sizeof (*mp));
970 memset (mp, 0, sizeof (*mp));
971
972 this->mutex->lock (this->mutex);
973 if (!id->interface)
974 {
975 addr = id->dir == POLICY_IN ? data->dst : data->src;
976 for (int i = 0; i < 5; i++)
977 {
978 if (!charon->kernel->get_interface (charon->kernel, addr,
979 &interface))
980 {
981 DBG1 (DBG_KNL, "policy no interface %H", addr);
982 interface = NULL;
983 sleep (1);
984 }
985
986 if (interface)
987 {
988 DBG1 (DBG_KNL, "policy have interface %H", addr);
989 break;
990 }
991 }
992 if (!interface)
993 goto error;
994 id->interface = interface;
995 }
996
997 DBG2 (DBG_KNL, "manage policy [%s] interface [%s]", add ? "ADD" : "DEL",
998 id->interface);
999
1000 spd = this->spds->get (this->spds, id->interface);
1001 if (!spd)
1002 {
1003 if (!add)
1004 {
1005 DBG1 (DBG_KNL, "SPD for %s not found, should not be deleted",
1006 id->interface);
1007 goto error;
1008 }
1009 sw_if_index = get_sw_if_index (id->interface);
1010 DBG1 (DBG_KNL, "firstly created, spd for %s found sw_if_index is %d",
1011 id->interface, sw_if_index);
1012 if (sw_if_index == ~0)
1013 {
1014 DBG1 (DBG_KNL, "sw_if_index for %s not found", id->interface);
1015 goto error;
1016 }
1017 spd_id = ref_get (&this->next_spd_id);
1018 if (spd_add_del (TRUE, spd_id))
1019 {
1020 DBG1 (DBG_KNL, "spd_add_del %d failed!!!!!", spd_id);
1021 goto error;
1022 }
1023 if (interface_add_del_spd (TRUE, spd_id, sw_if_index))
1024 {
1025 DBG1 (DBG_KNL, "interface_add_del_spd %d %d failed!!!!!", spd_id,
1026 sw_if_index);
1027 goto error;
1028 }
1029 INIT (spd, .spd_id = spd_id, .sw_if_index = sw_if_index,
1030 .policy_num = 0, );
1031 this->spds->put (this->spds, id->interface, spd);
1032 n_spd = true;
1033 }
1034
1035 auto_priority = calculate_priority (data->prio, id->src_ts, id->dst_ts);
1036 priority = data->manual_prio ? data->manual_prio : auto_priority;
1037
1038 u16 msg_id =
1039 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
1040 mp->_vl_msg_id = htons (msg_id);
1041 mp->is_add = add;
1042 mp->entry.spd_id = htonl (spd->spd_id);
1043 mp->entry.priority = htonl (INT_MAX - POLICY_PRIORITY_PASS);
1044 mp->entry.is_outbound = id->dir == POLICY_OUT;
1045 switch (data->type)
1046 {
1047 case POLICY_IPSEC:
1048 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_PROTECT);
1049 break;
1050 case POLICY_PASS:
1051 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_BYPASS);
1052 break;
1053 case POLICY_DROP:
1054 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_DISCARD);
1055 break;
1056 }
1057 if ((data->type == POLICY_IPSEC) && data->sa)
1058 {
1059 kernel_ipsec_sa_id_t id = {
1060 .src = data->src,
1061 .dst = data->dst,
1062 .proto = data->sa->esp.use ? IPPROTO_ESP : IPPROTO_AH,
1063 .spi = data->sa->esp.use ? data->sa->esp.spi : data->sa->ah.spi,
1064 };
1065 sa_t *sa = NULL;
1066 sa = this->sas->get (this->sas, &id);
1067 if (!sa)
1068 {
1069 DBG1 (DBG_KNL, "SA ID not found");
1070 goto error;
1071 }
1072 sad_id = sa->sa_id;
1073 if (n_spd)
1074 {
1075 if (manage_bypass (TRUE, spd_id, ~0))
1076 {
1077 DBG1 (DBG_KNL, "manage_bypass %d failed!!!!", spd_id);
1078 goto error;
1079 }
1080 }
1081 }
1082
1083 mp->entry.sa_id = htonl (sad_id);
1084
1085 bool is_ipv6 = false;
1086 if (id->src_ts->get_type (id->src_ts) == TS_IPV6_ADDR_RANGE)
1087 {
1088 is_ipv6 = true;
1089 mp->entry.local_address_start.af = htonl (ADDRESS_IP6);
1090 mp->entry.local_address_stop.af = htonl (ADDRESS_IP6);
1091 mp->entry.remote_address_start.af = htonl (ADDRESS_IP6);
1092 mp->entry.remote_address_stop.af = htonl (ADDRESS_IP6);
1093 }
1094 else
1095 {
1096 mp->entry.local_address_start.af = htonl (ADDRESS_IP4);
1097 mp->entry.local_address_stop.af = htonl (ADDRESS_IP4);
1098 mp->entry.remote_address_start.af = htonl (ADDRESS_IP4);
1099 mp->entry.remote_address_stop.af = htonl (ADDRESS_IP4);
1100 }
1101 mp->entry.protocol = id->src_ts->get_protocol (id->src_ts);
1102
1103 if (id->dir == POLICY_OUT)
1104 {
1105 src_from = id->src_ts->get_from_address (id->src_ts);
1106 src_to = id->src_ts->get_to_address (id->src_ts);
1107 src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_to, 0);
1108 dst_from = id->dst_ts->get_from_address (id->dst_ts);
1109 dst_to = id->dst_ts->get_to_address (id->dst_ts);
1110 dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_to, 0);
1111 }
1112 else
1113 {
1114 dst_from = id->src_ts->get_from_address (id->src_ts);
1115 dst_to = id->src_ts->get_to_address (id->src_ts);
1116 dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_from, 0);
1117 src_from = id->dst_ts->get_from_address (id->dst_ts);
1118 src_to = id->dst_ts->get_to_address (id->dst_ts);
1119 src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_from, 0);
1120 }
1121
1122 if (src->is_anyaddr (src) && dst->is_anyaddr (dst))
1123 {
1124 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
1125 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
1126 }
1127 else
1128 {
1129 memcpy (is_ipv6 ? mp->entry.local_address_start.un.ip6 :
1130 mp->entry.local_address_start.un.ip4,
1131 src_from.ptr, src_from.len);
1132 memcpy (is_ipv6 ? mp->entry.local_address_stop.un.ip6 :
1133 mp->entry.local_address_stop.un.ip4,
1134 src_to.ptr, src_to.len);
1135 memcpy (is_ipv6 ? mp->entry.remote_address_start.un.ip6 :
1136 mp->entry.remote_address_start.un.ip4,
1137 dst_from.ptr, dst_from.len);
1138 memcpy (is_ipv6 ? mp->entry.remote_address_stop.un.ip6 :
1139 mp->entry.remote_address_stop.un.ip4,
1140 dst_to.ptr, dst_to.len);
1141 }
1142 mp->entry.local_port_start = htons (id->src_ts->get_from_port (id->src_ts));
1143 mp->entry.local_port_stop = htons (id->src_ts->get_to_port (id->src_ts));
1144 mp->entry.remote_port_start = htons (id->dst_ts->get_from_port (id->dst_ts));
1145 mp->entry.remote_port_stop = htons (id->dst_ts->get_to_port (id->dst_ts));
1146
Gabriel Oginski8de66c02023-02-03 08:12:36 +00001147 /* check if policy exists in SPD */
1148 vl_api_ipsec_spd_dump_t *mp_dump;
1149 vl_api_ipsec_spd_details_t *rmp_dump, *tmp;
1150
1151 mp_dump = vl_msg_api_alloc (sizeof (*mp_dump));
1152 memset (mp_dump, 0, sizeof (*mp_dump));
1153
1154 msg_id = vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_dump_afefbf7d");
1155 mp_dump->_vl_msg_id = htons (msg_id);
1156 mp_dump->spd_id = htonl (spd->spd_id);
1157 mp_dump->sa_id = htonl (sad_id);
1158
1159 if (vac->send_dump (vac, (char *) mp_dump, sizeof (*mp_dump), &out,
1160 &out_len))
1161 {
1162 DBG1 (DBG_KNL, "vac %s SPD lookup failed", add ? "adding" : "removing");
1163 goto error;
1164 }
1165
1166 int num = out_len / sizeof (*rmp_dump);
1167 tmp = (void *) out;
1168
1169 /* found existing policy */
1170 if (add && num)
1171 {
1172 int i;
1173 for (i = 0; i < num; i++)
1174 {
1175 rmp_dump = tmp;
1176 tmp += 1;
1177 /* check if found entry equals the new one */
1178 if (policy_equals (&mp->entry, &rmp_dump->entry))
1179 goto next;
1180 }
1181 }
1182 else if (!add && num == 0)
1183 {
1184 /* VPP doesn't have any policy to delete */
1185 goto next;
1186 }
1187
1188 free (out);
1189
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001190 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1191 {
1192 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
1193 goto error;
1194 }
1195 rmp = (void *) out;
1196 if (rmp->retval)
1197 {
1198 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
1199 ntohl (rmp->retval));
1200 goto error;
1201 }
1202
Gabriel Oginski8de66c02023-02-03 08:12:36 +00001203next:
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001204 if (add)
1205 {
1206 ref_get (&spd->policy_num);
1207 }
1208 else
1209 {
1210 if (ref_put (&spd->policy_num))
1211 {
1212 DBG1 (
1213 DBG_KNL,
1214 "policy_num's ref is 0, delete spd_id %d sw_if_index %d sad_id %x",
1215 spd->spd_id, spd->sw_if_index, sad_id);
1216 interface_add_del_spd (FALSE, spd->spd_id, spd->sw_if_index);
1217 manage_bypass (FALSE, spd->spd_id, sad_id);
1218 spd_add_del (FALSE, spd->spd_id);
1219 this->spds->remove (this->spds, id->interface);
1220 }
1221 }
1222
1223 if (this->install_routes && id->dir == POLICY_OUT && !mp->entry.protocol)
1224 {
1225 if (data->type == POLICY_IPSEC && data->sa->mode != MODE_TRANSPORT)
1226 {
1227 manage_route (this, add, id->dst_ts, data->src, data->dst);
1228 }
1229 }
1230 rv = SUCCESS;
1231error:
1232 free (out);
Gabriel Oginski8de66c02023-02-03 08:12:36 +00001233 vl_msg_api_free (mp_dump);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001234 vl_msg_api_free (mp);
1235 this->mutex->unlock (this->mutex);
1236 return rv;
1237}
1238
1239METHOD (kernel_ipsec_t, get_features, kernel_feature_t,
1240 private_kernel_vpp_ipsec_t *this)
1241{
1242 return KERNEL_ESP_V3_TFC;
1243}
1244
1245METHOD (kernel_ipsec_t, get_spi, status_t, private_kernel_vpp_ipsec_t *this,
1246 host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi)
1247{
1248 static const u_int p = 268435399, offset = 0xc0000000;
1249
1250 *spi = htonl (offset + permute (ref_get (&this->nextspi) ^ this->mixspi, p));
1251 return SUCCESS;
1252}
1253
1254METHOD (kernel_ipsec_t, get_cpi, status_t, private_kernel_vpp_ipsec_t *this,
1255 host_t *src, host_t *dst, uint16_t *cpi)
1256{
1257 DBG1 (DBG_KNL, "get_cpi is not supported!!!!!!!!!!!!!!!!!!!!!!!!");
1258 return NOT_SUPPORTED;
1259}
1260
1261/**
1262 * Helper struct for expiration events
1263 */
1264typedef struct
1265{
1266
1267 private_kernel_vpp_ipsec_t *manager;
1268
1269 kernel_ipsec_sa_id_t *sa_id;
1270
1271 /**
1272 * 0 if this is a hard expire, otherwise the offset in s (soft->hard)
1273 */
1274 uint32_t hard_offset;
1275
1276} vpp_sa_expired_t;
1277
1278/**
1279 * Callback for expiration events
1280 */
1281static job_requeue_t
1282sa_expired (vpp_sa_expired_t *expired)
1283{
1284 private_kernel_vpp_ipsec_t *this = expired->manager;
1285 sa_t *sa;
1286 kernel_ipsec_sa_id_t *id = expired->sa_id;
1287
1288 this->mutex->lock (this->mutex);
1289 sa = this->sas->get (this->sas, id);
1290
1291 if (sa)
1292 {
1293 charon->kernel->expire (charon->kernel, id->proto, id->spi, id->dst,
1294 FALSE);
1295 }
1296
1297 free (id);
1298 this->mutex->unlock (this->mutex);
1299 return JOB_REQUEUE_NONE;
1300}
1301
1302/**
1303 * Schedule a job to handle IPsec SA expiration
1304 */
1305static void
1306schedule_expiration (private_kernel_vpp_ipsec_t *this,
1307 kernel_ipsec_add_sa_t *entry,
1308 kernel_ipsec_sa_id_t *entry2)
1309{
1310 lifetime_cfg_t *lifetime = entry->lifetime;
1311 vpp_sa_expired_t *expired;
1312 callback_job_t *job;
1313 uint32_t timeout;
1314 kernel_ipsec_sa_id_t *id;
1315
1316 if (!lifetime->time.life)
1317 { /* no expiration at all */
1318 return;
1319 }
1320
1321 INIT (id, .src = entry2->src->clone (entry2->src),
1322 .dst = entry2->dst->clone (entry2->dst), .spi = entry2->spi,
1323 .proto = entry2->proto, );
1324
1325 INIT (expired, .manager = this, .sa_id = id, );
1326
1327 /* schedule a rekey first, a hard timeout will be scheduled then, if any */
1328 expired->hard_offset = lifetime->time.life - lifetime->time.rekey;
1329 timeout = lifetime->time.rekey;
1330
1331 if (lifetime->time.life <= lifetime->time.rekey || lifetime->time.rekey == 0)
1332 { /* no rekey, schedule hard timeout */
1333 expired->hard_offset = 0;
1334 timeout = lifetime->time.life;
1335 }
1336
1337 job = callback_job_create ((callback_job_cb_t) sa_expired, expired,
1338 (callback_job_cleanup_t) free, NULL);
1339 lib->scheduler->schedule_job (lib->scheduler, (job_t *) job, timeout);
1340}
1341
1342METHOD (kernel_ipsec_t, add_sa, status_t, private_kernel_vpp_ipsec_t *this,
1343 kernel_ipsec_sa_id_t *id, kernel_ipsec_add_sa_t *data)
1344{
1345 char *out = NULL;
1346 int out_len;
1347 vl_api_ipsec_sad_entry_add_del_t *mp;
1348 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
1349 uint32_t sad_id = ref_get (&this->next_sad_id);
1350 uint8_t ca = 0, ia = 0;
1351 status_t rv = FAILED;
1352 chunk_t src, dst;
1353 kernel_ipsec_sa_id_t *sa_id;
1354 sa_t *sa;
1355 int key_len = data->enc_key.len;
1356
1357 if ((data->enc_alg == ENCR_AES_CTR) ||
1358 (data->enc_alg == ENCR_AES_GCM_ICV8) ||
1359 (data->enc_alg == ENCR_AES_GCM_ICV12) ||
1360 (data->enc_alg == ENCR_AES_GCM_ICV16))
1361 {
1362 static const int SALT_SIZE =
1363 4; /* See how enc_size is calculated at keymat_v2.derive_child_keys */
1364 key_len = key_len - SALT_SIZE;
1365 }
1366 natt_port = lib->settings->get_int (
1367 lib->settings, "%s.plugins.socket-default.natt", IKEV2_NATT_PORT, lib->ns);
1368 mp = vl_msg_api_alloc (sizeof (*mp));
1369 memset (mp, 0, sizeof (*mp));
1370 u16 msg_id =
1371 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1372 mp->_vl_msg_id = htons (msg_id);
1373 mp->is_add = 1;
1374 mp->entry.sad_id = htonl (sad_id);
1375 mp->entry.spi = id->spi;
1376 mp->entry.protocol = id->proto == IPPROTO_ESP ? htonl (IPSEC_API_PROTO_ESP) :
1377 htonl (IPSEC_API_PROTO_AH);
1378
1379 switch (data->enc_alg)
1380 {
1381 case ENCR_NULL:
1382 ca = IPSEC_API_CRYPTO_ALG_NONE;
1383 break;
1384 case ENCR_AES_CBC:
1385 switch (key_len * 8)
1386 {
1387 case 128:
1388 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_128;
1389 break;
1390 case 192:
1391 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_192;
1392 break;
1393 case 256:
1394 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_256;
1395 break;
1396 default:
1397 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1398 key_len * 8);
1399 goto error;
1400 }
1401 break;
1402 case ENCR_AES_CTR:
1403 switch (key_len * 8)
1404 {
1405 case 128:
1406 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_128;
1407 break;
1408 case 192:
1409 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_192;
1410 break;
1411 case 256:
1412 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_256;
1413 break;
1414 default:
1415 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1416 key_len * 8);
1417 goto error;
1418 }
1419 break;
1420 case ENCR_AES_GCM_ICV8:
1421 case ENCR_AES_GCM_ICV12:
1422 case ENCR_AES_GCM_ICV16:
1423 switch (key_len * 8)
1424 {
1425 case 128:
1426 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_128;
1427 break;
1428 case 192:
1429 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_192;
1430 break;
1431 case 256:
1432 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_256;
1433 break;
1434 default:
1435 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1436 key_len * 8);
1437 goto error;
1438 }
1439 break;
1440 case ENCR_DES:
1441 ca = IPSEC_API_CRYPTO_ALG_DES_CBC;
1442 break;
1443 case ENCR_3DES:
1444 ca = IPSEC_API_CRYPTO_ALG_3DES_CBC;
1445 break;
1446 default:
1447 DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
1448 encryption_algorithm_names, data->enc_alg);
1449 goto error;
1450 }
1451 mp->entry.crypto_algorithm = htonl (ca);
1452 mp->entry.crypto_key.length = key_len < 128 ? key_len : 128;
1453 memcpy (mp->entry.crypto_key.data, data->enc_key.ptr,
1454 mp->entry.crypto_key.length);
1455
1456 /* copy salt for AEAD algorithms */
1457 if ((data->enc_alg == ENCR_AES_CTR) ||
1458 (data->enc_alg == ENCR_AES_GCM_ICV8) ||
1459 (data->enc_alg == ENCR_AES_GCM_ICV12) ||
1460 (data->enc_alg == ENCR_AES_GCM_ICV16))
1461 {
1462 memcpy (&mp->entry.salt, data->enc_key.ptr + mp->entry.crypto_key.length,
1463 4);
1464 }
1465
1466 switch (data->int_alg)
1467 {
1468 case AUTH_UNDEFINED:
1469 ia = IPSEC_API_INTEG_ALG_NONE;
1470 break;
1471 case AUTH_HMAC_MD5_96:
1472 ia = IPSEC_API_INTEG_ALG_MD5_96;
1473 break;
1474 case AUTH_HMAC_SHA1_96:
1475 ia = IPSEC_API_INTEG_ALG_SHA1_96;
1476 break;
1477 case AUTH_HMAC_SHA2_256_96:
1478 ia = IPSEC_API_INTEG_ALG_SHA_256_96;
1479 break;
1480 case AUTH_HMAC_SHA2_256_128:
1481 ia = IPSEC_API_INTEG_ALG_SHA_256_128;
1482 break;
1483 case AUTH_HMAC_SHA2_384_192:
1484 ia = IPSEC_API_INTEG_ALG_SHA_384_192;
1485 break;
1486 case AUTH_HMAC_SHA2_512_256:
1487 ia = IPSEC_API_INTEG_ALG_SHA_512_256;
1488 break;
1489 default:
1490 DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
1491 integrity_algorithm_names, data->int_alg);
1492 goto error;
1493 break;
1494 }
1495 mp->entry.integrity_algorithm = htonl (ia);
1496 mp->entry.integrity_key.length =
1497 data->int_key.len < 128 ? data->int_key.len : 128;
1498 memcpy (mp->entry.integrity_key.data, data->int_key.ptr,
1499 mp->entry.integrity_key.length);
1500
1501 int flags = IPSEC_API_SAD_FLAG_NONE;
Atzm Watanabefc2d95d2023-01-25 14:11:10 +09001502 if (data->inbound)
1503 flags |= IPSEC_API_SAD_FLAG_IS_INBOUND;
1504 /* like the kernel-netlink plugin, anti-replay can be disabled with zero
1505 * replay_window, but window size cannot be customized for vpp */
1506 if (data->replay_window)
1507 flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001508 if (data->esn)
1509 flags |= IPSEC_API_SAD_FLAG_USE_ESN;
Atzm Watanabefc2d95d2023-01-25 14:11:10 +09001510 if (this->use_tunnel_mode_sa && data->mode == MODE_TUNNEL)
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001511 {
1512 if (id->src->get_family (id->src) == AF_INET6)
1513 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
1514 else
1515 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
1516 }
1517 if (data->encap)
1518 {
1519 DBG1 (DBG_KNL, "UDP encap!!!!!!!!!!!!!!!!!!!!");
1520 flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
1521 }
1522 mp->entry.flags = htonl (flags);
1523
1524 bool is_ipv6 = false;
1525 if (id->src->get_family (id->src) == AF_INET6)
1526 {
1527 is_ipv6 = true;
1528 mp->entry.tunnel_src.af = htonl (ADDRESS_IP6);
1529 mp->entry.tunnel_dst.af = htonl (ADDRESS_IP6);
1530 }
1531 else
1532 {
1533 mp->entry.tunnel_src.af = htonl (ADDRESS_IP4);
1534 mp->entry.tunnel_dst.af = htonl (ADDRESS_IP4);
1535 }
1536 src = id->src->get_address (id->src);
1537 memcpy (is_ipv6 ? mp->entry.tunnel_src.un.ip6 : mp->entry.tunnel_src.un.ip4,
1538 src.ptr, src.len);
1539 dst = id->dst->get_address (id->dst);
1540 memcpy (is_ipv6 ? mp->entry.tunnel_dst.un.ip6 : mp->entry.tunnel_dst.un.ip4,
1541 dst.ptr, dst.len);
1542 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1543 {
1544 DBG1 (DBG_KNL, "vac adding SA failed");
1545 goto error;
1546 }
1547 rmp = (void *) out;
1548 if (rmp->retval)
1549 {
1550 DBG1 (DBG_KNL, "add SA failed rv:%d", ntohl (rmp->retval));
1551 goto error;
1552 }
1553
1554 this->mutex->lock (this->mutex);
1555 INIT (sa_id, .src = id->src->clone (id->src),
1556 .dst = id->dst->clone (id->dst), .spi = id->spi, .proto = id->proto, );
1557 INIT (sa, .sa_id = sad_id, .stat_index = ntohl (rmp->stat_index), );
1558 DBG4 (DBG_KNL, "put sa by its sa_id %x !!!!!!", sad_id);
1559 this->sas->put (this->sas, sa_id, sa);
1560 schedule_expiration (this, data, id);
1561 this->mutex->unlock (this->mutex);
1562 rv = SUCCESS;
1563
1564error:
1565 free (out);
1566 vl_msg_api_free (mp);
1567 return rv;
1568}
1569
1570METHOD (kernel_ipsec_t, update_sa, status_t, private_kernel_vpp_ipsec_t *this,
1571 kernel_ipsec_sa_id_t *id, kernel_ipsec_update_sa_t *data)
1572{
1573 DBG1 (DBG_KNL,
1574 "update sa not supported!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1575 return NOT_SUPPORTED;
1576}
1577
1578METHOD (kernel_ipsec_t, query_sa, status_t, private_kernel_vpp_ipsec_t *this,
1579 kernel_ipsec_sa_id_t *id, kernel_ipsec_query_sa_t *data,
1580 uint64_t *bytes, uint64_t *packets, time_t *time)
1581{
1582 status_t rv = FAILED;
1583 sa_t *sa;
1584 u32 *dir;
1585 int i, k;
1586 stat_segment_data_t *res;
1587 u8 **pattern = 0;
1588 uint64_t res_bytes = 0;
1589 uint64_t res_packets = 0;
1590
1591 this->mutex->lock (this->mutex);
1592 sa = this->sas->get (this->sas, id);
1593 this->mutex->unlock (this->mutex);
1594 if (!sa)
1595 {
1596 DBG1 (DBG_KNL, "SA not found");
1597 return NOT_FOUND;
1598 }
1599
1600 int rv_stat = stat_segment_connect ("/run/vpp/stats.sock");
1601 if (rv_stat != 0)
1602 {
1603 DBG1 (DBG_KNL, "Not connecting with stats segmentation");
1604 return NOT_FOUND;
1605 }
1606 vec_add1 (pattern, (u8 *) "/net/ipsec/sa");
1607 dir = stat_segment_ls ((u8 **) pattern);
1608 res = stat_segment_dump (dir);
1609 /* i-loop for each results find by pattern - here two:
1610 * 1. /net/ipsec/sa
1611 * 2. /net/ipsec/sa/lost
1612 */
1613 for (i = 0; i < vec_len (res); i++)
1614 {
1615 switch (res[i].type)
1616 {
1617 /* type for how many packets are lost */
1618 case STAT_DIR_TYPE_COUNTER_VECTOR_SIMPLE:
1619 if (res[i].simple_counter_vec == 0)
1620 continue;
1621 break;
1622 /* type for counter for each SA */
1623 case STAT_DIR_TYPE_COUNTER_VECTOR_COMBINED:
1624 if (res[i].combined_counter_vec == 0)
1625 continue;
1626 /* k-loop for each threads - that you run VPP */
1627 for (k = 0; k < vec_len (res[i].combined_counter_vec); k++)
1628 {
1629 if (sa->stat_index <= vec_len (res[i].combined_counter_vec[k]))
1630 {
1631 DBG4 (DBG_KNL, "Thread: %d, Packets: %lu, Bytes: %lu", k,
1632 res[i].combined_counter_vec[k][sa->stat_index].packets,
1633 res[i].combined_counter_vec[k][sa->stat_index].bytes);
1634 res_bytes +=
1635 res[i].combined_counter_vec[k][sa->stat_index].bytes;
1636 res_packets +=
1637 res[i].combined_counter_vec[k][sa->stat_index].packets;
1638 }
1639 }
1640 break;
1641 case STAT_DIR_TYPE_NAME_VECTOR:
1642 if (res[i].name_vector == 0)
1643 continue;
1644 break;
1645 }
1646 }
1647 stat_segment_data_free (res);
1648 stat_segment_disconnect ();
1649
1650 vec_free (pattern);
1651 vec_free (dir);
1652
1653 if (bytes)
1654 {
1655 *bytes = res_bytes;
1656 }
1657 if (packets)
1658 {
1659 *packets = res_packets;
1660 }
1661 if (time)
1662 {
1663 *time = 0;
1664 }
1665
1666 rv = SUCCESS;
1667 return rv;
1668}
1669
1670METHOD (kernel_ipsec_t, del_sa, status_t, private_kernel_vpp_ipsec_t *this,
1671 kernel_ipsec_sa_id_t *id, kernel_ipsec_del_sa_t *data)
1672{
1673 char *out = NULL;
1674 int out_len;
1675 vl_api_ipsec_sad_entry_add_del_t *mp;
1676 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
1677 status_t rv = FAILED;
1678 sa_t *sa;
1679
1680 this->mutex->lock (this->mutex);
1681 sa = this->sas->get (this->sas, id);
1682 if (!sa)
1683 {
1684 DBG1 (DBG_KNL, "SA not found");
1685 rv = NOT_FOUND;
1686 goto error;
1687 }
1688 mp = vl_msg_api_alloc (sizeof (*mp));
1689 memset (mp, 0, sizeof (*mp));
1690 mp->is_add = 0;
1691 u16 msg_id =
1692 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1693 mp->_vl_msg_id = htons (msg_id);
1694 mp->entry.sad_id = htonl (sa->sa_id);
1695
1696 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1697 {
1698 DBG1 (DBG_KNL, "vac removing SA failed");
1699 goto error;
1700 }
1701 rmp = (void *) out;
1702 if (rmp->retval)
1703 {
1704 DBG1 (DBG_KNL, "del SA failed rv:%d", ntohl (rmp->retval));
1705 goto error;
1706 }
1707
1708 vl_msg_api_free (mp);
1709 this->sas->remove (this->sas, id);
1710 rv = SUCCESS;
1711error:
1712 free (out);
1713 this->mutex->unlock (this->mutex);
1714 return rv;
1715}
1716
1717METHOD (kernel_ipsec_t, flush_sas, status_t, private_kernel_vpp_ipsec_t *this)
1718{
1719 enumerator_t *enumerator;
1720 int out_len;
1721 char *out;
1722 vl_api_ipsec_sad_entry_add_del_t *mp;
1723 sa_t *sa = NULL;
1724
1725 this->mutex->lock (this->mutex);
1726 enumerator = this->sas->create_enumerator (this->sas);
1727 while (enumerator->enumerate (enumerator, sa, NULL))
1728 {
1729 mp = vl_msg_api_alloc (sizeof (*mp));
1730 memset (mp, 0, sizeof (*mp));
1731 u16 msg_id =
1732 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1733 mp->_vl_msg_id = htons (msg_id);
1734 mp->entry.sad_id = htonl (sa->sa_id);
1735 mp->is_add = 0;
1736 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1737 {
1738 DBG1 (DBG_KNL, "flush_sas failed!!!!");
1739 return FALSE;
1740 }
1741 free (out);
1742 vl_msg_api_free (mp);
1743 this->sas->remove_at (this->sas, enumerator);
1744 }
1745 enumerator->destroy (enumerator);
1746 this->mutex->unlock (this->mutex);
1747
1748 return SUCCESS;
1749}
1750
1751METHOD (kernel_ipsec_t, add_policy, status_t, private_kernel_vpp_ipsec_t *this,
1752 kernel_ipsec_policy_id_t *id, kernel_ipsec_manage_policy_t *data)
1753{
1754 return manage_policy (this, TRUE, id, data);
1755}
1756
1757METHOD (kernel_ipsec_t, query_policy, status_t,
1758 private_kernel_vpp_ipsec_t *this, kernel_ipsec_policy_id_t *id,
1759 kernel_ipsec_query_policy_t *data, time_t *use_time)
1760{
1761 return NOT_SUPPORTED;
1762}
1763
1764METHOD (kernel_ipsec_t, del_policy, status_t, private_kernel_vpp_ipsec_t *this,
1765 kernel_ipsec_policy_id_t *id, kernel_ipsec_manage_policy_t *data)
1766{
1767 return manage_policy (this, FALSE, id, data);
1768}
1769
1770METHOD (kernel_ipsec_t, flush_policies, status_t,
1771 private_kernel_vpp_ipsec_t *this)
1772{
1773 return NOT_SUPPORTED;
1774}
1775
1776METHOD (kernel_ipsec_t, bypass_socket, bool, private_kernel_vpp_ipsec_t *this,
1777 int fd, int family)
1778{
1779 return FALSE;
1780}
1781
1782METHOD (kernel_ipsec_t, enable_udp_decap, bool,
1783 private_kernel_vpp_ipsec_t *this, int fd, int family, u_int16_t port)
1784{
1785 DBG1 (DBG_KNL, "enable_udp_decap not supported!!!!!!!!!!!!!!!!!!!!!!!!!");
1786 return FALSE;
1787}
1788
1789METHOD (kernel_ipsec_t, destroy, void, private_kernel_vpp_ipsec_t *this)
1790{
1791 this->mutex->destroy (this->mutex);
1792 this->sas->destroy (this->sas);
1793 this->spds->destroy (this->spds);
1794 this->routes->destroy (this->routes);
1795 free (this);
1796}
1797
1798kernel_vpp_ipsec_t *
1799kernel_vpp_ipsec_create ()
1800{
1801 private_kernel_vpp_ipsec_t *this;
1802
1803 INIT(this,
1804 .public = {
1805 .interface = {
1806 .get_features = _get_features,
1807 .get_spi = _get_spi,
1808 .get_cpi = _get_cpi,
1809 .add_sa = _add_sa,
1810 .update_sa = _update_sa,
1811 .query_sa = _query_sa,
1812 .del_sa = _del_sa,
1813 .flush_sas = _flush_sas,
1814 .add_policy = _add_policy,
1815 .query_policy = _query_policy,
1816 .del_policy = _del_policy,
1817 .flush_policies = _flush_policies,
1818 .bypass_socket = _bypass_socket,
1819 .enable_udp_decap = _enable_udp_decap,
1820 .destroy = _destroy,
1821 },
1822 },
1823 .next_sad_id = 0,
1824 .next_spd_id = 0,
1825 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
1826 .sas = hashtable_create((hashtable_hash_t)sa_hash,
1827 (hashtable_equals_t)sa_equals, 32),
1828 .spds = hashtable_create((hashtable_hash_t)interface_hash,
1829 (hashtable_equals_t)interface_equals, 4),
1830 .routes = linked_list_create(),
1831 .install_routes = lib->settings->get_bool(lib->settings,
1832 "%s.install_routes", TRUE, lib->ns),
Atzm Watanabefc2d95d2023-01-25 14:11:10 +09001833 .use_tunnel_mode_sa = lib->settings->get_bool(lib->settings,
1834 "%s.plugins.kernel-vpp.use_tunnel_mode_sa",
1835 TRUE, lib->ns),
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001836 );
1837
1838 if (!init_spi (this))
1839 {
1840 destroy (this);
1841 return NULL;
1842 }
1843
1844 return &this->public;
1845}