diff options
-rw-r--r-- | src/vnet/CMakeLists.txt | 3 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.c | 489 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.h | 271 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_if.h | 94 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_io.h | 69 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.c | 174 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 124 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_spd.c | 118 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_spd.h | 58 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_spd_policy.c | 266 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_spd_policy.h | 90 |
11 files changed, 1002 insertions, 754 deletions
diff --git a/src/vnet/CMakeLists.txt b/src/vnet/CMakeLists.txt index a595df25344..bc581620488 100644 --- a/src/vnet/CMakeLists.txt +++ b/src/vnet/CMakeLists.txt @@ -480,6 +480,9 @@ list(APPEND VNET_SOURCES ipsec/ipsec_input.c ipsec/ipsec_if.c ipsec/ipsec_if_in.c + ipsec/ipsec_sa.c + ipsec/ipsec_spd.c + ipsec/ipsec_spd_policy.c ipsec/esp_format.c ipsec/esp_encrypt.c ipsec/esp_decrypt.c diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c index 31fc513c628..e88a72e8bac 100644 --- a/src/vnet/ipsec/ipsec.c +++ b/src/vnet/ipsec/ipsec.c @@ -1,5 +1,5 @@ /* - * decap.c : IPSec tunnel support + * ipsec.c : IPSEC module functions * * Copyright (c) 2015 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); @@ -26,495 +26,8 @@ #include <vnet/ipsec/esp.h> #include <vnet/ipsec/ah.h> - ipsec_main_t ipsec_main; -u32 -ipsec_get_sa_index_by_sa_id (u32 sa_id) -{ - ipsec_main_t *im = &ipsec_main; - uword *p = hash_get (im->sa_index_by_sa_id, sa_id); - if (!p) - return ~0; - - return p[0]; -} - -int -ipsec_set_interface_spd (vlib_main_t * vm, u32 sw_if_index, u32 spd_id, - int is_add) -{ - ipsec_main_t *im = &ipsec_main; - ip4_ipsec_config_t config; - - u32 spd_index; - uword *p; - - p = hash_get (im->spd_index_by_spd_id, spd_id); - if (!p) - return VNET_API_ERROR_SYSCALL_ERROR_1; /* no such spd-id */ - - spd_index = p[0]; - - p = hash_get (im->spd_index_by_sw_if_index, sw_if_index); - if (p && is_add) - return VNET_API_ERROR_SYSCALL_ERROR_1; /* spd already assigned */ - - if (is_add) - { - hash_set (im->spd_index_by_sw_if_index, sw_if_index, spd_index); - } - else - { - hash_unset (im->spd_index_by_sw_if_index, sw_if_index); - } - - clib_warning ("sw_if_index %u spd_id %u spd_index %u", - sw_if_index, spd_id, spd_index); - - /* enable IPsec on TX */ - vnet_feature_enable_disable ("ip4-output", "ipsec4-output-feature", - sw_if_index, is_add, 0, 0); - vnet_feature_enable_disable ("ip6-output", "ipsec6-output-feature", - sw_if_index, is_add, 0, 0); - - config.spd_index = spd_index; - - /* enable IPsec on RX */ - vnet_feature_enable_disable ("ip4-unicast", "ipsec4-input-feature", - sw_if_index, is_add, &config, sizeof (config)); - vnet_feature_enable_disable ("ip6-unicast", "ipsec6-input-feature", - sw_if_index, is_add, &config, sizeof (config)); - - return 0; -} - -int -ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add) -{ - ipsec_main_t *im = &ipsec_main; - ipsec_spd_t *spd = 0; - uword *p; - u32 spd_index, k, v; - - p = hash_get (im->spd_index_by_spd_id, spd_id); - if (p && is_add) - return VNET_API_ERROR_ENTRY_ALREADY_EXISTS; - if (!p && !is_add) - return VNET_API_ERROR_NO_SUCH_ENTRY; - - if (!is_add) /* delete */ - { - spd_index = p[0]; - spd = pool_elt_at_index (im->spds, spd_index); - if (!spd) - return VNET_API_ERROR_INVALID_VALUE; - /* *INDENT-OFF* */ - hash_foreach (k, v, im->spd_index_by_sw_if_index, ({ - if (v == spd_index) - ipsec_set_interface_spd(vm, k, spd_id, 0); - })); - /* *INDENT-ON* */ - hash_unset (im->spd_index_by_spd_id, spd_id); - pool_free (spd->policies); - vec_free (spd->ipv4_outbound_policies); - vec_free (spd->ipv6_outbound_policies); - vec_free (spd->ipv4_inbound_protect_policy_indices); - vec_free (spd->ipv4_inbound_policy_discard_and_bypass_indices); - pool_put (im->spds, spd); - } - else /* create new SPD */ - { - pool_get (im->spds, spd); - clib_memset (spd, 0, sizeof (*spd)); - spd_index = spd - im->spds; - spd->id = spd_id; - hash_set (im->spd_index_by_spd_id, spd_id, spd_index); - } - return 0; -} - -static int -ipsec_spd_entry_sort (void *a1, void *a2) -{ - u32 *id1 = a1; - u32 *id2 = a2; - ipsec_spd_t *spd = ipsec_main.spd_to_sort; - ipsec_policy_t *p1, *p2; - - p1 = pool_elt_at_index (spd->policies, *id1); - p2 = pool_elt_at_index (spd->policies, *id2); - if (p1 && p2) - return p2->priority - p1->priority; - - return 0; -} - -int -ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add) -{ - ipsec_main_t *im = &ipsec_main; - ipsec_spd_t *spd = 0; - ipsec_policy_t *vp; - uword *p; - u32 spd_index; - - clib_warning ("policy-id %u priority %d is_outbound %u", policy->id, - policy->priority, policy->is_outbound); - - if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) - { - p = hash_get (im->sa_index_by_sa_id, policy->sa_id); - if (!p) - return VNET_API_ERROR_SYSCALL_ERROR_1; - policy->sa_index = p[0]; - } - - p = hash_get (im->spd_index_by_spd_id, policy->id); - - if (!p) - return VNET_API_ERROR_SYSCALL_ERROR_1; - - spd_index = p[0]; - spd = pool_elt_at_index (im->spds, spd_index); - if (!spd) - return VNET_API_ERROR_SYSCALL_ERROR_1; - - if (is_add) - { - u32 policy_index; - - pool_get (spd->policies, vp); - clib_memcpy (vp, policy, sizeof (*vp)); - policy_index = vp - spd->policies; - - ipsec_main.spd_to_sort = spd; - - if (policy->is_outbound) - { - if (policy->is_ipv6) - { - vec_add1 (spd->ipv6_outbound_policies, policy_index); - vec_sort_with_function (spd->ipv6_outbound_policies, - ipsec_spd_entry_sort); - } - else - { - vec_add1 (spd->ipv4_outbound_policies, policy_index); - vec_sort_with_function (spd->ipv4_outbound_policies, - ipsec_spd_entry_sort); - } - } - else - { - if (policy->is_ipv6) - { - if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) - { - vec_add1 (spd->ipv6_inbound_protect_policy_indices, - policy_index); - vec_sort_with_function - (spd->ipv6_inbound_protect_policy_indices, - ipsec_spd_entry_sort); - } - else - { - vec_add1 - (spd->ipv6_inbound_policy_discard_and_bypass_indices, - policy_index); - vec_sort_with_function - (spd->ipv6_inbound_policy_discard_and_bypass_indices, - ipsec_spd_entry_sort); - } - } - else - { - if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) - { - vec_add1 (spd->ipv4_inbound_protect_policy_indices, - policy_index); - vec_sort_with_function - (spd->ipv4_inbound_protect_policy_indices, - ipsec_spd_entry_sort); - } - else - { - vec_add1 - (spd->ipv4_inbound_policy_discard_and_bypass_indices, - policy_index); - vec_sort_with_function - (spd->ipv4_inbound_policy_discard_and_bypass_indices, - ipsec_spd_entry_sort); - } - } - } - - ipsec_main.spd_to_sort = NULL; - } - else - { - u32 i, j; - /* *INDENT-OFF* */ - pool_foreach_index(i, spd->policies, ({ - vp = pool_elt_at_index(spd->policies, i); - if (vp->priority != policy->priority) - continue; - if (vp->is_outbound != policy->is_outbound) - continue; - if (vp->policy != policy->policy) - continue; - if (vp->sa_id != policy->sa_id) - continue; - if (vp->protocol != policy->protocol) - continue; - if (vp->lport.start != policy->lport.start) - continue; - if (vp->lport.stop != policy->lport.stop) - continue; - if (vp->rport.start != policy->rport.start) - continue; - if (vp->rport.stop != policy->rport.stop) - continue; - if (vp->is_ipv6 != policy->is_ipv6) - continue; - if (policy->is_ipv6) - { - if (vp->laddr.start.ip6.as_u64[0] != policy->laddr.start.ip6.as_u64[0]) - continue; - if (vp->laddr.start.ip6.as_u64[1] != policy->laddr.start.ip6.as_u64[1]) - continue; - if (vp->laddr.stop.ip6.as_u64[0] != policy->laddr.stop.ip6.as_u64[0]) - continue; - if (vp->laddr.stop.ip6.as_u64[1] != policy->laddr.stop.ip6.as_u64[1]) - continue; - if (vp->raddr.start.ip6.as_u64[0] != policy->raddr.start.ip6.as_u64[0]) - continue; - if (vp->raddr.start.ip6.as_u64[1] != policy->raddr.start.ip6.as_u64[1]) - continue; - if (vp->raddr.stop.ip6.as_u64[0] != policy->raddr.stop.ip6.as_u64[0]) - continue; - if (vp->laddr.stop.ip6.as_u64[1] != policy->laddr.stop.ip6.as_u64[1]) - continue; - if (policy->is_outbound) - { - vec_foreach_index(j, spd->ipv6_outbound_policies) { - if (vec_elt(spd->ipv6_outbound_policies, j) == i) { - vec_del1 (spd->ipv6_outbound_policies, j); - break; - } - } - } - else - { - if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) - { - vec_foreach_index(j, spd->ipv6_inbound_protect_policy_indices) { - if (vec_elt(spd->ipv6_inbound_protect_policy_indices, j) == i) { - vec_del1 (spd->ipv6_inbound_protect_policy_indices, j); - break; - } - } - } - else - { - vec_foreach_index(j, spd->ipv6_inbound_policy_discard_and_bypass_indices) { - if (vec_elt(spd->ipv6_inbound_policy_discard_and_bypass_indices, j) == i) { - vec_del1 (spd->ipv6_inbound_policy_discard_and_bypass_indices, j); - break; - } - } - } - } - } - else - { - if (vp->laddr.start.ip4.as_u32 != policy->laddr.start.ip4.as_u32) - continue; - if (vp->laddr.stop.ip4.as_u32 != policy->laddr.stop.ip4.as_u32) - continue; - if (vp->raddr.start.ip4.as_u32 != policy->raddr.start.ip4.as_u32) - continue; - if (vp->raddr.stop.ip4.as_u32 != policy->raddr.stop.ip4.as_u32) - continue; - if (policy->is_outbound) - { - vec_foreach_index(j, spd->ipv4_outbound_policies) { - if (vec_elt(spd->ipv4_outbound_policies, j) == i) { - vec_del1 (spd->ipv4_outbound_policies, j); - break; - } - } - } - else - { - if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) - { - vec_foreach_index(j, spd->ipv4_inbound_protect_policy_indices) { - if (vec_elt(spd->ipv4_inbound_protect_policy_indices, j) == i) { - vec_del1 (spd->ipv4_inbound_protect_policy_indices, j); - break; - } - } - } - else - { - vec_foreach_index(j, spd->ipv4_inbound_policy_discard_and_bypass_indices) { - if (vec_elt(spd->ipv4_inbound_policy_discard_and_bypass_indices, j) == i) { - vec_del1 (spd->ipv4_inbound_policy_discard_and_bypass_indices, j); - break; - } - } - } - } - } - pool_put (spd->policies, vp); - break; - })); - /* *INDENT-ON* */ - } - - return 0; -} - -u8 -ipsec_is_sa_used (u32 sa_index) -{ - ipsec_main_t *im = &ipsec_main; - ipsec_spd_t *spd; - ipsec_policy_t *p; - ipsec_tunnel_if_t *t; - - /* *INDENT-OFF* */ - pool_foreach(spd, im->spds, ({ - pool_foreach(p, spd->policies, ({ - if (p->policy == IPSEC_POLICY_ACTION_PROTECT) - { - if (p->sa_index == sa_index) - return 1; - } - })); - })); - - pool_foreach(t, im->tunnel_interfaces, ({ - if (t->input_sa_index == sa_index) - return 1; - if (t->output_sa_index == sa_index) - return 1; - })); - /* *INDENT-ON* */ - - return 0; -} - -clib_error_t * -ipsec_call_add_del_callbacks (ipsec_main_t * im, ipsec_sa_t * sa, - u32 sa_index, int is_add) -{ - ipsec_ah_backend_t *ab; - ipsec_esp_backend_t *eb; - switch (sa->protocol) - { - case IPSEC_PROTOCOL_AH: - ab = pool_elt_at_index (im->ah_backends, im->ah_current_backend); - if (ab->add_del_sa_sess_cb) - return ab->add_del_sa_sess_cb (sa_index, is_add); - break; - case IPSEC_PROTOCOL_ESP: - eb = pool_elt_at_index (im->esp_backends, im->esp_current_backend); - if (eb->add_del_sa_sess_cb) - return eb->add_del_sa_sess_cb (sa_index, is_add); - break; - } - return 0; -} - -int -ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add) -{ - ipsec_main_t *im = &ipsec_main; - ipsec_sa_t *sa = 0; - uword *p; - u32 sa_index; - clib_error_t *err; - - clib_warning ("id %u spi %u", new_sa->id, new_sa->spi); - - p = hash_get (im->sa_index_by_sa_id, new_sa->id); - if (p && is_add) - return VNET_API_ERROR_ENTRY_ALREADY_EXISTS; - if (!p && !is_add) - return VNET_API_ERROR_NO_SUCH_ENTRY; - - if (!is_add) /* delete */ - { - sa_index = p[0]; - sa = pool_elt_at_index (im->sad, sa_index); - if (ipsec_is_sa_used (sa_index)) - { - clib_warning ("sa_id %u used in policy", sa->id); - return VNET_API_ERROR_SYSCALL_ERROR_1; /* sa used in policy */ - } - hash_unset (im->sa_index_by_sa_id, sa->id); - err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0); - if (err) - return VNET_API_ERROR_SYSCALL_ERROR_1; - pool_put (im->sad, sa); - } - else /* create new SA */ - { - pool_get (im->sad, sa); - clib_memcpy (sa, new_sa, sizeof (*sa)); - sa_index = sa - im->sad; - hash_set (im->sa_index_by_sa_id, sa->id, sa_index); - err = ipsec_call_add_del_callbacks (im, sa, sa_index, 1); - if (err) - return VNET_API_ERROR_SYSCALL_ERROR_1; - } - return 0; -} - -int -ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update) -{ - ipsec_main_t *im = &ipsec_main; - uword *p; - u32 sa_index; - ipsec_sa_t *sa = 0; - clib_error_t *err; - - p = hash_get (im->sa_index_by_sa_id, sa_update->id); - if (!p) - return VNET_API_ERROR_SYSCALL_ERROR_1; /* no such sa-id */ - - sa_index = p[0]; - sa = pool_elt_at_index (im->sad, sa_index); - - /* new crypto key */ - if (0 < sa_update->crypto_key_len) - { - clib_memcpy (sa->crypto_key, sa_update->crypto_key, - sa_update->crypto_key_len); - sa->crypto_key_len = sa_update->crypto_key_len; - } - - /* new integ key */ - if (0 < sa_update->integ_key_len) - { - clib_memcpy (sa->integ_key, sa_update->integ_key, - sa_update->integ_key_len); - sa->integ_key_len = sa_update->integ_key_len; - } - - if (0 < sa_update->crypto_key_len || 0 < sa_update->integ_key_len) - { - err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0); - if (err) - return VNET_API_ERROR_SYSCALL_ERROR_1; - } - - return 0; -} - static void ipsec_rand_seed (void) { diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h index 93369fe9f8c..fd709675b8e 100644 --- a/src/vnet/ipsec/ipsec.h +++ b/src/vnet/ipsec/ipsec.h @@ -25,244 +25,11 @@ #include <vppinfra/types.h> #include <vppinfra/cache.h> -#define IPSEC_FLAG_IPSEC_GRE_TUNNEL (1 << 0) - -#define foreach_ipsec_output_next \ - _ (DROP, "error-drop") \ - _ (ESP4_ENCRYPT, "esp4-encrypt") \ - _ (AH4_ENCRYPT, "ah4-encrypt") \ - _ (ESP6_ENCRYPT, "esp6-encrypt") \ - _ (AH6_ENCRYPT, "ah6-encrypt") - -#define _(v, s) IPSEC_OUTPUT_NEXT_##v, -typedef enum -{ - foreach_ipsec_output_next -#undef _ - IPSEC_OUTPUT_N_NEXT, -} ipsec_output_next_t; - -#define foreach_ipsec_input_next \ - _ (DROP, "error-drop") \ - _ (ESP4_DECRYPT, "esp4-decrypt") \ - _ (AH4_DECRYPT, "ah4-decrypt") \ - _ (ESP6_DECRYPT, "esp6-decrypt") \ - _ (AH6_DECRYPT, "ah6-decrypt") - -#define _(v, s) IPSEC_INPUT_NEXT_##v, -typedef enum -{ - foreach_ipsec_input_next -#undef _ - IPSEC_INPUT_N_NEXT, -} ipsec_input_next_t; - -#define foreach_ipsec_policy_action \ - _ (0, BYPASS, "bypass") \ - _ (1, DISCARD, "discard") \ - _ (2, RESOLVE, "resolve") \ - _ (3, PROTECT, "protect") - -typedef enum -{ -#define _(v, f, s) IPSEC_POLICY_ACTION_##f = v, - foreach_ipsec_policy_action -#undef _ -} ipsec_policy_action_t; - -#define IPSEC_POLICY_N_ACTION (IPSEC_POLICY_ACTION_PROTECT + 1) - - -#define foreach_ipsec_crypto_alg \ - _ (0, NONE, "none") \ - _ (1, AES_CBC_128, "aes-cbc-128") \ - _ (2, AES_CBC_192, "aes-cbc-192") \ - _ (3, AES_CBC_256, "aes-cbc-256") \ - _ (4, AES_CTR_128, "aes-ctr-128") \ - _ (5, AES_CTR_192, "aes-ctr-192") \ - _ (6, AES_CTR_256, "aes-ctr-256") \ - _ (7, AES_GCM_128, "aes-gcm-128") \ - _ (8, AES_GCM_192, "aes-gcm-192") \ - _ (9, AES_GCM_256, "aes-gcm-256") \ - _ (10, DES_CBC, "des-cbc") \ - _ (11, 3DES_CBC, "3des-cbc") - -typedef enum -{ -#define _(v, f, s) IPSEC_CRYPTO_ALG_##f = v, - foreach_ipsec_crypto_alg -#undef _ - IPSEC_CRYPTO_N_ALG, -} ipsec_crypto_alg_t; - -#define foreach_ipsec_integ_alg \ - _ (0, NONE, "none") \ - _ (1, MD5_96, "md5-96") /* RFC2403 */ \ - _ (2, SHA1_96, "sha1-96") /* RFC2404 */ \ - _ (3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \ - _ (4, SHA_256_128, "sha-256-128") /* RFC4868 */ \ - _ (5, SHA_384_192, "sha-384-192") /* RFC4868 */ \ - _ (6, SHA_512_256, "sha-512-256") /* RFC4868 */ - -typedef enum -{ -#define _(v, f, s) IPSEC_INTEG_ALG_##f = v, - foreach_ipsec_integ_alg -#undef _ - IPSEC_INTEG_N_ALG, -} ipsec_integ_alg_t; - -typedef enum -{ - IPSEC_PROTOCOL_AH = 0, - IPSEC_PROTOCOL_ESP = 1 -} ipsec_protocol_t; - -typedef struct -{ - u32 id; - u32 spi; - ipsec_protocol_t protocol; - - ipsec_crypto_alg_t crypto_alg; - u8 crypto_key_len; - u8 crypto_key[128]; - - ipsec_integ_alg_t integ_alg; - u8 integ_key_len; - u8 integ_key[128]; - - u8 use_esn; - u8 use_anti_replay; - - u8 is_tunnel; - u8 is_tunnel_ip6; - u8 udp_encap; - ip46_address_t tunnel_src_addr; - ip46_address_t tunnel_dst_addr; - - u32 tx_fib_index; - u32 salt; - - /* runtime */ - u32 seq; - u32 seq_hi; - u32 last_seq; - u32 last_seq_hi; - u64 replay_window; - - /* lifetime data */ - u64 total_data_size; -} ipsec_sa_t; - -typedef struct -{ - ip46_address_t start, stop; -} ip46_address_range_t; - -typedef struct -{ - u16 start, stop; -} port_range_t; - -typedef struct -{ - u8 is_add; - u8 esn; - u8 anti_replay; - ip4_address_t local_ip, remote_ip; - u32 local_spi; - u32 remote_spi; - ipsec_crypto_alg_t crypto_alg; - u8 local_crypto_key_len; - u8 local_crypto_key[128]; - u8 remote_crypto_key_len; - u8 remote_crypto_key[128]; - ipsec_integ_alg_t integ_alg; - u8 local_integ_key_len; - u8 local_integ_key[128]; - u8 remote_integ_key_len; - u8 remote_integ_key[128]; - u8 renumber; - u32 show_instance; - u8 udp_encap; - u32 tx_table_id; -} ipsec_add_del_tunnel_args_t; - -typedef struct -{ - u8 is_add; - u32 local_sa_id; - u32 remote_sa_id; - ip4_address_t local_ip; - ip4_address_t remote_ip; -} ipsec_add_del_ipsec_gre_tunnel_args_t; - -typedef enum -{ - IPSEC_IF_SET_KEY_TYPE_NONE, - IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO, - IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO, - IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG, - IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG, -} ipsec_if_set_key_type_t; - -typedef struct -{ - u32 id; - i32 priority; - u8 is_outbound; - - // Selector - u8 is_ipv6; - ip46_address_range_t laddr; - ip46_address_range_t raddr; - u8 protocol; - port_range_t lport; - port_range_t rport; - - // Policy - ipsec_policy_action_t policy; - u32 sa_id; - u32 sa_index; - - // Counter - vlib_counter_t counter; -} ipsec_policy_t; - -typedef struct -{ - u32 id; - /* pool of policies */ - ipsec_policy_t *policies; - /* vectors of policy indices */ - u32 *ipv4_outbound_policies; - u32 *ipv6_outbound_policies; - u32 *ipv4_inbound_protect_policy_indices; - u32 *ipv4_inbound_policy_discard_and_bypass_indices; - u32 *ipv6_inbound_protect_policy_indices; - u32 *ipv6_inbound_policy_discard_and_bypass_indices; -} ipsec_spd_t; - -typedef struct -{ - u32 spd_index; -} ip4_ipsec_config_t; - -typedef struct -{ - u32 spd_index; -} ip6_ipsec_config_t; - -typedef struct -{ - /* Required for pool_get_aligned */ - CLIB_CACHE_LINE_ALIGN_MARK (cacheline0); - u32 input_sa_index; - u32 output_sa_index; - u32 hw_if_index; - u32 show_instance; -} ipsec_tunnel_if_t; +#include <vnet/ipsec/ipsec_spd.h> +#include <vnet/ipsec/ipsec_spd_policy.h> +#include <vnet/ipsec/ipsec_sa.h> +#include <vnet/ipsec/ipsec_if.h> +#include <vnet/ipsec/ipsec_io.h> typedef clib_error_t *(*add_del_sa_sess_cb_t) (u32 sa_index, u8 is_add); typedef clib_error_t *(*check_support_cb_t) (ipsec_sa_t * sa); @@ -433,35 +200,7 @@ extern vlib_node_registration_t ipsec_if_input_node; /* * functions */ -int ipsec_set_interface_spd (vlib_main_t * vm, u32 sw_if_index, u32 spd_id, - int is_add); -int ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add); -int ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, - int is_add); -int ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add); -int ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update); - -u32 ipsec_get_sa_index_by_sa_id (u32 sa_id); -u8 ipsec_is_sa_used (u32 sa_index); -u8 *format_ipsec_policy_action (u8 * s, va_list * args); -u8 *format_ipsec_crypto_alg (u8 * s, va_list * args); -u8 *format_ipsec_integ_alg (u8 * s, va_list * args); u8 *format_ipsec_replay_window (u8 * s, va_list * args); -uword unformat_ipsec_policy_action (unformat_input_t * input, va_list * args); -uword unformat_ipsec_crypto_alg (unformat_input_t * input, va_list * args); -uword unformat_ipsec_integ_alg (unformat_input_t * input, va_list * args); - -int ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, - ipsec_add_del_tunnel_args_t * args, - u32 * sw_if_index); -int ipsec_add_del_tunnel_if (ipsec_add_del_tunnel_args_t * args); -int ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm, - ipsec_add_del_ipsec_gre_tunnel_args_t * - args); -int ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index, - ipsec_if_set_key_type_t type, u8 alg, u8 * key); -int ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id, - u8 is_outbound); /* * inline functions diff --git a/src/vnet/ipsec/ipsec_if.h b/src/vnet/ipsec/ipsec_if.h new file mode 100644 index 00000000000..96a109ddaf5 --- /dev/null +++ b/src/vnet/ipsec/ipsec_if.h @@ -0,0 +1,94 @@ +/* + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef __IPSEC_IF_H__ +#define __IPSEC_IF_H__ + +#include <vnet/ipsec/ipsec_sa.h> + +typedef enum +{ + IPSEC_IF_SET_KEY_TYPE_NONE, + IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO, + IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO, + IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG, + IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG, +} ipsec_if_set_key_type_t; + +typedef struct +{ + /* Required for pool_get_aligned */ + CLIB_CACHE_LINE_ALIGN_MARK (cacheline0); + u32 input_sa_index; + u32 output_sa_index; + u32 hw_if_index; + u32 show_instance; +} ipsec_tunnel_if_t; + +typedef struct +{ + u8 is_add; + u8 esn; + u8 anti_replay; + ip4_address_t local_ip, remote_ip; + u32 local_spi; + u32 remote_spi; + ipsec_crypto_alg_t crypto_alg; + u8 local_crypto_key_len; + u8 local_crypto_key[128]; + u8 remote_crypto_key_len; + u8 remote_crypto_key[128]; + ipsec_integ_alg_t integ_alg; + u8 local_integ_key_len; + u8 local_integ_key[128]; + u8 remote_integ_key_len; + u8 remote_integ_key[128]; + u8 renumber; + u32 show_instance; + u8 udp_encap; + u32 tx_table_id; +} ipsec_add_del_tunnel_args_t; + +typedef struct +{ + u8 is_add; + u32 local_sa_id; + u32 remote_sa_id; + ip4_address_t local_ip; + ip4_address_t remote_ip; +} ipsec_add_del_ipsec_gre_tunnel_args_t; + +extern int ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, + ipsec_add_del_tunnel_args_t * + args, u32 * sw_if_index); +extern int ipsec_add_del_tunnel_if (ipsec_add_del_tunnel_args_t * args); +extern int ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm, + ipsec_add_del_ipsec_gre_tunnel_args_t + * args); + +extern int ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index, + ipsec_if_set_key_type_t type, + u8 alg, u8 * key); +extern int ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, + u32 sa_id, u8 is_outbound); + +#endif /* __IPSEC_IF_H__ */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/vnet/ipsec/ipsec_io.h b/src/vnet/ipsec/ipsec_io.h new file mode 100644 index 00000000000..aa6fa8df7c7 --- /dev/null +++ b/src/vnet/ipsec/ipsec_io.h @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef __IPSEC_IO_H__ +#define __IPSEC_IO_H__ + +#define IPSEC_FLAG_IPSEC_GRE_TUNNEL (1 << 0) + +#define foreach_ipsec_output_next \ + _ (DROP, "error-drop") \ + _ (ESP4_ENCRYPT, "esp4-encrypt") \ + _ (AH4_ENCRYPT, "ah4-encrypt") \ + _ (ESP6_ENCRYPT, "esp6-encrypt") \ + _ (AH6_ENCRYPT, "ah6-encrypt") + +#define _(v, s) IPSEC_OUTPUT_NEXT_##v, +typedef enum +{ + foreach_ipsec_output_next +#undef _ + IPSEC_OUTPUT_N_NEXT, +} ipsec_output_next_t; + +#define foreach_ipsec_input_next \ + _ (DROP, "error-drop") \ + _ (ESP4_DECRYPT, "esp4-decrypt") \ + _ (AH4_DECRYPT, "ah4-decrypt") \ + _ (ESP6_DECRYPT, "esp6-decrypt") \ + _ (AH6_DECRYPT, "ah6-decrypt") + +#define _(v, s) IPSEC_INPUT_NEXT_##v, +typedef enum +{ + foreach_ipsec_input_next +#undef _ + IPSEC_INPUT_N_NEXT, +} ipsec_input_next_t; + + +typedef struct +{ + u32 spd_index; +} ip4_ipsec_config_t; + +typedef struct +{ + u32 spd_index; +} ip6_ipsec_config_t; + +#endif /* __IPSEC_IO_H__ */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c new file mode 100644 index 00000000000..a76197b9f50 --- /dev/null +++ b/src/vnet/ipsec/ipsec_sa.c @@ -0,0 +1,174 @@ +/* + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <vnet/ipsec/ipsec.h> + +static clib_error_t * +ipsec_call_add_del_callbacks (ipsec_main_t * im, ipsec_sa_t * sa, + u32 sa_index, int is_add) +{ + ipsec_ah_backend_t *ab; + ipsec_esp_backend_t *eb; + switch (sa->protocol) + { + case IPSEC_PROTOCOL_AH: + ab = pool_elt_at_index (im->ah_backends, im->ah_current_backend); + if (ab->add_del_sa_sess_cb) + return ab->add_del_sa_sess_cb (sa_index, is_add); + break; + case IPSEC_PROTOCOL_ESP: + eb = pool_elt_at_index (im->esp_backends, im->esp_current_backend); + if (eb->add_del_sa_sess_cb) + return eb->add_del_sa_sess_cb (sa_index, is_add); + break; + } + return 0; +} + +int +ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add) +{ + ipsec_main_t *im = &ipsec_main; + ipsec_sa_t *sa = 0; + uword *p; + u32 sa_index; + clib_error_t *err; + + clib_warning ("id %u spi %u", new_sa->id, new_sa->spi); + + p = hash_get (im->sa_index_by_sa_id, new_sa->id); + if (p && is_add) + return VNET_API_ERROR_ENTRY_ALREADY_EXISTS; + if (!p && !is_add) + return VNET_API_ERROR_NO_SUCH_ENTRY; + + if (!is_add) /* delete */ + { + sa_index = p[0]; + sa = pool_elt_at_index (im->sad, sa_index); + if (ipsec_is_sa_used (sa_index)) + { + clib_warning ("sa_id %u used in policy", sa->id); + return VNET_API_ERROR_SYSCALL_ERROR_1; /* sa used in policy */ + } + hash_unset (im->sa_index_by_sa_id, sa->id); + err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0); + if (err) + return VNET_API_ERROR_SYSCALL_ERROR_1; + pool_put (im->sad, sa); + } + else /* create new SA */ + { + pool_get (im->sad, sa); + clib_memcpy (sa, new_sa, sizeof (*sa)); + sa_index = sa - im->sad; + hash_set (im->sa_index_by_sa_id, sa->id, sa_index); + err = ipsec_call_add_del_callbacks (im, sa, sa_index, 1); + if (err) + return VNET_API_ERROR_SYSCALL_ERROR_1; + } + return 0; +} + +u8 +ipsec_is_sa_used (u32 sa_index) +{ + ipsec_main_t *im = &ipsec_main; + ipsec_spd_t *spd; + ipsec_policy_t *p; + ipsec_tunnel_if_t *t; + + /* *INDENT-OFF* */ + pool_foreach(spd, im->spds, ({ + pool_foreach(p, spd->policies, ({ + if (p->policy == IPSEC_POLICY_ACTION_PROTECT) + { + if (p->sa_index == sa_index) + return 1; + } + })); + })); + + pool_foreach(t, im->tunnel_interfaces, ({ + if (t->input_sa_index == sa_index) + return 1; + if (t->output_sa_index == sa_index) + return 1; + })); + /* *INDENT-ON* */ + + return 0; +} + +int +ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update) +{ + ipsec_main_t *im = &ipsec_main; + uword *p; + u32 sa_index; + ipsec_sa_t *sa = 0; + clib_error_t *err; + + p = hash_get (im->sa_index_by_sa_id, sa_update->id); + if (!p) + return VNET_API_ERROR_SYSCALL_ERROR_1; /* no such sa-id */ + + sa_index = p[0]; + sa = pool_elt_at_index (im->sad, sa_index); + + /* new crypto key */ + if (0 < sa_update->crypto_key_len) + { + clib_memcpy (sa->crypto_key, sa_update->crypto_key, + sa_update->crypto_key_len); + sa->crypto_key_len = sa_update->crypto_key_len; + } + + /* new integ key */ + if (0 < sa_update->integ_key_len) + { + clib_memcpy (sa->integ_key, sa_update->integ_key, + sa_update->integ_key_len); + sa->integ_key_len = sa_update->integ_key_len; + } + + if (0 < sa_update->crypto_key_len || 0 < sa_update->integ_key_len) + { + err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0); + if (err) + return VNET_API_ERROR_SYSCALL_ERROR_1; + } + + return 0; +} + +u32 +ipsec_get_sa_index_by_sa_id (u32 sa_id) +{ + ipsec_main_t *im = &ipsec_main; + uword *p = hash_get (im->sa_index_by_sa_id, sa_id); + if (!p) + return ~0; + + return p[0]; +} + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h new file mode 100644 index 00000000000..43d699be928 --- /dev/null +++ b/src/vnet/ipsec/ipsec_sa.h @@ -0,0 +1,124 @@ +/* + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef __IPSEC_SPD_SA_H__ +#define __IPSEC_SPD_SA_H__ + +#include <vlib/vlib.h> +#include <vnet/ip/ip.h> + +#define foreach_ipsec_crypto_alg \ + _ (0, NONE, "none") \ + _ (1, AES_CBC_128, "aes-cbc-128") \ + _ (2, AES_CBC_192, "aes-cbc-192") \ + _ (3, AES_CBC_256, "aes-cbc-256") \ + _ (4, AES_CTR_128, "aes-ctr-128") \ + _ (5, AES_CTR_192, "aes-ctr-192") \ + _ (6, AES_CTR_256, "aes-ctr-256") \ + _ (7, AES_GCM_128, "aes-gcm-128") \ + _ (8, AES_GCM_192, "aes-gcm-192") \ + _ (9, AES_GCM_256, "aes-gcm-256") \ + _ (10, DES_CBC, "des-cbc") \ + _ (11, 3DES_CBC, "3des-cbc") + +typedef enum +{ +#define _(v, f, s) IPSEC_CRYPTO_ALG_##f = v, + foreach_ipsec_crypto_alg +#undef _ + IPSEC_CRYPTO_N_ALG, +} ipsec_crypto_alg_t; + +#define foreach_ipsec_integ_alg \ + _ (0, NONE, "none") \ + _ (1, MD5_96, "md5-96") /* RFC2403 */ \ + _ (2, SHA1_96, "sha1-96") /* RFC2404 */ \ + _ (3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \ + _ (4, SHA_256_128, "sha-256-128") /* RFC4868 */ \ + _ (5, SHA_384_192, "sha-384-192") /* RFC4868 */ \ + _ (6, SHA_512_256, "sha-512-256") /* RFC4868 */ + +typedef enum +{ +#define _(v, f, s) IPSEC_INTEG_ALG_##f = v, + foreach_ipsec_integ_alg +#undef _ + IPSEC_INTEG_N_ALG, +} ipsec_integ_alg_t; + +typedef enum +{ + IPSEC_PROTOCOL_AH = 0, + IPSEC_PROTOCOL_ESP = 1 +} ipsec_protocol_t; + +typedef struct +{ + u32 id; + u32 spi; + ipsec_protocol_t protocol; + + ipsec_crypto_alg_t crypto_alg; + u8 crypto_key_len; + u8 crypto_key[128]; + + ipsec_integ_alg_t integ_alg; + u8 integ_key_len; + u8 integ_key[128]; + + u8 use_esn; + u8 use_anti_replay; + + u8 is_tunnel; + u8 is_tunnel_ip6; + u8 udp_encap; + ip46_address_t tunnel_src_addr; + ip46_address_t tunnel_dst_addr; + + u32 tx_fib_index; + u32 salt; + + /* runtime */ + u32 seq; + u32 seq_hi; + u32 last_seq; + u32 last_seq_hi; + u64 replay_window; + + /* lifetime data */ + u64 total_data_size; +} ipsec_sa_t; + +extern int ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, + int is_add); +extern u8 ipsec_is_sa_used (u32 sa_index); +extern int ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update); +extern u32 ipsec_get_sa_index_by_sa_id (u32 sa_id); + +extern u8 *format_ipsec_crypto_alg (u8 * s, va_list * args); +extern u8 *format_ipsec_integ_alg (u8 * s, va_list * args); +extern uword unformat_ipsec_crypto_alg (unformat_input_t * input, + va_list * args); +extern uword unformat_ipsec_integ_alg (unformat_input_t * input, + va_list * args); + +#endif /* __IPSEC_SPD_SA_H__ */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/vnet/ipsec/ipsec_spd.c b/src/vnet/ipsec/ipsec_spd.c new file mode 100644 index 00000000000..7e17bb91fdb --- /dev/null +++ b/src/vnet/ipsec/ipsec_spd.c @@ -0,0 +1,118 @@ +/* + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <vnet/ipsec/ipsec.h> + +int +ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add) +{ + ipsec_main_t *im = &ipsec_main; + ipsec_spd_t *spd = 0; + uword *p; + u32 spd_index, k, v; + + p = hash_get (im->spd_index_by_spd_id, spd_id); + if (p && is_add) + return VNET_API_ERROR_ENTRY_ALREADY_EXISTS; + if (!p && !is_add) + return VNET_API_ERROR_NO_SUCH_ENTRY; + + if (!is_add) /* delete */ + { + spd_index = p[0]; + spd = pool_elt_at_index (im->spds, spd_index); + if (!spd) + return VNET_API_ERROR_INVALID_VALUE; + /* *INDENT-OFF* */ + hash_foreach (k, v, im->spd_index_by_sw_if_index, ({ + if (v == spd_index) + ipsec_set_interface_spd(vm, k, spd_id, 0); + })); + /* *INDENT-ON* */ + hash_unset (im->spd_index_by_spd_id, spd_id); + pool_free (spd->policies); + vec_free (spd->ipv4_outbound_policies); + vec_free (spd->ipv6_outbound_policies); + vec_free (spd->ipv4_inbound_protect_policy_indices); + vec_free (spd->ipv4_inbound_policy_discard_and_bypass_indices); + pool_put (im->spds, spd); + } + else /* create new SPD */ + { + pool_get (im->spds, spd); + clib_memset (spd, 0, sizeof (*spd)); + spd_index = spd - im->spds; + spd->id = spd_id; + hash_set (im->spd_index_by_spd_id, spd_id, spd_index); + } + return 0; +} + +int +ipsec_set_interface_spd (vlib_main_t * vm, u32 sw_if_index, u32 spd_id, + int is_add) +{ + ipsec_main_t *im = &ipsec_main; + ip4_ipsec_config_t config; + + u32 spd_index; + uword *p; + + p = hash_get (im->spd_index_by_spd_id, spd_id); + if (!p) + return VNET_API_ERROR_SYSCALL_ERROR_1; /* no such spd-id */ + + spd_index = p[0]; + + p = hash_get (im->spd_index_by_sw_if_index, sw_if_index); + if (p && is_add) + return VNET_API_ERROR_SYSCALL_ERROR_1; /* spd already assigned */ + + if (is_add) + { + hash_set (im->spd_index_by_sw_if_index, sw_if_index, spd_index); + } + else + { + hash_unset (im->spd_index_by_sw_if_index, sw_if_index); + } + + clib_warning ("sw_if_index %u spd_id %u spd_index %u", + sw_if_index, spd_id, spd_index); + + /* enable IPsec on TX */ + vnet_feature_enable_disable ("ip4-output", "ipsec4-output-feature", + sw_if_index, is_add, 0, 0); + vnet_feature_enable_disable ("ip6-output", "ipsec6-output-feature", + sw_if_index, is_add, 0, 0); + + config.spd_index = spd_index; + + /* enable IPsec on RX */ + vnet_feature_enable_disable ("ip4-unicast", "ipsec4-input-feature", + sw_if_index, is_add, &config, sizeof (config)); + vnet_feature_enable_disable ("ip6-unicast", "ipsec6-input-feature", + sw_if_index, is_add, &config, sizeof (config)); + + return 0; +} + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/vnet/ipsec/ipsec_spd.h b/src/vnet/ipsec/ipsec_spd.h new file mode 100644 index 00000000000..854076ece6d --- /dev/null +++ b/src/vnet/ipsec/ipsec_spd.h @@ -0,0 +1,58 @@ +/* + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef __IPSEC_SPD_H__ +#define __IPSEC_SPD_H__ + +#include <vlib/vlib.h> + +struct ipsec_policy_t_; + +/** + * @brief A Secruity Policy Database + */ +typedef struct ipsec_spd_t_ +{ + u32 id; + /* pool of policies */ + struct ipsec_policy_t_ *policies; + /* vectors of policy indices */ + u32 *ipv4_outbound_policies; + u32 *ipv6_outbound_policies; + u32 *ipv4_inbound_protect_policy_indices; + u32 *ipv4_inbound_policy_discard_and_bypass_indices; + u32 *ipv6_inbound_protect_policy_indices; + u32 *ipv6_inbound_policy_discard_and_bypass_indices; +} ipsec_spd_t; + +/** + * @brief Add/Delete a SPD + */ +extern int ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add); + +/** + * @brief Bind/attach a SPD to an interface + */ +extern int ipsec_set_interface_spd (vlib_main_t * vm, + u32 sw_if_index, u32 spd_id, int is_add); + +#endif /* __IPSEC_SPD_H__ */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/vnet/ipsec/ipsec_spd_policy.c b/src/vnet/ipsec/ipsec_spd_policy.c new file mode 100644 index 00000000000..0a576595a5a --- /dev/null +++ b/src/vnet/ipsec/ipsec_spd_policy.c @@ -0,0 +1,266 @@ +/* + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <vnet/ipsec/ipsec.h> + +static int +ipsec_spd_entry_sort (void *a1, void *a2) +{ + u32 *id1 = a1; + u32 *id2 = a2; + ipsec_spd_t *spd = ipsec_main.spd_to_sort; + ipsec_policy_t *p1, *p2; + + p1 = pool_elt_at_index (spd->policies, *id1); + p2 = pool_elt_at_index (spd->policies, *id2); + if (p1 && p2) + return p2->priority - p1->priority; + + return 0; +} + +int +ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add) +{ + ipsec_main_t *im = &ipsec_main; + ipsec_spd_t *spd = 0; + ipsec_policy_t *vp; + uword *p; + u32 spd_index; + + clib_warning ("policy-id %u priority %d is_outbound %u", policy->id, + policy->priority, policy->is_outbound); + + if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) + { + p = hash_get (im->sa_index_by_sa_id, policy->sa_id); + if (!p) + return VNET_API_ERROR_SYSCALL_ERROR_1; + policy->sa_index = p[0]; + } + + p = hash_get (im->spd_index_by_spd_id, policy->id); + + if (!p) + return VNET_API_ERROR_SYSCALL_ERROR_1; + + spd_index = p[0]; + spd = pool_elt_at_index (im->spds, spd_index); + if (!spd) + return VNET_API_ERROR_SYSCALL_ERROR_1; + + if (is_add) + { + u32 policy_index; + + pool_get (spd->policies, vp); + clib_memcpy (vp, policy, sizeof (*vp)); + policy_index = vp - spd->policies; + + ipsec_main.spd_to_sort = spd; + + if (policy->is_outbound) + { + if (policy->is_ipv6) + { + vec_add1 (spd->ipv6_outbound_policies, policy_index); + vec_sort_with_function (spd->ipv6_outbound_policies, + ipsec_spd_entry_sort); + } + else + { + vec_add1 (spd->ipv4_outbound_policies, policy_index); + vec_sort_with_function (spd->ipv4_outbound_policies, + ipsec_spd_entry_sort); + } + } + else + { + if (policy->is_ipv6) + { + if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) + { + vec_add1 (spd->ipv6_inbound_protect_policy_indices, + policy_index); + vec_sort_with_function + (spd->ipv6_inbound_protect_policy_indices, + ipsec_spd_entry_sort); + } + else + { + vec_add1 + (spd->ipv6_inbound_policy_discard_and_bypass_indices, + policy_index); + vec_sort_with_function + (spd->ipv6_inbound_policy_discard_and_bypass_indices, + ipsec_spd_entry_sort); + } + } + else + { + if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) + { + vec_add1 (spd->ipv4_inbound_protect_policy_indices, + policy_index); + vec_sort_with_function + (spd->ipv4_inbound_protect_policy_indices, + ipsec_spd_entry_sort); + } + else + { + vec_add1 + (spd->ipv4_inbound_policy_discard_and_bypass_indices, + policy_index); + vec_sort_with_function + (spd->ipv4_inbound_policy_discard_and_bypass_indices, + ipsec_spd_entry_sort); + } + } + } + + ipsec_main.spd_to_sort = NULL; + } + else + { + u32 i, j; + /* *INDENT-OFF* */ + pool_foreach_index(i, spd->policies, ({ + vp = pool_elt_at_index(spd->policies, i); + if (vp->priority != policy->priority) + continue; + if (vp->is_outbound != policy->is_outbound) + continue; + if (vp->policy != policy->policy) + continue; + if (vp->sa_id != policy->sa_id) + continue; + if (vp->protocol != policy->protocol) + continue; + if (vp->lport.start != policy->lport.start) + continue; + if (vp->lport.stop != policy->lport.stop) + continue; + if (vp->rport.start != policy->rport.start) + continue; + if (vp->rport.stop != policy->rport.stop) + continue; + if (vp->is_ipv6 != policy->is_ipv6) + continue; + if (policy->is_ipv6) + { + if (vp->laddr.start.ip6.as_u64[0] != policy->laddr.start.ip6.as_u64[0]) + continue; + if (vp->laddr.start.ip6.as_u64[1] != policy->laddr.start.ip6.as_u64[1]) + continue; + if (vp->laddr.stop.ip6.as_u64[0] != policy->laddr.stop.ip6.as_u64[0]) + continue; + if (vp->laddr.stop.ip6.as_u64[1] != policy->laddr.stop.ip6.as_u64[1]) + continue; + if (vp->raddr.start.ip6.as_u64[0] != policy->raddr.start.ip6.as_u64[0]) + continue; + if (vp->raddr.start.ip6.as_u64[1] != policy->raddr.start.ip6.as_u64[1]) + continue; + if (vp->raddr.stop.ip6.as_u64[0] != policy->raddr.stop.ip6.as_u64[0]) + continue; + if (vp->laddr.stop.ip6.as_u64[1] != policy->laddr.stop.ip6.as_u64[1]) + continue; + if (policy->is_outbound) + { + vec_foreach_index(j, spd->ipv6_outbound_policies) { + if (vec_elt(spd->ipv6_outbound_policies, j) == i) { + vec_del1 (spd->ipv6_outbound_policies, j); + break; + } + } + } + else + { + if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) + { + vec_foreach_index(j, spd->ipv6_inbound_protect_policy_indices) { + if (vec_elt(spd->ipv6_inbound_protect_policy_indices, j) == i) { + vec_del1 (spd->ipv6_inbound_protect_policy_indices, j); + break; + } + } + } + else + { + vec_foreach_index(j, spd->ipv6_inbound_policy_discard_and_bypass_indices) { + if (vec_elt(spd->ipv6_inbound_policy_discard_and_bypass_indices, j) == i) { + vec_del1 (spd->ipv6_inbound_policy_discard_and_bypass_indices, j); + break; + } + } + } + } + } + else + { + if (vp->laddr.start.ip4.as_u32 != policy->laddr.start.ip4.as_u32) + continue; + if (vp->laddr.stop.ip4.as_u32 != policy->laddr.stop.ip4.as_u32) + continue; + if (vp->raddr.start.ip4.as_u32 != policy->raddr.start.ip4.as_u32) + continue; + if (vp->raddr.stop.ip4.as_u32 != policy->raddr.stop.ip4.as_u32) + continue; + if (policy->is_outbound) + { + vec_foreach_index(j, spd->ipv4_outbound_policies) { + if (vec_elt(spd->ipv4_outbound_policies, j) == i) { + vec_del1 (spd->ipv4_outbound_policies, j); + break; + } + } + } + else + { + if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) + { + vec_foreach_index(j, spd->ipv4_inbound_protect_policy_indices) { + if (vec_elt(spd->ipv4_inbound_protect_policy_indices, j) == i) { + vec_del1 (spd->ipv4_inbound_protect_policy_indices, j); + break; + } + } + } + else + { + vec_foreach_index(j, spd->ipv4_inbound_policy_discard_and_bypass_indices) { + if (vec_elt(spd->ipv4_inbound_policy_discard_and_bypass_indices, j) == i) { + vec_del1 (spd->ipv4_inbound_policy_discard_and_bypass_indices, j); + break; + } + } + } + } + } + pool_put (spd->policies, vp); + break; + })); + /* *INDENT-ON* */ + } + + return 0; +} + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/vnet/ipsec/ipsec_spd_policy.h b/src/vnet/ipsec/ipsec_spd_policy.h new file mode 100644 index 00000000000..fee059e0e56 --- /dev/null +++ b/src/vnet/ipsec/ipsec_spd_policy.h @@ -0,0 +1,90 @@ +/* + * Copyright (c) 2015 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef __IPSEC_SPD_POLICY_H__ +#define __IPSEC_SPD_POLICY_H__ + +#include <vlib/vlib.h> + +#define foreach_ipsec_policy_action \ + _ (0, BYPASS, "bypass") \ + _ (1, DISCARD, "discard") \ + _ (2, RESOLVE, "resolve") \ + _ (3, PROTECT, "protect") + +typedef enum +{ +#define _(v, f, s) IPSEC_POLICY_ACTION_##f = v, + foreach_ipsec_policy_action +#undef _ +} ipsec_policy_action_t; + +#define IPSEC_POLICY_N_ACTION (IPSEC_POLICY_ACTION_PROTECT + 1) + +typedef struct +{ + ip46_address_t start, stop; +} ip46_address_range_t; + +typedef struct +{ + u16 start, stop; +} port_range_t; + +/** + * @brief A Secruity Policy. An entry in an SPD + */ +typedef struct ipsec_policy_t_ +{ + u32 id; + i32 priority; + u8 is_outbound; + + // Selector + u8 is_ipv6; + ip46_address_range_t laddr; + ip46_address_range_t raddr; + u8 protocol; + port_range_t lport; + port_range_t rport; + + // Policy + ipsec_policy_action_t policy; + u32 sa_id; + u32 sa_index; + + // Counter + vlib_counter_t counter; +} ipsec_policy_t; + +/** + * @brief Add/Delete a SPD + */ +extern int ipsec_add_del_policy (vlib_main_t * vm, + ipsec_policy_t * policy, int is_add); + +extern u8 *format_ipsec_policy_action (u8 * s, va_list * args); +extern uword unformat_ipsec_policy_action (unformat_input_t * input, + va_list * args); + + +#endif /* __IPSEC_SPD_POLICY_H__ */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ |