IPSEC: minor refactor

No functional change: this only breaks the monster ipsec.[hc]
into smaller constituent parts

Change-Id: I3fd4d2d041673db5865d46a4002f6bd383f378af
Signed-off-by: Neale Ranns <nranns@cisco.com>
This commit is contained in:
Neale Ranns
2019-02-01 03:31:24 -08:00
committed by Florin Coras
parent e7ada526ac
commit 999c8ee6d6
11 changed files with 1002 additions and 754 deletions


@ -480,6 +480,9 @@ list(APPEND VNET_SOURCES
ipsec/ipsec_input.c
ipsec/ipsec_if.c
ipsec/ipsec_if_in.c
ipsec/ipsec_sa.c
ipsec/ipsec_spd.c
ipsec/ipsec_spd_policy.c
ipsec/esp_format.c
ipsec/esp_encrypt.c
ipsec/esp_decrypt.c



@ -25,244 +25,11 @@
#include <vppinfra/types.h>
#include <vppinfra/cache.h>
#define IPSEC_FLAG_IPSEC_GRE_TUNNEL (1 << 0)
#define foreach_ipsec_output_next \
_ (DROP, "error-drop") \
_ (ESP4_ENCRYPT, "esp4-encrypt") \
_ (AH4_ENCRYPT, "ah4-encrypt") \
_ (ESP6_ENCRYPT, "esp6-encrypt") \
_ (AH6_ENCRYPT, "ah6-encrypt")
#define _(v, s) IPSEC_OUTPUT_NEXT_##v,
typedef enum
{
foreach_ipsec_output_next
#undef _
IPSEC_OUTPUT_N_NEXT,
} ipsec_output_next_t;
#define foreach_ipsec_input_next \
_ (DROP, "error-drop") \
_ (ESP4_DECRYPT, "esp4-decrypt") \
_ (AH4_DECRYPT, "ah4-decrypt") \
_ (ESP6_DECRYPT, "esp6-decrypt") \
_ (AH6_DECRYPT, "ah6-decrypt")
#define _(v, s) IPSEC_INPUT_NEXT_##v,
typedef enum
{
foreach_ipsec_input_next
#undef _
IPSEC_INPUT_N_NEXT,
} ipsec_input_next_t;
#define foreach_ipsec_policy_action \
_ (0, BYPASS, "bypass") \
_ (1, DISCARD, "discard") \
_ (2, RESOLVE, "resolve") \
_ (3, PROTECT, "protect")
typedef enum
{
#define _(v, f, s) IPSEC_POLICY_ACTION_##f = v,
foreach_ipsec_policy_action
#undef _
} ipsec_policy_action_t;
#define IPSEC_POLICY_N_ACTION (IPSEC_POLICY_ACTION_PROTECT + 1)
#define foreach_ipsec_crypto_alg \
_ (0, NONE, "none") \
_ (1, AES_CBC_128, "aes-cbc-128") \
_ (2, AES_CBC_192, "aes-cbc-192") \
_ (3, AES_CBC_256, "aes-cbc-256") \
_ (4, AES_CTR_128, "aes-ctr-128") \
_ (5, AES_CTR_192, "aes-ctr-192") \
_ (6, AES_CTR_256, "aes-ctr-256") \
_ (7, AES_GCM_128, "aes-gcm-128") \
_ (8, AES_GCM_192, "aes-gcm-192") \
_ (9, AES_GCM_256, "aes-gcm-256") \
_ (10, DES_CBC, "des-cbc") \
_ (11, 3DES_CBC, "3des-cbc")
typedef enum
{
#define _(v, f, s) IPSEC_CRYPTO_ALG_##f = v,
foreach_ipsec_crypto_alg
#undef _
IPSEC_CRYPTO_N_ALG,
} ipsec_crypto_alg_t;
#define foreach_ipsec_integ_alg \
_ (0, NONE, "none") \
_ (1, MD5_96, "md5-96") /* RFC2403 */ \
_ (2, SHA1_96, "sha1-96") /* RFC2404 */ \
_ (3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \
_ (4, SHA_256_128, "sha-256-128") /* RFC4868 */ \
_ (5, SHA_384_192, "sha-384-192") /* RFC4868 */ \
_ (6, SHA_512_256, "sha-512-256") /* RFC4868 */
typedef enum
{
#define _(v, f, s) IPSEC_INTEG_ALG_##f = v,
foreach_ipsec_integ_alg
#undef _
IPSEC_INTEG_N_ALG,
} ipsec_integ_alg_t;
typedef enum
{
IPSEC_PROTOCOL_AH = 0,
IPSEC_PROTOCOL_ESP = 1
} ipsec_protocol_t;
typedef struct
{
u32 id;
u32 spi;
ipsec_protocol_t protocol;
ipsec_crypto_alg_t crypto_alg;
u8 crypto_key_len;
u8 crypto_key[128];
ipsec_integ_alg_t integ_alg;
u8 integ_key_len;
u8 integ_key[128];
u8 use_esn;
u8 use_anti_replay;
u8 is_tunnel;
u8 is_tunnel_ip6;
u8 udp_encap;
ip46_address_t tunnel_src_addr;
ip46_address_t tunnel_dst_addr;
u32 tx_fib_index;
u32 salt;
/* runtime */
u32 seq;
u32 seq_hi;
u32 last_seq;
u32 last_seq_hi;
u64 replay_window;
/* lifetime data */
u64 total_data_size;
} ipsec_sa_t;
typedef struct
{
ip46_address_t start, stop;
} ip46_address_range_t;
typedef struct
{
u16 start, stop;
} port_range_t;
typedef struct
{
u8 is_add;
u8 esn;
u8 anti_replay;
ip4_address_t local_ip, remote_ip;
u32 local_spi;
u32 remote_spi;
ipsec_crypto_alg_t crypto_alg;
u8 local_crypto_key_len;
u8 local_crypto_key[128];
u8 remote_crypto_key_len;
u8 remote_crypto_key[128];
ipsec_integ_alg_t integ_alg;
u8 local_integ_key_len;
u8 local_integ_key[128];
u8 remote_integ_key_len;
u8 remote_integ_key[128];
u8 renumber;
u32 show_instance;
u8 udp_encap;
u32 tx_table_id;
} ipsec_add_del_tunnel_args_t;
typedef struct
{
u8 is_add;
u32 local_sa_id;
u32 remote_sa_id;
ip4_address_t local_ip;
ip4_address_t remote_ip;
} ipsec_add_del_ipsec_gre_tunnel_args_t;
typedef enum
{
IPSEC_IF_SET_KEY_TYPE_NONE,
IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO,
IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO,
IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG,
IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG,
} ipsec_if_set_key_type_t;
typedef struct
{
u32 id;
i32 priority;
u8 is_outbound;
// Selector
u8 is_ipv6;
ip46_address_range_t laddr;
ip46_address_range_t raddr;
u8 protocol;
port_range_t lport;
port_range_t rport;
// Policy
ipsec_policy_action_t policy;
u32 sa_id;
u32 sa_index;
// Counter
vlib_counter_t counter;
} ipsec_policy_t;
typedef struct
{
u32 id;
/* pool of policies */
ipsec_policy_t *policies;
/* vectors of policy indices */
u32 *ipv4_outbound_policies;
u32 *ipv6_outbound_policies;
u32 *ipv4_inbound_protect_policy_indices;
u32 *ipv4_inbound_policy_discard_and_bypass_indices;
u32 *ipv6_inbound_protect_policy_indices;
u32 *ipv6_inbound_policy_discard_and_bypass_indices;
} ipsec_spd_t;
typedef struct
{
u32 spd_index;
} ip4_ipsec_config_t;
typedef struct
{
u32 spd_index;
} ip6_ipsec_config_t;
typedef struct
{
/* Required for pool_get_aligned */
CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
u32 input_sa_index;
u32 output_sa_index;
u32 hw_if_index;
u32 show_instance;
} ipsec_tunnel_if_t;
#include <vnet/ipsec/ipsec_spd.h>
#include <vnet/ipsec/ipsec_spd_policy.h>
#include <vnet/ipsec/ipsec_sa.h>
#include <vnet/ipsec/ipsec_if.h>
#include <vnet/ipsec/ipsec_io.h>
typedef clib_error_t *(*add_del_sa_sess_cb_t) (u32 sa_index, u8 is_add);
typedef clib_error_t *(*check_support_cb_t) (ipsec_sa_t * sa);
@ -433,35 +200,7 @@ extern vlib_node_registration_t ipsec_if_input_node;
/*
* functions
*/
int ipsec_set_interface_spd (vlib_main_t * vm, u32 sw_if_index, u32 spd_id,
int is_add);
int ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add);
int ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy,
int is_add);
int ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add);
int ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update);
u32 ipsec_get_sa_index_by_sa_id (u32 sa_id);
u8 ipsec_is_sa_used (u32 sa_index);
u8 *format_ipsec_policy_action (u8 * s, va_list * args);
u8 *format_ipsec_crypto_alg (u8 * s, va_list * args);
u8 *format_ipsec_integ_alg (u8 * s, va_list * args);
u8 *format_ipsec_replay_window (u8 * s, va_list * args);
uword unformat_ipsec_policy_action (unformat_input_t * input, va_list * args);
uword unformat_ipsec_crypto_alg (unformat_input_t * input, va_list * args);
uword unformat_ipsec_integ_alg (unformat_input_t * input, va_list * args);
int ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
ipsec_add_del_tunnel_args_t * args,
u32 * sw_if_index);
int ipsec_add_del_tunnel_if (ipsec_add_del_tunnel_args_t * args);
int ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm,
ipsec_add_del_ipsec_gre_tunnel_args_t *
args);
int ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
ipsec_if_set_key_type_t type, u8 alg, u8 * key);
int ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id,
u8 is_outbound);
/*
* inline functions

94
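--- a/src/vnet/ipsec/ipsec_if.h
+++ b/src/vnet/ipsec/ipsec_if.h
@@ -0,0 +1,94 @@
+/*
+* Copyright (c) 2015 Cisco and/or its affiliates.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at:
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+#ifndef __IPSEC_IF_H__
+#define __IPSEC_IF_H__
+#include <vnet/ipsec/ipsec_sa.h>
+typedef enum
+{
+IPSEC_IF_SET_KEY_TYPE_NONE,
+IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO,
+IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO,
+IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG,
+IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG,
+} ipsec_if_set_key_type_t;
+typedef struct
+{
+/* Required for pool_get_aligned */
+CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
+u32 input_sa_index;
+u32 output_sa_index;
+u32 hw_if_index;
+u32 show_instance;
+} ipsec_tunnel_if_t;
+typedef struct
+{
+u8 is_add;
+u8 esn;
+u8 anti_replay;
+ip4_address_t local_ip, remote_ip;
+u32 local_spi;
+u32 remote_spi;
+ipsec_crypto_alg_t crypto_alg;
+u8 local_crypto_key_len;
+u8 local_crypto_key[128];
+u8 remote_crypto_key_len;
+u8 remote_crypto_key[128];
+ipsec_integ_alg_t integ_alg;
+u8 local_integ_key_len;
+u8 local_integ_key[128];
+u8 remote_integ_key_len;
+u8 remote_integ_key[128];
+u8 renumber;
+u32 show_instance;
+u8 udp_encap;
+u32 tx_table_id;
+} ipsec_add_del_tunnel_args_t;
+typedef struct
+{
+u8 is_add;
+u32 local_sa_id;
+u32 remote_sa_id;
+ip4_address_t local_ip;
+ip4_address_t remote_ip;
+} ipsec_add_del_ipsec_gre_tunnel_args_t;
+extern int ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
+ipsec_add_del_tunnel_args_t *
+args, u32 * sw_if_index);
+extern int ipsec_add_del_tunnel_if (ipsec_add_del_tunnel_args_t * args);
+extern int ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm,
+ipsec_add_del_ipsec_gre_tunnel_args_t
+* args);
+extern int ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
+ipsec_if_set_key_type_t type,
+u8 alg, u8 * key);
+extern int ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index,
+u32 sa_id, u8 is_outbound);
+#endif /* __IPSEC_IF_H__ */
+/*
+* fd.io coding-style-patch-verification: ON
+*
+* Local Variables:
+* eval: (c-set-style "gnu")
+* End:
+*/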
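Review bot: None of the five extern declarations at the end of this header (`ipsec_add_del_tunnel_if_internal` through `ipsec_set_interface_sa`) carries a comment, while the sibling `ipsec_spd.h` in the same commit gives each function an `@brief`. `ipsec_set_interface_key` is the one that most needs it: it takes `u8 * key` with no length parameter, so a reader of the declaration cannot tell how many bytes are read through `key`; presumably the length is derived from `alg`, and that should be stated, e.g. `/** @brief Replace one of a tunnel's keys; the number of bytes read from key is determined by alg */`, with the exact rule confirmed against ipsec_if.c. A one-line `@brief` on the other four would bring the header in line with `ipsec_spd.h`.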

69
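--- a/src/vnet/ipsec/ipsec_io.h
+++ b/src/vnet/ipsec/ipsec_io.h
@@ -0,0 +1,69 @@
+/*
+* Copyright (c) 2015 Cisco and/or its affiliates.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at:
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+#ifndef __IPSEC_IO_H__
+#define __IPSEC_IO_H__
+#define IPSEC_FLAG_IPSEC_GRE_TUNNEL (1 << 0)
+#define foreach_ipsec_output_next \
+_ (DROP, "error-drop") \
+_ (ESP4_ENCRYPT, "esp4-encrypt") \
+_ (AH4_ENCRYPT, "ah4-encrypt") \
+_ (ESP6_ENCRYPT, "esp6-encrypt") \
+_ (AH6_ENCRYPT, "ah6-encrypt")
+#define _(v, s) IPSEC_OUTPUT_NEXT_##v,
+typedef enum
+{
+foreach_ipsec_output_next
+#undef _
+IPSEC_OUTPUT_N_NEXT,
+} ipsec_output_next_t;
+#define foreach_ipsec_input_next \
+_ (DROP, "error-drop") \
+_ (ESP4_DECRYPT, "esp4-decrypt") \
+_ (AH4_DECRYPT, "ah4-decrypt") \
+_ (ESP6_DECRYPT, "esp6-decrypt") \
+_ (AH6_DECRYPT, "ah6-decrypt")
+#define _(v, s) IPSEC_INPUT_NEXT_##v,
+typedef enum
+{
+foreach_ipsec_input_next
+#undef _
+IPSEC_INPUT_N_NEXT,
+} ipsec_input_next_t;
+typedef struct
+{
+u32 spd_index;
+} ip4_ipsec_config_t;
+typedef struct
+{
+u32 spd_index;
+} ip6_ipsec_config_t;
+#endif /* __IPSEC_IO_H__ */
+/*
+* fd.io coding-style-patch-verification: ON
+*
+* Local Variables:
+* eval: (c-set-style "gnu")
+* End:
+*/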
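Review bot: This header is not self-contained: `ip4_ipsec_config_t` and `ip6_ipsec_config_t` use `u32`, but the file includes nothing, so it only compiles when the includer has already pulled in the vppinfra types. The other new headers in this commit (`ipsec_sa.h`, `ipsec_spd.h`, `ipsec_spd_policy.h`) each include `<vlib/vlib.h>` themselves. Add `#include <vppinfra/types.h>` directly after the `#define __IPSEC_IO_H__` guard, which is the include the old `ipsec.h` relied on for the same definitions.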

174
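--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -0,0 +1,174 @@
+/*
+* Copyright (c) 2015 Cisco and/or its affiliates.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at:
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+#include <vnet/ipsec/ipsec.h>
+static clib_error_t *
+ipsec_call_add_del_callbacks (ipsec_main_t * im, ipsec_sa_t * sa,
+u32 sa_index, int is_add)
+{
+ipsec_ah_backend_t *ab;
+ipsec_esp_backend_t *eb;
+switch (sa->protocol)
+{
+case IPSEC_PROTOCOL_AH:
+ab = pool_elt_at_index (im->ah_backends, im->ah_current_backend);
+if (ab->add_del_sa_sess_cb)
+return ab->add_del_sa_sess_cb (sa_index, is_add);
+break;
+case IPSEC_PROTOCOL_ESP:
+eb = pool_elt_at_index (im->esp_backends, im->esp_current_backend);
+if (eb->add_del_sa_sess_cb)
+return eb->add_del_sa_sess_cb (sa_index, is_add);
+break;
+}
+return 0;
+}
+int
+ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add)
+{
+ipsec_main_t *im = &ipsec_main;
+ipsec_sa_t *sa = 0;
+uword *p;
+u32 sa_index;
+clib_error_t *err;
+clib_warning ("id %u spi %u", new_sa->id, new_sa->spi);
+p = hash_get (im->sa_index_by_sa_id, new_sa->id);
+if (p && is_add)
+return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
+if (!p && !is_add)
+return VNET_API_ERROR_NO_SUCH_ENTRY;
+if (!is_add) /* delete */
+{
+sa_index = p[0];
+sa = pool_elt_at_index (im->sad, sa_index);
+if (ipsec_is_sa_used (sa_index))
+{
+clib_warning ("sa_id %u used in policy", sa->id);
+return VNET_API_ERROR_SYSCALL_ERROR_1; /* sa used in policy */
+}
+hash_unset (im->sa_index_by_sa_id, sa->id);
+err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
+if (err)
+return VNET_API_ERROR_SYSCALL_ERROR_1;
+pool_put (im->sad, sa);
+}
+else /* create new SA */
+{
+pool_get (im->sad, sa);
+clib_memcpy (sa, new_sa, sizeof (*sa));
+sa_index = sa - im->sad;
+hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
+err = ipsec_call_add_del_callbacks (im, sa, sa_index, 1);
+if (err)
+return VNET_API_ERROR_SYSCALL_ERROR_1;
+}
+return 0;
+}
+u8
+ipsec_is_sa_used (u32 sa_index)
+{
+ipsec_main_t *im = &ipsec_main;
+ipsec_spd_t *spd;
+ipsec_policy_t *p;
+ipsec_tunnel_if_t *t;
+/* *INDENT-OFF* */
+pool_foreach(spd, im->spds, ({
+pool_foreach(p, spd->policies, ({
+if (p->policy == IPSEC_POLICY_ACTION_PROTECT)
+{
+if (p->sa_index == sa_index)
+return 1;
+}
+}));
+}));
+pool_foreach(t, im->tunnel_interfaces, ({
+if (t->input_sa_index == sa_index)
+return 1;
+if (t->output_sa_index == sa_index)
+return 1;
+}));
+/* *INDENT-ON* */
+return 0;
+}
+int
+ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update)
+{
+ipsec_main_t *im = &ipsec_main;
+uword *p;
+u32 sa_index;
+ipsec_sa_t *sa = 0;
+clib_error_t *err;
+p = hash_get (im->sa_index_by_sa_id, sa_update->id);
+if (!p)
+return VNET_API_ERROR_SYSCALL_ERROR_1; /* no such sa-id */
+sa_index = p[0];
+sa = pool_elt_at_index (im->sad, sa_index);
+/* new crypto key */
+if (0 < sa_update->crypto_key_len)
+{
+clib_memcpy (sa->crypto_key, sa_update->crypto_key,
+sa_update->crypto_key_len);
+sa->crypto_key_len = sa_update->crypto_key_len;
+}
+/* new integ key */
+if (0 < sa_update->integ_key_len)
+{
+clib_memcpy (sa->integ_key, sa_update->integ_key,
+sa_update->integ_key_len);
+sa->integ_key_len = sa_update->integ_key_len;
+}
+if (0 < sa_update->crypto_key_len || 0 < sa_update->integ_key_len)
+{
+err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
+if (err)
+return VNET_API_ERROR_SYSCALL_ERROR_1;
+}
+return 0;
+}
+u32
+ipsec_get_sa_index_by_sa_id (u32 sa_id)
+{
+ipsec_main_t *im = &ipsec_main;
+uword *p = hash_get (im->sa_index_by_sa_id, sa_id);
+if (!p)
+return ~0;
+return p[0];
+}
+/*
+* fd.io coding-style-patch-verification: ON
+*
+* Local Variables:
+* eval: (c-set-style "gnu")
+* End:
+*/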
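Review bot: In `ipsec_add_del_sa` the create branch returns `VNET_API_ERROR_SYSCALL_ERROR_1` when the backend `add_del_sa_sess_cb` fails but leaves the new entry in `im->sad` and in `sa_index_by_sa_id`, so the next add of the same id is rejected with ENTRY_ALREADY_EXISTS and a policy can bind to an SA the backend never accepted; the delete branch has the mirror inconsistency, unsetting the hash before the callback and keeping the pool entry when it fails. Before the error return in the create branch, roll back with `hash_unset (im->sa_index_by_sa_id, sa->id); pool_put (im->sad, sa);`, and in the delete branch move the `hash_unset` after the callback check. Separately, `ipsec_set_sa_key` copies `crypto_key_len` and `integ_key_len` bytes (a `u8`, so up to 255) into the 128-byte `crypto_key`/`integ_key` arrays without checking `sa_update->crypto_key_len <= sizeof (sa->crypto_key)` (and the same for integ); whether the API and CLI callers already bound these lengths is not visible here, so the check belongs in this function, returning `VNET_API_ERROR_INVALID_VALUE` when exceeded.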

124
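--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -0,0 +1,124 @@
+/*
+* Copyright (c) 2015 Cisco and/or its affiliates.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at:
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+#ifndef __IPSEC_SPD_SA_H__
+#define __IPSEC_SPD_SA_H__
+#include <vlib/vlib.h>
+#include <vnet/ip/ip.h>
+#define foreach_ipsec_crypto_alg \
+_ (0, NONE, "none") \
+_ (1, AES_CBC_128, "aes-cbc-128") \
+_ (2, AES_CBC_192, "aes-cbc-192") \
+_ (3, AES_CBC_256, "aes-cbc-256") \
+_ (4, AES_CTR_128, "aes-ctr-128") \
+_ (5, AES_CTR_192, "aes-ctr-192") \
+_ (6, AES_CTR_256, "aes-ctr-256") \
+_ (7, AES_GCM_128, "aes-gcm-128") \
+_ (8, AES_GCM_192, "aes-gcm-192") \
+_ (9, AES_GCM_256, "aes-gcm-256") \
+_ (10, DES_CBC, "des-cbc") \
+_ (11, 3DES_CBC, "3des-cbc")
+typedef enum
+{
+#define _(v, f, s) IPSEC_CRYPTO_ALG_##f = v,
+foreach_ipsec_crypto_alg
+#undef _
+IPSEC_CRYPTO_N_ALG,
+} ipsec_crypto_alg_t;
+#define foreach_ipsec_integ_alg \
+_ (0, NONE, "none") \
+_ (1, MD5_96, "md5-96") /* RFC2403 */ \
+_ (2, SHA1_96, "sha1-96") /* RFC2404 */ \
+_ (3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \
+_ (4, SHA_256_128, "sha-256-128") /* RFC4868 */ \
+_ (5, SHA_384_192, "sha-384-192") /* RFC4868 */ \
+_ (6, SHA_512_256, "sha-512-256") /* RFC4868 */
+typedef enum
+{
+#define _(v, f, s) IPSEC_INTEG_ALG_##f = v,
+foreach_ipsec_integ_alg
+#undef _
+IPSEC_INTEG_N_ALG,
+} ipsec_integ_alg_t;
+typedef enum
+{
+IPSEC_PROTOCOL_AH = 0,
+IPSEC_PROTOCOL_ESP = 1
+} ipsec_protocol_t;
+typedef struct
+{
+u32 id;
+u32 spi;
+ipsec_protocol_t protocol;
+ipsec_crypto_alg_t crypto_alg;
+u8 crypto_key_len;
+u8 crypto_key[128];
+ipsec_integ_alg_t integ_alg;
+u8 integ_key_len;
+u8 integ_key[128];
+u8 use_esn;
+u8 use_anti_replay;
+u8 is_tunnel;
+u8 is_tunnel_ip6;
+u8 udp_encap;
+ip46_address_t tunnel_src_addr;
+ip46_address_t tunnel_dst_addr;
+u32 tx_fib_index;
+u32 salt;
+/* runtime */
+u32 seq;
+u32 seq_hi;
+u32 last_seq;
+u32 last_seq_hi;
+u64 replay_window;
+/* lifetime data */
+u64 total_data_size;
+} ipsec_sa_t;
+extern int ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa,
+int is_add);
+extern u8 ipsec_is_sa_used (u32 sa_index);
+extern int ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update);
+extern u32 ipsec_get_sa_index_by_sa_id (u32 sa_id);
+extern u8 *format_ipsec_crypto_alg (u8 * s, va_list * args);
+extern u8 *format_ipsec_integ_alg (u8 * s, va_list * args);
+extern uword unformat_ipsec_crypto_alg (unformat_input_t * input,
+va_list * args);
+extern uword unformat_ipsec_integ_alg (unformat_input_t * input,
+va_list * args);
+#endif /* __IPSEC_SPD_SA_H__ */
+/*
+* fd.io coding-style-patch-verification: ON
+*
+* Local Variables:
+* eval: (c-set-style "gnu")
+* End:
+*/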
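Review bot: The include guard `__IPSEC_SPD_SA_H__` does not match the file name `ipsec_sa.h`; it reads as copied from `ipsec_spd.h` (guard `__IPSEC_SPD_H__`) and will confuse anyone grepping for the guard. Rename it to `__IPSEC_SA_H__` on the `#ifndef` and `#define` lines and in the closing `#endif /* __IPSEC_SA_H__ */` comment. The extern declarations here also lack the `@brief` comments that `ipsec_spd.h` gives its functions; `ipsec_add_del_sa` in particular deserves `/** @brief Add/Delete an SA; on add, *new_sa is copied into the SA pool and stays owned by the caller */`, which is what the `clib_memcpy` in ipsec_sa.c does, and `ipsec_set_sa_key` a note that only the key fields of `sa_update` are consulted.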

118
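--- a/src/vnet/ipsec/ipsec_spd.c
+++ b/src/vnet/ipsec/ipsec_spd.c
@@ -0,0 +1,118 @@
+/*
+* Copyright (c) 2015 Cisco and/or its affiliates.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at:
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+#include <vnet/ipsec/ipsec.h>
+int
+ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add)
+{
+ipsec_main_t *im = &ipsec_main;
+ipsec_spd_t *spd = 0;
+uword *p;
+u32 spd_index, k, v;
+p = hash_get (im->spd_index_by_spd_id, spd_id);
+if (p && is_add)
+return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
+if (!p && !is_add)
+return VNET_API_ERROR_NO_SUCH_ENTRY;
+if (!is_add) /* delete */
+{
+spd_index = p[0];
+spd = pool_elt_at_index (im->spds, spd_index);
+if (!spd)
+return VNET_API_ERROR_INVALID_VALUE;
+/* *INDENT-OFF* */
+hash_foreach (k, v, im->spd_index_by_sw_if_index, ({
+if (v == spd_index)
+ipsec_set_interface_spd(vm, k, spd_id, 0);
+}));
+/* *INDENT-ON* */
+hash_unset (im->spd_index_by_spd_id, spd_id);
+pool_free (spd->policies);
+vec_free (spd->ipv4_outbound_policies);
+vec_free (spd->ipv6_outbound_policies);
+vec_free (spd->ipv4_inbound_protect_policy_indices);
+vec_free (spd->ipv4_inbound_policy_discard_and_bypass_indices);
+pool_put (im->spds, spd);
+}
+else /* create new SPD */
+{
+pool_get (im->spds, spd);
+clib_memset (spd, 0, sizeof (*spd));
+spd_index = spd - im->spds;
+spd->id = spd_id;
+hash_set (im->spd_index_by_spd_id, spd_id, spd_index);
+}
+return 0;
+}
+int
+ipsec_set_interface_spd (vlib_main_t * vm, u32 sw_if_index, u32 spd_id,
+int is_add)
+{
+ipsec_main_t *im = &ipsec_main;
+ip4_ipsec_config_t config;
+u32 spd_index;
+uword *p;
+p = hash_get (im->spd_index_by_spd_id, spd_id);
+if (!p)
+return VNET_API_ERROR_SYSCALL_ERROR_1; /* no such spd-id */
+spd_index = p[0];
+p = hash_get (im->spd_index_by_sw_if_index, sw_if_index);
+if (p && is_add)
+return VNET_API_ERROR_SYSCALL_ERROR_1; /* spd already assigned */
+if (is_add)
+{
+hash_set (im->spd_index_by_sw_if_index, sw_if_index, spd_index);
+}
+else
+{
+hash_unset (im->spd_index_by_sw_if_index, sw_if_index);
+}
+clib_warning ("sw_if_index %u spd_id %u spd_index %u",
+sw_if_index, spd_id, spd_index);
+/* enable IPsec on TX */
+vnet_feature_enable_disable ("ip4-output", "ipsec4-output-feature",
+sw_if_index, is_add, 0, 0);
+vnet_feature_enable_disable ("ip6-output", "ipsec6-output-feature",
+sw_if_index, is_add, 0, 0);
+config.spd_index = spd_index;
+/* enable IPsec on RX */
+vnet_feature_enable_disable ("ip4-unicast", "ipsec4-input-feature",
+sw_if_index, is_add, &config, sizeof (config));
+vnet_feature_enable_disable ("ip6-unicast", "ipsec6-input-feature",
+sw_if_index, is_add, &config, sizeof (config));
+return 0;
+}
+/*
+* fd.io coding-style-patch-verification: ON
+*
+* Local Variables:
+* eval: (c-set-style "gnu")
+* End:
+*/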
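Review bot: The delete branch of `ipsec_add_del_spd` frees only four of the six policy-index vectors declared in `ipsec_spd_t` (ipsec_spd.h in this commit): `ipv6_inbound_protect_policy_indices` and `ipv6_inbound_policy_discard_and_bypass_indices` are never released before `pool_put`, so every SPD deletion that had IPv6 inbound policies leaks them. Add `vec_free (spd->ipv6_inbound_protect_policy_indices); vec_free (spd->ipv6_inbound_policy_discard_and_bypass_indices);` alongside the other four. The `if (!spd) return VNET_API_ERROR_INVALID_VALUE;` after `pool_elt_at_index` looks dead, since that accessor yields a pointer into the pool rather than NULL for a valid index; if it is meant to guard a stale hash entry, `pool_is_free_index` is the check that expresses it. In `ipsec_set_interface_spd` only `p && is_add` is rejected, so a delete for an interface with no SPD bound falls through to the feature-disable calls; presumably harmless, but a `if (!p && !is_add) return VNET_API_ERROR_NO_SUCH_ENTRY;` would make the contract symmetric with `ipsec_add_del_spd`.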


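--- a/src/vnet/ipsec/ipsec_spd.h
+++ b/src/vnet/ipsec/ipsec_spd.h
@@ -0,0 +1,58 @@
+/*
+* Copyright (c) 2015 Cisco and/or its affiliates.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at:
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+#ifndef __IPSEC_SPD_H__
+#define __IPSEC_SPD_H__
+#include <vlib/vlib.h>
+struct ipsec_policy_t_;
+/**
+* @brief A Secruity Policy Database
+*/
+typedef struct ipsec_spd_t_
+{
+u32 id;
+/* pool of policies */
+struct ipsec_policy_t_ *policies;
+/* vectors of policy indices */
+u32 *ipv4_outbound_policies;
+u32 *ipv6_outbound_policies;
+u32 *ipv4_inbound_protect_policy_indices;
+u32 *ipv4_inbound_policy_discard_and_bypass_indices;
+u32 *ipv6_inbound_protect_policy_indices;
+u32 *ipv6_inbound_policy_discard_and_bypass_indices;
+} ipsec_spd_t;
+/**
+* @brief Add/Delete a SPD
+*/
+extern int ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add);
+/**
+* @brief Bind/attach a SPD to an interface
+*/
+extern int ipsec_set_interface_spd (vlib_main_t * vm,
+u32 sw_if_index, u32 spd_id, int is_add);
+#endif /* __IPSEC_SPD_H__ */
+/*
+* fd.io coding-style-patch-verification: ON
+*
+* Local Variables:
+* eval: (c-set-style "gnu")
+* End:
+*/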
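Review bot: The `@brief` on `ipsec_spd_t` misspells "Security" as "Secruity"; the same typo appears in the `ipsec_policy_t` brief in `ipsec_spd_policy.h`. Change it to `@brief A Security Policy Database`. While touching that comment, the six index vectors would read better with a one-line note that they hold indices into `policies` sorted by descending priority, which is what `ipsec_spd_entry_sort` in ipsec_spd_policy.c maintains for them.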


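--- a/src/vnet/ipsec/ipsec_spd_policy.c
+++ b/src/vnet/ipsec/ipsec_spd_policy.c
@@ -0,0 +1,266 @@
+/*
+* Copyright (c) 2015 Cisco and/or its affiliates.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at:
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+#include <vnet/ipsec/ipsec.h>
+static int
+ipsec_spd_entry_sort (void *a1, void *a2)
+{
+u32 *id1 = a1;
+u32 *id2 = a2;
+ipsec_spd_t *spd = ipsec_main.spd_to_sort;
+ipsec_policy_t *p1, *p2;
+p1 = pool_elt_at_index (spd->policies, *id1);
+p2 = pool_elt_at_index (spd->policies, *id2);
+if (p1 && p2)
+return p2->priority - p1->priority;
+return 0;
+}
+int
+ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add)
+{
+ipsec_main_t *im = &ipsec_main;
+ipsec_spd_t *spd = 0;
+ipsec_policy_t *vp;
+uword *p;
+u32 spd_index;
+clib_warning ("policy-id %u priority %d is_outbound %u", policy->id,
+policy->priority, policy->is_outbound);
+if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
+{
+p = hash_get (im->sa_index_by_sa_id, policy->sa_id);
+if (!p)
+return VNET_API_ERROR_SYSCALL_ERROR_1;
+policy->sa_index = p[0];
+}
+p = hash_get (im->spd_index_by_spd_id, policy->id);
+if (!p)
+return VNET_API_ERROR_SYSCALL_ERROR_1;
+spd_index = p[0];
+spd = pool_elt_at_index (im->spds, spd_index);
+if (!spd)
+return VNET_API_ERROR_SYSCALL_ERROR_1;
+if (is_add)
+{
+u32 policy_index;
+pool_get (spd->policies, vp);
+clib_memcpy (vp, policy, sizeof (*vp));
+policy_index = vp - spd->policies;
+ipsec_main.spd_to_sort = spd;
+if (policy->is_outbound)
+{
+if (policy->is_ipv6)
+{
+vec_add1 (spd->ipv6_outbound_policies, policy_index);
+vec_sort_with_function (spd->ipv6_outbound_policies,
+ipsec_spd_entry_sort);
+}
+else
+{
+vec_add1 (spd->ipv4_outbound_policies, policy_index);
+vec_sort_with_function (spd->ipv4_outbound_policies,
+ipsec_spd_entry_sort);
+}
+}
+else
+{
+if (policy->is_ipv6)
+{
+if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
+{
+vec_add1 (spd->ipv6_inbound_protect_policy_indices,
+policy_index);
+vec_sort_with_function
+(spd->ipv6_inbound_protect_policy_indices,
+ipsec_spd_entry_sort);
+}
+else
+{
+vec_add1
+(spd->ipv6_inbound_policy_discard_and_bypass_indices,
+policy_index);
+vec_sort_with_function
+(spd->ipv6_inbound_policy_discard_and_bypass_indices,
+ipsec_spd_entry_sort);
+}
+}
+else
+{
+if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
+{
+vec_add1 (spd->ipv4_inbound_protect_policy_indices,
+policy_index);
+vec_sort_with_function
+(spd->ipv4_inbound_protect_policy_indices,
+ipsec_spd_entry_sort);
+}
+else
+{
+vec_add1
+(spd->ipv4_inbound_policy_discard_and_bypass_indices,
+policy_index);
+vec_sort_with_function
+(spd->ipv4_inbound_policy_discard_and_bypass_indices,
+ipsec_spd_entry_sort);
+}
+}
+}
+ipsec_main.spd_to_sort = NULL;
+}
+else
+{
+u32 i, j;
+/* *INDENT-OFF* */
+pool_foreach_index(i, spd->policies, ({
+vp = pool_elt_at_index(spd->policies, i);
+if (vp->priority != policy->priority)
+continue;
+if (vp->is_outbound != policy->is_outbound)
+continue;
+if (vp->policy != policy->policy)
+continue;
+if (vp->sa_id != policy->sa_id)
+continue;
+if (vp->protocol != policy->protocol)
+continue;
+if (vp->lport.start != policy->lport.start)
+continue;
+if (vp->lport.stop != policy->lport.stop)
+continue;
+if (vp->rport.start != policy->rport.start)
+continue;
+if (vp->rport.stop != policy->rport.stop)
+continue;
+if (vp->is_ipv6 != policy->is_ipv6)
+continue;
+if (policy->is_ipv6)
+{
+if (vp->laddr.start.ip6.as_u64[0] != policy->laddr.start.ip6.as_u64[0])
+continue;
+if (vp->laddr.start.ip6.as_u64[1] != policy->laddr.start.ip6.as_u64[1])
+continue;
+if (vp->laddr.stop.ip6.as_u64[0] != policy->laddr.stop.ip6.as_u64[0])
+continue;
+if (vp->laddr.stop.ip6.as_u64[1] != policy->laddr.stop.ip6.as_u64[1])
+continue;
+if (vp->raddr.start.ip6.as_u64[0] != policy->raddr.start.ip6.as_u64[0])
+continue;
+if (vp->raddr.start.ip6.as_u64[1] != policy->raddr.start.ip6.as_u64[1])
+continue;
+if (vp->raddr.stop.ip6.as_u64[0] != policy->raddr.stop.ip6.as_u64[0])
+continue;
+if (vp->laddr.stop.ip6.as_u64[1] != policy->laddr.stop.ip6.as_u64[1])
+continue;
+if (policy->is_outbound)
+{
+vec_foreach_index(j, spd->ipv6_outbound_policies) {
+if (vec_elt(spd->ipv6_outbound_policies, j) == i) {
+vec_del1 (spd->ipv6_outbound_policies, j);
+break;
+}
+}
+}
+else
+{
+if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
+{
+vec_foreach_index(j, spd->ipv6_inbound_protect_policy_indices) {
+if (vec_elt(spd->ipv6_inbound_protect_policy_indices, j) == i) {
+vec_del1 (spd->ipv6_inbound_protect_policy_indices, j);
+break;
+}
+}
+}
+else
+{
+vec_foreach_index(j, spd->ipv6_inbound_policy_discard_and_bypass_indices) {
+if (vec_elt(spd->ipv6_inbound_policy_discard_and_bypass_indices, j) == i) {
+vec_del1 (spd->ipv6_inbound_policy_discard_and_bypass_indices, j);
+break;
+}
+}
+}
+}
+}
+else
+{
+if (vp->laddr.start.ip4.as_u32 != policy->laddr.start.ip4.as_u32)
+continue;
+if (vp->laddr.stop.ip4.as_u32 != policy->laddr.stop.ip4.as_u32)
+continue;
+if (vp->raddr.start.ip4.as_u32 != policy->raddr.start.ip4.as_u32)
+continue;
+if (vp->raddr.stop.ip4.as_u32 != policy->raddr.stop.ip4.as_u32)
+continue;
+if (policy->is_outbound)
+{
+vec_foreach_index(j, spd->ipv4_outbound_policies) {
+if (vec_elt(spd->ipv4_outbound_policies, j) == i) {
+vec_del1 (spd->ipv4_outbound_policies, j);
+break;
+}
+}
+}
+else
+{
+if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
+{
+vec_foreach_index(j, spd->ipv4_inbound_protect_policy_indices) {
+if (vec_elt(spd->ipv4_inbound_protect_policy_indices, j) == i) {
+vec_del1 (spd->ipv4_inbound_protect_policy_indices, j);
+break;
+}
+}
+}
+else
+{
+vec_foreach_index(j, spd->ipv4_inbound_policy_discard_and_bypass_indices) {
+if (vec_elt(spd->ipv4_inbound_policy_discard_and_bypass_indices, j) == i) {
+vec_del1 (spd->ipv4_inbound_policy_discard_and_bypass_indices, j);
+break;
+}
+}
+}
+}
+}
+pool_put (spd->policies, vp);
+break;
+}));
+/* *INDENT-ON* */
+}
+return 0;
+}
+/*
+* fd.io coding-style-patch-verification: ON
+*
+* Local Variables:
+* eval: (c-set-style "gnu")
+* End:
+*/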
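Review bot: The IPv6 selector match in the delete loop of `ipsec_add_del_policy` never compares the upper half of `raddr.stop`: the line right after the `raddr.stop.ip6.as_u64[0]` test compares `vp->laddr.stop.ip6.as_u64[1]` a second time instead of `raddr.stop.ip6.as_u64[1]`, so a delete request can match, and remove, a policy whose remote range differs only in the high 64 bits of its end address. Change that line to `if (vp->raddr.stop.ip6.as_u64[1] != policy->raddr.stop.ip6.as_u64[1])`. Two smaller points in `ipsec_spd_entry_sort`: `p2->priority - p1->priority` on `i32` operands overflows when the priorities have opposite signs near the type limits, and a three-way comparison (`(p1->priority < p2->priority) - (p1->priority > p2->priority)`) avoids that; and the comparator reads its SPD from the global `ipsec_main.spd_to_sort`, so it is not reentrant, which is presumably fine under the main-thread barrier but deserves a comment saying so. The `if (p1 && p2)` guard there also looks dead for the same reason as elsewhere, since `pool_elt_at_index` does not yield NULL for a valid index.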


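--- a/src/vnet/ipsec/ipsec_spd_policy.h
+++ b/src/vnet/ipsec/ipsec_spd_policy.h
@@ -0,0 +1,90 @@
+/*
+* Copyright (c) 2015 Cisco and/or its affiliates.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at:
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+#ifndef __IPSEC_SPD_POLICY_H__
+#define __IPSEC_SPD_POLICY_H__
+#include <vlib/vlib.h>
+#define foreach_ipsec_policy_action \
+_ (0, BYPASS, "bypass") \
+_ (1, DISCARD, "discard") \
+_ (2, RESOLVE, "resolve") \
+_ (3, PROTECT, "protect")
+typedef enum
+{
+#define _(v, f, s) IPSEC_POLICY_ACTION_##f = v,
+foreach_ipsec_policy_action
+#undef _
+} ipsec_policy_action_t;
+#define IPSEC_POLICY_N_ACTION (IPSEC_POLICY_ACTION_PROTECT + 1)
+typedef struct
+{
+ip46_address_t start, stop;
+} ip46_address_range_t;
+typedef struct
+{
+u16 start, stop;
+} port_range_t;
+/**
+* @brief A Secruity Policy. An entry in an SPD
+*/
+typedef struct ipsec_policy_t_
+{
+u32 id;
+i32 priority;
+u8 is_outbound;
+// Selector
+u8 is_ipv6;
+ip46_address_range_t laddr;
+ip46_address_range_t raddr;
+u8 protocol;
+port_range_t lport;
+port_range_t rport;
+// Policy
+ipsec_policy_action_t policy;
+u32 sa_id;
+u32 sa_index;
+// Counter
+vlib_counter_t counter;
+} ipsec_policy_t;
+/**
+* @brief Add/Delete a SPD
+*/
+extern int ipsec_add_del_policy (vlib_main_t * vm,
+ipsec_policy_t * policy, int is_add);
+extern u8 *format_ipsec_policy_action (u8 * s, va_list * args);
+extern uword unformat_ipsec_policy_action (unformat_input_t * input,
+va_list * args);
+#endif /* __IPSEC_SPD_POLICY_H__ */
+/*
+* fd.io coding-style-patch-verification: ON
+*
+* Local Variables:
+* eval: (c-set-style "gnu")
+* End:
+*/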
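Review bot: The doc comment above `ipsec_add_del_policy` says `@brief Add/Delete a SPD`, copied from `ipsec_add_del_spd` in `ipsec_spd.h`, but this function adds or removes one policy inside an existing SPD; change it to `@brief Add/Delete a Policy in an SPD` and note that `policy->id` names the SPD and, for PROTECT, `policy->sa_index` is filled in from `sa_id` by the implementation in ipsec_spd_policy.c. The header also uses `ip46_address_t` in `ip46_address_range_t` but includes only `<vlib/vlib.h>`; `ipsec_sa.h` in this commit includes `<vnet/ip/ip.h>` for the same type, so unless `vlib.h` transitively provides it, which I cannot confirm from here, this header is only compilable through `ipsec.h` and should include `<vnet/ip/ip.h>` as well.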