2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
15 #ifndef __IPSEC_SPD_SA_H__
16 #define __IPSEC_SPD_SA_H__
18 #include <vlib/vlib.h>
19 #include <vppinfra/pcg.h>
20 #include <vnet/crypto/crypto.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/fib/fib_node.h>
23 #include <vnet/tunnel/tunnel.h>
25 #define ESP_MAX_ICV_SIZE (32)
26 #define ESP_MAX_IV_SIZE (16)
27 #define ESP_MAX_BLOCK_SIZE (16)
29 #define foreach_ipsec_crypto_alg \
31 _ (1, AES_CBC_128, "aes-cbc-128") \
32 _ (2, AES_CBC_192, "aes-cbc-192") \
33 _ (3, AES_CBC_256, "aes-cbc-256") \
34 _ (4, AES_CTR_128, "aes-ctr-128") \
35 _ (5, AES_CTR_192, "aes-ctr-192") \
36 _ (6, AES_CTR_256, "aes-ctr-256") \
37 _ (7, AES_GCM_128, "aes-gcm-128") \
38 _ (8, AES_GCM_192, "aes-gcm-192") \
39 _ (9, AES_GCM_256, "aes-gcm-256") \
40 _ (10, DES_CBC, "des-cbc") \
41 _ (11, 3DES_CBC, "3des-cbc") \
42 _ (12, CHACHA20_POLY1305, "chacha20-poly1305")
46 #define _(v, f, s) IPSEC_CRYPTO_ALG_##f = v,
47 foreach_ipsec_crypto_alg
50 } __clib_packed ipsec_crypto_alg_t;
52 #define IPSEC_CRYPTO_ALG_IS_GCM(_alg) \
53 (((_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) || \
54 (_alg == IPSEC_CRYPTO_ALG_AES_GCM_192) || \
55 (_alg == IPSEC_CRYPTO_ALG_AES_GCM_256)))
57 #define IPSEC_CRYPTO_ALG_IS_CTR(_alg) \
58 (((_alg == IPSEC_CRYPTO_ALG_AES_CTR_128) || \
59 (_alg == IPSEC_CRYPTO_ALG_AES_CTR_192) || \
60 (_alg == IPSEC_CRYPTO_ALG_AES_CTR_256)))
62 #define IPSEC_CRYPTO_ALG_CTR_AEAD_OTHERS(_alg) \
63 (_alg == IPSEC_CRYPTO_ALG_CHACHA20_POLY1305)
65 #define foreach_ipsec_integ_alg \
67 _ (1, MD5_96, "md5-96") /* RFC2403 */ \
68 _ (2, SHA1_96, "sha1-96") /* RFC2404 */ \
69 _ (3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \
70 _ (4, SHA_256_128, "sha-256-128") /* RFC4868 */ \
71 _ (5, SHA_384_192, "sha-384-192") /* RFC4868 */ \
72 _ (6, SHA_512_256, "sha-512-256") /* RFC4868 */
76 #define _(v, f, s) IPSEC_INTEG_ALG_##f = v,
77 foreach_ipsec_integ_alg
80 } __clib_packed ipsec_integ_alg_t;
84 IPSEC_PROTOCOL_AH = 0,
85 IPSEC_PROTOCOL_ESP = 1
86 } __clib_packed ipsec_protocol_t;
88 #define IPSEC_KEY_MAX_LEN 128
89 typedef struct ipsec_key_t_
92 u8 data[IPSEC_KEY_MAX_LEN];
96 * Enable extended sequence numbers
98 * IPsec tunnel mode if non-zero, else transport mode
99 * IPsec tunnel mode is IPv6 if non-zero,
100 * else IPv4 tunnel only valid if is_tunnel is non-zero
101 * enable UDP encapsulation for NAT traversal
103 #define foreach_ipsec_sa_flags \
104 _ (0, NONE, "none") \
105 _ (1, USE_ESN, "esn") \
106 _ (2, USE_ANTI_REPLAY, "anti-replay") \
107 _ (4, IS_TUNNEL, "tunnel") \
108 _ (8, IS_TUNNEL_V6, "tunnel-v6") \
109 _ (16, UDP_ENCAP, "udp-encap") \
110 _ (32, IS_PROTECT, "Protect") \
111 _ (64, IS_INBOUND, "inbound") \
112 _ (128, IS_AEAD, "aead") \
113 _ (256, IS_CTR, "ctr") \
114 _ (512, IS_ASYNC, "async") \
115 _ (1024, NO_ALGO_NO_DROP, "no-algo-no-drop")
117 typedef enum ipsec_sad_flags_t_
119 #define _(v, f, s) IPSEC_SA_FLAG_##f = v,
120 foreach_ipsec_sa_flags
122 } __clib_packed ipsec_sa_flags_t;
124 STATIC_ASSERT (sizeof (ipsec_sa_flags_t) == 2, "IPSEC SA flags != 2 byte");
126 #define foreach_ipsec_sa_err \
127 _ (0, LOST, lost, "packets lost") \
128 _ (1, HANDOFF, handoff, "hand-off") \
129 _ (2, INTEG_ERROR, integ_error, "Integrity check failed") \
130 _ (3, DECRYPTION_FAILED, decryption_failed, "Decryption failed") \
131 _ (4, CRYPTO_ENGINE_ERROR, crypto_engine_error, \
132 "crypto engine error (dropped)") \
133 _ (5, REPLAY, replay, "SA replayed packet") \
134 _ (6, RUNT, runt, "undersized packet") \
135 _ (7, NO_BUFFERS, no_buffers, "no buffers (dropped)") \
136 _ (8, OVERSIZED_HEADER, oversized_header, \
137 "buffer with oversized header (dropped)") \
138 _ (9, NO_TAIL_SPACE, no_tail_space, \
139 "no enough buffer tail space (dropped)") \
140 _ (10, TUN_NO_PROTO, tun_no_proto, "no tunnel protocol") \
141 _ (11, UNSUP_PAYLOAD, unsup_payload, "unsupported payload") \
142 _ (12, SEQ_CYCLED, seq_cycled, "sequence number cycled (dropped)") \
143 _ (13, CRYPTO_QUEUE_FULL, crypto_queue_full, "crypto queue full (dropped)") \
144 _ (14, NO_ENCRYPTION, no_encryption, "no Encrypting SA (dropped)") \
145 _ (15, DROP_FRAGMENTS, drop_fragments, "IP fragments drop")
149 #define _(v, f, s, d) IPSEC_SA_ERROR_##f = v,
153 } __clib_packed ipsec_sa_err_t;
157 CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
159 clib_pcg64i_random_t iv_prng;
164 vnet_crypto_key_index_t crypto_key_index;
165 vnet_crypto_key_index_t integ_key_index;
171 u16 crypto_enc_op_id;
172 u16 crypto_dec_op_id;
174 ipsec_sa_flags_t flags;
177 u16 integ_icv_size : 6;
178 u16 crypto_iv_size : 5;
179 u16 esp_block_align : 5;
181 CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
185 ip4_header_t ip4_hdr;
186 ip6_header_t ip6_hdr;
188 udp_header_t udp_hdr;
190 /* Salt used in CTR modes (incl. GCM) - stored in network byte order */
193 ipsec_protocol_t protocol;
194 tunnel_encap_decap_flags_t tunnel_flags;
197 /* data accessed by dataplane code should be above this comment */
198 CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
200 /* Elements with u64 size multiples */
204 /* elements with u32 size */
207 vnet_crypto_alg_t integ_calg;
208 vnet_crypto_alg_t crypto_calg;
209 u32 crypto_sync_key_index;
210 u32 integ_sync_key_index;
211 u32 crypto_async_key_index;
213 /* elements with u16 size */
214 u16 crypto_sync_enc_op_id;
215 u16 crypto_sync_dec_op_id;
216 u16 integ_sync_op_id;
217 u16 crypto_async_enc_op_id;
218 u16 crypto_async_dec_op_id;
221 ipsec_crypto_alg_t crypto_alg;
222 ipsec_integ_alg_t integ_alg;
224 ipsec_key_t integ_key;
225 ipsec_key_t crypto_key;
228 STATIC_ASSERT (VNET_CRYPTO_N_OP_IDS < (1 << 16), "crypto ops overflow");
229 STATIC_ASSERT (ESP_MAX_ICV_SIZE < (1 << 6), "integer icv overflow");
230 STATIC_ASSERT (ESP_MAX_IV_SIZE < (1 << 5), "esp iv overflow");
231 STATIC_ASSERT (ESP_MAX_BLOCK_SIZE < (1 << 5), "esp alignment overflow");
232 STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline1, CLIB_CACHE_LINE_BYTES);
233 STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline2, 2 * CLIB_CACHE_LINE_BYTES);
238 extern ipsec_sa_t *ipsec_sa_pool;
241 * Ensure that the IPsec data does not overlap with the IP data in
242 * the buffer meta data
244 STATIC_ASSERT (STRUCT_OFFSET_OF (vnet_buffer_opaque_t, ipsec.sad_index) ==
245 STRUCT_OFFSET_OF (vnet_buffer_opaque_t, ip.save_protocol),
246 "IPSec data is overlapping with IP data");
250 ipsec_sa_is_set_##v (const ipsec_sa_t *sa) { \
251 return (sa->flags & IPSEC_SA_FLAG_##v); \
253 foreach_ipsec_sa_flags
257 ipsec_sa_set_##v (ipsec_sa_t *sa) { \
258 return (sa->flags |= IPSEC_SA_FLAG_##v); \
260 foreach_ipsec_sa_flags
264 ipsec_sa_unset_##v (ipsec_sa_t *sa) { \
265 return (sa->flags &= ~IPSEC_SA_FLAG_##v); \
267 foreach_ipsec_sa_flags
271 * SA packet & bytes counters
273 extern vlib_combined_counter_main_t ipsec_sa_counters;
274 extern vlib_simple_counter_main_t ipsec_sa_err_counters[IPSEC_SA_N_ERRORS];
276 extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len);
278 extern int ipsec_sa_update (u32 id, u16 src_port, u16 dst_port,
279 const tunnel_t *tun, bool is_tun);
281 ipsec_sa_add_and_lock (u32 id, u32 spi, ipsec_protocol_t proto,
282 ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck,
283 ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik,
284 ipsec_sa_flags_t flags, u32 salt, u16 src_port,
285 u16 dst_port, const tunnel_t *tun, u32 *sa_out_index);
286 extern index_t ipsec_sa_find_and_lock (u32 id);
287 extern int ipsec_sa_unlock_id (u32 id);
288 extern void ipsec_sa_unlock (index_t sai);
289 extern void ipsec_sa_lock (index_t sai);
290 extern void ipsec_sa_clear (index_t sai);
291 extern void ipsec_sa_set_crypto_alg (ipsec_sa_t * sa,
292 ipsec_crypto_alg_t crypto_alg);
293 extern void ipsec_sa_set_integ_alg (ipsec_sa_t * sa,
294 ipsec_integ_alg_t integ_alg);
295 extern void ipsec_sa_set_async_mode (ipsec_sa_t *sa, int is_enabled);
297 typedef walk_rc_t (*ipsec_sa_walk_cb_t) (ipsec_sa_t * sa, void *ctx);
298 extern void ipsec_sa_walk (ipsec_sa_walk_cb_t cd, void *ctx);
300 extern u8 *format_ipsec_replay_window (u8 *s, va_list *args);
301 extern u8 *format_ipsec_crypto_alg (u8 * s, va_list * args);
302 extern u8 *format_ipsec_integ_alg (u8 * s, va_list * args);
303 extern u8 *format_ipsec_sa (u8 * s, va_list * args);
304 extern u8 *format_ipsec_key (u8 * s, va_list * args);
305 extern uword unformat_ipsec_crypto_alg (unformat_input_t * input,
307 extern uword unformat_ipsec_integ_alg (unformat_input_t * input,
309 extern uword unformat_ipsec_key (unformat_input_t * input, va_list * args);
311 #define IPSEC_UDP_PORT_NONE ((u16)~0)
314 * Anti Replay definitions
317 #define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE (64)
318 #define IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE-1)
321 * sequence number less than the lower bound are outside of the window
322 * From RFC4303 Appendix A:
325 #define IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND(_tl) (_tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1)
328 ipsec_sa_anti_replay_check (const ipsec_sa_t *sa, u32 seq)
330 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa) &&
331 sa->replay_window & (1ULL << (sa->seq - seq)))
339 * inputs need to be in host byte order.
341 * The function runs in two contexts. pre and post decrypt.
343 * 1 - determines if a packet is a replay - a simple check in the window
344 * 2 - returns the hi-seq number that should be used to decrypt.
346 * Checks whether the packet is a replay or falls out of window
348 * This funcion should be called even without anti-replay enabled to ensure
349 * the high sequence number is set.
352 ipsec_sa_anti_replay_and_sn_advance (const ipsec_sa_t *sa, u32 seq,
353 u32 hi_seq_used, bool post_decrypt,
356 ASSERT ((post_decrypt == false) == (hi_seq_req != 0));
358 if (!ipsec_sa_is_set_USE_ESN (sa))
361 /* no ESN, therefore the hi-seq is always 0 */
364 if (!ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
367 if (PREDICT_TRUE (seq > sa->seq))
370 u32 diff = sa->seq - seq;
372 if (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE > diff)
373 return ((sa->replay_window & (1ULL << diff)) ? 1 : 0);
380 if (!ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
382 /* there's no AR configured for this SA, but in order
383 * to know whether a packet has wrapped the hi ESN we need
384 * to know whether it is out of window. if we use the default
385 * lower bound then we are effectively forcing AR because
386 * out of window packets will get the increased hi seq number
387 * and will thus fail to decrypt. IOW we need a window to know
388 * if the SN has wrapped, but we don't want a window to check for
389 * anti replay. to resolve the contradiction we use a huge window.
390 * if the packet is not within 2^30 of the current SN, we'll consider
396 /* The packet's sequence number is larger that the SA's.
397 * that can't be a warp - unless we lost more than
398 * 2^32 packets ... how could we know? */
399 *hi_seq_req = sa->seq_hi;
402 /* The packet's SN is less than the SAs, so either the SN has
403 * wrapped or the SN is just old. */
404 if (sa->seq - seq > (1 << 30))
405 /* It's really really really old => it wrapped */
406 *hi_seq_req = sa->seq_hi + 1;
408 *hi_seq_req = sa->seq_hi;
413 * this is post-decrpyt and since it decrypted we accept it
417 if (PREDICT_TRUE (sa->seq >= (IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX)))
420 * the last sequence number VPP recieved is more than one
421 * window size greater than zero.
422 * Case A from RFC4303 Appendix A.
424 if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (sa->seq))
427 * the received sequence number is lower than the lower bound
428 * of the window, this could mean either a replay packet or that
429 * the high sequence number has wrapped. if it decrypts corrently
430 * then it's the latter.
434 if (hi_seq_used == sa->seq_hi)
435 /* the high sequence number used to succesfully decrypt this
436 * packet is the same as the last-sequnence number of the SA.
437 * that means this packet did not cause a wrap.
438 * this packet is thus out of window and should be dropped */
441 /* The packet decrypted with a different high sequence number
442 * to the SA, that means it is the wrap packet and should be
448 /* pre-decrypt it might be the might that casues a wrap, we
449 * need to decrpyt to find out */
451 *hi_seq_req = sa->seq_hi + 1;
458 * the recieved sequence number greater than the low
462 *hi_seq_req = sa->seq_hi;
465 * The recieved seq number is within bounds of the window
466 * check if it's a duplicate
468 return (ipsec_sa_anti_replay_check (sa, seq));
471 * The received sequence number is greater than the window
472 * upper bound. this packet will move the window along, assuming
473 * it decrypts correctly.
481 * the last sequence number VPP recieved is within one window
482 * size of zero, i.e. 0 < TL < WINDOW_SIZE, the lower bound is thus a
483 * large sequence number.
484 * Note that the check below uses unsiged integer arthimetic, so the
485 * RHS will be a larger number.
486 * Case B from RFC4303 Appendix A.
488 if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (sa->seq))
491 * the sequence number is less than the lower bound.
496 * the packet is within the window upper bound.
497 * check for duplicates.
500 *hi_seq_req = sa->seq_hi;
501 return (ipsec_sa_anti_replay_check (sa, seq));
506 * the packet is less the window lower bound or greater than
507 * the higher bound, depending on how you look at it...
508 * We're assuming, given that the last sequence number received,
509 * TL < WINDOW_SIZE, that a largeer seq num is more likely to be
510 * a packet that moves the window forward, than a packet that has
511 * wrapped the high sequence again. If it were the latter then
512 * we've lost close to 2^32 packets.
515 *hi_seq_req = sa->seq_hi;
522 * the packet seq number is between the lower bound (a large nubmer)
523 * and MAX_SEQ_NUM. This is in the window since the window upper bound
525 * However, since TL is the other side of 0 to the received
526 * packet, the SA has moved on to a higher sequence number.
529 *hi_seq_req = sa->seq_hi - 1;
530 return (ipsec_sa_anti_replay_check (sa, seq));
540 ipsec_sa_anti_replay_window_shift (ipsec_sa_t *sa, u32 inc)
544 if (inc < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
546 if (sa->seq > IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
549 * count how many holes there are in the portion
550 * of the window that we will right shift of the end
551 * as a result of this increments
553 u64 mask = (((u64) 1 << inc) - 1) << (BITS (u64) - inc);
554 u64 old = sa->replay_window & mask;
555 /* the number of packets we saw in this section of the window */
556 u64 seen = count_set_bits (old);
559 * the number we missed is the size of the window section
560 * minus the number we saw.
564 sa->replay_window = ((sa->replay_window) << inc) | 1;
568 /* holes in the replay window are lost packets */
569 n_lost = BITS (u64) - count_set_bits (sa->replay_window);
571 /* any sequence numbers that now fall outside the window
572 * are forever lost */
573 n_lost += inc - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE;
575 sa->replay_window = 1;
582 * Anti replay window advance
583 * inputs need to be in host byte order.
584 * This function both advances the anti-replay window and the sequence number
585 * We always need to move on the SN but the window updates are only needed
587 * However, updating the window is trivial, so we do it anyway to save
591 ipsec_sa_anti_replay_advance (ipsec_sa_t *sa, u32 thread_index, u32 seq,
597 if (ipsec_sa_is_set_USE_ESN (sa))
599 int wrap = hi_seq - sa->seq_hi;
601 if (wrap == 0 && seq > sa->seq)
604 n_lost = ipsec_sa_anti_replay_window_shift (sa, pos);
609 pos = ~seq + sa->seq + 1;
610 n_lost = ipsec_sa_anti_replay_window_shift (sa, pos);
616 pos = ~seq + sa->seq + 1;
617 sa->replay_window |= (1ULL << pos);
622 sa->replay_window |= (1ULL << pos);
630 n_lost = ipsec_sa_anti_replay_window_shift (sa, pos);
636 sa->replay_window |= (1ULL << pos);
645 * Makes choice for thread_id should be assigned.
646 * if input ~0, gets random worker_id based on unix_time_now_nsec
649 ipsec_sa_assign_thread (u16 thread_id)
651 return ((thread_id) ? thread_id
652 : (unix_time_now_nsec () % vlib_num_workers ()) + 1);
655 always_inline ipsec_sa_t *
656 ipsec_sa_get (u32 sa_index)
658 return (pool_elt_at_index (ipsec_sa_pool, sa_index));
661 #endif /* __IPSEC_SPD_SA_H__ */
664 * fd.io coding-style-patch-verification: ON
667 * eval: (c-set-style "gnu")