#include <vnet/ipsec/esp.h>
#include <vnet/udp/udp.h>
#include <vnet/fib/fib_table.h>
+#include <vnet/fib/fib_entry_track.h>
+#include <vnet/ipsec/ipsec_tun.h>
/**
* @brief
/**
* 'stack' (resolve the recursion for) the SA tunnel destination
*/
-void
+static void
ipsec_sa_stack (ipsec_sa_t * sa)
{
ipsec_main_t *im = &ipsec_main;
fib_entry_contribute_forwarding (sa->fib_entry_index, fct, &tmp);
- dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
- im->ah6_encrypt_node_index :
- im->ah4_encrypt_node_index),
- &sa->dpo[IPSEC_PROTOCOL_AH], &tmp);
- dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
- im->esp6_encrypt_node_index :
- im->esp4_encrypt_node_index),
- &sa->dpo[IPSEC_PROTOCOL_ESP], &tmp);
+ if (IPSEC_PROTOCOL_AH == sa->protocol)
+ dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
+ im->ah6_encrypt_node_index :
+ im->ah4_encrypt_node_index), &sa->dpo, &tmp);
+ else
+ dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
+ im->esp6_encrypt_node_index :
+ im->esp4_encrypt_node_index), &sa->dpo, &tmp);
dpo_reset (&tmp);
}
sa->crypto_block_size = im->crypto_algs[crypto_alg].block_size;
sa->crypto_enc_op_id = im->crypto_algs[crypto_alg].enc_op_id;
sa->crypto_dec_op_id = im->crypto_algs[crypto_alg].dec_op_id;
+ sa->crypto_calg = im->crypto_algs[crypto_alg].alg;
ASSERT (sa->crypto_iv_size <= ESP_MAX_IV_SIZE);
ASSERT (sa->crypto_block_size <= ESP_MAX_BLOCK_SIZE);
+ if (IPSEC_CRYPTO_ALG_IS_GCM (crypto_alg))
+ {
+ sa->integ_icv_size = im->crypto_algs[crypto_alg].icv_size;
+ ipsec_sa_set_IS_AEAD (sa);
+ }
}
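Review bot: The GCM branch added here overwrites `sa->integ_icv_size` and sets IS_AEAD regardless of what `ipsec_sa_set_integ_alg` stored, and in ipsec_sa_add_and_lock the integ alg is applied before the crypto alg, so a caller that passes a GCM cipher together with a non-NONE integ alg ends up with an integrity key registered and an ICV size silently taken from the cipher table. A mismatched SA configuration should be rejected in the add path rather than papered over, e.g. `if (IPSEC_CRYPTO_ALG_IS_GCM (crypto_alg) && integ_alg != IPSEC_INTEG_ALG_NONE) return VNET_API_ERROR_INVALID_VALUE;` before any key is installed. The enclosing ipsec_sa_set_crypto_alg starts outside this hunk.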
void
sa->integ_alg = integ_alg;
sa->integ_icv_size = im->integ_algs[integ_alg].icv_size;
sa->integ_op_id = im->integ_algs[integ_alg].op_id;
+ sa->integ_calg = im->integ_algs[integ_alg].alg;
ASSERT (sa->integ_icv_size <= ESP_MAX_ICV_SIZE);
}
int
-ipsec_sa_add (u32 id,
- u32 spi,
- ipsec_protocol_t proto,
- ipsec_crypto_alg_t crypto_alg,
- const ipsec_key_t * ck,
- ipsec_integ_alg_t integ_alg,
- const ipsec_key_t * ik,
- ipsec_sa_flags_t flags,
- u32 tx_table_id,
- const ip46_address_t * tun_src,
- const ip46_address_t * tun_dst, u32 * sa_out_index)
+ipsec_sa_add_and_lock (u32 id,
+ u32 spi,
+ ipsec_protocol_t proto,
+ ipsec_crypto_alg_t crypto_alg,
+ const ipsec_key_t * ck,
+ ipsec_integ_alg_t integ_alg,
+ const ipsec_key_t * ik,
+ ipsec_sa_flags_t flags,
+ u32 tx_table_id,
+ u32 salt,
+ const ip46_address_t * tun_src,
+ const ip46_address_t * tun_dst, u32 * sa_out_index,
+ u16 dst_port)
{
+ vlib_main_t *vm = vlib_get_main ();
ipsec_main_t *im = &ipsec_main;
clib_error_t *err;
ipsec_sa_t *sa;
pool_get_aligned_zero (im->sad, sa, CLIB_CACHE_LINE_BYTES);
fib_node_init (&sa->node, FIB_NODE_TYPE_IPSEC_SA);
+ fib_node_lock (&sa->node);
sa_index = sa - im->sad;
vlib_validate_combined_counter (&ipsec_sa_counters, sa_index);
sa->stat_index = sa_index;
sa->protocol = proto;
sa->flags = flags;
+ sa->salt = salt;
+ sa->encrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
+ sa->decrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
+ if (integ_alg != IPSEC_INTEG_ALG_NONE)
+ {
+ ipsec_sa_set_integ_alg (sa, integ_alg);
+ clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key));
+ }
ipsec_sa_set_crypto_alg (sa, crypto_alg);
clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
- ipsec_sa_set_integ_alg (sa, integ_alg);
- clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key));
ip46_address_copy (&sa->tunnel_src_addr, tun_src);
ip46_address_copy (&sa->tunnel_dst_addr, tun_dst);
+ sa->crypto_key_index = vnet_crypto_key_add (vm,
+ im->crypto_algs[crypto_alg].alg,
+ (u8 *) ck->data, ck->len);
+ if (~0 == sa->crypto_key_index)
+ {
+ pool_put (im->sad, sa);
+ return VNET_API_ERROR_KEY_LENGTH;
+ }
+
+ if (integ_alg != IPSEC_INTEG_ALG_NONE)
+ {
+ sa->integ_key_index = vnet_crypto_key_add (vm,
+ im->
+ integ_algs[integ_alg].alg,
+ (u8 *) ik->data, ik->len);
+ if (~0 == sa->integ_key_index)
+ {
+ pool_put (im->sad, sa);
+ return VNET_API_ERROR_KEY_LENGTH;
+ }
+ }
+
err = ipsec_check_support_cb (im, sa);
if (err)
{
return VNET_API_ERROR_NO_SUCH_FIB;
}
- sa->fib_entry_index = fib_table_entry_special_add (sa->tx_fib_index,
- &pfx,
- FIB_SOURCE_RR,
- FIB_ENTRY_FLAG_NONE);
- sa->sibling = fib_entry_child_add (sa->fib_entry_index,
- FIB_NODE_TYPE_IPSEC_SA, sa_index);
+ sa->fib_entry_index = fib_entry_track (sa->tx_fib_index,
+ &pfx,
+ FIB_NODE_TYPE_IPSEC_SA,
+ sa_index, &sa->sibling);
ipsec_sa_stack (sa);
/* generate header templates */
if (ipsec_sa_is_set_UDP_ENCAP (sa))
{
- sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
- sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
+ if (dst_port == IPSEC_UDP_PORT_NONE)
+ {
+ sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
+ sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
+ }
+ else
+ {
+ sa->udp_hdr.src_port = clib_host_to_net_u16 (dst_port);
+ sa->udp_hdr.dst_port = clib_host_to_net_u16 (dst_port);
+ }
}
hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
return (0);
}
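Review bot: The `if (~0 == sa->integ_key_index)` branch returns after `pool_put` but never removes the crypto key registered a few lines earlier, so every rejected integrity key leaks a vnet_crypto key entry that still holds live key material; add `vnet_crypto_key_del (vm, sa->crypto_key_index);` before that `pool_put`. The `ipsec_check_support_cb` failure just below is worse off: it returns without `pool_put`, without deleting either crypto key, and without `clib_error_free (err)`, and like both key-failure paths it leaves the `fib_node_lock` taken after `fib_node_init` unbalanced, though the latter is probably harmless given `pool_get_aligned_zero` recycles the element. A single goto-based cleanup tail that deletes whichever keys were added and puts the element back would cover all three exits. Parts of the function body are elided between `fib_node_lock` and `sa_index = sa - im->sad`, and between the support check and `fib_entry_track`, so I cannot see whether the gap has error exits of its own.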
-u32
-ipsec_sa_del (u32 id)
+static void
+ipsec_sa_del (ipsec_sa_t * sa)
{
+ vlib_main_t *vm = vlib_get_main ();
ipsec_main_t *im = &ipsec_main;
- ipsec_sa_t *sa = 0;
- uword *p;
u32 sa_index;
- clib_error_t *err;
- p = hash_get (im->sa_index_by_sa_id, id);
-
- if (!p)
- return VNET_API_ERROR_NO_SUCH_ENTRY;
-
- sa_index = p[0];
- sa = pool_elt_at_index (im->sad, sa_index);
- if (ipsec_is_sa_used (sa_index))
- {
- clib_warning ("sa_id %u used in policy", sa->id);
- /* sa used in policy */
- return VNET_API_ERROR_SYSCALL_ERROR_1;
- }
+ sa_index = sa - im->sad;
hash_unset (im->sa_index_by_sa_id, sa->id);
- err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
- if (err)
- return VNET_API_ERROR_SYSCALL_ERROR_2;
+
+ /* no recovery possible when deleting an SA */
+ (void) ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
{
- fib_entry_child_remove (sa->fib_entry_index, sa->sibling);
- fib_table_entry_special_remove
- (sa->tx_fib_index,
- fib_entry_get_prefix (sa->fib_entry_index), FIB_SOURCE_RR);
- dpo_reset (&sa->dpo[IPSEC_PROTOCOL_AH]);
- dpo_reset (&sa->dpo[IPSEC_PROTOCOL_ESP]);
+ fib_entry_untrack (sa->fib_entry_index, sa->sibling);
+ dpo_reset (&sa->dpo);
}
+ vnet_crypto_key_del (vm, sa->crypto_key_index);
+ if (sa->integ_alg != IPSEC_INTEG_ALG_NONE)
+ vnet_crypto_key_del (vm, sa->integ_key_index);
pool_put (im->sad, sa);
- return 0;
}
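Review bot: `pool_put (im->sad, sa)` at the end of ipsec_sa_del returns the element with `sa->crypto_key` and `sa->integ_key` still populated, so the raw key bytes copied in by ipsec_sa_add_and_lock survive in the free pool slot until it is reused. Clearing them first, e.g. `clib_memset (&sa->crypto_key, 0, sizeof (sa->crypto_key));` and the same for `integ_key`, bounds how long key material lingers in heap memory; if the compiler can prove the store dead an explicit-bzero style helper is needed instead, but the pool element stays reachable so plain clearing likely survives here. The `integ_alg != IPSEC_INTEG_ALG_NONE` guard on `vnet_crypto_key_del` mirrors the add path and is correct; note that for such SAs `integ_key_index` is left at its zeroed value, which looks like a valid index, so nothing else should consult it.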
-u8
-ipsec_is_sa_used (u32 sa_index)
+void
+ipsec_sa_unlock (index_t sai)
{
ipsec_main_t *im = &ipsec_main;
- ipsec_tunnel_if_t *t;
- ipsec_policy_t *p;
+ ipsec_sa_t *sa;
- /* *INDENT-OFF* */
- pool_foreach(p, im->policies, ({
- if (p->policy == IPSEC_POLICY_ACTION_PROTECT)
- {
- if (p->sa_index == sa_index)
- return 1;
- }
- }));
+ if (INDEX_INVALID == sai)
+ return;
- pool_foreach(t, im->tunnel_interfaces, ({
- if (t->input_sa_index == sa_index)
- return 1;
- if (t->output_sa_index == sa_index)
- return 1;
- }));
- /* *INDENT-ON* */
+ sa = pool_elt_at_index (im->sad, sai);
- return 0;
+ fib_node_unlock (&sa->node);
}
-int
-ipsec_set_sa_key (u32 id, const ipsec_key_t * ck, const ipsec_key_t * ik)
+void
+ipsec_sa_lock (index_t sai)
{
ipsec_main_t *im = &ipsec_main;
+ ipsec_sa_t *sa;
+
+ if (INDEX_INVALID == sai)
+ return;
+
+ sa = pool_elt_at_index (im->sad, sai);
+
+ fib_node_lock (&sa->node);
+}
+
+index_t
+ipsec_sa_find_and_lock (u32 id)
+{
+ ipsec_main_t *im = &ipsec_main;
+ ipsec_sa_t *sa;
uword *p;
- u32 sa_index;
- ipsec_sa_t *sa = 0;
- clib_error_t *err;
p = hash_get (im->sa_index_by_sa_id, id);
- if (!p)
- return VNET_API_ERROR_SYSCALL_ERROR_1; /* no such sa-id */
- sa_index = p[0];
- sa = pool_elt_at_index (im->sad, sa_index);
+ if (!p)
+ return INDEX_INVALID;
- /* new crypto key */
- if (ck)
- {
- clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
- }
+ sa = pool_elt_at_index (im->sad, p[0]);
- /* new integ key */
- if (ik)
- {
- clib_memcpy (&sa->integ_key, 0, sizeof (sa->integ_key));
- }
+ fib_node_lock (&sa->node);
- if (ck || ik)
- {
- err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
- if (err)
- {
- clib_error_free (err);
- return VNET_API_ERROR_SYSCALL_ERROR_1;
- }
- }
-
- return 0;
+ return (p[0]);
}
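Review bot: ipsec_sa_find_and_lock hands the caller a lock reference it never documents: every successful return must be paired with `ipsec_sa_unlock` (or `ipsec_sa_unlock_id`), otherwise the SA, and the crypto keys it owns, are never torn down now that deletion happens only on last unlock. A header comment such as `/* Look up an SA by id and take a lock on it; returns INDEX_INVALID if unknown. The caller owns one lock and must release it with ipsec_sa_unlock. */` makes the ownership explicit. The same applies to ipsec_sa_add_and_lock, whose `fib_node_lock` after `fib_node_init` is the reference the creator is expected to drop.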
-u32
-ipsec_get_sa_index_by_sa_id (u32 sa_id)
+int
+ipsec_sa_unlock_id (u32 id)
{
ipsec_main_t *im = &ipsec_main;
- uword *p = hash_get (im->sa_index_by_sa_id, sa_id);
+ uword *p;
+
+ p = hash_get (im->sa_index_by_sa_id, id);
+
if (!p)
- return ~0;
+ return VNET_API_ERROR_NO_SUCH_ENTRY;
- return p[0];
+ ipsec_sa_unlock (p[0]);
+
+ return (0);
+}
+
+void
+ipsec_sa_clear (index_t sai)
+{
+ vlib_zero_combined_counter (&ipsec_sa_counters, sai);
}
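Review bot: ipsec_sa_clear passes `sai` straight to `vlib_zero_combined_counter`, while the neighbouring ipsec_sa_lock and ipsec_sa_unlock guard against INDEX_INVALID first; whether the counter helper bounds-checks its index is not visible here, so `if (INDEX_INVALID == sai) return;` keeps the three entry points consistent and avoids an out-of-range counter index reaching the helper. ipsec_sa_unlock_id reports an unknown id as VNET_API_ERROR_NO_SUCH_ENTRY while ipsec_sa_find_and_lock reports it as INDEX_INVALID; a one-line comment on each stating which convention it follows would save callers a trip into the source.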
void
return (&sa->node);
}
+static ipsec_sa_t *
+ipsec_sa_from_fib_node (fib_node_t * node)
+{
+ ASSERT (FIB_NODE_TYPE_IPSEC_SA == node->fn_type);
+ return ((ipsec_sa_t *) (((char *) node) -
+ STRUCT_OFFSET_OF (ipsec_sa_t, node)));
+
+}
+
/**
* Function definition to inform the FIB node that its last lock has gone.
*/
* The ipsec SA is a root of the graph. As such
* it never has children and thus is never locked.
*/
- ASSERT (0);
-}
-
-static ipsec_sa_t *
-ipsec_sa_from_fib_node (fib_node_t * node)
-{
- ASSERT (FIB_NODE_TYPE_IPSEC_SA == node->fn_type);
- return ((ipsec_sa_t *) (((char *) node) -
- STRUCT_OFFSET_OF (ipsec_sa_t, node)));
-
+ ipsec_sa_del (ipsec_sa_from_fib_node (node));
}
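Review bot: The comment immediately above the change still says the SA `never has children and thus is never locked`, but the body now calls ipsec_sa_del on last unlock, which is exactly the lock-based lifetime this commit introduces, so the comment contradicts the code. Replace it with `* Last lock on the SA has been dropped: tear it down (unhash, untrack the FIB entry, release the crypto keys and return the pool element).`. The enclosing function's signature lies outside this hunk. It is also worth stating there that ipsec_sa_del is static and reachable only through this path, so no caller can bypass the reference count.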
/**
}
/*
- * Virtual function table registered by MPLS GRE tunnels
+ * Virtual function table registered by SAs
* for participation in the FIB object graph.
*/
const static fib_node_vft_t ipsec_sa_vft = {