2 * ipsec.c : IPSEC module functions
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
22 #include <vnet/udp/udp.h>
24 #include <vnet/ipsec/ipsec.h>
25 #include <vnet/ipsec/esp.h>
26 #include <vnet/ipsec/ah.h>
28 ipsec_main_t ipsec_main;
29 esp_async_post_next_t esp_encrypt_async_next;
30 esp_async_post_next_t esp_decrypt_async_next;
33 ipsec_check_ah_support (ipsec_sa_t * sa)
35 ipsec_main_t *im = &ipsec_main;
37 if (sa->integ_alg == IPSEC_INTEG_ALG_NONE)
38 return clib_error_return (0, "unsupported none integ-alg");
40 if (!vnet_crypto_is_set_handler (im->integ_algs[sa->integ_alg].alg))
41 return clib_error_return (0, "No crypto engine support for %U",
42 format_ipsec_integ_alg, sa->integ_alg);
48 ipsec_check_esp_support (ipsec_sa_t * sa)
50 ipsec_main_t *im = &ipsec_main;
52 if (IPSEC_INTEG_ALG_NONE != sa->integ_alg)
54 if (!vnet_crypto_is_set_handler (im->integ_algs[sa->integ_alg].alg))
55 return clib_error_return (0, "No crypto engine support for %U",
56 format_ipsec_integ_alg, sa->integ_alg);
58 if (IPSEC_CRYPTO_ALG_NONE != sa->crypto_alg)
60 if (!vnet_crypto_is_set_handler (im->crypto_algs[sa->crypto_alg].alg))
61 return clib_error_return (0, "No crypto engine support for %U",
62 format_ipsec_crypto_alg, sa->crypto_alg);
69 ipsec_add_del_sa_sess_cb (ipsec_main_t * im, u32 sa_index, u8 is_add)
71 ipsec_ah_backend_t *ah =
72 pool_elt_at_index (im->ah_backends, im->ah_current_backend);
73 if (ah->add_del_sa_sess_cb)
75 clib_error_t *err = ah->add_del_sa_sess_cb (sa_index, is_add);
79 ipsec_esp_backend_t *esp =
80 pool_elt_at_index (im->esp_backends, im->esp_current_backend);
81 if (esp->add_del_sa_sess_cb)
83 clib_error_t *err = esp->add_del_sa_sess_cb (sa_index, is_add);
91 ipsec_check_support_cb (ipsec_main_t * im, ipsec_sa_t * sa)
93 clib_error_t *error = 0;
95 if (PREDICT_FALSE (sa->protocol == IPSEC_PROTOCOL_AH))
97 ipsec_ah_backend_t *ah =
98 pool_elt_at_index (im->ah_backends, im->ah_current_backend);
99 ASSERT (ah->check_support_cb);
100 error = ah->check_support_cb (sa);
104 ipsec_esp_backend_t *esp =
105 pool_elt_at_index (im->esp_backends, im->esp_current_backend);
106 ASSERT (esp->check_support_cb);
107 error = esp->check_support_cb (sa);
114 ipsec_add_node (vlib_main_t * vm, const char *node_name,
115 const char *prev_node_name, u32 * out_node_index,
116 u32 * out_next_index)
118 vlib_node_t *prev_node, *node;
119 prev_node = vlib_get_node_by_name (vm, (u8 *) prev_node_name);
121 node = vlib_get_node_by_name (vm, (u8 *) node_name);
123 *out_node_index = node->index;
124 *out_next_index = vlib_node_add_next (vm, prev_node->index, node->index);
128 ipsec_register_ah_backend (vlib_main_t * vm, ipsec_main_t * im,
130 const char *ah4_encrypt_node_name,
131 const char *ah4_decrypt_node_name,
132 const char *ah6_encrypt_node_name,
133 const char *ah6_decrypt_node_name,
134 check_support_cb_t ah_check_support_cb,
135 add_del_sa_sess_cb_t ah_add_del_sa_sess_cb)
137 ipsec_ah_backend_t *b;
138 pool_get (im->ah_backends, b);
139 b->name = format (0, "%s%c", name, 0);
141 ipsec_add_node (vm, ah4_encrypt_node_name, "ipsec4-output-feature",
142 &b->ah4_encrypt_node_index, &b->ah4_encrypt_next_index);
143 ipsec_add_node (vm, ah4_decrypt_node_name, "ipsec4-input-feature",
144 &b->ah4_decrypt_node_index, &b->ah4_decrypt_next_index);
145 ipsec_add_node (vm, ah6_encrypt_node_name, "ipsec6-output-feature",
146 &b->ah6_encrypt_node_index, &b->ah6_encrypt_next_index);
147 ipsec_add_node (vm, ah6_decrypt_node_name, "ipsec6-input-feature",
148 &b->ah6_decrypt_node_index, &b->ah6_decrypt_next_index);
150 b->check_support_cb = ah_check_support_cb;
151 b->add_del_sa_sess_cb = ah_add_del_sa_sess_cb;
152 return b - im->ah_backends;
156 ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
158 const char *esp4_encrypt_node_name,
159 const char *esp4_encrypt_node_tun_name,
160 const char *esp4_decrypt_node_name,
161 const char *esp4_decrypt_tun_node_name,
162 const char *esp6_encrypt_node_name,
163 const char *esp6_encrypt_node_tun_name,
164 const char *esp6_decrypt_node_name,
165 const char *esp6_decrypt_tun_node_name,
166 check_support_cb_t esp_check_support_cb,
167 add_del_sa_sess_cb_t esp_add_del_sa_sess_cb,
168 enable_disable_cb_t enable_disable_cb)
170 ipsec_esp_backend_t *b;
172 pool_get (im->esp_backends, b);
173 b->name = format (0, "%s%c", name, 0);
175 ipsec_add_node (vm, esp4_encrypt_node_name, "ipsec4-output-feature",
176 &b->esp4_encrypt_node_index, &b->esp4_encrypt_next_index);
177 ipsec_add_node (vm, esp4_decrypt_node_name, "ipsec4-input-feature",
178 &b->esp4_decrypt_node_index, &b->esp4_decrypt_next_index);
179 ipsec_add_node (vm, esp6_encrypt_node_name, "ipsec6-output-feature",
180 &b->esp6_encrypt_node_index, &b->esp6_encrypt_next_index);
181 ipsec_add_node (vm, esp6_decrypt_node_name, "ipsec6-input-feature",
182 &b->esp6_decrypt_node_index, &b->esp6_decrypt_next_index);
183 ipsec_add_node (vm, esp4_decrypt_tun_node_name, "ipsec4-tun-input",
184 &b->esp4_decrypt_tun_node_index,
185 &b->esp4_decrypt_tun_next_index);
186 ipsec_add_node (vm, esp6_decrypt_tun_node_name, "ipsec6-tun-input",
187 &b->esp6_decrypt_tun_node_index,
188 &b->esp6_decrypt_tun_next_index);
190 b->esp6_encrypt_tun_node_index =
191 vlib_get_node_by_name (vm, (u8 *) esp6_encrypt_node_tun_name)->index;
192 b->esp4_encrypt_tun_node_index =
193 vlib_get_node_by_name (vm, (u8 *) esp4_encrypt_node_tun_name)->index;
195 b->check_support_cb = esp_check_support_cb;
196 b->add_del_sa_sess_cb = esp_add_del_sa_sess_cb;
197 b->enable_disable_cb = enable_disable_cb;
199 return b - im->esp_backends;
203 ipsec_rsc_in_use (ipsec_main_t * im)
205 /* return an error is crypto resource are in use */
206 if (pool_elts (im->sad) > 0)
207 return clib_error_return (0,
208 "%d SA entries configured",
209 pool_elts (im->sad));
215 ipsec_select_ah_backend (ipsec_main_t * im, u32 backend_idx)
217 if (ipsec_rsc_in_use (im))
218 return VNET_API_ERROR_RSRC_IN_USE;
220 if (pool_is_free_index (im->ah_backends, backend_idx))
221 return VNET_API_ERROR_INVALID_VALUE;
223 ipsec_ah_backend_t *b = pool_elt_at_index (im->ah_backends, backend_idx);
224 im->ah_current_backend = backend_idx;
225 im->ah4_encrypt_node_index = b->ah4_encrypt_node_index;
226 im->ah4_decrypt_node_index = b->ah4_decrypt_node_index;
227 im->ah4_encrypt_next_index = b->ah4_encrypt_next_index;
228 im->ah4_decrypt_next_index = b->ah4_decrypt_next_index;
229 im->ah6_encrypt_node_index = b->ah6_encrypt_node_index;
230 im->ah6_decrypt_node_index = b->ah6_decrypt_node_index;
231 im->ah6_encrypt_next_index = b->ah6_encrypt_next_index;
232 im->ah6_decrypt_next_index = b->ah6_decrypt_next_index;
238 ipsec_select_esp_backend (ipsec_main_t * im, u32 backend_idx)
240 if (ipsec_rsc_in_use (im))
241 return VNET_API_ERROR_RSRC_IN_USE;
243 if (pool_is_free_index (im->esp_backends, backend_idx))
244 return VNET_API_ERROR_INVALID_VALUE;
246 /* disable current backend */
247 if (im->esp_current_backend != ~0)
249 ipsec_esp_backend_t *cb = pool_elt_at_index (im->esp_backends,
250 im->esp_current_backend);
251 if (cb->enable_disable_cb)
253 if ((cb->enable_disable_cb) (0) != 0)
258 ipsec_esp_backend_t *b = pool_elt_at_index (im->esp_backends, backend_idx);
259 im->esp_current_backend = backend_idx;
260 im->esp4_encrypt_node_index = b->esp4_encrypt_node_index;
261 im->esp4_decrypt_node_index = b->esp4_decrypt_node_index;
262 im->esp4_encrypt_next_index = b->esp4_encrypt_next_index;
263 im->esp4_decrypt_next_index = b->esp4_decrypt_next_index;
264 im->esp6_encrypt_node_index = b->esp6_encrypt_node_index;
265 im->esp6_decrypt_node_index = b->esp6_decrypt_node_index;
266 im->esp6_encrypt_next_index = b->esp6_encrypt_next_index;
267 im->esp6_decrypt_next_index = b->esp6_decrypt_next_index;
268 im->esp4_decrypt_tun_node_index = b->esp4_decrypt_tun_node_index;
269 im->esp4_decrypt_tun_next_index = b->esp4_decrypt_tun_next_index;
270 im->esp6_decrypt_tun_node_index = b->esp6_decrypt_tun_node_index;
271 im->esp6_decrypt_tun_next_index = b->esp6_decrypt_tun_next_index;
272 im->esp4_encrypt_tun_node_index = b->esp4_encrypt_tun_node_index;
273 im->esp6_encrypt_tun_node_index = b->esp6_encrypt_tun_node_index;
275 if (b->enable_disable_cb)
277 if ((b->enable_disable_cb) (1) != 0)
284 ipsec_set_async_mode (u32 is_enabled)
286 ipsec_main_t *im = &ipsec_main;
289 /* lock all SAs before change im->async_mode */
290 pool_foreach (sa, im->sad, (
292 fib_node_lock (&sa->node);
295 im->async_mode = is_enabled;
297 /* change SA crypto op data before unlock them */
298 pool_foreach (sa, im->sad, (
300 sa->crypto_op_data = is_enabled ?
301 sa->async_op_data.data : sa->sync_op_data.data;
302 fib_node_unlock (&sa->node);
307 crypto_engine_backend_register_post_node (vlib_main_t * vm)
309 esp_async_post_next_t *eit;
310 esp_async_post_next_t *dit;
312 eit = &esp_encrypt_async_next;
313 eit->esp4_post_next =
314 vnet_crypto_register_post_node (vm, "esp4-encrypt-post");
315 eit->esp6_post_next =
316 vnet_crypto_register_post_node (vm, "esp6-encrypt-post");
317 eit->esp4_tun_post_next =
318 vnet_crypto_register_post_node (vm, "esp4-encrypt-tun-post");
319 eit->esp6_tun_post_next =
320 vnet_crypto_register_post_node (vm, "esp6-encrypt-tun-post");
322 dit = &esp_decrypt_async_next;
323 dit->esp4_post_next =
324 vnet_crypto_register_post_node (vm, "esp4-decrypt-post");
325 dit->esp6_post_next =
326 vnet_crypto_register_post_node (vm, "esp6-decrypt-post");
327 dit->esp4_tun_post_next =
328 vnet_crypto_register_post_node (vm, "esp4-decrypt-tun-post");
329 dit->esp6_tun_post_next =
330 vnet_crypto_register_post_node (vm, "esp6-decrypt-tun-post");
333 static clib_error_t *
334 ipsec_init (vlib_main_t * vm)
337 ipsec_main_t *im = &ipsec_main;
338 ipsec_main_crypto_alg_t *a;
340 /* Backend registration requires the feature arcs to be set up */
341 if ((error = vlib_call_init_function (vm, vnet_feature_init)))
344 im->vnet_main = vnet_get_main ();
347 im->spd_index_by_spd_id = hash_create (0, sizeof (uword));
348 im->sa_index_by_sa_id = hash_create (0, sizeof (uword));
349 im->spd_index_by_sw_if_index = hash_create (0, sizeof (uword));
351 vlib_node_t *node = vlib_get_node_by_name (vm, (u8 *) "error-drop");
353 im->error_drop_node_index = node->index;
355 im->ah_current_backend = ~0;
356 im->esp_current_backend = ~0;
358 u32 idx = ipsec_register_ah_backend (vm, im, "crypto engine backend",
363 ipsec_check_ah_support,
366 im->ah_default_backend = idx;
367 int rv = ipsec_select_ah_backend (im, idx);
369 (void) (rv); // avoid warning
371 idx = ipsec_register_esp_backend (vm, im, "crypto engine backend",
380 ipsec_check_esp_support,
381 NULL, crypto_dispatch_enable_disable);
382 im->esp_default_backend = idx;
384 rv = ipsec_select_esp_backend (im, idx);
386 (void) (rv); // avoid warning
388 if ((error = vlib_call_init_function (vm, ipsec_cli_init)))
391 vec_validate (im->crypto_algs, IPSEC_CRYPTO_N_ALG - 1);
393 a = im->crypto_algs + IPSEC_CRYPTO_ALG_NONE;
394 a->enc_op_id = VNET_CRYPTO_OP_NONE;
395 a->dec_op_id = VNET_CRYPTO_OP_NONE;
396 a->alg = VNET_CRYPTO_ALG_NONE;
400 a = im->crypto_algs + IPSEC_CRYPTO_ALG_DES_CBC;
401 a->enc_op_id = VNET_CRYPTO_OP_DES_CBC_ENC;
402 a->dec_op_id = VNET_CRYPTO_OP_DES_CBC_DEC;
403 a->alg = VNET_CRYPTO_ALG_DES_CBC;
404 a->iv_size = a->block_size = 8;
406 a = im->crypto_algs + IPSEC_CRYPTO_ALG_3DES_CBC;
407 a->enc_op_id = VNET_CRYPTO_OP_3DES_CBC_ENC;
408 a->dec_op_id = VNET_CRYPTO_OP_3DES_CBC_DEC;
409 a->alg = VNET_CRYPTO_ALG_3DES_CBC;
410 a->iv_size = a->block_size = 8;
412 a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_128;
413 a->enc_op_id = VNET_CRYPTO_OP_AES_128_CBC_ENC;
414 a->dec_op_id = VNET_CRYPTO_OP_AES_128_CBC_DEC;
415 a->alg = VNET_CRYPTO_ALG_AES_128_CBC;
416 a->iv_size = a->block_size = 16;
418 a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_192;
419 a->enc_op_id = VNET_CRYPTO_OP_AES_192_CBC_ENC;
420 a->dec_op_id = VNET_CRYPTO_OP_AES_192_CBC_DEC;
421 a->alg = VNET_CRYPTO_ALG_AES_192_CBC;
422 a->iv_size = a->block_size = 16;
424 a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_256;
425 a->enc_op_id = VNET_CRYPTO_OP_AES_256_CBC_ENC;
426 a->dec_op_id = VNET_CRYPTO_OP_AES_256_CBC_DEC;
427 a->alg = VNET_CRYPTO_ALG_AES_256_CBC;
428 a->iv_size = a->block_size = 16;
430 a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_128;
431 a->enc_op_id = VNET_CRYPTO_OP_AES_128_GCM_ENC;
432 a->dec_op_id = VNET_CRYPTO_OP_AES_128_GCM_DEC;
433 a->alg = VNET_CRYPTO_ALG_AES_128_GCM;
438 a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_192;
439 a->enc_op_id = VNET_CRYPTO_OP_AES_192_GCM_ENC;
440 a->dec_op_id = VNET_CRYPTO_OP_AES_192_GCM_DEC;
441 a->alg = VNET_CRYPTO_ALG_AES_192_GCM;
446 a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_256;
447 a->enc_op_id = VNET_CRYPTO_OP_AES_256_GCM_ENC;
448 a->dec_op_id = VNET_CRYPTO_OP_AES_256_GCM_DEC;
449 a->alg = VNET_CRYPTO_ALG_AES_256_GCM;
454 vec_validate (im->integ_algs, IPSEC_INTEG_N_ALG - 1);
455 ipsec_main_integ_alg_t *i;
457 i = &im->integ_algs[IPSEC_INTEG_ALG_MD5_96];
458 i->op_id = VNET_CRYPTO_OP_MD5_HMAC;
459 i->alg = VNET_CRYPTO_ALG_HMAC_MD5;
462 i = &im->integ_algs[IPSEC_INTEG_ALG_SHA1_96];
463 i->op_id = VNET_CRYPTO_OP_SHA1_HMAC;
464 i->alg = VNET_CRYPTO_ALG_HMAC_SHA1;
467 i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_256_96];
468 i->op_id = VNET_CRYPTO_OP_SHA1_HMAC;
469 i->alg = VNET_CRYPTO_ALG_HMAC_SHA256;
472 i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_256_128];
473 i->op_id = VNET_CRYPTO_OP_SHA256_HMAC;
474 i->alg = VNET_CRYPTO_ALG_HMAC_SHA256;
477 i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_384_192];
478 i->op_id = VNET_CRYPTO_OP_SHA384_HMAC;
479 i->alg = VNET_CRYPTO_ALG_HMAC_SHA384;
482 i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_512_256];
483 i->op_id = VNET_CRYPTO_OP_SHA512_HMAC;
484 i->alg = VNET_CRYPTO_ALG_HMAC_SHA512;
487 vec_validate_aligned (im->ptd, vlib_num_workers (), CLIB_CACHE_LINE_BYTES);
489 im->ah4_enc_fq_index =
490 vlib_frame_queue_main_init (ah4_encrypt_node.index, 0);
491 im->ah4_dec_fq_index =
492 vlib_frame_queue_main_init (ah4_decrypt_node.index, 0);
493 im->ah6_enc_fq_index =
494 vlib_frame_queue_main_init (ah6_encrypt_node.index, 0);
495 im->ah6_dec_fq_index =
496 vlib_frame_queue_main_init (ah6_decrypt_node.index, 0);
498 im->esp4_enc_fq_index =
499 vlib_frame_queue_main_init (esp4_encrypt_node.index, 0);
500 im->esp4_dec_fq_index =
501 vlib_frame_queue_main_init (esp4_decrypt_node.index, 0);
502 im->esp6_enc_fq_index =
503 vlib_frame_queue_main_init (esp6_encrypt_node.index, 0);
504 im->esp6_dec_fq_index =
505 vlib_frame_queue_main_init (esp6_decrypt_node.index, 0);
506 im->esp4_enc_tun_fq_index =
507 vlib_frame_queue_main_init (esp4_encrypt_tun_node.index, 0);
508 im->esp6_enc_tun_fq_index =
509 vlib_frame_queue_main_init (esp6_encrypt_tun_node.index, 0);
510 im->esp4_dec_tun_fq_index =
511 vlib_frame_queue_main_init (esp4_decrypt_tun_node.index, 0);
512 im->esp6_dec_tun_fq_index =
513 vlib_frame_queue_main_init (esp6_decrypt_tun_node.index, 0);
516 crypto_engine_backend_register_post_node (vm);
521 VLIB_INIT_FUNCTION (ipsec_init);
524 * fd.io coding-style-patch-verification: ON
527 * eval: (c-set-style "gnu")