X-Git-Url: https://gerrit.fd.io/r/gitweb?p=vpp.git;a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_api.c;h=177300aeb9adc870ab2a15bd406184a818caacdf;hp=9bcf63b45c29e60e4250dd19044ef8cb20b7bf33;hb=e5d34919b;hpb=a9a951f8e5ed6e172fbfbdbb6cb690c67fa2f715 diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index 9bcf63b45c2..177300aeb9a 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -23,12 +23,16 @@ #include #include #include +#include +#include +#include +#include #include #if WITH_LIBSSL > 0 #include -#include +#include #endif /* IPSEC */ #define vl_typedefs /* define message structures */ @@ -47,21 +51,25 @@ #include -#define foreach_vpe_api_msg \ -_(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \ -_(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \ -_(IPSEC_SPD_ADD_DEL_ENTRY, ipsec_spd_add_del_entry) \ -_(IPSEC_SAD_ADD_DEL_ENTRY, ipsec_sad_add_del_entry) \ -_(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \ -_(IPSEC_SPD_DUMP, ipsec_spd_dump) \ -_(IKEV2_PROFILE_ADD_DEL, ikev2_profile_add_del) \ -_(IKEV2_PROFILE_SET_AUTH, ikev2_profile_set_auth) \ -_(IKEV2_PROFILE_SET_ID, ikev2_profile_set_id) \ -_(IKEV2_PROFILE_SET_TS, ikev2_profile_set_ts) \ -_(IKEV2_SET_LOCAL_KEY, ikev2_set_local_key) - -static void vl_api_ipsec_spd_add_del_t_handler - (vl_api_ipsec_spd_add_del_t * mp) +#define foreach_vpe_api_msg \ +_(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \ +_(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \ +_(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \ +_(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \ +_(IPSEC_SA_DUMP, ipsec_sa_dump) \ +_(IPSEC_SPDS_DUMP, ipsec_spds_dump) \ +_(IPSEC_SPD_DUMP, ipsec_spd_dump) \ +_(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \ +_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \ +_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \ +_(IPSEC_SELECT_BACKEND, ipsec_select_backend) \ +_(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \ +_(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \ +_(IPSEC_TUNNEL_PROTECT_DEL, ipsec_tunnel_protect_del) \ +_(IPSEC_TUNNEL_PROTECT_DUMP, ipsec_tunnel_protect_dump) + +static void +vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp) { #if WITH_LIBSSL == 0 clib_warning ("unimplemented"); @@ -71,11 +79,7 @@ static void vl_api_ipsec_spd_add_del_t_handler vl_api_ipsec_spd_add_del_reply_t *rmp; int rv; -#if DPDK > 0 rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add); -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY); #endif @@ -106,227 +110,391 @@ static void vl_api_ipsec_interface_add_del_spd_t_handler REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY); } -static void vl_api_ipsec_spd_add_del_entry_t_handler - (vl_api_ipsec_spd_add_del_entry_t * mp) +static void vl_api_ipsec_tunnel_protect_update_t_handler + (vl_api_ipsec_tunnel_protect_update_t * mp) { vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); - vl_api_ipsec_spd_add_del_entry_reply_t *rmp; + vl_api_ipsec_tunnel_protect_update_reply_t *rmp; + u32 sw_if_index, ii, *sa_ins = NULL; + ip_address_t nh; int rv; + sw_if_index = ntohl (mp->tunnel.sw_if_index); + + VALIDATE_SW_IF_INDEX (&(mp->tunnel)); + #if WITH_LIBSSL > 0 - ipsec_policy_t p; - memset (&p, 0, sizeof (p)); + for (ii = 0; ii < mp->tunnel.n_sa_in; ii++) + vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii])); + + ip_address_decode2 (&mp->tunnel.nh, &nh); + + rv = ipsec_tun_protect_update (sw_if_index, &nh, + ntohl (mp->tunnel.sa_out), sa_ins); +#else + rv = VNET_API_ERROR_UNIMPLEMENTED; +#endif + + BAD_SW_IF_INDEX_LABEL; + + REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY); +} + +static void vl_api_ipsec_tunnel_protect_del_t_handler + (vl_api_ipsec_tunnel_protect_del_t * mp) +{ + vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); + vl_api_ipsec_tunnel_protect_del_reply_t *rmp; + ip_address_t nh; + u32 sw_if_index; + int rv; + + sw_if_index = ntohl (mp->sw_if_index); + + VALIDATE_SW_IF_INDEX (mp); + +#if WITH_LIBSSL > 0 + ip_address_decode2 (&mp->nh, &nh); + rv = ipsec_tun_protect_del (sw_if_index, &nh); +#else + rv = VNET_API_ERROR_UNIMPLEMENTED; +#endif + + BAD_SW_IF_INDEX_LABEL; + + REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY); +} + +typedef struct ipsec_dump_walk_ctx_t_ +{ + vl_api_registration_t *reg; + u32 context; +} ipsec_dump_walk_ctx_t; + +static walk_rc_t +send_ipsec_tunnel_protect_details (index_t itpi, void *arg) +{ + ipsec_dump_walk_ctx_t *ctx = arg; + vl_api_ipsec_tunnel_protect_details_t *mp; + ipsec_tun_protect_t *itp; + u32 sai, ii = 0; + + itp = ipsec_tun_protect_get (itpi); - p.id = ntohl (mp->spd_id); - p.priority = ntohl (mp->priority); - p.is_outbound = mp->is_outbound; - p.is_ipv6 = mp->is_ipv6; + mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in)); + clib_memset (mp, 0, sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_IPSEC_TUNNEL_PROTECT_DETAILS); + mp->context = ctx->context; - if (mp->is_ipv6 || mp->is_ip_any) + mp->tun.sw_if_index = htonl (itp->itp_sw_if_index); + ip_address_encode2 (itp->itp_key, &mp->tun.nh); + + mp->tun.sa_out = htonl (itp->itp_out_sa); + mp->tun.n_sa_in = itp->itp_n_sa_in; + /* *INDENT-OFF* */ + FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai, + ({ + mp->tun.sa_in[ii++] = htonl (sai); + })); + /* *INDENT-ON* */ + + vl_api_send_msg (ctx->reg, (u8 *) mp); + + return (WALK_CONTINUE); +} + +static void +vl_api_ipsec_tunnel_protect_dump_t_handler (vl_api_ipsec_tunnel_protect_dump_t + * mp) +{ + vl_api_registration_t *reg; + u32 sw_if_index; + +#if WITH_LIBSSL > 0 + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) + return; + + ipsec_dump_walk_ctx_t ctx = { + .reg = reg, + .context = mp->context, + }; + + sw_if_index = ntohl (mp->sw_if_index); + + if (~0 == sw_if_index) { - clib_memcpy (&p.raddr.start, mp->remote_address_start, 16); - clib_memcpy (&p.raddr.stop, mp->remote_address_stop, 16); - clib_memcpy (&p.laddr.start, mp->local_address_start, 16); - clib_memcpy (&p.laddr.stop, mp->local_address_stop, 16); + ipsec_tun_protect_walk (send_ipsec_tunnel_protect_details, &ctx); } else { - clib_memcpy (&p.raddr.start.ip4.data, mp->remote_address_start, 4); - clib_memcpy (&p.raddr.stop.ip4.data, mp->remote_address_stop, 4); - clib_memcpy (&p.laddr.start.ip4.data, mp->local_address_start, 4); - clib_memcpy (&p.laddr.stop.ip4.data, mp->local_address_stop, 4); + ipsec_tun_protect_walk_itf (sw_if_index, + send_ipsec_tunnel_protect_details, &ctx); + } +#else + clib_warning ("unimplemented"); +#endif +} + +static int +ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in, + ipsec_policy_action_t * out) +{ + in = clib_net_to_host_u32 (in); + + switch (in) + { +#define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \ + *out = IPSEC_POLICY_ACTION_##f; \ + return (0); + foreach_ipsec_policy_action +#undef _ } - p.protocol = mp->protocol; - p.rport.start = ntohs (mp->remote_port_start); - p.rport.stop = ntohs (mp->remote_port_stop); - p.lport.start = ntohs (mp->local_port_start); - p.lport.stop = ntohs (mp->local_port_stop); + return (VNET_API_ERROR_UNIMPLEMENTED); +} + +static void vl_api_ipsec_spd_entry_add_del_t_handler + (vl_api_ipsec_spd_entry_add_del_t * mp) +{ + vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); + vl_api_ipsec_spd_entry_add_del_reply_t *rmp; + ip46_type_t itype; + u32 stat_index; + int rv; + + stat_index = ~0; + +#if WITH_LIBSSL > 0 + ipsec_policy_t p; + + clib_memset (&p, 0, sizeof (p)); + + p.id = ntohl (mp->entry.spd_id); + p.priority = ntohl (mp->entry.priority); + + itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start); + ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop); + ip_address_decode (&mp->entry.local_address_start, &p.laddr.start); + ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop); + + p.is_ipv6 = (itype == IP46_TYPE_IP6); + + p.protocol = mp->entry.protocol; + p.rport.start = ntohs (mp->entry.remote_port_start); + p.rport.stop = ntohs (mp->entry.remote_port_stop); + p.lport.start = ntohs (mp->entry.local_port_start); + p.lport.stop = ntohs (mp->entry.local_port_stop); + + rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy); + + if (rv) + goto out; + /* policy action resolve unsupported */ - if (mp->policy == IPSEC_POLICY_ACTION_RESOLVE) + if (p.policy == IPSEC_POLICY_ACTION_RESOLVE) { clib_warning ("unsupported action: 'resolve'"); rv = VNET_API_ERROR_UNIMPLEMENTED; goto out; } - p.policy = mp->policy; - p.sa_id = ntohl (mp->sa_id); + p.sa_id = ntohl (mp->entry.sa_id); + rv = + ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy, + &p.type); + if (rv) + goto out; - rv = ipsec_add_del_policy (vm, &p, mp->is_add); + rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index); if (rv) goto out; - if (mp->is_ip_any) - { - p.is_ipv6 = 1; - rv = ipsec_add_del_policy (vm, &p, mp->is_add); - } #else rv = VNET_API_ERROR_UNIMPLEMENTED; goto out; #endif out: - REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_ENTRY_REPLY); + /* *INDENT-OFF* */ + REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY, + ({ + rmp->stat_index = ntohl(stat_index); + })); + /* *INDENT-ON* */ } -static void vl_api_ipsec_sad_add_del_entry_t_handler - (vl_api_ipsec_sad_add_del_entry_t * mp) +static void vl_api_ipsec_sad_entry_add_del_t_handler + (vl_api_ipsec_sad_entry_add_del_t * mp) { vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); - vl_api_ipsec_sad_add_del_entry_reply_t *rmp; + vl_api_ipsec_sad_entry_add_del_reply_t *rmp; + ip46_address_t tun_src = { }, tun_dst = + { + }; + ipsec_key_t crypto_key, integ_key; + ipsec_crypto_alg_t crypto_alg; + ipsec_integ_alg_t integ_alg; + ipsec_protocol_t proto; + ipsec_sa_flags_t flags; + u32 id, spi, sa_index = ~0; int rv; + #if WITH_LIBSSL > 0 - ipsec_sa_t sa; - memset (&sa, 0, sizeof (sa)); + id = ntohl (mp->entry.sad_id); + spi = ntohl (mp->entry.spi); - sa.id = ntohl (mp->sad_id); - sa.spi = ntohl (mp->spi); - /* security protocol AH unsupported */ - if (mp->protocol == IPSEC_PROTOCOL_AH) - { - clib_warning ("unsupported security protocol 'AH'"); - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } - sa.protocol = mp->protocol; - /* check for unsupported crypto-alg */ - if (mp->crypto_algorithm < IPSEC_CRYPTO_ALG_AES_CBC_128 || - mp->crypto_algorithm >= IPSEC_CRYPTO_N_ALG) - { - clib_warning ("unsupported crypto-alg: '%U'", format_ipsec_crypto_alg, - mp->crypto_algorithm); - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } - sa.crypto_alg = mp->crypto_algorithm; - sa.crypto_key_len = mp->crypto_key_length; - clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key)); - /* check for unsupported integ-alg */ -#if DPDK_CRYPTO==1 - if (mp->integrity_algorithm < IPSEC_INTEG_ALG_NONE || -#else - if (mp->integrity_algorithm < IPSEC_INTEG_ALG_SHA1_96 || -#endif - mp->integrity_algorithm >= IPSEC_INTEG_N_ALG) - { - clib_warning ("unsupported integ-alg: '%U'", format_ipsec_integ_alg, - mp->integrity_algorithm); - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } + rv = ipsec_proto_decode (mp->entry.protocol, &proto); -#if DPDK_CRYPTO==1 - /*Special cases, aes-gcm-128 encryption */ - if (mp->crypto_algorithm == IPSEC_CRYPTO_ALG_AES_GCM_128) - { - if (mp->integrity_algorithm != IPSEC_INTEG_ALG_NONE - && mp->integrity_algorithm != IPSEC_INTEG_ALG_AES_GCM_128) - { - clib_warning - ("unsupported: aes-gcm-128 crypto-alg needs none as integ-alg"); - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } - else /*set integ-alg internally to aes-gcm-128 */ - mp->integrity_algorithm = IPSEC_INTEG_ALG_AES_GCM_128; - } - else if (mp->integrity_algorithm == IPSEC_INTEG_ALG_AES_GCM_128) - { - clib_warning ("unsupported integ-alg: aes-gcm-128"); - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } - else if (mp->integrity_algorithm == IPSEC_INTEG_ALG_NONE) - { - clib_warning ("unsupported integ-alg: none"); - rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; - } -#endif + if (rv) + goto out; - sa.integ_alg = mp->integrity_algorithm; - sa.integ_key_len = mp->integrity_key_length; - clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key)); - sa.use_esn = mp->use_extended_sequence_number; - sa.is_tunnel = mp->is_tunnel; - sa.is_tunnel_ip6 = mp->is_tunnel_ipv6; - if (sa.is_tunnel_ip6) - { - clib_memcpy (&sa.tunnel_src_addr, mp->tunnel_src_address, 16); - clib_memcpy (&sa.tunnel_dst_addr, mp->tunnel_dst_address, 16); - } + rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg); + + if (rv) + goto out; + + rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg); + + if (rv) + goto out; + + ipsec_key_decode (&mp->entry.crypto_key, &crypto_key); + ipsec_key_decode (&mp->entry.integrity_key, &integ_key); + + flags = ipsec_sa_flags_decode (mp->entry.flags); + + ip_address_decode (&mp->entry.tunnel_src, &tun_src); + ip_address_decode (&mp->entry.tunnel_dst, &tun_dst); + + if (mp->is_add) + rv = ipsec_sa_add_and_lock (id, spi, proto, + crypto_alg, &crypto_key, + integ_alg, &integ_key, flags, + 0, mp->entry.salt, &tun_src, &tun_dst, + &sa_index, IPSEC_UDP_PORT_NONE); else - { - clib_memcpy (&sa.tunnel_src_addr.ip4.data, mp->tunnel_src_address, 4); - clib_memcpy (&sa.tunnel_dst_addr.ip4.data, mp->tunnel_dst_address, 4); - } + rv = ipsec_sa_unlock_id (id); - rv = ipsec_add_del_sa (vm, &sa, mp->is_add); #else rv = VNET_API_ERROR_UNIMPLEMENTED; - goto out; #endif out: - REPLY_MACRO (VL_API_IPSEC_SAD_ADD_DEL_ENTRY_REPLY); + /* *INDENT-OFF* */ + REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY, + { + rmp->stat_index = htonl (sa_index); + }); + /* *INDENT-ON* */ } static void -send_ipsec_spd_details (ipsec_policy_t * p, unix_shared_memory_queue_t * q, +send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg, + u32 context) +{ + vl_api_ipsec_spds_details_t *mp; + u32 n_policies = 0; + + mp = vl_msg_api_alloc (sizeof (*mp)); + clib_memset (mp, 0, sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPDS_DETAILS); + mp->context = context; + + mp->spd_id = htonl (spd->id); +#define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]); + foreach_ipsec_spd_policy_type +#undef _ + mp->npolicies = htonl (n_policies); + + vl_api_send_msg (reg, (u8 *) mp); +} + +static void +vl_api_ipsec_spds_dump_t_handler (vl_api_ipsec_spds_dump_t * mp) +{ + vl_api_registration_t *reg; + ipsec_main_t *im = &ipsec_main; + ipsec_spd_t *spd; +#if WITH_LIBSSL > 0 + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) + return; + + /* *INDENT-OFF* */ + pool_foreach (spd, im->spds, ({ + send_ipsec_spds_details (spd, reg, mp->context); + })); + /* *INDENT-ON* */ +#else + clib_warning ("unimplemented"); +#endif +} + +vl_api_ipsec_spd_action_t +ipsec_spd_action_encode (ipsec_policy_action_t in) +{ + vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS; + + switch (in) + { +#define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \ + out = IPSEC_API_SPD_ACTION_##f; \ + break; + foreach_ipsec_policy_action +#undef _ + } + return (clib_host_to_net_u32 (out)); +} + +static void +send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg, u32 context) { vl_api_ipsec_spd_details_t *mp; mp = vl_msg_api_alloc (sizeof (*mp)); - memset (mp, 0, sizeof (*mp)); + clib_memset (mp, 0, sizeof (*mp)); mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS); mp->context = context; - mp->spd_id = htonl (p->id); - mp->priority = htonl (p->priority); - mp->is_outbound = p->is_outbound; - mp->is_ipv6 = p->is_ipv6; - if (p->is_ipv6) - { - memcpy (mp->local_start_addr, &p->laddr.start.ip6, 16); - memcpy (mp->local_stop_addr, &p->laddr.stop.ip6, 16); - memcpy (mp->remote_start_addr, &p->raddr.start.ip6, 16); - memcpy (mp->remote_stop_addr, &p->raddr.stop.ip6, 16); - } - else - { - memcpy (mp->local_start_addr, &p->laddr.start.ip4, 4); - memcpy (mp->local_stop_addr, &p->laddr.stop.ip4, 4); - memcpy (mp->remote_start_addr, &p->raddr.start.ip4, 4); - memcpy (mp->remote_stop_addr, &p->raddr.stop.ip4, 4); - } - mp->local_start_port = htons (p->lport.start); - mp->local_stop_port = htons (p->lport.stop); - mp->remote_start_port = htons (p->rport.start); - mp->remote_stop_port = htons (p->rport.stop); - mp->protocol = p->protocol; - mp->policy = p->policy; - mp->sa_id = htonl (p->sa_id); - mp->bytes = clib_host_to_net_u64 (p->counter.bytes); - mp->packets = clib_host_to_net_u64 (p->counter.packets); - - vl_msg_api_send_shmem (q, (u8 *) & mp); + mp->entry.spd_id = htonl (p->id); + mp->entry.priority = htonl (p->priority); + mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) || + (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND)); + + ip_address_encode (&p->laddr.start, IP46_TYPE_ANY, + &mp->entry.local_address_start); + ip_address_encode (&p->laddr.stop, IP46_TYPE_ANY, + &mp->entry.local_address_stop); + ip_address_encode (&p->raddr.start, IP46_TYPE_ANY, + &mp->entry.remote_address_start); + ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY, + &mp->entry.remote_address_stop); + mp->entry.local_port_start = htons (p->lport.start); + mp->entry.local_port_stop = htons (p->lport.stop); + mp->entry.remote_port_start = htons (p->rport.start); + mp->entry.remote_port_stop = htons (p->rport.stop); + mp->entry.protocol = p->protocol; + mp->entry.policy = ipsec_spd_action_encode (p->policy); + mp->entry.sa_id = htonl (p->sa_id); + + vl_api_send_msg (reg, (u8 *) mp); } static void vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp) { - unix_shared_memory_queue_t *q; + vl_api_registration_t *reg; ipsec_main_t *im = &ipsec_main; + ipsec_spd_policy_type_t ptype; ipsec_policy_t *policy; ipsec_spd_t *spd; uword *p; - u32 spd_index; + u32 spd_index, *ii; #if WITH_LIBSSL > 0 - q = vl_api_client_index_to_input_queue (mp->client_index); - if (q == 0) + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) return; p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id)); @@ -337,12 +505,15 @@ vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp) spd = pool_elt_at_index (im->spds, spd_index); /* *INDENT-OFF* */ - pool_foreach (policy, spd->policies, - ({ - if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id) - send_ipsec_spd_details (policy, q, - mp->context);} - )); + FOR_EACH_IPSEC_SPD_POLICY_TYPE(ptype) { + vec_foreach(ii, spd->policies[ptype]) + { + policy = pool_elt_at_index(im->policies, *ii); + + if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id) + send_ipsec_spd_details (policy, reg, mp->context); + } + } /* *INDENT-ON* */ #else clib_warning ("unimplemented"); @@ -350,144 +521,449 @@ vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp) } static void -vl_api_ipsec_sa_set_key_t_handler (vl_api_ipsec_sa_set_key_t * mp) +send_ipsec_spd_interface_details (vl_api_registration_t * reg, u32 spd_index, + u32 sw_if_index, u32 context) { - vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); - vl_api_ipsec_sa_set_key_reply_t *rmp; - int rv; -#if WITH_LIBSSL > 0 - ipsec_sa_t sa; - sa.id = ntohl (mp->sa_id); - sa.crypto_key_len = mp->crypto_key_length; - clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key)); - sa.integ_key_len = mp->integrity_key_length; - clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key)); - - rv = ipsec_set_sa_key (vm, &sa); -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif + vl_api_ipsec_spd_interface_details_t *mp; + + mp = vl_msg_api_alloc (sizeof (*mp)); + clib_memset (mp, 0, sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_INTERFACE_DETAILS); + mp->context = context; + + mp->spd_index = htonl (spd_index); + mp->sw_if_index = htonl (sw_if_index); - REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY); + vl_api_send_msg (reg, (u8 *) mp); } static void -vl_api_ikev2_profile_add_del_t_handler (vl_api_ikev2_profile_add_del_t * mp) +vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t * + mp) { - vl_api_ikev2_profile_add_del_reply_t *rmp; - int rv = 0; + ipsec_main_t *im = &ipsec_main; + vl_api_registration_t *reg; + u32 k, v, spd_index; #if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - u8 *tmp = format (0, "%s", mp->name); - error = ikev2_add_del_profile (vm, tmp, mp->is_add); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) + return; + + if (mp->spd_index_valid) + { + spd_index = ntohl (mp->spd_index); + /* *INDENT-OFF* */ + hash_foreach(k, v, im->spd_index_by_sw_if_index, ({ + if (v == spd_index) + send_ipsec_spd_interface_details(reg, v, k, mp->context); + })); + /* *INDENT-ON* */ + } + else + { + /* *INDENT-OFF* */ + hash_foreach(k, v, im->spd_index_by_sw_if_index, ({ + send_ipsec_spd_interface_details(reg, v, k, mp->context); + })); + /* *INDENT-ON* */ + } + #else - rv = VNET_API_ERROR_UNIMPLEMENTED; + clib_warning ("unimplemented"); #endif +} - REPLY_MACRO (VL_API_IKEV2_PROFILE_ADD_DEL_REPLY); +static u32 +ipsec_tun_mk_input_sa_id (u32 ti) +{ + return (0x80000000 | ti); +} + +static u32 +ipsec_tun_mk_output_sa_id (u32 ti) +{ + return (0xc0000000 | ti); } static void - vl_api_ikev2_profile_set_auth_t_handler - (vl_api_ikev2_profile_set_auth_t * mp) +vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * + mp) { - vl_api_ikev2_profile_set_auth_reply_t *rmp; - int rv = 0; + vl_api_ipsec_tunnel_if_add_del_reply_t *rmp; + u32 sw_if_index = ~0; + int rv; #if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - u8 *tmp = format (0, "%s", mp->name); - u8 *data = vec_new (u8, mp->data_len); - clib_memcpy (data, mp->data, mp->data_len); - error = ikev2_set_profile_auth (vm, tmp, mp->auth_method, data, mp->is_hex); - vec_free (tmp); - vec_free (data); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; + ip46_address_t local_ip = ip46_address_initializer; + ip46_address_t remote_ip = ip46_address_initializer; + ipsec_key_t crypto_key, integ_key; + ipsec_sa_flags_t flags; + ip46_type_t local_ip_type, remote_ip_type; + ipip_transport_t transport; + u32 fib_index; + + local_ip_type = ip_address_decode (&mp->local_ip, &local_ip); + remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip); + transport = (IP46_TYPE_IP6 == local_ip_type ? + IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4); + + if (local_ip_type != remote_ip_type) + { + rv = VNET_API_ERROR_INVALID_VALUE; + goto done; + } + + flags = IPSEC_SA_FLAG_NONE; + + if (mp->udp_encap) + flags |= IPSEC_SA_FLAG_UDP_ENCAP; + if (mp->esn) + flags |= IPSEC_SA_FLAG_USE_ESN; + if (mp->anti_replay) + flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY; + + ipsec_mk_key (&crypto_key, mp->remote_crypto_key, + mp->remote_crypto_key_len); + ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len); + ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len); + ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len); + + fib_index = + fib_table_find (fib_proto_from_ip46 (local_ip_type), + ntohl (mp->tx_table_id)); + + if (~0 == fib_index) + { + rv = VNET_API_ERROR_NO_SUCH_FIB; + goto done; + } + + if (mp->is_add) + { + // remote = input, local = output + /* create an ip-ip tunnel, then the two SA, then bind them */ + rv = ipip_add_tunnel (transport, + (mp->renumber ? ntohl (mp->show_instance) : ~0), + &local_ip, + &remote_ip, fib_index, + TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0, + TUNNEL_MODE_P2P, &sw_if_index); + + if (rv) + goto done; + + rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (sw_if_index), + ntohl (mp->remote_spi), + IPSEC_PROTOCOL_ESP, + mp->crypto_alg, + &crypto_key, + mp->integ_alg, + &integ_key, + (flags | IPSEC_SA_FLAG_IS_INBOUND), + ntohl (mp->tx_table_id), + mp->salt, &remote_ip, &local_ip, NULL, + IPSEC_UDP_PORT_NONE); + + if (rv) + goto done; + + rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (sw_if_index), + ntohl (mp->local_spi), + IPSEC_PROTOCOL_ESP, + mp->crypto_alg, + &crypto_key, + mp->integ_alg, + &integ_key, + flags, + ntohl (mp->tx_table_id), + mp->salt, &local_ip, &remote_ip, NULL, + IPSEC_UDP_PORT_NONE); + + if (rv) + goto done; + + rv = ipsec_tun_protect_update_one (sw_if_index, NULL, + ipsec_tun_mk_output_sa_id + (sw_if_index), + ipsec_tun_mk_input_sa_id + (sw_if_index)); + if (rv) + goto done; + + /* the SAs are locked as a result of being used for proection, + * they cannot be removed from the API, since they cannot be refered + * to by the API. unlock them now, so that if the tunnel is rekeyed + * they-ll disapper + */ + ipsec_sa_unlock_id (ipsec_tun_mk_input_sa_id (sw_if_index)); + ipsec_sa_unlock_id (ipsec_tun_mk_output_sa_id (sw_if_index)); + } + else + { + /* *INDENT-OFF* */ + ipip_tunnel_key_t key = { + .transport = transport, + .fib_index = fib_index, + .src = local_ip, + .dst = remote_ip + }; + /* *INDENT-ON* */ + + ipip_tunnel_t *t = ipip_tunnel_db_find (&key); + + if (NULL != t) + { + rv = ipsec_tun_protect_del (t->sw_if_index, NULL); + ipip_del_tunnel (t->sw_if_index); + } + else + rv = VNET_API_ERROR_NO_SUCH_ENTRY; + } + #else rv = VNET_API_ERROR_UNIMPLEMENTED; #endif +done: + /* *INDENT-OFF* */ + REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY, + ({ + rmp->sw_if_index = htonl (sw_if_index); + })); + /* *INDENT-ON* */ +} + +typedef struct ipsec_sa_dump_match_ctx_t_ +{ + index_t sai; + u32 sw_if_index; +} ipsec_sa_dump_match_ctx_t; + +static walk_rc_t +ipsec_sa_dump_match_sa (index_t itpi, void *arg) +{ + ipsec_sa_dump_match_ctx_t *ctx = arg; + ipsec_tun_protect_t *itp; + index_t sai; + + itp = ipsec_tun_protect_get (itpi); + + if (itp->itp_out_sa == ctx->sai) + { + ctx->sw_if_index = itp->itp_sw_if_index; + return (WALK_STOP); + } + /* *INDENT-OFF* */ + FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai, + ({ + if (sai == ctx->sai) + { + ctx->sw_if_index = itp->itp_sw_if_index; + return (WALK_STOP); + } + })); + /* *INDENT-OFF* */ + + return (WALK_CONTINUE); +} + +static walk_rc_t +send_ipsec_sa_details (ipsec_sa_t * sa, void *arg) +{ + ipsec_dump_walk_ctx_t *ctx = arg; + vl_api_ipsec_sa_details_t *mp; + ipsec_main_t *im = &ipsec_main; + + mp = vl_msg_api_alloc (sizeof (*mp)); + clib_memset (mp, 0, sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS); + mp->context = ctx->context; + + mp->entry.sad_id = htonl (sa->id); + mp->entry.spi = htonl (sa->spi); + mp->entry.protocol = ipsec_proto_encode (sa->protocol); + mp->entry.tx_table_id = + htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4)); + + mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg); + ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key); - REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_AUTH_REPLY); + mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg); + ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key); + + mp->entry.flags = ipsec_sad_flags_encode (sa); + mp->entry.salt = clib_host_to_net_u32 (sa->salt); + + if (ipsec_sa_is_set_IS_PROTECT (sa)) + { + ipsec_sa_dump_match_ctx_t ctx = { + .sai = sa - im->sad, + .sw_if_index = ~0, + }; + ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx); + + mp->sw_if_index = htonl (ctx.sw_if_index); + } + else + mp->sw_if_index = ~0; + + if (ipsec_sa_is_set_IS_TUNNEL (sa)) + { + ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY, + &mp->entry.tunnel_src); + ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY, + &mp->entry.tunnel_dst); + } + + mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq)); + mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq)); + if (ipsec_sa_is_set_USE_ESN (sa)) + { + mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); + mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi)); + } + if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa)) + mp->replay_window = clib_host_to_net_u64 (sa->replay_window); + + vl_api_send_msg (ctx->reg, (u8 *) mp); + + return (WALK_CONTINUE); } static void -vl_api_ikev2_profile_set_id_t_handler (vl_api_ikev2_profile_set_id_t * mp) +vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp) { - vl_api_ikev2_profile_add_del_reply_t *rmp; - int rv = 0; + vl_api_registration_t *reg; #if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - u8 *tmp = format (0, "%s", mp->name); - u8 *data = vec_new (u8, mp->data_len); - clib_memcpy (data, mp->data, mp->data_len); - error = ikev2_set_profile_id (vm, tmp, mp->id_type, data, mp->is_local); - vec_free (tmp); - vec_free (data); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) + return; + + ipsec_dump_walk_ctx_t ctx = { + .reg = reg, + .context = mp->context, + }; + + ipsec_sa_walk (send_ipsec_sa_details, &ctx); + #else - rv = VNET_API_ERROR_UNIMPLEMENTED; + clib_warning ("unimplemented"); #endif - - REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_ID_REPLY); } static void -vl_api_ikev2_profile_set_ts_t_handler (vl_api_ikev2_profile_set_ts_t * mp) +vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp) { - vl_api_ikev2_profile_set_ts_reply_t *rmp; - int rv = 0; + vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp; + int rv; #if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; - u8 *tmp = format (0, "%s", mp->name); - error = ikev2_set_profile_ts (vm, tmp, mp->proto, mp->start_port, - mp->end_port, (ip4_address_t) mp->start_addr, - (ip4_address_t) mp->end_addr, mp->is_local); - vec_free (tmp); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; + VALIDATE_SW_IF_INDEX(mp); + + if (mp->is_outbound) + rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index), NULL, + ntohl (mp->sa_id)); + else + rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index), NULL, + ntohl (mp->sa_id)); + #else - rv = VNET_API_ERROR_UNIMPLEMENTED; + clib_warning ("unimplemented"); #endif - REPLY_MACRO (VL_API_IKEV2_PROFILE_SET_TS_REPLY); + BAD_SW_IF_INDEX_LABEL; + + REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY); +} + +static void +vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp) +{ + vl_api_registration_t *rp; + ipsec_main_t *im = &ipsec_main; + u32 context = mp->context; + + rp = vl_api_client_index_to_registration (mp->client_index); + + if (rp == 0) + { + clib_warning ("Client %d AWOL", mp->client_index); + return; + } + + ipsec_ah_backend_t *ab; + ipsec_esp_backend_t *eb; + /* *INDENT-OFF* */ + pool_foreach (ab, im->ah_backends, { + vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp)); + clib_memset (mp, 0, sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS); + mp->context = context; + snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name), + ab->name); + mp->protocol = ntohl (IPSEC_API_PROTO_AH); + mp->index = ab - im->ah_backends; + mp->active = mp->index == im->ah_current_backend ? 1 : 0; + vl_api_send_msg (rp, (u8 *)mp); + }); + pool_foreach (eb, im->esp_backends, { + vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp)); + clib_memset (mp, 0, sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS); + mp->context = context; + snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name), + eb->name); + mp->protocol = ntohl (IPSEC_API_PROTO_ESP); + mp->index = eb - im->esp_backends; + mp->active = mp->index == im->esp_current_backend ? 1 : 0; + vl_api_send_msg (rp, (u8 *)mp); + }); + /* *INDENT-ON* */ } static void -vl_api_ikev2_set_local_key_t_handler (vl_api_ikev2_set_local_key_t * mp) +vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp) { - vl_api_ikev2_profile_set_ts_reply_t *rmp; + ipsec_main_t *im = &ipsec_main; + vl_api_ipsec_select_backend_reply_t *rmp; + ipsec_protocol_t protocol; int rv = 0; + if (pool_elts (im->sad) > 0) + { + rv = VNET_API_ERROR_INSTANCE_IN_USE; + goto done; + } -#if WITH_LIBSSL > 0 - vlib_main_t *vm = vlib_get_main (); - clib_error_t *error; + rv = ipsec_proto_decode (mp->protocol, &protocol); - error = ikev2_set_local_key (vm, mp->key_file); - if (error) - rv = VNET_API_ERROR_UNSPECIFIED; + if (rv) + goto done; + +#if WITH_LIBSSL > 0 + switch (protocol) + { + case IPSEC_PROTOCOL_ESP: + rv = ipsec_select_esp_backend (im, mp->index); + break; + case IPSEC_PROTOCOL_AH: + rv = ipsec_select_ah_backend (im, mp->index); + break; + default: + rv = VNET_API_ERROR_INVALID_PROTOCOL; + break; + } #else - rv = VNET_API_ERROR_UNIMPLEMENTED; + clib_warning ("unimplemented"); /* FIXME */ #endif - - REPLY_MACRO (VL_API_IKEV2_SET_LOCAL_KEY_REPLY); +done: + REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY); } /* * ipsec_api_hookup * Add vpe's API message handlers to the table. - * vlib has alread mapped shared memory and + * vlib has already mapped shared memory and * added the client registration handlers. * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process() */ @@ -506,7 +982,7 @@ setup_message_id_table (api_main_t * am) static clib_error_t * ipsec_api_hookup (vlib_main_t * vm) { - api_main_t *am = &api_main; + api_main_t *am = vlibapi_get_main (); #define _(N,n) \ vl_msg_api_set_handlers(VL_API_##N, #n, \ @@ -518,6 +994,13 @@ ipsec_api_hookup (vlib_main_t * vm) foreach_vpe_api_msg; #undef _ + /* + * Adding and deleting SAs is MP safe since when they are added/delete + * no traffic is using them + */ + am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL] = 1; + am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY] = 1; + /* * Set up the (msg_name, crc, message-id) table */