diff options
author | Florin Coras <florin.coras@gmail.com> | 2019-01-02 17:43:01 +0000 |
---|---|---|
committer | Dave Barach <openvpp@barachs.net> | 2019-01-02 18:50:37 +0000 |
commit | 4a7cbcd06b3fa1f44366a606d5c148cce816503b (patch) | |
tree | 69875f8c2342ddf376770e0d55876fdc53fc4aa2 | |
parent | d9818dd68c162079f3ddb5443a78d0d91d55d0fe (diff) |
Revert "add ipsecmb plugin"
This reverts commit be16020c5034bc69df25a8ecd7081aec9898d93c.
The arm verify job actually failed but the result was overwritten by an x86 ubuntu retry.
Change-Id: Idcae7691fc575053563b8ff8bcad661c15891668
Signed-off-by: Florin Coras <fcoras@cisco.com>
-rw-r--r-- | src/plugins/ipsecmb/CMakeLists.txt | 46 | ||||
-rw-r--r-- | src/plugins/ipsecmb/ah_decrypt.c | 493 | ||||
-rw-r--r-- | src/plugins/ipsecmb/ah_encrypt.c | 466 | ||||
-rw-r--r-- | src/plugins/ipsecmb/esp_decrypt.c | 471 | ||||
-rw-r--r-- | src/plugins/ipsecmb/esp_encrypt.c | 651 | ||||
-rw-r--r-- | src/plugins/ipsecmb/ipsecmb.c | 322 | ||||
-rw-r--r-- | src/plugins/ipsecmb/ipsecmb.h | 97 | ||||
-rw-r--r-- | src/vnet/buffer.h | 4 | ||||
-rw-r--r-- | test/test_ipsec_nat.py | 9 | ||||
-rw-r--r-- | test/test_ipsecmb_ah.py | 31 | ||||
-rw-r--r-- | test/test_ipsecmb_esp.py | 30 | ||||
-rw-r--r-- | test/test_ipsecmb_nat.py | 13 |
12 files changed, 2 insertions, 2631 deletions
diff --git a/src/plugins/ipsecmb/CMakeLists.txt b/src/plugins/ipsecmb/CMakeLists.txt deleted file mode 100644 index 38ecf644896..00000000000 --- a/src/plugins/ipsecmb/CMakeLists.txt +++ /dev/null @@ -1,46 +0,0 @@ -# Copyright (c) 2018 Cisco and/or its affiliates. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at: -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -find_path(IPSECMB_INCLUDE_DIR NAMES intel-ipsec-mb.h HINTS ${IPSECMB_INCLUDE_DIR_HINT}) -find_library(IPSECMB_LIB NAMES libIPSec_MB.a HINTS ${IPSECMB_LIB_DIR_HINT}) - -if(IPSECMB_INCLUDE_DIR AND IPSECMB_LIB) - - get_filename_component(IPSECMB_LIB_DIR ${IPSECMB_LIB} DIRECTORY) - set(IPSECMB_LINK_FLAGS "${IPSECMB_LINK_FLAGS} -L${IPSECMB_LIB_DIR} -Wl,--whole-archive ${IPSECMB_LIB} -Wl,--no-whole-archive") - set(IPSECMB_LINK_FLAGS "${IPSECMB_LINK_FLAGS} -Wl,--exclude-libs,libIPSec_MB.a,-l:libIPSec_MB.a") - include_directories(${IPSECMB_INCLUDE_DIR}) - add_vpp_plugin(ipsecmb - SOURCES - ipsecmb.c - ah_encrypt.c - ah_decrypt.c - esp_encrypt.c - esp_decrypt.c - - MULTIARCH_SOURCES - ah_encrypt.c - ah_decrypt.c - esp_encrypt.c - esp_decrypt.c - - LINK_FLAGS - ${IPSECMB_LINK_FLAGS} - ) - - message(STATUS "Intel IPSecMB found: ${IPSECMB_INCLUDE_DIR}") -else() - message(STATUS "Intel IPSecMB not found") -endif() - - diff --git a/src/plugins/ipsecmb/ah_decrypt.c b/src/plugins/ipsecmb/ah_decrypt.c deleted file mode 100644 index e991671aa63..00000000000 --- a/src/plugins/ipsecmb/ah_decrypt.c +++ /dev/null @@ -1,493 +0,0 @@ -/* - * ah_decrypt.c : ipsecmb AH decrypt node - * - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <vnet/vnet.h> -#include <vnet/api_errno.h> -#include <vnet/ip/ip.h> - -#include <vnet/ipsec/ipsec.h> -#include <vnet/ipsec/esp.h> -#include <vnet/ipsec/ah.h> - -#include <ipsecmb/ipsecmb.h> - -#define foreach_ah_decrypt_next \ - _ (DROP, "error-drop") \ - _ (IP4_INPUT, "ip4-input") \ - _ (IP6_INPUT, "ip6-input") \ - _ (IPSEC_GRE_INPUT, "ipsec-gre-input") - -#define _(v, s) AH_DECRYPT_NEXT_##v, -typedef enum -{ - foreach_ah_decrypt_next -#undef _ - AH_DECRYPT_N_NEXT, -} ah_decrypt_next_t; - -#define foreach_ah_decrypt_error \ - _ (RX_PKTS, "AH pkts received") \ - _ (DECRYPTION_FAILED, "AH decryption failed") \ - _ (INTEG_ERROR, "Integrity check failed") \ - _ (REPLAY, "SA replayed packet") \ - _ (NOT_IP, "Not IP packet (dropped)") - -typedef enum -{ -#define _(sym, str) AH_DECRYPT_ERROR_##sym, - foreach_ah_decrypt_error -#undef _ - AH_DECRYPT_N_ERROR, -} ah_decrypt_error_t; - -static char *ah_decrypt_error_strings[] = { -#define _(sym, string) string, - foreach_ah_decrypt_error -#undef _ -}; - -typedef struct -{ - ipsec_integ_alg_t integ_alg; -} ah_decrypt_trace_t; - -/* packet trace format function */ -static u8 * -format_ah_decrypt_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - ah_decrypt_trace_t *t = va_arg (*args, ah_decrypt_trace_t *); - - s = format (s, "ah: integrity %U", format_ipsec_integ_alg, t->integ_alg); - return s; -} - -typedef struct -{ - u8 tos; - u8 ttl; - u32 ip_version_traffic_class_and_flow_label; - u8 hop_limit; -} ip_mutable_data_t; - -#ifdef CLIB_MARCH_VARIANT -always_inline void -remove_ah (vlib_main_t * vm, vlib_node_runtime_t * node, u32 * bi0, - u32 * next0, ipsec_sa_t * sa0, u32 ip_hdr_size, u32 icv_size, - u8 icv_padding_len, ah_header_t * ah0, int is_ip6) -{ - vlib_buffer_t *b0 = vlib_get_buffer (vm, *bi0); - - if (sa0->is_tunnel) - { /* tunnel mode */ - vlib_buffer_advance (b0, ip_hdr_size + sizeof (ah_header_t) + icv_size + - icv_padding_len); - if (ah0->nexthdr == IP_PROTOCOL_IP_IN_IP) - *next0 = AH_DECRYPT_NEXT_IP4_INPUT; - else if (ah0->nexthdr == IP_PROTOCOL_IPV6) - *next0 = AH_DECRYPT_NEXT_IP6_INPUT; - else - { - clib_warning ("next header: 0x%x", ah0->nexthdr); - vlib_node_increment_counter (vm, node->node_index, - AH_DECRYPT_ERROR_DECRYPTION_FAILED, 1); - *next0 = AH_DECRYPT_NEXT_DROP; - return; - } - } - else - { /* transport mode */ - const size_t ip_hdr_offset = - sizeof (ah_header_t) + icv_size + icv_padding_len; - if (is_ip6) - { /* ipv6 */ - ip6_header_t *ih6 = - (ip6_header_t *) ((u8 *) vlib_buffer_get_current (b0) + - ip_hdr_offset); - u8 nexthdr = ah0->nexthdr; - memmove (ih6, vlib_buffer_get_current (b0), sizeof (ip6_header_t)); - vlib_buffer_advance (b0, ip_hdr_offset); - - *next0 = AH_DECRYPT_NEXT_IP6_INPUT; - ih6->protocol = nexthdr; - ih6->payload_length = - clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0) - - sizeof (ip6_header_t)); - } - else - { /* ipv4 */ - ip4_header_t *ih4 = - (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) + - ip_hdr_offset); - u8 nexthdr = ah0->nexthdr; - memmove (ih4, vlib_buffer_get_current (b0), sizeof (ip4_header_t)); - vlib_buffer_advance (b0, ip_hdr_offset); - - *next0 = AH_DECRYPT_NEXT_IP4_INPUT; - ih4->ip_version_and_header_length = 0x45; - ih4->fragment_id = 0; - ih4->flags_and_fragment_offset = 0; - ih4->protocol = nexthdr; - ih4->length = - clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0)); - ih4->checksum = ip4_header_checksum (ih4); - } - } - - /* for IPSec-GRE tunnel next node is ipsec-gre-input */ - if (PREDICT_FALSE - ((vnet_buffer (b0)->ipsec.flags & IPSEC_FLAG_IPSEC_GRE_TUNNEL))) - { - *next0 = AH_DECRYPT_NEXT_IPSEC_GRE_INPUT; - } -} - -always_inline void -ah_finish_decrypt (vlib_main_t * vm, vlib_node_runtime_t * node, - JOB_AES_HMAC * job, u32 * bi0, u32 * next0, int is_ip6) -{ - ipsec_main_t *im = &ipsec_main; - *bi0 = (uintptr_t) job->user_data; - vlib_buffer_t *b0 = vlib_get_buffer (vm, *bi0); - ipsec_sa_t *sa0 = - pool_elt_at_index (im->sad, vnet_buffer (b0)->ipsec.sad_index); - ipsec_proto_main_t *em = &ipsec_proto_main; - u32 icv_size = em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size; - u32 ip_hdr_size = 0; - ip4_header_t *ih4 = vlib_buffer_get_current (b0); - size_t seq_size = 0; - if (PREDICT_TRUE (sa0->use_esn)) - { - seq_size = sizeof (u32); - } - ip_mutable_data_t *md = - (ip_mutable_data_t *) ((u8 *) vlib_buffer_get_current (b0) + - b0->current_length + seq_size + icv_size); - if (is_ip6) - { - ip_hdr_size = sizeof (ip6_header_t); - ip6_header_t *ih6 = vlib_buffer_get_current (b0); - ih6->ip_version_traffic_class_and_flow_label = - md->ip_version_traffic_class_and_flow_label; - ih6->hop_limit = md->hop_limit; - } - else - { - ip_hdr_size = ip4_header_bytes (ih4); - ih4->ttl = md->ttl; - ih4->tos = md->tos; - } - - u8 icv_padding_len = ah_calc_icv_padding_len (icv_size, is_ip6); - ah_header_t *ah0 = - (ah_header_t *) ((u8 *) vlib_buffer_get_current (b0) + ip_hdr_size); - void *digest = ah0 + 1; - void *sig = vlib_buffer_get_current (b0) + b0->current_length + seq_size; - - if (PREDICT_FALSE (memcmp (digest, sig, icv_size))) - { - vlib_node_increment_counter (vm, node->node_index, - AH_DECRYPT_ERROR_INTEG_ERROR, 1); - *next0 = AH_DECRYPT_NEXT_DROP; - return; - } - - if (PREDICT_TRUE (sa0->use_anti_replay)) - { - if (PREDICT_TRUE (sa0->use_esn)) - esp_replay_advance_esn (sa0, clib_host_to_net_u32 (ah0->seq_no)); - else - esp_replay_advance (sa0, clib_host_to_net_u32 (ah0->seq_no)); - } - remove_ah (vm, node, bi0, next0, sa0, ip_hdr_size, icv_size, - icv_padding_len, ah0, is_ip6); - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; -} - -always_inline uword -ah_decrypt_ipsecmb_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame, int is_ip6) -{ - u32 n_left_from, *from, next_index, *to_next; - ipsec_main_t *im = &ipsec_main; - ipsecmb_main_t *imbm = &ipsecmb_main; - ipsec_proto_main_t *em = &ipsec_proto_main; - from = vlib_frame_vector_args (from_frame); - n_left_from = from_frame->n_vectors; - int icv_size = 0; - u32 thread_index = vlib_get_thread_index (); - MB_MGR *mgr = imbm->mb_mgr[thread_index]; - u32 packets_in_flight = 0; - - next_index = node->cached_next_index; - - while (n_left_from > 0 || packets_in_flight > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0; - u32 next0; - vlib_buffer_t *b0; - ah_header_t *ah0; - ipsec_sa_t *sa0; - ipsecmb_sa_t *samb0; - u32 sa_index0 = ~0; - u32 seq; - ip4_header_t *ih4 = 0; - ip6_header_t *ih6 = 0; - u8 ip_hdr_size = 0; - - bi0 = from[0]; - from += 1; - n_left_from -= 1; - - next0 = AH_DECRYPT_NEXT_DROP; - - b0 = vlib_get_buffer (vm, bi0); - ih4 = vlib_buffer_get_current (b0); - ih6 = vlib_buffer_get_current (b0); - - sa_index0 = vnet_buffer (b0)->ipsec.sad_index; - sa0 = pool_elt_at_index (im->sad, sa_index0); - samb0 = pool_elt_at_index (imbm->sad, sa_index0); - - if (is_ip6) - { - ip6_ext_header_t *prev = NULL; - ip6_ext_header_find_t (ih6, prev, ah0, IP_PROTOCOL_IPSEC_AH); - ip_hdr_size = sizeof (ip6_header_t); - ASSERT ((u8 *) ah0 - (u8 *) ih6 == ip_hdr_size); - } - else - { - ip_hdr_size = ip4_header_bytes (ih4); - ah0 = (ah_header_t *) (ih4 + 1); - } - - seq = clib_host_to_net_u32 (ah0->seq_no); - /* anti-replay check */ - // TODO UT remaining - if (sa0->use_anti_replay) - { - int rv = 0; - - if (PREDICT_TRUE (sa0->use_esn)) - rv = esp_replay_check_esn (sa0, seq); - else - rv = esp_replay_check (sa0, seq); - - if (PREDICT_FALSE (rv)) - { - clib_warning ("anti-replay SPI %u seq %u", sa0->spi, seq); - vlib_node_increment_counter (vm, node->node_index, - AH_DECRYPT_ERROR_REPLAY, 1); - goto trace; - } - } - - sa0->total_data_size += b0->current_length; - icv_size = - em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size; - if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE)) - { - u8 *icv = (u8 *) vlib_buffer_get_current (b0) + ip_hdr_size + - sizeof (ah_header_t); - size_t seq_size = 0; - if (PREDICT_TRUE (sa0->use_esn)) - { - *(u32 *) (vlib_buffer_get_current (b0) + - b0->current_length) = sa0->seq_hi; - seq_size = sizeof (u32); - } - clib_memcpy (vlib_buffer_get_current (b0) + b0->current_length + - seq_size, icv, icv_size); - memset (icv, 0, icv_size); - - ip_mutable_data_t *md = - (ip_mutable_data_t *) ((u8 *) vlib_buffer_get_current (b0) + - b0->current_length + seq_size + - icv_size); - if (is_ip6) - { - md->ip_version_traffic_class_and_flow_label = - ih6->ip_version_traffic_class_and_flow_label; - md->hop_limit = ih6->hop_limit; - ih6->ip_version_traffic_class_and_flow_label = 0x60; - ih6->hop_limit = 0; - } - else - { - md->tos = ih4->tos; - md->ttl = ih4->ttl; - ih4->tos = 0; - ih4->ttl = 0; - ih4->checksum = 0; - ih4->flags_and_fragment_offset = 0; - } - - JOB_AES_HMAC *job = IPSECMB_FUNC (get_next_job) (mgr); - job->src = vlib_buffer_get_current (b0); - job->hash_start_src_offset_in_bytes = 0; - job->cipher_mode = NULL_CIPHER; - job->hash_alg = imbm->integ_algs[sa0->integ_alg].hash_alg; - job->auth_tag_output_len_in_bytes = - imbm->integ_algs[sa0->integ_alg].hash_output_length; - job->auth_tag_output = icv; - job->msg_len_to_hash_in_bytes = b0->current_length + seq_size; - job->cipher_direction = DECRYPT; - job->chain_order = HASH_CIPHER; - job->u.HMAC._hashed_auth_key_xor_ipad = samb0->ipad_hash; - job->u.HMAC._hashed_auth_key_xor_opad = samb0->opad_hash; - - job->user_data = (void *) (uintptr_t) bi0; - job->user_data2 = (void *) (uintptr_t) next0; - vnet_buffer (b0)->ipsec.sad_index = sa_index0; - job = IPSECMB_FUNC (submit_job) (mgr); - ++packets_in_flight; - - if (!job) - { - continue; - } - --packets_in_flight; - ASSERT (STS_COMPLETED == job->status); - ah_finish_decrypt (vm, node, job, &bi0, &next0, is_ip6); - } - else - { - remove_ah (vm, node, &bi0, &next0, sa0, ip_hdr_size, icv_size, - 0, ah0, is_ip6); - } - trace: - to_next[0] = bi0; - to_next += 1; - n_left_to_next -= 1; - if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) - { - b0->flags |= VLIB_BUFFER_IS_TRACED; - ah_decrypt_trace_t *tr = - vlib_add_trace (vm, node, b0, sizeof (*tr)); - tr->integ_alg = sa0->integ_alg; - } - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, - n_left_to_next, bi0, next0); - } - - if (0 == n_left_from) - { - JOB_AES_HMAC *job = NULL; - while (n_left_to_next > 0 && (job = IPSECMB_FUNC (flush_job) (mgr))) - { - --packets_in_flight; - ASSERT (STS_COMPLETED == job->status); - u32 bi0, next0; - ah_finish_decrypt (vm, node, job, &bi0, &next0, is_ip6); - to_next[0] = bi0; - to_next += 1; - n_left_to_next -= 1; - vlib_buffer_t *b0 = vlib_get_buffer (vm, bi0); - if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) - { - ipsec_sa_t *sa0 = pool_elt_at_index (im->sad, - vnet_buffer - (b0)->ipsec.sad_index); - b0->flags |= VLIB_BUFFER_IS_TRACED; - ah_decrypt_trace_t *tr = - vlib_add_trace (vm, node, b0, sizeof (*tr)); - tr->integ_alg = sa0->integ_alg; - } - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, - n_left_to_next, bi0, next0); - } - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - vlib_node_increment_counter (vm, node->node_index, AH_DECRYPT_ERROR_RX_PKTS, - from_frame->n_vectors); - - return from_frame->n_vectors; -} - -VLIB_NODE_FN (ah4_decrypt_ipsecmb_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) -{ - return ah_decrypt_ipsecmb_inline (vm, node, from_frame, 0 /*is_ip6 */ ); -} - -VLIB_NODE_FN (ah6_decrypt_ipsecmb_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) -{ - return ah_decrypt_ipsecmb_inline (vm, node, from_frame, 1 /*is_ip6 */ ); -} -#endif - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (ah4_decrypt_ipsecmb_node) = { - .name = "ah4-decrypt-ipsecmb", - .vector_size = sizeof (u32), - .format_trace = format_ah_decrypt_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN (ah_decrypt_error_strings), - .error_strings = ah_decrypt_error_strings, - - .n_next_nodes = AH_DECRYPT_N_NEXT, - .next_nodes = - { -#define _(s, n) [AH_DECRYPT_NEXT_##s] = n, - foreach_ah_decrypt_next -#undef _ - }, -}; -/* *INDENT-ON* */ - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (ah6_decrypt_ipsecmb_node) = { - .name = "ah6-decrypt-ipsecmb", - .vector_size = sizeof (u32), - .format_trace = format_ah_decrypt_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN (ah_decrypt_error_strings), - .error_strings = ah_decrypt_error_strings, - - .n_next_nodes = AH_DECRYPT_N_NEXT, - .next_nodes = - { -#define _(s, n) [AH_DECRYPT_NEXT_##s] = n, - foreach_ah_decrypt_next -#undef _ - }, -}; -/* *INDENT-ON* */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/plugins/ipsecmb/ah_encrypt.c b/src/plugins/ipsecmb/ah_encrypt.c deleted file mode 100644 index 927deae188f..00000000000 --- a/src/plugins/ipsecmb/ah_encrypt.c +++ /dev/null @@ -1,466 +0,0 @@ -/* - * ah_encrypt.c : ipsecmb AH encrypt node - * - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <vnet/vnet.h> -#include <vnet/api_errno.h> -#include <vnet/ip/ip.h> - -#include <vnet/ipsec/ipsec.h> -#include <vnet/ipsec/esp.h> -#include <vnet/ipsec/ah.h> - -#include <ipsecmb/ipsecmb.h> - -#define foreach_ah_encrypt_next \ -_(DROP, "error-drop") \ -_(IP4_LOOKUP, "ip4-lookup") \ -_(IP6_LOOKUP, "ip6-lookup") \ -_(INTERFACE_OUTPUT, "interface-output") - -#define _(v, s) AH_ENCRYPT_NEXT_##v, -typedef enum -{ - foreach_ah_encrypt_next -#undef _ - AH_ENCRYPT_N_NEXT, -} ah_encrypt_next_t; - -#define foreach_ah_encrypt_error \ - _(RX_PKTS, "AH pkts received") \ - _(SEQ_CYCLED, "sequence number cycled") - - -typedef enum -{ -#define _(sym,str) AH_ENCRYPT_ERROR_##sym, - foreach_ah_encrypt_error -#undef _ - AH_ENCRYPT_N_ERROR, -} ah_encrypt_error_t; - -static char *ah_encrypt_error_strings[] = { -#define _(sym,string) string, - foreach_ah_encrypt_error -#undef _ -}; - -typedef struct -{ - u32 spi; - u32 seq; - ipsec_integ_alg_t integ_alg; -} ah_encrypt_trace_t; - -/* packet trace format function */ -static u8 * -format_ah_encrypt_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - ah_encrypt_trace_t *t = va_arg (*args, ah_encrypt_trace_t *); - - s = format (s, "ah: spi %u seq %u integrity %U", - t->spi, t->seq, format_ipsec_integ_alg, t->integ_alg); - return s; -} - -#ifdef CLIB_MARCH_VARIANT -always_inline void -ah_finish_encrypt (vlib_main_t * vm, vlib_buffer_t * b0, ipsec_sa_t * sa0, - int is_ip6) -{ - if (is_ip6) - { - ip6_header_t *oh6 = 0; - oh6 = vlib_buffer_get_current (b0); - oh6->ip_version_traffic_class_and_flow_label = - vnet_buffer (b0)->ipsec.ip_version_traffic_class_and_flow_label; - oh6->hop_limit = vnet_buffer (b0)->ipsec.ttl_or_hop_limit; - } - else - { - ip4_header_t *oh4 = 0; - oh4 = vlib_buffer_get_current (b0); - oh4->ttl = vnet_buffer (b0)->ipsec.ttl_or_hop_limit; - oh4->tos = vnet_buffer (b0)->ipsec.tos; - oh4->checksum = ip4_header_checksum (oh4); - } -} - -always_inline uword -ah_encrypt_ipsecmb_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame, int is_ip6) -{ - u32 n_left_from, *from, *to_next = 0, next_index; - int icv_size = 0; - from = vlib_frame_vector_args (from_frame); - n_left_from = from_frame->n_vectors; - ipsec_main_t *im = &ipsec_main; - ipsecmb_main_t *imbm = &ipsecmb_main; - ipsec_proto_main_t *em = &ipsec_proto_main; - next_index = node->cached_next_index; - u32 thread_index = vlib_get_thread_index (); - MB_MGR *mgr = imbm->mb_mgr[thread_index]; - u32 packets_in_flight = 0; - - while (n_left_from > 0 || packets_in_flight > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0, next0; - vlib_buffer_t *b0 = 0; - u32 sa_index0; - ipsec_sa_t *sa0; - ipsecmb_sa_t *samb0; - ip4_header_t *ih4, *oh4 = 0; - ip6_header_t *ih6, *oh6 = 0; - ah_header_t *ah = 0; - u8 next_hdr_type; - u8 transport_mode = 0; - - bi0 = from[0]; - from += 1; - n_left_from -= 1; - - next0 = AH_ENCRYPT_NEXT_DROP; - - b0 = vlib_get_buffer (vm, bi0); - sa_index0 = vnet_buffer (b0)->ipsec.sad_index; - sa0 = pool_elt_at_index (im->sad, sa_index0); - samb0 = pool_elt_at_index (imbm->sad, sa_index0); - - if (PREDICT_FALSE (esp_seq_advance (sa0))) - { - clib_warning ("sequence number counter has cycled SPI %u", - sa0->spi); - vlib_node_increment_counter (vm, node->node_index, - AH_ENCRYPT_ERROR_SEQ_CYCLED, 1); - to_next[0] = bi0; - to_next += 1; - goto trace; - } - - - sa0->total_data_size += b0->current_length; - - ssize_t adv; - ih4 = vlib_buffer_get_current (b0); - - if (PREDICT_TRUE (sa0->is_tunnel)) - { - if (!is_ip6) - adv = -sizeof (ip4_and_ah_header_t); - else - adv = -sizeof (ip6_and_ah_header_t); - } - else - { - adv = -sizeof (ah_header_t); - } - - const u8 padding_len = ah_calc_icv_padding_len (icv_size, is_ip6); - adv -= padding_len; - - icv_size = - em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size; - /* transport mode save the eth header before it is overwritten */ - if (PREDICT_FALSE (!sa0->is_tunnel)) - { - ethernet_header_t *ieh0 = (ethernet_header_t *) - ((u8 *) vlib_buffer_get_current (b0) - - sizeof (ethernet_header_t)); - ethernet_header_t *oeh0 = - (ethernet_header_t *) ((u8 *) ieh0 + (adv - icv_size)); - clib_memcpy (oeh0, ieh0, sizeof (ethernet_header_t)); - } - - vlib_buffer_advance (b0, adv - icv_size); - - if (is_ip6) - { - ih6 = (ip6_header_t *) ih4; - oh6 = vlib_buffer_get_current (b0); - ah = (ah_header_t *) (oh6 + 1); - vnet_buffer (b0)->ipsec.ttl_or_hop_limit = ih6->hop_limit; - vnet_buffer (b0)-> - ipsec.ip_version_traffic_class_and_flow_label = - ih6->ip_version_traffic_class_and_flow_label; - - if (PREDICT_TRUE (sa0->is_tunnel)) - { - next_hdr_type = IP_PROTOCOL_IPV6; - } - else - { - next_hdr_type = ih6->protocol; - memmove (oh6, ih6, sizeof (ip6_header_t)); - } - - oh6->protocol = IP_PROTOCOL_IPSEC_AH; - oh6->ip_version_traffic_class_and_flow_label = 0x60; - oh6->hop_limit = 0; - ah->reserved = 0; - ah->nexthdr = next_hdr_type; - ah->spi = clib_net_to_host_u32 (sa0->spi); - ah->seq_no = clib_net_to_host_u32 (sa0->seq); - ah->hdrlen = - (sizeof (ah_header_t) + icv_size + padding_len) / 4 - 2; - oh6->payload_length = - clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0) - - sizeof (ip6_header_t)); - } - else - { - oh4 = vlib_buffer_get_current (b0); - memset (oh4, 0, sizeof (*oh4)); - ah = (ah_header_t *) (oh4 + 1); - memset (ah, 0, sizeof (*ah)); - vnet_buffer (b0)->ipsec.ttl_or_hop_limit = ih4->ttl; - vnet_buffer (b0)->ipsec.tos = ih4->tos; - - if (PREDICT_TRUE (sa0->is_tunnel)) - { - next_hdr_type = IP_PROTOCOL_IP_IN_IP; - } - else - { - next_hdr_type = ih4->protocol; - memmove (oh4, ih4, sizeof (ip4_header_t)); - } - - oh4->length = - clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0)); - oh4->ip_version_and_header_length = 0x45; - oh4->fragment_id = 0; - oh4->flags_and_fragment_offset = 0; - oh4->ttl = 0; - oh4->tos = 0; - oh4->protocol = IP_PROTOCOL_IPSEC_AH; - ah->spi = clib_net_to_host_u32 (sa0->spi); - ah->seq_no = clib_net_to_host_u32 (sa0->seq); - oh4->checksum = 0; - ah->nexthdr = next_hdr_type; - ah->hdrlen = - (sizeof (ah_header_t) + icv_size + padding_len) / 4 - 2; - } - - if (PREDICT_TRUE (!is_ip6 && sa0->is_tunnel && !sa0->is_tunnel_ip6)) - { - oh4->src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32; - oh4->dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32; - - next0 = AH_ENCRYPT_NEXT_IP4_LOOKUP; - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - } - else if (is_ip6 && sa0->is_tunnel && sa0->is_tunnel_ip6) - { - oh6->src_address.as_u64[0] = sa0->tunnel_src_addr.ip6.as_u64[0]; - oh6->src_address.as_u64[1] = sa0->tunnel_src_addr.ip6.as_u64[1]; - oh6->dst_address.as_u64[0] = sa0->tunnel_dst_addr.ip6.as_u64[0]; - oh6->dst_address.as_u64[1] = sa0->tunnel_dst_addr.ip6.as_u64[1]; - next0 = AH_ENCRYPT_NEXT_IP6_LOOKUP; - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - } - else - { - transport_mode = 1; - } - - memset (ah + 1, 0, icv_size); - - JOB_AES_HMAC *job = IPSECMB_FUNC (get_next_job) (mgr); - job->src = vlib_buffer_get_current (b0); - job->hash_start_src_offset_in_bytes = 0; - job->cipher_mode = NULL_CIPHER; - job->hash_alg = imbm->integ_algs[sa0->integ_alg].hash_alg; - job->auth_tag_output_len_in_bytes = - imbm->integ_algs[sa0->integ_alg].hash_output_length; - job->auth_tag_output = (u8 *) (ah + 1); - if (PREDICT_TRUE (sa0->use_esn)) - { - *(u32 *) (vlib_buffer_get_current (b0) + b0->current_length) = - sa0->seq_hi; - b0->current_length += sizeof (u32); - } - job->msg_len_to_hash_in_bytes = b0->current_length; - job->cipher_direction = ENCRYPT; - job->chain_order = HASH_CIPHER; - job->u.HMAC._hashed_auth_key_xor_ipad = samb0->ipad_hash; - job->u.HMAC._hashed_auth_key_xor_opad = samb0->opad_hash; - - - job->user_data = (void *) (uintptr_t) bi0; - job->user_data2 = (void *) (uintptr_t) next0; - vnet_buffer (b0)->ipsec.sad_index = sa_index0; - - job = IPSECMB_FUNC (submit_job) (mgr); - ++packets_in_flight; - - if (!job) - { - continue; - } - - --packets_in_flight; - ASSERT (STS_COMPLETED == job->status); - bi0 = (uintptr_t) job->user_data; - next0 = (uintptr_t) job->user_data2; - b0 = vlib_get_buffer (vm, bi0); - sa0 = - pool_elt_at_index (im->sad, vnet_buffer (b0)->ipsec.sad_index); - ah_finish_encrypt (vm, b0, sa0, is_ip6); - if (!sa0->is_tunnel && !sa0->is_tunnel_ip6) - { - next0 = AH_ENCRYPT_NEXT_INTERFACE_OUTPUT; - vlib_buffer_advance (b0, -sizeof (ethernet_header_t)); - } - - to_next[0] = bi0; - to_next += 1; - n_left_to_next -= 1; - - trace: - if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) - { - ah_encrypt_trace_t *tr = - vlib_add_trace (vm, node, b0, sizeof (*tr)); - tr->spi = sa0->spi; - tr->seq = sa0->seq - 1; - tr->integ_alg = sa0->integ_alg; - } - - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, bi0, - next0); - } - - if (PREDICT_FALSE (n_left_from == 0)) - { - JOB_AES_HMAC *job = NULL; - while (n_left_to_next > 0 && (job = IPSECMB_FUNC (flush_job) (mgr))) - { - --packets_in_flight; - u32 bi0, next0; - vlib_buffer_t *b0; - ipsec_sa_t *sa0; - - ASSERT (STS_COMPLETED == job->status); - bi0 = (uintptr_t) job->user_data; - next0 = (uintptr_t) job->user_data2; - b0 = vlib_get_buffer (vm, bi0); - sa0 = - pool_elt_at_index (im->sad, - vnet_buffer (b0)->ipsec.sad_index); - ah_finish_encrypt (vm, b0, sa0, is_ip6); - if (!sa0->is_tunnel && !sa0->is_tunnel_ip6) - { - next0 = AH_ENCRYPT_NEXT_INTERFACE_OUTPUT; - vlib_buffer_advance (b0, -sizeof (ethernet_header_t)); - } - - to_next[0] = bi0; - to_next += 1; - n_left_to_next -= 1; - - if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) - { - ah_encrypt_trace_t *tr = - vlib_add_trace (vm, node, b0, sizeof (*tr)); - tr->spi = sa0->spi; - tr->seq = sa0->seq - 1; - tr->integ_alg = sa0->integ_alg; - } - - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, bi0, - next0); - } - } - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - vlib_node_increment_counter (vm, node->node_index, AH_ENCRYPT_ERROR_RX_PKTS, - from_frame->n_vectors); - - return from_frame->n_vectors; -} - -VLIB_NODE_FN (ah4_encrypt_ipsecmb_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) -{ - return ah_encrypt_ipsecmb_inline (vm, node, from_frame, 0 /*is_ip6 */ ); -} - -VLIB_NODE_FN (ah6_encrypt_ipsecmb_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) -{ - return ah_encrypt_ipsecmb_inline (vm, node, from_frame, 1 /*is_ip6 */ ); -} - -#endif - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (ah4_encrypt_ipsecmb_node) = { - .name = "ah4-encrypt-ipsecmb", - .vector_size = sizeof (u32), - .format_trace = format_ah_encrypt_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(ah_encrypt_error_strings), - .error_strings = ah_encrypt_error_strings, - - .n_next_nodes = AH_ENCRYPT_N_NEXT, - .next_nodes = { -#define _(s,n) [AH_ENCRYPT_NEXT_##s] = n, - foreach_ah_encrypt_next -#undef _ - }, -}; -/* *INDENT-ON* */ - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (ah6_encrypt_ipsecmb_node) = { - .name = "ah6-encrypt-ipsecmb", - .vector_size = sizeof (u32), - .format_trace = format_ah_encrypt_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(ah_encrypt_error_strings), - .error_strings = ah_encrypt_error_strings, - - .n_next_nodes = AH_ENCRYPT_N_NEXT, - .next_nodes = { -#define _(s,n) [AH_ENCRYPT_NEXT_##s] = n, - foreach_ah_encrypt_next -#undef _ - }, -}; -/* *INDENT-ON* */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/plugins/ipsecmb/esp_decrypt.c b/src/plugins/ipsecmb/esp_decrypt.c deleted file mode 100644 index 835f41eb35d..00000000000 --- a/src/plugins/ipsecmb/esp_decrypt.c +++ /dev/null @@ -1,471 +0,0 @@ -/* - * esp_decrypt.c : ipsecmb ESP decrypt node - * - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <vnet/vnet.h> -#include <vnet/api_errno.h> -#include <vnet/ip/ip.h> - -#include <vnet/ipsec/ipsec.h> -#include <vnet/ipsec/esp.h> -#include <ipsecmb/ipsecmb.h> - -#define foreach_esp_decrypt_next \ -_(DROP, "error-drop") \ -_(IP4_INPUT, "ip4-input") \ -_(IP6_INPUT, "ip6-input") \ -_(IPSEC_GRE_INPUT, "ipsec-gre-input") - -#define _(v, s) ESP_DECRYPT_NEXT_##v, -typedef enum -{ - foreach_esp_decrypt_next -#undef _ - ESP_DECRYPT_N_NEXT, -} esp_decrypt_next_t; - - -#define foreach_esp_decrypt_error \ - _(RX_PKTS, "ESP pkts received") \ - _(NO_BUFFER, "No buffer (packed dropped)") \ - _(DECRYPTION_FAILED, "ESP decryption failed") \ - _(INTEG_ERROR, "Integrity check failed") \ - _(REPLAY, "SA replayed packet") \ - _(NOT_IP, "Not IP packet (dropped)") - -typedef enum -{ -#define _(sym,str) ESP_DECRYPT_ERROR_##sym, - foreach_esp_decrypt_error -#undef _ - ESP_DECRYPT_N_ERROR, -} esp_decrypt_error_t; - -static char *esp_decrypt_error_strings[] = { -#define _(sym,string) string, - foreach_esp_decrypt_error -#undef _ -}; - -typedef struct -{ - ipsec_crypto_alg_t crypto_alg; - ipsec_integ_alg_t integ_alg; -} esp_decrypt_trace_t; - -/* packet trace format function */ -static u8 * -format_esp_decrypt_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - esp_decrypt_trace_t *t = va_arg (*args, esp_decrypt_trace_t *); - - s = format (s, "esp: crypto %U integrity %U", - format_ipsec_crypto_alg, t->crypto_alg, - format_ipsec_integ_alg, t->integ_alg); - return s; -} - -#ifdef CLIB_MARCH_VARIANT -always_inline void -esp_finish_decrypt (vlib_main_t * vm, vlib_node_runtime_t * node, - JOB_AES_HMAC * job, u32 * next0, ipsec_sa_t * sa0, - int is_ip6) -{ - u32 bi0 = (uintptr_t) job->user_data; - vlib_buffer_t *b0 = vlib_get_buffer (vm, bi0); - esp_footer_t *f0; - ip4_header_t *ih4 = vlib_buffer_get_current (b0); - ip6_header_t *ih6 = vlib_buffer_get_current (b0); - - if (NULL_HASH != job->hash_alg) - { - if (0 != - memcmp (job->auth_tag_output, - job->auth_tag_output - job->auth_tag_output_len_in_bytes, - job->auth_tag_output_len_in_bytes)) - { - vlib_node_increment_counter (vm, node->node_index, - ESP_DECRYPT_ERROR_INTEG_ERROR, 1); - *next0 = ESP_DECRYPT_NEXT_DROP; - return; - } - } - - f0 = (esp_footer_t *) ((u8 *) vlib_buffer_get_current (b0) + - b0->current_length); - b0->current_length -= f0->pad_length; - - /* tunnel mode */ - if (sa0->is_tunnel) - { - if (f0->next_header == IP_PROTOCOL_IP_IN_IP) - { - *next0 = ESP_DECRYPT_NEXT_IP4_INPUT; - } - else if (f0->next_header == IP_PROTOCOL_IPV6) - { - *next0 = ESP_DECRYPT_NEXT_IP6_INPUT; - } - else - { - vlib_node_increment_counter (vm, node->node_index, - ESP_DECRYPT_ERROR_DECRYPTION_FAILED, - 1); - *next0 = ESP_DECRYPT_NEXT_DROP; - return; - } - } - /* transport mode */ - else - { - if (is_ip6) - { - *next0 = ESP_DECRYPT_NEXT_IP6_INPUT; - ih6->protocol = f0->next_header; - ih6->payload_length = - clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0) - - sizeof (ip6_header_t)); - } - else - { - *next0 = ESP_DECRYPT_NEXT_IP4_INPUT; - ih4->fragment_id = 0; - ih4->flags_and_fragment_offset = 0; - ih4->protocol = f0->next_header; - ih4->length = - clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0)); - ih4->checksum = ip4_header_checksum (ih4); - } - } - - /* for IPSec-GRE tunnel next node is ipsec-gre-input */ - if ((vnet_buffer (b0)->ipsec.flags & IPSEC_FLAG_IPSEC_GRE_TUNNEL)) - { - *next0 = ESP_DECRYPT_NEXT_IPSEC_GRE_INPUT; - } - - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - if (sa0->use_anti_replay) - { - if (sa0->use_esn) - esp_replay_advance_esn (sa0, vnet_buffer (b0)->ipsec.seq); - else - esp_replay_advance (sa0, vnet_buffer (b0)->ipsec.seq); - } -} - -always_inline uword -esp_decrypt_ipsecmb_inline (vlib_main_t * vm, vlib_node_runtime_t * node, - vlib_frame_t * from_frame, int is_ip6) -{ - u32 n_left_from, *from, next_index, *to_next; - u32 packets_in_flight = 0; - ipsec_main_t *im = &ipsec_main; - ipsecmb_main_t *imbm = &ipsecmb_main; - ipsec_proto_main_t *em = &ipsec_proto_main; - from = vlib_frame_vector_args (from_frame); - n_left_from = from_frame->n_vectors; - u32 thread_index = vlib_get_thread_index (); - MB_MGR *mgr = imbm->mb_mgr[thread_index]; - u32 *to_be_freed = NULL; - - next_index = node->cached_next_index; - - while (n_left_from > 0 || packets_in_flight > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0, next0; - vlib_buffer_t *b0; - esp_header_t *esp0; - ipsec_sa_t *sa0; - ipsecmb_sa_t *samb0; - u32 sa_index0 = ~0; - u32 seq; - - bi0 = from[0]; - from += 1; - n_left_from -= 1; - - next0 = ESP_DECRYPT_NEXT_DROP; - - b0 = vlib_get_buffer (vm, bi0); - esp0 = vlib_buffer_get_current (b0); - - sa_index0 = vnet_buffer (b0)->ipsec.sad_index; - sa0 = pool_elt_at_index (im->sad, sa_index0); - samb0 = pool_elt_at_index (imbm->sad, sa_index0); - - vnet_buffer (b0)->ipsec.seq = seq = - clib_host_to_net_u32 (esp0->seq); - - /* anti-replay check */ - if (sa0->use_anti_replay) - { - int rv = 0; - - if (sa0->use_esn) - rv = esp_replay_check_esn (sa0, seq); - else - rv = esp_replay_check (sa0, seq); - - if (PREDICT_FALSE (rv)) - { - vlib_node_increment_counter (vm, node->node_index, - ESP_DECRYPT_ERROR_REPLAY, 1); - goto trace; - } - } - - sa0->total_data_size += b0->current_length; - - if (PREDICT_FALSE (b0->n_add_refs > 0)) - { - vec_add1 (to_be_freed, bi0); - b0 = vlib_buffer_copy (vm, b0); - bi0 = vlib_get_buffer_index (vm, b0); - } - - JOB_AES_HMAC *job = IPSECMB_FUNC (get_next_job) (mgr); - int trunc_size = 0; - if (sa0->integ_alg != IPSEC_INTEG_ALG_NONE) - { - trunc_size = - em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size; - // put calculated auth tag after in-packet auth tag - job->auth_tag_output = - vlib_buffer_get_current (b0) + b0->current_length; - b0->current_length -= trunc_size; - job->msg_len_to_hash_in_bytes = b0->current_length; - job->auth_tag_output_len_in_bytes = trunc_size; - job->u.HMAC._hashed_auth_key_xor_ipad = samb0->ipad_hash; - job->u.HMAC._hashed_auth_key_xor_opad = samb0->opad_hash; - } - - job->hash_alg = imbm->integ_algs[sa0->integ_alg].hash_alg; - u8 ip_hdr_size = 0; - - if ((sa0->crypto_alg >= IPSEC_CRYPTO_ALG_AES_CBC_128 && - sa0->crypto_alg <= IPSEC_CRYPTO_ALG_AES_CBC_256) || - (sa0->crypto_alg >= IPSEC_CRYPTO_ALG_DES_CBC && - sa0->crypto_alg <= IPSEC_CRYPTO_ALG_3DES_CBC)) - { - const int block_size = - em->ipsec_proto_main_crypto_algs[sa0->crypto_alg].block_size; - const int iv_size = - em->ipsec_proto_main_crypto_algs[sa0->crypto_alg].iv_size; - - int blocks = - (b0->current_length - sizeof (esp_header_t) - - iv_size) / block_size; - if (b0->current_length - sizeof (esp_header_t) - iv_size < - block_size || blocks <= 0) - { - vlib_node_increment_counter (vm, node->node_index, - ESP_DECRYPT_ERROR_INTEG_ERROR, - 1); - goto trace; - } - - /* transport mode */ - if (!sa0->is_tunnel) - { - if (b0->flags & VNET_BUFFER_F_L3_HDR_OFFSET_VALID) - { - if (is_ip6) - { - ip_hdr_size = sizeof (ip6_header_t); - } - else - { - ip_hdr_size = sizeof (ip4_header_t); - } - } - else - { - vlib_node_increment_counter (vm, node->node_index, - ESP_DECRYPT_ERROR_NOT_IP, - 1); - goto trace; - } - } - - job->chain_order = HASH_CIPHER; - job->cipher_direction = DECRYPT; - job->src = (u8 *) esp0; - job->dst = (u8 *) esp0; - vlib_buffer_advance (b0, -ip_hdr_size); - job->cipher_mode = - imbm->crypto_algs[sa0->crypto_alg].cipher_mode; - job->aes_enc_key_expanded = samb0->aes_enc_key_expanded; - job->aes_dec_key_expanded = samb0->aes_dec_key_expanded; - job->aes_key_len_in_bytes = sa0->crypto_key_len; - job->iv = esp0->data; - job->iv_len_in_bytes = iv_size; - job->msg_len_to_cipher_in_bytes = blocks * block_size; - job->cipher_start_src_offset_in_bytes = - sizeof (esp_header_t) + iv_size; - job->hash_start_src_offset_in_bytes = 0; - - job->user_data = (void *) (uintptr_t) bi0; - job->user_data2 = sa0; - b0->current_length = - (blocks * block_size) - sizeof (esp_footer_t) + ip_hdr_size; - ASSERT ((u8 *) vlib_buffer_get_current (b0) + - b0->current_length < job->auth_tag_output); - b0->flags |= VLIB_BUFFER_TOTAL_LENGTH_VALID; - - job = IPSECMB_FUNC (submit_job) (mgr); - ++packets_in_flight; - - if (!job) - { - continue; - } - - --packets_in_flight; - - sa0 = job->user_data2; - bi0 = (uintptr_t) job->user_data; - b0 = vlib_get_buffer (vm, bi0); - esp_finish_decrypt (vm, node, job, &next0, sa0, is_ip6); - - trace: - to_next[0] = bi0; - to_next += 1; - n_left_to_next -= 1; - - if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) - { - esp_decrypt_trace_t *tr = - vlib_add_trace (vm, node, b0, sizeof (*tr)); - tr->crypto_alg = sa0->crypto_alg; - tr->integ_alg = sa0->integ_alg; - } - - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, - n_left_to_next, bi0, next0); - } - } - - if (PREDICT_FALSE (n_left_from == 0 && packets_in_flight > 0)) - { - JOB_AES_HMAC *job = NULL; - while (n_left_to_next > 0 && (job = IPSECMB_FUNC (flush_job) (mgr))) - { - --packets_in_flight; - u32 bi0, next0; - bi0 = (uintptr_t) job->user_data; - vlib_buffer_t *i_b0 = vlib_get_buffer (vm, bi0); - - ipsec_sa_t *sa0 = job->user_data2; - esp_finish_decrypt (vm, node, job, &next0, sa0, is_ip6); - - to_next[0] = bi0; - to_next += 1; - n_left_to_next -= 1; - - if (PREDICT_FALSE (i_b0->flags & VLIB_BUFFER_IS_TRACED)) - { - esp_decrypt_trace_t *tr = - vlib_add_trace (vm, node, i_b0, sizeof (*tr)); - tr->crypto_alg = sa0->crypto_alg; - tr->integ_alg = sa0->integ_alg; - } - - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, - n_left_to_next, bi0, next0); - } - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - vlib_node_increment_counter (vm, node->node_index, - ESP_DECRYPT_ERROR_RX_PKTS, - from_frame->n_vectors); - - if (to_be_freed) - vlib_buffer_free (vm, to_be_freed, vec_len (to_be_freed)); - vec_free (to_be_freed); - return from_frame->n_vectors; -} - -VLIB_NODE_FN (esp4_decrypt_ipsecmb_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) -{ - return esp_decrypt_ipsecmb_inline (vm, node, from_frame, 0 /*is_ip6 */ ); -} - -VLIB_NODE_FN (esp6_decrypt_ipsecmb_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) -{ - return esp_decrypt_ipsecmb_inline (vm, node, from_frame, 1 /*is_ip6 */ ); -} -#endif - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (esp4_decrypt_ipsecmb_node) = { - .name = "esp4-decrypt-ipsecmb", - .vector_size = sizeof (u32), - .format_trace = format_esp_decrypt_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, - - .n_next_nodes = ESP_DECRYPT_N_NEXT, - .next_nodes = { -#define _(s,n) [ESP_DECRYPT_NEXT_##s] = n, - foreach_esp_decrypt_next -#undef _ - }, -}; -/* *INDENT-ON* */ - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (esp6_decrypt_ipsecmb_node) = { - .name = "esp6-decrypt-ipsecmb", - .vector_size = sizeof (u32), - .format_trace = format_esp_decrypt_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(esp_decrypt_error_strings), - .error_strings = esp_decrypt_error_strings, - - .n_next_nodes = ESP_DECRYPT_N_NEXT, - .next_nodes = { -#define _(s,n) [ESP_DECRYPT_NEXT_##s] = n, - foreach_esp_decrypt_next -#undef _ - }, -}; -/* *INDENT-ON* */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/plugins/ipsecmb/esp_encrypt.c b/src/plugins/ipsecmb/esp_encrypt.c deleted file mode 100644 index 312471c6dcd..00000000000 --- a/src/plugins/ipsecmb/esp_encrypt.c +++ /dev/null @@ -1,651 +0,0 @@ -/* - * esp_encrypt.c : ipsecmb ESP encrypt node - * - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <vnet/vnet.h> -#include <vnet/api_errno.h> -#include <vnet/ip/ip.h> -#include <vnet/udp/udp.h> - -#include <vnet/ipsec/ipsec.h> -#include <vnet/ipsec/esp.h> - -#include <ipsecmb/ipsecmb.h> - -#define foreach_esp_encrypt_next \ - _ (DROP, "error-drop") \ - _ (IP4_LOOKUP, "ip4-lookup") \ - _ (IP6_LOOKUP, "ip6-lookup") \ - _ (INTERFACE_OUTPUT, "interface-output") - -#define _(v, s) ESP_ENCRYPT_NEXT_##v, -typedef enum -{ - foreach_esp_encrypt_next -#undef _ - ESP_ENCRYPT_N_NEXT, -} esp_encrypt_next_t; - -#define foreach_esp_encrypt_error \ - _ (RX_PKTS, "ESP pkts received") \ - _ (NO_BUFFER, "No buffer (packet dropped)") \ - _ (DECRYPTION_FAILED, "ESP encryption failed") \ - _ (SEQ_CYCLED, "sequence number cycled") - -typedef enum -{ -#define _(sym, str) ESP_ENCRYPT_ERROR_##sym, - foreach_esp_encrypt_error -#undef _ - ESP_ENCRYPT_N_ERROR, -} esp_encrypt_error_t; - -typedef struct -{ - u32 spi; - u32 seq; - u8 udp_encap; - ipsec_crypto_alg_t crypto_alg; - ipsec_integ_alg_t integ_alg; -} esp_encrypt_trace_t; - -#ifdef CLIB_MARCH_VARIANT -static inline void -add_random_bytes_from_traffic (ipsecmb_main_t * imbm, - u32 thread_index, void *from, u8 size) -{ - ASSERT (STRUCT_SIZE_OF (random_bytes_t, data) == size); - u32 idx; - random_bytes_t *rb; - ipsecmb_per_thread_data_t *t = &imbm->per_thread_data[thread_index];; - if (PREDICT_TRUE (vec_len (t->rb_recycle_list))) - { - idx = vec_pop (t->rb_recycle_list); - rb = pool_elt_at_index (t->rb_pool, idx); - } - else - { - pool_get (t->rb_pool, rb); - idx = rb - t->rb_pool; - } - clib_memcpy (rb->data, from, STRUCT_SIZE_OF (random_bytes_t, data)); - vec_add1 (t->rb_from_traffic, idx); -} - -static inline int -random_bytes (ipsecmb_main_t * imbm, u32 thread_index, u8 * where, u8 size) -{ - ASSERT (STRUCT_SIZE_OF (random_bytes_t, data) == size); - const u8 block_size = STRUCT_SIZE_OF (random_bytes_t, data); - ipsecmb_per_thread_data_t *t = &imbm->per_thread_data[thread_index];; - if (PREDICT_TRUE (vec_len (t->rb_from_traffic))) - { - u32 idx = vec_pop (t->rb_from_traffic); - random_bytes_t *rb = pool_elt_at_index (t->rb_pool, idx); - clib_memcpy (where, rb->data, block_size); - vec_add1 (t->rb_recycle_list, idx); - return 0; - } - if (PREDICT_FALSE (0 == vec_len (t->rb_from_dev_urandom))) - { - ssize_t bytes_read = read (imbm->dev_urandom_fd, t->urandom_buffer, - sizeof (t->urandom_buffer)); - if (bytes_read < 0) - { - clib_unix_warning ("read() from /dev/urandom failed"); - return -1; - } - if (bytes_read < block_size) - { - clib_unix_warning - ("read() from /dev/urandom produced only %zd bytes", bytes_read); - return -1; - } - const ssize_t limit = clib_min (bytes_read, sizeof (t->urandom_buffer)); - int i; - for (i = 0; limit - i >= block_size && vec_len (t->rb_recycle_list) > 0; - i += block_size) - { - u32 idx = vec_pop (t->rb_recycle_list); - random_bytes_t *rb = pool_elt_at_index (t->rb_pool, idx); - clib_memcpy (rb->data, t->urandom_buffer + i, block_size); - vec_add1 (t->rb_from_dev_urandom, idx); - } - for (; limit - i >= block_size; i += block_size) - { - random_bytes_t *rb; - pool_get (t->rb_pool, rb); - clib_memcpy (rb->data, t->urandom_buffer + i, block_size); - vec_add1 (t->rb_from_dev_urandom, rb - t->rb_pool); - } - } - u32 idx = vec_pop (t->rb_from_dev_urandom); - random_bytes_t *rb = pool_elt_at_index (t->rb_pool, idx); - clib_memcpy (where, rb->data, block_size); - vec_add1 (t->rb_recycle_list, idx); - return 0; -} - -static inline void -esp_finish_encrypt (vlib_main_t * vm, JOB_AES_HMAC * job, - ipsecmb_main_t * imbm, int thread_index, - u32 * bi0, u32 * next0, ipsec_sa_t ** sa0, int is_ip6) -{ - ip4_header_t *oh4 = 0; - udp_header_t *udp = 0; - ip6_header_t *oh6 = 0; - ipsec_main_t *im = &ipsec_main; - *bi0 = (uintptr_t) job->user_data; - vlib_buffer_t *b0 = vlib_get_buffer (vm, *bi0); - u32 sa_index0 = vnet_buffer (b0)->ipsec.sad_index; - *sa0 = pool_elt_at_index (im->sad, sa_index0); - oh4 = vlib_buffer_get_current (b0); - oh6 = vlib_buffer_get_current (b0); - if (is_ip6) - { - oh6->payload_length = - clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0) - - sizeof (ip6_header_t)); - } - else - { - oh4->length = - clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0)); - oh4->checksum = ip4_header_checksum (oh4); - if ((*sa0)->udp_encap) - { - udp = (udp_header_t *) (oh4 + 1); - udp->length = - clib_host_to_net_u16 (clib_net_to_host_u16 (oh4->length) - - ip4_header_bytes (oh4)); - } - } - - *next0 = (uintptr_t) job->user_data2; - const int iv_size = imbm->crypto_algs[(*sa0)->crypto_alg].iv_size; - add_random_bytes_from_traffic (imbm, thread_index, - vlib_buffer_get_current (b0) + - b0->current_length - iv_size, iv_size); - if (!(*sa0)->is_tunnel) - { - *next0 = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT; - vlib_buffer_advance (b0, -sizeof (ethernet_header_t)); - } -} - -always_inline void -ipsemb_ip4_fill_comon_values (ip4_header_t * oh4, u8 tos) -{ - oh4->ip_version_and_header_length = 0x45; - oh4->tos = tos; - oh4->fragment_id = 0; - oh4->flags_and_fragment_offset = 0; - oh4->ttl = 254; -} - -always_inline void -ipsemb_handle_udp_encap (ipsec_sa_t * sa0, esp_header_t ** esp, - ip4_header_t ** oh4) -{ - if (sa0->udp_encap) - { - *esp = (esp_header_t *) ((u8 *) esp + sizeof (udp_header_t)); - udp_header_t *udp = (udp_header_t *) ((*oh4) + 1); - udp->src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec); - udp->dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec); - udp->checksum = 0; - (*oh4)->protocol = IP_PROTOCOL_UDP; - } - else - { - (*oh4)->protocol = IP_PROTOCOL_IPSEC_ESP; - } -} - -always_inline void -esp_prepare_tunneL_headers (vlib_buffer_t * b0, ipsec_sa_t * sa0, u32 * next0, - u8 * next_hdr_type, ip4_header_t * ih4, - ip4_header_t ** oh4, ip6_header_t * ih6, - ip6_header_t ** oh6, esp_header_t ** esp, - u32 iv_size, int is_ip6) -{ - if (is_ip6) - { - *next0 = ESP_ENCRYPT_NEXT_IP6_LOOKUP; - *next_hdr_type = IP_PROTOCOL_IPV6; - *oh6 = (ip6_header_t *) ((u8 *) ih6 - sizeof (esp_header_t) - - sizeof (ip6_header_t) - iv_size); - (*oh6)->src_address.as_u64[0] = sa0->tunnel_src_addr.ip6.as_u64[0]; - (*oh6)->src_address.as_u64[1] = sa0->tunnel_src_addr.ip6.as_u64[1]; - (*oh6)->dst_address.as_u64[0] = sa0->tunnel_dst_addr.ip6.as_u64[0]; - (*oh6)->dst_address.as_u64[1] = sa0->tunnel_dst_addr.ip6.as_u64[1]; - - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - vlib_buffer_advance (b0, -(sizeof (esp_header_t) + - sizeof (ip6_header_t) + iv_size)); - (*oh6)->ip_version_traffic_class_and_flow_label = - ih6->ip_version_traffic_class_and_flow_label; - (*oh6)->protocol = IP_PROTOCOL_IPSEC_ESP; - (*oh6)->hop_limit = 254; - *esp = (esp_header_t *) ((*oh6) + 1); - } - else - { /* is ipv4 */ - *next0 = ESP_ENCRYPT_NEXT_IP4_LOOKUP; - u32 udp_hdr_size = 0; - if (sa0->udp_encap) - { - udp_hdr_size = sizeof (udp_header_t); - } - *next_hdr_type = IP_PROTOCOL_IP_IN_IP; - (*oh4) = - (ip4_header_t *) (((u8 *) ih4) - sizeof (ip4_header_t) - - sizeof (esp_header_t) - udp_hdr_size - iv_size); - (*oh4)->src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32; - (*oh4)->dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32; - vlib_buffer_advance (b0, -(sizeof (ip4_header_t) + - sizeof (esp_header_t) + - udp_hdr_size + iv_size)); - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - *esp = (esp_header_t *) ((*oh4) + 1); - - ipsemb_ip4_fill_comon_values (*oh4, ih4->tos); - ipsemb_handle_udp_encap (sa0, esp, oh4); - } -} - -always_inline void -esp_prepare_transport_headers (vlib_buffer_t * b0, ipsec_sa_t * sa0, - u32 * next0, u8 * next_hdr_type, - ip4_header_t * ih4, ip4_header_t ** oh4, - ip6_header_t * ih6, ip6_header_t ** oh6, - esp_header_t ** esp, u32 iv_size, int is_ip6) -{ - if (is_ip6) - { - *next0 = ESP_ENCRYPT_NEXT_IP6_LOOKUP; - *next_hdr_type = ih6->protocol; - (*oh6) = (ip6_header_t *) ((u8 *) ih6 - sizeof (esp_header_t) - - iv_size); - if (vnet_buffer (b0)->sw_if_index[VLIB_TX] != ~0) - { - ethernet_header_t *ieh0, *oeh0; - ieh0 = (ethernet_header_t *) vlib_buffer_get_current (b0) - 1; - oeh0 = (ethernet_header_t *) (*oh6) - 1; - clib_memcpy (oeh0, ieh0, sizeof (ethernet_header_t)); - } - (*oh6)->src_address.as_u64[0] = ih6->src_address.as_u64[0]; - (*oh6)->src_address.as_u64[1] = ih6->src_address.as_u64[1]; - (*oh6)->dst_address.as_u64[0] = ih6->dst_address.as_u64[0]; - (*oh6)->dst_address.as_u64[1] = ih6->dst_address.as_u64[1]; - vlib_buffer_advance (b0, -(sizeof (esp_header_t) + iv_size)); - (*oh6)->ip_version_traffic_class_and_flow_label = - ih6->ip_version_traffic_class_and_flow_label; - (*oh6)->protocol = IP_PROTOCOL_IPSEC_ESP; - (*oh6)->hop_limit = 254; - *esp = (esp_header_t *) ((*oh6) + 1); - } - else - { /* is ipv4 */ - *next0 = ESP_ENCRYPT_NEXT_IP4_LOOKUP; - u32 udp_hdr_size = 0; - if (sa0->udp_encap) - { - udp_hdr_size = sizeof (udp_header_t); - } - *next_hdr_type = ih4->protocol; - (*oh4) = (ip4_header_t *) (((u8 *) ih4) - sizeof (esp_header_t) - - udp_hdr_size - iv_size); - if (vnet_buffer (b0)->sw_if_index[VLIB_TX] != ~0) - { - ethernet_header_t *ieh0, *oeh0; - ieh0 = (ethernet_header_t *) vlib_buffer_get_current (b0) - 1; - oeh0 = (ethernet_header_t *) (*oh4) - 1; - clib_memcpy (oeh0, ieh0, sizeof (ethernet_header_t)); - } - (*oh4)->src_address.as_u32 = ih4->src_address.as_u32; - (*oh4)->dst_address.as_u32 = ih4->dst_address.as_u32; - vlib_buffer_advance (b0, - -(sizeof (esp_header_t) + udp_hdr_size + iv_size)); - *esp = (esp_header_t *) ((*oh4) + 1); - - ipsemb_ip4_fill_comon_values (*oh4, ih4->tos); - ipsemb_handle_udp_encap (sa0, esp, oh4); - } -} - -static uword -esp_encrypt_ipsecmb_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame, int is_ip6) -{ - u32 n_left_from, *from, *to_next = 0, next_index; - from = vlib_frame_vector_args (from_frame); - n_left_from = from_frame->n_vectors; - ipsecmb_main_t *imbm = &ipsecmb_main; - ipsec_main_t *im = &ipsec_main; - u32 packets_in_flight = 0; - next_index = node->cached_next_index; - u32 thread_index = vlib_get_thread_index (); - ipsec_alloc_empty_buffers (vm, im); - u32 *to_be_freed = NULL; - ipsecmb_per_thread_data_t *t = &imbm->per_thread_data[thread_index];; - - MB_MGR *mgr = imbm->mb_mgr[thread_index]; - - while (n_left_from > 0 || packets_in_flight > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0, next0; - vlib_buffer_t *b0 = 0; - u32 sa_index0; - ipsec_sa_t *sa0; - ipsecmb_sa_t *samb0; - ip4_header_t *ih4, *oh4 = 0; - ip6_header_t *ih6, *oh6 = 0; - esp_header_t *esp; - u8 next_hdr_type; - - bi0 = from[0]; - from += 1; - n_left_from -= 1; - - next0 = ESP_ENCRYPT_NEXT_DROP; - - b0 = vlib_get_buffer (vm, bi0); - sa_index0 = vnet_buffer (b0)->ipsec.sad_index; - sa0 = pool_elt_at_index (im->sad, sa_index0); - samb0 = pool_elt_at_index (imbm->sad, sa_index0); - - if (esp_seq_advance (sa0)) - { - clib_warning ("sequence number counter has cycled SPI %u", - sa0->spi); - vlib_node_increment_counter (vm, node->node_index, - ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1); - // TODO: rekey SA - to_next[0] = bi0; - to_next += 1; - goto trace; - } - - sa0->total_data_size += b0->current_length; - - if (PREDICT_FALSE (b0->n_add_refs > 0)) - { - vec_add1 (to_be_freed, bi0); - b0 = vlib_buffer_copy (vm, b0); - bi0 = vlib_get_buffer_index (vm, b0); - } - - ih4 = vlib_buffer_get_current (b0); - ih6 = vlib_buffer_get_current (b0); - - const int iv_size = imbm->crypto_algs[sa0->crypto_alg].iv_size; - if (sa0->is_tunnel) - esp_prepare_tunneL_headers (b0, sa0, &next0, &next_hdr_type, ih4, - &oh4, ih6, &oh6, &esp, iv_size, - is_ip6); - else - esp_prepare_transport_headers (b0, sa0, &next0, &next_hdr_type, - ih4, &oh4, ih6, &oh6, &esp, - iv_size, is_ip6); - - - esp->spi = clib_net_to_host_u32 (sa0->spi); - esp->seq = clib_net_to_host_u32 (sa0->seq); - ASSERT (sa0->crypto_alg < IPSEC_CRYPTO_N_ALG); - - esp_footer_t *f0; - const u32 payload_offset = - (u8 *) (esp + 1) + iv_size - (u8 *) vlib_buffer_get_current (b0); - JOB_AES_HMAC *job = IPSECMB_FUNC (get_next_job) (mgr); - if (PREDICT_TRUE (sa0->crypto_alg != IPSEC_CRYPTO_ALG_NONE)) - { - const int block_size = - imbm->crypto_algs[sa0->crypto_alg].block_size; - u32 payload_length = b0->current_length - payload_offset; - int blocks = 1 + (payload_length + 1) / block_size; - - /* pad packet in input buffer */ - u8 pad_bytes = - block_size * blocks - sizeof (esp_footer_t) - payload_length; - u8 i; - u8 *padding = vlib_buffer_get_current (b0) + b0->current_length; - b0->current_length = payload_offset + block_size * blocks; - for (i = 0; i < pad_bytes; ++i) - { - padding[i] = i + 1; - } - f0 = vlib_buffer_get_current (b0) + b0->current_length - - sizeof (esp_footer_t); - f0->pad_length = pad_bytes; - f0->next_header = next_hdr_type; - - random_bytes (imbm, thread_index, (u8 *) (esp + 1), iv_size); - job->iv = (u8 *) (esp + 1); - job->iv_len_in_bytes = iv_size; - } - - job->chain_order = CIPHER_HASH; - job->cipher_direction = ENCRYPT; - job->src = (u8 *) esp; - job->dst = (u8 *) ((u8 *) (esp + 1) + iv_size); - job->cipher_mode = imbm->crypto_algs[sa0->crypto_alg].cipher_mode; - job->aes_enc_key_expanded = samb0->aes_enc_key_expanded; - job->aes_dec_key_expanded = samb0->aes_dec_key_expanded; - job->aes_key_len_in_bytes = sa0->crypto_key_len; - job->cipher_start_src_offset_in_bytes = - sizeof (esp_header_t) + iv_size; - job->hash_start_src_offset_in_bytes = 0; - job->msg_len_to_cipher_in_bytes = - b0->current_length - payload_offset; - if (PREDICT_TRUE (IPSEC_INTEG_ALG_NONE != sa0->integ_alg)) - { - if (sa0->use_esn) - { - *(u32 *) (vlib_buffer_get_current (b0) + - b0->current_length) = sa0->seq_hi; - b0->current_length += sizeof (u32); - } - job->msg_len_to_hash_in_bytes = b0->current_length - - payload_offset + sizeof (esp_header_t) + iv_size; - job->u.HMAC._hashed_auth_key_xor_ipad = samb0->ipad_hash; - job->u.HMAC._hashed_auth_key_xor_opad = samb0->opad_hash; - job->auth_tag_output = - vlib_buffer_get_current (b0) + b0->current_length; - job->auth_tag_output_len_in_bytes = - imbm->integ_algs[sa0->integ_alg].hash_output_length; - b0->current_length += - imbm->integ_algs[sa0->integ_alg].hash_output_length; - } - job->hash_alg = imbm->integ_algs[sa0->integ_alg].hash_alg; - job->user_data = (void *) (uintptr_t) bi0; - job->user_data2 = (void *) (uintptr_t) next0; - job = IPSECMB_FUNC (submit_job) (mgr); - ++packets_in_flight; - - if (!job) - { - continue; - } - - --packets_in_flight; - esp_finish_encrypt (vm, job, imbm, thread_index, &bi0, &next0, &sa0, - is_ip6); - - to_next[0] = bi0; - to_next += 1; - n_left_to_next -= 1; - - trace: - if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) - { - esp_encrypt_trace_t *tr = - vlib_add_trace (vm, node, b0, sizeof (*tr)); - tr->spi = sa0->spi; - tr->seq = sa0->seq - 1; - tr->udp_encap = sa0->udp_encap; - tr->crypto_alg = sa0->crypto_alg; - tr->integ_alg = sa0->integ_alg; - } - - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, - n_left_to_next, bi0, next0); - } - - if (PREDICT_FALSE (n_left_from == 0)) - { - JOB_AES_HMAC *job = NULL; - while (n_left_to_next > 0 && (job = IPSECMB_FUNC (flush_job) (mgr))) - { - --packets_in_flight; - u32 bi0, next0; - vlib_buffer_t *b0; - ipsec_sa_t *sa0; - - esp_finish_encrypt (vm, job, imbm, thread_index, &bi0, &next0, - &sa0, is_ip6); - b0 = vlib_get_buffer (vm, bi0); - - to_next[0] = bi0; - to_next += 1; - n_left_to_next -= 1; - - if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED)) - { - esp_encrypt_trace_t *tr = - vlib_add_trace (vm, node, b0, sizeof (*tr)); - tr->spi = sa0->spi; - tr->seq = sa0->seq - 1; - tr->udp_encap = sa0->udp_encap; - tr->crypto_alg = sa0->crypto_alg; - tr->integ_alg = sa0->integ_alg; - } - - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, - n_left_to_next, bi0, next0); - } - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - vlib_node_increment_counter (vm, node->node_index, - ESP_ENCRYPT_ERROR_RX_PKTS, - from_frame->n_vectors); - - if (to_be_freed) - vlib_buffer_free (vm, to_be_freed, vec_len (to_be_freed)); - vec_free (to_be_freed); - if (PREDICT_TRUE (vec_len (t->rb_from_traffic) > 0)) - { - /* recycle traffic generated buffers, because once the packets are sent - * out, bytes from these packets are no longer unpredictable */ - vec_add (t->rb_recycle_list, t->rb_from_traffic, - vec_len (t->rb_from_traffic)); - _vec_len (t->rb_from_traffic) = 0; - } - return from_frame->n_vectors; -} - -VLIB_NODE_FN (esp4_encrypt_ipsecmb_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) -{ - return esp_encrypt_ipsecmb_inline (vm, node, from_frame, 0 /*is_ip6 */ ); -} - -VLIB_NODE_FN (esp6_encrypt_ipsecmb_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) -{ - return esp_encrypt_ipsecmb_inline (vm, node, from_frame, 1 /*is_ip6 */ ); -} -#endif - -static char *esp_encrypt_error_strings[] = { -#define _(sym, string) string, - foreach_esp_encrypt_error -#undef _ -}; - -/* packet trace format function */ -static u8 * -format_esp_encrypt_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - esp_encrypt_trace_t *t = va_arg (*args, esp_encrypt_trace_t *); - - s = - format (s, "esp: spi %u seq %u crypto %U integrity %U%s", t->spi, t->seq, - format_ipsec_crypto_alg, t->crypto_alg, format_ipsec_integ_alg, - t->integ_alg, t->udp_encap ? " udp-encap-enabled" : ""); - return s; -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (esp4_encrypt_ipsecmb_node) = { - .name = "esp4-encrypt-ipsecmb", - .vector_size = sizeof (u32), - .format_trace = format_esp_encrypt_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN (esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, - - .n_next_nodes = ESP_ENCRYPT_N_NEXT, - .next_nodes = - { -#define _(s, n) [ESP_ENCRYPT_NEXT_##s] = n, - foreach_esp_encrypt_next -#undef _ - }, -}; -/* *INDENT-ON* */ - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (esp6_encrypt_ipsecmb_node) = { - .name = "esp6-encrypt-ipsecmb", - .vector_size = sizeof (u32), - .format_trace = format_esp_encrypt_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN (esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, - - .n_next_nodes = ESP_ENCRYPT_N_NEXT, - .next_nodes = - { -#define _(s, n) [ESP_ENCRYPT_NEXT_##s] = n, - foreach_esp_encrypt_next -#undef _ - }, -}; -/* *INDENT-ON* */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/plugins/ipsecmb/ipsecmb.c b/src/plugins/ipsecmb/ipsecmb.c deleted file mode 100644 index 17b8fb8ce3d..00000000000 --- a/src/plugins/ipsecmb/ipsecmb.c +++ /dev/null @@ -1,322 +0,0 @@ -/* - * init.c : ipsecmb common code - * - * Copyright (c) 2015 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <vnet/plugin/plugin.h> -#include <vpp/app/version.h> -#include <ipsecmb/ipsecmb.h> -ipsecmb_main_t ipsecmb_main; - -int -sa_expand_keys (u32 sa_index) -{ - ipsecmb_main_t *imbm = &ipsecmb_main; - ipsec_sa_t *sa = pool_elt_at_index (ipsec_main.sad, sa_index); - ipsecmb_sa_t *samb = pool_elt_at_index (imbm->sad, sa_index); - if (sa->crypto_key_len > 0) - { - const keyexp_t keyexp_fn = imbm->crypto_algs[sa->crypto_alg].keyexp_fn; - keyexp_fn (sa->crypto_key, samb->aes_enc_key_expanded, - samb->aes_dec_key_expanded); - } - if (sa->integ_key_len > 0) - { - const u8 block_size = imbm->integ_algs[sa->integ_alg].block_size; - const hash_one_block_t hash_one_block_fn = - imbm->integ_algs[sa->integ_alg].hash_one_block_fn; - u8 buf[block_size]; - int i = 0; - if (sa->integ_key_len > block_size) - { - return VNET_API_ERROR_SYSCALL_ERROR_1; // FIXME use correct value - } - memset (buf, 0x36, sizeof (buf)); - for (i = 0; i < sa->integ_key_len; i++) - { - buf[i] ^= sa->integ_key[i]; - } - hash_one_block_fn (buf, samb->ipad_hash); - - memset (buf, 0x5c, sizeof (buf)); - for (i = 0; i < sa->integ_key_len; i++) - { - buf[i] ^= sa->integ_key[i]; - } - hash_one_block_fn (buf, samb->opad_hash); - } - return 0; -} - -static clib_error_t * -ipsecmb_add_del_sa_session (u32 sa_index, u8 is_add) -{ - ipsecmb_main_t *imbm = &ipsecmb_main; - if (is_add) - { - ipsecmb_sa_t *samb = NULL; - pool_get (imbm->sad, samb); - ASSERT (samb == pool_elt_at_index (imbm->sad, sa_index)); - sa_expand_keys (sa_index); - } - else - { - pool_put_index (imbm->sad, sa_index); - } - return 0; -} - -clib_error_t * -ipsecmb_check_esp_support (ipsec_sa_t * sa) -{ - switch (sa->crypto_alg) - { - case IPSEC_CRYPTO_ALG_NONE: - break; - case IPSEC_CRYPTO_ALG_DES_CBC: - case IPSEC_CRYPTO_ALG_3DES_CBC: - return clib_error_return (0, "unsupported (3)des crypto-alg"); - case IPSEC_CRYPTO_ALG_AES_CBC_128: - case IPSEC_CRYPTO_ALG_AES_CBC_192: - case IPSEC_CRYPTO_ALG_AES_CBC_256: - break; - case IPSEC_CRYPTO_ALG_AES_CTR_128: - case IPSEC_CRYPTO_ALG_AES_CTR_192: - case IPSEC_CRYPTO_ALG_AES_CTR_256: - return clib_error_return (0, "unsupported aes-ctr crypto-alg"); - case IPSEC_CRYPTO_ALG_AES_GCM_128: - case IPSEC_CRYPTO_ALG_AES_GCM_192: - case IPSEC_CRYPTO_ALG_AES_GCM_256: - return clib_error_return (0, "unsupported aes-gcm crypto-alg"); - case IPSEC_CRYPTO_N_ALG: - return clib_error_return (0, "invalid crypto-alg"); - } - - switch (sa->integ_alg) - { - case IPSEC_INTEG_ALG_NONE: - return clib_error_return (0, "unsupported none integ-alg"); - case IPSEC_INTEG_ALG_MD5_96: - return clib_error_return (0, "unsupported md5 integ-alg"); - case IPSEC_INTEG_ALG_SHA1_96: - case IPSEC_INTEG_ALG_SHA_256_96: - case IPSEC_INTEG_ALG_SHA_256_128: - case IPSEC_INTEG_ALG_SHA_384_192: - case IPSEC_INTEG_ALG_SHA_512_256: - break; - case IPSEC_INTEG_N_ALG: - return clib_error_return (0, "invalid integ-alg"); - } - return 0; -} - -clib_error_t * -ipsecmb_check_ah_support (ipsec_sa_t * sa) -{ - switch (sa->integ_alg) - { - case IPSEC_INTEG_ALG_NONE: - return clib_error_return (0, "unsupported none integ-alg"); - case IPSEC_INTEG_ALG_MD5_96: - return clib_error_return (0, "unsupported md5 integ-alg"); - case IPSEC_INTEG_ALG_SHA1_96: - case IPSEC_INTEG_ALG_SHA_256_96: - case IPSEC_INTEG_ALG_SHA_256_128: - case IPSEC_INTEG_ALG_SHA_384_192: - case IPSEC_INTEG_ALG_SHA_512_256: - break; - case IPSEC_INTEG_N_ALG: - return clib_error_return (0, "invalid integ-alg"); - } - return 0; -} - -static clib_error_t * -ipsecmb_init (vlib_main_t * vm) -{ - ipsecmb_main_t *imbm = &ipsecmb_main; - imbm->dev_urandom_fd = open ("/dev/urandom", O_RDONLY); - if (!imbm->dev_urandom_fd) - { - return clib_error_return_unix_fatal (0, - "Can't open /dev/urandom for read"); - } - - vlib_thread_main_t *tm = vlib_get_thread_main (); - - imbm->crypto_algs = NULL; - imbm->integ_algs = NULL; - - vec_validate (imbm->crypto_algs, IPSEC_CRYPTO_N_ALG - 1); - vec_validate (imbm->integ_algs, IPSEC_INTEG_N_ALG - 1); - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].block_size = 16; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].block_size = 16; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].block_size = 16; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_DES_CBC].block_size = 8; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_3DES_CBC].block_size = 8; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].iv_size = 16; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].iv_size = 16; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].iv_size = 16; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_DES_CBC].iv_size = 8; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_3DES_CBC].iv_size = 8; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].cipher_mode = CBC; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].cipher_mode = CBC; - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].cipher_mode = CBC; - - ipsecmb_integ_alg_t *i; - i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA1_96]; - i->hash_alg = SHA1; - i->block_size = SHA1_BLOCK_SIZE; - - i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_96]; - i->hash_alg = SHA_256; - i->block_size = SHA_256_BLOCK_SIZE; - - i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_128]; - i->hash_alg = SHA_256; - i->block_size = SHA_256_BLOCK_SIZE; - - i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_384_192]; - i->hash_alg = SHA_384; - i->block_size = SHA_384_BLOCK_SIZE; - - i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_512_256]; - i->hash_alg = SHA_512; - i->block_size = SHA_512_BLOCK_SIZE; - - vec_validate (imbm->mb_mgr, tm->n_vlib_mains - 1); - MB_MGR **mgr; -#define __set_funcs(arch) \ - do \ - { \ - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].keyexp_fn = \ - aes_keyexp_128_##arch; \ - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].keyexp_fn = \ - aes_keyexp_192_##arch; \ - imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].keyexp_fn = \ - aes_keyexp_256_##arch; \ - imbm->integ_algs[IPSEC_INTEG_ALG_SHA1_96].hash_one_block_fn = \ - sha1_one_block_##arch; \ - imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_96].hash_one_block_fn = \ - sha256_one_block_##arch; \ - imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_128].hash_one_block_fn = \ - sha256_one_block_##arch; \ - imbm->integ_algs[IPSEC_INTEG_ALG_SHA_384_192].hash_one_block_fn = \ - sha384_one_block_##arch; \ - imbm->integ_algs[IPSEC_INTEG_ALG_SHA_512_256].hash_one_block_fn = \ - sha512_one_block_##arch; \ - } \ - while (0); - - if (clib_cpu_supports_avx512f ()) - { - __set_funcs (avx512); - vec_foreach (mgr, imbm->mb_mgr) - { - *mgr = alloc_mb_mgr (0); - init_mb_mgr_avx512 (*mgr); - } - } - else if (clib_cpu_supports_avx2 ()) - { - __set_funcs (avx2); - vec_foreach (mgr, imbm->mb_mgr) - { - *mgr = alloc_mb_mgr (0); - init_mb_mgr_avx2 (*mgr); - } - } - else - { - __set_funcs (sse); - vec_foreach (mgr, imbm->mb_mgr) - { - *mgr = alloc_mb_mgr (0); - init_mb_mgr_sse (*mgr); - } - } -#undef __set_funcs - - - i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA1_96]; - i->hash_output_length = 12; - - i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_96]; - i->hash_output_length = 12; - - i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_128]; - i->hash_output_length = 16; - - i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_384_192]; - i->hash_output_length = 24; - - i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_512_256]; - i->hash_output_length = 32; - - vec_validate (imbm->per_thread_data, tm->n_vlib_mains - 1); - - return 0; -} - -VLIB_INIT_FUNCTION (ipsecmb_init); - -static uword -ipsecmb_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f) -{ - ipsec_main_t *im = &ipsec_main; - ipsec_register_ah_backend (vm, im, "ipsecmb backend", - "ah4-encrypt-ipsecmb", - "ah4-decrypt-ipsecmb", - "ah6-encrypt-ipsecmb", - "ah6-decrypt-ipsecmb", - ipsecmb_check_ah_support, - ipsecmb_add_del_sa_session); - - ipsec_register_esp_backend (vm, im, "ipsecmb backend", - "esp4-encrypt-ipsecmb", - "esp4-decrypt-ipsecmb", - "esp6-encrypt-ipsecmb", - "esp6-decrypt-ipsecmb", - ipsecmb_check_esp_support, - ipsecmb_add_del_sa_session); - - return 0; -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (ipsecmb_process_node, static) = { - .function = ipsecmb_process, - .type = VLIB_NODE_TYPE_PROCESS, - .name = "ipsecmb-process", - .process_log2_n_stack_bytes = 17, -}; - -/* *INDENT-OFF* */ -VLIB_PLUGIN_REGISTER () = { - .version = VPP_BUILD_VER, - .description = "IPsecMB plugin", - .default_disabled = 1, -}; -/* *INDENT-ON* */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/plugins/ipsecmb/ipsecmb.h b/src/plugins/ipsecmb/ipsecmb.h deleted file mode 100644 index 23e7ede9e99..00000000000 --- a/src/plugins/ipsecmb/ipsecmb.h +++ /dev/null @@ -1,97 +0,0 @@ -#ifndef __included_ipsecmb_h__ -#define __included_ipsecmb_h__ - -#include <vppinfra/types.h> -#include <vppinfra/vec.h> -#include <vppinfra/clib.h> -#include <vppinfra/warnings.h> -#include <vnet/ipsec/ipsec.h> - -WARN_OFF (attributes); - -#ifdef always_inline -#undef always_inline -#define __need_redefine__ -#endif - -#include <intel-ipsec-mb.h> - -#ifdef __need_redefine__ -#if CLIB_DEBUG > 0 -#define always_inline static inline -#else -#define always_inline static inline __attribute__ ((__always_inline__)) -#endif -#endif // __need_redefine__ -WARN_ON (attributes); - -typedef struct -{ - keyexp_t keyexp_fn; - JOB_CIPHER_MODE cipher_mode; - u8 key_len; - u8 iv_size; - u8 block_size; -} ipsecmb_crypto_alg_t; - -typedef struct -{ - hash_one_block_t hash_one_block_fn; - u8 block_size; - JOB_HASH_ALG hash_alg; - u8 hash_output_length; -} ipsecmb_integ_alg_t; - -typedef struct -{ - u8 aes_enc_key_expanded[16 * 15] __attribute__ ((aligned (16))); - u8 aes_dec_key_expanded[16 * 15] __attribute__ ((aligned (16))); - u8 ipad_hash[256] __attribute__ ((aligned (16))); - u8 opad_hash[256] __attribute__ ((aligned (16))); -} ipsecmb_sa_t; - -typedef struct -{ - u8 data[16]; -} random_bytes_t; - -typedef u8 urandom_buffer_t[4096]; - -typedef struct -{ - /** read buffer for random data from /dev/urandom */ - urandom_buffer_t urandom_buffer; - /** pool of all the random_bytes_t objects ever allocated */ - random_bytes_t *rb_pool; - /** vector of random_bytes_t objects containing random bytes */ - u32 *rb_from_dev_urandom; - /** vector of used random_bytes_t objects */ - u32 *rb_recycle_list; - /** vector of random bytes collected from encrypted data */ - u32 *rb_from_traffic; -} ipsecmb_per_thread_data_t; - -typedef struct -{ - ipsecmb_crypto_alg_t *crypto_algs; - ipsecmb_integ_alg_t *integ_algs; - MB_MGR **mb_mgr; - ipsecmb_sa_t *sad; - ipsecmb_per_thread_data_t *per_thread_data; - int dev_urandom_fd; -} ipsecmb_main_t; - -extern ipsecmb_main_t ipsecmb_main; - -#define P(x,y) x ## _ ## y -#define E(x,y) P(x,y) -#define IPSECMB_FUNC(f) E(f,CLIB_MARCH_VARIANT) -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ - -#endif /* __included_ipsecmb_h__ */ diff --git a/src/vnet/buffer.h b/src/vnet/buffer.h index d1edbe54805..89dd84567bc 100644 --- a/src/vnet/buffer.h +++ b/src/vnet/buffer.h @@ -274,10 +274,6 @@ typedef struct { u32 flags; u32 sad_index; - u32 ip_version_traffic_class_and_flow_label; - u8 tos; - u8 ttl_or_hop_limit; - u32 seq; } ipsec; /* MAP */ diff --git a/test/test_ipsec_nat.py b/test/test_ipsec_nat.py index 7e6e1d4d912..e9efa032a13 100644 --- a/test/test_ipsec_nat.py +++ b/test/test_ipsec_nat.py @@ -9,7 +9,7 @@ from util import ppp, ppc from template_ipsec import TemplateIpsec -class TemplateIPSecNAT(TemplateIpsec): +class IPSecNATTestCase(TemplateIpsec): """ IPSec/NAT TUNNEL MODE: @@ -33,7 +33,7 @@ class TemplateIPSecNAT(TemplateIpsec): @classmethod def setUpClass(cls): - super(TemplateIPSecNAT, cls).setUpClass() + super(IPSecNATTestCase, cls).setUpClass() cls.tun_if = cls.pg0 cls.vapi.ipsec_spd_add_del(cls.tun_spd_id) cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id, @@ -236,8 +236,3 @@ class TemplateIPSecNAT(TemplateIpsec): self.pg_start() capture = self.pg1.get_capture(len(pkts)) self.verify_capture_plain(capture) - - -class IPSecNAT(TemplateIPSecNAT): - """ IPSec/NAT """ - pass diff --git a/test/test_ipsecmb_ah.py b/test/test_ipsecmb_ah.py deleted file mode 100644 index 294d5ceeb89..00000000000 --- a/test/test_ipsecmb_ah.py +++ /dev/null @@ -1,31 +0,0 @@ -from test_ipsec_ah import TemplateIpsecAh -from template_ipsec import IpsecTraTests, IpsecTunTests, IpsecTcpTests - - -class TestIpsecMBAh1(TemplateIpsecAh, IpsecTraTests, IpsecTunTests): - """ IpsecMB AH - TUN & TRA tests """ - extra_vpp_plugin_config = [ - "plugin", "ipsecmb_plugin.so", "{", "enable", "}"] - - tra4_encrypt_node_name = "ah4-encrypt-ipsecmb" - tra4_decrypt_node_name = "ah4-decrypt-ipsecmb" - tra6_encrypt_node_name = "ah6-encrypt-ipsecmb" - tra6_decrypt_node_name = "ah6-decrypt-ipsecmb" - tun4_encrypt_node_name = "ah4-encrypt-ipsecmb" - tun4_decrypt_node_name = "ah4-decrypt-ipsecmb" - tun6_encrypt_node_name = "ah6-encrypt-ipsecmb" - tun6_decrypt_node_name = "ah6-decrypt-ipsecmb" - - @classmethod - def ipsec_select_backend(cls): - cls.vapi.ipsec_select_backend(protocol=cls.vpp_ah_protocol, index=1) - - -class TestIpsecMBAh2(TemplateIpsecAh, IpsecTcpTests): - """ IpsecMB AH - TCP tests """ - extra_vpp_plugin_config = [ - "plugin", "ipsecmb_plugin.so", "{", "enable", "}"] - - @classmethod - def ipsec_select_backend(cls): - cls.vapi.ipsec_select_backend(protocol=cls.vpp_ah_protocol, index=1) diff --git a/test/test_ipsecmb_esp.py b/test/test_ipsecmb_esp.py deleted file mode 100644 index cf60724fca6..00000000000 --- a/test/test_ipsecmb_esp.py +++ /dev/null @@ -1,30 +0,0 @@ -from test_ipsec_esp import TemplateIpsecEsp -from template_ipsec import IpsecTraTests, IpsecTunTests, IpsecTcpTests - - -class TestIpsecMBEsp1(TemplateIpsecEsp, IpsecTraTests, IpsecTunTests): - """ IpsecMB ESP - TUN & TRA tests """ - extra_vpp_plugin_config = [ - "plugin", "ipsecmb_plugin.so", "{", "enable", "}"] - tra4_encrypt_node_name = "esp4-encrypt-ipsecmb" - tra4_decrypt_node_name = "esp4-decrypt-ipsecmb" - tra6_encrypt_node_name = "esp6-encrypt-ipsecmb" - tra6_decrypt_node_name = "esp6-decrypt-ipsecmb" - tun4_encrypt_node_name = "esp4-encrypt-ipsecmb" - tun4_decrypt_node_name = "esp4-decrypt-ipsecmb" - tun6_encrypt_node_name = "esp6-encrypt-ipsecmb" - tun6_decrypt_node_name = "esp6-decrypt-ipsecmb" - - @classmethod - def ipsec_select_backend(cls): - cls.vapi.ipsec_select_backend(protocol=cls.vpp_esp_protocol, index=1) - - -class TestIpsecMBEsp2(TemplateIpsecEsp, IpsecTcpTests): - """ IpsecMB ESP - TCP tests """ - extra_vpp_plugin_config = [ - "plugin", "ipsecmb_plugin.so", "{", "enable", "}"] - - @classmethod - def ipsec_select_backend(cls): - cls.vapi.ipsec_select_backend(protocol=cls.vpp_esp_protocol, index=1) diff --git a/test/test_ipsecmb_nat.py b/test/test_ipsecmb_nat.py deleted file mode 100644 index 82f5daa0fb1..00000000000 --- a/test/test_ipsecmb_nat.py +++ /dev/null @@ -1,13 +0,0 @@ -#!/usr/bin/env python - -from test_ipsec_nat import TemplateIPSecNAT - - -class IPSecMBNATTestCase(TemplateIPSecNAT): - """ IPSecMB/NAT """ - extra_vpp_plugin_config = [ - "plugin", "ipsecmb_plugin.so", "{", "enable", "}"] - - @classmethod - def ipsec_select_backend(cls): - cls.vapi.ipsec_select_backend(protocol=cls.vpp_ah_protocol, index=1) |