authorFlorin Coras <florin.coras@gmail.com>2019-01-02 17:43:01 +0000
committerDave Barach <openvpp@barachs.net>2019-01-02 18:50:37 +0000
commit4a7cbcd06b3fa1f44366a606d5c148cce816503b (patch)
tree69875f8c2342ddf376770e0d55876fdc53fc4aa2
parentd9818dd68c162079f3ddb5443a78d0d91d55d0fe (diff)
Revert "add ipsecmb plugin"
This reverts commit be16020c5034bc69df25a8ecd7081aec9898d93c. The arm verify job actually failed but the result was overwritten by an x86 ubuntu retry. Change-Id: Idcae7691fc575053563b8ff8bcad661c15891668 Signed-off-by: Florin Coras <fcoras@cisco.com>
-rw-r--r--src/plugins/ipsecmb/CMakeLists.txt46
-rw-r--r--src/plugins/ipsecmb/ah_decrypt.c493
-rw-r--r--src/plugins/ipsecmb/ah_encrypt.c466
-rw-r--r--src/plugins/ipsecmb/esp_decrypt.c471
-rw-r--r--src/plugins/ipsecmb/esp_encrypt.c651
-rw-r--r--src/plugins/ipsecmb/ipsecmb.c322
-rw-r--r--src/plugins/ipsecmb/ipsecmb.h97
-rw-r--r--src/vnet/buffer.h4
-rw-r--r--test/test_ipsec_nat.py9
-rw-r--r--test/test_ipsecmb_ah.py31
-rw-r--r--test/test_ipsecmb_esp.py30
-rw-r--r--test/test_ipsecmb_nat.py13
12 files changed, 2 insertions, 2631 deletions
diff --git a/src/plugins/ipsecmb/CMakeLists.txt b/src/plugins/ipsecmb/CMakeLists.txt
deleted file mode 100644
index 38ecf644896..00000000000
--- a/src/plugins/ipsecmb/CMakeLists.txt
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright (c) 2018 Cisco and/or its affiliates.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-find_path(IPSECMB_INCLUDE_DIR NAMES intel-ipsec-mb.h HINTS ${IPSECMB_INCLUDE_DIR_HINT})
-find_library(IPSECMB_LIB NAMES libIPSec_MB.a HINTS ${IPSECMB_LIB_DIR_HINT})
-
-if(IPSECMB_INCLUDE_DIR AND IPSECMB_LIB)
-
- get_filename_component(IPSECMB_LIB_DIR ${IPSECMB_LIB} DIRECTORY)
- set(IPSECMB_LINK_FLAGS "${IPSECMB_LINK_FLAGS} -L${IPSECMB_LIB_DIR} -Wl,--whole-archive ${IPSECMB_LIB} -Wl,--no-whole-archive")
- set(IPSECMB_LINK_FLAGS "${IPSECMB_LINK_FLAGS} -Wl,--exclude-libs,libIPSec_MB.a,-l:libIPSec_MB.a")
- include_directories(${IPSECMB_INCLUDE_DIR})
- add_vpp_plugin(ipsecmb
- SOURCES
- ipsecmb.c
- ah_encrypt.c
- ah_decrypt.c
- esp_encrypt.c
- esp_decrypt.c
-
- MULTIARCH_SOURCES
- ah_encrypt.c
- ah_decrypt.c
- esp_encrypt.c
- esp_decrypt.c
-
- LINK_FLAGS
- ${IPSECMB_LINK_FLAGS}
- )
-
- message(STATUS "Intel IPSecMB found: ${IPSECMB_INCLUDE_DIR}")
-else()
- message(STATUS "Intel IPSecMB not found")
-endif()
-
-
diff --git a/src/plugins/ipsecmb/ah_decrypt.c b/src/plugins/ipsecmb/ah_decrypt.c
deleted file mode 100644
index e991671aa63..00000000000
--- a/src/plugins/ipsecmb/ah_decrypt.c
+++ /dev/null
@@ -1,493 +0,0 @@
-/*
- * ah_decrypt.c : ipsecmb AH decrypt node
- *
- * Copyright (c) 2015 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <vnet/vnet.h>
-#include <vnet/api_errno.h>
-#include <vnet/ip/ip.h>
-
-#include <vnet/ipsec/ipsec.h>
-#include <vnet/ipsec/esp.h>
-#include <vnet/ipsec/ah.h>
-
-#include <ipsecmb/ipsecmb.h>
-
-#define foreach_ah_decrypt_next \
- _ (DROP, "error-drop") \
- _ (IP4_INPUT, "ip4-input") \
- _ (IP6_INPUT, "ip6-input") \
- _ (IPSEC_GRE_INPUT, "ipsec-gre-input")
-
-#define _(v, s) AH_DECRYPT_NEXT_##v,
-typedef enum
-{
- foreach_ah_decrypt_next
-#undef _
- AH_DECRYPT_N_NEXT,
-} ah_decrypt_next_t;
-
-#define foreach_ah_decrypt_error \
- _ (RX_PKTS, "AH pkts received") \
- _ (DECRYPTION_FAILED, "AH decryption failed") \
- _ (INTEG_ERROR, "Integrity check failed") \
- _ (REPLAY, "SA replayed packet") \
- _ (NOT_IP, "Not IP packet (dropped)")
-
-typedef enum
-{
-#define _(sym, str) AH_DECRYPT_ERROR_##sym,
- foreach_ah_decrypt_error
-#undef _
- AH_DECRYPT_N_ERROR,
-} ah_decrypt_error_t;
-
-static char *ah_decrypt_error_strings[] = {
-#define _(sym, string) string,
- foreach_ah_decrypt_error
-#undef _
-};
-
-typedef struct
-{
- ipsec_integ_alg_t integ_alg;
-} ah_decrypt_trace_t;
-
-/* packet trace format function */
-static u8 *
-format_ah_decrypt_trace (u8 * s, va_list * args)
-{
- CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
- CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
- ah_decrypt_trace_t *t = va_arg (*args, ah_decrypt_trace_t *);
-
- s = format (s, "ah: integrity %U", format_ipsec_integ_alg, t->integ_alg);
- return s;
-}
-
-typedef struct
-{
- u8 tos;
- u8 ttl;
- u32 ip_version_traffic_class_and_flow_label;
- u8 hop_limit;
-} ip_mutable_data_t;
-
-#ifdef CLIB_MARCH_VARIANT
-always_inline void
-remove_ah (vlib_main_t * vm, vlib_node_runtime_t * node, u32 * bi0,
- u32 * next0, ipsec_sa_t * sa0, u32 ip_hdr_size, u32 icv_size,
- u8 icv_padding_len, ah_header_t * ah0, int is_ip6)
-{
- vlib_buffer_t *b0 = vlib_get_buffer (vm, *bi0);
-
- if (sa0->is_tunnel)
- { /* tunnel mode */
- vlib_buffer_advance (b0, ip_hdr_size + sizeof (ah_header_t) + icv_size +
- icv_padding_len);
- if (ah0->nexthdr == IP_PROTOCOL_IP_IN_IP)
- *next0 = AH_DECRYPT_NEXT_IP4_INPUT;
- else if (ah0->nexthdr == IP_PROTOCOL_IPV6)
- *next0 = AH_DECRYPT_NEXT_IP6_INPUT;
- else
- {
- clib_warning ("next header: 0x%x", ah0->nexthdr);
- vlib_node_increment_counter (vm, node->node_index,
- AH_DECRYPT_ERROR_DECRYPTION_FAILED, 1);
- *next0 = AH_DECRYPT_NEXT_DROP;
- return;
- }
- }
- else
- { /* transport mode */
- const size_t ip_hdr_offset =
- sizeof (ah_header_t) + icv_size + icv_padding_len;
- if (is_ip6)
- { /* ipv6 */
- ip6_header_t *ih6 =
- (ip6_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
- ip_hdr_offset);
- u8 nexthdr = ah0->nexthdr;
- memmove (ih6, vlib_buffer_get_current (b0), sizeof (ip6_header_t));
- vlib_buffer_advance (b0, ip_hdr_offset);
-
- *next0 = AH_DECRYPT_NEXT_IP6_INPUT;
- ih6->protocol = nexthdr;
- ih6->payload_length =
- clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0) -
- sizeof (ip6_header_t));
- }
- else
- { /* ipv4 */
- ip4_header_t *ih4 =
- (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
- ip_hdr_offset);
- u8 nexthdr = ah0->nexthdr;
- memmove (ih4, vlib_buffer_get_current (b0), sizeof (ip4_header_t));
- vlib_buffer_advance (b0, ip_hdr_offset);
-
- *next0 = AH_DECRYPT_NEXT_IP4_INPUT;
- ih4->ip_version_and_header_length = 0x45;
- ih4->fragment_id = 0;
- ih4->flags_and_fragment_offset = 0;
- ih4->protocol = nexthdr;
- ih4->length =
- clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0));
- ih4->checksum = ip4_header_checksum (ih4);
- }
- }
-
- /* for IPSec-GRE tunnel next node is ipsec-gre-input */
- if (PREDICT_FALSE
- ((vnet_buffer (b0)->ipsec.flags & IPSEC_FLAG_IPSEC_GRE_TUNNEL)))
- {
- *next0 = AH_DECRYPT_NEXT_IPSEC_GRE_INPUT;
- }
-}
-
-always_inline void
-ah_finish_decrypt (vlib_main_t * vm, vlib_node_runtime_t * node,
- JOB_AES_HMAC * job, u32 * bi0, u32 * next0, int is_ip6)
-{
- ipsec_main_t *im = &ipsec_main;
- *bi0 = (uintptr_t) job->user_data;
- vlib_buffer_t *b0 = vlib_get_buffer (vm, *bi0);
- ipsec_sa_t *sa0 =
- pool_elt_at_index (im->sad, vnet_buffer (b0)->ipsec.sad_index);
- ipsec_proto_main_t *em = &ipsec_proto_main;
- u32 icv_size = em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size;
- u32 ip_hdr_size = 0;
- ip4_header_t *ih4 = vlib_buffer_get_current (b0);
- size_t seq_size = 0;
- if (PREDICT_TRUE (sa0->use_esn))
- {
- seq_size = sizeof (u32);
- }
- ip_mutable_data_t *md =
- (ip_mutable_data_t *) ((u8 *) vlib_buffer_get_current (b0) +
- b0->current_length + seq_size + icv_size);
- if (is_ip6)
- {
- ip_hdr_size = sizeof (ip6_header_t);
- ip6_header_t *ih6 = vlib_buffer_get_current (b0);
- ih6->ip_version_traffic_class_and_flow_label =
- md->ip_version_traffic_class_and_flow_label;
- ih6->hop_limit = md->hop_limit;
- }
- else
- {
- ip_hdr_size = ip4_header_bytes (ih4);
- ih4->ttl = md->ttl;
- ih4->tos = md->tos;
- }
-
- u8 icv_padding_len = ah_calc_icv_padding_len (icv_size, is_ip6);
- ah_header_t *ah0 =
- (ah_header_t *) ((u8 *) vlib_buffer_get_current (b0) + ip_hdr_size);
- void *digest = ah0 + 1;
- void *sig = vlib_buffer_get_current (b0) + b0->current_length + seq_size;
-
- if (PREDICT_FALSE (memcmp (digest, sig, icv_size)))
- {
- vlib_node_increment_counter (vm, node->node_index,
- AH_DECRYPT_ERROR_INTEG_ERROR, 1);
- *next0 = AH_DECRYPT_NEXT_DROP;
- return;
- }
-
- if (PREDICT_TRUE (sa0->use_anti_replay))
- {
- if (PREDICT_TRUE (sa0->use_esn))
- esp_replay_advance_esn (sa0, clib_host_to_net_u32 (ah0->seq_no));
- else
- esp_replay_advance (sa0, clib_host_to_net_u32 (ah0->seq_no));
- }
- remove_ah (vm, node, bi0, next0, sa0, ip_hdr_size, icv_size,
- icv_padding_len, ah0, is_ip6);
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
-}
-
-always_inline uword
-ah_decrypt_ipsecmb_inline (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame, int is_ip6)
-{
- u32 n_left_from, *from, next_index, *to_next;
- ipsec_main_t *im = &ipsec_main;
- ipsecmb_main_t *imbm = &ipsecmb_main;
- ipsec_proto_main_t *em = &ipsec_proto_main;
- from = vlib_frame_vector_args (from_frame);
- n_left_from = from_frame->n_vectors;
- int icv_size = 0;
- u32 thread_index = vlib_get_thread_index ();
- MB_MGR *mgr = imbm->mb_mgr[thread_index];
- u32 packets_in_flight = 0;
-
- next_index = node->cached_next_index;
-
- while (n_left_from > 0 || packets_in_flight > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0;
- u32 next0;
- vlib_buffer_t *b0;
- ah_header_t *ah0;
- ipsec_sa_t *sa0;
- ipsecmb_sa_t *samb0;
- u32 sa_index0 = ~0;
- u32 seq;
- ip4_header_t *ih4 = 0;
- ip6_header_t *ih6 = 0;
- u8 ip_hdr_size = 0;
-
- bi0 = from[0];
- from += 1;
- n_left_from -= 1;
-
- next0 = AH_DECRYPT_NEXT_DROP;
-
- b0 = vlib_get_buffer (vm, bi0);
- ih4 = vlib_buffer_get_current (b0);
- ih6 = vlib_buffer_get_current (b0);
-
- sa_index0 = vnet_buffer (b0)->ipsec.sad_index;
- sa0 = pool_elt_at_index (im->sad, sa_index0);
- samb0 = pool_elt_at_index (imbm->sad, sa_index0);
-
- if (is_ip6)
- {
- ip6_ext_header_t *prev = NULL;
- ip6_ext_header_find_t (ih6, prev, ah0, IP_PROTOCOL_IPSEC_AH);
- ip_hdr_size = sizeof (ip6_header_t);
- ASSERT ((u8 *) ah0 - (u8 *) ih6 == ip_hdr_size);
- }
- else
- {
- ip_hdr_size = ip4_header_bytes (ih4);
- ah0 = (ah_header_t *) (ih4 + 1);
- }
-
- seq = clib_host_to_net_u32 (ah0->seq_no);
- /* anti-replay check */
- // TODO UT remaining
- if (sa0->use_anti_replay)
- {
- int rv = 0;
-
- if (PREDICT_TRUE (sa0->use_esn))
- rv = esp_replay_check_esn (sa0, seq);
- else
- rv = esp_replay_check (sa0, seq);
-
- if (PREDICT_FALSE (rv))
- {
- clib_warning ("anti-replay SPI %u seq %u", sa0->spi, seq);
- vlib_node_increment_counter (vm, node->node_index,
- AH_DECRYPT_ERROR_REPLAY, 1);
- goto trace;
- }
- }
-
- sa0->total_data_size += b0->current_length;
- icv_size =
- em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size;
- if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
- {
- u8 *icv = (u8 *) vlib_buffer_get_current (b0) + ip_hdr_size +
- sizeof (ah_header_t);
- size_t seq_size = 0;
- if (PREDICT_TRUE (sa0->use_esn))
- {
- *(u32 *) (vlib_buffer_get_current (b0) +
- b0->current_length) = sa0->seq_hi;
- seq_size = sizeof (u32);
- }
- clib_memcpy (vlib_buffer_get_current (b0) + b0->current_length +
- seq_size, icv, icv_size);
- memset (icv, 0, icv_size);
-
- ip_mutable_data_t *md =
- (ip_mutable_data_t *) ((u8 *) vlib_buffer_get_current (b0) +
- b0->current_length + seq_size +
- icv_size);
- if (is_ip6)
- {
- md->ip_version_traffic_class_and_flow_label =
- ih6->ip_version_traffic_class_and_flow_label;
- md->hop_limit = ih6->hop_limit;
- ih6->ip_version_traffic_class_and_flow_label = 0x60;
- ih6->hop_limit = 0;
- }
- else
- {
- md->tos = ih4->tos;
- md->ttl = ih4->ttl;
- ih4->tos = 0;
- ih4->ttl = 0;
- ih4->checksum = 0;
- ih4->flags_and_fragment_offset = 0;
- }
-
- JOB_AES_HMAC *job = IPSECMB_FUNC (get_next_job) (mgr);
- job->src = vlib_buffer_get_current (b0);
- job->hash_start_src_offset_in_bytes = 0;
- job->cipher_mode = NULL_CIPHER;
- job->hash_alg = imbm->integ_algs[sa0->integ_alg].hash_alg;
- job->auth_tag_output_len_in_bytes =
- imbm->integ_algs[sa0->integ_alg].hash_output_length;
- job->auth_tag_output = icv;
- job->msg_len_to_hash_in_bytes = b0->current_length + seq_size;
- job->cipher_direction = DECRYPT;
- job->chain_order = HASH_CIPHER;
- job->u.HMAC._hashed_auth_key_xor_ipad = samb0->ipad_hash;
- job->u.HMAC._hashed_auth_key_xor_opad = samb0->opad_hash;
-
- job->user_data = (void *) (uintptr_t) bi0;
- job->user_data2 = (void *) (uintptr_t) next0;
- vnet_buffer (b0)->ipsec.sad_index = sa_index0;
- job = IPSECMB_FUNC (submit_job) (mgr);
- ++packets_in_flight;
-
- if (!job)
- {
- continue;
- }
- --packets_in_flight;
- ASSERT (STS_COMPLETED == job->status);
- ah_finish_decrypt (vm, node, job, &bi0, &next0, is_ip6);
- }
- else
- {
- remove_ah (vm, node, &bi0, &next0, sa0, ip_hdr_size, icv_size,
- 0, ah0, is_ip6);
- }
- trace:
- to_next[0] = bi0;
- to_next += 1;
- n_left_to_next -= 1;
- if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
- {
- b0->flags |= VLIB_BUFFER_IS_TRACED;
- ah_decrypt_trace_t *tr =
- vlib_add_trace (vm, node, b0, sizeof (*tr));
- tr->integ_alg = sa0->integ_alg;
- }
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
- n_left_to_next, bi0, next0);
- }
-
- if (0 == n_left_from)
- {
- JOB_AES_HMAC *job = NULL;
- while (n_left_to_next > 0 && (job = IPSECMB_FUNC (flush_job) (mgr)))
- {
- --packets_in_flight;
- ASSERT (STS_COMPLETED == job->status);
- u32 bi0, next0;
- ah_finish_decrypt (vm, node, job, &bi0, &next0, is_ip6);
- to_next[0] = bi0;
- to_next += 1;
- n_left_to_next -= 1;
- vlib_buffer_t *b0 = vlib_get_buffer (vm, bi0);
- if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
- {
- ipsec_sa_t *sa0 = pool_elt_at_index (im->sad,
- vnet_buffer
- (b0)->ipsec.sad_index);
- b0->flags |= VLIB_BUFFER_IS_TRACED;
- ah_decrypt_trace_t *tr =
- vlib_add_trace (vm, node, b0, sizeof (*tr));
- tr->integ_alg = sa0->integ_alg;
- }
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
- n_left_to_next, bi0, next0);
- }
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
- vlib_node_increment_counter (vm, node->node_index, AH_DECRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
-
- return from_frame->n_vectors;
-}
-
-VLIB_NODE_FN (ah4_decrypt_ipsecmb_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame)
-{
- return ah_decrypt_ipsecmb_inline (vm, node, from_frame, 0 /*is_ip6 */ );
-}
-
-VLIB_NODE_FN (ah6_decrypt_ipsecmb_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame)
-{
- return ah_decrypt_ipsecmb_inline (vm, node, from_frame, 1 /*is_ip6 */ );
-}
-#endif
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (ah4_decrypt_ipsecmb_node) = {
- .name = "ah4-decrypt-ipsecmb",
- .vector_size = sizeof (u32),
- .format_trace = format_ah_decrypt_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN (ah_decrypt_error_strings),
- .error_strings = ah_decrypt_error_strings,
-
- .n_next_nodes = AH_DECRYPT_N_NEXT,
- .next_nodes =
- {
-#define _(s, n) [AH_DECRYPT_NEXT_##s] = n,
- foreach_ah_decrypt_next
-#undef _
- },
-};
-/* *INDENT-ON* */
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (ah6_decrypt_ipsecmb_node) = {
- .name = "ah6-decrypt-ipsecmb",
- .vector_size = sizeof (u32),
- .format_trace = format_ah_decrypt_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN (ah_decrypt_error_strings),
- .error_strings = ah_decrypt_error_strings,
-
- .n_next_nodes = AH_DECRYPT_N_NEXT,
- .next_nodes =
- {
-#define _(s, n) [AH_DECRYPT_NEXT_##s] = n,
- foreach_ah_decrypt_next
-#undef _
- },
-};
-/* *INDENT-ON* */
-
-/*
- * fd.io coding-style-patch-verification: ON
- *
- * Local Variables:
- * eval: (c-set-style "gnu")
- * End:
- */
diff --git a/src/plugins/ipsecmb/ah_encrypt.c b/src/plugins/ipsecmb/ah_encrypt.c
deleted file mode 100644
index 927deae188f..00000000000
--- a/src/plugins/ipsecmb/ah_encrypt.c
+++ /dev/null
@@ -1,466 +0,0 @@
-/*
- * ah_encrypt.c : ipsecmb AH encrypt node
- *
- * Copyright (c) 2015 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <vnet/vnet.h>
-#include <vnet/api_errno.h>
-#include <vnet/ip/ip.h>
-
-#include <vnet/ipsec/ipsec.h>
-#include <vnet/ipsec/esp.h>
-#include <vnet/ipsec/ah.h>
-
-#include <ipsecmb/ipsecmb.h>
-
-#define foreach_ah_encrypt_next \
-_(DROP, "error-drop") \
-_(IP4_LOOKUP, "ip4-lookup") \
-_(IP6_LOOKUP, "ip6-lookup") \
-_(INTERFACE_OUTPUT, "interface-output")
-
-#define _(v, s) AH_ENCRYPT_NEXT_##v,
-typedef enum
-{
- foreach_ah_encrypt_next
-#undef _
- AH_ENCRYPT_N_NEXT,
-} ah_encrypt_next_t;
-
-#define foreach_ah_encrypt_error \
- _(RX_PKTS, "AH pkts received") \
- _(SEQ_CYCLED, "sequence number cycled")
-
-
-typedef enum
-{
-#define _(sym,str) AH_ENCRYPT_ERROR_##sym,
- foreach_ah_encrypt_error
-#undef _
- AH_ENCRYPT_N_ERROR,
-} ah_encrypt_error_t;
-
-static char *ah_encrypt_error_strings[] = {
-#define _(sym,string) string,
- foreach_ah_encrypt_error
-#undef _
-};
-
-typedef struct
-{
- u32 spi;
- u32 seq;
- ipsec_integ_alg_t integ_alg;
-} ah_encrypt_trace_t;
-
-/* packet trace format function */
-static u8 *
-format_ah_encrypt_trace (u8 * s, va_list * args)
-{
- CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
- CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
- ah_encrypt_trace_t *t = va_arg (*args, ah_encrypt_trace_t *);
-
- s = format (s, "ah: spi %u seq %u integrity %U",
- t->spi, t->seq, format_ipsec_integ_alg, t->integ_alg);
- return s;
-}
-
-#ifdef CLIB_MARCH_VARIANT
-always_inline void
-ah_finish_encrypt (vlib_main_t * vm, vlib_buffer_t * b0, ipsec_sa_t * sa0,
- int is_ip6)
-{
- if (is_ip6)
- {
- ip6_header_t *oh6 = 0;
- oh6 = vlib_buffer_get_current (b0);
- oh6->ip_version_traffic_class_and_flow_label =
- vnet_buffer (b0)->ipsec.ip_version_traffic_class_and_flow_label;
- oh6->hop_limit = vnet_buffer (b0)->ipsec.ttl_or_hop_limit;
- }
- else
- {
- ip4_header_t *oh4 = 0;
- oh4 = vlib_buffer_get_current (b0);
- oh4->ttl = vnet_buffer (b0)->ipsec.ttl_or_hop_limit;
- oh4->tos = vnet_buffer (b0)->ipsec.tos;
- oh4->checksum = ip4_header_checksum (oh4);
- }
-}
-
-always_inline uword
-ah_encrypt_ipsecmb_inline (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame, int is_ip6)
-{
- u32 n_left_from, *from, *to_next = 0, next_index;
- int icv_size = 0;
- from = vlib_frame_vector_args (from_frame);
- n_left_from = from_frame->n_vectors;
- ipsec_main_t *im = &ipsec_main;
- ipsecmb_main_t *imbm = &ipsecmb_main;
- ipsec_proto_main_t *em = &ipsec_proto_main;
- next_index = node->cached_next_index;
- u32 thread_index = vlib_get_thread_index ();
- MB_MGR *mgr = imbm->mb_mgr[thread_index];
- u32 packets_in_flight = 0;
-
- while (n_left_from > 0 || packets_in_flight > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0, next0;
- vlib_buffer_t *b0 = 0;
- u32 sa_index0;
- ipsec_sa_t *sa0;
- ipsecmb_sa_t *samb0;
- ip4_header_t *ih4, *oh4 = 0;
- ip6_header_t *ih6, *oh6 = 0;
- ah_header_t *ah = 0;
- u8 next_hdr_type;
- u8 transport_mode = 0;
-
- bi0 = from[0];
- from += 1;
- n_left_from -= 1;
-
- next0 = AH_ENCRYPT_NEXT_DROP;
-
- b0 = vlib_get_buffer (vm, bi0);
- sa_index0 = vnet_buffer (b0)->ipsec.sad_index;
- sa0 = pool_elt_at_index (im->sad, sa_index0);
- samb0 = pool_elt_at_index (imbm->sad, sa_index0);
-
- if (PREDICT_FALSE (esp_seq_advance (sa0)))
- {
- clib_warning ("sequence number counter has cycled SPI %u",
- sa0->spi);
- vlib_node_increment_counter (vm, node->node_index,
- AH_ENCRYPT_ERROR_SEQ_CYCLED, 1);
- to_next[0] = bi0;
- to_next += 1;
- goto trace;
- }
-
-
- sa0->total_data_size += b0->current_length;
-
- ssize_t adv;
- ih4 = vlib_buffer_get_current (b0);
-
- if (PREDICT_TRUE (sa0->is_tunnel))
- {
- if (!is_ip6)
- adv = -sizeof (ip4_and_ah_header_t);
- else
- adv = -sizeof (ip6_and_ah_header_t);
- }
- else
- {
- adv = -sizeof (ah_header_t);
- }
-
- const u8 padding_len = ah_calc_icv_padding_len (icv_size, is_ip6);
- adv -= padding_len;
-
- icv_size =
- em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size;
- /* transport mode save the eth header before it is overwritten */
- if (PREDICT_FALSE (!sa0->is_tunnel))
- {
- ethernet_header_t *ieh0 = (ethernet_header_t *)
- ((u8 *) vlib_buffer_get_current (b0) -
- sizeof (ethernet_header_t));
- ethernet_header_t *oeh0 =
- (ethernet_header_t *) ((u8 *) ieh0 + (adv - icv_size));
- clib_memcpy (oeh0, ieh0, sizeof (ethernet_header_t));
- }
-
- vlib_buffer_advance (b0, adv - icv_size);
-
- if (is_ip6)
- {
- ih6 = (ip6_header_t *) ih4;
- oh6 = vlib_buffer_get_current (b0);
- ah = (ah_header_t *) (oh6 + 1);
- vnet_buffer (b0)->ipsec.ttl_or_hop_limit = ih6->hop_limit;
- vnet_buffer (b0)->
- ipsec.ip_version_traffic_class_and_flow_label =
- ih6->ip_version_traffic_class_and_flow_label;
-
- if (PREDICT_TRUE (sa0->is_tunnel))
- {
- next_hdr_type = IP_PROTOCOL_IPV6;
- }
- else
- {
- next_hdr_type = ih6->protocol;
- memmove (oh6, ih6, sizeof (ip6_header_t));
- }
-
- oh6->protocol = IP_PROTOCOL_IPSEC_AH;
- oh6->ip_version_traffic_class_and_flow_label = 0x60;
- oh6->hop_limit = 0;
- ah->reserved = 0;
- ah->nexthdr = next_hdr_type;
- ah->spi = clib_net_to_host_u32 (sa0->spi);
- ah->seq_no = clib_net_to_host_u32 (sa0->seq);
- ah->hdrlen =
- (sizeof (ah_header_t) + icv_size + padding_len) / 4 - 2;
- oh6->payload_length =
- clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0) -
- sizeof (ip6_header_t));
- }
- else
- {
- oh4 = vlib_buffer_get_current (b0);
- memset (oh4, 0, sizeof (*oh4));
- ah = (ah_header_t *) (oh4 + 1);
- memset (ah, 0, sizeof (*ah));
- vnet_buffer (b0)->ipsec.ttl_or_hop_limit = ih4->ttl;
- vnet_buffer (b0)->ipsec.tos = ih4->tos;
-
- if (PREDICT_TRUE (sa0->is_tunnel))
- {
- next_hdr_type = IP_PROTOCOL_IP_IN_IP;
- }
- else
- {
- next_hdr_type = ih4->protocol;
- memmove (oh4, ih4, sizeof (ip4_header_t));
- }
-
- oh4->length =
- clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0));
- oh4->ip_version_and_header_length = 0x45;
- oh4->fragment_id = 0;
- oh4->flags_and_fragment_offset = 0;
- oh4->ttl = 0;
- oh4->tos = 0;
- oh4->protocol = IP_PROTOCOL_IPSEC_AH;
- ah->spi = clib_net_to_host_u32 (sa0->spi);
- ah->seq_no = clib_net_to_host_u32 (sa0->seq);
- oh4->checksum = 0;
- ah->nexthdr = next_hdr_type;
- ah->hdrlen =
- (sizeof (ah_header_t) + icv_size + padding_len) / 4 - 2;
- }
-
- if (PREDICT_TRUE (!is_ip6 && sa0->is_tunnel && !sa0->is_tunnel_ip6))
- {
- oh4->src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32;
- oh4->dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32;
-
- next0 = AH_ENCRYPT_NEXT_IP4_LOOKUP;
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- }
- else if (is_ip6 && sa0->is_tunnel && sa0->is_tunnel_ip6)
- {
- oh6->src_address.as_u64[0] = sa0->tunnel_src_addr.ip6.as_u64[0];
- oh6->src_address.as_u64[1] = sa0->tunnel_src_addr.ip6.as_u64[1];
- oh6->dst_address.as_u64[0] = sa0->tunnel_dst_addr.ip6.as_u64[0];
- oh6->dst_address.as_u64[1] = sa0->tunnel_dst_addr.ip6.as_u64[1];
- next0 = AH_ENCRYPT_NEXT_IP6_LOOKUP;
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- }
- else
- {
- transport_mode = 1;
- }
-
- memset (ah + 1, 0, icv_size);
-
- JOB_AES_HMAC *job = IPSECMB_FUNC (get_next_job) (mgr);
- job->src = vlib_buffer_get_current (b0);
- job->hash_start_src_offset_in_bytes = 0;
- job->cipher_mode = NULL_CIPHER;
- job->hash_alg = imbm->integ_algs[sa0->integ_alg].hash_alg;
- job->auth_tag_output_len_in_bytes =
- imbm->integ_algs[sa0->integ_alg].hash_output_length;
- job->auth_tag_output = (u8 *) (ah + 1);
- if (PREDICT_TRUE (sa0->use_esn))
- {
- *(u32 *) (vlib_buffer_get_current (b0) + b0->current_length) =
- sa0->seq_hi;
- b0->current_length += sizeof (u32);
- }
- job->msg_len_to_hash_in_bytes = b0->current_length;
- job->cipher_direction = ENCRYPT;
- job->chain_order = HASH_CIPHER;
- job->u.HMAC._hashed_auth_key_xor_ipad = samb0->ipad_hash;
- job->u.HMAC._hashed_auth_key_xor_opad = samb0->opad_hash;
-
-
- job->user_data = (void *) (uintptr_t) bi0;
- job->user_data2 = (void *) (uintptr_t) next0;
- vnet_buffer (b0)->ipsec.sad_index = sa_index0;
-
- job = IPSECMB_FUNC (submit_job) (mgr);
- ++packets_in_flight;
-
- if (!job)
- {
- continue;
- }
-
- --packets_in_flight;
- ASSERT (STS_COMPLETED == job->status);
- bi0 = (uintptr_t) job->user_data;
- next0 = (uintptr_t) job->user_data2;
- b0 = vlib_get_buffer (vm, bi0);
- sa0 =
- pool_elt_at_index (im->sad, vnet_buffer (b0)->ipsec.sad_index);
- ah_finish_encrypt (vm, b0, sa0, is_ip6);
- if (!sa0->is_tunnel && !sa0->is_tunnel_ip6)
- {
- next0 = AH_ENCRYPT_NEXT_INTERFACE_OUTPUT;
- vlib_buffer_advance (b0, -sizeof (ethernet_header_t));
- }
-
- to_next[0] = bi0;
- to_next += 1;
- n_left_to_next -= 1;
-
- trace:
- if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
- {
- ah_encrypt_trace_t *tr =
- vlib_add_trace (vm, node, b0, sizeof (*tr));
- tr->spi = sa0->spi;
- tr->seq = sa0->seq - 1;
- tr->integ_alg = sa0->integ_alg;
- }
-
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next, bi0,
- next0);
- }
-
- if (PREDICT_FALSE (n_left_from == 0))
- {
- JOB_AES_HMAC *job = NULL;
- while (n_left_to_next > 0 && (job = IPSECMB_FUNC (flush_job) (mgr)))
- {
- --packets_in_flight;
- u32 bi0, next0;
- vlib_buffer_t *b0;
- ipsec_sa_t *sa0;
-
- ASSERT (STS_COMPLETED == job->status);
- bi0 = (uintptr_t) job->user_data;
- next0 = (uintptr_t) job->user_data2;
- b0 = vlib_get_buffer (vm, bi0);
- sa0 =
- pool_elt_at_index (im->sad,
- vnet_buffer (b0)->ipsec.sad_index);
- ah_finish_encrypt (vm, b0, sa0, is_ip6);
- if (!sa0->is_tunnel && !sa0->is_tunnel_ip6)
- {
- next0 = AH_ENCRYPT_NEXT_INTERFACE_OUTPUT;
- vlib_buffer_advance (b0, -sizeof (ethernet_header_t));
- }
-
- to_next[0] = bi0;
- to_next += 1;
- n_left_to_next -= 1;
-
- if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
- {
- ah_encrypt_trace_t *tr =
- vlib_add_trace (vm, node, b0, sizeof (*tr));
- tr->spi = sa0->spi;
- tr->seq = sa0->seq - 1;
- tr->integ_alg = sa0->integ_alg;
- }
-
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next, bi0,
- next0);
- }
- }
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
- vlib_node_increment_counter (vm, node->node_index, AH_ENCRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
-
- return from_frame->n_vectors;
-}
-
-VLIB_NODE_FN (ah4_encrypt_ipsecmb_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame)
-{
- return ah_encrypt_ipsecmb_inline (vm, node, from_frame, 0 /*is_ip6 */ );
-}
-
-VLIB_NODE_FN (ah6_encrypt_ipsecmb_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame)
-{
- return ah_encrypt_ipsecmb_inline (vm, node, from_frame, 1 /*is_ip6 */ );
-}
-
-#endif
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (ah4_encrypt_ipsecmb_node) = {
- .name = "ah4-encrypt-ipsecmb",
- .vector_size = sizeof (u32),
- .format_trace = format_ah_encrypt_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(ah_encrypt_error_strings),
- .error_strings = ah_encrypt_error_strings,
-
- .n_next_nodes = AH_ENCRYPT_N_NEXT,
- .next_nodes = {
-#define _(s,n) [AH_ENCRYPT_NEXT_##s] = n,
- foreach_ah_encrypt_next
-#undef _
- },
-};
-/* *INDENT-ON* */
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (ah6_encrypt_ipsecmb_node) = {
- .name = "ah6-encrypt-ipsecmb",
- .vector_size = sizeof (u32),
- .format_trace = format_ah_encrypt_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(ah_encrypt_error_strings),
- .error_strings = ah_encrypt_error_strings,
-
- .n_next_nodes = AH_ENCRYPT_N_NEXT,
- .next_nodes = {
-#define _(s,n) [AH_ENCRYPT_NEXT_##s] = n,
- foreach_ah_encrypt_next
-#undef _
- },
-};
-/* *INDENT-ON* */
-
-/*
- * fd.io coding-style-patch-verification: ON
- *
- * Local Variables:
- * eval: (c-set-style "gnu")
- * End:
- */
diff --git a/src/plugins/ipsecmb/esp_decrypt.c b/src/plugins/ipsecmb/esp_decrypt.c
deleted file mode 100644
index 835f41eb35d..00000000000
--- a/src/plugins/ipsecmb/esp_decrypt.c
+++ /dev/null
@@ -1,471 +0,0 @@
-/*
- * esp_decrypt.c : ipsecmb ESP decrypt node
- *
- * Copyright (c) 2015 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <vnet/vnet.h>
-#include <vnet/api_errno.h>
-#include <vnet/ip/ip.h>
-
-#include <vnet/ipsec/ipsec.h>
-#include <vnet/ipsec/esp.h>
-#include <ipsecmb/ipsecmb.h>
-
-#define foreach_esp_decrypt_next \
-_(DROP, "error-drop") \
-_(IP4_INPUT, "ip4-input") \
-_(IP6_INPUT, "ip6-input") \
-_(IPSEC_GRE_INPUT, "ipsec-gre-input")
-
-#define _(v, s) ESP_DECRYPT_NEXT_##v,
-typedef enum
-{
- foreach_esp_decrypt_next
-#undef _
- ESP_DECRYPT_N_NEXT,
-} esp_decrypt_next_t;
-
-
-#define foreach_esp_decrypt_error \
- _(RX_PKTS, "ESP pkts received") \
- _(NO_BUFFER, "No buffer (packed dropped)") \
- _(DECRYPTION_FAILED, "ESP decryption failed") \
- _(INTEG_ERROR, "Integrity check failed") \
- _(REPLAY, "SA replayed packet") \
- _(NOT_IP, "Not IP packet (dropped)")
-
-typedef enum
-{
-#define _(sym,str) ESP_DECRYPT_ERROR_##sym,
- foreach_esp_decrypt_error
-#undef _
- ESP_DECRYPT_N_ERROR,
-} esp_decrypt_error_t;
-
-static char *esp_decrypt_error_strings[] = {
-#define _(sym,string) string,
- foreach_esp_decrypt_error
-#undef _
-};
-
-typedef struct
-{
- ipsec_crypto_alg_t crypto_alg;
- ipsec_integ_alg_t integ_alg;
-} esp_decrypt_trace_t;
-
-/* packet trace format function */
-static u8 *
-format_esp_decrypt_trace (u8 * s, va_list * args)
-{
- CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
- CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
- esp_decrypt_trace_t *t = va_arg (*args, esp_decrypt_trace_t *);
-
- s = format (s, "esp: crypto %U integrity %U",
- format_ipsec_crypto_alg, t->crypto_alg,
- format_ipsec_integ_alg, t->integ_alg);
- return s;
-}
-
-#ifdef CLIB_MARCH_VARIANT
-always_inline void
-esp_finish_decrypt (vlib_main_t * vm, vlib_node_runtime_t * node,
- JOB_AES_HMAC * job, u32 * next0, ipsec_sa_t * sa0,
- int is_ip6)
-{
- u32 bi0 = (uintptr_t) job->user_data;
- vlib_buffer_t *b0 = vlib_get_buffer (vm, bi0);
- esp_footer_t *f0;
- ip4_header_t *ih4 = vlib_buffer_get_current (b0);
- ip6_header_t *ih6 = vlib_buffer_get_current (b0);
-
- if (NULL_HASH != job->hash_alg)
- {
- if (0 !=
- memcmp (job->auth_tag_output,
- job->auth_tag_output - job->auth_tag_output_len_in_bytes,
- job->auth_tag_output_len_in_bytes))
- {
- vlib_node_increment_counter (vm, node->node_index,
- ESP_DECRYPT_ERROR_INTEG_ERROR, 1);
- *next0 = ESP_DECRYPT_NEXT_DROP;
- return;
- }
- }
-
- f0 = (esp_footer_t *) ((u8 *) vlib_buffer_get_current (b0) +
- b0->current_length);
- b0->current_length -= f0->pad_length;
-
- /* tunnel mode */
- if (sa0->is_tunnel)
- {
- if (f0->next_header == IP_PROTOCOL_IP_IN_IP)
- {
- *next0 = ESP_DECRYPT_NEXT_IP4_INPUT;
- }
- else if (f0->next_header == IP_PROTOCOL_IPV6)
- {
- *next0 = ESP_DECRYPT_NEXT_IP6_INPUT;
- }
- else
- {
- vlib_node_increment_counter (vm, node->node_index,
- ESP_DECRYPT_ERROR_DECRYPTION_FAILED,
- 1);
- *next0 = ESP_DECRYPT_NEXT_DROP;
- return;
- }
- }
- /* transport mode */
- else
- {
- if (is_ip6)
- {
- *next0 = ESP_DECRYPT_NEXT_IP6_INPUT;
- ih6->protocol = f0->next_header;
- ih6->payload_length =
- clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0) -
- sizeof (ip6_header_t));
- }
- else
- {
- *next0 = ESP_DECRYPT_NEXT_IP4_INPUT;
- ih4->fragment_id = 0;
- ih4->flags_and_fragment_offset = 0;
- ih4->protocol = f0->next_header;
- ih4->length =
- clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0));
- ih4->checksum = ip4_header_checksum (ih4);
- }
- }
-
- /* for IPSec-GRE tunnel next node is ipsec-gre-input */
- if ((vnet_buffer (b0)->ipsec.flags & IPSEC_FLAG_IPSEC_GRE_TUNNEL))
- {
- *next0 = ESP_DECRYPT_NEXT_IPSEC_GRE_INPUT;
- }
-
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- if (sa0->use_anti_replay)
- {
- if (sa0->use_esn)
- esp_replay_advance_esn (sa0, vnet_buffer (b0)->ipsec.seq);
- else
- esp_replay_advance (sa0, vnet_buffer (b0)->ipsec.seq);
- }
-}
-
-always_inline uword
-esp_decrypt_ipsecmb_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
- vlib_frame_t * from_frame, int is_ip6)
-{
- u32 n_left_from, *from, next_index, *to_next;
- u32 packets_in_flight = 0;
- ipsec_main_t *im = &ipsec_main;
- ipsecmb_main_t *imbm = &ipsecmb_main;
- ipsec_proto_main_t *em = &ipsec_proto_main;
- from = vlib_frame_vector_args (from_frame);
- n_left_from = from_frame->n_vectors;
- u32 thread_index = vlib_get_thread_index ();
- MB_MGR *mgr = imbm->mb_mgr[thread_index];
- u32 *to_be_freed = NULL;
-
- next_index = node->cached_next_index;
-
- while (n_left_from > 0 || packets_in_flight > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0, next0;
- vlib_buffer_t *b0;
- esp_header_t *esp0;
- ipsec_sa_t *sa0;
- ipsecmb_sa_t *samb0;
- u32 sa_index0 = ~0;
- u32 seq;
-
- bi0 = from[0];
- from += 1;
- n_left_from -= 1;
-
- next0 = ESP_DECRYPT_NEXT_DROP;
-
- b0 = vlib_get_buffer (vm, bi0);
- esp0 = vlib_buffer_get_current (b0);
-
- sa_index0 = vnet_buffer (b0)->ipsec.sad_index;
- sa0 = pool_elt_at_index (im->sad, sa_index0);
- samb0 = pool_elt_at_index (imbm->sad, sa_index0);
-
- vnet_buffer (b0)->ipsec.seq = seq =
- clib_host_to_net_u32 (esp0->seq);
-
- /* anti-replay check */
- if (sa0->use_anti_replay)
- {
- int rv = 0;
-
- if (sa0->use_esn)
- rv = esp_replay_check_esn (sa0, seq);
- else
- rv = esp_replay_check (sa0, seq);
-
- if (PREDICT_FALSE (rv))
- {
- vlib_node_increment_counter (vm, node->node_index,
- ESP_DECRYPT_ERROR_REPLAY, 1);
- goto trace;
- }
- }
-
- sa0->total_data_size += b0->current_length;
-
- if (PREDICT_FALSE (b0->n_add_refs > 0))
- {
- vec_add1 (to_be_freed, bi0);
- b0 = vlib_buffer_copy (vm, b0);
- bi0 = vlib_get_buffer_index (vm, b0);
- }
-
- JOB_AES_HMAC *job = IPSECMB_FUNC (get_next_job) (mgr);
- int trunc_size = 0;
- if (sa0->integ_alg != IPSEC_INTEG_ALG_NONE)
- {
- trunc_size =
- em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size;
- // put calculated auth tag after in-packet auth tag
- job->auth_tag_output =
- vlib_buffer_get_current (b0) + b0->current_length;
- b0->current_length -= trunc_size;
- job->msg_len_to_hash_in_bytes = b0->current_length;
- job->auth_tag_output_len_in_bytes = trunc_size;
- job->u.HMAC._hashed_auth_key_xor_ipad = samb0->ipad_hash;
- job->u.HMAC._hashed_auth_key_xor_opad = samb0->opad_hash;
- }
-
- job->hash_alg = imbm->integ_algs[sa0->integ_alg].hash_alg;
- u8 ip_hdr_size = 0;
-
- if ((sa0->crypto_alg >= IPSEC_CRYPTO_ALG_AES_CBC_128 &&
- sa0->crypto_alg <= IPSEC_CRYPTO_ALG_AES_CBC_256) ||
- (sa0->crypto_alg >= IPSEC_CRYPTO_ALG_DES_CBC &&
- sa0->crypto_alg <= IPSEC_CRYPTO_ALG_3DES_CBC))
- {
- const int block_size =
- em->ipsec_proto_main_crypto_algs[sa0->crypto_alg].block_size;
- const int iv_size =
- em->ipsec_proto_main_crypto_algs[sa0->crypto_alg].iv_size;
-
- int blocks =
- (b0->current_length - sizeof (esp_header_t) -
- iv_size) / block_size;
- if (b0->current_length - sizeof (esp_header_t) - iv_size <
- block_size || blocks <= 0)
- {
- vlib_node_increment_counter (vm, node->node_index,
- ESP_DECRYPT_ERROR_INTEG_ERROR,
- 1);
- goto trace;
- }
-
- /* transport mode */
- if (!sa0->is_tunnel)
- {
- if (b0->flags & VNET_BUFFER_F_L3_HDR_OFFSET_VALID)
- {
- if (is_ip6)
- {
- ip_hdr_size = sizeof (ip6_header_t);
- }
- else
- {
- ip_hdr_size = sizeof (ip4_header_t);
- }
- }
- else
- {
- vlib_node_increment_counter (vm, node->node_index,
- ESP_DECRYPT_ERROR_NOT_IP,
- 1);
- goto trace;
- }
- }
-
- job->chain_order = HASH_CIPHER;
- job->cipher_direction = DECRYPT;
- job->src = (u8 *) esp0;
- job->dst = (u8 *) esp0;
- vlib_buffer_advance (b0, -ip_hdr_size);
- job->cipher_mode =
- imbm->crypto_algs[sa0->crypto_alg].cipher_mode;
- job->aes_enc_key_expanded = samb0->aes_enc_key_expanded;
- job->aes_dec_key_expanded = samb0->aes_dec_key_expanded;
- job->aes_key_len_in_bytes = sa0->crypto_key_len;
- job->iv = esp0->data;
- job->iv_len_in_bytes = iv_size;
- job->msg_len_to_cipher_in_bytes = blocks * block_size;
- job->cipher_start_src_offset_in_bytes =
- sizeof (esp_header_t) + iv_size;
- job->hash_start_src_offset_in_bytes = 0;
-
- job->user_data = (void *) (uintptr_t) bi0;
- job->user_data2 = sa0;
- b0->current_length =
- (blocks * block_size) - sizeof (esp_footer_t) + ip_hdr_size;
- ASSERT ((u8 *) vlib_buffer_get_current (b0) +
- b0->current_length < job->auth_tag_output);
- b0->flags |= VLIB_BUFFER_TOTAL_LENGTH_VALID;
-
- job = IPSECMB_FUNC (submit_job) (mgr);
- ++packets_in_flight;
-
- if (!job)
- {
- continue;
- }
-
- --packets_in_flight;
-
- sa0 = job->user_data2;
- bi0 = (uintptr_t) job->user_data;
- b0 = vlib_get_buffer (vm, bi0);
- esp_finish_decrypt (vm, node, job, &next0, sa0, is_ip6);
-
- trace:
- to_next[0] = bi0;
- to_next += 1;
- n_left_to_next -= 1;
-
- if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
- {
- esp_decrypt_trace_t *tr =
- vlib_add_trace (vm, node, b0, sizeof (*tr));
- tr->crypto_alg = sa0->crypto_alg;
- tr->integ_alg = sa0->integ_alg;
- }
-
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
- n_left_to_next, bi0, next0);
- }
- }
-
- if (PREDICT_FALSE (n_left_from == 0 && packets_in_flight > 0))
- {
- JOB_AES_HMAC *job = NULL;
- while (n_left_to_next > 0 && (job = IPSECMB_FUNC (flush_job) (mgr)))
- {
- --packets_in_flight;
- u32 bi0, next0;
- bi0 = (uintptr_t) job->user_data;
- vlib_buffer_t *i_b0 = vlib_get_buffer (vm, bi0);
-
- ipsec_sa_t *sa0 = job->user_data2;
- esp_finish_decrypt (vm, node, job, &next0, sa0, is_ip6);
-
- to_next[0] = bi0;
- to_next += 1;
- n_left_to_next -= 1;
-
- if (PREDICT_FALSE (i_b0->flags & VLIB_BUFFER_IS_TRACED))
- {
- esp_decrypt_trace_t *tr =
- vlib_add_trace (vm, node, i_b0, sizeof (*tr));
- tr->crypto_alg = sa0->crypto_alg;
- tr->integ_alg = sa0->integ_alg;
- }
-
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
- n_left_to_next, bi0, next0);
- }
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
- vlib_node_increment_counter (vm, node->node_index,
- ESP_DECRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
-
- if (to_be_freed)
- vlib_buffer_free (vm, to_be_freed, vec_len (to_be_freed));
- vec_free (to_be_freed);
- return from_frame->n_vectors;
-}
-
-VLIB_NODE_FN (esp4_decrypt_ipsecmb_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame)
-{
- return esp_decrypt_ipsecmb_inline (vm, node, from_frame, 0 /*is_ip6 */ );
-}
-
-VLIB_NODE_FN (esp6_decrypt_ipsecmb_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame)
-{
- return esp_decrypt_ipsecmb_inline (vm, node, from_frame, 1 /*is_ip6 */ );
-}
-#endif
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (esp4_decrypt_ipsecmb_node) = {
- .name = "esp4-decrypt-ipsecmb",
- .vector_size = sizeof (u32),
- .format_trace = format_esp_decrypt_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(esp_decrypt_error_strings),
- .error_strings = esp_decrypt_error_strings,
-
- .n_next_nodes = ESP_DECRYPT_N_NEXT,
- .next_nodes = {
-#define _(s,n) [ESP_DECRYPT_NEXT_##s] = n,
- foreach_esp_decrypt_next
-#undef _
- },
-};
-/* *INDENT-ON* */
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (esp6_decrypt_ipsecmb_node) = {
- .name = "esp6-decrypt-ipsecmb",
- .vector_size = sizeof (u32),
- .format_trace = format_esp_decrypt_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(esp_decrypt_error_strings),
- .error_strings = esp_decrypt_error_strings,
-
- .n_next_nodes = ESP_DECRYPT_N_NEXT,
- .next_nodes = {
-#define _(s,n) [ESP_DECRYPT_NEXT_##s] = n,
- foreach_esp_decrypt_next
-#undef _
- },
-};
-/* *INDENT-ON* */
-
-/*
- * fd.io coding-style-patch-verification: ON
- *
- * Local Variables:
- * eval: (c-set-style "gnu")
- * End:
- */
diff --git a/src/plugins/ipsecmb/esp_encrypt.c b/src/plugins/ipsecmb/esp_encrypt.c
deleted file mode 100644
index 312471c6dcd..00000000000
--- a/src/plugins/ipsecmb/esp_encrypt.c
+++ /dev/null
@@ -1,651 +0,0 @@
-/*
- * esp_encrypt.c : ipsecmb ESP encrypt node
- *
- * Copyright (c) 2015 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <vnet/vnet.h>
-#include <vnet/api_errno.h>
-#include <vnet/ip/ip.h>
-#include <vnet/udp/udp.h>
-
-#include <vnet/ipsec/ipsec.h>
-#include <vnet/ipsec/esp.h>
-
-#include <ipsecmb/ipsecmb.h>
-
-#define foreach_esp_encrypt_next \
- _ (DROP, "error-drop") \
- _ (IP4_LOOKUP, "ip4-lookup") \
- _ (IP6_LOOKUP, "ip6-lookup") \
- _ (INTERFACE_OUTPUT, "interface-output")
-
-#define _(v, s) ESP_ENCRYPT_NEXT_##v,
-typedef enum
-{
- foreach_esp_encrypt_next
-#undef _
- ESP_ENCRYPT_N_NEXT,
-} esp_encrypt_next_t;
-
-#define foreach_esp_encrypt_error \
- _ (RX_PKTS, "ESP pkts received") \
- _ (NO_BUFFER, "No buffer (packet dropped)") \
- _ (DECRYPTION_FAILED, "ESP encryption failed") \
- _ (SEQ_CYCLED, "sequence number cycled")
-
-typedef enum
-{
-#define _(sym, str) ESP_ENCRYPT_ERROR_##sym,
- foreach_esp_encrypt_error
-#undef _
- ESP_ENCRYPT_N_ERROR,
-} esp_encrypt_error_t;
-
-typedef struct
-{
- u32 spi;
- u32 seq;
- u8 udp_encap;
- ipsec_crypto_alg_t crypto_alg;
- ipsec_integ_alg_t integ_alg;
-} esp_encrypt_trace_t;
-
-#ifdef CLIB_MARCH_VARIANT
-static inline void
-add_random_bytes_from_traffic (ipsecmb_main_t * imbm,
- u32 thread_index, void *from, u8 size)
-{
- ASSERT (STRUCT_SIZE_OF (random_bytes_t, data) == size);
- u32 idx;
- random_bytes_t *rb;
- ipsecmb_per_thread_data_t *t = &imbm->per_thread_data[thread_index];;
- if (PREDICT_TRUE (vec_len (t->rb_recycle_list)))
- {
- idx = vec_pop (t->rb_recycle_list);
- rb = pool_elt_at_index (t->rb_pool, idx);
- }
- else
- {
- pool_get (t->rb_pool, rb);
- idx = rb - t->rb_pool;
- }
- clib_memcpy (rb->data, from, STRUCT_SIZE_OF (random_bytes_t, data));
- vec_add1 (t->rb_from_traffic, idx);
-}
-
-static inline int
-random_bytes (ipsecmb_main_t * imbm, u32 thread_index, u8 * where, u8 size)
-{
- ASSERT (STRUCT_SIZE_OF (random_bytes_t, data) == size);
- const u8 block_size = STRUCT_SIZE_OF (random_bytes_t, data);
- ipsecmb_per_thread_data_t *t = &imbm->per_thread_data[thread_index];;
- if (PREDICT_TRUE (vec_len (t->rb_from_traffic)))
- {
- u32 idx = vec_pop (t->rb_from_traffic);
- random_bytes_t *rb = pool_elt_at_index (t->rb_pool, idx);
- clib_memcpy (where, rb->data, block_size);
- vec_add1 (t->rb_recycle_list, idx);
- return 0;
- }
- if (PREDICT_FALSE (0 == vec_len (t->rb_from_dev_urandom)))
- {
- ssize_t bytes_read = read (imbm->dev_urandom_fd, t->urandom_buffer,
- sizeof (t->urandom_buffer));
- if (bytes_read < 0)
- {
- clib_unix_warning ("read() from /dev/urandom failed");
- return -1;
- }
- if (bytes_read < block_size)
- {
- clib_unix_warning
- ("read() from /dev/urandom produced only %zd bytes", bytes_read);
- return -1;
- }
- const ssize_t limit = clib_min (bytes_read, sizeof (t->urandom_buffer));
- int i;
- for (i = 0; limit - i >= block_size && vec_len (t->rb_recycle_list) > 0;
- i += block_size)
- {
- u32 idx = vec_pop (t->rb_recycle_list);
- random_bytes_t *rb = pool_elt_at_index (t->rb_pool, idx);
- clib_memcpy (rb->data, t->urandom_buffer + i, block_size);
- vec_add1 (t->rb_from_dev_urandom, idx);
- }
- for (; limit - i >= block_size; i += block_size)
- {
- random_bytes_t *rb;
- pool_get (t->rb_pool, rb);
- clib_memcpy (rb->data, t->urandom_buffer + i, block_size);
- vec_add1 (t->rb_from_dev_urandom, rb - t->rb_pool);
- }
- }
- u32 idx = vec_pop (t->rb_from_dev_urandom);
- random_bytes_t *rb = pool_elt_at_index (t->rb_pool, idx);
- clib_memcpy (where, rb->data, block_size);
- vec_add1 (t->rb_recycle_list, idx);
- return 0;
-}
-
-static inline void
-esp_finish_encrypt (vlib_main_t * vm, JOB_AES_HMAC * job,
- ipsecmb_main_t * imbm, int thread_index,
- u32 * bi0, u32 * next0, ipsec_sa_t ** sa0, int is_ip6)
-{
- ip4_header_t *oh4 = 0;
- udp_header_t *udp = 0;
- ip6_header_t *oh6 = 0;
- ipsec_main_t *im = &ipsec_main;
- *bi0 = (uintptr_t) job->user_data;
- vlib_buffer_t *b0 = vlib_get_buffer (vm, *bi0);
- u32 sa_index0 = vnet_buffer (b0)->ipsec.sad_index;
- *sa0 = pool_elt_at_index (im->sad, sa_index0);
- oh4 = vlib_buffer_get_current (b0);
- oh6 = vlib_buffer_get_current (b0);
- if (is_ip6)
- {
- oh6->payload_length =
- clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0) -
- sizeof (ip6_header_t));
- }
- else
- {
- oh4->length =
- clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b0));
- oh4->checksum = ip4_header_checksum (oh4);
- if ((*sa0)->udp_encap)
- {
- udp = (udp_header_t *) (oh4 + 1);
- udp->length =
- clib_host_to_net_u16 (clib_net_to_host_u16 (oh4->length) -
- ip4_header_bytes (oh4));
- }
- }
-
- *next0 = (uintptr_t) job->user_data2;
- const int iv_size = imbm->crypto_algs[(*sa0)->crypto_alg].iv_size;
- add_random_bytes_from_traffic (imbm, thread_index,
- vlib_buffer_get_current (b0) +
- b0->current_length - iv_size, iv_size);
- if (!(*sa0)->is_tunnel)
- {
- *next0 = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
- vlib_buffer_advance (b0, -sizeof (ethernet_header_t));
- }
-}
-
-always_inline void
-ipsemb_ip4_fill_comon_values (ip4_header_t * oh4, u8 tos)
-{
- oh4->ip_version_and_header_length = 0x45;
- oh4->tos = tos;
- oh4->fragment_id = 0;
- oh4->flags_and_fragment_offset = 0;
- oh4->ttl = 254;
-}
-
-always_inline void
-ipsemb_handle_udp_encap (ipsec_sa_t * sa0, esp_header_t ** esp,
- ip4_header_t ** oh4)
-{
- if (sa0->udp_encap)
- {
- *esp = (esp_header_t *) ((u8 *) esp + sizeof (udp_header_t));
- udp_header_t *udp = (udp_header_t *) ((*oh4) + 1);
- udp->src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
- udp->dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
- udp->checksum = 0;
- (*oh4)->protocol = IP_PROTOCOL_UDP;
- }
- else
- {
- (*oh4)->protocol = IP_PROTOCOL_IPSEC_ESP;
- }
-}
-
-always_inline void
-esp_prepare_tunneL_headers (vlib_buffer_t * b0, ipsec_sa_t * sa0, u32 * next0,
- u8 * next_hdr_type, ip4_header_t * ih4,
- ip4_header_t ** oh4, ip6_header_t * ih6,
- ip6_header_t ** oh6, esp_header_t ** esp,
- u32 iv_size, int is_ip6)
-{
- if (is_ip6)
- {
- *next0 = ESP_ENCRYPT_NEXT_IP6_LOOKUP;
- *next_hdr_type = IP_PROTOCOL_IPV6;
- *oh6 = (ip6_header_t *) ((u8 *) ih6 - sizeof (esp_header_t) -
- sizeof (ip6_header_t) - iv_size);
- (*oh6)->src_address.as_u64[0] = sa0->tunnel_src_addr.ip6.as_u64[0];
- (*oh6)->src_address.as_u64[1] = sa0->tunnel_src_addr.ip6.as_u64[1];
- (*oh6)->dst_address.as_u64[0] = sa0->tunnel_dst_addr.ip6.as_u64[0];
- (*oh6)->dst_address.as_u64[1] = sa0->tunnel_dst_addr.ip6.as_u64[1];
-
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- vlib_buffer_advance (b0, -(sizeof (esp_header_t) +
- sizeof (ip6_header_t) + iv_size));
- (*oh6)->ip_version_traffic_class_and_flow_label =
- ih6->ip_version_traffic_class_and_flow_label;
- (*oh6)->protocol = IP_PROTOCOL_IPSEC_ESP;
- (*oh6)->hop_limit = 254;
- *esp = (esp_header_t *) ((*oh6) + 1);
- }
- else
- { /* is ipv4 */
- *next0 = ESP_ENCRYPT_NEXT_IP4_LOOKUP;
- u32 udp_hdr_size = 0;
- if (sa0->udp_encap)
- {
- udp_hdr_size = sizeof (udp_header_t);
- }
- *next_hdr_type = IP_PROTOCOL_IP_IN_IP;
- (*oh4) =
- (ip4_header_t *) (((u8 *) ih4) - sizeof (ip4_header_t) -
- sizeof (esp_header_t) - udp_hdr_size - iv_size);
- (*oh4)->src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32;
- (*oh4)->dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32;
- vlib_buffer_advance (b0, -(sizeof (ip4_header_t) +
- sizeof (esp_header_t) +
- udp_hdr_size + iv_size));
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- *esp = (esp_header_t *) ((*oh4) + 1);
-
- ipsemb_ip4_fill_comon_values (*oh4, ih4->tos);
- ipsemb_handle_udp_encap (sa0, esp, oh4);
- }
-}
-
-always_inline void
-esp_prepare_transport_headers (vlib_buffer_t * b0, ipsec_sa_t * sa0,
- u32 * next0, u8 * next_hdr_type,
- ip4_header_t * ih4, ip4_header_t ** oh4,
- ip6_header_t * ih6, ip6_header_t ** oh6,
- esp_header_t ** esp, u32 iv_size, int is_ip6)
-{
- if (is_ip6)
- {
- *next0 = ESP_ENCRYPT_NEXT_IP6_LOOKUP;
- *next_hdr_type = ih6->protocol;
- (*oh6) = (ip6_header_t *) ((u8 *) ih6 - sizeof (esp_header_t) -
- iv_size);
- if (vnet_buffer (b0)->sw_if_index[VLIB_TX] != ~0)
- {
- ethernet_header_t *ieh0, *oeh0;
- ieh0 = (ethernet_header_t *) vlib_buffer_get_current (b0) - 1;
- oeh0 = (ethernet_header_t *) (*oh6) - 1;
- clib_memcpy (oeh0, ieh0, sizeof (ethernet_header_t));
- }
- (*oh6)->src_address.as_u64[0] = ih6->src_address.as_u64[0];
- (*oh6)->src_address.as_u64[1] = ih6->src_address.as_u64[1];
- (*oh6)->dst_address.as_u64[0] = ih6->dst_address.as_u64[0];
- (*oh6)->dst_address.as_u64[1] = ih6->dst_address.as_u64[1];
- vlib_buffer_advance (b0, -(sizeof (esp_header_t) + iv_size));
- (*oh6)->ip_version_traffic_class_and_flow_label =
- ih6->ip_version_traffic_class_and_flow_label;
- (*oh6)->protocol = IP_PROTOCOL_IPSEC_ESP;
- (*oh6)->hop_limit = 254;
- *esp = (esp_header_t *) ((*oh6) + 1);
- }
- else
- { /* is ipv4 */
- *next0 = ESP_ENCRYPT_NEXT_IP4_LOOKUP;
- u32 udp_hdr_size = 0;
- if (sa0->udp_encap)
- {
- udp_hdr_size = sizeof (udp_header_t);
- }
- *next_hdr_type = ih4->protocol;
- (*oh4) = (ip4_header_t *) (((u8 *) ih4) - sizeof (esp_header_t) -
- udp_hdr_size - iv_size);
- if (vnet_buffer (b0)->sw_if_index[VLIB_TX] != ~0)
- {
- ethernet_header_t *ieh0, *oeh0;
- ieh0 = (ethernet_header_t *) vlib_buffer_get_current (b0) - 1;
- oeh0 = (ethernet_header_t *) (*oh4) - 1;
- clib_memcpy (oeh0, ieh0, sizeof (ethernet_header_t));
- }
- (*oh4)->src_address.as_u32 = ih4->src_address.as_u32;
- (*oh4)->dst_address.as_u32 = ih4->dst_address.as_u32;
- vlib_buffer_advance (b0,
- -(sizeof (esp_header_t) + udp_hdr_size + iv_size));
- *esp = (esp_header_t *) ((*oh4) + 1);
-
- ipsemb_ip4_fill_comon_values (*oh4, ih4->tos);
- ipsemb_handle_udp_encap (sa0, esp, oh4);
- }
-}
-
-static uword
-esp_encrypt_ipsecmb_inline (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame, int is_ip6)
-{
- u32 n_left_from, *from, *to_next = 0, next_index;
- from = vlib_frame_vector_args (from_frame);
- n_left_from = from_frame->n_vectors;
- ipsecmb_main_t *imbm = &ipsecmb_main;
- ipsec_main_t *im = &ipsec_main;
- u32 packets_in_flight = 0;
- next_index = node->cached_next_index;
- u32 thread_index = vlib_get_thread_index ();
- ipsec_alloc_empty_buffers (vm, im);
- u32 *to_be_freed = NULL;
- ipsecmb_per_thread_data_t *t = &imbm->per_thread_data[thread_index];;
-
- MB_MGR *mgr = imbm->mb_mgr[thread_index];
-
- while (n_left_from > 0 || packets_in_flight > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0, next0;
- vlib_buffer_t *b0 = 0;
- u32 sa_index0;
- ipsec_sa_t *sa0;
- ipsecmb_sa_t *samb0;
- ip4_header_t *ih4, *oh4 = 0;
- ip6_header_t *ih6, *oh6 = 0;
- esp_header_t *esp;
- u8 next_hdr_type;
-
- bi0 = from[0];
- from += 1;
- n_left_from -= 1;
-
- next0 = ESP_ENCRYPT_NEXT_DROP;
-
- b0 = vlib_get_buffer (vm, bi0);
- sa_index0 = vnet_buffer (b0)->ipsec.sad_index;
- sa0 = pool_elt_at_index (im->sad, sa_index0);
- samb0 = pool_elt_at_index (imbm->sad, sa_index0);
-
- if (esp_seq_advance (sa0))
- {
- clib_warning ("sequence number counter has cycled SPI %u",
- sa0->spi);
- vlib_node_increment_counter (vm, node->node_index,
- ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1);
- // TODO: rekey SA
- to_next[0] = bi0;
- to_next += 1;
- goto trace;
- }
-
- sa0->total_data_size += b0->current_length;
-
- if (PREDICT_FALSE (b0->n_add_refs > 0))
- {
- vec_add1 (to_be_freed, bi0);
- b0 = vlib_buffer_copy (vm, b0);
- bi0 = vlib_get_buffer_index (vm, b0);
- }
-
- ih4 = vlib_buffer_get_current (b0);
- ih6 = vlib_buffer_get_current (b0);
-
- const int iv_size = imbm->crypto_algs[sa0->crypto_alg].iv_size;
- if (sa0->is_tunnel)
- esp_prepare_tunneL_headers (b0, sa0, &next0, &next_hdr_type, ih4,
- &oh4, ih6, &oh6, &esp, iv_size,
- is_ip6);
- else
- esp_prepare_transport_headers (b0, sa0, &next0, &next_hdr_type,
- ih4, &oh4, ih6, &oh6, &esp,
- iv_size, is_ip6);
-
-
- esp->spi = clib_net_to_host_u32 (sa0->spi);
- esp->seq = clib_net_to_host_u32 (sa0->seq);
- ASSERT (sa0->crypto_alg < IPSEC_CRYPTO_N_ALG);
-
- esp_footer_t *f0;
- const u32 payload_offset =
- (u8 *) (esp + 1) + iv_size - (u8 *) vlib_buffer_get_current (b0);
- JOB_AES_HMAC *job = IPSECMB_FUNC (get_next_job) (mgr);
- if (PREDICT_TRUE (sa0->crypto_alg != IPSEC_CRYPTO_ALG_NONE))
- {
- const int block_size =
- imbm->crypto_algs[sa0->crypto_alg].block_size;
- u32 payload_length = b0->current_length - payload_offset;
- int blocks = 1 + (payload_length + 1) / block_size;
-
- /* pad packet in input buffer */
- u8 pad_bytes =
- block_size * blocks - sizeof (esp_footer_t) - payload_length;
- u8 i;
- u8 *padding = vlib_buffer_get_current (b0) + b0->current_length;
- b0->current_length = payload_offset + block_size * blocks;
- for (i = 0; i < pad_bytes; ++i)
- {
- padding[i] = i + 1;
- }
- f0 = vlib_buffer_get_current (b0) + b0->current_length -
- sizeof (esp_footer_t);
- f0->pad_length = pad_bytes;
- f0->next_header = next_hdr_type;
-
- random_bytes (imbm, thread_index, (u8 *) (esp + 1), iv_size);
- job->iv = (u8 *) (esp + 1);
- job->iv_len_in_bytes = iv_size;
- }
-
- job->chain_order = CIPHER_HASH;
- job->cipher_direction = ENCRYPT;
- job->src = (u8 *) esp;
- job->dst = (u8 *) ((u8 *) (esp + 1) + iv_size);
- job->cipher_mode = imbm->crypto_algs[sa0->crypto_alg].cipher_mode;
- job->aes_enc_key_expanded = samb0->aes_enc_key_expanded;
- job->aes_dec_key_expanded = samb0->aes_dec_key_expanded;
- job->aes_key_len_in_bytes = sa0->crypto_key_len;
- job->cipher_start_src_offset_in_bytes =
- sizeof (esp_header_t) + iv_size;
- job->hash_start_src_offset_in_bytes = 0;
- job->msg_len_to_cipher_in_bytes =
- b0->current_length - payload_offset;
- if (PREDICT_TRUE (IPSEC_INTEG_ALG_NONE != sa0->integ_alg))
- {
- if (sa0->use_esn)
- {
- *(u32 *) (vlib_buffer_get_current (b0) +
- b0->current_length) = sa0->seq_hi;
- b0->current_length += sizeof (u32);
- }
- job->msg_len_to_hash_in_bytes = b0->current_length -
- payload_offset + sizeof (esp_header_t) + iv_size;
- job->u.HMAC._hashed_auth_key_xor_ipad = samb0->ipad_hash;
- job->u.HMAC._hashed_auth_key_xor_opad = samb0->opad_hash;
- job->auth_tag_output =
- vlib_buffer_get_current (b0) + b0->current_length;
- job->auth_tag_output_len_in_bytes =
- imbm->integ_algs[sa0->integ_alg].hash_output_length;
- b0->current_length +=
- imbm->integ_algs[sa0->integ_alg].hash_output_length;
- }
- job->hash_alg = imbm->integ_algs[sa0->integ_alg].hash_alg;
- job->user_data = (void *) (uintptr_t) bi0;
- job->user_data2 = (void *) (uintptr_t) next0;
- job = IPSECMB_FUNC (submit_job) (mgr);
- ++packets_in_flight;
-
- if (!job)
- {
- continue;
- }
-
- --packets_in_flight;
- esp_finish_encrypt (vm, job, imbm, thread_index, &bi0, &next0, &sa0,
- is_ip6);
-
- to_next[0] = bi0;
- to_next += 1;
- n_left_to_next -= 1;
-
- trace:
- if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
- {
- esp_encrypt_trace_t *tr =
- vlib_add_trace (vm, node, b0, sizeof (*tr));
- tr->spi = sa0->spi;
- tr->seq = sa0->seq - 1;
- tr->udp_encap = sa0->udp_encap;
- tr->crypto_alg = sa0->crypto_alg;
- tr->integ_alg = sa0->integ_alg;
- }
-
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
- n_left_to_next, bi0, next0);
- }
-
- if (PREDICT_FALSE (n_left_from == 0))
- {
- JOB_AES_HMAC *job = NULL;
- while (n_left_to_next > 0 && (job = IPSECMB_FUNC (flush_job) (mgr)))
- {
- --packets_in_flight;
- u32 bi0, next0;
- vlib_buffer_t *b0;
- ipsec_sa_t *sa0;
-
- esp_finish_encrypt (vm, job, imbm, thread_index, &bi0, &next0,
- &sa0, is_ip6);
- b0 = vlib_get_buffer (vm, bi0);
-
- to_next[0] = bi0;
- to_next += 1;
- n_left_to_next -= 1;
-
- if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
- {
- esp_encrypt_trace_t *tr =
- vlib_add_trace (vm, node, b0, sizeof (*tr));
- tr->spi = sa0->spi;
- tr->seq = sa0->seq - 1;
- tr->udp_encap = sa0->udp_encap;
- tr->crypto_alg = sa0->crypto_alg;
- tr->integ_alg = sa0->integ_alg;
- }
-
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
- n_left_to_next, bi0, next0);
- }
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
- vlib_node_increment_counter (vm, node->node_index,
- ESP_ENCRYPT_ERROR_RX_PKTS,
- from_frame->n_vectors);
-
- if (to_be_freed)
- vlib_buffer_free (vm, to_be_freed, vec_len (to_be_freed));
- vec_free (to_be_freed);
- if (PREDICT_TRUE (vec_len (t->rb_from_traffic) > 0))
- {
- /* recycle traffic generated buffers, because once the packets are sent
- * out, bytes from these packets are no longer unpredictable */
- vec_add (t->rb_recycle_list, t->rb_from_traffic,
- vec_len (t->rb_from_traffic));
- _vec_len (t->rb_from_traffic) = 0;
- }
- return from_frame->n_vectors;
-}
-
-VLIB_NODE_FN (esp4_encrypt_ipsecmb_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame)
-{
- return esp_encrypt_ipsecmb_inline (vm, node, from_frame, 0 /*is_ip6 */ );
-}
-
-VLIB_NODE_FN (esp6_encrypt_ipsecmb_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * from_frame)
-{
- return esp_encrypt_ipsecmb_inline (vm, node, from_frame, 1 /*is_ip6 */ );
-}
-#endif
-
-static char *esp_encrypt_error_strings[] = {
-#define _(sym, string) string,
- foreach_esp_encrypt_error
-#undef _
-};
-
-/* packet trace format function */
-static u8 *
-format_esp_encrypt_trace (u8 * s, va_list * args)
-{
- CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
- CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
- esp_encrypt_trace_t *t = va_arg (*args, esp_encrypt_trace_t *);
-
- s =
- format (s, "esp: spi %u seq %u crypto %U integrity %U%s", t->spi, t->seq,
- format_ipsec_crypto_alg, t->crypto_alg, format_ipsec_integ_alg,
- t->integ_alg, t->udp_encap ? " udp-encap-enabled" : "");
- return s;
-}
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (esp4_encrypt_ipsecmb_node) = {
- .name = "esp4-encrypt-ipsecmb",
- .vector_size = sizeof (u32),
- .format_trace = format_esp_encrypt_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN (esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
-
- .n_next_nodes = ESP_ENCRYPT_N_NEXT,
- .next_nodes =
- {
-#define _(s, n) [ESP_ENCRYPT_NEXT_##s] = n,
- foreach_esp_encrypt_next
-#undef _
- },
-};
-/* *INDENT-ON* */
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (esp6_encrypt_ipsecmb_node) = {
- .name = "esp6-encrypt-ipsecmb",
- .vector_size = sizeof (u32),
- .format_trace = format_esp_encrypt_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN (esp_encrypt_error_strings),
- .error_strings = esp_encrypt_error_strings,
-
- .n_next_nodes = ESP_ENCRYPT_N_NEXT,
- .next_nodes =
- {
-#define _(s, n) [ESP_ENCRYPT_NEXT_##s] = n,
- foreach_esp_encrypt_next
-#undef _
- },
-};
-/* *INDENT-ON* */
-
-/*
- * fd.io coding-style-patch-verification: ON
- *
- * Local Variables:
- * eval: (c-set-style "gnu")
- * End:
- */
diff --git a/src/plugins/ipsecmb/ipsecmb.c b/src/plugins/ipsecmb/ipsecmb.c
deleted file mode 100644
index 17b8fb8ce3d..00000000000
--- a/src/plugins/ipsecmb/ipsecmb.c
+++ /dev/null
@@ -1,322 +0,0 @@
-/*
- * init.c : ipsecmb common code
- *
- * Copyright (c) 2015 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <vnet/plugin/plugin.h>
-#include <vpp/app/version.h>
-#include <ipsecmb/ipsecmb.h>
-ipsecmb_main_t ipsecmb_main;
-
-int
-sa_expand_keys (u32 sa_index)
-{
- ipsecmb_main_t *imbm = &ipsecmb_main;
- ipsec_sa_t *sa = pool_elt_at_index (ipsec_main.sad, sa_index);
- ipsecmb_sa_t *samb = pool_elt_at_index (imbm->sad, sa_index);
- if (sa->crypto_key_len > 0)
- {
- const keyexp_t keyexp_fn = imbm->crypto_algs[sa->crypto_alg].keyexp_fn;
- keyexp_fn (sa->crypto_key, samb->aes_enc_key_expanded,
- samb->aes_dec_key_expanded);
- }
- if (sa->integ_key_len > 0)
- {
- const u8 block_size = imbm->integ_algs[sa->integ_alg].block_size;
- const hash_one_block_t hash_one_block_fn =
- imbm->integ_algs[sa->integ_alg].hash_one_block_fn;
- u8 buf[block_size];
- int i = 0;
- if (sa->integ_key_len > block_size)
- {
- return VNET_API_ERROR_SYSCALL_ERROR_1; // FIXME use correct value
- }
- memset (buf, 0x36, sizeof (buf));
- for (i = 0; i < sa->integ_key_len; i++)
- {
- buf[i] ^= sa->integ_key[i];
- }
- hash_one_block_fn (buf, samb->ipad_hash);
-
- memset (buf, 0x5c, sizeof (buf));
- for (i = 0; i < sa->integ_key_len; i++)
- {
- buf[i] ^= sa->integ_key[i];
- }
- hash_one_block_fn (buf, samb->opad_hash);
- }
- return 0;
-}
-
-static clib_error_t *
-ipsecmb_add_del_sa_session (u32 sa_index, u8 is_add)
-{
- ipsecmb_main_t *imbm = &ipsecmb_main;
- if (is_add)
- {
- ipsecmb_sa_t *samb = NULL;
- pool_get (imbm->sad, samb);
- ASSERT (samb == pool_elt_at_index (imbm->sad, sa_index));
- sa_expand_keys (sa_index);
- }
- else
- {
- pool_put_index (imbm->sad, sa_index);
- }
- return 0;
-}
-
-clib_error_t *
-ipsecmb_check_esp_support (ipsec_sa_t * sa)
-{
- switch (sa->crypto_alg)
- {
- case IPSEC_CRYPTO_ALG_NONE:
- break;
- case IPSEC_CRYPTO_ALG_DES_CBC:
- case IPSEC_CRYPTO_ALG_3DES_CBC:
- return clib_error_return (0, "unsupported (3)des crypto-alg");
- case IPSEC_CRYPTO_ALG_AES_CBC_128:
- case IPSEC_CRYPTO_ALG_AES_CBC_192:
- case IPSEC_CRYPTO_ALG_AES_CBC_256:
- break;
- case IPSEC_CRYPTO_ALG_AES_CTR_128:
- case IPSEC_CRYPTO_ALG_AES_CTR_192:
- case IPSEC_CRYPTO_ALG_AES_CTR_256:
- return clib_error_return (0, "unsupported aes-ctr crypto-alg");
- case IPSEC_CRYPTO_ALG_AES_GCM_128:
- case IPSEC_CRYPTO_ALG_AES_GCM_192:
- case IPSEC_CRYPTO_ALG_AES_GCM_256:
- return clib_error_return (0, "unsupported aes-gcm crypto-alg");
- case IPSEC_CRYPTO_N_ALG:
- return clib_error_return (0, "invalid crypto-alg");
- }
-
- switch (sa->integ_alg)
- {
- case IPSEC_INTEG_ALG_NONE:
- return clib_error_return (0, "unsupported none integ-alg");
- case IPSEC_INTEG_ALG_MD5_96:
- return clib_error_return (0, "unsupported md5 integ-alg");
- case IPSEC_INTEG_ALG_SHA1_96:
- case IPSEC_INTEG_ALG_SHA_256_96:
- case IPSEC_INTEG_ALG_SHA_256_128:
- case IPSEC_INTEG_ALG_SHA_384_192:
- case IPSEC_INTEG_ALG_SHA_512_256:
- break;
- case IPSEC_INTEG_N_ALG:
- return clib_error_return (0, "invalid integ-alg");
- }
- return 0;
-}
-
-clib_error_t *
-ipsecmb_check_ah_support (ipsec_sa_t * sa)
-{
- switch (sa->integ_alg)
- {
- case IPSEC_INTEG_ALG_NONE:
- return clib_error_return (0, "unsupported none integ-alg");
- case IPSEC_INTEG_ALG_MD5_96:
- return clib_error_return (0, "unsupported md5 integ-alg");
- case IPSEC_INTEG_ALG_SHA1_96:
- case IPSEC_INTEG_ALG_SHA_256_96:
- case IPSEC_INTEG_ALG_SHA_256_128:
- case IPSEC_INTEG_ALG_SHA_384_192:
- case IPSEC_INTEG_ALG_SHA_512_256:
- break;
- case IPSEC_INTEG_N_ALG:
- return clib_error_return (0, "invalid integ-alg");
- }
- return 0;
-}
-
-static clib_error_t *
-ipsecmb_init (vlib_main_t * vm)
-{
- ipsecmb_main_t *imbm = &ipsecmb_main;
- imbm->dev_urandom_fd = open ("/dev/urandom", O_RDONLY);
- if (!imbm->dev_urandom_fd)
- {
- return clib_error_return_unix_fatal (0,
- "Can't open /dev/urandom for read");
- }
-
- vlib_thread_main_t *tm = vlib_get_thread_main ();
-
- imbm->crypto_algs = NULL;
- imbm->integ_algs = NULL;
-
- vec_validate (imbm->crypto_algs, IPSEC_CRYPTO_N_ALG - 1);
- vec_validate (imbm->integ_algs, IPSEC_INTEG_N_ALG - 1);
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].block_size = 16;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].block_size = 16;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].block_size = 16;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_DES_CBC].block_size = 8;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_3DES_CBC].block_size = 8;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].iv_size = 16;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].iv_size = 16;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].iv_size = 16;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_DES_CBC].iv_size = 8;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_3DES_CBC].iv_size = 8;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].cipher_mode = CBC;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].cipher_mode = CBC;
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].cipher_mode = CBC;
-
- ipsecmb_integ_alg_t *i;
- i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA1_96];
- i->hash_alg = SHA1;
- i->block_size = SHA1_BLOCK_SIZE;
-
- i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_96];
- i->hash_alg = SHA_256;
- i->block_size = SHA_256_BLOCK_SIZE;
-
- i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_128];
- i->hash_alg = SHA_256;
- i->block_size = SHA_256_BLOCK_SIZE;
-
- i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_384_192];
- i->hash_alg = SHA_384;
- i->block_size = SHA_384_BLOCK_SIZE;
-
- i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_512_256];
- i->hash_alg = SHA_512;
- i->block_size = SHA_512_BLOCK_SIZE;
-
- vec_validate (imbm->mb_mgr, tm->n_vlib_mains - 1);
- MB_MGR **mgr;
-#define __set_funcs(arch) \
- do \
- { \
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].keyexp_fn = \
- aes_keyexp_128_##arch; \
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].keyexp_fn = \
- aes_keyexp_192_##arch; \
- imbm->crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].keyexp_fn = \
- aes_keyexp_256_##arch; \
- imbm->integ_algs[IPSEC_INTEG_ALG_SHA1_96].hash_one_block_fn = \
- sha1_one_block_##arch; \
- imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_96].hash_one_block_fn = \
- sha256_one_block_##arch; \
- imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_128].hash_one_block_fn = \
- sha256_one_block_##arch; \
- imbm->integ_algs[IPSEC_INTEG_ALG_SHA_384_192].hash_one_block_fn = \
- sha384_one_block_##arch; \
- imbm->integ_algs[IPSEC_INTEG_ALG_SHA_512_256].hash_one_block_fn = \
- sha512_one_block_##arch; \
- } \
- while (0);
-
- if (clib_cpu_supports_avx512f ())
- {
- __set_funcs (avx512);
- vec_foreach (mgr, imbm->mb_mgr)
- {
- *mgr = alloc_mb_mgr (0);
- init_mb_mgr_avx512 (*mgr);
- }
- }
- else if (clib_cpu_supports_avx2 ())
- {
- __set_funcs (avx2);
- vec_foreach (mgr, imbm->mb_mgr)
- {
- *mgr = alloc_mb_mgr (0);
- init_mb_mgr_avx2 (*mgr);
- }
- }
- else
- {
- __set_funcs (sse);
- vec_foreach (mgr, imbm->mb_mgr)
- {
- *mgr = alloc_mb_mgr (0);
- init_mb_mgr_sse (*mgr);
- }
- }
-#undef __set_funcs
-
-
- i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA1_96];
- i->hash_output_length = 12;
-
- i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_96];
- i->hash_output_length = 12;
-
- i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_256_128];
- i->hash_output_length = 16;
-
- i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_384_192];
- i->hash_output_length = 24;
-
- i = &imbm->integ_algs[IPSEC_INTEG_ALG_SHA_512_256];
- i->hash_output_length = 32;
-
- vec_validate (imbm->per_thread_data, tm->n_vlib_mains - 1);
-
- return 0;
-}
-
-VLIB_INIT_FUNCTION (ipsecmb_init);
-
-static uword
-ipsecmb_process (vlib_main_t * vm, vlib_node_runtime_t * rt, vlib_frame_t * f)
-{
- ipsec_main_t *im = &ipsec_main;
- ipsec_register_ah_backend (vm, im, "ipsecmb backend",
- "ah4-encrypt-ipsecmb",
- "ah4-decrypt-ipsecmb",
- "ah6-encrypt-ipsecmb",
- "ah6-decrypt-ipsecmb",
- ipsecmb_check_ah_support,
- ipsecmb_add_del_sa_session);
-
- ipsec_register_esp_backend (vm, im, "ipsecmb backend",
- "esp4-encrypt-ipsecmb",
- "esp4-decrypt-ipsecmb",
- "esp6-encrypt-ipsecmb",
- "esp6-decrypt-ipsecmb",
- ipsecmb_check_esp_support,
- ipsecmb_add_del_sa_session);
-
- return 0;
-}
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (ipsecmb_process_node, static) = {
- .function = ipsecmb_process,
- .type = VLIB_NODE_TYPE_PROCESS,
- .name = "ipsecmb-process",
- .process_log2_n_stack_bytes = 17,
-};
-
-/* *INDENT-OFF* */
-VLIB_PLUGIN_REGISTER () = {
- .version = VPP_BUILD_VER,
- .description = "IPsecMB plugin",
- .default_disabled = 1,
-};
-/* *INDENT-ON* */
-
-/*
- * fd.io coding-style-patch-verification: ON
- *
- * Local Variables:
- * eval: (c-set-style "gnu")
- * End:
- */
diff --git a/src/plugins/ipsecmb/ipsecmb.h b/src/plugins/ipsecmb/ipsecmb.h
deleted file mode 100644
index 23e7ede9e99..00000000000
--- a/src/plugins/ipsecmb/ipsecmb.h
+++ /dev/null
@@ -1,97 +0,0 @@
-#ifndef __included_ipsecmb_h__
-#define __included_ipsecmb_h__
-
-#include <vppinfra/types.h>
-#include <vppinfra/vec.h>
-#include <vppinfra/clib.h>
-#include <vppinfra/warnings.h>
-#include <vnet/ipsec/ipsec.h>
-
-WARN_OFF (attributes);
-
-#ifdef always_inline
-#undef always_inline
-#define __need_redefine__
-#endif
-
-#include <intel-ipsec-mb.h>
-
-#ifdef __need_redefine__
-#if CLIB_DEBUG > 0
-#define always_inline static inline
-#else
-#define always_inline static inline __attribute__ ((__always_inline__))
-#endif
-#endif // __need_redefine__
-WARN_ON (attributes);
-
-typedef struct
-{
- keyexp_t keyexp_fn;
- JOB_CIPHER_MODE cipher_mode;
- u8 key_len;
- u8 iv_size;
- u8 block_size;
-} ipsecmb_crypto_alg_t;
-
-typedef struct
-{
- hash_one_block_t hash_one_block_fn;
- u8 block_size;
- JOB_HASH_ALG hash_alg;
- u8 hash_output_length;
-} ipsecmb_integ_alg_t;
-
-typedef struct
-{
- u8 aes_enc_key_expanded[16 * 15] __attribute__ ((aligned (16)));
- u8 aes_dec_key_expanded[16 * 15] __attribute__ ((aligned (16)));
- u8 ipad_hash[256] __attribute__ ((aligned (16)));
- u8 opad_hash[256] __attribute__ ((aligned (16)));
-} ipsecmb_sa_t;
-
-typedef struct
-{
- u8 data[16];
-} random_bytes_t;
-
-typedef u8 urandom_buffer_t[4096];
-
-typedef struct
-{
- /** read buffer for random data from /dev/urandom */
- urandom_buffer_t urandom_buffer;
- /** pool of all the random_bytes_t objects ever allocated */
- random_bytes_t *rb_pool;
- /** vector of random_bytes_t objects containing random bytes */
- u32 *rb_from_dev_urandom;
- /** vector of used random_bytes_t objects */
- u32 *rb_recycle_list;
- /** vector of random bytes collected from encrypted data */
- u32 *rb_from_traffic;
-} ipsecmb_per_thread_data_t;
-
-typedef struct
-{
- ipsecmb_crypto_alg_t *crypto_algs;
- ipsecmb_integ_alg_t *integ_algs;
- MB_MGR **mb_mgr;
- ipsecmb_sa_t *sad;
- ipsecmb_per_thread_data_t *per_thread_data;
- int dev_urandom_fd;
-} ipsecmb_main_t;
-
-extern ipsecmb_main_t ipsecmb_main;
-
-#define P(x,y) x ## _ ## y
-#define E(x,y) P(x,y)
-#define IPSECMB_FUNC(f) E(f,CLIB_MARCH_VARIANT)
-/*
- * fd.io coding-style-patch-verification: ON
- *
- * Local Variables:
- * eval: (c-set-style "gnu")
- * End:
- */
-
-#endif /* __included_ipsecmb_h__ */
diff --git a/src/vnet/buffer.h b/src/vnet/buffer.h
index d1edbe54805..89dd84567bc 100644
--- a/src/vnet/buffer.h
+++ b/src/vnet/buffer.h
@@ -274,10 +274,6 @@ typedef struct
{
u32 flags;
u32 sad_index;
- u32 ip_version_traffic_class_and_flow_label;
- u8 tos;
- u8 ttl_or_hop_limit;
- u32 seq;
} ipsec;
/* MAP */
diff --git a/test/test_ipsec_nat.py b/test/test_ipsec_nat.py
index 7e6e1d4d912..e9efa032a13 100644
--- a/test/test_ipsec_nat.py
+++ b/test/test_ipsec_nat.py
@@ -9,7 +9,7 @@ from util import ppp, ppc
from template_ipsec import TemplateIpsec
-class TemplateIPSecNAT(TemplateIpsec):
+class IPSecNATTestCase(TemplateIpsec):
""" IPSec/NAT
TUNNEL MODE:
@@ -33,7 +33,7 @@ class TemplateIPSecNAT(TemplateIpsec):
@classmethod
def setUpClass(cls):
- super(TemplateIPSecNAT, cls).setUpClass()
+ super(IPSecNATTestCase, cls).setUpClass()
cls.tun_if = cls.pg0
cls.vapi.ipsec_spd_add_del(cls.tun_spd_id)
cls.vapi.ipsec_interface_add_del_spd(cls.tun_spd_id,
@@ -236,8 +236,3 @@ class TemplateIPSecNAT(TemplateIpsec):
self.pg_start()
capture = self.pg1.get_capture(len(pkts))
self.verify_capture_plain(capture)
-
-
-class IPSecNAT(TemplateIPSecNAT):
- """ IPSec/NAT """
- pass
diff --git a/test/test_ipsecmb_ah.py b/test/test_ipsecmb_ah.py
deleted file mode 100644
index 294d5ceeb89..00000000000
--- a/test/test_ipsecmb_ah.py
+++ /dev/null
@@ -1,31 +0,0 @@
-from test_ipsec_ah import TemplateIpsecAh
-from template_ipsec import IpsecTraTests, IpsecTunTests, IpsecTcpTests
-
-
-class TestIpsecMBAh1(TemplateIpsecAh, IpsecTraTests, IpsecTunTests):
- """ IpsecMB AH - TUN & TRA tests """
- extra_vpp_plugin_config = [
- "plugin", "ipsecmb_plugin.so", "{", "enable", "}"]
-
- tra4_encrypt_node_name = "ah4-encrypt-ipsecmb"
- tra4_decrypt_node_name = "ah4-decrypt-ipsecmb"
- tra6_encrypt_node_name = "ah6-encrypt-ipsecmb"
- tra6_decrypt_node_name = "ah6-decrypt-ipsecmb"
- tun4_encrypt_node_name = "ah4-encrypt-ipsecmb"
- tun4_decrypt_node_name = "ah4-decrypt-ipsecmb"
- tun6_encrypt_node_name = "ah6-encrypt-ipsecmb"
- tun6_decrypt_node_name = "ah6-decrypt-ipsecmb"
-
- @classmethod
- def ipsec_select_backend(cls):
- cls.vapi.ipsec_select_backend(protocol=cls.vpp_ah_protocol, index=1)
-
-
-class TestIpsecMBAh2(TemplateIpsecAh, IpsecTcpTests):
- """ IpsecMB AH - TCP tests """
- extra_vpp_plugin_config = [
- "plugin", "ipsecmb_plugin.so", "{", "enable", "}"]
-
- @classmethod
- def ipsec_select_backend(cls):
- cls.vapi.ipsec_select_backend(protocol=cls.vpp_ah_protocol, index=1)
diff --git a/test/test_ipsecmb_esp.py b/test/test_ipsecmb_esp.py
deleted file mode 100644
index cf60724fca6..00000000000
--- a/test/test_ipsecmb_esp.py
+++ /dev/null
@@ -1,30 +0,0 @@
-from test_ipsec_esp import TemplateIpsecEsp
-from template_ipsec import IpsecTraTests, IpsecTunTests, IpsecTcpTests
-
-
-class TestIpsecMBEsp1(TemplateIpsecEsp, IpsecTraTests, IpsecTunTests):
- """ IpsecMB ESP - TUN & TRA tests """
- extra_vpp_plugin_config = [
- "plugin", "ipsecmb_plugin.so", "{", "enable", "}"]
- tra4_encrypt_node_name = "esp4-encrypt-ipsecmb"
- tra4_decrypt_node_name = "esp4-decrypt-ipsecmb"
- tra6_encrypt_node_name = "esp6-encrypt-ipsecmb"
- tra6_decrypt_node_name = "esp6-decrypt-ipsecmb"
- tun4_encrypt_node_name = "esp4-encrypt-ipsecmb"
- tun4_decrypt_node_name = "esp4-decrypt-ipsecmb"
- tun6_encrypt_node_name = "esp6-encrypt-ipsecmb"
- tun6_decrypt_node_name = "esp6-decrypt-ipsecmb"
-
- @classmethod
- def ipsec_select_backend(cls):
- cls.vapi.ipsec_select_backend(protocol=cls.vpp_esp_protocol, index=1)
-
-
-class TestIpsecMBEsp2(TemplateIpsecEsp, IpsecTcpTests):
- """ IpsecMB ESP - TCP tests """
- extra_vpp_plugin_config = [
- "plugin", "ipsecmb_plugin.so", "{", "enable", "}"]
-
- @classmethod
- def ipsec_select_backend(cls):
- cls.vapi.ipsec_select_backend(protocol=cls.vpp_esp_protocol, index=1)
diff --git a/test/test_ipsecmb_nat.py b/test/test_ipsecmb_nat.py
deleted file mode 100644
index 82f5daa0fb1..00000000000
--- a/test/test_ipsecmb_nat.py
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/usr/bin/env python
-
-from test_ipsec_nat import TemplateIPSecNAT
-
-
-class IPSecMBNATTestCase(TemplateIPSecNAT):
- """ IPSecMB/NAT """
- extra_vpp_plugin_config = [
- "plugin", "ipsecmb_plugin.so", "{", "enable", "}"]
-
- @classmethod
- def ipsec_select_backend(cls):
- cls.vapi.ipsec_select_backend(protocol=cls.vpp_ah_protocol, index=1)