Age | Commit message (Collapse) | Author | Files | Lines |
|
- Fix AAD initialization. With use-esn the aad data consists of the SPI
and the 64-bit sequence number in big-endian order. Fix the u32 swapped
code.
- Remove salt-reinitialization. The GCM code seems inspired by the GCM
RFCs recommendations on IKE keydata and how to produce a salt
value (create an extra 4 octets of keying material). This is not IKE
code though and the SA already holds the configured salt value which
this code is blowing away. Use the configured value instead.
Type: fix
Change-Id: I5e75518aa7c1d91037bb24b2a40fe4fc90bdfdb0
Signed-off-by: Christian Hopps <chopps@labn.net>
|
|
Type: feature
If an attempt was made to send an IPv6 packet over an IPv4 tunnel,
the DPDK esp_encrypt did not complete setting up
the crypto operation for a buffer, but still queued the crypto
operations that were allocated. This results in a SEGV when
attempting to dequeue them in dpdk-crypto-input.
Allow IPv6 packets to be sent over a v4 tunnel when using the DPDK
plugin esp crypto nodes.
Change-Id: Ic9a4cd69b7fc06a17ab2f64ae806ec2ceacfef27
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
Several Fixes:
1 - Anti-replay did not work with GCM becuase it overwrote the sequence
number in the ESP header. To fix i added the seq num to the per-packet
data so it is preserved
2 - The high sequence number was not byte swapped during ESP encrypt.
3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM
the others return BAD_HMAC. removed the former
4 - improved tracing to show the low and high seq numbers
5 - documented the anti-replay window checks
6 - fixed scapy patch for ESN support for GCM
7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo
Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
When the same worker thread processes packet for encrypt and decrypt,
ie. single worker with bi-directional traffic, given that the queue is
shared results in packets to be decrypted being dropped as the encrypt
always happens first for each main loop.
With this change, each crypto device queue is logically split into two
queues, each half the real size, avoiding the described problem.
Change-Id: Ifd3f15e316c92fbd6ca05802456b10a7f73f85da
Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
|
|
Change-Id: Id406eb8c69a89c57305d8f138e8e6730037aa799
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Ib828ea5106f3ae280e4ce233f2462dee363580b7
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ib73352d6be26d639a7f9d47ca0570a1248bff04a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I81ecdf9fdcfcb017117b47dc031f93208e004d7c
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
1) stats are accessed via the stat segment which is more condusive to
monitoring
2) stats are accurate in the presence of multiple threads. There's no
guarantee that an SA is access from only one worker.
Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
don't have to convert from mbuf to vlib_buffer then buffer index
save a few clock cycles in crypto-input
plus, a bit improvements of CLI
1. show more information, resource placement & qp stats
2. clear dpdk qp statistics
cleanup cli as sugguested by Sergio Gonzalez Monroy
Change-Id: Ic4fd65bfa9a6b05b344a9a40c554990dde072d19
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
Change-Id: I2c796583087c70fbc5cf09e8afd0f2a1f389d346
Signed-off-by: Sergio Gonzalez Monroy <sgmonroy@gmail.com>
|
|
Change-Id: I998658ad7860b23425444e218ce2e1ec655b885a
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
fix coding style
Change-Id: I458d81fa80c509b71edb2021468a89715cb32ae3
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
crypto-input,esp encrypt/decrypt are indicated in CMakefiles
Change-Id: I18ba851c1d4e5633d07c5de61cdaeae938e94982
Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
|
|
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Fixes debug build crash.
Change-Id: Ia5c5da82beda5992f9e67456af9a4676b9b82722
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ibef46e068cd72415af28920b0146adf48105bf68
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
The function dpdk_ipsec_process() attempts to initialize some
globals that store node indexes after looking up the node
dpdk-esp6-decrypt. No such node was declared, so a segv
occurs after dereferencing the result of the lookup.
Add a node function that invokes dpdk_esp_decrypt_inline()
with is_ip6 set to 1. Add a declaration of node dpdk-esp6-decrypt
that uses the node function.
Change-Id: I31ce23a458c2d4181bf40cbc2118c4ef3b9baf97
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: I70bc5af646894811d373456ec66aa83f2d75a477
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change-Id: I024c1d398fcb51e5a20f9049d16a87b3b1ba0c20
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
The pointer to IP header was derived from l3_hdr_offset,
which would be ok, if l3_hdr_offset was valid. But it does not
have to be, so it was a bad solution. Now the previous nodes
mark whether it is a IPv6 or IPv4 packet tyle, and in esp_decrypt
we count get ip header pointer by substracting the size
of the ip header from the pointer to esp header (which lies
in front of the ip header).
Change-Id: I6d425b90931053711e8ce9126811b77ae6002a16
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
|
|
Changes the source of the l3 offset to a more
proper one, same as I5d9f41599ba8d8eb14ce2d9d523f82ea6e0fd10d.
Change-Id: I5ff05d7d89507ecb378a2bd62f5b149189ca9e99
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
|
|
- fix ESP transport mode
- safely free crypto sessions
- use rte_mempool_virt2phy/rte_mempool_virt2iova
- align DPDK QAT capabilities for IPsec usage (DPDK 17.08)
- reserve 16B for aad (reference cryptodev doc)
Change-Id: I3822a7456fb5a255c767f5a44a429f91a140fe64
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
Also remove DPDK 17.05 support.
Change-Id: I4f96cb3f002cd90b12d800d6904f2364d7c4e270
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
VPP-1034
Change-Id: I02b4db9e52446ab8578df1f011dd27f39de64c70
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
Ubuntu 17.04, gcc version 6.3.0 20170406 (Ubuntu 6.3.0-12ubuntu2),
"make build" fails with the few of the errors below:
error: suggest parentheses around comparison in operand of ‘|’
[-Werror=parentheses]
is_aead = (sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128 |
Solution: use the logical rather than the bitwise or.
Change-Id: Iffcc1ed2e68b14b248159cb117593d32c623c553
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
This follows commit d3c008d108aa2187d1a2afe2833b4de25ca2c2ab by
Christophe Fontaine.
Change-Id: I0c4df40df44be2ac0ab25817fa050a1f619eca4d
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
|
|
Change-Id: Ica3bc74ffbb1c0df4e198b0abff8df10cdeb2182
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
This patch reworks the DPDK ipsec implementation including the cryptodev
management as well as replacing new cli commands for better usability.
For the data path:
- The dpdk-esp-encrypt-post node is not necessary anymore.
- IPv4 packets in the decrypt path are sent to ip4-input-no-checksum instead
of ip4-input.
The DPDK cryptodev cli commands are replaced by the following new commands:
- show dpdk crypto devices
- show dpdk crypto placement [verbose]
- set dpdk crypto placement (<device> <thread> | auto)
- clear dpdk crypto placement <device> [<thread>]
- show dpdk crypto pools
Change-Id: I47324517ede82d3e6e0e9f9c71c1a3433714b27b
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
DPDK 17.08 breaks ethdev and cryptodev APIs.
Address those changes while keeping backwards compatibility for
DPDK 17.02 and 17.05.
Change-Id: Idd6ac264d0d047fe586c41d4c4ca74e8fc778a54
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
- Fix buffer trace from esp_decrypt node
- Fix VLIB_REGISTER_NODE macro format
- Remove unnecessary code since we do not reconfigure graph
unless requirements are met
Change-Id: Ic1c2afffb8265e40a6ced0c8a58775c05fadc9e2
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
|
|
This patch deprecates stack-based thread identification,
Also removes requirement that thread stacks are adjacent.
Finally, possibly annoying for some folks, it renames
all occurences of cpu_index and cpu_number with thread
index. Using word "cpu" is misleading here as thread can
be migrated ti different CPU, and also it is not related
to linux cpu index.
Change-Id: I68cdaf661e701d2336fc953dcb9978d10a70f7c1
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I238258cdeb77035adc5e88903d824593d0a1da90
Signed-off-by: Damjan Marion <damarion@cisco.com>
|