aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/esp_decrypt.c
AgeCommit message (Collapse)AuthorFilesLines
2020-09-04ipsec: fix trace of GRE_teb packetsChristian Hopps1-2/+5
The issue is not easily hit. When GRE_teb packets are received the post crypto processing adjusts the l2.l2_len value in the vnet_buffer opaque data. This is overwriting the ipsec opaque data. Later the trace code fetches the sa_index from the ipsec opaque data. It's just an accident that this currently works, if the ipsec data is changed so that the sa_index moves around it will be overwritten by the l2_len modification. Indeed, this was found b/c local development changes had moved the sa_index so it was over-lapping with the l2_len memory space, and the UT failed. Type: fix Change-Id: Iaecfa750cf0b36653fd9e75b4d799f323a14d932 Signed-off-by: Christian Hopps <chopps@labn.net>
2020-04-30crypto: introduce async crypto infraFan Zhang1-558/+1015
Type: feature Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Signed-off-by: Dariusz Kazimierski <dariuszx.kazimierski@intel.com> Signed-off-by: Piotr Kleski <piotrx.kleski@intel.com> Change-Id: I4c3fcccf55c36842b7b48aed260fef2802b5c54b
2020-04-28ipsec: fix buffer allocFilip Tehlar1-1/+7
Type: fix Change-Id: I0f12c19b79df19b692f18ac13d6c32341853b764 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-31ipsec: fix chained ESPFilip Tehlar1-36/+120
This fixes a special case when buffer chain enters decrypt node and becomes a single buffer after decryption. Type: fix Change-Id: Id5da9e8a074f83ec3561949631ce613f35528312 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-23ipsec: Revert "ipsec: fix chained ESP"Florin Coras1-119/+36
This reverts commit c2c1bfd9b72aec88526c06479b128725eb525866. Reason for revert: Seems it's breaking ipsec esp tests Type: fix Change-Id: Iac590eee23cbf92a10c62dafa789aa9c3b2284dd Signed-off-by: Florin Coras <fcoras@cisco.com>
2020-03-23ipsec: fix chained ESPFilip Tehlar1-36/+119
This fixes a special case when buffer chain enters decrypt node and becomes a single buffer after decryption. Type: fix Change-Id: I1d4da029b952baa97400adb7173aa63fd97d916b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-03-21ipsec: efficient layout of ESP per thread dataRajesh Goel1-3/+4
Type: fix Change-Id: I1ba921503a41ca37ce5c920682893617740571a9 Signed-off-by: Rajesh Goel <rajegoel@cisco.com>
2020-02-11ipsec: add support for chained buffersFilip Tehlar1-75/+369
Type: feature Change-Id: Ie072a7c2bbb1e4a77f7001754f01897efd30fc53 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2020-02-05ipsec: set l2_len for GRE-TEB tunnel decapJohn Lo1-0/+2
Type: fix Ticket: VPP-1831 Signed-off-by: John Lo <loj@cisco.com> Change-Id: I655964b22021ac38cbced577091a1156286d4fd6
2020-01-04ipsec: Targeted unit testingNeale Ranns1-7/+22
Type: fix 1 - big packets; chained buffers and those without enoguh space to add ESP header 2 - IPv6 extension headers in packets that are encrypted/decrypted 3 - Interface protection with SAs that have null algorithms Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
2019-12-23ipsec: Test and fix IPSec worker hand-offNeale Ranns1-2/+2
Type: fix Change-Id: I5cb9a3845ddbc5f4de4eb4e9c481f606fe5cec9a Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-12-18ipsec: Fix decap of IPSEC/GRE in transport modeNeale Ranns1-6/+44
Type: fix in transport mode the header sequence is: MAC - IP (tun) - ESP - GRE - L2 so popping the GRE header is done in the ESP decrypt node. Change-Id: Ia125eb65b9300368617d2bffca09683851e43be0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-12-17ipsec: bind an SA to a workerNeale Ranns1-9/+39
the sequence number increment and the anti-replay window checks must be atomic. Given the vector nature of VPP we can't simply use atomic increments for sequence numbers, since a vector on thread 1 with lower sequence numbers could be 'overtaken' by packets on thread 2 with higher sequence numbers. The anti-replay logic requires a critical section, not just atomics, and we don't want that. So when the SA see the first packet it is bound to that worker all subsequent packets, that arrive on a different worker, are subject to a handoff. Type: feature Change-Id: Ia20a8645fb50622ea6235ab015a537f033d531a4 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-08ipsec: remove dedicated IPSec tunnelsNeale Ranns1-20/+14
APIs for dedicated IPSec tunnels will remain in this release and are used to programme the IPIP tunnel protect. APIs will be removed in a future release. see: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-08-01ipsec: Redo the anit-replay check post decryptNeale Ranns1-0/+29
Type: fix Change-Id: I1fa8c5326d6f22cfb8dd40e97d8a22d11a716922 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-24ipsec: GCM, Anti-replay and ESN fixessNeale Ranns1-11/+18
Type: fix Several Fixes: 1 - Anti-replay did not work with GCM becuase it overwrote the sequence number in the ESP header. To fix i added the seq num to the per-packet data so it is preserved 2 - The high sequence number was not byte swapped during ESP encrypt. 3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM the others return BAD_HMAC. removed the former 4 - improved tracing to show the low and high seq numbers 5 - documented the anti-replay window checks 6 - fixed scapy patch for ESN support for GCM 7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-18ipsec: ipsec-tun protectNeale Ranns1-18/+102
please consult the new tunnel proposal at: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-05ipsec: fix sa counters in esp-decryptDamjan Marion1-6/+7
Type: fix Fixes: b4fff3a Change-Id: I2552cbc0a02e7445825a5a4ce290cde3d10c5f0b Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-05-30IPsec: modify post-decrypt buf len calculationMatthew G Smith1-2/+2
For tunnel mode, after decryption the buffer length was being adjusted by adding (iv length + esp header size). Subtract it instead. Required for BFD to work on an IPsec tunnel interface. BFD verifies that the amount of received data is the expected size. It drops the packet if the buffer metadata says that the packet buffer contains more data than the packet headers say it should. Change-Id: I3146d5c3cbf1cceccc9989eefbc9a59e604e9975 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-05-14IPSEC: remove unecessary pass by reference of sequence numberNeale Ranns1-1/+1
Change-Id: Id406eb8c69a89c57305d8f138e8e6730037aa799 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-25crypto: AES GCM IV length is always 12Damjan Marion1-1/+0
... at least for use cases we are interested in Change-Id: I1156ff354635e8f990ce2664ebc8dcd3786ddca5 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-25ipsec: drop runts in esp-decryptDamjan Marion1-0/+8
Change-Id: Id7fcaf8590f9f2dcccdebea0ad31c7ecd1cbc8af Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-25crypto: improve key handlingDamjan Marion1-3/+2
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-17IPSEC: Pass the algorithm salt (used in GCM) over the APINeale Ranns1-3/+1
Change-Id: Ia8cea13f7b937294e6a080a55fb2ceff30063acf Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-16IPSEC: support GCM in ESPNeale Ranns1-1/+34
Change-Id: Id2ddb77b4ec3dd543d6e638bc882923f2bac011d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-15IPSEC: crypto overflowNeale Ranns1-1/+1
decrypting too many bytes. Change-Id: I4663e70271d9734eda7f9a127967b9224c0e5efc Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-11IPSEC: ESP with ESN tests and fixesNeale Ranns1-3/+3
Change-Id: Ie42b26e6d5cdb7b23f370ea2933c65079e8d1089 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-11IPSEC-MB: Use random & non-repeating IV (VPP-1642)Neale Ranns1-3/+1
hard code IV and key lengths based on cipher. Init IV from random data, use AES instruction to rotate. Change-Id: I13a6507d12267b823c528660a903787baeba47a0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-10crypto: Intel IPSEC-MB engineNeale Ranns1-2/+11
A plugin to use Intel IPSec MB library as a VPP crypto engine This changes uses concepts from: https://gerrit.fd.io/r/#/c/17301/ hence that author's work is acknowledge below Change-Id: I2bf3beeb10f3c9706fa5efbdc9bc023e310f5a92 Signed-off-by: Neale Ranns <nranns@cisco.com> Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-04-07crypto: add support for AEAD and AES-GCMDamjan Marion1-6/+5
Change-Id: Iff6f81a49b9cff5522fbb4914d47472423eac5db Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-04-04ipsec: trunc_size -> icv_sizeDamjan Marion1-1/+1
Change-Id: Idb661261c2191adda963a7815822fd7a27a9e7a0 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-29IPSEC-GRE: fixes and API update to common types.Neale Ranns1-1/+1
Change-Id: Icdcbac7453baa837a9c0c4a2401dff4a6aa6cba0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-29ipsec: esp-decrypt reworkDamjan Marion1-199/+297
Change-Id: Icf83c876d0880d1872b84e0a3d34be654b76149f Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-28crypto: add vnet_crypto_op_init (...)Damjan Marion1-2/+1
Change-Id: I2018d8367bb010e1ab30d9c7c23d9501fc38a2e5 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-28ipsec: anti-replay code cleanupDamjan Marion1-28/+10
Change-Id: Ib73352d6be26d639a7f9d47ca0570a1248bff04a Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-27ipsec: compress ipsec_sa_t so data used by dataplane code fits in cachelineDamjan Marion1-6/+7
Change-Id: I81ecdf9fdcfcb017117b47dc031f93208e004d7c Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-20ipsec: keep crypto data inside SADamjan Marion1-16/+8
Change-Id: Ie8986bd3652d25c4befe681cea77df95aba37ebc Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-19crypto: introduce crypto infraDamjan Marion1-32/+20
Change-Id: Ibf320b3e7b054b686f3af9a55afd5d5bda9b1048 Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06ipsec: esp-encrypt and esp-decrypt cleanupDamjan Marion1-248/+207
Change-Id: I1e431aa36a282ca7565c6618a940d591674b8cd2 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-05ipsec: cleanup, remove unnecessary code,Kingwel Xie1-1/+1
ipsec_proto_main moved to ipsec.c fix missing '\0' of backend name Change-Id: I90760b3045973a46792c2f098d9b0b1b3d209ad0 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-22IPSEC: header exportsNeale Ranns1-0/+1
Change-Id: I7d48a4e236c6e7b11b0c9750a30fb68e829d64a5 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-18IPSEC: move SA counters into the stats segmentNeale Ranns1-1/+3
1) stats are accessed via the stat segment which is more condusive to monitoring 2) stats are accurate in the presence of multiple threads. There's no guarantee that an SA is access from only one worker. Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-07IPSEC: no second lookup after tunnel encapNeale Ranns1-3/+4
in the same maaner as with other tunnel tyeps we use the FIB to cache and track the destination used to reach the tunnel endpoint. Post encap we can then ship the packet straight to this adjacency and thus elide the costly second lookup. - SA add and del function so they can be used both directly from the API and for tunnels. - API change for the SA dump to use the SA type - ipsec_key_t type for convenience (copying, [un]formating) - no matching tunnel counters in ipsec-if-input Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-12-07Fix VPP-1515 IPSec receive packet error in transport mode with udp encapjackiechen19851-3/+13
Change-Id: Ife66395b89e1e9f9206666e5f0fd441b3c241bb2 Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
2018-12-04ipsec: simplify bumping counters - cosmetic changeKlement Sekera1-44/+13
Change-Id: Ibb55427ed49d0277854a352922c6c4bb007bf072 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-11-30IPSEC-AH: fix packet dropNeale Ranns1-2/+0
Change-Id: I45b97cfd0c3785bfbf6d142d362bd3d4d56bae00 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-10-29migrate ipsec to new multiarch infraKlement Sekera1-11/+6
Change-Id: Ibef46e068cd72415af28920b0146adf48105bf68 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-23c11 safe string handling supportDave Barach1-1/+1
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-22ipsec: split ipsec nodes into ip4/ip6 nodesKlement Sekera1-50/+98
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-10Change the way IP header pointer is calculated in esp_decrypt nodesSzymon Sliwa1-3/+7
The pointer to IP header was derived from l3_hdr_offset, which would be ok, if l3_hdr_offset was valid. But it does not have to be, so it was a bad solution. Now the previous nodes mark whether it is a IPv6 or IPv4 packet tyle, and in esp_decrypt we count get ip header pointer by substracting the size of the ip header from the pointer to esp header (which lies in front of the ip header). Change-Id: I6d425b90931053711e8ce9126811b77ae6002a16 Signed-off-by: Szymon Sliwa <szs@semihalf.com>