path: root/src/vnet/ipsec/ipsec_sa.c
AgeCommit message (Expand)AuthorFilesLines
2023-08-08ipsec: add support for RFC-4543 ENCR_NULL_AUTH_AES_GMACBenoît Ganne1-1/+8
2023-06-23ipsec: manually binding an SA to a workerMaxime Peim1-6/+31
2023-06-01crypto: make crypto-dispatch node working in adaptive modeXiaoming Jiang1-2/+0
2023-03-23ipsec: make pre-shared keys harder to misuseBenoît Ganne1-55/+74
2023-03-23ipsec: add per-SA error countersArthur de Kerhor1-11/+22
2023-02-06ipsec: fix async crypto linked keys memory leakBenoît Ganne1-1/+6
2022-12-16ipsec: new api for sa ips and ports updatesArthur de Kerhor1-0/+131
2022-09-14ipsec: make chacha20-poly1305 available via APIVladimir Ratnikov1-1/+2
2022-08-19ipsec: enable UDP encap for IPv6 ESP tun protectMatthew Smith1-2/+4
2021-09-29ipsec: Record the number of packets lost from an SANeale Ranns1-0/+7
2021-06-30ipsec: Derive the TUNNEL_V6 flag from the configured address typesNeale Ranns1-0/+4
2021-03-05ipsec: Support async mode per-SANeale Ranns1-1/+11
2021-02-26ipsec: move the IPSec SA pool out of ipsec_mainNeale Ranns1-23/+19
2021-02-10ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns1-72/+26
2021-02-09Revert "ipsec: Use the new tunnel API types to add flow label and TTL copy"Matthew Smith1-26/+72
2021-02-08ipsec: Use the new tunnel API types to add flow label and TTL copyNeale Ranns1-72/+26
2021-02-05ipsec: add support for AES CTRBenoît Ganne1-0/+5
2021-02-04ipsec: one thread index per-SANeale Ranns1-2/+1
2020-12-14misc: move to new pool_foreach macrosDamjan Marion1-3/+3
2020-11-02ipsec: Tunnel SA DSCP behaviourNeale Ranns1-2/+9
2020-10-21misc: minimize dependencies on udp.hFlorin Coras1-1/+1
2020-09-07ipsec: fix padding/alignment for native IPsec encryptionChristian Hopps1-2/+2
2020-05-05ipsec: User can choose the UDP source portNeale Ranns1-9/+14
2020-04-30crypto: introduce async crypto infraFan Zhang1-3/+61
2020-03-21ikev2: add support for custom ipsec-over-udp portFilip Tehlar1-3/+12
2019-12-17ipsec: bind an SA to a workerNeale Ranns1-0/+2
2019-11-08ipsec: remove dedicated IPSec tunnelsNeale Ranns1-0/+14
2019-10-22ikev2: fix GCM cipherFilip Tehlar1-9/+17
2019-07-19fib: FIB Entry trackingNeale Ranns1-10/+6
2019-07-12ipsec: Reference count the SAsNeale Ranns1-83/+65
2019-06-18ipsec: ipsec-tun protectNeale Ranns1-2/+23
2019-06-17ipsec: One DPO per SANeale Ranns1-10/+9
2019-06-07ipsec: remove the set_key APINeale Ranns1-46/+0
2019-06-05IPSEC: some CLI fixesNeale Ranns1-2/+8
2019-06-02IPSec: memcpy of integ key borkNeale Ranns1-1/+1
2019-04-30crypto: enforce per-alg crypto key lengthBenoît Ganne1-0/+5
2019-04-25IPSEC; dpdk backend for tunnel interface encryptionNeale Ranns1-1/+1
2019-04-25crypto: improve key handlingDamjan Marion1-0/+18
2019-04-16IPSEC: support GCM in ESPNeale Ranns1-2/+9
2019-04-10IPSEC: for each engine and algorithm testsNeale Ranns1-1/+1
2019-04-07crypto: add support for AEAD and AES-GCMDamjan Marion1-3/+3
2019-04-04ipsec: trunc_size -> icv_sizeDamjan Marion1-2/+2
2019-04-02IPSEC: tunnel scaling - don't stack the inbould SANeale Ranns1-13/+3
2019-03-29ipsec: esp-decrypt reworkDamjan Marion1-0/+1
2019-03-28ipsec: USE_EXTENDED_SEQ_NUM -> USE_ESNDamjan Marion1-2/+2
2019-03-27ipsec: compress ipsec_sa_t so data used by dataplane code fits in cachelineDamjan Marion1-19/+21
2019-03-26ipsec: esp-encrypt reworkDamjan Marion1-0/+43
2019-03-20ipsec: keep crypto data inside SADamjan Marion1-2/+22
2019-02-18IPSEC: move SA counters into the stats segmentNeale Ranns1-0/+14
2019-02-14ipsec: memory leak fixupKingwel Xie1-1/+4
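>mask = ~0; else return 0; am->addr.as_u32 = addr; am->mask.as_u32 = mask; return 1; }

/*
 * Format an IP4 header.
 *
 * va_args: ip4_header_t *ip, u32 max_header_bytes.
 * max_header_bytes is the caller's statement of how many bytes starting at
 * ip are available; nothing is printed from the header when it is smaller
 * than a fixed IPv4 header.  Returns the (possibly reallocated) output
 * vector s.
 */
u8 *
format_ip4_header (u8 * s, va_list * args)
{
  ip4_header_t *ip = va_arg (*args, ip4_header_t *);
  u32 max_header_bytes = va_arg (*args, u32);
  u32 ip_version, header_bytes;
  u32 indent;

  /* Nothing to do: fewer bytes available than a fixed-size header. */
  if (max_header_bytes < sizeof (ip[0]))
    return format (s, "IP header truncated");

  indent = format_get_indent (s);
  indent += 2;

  /* Both values come straight from the packet and are not trusted:
     header_bytes can be anything from 0 to 60. */
  ip_version = (ip->ip_version_and_header_length >> 4);
  header_bytes = (ip->ip_version_and_header_length & 0xf) * sizeof (u32);

  s = format (s, "%U: %U -> %U",
	      format_ip_protocol, ip->protocol,
	      format_ip4_address, ip->src_address.data,
	      format_ip4_address, ip->dst_address.data);

  /* Show IP version and header length only with unexpected values. */
  if (ip_version != 4 || header_bytes != sizeof (ip4_header_t))
    s = format (s, "\n%Uversion %d, header length %d",
		format_white_space, indent, ip_version, header_bytes);

  s = format (s, "\n%Utos 0x%02x, ttl %d, length %d, checksum 0x%04x",
	      format_white_space, indent,
	      ip->tos, ip->ttl,
	      clib_net_to_host_u16 (ip->length),
	      clib_net_to_host_u16 (ip->checksum));

  /* Check and report invalid checksums. */
  {
    /* NOTE(review): ip4_header_checksum is defined elsewhere.  If it sums
       the length declared in the header rather than sizeof (ip[0]), a
       header that declares options beyond max_header_bytes would be read
       past the bytes the caller said are available -- confirm. */
    u16 c = ip4_header_checksum (ip);
    if (c != ip->checksum)
      s = format (s, " (should be 0x%04x)", clib_net_to_host_u16 (c));
  }

  s = format (s, " dscp %U ecn %U", format_ip_dscp,
	      ip4_header_get_dscp (ip), format_ip_ecn,
	      ip4_header_get_ecn (ip));

  {
    u32 f = clib_net_to_host_u16 (ip->flags_and_fragment_offset);
    u32 o;

    s = format (s, "\n%Ufragment id 0x%04x",
		format_white_space, indent,
		clib_net_to_host_u16 (ip->fragment_id));

    /* Fragment offset: low 13 bits, in units of 8 bytes. */
    o = 8 * (f & 0x1fff);
    /* Clear the offset bits so that only the flag bits remain in f. */
    f ^= f & 0x1fff;
    if (o != 0)
      s = format (s, " offset %d", o);

    if (f != 0)
      {
	s = format (s, ", flags ");
#define _(l) if (f & IP4_HEADER_FLAG_##l) s = format (s, #l);
	_(MORE_FRAGMENTS);
	_(DONT_FRAGMENT);
	_(CONGESTION);
#undef _
      }

    /* Fragment packet but not the first: no next-protocol header follows. */
    if (o != 0)
      return s;
  }

  /* Recurse into next protocol layer.  The next formatter is only given the
     bytes left after header_bytes, so it stays inside max_header_bytes.  A
     header length below sizeof (ip4_header_t) is not rejected here; it is
     only reported above as an unexpected value. */
  if (max_header_bytes != 0 && header_bytes < max_header_bytes)
    {
      ip_main_t *im = &ip_main;
      ip_protocol_info_t *pi = ip_get_protocol_info (im, ip->protocol);

      if (pi && pi->format_header)
	s = format (s, "\n%U%U",
		    format_white_space, indent - 2, pi->format_header,
		    /* next protocol header */ (void *) ip + header_bytes,
		    max_header_bytes - header_bytes);
    }

  return s;
}

/*
 * Parse an IP4 header.
 *
 * va_args: u8 **result, a vector to which the header (and, through the
 * per-protocol parser, the following layers) is appended.
 * Returns 1 on success and 0 when the input does not parse.  On failure the
 * bytes already appended to *result are not removed.
 */
uword
unformat_ip4_header (unformat_input_t * input, va_list * args)
{
  u8 **result = va_arg (*args, u8 **);
  ip4_header_t *ip;
  int old_length;

  /* Allocate space for IP header. */
  {
    void *p;

    old_length = vec_len (*result);
    vec_add2 (*result, p, sizeof (ip4_header_t));
    ip = p;
  }

  clib_memset (ip, 0, sizeof (ip[0]));
  ip->ip_version_and_header_length = IP4_VERSION_AND_HEADER_LENGTH_NO_OPTIONS;

  if (!unformat (input, "%U: %U -> %U",
		 unformat_ip_protocol, &ip->protocol,
		 unformat_ip4_address, &ip->src_address,
		 unformat_ip4_address, &ip->dst_address))
    return 0;

  /* Parse options. */
  while (1)
    {
      int i, j;

      /* NOTE(review): the parsed numbers are stored without a range check;
         presumably tos and ttl are 8-bit fields, so larger values are
         silently truncated -- confirm against ip4_header_t. */
      if (unformat (input, "tos %U", unformat_vlib_number, &i))
	ip->tos = i;

      else if (unformat (input, "ttl %U", unformat_vlib_number, &i))
	ip->ttl = i;

      else if (unformat (input, "fragment id %U offset %U",
			 unformat_vlib_number, &i, unformat_vlib_number, &j))
	{
	  ip->fragment_id = clib_host_to_net_u16 (i);
	  /* The offset is given in bytes and stored in units of 8 bytes.
	     It is taken from the parsed offset (j); the previous code
	     derived it from the fragment id (i). */
	  ip->flags_and_fragment_offset |=
	    clib_host_to_net_u16 ((j / 8) & 0x1fff);
	}

      /* Flags. */
      else if (unformat (input, "mf") || unformat (input, "MF"))
	ip->flags_and_fragment_offset |=
	  clib_host_to_net_u16 (IP4_HEADER_FLAG_MORE_FRAGMENTS);

      else if (unformat (input, "df") || unformat (input, "DF"))
	ip->flags_and_fragment_offset |=
	  clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT);

      else if (unformat (input, "ce") || unformat (input, "CE"))
	ip->flags_and_fragment_offset |=
	  clib_host_to_net_u16 (IP4_HEADER_FLAG_CONGESTION);

      /* Can't parse input: try next protocol level. */
      else
	break;
    }

  /* Fill in checksum.  This happens before ip->length is set below, so the
     checksum is computed while the length field is still zero. */
  ip->checksum = ip4_header_checksum (ip);

  /* Recurse into next protocol layer. */
  {
    ip_main_t *im = &ip_main;
    ip_protocol_info_t *pi = ip_get_protocol_info (im, ip->protocol);

    if (pi && pi->unformat_header)
      {
	if (!unformat_user (input, pi->unformat_header, result))
	  return 0;

	/* Result may have moved: recompute the header pointer from the
	   vector base instead of using the stale one. */
	ip = (void *) *result + old_length;
      }
  }

  /* Fill in IP length: everything appended since this header began. */
  ip->length = clib_host_to_net_u16 (vec_len (*result) - old_length);

  return 1;
}

/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */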