Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: fix
If a tunnel interface has the crypto alg set on the outbound SA to
IPSEC_CRYPTO_ALG_NONE and packets are sent out that interface,
the attempt to write an ESP trailer on the packet occurs at the
wrong offset and the vnet buffer opaque data is corrupted, which
can result in a SEGV when a subsequent node attempts to use that
data.
When an outbound SA is set on a tunnel interface which has no crypto
alg set, add a node to the ip{4,6}-output feature arcs which drops all
packets leaving that interface instead of adding the node which would
try to encrypt the packets.
Change-Id: Ie0ac8d8fdc8a035ab8bb83b72b6a94161bebaa48
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
- this remove the need to iterate through all state when deleting an SA
- and ensures that if the SA is deleted by the client is remains for use
in any state until that state is also removed.
Type: feature
Change-Id: I438cb67588cb65c701e49a7a9518f88641925419
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
There's no call for an SPI-0 punt reason with UDP encap, since
it's only with UDP encap that the ambiguity between IKE or IPSEC
occurs (and SPI=0 determines IKE).
Enhance the punt API to dum ponly the reason requested, so a client
can use this as a get-ID API
Change-Id: I5c6d72b03885e88c489117677e72f1ef5da90dfc
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Fixes: 231c4696872cb344f28648949603840136c0795d
This reverts commit 231c4696872cb344f28648949603840136c0795d.
Change-Id: I136344555983dd10a31dbc000ee40e2de2c91291
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
This reverts commit 9b208ced585d3b4620d6fde586cd047fe2027ecf.
Type: fix
Fixes: 9b208ced585d3b4620d6fde586cd047fe2027ecf
Change-Id: I94a17039b4727bff0877423da5ba6cfceb188b17
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Print the SPI in hexadecimal and decimal.
Type: feature
Change-Id: I012e94f9147058064e06c6bb4622ab6b6507957d
Signed-off-by: Guillaume Solignac <gsoligna@cisco.com>
|
|
requested alogrithm.
Type: feature
Change-Id: I19a9c14b2bb52ba2fc66246845b7ada73d5095d1
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Use proper length for copying l2 layer in ah encrypt code. Previously
code assumed that there is alywas just one ethernet header preceding IP
header, which might not be true always.
Change-Id: I176fd93b25cf1b9d9c2dc4e420ad48a94d5f4fb8
Ticket: VPP-1539
Type: fix
Fixes: N/A
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
please consult the new tunnel proposal at:
https://wiki.fd.io/view/VPP/IPSec
Type: feature
Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
An SA can be used only for ESP or AH nver both, so it needs only one
coresponding DPO.
Type: refactor
Change-Id: I689060f795ee352245a0eaed0890a6b234c63d71
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
rather than SRC/DST address error which is not so helpfull
Type: fix
Fixes: af3f0783
Change-Id: Ie2143e4e29de87d93e79bd96284c041bdbffd98e
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Fixes: 8d7c502002
Change-Id: Ia6de250f20200c17937d9d7b2aab17ccd81d7823
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
encapped SPI-0 packets
Type: fix
Fixes: b71fa75d48
Change-Id: I2d81b373f7659e702759939c096b315afa36f621
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Fixes: 999c8ee6d6
Change-Id: Idcdddbe45f2e0adfd375b07199bb30f77c28702d
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
This patch refactors AH decrypt node in such way that it calls crypto
backend only once per node call.
Type: refactor
Change-Id: I0dc72ff699042a151e64d44f76f791c5136ec009
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
there's no use case to just change the key of an SA. instead the SA
should be renegociated and the new SA applied to the existing SPD entry
or tunnel.
the set_key functions were untested.
Type: refactor
Change-Id: Ib096eebaafb20be7b5501ece5a24aea038373002
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Fixes: 1197449
Change-Id: Icdda3c667ba76542ea3af5d66cc7c3fb10ade1ca
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Fixes: c59b9a2
Change-Id: I6021e67196a4d31ab11d4e3cfbda34b678150701
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Fixes: b4fff3a
Change-Id: I2552cbc0a02e7445825a5a4ce290cde3d10c5f0b
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I45618347e37440263270baf07b2f82f653f754a5
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Because of the initialisation of the end of the range, the command show ipsec spd
on an ipv4 SPD didn't work correctly.
Change-Id: I3582382197bb6edef4fb077aac1e927ef4581cbf
Signed-off-by: Guillaume Solignac <gsoligna@cisco.com>
|
|
Change-Id: Icd76769d841792eb2d59ffc23c557dcca9ddc580
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
For tunnel mode, after decryption the buffer length was being adjusted
by adding (iv length + esp header size). Subtract it instead.
Required for BFD to work on an IPsec tunnel interface. BFD verifies
that the amount of received data is the expected size. It drops the
packet if the buffer metadata says that the packet buffer contains
more data than the packet headers say it should.
Change-Id: I3146d5c3cbf1cceccc9989eefbc9a59e604e9975
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
Fixes: 47feb11
Change-Id: I6b3b97cd361eef19c910c14fd06edb001a4c191b
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
call crypto backend only once per node call
Change-Id: I0faab89f603424f6c6ac0db28cc1a2b2c025093e
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
- add to the Punt API to allow different descriptions of the desired packets: UDP or exceptions
- move the punt nodes into punt_node.c
- improve tests (test that the correct packets are punted to the registered socket)
Change-Id: I1a133dec88106874993cba1f5a439cd26b2fef72
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I3a4883426b558476040af5b89bb7ccc8f151c5cc
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I72ec95d4a3009a55b0f1fa7e45f9c53f31ef5fc1
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I753fbce091c0ba1004690be5ddeb04f463cf95a3
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Id406eb8c69a89c57305d8f138e8e6730037aa799
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
ipsec_init fails if vnet_feature_init hasn't occurred. Can happen if a
particular set of plugins are loaded.
Change-Id: I67b289d640c28d04e248b9a09ebcc8f205834fd2
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I2d7e873fca6ab266af75814fac5d4cb5cda93cef
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
|
|
hi->name is not NULL-terminated. Use specialized format function which
does the right thing.
Change-Id: Iadda51461af0c1ad4f38a6d24b76e816020f35c8
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Crypto algorithms have different requirements on key length. As we do
not support key stretching (eg. PBKDF2), user must provide the exact
key length used by the algorithm.
Failing that means low-level crypto functions might read garbage (eg.
aes128_key_expand() will read 16-bytes, regardless of the key provided
by the user).
Change-Id: I347a1ea7a59720a1ed07ceaad8b00a31f78458c9
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
- nonce construction out of salt and iv is ipsec specific so it should be
handled in ipsec code
- fixes GCM unit tests
- GCM IV is constructed out of simple counter, per RFC4106 section 3.1
Change-Id: Ib7712cc9612830daa737f5171d8384f1d361bb61
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
... at least for use cases we are interested in
Change-Id: I1156ff354635e8f990ce2664ebc8dcd3786ddca5
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ie1d34b7e71554516595e0cd228e2cd54a3b8d629
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Id7fcaf8590f9f2dcccdebea0ad31c7ecd1cbc8af
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: If96f661d507305da4b96cac7b1a8f14ba90676ad
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: I6151e57643ebed42f51b795980db2c52084295ab
Signed-off-by: Vratko Polak <vrpolak@cisco.com>
|
|
Change-Id: Ic75df36e06a77730ff8764f96d3cf53c4e59923b
Signed-off-by: Simon Zhang <yuwei1.zhang@intel.com>
|
|
The graph node running IPsec encap in tunnel mode can be saved
from 65.8 to 57.3 clocks/pkt on Haswell platform.
The graph node can be saved 10 clockes/pkt on DVN as well in the
same case.
Change-Id: I4804879c4d489465ee56a8f8317596b7e79b9331
Signed-off-by: Zhiyong Yang <zhiyong.yang@intel.com>
|
|
Change-Id: Ia3474e5bfea5764eae9b2987bf78296535df6778
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I8977100d7a22b50260858bd1ea9db419b53284ff
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I1c2b3e40c689bedcdcea7887792b6b6b6aeb48d5
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Ia8cea13f7b937294e6a080a55fb2ceff30063acf
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: I4d1d22cb24564896264e77c1810804ea3f54cb37
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Change-Id: Id2ddb77b4ec3dd543d6e638bc882923f2bac011d
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
decrypting too many bytes.
Change-Id: I4663e70271d9734eda7f9a127967b9224c0e5efc
Signed-off-by: Neale Ranns <nranns@cisco.com>
|