aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2019-03-22ipsec: fix esn handlingDamjan Marion1-9/+5
Change-Id: I27f24095309082363ba0d0ba4bd69e2c0741dc1c Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-22IPSEC: test for packet drop on sequence number wrapNeale Ranns1-1/+2
Change-Id: Id546c56a4904d13d4278055f3c5a5e4548e2efd0 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-21ipsec: add ipv6 support for ipsec tunnel interfaceKingwel Xie7-147/+415
Change-Id: I6a76907dc7bed2a81282b63669bea2219d6903c9 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com> Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
2019-03-20crypto: add hmac truncate optionDamjan Marion1-0/+1
This reverts commit 785368e559dbdf50676f74f43f13423c817abb52. Change-Id: I782ac2be4e161790c73ccd4b08492e2188a6d79d Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-20IPSEC: Tunnel SA not deletedNeale Ranns1-3/+6
p is overwritten by hash_unset so an incorrect value is passed to ipsec_sa_del Change-Id: I97300dd4421c62d7cfa47b8e7e9789becb2370e9 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-20ipsec: keep crypto data inside SADamjan Marion8-58/+65
Change-Id: Ie8986bd3652d25c4befe681cea77df95aba37ebc Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-20ipsec: bug fix ipsec-init sequenceKingwel Xie1-2/+0
ipsec_tunnel_if_init might be called before ipsec_init this memset in ipsec-init therefore zero the memory allocated by ipsec_tunnel_if_init Change-Id: Ie889f1bf624c76842ef77e5a51ed1d41fed4758d Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-19crypto: introduce crypto infraDamjan Marion8-233/+123
Change-Id: Ibf320b3e7b054b686f3af9a55afd5d5bda9b1048 Signed-off-by: Damjan Marion <damarion@cisco.com> Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-19IPSEC: remove byte swap operations in DP during SPD classifyNeale Ranns5-46/+35
Change-Id: I4bfde738f9585b045cb5ba62cf51b141d639b1b2 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-19IPSEC: tidy the policy typesNeale Ranns6-78/+102
Change-Id: I5e981f12ff44243623cfd18d5e0ae06a7dfd1eb8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-13VPP-1576: fix a set of coverity warningsDave Barach1-1/+1
Change-Id: Ifd34aed8692d5acaa370d4976d974ac573e43705 Signed-off-by: Dave Barach <dave@barachs.net>
2019-03-08updates now that flags are supported on the APINeale Ranns1-5/+0
Change-Id: I9c45f390a6454c114f12f9c46c3a93fcecffa73f Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-07ipsec: cli bug fixesKingwel Xie2-5/+9
1. fix wrong assignemnt of lik/rik 2. keys initialized to 0, to avoid using random data in stack. could cause memory overlapped then crash 3. show sa->id in hex format Change-Id: Id0430aa49bb55c27cee4f97f8c0e4ec87515dcd2 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-07ipsec: ipsec-if optimizations & bug fixesKingwel Xie2-254/+309
1. changed to vlib_buffer_enqueue_to_next 2. error counter fixes; stats added to last_sw_if_index when interface changed 3. udp-encap support Change-Id: I70b0814aa37181fea4d70fa3c96c608adb5afe49 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-06ipsec: esp-encrypt and esp-decrypt cleanupDamjan Marion4-558/+447
Change-Id: I1e431aa36a282ca7565c6618a940d591674b8cd2 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-06IPSEC: tunnel encap/decap dual loop speedupsNeale Ranns3-89/+255
baseline: ipsec0-tx 1.27e1 ipsec-if-input 8.19e1 this change: ipsec0-tx 6.17e0 ipsec-if-input 6.39e1 this also fixes the double tunnel TX counts by removing the duplicate from the TX node. Change-Id: Ie4608acda08dc653b6fb9e2c85185d83625efd40 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-05ipsec: cleanup, remove unnecessary code,Kingwel Xie5-13/+7
ipsec_proto_main moved to ipsec.c fix missing '\0' of backend name Change-Id: I90760b3045973a46792c2f098d9b0b1b3d209ad0 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-04IPSEC: script to bounce IPSEC traffic through a pipe to test encrypt and decrpytNeale Ranns1-0/+33
Change-Id: I262a9412951b5df616920a8fad16c61eae96d0cc Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-01IPSEC: tunnel-input; don't load the HW interface structNeale Ranns4-43/+41
also fix the stats to include all the data in the tunnel. And don't load the SA. Change-Id: I7cd2e8d879f19683175fd0de78a606a2836e6da2 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-28TEST: IPSEC NAT-T with UDP headerNeale Ranns1-0/+1
Change-Id: I5ef8b3f4be40a7a0b0f1cb90dc0e15a4711e8664 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-25IKEv2 to pluginNeale Ranns10-7245/+19
for easy integration with ptoducts running their own Ike stack. Without the VPP IKE plugin loaded, the product is free to handle IKE packets as it pleases. Change-Id: Id0839f4d58b797f4c2da0382eb499fc08b05f66f Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-22IPSEC: header exportsNeale Ranns7-1/+6
Change-Id: I7d48a4e236c6e7b11b0c9750a30fb68e829d64a5 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-20IPSEC: API coverity error of unitialised stat_index valueNeale Ranns1-0/+2
Change-Id: If884a3840f34090e33ce7808d38e50f919290d9f Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-18IPSEC: move SA counters into the stats segmentNeale Ranns11-18/+66
1) stats are accessed via the stat segment which is more condusive to monitoring 2) stats are accurate in the presence of multiple threads. There's no guarantee that an SA is access from only one worker. Change-Id: Id5e217ea253ddfc9480aaedb0d008dea031b1148 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-14ipsec: memory leak fixupKingwel Xie1-1/+4
Change-Id: Ib2ad196bec1005d6678589d5b5c199b8a541c720 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-14Add -fno-common compile optionBenoît Ganne1-0/+2
-fno-common makes sure we do not have multiple declarations of the same global symbol across compilation units. It helps debug nasty linkage bugs by guaranteeing that all reference to a global symbol use the same underlying object. It also helps avoiding benign mistakes such as declaring enum as global objects instead of types in headers (hence the minor fixes scattered across the source). Change-Id: I55c16406dc54ff8a6860238b90ca990fa6b179f1 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2019-02-13IPSEC: restack SAs on backend changeNeale Ranns3-13/+42
Change-Id: I5852ca02d684fa9d59e1690efcaca06371c5faff Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-12ipsec: cli bug fixKingwel Xie1-6/+23
1. unformat_ip46_address must have ip-type specified 2. cannot unformat ip46_address_t with unformat_ip4_address Change-Id: I5f1eecfe71a808302428afb39f910ebf0c7cef71 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-11IPSEC-tun: The tunnel DB uses the network order SPI to save the byte swap in ↵Neale Ranns2-8/+11
the DP Change-Id: I78a1c39682d5afd356a3cfe70097fc682e8cb938 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-11ipsec: multi-arch, next-node-index cleanupKingwel Xie4-27/+52
1. specify ipsec_xxx_node.c in MULTIARCH_SOURCES 2. cleanup foreach_ipsec_output_next & foreach_ipsec_input_next, as next-nodes are actually added by ipsec_register_xx_backend dynamically thus, ipsec4-input-feature will point to ah4/esp4-encrypt, instead of pointing to ah6/esp6-encrypt 3. remove an unused count and add counter IPSEC_INPUT_ERROR_RX_MATCH_PKTS in ipsec-input Change-Id: Ifcf167812d2cc18187c2cea84b657a52b67e17d4 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-07IPSEC: remove unused members of main structNeale Ranns1-4/+0
Change-Id: Ib55deb620f4f58cac07da7cb69418a3a30ff3136 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-07IPSEC: no second lookup after tunnel encapNeale Ranns14-443/+713
in the same maaner as with other tunnel tyeps we use the FIB to cache and track the destination used to reach the tunnel endpoint. Post encap we can then ship the packet straight to this adjacency and thus elide the costly second lookup. - SA add and del function so they can be used both directly from the API and for tunnels. - API change for the SA dump to use the SA type - ipsec_key_t type for convenience (copying, [un]formating) - no matching tunnel counters in ipsec-if-input Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-05IPSEC: SPD counters in the stats sgementNeale Ranns12-505/+411
- return the stats_index of each SPD in the create API call - no ip_any in the API as this creates 2 SPD entries. client must add both v4 and v6 explicitly - only one pool of SPD entries (rhter than one per-SPD) to support this - no packets/bytes in the dump API. Polling the stats segment is much more efficient (if the SA lifetime is based on packet/bytes) - emit the policy index in the packet trace and CLI commands. Change-Id: I7eaf52c9d0495fa24450facf55229941279b8569 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-04ipsec: cli 'create ipsec tunnel' more optionsKingwel Xie1-3/+7
use-esp use-anti-replay Change-Id: I977b65eee926adaded0cb923e14feb0ee90fc32c Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-02-01IPSEC: minor refactorNeale Ranns10-754/+999
No function change. Only breaking the monster ipsec.[hc] into smaller constituent parts Change-Id: I3fd4d2d041673db5865d46a4002f6bd383f378af Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-31IPSEC: API modernisationNeale Ranns3-257/+396
- use enums to enumerate the algoritms and protocols that are supported - use address_t types to simplify encode/deocde - use typedefs of entry objects to get consistency between add/del API and dump Change-Id: I7e7c58c06a150e2439633ba9dca58bc1049677ee Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-30ipsec: fix check support functionsKlement Sekera2-5/+17
Change-Id: If94c57fbb07a7376a9f2873e1489c00b28152620 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-01-28Add Ipsec IKE support to openssl 3.0.0 master branchPing Yu1-0/+24
Change-Id: I7bd43f57d23b1ecf031530c4a7508f949ddf616f Signed-off-by: Ping Yu <ping.yu@intel.com>
2019-01-25IPSEC: tests use opbject registryNeale Ranns1-1/+11
this means we test the dumps - to some extent Change-Id: I8d90745701012012b41a7b3aaf9be97b4dd2bdf8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-24IPSEC Tests: to per-test setup and tearDownNeale Ranns1-4/+4
don't do the setup and teardown in class methods so that with each test the config is added and deleted. that way we test that delete actually removes state. more helpful error codes from VPP for existing IPSEC state. Change-Id: I5de1578f73b935b420d4cdd85aa98d5fdcc682f6 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-23AH encrypt; don't double enqueue nor emit clib_warnings when seq-num max ↵Neale Ranns1-5/+0
exceeded Change-Id: Id5b47f78521a0cbedf7bd2c72babfb2ffe9fa67d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-20fix data_length in IpSec API call (VPP-1548)Michal Cmarada1-4/+6
Change-Id: Idb2839f6082bd2e052be2bc5417f0ebb43d1c0a6 Signed-off-by: Michal Cmarada <mcmarada@cisco.com>
2019-01-02ipsec: fix support check when using AES-GCMMatthew Smith1-10/+15
When adding an IPsec SA, ipsec_check_support_cb() is called. This invokes a callback for AH and a callback for ESP to check if the algorithms are supported. When using AES-GCM on an ESP SA with the DPDK IPsec backend selected, the AH callback fails. The DPDK IPsec backend has no AH support, so the callback for the default OpenSSL backend is invoked. This checks whether the crypto algorithm is AES-GCM and returns failure. Only invoke the callback to check support for the IPsec protocol of the SA - either AH or ESP rather than doing both. Change-Id: Ic10be6a17b580d06ffb7e82ef5866e53a4f8b525 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-12-12fix spurious error setting SA on ipsec intfMatthew Smith1-1/+1
Reverse the polarity on test to determine if old SA session deletion succeeded. 0 == success, not failure. Change-Id: I499cb04c7f13165e6c92367d4385057b77fe3836 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-12-12Change ipsec feature node namesPierre Pfister4-24/+24
ipsec4-output and ipsec6-output were conflicting with ipsec interface names ("ipsec<id>") and vnet/interface.c autogenerated output node ("<ifname>-output"). Changing feature names seems to be the less invasive option. This patch also changes "input" feature names for consistency. Change-Id: I4ba10d07e9ba09df20aa2500104252b06b55f8f7 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-12-11Add IPSec interface FIB index for TX packetPierre Pfister6-6/+36
This patch adds a configuration parameter to IPSec tunnels, enabling custom FIB selection for encapsulated packets. Although this option could also be used for policy-based IPSec, this change only enables it for virtual-tunnel-interface mode. Note that this patch does change the API default behavior regarding TX fib selection for encapsulated packets. Previous behavior was to use the same FIB after and before encap. The new default behavior consists in using the FIB 0 as default. Change-Id: I5c212af909940a8cf6c7e3971bdc7623a2296452 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-12-11Fix [csit-dev] CSIT IPv6 IPSec transport mode tests are failingjackiechen19851-1/+9
Change-Id: I7893a8fd5b3e15063675597c0e9bd1cd0b49ef0e Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
2018-12-07Fix VPP-1515 IPSec receive packet error in transport mode with udp encapjackiechen19852-4/+14
Change-Id: Ife66395b89e1e9f9206666e5f0fd441b3c241bb2 Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
2018-12-04ipsec: simplify bumping counters - cosmetic changeKlement Sekera4-116/+35
Change-Id: Ibb55427ed49d0277854a352922c6c4bb007bf072 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-12-03Add UDP encap flagFilip Tehlar2-0/+3
Change-Id: Ic6a8b9aaec7e5dee4fb1971168988dbe4f931f86 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>