aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2019-11-19ipsec: fix trailing data overflowFilip Tehlar1-23/+21
IPsec writes trailing data at the end of the buffer without checking if there is enough space. If the packet length equals buffer size this leads to rewiting of the next buffer header in the pool. Type: fix Change-Id: Iceb27bb724c7243863a4b532aad0808051b7d74c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-11-18ipsec: ipsec-input: check for too-short packetsBenoît Ganne1-12/+25
Make sure packet is big enough before processing it. Policy matching is done speculatively but is discarded if packet is too short. Type: fix Change-Id: I647db2c4e568b0d9bf2cfd5056e1b1c2e25132fe Signed-off-by: Benoît Ganne <bganne@cisco.com> (cherry picked from commit f7f49640bbb4339d71f8b713b04b8f401d5fc270)
2019-11-05ipsec: fix esp trace seq number overflowBenoît Ganne2-4/+12
Do not copy invalid seq number if packet is too small. Type: fix Change-Id: I1e78f5920e9645521f57efccaf35bbf9ce0676a8 Signed-off-by: Benoît Ganne <bganne@cisco.com> (cherry picked from commit c520fe7ab9db6fa60f9e69be990dd5c83eb40522)
2019-11-03ipsec: fix tunnel protection removalFilip Tehlar1-1/+1
Type: fix Change-Id: I4d5546d1f9b3a162291997f6f0c094c5c3d6cf31 Signed-off-by: Filip Tehlar <ftehlar@cisco.com> (cherry picked from commit 89b24950005914317c142149fa1ba8a167a978ca)
2019-10-07ipsec: fix use-after-freeBenoît Ganne1-3/+7
When deleting interface from the API, 'hi' gets removed before 'h->sw_if_index' is copied. Type: fix Change-Id: I8e10108e9bdf95ab2fe002790d98262d583ca58c Signed-off-by: Benoît Ganne <bganne@cisco.com> (cherry picked from commit 8133c780a22480496c74a4ead321e8350d5beeb4)
2019-10-04ipsec: support 4o6 and 6o4 for tunnel protectNeale Ranns2-25/+31
Type: feature Change-Id: Ib2352ca4c7abf4645f21fa16aaaf27408890a2bf Signed-off-by: Neale Ranns <nranns@cisco.com> (cherry picked from commit b325983a4461dd806e86a31abc47533b09482157)
2019-10-03ip: respect buffer boundary when searching for ipv6 headersKlement Sekera1-1/+2
Type: fix Change-Id: I5a5461652f8115fa1270e20f748178fb5f5450f2 Signed-off-by: Klement Sekera <ksekera@cisco.com> (cherry picked from commit 769145cdbc28324bd0b6304951199ec3d6e0e883)
2019-10-03ipsec: add insecure option for format of SAChristian E. Hopps3-3/+9
If specified, shows keys, otherwise redacts. This change sets this flag in the existing CLI code (thus maintaining the old behavior). The use case for not specifying the insecure flag (and thus redacting the keys from the show output) is for log messages. Type: feature Signed-off-by: Christian E. Hopps <chopps@chopps.org> Change-Id: I8c0ab6a9a8aba7c687a2559fa1a23fac9d0aa111 (cherry picked from commit 01d61e7881432a2c508fecbbab804d9c776abe1a)
2019-09-28ipsec ip tcp l2: multiarch nodes cannot be declared as staticDamjan Marion1-4/+4
Credits to ray.kinsella@intel.com who spotted the issue and identified root cause. Type: fix Change-Id: I4afe74c47769484309f6aebca2de56ad32c8041f Signed-off-by: Damjan Marion <damarion@cisco.com> (cherry picked from commit d770cfc96257f9bd9e0c96c8ebe50e4531dc1bc5)
2019-09-25ipsec: Fix NULL encryption algorithmNeale Ranns2-1/+9
Type: fix Ticket: VPP-1756 the block-size was set to 0 resulting in incorrect placement of the ESP footer. add tests for NULL encrypt + integ. Change-Id: I8ab3afda8e68f9ff649540cba3f2cac68f12bbba Signed-off-by: Neale Ranns <nranns@cisco.com> (cherry picked from commit 2cdcd0cf4004b2c0d1d3b891e381aac5735c21f1)
2019-09-25ipsec: Add 'detail' option to 'sh ipsec sa'Neale Ranns1-4/+8
Type: feature with detail option prints all details for all SAs Change-Id: Ic3c423c085dfc849cf9c3e18a6f624b82150d961 Signed-off-by: Neale Ranns <nranns@cisco.com> (cherry picked from commit 670027a50682b88c3082aad70072139ce87a0d52)
2019-09-19ipsec: fix missed IPSEC_INTEG_ALG_MD5_96Dmitry Vakhrushev1-0/+5
This algorithm was missed in last improvements. Type:fix Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com> Change-Id: Ib818cbdcdd1a6f298e8b0086dac4189cc201baa3 (cherry picked from commit 77cc14a2b29a65073539e6e3f4683a380875b3dc)
2019-08-01ipsec: Redo the anit-replay check post decryptNeale Ranns2-0/+36
Type: fix Change-Id: I1fa8c5326d6f22cfb8dd40e97d8a22d11a716922 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-31ipsec: Typo in flag nameNeale Ranns1-1/+1
Type: fix Change-Id: I0c9353598d3c9b7ea587ea8a2b6e1faa5454843d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-24ipsec: GCM, Anti-replay and ESN fixessNeale Ranns4-42/+129
Type: fix Several Fixes: 1 - Anti-replay did not work with GCM becuase it overwrote the sequence number in the ESP header. To fix i added the seq num to the per-packet data so it is preserved 2 - The high sequence number was not byte swapped during ESP encrypt. 3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM the others return BAD_HMAC. removed the former 4 - improved tracing to show the low and high seq numbers 5 - documented the anti-replay window checks 6 - fixed scapy patch for ESN support for GCM 7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-19fib: FIB Entry trackingNeale Ranns1-10/+6
Instead of all clients directly RR sourcing the entry they are tracking, use a deidcated 'tracker' object. This tracker object is a entry delegate and a child of the entry. The clients are then children of the tracker. The benefit of this aproach is that each time a new client tracks the entry it doesn't RR source it. When an entry is sourced all its children are updated. Thus, new clients tracking an entry is O(n^2). With the tracker as indirection, the entry is sourced only once. Type: feature Change-Id: I5b80bdda6c02057152e5f721e580e786cd840a3b Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-19ipsec: register for port 4500 at INITNeale Ranns1-13/+5
Type: fix Fixes: 41afb33 Change-Id: Iceb99ead32f1858a5b4f85911d7cb2b39cc9add5 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-16ipsec: handle UDP keepalivesNeale Ranns8-38/+227
Type: feature Change-Id: I87cc1168466f267e8c4bbec318401982f4bdf03a Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-16ipsec: coverity found c-n-p errorNeale Ranns1-1/+1
Type: fix Fixes: 4b0b0d4 Change-Id: Ibd37c9099f9847ed23fa8357fd8e57ee516e52ab Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-15ipsec: rewind missing from dual loopNeale Ranns1-4/+9
Type: fix Fixes: a6bee0a1 Change-Id: I1959e28b82825d7928d471d3dfa827ea4cdd74b7 Signed-off-by: Giles Heron <giheron@cisco.com> Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-12ipsec: drop outbound ESP when no crypto alg setMatthew Smith4-5/+162
Type: fix If a tunnel interface has the crypto alg set on the outbound SA to IPSEC_CRYPTO_ALG_NONE and packets are sent out that interface, the attempt to write an ESP trailer on the packet occurs at the wrong offset and the vnet buffer opaque data is corrupted, which can result in a SEGV when a subsequent node attempts to use that data. When an outbound SA is set on a tunnel interface which has no crypto alg set, add a node to the ip{4,6}-output feature arcs which drops all packets leaving that interface instead of adding the node which would try to encrypt the packets. Change-Id: Ie0ac8d8fdc8a035ab8bb83b72b6a94161bebaa48 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-07-12ipsec: Reference count the SAsNeale Ranns9-166/+155
- this remove the need to iterate through all state when deleting an SA - and ensures that if the SA is deleted by the client is remains for use in any state until that state is also removed. Type: feature Change-Id: I438cb67588cb65c701e49a7a9518f88641925419 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-12ip ipsec: Remove IPSec SPI-0 punt reasonNeale Ranns3-24/+9
Type: fix There's no call for an SPI-0 punt reason with UDP encap, since it's only with UDP encap that the ambiguity between IKE or IPSEC occurs (and SPI=0 determines IKE). Enhance the punt API to dum ponly the reason requested, so a client can use this as a get-ID API Change-Id: I5c6d72b03885e88c489117677e72f1ef5da90dfc Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-11ipsec: Revert "IPSEC: remove byte swap operations in DP during SPD classify"Neale Ranns5-27/+26
Type: fix Fixes: 231c4696872cb344f28648949603840136c0795d This reverts commit 231c4696872cb344f28648949603840136c0795d. Change-Id: I136344555983dd10a31dbc000ee40e2de2c91291 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-11ipsec: Revert "IPSEC: remove double byte swap of IP addresses"Neale Ranns1-10/+18
This reverts commit 9b208ced585d3b4620d6fde586cd047fe2027ecf. Type: fix Fixes: 9b208ced585d3b4620d6fde586cd047fe2027ecf Change-Id: I94a17039b4727bff0877423da5ba6cfceb188b17 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-25ipsec: print spi in hexadecimalGuillaume Solignac6-15/+16
Print the SPI in hexadecimal and decimal. Type: feature Change-Id: I012e94f9147058064e06c6bb4622ab6b6507957d Signed-off-by: Guillaume Solignac <gsoligna@cisco.com>
2019-06-25ipsec: return error if the engine backend has no handler for theNeale Ranns1-1/+23
requested alogrithm. Type: feature Change-Id: I19a9c14b2bb52ba2fc66246845b7ada73d5095d1 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-19ipsec: fix l2 header handling in ah encryptKlement Sekera1-6/+6
Use proper length for copying l2 layer in ah encrypt code. Previously code assumed that there is alywas just one ethernet header preceding IP header, which might not be true always. Change-Id: I176fd93b25cf1b9d9c2dc4e420ad48a94d5f4fb8 Ticket: VPP-1539 Type: fix Fixes: N/A Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-06-18ipsec: ipsec-tun protectNeale Ranns16-131/+1481
please consult the new tunnel proposal at: https://wiki.fd.io/view/VPP/IPSec Type: feature Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-17ipsec: One DPO per SANeale Ranns5-24/+16
An SA can be used only for ESP or AH nver both, so it needs only one coresponding DPO. Type: refactor Change-Id: I689060f795ee352245a0eaed0890a6b234c63d71 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-17ipsec: return original SA create error for tunnel createNeale Ranns1-2/+2
rather than SRC/DST address error which is not so helpfull Type: fix Fixes: af3f0783 Change-Id: Ie2143e4e29de87d93e79bd96284c041bdbffd98e Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-14ipsec: Display user specified SPI ID not VPP's indexNeale Ranns1-1/+3
Type: fix Fixes: 8d7c502002 Change-Id: Ia6de250f20200c17937d9d7b2aab17ccd81d7823 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-14ipsec: Correctly rewind the buffer to the IP header when punting UDP ↵Neale Ranns1-3/+5
encapped SPI-0 packets Type: fix Fixes: b71fa75d48 Change-Id: I2d81b373f7659e702759939c096b315afa36f621 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-13ipsec: remove spurious warningsNeale Ranns3-7/+0
Type: fix Fixes: 999c8ee6d6 Change-Id: Idcdddbe45f2e0adfd375b07199bb30f77c28702d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-05ipsec: ah_decrypt reworkFilip Tehlar1-167/+283
This patch refactors AH decrypt node in such way that it calls crypto backend only once per node call. Type: refactor Change-Id: I0dc72ff699042a151e64d44f76f791c5136ec009 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-06-07ipsec: remove the set_key APINeale Ranns7-371/+0
there's no use case to just change the key of an SA. instead the SA should be renegociated and the new SA applied to the existing SPD entry or tunnel. the set_key functions were untested. Type: refactor Change-Id: Ib096eebaafb20be7b5501ece5a24aea038373002 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-05ipsec: fix combined counters in ah-encrypt nodeFilip Tehlar1-3/+5
Type: fix Fixes: 1197449 Change-Id: Icdda3c667ba76542ea3af5d66cc7c3fb10ade1ca Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-06-05ipsec: fix sa counters in esp-encryptDamjan Marion1-4/+7
Type: fix Fixes: c59b9a2 Change-Id: I6021e67196a4d31ab11d4e3cfbda34b678150701 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-06-05ipsec: fix sa counters in esp-decryptDamjan Marion1-6/+7
Type: fix Fixes: b4fff3a Change-Id: I2552cbc0a02e7445825a5a4ce290cde3d10c5f0b Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-06-05IPSEC: some CLI fixesNeale Ranns2-6/+11
Change-Id: I45618347e37440263270baf07b2f82f653f754a5 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-04Fix: bug prevented IPsec ipv4 SPDs to show correctlyGuillaume Solignac1-4/+9
Because of the initialisation of the end of the range, the command show ipsec spd on an ipv4 SPD didn't work correctly. Change-Id: I3582382197bb6edef4fb077aac1e927ef4581cbf Signed-off-by: Guillaume Solignac <gsoligna@cisco.com>
2019-06-02IPSec: memcpy of integ key borkNeale Ranns1-1/+1
Change-Id: Icd76769d841792eb2d59ffc23c557dcca9ddc580 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-30IPsec: modify post-decrypt buf len calculationMatthew G Smith1-2/+2
For tunnel mode, after decryption the buffer length was being adjusted by adding (iv length + esp header size). Subtract it instead. Required for BFD to work on an IPsec tunnel interface. BFD verifies that the amount of received data is the expected size. It drops the packet if the buffer metadata says that the packet buffer contains more data than the packet headers say it should. Change-Id: I3146d5c3cbf1cceccc9989eefbc9a59e604e9975 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-05-29ipsec: fix perf issue in esp_aad_fillDamjan Marion1-4/+7
Type: fix Fixes: 47feb11 Change-Id: I6b3b97cd361eef19c910c14fd06edb001a4c191b Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-05-28ipsec: ah_encrypt reworkFilip Tehlar1-194/+280
call crypto backend only once per node call Change-Id: I0faab89f603424f6c6ac0db28cc1a2b2c025093e Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-05-28Punt: socket register for exception dispatched/punted packets based on reasonNeale Ranns1-5/+5
- add to the Punt API to allow different descriptions of the desired packets: UDP or exceptions - move the punt nodes into punt_node.c - improve tests (test that the correct packets are punted to the registered socket) Change-Id: I1a133dec88106874993cba1f5a439cd26b2fef72 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-20IPSEC: rename default backendNeale Ranns1-2/+2
Change-Id: I3a4883426b558476040af5b89bb7ccc8f151c5cc Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-15IPSEC: remove CLI check for unsupported IPv6-AH - it is supportedNeale Ranns1-22/+0
Change-Id: I72ec95d4a3009a55b0f1fa7e45f9c53f31ef5fc1 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-14IPSEC coverity fixesNeale Ranns2-2/+4
Change-Id: I753fbce091c0ba1004690be5ddeb04f463cf95a3 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-05-14IPSEC: remove unecessary pass by reference of sequence numberNeale Ranns3-4/+4
Change-Id: Id406eb8c69a89c57305d8f138e8e6730037aa799 Signed-off-by: Neale Ranns <nranns@cisco.com>