Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: fix
1 - big packets; chained buffers and those without enoguh space to add
ESP header
2 - IPv6 extension headers in packets that are encrypted/decrypted
3 - Interface protection with SAs that have null algorithms
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
|
|
Type: fix
Change-Id: I5cb9a3845ddbc5f4de4eb4e9c481f606fe5cec9a
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
in transport mode the header sequence is:
MAC - IP (tun) - ESP - GRE - L2
so popping the GRE header is done in the ESP decrypt node.
Change-Id: Ia125eb65b9300368617d2bffca09683851e43be0
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
the sequence number increment and the anti-replay window
checks must be atomic. Given the vector nature of VPP we
can't simply use atomic increments for sequence numbers,
since a vector on thread 1 with lower sequence numbers could
be 'overtaken' by packets on thread 2 with higher sequence
numbers.
The anti-replay logic requires a critical section, not just
atomics, and we don't want that.
So when the SA see the first packet it is bound to that worker
all subsequent packets, that arrive on a different worker,
are subject to a handoff.
Type: feature
Change-Id: Ia20a8645fb50622ea6235ab015a537f033d531a4
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: Idf4d0b59a1eb2c739a67a4786470884050f81561
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I2272521d6e69edcd385ef684af6dd4eea5eaa953
|
|
This helps GCC understand the memcpy will not overflow pad_data. GCC-6
(default on Debian 9) in particular got confused.
Type: fix
Change-Id: I176eb01531b9d5c7ebec40f015e510b2d56e77c4
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: feature
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I9467f11775936754406892b8e9e275f989ac9b30
|
|
Type: fix
Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com>
Change-Id: I81b937fc8cfec36f8fb5de711ffbb02f23f3664e
Signed-off-by: Prashant Maheshwari <pmahesh2@cisco.com>
|
|
IPsec writes trailing data at the end of the buffer without checking
if there is enough space. If the packet length equals buffer size this
leads to rewiting of the next buffer header in the pool.
Type: fix
Change-Id: Iceb27bb724c7243863a4b532aad0808051b7d74c
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: If41f154c354772f5b32cfd35ea231b8f59c2c0c5
|
|
Type: fix
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I6bb6c6be62f98ac9a059469c81a5f4476b96e96e
|
|
APIs for dedicated IPSec tunnels will remain in this release and are
used to programme the IPIP tunnel protect. APIs will be removed in a
future release.
see:
https://wiki.fd.io/view/VPP/IPSec
Type: feature
Change-Id: I0f01f597946fdd15dfa5cae3643104d5a9c83089
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Make sure packet is big enough before processing it.
Policy matching is done speculatively but is discarded if packet is too
short.
Type: fix
Change-Id: I647db2c4e568b0d9bf2cfd5056e1b1c2e25132fe
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Do not copy invalid seq number if packet is too small.
Type: fix
Change-Id: I1e78f5920e9645521f57efccaf35bbf9ce0676a8
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Change-Id: I382499061ff4b1c2cc1b70ebbf9725ff0e1be325
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
Type: fix
Change-Id: I4d5546d1f9b3a162291997f6f0c094c5c3d6cf31
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
When deleting interface from the API, 'hi' gets removed before
'h->sw_if_index' is copied.
Type: fix
Change-Id: I8e10108e9bdf95ab2fe002790d98262d583ca58c
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
If specified, shows keys, otherwise redacts. This change sets this flag
in the existing CLI code (thus maintaining the old behavior). The use
case for not specifying the insecure flag (and thus redacting the keys
from the show output) is for log messages.
Type: feature
Signed-off-by: Christian E. Hopps <chopps@chopps.org>
Change-Id: I8c0ab6a9a8aba7c687a2559fa1a23fac9d0aa111
|
|
Type: feature
Change-Id: Ib2352ca4c7abf4645f21fa16aaaf27408890a2bf
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: I5a5461652f8115fa1270e20f748178fb5f5450f2
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Credits to ray.kinsella@intel.com who spotted the issue and identified
root cause.
Type: fix
Change-Id: I4afe74c47769484309f6aebca2de56ad32c8041f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: feature
with detail option prints all details for all SAs
Change-Id: Ic3c423c085dfc849cf9c3e18a6f624b82150d961
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Ticket: VPP-1756
the block-size was set to 0 resulting in incorrect placement of the ESP
footer.
add tests for NULL encrypt + integ.
Change-Id: I8ab3afda8e68f9ff649540cba3f2cac68f12bbba
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
This algorithm was missed in last improvements.
Type:fix
Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
Change-Id: Ib818cbdcdd1a6f298e8b0086dac4189cc201baa3
|
|
Type: fix
Change-Id: I1fa8c5326d6f22cfb8dd40e97d8a22d11a716922
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Change-Id: I0c9353598d3c9b7ea587ea8a2b6e1faa5454843d
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Several Fixes:
1 - Anti-replay did not work with GCM becuase it overwrote the sequence
number in the ESP header. To fix i added the seq num to the per-packet
data so it is preserved
2 - The high sequence number was not byte swapped during ESP encrypt.
3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM
the others return BAD_HMAC. removed the former
4 - improved tracing to show the low and high seq numbers
5 - documented the anti-replay window checks
6 - fixed scapy patch for ESN support for GCM
7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo
Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Instead of all clients directly RR sourcing the entry they are tracking,
use a deidcated 'tracker' object. This tracker object is a entry
delegate and a child of the entry. The clients are then children of the
tracker.
The benefit of this aproach is that each time a new client tracks the
entry it doesn't RR source it. When an entry is sourced all its children
are updated. Thus, new clients tracking an entry is O(n^2). With the
tracker as indirection, the entry is sourced only once.
Type: feature
Change-Id: I5b80bdda6c02057152e5f721e580e786cd840a3b
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Fixes: 41afb33
Change-Id: Iceb99ead32f1858a5b4f85911d7cb2b39cc9add5
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: feature
Change-Id: I87cc1168466f267e8c4bbec318401982f4bdf03a
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Fixes: 4b0b0d4
Change-Id: Ibd37c9099f9847ed23fa8357fd8e57ee516e52ab
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Fixes: a6bee0a1
Change-Id: I1959e28b82825d7928d471d3dfa827ea4cdd74b7
Signed-off-by: Giles Heron <giheron@cisco.com>
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
If a tunnel interface has the crypto alg set on the outbound SA to
IPSEC_CRYPTO_ALG_NONE and packets are sent out that interface,
the attempt to write an ESP trailer on the packet occurs at the
wrong offset and the vnet buffer opaque data is corrupted, which
can result in a SEGV when a subsequent node attempts to use that
data.
When an outbound SA is set on a tunnel interface which has no crypto
alg set, add a node to the ip{4,6}-output feature arcs which drops all
packets leaving that interface instead of adding the node which would
try to encrypt the packets.
Change-Id: Ie0ac8d8fdc8a035ab8bb83b72b6a94161bebaa48
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
- this remove the need to iterate through all state when deleting an SA
- and ensures that if the SA is deleted by the client is remains for use
in any state until that state is also removed.
Type: feature
Change-Id: I438cb67588cb65c701e49a7a9518f88641925419
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
There's no call for an SPI-0 punt reason with UDP encap, since
it's only with UDP encap that the ambiguity between IKE or IPSEC
occurs (and SPI=0 determines IKE).
Enhance the punt API to dum ponly the reason requested, so a client
can use this as a get-ID API
Change-Id: I5c6d72b03885e88c489117677e72f1ef5da90dfc
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Fixes: 231c4696872cb344f28648949603840136c0795d
This reverts commit 231c4696872cb344f28648949603840136c0795d.
Change-Id: I136344555983dd10a31dbc000ee40e2de2c91291
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
This reverts commit 9b208ced585d3b4620d6fde586cd047fe2027ecf.
Type: fix
Fixes: 9b208ced585d3b4620d6fde586cd047fe2027ecf
Change-Id: I94a17039b4727bff0877423da5ba6cfceb188b17
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Print the SPI in hexadecimal and decimal.
Type: feature
Change-Id: I012e94f9147058064e06c6bb4622ab6b6507957d
Signed-off-by: Guillaume Solignac <gsoligna@cisco.com>
|
|
requested alogrithm.
Type: feature
Change-Id: I19a9c14b2bb52ba2fc66246845b7ada73d5095d1
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Use proper length for copying l2 layer in ah encrypt code. Previously
code assumed that there is alywas just one ethernet header preceding IP
header, which might not be true always.
Change-Id: I176fd93b25cf1b9d9c2dc4e420ad48a94d5f4fb8
Ticket: VPP-1539
Type: fix
Fixes: N/A
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
please consult the new tunnel proposal at:
https://wiki.fd.io/view/VPP/IPSec
Type: feature
Change-Id: I52857fc92ae068b85f59be08bdbea1bd5932e291
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
An SA can be used only for ESP or AH nver both, so it needs only one
coresponding DPO.
Type: refactor
Change-Id: I689060f795ee352245a0eaed0890a6b234c63d71
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
rather than SRC/DST address error which is not so helpfull
Type: fix
Fixes: af3f0783
Change-Id: Ie2143e4e29de87d93e79bd96284c041bdbffd98e
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Fixes: 8d7c502002
Change-Id: Ia6de250f20200c17937d9d7b2aab17ccd81d7823
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
encapped SPI-0 packets
Type: fix
Fixes: b71fa75d48
Change-Id: I2d81b373f7659e702759939c096b315afa36f621
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Fixes: 999c8ee6d6
Change-Id: Idcdddbe45f2e0adfd375b07199bb30f77c28702d
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
This patch refactors AH decrypt node in such way that it calls crypto
backend only once per node call.
Type: refactor
Change-Id: I0dc72ff699042a151e64d44f76f791c5136ec009
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|
|
there's no use case to just change the key of an SA. instead the SA
should be renegociated and the new SA applied to the existing SPD entry
or tunnel.
the set_key functions were untested.
Type: refactor
Change-Id: Ib096eebaafb20be7b5501ece5a24aea038373002
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Fixes: 1197449
Change-Id: Icdda3c667ba76542ea3af5d66cc7c3fb10ade1ca
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
|