summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
AgeCommit message (Collapse)AuthorFilesLines
2019-01-28Add Ipsec IKE support to openssl 3.0.0 master branchPing Yu1-0/+24
Change-Id: I7bd43f57d23b1ecf031530c4a7508f949ddf616f Signed-off-by: Ping Yu <ping.yu@intel.com>
2019-01-25IPSEC: tests use opbject registryNeale Ranns1-1/+11
this means we test the dumps - to some extent Change-Id: I8d90745701012012b41a7b3aaf9be97b4dd2bdf8 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-24IPSEC Tests: to per-test setup and tearDownNeale Ranns1-4/+4
don't do the setup and teardown in class methods so that with each test the config is added and deleted. that way we test that delete actually removes state. more helpful error codes from VPP for existing IPSEC state. Change-Id: I5de1578f73b935b420d4cdd85aa98d5fdcc682f6 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-23AH encrypt; don't double enqueue nor emit clib_warnings when seq-num max ↵Neale Ranns1-5/+0
exceeded Change-Id: Id5b47f78521a0cbedf7bd2c72babfb2ffe9fa67d Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-01-20fix data_length in IpSec API call (VPP-1548)Michal Cmarada1-4/+6
Change-Id: Idb2839f6082bd2e052be2bc5417f0ebb43d1c0a6 Signed-off-by: Michal Cmarada <mcmarada@cisco.com>
2019-01-02ipsec: fix support check when using AES-GCMMatthew Smith1-10/+15
When adding an IPsec SA, ipsec_check_support_cb() is called. This invokes a callback for AH and a callback for ESP to check if the algorithms are supported. When using AES-GCM on an ESP SA with the DPDK IPsec backend selected, the AH callback fails. The DPDK IPsec backend has no AH support, so the callback for the default OpenSSL backend is invoked. This checks whether the crypto algorithm is AES-GCM and returns failure. Only invoke the callback to check support for the IPsec protocol of the SA - either AH or ESP rather than doing both. Change-Id: Ic10be6a17b580d06ffb7e82ef5866e53a4f8b525 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-12-12fix spurious error setting SA on ipsec intfMatthew Smith1-1/+1
Reverse the polarity on test to determine if old SA session deletion succeeded. 0 == success, not failure. Change-Id: I499cb04c7f13165e6c92367d4385057b77fe3836 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-12-12Change ipsec feature node namesPierre Pfister4-24/+24
ipsec4-output and ipsec6-output were conflicting with ipsec interface names ("ipsec<id>") and vnet/interface.c autogenerated output node ("<ifname>-output"). Changing feature names seems to be the less invasive option. This patch also changes "input" feature names for consistency. Change-Id: I4ba10d07e9ba09df20aa2500104252b06b55f8f7 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-12-11Add IPSec interface FIB index for TX packetPierre Pfister6-6/+36
This patch adds a configuration parameter to IPSec tunnels, enabling custom FIB selection for encapsulated packets. Although this option could also be used for policy-based IPSec, this change only enables it for virtual-tunnel-interface mode. Note that this patch does change the API default behavior regarding TX fib selection for encapsulated packets. Previous behavior was to use the same FIB after and before encap. The new default behavior consists in using the FIB 0 as default. Change-Id: I5c212af909940a8cf6c7e3971bdc7623a2296452 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-12-11Fix [csit-dev] CSIT IPv6 IPSec transport mode tests are failingjackiechen19851-1/+9
Change-Id: I7893a8fd5b3e15063675597c0e9bd1cd0b49ef0e Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
2018-12-07Fix VPP-1515 IPSec receive packet error in transport mode with udp encapjackiechen19852-4/+14
Change-Id: Ife66395b89e1e9f9206666e5f0fd441b3c241bb2 Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
2018-12-04ipsec: simplify bumping counters - cosmetic changeKlement Sekera4-116/+35
Change-Id: Ibb55427ed49d0277854a352922c6c4bb007bf072 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-12-03Add UDP encap flagFilip Tehlar2-0/+3
Change-Id: Ic6a8b9aaec7e5dee4fb1971168988dbe4f931f86 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2018-12-02IPSEC-AH: anti-replay testingNeale Ranns2-6/+9
Change-Id: Ia5d45db73e4bdb32214ed4f365d5eec8e28115f3 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-11-30IPSEC-AH: fix packet dropNeale Ranns2-7/+0
Change-Id: I45b97cfd0c3785bfbf6d142d362bd3d4d56bae00 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-11-29ipsec: move ipsec defs to ipsec.hKlement Sekera2-51/+54
Change-Id: Ia3dcd98edb6188deb96a3a99d831e71b2ffa0060 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-11-26Fix IPSec CLI key parsingPierre Pfister2-4/+11
strncpy stops copying when a byte set to 0 is read. The fix is to use mempcy instead. This patch also adds spd id to ipsec input trace. Change-Id: Ibed071d3607fa76c3f6ee065f94128f1aca9b2e2 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
2018-11-20IPSEC: remove duplicate memcyNeale Ranns1-6/+0
Change-Id: If91257fa23ba74c09e5c3b5528eb2fd4c4b36b6a Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-11-15ipsec: infra for selecting backendsKlement Sekera6-177/+622
Change-Id: Ifa6d8391b1b2413a88b7720fc434e0bc849a149a Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-11-14Remove c-11 memcpy checks from perf-critical codeDave Barach4-42/+43
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1 Signed-off-by: Dave Barach <dave@barachs.net>
2018-11-13ipsec: fix typoKlement Sekera1-1/+1
Change-Id: I04c59bbe1780e7289cb27a0a912803812fdc297e Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-11-05VPP-1450: binary api call for dumping SPD to interface registrationFilip Varga2-1/+81
Change-Id: Idd4a5f8bab5d39e5f33f5c130601175af70a20d4 Signed-off-by: Filip Varga <filip.varga@pantheon.tech>
2018-10-29migrate ipsec to new multiarch infraKlement Sekera7-73/+42
Change-Id: Ibef46e068cd72415af28920b0146adf48105bf68 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-25buffer trace is broken in ipsec-output. copy it from node->flags to ↵Kingwel Xie1-0/+5
frame->frame_flags Change-Id: I56b573b5da04a27766bcbcafbd5438555424f2e7 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-10-23c11 safe string handling supportDave Barach11-39/+39
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-23ipsec: fix wrong counter bumpKlement Sekera1-1/+1
Change-Id: I5105b688ef3df2c949ba09e1e90c1b8913502388 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-22ipsec: split ipsec nodes into ip4/ip6 nodesKlement Sekera10-311/+502
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-03ipsec: add missing ipv6 ah code & ipv6 testsKlement Sekera4-27/+103
Change-Id: I89e90193ded1beb6cb0950c15737f9467efac1c3 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-10-02IPsec: add API for SPDs dump (VPP-1363)Matus Fabian2-1/+60
Change-Id: I36e6878712c394de629a9182d2af24c53a8f811d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-26forget to assign spd_index to configKingwel Xie1-0/+2
Change-Id: I35dcb987edf11097f34a633ac36d87cecd12088f Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2018-09-24Trivial: Clean up some typos.Paul Vinciguerra6-10/+10
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2018-08-30Add SHA2 support to IKEv2 implementationBerenger Foucher2-8/+89
The following patch adds a stronger cryptographic suite to IKEv2 implementation. The following algorithms can now be used for integrity checking in IKEv2 implementation (responder and initiator): - hmac-sha2-256-128 - hmac-sha2-384-192 - hmac-sha2-512-256 The default integrity checking method was set to hmac-sha2-256-128. The default PRF function was set sha2-256. Change-Id: Ia82b4cbbf3067b19b8487040dbefbaf4c9319548 Signed-off-by: Berenger Foucher <berenger.foucher@stagiaires.ssi.gouv.fr>
2018-08-03ipsec: add udp-encap option to debug cli commandsRadu Nicolau5-10/+17
Change-Id: I3195afd952f6783da87224d7ceb9df13ddd39459 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-07-19Remove unused argument to vlib_feature_nextDamjan Marion2-10/+3
Change-Id: Ieb8b53977fc8484c19780941e232ee072b667de3 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-13VPP-1338: fix ipsec api coverity warningsDave Barach1-4/+3
Remove useless unsigned comparisions: "(unsigned) value < 0", correct a couple of incorrect limit checks. Change-Id: I9606c4057df157f770d59535457cb9df1cfd1f35 Signed-off-by: Dave Barach <dave@barachs.net>
2018-07-11avoid using thread local storage for thread indexDamjan Marion4-7/+7
It is cheaper to get thread index from vlib_main_t if available... Change-Id: I4582e160d06d9d7fccdc54271912f0635da79b50 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-08Fix IPsec intf tx node setup at intf creationMatthew Smith1-2/+2
When using a DPDK cryptodev with IPsec, sending outbound packets results in a crash on division by zero if using an algorithm not supported by the OpenSSL ESP nodes. This includes AES-GCM and MD5. At IPsec intf creation time, the next node at slot IPSEC_OUTPUT_NEXT_ESP_ENCRYPT for ipsec_if_tx_node_fn is set to the node named esp-encrypt. This is the OpenSSL ESP encrypt function. If DPDK cryptodevs are configured, dpdk-esp-encrypt is the correct next node. Change to setting the next node according to the value in ipsec_main.esp_encrypt_node_index. That value is set to esp-encrypt by default. If DPDK cryptodevs are configured it gets set to dpdk-esp-encrypt. Change-Id: I83896c76b975d74aead247a162c85eccca9575a8 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-07-04fix VPP-1312 Invalid UDP packet length in ipsecKlement Sekera1-1/+2
Change-Id: Ibfd0a2e7010e6e74c32244c538f60e0713bea03f Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-29ipsec: fix VPP-1333 - crash in ipsec policy cliKlement Sekera1-0/+6
Change-Id: I843d094b6bbd1cefba82d6026174be005e66d510 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-24Revert "Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums""Klement Sekera5-194/+180
This reverts commit e0d2bd6bd7fc59c0c6ac48195d7f825dc99bfd91. Change-Id: If491e16f9ea66b2493a6a7c7f3c684ed585f8f51 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-22Revert "ipsec: VPP-1316 calculate IP/TCP/UDP inner checksums"Ole Troan5-180/+194
This reverts commit a98346f664aae148d26a8e158008b773d73db96f. Change-Id: Iee5b3a5ddff0e8fd3a30fe5973cee24de434fe12 Signed-off-by: Ole Troan <ot@cisco.com>
2018-06-21ipsec: VPP-1316 calculate IP/TCP/UDP inner checksumsKlement Sekera5-194/+180
Calculate IP/TCP/UDP checksums in software before adding authentication. Change-Id: I3e121cb00aeba667764f39ade8d62170f18f8b6b Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-06-20ipsec: VPP-1308 fix sorting of SPD entriesKlement Sekera2-10/+11
Change-Id: I761aced55b7cef51a9b47048283b2cb9430bcde2 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-29ipsec: fix IKEv2 crash when rsa cert is used for authenticationRadu Nicolau1-0/+1
Cause: EVP_MD_CTX object used but not initialized. Change-Id: I390b2acf580f16415685563fa52e56717efc7be7 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-05-22CSIT-928 dpdk/ipsec: performance improvementRadu Nicolau1-7/+5
Replace hash with a vector to improve performance. Plus other minor performance improvements. Change-Id: I3f0ebd909782ce3727f6360ce5ff5ddd131f8574 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
2018-05-16Drop IPsec packets when interface is downMatthew Smith1-10/+32
Packets arriving on an IPsec tunnel interface are decrypted and forwarded even if the interface is down. Check interface flags. If the interface is down, cause packet to be dropped and increment the counters for drops. Change-Id: I94456bda3bd8eade0f3f522ad7cc341251174e6e Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-05-11VPP-1275 Fix memory leaks in IPsec CLIKlement Sekera1-54/+83
Change-Id: I1f7c634328f25b33580a215af2daeb498cd3b181 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-10Change the way IP header pointer is calculated in esp_decrypt nodesSzymon Sliwa2-3/+11
The pointer to IP header was derived from l3_hdr_offset, which would be ok, if l3_hdr_offset was valid. But it does not have to be, so it was a bad solution. Now the previous nodes mark whether it is a IPv6 or IPv4 packet tyle, and in esp_decrypt we count get ip header pointer by substracting the size of the ip header from the pointer to esp header (which lies in front of the ip header). Change-Id: I6d425b90931053711e8ce9126811b77ae6002a16 Signed-off-by: Szymon Sliwa <szs@semihalf.com>
2018-05-09ipsec: support UDP encap/decap for NAT traversalKlement Sekera8-33/+89
Change-Id: I65c12617ad49e4d5ef242e53988782f0cefa5684 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-05-04ipsec: allow null/null for crypto/integ algorithms pairRadu Nicolau2-3/+3
Change-Id: Ic1e189c22e3d344d165e0eab05ccb667eef088a9 Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>