u32 sa_index;
u32 spi;
u32 seq;
+ u32 sa_seq_hi;
u8 udp_encap;
ipsec_crypto_alg_t crypto_alg;
ipsec_integ_alg_t integ_alg;
CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
esp_encrypt_trace_t *t = va_arg (*args, esp_encrypt_trace_t *);
- s = format (s, "esp: sa-index %d spi %u seq %u crypto %U integrity %U%s",
- t->sa_index, t->spi, t->seq,
- format_ipsec_crypto_alg, t->crypto_alg,
- format_ipsec_integ_alg, t->integ_alg,
- t->udp_encap ? " udp-encap-enabled" : "");
+ s =
+ format (s,
+ "esp: sa-index %d spi %u (0x%08x) seq %u sa-seq-hi %u crypto %U integrity %U%s",
+ t->sa_index, t->spi, t->spi, t->seq, t->sa_seq_hi,
+ format_ipsec_crypto_alg,
+ t->crypto_alg, format_ipsec_integ_alg, t->integ_alg,
+ t->udp_encap ? " udp-encap-enabled" : "");
return s;
}
}
}
+typedef struct
+{
+ u32 salt;
+ u64 iv;
+} __clib_packed esp_gcm_nonce_t;
+
+STATIC_ASSERT_SIZEOF (esp_gcm_nonce_t, 12);
+
always_inline uword
esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
vlib_frame_t * frame, int is_ip6, int is_tun)
u32 n_left = frame->n_vectors;
vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
+ esp_gcm_nonce_t nonces[VLIB_FRAME_SIZE], *nonce = nonces;
u32 thread_index = vm->thread_index;
u16 buffer_data_size = vlib_buffer_get_default_data_size (vm);
u32 current_sa_index = ~0, current_sa_packets = 0;
while (n_left > 0)
{
- u32 sa_index0 = vnet_buffer (b[0])->ipsec.sad_index;
+ u32 sa_index0;
dpo_id_t *dpo;
esp_header_t *esp;
u8 *payload, *next_hdr_ptr;
if (sa_index0 != current_sa_index)
{
+ if (current_sa_packets)
+ vlib_increment_combined_counter (&ipsec_sa_counters, thread_index,
+ current_sa_index,
+ current_sa_packets,
+ current_sa_bytes);
+ current_sa_packets = current_sa_bytes = 0;
+
sa0 = pool_elt_at_index (im->sad, sa_index0);
current_sa_index = sa_index0;
- vlib_increment_combined_counter (&ipsec_sa_counters, thread_index,
- sa_index0, current_sa_packets,
- current_sa_bytes);
- current_sa_packets = current_sa_bytes = 0;
spi = clib_net_to_host_u32 (sa0->spi);
block_sz = sa0->crypto_block_size;
icv_sz = sa0->integ_icv_size;
esp_update_ip4_hdr (ip4, len, /* is_transport */ 0, 0);
}
- dpo = sa0->dpo + IPSEC_PROTOCOL_ESP;
+ dpo = &sa0->dpo;
if (!is_tun)
{
next[0] = dpo->dpoi_next_node;
ip_hdr = payload - hdr_len;
/* L2 header */
- l2_len = vnet_buffer (b[0])->ip.save_rewrite_length;
- hdr_len += l2_len;
- l2_hdr = payload - hdr_len;
+ if (!is_tun)
+ {
+ l2_len = vnet_buffer (b[0])->ip.save_rewrite_length;
+ hdr_len += l2_len;
+ l2_hdr = payload - hdr_len;
+
+ /* copy l2 and ip header */
+ clib_memcpy_le32 (l2_hdr, old_ip_hdr - l2_len, l2_len);
+ }
+ else
+ l2_len = 0;
- /* copy l2 and ip header */
- clib_memcpy_le32 (l2_hdr, old_ip_hdr - l2_len, l2_len);
clib_memcpy_le64 (ip_hdr, old_ip_hdr, ip_len);
if (is_ip6)
esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 0);
}
- next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
+ if (!is_tun)
+ next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
}
esp->spi = spi;
vnet_crypto_op_t *op;
vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES);
vnet_crypto_op_init (op, sa0->crypto_enc_op_id);
- op->iv = payload - iv_sz;
op->src = op->dst = payload;
- op->key = sa0->crypto_key.data;
+ op->key_index = sa0->crypto_key_index;
op->len = payload_len - icv_sz;
- op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV;
op->user_data = b - bufs;
- op->salt = sa0->salt;
if (ipsec_sa_is_set_IS_AEAD (sa0))
{
op->tag = payload + op->len;
op->tag_len = 16;
+
+ u64 *iv = (u64 *) (payload - iv_sz);
+ nonce->salt = sa0->salt;
+ nonce->iv = *iv = clib_host_to_net_u64 (sa0->gcm_iv_counter++);
+ op->iv = (u8 *) nonce;
+ nonce++;
+ }
+ else
+ {
+ op->iv = payload - iv_sz;
+ op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV;
}
}
vnet_crypto_op_init (op, sa0->integ_op_id);
op->src = payload - iv_sz - sizeof (esp_header_t);
op->digest = payload + payload_len - icv_sz;
- op->key = sa0->integ_key.data;
- op->key_len = sa0->integ_key.len;
+ op->key_index = sa0->integ_key_index;
op->digest_len = icv_sz;
op->len = payload_len - icv_sz + iv_sz + sizeof (esp_header_t);
op->user_data = b - bufs;
sizeof (*tr));
tr->sa_index = sa_index0;
tr->spi = sa0->spi;
- tr->seq = sa0->seq - 1;
+ tr->seq = sa0->seq;
+ tr->sa_seq_hi = sa0->seq_hi;
tr->udp_encap = ipsec_sa_is_set_UDP_ENCAP (sa0);
tr->crypto_alg = sa0->crypto_alg;
tr->integ_alg = sa0->integ_alg;
.node_name = "esp4-encrypt-tun",
.runs_before = VNET_FEATURES ("adj-midchain-tx"),
};
+
+VNET_FEATURE_INIT (esp6o4_encrypt_tun_feat_node, static) =
+{
+ .arc_name = "ip6-output",
+ .node_name = "esp4-encrypt-tun",
+ .runs_before = VNET_FEATURES ("adj-midchain-tx"),
+};
+
+VNET_FEATURE_INIT (esp4_ethernet_encrypt_tun_feat_node, static) =
+{
+ .arc_name = "ethernet-output",
+ .node_name = "esp4-encrypt-tun",
+ .runs_before = VNET_FEATURES ("adj-midchain-tx", "adj-midchain-tx-no-count"),
+};
/* *INDENT-ON* */
VLIB_NODE_FN (esp6_encrypt_tun_node) (vlib_main_t * vm,
.node_name = "esp6-encrypt-tun",
.runs_before = VNET_FEATURES ("adj-midchain-tx"),
};
+
+VNET_FEATURE_INIT (esp4o6_encrypt_tun_feat_node, static) =
+{
+ .arc_name = "ip4-output",
+ .node_name = "esp6-encrypt-tun",
+ .runs_before = VNET_FEATURES ("adj-midchain-tx"),
+};
+
+/* *INDENT-ON* */
+
+typedef struct
+{
+ u32 sa_index;
+} esp_no_crypto_trace_t;
+
+static u8 *
+format_esp_no_crypto_trace (u8 * s, va_list * args)
+{
+ CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
+ CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
+ esp_no_crypto_trace_t *t = va_arg (*args, esp_no_crypto_trace_t *);
+
+ s = format (s, "esp-no-crypto: sa-index %u", t->sa_index);
+
+ return s;
+}
+
+enum
+{
+ ESP_NO_CRYPTO_NEXT_DROP,
+ ESP_NO_CRYPTO_N_NEXT,
+};
+
+enum
+{
+ ESP_NO_CRYPTO_ERROR_RX_PKTS,
+};
+
+static char *esp_no_crypto_error_strings[] = {
+ "Outbound ESP packets received",
+};
+
+always_inline uword
+esp_no_crypto_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
+ u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
+ u32 *from = vlib_frame_vector_args (frame);
+ u32 n_left = frame->n_vectors;
+
+ vlib_get_buffers (vm, from, b, n_left);
+
+ while (n_left > 0)
+ {
+ u32 next0;
+ u32 sa_index0;
+
+ /* packets are always going to be dropped, but get the sa_index */
+ sa_index0 = *(u32 *) vnet_feature_next_with_data (&next0, b[0],
+ sizeof (sa_index0));
+
+ next[0] = ESP_NO_CRYPTO_NEXT_DROP;
+
+ if (PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED))
+ {
+ esp_no_crypto_trace_t *tr = vlib_add_trace (vm, node, b[0],
+ sizeof (*tr));
+ tr->sa_index = sa_index0;
+ }
+
+ n_left -= 1;
+ next += 1;
+ b += 1;
+ }
+
+ vlib_node_increment_counter (vm, node->node_index,
+ ESP_NO_CRYPTO_ERROR_RX_PKTS, frame->n_vectors);
+
+ vlib_buffer_enqueue_to_next (vm, node, from, nexts, frame->n_vectors);
+
+ return frame->n_vectors;
+}
+
+VLIB_NODE_FN (esp4_no_crypto_tun_node) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * from_frame)
+{
+ return esp_no_crypto_inline (vm, node, from_frame);
+}
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (esp4_no_crypto_tun_node) =
+{
+ .name = "esp4-no-crypto",
+ .vector_size = sizeof (u32),
+ .format_trace = format_esp_no_crypto_trace,
+ .n_errors = ARRAY_LEN(esp_no_crypto_error_strings),
+ .error_strings = esp_no_crypto_error_strings,
+ .n_next_nodes = ESP_NO_CRYPTO_N_NEXT,
+ .next_nodes = {
+ [ESP_NO_CRYPTO_NEXT_DROP] = "ip4-drop",
+ },
+};
+
+VNET_FEATURE_INIT (esp4_no_crypto_tun_feat_node, static) =
+{
+ .arc_name = "ip4-output",
+ .node_name = "esp4-no-crypto",
+ .runs_before = VNET_FEATURES ("adj-midchain-tx"),
+};
+
+VLIB_NODE_FN (esp6_no_crypto_tun_node) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * from_frame)
+{
+ return esp_no_crypto_inline (vm, node, from_frame);
+}
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (esp6_no_crypto_tun_node) =
+{
+ .name = "esp6-no-crypto",
+ .vector_size = sizeof (u32),
+ .format_trace = format_esp_no_crypto_trace,
+ .n_errors = ARRAY_LEN(esp_no_crypto_error_strings),
+ .error_strings = esp_no_crypto_error_strings,
+ .n_next_nodes = ESP_NO_CRYPTO_N_NEXT,
+ .next_nodes = {
+ [ESP_NO_CRYPTO_NEXT_DROP] = "ip6-drop",
+ },
+};
+
+VNET_FEATURE_INIT (esp6_no_crypto_tun_feat_node, static) =
+{
+ .arc_name = "ip6-output",
+ .node_name = "esp6-no-crypto",
+ .runs_before = VNET_FEATURES ("adj-midchain-tx"),
+};
/* *INDENT-ON* */
/*
Code Review / vpp.git / blobdiff