X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fesp_encrypt.c;h=4d1aa31ea50acd3a9c77f3c4a7ddb9f46a702efd;hb=59fa121f8953f7b07f0cc02149ca28182f959f42;hp=6e5007151b95325f74ca6b44c8cb7cc8157281df;hpb=d709cbcb1ef80633af657c5427608831e5bbd919;p=vpp.git diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 6e5007151b9..4d1aa31ea50 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -112,19 +112,26 @@ esp_add_footer_and_icv (vlib_buffer_t * b, u8 block_size, u8 icv_sz) static_always_inline void esp_update_ip4_hdr (ip4_header_t * ip4, u16 len, int is_transport, int is_udp) { - ip_csum_t sum = ip4->checksum; - u16 old_len = 0; + ip_csum_t sum; + u16 old_len; + + len = clib_net_to_host_u16 (len); + old_len = ip4->length; if (is_transport) { u8 prot = is_udp ? IP_PROTOCOL_UDP : IP_PROTOCOL_IPSEC_ESP; - old_len = ip4->length; - sum = ip_csum_update (sum, ip4->protocol, prot, ip4_header_t, protocol); + + sum = ip_csum_update (ip4->checksum, ip4->protocol, + prot, ip4_header_t, protocol); ip4->protocol = prot; + + sum = ip_csum_update (sum, old_len, len, ip4_header_t, length); } + else + sum = ip_csum_update (ip4->checksum, old_len, len, ip4_header_t, length); - ip4->length = len = clib_net_to_host_u16 (len); - sum = ip_csum_update (ip4->checksum, old_len, len, ip4_header_t, length); + ip4->length = len; ip4->checksum = ip_csum_fold (sum); } @@ -218,9 +225,17 @@ esp_process_ops (vlib_main_t * vm, vlib_node_runtime_t * node, } } +typedef struct +{ + u32 salt; + u64 iv; +} __clib_packed esp_gcm_nonce_t; + +STATIC_ASSERT_SIZEOF (esp_gcm_nonce_t, 12); + always_inline uword esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, - vlib_frame_t * frame, int is_ip6) + vlib_frame_t * frame, int is_ip6, int is_tun) { ipsec_main_t *im = &ipsec_main; ipsec_per_thread_data_t *ptd = vec_elt_at_index (im->ptd, vm->thread_index); @@ -228,6 +243,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, u32 n_left = frame->n_vectors; vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs; u16 nexts[VLIB_FRAME_SIZE], *next = nexts; + esp_gcm_nonce_t nonces[VLIB_FRAME_SIZE], *nonce = nonces; u32 thread_index = vm->thread_index; u16 buffer_data_size = vlib_buffer_get_default_data_size (vm); u32 current_sa_index = ~0, current_sa_packets = 0; @@ -241,7 +257,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, while (n_left > 0) { - u32 sa_index0 = vnet_buffer (b[0])->ipsec.sad_index; + u32 sa_index0; dpo_id_t *dpo; esp_header_t *esp; u8 *payload, *next_hdr_ptr; @@ -258,7 +274,19 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, CLIB_PREFETCH (p, CLIB_CACHE_LINE_BYTES, LOAD); } - if (vnet_buffer (b[0])->ipsec.sad_index != current_sa_index) + if (is_tun) + { + /* we are on a ipsec tunnel's feature arc */ + u32 next0; + sa_index0 = *(u32 *) vnet_feature_next_with_data (&next0, b[0], + sizeof + (sa_index0)); + next[0] = next0; + } + else + sa_index0 = vnet_buffer (b[0])->ipsec.sad_index; + + if (sa_index0 != current_sa_index) { sa0 = pool_elt_at_index (im->sad, sa_index0); current_sa_index = sa_index0; @@ -268,7 +296,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, current_sa_packets = current_sa_bytes = 0; spi = clib_net_to_host_u32 (sa0->spi); block_sz = sa0->crypto_block_size; - icv_sz = sa0->integ_trunc_size; + icv_sz = sa0->integ_icv_size; iv_sz = sa0->crypto_iv_size; } @@ -318,7 +346,8 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, hdr_len += len; ip6 = (ip6_header_t *) (payload - hdr_len); clib_memcpy_fast (ip6, &sa0->ip6_hdr, len); - *next_hdr_ptr = IP_PROTOCOL_IPV6; + *next_hdr_ptr = (is_ip6 ? + IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP); len = payload_len + hdr_len - len; ip6->payload_length = clib_net_to_host_u16 (len); } @@ -329,14 +358,18 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, hdr_len += len; ip4 = (ip4_header_t *) (payload - hdr_len); clib_memcpy_fast (ip4, &sa0->ip4_hdr, len); - *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP; + *next_hdr_ptr = (is_ip6 ? + IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP); len = payload_len + hdr_len; esp_update_ip4_hdr (ip4, len, /* is_transport */ 0, 0); } dpo = sa0->dpo + IPSEC_PROTOCOL_ESP; - next[0] = dpo->dpoi_next_node; - vnet_buffer (b[0])->ip.adj_index[VLIB_TX] = dpo->dpoi_index; + if (!is_tun) + { + next[0] = dpo->dpoi_next_node; + vnet_buffer (b[0])->ip.adj_index[VLIB_TX] = dpo->dpoi_index; + } } else /* transport mode */ { @@ -385,14 +418,16 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, ip6_header_t *ip6 = (ip6_header_t *) (ip_hdr); *next_hdr_ptr = ip6->protocol; ip6->protocol = IP_PROTOCOL_IPSEC_ESP; - ip6->payload_length = payload_len + hdr_len - l2_len - ip_len; + ip6->payload_length = + clib_host_to_net_u16 (payload_len + hdr_len - l2_len - + ip_len); } else { u16 len; ip4_header_t *ip4 = (ip4_header_t *) (ip_hdr); *next_hdr_ptr = ip4->protocol; - len = payload_len + hdr_len + l2_len; + len = payload_len + hdr_len - l2_len; if (udp) { esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 1); @@ -408,36 +443,57 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, esp->spi = spi; esp->seq = clib_net_to_host_u32 (sa0->seq); - if (sa0->crypto_enc_op_type) + if (sa0->crypto_enc_op_id) { vnet_crypto_op_t *op; vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES); - op->op = sa0->crypto_enc_op_type; - op->iv = payload - iv_sz; + vnet_crypto_op_init (op, sa0->crypto_enc_op_id); op->src = op->dst = payload; - op->key = sa0->crypto_key.data; + op->key_index = sa0->crypto_key_index; op->len = payload_len - icv_sz; - op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV; op->user_data = b - bufs; + + if (ipsec_sa_is_set_IS_AEAD (sa0)) + { + /* + * construct the AAD in a scratch space in front + * of the IP header. + */ + op->aad = payload - hdr_len - sizeof (esp_aead_t); + + esp_aad_fill (op, esp, sa0); + + op->tag = payload + op->len; + op->tag_len = 16; + + u64 *iv = (u64 *) (payload - iv_sz); + nonce->salt = sa0->salt; + nonce->iv = *iv = clib_host_to_net_u64 (sa0->gcm_iv_counter++); + op->iv = (u8 *) nonce; + nonce++; + } + else + { + op->iv = payload - iv_sz; + op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV; + } } - if (sa0->integ_op_type) + if (sa0->integ_op_id) { vnet_crypto_op_t *op; vec_add2_aligned (ptd->integ_ops, op, 1, CLIB_CACHE_LINE_BYTES); - op->op = sa0->integ_op_type; + vnet_crypto_op_init (op, sa0->integ_op_id); op->src = payload - iv_sz - sizeof (esp_header_t); - op->dst = payload + payload_len - icv_sz; - op->key = sa0->integ_key.data; - op->key_len = sa0->integ_key.len; - op->hmac_trunc_len = icv_sz; + op->digest = payload + payload_len - icv_sz; + op->key_index = sa0->integ_key_index; + op->digest_len = icv_sz; op->len = payload_len - icv_sz + iv_sz + sizeof (esp_header_t); - op->flags = 0; op->user_data = b - bufs; - if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0)) + if (ipsec_sa_is_set_USE_ESN (sa0)) { u32 seq_hi = clib_net_to_host_u32 (sa0->seq_hi); - clib_memcpy_fast (op->dst, &seq_hi, sizeof (seq_hi)); + clib_memcpy_fast (op->digest, &seq_hi, sizeof (seq_hi)); op->len += sizeof (seq_hi); } } @@ -468,7 +524,6 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_increment_combined_counter (&ipsec_sa_counters, thread_index, current_sa_index, current_sa_packets, current_sa_bytes); - esp_process_ops (vm, node, ptd->crypto_ops, bufs, nexts); esp_process_ops (vm, node, ptd->integ_ops, bufs, nexts); @@ -483,7 +538,7 @@ VLIB_NODE_FN (esp4_encrypt_node) (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame) { - return esp_encrypt_inline (vm, node, from_frame, 0 /* is_ip6 */ ); + return esp_encrypt_inline (vm, node, from_frame, 0 /* is_ip6 */ , 0); } /* *INDENT-OFF* */ @@ -509,7 +564,7 @@ VLIB_NODE_FN (esp6_encrypt_node) (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame) { - return esp_encrypt_inline (vm, node, from_frame, 1 /* is_ip6 */ ); + return esp_encrypt_inline (vm, node, from_frame, 1 /* is_ip6 */ , 0); } /* *INDENT-OFF* */ @@ -531,6 +586,68 @@ VLIB_REGISTER_NODE (esp6_encrypt_node) = { }; /* *INDENT-ON* */ +VLIB_NODE_FN (esp4_encrypt_tun_node) (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * from_frame) +{ + return esp_encrypt_inline (vm, node, from_frame, 0 /* is_ip6 */ , 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (esp4_encrypt_tun_node) = { + .name = "esp4-encrypt-tun", + .vector_size = sizeof (u32), + .format_trace = format_esp_encrypt_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + + .n_errors = ARRAY_LEN(esp_encrypt_error_strings), + .error_strings = esp_encrypt_error_strings, + + .n_next_nodes = 1, + .next_nodes = { + [ESP_ENCRYPT_NEXT_DROP] = "ip4-drop", + }, +}; + +VNET_FEATURE_INIT (esp4_encrypt_tun_feat_node, static) = +{ + .arc_name = "ip4-output", + .node_name = "esp4-encrypt-tun", + .runs_before = VNET_FEATURES ("adj-midchain-tx"), +}; +/* *INDENT-ON* */ + +VLIB_NODE_FN (esp6_encrypt_tun_node) (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * from_frame) +{ + return esp_encrypt_inline (vm, node, from_frame, 1 /* is_ip6 */ , 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (esp6_encrypt_tun_node) = { + .name = "esp6-encrypt-tun", + .vector_size = sizeof (u32), + .format_trace = format_esp_encrypt_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + + .n_errors = ARRAY_LEN(esp_encrypt_error_strings), + .error_strings = esp_encrypt_error_strings, + + .n_next_nodes = 1, + .next_nodes = { + [ESP_ENCRYPT_NEXT_DROP] = "ip6-drop", + }, +}; + +VNET_FEATURE_INIT (esp6_encrypt_tun_feat_node, static) = +{ + .arc_name = "ip6-output", + .node_name = "esp6-encrypt-tun", + .runs_before = VNET_FEATURES ("adj-midchain-tx"), +}; +/* *INDENT-ON* */ + /* * fd.io coding-style-patch-verification: ON *