X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fesp_encrypt.c;h=4f1bb802bcbf8859c99226b4f6959a0bf1efd5f2;hb=4a56f4e48f39f9e0560833115f85270c0c04b57f;hp=041b268975d82286c0e18fc10c72c550ef25d574;hpb=401aedfb032d69daa876544e8e0a2973d69c50ac;p=vpp.git diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 041b268975d..4f1bb802bcb 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -27,8 +27,7 @@ #define foreach_esp_encrypt_next \ _(DROP, "error-drop") \ -_(IP4_LOOKUP, "ip4-lookup") \ -_(IP6_LOOKUP, "ip6-lookup") \ +_(HANDOFF, "handoff") \ _(INTERFACE_OUTPUT, "interface-output") #define _(v, s) ESP_ENCRYPT_NEXT_##v, @@ -65,6 +64,7 @@ typedef struct u32 sa_index; u32 spi; u32 seq; + u32 sa_seq_hi; u8 udp_encap; ipsec_crypto_alg_t crypto_alg; ipsec_integ_alg_t integ_alg; @@ -80,8 +80,9 @@ format_esp_encrypt_trace (u8 * s, va_list * args) s = format (s, - "esp: sa-index %d spi %u (0x%08x) seq %u crypto %U integrity %U%s", - t->sa_index, t->spi, t->spi, t->seq, format_ipsec_crypto_alg, + "esp: sa-index %d spi %u (0x%08x) seq %u sa-seq-hi %u crypto %U integrity %U%s", + t->sa_index, t->spi, t->spi, t->seq, t->sa_seq_hi, + format_ipsec_crypto_alg, t->crypto_alg, format_ipsec_integ_alg, t->integ_alg, t->udp_encap ? " udp-encap-enabled" : ""); return s; @@ -89,7 +90,9 @@ format_esp_encrypt_trace (u8 * s, va_list * args) /* pad packet in input buffer */ static_always_inline u8 * -esp_add_footer_and_icv (vlib_buffer_t * b, u8 block_size, u8 icv_sz) +esp_add_footer_and_icv (vlib_buffer_t * b, u8 block_size, u8 icv_sz, + u16 * next, vlib_node_runtime_t * node, + u16 buffer_data_size) { static const u8 pad_data[ESP_MAX_BLOCK_SIZE] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, @@ -102,8 +105,19 @@ esp_add_footer_and_icv (vlib_buffer_t * b, u8 block_size, u8 icv_sz) esp_footer_t *f = (esp_footer_t *) (vlib_buffer_get_current (b) + new_length - sizeof (esp_footer_t)); + if (b->current_data + new_length + icv_sz > buffer_data_size) + { + b->error = node->errors[ESP_ENCRYPT_ERROR_NO_TRAILER_SPACE]; + next[0] = ESP_ENCRYPT_NEXT_DROP; + return 0; + } + if (pad_bytes) - clib_memcpy_fast ((u8 *) f - pad_bytes, pad_data, ESP_MAX_BLOCK_SIZE); + { + ASSERT (pad_bytes <= ESP_MAX_BLOCK_SIZE); + pad_bytes = clib_min (ESP_MAX_BLOCK_SIZE, pad_bytes); + clib_memcpy_fast ((u8 *) f - pad_bytes, pad_data, pad_bytes); + } f->pad_length = pad_bytes; b->current_length = new_length + icv_sz; @@ -186,19 +200,6 @@ esp_get_ip6_hdr_len (ip6_header_t * ip6) return len; } -static_always_inline int -esp_trailer_icv_overflow (vlib_node_runtime_t * node, vlib_buffer_t * b, - u16 * next, u16 buffer_data_size) -{ - if (b->current_data + b->current_length <= buffer_data_size) - return 0; - - b->current_length -= buffer_data_size - b->current_data; - b->error = node->errors[ESP_ENCRYPT_ERROR_NO_TRAILER_SPACE]; - next[0] = ESP_ENCRYPT_NEXT_DROP; - return 1; -} - static_always_inline void esp_process_ops (vlib_main_t * vm, vlib_node_runtime_t * node, vnet_crypto_op_t * ops, vlib_buffer_t * b[], u16 * nexts) @@ -263,7 +264,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, esp_header_t *esp; u8 *payload, *next_hdr_ptr; u16 payload_len; - u32 hdr_len; + u32 hdr_len, config_index; if (n_left > 2) { @@ -279,9 +280,11 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, { /* we are on a ipsec tunnel's feature arc */ u32 next0; + config_index = b[0]->current_config_index; sa_index0 = *(u32 *) vnet_feature_next_with_data (&next0, b[0], sizeof (sa_index0)); + vnet_buffer (b[0])->ipsec.sad_index = sa_index0; next[0] = next0; } else @@ -304,6 +307,25 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, iv_sz = sa0->crypto_iv_size; } + if (PREDICT_FALSE (~0 == sa0->encrypt_thread_index)) + { + /* this is the first packet to use this SA, claim the SA + * for this thread. this could happen simultaneously on + * another thread */ + clib_atomic_cmp_and_swap (&sa0->encrypt_thread_index, ~0, + ipsec_sa_assign_thread (thread_index)); + } + + if (PREDICT_TRUE (thread_index != sa0->encrypt_thread_index)) + { + next[0] = ESP_ENCRYPT_NEXT_HANDOFF; + if (is_tun) + { + b[0]->current_config_index = config_index; + } + goto trace; + } + if (vlib_buffer_chain_linearize (vm, b[0]) != 1) { b[0]->error = node->errors[ESP_ENCRYPT_ERROR_CHAINED_BUFFER]; @@ -324,11 +346,12 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (ipsec_sa_is_set_IS_TUNNEL (sa0)) { payload = vlib_buffer_get_current (b[0]); - next_hdr_ptr = esp_add_footer_and_icv (b[0], block_sz, icv_sz); - payload_len = b[0]->current_length; - - if (esp_trailer_icv_overflow (node, b[0], next, buffer_data_size)) + next_hdr_ptr = esp_add_footer_and_icv (b[0], block_sz, icv_sz, + next, node, + buffer_data_size); + if (!next_hdr_ptr) goto trace; + payload_len = b[0]->current_length; /* ESP header */ hdr_len += sizeof (*esp); @@ -387,11 +410,12 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_buffer_advance (b[0], ip_len); payload = vlib_buffer_get_current (b[0]); - next_hdr_ptr = esp_add_footer_and_icv (b[0], block_sz, icv_sz); - payload_len = b[0]->current_length; - - if (esp_trailer_icv_overflow (node, b[0], next, buffer_data_size)) + next_hdr_ptr = esp_add_footer_and_icv (b[0], block_sz, icv_sz, + next, node, + buffer_data_size); + if (!next_hdr_ptr) goto trace; + payload_len = b[0]->current_length; /* ESP header */ hdr_len += sizeof (*esp); @@ -521,7 +545,8 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, sizeof (*tr)); tr->sa_index = sa_index0; tr->spi = sa0->spi; - tr->seq = sa0->seq - 1; + tr->seq = sa0->seq; + tr->sa_seq_hi = sa0->seq_hi; tr->udp_encap = ipsec_sa_is_set_UDP_ENCAP (sa0); tr->crypto_alg = sa0->crypto_alg; tr->integ_alg = sa0->integ_alg; @@ -564,9 +589,9 @@ VLIB_REGISTER_NODE (esp4_encrypt_node) = { .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { -#define _(s,n) [ESP_ENCRYPT_NEXT_##s] = n, - foreach_esp_encrypt_next -#undef _ + [ESP_ENCRYPT_NEXT_DROP] = "ip4-drop", + [ESP_ENCRYPT_NEXT_HANDOFF] = "esp4-encrypt-handoff", + [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "interface-output", }, }; /* *INDENT-ON* */ @@ -590,9 +615,9 @@ VLIB_REGISTER_NODE (esp6_encrypt_node) = { .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { -#define _(s,n) [ESP_ENCRYPT_NEXT_##s] = n, - foreach_esp_encrypt_next -#undef _ + [ESP_ENCRYPT_NEXT_DROP] = "ip6-drop", + [ESP_ENCRYPT_NEXT_HANDOFF] = "esp6-encrypt-handoff", + [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "interface-output", }, }; /* *INDENT-ON* */ @@ -614,9 +639,11 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_node) = { .n_errors = ARRAY_LEN(esp_encrypt_error_strings), .error_strings = esp_encrypt_error_strings, - .n_next_nodes = 1, + .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { [ESP_ENCRYPT_NEXT_DROP] = "ip4-drop", + [ESP_ENCRYPT_NEXT_HANDOFF] = "esp4-encrypt-tun-handoff", + [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "error-drop", }, }; @@ -627,6 +654,13 @@ VNET_FEATURE_INIT (esp4_encrypt_tun_feat_node, static) = .runs_before = VNET_FEATURES ("adj-midchain-tx"), }; +VNET_FEATURE_INIT (esp6o4_encrypt_tun_feat_node, static) = +{ + .arc_name = "ip6-output", + .node_name = "esp4-encrypt-tun", + .runs_before = VNET_FEATURES ("adj-midchain-tx"), +}; + VNET_FEATURE_INIT (esp4_ethernet_encrypt_tun_feat_node, static) = { .arc_name = "ethernet-output", @@ -652,9 +686,11 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_node) = { .n_errors = ARRAY_LEN(esp_encrypt_error_strings), .error_strings = esp_encrypt_error_strings, - .n_next_nodes = 1, + .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { [ESP_ENCRYPT_NEXT_DROP] = "ip6-drop", + [ESP_ENCRYPT_NEXT_HANDOFF] = "esp6-encrypt-tun-handoff", + [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "error-drop", }, }; @@ -664,6 +700,14 @@ VNET_FEATURE_INIT (esp6_encrypt_tun_feat_node, static) = .node_name = "esp6-encrypt-tun", .runs_before = VNET_FEATURES ("adj-midchain-tx"), }; + +VNET_FEATURE_INIT (esp4o6_encrypt_tun_feat_node, static) = +{ + .arc_name = "ip4-output", + .node_name = "esp6-encrypt-tun", + .runs_before = VNET_FEATURES ("adj-midchain-tx"), +}; + /* *INDENT-ON* */ typedef struct