X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fesp_encrypt.c;h=a836453b58e5f6595eb8dd646a33aa7fbc28a057;hb=84e665848675afdc8e76fcbfb2bd65bccd4f25a8;hp=4ed3bf72c3fe34dfa924cec5ae5f0720776f5e9a;hpb=6f1eb484c85cfdb091cbef18252a02b3310b9aae;p=vpp.git diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 4ed3bf72c3f..a836453b58e 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -182,9 +182,9 @@ ext_hdr_is_pre_esp (u8 nexthdr) return !u8x16_is_all_zero (ext_hdr_types == u8x16_splat (nexthdr)); #else - return ((nexthdr ^ IP_PROTOCOL_IP6_HOP_BY_HOP_OPTIONS) | - (nexthdr ^ IP_PROTOCOL_IPV6_ROUTE) | - ((nexthdr ^ IP_PROTOCOL_IPV6_FRAGMENTATION) != 0)); + return (!(nexthdr ^ IP_PROTOCOL_IP6_HOP_BY_HOP_OPTIONS) || + !(nexthdr ^ IP_PROTOCOL_IPV6_ROUTE) || + !(nexthdr ^ IP_PROTOCOL_IPV6_FRAGMENTATION)); #endif } @@ -215,6 +215,25 @@ esp_get_ip6_hdr_len (ip6_header_t * ip6, ip6_ext_header_t ** ext_hdr) return len; } +/* IPsec IV generation: IVs requirements differ depending of the + * encryption mode: IVs must be unpredictable for AES-CBC whereas it can + * be predictable but should never be reused with the same key material + * for CTR and GCM. + * To avoid reusing the same IVs between multiple VPP instances and between + * restarts, we use a properly chosen PRNG to generate IVs. To ensure the IV is + * unpredictable for CBC, it is then encrypted using the same key as the + * message. You can refer to NIST SP800-38a and NIST SP800-38d for more + * details. */ +static_always_inline void * +esp_generate_iv (ipsec_sa_t *sa, void *payload, int iv_sz) +{ + ASSERT (iv_sz >= sizeof (u64)); + u64 *iv = (u64 *) (payload - iv_sz); + clib_memset_u8 (iv, 0, iv_sz); + *iv = clib_pcg64i_random_r (&sa->iv_prng); + return iv; +} + static_always_inline void esp_process_chained_ops (vlib_main_t * vm, vlib_node_runtime_t * node, vnet_crypto_op_t * ops, vlib_buffer_t * b[], 
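Review bot: The corrected `#else` return in ext_hdr_is_pre_esp (hunk -182,9 +182,9) still spells equality as a negated XOR, the same idiom that hid the original logic error. Plain comparisons read unambiguously: `return (nexthdr == IP_PROTOCOL_IP6_HOP_BY_HOP_OPTIONS || nexthdr == IP_PROTOCOL_IPV6_ROUTE || nexthdr == IP_PROTOCOL_IPV6_FRAGMENTATION);`. This branch decides which extension headers stay in front of the ESP header, so a test that checks the three listed types and at least one other value would catch a regression here. The function starts above the hunk.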
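Review bot: The header comment on esp_generate_iv (hunk -215,6 +215,25) says a "properly chosen PRNG" avoids IV reuse across instances and restarts, but that depends on how `sa->iv_prng` is seeded, which this hunk does not show. The comment should state the requirement, for example `/* sa->iv_prng must be seeded per SA from an unpredictable source; IV uniqueness for CTR/GCM relies on it */`. It should also record that only the first 8 bytes of the IV field carry PRNG output and the rest is zeroed, and that for CBC this value becomes the on-wire IV only after the caller encrypts it. `ASSERT (iv_sz >= sizeof (u64))` compares an int with a size_t; if ASSERT is compiled out in release images, the write at `payload - iv_sz` depends entirely on the callers passing a valid size.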
@@ -236,8 +255,10 @@ esp_process_chained_ops (vlib_main_t * vm, vlib_node_runtime_t * node, if (op->status != VNET_CRYPTO_OP_STATUS_COMPLETED) { u32 bi = op->user_data; - b[bi]->error = node->errors[ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR]; - nexts[bi] = drop_next; + esp_encrypt_set_next_index (b[bi], node, vm->thread_index, + ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR, + bi, nexts, drop_next, + vnet_buffer (b[bi])->ipsec.sad_index); n_fail--; } op++; @@ -264,8 +285,10 @@ esp_process_ops (vlib_main_t * vm, vlib_node_runtime_t * node, if (op->status != VNET_CRYPTO_OP_STATUS_COMPLETED) { u32 bi = op->user_data; - b[bi]->error = node->errors[ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR]; - nexts[bi] = drop_next; + esp_encrypt_set_next_index (b[bi], node, vm->thread_index, + ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR, + bi, nexts, drop_next, + vnet_buffer (b[bi])->ipsec.sad_index); n_fail--; } op++; 
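Review bot: The failure branch in esp_process_chained_ops reads `vnet_buffer (b[bi])->ipsec.sad_index` to attribute the crypto-engine error to an SA, which assumes that field was written for every buffer that had an op queued. Nothing in the hunk shows where it is set, so a comment at the call naming the writer would make the dependency auditable. The same call is repeated verbatim in the esp_process_ops hunk that follows (-264,8 +285,10); a small static helper taking `op`, `b`, `nexts` and `drop_next` would keep the two in step. Both loops begin and end outside the hunks.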
@@ -368,28 +391,36 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, vnet_crypto_op_t *op; vec_add2_aligned (crypto_ops[0], op, 1, CLIB_CACHE_LINE_BYTES); vnet_crypto_op_init (op, sa0->crypto_enc_op_id); + u8 *crypto_start = payload; + /* esp_add_footer_and_icv() in esp_encrypt_inline() makes sure we always + * have enough space for ESP header and footer which includes ICV */ + ASSERT (payload_len > icv_sz); + u16 crypto_len = payload_len - icv_sz; + + /* generate the IV in front of the payload */ + void *pkt_iv = esp_generate_iv (sa0, payload, iv_sz); - op->src = op->dst = payload; op->key_index = sa0->crypto_key_index; - op->len = payload_len - icv_sz; op->user_data = bi; if (ipsec_sa_is_set_IS_CTR (sa0)) { - ASSERT (sizeof (u64) == iv_sz); /* construct nonce in a scratch space in front of the IP header */ esp_ctr_nonce_t *nonce = - (esp_ctr_nonce_t *) (payload - sizeof (u64) - hdr_len - - sizeof (*nonce)); - u64 *pkt_iv = (u64 *) (payload - sizeof (u64)); - + (esp_ctr_nonce_t *) (pkt_iv - hdr_len - sizeof (*nonce)); if (ipsec_sa_is_set_IS_AEAD (sa0)) { /* constuct aad in a scratch space in front of the nonce */ op->aad = (u8 *) nonce - sizeof (esp_aead_t); op->aad_len = esp_aad_fill (op->aad, esp, sa0, seq_hi); - op->tag = payload + op->len; + op->tag = payload + crypto_len; op->tag_len = 16; + if (PREDICT_FALSE (ipsec_sa_is_set_IS_NULL_GMAC (sa0))) + { + /* RFC-4543 ENCR_NULL_AUTH_AES_GMAC: IV is part of AAD */ + crypto_start -= iv_sz; + crypto_len += iv_sz; + } } else { 
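Review bot: `u16 crypto_len = payload_len - icv_sz;` is protected only by `ASSERT (payload_len > icv_sz)`, so in a build where ASSERT is compiled out a short payload would wrap crypto_len to a large value that is later stored in `op->len`. If the guarantee from esp_add_footer_and_icv() is what the code relies on, the comment should say which check enforces it; otherwise the condition should be a runtime drop. The CTR branch also lost `ASSERT (sizeof (u64) == iv_sz);` while `nonce->iv = *(u64 *) pkt_iv` in the next hunk still assumes an 8-byte IV, and esp_generate_iv only asserts `>=`. Keeping the equality assert in the CTR branch would preserve that invariant. The function body continues outside the hunk.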
@@ -397,23 +428,34 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, } nonce->salt = sa0->salt; - nonce->iv = *pkt_iv = clib_host_to_net_u64 (sa0->ctr_iv_counter++); + nonce->iv = *(u64 *) pkt_iv; op->iv = (u8 *) nonce; } else { - op->iv = payload - iv_sz; - op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV; + /* construct zero iv in front of the IP header */ + op->iv = pkt_iv - hdr_len - iv_sz; + clib_memset_u8 (op->iv, 0, iv_sz); + /* include iv field in crypto */ + crypto_start -= iv_sz; + crypto_len += iv_sz; } - if (lb != b[0]) + if (PREDICT_FALSE (lb != b[0])) { /* is chained */ op->flags |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS; op->chunk_index = vec_len (ptd->chunks); op->tag = vlib_buffer_get_tail (lb) - icv_sz; - esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz, payload, - payload_len, &op->n_chunks); + esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz, + crypto_start, crypto_len + icv_sz, + &op->n_chunks); + } + else + { + /* not chained */ + op->src = op->dst = crypto_start; + op->len = crypto_len; } } 
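Review bot: The non-CTR branch now points `op->iv` at an all-zero block at `pkt_iv - hdr_len - iv_sz`, and the two short comments do not say why a zero IV is safe here, which invites a later "fix". A why-comment would help, for example `/* zero IV is deliberate: the IV field holds fresh PRNG output and is encrypted as the first CBC block, so the on-wire IV is unpredictable */`. The scratch write sits in front of the outer headers and relies on headroom that is not checked anywhere in this hunk. It presumably shares the assumption the CTR nonce already makes, but stating the maximum scratch size needed would make that verifiable. The same construction appears in esp_prepare_async_frame (hunk -496,13 +541,17).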
@@ -462,33 +504,36 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, esp_post_data_t *post = esp_post_data (b); u8 *tag, *iv, *aad = 0; u8 flag = 0; - u32 key_index; - i16 crypto_start_offset, integ_start_offset = 0; + const u32 key_index = sa->crypto_key_index; + i16 crypto_start_offset, integ_start_offset; u16 crypto_total_len, integ_total_len; post->next_index = next; /* crypto */ - crypto_start_offset = payload - b->data; + crypto_start_offset = integ_start_offset = payload - b->data; crypto_total_len = integ_total_len = payload_len - icv_sz; tag = payload + crypto_total_len; - key_index = sa->linked_key_index; + /* generate the IV in front of the payload */ + void *pkt_iv = esp_generate_iv (sa, payload, iv_sz); if (ipsec_sa_is_set_IS_CTR (sa)) { - ASSERT (sizeof (u64) == iv_sz); /* construct nonce in a scratch space in front of the IP header */ - esp_ctr_nonce_t *nonce = (esp_ctr_nonce_t *) (payload - sizeof (u64) - - hdr_len - sizeof (*nonce)); - u64 *pkt_iv = (u64 *) (payload - sizeof (u64)); - + esp_ctr_nonce_t *nonce = + (esp_ctr_nonce_t *) (pkt_iv - hdr_len - sizeof (*nonce)); if (ipsec_sa_is_set_IS_AEAD (sa)) { /* constuct aad in a scratch space in front of the nonce */ aad = (u8 *) nonce - sizeof (esp_aead_t); esp_aad_fill (aad, esp, sa, sa->seq_hi); - key_index = sa->crypto_key_index; + if (PREDICT_FALSE (ipsec_sa_is_set_IS_NULL_GMAC (sa))) + { + /* RFC-4543 ENCR_NULL_AUTH_AES_GMAC: IV is part of AAD */ + crypto_start_offset -= iv_sz; + crypto_total_len += iv_sz; + } } else { 
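Review bot: `crypto_total_len = integ_total_len = payload_len - icv_sz;` in esp_prepare_async_frame has no counterpart to the `ASSERT (payload_len > icv_sz)` and explanatory comment that esp_prepare_sync_op gained, so the two paths document different preconditions for the same subtraction. Adding the same assert and comment here keeps them consistent. Separately, `key_index` is now always `sa->crypto_key_index`, where the old code used `sa->linked_key_index` for non-AEAD SAs. The hunk does not show where the linked key is selected now, so that is worth confirming for cipher-plus-integrity SAs in async mode. The function continues outside the hunk.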
@@ -496,13 +541,17 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, } nonce->salt = sa->salt; - nonce->iv = *pkt_iv = clib_host_to_net_u64 (sa->ctr_iv_counter++); + nonce->iv = *(u64 *) pkt_iv; iv = (u8 *) nonce; } else { - iv = payload - iv_sz; - flag |= VNET_CRYPTO_OP_FLAG_INIT_IV; + /* construct zero iv in front of the IP header */ + iv = pkt_iv - hdr_len - iv_sz; + clib_memset_u8 (iv, 0, iv_sz); + /* include iv field in crypto */ + crypto_start_offset -= iv_sz; + crypto_total_len += iv_sz; } if (lb != b) @@ -510,13 +559,14 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, /* chain */ flag |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS; tag = vlib_buffer_get_tail (lb) - icv_sz; - crypto_total_len = esp_encrypt_chain_crypto (vm, ptd, sa, b, lb, icv_sz, - payload, payload_len, 0); + crypto_total_len = esp_encrypt_chain_crypto ( + vm, ptd, sa, b, lb, icv_sz, b->data + crypto_start_offset, + crypto_total_len + icv_sz, 0); } if (sa->integ_op_id) { - integ_start_offset = crypto_start_offset - iv_sz - sizeof (esp_header_t); + integ_start_offset -= iv_sz + sizeof (esp_header_t); integ_total_len += iv_sz + sizeof (esp_header_t); if (b != lb) @@ -573,8 +623,8 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, ESP_ENCRYPT_NEXT_HANDOFF_MPLS)); vlib_buffer_t *sync_bufs[VLIB_FRAME_SIZE]; u16 sync_nexts[VLIB_FRAME_SIZE], *sync_next = sync_nexts, n_sync = 0; - u16 async_nexts[VLIB_FRAME_SIZE], *async_next = async_nexts, n_async = 0; - u16 noop_nexts[VLIB_FRAME_SIZE], *noop_next = noop_nexts, n_noop = 0; + u16 n_async = 0; + u16 noop_nexts[VLIB_FRAME_SIZE], n_noop = 0; u32 sync_bi[VLIB_FRAME_SIZE]; u32 noop_bi[VLIB_FRAME_SIZE]; esp_encrypt_error_t err; 
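Review bot: In hunk -510,13 +559,14, `integ_start_offset -= iv_sz + sizeof (esp_header_t);` is right only because integ_start_offset was initialised from `payload - b->data` and not from crypto_start_offset, which the CBC and NULL-GMAC branches may already have moved back by iv_sz. A comment such as `/* integ covers ESP header + IV + payload; anchored at payload, independent of crypto_start_offset */` would stop someone re-deriving it from crypto_start_offset as the old code did. The compound assignment also mixes an i16 with a size_t operand, so the value passes through an unsigned intermediate before narrowing; an explicit `(i16)` cast on the right-hand side would make the intent visible. The enclosing function extends beyond the hunk.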
@@ -623,8 +673,8 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (PREDICT_FALSE (INDEX_INVALID == sa_index0)) { err = ESP_ENCRYPT_ERROR_NO_PROTECTION; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - drop_next); + noop_nexts[n_noop] = drop_next; + b[0]->error = node->errors[err]; goto trace; } } @@ -634,10 +684,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (sa_index0 != current_sa_index) { if (current_sa_packets) - vlib_increment_combined_counter (&ipsec_sa_counters, thread_index, - current_sa_index, - current_sa_packets, - current_sa_bytes); + vlib_increment_combined_counter ( + &ipsec_sa_counters, thread_index, current_sa_index, + current_sa_packets, current_sa_bytes); current_sa_packets = current_sa_bytes = 0; sa0 = ipsec_sa_get (sa_index0); @@ -647,14 +696,18 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, !ipsec_sa_is_set_NO_ALGO_NO_DROP (sa0))) { err = ESP_ENCRYPT_ERROR_NO_ENCRYPTION; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, + n_noop, noop_nexts, drop_next, + sa_index0); goto trace; } + current_sa_index = sa_index0; + vlib_prefetch_combined_counter (&ipsec_sa_counters, thread_index, + current_sa_index); + /* fetch the second cacheline ASAP */ clib_prefetch_load (sa0->cacheline1); - current_sa_index = sa_index0; spi = clib_net_to_host_u32 (sa0->spi); esp_align = sa0->esp_block_align; icv_sz = sa0->integ_icv_size; @@ -662,7 +715,7 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, is_async = im->async_mode | ipsec_sa_is_set_IS_ASYNC (sa0); } - if (PREDICT_FALSE (~0 == sa0->thread_index)) + if (PREDICT_FALSE ((u16) ~0 == sa0->thread_index)) { /* this is the first packet to use this SA, claim the SA * for this thread. this could happen simultaneously on 
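Review bot: The INDEX_INVALID branch in the first hunk (-623,8 +673,8) now sets `noop_nexts[n_noop]` and `b[0]->error` by hand while the other drop paths touched in this function go through esp_encrypt_set_next_index. The reason, presumably that there is no valid SA index to attribute the error to, should be recorded in a comment such as `/* no SA here, so bypass the per-SA error accounting */`. Without it the inconsistency looks accidental and is likely to be "normalised" later.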
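Review bot: In the last hunk (-662,7 +715,7), `(u16) ~0 == sa0->thread_index` hard-codes the field width into the unclaimed-SA check, which is the kind of mismatch this change corrects; if the field type changes again the comparison goes stale silently. Deriving the sentinel from the field, `(__typeof__ (sa0->thread_index)) ~0`, or using a named constant shared with the code that initialises thread_index, would avoid that. The claim logic this condition guards lies outside the hunk.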
@@ -675,8 +728,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { vnet_buffer (b[0])->ipsec.thread_index = sa0->thread_index; err = ESP_ENCRYPT_ERROR_HANDOFF; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - handoff_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, n_noop, + noop_nexts, handoff_next, + current_sa_index); goto trace; } @@ -685,7 +739,8 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (n_bufs == 0) { err = ESP_ENCRYPT_ERROR_NO_BUFFERS; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, n_noop, + noop_nexts, drop_next, current_sa_index); goto trace; } @@ -699,7 +754,8 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (PREDICT_FALSE (esp_seq_advance (sa0))) { err = ESP_ENCRYPT_ERROR_SEQ_CYCLED; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, n_noop, + noop_nexts, drop_next, current_sa_index); goto trace; } @@ -715,8 +771,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (!next_hdr_ptr) { err = ESP_ENCRYPT_ERROR_NO_BUFFERS; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, + n_noop, noop_nexts, drop_next, + current_sa_index); goto trace; } b[0]->flags &= ~VLIB_BUFFER_TOTAL_LENGTH_VALID; @@ -837,8 +894,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if ((old_ip_hdr - ip_len) < &b[0]->pre_data[0]) { err = ESP_ENCRYPT_ERROR_NO_BUFFERS; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, + n_noop, noop_nexts, drop_next, + current_sa_index); goto trace; } 
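Review bot: The handoff branch in the first hunk (-675,8 +728,9) passes `handoff_next` and ESP_ENCRYPT_ERROR_HANDOFF to esp_encrypt_set_next_index together with `current_sa_index`. The helper is not shown here, but if it increments a per-SA error counter then ordinary thread handoffs would be reported against the SA as errors and distort drop monitoring. Confirm that the helper maps the handoff code to no SA counter, and say so in a comment at this call. The following hunks through -837,8 +894,9 are the same substitution on real drop paths.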
@@ -850,8 +908,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (!next_hdr_ptr) { err = ESP_ENCRYPT_ERROR_NO_BUFFERS; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, + n_noop, noop_nexts, drop_next, + current_sa_index); goto trace; } @@ -952,6 +1011,16 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { async_frames[async_op] = vnet_crypto_async_get_frame (vm, async_op); + + if (PREDICT_FALSE (!async_frames[async_op])) + { + err = ESP_ENCRYPT_ERROR_NO_AVAIL_FRAME; + esp_encrypt_set_next_index (b[0], node, thread_index, err, + n_noop, noop_nexts, drop_next, + current_sa_index); + goto trace; + } + /* Save the frame to the list we'll submit at the end */ vec_add1 (ptd->async_frames, async_frames[async_op]); } @@ -995,7 +1064,6 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { noop_bi[n_noop] = from[b - bufs]; n_noop++; - noop_next++; } else if (!is_async) { @@ -1007,7 +1075,6 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, else { n_async++; - async_next++; } n_left -= 1; b += 1; @@ -1042,7 +1109,8 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { n_noop += esp_async_recycle_failed_submit ( vm, *async_frame, node, ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR, - n_noop, noop_bi, noop_nexts, drop_next); + IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR, n_noop, noop_bi, + noop_nexts, drop_next, true); vnet_crypto_async_reset_frame (*async_frame); vnet_crypto_async_free_frame (vm, *async_frame); }
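Review bot: The call to esp_async_recycle_failed_submit in the last hunk (-1042,7 +1109,8) ends with a bare `true`, which does not tell the reader what it selects. Annotate it with the parameter's name, `/* <param name> */ true`, or pass a named constant. The call now also carries two error codes, ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR and IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR, which must stay paired; a short comment saying which counter each one feeds would help, since the callee is not visible here. The surrounding loop continues outside the hunk.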