clib_memcpy_fast (aad, esp0, 8);
/* _aad[3] should always be 0 */
- if (PREDICT_FALSE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0)))
+ if (PREDICT_FALSE (ipsec_sa_is_set_USE_ESN (sa0)))
_aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
else
_aad[2] = 0;
{
auth_len = sizeof (esp_header_t) + iv_size + payload_len;
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0))
+ if (ipsec_sa_is_set_USE_ESN (sa0))
{
clib_memcpy_fast (priv->icv, digest, trunc_size);
u32 *_digest = (u32 *) digest;
aad[1] = clib_host_to_net_u32 (sa0->seq);
/* aad[3] should always be 0 */
- if (PREDICT_FALSE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0)))
+ if (PREDICT_FALSE (ipsec_sa_is_set_USE_ESN (sa0)))
aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
else
aad[2] = 0;
{
auth_len =
vlib_buffer_get_tail (b0) - ((u8 *) esp0) - trunc_size;
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0))
+ if (ipsec_sa_is_set_USE_ESN (sa0))
{
u32 *_digest = (u32 *) digest;
_digest[0] = clib_host_to_net_u32 (sa0->seq_hi);
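Review bot: The ESN high word is stored through a cast pointer, `_digest[0] = clib_host_to_net_u32 (sa0->seq_hi);`, which is an unaligned, type-punned store if `digest` is a byte pointer into the packet tail, as the `(u32 *)` cast suggests. Copying from a local avoids both problems: `u32 seq_hi = clib_host_to_net_u32 (sa0->seq_hi); clib_memcpy_fast (digest, &seq_hi, sizeof (seq_hi));`, which is the form used in the hunk that writes seq_hi to `op->dst`. The earlier hunk that saves the ICV into `priv->icv` declares the same `_digest` pointer. The enclosing block continues outside the hunk, so it cannot be confirmed here that the four bytes at `digest` are always inside the buffer.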
crypto_op_get_priv_offset () + offsetof (dpdk_op_priv_t, cb);
xform->aead.iv.length = 12;
xform->aead.digest_length = c->trunc_size;
- xform->aead.aad_length = ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa) ? 12 : 8;
+ xform->aead.aad_length = ipsec_sa_is_set_USE_ESN (sa) ? 12 : 8;
xform->next = NULL;
if (is_outbound)
ntohl (mp->entry.integrity_algorithm));
flags = ntohl (mp->entry.flags);
vat_json_object_add_uint (node, "use_esn",
- ! !(flags &
- IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM));
+ ! !(flags & IPSEC_API_SAD_FLAG_USE_ESN));
vat_json_object_add_uint (node, "use_anti_replay",
! !(flags & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY));
vat_json_object_add_uint (node, "is_tunnel",
always_inline int
esp_seq_advance (ipsec_sa_t * sa)
{
- if (PREDICT_TRUE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa)))
+ if (PREDICT_TRUE (ipsec_sa_is_set_USE_ESN (sa)))
{
if (PREDICT_FALSE (sa->seq == ESP_SEQ_MAX))
{
op->dst = signature;
op->hmac_trunc_len = sa->integ_trunc_size;
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa))
+ if (ipsec_sa_is_set_USE_ESN (sa))
{
u32 seq_hi = clib_host_to_net_u32 (sa->seq_hi);
op->len = payload_len - icv_sz + iv_sz + sizeof (esp_header_t);
op->flags = 0;
op->user_data = b - bufs;
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0))
+ if (ipsec_sa_is_set_USE_ESN (sa0))
{
u32 seq_hi = clib_net_to_host_u32 (sa0->seq_hi);
clib_memcpy_fast (op->dst, &seq_hi, sizeof (seq_hi));
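Review bot: `clib_net_to_host_u32 (sa0->seq_hi)` names the wrong direction, because `seq_hi` is a host-order SA field being copied out to `op->dst`. It should read `u32 seq_hi = clib_host_to_net_u32 (sa0->seq_hi);`, matching the hunk that sets `op->hmac_trunc_len`. Both helpers perform the same swap, so this is presumably not a behaviour change, but the mismatch makes the byte-order handling around the integrity check harder to audit. The replay-window hunk has the mirror case, `seq = clib_host_to_net_u32 (*seqp);`, where the sibling function uses `clib_net_to_host_u32 (*seqp)` on the same wire field. The enclosing block continues outside the hunk.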
{
IPSEC_API_SAD_FLAG_NONE = 0,
/* Enable extended sequence numbers */
- IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM = 0x01,
+ IPSEC_API_SAD_FLAG_USE_ESN = 0x01,
/* Enable Anti-replay */
IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,
/* IPsec tunnel mode if non-zero, else transport mode */
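Review bot: Renaming `IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM` to `IPSEC_API_SAD_FLAG_USE_ESN` breaks any API client that refers to the member by name, even though the value stays 0x01 and the flag's encoding is unchanged. The Python tests in this same commit had to be edited for that reason. If out-of-tree clients are a concern, state the rename in the commit message or release notes, and check whether it alters the generated API signature for messages that carry this flags type. The comment above the member could also spell out the abbreviation now that the name no longer does, e.g. `/* Enable extended sequence numbers (ESN) */`.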
{
vl_api_ipsec_sad_flags_t flags = IPSEC_API_SAD_FLAG_NONE;
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa))
- flags |= IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM;
+ if (ipsec_sa_is_set_USE_ESN (sa))
+ flags |= IPSEC_API_SAD_FLAG_USE_ESN;
if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
if (ipsec_sa_is_set_IS_TUNNEL (sa))
mp->salt = clib_host_to_net_u32 (sa->salt);
mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa))
+ if (ipsec_sa_is_set_USE_ESN (sa))
{
mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
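Review bot: The ESN branch ORs a 32-bit network-order value into a 64-bit field that was already converted, `mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));`. That yields the intended big-endian (seq_hi, seq) layout only on a little-endian host; on a big-endian host both halves land in the low 32 bits and are ORed together. Building the 64-bit number first is endian-neutral: `mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq_hi << 32) | sa->seq);`, and likewise for `last_seq_inbound` with `sa->last_seq_hi` and `sa->last_seq`. These counters are what an operator reads when checking replay state, so a short comment saying each field carries the 64-bit ESN in network order would help. The `if` body closes outside the hunk.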
sa->protocol ? "esp" : "ah",
ipsec_sa_is_set_UDP_ENCAP (sa) ? " udp-encap-enabled" : "",
ipsec_sa_is_set_USE_ANTI_REPLAY (sa) ? " anti-replay" : "",
- ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa) ?
+ ipsec_sa_is_set_USE_ESN (sa) ?
" extended-sequence-number" : "");
s = format (s, "\n seq %u seq-hi %u", sa->seq, sa->seq_hi);
s = format (s, "\n last-seq %u last-seq-hi %u window %U",
if (args->udp_encap)
flags |= IPSEC_SA_FLAG_UDP_ENCAP;
if (args->esn)
- flags |= IPSEC_SA_FLAG_USE_EXTENDED_SEQ_NUM;
+ flags |= IPSEC_SA_FLAG_USE_ESN;
if (args->anti_replay)
flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
ip46_address_copy (&sa->tunnel_src_addr, tun_src);
ip46_address_copy (&sa->tunnel_dst_addr, tun_dst);
- if (flags & IPSEC_SA_FLAG_USE_EXTENDED_SEQ_NUM)
- ipsec_sa_set_USE_EXTENDED_SEQ_NUM (sa);
+ if (flags & IPSEC_SA_FLAG_USE_ESN)
+ ipsec_sa_set_USE_ESN (sa);
if (flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY)
ipsec_sa_set_USE_ANTI_REPLAY (sa);
if (flags & IPSEC_SA_FLAG_IS_TUNNEL)
*/
#define foreach_ipsec_sa_flags \
_ (0, NONE, "none") \
- _ (1, USE_EXTENDED_SEQ_NUM, "esn") \
+ _ (1, USE_ESN, "esn") \
_ (2, USE_ANTI_REPLAY, "anti-replay") \
_ (4, IS_TUNNEL, "tunnel") \
_ (8, IS_TUNNEL_V6, "tunnel-v6") \
seq = clib_net_to_host_u32 (*seqp);
- if ((sa->flags & IPSEC_SA_FLAG_USE_EXTENDED_SEQ_NUM) == 0)
+ if ((sa->flags & IPSEC_SA_FLAG_USE_ESN) == 0)
{
if (PREDICT_TRUE (seq > sa->last_seq))
return;
seq = clib_host_to_net_u32 (*seqp);
- if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_EXTENDED_SEQ_NUM))
+ if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ESN))
{
int wrap = sa->seq_hi - sa->last_seq_hi;
def config_tun_params(p, encryption_type, tun_if):
ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
- IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM))
+ IPSEC_API_SAD_FLAG_USE_ESN))
p.scapy_tun_sa = SecurityAssociation(
encryption_type, spi=p.vpp_tun_spi,
crypt_algo=p.crypt_algo, crypt_key=p.crypt_key,
def config_tra_params(p, encryption_type):
use_esn = p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
- IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM)
+ IPSEC_API_SAD_FLAG_USE_ESN)
p.scapy_tra_sa = SecurityAssociation(
encryption_type,
spi=p.vpp_tra_spi,
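Review bot: `use_esn` in config_tra_params is left as the raw masked integer, while config_tun_params wraps the same expression in `bool(...)`. The two helpers should agree: `use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN))` keeps the value a strict boolean however the SecurityAssociation call consumes it. That call continues outside the hunk.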
self.ipv6_params.addr_type: self.ipv6_params}
for _, p in self.params.items():
p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
- IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM)
+ IPSEC_API_SAD_FLAG_USE_ESN)
if __name__ == '__main__':
unittest.main(testRunner=VppTestRunner)