2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
18 #include <vnet/ip/ip.h>
19 #include <vnet/crypto/crypto.h>
20 #include <vnet/ipsec/ipsec.h>
36 typedef CLIB_PACKED (struct {
39 }) ip4_and_esp_header_t;
43 typedef CLIB_PACKED (struct {
47 }) ip4_and_udp_and_esp_header_t;
51 typedef CLIB_PACKED (struct {
54 }) ip6_and_esp_header_t;
57 #define ESP_WINDOW_SIZE (64)
58 #define ESP_SEQ_MAX (4294967295UL)
59 #define ESP_MAX_BLOCK_SIZE (16)
60 #define ESP_MAX_ICV_SIZE (16)
62 u8 *format_esp_header (u8 * s, va_list * args);
65 esp_replay_check (ipsec_sa_t * sa, u32 seq)
69 if (PREDICT_TRUE (seq > sa->last_seq))
72 diff = sa->last_seq - seq;
74 if (ESP_WINDOW_SIZE > diff)
75 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
83 esp_replay_check_esn (ipsec_sa_t * sa, u32 seq)
85 u32 tl = sa->last_seq;
86 u32 th = sa->last_seq_hi;
89 if (PREDICT_TRUE (tl >= (ESP_WINDOW_SIZE - 1)))
91 if (seq >= (tl - ESP_WINDOW_SIZE + 1))
95 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
107 if (seq >= (tl - ESP_WINDOW_SIZE + 1))
110 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
116 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
125 /* TODO seq increment should be atomic to be accessed by multiple workers */
127 esp_replay_advance (ipsec_sa_t * sa, u32 seq)
131 if (seq > sa->last_seq)
133 pos = seq - sa->last_seq;
134 if (pos < ESP_WINDOW_SIZE)
135 sa->replay_window = ((sa->replay_window) << pos) | 1;
137 sa->replay_window = 1;
142 pos = sa->last_seq - seq;
143 sa->replay_window |= (1ULL << pos);
148 esp_replay_advance_esn (ipsec_sa_t * sa, u32 seq)
150 int wrap = sa->seq_hi - sa->last_seq_hi;
153 if (wrap == 0 && seq > sa->last_seq)
155 pos = seq - sa->last_seq;
156 if (pos < ESP_WINDOW_SIZE)
157 sa->replay_window = ((sa->replay_window) << pos) | 1;
159 sa->replay_window = 1;
164 pos = ~seq + sa->last_seq + 1;
165 if (pos < ESP_WINDOW_SIZE)
166 sa->replay_window = ((sa->replay_window) << pos) | 1;
168 sa->replay_window = 1;
170 sa->last_seq_hi = sa->seq_hi;
174 pos = ~seq + sa->last_seq + 1;
175 sa->replay_window |= (1ULL << pos);
179 pos = sa->last_seq - seq;
180 sa->replay_window |= (1ULL << pos);
185 esp_seq_advance (ipsec_sa_t * sa)
187 if (PREDICT_TRUE (sa->use_esn))
189 if (PREDICT_FALSE (sa->seq == ESP_SEQ_MAX))
192 (sa->use_anti_replay && sa->seq_hi == ESP_SEQ_MAX))
200 if (PREDICT_FALSE (sa->use_anti_replay && sa->seq == ESP_SEQ_MAX))
209 always_inline unsigned int
210 hmac_calc (vlib_main_t * vm, ipsec_sa_t * sa, u8 * data, int data_len,
213 vnet_crypto_op_t _op, *op = &_op;
215 if (PREDICT_FALSE (sa->integ_op_type == 0))
218 op->op = sa->integ_op_type;
219 op->key = sa->integ_key.data;
220 op->key_len = sa->integ_key.len;
224 op->hmac_trunc_len = sa->integ_trunc_size;
228 u32 seq_hi = clib_host_to_net_u32 (sa->seq_hi);
231 clib_memcpy (data + data_len, &seq_hi, 4);
234 vnet_crypto_process_ops (vm, op, 1);
235 return sa->integ_trunc_size;
238 #endif /* __ESP_H__ */
241 * fd.io coding-style-patch-verification: ON
244 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob