2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
18 #include <vnet/ip/ip.h>
19 #include <vnet/crypto/crypto.h>
20 #include <vnet/ipsec/ipsec.h>
36 typedef CLIB_PACKED (struct {
39 }) ip4_and_esp_header_t;
43 typedef CLIB_PACKED (struct {
47 }) ip4_and_udp_and_esp_header_t;
51 typedef CLIB_PACKED (struct {
54 }) ip6_and_esp_header_t;
57 #define ESP_WINDOW_SIZE (64)
58 #define ESP_SEQ_MAX (4294967295UL)
60 u8 *format_esp_header (u8 * s, va_list * args);
63 esp_replay_check (ipsec_sa_t * sa, u32 seq)
67 if (PREDICT_TRUE (seq > sa->last_seq))
70 diff = sa->last_seq - seq;
72 if (ESP_WINDOW_SIZE > diff)
73 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
81 esp_replay_check_esn (ipsec_sa_t * sa, u32 seq)
83 u32 tl = sa->last_seq;
84 u32 th = sa->last_seq_hi;
87 if (PREDICT_TRUE (tl >= (ESP_WINDOW_SIZE - 1)))
89 if (seq >= (tl - ESP_WINDOW_SIZE + 1))
93 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
105 if (seq >= (tl - ESP_WINDOW_SIZE + 1))
108 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
114 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
123 /* TODO seq increment should be atomic to be accessed by multiple workers */
125 esp_replay_advance (ipsec_sa_t * sa, u32 seq)
129 if (seq > sa->last_seq)
131 pos = seq - sa->last_seq;
132 if (pos < ESP_WINDOW_SIZE)
133 sa->replay_window = ((sa->replay_window) << pos) | 1;
135 sa->replay_window = 1;
140 pos = sa->last_seq - seq;
141 sa->replay_window |= (1ULL << pos);
146 esp_replay_advance_esn (ipsec_sa_t * sa, u32 seq)
148 int wrap = sa->seq_hi - sa->last_seq_hi;
151 if (wrap == 0 && seq > sa->last_seq)
153 pos = seq - sa->last_seq;
154 if (pos < ESP_WINDOW_SIZE)
155 sa->replay_window = ((sa->replay_window) << pos) | 1;
157 sa->replay_window = 1;
162 pos = ~seq + sa->last_seq + 1;
163 if (pos < ESP_WINDOW_SIZE)
164 sa->replay_window = ((sa->replay_window) << pos) | 1;
166 sa->replay_window = 1;
168 sa->last_seq_hi = sa->seq_hi;
172 pos = ~seq + sa->last_seq + 1;
173 sa->replay_window |= (1ULL << pos);
177 pos = sa->last_seq - seq;
178 sa->replay_window |= (1ULL << pos);
183 esp_seq_advance (ipsec_sa_t * sa)
185 if (PREDICT_TRUE (sa->use_esn))
187 if (PREDICT_FALSE (sa->seq == ESP_SEQ_MAX))
190 (sa->use_anti_replay && sa->seq_hi == ESP_SEQ_MAX))
198 if (PREDICT_FALSE (sa->use_anti_replay && sa->seq == ESP_SEQ_MAX))
207 always_inline unsigned int
208 hmac_calc (vlib_main_t * vm, ipsec_integ_alg_t alg, u8 * key, int key_len,
209 u8 * data, int data_len, u8 * signature, u8 use_esn, u32 seq_hi)
211 ipsec_main_t *im = &ipsec_main;
212 vnet_crypto_op_t _op, *op = &_op;
213 ASSERT (alg < IPSEC_INTEG_N_ALG);
215 if (PREDICT_FALSE (im->integ_algs[alg].op_type == 0))
218 op->op = im->integ_algs[alg].op_type;
220 op->key_len = key_len;
226 HMAC_Init_ex (ctx, key, key_len, md, NULL);
228 HMAC_Update (ctx, data, data_len);
230 if (PREDICT_TRUE (use_esn))
231 HMAC_Update (ctx, (u8 *) & seq_hi, sizeof (seq_hi));
232 HMAC_Final (ctx, signature, &len);
235 vnet_crypto_process_ops (vm, op, 1);
236 return im->integ_algs[alg].trunc_size;
239 #endif /* __ESP_H__ */
242 * fd.io coding-style-patch-verification: ON
245 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob