X-Git-Url: https://gerrit.fd.io/r/gitweb?p=vpp.git;a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_sa.h;h=0997eb7d8bc81241e93e4206c4d341a705e10485;hp=e09b5391df32b0071672adfafade7cee3ea8b46a;hb=e5d34919b;hpb=3fb65bea2be23cc6ea8a93e840afc93cf89f9ea5

diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index e09b5391df3..0997eb7d8bc 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -16,11 +16,10 @@
 #define __IPSEC_SPD_SA_H__
 
 #include <vlib/vlib.h>
+#include <vnet/crypto/crypto.h>
 #include <vnet/ip/ip.h>
 #include <vnet/fib/fib_node.h>
 
-#define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE (64)
-
 #define foreach_ipsec_crypto_alg    \
   _ (0, NONE, "none")               \
   _ (1, AES_CBC_128, "aes-cbc-128") \
@@ -71,8 +70,6 @@ typedef enum
   IPSEC_PROTOCOL_ESP = 1
 } ipsec_protocol_t;
 
-#define IPSEC_N_PROTOCOLS (IPSEC_PROTOCOL_ESP+1)
-
 #define IPSEC_KEY_MAX_LEN 128
 typedef struct ipsec_key_t_
 {
@@ -95,8 +92,8 @@ typedef struct ipsec_key_t_
   _ (4, IS_TUNNEL, "tunnel")                              \
   _ (8, IS_TUNNEL_V6, "tunnel-v6")                        \
   _ (16, UDP_ENCAP, "udp-encap")                          \
-  _ (32, IS_GRE, "GRE")                                   \
-  _ (64, IS_INBOUND, "inboud")                            \
+  _ (32, IS_PROTECT, "Protect")                           \
+  _ (64, IS_INBOUND, "inbound")                           \
   _ (128, IS_AEAD, "aead")                                \
 
 typedef enum ipsec_sad_flags_t_
@@ -118,12 +115,15 @@ typedef struct
   u8 crypto_iv_size;
   u8 crypto_block_size;
   u8 integ_icv_size;
+  u32 encrypt_thread_index;
+  u32 decrypt_thread_index;
   u32 spi;
   u32 seq;
   u32 seq_hi;
   u32 last_seq;
   u32 last_seq_hi;
   u64 replay_window;
+  dpo_id_t dpo;
 
   vnet_crypto_key_index_t crypto_key_index;
   vnet_crypto_key_index_t integ_key_index;
@@ -131,8 +131,6 @@ typedef struct
   vnet_crypto_op_id_t crypto_dec_op_id:16;
   vnet_crypto_op_id_t integ_op_id:16;
 
-  dpo_id_t dpo[IPSEC_N_PROTOCOLS];
-
   /* data accessed by dataplane code should be above this comment */
     CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
 
@@ -143,7 +141,6 @@ typedef struct
   };
   udp_header_t udp_hdr;
 
-
   fib_node_t node;
   u32 id;
   u32 stat_index;
@@ -186,6 +183,13 @@ foreach_ipsec_sa_flags
   }
   foreach_ipsec_sa_flags
 #undef _
+#define _(a,v,s)                                                        \
+  always_inline int                                                     \
+  ipsec_sa_unset_##v (ipsec_sa_t *sa) {                                 \
+    return (sa->flags &= ~IPSEC_SA_FLAG_##v);                           \
+  }
+  foreach_ipsec_sa_flags
+#undef _
 /**
  * @brief
  * SA packet & bytes counters
@@ -194,30 +198,29 @@ extern vlib_combined_counter_main_t ipsec_sa_counters;
 
 extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len);
 
-extern int ipsec_sa_add (u32 id,
-			 u32 spi,
-			 ipsec_protocol_t proto,
-			 ipsec_crypto_alg_t crypto_alg,
-			 const ipsec_key_t * ck,
-			 ipsec_integ_alg_t integ_alg,
-			 const ipsec_key_t * ik,
-			 ipsec_sa_flags_t flags,
-			 u32 tx_table_id,
-			 u32 salt,
-			 const ip46_address_t * tunnel_src_addr,
-			 const ip46_address_t * tunnel_dst_addr,
-			 u32 * sa_index);
-extern u32 ipsec_sa_del (u32 id);
+extern int ipsec_sa_add_and_lock (u32 id,
+				  u32 spi,
+				  ipsec_protocol_t proto,
+				  ipsec_crypto_alg_t crypto_alg,
+				  const ipsec_key_t * ck,
+				  ipsec_integ_alg_t integ_alg,
+				  const ipsec_key_t * ik,
+				  ipsec_sa_flags_t flags,
+				  u32 tx_table_id,
+				  u32 salt,
+				  const ip46_address_t * tunnel_src_addr,
+				  const ip46_address_t * tunnel_dst_addr,
+				  u32 * sa_index, u16 dst_port);
+extern index_t ipsec_sa_find_and_lock (u32 id);
+extern int ipsec_sa_unlock_id (u32 id);
+extern void ipsec_sa_unlock (index_t sai);
+extern void ipsec_sa_lock (index_t sai);
+extern void ipsec_sa_clear (index_t sai);
 extern void ipsec_sa_set_crypto_alg (ipsec_sa_t * sa,
 				     ipsec_crypto_alg_t crypto_alg);
 extern void ipsec_sa_set_integ_alg (ipsec_sa_t * sa,
 				    ipsec_integ_alg_t integ_alg);
 
-extern u8 ipsec_is_sa_used (u32 sa_index);
-extern int ipsec_set_sa_key (u32 id,
-			     const ipsec_key_t * ck, const ipsec_key_t * ik);
-extern u32 ipsec_get_sa_index_by_sa_id (u32 sa_id);
-
 typedef walk_rc_t (*ipsec_sa_walk_cb_t) (ipsec_sa_t * sa, void *ctx);
 extern void ipsec_sa_walk (ipsec_sa_walk_cb_t cd, void *ctx);
 
@@ -231,18 +234,36 @@ extern uword unformat_ipsec_integ_alg (unformat_input_t * input,
 				       va_list * args);
 extern uword unformat_ipsec_key (unformat_input_t * input, va_list * args);
 
+#define IPSEC_UDP_PORT_NONE ((u16)~0)
+
+/*
+ * Anti Replay definitions
+ */
+
+#define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE (64)
+#define IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE-1)
+
+/*
+ * sequence number less than the lower bound are outside of the window
+ * From RFC4303 Appendix A:
+ *  Bl = Tl - W + 1
+ */
+#define IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND(_tl) (_tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1)
+
+/*
+ * Anti replay check.
+ *  inputs need to be in host byte order.
+ */
 always_inline int
-ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 * seqp)
+ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq)
 {
-  u32 seq, diff, tl, th;
+  u32 diff, tl, th;
+
   if ((sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
     return 0;
 
-  seq = clib_net_to_host_u32 (*seqp);
-
-  if ((sa->flags & IPSEC_SA_FLAG_USE_ESN) == 0)
+  if (!ipsec_sa_is_set_USE_ESN (sa))
     {
-
       if (PREDICT_TRUE (seq > sa->last_seq))
 	return 0;
 
@@ -260,50 +281,113 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 * seqp)
   th = sa->last_seq_hi;
   diff = tl - seq;
 
-  if (PREDICT_TRUE (tl >= (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE - 1)))
+  if (PREDICT_TRUE (tl >= (IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX)))
     {
-      if (seq >= (tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1))
+      /*
+       * the last sequence number VPP recieved is more than one
+       * window size greater than zero.
+       * Case A from RFC4303 Appendix A.
+       */
+      if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
 	{
+	  /*
+	   * the received sequence number is lower than the lower bound
+	   * of the window, this could mean either a replay packet or that
+	   * the high sequence number has wrapped. if it decrypts corrently
+	   * then it's the latter.
+	   */
+	  sa->seq_hi = th + 1;
+	  return 0;
+	}
+      else
+	{
+	  /*
+	   * the recieved sequence number greater than the low
+	   * end of the window.
+	   */
 	  sa->seq_hi = th;
 	  if (seq <= tl)
+	    /*
+	     * The recieved seq number is within bounds of the window
+	     * check if it's a duplicate
+	     */
 	    return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
 	  else
+	    /*
+	     * The received sequence number is greater than the window
+	     * upper bound. this packet will move the window along, assuming
+	     * it decrypts correctly.
+	     */
 	    return 0;
 	}
-      else
-	{
-	  sa->seq_hi = th + 1;
-	  return 0;
-	}
     }
   else
     {
-      if (seq >= (tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1))
+      /*
+       * the last sequence number VPP recieved is within one window
+       * size of zero, i.e. 0 < TL < WINDOW_SIZE, the lower bound is thus a
+       * large sequence number.
+       * Note that the check below uses unsiged integer arthimetic, so the
+       * RHS will be a larger number.
+       * Case B from RFC4303 Appendix A.
+       */
+      if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
 	{
-	  sa->seq_hi = th - 1;
-	  return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+	  /*
+	   * the sequence number is less than the lower bound.
+	   */
+	  if (seq <= tl)
+	    {
+	      /*
+	       * the packet is within the window upper bound.
+	       * check for duplicates.
+	       */
+	      sa->seq_hi = th;
+	      return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
+	    }
+	  else
+	    {
+	      /*
+	       * the packet is less the window lower bound or greater than
+	       * the higher bound, depending on how you look at it...
+	       * We're assuming, given that the last sequence number received,
+	       * TL < WINDOW_SIZE, that a largeer seq num is more likely to be
+	       * a packet that moves the window forward, than a packet that has
+	       * wrapped the high sequence again. If it were the latter then
+	       * we've lost close to 2^32 packets.
+	       */
+	      sa->seq_hi = th;
+	      return 0;
+	    }
 	}
       else
 	{
-	  sa->seq_hi = th;
-	  if (seq <= tl)
-	    return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
-	  else
-	    return 0;
+	  /*
+	   * the packet seq number is between the lower bound (a large nubmer)
+	   * and MAX_SEQ_NUM. This is in the window since the window upper bound
+	   * tl > 0.
+	   * However, since TL is the other side of 0 to the received
+	   * packet, the SA has moved on to a higher sequence number.
+	   */
+	  sa->seq_hi = th - 1;
+	  return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
 	}
     }
 
   return 0;
 }
 
+/*
+ * Anti replay window advance
+ *  inputs need to be in host byte order.
+ */
 always_inline void
-ipsec_sa_anti_replay_advance (ipsec_sa_t * sa, u32 seqp)
+ipsec_sa_anti_replay_advance (ipsec_sa_t * sa, u32 seq)
 {
-  u32 pos, seq;
+  u32 pos;
   if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
     return;
 
-  seq = clib_host_to_net_u32 (seqp);
   if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ESN))
     {
       int wrap = sa->seq_hi - sa->last_seq_hi;
@@ -357,6 +441,18 @@ ipsec_sa_anti_replay_advance (ipsec_sa_t * sa, u32 seqp)
     }
 }
 
+
+/*
+ * Makes choice for thread_id should be assigned.
+ *  if input ~0, gets random worker_id based on unix_time_now_nsec
+*/
+always_inline u32
+ipsec_sa_assign_thread (u32 thread_id)
+{
+  return ((thread_id) ? thread_id
+	  : (unix_time_now_nsec () % vlib_num_workers ()) + 1);
+}
+
 #endif /* __IPSEC_SPD_SA_H__ */
 
 /*