From: Damjan Marion
Date: Thu, 28 Mar 2019 09:58:59 +0000 (+0100)
Subject: ipsec: USE_EXTENDED_SEQ_NUM -> USE_ESN
X-Git-Tag: v19.04-rc1~101
X-Git-Url: https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commitdiff_plain;h=1e3aa5e213c23588981ee17d1413a0441a40527a
ipsec: USE_EXTENDED_SEQ_NUM -> USE_ESN
Change-Id: Ib828ea5106f3ae280e4ce233f2462dee363580b7
Signed-off-by: Damjan Marion
---
diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c
index 349f04c0f8c..47aff174e9e 100644
--- a/src/plugins/dpdk/ipsec/esp_decrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_decrypt.c
@@ -327,7 +327,7 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
 clib_memcpy_fast (aad, esp0, 8);
 /* _aad[3] should always be 0 */
- if (PREDICT_FALSE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0)))
+ if (PREDICT_FALSE (ipsec_sa_is_set_USE_ESN (sa0)))
 _aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
 else
 _aad[2] = 0;
@@ -336,7 +336,7 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
 {
 auth_len = sizeof (esp_header_t) + iv_size + payload_len;
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0))
+ if (ipsec_sa_is_set_USE_ESN (sa0))
 {
 clib_memcpy_fast (priv->icv, digest, trunc_size);
 u32 *_digest = (u32 *) digest;
diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c
index 25815d98748..908f846e315 100644
--- a/src/plugins/dpdk/ipsec/esp_encrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_encrypt.c
@@ -513,7 +513,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
 aad[1] = clib_host_to_net_u32 (sa0->seq);
 /* aad[3] should always be 0 */
- if (PREDICT_FALSE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0)))
+ if (PREDICT_FALSE (ipsec_sa_is_set_USE_ESN (sa0)))
 aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
 else
 aad[2] = 0;
@@ -522,7 +522,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
 {
 auth_len = vlib_buffer_get_tail (b0) - ((u8 *) esp0) - trunc_size;
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0))
+ if (ipsec_sa_is_set_USE_ESN (sa0))
 {
 u32 *_digest = (u32 *) digest;
 _digest[0] = clib_host_to_net_u32 (sa0->seq_hi);
diff --git a/src/plugins/dpdk/ipsec/ipsec.c b/src/plugins/dpdk/ipsec/ipsec.c
index cc06a4a87d5..682bcaf21c8 100644
--- a/src/plugins/dpdk/ipsec/ipsec.c
+++ b/src/plugins/dpdk/ipsec/ipsec.c
@@ -258,7 +258,7 @@ crypto_set_aead_xform (struct rte_crypto_sym_xform *xform,
 crypto_op_get_priv_offset () + offsetof (dpdk_op_priv_t, cb);
 xform->aead.iv.length = 12;
 xform->aead.digest_length = c->trunc_size;
- xform->aead.aad_length = ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa) ? 12 : 8;
+ xform->aead.aad_length = ipsec_sa_is_set_USE_ESN (sa) ? 12 : 8;
 xform->next = NULL;
 if (is_outbound)
diff --git a/src/vat/api_format.c b/src/vat/api_format.c
index 46974d2d299..bfc9e3cb644 100644
--- a/src/vat/api_format.c
+++ b/src/vat/api_format.c
@@ -15231,8 +15231,7 @@ static void vl_api_ipsec_sa_details_t_handler_json
 ntohl (mp->entry.integrity_algorithm));
 flags = ntohl (mp->entry.flags);
 vat_json_object_add_uint (node, "use_esn",
- ! !(flags &
- IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM));
+ ! !(flags & IPSEC_API_SAD_FLAG_USE_ESN));
 vat_json_object_add_uint (node, "use_anti_replay",
 ! !(flags & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY));
 vat_json_object_add_uint (node, "is_tunnel",
diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h
index cc12785aaa4..2f734aa05ce 100644
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -64,7 +64,7 @@ u8 *format_esp_header (u8 * s, va_list * args);
 always_inline int
 esp_seq_advance (ipsec_sa_t * sa)
 {
- if (PREDICT_TRUE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa)))
+ if (PREDICT_TRUE (ipsec_sa_is_set_USE_ESN (sa)))
 {
 if (PREDICT_FALSE (sa->seq == ESP_SEQ_MAX))
 {
@@ -104,7 +104,7 @@ hmac_calc (vlib_main_t * vm, ipsec_sa_t * sa, u8 * data, int data_len,
 op->dst = signature;
 op->hmac_trunc_len = sa->integ_trunc_size;
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa))
+ if (ipsec_sa_is_set_USE_ESN (sa))
 {
 u32 seq_hi = clib_host_to_net_u32 (sa->seq_hi);
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index c08ea7f6c10..fc1fe392f16 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -451,7 +451,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 op->len = payload_len - icv_sz + iv_sz + sizeof (esp_header_t);
 op->flags = 0;
 op->user_data = b - bufs;
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0))
+ if (ipsec_sa_is_set_USE_ESN (sa0))
 {
 u32 seq_hi = clib_net_to_host_u32 (sa0->seq_hi);
 clib_memcpy_fast (op->dst, &seq_hi, sizeof (seq_hi));
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index e6e1ce3667b..bc407f1d272 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -222,7 +222,7 @@ enum ipsec_sad_flags
 {
 IPSEC_API_SAD_FLAG_NONE = 0,
 /* Enable extended sequence numbers */
- IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM = 0x01,
+ IPSEC_API_SAD_FLAG_USE_ESN = 0x01,
 /* Enable Anti-replay */
 IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY = 0x02,
 /* IPsec tunnel mode if non-zero, else transport mode */
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index da175b2e5b9..4c7242da30a 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -320,8 +320,8 @@ ipsec_sad_flags_encode (const ipsec_sa_t * sa)
 {
 vl_api_ipsec_sad_flags_t flags = IPSEC_API_SAD_FLAG_NONE;
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa))
- flags |= IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM;
+ if (ipsec_sa_is_set_USE_ESN (sa))
+ flags |= IPSEC_API_SAD_FLAG_USE_ESN;
 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
 flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
 if (ipsec_sa_is_set_IS_TUNNEL (sa))
@@ -702,7 +702,7 @@ send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg,
 mp->salt = clib_host_to_net_u32 (sa->salt);
 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
- if (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa))
+ if (ipsec_sa_is_set_USE_ESN (sa))
 {
 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 1ad3a53c45b..dd99f780be6 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -261,7 +261,7 @@ format_ipsec_sa (u8 * s, va_list * args)
 sa->protocol ? "esp" : "ah",
 ipsec_sa_is_set_UDP_ENCAP (sa) ? " udp-encap-enabled" : "",
 ipsec_sa_is_set_USE_ANTI_REPLAY (sa) ? " anti-replay" : "",
- ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa) ?
+ ipsec_sa_is_set_USE_ESN (sa) ?
 " extended-sequence-number" : "");
 s = format (s, "\n seq %u seq-hi %u", sa->seq, sa->seq_hi);
 s = format (s, "\n last-seq %u last-seq-hi %u window %U",
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index af61178fbc8..7d6c725e539 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -290,7 +290,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
 if (args->udp_encap)
 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
 if (args->esn)
- flags |= IPSEC_SA_FLAG_USE_EXTENDED_SEQ_NUM;
+ flags |= IPSEC_SA_FLAG_USE_ESN;
 if (args->anti_replay)
 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 3d62395bd7c..eb21ecf81a4 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -155,8 +155,8 @@ ipsec_sa_add (u32 id,
 ip46_address_copy (&sa->tunnel_src_addr, tun_src);
 ip46_address_copy (&sa->tunnel_dst_addr, tun_dst);
- if (flags & IPSEC_SA_FLAG_USE_EXTENDED_SEQ_NUM)
- ipsec_sa_set_USE_EXTENDED_SEQ_NUM (sa);
+ if (flags & IPSEC_SA_FLAG_USE_ESN)
+ ipsec_sa_set_USE_ESN (sa);
 if (flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY)
 ipsec_sa_set_USE_ANTI_REPLAY (sa);
 if (flags & IPSEC_SA_FLAG_IS_TUNNEL)
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 44f9642ce47..94f1554112f 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -85,7 +85,7 @@ typedef struct ipsec_key_t_
 */
 #define foreach_ipsec_sa_flags \
 _ (0, NONE, "none") \
- _ (1, USE_EXTENDED_SEQ_NUM, "esn") \
+ _ (1, USE_ESN, "esn") \
 _ (2, USE_ANTI_REPLAY, "anti-replay") \
 _ (4, IS_TUNNEL, "tunnel") \
 _ (8, IS_TUNNEL_V6, "tunnel-v6") \
@@ -227,7 +227,7 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 * seqp)
 seq = clib_net_to_host_u32 (*seqp);
- if ((sa->flags & IPSEC_SA_FLAG_USE_EXTENDED_SEQ_NUM) == 0)
+ if ((sa->flags & IPSEC_SA_FLAG_USE_ESN) == 0)
 {
 if (PREDICT_TRUE (seq > sa->last_seq))
@@ -291,7 +291,7 @@ ipsec_sa_anti_replay_advance (ipsec_sa_t * sa, u32 * seqp)
 return;
 seq = clib_host_to_net_u32 (*seqp);
- if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_EXTENDED_SEQ_NUM))
+ if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ESN))
 {
 int wrap = sa->seq_hi - sa->last_seq_hi;
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 39db4ddc6f6..40e787eebb7 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -84,7 +84,7 @@ class IPsecIPv6Params(object):
 def config_tun_params(p, encryption_type, tun_if):
 ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
 use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
- IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM))
+ IPSEC_API_SAD_FLAG_USE_ESN))
 p.scapy_tun_sa = SecurityAssociation(
 encryption_type, spi=p.vpp_tun_spi,
 crypt_algo=p.crypt_algo, crypt_key=p.crypt_key,
@@ -107,7 +107,7 @@ def config_tun_params(p, encryption_type, tun_if):
 def config_tra_params(p, encryption_type):
 use_esn = p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
- IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM)
+ IPSEC_API_SAD_FLAG_USE_ESN)
 p.scapy_tra_sa = SecurityAssociation(
 encryption_type,
 spi=p.vpp_tra_spi,
diff --git a/test/test_ipsec_ah.py b/test/test_ipsec_ah.py
index af65850253c..0fb084199d8 100644
--- a/test/test_ipsec_ah.py
+++ b/test/test_ipsec_ah.py
@@ -243,7 +243,7 @@ class TestIpsecAh3(TemplateIpsecAh, IpsecTra46Tests, IpsecTun46Tests):
 self.ipv6_params.addr_type: self.ipv6_params}
 for _, p in self.params.items():
 p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
- IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM)
+ IPSEC_API_SAD_FLAG_USE_ESN)
 if __name__ == '__main__':
 unittest.main(testRunner=VppTestRunner)