FD.io VPP  v20.09-64-g4f7b92f0a
Vector Packet Processing
ipsec_sa.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <vnet/ipsec/ipsec.h>
17 #include <vnet/ipsec/esp.h>
18 #include <vnet/udp/udp.h>
19 #include <vnet/fib/fib_table.h>
21 #include <vnet/ipsec/ipsec_tun.h>
22 
23 /**
24  * @brief
25  * SA packet & bytes counters
26  */
27 vlib_combined_counter_main_t ipsec_sa_counters = {
28  .name = "SA",
29  .stat_segment_name = "/net/ipsec/sa",
30 };
31 
32 
33 static clib_error_t *
35  u32 sa_index, int is_add)
36 {
39  switch (sa->protocol)
40  {
41  case IPSEC_PROTOCOL_AH:
43  if (ab->add_del_sa_sess_cb)
44  return ab->add_del_sa_sess_cb (sa_index, is_add);
45  break;
46  case IPSEC_PROTOCOL_ESP:
48  if (eb->add_del_sa_sess_cb)
49  return eb->add_del_sa_sess_cb (sa_index, is_add);
50  break;
51  }
52  return 0;
53 }
54 
55 void
57 {
58  memset (key, 0, sizeof (*key));
59 
60  if (len > sizeof (key->data))
61  key->len = sizeof (key->data);
62  else
63  key->len = len;
64 
65  memcpy (key->data, data, key->len);
66 }
67 
68 /**
69  * 'stack' (resolve the recursion for) the SA tunnel destination
70  */
71 static void
73 {
74  ipsec_main_t *im = &ipsec_main;
76  dpo_id_t tmp = DPO_INVALID;
77 
78  fct =
79  fib_forw_chain_type_from_fib_proto ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
82 
84 
85  if (IPSEC_PROTOCOL_AH == sa->protocol)
86  dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
88  im->ah4_encrypt_node_index), &sa->dpo, &tmp);
89  else
90  dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
92  im->esp4_encrypt_node_index), &sa->dpo, &tmp);
93  dpo_reset (&tmp);
94 }
95 
96 void
98 {
99  ipsec_main_t *im = &ipsec_main;
100  sa->crypto_alg = crypto_alg;
101  sa->crypto_iv_size = im->crypto_algs[crypto_alg].iv_size;
102  sa->esp_block_align = clib_max (4, im->crypto_algs[crypto_alg].block_align);
103  sa->sync_op_data.crypto_enc_op_id = im->crypto_algs[crypto_alg].enc_op_id;
104  sa->sync_op_data.crypto_dec_op_id = im->crypto_algs[crypto_alg].dec_op_id;
105  sa->crypto_calg = im->crypto_algs[crypto_alg].alg;
108  if (IPSEC_CRYPTO_ALG_IS_GCM (crypto_alg))
109  {
110  sa->integ_icv_size = im->crypto_algs[crypto_alg].icv_size;
111  ipsec_sa_set_IS_AEAD (sa);
112  }
113 }
114 
115 void
117 {
118  ipsec_main_t *im = &ipsec_main;
119  sa->integ_alg = integ_alg;
122  sa->integ_calg = im->integ_algs[integ_alg].alg;
124 }
125 
126 void
128 {
129  /* *INDENT-OFF* */
130  if (ipsec_sa_is_set_USE_ESN (sa))
131  {
132 #define _(n, s, k) \
133  if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##n##_ENC ) \
134  sa->async_op_data.crypto_async_enc_op_id = \
135  VNET_CRYPTO_OP_##n##_TAG16_AAD12_ENC; \
136  if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##n##_DEC ) \
137  sa->async_op_data.crypto_async_dec_op_id = \
138  VNET_CRYPTO_OP_##n##_TAG16_AAD12_DEC;
140 #undef _
141  }
142  else
143  {
144 #define _(n, s, k) \
145  if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##n##_ENC ) \
146  sa->async_op_data.crypto_async_enc_op_id = \
147  VNET_CRYPTO_OP_##n##_TAG16_AAD8_ENC; \
148  if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##n##_DEC ) \
149  sa->async_op_data.crypto_async_dec_op_id = \
150  VNET_CRYPTO_OP_##n##_TAG16_AAD8_DEC;
152 #undef _
153  }
154 
155 #define _(c, h, s, k ,d) \
156  if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##c##_ENC && \
157  sa->sync_op_data.integ_op_id == VNET_CRYPTO_OP_##h##_HMAC) \
158  sa->async_op_data.crypto_async_enc_op_id = \
159  VNET_CRYPTO_OP_##c##_##h##_TAG##d##_ENC; \
160  if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##c##_DEC && \
161  sa->sync_op_data.integ_op_id == VNET_CRYPTO_OP_##h##_HMAC) \
162  sa->async_op_data.crypto_async_dec_op_id = \
163  VNET_CRYPTO_OP_##c##_##h##_TAG##d##_DEC;
165 #undef _
166  /* *INDENT-ON* */
167 }
168 
169 int
171  u32 spi,
173  ipsec_crypto_alg_t crypto_alg,
174  const ipsec_key_t * ck,
176  const ipsec_key_t * ik,
179  u32 salt,
180  const ip46_address_t * tun_src,
181  const ip46_address_t * tun_dst, u32 * sa_out_index,
183 {
185  ipsec_main_t *im = &ipsec_main;
186  clib_error_t *err;
187  ipsec_sa_t *sa;
188  u32 sa_index;
189  uword *p;
190 
191  p = hash_get (im->sa_index_by_sa_id, id);
192  if (p)
193  return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
194 
196 
198  fib_node_lock (&sa->node);
199  sa_index = sa - im->sad;
200 
201  vlib_validate_combined_counter (&ipsec_sa_counters, sa_index);
202  vlib_zero_combined_counter (&ipsec_sa_counters, sa_index);
203 
204  sa->id = id;
205  sa->spi = spi;
206  sa->stat_index = sa_index;
207  sa->protocol = proto;
208  sa->flags = flags;
209  sa->salt = salt;
210  sa->encrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
211  sa->decrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
212  if (integ_alg != IPSEC_INTEG_ALG_NONE)
213  {
214  ipsec_sa_set_integ_alg (sa, integ_alg);
215  clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key));
216  }
217  ipsec_sa_set_crypto_alg (sa, crypto_alg);
219 
220  clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
221  ip46_address_copy (&sa->tunnel_src_addr, tun_src);
222  ip46_address_copy (&sa->tunnel_dst_addr, tun_dst);
223 
225  im->crypto_algs[crypto_alg].alg,
226  (u8 *) ck->data, ck->len);
227  if (~0 == sa->crypto_key_index)
228  {
229  pool_put (im->sad, sa);
230  return VNET_API_ERROR_KEY_LENGTH;
231  }
232 
233  if (integ_alg != IPSEC_INTEG_ALG_NONE)
234  {
236  im->
237  integ_algs[integ_alg].alg,
238  (u8 *) ik->data, ik->len);
239  if (~0 == sa->integ_key_index)
240  {
241  pool_put (im->sad, sa);
242  return VNET_API_ERROR_KEY_LENGTH;
243  }
244  }
245 
247  !ipsec_sa_is_set_IS_AEAD (sa))
248  { //AES-CBC & HMAC
251  sa->integ_key_index);
252  }
253 
254  if (im->async_mode)
256  else
257  sa->crypto_op_data = sa->sync_op_data.data;
258 
259  err = ipsec_check_support_cb (im, sa);
260  if (err)
261  {
262  clib_warning ("%s", err->what);
263  pool_put (im->sad, sa);
264  return VNET_API_ERROR_UNIMPLEMENTED;
265  }
266 
267  err = ipsec_call_add_del_callbacks (im, sa, sa_index, 1);
268  if (err)
269  {
270  pool_put (im->sad, sa);
271  return VNET_API_ERROR_SYSCALL_ERROR_1;
272  }
273 
274  if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
275  {
276  fib_protocol_t fproto = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
278  fib_prefix_t pfx = {
279  .fp_addr = sa->tunnel_dst_addr,
280  .fp_len = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? 128 : 32),
281  .fp_proto = fproto,
282  };
283  sa->tx_fib_index = fib_table_find (fproto, tx_table_id);
284  if (sa->tx_fib_index == ~((u32) 0))
285  {
286  pool_put (im->sad, sa);
287  return VNET_API_ERROR_NO_SUCH_FIB;
288  }
289 
291  &pfx,
293  sa_index, &sa->sibling);
294  ipsec_sa_stack (sa);
295 
296  /* generate header templates */
297  if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
298  {
300  sa->ip6_hdr.hop_limit = 254;
301  sa->ip6_hdr.src_address.as_u64[0] =
302  sa->tunnel_src_addr.ip6.as_u64[0];
303  sa->ip6_hdr.src_address.as_u64[1] =
304  sa->tunnel_src_addr.ip6.as_u64[1];
305  sa->ip6_hdr.dst_address.as_u64[0] =
306  sa->tunnel_dst_addr.ip6.as_u64[0];
307  sa->ip6_hdr.dst_address.as_u64[1] =
308  sa->tunnel_dst_addr.ip6.as_u64[1];
309  if (ipsec_sa_is_set_UDP_ENCAP (sa))
310  sa->ip6_hdr.protocol = IP_PROTOCOL_UDP;
311  else
312  sa->ip6_hdr.protocol = IP_PROTOCOL_IPSEC_ESP;
313  }
314  else
315  {
317  sa->ip4_hdr.ttl = 254;
318  sa->ip4_hdr.src_address.as_u32 = sa->tunnel_src_addr.ip4.as_u32;
319  sa->ip4_hdr.dst_address.as_u32 = sa->tunnel_dst_addr.ip4.as_u32;
320 
321  if (ipsec_sa_is_set_UDP_ENCAP (sa))
322  sa->ip4_hdr.protocol = IP_PROTOCOL_UDP;
323  else
324  sa->ip4_hdr.protocol = IP_PROTOCOL_IPSEC_ESP;
326  }
327  }
328 
329  if (ipsec_sa_is_set_UDP_ENCAP (sa))
330  {
331  if (dst_port == IPSEC_UDP_PORT_NONE)
332  sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
333  else
334  sa->udp_hdr.dst_port = clib_host_to_net_u16 (dst_port);
335 
336  if (src_port == IPSEC_UDP_PORT_NONE)
337  sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
338  else
339  sa->udp_hdr.src_port = clib_host_to_net_u16 (src_port);
340 
341  if (ipsec_sa_is_set_IS_INBOUND (sa))
342  ipsec_register_udp_port (clib_host_to_net_u16 (sa->udp_hdr.dst_port));
343  }
344 
345  hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
346 
347  if (sa_out_index)
348  *sa_out_index = sa_index;
349 
350  return (0);
351 }
352 
353 static void
355 {
357  ipsec_main_t *im = &ipsec_main;
358  u32 sa_index;
359 
360  sa_index = sa - im->sad;
361  hash_unset (im->sa_index_by_sa_id, sa->id);
362 
363  /* no recovery possible when deleting an SA */
364  (void) ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
365 
366  if (ipsec_sa_is_set_UDP_ENCAP (sa) && ipsec_sa_is_set_IS_INBOUND (sa))
367  ipsec_unregister_udp_port (clib_net_to_host_u16 (sa->udp_hdr.dst_port));
368 
369  if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
370  {
372  dpo_reset (&sa->dpo);
373  }
375  if (sa->integ_alg != IPSEC_INTEG_ALG_NONE)
377  pool_put (im->sad, sa);
378 }
379 
380 void
382 {
383  ipsec_main_t *im = &ipsec_main;
384  ipsec_sa_t *sa;
385 
386  if (INDEX_INVALID == sai)
387  return;
388 
389  sa = pool_elt_at_index (im->sad, sai);
390 
391  fib_node_unlock (&sa->node);
392 }
393 
394 void
396 {
397  ipsec_main_t *im = &ipsec_main;
398  ipsec_sa_t *sa;
399 
400  if (INDEX_INVALID == sai)
401  return;
402 
403  sa = pool_elt_at_index (im->sad, sai);
404 
405  fib_node_lock (&sa->node);
406 }
407 
408 index_t
410 {
411  ipsec_main_t *im = &ipsec_main;
412  ipsec_sa_t *sa;
413  uword *p;
414 
415  p = hash_get (im->sa_index_by_sa_id, id);
416 
417  if (!p)
418  return INDEX_INVALID;
419 
420  sa = pool_elt_at_index (im->sad, p[0]);
421 
422  fib_node_lock (&sa->node);
423 
424  return (p[0]);
425 }
426 
427 int
429 {
430  ipsec_main_t *im = &ipsec_main;
431  uword *p;
432 
433  p = hash_get (im->sa_index_by_sa_id, id);
434 
435  if (!p)
436  return VNET_API_ERROR_NO_SUCH_ENTRY;
437 
438  ipsec_sa_unlock (p[0]);
439 
440  return (0);
441 }
442 
443 void
445 {
446  vlib_zero_combined_counter (&ipsec_sa_counters, sai);
447 }
448 
449 void
451 {
452  ipsec_main_t *im = &ipsec_main;
453  ipsec_sa_t *sa;
454 
455  /* *INDENT-OFF* */
456  pool_foreach (sa, im->sad,
457  ({
458  if (WALK_CONTINUE != cb(sa, ctx))
459  break;
460  }));
461  /* *INDENT-ON* */
462 }
463 
464 /**
465  * Function definition to get a FIB node from its index
466  */
467 static fib_node_t *
469 {
470  ipsec_main_t *im;
471  ipsec_sa_t *sa;
472 
473  im = &ipsec_main;
474  sa = pool_elt_at_index (im->sad, index);
475 
476  return (&sa->node);
477 }
478 
479 static ipsec_sa_t *
481 {
483  return ((ipsec_sa_t *) (((char *) node) -
484  STRUCT_OFFSET_OF (ipsec_sa_t, node)));
485 
486 }
487 
488 /**
489  * Function definition to inform the FIB node that its last lock has gone.
490  */
491 static void
493 {
494  /*
495  * The ipsec SA is a root of the graph. As such
496  * it never has children and thus is never locked.
497  */
499 }
500 
501 /**
502  * Function definition to backwalk a FIB node
503  */
506 {
508 
510 }
511 
512 /*
513  * Virtual function table registered by SAs
514  * for participation in the FIB object graph.
515  */
516 const static fib_node_vft_t ipsec_sa_vft = {
518  .fnv_last_lock = ipsec_sa_last_lock_gone,
519  .fnv_back_walk = ipsec_sa_back_walk,
520 };
521 
522 /* force inclusion from application's main.c */
523 clib_error_t *
525 {
527 
528  return 0;
529 }
530 
532 
533 /*
534  * fd.io coding-style-patch-verification: ON
535  *
536  * Local Variables:
537  * eval: (c-set-style "gnu")
538  * End:
539  */
void dpo_stack_from_node(u32 child_node_index, dpo_id_t *dpo, const dpo_id_t *parent)
Stack one DPO object on another, and thus establish a child parent relationship.
Definition: dpo.c:531
union ipsec_sa_t::@433 sync_op_data
fib_node_index_t fib_entry_track(u32 fib_index, const fib_prefix_t *prefix, fib_node_type_t child_type, index_t child_index, u32 *sibling)
Trackers are used on FIB entries by objects that which to track the changing state of the entry...
static void ipsec_sa_last_lock_gone(fib_node_t *node)
Function definition to inform the FIB node that its last lock has gone.
Definition: ipsec_sa.c:492
union ipsec_sa_t::@434 async_op_data
fib_node_t node
Definition: ipsec_sa.h:162
#define hash_set(h, key, value)
Definition: hash.h:255
ipsec_main_crypto_alg_t * crypto_algs
Definition: ipsec.h:179
#define foreach_crypto_link_async_alg
Definition: crypto.h:87
ip46_address_t tunnel_src_addr
Definition: ipsec_sa.h:175
void vlib_validate_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
validate a combined counter
Definition: counter.c:108
#define hash_unset(h, key)
Definition: hash.h:261
vl_api_wireguard_peer_flags_t flags
Definition: wireguard.api:103
ip4_address_t src_address
Definition: ip4_packet.h:125
void ipsec_unregister_udp_port(u16 port)
Definition: ipsec.c:139
void fib_node_init(fib_node_t *node, fib_node_type_t type)
Definition: fib_node.c:185
ipsec_integ_alg_t
Definition: ipsec_sa.h:59
vl_api_ip_port_and_mask_t dst_port
Definition: flow_types.api:92
enum fib_node_back_walk_rc_t_ fib_node_back_walk_rc_t
Return code from a back walk function.
void fib_entry_contribute_forwarding(fib_node_index_t fib_entry_index, fib_forward_chain_type_t fct, dpo_id_t *dpo)
Definition: fib_entry.c:437
ipsec_key_t crypto_key
Definition: ipsec_sa.h:168
static void ipsec_sa_del(ipsec_sa_t *sa)
Definition: ipsec_sa.c:354
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:171
void ipsec_sa_lock(index_t sai)
Definition: ipsec_sa.c:395
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
Definition: dpo.h:41
ipsec_protocol_t
Definition: ipsec_sa.h:67
void ipsec_sa_clear(index_t sai)
Definition: ipsec_sa.c:444
u32 tx_table_id
#define STRUCT_OFFSET_OF(t, f)
Definition: clib.h:70
vlib_main_t * vm
Definition: in2out_ed.c:1582
u32 ah_current_backend
Definition: ipsec.h:170
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index, u16 src_port, u16 dst_port)
Definition: ipsec_sa.c:170
u32 esp_current_backend
Definition: ipsec.h:172
vnet_crypto_op_id_t integ_op_id
Definition: ipsec_sa.h:139
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
Definition: ipsec_sa.c:56
ip6_address_t src_address
Definition: ip6_packet.h:310
unsigned char u8
Definition: types.h:56
u8 data[128]
Definition: ipsec_types.api:89
enum fib_protocol_t_ fib_protocol_t
Protocol Type.
u8 id[64]
Definition: dhcp.api:160
void fib_node_register_type(fib_node_type_t type, const fib_node_vft_t *vft)
fib_node_register_type
Definition: fib_node.c:60
#define clib_memcpy(d, s, n)
Definition: string.h:180
vnet_crypto_key_index_t linked_key_index
Definition: ipsec_sa.h:146
vnet_crypto_alg_t alg
Definition: ipsec.h:88
vnet_crypto_key_index_t crypto_key_index
Definition: ipsec_sa.h:128
walk_rc_t(* ipsec_sa_walk_cb_t)(ipsec_sa_t *sa, void *ctx)
Definition: ipsec_sa.h:264
static ipsec_sa_t * ipsec_sa_from_fib_node(fib_node_t *node)
Definition: ipsec_sa.c:480
void ipsec_sa_walk(ipsec_sa_walk_cb_t cb, void *ctx)
Definition: ipsec_sa.c:450
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:513
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:173
#define foreach_crypto_aead_alg
Definition: crypto.h:35
ipsec_main_t ipsec_main
Definition: ipsec.c:28
ip4_address_t dst_address
Definition: ip4_packet.h:125
void ipsec_register_udp_port(u16 port)
Definition: ipsec.c:164
u32 esp6_encrypt_node_index
Definition: ipsec.h:139
Aggregate type for a prefix.
Definition: fib_types.h:203
int ipsec_sa_unlock_id(u32 id)
Definition: ipsec_sa.c:428
u32 salt
unsigned int u32
Definition: types.h:88
#define IPSEC_CRYPTO_ALG_IS_GCM(_alg)
Definition: ipsec_sa.h:45
u32 fib_table_find(fib_protocol_t proto, u32 table_id)
Get the index of the FIB for a Table-ID.
Definition: fib_table.c:1097
ipsec_sa_flags_t flags
Definition: ipsec_sa.h:113
u32 vnet_crypto_key_add(vlib_main_t *vm, vnet_crypto_alg_t alg, u8 *data, u16 length)
Definition: crypto.c:345
u32 stat_index
Definition: ipsec_sa.h:164
The identity of a DPO is a combination of its type and its instance number/index of objects of that t...
Definition: dpo.h:170
#define ESP_MAX_IV_SIZE
Definition: esp.h:77
#define hash_get(h, key)
Definition: hash.h:249
u32 encrypt_thread_index
Definition: ipsec_sa.h:118
u32 tx_fib_index
Definition: ipsec_sa.h:181
#define ESP_MAX_ICV_SIZE
Definition: esp.h:78
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:534
static void vlib_zero_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
Clear a combined counter Clears the set of per-thread counters.
Definition: counter.h:285
static_always_inline void ip46_address_copy(ip46_address_t *dst, const ip46_address_t *src)
Definition: ip46_address.h:123
index_t ipsec_sa_find_and_lock(u32 id)
Definition: ipsec_sa.c:409
u8 integ_alg
Definition: ikev2_types.api:59
ip46_address_t fp_addr
The address type is not deriveable from the fp_addr member.
Definition: fib_types.h:226
vl_api_ip_proto_t proto
Definition: acl_types.api:50
void fib_node_lock(fib_node_t *node)
Definition: fib_node.c:203
long ctx[MAX_CONNS]
Definition: main.c:144
u32 esp4_encrypt_node_index
Definition: ipsec.h:133
u32 salt
Definition: ipsec_sa.h:184
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
Definition: ipsec.c:91
vnet_crypto_op_id_t enc_op_id
Definition: ipsec.h:77
unsigned short u16
Definition: types.h:57
void vnet_crypto_key_del(vlib_main_t *vm, vnet_crypto_key_index_t index)
Definition: crypto.c:371
fib_node_index_t fib_entry_index
Definition: ipsec_sa.h:178
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:302
static clib_error_t * ipsec_call_add_del_callbacks(ipsec_main_t *im, ipsec_sa_t *sa, u32 sa_index, int is_add)
Definition: ipsec_sa.c:34
#define pool_get_aligned_zero(P, E, A)
Allocate an object E from a pool P with alignment A and zero it.
Definition: pool.h:249
fib_node_type_t fn_type
The node&#39;s type.
Definition: fib_node.h:299
An node in the FIB graph.
Definition: fib_node.h:295
void fib_node_unlock(fib_node_t *node)
Definition: fib_node.c:209
u8 len
Definition: ip_types.api:92
ip46_address_t tunnel_dst_addr
Definition: ipsec_sa.h:176
vl_api_ip_port_and_mask_t src_port
Definition: flow_types.api:91
void ipsec_sa_set_integ_alg(ipsec_sa_t *sa, ipsec_integ_alg_t integ_alg)
Definition: ipsec_sa.c:116
u8 esp_block_align
Definition: ipsec_sa.h:116
ipsec_ah_backend_t * ah_backends
Definition: ipsec.h:166
static fib_node_t * ipsec_sa_fib_node_get(fib_node_index_t index)
Function definition to get a FIB node from its index.
Definition: ipsec_sa.c:468
void ipsec_sa_set_async_op_ids(ipsec_sa_t *sa)
Definition: ipsec_sa.c:127
static fib_node_back_walk_rc_t ipsec_sa_back_walk(fib_node_t *node, fib_node_back_walk_ctx_t *ctx)
Function definition to backwalk a FIB node.
Definition: ipsec_sa.c:505
u64 data
Definition: ipsec_sa.h:195
#define clib_warning(format, args...)
Definition: error.h:59
fib_node_get_t fnv_get
Definition: fib_node.h:283
udp_header_t udp_hdr
Definition: ipsec_sa.h:160
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
uword * sa_index_by_sa_id
Definition: ipsec.h:123
u32 spi
Definition: flow_types.api:140
u32 fib_node_index_t
A typedef of a node index.
Definition: fib_types.h:30
#define ESP_MAX_BLOCK_SIZE
Definition: esp.h:76
vlib_main_t vlib_node_runtime_t * node
Definition: in2out_ed.c:1582
void ipsec_sa_unlock(index_t sai)
Definition: ipsec_sa.c:381
Context passed between object during a back walk.
Definition: fib_node.h:208
void ipsec_sa_set_crypto_alg(ipsec_sa_t *sa, ipsec_crypto_alg_t crypto_alg)
Definition: ipsec_sa.c:97
u8 data[IPSEC_KEY_MAX_LEN]
Definition: ipsec_sa.h:77
vnet_crypto_op_id_t op_id
Definition: ipsec.h:87
#define ASSERT(truth)
void fib_entry_untrack(fib_node_index_t fei, u32 sibling)
Stop tracking a FIB entry.
u32 ah4_encrypt_node_index
Definition: ipsec.h:137
ipsec_main_integ_alg_t * integ_algs
Definition: ipsec.h:182
u64 crypto_op_data
Definition: ipsec_sa.h:149
ip6_header_t ip6_hdr
Definition: ipsec_sa.h:158
ipsec_sa_t * sad
Definition: ipsec.h:107
enum fib_forward_chain_type_t_ fib_forward_chain_type_t
FIB output chain type.
static void ipsec_sa_stack(ipsec_sa_t *sa)
&#39;stack&#39; (resolve the recursion for) the SA tunnel destination
Definition: ipsec_sa.c:72
ipsec_protocol_t protocol
Definition: ipsec_sa.h:165
u32 sibling
Definition: ipsec_sa.h:179
vnet_crypto_key_index_t integ_key_index
Definition: ipsec_sa.h:129
vnet_crypto_alg_t integ_calg
Definition: ipsec_sa.h:173
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:54
vnet_crypto_op_id_t dec_op_id
Definition: ipsec.h:78
#define clib_max(x, y)
Definition: clib.h:320
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:23
vnet_crypto_alg_t crypto_calg
Definition: ipsec_sa.h:169
typedef key
Definition: ipsec_types.api:85
u32 vnet_crypto_key_add_linked(vlib_main_t *vm, vnet_crypto_key_index_t index_crypto, vnet_crypto_key_index_t index_integ)
Use 2 created keys to generate new key for linked algs (cipher + integ) The returned key index is to ...
Definition: crypto.c:410
u32 ip_version_traffic_class_and_flow_label
Definition: ip6_packet.h:297
u32 ah6_encrypt_node_index
Definition: ipsec.h:143
#define INDEX_INVALID
Invalid index - used when no index is known blazoned capitals INVALID speak volumes where ~0 does not...
Definition: dpo.h:47
u64 uword
Definition: types.h:112
ipsec_crypto_alg_t
Definition: ipsec_sa.h:37
#define DPO_INVALID
An initialiser for DPOs declared on the stack.
Definition: dpo.h:197
char * name
The counter collection&#39;s name.
Definition: counter.h:193
u32 index
Definition: flow_types.api:221
vnet_crypto_op_id_t crypto_enc_op_id
Definition: ipsec_sa.h:137
A collection of combined counters.
Definition: counter.h:188
A FIB graph nodes virtual function table.
Definition: fib_node.h:282
dpo_id_t dpo
Definition: ipsec_sa.h:126
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:167
vnet_crypto_async_op_id_t crypto_async_enc_op_id
Definition: ipsec_sa.h:144
ip4_header_t ip4_hdr
Definition: ipsec_sa.h:157
static u32 vlib_num_workers()
Definition: threads.h:377
void dpo_reset(dpo_id_t *dpo)
reset a DPO ID The DPO will be unlocked.
Definition: dpo.c:232
clib_error_t * ipsec_sa_interface_init(vlib_main_t *vm)
Definition: ipsec_sa.c:524
vnet_crypto_alg_t alg
Definition: ipsec.h:79
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:37
u8 ip_version_and_header_length
Definition: ip4_packet.h:93
ipsec_esp_backend_t * esp_backends
Definition: ipsec.h:168
u8 crypto_iv_size
Definition: ipsec_sa.h:115
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
ipsec_key_t integ_key
Definition: ipsec_sa.h:172
u8 async_mode
Definition: ipsec.h:202
vnet_crypto_op_id_t crypto_dec_op_id
Definition: ipsec_sa.h:138
u8 integ_icv_size
Definition: ipsec_sa.h:117
#define IPSEC_UDP_PORT_NONE
Definition: ipsec_sa.h:277
static u16 ip4_header_checksum(ip4_header_t *i)
Definition: ip4_packet.h:314
u32 decrypt_thread_index
Definition: ipsec_sa.h:119
fib_forward_chain_type_t fib_forw_chain_type_from_fib_proto(fib_protocol_t proto)
Convert from a fib-protocol to a chain type.
Definition: fib_types.c:430
ip6_address_t dst_address
Definition: ip6_packet.h:310