FD.io VPP  v21.06-3-gbb25fbf28
Vector Packet Processing
ipsec_sa.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <vnet/ipsec/ipsec.h>
17 #include <vnet/ipsec/esp.h>
18 #include <vnet/udp/udp_local.h>
19 #include <vnet/fib/fib_table.h>
21 #include <vnet/ipsec/ipsec_tun.h>
22 
23 /**
24  * @brief
25  * SA packet & bytes counters
26  */
28  .name = "SA",
29  .stat_segment_name = "/net/ipsec/sa",
30 };
31 
33 
34 static clib_error_t *
36  u32 sa_index, int is_add)
37 {
40  switch (sa->protocol)
41  {
42  case IPSEC_PROTOCOL_AH:
43  ab = pool_elt_at_index (im->ah_backends, im->ah_current_backend);
44  if (ab->add_del_sa_sess_cb)
45  return ab->add_del_sa_sess_cb (sa_index, is_add);
46  break;
47  case IPSEC_PROTOCOL_ESP:
48  eb = pool_elt_at_index (im->esp_backends, im->esp_current_backend);
49  if (eb->add_del_sa_sess_cb)
50  return eb->add_del_sa_sess_cb (sa_index, is_add);
51  break;
52  }
53  return 0;
54 }
55 
56 void
58 {
59  memset (key, 0, sizeof (*key));
60 
61  if (len > sizeof (key->data))
62  key->len = sizeof (key->data);
63  else
64  key->len = len;
65 
66  memcpy (key->data, data, key->len);
67 }
68 
69 /**
70  * 'stack' (resolve the recursion for) the SA tunnel destination
71  */
72 static void
74 {
77 
79 
80  if (IPSEC_PROTOCOL_AH == sa->protocol)
81  dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
82  im->ah6_encrypt_node_index :
83  im->ah4_encrypt_node_index), &sa->dpo, &tmp);
84  else
85  dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
86  im->esp6_encrypt_node_index :
87  im->esp4_encrypt_node_index), &sa->dpo, &tmp);
88  dpo_reset (&tmp);
89 }
90 
91 void
92 ipsec_sa_set_crypto_alg (ipsec_sa_t * sa, ipsec_crypto_alg_t crypto_alg)
93 {
95  sa->crypto_alg = crypto_alg;
96  sa->crypto_iv_size = im->crypto_algs[crypto_alg].iv_size;
97  sa->esp_block_align = clib_max (4, im->crypto_algs[crypto_alg].block_align);
98  sa->sync_op_data.crypto_enc_op_id = im->crypto_algs[crypto_alg].enc_op_id;
99  sa->sync_op_data.crypto_dec_op_id = im->crypto_algs[crypto_alg].dec_op_id;
100  sa->crypto_calg = im->crypto_algs[crypto_alg].alg;
103  if (IPSEC_CRYPTO_ALG_IS_GCM (crypto_alg))
104  {
105  sa->integ_icv_size = im->crypto_algs[crypto_alg].icv_size;
106  ipsec_sa_set_IS_CTR (sa);
107  ipsec_sa_set_IS_AEAD (sa);
108  }
109  else if (IPSEC_CRYPTO_ALG_IS_CTR (crypto_alg))
110  {
111  ipsec_sa_set_IS_CTR (sa);
112  }
113 }
114 
115 void
116 ipsec_sa_set_integ_alg (ipsec_sa_t * sa, ipsec_integ_alg_t integ_alg)
117 {
119  sa->integ_alg = integ_alg;
120  sa->integ_icv_size = im->integ_algs[integ_alg].icv_size;
121  sa->sync_op_data.integ_op_id = im->integ_algs[integ_alg].op_id;
122  sa->integ_calg = im->integ_algs[integ_alg].alg;
124 }
125 
126 void
128 {
129  /* *INDENT-OFF* */
130  if (ipsec_sa_is_set_USE_ESN (sa))
131  {
132 #define _(n, s, k) \
133  if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##n##_ENC ) \
134  sa->async_op_data.crypto_async_enc_op_id = \
135  VNET_CRYPTO_OP_##n##_TAG16_AAD12_ENC; \
136  if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##n##_DEC ) \
137  sa->async_op_data.crypto_async_dec_op_id = \
138  VNET_CRYPTO_OP_##n##_TAG16_AAD12_DEC;
140 #undef _
141  }
142  else
143  {
144 #define _(n, s, k) \
145  if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##n##_ENC ) \
146  sa->async_op_data.crypto_async_enc_op_id = \
147  VNET_CRYPTO_OP_##n##_TAG16_AAD8_ENC; \
148  if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##n##_DEC ) \
149  sa->async_op_data.crypto_async_dec_op_id = \
150  VNET_CRYPTO_OP_##n##_TAG16_AAD8_DEC;
152 #undef _
153  }
154 
155 #define _(c, h, s, k ,d) \
156  if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##c##_ENC && \
157  sa->sync_op_data.integ_op_id == VNET_CRYPTO_OP_##h##_HMAC) \
158  sa->async_op_data.crypto_async_enc_op_id = \
159  VNET_CRYPTO_OP_##c##_##h##_TAG##d##_ENC; \
160  if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##c##_DEC && \
161  sa->sync_op_data.integ_op_id == VNET_CRYPTO_OP_##h##_HMAC) \
162  sa->async_op_data.crypto_async_dec_op_id = \
163  VNET_CRYPTO_OP_##c##_##h##_TAG##d##_DEC;
165 #undef _
166  /* *INDENT-ON* */
167 }
168 
169 int
170 ipsec_sa_add_and_lock (u32 id, u32 spi, ipsec_protocol_t proto,
171  ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck,
172  ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik,
174  u16 dst_port, const tunnel_t *tun, u32 *sa_out_index)
175 {
178  clib_error_t *err;
179  ipsec_sa_t *sa;
180  u32 sa_index;
181  uword *p;
182  int rv;
183 
184  p = hash_get (im->sa_index_by_sa_id, id);
185  if (p)
186  return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
187 
189 
191  fib_node_lock (&sa->node);
192  sa_index = sa - ipsec_sa_pool;
193 
196 
197  tunnel_copy (tun, &sa->tunnel);
198  sa->id = id;
199  sa->spi = spi;
200  sa->stat_index = sa_index;
201  sa->protocol = proto;
202  sa->flags = flags;
203  sa->salt = salt;
204  sa->thread_index = (vlib_num_workers ()) ? ~0 : 0;
205  if (integ_alg != IPSEC_INTEG_ALG_NONE)
206  {
208  clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key));
209  }
210  ipsec_sa_set_crypto_alg (sa, crypto_alg);
212 
213  clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
214 
216  im->crypto_algs[crypto_alg].alg,
217  (u8 *) ck->data, ck->len);
218  if (~0 == sa->crypto_key_index)
219  {
220  pool_put (ipsec_sa_pool, sa);
221  return VNET_API_ERROR_KEY_LENGTH;
222  }
223 
224  if (integ_alg != IPSEC_INTEG_ALG_NONE)
225  {
227  im->
228  integ_algs[integ_alg].alg,
229  (u8 *) ik->data, ik->len);
230  if (~0 == sa->integ_key_index)
231  {
232  pool_put (ipsec_sa_pool, sa);
233  return VNET_API_ERROR_KEY_LENGTH;
234  }
235  }
236 
238  !ipsec_sa_is_set_IS_AEAD (sa))
239  { //AES-CBC & HMAC
242  sa->integ_key_index);
243  }
244 
245  if (im->async_mode)
247  else
248  {
249  if (ipsec_sa_is_set_IS_ASYNC (sa))
250  {
253  }
254  else
255  sa->crypto_op_data = sa->sync_op_data.data;
256  }
257 
258  err = ipsec_check_support_cb (im, sa);
259  if (err)
260  {
261  clib_warning ("%s", err->what);
262  pool_put (ipsec_sa_pool, sa);
263  return VNET_API_ERROR_UNIMPLEMENTED;
264  }
265 
266  err = ipsec_call_add_del_callbacks (im, sa, sa_index, 1);
267  if (err)
268  {
269  pool_put (ipsec_sa_pool, sa);
270  return VNET_API_ERROR_SYSCALL_ERROR_1;
271  }
272 
273  if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
274  {
276 
277  rv = tunnel_resolve (&sa->tunnel, FIB_NODE_TYPE_IPSEC_SA, sa_index);
278 
279  if (rv)
280  {
281  pool_put (ipsec_sa_pool, sa);
282  return rv;
283  }
284  ipsec_sa_stack (sa);
285 
286  /* generate header templates */
287  if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
288  {
290  (ipsec_sa_is_set_UDP_ENCAP (sa) ?
291  IP_PROTOCOL_UDP :
292  IP_PROTOCOL_IPSEC_ESP),
293  &sa->ip6_hdr);
294  }
295  else
296  {
298  (ipsec_sa_is_set_UDP_ENCAP (sa) ?
299  IP_PROTOCOL_UDP :
300  IP_PROTOCOL_IPSEC_ESP),
301  &sa->ip4_hdr);
302  }
303  }
304 
305  if (ipsec_sa_is_set_UDP_ENCAP (sa))
306  {
308  sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
309  else
310  sa->udp_hdr.dst_port = clib_host_to_net_u16 (dst_port);
311 
313  sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
314  else
315  sa->udp_hdr.src_port = clib_host_to_net_u16 (src_port);
316 
317  if (ipsec_sa_is_set_IS_INBOUND (sa))
318  ipsec_register_udp_port (clib_host_to_net_u16 (sa->udp_hdr.dst_port));
319  }
320 
321  hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
322 
323  if (sa_out_index)
324  *sa_out_index = sa_index;
325 
326  return (0);
327 }
328 
329 static void
331 {
334  u32 sa_index;
335 
336  sa_index = sa - ipsec_sa_pool;
337  hash_unset (im->sa_index_by_sa_id, sa->id);
338  tunnel_unresolve (&sa->tunnel);
339 
340  /* no recovery possible when deleting an SA */
341  (void) ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
342 
343  if (ipsec_sa_is_set_IS_ASYNC (sa))
345  if (ipsec_sa_is_set_UDP_ENCAP (sa) && ipsec_sa_is_set_IS_INBOUND (sa))
346  ipsec_unregister_udp_port (clib_net_to_host_u16 (sa->udp_hdr.dst_port));
347 
348  if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
349  dpo_reset (&sa->dpo);
351  if (sa->integ_alg != IPSEC_INTEG_ALG_NONE)
353  pool_put (ipsec_sa_pool, sa);
354 }
355 
356 void
358 {
359  ipsec_sa_t *sa;
360 
361  if (INDEX_INVALID == sai)
362  return;
363 
364  sa = ipsec_sa_get (sai);
365 
366  fib_node_unlock (&sa->node);
367 }
368 
369 void
371 {
372  ipsec_sa_t *sa;
373 
374  if (INDEX_INVALID == sai)
375  return;
376 
377  sa = ipsec_sa_get (sai);
378 
379  fib_node_lock (&sa->node);
380 }
381 
382 index_t
384 {
386  ipsec_sa_t *sa;
387  uword *p;
388 
389  p = hash_get (im->sa_index_by_sa_id, id);
390 
391  if (!p)
392  return INDEX_INVALID;
393 
394  sa = ipsec_sa_get (p[0]);
395 
396  fib_node_lock (&sa->node);
397 
398  return (p[0]);
399 }
400 
401 int
403 {
405  uword *p;
406 
407  p = hash_get (im->sa_index_by_sa_id, id);
408 
409  if (!p)
410  return VNET_API_ERROR_NO_SUCH_ENTRY;
411 
412  ipsec_sa_unlock (p[0]);
413 
414  return (0);
415 }
416 
417 void
419 {
421 }
422 
423 void
425 {
426  ipsec_sa_t *sa;
427 
428  /* *INDENT-OFF* */
430  {
431  if (WALK_CONTINUE != cb (sa, ctx))
432  break;
433  }
434  /* *INDENT-ON* */
435 }
436 
437 /**
438  * Function definition to get a FIB node from its index
439  */
440 static fib_node_t *
442 {
443  ipsec_sa_t *sa;
444 
445  sa = ipsec_sa_get (index);
446 
447  return (&sa->node);
448 }
449 
450 static ipsec_sa_t *
452 {
453  ASSERT (FIB_NODE_TYPE_IPSEC_SA == node->fn_type);
454  return ((ipsec_sa_t *) (((char *) node) -
456 
457 }
458 
459 /**
460  * Function definition to inform the FIB node that its last lock has gone.
461  */
462 static void
464 {
465  /*
466  * The ipsec SA is a root of the graph. As such
467  * it never has children and thus is never locked.
468  */
470 }
471 
472 /**
473  * Function definition to backwalk a FIB node
474  */
477 {
479 
481 }
482 
483 /*
484  * Virtual function table registered by SAs
485  * for participation in the FIB object graph.
486  */
487 const static fib_node_vft_t ipsec_sa_vft = {
489  .fnv_last_lock = ipsec_sa_last_lock_gone,
490  .fnv_back_walk = ipsec_sa_back_walk,
491 };
492 
493 /* force inclusion from application's main.c */
494 clib_error_t *
496 {
498 
499  return 0;
500 }
501 
503 
504 /*
505  * fd.io coding-style-patch-verification: ON
506  *
507  * Local Variables:
508  * eval: (c-set-style "gnu")
509  * End:
510  */
ipsec.h
tmp
u32 * tmp
Definition: interface_output.c:1078
im
vnet_interface_main_t * im
Definition: interface_output.c:395
udp_header_t::src_port
u16 src_port
Definition: udp_packet.h:48
vlib_num_workers
static u32 vlib_num_workers()
Definition: threads.h:354
ipsec_tun.h
ipsec_sa_t::integ_key_index
vnet_crypto_key_index_t integ_key_index
Definition: ipsec_sa.h:140
ipsec_sa_t::async_op_data
union ipsec_sa_t::@446 async_op_data
ipsec_sa_t::protocol
ipsec_protocol_t protocol
Definition: ipsec_sa.h:176
DPO_INVALID
#define DPO_INVALID
An initialiser for DPOs declared on the stack.
Definition: dpo.h:204
dst_port
vl_api_ip_port_and_mask_t dst_port
Definition: flow_types.api:92
WALK_CONTINUE
@ WALK_CONTINUE
Definition: interface_funcs.h:174
fib_node_back_walk_rc_t
enum fib_node_back_walk_rc_t_ fib_node_back_walk_rc_t
Return code from a back walk function.
clib_memcpy
#define clib_memcpy(d, s, n)
Definition: string.h:197
vnet_crypto_key_del
void vnet_crypto_key_del(vlib_main_t *vm, vnet_crypto_key_index_t index)
Definition: crypto.c:386
pool_get_aligned_zero
#define pool_get_aligned_zero(P, E, A)
Allocate an object E from a pool P with alignment A and zero it.
Definition: pool.h:252
foreach_crypto_link_async_alg
#define foreach_crypto_link_async_alg
Definition: crypto.h:96
ipsec_sa_t::thread_index
u32 thread_index
Definition: ipsec_sa.h:129
clib_max
#define clib_max(x, y)
Definition: clib.h:335
ipsec_sa_interface_init
clib_error_t * ipsec_sa_interface_init(vlib_main_t *vm)
Definition: ipsec_sa.c:495
pool_elt_at_index
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:553
tunnel_t_
A representation of an IP tunnel config.
Definition: tunnel.h:85
node
vlib_main_t vlib_node_runtime_t * node
Definition: nat44_ei.c:3047
fib_node_vft_t_
A FIB graph nodes virtual function table.
Definition: fib_node.h:288
ipsec_sa_t::ip4_hdr
ip4_header_t ip4_hdr
Definition: ipsec_sa.h:168
fib_table.h
u16
unsigned short u16
Definition: types.h:57
ESP_MAX_ICV_SIZE
#define ESP_MAX_ICV_SIZE
Definition: esp.h:90
vlib_validate_combined_counter
void vlib_validate_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
validate a combined counter
Definition: counter.c:119
pool_put
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:305
ipsec_sa_find_and_lock
index_t ipsec_sa_find_and_lock(u32 id)
Definition: ipsec_sa.c:383
tunnel_contribute_forwarding
void tunnel_contribute_forwarding(const tunnel_t *t, dpo_id_t *dpo)
Definition: tunnel.c:218
vm
vlib_main_t * vm
X-connect all packets from the HOST to the PHY.
Definition: nat44_ei.c:3047
vlib_combined_counter_main_t::name
char * name
The counter collection's name.
Definition: counter.h:206
ipsec_sa_last_lock_gone
static void ipsec_sa_last_lock_gone(fib_node_t *node)
Function definition to inform the FIB node that its last lock has gone.
Definition: ipsec_sa.c:463
ipsec_sa_t::integ_icv_size
u8 integ_icv_size
Definition: ipsec_sa.h:125
IPSEC_PROTOCOL_ESP
@ IPSEC_PROTOCOL_ESP
Definition: ipsec_sa.h:76
ipsec_sa_walk
void ipsec_sa_walk(ipsec_sa_walk_cb_t cb, void *ctx)
Definition: ipsec_sa.c:424
tunnel_copy
void tunnel_copy(const tunnel_t *src, tunnel_t *dst)
Definition: tunnel.c:131
ipsec_sa_t::crypto_key
ipsec_key_t crypto_key
Definition: ipsec_sa.h:221
ipsec_sa_t::crypto_dec_op_id
vnet_crypto_op_id_t crypto_dec_op_id
Definition: ipsec_sa.h:149
ipsec_sa_from_fib_node
static ipsec_sa_t * ipsec_sa_from_fib_node(fib_node_t *node)
Definition: ipsec_sa.c:451
ipsec_sa_set_crypto_alg
void ipsec_sa_set_crypto_alg(ipsec_sa_t *sa, ipsec_crypto_alg_t crypto_alg)
Definition: ipsec_sa.c:92
ipsec_sa_t::esp_block_align
u8 esp_block_align
Definition: ipsec_sa.h:124
ipsec_ah_backend_t
Definition: ipsec.h:37
ipsec_sa_t::tunnel
tunnel_t tunnel
Definition: ipsec_sa.h:206
ipsec_sa_t::udp_hdr
udp_header_t udp_hdr
Definition: ipsec_sa.h:171
key
typedef key
Definition: ipsec_types.api:88
ipsec_unregister_udp_port
void ipsec_unregister_udp_port(u16 port)
Definition: ipsec.c:128
ipsec_check_support_cb
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
Definition: ipsec.c:91
ipsec_key_t_::data
u8 data[IPSEC_KEY_MAX_LEN]
Definition: ipsec_sa.h:83
ipsec_sa_fib_node_get
static fib_node_t * ipsec_sa_fib_node_get(fib_node_index_t index)
Function definition to get a FIB node from its index.
Definition: ipsec_sa.c:441
hash_set
#define hash_set(h, key, value)
Definition: hash.h:255
esp.h
STRUCT_OFFSET_OF
#define STRUCT_OFFSET_OF(t, f)
Definition: clib.h:73
IPSEC_UDP_PORT_NONE
#define IPSEC_UDP_PORT_NONE
Definition: ipsec_sa.h:299
tunnel_build_v4_hdr
void tunnel_build_v4_hdr(const tunnel_t *t, ip_protocol_t next_proto, ip4_header_t *ip)
Definition: tunnel.c:247
pool_foreach
#define pool_foreach(VAR, POOL)
Iterate through pool.
Definition: pool.h:534
ipsec_sa_flags_t
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
ipsec_sa_back_walk
static fib_node_back_walk_rc_t ipsec_sa_back_walk(fib_node_t *node, fib_node_back_walk_ctx_t *ctx)
Function definition to backwalk a FIB node.
Definition: ipsec_sa.c:476
len
u8 len
Definition: ip_types.api:103
ipsec_sa_stack
static void ipsec_sa_stack(ipsec_sa_t *sa)
'stack' (resolve the recursion for) the SA tunnel destination
Definition: ipsec_sa.c:73
ipsec_sa_get
static ipsec_sa_t * ipsec_sa_get(u32 sa_index)
Definition: ipsec_sa.h:519
ipsec_sa_clear
void ipsec_sa_clear(index_t sai)
Definition: ipsec_sa.c:418
vnet_crypto_key_add_linked
u32 vnet_crypto_key_add_linked(vlib_main_t *vm, vnet_crypto_key_index_t index_crypto, vnet_crypto_key_index_t index_integ)
Use 2 created keys to generate new key for linked algs (cipher + integ) The returned key index is to ...
Definition: crypto.c:425
ipsec_sa_counters
vlib_combined_counter_main_t ipsec_sa_counters
SA packet & bytes counters.
Definition: ipsec_sa.c:27
FIB_NODE_TYPE_IPSEC_SA
@ FIB_NODE_TYPE_IPSEC_SA
Definition: fib_node.h:50
ipsec_sa_t::integ_key
ipsec_key_t integ_key
Definition: ipsec_sa.h:220
ipsec_sa_walk_cb_t
walk_rc_t(* ipsec_sa_walk_cb_t)(ipsec_sa_t *sa, void *ctx)
Definition: ipsec_sa.h:285
foreach_crypto_aead_alg
#define foreach_crypto_aead_alg
Definition: crypto.h:36
ipsec_main_t
Definition: ipsec.h:108
ipsec_sa_t::crypto_iv_size
u8 crypto_iv_size
Definition: ipsec_sa.h:123
ipsec_call_add_del_callbacks
static clib_error_t * ipsec_call_add_del_callbacks(ipsec_main_t *im, ipsec_sa_t *sa, u32 sa_index, int is_add)
Definition: ipsec_sa.c:35
index_t
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
Definition: dpo.h:43
ipsec_sa_t::tunnel_flags
tunnel_encap_decap_flags_t tunnel_flags
Definition: ipsec_sa.h:177
ipsec_sa_set_async_op_ids
void ipsec_sa_set_async_op_ids(ipsec_sa_t *sa)
Definition: ipsec_sa.c:127
IPSEC_CRYPTO_ALG_IS_CTR
#define IPSEC_CRYPTO_ALG_IS_CTR(_alg)
Definition: ipsec_sa.h:51
ipsec_sa_vft
const static fib_node_vft_t ipsec_sa_vft
Definition: ipsec_sa.c:487
udp_local.h
fib_node_index_t
u32 fib_node_index_t
A typedef of a node index.
Definition: fib_types.h:29
uword
u64 uword
Definition: types.h:112
vlib_zero_combined_counter
static void vlib_zero_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
Clear a combined counter Clears the set of per-thread counters.
Definition: counter.h:298
ipsec_sa_t::crypto_calg
vnet_crypto_alg_t crypto_calg
Definition: ipsec_sa.h:214
hash_get
#define hash_get(h, key)
Definition: hash.h:249
ipsec_main
ipsec_main_t ipsec_main
Definition: ipsec.c:28
src_port
vl_api_ip_port_and_mask_t src_port
Definition: flow_types.api:91
ipsec_sa_unlock
void ipsec_sa_unlock(index_t sai)
Definition: ipsec_sa.c:357
ipsec_key_t_
Definition: ipsec_sa.h:80
vnet_crypto_request_async_mode
void vnet_crypto_request_async_mode(int is_enable)
Definition: crypto.c:571
ESP_MAX_IV_SIZE
#define ESP_MAX_IV_SIZE
Definition: esp.h:89
ipsec_register_udp_port
void ipsec_register_udp_port(u16 port)
Definition: ipsec.c:153
dpo_stack_from_node
void dpo_stack_from_node(u32 child_node_index, dpo_id_t *dpo, const dpo_id_t *parent)
Stack one DPO object on another, and thus establish a child parent relationship.
Definition: dpo.c:550
ipsec_ah_backend_t::add_del_sa_sess_cb
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:41
fib_node_register_type
void fib_node_register_type(fib_node_type_t type, const fib_node_vft_t *vft)
fib_node_register_type
Definition: fib_node.c:60
ipsec_sa_lock
void ipsec_sa_lock(index_t sai)
Definition: ipsec_sa.c:370
CLIB_CACHE_LINE_BYTES
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
FIB_NODE_BACK_WALK_CONTINUE
@ FIB_NODE_BACK_WALK_CONTINUE
Definition: fib_node.h:259
ipsec_sa_t::crypto_alg
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:217
ipsec_sa_t::crypto_async_enc_op_id
vnet_crypto_async_op_id_t crypto_async_enc_op_id
Definition: ipsec_sa.h:155
ESP_MAX_BLOCK_SIZE
#define ESP_MAX_BLOCK_SIZE
Definition: esp.h:88
fib_entry_track.h
data
u8 data[128]
Definition: ipsec_types.api:92
ipsec_sa_t
Definition: ipsec_sa.h:116
id
u8 id[64]
Definition: dhcp.api:160
vnet_crypto_key_add
u32 vnet_crypto_key_add(vlib_main_t *vm, vnet_crypto_alg_t alg, u8 *data, u16 length)
Definition: crypto.c:360
index
u32 index
Definition: flow_types.api:221
ipsec_mk_key
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
Definition: ipsec_sa.c:57
spi
u32 spi
Definition: flow_types.api:140
ipsec_key_t_::len
u8 len
Definition: ipsec_sa.h:82
ASSERT
#define ASSERT(truth)
Definition: error_bootstrap.h:69
vlib_combined_counter_main_t
A collection of combined counters.
Definition: counter.h:203
tunnel_build_v6_hdr
void tunnel_build_v6_hdr(const tunnel_t *t, ip_protocol_t next_proto, ip6_header_t *ip)
Definition: tunnel.c:229
ipsec_esp_backend_t::add_del_sa_sess_cb
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:58
u32
unsigned int u32
Definition: types.h:88
VLIB_INIT_FUNCTION
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:172
udp_header_t::dst_port
u16 dst_port
Definition: udp_packet.h:48
integ_alg
u8 integ_alg
Definition: ikev2_types.api:59
ipsec_esp_backend_t
Definition: ipsec.h:54
tunnel_resolve
int tunnel_resolve(tunnel_t *t, fib_node_type_t child_type, index_t child_index)
Definition: tunnel.c:189
ctx
long ctx[MAX_CONNS]
Definition: main.c:144
ipsec_sa_t::node
fib_node_t node
Definition: ipsec_sa.h:208
ipsec_sa_t::integ_op_id
vnet_crypto_op_id_t integ_op_id
Definition: ipsec_sa.h:150
fib_node_lock
void fib_node_lock(fib_node_t *node)
Definition: fib_node.c:203
IPSEC_PROTOCOL_AH
@ IPSEC_PROTOCOL_AH
Definition: ipsec_sa.h:75
ipsec_sa_t::salt
u32 salt
Definition: ipsec_sa.h:174
ipsec_sa_t::linked_key_index
vnet_crypto_key_index_t linked_key_index
Definition: ipsec_sa.h:157
ipsec_sa_t::id
u32 id
Definition: ipsec_sa.h:211
salt
u32 salt
Definition: ipsec_types.api:136
fib_node_t_
An node in the FIB graph.
Definition: fib_node.h:301
hash_unset
#define hash_unset(h, key)
Definition: hash.h:261
vlib_main_t
Definition: main.h:102
fib_node_init
void fib_node_init(fib_node_t *node, fib_node_type_t type)
Definition: fib_node.c:185
vlib_get_main
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:38
u8
unsigned char u8
Definition: types.h:56
clib_error_t
Definition: clib_error.h:21
fib_node_unlock
void fib_node_unlock(fib_node_t *node)
Definition: fib_node.c:209
ipsec_sa_t::ip6_hdr
ip6_header_t ip6_hdr
Definition: ipsec_sa.h:169
vlib_init_function_t
clib_error_t *() vlib_init_function_t(struct vlib_main_t *vm)
Definition: init.h:51
tunnel_t_::t_encap_decap_flags
tunnel_encap_decap_flags_t t_encap_decap_flags
Definition: tunnel.h:89
fib_node_back_walk_ctx_t_
Context passed between object during a back walk.
Definition: fib_node.h:214
fib_node_vft_t_::fnv_get
fib_node_get_t fnv_get
Definition: fib_node.h:289
ipsec_sa_t::integ_alg
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:218
ipsec_sa_t::sync_op_data
union ipsec_sa_t::@445 sync_op_data
clib_warning
#define clib_warning(format, args...)
Definition: error.h:59
dpo_id_t_
The identity of a DPO is a combination of its type and its instance number/index of objects of that t...
Definition: dpo.h:172
ipsec_sa_t::integ_calg
vnet_crypto_alg_t integ_calg
Definition: ipsec_sa.h:213
rv
int __clib_unused rv
Definition: application.c:491
ipsec_sa_t::stat_index
u32 stat_index
Definition: ipsec_sa.h:212
ipsec_sa_t::flags
ipsec_sa_flags_t flags
Definition: ipsec_sa.h:121
ipsec_sa_add_and_lock
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 salt, u16 src_port, u16 dst_port, const tunnel_t *tun, u32 *sa_out_index)
Definition: ipsec_sa.c:170
proto
vl_api_ip_proto_t proto
Definition: acl_types.api:51
ipsec_sa_t::data
u64 data
Definition: ipsec_sa.h:192
INDEX_INVALID
#define INDEX_INVALID
Invalid index - used when no index is known blazoned capitals INVALID speak volumes where ~0 does not...
Definition: dpo.h:49
tun
vl_api_gbp_endpoint_tun_t tun
Definition: gbp.api:134
dpo_reset
void dpo_reset(dpo_id_t *dpo)
reset a DPO ID The DPO will be unlocked.
Definition: dpo.c:234
ipsec_sa_unlock_id
int ipsec_sa_unlock_id(u32 id)
Definition: ipsec_sa.c:402
ipsec_sa_t::spi
u32 spi
Definition: ipsec_sa.h:131
ipsec_sa_t::crypto_enc_op_id
vnet_crypto_op_id_t crypto_enc_op_id
Definition: ipsec_sa.h:148
ipsec_sa_pool
ipsec_sa_t * ipsec_sa_pool
Pool of IPSec SAs.
Definition: ipsec_sa.c:32
clib_error_t::what
u8 * what
Definition: clib_error.h:24
tunnel_unresolve
void tunnel_unresolve(tunnel_t *t)
Definition: tunnel.c:209
IPSEC_CRYPTO_ALG_IS_GCM
#define IPSEC_CRYPTO_ALG_IS_GCM(_alg)
Definition: ipsec_sa.h:46
ipsec_sa_set_integ_alg
void ipsec_sa_set_integ_alg(ipsec_sa_t *sa, ipsec_integ_alg_t integ_alg)
Definition: ipsec_sa.c:116
ipsec_sa_t::crypto_key_index
vnet_crypto_key_index_t crypto_key_index
Definition: ipsec_sa.h:139
ipsec_sa_t::dpo
dpo_id_t dpo
Definition: ipsec_sa.h:137
ipsec_sa_del
static void ipsec_sa_del(ipsec_sa_t *sa)
Definition: ipsec_sa.c:330
ipsec_sa_t::crypto_op_data
u64 crypto_op_data
Definition: ipsec_sa.h:160
flags
vl_api_wireguard_peer_flags_t flags
Definition: wireguard.api:105