FD.io VPP  v21.10.1-2-g0a485f517
Vector Packet Processing
ipsec_sa.h File Reference

Data Structures

struct  ipsec_key_t_
 
struct  ipsec_sa_t
 

Macros

#define foreach_ipsec_crypto_alg
 
#define IPSEC_CRYPTO_ALG_IS_GCM(_alg)
 
#define IPSEC_CRYPTO_ALG_IS_CTR(_alg)
 
#define foreach_ipsec_integ_alg
 
#define IPSEC_KEY_MAX_LEN   128
 
#define foreach_ipsec_sa_flags
 
#define IPSEC_UDP_PORT_NONE   ((u16)~0)
 
#define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE   (64)
 
#define IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX   (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE-1)
 
#define IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND(_tl)   (_tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1)
 

Typedefs

typedef struct ipsec_key_t_ ipsec_key_t
 
typedef enum ipsec_sad_flags_t_ ipsec_sa_flags_t
 
typedef walk_rc_t(* ipsec_sa_walk_cb_t) (ipsec_sa_t *sa, void *ctx)
 

Enumerations

enum  ipsec_sad_flags_t_ { foreach_ipsec_sa_flags }
 

Functions

 STATIC_ASSERT (sizeof(ipsec_sa_flags_t)==2, "IPSEC SA flags != 2 byte")
 
 STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline1, CLIB_CACHE_LINE_BYTES)
 
 STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline2, 2 *CLIB_CACHE_LINE_BYTES)
 
 STATIC_ASSERT (STRUCT_OFFSET_OF(vnet_buffer_opaque_t, ipsec.sad_index)==STRUCT_OFFSET_OF(vnet_buffer_opaque_t, ip.save_protocol), "IPSec data is overlapping with IP data")
 
void ipsec_mk_key (ipsec_key_t *key, const u8 *data, u8 len)
 
int ipsec_sa_add_and_lock (u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 salt, u16 src_port, u16 dst_port, const tunnel_t *tun, u32 *sa_out_index)
 
index_t ipsec_sa_find_and_lock (u32 id)
 
int ipsec_sa_unlock_id (u32 id)
 
void ipsec_sa_unlock (index_t sai)
 
void ipsec_sa_lock (index_t sai)
 
void ipsec_sa_clear (index_t sai)
 
void ipsec_sa_set_crypto_alg (ipsec_sa_t *sa, ipsec_crypto_alg_t crypto_alg)
 
void ipsec_sa_set_integ_alg (ipsec_sa_t *sa, ipsec_integ_alg_t integ_alg)
 
void ipsec_sa_walk (ipsec_sa_walk_cb_t cd, void *ctx)
 
u8 * format_ipsec_replay_window (u8 *s, va_list *args)
 
u8 * format_ipsec_crypto_alg (u8 *s, va_list *args)
 
u8 * format_ipsec_integ_alg (u8 *s, va_list *args)
 
u8 * format_ipsec_sa (u8 *s, va_list *args)
 
u8 * format_ipsec_key (u8 *s, va_list *args)
 
uword unformat_ipsec_crypto_alg (unformat_input_t *input, va_list *args)
 
uword unformat_ipsec_integ_alg (unformat_input_t *input, va_list *args)
 
uword unformat_ipsec_key (unformat_input_t *input, va_list *args)
 
static int ipsec_sa_anti_replay_check (const ipsec_sa_t *sa, u32 seq)
 
static int ipsec_sa_anti_replay_and_sn_advance (const ipsec_sa_t *sa, u32 seq, u32 hi_seq_used, bool post_decrypt, u32 *hi_seq_req)
 
static void ipsec_sa_anti_replay_advance (ipsec_sa_t *sa, u32 seq, u32 hi_seq)
 
static u32 ipsec_sa_assign_thread (u32 thread_id)
 
static ipsec_sa_t * ipsec_sa_get (u32 sa_index)
 

Variables

ipsec_sa_t * ipsec_sa_pool
 Pool of IPSec SAs.
 
foreach_ipsec_sa_flags vlib_combined_counter_main_t ipsec_sa_counters
 SA packet & bytes counters.
 

Macro Definition Documentation

◆ foreach_ipsec_crypto_alg

#define foreach_ipsec_crypto_alg
Value:
_ (0, NONE, "none") \
_ (1, AES_CBC_128, "aes-cbc-128") \
_ (2, AES_CBC_192, "aes-cbc-192") \
_ (3, AES_CBC_256, "aes-cbc-256") \
_ (4, AES_CTR_128, "aes-ctr-128") \
_ (5, AES_CTR_192, "aes-ctr-192") \
_ (6, AES_CTR_256, "aes-ctr-256") \
_ (7, AES_GCM_128, "aes-gcm-128") \
_ (8, AES_GCM_192, "aes-gcm-192") \
_ (9, AES_GCM_256, "aes-gcm-256") \
_ (10, DES_CBC, "des-cbc") \
_ (11, 3DES_CBC, "3des-cbc")

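Definition at line 24 of file ipsec_sa.h.

Note: des-cbc and 3des-cbc are legacy ciphers that RFC 8221 advises against for ESP. The aes-cbc and aes-ctr entries provide confidentiality only and need a separate integrity algorithm, whereas the aes-gcm entries are AEAD modes.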

◆ foreach_ipsec_integ_alg

#define foreach_ipsec_integ_alg
Value:
_ (0, NONE, "none") \
_ (1, MD5_96, "md5-96") /* RFC2403 */ \
_ (2, SHA1_96, "sha1-96") /* RFC2404 */ \
_ (3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \
_ (4, SHA_256_128, "sha-256-128") /* RFC4868 */ \
_ (5, SHA_384_192, "sha-384-192") /* RFC4868 */ \
_ (6, SHA_512_256, "sha-512-256") /* RFC4868 */

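Definition at line 56 of file ipsec_sa.h.

Note: RFC 8221 states that md5-96 must not be used, and sha-256-96 comes from an expired draft rather than an RFC. "none" is appropriate only when the cipher is an AEAD mode such as aes-gcm.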

◆ foreach_ipsec_sa_flags

#define foreach_ipsec_sa_flags
Value:
_ (0, NONE, "none") \
_ (1, USE_ESN, "esn") \
_ (2, USE_ANTI_REPLAY, "anti-replay") \
_ (4, IS_TUNNEL, "tunnel") \
_ (8, IS_TUNNEL_V6, "tunnel-v6") \
_ (16, UDP_ENCAP, "udp-encap") \
_ (32, IS_PROTECT, "Protect") \
_ (64, IS_INBOUND, "inbound") \
_ (128, IS_AEAD, "aead") \
_ (256, IS_CTR, "ctr") \
_ (512, IS_ASYNC, "async")

Definition at line 94 of file ipsec_sa.h.

◆ IPSEC_CRYPTO_ALG_IS_CTR

#define IPSEC_CRYPTO_ALG_IS_CTR (   _alg)
Value:
(((_alg == IPSEC_CRYPTO_ALG_AES_CTR_128) || \
(_alg == IPSEC_CRYPTO_ALG_AES_CTR_192) || \
(_alg == IPSEC_CRYPTO_ALG_AES_CTR_256)))

Definition at line 51 of file ipsec_sa.h.

◆ IPSEC_CRYPTO_ALG_IS_GCM

#define IPSEC_CRYPTO_ALG_IS_GCM (   _alg)
Value:
(((_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) || \
(_alg == IPSEC_CRYPTO_ALG_AES_GCM_192) || \
(_alg == IPSEC_CRYPTO_ALG_AES_GCM_256)))

Definition at line 46 of file ipsec_sa.h.

◆ IPSEC_KEY_MAX_LEN

#define IPSEC_KEY_MAX_LEN   128

Definition at line 79 of file ipsec_sa.h.

◆ IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND

#define IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (   _tl)    (_tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1)

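Definition at line 311 of file ipsec_sa.h.

Note: _tl is not parenthesized in the expansion, so pass a plain variable or a parenthesized expression. If _tl is an unsigned 32-bit sequence number (the seq parameters on this page are u32), the result wraps around when _tl is smaller than IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE - 1.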

◆ IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX

#define IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX   (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE-1)

Definition at line 304 of file ipsec_sa.h.

◆ IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE

#define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE   (64)

Definition at line 303 of file ipsec_sa.h.

◆ IPSEC_UDP_PORT_NONE

#define IPSEC_UDP_PORT_NONE   ((u16)~0)

Definition at line 297 of file ipsec_sa.h.

Typedef Documentation

◆ ipsec_key_t

typedef struct ipsec_key_t_ ipsec_key_t

◆ ipsec_sa_flags_t

typedef enum ipsec_sad_flags_t_ ipsec_sa_flags_t

◆ ipsec_sa_walk_cb_t

typedef walk_rc_t(* ipsec_sa_walk_cb_t) (ipsec_sa_t *sa, void *ctx)

Definition at line 283 of file ipsec_sa.h.

Enumeration Type Documentation

◆ ipsec_sad_flags_t_

Enumerator
foreach_ipsec_sa_flags 

Definition at line 107 of file ipsec_sa.h.

Function Documentation

◆ format_ipsec_crypto_alg()

u8* format_ipsec_crypto_alg ( u8 *  s,
va_list *  args 
)

Definition at line 79 of file ipsec_format.c.


◆ format_ipsec_integ_alg()

u8* format_ipsec_integ_alg ( u8 *  s,
va_list *  args 
)

Definition at line 111 of file ipsec_format.c.


◆ format_ipsec_key()

u8* format_ipsec_key ( u8 *  s,
va_list *  args 
)

Definition at line 235 of file ipsec_format.c.


◆ format_ipsec_replay_window()

u8* format_ipsec_replay_window ( u8 *  s,
va_list *  args 
)

Definition at line 143 of file ipsec_format.c.


◆ format_ipsec_sa()

u8* format_ipsec_sa ( u8 *  s,
va_list *  args 
)

Definition at line 270 of file ipsec_format.c.


◆ ipsec_mk_key()

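void ipsec_mk_key ( ipsec_key_t *  key,
const u8 *  data,
u8  len 
)

Definition at line 57 of file ipsec_sa.c.

Note: len is a u8 and can therefore be as large as 255, whereas IPSEC_KEY_MAX_LEN in this header is 128. This page does not show whether ipsec_mk_key validates len, so callers should make sure len does not exceed IPSEC_KEY_MAX_LEN before calling it.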


◆ ipsec_sa_add_and_lock()

int ipsec_sa_add_and_lock ( u32  id,
u32  spi,
ipsec_protocol_t  proto,
ipsec_crypto_alg_t  crypto_alg,
const ipsec_key_t *  ck,
ipsec_integ_alg_t  integ_alg,
const ipsec_key_t *  ik,
ipsec_sa_flags_t  flags,
u32  salt,
u16  src_port,
u16  dst_port,
const tunnel_t *  tun,
u32 *  sa_out_index 
)

Definition at line 170 of file ipsec_sa.c.


◆ ipsec_sa_anti_replay_advance()

static void ipsec_sa_anti_replay_advance ( ipsec_sa_t *  sa,
u32  seq,
u32  hi_seq 
)
inline static

Definition at line 535 of file ipsec_sa.h.


◆ ipsec_sa_anti_replay_and_sn_advance()

static int ipsec_sa_anti_replay_and_sn_advance ( const ipsec_sa_t *  sa,
u32  seq,
u32  hi_seq_used,
bool  post_decrypt,
u32 *  hi_seq_req 
)
inline static

Definition at line 338 of file ipsec_sa.h.


◆ ipsec_sa_anti_replay_check()

static int ipsec_sa_anti_replay_check ( const ipsec_sa_t *  sa,
u32  seq 
)
inline static

Definition at line 314 of file ipsec_sa.h.


◆ ipsec_sa_assign_thread()

static u32 ipsec_sa_assign_thread ( u32  thread_id)
inline static

Definition at line 598 of file ipsec_sa.h.


◆ ipsec_sa_clear()

void ipsec_sa_clear ( index_t  sai)

Definition at line 422 of file ipsec_sa.c.


◆ ipsec_sa_find_and_lock()

index_t ipsec_sa_find_and_lock ( u32  id)

Definition at line 387 of file ipsec_sa.c.


◆ ipsec_sa_get()

static ipsec_sa_t* ipsec_sa_get ( u32  sa_index)
inline static

Definition at line 605 of file ipsec_sa.h.


◆ ipsec_sa_lock()

void ipsec_sa_lock ( index_t  sai)

Definition at line 374 of file ipsec_sa.c.


◆ ipsec_sa_set_crypto_alg()

void ipsec_sa_set_crypto_alg ( ipsec_sa_t *  sa,
ipsec_crypto_alg_t  crypto_alg 
)

Definition at line 92 of file ipsec_sa.c.


◆ ipsec_sa_set_integ_alg()

void ipsec_sa_set_integ_alg ( ipsec_sa_t *  sa,
ipsec_integ_alg_t  integ_alg 
)

Definition at line 116 of file ipsec_sa.c.


◆ ipsec_sa_unlock()

void ipsec_sa_unlock ( index_t  sai)

Definition at line 361 of file ipsec_sa.c.


◆ ipsec_sa_unlock_id()

int ipsec_sa_unlock_id ( u32  id)

Definition at line 406 of file ipsec_sa.c.


◆ ipsec_sa_walk()

void ipsec_sa_walk ( ipsec_sa_walk_cb_t  cd,
void *  ctx 
)

Definition at line 428 of file ipsec_sa.c.


◆ STATIC_ASSERT() [1/2]

STATIC_ASSERT ( sizeof(ipsec_sa_flags_t) == 2,
"IPSEC SA flags != 2 byte" 
)

◆ STATIC_ASSERT() [2/2]

STATIC_ASSERT ( STRUCT_OFFSET_OF(vnet_buffer_opaque_t, ipsec.sad_index) == STRUCT_OFFSET_OF(vnet_buffer_opaque_t, ip.save_protocol),
"IPSec data is overlapping with IP data" 
)

◆ STATIC_ASSERT_OFFSET_OF() [1/2]

STATIC_ASSERT_OFFSET_OF ( ipsec_sa_t  ,
cacheline1  ,
CLIB_CACHE_LINE_BYTES   
)

◆ STATIC_ASSERT_OFFSET_OF() [2/2]

STATIC_ASSERT_OFFSET_OF ( ipsec_sa_t  ,
cacheline2  ,
2 *  CLIB_CACHE_LINE_BYTES 
)

◆ unformat_ipsec_crypto_alg()

uword unformat_ipsec_crypto_alg ( unformat_input_t *  input,
va_list *  args 
)

Definition at line 97 of file ipsec_format.c.


◆ unformat_ipsec_integ_alg()

uword unformat_ipsec_integ_alg ( unformat_input_t *  input,
va_list *  args 
)

Definition at line 129 of file ipsec_format.c.


◆ unformat_ipsec_key()

uword unformat_ipsec_key ( unformat_input_t *  input,
va_list *  args 
)

Definition at line 243 of file ipsec_format.c.


Variable Documentation

◆ ipsec_sa_counters

SA packet & bytes counters.

Definition at line 27 of file ipsec_sa.c.

◆ ipsec_sa_pool

ipsec_sa_t* ipsec_sa_pool

Pool of IPSec SAs.

Definition at line 32 of file ipsec_sa.c.