29 .stat_segment_name =
"/net/ipsec/sa",
36 u32 sa_index,
int is_add)
59 memset (key, 0,
sizeof (*key));
61 if (len >
sizeof (key->
data))
66 memcpy (key->
data, data, key->
len);
106 ipsec_sa_set_IS_CTR (sa);
107 ipsec_sa_set_IS_AEAD (sa);
111 ipsec_sa_set_IS_CTR (sa);
130 if (ipsec_sa_is_set_USE_ESN (sa))
133 if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##n##_ENC ) \ 134 sa->async_op_data.crypto_async_enc_op_id = \ 135 VNET_CRYPTO_OP_##n##_TAG16_AAD12_ENC; \ 136 if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##n##_DEC ) \ 137 sa->async_op_data.crypto_async_dec_op_id = \ 138 VNET_CRYPTO_OP_##n##_TAG16_AAD12_DEC; 145 if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##n##_ENC ) \ 146 sa->async_op_data.crypto_async_enc_op_id = \ 147 VNET_CRYPTO_OP_##n##_TAG16_AAD8_ENC; \ 148 if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##n##_DEC ) \ 149 sa->async_op_data.crypto_async_dec_op_id = \ 150 VNET_CRYPTO_OP_##n##_TAG16_AAD8_DEC; 155 #define _(c, h, s, k ,d) \ 156 if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##c##_ENC && \ 157 sa->sync_op_data.integ_op_id == VNET_CRYPTO_OP_##h##_HMAC) \ 158 sa->async_op_data.crypto_async_enc_op_id = \ 159 VNET_CRYPTO_OP_##c##_##h##_TAG##d##_ENC; \ 160 if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##c##_DEC && \ 161 sa->sync_op_data.integ_op_id == VNET_CRYPTO_OP_##h##_HMAC) \ 162 sa->async_op_data.crypto_async_dec_op_id = \ 163 VNET_CRYPTO_OP_##c##_##h##_TAG##d##_DEC; 171 ipsec_crypto_alg_t crypto_alg,
const ipsec_key_t *ck,
186 return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
205 if (integ_alg != IPSEC_INTEG_ALG_NONE)
221 return VNET_API_ERROR_KEY_LENGTH;
224 if (integ_alg != IPSEC_INTEG_ALG_NONE)
228 integ_algs[integ_alg].alg,
233 return VNET_API_ERROR_KEY_LENGTH;
238 !ipsec_sa_is_set_IS_AEAD (sa))
249 if (ipsec_sa_is_set_IS_ASYNC (sa))
263 return VNET_API_ERROR_UNIMPLEMENTED;
270 return VNET_API_ERROR_SYSCALL_ERROR_1;
273 if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
287 if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
290 (ipsec_sa_is_set_UDP_ENCAP (sa) ?
292 IP_PROTOCOL_IPSEC_ESP),
298 (ipsec_sa_is_set_UDP_ENCAP (sa) ?
300 IP_PROTOCOL_IPSEC_ESP),
305 if (ipsec_sa_is_set_UDP_ENCAP (sa))
317 if (ipsec_sa_is_set_IS_INBOUND (sa))
324 *sa_out_index = sa_index;
343 if (ipsec_sa_is_set_IS_ASYNC (sa))
345 if (ipsec_sa_is_set_UDP_ENCAP (sa) && ipsec_sa_is_set_IS_INBOUND (sa))
348 if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
351 if (sa->
integ_alg != IPSEC_INTEG_ALG_NONE)
410 return VNET_API_ERROR_NO_SUCH_ENTRY;
void dpo_stack_from_node(u32 child_node_index, dpo_id_t *dpo, const dpo_id_t *parent)
Stack one DPO object on another, and thus establish a child parent relationship.
static void ipsec_sa_last_lock_gone(fib_node_t *node)
Function definition to inform the FIB node that its last lock has gone.
#define hash_set(h, key, value)
ipsec_main_crypto_alg_t * crypto_algs
#define foreach_crypto_link_async_alg
void ipsec_register_udp_port(u16 port)
void vlib_validate_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
Validate a combined counter.
#define hash_unset(h, key)
vl_api_wireguard_peer_flags_t flags
#define pool_foreach(VAR, POOL)
Iterate through pool.
void fib_node_init(fib_node_t *node, fib_node_type_t type)
#define IPSEC_CRYPTO_ALG_IS_CTR(_alg)
vl_api_ip_port_and_mask_t dst_port
enum fib_node_back_walk_rc_t_ fib_node_back_walk_rc_t
Return code from a back walk function.
static void ipsec_sa_del(ipsec_sa_t *sa)
ipsec_integ_alg_t integ_alg
void vnet_crypto_request_async_mode(int is_enable)
void ipsec_sa_lock(index_t sai)
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
A representation of an IP tunnel config.
void ipsec_sa_clear(index_t sai)
ipsec_sa_t * ipsec_sa_pool
Pool of IPSec SAs.
void tunnel_build_v4_hdr(const tunnel_t *t, ip_protocol_t next_proto, ip4_header_t *ip)
#define STRUCT_OFFSET_OF(t, f)
vnet_crypto_op_id_t integ_op_id
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
void fib_node_register_type(fib_node_type_t type, const fib_node_vft_t *vft)
fib_node_register_type
#define clib_memcpy(d, s, n)
vnet_crypto_key_index_t linked_key_index
vnet_crypto_key_index_t crypto_key_index
walk_rc_t(* ipsec_sa_walk_cb_t)(ipsec_sa_t *sa, void *ctx)
static ipsec_sa_t * ipsec_sa_from_fib_node(fib_node_t *node)
union ipsec_sa_t::@446 async_op_data
void ipsec_sa_walk(ipsec_sa_walk_cb_t cb, void *ctx)
#define VLIB_INIT_FUNCTION(x)
#define foreach_crypto_aead_alg
u32 esp6_encrypt_node_index
tunnel_encap_decap_flags_t tunnel_flags
int ipsec_sa_unlock_id(u32 id)
#define IPSEC_CRYPTO_ALG_IS_GCM(_alg)
u32 vnet_crypto_key_add(vlib_main_t *vm, vnet_crypto_alg_t alg, u8 *data, u16 length)
The identity of a DPO is a combination of its type and its instance number/index of objects of that t...
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
static void vlib_zero_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
Clear a combined counter. Clears the set of per-thread counters.
void tunnel_build_v6_hdr(const tunnel_t *t, ip_protocol_t next_proto, ip6_header_t *ip)
index_t ipsec_sa_find_and_lock(u32 id)
void fib_node_lock(fib_node_t *node)
u32 esp4_encrypt_node_index
vnet_crypto_op_id_t enc_op_id
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 salt, u16 src_port, u16 dst_port, const tunnel_t *tun, u32 *sa_out_index)
void vnet_crypto_key_del(vlib_main_t *vm, vnet_crypto_key_index_t index)
#define pool_put(P, E)
Free an object E in pool P.
static clib_error_t * ipsec_call_add_del_callbacks(ipsec_main_t *im, ipsec_sa_t *sa, u32 sa_index, int is_add)
#define pool_get_aligned_zero(P, E, A)
Allocate an object E from a pool P with alignment A and zero it.
vlib_main_t * vm
X-connect all packets from the HOST to the PHY.
fib_node_type_t fn_type
The node's type.
An node in the FIB graph.
void fib_node_unlock(fib_node_t *node)
void ipsec_unregister_udp_port(u16 port)
vl_api_ip_port_and_mask_t src_port
void ipsec_sa_set_integ_alg(ipsec_sa_t *sa, ipsec_integ_alg_t integ_alg)
ipsec_ah_backend_t * ah_backends
static fib_node_t * ipsec_sa_fib_node_get(fib_node_index_t index)
Function definition to get a FIB node from its index.
void ipsec_sa_set_async_op_ids(ipsec_sa_t *sa)
static fib_node_back_walk_rc_t ipsec_sa_back_walk(fib_node_t *node, fib_node_back_walk_ctx_t *ctx)
Function definition to backwalk a FIB node.
#define clib_warning(format, args...)
vnet_interface_main_t * im
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
uword * sa_index_by_sa_id
u32 fib_node_index_t
A typedef of a node index.
tunnel_encap_decap_flags_t t_encap_decap_flags
#define ESP_MAX_BLOCK_SIZE
void ipsec_sa_unlock(index_t sai)
Context passed between object during a back walk.
void ipsec_sa_set_crypto_alg(ipsec_sa_t *sa, ipsec_crypto_alg_t crypto_alg)
u8 data[IPSEC_KEY_MAX_LEN]
vnet_crypto_op_id_t op_id
u32 ah4_encrypt_node_index
ipsec_main_integ_alg_t * integ_algs
static void ipsec_sa_stack(ipsec_sa_t *sa)
'Stack' (resolve the recursion for) the SA tunnel destination.
ipsec_protocol_t protocol
vnet_crypto_key_index_t integ_key_index
vnet_crypto_alg_t integ_calg
void tunnel_unresolve(tunnel_t *t)
add_del_sa_sess_cb_t add_del_sa_sess_cb
int tunnel_resolve(tunnel_t *t, fib_node_type_t child_type, index_t child_index)
vnet_crypto_op_id_t dec_op_id
static vlib_main_t * vlib_get_main(void)
vnet_crypto_alg_t crypto_calg
u32 vnet_crypto_key_add_linked(vlib_main_t *vm, vnet_crypto_key_index_t index_crypto, vnet_crypto_key_index_t index_integ)
Use 2 created keys to generate a new key for linked algs (cipher + integ). The returned key index is to ...
u32 ah6_encrypt_node_index
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
static ipsec_sa_t * ipsec_sa_get(u32 sa_index)
vlib_main_t vlib_node_runtime_t * node
#define INDEX_INVALID
Invalid index - used when no index is known blazoned capitals INVALID speak volumes where ~0 does not...
union ipsec_sa_t::@445 sync_op_data
#define DPO_INVALID
An initialiser for DPOs declared on the stack.
char * name
The counter collection's name.
vnet_crypto_op_id_t crypto_enc_op_id
A collection of combined counters.
vl_api_gbp_endpoint_tun_t tun
A FIB graph nodes virtual function table.
void tunnel_contribute_forwarding(const tunnel_t *t, dpo_id_t *dpo)
ipsec_crypto_alg_t crypto_alg
vnet_crypto_async_op_id_t crypto_async_enc_op_id
static u32 vlib_num_workers()
void dpo_reset(dpo_id_t *dpo)
Reset a DPO ID. The DPO will be unlocked.
clib_error_t * ipsec_sa_interface_init(vlib_main_t *vm)
void tunnel_copy(const tunnel_t *src, tunnel_t *dst)
add_del_sa_sess_cb_t add_del_sa_sess_cb
ipsec_esp_backend_t * esp_backends
#define CLIB_CACHE_LINE_BYTES
vnet_crypto_op_id_t crypto_dec_op_id
#define IPSEC_UDP_PORT_NONE