blob: 28ac93185ec3f91295847f7370203992582a675b [file] [log] [blame]
Neale Ranns999c8ee2019-02-01 03:31:24 -08001/*
2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15#ifndef __IPSEC_SPD_SA_H__
16#define __IPSEC_SPD_SA_H__
17
18#include <vlib/vlib.h>
Filip Tehlare5d34912020-03-02 15:17:37 +000019#include <vnet/crypto/crypto.h>
Neale Ranns999c8ee2019-02-01 03:31:24 -080020#include <vnet/ip/ip.h>
Neale Ranns8d7c5022019-02-06 01:41:05 -080021#include <vnet/fib/fib_node.h>
Neale Ranns041add72020-01-02 04:06:10 +000022#include <vnet/tunnel/tunnel.h>
Neale Ranns999c8ee2019-02-01 03:31:24 -080023
24#define foreach_ipsec_crypto_alg \
25 _ (0, NONE, "none") \
26 _ (1, AES_CBC_128, "aes-cbc-128") \
27 _ (2, AES_CBC_192, "aes-cbc-192") \
28 _ (3, AES_CBC_256, "aes-cbc-256") \
29 _ (4, AES_CTR_128, "aes-ctr-128") \
30 _ (5, AES_CTR_192, "aes-ctr-192") \
31 _ (6, AES_CTR_256, "aes-ctr-256") \
32 _ (7, AES_GCM_128, "aes-gcm-128") \
33 _ (8, AES_GCM_192, "aes-gcm-192") \
34 _ (9, AES_GCM_256, "aes-gcm-256") \
35 _ (10, DES_CBC, "des-cbc") \
36 _ (11, 3DES_CBC, "3des-cbc")
37
38typedef enum
39{
40#define _(v, f, s) IPSEC_CRYPTO_ALG_##f = v,
41 foreach_ipsec_crypto_alg
42#undef _
43 IPSEC_CRYPTO_N_ALG,
Neale Ranns123b5eb2020-10-16 14:03:55 +000044} __clib_packed ipsec_crypto_alg_t;
Neale Ranns999c8ee2019-02-01 03:31:24 -080045
Neale Ranns47feb112019-04-11 15:14:07 +000046#define IPSEC_CRYPTO_ALG_IS_GCM(_alg) \
47 (((_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) || \
48 (_alg == IPSEC_CRYPTO_ALG_AES_GCM_192) || \
49 (_alg == IPSEC_CRYPTO_ALG_AES_GCM_256)))
50
Neale Ranns999c8ee2019-02-01 03:31:24 -080051#define foreach_ipsec_integ_alg \
52 _ (0, NONE, "none") \
53 _ (1, MD5_96, "md5-96") /* RFC2403 */ \
54 _ (2, SHA1_96, "sha1-96") /* RFC2404 */ \
55 _ (3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \
56 _ (4, SHA_256_128, "sha-256-128") /* RFC4868 */ \
57 _ (5, SHA_384_192, "sha-384-192") /* RFC4868 */ \
58 _ (6, SHA_512_256, "sha-512-256") /* RFC4868 */
59
60typedef enum
61{
62#define _(v, f, s) IPSEC_INTEG_ALG_##f = v,
63 foreach_ipsec_integ_alg
64#undef _
65 IPSEC_INTEG_N_ALG,
Neale Ranns123b5eb2020-10-16 14:03:55 +000066} __clib_packed ipsec_integ_alg_t;
Neale Ranns999c8ee2019-02-01 03:31:24 -080067
68typedef enum
69{
70 IPSEC_PROTOCOL_AH = 0,
71 IPSEC_PROTOCOL_ESP = 1
Neale Ranns123b5eb2020-10-16 14:03:55 +000072} __clib_packed ipsec_protocol_t;
Neale Ranns999c8ee2019-02-01 03:31:24 -080073
Neale Ranns8d7c5022019-02-06 01:41:05 -080074#define IPSEC_KEY_MAX_LEN 128
75typedef struct ipsec_key_t_
76{
77 u8 len;
78 u8 data[IPSEC_KEY_MAX_LEN];
79} ipsec_key_t;
80
81/*
82 * Enable extended sequence numbers
83 * Enable Anti-replay
84 * IPsec tunnel mode if non-zero, else transport mode
85 * IPsec tunnel mode is IPv6 if non-zero,
86 * else IPv4 tunnel only valid if is_tunnel is non-zero
87 * enable UDP encapsulation for NAT traversal
88 */
89#define foreach_ipsec_sa_flags \
90 _ (0, NONE, "none") \
Damjan Marion1e3aa5e2019-03-28 10:58:59 +010091 _ (1, USE_ESN, "esn") \
Neale Ranns8d7c5022019-02-06 01:41:05 -080092 _ (2, USE_ANTI_REPLAY, "anti-replay") \
93 _ (4, IS_TUNNEL, "tunnel") \
94 _ (8, IS_TUNNEL_V6, "tunnel-v6") \
95 _ (16, UDP_ENCAP, "udp-encap") \
Neale Rannsc87b66c2019-02-07 07:26:12 -080096 _ (32, IS_PROTECT, "Protect") \
Neale Ranns6b43ce52019-07-31 01:04:43 -070097 _ (64, IS_INBOUND, "inbound") \
Neale Ranns47feb112019-04-11 15:14:07 +000098 _ (128, IS_AEAD, "aead") \
Neale Ranns8d7c5022019-02-06 01:41:05 -080099
100typedef enum ipsec_sad_flags_t_
101{
102#define _(v, f, s) IPSEC_SA_FLAG_##f = v,
103 foreach_ipsec_sa_flags
104#undef _
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100105} __clib_packed ipsec_sa_flags_t;
Damjan Mariond709cbc2019-03-26 13:16:42 +0100106
107STATIC_ASSERT (sizeof (ipsec_sa_flags_t) == 1, "IPSEC SA flags > 1 byte");
Neale Ranns8d7c5022019-02-06 01:41:05 -0800108
Neale Ranns999c8ee2019-02-01 03:31:24 -0800109typedef struct
110{
Damjan Mariond709cbc2019-03-26 13:16:42 +0100111 CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
Neale Ranns999c8ee2019-02-01 03:31:24 -0800112
Damjan Mariond709cbc2019-03-26 13:16:42 +0100113 /* flags */
114 ipsec_sa_flags_t flags;
115
Damjan Marionb966e8b2019-03-20 16:07:09 +0100116 u8 crypto_iv_size;
Christian Hoppsfb7e7ed2019-11-03 07:02:15 -0500117 u8 esp_block_align;
Damjan Marion7c22ff72019-04-04 12:25:44 +0200118 u8 integ_icv_size;
Neale Ranns1a52d372021-02-04 11:33:32 +0000119 u32 thread_index;
120 u32 __pad_u32;
Damjan Mariond709cbc2019-03-26 13:16:42 +0100121 u32 spi;
Neale Ranns999c8ee2019-02-01 03:31:24 -0800122 u32 seq;
123 u32 seq_hi;
124 u32 last_seq;
125 u32 last_seq_hi;
126 u64 replay_window;
Neale Ranns72f2a3a2019-06-17 15:43:38 +0000127 dpo_id_t dpo;
Damjan Mariond709cbc2019-03-26 13:16:42 +0100128
Damjan Mariond1bed682019-04-24 15:20:35 +0200129 vnet_crypto_key_index_t crypto_key_index;
130 vnet_crypto_key_index_t integ_key_index;
Fan Zhangf5395782020-04-29 14:00:03 +0100131
132 /* Union data shared by sync and async ops, updated when mode is
133 * changed. */
134 union
135 {
136 struct
137 {
138 vnet_crypto_op_id_t crypto_enc_op_id:16;
139 vnet_crypto_op_id_t crypto_dec_op_id:16;
140 vnet_crypto_op_id_t integ_op_id:16;
141 };
142
143 struct
144 {
145 vnet_crypto_async_op_id_t crypto_async_enc_op_id:16;
146 vnet_crypto_async_op_id_t crypto_async_dec_op_id:16;
147 vnet_crypto_key_index_t linked_key_index;
148 };
149
150 u64 crypto_op_data;
151 };
Damjan Mariond709cbc2019-03-26 13:16:42 +0100152
Damjan Mariond709cbc2019-03-26 13:16:42 +0100153 CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
154
Neale Ranns123b5eb2020-10-16 14:03:55 +0000155 u64 gcm_iv_counter;
Damjan Mariond709cbc2019-03-26 13:16:42 +0100156 union
157 {
158 ip4_header_t ip4_hdr;
159 ip6_header_t ip6_hdr;
160 };
161 udp_header_t udp_hdr;
162
Neale Ranns80f6fd52019-04-16 02:41:34 +0000163 /* Salt used in GCM modes - stored in network byte order */
164 u32 salt;
Fan Zhangf5395782020-04-29 14:00:03 +0100165
Neale Ranns123b5eb2020-10-16 14:03:55 +0000166 ipsec_protocol_t protocol;
Neale Ranns041add72020-01-02 04:06:10 +0000167 tunnel_encap_decap_flags_t tunnel_flags;
168 ip_dscp_t dscp;
169 u8 __pad[1];
Neale Ranns123b5eb2020-10-16 14:03:55 +0000170
171 /* data accessed by dataplane code should be above this comment */
172 CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
173
174 /* Elements with u64 size multiples */
Fan Zhangf5395782020-04-29 14:00:03 +0100175 union
176 {
177 struct
178 {
179 vnet_crypto_op_id_t crypto_enc_op_id:16;
180 vnet_crypto_op_id_t crypto_dec_op_id:16;
181 vnet_crypto_op_id_t integ_op_id:16;
182 };
183 u64 data;
184 } sync_op_data;
185
186 union
187 {
188 struct
189 {
190 vnet_crypto_async_op_id_t crypto_async_enc_op_id:16;
191 vnet_crypto_async_op_id_t crypto_async_dec_op_id:16;
192 vnet_crypto_key_index_t linked_key_index;
193 };
194 u64 data;
195 } async_op_data;
Neale Ranns123b5eb2020-10-16 14:03:55 +0000196
197 ip46_address_t tunnel_src_addr;
198 ip46_address_t tunnel_dst_addr;
199
200 fib_node_t node;
201
202 /* elements with u32 size */
203 u32 id;
204 u32 stat_index;
205 vnet_crypto_alg_t integ_calg;
206 vnet_crypto_alg_t crypto_calg;
207
208 fib_node_index_t fib_entry_index;
209 u32 sibling;
210 u32 tx_fib_index;
211
212 /* else u8 packed */
213 ipsec_crypto_alg_t crypto_alg;
214 ipsec_integ_alg_t integ_alg;
215
216 ipsec_key_t integ_key;
217 ipsec_key_t crypto_key;
Neale Ranns999c8ee2019-02-01 03:31:24 -0800218} ipsec_sa_t;
219
Damjan Mariond709cbc2019-03-26 13:16:42 +0100220STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline1, CLIB_CACHE_LINE_BYTES);
Neale Ranns123b5eb2020-10-16 14:03:55 +0000221STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline2, 2 * CLIB_CACHE_LINE_BYTES);
Damjan Mariond709cbc2019-03-26 13:16:42 +0100222
223#define _(a,v,s) \
224 always_inline int \
225 ipsec_sa_is_set_##v (const ipsec_sa_t *sa) { \
226 return (sa->flags & IPSEC_SA_FLAG_##v); \
227 }
228foreach_ipsec_sa_flags
229#undef _
230#define _(a,v,s) \
231 always_inline int \
232 ipsec_sa_set_##v (ipsec_sa_t *sa) { \
233 return (sa->flags |= IPSEC_SA_FLAG_##v); \
234 }
235 foreach_ipsec_sa_flags
236#undef _
Neale Rannsc87b66c2019-02-07 07:26:12 -0800237#define _(a,v,s) \
238 always_inline int \
239 ipsec_sa_unset_##v (ipsec_sa_t *sa) { \
240 return (sa->flags &= ~IPSEC_SA_FLAG_##v); \
241 }
242 foreach_ipsec_sa_flags
243#undef _
Neale Rannseba31ec2019-02-17 18:04:27 +0000244/**
245 * @brief
246 * SA packet & bytes counters
247 */
248extern vlib_combined_counter_main_t ipsec_sa_counters;
249
Neale Ranns8d7c5022019-02-06 01:41:05 -0800250extern void ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len);
251
Neale Ranns495d7ff2019-07-12 09:15:26 +0000252extern int ipsec_sa_add_and_lock (u32 id,
253 u32 spi,
254 ipsec_protocol_t proto,
255 ipsec_crypto_alg_t crypto_alg,
256 const ipsec_key_t * ck,
257 ipsec_integ_alg_t integ_alg,
258 const ipsec_key_t * ik,
259 ipsec_sa_flags_t flags,
260 u32 tx_table_id,
261 u32 salt,
262 const ip46_address_t * tunnel_src_addr,
263 const ip46_address_t * tunnel_dst_addr,
Neale Ranns041add72020-01-02 04:06:10 +0000264 tunnel_encap_decap_flags_t tunnel_flags,
265 ip_dscp_t dscp,
Neale Rannsabc56602020-04-01 09:45:23 +0000266 u32 * sa_index, u16 src_port, u16 dst_port);
Neale Ranns495d7ff2019-07-12 09:15:26 +0000267extern index_t ipsec_sa_find_and_lock (u32 id);
268extern int ipsec_sa_unlock_id (u32 id);
269extern void ipsec_sa_unlock (index_t sai);
Neale Ranns12989b52019-09-26 16:20:19 +0000270extern void ipsec_sa_lock (index_t sai);
Neale Rannsc87b66c2019-02-07 07:26:12 -0800271extern void ipsec_sa_clear (index_t sai);
Damjan Marionb966e8b2019-03-20 16:07:09 +0100272extern void ipsec_sa_set_crypto_alg (ipsec_sa_t * sa,
273 ipsec_crypto_alg_t crypto_alg);
274extern void ipsec_sa_set_integ_alg (ipsec_sa_t * sa,
275 ipsec_integ_alg_t integ_alg);
Neale Ranns8d7c5022019-02-06 01:41:05 -0800276
Neale Rannsb4cfd552019-02-13 02:08:06 -0800277typedef walk_rc_t (*ipsec_sa_walk_cb_t) (ipsec_sa_t * sa, void *ctx);
278extern void ipsec_sa_walk (ipsec_sa_walk_cb_t cd, void *ctx);
279
Neale Ranns999c8ee2019-02-01 03:31:24 -0800280extern u8 *format_ipsec_crypto_alg (u8 * s, va_list * args);
281extern u8 *format_ipsec_integ_alg (u8 * s, va_list * args);
Neale Ranns8d7c5022019-02-06 01:41:05 -0800282extern u8 *format_ipsec_sa (u8 * s, va_list * args);
283extern u8 *format_ipsec_key (u8 * s, va_list * args);
Neale Ranns999c8ee2019-02-01 03:31:24 -0800284extern uword unformat_ipsec_crypto_alg (unformat_input_t * input,
285 va_list * args);
286extern uword unformat_ipsec_integ_alg (unformat_input_t * input,
287 va_list * args);
Neale Ranns8d7c5022019-02-06 01:41:05 -0800288extern uword unformat_ipsec_key (unformat_input_t * input, va_list * args);
Neale Ranns999c8ee2019-02-01 03:31:24 -0800289
Filip Tehlare5d34912020-03-02 15:17:37 +0000290#define IPSEC_UDP_PORT_NONE ((u16)~0)
291
Neale Ranns6afaae12019-07-17 15:07:14 +0000292/*
293 * Anti Replay definitions
294 */
295
296#define IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE (64)
297#define IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE-1)
298
299/*
300 * sequence number less than the lower bound are outside of the window
301 * From RFC4303 Appendix A:
302 * Bl = Tl - W + 1
303 */
304#define IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND(_tl) (_tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1)
305
306/*
307 * Anti replay check.
308 * inputs need to be in host byte order.
309 */
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100310always_inline int
Neale Ranns6afaae12019-07-17 15:07:14 +0000311ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq)
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100312{
Neale Ranns6afaae12019-07-17 15:07:14 +0000313 u32 diff, tl, th;
314
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100315 if ((sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
316 return 0;
317
Neale Ranns6afaae12019-07-17 15:07:14 +0000318 if (!ipsec_sa_is_set_USE_ESN (sa))
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100319 {
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100320 if (PREDICT_TRUE (seq > sa->last_seq))
321 return 0;
322
323 diff = sa->last_seq - seq;
324
325 if (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE > diff)
326 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
327 else
328 return 1;
329
330 return 0;
331 }
332
333 tl = sa->last_seq;
334 th = sa->last_seq_hi;
335 diff = tl - seq;
336
Neale Ranns6afaae12019-07-17 15:07:14 +0000337 if (PREDICT_TRUE (tl >= (IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX)))
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100338 {
Neale Ranns6afaae12019-07-17 15:07:14 +0000339 /*
340 * the last sequence number VPP recieved is more than one
341 * window size greater than zero.
342 * Case A from RFC4303 Appendix A.
343 */
344 if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100345 {
Neale Ranns6afaae12019-07-17 15:07:14 +0000346 /*
347 * the received sequence number is lower than the lower bound
348 * of the window, this could mean either a replay packet or that
349 * the high sequence number has wrapped. if it decrypts corrently
350 * then it's the latter.
351 */
352 sa->seq_hi = th + 1;
353 return 0;
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100354 }
355 else
356 {
Neale Ranns6afaae12019-07-17 15:07:14 +0000357 /*
358 * the recieved sequence number greater than the low
359 * end of the window.
360 */
361 sa->seq_hi = th;
362 if (seq <= tl)
363 /*
364 * The recieved seq number is within bounds of the window
365 * check if it's a duplicate
366 */
367 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
368 else
369 /*
370 * The received sequence number is greater than the window
371 * upper bound. this packet will move the window along, assuming
372 * it decrypts correctly.
373 */
374 return 0;
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100375 }
376 }
377 else
378 {
Neale Ranns6afaae12019-07-17 15:07:14 +0000379 /*
380 * the last sequence number VPP recieved is within one window
381 * size of zero, i.e. 0 < TL < WINDOW_SIZE, the lower bound is thus a
382 * large sequence number.
383 * Note that the check below uses unsiged integer arthimetic, so the
384 * RHS will be a larger number.
385 * Case B from RFC4303 Appendix A.
386 */
387 if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100388 {
Neale Ranns6afaae12019-07-17 15:07:14 +0000389 /*
390 * the sequence number is less than the lower bound.
391 */
392 if (seq <= tl)
393 {
394 /*
395 * the packet is within the window upper bound.
396 * check for duplicates.
397 */
398 sa->seq_hi = th;
399 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
400 }
401 else
402 {
403 /*
404 * the packet is less the window lower bound or greater than
405 * the higher bound, depending on how you look at it...
406 * We're assuming, given that the last sequence number received,
407 * TL < WINDOW_SIZE, that a largeer seq num is more likely to be
408 * a packet that moves the window forward, than a packet that has
409 * wrapped the high sequence again. If it were the latter then
410 * we've lost close to 2^32 packets.
411 */
412 sa->seq_hi = th;
413 return 0;
414 }
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100415 }
416 else
417 {
Neale Ranns6afaae12019-07-17 15:07:14 +0000418 /*
419 * the packet seq number is between the lower bound (a large nubmer)
420 * and MAX_SEQ_NUM. This is in the window since the window upper bound
421 * tl > 0.
422 * However, since TL is the other side of 0 to the received
423 * packet, the SA has moved on to a higher sequence number.
424 */
425 sa->seq_hi = th - 1;
426 return (sa->replay_window & (1ULL << diff)) ? 1 : 0;
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100427 }
428 }
429
430 return 0;
431}
432
Neale Ranns6afaae12019-07-17 15:07:14 +0000433/*
434 * Anti replay window advance
435 * inputs need to be in host byte order.
436 */
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100437always_inline void
Neale Ranns6afaae12019-07-17 15:07:14 +0000438ipsec_sa_anti_replay_advance (ipsec_sa_t * sa, u32 seq)
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100439{
Neale Ranns6afaae12019-07-17 15:07:14 +0000440 u32 pos;
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100441 if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0)
442 return;
443
Damjan Marion1e3aa5e2019-03-28 10:58:59 +0100444 if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ESN))
Damjan Marion1f4e1cb2019-03-28 19:19:31 +0100445 {
446 int wrap = sa->seq_hi - sa->last_seq_hi;
447
448 if (wrap == 0 && seq > sa->last_seq)
449 {
450 pos = seq - sa->last_seq;
451 if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
452 sa->replay_window = ((sa->replay_window) << pos) | 1;
453 else
454 sa->replay_window = 1;
455 sa->last_seq = seq;
456 }
457 else if (wrap > 0)
458 {
459 pos = ~seq + sa->last_seq + 1;
460 if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
461 sa->replay_window = ((sa->replay_window) << pos) | 1;
462 else
463 sa->replay_window = 1;
464 sa->last_seq = seq;
465 sa->last_seq_hi = sa->seq_hi;
466 }
467 else if (wrap < 0)
468 {
469 pos = ~seq + sa->last_seq + 1;
470 sa->replay_window |= (1ULL << pos);
471 }
472 else
473 {
474 pos = sa->last_seq - seq;
475 sa->replay_window |= (1ULL << pos);
476 }
477 }
478 else
479 {
480 if (seq > sa->last_seq)
481 {
482 pos = seq - sa->last_seq;
483 if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE)
484 sa->replay_window = ((sa->replay_window) << pos) | 1;
485 else
486 sa->replay_window = 1;
487 sa->last_seq = seq;
488 }
489 else
490 {
491 pos = sa->last_seq - seq;
492 sa->replay_window |= (1ULL << pos);
493 }
494 }
495}
496
Neale Rannsf62a8c02019-04-02 08:13:33 +0000497
498/*
499 * Makes choice for thread_id should be assigned.
500 * if input ~0, gets random worker_id based on unix_time_now_nsec
501*/
502always_inline u32
503ipsec_sa_assign_thread (u32 thread_id)
504{
505 return ((thread_id) ? thread_id
506 : (unix_time_now_nsec () % vlib_num_workers ()) + 1);
507}
508
Neale Ranns999c8ee2019-02-01 03:31:24 -0800509#endif /* __IPSEC_SPD_SA_H__ */
510
511/*
512 * fd.io coding-style-patch-verification: ON
513 *
514 * Local Variables:
515 * eval: (c-set-style "gnu")
516 * End:
517 */