Merge branch 'ipsec' into PR #768

- update Lisper according to API change
Igalia · May 16, 2016 · 5f1e3a3 · 5f1e3a3
2 parents 5e51a6a + 29653a7
commit 5f1e3a3
Show file tree

Hide file tree

Showing 16 changed files with 420 additions and 240 deletions.
diff --git a/src/README.md b/src/README.md
@@ -337,6 +337,12 @@ Returns the payload length of *packet*.
 
 Returns an exact copy of *packet*.
 
+— Function **packet.resize** *packet*, *length*
+
+Sets the payload length of *packet*, truncating or extending its payload. In
+the latter case the contents of the extended area at the end of the payload are
+filled with zeros.
+
 — Function **packet.append** *packet*, *pointer*, *length*
 
 Appends *length* bytes starting at *pointer* to the end of *packet*. An

diff --git a/src/core/lib.c b/src/core/lib.c
@@ -79,15 +79,3 @@ void nop()
 {
 }
 
-/* Bitswap uint64_t. */
-uint64_t bswap64 (uint64_t b)
-{
-  return ((((uint64_t) b & (uint64_t) 0x00000000000000ff) << 56) |
-          (((uint64_t) b & (uint64_t) 0x000000000000ff00) << 40) |
-          (((uint64_t) b & (uint64_t) 0x0000000000ff0000) << 24) |
-          (((uint64_t) b & (uint64_t) 0x00000000ff000000) <<  8) |
-          (((uint64_t) b & (uint64_t) 0x000000ff00000000) >>  8) |
-          (((uint64_t) b & (uint64_t) 0x0000ff0000000000) >> 24) |
-          (((uint64_t) b & (uint64_t) 0x00ff000000000000) >> 40) |
-          (((uint64_t) b & (uint64_t) 0xff00000000000000) >> 56));
-}
diff --git a/src/core/lib.h b/src/core/lib.h
@@ -8,4 +8,3 @@ void full_memory_barrier();
 void prefetch_for_read(const void *address);
 void prefetch_for_write(const void *address);
 unsigned int stat_mtime(const char *path);
-uint64_t bswap64 (uint64_t b);
diff --git a/src/core/lib.lua b/src/core/lib.lua
@@ -357,19 +357,15 @@ end
 -- avoid C function call overhead while using C.xxxx counterparts
 if ffi.abi("be") then
    -- nothing to do
-   function htonll(b) return b end
    function htonl(b) return b end
    function htons(b) return b end
 else
-   function htonll(b) return C.bswap64(b) end
    function htonl(b) return bswap(b) end
    function htons(b) return rshift(bswap(b), 16) end
 end
-ntohll = htonll
 ntohl = htonl
 ntohs = htons
 
-
 -- Manipulation of bit fields in uint{8,16,32)_t stored in network
 -- byte order.  Using bit fields in C structs is compiler-dependent
 -- and a little awkward for handling endianness and fields that cross

diff --git a/src/core/packet.lua b/src/core/packet.lua
@@ -135,6 +135,13 @@ function data (p) return p.data end
 -- Return packet data length.
 function length (p) return p.length end
 
+-- Set packet data length.
+function resize (p, len)
+   assert(len <= max_payload, "packet payload overflow")
+   ffi.fill(p.data + p.length, math.max(0, len - p.length))
+   p.length = len
+end
+
 function preallocate_step()
    assert(packets_allocated + packet_allocation_step <= max_packets,
           "packet allocation overflow")

diff --git a/src/doc/genbook.sh b/src/doc/genbook.sh
@@ -70,6 +70,10 @@ $(cat $mdroot/lib/hardware/README.md)
 
 $(cat $mdroot/lib/protocol/README.md)
 
+## IPsec
+
+$(cat ../lib/ipsec/README.md)
+
 ## Snabb NFV
 
 $(cat $mdroot/program/snabbnfv/README.md)

diff --git a/src/lib/ipsec/README.md b/src/lib/ipsec/README.md
@@ -1,4 +1,4 @@
-### IPsec/ESP (lib.ipsec.esp)
+### Encapsulating Security Payload (lib.ipsec.esp)
 
 The `lib.ipsec.esp` module contains two classes `esp_v6_encrypt` and
 `esp_v6_decrypt` which implement implement packet encryption and
@@ -13,6 +13,9 @@ UDP, L2TPv3) and also encrypts the contents of the inner protocol
 header. The decrypt class does the reverse: it decrypts the inner
 protocol header and removes the ESP protocol header.
 
+Anti-replay protection as well as recovery from synchronization loss due to
+excessive packet loss are *not* implemented.
+
 References:
 
 - [IPsec Wikipedia page](https://en.wikipedia.org/wiki/IPsec).
@@ -26,22 +29,22 @@ References:
 Returns a new encryption/decryption context respectively. *Config* must a
 be a table with the following keys:
 
-* `spi` - “Security Parameter Index” as specified in RFC 4303.
 * `mode` - Encryption mode (string). The only accepted value is the
   string `"aes-128-gcm"`.
 * `keymat` - Hex string containing 16 bytes of key material as specified
   in RFC 4106.
 * `salt` - Hex string containing four bytes of salt as specified in
   RFC 4106.
+* `spi` - “Security Parameter Index” as specified in RFC 4303.
+* `window_size` - *Optional*. Width of the window in which out of order packets
+  are accepted. The default is 128. (`esp_v6_decrypt` only.)
 
 — Method **esp_v6_encrypt:encapsulate** *packet*
 
-Returns a freshly allocated packet that is the encrypted and encapsulated
-version of *packet* or `nil` if header parsing failed. The contents of *packet*
-are destroyed in the process.
+Encapsulates *packet* and encrypts its payload. Returns `true` on success and
+`false` otherwise.
 
 — Method **esp_v6_decrypt:decapsulate** *packet*
 
-Returns a freshly allocated packet that is the decrypted and decapsulated
-version of *packet* or `nil` if header parsing or authentication failed. The
-contents of *packet* are destroyed in the process.
+Decapsulates *packet* and decrypts its payload. Returns `true` on success and
+`false` otherwise.