diff options
author | Christian Hopps <chopps@labn.net> | 2019-11-03 01:02:18 -0400 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2019-11-07 21:39:40 +0000 |
commit | d58419f19b33560d224471bc16674a525427308e (patch) | |
tree | eeb78abb002c0e6d05b64d99280ab31aac989883 /src/plugins/dpdk/ipsec/esp_encrypt.c | |
parent | bc2e640db7533394a3de7bdffd78fadf2a2ffd9f (diff) |
dpdk: ipsec gcm fixes
- Fix AAD initialization. With use-esn the aad data consists of the SPI
and the 64-bit sequence number in big-endian order. Fix the u32 swapped
code.
- Remove salt-reinitialization. The GCM code seems inspired by the GCM
RFCs recommendations on IKE keydata and how to produce a salt
value (create an extra 4 octets of keying material). This is not IKE
code though and the SA already holds the configured salt value which
this code is blowing away. Use the configured value instead.
Type: fix
Change-Id: I5e75518aa7c1d91037bb24b2a40fe4fc90bdfdb0
Signed-off-by: Christian Hopps <chopps@labn.net>
Diffstat (limited to 'src/plugins/dpdk/ipsec/esp_encrypt.c')
-rw-r--r-- | src/plugins/dpdk/ipsec/esp_encrypt.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c index 1d29841c5d7..dd37f081a15 100644 --- a/src/plugins/dpdk/ipsec/esp_encrypt.c +++ b/src/plugins/dpdk/ipsec/esp_encrypt.c @@ -530,14 +530,19 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm, if (is_aead) { aad = (u32 *) priv->aad; - aad[0] = clib_host_to_net_u32 (sa0->spi); - aad[1] = clib_host_to_net_u32 (sa0->seq); + aad[0] = esp0->spi; /* aad[3] should always be 0 */ if (PREDICT_FALSE (ipsec_sa_is_set_USE_ESN (sa0))) - aad[2] = clib_host_to_net_u32 (sa0->seq_hi); + { + aad[1] = clib_host_to_net_u32 (sa0->seq_hi); + aad[2] = esp0->seq; + } else - aad[2] = 0; + { + aad[1] = esp0->seq; + aad[2] = 0; + } } else { |