summaryrefslogtreecommitdiffstats
path: root/src/plugins/dpdk/ipsec
diff options
context:
space:
mode:
authorChristian Hopps <chopps@labn.net>2019-11-03 01:02:18 -0400
committerDamjan Marion <dmarion@me.com>2019-11-07 21:39:40 +0000
commitd58419f19b33560d224471bc16674a525427308e (patch)
treeeeb78abb002c0e6d05b64d99280ab31aac989883 /src/plugins/dpdk/ipsec
parentbc2e640db7533394a3de7bdffd78fadf2a2ffd9f (diff)
dpdk: ipsec gcm fixes
- Fix AAD initialization. With use-esn the aad data consists of the SPI and the 64-bit sequence number in big-endian order. Fix the u32 swapped code. - Remove salt-reinitialization. The GCM code seems inspired by the GCM RFCs recommendations on IKE keydata and how to produce a salt value (create an extra 4 octets of keying material). This is not IKE code though and the SA already holds the configured salt value which this code is blowing away. Use the configured value instead. Type: fix Change-Id: I5e75518aa7c1d91037bb24b2a40fe4fc90bdfdb0 Signed-off-by: Christian Hopps <chopps@labn.net>
Diffstat (limited to 'src/plugins/dpdk/ipsec')
-rw-r--r--src/plugins/dpdk/ipsec/esp_decrypt.c5
-rw-r--r--src/plugins/dpdk/ipsec/esp_encrypt.c13
-rw-r--r--src/plugins/dpdk/ipsec/ipsec.c21
3 files changed, 14 insertions, 25 deletions
diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c
index afbab963009..112b96a12bd 100644
--- a/src/plugins/dpdk/ipsec/esp_decrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_decrypt.c
@@ -330,7 +330,10 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
/* _aad[3] should always be 0 */
if (PREDICT_FALSE (ipsec_sa_is_set_USE_ESN (sa0)))
- _aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
+ {
+ _aad[2] = _aad[1];
+ _aad[1] = clib_host_to_net_u32 (sa0->seq_hi);
+ }
else
_aad[2] = 0;
}
diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c
index 1d29841c5d7..dd37f081a15 100644
--- a/src/plugins/dpdk/ipsec/esp_encrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_encrypt.c
@@ -530,14 +530,19 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
if (is_aead)
{
aad = (u32 *) priv->aad;
- aad[0] = clib_host_to_net_u32 (sa0->spi);
- aad[1] = clib_host_to_net_u32 (sa0->seq);
+ aad[0] = esp0->spi;
/* aad[3] should always be 0 */
if (PREDICT_FALSE (ipsec_sa_is_set_USE_ESN (sa0)))
- aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
+ {
+ aad[1] = clib_host_to_net_u32 (sa0->seq_hi);
+ aad[2] = esp0->seq;
+ }
else
- aad[2] = 0;
+ {
+ aad[1] = esp0->seq;
+ aad[2] = 0;
+ }
}
else
{
diff --git a/src/plugins/dpdk/ipsec/ipsec.c b/src/plugins/dpdk/ipsec/ipsec.c
index 93efc6bcf7e..260775b0695 100644
--- a/src/plugins/dpdk/ipsec/ipsec.c
+++ b/src/plugins/dpdk/ipsec/ipsec.c
@@ -494,7 +494,6 @@ dpdk_crypto_session_disposal (crypto_session_disposal_t * v, u64 ts)
static clib_error_t *
add_del_sa_session (u32 sa_index, u8 is_add)
{
- ipsec_main_t *im = &ipsec_main;
dpdk_crypto_main_t *dcm = &dpdk_crypto_main;
crypto_data_t *data;
struct rte_cryptodev_sym_session *s;
@@ -502,25 +501,7 @@ add_del_sa_session (u32 sa_index, u8 is_add)
u32 drv_id;
if (is_add)
- {
-#if 1
- ipsec_sa_t *sa = pool_elt_at_index (im->sad, sa_index);
- u32 seed;
- switch (sa->crypto_alg)
- {
- case IPSEC_CRYPTO_ALG_AES_GCM_128:
- case IPSEC_CRYPTO_ALG_AES_GCM_192:
- case IPSEC_CRYPTO_ALG_AES_GCM_256:
- clib_memcpy (&sa->salt,
- &sa->crypto_key.data[sa->crypto_key.len - 4], 4);
- break;
- default:
- seed = (u32) clib_cpu_time_now ();
- sa->salt = random_u32 (&seed);
- }
-#endif
- return 0;
- }
+ return 0;
/* *INDENT-OFF* */
vec_foreach (data, dcm->data)