aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins
diff options
context:
space:
mode:
authorChristian Hopps <chopps@labn.net>2019-11-03 01:02:18 -0400
committerAndrew Yourtchenko <ayourtch@gmail.com>2019-11-18 13:30:59 +0000
commit8f6b9a39e63190639bfc19e162bfb63ccbf26871 (patch)
tree3f20e2727d9cd4f39de3845679ca7e8f6a59d4db /src/plugins
parentcde7068bbe8d76d84c2e44f79e32c60a1525bcc9 (diff)
dpdk: ipsec gcm fixes
- Fix AAD initialization. With use-esn the aad data consists of the SPI and the 64-bit sequence number in big-endian order. Fix the u32 swapped code. - Remove salt-reinitialization. The GCM code seems inspired by the GCM RFCs recommendations on IKE keydata and how to produce a salt value (create an extra 4 octets of keying material). This is not IKE code though and the SA already holds the configured salt value which this code is blowing away. Use the configured value instead. Type: fix Change-Id: I5e75518aa7c1d91037bb24b2a40fe4fc90bdfdb0 Signed-off-by: Christian Hopps <chopps@labn.net> (cherry picked from commit d58419f19b33560d224471bc16674a525427308e)
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/dpdk/ipsec/esp_decrypt.c5
-rw-r--r--src/plugins/dpdk/ipsec/esp_encrypt.c13
-rw-r--r--src/plugins/dpdk/ipsec/ipsec.c21
3 files changed, 14 insertions, 25 deletions
diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c
index afbab963009..112b96a12bd 100644
--- a/src/plugins/dpdk/ipsec/esp_decrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_decrypt.c
@@ -330,7 +330,10 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
/* _aad[3] should always be 0 */
if (PREDICT_FALSE (ipsec_sa_is_set_USE_ESN (sa0)))
- _aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
+ {
+ _aad[2] = _aad[1];
+ _aad[1] = clib_host_to_net_u32 (sa0->seq_hi);
+ }
else
_aad[2] = 0;
}
diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c
index 1d29841c5d7..dd37f081a15 100644
--- a/src/plugins/dpdk/ipsec/esp_encrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_encrypt.c
@@ -530,14 +530,19 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
if (is_aead)
{
aad = (u32 *) priv->aad;
- aad[0] = clib_host_to_net_u32 (sa0->spi);
- aad[1] = clib_host_to_net_u32 (sa0->seq);
+ aad[0] = esp0->spi;
/* aad[3] should always be 0 */
if (PREDICT_FALSE (ipsec_sa_is_set_USE_ESN (sa0)))
- aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
+ {
+ aad[1] = clib_host_to_net_u32 (sa0->seq_hi);
+ aad[2] = esp0->seq;
+ }
else
- aad[2] = 0;
+ {
+ aad[1] = esp0->seq;
+ aad[2] = 0;
+ }
}
else
{
diff --git a/src/plugins/dpdk/ipsec/ipsec.c b/src/plugins/dpdk/ipsec/ipsec.c
index 93efc6bcf7e..260775b0695 100644
--- a/src/plugins/dpdk/ipsec/ipsec.c
+++ b/src/plugins/dpdk/ipsec/ipsec.c
@@ -494,7 +494,6 @@ dpdk_crypto_session_disposal (crypto_session_disposal_t * v, u64 ts)
static clib_error_t *
add_del_sa_session (u32 sa_index, u8 is_add)
{
- ipsec_main_t *im = &ipsec_main;
dpdk_crypto_main_t *dcm = &dpdk_crypto_main;
crypto_data_t *data;
struct rte_cryptodev_sym_session *s;
@@ -502,25 +501,7 @@ add_del_sa_session (u32 sa_index, u8 is_add)
u32 drv_id;
if (is_add)
- {
-#if 1
- ipsec_sa_t *sa = pool_elt_at_index (im->sad, sa_index);
- u32 seed;
- switch (sa->crypto_alg)
- {
- case IPSEC_CRYPTO_ALG_AES_GCM_128:
- case IPSEC_CRYPTO_ALG_AES_GCM_192:
- case IPSEC_CRYPTO_ALG_AES_GCM_256:
- clib_memcpy (&sa->salt,
- &sa->crypto_key.data[sa->crypto_key.len - 4], 4);
- break;
- default:
- seed = (u32) clib_cpu_time_now ();
- sa->salt = random_u32 (&seed);
- }
-#endif
- return 0;
- }
+ return 0;
/* *INDENT-OFF* */
vec_foreach (data, dcm->data)