diff options
| author |   Neale Ranns <nranns@cisco.com> | 2019-07-17 15:07:14 +0000 |
|---|---|---|
| committer |   Damjan Marion <dmarion@me.com> | 2019-07-24 11:01:47 +0000 |
| commit | 6afaae156a9ab9de79474367d8873407f3b12a71 (patch) | |
| tree | 016e506a1636bf72944217c7e324091d61d21b69 /src/plugins | |
| parent | ae3eaacaf1df7b83d6ef6b30290e1390d38197df (diff) | |
ipsec: GCM, Anti-replay and ESN fixess
Type: fix
Several Fixes:
1 - Anti-replay did not work with GCM becuase it overwrote the sequence
number in the ESP header. To fix i added the seq num to the per-packet
data so it is preserved
2 - The high sequence number was not byte swapped during ESP encrypt.
3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM
the others return BAD_HMAC. removed the former
4 - improved tracing to show the low and high seq numbers
5 - documented the anti-replay window checks
6 - fixed scapy patch for ESN support for GCM
7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo
Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/plugins')
| -rw-r--r-- | src/plugins/crypto_openssl/main.c | 2 | ||||
| -rw-r--r-- | src/plugins/dpdk/ipsec/esp_decrypt.c | 6 |
2 files changed, 5 insertions, 3 deletions
diff --git a/src/plugins/crypto_openssl/main.c b/src/plugins/crypto_openssl/main.c index fd749d04926..7362d6bd16e 100644 --- a/src/plugins/crypto_openssl/main.c +++ b/src/plugins/crypto_openssl/main.c @@ -169,7 +169,7 @@ openssl_ops_dec_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops, else { n_fail++; - op->status = VNET_CRYPTO_OP_STATUS_FAIL_DECRYPT; + op->status = VNET_CRYPTO_OP_STATUS_FAIL_BAD_HMAC; } } return n_ops - n_fail; diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c index 4982db7ee6d..a82f63e6e5b 100644 --- a/src/plugins/dpdk/ipsec/esp_decrypt.c +++ b/src/plugins/dpdk/ipsec/esp_decrypt.c @@ -235,7 +235,8 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm, } /* anti-replay check */ - if (ipsec_sa_anti_replay_check (sa0, &esp0->seq)) + if (ipsec_sa_anti_replay_check + (sa0, clib_host_to_net_u32 (esp0->seq))) { clib_warning ("failed anti-replay check"); if (is_ip6) @@ -549,7 +550,8 @@ dpdk_esp_decrypt_post_inline (vlib_main_t * vm, iv_size = cipher_alg->iv_len; - ipsec_sa_anti_replay_advance (sa0, esp0->seq); + ipsec_sa_anti_replay_advance (sa0, + clib_host_to_net_u32 (esp0->seq)); /* if UDP encapsulation is used adjust the address of the IP header */ if (ipsec_sa_is_set_UDP_ENCAP (sa0) |