summaryrefslogtreecommitdiffstats
path: root/src/vnet/crypto
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-07-17 15:07:14 +0000
committerDamjan Marion <dmarion@me.com>2019-07-24 11:01:47 +0000
commit6afaae156a9ab9de79474367d8873407f3b12a71 (patch)
tree016e506a1636bf72944217c7e324091d61d21b69 /src/vnet/crypto
parentae3eaacaf1df7b83d6ef6b30290e1390d38197df (diff)
ipsec: GCM, Anti-replay and ESN fixess
Type: fix Several Fixes: 1 - Anti-replay did not work with GCM becuase it overwrote the sequence number in the ESP header. To fix i added the seq num to the per-packet data so it is preserved 2 - The high sequence number was not byte swapped during ESP encrypt. 3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM the others return BAD_HMAC. removed the former 4 - improved tracing to show the low and high seq numbers 5 - documented the anti-replay window checks 6 - fixed scapy patch for ESN support for GCM 7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet/crypto')
-rw-r--r--src/vnet/crypto/crypto.h3
1 files changed, 1 insertions, 2 deletions
diff --git a/src/vnet/crypto/crypto.h b/src/vnet/crypto/crypto.h
index 9c15d53a6c1..9326a078f8a 100644
--- a/src/vnet/crypto/crypto.h
+++ b/src/vnet/crypto/crypto.h
@@ -65,8 +65,7 @@ typedef enum
_(PENDING, "pending") \
_(COMPLETED, "completed") \
_(FAIL_NO_HANDLER, "no-handler") \
- _(FAIL_BAD_HMAC, "bad-hmac") \
- _(FAIL_DECRYPT, "decrypt-fail")
+ _(FAIL_BAD_HMAC, "bad-hmac")
typedef enum
{