| field | value | date |
|---|---|---|
| author | Neale Ranns <nranns@cisco.com> | 2019-07-17 15:07:14 +0000 |
| committer | Damjan Marion <dmarion@me.com> | 2019-07-24 11:01:47 +0000 |
| commit | 6afaae156a9ab9de79474367d8873407f3b12a71 | |
| tree | 016e506a1636bf72944217c7e324091d61d21b69 /src/vnet/ipsec/ah_decrypt.c | |
| parent | ae3eaacaf1df7b83d6ef6b30290e1390d38197df | |
ipsec: GCM, Anti-replay and ESN fixes
Type: fix
Several Fixes:
1 - Anti-replay did not work with GCM because it overwrote the sequence
number in the ESP header. To fix I added the seq num to the per-packet
data so it is preserved
2 - The high sequence number was not byte swapped during ESP encrypt.
3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM;
the others return BAD_HMAC. Removed the former
4 - improved tracing to show the low and high seq numbers
5 - documented the anti-replay window checks
6 - fixed scapy patch for ESN support for GCM
7 - tests for anti-replay (w/ and w/o ESN) for each crypto algo
Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/ah_decrypt.c')
-rw-r--r-- | src/vnet/ipsec/ah_decrypt.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c index 741fa91b95c..bc6b5c4ec9d 100644 --- a/src/vnet/ipsec/ah_decrypt.c +++ b/src/vnet/ipsec/ah_decrypt.c @@ -203,7 +203,7 @@ ah_decrypt_inline (vlib_main_t * vm, pd->seq = clib_host_to_net_u32 (ah0->seq_no); /* anti-replay check */ - if (ipsec_sa_anti_replay_check (sa0, &ah0->seq_no)) + if (ipsec_sa_anti_replay_check (sa0, pd->seq)) { b[0]->error = node->errors[AH_DECRYPT_ERROR_REPLAY]; next[0] = AH_DECRYPT_NEXT_DROP; @@ -303,7 +303,7 @@ ah_decrypt_inline (vlib_main_t * vm, if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE)) { - ipsec_sa_anti_replay_advance (sa0, clib_host_to_net_u32 (pd->seq)); + ipsec_sa_anti_replay_advance (sa0, pd->seq); } u16 ah_hdr_len = sizeof (ah_header_t) + pd->icv_size |
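Review bot: in the first hunk (around line 203), `pd->seq = clib_host_to_net_u32 (ah0->seq_no)` takes a network-order header field to host order with the host-to-net helper; the swap is symmetric so the value is correct, but `clib_net_to_host_u32 (ah0->seq_no)` would state the intent and match how `pd->seq` is now consumed by `ipsec_sa_anti_replay_check (sa0, pd->seq)`. Passing the host-order value instead of `&ah0->seq_no` also means the callee can no longer write back into the header, which is the point of the fix, but it relies on a matching signature change in the SA header that is outside this file's diffstat; please confirm the ESP decrypt callers were switched in the same commit so no caller still hands the function a pointer.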
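Review bot: in the second hunk (around line 303), `ipsec_sa_anti_replay_advance (sa0, pd->seq)` is guarded in the visible context only by `sa0->integ_alg != IPSEC_INTEG_ALG_NONE`; please confirm this block is reached only for packets whose ICV compare has already succeeded, because advancing the window on a packet that later fails integrity would let an attacker with forged packets slide the window forward and get genuine in-flight traffic dropped as "too old". Dropping the `clib_host_to_net_u32 (pd->seq)` wrapper is the right call here: with the check in the first hunk also taking `pd->seq`, the window is now checked and advanced with one host-order value rather than swapping the same number twice.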
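The commit message describes the anti-replay window checks and the byte-order handling of the (extended) sequence number without showing them. The following is an added example, not VPP code and not part of this commit: an RFC 4303 Appendix A style 64-packet sliding window that converts the header's network-order sequence number once and never writes it back to the packet, recovers the ESN high 32 bits from the receiver's window state (Appendix A2.2), does the preliminary check before ICV verification, and advances the window only afterwards. All names (`replay_sa_t`, `replay_check`, `replay_advance`, `replay_esn_high`) are hypothetical.

```c
/* Added example: RFC 4303-style anti-replay window with ESN recovery.
 * Hypothetical names; not VPP's ipsec_sa_anti_replay_* implementation. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohl: the header field arrives in network order */

#define REPLAY_WINDOW 64u   /* W: number of packets tracked in the bitmap */

typedef struct {
    bool     esn;       /* extended sequence numbers negotiated on this SA */
    uint64_t last_seq;  /* highest verified sequence number T = (Th << 32) | Tl */
    uint64_t bitmap;    /* bit i set => seq (last_seq - i) already received, i < W */
} replay_sa_t;

typedef enum { REPLAY_OK = 0, REPLAY_TOO_OLD, REPLAY_DUPLICATE, REPLAY_BAD_ESN } replay_rc_t;

static void replay_sa_init(replay_sa_t *sa, bool esn)
{
    memset(sa, 0, sizeof *sa);
    sa->esn = esn;
    sa->bitmap = 1;  /* seq 0 is never valid with anti-replay on; mark it as used */
}

/* Recover the high 32 bits of an ESN packet from the window state
 * (RFC 4303 Appendix A2.2). Returns false if the implied value would underflow. */
static bool replay_esn_high(const replay_sa_t *sa, uint32_t seql, uint32_t *seqh)
{
    uint32_t th = (uint32_t)(sa->last_seq >> 32);
    uint32_t tl = (uint32_t)sa->last_seq;
    uint32_t bl = tl - REPLAY_WINDOW + 1;   /* window lower bound, wraps mod 2^32 */

    if (tl >= REPLAY_WINDOW - 1) {
        /* Case A: the window does not cross a low-word wrap */
        *seqh = (seql >= bl) ? th : th + 1;
    } else {
        /* Case B: the window spans the wrap; seql >= bl means previous high cycle */
        if (seql >= bl) {
            if (th == 0)
                return false;
            *seqh = th - 1;
        } else {
            *seqh = th;
        }
    }
    return true;
}

/* Preliminary check, run before ICV verification. seq_no_net is the raw
 * network-order header field; it is converted into a local copy and the
 * packet is left untouched. On return *seq64 is the full sequence number
 * the ICV computation needs (for ESN the high word is covered too). */
static replay_rc_t replay_check(const replay_sa_t *sa, uint32_t seq_no_net, uint64_t *seq64)
{
    uint32_t seql = ntohl(seq_no_net);
    uint32_t seqh = 0;

    if (sa->esn && !replay_esn_high(sa, seql, &seqh))
        return REPLAY_BAD_ESN;
    *seq64 = ((uint64_t)seqh << 32) | seql;

    if (*seq64 > sa->last_seq)
        return REPLAY_OK;                        /* right of the window: new */
    uint64_t diff = sa->last_seq - *seq64;
    if (diff >= REPLAY_WINDOW)
        return REPLAY_TOO_OLD;                   /* left of the window */
    if (sa->bitmap & ((uint64_t)1 << diff))
        return REPLAY_DUPLICATE;                 /* inside the window, seen before */
    return REPLAY_OK;                            /* inside the window, not yet seen */
}

/* Advance the window. Call ONLY after the ICV verified, with the seq64 that
 * replay_check accepted; otherwise forged packets could move the window. */
static void replay_advance(replay_sa_t *sa, uint64_t seq64)
{
    if (seq64 > sa->last_seq) {
        uint64_t shift = seq64 - sa->last_seq;
        sa->bitmap = (shift >= REPLAY_WINDOW) ? 1 : (sa->bitmap << shift) | 1;
        sa->last_seq = seq64;
    } else {
        /* replay_check guaranteed last_seq - seq64 < REPLAY_WINDOW */
        sa->bitmap |= (uint64_t)1 << (sa->last_seq - seq64);
    }
}
```

In a decrypt path the sequence is: `replay_check` on the raw header field, ICV verification over the packet plus (for ESN) the recovered high word in network order, then `replay_advance` with the same `seq64`. Keeping the host-order copy in per-packet state rather than rewriting the header is what lets the ICV still be computed over the bytes as they arrived, which is the failure the commit describes for GCM.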