diff options
author | Neale Ranns <nranns@cisco.com> | 2019-04-11 15:14:07 +0000 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2019-04-17 00:12:05 +0000 |
commit | 32b13bba2e3013a1b2a67eca8fe6a177d8e927ed (patch) | |
tree | 97dbae11a361e7537be09329c80ae7c3a3acb799 /src/vnet/ipsec/esp_decrypt.c | |
parent | 07a4d675c8d1b1bc19fa1846369f610ab91a9aba (diff) |
IPSEC: support GCM in ESP
Change-Id: Id2ddb77b4ec3dd543d6e638bc882923f2bac011d
Signed-off-by: Neale Ranns <nranns@cisco.com>
(cherry picked from commit 47feb1146ec3b0e1cf2ebd83cd5211e1df261194)
Diffstat (limited to 'src/vnet/ipsec/esp_decrypt.c')
-rw-r--r-- | src/vnet/ipsec/esp_decrypt.c | 35 |
1 files changed, 34 insertions, 1 deletions
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index c94577a5d5a..d2365fce2d8 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -197,7 +197,7 @@ esp_decrypt_inline (vlib_main_t * vm, current_sa_pkts += 1; current_sa_bytes += pd->current_length; - if (PREDICT_TRUE (cpd.icv_sz > 0)) + if (PREDICT_TRUE (sa0->integ_op_id != VNET_CRYPTO_OP_NONE)) { vnet_crypto_op_t *op; vec_add2_aligned (ptd->integ_ops, op, 1, CLIB_CACHE_LINE_BYTES); @@ -233,6 +233,39 @@ esp_decrypt_inline (vlib_main_t * vm, vnet_crypto_op_init (op, sa0->crypto_dec_op_id); op->key = sa0->crypto_key.data; op->iv = payload; + + if (ipsec_sa_is_set_IS_AEAD (sa0)) + { + esp_header_t *esp0; + esp_aead_t *aad; + u8 *scratch; + u32 salt; + + /* + * construct the AAD and the nonce (Salt || IV) in a scratch + * space in front of the IP header. + */ + scratch = payload - esp_sz; + esp0 = (esp_header_t *) (scratch); + + scratch -= (sizeof (*aad) + pd->hdr_sz); + op->aad = scratch; + + esp_aad_fill (op, esp0, sa0); + + /* + * we don't need to refer to the ESP header anymore so we + * can overwrite it with the salt and use the IV where it is + * to form the nonce = (Salt + IV) + */ + salt = clib_host_to_net_u32 (sa0->salt); + op->iv -= sizeof (sa0->salt); + clib_memcpy_fast (op->iv, &salt, sizeof (sa0->salt)); + op->iv_len = cpd.iv_sz + sizeof (sa0->salt); + + op->tag = payload + len; + op->tag_len = 16; + } op->src = op->dst = payload += cpd.iv_sz; op->len = len - cpd.iv_sz; op->user_data = b - bufs; |