ipsec: add support for RFC-4543 ENCR_NULL_AUTH_AES_GMAC

Type: improvement Change-Id: I830f7a2ea3ac0aff5185698b9fa7a278c45116b0 Signed-off-by: Benoît Ganne <bganne@cisco.com>
author: Benoît Ganne <bganne@cisco.com> 2023-03-10 17:33:03 +0100
committer: Beno�t Ganne <bganne@cisco.com> 2023-08-08 10:16:26 +0000
commit: 84e665848675afdc8e76fcbfb2bd65bccd4f25a8 (patch)
tree: dffd7c6fcd73a6a8c0d56470539b83bc1deed32e /src/vnet/ipsec/esp_encrypt.c
parent: 96600f907743729d25be38db292e093279e97d54 (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index 86f9094cedc..a836453b58e 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -415,6 +415,12 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
 	      op->aad_len = esp_aad_fill (op->aad, esp, sa0, seq_hi);
 	      op->tag = payload + crypto_len;
 	      op->tag_len = 16;
+	      if (PREDICT_FALSE (ipsec_sa_is_set_IS_NULL_GMAC (sa0)))
+		{
+		  /* RFC-4543 ENCR_NULL_AUTH_AES_GMAC: IV is part of AAD */
+		  crypto_start -= iv_sz;
+		  crypto_len += iv_sz;
+		}
 	    }
 	  else
 	    {
@@ -522,6 +528,12 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
 	  /* constuct aad in a scratch space in front of the nonce */
 	  aad = (u8 *) nonce - sizeof (esp_aead_t);
 	  esp_aad_fill (aad, esp, sa, sa->seq_hi);
+	  if (PREDICT_FALSE (ipsec_sa_is_set_IS_NULL_GMAC (sa)))
+	    {
+	      /* RFC-4543 ENCR_NULL_AUTH_AES_GMAC: IV is part of AAD */
+	      crypto_start_offset -= iv_sz;
+	      crypto_total_len += iv_sz;
+	    }
 	}
       else
 	{
author	Benoît Ganne <bganne@cisco.com>	2023-03-10 17:33:03 +0100
committer	Beno�t Ganne <bganne@cisco.com>	2023-08-08 10:16:26 +0000
commit	84e665848675afdc8e76fcbfb2bd65bccd4f25a8 (patch)
tree	dffd7c6fcd73a6a8c0d56470539b83bc1deed32e /src/vnet/ipsec/esp_encrypt.c
parent	96600f907743729d25be38db292e093279e97d54 (diff)