summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-04-16 02:41:34 +0000
committerDamjan Marion <dmarion@me.com>2019-04-17 13:05:07 +0000
commit80f6fd53feaa10b4a798582100724075897c0944 (patch)
tree1cd1a7f4b910cf5fbf32aa4b4e2c1028c6c980b7 /src
parentd8cfbebce78e26a6ef7f6693e7c90dc3c6435d51 (diff)
IPSEC: Pass the algorithm salt (used in GCM) over the API
Change-Id: Ia8cea13f7b937294e6a080a55fb2ceff30063acf Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src')
-rw-r--r--src/vnet/ipsec/esp_decrypt.c4
-rw-r--r--src/vnet/ipsec/ipsec.api4
-rw-r--r--src/vnet/ipsec/ipsec_api.c4
-rw-r--r--src/vnet/ipsec/ipsec_cli.c7
-rw-r--r--src/vnet/ipsec/ipsec_format.c3
-rw-r--r--src/vnet/ipsec/ipsec_sa.h4
6 files changed, 16 insertions, 10 deletions
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index d2365fce2d8..e74c1bb908a 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -239,7 +239,6 @@ esp_decrypt_inline (vlib_main_t * vm,
esp_header_t *esp0;
esp_aead_t *aad;
u8 *scratch;
- u32 salt;
/*
* construct the AAD and the nonce (Salt || IV) in a scratch
@@ -258,9 +257,8 @@ esp_decrypt_inline (vlib_main_t * vm,
* can overwrite it with the salt and use the IV where it is
* to form the nonce = (Salt + IV)
*/
- salt = clib_host_to_net_u32 (sa0->salt);
op->iv -= sizeof (sa0->salt);
- clib_memcpy_fast (op->iv, &salt, sizeof (sa0->salt));
+ clib_memcpy_fast (op->iv, &sa0->salt, sizeof (sa0->salt));
op->iv_len = cpd.iv_sz + sizeof (sa0->salt);
op->tag = payload + len;
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index bc407f1d272..3a2c993f99c 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -262,6 +262,7 @@ typedef key
@param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
@param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
@param tx_table_id - the FIB id used for encapsulated packets
+ @param salt - for use with counter mode ciphers
*/
typedef ipsec_sad_entry
{
@@ -282,6 +283,7 @@ typedef ipsec_sad_entry
vl_api_address_t tunnel_src;
vl_api_address_t tunnel_dst;
u32 tx_table_id;
+ u32 salt;
};
/** \brief IPsec: Add/delete Security Association Database entry
@@ -374,6 +376,7 @@ define ipsec_spd_interface_details {
@param show_instance - instance to display for intf if renumber is set
@param udp_encap - enable UDP encapsulation for NAT traversal
@param tx_table_id - the FIB id used after packet encap
+ @param salt - for use with counter mode ciphers
*/
define ipsec_tunnel_if_add_del {
u32 client_index;
@@ -399,6 +402,7 @@ define ipsec_tunnel_if_add_del {
u32 show_instance;
u8 udp_encap;
u32 tx_table_id;
+ u32 salt;
};
/** \brief Add/delete IPsec tunnel interface response
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 767cd2fb076..4a15beb6631 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -385,12 +385,11 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
ip_address_decode (&mp->entry.tunnel_src, &tun_src);
ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
-
if (mp->is_add)
rv = ipsec_sa_add (id, spi, proto,
crypto_alg, &crypto_key,
integ_alg, &integ_key, flags,
- 0, 0, &tun_src, &tun_dst, &sa_index);
+ 0, mp->entry.salt, &tun_src, &tun_dst, &sa_index);
else
rv = ipsec_sa_del (id);
@@ -644,6 +643,7 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
tun.remote_integ_key_len = mp->remote_integ_key_len;
tun.udp_encap = mp->udp_encap;
tun.tx_table_id = ntohl (mp->tx_table_id);
+ tun.salt = mp->salt;
itype = ip_address_decode (&mp->local_ip, &tun.local_ip);
itype = ip_address_decode (&mp->remote_ip, &tun.remote_ip);
tun.is_ip6 = (IP46_TYPE_IP6 == itype);
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 096060865e9..b6bdc40fd1a 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -84,8 +84,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
clib_error_t *error;
ipsec_key_t ck = { 0 };
ipsec_key_t ik = { 0 };
+ u32 id, spi, salt;
int is_add, rv;
- u32 id, spi;
error = NULL;
is_add = 0;
@@ -103,6 +103,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
is_add = 0;
else if (unformat (line_input, "spi %u", &spi))
;
+ else if (unformat (line_input, "salt %u", &salt))
+ ;
else if (unformat (line_input, "esp"))
proto = IPSEC_PROTOCOL_ESP;
else if (unformat (line_input, "ah"))
@@ -141,7 +143,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
if (is_add)
rv = ipsec_sa_add (id, spi, proto, crypto_alg,
&ck, integ_alg, &ik, flags,
- 0, 0, &tun_src, &tun_dst, NULL);
+ 0, clib_host_to_net_u32 (salt),
+ &tun_src, &tun_dst, NULL);
else
rv = ipsec_sa_del (id);
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 93b1efd6902..44f064d6112 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -290,7 +290,7 @@ format_ipsec_sa (u8 * s, va_list * args)
if (!(flags & IPSEC_FORMAT_DETAIL))
goto done;
- s = format (s, "\n salt 0x%x", sa->salt);
+ s = format (s, "\n salt 0x%x", clib_net_to_host_u32 (sa->salt));
s = format (s, "\n seq %u seq-hi %u", sa->seq, sa->seq_hi);
s = format (s, "\n last-seq %u last-seq-hi %u window %U",
sa->last_seq, sa->last_seq_hi,
@@ -303,6 +303,7 @@ format_ipsec_sa (u8 * s, va_list * args)
format_ipsec_integ_alg, sa->integ_alg);
if (sa->integ_alg)
s = format (s, " key %U", format_ipsec_key, &sa->integ_key);
+
vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts);
s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes);
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index f87e12e0204..d1b44c3165f 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -160,9 +160,9 @@ typedef struct
u32 sibling;
u32 tx_fib_index;
- u32 salt;
- /* runtime */
+ /* Salt used in GCM modes - stored in network byte order */
+ u32 salt;
} ipsec_sa_t;
STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline1, CLIB_CACHE_LINE_BYTES);