aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
diff options
context:
space:
mode:
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/esp.h19
-rw-r--r--src/vnet/ipsec/esp_decrypt.c28
-rw-r--r--src/vnet/ipsec/esp_encrypt.c32
-rw-r--r--src/vnet/ipsec/ipsec.h4
4 files changed, 57 insertions, 26 deletions
diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h
index 82e3c961e1a..10f2f2df88a 100644
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -52,6 +52,8 @@ typedef CLIB_PACKED (struct {
typedef struct
{
const EVP_CIPHER *type;
+ u8 iv_size;
+ u8 block_size;
} ipsec_proto_main_crypto_alg_t;
typedef struct
@@ -258,6 +260,23 @@ ipsec_proto_init ()
EVP_aes_192_cbc ();
em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].type =
EVP_aes_256_cbc ();
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].iv_size = 16;
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].iv_size = 16;
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].iv_size = 16;
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_128].block_size =
+ 16;
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_192].block_size =
+ 16;
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_AES_CBC_256].block_size =
+ 16;
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_DES_CBC].type =
+ EVP_des_cbc ();
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_3DES_CBC].type =
+ EVP_des_ede3_cbc ();
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_DES_CBC].block_size = 8;
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_3DES_CBC].block_size = 8;
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_DES_CBC].iv_size = 8;
+ em->ipsec_proto_main_crypto_algs[IPSEC_CRYPTO_ALG_3DES_CBC].iv_size = 8;
vec_validate (em->ipsec_proto_main_integ_algs, IPSEC_INTEG_N_ALG - 1);
ipsec_proto_main_integ_alg_t *i;
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index fac40358f16..a769e6bd51a 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -81,8 +81,8 @@ format_esp_decrypt_trace (u8 * s, va_list * args)
}
always_inline void
-esp_decrypt_aes_cbc (ipsec_crypto_alg_t alg,
- u8 * in, u8 * out, size_t in_len, u8 * key, u8 * iv)
+esp_decrypt_cbc (ipsec_crypto_alg_t alg,
+ u8 * in, u8 * out, size_t in_len, u8 * key, u8 * iv)
{
ipsec_proto_main_t *em = &ipsec_proto_main;
u32 thread_index = vlib_get_thread_index ();
@@ -246,11 +246,15 @@ esp_decrypt_node_fn (vlib_main_t * vm,
/* add old buffer to the recycle list */
vec_add1 (recycle, i_bi0);
- if (sa0->crypto_alg >= IPSEC_CRYPTO_ALG_AES_CBC_128 &&
- sa0->crypto_alg <= IPSEC_CRYPTO_ALG_AES_CBC_256)
+ if ((sa0->crypto_alg >= IPSEC_CRYPTO_ALG_AES_CBC_128 &&
+ sa0->crypto_alg <= IPSEC_CRYPTO_ALG_AES_CBC_256) ||
+ (sa0->crypto_alg >= IPSEC_CRYPTO_ALG_DES_CBC &&
+ sa0->crypto_alg <= IPSEC_CRYPTO_ALG_3DES_CBC))
{
- const int BLOCK_SIZE = 16;
- const int IV_SIZE = 16;
+ const int BLOCK_SIZE =
+ em->ipsec_proto_main_crypto_algs[sa0->crypto_alg].block_size;;
+ const int IV_SIZE =
+ em->ipsec_proto_main_crypto_algs[sa0->crypto_alg].iv_size;
esp_footer_t *f0;
u8 ip_hdr_size = 0;
@@ -298,13 +302,13 @@ esp_decrypt_node_fn (vlib_main_t * vm,
}
}
- esp_decrypt_aes_cbc (sa0->crypto_alg,
- esp0->data + IV_SIZE,
- (u8 *) vlib_buffer_get_current (o_b0) +
- ip_hdr_size, BLOCK_SIZE * blocks,
- sa0->crypto_key, esp0->data);
+ esp_decrypt_cbc (sa0->crypto_alg,
+ esp0->data + IV_SIZE,
+ (u8 *) vlib_buffer_get_current (o_b0) +
+ ip_hdr_size, BLOCK_SIZE * blocks,
+ sa0->crypto_key, esp0->data);
- o_b0->current_length = (blocks * 16) - 2 + ip_hdr_size;
+ o_b0->current_length = (blocks * BLOCK_SIZE) - 2 + ip_hdr_size;
o_b0->flags = VLIB_BUFFER_TOTAL_LENGTH_VALID;
f0 =
(esp_footer_t *) ((u8 *) vlib_buffer_get_current (o_b0) +
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index 3e196b34869..44a0451d29a 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -85,8 +85,8 @@ format_esp_encrypt_trace (u8 * s, va_list * args)
}
always_inline void
-esp_encrypt_aes_cbc (ipsec_crypto_alg_t alg,
- u8 * in, u8 * out, size_t in_len, u8 * key, u8 * iv)
+esp_encrypt_cbc (ipsec_crypto_alg_t alg,
+ u8 * in, u8 * out, size_t in_len, u8 * key, u8 * iv)
{
ipsec_proto_main_t *em = &ipsec_proto_main;
u32 thread_index = vlib_get_thread_index ();
@@ -125,6 +125,7 @@ esp_encrypt_node_fn (vlib_main_t * vm,
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
ipsec_main_t *im = &ipsec_main;
+ ipsec_proto_main_t *em = &ipsec_proto_main;
u32 *recycle = 0;
u32 thread_index = vlib_get_thread_index ();
@@ -306,8 +307,10 @@ esp_encrypt_node_fn (vlib_main_t * vm,
if (PREDICT_TRUE (sa0->crypto_alg != IPSEC_CRYPTO_ALG_NONE))
{
- const int BLOCK_SIZE = 16;
- const int IV_SIZE = 16;
+ const int BLOCK_SIZE =
+ em->ipsec_proto_main_crypto_algs[sa0->crypto_alg].block_size;
+ const int IV_SIZE =
+ em->ipsec_proto_main_crypto_algs[sa0->crypto_alg].iv_size;
int blocks = 1 + (i_b0->current_length + 1) / BLOCK_SIZE;
/* pad packet in input buffer */
@@ -330,18 +333,21 @@ esp_encrypt_node_fn (vlib_main_t * vm,
vnet_buffer (o_b0)->sw_if_index[VLIB_RX] =
vnet_buffer (i_b0)->sw_if_index[VLIB_RX];
- u8 iv[16];
+ u8 iv[em->
+ ipsec_proto_main_crypto_algs[sa0->crypto_alg].iv_size];
RAND_bytes (iv, sizeof (iv));
clib_memcpy ((u8 *) vlib_buffer_get_current (o_b0) +
- ip_hdr_size + sizeof (esp_header_t), iv, 16);
-
- esp_encrypt_aes_cbc (sa0->crypto_alg,
- (u8 *) vlib_buffer_get_current (i_b0),
- (u8 *) vlib_buffer_get_current (o_b0) +
- ip_hdr_size + sizeof (esp_header_t) +
- IV_SIZE, BLOCK_SIZE * blocks,
- sa0->crypto_key, iv);
+ ip_hdr_size + sizeof (esp_header_t), iv,
+ em->ipsec_proto_main_crypto_algs[sa0->
+ crypto_alg].iv_size);
+
+ esp_encrypt_cbc (sa0->crypto_alg,
+ (u8 *) vlib_buffer_get_current (i_b0),
+ (u8 *) vlib_buffer_get_current (o_b0) +
+ ip_hdr_size + sizeof (esp_header_t) +
+ IV_SIZE, BLOCK_SIZE * blocks,
+ sa0->crypto_key, iv);
}
o_b0->current_length += hmac_calc (sa0->integ_alg, sa0->integ_key,
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index e59cfcc4520..32bdee9c062 100644
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -73,7 +73,9 @@ typedef enum
_(6, AES_CTR_256, "aes-ctr-256") \
_(7, AES_GCM_128, "aes-gcm-128") \
_(8, AES_GCM_192, "aes-gcm-192") \
- _(9, AES_GCM_256, "aes-gcm-256")
+ _(9, AES_GCM_256, "aes-gcm-256") \
+ _(10, DES_CBC, "des-cbc") \
+ _(11, 3DES_CBC, "3des-cbc")
typedef enum
{