From 6afaae156a9ab9de79474367d8873407f3b12a71 Mon Sep 17 00:00:00 2001
From: Neale Ranns
Date: Wed, 17 Jul 2019 15:07:14 +0000
Subject: ipsec: GCM, Anti-replay and ESN fixess

Type: fix

Several Fixes:
1 - Anti-replay did not work with GCM becuase it overwrote the sequence number in the ESP header. To fix i added the seq num to the per-packet data so it is preserved
2 - The high sequence number was not byte swapped during ESP encrypt.
3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM the others return BAD_HMAC. removed the former
4 - improved tracing to show the low and high seq numbers
5 - documented the anti-replay window checks
6 - fixed scapy patch for ESN support for GCM
7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo

Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns
---
 src/plugins/dpdk/ipsec/esp_decrypt.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'src/plugins/dpdk/ipsec')

diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c
index 4982db7ee6d..a82f63e6e5b 100644
--- a/src/plugins/dpdk/ipsec/esp_decrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_decrypt.c
@@ -235,7 +235,8 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
 }
 
 /* anti-replay check */
- if (ipsec_sa_anti_replay_check (sa0, &esp0->seq))
+ if (ipsec_sa_anti_replay_check
+ (sa0, clib_host_to_net_u32 (esp0->seq)))
 {
 clib_warning ("failed anti-replay check");
 if (is_ip6)
@@ -549,7 +550,8 @@ dpdk_esp_decrypt_post_inline (vlib_main_t * vm,
 
 iv_size = cipher_alg->iv_len;
 
- ipsec_sa_anti_replay_advance (sa0, esp0->seq);
+ ipsec_sa_anti_replay_advance (sa0,
+ clib_host_to_net_u32 (esp0->seq));
 
 /* if UDP encapsulation is used adjust the address of the IP header */
 if (ipsec_sa_is_set_UDP_ENCAP (sa0)
-- 
cgit 1.2.3-korg
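Review bot: The new call converts `esp0->seq` with `clib_host_to_net_u32`, but that field is read straight from the received ESP header and is therefore already in network order, so the conversion into the host-order value the check presumably expects (the commit drops the old pointer form) should be spelled `clib_net_to_host_u32`. On every endianness the two helpers perform the same operation (a byte swap is its own inverse, and both are no-ops on big-endian hosts), so this is a naming point rather than a functional one, yet anyone auditing byte-order handling in a replay check will stop on it; the `ipsec_sa_anti_replay_advance` call in the second hunk has the same wording. Proposed: `if (ipsec_sa_anti_replay_check (sa0, clib_net_to_host_u32 (esp0->seq)))`. Separately, the retained `clib_warning ("failed anti-replay check")` fires per packet on the failure path, which under a burst of replayed packets floods the log; a per-node error counter is the usual idiom here if one exists for this node. dpdk_esp_decrypt_inline starts before and continues after the hunk.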
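Review bot: The rewritten `ipsec_sa_anti_replay_advance` call carries no statement of its precondition: per RFC 4303 section 3.4.3 the anti-replay window may only be advanced for a packet whose ICV has verified, otherwise forged sequence numbers can slide the window forward and cause legitimate traffic to be dropped. The call sits in dpdk_esp_decrypt_post_inline, which I assume runs after the crypto operation completed and after its status was checked earlier in the function, but that check is outside the hunk, so please confirm it precedes this line. I would add `/* ICV verified above: safe to slide the anti-replay window (RFC 4303 3.4.3) */` on the line before the call. dpdk_esp_decrypt_post_inline starts before and continues after the hunk.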