From 84e665848675afdc8e76fcbfb2bd65bccd4f25a8 Mon Sep 17 00:00:00 2001
From: Benoît Ganne <bganne@cisco.com>
Date: Fri, 10 Mar 2023 17:33:03 +0100
Subject: ipsec: add support for RFC-4543 ENCR_NULL_AUTH_AES_GMAC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Type: improvement

Change-Id: I830f7a2ea3ac0aff5185698b9fa7a278c45116b0
Signed-off-by: Benoît Ganne <bganne@cisco.com>
---
 src/vnet/ipsec/esp_decrypt.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'src/vnet/ipsec/esp_decrypt.c')

diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 43d292d27e8..2c1efa2f4be 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -562,6 +562,12 @@ esp_decrypt_prepare_sync_op (vlib_main_t * vm, vlib_node_runtime_t * node,
 	      op->aad_len = esp_aad_fill (op->aad, esp0, sa0, pd->seq_hi);
 	      op->tag = payload + len;
 	      op->tag_len = 16;
+	      if (PREDICT_FALSE (ipsec_sa_is_set_IS_NULL_GMAC (sa0)))
+		{
+		  /* RFC-4543 ENCR_NULL_AUTH_AES_GMAC: IV is part of AAD */
+		  payload -= iv_sz;
+		  len += iv_sz;
+		}
 	    }
 	  else
 	    {
@@ -682,6 +688,12 @@ out:
 	  aad = (u8 *) nonce - sizeof (esp_aead_t);
 	  esp_aad_fill (aad, esp0, sa0, pd->seq_hi);
 	  tag = payload + len;
+	  if (PREDICT_FALSE (ipsec_sa_is_set_IS_NULL_GMAC (sa0)))
+	    {
+	      /* RFC-4543 ENCR_NULL_AUTH_AES_GMAC: IV is part of AAD */
+	      payload -= iv_sz;
+	      len += iv_sz;
+	    }
 	}
       else
 	{
-- 
cgit 1.2.3-korg