From 80f6fd53feaa10b4a798582100724075897c0944 Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Tue, 16 Apr 2019 02:41:34 +0000 Subject: IPSEC: Pass the algorithm salt (used in GCM) over the API Change-Id: Ia8cea13f7b937294e6a080a55fb2ceff30063acf Signed-off-by: Neale Ranns --- src/vnet/ipsec/esp_decrypt.c | 4 +--- src/vnet/ipsec/ipsec.api | 4 ++++ src/vnet/ipsec/ipsec_api.c | 4 ++-- src/vnet/ipsec/ipsec_cli.c | 7 +++++-- src/vnet/ipsec/ipsec_format.c | 3 ++- src/vnet/ipsec/ipsec_sa.h | 4 ++-- 6 files changed, 16 insertions(+), 10 deletions(-) (limited to 'src/vnet') diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index d2365fce2d8..e74c1bb908a 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -239,7 +239,6 @@ esp_decrypt_inline (vlib_main_t * vm, esp_header_t *esp0; esp_aead_t *aad; u8 *scratch; - u32 salt; /* * construct the AAD and the nonce (Salt || IV) in a scratch @@ -258,9 +257,8 @@ esp_decrypt_inline (vlib_main_t * vm, * can overwrite it with the salt and use the IV where it is * to form the nonce = (Salt + IV) */ - salt = clib_host_to_net_u32 (sa0->salt); op->iv -= sizeof (sa0->salt); - clib_memcpy_fast (op->iv, &salt, sizeof (sa0->salt)); + clib_memcpy_fast (op->iv, &sa0->salt, sizeof (sa0->salt)); op->iv_len = cpd.iv_sz + sizeof (sa0->salt); op->tag = payload + len; diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index bc407f1d272..3a2c993f99c 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api @@ -262,6 +262,7 @@ typedef key @param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero @param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero @param tx_table_id - the FIB id used for encapsulated packets + @param salt - for use with counter mode ciphers */ typedef ipsec_sad_entry { 
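Review bot: The `clib_memcpy_fast (op->iv, &sa0->salt, sizeof (sa0->salt));` line in the second esp_decrypt.c hunk now copies the stored salt verbatim into the nonce, so decryption is only correct if every writer of `sa->salt` stores it in network byte order. The comment above it explains the overwrite of the ESP header but not that assumption; I would add `/* sa0->salt is held in network byte order, copy it as-is */`. esp_encrypt.c is not in this commit's diffstat, so it is worth confirming that the encrypt path also uses the salt without a swap, since a mismatch would presumably surface as GCM tag failures against the peer. esp_decrypt_inline starts and ends outside the hunk.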
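Review bot: The new `@param salt - for use with counter mode ciphers` line for ipsec_sad_entry, and the identical line added for ipsec_tunnel_if_add_del, does not tell an API client what the field must contain. In this same commit ipsec_api.c passes the value to the SA without conversion and esp_decrypt.c copies it in front of the IV to form the nonce, so the byte order on the wire matters. I would write `@param salt - 4 byte salt for AES-GCM, in network byte order; keying material that is prepended to the IV to form the nonce`. If the field is ignored for other ciphers, saying so here would help too.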
@@ -282,6 +283,7 @@ typedef ipsec_sad_entry vl_api_address_t tunnel_src; vl_api_address_t tunnel_dst; u32 tx_table_id; + u32 salt; }; /** \brief IPsec: Add/delete Security Association Database entry @@ -374,6 +376,7 @@ define ipsec_spd_interface_details { @param show_instance - instance to display for intf if renumber is set @param udp_encap - enable UDP encapsulation for NAT traversal @param tx_table_id - the FIB id used after packet encap + @param salt - for use with counter mode ciphers */ define ipsec_tunnel_if_add_del { u32 client_index; @@ -399,6 +402,7 @@ define ipsec_tunnel_if_add_del { u32 show_instance; u8 udp_encap; u32 tx_table_id; + u32 salt; }; /** \brief Add/delete IPsec tunnel interface response diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index 767cd2fb076..4a15beb6631 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -385,12 +385,11 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler ip_address_decode (&mp->entry.tunnel_src, &tun_src); ip_address_decode (&mp->entry.tunnel_dst, &tun_dst); - if (mp->is_add) rv = ipsec_sa_add (id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags, - 0, 0, &tun_src, &tun_dst, &sa_index); + 0, mp->entry.salt, &tun_src, &tun_dst, &sa_index); else rv = ipsec_sa_del (id); @@ -644,6 +643,7 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * tun.remote_integ_key_len = mp->remote_integ_key_len; tun.udp_encap = mp->udp_encap; tun.tx_table_id = ntohl (mp->tx_table_id); + tun.salt = mp->salt; itype = ip_address_decode (&mp->local_ip, &tun.local_ip); itype = ip_address_decode (&mp->remote_ip, &tun.remote_ip); tun.is_ip6 = (IP46_TYPE_IP6 == itype); diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 096060865e9..b6bdc40fd1a 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c 
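Review bot: `mp->entry.salt` in the ipsec_sa_add call, and `tun.salt = mp->salt;` in the tunnel handler hunk directly below `tun.tx_table_id = ntohl (mp->tx_table_id);`, read as forgotten byte-order conversions to anyone who has not seen the comment this commit adds in ipsec_sa.h. The omission looks intentional, since the SA keeps the salt in network order. A one-line comment at each site, `/* salt stays in network byte order, no ntohl */`, would stop a later cleanup from adding the swap and silently changing the nonce. Both handlers start and end outside their hunks.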
@@ -84,8 +84,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, clib_error_t *error; ipsec_key_t ck = { 0 }; ipsec_key_t ik = { 0 }; + u32 id, spi, salt; int is_add, rv; - u32 id, spi; error = NULL; is_add = 0; @@ -103,6 +103,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, is_add = 0; else if (unformat (line_input, "spi %u", &spi)) ; + else if (unformat (line_input, "salt %u", &salt)) + ; else if (unformat (line_input, "esp")) proto = IPSEC_PROTOCOL_ESP; else if (unformat (line_input, "ah")) @@ -141,7 +143,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, if (is_add) rv = ipsec_sa_add (id, spi, proto, crypto_alg, &ck, integ_alg, &ik, flags, - 0, 0, &tun_src, &tun_dst, NULL); + 0, clib_host_to_net_u32 (salt), + &tun_src, &tun_dst, NULL); else rv = ipsec_sa_del (id); diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c index 93b1efd6902..44f064d6112 100644 --- a/src/vnet/ipsec/ipsec_format.c +++ b/src/vnet/ipsec/ipsec_format.c @@ -290,7 +290,7 @@ format_ipsec_sa (u8 * s, va_list * args) if (!(flags & IPSEC_FORMAT_DETAIL)) goto done; - s = format (s, "\n salt 0x%x", sa->salt); + s = format (s, "\n salt 0x%x", clib_net_to_host_u32 (sa->salt)); s = format (s, "\n seq %u seq-hi %u", sa->seq, sa->seq_hi); s = format (s, "\n last-seq %u last-seq-hi %u window %U", sa->last_seq, sa->last_seq_hi, @@ -303,6 +303,7 @@ format_ipsec_sa (u8 * s, va_list * args) format_ipsec_integ_alg, sa->integ_alg); if (sa->integ_alg) s = format (s, " key %U", format_ipsec_key, &sa->integ_key); + vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts); s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes); diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index f87e12e0204..d1b44c3165f 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h 
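Review bot: `salt` is declared without an initialiser in `u32 id, spi, salt;` and is assigned only when the input contains `salt %u`, yet the last ipsec_cli.c hunk always passes `clib_host_to_net_u32 (salt)` to ipsec_sa_add. Unless it is set somewhere outside the visible hunks, a command line without the `salt` keyword hands an indeterminate stack value to the SA, which for GCM ends up in the nonce and will not match the peer. Initialise it with the other defaults, `salt = 0;` after `is_add = 0;`, or refuse a GCM `crypto_alg` when no salt was supplied. ipsec_sa_add_del_command_fn starts and ends outside the hunks.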
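Review bot: The detail output in the first ipsec_format.c hunk prints the salt in hex, `salt 0x%x`, while the ipsec_cli.c hunk reads it with `salt %u` (decimal, as far as the format string suggests), so the value an operator types and the value shown back are in different bases. This is a readability point, not a defect: either print with `%u` here or state the expected base in the CLI help text. The `clib_net_to_host_u32 (sa->salt)` conversion itself agrees with the storage order documented in ipsec_sa.h. format_ipsec_sa continues outside the hunk.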
@@ -160,9 +160,9 @@ typedef struct u32 sibling; u32 tx_fib_index; - u32 salt; - /* runtime */ + /* Salt used in GCM modes - stored in network byte order */ + u32 salt; } ipsec_sa_t; STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline1, CLIB_CACHE_LINE_BYTES); -- cgit 1.2.3-korg