IPSEC: support GCM in ESP

[vpp.git] / src / vnet / ipsec / ipsec_if.c

diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index 304c52e..f7cd958 100644 (file)
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -69,11 +69,15 @@ ipsec_if_tunnel_stack (adj_index_t ai)
 
       sa = ipsec_sa_get (it->output_sa_index);
 
+      /* *INDENT-OFF* */
       fib_prefix_t pfx = {
        .fp_addr = sa->tunnel_dst_addr,
-       .fp_len = (sa->is_tunnel_ip6 ? 128 : 32),
-       .fp_proto = (sa->is_tunnel_ip6 ? FIB_PROTOCOL_IP6 : FIB_PROTOCOL_IP4),
+       .fp_len = (ipsec_sa_is_set_IS_TUNNEL_V6(sa) ? 128 : 32),
+       .fp_proto = (ipsec_sa_is_set_IS_TUNNEL_V6(sa) ?
+                     FIB_PROTOCOL_IP6 :
+                     FIB_PROTOCOL_IP4),
       };
+      /* *INDENT-ON* */
 
       adj_midchain_delegate_stack (ai, sa->tx_fib_index, &pfx);
     }
@@ -286,7 +290,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
       if (args->udp_encap)
        flags |= IPSEC_SA_FLAG_UDP_ENCAP;
       if (args->esn)
-       flags |= IPSEC_SA_FLAG_USE_EXTENDED_SEQ_NUM;
+       flags |= IPSEC_SA_FLAG_USE_ESN;
       if (args->anti_replay)
        flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
 
@@ -302,8 +306,9 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
                         &crypto_key,
                         args->integ_alg,
                         &integ_key,
-                        flags,
+                        (flags | IPSEC_SA_FLAG_IS_INBOUND),
                         args->tx_table_id,
+                        args->salt,
                         &args->remote_ip,
                         &args->local_ip, &t->input_sa_index);
 
@@ -324,6 +329,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
                         &integ_key,
                         flags,
                         args->tx_table_id,
+                        args->salt,
                         &args->local_ip,
                         &args->remote_ip, &t->output_sa_index);
 
@@ -348,6 +354,9 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
       t->hw_if_index = hw_if_index;
       t->sw_if_index = hi->sw_if_index;
 
+      /* Standard default jumbo MTU. */
+      vnet_sw_interface_set_mtu (vnm, t->sw_if_index, 9000);
+
       /* Add the new tunnel to the DB of tunnels per sw_if_index ... */
       vec_validate_init_empty (im->ipsec_if_by_sw_if_index, t->sw_if_index,
                               ~0);
@@ -422,7 +431,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
 
 int
 ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm,
-                               ipsec_add_del_ipsec_gre_tunnel_args_t * args)
+                               const ipsec_gre_tunnel_add_del_args_t * args)
 {
   ipsec_tunnel_if_t *t = 0;
   ipsec_main_t *im = &ipsec_main;
@@ -434,22 +443,27 @@ ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm,
   p = hash_get (im->sa_index_by_sa_id, args->local_sa_id);
   if (!p)
     return VNET_API_ERROR_INVALID_VALUE;
-  isa = p[0];
+  osa = p[0];
+  sa = pool_elt_at_index (im->sad, p[0]);
+  ipsec_sa_set_IS_GRE (sa);
 
   p = hash_get (im->sa_index_by_sa_id, args->remote_sa_id);
   if (!p)
     return VNET_API_ERROR_INVALID_VALUE;
-  osa = p[0];
+  isa = p[0];
   sa = pool_elt_at_index (im->sad, p[0]);
+  ipsec_sa_set_IS_GRE (sa);
 
+  /* we form the key from the input/remote SA whose tunnel is srouce
+   * at the remote end */
   if (ipsec_sa_is_set_IS_TUNNEL (sa))
     {
-      key.remote_ip = sa->tunnel_dst_addr.ip4.as_u32;
+      key.remote_ip = sa->tunnel_src_addr.ip4.as_u32;
       key.spi = clib_host_to_net_u32 (sa->spi);
     }
   else
     {
-      key.remote_ip = args->remote_ip.as_u32;
+      key.remote_ip = args->src.as_u32;
       key.spi = clib_host_to_net_u32 (sa->spi);
     }