X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fesp_decrypt.c;h=a0eeed464da6b11cdd8bf7dc6193c99b0994d516;hb=a9a0b2ce2daabc5479aa7722e3ec7023f8c6c0d5;hp=de4cc6dd4ddfd077966ce90e3eaab3bd292ff8ba;hpb=02e14b526dc6f30c534e483c8e4a77678e27352e;p=vpp.git diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index de4cc6dd4dd..a0eeed464da 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -81,24 +81,28 @@ format_esp_decrypt_trace (u8 * s, va_list * args) } always_inline void -esp_decrypt_aes_cbc (ipsec_crypto_alg_t alg, - u8 * in, u8 * out, size_t in_len, u8 * key, u8 * iv) +esp_decrypt_cbc (ipsec_crypto_alg_t alg, + u8 * in, u8 * out, size_t in_len, u8 * key, u8 * iv) { - esp_main_t *em = &esp_main; + ipsec_proto_main_t *em = &ipsec_proto_main; u32 thread_index = vlib_get_thread_index (); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_CIPHER_CTX *ctx = em->per_thread_data[thread_index].decrypt_ctx; +#else EVP_CIPHER_CTX *ctx = &(em->per_thread_data[thread_index].decrypt_ctx); +#endif const EVP_CIPHER *cipher = NULL; int out_len; ASSERT (alg < IPSEC_CRYPTO_N_ALG); - if (PREDICT_FALSE (em->esp_crypto_algs[alg].type == 0)) + if (PREDICT_FALSE (em->ipsec_proto_main_crypto_algs[alg].type == 0)) return; if (PREDICT_FALSE (alg != em->per_thread_data[thread_index].last_decrypt_alg)) { - cipher = em->esp_crypto_algs[alg].type; + cipher = em->ipsec_proto_main_crypto_algs[alg].type; em->per_thread_data[thread_index].last_decrypt_alg = alg; } @@ -114,7 +118,7 @@ esp_decrypt_node_fn (vlib_main_t * vm, { u32 n_left_from, *from, next_index, *to_next; ipsec_main_t *im = &ipsec_main; - esp_main_t *em = &esp_main; + ipsec_proto_main_t *em = &ipsec_proto_main; u32 *recycle = 0; from = vlib_frame_vector_args (from_frame); n_left_from = from_frame->n_vectors; @@ -196,7 +200,8 @@ esp_decrypt_node_fn (vlib_main_t * vm, if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE)) { u8 sig[64]; - int icv_size = em->esp_integ_algs[sa0->integ_alg].trunc_size; + int icv_size = + em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size; memset (sig, 0, sizeof (sig)); u8 *icv = vlib_buffer_get_current (i_b0) + i_b0->current_length - @@ -241,11 +246,15 @@ esp_decrypt_node_fn (vlib_main_t * vm, /* add old buffer to the recycle list */ vec_add1 (recycle, i_bi0); - if (sa0->crypto_alg >= IPSEC_CRYPTO_ALG_AES_CBC_128 && - sa0->crypto_alg <= IPSEC_CRYPTO_ALG_AES_CBC_256) + if ((sa0->crypto_alg >= IPSEC_CRYPTO_ALG_AES_CBC_128 && + sa0->crypto_alg <= IPSEC_CRYPTO_ALG_AES_CBC_256) || + (sa0->crypto_alg >= IPSEC_CRYPTO_ALG_DES_CBC && + sa0->crypto_alg <= IPSEC_CRYPTO_ALG_3DES_CBC)) { - const int BLOCK_SIZE = 16; - const int IV_SIZE = 16; + const int BLOCK_SIZE = + em->ipsec_proto_main_crypto_algs[sa0->crypto_alg].block_size;; + const int IV_SIZE = + em->ipsec_proto_main_crypto_algs[sa0->crypto_alg].iv_size; esp_footer_t *f0; u8 ip_hdr_size = 0; @@ -259,9 +268,14 @@ esp_decrypt_node_fn (vlib_main_t * vm, if (PREDICT_FALSE (!sa0->is_tunnel && !sa0->is_tunnel_ip6)) { tunnel_mode = 0; - ih4 = - (ip4_header_t *) (i_b0->data + - sizeof (ethernet_header_t)); + + if (i_b0->flags & VNET_BUFFER_F_IS_IP4) + ih4 = + (ip4_header_t *) ((u8 *) esp0 - sizeof (ip4_header_t)); + else + ih4 = + (ip4_header_t *) ((u8 *) esp0 - sizeof (ip6_header_t)); + if (PREDICT_TRUE ((ih4->ip_version_and_header_length & 0xF0) != 0x40)) { @@ -271,9 +285,7 @@ esp_decrypt_node_fn (vlib_main_t * vm, { transport_ip6 = 1; ip_hdr_size = sizeof (ip6_header_t); - ih6 = - (ip6_header_t *) (i_b0->data + - sizeof (ethernet_header_t)); + ih6 = (ip6_header_t *) ih4; oh6 = vlib_buffer_get_current (o_b0); } else @@ -293,13 +305,13 @@ esp_decrypt_node_fn (vlib_main_t * vm, } } - esp_decrypt_aes_cbc (sa0->crypto_alg, - esp0->data + IV_SIZE, - (u8 *) vlib_buffer_get_current (o_b0) + - ip_hdr_size, BLOCK_SIZE * blocks, - sa0->crypto_key, esp0->data); + esp_decrypt_cbc (sa0->crypto_alg, + esp0->data + IV_SIZE, + (u8 *) vlib_buffer_get_current (o_b0) + + ip_hdr_size, BLOCK_SIZE * blocks, + sa0->crypto_key, esp0->data); - o_b0->current_length = (blocks * 16) - 2 + ip_hdr_size; + o_b0->current_length = (blocks * BLOCK_SIZE) - 2 + ip_hdr_size; o_b0->flags = VLIB_BUFFER_TOTAL_LENGTH_VALID; f0 = (esp_footer_t *) ((u8 *) vlib_buffer_get_current (o_b0) +