ipsec: GCM, Anti-replay and ESN fixes 30/20730/4
author Neale Ranns <nranns@cisco.com>
Wed, 17 Jul 2019 15:07:14 +0000 (15:07 +0000)
committer Damjan Marion <dmarion@me.com>
Wed, 24 Jul 2019 11:01:47 +0000 (11:01 +0000)
commit 6afaae156a9ab9de79474367d8873407f3b12a71
tree 016e506a1636bf72944217c7e324091d61d21b69
parent ae3eaacaf1df7b83d6ef6b30290e1390d38197df
ipsec: GCM, Anti-replay and ESN fixes

Type: fix

Several fixes:
 1 - Anti-replay did not work with GCM because it overwrote the sequence
number in the ESP header. To fix, I added the seq num to the per-packet
data so it is preserved.
 2 - The high sequence number was not byte swapped during ESP encrypt.
 3 - The openssl engine was the only one to return FAIL_DECRYPT for bad GCM;
the others return BAD_HMAC. Removed the former.
 4 - Improved tracing to show the low and high seq numbers.
 5 - Documented the anti-replay window checks.
 6 - Fixed scapy patch for ESN support for GCM.
 7 - Tests for anti-replay (w/ and w/o ESN) for each crypto algo.

Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b
Signed-off-by: Neale Ranns <nranns@cisco.com>
src/plugins/crypto_openssl/main.c
src/plugins/dpdk/ipsec/esp_decrypt.c
src/vnet/crypto/crypto.h
src/vnet/ipsec/ah_decrypt.c
src/vnet/ipsec/esp_decrypt.c
src/vnet/ipsec/esp_encrypt.c
src/vnet/ipsec/ipsec_sa.h
test/patches/scapy-2.4/ipsec.patch
test/template_ipsec.py
test/test_ipsec_esp.py
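For context on fixes 1, 2 and 5 above, here is an added example (not VPP's code, and not from this commit) of the receiver-side anti-replay window the message refers to: a 64-entry window with the ESN high-sequence inference from RFC 4303 Appendix A, split into the pre-ICV check and the post-ICV update. `replay_state_t`, `esn_infer`, `replay_check` and `replay_advance` are hypothetical names; the check returns the inferred 64-bit sequence number so the caller can keep it per packet until the ICV has been verified.

```c
#include <stdbool.h>
#include <stdint.h>
#define REPLAY_WINDOW 64u
/* Hypothetical SA state (not VPP's ipsec_sa_t): Th/Tl of the highest packet accepted,
 * and a 64-bit window whose bit i means sequence (top - i) was already received. */
typedef struct {
  uint32_t seq_hi, seq;   /* Th, Tl */
  uint64_t window;
  bool esn, started;
} replay_state_t;
#define TOP64(s) (((uint64_t)(s)->seq_hi << 32) | (s)->seq)

/* RFC 4303 A2.2: pick Th, Th+1 or Th-1 for the 32 bits carried on the wire. */
static uint64_t esn_infer(const replay_state_t *s, uint32_t seql)
{
  uint32_t bl = s->seq - (REPLAY_WINDOW - 1);   /* window bottom, mod 2^32 */
  uint32_t th = s->seq_hi;
  if (s->seq >= REPLAY_WINDOW - 1) {            /* case A: window does not wrap */
    if (seql < bl) th++;                        /* below Bl: assume next epoch, ICV decides */
  } else if (seql >= bl) {                      /* case B: window straddles 2^32 */
    th--;                                       /* low end of the window, previous epoch */
  }
  return ((uint64_t)th << 32) | seql;
}

/* Pre-ICV check. On success *seq64 holds the value replay_advance() needs later,
 * which is why the sequence number must survive per packet until then. */
static bool replay_check(const replay_state_t *s, uint32_t seql, uint64_t *seq64)
{
  if (!s->started) { *seq64 = seql; return true; }
  *seq64 = s->esn ? esn_infer(s, seql) : seql;
  if (*seq64 > TOP64(s)) return true;           /* newer than anything seen */
  uint64_t diff = TOP64(s) - *seq64;
  if (diff >= REPLAY_WINDOW) return false;      /* older than the window (non-ESN only) */
  return !(s->window & ((uint64_t)1 << diff));  /* bit already set => replay */
}

/* Post-ICV update; never call for a packet that failed authentication. */
static void replay_advance(replay_state_t *s, uint64_t seq64)
{
  if (s->started && seq64 <= TOP64(s)) {
    s->window |= (uint64_t)1 << (TOP64(s) - seq64);
    return;
  }
  uint64_t diff = s->started ? seq64 - TOP64(s) : 0;
  s->window = (diff >= REPLAY_WINDOW) ? 1 : (s->window << diff) | 1;
  s->seq_hi = (uint32_t)(seq64 >> 32);
  s->seq = (uint32_t)seq64;
  s->started = true;
}
```

Note that with ESN a low sequence number below the window is not rejected here but read as the next epoch, so only the ICV (computed over the inferred high bits) can reject it; that is the reason the check and the update have to stay separate.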