
[API-NEXT,v12,6/18] linux-gen: ipsec: support replay window checks

Message ID 1510488023-21204-7-git-send-email-odpbot@yandex.ru
State Superseded
Series [API-NEXT,v12,1/18] linux-gen: ipsec: use counter instead of random IV for GCM | expand

Commit Message

Github ODP bot Nov. 12, 2017, noon UTC
From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>


Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

---
/** Email created from pull request 243 (lumag:ipsec-packet-impl-3)
 ** https://github.com/Linaro/odp/pull/243
 ** Patch: https://github.com/Linaro/odp/pull/243.patch
 ** Base sha: a908a4dead95321e84d6a8a23de060051dcd8969
 ** Merge commit sha: e8722a0cdda227e01e7d308573aec08112d3c5b0
 **/
 platform/linux-generic/odp_ipsec.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

Patch

diff --git a/platform/linux-generic/odp_ipsec.c b/platform/linux-generic/odp_ipsec.c
index 8810d73be..ef6a60249 100644
--- a/platform/linux-generic/odp_ipsec.c
+++ b/platform/linux-generic/odp_ipsec.c
@@ -42,6 +42,8 @@  int odp_ipsec_capability(odp_ipsec_capability_t *capa)
 
 	capa->max_num_sa = ODP_CONFIG_IPSEC_SAS;
 
+	capa->max_antireplay_ws = IPSEC_ANTIREPLAY_WS;
+
 	rc = odp_crypto_capability(&crypto_capa);
 	if (rc < 0)
 		return rc;
@@ -402,6 +404,12 @@  static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
 		ip->frag_offset = 0;
 		ip->ttl = 0;
 
+		aad.spi = ah.spi;
+		aad.seq_no = ah.seq_no;
+
+		param.aad.ptr = (uint8_t *)&aad;
+		param.aad.length = sizeof(aad);
+
 		param.auth_range.offset = ip_offset;
 		param.auth_range.length = odp_be_to_cpu_16(ip->tot_len);
 		param.hash_result_offset = ipsec_offset + _ODP_AHHDR_LEN;
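Review bot: `param.aad.ptr` is pointed at `aad` in the AH branch here, and again in the `ipsec_out_single` hunk at -809, but the hunk does not show where `aad` is declared or when the crypto operation completes. If `aad` is a stack local, the pointer is valid only while the frame is live, so the operation must finish before the function returns. A comment at the assignment would record that constraint, for example `/* aad is function-local: the crypto op must complete before return */`. `aad.seq_no` is also kept in network byte order and converted separately at each later use, so a single host-order local captured once would make it clear that the pre-check and the update see the same value. Both enclosing functions start and end outside their hunks.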
@@ -412,6 +420,11 @@  static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
 		goto out;
 	}
 
+	if (_odp_ipsec_sa_replay_precheck(ipsec_sa,
+					  odp_be_to_cpu_32(aad.seq_no),
+					  status) < 0)
+		goto out;
+
 	if (_odp_ipsec_sa_stats_precheck(ipsec_sa, status) < 0)
 		goto out;
 
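Review bot: The call to `_odp_ipsec_sa_replay_precheck()` takes a sequence number read from the header before the packet has been authenticated, so it can only act as an early drop and must never change window state. A comment above the call would guard against a later refactor moving the window update here, for example `/* early reject only: seq_no is unauthenticated until the crypto op succeeds */`. The value is passed through `odp_be_to_cpu_32()`, so only a 32-bit sequence number is checked. If an SA can be configured with extended sequence numbers, that case looks unhandled and should be either rejected at SA creation or covered here. The body of `ipsec_in_single` continues outside the hunk.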
@@ -450,6 +463,11 @@  static ipsec_sa_t *ipsec_in_single(odp_packet_t pkt,
 	if (_odp_ipsec_sa_stats_update(ipsec_sa, stats_length, status) < 0)
 		goto out;
 
+	if (_odp_ipsec_sa_replay_update(ipsec_sa,
+					odp_be_to_cpu_32(aad.seq_no),
+					status) < 0)
+		goto out;
+
 	ip_offset = odp_packet_l3_offset(pkt);
 	ip = odp_packet_l3_ptr(pkt, NULL);
 	ip_hdr_len = ipv4_hdr_len(ip);
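Review bot: `_odp_ipsec_sa_replay_update()` runs after `_odp_ipsec_sa_stats_update()`, so a packet rejected here as a replay has already been charged to the SA's counters. That can happen, for instance, when a duplicate passed the pre-check concurrently on another thread. Calling the replay update first would keep rejected duplicates out of the statistics. Two things are outside the hunk and worth confirming: that this point is reached only after the crypto result (ICV) check has passed, and that the update re-tests and advances the window in one atomic step rather than trusting the earlier pre-check. A one-line comment stating both would document the anti-replay contract for the next reader.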
@@ -809,6 +827,12 @@  static ipsec_sa_t *ipsec_out_single(odp_packet_t pkt,
 		ah.next_header = ip->proto;
 		ip->proto = _ODP_IPPROTO_AH;
 
+		aad.spi = ah.spi;
+		aad.seq_no = ah.seq_no;
+
+		param.aad.ptr = (uint8_t *)&aad;
+		param.aad.length = sizeof(aad);
+
 		odp_packet_copy_from_mem(pkt,
 					 ipsec_offset, _ODP_AHHDR_LEN,
 					 &ah);