|
|
@@ -2,6 +2,7 @@ package overlay
|
|
|
|
|
|
import (
|
|
|
"bytes"
|
|
|
+ "encoding/binary"
|
|
|
"encoding/hex"
|
|
|
"fmt"
|
|
|
"net"
|
|
|
@@ -216,7 +217,6 @@ func programMangle(vni uint32, add bool) (err error) {
|
|
|
|
|
|
func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (fSA *netlink.XfrmState, rSA *netlink.XfrmState, err error) {
|
|
|
var (
|
|
|
- crypt *netlink.XfrmStateAlgo
|
|
|
action = "Removing"
|
|
|
xfrmProgram = ns.NlHandle().XfrmStateDel
|
|
|
)
|
|
|
@@ -224,7 +224,6 @@ func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (f
|
|
|
if add {
|
|
|
action = "Adding"
|
|
|
xfrmProgram = ns.NlHandle().XfrmStateAdd
|
|
|
- crypt = &netlink.XfrmStateAlgo{Name: "cbc(aes)", Key: k.value}
|
|
|
}
|
|
|
|
|
|
if dir&reverse > 0 {
|
|
|
@@ -236,7 +235,7 @@ func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (f
|
|
|
Mode: netlink.XFRM_MODE_TRANSPORT,
|
|
|
}
|
|
|
if add {
|
|
|
- rSA.Crypt = crypt
|
|
|
+ rSA.Aead = buildAeadAlgo(k, spi.reverse)
|
|
|
}
|
|
|
|
|
|
exists, err := saExists(rSA)
|
|
|
@@ -261,7 +260,7 @@ func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (f
|
|
|
Mode: netlink.XFRM_MODE_TRANSPORT,
|
|
|
}
|
|
|
if add {
|
|
|
- fSA.Crypt = crypt
|
|
|
+ fSA.Aead = buildAeadAlgo(k, spi.forward)
|
|
|
}
|
|
|
|
|
|
exists, err := saExists(fSA)
|
|
|
@@ -363,6 +362,16 @@ func buildSPI(src, dst net.IP, st uint32) int {
|
|
|
return spi
|
|
|
}
|
|
|
|
|
|
+func buildAeadAlgo(k *key, s int) *netlink.XfrmStateAlgo {
|
|
|
+ salt := make([]byte, 4)
|
|
|
+ binary.BigEndian.PutUint32(salt, uint32(s))
|
|
|
+ return &netlink.XfrmStateAlgo{
|
|
|
+ Name: "rfc4106(gcm(aes))",
|
|
|
+ Key: append(k.value, salt...),
|
|
|
+ ICVLen: 64,
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
func (d *driver) secMapWalk(f func(string, []*spi) ([]*spi, bool)) error {
|
|
|
d.secMap.Lock()
|
|
|
for node, indices := range d.secMap.nodes {
|
Alessandro Boch