ipsec: allow to configure salt for encryption algorithm

Signed-off-by: Milan Lenco <milan.lenco@pantheon.tech>

plugins/vpp/ipsecplugin/vppcalls/vpp1908/dump_vppcalls.go

@@ -61,6 +61,7 @@ func (h *IPSecVppHandler) DumpIPSecSAWithIndex(saID uint32) (saList []*vppcalls.
 			Protocol:       ipsec.SecurityAssociation_IPSecProtocol(saData.Entry.Protocol),
 			CryptoAlg:      ipsec.CryptoAlg(saData.Entry.CryptoAlgorithm),
 			CryptoKey:      hex.EncodeToString(saData.Entry.CryptoKey.Data[:saData.Entry.CryptoKey.Length]),
+			CryptoSalt:     saData.Entry.Salt,
 			IntegAlg:       ipsec.IntegAlg(saData.Entry.IntegrityAlgorithm),
 			IntegKey:       hex.EncodeToString(saData.Entry.IntegrityKey.Data[:saData.Entry.IntegrityKey.Length]),
 			UseEsn:         (saData.Entry.Flags & ipsecapi.IPSEC_API_SAD_FLAG_USE_ESN) != 0,

plugins/vpp/ipsecplugin/vppcalls/vpp1908/ipsec_vppcalls.go

@@ -235,6 +235,7 @@ func (h *IPSecVppHandler) sadAddDelEntry(sa *ipsec.SecurityAssociation, isAdd bo
 				Data:   cryptoKey,
 				Length: uint8(len(cryptoKey)),
 			},
+			Salt: sa.CryptoSalt,
 			IntegrityAlgorithm: api.IpsecIntegAlg(sa.IntegAlg),
 			IntegrityKey: api.Key{
 				Data:   integKey,

plugins/vpp/ipsecplugin/vppcalls/vpp2001/dump_vppcalls.go

@@ -62,6 +62,7 @@ func (h *IPSecVppHandler) DumpIPSecSAWithIndex(saID uint32) (saList []*vppcalls.
 			Protocol:       ipsec.SecurityAssociation_IPSecProtocol(saData.Entry.Protocol),
 			CryptoAlg:      ipsec.CryptoAlg(saData.Entry.CryptoAlgorithm),
 			CryptoKey:      hex.EncodeToString(saData.Entry.CryptoKey.Data[:saData.Entry.CryptoKey.Length]),
+			CryptoSalt:     saData.Entry.Salt,
 			IntegAlg:       ipsec.IntegAlg(saData.Entry.IntegrityAlgorithm),
 			IntegKey:       hex.EncodeToString(saData.Entry.IntegrityKey.Data[:saData.Entry.IntegrityKey.Length]),
 			UseEsn:         (saData.Entry.Flags & ipsec_types.IPSEC_API_SAD_FLAG_USE_ESN) != 0,

plugins/vpp/ipsecplugin/vppcalls/vpp2001/ipsec_vppcalls.go

@@ -235,6 +235,7 @@ func (h *IPSecVppHandler) sadAddDelEntry(sa *ipsec.SecurityAssociation, isAdd bo
 				Data:   cryptoKey,
 				Length: uint8(len(cryptoKey)),
 			},
+			Salt: sa.CryptoSalt,
 			IntegrityAlgorithm: vpp_ipsec.IpsecIntegAlg(sa.IntegAlg),
 			IntegrityKey: vpp_ipsec.Key{
 				Data:   integKey,

plugins/vpp/ipsecplugin/vppcalls/vpp2005/dump_vppcalls.go

@@ -61,11 +61,14 @@ func (h *IPSecVppHandler) DumpIPSecSAWithIndex(saID uint32) (saList []*vppcalls.
 			Protocol:       ipsecProtoToProtocol(saData.Entry.Protocol),
 			CryptoAlg:      ipsec.CryptoAlg(saData.Entry.CryptoAlgorithm),
 			CryptoKey:      hex.EncodeToString(saData.Entry.CryptoKey.Data[:saData.Entry.CryptoKey.Length]),
+			CryptoSalt:     saData.Entry.Salt,
 			IntegAlg:       ipsec.IntegAlg(saData.Entry.IntegrityAlgorithm),
 			IntegKey:       hex.EncodeToString(saData.Entry.IntegrityKey.Data[:saData.Entry.IntegrityKey.Length]),
 			UseEsn:         (saData.Entry.Flags & ipsec_types.IPSEC_API_SAD_FLAG_USE_ESN) != 0,
 			UseAntiReplay:  (saData.Entry.Flags & ipsec_types.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY) != 0,
 			EnableUdpEncap: (saData.Entry.Flags & ipsec_types.IPSEC_API_SAD_FLAG_UDP_ENCAP) != 0,
+			TunnelSrcPort:  uint32(saData.Entry.UDPSrcPort),
+			TunnelDstPort:  uint32(saData.Entry.UDPDstPort),
 		}
 		if !tunnelSrcAddr.IsUnspecified() {
 			sa.TunnelSrcAddr = tunnelSrcAddr.String()

plugins/vpp/ipsecplugin/vppcalls/vpp2005/ipsec_vppcalls.go

@@ -245,6 +245,7 @@ func (h *IPSecVppHandler) sadAddDelEntry(sa *ipsec.SecurityAssociation, isAdd bo
 				Data:   cryptoKey,
 				Length: uint8(len(cryptoKey)),
 			},
+			Salt: sa.CryptoSalt,
 			IntegrityAlgorithm: vpp_ipsec.IpsecIntegAlg(sa.IntegAlg),
 			IntegrityKey: vpp_ipsec.Key{
 				Data:   integKey,

proto/ligato/vpp/ipsec/ipsec.proto

@@ -113,6 +113,7 @@ message SecurityAssociation {
 
     CryptoAlg crypto_alg = 4;       /* Cryptographic algorithm for encryption */
     string crypto_key = 5;
+    uint32 crypto_salt = 15;
 
     IntegAlg integ_alg = 6;         /* Cryptographic algorithm for authentication */
     string integ_key = 7;

tests/e2e/070_ipsec_test.go

@@ -56,21 +56,28 @@ func TestIPSec(t *testing.T) {
 		Index:          10,
 		Spi:            123,
 		Protocol:       vpp_ipsec.SecurityAssociation_ESP,
-		CryptoAlg:      vpp_ipsec.CryptoAlg_AES_CBC_128,
+		CryptoAlg:      vpp_ipsec.CryptoAlg_AES_GCM_128,
 		CryptoKey:      "d9a4ec50aed76f1bf80bc915d8fcfe1c",
+		CryptoSalt:     1500,
 		IntegAlg:       vpp_ipsec.IntegAlg_SHA1_96,
 		IntegKey:       "bf9b150aaf5c2a87d79898b11eabd055e70abdbe",
 		EnableUdpEncap: true,
+		TunnelSrcPort:  4500,
+		TunnelDstPort:  8777,
+
 	}
 	saIn := &vpp_ipsec.SecurityAssociation{
 		Index:          20,
 		Spi:            456,
 		Protocol:       vpp_ipsec.SecurityAssociation_ESP,
-		CryptoAlg:      vpp_ipsec.CryptoAlg_AES_CBC_128,
+		CryptoAlg:      vpp_ipsec.CryptoAlg_AES_GCM_128,
 		CryptoKey:      "d9a4ec50aed76f1bf80bc915d8fcfe1c",
+		CryptoSalt:     8900,
 		IntegAlg:       vpp_ipsec.IntegAlg_SHA1_96,
 		IntegKey:       "bf9b150aaf5c2a87d79898b11eabd055e70abdbe",
 		EnableUdpEncap: true,
+		TunnelSrcPort:  8777,
+		TunnelDstPort:  4500,
 	}
 	spOut := &vpp_ipsec.SecurityPolicy{
 		SpdIndex:        100,