IPSEC-AH: anti-replay testing
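diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index 941368a..a2fc07f 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -60,6 +60,7 @@ static char *ah_decrypt_error_strings[] = {
 typedef struct
 {
 ipsec_integ_alg_t integ_alg;
+u32 seq_num;
 } ah_decrypt_trace_t;
 /* packet trace format function */
@@ -70,7 +71,8 @@ format_ah_decrypt_trace (u8 * s, va_list * args)
 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
 ah_decrypt_trace_t *t = va_arg (*args, ah_decrypt_trace_t *);
-s = format (s, "ah: integrity %U", format_ipsec_integ_alg, t->integ_alg);
+s = format (s, "ah: integrity %U seq-num %d",
+format_ipsec_integ_alg, t->integ_alg, t->seq_num);
 return s;
 }
@@ -143,8 +145,8 @@ ah_decrypt_inline (vlib_main_t * vm,
 }
 seq = clib_host_to_net_u32 (ah0->seq_no);
+
 /* anti-replay check */
-//TODO UT remaining
 if (sa0->use_anti_replay)
 {
 int rv = 0;
@@ -156,7 +158,6 @@ ah_decrypt_inline (vlib_main_t * vm,
 if (PREDICT_FALSE (rv))
 {
-clib_warning ("anti-replay SPI %u seq %u", sa0->spi, seq);
 if (is_ip6)
 vlib_node_increment_counter (vm,
 ah6_decrypt_node.index,
@@ -165,8 +166,6 @@ ah_decrypt_inline (vlib_main_t * vm,
 vlib_node_increment_counter (vm,
 ah4_decrypt_node.index,
 AH_DECRYPT_ERROR_REPLAY, 1);
-to_next[0] = i_bi0;
-to_next += 1;
 goto trace;
 }
 }
@@ -179,11 +178,11 @@ ah_decrypt_inline (vlib_main_t * vm,
 {
 u8 sig[64];
 u8 digest[64];
-memset (sig, 0, sizeof (sig));
-memset (digest, 0, sizeof (digest));
+clib_memset (sig, 0, sizeof (sig));
+clib_memset (digest, 0, sizeof (digest));
 u8 *icv = ah0->auth_data;
 memcpy (digest, icv, icv_size);
-memset (icv, 0, icv_size);
+clib_memset (icv, 0, icv_size);
 if (is_ip6)
 {
@@ -223,12 +222,9 @@ ah_decrypt_inline (vlib_main_t * vm,
 ah4_decrypt_node.index,
 AH_DECRYPT_ERROR_INTEG_ERROR,
 1);
-to_next[0] = i_bi0;
-to_next += 1;
 goto trace;
 }
-//TODO UT remaining
 if (PREDICT_TRUE (sa0->use_anti_replay))
 {
 if (PREDICT_TRUE (sa0->use_esn))
@@ -252,7 +248,6 @@ ah_decrypt_inline (vlib_main_t * vm,
 next0 = AH_DECRYPT_NEXT_IP6_INPUT;
 else
 {
-clib_warning ("next header: 0x%x", ah0->nexthdr);
 if (is_ip6)
 vlib_node_increment_counter (vm,
 ah6_decrypt_node.index,
@@ -318,6 +313,7 @@ ah_decrypt_inline (vlib_main_t * vm,
 ah_decrypt_trace_t *tr =
 vlib_add_trace (vm, node, i_b0, sizeof (*tr));
 tr->integ_alg = sa0->integ_alg;
+tr->seq_num = seq;
 }
 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
 n_left_to_next, i_bi0, next0);
@@ -336,16 +332,15 @@ ah_decrypt_inline (vlib_main_t * vm,
 return from_frame->n_vectors;
 }
-static uword
-ah4_decrypt_node_fn (vlib_main_t * vm,
-vlib_node_runtime_t * node, vlib_frame_t * from_frame)
+VLIB_NODE_FN (ah4_decrypt_node) (vlib_main_t * vm,
+vlib_node_runtime_t * node,
+vlib_frame_t * from_frame)
 {
 return ah_decrypt_inline (vm, node, from_frame, 0 /* is_ip6 */ );
 }
 /* *INDENT-OFF* */
 VLIB_REGISTER_NODE (ah4_decrypt_node) = {
-.function = ah4_decrypt_node_fn,
 .name = "ah4-decrypt",
 .vector_size = sizeof (u32),
 .format_trace = format_ah_decrypt_trace,
@@ -363,18 +358,15 @@ VLIB_REGISTER_NODE (ah4_decrypt_node) = {
 };
 /* *INDENT-ON* */
-VLIB_NODE_FUNCTION_MULTIARCH (ah4_decrypt_node, ah4_decrypt_node_fn);
-
-static uword
-ah6_decrypt_node_fn (vlib_main_t * vm,
-vlib_node_runtime_t * node, vlib_frame_t * from_frame)
+VLIB_NODE_FN (ah6_decrypt_node) (vlib_main_t * vm,
+vlib_node_runtime_t * node,
+vlib_frame_t * from_frame)
 {
 return ah_decrypt_inline (vm, node, from_frame, 1 /* is_ip6 */ );
 }
 /* *INDENT-OFF* */
 VLIB_REGISTER_NODE (ah6_decrypt_node) = {
-.function = ah6_decrypt_node_fn,
 .name = "ah6-decrypt",
 .vector_size = sizeof (u32),
 .format_trace = format_ah_decrypt_trace,
@@ -392,7 +384,6 @@ VLIB_REGISTER_NODE (ah6_decrypt_node) = {
 };
 /* *INDENT-ON* */
-VLIB_NODE_FUNCTION_MULTIARCH (ah6_decrypt_node, ah6_decrypt_node_fn);
 /*
 * fd.io coding-style-patch-verification: ON
 *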
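Review bot: The new trace format in the `-70,7 +71,8` hunk prints the `u32 seq_num` field with `%d`, so any AH sequence number at or above 2^31 shows as a negative value in `show trace`, which is exactly the range where replay-window diagnostics get interesting; the `clib_warning` this commit removes used `%u` for the same value. Change the format to `s = format (s, "ah: integrity %U seq-num %u", format_ipsec_integ_alg, t->integ_alg, t->seq_num);`. The `tr->seq_num = seq;` added in the `-318,6 +313,7` hunk also assumes `seq` has been assigned on every path that reaches the trace label; the assignment is visible before the anti-replay check, but the error paths that `goto trace` earlier in ah_decrypt_inline are outside the hunks shown, so that is worth confirming. The enclosing function ah_decrypt_inline starts and ends outside every hunk here.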