- sa0->total_data_size += i_b0->current_length;
- icv_size =
- em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size;
- if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
- {
- u8 sig[64];
- u8 digest[64];
- clib_memset (sig, 0, sizeof (sig));
- clib_memset (digest, 0, sizeof (digest));
- u8 *icv = ah0->auth_data;
- memcpy (digest, icv, icv_size);
- clib_memset (icv, 0, icv_size);
-
- if (is_ip6)
- {
- ip_version_traffic_class_and_flow_label =
- ih6->ip_version_traffic_class_and_flow_label;
- hop_limit = ih6->hop_limit;
- ih6->ip_version_traffic_class_and_flow_label = 0x60;
- ih6->hop_limit = 0;
- nexthdr = ah0->nexthdr;
- icv_padding_len =
- ah_calc_icv_padding_len (icv_size, 1 /* is_ipv6 */ );
- }
- else
- {
- tos = ih4->tos;
- ttl = ih4->ttl;
- ih4->tos = 0;
- ih4->ttl = 0;
- ih4->checksum = 0;
- ih4->flags_and_fragment_offset = 0;
- icv_padding_len =
- ah_calc_icv_padding_len (icv_size, 0 /* is_ipv6 */ );
- }
- hmac_calc (sa0->integ_alg, sa0->integ_key, sa0->integ_key_len,
- (u8 *) ih4, i_b0->current_length, sig, sa0->use_esn,
- sa0->seq_hi);
-
- if (PREDICT_FALSE (memcmp (digest, sig, icv_size)))
- {
- if (is_ip6)
- vlib_node_increment_counter (vm,
- ah6_decrypt_node.index,
- AH_DECRYPT_ERROR_INTEG_ERROR,
- 1);
- else
- vlib_node_increment_counter (vm,
- ah4_decrypt_node.index,
- AH_DECRYPT_ERROR_INTEG_ERROR,
- 1);
- to_next[0] = i_bi0;
- to_next += 1;
- goto trace;
- }
-
- //TODO UT remaining
- if (PREDICT_TRUE (sa0->use_anti_replay))
- {
- if (PREDICT_TRUE (sa0->use_esn))
- esp_replay_advance_esn (sa0, seq);
- else
- esp_replay_advance (sa0, seq);
- }