- u8 sig[64];
- u8 digest[64];
- clib_memset (sig, 0, sizeof (sig));
- clib_memset (digest, 0, sizeof (digest));
- u8 *icv = ah0->auth_data;
- memcpy (digest, icv, icv_size);
- clib_memset (icv, 0, icv_size);
-
- if (is_ip6)
- {
- ip_version_traffic_class_and_flow_label =
- ih6->ip_version_traffic_class_and_flow_label;
- hop_limit = ih6->hop_limit;
- ih6->ip_version_traffic_class_and_flow_label = 0x60;
- ih6->hop_limit = 0;
- nexthdr = ah0->nexthdr;
- icv_padding_len =
- ah_calc_icv_padding_len (icv_size, 1 /* is_ipv6 */ );
- }
- else
- {
- tos = ih4->tos;
- ttl = ih4->ttl;
- ih4->tos = 0;
- ih4->ttl = 0;
- ih4->checksum = 0;
- ih4->flags_and_fragment_offset = 0;
- icv_padding_len =
- ah_calc_icv_padding_len (icv_size, 0 /* is_ipv6 */ );
- }
- hmac_calc (sa0->integ_alg, sa0->integ_key, sa0->integ_key_len,
- (u8 *) ih4, i_b0->current_length, sig, sa0->use_esn,
- sa0->seq_hi);
-
- if (PREDICT_FALSE (memcmp (digest, sig, icv_size)))
- {
- if (is_ip6)
- vlib_node_increment_counter (vm,
- ah6_decrypt_node.index,
- AH_DECRYPT_ERROR_INTEG_ERROR,
- 1);
- else
- vlib_node_increment_counter (vm,
- ah4_decrypt_node.index,
- AH_DECRYPT_ERROR_INTEG_ERROR,
- 1);
- to_next[0] = i_bi0;
- to_next += 1;
- goto trace;
- }
-
- //TODO UT remaining
- if (PREDICT_TRUE (sa0->use_anti_replay))
- {
- if (PREDICT_TRUE (sa0->use_esn))
- esp_replay_advance_esn (sa0, seq);
- else
- esp_replay_advance (sa0, seq);
- }
+ pd->ip_version_traffic_class_and_flow_label =
+ ih6->ip_version_traffic_class_and_flow_label;
+ pd->hop_limit = ih6->hop_limit;
+ ih6->ip_version_traffic_class_and_flow_label = 0x60;
+ ih6->hop_limit = 0;
+ pd->nexthdr = ah0->nexthdr;
+ pd->icv_padding_len =
+ ah_calc_icv_padding_len (pd->icv_size, 1 /* is_ipv6 */ );
+ }
+ else
+ {
+ pd->tos = ih4->tos;
+ pd->ttl = ih4->ttl;
+ ih4->tos = 0;
+ ih4->ttl = 0;
+ ih4->checksum = 0;
+ pd->icv_padding_len =
+ ah_calc_icv_padding_len (pd->icv_size, 0 /* is_ipv6 */ );
+ }
+ }
+
+ next:
+ n_left -= 1;
+ pd += 1;
+ next += 1;
+ b += 1;
+ }
+
+ n_left = from_frame->n_vectors;
+ next = nexts;
+ pd = pkt_data;
+ b = bufs;
+
+ vlib_node_increment_counter (vm, node->node_index, AH_DECRYPT_ERROR_RX_PKTS,
+ n_left);
+ vlib_increment_combined_counter (&ipsec_sa_counters, thread_index,
+ current_sa_index, current_sa_pkts,
+ current_sa_bytes);
+
+ ah_process_ops (vm, node, ptd->integ_ops, bufs, nexts);