CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
esp_decrypt_trace_t * t = va_arg (*args, esp_decrypt_trace_t *);
- uword indent = format_get_indent (s);
+ u32 indent = format_get_indent (s);
s = format (s, "cipher %U auth %U\n",
format_ipsec_crypto_alg, t->crypto_alg,
if (sa_index0 != last_sa_index)
{
- last_sa_index = sa_index0;
-
sa0 = pool_elt_at_index (im->sad, sa_index0);
cipher_alg = vec_elt_at_index (dcm->cipher_algs, sa0->crypto_alg);
auth_alg = vec_elt_at_index (dcm->auth_algs, sa0->integ_alg);
-#if DPDK_NO_AEAD
- is_aead = (sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128 |
- sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_192 |
- sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_256);
-#else
is_aead = (cipher_alg->type == RTE_CRYPTO_SYM_XFORM_AEAD);
-#endif
if (is_aead)
auth_alg = cipher_alg;
n_left_to_next -= 1;
goto trace;
}
+
+ last_sa_index = sa_index0;
}
/* anti-replay check */
}
u32 cipher_off, cipher_len;
- u32 auth_len = 0, aad_size = 0;
- u8 *aad = NULL, *digest = NULL;
- u64 digest_paddr = 0;
+ u32 auth_len = 0;
+ u8 *aad = NULL;
u8 *iv = (u8 *) (esp0 + 1);
cipher_off = sizeof (esp_header_t) + iv_size;
cipher_len = payload_len;
- digest = vlib_buffer_get_tail (b0) - trunc_size;
+ u8 *digest = vlib_buffer_get_tail (b0) - trunc_size;
+ u64 digest_paddr =
+ mb0->buf_physaddr + digest - ((u8 *) mb0->buf_addr);
- if (cipher_alg->alg == RTE_CRYPTO_CIPHER_AES_CBC)
+ if (!is_aead && cipher_alg->alg == RTE_CRYPTO_CIPHER_AES_CBC)
clib_memcpy(icb, iv, 16);
else /* CTR/GCM */
{
u32 *_iv = (u32 *) iv;
crypto_set_icb (icb, sa0->salt, _iv[0], _iv[1]);
-#if DPDK_NO_AEAD
- iv_size = 16;
-#else
- iv_size = 12;
-#endif
}
if (is_aead)
{
aad = priv->aad;
- clib_memcpy(aad, esp0, 8);
+ u32 * _aad = (u32 *) aad;
+ clib_memcpy (aad, esp0, 8);
+
+ /* _aad[3] should always be 0 */
if (PREDICT_FALSE (sa0->use_esn))
- {
- *((u32*)&aad[8]) = sa0->seq_hi;
- aad_size = 12;
- }
+ _aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
else
- aad_size = 8;
+ _aad[2] = 0;
}
else
{
if (sa0->use_esn)
{
clib_memcpy (priv->icv, digest, trunc_size);
- *((u32*) digest) = sa0->seq_hi;
+ u32 *_digest = (u32 *) digest;
+ _digest[0] = clib_host_to_net_u32 (sa0->seq_hi);
auth_len += sizeof(sa0->seq_hi);
digest = priv->icv;
}
}
- crypto_op_setup (is_aead, mb0, op, session,
- cipher_off, cipher_len, (u8 *) icb, iv_size,
- 0, auth_len, aad, aad_size,
- digest, digest_paddr, trunc_size);
+ crypto_op_setup (is_aead, mb0, op, session, cipher_off, cipher_len,
+ 0, auth_len, aad, digest, digest_paddr);
trace:
if (PREDICT_FALSE(b0->flags & VLIB_BUFFER_IS_TRACED))
{
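Review bot: In the non-AEAD ESN branch `digest` is repointed to `priv->icv`, but `digest_paddr` was computed earlier from the packet tail and is not updated in the lines shown, so `crypto_op_setup` would receive a virtual and a physical digest address that refer to different memory. The packet tail has also just been overwritten with `seq_hi`, so if no update exists outside the visible lines, a device that reads the digest by physical address would verify the ICV against the wrong bytes. The branch should recompute `digest_paddr` for the `priv->icv` copy next to `digest = priv->icv;`. Separately, the AEAD branch relies on `/* _aad[3] should always be 0 */` with nothing visible enforcing it; either write `_aad[3] = 0;` there or say in the comment where `priv->aad` is zeroed, since that word may be covered by the AAD length the session now fixes. The enclosing function starts and ends outside this hunk.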
CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
esp_decrypt_trace_t * t = va_arg (*args, esp_decrypt_trace_t *);
- uword indent = format_get_indent (s);
+ u32 indent = format_get_indent (s);
s = format (s, "cipher %U auth %U\n",
format_ipsec_crypto_alg, t->crypto_alg,
cipher_alg = vec_elt_at_index (dcm->cipher_algs, sa0->crypto_alg);
auth_alg = vec_elt_at_index (dcm->auth_algs, sa0->integ_alg);
-#if DPDK_NO_AEAD
- is_aead = (sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128 |
- sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_192 |
- sa0->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_256);
-#else
is_aead = cipher_alg->type == RTE_CRYPTO_SYM_XFORM_AEAD;
-#endif
if (is_aead)
auth_alg = cipher_alg;
esp_replay_advance(sa0, seq);
}
- /* FIXME ip header */
- ih4 = (ip4_header_t *) (b0->data + sizeof(ethernet_header_t));
+ ih4 = (ip4_header_t *) (b0->data + vnet_buffer(b0)->l3_hdr_offset);
vlib_buffer_advance (b0, sizeof (esp_header_t) + iv_size);
b0->flags |= VLIB_BUFFER_TOTAL_LENGTH_VALID;
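Review bot: Nothing in this hunk checks that `vnet_buffer(b0)->l3_hdr_offset` was populated by an upstream node and still points inside the buffer, ahead of the ESP header, before `ih4` is dereferenced. The version nibble read through `ih4` later selects the IPv4 or IPv6 path, and the header is then copied with `memmove`, so a stale or unset offset on this post-decrypt path would parse and copy unrelated buffer bytes. I would at least document the dependency with a comment such as `/* l3_hdr_offset is set on the input path and must precede the ESP header */`. A debug check along the lines of `ASSERT (vnet_buffer (b0)->l3_hdr_offset < b0->current_data);` would also help, assuming both fields are offsets from `b0->data` at this point. The surrounding function body lies outside the hunk.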
memmove(oh4, ih4, ih4_len);
next0 = ESP_DECRYPT_NEXT_IP4_INPUT;
- u16 old_ttl_prot =
- ((u16) oh4->ttl) << 8 | (u16) oh4->protocol;
- u16 new_ttl_prot =
- ((u16) oh4->ttl) << 8 | (u16) f0->next_header;
oh4->protocol = f0->next_header;
- u16 new_len = clib_host_to_net_u16 (b0->current_length);
- oh4->length = new_len;
- /* rfc1264 incremental checksum update */
- oh4->checksum = ~(~oh4->checksum + ~oh4->length + new_len +
- ~old_ttl_prot + new_ttl_prot);
-
+ oh4->length = clib_host_to_net_u16 (b0->current_length);
+ oh4->checksum = ip4_header_checksum(oh4);
}
else if ((ih4->ip_version_and_header_length & 0xF0) == 0x60)
{
- /* FIXME find ip header */
- ih6 = (ip6_header_t *) (b0->data + sizeof(ethernet_header_t));
+ ih6 = (ip6_header_t *) ih4;
vlib_buffer_advance (b0, -sizeof(ip6_header_t));
oh6 = vlib_buffer_get_current (b0);
memmove(oh6, ih6, sizeof(ip6_header_t));