_(DECRYPTION_FAILED, "ESP decryption failed") \
_(REPLAY, "SA replayed packet") \
_(NOT_IP, "Not IP packet (dropped)") \
- _(ENQ_FAIL, "Enqueue failed (buffer full)") \
- _(DISCARD, "Not enough crypto operations, discarding frame") \
+ _(ENQ_FAIL, "Enqueue decrypt failed (queue full)") \
+ _(DISCARD, "Not enough crypto operations") \
_(BAD_LEN, "Invalid ciphertext length") \
_(SESSION, "Failed to get crypto session") \
_(NOSUP, "Cipher/Auth not supported")
{
if (is_ip6)
vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index,
- ESP_DECRYPT_ERROR_DISCARD, 1);
+ ESP_DECRYPT_ERROR_DISCARD, n_left_from);
else
vlib_node_increment_counter (vm, dpdk_esp4_decrypt_node.index,
- ESP_DECRYPT_ERROR_DISCARD, 1);
+ ESP_DECRYPT_ERROR_DISCARD, n_left_from);
/* Discard whole frame */
+ vlib_buffer_free (vm, from, n_left_from);
return n_left_from;
}
if (PREDICT_FALSE (res_idx == (u16) ~ 0))
{
- clib_warning ("unsupported SA by thread index %u",
- thread_idx);
if (is_ip6)
vlib_node_increment_counter (vm,
dpdk_esp6_decrypt_node.index,
error = crypto_get_session (&session, sa_index0, res, cwm, 0);
if (PREDICT_FALSE (error || !session))
{
- clib_warning ("failed to get crypto session");
if (is_ip6)
vlib_node_increment_counter (vm,
dpdk_esp6_decrypt_node.index,
}
/* anti-replay check */
- if (ipsec_sa_anti_replay_check (sa0, &esp0->seq))
+ if (ipsec_sa_anti_replay_check
+ (sa0, clib_host_to_net_u32 (esp0->seq)))
{
- clib_warning ("failed anti-replay check");
if (is_ip6)
vlib_node_increment_counter (vm,
dpdk_esp6_decrypt_node.index,
if (is_ip6)
priv->next = DPDK_CRYPTO_INPUT_NEXT_DECRYPT6_POST;
else
- priv->next = DPDK_CRYPTO_INPUT_NEXT_DECRYPT4_POST;
+ {
+ priv->next = DPDK_CRYPTO_INPUT_NEXT_DECRYPT4_POST;
+ b0->flags |= VNET_BUFFER_F_IS_IP4;
+ }
/* FIXME multi-seg */
vlib_increment_combined_counter
if (payload_len & (cipher_alg->boundary - 1))
{
- clib_warning ("payload %u not multiple of %d\n",
- payload_len, cipher_alg->boundary);
if (is_ip6)
vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index,
ESP_DECRYPT_ERROR_BAD_LEN, 1);
/* _aad[3] should always be 0 */
if (PREDICT_FALSE (ipsec_sa_is_set_USE_ESN (sa0)))
- _aad[2] = clib_host_to_net_u32 (sa0->seq_hi);
+ {
+ _aad[2] = _aad[1];
+ _aad[1] = clib_host_to_net_u32 (sa0->seq_hi);
+ }
else
_aad[2] = 0;
}
iv_size = cipher_alg->iv_len;
- ipsec_sa_anti_replay_advance (sa0, esp0->seq);
+ ipsec_sa_anti_replay_advance (sa0,
+ clib_host_to_net_u32 (esp0->seq));
/* if UDP encapsulation is used adjust the address of the IP header */
if (ipsec_sa_is_set_UDP_ENCAP (sa0)
{
if (f0->next_header == IP_PROTOCOL_IP_IN_IP)
next0 = ESP_DECRYPT_NEXT_IP4_INPUT;
- else if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa0)
- && f0->next_header == IP_PROTOCOL_IPV6)
+ else if (f0->next_header == IP_PROTOCOL_IPV6)
next0 = ESP_DECRYPT_NEXT_IP6_INPUT;
else
{
if ((ih4->ip_version_and_header_length & 0xF0) == 0x40)
{
u16 ih4_len = ip4_header_bytes (ih4);
- vlib_buffer_advance (b0, -ih4_len - udp_encap_adv);
+ vlib_buffer_advance (b0, -ih4_len);
next0 = ESP_DECRYPT_NEXT_IP4_INPUT;
- if (!ipsec_sa_is_set_UDP_ENCAP (sa0))
- {
- oh4 = vlib_buffer_get_current (b0);
- memmove (oh4, ih4, ih4_len);
- oh4->protocol = f0->next_header;
- oh4->length = clib_host_to_net_u16 (b0->current_length);
- oh4->checksum = ip4_header_checksum (oh4);
- }
+
+ oh4 = vlib_buffer_get_current (b0);
+ memmove (oh4, ih4, ih4_len);
+ oh4->protocol = f0->next_header;
+ oh4->length = clib_host_to_net_u16 (b0->current_length);
+ oh4->checksum = ip4_header_checksum (oh4);
}
else if ((ih4->ip_version_and_header_length & 0xF0) == 0x60)
{