{
u32 n_left_from, *from, next_index, *to_next, thread_index;
ipsec_main_t *im = &ipsec_main;
- ipsec_proto_main_t *em = &ipsec_proto_main;
from = vlib_frame_vector_args (from_frame);
n_left_from = from_frame->n_vectors;
int icv_size;
seq = clib_host_to_net_u32 (ah0->seq_no);
/* anti-replay check */
- if (sa0->use_anti_replay)
+ if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa0))
{
int rv = 0;
- if (PREDICT_TRUE (sa0->use_esn))
+ if (PREDICT_TRUE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0)))
rv = esp_replay_check_esn (sa0, seq);
else
rv = esp_replay_check (sa0, seq);
if (PREDICT_FALSE (rv))
{
- vlib_node_increment_counter (vm, node->node_index,
- AH_DECRYPT_ERROR_REPLAY, 1);
+ i_b0->error = node->errors[AH_DECRYPT_ERROR_REPLAY];
goto trace;
}
}
(&ipsec_sa_counters, thread_index, sa_index0,
1, i_b0->current_length);
- icv_size =
- em->ipsec_proto_main_integ_algs[sa0->integ_alg].trunc_size;
+ icv_size = sa0->integ_trunc_size;
if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
{
u8 sig[64];
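Review bot: Nothing in this hunk bounds `icv_size` now that it is read from the SA (`icv_size = sa0->integ_trunc_size;`), although it is later used as a byte count against the fixed `u8 sig[64]` buffer in `memcmp (digest, sig, icv_size)`. If SA setup does not already guarantee the value is at most 64, and no larger than the authentication data actually present in the packet (neither is visible here), an oversized value would read past the stack buffer. I would add `ASSERT (icv_size <= sizeof (sig));` right after the declaration, or drop the packet when the bound fails so that release builds are covered too. The enclosing `if` block continues outside the hunk.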
icv_padding_len =
ah_calc_icv_padding_len (icv_size, 0 /* is_ipv6 */ );
}
- hmac_calc (sa0->integ_alg, sa0->integ_key.data,
- sa0->integ_key.len, (u8 *) ih4, i_b0->current_length,
- sig, sa0->use_esn, sa0->seq_hi);
+ hmac_calc (vm, sa0, (u8 *) ih4, i_b0->current_length, sig);
if (PREDICT_FALSE (memcmp (digest, sig, icv_size)))
{
- vlib_node_increment_counter (vm, node->node_index,
- AH_DECRYPT_ERROR_INTEG_ERROR,
- 1);
+ i_b0->error = node->errors[AH_DECRYPT_ERROR_INTEG_ERROR];
goto trace;
}
- if (PREDICT_TRUE (sa0->use_anti_replay))
+ if (PREDICT_TRUE (ipsec_sa_is_set_USE_ANTI_REPLAY (sa0)))
{
- if (PREDICT_TRUE (sa0->use_esn))
+ if (PREDICT_TRUE
+ (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0)))
esp_replay_advance_esn (sa0, seq);
else
esp_replay_advance (sa0, seq);
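Review bot: The ICV check that follows the new `hmac_calc (vm, sa0, ...)` call still uses `memcmp (digest, sig, icv_size)`, which returns at the first differing byte, so the time taken to reject a packet can reveal how many leading ICV bytes matched. A constant-time comparison removes that signal, for example `if (PREDICT_FALSE (CRYPTO_memcmp (digest, sig, icv_size)))` if the OpenSSL headers are already available in this file, or an XOR-accumulate loop over `icv_size` bytes otherwise. Separately, the result of the new `hmac_calc` call is discarded and `sig` is declared without an initializer. If `hmac_calc` can fail without writing `sig` (not visible here), the comparison runs against stack contents, so either check its result or declare `u8 sig[64] = { 0 };`. The surrounding block starts and ends outside this hunk.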
icv_padding_len);
i_b0->flags |= VLIB_BUFFER_TOTAL_LENGTH_VALID;
- if (PREDICT_TRUE (sa0->is_tunnel))
+ if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0)))
{ /* tunnel mode */
if (PREDICT_TRUE (ah0->nexthdr == IP_PROTOCOL_IP_IN_IP))
next0 = AH_DECRYPT_NEXT_IP4_INPUT;
next0 = AH_DECRYPT_NEXT_IP6_INPUT;
else
{
- vlib_node_increment_counter (vm, node->node_index,
- AH_DECRYPT_ERROR_DECRYPTION_FAILED,
- 1);
+ i_b0->error =
+ node->errors[AH_DECRYPT_ERROR_DECRYPTION_FAILED];
goto trace;
}
}