ipsec: ipsec.h tidy up

[vpp.git] / src / vnet / ipsec / ah_decrypt.c
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c

index bc6b5c4..a5e277e 100644 (file)
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -24,10 +24,11 @@
  #include <vnet/ipsec/ah.h>
  #include <vnet/ipsec/ipsec_io.h>
  
-#define foreach_ah_decrypt_next \
-  _ (DROP, "error-drop")        \
-  _ (IP4_INPUT, "ip4-input")    \
-  _ (IP6_INPUT, "ip6-input")
+#define foreach_ah_decrypt_next                 \
+  _(DROP, "error-drop")                         \
+  _(IP4_INPUT, "ip4-input")                     \
+  _(IP6_INPUT, "ip6-input")                     \
+  _(HANDOFF, "handoff")
  
  #define _(v, s) AH_DECRYPT_NEXT_##v,
  typedef enum
@@ -175,6 +176,22 @@ ah_decrypt_inline (vlib_main_t * vm,
                                           thread_index, current_sa_index);
         }
  
+      if (PREDICT_FALSE (~0 == sa0->thread_index))
+       {
+         /* this is the first packet to use this SA, claim the SA
+          * for this thread. this could happen simultaneously on
+          * another thread */
+         clib_atomic_cmp_and_swap (&sa0->thread_index, ~0,
+                                   ipsec_sa_assign_thread (thread_index));
+       }
+
+      if (PREDICT_TRUE (thread_index != sa0->thread_index))
+       {
+         vnet_buffer (b[0])->ipsec.thread_index = sa0->thread_index;
+         next[0] = AH_DECRYPT_NEXT_HANDOFF;
+         goto next;
+       }
+
        pd->sa_index = current_sa_index;
  
        ih4 = vlib_buffer_get_current (b[0]);
@@ -184,7 +201,8 @@ ah_decrypt_inline (vlib_main_t * vm,
        if (is_ip6)
         {
           ip6_ext_header_t *prev = NULL;
-         ip6_ext_header_find_t (ih6, prev, ah0, IP_PROTOCOL_IPSEC_AH);
+         ah0 =
+           ip6_ext_header_find (vm, b[0], ih6, IP_PROTOCOL_IPSEC_AH, &prev);
           pd->ip_hdr_size = sizeof (ip6_header_t);
           ASSERT ((u8 *) ah0 - (u8 *) ih6 == pd->ip_hdr_size);
         }
@@ -303,6 +321,13 @@ ah_decrypt_inline (vlib_main_t * vm,
  
        if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
         {
+         /* redo the anit-reply check. see esp_decrypt for details */
+         if (ipsec_sa_anti_replay_check (sa0, pd->seq))
+           {
+             b[0]->error = node->errors[AH_DECRYPT_ERROR_REPLAY];
+             next[0] = AH_DECRYPT_NEXT_DROP;
+             goto trace;
+           }
           ipsec_sa_anti_replay_advance (sa0, pd->seq);
         }
  
@@ -413,9 +438,10 @@ VLIB_REGISTER_NODE (ah4_decrypt_node) = {
  
    .n_next_nodes = AH_DECRYPT_N_NEXT,
    .next_nodes = {
-#define _(s,n) [AH_DECRYPT_NEXT_##s] = n,
-    foreach_ah_decrypt_next
-#undef _
+    [AH_DECRYPT_NEXT_DROP] = "ip4-drop",
+    [AH_DECRYPT_NEXT_IP4_INPUT] = "ip4-input-no-checksum",
+    [AH_DECRYPT_NEXT_IP6_INPUT] = "ip6-input",
+    [AH_DECRYPT_NEXT_HANDOFF] = "ah4-decrypt-handoff",
    },
  };
  /* *INDENT-ON* */
@@ -439,13 +465,33 @@ VLIB_REGISTER_NODE (ah6_decrypt_node) = {
  
    .n_next_nodes = AH_DECRYPT_N_NEXT,
    .next_nodes = {
-#define _(s,n) [AH_DECRYPT_NEXT_##s] = n,
-    foreach_ah_decrypt_next
-#undef _
+    [AH_DECRYPT_NEXT_DROP] = "ip6-drop",
+    [AH_DECRYPT_NEXT_IP4_INPUT] = "ip4-input-no-checksum",
+    [AH_DECRYPT_NEXT_IP6_INPUT] = "ip6-input",
+    [AH_DECRYPT_NEXT_HANDOFF] = "ah6-decrypt-handoff",
    },
  };
  /* *INDENT-ON* */
  
+#ifndef CLIB_MARCH_VARIANT
+
+static clib_error_t *
+ah_decrypt_init (vlib_main_t *vm)
+{
+  ipsec_main_t *im = &ipsec_main;
+
+  im->ah4_dec_fq_index =
+    vlib_frame_queue_main_init (ah4_decrypt_node.index, 0);
+  im->ah6_dec_fq_index =
+    vlib_frame_queue_main_init (ah6_decrypt_node.index, 0);
+
+  return 0;
+}
+
+VLIB_INIT_FUNCTION (ah_decrypt_init);
+
+#endif
+
  /*
   * fd.io coding-style-patch-verification: ON
   *