{
current_sa_index = vnet_buffer (b[0])->ipsec.sad_index;
sa0 = pool_elt_at_index (im->sad, current_sa_index);
- cpd.icv_sz = sa0->integ_trunc_size;
+ cpd.icv_sz = sa0->integ_icv_size;
cpd.iv_sz = sa0->crypto_iv_size;
cpd.flags = sa0->flags;
cpd.sa_index = current_sa_index;
vnet_crypto_op_t *op;
vec_add2_aligned (ptd->integ_ops, op, 1, CLIB_CACHE_LINE_BYTES);
- vnet_crypto_op_init (op, sa0->integ_op_type);
+ vnet_crypto_op_init (op, sa0->integ_op_id);
op->key = sa0->integ_key.data;
op->key_len = sa0->integ_key.len;
op->src = payload;
- op->hmac_trunc_len = cpd.icv_sz;
op->flags = VNET_CRYPTO_OP_FLAG_HMAC_CHECK;
op->user_data = b - bufs;
- op->dst = payload + len;
+ op->digest = payload + len;
+ op->digest_len = cpd.icv_sz;
op->len = len;
if (PREDICT_TRUE (sa0->flags & IPSEC_SA_FLAG_USE_ESN))
{
payload += esp_sz;
len -= esp_sz;
- if (sa0->crypto_enc_op_type != VNET_CRYPTO_OP_NONE)
+ if (sa0->crypto_enc_op_id != VNET_CRYPTO_OP_NONE)
{
vnet_crypto_op_t *op;
vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES);
- vnet_crypto_op_init (op, sa0->crypto_dec_op_type);
+ vnet_crypto_op_init (op, sa0->crypto_dec_op_id);
op->key = sa0->crypto_key.data;
+ op->key_len = sa0->crypto_key.len;
op->iv = payload;
+ op->iv_len = cpd.iv_sz;
op->src = op->dst = payload += cpd.iv_sz;
op->len = len;
op->user_data = b - bufs;
op++;
}
}
-
if ((n = vec_len (ptd->crypto_ops)))
{
vnet_crypto_op_t *op = ptd->crypto_ops;
ASSERT (op - ptd->crypto_ops < vec_len (ptd->crypto_ops));
if (op->status != VNET_CRYPTO_OP_STATUS_COMPLETED)
{
- u32 bi = op->user_data;
- u32 err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR;
+ u32 err, bi;
+
+ bi = op->user_data;
+
+ if (op->status == VNET_CRYPTO_OP_STATUS_FAIL_BAD_HMAC)
+ err = ESP_DECRYPT_ERROR_INTEG_ERROR;
+ else
+ err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR;
+
bufs[bi]->error = node->errors[err];
nexts[bi] = ESP_DECRYPT_NEXT_DROP;
n--;
}
}
- if (vnet_buffer (b[0])->ipsec.flags & IPSEC_FLAG_IPSEC_GRE_TUNNEL)
+ if (PREDICT_FALSE (ipsec_sa_is_set_IS_GRE (sa0)))
next[0] = ESP_DECRYPT_NEXT_IPSEC_GRE_INPUT;
trace: