};
u8 is_ip6;
u32 seq;
+ u32 sa_index;
} ipsec_tun_protect_input_trace_t;
static u8 *
va_arg (*args, ipsec_tun_protect_input_trace_t *);
if (t->is_ip6)
- s = format (s, "IPSec: %U seq %u",
- format_ipsec6_tunnel_key, &t->key6, t->seq);
+ s = format (s, "IPSec: %U seq %u sa %d",
+ format_ipsec6_tunnel_key, &t->key6, t->seq, t->sa_index);
else
- s = format (s, "IPSec: %U seq %u",
- format_ipsec4_tunnel_key, &t->key4, t->seq);
+ s = format (s, "IPSec: %U seq %u sa %d",
+ format_ipsec4_tunnel_key, &t->key4, t->seq, t->sa_index);
return s;
}
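Review bot: `sa_index` is declared `u32` in the trace struct but both new format strings print it with `%d` (lines `"IPSec: %U seq %u sa %d"`), so an unset or invalid index such as `~0` would be shown as `-1`, while the adjacent `seq` field is already printed with `%u`. Using `"IPSec: %U seq %u sa %u"` in both branches keeps the two fields consistent and prints the index as the unsigned value the struct stores. The enclosing format function's name and signature lines are outside this hunk.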
n_bytes = len0;
}
- /*
- * compare the packet's outer IP headers to that of the tunnels
- */
- if (is_ip6)
- {
- if (PREDICT_FALSE
- (!ip46_address_is_equal_v6
- (&itp0->itp_crypto.dst, &ip60->src_address)
- || !ip46_address_is_equal_v6 (&itp0->itp_crypto.src,
- &ip60->dst_address)))
- {
- b[0]->error =
- node->errors
- [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH];
- next[0] = IPSEC_INPUT_NEXT_DROP;
- goto trace00;
- }
- }
- else
- {
- if (PREDICT_FALSE
- (!ip46_address_is_equal_v4
- (&itp0->itp_crypto.dst, &ip40->src_address)
- || !ip46_address_is_equal_v4 (&itp0->itp_crypto.src,
- &ip40->dst_address)))
- {
- b[0]->error =
- node->errors
- [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH];
- next[0] = IPSEC_INPUT_NEXT_DROP;
- goto trace00;
- }
- }
-
- /*
- * There are two encap possibilities
- * 1) the tunnel and ths SA are prodiving encap, i.e. it's
- * MAC | SA-IP | TUN-IP | ESP | PAYLOAD
- * implying the SA is in tunnel mode (on a tunnel interface)
- * 2) only the tunnel provides encap
- * MAC | TUN-IP | ESP | PAYLOAD
- * implying the SA is in transport mode.
- *
- * For 2) we need only strip the tunnel encap and we're good.
- * since the tunnel and crypto ecnap (int the tun=protect
- * object) are the same and we verified above that these match
- * for 1) we need to strip the SA-IP outer headers, to
- * reveal the tunnel IP and then check that this matches
- * the configured tunnel. this we can;t do here since it
- * involves a lookup in the per-tunnel-type DB - so ship
- * the packet to the tunnel-types provided node to do that
- */
next[0] = IPSEC_TUN_PROTECT_NEXT_DECRYPT;
}
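Review bot: With the outer-address comparison removed, the new path sets `next[0] = IPSEC_TUN_PROTECT_NEXT_DECRYPT` without any check in this hunk that the packet's outer src/dst match `itp0->itp_crypto`, and the TUNNEL_MISMATCH error path is gone; unless the lookup that produced `itp0` (outside this hunk) already keys on both outer addresses, the binding between the packet's outer header and the tunnel endpoints is now enforced only by the decrypt node, if at all. A short comment stating where that check now lives would let a reader confirm the drop is intentional, e.g. `/* outer src/dst vs tunnel endpoints: verified by the key lookup above / in the decrypt node */` with the correct location filled in. The removed block also contained the only two `goto trace00` sites visible here; if no other jump to `trace00:` remains in the function, the label is now unused and will draw an unused-label warning. The enclosing loop body starts before this hunk.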
trace00:
else
clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
tr->is_ip6 = is_ip6;
- tr->seq = clib_host_to_net_u32 (esp0->seq);
+ tr->seq = (len0 >= sizeof (*esp0) ?
+ clib_host_to_net_u32 (esp0->seq) : ~0);
+ tr->sa_index = vnet_buffer (b[0])->ipsec.sad_index;
}
}
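Review bot: The new `tr->seq` assignment falls back to `~0` when `len0 < sizeof (*esp0)`, but nothing documents that sentinel, so a reader of the trace output cannot tell a genuine sequence number of 0xffffffff from "packet too short to carry an ESP header". A comment above the assignment would make it explicit, e.g. `/* ~0: packet shorter than an ESP header, no sequence number to report */`. It is also worth noting in that comment that this length guard protects only the trace read; the decrypt path must do its own bounds check on `esp0`, which I cannot see from this hunk. The enclosing trace block starts before this hunk.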