X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fesp_encrypt.c;h=861b3e98650b080b59175f6f4d5857773fdf6359;hb=5527a78ed96043d2c26e3271066c50b44dd7fc0b;hp=7fa5ec98c29295c75ef749e0d886316ddb9c6269;hpb=c14b8cfe601b7b56e946e5f518e82a47e223c721;p=vpp.git diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 7fa5ec98c29..861b3e98650 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -23,6 +23,7 @@ #include #include +#include #include #include @@ -43,31 +44,6 @@ typedef enum ESP_ENCRYPT_N_NEXT, } esp_encrypt_next_t; -#define foreach_esp_encrypt_error \ - _ (RX_PKTS, "ESP pkts received") \ - _ (POST_RX_PKTS, "ESP-post pkts received") \ - _ (HANDOFF, "Hand-off") \ - _ (SEQ_CYCLED, "sequence number cycled (packet dropped)") \ - _ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \ - _ (CRYPTO_QUEUE_FULL, "crypto queue full (packet dropped)") \ - _ (NO_BUFFERS, "no buffers (packet dropped)") \ - _ (NO_PROTECTION, "no protecting SA (packet dropped)") \ - _ (NO_ENCRYPTION, "no Encrypting SA (packet dropped)") - -typedef enum -{ -#define _(sym,str) ESP_ENCRYPT_ERROR_##sym, - foreach_esp_encrypt_error -#undef _ - ESP_ENCRYPT_N_ERROR, -} esp_encrypt_error_t; - -static char *esp_encrypt_error_strings[] = { -#define _(sym,string) string, - foreach_esp_encrypt_error -#undef _ -}; - typedef struct { u32 sa_index; @@ -84,6 +60,8 @@ typedef struct u32 next_index; } esp_encrypt_post_trace_t; +typedef vl_counter_esp_encrypt_enum_t esp_encrypt_error_t; + /* packet trace format function */ static u8 * format_esp_encrypt_trace (u8 * s, va_list * args) @@ -237,6 +215,25 @@ esp_get_ip6_hdr_len (ip6_header_t * ip6, ip6_ext_header_t ** ext_hdr) return len; } +/* IPsec IV generation: IVs requirements differ depending of the + * encryption mode: IVs must be unpredictable for AES-CBC whereas it can + * be predictable but should never be reused with the same key material + * for CTR and GCM. + * To avoid reusing the same IVs between multiple VPP instances and between + * restarts, we use a properly chosen PRNG to generate IVs. To ensure the IV is + * unpredictable for CBC, it is then encrypted using the same key as the + * message. You can refer to NIST SP800-38a and NIST SP800-38d for more + * details. */ +static_always_inline void * +esp_generate_iv (ipsec_sa_t *sa, void *payload, int iv_sz) +{ + ASSERT (iv_sz >= sizeof (u64)); + u64 *iv = (u64 *) (payload - iv_sz); + clib_memset_u8 (iv, 0, iv_sz); + *iv = clib_pcg64i_random_r (&sa->iv_prng); + return iv; +} + static_always_inline void esp_process_chained_ops (vlib_main_t * vm, vlib_node_runtime_t * node, vnet_crypto_op_t * ops, vlib_buffer_t * b[], @@ -258,8 +255,10 @@ esp_process_chained_ops (vlib_main_t * vm, vlib_node_runtime_t * node, if (op->status != VNET_CRYPTO_OP_STATUS_COMPLETED) { u32 bi = op->user_data; - b[bi]->error = node->errors[ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR]; - nexts[bi] = drop_next; + esp_encrypt_set_next_index (b[bi], node, vm->thread_index, + ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR, + bi, nexts, drop_next, + vnet_buffer (b[bi])->ipsec.sad_index); n_fail--; } op++; @@ -286,8 +285,10 @@ esp_process_ops (vlib_main_t * vm, vlib_node_runtime_t * node, if (op->status != VNET_CRYPTO_OP_STATUS_COMPLETED) { u32 bi = op->user_data; - b[bi]->error = node->errors[ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR]; - nexts[bi] = drop_next; + esp_encrypt_set_next_index (b[bi], node, vm->thread_index, + ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR, + bi, nexts, drop_next, + vnet_buffer (b[bi])->ipsec.sad_index); n_fail--; } op++; @@ -390,27 +391,29 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, vnet_crypto_op_t *op; vec_add2_aligned (crypto_ops[0], op, 1, CLIB_CACHE_LINE_BYTES); vnet_crypto_op_init (op, sa0->crypto_enc_op_id); + u8 *crypto_start = payload; + /* esp_add_footer_and_icv() in esp_encrypt_inline() makes sure we always + * have enough space for ESP header and footer which includes ICV */ + ASSERT (payload_len > icv_sz); + u16 crypto_len = payload_len - icv_sz; + + /* generate the IV in front of the payload */ + void *pkt_iv = esp_generate_iv (sa0, payload, iv_sz); - op->src = op->dst = payload; op->key_index = sa0->crypto_key_index; - op->len = payload_len - icv_sz; op->user_data = bi; if (ipsec_sa_is_set_IS_CTR (sa0)) { - ASSERT (sizeof (u64) == iv_sz); /* construct nonce in a scratch space in front of the IP header */ esp_ctr_nonce_t *nonce = - (esp_ctr_nonce_t *) (payload - sizeof (u64) - hdr_len - - sizeof (*nonce)); - u64 *pkt_iv = (u64 *) (payload - sizeof (u64)); - + (esp_ctr_nonce_t *) (pkt_iv - hdr_len - sizeof (*nonce)); if (ipsec_sa_is_set_IS_AEAD (sa0)) { /* constuct aad in a scratch space in front of the nonce */ op->aad = (u8 *) nonce - sizeof (esp_aead_t); op->aad_len = esp_aad_fill (op->aad, esp, sa0, seq_hi); - op->tag = payload + op->len; + op->tag = payload + crypto_len; op->tag_len = 16; } else @@ -419,23 +422,34 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, } nonce->salt = sa0->salt; - nonce->iv = *pkt_iv = clib_host_to_net_u64 (sa0->ctr_iv_counter++); + nonce->iv = *(u64 *) pkt_iv; op->iv = (u8 *) nonce; } else { - op->iv = payload - iv_sz; - op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV; + /* construct zero iv in front of the IP header */ + op->iv = pkt_iv - hdr_len - iv_sz; + clib_memset_u8 (op->iv, 0, iv_sz); + /* include iv field in crypto */ + crypto_start -= iv_sz; + crypto_len += iv_sz; } - if (lb != b[0]) + if (PREDICT_FALSE (lb != b[0])) { /* is chained */ op->flags |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS; op->chunk_index = vec_len (ptd->chunks); op->tag = vlib_buffer_get_tail (lb) - icv_sz; - esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz, payload, - payload_len, &op->n_chunks); + esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz, + crypto_start, crypto_len + icv_sz, + &op->n_chunks); + } + else + { + /* not chained */ + op->src = op->dst = crypto_start; + op->len = crypto_len; } } @@ -484,33 +498,30 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, esp_post_data_t *post = esp_post_data (b); u8 *tag, *iv, *aad = 0; u8 flag = 0; - u32 key_index; - i16 crypto_start_offset, integ_start_offset = 0; + const u32 key_index = sa->crypto_key_index; + i16 crypto_start_offset, integ_start_offset; u16 crypto_total_len, integ_total_len; post->next_index = next; /* crypto */ - crypto_start_offset = payload - b->data; + crypto_start_offset = integ_start_offset = payload - b->data; crypto_total_len = integ_total_len = payload_len - icv_sz; tag = payload + crypto_total_len; - key_index = sa->linked_key_index; + /* generate the IV in front of the payload */ + void *pkt_iv = esp_generate_iv (sa, payload, iv_sz); if (ipsec_sa_is_set_IS_CTR (sa)) { - ASSERT (sizeof (u64) == iv_sz); /* construct nonce in a scratch space in front of the IP header */ - esp_ctr_nonce_t *nonce = (esp_ctr_nonce_t *) (payload - sizeof (u64) - - hdr_len - sizeof (*nonce)); - u64 *pkt_iv = (u64 *) (payload - sizeof (u64)); - + esp_ctr_nonce_t *nonce = + (esp_ctr_nonce_t *) (pkt_iv - hdr_len - sizeof (*nonce)); if (ipsec_sa_is_set_IS_AEAD (sa)) { /* constuct aad in a scratch space in front of the nonce */ aad = (u8 *) nonce - sizeof (esp_aead_t); esp_aad_fill (aad, esp, sa, sa->seq_hi); - key_index = sa->crypto_key_index; } else { @@ -518,13 +529,17 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, } nonce->salt = sa->salt; - nonce->iv = *pkt_iv = clib_host_to_net_u64 (sa->ctr_iv_counter++); + nonce->iv = *(u64 *) pkt_iv; iv = (u8 *) nonce; } else { - iv = payload - iv_sz; - flag |= VNET_CRYPTO_OP_FLAG_INIT_IV; + /* construct zero iv in front of the IP header */ + iv = pkt_iv - hdr_len - iv_sz; + clib_memset_u8 (iv, 0, iv_sz); + /* include iv field in crypto */ + crypto_start_offset -= iv_sz; + crypto_total_len += iv_sz; } if (lb != b) @@ -532,13 +547,14 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, /* chain */ flag |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS; tag = vlib_buffer_get_tail (lb) - icv_sz; - crypto_total_len = esp_encrypt_chain_crypto (vm, ptd, sa, b, lb, icv_sz, - payload, payload_len, 0); + crypto_total_len = esp_encrypt_chain_crypto ( + vm, ptd, sa, b, lb, icv_sz, b->data + crypto_start_offset, + crypto_total_len + icv_sz, 0); } if (sa->integ_op_id) { - integ_start_offset = crypto_start_offset - iv_sz - sizeof (esp_header_t); + integ_start_offset -= iv_sz + sizeof (esp_header_t); integ_total_len += iv_sz + sizeof (esp_header_t); if (b != lb) @@ -595,8 +611,8 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, ESP_ENCRYPT_NEXT_HANDOFF_MPLS)); vlib_buffer_t *sync_bufs[VLIB_FRAME_SIZE]; u16 sync_nexts[VLIB_FRAME_SIZE], *sync_next = sync_nexts, n_sync = 0; - u16 async_nexts[VLIB_FRAME_SIZE], *async_next = async_nexts, n_async = 0; - u16 noop_nexts[VLIB_FRAME_SIZE], *noop_next = noop_nexts, n_noop = 0; + u16 n_async = 0; + u16 noop_nexts[VLIB_FRAME_SIZE], n_noop = 0; u32 sync_bi[VLIB_FRAME_SIZE]; u32 noop_bi[VLIB_FRAME_SIZE]; esp_encrypt_error_t err; @@ -645,8 +661,8 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (PREDICT_FALSE (INDEX_INVALID == sa_index0)) { err = ESP_ENCRYPT_ERROR_NO_PROTECTION; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - drop_next); + noop_nexts[n_noop] = drop_next; + b[0]->error = node->errors[err]; goto trace; } } @@ -656,10 +672,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (sa_index0 != current_sa_index) { if (current_sa_packets) - vlib_increment_combined_counter (&ipsec_sa_counters, thread_index, - current_sa_index, - current_sa_packets, - current_sa_bytes); + vlib_increment_combined_counter ( + &ipsec_sa_counters, thread_index, current_sa_index, + current_sa_packets, current_sa_bytes); current_sa_packets = current_sa_bytes = 0; sa0 = ipsec_sa_get (sa_index0); @@ -669,14 +684,18 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, !ipsec_sa_is_set_NO_ALGO_NO_DROP (sa0))) { err = ESP_ENCRYPT_ERROR_NO_ENCRYPTION; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, + n_noop, noop_nexts, drop_next, + sa_index0); goto trace; } + current_sa_index = sa_index0; + vlib_prefetch_combined_counter (&ipsec_sa_counters, thread_index, + current_sa_index); + /* fetch the second cacheline ASAP */ clib_prefetch_load (sa0->cacheline1); - current_sa_index = sa_index0; spi = clib_net_to_host_u32 (sa0->spi); esp_align = sa0->esp_block_align; icv_sz = sa0->integ_icv_size; @@ -684,7 +703,7 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, is_async = im->async_mode | ipsec_sa_is_set_IS_ASYNC (sa0); } - if (PREDICT_FALSE (~0 == sa0->thread_index)) + if (PREDICT_FALSE ((u16) ~0 == sa0->thread_index)) { /* this is the first packet to use this SA, claim the SA * for this thread. this could happen simultaneously on @@ -697,8 +716,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { vnet_buffer (b[0])->ipsec.thread_index = sa0->thread_index; err = ESP_ENCRYPT_ERROR_HANDOFF; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - handoff_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, n_noop, + noop_nexts, handoff_next, + current_sa_index); goto trace; } @@ -707,7 +727,8 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (n_bufs == 0) { err = ESP_ENCRYPT_ERROR_NO_BUFFERS; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, n_noop, + noop_nexts, drop_next, current_sa_index); goto trace; } @@ -721,7 +742,8 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (PREDICT_FALSE (esp_seq_advance (sa0))) { err = ESP_ENCRYPT_ERROR_SEQ_CYCLED; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, n_noop, + noop_nexts, drop_next, current_sa_index); goto trace; } @@ -737,8 +759,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (!next_hdr_ptr) { err = ESP_ENCRYPT_ERROR_NO_BUFFERS; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, + n_noop, noop_nexts, drop_next, + current_sa_index); goto trace; } b[0]->flags &= ~VLIB_BUFFER_TOTAL_LENGTH_VALID; @@ -859,8 +882,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if ((old_ip_hdr - ip_len) < &b[0]->pre_data[0]) { err = ESP_ENCRYPT_ERROR_NO_BUFFERS; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, + n_noop, noop_nexts, drop_next, + current_sa_index); goto trace; } @@ -872,8 +896,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, if (!next_hdr_ptr) { err = ESP_ENCRYPT_ERROR_NO_BUFFERS; - esp_set_next_index (b[0], node, err, n_noop, noop_nexts, - drop_next); + esp_encrypt_set_next_index (b[0], node, thread_index, err, + n_noop, noop_nexts, drop_next, + current_sa_index); goto trace; } @@ -909,42 +934,40 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, else l2_len = 0; + u16 len; + len = payload_len_total + hdr_len - l2_len; + if (VNET_LINK_IP6 == lt) { ip6_header_t *ip6 = (ip6_header_t *) (old_ip_hdr); if (PREDICT_TRUE (NULL == ext_hdr)) { *next_hdr_ptr = ip6->protocol; - ip6->protocol = IP_PROTOCOL_IPSEC_ESP; + ip6->protocol = + (udp) ? IP_PROTOCOL_UDP : IP_PROTOCOL_IPSEC_ESP; } else { *next_hdr_ptr = ext_hdr->next_hdr; - ext_hdr->next_hdr = IP_PROTOCOL_IPSEC_ESP; + ext_hdr->next_hdr = + (udp) ? IP_PROTOCOL_UDP : IP_PROTOCOL_IPSEC_ESP; } ip6->payload_length = - clib_host_to_net_u16 (payload_len_total + hdr_len - l2_len - - sizeof (ip6_header_t)); + clib_host_to_net_u16 (len - sizeof (ip6_header_t)); } else if (VNET_LINK_IP4 == lt) { - u16 len; ip4_header_t *ip4 = (ip4_header_t *) (old_ip_hdr); *next_hdr_ptr = ip4->protocol; - len = payload_len_total + hdr_len - l2_len; - if (udp) - { - esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 1); - udp_len = len - ip_len; - } - else - esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 0); + esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, + (udp != NULL)); } clib_memcpy_le64 (ip_hdr, old_ip_hdr, ip_len); if (udp) { + udp_len = len - ip_len; esp_fill_udp_hdr (sa0, udp, udp_len); } @@ -1006,7 +1029,6 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { tr->sa_index = sa_index0; tr->spi = sa0->spi; - tr->spi = sa0->spi; tr->seq = sa0->seq; tr->sa_seq_hi = sa0->seq_hi; tr->udp_encap = ipsec_sa_is_set_UDP_ENCAP (sa0); @@ -1020,7 +1042,6 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { noop_bi[n_noop] = from[b - bufs]; n_noop++; - noop_next++; } else if (!is_async) { @@ -1032,7 +1053,6 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, else { n_async++; - async_next++; } n_left -= 1; b += 1; @@ -1067,7 +1087,8 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { n_noop += esp_async_recycle_failed_submit ( vm, *async_frame, node, ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR, - n_noop, noop_bi, noop_nexts, drop_next); + IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR, n_noop, noop_bi, + noop_nexts, drop_next); vnet_crypto_async_reset_frame (*async_frame); vnet_crypto_async_free_frame (vm, *async_frame); } @@ -1183,8 +1204,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN (esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { [ESP_ENCRYPT_NEXT_DROP4] = "ip4-drop", @@ -1212,8 +1233,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1233,8 +1254,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1253,8 +1274,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1273,8 +1294,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { @@ -1303,8 +1324,8 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp4-encrypt-tun", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1323,8 +1344,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { @@ -1355,8 +1376,8 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp-mpls-encrypt-tun", - .n_errors = ARRAY_LEN (esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; /* *INDENT-ON* */ @@ -1373,8 +1394,8 @@ VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, .n_next_nodes = ESP_ENCRYPT_N_NEXT, .next_nodes = { @@ -1401,8 +1422,8 @@ VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_post_node) = { .type = VLIB_NODE_TYPE_INTERNAL, .sibling_of = "esp-mpls-encrypt-tun", - .n_errors = ARRAY_LEN (esp_encrypt_error_strings), - .error_strings = esp_encrypt_error_strings, + .n_errors = ESP_ENCRYPT_N_ERROR, + .error_counters = esp_encrypt_error_counters, }; #ifndef CLIB_MARCH_VARIANT