diff options
author | Damjan Marion <damarion@cisco.com> | 2019-03-28 19:19:31 +0100 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2019-03-28 19:59:04 +0000 |
commit | 1f4e1cbf576fc6ab4e871ba0603028112074b43b (patch) | |
tree | c433fb1f14c57dfa134ee6d436bb1c389b16b716 /src/plugins/dpdk/ipsec/esp_decrypt.c | |
parent | b38ee6642553cd38da195af1fcb2b2cd124aa307 (diff) |
ipsec: anti-replay code cleanup
Change-Id: Ib73352d6be26d639a7f9d47ca0570a1248bff04a
Signed-off-by: Damjan Marion <damarion@cisco.com>
Diffstat (limited to 'src/plugins/dpdk/ipsec/esp_decrypt.c')
-rw-r--r-- | src/plugins/dpdk/ipsec/esp_decrypt.c | 50 |
1 files changed, 15 insertions, 35 deletions
diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c index dcc276f99bc..349f04c0f8c 100644 --- a/src/plugins/dpdk/ipsec/esp_decrypt.c +++ b/src/plugins/dpdk/ipsec/esp_decrypt.c @@ -140,7 +140,7 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm, while (n_left_from > 0 && n_left_to_next > 0) { clib_error_t *error; - u32 bi0, sa_index0, seq, iv_size; + u32 bi0, sa_index0, iv_size; u8 trunc_size; vlib_buffer_t *b0; esp_header_t *esp0; @@ -234,33 +234,21 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm, } /* anti-replay check */ - if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa0)) + if (ipsec_sa_anti_replay_check (sa0, &esp0->seq)) { - int rv = 0; - - seq = clib_net_to_host_u32 (esp0->seq); - - if (PREDICT_TRUE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0))) - rv = esp_replay_check_esn (sa0, seq); + clib_warning ("failed anti-replay check"); + if (is_ip6) + vlib_node_increment_counter (vm, + dpdk_esp6_decrypt_node.index, + ESP_DECRYPT_ERROR_REPLAY, 1); else - rv = esp_replay_check (sa0, seq); - - if (PREDICT_FALSE (rv)) - { - clib_warning ("failed anti-replay check"); - if (is_ip6) - vlib_node_increment_counter (vm, - dpdk_esp6_decrypt_node.index, - ESP_DECRYPT_ERROR_REPLAY, 1); - else - vlib_node_increment_counter (vm, - dpdk_esp4_decrypt_node.index, - ESP_DECRYPT_ERROR_REPLAY, 1); - to_next[0] = bi0; - to_next += 1; - n_left_to_next -= 1; - goto trace; - } + vlib_node_increment_counter (vm, + dpdk_esp4_decrypt_node.index, + ESP_DECRYPT_ERROR_REPLAY, 1); + to_next[0] = bi0; + to_next += 1; + n_left_to_next -= 1; + goto trace; } if (is_ip6) @@ -560,15 +548,7 @@ dpdk_esp_decrypt_post_inline (vlib_main_t * vm, iv_size = cipher_alg->iv_len; - if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa0)) - { - u32 seq; - seq = clib_host_to_net_u32 (esp0->seq); - if (PREDICT_TRUE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0))) - esp_replay_advance_esn (sa0, seq); - else - esp_replay_advance (sa0, seq); - } + ipsec_sa_anti_replay_advance (sa0, &esp0->seq); /* if UDP encapsulation is used adjust the address of the IP header */ if (ipsec_sa_is_set_UDP_ENCAP (sa0) |