summaryrefslogtreecommitdiffstats
path: root/src/plugins/dpdk/ipsec
diff options
context:
space:
mode:
authorDamjan Marion <damarion@cisco.com>2019-03-28 19:19:31 +0100
committerFlorin Coras <florin.coras@gmail.com>2019-03-28 19:59:04 +0000
commit1f4e1cbf576fc6ab4e871ba0603028112074b43b (patch)
treec433fb1f14c57dfa134ee6d436bb1c389b16b716 /src/plugins/dpdk/ipsec
parentb38ee6642553cd38da195af1fcb2b2cd124aa307 (diff)
ipsec: anti-replay code cleanup
Change-Id: Ib73352d6be26d639a7f9d47ca0570a1248bff04a Signed-off-by: Damjan Marion <damarion@cisco.com>
Diffstat (limited to 'src/plugins/dpdk/ipsec')
-rw-r--r--src/plugins/dpdk/ipsec/esp_decrypt.c50
1 files changed, 15 insertions, 35 deletions
diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c
index dcc276f99bc..349f04c0f8c 100644
--- a/src/plugins/dpdk/ipsec/esp_decrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_decrypt.c
@@ -140,7 +140,7 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
while (n_left_from > 0 && n_left_to_next > 0)
{
clib_error_t *error;
- u32 bi0, sa_index0, seq, iv_size;
+ u32 bi0, sa_index0, iv_size;
u8 trunc_size;
vlib_buffer_t *b0;
esp_header_t *esp0;
@@ -234,33 +234,21 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
}
/* anti-replay check */
- if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa0))
+ if (ipsec_sa_anti_replay_check (sa0, &esp0->seq))
{
- int rv = 0;
-
- seq = clib_net_to_host_u32 (esp0->seq);
-
- if (PREDICT_TRUE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0)))
- rv = esp_replay_check_esn (sa0, seq);
+ clib_warning ("failed anti-replay check");
+ if (is_ip6)
+ vlib_node_increment_counter (vm,
+ dpdk_esp6_decrypt_node.index,
+ ESP_DECRYPT_ERROR_REPLAY, 1);
else
- rv = esp_replay_check (sa0, seq);
-
- if (PREDICT_FALSE (rv))
- {
- clib_warning ("failed anti-replay check");
- if (is_ip6)
- vlib_node_increment_counter (vm,
- dpdk_esp6_decrypt_node.index,
- ESP_DECRYPT_ERROR_REPLAY, 1);
- else
- vlib_node_increment_counter (vm,
- dpdk_esp4_decrypt_node.index,
- ESP_DECRYPT_ERROR_REPLAY, 1);
- to_next[0] = bi0;
- to_next += 1;
- n_left_to_next -= 1;
- goto trace;
- }
+ vlib_node_increment_counter (vm,
+ dpdk_esp4_decrypt_node.index,
+ ESP_DECRYPT_ERROR_REPLAY, 1);
+ to_next[0] = bi0;
+ to_next += 1;
+ n_left_to_next -= 1;
+ goto trace;
}
if (is_ip6)
@@ -560,15 +548,7 @@ dpdk_esp_decrypt_post_inline (vlib_main_t * vm,
iv_size = cipher_alg->iv_len;
- if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa0))
- {
- u32 seq;
- seq = clib_host_to_net_u32 (esp0->seq);
- if (PREDICT_TRUE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0)))
- esp_replay_advance_esn (sa0, seq);
- else
- esp_replay_advance (sa0, seq);
- }
+ ipsec_sa_anti_replay_advance (sa0, &esp0->seq);
/* if UDP encapsulation is used adjust the address of the IP header */
if (ipsec_sa_is_set_UDP_ENCAP (sa0)