authorMaxime Peim <mpeim@cisco.com>2022-12-22 11:26:57 +0000
committerBeno�t Ganne <bganne@cisco.com>2023-10-30 15:23:13 +0000
commit0e2f188f7c9872d7c946c14d785c6dc7c7c68847 (patch)
tree1adc39db5e2e0e243811c8ce001d0bd056c0402e /src/vnet/ipsec/ah_decrypt.c
parent21922cec7339f48989f230248de36a98816c4b1b (diff)
ipsec: huge anti-replay window support
Type: improvement Since RFC4303 does not specify the anti-replay window size, VPP should support multiple window sizes. It is done through a clib_bitmap. Signed-off-by: Maxime Peim <mpeim@cisco.com> Change-Id: I3dfe30efd20018e345418bef298ec7cec19b1cfc
Diffstat (limited to 'src/vnet/ipsec/ah_decrypt.c')
-rw-r--r--src/vnet/ipsec/ah_decrypt.c46
1 files changed, 36 insertions, 10 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index 5f98693204a..62a6b706362 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -128,6 +128,7 @@ ah_decrypt_inline (vlib_main_t * vm,
from = vlib_frame_vector_args (from_frame);
n_left = from_frame->n_vectors;
ipsec_sa_t *sa0 = 0;
+ bool anti_replay_result;
u32 current_sa_index = ~0, current_sa_bytes = 0, current_sa_pkts = 0;
clib_memset (pkt_data, 0, VLIB_FRAME_SIZE * sizeof (pkt_data[0]));
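Review bot: The new `bool anti_replay_result;` is declared uninitialized at function scope, far from its only reader in the anti-replay check further down the function, so a future path that reaches the `if (anti_replay_result)` test without going through both assignment branches would read an indeterminate value. I would either move the declaration next to the check or give it a defined initial value, `bool anti_replay_result = false;`. The enclosing ah_decrypt_inline starts before this hunk and continues after it.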
@@ -201,8 +202,17 @@ ah_decrypt_inline (vlib_main_t * vm,
pd->seq = clib_host_to_net_u32 (ah0->seq_no);
/* anti-replay check */
- if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, ~0, false,
- &pd->seq_hi))
+ if (PREDICT_FALSE (ipsec_sa_is_set_ANTI_REPLAY_HUGE (sa0)))
+ {
+ anti_replay_result = ipsec_sa_anti_replay_and_sn_advance (
+ sa0, pd->seq, ~0, false, &pd->seq_hi, true);
+ }
+ else
+ {
+ anti_replay_result = ipsec_sa_anti_replay_and_sn_advance (
+ sa0, pd->seq, ~0, false, &pd->seq_hi, false);
+ }
+ if (anti_replay_result)
{
ah_decrypt_set_next_index (b[0], node, vm->thread_index,
AH_DECRYPT_ERROR_REPLAY, 0, next,
@@ -306,16 +316,32 @@ ah_decrypt_inline (vlib_main_t * vm,
if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
{
/* redo the anti-reply check. see esp_decrypt for details */
- if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi,
- true, NULL))
+ if (PREDICT_FALSE (ipsec_sa_is_set_ANTI_REPLAY_HUGE (sa0)))
{
- ah_decrypt_set_next_index (b[0], node, vm->thread_index,
- AH_DECRYPT_ERROR_REPLAY, 0, next,
- AH_DECRYPT_NEXT_DROP, pd->sa_index);
- goto trace;
+ if (ipsec_sa_anti_replay_and_sn_advance (
+ sa0, pd->seq, pd->seq_hi, true, NULL, true))
+ {
+ ah_decrypt_set_next_index (
+ b[0], node, vm->thread_index, AH_DECRYPT_ERROR_REPLAY, 0,
+ next, AH_DECRYPT_NEXT_DROP, pd->sa_index);
+ goto trace;
+ }
+ n_lost = ipsec_sa_anti_replay_advance (
+ sa0, thread_index, pd->seq, pd->seq_hi, true);
+ }
+ else
+ {
+ if (ipsec_sa_anti_replay_and_sn_advance (
+ sa0, pd->seq, pd->seq_hi, true, NULL, false))
+ {
+ ah_decrypt_set_next_index (
+ b[0], node, vm->thread_index, AH_DECRYPT_ERROR_REPLAY, 0,
+ next, AH_DECRYPT_NEXT_DROP, pd->sa_index);
+ goto trace;
+ }
+ n_lost = ipsec_sa_anti_replay_advance (
+ sa0, thread_index, pd->seq, pd->seq_hi, false);
}
- n_lost = ipsec_sa_anti_replay_advance (sa0, thread_index, pd->seq,
- pd->seq_hi);
vlib_prefetch_simple_counter (
&ipsec_sa_err_counters[IPSEC_SA_ERROR_LOST], thread_index,
pd->sa_index);
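Review bot: The two branches of the redone anti-replay check each repeat the full four-line drop sequence (ah_decrypt_set_next_index plus `goto trace`), whereas the first check earlier in this commit funnels both branches into the `anti_replay_result` variable and drops once. Using the same pattern here would keep one drop path and one error code site to maintain, at the cost of testing the huge-window flag a second time before ipsec_sa_anti_replay_advance, which is cheap. The enclosing ah_decrypt_inline starts before this hunk and continues after it.
```c
/* redo the anti-reply check. see esp_decrypt for details */
if (PREDICT_FALSE (ipsec_sa_is_set_ANTI_REPLAY_HUGE (sa0)))
  anti_replay_result = ipsec_sa_anti_replay_and_sn_advance (
    sa0, pd->seq, pd->seq_hi, true, NULL, true);
else
  anti_replay_result = ipsec_sa_anti_replay_and_sn_advance (
    sa0, pd->seq, pd->seq_hi, true, NULL, false);
if (anti_replay_result)
  {
    ah_decrypt_set_next_index (b[0], node, vm->thread_index,
                               AH_DECRYPT_ERROR_REPLAY, 0, next,
                               AH_DECRYPT_NEXT_DROP, pd->sa_index);
    goto trace;
  }
if (PREDICT_FALSE (ipsec_sa_is_set_ANTI_REPLAY_HUGE (sa0)))
  n_lost = ipsec_sa_anti_replay_advance (sa0, thread_index, pd->seq,
                                         pd->seq_hi, true);
else
  n_lost = ipsec_sa_anti_replay_advance (sa0, thread_index, pd->seq,
                                         pd->seq_hi, false);
/* … unchanged: lost-counter prefetch … */
```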