summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/esp_decrypt.c
diff options
context:
space:
mode:
authorDamjan Marion <damarion@cisco.com>2019-03-28 19:19:31 +0100
committerFlorin Coras <florin.coras@gmail.com>2019-03-28 19:59:04 +0000
commit1f4e1cbf576fc6ab4e871ba0603028112074b43b (patch)
treec433fb1f14c57dfa134ee6d436bb1c389b16b716 /src/vnet/ipsec/esp_decrypt.c
parentb38ee6642553cd38da195af1fcb2b2cd124aa307 (diff)
ipsec: anti-replay code cleanup
Change-Id: Ib73352d6be26d639a7f9d47ca0570a1248bff04a Signed-off-by: Damjan Marion <damarion@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/esp_decrypt.c')
-rw-r--r--src/vnet/ipsec/esp_decrypt.c38
1 files changed, 10 insertions, 28 deletions
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 7f3c320e12c..93666194e4f 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -134,7 +134,6 @@ esp_decrypt_inline (vlib_main_t * vm,
esp_header_t *esp0;
ipsec_sa_t *sa0;
u32 sa_index0 = ~0;
- u32 seq;
ip4_header_t *ih4 = 0, *oh4 = 0;
ip6_header_t *ih6 = 0, *oh6 = 0;
u8 tunnel_mode = 1;
@@ -144,29 +143,18 @@ esp_decrypt_inline (vlib_main_t * vm,
esp0 = vlib_buffer_get_current (ib[0]);
sa_index0 = vnet_buffer (ib[0])->ipsec.sad_index;
sa0 = pool_elt_at_index (im->sad, sa_index0);
- seq = clib_host_to_net_u32 (esp0->seq);
/* anti-replay check */
- if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa0))
+ if (ipsec_sa_anti_replay_check (sa0, &esp0->seq))
{
- int rv = 0;
-
- if (PREDICT_TRUE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0)))
- rv = esp_replay_check_esn (sa0, seq);
- else
- rv = esp_replay_check (sa0, seq);
-
- if (PREDICT_FALSE (rv))
- {
- u32 tmp, off = n_alloc - n_left_from;
- /* send original packet to drop node */
- tmp = from[off];
- from[off] = new_bufs[off];
- new_bufs[off] = tmp;
- ib[0]->error = node->errors[ESP_DECRYPT_ERROR_REPLAY];
- next[0] = ESP_DECRYPT_NEXT_DROP;
- goto trace;
- }
+ u32 tmp, off = n_alloc - n_left_from;
+ /* send original packet to drop node */
+ tmp = from[off];
+ from[off] = new_bufs[off];
+ new_bufs[off] = tmp;
+ ib[0]->error = node->errors[ESP_DECRYPT_ERROR_REPLAY];
+ next[0] = ESP_DECRYPT_NEXT_DROP;
+ goto trace;
}
vlib_increment_combined_counter
@@ -197,13 +185,7 @@ esp_decrypt_inline (vlib_main_t * vm,
}
}
- if (PREDICT_TRUE (ipsec_sa_is_set_USE_ANTI_REPLAY (sa0)))
- {
- if (PREDICT_TRUE (ipsec_sa_is_set_USE_EXTENDED_SEQ_NUM (sa0)))
- esp_replay_advance_esn (sa0, seq);
- else
- esp_replay_advance (sa0, seq);
- }
+ ipsec_sa_anti_replay_advance (sa0, &esp0->seq);
if ((sa0->crypto_alg >= IPSEC_CRYPTO_ALG_AES_CBC_128 &&
sa0->crypto_alg <= IPSEC_CRYPTO_ALG_AES_CBC_256) ||