author | 2025-02-13 18:56:16 +0100 | |
---|---|---|
committer | 2025-02-13 23:36:26 +0100 | |
commit | 46fc39c347729184c796df297d77edf8ba625b6d (patch) | |
tree | ccea83c6220d01f31f5c842137a48c5e74c14685 /src/vnet/ipsec/esp_decrypt.c | |
parent | 508facbdde97b7d007e081940c264ab6559c1b23 (diff) |
ipsec: combine huge and normal anti-replay-window handling
Type: improvement
Change-Id: Idfbaf56e3b56e77c8deaca9d3e41f7a78d8c4e0b
Signed-off-by: Damjan Marion <damarion@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/esp_decrypt.c')
-rw-r--r-- | src/vnet/ipsec/esp_decrypt.c | 44 |
1 files changed, 10 insertions, 34 deletions
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 345a60a7fdd..1f436701970 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -810,32 +810,16 @@ esp_decrypt_post_crypto (vlib_main_t *vm, vlib_node_runtime_t *node,
 * a sequence s, s+1, s+2, s+3, ... s+n and nothing will prevent any
 * implementation, sequential or batching, from decrypting these.
 */
- if (PREDICT_FALSE (irt->anti_reply_huge))
+ if (ipsec_sa_anti_replay_and_sn_advance (irt, pd->seq, pd->seq_hi, true,
+ NULL))
 {
- if (ipsec_sa_anti_replay_and_sn_advance (irt, pd->seq, pd->seq_hi, true,
- NULL, true))
- {
- esp_decrypt_set_next_index (b, node, vm->thread_index,
- ESP_DECRYPT_ERROR_REPLAY, 0, next,
- ESP_DECRYPT_NEXT_DROP, pd->sa_index);
- return;
- }
- n_lost = ipsec_sa_anti_replay_advance (irt, vm->thread_index, pd->seq,
- pd->seq_hi, true);
- }
- else
- {
- if (ipsec_sa_anti_replay_and_sn_advance (irt, pd->seq, pd->seq_hi, true,
- NULL, false))
- {
- esp_decrypt_set_next_index (b, node, vm->thread_index,
- ESP_DECRYPT_ERROR_REPLAY, 0, next,
- ESP_DECRYPT_NEXT_DROP, pd->sa_index);
- return;
- }
- n_lost = ipsec_sa_anti_replay_advance (irt, vm->thread_index, pd->seq,
- pd->seq_hi, false);
+ esp_decrypt_set_next_index (b, node, vm->thread_index,
+ ESP_DECRYPT_ERROR_REPLAY, 0, next,
+ ESP_DECRYPT_NEXT_DROP, pd->sa_index);
+ return;
 }
+ n_lost =
+ ipsec_sa_anti_replay_advance (irt, vm->thread_index, pd->seq, pd->seq_hi);
 vlib_prefetch_simple_counter (&ipsec_sa_err_counters[IPSEC_SA_ERROR_LOST],
 vm->thread_index, pd->sa_index);
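Review bot: The new check at `if (ipsec_sa_anti_replay_and_sn_advance (irt, pd->seq, pd->seq_hi, true, NULL))` and the later `n_lost = ipsec_sa_anti_replay_advance (irt, vm->thread_index, pd->seq, pd->seq_hi);` now select the huge or normal window inside the helpers, but nothing at this call site records that the two calls must stay paired and in this order, which the old duplicated branches made obvious. Add above the check: `/* post-decrypt anti-replay: the helpers pick the huge/normal window from irt; the advance below assumes this check already rejected replays */`. The check and the advance are separate updates to shared SA state with no lock between them, so if one SA can be decrypted on more than one worker, two copies of the same packet could both pass the check before either advances the window — presumably SA-to-thread handoff rules this out, but that is not visible here and is worth confirming in the helper's header. esp_decrypt_post_crypto starts and ends outside the hunk.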
@@ -1205,16 +1189,8 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 pd->current_length = b[0]->current_length;
 /* anti-reply check */
- if (PREDICT_FALSE (irt->anti_reply_huge))
- {
- anti_replay_result = ipsec_sa_anti_replay_and_sn_advance (
- irt, pd->seq, ~0, false, &pd->seq_hi, true);
- }
- else
- {
- anti_replay_result = ipsec_sa_anti_replay_and_sn_advance (
- irt, pd->seq, ~0, false, &pd->seq_hi, false);
- }
+ anti_replay_result = ipsec_sa_anti_replay_and_sn_advance (
+ irt, pd->seq, ~0, false, &pd->seq_hi);
 if (anti_replay_result)
 { |
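Review bot: The pre-crypto call `anti_replay_result = ipsec_sa_anti_replay_and_sn_advance (irt, pd->seq, ~0, false, &pd->seq_hi);` is introduced only by the misspelled `/* anti-reply check */`, which says neither that this is the first of two checks nor why `~0` is passed where the post-crypto path passes `pd->seq_hi`. Replace the comment with `/* anti-replay pre-check before decryption: seq_hi is unknown yet (~0), so the helper estimates it into pd->seq_hi; the authoritative check and window advance happen post-crypto */` — the meaning of `~0` is inferred from the two call sites and should be confirmed against the helper's definition. The huge/normal window choice is now made inside the helper from `irt`, which a reader of the old code would not expect, so the comment should say so too. esp_decrypt_inline starts and ends outside the hunk.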