diff options
author | Neale Ranns <nranns@cisco.com> | 2019-03-21 14:34:09 +0000 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2019-03-25 20:03:24 +0000 |
commit | 3833ffd6c648c5066448e598976810c85c66bd58 (patch) | |
tree | 60d55db908ec188a36a87fca60157f0379ec551b /src/vnet | |
parent | 20ab31e8f6d96e95d0f921a7c8a7680d4f46790a (diff) |
IPSEC tests fnd fix or Extended Sequence Numbers
Change-Id: Iad6c4b867961ec8036110a4e15a829ddb93193ed
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet')
-rw-r--r-- | src/vnet/ipsec/ah_decrypt.c | 12 | ||||
-rw-r--r-- | src/vnet/ipsec/ah_encrypt.c | 13 | ||||
-rw-r--r-- | src/vnet/ipsec/esp.h | 4 |
3 files changed, 14 insertions, 15 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c index b128dfaf26b..b0916f99ef6 100644 --- a/src/vnet/ipsec/ah_decrypt.c +++ b/src/vnet/ipsec/ah_decrypt.c @@ -162,8 +162,7 @@ ah_decrypt_inline (vlib_main_t * vm, if (PREDICT_FALSE (rv)) { - vlib_node_increment_counter (vm, node->node_index, - AH_DECRYPT_ERROR_REPLAY, 1); + i_b0->error = node->errors[AH_DECRYPT_ERROR_REPLAY]; goto trace; } } @@ -207,9 +206,7 @@ ah_decrypt_inline (vlib_main_t * vm, if (PREDICT_FALSE (memcmp (digest, sig, icv_size))) { - vlib_node_increment_counter (vm, node->node_index, - AH_DECRYPT_ERROR_INTEG_ERROR, - 1); + i_b0->error = node->errors[AH_DECRYPT_ERROR_INTEG_ERROR]; goto trace; } @@ -236,9 +233,8 @@ ah_decrypt_inline (vlib_main_t * vm, next0 = AH_DECRYPT_NEXT_IP6_INPUT; else { - vlib_node_increment_counter (vm, node->node_index, - AH_DECRYPT_ERROR_DECRYPTION_FAILED, - 1); + i_b0->error = + node->errors[AH_DECRYPT_ERROR_DECRYPTION_FAILED]; goto trace; } } diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c index c6dbe57f73b..95be1412c90 100644 --- a/src/vnet/ipsec/ah_encrypt.c +++ b/src/vnet/ipsec/ah_encrypt.c @@ -61,7 +61,8 @@ typedef struct { u32 sa_index; u32 spi; - u32 seq; + u32 seq_lo; + u32 seq_hi; ipsec_integ_alg_t integ_alg; } ah_encrypt_trace_t; @@ -73,8 +74,8 @@ format_ah_encrypt_trace (u8 * s, va_list * args) CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); ah_encrypt_trace_t *t = va_arg (*args, ah_encrypt_trace_t *); - s = format (s, "ah: sa-index %d spi %u seq %u integrity %U", - t->sa_index, t->spi, t->seq, + s = format (s, "ah: sa-index %d spi %u seq %u:%u integrity %U", + t->sa_index, t->spi, t->seq_hi, t->seq_lo, format_ipsec_integ_alg, t->integ_alg); return s; } @@ -127,8 +128,7 @@ ah_encrypt_inline (vlib_main_t * vm, if (PREDICT_FALSE (esp_seq_advance (sa0))) { - vlib_node_increment_counter (vm, node->node_index, - AH_ENCRYPT_ERROR_SEQ_CYCLED, 1); + i_b0->error = node->errors[AH_ENCRYPT_ERROR_SEQ_CYCLED]; goto trace; } vlib_increment_combined_counter @@ -294,7 +294,8 @@ ah_encrypt_inline (vlib_main_t * vm, ah_encrypt_trace_t *tr = vlib_add_trace (vm, node, i_b0, sizeof (*tr)); tr->spi = sa0->spi; - tr->seq = sa0->seq - 1; + tr->seq_lo = sa0->seq; + tr->seq_hi = sa0->seq_hi; tr->integ_alg = sa0->integ_alg; tr->sa_index = sa_index0; } diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h index b0364b59d29..8f900da428c 100644 --- a/src/vnet/ipsec/esp.h +++ b/src/vnet/ipsec/esp.h @@ -223,8 +223,10 @@ hmac_calc (vlib_main_t * vm, ipsec_sa_t * sa, u8 * data, int data_len, if (sa->use_esn) { + u32 seq_hi = clib_host_to_net_u32 (sa->seq_hi); + op->len += 4; - clib_memcpy (data + data_len, &sa->seq_hi, 4); + clib_memcpy (data + data_len, &seq_hi, 4); } vnet_crypto_process_ops (vm, op, 1); |