aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-03-21 14:34:09 +0000
committerDamjan Marion <dmarion@me.com>2019-03-25 20:03:24 +0000
commit3833ffd6c648c5066448e598976810c85c66bd58 (patch)
tree60d55db908ec188a36a87fca60157f0379ec551b /src
parent20ab31e8f6d96e95d0f921a7c8a7680d4f46790a (diff)
IPSEC tests fnd fix or Extended Sequence Numbers
Change-Id: Iad6c4b867961ec8036110a4e15a829ddb93193ed Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src')
-rw-r--r--src/vnet/ipsec/ah_decrypt.c12
-rw-r--r--src/vnet/ipsec/ah_encrypt.c13
-rw-r--r--src/vnet/ipsec/esp.h4
3 files changed, 14 insertions, 15 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index b128dfaf26b..b0916f99ef6 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -162,8 +162,7 @@ ah_decrypt_inline (vlib_main_t * vm,
if (PREDICT_FALSE (rv))
{
- vlib_node_increment_counter (vm, node->node_index,
- AH_DECRYPT_ERROR_REPLAY, 1);
+ i_b0->error = node->errors[AH_DECRYPT_ERROR_REPLAY];
goto trace;
}
}
@@ -207,9 +206,7 @@ ah_decrypt_inline (vlib_main_t * vm,
if (PREDICT_FALSE (memcmp (digest, sig, icv_size)))
{
- vlib_node_increment_counter (vm, node->node_index,
- AH_DECRYPT_ERROR_INTEG_ERROR,
- 1);
+ i_b0->error = node->errors[AH_DECRYPT_ERROR_INTEG_ERROR];
goto trace;
}
@@ -236,9 +233,8 @@ ah_decrypt_inline (vlib_main_t * vm,
next0 = AH_DECRYPT_NEXT_IP6_INPUT;
else
{
- vlib_node_increment_counter (vm, node->node_index,
- AH_DECRYPT_ERROR_DECRYPTION_FAILED,
- 1);
+ i_b0->error =
+ node->errors[AH_DECRYPT_ERROR_DECRYPTION_FAILED];
goto trace;
}
}
diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c
index c6dbe57f73b..95be1412c90 100644
--- a/src/vnet/ipsec/ah_encrypt.c
+++ b/src/vnet/ipsec/ah_encrypt.c
@@ -61,7 +61,8 @@ typedef struct
{
u32 sa_index;
u32 spi;
- u32 seq;
+ u32 seq_lo;
+ u32 seq_hi;
ipsec_integ_alg_t integ_alg;
} ah_encrypt_trace_t;
@@ -73,8 +74,8 @@ format_ah_encrypt_trace (u8 * s, va_list * args)
CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
ah_encrypt_trace_t *t = va_arg (*args, ah_encrypt_trace_t *);
- s = format (s, "ah: sa-index %d spi %u seq %u integrity %U",
- t->sa_index, t->spi, t->seq,
+ s = format (s, "ah: sa-index %d spi %u seq %u:%u integrity %U",
+ t->sa_index, t->spi, t->seq_hi, t->seq_lo,
format_ipsec_integ_alg, t->integ_alg);
return s;
}
@@ -127,8 +128,7 @@ ah_encrypt_inline (vlib_main_t * vm,
if (PREDICT_FALSE (esp_seq_advance (sa0)))
{
- vlib_node_increment_counter (vm, node->node_index,
- AH_ENCRYPT_ERROR_SEQ_CYCLED, 1);
+ i_b0->error = node->errors[AH_ENCRYPT_ERROR_SEQ_CYCLED];
goto trace;
}
vlib_increment_combined_counter
@@ -294,7 +294,8 @@ ah_encrypt_inline (vlib_main_t * vm,
ah_encrypt_trace_t *tr =
vlib_add_trace (vm, node, i_b0, sizeof (*tr));
tr->spi = sa0->spi;
- tr->seq = sa0->seq - 1;
+ tr->seq_lo = sa0->seq;
+ tr->seq_hi = sa0->seq_hi;
tr->integ_alg = sa0->integ_alg;
tr->sa_index = sa_index0;
}
diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h
index b0364b59d29..8f900da428c 100644
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -223,8 +223,10 @@ hmac_calc (vlib_main_t * vm, ipsec_sa_t * sa, u8 * data, int data_len,
if (sa->use_esn)
{
+ u32 seq_hi = clib_host_to_net_u32 (sa->seq_hi);
+
op->len += 4;
- clib_memcpy (data + data_len, &sa->seq_hi, 4);
+ clib_memcpy (data + data_len, &seq_hi, 4);
}
vnet_crypto_process_ops (vm, op, 1);