authorNeale Ranns <nranns@cisco.com>2018-11-28 01:38:34 -0800
committerFlorin Coras <florin.coras@gmail.com>2018-12-02 20:43:32 +0000
commitde847277c9879c014fb4557e884360a4e6492783 (patch)
tree1a6d5680bf1a0ef6b0ae65e87a2887f0d774f0cc /src
parentb0598497afde60146fe8480331c9f96e7a79475a (diff)
IPSEC-AH: anti-replay testing
Change-Id: Ia5d45db73e4bdb32214ed4f365d5eec8e28115f3 Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src')
-rw-r--r--src/vnet/ipsec/ah_decrypt.c9
-rw-r--r--src/vnet/ipsec/ipsec_cli.c6
2 files changed, 9 insertions, 6 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index 9b0c16e37a5..a2fc07faebf 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -60,6 +60,7 @@ static char *ah_decrypt_error_strings[] = {
typedef struct
{
ipsec_integ_alg_t integ_alg;
+ u32 seq_num;
} ah_decrypt_trace_t;
/* packet trace format function */
@@ -70,7 +71,8 @@ format_ah_decrypt_trace (u8 * s, va_list * args)
CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
ah_decrypt_trace_t *t = va_arg (*args, ah_decrypt_trace_t *);
- s = format (s, "ah: integrity %U", format_ipsec_integ_alg, t->integ_alg);
+ s = format (s, "ah: integrity %U seq-num %d",
+ format_ipsec_integ_alg, t->integ_alg, t->seq_num);
return s;
}
@@ -143,8 +145,8 @@ ah_decrypt_inline (vlib_main_t * vm,
}
seq = clib_host_to_net_u32 (ah0->seq_no);
+
/* anti-replay check */
- //TODO UT remaining
if (sa0->use_anti_replay)
{
int rv = 0;
@@ -223,7 +225,6 @@ ah_decrypt_inline (vlib_main_t * vm,
goto trace;
}
- //TODO UT remaining
if (PREDICT_TRUE (sa0->use_anti_replay))
{
if (PREDICT_TRUE (sa0->use_esn))
@@ -247,7 +248,6 @@ ah_decrypt_inline (vlib_main_t * vm,
next0 = AH_DECRYPT_NEXT_IP6_INPUT;
else
{
- clib_warning ("next header: 0x%x", ah0->nexthdr);
if (is_ip6)
vlib_node_increment_counter (vm,
ah6_decrypt_node.index,
@@ -313,6 +313,7 @@ ah_decrypt_inline (vlib_main_t * vm,
ah_decrypt_trace_t *tr =
vlib_add_trace (vm, node, i_b0, sizeof (*tr));
tr->integ_alg = sa0->integ_alg;
+ tr->seq_num = seq;
}
vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
n_left_to_next, i_bi0, next0);
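Review bot: The new trace format in format_ah_decrypt_trace prints the sequence number with `%d`, but the value stored in the new `u32 seq_num` field comes from `clib_host_to_net_u32 (ah0->seq_no)`, so once the counter passes 2^31 the packet trace shows a negative number, which is exactly the range where anti-replay debugging tends to happen. Use the unsigned conversion: `s = format (s, "ah: integrity %U seq-num %u",`. Note also that, unless `seq` is rewritten between the assignment and `tr->seq_num = seq;` (the body of ah_decrypt_inline continues outside these hunks), the trace records only the 32-bit on-wire field, not any ESN-extended value; a one-line comment on the field, `/* AH sequence number as received on the wire (low 32 bits) */`, would keep readers from assuming the high half is included.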
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 9c64822c37f..f96551429af 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -462,10 +462,12 @@ show_ipsec_command_fn (vlib_main_t * vm,
/* *INDENT-OFF* */
pool_foreach (sa, im->sad, ({
if (sa->id) {
- vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s", sa->id, sa->spi,
+ vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s%s%s", sa->id, sa->spi,
sa->is_tunnel ? "tunnel" : "transport",
sa->protocol ? "esp" : "ah",
- sa->udp_encap ? " udp-encap-enabled" : "");
+ sa->udp_encap ? " udp-encap-enabled" : "",
+ sa->use_anti_replay ? " anti-replay" : "",
+ sa->use_esn ? " extended-sequence-number" : "");
if (sa->protocol == IPSEC_PROTOCOL_ESP) {
vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
format_ipsec_crypto_alg, sa->crypto_alg,
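Review bot: The `sa %u spi %u ...` line in show_ipsec_command_fn now carries four trailing `%s` conversions each fed by a ternary, and the order of the conversions must be kept in lock-step with the order of the flag expressions by hand; a fifth flag will make this harder to read and easy to get wrong. The rest of the same output already uses the `%U` idiom for algorithms, so a small `%U` formatter that emits the SA flag words would keep the call site readable, with the flag-to-string mapping in one place. This is style only; the strings as added print correctly, and the enclosing pool_foreach body continues past the hunk.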