author | Neale Ranns <nranns@cisco.com> | 2018-11-28 01:38:34 -0800 |
committer | Florin Coras <florin.coras@gmail.com> | 2018-12-02 20:43:32 +0000 |
commit | de847277c9879c014fb4557e884360a4e6492783 (patch) | |
tree | 1a6d5680bf1a0ef6b0ae65e87a2887f0d774f0cc /src | |
parent | b0598497afde60146fe8480331c9f96e7a79475a (diff) |
IPSEC-AH: anti-replay testing
Change-Id: Ia5d45db73e4bdb32214ed4f365d5eec8e28115f3
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/vnet/ipsec/ah_decrypt.c | 9 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 6 |
2 files changed, 9 insertions, 6 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c index 9b0c16e37a5..a2fc07faebf 100644 --- a/src/vnet/ipsec/ah_decrypt.c +++ b/src/vnet/ipsec/ah_decrypt.c @@ -60,6 +60,7 @@ static char *ah_decrypt_error_strings[] = { typedef struct { ipsec_integ_alg_t integ_alg; + u32 seq_num; } ah_decrypt_trace_t; /* packet trace format function */ @@ -70,7 +71,8 @@ format_ah_decrypt_trace (u8 * s, va_list * args) CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); ah_decrypt_trace_t *t = va_arg (*args, ah_decrypt_trace_t *); - s = format (s, "ah: integrity %U", format_ipsec_integ_alg, t->integ_alg); + s = format (s, "ah: integrity %U seq-num %d", + format_ipsec_integ_alg, t->integ_alg, t->seq_num); return s; } @@ -143,8 +145,8 @@ ah_decrypt_inline (vlib_main_t * vm, } seq = clib_host_to_net_u32 (ah0->seq_no); + /* anti-replay check */ - //TODO UT remaining if (sa0->use_anti_replay) { int rv = 0; @@ -223,7 +225,6 @@ ah_decrypt_inline (vlib_main_t * vm, goto trace; } - //TODO UT remaining if (PREDICT_TRUE (sa0->use_anti_replay)) { if (PREDICT_TRUE (sa0->use_esn)) @@ -247,7 +248,6 @@ ah_decrypt_inline (vlib_main_t * vm, next0 = AH_DECRYPT_NEXT_IP6_INPUT; else { - clib_warning ("next header: 0x%x", ah0->nexthdr); if (is_ip6) vlib_node_increment_counter (vm, ah6_decrypt_node.index, @@ -313,6 +313,7 @@ ah_decrypt_inline (vlib_main_t * vm, ah_decrypt_trace_t *tr = vlib_add_trace (vm, node, i_b0, sizeof (*tr)); tr->integ_alg = sa0->integ_alg; + tr->seq_num = seq; } vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, i_bi0, next0); diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 9c64822c37f..f96551429af 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c 
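Review bot: `%d` is the wrong conversion for `t->seq_num` in format_ah_decrypt_trace, since the same commit declares the field as `u32` in `ah_decrypt_trace_t`: any AH sequence number with the top bit set (reachable on a long-lived SA, and exactly the region where sequence-number wrap and ESN matter) is traced as a negative value, which makes replay investigations harder. Use the unsigned conversion, `s = format (s, "ah: integrity %U seq-num %u", format_ipsec_integ_alg, t->integ_alg, t->seq_num);`. A short field comment such as `u32 seq_num; /* AH sequence number after byte swap, as checked against the replay window */` would also help, since the struct is filled from the local `seq` in ah_decrypt_inline rather than from the packet.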
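Review bot: `seq = clib_host_to_net_u32 (ah0->seq_no)`, the line directly above the new `/* anti-replay check */` comment, converts an inbound wire field, so the intended call is `clib_net_to_host_u32`; both are the same byte swap, but the host-to-net name reads as a bug to anyone auditing the replay check. This first `use_anti_replay` block also appears to run before the ICV has been verified (the second `use_anti_replay` block later in the function, after the error `goto trace`, looks like the place where the window is advanced; the body of ah_decrypt_inline lies outside these hunks, so confirm), and an attacker can put any sequence number in a forged AH header, so this first pass must only drop and never update the window. The comment should say so, e.g. `/* anti-replay pre-check: reject only, the window is advanced after ICV verification */`.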
@@ -462,10 +462,12 @@ show_ipsec_command_fn (vlib_main_t * vm,
   /* *INDENT-OFF* */
   pool_foreach (sa, im->sad, ({
     if (sa->id) {
-      vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s", sa->id, sa->spi,
+      vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s%s%s", sa->id, sa->spi,
               sa->is_tunnel ? "tunnel" : "transport",
               sa->protocol ? "esp" : "ah",
-              sa->udp_encap ? " udp-encap-enabled" : "");
+              sa->udp_encap ? " udp-encap-enabled" : "",
+              sa->use_anti_replay ? " anti-replay" : "",
+              sa->use_esn ? " extended-sequence-number" : "");
       if (sa->protocol == IPSEC_PROTOCOL_ESP) {
         vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
                         format_ipsec_crypto_alg, sa->crypto_alg,
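Review bot: The protocol label on the context line `sa->protocol ? "esp" : "ah"` relies on the AH enumerator being zero, while the `if` two lines below compares against `IPSEC_PROTOCOL_ESP` explicitly; since this hunk is already extending that output line, make the test explicit as well, `sa->protocol == IPSEC_PROTOCOL_ESP ? "esp" : "ah",`. The new `anti-replay` and `extended-sequence-number` tokens are only printed when set, so `show ipsec` output does not let an operator tell an SA with anti-replay deliberately disabled from one shown by an older build; printing a `no-anti-replay` token for the off case would make audits of SA hardening unambiguous. show_ipsec_command_fn begins and ends outside this hunk.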