diff options
Diffstat (limited to 'src/vnet/ipsec/esp.h')
-rw-r--r-- | src/vnet/ipsec/esp.h | 90 |
1 files changed, 77 insertions, 13 deletions
diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h index 8d7e0563a59..05773a2a328 100644 --- a/src/vnet/ipsec/esp.h +++ b/src/vnet/ipsec/esp.h @@ -18,6 +18,7 @@ #include <vnet/ip/ip.h> #include <vnet/crypto/crypto.h> #include <vnet/ipsec/ipsec.h> +#include <vnet/ipsec/ipsec.api_enum.h> typedef struct { @@ -141,33 +142,96 @@ esp_aad_fill (u8 *data, const esp_header_t *esp, const ipsec_sa_t *sa, } } -/* Special case to drop or hand off packets for sync/async modes. - * - * Different than sync mode, async mode only enqueue drop or hand-off packets - * to next nodes. - */ +always_inline u32 +esp_encrypt_err_to_sa_err (u32 err) +{ + switch (err) + { + case ESP_ENCRYPT_ERROR_HANDOFF: + return IPSEC_SA_ERROR_HANDOFF; + case ESP_ENCRYPT_ERROR_SEQ_CYCLED: + return IPSEC_SA_ERROR_SEQ_CYCLED; + case ESP_ENCRYPT_ERROR_CRYPTO_ENGINE_ERROR: + return IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR; + case ESP_ENCRYPT_ERROR_CRYPTO_QUEUE_FULL: + return IPSEC_SA_ERROR_CRYPTO_QUEUE_FULL; + case ESP_ENCRYPT_ERROR_NO_BUFFERS: + return IPSEC_SA_ERROR_NO_BUFFERS; + case ESP_ENCRYPT_ERROR_NO_ENCRYPTION: + return IPSEC_SA_ERROR_NO_ENCRYPTION; + } + return ~0; +} + +always_inline u32 +esp_decrypt_err_to_sa_err (u32 err) +{ + switch (err) + { + case ESP_DECRYPT_ERROR_HANDOFF: + return IPSEC_SA_ERROR_HANDOFF; + case ESP_DECRYPT_ERROR_DECRYPTION_FAILED: + return IPSEC_SA_ERROR_DECRYPTION_FAILED; + case ESP_DECRYPT_ERROR_INTEG_ERROR: + return IPSEC_SA_ERROR_INTEG_ERROR; + case ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR: + return IPSEC_SA_ERROR_CRYPTO_ENGINE_ERROR; + case ESP_DECRYPT_ERROR_REPLAY: + return IPSEC_SA_ERROR_REPLAY; + case ESP_DECRYPT_ERROR_RUNT: + return IPSEC_SA_ERROR_RUNT; + case ESP_DECRYPT_ERROR_NO_BUFFERS: + return IPSEC_SA_ERROR_NO_BUFFERS; + case ESP_DECRYPT_ERROR_OVERSIZED_HEADER: + return IPSEC_SA_ERROR_OVERSIZED_HEADER; + case ESP_DECRYPT_ERROR_NO_TAIL_SPACE: + return IPSEC_SA_ERROR_NO_TAIL_SPACE; + case ESP_DECRYPT_ERROR_TUN_NO_PROTO: + return IPSEC_SA_ERROR_TUN_NO_PROTO; + case ESP_DECRYPT_ERROR_UNSUP_PAYLOAD: + return IPSEC_SA_ERROR_UNSUP_PAYLOAD; + } + return ~0; +} + +always_inline void +esp_encrypt_set_next_index (vlib_buffer_t *b, vlib_node_runtime_t *node, + u32 thread_index, u32 err, u16 index, u16 *nexts, + u16 drop_next, u32 sa_index) +{ + ipsec_set_next_index (b, node, thread_index, err, + esp_encrypt_err_to_sa_err (err), index, nexts, + drop_next, sa_index); +} + always_inline void -esp_set_next_index (vlib_buffer_t *b, vlib_node_runtime_t *node, u32 err, - u16 index, u16 *nexts, u16 drop_next) +esp_decrypt_set_next_index (vlib_buffer_t *b, vlib_node_runtime_t *node, + u32 thread_index, u32 err, u16 index, u16 *nexts, + u16 drop_next, u32 sa_index) { - nexts[index] = drop_next; - b->error = node->errors[err]; + ipsec_set_next_index (b, node, thread_index, err, + esp_decrypt_err_to_sa_err (err), index, nexts, + drop_next, sa_index); } /* when submitting a frame is failed, drop all buffers in the frame */ always_inline u32 esp_async_recycle_failed_submit (vlib_main_t *vm, vnet_crypto_async_frame_t *f, - vlib_node_runtime_t *node, u32 err, u16 index, - u32 *from, u16 *nexts, u16 drop_next_index) + vlib_node_runtime_t *node, u32 err, + u32 ipsec_sa_err, u16 index, u32 *from, + u16 *nexts, u16 drop_next_index) { + vlib_buffer_t *b; u32 n_drop = f->n_elts; u32 *bi = f->buffer_indices; while (n_drop--) { from[index] = bi[0]; - esp_set_next_index (vlib_get_buffer (vm, bi[0]), node, err, index, nexts, - drop_next_index); + b = vlib_get_buffer (vm, bi[0]); + ipsec_set_next_index (b, node, vm->thread_index, err, ipsec_sa_err, + index, nexts, drop_next_index, + vnet_buffer (b)->ipsec.sad_index); bi++; index++; } |