From 0e2f188f7c9872d7c946c14d785c6dc7c7c68847 Mon Sep 17 00:00:00 2001
From: Maxime Peim <mpeim@cisco.com>
Date: Thu, 22 Dec 2022 11:26:57 +0000
Subject: ipsec: huge anti-replay window support

Type: improvement

Since RFC4303 does not specify the anti-replay window size, VPP should
support multiple window size. It is done through a clib_bitmap.

Signed-off-by: Maxime Peim <mpeim@cisco.com>
Change-Id: I3dfe30efd20018e345418bef298ec7cec19b1cfc
---
 src/vnet/ipsec/ah_decrypt.c | 46 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 36 insertions(+), 10 deletions(-)

(limited to 'src/vnet/ipsec/ah_decrypt.c')

diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c
index 5f98693204a..62a6b706362 100644
--- a/src/vnet/ipsec/ah_decrypt.c
+++ b/src/vnet/ipsec/ah_decrypt.c
@@ -128,6 +128,7 @@ ah_decrypt_inline (vlib_main_t * vm,
   from = vlib_frame_vector_args (from_frame);
   n_left = from_frame->n_vectors;
   ipsec_sa_t *sa0 = 0;
+  bool anti_replay_result;
   u32 current_sa_index = ~0, current_sa_bytes = 0, current_sa_pkts = 0;
 
   clib_memset (pkt_data, 0, VLIB_FRAME_SIZE * sizeof (pkt_data[0]));
@@ -201,8 +202,17 @@ ah_decrypt_inline (vlib_main_t * vm,
       pd->seq = clib_host_to_net_u32 (ah0->seq_no);
 
       /* anti-replay check */
-      if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, ~0, false,
-					       &pd->seq_hi))
+      if (PREDICT_FALSE (ipsec_sa_is_set_ANTI_REPLAY_HUGE (sa0)))
+	{
+	  anti_replay_result = ipsec_sa_anti_replay_and_sn_advance (
+	    sa0, pd->seq, ~0, false, &pd->seq_hi, true);
+	}
+      else
+	{
+	  anti_replay_result = ipsec_sa_anti_replay_and_sn_advance (
+	    sa0, pd->seq, ~0, false, &pd->seq_hi, false);
+	}
+      if (anti_replay_result)
 	{
 	  ah_decrypt_set_next_index (b[0], node, vm->thread_index,
 				     AH_DECRYPT_ERROR_REPLAY, 0, next,
@@ -306,16 +316,32 @@ ah_decrypt_inline (vlib_main_t * vm,
       if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
 	{
 	  /* redo the anti-reply check. see esp_decrypt for details */
-	  if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi,
-						   true, NULL))
+	  if (PREDICT_FALSE (ipsec_sa_is_set_ANTI_REPLAY_HUGE (sa0)))
 	    {
-	      ah_decrypt_set_next_index (b[0], node, vm->thread_index,
-					 AH_DECRYPT_ERROR_REPLAY, 0, next,
-					 AH_DECRYPT_NEXT_DROP, pd->sa_index);
-	      goto trace;
+	      if (ipsec_sa_anti_replay_and_sn_advance (
+		    sa0, pd->seq, pd->seq_hi, true, NULL, true))
+		{
+		  ah_decrypt_set_next_index (
+		    b[0], node, vm->thread_index, AH_DECRYPT_ERROR_REPLAY, 0,
+		    next, AH_DECRYPT_NEXT_DROP, pd->sa_index);
+		  goto trace;
+		}
+	      n_lost = ipsec_sa_anti_replay_advance (
+		sa0, thread_index, pd->seq, pd->seq_hi, true);
+	    }
+	  else
+	    {
+	      if (ipsec_sa_anti_replay_and_sn_advance (
+		    sa0, pd->seq, pd->seq_hi, true, NULL, false))
+		{
+		  ah_decrypt_set_next_index (
+		    b[0], node, vm->thread_index, AH_DECRYPT_ERROR_REPLAY, 0,
+		    next, AH_DECRYPT_NEXT_DROP, pd->sa_index);
+		  goto trace;
+		}
+	      n_lost = ipsec_sa_anti_replay_advance (
+		sa0, thread_index, pd->seq, pd->seq_hi, false);
 	    }
-	  n_lost = ipsec_sa_anti_replay_advance (sa0, thread_index, pd->seq,
-						 pd->seq_hi);
 	  vlib_prefetch_simple_counter (
 	    &ipsec_sa_err_counters[IPSEC_SA_ERROR_LOST], thread_index,
 	    pd->sa_index);
-- 
cgit 1.2.3-korg