authorMatthew Smith <mgsmith@netgate.com>2018-12-21 11:53:16 -0600
committerDave Barach <openvpp@barachs.net>2019-01-02 12:21:40 +0000
commit461caa5f98202ac758076ad96b82c57251f2f19a (patch)
tree3677672c7e16f5e1d5494072028bb2503dc40027
parentbe16020c5034bc69df25a8ecd7081aec9898d93c (diff)
ipsec: fix support check when using AES-GCM
When adding an IPsec SA, ipsec_check_support_cb() is called. This invokes a callback for AH and a callback for ESP to check if the algorithms are supported. When using AES-GCM on an ESP SA with the DPDK IPsec backend selected, the AH callback fails. The DPDK IPsec backend has no AH support, so the callback for the default OpenSSL backend is invoked. This checks whether the crypto algorithm is AES-GCM and returns failure. Only invoke the callback to check support for the IPsec protocol of the SA - either AH or ESP rather than doing both. Change-Id: Ic10be6a17b580d06ffb7e82ef5866e53a4f8b525 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
-rw-r--r--src/vnet/ipsec/ipsec.c25
1 files changed, 15 insertions, 10 deletions
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index a88164b6b0f..fdd18c2f8fa 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -569,16 +569,21 @@ clib_error_t *
ipsec_check_support_cb (ipsec_main_t * im, ipsec_sa_t * sa)
{
clib_error_t *error = 0;
- ipsec_ah_backend_t *ah =
- pool_elt_at_index (im->ah_backends, im->ah_current_backend);
- ASSERT (ah->check_support_cb);
- error = ah->check_support_cb (sa);
- if (error)
- return error;
- ipsec_esp_backend_t *esp =
- pool_elt_at_index (im->esp_backends, im->esp_current_backend);
- ASSERT (esp->check_support_cb);
- error = esp->check_support_cb (sa);
+
+ if (PREDICT_FALSE (sa->protocol == IPSEC_PROTOCOL_AH))
+ {
+ ipsec_ah_backend_t *ah =
+ pool_elt_at_index (im->ah_backends, im->ah_current_backend);
+ ASSERT (ah->check_support_cb);
+ error = ah->check_support_cb (sa);
+ }
+ else
+ {
+ ipsec_esp_backend_t *esp =
+ pool_elt_at_index (im->esp_backends, im->esp_current_backend);
+ ASSERT (esp->check_support_cb);
+ error = esp->check_support_cb (sa);
+ }
return error;
}
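Review bot: The `else` branch treats every `sa->protocol` value other than `IPSEC_PROTOCOL_AH` as ESP, so an SA with an unset or unexpected protocol is checked against the ESP backend only, and this check is what decides whether the SA's algorithms are accepted. Making the second branch explicit with `else if (sa->protocol == IPSEC_PROTOCOL_ESP)` and ending with `else error = clib_error_return (0, "unsupported IPsec protocol %d", sa->protocol);` would fail closed; whether callers can pass any other value is not visible in this hunk. Separately, `ASSERT (ah->check_support_cb)` and `ASSERT (esp->check_support_cb)` are the only guards before the indirect calls, so if ASSERT is compiled out in release images, a backend registered without the callback would be called through a null pointer. `PREDICT_FALSE` is a hot-path branch hint and adds little in SA setup code.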