authorPiotrX Kleski <piotrx.kleski@intel.com>2020-05-05 14:14:22 +0200
committerAndrew Yourtchenko <ayourtch@gmail.com>2020-05-25 16:01:25 +0000
commit8b4221ee8f6cd4564dc9b91d1887e88035abca84 (patch)
treee1808f92b9b93c4c742a5ba2c87f0688a42be025
parent04d4d92f961905d93da313a89ecd0951a2a12bc6 (diff)
ipsec: fixed chaining ops after add footer and icv
In case there is no free space in first buffer for ICV and footer, additional buffer will be added, but esp_encrypt will stay in single buffer mode. The issue happens for the following payload sizes: - TCP packets with payload 1992 - ICMP packets with payload 2004 This fix moves the single/chained buffer ops selection to after esp_add_footer_and_icv call. Type: fix Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com> Change-Id: Ic5ceba418f738933f96edb3e489ca2d149033b79 (cherry picked from commit fdca4dd1a1a817e65bf44e435261d893fc0c51d6)
-rw-r--r--src/vnet/ipsec/esp_encrypt.c19
-rw-r--r--test/test_ipsec_esp.py1
2 files changed, 12 insertions, 8 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index e9feb8b40a1..e80f98624b9 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -695,18 +695,10 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
if (n_bufs > 1)
{
- crypto_ops = &ptd->chained_crypto_ops;
- integ_ops = &ptd->chained_integ_ops;
-
/* find last buffer in the chain */
while (lb->flags & VLIB_BUFFER_NEXT_PRESENT)
lb = vlib_get_buffer (vm, lb->next_buffer);
}
- else
- {
- crypto_ops = &ptd->crypto_ops;
- integ_ops = &ptd->integ_ops;
- }
if (PREDICT_FALSE (esp_seq_advance (sa0)))
{
@@ -879,6 +871,17 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
}
+ if (lb != b[0])
+ {
+ crypto_ops = &ptd->chained_crypto_ops;
+ integ_ops = &ptd->chained_integ_ops;
+ }
+ else
+ {
+ crypto_ops = &ptd->crypto_ops;
+ integ_ops = &ptd->integ_ops;
+ }
+
esp->spi = spi;
esp->seq = clib_net_to_host_u32 (sa0->seq);
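Review bot: The choice between the chained and single-buffer op vectors now rests on `lb != b[0]`, which is only correct if every path that appends a buffer for the footer and ICV also moves `lb` to it; that update is not visible in this hunk and should be confirmed. I would add a comment above the `if`, such as `/* select ops only after esp_add_footer_and_icv(): it may chain a new buffer and move lb */`, so a later refactor does not hoist the selection back and run chained packets through the single-buffer crypto and integrity ops again. Because the earlier assignment is removed, `crypto_ops` and `integ_ops` appear to be unset between the old location and this point, so any use or early exit in that stretch (the `esp_seq_advance` failure branch begins right after the removed lines) should be checked not to read them. esp_encrypt_inline starts and ends outside the hunk.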
diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index 036fbf36e55..7448df1d09a 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -585,6 +585,7 @@ class RunTestIpsecEspAll(ConfigIpsecESP,
LARGE_PKT_SZ = [
1970, # results in 2 chained buffers entering decrypt node
# but leaving as simple buffer due to ICV removal (tra4)
+ 2004, # footer+ICV will be added to 2nd buffer (tun4)
4010, # ICV ends up splitted accross 2 buffers in esp_decrypt
# for transport4; transport6 takes normal path
4020, # same as above but tra4 and tra6 are switched
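Review bot: The added `2004` is a boundary value that only hits the fixed path for a particular buffer data size and header overhead, and neither is stated next to it. A slightly fuller comment, for example `# 2004: footer+ICV no longer fit in the 1st buffer, so a 2nd is chained (tun4)` plus the buffer size it assumes, would keep the case meaningful if the test's buffer configuration changes. The commit message also names TCP payload 1992 as a trigger; whether that size is exercised anywhere is not visible from this hunk. The LARGE_PKT_SZ list continues outside the hunk.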