author | PiotrX Kleski <piotrx.kleski@intel.com> | 2020-05-05 14:14:22 +0200 |
---|---|---|
committer | Andrew Yourtchenko <ayourtch@gmail.com> | 2020-05-25 16:01:25 +0000 |
commit | 8b4221ee8f6cd4564dc9b91d1887e88035abca84 (patch) | |
tree | e1808f92b9b93c4c742a5ba2c87f0688a42be025 | |
parent | 04d4d92f961905d93da313a89ecd0951a2a12bc6 (diff) |
ipsec: fixed chaining ops after add footer and icv
In case there is no free space in first buffer for ICV and footer,
additional buffer will be added, but esp_encrypt will stay in single
buffer mode.
The issue happens for the following payload sizes:
- TCP packets with payload 1992
- ICMP packets with payload 2004
This fix moves the single/chained buffer ops selection to after
esp_add_footer_and_icv call.
Type: fix
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Change-Id: Ic5ceba418f738933f96edb3e489ca2d149033b79
(cherry picked from commit fdca4dd1a1a817e65bf44e435261d893fc0c51d6)
-rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 19 | ||||
-rw-r--r-- | test/test_ipsec_esp.py | 1 |
2 files changed, 12 insertions, 8 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index e9feb8b40a1..e80f98624b9 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -695,18 +695,10 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (n_bufs > 1) { - crypto_ops = &ptd->chained_crypto_ops; - integ_ops = &ptd->chained_integ_ops; - /* find last buffer in the chain */ while (lb->flags & VLIB_BUFFER_NEXT_PRESENT) lb = vlib_get_buffer (vm, lb->next_buffer); } - else - { - crypto_ops = &ptd->crypto_ops; - integ_ops = &ptd->integ_ops; - } if (PREDICT_FALSE (esp_seq_advance (sa0))) { @@ -879,6 +871,17 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT; } + if (lb != b[0]) + { + crypto_ops = &ptd->chained_crypto_ops; + integ_ops = &ptd->chained_integ_ops; + } + else + { + crypto_ops = &ptd->crypto_ops; + integ_ops = &ptd->integ_ops; + } + esp->spi = spi; esp->seq = clib_net_to_host_u32 (sa0->seq); diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py index 036fbf36e55..7448df1d09a 100644 --- a/test/test_ipsec_esp.py +++ b/test/test_ipsec_esp.py @@ -585,6 +585,7 @@ class RunTestIpsecEspAll(ConfigIpsecESP, LARGE_PKT_SZ = [ 1970, # results in 2 chained buffers entering decrypt node # but leaving as simple buffer due to ICV removal (tra4) + 2004, # footer+ICV will be added to 2nd buffer (tun4) 4010, # ICV ends up splitted accross 2 buffers in esp_decrypt # for transport4; transport6 takes normal path 4020, # same as above but tra4 and tra6 are switched |
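Review bot: The single/chained selection added before `esp->spi = spi;` is only correct if `lb` already points at the buffer appended for the footer and ICV, and nothing at this site records that ordering requirement. A comment such as `/* select ops only after esp_add_footer_and_icv, which may append a buffer for the footer and ICV */` would keep a later reorder from putting a multi-buffer packet back on the single-buffer crypto and integrity ops. Because the first hunk drops the early assignment, `crypto_ops` and `integ_ops` are no longer set for the current packet in the code between the two hunks; that code is not visible here, so it is worth confirming nothing reads them before this point. The body of esp_encrypt_inline starts and ends outside the hunk.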
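Review bot: The new `2004` entry covers only one of the two sizes the commit message names; the TCP payload of 1992 gets no entry in `LARGE_PKT_SZ`, and the packet type these sizes are sent as is not visible in this hunk. Both values presumably depend on the buffer data size the test runs with, so the comment could say so, e.g. `# footer+ICV will be added to 2nd buffer (tun4); size tied to the buffer data size`. That would make it clear when the case no longer exercises the appended-buffer path. The list continues outside the hunk.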