author Andrew Yourtchenko <ayourtch@gmail.com> 2022-02-02 13:32:39 +0100
committer Andrew Yourtchenko <ayourtch@gmail.com> 2022-02-02 19:30:49 +0000
commit c556fa49b462c6ebc206c9a5b3f6ff951d31f56a (patch)
tree d100623cf00259cc986fb181fe8eb2702fa679b9
parent bd8013ee8cf3522230f413cf2b7ec0b895cd5979 (diff)
bfd: restore the data within the packet after hash verification
The BFD delayed auth change test was failing intermittently within CI. Debugging has shown it depends on the initial random seed, e.g. the below will consistently fail:

RND_SEED=1643734669.7126195 TEST='bfd.BFDAuthOnOffTestCase.test_auth_change_key_delayed'

Same thing will happen with:

RND_SEED=1643736595.1363552
RND_SEED=1643722239.8224792

The analysis of the behavior has shown that the function that is doing the hash verification modifies the content of the packet for the purposes of hash computation. In case of the auth rollover, this function may be called twice, resulting in the second comparison being made with bogus packet data, thus failing the check and the test.

The above values of random seed are the ones where the test makes it to the point of this double comparison.

The solution is to restore the data within the packet after the check from the array where we have copied it into before modifying the packet.

Change-Id: Ibb09beb4b1230032db04527bbf38fa335651866b
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
-rw-r--r-- src/vnet/bfd/bfd_main.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/vnet/bfd/bfd_main.c b/src/vnet/bfd/bfd_main.c
index 3ed9c039528..530b2978068 100644
--- a/src/vnet/bfd/bfd_main.c
+++ b/src/vnet/bfd/bfd_main.c
@@ -1634,6 +1634,11 @@ bfd_verify_pkt_auth_key_sha1 (vlib_main_t *vm, const bfd_pkt_t *pkt,
op.len = sizeof (*with_sha1);
op.digest = calculated_hash;
vnet_crypto_process_ops (vm, &op, 1);
+
+ /* Restore the modified data within the packet */
+ clib_memcpy (with_sha1->sha1_auth.hash, hash_from_packet,
+ sizeof (with_sha1->sha1_auth.hash));
+
if (0 ==
memcmp (calculated_hash, hash_from_packet, sizeof (calculated_hash)))
{
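Review bot: The restore via `clib_memcpy` into `with_sha1->sha1_auth.hash` confirms that this function writes into packet data even though its signature takes `const bfd_pkt_t *pkt`, so a caller cannot tell from the prototype that the packet is temporarily altered. Consider computing the digest over a scratch copy so the received buffer is never written, or at least extend the comment to say that the hash field was overwritten for the computation and that the function can run twice on the same packet during auth rollover, which is the reason the restore is needed. Separately, the comparison in the trailing context, `memcmp (calculated_hash, hash_from_packet, sizeof (calculated_hash))`, is not a constant-time compare; for an authentication digest a constant-time comparison is the safer choice and could be folded into this fix or a follow-up.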