summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/esp_decrypt.c
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-12-20 00:54:57 +0000
committerNeale Ranns <nranns@cisco.com>2020-01-04 04:50:47 +0000
commit02950406c49a743f631395ed52073921744e1afd (patch)
tree2891403e2fe8cc879f43d4e46e314a2f412763cb /src/vnet/ipsec/esp_decrypt.c
parent2f04cb9f142abef82cd379432cecdafef9e776db (diff)
ipsec: Targeted unit testing
Type: fix 1 - big packets; chained buffers and those without enoguh space to add ESP header 2 - IPv6 extension headers in packets that are encrypted/decrypted 3 - Interface protection with SAs that have null algorithms Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
Diffstat (limited to 'src/vnet/ipsec/esp_decrypt.c')
-rw-r--r--src/vnet/ipsec/esp_decrypt.c29
1 files changed, 22 insertions, 7 deletions
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index 16ae3a3d9eb..ee53b018552 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -53,6 +53,7 @@ typedef enum
_(OVERSIZED_HEADER, "buffer with oversized header (dropped)") \
_(NO_TAIL_SPACE, "no enough buffer tail space (dropped)") \
_(TUN_NO_PROTO, "no tunnel protocol") \
+ _(UNSUP_PAYLOAD, "unsupported payload") \
typedef enum
@@ -311,9 +312,10 @@ esp_decrypt_inline (vlib_main_t * vm,
b += 1;
}
- vlib_increment_combined_counter (&ipsec_sa_counters, thread_index,
- current_sa_index, current_sa_pkts,
- current_sa_bytes);
+ if (PREDICT_TRUE (~0 != current_sa_index))
+ vlib_increment_combined_counter (&ipsec_sa_counters, thread_index,
+ current_sa_index, current_sa_pkts,
+ current_sa_bytes);
if ((n = vec_len (ptd->integ_ops)))
{
@@ -513,6 +515,8 @@ esp_decrypt_inline (vlib_main_t * vm,
next[0] = ESP_DECRYPT_NEXT_IP6_INPUT;
break;
default:
+ b[0]->error =
+ node->errors[ESP_DECRYPT_ERROR_UNSUP_PAYLOAD];
next[0] = ESP_DECRYPT_NEXT_DROP;
break;
}
@@ -520,8 +524,7 @@ esp_decrypt_inline (vlib_main_t * vm,
else
{
next[0] = ESP_DECRYPT_NEXT_DROP;
- b[0]->error =
- node->errors[ESP_DECRYPT_ERROR_DECRYPTION_FAILED];
+ b[0]->error = node->errors[ESP_DECRYPT_ERROR_UNSUP_PAYLOAD];
goto trace;
}
}
@@ -530,8 +533,20 @@ esp_decrypt_inline (vlib_main_t * vm,
if (ipsec_sa_is_set_IS_PROTECT (sa0))
{
/*
- * Check that the reveal IP header matches that
- * of the tunnel we are protecting
+ * There are two encap possibilities
+ * 1) the tunnel and ths SA are prodiving encap, i.e. it's
+ * MAC | SA-IP | TUN-IP | ESP | PAYLOAD
+ * implying the SA is in tunnel mode (on a tunnel interface)
+ * 2) only the tunnel provides encap
+ * MAC | TUN-IP | ESP | PAYLOAD
+ * implying the SA is in transport mode.
+ *
+ * For 2) we need only strip the tunnel encap and we're good.
+ * since the tunnel and crypto ecnap (int the tun=protect
+ * object) are the same and we verified above that these match
+ * for 1) we need to strip the SA-IP outer headers, to
+ * reveal the tunnel IP and then check that this matches
+ * the configured tunnel.
*/
const ipsec_tun_protect_t *itp;