diff options
| author |   Neale Ranns <nranns@cisco.com> | 2019-12-20 00:54:57 +0000 |
|---|---|---|
| committer | Neale Ranns <nranns@cisco.com> | 2020-01-04 04:50:47 +0000 |
| commit | 02950406c49a743f631395ed52073921744e1afd (patch) | |
| tree | 2891403e2fe8cc879f43d4e46e314a2f412763cb /src/vnet/ipsec/esp_decrypt.c | |
| parent | 2f04cb9f142abef82cd379432cecdafef9e776db (diff) | |
ipsec: Targeted unit testing
Type: fix
1 - big packets; chained buffers and those without enoguh space to add
ESP header
2 - IPv6 extension headers in packets that are encrypted/decrypted
3 - Interface protection with SAs that have null algorithms
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
Diffstat (limited to 'src/vnet/ipsec/esp_decrypt.c')
| -rw-r--r-- | src/vnet/ipsec/esp_decrypt.c | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index 16ae3a3d9eb..ee53b018552 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -53,6 +53,7 @@ typedef enum _(OVERSIZED_HEADER, "buffer with oversized header (dropped)") \ _(NO_TAIL_SPACE, "no enough buffer tail space (dropped)") \ _(TUN_NO_PROTO, "no tunnel protocol") \ + _(UNSUP_PAYLOAD, "unsupported payload") \ typedef enum @@ -311,9 +312,10 @@ esp_decrypt_inline (vlib_main_t * vm, b += 1; } - vlib_increment_combined_counter (&ipsec_sa_counters, thread_index, - current_sa_index, current_sa_pkts, - current_sa_bytes); + if (PREDICT_TRUE (~0 != current_sa_index)) + vlib_increment_combined_counter (&ipsec_sa_counters, thread_index, + current_sa_index, current_sa_pkts, + current_sa_bytes); if ((n = vec_len (ptd->integ_ops))) { @@ -513,6 +515,8 @@ esp_decrypt_inline (vlib_main_t * vm, next[0] = ESP_DECRYPT_NEXT_IP6_INPUT; break; default: + b[0]->error = + node->errors[ESP_DECRYPT_ERROR_UNSUP_PAYLOAD]; next[0] = ESP_DECRYPT_NEXT_DROP; break; } @@ -520,8 +524,7 @@ esp_decrypt_inline (vlib_main_t * vm, else { next[0] = ESP_DECRYPT_NEXT_DROP; - b[0]->error = - node->errors[ESP_DECRYPT_ERROR_DECRYPTION_FAILED]; + b[0]->error = node->errors[ESP_DECRYPT_ERROR_UNSUP_PAYLOAD]; goto trace; } } @@ -530,8 +533,20 @@ esp_decrypt_inline (vlib_main_t * vm, if (ipsec_sa_is_set_IS_PROTECT (sa0)) { /* - * Check that the reveal IP header matches that - * of the tunnel we are protecting + * There are two encap possibilities + * 1) the tunnel and ths SA are prodiving encap, i.e. it's + * MAC | SA-IP | TUN-IP | ESP | PAYLOAD + * implying the SA is in tunnel mode (on a tunnel interface) + * 2) only the tunnel provides encap + * MAC | TUN-IP | ESP | PAYLOAD + * implying the SA is in transport mode. + * + * For 2) we need only strip the tunnel encap and we're good. + * since the tunnel and crypto ecnap (int the tun=protect + * object) are the same and we verified above that these match + * for 1) we need to strip the SA-IP outer headers, to + * reveal the tunnel IP and then check that this matches + * the configured tunnel. */ const ipsec_tun_protect_t *itp; |