From 02950406c49a743f631395ed52073921744e1afd Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Fri, 20 Dec 2019 00:54:57 +0000 Subject: ipsec: Targeted unit testing Type: fix 1 - big packets; chained buffers and those without enoguh space to add ESP header 2 - IPv6 extension headers in packets that are encrypted/decrypted 3 - Interface protection with SAs that have null algorithms Signed-off-by: Neale Ranns Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973 --- src/vnet/ipsec/ipsec_tun_in.c | 52 ------------------------------------------- 1 file changed, 52 deletions(-) (limited to 'src/vnet/ipsec/ipsec_tun_in.c') diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c index f25a76319f1..e6ad67b433a 100644 --- a/src/vnet/ipsec/ipsec_tun_in.c +++ b/src/vnet/ipsec/ipsec_tun_in.c @@ -311,58 +311,6 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, n_bytes = len0; } - /* - * compare the packet's outer IP headers to that of the tunnels - */ - if (is_ip6) - { - if (PREDICT_FALSE - (!ip46_address_is_equal_v6 - (&itp0->itp_crypto.dst, &ip60->src_address) - || !ip46_address_is_equal_v6 (&itp0->itp_crypto.src, - &ip60->dst_address))) - { - b[0]->error = - node->errors - [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH]; - next[0] = IPSEC_INPUT_NEXT_DROP; - goto trace00; - } - } - else - { - if (PREDICT_FALSE - (!ip46_address_is_equal_v4 - (&itp0->itp_crypto.dst, &ip40->src_address) - || !ip46_address_is_equal_v4 (&itp0->itp_crypto.src, - &ip40->dst_address))) - { - b[0]->error = - node->errors - [IPSEC_TUN_PROTECT_INPUT_ERROR_TUNNEL_MISMATCH]; - next[0] = IPSEC_INPUT_NEXT_DROP; - goto trace00; - } - } - - /* - * There are two encap possibilities - * 1) the tunnel and ths SA are prodiving encap, i.e. it's - * MAC | SA-IP | TUN-IP | ESP | PAYLOAD - * implying the SA is in tunnel mode (on a tunnel interface) - * 2) only the tunnel provides encap - * MAC | TUN-IP | ESP | PAYLOAD - * implying the SA is in transport mode. - * - * For 2) we need only strip the tunnel encap and we're good. - * since the tunnel and crypto ecnap (int the tun=protect - * object) are the same and we verified above that these match - * for 1) we need to strip the SA-IP outer headers, to - * reveal the tunnel IP and then check that this matches - * the configured tunnel. this we can;t do here since it - * involves a lookup in the per-tunnel-type DB - so ship - * the packet to the tunnel-types provided node to do that - */ next[0] = IPSEC_TUN_PROTECT_NEXT_DECRYPT; } trace00: -- cgit 1.2.3-korg