In case there is no free space in first buffer for ICV and footer,
additional buffer will be added, but esp_encrypt will stay in single
buffer mode.
The issue happens for the following payload sizes:
- TCP packets with payload 1992
- ICMP packets with payload 2004
This fix moves the single/chained buffer ops selection to after
esp_add_footer_and_icv call.
Type: fix
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Signed-off-by: PiotrX Kleski <piotrx.kleski@intel.com>
Change-Id: Ic5ceba418f738933f96edb3e489ca2d149033b79
(cherry picked from commit
fdca4dd1a1a817e65bf44e435261d893fc0c51d6)
if (n_bufs > 1)
{
- crypto_ops = &ptd->chained_crypto_ops;
- integ_ops = &ptd->chained_integ_ops;
-
/* find last buffer in the chain */
while (lb->flags & VLIB_BUFFER_NEXT_PRESENT)
lb = vlib_get_buffer (vm, lb->next_buffer);
}
- else
- {
- crypto_ops = &ptd->crypto_ops;
- integ_ops = &ptd->integ_ops;
- }
if (PREDICT_FALSE (esp_seq_advance (sa0)))
{
next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
}
+ if (lb != b[0])
+ {
+ crypto_ops = &ptd->chained_crypto_ops;
+ integ_ops = &ptd->chained_integ_ops;
+ }
+ else
+ {
+ crypto_ops = &ptd->crypto_ops;
+ integ_ops = &ptd->integ_ops;
+ }
+
esp->spi = spi;
esp->seq = clib_net_to_host_u32 (sa0->seq);
LARGE_PKT_SZ = [
1970, # results in 2 chained buffers entering decrypt node
# but leaving as simple buffer due to ICV removal (tra4)
+ 2004, # footer+ICV will be added to 2nd buffer (tun4)
4010, # ICV ends up splitted accross 2 buffers in esp_decrypt
# for transport4; transport6 takes normal path
4020, # same as above but tra4 and tra6 are switched