From 461caa5f98202ac758076ad96b82c57251f2f19a Mon Sep 17 00:00:00 2001
From: Matthew Smith
Date: Fri, 21 Dec 2018 11:53:16 -0600
Subject: [PATCH] ipsec: fix support check when using AES-GCM
When adding an IPsec SA, ipsec_check_support_cb() is called. This invokes a callback for AH and a callback for ESP to check if the algorithms are supported. When using AES-GCM on an ESP SA with the DPDK IPsec backend selected, the AH callback fails. The DPDK IPsec backend has no AH support, so the callback for the default OpenSSL backend is invoked. This checks whether the crypto algorithm is AES-GCM and returns failure. Only invoke the callback to check support for the IPsec protocol of the SA - either AH or ESP rather than doing both.
Change-Id: Ic10be6a17b580d06ffb7e82ef5866e53a4f8b525
Signed-off-by: Matthew Smith
---
 src/vnet/ipsec/ipsec.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index a88164b6b0f..fdd18c2f8fa 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -569,16 +569,21 @@ clib_error_t *
 ipsec_check_support_cb (ipsec_main_t * im, ipsec_sa_t * sa)
 {
 clib_error_t *error = 0;
- ipsec_ah_backend_t *ah =
- pool_elt_at_index (im->ah_backends, im->ah_current_backend);
- ASSERT (ah->check_support_cb);
- error = ah->check_support_cb (sa);
- if (error)
- return error;
- ipsec_esp_backend_t *esp =
- pool_elt_at_index (im->esp_backends, im->esp_current_backend);
- ASSERT (esp->check_support_cb);
- error = esp->check_support_cb (sa);
+
+ if (PREDICT_FALSE (sa->protocol == IPSEC_PROTOCOL_AH))
+ {
+ ipsec_ah_backend_t *ah =
+ pool_elt_at_index (im->ah_backends, im->ah_current_backend);
+ ASSERT (ah->check_support_cb);
+ error = ah->check_support_cb (sa);
+ }
+ else
+ {
+ ipsec_esp_backend_t *esp =
+ pool_elt_at_index (im->esp_backends, im->esp_current_backend);
+ ASSERT (esp->check_support_cb);
+ error = esp->check_support_cb (sa);
+ }
 return error;
 }
--
2.16.6
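Review bot: The `else` branch sends every `sa->protocol` value other than `IPSEC_PROTOCOL_AH` to the ESP backend's check, so this support gate does not fail closed for a value that is neither AH nor ESP. Whether callers validate the protocol before reaching ipsec_check_support_cb() is not visible in this hunk; if they do not, make the second branch explicit with `else if (sa->protocol == IPSEC_PROTOCOL_ESP)` and end with `else error = clib_error_return (0, "unsupported IPsec protocol");`. A one-line comment above the `if`, such as `/* only the backend matching the SA's protocol is consulted */`, would record that the AH backend's algorithm restrictions are now skipped for ESP SAs on purpose. The `PREDICT_FALSE` hint buys little on an SA-add path and could be dropped.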