IPSEC: IPv6 ESP transport mode incorrect packet length and checksum (VPP-1654) Change-Id: Ia3474e5bfea5764eae9b2987bf78296535df6778 Signed-off-by: Neale Ranns <nranns@cisco.com>

commit: 1b582b8e9264ca2514a5118ca0de0a3a5b8f5ba4 [log] [tgz]
author: Neale Ranns <nranns@cisco.com> Thu Apr 18 19:49:13 2019 -0700
committer: Dave Wallace <dwallacelf@gmail.com> Fri Apr 19 18:29:19 2019 +0000
tree: eeb42ff6223d4e37869f94308379bd4ca460ea09
parent: 1b52ca965c907812f8279dfeeee95341f15b3439 [diff]
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index f1153d9..5db10b5 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c

@@ -112,19 +112,26 @@
 static_always_inline void
 esp_update_ip4_hdr (ip4_header_t * ip4, u16 len, int is_transport, int is_udp)
 {
-  ip_csum_t sum = ip4->checksum;
-  u16 old_len = 0;
+  ip_csum_t sum;
+  u16 old_len;
+
+  len = clib_net_to_host_u16 (len);
+  old_len = ip4->length;
 
   if (is_transport)
     {
       u8 prot = is_udp ? IP_PROTOCOL_UDP : IP_PROTOCOL_IPSEC_ESP;
-      old_len = ip4->length;
-      sum = ip_csum_update (sum, ip4->protocol, prot, ip4_header_t, protocol);
-      ip4->protocol = prot;
-    }
 
-  ip4->length = len = clib_net_to_host_u16 (len);
-  sum = ip_csum_update (ip4->checksum, old_len, len, ip4_header_t, length);
+      sum = ip_csum_update (ip4->checksum, ip4->protocol,
+			    prot, ip4_header_t, protocol);
+      ip4->protocol = prot;
+
+      sum = ip_csum_update (sum, old_len, len, ip4_header_t, length);
+    }
+  else
+    sum = ip_csum_update (ip4->checksum, old_len, len, ip4_header_t, length);
+
+  ip4->length = len;
   ip4->checksum = ip_csum_fold (sum);
 }
 
@@ -411,7 +418,7 @@
 	      u16 len;
 	      ip4_header_t *ip4 = (ip4_header_t *) (ip_hdr);
 	      *next_hdr_ptr = ip4->protocol;
-	      len = payload_len + hdr_len + l2_len;
+	      len = payload_len + hdr_len - l2_len;
 	      if (udp)
 		{
 		  esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 1);

diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 17470d9..3a97820 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py

@@ -412,6 +412,8 @@
             recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
                                              self.tra_if)
             for rx in recv_pkts:
+                self.assertEqual(len(rx) - len(Ether()), rx[IP].len)
+                self.assert_packet_checksums_valid(rx)
                 try:
                     decrypted = p.vpp_tra_sa.decrypt(rx[IP])
                     self.assert_packet_checksums_valid(decrypted)
@@ -534,6 +536,8 @@
     def verify_encrypted(self, p, sa, rxs):
         decrypt_pkts = []
         for rx in rxs:
+            self.assert_packet_checksums_valid(rx)
+            self.assertEqual(len(rx) - len(Ether()), rx[IP].len)
             try:
                 decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IP])
                 if not decrypt_pkt.haslayer(IP):
commit	1b582b8e9264ca2514a5118ca0de0a3a5b8f5ba4	[log] [tgz]
author	Neale Ranns <nranns@cisco.com>	Thu Apr 18 19:49:13 2019 -0700
committer	Dave Wallace <dwallacelf@gmail.com>	Fri Apr 19 18:29:19 2019 +0000
tree	eeb42ff6223d4e37869f94308379bd4ca460ea09
parent	1b52ca965c907812f8279dfeeee95341f15b3439 [diff]