summaryrefslogtreecommitdiff
path: root/net/ipv4/esp4_offload.c
diff options
context:
space:
mode:
authorIlan Tayari <ilant@mellanox.com>2017-04-19 08:41:01 +0300
committerSteffen Klassert <steffen.klassert@secunet.com>2017-04-19 07:48:57 +0200
commit8f92e03ecca390beed3d5ccc81023d050f0369fd (patch)
tree59af1b45995e4ba7491f7540616aa11ad3bdc048 /net/ipv4/esp4_offload.c
parentffa6f571e4e20bbe5b3d8b5e112e66b3b6c29632 (diff)
downloadlwn-8f92e03ecca390beed3d5ccc81023d050f0369fd.tar.gz
lwn-8f92e03ecca390beed3d5ccc81023d050f0369fd.zip
esp4/6: Fix GSO path for non-GSO SW-crypto packets
If esp*_offload module is loaded, outbound packets take the GSO code path, being encapsulated at layer 3, but encrypted in layer 2. validate_xmit_xfrm calls esp*_xmit for that. esp*_xmit was wrongfully detecting these packets as going through hardware crypto offload, while in fact they should be encrypted in software, causing plaintext leakage to the network, and also dropping at the receiver side. Perform the encryption in esp*_xmit, if the SA doesn't have a hardware offload_handle. Also, align esp6 code to esp4 logic. Fixes: fca11ebde3f0 ("esp4: Reorganize esp_output") Fixes: 383d0350f2cc ("esp6: Reorganize esp_output") Signed-off-by: Ilan Tayari <ilant@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/ipv4/esp4_offload.c')
-rw-r--r--net/ipv4/esp4_offload.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index f3e33c26dc33..e0666016a764 100644
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -209,8 +209,8 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_
if (!xo)
return -EINVAL;
- if (!(features & NETIF_F_HW_ESP) ||
- (x->xso.offload_handle && x->xso.dev != skb->dev)) {
+ if (!(features & NETIF_F_HW_ESP) || !x->xso.offload_handle ||
+ (x->xso.dev != skb->dev)) {
xo->flags |= CRYPTO_FALLBACK;
hw_offload = false;
}