• Ilan Tayari's avatar
    esp4/6: Fix GSO path for non-GSO SW-crypto packets · 8f92e03e
    Ilan Tayari authored
    If esp*_offload module is loaded, outbound packets take the
    GSO code path, being encapsulated at layer 3, but encrypted
    in layer 2. validate_xmit_xfrm calls esp*_xmit for that.
    
    esp*_xmit was wrongfully detecting these packets as going
    through hardware crypto offload, while in fact they should
    be encrypted in software, causing plaintext leakage to
    the network, and also dropping at the receiver side.
    
    Perform the encryption in esp*_xmit, if the SA doesn't have
    a hardware offload_handle.
    
    Also, align esp6 code to esp4 logic.
    
    Fixes: fca11ebd ("esp4: Reorganize esp_output")
    Fixes: 383d0350 ("esp6: Reorganize esp_output")
    Signed-off-by: default avatarIlan Tayari <ilant@mellanox.com>
    Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
    8f92e03e
esp6_offload.c 6.75 KB