IPSEC: ESP IPv6 transport mode payload length incorrect (VPP-1653)

[vpp.git] / src / vnet / ipsec / esp_encrypt.c

diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index bb1effd..f1153d9 100644 (file)
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -402,7 +402,9 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
              ip6_header_t *ip6 = (ip6_header_t *) (ip_hdr);
              *next_hdr_ptr = ip6->protocol;
              ip6->protocol = IP_PROTOCOL_IPSEC_ESP;
-             ip6->payload_length = payload_len + hdr_len - l2_len - ip_len;
+             ip6->payload_length =
+               clib_host_to_net_u16 (payload_len + hdr_len - l2_len -
+                                     ip_len);
            }
          else
            {
@@ -436,6 +438,21 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
          op->len = payload_len - icv_sz;
          op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV;
          op->user_data = b - bufs;
+         op->salt = sa0->salt;
+
+         if (ipsec_sa_is_set_IS_AEAD (sa0))
+           {
+             /*
+              * construct the AAD in a scratch space in front
+              * of the IP header.
+              */
+             op->aad = payload - hdr_len - sizeof (esp_aead_t);
+
+             esp_aad_fill (op, esp, sa0);
+
+             op->tag = payload + op->len;
+             op->tag_len = 16;
+           }
        }
 
       if (sa0->integ_op_id)
@@ -453,7 +470,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
          if (ipsec_sa_is_set_USE_ESN (sa0))
            {
              u32 seq_hi = clib_net_to_host_u32 (sa0->seq_hi);
-             clib_memcpy_fast (op->dst, &seq_hi, sizeof (seq_hi));
+             clib_memcpy_fast (op->digest, &seq_hi, sizeof (seq_hi));
              op->len += sizeof (seq_hi);
            }
        }