X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fesp_encrypt.c;h=8a1ac7e1ebb93397345c9fd7acc97ef9e4dee4a0;hb=dac9e566cd16fc375fff14280b37cb5135584fc6;hp=86f9094cedc042d8839d799b00c924f940d73abd;hpb=3a6bc6f1276e571b00643e4859ed193bfa76406c;p=vpp.git

diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index 86f9094cedc..8a1ac7e1ebb 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -415,6 +415,12 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
 	      op->aad_len = esp_aad_fill (op->aad, esp, sa0, seq_hi);
 	      op->tag = payload + crypto_len;
 	      op->tag_len = 16;
+	      if (PREDICT_FALSE (ipsec_sa_is_set_IS_NULL_GMAC (sa0)))
+		{
+		  /* RFC-4543 ENCR_NULL_AUTH_AES_GMAC: IV is part of AAD */
+		  crypto_start -= iv_sz;
+		  crypto_len += iv_sz;
+		}
 	    }
 	  else
 	    {
@@ -522,6 +528,12 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd,
 	  /* constuct aad in a scratch space in front of the nonce */
 	  aad = (u8 *) nonce - sizeof (esp_aead_t);
 	  esp_aad_fill (aad, esp, sa, sa->seq_hi);
+	  if (PREDICT_FALSE (ipsec_sa_is_set_IS_NULL_GMAC (sa)))
+	    {
+	      /* RFC-4543 ENCR_NULL_AUTH_AES_GMAC: IV is part of AAD */
+	      crypto_start_offset -= iv_sz;
+	      crypto_total_len += iv_sz;
+	    }
 	}
       else
 	{
@@ -678,6 +690,7 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 	  current_sa_packets = current_sa_bytes = 0;
 
 	  sa0 = ipsec_sa_get (sa_index0);
+	  current_sa_index = sa_index0;
 
 	  if (PREDICT_FALSE ((sa0->crypto_alg == IPSEC_CRYPTO_ALG_NONE &&
 			      sa0->integ_alg == IPSEC_INTEG_ALG_NONE) &&
@@ -689,7 +702,6 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 					  sa_index0);
 	      goto trace;
 	    }
-	  current_sa_index = sa_index0;
 	  vlib_prefetch_combined_counter (&ipsec_sa_counters, thread_index,
 					  current_sa_index);