aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/vnet/ipsec/esp_encrypt.c19
-rw-r--r--test/test_ipsec_esp.py1
2 files changed, 12 insertions, 8 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index e9feb8b40a1..e80f98624b9 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -695,18 +695,10 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
if (n_bufs > 1)
{
- crypto_ops = &ptd->chained_crypto_ops;
- integ_ops = &ptd->chained_integ_ops;
-
/* find last buffer in the chain */
while (lb->flags & VLIB_BUFFER_NEXT_PRESENT)
lb = vlib_get_buffer (vm, lb->next_buffer);
}
- else
- {
- crypto_ops = &ptd->crypto_ops;
- integ_ops = &ptd->integ_ops;
- }
if (PREDICT_FALSE (esp_seq_advance (sa0)))
{
@@ -879,6 +871,17 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
}
+ if (lb != b[0])
+ {
+ crypto_ops = &ptd->chained_crypto_ops;
+ integ_ops = &ptd->chained_integ_ops;
+ }
+ else
+ {
+ crypto_ops = &ptd->crypto_ops;
+ integ_ops = &ptd->integ_ops;
+ }
+
esp->spi = spi;
esp->seq = clib_net_to_host_u32 (sa0->seq);
diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index 036fbf36e55..7448df1d09a 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -585,6 +585,7 @@ class RunTestIpsecEspAll(ConfigIpsecESP,
LARGE_PKT_SZ = [
1970, # results in 2 chained buffers entering decrypt node
# but leaving as simple buffer due to ICV removal (tra4)
+ 2004, # footer+ICV will be added to 2nd buffer (tun4)
4010, # ICV ends up splitted accross 2 buffers in esp_decrypt
# for transport4; transport6 takes normal path
4020, # same as above but tra4 and tra6 are switched