small cleanup.

philljj · philljj · commit 1f0859083d08 · 2025-09-18T12:31:45.000-05:00
diff --git a/src/wolfesp.c b/src/wolfesp.c
@@ -429,7 +429,6 @@ static int esp_unwrap(struct wolfIP *s, struct wolfIP_ip_packet *ip,
     pad_len = *(ip->data + esp_len - esp_sa->icv_len - ESP_NEXT_HEADER_LEN
                 - ESP_PADDING_LEN);
     nxt_hdr = *(ip->data + esp_len - esp_sa->icv_len - ESP_NEXT_HEADER_LEN);
-    ip->proto = nxt_hdr;
 
     #ifdef WOLFIP_DEBUG_ESP
     wolfIP_print_esp(esp_sa, ip->data, esp_len, pad_len, nxt_hdr);
@@ -452,7 +451,12 @@ static int esp_unwrap(struct wolfIP *s, struct wolfIP_ip_packet *ip,
                                ESP_NEXT_HEADER_LEN + esp_sa->icv_len);
     ip->len = ip->len - (pad_len + ESP_PADDING_LEN +
                          ESP_NEXT_HEADER_LEN + esp_sa->icv_len);
+
+    /* update len, set proto to next header, recalculate iphdr checksum. */
     ip->len = ee16(ip->len);
+    ip->proto = nxt_hdr;
+    ip->csum = 0;
+    iphdr_set_checksum(ip);
 
     #ifdef WOLFIP_DEBUG_ESP_VERBOSE
     esp_dump_data_verbose("esp_packet after unwrap", ip->data,
@@ -608,4 +612,48 @@ static int esp_wrap(struct wolfIP_ip_packet *ip, uint16_t * ip_len)
 
     return 0;
 }
+
+/**
+ * Copy frame to new packet so we can expand and wrap in place
+ * without stepping on the fifo tcp circular buffer.
+ * */
+static int esp_output(struct wolfIP *s, const struct wolfIP_ip_packet *ip,
+                      uint16_t len)
+{
+    /**
+     * 56 is reasonable max ESP overhead (for now), rounded up to 4 bytes.
+     *      8 bytes (esp header)
+     *   + 16 bytes (iv, prepended to payload)
+     *   + 15 bytes (max padding with block cipher)
+     *   +  2 bytes (pad_len + nxt_hdr fields)
+     *   + 12 bytes (icv)
+     * may need to increase depending on algs supported.
+     * */
+    struct wolfIP_ip_packet * esp;
+    uint8_t                   frame[LINK_MTU + 56];
+    uint16_t                  ip_final_len = len;
+    int                       esp_rc = 0;
+
+    esp = (struct wolfIP_ip_packet *) frame;
+    memcpy(esp, ip, sizeof(struct wolfIP_ip_packet) + len);
+
+    esp_rc = esp_wrap(esp, &ip_final_len);
+
+    if (esp_rc) {
+        #ifdef WOLFIP_DEBUG_ESP
+        printf("error: esp_wrap returned: %d\n", esp_rc);
+        #endif /* WOLFIP_DEBUG_ESP */
+        return esp_rc;
+    }
+
+    /* update len, set proto to ESP 0x32 (50), recalculate iphdr checksum. */
+    esp->len = ee16(ip_final_len);
+    esp->proto = 0x32;
+    esp->csum = 0;
+    iphdr_set_checksum(esp);
+
+    s->ll_dev.send(&s->ll_dev, esp, ip_final_len + ETH_HEADER_LEN);
+
+    return 0;
+}
 #endif /* WOLFIP_ESP && !WOLFESP_SRC */
diff --git a/src/wolfip.c b/src/wolfip.c
@@ -958,52 +958,6 @@ static int ip_output_add_header(struct tsocket *t, struct wolfIP_ip_packet *ip,
     return 0;
 }
 
-#ifdef  WOLFIP_ESP
-/**
- * Copy frame to new packet so we can expand and wrap in place
- * without stepping on the fifo tcp circular buffer.
- * */
-static int esp_output(struct wolfIP *s, const struct wolfIP_ip_packet *ip,
-                      uint16_t len)
-{
-    /**
-     * 56 is reasonable max ESP overhead (for now), rounded up to 4 bytes.
-     *      8 bytes (esp header)
-     *   + 16 bytes (iv, prepended to payload)
-     *   + 15 bytes (max padding with block cipher)
-     *   +  2 bytes (pad_len + nxt_hdr fields)
-     *   + 12 bytes (icv)
-     * may need to increase depending on algs supported.
-     * */
-    struct wolfIP_ip_packet * esp;
-    uint8_t                   frame[LINK_MTU + 56];
-    uint16_t                  ip_final_len = len;
-    int                       esp_rc = 0;
-
-    esp = (struct wolfIP_ip_packet *) frame;
-    memcpy(esp, ip, sizeof(struct wolfIP_ip_packet) + len);
-
-    esp_rc = esp_wrap(esp, &ip_final_len);
-
-    if (esp_rc) {
-        #ifdef WOLFIP_DEBUG_ESP
-        printf("error: esp_wrap returned: %d\n", esp_rc);
-        #endif /* WOLFIP_DEBUG_ESP */
-        return esp_rc;
-    }
-
-    /* update len, set proto to ESP 0x32 (50), recalculate iphdr checksum. */
-    esp->len = ee16(ip_final_len);
-    esp->proto = 0x32;
-    esp->csum = 0;
-    iphdr_set_checksum(esp);
-
-    s->ll_dev.send(&s->ll_dev, esp, ip_final_len + ETH_HEADER_LEN);
-
-    return 0;
-}
-#endif /* WOLFIP_ESP */
-
 /* Process timestamp option, calculate RTT */
 static int tcp_process_ts(struct tsocket *t, const struct wolfIP_tcp_seg *tcp)
 {
@@ -2093,6 +2047,7 @@ static inline void ip_recv(struct wolfIP *s, struct wolfIP_ip_packet *ip,
 
     #ifdef WOLFIP_ESP
     if (ip->proto == 0x32) {
+        /* proto is ESP 0x32 (50), try to unwrap. */
         int esp_rc = 0;
         esp_rc = esp_unwrap(s, ip, &len);
         if (esp_rc) {
