diff options
-rw-r--r-- | sys/netinet/ip_esp.h | 4 | ||||
-rw-r--r-- | sys/netinet/ip_esp_new.c | 62 |
2 files changed, 58 insertions, 8 deletions
diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h index 6782059fdcf..81263e7068d 100644 --- a/sys/netinet/ip_esp.h +++ b/sys/netinet/ip_esp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.h,v 1.11 1997/09/23 21:42:20 angelos Exp $ */ +/* $OpenBSD: ip_esp.h,v 1.12 1997/09/24 18:39:38 angelos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -126,6 +126,8 @@ struct esp_new_xencap #define ESP_NEW_XENCAP_LEN (6 * sizeof(u_int32_t)) #define ESP_NEW_FLAG_AUTH 0x00000001 /* Doing authentication too */ +#define ESP_NEW_FLAG_OPADDING 0x00000002 /* Old style padding */ + struct esp_new_xdata { u_int32_t edx_enc_algorithm; diff --git a/sys/netinet/ip_esp_new.c b/sys/netinet/ip_esp_new.c index 60ce4b4ba9c..cf34d6b85ef 100644 --- a/sys/netinet/ip_esp_new.c +++ b/sys/netinet/ip_esp_new.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp_new.c,v 1.4 1997/09/24 00:05:34 angelos Exp $ */ +/* $OpenBSD: ip_esp_new.c,v 1.5 1997/09/24 18:39:40 angelos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, @@ -706,9 +706,39 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) * blk[7] contains the next protocol, and blk[6] contains the * amount of padding the original chain had. Chop off the * appropriate parts of the chain, and return. + * Verify correct decryption by checking the last padding bytes. */ - m_adj(m, - blk[6] - 2 - alen); + if (xd->edx_flags & ESP_NEW_FLAG_OPADDING) + { + if (blk[6] != blk[5]) + { + log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + m_freem(m); + return NULL; + } + + m_adj(m, - blk[6] - 2 - alen); /* Old type padding */ + } + else + { + if (blk[6] == 0) + { + log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x -- peer is probably using old style padding\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + m_freem(m); + return NULL; + } + else + if ((blk[6] == 0) || (blk[6] != blk[5] + 1)) + { + log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi)); + m_freem(m); + return NULL; + } + + m_adj(m, - blk[6] - 1 - alen); + } + m_adj(m, 2 * sizeof(u_int32_t) + xd->edx_ivlen); if (m->m_len < (ipo.ip_hl << 2)) @@ -729,7 +759,11 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) ipo.ip_id = htons(ipo.ip_id); ipo.ip_off = 0; ipo.ip_len += (ipo.ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen - - blk[6] - 2 - alen; + blk[6] - 1 - alen; + + if (xd->edx_flags & ESP_NEW_FLAG_OPADDING) + ipo.ip_len -= 1; + ipo.ip_len = htons(ipo.ip_len); ipo.ip_sum = 0; *ip = ipo; @@ -743,9 +777,15 @@ esp_new_input(struct mbuf *m, struct tdb *tdb) /* Update the counters */ tdb->tdb_cur_packets++; tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + - blk[6] + 2 + alen; + blk[6] + 1 + alen; espstat.esps_ibytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) + - blk[6] + 2 + alen; + blk[6] + 1 + alen; + + if (xd->edx_flags & ESP_NEW_FLAG_OPADDING) + { + tdb->tdb_cur_bytes++; + espstat.esps_ibytes++; + } /* Notify on expiration */ if (tdb->tdb_flags & TDBF_SOFT_PACKETS) @@ -911,8 +951,16 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb, return ENOBUFS; } - pad[padding-2] = padding - 2; - pad[padding-1] = nh; + /* Self describing padding */ + for (i = 0; i < padding - 2; i++) + pad[i] = i + 1; + + if (xd->edx_flags & ESP_NEW_FLAG_OPADDING) + pad[padding - 2] = padding - 2; + else + pad[padding - 2] = padding - 1; + + pad[padding - 1] = nh; mi = mo = m; plen = rlen + padding; |