summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--sys/netinet/ip_esp.h4
-rw-r--r--sys/netinet/ip_esp_new.c62
2 files changed, 58 insertions, 8 deletions
diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h
index 6782059fdcf..81263e7068d 100644
--- a/sys/netinet/ip_esp.h
+++ b/sys/netinet/ip_esp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.h,v 1.11 1997/09/23 21:42:20 angelos Exp $ */
+/* $OpenBSD: ip_esp.h,v 1.12 1997/09/24 18:39:38 angelos Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -126,6 +126,8 @@ struct esp_new_xencap
#define ESP_NEW_XENCAP_LEN (6 * sizeof(u_int32_t))
#define ESP_NEW_FLAG_AUTH 0x00000001 /* Doing authentication too */
+#define ESP_NEW_FLAG_OPADDING 0x00000002 /* Old style padding */
+
struct esp_new_xdata
{
u_int32_t edx_enc_algorithm;
diff --git a/sys/netinet/ip_esp_new.c b/sys/netinet/ip_esp_new.c
index 60ce4b4ba9c..cf34d6b85ef 100644
--- a/sys/netinet/ip_esp_new.c
+++ b/sys/netinet/ip_esp_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp_new.c,v 1.4 1997/09/24 00:05:34 angelos Exp $ */
+/* $OpenBSD: ip_esp_new.c,v 1.5 1997/09/24 18:39:40 angelos Exp $ */
/*
* The author of this code is John Ioannidis, ji@tla.org,
@@ -706,9 +706,39 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
* blk[7] contains the next protocol, and blk[6] contains the
* amount of padding the original chain had. Chop off the
* appropriate parts of the chain, and return.
+ * Verify correct decryption by checking the last padding bytes.
*/
- m_adj(m, - blk[6] - 2 - alen);
+ if (xd->edx_flags & ESP_NEW_FLAG_OPADDING)
+ {
+ if (blk[6] != blk[5])
+ {
+ log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ m_freem(m);
+ return NULL;
+ }
+
+ m_adj(m, - blk[6] - 2 - alen); /* Old type padding */
+ }
+ else
+ {
+ if (blk[6] == 0)
+ {
+ log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x -- peer is probably using old style padding\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ m_freem(m);
+ return NULL;
+ }
+ else
+ if ((blk[6] == 0) || (blk[6] != blk[5] + 1))
+ {
+ log(LOG_ALERT, "esp_new_input(): decryption failed for packet from %x to %x, SA %x/%08x\n", ipo.ip_src, ipo.ip_dst, tdb->tdb_dst, ntohl(tdb->tdb_spi));
+ m_freem(m);
+ return NULL;
+ }
+
+ m_adj(m, - blk[6] - 1 - alen);
+ }
+
m_adj(m, 2 * sizeof(u_int32_t) + xd->edx_ivlen);
if (m->m_len < (ipo.ip_hl << 2))
@@ -729,7 +759,11 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
ipo.ip_id = htons(ipo.ip_id);
ipo.ip_off = 0;
ipo.ip_len += (ipo.ip_hl << 2) - 2 * sizeof(u_int32_t) - xd->edx_ivlen -
- blk[6] - 2 - alen;
+ blk[6] - 1 - alen;
+
+ if (xd->edx_flags & ESP_NEW_FLAG_OPADDING)
+ ipo.ip_len -= 1;
+
ipo.ip_len = htons(ipo.ip_len);
ipo.ip_sum = 0;
*ip = ipo;
@@ -743,9 +777,15 @@ esp_new_input(struct mbuf *m, struct tdb *tdb)
/* Update the counters */
tdb->tdb_cur_packets++;
tdb->tdb_cur_bytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) +
- blk[6] + 2 + alen;
+ blk[6] + 1 + alen;
espstat.esps_ibytes += ntohs(ip->ip_len) - (ip->ip_hl << 2) +
- blk[6] + 2 + alen;
+ blk[6] + 1 + alen;
+
+ if (xd->edx_flags & ESP_NEW_FLAG_OPADDING)
+ {
+ tdb->tdb_cur_bytes++;
+ espstat.esps_ibytes++;
+ }
/* Notify on expiration */
if (tdb->tdb_flags & TDBF_SOFT_PACKETS)
@@ -911,8 +951,16 @@ esp_new_output(struct mbuf *m, struct sockaddr_encap *gw, struct tdb *tdb,
return ENOBUFS;
}
- pad[padding-2] = padding - 2;
- pad[padding-1] = nh;
+ /* Self describing padding */
+ for (i = 0; i < padding - 2; i++)
+ pad[i] = i + 1;
+
+ if (xd->edx_flags & ESP_NEW_FLAG_OPADDING)
+ pad[padding - 2] = padding - 2;
+ else
+ pad[padding - 2] = padding - 1;
+
+ pad[padding - 1] = nh;
mi = mo = m;
plen = rlen + padding;