Diffstat (limited to 'sys')
-rw-r--r--sys/net/pfkeyv2.h5
-rw-r--r--sys/net/pfkeyv2_convert.c21
-rw-r--r--sys/netinet/ip_ah.c41
-rw-r--r--sys/netinet/ip_esp.c107
-rw-r--r--sys/netinet/ip_ipsp.c19
-rw-r--r--sys/netinet/ip_ipsp.h5
-rw-r--r--sys/netinet/ipsec_output.c12
7 files changed, 46 insertions, 164 deletions
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
index 5720d37dd69..1cd95ed971b 100644
--- a/sys/net/pfkeyv2.h
+++ b/sys/net/pfkeyv2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.h,v 1.61 2012/06/29 14:48:04 mikeb Exp $ */
+/* $OpenBSD: pfkeyv2.h,v 1.62 2012/09/18 09:24:45 markus Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) January 1998
*
@@ -331,11 +331,8 @@ struct sadb_x_tap {
#define SADB_X_CALG_MAX 3
#define SADB_SAFLAGS_PFS 0x001 /* perfect forward secrecy */
-#define SADB_X_SAFLAGS_HALFIV 0x002 /* Used for ESP-old */
#define SADB_X_SAFLAGS_TUNNEL 0x004 /* Force tunneling */
#define SADB_X_SAFLAGS_CHAINDEL 0x008 /* Delete whole SA chain */
-#define SADB_X_SAFLAGS_RANDOMPADDING 0x080 /* Random ESP padding */
-#define SADB_X_SAFLAGS_NOREPLAY 0x100 /* No replay counter */
#define SADB_X_SAFLAGS_UDPENCAP 0x200 /* ESP in UDP */
#define SADB_X_SAFLAGS_ESN 0x400 /* Extended Sequence Number */
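Review bot: Dropping SADB_X_SAFLAGS_HALFIV, SADB_X_SAFLAGS_RANDOMPADDING and SADB_X_SAFLAGS_NOREPLAY leaves bit values 0x002, 0x080 and 0x100 unmarked in a header that is part of the PF_KEY userland interface, so a later flag could be given a value that an older key manager still sets with the retired meaning. A one-line reservation keeps those values out of circulation: `/* 0x002, 0x080, 0x100: retired (HALFIV, RANDOMPADDING, NOREPLAY), do not reuse */`. The same holes appear at 0x00040, 0x02000 and 0x04000 in the TDBF_ table of the ip_ipsp.h hunk; a matching comment there is cheap, although those bits are kernel-internal and the compatibility concern is weaker.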
diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c
index d265d58985d..2f3dc890e6a 100644
--- a/sys/net/pfkeyv2_convert.c
+++ b/sys/net/pfkeyv2_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2_convert.c,v 1.36 2012/06/29 14:48:04 mikeb Exp $ */
+/* $OpenBSD: pfkeyv2_convert.c,v 1.37 2012/09/18 09:24:45 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@keromytis.org)
*
@@ -135,18 +135,9 @@ import_sa(struct tdb *tdb, struct sadb_sa *sadb_sa, struct ipsecinit *ii)
if (sadb_sa->sadb_sa_flags & SADB_SAFLAGS_PFS)
tdb->tdb_flags |= TDBF_PFS;
- if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_HALFIV)
- tdb->tdb_flags |= TDBF_HALFIV;
-
if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_TUNNEL)
tdb->tdb_flags |= TDBF_TUNNELING;
- if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_RANDOMPADDING)
- tdb->tdb_flags |= TDBF_RANDOMPADDING;
-
- if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_NOREPLAY)
- tdb->tdb_flags |= TDBF_NOREPLAY;
-
if (sadb_sa->sadb_sa_flags & SADB_X_SAFLAGS_UDPENCAP)
tdb->tdb_flags |= TDBF_UDPENCAP;
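Review bot: import_sa now silently accepts the retired HALFIV, RANDOMPADDING and NOREPLAY bits in sadb_sa_flags, so a key manager that still requests "old" ESP semantics gets an SA with a different wire format and no indication that the request was ignored; whether pfkeyv2.c rejects unknown flag bits before reaching this function is not visible in the diff. If import_sa has no way to report an error, the validation belongs in its caller; at minimum a comment here would record the decision, e.g. `/* Retired SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} bits are ignored. */`. import_sa begins and ends outside the hunk.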
@@ -279,19 +270,9 @@ export_sa(void **p, struct tdb *tdb)
if (tdb->tdb_flags & TDBF_PFS)
sadb_sa->sadb_sa_flags |= SADB_SAFLAGS_PFS;
- /* Only relevant for the "old" IPsec transforms. */
- if (tdb->tdb_flags & TDBF_HALFIV)
- sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_HALFIV;
-
if (tdb->tdb_flags & TDBF_TUNNELING)
sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_TUNNEL;
- if (tdb->tdb_flags & TDBF_RANDOMPADDING)
- sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_RANDOMPADDING;
-
- if (tdb->tdb_flags & TDBF_NOREPLAY)
- sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_NOREPLAY;
-
if (tdb->tdb_flags & TDBF_UDPENCAP)
sadb_sa->sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c
index 03c64e94a33..b966764f217 100644
--- a/sys/netinet/ip_ah.c
+++ b/sys/netinet/ip_ah.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ah.c,v 1.100 2012/06/29 14:48:04 mikeb Exp $ */
+/* $OpenBSD: ip_ah.c,v 1.101 2012/09/18 09:24:45 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -166,8 +166,7 @@ ah_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
cria.cri_klen = ii->ii_authkeylen * 8;
cria.cri_key = ii->ii_authkey;
- if ((tdbp->tdb_wnd > 0) && !(tdbp->tdb_flags & TDBF_NOREPLAY) &&
- (tdbp->tdb_flags & TDBF_ESN)) {
+ if ((tdbp->tdb_wnd > 0) && (tdbp->tdb_flags & TDBF_ESN)) {
bzero(&crin, sizeof(crin));
crin.cri_alg = CRYPTO_ESN;
cria.cri_next = &crin;
@@ -557,17 +556,14 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
struct cryptodesc *crda = NULL;
struct cryptop *crp;
- if (!(tdb->tdb_flags & TDBF_NOREPLAY))
- rplen = AH_FLENGTH + sizeof(u_int32_t);
- else
- rplen = AH_FLENGTH;
+ rplen = AH_FLENGTH + sizeof(u_int32_t);
/* Save the AH header, we use it throughout. */
m_copydata(m, skip + offsetof(struct ah, ah_hl), sizeof(u_int8_t),
(caddr_t) &hl);
/* Replay window checking, if applicable. */
- if ((tdb->tdb_wnd > 0) && (!(tdb->tdb_flags & TDBF_NOREPLAY))) {
+ if (tdb->tdb_wnd > 0) {
m_copydata(m, skip + offsetof(struct ah, ah_rpl),
sizeof(u_int32_t), (caddr_t) &btsx);
btsx = ntohl(btsx);
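Review bot: With the NOREPLAY branch gone, `rplen = AH_FLENGTH + sizeof(u_int32_t);` is a constant that is now spelled out identically in ah_input here, in ah_input_cb and ah_output (the later rplen hunks of this file), and as `adjust` in ipsec_hdrsz in the ipsec_output.c hunk. A single named constant next to AH_FLENGTH (a new macro, name to be chosen, for the fixed header plus sequence number) would define the AH header layout in one place and let `rplen` be initialised at its declaration instead of assigned mid-body. The body of ah_input starts and ends outside this hunk.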
@@ -659,8 +655,7 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
crda->crd_key = tdb->tdb_amxkey;
crda->crd_klen = tdb->tdb_amxkeylen * 8;
- if ((tdb->tdb_wnd > 0) && !(tdb->tdb_flags & TDBF_NOREPLAY) &&
- (tdb->tdb_flags & TDBF_ESN)) {
+ if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) {
esn = htonl(esn);
bcopy(&esn, crda->crd_esn, 4);
crda->crd_flags |= CRD_F_ESN;
@@ -813,10 +808,7 @@ ah_input_cb(void *op)
crp = NULL;
}
- if (!(tdb->tdb_flags & TDBF_NOREPLAY))
- rplen = AH_FLENGTH + sizeof(u_int32_t);
- else
- rplen = AH_FLENGTH;
+ rplen = AH_FLENGTH + sizeof(u_int32_t);
/* Copy authenticator off the packet. */
m_copydata(m, skip + rplen, ahx->authsize, calc);
@@ -855,7 +847,7 @@ ah_input_cb(void *op)
free(tc, M_XDATA);
/* Replay window checking, if applicable. */
- if ((tdb->tdb_wnd > 0) && (!(tdb->tdb_flags & TDBF_NOREPLAY))) {
+ if (tdb->tdb_wnd > 0) {
m_copydata(m, skip + offsetof(struct ah, ah_rpl),
sizeof(u_int32_t), (caddr_t) &btsx);
btsx = ntohl(btsx);
@@ -1029,8 +1021,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
* Check for replay counter wrap-around in automatic (not
* manual) keying.
*/
- if ((tdb->tdb_rpl == 0) && (tdb->tdb_wnd > 0) &&
- (!(tdb->tdb_flags & TDBF_NOREPLAY))) {
+ if ((tdb->tdb_rpl == 0) && (tdb->tdb_wnd > 0)) {
DPRINTF(("ah_output(): SA %s/%08x should have expired\n",
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
m_freem(m);
@@ -1038,10 +1029,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
return EINVAL;
}
- if (!(tdb->tdb_flags & TDBF_NOREPLAY))
- rplen = AH_FLENGTH + sizeof(u_int32_t);
- else
- rplen = AH_FLENGTH;
+ rplen = AH_FLENGTH + sizeof(u_int32_t);
switch (tdb->tdb_dst.sa.sa_family) {
#ifdef INET
@@ -1157,13 +1145,11 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
/* Zeroize authenticator. */
m_copyback(m, skip + rplen, ahx->authsize, ipseczeroes, M_NOWAIT);
- if (!(tdb->tdb_flags & TDBF_NOREPLAY)) {
- tdb->tdb_rpl++;
- ah->ah_rpl = htonl((u_int32_t)(tdb->tdb_rpl & 0xffffffff));
+ tdb->tdb_rpl++;
+ ah->ah_rpl = htonl((u_int32_t)(tdb->tdb_rpl & 0xffffffff));
#if NPFSYNC > 0
- pfsync_update_tdb(tdb,1);
+ pfsync_update_tdb(tdb,1);
#endif
- }
/* Get crypto descriptors. */
crp = crypto_getreq(1);
@@ -1186,8 +1172,7 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
crda->crd_key = tdb->tdb_amxkey;
crda->crd_klen = tdb->tdb_amxkeylen * 8;
- if ((tdb->tdb_wnd > 0) && !(tdb->tdb_flags & TDBF_NOREPLAY) &&
- (tdb->tdb_flags & TDBF_ESN)) {
+ if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) {
u_int32_t esn;
esn = htonl((u_int32_t)(tdb->tdb_rpl >> 32));
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index 6edbb9e74b7..e568ee281cb 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.117 2012/06/29 14:48:04 mikeb Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.118 2012/09/18 09:24:45 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -185,8 +185,6 @@ esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
txform->name));
tdbp->tdb_ivlen = txform->ivsize;
- if (tdbp->tdb_flags & TDBF_HALFIV)
- tdbp->tdb_ivlen /= 2;
}
if (ii->ii_authalg) {
@@ -280,8 +278,7 @@ esp_init(struct tdb *tdbp, struct xformsw *xsp, struct ipsecinit *ii)
cria.cri_alg = tdbp->tdb_authalgxform->type;
- if ((tdbp->tdb_wnd > 0) && !(tdbp->tdb_flags & TDBF_NOREPLAY) &&
- (tdbp->tdb_flags & TDBF_ESN)) {
+ if ((tdbp->tdb_wnd > 0) && (tdbp->tdb_flags & TDBF_ESN)) {
bzero(&crin, sizeof(crin));
crin.cri_alg = CRYPTO_ESN;
cria.cri_next = &crin;
@@ -338,11 +335,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
u_int32_t btsx, esn;
/* Determine the ESP header length */
- if (tdb->tdb_flags & TDBF_NOREPLAY)
- hlen = sizeof(u_int32_t) + tdb->tdb_ivlen; /* "old" ESP */
- else
- hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */
-
+ hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */
alen = esph ? esph->authsize : 0;
plen = m->m_pkthdr.len - (skip + hlen + alen);
if (plen <= 0) {
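Review bot: The surviving comment `/* "new" ESP */` on the hlen assignment no longer contrasts with anything now that the "old" ESP branch is gone; replace it with what the expression counts, `hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* SPI + sequence number + IV */`. The same expression is now repeated verbatim in esp_input_cb and esp_output in this file, in ipsp_parse_headers (ip_ipsp.c hunk) and in ipsec_hdrsz (ipsec_output.c hunk); a small static inline helper taking the tdb would give the ESP header length a single definition. esp_input begins and ends outside the hunk.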
@@ -366,7 +359,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
}
/* Replay window checking, if appropriate -- no value commitment. */
- if ((tdb->tdb_wnd > 0) && (!(tdb->tdb_flags & TDBF_NOREPLAY))) {
+ if (tdb->tdb_wnd > 0) {
m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
(unsigned char *) &btsx);
btsx = ntohl(btsx);
@@ -469,8 +462,7 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
crda->crd_key = tdb->tdb_amxkey;
crda->crd_klen = tdb->tdb_amxkeylen * 8;
- if ((tdb->tdb_wnd > 0) && !(tdb->tdb_flags & TDBF_NOREPLAY) &&
- (tdb->tdb_flags & TDBF_ESN)) {
+ if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) {
esn = htonl(esn);
bcopy(&esn, crda->crd_esn, 4);
crda->crd_flags |= CRD_F_ESN;
@@ -507,18 +499,6 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int protoff)
if (espx) {
crde->crd_skip = skip + hlen;
crde->crd_inject = skip + hlen - tdb->tdb_ivlen;
-
- if (tdb->tdb_flags & TDBF_HALFIV) {
- /* Copy half-IV from packet */
- m_copydata(m, crde->crd_inject, tdb->tdb_ivlen, crde->crd_iv);
-
- /* Cook IV */
- for (btsx = 0; btsx < tdb->tdb_ivlen; btsx++)
- crde->crd_iv[tdb->tdb_ivlen + btsx] = ~crde->crd_iv[btsx];
-
- crde->crd_flags |= CRD_F_IV_EXPLICIT;
- }
-
crde->crd_alg = espx->type;
crde->crd_key = tdb->tdb_emxkey;
crde->crd_klen = tdb->tdb_emxkeylen * 8;
@@ -628,7 +608,7 @@ esp_input_cb(void *op)
free(tc, M_XDATA);
/* Replay window checking, if appropriate */
- if ((tdb->tdb_wnd > 0) && (!(tdb->tdb_flags & TDBF_NOREPLAY))) {
+ if (tdb->tdb_wnd > 0) {
m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
(unsigned char *) &btsx);
btsx = ntohl(btsx);
@@ -665,10 +645,7 @@ esp_input_cb(void *op)
crypto_freereq(crp);
/* Determine the ESP header length */
- if (tdb->tdb_flags & TDBF_NOREPLAY)
- hlen = sizeof(u_int32_t) + tdb->tdb_ivlen; /* "old" ESP */
- else
- hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */
+ hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen;
/* Find beginning of ESP header */
m1 = m_getptr(m, skip, &roff);
@@ -737,14 +714,12 @@ esp_input_cb(void *op)
}
/* Verify correct decryption by checking the last padding bytes */
- if (!(tdb->tdb_flags & TDBF_RANDOMPADDING)) {
- if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) {
- espstat.esps_badenc++;
- splx(s);
- DPRINTF(("esp_input(): decryption failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
- m_freem(m);
- return EINVAL;
- }
+ if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) {
+ espstat.esps_badenc++;
+ splx(s);
+ DPRINTF(("esp_input(): decryption failed for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ m_freem(m);
+ return EINVAL;
}
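Review bot: The last-padding-byte check that used to be skipped for RANDOMPADDING SAs now runs for every ESP SA, including any encryption-only SA (no esph) this path may still accept, which the diff does not show. For such an SA a packet dropped here with esps_badenc incremented is distinguishable from one that passes, and that observable difference is the signal the published padding-oracle results against unauthenticated ESP rely on; the mitigation is to require integrity protection on ESP SAs, or to treat this check as diagnostic only when no authenticator is configured. A comment would make the check's role explicit for the next reader, e.g. `/* Sanity check only: integrity, where present, is provided by the authenticator. */`. The DPRINTF text still names esp_input() although this is esp_input_cb, which continues outside the hunk.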
/* Trim the mbuf chain to remove the trailing authenticator and padding */
@@ -779,6 +754,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
struct enc_xform *espx = (struct enc_xform *) tdb->tdb_encalgxform;
struct auth_hash *esph = (struct auth_hash *) tdb->tdb_authalgxform;
int ilen, hlen, rlen, padding, blks, alen;
+ u_int32_t replay;
struct mbuf *mi, *mo = (struct mbuf *) NULL;
struct tdb_crypto *tc;
unsigned char *pad;
@@ -811,10 +787,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
}
#endif
- if (tdb->tdb_flags & TDBF_NOREPLAY)
- hlen = sizeof(u_int32_t) + tdb->tdb_ivlen;
- else
- hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen;
+ hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen;
rlen = m->m_pkthdr.len - skip; /* Raw payload length. */
if (espx)
@@ -929,16 +902,14 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
/* Initialize ESP header. */
bcopy((caddr_t) &tdb->tdb_spi, mtod(mo, caddr_t), sizeof(u_int32_t));
- if (!(tdb->tdb_flags & TDBF_NOREPLAY)) {
- u_int32_t replay;
- tdb->tdb_rpl++;
- replay = htonl((u_int32_t)tdb->tdb_rpl);
- bcopy((caddr_t) &replay, mtod(mo, caddr_t) + sizeof(u_int32_t),
- sizeof(u_int32_t));
+ tdb->tdb_rpl++;
+ replay = htonl((u_int32_t)tdb->tdb_rpl);
+ bcopy((caddr_t) &replay, mtod(mo, caddr_t) + sizeof(u_int32_t),
+ sizeof(u_int32_t));
+
#if NPFSYNC > 0
- pfsync_update_tdb(tdb,1);
+ pfsync_update_tdb(tdb,1);
#endif
- }
/*
* Add padding -- better to do it ourselves than use the crypto engine,
@@ -953,12 +924,9 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
}
pad = mtod(mo, u_char *);
- /* Self-describing or random padding ? */
- if (!(tdb->tdb_flags & TDBF_RANDOMPADDING))
- for (ilen = 0; ilen < padding - 2; ilen++)
- pad[ilen] = ilen + 1;
- else
- arc4random_buf((void *) pad, padding - 2);
+ /* Apply self-describing padding */
+ for (ilen = 0; ilen < padding - 2; ilen++)
+ pad[ilen] = ilen + 1;
/* Fix padding length and Next Protocol in padding itself. */
pad[padding - 2] = padding - 2;
@@ -987,21 +955,6 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
crde->crd_flags = CRD_F_ENCRYPT;
crde->crd_inject = skip + hlen - tdb->tdb_ivlen;
- if (tdb->tdb_flags & TDBF_HALFIV) {
- /* Copy half-iv in the packet. */
- m_copyback(m, crde->crd_inject, tdb->tdb_ivlen,
- tdb->tdb_iv, M_NOWAIT);
-
- /* Cook half-iv. */
- bcopy(tdb->tdb_iv, crde->crd_iv, tdb->tdb_ivlen);
- for (ilen = 0; ilen < tdb->tdb_ivlen; ilen++)
- crde->crd_iv[tdb->tdb_ivlen + ilen] =
- ~crde->crd_iv[ilen];
-
- crde->crd_flags |=
- CRD_F_IV_PRESENT | CRD_F_IV_EXPLICIT;
- }
-
/* Encryption operation. */
crde->crd_alg = espx->type;
crde->crd_key = tdb->tdb_emxkey;
@@ -1048,8 +1001,7 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int skip,
crda->crd_key = tdb->tdb_amxkey;
crda->crd_klen = tdb->tdb_amxkeylen * 8;
- if ((tdb->tdb_wnd > 0) && !(tdb->tdb_flags & TDBF_NOREPLAY) &&
- (tdb->tdb_flags & TDBF_ESN)) {
+ if ((tdb->tdb_wnd > 0) && (tdb->tdb_flags & TDBF_ESN)) {
u_int32_t esn;
esn = htonl((u_int32_t)(tdb->tdb_rpl >> 32));
@@ -1127,15 +1079,6 @@ esp_output_cb(void *op)
/* Release crypto descriptors. */
crypto_freereq(crp);
- /*
- * If we're doing half-iv, keep a copy of the last few bytes of the
- * encrypted part, for use as the next IV. Note that HALF-IV is only
- * supposed to be used without authentication (the old ESP specs).
- */
- if (tdb->tdb_flags & TDBF_HALFIV)
- m_copydata(m, m->m_pkthdr.len - tdb->tdb_ivlen, tdb->tdb_ivlen,
- tdb->tdb_iv);
-
/* Call the IPsec input callback. */
error = ipsp_process_done(m, tdb);
splx(s);
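Review bot: The removed block was, per its own comment, where tdb_iv was refreshed for half-IV mode, so after this change tdb_iv may have no remaining writer while the field, and whatever allocates and frees it, appears to survive in struct tdb (the ip_ipsp.h hunk does not touch it); if no other use is left, removing the field would finish the old-ESP cleanup rather than leave dead state in every SA. I cannot confirm from this diff whether tdb_iv is still referenced elsewhere. esp_output_cb starts outside the hunk.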
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index e93c5b0c571..c4e8be54237 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.183 2011/05/11 07:37:04 blambert Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.184 2012/09/18 09:24:45 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -1240,22 +1240,7 @@ ipsp_parse_headers(struct mbuf *m, int off, u_int8_t proto)
}
/* How large is the ESP header ? We use this later. */
- if (tdb->tdb_flags & TDBF_NOREPLAY)
- esphlen = sizeof(u_int32_t) + tdb->tdb_ivlen;
- else
- esphlen = 2 * sizeof(u_int32_t) +
- tdb->tdb_ivlen;
-
- /*
- * Verify decryption. If the SA is using
- * random padding (as the "old" ESP SAs were
- * bound to do, there's nothing we can do to
- * see if the payload has been decrypted.
- */
- if (tdb->tdb_flags & TDBF_RANDOMPADDING) {
- splx(s);
- return SLIST_FIRST(&tags);
- }
+ esphlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen;
/* Update the length of trailing ESP authenticators. */
if (tdb->tdb_authalgxform)
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 83b112262e6..dbf2d19739d 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.148 2012/07/16 18:05:36 markus Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.149 2012/09/18 09:24:45 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -293,15 +293,12 @@ struct tdb { /* tunnel descriptor block */
#define TDBF_ALLOCATIONS 0x00008 /* Check the flows counters */
#define TDBF_INVALID 0x00010 /* This SPI is not valid yet/anymore */
#define TDBF_FIRSTUSE 0x00020 /* Expire after first use */
-#define TDBF_HALFIV 0x00040 /* Use half-length IV (ESP old only) */
#define TDBF_SOFT_TIMER 0x00080 /* Soft expiration */
#define TDBF_SOFT_BYTES 0x00100 /* Soft expiration */
#define TDBF_SOFT_ALLOCATIONS 0x00200 /* Soft expiration */
#define TDBF_SOFT_FIRSTUSE 0x00400 /* Soft expiration */
#define TDBF_PFS 0x00800 /* Ask for PFS from Key Mgmt. */
#define TDBF_TUNNELING 0x01000 /* Force IP-IP encapsulation */
-#define TDBF_NOREPLAY 0x02000 /* No replay counter present */
-#define TDBF_RANDOMPADDING 0x04000 /* Random data in the ESP padding */
#define TDBF_SKIPCRYPTO 0x08000 /* Skip actual crypto processing */
#define TDBF_USEDTUNNEL 0x10000 /* Appended a tunnel header in past */
#define TDBF_UDPENCAP 0x20000 /* UDP encapsulation */
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index 530b17336b4..2bb2bb93e08 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.44 2011/03/05 01:53:16 bluhm Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.45 2012/09/18 09:24:45 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -543,10 +543,7 @@ ipsec_hdrsz(struct tdb *tdbp)
return (-1);
/* Header length */
- if (tdbp->tdb_flags & TDBF_NOREPLAY)
- adjust = sizeof(u_int32_t) + tdbp->tdb_ivlen;
- else
- adjust = 2 * sizeof(u_int32_t) + tdbp->tdb_ivlen;
+ adjust = 2 * sizeof(u_int32_t) + tdbp->tdb_ivlen;
if (tdbp->tdb_flags & TDBF_UDPENCAP)
adjust += sizeof(struct udphdr);
/* Authenticator */
@@ -560,10 +557,7 @@ ipsec_hdrsz(struct tdb *tdbp)
if (tdbp->tdb_authalgxform == NULL)
return (-1);
- if (!(tdbp->tdb_flags & TDBF_NOREPLAY))
- adjust = AH_FLENGTH + sizeof(u_int32_t);
- else
- adjust = AH_FLENGTH;
+ adjust = AH_FLENGTH + sizeof(u_int32_t);
adjust += tdbp->tdb_authalgxform->authsize;
break;