Module Name: src Committed By: maxv Date: Wed May 30 17:17:11 UTC 2018
Modified Files: src/sys/netipsec: xform.h xform_ah.c xform_esp.c Log Message: Introduce ah_authsiz, which computes the length of the ICV only. Use it in esp_hdrsiz, and clarify. Until now we were using ah_hdrsiz, and were relying on the fact that the size of the AH header happens to be equal to that of the ESP trailer. Now the size of the ESP trailer is added manually. This also fixes one branch in esp_hdrsiz: we always append an ESP trailer, so it must always be taken into account, and not just when an ICV is here. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/sys/netipsec/xform.h cvs rdiff -u -r1.103 -r1.104 src/sys/netipsec/xform_ah.c cvs rdiff -u -r1.93 -r1.94 src/sys/netipsec/xform_esp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/xform.h
diff -u src/sys/netipsec/xform.h:1.19 src/sys/netipsec/xform.h:1.20
--- src/sys/netipsec/xform.h:1.19 Mon May 7 09:25:04 2018
+++ src/sys/netipsec/xform.h Wed May 30 17:17:11 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: xform.h,v 1.19 2018/05/07 09:25:04 maxv Exp $ */
+/* $NetBSD: xform.h,v 1.20 2018/05/30 17:17:11 maxv Exp $ */
 /* $FreeBSD: xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
 /* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */
 /*
@@ -96,6 +96,7 @@ int ipip_output(struct mbuf *, struct se
 int ah_init0(struct secasvar *, const struct xformsw *, struct cryptoini *);
 int ah_zeroize(struct secasvar *);
 const struct auth_hash *ah_algorithm_lookup(int);
+size_t ah_authsiz(const struct secasvar *);
 size_t ah_hdrsiz(const struct secasvar *);
 /* XF_ESP */
Index: src/sys/netipsec/xform_ah.c
diff -u src/sys/netipsec/xform_ah.c:1.103 src/sys/netipsec/xform_ah.c:1.104
--- src/sys/netipsec/xform_ah.c:1.103 Tue May 29 16:50:38 2018
+++ src/sys/netipsec/xform_ah.c Wed May 30 17:17:11 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ah.c,v 1.103 2018/05/29 16:50:38 maxv Exp $ */
+/* $NetBSD: xform_ah.c,v 1.104 2018/05/30 17:17:11 maxv Exp $ */
 /* $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
 /* $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.103 2018/05/29 16:50:38 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.104 2018/05/30 17:17:11 maxv Exp $");
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -149,6 +149,19 @@ ah_algorithm_lookup(int alg)
 }
 size_t
+ah_authsiz(const struct secasvar *sav)
+{
+ size_t size;
+
+ if (sav == NULL) {
+ return ah_max_authsize;
+ }
+
+ size = AUTHSIZE(sav);
+ return roundup(size, sizeof(uint32_t));
+}
+
+size_t
 ah_hdrsiz(const struct secasvar *sav)
 {
 size_t size;
Index: src/sys/netipsec/xform_esp.c
diff -u src/sys/netipsec/xform_esp.c:1.93 src/sys/netipsec/xform_esp.c:1.94
--- src/sys/netipsec/xform_esp.c:1.93 Wed May 30 16:49:38 2018
+++ src/sys/netipsec/xform_esp.c Wed May 30 17:17:11 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_esp.c,v 1.93 2018/05/30 16:49:38 maxv Exp $ */
+/* $NetBSD: xform_esp.c,v 1.94 2018/05/30 17:17:11 maxv Exp $ */
 /* $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $ */
 /* $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
@@ -39,7 +39,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.93 2018/05/30 16:49:38 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.94 2018/05/30 17:17:11 maxv Exp $");
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
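Review bot: ah_authsiz() in the xform_ah.c hunk evaluates AUTHSIZE(sav) without checking that an authentication transform is attached to the SA; if that macro reads sav->tdb_authalgxform (its name suggests so, but its definition is outside this hunk), a caller handing it an SA without auth would dereference NULL. The only caller in this commit guards the call with `sav->tdb_authalgxform != NULL`, but the helper is now exported through xform.h, so the invariant belongs in the helper itself: `KASSERT(sav->tdb_authalgxform != NULL);` before `size = AUTHSIZE(sav);`. The new function also has no header comment; I would add `/* Length of the ICV as carried on the wire, rounded up to 32 bits, or the largest ICV we support when sav is NULL. */` above it. The rounding to sizeof(uint32_t) is an upper bound for the ESP caller if ESP carries the unpadded ICV, which is safe for a headroom estimate but worth stating in that comment.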
@@ -141,25 +141,34 @@ esp_hdrsiz(const struct secasvar *sav)
 if (sav != NULL) {
 /*XXX not right for null algorithm--does it matter??*/
 KASSERT(sav->tdb_encalgxform != NULL);
+
+ /*
+ * base header size
+ * + iv length for CBC mode
+ * + max pad length
+ * + sizeof(esp trailer)
+ * + icv length (if any).
+ */
 if (sav->flags & SADB_X_EXT_OLD)
 size = sizeof(struct esp);
 else
 size = sizeof(struct newesp);
- size += sav->tdb_encalgxform->ivsize + 9;
+ size += sav->tdb_encalgxform->ivsize + 9 +
+ sizeof(struct esptail);
+
 /*XXX need alg check???*/
 if (sav->tdb_authalgxform != NULL && sav->replay)
- size += ah_hdrsiz(sav);
+ size += ah_authsiz(sav);
 } else {
 /*
 * base header size
 * + max iv length for CBC mode
 * + max pad length
- * + sizeof(pad length field)
- * + sizeof(next header field)
+ * + sizeof(esp trailer)
 * + max icv supported.
 */
 size = sizeof(struct newesp) + esp_max_ivlen + 9 +
- ah_hdrsiz(NULL);
+ sizeof(struct esptail) + ah_authsiz(NULL);
 }
 return size;
 }
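Review bot: The `9` that the new comments label `max pad length` appears, from the else-branch lines this hunk removes, to have already covered the pad-length and next-header bytes (those two items were itemized against the same `+ 9` with nothing else in the expression accounting for them), so adding `sizeof(struct esptail)` on top likely counts the trailer twice in both branches. For a worst-case headroom estimate that is harmless, but the comment is now misleading; either reduce the constant to the pad-only value (`+ 7 +` if the estimate assumes 8-byte block alignment) or state what the 9 covers, e.g. `/* 9: historic max pad + 2 trailer bytes; esptail counted again below */`. Separately, the ICV is still counted only when `sav->replay` is set (`sav->tdb_authalgxform != NULL && sav->replay`), the same kind of incidental coupling the log message removes for the trailer; the ICV depends on the auth transform alone, so `if (sav->tdb_authalgxform != NULL)` would be the consistent check unless the SADB code guarantees replay state is always allocated alongside an auth transform. esp_hdrsiz begins before this hunk; only the body from the `if (sav != NULL)` branch onward is shown.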