

[src/trunk]: src/sys/netipsec Introduce ah_authsiz, which computes the length...



details:   https://anonhg.NetBSD.org/src/rev/32983a467ae4
branches:  trunk
changeset: 319451:32983a467ae4
user:      maxv <maxv%NetBSD.org@localhost>
date:      Wed May 30 17:17:11 2018 +0000

description:
Introduce ah_authsiz, which computes the length of the ICV only. Use it in
esp_hdrsiz, and clarify.

Until now we were using ah_hdrsiz, and were relying on the fact that the
size of the AH header happens to be equal to that of the ESP trailer.

Now the size of the ESP trailer is added manually. This also fixes one
branch in esp_hdrsiz: we always append an ESP trailer, so it must always
be taken into account, and not just when an ICV is present.

diffstat:

 sys/netipsec/xform.h     |   3 ++-
 sys/netipsec/xform_ah.c  |  17 +++++++++++++++--
 sys/netipsec/xform_esp.c |  23 ++++++++++++++++-------
 3 files changed, 33 insertions(+), 10 deletions(-)

diffs (113 lines):

diff -r 62c5c2d0f20a -r 32983a467ae4 sys/netipsec/xform.h
--- a/sys/netipsec/xform.h      Wed May 30 16:49:38 2018 +0000
+++ b/sys/netipsec/xform.h      Wed May 30 17:17:11 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform.h,v 1.19 2018/05/07 09:25:04 maxv Exp $  */
+/*     $NetBSD: xform.h,v 1.20 2018/05/30 17:17:11 maxv Exp $  */
 /*     $FreeBSD: xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $       */
 /*     $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $   */
 /*
@@ -96,6 +96,7 @@
 int ah_init0(struct secasvar *, const struct xformsw *, struct cryptoini *);
 int ah_zeroize(struct secasvar *);
 const struct auth_hash *ah_algorithm_lookup(int);
+size_t ah_authsiz(const struct secasvar *);
 size_t ah_hdrsiz(const struct secasvar *);
 
 /* XF_ESP */
diff -r 62c5c2d0f20a -r 32983a467ae4 sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c   Wed May 30 16:49:38 2018 +0000
+++ b/sys/netipsec/xform_ah.c   Wed May 30 17:17:11 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_ah.c,v 1.103 2018/05/29 16:50:38 maxv Exp $      */
+/*     $NetBSD: xform_ah.c,v 1.104 2018/05/30 17:17:11 maxv Exp $      */
 /*     $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $    */
 /*     $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.103 2018/05/29 16:50:38 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.104 2018/05/30 17:17:11 maxv Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -149,6 +149,19 @@
 }
 
 size_t
+ah_authsiz(const struct secasvar *sav)
+{
+       size_t size;
+
+       if (sav == NULL) {
+               return ah_max_authsize;
+       }
+
+       size = AUTHSIZE(sav);
+       return roundup(size, sizeof(uint32_t));
+}
+
+size_t
 ah_hdrsiz(const struct secasvar *sav)
 {
        size_t size;
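Review bot: ah_authsiz is introduced without a comment stating its contract, and its two return paths are not obviously consistent: the NULL case returns ah_max_authsize unchanged while the sav case rounds AUTHSIZE(sav) up to a 32-bit multiple, so the NULL result is a safe upper bound only if ah_max_authsize is itself already 4-byte aligned, which this hunk does not show. I would add above the definition `/* Return the size of the ICV for sav, rounded up to a 32-bit boundary; a NULL sav yields the largest ICV of any supported algorithm. */`. Note also that AUTHSIZE(sav) presumably dereferences sav->tdb_authalgxform and nothing in ah_authsiz checks it, so callers must only pass an SA with an authentication algorithm configured, as the esp_hdrsiz caller in this commit does; a `KASSERT(sav->tdb_authalgxform != NULL)` before the AUTHSIZE line would make that precondition explicit if AUTHSIZE does not tolerate NULL.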
diff -r 62c5c2d0f20a -r 32983a467ae4 sys/netipsec/xform_esp.c
--- a/sys/netipsec/xform_esp.c  Wed May 30 16:49:38 2018 +0000
+++ b/sys/netipsec/xform_esp.c  Wed May 30 17:17:11 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_esp.c,v 1.93 2018/05/30 16:49:38 maxv Exp $      */
+/*     $NetBSD: xform_esp.c,v 1.94 2018/05/30 17:17:11 maxv Exp $      */
 /*     $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $   */
 /*     $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.93 2018/05/30 16:49:38 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_esp.c,v 1.94 2018/05/30 17:17:11 maxv Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -141,25 +141,34 @@
        if (sav != NULL) {
                /*XXX not right for null algorithm--does it matter??*/
                KASSERT(sav->tdb_encalgxform != NULL);
+
+               /*
+                *   base header size
+                * + iv length for CBC mode
+                * + max pad length
+                * + sizeof(esp trailer)
+                * + icv length (if any).
+                */
                if (sav->flags & SADB_X_EXT_OLD)
                        size = sizeof(struct esp);
                else
                        size = sizeof(struct newesp);
-               size += sav->tdb_encalgxform->ivsize + 9;
+               size += sav->tdb_encalgxform->ivsize + 9 +
+                   sizeof(struct esptail);
+
                /*XXX need alg check???*/
                if (sav->tdb_authalgxform != NULL && sav->replay)
-                       size += ah_hdrsiz(sav);
+                       size += ah_authsiz(sav);
        } else {
                /*
                 *   base header size
                 * + max iv length for CBC mode
                 * + max pad length
-                * + sizeof(pad length field)
-                * + sizeof(next header field)
+                * + sizeof(esp trailer)
                 * + max icv supported.
                 */
                size = sizeof(struct newesp) + esp_max_ivlen + 9 +
-                   ah_hdrsiz(NULL);
+                   sizeof(struct esptail) + ah_authsiz(NULL);
        }
        return size;
 }
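Review bot: The ICV term is still gated on `sav->tdb_authalgxform != NULL && sav->replay`, so when an authentication algorithm is configured but replay detection is off the estimate omits the ICV entirely, even though the new comment above the computation lists "icv length (if any)" and the commit's own reasoning for the trailer (it is always emitted, so always count it) applies equally to the ICV. Unless sav->replay is guaranteed non-NULL whenever tdb_authalgxform is set, which nothing here shows, I would change the condition to `if (sav->tdb_authalgxform != NULL)` and drop the `XXX need alg check???` comment once that is settled. The `9` in both branches is explained only by the "max pad length" comment; a named constant would make the arithmetic self-describing. esp_hdrsiz's signature and the declaration of size are outside this hunk.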


