archive mirror
 help / color / mirror / Atom feed
Subject: PATCH: IPSec not using padding when Null Encryption
Date: Thu, 27 Feb 2003 15:29:19 -0600	[thread overview]
Message-ID: <> (raw)


When using the Null Encryption algorithm, the ESP packet is
not on a 4-byte boundary. That is, the ciphertext, pad-length and
next-header fields are not right aligned on a 4-byte boundary and
no padding is used to ensure it.

RFC 2406, section 2.4 states irrespective of encryption algorithm
requirements,  padding may be required to ensure that
resulting ciphertext terminates on a 4-byte boundary. Specifically,
the Pad Length and Next Header fields must be right aligned within
a 4-byte word to ensure that the Authentication Data field (if present)
is aligned on a 4-byte boundary.

Ok, anyway, this fix just pretty much makes sure that
when Null Encryption or any algorithm with a blocksize less
than 4 is used, that the ciphertext, any padding, and next-header
and pad-length fields terminate on a 4-byte boundary.
I have tested it. Please let me know if all is well. 

--- esp.c.orig	2003-02-20 16:07:59.000000000 -0600
+++ esp.c	2003-02-27 10:30:25.000000000 -0600
@@ -360,7 +360,7 @@
 	esp = x->data;
 	alen = esp->auth.icv_trunc_len;
 	tfm = esp->conf.tfm;
-	blksize = crypto_tfm_alg_blocksize(tfm);
+	blksize = (crypto_tfm_alg_blocksize(tfm) + 3) & ~3;
 	clen = (clen + 2 + blksize-1)&~(blksize-1);
 	if (esp->conf.padlen)
 		clen = (clen + esp->conf.padlen-1)&~(esp->conf.padlen-1);

             reply	other threads:[~2003-02-27 21:20 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-02-27 21:29 latten [this message]
2003-02-28  1:01 ` James Morris
2003-03-03  9:28 ` David S. Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \
    --subject='Re: PATCH: IPSec not using padding when Null Encryption' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).