linux-kernel.vger.kernel.org archive mirror
* PATCH: IPSec not using padding when Null Encryption
@ 2003-02-27 21:29 latten
  2003-02-28  1:01 ` James Morris
  2003-03-03  9:28 ` David S. Miller
  0 siblings, 2 replies; 3+ messages in thread
From: latten @ 2003-02-27 21:29 UTC (permalink / raw)
  To: davem, kuznet, linux-kernel, netdev

Hi,

When using the Null Encryption algorithm, the ESP packet is
not on a 4-byte boundary. That is, the ciphertext, pad-length and
next-header fields are not right aligned on a 4-byte boundary and
no padding is used to ensure it.

RFC 2406, section 2.4 states irrespective of encryption algorithm
requirements,  padding may be required to ensure that
resulting ciphertext terminates on a 4-byte boundary. Specifically,
the Pad Length and Next Header fields must be right aligned within
a 4-byte word to ensure that the Authentication Data field (if present)
is aligned on a 4-byte boundary.

Ok, anyway, this fix just pretty much makes sure that
when Null Encryption or any algorithm with a blocksize less
than 4 is used, that the ciphertext, any padding, and next-header
and pad-length fields terminate on a 4-byte boundary.
I have tested it. Please let me know if all is well. 

Thanks,
Joy
 
--- esp.c.orig	2003-02-20 16:07:59.000000000 -0600
+++ esp.c	2003-02-27 10:30:25.000000000 -0600
@@ -360,7 +360,7 @@
 	esp = x->data;
 	alen = esp->auth.icv_trunc_len;
 	tfm = esp->conf.tfm;
-	blksize = crypto_tfm_alg_blocksize(tfm);
+	blksize = (crypto_tfm_alg_blocksize(tfm) + 3) & ~3;
 	clen = (clen + 2 + blksize-1)&~(blksize-1);
 	if (esp->conf.padlen)
 		clen = (clen + esp->conf.padlen-1)&~(esp->conf.padlen-1);
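
Review bot: The unchanged round-up on the following line, `clen = (clen + 2 + blksize-1)&~(blksize-1);`, is only correct when blksize is a power of two, while the new `(crypto_tfm_alg_blocksize(tfm) + 3) & ~3` guarantees a multiple of 4, not a power of two (a block size of 9 to 12 would yield 12). Since the message says the goal is to cover block sizes smaller than 4, consider clamping the value to a minimum of 4 instead of rounding it, or add a comment stating that block sizes are assumed to be powers of two.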

^ permalink raw reply	[flat|nested] 3+ messages in thread
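
The alignment rule described in the message above, worked through as an added example; it is not part of the original post and is not the kernel's esp.c. The function names (esp_align, esp_pad_len, esp_add_trailer) and the sample payload are hypothetical, and the padding bytes use the RFC 2406 default sequence 1, 2, 3, ...

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Cipher block size rounded up to a multiple of 4, as in the patch.
 * Assumes the result is a power of two (block sizes 1, 8, 16). */
static size_t esp_align(size_t cipher_blocksize)
{
    return (cipher_blocksize + 3) & ~(size_t)3;
}

/* Padding bytes so that payload + padding + Pad Length + Next Header
 * (one byte each) ends on an `align` boundary. */
static size_t esp_pad_len(size_t payload_len, size_t align)
{
    size_t clen = (payload_len + 2 + align - 1) & ~(align - 1);
    return clen - payload_len - 2;
}

/* Append the ESP trailer to the payload already in buf. Returns the
 * payload-plus-trailer length, or 0 if it does not fit. */
static size_t esp_add_trailer(uint8_t *buf, size_t buf_size, size_t payload_len,
                              size_t cipher_blocksize, uint8_t next_header)
{
    if (payload_len > buf_size)
        return 0;
    size_t pad = esp_pad_len(payload_len, esp_align(cipher_blocksize));
    size_t total = payload_len + pad + 2;
    if (pad > 255 || total > buf_size)
        return 0;
    for (size_t i = 0; i < pad; i++)
        buf[payload_len + i] = (uint8_t)(i + 1); /* RFC 2406 default: 1, 2, 3, ... */
    buf[total - 2] = (uint8_t)pad;   /* Pad Length */
    buf[total - 1] = next_header;    /* Next Header */
    return total;
}

int main(void)
{
    uint8_t buf[64] = { 'h', 'e', 'l', 'l', 'o' }; /* constructed 5-byte payload */
    size_t n = esp_add_trailer(buf, sizeof(buf), 5, 1, 6); /* block size 1, TCP */
    printf("unaligned length: %zu, aligned length: %zu\n",
           5 + esp_pad_len(5, 1) + 2, n);
    return 0;
}
```

With a block size of 1 and no rounding, the 5-byte payload plus trailer is 7 bytes, so any Authentication Data that follows starts off a 4-byte boundary; with the rounded alignment it is 8 bytes.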

* Re: PATCH: IPSec not using padding when Null Encryption
  2003-02-27 21:29 PATCH: IPSec not using padding when Null Encryption latten
@ 2003-02-28  1:01 ` James Morris
  2003-03-03  9:28 ` David S. Miller
  1 sibling, 0 replies; 3+ messages in thread
From: James Morris @ 2003-02-28  1:01 UTC (permalink / raw)
  To: latten; +Cc: davem, kuznet, linux-kernel, netdev

On Thu, 27 Feb 2003 latten@austin.ibm.com wrote:

> I have tested it. Please let me know if all is well. 

Looks fine to me.

(Perhaps change the name of the blksize variable to padto or similar, in 
case someone later thinks it's the real block size).

> --- esp.c.orig	2003-02-20 16:07:59.000000000 -0600
> +++ esp.c	2003-02-27 10:30:25.000000000 -0600
> @@ -360,7 +360,7 @@
>  	esp = x->data;
>  	alen = esp->auth.icv_trunc_len;
>  	tfm = esp->conf.tfm;
> -	blksize = crypto_tfm_alg_blocksize(tfm);
> +	blksize = (crypto_tfm_alg_blocksize(tfm) + 3) & ~3;
>  	clen = (clen + 2 + blksize-1)&~(blksize-1);
>  	if (esp->conf.padlen)
>  		clen = (clen + esp->conf.padlen-1)&~(esp->conf.padlen-1);
> 
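
Review bot: The changed line `blksize = (crypto_tfm_alg_blocksize(tfm) + 3) & ~3;` has no comment saying why the value is rounded up to a multiple of 4. A one-line comment pointing at the RFC 2406 section 2.4 alignment requirement (Pad Length and Next Header right aligned within a 4-byte word) would keep a later cleanup from restoring the plain block size, and it fits with the rename suggested above.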

-- 
James Morris
<jmorris@intercode.com.au>



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: PATCH: IPSec not using padding when Null Encryption
  2003-02-27 21:29 PATCH: IPSec not using padding when Null Encryption latten
  2003-02-28  1:01 ` James Morris
@ 2003-03-03  9:28 ` David S. Miller
  1 sibling, 0 replies; 3+ messages in thread
From: David S. Miller @ 2003-03-03  9:28 UTC (permalink / raw)
  To: latten; +Cc: kuznet, linux-kernel, netdev

   From: latten@austin.ibm.com
   Date: Thu, 27 Feb 2003 15:29:19 -0600
   
   Ok, anyway, this fix just pretty much makes sure that
   when Null Encryption or any algorithm with a blocksize less
   than 4 is used, that the ciphertext, any padding, and next-header
   and pad-length fields terminate on a 4-byte boundary.
   I have tested it. Please let me know if all is well. 

Applied, thanks.

^ permalink raw reply	[flat|nested] 3+ messages in thread
