svn commit: r242330 - user/andre/tcp_workqueue/sys/netipsec

Andre Oppermann andre at FreeBSD.org
Mon Oct 29 21:48:25 UTC 2012


Author: andre
Date: Mon Oct 29 21:48:24 2012
New Revision: 242330
URL: http://svn.freebsd.org/changeset/base/242330

Log:
  Remove support for really old RFC1827 ESP protocol version.  It was
  obsoleted in 1998 by RFC2406, which in turn has been obsoleted in
  2005 by RFC4303.  The RFC1827 header has no sequence number
  field, so the old format offers no protection against replay attacks.
  
  Also rename the ESP header from struct esp into struct ipsec_esp.

Modified:
  user/andre/tcp_workqueue/sys/netipsec/esp.h
  user/andre/tcp_workqueue/sys/netipsec/ipsec_input.c
  user/andre/tcp_workqueue/sys/netipsec/xform_ah.c
  user/andre/tcp_workqueue/sys/netipsec/xform_esp.c

Modified: user/andre/tcp_workqueue/sys/netipsec/esp.h
==============================================================================
--- user/andre/tcp_workqueue/sys/netipsec/esp.h	Mon Oct 29 21:11:37 2012	(r242329)
+++ user/andre/tcp_workqueue/sys/netipsec/esp.h	Mon Oct 29 21:48:24 2012	(r242330)
@@ -37,18 +37,7 @@
 #ifndef _NETIPSEC_ESP_H_
 #define _NETIPSEC_ESP_H_
 
-struct esp {
-	u_int32_t	esp_spi;	/* ESP */
-	/*variable size, 32bit bound*/	/* Initialization Vector */
-	/*variable size*/		/* Payload data */
-	/*variable size*/		/* padding */
-	/*8bit*/			/* pad size */
-	/*8bit*/			/* next header */
-	/*8bit*/			/* next header */
-	/*variable size, 32bit bound*/	/* Authentication data (new IPsec) */
-};
-
-struct newesp {
+struct ipsec_esp {
 	u_int32_t	esp_spi;	/* ESP */
 	u_int32_t	esp_seq;	/* Sequence number */
 	/*variable size*/		/* (IV and) Payload data */

Modified: user/andre/tcp_workqueue/sys/netipsec/ipsec_input.c
==============================================================================
--- user/andre/tcp_workqueue/sys/netipsec/ipsec_input.c	Mon Oct 29 21:11:37 2012	(r242329)
+++ user/andre/tcp_workqueue/sys/netipsec/ipsec_input.c	Mon Oct 29 21:48:24 2012	(r242330)
@@ -861,9 +861,9 @@ esp6_ctlinput(int cmd, struct sockaddr *
 			int valid;
 
 			/* check header length before using m_copydata */
-			if (m->m_pkthdr.len < off + sizeof (struct esp))
+			if (m->m_pkthdr.len < off + sizeof (struct ipsec_esp))
 				return;
-			m_copydata(m, off + offsetof(struct esp, esp_spi),
+			m_copydata(m, off + offsetof(struct ipsec_esp, esp_spi),
 				sizeof(u_int32_t), (caddr_t) &spi);
 			/*
 			 * Check to see if we have a valid SA corresponding to
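Review bot: The guard `if (m->m_pkthdr.len < off + sizeof (struct ipsec_esp))` now requires 8 bytes of ESP header in the quoted packet although the next line copies only the 4-byte SPI; with the 4-byte `struct esp` gone this silently tightens what an ICMPv6 error must quote, which the commit log does not mention. If the intent is only to make the m_copydata safe, bound the check by what is actually read: `if (m->m_pkthdr.len < off + offsetof(struct ipsec_esp, esp_spi) + sizeof(u_int32_t))`. Note also that the comparison promotes the `int` left-hand side to `size_t`, so a negative `off` would pass; presumably `off` is validated earlier in the function, which begins and continues outside the hunk — worth confirming.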

Modified: user/andre/tcp_workqueue/sys/netipsec/xform_ah.c
==============================================================================
--- user/andre/tcp_workqueue/sys/netipsec/xform_ah.c	Mon Oct 29 21:11:37 2012	(r242329)
+++ user/andre/tcp_workqueue/sys/netipsec/xform_ah.c	Mon Oct 29 21:48:24 2012	(r242330)
@@ -99,9 +99,6 @@ ah_authsize(struct secasvar *sav)
 
 	IPSEC_ASSERT(sav != NULL, ("%s: sav == NULL", __func__));
 
-	if (sav->flags & SADB_X_EXT_OLD)
-		return 16;
-
 	switch (sav->alg_auth) {
 	case SADB_X_AALG_SHA2_256:
 		return 16;
@@ -185,11 +182,9 @@ ah_init0(struct secasvar *sav, struct xf
 	 * later during protocol processing.
 	 */
 	/* NB: replay state is setup elsewhere (sigh) */
-	if (((sav->flags&SADB_X_EXT_OLD) == 0) ^ (sav->replay != NULL)) {
-		DPRINTF(("%s: replay state block inconsistency, "
-			"%s algorithm %s replay state\n", __func__,
-			(sav->flags & SADB_X_EXT_OLD) ? "old" : "new",
-			sav->replay == NULL ? "without" : "with"));
+	if (sav->replay == NULL) {
+		DPRINTF(("%s: replay state block inconsistency\n",
+			 __func__));
 		return EINVAL;
 	}
 	if (sav->key_auth == NULL) {
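Review bot: With the SADB_X_EXT_OLD branch removed, an SA whose flags carry that bit (it comes from the PF_KEY SA message, not visible here) is no longer detected in ah_init0 and is silently processed with the new-style header layout and the replay window instead of the old format the requester asked for; the commit removes the support but adds no rejection. Reject it explicitly before the replay check so legacy configurations fail loudly: `if (sav->flags & SADB_X_EXT_OLD) { DPRINTF(("%s: old-style AH no longer supported\n", __func__)); return EINVAL; }`. Separately, the retained message `"replay state block inconsistency"` no longer describes the condition, which is now simply `sav->replay == NULL`; `"missing replay state block"` says what happened. ah_init0 begins and continues outside the hunk.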

Modified: user/andre/tcp_workqueue/sys/netipsec/xform_esp.c
==============================================================================
--- user/andre/tcp_workqueue/sys/netipsec/xform_esp.c	Mon Oct 29 21:11:37 2012	(r242329)
+++ user/andre/tcp_workqueue/sys/netipsec/xform_esp.c	Mon Oct 29 21:48:24 2012	(r242330)
@@ -127,10 +127,7 @@ esp_hdrsiz(struct secasvar *sav)
 		/*XXX not right for null algorithm--does it matter??*/
 		IPSEC_ASSERT(sav->tdb_encalgxform != NULL,
 			("SA with null xform"));
-		if (sav->flags & SADB_X_EXT_OLD)
-			size = sizeof (struct esp);
-		else
-			size = sizeof (struct newesp);
+		size = sizeof (struct ipsec_esp);
 		size += sav->tdb_encalgxform->blocksize + 9;
 		/*XXX need alg check???*/
 		if (sav->tdb_authalgxform != NULL && sav->replay)
@@ -144,7 +141,7 @@ esp_hdrsiz(struct secasvar *sav)
 		 * + sizeof (next header field)
 		 * + max icv supported.
 		 */
-		size = sizeof (struct newesp) + EALG_MAX_BLOCK_LEN + 9 + 16;
+		size = sizeof (struct ipsec_esp) + EALG_MAX_BLOCK_LEN + 9 + 16;
 	}
 	return size;
 }
@@ -171,7 +168,7 @@ esp_init(struct secasvar *sav, struct xf
 			 __func__, txform->name));
 		return EINVAL;
 	}
-	if ((sav->flags&(SADB_X_EXT_OLD|SADB_X_EXT_IV4B)) == SADB_X_EXT_IV4B) {
+	if ((sav->flags & SADB_X_EXT_IV4B) == SADB_X_EXT_IV4B) {
 		DPRINTF(("%s: 4-byte IV not supported with protocol\n",
 			__func__));
 		return EINVAL;
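Review bot: esp_init still validates only SADB_X_EXT_IV4B, so now that SADB_X_EXT_OLD is ignored throughout this file an SA carrying that flag is accepted and encoded with the RFC 4303 header rather than the RFC 1827 one that was requested; a peer expecting the old format will fail to interoperate with no diagnostic. Reject the flag here so the misconfiguration surfaces as an error: `if (sav->flags & SADB_X_EXT_OLD) { DPRINTF(("%s: RFC1827 ESP no longer supported\n", __func__)); return EINVAL; }`. As a point of style, the single-bit test on the new line reads more simply as `if (sav->flags & SADB_X_EXT_IV4B) {`, which computes the same condition. esp_init begins and continues outside the hunk.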
@@ -267,7 +264,7 @@ esp_input(struct mbuf *m, struct secasva
 	struct tdb_crypto *tc;
 	int plen, alen, hlen;
 	struct m_tag *mtag;
-	struct newesp *esp;
+	struct ipsec_esp *esp;
 
 	struct cryptodesc *crde;
 	struct cryptop *crp;
@@ -285,16 +282,13 @@ esp_input(struct mbuf *m, struct secasva
 	}
 
 	/* XXX don't pullup, just copy header */
-	IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp));
+	IP6_EXTHDR_GET(esp, struct ipsec_esp *, m, skip, sizeof (struct ipsec_esp));
 
 	esph = sav->tdb_authalgxform;
 	espx = sav->tdb_encalgxform;
 
 	/* Determine the ESP header length */
-	if (sav->flags & SADB_X_EXT_OLD)
-		hlen = sizeof (struct esp) + sav->ivlen;
-	else
-		hlen = sizeof (struct newesp) + sav->ivlen;
+	hlen = sizeof (struct ipsec_esp) + sav->ivlen;
 	/* Authenticator hash size */
 	if (esph != NULL) {
 		switch (esph->type) {
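Review bot: Nothing after `IP6_EXTHDR_GET(esp, struct ipsec_esp *, m, skip, sizeof (struct ipsec_esp));` checks that `esp` came back non-NULL; the macro is defined outside SOURCE, but on FreeBSD it yields NULL when the chain cannot supply the requested header, and esp_input continues past the hunk where the pointer is presumably used. Add the guard ah_input-style immediately after the macro: `if (esp == NULL) { DPRINTF(("%s: cannot pullup header\n", __func__)); return ENOBUFS; }`, and confirm against the macro's failure contract whether `m` has already been released at that point. esp_input begins and continues outside the hunk.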
@@ -564,7 +558,7 @@ esp_input_cb(struct cryptop *crp)
 	if (sav->replay) {
 		u_int32_t seq;
 
-		m_copydata(m, skip + offsetof(struct newesp, esp_seq),
+		m_copydata(m, skip + offsetof(struct ipsec_esp, esp_seq),
 			   sizeof (seq), (caddr_t) &seq);
 		if (ipsec_updatereplay(ntohl(seq), sav)) {
 			DPRINTF(("%s: packet replay check for %s\n", __func__,
@@ -576,10 +570,7 @@ esp_input_cb(struct cryptop *crp)
 	}
 
 	/* Determine the ESP header length */
-	if (sav->flags & SADB_X_EXT_OLD)
-		hlen = sizeof (struct esp) + sav->ivlen;
-	else
-		hlen = sizeof (struct newesp) + sav->ivlen;
+	hlen = sizeof (struct ipsec_esp) + sav->ivlen;
 
 	/* Remove the ESP header and IV from the mbuf. */
 	error = m_striphdr(m, skip, hlen);
@@ -687,10 +678,7 @@ esp_output(
 	espx = sav->tdb_encalgxform;
 	IPSEC_ASSERT(espx != NULL, ("null encoding xform"));
 
-	if (sav->flags & SADB_X_EXT_OLD)
-		hlen = sizeof (struct esp) + sav->ivlen;
-	else
-		hlen = sizeof (struct newesp) + sav->ivlen;
+	hlen = sizeof (struct ipsec_esp) + sav->ivlen;
 
 	rlen = m->m_pkthdr.len - skip;	/* Raw payload length. */
 	/*

