Details

Reviewers

ae
bz
mw

Group Reviewers

Contributor Reviews (src)

Summary

This patch provides support of TFC padding in ESP packets as specified by RFC 4303
Padding is added between payload and cipher padding to force packet size

To control TFC padding length, a new SADB extension structure is defined (struct sadb_x_sa_tfc_length, SADB_X_EXT_SA_TFC_LENGTH)
Received packets with TFC padding is already supported as it doesn't need any specific code

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

aurelien.cazuc.external_stormshield.eu created this revision.Nov 19 2019, 2:48 PM

Herald added a subscriber: ae. · View Herald TranscriptNov 19 2019, 2:48 PM

lwhsu added reviewers: ae, bz, Contributor Reviews (src).Nov 20 2019, 11:31 AM

ae added inline comments.Dec 2 2019, 8:14 AM

sys/net/pfkeyv2.h
304	Is there any reason not to make the length unsigned?
sys/netipsec/key.c
2958	sav is allocated with M_ZERO flag, there is no need to initialize tfc field explicitly. IMHO.
3415	I think we should not override specified value and just return error to the app here.
3572	It would be good move this adjustment into key_setnatt() and fix the style(9).
7412	Is this header really needed for SADB_EXPIRE message? Also wrong style.
sys/netipsec/keydb.h
189	the same question, why we use signed length here?

Remarks from ae

aurelien.cazuc.external_stormshield.eu added inline comments.Dec 2 2019, 9:33 AM

sys/net/pfkeyv2.h
304	I set it to signed because strongswan use -1 as magic value for "pad to MTU" It could be set to unsigned but it would need checks for -1 instead of > 0
sys/netipsec/key.c
7412	Not really, I removed it

aurelien.cazuc.external_stormshield.eu edited the summary of this revision. (Show Details)Dec 16 2019, 8:22 AM

damien.deville_stormshield.eu added a reviewer: mw.May 14 2020, 7:42 AM

Herald added a subscriber: melifaro. · View Herald TranscriptMay 14 2020, 7:42 AM

aurelien.cazuc.external_stormshield.eu planned changes to this revision.May 14 2020, 12:08 PM

Padding is now done per block of MHLEN bytes to avoid buffer overflow due to m_pad allocating at most 1 mbuf

kd added a subscriber: kd.May 26 2020, 10:25 AM

Using mbuf cluster in m_pad for long padding

Check for maximum padding size in m_pad

Fixed buffer overflow

Add ESP TFC padding support
Needs ReviewPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 72609

lib/libipsec/pfkey.c

lib/libipsec/pfkey_dump.c

sys/net/pfkeyv2.h

sys/netipsec/ipsec_mbuf.c

sys/netipsec/key.c

sys/netipsec/key_debug.c

sys/netipsec/keydb.h

sys/netipsec/xform_esp.c

Add ESP TFC padding supportNeeds ReviewPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 72609

lib/libipsec/pfkey.c

lib/libipsec/pfkey_dump.c

sys/net/pfkeyv2.h

sys/netipsec/ipsec_mbuf.c

sys/netipsec/key.c

sys/netipsec/key_debug.c

sys/netipsec/keydb.h

sys/netipsec/xform_esp.c

Add ESP TFC padding support
Needs ReviewPublic
Actions

Revision Contents
Changeset List