Skip to content

Commit eaa6bec

Browse files
committed
esp: remove iv_len from esp_sa struct.
1 parent 3985096 commit eaa6bec

3 files changed

Lines changed: 61 additions & 40 deletions

File tree

src/test/esp_sa_list.c

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,6 @@ static struct wolfIP_esp_sa test_in_sa_list[WOLFIP_ESP_NUM_SA] =
88
0x010A0A0A, /* src */
99
0x020A0A0A, /* dst */
1010
0,0, /* oseq, seq */
11-
0, /* iv len */
1211
0, {0}, 0, /* null enc */
1312
ESP_AUTH_SHA256_RFC4868,
1413
{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
@@ -22,7 +21,6 @@ static struct wolfIP_esp_sa test_in_sa_list[WOLFIP_ESP_NUM_SA] =
2221
0x010A0A0A, /* src */
2322
0x020A0A0A, /* dst */
2423
0,0, /* oseq, seq */
25-
ESP_CBC_RFC3602_IV_LEN, /* iv len */
2624
ESP_ENC_CBC_AES,
2725
{0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
2826
0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03},
@@ -39,7 +37,6 @@ static struct wolfIP_esp_sa test_in_sa_list[WOLFIP_ESP_NUM_SA] =
3937
0x010A0A0A, /* src */
4038
0x020A0A0A, /* dst */
4139
0,0, /* oseq, seq */
42-
ESP_GCM_RFC4106_IV_LEN, /* iv len */
4340
ESP_ENC_GCM_RFC4106,
4441
{0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
4542
0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
@@ -61,7 +58,6 @@ static struct wolfIP_esp_sa test_out_sa_list[WOLFIP_ESP_NUM_SA] =
6158
0x020A0A0A, /* src */
6259
0x030A0A0A, /* dst */
6360
0,0, /* oseq, seq */
64-
0, /* iv len */
6561
0, {0}, 0, /* null enc */
6662
ESP_AUTH_SHA256_RFC4868,
6763
{0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
@@ -75,7 +71,6 @@ static struct wolfIP_esp_sa test_out_sa_list[WOLFIP_ESP_NUM_SA] =
7571
0x020A0A0A, /* src */
7672
0x030A0A0A, /* dst */
7773
0,0, /* oseq, seq */
78-
ESP_CBC_RFC3602_IV_LEN, /* iv len */
7974
ESP_ENC_CBC_AES,
8075
{0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
8176
0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04},
@@ -93,7 +88,6 @@ static struct wolfIP_esp_sa test_out_sa_list[WOLFIP_ESP_NUM_SA] =
9388
0x020A0A0A, /* src */
9489
0x010A0A0A, /* dst */
9590
0,0, /* oseq, seq */
96-
ESP_GCM_RFC4106_IV_LEN, /* iv len */
9791
ESP_ENC_GCM_RFC4106,
9892
{0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
9993
0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,

src/wolfesp.c

Lines changed: 61 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -2,9 +2,14 @@
22
#define WOLFESP_SRC
33

44
#include "wolfesp.h"
5+
static uint8_t esp_iv_len_from_enc(esp_enc_t enc);
56

6-
static WC_RNG wc_rng;
7-
static volatile int rng_inited = 0;
7+
static WC_RNG wc_rng;
8+
static volatile int rng_inited = 0;
9+
static struct wolfIP_esp_sa * in_sa_list = NULL;
10+
static struct wolfIP_esp_sa * out_sa_list = NULL;
11+
static uint16_t in_sa_num = 0;
12+
static uint16_t out_sa_num = 0;
813

914
int
1015
wolfIP_esp_init(void)
@@ -25,11 +30,6 @@ wolfIP_esp_init(void)
2530
return err;
2631
}
2732

28-
static struct wolfIP_esp_sa * in_sa_list = NULL;
29-
static struct wolfIP_esp_sa * out_sa_list = NULL;
30-
static uint16_t in_sa_num = 0;
31-
static uint16_t out_sa_num = 0;
32-
3333
void
3434
wolfIP_esp_load_sa_list(struct wolfIP_esp_sa * sa_list, uint16_t num, int in)
3535
{
@@ -111,15 +111,18 @@ static void wolfIP_print_esp(const struct wolfIP_esp_sa * esp_sa,
111111
const uint8_t * payload = esp_data + ESP_SPI_LEN + ESP_SEQ_LEN;
112112
const uint8_t * iv = NULL;
113113
const uint8_t * icv = NULL;
114+
uint8_t iv_len = 0;
114115
const uint8_t * padding = NULL;
115116
uint32_t payload_len = esp_len - ESP_SPI_LEN - ESP_SEQ_LEN
116117
- pad_len - ESP_PADDING_LEN
117118
- ESP_NEXT_HEADER_LEN ;
118119

119-
if (esp_sa->iv_len) {
120+
iv_len = esp_iv_len_from_enc(esp_sa->enc);
121+
122+
if (iv_len) {
120123
iv = payload;
121-
payload += esp_sa->iv_len;
122-
payload_len -= esp_sa->iv_len;
124+
payload += iv_len;
125+
payload_len -= iv_len;
123126
}
124127

125128
if (esp_sa->icv_len) {
@@ -143,7 +146,7 @@ static void wolfIP_print_esp(const struct wolfIP_esp_sa * esp_sa,
143146
* ESP payload (includes IV).
144147
* */
145148
if (iv) {
146-
esp_print_field("iv", iv, esp_sa->iv_len);
149+
esp_print_field("iv", iv, iv_len);
147150
}
148151

149152
esp_print_field("payload", payload, payload_len);
@@ -194,6 +197,30 @@ esp_block_len_from_enc(esp_enc_t enc)
194197
return block_len;
195198
}
196199

200+
static uint8_t
201+
esp_iv_len_from_enc(esp_enc_t enc)
202+
{
203+
uint8_t iv_len = 0;
204+
205+
switch (enc) {
206+
case ESP_ENC_CBC_AES:
207+
iv_len = ESP_CBC_RFC3602_IV_LEN;
208+
break;
209+
210+
case ESP_ENC_GCM_RFC4106:
211+
case ESP_ENC_GCM_RFC4543:
212+
iv_len = ESP_GCM_RFC4106_IV_LEN;
213+
break;
214+
215+
case ESP_ENC_NONE:
216+
default:
217+
iv_len = 0;
218+
break;
219+
}
220+
221+
return iv_len;
222+
}
223+
197224
/*
198225
* esp_data covers from start of ESP header to end of ESP trailer, but does not
199226
* include the ESP ICV after trailer.
@@ -311,7 +338,7 @@ esp_aes_rfc3602_dec(const struct wolfIP_esp_sa * esp_sa, uint8_t * esp_data,
311338
Aes cbc_dec;
312339
int ret = -1;
313340
uint8_t icv_len = esp_sa->icv_len;
314-
uint8_t iv_len = esp_sa->iv_len;
341+
uint8_t iv_len = ESP_CBC_RFC3602_IV_LEN;
315342
uint8_t * enc_payload = NULL;
316343
uint8_t * iv = NULL;
317344
uint16_t enc_len = 0;
@@ -365,7 +392,7 @@ esp_aes_rfc3602_enc(const struct wolfIP_esp_sa * esp_sa, uint8_t * esp_data,
365392
Aes cbc_enc;
366393
int ret = -1;
367394
uint8_t icv_len = esp_sa->icv_len;
368-
uint8_t iv_len = esp_sa->iv_len;
395+
uint8_t iv_len = ESP_CBC_RFC3602_IV_LEN;
369396
uint8_t * enc_payload = NULL;
370397
uint8_t * iv = NULL;
371398
uint16_t enc_len = 0;
@@ -437,7 +464,7 @@ esp_aes_rfc4106_dec(const struct wolfIP_esp_sa * esp_sa, uint8_t * esp_data,
437464
int err = -1;
438465
uint8_t * icv = NULL;
439466
uint8_t icv_len = esp_sa->icv_len;
440-
uint8_t iv_len = esp_sa->iv_len;
467+
uint8_t iv_len = ESP_GCM_RFC4106_IV_LEN;
441468
uint8_t * enc_payload = NULL;
442469
uint8_t * iv = NULL;
443470
uint16_t enc_len = 0;
@@ -514,7 +541,7 @@ esp_aes_rfc4106_enc(const struct wolfIP_esp_sa * esp_sa, uint8_t * esp_data,
514541
int err = -1;
515542
uint8_t * icv = NULL;
516543
uint8_t icv_len = esp_sa->icv_len;
517-
uint8_t iv_len = esp_sa->iv_len;
544+
uint8_t iv_len = ESP_GCM_RFC4106_IV_LEN;
518545
uint8_t * enc_payload = NULL;
519546
uint8_t * iv = NULL;
520547
uint16_t enc_len = 0;
@@ -674,6 +701,7 @@ esp_transport_unwrap(struct wolfIP *s, struct wolfIP_ip_packet *ip,
674701
uint32_t esp_len = 0;
675702
uint8_t pad_len = 0;
676703
uint8_t nxt_hdr = 0;
704+
uint8_t iv_len = 0;
677705

678706
memset(spi, 0, sizeof(spi));
679707

@@ -722,11 +750,13 @@ esp_transport_unwrap(struct wolfIP *s, struct wolfIP_ip_packet *ip,
722750
return -1;
723751
}
724752

753+
iv_len = esp_iv_len_from_enc(esp_sa->enc);
754+
725755
{
726756
/* calculate min expected length based on the security association. */
727757
uint32_t min_len = 0;
728758

729-
min_len = (ESP_SPI_LEN + ESP_SEQ_LEN + esp_sa->iv_len +
759+
min_len = (ESP_SPI_LEN + ESP_SEQ_LEN + iv_len +
730760
ESP_PADDING_LEN + ESP_NEXT_HEADER_LEN + esp_sa->icv_len);
731761

732762
if (esp_len < min_len) {
@@ -761,7 +791,7 @@ esp_transport_unwrap(struct wolfIP *s, struct wolfIP_ip_packet *ip,
761791
}
762792
}
763793

764-
if (esp_sa->iv_len != 0) {
794+
if (iv_len != 0) {
765795
/* Decrypt the payload in place. */
766796
int err = -1;
767797

@@ -800,12 +830,12 @@ esp_transport_unwrap(struct wolfIP *s, struct wolfIP_ip_packet *ip,
800830
#endif /* WOLFIP_DEBUG_ESP */
801831

802832
/* move ip payload forward to hide ESP header (SPI, SEQ, IV). */
803-
memmove(ip->data, ip->data + ESP_SPI_LEN + ESP_SEQ_LEN + esp_sa->iv_len,
804-
esp_len - (ESP_SPI_LEN + ESP_SEQ_LEN + esp_sa->iv_len));
833+
memmove(ip->data, ip->data + ESP_SPI_LEN + ESP_SEQ_LEN + iv_len,
834+
esp_len - (ESP_SPI_LEN + ESP_SEQ_LEN + iv_len));
805835

806836
/* subtract ESP header from frame_len and ip.len. */
807-
*frame_len = *frame_len - (esp_sa->iv_len + ESP_SPI_LEN + ESP_SEQ_LEN);
808-
ip->len = ee16(ip->len) - (esp_sa->iv_len + ESP_SPI_LEN + ESP_SEQ_LEN);
837+
*frame_len = *frame_len - (iv_len + ESP_SPI_LEN + ESP_SEQ_LEN);
838+
ip->len = ee16(ip->len) - (iv_len + ESP_SPI_LEN + ESP_SEQ_LEN);
809839

810840
/* subtract ESP trailer from frame_len and ip.len. */
811841
*frame_len = *frame_len - (pad_len + ESP_PADDING_LEN +
@@ -856,6 +886,7 @@ esp_transport_wrap(struct wolfIP_ip_packet *ip, uint16_t * ip_len)
856886
uint32_t seq_n = 0; /* sequence num in network order */
857887
uint16_t icv_offset = 0;
858888
struct wolfIP_esp_sa * esp_sa = NULL;
889+
uint8_t iv_len = 0;
859890

860891
/* TODO: priority, tcp/udp port-filtering? currently this grabs
861892
* the first dst match. */
@@ -881,13 +912,10 @@ esp_transport_wrap(struct wolfIP_ip_packet *ip, uint16_t * ip_len)
881912
return 0;
882913
}
883914

884-
#if 0
885-
/* return early, do nothing. */
886-
return 0;
887-
#endif
915+
iv_len = esp_iv_len_from_enc(esp_sa->enc);
888916

889917
/* move ip payload back to make room for ESP header (SPI, SEQ) + IV. */
890-
memmove(ip->data + ESP_SPI_LEN + ESP_SEQ_LEN + esp_sa->iv_len,
918+
memmove(ip->data + ESP_SPI_LEN + ESP_SEQ_LEN + iv_len,
891919
ip->data, orig_payload_len);
892920

893921
/* Copy in SPI and sequence number fields. */
@@ -899,9 +927,9 @@ esp_transport_wrap(struct wolfIP_ip_packet *ip, uint16_t * ip_len)
899927
memcpy(payload, &seq_n, sizeof(seq_n));
900928
payload += ESP_SEQ_LEN;
901929

902-
if (esp_sa->iv_len) {
930+
if (iv_len) {
903931
/* skip iv field, will generate later. */
904-
payload += esp_sa->iv_len;
932+
payload += iv_len;
905933
}
906934

907935
block_len = esp_block_len_from_enc(esp_sa->enc);
@@ -910,7 +938,7 @@ esp_transport_wrap(struct wolfIP_ip_packet *ip, uint16_t * ip_len)
910938
/* Block cipher. Calculate padding and encrypted length, then
911939
* icv_offset. */
912940
uint32_t enc_len = 0;
913-
enc_len = esp_sa->iv_len + orig_payload_len + pad_len
941+
enc_len = iv_len + orig_payload_len + pad_len
914942
+ ESP_PADDING_LEN + ESP_NEXT_HEADER_LEN;
915943

916944
/* Determine padding. This needs to be flexible for
@@ -919,13 +947,13 @@ esp_transport_wrap(struct wolfIP_ip_packet *ip, uint16_t * ip_len)
919947
pad_len = block_len - (enc_len % block_len);
920948
}
921949

922-
icv_offset = ESP_SPI_LEN + ESP_SEQ_LEN + esp_sa->iv_len
950+
icv_offset = ESP_SPI_LEN + ESP_SEQ_LEN + iv_len
923951
+ orig_payload_len + pad_len + ESP_PADDING_LEN
924952
+ ESP_NEXT_HEADER_LEN;
925953
}
926954
else {
927955
/* Stream cipher or auth-only. Calculate the icv offset directly. */
928-
icv_offset = ESP_SPI_LEN + ESP_SEQ_LEN + esp_sa->iv_len
956+
icv_offset = ESP_SPI_LEN + ESP_SEQ_LEN + iv_len
929957
+ orig_payload_len + pad_len + ESP_PADDING_LEN
930958
+ ESP_NEXT_HEADER_LEN;
931959

@@ -957,12 +985,12 @@ esp_transport_wrap(struct wolfIP_ip_packet *ip, uint16_t * ip_len)
957985

958986
/* calculate final esp payload length. */
959987
payload_len = orig_ip_len - IP_HEADER_LEN;
960-
payload_len += ESP_SPI_LEN + ESP_SEQ_LEN + esp_sa->iv_len +
988+
payload_len += ESP_SPI_LEN + ESP_SEQ_LEN + iv_len +
961989
pad_len + ESP_PADDING_LEN + ESP_NEXT_HEADER_LEN +
962990
esp_sa->icv_len;
963991

964992
/* encrypt from payload to end of ESP trailer. */
965-
if (esp_sa->iv_len) {
993+
if (iv_len) {
966994
int err = -1;
967995

968996
switch(esp_sa->enc) {

wolfesp.h

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,6 @@ struct wolfIP_esp_sa {
4747
ip4 dst;
4848
uint32_t oseq; /* outbound sequence number */
4949
uint32_t seq; /* inbound sequence number */
50-
uint8_t iv_len;
5150
esp_enc_t enc;
5251
uint8_t enc_key[ESP_MAX_KEY_LEN + ESP_GCM_RFC4106_SALT_LEN];
5352
uint8_t enc_key_len;

0 commit comments

Comments
 (0)