ipsec: allow to align IPv4 AH on 32 bits

The Linux IPv4 AH stack aligns the AH header on a 64 bit boundary
(like in IPv6). This is not RFC compliant (see RFC4302, Section
3.3.3.2.1), it should be aligned on 32 bits.

For most of the authentication algorithms, the ICV size is 96 bits.
The AH header alignment on 32 or 64 bits gives the same results.

However for SHA-256-128 for instance, the wrong 64 bit alignment results
in adding useless padding in IPv4 AH, which is forbidden by the RFC.

To avoid breaking backward compatibility, we use a new flag
(XFRM_STATE_ALIGN4) do change original behavior.

Initial patch from Dang Hongwu <hongwu.dang@6wind.com> and
Christophe Gouault <christophe.gouault@6wind.com>.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index 930fdd2de79c1182d19c95093d311f835b95285d..b93d6f5980851e5c7fe4ea1cfe11235ebada4fd3 100644 (file)
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -350,6 +350,7 @@ struct xfrm_usersa_info {
 #define XFRM_STATE_WILDRECV    8
 #define XFRM_STATE_ICMP                16
 #define XFRM_STATE_AF_UNSPEC   32
+#define XFRM_STATE_ALIGN4      64
 };
 
 struct xfrm_usersa_id {

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index b9f385da758ede5c9286c8801b5bbe28d4f2c128..1f6e8a0eb54434a300fce943777de4a8b6bd4765 100644 (file)
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -36,6 +36,7 @@
 #define XFRM_PROTO_ROUTING     IPPROTO_ROUTING
 #define XFRM_PROTO_DSTOPTS     IPPROTO_DSTOPTS
 
+#define XFRM_ALIGN4(len)       (((len) + 3) & ~3)
 #define XFRM_ALIGN8(len)       (((len) + 7) & ~7)
 #define MODULE_ALIAS_XFRM_MODE(family, encap) \
        MODULE_ALIAS("xfrm-mode-" __stringify(family) "-" __stringify(encap))

diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index 86961bec70abbdda253b68da69ba6780ece39726..325053df6e705f6a413f73f4abb9db4651ee9bb4 100644 (file)
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -201,7 +201,10 @@ static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
        top_iph->ttl = 0;
        top_iph->check = 0;
 
-       ah->hdrlen  = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
+       if (x->props.flags & XFRM_STATE_ALIGN4)
+               ah->hdrlen  = (XFRM_ALIGN4(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
+       else
+               ah->hdrlen  = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
 
        ah->reserved = 0;
        ah->spi = x->id.spi;
@@ -299,9 +302,15 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
        nexthdr = ah->nexthdr;
        ah_hlen = (ah->hdrlen + 2) << 2;
 
-       if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) &&
-           ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len))
-               goto out;
+       if (x->props.flags & XFRM_STATE_ALIGN4) {
+               if (ah_hlen != XFRM_ALIGN4(sizeof(*ah) + ahp->icv_full_len) &&
+                   ah_hlen != XFRM_ALIGN4(sizeof(*ah) + ahp->icv_trunc_len))
+                       goto out;
+       } else {
+               if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) &&
+                   ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len))
+                       goto out;
+       }
 
        if (!pskb_may_pull(skb, ah_hlen))
                goto out;
@@ -450,8 +459,12 @@ static int ah_init_state(struct xfrm_state *x)
 
        BUG_ON(ahp->icv_trunc_len > MAX_AH_AUTH_LEN);
 
-       x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
-                                         ahp->icv_trunc_len);
+       if (x->props.flags & XFRM_STATE_ALIGN4)
+               x->props.header_len = XFRM_ALIGN4(sizeof(struct ip_auth_hdr) +
+                                                 ahp->icv_trunc_len);
+       else
+               x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
+                                                 ahp->icv_trunc_len);
        if (x->props.mode == XFRM_MODE_TUNNEL)
                x->props.header_len += sizeof(struct iphdr);
        x->data = ahp;