esp4: Use high-order sequence number bits for IV generation
I noticed we were only using the low-order bits for IV generation
when ESN is enabled.  This is very bad because it means that the
IV can repeat.  We must use the full 64 bits.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Herbert Xu authored and Steffen Klassert committed May 13, 2015
1 parent bdddbf6 commit 64aa423
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion net/ipv4/esp4.c
Expand Up @@ -256,7 +256,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
aead_givcrypt_set_crypt(req, sg, sg, clen, iv);
aead_givcrypt_set_assoc(req, asg, assoclen);
aead_givcrypt_set_giv(req, esph->enc_data,
XFRM_SKB_CB(skb)->seq.output.low);
XFRM_SKB_CB(skb)->seq.output.low +
((u64)XFRM_SKB_CB(skb)->seq.output.hi << 32));

ESP_SKB_CB(skb)->tmp = tmp;
err = crypto_aead_givencrypt(req);
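
Review bot: the new third argument to aead_givcrypt_set_giv() reads seq.output.hi unconditionally, while the commit message describes the IV repeat only for the ESN case. Please state in the message, or in a one-line comment above the call, what seq.output.hi holds when ESN is not enabled, so it is clear that IV generation for non-ESN states is unchanged. As a style point, combining the halves with `|` rather than `+` would make it plainer that this is a concatenation of two halves into one 64-bit sequence number; the (u64) cast ahead of `<< 32` should stay where it is so the shift is done in 64-bit arithmetic.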