From 5a266059bd5cc069a56fe89cdf53689915ee1a8e Mon Sep 17 00:00:00 2001
From: Robin Jarry <robin.jarry@6wind.com>
Date: Fri, 23 May 2014 09:57:46 +0200
Subject: [PATCH] ipsec: fix esp payload padding length

According to RFC 4303, the length of an ESP payload must be a
multiple of 4 bytes so that the signature starts at the beginning
of a 32-bit word.

--HG--
branch : ipsec
---
 scapy/layers/ipsec.py | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/scapy/layers/ipsec.py b/scapy/layers/ipsec.py
index b826ab43..ac677ccb 100644
--- a/scapy/layers/ipsec.py
+++ b/scapy/layers/ipsec.py
@@ -256,7 +256,7 @@ class CryptAlgo(object):
         else:
             return self.cipher.new(key, self.mode, iv)
 
-    def pad(self, esp, ip_version=4):
+    def pad(self, esp):
         """
         Add the correct amount of padding so that the data to encrypt is
         exactly a multiple of the algorithm's block size.
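Review bot: Dropping the `ip_version` keyword from `CryptAlgo.pad` is an interface change that the commit message does not mention: any caller outside this file that still passes it, positionally or as `ip_version=6`, will now fail with a TypeError. The one caller visible in this patch (in `SecurityAssociation`, last hunk) is updated, but if `pad` is treated as public API it may be worth accepting and ignoring the argument for a release, e.g. `def pad(self, esp, ip_version=None):  # ip_version is ignored, kept for compatibility`. The docstring continues outside the hunk, so I cannot tell whether it describes `ip_version`; if it does, that line should be removed as well.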
@@ -270,14 +270,8 @@ class CryptAlgo(object):
         data_len = len(esp.data) + 2
 
         # according to the RFC4303, section 2.4. Padding (for Encryption)
-        # the size of the ESP payload must be a multiple of 32 or 64 bits
-        # on IPv4 or IPv6 respectively.
-        if ip_version == 4:
-            ip_align = 4
-        else:
-            ip_align = 8
-
-        align = _lcm(self.block_size, ip_align)
+        # the size of the ESP payload must be a multiple of 32 bits
+        align = _lcm(self.block_size, 4)
 
         # pad for block size
         esp.padlen = -data_len % align
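Review bot: The new comment on the `align` line says the ESP payload must be a multiple of 32 bits, but `data_len` only counts `esp.data` plus the two trailer bytes; the IV is left out here and is only covered by the `payload_len % 4` check in the next hunk. I would say so in the comment, for example `# pad data + Pad Length + Next Header to a multiple of 32 bits (RFC 4303 section 2.4); the IV length is checked separately below`. The literal `4` now appears both here and in that later check, so a small named constant would keep the two in step. The body of `pad` starts and ends outside this hunk.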
@@ -290,8 +284,8 @@ class CryptAlgo(object):
         # If the following test fails, it means that this algo does not comply
         # with the RFC
         payload_len = len(esp.iv) + len(esp.data) + len(esp.padding) + 2
-        if payload_len % ip_align != 0:
-            raise ValueError('The size of the ESP data is not aligned to %s bytes after padding.', align)
+        if payload_len % 4 != 0:
+            raise ValueError('The size of the ESP data is not aligned to 32 bits after padding.')
 
         return esp
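Review bot: The new ValueError message carries no value at all, so when the check on `payload_len` fails the caller cannot tell which length was off. Including the computed length would make the failure diagnosable, e.g. `raise ValueError('The size of the ESP data (%d bytes) is not aligned to 32 bits after padding.' % payload_len)`. Since `payload_len` includes `len(esp.iv)` while the padding was computed without it, this check presumably fires only for an algorithm whose IV length is not a multiple of 4; the comment above the check could state that explicitly. The function begins outside the hunk.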
 
@@ -784,7 +778,7 @@ class SecurityAssociation(object):
         esp.data = payload
         esp.nh = nh
 
-        esp = self.crypt_algo.pad(esp, ip_header.version)
+        esp = self.crypt_algo.pad(esp)
         esp = self.crypt_algo.encrypt(esp, self.crypt_key)
 
         self.auth_algo.sign(esp, self.auth_key)
-- 
GitLab