packetgen-plugin-ipsec 1.0.2 → 1.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dd286b833bca903e5c88756962344db3e80d78d7c97d905547a4698903861fb4
-  data.tar.gz: edb09dcf8b3ed16776da97748567d3b57ec911f2239b61b7afb97d2741d4db4d
+  metadata.gz: 6000090bef8439281eed6482a399f0e05b188e7594d3de3e92d32a9088e32b88
+  data.tar.gz: 0a753bf7266628b968ca9937f9d8f41c657c0bdd166b233b4c1e94eef4c71f89
 SHA512:
-  metadata.gz: aa5b3e67ac032978a6a5f8618d48645ba5f750b300cd409e32d12d37de35ba25266cca409b677b7f90aabbf7737d8026398a702540435e1078bb12b86e3eb2ed
-  data.tar.gz: 3ea743b743d19223c39ce245239f183c1029a4f2abf1293cce75ede601e2c60d6e8cba86e867c7d514f5554c51499cb3bc3355b1d45a4616ddba13cf56000ae9
+  metadata.gz: fdb0b0828199209621044b6c8a916018225cd025afd403a1f30d0137f5fad3f30bbcba0d58d924d1b2c6cef04690277d3b6de036c016ac20ced6d868b8576224
+  data.tar.gz: 2b76622be17f0fdb03b9703bc25eceddd9cafbc968b5d99991d387926d886b4fea3c6fc2437528b9ab662584997a374387a053991dc896fe164cd7cdf6b47f2b

data/.github/workflows/specs.yml

@@ -0,0 +1,28 @@
+name: Specs
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+        ruby: [2.4, 2.5, 2.6, 2.7]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v2
+    - name: Install dependencies
+      run: sudo apt-get update -qq && sudo apt-get install libpcap-dev -qq
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Run tests
+      run: |
+        bundle config set path 'vendor/bundle'
+        bundle config set --local without noci
+        bundle install
+        bundle exec rake

data/.rubocop.yml

@@ -1,4 +1,9 @@
-TargetRubyVersion: 2.3
+require:
+  - rubocop-performance
+AllCops:
+  TargetRubyVersion: 2.4
+Layout/LineLength:
+  Max: 150
 Layout/SpaceAroundEqualsInParameterDefault:
   EnforcedStyle: no_space
 Lint/EmptyWhen:
@@ -9,6 +14,8 @@ Metrics:
   Enabled: false
 Style/AsciiComments:
   Enabled: false
+Style/ClassAndModuleChildren:
+  EnforcedStyle: compact
 Style/Encoding:
   Enabled: false
 Style/EvalWithLocation:

data/.travis.yml

@@ -8,7 +8,7 @@ rvm:
 install:
   - sudo apt-get update -qq
   - sudo apt-get install libpcap-dev -qq
-  - gem install bundler --version "~>1.17.3"
+  - gem install bundler
   - bundle install --path vendor/bundle --jobs=3 --retry=3
 script:
   - bundle exec rake

data/Gemfile

@@ -1,3 +1,14 @@
 source 'https://rubygems.org'
 
 gemspec
+
+gem 'bundler', '>= 1.17', '< 3'
+gem 'rake', '~> 12.3'
+gem 'rspec', '~> 3.10'
+
+group :noci do
+  gem 'rubocop', '~> 1.6'
+  gem 'rubocop-performance', '~> 1.9'
+  gem 'simplecov', '~> 0.18'
+  gem 'yard', '~> 0.9'
+end

data/Rakefile

@@ -1,13 +1,19 @@
+# frozen_string_literal: true
 
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
-require 'yard'
 
 task default: :spec
 
 RSpec::Core::RakeTask.new
 
-YARD::Rake::YardocTask.new do |t|
-  t.options = ['--no-private']
-  t.files = ['lib/**/*.rb', '-', 'LICENSE']
+begin
+  require 'yard'
+
+  YARD::Rake::YardocTask.new do |t|
+    t.options = ['--no-private']
+    t.files = ['lib/**/*.rb', '-', 'LICENSE']
+  end
+rescue LoadError
+  # no yard, so no yard task
 end

data/lib/packetgen/plugin/crypto.rb

@@ -1,11 +1,11 @@
 # coding: utf-8
+# frozen_string_literal: true
+
 # This file is part of IPsec packetgen plugin.
 # See https://github.com/sdaubert/packetgen-plugin-ipsec for more informations
 # Copyright (c) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
 # This program is published under MIT license.
 
-# frozen_string_literal: true
-
 module PacketGen::Plugin
   # Mixin for cryptographic classes
   # @api private
@@ -22,6 +22,7 @@ module PacketGen::Plugin
       @conf = conf
       @intg = intg
       return unless conf.authenticated?
+
       # #auth_tag_len only supported from ruby 2.4.0
       @conf.auth_tag_len = @trunc if @conf.respond_to? :auth_tag_len
     end
@@ -31,6 +32,7 @@ module PacketGen::Plugin
     def confidentiality_mode
       mode = @conf.name.match(/-([^-]*)$/)[1]
       raise Error, 'unknown cipher mode' if mode.nil?
+
       mode.downcase
     end
 
@@ -59,7 +61,7 @@ module PacketGen::Plugin
     # @return [String] enciphered data
     def encipher(data)
       enciphered_data = @conf.update(data)
-      @intg.update(enciphered_data) if @intg
+      @intg&.update(enciphered_data)
       enciphered_data
     end
 
@@ -67,7 +69,7 @@ module PacketGen::Plugin
     # @param [String] data
     # @return [String] deciphered data
     def decipher(data)
-      @intg.update(data) if @intg
+      @intg&.update(data)
       @conf.update(data)
     end
   end

data/lib/packetgen/plugin/esp.rb

@@ -1,413 +1,416 @@
+# frozen_string_literal: true
+
 # This file is part of IPsec packetgen plugin.
 # See https://github.com/sdaubert/packetgen-plugin-ipsec for more informations
 # Copyright (c) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
 # This program is published under MIT license.
 
-# frozen_string_literal: true
-
 require_relative 'crypto'
 
-module PacketGen
-  module Plugin
-    # A ESP header consists of:
-    # * a Security Parameters Index (#{spi}, {PacketGen::Types::Int32} type),
-    # * a Sequence Number ({#sn}, +Int32+ type),
-    # * a {#body} (variable length),
-    # * an optional TFC padding ({#tfc}, variable length),
-    # * an optional {#padding} (to align ESP on 32-bit boundary, variable length),
-    # * a {#pad_length} ({PacketGen::Types::Int8}),
-    # * a Next header field ({#next}, +Int8+),
-    # * and an optional Integrity Check Value ({#icv}, variable length).
-    #
-    # == Create an ESP header
-    #  # standalone
-    #  esp = PacketGen::Plugin::ESP.new
-    #  # in a packet
-    #  pkt = PacketGen.gen('IP').add('ESP')
-    #  # access to ESP header
-    #  pkt.esp   # => PacketGen::Plugin::ESP
-    #
-    # == Examples
-    # === Create an enciphered UDP packet (ESP transport mode), using CBC mode
-    #  icmp = PacketGen.gen('IP', src: '192.168.1.1', dst: '192.168.2.1').
-    #                   add('ESP', spi: 0xff456e01, sn: 12345678).
-    #                   add('UDP', dport: 4567, sport: 45362, body 'abcdef')
-    #  cipher = OpenSSL::Cipher.new('aes-128-cbc')
-    #  cipher.encrypt
-    #  cipher.key = 16bytes_key
-    #  iv = 16bytes_iv
-    #  esp.esp.encrypt! cipher, iv
-    #
-    # === Create a ESP packet tunneling a UDP one, using GCM combined mode
-    #  # create inner UDP packet
-    #  icmp = PacketGen.gen('IP', src: '192.168.1.1', dst: '192.168.2.1').
-    #                   add('UDP', dport: 4567, sport: 45362, body 'abcdef')
-    #
-    #  # create outer ESP packet
-    #  esp = PacketGen.gen('IP', src '198.76.54.32', dst: '1.2.3.4').add('ESP')
-    #  esp.esp.spi = 0x87654321
-    #  esp.esp.sn  = 0x123
-    #  esp.esp.icv_length = 16
-    #  # encapsulate ICMP packet in ESP one
-    #  esp.encapsulate icmp
-    #
-    #  # encrypt ESP payload
-    #  cipher = OpenSSL::Cipher.new('aes-128-gcm')
-    #  cipher.encrypt
-    #  cipher.key = 16bytes_key
-    #  iv = 8bytes_iv
-    #  esp.esp.encrypt! cipher, iv, salt: 4bytes_gcm_salt
+module PacketGen::Plugin
+  # A ESP header consists of:
+  # * a Security Parameters Index (#{spi}, {PacketGen::Types::Int32} type),
+  # * a Sequence Number ({#sn}, +Int32+ type),
+  # * a {#body} (variable length),
+  # * an optional TFC padding ({#tfc}, variable length),
+  # * an optional {#padding} (to align ESP on 32-bit boundary, variable length),
+  # * a {#pad_length} ({PacketGen::Types::Int8}),
+  # * a Next header field ({#next}, +Int8+),
+  # * and an optional Integrity Check Value ({#icv}, variable length).
+  #
+  # == Create an ESP header
+  #  # standalone
+  #  esp = PacketGen::Plugin::ESP.new
+  #  # in a packet
+  #  pkt = PacketGen.gen('IP').add('ESP')
+  #  # access to ESP header
+  #  pkt.esp   # => PacketGen::Plugin::ESP
+  #
+  # == Examples
+  # === Create an enciphered UDP packet (ESP transport mode), using CBC mode
+  #  icmp = PacketGen.gen('IP', src: '192.168.1.1', dst: '192.168.2.1').
+  #                   add('ESP', spi: 0xff456e01, sn: 12345678).
+  #                   add('UDP', dport: 4567, sport: 45362, body 'abcdef')
+  #  cipher = OpenSSL::Cipher.new('aes-128-cbc')
+  #  cipher.encrypt
+  #  cipher.key = 16bytes_key
+  #  iv = 16bytes_iv
+  #  esp.esp.encrypt! cipher, iv
+  #
+  # === Create a ESP packet tunneling a UDP one, using GCM combined mode
+  #  # create inner UDP packet
+  #  icmp = PacketGen.gen('IP', src: '192.168.1.1', dst: '192.168.2.1').
+  #                   add('UDP', dport: 4567, sport: 45362, body 'abcdef')
+  #
+  #  # create outer ESP packet
+  #  esp = PacketGen.gen('IP', src '198.76.54.32', dst: '1.2.3.4').add('ESP')
+  #  esp.esp.spi = 0x87654321
+  #  esp.esp.sn  = 0x123
+  #  esp.esp.icv_length = 16
+  #  # encapsulate ICMP packet in ESP one
+  #  esp.encapsulate icmp
+  #
+  #  # encrypt ESP payload
+  #  cipher = OpenSSL::Cipher.new('aes-128-gcm')
+  #  cipher.encrypt
+  #  cipher.key = 16bytes_key
+  #  iv = 8bytes_iv
+  #  esp.esp.encrypt! cipher, iv, salt: 4bytes_gcm_salt
+  #
+  # === Decrypt a ESP packet using CBC mode and HMAC-SHA-256
+  #  cipher = OpenSSL::Cipher.new('aes-128-cbc')
+  #  cipher.decrypt
+  #  cipher.key = 16bytes_key
+  #
+  #  hmac = OpenSSL::HMAC.new(hmac_key, OpenSSL::Digest::SHA256.new)
+  #
+  #  pkt.esp.decrypt! cipher, intmode: hmac    # => true if ICV check OK
+  # @author Sylvain Daubert
+  class ESP < PacketGen::Header::Base
+    include Crypto
+
+    # IP protocol number for ESP
+    IP_PROTOCOL = 50
+
+    # Well-known UDP port for ESP
+    UDP_PORT = 4500
+
+    # @!attribute spi
+    #  32-bit Security Parameter Index
+    #  @return [Integer]
+    define_field :spi, PacketGen::Types::Int32
+    # @!attribute sn
+    #  32-bit Sequence Number
+    #  @return [Integer]
+    define_field :sn, PacketGen::Types::Int32
+    # @!attribute body
+    #  @return [PacketGen::Types::String,PacketGen::Header::Base]
+    define_field :body, PacketGen::Types::String
+    # @!attribute tfc
+    #  Traffic Flow Confidentiality padding
+    #  @return [PacketGen::Types::String,PacketGen::Header::Base]
+    define_field :tfc, PacketGen::Types::String
+    # @!attribute padding
+    #  ESP padding
+    #  @return [PacketGen::Types::String,PacketGen::Header::Base]
+    define_field :padding, PacketGen::Types::String
+    # @!attribute pad_length
+    #  8-bit padding length
+    #  @return [Integer]
+    define_field :pad_length, PacketGen::Types::Int8
+    # @!attribute next
+    #  8-bit next protocol value
+    #  @return [Integer]
+    define_field :next, PacketGen::Types::Int8
+    # @!attribute icv
+    #  Integrity Check Value
+    #  @return [PacketGen::Types::String,PacketGen::Header::Base]
+    define_field :icv, PacketGen::Types::String
+
+    # ICV (Integrity Check Value) length
+    # @return [Integer]
+    attr_accessor :icv_length
+
+    # @param [Hash] options
+    # @option options [Integer] :icv_length ICV length
+    # @option options [Integer] :spi Security Parameters Index
+    # @option options [Integer] :sn Sequence Number
+    # @option options [::String] :body ESP payload data
+    # @option options [::String] :tfc Traffic Flow Confidentiality, random padding
+    #    up to MTU
+    # @option options [::String] :padding ESP padding to align ESP on 32-bit
+    #    boundary
+    # @option options [Integer] :pad_length padding length
+    # @option options [Integer] :next Next Header field
+    # @option options [::String] :icv Integrity Check Value
+    def initialize(options={})
+      @icv_length = options[:icv_length] || 0
+      super
+    end
+
+    # Read a ESP packet from string.
     #
-    # === Decrypt a ESP packet using CBC mode and HMAC-SHA-256
-    #  cipher = OpenSSL::Cipher.new('aes-128-cbc')
-    #  cipher.decrypt
-    #  cipher.key = 16bytes_key
+    # {#padding} and {#tfc} are not set as they are enciphered (impossible
+    # to guess their respective size). {#pad_length} and {#next} are also
+    # enciphered.
+    # @param [String] str
+    # @return [self]
+    def read(str)
+      return self if str.nil?
+
+      force_binary str
+      self[:spi].read str[0, 4]
+      self[:sn].read str[4, 4]
+      self[:body].read str[8...-@icv_length - 2]
+      self[:tfc].read ''
+      self[:padding].read ''
+      self[:pad_length].read str[-@icv_length - 2, 1]
+      self[:next].read str[-@icv_length - 1, 1]
+      self[:icv].read str[-@icv_length, @icv_length] if @icv_length
+      self
+    end
+
+    # Encrypt in-place ESP payload and trailer.
     #
-    #  hmac = OpenSSL::HMAC.new(hmac_key, OpenSSL::Digest::SHA256.new)
+    # This method removes all data from +tfc+ and +padding+ fields, as their
+    # enciphered values are concatenated into +body+.
     #
-    #  pkt.esp.decrypt! cipher, intmode: hmac    # => true if ICV check OK
-    # @author Sylvain Daubert
-    class ESP < PacketGen::Header::Base
-      include Crypto
-
-      # IP protocol number for ESP
-      IP_PROTOCOL = 50
-
-      # Well-known UDP port for ESP
-      UDP_PORT = 4500
-
-      # @!attribute spi
-      #  32-bit Security Parameter Index
-      #  @return [Integer]
-      define_field :spi, PacketGen::Types::Int32
-      # @!attribute sn
-      #  32-bit Sequence Number
-      #  @return [Integer]
-      define_field :sn, PacketGen::Types::Int32
-      # @!attribute body
-      #  @return [PacketGen::Types::String,PacketGen::Header::Base]
-      define_field :body, PacketGen::Types::String
-      # @!attribute tfc
-      #  Traffic Flow Confidentiality padding
-      #  @return [PacketGen::Types::String,PacketGen::Header::Base]
-      define_field :tfc, PacketGen::Types::String
-      # @!attribute padding
-      #  ESP padding
-      #  @return [PacketGen::Types::String,PacketGen::Header::Base]
-      define_field :padding, PacketGen::Types::String
-      # @!attribute pad_length
-      #  8-bit padding length
-      #  @return [Integer]
-      define_field :pad_length, PacketGen::Types::Int8
-      # @!attribute next
-      #  8-bit next protocol value
-      #  @return [Integer]
-      define_field :next, PacketGen::Types::Int8
-      # @!attribute icv
-      #  Integrity Check Value
-      #  @return [PacketGen::Types::String,PacketGen::Header::Base]
-      define_field :icv, PacketGen::Types::String
-
-      # ICV (Integrity Check Value) length
-      # @return [Integer]
-      attr_accessor :icv_length
-
-      # @param [Hash] options
-      # @option options [Integer] :icv_length ICV length
-      # @option options [Integer] :spi Security Parameters Index
-      # @option options [Integer] :sn Sequence Number
-      # @option options [::String] :body ESP payload data
-      # @option options [::String] :tfc Traffic Flow Confidentiality, random padding
-      #    up to MTU
-      # @option options [::String] :padding ESP padding to align ESP on 32-bit
-      #    boundary
-      # @option options [Integer] :pad_length padding length
-      # @option options [Integer] :next Next Header field
-      # @option options [::String] :icv Integrity Check Value
-      def initialize(options={})
-        @icv_length = options[:icv_length] || 0
-        super
+    # It also removes headers under ESP from packet, as they are enciphered in
+    # ESP body, and then are no more accessible.
+    # @param [OpenSSL::Cipher] cipher keyed cipher.
+    #   This cipher is confidentiality-only one, or AEAD one. To use a second
+    #   cipher to add integrity, use +:intmode+ option.
+    # @param [String] iv full IV for encryption
+    #  * CTR and GCM modes: +iv+ is 8-bytes long.
+    # @param [Hash] options
+    # @option options [String] :salt salt value for CTR and GCM modes
+    # @option options [Boolean] :tfc
+    # @option options [Fixnum] :tfc_size ESP body size used for TFC
+    #   (default 1444, max size for a tunneled IPv4/ESP packet).
+    #   This is the maximum size for ESP packet (without IP header
+    #   nor Eth one).
+    # @option options [Fixnum] :esn 32 high-orber bits of ESN
+    # @option options [Fixnum] :pad_length set a padding length
+    # @option options [String] :padding set a padding. No check with
+    #   +:pad_length+ is made. If +:pad_length+ is not set, +:padding+
+    #   length is shortened to correct padding length
+    # @option options [OpenSSL::HMAC] :intmode integrity mode to use with a
+    #   confidentiality-only cipher. Only HMAC are supported.
+    # @return [self]
+    def encrypt!(cipher, iv, options={})
+      opt = { salt: '', tfc_size: 1444 }.merge(options)
+
+      set_crypto cipher, opt[:intmode]
+
+      real_iv = force_binary(opt[:salt]) + force_binary(iv)
+      real_iv += [1].pack('N') if confidentiality_mode == 'ctr'
+      cipher.iv = real_iv
+
+      authenticate_esp_header_if_needed options, iv
+
+      case confidentiality_mode
+      when 'cbc'
+        cipher_len = self[:body].sz + 2
+        self.pad_length = (16 - (cipher_len % 16)) % 16
+      else
+        mod4 = to_s.size % 4
+        self.pad_length = 4 - mod4 if mod4.positive?
       end
 
-      # Read a ESP packet from string.
-      #
-      # {#padding} and {#tfc} are not set as they are enciphered (impossible
-      # to guess their respective size). {#pad_length} and {#next} are also
-      # enciphered.
-      # @param [String] str
-      # @return [self]
-      def read(str)
-        return self if str.nil?
-
-        force_binary str
-        self[:spi].read str[0, 4]
-        self[:sn].read str[4, 4]
-        self[:body].read str[8...-@icv_length - 2]
-        self[:tfc].read ''
-        self[:padding].read ''
-        self[:pad_length].read str[-@icv_length - 2, 1]
-        self[:next].read str[-@icv_length - 1, 1]
-        self[:icv].read str[-@icv_length, @icv_length] if @icv_length
-        self
+      if opt[:pad_length]
+        self.pad_length = opt[:pad_length]
+        padding = force_binary(opt[:padding] || (1..self.pad_length).to_a.pack('C*'))
+        self[:padding].read padding
+      else
+        padding = force_binary(opt[:padding] || (1..self.pad_length).to_a.pack('C*'))
+        self[:padding].read padding[0...self.pad_length]
       end
 
-      # Encrypt in-place ESP payload and trailer.
-      #
-      # This method removes all data from +tfc+ and +padding+ fields, as their
-      # enciphered values are concatenated into +body+.
-      #
-      # It also removes headers under ESP from packet, as they are enciphered in
-      # ESP body, and then are no more accessible.
-      # @param [OpenSSL::Cipher] cipher keyed cipher.
-      #   This cipher is confidentiality-only one, or AEAD one. To use a second
-      #   cipher to add integrity, use +:intmode+ option.
-      # @param [String] iv full IV for encryption
-      #  * CTR and GCM modes: +iv+ is 8-bytes long.
-      # @param [Hash] options
-      # @option options [String] :salt salt value for CTR and GCM modes
-      # @option options [Boolean] :tfc
-      # @option options [Fixnum] :tfc_size ESP body size used for TFC
-      #   (default 1444, max size for a tunneled IPv4/ESP packet).
-      #   This is the maximum size for ESP packet (without IP header
-      #   nor Eth one).
-      # @option options [Fixnum] :esn 32 high-orber bits of ESN
-      # @option options [Fixnum] :pad_length set a padding length
-      # @option options [String] :padding set a padding. No check with
-      #   +:pad_length+ is made. If +:pad_length+ is not set, +:padding+
-      #   length is shortened to correct padding length
-      # @option options [OpenSSL::HMAC] :intmode integrity mode to use with a
-      #   confidentiality-only cipher. Only HMAC are supported.
-      # @return [self]
-      def encrypt!(cipher, iv, options={})
-        opt = { salt: '', tfc_size: 1444 }.merge(options)
-
-        set_crypto cipher, opt[:intmode]
-
-        real_iv = force_binary(opt[:salt]) + force_binary(iv)
-        real_iv += [1].pack('N') if confidentiality_mode == 'ctr'
-        cipher.iv = real_iv
-
-        authenticate_esp_header_if_needed options, iv
-
-        case confidentiality_mode
-        when 'cbc'
-          cipher_len = self[:body].sz + 2
-          self.pad_length = (16 - (cipher_len % 16)) % 16
-        else
-          mod4 = to_s.size % 4
-          self.pad_length = 4 - mod4 if mod4 > 0
-        end
-
-        if opt[:pad_length]
-          self.pad_length = opt[:pad_length]
-          padding = force_binary(opt[:padding] || (1..self.pad_length).to_a.pack('C*'))
-          self[:padding].read padding
-        else
-          padding = force_binary(opt[:padding] || (1..self.pad_length).to_a.pack('C*'))
-          self[:padding].read padding[0...self.pad_length]
-        end
-
-        tfc = ''
-        if opt[:tfc]
-          tfc_size = opt[:tfc_size] - self[:body].sz
-          if tfc_size > 0
-            tfc_size = case confidentiality_mode
-                       when 'cbc'
-                         (tfc_size / 16) * 16
-                       else
-                         (tfc_size / 4) * 4
-                       end
-            tfc = force_binary("\0" * tfc_size)
-          end
+      tfc = ''
+      if opt[:tfc]
+        tfc_size = opt[:tfc_size] - self[:body].sz
+        if tfc_size.positive?
+          tfc_size = case confidentiality_mode
+                     when 'cbc'
+                       (tfc_size / 16) * 16
+                     else
+                       (tfc_size / 4) * 4
+                     end
+          tfc = force_binary("\0" * tfc_size)
         end
+      end
 
-        msg = self[:body].to_s + tfc
-        msg += self[:padding].to_s + self[:pad_length].to_s + self[:next].to_s
-        enc_msg = encipher(msg)
-        # as padding is used to pad for CBC mode, this is unused
-        cipher.final
+      msg = self[:body].to_s + tfc
+      msg += self[:padding].to_s + self[:pad_length].to_s + self[:next].to_s
+      enc_msg = encipher(msg)
+      # as padding is used to pad for CBC mode, this is unused
+      cipher.final
 
-        self[:body] = PacketGen::Types::String.new.read(iv) << enc_msg[0..-3]
-        self[:pad_length].read enc_msg[-2]
-        self[:next].read enc_msg[-1]
+      self[:body] = PacketGen::Types::String.new.read(iv)
+      self[:body] << enc_msg[0..-3]
+      self[:pad_length].read enc_msg[-2]
+      self[:next].read enc_msg[-1]
 
-        # reset padding field as it has no sense in encrypted ESP
-        self[:padding].read ''
+      # reset padding field as it has no sense in encrypted ESP
+      self[:padding].read ''
 
-        set_esp_icv_if_needed
+      set_esp_icv_if_needed
 
-        # Remove enciphered headers from packet
-        id = header_id(self)
-        if id < packet.headers.size - 1
-          (packet.headers.size - 1).downto(id + 1) do |index|
-            packet.headers.delete_at index
-          end
+      # Remove enciphered headers from packet
+      id = header_id(self)
+      if id < packet.headers.size - 1
+        (packet.headers.size - 1).downto(id + 1) do |index|
+          packet.headers.delete_at index
         end
-
-        self
       end
 
-      # Decrypt in-place ESP payload and trailer.
-      # @param [OpenSSL::Cipher] cipher keyed cipher
-      #   This cipher is confidentiality-only one, or AEAD one. To use a second
-      #   cipher to add integrity, use +:intmode+ option.
-      # @param [Hash] options
-      # @option options [Boolean] :parse parse deciphered payload to retrieve
-      #   headers (default: +true+)
-      # @option options [Fixnum] :icv_length ICV length for captured packets,
-      #   or read from PCapNG files
-      # @option options [String] :salt salt value for CTR and GCM modes
-      # @option options [Fixnum] :esn 32 high-orber bits of ESN
-      # @option options [OpenSSL::HMAC] :intmode integrity mode to use with a
-      #   confidentiality-only cipher. Only HMAC are supported.
-      # @return [Boolean] +true+ if ESP packet is authenticated
-      def decrypt!(cipher, options={})
-        opt = { salt: '', parse: true }.merge(options)
-
-        set_crypto cipher, opt[:intmode]
-
-        case confidentiality_mode
-        when 'gcm'
-          iv = self[:body].slice!(0, 8)
-          real_iv = opt[:salt] + iv
-        when 'cbc'
-          cipher.padding = 0
-          real_iv = iv = self[:body].slice!(0, 16)
-        when 'ctr'
-          iv = self[:body].slice!(0, 8)
-          real_iv = opt[:salt] + iv + [1].pack('N')
-        else
-          real_iv = iv = self[:body].slice!(0, 16)
-        end
-        cipher.iv = real_iv
-
-        if authenticated? && (@icv_length.zero? || opt[:icv_length])
-          raise ParseError, 'unknown ICV size' unless opt[:icv_length]
-          @icv_length = opt[:icv_length].to_i
-          # reread ESP to handle new ICV size
-          msg = self[:body].to_s + self[:pad_length].to_s
-          msg += self[:next].to_s
-          self[:icv].read msg.slice!(-@icv_length, @icv_length)
-          self[:body].read msg[0..-3]
-          self[:pad_length].read msg[-2]
-          self[:next].read msg[-1]
-        end
+      self
+    end
 
-        authenticate_esp_header_if_needed options, iv, icv
-        private_decrypt opt
+    # Decrypt in-place ESP payload and trailer.
+    # @param [OpenSSL::Cipher] cipher keyed cipher
+    #   This cipher is confidentiality-only one, or AEAD one. To use a second
+    #   cipher to add integrity, use +:intmode+ option.
+    # @param [Hash] options
+    # @option options [Boolean] :parse parse deciphered payload to retrieve
+    #   headers (default: +true+)
+    # @option options [Fixnum] :icv_length ICV length for captured packets,
+    #   or read from PCapNG files
+    # @option options [String] :salt salt value for CTR and GCM modes
+    # @option options [Fixnum] :esn 32 high-orber bits of ESN
+    # @option options [OpenSSL::HMAC] :intmode integrity mode to use with a
+    #   confidentiality-only cipher. Only HMAC are supported.
+    # @return [Boolean] +true+ if ESP packet is authenticated
+    def decrypt!(cipher, options={})
+      opt = { salt: '', parse: true }.merge(options)
+
+      set_crypto cipher, opt[:intmode]
+
+      case confidentiality_mode
+      when 'gcm'
+        iv = self[:body].slice!(0, 8)
+        real_iv = opt[:salt] + iv
+      when 'cbc'
+        cipher.padding = 0
+        real_iv = iv = self[:body].slice!(0, 16)
+      when 'ctr'
+        iv = self[:body].slice!(0, 8)
+        real_iv = opt[:salt] + iv + [1].pack('N')
+      else
+        real_iv = iv = self[:body].slice!(0, 16)
+      end
+      cipher.iv = real_iv
+
+      if authenticated? && (@icv_length.zero? || opt[:icv_length])
+        raise PacketGen::ParseError, 'unknown ICV size' unless opt[:icv_length]
+
+        @icv_length = opt[:icv_length].to_i
+        # reread ESP to handle new ICV size
+        msg = self[:body].to_s + self[:pad_length].to_s
+        msg += self[:next].to_s
+        self[:icv].read msg.slice!(-@icv_length, @icv_length)
+        self[:body].read msg[0..-3]
+        self[:pad_length].read msg[-2]
+        self[:next].read msg[-1]
       end
 
-      private
+      authenticate_esp_header_if_needed options, iv, icv
+      private_decrypt opt
+    end
 
-      def get_auth_data(opt)
-        ad = self[:spi].to_s
-        if opt[:esn]
-          @esn = PacketGen::Types::Int32.new(opt[:esn])
-          ad << @esn.to_s if @conf.authenticated?
-        end
-        ad << self[:sn].to_s
-      end
+    private
 
-      def authenticate_esp_header_if_needed(opt, iv, icv=nil)
-        if @conf.authenticated?
-          @conf.auth_tag = icv if icv
-          @conf.auth_data = get_auth_data(opt)
-        elsif @intg
-          @intg.reset
-          @intg.update get_auth_data(opt)
-          @intg.update iv
-          @icv = icv
-        else
-          @icv = nil
-        end
+    def get_auth_data(opt)
+      ad = self[:spi].to_s
+      if opt[:esn]
+        @esn = PacketGen::Types::Int32.new(opt[:esn])
+        ad << @esn.to_s if @conf.authenticated?
       end
+      ad << self[:sn].to_s
+    end
 
-      def set_esp_icv_if_needed
-        return unless authenticated?
-        if @conf.authenticated?
-          self[:icv].read @conf.auth_tag[0, @icv_length]
-        else
-          self[:icv].read @intg.digest[0, @icv_length]
-        end
+    def authenticate_esp_header_if_needed(opt, iv, icv=nil)
+      if @conf.authenticated?
+        @conf.auth_tag = icv if icv
+        @conf.auth_data = get_auth_data(opt)
+      elsif @intg
+        @intg.reset
+        @intg.update get_auth_data(opt)
+        @intg.update iv
+        @icv = icv
+      else
+        @icv = nil
       end
+    end
 
-      def private_decrypt(options)
-        # decrypt
-        msg = self.body.to_s
-        msg += self.padding + self[:pad_length].to_s + self[:next].to_s
-        plain_msg = decipher(msg)
+    def set_esp_icv_if_needed
+      return unless authenticated?
 
-        # check authentication tag
-        return false if authenticated? && !authenticate!
+      if @conf.authenticated?
+        self[:icv].read @conf.auth_tag[0, @icv_length]
+      else
+        self[:icv].read @intg.digest[0, @icv_length]
+      end
+    end
 
-        # Set ESP fields
-        self[:body].read plain_msg[0..-3]
-        self[:pad_length].read plain_msg[-2]
-        self[:next].read plain_msg[-1]
+    def private_decrypt(options)
+      # decrypt
+      msg = self.body.to_s
+      msg += self.padding + self[:pad_length].to_s + self[:next].to_s
+      plain_msg = decipher(msg)
 
-        # Set padding
-        if self.pad_length > 0
-          len = self.pad_length
-          self[:padding].read self[:body].slice!(-len, len)
-        end
+      # check authentication tag
+      return false if authenticated? && !authenticate!
 
-        # Set TFC padding
-        encap_length = 0
-        pkt = nil
-        case self.next
-        when 4   # IPv4
-          pkt = Packet.parse(body, first_header: 'IP')
-          encap_length = pkt.ip.length
-        when 41  # IPv6
-          pkt = Packet.parse(body, first_header: 'IPv6')
-          encap_length = pkt.ipv6.length + pkt.ipv6.sz
-        when PacketGen::Header::ICMP::IP_PROTOCOL
-          pkt = Packet.parse(body, first_header: 'ICMP')
-          # no size field. cannot recover TFC padding
-          encap_length = self[:body].sz
-        when PacketGen::Header::UDP::IP_PROTOCOL
-          pkt = Packet.parse(body, first_header: 'UDP')
-          encap_length = pkt.udp.length
-        when PacketGen::Header::TCP::IP_PROTOCOL
-          # No length in TCP header, so TFC may not be used.
-          # Or underlayer protocol should have a size information...
-          pkt = Packet.parse(body, first_header: 'TCP')
-          encap_length = pkt.sz
-        when PacketGen::Header::ICMPv6::IP_PROTOCOL
-          pkt = Packet.parse(body, first_header: 'ICMPv6')
-          # no size field. cannot recover TFC padding
-          encap_length = self[:body].sz
-        else
-          # Unmanaged encapsulated protocol
-          encap_length = self[:body].sz
-        end
+      # Set ESP fields
+      self[:body].read plain_msg[0..-3]
+      self[:pad_length].read plain_msg[-2]
+      self[:next].read plain_msg[-1]
 
-        if encap_length < self[:body].sz
-          tfc_len = self[:body].sz - encap_length
-          self[:tfc].read self[:body].slice!(encap_length, tfc_len)
-        end
+      # Set padding
+      if self.pad_length.positive?
+        len = self.pad_length
+        self[:padding].read self[:body].slice!(-len, len)
+      end
 
-        if options[:parse]
-          packet.encapsulate pkt unless pkt.nil?
-        end
+      # Set TFC padding
+      encap_length = 0
+      pkt = nil
+      case self.next
+      when 4   # IPv4
+        pkt = PacketGen::Packet.parse(body, first_header: 'IP')
+        encap_length = pkt.ip.length
+      when 41  # IPv6
+        pkt = PacketGen::Packet.parse(body, first_header: 'IPv6')
+        encap_length = pkt.ipv6.length + pkt.ipv6.sz
+      when PacketGen::Header::ICMP::IP_PROTOCOL
+        pkt = PacketGen::Packet.parse(body, first_header: 'ICMP')
+        # no size field. cannot recover TFC padding
+        encap_length = self[:body].sz
+      when PacketGen::Header::UDP::IP_PROTOCOL
+        pkt = PacketGen::Packet.parse(body, first_header: 'UDP')
+        encap_length = pkt.udp.length
+      when PacketGen::Header::TCP::IP_PROTOCOL
+        # No length in TCP header, so TFC may not be used.
+        # Or underlayer protocol should have a size information...
+        pkt = PacketGen::Packet.parse(body, first_header: 'TCP')
+        encap_length = pkt.sz
+      when PacketGen::Header::ICMPv6::IP_PROTOCOL
+        pkt = PacketGen::Packet.parse(body, first_header: 'ICMPv6')
+        # no size field. cannot recover TFC padding
+        encap_length = self[:body].sz
+      else
+        # Unmanaged encapsulated protocol
+        encap_length = self[:body].sz
+      end
 
-        true
+      if encap_length < self[:body].sz
+        tfc_len = self[:body].sz - encap_length
+        self[:tfc].read self[:body].slice!(encap_length, tfc_len)
+      end
+
+      if options[:parse]
+        packet.encapsulate pkt unless pkt.nil?
       end
-    end
 
-    Header.add_class ESP
-
-    PacketGen::Header::IP.bind ESP, protocol: ESP::IP_PROTOCOL
-    PacketGen::Header::IPv6.bind ESP, next: ESP::IP_PROTOCOL
-    PacketGen::Header::UDP.bind ESP, procs: [->(f) { f.dport = f.sport = ESP::UDP_PORT },
-                                             ->(f) { (f.dport == ESP::UDP_PORT ||
-                                                        f.sport == ESP::UDP_PORT) &&
-                                                      PacketGen::Types::Int32.new.read(f.body[0..3]).to_i > 0 }]
-    ESP.bind PacketGen::Header::IP, next: 4
-    ESP.bind PacketGen::Header::IPv6, next: 41
-    ESP.bind PacketGen::Header::TCP, next: PacketGen::Header::TCP::IP_PROTOCOL
-    ESP.bind PacketGen::Header::UDP, next: PacketGen::Header::TCP::IP_PROTOCOL
-    ESP.bind PacketGen::Header::ICMP, next: PacketGen::Header::ICMP::IP_PROTOCOL
-    ESP.bind PacketGen::Header::ICMPv6, next: PacketGen::Header::ICMPv6::IP_PROTOCOL
+      true
+    end
   end
+
+  PacketGen::Header.add_class ESP
+
+  PacketGen::Header::IP.bind ESP, protocol: ESP::IP_PROTOCOL
+  PacketGen::Header::IPv6.bind ESP, next: ESP::IP_PROTOCOL
+  PacketGen::Header::UDP.bind ESP, procs: [->(f) { f.dport = f.sport = ESP::UDP_PORT },
+                                           lambda { |f|
+                                             (f.dport == ESP::UDP_PORT ||
+                                             f.sport == ESP::UDP_PORT) &&
+                                               PacketGen::Types::Int32.new.read(f.body[0..3]).to_i.positive?
+                                           }]
+  ESP.bind PacketGen::Header::IP, next: 4
+  ESP.bind PacketGen::Header::IPv6, next: 41
+  ESP.bind PacketGen::Header::TCP, next: PacketGen::Header::TCP::IP_PROTOCOL
+  ESP.bind PacketGen::Header::UDP, next: PacketGen::Header::TCP::IP_PROTOCOL
+  ESP.bind PacketGen::Header::ICMP, next: PacketGen::Header::ICMP::IP_PROTOCOL
+  ESP.bind PacketGen::Header::ICMPv6, next: PacketGen::Header::ICMPv6::IP_PROTOCOL
 end