diff options
author | Benoît Ganne <bganne@cisco.com> | 2022-01-18 15:56:41 +0100 |
---|---|---|
committer | Benoît Ganne <bganne@cisco.com> | 2023-02-06 16:27:55 +0100 |
commit | 70fc5aff89103acaa5768522e45497134b48a982 (patch) | |
tree | 217b84b8f04dd34b0e993c262789389356a98e00 | |
parent | e88582facad678701457fa68cbe4ed24f6ec4266 (diff) |
ipsec: fix AES CBC IV generation (CVE-2022-46397)stable/1904
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.
Fixes: VPP-2037
Type: fix
Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
-rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 30 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 2 |
2 files changed, 30 insertions, 2 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 5db10b520e3..4a91f52df4f 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -198,6 +198,24 @@ esp_trailer_icv_overflow (vlib_node_runtime_t * node, vlib_buffer_t * b, return 1; } +/* IPsec IV generation: IVs requirements differ depending of the + * encryption mode: IVs must be unpredictable for AES-CBC whereas it can + * be predictable but should never be reused with the same key material + * for CTR and GCM. + * We use a packet counter as the IV for CTR and GCM, and to ensure the + * IV is unpredictable for CBC, it is then encrypted using the same key + * as the message. You can refer to NIST SP800-38a and NIST SP800-38d + * for more details. */ +static_always_inline void * +esp_generate_iv (ipsec_sa_t * sa, void *payload, int iv_sz) +{ + ASSERT (iv_sz >= sizeof (u64)); + u64 *iv = (u64 *) (payload - iv_sz); + clib_memset_u8 (iv, 0, iv_sz); + *iv = sa->iv_counter++; + return iv; +} + static_always_inline void esp_process_ops (vlib_main_t * vm, vlib_node_runtime_t * node, vnet_crypto_op_t * ops, vlib_buffer_t * b[], u16 * nexts) @@ -439,11 +457,10 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vnet_crypto_op_t *op; vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES); vnet_crypto_op_init (op, sa0->crypto_enc_op_id); - op->iv = payload - iv_sz; + op->iv = esp_generate_iv (sa0, payload, iv_sz); op->src = op->dst = payload; op->key = sa0->crypto_key.data; op->len = payload_len - icv_sz; - op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV; op->user_data = b - bufs; op->salt = sa0->salt; @@ -460,6 +477,15 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, op->tag = payload + op->len; op->tag_len = 16; } + else + { + /* construct zero iv in front of the IP header */ + op->iv -= hdr_len - iv_sz; + clib_memset_u8 (op->iv, 0, iv_sz); + /* include iv field in crypto */ + op->src -= iv_sz; + op->len += iv_sz; + } } if (sa0->integ_op_id) diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index f25a760592e..1bc34e328f7 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -134,6 +134,8 @@ typedef struct /* data accessed by dataplane code should be above this comment */ CLIB_CACHE_LINE_ALIGN_MARK (cacheline1); + u64 iv_counter; + union { ip4_header_t ip4_hdr; |