ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ipsec: fix AES CBC IV generation (CVE-2022-46397)

Browse Source 
For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.

Fixes: VPP-2037
Type: fix

Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>
This commit is contained in:
Benoît Ganne
2022-01-18 15:56:41 +01:00
parent e88582faca
commit 70fc5aff89
2 changed files with 30 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/vnet/ipsec/esp_encrypt.c
View File

@ -198,6 +198,24 @@ esp_trailer_icv_overflow (vlib_node_runtime_t * node, vlib_buffer_t * b,
return 1; return 1;
} }
/* IPsec IV generation: IVs requirements differ depending of the
* encryption mode: IVs must be unpredictable for AES-CBC whereas it can
* be predictable but should never be reused with the same key material
* for CTR and GCM.
* We use a packet counter as the IV for CTR and GCM, and to ensure the
* IV is unpredictable for CBC, it is then encrypted using the same key
* as the message. You can refer to NIST SP800-38a and NIST SP800-38d
* for more details. */
static_always_inline void *
esp_generate_iv (ipsec_sa_t * sa, void *payload, int iv_sz)
{
ASSERT (iv_sz >= sizeof (u64));
u64 *iv = (u64 *) (payload - iv_sz);
clib_memset_u8 (iv, 0, iv_sz);
*iv = sa->iv_counter++;
return iv;
}
static_always_inline void static_always_inline void
esp_process_ops (vlib_main_t * vm, vlib_node_runtime_t * node, esp_process_ops (vlib_main_t * vm, vlib_node_runtime_t * node,
vnet_crypto_op_t * ops, vlib_buffer_t * b[], u16 * nexts) vnet_crypto_op_t * ops, vlib_buffer_t * b[], u16 * nexts)
@ -439,11 +457,10 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
vnet_crypto_op_t *op; vnet_crypto_op_t *op;
vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES); vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES);
vnet_crypto_op_init (op, sa0->crypto_enc_op_id); vnet_crypto_op_init (op, sa0->crypto_enc_op_id);
op->iv = payload - iv_sz; op->iv = esp_generate_iv (sa0, payload, iv_sz);
op->src = op->dst = payload; op->src = op->dst = payload;
op->key = sa0->crypto_key.data; op->key = sa0->crypto_key.data;
op->len = payload_len - icv_sz; op->len = payload_len - icv_sz;
op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV;
op->user_data = b - bufs; op->user_data = b - bufs;
op->salt = sa0->salt; op->salt = sa0->salt;
@ -460,6 +477,15 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
op->tag = payload + op->len; op->tag = payload + op->len;
op->tag_len = 16; op->tag_len = 16;
} }
else
{
/* construct zero iv in front of the IP header */
op->iv -= hdr_len - iv_sz;
clib_memset_u8 (op->iv, 0, iv_sz);
/* include iv field in crypto */
op->src -= iv_sz;
op->len += iv_sz;
}
} }
if (sa0->integ_op_id) if (sa0->integ_op_id)

2
src/vnet/ipsec/ipsec_sa.h
View File

@ -134,6 +134,8 @@ typedef struct
/* data accessed by dataplane code should be above this comment */ /* data accessed by dataplane code should be above this comment */
CLIB_CACHE_LINE_ALIGN_MARK (cacheline1); CLIB_CACHE_LINE_ALIGN_MARK (cacheline1);
u64 iv_counter;
union union
{ {
ip4_header_t ip4_hdr; ip4_header_t ip4_hdr;