ipsec: fix AES CBC IV generation (CVE-2022-46397)

For AES-CBC, the IV must be unpredictable (see NIST SP800-38a Appendix
C). Chaining IVs like is done by ipsecmb and native backends for the
VNET_CRYPTO_OP_FLAG_INIT_IV is fully predictable.
Encrypt a counter as part of the message, making the (predictable)
counter-generated IV unpredictable.

Fixes: VPP-2037
Type: fix

Change-Id: If4f192d62bf97dda553e7573331c75efa11822ae
Signed-off-by: Benoît Ganne <bganne@cisco.com>

Makefile

@@ -135,6 +135,11 @@ endif
 # +ganglia-devel if building the ganglia plugin
 
 RPM_DEPENDS += chrpath libffi-devel rpm-build
+
+RPM_DEPENDS_DEBUG  = glibc-debuginfo e2fsprogs-debuginfo
+RPM_DEPENDS_DEBUG += krb5-debuginfo openssl-debuginfo
+RPM_DEPENDS_DEBUG += zlib-debuginfo nss-softokn-debuginfo
+RPM_DEPENDS_DEBUG += yum-plugin-auto-update-debug-info
 # lowercase- replace spaces with dashes.
 SUSE_NAME= $(shell grep '^NAME=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g' | sed -e 's/ /-/' | awk '{print tolower($$0)}')
 SUSE_ID= $(shell grep '^VERSION_ID=' /etc/os-release | cut -f2- -d= | sed -e 's/\"//g' | cut -d' ' -f2)
@@ -323,7 +328,7 @@ else ifeq ($(OS_ID),centos)
 	@sudo -E yum install $(CONFIRM) centos-release-scl-rh epel-release
 	@sudo -E yum groupinstall $(CONFIRM) $(RPM_DEPENDS_GROUPS)
 	@sudo -E yum install $(CONFIRM) $(RPM_DEPENDS)
-	@sudo -E debuginfo-install $(CONFIRM) glibc openssl-libs mbedtls-devel zlib
+	@sudo -E yum install $(CONFIRM) --enablerepo=base-debuginfo $(RPM_DEPENDS_DEBUG)
 else ifeq ($(OS_ID),fedora)
 	@sudo -E dnf groupinstall $(CONFIRM) $(RPM_DEPENDS_GROUPS)
 	@sudo -E dnf install $(CONFIRM) $(RPM_DEPENDS)

RELEASE.md

@@ -3,6 +3,7 @@
 * @subpage release_notes_20051
 * @subpage release_notes_2005
 * @subpage release_notes_2001
+* @subpage release_notes_19083
 * @subpage release_notes_19082
 * @subpage release_notes_19081
 * @subpage release_notes_1908
@@ -2079,6 +2080,14 @@ Found 493 api message signature differences
 | [a47a5f20a](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=a47a5f20a) | api papi: add alias for timestamp(datetime)/timedelta |
 | [3cf9e67f5](https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commit;h=3cf9e67f5) | api: add vl_api_version_t type |
 
+@page release_notes_19083 Release notes for VPP 19.08.3
+
+This is bug fix release.
+
+For the full list of fixed issues please refer to:
+- fd.io [JIRA](https://jira.fd.io)
+- git [commit log](https://git.fd.io/vpp/log/?h=stable/1908)
+
 @page release_notes_19082 Release notes for VPP 19.08.2
 
 The 19.08.2 is an LTS release. It contains numerous fixes,
@@ -6785,15 +6794,6 @@ For the full list of fixed issues please reffer to:
 - git [commit log](https://git.fd.io/vpp/log/?h=stable/1701)
 
 
-@page release_notes_17011 Release notes for VPP 17.01.1
-
-This is bug fix release.
-
-For the full list of fixed issues please reffer to:
-- fd.io [JIRA](https://jira.fd.io)
-- git [commit log](https://git.fd.io/vpp/log/?h=stable/1701)
-
-
 @page release_notes_1701 Release notes for VPP 17.01
 
 @note This release was for a while known as 16.12.

extras/rpm/vpp.spec

@@ -169,7 +169,10 @@ Requires(post): python3-policycoreutils
 This package contains a tailored VPP SELinux policy
 
 %prep
-%setup -q -n %{name}-%{_version}
+%setup -q -c -T -n %{name}-%{_version}
+cd ..
+unxz --stdout ./SOURCES/%{name}-%{_version}-%{_release}.tar.xz | tar --extract --touch
+cd -
 
 %pre
 # Add the vpp group
@@ -180,7 +183,7 @@ groupadd -f -r vpp
 . /opt/rh/devtoolset-9/enable
 %endif
 %if %{with aesni}
-    make bootstrap
+    make install-dep
     make -C build-root PLATFORM=vpp TAG=%{_vpp_tag} install-packages
 %else
     make bootstrap AESNI=n

src/vcl/vppcom.c

@@ -2967,7 +2967,7 @@ vppcom_epoll_wait_condvar (vcl_worker_t * wrk, struct epoll_event *events,
 	continue;
 
       now = clib_time_now (&wrk->clib_time);
-      wait -= now - start;
+      wait -= (now - start) * 1e3;
       start = now;
     }
   while (wait > 0);

src/vnet/crypto/crypto.h

@@ -304,7 +304,7 @@ typedef struct
   i16 integ_start_offset;
   u32 crypto_total_length;
   /* adj total_length for integ, e.g.4 bytes for IPSec ESN */
-  u16 integ_length_adj;
+  i16 integ_length_adj;
   u8 *iv;
   union
   {
@@ -573,7 +573,7 @@ vnet_crypto_async_add_to_frame (vlib_main_t * vm,
 				u32 key_index,
 				u32 crypto_len, i16 integ_len_adj,
 				i16 crypto_start_offset,
-				u16 integ_start_offset,
+				i16 integ_start_offset,
 				u32 buffer_index,
 				u16 next_node,
 				u8 * iv, u8 * tag, u8 * aad, u8 flags)

src/vnet/ipsec/esp_encrypt.c

@@ -118,7 +118,7 @@ esp_add_footer_and_icv (vlib_main_t * vm, vlib_buffer_t ** last,
 {
   static const u8 pad_data[ESP_MAX_BLOCK_SIZE] = {
     0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
-    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x00, 0x00,
+    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00,
   };
 
   u16 min_length = total_len + sizeof (esp_footer_t);
@@ -234,6 +234,24 @@ esp_get_ip6_hdr_len (ip6_header_t * ip6, ip6_ext_header_t ** ext_hdr)
   return len;
 }
 
+/* IPsec IV generation: IVs requirements differ depending of the
+ * encryption mode: IVs must be unpredictable for AES-CBC whereas it can
+ * be predictable but should never be reused with the same key material
+ * for CTR and GCM.
+ * We use a packet counter as the IV for CTR and GCM, and to ensure the
+ * IV is unpredictable for CBC, it is then encrypted using the same key
+ * as the message. You can refer to NIST SP800-38a and NIST SP800-38d
+ * for more details. */
+static_always_inline void *
+esp_generate_iv (ipsec_sa_t * sa, void *payload, int iv_sz)
+{
+  ASSERT (iv_sz >= sizeof (u64));
+  u64 *iv = (u64 *) (payload - iv_sz);
+  clib_memset_u8 (iv, 0, iv_sz);
+  *iv = sa->iv_counter++;
+  return iv;
+}
+
 static_always_inline void
 esp_process_chained_ops (vlib_main_t * vm, vlib_node_runtime_t * node,
 			 vnet_crypto_op_t * ops, vlib_buffer_t * b[],
@@ -396,10 +414,16 @@ esp_prepare_sync_op (vlib_main_t * vm, ipsec_per_thread_data_t * ptd,
       vnet_crypto_op_t *op;
       vec_add2_aligned (crypto_ops[0], op, 1, CLIB_CACHE_LINE_BYTES);
       vnet_crypto_op_init (op, sa0->crypto_enc_op_id);
+      u8 *crypto_start = payload;
+      /* esp_add_footer_and_icv() in esp_encrypt_inline() makes sure we always
+       * have enough space for ESP header and footer which includes ICV */
+      ASSERT (payload_len > icv_sz);
+      u16 crypto_len = payload_len - icv_sz;
+
+      /* generate the IV in front of the payload */
+      void *pkt_iv = esp_generate_iv (sa0, payload, iv_sz);
 
-      op->src = op->dst = payload;
       op->key_index = sa0->crypto_key_index;
-      op->len = payload_len - icv_sz;
       op->user_data = b - bufs;
 
       if (ipsec_sa_is_set_IS_AEAD (sa0))
@@ -411,18 +435,21 @@ esp_prepare_sync_op (vlib_main_t * vm, ipsec_per_thread_data_t * ptd,
 	  op->aad = payload - hdr_len - sizeof (esp_aead_t);
 	  op->aad_len = esp_aad_fill (op->aad, esp, sa0);
 
-	  op->tag = payload + op->len;
+	  op->tag = payload + crypto_len;
 	  op->tag_len = 16;
 
-	  u64 *iv = (u64 *) (payload - iv_sz);
 	  nonce->salt = sa0->salt;
-	  nonce->iv = *iv = clib_host_to_net_u64 (sa0->gcm_iv_counter++);
+	  nonce->iv = *(u64 *) pkt_iv;
 	  op->iv = (u8 *) nonce;
 	}
       else
 	{
-	  op->iv = payload - iv_sz;
-	  op->flags = VNET_CRYPTO_OP_FLAG_INIT_IV;
+	  /* construct zero iv in front of the IP header */
+	  op->iv = pkt_iv - hdr_len - iv_sz;
+	  clib_memset_u8 (op->iv, 0, iv_sz);
+	  /* include iv field in crypto */
+	  crypto_start -= iv_sz;
+	  crypto_len += iv_sz;
 	}
 
       if (lb != b[0])
@@ -431,8 +458,15 @@ esp_prepare_sync_op (vlib_main_t * vm, ipsec_per_thread_data_t * ptd,
 	  op->flags |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS;
 	  op->chunk_index = vec_len (ptd->chunks);
 	  op->tag = vlib_buffer_get_tail (lb) - icv_sz;
-	  esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz, payload,
-				    payload_len, &op->n_chunks);
+	  esp_encrypt_chain_crypto (vm, ptd, sa0, b[0], lb, icv_sz,
+				    crypto_start, crypto_len + icv_sz,
+				    &op->n_chunks);
+	}
+      else
+	{
+	  /* not chained */
+	  op->src = op->dst = crypto_start;
+	  op->len = crypto_len;
 	}
     }
 
@@ -482,17 +516,20 @@ esp_prepare_async_frame (vlib_main_t * vm, ipsec_per_thread_data_t * ptd,
   u8 *tag, *iv, *aad = 0;
   u8 flag = 0;
   u32 key_index;
-  i16 crypto_start_offset, integ_start_offset = 0;
+  i16 crypto_start_offset, integ_start_offset;
   u16 crypto_total_len, integ_total_len;
 
   post->next_index = next[0];
   next[0] = ESP_ENCRYPT_NEXT_PENDING;
 
   /* crypto */
-  crypto_start_offset = payload - b->data;
+  crypto_start_offset = integ_start_offset = payload - b->data;
   crypto_total_len = integ_total_len = payload_len - icv_sz;
   tag = payload + crypto_total_len;
 
+  /* generate the IV in front of the payload */
+  void *pkt_iv = esp_generate_iv (sa, payload, iv_sz);
+
   /* aead */
   if (ipsec_sa_is_set_IS_AEAD (sa))
     {
@@ -503,7 +540,7 @@ esp_prepare_async_frame (vlib_main_t * vm, ipsec_per_thread_data_t * ptd,
       esp_aad_fill (aad, esp, sa);
       nonce = (esp_gcm_nonce_t *) (aad - sizeof (*nonce));
       nonce->salt = sa->salt;
-      nonce->iv = *pkt_iv = clib_host_to_net_u64 (sa->gcm_iv_counter++);
+      nonce->iv = *(u64 *) pkt_iv;
       iv = (u8 *) nonce;
       key_index = sa->crypto_key_index;
 
@@ -513,25 +550,38 @@ esp_prepare_async_frame (vlib_main_t * vm, ipsec_per_thread_data_t * ptd,
 	  flag |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS;
 	  tag = vlib_buffer_get_tail (lb) - icv_sz;
 	  crypto_total_len = esp_encrypt_chain_crypto (vm, ptd, sa, b, lb,
-						       icv_sz, payload,
-						       payload_len, 0);
+						       icv_sz,
+						       b->data +
+						       crypto_start_offset,
+						       crypto_total_len +
+						       icv_sz, 0);
 	}
       goto out;
     }
+  else
+    {
+      /* construct zero iv in front of the IP header */
+      iv = pkt_iv - hdr_len - iv_sz;
+      clib_memset_u8 (iv, 0, iv_sz);
+      /* include iv field in crypto */
+      crypto_start_offset -= iv_sz;
+      crypto_total_len += iv_sz;
+    }
 
   /* cipher then hash */
-  iv = payload - iv_sz;
-  integ_start_offset = crypto_start_offset - iv_sz - sizeof (esp_header_t);
+  integ_start_offset -= iv_sz + sizeof (esp_header_t);
   integ_total_len += iv_sz + sizeof (esp_header_t);
-  flag |= VNET_CRYPTO_OP_FLAG_INIT_IV;
   key_index = sa->linked_key_index;
 
   if (b != lb)
     {
       flag |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS;
       crypto_total_len = esp_encrypt_chain_crypto (vm, ptd, sa, b, lb,
-						   icv_sz, payload,
-						   payload_len, 0);
+						   icv_sz,
+						   b->data +
+						   crypto_start_offset,
+						   crypto_total_len + icv_sz,
+						   0);
       tag = vlib_buffer_get_tail (lb) - icv_sz;
       integ_total_len = esp_encrypt_chain_integ (vm, ptd, sa, b, lb, icv_sz,
 						 payload - iv_sz -

src/vnet/ipsec/ipsec_sa.h

@@ -182,7 +182,7 @@ typedef struct
 
   /* Salt used in GCM modes - stored in network byte order */
   u32 salt;
-  u64 gcm_iv_counter;
+  u64 iv_counter;
 
   union
   {

src/vpp/stats/stat_segment.c

@@ -295,20 +295,28 @@ stat_validate_counter_vector (stat_segment_directory_entry_t * ep, u32 max)
 {
   stat_segment_main_t *sm = &stat_segment_main;
   stat_segment_shared_header_t *shared_header = sm->shared_header;
-  counter_t **counters = 0;
+  counter_t **counters =
+    ep->offset ? stat_segment_pointer (shared_header, ep->offset) : 0;
   vlib_thread_main_t *tm = vlib_get_thread_main ();
   int i;
   u64 *offset_vector = 0;
 
   vec_validate_aligned (counters, tm->n_vlib_mains - 1,
 			CLIB_CACHE_LINE_BYTES);
+  ep->offset = stat_segment_offset (shared_header, counters);
+
   for (i = 0; i < tm->n_vlib_mains; i++)
     {
       vec_validate_aligned (counters[i], max, CLIB_CACHE_LINE_BYTES);
       vec_add1 (offset_vector,
 		stat_segment_offset (shared_header, counters[i]));
     }
-  ep->offset = stat_segment_offset (shared_header, counters);
+
+  if (ep->offset_vector)
+    {
+      u64 *p = stat_segment_pointer (sm->shared_header, ep->offset_vector);
+      vec_free (p);
+    }
   ep->offset_vector = stat_segment_offset (shared_header, offset_vector);
 }