* esp4: Use high-order sequence number bits for IV generation
@ 2015-05-13 7:26 Herbert Xu
2015-05-13 10:18 ` Steffen Klassert
2015-05-20 16:38 ` xfrm: Always zero high-order sequence number bits Herbert Xu
0 siblings, 2 replies; 4+ messages in thread
From: Herbert Xu @ 2015-05-13 7:26 UTC (permalink / raw)
To: Steffen Klassert, netdev
I noticed we were only using the low-order bits for IV generation
when ESN is enabled. This is very bad because it means that the
IV can repeat. We must use the full 64 bits.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 421a80b..30b544f 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -256,7 +256,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
aead_givcrypt_set_crypt(req, sg, sg, clen, iv);
aead_givcrypt_set_assoc(req, asg, assoclen);
aead_givcrypt_set_giv(req, esph->enc_data,
- XFRM_SKB_CB(skb)->seq.output.low);
+ XFRM_SKB_CB(skb)->seq.output.low +
+ ((u64)XFRM_SKB_CB(skb)->seq.output.hi << 32));
ESP_SKB_CB(skb)->tmp = tmp;
err = crypto_aead_givencrypt(req);
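Review bot: The new argument to aead_givcrypt_set_giv() reads `XFRM_SKB_CB(skb)->seq.output.hi` on every packet, but nothing in this hunk shows that `hi` has been written for states that do not use ESN. If the replay code fills only `seq.output.low` in that case, whatever was left in the control block is shifted into the top 32 bits of the IV input. Please confirm that every output path initialises `hi` before esp_output() runs; the follow-up in this thread, "xfrm: Always zero high-order sequence number bits", does this in xfrm_replay_overflow() and xfrm_replay_overflow_bmp(). As a minor style point, combining the halves with `|` rather than `+` would make it clearer that two disjoint 32-bit fields are being joined.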
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
* Re: esp4: Use high-order sequence number bits for IV generation
From: Steffen Klassert @ 2015-05-13 10:18 UTC (permalink / raw)
To: Herbert Xu; +Cc: netdev
On Wed, May 13, 2015 at 03:26:10PM +0800, Herbert Xu wrote:
> I noticed we were only using the low-order bits for IV generation
> when ESN is enabled. This is very bad because it means that the
> IV can repeat. We must use the full 64 bits.
Ugh. This is bad, indeed.
>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Patch applied to the ipsec tree, thanks!
* xfrm: Always zero high-order sequence number bits
From: Herbert Xu @ 2015-05-20 16:38 UTC (permalink / raw)
To: Steffen Klassert, netdev
As we're now always including the high bits of the sequence number
in the IV generation process we need to ensure that they don't
contain crap.
This patch ensures that the high sequence bits are always zeroed
so that we don't leak random data into the IV.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index dab57da..4fd725a 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -99,6 +99,7 @@ static int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb)
if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq;
+ XFRM_SKB_CB(skb)->seq.output.hi = 0;
if (unlikely(x->replay.oseq == 0)) {
x->replay.oseq--;
xfrm_audit_state_replay_overflow(x, skb);
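Review bot: The zeroing of `seq.output.hi` in xfrm_replay_overflow() sits inside the `if (x->type->flags & XFRM_TYPE_REPLAY_PROT)` block, so for a type without that flag neither `low` nor `hi` is written here. If any such state can reach code that builds an IV from `seq.output`, the high bits are still uninitialised on that path. Either move the `hi = 0` assignment (and arguably a defined value for `low`) ahead of the conditional, or note in the commit message why types without XFRM_TYPE_REPLAY_PROT never feed the sequence number into IV generation.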
@@ -177,6 +178,7 @@ static int xfrm_replay_overflow_bmp(struct xfrm_state *x, struct sk_buff *skb)
if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq;
+ XFRM_SKB_CB(skb)->seq.output.hi = 0;
if (unlikely(replay_esn->oseq == 0)) {
replay_esn->oseq--;
xfrm_audit_state_replay_overflow(x, skb);
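Review bot: In xfrm_replay_overflow_bmp() the added `seq.output.hi = 0` has no comment, and because the counter lives in `replay_esn` a reader could take the constant zero for a dropped ESN high word. The wrap check on `replay_esn->oseq == 0` shows this variant keeps only a 32-bit counter, so a one-line comment saying that `hi` is cleared because the sequence number is now consumed as a full 64-bit value for IV generation would keep the line from being removed later as dead code. The same assignment is now repeated in two functions, so a small helper that sets both halves would keep them from drifting apart.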
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt