From c161c46d4cda2a52a43337ed9c11be84e3d701e3 Mon Sep 17 00:00:00 2001 From: John Baldwin Date: Mon, 20 Apr 2020 22:57:15 +0000 Subject: [PATCH] Update comments about IVs used in IPsec ESP. Add some prose and a diagram describing the layout of the cipher IV for AES-CTR and AES-GCM and how it relates to the ESP IV stored in the packet after the ESP header. Also, remove an XXX comment about the initial block counter value used for AES-CTR in esp_output as the current code matches the RFC (and the equivalent code in esp_input didn't have the XXX comment). Discussed with: cem --- sys/netipsec/xform_esp.c | 46 ++++++++++++++++++++++++++-------------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c index a36fb8c7d9e3..6e3f2ece5acb 100644 --- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -406,22 +406,38 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) crp->crp_payload_start = skip + hlen; crp->crp_payload_length = m->m_pkthdr.len - (skip + hlen + alen); + /* Generate or read cipher IV. */ if (SAV_ISCTRORGCM(sav)) { ivp = &crp->crp_iv[0]; - /* GCM IV Format: RFC4106 4 */ - /* CTR IV Format: RFC3686 4 */ - /* Salt is last four bytes of key, RFC4106 8.1 */ - /* Nonce is last four bytes of key, RFC3686 5.1 */ + /* + * AES-GCM and AES-CTR use similar cipher IV formats + * defined in RFC 4106 section 4 and RFC 3686 section + * 4, respectively. + * + * The first 4 bytes of the cipher IV contain an + * implicit salt, or nonce, obtained from the last 4 + * bytes of the encryption key. The next 8 bytes hold + * an explicit IV unique to each packet. This + * explicit IV is used as the ESP IV for the packet. + * The last 4 bytes hold a big-endian block counter + * incremented for each block. For AES-GCM, the block + * counter's initial value is defined as part of the + * algorithm. For AES-CTR, the block counter's + * initial value for each packet is defined as 1 by + * RFC 3686. + * + * ------------------------------------------ + * | Salt | Explicit ESP IV | Block Counter | + * ------------------------------------------ + * 4 bytes 8 bytes 4 bytes + */ memcpy(ivp, sav->key_enc->key_data + _KEYLEN(sav->key_enc) - 4, 4); - + m_copydata(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]); if (SAV_ISCTR(sav)) { - /* Initial block counter is 1, RFC3686 4 */ be32enc(&ivp[sav->ivlen + 4], 1); } - - m_copydata(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]); crp->crp_flags |= CRYPTO_F_IV_SEPARATE; } else if (sav->ivlen != 0) crp->crp_iv_start = skip + hlen - sav->ivlen; @@ -813,22 +829,20 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, crp->crp_payload_length = m->m_pkthdr.len - (skip + hlen + alen); crp->crp_op = CRYPTO_OP_ENCRYPT; - /* Generate IV / nonce. */ + /* Generate cipher and ESP IVs. */ ivp = &crp->crp_iv[0]; if (SAV_ISCTRORGCM(sav)) { - /* GCM IV Format: RFC4106 4 */ - /* CTR IV Format: RFC3686 4 */ - /* Salt is last four bytes of key, RFC4106 8.1 */ - /* Nonce is last four bytes of key, RFC3686 5.1 */ + /* + * See comment in esp_input() for details on the + * cipher IV. A simple per-SA counter stored in + * 'cntr' is used as the explicit ESP IV. + */ memcpy(ivp, sav->key_enc->key_data + _KEYLEN(sav->key_enc) - 4, 4); be64enc(&ivp[4], cntr); if (SAV_ISCTR(sav)) { - /* Initial block counter is 1, RFC3686 4 */ - /* XXXAE: should we use this only for first packet? */ be32enc(&ivp[sav->ivlen + 4], 1); } - m_copyback(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]); crp->crp_flags |= CRYPTO_F_IV_SEPARATE; } else if (sav->ivlen != 0) {