From owner-svn-src-all@freebsd.org Mon Apr 20 22:57:15 2020
Message-Id: <202004202257.03KMvFCj021675@repo.freebsd.org>
From: John Baldwin
Date: Mon, 20 Apr 2020 22:57:15 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r360137 - head/sys/netipsec

Author: jhb
Date: Mon Apr 20 22:57:15 2020
New Revision: 360137
URL: https://svnweb.freebsd.org/changeset/base/360137

Log:
  Update comments about IVs used in IPsec ESP.

  Add some prose and a diagram describing the layout of the cipher IV for
  AES-CTR and AES-GCM and how it relates to the ESP IV stored in the packet
  after the ESP header.

  Also, remove an XXX comment about the initial block counter value used for
  AES-CTR in esp_output as the current code matches the RFC (and the
  equivalent code in esp_input didn't have the XXX comment).

  Discussed with:	cem

Modified:
  head/sys/netipsec/xform_esp.c

Modified: head/sys/netipsec/xform_esp.c
==============================================================================
--- head/sys/netipsec/xform_esp.c	Mon Apr 20 22:24:49 2020	(r360136)
+++ head/sys/netipsec/xform_esp.c	Mon Apr 20 22:57:15 2020	(r360137)
@@ -406,22 +406,38 @@ esp_input(struct mbuf *m, struct secasvar *sav, int sk crp->crp_payload_start = skip + hlen; crp->crp_payload_length = m->m_pkthdr.len - (skip + hlen + alen); + /* Generate or read cipher IV. */ if (SAV_ISCTRORGCM(sav)) { ivp = &crp->crp_iv[0]; - /* GCM IV Format: RFC4106 4 */ - /* CTR IV Format: RFC3686 4 */ - /* Salt is last four bytes of key, RFC4106 8.1 */ - /* Nonce is last four bytes of key, RFC3686 5.1 */ + /* + * AES-GCM and AES-CTR use similar cipher IV formats + * defined in RFC 4106 section 4 and RFC 3686 section + * 4, respectively. + * + * The first 4 bytes of the cipher IV contain an + * implicit salt, or nonce, obtained from the last 4 + * bytes of the encryption key. The next 8 bytes hold + * an explicit IV unique to each packet. This + * explicit IV is used as the ESP IV for the packet. + * The last 4 bytes hold a big-endian block counter + * incremented for each block. For AES-GCM, the block + * counter's initial value is defined as part of the + * algorithm. For AES-CTR, the block counter's + * initial value for each packet is defined as 1 by + * RFC 3686. + * + * ------------------------------------------ + * | Salt | Explicit ESP IV | Block Counter | + * ------------------------------------------ + * 4 bytes 8 bytes 4 bytes + */ memcpy(ivp, sav->key_enc->key_data + _KEYLEN(sav->key_enc) - 4, 4); - + m_copydata(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]); if (SAV_ISCTR(sav)) { - /* Initial block counter is 1, RFC3686 4 */ be32enc(&ivp[sav->ivlen + 4], 1); } - - m_copydata(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]); crp->crp_flags |= CRYPTO_F_IV_SEPARATE; } else if (sav->ivlen != 0) crp->crp_iv_start = skip + hlen - sav->ivlen; 
@@ -813,22 +829,20 @@ esp_output(struct mbuf *m, struct secpolicy *sp, struc crp->crp_payload_length = m->m_pkthdr.len - (skip + hlen + alen); crp->crp_op = CRYPTO_OP_ENCRYPT; - /* Generate IV / nonce. */ + /* Generate cipher and ESP IVs. */ ivp = &crp->crp_iv[0]; if (SAV_ISCTRORGCM(sav)) { - /* GCM IV Format: RFC4106 4 */ - /* CTR IV Format: RFC3686 4 */ - /* Salt is last four bytes of key, RFC4106 8.1 */ - /* Nonce is last four bytes of key, RFC3686 5.1 */ + /* + * See comment in esp_input() for details on the + * cipher IV. A simple per-SA counter stored in + * 'cntr' is used as the explicit ESP IV. + */ memcpy(ivp, sav->key_enc->key_data + _KEYLEN(sav->key_enc) - 4, 4); be64enc(&ivp[4], cntr); if (SAV_ISCTR(sav)) { - /* Initial block counter is 1, RFC3686 4 */ - /* XXXAE: should we use this only for first packet? */ be32enc(&ivp[sav->ivlen + 4], 1); } - m_copyback(m, skip + hlen - sav->ivlen, sav->ivlen, &ivp[4]); crp->crp_flags |= CRYPTO_F_IV_SEPARATE; } else if (sav->ivlen != 0) {
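Review bot: in the esp_input() hunk, the diagram in the new comment shows a full 16-byte layout ending in a block counter, but for AES-GCM the code populates only the salt and the 8-byte explicit IV: the `be32enc(&ivp[sav->ivlen + 4], 1);` write is under `if (SAV_ISCTR(sav))`, so the last 4 bytes are left to the cipher implementation. One sentence stating that explicitly (e.g. "For AES-GCM only the first 12 bytes are filled in here") would stop a reader from expecting the counter to be written for GCM. A smaller point: the prose hard-codes "8 bytes" for the explicit IV while the code indexes by `sav->ivlen`; either say that ivlen is 8 for both modes or add a `KASSERT(sav->ivlen == 8, ...)` so the comment and the code cannot drift apart. Moving `m_copydata()` ahead of the counter write is behaviour-neutral, since the two writes touch disjoint bytes (ivp[4..11] and ivp[12..15]).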
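Review bot: in the esp_output() hunk, the new comment says "A simple per-SA counter stored in 'cntr' is used as the explicit ESP IV" but not why a counter is the right choice: RFC 4106 and RFC 3686 both require that the (salt, explicit IV) pair never repeat under a given key, because a repeated counter block reuses CTR keystream and, for GCM, also undermines the authentication tag. Suggest adding that uniqueness requirement to the comment, together with a note on what bounds `cntr` so it cannot wrap under one key (the SA must be rekeyed first). Dropping the "XXXAE: should we use this only for first packet?" line matches the log message: RFC 3686 sets the block counter to 1 for every packet, and the esp_input() side already does the same without the question.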
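The cipher IV layout the new esp_input() comment documents (4-byte salt from the tail of the key, 8-byte explicit ESP IV, 4-byte block counter starting at 1) can be checked outside the kernel. The following is an added example written for this page, not FreeBSD code: `struct sa_ctr`, `esp_build_output_iv()`, `esp_build_input_iv()` and `demo_ctr_iv_roundtrip()` are hypothetical names, `be32enc()`/`be64enc()` are local stand-ins for the kernel's sys/endian.h helpers, and the key is a constructed, non-secret test value. It covers the AES-CTR case only (the GCM block counter is not written by the kernel code), builds the sender's cipher IV from a per-SA counter, reconstructs it on the receiver from the explicit IV carried in the packet, and refuses to issue an explicit IV once the counter would wrap, since a repeated (salt, explicit IV) pair under one key reuses keystream.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ESP_IVLEN    8   /* explicit ESP IV length for AES-CTR/AES-GCM (sav->ivlen) */
#define CIPHER_IVLEN 16  /* salt (4) + explicit ESP IV (8) + block counter (4) */

/* Local stand-ins for the kernel's be32enc()/be64enc() from sys/endian.h. */
static void be32enc(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void be64enc(uint8_t *p, uint64_t v)
{
	be32enc(p, (uint32_t)(v >> 32));
	be32enc(p + 4, (uint32_t)v);
}

/* Hypothetical stand-in for the parts of struct secasvar the IV code touches. */
struct sa_ctr {
	uint8_t  key[20];  /* AES-128 key (16 bytes) + 4-byte nonce/salt, RFC 3686 5.1 / RFC 4106 8.1 */
	size_t   keylen;
	uint64_t cntr;     /* next explicit ESP IV; must never repeat under this key */
};

/* Sender side: fill the cipher IV and return the explicit IV that goes into
 * the packet after the ESP header.  Returns false instead of wrapping cntr:
 * a repeated (salt, explicit IV) pair under one key reuses CTR keystream and,
 * for GCM, breaks the authentication tag, so the SA must be rekeyed instead. */
static bool
esp_build_output_iv(struct sa_ctr *sa, uint8_t cipher_iv[CIPHER_IVLEN], uint8_t esp_iv[ESP_IVLEN])
{
	if (sa->cntr == UINT64_MAX)
		return (false);
	memcpy(cipher_iv, sa->key + sa->keylen - 4, 4);   /* implicit salt/nonce */
	be64enc(&cipher_iv[4], sa->cntr);                 /* explicit ESP IV */
	be32enc(&cipher_iv[ESP_IVLEN + 4], 1);            /* RFC 3686 initial block counter */
	memcpy(esp_iv, &cipher_iv[4], ESP_IVLEN);         /* copied into the packet */
	sa->cntr++;
	return (true);
}

/* Receiver side: rebuild the same cipher IV from the shared key and the
 * explicit IV read back out of the packet. */
static void
esp_build_input_iv(const struct sa_ctr *sa, const uint8_t esp_iv[ESP_IVLEN], uint8_t cipher_iv[CIPHER_IVLEN])
{
	memcpy(cipher_iv, sa->key + sa->keylen - 4, 4);
	memcpy(&cipher_iv[4], esp_iv, ESP_IVLEN);
	be32enc(&cipher_iv[ESP_IVLEN + 4], 1);
}

/* Two packets on one SA: distinct explicit IVs, receiver reconstructs the
 * sender's cipher IV byte for byte, and the wrap guard refuses a reuse.
 * Returns 0 on success, a distinct nonzero code for each failed check. */
int
demo_ctr_iv_roundtrip(void)
{
	/* Constructed sample SA: fixed, non-secret key whose last 4 bytes are the nonce. */
	struct sa_ctr tx = { .keylen = 20, .cntr = 1 };
	for (size_t i = 0; i < sizeof(tx.key); i++)
		tx.key[i] = (uint8_t)(0xa0 + i);
	struct sa_ctr rx = tx;   /* receiver shares the key; its cntr is unused */
	uint8_t tx_iv[2][CIPHER_IVLEN], esp_iv[2][ESP_IVLEN], rx_iv[CIPHER_IVLEN];

	for (int i = 0; i < 2; i++) {
		if (!esp_build_output_iv(&tx, tx_iv[i], esp_iv[i]))
			return (1);
		esp_build_input_iv(&rx, esp_iv[i], rx_iv);
		if (memcmp(tx_iv[i], rx_iv, CIPHER_IVLEN) != 0)
			return (2);
		if (memcmp(tx_iv[i], tx.key + 16, 4) != 0)   /* salt is the key tail */
			return (3);
	}
	if (memcmp(esp_iv[0], esp_iv[1], ESP_IVLEN) == 0)  /* explicit IVs must differ */
		return (4);
	tx.cntr = UINT64_MAX;
	if (esp_build_output_iv(&tx, tx_iv[0], esp_iv[0]))  /* wrap must be refused */
		return (5);
	return (0);
}

int
main(void)
{
	int rc = demo_ctr_iv_roundtrip();
	printf("cipher IV round-trip: %s\n", rc == 0 ? "ok" : "FAILED");
	return (rc);
}
```

The receiver never trusts a counter from the wire: it reads only the 8 explicit bytes and reinserts the salt from its own key and the fixed initial block counter, which is exactly what the esp_input() diagram describes.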