[Swan-dev] location of block-alignment check when decrypting?

Andrew Cagney andrew.cagney at gmail.com
Wed Dec 31 18:50:27 EET 2014


Hi,

The function ikev2_decrypt_msg does the sequence:

- check for too small, if invalid, fail
- check integrity
- if no integrity, fail
- if needed, check payload block alignment, if invalid, fail
- decrypt
- if invalid pad-length, fail

as part of integrating GCM, I'm moving the block-alignment check to
before the integrity check viz.:

- check for too small, if invalid, fail
- if needed, check payload block alignment, if invalid, fail
- check integrity
- if no integrity, fail
- decrypt
- if invalid pad-length, fail

First, it makes inserting Authenticated Encryption with Associated
Data algorithms (i.e., GCM) easier; and, second, like the small packet
check, alignment requirements aren't exactly secret.

Also, giving the remote end the ability to craft a packet so that only
integrity is run just bugs me.  With that in mind, I'm wondering if
the code should be changed further to:

- check for too small, if invalid, fail
- if needed, check payload block alignment, if invalid, fail
- check integrity
- decrypt
- if no integrity, fail
- if invalid pad-length, fail

i.e., always run both integrity and decrypt; I suspect I'm being paranoid :-)

Andrew
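The three orderings listed in the post, written out as an added example (this is not libreswan's ikev2_decrypt_msg and not the author's code). It uses a toy 16-byte Feistel block cipher with an HMAC round function in place of AES so that it runs with only the Python standard library, lays the packet out as IV || CBC(plaintext || padding || pad-length) || ICV (the IKEv2 Encrypted payload layout), and records which checks actually ran so the difference between the orderings is visible: with the original order a flipped ICV causes only the integrity check to run; with the "always run both" order the same packet costs the receiver integrity plus decryption, and the pad-length check is still never reached on a failed ICV. Key, message and packet values are constructed for the example.

```python
"""Added example, not libreswan code: the check orderings discussed in the post
over a toy encrypt-then-MAC construction."""
import hashlib
import hmac
import os

BLOCK = 16      # cipher block size in bytes
ICV_LEN = 16    # integrity checksum value: truncated HMAC, as IKEv2 integrity algorithms do


# Toy block cipher: 4-round Feistel network, HMAC-SHA256 as the round function.
# It stands in for AES so the example needs nothing outside the standard library.
def _f(key, half, rnd):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, data):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return bytes(out)


def seal(enc_key, int_key, plaintext):
    """Build IV || CBC(plaintext || padding || pad-length) || ICV, the IKEv2
    Encrypted payload layout; the ICV covers everything before it."""
    pad_len = (BLOCK - (len(plaintext) + 1) % BLOCK) % BLOCK
    padded = plaintext + bytes(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, padded)
    icv = hmac.new(int_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def ikev2_decrypt_msg(enc_key, int_key, wire, order):
    """order is "original", "moved" or "both": the three lists in the post.
    Returns (plaintext or None, names of the checks that actually ran)."""
    ran = []
    if len(wire) < 2 * BLOCK + ICV_LEN:        # IV + at least one block + ICV
        ran.append("too-small")
        return None, ran
    iv, ct, icv = wire[:BLOCK], wire[BLOCK:-ICV_LEN], wire[-ICV_LEN:]

    def aligned():
        ran.append("align")
        return len(ct) % BLOCK == 0

    def integrity():
        ran.append("integrity")
        expect = hmac.new(int_key, wire[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        return hmac.compare_digest(expect, icv)

    def decrypt():
        ran.append("decrypt")
        return cbc_decrypt(enc_key, iv, ct)

    def unpad(padded):
        ran.append("pad-length")
        pad_len = padded[-1]
        return padded[:-pad_len - 1] if pad_len + 1 <= len(padded) else None

    if order == "original":               # integrity, then alignment, then decrypt
        if not integrity():
            return None, ran
        if not aligned():
            return None, ran
        return unpad(decrypt()), ran
    if order == "moved":                  # alignment first: it is public anyway
        if not aligned():
            return None, ran
        if not integrity():
            return None, ran
        return unpad(decrypt()), ran
    if order == "both":                   # always run integrity and decrypt
        if not aligned():
            return None, ran
        ok = integrity()
        padded = decrypt()
        if not ok:
            return None, ran
        return unpad(padded), ran
    raise ValueError(order)
```

The alignment check has to stay ahead of decryption in every variant, since CBC decryption of a partial block is undefined; that is why the post keeps it alongside the size check rather than after the integrity check.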

