[Swan-dev] location of block-alignment check when decrypting?
Andrew Cagney
andrew.cagney at gmail.com
Wed Dec 31 18:50:27 EET 2014
Hi,
The function ikev2_decrypt_msg does the sequence:
- check for too small, if invalid, fail
- check integrity
- if no integrity, fail
- if needed, check payload block alignment, if invalid, fail
- decrypt
- if invalid pad-length, fail
as part of integrating GCM, I'm moving the block-alignment check to
before the integrity check, viz.:
- check for too small, if invalid, fail
- if needed, check payload block alignment, if invalid, fail
- check integrity
- if no integrity, fail
- decrypt
- if invalid pad-length, fail
First, it makes inserting Authenticated Encryption with Associated
Data algorithms (i.e., GCM) easier; and, second, like the small packet
check, alignment requirements aren't exactly secret.
Also, giving the remote end the ability to craft a packet so that only
integrity is run just bugs me. With that in mind, I'm wondering if
the code should be changed further to:
- check for too small, if invalid, fail
- if needed, check payload block alignment, if invalid, fail
- check integrity
- decrypt
- if no integrity, fail
- if invalid pad-length, fail
i.e., always run both integrity and decrypt; I suspect I'm being paranoid :-)
Andrew
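The third check sequence from the post (size, alignment, integrity, unconditional decrypt, then act on the integrity result, then pad length), written out as an added example that is not libreswan's own ikev2_decrypt_msg. It models an IKEv2 SK payload as IV || CBC ciphertext || truncated ICV; the "block cipher" is a SHA-256 Feistel placeholder standing in for AES, the ICV is a truncated HMAC-SHA256, and the function names, the 16-byte ICV length and the 28-byte header are all assumptions of this example.

```python
import hashlib
import hmac
import os

BLOCK = 16       # cipher block size (AES-sized) for the placeholder cipher
ICV_LEN = 16     # assumed truncated HMAC-SHA256 integrity checksum length
ROUNDS = 4       # Feistel rounds of the placeholder cipher


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Round function of the placeholder cipher: keyed SHA-256, half a block wide.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    # Placeholder keyed permutation (Feistel over SHA-256); not a real cipher.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def build_sk_payload(key_a, key_e, header, plaintext, iv=None):
    """Sender side: IV || CBC(plaintext || padding || pad-length) || ICV."""
    iv = os.urandom(BLOCK) if iv is None else iv
    pad_len = (BLOCK - (len(plaintext) + 1) % BLOCK) % BLOCK
    ciphertext = cbc_encrypt(key_e, iv, plaintext + bytes(pad_len) + bytes([pad_len]))
    icv = hmac.new(key_a, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return iv + ciphertext + icv


def decrypt_sk_payload(key_a, key_e, header, payload):
    """Receiver side; returns (status, plaintext). Check order follows the post."""
    # 1. too small: an IV, at least one cipher block and the ICV must all fit
    if len(payload) < BLOCK + BLOCK + ICV_LEN:
        return ("too-small", None)
    iv, ciphertext, icv = payload[:BLOCK], payload[BLOCK:-ICV_LEN], payload[-ICV_LEN:]
    # 2. block alignment, before integrity: cheap, and not secret anyway
    if len(ciphertext) % BLOCK != 0:
        return ("misaligned", None)
    # 3. integrity: compute and compare in constant time, but do not return yet
    expected = hmac.new(key_a, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    integrity_ok = hmac.compare_digest(expected, icv)
    # 4. decrypt unconditionally, so the work done does not depend on the ICV
    padded = cbc_decrypt(key_e, iv, ciphertext)
    # 5. only now act on the integrity result; the decrypted bytes are never
    #    inspected (not even the pad length) when the ICV was wrong
    if not integrity_ok:
        return ("bad-integrity", None)
    # 6. pad length is the last octet and must fit inside the decrypted data
    pad_len = padded[-1]
    if pad_len + 1 > len(padded):
        return ("bad-pad-length", None)
    return ("ok", padded[:len(padded) - pad_len - 1])
```

The ordering matters in step 5: decrypting before the integrity result is consulted is harmless only as long as nothing derived from the plaintext (the pad-length check included) is acted on or reported until the ICV has been confirmed, so a misaligned or tampered payload produces the same failure regardless of what the decrypt produced.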