Before decrypting the packet, IPsec checks whether the inbound protected packet is malformed; if it is, the packet is discarded.

Signed-off-by: qianouyang
Reviewed-by: zhangchaointel jyao1

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12464 6f19259b-4bc3-4df7-8a09-765794883524
qianouyang 2011-09-28 03:20:22 +00:00
parent f7bb98019a
commit 4cb0548d01
1 changed files with 37 additions and 11 deletions


@ -783,7 +783,7 @@ IpSecEspAuthVerifyPayload (
IN UINT8 *EspBuffer, IN UINT8 *EspBuffer,
IN UINTN EspSize, IN UINTN EspSize,
IN IPSEC_SAD_ENTRY *SadEntry, IN IPSEC_SAD_ENTRY *SadEntry,
IN UINTN *IcvSize IN UINTN IcvSize
) )
{ {
EFI_STATUS Status; EFI_STATUS Status;
@ -794,8 +794,7 @@ IpSecEspAuthVerifyPayload (
// //
// Calculate the size of authentication payload. // Calculate the size of authentication payload.
// //
*IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId); AuthSize = EspSize - IcvSize;
AuthSize = EspSize - *IcvSize;
// //
// Calculate the icv buffer and size of the payload. // Calculate the icv buffer and size of the payload.
@ -810,7 +809,7 @@ IpSecEspAuthVerifyPayload (
HashFragment, HashFragment,
1, 1,
IcvBuffer, IcvBuffer,
*IcvSize IcvSize
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
return Status; return Status;
@ -819,7 +818,7 @@ IpSecEspAuthVerifyPayload (
// //
// Compare the calculated icv and the appended original icv. // Compare the calculated icv and the appended original icv.
// //
if (CompareMem (EspBuffer + AuthSize, IcvBuffer, *IcvSize) == 0) { if (CompareMem (EspBuffer + AuthSize, IcvBuffer, IcvSize) == 0) {
return EFI_SUCCESS; return EFI_SUCCESS;
} }
@ -1371,7 +1370,7 @@ IpSecTunnelOutboundPacket (
@retval EFI_SUCCESS The operation was successful. @retval EFI_SUCCESS The operation was successful.
@retval EFI_ACCESS_DENIED One or more following conditions is TRUE: @retval EFI_ACCESS_DENIED One or more following conditions is TRUE:
- ESP header was not found. - ESP header was not found or mal-format.
- The related SAD entry was not found. - The related SAD entry was not found.
- The related SAD entry does not support the ESP protocol. - The related SAD entry does not support the ESP protocol.
@retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated. @retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
@ -1394,6 +1393,8 @@ IpSecEspInboundPacket (
NET_BUF *Payload; NET_BUF *Payload;
UINTN EspSize; UINTN EspSize;
UINTN IvSize; UINTN IvSize;
UINTN BlockSize;
UINTN MiscSize;
UINTN PlainPayloadSize; UINTN PlainPayloadSize;
UINTN PaddingSize; UINTN PaddingSize;
UINTN IcvSize; UINTN IcvSize;
@ -1486,15 +1487,36 @@ IpSecEspInboundPacket (
NetbufCopy (Payload, 0, (UINT32) EspSize, ProcessBuffer); NetbufCopy (Payload, 0, (UINT32) EspSize, ProcessBuffer);
// //
// Authenticate the esp wrapped buffer by the auth keys which is from SAD entry. // Get the IcvSize for authentication and BlockSize/IvSize for Decryption.
//
IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId);
IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
BlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
//
// Make sure the ESP packet is not mal-formt.
// 1. Check whether the Espsize is larger than ESP header + IvSize + EspTail + IcvSize.
// 2. Check whether the left payload size is multiple of IvSize.
//
MiscSize = sizeof (EFI_ESP_HEADER) + IvSize + IcvSize;
if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL))) {
Status = EFI_ACCESS_DENIED;
goto ON_EXIT;
}
if ((EspSize - MiscSize) % BlockSize != 0) {
Status = EFI_ACCESS_DENIED;
goto ON_EXIT;
}
//
// Authenticate the ESP packet.
// //
IcvSize = 0;
if (SadData->AlgoInfo.EspAlgoInfo.AuthKey != NULL) { if (SadData->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {
Status = IpSecEspAuthVerifyPayload ( Status = IpSecEspAuthVerifyPayload (
ProcessBuffer, ProcessBuffer,
EspSize, EspSize,
SadEntry, SadEntry,
&IcvSize IcvSize
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
goto ON_EXIT; goto ON_EXIT;
@ -1503,7 +1525,6 @@ IpSecEspInboundPacket (
// //
// Decrypt the payload by the SAD entry if it has decrypt key. // Decrypt the payload by the SAD entry if it has decrypt key.
// //
IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
if (SadData->AlgoInfo.EspAlgoInfo.EncKey != NULL) { if (SadData->AlgoInfo.EspAlgoInfo.EncKey != NULL) {
Status = IpSecCryptoIoDecrypt ( Status = IpSecCryptoIoDecrypt (
SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId, SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId,
@ -1525,7 +1546,12 @@ IpSecEspInboundPacket (
EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL)); EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL));
PaddingSize = EspTail->PaddingLength; PaddingSize = EspTail->PaddingLength;
NextHeader = EspTail->NextHeader; NextHeader = EspTail->NextHeader;
PlainPayloadSize = EspSize - sizeof (EFI_ESP_HEADER) - IvSize - IcvSize - sizeof (EFI_ESP_TAIL) - PaddingSize;
if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL) + PaddingSize)) {
Status = EFI_ACCESS_DENIED;
goto ON_EXIT;
}
PlainPayloadSize = EspSize - MiscSize - sizeof (EFI_ESP_TAIL) - PaddingSize;
// //
// TODO: handle anti-replay window // TODO: handle anti-replay window
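Review bot: The new alignment check in IpSecEspInboundPacket, `if ((EspSize - MiscSize) % BlockSize != 0)`, runs unconditionally, before the `EncKey != NULL` test that guards the actual decryption, so it divides by whatever `IpSecGetEncryptBlockSize` returns for the SA's `EncAlgoId`; if that helper yields 0 for a NULL or unrecognised cipher (its table is not visible here), an auth-only or mis-provisioned SA would turn an inbound packet into a divide-by-zero. I would guard it as `if (BlockSize != 0 && ((EspSize - MiscSize) % BlockSize) != 0) {`, or move the check under the decrypt branch, and fix the comment above it, which says "multiple of IvSize" while the code checks `BlockSize`. Two smaller caveats: `IcvSize` is now derived from `AuthAlgoId` even when `AuthKey` is NULL (the removed `IcvSize = 0;` used to force it to 0), which shifts the `EspTail` pointer if an SA can carry an auth algorithm id without a key, and the ICV comparison in IpSecEspAuthVerifyPayload still uses `CompareMem`, which is not a constant-time MAC check. IpSecEspInboundPacket continues past the end of the last hunk.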