Before decrypting the packet, IPsec checks whether the inbound protected packet is malformed. If it is, the packet is discarded.
Signed-off-by: qianouyang Reviewed-by: zhangchaointel jyao1 git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12464 6f19259b-4bc3-4df7-8a09-765794883524
parent
f7bb98019a
commit
4cb0548d01
|
@ -783,7 +783,7 @@ IpSecEspAuthVerifyPayload (
|
||||||
IN UINT8 *EspBuffer,
|
IN UINT8 *EspBuffer,
|
||||||
IN UINTN EspSize,
|
IN UINTN EspSize,
|
||||||
IN IPSEC_SAD_ENTRY *SadEntry,
|
IN IPSEC_SAD_ENTRY *SadEntry,
|
||||||
IN UINTN *IcvSize
|
IN UINTN IcvSize
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
EFI_STATUS Status;
|
EFI_STATUS Status;
|
||||||
|
@ -794,8 +794,7 @@ IpSecEspAuthVerifyPayload (
|
||||||
//
|
//
|
||||||
// Calculate the size of authentication payload.
|
// Calculate the size of authentication payload.
|
||||||
//
|
//
|
||||||
*IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId);
|
AuthSize = EspSize - IcvSize;
|
||||||
AuthSize = EspSize - *IcvSize;
|
|
||||||
|
|
||||||
//
|
//
|
||||||
// Calculate the icv buffer and size of the payload.
|
// Calculate the icv buffer and size of the payload.
|
||||||
|
@ -810,7 +809,7 @@ IpSecEspAuthVerifyPayload (
|
||||||
HashFragment,
|
HashFragment,
|
||||||
1,
|
1,
|
||||||
IcvBuffer,
|
IcvBuffer,
|
||||||
*IcvSize
|
IcvSize
|
||||||
);
|
);
|
||||||
if (EFI_ERROR (Status)) {
|
if (EFI_ERROR (Status)) {
|
||||||
return Status;
|
return Status;
|
||||||
|
@ -819,7 +818,7 @@ IpSecEspAuthVerifyPayload (
|
||||||
//
|
//
|
||||||
// Compare the calculated icv and the appended original icv.
|
// Compare the calculated icv and the appended original icv.
|
||||||
//
|
//
|
||||||
if (CompareMem (EspBuffer + AuthSize, IcvBuffer, *IcvSize) == 0) {
|
if (CompareMem (EspBuffer + AuthSize, IcvBuffer, IcvSize) == 0) {
|
||||||
return EFI_SUCCESS;
|
return EFI_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1371,7 +1370,7 @@ IpSecTunnelOutboundPacket (
|
||||||
|
|
||||||
@retval EFI_SUCCESS The operation was successful.
|
@retval EFI_SUCCESS The operation was successful.
|
||||||
@retval EFI_ACCESS_DENIED One or more following conditions is TRUE:
|
@retval EFI_ACCESS_DENIED One or more following conditions is TRUE:
|
||||||
- ESP header was not found.
|
- ESP header was not found or mal-format.
|
||||||
- The related SAD entry was not found.
|
- The related SAD entry was not found.
|
||||||
- The related SAD entry does not support the ESP protocol.
|
- The related SAD entry does not support the ESP protocol.
|
||||||
@retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
|
@retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
|
||||||
|
@ -1394,6 +1393,8 @@ IpSecEspInboundPacket (
|
||||||
NET_BUF *Payload;
|
NET_BUF *Payload;
|
||||||
UINTN EspSize;
|
UINTN EspSize;
|
||||||
UINTN IvSize;
|
UINTN IvSize;
|
||||||
|
UINTN BlockSize;
|
||||||
|
UINTN MiscSize;
|
||||||
UINTN PlainPayloadSize;
|
UINTN PlainPayloadSize;
|
||||||
UINTN PaddingSize;
|
UINTN PaddingSize;
|
||||||
UINTN IcvSize;
|
UINTN IcvSize;
|
||||||
|
@ -1486,15 +1487,36 @@ IpSecEspInboundPacket (
|
||||||
NetbufCopy (Payload, 0, (UINT32) EspSize, ProcessBuffer);
|
NetbufCopy (Payload, 0, (UINT32) EspSize, ProcessBuffer);
|
||||||
|
|
||||||
//
|
//
|
||||||
// Authenticate the esp wrapped buffer by the auth keys which is from SAD entry.
|
// Get the IcvSize for authentication and BlockSize/IvSize for Decryption.
|
||||||
|
//
|
||||||
|
IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId);
|
||||||
|
IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
|
||||||
|
BlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Make sure the ESP packet is not mal-formt.
|
||||||
|
// 1. Check whether the Espsize is larger than ESP header + IvSize + EspTail + IcvSize.
|
||||||
|
// 2. Check whether the left payload size is multiple of IvSize.
|
||||||
|
//
|
||||||
|
MiscSize = sizeof (EFI_ESP_HEADER) + IvSize + IcvSize;
|
||||||
|
if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL))) {
|
||||||
|
Status = EFI_ACCESS_DENIED;
|
||||||
|
goto ON_EXIT;
|
||||||
|
}
|
||||||
|
if ((EspSize - MiscSize) % BlockSize != 0) {
|
||||||
|
Status = EFI_ACCESS_DENIED;
|
||||||
|
goto ON_EXIT;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Authenticate the ESP packet.
|
||||||
//
|
//
|
||||||
IcvSize = 0;
|
|
||||||
if (SadData->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {
|
if (SadData->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {
|
||||||
Status = IpSecEspAuthVerifyPayload (
|
Status = IpSecEspAuthVerifyPayload (
|
||||||
ProcessBuffer,
|
ProcessBuffer,
|
||||||
EspSize,
|
EspSize,
|
||||||
SadEntry,
|
SadEntry,
|
||||||
&IcvSize
|
IcvSize
|
||||||
);
|
);
|
||||||
if (EFI_ERROR (Status)) {
|
if (EFI_ERROR (Status)) {
|
||||||
goto ON_EXIT;
|
goto ON_EXIT;
|
||||||
|
@ -1503,7 +1525,6 @@ IpSecEspInboundPacket (
|
||||||
//
|
//
|
||||||
// Decrypt the payload by the SAD entry if it has decrypt key.
|
// Decrypt the payload by the SAD entry if it has decrypt key.
|
||||||
//
|
//
|
||||||
IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
|
|
||||||
if (SadData->AlgoInfo.EspAlgoInfo.EncKey != NULL) {
|
if (SadData->AlgoInfo.EspAlgoInfo.EncKey != NULL) {
|
||||||
Status = IpSecCryptoIoDecrypt (
|
Status = IpSecCryptoIoDecrypt (
|
||||||
SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId,
|
SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId,
|
||||||
|
@ -1525,7 +1546,12 @@ IpSecEspInboundPacket (
|
||||||
EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL));
|
EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL));
|
||||||
PaddingSize = EspTail->PaddingLength;
|
PaddingSize = EspTail->PaddingLength;
|
||||||
NextHeader = EspTail->NextHeader;
|
NextHeader = EspTail->NextHeader;
|
||||||
PlainPayloadSize = EspSize - sizeof (EFI_ESP_HEADER) - IvSize - IcvSize - sizeof (EFI_ESP_TAIL) - PaddingSize;
|
|
||||||
|
if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL) + PaddingSize)) {
|
||||||
|
Status = EFI_ACCESS_DENIED;
|
||||||
|
goto ON_EXIT;
|
||||||
|
}
|
||||||
|
PlainPayloadSize = EspSize - MiscSize - sizeof (EFI_ESP_TAIL) - PaddingSize;
|
||||||
|
|
||||||
//
|
//
|
||||||
// TODO: handle anti-replay window
|
// TODO: handle anti-replay window
|
||||||
|
|
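Review bot: The new alignment check in IpSecEspInboundPacket, `(EspSize - MiscSize) % BlockSize != 0`, uses the return value of IpSecGetEncryptBlockSize as a divisor without validating it. That helper is not shown on this page, so if it can return 0 for a null or unrecognised EncAlgoId the inbound path would divide by zero; `if (BlockSize == 0 || (EspSize - MiscSize) % BlockSize != 0) {` keeps the reject behaviour and removes the dependency. IcvSize and IvSize are now derived from the algorithm ids unconditionally, while verification and decryption remain gated on AuthKey/EncKey being non-NULL. It is worth confirming that an SA with an algorithm id set but no key cannot reach the EspTail arithmetic with an ICV length that was never verified. The comment above the check says "multiple of IvSize" where the code tests BlockSize, and "mal-formt" should read "malformed".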