iv_gen: Mask sequential IVs with a random salt

This makes it harder to attack a HA setup, even if the sequence numbers were
not fully in sync.

diff --git a/src/libstrongswan/crypto/iv/iv_gen_seq.c b/src/libstrongswan/crypto/iv/iv_gen_seq.c
index cbbc2dc7e0352f957c864e6a098b1a7d4e58a068..98d0c15a60ac4493af5d26d307301aea9f367683 100644 (file)
--- a/src/libstrongswan/crypto/iv/iv_gen_seq.c
+++ b/src/libstrongswan/crypto/iv/iv_gen_seq.c
@@ -26,6 +26,11 @@ struct private_iv_gen_t {
         * Public iv_gen_t interface.
         */
        iv_gen_t public;
+
+       /**
+        * Salt to mask counter
+        */
+       u_int8_t *salt;
 };
 
 METHOD(iv_gen_t, get_iv, bool,
@@ -34,12 +39,17 @@ METHOD(iv_gen_t, get_iv, bool,
        u_int8_t iv[sizeof(u_int64_t)];
        size_t len = size;
 
+       if (!this->salt)
+       {
+               return FALSE;
+       }
        if (len > sizeof(u_int64_t))
        {
                len = sizeof(u_int64_t);
                memset(buffer, 0, size - len);
        }
        htoun64(iv, seq);
+       memxor(iv, this->salt, sizeof(u_int64_t));
        memcpy(buffer + size - len, iv + sizeof(u_int64_t) - len, len);
        return TRUE;
 }
@@ -59,12 +69,14 @@ METHOD(iv_gen_t, allocate_iv, bool,
 METHOD(iv_gen_t, destroy, void,
        private_iv_gen_t *this)
 {
+       free(this->salt);
        free(this);
 }
 
 iv_gen_t *iv_gen_seq_create()
 {
        private_iv_gen_t *this;
+       rng_t *rng;
 
        INIT(this,
                .public = {
@@ -74,5 +86,17 @@ iv_gen_t *iv_gen_seq_create()
                },
        );
 
+       rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+       if (rng)
+       {
+               this->salt = malloc(sizeof(u_int64_t));
+               if (!rng->get_bytes(rng, sizeof(u_int64_t), this->salt))
+               {
+                       free(this->salt);
+                       this->salt = NULL;
+               }
+               rng->destroy(rng);
+       }
+
        return &this->public;
 }