From: Tobias Brunner Date: Mon, 21 Sep 2015 09:02:45 +0000 (+0200) Subject: libipsec: Fix crypter lookup for AES-CTR X-Git-Tag: 5.3.4dr1~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e80127691cfe7fea9ce3a2f67d8b527db34faf4;p=thirdparty%2Fstrongswan.git libipsec: Fix crypter lookup for AES-CTR Due to the nonce, the ESP key material is four bytes longer than needed for the actual AES key. The crypto plugins, however, register their AES-CTR implementations with the AES key length, so the lookup here failed. For IKEv2 the key material is allocated after creating a crypter instance with the negotiated AES key size. The length of the actual key material is retrieved via get_key_size(), which adds the four bytes to the AES key length. Fixes #1124. --- diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c index b742d15768..a9e0e5b4d3 100644 --- a/src/libipsec/esp_context.c +++ b/src/libipsec/esp_context.c @@ -247,7 +247,18 @@ static bool create_traditional(private_esp_context_t *this, int enc_alg, signer_t *signer = NULL; iv_gen_t *ivg; - crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_key.len); + switch (enc_alg) + { + case ENCR_AES_CTR: + /* the key includes a 4 byte salt */ + crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, + enc_key.len - 4); + break; + default: + crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, + enc_key.len); + break; + } if (!crypter) { DBG1(DBG_ESP, "failed to create ESP context: unsupported encryption "
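Review bot: In the ENCR_AES_CTR case, `enc_key.len - 4` is computed without first checking that enc_key.len is at least 4. If a shorter key ever reaches create_traditional(), the result is negative, or wraps to a very large value if the length field is unsigned. Either way it is passed to create_crypter() as the key size. The visible `if (!crypter)` path would most likely still catch this, but it would log "unsupported encryption" for what is really a malformed key length. Consider rejecting `enc_key.len <= 4` explicitly before the lookup. The literal 4 would also read better as a named constant for the salt length, and the code comment says "salt" where the commit message says "nonce"; using one term in both places would avoid confusion.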