From f535637a394eecca1af182fb09b175b53e9fbf1f Mon Sep 17 00:00:00 2001 From: Dimitri Staessens Date: Fri, 25 Feb 2022 18:44:12 +0100 Subject: lib: Encrypt bare FRCP messages on encrypted flows Bare FRCP messages (ACKs without data, Rendez-vous packets) were not encrypted on encrypted flows, causing the receiver to fail decryption. Signed-off-by: Dimitri Staessens Signed-off-by: Sander Vrijders --- src/lib/crypt.c | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) (limited to 'src/lib/crypt.c') diff --git a/src/lib/crypt.c b/src/lib/crypt.c index 043eae13..e19981bc 100644 --- a/src/lib/crypt.c +++ b/src/lib/crypt.c @@ -217,8 +217,7 @@ static int openssl_encrypt(struct flow * f, in = shm_du_buff_head(sdb); in_sz = shm_du_buff_tail(sdb) - in; - if (in_sz == 0) - return 0; + assert(in_sz > 0); if (random_buffer(iv, IVSZ) < 0) goto fail_iv; @@ -229,11 +228,7 @@ static int openssl_encrypt(struct flow * f, EVP_CIPHER_CTX_reset(f->ctx); - ret = EVP_EncryptInit_ex(f->ctx, - EVP_aes_256_cbc(), - NULL, - f->key, - iv); + ret = EVP_EncryptInit_ex(f->ctx, EVP_aes_256_cbc(), NULL, f->key, iv); if (ret != 1) goto fail_encrypt_init; @@ -287,13 +282,17 @@ static int openssl_decrypt(struct flow * f, int in_sz; int tmp_sz; + in = shm_du_buff_head(sdb); + in_sz = shm_du_buff_tail(sdb) - in; + if (in_sz < IVSZ) + return -ECRYPT; + in = shm_du_buff_head_release(sdb, IVSZ); memcpy(iv, in, IVSZ); in = shm_du_buff_head(sdb); - - in_sz = shm_du_buff_tail(sdb) - shm_du_buff_head(sdb); + in_sz = shm_du_buff_tail(sdb) - in; out = malloc(in_sz); if (out == NULL) @@ -301,11 +300,7 @@ static int openssl_decrypt(struct flow * f, EVP_CIPHER_CTX_reset(f->ctx); - ret = EVP_DecryptInit_ex(f->ctx, - EVP_aes_256_cbc(), - NULL, - f->key, - iv); + ret = EVP_DecryptInit_ex(f->ctx, EVP_aes_256_cbc(), NULL, f->key, iv); if (ret != 1) goto fail_decrypt_init; -- cgit v1.2.3