esp: improve spi and ip checks.#126
Open
philljj wants to merge 3 commits into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Improves wolfIP’s ESP Security Association (SA) handling by rejecting invalid (all-zero) SPIs and tightening SA selection to require both source and destination IP address matches during ESP transport wrap/unwrap, aligning behavior with the PR’s stated RFC4303 constraints and SA-slot semantics.
Changes:
- Introduces a shared
zero_spiconstant and addsesp_spi_valid()to reject all-zero SPIs for SA creation and inbound packet processing. - Updates inbound SA lookup to require
(SPI, src, dst)match and outbound SA selection to require(src, dst)match. - Extends unit tests to cover SA creation failures when SPI is all zeros.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/wolfesp.c | Adds SPI validation, strengthens SA matching on wrap/unwrap, and adjusts unknown-SPI logging text. |
| src/test/unit/unit_esp.c | Adds negative test cases for all-zero SPI during SA creation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
1368
to
+1372
| for (size_t i = 0; i < in_sa_num; ++i) { | ||
| if (memcmp(spi, in_sa_list[i].spi, sizeof(spi)) == 0) { | ||
| ESP_DEBUG("info: found sa: 0x%02x%02x%02x%02x\n", | ||
| spi[0], spi[1], spi[2], spi[3]); | ||
| esp_sa = &in_sa_list[i]; | ||
| break; | ||
| if (esp_spi_valid(out_sa_list[i].spi) < 0) { | ||
| /* skip empty slots */ | ||
| continue; | ||
| } |
Comment on lines
1598
to
1602
| for (size_t i = 0; i < out_sa_num; ++i) { | ||
| if (ip->dst == ee32(out_sa_list[i].dst)) { | ||
| esp_sa = &out_sa_list[i]; | ||
| ESP_DEBUG("info: found out sa: 0x%02x%02x%02x%02x\n", | ||
| esp_sa->spi[0], esp_sa->spi[1], esp_sa->spi[2], | ||
| esp_sa->spi[3]); | ||
| break; | ||
| if (esp_spi_valid(out_sa_list[i].spi) < 0) { | ||
| /* skip empty slots */ | ||
| continue; | ||
| } |
Comment on lines
+1604
to
+1608
| if (out_sa_list[i].dst != 0 && | ||
| ip->dst != ee32(out_sa_list[i].dst)) { | ||
| /* SA ip dst is configured, and doesn't match */ | ||
| continue; | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add some improved checks to
src/wolfesp.c:0x00).ip->srcandip->dstmatch in esp wrap and unwrap.Allow for configurable ip matching in ESP wrap / unwrap. E.g. an SA provisioned with 0 src address will allow matching any src address.
Fixes Fenrir 4780, 5737.
An all zero SPI is not valid per rfc4303, and practically it's used to mark an empty slot in the SA array.
Technically SPI values 1-255 are reserved by IANA for future use, but I don't think it's worth checking and restricting these. IMO we should allow any SPI as long as it's non-zero.