Module Name: src
Committed By: riastradh
Date: Sun Jun 14 23:19:11 UTC 2020
Modified Files:
src/sys/arch/i386/pci: glxsb.c
Log Message:
glxsb(4): Don't use prev msg's last block as IV for next msg in CBC.
This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.
XXX Compile-tested only.
To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/sys/arch/i386/pci/glxsb.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/arch/i386/pci/glxsb.c
diff -u src/sys/arch/i386/pci/glxsb.c:1.14 src/sys/arch/i386/pci/glxsb.c:1.15
--- src/sys/arch/i386/pci/glxsb.c:1.14 Thu Jul 14 10:19:05 2016
+++ src/sys/arch/i386/pci/glxsb.c Sun Jun 14 23:19:11 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: glxsb.c,v 1.14 2016/07/14 10:19:05 msaitoh Exp $ */
+/* $NetBSD: glxsb.c,v 1.15 2020/06/14 23:19:11 riastradh Exp $ */
/* $OpenBSD: glxsb.c,v 1.7 2007/02/12 14:31:45 tom Exp $ */
/*
@@ -25,7 +25,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: glxsb.c,v 1.14 2016/07/14 10:19:05 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: glxsb.c,v 1.15 2020/06/14 23:19:11 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -149,7 +149,6 @@ struct glxsb_dma_map {
};
struct glxsb_session {
uint32_t ses_key[4];
- uint8_t ses_iv[SB_AES_BLOCK_SIZE];
int ses_klen;
int ses_used;
};
@@ -346,7 +345,6 @@ glxsb_crypto_newsession(void *aux, uint3
memset(ses, 0, sizeof(*ses));
ses->ses_used = 1;
- cprng_fast(ses->ses_iv, sizeof(ses->ses_iv));
ses->ses_klen = cri->cri_klen;
/* Copy the key (Geode LX wants the primary key only) */
@@ -450,7 +448,7 @@ glxsb_crypto_process(void *aux, struct c
struct cryptodesc *crd;
char *op_src, *op_dst;
uint32_t op_psrc, op_pdst;
- uint8_t op_iv[SB_AES_BLOCK_SIZE], *piv;
+ uint8_t op_iv[SB_AES_BLOCK_SIZE];
int sesn, err = 0;
int len, tlen, xlen;
int offset;
@@ -497,7 +495,7 @@ glxsb_crypto_process(void *aux, struct c
if (crd->crd_flags & CRD_F_IV_EXPLICIT)
memcpy(op_iv, crd->crd_iv, sizeof(op_iv));
else
- memcpy(op_iv, ses->ses_iv, sizeof(op_iv));
+ cprng_fast(op_iv, sizeof(op_iv));
if ((crd->crd_flags & CRD_F_IV_PRESENT) == 0) {
if (crp->crp_flags & CRYPTO_F_IMBUF)
@@ -530,7 +528,6 @@ glxsb_crypto_process(void *aux, struct c
offset = 0;
tlen = crd->crd_len;
- piv = op_iv;
/* Process the data in GLXSB_MAX_AES_LEN chunks */
while (tlen > 0) {
@@ -566,25 +563,13 @@ glxsb_crypto_process(void *aux, struct c
offset += len;
tlen -= len;
- if (tlen <= 0) { /* Ideally, just == 0 */
- /* Finished - put the IV in session IV */
- piv = ses->ses_iv;
- }
-
- /*
- * Copy out last block for use as next iteration/session IV.
- *
- * piv is set to op_iv[] before the loop starts, but is
- * set to ses->ses_iv if we're going to exit the loop this
- * time.
- */
if (crd->crd_flags & CRD_F_ENCRYPT) {
- memcpy(piv, op_dst + len - sizeof(op_iv),
+ memcpy(op_iv, op_dst + len - sizeof(op_iv),
sizeof(op_iv));
} else {
/* Decryption, only need this if another iteration */
if (tlen > 0) {
- memcpy(piv, op_src + len - sizeof(op_iv),
+ memcpy(op_iv, op_src + len - sizeof(op_iv),
sizeof(op_iv));
}
}
