Module Name: src Committed By: riastradh Date: Tue Sep 8 22:48:24 UTC 2020
Modified Files: src/sys/crypto/aes: aes_selftest.c src/sys/crypto/aes/arch/x86: aes_sse2_subr.c Log Message: aes(9): Fix edge case in bitsliced SSE2 AES-CBC decryption. Make sure self-tests exercise this edge case. Discovered by confusion over code inspection of jak's adaptation of aes_armv8_64.S for big-endian. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/sys/crypto/aes/aes_selftest.c cvs rdiff -u -r1.3 -r1.4 src/sys/crypto/aes/arch/x86/aes_sse2_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/crypto/aes/aes_selftest.c diff -u src/sys/crypto/aes/aes_selftest.c:1.5 src/sys/crypto/aes/aes_selftest.c:1.6 --- src/sys/crypto/aes/aes_selftest.c:1.5 Sat Jul 25 22:36:42 2020 +++ src/sys/crypto/aes/aes_selftest.c Tue Sep 8 22:48:24 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: aes_selftest.c,v 1.5 2020/07/25 22:36:42 riastradh Exp $ */ +/* $NetBSD: aes_selftest.c,v 1.6 2020/09/08 22:48:24 riastradh Exp $ */ /*- * Copyright (c) 2020 The NetBSD Foundation, Inc. @@ -27,7 +27,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(1, "$NetBSD: aes_selftest.c,v 1.5 2020/07/25 22:36:42 riastradh Exp $"); +__KERNEL_RCSID(1, "$NetBSD: aes_selftest.c,v 1.6 2020/09/08 22:48:24 riastradh Exp $"); #ifdef _KERNEL @@ -210,7 +210,7 @@ aes_selftest_encdec_cbc(const struct aes uint8_t in[144]; uint8_t outbuf[146] = { [0] = 0x1a, [145] = 0x1a }, *out = outbuf + 1; uint8_t iv0[16], iv[16]; - unsigned i; + unsigned i, j; for (i = 0; i < 32; i++) key[i] = i; @@ -237,21 +237,26 @@ aes_selftest_encdec_cbc(const struct aes "AES-%u-CBC dec", aes_keybits[i]); /* Try incrementally, with IV update. */ - memcpy(iv, iv0, 16); - impl->ai_cbc_enc(&enc, in, out, 16, iv, aes_nrounds[i]); - impl->ai_cbc_enc(&enc, in + 16, out + 16, 128, iv, - aes_nrounds[i]); - if (memcmp(out, expected[i], 144)) - return aes_selftest_fail(impl, out, expected[i], 144, - "AES-%u-CBC enc incremental", aes_keybits[i]); - - memcpy(iv, iv0, 16); - impl->ai_cbc_dec(&dec, out, out, 128, iv, aes_nrounds[i]); - impl->ai_cbc_dec(&dec, out + 128, out + 128, 16, iv, - aes_nrounds[i]); - if (memcmp(out, in, 144)) - return aes_selftest_fail(impl, out, in, 144, - "AES-%u-CBC dec incremental", aes_keybits[i]); + for (j = 0; j < 144; j += 16) { + memcpy(iv, iv0, 16); + impl->ai_cbc_enc(&enc, in, out, j, iv, aes_nrounds[i]); + impl->ai_cbc_enc(&enc, in + j, out + j, 144 - j, iv, + aes_nrounds[i]); + if (memcmp(out, expected[i], 144)) + return aes_selftest_fail(impl, out, + expected[i], 144, "AES-%u-CBC enc inc %u", + aes_keybits[i], j); + + memcpy(iv, iv0, 16); + impl->ai_cbc_dec(&dec, out, out, j, iv, + aes_nrounds[i]); + impl->ai_cbc_dec(&dec, out + j, out + j, 144 - j, iv, + aes_nrounds[i]); + if (memcmp(out, in, 144)) + return aes_selftest_fail(impl, out, + in, 144, "AES-%u-CBC dec inc %u", + aes_keybits[i], j); + } } if (outbuf[0] != 0x1a) Index: src/sys/crypto/aes/arch/x86/aes_sse2_subr.c diff -u src/sys/crypto/aes/arch/x86/aes_sse2_subr.c:1.3 src/sys/crypto/aes/arch/x86/aes_sse2_subr.c:1.4 --- src/sys/crypto/aes/arch/x86/aes_sse2_subr.c:1.3 Sat Jul 25 22:29:56 2020 +++ src/sys/crypto/aes/arch/x86/aes_sse2_subr.c Tue Sep 8 22:48:24 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: aes_sse2_subr.c,v 1.3 2020/07/25 22:29:56 riastradh Exp $ */ +/* $NetBSD: aes_sse2_subr.c,v 1.4 2020/09/08 22:48:24 riastradh Exp $ */ /*- * Copyright (c) 2020 The NetBSD Foundation, Inc. @@ -27,7 +27,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(1, "$NetBSD: aes_sse2_subr.c,v 1.3 2020/07/25 22:29:56 riastradh Exp $"); +__KERNEL_RCSID(1, "$NetBSD: aes_sse2_subr.c,v 1.4 2020/09/08 22:48:24 riastradh Exp $"); #ifdef _KERNEL #include <sys/systm.h> @@ -200,11 +200,13 @@ aes_sse2_cbc_dec(const struct aesdec *de case 48: w = _mm_loadu_epi8(in + nbytes - 32); q[1] = aes_sse2_interleave_in(w); - /*FALLTHROUGH*/ - case 32: w = _mm_loadu_epi8(in + nbytes - 48); q[0] = aes_sse2_interleave_in(w); - /*FALLTHROUGH*/ + break; + case 32: + w = _mm_loadu_epi8(in + nbytes - 32); + q[0] = aes_sse2_interleave_in(w); + break; case 16: break; }