svn commit: r285216 - head/sys/crypto/aesni

Mon, 06 Jul 2015 12:30:53 -0700 

Author: jmg
Date: Mon Jul  6 19:30:29 2015
New Revision: 285216
URL: https://svnweb.freebsd.org/changeset/base/285216

Log:
  Fix for non-random IV's when CRD_F_IV_PRESENT and CRD_F_IV_EXPLICIT
  flags are not specified... This bug was introduced in r275732...
  
  This only affects IPsec ESP only policies w/ the aesni module loaded,
  other subsystems specify one or both of the flags...
  
  Reviewed by:  gnn, delphij, eri

Modified:
  head/sys/crypto/aesni/aesni.c
  head/sys/crypto/aesni/aesni.h

Modified: head/sys/crypto/aesni/aesni.c
==============================================================================
--- head/sys/crypto/aesni/aesni.c       Mon Jul  6 19:17:56 2015        
(r285215)
+++ head/sys/crypto/aesni/aesni.c       Mon Jul  6 19:30:29 2015        
(r285216)
@@ -450,6 +450,7 @@ static int
 aesni_cipher_process(struct aesni_session *ses, struct cryptodesc *enccrd,
     struct cryptodesc *authcrd, struct cryptop *crp)
 {
+       uint8_t iv[AES_BLOCK_LEN];
        uint8_t tag[GMAC_DIGEST_LEN];
        struct thread *td;
        uint8_t *buf, *authbuf;
@@ -504,15 +505,23 @@ aesni_cipher_process(struct aesni_sessio
                break;
        }
 
-       /* Setup ses->iv */
-       bzero(ses->iv, sizeof ses->iv);
-       if ((enccrd->crd_flags & CRD_F_IV_EXPLICIT) != 0)
-               bcopy(enccrd->crd_iv, ses->iv, ivlen);
-       else if (encflag && ((enccrd->crd_flags & CRD_F_IV_PRESENT) != 0))
-               arc4rand(ses->iv, ivlen, 0);
-       else
-               crypto_copydata(crp->crp_flags, crp->crp_buf,
-                   enccrd->crd_inject, ivlen, ses->iv);
+       /* Setup iv */
+       if (encflag) {
+               if ((enccrd->crd_flags & CRD_F_IV_EXPLICIT) != 0)
+                       bcopy(enccrd->crd_iv, iv, ivlen);
+               else
+                       arc4rand(iv, ivlen, 0);
+               
+               if ((enccrd->crd_flags & CRD_F_IV_PRESENT) == 0)
+                       crypto_copyback(crp->crp_flags, crp->crp_buf,
+                           enccrd->crd_inject, ivlen, iv);
+       } else {
+               if ((enccrd->crd_flags & CRD_F_IV_EXPLICIT) != 0)
+                       bcopy(enccrd->crd_iv, iv, ivlen);
+               else
+                       crypto_copydata(crp->crp_flags, crp->crp_buf,
+                           enccrd->crd_inject, ivlen, iv);
+       }
 
        if (authcrd != NULL && !encflag)
                crypto_copydata(crp->crp_flags, crp->crp_buf,
@@ -525,33 +534,33 @@ aesni_cipher_process(struct aesni_sessio
        case CRYPTO_AES_CBC:
                if (encflag)
                        aesni_encrypt_cbc(ses->rounds, ses->enc_schedule,
-                           enccrd->crd_len, buf, buf, ses->iv);
+                           enccrd->crd_len, buf, buf, iv);
                else
                        aesni_decrypt_cbc(ses->rounds, ses->dec_schedule,
-                           enccrd->crd_len, buf, ses->iv);
+                           enccrd->crd_len, buf, iv);
                break;
        case CRYPTO_AES_ICM:
                /* encryption & decryption are the same */
                aesni_encrypt_icm(ses->rounds, ses->enc_schedule,
-                   enccrd->crd_len, buf, buf, ses->iv);
+                   enccrd->crd_len, buf, buf, iv);
                break;
        case CRYPTO_AES_XTS:
                if (encflag)
                        aesni_encrypt_xts(ses->rounds, ses->enc_schedule,
                            ses->xts_schedule, enccrd->crd_len, buf, buf,
-                           ses->iv);
+                           iv);
                else
                        aesni_decrypt_xts(ses->rounds, ses->dec_schedule,
                            ses->xts_schedule, enccrd->crd_len, buf, buf,
-                           ses->iv);
+                           iv);
                break;
        case CRYPTO_AES_NIST_GCM_16:
                if (encflag)
-                       AES_GCM_encrypt(buf, buf, authbuf, ses->iv, tag,
+                       AES_GCM_encrypt(buf, buf, authbuf, iv, tag,
                            enccrd->crd_len, authcrd->crd_len, ivlen,
                            ses->enc_schedule, ses->rounds);
                else {
-                       if (!AES_GCM_decrypt(buf, buf, authbuf, ses->iv, tag,
+                       if (!AES_GCM_decrypt(buf, buf, authbuf, iv, tag,
                            enccrd->crd_len, authcrd->crd_len, ivlen,
                            ses->enc_schedule, ses->rounds))
                                error = EBADMSG;
@@ -563,13 +572,6 @@ aesni_cipher_process(struct aesni_sessio
                crypto_copyback(crp->crp_flags, crp->crp_buf, enccrd->crd_skip,
                    enccrd->crd_len, buf);
 
-       /*
-        * OpenBSD doesn't copy this back.  This primes the IV for the next
-        * chain.  Why do we not do it for decrypt?
-        */
-       if (encflag && enccrd->crd_alg == CRYPTO_AES_CBC)
-               bcopy(buf + enccrd->crd_len - AES_BLOCK_LEN, ses->iv, 
AES_BLOCK_LEN);
-
        if (!error && authcrd != NULL) {
                crypto_copyback(crp->crp_flags, crp->crp_buf,
                    authcrd->crd_inject, GMAC_DIGEST_LEN, tag);

Modified: head/sys/crypto/aesni/aesni.h
==============================================================================
--- head/sys/crypto/aesni/aesni.h       Mon Jul  6 19:17:56 2015        
(r285215)
+++ head/sys/crypto/aesni/aesni.h       Mon Jul  6 19:30:29 2015        
(r285216)
@@ -56,7 +56,6 @@ struct aesni_session {
        uint8_t enc_schedule[AES_SCHED_LEN] __aligned(16);
        uint8_t dec_schedule[AES_SCHED_LEN] __aligned(16);
        uint8_t xts_schedule[AES_SCHED_LEN] __aligned(16);
-       uint8_t iv[AES_BLOCK_LEN];
        int algo;
        int rounds;
        /* uint8_t *ses_ictx; */
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"

Reply via email to