[src/trunk]: src/sys/opencrypto Change the way the IV is generated for AES-CT...
details: https://anonhg.NetBSD.org/src/rev/a0bbae67c3fc
branches: trunk
changeset: 765381:a0bbae67c3fc
user: drochner <drochner%NetBSD.org@localhost>
date: Tue May 24 18:52:51 2011 +0000
description:
Change the way the IV is generated for AES-CTR: use a simple counter
instead of arc4random(). AES-CTR is broken by IV reuse under the same
key/nonce (the keystream repeats), and a random IV only makes a repeat
improbable rather than impossible.
This needs a little API change in cryptosoft -- I've suggested it to
Open/FreeBSD, might change it depending on feedback.
Thanks to Steven Bellovin for hints.
diffstat:
sys/opencrypto/cryptosoft.c | 17 ++++++++++-------
sys/opencrypto/cryptosoft_xform.c | 21 ++++++++++++++++-----
2 files changed, 26 insertions(+), 12 deletions(-)
diffs (123 lines):
diff -r f8a1dc690e4d -r a0bbae67c3fc sys/opencrypto/cryptosoft.c
--- a/sys/opencrypto/cryptosoft.c Tue May 24 18:37:52 2011 +0000
+++ b/sys/opencrypto/cryptosoft.c Tue May 24 18:52:51 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cryptosoft.c,v 1.33 2011/05/23 13:51:10 drochner Exp $ */
+/* $NetBSD: cryptosoft.c,v 1.34 2011/05/24 18:52:51 drochner Exp $ */
/* $FreeBSD: src/sys/opencrypto/cryptosoft.c,v 1.2.2.1 2002/11/21 23:34:23 sam Exp $ */
/* $OpenBSD: cryptosoft.c,v 1.35 2002/04/26 08:43:50 deraadt Exp $ */
@@ -24,7 +24,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: cryptosoft.c,v 1.33 2011/05/23 13:51:10 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: cryptosoft.c,v 1.34 2011/05/24 18:52:51 drochner Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -92,9 +92,13 @@
/* Initialize the IV */
if (crd->crd_flags & CRD_F_ENCRYPT) {
/* IV explicitly provided ? */
- if (crd->crd_flags & CRD_F_IV_EXPLICIT)
+ if (crd->crd_flags & CRD_F_IV_EXPLICIT) {
memcpy(iv, crd->crd_iv, ivlen);
- else {
+ if (exf->reinit)
+ exf->reinit(sw->sw_kschedule, iv, 0);
+ } else if (exf->reinit) {
+ exf->reinit(sw->sw_kschedule, 0, iv);
+ } else {
/* Get random IV */
for (i = 0;
i + sizeof (u_int32_t) <= EALG_MAX_BLOCK_LEN;
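Review bot: The explicit-IV branch at the top of this hunk bypasses the per-session IV generator that the new `else if (exf->reinit)` branch relies on, so for a counter-mode transform the uniqueness guarantee this commit introduces holds only when the caller does not set CRD_F_IV_EXPLICIT, and the comment does not say so. Suggest extending it: `/* IV explicitly provided ? For transforms with a reinit hook (AES-CTR) this bypasses the per-session IV counter, so the caller itself must guarantee the IV never repeats under this key. */`. The generated path also fills `iv` only with whatever the transform's reinit writes to `ivout`; presumably `ivlen` matches the transform's IV size for every transform that has a reinit hook, but that is not visible here. The enclosing function starts and ends outside the hunk.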
@@ -129,13 +133,12 @@
/* Get IV off buf */
COPYDATA(outtype, buf, crd->crd_inject, ivlen, iv);
}
+ if (exf->reinit)
+ exf->reinit(sw->sw_kschedule, iv, 0);
}
ivp = iv;
- if (exf->reinit)
- exf->reinit(sw->sw_kschedule, iv);
-
if (outtype == CRYPTO_BUF_CONTIG) {
if (exf->reinit) {
for (i = crd->crd_skip;
diff -r f8a1dc690e4d -r a0bbae67c3fc sys/opencrypto/cryptosoft_xform.c
--- a/sys/opencrypto/cryptosoft_xform.c Tue May 24 18:37:52 2011 +0000
+++ b/sys/opencrypto/cryptosoft_xform.c Tue May 24 18:52:51 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cryptosoft_xform.c,v 1.19 2011/05/23 15:37:36 drochner Exp $ */
+/* $NetBSD: cryptosoft_xform.c,v 1.20 2011/05/24 18:52:51 drochner Exp $ */
/* $FreeBSD: src/sys/opencrypto/xform.c,v 1.1.2.1 2002/11/21 23:34:23 sam Exp $ */
/* $OpenBSD: xform.c,v 1.19 2002/08/16 22:47:25 dhartmei Exp $ */
@@ -40,7 +40,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.19 2011/05/23 15:37:36 drochner Exp $");
+__KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.20 2011/05/24 18:52:51 drochner Exp $");
#include <crypto/blowfish/blowfish.h>
#include <crypto/cast128/cast128.h>
@@ -68,7 +68,7 @@
void (*decrypt)(void *, uint8_t *);
int (*setkey)(uint8_t **, const uint8_t *, int);
void (*zerokey)(uint8_t **);
- void (*reinit)(void *, const uint8_t *);
+ void (*reinit)(void *, const uint8_t *, uint8_t *);
};
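Review bot: The added third parameter changes the `reinit` contract (judging from aes_ctr_reinit in this commit, a NULL `iv` asks the transform to generate the next IV itself and the IV actually used is copied to `ivout` when it is non-NULL), and cryptosoft.c now calls it both ways, but the field carries no comment. Suggest documenting it on the declaration: `/* reinit(sched, iv, ivout): iv == NULL -> transform generates the next IV; the IV in use is copied to ivout when non-NULL */`. Any other transform that implements reinit must now accept a NULL `iv`, otherwise the new generated-IV call in cryptosoft.c hands NULL to its copy. The struct definition starts outside the hunk.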
struct swcr_comp_algo {
@@ -113,7 +113,7 @@
static void rijndael128_zerokey(u_int8_t **);
static void cml_zerokey(u_int8_t **);
static void aes_ctr_zerokey(u_int8_t **);
-static void aes_ctr_reinit(void *, const u_int8_t *);
+static void aes_ctr_reinit(void *, const u_int8_t *, u_int8_t *);
static void null_init(void *);
static int null_update(void *, const u_int8_t *, u_int16_t);
@@ -638,6 +638,9 @@
u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)];
u_int8_t ac_block[AESCTR_BLOCKSIZE];
int ac_nr;
+ struct {
+ u_int64_t lastiv;
+ } ivgenctx;
};
static void
@@ -678,6 +681,8 @@
return EINVAL;
}
memcpy(ctx->ac_block, key + len - AESCTR_NONCESIZE, AESCTR_NONCESIZE);
+ /* random start value for simple counter */
+ arc4randbytes(&ctx->ivgenctx.lastiv, sizeof(ctx->ivgenctx.lastiv));
*sched = (void *)ctx;
return 0;
}
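Review bot: The random start value makes the counter unique only within this key schedule; a second session set up with the same key draws an independent start, so uniqueness across sessions or reboots remains probabilistic, which the one-line comment hides. Suggest: `/* random start for the per-session IV counter; IVs are guaranteed unique only within this key schedule -- reusing the key in another session relies on the two 64-bit start ranges not overlapping */`. aes_ctr_setkey starts outside the hunk.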
@@ -692,10 +697,16 @@
}
void
-aes_ctr_reinit(void *key, const u_int8_t *iv)
+aes_ctr_reinit(void *key, const u_int8_t *iv, u_int8_t *ivout)
{
struct aes_ctr_ctx *ctx = key;
+ if (!iv) {
+ ctx->ivgenctx.lastiv++;
+ iv = (const u_int8_t *)&ctx->ivgenctx.lastiv;
+ }
+ if (ivout)
+ memcpy(ivout, iv, AESCTR_IVSIZE);
memcpy(ctx->ac_block + AESCTR_NONCESIZE, iv, AESCTR_IVSIZE);
/* reset counter */
memset(ctx->ac_block + AESCTR_NONCESIZE + AESCTR_IVSIZE, 0, 4);
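Review bot: The generated IV is taken from an 8-byte `u_int64_t` but copied under the length `AESCTR_IVSIZE`, with nothing tying the two together; if that define ever changes, the memcpy either over-reads past `lastiv` or silently truncates the counter, in both cases without a compiler warning. A compile-time check next to the struct, `CTASSERT(sizeof(u_int64_t) == AESCTR_IVSIZE);` (assuming the tree's CTASSERT is usable in this file), would pin the assumption. `ctx->ivgenctx.lastiv++` is also an unlocked read-modify-write on per-session state; if swcr_process can run for the same session on two CPUs at once, two requests could obtain the same IV, which is exactly the recurrence the commit sets out to prevent, so it is worth confirming what serializes a session or using atomic_inc_64_nv() on the counter. aes_ctr_reinit's closing brace is outside the hunk.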