Source-Changes-HG archive
[src-draft/trunk]: src/sys/dev/marvell mvcesa(4): Don't use prev msg's last b...
details: https://anonhg.NetBSD.org/src-all/rev/d5614d7171f0
branches: trunk
changeset: 934598:d5614d7171f0
user: Taylor R Campbell <riastradh%NetBSD.org@localhost>
date: Sun Jun 14 19:41:37 2020 +0000
description:
mvcesa(4): Don't use prev msg's last block as IV for next msg in CBC.
This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.
XXX Not even compile-tested.
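The IV property the commit message describes, as an added regression check (example code, not part of the NetBSD commit or driver): it models the pre-fix policy (seed ses_iv once, then carry the last ciphertext block forward) beside the post-fix policy (fresh CPRNG bytes per request) and flags any session whose next IV was knowable before the message was submitted. The block cipher is a stand-in keyed hash, since only the chaining policy is under test.

```python
import os
import hashlib

BLOCK = 16  # AES-CBC block/IV size; mvcesa uses 8 for DES/3DES

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the hardware block cipher (keyed hash, NOT a real cipher);
    # only the CBC chaining and IV policy are under test here.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Plain CBC: XOR each block with the previous ciphertext block (IV first).
    assert len(plaintext) % BLOCK == 0 and len(iv) == BLOCK
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        xored = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = block_encrypt(key, xored)
        out.append(prev)
    return b"".join(out)

class ChainedIvSession:
    # Pre-fix policy: ses_iv seeded once, then overwritten with the last
    # ciphertext block of every message (the memcpy the commit removes).
    def __init__(self, key: bytes):
        self.key, self.ses_iv = key, os.urandom(BLOCK)
    def encrypt(self, plaintext: bytes):
        iv = self.ses_iv
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.ses_iv = ct[-BLOCK:]  # next IV is now known to anyone seeing ct
        return iv, ct

class RandomIvSession:
    # Post-fix policy: a fresh IV from the CPRNG for every message.
    def __init__(self, key: bytes):
        self.key = key
    def encrypt(self, plaintext: bytes):
        iv = os.urandom(BLOCK)  # stands in for cprng_fast(ivbuf, sizeof(ivbuf))
        return iv, cbc_encrypt(self.key, iv, plaintext)

def iv_is_predictable(session, messages) -> bool:
    # Regression check: flag the policy if any message's IV equals the
    # previous ciphertext's last block, i.e. it was knowable in advance.
    prev_last = None
    for m in messages:
        iv, ct = session.encrypt(m)
        if prev_last is not None and iv == prev_last:
            return True
        prev_last = ct[-BLOCK:]
    return False
```

Run against a real driver the same check would submit several requests through one session and compare each IV written into the packet with the previous request's final ciphertext block.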
diffstat:
sys/dev/marvell/mvcesa.c | 13 ++++---------
1 files changed, 4 insertions(+), 9 deletions(-)
diffs (43 lines):
diff -r 2bc64456b636 -r d5614d7171f0 sys/dev/marvell/mvcesa.c
--- a/sys/dev/marvell/mvcesa.c Sun Jun 14 19:40:32 2020 +0000
+++ b/sys/dev/marvell/mvcesa.c Sun Jun 14 19:41:37 2020 +0000
@@ -56,7 +56,6 @@
int ses_used;
int ses_klen;
- uint32_t ses_iv[4];
uint32_t ses_key[8];
uint32_t ses_hminner[5]; /* HMAC inner state */
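Review bot: dropping `ses_iv` from the session struct is the right shape for the fix, since per-session IV state is exactly what let one message's last block seed the next; because the commit message says the change is not compile-tested, any reference to `ses_iv` that survives elsewhere in mvcesa.c will now be caught by the compiler, so a build is the first thing to run before merging.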
@@ -236,9 +235,6 @@
return EINVAL;
enc = 1;
- cprng_fast(ses->ses_iv,
- c->cri_alg == CRYPTO_AES_CBC ? 16 : 8);
-
/* Go ahead and compute key in CESA's byte order */
ses->ses_klen = c->cri_klen;
memcpy(ses->ses_key, c->cri_key, c->cri_klen / 8);
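Review bot: with this `cprng_fast` call gone, session setup no longer produces any IV at all, which is correct only because the request path now supplies one; the old code sized the IV by `c->cri_alg == CRYPTO_AES_CBC ? 16 : 8`, and that algorithm-dependent length no longer appears anywhere in the visible diff, so confirm the per-request buffer is sized for the larger 16-byte AES case.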
@@ -406,8 +402,10 @@
dir = MVCESA_DESE_C_DIRECTION_ENC;
if (crd->crd_flags & CRD_F_IV_EXPLICIT)
iv = (uint32_t *)crd->crd_iv;
- else
- iv = ses->ses_iv;
+ else {
+ cprng_fast(ivbuf, sizeof(ivbuf));
+ iv = ivbuf;
+ }
if (!(crd->crd_flags & CRD_F_IV_PRESENT)) {
if (m != NULL)
m_copyback(m, crd->crd_inject,
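Review bot: `ivbuf` is used here but its declaration is not within the visible context, and the commit is not compile-tested; confirm it is declared in this function with room for the 16-byte AES-CBC IV (for instance `uint32_t ivbuf[4]`, an assumed declaration) so that `sizeof(ivbuf)` covers it, and a one-line comment that drawing 16 random bytes for an 8-byte DES/3DES IV is intentional would help the next reader. The fresh IV only reaches the peer because the `m_copyback` below writes it into the packet when `CRD_F_IV_PRESENT` is clear, which is the path that keeps decryption working once the IV is unpredictable.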
@@ -760,8 +758,5 @@
}
}
- if (dir == MVCESA_DESE_C_DIRECTION_ENC)
- memcpy(ses->ses_iv, iv, sizeof(ses->ses_iv));
-
return 0;
}
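Review bot: removing this `memcpy` is what actually breaks the chain, since it was the only visible place the last ciphertext block was written back into the session, and it is consistent with the struct field going away in the first hunk. What the diff does not show is whether any decrypt-direction code read `ses_iv` as a fallback when no explicit IV was supplied; if so it needs the same treatment, so check for remaining readers before committing.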