[src-draft/trunk]: src/sys/dev/pci ubsec(4): Don't use prev msg's last block ...
details: https://anonhg.NetBSD.org/src-all/rev/213955aeae1a
branches: trunk
changeset: 934600:213955aeae1a
user: Taylor R Campbell <riastradh%NetBSD.org@localhost>
date: Sun Jun 14 19:43:32 2020 +0000
description:
ubsec(4): Don't use prev msg's last block as IV for next msg in CBC.
This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.
XXX Compile-tested only.
diffstat:
sys/dev/pci/ubsec.c | 31 ++-----------------------------
sys/dev/pci/ubsecvar.h | 2 --
2 files changed, 2 insertions(+), 31 deletions(-)
diffs (69 lines):
diff -r 37ab55ad6474 -r 213955aeae1a sys/dev/pci/ubsec.c
--- a/sys/dev/pci/ubsec.c Sun Jun 14 21:17:37 2020 +0000
+++ b/sys/dev/pci/ubsec.c Sun Jun 14 19:43:32 2020 +0000
@@ -1031,9 +1031,6 @@
memset(ses, 0, sizeof(struct ubsec_session));
ses->ses_used = 1;
if (encini) {
- /* get an IV, network byte order */
- cprng_fast(ses->ses_iv, sizeof(ses->ses_iv));
-
/* Go ahead and compute key in ubsec's byte order */
if (encini->cri_alg == CRYPTO_AES_CBC) {
memcpy(ses->ses_key, encini->cri_key,
@@ -1294,14 +1291,10 @@
encoffset = enccrd->crd_skip;
if (enccrd->crd_flags & CRD_F_ENCRYPT) {
- q->q_flags |= UBSEC_QFLAGS_COPYOUTIV;
-
if (enccrd->crd_flags & CRD_F_IV_EXPLICIT)
memcpy(key.ses_iv, enccrd->crd_iv, ivlen);
- else {
- for (i = 0; i < (ivlen / 4); i++)
- key.ses_iv[i] = ses->ses_iv[i];
- }
+ else
+ cprng_fast(key.ses_iv, ivlen);
if ((enccrd->crd_flags & CRD_F_IV_PRESENT) == 0) {
if (crp->crp_flags & CRYPTO_F_IMBUF)
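Review bot: The new `cprng_fast(key.ses_iv, ivlen);` carries no comment stating the requirement it enforces, and the only explanatory comment about IV generation (`/* get an IV, network byte order */`) was removed in the first hunk, so a future maintainer reading this branch sees no reason not to reintroduce IV chaining. Suggest annotating the `else` branch with `/* CBC needs a fresh, unpredictable IV per request; never reuse the previous ciphertext block. */`. Like the `memcpy` on the explicit-IV line above it, the call also assumes `ivlen <= sizeof(key.ses_iv)`; `ivlen` is assigned outside this hunk, so a `KASSERT(ivlen <= sizeof(key.ses_iv));` ahead of the `if` would make that bound explicit. Note that with the seeding in ubsec_newsession gone, the per-session `ses_iv` in `sc->sc_sessions[]` is only ever zero-filled by the `memset` there; it must stay in `struct ubsec_session` because `key` is of that type, but if nothing else reads `ses->ses_iv` (not visible here) a comment on the field in ubsecvar.h saying it is per-request scratch, not session state, would prevent it being trusted as an IV again. The enclosing function continues outside the hunk.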
@@ -1835,26 +1828,6 @@
crp->crp_buf = (void *)q->q_dst_m;
}
- /* copy out IV for future use */
- if (q->q_flags & UBSEC_QFLAGS_COPYOUTIV) {
- for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
- if (crd->crd_alg != CRYPTO_DES_CBC &&
- crd->crd_alg != CRYPTO_3DES_CBC &&
- crd->crd_alg != CRYPTO_AES_CBC)
- continue;
- if (crp->crp_flags & CRYPTO_F_IMBUF)
- m_copydata((struct mbuf *)crp->crp_buf,
- crd->crd_skip + crd->crd_len - 8, 8,
- (void *)sc->sc_sessions[q->q_sesn].ses_iv);
- else if (crp->crp_flags & CRYPTO_F_IOV) {
- cuio_copydata((struct uio *)crp->crp_buf,
- crd->crd_skip + crd->crd_len - 8, 8,
- (void *)sc->sc_sessions[q->q_sesn].ses_iv);
- }
- break;
- }
- }
-
for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
if (crd->crd_alg != CRYPTO_MD5_HMAC_96 &&
crd->crd_alg != CRYPTO_SHA1_HMAC_96)
diff -r 37ab55ad6474 -r 213955aeae1a sys/dev/pci/ubsecvar.h
--- a/sys/dev/pci/ubsecvar.h Sun Jun 14 21:17:37 2020 +0000
+++ b/sys/dev/pci/ubsecvar.h Sun Jun 14 19:43:32 2020 +0000
@@ -201,8 +201,6 @@
bus_size_t sc_memsize; /* size mapped by sc_sh */
};
-#define UBSEC_QFLAGS_COPYOUTIV 0x1
-
struct ubsec_session {
u_int32_t ses_used;
u_int32_t ses_key[8]; /* 3DES/AES key */