Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/arch/i386/pci glxsb(4): Don't use prev msg's last block ...
details: https://anonhg.NetBSD.org/src/rev/ede21016b34a
branches: trunk
changeset: 934629:ede21016b34a
user: riastradh <riastradh%NetBSD.org@localhost>
date: Sun Jun 14 23:19:11 2020 +0000
description:
glxsb(4): Don't use prev msg's last block as IV for next msg in CBC.
This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.
XXX Compile-tested only.
diffstat:
sys/arch/i386/pci/glxsb.c | 27 ++++++---------------------
1 files changed, 6 insertions(+), 21 deletions(-)
diffs (88 lines):
diff -r 731fd739c53e -r ede21016b34a sys/arch/i386/pci/glxsb.c
--- a/sys/arch/i386/pci/glxsb.c Sun Jun 14 23:17:01 2020 +0000
+++ b/sys/arch/i386/pci/glxsb.c Sun Jun 14 23:19:11 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: glxsb.c,v 1.14 2016/07/14 10:19:05 msaitoh Exp $ */
+/* $NetBSD: glxsb.c,v 1.15 2020/06/14 23:19:11 riastradh Exp $ */
/* $OpenBSD: glxsb.c,v 1.7 2007/02/12 14:31:45 tom Exp $ */
/*
@@ -25,7 +25,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: glxsb.c,v 1.14 2016/07/14 10:19:05 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: glxsb.c,v 1.15 2020/06/14 23:19:11 riastradh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -149,7 +149,6 @@
};
struct glxsb_session {
uint32_t ses_key[4];
- uint8_t ses_iv[SB_AES_BLOCK_SIZE];
int ses_klen;
int ses_used;
};
@@ -346,7 +345,6 @@
memset(ses, 0, sizeof(*ses));
ses->ses_used = 1;
- cprng_fast(ses->ses_iv, sizeof(ses->ses_iv));
ses->ses_klen = cri->cri_klen;
/* Copy the key (Geode LX wants the primary key only) */
@@ -450,7 +448,7 @@
struct cryptodesc *crd;
char *op_src, *op_dst;
uint32_t op_psrc, op_pdst;
- uint8_t op_iv[SB_AES_BLOCK_SIZE], *piv;
+ uint8_t op_iv[SB_AES_BLOCK_SIZE];
int sesn, err = 0;
int len, tlen, xlen;
int offset;
@@ -497,7 +495,7 @@
if (crd->crd_flags & CRD_F_IV_EXPLICIT)
memcpy(op_iv, crd->crd_iv, sizeof(op_iv));
else
- memcpy(op_iv, ses->ses_iv, sizeof(op_iv));
+ cprng_fast(op_iv, sizeof(op_iv));
if ((crd->crd_flags & CRD_F_IV_PRESENT) == 0) {
if (crp->crp_flags & CRYPTO_F_IMBUF)
@@ -530,7 +528,6 @@
offset = 0;
tlen = crd->crd_len;
- piv = op_iv;
/* Process the data in GLXSB_MAX_AES_LEN chunks */
while (tlen > 0) {
@@ -566,25 +563,13 @@
offset += len;
tlen -= len;
- if (tlen <= 0) { /* Ideally, just == 0 */
- /* Finished - put the IV in session IV */
- piv = ses->ses_iv;
- }
-
- /*
- * Copy out last block for use as next iteration/session IV.
- *
- * piv is set to op_iv[] before the loop starts, but is
- * set to ses->ses_iv if we're going to exit the loop this
- * time.
- */
if (crd->crd_flags & CRD_F_ENCRYPT) {
- memcpy(piv, op_dst + len - sizeof(op_iv),
+ memcpy(op_iv, op_dst + len - sizeof(op_iv),
sizeof(op_iv));
} else {
/* Decryption, only need this if another iteration */
if (tlen > 0) {
- memcpy(piv, op_src + len - sizeof(op_iv),
+ memcpy(op_iv, op_src + len - sizeof(op_iv),
sizeof(op_iv));
}
}
Home |
Main Index |
Thread Index |
Old Index