Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/arch/x86/x86 padlock(4): Don't use prev msg's last block...



details:   https://anonhg.NetBSD.org/src/rev/2d9a90a3710e
branches:  trunk
changeset: 972976:2d9a90a3710e
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sun Jun 14 23:20:15 2020 +0000

description:
padlock(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

diffstat:

 sys/arch/x86/x86/via_padlock.c |  22 +++-------------------
 1 files changed, 3 insertions(+), 19 deletions(-)

diffs (58 lines):

diff -r 374379490497 -r 2d9a90a3710e sys/arch/x86/x86/via_padlock.c
--- a/sys/arch/x86/x86/via_padlock.c    Sun Jun 14 23:19:11 2020 +0000
+++ b/sys/arch/x86/x86/via_padlock.c    Sun Jun 14 23:20:15 2020 +0000
@@ -1,5 +1,5 @@
 /*     $OpenBSD: via.c,v 1.8 2006/11/17 07:47:56 tom Exp $     */
-/*     $NetBSD: via_padlock.c,v 1.28 2020/03/07 13:28:45 maya Exp $ */
+/*     $NetBSD: via_padlock.c,v 1.29 2020/06/14 23:20:15 riastradh Exp $ */
 
 /*-
  * Copyright (c) 2003 Jason Wright
@@ -20,7 +20,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: via_padlock.c,v 1.28 2020/03/07 13:28:45 maya Exp $");
+__KERNEL_RCSID(0, "$NetBSD: via_padlock.c,v 1.29 2020/06/14 23:20:15 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -191,7 +191,6 @@
                                C3_CRYPT_CWLO_KEYGEN_SW |
                                C3_CRYPT_CWLO_NORMAL;
 
-                       cprng_fast(ses->ses_iv, sizeof(ses->ses_iv));
                        ses->ses_klen = c->cri_klen;
                        ses->ses_cw0 = cw0;
 
@@ -384,7 +383,7 @@
                if (crd->crd_flags & CRD_F_IV_EXPLICIT)
                        memcpy(sc->op_iv, crd->crd_iv, 16);
                else
-                       memcpy(sc->op_iv, ses->ses_iv, 16);
+                       cprng_fast(sc->op_iv, 16);
 
                if ((crd->crd_flags & CRD_F_IV_PRESENT) == 0) {
                        if (crp->crp_flags & CRYPTO_F_IMBUF)
@@ -439,21 +438,6 @@
                memcpy((char *)crp->crp_buf + crd->crd_skip, sc->op_buf,
                    crd->crd_len);
 
-       /* copy out last block for use as next session IV */
-       if (crd->crd_flags & CRD_F_ENCRYPT) {
-               if (crp->crp_flags & CRYPTO_F_IMBUF)
-                       m_copydata((struct mbuf *)crp->crp_buf,
-                           crd->crd_skip + crd->crd_len - 16, 16,
-                           ses->ses_iv);
-               else if (crp->crp_flags & CRYPTO_F_IOV)
-                       cuio_copydata((struct uio *)crp->crp_buf,
-                           crd->crd_skip + crd->crd_len - 16, 16,
-                           ses->ses_iv);
-               else
-                       memcpy(ses->ses_iv, (char *)crp->crp_buf +
-                           crd->crd_skip + crd->crd_len - 16, 16);
-       }
-
        if (sc->op_buf != NULL) {
                memset(sc->op_buf, 0, crd->crd_len);
                free(sc->op_buf, M_DEVBUF);



Home | Main Index | Thread Index | Old Index