Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/dev/pci ubsec(4): Don't use prev msg's last block as IV ...
details: https://anonhg.NetBSD.org/src/rev/a70df3d71927
branches: trunk
changeset: 972977:a70df3d71927
user: riastradh <riastradh%NetBSD.org@localhost>
date: Sun Jun 14 23:22:09 2020 +0000
description:
ubsec(4): Don't use prev msg's last block as IV for next msg in CBC.
This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.
XXX Compile-tested only.
diffstat:
sys/dev/pci/ubsec.c | 35 ++++-------------------------------
sys/dev/pci/ubsecvar.h | 4 +---
2 files changed, 5 insertions(+), 34 deletions(-)
diffs (90 lines):
diff -r 2d9a90a3710e -r a70df3d71927 sys/dev/pci/ubsec.c
--- a/sys/dev/pci/ubsec.c Sun Jun 14 23:20:15 2020 +0000
+++ b/sys/dev/pci/ubsec.c Sun Jun 14 23:22:09 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ubsec.c,v 1.51 2020/05/25 19:13:28 thorpej Exp $ */
+/* $NetBSD: ubsec.c,v 1.52 2020/06/14 23:22:09 riastradh Exp $ */
/* $FreeBSD: src/sys/dev/ubsec/ubsec.c,v 1.6.2.6 2003/01/23 21:06:43 sam Exp $ */
/* $OpenBSD: ubsec.c,v 1.143 2009/03/27 13:31:30 reyk Exp$ */
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ubsec.c,v 1.51 2020/05/25 19:13:28 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ubsec.c,v 1.52 2020/06/14 23:22:09 riastradh Exp $");
#undef UBSEC_DEBUG
@@ -1031,9 +1031,6 @@
memset(ses, 0, sizeof(struct ubsec_session));
ses->ses_used = 1;
if (encini) {
- /* get an IV, network byte order */
- cprng_fast(ses->ses_iv, sizeof(ses->ses_iv));
-
/* Go ahead and compute key in ubsec's byte order */
if (encini->cri_alg == CRYPTO_AES_CBC) {
memcpy(ses->ses_key, encini->cri_key,
@@ -1294,14 +1291,10 @@
encoffset = enccrd->crd_skip;
if (enccrd->crd_flags & CRD_F_ENCRYPT) {
- q->q_flags |= UBSEC_QFLAGS_COPYOUTIV;
-
if (enccrd->crd_flags & CRD_F_IV_EXPLICIT)
memcpy(key.ses_iv, enccrd->crd_iv, ivlen);
- else {
- for (i = 0; i < (ivlen / 4); i++)
- key.ses_iv[i] = ses->ses_iv[i];
- }
+ else
+ cprng_fast(key.ses_iv, ivlen);
if ((enccrd->crd_flags & CRD_F_IV_PRESENT) == 0) {
if (crp->crp_flags & CRYPTO_F_IMBUF)
@@ -1835,26 +1828,6 @@
crp->crp_buf = (void *)q->q_dst_m;
}
- /* copy out IV for future use */
- if (q->q_flags & UBSEC_QFLAGS_COPYOUTIV) {
- for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
- if (crd->crd_alg != CRYPTO_DES_CBC &&
- crd->crd_alg != CRYPTO_3DES_CBC &&
- crd->crd_alg != CRYPTO_AES_CBC)
- continue;
- if (crp->crp_flags & CRYPTO_F_IMBUF)
- m_copydata((struct mbuf *)crp->crp_buf,
- crd->crd_skip + crd->crd_len - 8, 8,
- (void *)sc->sc_sessions[q->q_sesn].ses_iv);
- else if (crp->crp_flags & CRYPTO_F_IOV) {
- cuio_copydata((struct uio *)crp->crp_buf,
- crd->crd_skip + crd->crd_len - 8, 8,
- (void *)sc->sc_sessions[q->q_sesn].ses_iv);
- }
- break;
- }
- }
-
for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
if (crd->crd_alg != CRYPTO_MD5_HMAC_96 &&
crd->crd_alg != CRYPTO_SHA1_HMAC_96)
diff -r 2d9a90a3710e -r a70df3d71927 sys/dev/pci/ubsecvar.h
--- a/sys/dev/pci/ubsecvar.h Sun Jun 14 23:20:15 2020 +0000
+++ b/sys/dev/pci/ubsecvar.h Sun Jun 14 23:22:09 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ubsecvar.h,v 1.10 2015/04/13 15:43:43 riastradh Exp $ */
+/* $NetBSD: ubsecvar.h,v 1.11 2020/06/14 23:22:09 riastradh Exp $ */
/* $OpenBSD: ubsecvar.h,v 1.38 2009/03/27 13:31:30 reyk Exp $ */
/*
@@ -201,8 +201,6 @@
bus_size_t sc_memsize; /* size mapped by sc_sh */
};
-#define UBSEC_QFLAGS_COPYOUTIV 0x1
-
struct ubsec_session {
u_int32_t ses_used;
u_int32_t ses_key[8]; /* 3DES/AES key */
Home |
Main Index |
Thread Index |
Old Index