[src/trunk]: src/sys/arch/i386/pci glxsb(4): Don't use prev msg's last block ...

[riastradh <riastradh%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/1a2b57e064a6
branches:  trunk
changeset: 1011010:1a2b57e064a6
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sun Jun 14 23:19:11 2020 +0000

description:
glxsb(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

diffstat:

 sys/arch/i386/pci/glxsb.c |  27 ++++++---------------------
 1 files changed, 6 insertions(+), 21 deletions(-)

diffs (88 lines):

diff -r 42236d936f77 -r 1a2b57e064a6 sys/arch/i386/pci/glxsb.c
--- a/sys/arch/i386/pci/glxsb.c Sun Jun 14 23:17:01 2020 +0000
+++ b/sys/arch/i386/pci/glxsb.c Sun Jun 14 23:19:11 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: glxsb.c,v 1.14 2016/07/14 10:19:05 msaitoh Exp $       */
+/*     $NetBSD: glxsb.c,v 1.15 2020/06/14 23:19:11 riastradh Exp $     */
 /* $OpenBSD: glxsb.c,v 1.7 2007/02/12 14:31:45 tom Exp $ */
 
 /*
@@ -25,7 +25,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: glxsb.c,v 1.14 2016/07/14 10:19:05 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: glxsb.c,v 1.15 2020/06/14 23:19:11 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -149,7 +149,6 @@
 };
 struct glxsb_session {
        uint32_t        ses_key[4];
-       uint8_t         ses_iv[SB_AES_BLOCK_SIZE];
        int             ses_klen;
        int             ses_used;
 };
@@ -346,7 +345,6 @@
        memset(ses, 0, sizeof(*ses));
        ses->ses_used = 1;
 
-       cprng_fast(ses->ses_iv, sizeof(ses->ses_iv));
        ses->ses_klen = cri->cri_klen;
 
        /* Copy the key (Geode LX wants the primary key only) */
@@ -450,7 +448,7 @@
        struct cryptodesc *crd;
        char *op_src, *op_dst;
        uint32_t op_psrc, op_pdst;
-       uint8_t op_iv[SB_AES_BLOCK_SIZE], *piv;
+       uint8_t op_iv[SB_AES_BLOCK_SIZE];
        int sesn, err = 0;
        int len, tlen, xlen;
        int offset;
@@ -497,7 +495,7 @@
                if (crd->crd_flags & CRD_F_IV_EXPLICIT)
                        memcpy(op_iv, crd->crd_iv, sizeof(op_iv));
                else
-                       memcpy(op_iv, ses->ses_iv, sizeof(op_iv));
+                       cprng_fast(op_iv, sizeof(op_iv));
 
                if ((crd->crd_flags & CRD_F_IV_PRESENT) == 0) {
                        if (crp->crp_flags & CRYPTO_F_IMBUF)
@@ -530,7 +528,6 @@
 
        offset = 0;
        tlen = crd->crd_len;
-       piv = op_iv;
 
        /* Process the data in GLXSB_MAX_AES_LEN chunks */
        while (tlen > 0) {
@@ -566,25 +563,13 @@
                offset += len;
                tlen -= len;
 
-               if (tlen <= 0) {        /* Ideally, just == 0 */
-                       /* Finished - put the IV in session IV */
-                       piv = ses->ses_iv;
-               }
-
-               /*
-                * Copy out last block for use as next iteration/session IV.
-                *
-                * piv is set to op_iv[] before the loop starts, but is
-                * set to ses->ses_iv if we're going to exit the loop this
-                * time.
-                */
                if (crd->crd_flags & CRD_F_ENCRYPT) {
-                       memcpy(piv, op_dst + len - sizeof(op_iv),
+                       memcpy(op_iv, op_dst + len - sizeof(op_iv),
                            sizeof(op_iv));
                } else {
                        /* Decryption, only need this if another iteration */
                        if (tlen > 0) {
-                               memcpy(piv, op_src + len - sizeof(op_iv),
+                               memcpy(op_iv, op_src + len - sizeof(op_iv),
                                    sizeof(op_iv));
                        }
                }