Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/dev/pci ubsec(4): Don't use prev msg's last block as IV ...



details:   https://anonhg.NetBSD.org/src/rev/3c876d62eecd
branches:  trunk
changeset: 1011012:3c876d62eecd
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Sun Jun 14 23:22:09 2020 +0000

description:
ubsec(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable in advance; an adaptive adversary
can exploit this to verify plaintext guesses.

XXX Compile-tested only.

diffstat:

 sys/dev/pci/ubsec.c    |  35 ++++-------------------------------
 sys/dev/pci/ubsecvar.h |   4 +---
 2 files changed, 5 insertions(+), 34 deletions(-)

diffs (90 lines):

diff -r 91207004fc32 -r 3c876d62eecd sys/dev/pci/ubsec.c
--- a/sys/dev/pci/ubsec.c       Sun Jun 14 23:20:15 2020 +0000
+++ b/sys/dev/pci/ubsec.c       Sun Jun 14 23:22:09 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ubsec.c,v 1.51 2020/05/25 19:13:28 thorpej Exp $       */
+/*     $NetBSD: ubsec.c,v 1.52 2020/06/14 23:22:09 riastradh Exp $     */
 /* $FreeBSD: src/sys/dev/ubsec/ubsec.c,v 1.6.2.6 2003/01/23 21:06:43 sam Exp $ */
 /*     $OpenBSD: ubsec.c,v 1.143 2009/03/27 13:31:30 reyk Exp$ */
 
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ubsec.c,v 1.51 2020/05/25 19:13:28 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ubsec.c,v 1.52 2020/06/14 23:22:09 riastradh Exp $");
 
 #undef UBSEC_DEBUG
 
@@ -1031,9 +1031,6 @@
        memset(ses, 0, sizeof(struct ubsec_session));
        ses->ses_used = 1;
        if (encini) {
-               /* get an IV, network byte order */
-               cprng_fast(ses->ses_iv, sizeof(ses->ses_iv));
-
                /* Go ahead and compute key in ubsec's byte order */
                if (encini->cri_alg == CRYPTO_AES_CBC) {
                        memcpy(ses->ses_key, encini->cri_key,
@@ -1294,14 +1291,10 @@
                encoffset = enccrd->crd_skip;
 
                if (enccrd->crd_flags & CRD_F_ENCRYPT) {
-                       q->q_flags |= UBSEC_QFLAGS_COPYOUTIV;
-
                        if (enccrd->crd_flags & CRD_F_IV_EXPLICIT)
                                memcpy(key.ses_iv, enccrd->crd_iv, ivlen);
-                       else {
-                               for (i = 0; i < (ivlen / 4); i++)
-                                       key.ses_iv[i] = ses->ses_iv[i];
-                       }
+                       else
+                               cprng_fast(key.ses_iv, ivlen);
 
                        if ((enccrd->crd_flags & CRD_F_IV_PRESENT) == 0) {
                                if (crp->crp_flags & CRYPTO_F_IMBUF)
@@ -1835,26 +1828,6 @@
                crp->crp_buf = (void *)q->q_dst_m;
        }
 
-       /* copy out IV for future use */
-       if (q->q_flags & UBSEC_QFLAGS_COPYOUTIV) {
-               for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
-                       if (crd->crd_alg != CRYPTO_DES_CBC &&
-                           crd->crd_alg != CRYPTO_3DES_CBC &&
-                           crd->crd_alg != CRYPTO_AES_CBC)
-                               continue;
-                       if (crp->crp_flags & CRYPTO_F_IMBUF)
-                               m_copydata((struct mbuf *)crp->crp_buf,
-                                   crd->crd_skip + crd->crd_len - 8, 8,
-                                   (void *)sc->sc_sessions[q->q_sesn].ses_iv);
-                       else if (crp->crp_flags & CRYPTO_F_IOV) {
-                               cuio_copydata((struct uio *)crp->crp_buf,
-                                   crd->crd_skip + crd->crd_len - 8, 8,
-                                   (void *)sc->sc_sessions[q->q_sesn].ses_iv);
-                       }
-                       break;
-               }
-       }
-
        for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
                if (crd->crd_alg != CRYPTO_MD5_HMAC_96 &&
                    crd->crd_alg != CRYPTO_SHA1_HMAC_96)
diff -r 91207004fc32 -r 3c876d62eecd sys/dev/pci/ubsecvar.h
--- a/sys/dev/pci/ubsecvar.h    Sun Jun 14 23:20:15 2020 +0000
+++ b/sys/dev/pci/ubsecvar.h    Sun Jun 14 23:22:09 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ubsecvar.h,v 1.10 2015/04/13 15:43:43 riastradh Exp $  */
+/*     $NetBSD: ubsecvar.h,v 1.11 2020/06/14 23:22:09 riastradh Exp $  */
 /*     $OpenBSD: ubsecvar.h,v 1.38 2009/03/27 13:31:30 reyk Exp $      */
 
 /*
@@ -201,8 +201,6 @@
        bus_size_t              sc_memsize;     /* size mapped by sc_sh */
 };
 
-#define        UBSEC_QFLAGS_COPYOUTIV          0x1
-
 struct ubsec_session {
        u_int32_t       ses_used;
        u_int32_t       ses_key[8];             /* 3DES/AES key */



Home | Main Index | Thread Index | Old Index