author | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2010-12-15 23:34:24 +0000 |
---|---|---|
committer | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2010-12-15 23:34:24 +0000 |
commit | 8b8c111bf0798c616b2dac6ee3a3dde2c77e2549 (patch) | |
tree | 7658a07dd754754b1453f8fd3351f9e04319cf3a /sys/arch/i386/pci | |
parent | 33bb214769f38803e01f13bbd076504dce27571e (diff) |
Bring CBC oracle attack countermeasure from r1.32 of cryptosoft.c to
the hardware crypto accelerator land. This fixes aes-ni, via xcrypt,
glxsb(4), hifn(4), safe(4) and ubsec(4) drivers.
Original commit message by angelos:
Don't keep the last blocksize-bytes of ciphertext for use as the next
plaintext's IV, in CBC mode. Use arc4random() to acquire fresh IVs per
message.
with and ok deraadt, ok markus, djm
Diffstat (limited to 'sys/arch/i386/pci')
-rw-r--r-- | sys/arch/i386/pci/glxsb.c | 35 |
1 files changed, 10 insertions, 25 deletions
diff --git a/sys/arch/i386/pci/glxsb.c b/sys/arch/i386/pci/glxsb.c
index c1e52d45cf5..51c5cec9970 100644
--- a/sys/arch/i386/pci/glxsb.c
+++ b/sys/arch/i386/pci/glxsb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: glxsb.c,v 1.20 2010/09/20 02:46:50 deraadt Exp $ */
+/* $OpenBSD: glxsb.c,v 1.21 2010/12/15 23:34:23 mikeb Exp $ */
 /*
  * Copyright (c) 2006 Tom Cosgrove <tom@openbsd.org>
@@ -150,7 +150,6 @@ struct glxsb_dma_map {
 };
 struct glxsb_session {
 uint32_t ses_key[4];
- uint8_t ses_iv[SB_AES_BLOCK_SIZE];
 int ses_klen;
 int ses_used;
 struct swcr_data *ses_swd_auth;
@@ -417,7 +416,6 @@ glxsb_crypto_newsession(uint32_t *sidp, struct cryptoini *cri)
 break;
 }
- arc4random_buf(ses->ses_iv, sizeof(ses->ses_iv));
 ses->ses_klen = c->cri_klen;
 /* Copy the key (Geode LX wants the primary key only) */
@@ -641,7 +639,7 @@ glxsb_crypto_encdec(struct cryptop *crp, struct cryptodesc *crd,
 {
 char *op_src, *op_dst;
 uint32_t op_psrc, op_pdst;
- uint8_t op_iv[SB_AES_BLOCK_SIZE], *piv;
+ uint8_t op_iv[SB_AES_BLOCK_SIZE];
 int err = 0;
 int len, tlen, xlen;
 int offset;
@@ -671,7 +669,7 @@ glxsb_crypto_encdec(struct cryptop *crp, struct cryptodesc *crd,
 if (crd->crd_flags & CRD_F_IV_EXPLICIT)
 bcopy(crd->crd_iv, op_iv, sizeof(op_iv));
 else
- bcopy(ses->ses_iv, op_iv, sizeof(op_iv));
+ arc4random_buf(op_iv, sizeof(op_iv));
 if ((crd->crd_flags & CRD_F_IV_PRESENT) == 0) {
 if (crp->crp_flags & CRYPTO_F_IMBUF)
@@ -704,7 +702,6 @@ glxsb_crypto_encdec(struct cryptop *crp, struct cryptodesc *crd,
 offset = 0;
 tlen = crd->crd_len;
- piv = op_iv;
 /* Process the data in GLXSB_MAX_AES_LEN chunks */
 while (tlen > 0) {
@@ -740,26 +737,14 @@ glxsb_crypto_encdec(struct cryptop *crp, struct cryptodesc *crd,
 offset += len;
 tlen -= len;
- if (tlen <= 0) { /* Ideally, just == 0 */
- /* Finished - put the IV in session IV */
- piv = ses->ses_iv;
- }
-
- /*
- * Copy out last block for use as next iteration/session IV.
- *
- * piv is set to op_iv[] before the loop starts, but is
- * set to ses->ses_iv if we're going to exit the loop this
- * time.
- */
- if (crd->crd_flags & CRD_F_ENCRYPT) {
- bcopy(op_dst + len - sizeof(op_iv), piv, sizeof(op_iv));
- } else {
- /* Decryption, only need this if another iteration */
- if (tlen > 0) {
- bcopy(op_src + len - sizeof(op_iv), piv,
+ if (tlen > 0) {
+ /* Copy out last block for use as next iteration */
+ if (crd->crd_flags & CRD_F_ENCRYPT)
+ bcopy(op_dst + len - sizeof(op_iv), op_iv,
+ sizeof(op_iv));
+ else
+ bcopy(op_src + len - sizeof(op_iv), op_iv, sizeof(op_iv));
- }
 }
 } |
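Review bot: The new `if (tlen > 0)` block in glxsb_crypto_encdec now chains the last block only between chunks of the same request, but nothing in the code records why the session-level IV was dropped, so a later reader could reintroduce it to save the per-request arc4random_buf() call. I would replace the one-line comment with one that states the invariant, e.g. `/* Chain into the next chunk of this request only. The IV is never kept in the session: a fresh one is drawn per request so the next message's IV cannot be predicted from earlier ciphertext. */`. The random-IV branch in the -671 hunk is presumably reached only on the encrypt side, with decryption taking its IV from the buffer or crd_iv; the conditional enclosing it starts outside the hunk, so that is worth confirming. glxsb_crypto_encdec's body begins and ends outside these hunks.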