authorMarkus Friedl <markus@cvs.openbsd.org>2010-01-10 12:43:08 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2010-01-10 12:43:08 +0000
commite984d91179e6d0cd1106eb8a8f90cd3cdebf4ad2 (patch)
treebda04e5dbaef37b20c5c45e7c0dd7c34f727ff0d /sys/crypto
parente86b036f8f31495d41041510999f7ece130f9cc9 (diff)
Fix two bugs in IPsec/HMAC-SHA2:
(1) use the correct (message) block size of 128 bytes (instead of 64 bytes) for HMAC-SHA512/384 (RFC4634). (2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to nnn/2 bits, while we still use 96 bits. 96 bits were specified in draft-ietf-ipsec-ciph-sha-256-00, while draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits. WARNING: this change makes IPsec with SHA-256 (the default) incompatible with older OpenBSD versions and other IPsec implementations that share this bug. ok+tests naddy, fries; requested by reyk/deraadt
Diffstat (limited to 'sys/crypto')
-rw-r--r--sys/crypto/cryptodev.h10
-rw-r--r--sys/crypto/cryptosoft.c32
-rw-r--r--sys/crypto/cryptosoft.h6
-rw-r--r--sys/crypto/xform.c28
-rw-r--r--sys/crypto/xform.h9
5 files changed, 54 insertions, 31 deletions
diff --git a/sys/crypto/cryptodev.h b/sys/crypto/cryptodev.h
index 1a736c985cc..c2418a04f03 100644
--- a/sys/crypto/cryptodev.h
+++ b/sys/crypto/cryptodev.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptodev.h,v 1.48 2009/09/03 07:47:27 dlg Exp $ */
+/* $OpenBSD: cryptodev.h,v 1.49 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -60,7 +60,13 @@
#define CRYPTO_SW_SESSIONS 32
/* HMAC values */
-#define HMAC_BLOCK_LEN 64
+#define HMAC_MD5_BLOCK_LEN 64
+#define HMAC_SHA1_BLOCK_LEN 64
+#define HMAC_RIPEMD160_BLOCK_LEN 64
+#define HMAC_SHA2_256_BLOCK_LEN 64
+#define HMAC_SHA2_384_BLOCK_LEN 128
+#define HMAC_SHA2_512_BLOCK_LEN 128
+#define HMAC_MAX_BLOCK_LEN HMAC_SHA2_512_BLOCK_LEN /* keep in sync */
#define HMAC_IPAD_VAL 0x36
#define HMAC_OPAD_VAL 0x5C
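Review bot: The `/* keep in sync */` comment on HMAC_MAX_BLOCK_LEN does not say what has to stay in sync with it, and the thing that does — the hand-written hmac_ipad_buffer/hmac_opad_buffer initializers in cryptosoft.c, which this commit declares with that size — lives in another file. Suggest `#define HMAC_MAX_BLOCK_LEN HMAC_SHA2_512_BLOCK_LEN /* largest block length above; hmac_{i,o}pad_buffer in cryptosoft.c are sized and fully initialised to this */`. Without that pointer, someone adding a hash with a larger block would bump the macro and, because C zero-fills the unlisted tail of an initializer, get pad buffers that are silently too short rather than a build error.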
diff --git a/sys/crypto/cryptosoft.c b/sys/crypto/cryptosoft.c
index b8303d54a0f..e392747d7c5 100644
--- a/sys/crypto/cryptosoft.c
+++ b/sys/crypto/cryptosoft.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptosoft.c,v 1.51 2008/06/09 16:07:00 djm Exp $ */
+/* $OpenBSD: cryptosoft.c,v 1.52 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -38,7 +38,15 @@
#include <crypto/cryptosoft.h>
#include <crypto/xform.h>
-const u_int8_t hmac_ipad_buffer[64] = {
+const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN] = {
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
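Review bot: The declared size is now HMAC_MAX_BLOCK_LEN but the contents remain an explicit list of 0x36 bytes, so the two can drift: if HMAC_MAX_BLOCK_LEN is ever raised without extending this list, the compiler zero-fills the tail and HMACs for the larger-block hash come out wrong at runtime instead of failing to build. A comment tying the two together would help, e.g. `/* exactly HMAC_MAX_BLOCK_LEN bytes of HMAC_IPAD_VAL; extend if HMAC_MAX_BLOCK_LEN grows */`, or the pad buffers could be filled from HMAC_IPAD_VAL at attach time, which removes the hazard entirely. The same applies to hmac_opad_buffer in the following hunk. The array definition continues past the end of this hunk.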
@@ -49,7 +57,15 @@ const u_int8_t hmac_ipad_buffer[64] = {
0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
};
-const u_int8_t hmac_opad_buffer[64] = {
+const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN] = {
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
+ 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
@@ -660,13 +676,13 @@ swcr_newsession(u_int32_t *sid, struct cryptoini *cri)
axf = &auth_hash_hmac_ripemd_160_96;
goto authcommon;
case CRYPTO_SHA2_256_HMAC:
- axf = &auth_hash_hmac_sha2_256_96;
+ axf = &auth_hash_hmac_sha2_256_128;
goto authcommon;
case CRYPTO_SHA2_384_HMAC:
- axf = &auth_hash_hmac_sha2_384_96;
+ axf = &auth_hash_hmac_sha2_384_192;
goto authcommon;
case CRYPTO_SHA2_512_HMAC:
- axf = &auth_hash_hmac_sha2_512_96;
+ axf = &auth_hash_hmac_sha2_512_256;
authcommon:
(*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
M_NOWAIT);
@@ -689,7 +705,7 @@ swcr_newsession(u_int32_t *sid, struct cryptoini *cri)
axf->Update((*swd)->sw_ictx, cri->cri_key,
cri->cri_klen / 8);
axf->Update((*swd)->sw_ictx, hmac_ipad_buffer,
- HMAC_BLOCK_LEN - (cri->cri_klen / 8));
+ axf->blocksize - (cri->cri_klen / 8));
for (k = 0; k < cri->cri_klen / 8; k++)
cri->cri_key[k] ^= (HMAC_IPAD_VAL ^ HMAC_OPAD_VAL);
@@ -698,7 +714,7 @@ swcr_newsession(u_int32_t *sid, struct cryptoini *cri)
axf->Update((*swd)->sw_octx, cri->cri_key,
cri->cri_klen / 8);
axf->Update((*swd)->sw_octx, hmac_opad_buffer,
- HMAC_BLOCK_LEN - (cri->cri_klen / 8));
+ axf->blocksize - (cri->cri_klen / 8));
for (k = 0; k < cri->cri_klen / 8; k++)
cri->cri_key[k] ^= HMAC_OPAD_VAL;
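Review bot: `axf->blocksize - (cri->cri_klen / 8)` has no guard against a key longer than the hash block: blocksize is a u_int16_t and the difference is handed to Update as its u_int16_t length, so a key longer than blocksize bytes would become a large unsigned count and read past hmac_opad_buffer (the ipad call in the previous hunk has the same shape). I cannot see from this hunk whether the callers pin cri_klen to the xform's keysize; if they do, a cheap check such as `if (cri->cri_klen / 8 > axf->blocksize) return EINVAL;` before the pad computation (after releasing what authcommon already allocated) would still document that assumption, and RFC 2104 would otherwise want an over-long key hashed down first rather than rejected. swcr_newsession begins and ends outside this hunk.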
diff --git a/sys/crypto/cryptosoft.h b/sys/crypto/cryptosoft.h
index b5764fc8830..d7133645a27 100644
--- a/sys/crypto/cryptosoft.h
+++ b/sys/crypto/cryptosoft.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptosoft.h,v 1.11 2007/09/10 22:19:42 henric Exp $ */
+/* $OpenBSD: cryptosoft.h,v 1.12 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -57,8 +57,8 @@ struct swcr_data {
};
#ifdef _KERNEL
-extern const u_int8_t hmac_ipad_buffer[64];
-extern const u_int8_t hmac_opad_buffer[64];
+extern const u_int8_t hmac_ipad_buffer[HMAC_MAX_BLOCK_LEN];
+extern const u_int8_t hmac_opad_buffer[HMAC_MAX_BLOCK_LEN];
int swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
int swcr_authcompute(struct cryptop *, struct cryptodesc *, struct swcr_data *,
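Review bot: The extern declarations now reference HMAC_MAX_BLOCK_LEN, which this diff defines in cryptodev.h, and nothing in the hunk shows cryptosoft.h including that header. If it does not, cryptosoft.h is no longer self-contained and any translation unit that includes it before cryptodev.h fails to compile; either add `#include <crypto/cryptodev.h>` at the top of this header or note the ordering requirement next to these declarations. The top of the header is outside this hunk, so this may already be covered.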
diff --git a/sys/crypto/xform.c b/sys/crypto/xform.c
index 900b993ee3e..dd5bb9aa054 100644
--- a/sys/crypto/xform.c
+++ b/sys/crypto/xform.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xform.c,v 1.36 2008/09/06 22:23:21 djm Exp $ */
+/* $OpenBSD: xform.c,v 1.37 2010/01/10 12:43:07 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -228,70 +228,70 @@ struct enc_xform enc_xform_null = {
/* Authentication instances */
struct auth_hash auth_hash_hmac_md5_96 = {
CRYPTO_MD5_HMAC, "HMAC-MD5",
- 16, 16, 12, sizeof(MD5_CTX),
+ 16, 16, 12, sizeof(MD5_CTX), HMAC_MD5_BLOCK_LEN,
(void (*) (void *)) MD5Init, MD5Update_int,
(void (*) (u_int8_t *, void *)) MD5Final
};
struct auth_hash auth_hash_hmac_sha1_96 = {
CRYPTO_SHA1_HMAC, "HMAC-SHA1",
- 20, 20, 12, sizeof(SHA1_CTX),
+ 20, 20, 12, sizeof(SHA1_CTX), HMAC_SHA1_BLOCK_LEN,
(void (*) (void *)) SHA1Init, SHA1Update_int,
(void (*) (u_int8_t *, void *)) SHA1Final
};
struct auth_hash auth_hash_hmac_ripemd_160_96 = {
CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
- 20, 20, 12, sizeof(RMD160_CTX),
+ 20, 20, 12, sizeof(RMD160_CTX), HMAC_RIPEMD160_BLOCK_LEN,
(void (*)(void *)) RMD160Init, RMD160Update_int,
(void (*)(u_int8_t *, void *)) RMD160Final
};
-struct auth_hash auth_hash_hmac_sha2_256_96 = {
+struct auth_hash auth_hash_hmac_sha2_256_128 = {
CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
- 32, 32, 12, sizeof(SHA2_CTX),
+ 32, 32, 16, sizeof(SHA2_CTX), HMAC_SHA2_256_BLOCK_LEN,
(void (*)(void *)) SHA256Init, SHA256Update_int,
(void (*)(u_int8_t *, void *)) SHA256Final
};
-struct auth_hash auth_hash_hmac_sha2_384_96 = {
+struct auth_hash auth_hash_hmac_sha2_384_192 = {
CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
- 48, 48, 12, sizeof(SHA2_CTX),
+ 48, 48, 24, sizeof(SHA2_CTX), HMAC_SHA2_384_BLOCK_LEN,
(void (*)(void *)) SHA384Init, SHA384Update_int,
(void (*)(u_int8_t *, void *)) SHA384Final
};
-struct auth_hash auth_hash_hmac_sha2_512_96 = {
+struct auth_hash auth_hash_hmac_sha2_512_256 = {
CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
- 64, 64, 12, sizeof(SHA2_CTX),
+ 64, 64, 32, sizeof(SHA2_CTX), HMAC_SHA2_512_BLOCK_LEN,
(void (*)(void *)) SHA512Init, SHA512Update_int,
(void (*)(u_int8_t *, void *)) SHA512Final
};
struct auth_hash auth_hash_key_md5 = {
CRYPTO_MD5_KPDK, "Keyed MD5",
- 0, 16, 16, sizeof(MD5_CTX),
+ 0, 16, 16, sizeof(MD5_CTX), 0,
(void (*)(void *)) MD5Init, MD5Update_int,
(void (*)(u_int8_t *, void *)) MD5Final
};
struct auth_hash auth_hash_key_sha1 = {
CRYPTO_SHA1_KPDK, "Keyed SHA1",
- 0, 20, 20, sizeof(SHA1_CTX),
+ 0, 20, 20, sizeof(SHA1_CTX), 0,
(void (*)(void *)) SHA1Init, SHA1Update_int,
(void (*)(u_int8_t *, void *)) SHA1Final
};
struct auth_hash auth_hash_md5 = {
CRYPTO_MD5, "MD5",
- 0, 16, 16, sizeof(MD5_CTX),
+ 0, 16, 16, sizeof(MD5_CTX), 0,
(void (*) (void *)) MD5Init, MD5Update_int,
(void (*) (u_int8_t *, void *)) MD5Final
};
struct auth_hash auth_hash_sha1 = {
CRYPTO_SHA1, "SHA1",
- 0, 20, 20, sizeof(SHA1_CTX),
+ 0, 20, 20, sizeof(SHA1_CTX), 0,
(void (*)(void *)) SHA1Init, SHA1Update_int,
(void (*)(u_int8_t *, void *)) SHA1Final
};
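Review bot: The new blocksize column is a bare `0` for the keyed-MD5/SHA1 and plain MD5/SHA1 instances, which leaves a reader to work out whether that means "unused" or "zero-length block". A trailing comment on those four lines, `0, /* blocksize: unused, not an HMAC */`, would settle it; alternatively, since struct auth_hash now has ten positional fields, writing these tables with designated initializers (`.blocksize = HMAC_SHA2_256_BLOCK_LEN`) would make this and the next added field self-describing. The truncation values 16/24/32 do match the half-hash-length rule from RFC 4868 that the commit message cites.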
diff --git a/sys/crypto/xform.h b/sys/crypto/xform.h
index aed3ec6678c..d7abcf4c36d 100644
--- a/sys/crypto/xform.h
+++ b/sys/crypto/xform.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: xform.h,v 1.19 2008/09/06 22:23:21 djm Exp $ */
+/* $OpenBSD: xform.h,v 1.20 2010/01/10 12:43:07 markus Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -37,6 +37,7 @@ struct auth_hash {
u_int16_t hashsize;
u_int16_t authsize;
u_int16_t ctxsize;
+ u_int16_t blocksize;
void (*Init) (void *);
int (*Update) (void *, const u_int8_t *, u_int16_t);
void (*Final) (u_int8_t *, void *);
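Review bot: The new `blocksize` member is undocumented, and it is load-bearing: cryptosoft.c subtracts the key length from it to size the ipad/opad fill, and xform.c sets it to 0 for the non-HMAC instances. Suggest `u_int16_t blocksize; /* hash input block size in bytes, used to size the HMAC pads; 0 if not an HMAC */`. struct auth_hash starts before this hunk.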
@@ -87,9 +88,9 @@ extern struct auth_hash auth_hash_key_sha1;
extern struct auth_hash auth_hash_hmac_md5_96;
extern struct auth_hash auth_hash_hmac_sha1_96;
extern struct auth_hash auth_hash_hmac_ripemd_160_96;
-extern struct auth_hash auth_hash_hmac_sha2_256_96;
-extern struct auth_hash auth_hash_hmac_sha2_384_96;
-extern struct auth_hash auth_hash_hmac_sha2_512_96;
+extern struct auth_hash auth_hash_hmac_sha2_256_128;
+extern struct auth_hash auth_hash_hmac_sha2_384_192;
+extern struct auth_hash auth_hash_hmac_sha2_512_256;
extern struct comp_algo comp_algo_deflate;
extern struct comp_algo comp_algo_lzs;