Don't keep the last blocksize-bytes of ciphertext for use as the next

plaintext's IV, in CBC mode. Use arc4random() to acquire fresh IVs per
message instead (particularly useful for IPsec).

This avoids the CBC oracle attack. provos@ ok

2 files changed, 18 insertions, 18 deletions

diff --git a/sys/crypto/cryptosoft.c b/sys/crypto/cryptosoft.c
index edd3d5619c0..42774e19524 100644
--- a/sys/crypto/cryptosoft.c
+++ b/sys/crypto/cryptosoft.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cryptosoft.c,v 1.31 2002/03/05 15:59:41 markus Exp $	*/
+/*	$OpenBSD: cryptosoft.c,v 1.32 2002/03/19 23:24:53 angelos Exp $	*/
 
 /*
  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -105,8 +105,22 @@ swcr_encdec(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
 		if (crd->crd_flags & CRD_F_IV_EXPLICIT)
 			bcopy(crd->crd_iv, iv, blks);
 		else {
-			/* Use IV from context */
-			bcopy(sw->sw_iv, iv, blks);
+			/* Get random IV */
+			for (i = 0;
+			    i + sizeof (u_int32_t) < EALG_MAX_BLOCK_LEN;
+			    i += sizeof (u_int32_t))
+				*((u_int32_t *) (iv + i)) = arc4random();
+			/*
+			 * What if the block size is not a multiple
+			 * of sizeof (u_int32_t), which is the size of
+			 * what arc4random() returns ?
+			 */
+			if (EALG_MAX_BLOCK_LEN % sizeof (u_int32_t) != 0) {
+				u_int32_t temp = arc4random();
+
+				bcopy (&temp, iv + i,
+				    EALG_MAX_BLOCK_LEN - i);
+			}
 		}
 
 		/* Do we need to write the IV */
@@ -364,10 +378,6 @@ swcr_encdec(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
 		}
 	}
 
-	/* Keep the last block */
-	if (crd->crd_flags & CRD_F_ENCRYPT)
-		bcopy(ivp, sw->sw_iv, blks);
-
 	return 0; /* Done with encryption/decryption */
 }
 
@@ -602,13 +612,7 @@ swcr_newsession(u_int32_t *sid, struct cryptoini *cri)
 		enccommon:
 			txf->setkey(&((*swd)->sw_kschedule), cri->cri_key,
 			    cri->cri_klen / 8);
-			(*swd)->sw_iv = malloc(txf->blocksize, M_CRYPTO_DATA, M_NOWAIT);
-			if ((*swd)->sw_iv == NULL) {
-				swcr_freesession(i);
-				return ENOBUFS;
-			}
 			(*swd)->sw_exf = txf;
-			get_random_bytes((*swd)->sw_iv, txf->blocksize);
 			break;
 	
 		case CRYPTO_MD5_HMAC:
@@ -756,8 +760,6 @@ swcr_freesession(u_int64_t tid)
 
 			if (swd->sw_kschedule)
 				txf->zerokey(&(swd->sw_kschedule));
-			if (swd->sw_iv)
-				free(swd->sw_iv, M_CRYPTO_DATA);
 			break;
 
 		case CRYPTO_MD5_HMAC:
diff --git a/sys/crypto/cryptosoft.h b/sys/crypto/cryptosoft.h
index 6b3fe4b193a..6a445672918 100644
--- a/sys/crypto/cryptosoft.h
+++ b/sys/crypto/cryptosoft.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: cryptosoft.h,v 1.8 2002/03/05 15:59:41 markus Exp $	*/
+/*	$OpenBSD: cryptosoft.h,v 1.9 2002/03/19 23:24:53 angelos Exp $	*/
 
 /*
  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
@@ -36,7 +36,6 @@ struct swcr_data {
 		} SWCR_AUTH;
 		struct {
 			u_int8_t	 *SW_kschedule;
-			u_int8_t	 *SW_iv;
 			struct enc_xform *SW_exf;
 		} SWCR_ENC;
 		struct {
@@ -50,7 +49,6 @@ struct swcr_data {
 #define sw_klen		SWCR_UN.SWCR_AUTH.SW_klen
 #define sw_axf		SWCR_UN.SWCR_AUTH.SW_axf
 #define sw_kschedule	SWCR_UN.SWCR_ENC.SW_kschedule
-#define sw_iv		SWCR_UN.SWCR_ENC.SW_iv
 #define sw_exf		SWCR_UN.SWCR_ENC.SW_exf
 #define sw_size		SWCR_UN.SWCR_COMP.SW_size
 #define sw_cxf		SWCR_UN.SWCR_COMP.SW_cxf