Module Name:    src
Committed By:   riastradh
Date:           Sun Jun 14 23:20:15 UTC 2020

Modified Files:
        src/sys/arch/x86/x86: via_padlock.c

Log Message:
padlock(4): Don't use prev msg's last block as IV for next msg in CBC.

This violates the security contract of the CBC construction, which
requires that the IV be unpredictable to the adversary before the message
is encrypted; an adaptive chosen-plaintext adversary who observes the last
ciphertext block of one message knows the IV of the next, and can use that
to verify guesses about its first plaintext block.

XXX Compile-tested only.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/sys/arch/x86/x86/via_padlock.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/x86/x86/via_padlock.c
diff -u src/sys/arch/x86/x86/via_padlock.c:1.28 src/sys/arch/x86/x86/via_padlock.c:1.29
--- src/sys/arch/x86/x86/via_padlock.c:1.28	Sat Mar  7 13:28:45 2020
+++ src/sys/arch/x86/x86/via_padlock.c	Sun Jun 14 23:20:15 2020
@@ -1,5 +1,5 @@
 /*	$OpenBSD: via.c,v 1.8 2006/11/17 07:47:56 tom Exp $	*/
-/*	$NetBSD: via_padlock.c,v 1.28 2020/03/07 13:28:45 maya Exp $ */
+/*	$NetBSD: via_padlock.c,v 1.29 2020/06/14 23:20:15 riastradh Exp $ */
 
 /*-
  * Copyright (c) 2003 Jason Wright
@@ -20,7 +20,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: via_padlock.c,v 1.28 2020/03/07 13:28:45 maya Exp $");
+__KERNEL_RCSID(0, "$NetBSD: via_padlock.c,v 1.29 2020/06/14 23:20:15 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -191,7 +191,6 @@ via_padlock_crypto_newsession(void *arg,
 				C3_CRYPT_CWLO_KEYGEN_SW |
 				C3_CRYPT_CWLO_NORMAL;
 
-			cprng_fast(ses->ses_iv, sizeof(ses->ses_iv));
 			ses->ses_klen = c->cri_klen;
 			ses->ses_cw0 = cw0;
 
@@ -384,7 +383,7 @@ via_padlock_crypto_encdec(struct cryptop
 		if (crd->crd_flags & CRD_F_IV_EXPLICIT)
 			memcpy(sc->op_iv, crd->crd_iv, 16);
 		else
-			memcpy(sc->op_iv, ses->ses_iv, 16);
+			cprng_fast(sc->op_iv, 16);
 
 		if ((crd->crd_flags & CRD_F_IV_PRESENT) == 0) {
 			if (crp->crp_flags & CRYPTO_F_IMBUF)
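Review bot: The IV drawn by `cprng_fast(sc->op_iv, 16)` is only written back to the request when the `CRD_F_IV_PRESENT` test two lines below is false, so a caller that sets CRD_F_IV_PRESENT without CRD_F_IV_EXPLICIT has its data encrypted under a random IV it never learns; before this change that IV was at least recoverable as the previous message's last block, now it is lost. This appears to be the encrypt branch (the copy-back only makes sense there), in which case that flag combination is presumably not a supported contract and would be clearer rejected up front, e.g. `if ((crd->crd_flags & (CRD_F_IV_PRESENT | CRD_F_IV_EXPLICIT)) == CRD_F_IV_PRESENT) return EINVAL;` adapted to this function's error convention, or at minimum documented with `/* IV chosen here is never returned if CRD_F_IV_PRESENT is set without CRD_F_IV_EXPLICIT */`. The literal 16 now appears on both the explicit-IV copy and the random draw; a named AES block-size constant would keep the IV length tied to the cipher. The enclosing via_padlock_crypto_encdec body continues outside this hunk.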
@@ -439,21 +438,6 @@ via_padlock_crypto_encdec(struct cryptop
 		memcpy((char *)crp->crp_buf + crd->crd_skip, sc->op_buf,
 		    crd->crd_len);
 
-	/* copy out last block for use as next session IV */
-	if (crd->crd_flags & CRD_F_ENCRYPT) {
-		if (crp->crp_flags & CRYPTO_F_IMBUF)
-			m_copydata((struct mbuf *)crp->crp_buf,
-			    crd->crd_skip + crd->crd_len - 16, 16,
-			    ses->ses_iv);
-		else if (crp->crp_flags & CRYPTO_F_IOV)
-			cuio_copydata((struct uio *)crp->crp_buf,
-			    crd->crd_skip + crd->crd_len - 16, 16,
-			    ses->ses_iv);
-		else
-			memcpy(ses->ses_iv, (char *)crp->crp_buf +
-			    crd->crd_skip + crd->crd_len - 16, 16);
-	}
-
 	if (sc->op_buf != NULL) {
 		memset(sc->op_buf, 0, crd->crd_len);
 		free(sc->op_buf, M_DEVBUF);
