From nobody Thu Dec 9 20:17:42 2021 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id DE71818DA2E3; Thu, 9 Dec 2021 20:17:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4J951g0M23z4qrD; Thu, 9 Dec 2021 20:17:43 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B2305547D; Thu, 9 Dec 2021 20:17:42 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1B9KHgpW053729; Thu, 9 Dec 2021 20:17:42 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1B9KHgAg053728; Thu, 9 Dec 2021 20:17:42 GMT (envelope-from git) Date: Thu, 9 Dec 2021 20:17:42 GMT Message-Id: <202112092017.1B9KHgAg053728@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: John Baldwin Subject: git: 356c922f74bf - main - GMAC: Reset initial hash value and counter in AES_GMAC_Reinit(). List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jhb X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 356c922f74bfcece1f139026897a79c62adbdf50 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1639081063; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=UKs8KyQ7xWLPiv+M8btS2wfj9YgUQ4GVeGs6GyNgjrs=; b=deNuJVZgmDSsoDW/GZWu2T/RY1LVVHs2WGihVXwloqz7++qVmk+lCEPsu1bCaKI7XsorkQ Yts4Yix6CyTcVc10oXj807T1h6myfSCuFZHajjTV3GErNS5dxaDHo2syNZY2agOs4umIs8 gM5EquSZBX0A0CJJkthv2CMuSxQ9oHN4r3s9/JW2gZWuFNThbVY86hEv7fbIlRCc+ibGiG ga/asR3e4JNQJ/11ceGOLyD+FKshezQGAw2Dc8g/2xdPI6a1HF9DWCDTyX072nkSxEuA8D OMIO0v/Dhw+yNdMNUIiZR5bVcMICzQkwZpyuCNWHjTa95x+NcjtucUiId+T20Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1639081063; a=rsa-sha256; cv=none; b=EfPAN29Bq98k3PkPkE1Ug0D3VJj/+jDh3Ux4cCduBxBFd6F2ibmzxoPcFafmoJvkiWzoBN dFUwwAhnTG1svm866H+rn1a/VbFNRXeXpq4XPvivjAs2QvJuLTYM18cubs/1t/VxuM4GOX 8VUvx+HVbooAUWD1GSszbnQ4GafTwsXAdO28VVhOJVi8G+yXdfNTa7BRjj752kBCVJNaf8 deGv6Ulms+YFyVtfbWdf+cJjR5ld2JNtvUB9nvMJBDmoDIbLz7oHPnbJ+8qOlPRdMHmabr F6LqRfuPfX86SJHb0zMXx8qgF1Xm84S2T6Xo+Q+1Ppxo1XBo0KVipET3/yaeeQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=356c922f74bfcece1f139026897a79c62adbdf50 commit 356c922f74bfcece1f139026897a79c62adbdf50 Author: John Baldwin AuthorDate: 2021-12-09 19:52:42 +0000 Commit: John Baldwin CommitDate: 2021-12-09 19:52:42 +0000 GMAC: Reset initial hash value and counter in AES_GMAC_Reinit(). Previously, these values were only cleared in AES_GMAC_Init(), so a second set of operations could reuse the final hash as the initial hash. Currently this bug does not trigger in cryptosoft as existing GMAC and GCM operations always use an on-stack auth context initialized from a template context. Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33315 --- sys/opencrypto/gmac.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sys/opencrypto/gmac.c b/sys/opencrypto/gmac.c index 07fa6bffb6e7..690be855288b 100644 --- a/sys/opencrypto/gmac.c +++ b/sys/opencrypto/gmac.c @@ -70,7 +70,11 @@ AES_GMAC_Reinit(void *ctx, const uint8_t *iv, u_int ivlen) agc = ctx; KASSERT(ivlen <= sizeof agc->counter, ("passed ivlen too large!")); + memset(agc->counter, 0, sizeof(agc->counter)); bcopy(iv, agc->counter, ivlen); + agc->counter[GMAC_BLOCK_LEN - 1] = 1; + + memset(&agc->hash, 0, sizeof(agc->hash)); } int @@ -118,9 +122,7 @@ AES_GMAC_Final(uint8_t *digest, void *ctx) uint8_t enccntr[GMAC_BLOCK_LEN]; struct gf128 a; - /* XXX - zero additional bytes? */ agc = ctx; - agc->counter[GMAC_BLOCK_LEN - 1] = 1; rijndaelEncrypt(agc->keysched, agc->rounds, agc->counter, enccntr); a = gf128_add(agc->hash, gf128_read(enccntr));