Date:      Thu, 9 Dec 2021 20:17:42 GMT
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 356c922f74bf - main - GMAC: Reset initial hash value and counter in AES_GMAC_Reinit().
Message-ID:  <202112092017.1B9KHgAg053728@gitrepo.freebsd.org>

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=356c922f74bfcece1f139026897a79c62adbdf50

commit 356c922f74bfcece1f139026897a79c62adbdf50
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2021-12-09 19:52:42 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2021-12-09 19:52:42 +0000

    GMAC: Reset initial hash value and counter in AES_GMAC_Reinit().
    
    Previously, these values were only cleared in AES_GMAC_Init(), so a
    second set of operations could reuse the final hash as the initial
    hash.  Currently this bug does not trigger in cryptosoft as existing
    GMAC and GCM operations always use an on-stack auth context
    initialized from a template context.
    
    Reviewed by:    markj
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D33315
---
 sys/opencrypto/gmac.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
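The commit message describes a state-carryover bug: because the old AES_GMAC_Reinit() left agc->hash untouched, a second operation on the same context started from the previous operation's final GHASH value instead of zero. The following model, added here as an illustration and not FreeBSD's own code, reproduces both behaviours side by side. GHASH over GF(2^128) is implemented as in the GCM specification, but the block cipher (rijndaelEncrypt in the kernel) is replaced by a SHA-256 based stand-in so the script runs without dependencies; the key, IV and authenticated data are constructed sample values. The `GmacCtx` class, its `fixed_reinit` flag and the `gmac_tag`/`demonstrate` helpers are this example's own names.

```python
"""Model of the GMAC context-reuse bug fixed in sys/opencrypto/gmac.c.

Constructed illustration, not FreeBSD code.  GHASH is the real GF(2^128)
construction from GCM; the block cipher is a labelled stand-in, because
the point is the per-operation state, not the cipher.
"""
import hashlib

BLOCK_LEN = 16
R = 0xE1 << 120  # GCM reduction constant for x^128 + x^7 + x^2 + x + 1


def gf128_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) with GCM's bit order (MSB of the int is bit 0)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES (constructed, NOT AES): keyed PRF truncated to 16 bytes."""
    return hashlib.sha256(b"toy-block-cipher" + key + block).digest()[:BLOCK_LEN]


class GmacCtx:
    """Mirrors the kernel's struct: hash, counter and the GHASH subkey H."""

    def __init__(self, key: bytes, fixed_reinit: bool):
        self.key = key
        self.fixed_reinit = fixed_reinit
        # H = E_K(0^128)
        self.h = int.from_bytes(block_cipher(key, bytes(BLOCK_LEN)), "big")
        # AES_GMAC_Init() clears both fields; that part was always correct.
        self.hash = 0
        self.counter = bytearray(BLOCK_LEN)

    def reinit(self, iv: bytes) -> None:
        assert len(iv) <= BLOCK_LEN, "passed ivlen too large!"
        if self.fixed_reinit:
            # Post-fix: zero counter, copy IV, set trailing 1, zero hash.
            self.counter = bytearray(BLOCK_LEN)
            self.counter[:len(iv)] = iv
            self.counter[BLOCK_LEN - 1] = 1
            self.hash = 0
        else:
            # Pre-fix: only the IV bytes are copied; hash carries over.
            self.counter[:len(iv)] = iv

    def update(self, data: bytes) -> None:
        """GHASH absorbs 16-byte blocks, zero-padding the last one."""
        for off in range(0, len(data), BLOCK_LEN):
            blk = data[off:off + BLOCK_LEN].ljust(BLOCK_LEN, b"\0")
            self.hash = gf128_mul(self.hash ^ int.from_bytes(blk, "big"), self.h)

    def final(self, aad_len: int) -> bytes:
        """Tag = GHASH(AAD || len block) XOR E_K(counter)."""
        if not self.fixed_reinit:
            # Pre-fix AES_GMAC_Final() set the counter byte itself.
            self.counter[BLOCK_LEN - 1] = 1
        len_block = (aad_len * 8) << 64  # [len(A)]_64 || [len(C)=0]_64
        self.hash = gf128_mul(self.hash ^ len_block, self.h)
        enc = int.from_bytes(block_cipher(self.key, bytes(self.counter)), "big")
        return (self.hash ^ enc).to_bytes(BLOCK_LEN, "big")


def gmac_tag(ctx: GmacCtx, iv: bytes, aad: bytes) -> bytes:
    """One Reinit/Update/Final cycle, as a driver would issue it."""
    ctx.reinit(iv)
    ctx.update(aad)
    return ctx.final(len(aad))


def demonstrate() -> dict:
    """Tag the same input twice on one context, pre-fix and post-fix."""
    key = b"\x11" * 16                      # constructed sample key
    iv = b"\x22" * 12                       # constructed 96-bit IV
    aad = b"constructed authenticated data"  # constructed sample AAD
    results = {}
    for name, fixed in (("buggy", False), ("fixed", True)):
        ctx = GmacCtx(key, fixed)
        first = gmac_tag(ctx, iv, aad)
        second = gmac_tag(ctx, iv, aad)  # same context, same inputs
        results[name] = (first, second)
    return results


if __name__ == "__main__":
    for name, (t1, t2) in demonstrate().items():
        print(f"{name}: tags {'match' if t1 == t2 else 'DIFFER'}")
```

With the pre-fix Reinit, the second tag differs from the first because GHASH starts from the stale final value; with the fixed Reinit the two tags agree, and both equal the first tag of a freshly initialised context, which is why the bug is invisible when every operation uses a fresh on-stack context copied from a template, as the commit message notes.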

diff --git a/sys/opencrypto/gmac.c b/sys/opencrypto/gmac.c
index 07fa6bffb6e7..690be855288b 100644
--- a/sys/opencrypto/gmac.c
+++ b/sys/opencrypto/gmac.c
@@ -70,7 +70,11 @@ AES_GMAC_Reinit(void *ctx, const uint8_t *iv, u_int ivlen)
 
 	agc = ctx;
 	KASSERT(ivlen <= sizeof agc->counter, ("passed ivlen too large!"));
+	memset(agc->counter, 0, sizeof(agc->counter));
 	bcopy(iv, agc->counter, ivlen);
+	agc->counter[GMAC_BLOCK_LEN - 1] = 1;
+
+	memset(&agc->hash, 0, sizeof(agc->hash));
 }
 
 int
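Review bot: the ivlen bound and the trailing-byte write now interact in a way worth an explicit check. KASSERT(ivlen <= sizeof agc->counter, ...) still admits ivlen == GMAC_BLOCK_LEN, and the new `agc->counter[GMAC_BLOCK_LEN - 1] = 1;` then silently overwrites the last IV byte; since the memset plus bcopy plus final 1 only makes sense for a short IV, tightening the assertion to `ivlen < GMAC_BLOCK_LEN` (or documenting the 96-bit IV requirement above the function) would make the intent clear, and a one-line comment that the memset answers the old "XXX - zero additional bytes?" question in AES_GMAC_Final would help the next reader.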
@@ -118,9 +122,7 @@ AES_GMAC_Final(uint8_t *digest, void *ctx)
 	uint8_t enccntr[GMAC_BLOCK_LEN];
 	struct gf128 a;
 
-	/* XXX - zero additional bytes? */
 	agc = ctx;
-	agc->counter[GMAC_BLOCK_LEN - 1] = 1;
 
 	rijndaelEncrypt(agc->keysched, agc->rounds, agc->counter, enccntr);
 	a = gf128_add(agc->hash, gf128_read(enccntr));
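Review bot: with `agc->counter[GMAC_BLOCK_LEN - 1] = 1;` removed from AES_GMAC_Final, the final block now depends on AES_GMAC_Reinit() having run, but the diff does not show AES_GMAC_Init(); please confirm (and state in the commit message) that Init either calls Reinit or sets the trailing counter byte itself, otherwise a context that is only Init'ed and never Reinit'ed would encrypt an all-zero counter block here.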


