From: John-Mark Gurney Date: Mon, 6 Jul 2015 19:30:30 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r285216 - head/sys/crypto/aesni X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Jul 2015 19:30:30 -0000 Author: jmg Date: Mon Jul 6 19:30:29 2015 New Revision: 285216 URL: https://svnweb.freebsd.org/changeset/base/285216 Log: Fix for non-random IV's when CRD_F_IV_PRESENT and CRD_F_IV_EXPLICIT flags are not specified... This bug was introduced in r275732... This only affects IPsec ESP only policies w/ the aesni module loaded, other subsystems specify one or both of the flags... Reviewed by: gnn, delphij, eri Modified: head/sys/crypto/aesni/aesni.c head/sys/crypto/aesni/aesni.h Modified: head/sys/crypto/aesni/aesni.c ============================================================================== --- head/sys/crypto/aesni/aesni.c Mon Jul 6 19:17:56 2015 (r285215) +++ head/sys/crypto/aesni/aesni.c Mon Jul 6 19:30:29 2015 (r285216) @@ -450,6 +450,7 @@ static int aesni_cipher_process(struct aesni_session *ses, struct cryptodesc *enccrd, struct cryptodesc *authcrd, struct cryptop *crp) { + uint8_t iv[AES_BLOCK_LEN]; uint8_t tag[GMAC_DIGEST_LEN]; struct thread *td; uint8_t *buf, *authbuf; 
@@ -504,15 +505,23 @@ aesni_cipher_process(struct aesni_sessio
 break;
 }
 
- /* Setup ses->iv */
- bzero(ses->iv, sizeof ses->iv);
- if ((enccrd->crd_flags & CRD_F_IV_EXPLICIT) != 0)
- bcopy(enccrd->crd_iv, ses->iv, ivlen);
- else if (encflag && ((enccrd->crd_flags & CRD_F_IV_PRESENT) != 0))
- arc4rand(ses->iv, ivlen, 0);
- else
- crypto_copydata(crp->crp_flags, crp->crp_buf,
- enccrd->crd_inject, ivlen, ses->iv);
+ /* Setup iv */
+ if (encflag) {
+ if ((enccrd->crd_flags & CRD_F_IV_EXPLICIT) != 0)
+ bcopy(enccrd->crd_iv, iv, ivlen);
+ else
+ arc4rand(iv, ivlen, 0);
+
+ if ((enccrd->crd_flags & CRD_F_IV_PRESENT) == 0)
+ crypto_copyback(crp->crp_flags, crp->crp_buf,
+ enccrd->crd_inject, ivlen, iv);
+ } else {
+ if ((enccrd->crd_flags & CRD_F_IV_EXPLICIT) != 0)
+ bcopy(enccrd->crd_iv, iv, ivlen);
+ else
+ crypto_copydata(crp->crp_flags, crp->crp_buf,
+ enccrd->crd_inject, ivlen, iv);
+ }
 
 if (authcrd != NULL && !encflag)
 crypto_copydata(crp->crp_flags, crp->crp_buf,
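Review bot: The new stack array `iv` is never cleared, whereas the removed code ran `bzero(ses->iv, sizeof ses->iv)` first, so when `ivlen` is smaller than `AES_BLOCK_LEN` the bytes past `ivlen` hold whatever was on the stack. `ivlen` is assigned outside this hunk, so either confirm that each cipher routine called later reads only `ivlen` bytes, or keep the old guarantee with `bzero(iv, sizeof iv);` ahead of `if (encflag) {` (the declaration itself is in the first hunk). The `/* Setup iv */` comment could also state the contract the branches implement, e.g. `/* Encrypt: crd_iv if IV_EXPLICIT, else random; copied to crd_inject unless IV_PRESENT. Decrypt: crd_iv if IV_EXPLICIT, else read from crd_inject. */`. The function body starts and ends outside this hunk.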
@@ -525,33 +534,33 @@ aesni_cipher_process(struct aesni_sessio case CRYPTO_AES_CBC: if (encflag) aesni_encrypt_cbc(ses->rounds, ses->enc_schedule, - enccrd->crd_len, buf, buf, ses->iv); + enccrd->crd_len, buf, buf, iv); else aesni_decrypt_cbc(ses->rounds, ses->dec_schedule, - enccrd->crd_len, buf, ses->iv); + enccrd->crd_len, buf, iv); break; case CRYPTO_AES_ICM: /* encryption & decryption are the same */ aesni_encrypt_icm(ses->rounds, ses->enc_schedule, - enccrd->crd_len, buf, buf, ses->iv); + enccrd->crd_len, buf, buf, iv); break; case CRYPTO_AES_XTS: if (encflag) aesni_encrypt_xts(ses->rounds, ses->enc_schedule, ses->xts_schedule, enccrd->crd_len, buf, buf, - ses->iv); + iv); else aesni_decrypt_xts(ses->rounds, ses->dec_schedule, ses->xts_schedule, enccrd->crd_len, buf, buf, - ses->iv); + iv); break; case CRYPTO_AES_NIST_GCM_16: if (encflag) - AES_GCM_encrypt(buf, buf, authbuf, ses->iv, tag, + AES_GCM_encrypt(buf, buf, authbuf, iv, tag, enccrd->crd_len, authcrd->crd_len, ivlen, ses->enc_schedule, ses->rounds); else { - if (!AES_GCM_decrypt(buf, buf, authbuf, ses->iv, tag, + if (!AES_GCM_decrypt(buf, buf, authbuf, iv, tag, enccrd->crd_len, authcrd->crd_len, ivlen, ses->enc_schedule, ses->rounds)) error = EBADMSG; 
@@ -563,13 +572,6 @@ aesni_cipher_process(struct aesni_sessio crypto_copyback(crp->crp_flags, crp->crp_buf, enccrd->crd_skip, enccrd->crd_len, buf); - /* - * OpenBSD doesn't copy this back. This primes the IV for the next - * chain. Why do we not do it for decrypt? - */ - if (encflag && enccrd->crd_alg == CRYPTO_AES_CBC) - bcopy(buf + enccrd->crd_len - AES_BLOCK_LEN, ses->iv, AES_BLOCK_LEN); - if (!error && authcrd != NULL) { crypto_copyback(crp->crp_flags, crp->crp_buf, authcrd->crd_inject, GMAC_DIGEST_LEN, tag); Modified: head/sys/crypto/aesni/aesni.h ============================================================================== --- head/sys/crypto/aesni/aesni.h Mon Jul 6 19:17:56 2015 (r285215) +++ head/sys/crypto/aesni/aesni.h Mon Jul 6 19:30:29 2015 (r285216) @@ -56,7 +56,6 @@ struct aesni_session { uint8_t enc_schedule[AES_SCHED_LEN] __aligned(16); uint8_t dec_schedule[AES_SCHED_LEN] __aligned(16); uint8_t xts_schedule[AES_SCHED_LEN] __aligned(16); - uint8_t iv[AES_BLOCK_LEN]; int algo; int rounds; /* uint8_t *ses_ictx; */