From owner-p4-projects@FreeBSD.ORG Fri Sep 19 06:28:25 2014
Date: Fri, 19 Sep 2014 06:28:24 GMT
Message-Id: <201409190628.s8J6SOdH008392@skunkworks.freebsd.org>
From: John-Mark Gurney Subject: PERFORCE change 1200499 for review To: Perforce Change Reviews Precedence: bulk X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.18-1 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2014 06:28:25 -0000 http://p4web.freebsd.org/@@1200499?ac=10 Change 1200499 by jmg@jmg_carbon2 on 2014/09/19 06:28:20 don't directly return, set error and goto out so that we can clean up properly... Move the IV initalization to a common location, and generate a random one when one isn't provided... Previous two items were caught by rrs and friends at Netflix... enforce that both ICM and GCM have an explicit IV... only schedule the decryption key when used... Sponsored by: FreeBSD Foundation Sponsored by: Rubicon Communications, LLC (Netgate) Affected files ... .. //depot/projects/opencrypto/sys/crypto/aesni/aesni.c#8 edit .. //depot/projects/opencrypto/sys/crypto/aesni/aesni_wrap.c#4 edit Differences ... ==== //depot/projects/opencrypto/sys/crypto/aesni/aesni.c#8 (text+ko) ==== @@ -326,7 +326,8 @@ break; default: - return (EINVAL); + error = EINVAL; + goto out; } } @@ -462,7 +463,8 @@ encflag = (enccrd->crd_flags & CRD_F_ENCRYPT) == CRD_F_ENCRYPT; - if (enccrd->crd_alg == CRYPTO_AES_ICM && + if ((enccrd->crd_alg == CRYPTO_AES_ICM || + enccrd->crd_alg == CRYPTO_AES_NIST_GCM_16) && (enccrd->crd_flags & CRD_F_IV_EXPLICIT) == 0) return (EINVAL); @@ -513,6 +515,8 @@ if (encflag) { if ((enccrd->crd_flags & CRD_F_IV_EXPLICIT) != 0) bcopy(enccrd->crd_iv, ses->iv, ivlen); + else + arc4rand(ses->iv, ivlen, 0); if ((enccrd->crd_flags & CRD_F_IV_PRESENT) == 0) crypto_copyback(crp->crp_flags, crp->crp_buf, enccrd->crd_inject, ivlen, ses->iv); ==== //depot/projects/opencrypto/sys/crypto/aesni/aesni_wrap.c#4 (text+ko) ==== 
@@ -438,11 +438,16 @@ aesni_cipher_setup_common(struct aesni_session *ses, const uint8_t *key, int keylen) { + int decsched; + + decsched = 1; switch (ses->algo) { - case CRYPTO_AES_CBC: case CRYPTO_AES_ICM: case CRYPTO_AES_NIST_GCM_16: + decsched = 0; + /* FALLTHROUGH */ + case CRYPTO_AES_CBC: switch (keylen) { case 128: ses->rounds = AES128_ROUNDS; @@ -476,12 +481,11 @@ } aesni_set_enckey(key, ses->enc_schedule, ses->rounds); - aesni_set_deckey(ses->enc_schedule, ses->dec_schedule, ses->rounds); + if (decsched) + aesni_set_deckey(ses->enc_schedule, ses->dec_schedule, + ses->rounds); - /* setup IV */ - if (ses->algo == CRYPTO_AES_CBC || ses->algo == CRYPTO_AES_NIST_GCM_16) - arc4rand(ses->iv, sizeof(ses->iv), 0); - else if (ses->algo == CRYPTO_AES_XTS) + if (ses->algo == CRYPTO_AES_XTS) aesni_set_enckey(key + keylen / 16, ses->xts_schedule, ses->rounds);
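Review bot: in the first aesni.c hunk (@@ -326), replacing `return (EINVAL)` with `error = EINVAL; goto out;` only cleans up properly if the `out:` label, which sits outside the visible context, releases everything allocated or locked before this switch and returns `error`; worth confirming that `error` is declared in that function and that no other early `return` in the same routine still bypasses `out`.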
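Review bot: in the second aesni.c hunk (@@ -462) the extended ICM/GCM check still fails with a bare `return (EINVAL)` while the first hunk converted a similar return into `error = EINVAL; goto out;`; if anything is held at this point the same goto treatment applies, otherwise a short comment stating why a direct return is safe here would keep the two paths from looking inconsistent. Requiring CRD_F_IV_EXPLICIT for GCM is the right call: the driver cannot know the caller's nonce discipline, and a nonce repeated under one GCM key breaks both confidentiality and the authentication tag, so refusing to supply one silently is safer than the old per-session value.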
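Review bot: in the third aesni.c hunk (@@ -513), the new `else arc4rand(ses->iv, ivlen, 0);` branch is reached only when CRD_F_IV_EXPLICIT is clear, which after the @@ -462 check means only the algorithms not covered there (CBC in the visible cases); the generated IV is then written back by the existing crypto_copyback when CRD_F_IV_PRESENT is clear, so the caller can still recover it. A one-line comment above the `else` naming it as the CBC fallback would help, since the reason ICM and GCM never take it lives fifty lines earlier; also check that the decrypt path, which is not in this hunk, never regenerates the IV.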
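Review bot: in the first aesni_wrap.c hunk (@@ -438), `decsched` defaults to 1 and is only cleared for ICM and GCM, so any case not shown in the context (XTS, which does run the inverse cipher for decryption) keeps scheduling the decryption key; that is correct but implicit. Suggest a comment at the declaration such as `/* ICM and GCM only ever run the forward cipher */`, so a later reader does not move CBC into the fall-through group by mistake. The `/* FALLTHROUGH */` marker is good.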
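Review bot: in the second aesni_wrap.c hunk (@@ -476), dropping the `/* setup IV */` block removes the single per-session `arc4rand(ses->iv, ...)` that the old request path fell back on whenever CRD_F_IV_EXPLICIT was clear (the @@ -513 context shows only the bcopy branch), meaning every such request on a session reused the same IV; the per-request generation now in aesni.c fixes that, but ses->iv is left uninitialised at session setup, so make sure no path reads it before either the bcopy or the new arc4rand runs. The wrapped `aesni_set_deckey` call follows style(9) continuation indentation, fine.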