Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 6 Jul 2015 19:30:30 +0000 (UTC)
From:      John-Mark Gurney <jmg@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r285216 - head/sys/crypto/aesni
Message-ID:  <201507061930.t66JUU5D046062@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: jmg
Date: Mon Jul  6 19:30:29 2015
New Revision: 285216
URL: https://svnweb.freebsd.org/changeset/base/285216

Log:
  Fix for non-random IV's when CRD_F_IV_PRESENT and CRD_F_IV_EXPLICIT
  flags are not specified... This bug was introduced in r275732...
  
  This only affects IPsec ESP only policies w/ the aesni module loaded,
  other subsystems specify one or both of the flags...
  
  Reviewed by:	gnn, delphij, eri

Modified:
  head/sys/crypto/aesni/aesni.c
  head/sys/crypto/aesni/aesni.h

Modified: head/sys/crypto/aesni/aesni.c
==============================================================================
--- head/sys/crypto/aesni/aesni.c	Mon Jul  6 19:17:56 2015	(r285215)
+++ head/sys/crypto/aesni/aesni.c	Mon Jul  6 19:30:29 2015	(r285216)
@@ -450,6 +450,7 @@ static int
 aesni_cipher_process(struct aesni_session *ses, struct cryptodesc *enccrd,
     struct cryptodesc *authcrd, struct cryptop *crp)
 {
+	uint8_t iv[AES_BLOCK_LEN];
 	uint8_t tag[GMAC_DIGEST_LEN];
 	struct thread *td;
 	uint8_t *buf, *authbuf;
@@ -504,15 +505,23 @@ aesni_cipher_process(struct aesni_sessio
 		break;
 	}
 
-	/* Setup ses->iv */
-	bzero(ses->iv, sizeof ses->iv);
-	if ((enccrd->crd_flags & CRD_F_IV_EXPLICIT) != 0)
-		bcopy(enccrd->crd_iv, ses->iv, ivlen);
-	else if (encflag && ((enccrd->crd_flags & CRD_F_IV_PRESENT) != 0))
-		arc4rand(ses->iv, ivlen, 0);
-	else
-		crypto_copydata(crp->crp_flags, crp->crp_buf,
-		    enccrd->crd_inject, ivlen, ses->iv);
+	/* Setup iv */
+	if (encflag) {
+		if ((enccrd->crd_flags & CRD_F_IV_EXPLICIT) != 0)
+			bcopy(enccrd->crd_iv, iv, ivlen);
+		else
+			arc4rand(iv, ivlen, 0);
+		
+		if ((enccrd->crd_flags & CRD_F_IV_PRESENT) == 0)
+			crypto_copyback(crp->crp_flags, crp->crp_buf,
+			    enccrd->crd_inject, ivlen, iv);
+	} else {
+		if ((enccrd->crd_flags & CRD_F_IV_EXPLICIT) != 0)
+			bcopy(enccrd->crd_iv, iv, ivlen);
+		else
+			crypto_copydata(crp->crp_flags, crp->crp_buf,
+			    enccrd->crd_inject, ivlen, iv);
+	}
 
 	if (authcrd != NULL && !encflag)
 		crypto_copydata(crp->crp_flags, crp->crp_buf,
@@ -525,33 +534,33 @@ aesni_cipher_process(struct aesni_sessio
 	case CRYPTO_AES_CBC:
 		if (encflag)
 			aesni_encrypt_cbc(ses->rounds, ses->enc_schedule,
-			    enccrd->crd_len, buf, buf, ses->iv);
+			    enccrd->crd_len, buf, buf, iv);
 		else
 			aesni_decrypt_cbc(ses->rounds, ses->dec_schedule,
-			    enccrd->crd_len, buf, ses->iv);
+			    enccrd->crd_len, buf, iv);
 		break;
 	case CRYPTO_AES_ICM:
 		/* encryption & decryption are the same */
 		aesni_encrypt_icm(ses->rounds, ses->enc_schedule,
-		    enccrd->crd_len, buf, buf, ses->iv);
+		    enccrd->crd_len, buf, buf, iv);
 		break;
 	case CRYPTO_AES_XTS:
 		if (encflag)
 			aesni_encrypt_xts(ses->rounds, ses->enc_schedule,
 			    ses->xts_schedule, enccrd->crd_len, buf, buf,
-			    ses->iv);
+			    iv);
 		else
 			aesni_decrypt_xts(ses->rounds, ses->dec_schedule,
 			    ses->xts_schedule, enccrd->crd_len, buf, buf,
-			    ses->iv);
+			    iv);
 		break;
 	case CRYPTO_AES_NIST_GCM_16:
 		if (encflag)
-			AES_GCM_encrypt(buf, buf, authbuf, ses->iv, tag,
+			AES_GCM_encrypt(buf, buf, authbuf, iv, tag,
 			    enccrd->crd_len, authcrd->crd_len, ivlen,
 			    ses->enc_schedule, ses->rounds);
 		else {
-			if (!AES_GCM_decrypt(buf, buf, authbuf, ses->iv, tag,
+			if (!AES_GCM_decrypt(buf, buf, authbuf, iv, tag,
 			    enccrd->crd_len, authcrd->crd_len, ivlen,
 			    ses->enc_schedule, ses->rounds))
 				error = EBADMSG;
@@ -563,13 +572,6 @@ aesni_cipher_process(struct aesni_sessio
 		crypto_copyback(crp->crp_flags, crp->crp_buf, enccrd->crd_skip,
 		    enccrd->crd_len, buf);
 
-	/*
-	 * OpenBSD doesn't copy this back.  This primes the IV for the next
-	 * chain.  Why do we not do it for decrypt?
-	 */
-	if (encflag && enccrd->crd_alg == CRYPTO_AES_CBC)
-		bcopy(buf + enccrd->crd_len - AES_BLOCK_LEN, ses->iv, AES_BLOCK_LEN);
-
 	if (!error && authcrd != NULL) {
 		crypto_copyback(crp->crp_flags, crp->crp_buf,
 		    authcrd->crd_inject, GMAC_DIGEST_LEN, tag);

Modified: head/sys/crypto/aesni/aesni.h
==============================================================================
--- head/sys/crypto/aesni/aesni.h	Mon Jul  6 19:17:56 2015	(r285215)
+++ head/sys/crypto/aesni/aesni.h	Mon Jul  6 19:30:29 2015	(r285216)
@@ -56,7 +56,6 @@ struct aesni_session {
 	uint8_t enc_schedule[AES_SCHED_LEN] __aligned(16);
 	uint8_t dec_schedule[AES_SCHED_LEN] __aligned(16);
 	uint8_t xts_schedule[AES_SCHED_LEN] __aligned(16);
-	uint8_t iv[AES_BLOCK_LEN];
 	int algo;
 	int rounds;
 	/* uint8_t *ses_ictx; */



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201507061930.t66JUU5D046062>