Author: sef
Date: Mon Feb 25 19:14:16 2019
New Revision: 344547
URL: https://svnweb.freebsd.org/changeset/base/344547
Log:
Fix another bug introduced during the review process of r344140:
the tag wasn't being computed properly due to chaning a >= comparison
to an == comparison.
Specifically: CBC-MAC encodes the length of the authorization data
into the the stream to be encrypted/hashed. For short data, this is
two bytes (big-endian 16 bit value); for larger data, it's 6 bytes
(a prefix of 0xff, 0xfe, followed by a 32-bit big-endian length). And
there's a larger size, which is 10 bytes. These extra bytes weren't
being accounted for with the post-review code. The other bit that then came
into play was that OCF only calls the Update code with blksiz=16, which
meant that I had to ignore the length variable. (It also means that it
can't be called with a single buffer containing the AAD and payload;
however, OCF doesn't do this for the software-only algorithsm.)
I tested with this script:
ALG=aes-ccm
DEV=soft
for aad in 0 1 2 3 4 14 16 24 30 32 34 36 1020
do
for dln in 16 32 1024 2048 10240
do
echo "Testing AAD length ${aad} data length ${dln}"
/root/cryptocheck -A ${aad} -a ${ALG} -d ${DEV} ${dln}
done
done
Reviewed by: cem
Sponsored by: iXsystems Inc.
Modified:
head/sys/opencrypto/cbc_mac.c
Modified: head/sys/opencrypto/cbc_mac.c
==============================================================================
--- head/sys/opencrypto/cbc_mac.c Mon Feb 25 19:07:52 2019
(r344546)
+++ head/sys/opencrypto/cbc_mac.c Mon Feb 25 19:14:16 2019
(r344547)
@@ -124,23 +124,31 @@ AES_CBC_MAC_Reinit(struct aes_cbc_mac_ctx *ctx, const
rijndaelEncrypt(ctx->keysched, ctx->rounds, b0, ctx->block);
/* If there is auth data, we need to set up the staging block */
if (ctx->authDataLength) {
+ size_t addLength;
if (ctx->authDataLength < ((1<<16) - (1<<8))) {
uint16_t sizeVal = htobe16(ctx->authDataLength);
bcopy(&sizeVal, ctx->staging_block, sizeof(sizeVal));
- ctx->blockIndex = sizeof(sizeVal);
+ addLength = sizeof(sizeVal);
} else if (ctx->authDataLength < (1ULL<<32)) {
uint32_t sizeVal = htobe32(ctx->authDataLength);
ctx->staging_block[0] = 0xff;
ctx->staging_block[1] = 0xfe;
bcopy(&sizeVal, ctx->staging_block+2, sizeof(sizeVal));
- ctx->blockIndex = 2 + sizeof(sizeVal);
+ addLength = 2 + sizeof(sizeVal);
} else {
uint64_t sizeVal = htobe64(ctx->authDataLength);
ctx->staging_block[0] = 0xff;
ctx->staging_block[1] = 0xff;
bcopy(&sizeVal, ctx->staging_block+2, sizeof(sizeVal));
- ctx->blockIndex = 2 + sizeof(sizeVal);
+ addLength = 2 + sizeof(sizeVal);
}
+ ctx->blockIndex = addLength;
+ /*
+ * The length descriptor goes into the AAD buffer, so we
+ * need to account for it.
+ */
+ ctx->authDataLength += addLength;
+ ctx->authDataCount = addLength;
}
}
@@ -181,10 +189,9 @@ AES_CBC_MAC_Update(struct aes_cbc_mac_ctx *ctx, const
ctx->authDataCount += copy_amt;
ctx->blockIndex += copy_amt;
ctx->blockIndex %= sizeof(ctx->staging_block);
- if (ctx->authDataCount == ctx->authDataLength)
- length = 0;
+
if (ctx->blockIndex == 0 ||
- ctx->authDataCount >= ctx->authDataLength) {
+ ctx->authDataCount == ctx->authDataLength) {
/*
* We're done with this block, so we
* xor staging_block with block, and then
@@ -193,8 +200,17 @@ AES_CBC_MAC_Update(struct aes_cbc_mac_ctx *ctx, const
xor_and_encrypt(ctx, ctx->staging_block,
ctx->block);
bzero(ctx->staging_block,
sizeof(ctx->staging_block));
ctx->blockIndex = 0;
+ if (ctx->authDataCount >= ctx->authDataLength)
+ break;
}
}
+ /*
+ * We'd like to be able to check length == 0 and return
+ * here, but the way OCF calls us, length is always
+ * blksize (16, in this case). So we have to count on
+ * the fact that OCF calls us separately for the AAD and
+ * for the real data.
+ */
return (0);
}
/*
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
