Fixes for AES CTR mode from mikeb:
authorthib <thib@openbsd.org>
Thu, 22 Jul 2010 12:47:40 +0000 (12:47 +0000)
committerthib <thib@openbsd.org>
Thu, 22 Jul 2010 12:47:40 +0000 (12:47 +0000)
o Fix up counter increment for buffers larger than 64 bytes, by
  calling the increment routine before loading the IV into the
  encryption routine input register.

o In aesni_encdec() regenerate the IV for every new request.

Also use nice defines instead of magic constants for the size
of ses_iv.

sys/arch/amd64/amd64/aes_intel.S
sys/arch/amd64/amd64/aesni.c

index 9747b8d..6b3c989 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: aes_intel.S,v 1.1 2010/06/29 21:34:11 thib Exp $      */
+/*     $OpenBSD: aes_intel.S,v 1.2 2010/07/22 12:47:40 thib Exp $      */
 
 /*
  * Implement AES algorithm in Intel AES-NI instructions.
@@ -832,17 +832,17 @@ ENTRY(aesni_ctr_enc)
        jb .Lctr_enc_loop1
 .align 4
 .Lctr_enc_loop4:
-       movaps IV, STATE1
        call _aesni_inc
+       movaps IV, STATE1
        movups (INP), IN1
-       movaps IV, STATE2
        call _aesni_inc
+       movaps IV, STATE2
        movups 0x10(INP), IN2
-       movaps IV, STATE3
        call _aesni_inc
+       movaps IV, STATE3
        movups 0x20(INP), IN3
-       movaps IV, STATE4
        call _aesni_inc
+       movaps IV, STATE4
        movups 0x30(INP), IN4
        call _aesni_enc4
        pxor IN1, STATE1
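Review bot: The pre-increment ordering now used in .Lctr_enc_loop4 is only correct if .Lctr_enc_loop1, whose body lies outside this hunk (only its `jb .Lctr_enc_loop1` is visible at the top), advances IV the same way before loading it into STATE, and nothing in the hunk records that invariant. A short comment above `.Lctr_enc_loop4` would keep the two loops from drifting apart again, e.g. `/* IV is advanced before each block is keystreamed; keep in step with .Lctr_enc_loop1 */`. It is also worth confirming that no caller of aesni_ctr_enc depends on the value left in IV after the last block, since moving the increment changes whether IV ends one past the last counter or equal to it (inferred from the register reuse, not visible here).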
index fa74f04..bb84d68 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: aesni.c,v 1.7 2010/07/08 08:15:18 thib Exp $  */
+/*     $OpenBSD: aesni.c,v 1.8 2010/07/22 12:47:40 thib Exp $  */
 /*-
  * Copyright (c) 2003 Jason Wright
  * Copyright (c) 2003, 2004 Theo de Raadt
@@ -46,7 +46,7 @@ struct aesni_sess {
        uint32_t                 ses_dkey[4 * (AES_MAXROUNDS + 1)];
        uint32_t                 ses_klen;
        uint8_t                  ses_nonce[AESCTR_NONCESIZE];
-       uint8_t                  ses_iv[16];
+       uint8_t                  ses_iv[EALG_MAX_BLOCK_LEN];
        int                      ses_sid;
        int                      ses_used;
        struct swcr_data        *ses_swd;
@@ -411,19 +411,25 @@ aesni_encdec(struct cryptop *crp, struct cryptodesc *crd,
        else
                bcopy(buf, crp->crp_buf + crd->crd_skip, crd->crd_len);
 
-       /* Copy out last block for use as next session IV for CBC */
-       if (crd->crd_alg == CRYPTO_AES_CBC && crd->crd_flags & CRD_F_ENCRYPT) {
-               if (crp->crp_flags & CRYPTO_F_IMBUF)
-                       m_copydata((struct mbuf *)crp->crp_buf,
-                           crd->crd_skip + crd->crd_len - ivlen, ivlen,
-                           ses->ses_iv);
-               else if (crp->crp_flags & CRYPTO_F_IOV)
-                       cuio_copydata((struct uio *)crp->crp_buf,
-                           crd->crd_skip + crd->crd_len - ivlen, ivlen,
-                           ses->ses_iv);
-               else
-                       bcopy(crp->crp_buf + crd->crd_skip +
-                           crd->crd_len - ivlen, ses->ses_iv, ivlen);
+       /*
+        * Copy out last block for use as next session IV for CBC,
+        * generate new IV for CTR.
+        */
+       if (crd->crd_flags & CRD_F_ENCRYPT) {
+               if (crd->crd_alg == CRYPTO_AES_CBC) {
+                       if (crp->crp_flags & CRYPTO_F_IMBUF)
+                               m_copydata((struct mbuf *)crp->crp_buf,
+                                   crd->crd_skip + crd->crd_len - ivlen, ivlen,
+                                   ses->ses_iv);
+                       else if (crp->crp_flags & CRYPTO_F_IOV)
+                               cuio_copydata((struct uio *)crp->crp_buf,
+                                   crd->crd_skip + crd->crd_len - ivlen, ivlen,
+                                   ses->ses_iv);
+                       else
+                               bcopy(crp->crp_buf + crd->crd_skip +
+                                   crd->crd_len - ivlen, ses->ses_iv, ivlen);
+               } else if (crd->crd_alg == CRYPTO_AES_CTR)
+                       arc4random_buf(ses->ses_iv, ivlen);
        }
 
 out:
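Review bot: The new CTR branch at the end of the hunk draws a fresh random IV with `arc4random_buf(ses->ses_iv, ivlen)` but leaves no record of the nonce-reuse risk that comes with it: in CTR mode two requests sharing an IV under the same key reuse keystream, and if ivlen is the 8-byte AESCTR_IVSIZE here (the ses_nonce/ses_iv split in the session struct suggests so, but ivlen is assigned outside the hunk) a collision becomes likely on the order of 2^32 requests per key. A comment above the call should say so, e.g. `/* fresh random IV per request; CTR IV reuse leaks keystream, so rekey well before 2^32 requests */`. Note also that ses_iv is only refreshed on the CRD_F_ENCRYPT path, so the first encrypt on a session relies on whatever initialised ses_iv at session setup, which is not in this view. aesni_encdec's body begins outside the hunk.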