From 5aa80da6d9309a6b3da440a3341a051d5918f791 Mon Sep 17 00:00:00 2001
From: thib
Date: Thu, 22 Jul 2010 12:47:40 +0000
Subject: [PATCH] Fixes for AES CTR mode from mikeb:

o Fix up counter increment for buffers larger then 64 bytes, by calling the increment routine before loading the IV into the encryption routine input register.
o In aesni_encdec() regenerate the IV for every new request.

Also use nice defines instead of magic constants for the size of ses_iv.
---
 sys/arch/amd64/amd64/aes_intel.S | 10 ++++-----
 sys/arch/amd64/amd64/aesni.c     | 36 +++++++++++++++++++-------------
 2 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/sys/arch/amd64/amd64/aes_intel.S b/sys/arch/amd64/amd64/aes_intel.S
index 9747b8d93e9..6b3c9897aeb 100644
--- a/sys/arch/amd64/amd64/aes_intel.S
+++ b/sys/arch/amd64/amd64/aes_intel.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_intel.S,v 1.1 2010/06/29 21:34:11 thib Exp $ */
+/* $OpenBSD: aes_intel.S,v 1.2 2010/07/22 12:47:40 thib Exp $ */
 /*
  * Implement AES algorithm in Intel AES-NI instructions.
@@ -832,17 +832,17 @@ ENTRY(aesni_ctr_enc)
 	jb .Lctr_enc_loop1
 .align 4
 .Lctr_enc_loop4:
-	movaps IV, STATE1
 	call _aesni_inc
+	movaps IV, STATE1
 	movups (INP), IN1
-	movaps IV, STATE2
 	call _aesni_inc
+	movaps IV, STATE2
 	movups 0x10(INP), IN2
-	movaps IV, STATE3
 	call _aesni_inc
+	movaps IV, STATE3
 	movups 0x20(INP), IN3
-	movaps IV, STATE4
 	call _aesni_inc
+	movaps IV, STATE4
 	movups 0x30(INP), IN4
 	call _aesni_enc4
 	pxor IN1, STATE1
diff --git a/sys/arch/amd64/amd64/aesni.c b/sys/arch/amd64/amd64/aesni.c
index fa74f041c76..bb84d680e54 100644
--- a/sys/arch/amd64/amd64/aesni.c
+++ b/sys/arch/amd64/amd64/aesni.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aesni.c,v 1.7 2010/07/08 08:15:18 thib Exp $ */
+/* $OpenBSD: aesni.c,v 1.8 2010/07/22 12:47:40 thib Exp $ */
 /*-
  * Copyright (c) 2003 Jason Wright
  * Copyright (c) 2003, 2004 Theo de Raadt
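Review bot: The reordered `.Lctr_enc_loop4` now bumps the counter before each of the four `movaps IV, STATEn` loads, so the first block of every four-block iteration is keyed under IV+1 rather than IV; that is only right if the single-block tail loop `.Lctr_enc_loop1` (above this hunk, not visible here) and the initial counter the caller loads into IV follow the same pre-increment convention, and the hunk cannot show either. This is exactly the kind of ordering a later reader will be tempted to "tidy" back, so it deserves a comment at the label: `/* IV is pre-incremented: bump the counter before each load so all four blocks, and the tail loop after them, use distinct counter values. */`. Correctness also rests on `_aesni_inc` (width and byte order of the increment), which lives outside the hunk; both loops must agree with it. Note that this routine only guarantees distinct counters within one buffer; never repeating a counter block across requests under the same key is the caller's job.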
@@ -46,7 +46,7 @@ struct aesni_sess {
 	uint32_t ses_dkey[4 * (AES_MAXROUNDS + 1)];
 	uint32_t ses_klen;
 	uint8_t ses_nonce[AESCTR_NONCESIZE];
-	uint8_t ses_iv[16];
+	uint8_t ses_iv[EALG_MAX_BLOCK_LEN];
 	int ses_sid;
 	int ses_used;
 	struct swcr_data *ses_swd;
@@ -411,19 +411,25 @@ aesni_encdec(struct cryptop *crp, struct cryptodesc *crd,
 	else
 		bcopy(buf, crp->crp_buf + crd->crd_skip, crd->crd_len);
 
-	/* Copy out last block for use as next session IV for CBC */
-	if (crd->crd_alg == CRYPTO_AES_CBC && crd->crd_flags & CRD_F_ENCRYPT) {
-		if (crp->crp_flags & CRYPTO_F_IMBUF)
-			m_copydata((struct mbuf *)crp->crp_buf,
-			    crd->crd_skip + crd->crd_len - ivlen, ivlen,
-			    ses->ses_iv);
-		else if (crp->crp_flags & CRYPTO_F_IOV)
-			cuio_copydata((struct uio *)crp->crp_buf,
-			    crd->crd_skip + crd->crd_len - ivlen, ivlen,
-			    ses->ses_iv);
-		else
-			bcopy(crp->crp_buf + crd->crd_skip +
-			    crd->crd_len - ivlen, ses->ses_iv, ivlen);
+	/*
+	 * Copy out last block for use as next session IV for CBC,
+	 * generate new IV for CTR.
+	 */
+	if (crd->crd_flags & CRD_F_ENCRYPT) {
+		if (crd->crd_alg == CRYPTO_AES_CBC) {
+			if (crp->crp_flags & CRYPTO_F_IMBUF)
+				m_copydata((struct mbuf *)crp->crp_buf,
+				    crd->crd_skip + crd->crd_len - ivlen, ivlen,
+				    ses->ses_iv);
+			else if (crp->crp_flags & CRYPTO_F_IOV)
+				cuio_copydata((struct uio *)crp->crp_buf,
+				    crd->crd_skip + crd->crd_len - ivlen, ivlen,
+				    ses->ses_iv);
+			else
+				bcopy(crp->crp_buf + crd->crd_skip +
+				    crd->crd_len - ivlen, ses->ses_iv, ivlen);
+		} else if (crd->crd_alg == CRYPTO_AES_CTR)
+			arc4random_buf(ses->ses_iv, ivlen);
 	}
 
 out:
-- 
2.20.1
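Review bot: `ses_iv` gains a symbolic size but still no comment, and its role cannot be read off the struct alone; suggest `uint8_t ses_iv[EALG_MAX_BLOCK_LEN]; /* IV for the next encrypt request: last ciphertext block (CBC) or fresh random bytes (CTR) */`, which matches what the tail of aesni_encdec() in this same patch writes into it. Nothing in this hunk ties `ivlen`, the number of bytes written there, to EALG_MAX_BLOCK_LEN, so that bound is presumably enforced at session setup and is worth a one-line note here. The `struct aesni_sess` definition begins before this hunk.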
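Review bot: The new CTR branch seeds the next request's IV with `arc4random_buf(ses->ses_iv, ivlen)`, which turns non-repetition of counter blocks under a session key from a structural guarantee into a probabilistic one: if `ivlen` is the 8-byte RFC 3686 IV it presumably is here, a repeat is expected around 2^32 requests, whereas a per-session counter would never repeat, and a repeated counter block under CTR leaks the XOR of the two plaintexts. The new comment should at least state that trade-off, e.g. `* Generate a fresh random IV for CTR: a repeat under the same key exposes keystream, so sessions must be rekeyed well before the birthday bound.`. Note also that `ses_iv` is refreshed only on the success path after the copy-out and only for encrypt requests, so a request that jumped to `out:` earlier leaves the previous IV in place for the next one; whether that IV has already been consumed depends on code outside this hunk. aesni_encdec()'s body starts before this hunk, where `ivlen` is set, and continues after `out:`.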