Source-Changes-HG archive


[src-draft/trunk]: src/sys/arch/x86/x86 padlock(4): Don't use prev msg's last...



details:   https://anonhg.NetBSD.org/src-all/rev/2bc64456b636
branches:  trunk
changeset: 934597:2bc64456b636
user:      Taylor R Campbell <riastradh%NetBSD.org@localhost>
date:      Sun Jun 14 19:40:32 2020 +0000

description:
padlock(4): Don't use prev msg's last block as IV for next msg in CBC.

Reusing the previous message's last ciphertext block as the next message's
IV violates the security contract of the CBC construction, which requires
that the IV be unpredictable in advance; an adaptive adversary can exploit
this to verify plaintext guesses.

XXX Compile-tested only.

diffstat:

 sys/arch/x86/x86/via_padlock.c |  18 +-----------------
 1 files changed, 1 insertions(+), 17 deletions(-)

diffs (42 lines):

diff -r 6a4cf73107d5 -r 2bc64456b636 sys/arch/x86/x86/via_padlock.c
--- a/sys/arch/x86/x86/via_padlock.c    Sun Jun 14 19:38:54 2020 +0000
+++ b/sys/arch/x86/x86/via_padlock.c    Sun Jun 14 19:40:32 2020 +0000
@@ -191,7 +191,6 @@
                                C3_CRYPT_CWLO_KEYGEN_SW |
                                C3_CRYPT_CWLO_NORMAL;
 
-                       cprng_fast(ses->ses_iv, sizeof(ses->ses_iv));
                        ses->ses_klen = c->cri_klen;
                        ses->ses_cw0 = cw0;
 
@@ -384,7 +383,7 @@
                if (crd->crd_flags & CRD_F_IV_EXPLICIT)
                        memcpy(sc->op_iv, crd->crd_iv, 16);
                else
-                       memcpy(sc->op_iv, ses->ses_iv, 16);
+                       cprng_fast(sc->op_iv, 16);
 
                if ((crd->crd_flags & CRD_F_IV_PRESENT) == 0) {
                        if (crp->crp_flags & CRYPTO_F_IMBUF)
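Review bot: The new `cprng_fast(sc->op_iv, 16);` on the else branch is only right for encryption requests; if this path is also reached for decryption without CRD_F_IV_EXPLICIT (the hunk does not show an enclosing CRD_F_ENCRYPT test, and the deleted copy-out code elsewhere in this commit did distinguish encrypt from decrypt), a freshly generated IV would garble the first decrypted block, and the IV should instead be taken from the data at the injection point. Since the reason for regenerating the IV per request is not obvious from the code, a short comment would help: `/* Fresh unpredictable IV per request; CBC security requires it. */`. If `op_iv` is a fixed-size array, `sizeof(sc->op_iv)` in place of the literal `16` would keep the length tied to the buffer, matching the style of the removed `cprng_fast(ses->ses_iv, sizeof(ses->ses_iv))` call. The enclosing function begins and ends outside the hunk.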
@@ -439,21 +438,6 @@
                memcpy((char *)crp->crp_buf + crd->crd_skip, sc->op_buf,
                    crd->crd_len);
 
-       /* copy out last block for use as next session IV */
-       if (crd->crd_flags & CRD_F_ENCRYPT) {
-               if (crp->crp_flags & CRYPTO_F_IMBUF)
-                       m_copydata((struct mbuf *)crp->crp_buf,
-                           crd->crd_skip + crd->crd_len - 16, 16,
-                           ses->ses_iv);
-               else if (crp->crp_flags & CRYPTO_F_IOV)
-                       cuio_copydata((struct uio *)crp->crp_buf,
-                           crd->crd_skip + crd->crd_len - 16, 16,
-                           ses->ses_iv);
-               else
-                       memcpy(ses->ses_iv, (char *)crp->crp_buf +
-                           crd->crd_skip + crd->crd_len - 16, 16);
-       }
-
        if (sc->op_buf != NULL) {
                memset(sc->op_buf, 0, crd->crd_len);
                free(sc->op_buf, M_DEVBUF);


