authorMark Johnston <markj@FreeBSD.org>2021-04-27 00:04:25 +0000
committerMark Johnston <markj@FreeBSD.org>2021-04-27 19:10:16 +0000
commit62e32cf9140e6c13663dcd69ec3b3c7ca4579782 (patch)
treefa9ea65dba49f4df62fb763bde9e2d67421505cd
parent2414241b0e56cae959710f13903597f767b53e54 (diff)
aesni: Avoid modifying session keys in hmac_update()
Otherwise aesni_process() is not thread-safe for AES+SHA-HMAC transforms, since hmac_update() updates the caller-supplied key directly to create the derived key. Use a buffer on the stack to store a copy of the key used for computing inner and outer digests. This is a direct commit to stable/12 as the bug is not present in later branches. Reviewed by: kib Differential Revision: https://reviews.freebsd.org/D30001
-rw-r--r--sys/crypto/aesni/aesni.c18
-rw-r--r--sys/crypto/aesni/aesni.h6
2 files changed, 14 insertions, 10 deletions
diff --git a/sys/crypto/aesni/aesni.c b/sys/crypto/aesni/aesni.c
index 76e637861879..594aa59b7046 100644
--- a/sys/crypto/aesni/aesni.c
+++ b/sys/crypto/aesni/aesni.c
@@ -655,10 +655,10 @@ hmac_internal(void *ctx, uint32_t *res,
{
size_t i;
- for (i = 0; i < 64; i++)
+ for (i = 0; i < AESNI_SHA_BLOCK_LEN; i++)
key[i] ^= xorbyte;
- update(ctx, key, 64);
- for (i = 0; i < 64; i++)
+ update(ctx, key, AESNI_SHA_BLOCK_LEN);
+ for (i = 0; i < AESNI_SHA_BLOCK_LEN; i++)
key[i] ^= xorbyte;
crypto_apply(crpflags, __DECONST(void *, buf), off, buflen,
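Review bot: hmac_internal still writes through `key` in both loops of this hunk (XOR the pad byte in, call update, XOR it back out), so the thread-safety fix rests entirely on every caller passing private storage rather than `ses->hmac_key`, and nothing at the function states that requirement. A comment above the definition such as `/* key is XORed in place with xorbyte and restored before return; the intermediate state is visible to other CPUs, so callers must pass a private copy, never the session's key. */` would keep a future caller from reintroducing the race. The definition of hmac_internal starts and ends outside this hunk.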
@@ -883,6 +883,7 @@ aesni_cipher_mac(struct aesni_session *ses, struct cryptodesc *crd,
struct SHA256Context sha2 __aligned(16);
struct sha1_ctxt sha1 __aligned(16);
} sctx;
+ uint8_t hmac_key[AESNI_SHA_BLOCK_LEN] __aligned(16);
uint32_t res[SHA2_256_HASH_LEN / sizeof(uint32_t)];
int hashlen, error;
void *ctx;
@@ -946,15 +947,16 @@ aesni_cipher_mac(struct aesni_session *ses, struct cryptodesc *crd,
}
if (hmac) {
+ memcpy(hmac_key, ses->hmac_key, AESNI_SHA_BLOCK_LEN);
+
/* Inner hash: (K ^ IPAD) || data */
InitFn(ctx);
- hmac_internal(ctx, res, UpdateFn, FinalizeFn, ses->hmac_key,
- 0x36, crp->crp_buf, crd->crd_skip, crd->crd_len,
- crp->crp_flags);
+ hmac_internal(ctx, res, UpdateFn, FinalizeFn, hmac_key, 0x36,
+ crp->crp_buf, crd->crd_skip, crd->crd_len, crp->crp_flags);
/* Outer hash: (K ^ OPAD) || inner hash */
InitFn(ctx);
- hmac_internal(ctx, res, UpdateFn, FinalizeFn, ses->hmac_key,
- 0x5C, res, 0, hashlen, 0);
+ hmac_internal(ctx, res, UpdateFn, FinalizeFn, hmac_key, 0x5C,
+ res, 0, hashlen, 0);
} else {
InitFn(ctx);
crypto_apply(crp->crp_flags, crp->crp_buf, crd->crd_skip,
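Review bot: The new stack copy `hmac_key` holds the raw HMAC key for the remainder of aesni_cipher_mac and is not cleared anywhere in this hunk, so the key material remains on the kernel stack after the function returns. After the outer hmac_internal call the copy has no further use; `explicit_bzero(hmac_key, sizeof(hmac_key));` at the end of the `if (hmac)` branch would bound its lifetime to the two digest computations. The function continues past this hunk, so this may already be handled further down, but it is not visible here.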
diff --git a/sys/crypto/aesni/aesni.h b/sys/crypto/aesni/aesni.h
index eeb5b4361879..d1e7abaa6062 100644
--- a/sys/crypto/aesni/aesni.h
+++ b/sys/crypto/aesni/aesni.h
@@ -52,12 +52,14 @@
#define AES256_ROUNDS 14
#define AES_SCHED_LEN ((AES256_ROUNDS + 1) * AES_BLOCK_LEN)
+/* SHA1, SHA2-224 and SHA2-256 only. */
+#define AESNI_SHA_BLOCK_LEN 64
+
struct aesni_session {
uint8_t enc_schedule[AES_SCHED_LEN] __aligned(16);
uint8_t dec_schedule[AES_SCHED_LEN] __aligned(16);
uint8_t xts_schedule[AES_SCHED_LEN] __aligned(16);
- /* Same as the SHA256 Blocksize. */
- uint8_t hmac_key[SHA1_BLOCK_LEN] __aligned(16);
+ uint8_t hmac_key[AESNI_SHA_BLOCK_LEN];
int algo;
int rounds;
/* uint8_t *ses_ictx; */
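Review bot: `AESNI_SHA_BLOCK_LEN` is a bare literal 64 that now sizes both the session's `hmac_key` and the stack copy in aesni.c, while the added comment only names the hash families it covers; nothing ties it to the SHA constants the old declaration used. A `CTASSERT(AESNI_SHA_BLOCK_LEN == SHA1_BLOCK_LEN);` next to the define, assuming SHA1_BLOCK_LEN is still in scope here, would catch a mismatch at compile time if a hash with a different block size were later wired into this driver. Dropping `__aligned(16)` from the session field looks safe given the key is now only read through memcpy, but that inference comes from the aesni.c hunks rather than anything in this header.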