git: e718aa62a3eb - stable/13 - GMAC: Reset initial hash value and counter in AES_GMAC_Reinit().
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 29 Apr 2022 20:55:05 UTC
The branch stable/13 has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=e718aa62a3eb06519b63eb09d4add042df3b25f1
commit e718aa62a3eb06519b63eb09d4add042df3b25f1
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2021-12-09 19:52:42 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-04-29 20:50:04 +0000
GMAC: Reset initial hash value and counter in AES_GMAC_Reinit().
Previously, these values were only cleared in AES_GMAC_Init(), so a
second set of operations could reuse the final hash as the initial
hash. Currently this bug does not trigger in cryptosoft as existing
GMAC and GCM operations always use an on-stack auth context
initialized from a template context.
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33315
(cherry picked from commit 356c922f74bfcece1f139026897a79c62adbdf50)
---
sys/opencrypto/gmac.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/opencrypto/gmac.c b/sys/opencrypto/gmac.c
index 07fa6bffb6e7..690be855288b 100644
--- a/sys/opencrypto/gmac.c
+++ b/sys/opencrypto/gmac.c
@@ -70,7 +70,11 @@ AES_GMAC_Reinit(void *ctx, const uint8_t *iv, u_int ivlen)
agc = ctx;
KASSERT(ivlen <= sizeof agc->counter, ("passed ivlen too large!"));
+ memset(agc->counter, 0, sizeof(agc->counter));
bcopy(iv, agc->counter, ivlen);
+ agc->counter[GMAC_BLOCK_LEN - 1] = 1;
+
+ memset(&agc->hash, 0, sizeof(agc->hash));
}
int
@@ -118,9 +122,7 @@ AES_GMAC_Final(uint8_t *digest, void *ctx)
uint8_t enccntr[GMAC_BLOCK_LEN];
struct gf128 a;
- /* XXX - zero additional bytes? */
agc = ctx;
- agc->counter[GMAC_BLOCK_LEN - 1] = 1;
rijndaelEncrypt(agc->keysched, agc->rounds, agc->counter, enccntr);
a = gf128_add(agc->hash, gf128_read(enccntr));