PERFORCE change 1199449 for review

John-Mark Gurney jmg at FreeBSD.org
Mon Sep 8 04:52:31 UTC 2014


http://p4web.freebsd.org/@@1199449?ac=10

Change 1199449 by jmg at jmg_carbon2 on 2014/08/27 22:59:03

	document that we support ICM...
	
	use encflag, since we have it...
	
	directly test the return, we don't need it else where...
	
	comment out some debugging...
	
	don't copy back the IV.. if we have a block < 16 bytes, it'll
	panic the machine...  I'm not sure if this is even useful, as
	the next bit of lines overwrites it...  this will need more
	investigation...
	
	also, only copyback data if we didn't get an error (tag
	matched)..  We only decrypt when the tag matches, so we would
	have been leaking data to userland...

Affected files ...

.. //depot/projects/opencrypto/sys/crypto/aesni/aesni.c#6 edit

Differences ...

==== //depot/projects/opencrypto/sys/crypto/aesni/aesni.c#6 (text+ko) ====

@@ -89,7 +89,7 @@
 		return (EINVAL);
 	}
 
-	device_set_desc_copy(dev, "AES-CBC,AES-XTS,AES-GCM");
+	device_set_desc_copy(dev, "AES-CBC,AES-XTS,AES-GCM,AES-ICM");
 	return (0);
 }
 
@@ -459,7 +459,6 @@
 	uint8_t *buf, *authbuf;
 	int error, allocated, authallocated;
 	int ivlen, encflag;
-	int r;
 
 	encflag = (enccrd->crd_flags & CRD_F_ENCRYPT) == CRD_F_ENCRYPT;
 
@@ -511,7 +510,7 @@
 	/* Setup ses->iv */
 	bzero(ses->iv, sizeof ses->iv);
 	/*printf("crd_flags: %#x, ivlen: %d, iv: ", enccrd->crd_flags, ivlen);*/
-	if ((enccrd->crd_flags & CRD_F_ENCRYPT) != 0) {
+	if (encflag) {
 		if ((enccrd->crd_flags & CRD_F_IV_EXPLICIT) != 0)
 			bcopy(enccrd->crd_iv, ses->iv, ivlen);
 		if ((enccrd->crd_flags & CRD_F_IV_PRESENT) == 0)
@@ -579,10 +578,10 @@
 			    enccrd->crd_len, authcrd->crd_len, ivlen,
 			    ses->enc_schedule, ses->rounds);
 		else {
-			r = AES_GCM_decrypt(buf, buf, authbuf, ses->iv, tag,
+			if (!AES_GCM_decrypt(buf, buf, authbuf, ses->iv, tag,
 			    enccrd->crd_len, authcrd->crd_len, ivlen,
-			    ses->enc_schedule, ses->rounds);
-			/*printf("dec r: %d\n", r);*/
+			    ses->enc_schedule, ses->rounds))
+				error = EBADMSG;
 		}
 		break;
 	}
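Review bot: The new EBADMSG path at the AES_GCM_decrypt call records the failure but leaves whatever AES_GCM_decrypt wrote into `buf` in place and falls through to the copyback code below, so a tag mismatch only changes the return value unless every later copy is gated on `error`; clearing the output at the failure site is easier to reason about, e.g. `bzero(buf, enccrd->crd_len);` right after `error = EBADMSG;`. `error` is declared without an initializer in this function (see the preceding hunk), so the new `!error` test further down is only sound if `error` is set to 0 earlier on every path — that assignment is not visible here and should be confirmed. The negated call reads as if AES_GCM_decrypt returns non-zero on success; a one-line comment such as `/* AES_GCM_decrypt returns 0 on tag mismatch */` would make that contract explicit at the call. The enclosing function and switch begin outside this hunk.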
@@ -592,12 +591,13 @@
 		    enccrd->crd_len, buf);
 
 	/* OpenBSD doesn't copy this back.  Why not? */
-	if ((enccrd->crd_flags & CRD_F_ENCRYPT) != 0)
+	/*printf("t: %d, %d, %d, %d\n", enccrd->crd_skip, enccrd->crd_len, enccrd->crd_skip + enccrd->crd_len - AES_BLOCK_LEN, AES_BLOCK_LEN);*/
+	if (encflag && 0)
 		crypto_copydata(crp->crp_flags, crp->crp_buf,
 		    enccrd->crd_skip + enccrd->crd_len - AES_BLOCK_LEN,
 		    AES_BLOCK_LEN, ses->iv);
 
-	if (authcrd != NULL) {
+	if (!error && authcrd != NULL) {
 		crypto_copyback(crp->crp_flags, crp->crp_buf,
 		    authcrd->crd_inject, GMAC_DIGEST_LEN, tag);
 	}
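Review bot: The `!error` guard added at the bottom covers only the GMAC tag copyback, not the plaintext: the data copyback just above (`enccrd->crd_len, buf`, whose condition lies outside the hunk) is not gated on `error` in the visible context, and if, as the `allocated` flag suggests, `buf` aliases `crp_buf` in the contiguous case, the decrypted bytes are already in the caller's buffer before this point. To actually deliver what the commit message promises, gate that copy as well (`if (!error && allocated)` or the equivalent of the existing condition) and scrub `buf` when the tag check fails. The `if (encflag && 0)` line leaves dead code plus a commented-out printf in the tree; if the IV copy is kept for investigation, wrapping it in `#if 0 ... #endif` with a `/* XXX: crd_len < AES_BLOCK_LEN makes the offset negative; disabled pending investigation */` comment is clearer, and re-enabling it requires `enccrd->crd_len >= AES_BLOCK_LEN` in the condition.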

