GMAC: Reset initial hash value and counter in AES_GMAC_Reinit().

Previously, these values were only cleared in AES_GMAC_Init(), so a second set of operations could reuse the final hash as the initial hash. Currently this bug does not trigger in cryptosoft as existing GMAC and GCM operations always use an on-stack auth context initialized from a template context. Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33315
2021-12-09 11:52:42 -08:00 · 2021-12-09 11:52:42 -08:00 · 356c922f74
commit 356c922f74
parent c172a407fb
1 changed files with 4 additions and 2 deletions
--- a/sys/opencrypto/gmac.c
+++ b/sys/opencrypto/gmac.c
@ -70,7 +70,11 @@ AES_GMAC_Reinit(void *ctx, const uint8_t *iv, u_int ivlen)

 	agc = ctx;
 	KASSERT(ivlen <= sizeof agc->counter, ("passed ivlen too large!"));
+	memset(agc->counter, 0, sizeof(agc->counter));
 	bcopy(iv, agc->counter, ivlen);
+	agc->counter[GMAC_BLOCK_LEN - 1] = 1;
+
+	memset(&agc->hash, 0, sizeof(agc->hash));
 }

 int
@ -118,9 +122,7 @@ AES_GMAC_Final(uint8_t *digest, void *ctx)
 	uint8_t enccntr[GMAC_BLOCK_LEN];
 	struct gf128 a;

-	/* XXX - zero additional bytes? */
 	agc = ctx;
-	agc->counter[GMAC_BLOCK_LEN - 1] = 1;

 	rijndaelEncrypt(agc->keysched, agc->rounds, agc->counter, enccntr);
 	a = gf128_add(agc->hash, gf128_read(enccntr));