7f9195f715
the tag wasn't being computed properly due to chaning a >= comparison to an == comparison. Specifically: CBC-MAC encodes the length of the authorization data into the the stream to be encrypted/hashed. For short data, this is two bytes (big-endian 16 bit value); for larger data, it's 6 bytes (a prefix of 0xff, 0xfe, followed by a 32-bit big-endian length). And there's a larger size, which is 10 bytes. These extra bytes weren't being accounted for with the post-review code. The other bit that then came into play was that OCF only calls the Update code with blksiz=16, which meant that I had to ignore the length variable. (It also means that it can't be called with a single buffer containing the AAD and payload; however, OCF doesn't do this for the software-only algorithsm.) I tested with this script: ALG=aes-ccm DEV=soft for aad in 0 1 2 3 4 14 16 24 30 32 34 36 1020 do for dln in 16 32 1024 2048 10240 do echo "Testing AAD length ${aad} data length ${dln}" /root/cryptocheck -A ${aad} -a ${ALG} -d ${DEV} ${dln} done done Reviewed by: cem Sponsored by: iXsystems Inc. |
||
---|---|---|
.. | ||
_cryptodev.h | ||
cast.c | ||
cast.h | ||
castsb.h | ||
cbc_mac.c | ||
cbc_mac.h | ||
criov.c | ||
crypto.c | ||
cryptodeflate.c | ||
cryptodev_if.m | ||
cryptodev.c | ||
cryptodev.h | ||
cryptosoft.c | ||
cryptosoft.h | ||
deflate.h | ||
gfmult.c | ||
gfmult.h | ||
gmac.c | ||
gmac.h | ||
rmd160.c | ||
rmd160.h | ||
skipjack.c | ||
skipjack.h | ||
xform_aes_icm.c | ||
xform_aes_xts.c | ||
xform_auth.h | ||
xform_blf.c | ||
xform_cast5.c | ||
xform_cbc_mac.c | ||
xform_cml.c | ||
xform_comp.h | ||
xform_deflate.c | ||
xform_des1.c | ||
xform_des3.c | ||
xform_enc.h | ||
xform_gmac.c | ||
xform_md5.c | ||
xform_null.c | ||
xform_poly1305.c | ||
xform_poly1305.h | ||
xform_rijndael.c | ||
xform_rmd160.c | ||
xform_sha1.c | ||
xform_sha2.c | ||
xform_skipjack.c | ||
xform_userland.h | ||
xform.c | ||
xform.h |