PR/39525: Joachim Schueth, Frederik Sausmikat:

cgd inadvertently encrypts blkno eight times to generate IV
2008-09-12 16:51:54 +00:00 · 2008-09-12 16:51:54 +00:00 · 8c6fb6faa5
parent fc978808f9
commit 8c6fb6faa5
3 changed files with 48 additions and 22 deletions
--- a/sbin/cgdconfig/cgdconfig.8
+++ b/sbin/cgdconfig/cgdconfig.8
@ -1,4 +1,4 @@
-.\" $NetBSD: cgdconfig.8,v 1.27 2008/05/13 09:31:06 wiz Exp $
+.\" $NetBSD: cgdconfig.8,v 1.28 2008/09/12 16:51:55 christos Exp $
 .\"
 .\" Copyright (c) 2002, The NetBSD Foundation, Inc.
 .\" All rights reserved.
@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd May 10, 2008
+.Dd September 12, 2008
 .Dt CGDCONFIG 8
 .Os
 .Sh NAME
@ -97,7 +97,7 @@ This may need to prompt for multiple passphrases.
 .It Fl g
 Generate a paramsfile (to stdout).
 .It Fl i Ar ivmeth
-Specify the IV method (default: encblkno).
+Specify the IV method (default: encblkno1).
 .It Fl k Ar kgmeth
 Specify the key generation method (default: pkcs5_pbkdf2/sha1).
 .It Fl o Ar outfile
@ -316,7 +316,7 @@ cgd configuration file.
 .Sh EXAMPLES
 To set up and configure a cgd that uses AES with a 192 bit key
 in CBC mode with the IV Method
-.Sq encblkno
+.Sq encblkno1
 (encrypted block number):
 .Bd -literal
 	# cgdconfig -g -o /etc/cgd/wd0e aes-cbc 192
@ -359,7 +359,7 @@ reads from stdin:
 An example parameters file which uses PKCS#5 PBKDF2:
 .Bd -literal
 	algorithm aes-cbc;
-	iv-method encblkno;
+	iv-method encblkno1;
 	keylength 128;
 	verify_method none;
 	keygen pkcs5_pbkdf2/sha1 {
@ -372,7 +372,7 @@ An example parameters file which uses PKCS#5 PBKDF2:
 An example parameters file which stores its key locally:
 .Bd -literal
 	algorithm       aes-cbc;
-	iv-method       encblkno;
+	iv-method       encblkno1;
 	keylength       256;
 	verify_method   none;
 	keygen storedkey key AAABAK3QO6d7xzLfrXTdsgg4 \\
--- a/sbin/cgdconfig/params.c
+++ b/sbin/cgdconfig/params.c
@ -1,4 +1,4 @@
-/* $NetBSD: params.c,v 1.23 2008/05/11 03:15:21 elric Exp $ */
+/* $NetBSD: params.c,v 1.24 2008/09/12 16:51:55 christos Exp $ */

 /*-
 * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
@ -31,7 +31,7 @@

 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: params.c,v 1.23 2008/05/11 03:15:21 elric Exp $");
+__RCSID("$NetBSD: params.c,v 1.24 2008/09/12 16:51:55 christos Exp $");
 #endif

 #include <sys/types.h>
@ -152,7 +152,7 @@ params_filldefaults(struct params *p)
 	if (p->verify_method == VERIFY_UNKNOWN)
 		p->verify_method = VERIFY_NONE;
 	if (!p->ivmeth)
-		p->ivmeth = string_fromcharstar("encblkno");
+		p->ivmeth = string_fromcharstar("encblkno1");
 	if (p->keylen == (size_t)-1) {
 		i = crypt_defaults_lookup(string_tocharstar(p->algorithm));
 		if (i != (size_t)-1) {
@ -178,6 +178,11 @@ params_filldefaults(struct params *p)
 int
 params_verify(const struct params *p)
 {
+	static const char *encblkno[] = {
+	    "encblkno", "encblkno1", "encblkno8"
+	};
+	static size_t i;
+	const char *meth;

 	if (!p->algorithm) {
 		warnx("unspecified algorithm");
@ -196,9 +201,15 @@ params_verify(const struct params *p)
 		warnx("unspecified IV method");
 		return 0;
 	}
-	if (strcmp("encblkno", string_tocharstar(p->ivmeth)))
-		warnx("unknown IV method \"%s\" (warning)",
-		    string_tocharstar(p->ivmeth));
+
+	meth = string_tocharstar(p->ivmeth);
+	for (i = 0; i < __arraycount(encblkno); i++)
+		if (strcmp(encblkno[i], meth) == 0)
+			break;
+
+	if (i == __arraycount(encblkno))
+		warnx("unknown IV method \"%s\" (warning)", meth);
+
 	if (p->keylen == (size_t)-1) {
 		warnx("unspecified key length");
 		return 0;
--- a/share/man/man4/cgd.4
+++ b/share/man/man4/cgd.4
@ -1,4 +1,4 @@
-.\" $NetBSD: cgd.4,v 1.10 2008/04/30 13:10:53 martin Exp $
+.\" $NetBSD: cgd.4,v 1.11 2008/09/12 16:51:55 christos Exp $
 .\"
 .\" Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd March 11, 2006
+.Dd September 12, 2008
 .Dt CGD 4
 .Os
 .Sh NAME
@ -76,14 +76,29 @@ There are no performance advantages of using shorter keys.
 The default key length is 128 bits.
 .El
 .Ss IV Methods
-Currently, the only IV Method supported is
-.Ar encblkno
-(Encrypted Block Number).
-This method encrypts the block number of the
-physical disk block with the cipher and key provided and uses that as the
-IV for CBC mode.
-This method should ensure that each block has a different
-IV and that the IV is reasonably unpredictable.
+Currently, the following IV Methods are supported:
+.Bl -tag -width encblkno1
+.It encblkno1
+This method  encrypts the block number of the physical disk block once with
+the cipher and key provided and uses the result as the IV for CBC mode.
+This method should ensure that each block has a different IV and that the IV
+is reasonably unpredictable.
+This is the default method used by
+.Xr cgdconfig 8
+when configuring new
+.Nm Ns 's .
+.It encblkno8
+This is the original IV method used by
+.Nm
+and provided for backward compatibility. It repeatedly encrypts the block
+number of the physical disk block eight times and uses the result as the IV
+for CBC mode.
+This method should ensure that each block has a different IV and that the IV 
+is reasonably unpredictable.
+The eightfold encryption was not intended and causes a notable
+performance loss with little (if any) increase in security over a
+single encryption.
+.El
 .Ss IOCTLS
 A
 .Nm