Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 21 Oct 2021 17:07:03 GMT
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: e3d927fac1da - stable/13 - ossl: Don't encryt/decrypt too much data for chacha20.
Message-ID:  <202110211707.19LH73hO080350@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=e3d927fac1da765f40addb147e0bacb69a9236fb

commit e3d927fac1da765f40addb147e0bacb69a9236fb
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2021-04-01 22:42:18 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2021-10-21 15:51:24 +0000

    ossl: Don't encryt/decrypt too much data for chacha20.
    
    The loops for Chacha20 and Chacha20+Poly1305 which encrypted/decrypted
    full blocks of data used the minimum of the input and output segment
    lengths to determine the size of the next chunk ('todo') to pass to
    Chacha20_ctr32().  However, the input and output segments could extend
    past the end of the ciphertext region into the tag (e.g.  if a "plain"
    single mbuf contained an entire TLS record).  If the length of the tag
    plus the length of the last partial block together were at least as
    large as a full Chacha20 block (64 bytes), then an extra block was
    encrypted/decrypted overlapping with the tag.  Fix this by also
    capping the amount of data to encrypt/decrypt by the amount of
    remaining data in the ciphertext region ('resid').
    
    Reported by:    gallatin
    Reviewed by:    cem, gallatin, markj
    Sponsored by:   Netflix
    Differential Revision:  https://reviews.freebsd.org/D29517
    
    (cherry picked from commit d2e076c37b0963a8be89684a656c4e1640dc7a3e)
---
 sys/crypto/openssl/ossl_chacha20.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sys/crypto/openssl/ossl_chacha20.c b/sys/crypto/openssl/ossl_chacha20.c
index a2bfb52cacd6..7fa1a297052e 100644
--- a/sys/crypto/openssl/ossl_chacha20.c
+++ b/sys/crypto/openssl/ossl_chacha20.c
@@ -88,7 +88,8 @@ ossl_chacha20(struct cryptop *crp, const struct crypto_session_params *csp)
 			out = outseg;
 
 		/* Figure out how many blocks we can encrypt/decrypt at once. */
-		todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE);
+		todo = rounddown(MIN(resid, MIN(inlen, outlen)),
+		    CHACHA_BLK_SIZE);
 
 #ifdef __LP64__
 		/* ChaCha20_ctr32() assumes length is <= 4GB. */
@@ -218,7 +219,8 @@ ossl_chacha20_poly1305_encrypt(struct cryptop *crp,
 			out = outseg;
 
 		/* Figure out how many blocks we can encrypt/decrypt at once. */
-		todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE);
+		todo = rounddown(MIN(resid, MIN(inlen, outlen)),
+		    CHACHA_BLK_SIZE);
 
 #ifdef __LP64__
 		/* ChaCha20_ctr32() assumes length is <= 4GB. */
@@ -389,7 +391,8 @@ ossl_chacha20_poly1305_decrypt(struct cryptop *crp,
 			out = outseg;
 
 		/* Figure out how many blocks we can encrypt/decrypt at once. */
-		todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE);
+		todo = rounddown(MIN(resid, MIN(inlen, outlen)),
+		    CHACHA_BLK_SIZE);
 
 #ifdef __LP64__
 		/* ChaCha20_ctr32() assumes length is <= 4GB. */



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202110211707.19LH73hO080350>