Date: Tue, 24 Jan 2023 05:43:13 GMT
Message-Id: <202301240543.30O5hDGD061784@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin
Subject: git: 107daeb474b2 - stable/13 - ktls_ocf: Reject encrypted TLS records using AEAD that are too small.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 107daeb474b29ec587dfe7d8cf686eda99094249

The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=107daeb474b29ec587dfe7d8cf686eda99094249

commit 107daeb474b29ec587dfe7d8cf686eda99094249
Author:     John Baldwin
AuthorDate: 2022-11-15 20:02:57 +0000
Commit:     John Baldwin
CommitDate: 2023-01-24 05:08:09 +0000

    ktls_ocf: Reject encrypted TLS records using AEAD that are too small.

    If a TLS record is too small to contain the required explicit IV,
    record_type (TLS 1.3), and MAC, reject attempts to decrypt it with
    EMSGSIZE without submitting it to OCF.

    OCF drivers may not properly detect that regions in the crypto request
    are outside the bounds of the mbuf chain. The caller isn't supposed
    to submit such requests.

    Reviewed by: markj
    Sponsored by: Chelsio Communications
    Differential Revision: https://reviews.freebsd.org/D37372

    (cherry picked from commit 4e47414648894943413091984124d93bd43e5da1)
---
 sys/opencrypto/ktls_ocf.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/sys/opencrypto/ktls_ocf.c b/sys/opencrypto/ktls_ocf.c index 56156b6a4988..805fab2ddac8 100644 --- a/sys/opencrypto/ktls_ocf.c +++ b/sys/opencrypto/ktls_ocf.c
@@ -458,13 +458,19 @@ ktls_ocf_tls12_aead_decrypt(struct ktls_session *tls, struct ocf_session *os; struct ocf_operation oo; int error; - uint16_t tls_comp_len; + uint16_t tls_comp_len, tls_len; os = tls->cipher; oo.os = os; oo.done = false; + /* Ensure record contains at least an explicit IV and tag. */ + tls_len = ntohs(hdr->tls_length); + if (tls_len + sizeof(*hdr) < tls->params.tls_hlen + + tls->params.tls_tlen) + return (EMSGSIZE); + crypto_initreq(&crp, os->sid); /* Setup the IV. */ @@ -484,10 +490,10 @@ ktls_ocf_tls12_aead_decrypt(struct ktls_session *tls, /* Setup the AAD. */ if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16) - tls_comp_len = ntohs(hdr->tls_length) - + tls_comp_len = tls_len - (AES_GMAC_HASH_LEN + sizeof(uint64_t)); else - tls_comp_len = ntohs(hdr->tls_length) - POLY1305_HASH_LEN; + tls_comp_len = tls_len - POLY1305_HASH_LEN; ad.seq = htobe64(seqno); ad.type = hdr->tls_type; ad.tls_vmajor = hdr->tls_vmajor; @@ -619,14 +625,16 @@ ktls_ocf_tls13_aead_decrypt(struct ktls_session *tls, struct ocf_session *os; int error; u_int tag_len; + uint16_t tls_len; os = tls->cipher; tag_len = tls->params.tls_tlen - 1; /* Payload must contain at least one byte for the record type. */ - if (ntohs(hdr->tls_length) < tag_len + 1) - return (EBADMSG); + tls_len = ntohs(hdr->tls_length); + if (tls_len < tag_len + 1) + return (EMSGSIZE); crypto_initreq(&crp, os->sid); @@ -643,7 +651,7 @@ ktls_ocf_tls13_aead_decrypt(struct ktls_session *tls, crp.crp_aad_length = sizeof(ad); crp.crp_payload_start = tls->params.tls_hlen; - crp.crp_payload_length = ntohs(hdr->tls_length) - tag_len; + crp.crp_payload_length = tls_len - tag_len; crp.crp_digest_start = crp.crp_payload_start + crp.crp_payload_length; crp.crp_op = CRYPTO_OP_DECRYPT | CRYPTO_OP_VERIFY_DIGEST;
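
Review bot: in ktls_ocf_tls12_aead_decrypt the new guard compares tls_len + sizeof(*hdr) against tls->params.tls_hlen + tls->params.tls_tlen, but its comment only says "explicit IV and tag", so a reader has to infer that tls_hlen is expected to cover the record header plus the explicit IV. Spell that out in the comment, since the tls_comp_len subtraction further down depends on exactly this bound. The arithmetic itself holds: tls_len is a uint16_t and sizeof(*hdr) widens the left-hand sum, so a tls_length near 0xffff cannot wrap it.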
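
Review bot: in the AAD setup of ktls_ocf_tls12_aead_decrypt, tls_comp_len is a uint16_t computed as tls_len - (AES_GMAC_HASH_LEN + sizeof(uint64_t)) or tls_len - POLY1305_HASH_LEN, and nothing at this site ties those constants to the tls_hlen and tls_tlen values the guard at the top of the function checks. If the two ever disagree for a cipher, the subtraction wraps silently to a large value. Consider a KASSERT that tls_len is at least the amount being subtracted, or derive the subtrahend from the same tls->params fields the guard uses.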
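
Review bot: in ktls_ocf_tls13_aead_decrypt the short-record return value changes from EBADMSG to EMSGSIZE, which callers can observe; the commit message names EMSGSIZE, but the code comment still only says the payload needs one byte for the record type and does not explain the error choice. Add a line saying the record is rejected before it is submitted to OCF, and confirm that no caller keys on EBADMSG for this path. The later crp.crp_payload_length = tls_len - tag_len cannot underflow only because of this check, which is worth a short comment next to the subtraction.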