From nobody Thu Oct 21 17:07:03 2021 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id BD7A61806E41; Thu, 21 Oct 2021 17:07:06 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HZv6K6MTsz4hL5; Thu, 21 Oct 2021 17:07:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A233D1ED71; Thu, 21 Oct 2021 17:07:03 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 19LH73Oc080351; Thu, 21 Oct 2021 17:07:03 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 19LH73hO080350; Thu, 21 Oct 2021 17:07:03 GMT (envelope-from git) Date: Thu, 21 Oct 2021 17:07:03 GMT Message-Id: <202110211707.19LH73hO080350@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: John Baldwin Subject: git: e3d927fac1da - stable/13 - ossl: Don't encryt/decrypt too much data for chacha20. List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jhb X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: e3d927fac1da765f40addb147e0bacb69a9236fb Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=e3d927fac1da765f40addb147e0bacb69a9236fb commit e3d927fac1da765f40addb147e0bacb69a9236fb Author: John Baldwin AuthorDate: 2021-04-01 22:42:18 +0000 Commit: John Baldwin CommitDate: 2021-10-21 15:51:24 +0000 ossl: Don't encryt/decrypt too much data for chacha20. The loops for Chacha20 and Chacha20+Poly1305 which encrypted/decrypted full blocks of data used the minimum of the input and output segment lengths to determine the size of the next chunk ('todo') to pass to Chacha20_ctr32(). However, the input and output segments could extend past the end of the ciphertext region into the tag (e.g. if a "plain" single mbuf contained an entire TLS record). If the length of the tag plus the length of the last partial block together were at least as large as a full Chacha20 block (64 bytes), then an extra block was encrypted/decrypted overlapping with the tag. Fix this by also capping the amount of data to encrypt/decrypt by the amount of remaining data in the ciphertext region ('resid'). Reported by: gallatin Reviewed by: cem, gallatin, markj Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D29517 (cherry picked from commit d2e076c37b0963a8be89684a656c4e1640dc7a3e) --- sys/crypto/openssl/ossl_chacha20.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sys/crypto/openssl/ossl_chacha20.c b/sys/crypto/openssl/ossl_chacha20.c index a2bfb52cacd6..7fa1a297052e 100644 --- a/sys/crypto/openssl/ossl_chacha20.c +++ b/sys/crypto/openssl/ossl_chacha20.c @@ -88,7 +88,8 @@ ossl_chacha20(struct cryptop *crp, const struct crypto_session_params *csp) out = outseg; /* Figure out how many blocks we can encrypt/decrypt at once. */ - todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE); + todo = rounddown(MIN(resid, MIN(inlen, outlen)), + CHACHA_BLK_SIZE); #ifdef __LP64__ /* ChaCha20_ctr32() assumes length is <= 4GB. */ @@ -218,7 +219,8 @@ ossl_chacha20_poly1305_encrypt(struct cryptop *crp, out = outseg; /* Figure out how many blocks we can encrypt/decrypt at once. */ - todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE); + todo = rounddown(MIN(resid, MIN(inlen, outlen)), + CHACHA_BLK_SIZE); #ifdef __LP64__ /* ChaCha20_ctr32() assumes length is <= 4GB. */ @@ -389,7 +391,8 @@ ossl_chacha20_poly1305_decrypt(struct cryptop *crp, out = outseg; /* Figure out how many blocks we can encrypt/decrypt at once. */ - todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE); + todo = rounddown(MIN(resid, MIN(inlen, outlen)), + CHACHA_BLK_SIZE); #ifdef __LP64__ /* ChaCha20_ctr32() assumes length is <= 4GB. */