From nobody Thu Oct 21 22:04:22 2021
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 91F381801698;
	Thu, 21 Oct 2021 22:04:24 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Hb1jM2qcHz3tNS;
	Thu, 21 Oct 2021 22:04:23 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 95BCD22E1E;
	Thu, 21 Oct 2021 22:04:22 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 19LM4M8i079656;
	Thu, 21 Oct 2021 22:04:22 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 19LM4M1B079655;
	Thu, 21 Oct 2021 22:04:22 GMT
	(envelope-from git)
Date: Thu, 21 Oct 2021 22:04:22 GMT
Message-Id: <202110212204.19LM4M1B079655@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: John Baldwin <jhb@FreeBSD.org>
Subject: git: 61c8f61518c5 - stable/13 - ccr: Support multiple nonce lengths for AES-CCM.
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 61c8f61518c5f230d76690cc57e01b6e735c760f
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=61c8f61518c5f230d76690cc57e01b6e735c760f

commit 61c8f61518c5f230d76690cc57e01b6e735c760f
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2021-10-06 21:08:48 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2021-10-21 21:16:54 +0000

    ccr: Support multiple nonce lengths for AES-CCM.
    
    Sponsored by:   Chelsio Communications, The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D32116
    
    (cherry picked from commit 3e6a97b3a7bc80b1c12dd7b5208bfe99019c42b4)
---
 sys/dev/cxgbe/crypto/t4_crypto.c | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/sys/dev/cxgbe/crypto/t4_crypto.c b/sys/dev/cxgbe/crypto/t4_crypto.c
index 33c03c3903e5..6d5f82f6857c 100644
--- a/sys/dev/cxgbe/crypto/t4_crypto.c
+++ b/sys/dev/cxgbe/crypto/t4_crypto.c
@@ -1528,17 +1528,18 @@ static void
 generate_ccm_b0(struct cryptop *crp, u_int hash_size_in_response,
     const char *iv, char *b0)
 {
-	u_int i, payload_len;
+	u_int i, payload_len, L;
 
 	/* NB: L is already set in the first byte of the IV. */
 	memcpy(b0, iv, CCM_B0_SIZE);
+	L = iv[0] + 1;
 
 	/* Set length of hash in bits 3 - 5. */
 	b0[0] |= (((hash_size_in_response - 2) / 2) << 3);
 
 	/* Store the payload length as a big-endian value. */
 	payload_len = crp->crp_payload_length;
-	for (i = 0; i < iv[0]; i++) {
+	for (i = 0; i < L; i++) {
 		b0[CCM_CBC_BLOCK_LEN - 1 - i] = payload_len;
 		payload_len >>= 8;
 	}
@@ -1559,6 +1560,7 @@ static int
 ccr_ccm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
 {
 	char iv[CHCR_MAX_CRYPTO_IV_LEN];
+	const struct crypto_session_params *csp;
 	struct ulptx_idata *idata;
 	struct chcr_wr *crwr;
 	struct wrqe *wr;
@@ -1571,6 +1573,8 @@ ccr_ccm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
 	int sgl_nsegs, sgl_len;
 	int error;
 
+	csp = crypto_get_params(crp->crp_session);
+
 	if (s->blkcipher.key_len == 0)
 		return (EINVAL);
 
@@ -1581,6 +1585,10 @@ ccr_ccm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
 	if (crp->crp_payload_length == 0)
 		return (EMSGSIZE);
 
+	/* The length has to fit within the length field in block 0. */
+	if (crp->crp_payload_length > ccm_max_payload_length(csp))
+		return (EMSGSIZE);
+
 	/*
 	 * CCM always includes block 0 in the AAD before AAD from the
 	 * request.
@@ -1598,9 +1606,8 @@ ccr_ccm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
 		return (EINVAL);
 
 	/*
-	 * Always assume a 12 byte input nonce for now since that is
-	 * what OCF always generates.  The full IV in the work request
-	 * is 16 bytes.
+	 * The IV in the work request is 16 bytes and not just the
+	 * nonce.
 	 */
 	iv_len = AES_BLOCK_LEN;
 
@@ -1745,7 +1752,7 @@ ccr_ccm(struct ccr_softc *sc, struct ccr_session *s, struct cryptop *crp)
 	 * the full IV with the counter set to 0.
 	 */
 	memset(iv, 0, iv_len);
-	iv[0] = (15 - AES_CCM_IV_LEN) - 1;
+	iv[0] = (15 - csp->csp_ivlen) - 1;
 	crypto_read_iv(crp, iv + 1);
 
 	ccr_populate_wreq(sc, s, crwr, kctx_len, wr_len, imm_len, sgl_len, 0,
@@ -1868,6 +1875,7 @@ ccr_ccm_done(struct ccr_softc *sc, struct ccr_session *s,
 static void
 ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp)
 {
+	const struct crypto_session_params *csp;
 	struct auth_hash *axf;
 	struct enc_xform *exf;
 	union authctx *auth_ctx;
@@ -1879,6 +1887,12 @@ ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp)
 	auth_ctx = NULL;
 	kschedule = NULL;
 
+	csp = crypto_get_params(crp->crp_session);
+	if (crp->crp_payload_length > ccm_max_payload_length(csp)) {
+		error = EMSGSIZE;
+		goto out;
+	}
+
 	/* Initialize the MAC. */
 	switch (s->blkcipher.key_len) {
 	case 16:
@@ -1921,7 +1935,7 @@ ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp)
 
 	auth_ctx->aes_cbc_mac_ctx.authDataLength = crp->crp_aad_length;
 	auth_ctx->aes_cbc_mac_ctx.cryptDataLength = crp->crp_payload_length;
-	axf->Reinit(auth_ctx, crp->crp_iv, AES_CCM_IV_LEN);
+	axf->Reinit(auth_ctx, crp->crp_iv, csp->csp_ivlen);
 
 	/* MAC the AAD. */
 	if (crp->crp_aad != NULL)
@@ -1933,7 +1947,7 @@ ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp)
 	if (error)
 		goto out;
 
-	exf->reinit(kschedule, crp->crp_iv, AES_CCM_IV_LEN);
+	exf->reinit(kschedule, crp->crp_iv, csp->csp_ivlen);
 
 	/* Do encryption/decryption with MAC */
 	for (i = 0; i < crp->crp_payload_length; i += sizeof(block)) {
@@ -1968,7 +1982,7 @@ ccr_ccm_soft(struct ccr_session *s, struct cryptop *crp)
 			error = 0;
 
 			/* Tag matches, decrypt data. */
-			exf->reinit(kschedule, crp->crp_iv, AES_CCM_IV_LEN);
+			exf->reinit(kschedule, crp->crp_iv, csp->csp_ivlen);
 			for (i = 0; i < crp->crp_payload_length;
 			     i += sizeof(block)) {
 				len = imin(crp->crp_payload_length - i,
@@ -2445,8 +2459,6 @@ ccr_probesession(device_t dev, const struct crypto_session_params *csp)
 				return (EINVAL);
 			break;
 		case CRYPTO_AES_CCM_16:
-			if (csp->csp_ivlen != AES_CCM_IV_LEN)
-				return (EINVAL);
 			if (csp->csp_auth_mlen < 0 ||
 			    csp->csp_auth_mlen > AES_CBC_MAC_HASH_LEN)
 				return (EINVAL);