Date: Sat, 2 Dec 2023 19:28:30 GMT
Message-Id: <202312021928.3B2JSUdC084953@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 84ef0a84ecaa - stable/14 - ossl: Keep mutable AES-GCM state on the stack
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 84ef0a84ecaa4f5d9bcfed3ce10c288953491e7e
Auto-Submitted: auto-generated

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=84ef0a84ecaa4f5d9bcfed3ce10c288953491e7e

commit 84ef0a84ecaa4f5d9bcfed3ce10c288953491e7e
Author:     Mark Johnston
AuthorDate: 2023-11-29 17:51:55 +0000
Commit:     Mark Johnston
CommitDate: 2023-12-02 19:25:42 +0000

    ossl: Keep mutable AES-GCM state on the stack

    ossl(4)'s AES-GCM implementation keeps mutable state in the session
    structure, together with the key schedule.  This was done for
    convenience, as both are initialized together.  However, some OCF
    consumers, particularly ZFS, assume that requests may be dispatched to
    the same session in parallel.  Without serialization, this results in
    incorrect output.

    Fix the problem by explicitly copying per-session state onto the stack
    at the beginning of each operation.

    PR:             275306
    Reviewed by:    jhb
    Fixes:          9a3444d91c70 ("ossl: Add a VAES-based AES-GCM implementation for amd64")
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D42783

    (cherry picked from commit 5c0dac0b7a012f326edab06ad85aee5ad68ff120)
---
 sys/crypto/openssl/ossl_aes.c | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/sys/crypto/openssl/ossl_aes.c b/sys/crypto/openssl/ossl_aes.c
index 40162b6943df..800518e51205 100644
--- a/sys/crypto/openssl/ossl_aes.c +++ b/sys/crypto/openssl/ossl_aes.c @@ -168,10 +168,9 @@ static int ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, const struct crypto_session_params *csp) { - struct ossl_cipher_context key; + struct ossl_gcm_context ctx; struct crypto_buffer_cursor cc_in, cc_out; unsigned char iv[AES_BLOCK_LEN], tag[AES_BLOCK_LEN]; - struct ossl_gcm_context *ctx; const unsigned char *inseg; unsigned char *outseg; size_t inlen, outlen, seglen; @@ -183,24 +182,25 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, if (crp->crp_cipher_key != NULL) { if (encrypt) error = s->cipher->set_encrypt_key(crp->crp_cipher_key, - 8 * csp->csp_cipher_klen, &key); + 8 * csp->csp_cipher_klen, + (struct ossl_cipher_context *)&ctx); else error = s->cipher->set_decrypt_key(crp->crp_cipher_key, - 8 * csp->csp_cipher_klen, &key); + 8 * csp->csp_cipher_klen, + (struct ossl_cipher_context *)&ctx); if (error) return (error); - ctx = (struct ossl_gcm_context *)&key; } else if (encrypt) { - ctx = (struct ossl_gcm_context *)&s->enc_ctx; + memcpy(&ctx, &s->enc_ctx, sizeof(struct ossl_gcm_context)); } else { - ctx = (struct ossl_gcm_context *)&s->dec_ctx; + memcpy(&ctx, &s->dec_ctx, sizeof(struct ossl_gcm_context)); } crypto_read_iv(crp, iv); - ctx->ops->setiv(ctx, iv, csp->csp_ivlen); + ctx.ops->setiv(&ctx, iv, csp->csp_ivlen); if (crp->crp_aad != NULL) { - if (ctx->ops->aad(ctx, crp->crp_aad, crp->crp_aad_length) != 0) + if (ctx.ops->aad(&ctx, crp->crp_aad, crp->crp_aad_length) != 0) return (EINVAL); } else { crypto_cursor_init(&cc_in, &crp->crp_buf); @@ -209,7 +209,7 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, alen -= seglen) { inseg = crypto_cursor_segment(&cc_in, &inlen); seglen = MIN(alen, inlen); - if (ctx->ops->aad(ctx, inseg, seglen) != 0) + if (ctx.ops->aad(&ctx, inseg, seglen) != 0) return (EINVAL); crypto_cursor_advance(&cc_in, seglen); } 
@@ -230,10 +230,10 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, seglen = MIN(plen, MIN(inlen, outlen)); if (encrypt) { - if (ctx->ops->encrypt(ctx, inseg, outseg, seglen) != 0) + if (ctx.ops->encrypt(&ctx, inseg, outseg, seglen) != 0) return (EINVAL); } else { - if (ctx->ops->decrypt(ctx, inseg, outseg, seglen) != 0) + if (ctx.ops->decrypt(&ctx, inseg, outseg, seglen) != 0) return (EINVAL); } @@ -243,18 +243,19 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, error = 0; if (encrypt) { - ctx->ops->tag(ctx, tag, GMAC_DIGEST_LEN); + ctx.ops->tag(&ctx, tag, GMAC_DIGEST_LEN); crypto_copyback(crp, crp->crp_digest_start, GMAC_DIGEST_LEN, tag); } else { crypto_copydata(crp, crp->crp_digest_start, GMAC_DIGEST_LEN, tag); - if (ctx->ops->finish(ctx, tag, GMAC_DIGEST_LEN) != 0) + if (ctx.ops->finish(&ctx, tag, GMAC_DIGEST_LEN) != 0) error = EBADMSG; } explicit_bzero(iv, sizeof(iv)); explicit_bzero(tag, sizeof(tag)); + explicit_bzero(&ctx, sizeof(ctx)); return (error); }
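
Review bot: In the hunk at -183,24, the two memcpy(&ctx, &s->enc_ctx, sizeof(struct ossl_gcm_context)) style copies and the (struct ossl_cipher_context *)&ctx casts rely on a size and layout relationship between struct ossl_gcm_context and the session/cipher context types that nothing in this function checks. The memcpy reads sizeof(struct ossl_gcm_context) bytes from s->enc_ctx or s->dec_ctx, which the removed casts show are declared with a different type, and set_encrypt_key/set_decrypt_key now write through a struct ossl_cipher_context pointer into the stack object. A compile-time assertion tying the two sizes together next to the declaration of ctx would make that assumption explicit. A one-line comment at the memcpy saying that the session may be used by concurrent requests would also help, because that reason currently lives only in the commit message.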
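
Review bot: The explicit_bzero(&ctx, sizeof(ctx)) added before return (error) in the hunk at -243,18 is only reached on the fall-through path. The return (error) after key setup and the return (EINVAL) exits in the AAD loop and the encrypt/decrypt loop all skip it, and with this change ctx is a stack copy of the key schedule and GCM state rather than a pointer, so those paths leave key material behind on the stack. Consider setting error and jumping to a common exit label that performs the three explicit_bzero calls, so every return clears iv, tag and ctx.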