From nobody Tue Feb 08 18:36:50 2022
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 6ABA719AA623;
	Tue,  8 Feb 2022 18:36:51 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4JtWv650RRz3qD4;
	Tue,  8 Feb 2022 18:36:50 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1644345411;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=/GBPPtzQ9oYyE1xJcPTEKQobeLgYJFntYPZLD6+ITAs=;
	b=RFXRVeasUwhI6PoQC/AfZZ9D2EV3JTlIqzkgMXTIT0jSBwl9uqCAGNnmQp83Gt1bi48+b4
	FPrZ7/sKx6JRwyYGGCwRW+sxkC8tURrsnexX4hjL2oUOd4Sf0KDmsCBwkfIQnZH28ByoS7
	a2sKg1oD8ynolYWrMiJHuV1XX97zyKAQ0rNVlxoKxkPLZZC8xpSpg/fHvY7tZCmMl+hCIs
	OvfncZJ/KtJfj+ednTLfA89PduyWP0PrT2kbMZrHKHHI/eKmAXVdsebFO9DGSrQavrok8P
	5beAmZB5j8EL8CnnAykXEWInnc4oxchSXrkr+9HAuIWDNyOd+HpdbyUTFUohhw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 850721E763;
	Tue,  8 Feb 2022 18:36:50 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 218IaoEL089133;
	Tue, 8 Feb 2022 18:36:50 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 218IaoSC089132;
	Tue, 8 Feb 2022 18:36:50 GMT
	(envelope-from git)
Date: Tue, 8 Feb 2022 18:36:50 GMT
Message-Id: <202202081836.218IaoSC089132@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: 5de79eeddb9d - main - ktls: Disallow transmitting empty frames outside of TLS 1.0/CBC mode
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-main@freebsd.org
X-BeenThere: dev-commits-src-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 5de79eeddb9de079d108d1312148bcbefce45c27
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1644345411;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=/GBPPtzQ9oYyE1xJcPTEKQobeLgYJFntYPZLD6+ITAs=;
	b=BFe7kM9zXRJUFJvdhU8vo/kcTr/SMVLmSzyzAneEwXeG5TlPN3/AqXTkme4Y2bjX5IOvv2
	wFjm+nNqim4QZuDdylSlm+jwjxdNh0194jK9uumAWozzEyvLrc7zXu0aDx/OnBO/4aRCTz
	SAjJYX7VdwWgv3UqqIUIgiot98pX/cEy2pYpuGSbdeMJbnDdaM1I/BizZ8jt7NtLWLWD6G
	LRba0tPJzDk7lieEh//Lp/tkCniP7gMW7FG9JXY2/FdMOLQmFHzMsDTWCrQ1HuW78XWpeR
	q+cs0BOpiXpP60Ta1WechE2D1GgBMdgpY3mzLO4OEK67EIT7N3sZXccPFDKj3A==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1644345411; a=rsa-sha256; cv=none;
	b=VCAgIWctZYRv2gLT0yDuTTnYvbqrwN1Vqwu2iSUdYw8b25uSmvN7AQz/4Mb1B3dsHSjQmm
	yMj6/A5fLWMLGvPgosEm2zBCou0G8SIlcK5RNPJIzLZCniuDXsPagop3JudykJzFYVT4uS
	tfpW5wwTWAeF27xCkiSGneu8QNscgowHFkR09uEMJgWhw2RzuROgY2hCE4AiGW/LwmGEk2
	U0EkN6DlmURFl3G0opSIh9TZNrurnT0/AM1hl2YY5PMNWrepu+CTDmFXd//c0ZLOuZiq8s
	mJS626Kc8WWihvFoXL3SGVU7oi0QBARxsp614xM3KS2UAtfcblNEbuEiuAh2Rg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=5de79eeddb9de079d108d1312148bcbefce45c27

commit 5de79eeddb9de079d108d1312148bcbefce45c27
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-02-08 17:36:41 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-02-08 17:40:41 +0000

    ktls: Disallow transmitting empty frames outside of TLS 1.0/CBC mode
    
    There was nothing preventing one from sending an empty fragment on an
    arbitrary KTLS TX-enabled socket, but ktls_frame() asserts that this
    could not happen.  Though the transmit path handles this case for TLS
    1.0 with AES-CBC, we should be strict and allow empty fragments only in
    modes where it is explicitly allowed.
    
    Modify sosend_generic() to reject writes to a KTLS-enabled socket if the
    number of data bytes is zero, so that userspace cannot trigger the
    aforementioned assertion.
    
    Add regression tests to exercise this case.
    
    Reported by:    syzkaller
    Reviewed by:    gallatin, jhb
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D34195
---
 sys/kern/uipc_ktls.c       | 18 ++++++++++++------
 sys/kern/uipc_socket.c     |  5 +++++
 sys/sys/ktls.h             |  1 +
 tests/sys/kern/ktls_test.c | 31 +++++++++++++++++++++++--------
 4 files changed, 41 insertions(+), 14 deletions(-)

diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
index b3235e8a1e0c..2495e940a6a0 100644
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -1691,19 +1691,18 @@ ktls_frame(struct mbuf *top, struct ktls_session *tls, int *enq_cnt,
 		 * All mbufs in the chain should be TLS records whose
 		 * payload does not exceed the maximum frame length.
 		 *
-		 * Empty TLS records are permitted when using CBC.
+		 * Empty TLS 1.0 records are permitted when using CBC.
 		 */
-		KASSERT(m->m_len <= maxlen &&
-		    (tls->params.cipher_algorithm == CRYPTO_AES_CBC ?
-		    m->m_len >= 0 : m->m_len > 0),
-		    ("ktls_frame: m %p len %d\n", m, m->m_len));
+		KASSERT(m->m_len <= maxlen && m->m_len >= 0 &&
+		    (m->m_len > 0 || ktls_permit_empty_frames(tls)),
+		    ("ktls_frame: m %p len %d", m, m->m_len));
 
 		/*
 		 * TLS frames require unmapped mbufs to store session
 		 * info.
 		 */
 		KASSERT((m->m_flags & M_EXTPG) != 0,
-		    ("ktls_frame: mapped mbuf %p (top = %p)\n", m, top));
+		    ("ktls_frame: mapped mbuf %p (top = %p)", m, top));
 
 		tls_len = m->m_len;
 
@@ -1797,6 +1796,13 @@ ktls_frame(struct mbuf *top, struct ktls_session *tls, int *enq_cnt,
 	}
 }
 
+bool
+ktls_permit_empty_frames(struct ktls_session *tls)
+{
+	return (tls->params.cipher_algorithm == CRYPTO_AES_CBC &&
+	    tls->params.tls_vminor == TLS_MINOR_VER_ZERO);
+}
+
 void
 ktls_check_rx(struct sockbuf *sb)
 {
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 33dfe6cb2176..ab8e5d6e1b69 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -1667,6 +1667,11 @@ sosend_generic(struct socket *so, struct sockaddr *addr, struct uio *uio,
 				atomic = 1;
 			}
 		}
+
+		if (resid == 0 && !ktls_permit_empty_frames(tls)) {
+			error = EINVAL;
+			goto release;
+		}
 	}
 #endif
 
diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h
index 5cfca2d860a0..4fa52f13e127 100644
--- a/sys/sys/ktls.h
+++ b/sys/sys/ktls.h
@@ -213,6 +213,7 @@ int ktls_enable_tx(struct socket *so, struct tls_enable *en);
 void ktls_destroy(struct ktls_session *tls);
 void ktls_frame(struct mbuf *m, struct ktls_session *tls, int *enqueue_cnt,
     uint8_t record_type);
+bool ktls_permit_empty_frames(struct ktls_session *tls);
 void ktls_seq(struct sockbuf *sb, struct mbuf *m);
 void ktls_enqueue(struct mbuf *m, struct socket *so, int page_count);
 void ktls_enqueue_to_free(struct mbuf *m);
diff --git a/tests/sys/kern/ktls_test.c b/tests/sys/kern/ktls_test.c
index 9525258a64bc..759a23455f25 100644
--- a/tests/sys/kern/ktls_test.c
+++ b/tests/sys/kern/ktls_test.c
@@ -1105,9 +1105,19 @@ test_ktls_transmit_empty_fragment(struct tls_enable *en, uint64_t seqno)
 	fd_set_blocking(sockets[0]);
 	fd_set_blocking(sockets[1]);
 
-	/* A write of zero bytes should send an empty fragment. */
+	/*
+	 * A write of zero bytes should send an empty fragment only for
+	 * TLS 1.0, otherwise an error should be raised.
+	 */
 	rv = write(sockets[1], NULL, 0);
-	ATF_REQUIRE(rv == 0);
+	if (rv == 0) {
+		ATF_REQUIRE(en->cipher_algorithm == CRYPTO_AES_CBC);
+		ATF_REQUIRE(en->tls_vminor == TLS_MINOR_VER_ZERO);
+	} else {
+		ATF_REQUIRE(rv == -1);
+		ATF_REQUIRE(errno == EINVAL);
+		goto out;
+	}
 
 	/*
 	 * First read the header to determine how much additional data
@@ -1129,6 +1139,7 @@ test_ktls_transmit_empty_fragment(struct tls_enable *en, uint64_t seqno)
 	    "read %zd decrypted bytes for an empty fragment", rv);
 	ATF_REQUIRE(record_type == TLS_RLTYPE_APP);
 
+out:
 	free(outbuf);
 
 	ATF_REQUIRE(close(sockets[1]) == 0);
@@ -1369,7 +1380,7 @@ ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc)			\
 	ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name);
 
 #define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg,	\
-	    key_size, auth_alg)						\
+	    key_size, auth_alg, minor)					\
 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment);	\
 ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc)		\
 {									\
@@ -1378,14 +1389,14 @@ ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc)		\
 									\
 	ATF_REQUIRE_KTLS();						\
 	seqno = random();						\
-	build_tls_enable(cipher_alg, key_size, auth_alg,		\
-	    TLS_MINOR_VER_ZERO,	seqno, &en);				\
+	build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno,	\
+	    &en);							\
 	test_ktls_transmit_empty_fragment(&en, seqno);			\
 	free_tls_enable(&en);						\
 }
 
 #define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg,	\
-	    key_size, auth_alg)						\
+	    key_size, auth_alg, minor)					\
 	ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment);
 
 #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg,	\
@@ -1506,7 +1517,9 @@ AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS);
  * Test "empty fragments" which are TLS records with no payload that
  * OpenSSL can send for TLS 1.0 connections.
  */
-TLS_10_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
+AES_CBC_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
+AES_GCM_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
+CHACHA20_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
 
 static void
 test_ktls_invalid_transmit_cipher_suite(struct tls_enable *en)
@@ -1768,7 +1781,9 @@ ATF_TP_ADD_TCS(tp)
 	AES_GCM_TESTS(ADD_TRANSMIT_TESTS);
 	CHACHA20_TESTS(ADD_TRANSMIT_TESTS);
 	AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS);
-	TLS_10_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
+	AES_CBC_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
+	AES_GCM_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
+	CHACHA20_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
 	INVALID_CIPHER_SUITES(ADD_INVALID_TRANSMIT_TEST);
 
 	/* Receive tests */