From nobody Tue Nov 15 20:04:19 2022
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NBcZr0Xbdz4hdP3;
	Tue, 15 Nov 2022 20:04:20 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4NBcZq6snSz4Mvm;
	Tue, 15 Nov 2022 20:04:19 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1668542660;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=H0gxO7RIWAQbavNE7O5svh+nfJAgBWz0JBGms2fZN6M=;
	b=gE6KTgAVH9HCBr8zd9sLn1wsjDbNoUj8MvWlknqIsyB9cqUeX1l0Yln+HOSNxESD/vkOS2
	pOMZghRyN6xeMdNJOxjMfrrrmaTv9ZnV2zyjCBNkbOt96GYihbYEWgUzQGEM8SmKQCqipP
	rlVgTO64Ii1aXR5eT0XnMzs8nVIM5jh7AG8b5Ybk991E8EP29jjaCx6LysbGK08izmwZzv
	Yxcgna4U+sOP61qXCVD0R88mOcvLqnfuUsB3L4EDymieWXNjKP3Gyy2vWYZBs/AvRBbqmn
	S47gPOe5B0nLsAhn2EMLQ1J435MACEuepNDxn2gjbduIB68T0oZ1KydSZB1M+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1668542660;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=H0gxO7RIWAQbavNE7O5svh+nfJAgBWz0JBGms2fZN6M=;
	b=e4aLm6uRbePShfYRW8HfpmQ544Kk4dldRL6uvMe4dBxTrKNeF39ksU6RQUH7GUq13FSnFR
	4iUgIyxSzNnzlmQCN5gMBOznM0fcKoQ8NNp8DX5obGFNheOdxnhWAwQxrgh7BDzHIlqpZO
	fPkiPehbT/EdqtCa7nLNXtR8d03C2hTPUKg3XD2u3jA4wV32RcSelNinlrksQ6GLHpzmXh
	TWEX+OJWCtUOlV3YgwybOMlvyNwdhMBtOXg4i9lBMv4Sahdsjfz8hZWGo86o2iQt4DYRYf
	Gp8aIsIuqlYhlRr65/wxc8cPMgYPT9wk14ebVGz9tAHcT8XI/jClm4e+AvOLvQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1668542660; a=rsa-sha256; cv=none;
	b=a6EmZsU5uf/A3IjgdZhNZIUTBIjxXZNE7gSFgkL8bZsJ6ZKHX9868sDGt10ur32q1GYNet
	EfT18dOw9KmQ7wX7rOaXxQs7Oh0HtNYNZfLhUtSx6Ljuwx68BkoVvm5SjM9O/LFDAkK1LU
	rv5qA+NLm6hceTX6q5RAprn0bweUnAs4osxz9KyS4tf5Gv8C3tYL5NERyGstUv5Tfy6v9O
	qnzz47XGw1n5zUEc/rhGRVqm25WTRVc+0SGBT3GpjaOPwgFa1KjVJByyyBBXcjs8B0PPo0
	LqTt0/8XHDw069z2LTWXDi6wHy8EnLVp5pfnx3O/PZppRRtucdVLZWSsTerY+w==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4NBcZq5zj0zZr4;
	Tue, 15 Nov 2022 20:04:19 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 2AFK4JK4029349;
	Tue, 15 Nov 2022 20:04:19 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 2AFK4Jf4029348;
	Tue, 15 Nov 2022 20:04:19 GMT
	(envelope-from git)
Date: Tue, 15 Nov 2022 20:04:19 GMT
Message-Id: <202211152004.2AFK4Jf4029348@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: John Baldwin <jhb@FreeBSD.org>
Subject: git: 4e4741464889 - main - ktls_ocf: Reject encrypted TLS records using AEAD that are too small.
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-main@freebsd.org
X-BeenThere: dev-commits-src-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 4e47414648894943413091984124d93bd43e5da1
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=4e47414648894943413091984124d93bd43e5da1

commit 4e47414648894943413091984124d93bd43e5da1
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-11-15 20:02:57 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-11-15 20:02:57 +0000

    ktls_ocf: Reject encrypted TLS records using AEAD that are too small.
    
    If a TLS record is too small to contain the required explicit IV,
    record_type (TLS 1.3), and MAC, reject attempts to decrypt it with
    EMSGSIZE without submitting it to OCF.  OCF drivers may not properly
    detect that regions in the crypto request are outside the bounds of
    the mbuf chain.  The caller isn't supposed to submit such requests.
    
    Reviewed by:    markj
    Sponsored by:   Chelsio Communications
    Differential Revision:  https://reviews.freebsd.org/D37372
---
 sys/opencrypto/ktls_ocf.c | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/sys/opencrypto/ktls_ocf.c b/sys/opencrypto/ktls_ocf.c
index 938133fa451a..25d50adba5ca 100644
--- a/sys/opencrypto/ktls_ocf.c
+++ b/sys/opencrypto/ktls_ocf.c
@@ -638,10 +638,16 @@ ktls_ocf_tls12_aead_decrypt(struct ktls_session *tls,
 	struct cryptop crp;
 	struct ktls_ocf_session *os;
 	int error;
-	uint16_t tls_comp_len;
+	uint16_t tls_comp_len, tls_len;
 
 	os = tls->ocf_session;
 
+	/* Ensure record contains at least an explicit IV and tag. */
+	tls_len = ntohs(hdr->tls_length);
+	if (tls_len + sizeof(*hdr) < tls->params.tls_hlen +
+	    tls->params.tls_tlen)
+		return (EMSGSIZE);
+
 	crypto_initreq(&crp, os->sid);
 
 	/* Setup the IV. */
@@ -661,10 +667,10 @@ ktls_ocf_tls12_aead_decrypt(struct ktls_session *tls,
 
 	/* Setup the AAD. */
 	if (tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
-		tls_comp_len = ntohs(hdr->tls_length) -
+		tls_comp_len = tls_len -
 		    (AES_GMAC_HASH_LEN + sizeof(uint64_t));
 	else
-		tls_comp_len = ntohs(hdr->tls_length) - POLY1305_HASH_LEN;
+		tls_comp_len = tls_len - POLY1305_HASH_LEN;
 	ad.seq = htobe64(seqno);
 	ad.type = hdr->tls_type;
 	ad.tls_vmajor = hdr->tls_vmajor;
@@ -730,9 +736,15 @@ ktls_ocf_tls12_aead_recrypt(struct ktls_session *tls,
 	char *buf;
 	u_int payload_len;
 	int error;
+	uint16_t tls_len;
 
 	os = tls->ocf_session;
 
+	/* Ensure record contains at least an explicit IV and tag. */
+	tls_len = ntohs(hdr->tls_length);
+	if (tls_len < sizeof(uint64_t) + AES_GMAC_HASH_LEN)
+		return (EMSGSIZE);
+
 	crypto_initreq(&crp, os->recrypt_sid);
 
 	KASSERT(tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16,
@@ -743,8 +755,7 @@ ktls_ocf_tls12_aead_recrypt(struct ktls_session *tls,
 	memcpy(crp.crp_iv + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t));
 	be32enc(crp.crp_iv + AES_GCM_IV_LEN, 2);
 
-	payload_len = ntohs(hdr->tls_length) -
-	    (AES_GMAC_HASH_LEN + sizeof(uint64_t));
+	payload_len = tls_len - (AES_GMAC_HASH_LEN + sizeof(uint64_t));
 	crp.crp_op = CRYPTO_OP_ENCRYPT;
 	crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE;
 	crypto_use_mbuf(&crp, m);
@@ -858,14 +869,16 @@ ktls_ocf_tls13_aead_decrypt(struct ktls_session *tls,
 	struct ktls_ocf_session *os;
 	int error;
 	u_int tag_len;
+	uint16_t tls_len;
 
 	os = tls->ocf_session;
 
 	tag_len = tls->params.tls_tlen - 1;
 
 	/* Payload must contain at least one byte for the record type. */
-	if (ntohs(hdr->tls_length) < tag_len + 1)
-		return (EBADMSG);
+	tls_len = ntohs(hdr->tls_length);
+	if (tls_len < tag_len + 1)
+		return (EMSGSIZE);
 
 	crypto_initreq(&crp, os->sid);
 
@@ -882,7 +895,7 @@ ktls_ocf_tls13_aead_decrypt(struct ktls_session *tls,
 	crp.crp_aad_length = sizeof(ad);
 
 	crp.crp_payload_start = tls->params.tls_hlen;
-	crp.crp_payload_length = ntohs(hdr->tls_length) - tag_len;
+	crp.crp_payload_length = tls_len - tag_len;
 	crp.crp_digest_start = crp.crp_payload_start + crp.crp_payload_length;
 
 	crp.crp_op = CRYPTO_OP_DECRYPT | CRYPTO_OP_VERIFY_DIGEST;
@@ -910,9 +923,15 @@ ktls_ocf_tls13_aead_recrypt(struct ktls_session *tls,
 	char *buf;
 	u_int payload_len;
 	int error;
+	uint16_t tls_len;
 
 	os = tls->ocf_session;
 
+	/* Payload must contain at least one byte for the record type. */
+	tls_len = ntohs(hdr->tls_length);
+	if (tls_len < AES_GMAC_HASH_LEN + 1)
+		return (EMSGSIZE);
+
 	crypto_initreq(&crp, os->recrypt_sid);
 
 	KASSERT(tls->params.cipher_algorithm == CRYPTO_AES_NIST_GCM_16,
@@ -923,7 +942,7 @@ ktls_ocf_tls13_aead_recrypt(struct ktls_session *tls,
 	*(uint64_t *)(crp.crp_iv + 4) ^= htobe64(seqno);
 	be32enc(crp.crp_iv + 12, 2);
 
-	payload_len = ntohs(hdr->tls_length) - AES_GMAC_HASH_LEN;
+	payload_len = tls_len - AES_GMAC_HASH_LEN;
 	crp.crp_op = CRYPTO_OP_ENCRYPT;
 	crp.crp_flags = CRYPTO_F_CBIMM | CRYPTO_F_IV_SEPARATE;
 	crypto_use_mbuf(&crp, m);