Date: Thu, 1 Apr 2021 22:49:30 GMT From: John Baldwin <jhb@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: d2e076c37b09 - main - ossl: Don't encryt/decrypt too much data for chacha20. Message-ID: <202104012249.131MnU5O081513@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=d2e076c37b0963a8be89684a656c4e1640dc7a3e commit d2e076c37b0963a8be89684a656c4e1640dc7a3e Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2021-04-01 22:42:18 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2021-04-01 22:49:07 +0000 ossl: Don't encryt/decrypt too much data for chacha20. The loops for Chacha20 and Chacha20+Poly1305 which encrypted/decrypted full blocks of data used the minimum of the input and output segment lengths to determine the size of the next chunk ('todo') to pass to Chacha20_ctr32(). However, the input and output segments could extend past the end of the ciphertext region into the tag (e.g. if a "plain" single mbuf contained an entire TLS record). If the length of the tag plus the length of the last partial block together were at least as large as a full Chacha20 block (64 bytes), then an extra block was encrypted/decrypted overlapping with the tag. Fix this by also capping the amount of data to encrypt/decrypt by the amount of remaining data in the ciphertext region ('resid'). Reported by: gallatin Reviewed by: cem, gallatin, markj Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D29517 --- sys/crypto/openssl/ossl_chacha20.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/sys/crypto/openssl/ossl_chacha20.c b/sys/crypto/openssl/ossl_chacha20.c index a2bfb52cacd6..7fa1a297052e 100644 --- a/sys/crypto/openssl/ossl_chacha20.c +++ b/sys/crypto/openssl/ossl_chacha20.c @@ -88,7 +88,8 @@ ossl_chacha20(struct cryptop *crp, const struct crypto_session_params *csp) out = outseg; /* Figure out how many blocks we can encrypt/decrypt at once. */ - todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE); + todo = rounddown(MIN(resid, MIN(inlen, outlen)), + CHACHA_BLK_SIZE); #ifdef __LP64__ /* ChaCha20_ctr32() assumes length is <= 4GB. */ @@ -218,7 +219,8 @@ ossl_chacha20_poly1305_encrypt(struct cryptop *crp, out = outseg; /* Figure out how many blocks we can encrypt/decrypt at once. */ - todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE); + todo = rounddown(MIN(resid, MIN(inlen, outlen)), + CHACHA_BLK_SIZE); #ifdef __LP64__ /* ChaCha20_ctr32() assumes length is <= 4GB. */ @@ -389,7 +391,8 @@ ossl_chacha20_poly1305_decrypt(struct cryptop *crp, out = outseg; /* Figure out how many blocks we can encrypt/decrypt at once. */ - todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE); + todo = rounddown(MIN(resid, MIN(inlen, outlen)), + CHACHA_BLK_SIZE); #ifdef __LP64__ /* ChaCha20_ctr32() assumes length is <= 4GB. */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202104012249.131MnU5O081513>