From owner-dev-commits-src-all@freebsd.org  Thu Apr  1 22:49:30 2021
Return-Path: <owner-dev-commits-src-all@freebsd.org>
Delivered-To: dev-commits-src-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id E19AA5B98DA;
 Thu,  1 Apr 2021 22:49:30 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4FBJK663bvz3Cfg;
 Thu,  1 Apr 2021 22:49:30 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C2C0815603;
 Thu,  1 Apr 2021 22:49:30 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 131MnUAj081514;
 Thu, 1 Apr 2021 22:49:30 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 131MnU5O081513;
 Thu, 1 Apr 2021 22:49:30 GMT (envelope-from git)
Date: Thu, 1 Apr 2021 22:49:30 GMT
Message-Id: <202104012249.131MnU5O081513@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-main@FreeBSD.org
From: John Baldwin <jhb@FreeBSD.org>
Subject: git: d2e076c37b09 - main - ossl: Don't encryt/decrypt too much data
 for chacha20.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d2e076c37b0963a8be89684a656c4e1640dc7a3e
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-all@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for all branches of the src repository
 <dev-commits-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-all>, 
 <mailto:dev-commits-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-all/>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Help: <mailto:dev-commits-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all>, 
 <mailto:dev-commits-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 22:49:30 -0000

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=d2e076c37b0963a8be89684a656c4e1640dc7a3e

commit d2e076c37b0963a8be89684a656c4e1640dc7a3e
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2021-04-01 22:42:18 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2021-04-01 22:49:07 +0000

    ossl: Don't encryt/decrypt too much data for chacha20.
    
    The loops for Chacha20 and Chacha20+Poly1305 which encrypted/decrypted
    full blocks of data used the minimum of the input and output segment
    lengths to determine the size of the next chunk ('todo') to pass to
    Chacha20_ctr32().  However, the input and output segments could extend
    past the end of the ciphertext region into the tag (e.g.  if a "plain"
    single mbuf contained an entire TLS record).  If the length of the tag
    plus the length of the last partial block together were at least as
    large as a full Chacha20 block (64 bytes), then an extra block was
    encrypted/decrypted overlapping with the tag.  Fix this by also
    capping the amount of data to encrypt/decrypt by the amount of
    remaining data in the ciphertext region ('resid').
    
    Reported by:    gallatin
    Reviewed by:    cem, gallatin, markj
    Sponsored by:   Netflix
    Differential Revision:  https://reviews.freebsd.org/D29517
---
 sys/crypto/openssl/ossl_chacha20.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sys/crypto/openssl/ossl_chacha20.c b/sys/crypto/openssl/ossl_chacha20.c
index a2bfb52cacd6..7fa1a297052e 100644
--- a/sys/crypto/openssl/ossl_chacha20.c
+++ b/sys/crypto/openssl/ossl_chacha20.c
@@ -88,7 +88,8 @@ ossl_chacha20(struct cryptop *crp, const struct crypto_session_params *csp)
 			out = outseg;
 
 		/* Figure out how many blocks we can encrypt/decrypt at once. */
-		todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE);
+		todo = rounddown(MIN(resid, MIN(inlen, outlen)),
+		    CHACHA_BLK_SIZE);
 
 #ifdef __LP64__
 		/* ChaCha20_ctr32() assumes length is <= 4GB. */
@@ -218,7 +219,8 @@ ossl_chacha20_poly1305_encrypt(struct cryptop *crp,
 			out = outseg;
 
 		/* Figure out how many blocks we can encrypt/decrypt at once. */
-		todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE);
+		todo = rounddown(MIN(resid, MIN(inlen, outlen)),
+		    CHACHA_BLK_SIZE);
 
 #ifdef __LP64__
 		/* ChaCha20_ctr32() assumes length is <= 4GB. */
@@ -389,7 +391,8 @@ ossl_chacha20_poly1305_decrypt(struct cryptop *crp,
 			out = outseg;
 
 		/* Figure out how many blocks we can encrypt/decrypt at once. */
-		todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE);
+		todo = rounddown(MIN(resid, MIN(inlen, outlen)),
+		    CHACHA_BLK_SIZE);
 
 #ifdef __LP64__
 		/* ChaCha20_ctr32() assumes length is <= 4GB. */