Date: Wed, 24 Jan 2018 20:08:10 +0000 (UTC) From: John Baldwin <jhb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r328355 - head/sys/dev/cxgbe/crypto Message-ID: <201801242008.w0OK8AuB032388@repo.freebsd.org>
Author: jhb Date: Wed Jan 24 20:08:10 2018 New Revision: 328355 URL: https://svnweb.freebsd.org/changeset/base/328355 Log: Reject requests with AAD and IV larger than 511 bytes. The T6 crypto engine's control messages only support a total AAD length (including the prefixed IV) of 511 bytes. Reject requests with large AAD rather than returning incorrect results. Sponsored by: Chelsio Communications Modified: head/sys/dev/cxgbe/crypto/t4_crypto.c Modified: head/sys/dev/cxgbe/crypto/t4_crypto.c ==============================================================================
--- head/sys/dev/cxgbe/crypto/t4_crypto.c Wed Jan 24 20:06:02 2018 (r328354)
+++ head/sys/dev/cxgbe/crypto/t4_crypto.c Wed Jan 24 20:08:10 2018 (r328355)
@@ -111,6 +111,11 @@ __FBSDID("$FreeBSD$");
 */
 /*
+ * The crypto engine supports a maximum AAD size of 511 bytes.
+ */
+#define MAX_AAD_LEN 511
+
+/*
 * The documentation for CPL_RX_PHYS_DSGL claims a maximum of 32
 * SG entries.
 */
@@ -760,11 +765,23 @@ ccr_authenc(struct ccr_softc *sc, uint32_t sid, struct
 return (EINVAL);
 /*
- * AAD is only permitted before the cipher/plain text, not
- * after.
+ * Compute the length of the AAD (data covered by the
+ * authentication descriptor but not the encryption
+ * descriptor). To simplify the logic, AAD is only permitted
+ * before the cipher/plain text, not after. This is true of
+ * all currently-generated requests.
 */
 if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip)
 return (EINVAL);
+ if (crda->crd_skip < crde->crd_skip) {
+ if (crda->crd_skip + crda->crd_len > crde->crd_skip)
+ aad_len = (crde->crd_skip - crda->crd_skip);
+ else
+ aad_len = crda->crd_len;
+ } else
+ aad_len = 0;
+ if (aad_len + s->blkcipher.iv_len > MAX_AAD_LEN)
+ return (EINVAL);
 axf = s->hmac.auth_hash;
 hash_size_in_response = s->hmac.hash_len;
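Review bot: The comment on `MAX_AAD_LEN` describes the limit as a maximum AAD size, but both checks added by this commit count the IV against it as well, and the commit log says the 511 bytes include the prefixed IV. A reader who adds another request type and goes by the macro alone could compare only the AAD length. I would word the comment as `The crypto engine supports a maximum AAD size of 511 bytes, including the IV that is prefixed to the AAD.`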
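Review bot: The new limit check in ccr_authenc, `aad_len + s->blkcipher.iv_len > MAX_AAD_LEN`, compares a sum, so it bounds the AAD only if that addition cannot wrap or start from a negative length; the same applies to `crda->crd_len + AES_BLOCK_LEN > MAX_AAD_LEN` in the ccr_gcm hunk. The declarations of `aad_len`, `crd_len` and `crd_skip` are outside the diff, so whether an out-of-range length in a request descriptor can reach these lines depends on types and earlier validation that are not shown. Comparing against the remaining budget removes that dependency: `if (aad_len > MAX_AAD_LEN - s->blkcipher.iv_len)` here and `if (crda->crd_len > MAX_AAD_LEN - AES_BLOCK_LEN)` in ccr_gcm, with an explicit `crda->crd_len < 0` rejection if the field turns out to be signed. The body of ccr_authenc starts and ends outside this hunk.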
@@ -836,13 +853,6 @@ ccr_authenc(struct ccr_softc *sc, uint32_t sid, struct
 * cipher/plain text. For decryption requests the hash is
 * appended after the cipher text.
 */
- if (crda->crd_skip < crde->crd_skip) {
- if (crda->crd_skip + crda->crd_len > crde->crd_skip)
- aad_len = (crde->crd_skip - crda->crd_skip);
- else
- aad_len = crda->crd_len;
- } else
- aad_len = 0;
 input_len = aad_len + crde->crd_len;
 /*
@@ -1080,6 +1090,9 @@ ccr_gcm(struct ccr_softc *sc, uint32_t sid, struct ccr
 * after.
 */
 if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip)
+ return (EINVAL);
+
+ if (crda->crd_len + AES_BLOCK_LEN > MAX_AAD_LEN)
 return (EINVAL);
 hash_size_in_response = s->gmac.hash_len;
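Review bot: The added check in ccr_gcm, `crda->crd_len + AES_BLOCK_LEN > MAX_AAD_LEN`, has no comment saying what `AES_BLOCK_LEN` stands for, and the comment above it still covers only the AAD-before-payload rule. Going by the commit log it presumably represents the IV that is prefixed to the AAD, but ccr_authenc uses the session's `s->blkcipher.iv_len` for the same purpose, so the difference needs a stated reason. Once confirmed, I would add `/* The IV prefixed to the AAD occupies a full AES block and counts against the engine's AAD limit. */` directly above the check. The body of ccr_gcm starts and ends outside this hunk.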