Date:      Wed, 24 Jan 2018 20:08:10 +0000 (UTC)
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r328355 - head/sys/dev/cxgbe/crypto
Message-ID:  <201801242008.w0OK8AuB032388@repo.freebsd.org>

Author: jhb
Date: Wed Jan 24 20:08:10 2018
New Revision: 328355
URL: https://svnweb.freebsd.org/changeset/base/328355

Log:
  Reject requests with AAD and IV larger than 511 bytes.
  
  The T6 crypto engine's control messages only support a total AAD
  length (including the prefixed IV) of 511 bytes.  Reject requests with
  large AAD rather than returning incorrect results.
  
  Sponsored by:	Chelsio Communications

Modified:
  head/sys/dev/cxgbe/crypto/t4_crypto.c

Modified: head/sys/dev/cxgbe/crypto/t4_crypto.c
==============================================================================
--- head/sys/dev/cxgbe/crypto/t4_crypto.c	Wed Jan 24 20:06:02 2018	(r328354)
+++ head/sys/dev/cxgbe/crypto/t4_crypto.c	Wed Jan 24 20:08:10 2018	(r328355)
@@ -111,6 +111,11 @@ __FBSDID("$FreeBSD$");
  */
 
 /*
+ * The crypto engine supports a maximum AAD size of 511 bytes.
+ */
+#define	MAX_AAD_LEN		511
+
+/*
  * The documentation for CPL_RX_PHYS_DSGL claims a maximum of 32
  * SG entries.
  */
@@ -760,11 +765,23 @@ ccr_authenc(struct ccr_softc *sc, uint32_t sid, struct
 		return (EINVAL);
 
 	/*
-	 * AAD is only permitted before the cipher/plain text, not
-	 * after.
+	 * Compute the length of the AAD (data covered by the
+	 * authentication descriptor but not the encryption
+	 * descriptor).  To simplify the logic, AAD is only permitted
+	 * before the cipher/plain text, not after.  This is true of
+	 * all currently-generated requests.
 	 */
 	if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip)
 		return (EINVAL);
+	if (crda->crd_skip < crde->crd_skip) {
+		if (crda->crd_skip + crda->crd_len > crde->crd_skip)
+			aad_len = (crde->crd_skip - crda->crd_skip);
+		else
+			aad_len = crda->crd_len;
+	} else
+		aad_len = 0;
+	if (aad_len + s->blkcipher.iv_len > MAX_AAD_LEN)
+		return (EINVAL);
 
 	axf = s->hmac.auth_hash;
 	hash_size_in_response = s->hmac.hash_len;
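Review bot: The sums in `crda->crd_skip + crda->crd_len > crde->crd_skip` and `aad_len + s->blkcipher.iv_len > MAX_AAD_LEN` are evaluated without first bounding the descriptor fields, so the 511-byte limit only holds if those fields are non-negative and small enough not to wrap. The field types and the declaration of `aad_len` are outside this hunk; if they are signed and the descriptors can carry caller-chosen values, a negative `crd_len` could produce a negative `aad_len` that passes the new check. Assuming `aad_len` is signed, the guard could be written `if (aad_len < 0 || aad_len > MAX_AAD_LEN - s->blkcipher.iv_len)`, which also avoids the addition. The same applies to `crda->crd_len + AES_BLOCK_LEN > MAX_AAD_LEN` in the ccr_gcm hunk. The body of ccr_authenc starts and ends outside this hunk.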
@@ -836,13 +853,6 @@ ccr_authenc(struct ccr_softc *sc, uint32_t sid, struct
 	 * cipher/plain text.  For decryption requests the hash is
 	 * appended after the cipher text.
 	 */
-	if (crda->crd_skip < crde->crd_skip) {
-		if (crda->crd_skip + crda->crd_len > crde->crd_skip)
-			aad_len = (crde->crd_skip - crda->crd_skip);
-		else
-			aad_len = crda->crd_len;
-	} else
-		aad_len = 0;
 	input_len = aad_len + crde->crd_len;
 
 	/*
@@ -1080,6 +1090,9 @@ ccr_gcm(struct ccr_softc *sc, uint32_t sid, struct ccr
 	 * after.
 	 */
 	if (crda->crd_len + crda->crd_skip > crde->crd_len + crde->crd_skip)
+		return (EINVAL);
+
+	if (crda->crd_len + AES_BLOCK_LEN > MAX_AAD_LEN)
 		return (EINVAL);
 
 	hash_size_in_response = s->gmac.hash_len;
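Review bot: The new limit check in ccr_gcm carries no comment and differs from the one added to ccr_authenc without saying why: it uses the whole `crda->crd_len` instead of a computed AAD length, and the constant `AES_BLOCK_LEN` instead of `s->blkcipher.iv_len`. Presumably the engine is always handed a full block-sized IV for GCM regardless of the IV length in the request, but nothing visible here states that. A comment above the check such as `/* The IV passed to the engine is always AES_BLOCK_LEN bytes and counts against the AAD limit. */` would make the difference deliberate; confirm the wording against the code that builds the request, since ccr_gcm's body continues outside this hunk.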


