From nobody Tue Feb 8 18:36:50 2022 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 6ABA719AA623; Tue, 8 Feb 2022 18:36:51 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4JtWv650RRz3qD4; Tue, 8 Feb 2022 18:36:50 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1644345411; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/GBPPtzQ9oYyE1xJcPTEKQobeLgYJFntYPZLD6+ITAs=; b=RFXRVeasUwhI6PoQC/AfZZ9D2EV3JTlIqzkgMXTIT0jSBwl9uqCAGNnmQp83Gt1bi48+b4 FPrZ7/sKx6JRwyYGGCwRW+sxkC8tURrsnexX4hjL2oUOd4Sf0KDmsCBwkfIQnZH28ByoS7 a2sKg1oD8ynolYWrMiJHuV1XX97zyKAQ0rNVlxoKxkPLZZC8xpSpg/fHvY7tZCmMl+hCIs OvfncZJ/KtJfj+ednTLfA89PduyWP0PrT2kbMZrHKHHI/eKmAXVdsebFO9DGSrQavrok8P 5beAmZB5j8EL8CnnAykXEWInnc4oxchSXrkr+9HAuIWDNyOd+HpdbyUTFUohhw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 850721E763; Tue, 8 Feb 2022 18:36:50 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 218IaoEL089133; Tue, 8 Feb 2022 18:36:50 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 218IaoSC089132; Tue, 8 Feb 2022 18:36:50 GMT (envelope-from git) Date: Tue, 8 Feb 2022 18:36:50 GMT Message-Id: <202202081836.218IaoSC089132@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Mark Johnston Subject: git: 5de79eeddb9d - main - ktls: Disallow transmitting empty frames outside of TLS 1.0/CBC mode List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 5de79eeddb9de079d108d1312148bcbefce45c27 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1644345411; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/GBPPtzQ9oYyE1xJcPTEKQobeLgYJFntYPZLD6+ITAs=; b=BFe7kM9zXRJUFJvdhU8vo/kcTr/SMVLmSzyzAneEwXeG5TlPN3/AqXTkme4Y2bjX5IOvv2 wFjm+nNqim4QZuDdylSlm+jwjxdNh0194jK9uumAWozzEyvLrc7zXu0aDx/OnBO/4aRCTz SAjJYX7VdwWgv3UqqIUIgiot98pX/cEy2pYpuGSbdeMJbnDdaM1I/BizZ8jt7NtLWLWD6G LRba0tPJzDk7lieEh//Lp/tkCniP7gMW7FG9JXY2/FdMOLQmFHzMsDTWCrQ1HuW78XWpeR q+cs0BOpiXpP60Ta1WechE2D1GgBMdgpY3mzLO4OEK67EIT7N3sZXccPFDKj3A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1644345411; a=rsa-sha256; cv=none; b=VCAgIWctZYRv2gLT0yDuTTnYvbqrwN1Vqwu2iSUdYw8b25uSmvN7AQz/4Mb1B3dsHSjQmm yMj6/A5fLWMLGvPgosEm2zBCou0G8SIlcK5RNPJIzLZCniuDXsPagop3JudykJzFYVT4uS tfpW5wwTWAeF27xCkiSGneu8QNscgowHFkR09uEMJgWhw2RzuROgY2hCE4AiGW/LwmGEk2 U0EkN6DlmURFl3G0opSIh9TZNrurnT0/AM1hl2YY5PMNWrepu+CTDmFXd//c0ZLOuZiq8s mJS626Kc8WWihvFoXL3SGVU7oi0QBARxsp614xM3KS2UAtfcblNEbuEiuAh2Rg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=5de79eeddb9de079d108d1312148bcbefce45c27 commit 5de79eeddb9de079d108d1312148bcbefce45c27 Author: Mark Johnston AuthorDate: 2022-02-08 17:36:41 +0000 Commit: Mark Johnston CommitDate: 2022-02-08 17:40:41 +0000 ktls: Disallow transmitting empty frames outside of TLS 1.0/CBC mode There was nothing preventing one from sending an empty fragment on an arbitrary KTLS TX-enabled socket, but ktls_frame() asserts that this could not happen. Though the transmit path handles this case for TLS 1.0 with AES-CBC, we should be strict and allow empty fragments only in modes where it is explicitly allowed. Modify sosend_generic() to reject writes to a KTLS-enabled socket if the number of data bytes is zero, so that userspace cannot trigger the aforementioned assertion. Add regression tests to exercise this case. Reported by: syzkaller Reviewed by: gallatin, jhb MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34195 --- sys/kern/uipc_ktls.c | 18 ++++++++++++------ sys/kern/uipc_socket.c | 5 +++++ sys/sys/ktls.h | 1 + tests/sys/kern/ktls_test.c | 31 +++++++++++++++++++++++-------- 4 files changed, 41 insertions(+), 14 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index b3235e8a1e0c..2495e940a6a0 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -1691,19 +1691,18 @@ ktls_frame(struct mbuf *top, struct ktls_session *tls, int *enq_cnt, * All mbufs in the chain should be TLS records whose * payload does not exceed the maximum frame length. * - * Empty TLS records are permitted when using CBC. + * Empty TLS 1.0 records are permitted when using CBC. */ - KASSERT(m->m_len <= maxlen && - (tls->params.cipher_algorithm == CRYPTO_AES_CBC ? - m->m_len >= 0 : m->m_len > 0), - ("ktls_frame: m %p len %d\n", m, m->m_len)); + KASSERT(m->m_len <= maxlen && m->m_len >= 0 && + (m->m_len > 0 || ktls_permit_empty_frames(tls)), + ("ktls_frame: m %p len %d", m, m->m_len)); /* * TLS frames require unmapped mbufs to store session * info. */ KASSERT((m->m_flags & M_EXTPG) != 0, - ("ktls_frame: mapped mbuf %p (top = %p)\n", m, top)); + ("ktls_frame: mapped mbuf %p (top = %p)", m, top)); tls_len = m->m_len; @@ -1797,6 +1796,13 @@ ktls_frame(struct mbuf *top, struct ktls_session *tls, int *enq_cnt, } } +bool +ktls_permit_empty_frames(struct ktls_session *tls) +{ + return (tls->params.cipher_algorithm == CRYPTO_AES_CBC && + tls->params.tls_vminor == TLS_MINOR_VER_ZERO); +} + void ktls_check_rx(struct sockbuf *sb) { diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 33dfe6cb2176..ab8e5d6e1b69 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -1667,6 +1667,11 @@ sosend_generic(struct socket *so, struct sockaddr *addr, struct uio *uio, atomic = 1; } } + + if (resid == 0 && !ktls_permit_empty_frames(tls)) { + error = EINVAL; + goto release; + } } #endif diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h index 5cfca2d860a0..4fa52f13e127 100644 --- a/sys/sys/ktls.h +++ b/sys/sys/ktls.h @@ -213,6 +213,7 @@ int ktls_enable_tx(struct socket *so, struct tls_enable *en); void ktls_destroy(struct ktls_session *tls); void ktls_frame(struct mbuf *m, struct ktls_session *tls, int *enqueue_cnt, uint8_t record_type); +bool ktls_permit_empty_frames(struct ktls_session *tls); void ktls_seq(struct sockbuf *sb, struct mbuf *m); void ktls_enqueue(struct mbuf *m, struct socket *so, int page_count); void ktls_enqueue_to_free(struct mbuf *m); diff --git a/tests/sys/kern/ktls_test.c b/tests/sys/kern/ktls_test.c index 9525258a64bc..759a23455f25 100644 --- a/tests/sys/kern/ktls_test.c +++ b/tests/sys/kern/ktls_test.c @@ -1105,9 +1105,19 @@ test_ktls_transmit_empty_fragment(struct tls_enable *en, uint64_t seqno) fd_set_blocking(sockets[0]); fd_set_blocking(sockets[1]); - /* A write of zero bytes should send an empty fragment. */ + /* + * A write of zero bytes should send an empty fragment only for + * TLS 1.0, otherwise an error should be raised. + */ rv = write(sockets[1], NULL, 0); - ATF_REQUIRE(rv == 0); + if (rv == 0) { + ATF_REQUIRE(en->cipher_algorithm == CRYPTO_AES_CBC); + ATF_REQUIRE(en->tls_vminor == TLS_MINOR_VER_ZERO); + } else { + ATF_REQUIRE(rv == -1); + ATF_REQUIRE(errno == EINVAL); + goto out; + } /* * First read the header to determine how much additional data @@ -1129,6 +1139,7 @@ test_ktls_transmit_empty_fragment(struct tls_enable *en, uint64_t seqno) "read %zd decrypted bytes for an empty fragment", rv); ATF_REQUIRE(record_type == TLS_RLTYPE_APP); +out: free(outbuf); ATF_REQUIRE(close(sockets[1]) == 0); @@ -1369,7 +1380,7 @@ ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); #define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ - key_size, auth_alg) \ + key_size, auth_alg, minor) \ ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment); \ ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc) \ { \ @@ -1378,14 +1389,14 @@ ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc) \ \ ATF_REQUIRE_KTLS(); \ seqno = random(); \ - build_tls_enable(cipher_alg, key_size, auth_alg, \ - TLS_MINOR_VER_ZERO, seqno, &en); \ + build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ + &en); \ test_ktls_transmit_empty_fragment(&en, seqno); \ free_tls_enable(&en); \ } #define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ - key_size, auth_alg) \ + key_size, auth_alg, minor) \ ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment); #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ @@ -1506,7 +1517,9 @@ AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS); * Test "empty fragments" which are TLS records with no payload that * OpenSSL can send for TLS 1.0 connections. */ -TLS_10_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); +AES_CBC_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); +AES_GCM_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); +CHACHA20_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); static void test_ktls_invalid_transmit_cipher_suite(struct tls_enable *en) @@ -1768,7 +1781,9 @@ ATF_TP_ADD_TCS(tp) AES_GCM_TESTS(ADD_TRANSMIT_TESTS); CHACHA20_TESTS(ADD_TRANSMIT_TESTS); AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS); - TLS_10_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); + AES_CBC_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); + AES_GCM_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); + CHACHA20_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); INVALID_CIPHER_SUITES(ADD_INVALID_TRANSMIT_TEST); /* Receive tests */