From owner-dev-commits-src-branches@freebsd.org Wed Apr 21 19:12:51 2021
Date: Wed, 21 Apr 2021 19:12:50 GMT
Message-Id: <202104211912.13LJCovp022731@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: d74d1284386a - stable/12 - safexcel: Fix the SHA-HMAC digest computation when AAD is present
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/12
X-Git-Reftype: branch
X-Git-Commit: d74d1284386aa37e6ec8ffa7739c51b3fa54fcb3
List-Id: Commits to the stable branches of the FreeBSD src repository

The branch stable/12 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=d74d1284386aa37e6ec8ffa7739c51b3fa54fcb3

commit d74d1284386aa37e6ec8ffa7739c51b3fa54fcb3
Author:     Mark Johnston
AuthorDate: 2021-04-21 18:50:48 +0000
Commit:     Mark Johnston
CommitDate: 2021-04-21 19:11:58 +0000

    safexcel: Fix the SHA-HMAC digest computation when AAD is present

    The driver would fail to include the AAD in the input stream, resulting
    in incorrect digests for requests combining SHA-HMAC with AES-CBC or
    -CTR. Ensure that the AAD is included in the processor's input stream,
    and fix the corresponding instruction sequence to include the AAD as
    input to the digest computation.

    This is a direct commit to stable/12 since the bug was introduced while
    merging there and is not present in later branches.
---
 sys/dev/safexcel/safexcel.c | 47 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 36 insertions(+), 11 deletions(-)

diff --git a/sys/dev/safexcel/safexcel.c b/sys/dev/safexcel/safexcel.c
index 0d209513ebdb..8c9094da9138 100644
--- a/sys/dev/safexcel/safexcel.c
+++ b/sys/dev/safexcel/safexcel.c
@@ -1590,16 +1590,27 @@ safexcel_instr_eta(struct safexcel_request *req, struct safexcel_instr *instr, start = instr; - /* Encrypt any data left in the request. */ + /* Insert the AAD into the input stream. */ instr->opcode = SAFEXCEL_INSTR_OPCODE_DIRECTION; - instr->length = req->enc->crd_len; - instr->status = SAFEXCEL_INSTR_STATUS_LAST_HASH; + instr->length = req->mac->crd_len - req->enc->crd_len; + instr->status = req->enc->crd_len == 0 ? + SAFEXCEL_INSTR_STATUS_LAST_HASH : 0; instr->instructions = SAFEXCEL_INSTR_INS_LAST | - SAFEXCEL_INSTR_DEST_CRYPTO | - SAFEXCEL_INSTR_DEST_HASH | - SAFEXCEL_INSTR_DEST_OUTPUT; + SAFEXCEL_INSTR_DEST_HASH; instr++; + /* Encrypt any data left in the request. */ + if (req->enc->crd_len > 0) { + instr->opcode = SAFEXCEL_INSTR_OPCODE_DIRECTION; + instr->length = req->enc->crd_len; + instr->status = SAFEXCEL_INSTR_STATUS_LAST_HASH; + instr->instructions = SAFEXCEL_INSTR_INS_LAST | + SAFEXCEL_INSTR_DEST_CRYPTO | + SAFEXCEL_INSTR_DEST_HASH | + SAFEXCEL_INSTR_DEST_OUTPUT; + instr++; + } + /* * Compute the digest, or extract it and place it in the output stream. */ 
@@ -2029,16 +2040,30 @@ safexcel_create_chain_cb(void *arg, bus_dma_segment_t *segs, int nseg, * consumers place the digest first in the input buffer, in which case * we have to create an extra descriptor. * + * Note that for encrypt-then-auth algorithms, mac->crd_len corresponds + * to the sum of the lengths of the AAD and payload, while for GCM and + * CCM it is the length of the AAD. + * * As an optimization, unmodified data is not passed to the output * stream. */ sglist_reset(ring->cmd_data); sglist_reset(ring->res_data); - if (req->mac != NULL && (req->enc == NULL || - req->enc->crd_alg == CRYPTO_AES_NIST_GCM_16 || - req->enc->crd_alg == CRYPTO_AES_CCM_16)) { - safexcel_append_segs(segs, nseg, ring->cmd_data, - req->mac->crd_skip, req->mac->crd_len); + if (req->mac != NULL) { + if (req->enc == NULL || + req->enc->crd_alg == CRYPTO_AES_NIST_GCM_16 || + req->enc->crd_alg == CRYPTO_AES_CCM_16) { + safexcel_append_segs(segs, nseg, ring->cmd_data, + req->mac->crd_skip, req->mac->crd_len); + } else { + if (req->mac->crd_len < req->enc->crd_len) { + req->error = EINVAL; + return; + } + safexcel_append_segs(segs, nseg, ring->cmd_data, + req->mac->crd_skip, + req->mac->crd_len - req->enc->crd_len); + } } if (req->enc != NULL) { safexcel_append_segs(segs, nseg, ring->cmd_data,
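Review bot: In the safexcel_instr_eta hunk (@@ -1590), the new AAD instruction is emitted unconditionally, so a request with no AAD (mac->crd_len == enc->crd_len) produces a DIRECTION instruction with length 0 and DEST_HASH only, while the encrypt instruction just below is skipped when its length is zero. Unless the engine is known to accept zero-length instructions, guard the AAD instruction the same way, e.g. `if (req->mac->crd_len > req->enc->crd_len) { ... }`, and in that case make the encrypt instruction carry SAFEXCEL_INSTR_STATUS_LAST_HASH as before. The subtraction `req->mac->crd_len - req->enc->crd_len` is only safe because safexcel_create_chain_cb rejects mac->crd_len < enc->crd_len with EINVAL; a one-line comment here pointing at that check would save the next reader from re-deriving it.

Review bot: In the safexcel_create_chain_cb hunk (@@ -2029), the new EINVAL check only guards against underflow of `req->mac->crd_len - req->enc->crd_len`; the append that follows also assumes the AAD is exactly the region starting at mac->crd_skip and that the encrypted payload begins immediately after it, which is what the updated comment ("mac->crd_len corresponds to the sum of the lengths of the AAD and payload") describes. A request whose enc->crd_skip does not equal mac->crd_skip plus the AAD length would be hashed over the wrong bytes without any error, so consider rejecting it alongside the length check, e.g. `if (req->enc->crd_skip != req->mac->crd_skip + (req->mac->crd_len - req->enc->crd_len))`, or state the layout assumption explicitly in the comment. Setting req->error and returning from the callback assumes the caller inspects req->error after the DMA load completes; that path is not in this diff, so it is worth confirming.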