Date: Tue, 5 Dec 2023 18:27:32 GMT
Message-Id: <202312051827.3B5IRWpL009192@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 9fd62386ad6e - releng/14.0 - ossl: Keep mutable AES-GCM state on the stack
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/14.0
X-Git-Reftype: branch
X-Git-Commit: 9fd62386ad6e6f5c5298cda66c5c1894373e4379

The branch releng/14.0 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=9fd62386ad6e6f5c5298cda66c5c1894373e4379

commit 9fd62386ad6e6f5c5298cda66c5c1894373e4379
Author:     Mark Johnston
AuthorDate: 2023-11-29 17:51:55 +0000
Commit:     Mark Johnston
CommitDate: 2023-12-04 14:02:05 +0000

    ossl: Keep mutable AES-GCM state on the stack

    ossl(4)'s AES-GCM implementation keeps mutable state in the session
    structure, together with the key schedule. This was done for
    convenience, as both are initialized together. However, some OCF
    consumers, particularly ZFS, assume that requests may be dispatched to
    the same session in parallel. Without serialization, this results in
    incorrect output.

    Fix the problem by explicitly copying per-session state onto the stack
    at the beginning of each operation.

    PR:		275306
    Reviewed by:	jhb
    Fixes:		9a3444d91c70 ("ossl: Add a VAES-based AES-GCM implementation for amd64")
    MFC after:	3 days
    Differential Revision:	https://reviews.freebsd.org/D42783
    Approved by:	so
    Security:	FreeBSD-EN-23:17.ossl

    (cherry picked from commit 5c0dac0b7a012f326edab06ad85aee5ad68ff120)
    (cherry picked from commit 84ef0a84ecaa4f5d9bcfed3ce10c288953491e7e)
---
 sys/crypto/openssl/ossl_aes.c | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)
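The race the commit message describes, as an added illustration that is not FreeBSD or ossl(4) code: a session context that bundles immutable key material with per-request mutable state (a CTR counter and a running tag), driven by two requests whose blocks interleave. The "cipher" is a deliberately trivial keyed mixing function standing in for AES, the struct layout and all names (toy_gcm_ctx, toy_run_interleaved, and so on) are invented for this example, and the interleaving is stepped deterministically rather than with threads so the corruption is reproducible. The shared-context path models the pre-fix layout; the copy_to_stack path models what the patch does with its memcpy onto the stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 4		/* toy block size in bytes (AES would be 16) */

/* Invented layout: key material and per-request state in one object. */
struct toy_gcm_ctx {
	uint32_t key;		/* immutable: stands in for the key schedule */
	uint32_t counter;	/* mutable per request: CTR block counter */
	uint32_t tag;		/* mutable per request: running auth tag */
};

struct toy_request {
	uint32_t iv;
	uint8_t  pt[2 * BLOCK];
	uint8_t  ct[2 * BLOCK];
	uint32_t tag;
};

/* Keystream block for one counter value; bijective in counter, not secure. */
static uint32_t
toy_keystream(uint32_t key, uint32_t counter)
{
	uint32_t x = key ^ (counter * 0x9E3779B9u);
	x ^= x >> 15; x *= 0x85EBCA6Bu; x ^= x >> 13;
	return (x);
}

static void
toy_setiv(struct toy_gcm_ctx *c, uint32_t iv)
{
	c->counter = iv;
	c->tag = 0;
}

/* CTR-encrypt len bytes and fold the ciphertext into the running tag. */
static void
toy_encrypt(struct toy_gcm_ctx *c, const uint8_t *in, uint8_t *out, size_t len)
{
	for (size_t off = 0; off < len; off += BLOCK) {
		uint32_t ks = toy_keystream(c->key, c->counter++);
		uint32_t blk = 0;
		memcpy(&blk, in + off, BLOCK);
		blk ^= ks;
		memcpy(out + off, &blk, BLOCK);
		c->tag ^= blk;
	}
}

/* One request run alone on a private copy: the reference answer. */
static void
toy_run_serial(const struct toy_gcm_ctx *session, struct toy_request *r)
{
	struct toy_gcm_ctx c = *session;
	toy_setiv(&c, r->iv);
	toy_encrypt(&c, r->pt, r->ct, sizeof(r->pt));
	r->tag = c.tag;
}

/*
 * Two requests dispatched to the same session in lock-step, block by block.
 * copy_to_stack == 0: both mutate the session object (pre-fix layout).
 * copy_to_stack == 1: each works on its own stack copy (what the fix does).
 */
static void
toy_run_interleaved(struct toy_gcm_ctx *session, struct toy_request *a,
    struct toy_request *b, int copy_to_stack)
{
	struct toy_gcm_ctx la = {0}, lb = {0};
	struct toy_gcm_ctx *ca, *cb;

	if (copy_to_stack) {
		la = *session; lb = *session;
		ca = &la; cb = &lb;
	} else {
		ca = cb = session;
	}
	toy_setiv(ca, a->iv);
	toy_setiv(cb, b->iv);
	for (size_t off = 0; off < sizeof(a->pt); off += BLOCK) {
		toy_encrypt(ca, a->pt + off, a->ct + off, BLOCK);
		toy_encrypt(cb, b->pt + off, b->ct + off, BLOCK);
	}
	a->tag = ca->tag;
	b->tag = cb->tag;
}

/* Compare the interleaved run against the serial reference. Inputs are constructed. */
static int
toy_matches_reference(int copy_to_stack)
{
	struct toy_gcm_ctx session = { .key = 0xC0FFEE11u, .counter = 0, .tag = 0 };
	struct toy_request a = { .iv = 1,   .pt = { 'a','a','a','a','b','b','b','b' } };
	struct toy_request b = { .iv = 100, .pt = { 'c','c','c','c','d','d','d','d' } };
	struct toy_request ref_a = a, ref_b = b;

	toy_run_serial(&session, &ref_a);
	toy_run_serial(&session, &ref_b);
	toy_run_interleaved(&session, &a, &b, copy_to_stack);

	return (memcmp(a.ct, ref_a.ct, sizeof(a.ct)) == 0 && a.tag == ref_a.tag &&
	    memcmp(b.ct, ref_b.ct, sizeof(b.ct)) == 0 && b.tag == ref_b.tag);
}

/* Shared session context: the second request's setiv() clobbers the first. */
int toy_shared_ctx_corrupts(void) { return (!toy_matches_reference(0)); }
/* Per-request stack copy: interleaving no longer matters. */
int toy_stack_copy_is_correct(void) { return (toy_matches_reference(1)); }

int
main(void)
{
	printf("shared context corrupts interleaved requests: %s\n",
	    toy_shared_ctx_corrupts() ? "yes" : "no");
	printf("per-request stack copy is correct: %s\n",
	    toy_stack_copy_is_correct() ? "yes" : "no");
	return (0);
}
```

The shared path fails at the very first block: request A's setiv() sets counter to 1, B's setiv() overwrites it with 100 and zeroes the tag, so A encrypts its first block with the keystream for counter 100 and both tags end up mixed. The stack-copy path pays for a full context copy per request, which is the trade the commit message accepts in exchange for not adding a lock to the session.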
diff --git a/sys/crypto/openssl/ossl_aes.c b/sys/crypto/openssl/ossl_aes.c index 40162b6943df..800518e51205 100644 --- a/sys/crypto/openssl/ossl_aes.c +++ b/sys/crypto/openssl/ossl_aes.c @@ -168,10 +168,9 @@ static int ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, const struct crypto_session_params *csp) { - struct ossl_cipher_context key; + struct ossl_gcm_context ctx; struct crypto_buffer_cursor cc_in, cc_out; unsigned char iv[AES_BLOCK_LEN], tag[AES_BLOCK_LEN]; - struct ossl_gcm_context *ctx; const unsigned char *inseg; unsigned char *outseg; size_t inlen, outlen, seglen; @@ -183,24 +182,25 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, if (crp->crp_cipher_key != NULL) { if (encrypt) error = s->cipher->set_encrypt_key(crp->crp_cipher_key, - 8 * csp->csp_cipher_klen, &key); + 8 * csp->csp_cipher_klen, + (struct ossl_cipher_context *)&ctx); else error = s->cipher->set_decrypt_key(crp->crp_cipher_key, - 8 * csp->csp_cipher_klen, &key); + 8 * csp->csp_cipher_klen, + (struct ossl_cipher_context *)&ctx); if (error) return (error); - ctx = (struct ossl_gcm_context *)&key; } else if (encrypt) { - ctx = (struct ossl_gcm_context *)&s->enc_ctx; + memcpy(&ctx, &s->enc_ctx, sizeof(struct ossl_gcm_context)); } else { - ctx = (struct ossl_gcm_context *)&s->dec_ctx; + memcpy(&ctx, &s->dec_ctx, sizeof(struct ossl_gcm_context)); } crypto_read_iv(crp, iv); - ctx->ops->setiv(ctx, iv, csp->csp_ivlen); + ctx.ops->setiv(&ctx, iv, csp->csp_ivlen); if (crp->crp_aad != NULL) { - if (ctx->ops->aad(ctx, crp->crp_aad, crp->crp_aad_length) != 0) + if (ctx.ops->aad(&ctx, crp->crp_aad, crp->crp_aad_length) != 0) return (EINVAL); } else { crypto_cursor_init(&cc_in, &crp->crp_buf); 
@@ -209,7 +209,7 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, alen -= seglen) { inseg = crypto_cursor_segment(&cc_in, &inlen); seglen = MIN(alen, inlen); - if (ctx->ops->aad(ctx, inseg, seglen) != 0) + if (ctx.ops->aad(&ctx, inseg, seglen) != 0) return (EINVAL); crypto_cursor_advance(&cc_in, seglen); } @@ -230,10 +230,10 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, seglen = MIN(plen, MIN(inlen, outlen)); if (encrypt) { - if (ctx->ops->encrypt(ctx, inseg, outseg, seglen) != 0) + if (ctx.ops->encrypt(&ctx, inseg, outseg, seglen) != 0) return (EINVAL); } else { - if (ctx->ops->decrypt(ctx, inseg, outseg, seglen) != 0) + if (ctx.ops->decrypt(&ctx, inseg, outseg, seglen) != 0) return (EINVAL); } @@ -243,18 +243,19 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, error = 0; if (encrypt) { - ctx->ops->tag(ctx, tag, GMAC_DIGEST_LEN); + ctx.ops->tag(&ctx, tag, GMAC_DIGEST_LEN); crypto_copyback(crp, crp->crp_digest_start, GMAC_DIGEST_LEN, tag); } else { crypto_copydata(crp, crp->crp_digest_start, GMAC_DIGEST_LEN, tag); - if (ctx->ops->finish(ctx, tag, GMAC_DIGEST_LEN) != 0) + if (ctx.ops->finish(&ctx, tag, GMAC_DIGEST_LEN) != 0) error = EBADMSG; } explicit_bzero(iv, sizeof(iv)); explicit_bzero(tag, sizeof(tag)); + explicit_bzero(&ctx, sizeof(ctx)); return (error); }
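Review bot: in the @@ -168 hunk, struct ossl_gcm_context ctx now lives on the kernel stack of ossl_aes_gcm(), and the rest of the patch shows that object holds the key schedule written by set_encrypt_key()/set_decrypt_key(), the ops pointer and the mutable GCM state, so it is much larger than the iv[] and tag[] buffers already declared there. Please confirm sizeof(struct ossl_gcm_context) against the stack budget on the OCF dispatch path (the commit message names ZFS as a caller, which can already be deep in its own stack when it dispatches) and record the figure in a comment next to the declaration so the next reader does not have to rederive it.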
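Review bot: in the @@ -183 hunk, `(struct ossl_cipher_context *)&ctx` hands a struct ossl_gcm_context to set_encrypt_key()/set_decrypt_key(), and `memcpy(&ctx, &s->enc_ctx, sizeof(struct ossl_gcm_context))` reads a gcm-context's worth of bytes out of s->enc_ctx, which the removed line `ctx = (struct ossl_gcm_context *)&s->enc_ctx;` shows is not itself a struct ossl_gcm_context. Both spots assume the two structs share a common prefix and that sizeof(struct ossl_gcm_context) <= sizeof(struct ossl_cipher_context); the pre-patch code made the same assumption in the other direction, but nothing in this file enforces it. If there is not already a _Static_assert on the two sizes next to the struct definitions, add one, or make struct ossl_cipher_context a union that contains struct ossl_gcm_context so the casts go away.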
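Review bot: the new explicit_bzero(&ctx, sizeof(ctx)) at the end of the @@ -243 hunk only runs on the fall-through path; every `return (EINVAL)` in the AAD and payload loops (@@ -183, @@ -209 and @@ -230 hunks) and the `return (error)` after a failed set_*_key() leave the stack copy, key schedule included, in place, along with iv[] and tag[]. The iv/tag leak on those paths predates this change, but the patch now adds a full key schedule to what stays on the stack. Suggest turning those early returns into `error = EINVAL; goto out;` with the three explicit_bzero() calls under an out: label so the scrub is unconditional.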