git: 4cce6043c7d9 - stable/13 - aesni: Support multiple nonce lengths for AES-CCM.

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Thu, 21 Oct 2021 22:04:17 UTC
The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=4cce6043c7d9be191883ad3a7ed46e8e4a1709af

commit 4cce6043c7d9be191883ad3a7ed46e8e4a1709af
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2021-10-06 21:08:47 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2021-10-21 21:07:45 +0000

    aesni: Support multiple nonce lengths for AES-CCM.
    
    Reviewed by:    sef
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D32112
    
    (cherry picked from commit 8e6af6adfc2cc3d0ea89c20eaa5914e453c48b49)
---
 sys/crypto/aesni/aesni.c     | 13 +++++++++----
 sys/crypto/aesni/aesni_ccm.c | 32 ++++++++------------------------
 2 files changed, 17 insertions(+), 28 deletions(-)

diff --git a/sys/crypto/aesni/aesni.c b/sys/crypto/aesni/aesni.c
index 4debbae12c2b..67dcef123429 100644
--- a/sys/crypto/aesni/aesni.c
+++ b/sys/crypto/aesni/aesni.c
@@ -1,7 +1,7 @@
 /*-
  * Copyright (c) 2005-2008 Pawel Jakub Dawidek <pjd@FreeBSD.org>
  * Copyright (c) 2010 Konstantin Belousov <kib@FreeBSD.org>
- * Copyright (c) 2014 The FreeBSD Foundation
+ * Copyright (c) 2014-2021 The FreeBSD Foundation
  * Copyright (c) 2017 Conrad Meyer <cem@FreeBSD.org>
  * All rights reserved.
  *
@@ -9,6 +9,9 @@
  * under sponsorship of the FreeBSD Foundation and
  * Rubicon Communications, LLC (Netgate).
  *
+ * Portions of this software were developed by Ararat River
+ * Consulting, LLC under sponsorship of the FreeBSD Foundation.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -319,8 +322,7 @@ aesni_probesession(device_t dev, const struct crypto_session_params *csp)
 			if (csp->csp_auth_mlen != 0 &&
 			    csp->csp_auth_mlen != AES_CBC_MAC_HASH_LEN)
 				return (EINVAL);
-			if (csp->csp_ivlen != AES_CCM_IV_LEN ||
-			    !sc->has_aes)
+			if (!sc->has_aes)
 				return (EINVAL);
 			break;
 		default:
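Review bot: With the `csp_ivlen != AES_CCM_IV_LEN` test dropped, aesni_probesession accepts a CCM session with any nonce length and the bound now has to come from whoever builds the session parameters; the value later feeds `L = sizeof(__m128i) - 1 - nlen` in AES_CCM_encrypt/decrypt, where a nonce longer than 14 bytes would make L negative and a nonce outside the 7..13 bytes CCM allows would produce a length field the format does not define. Presumably the framework's session-parameter check keeps csp_ivlen in range before the driver is probed, but nothing in this hunk shows that, so a one-line comment recording the dependency would help the next reader: `/* csp_ivlen is range-checked by the framework before probe; CCM allows 7..13 bytes. */`. aesni_probesession starts and ends outside the hunk.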
@@ -639,9 +641,12 @@ aesni_cipher_process(struct aesni_session *ses, struct cryptop *crp)
 
 	csp = crypto_get_params(crp->crp_session);
 	switch (csp->csp_cipher_alg) {
+	case CRYPTO_AES_CCM_16:
+		if (crp->crp_payload_length > ccm_max_payload_length(csp))
+			return (EMSGSIZE);
+		/* FALLTHROUGH */
 	case CRYPTO_AES_ICM:
 	case CRYPTO_AES_NIST_GCM_16:
-	case CRYPTO_AES_CCM_16:
 		if ((crp->crp_flags & CRYPTO_F_IV_SEPARATE) == 0)
 			return (EINVAL);
 		break;
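Review bot: The new `CRYPTO_AES_CCM_16` case is now the only guard on the CCM payload length, because the later hunks in aesni_ccm.c delete the KASSERT in AES_CCM_encrypt and the panic in AES_CCM_decrypt; the comment on the case should say so, since a reader of aesni_ccm.c will no longer see any check there. Suggested text above the `if`: `/* CCM stores the length in 15 - nonce bytes (see L in aesni_ccm.c); this is the only bound check now that AES_CCM_{en,de}crypt no longer assert it. */`. The comparison mixes `crp_payload_length` (an int) with whatever ccm_max_payload_length() returns; if that is an unsigned type the comparison is fine only because payload lengths are non-negative, which is worth a word in the same comment. aesni_cipher_process starts and ends outside the hunk.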
diff --git a/sys/crypto/aesni/aesni_ccm.c b/sys/crypto/aesni/aesni_ccm.c
index fc01e92c697f..9e2fa317b2ed 100644
--- a/sys/crypto/aesni/aesni_ccm.c
+++ b/sys/crypto/aesni/aesni_ccm.c
@@ -1,11 +1,15 @@
 /*-
- * Copyright (c) 2014 The FreeBSD Foundation
+ * Copyright (c) 2014-2021 The FreeBSD Foundation
  * Copyright (c) 2018 iXsystems, Inc
  * All rights reserved.
  *
- * This software was developed by John-Mark Gurney under
- * the sponsorship of the FreeBSD Foundation and
+ * Portions of this software were developed by John-Mark Gurney
+ * under the sponsorship of the FreeBSD Foundation and
  * Rubicon Communications, LLC (Netgate).
+ *
+ * Portions of this software were developed by Ararat River
+ * Consulting, LLC under sponsorship of the FreeBSD Foundation.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -185,12 +189,7 @@ cbc_mac_start(const unsigned char *auth_data, size_t auth_len,
  * however, they're always truncated from 16 bytes, and the tag
  * length isn't passed in.  (This could be fixed by changing the
  * code in aesni.c:aesni_cipher_crypt().)
- * Similarly, although the nonce length is passed in, the
- * OpenCrypto API that calls us doesn't have a way to set the nonce
- * other than by having different crypto algorithm types.  As a result,
- * this is currently always called with nlen=12; this means that we
- * also have a maximum message length of 16 megabytes.  And similarly,
- * since abytes is limited to a 32 bit value here, the AAD is
+ * Since abytes is limited to a 32 bit value here, the AAD is
  * limited to 4 gigabytes or less.
  */
 void
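Review bot: The rewritten comment block still documents the AAD size limit but no longer states the caller's obligation on nbytes, which the KASSERT removed in the next hunk used to enforce inside AES_CCM_encrypt; the limit has moved to the caller and the function's own contract should say so. Suggest adding, after the sentence ending `limited to 4 gigabytes or less.`, a line such as `The caller must ensure nbytes fits in the 15 - nlen byte length field; this function no longer checks it.`. The same applies to AES_CCM_decrypt, whose panic is removed in the last hunk and which has no comment of its own in view.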
@@ -222,14 +221,6 @@ AES_CCM_encrypt(const unsigned char *in, unsigned char *out,
 	 */
 	L = sizeof(__m128i) - 1 - nlen;
 
-	/*
-	 * Now, this shouldn't happen, but let's make sure that
-	 * the data length isn't too big.
-	 */
-	KASSERT(nbytes <= ((1 << (8 * L)) - 1),
-	    ("%s: nbytes is %u, but length field is %d bytes",
-		__FUNCTION__, nbytes, L));
-
 	/*
 	 * Clear out the blocks
 	 */
@@ -399,13 +390,6 @@ AES_CCM_decrypt(const unsigned char *in, unsigned char *out,
 	 */
 	L = sizeof(__m128i) - 1 - nlen;
 
-	/*
-	 * Now, this shouldn't happen, but let's make sure that
-	 * the data length isn't too big.
-	 */
-	if (nbytes > ((1 << (8 * L)) - 1))
-		panic("%s: nbytes is %u, but length field is %d bytes",
-		      __FUNCTION__, nbytes, L);
 	/*
 	 * Clear out the blocks
 	 */