git: a41ff1661bc0 - stable/13 - crypto: Validate AES-GCM IV length in check_csp().
Date: Fri, 29 Apr 2022 20:55:02 UTC
The branch stable/13 has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=a41ff1661bc019abbfbc3d6df2ad7e58126cc4ef
commit a41ff1661bc019abbfbc3d6df2ad7e58126cc4ef
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2021-12-09 19:52:41 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-04-29 20:50:04 +0000
crypto: Validate AES-GCM IV length in check_csp().
This centralizes the check for valid nonce lengths for AES-GCM.
While here, remove some duplicate checks for valid AES-GCM tag lengths
from ccp(4) and ccr(4).
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33194
(cherry picked from commit 6e17a2e00d62fd3041e0bb511fe925079ad1c0d7)
---
sys/crypto/aesni/aesni.c | 3 +--
sys/crypto/armv8/armv8_crypto.c | 2 --
sys/crypto/ccp/ccp.c | 5 -----
sys/dev/cxgbe/crypto/t4_crypto.c | 6 ------
sys/dev/qat/qat.c | 2 --
sys/dev/safexcel/safexcel.c | 3 ---
sys/opencrypto/crypto.c | 5 ++++-
sys/opencrypto/cryptosoft.c | 3 ---
8 files changed, 5 insertions(+), 24 deletions(-)
diff --git a/sys/crypto/aesni/aesni.c b/sys/crypto/aesni/aesni.c
index de797abd1af5..eea32532131f 100644
--- a/sys/crypto/aesni/aesni.c
+++ b/sys/crypto/aesni/aesni.c
@@ -305,8 +305,7 @@ aesni_probesession(device_t dev, const struct crypto_session_params *csp)
if (csp->csp_auth_mlen != 0 &&
csp->csp_auth_mlen != GMAC_DIGEST_LEN)
return (EINVAL);
- if (csp->csp_ivlen != AES_GCM_IV_LEN ||
- !sc->has_aes)
+ if (!sc->has_aes)
return (EINVAL);
break;
case CRYPTO_AES_CCM_16:
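Review bot: With the `csp->csp_ivlen != AES_GCM_IV_LEN` test dropped, this branch of aesni_probesession() no longer shows where the nonce length is enforced, although the driver's GCM path presumably still assumes a fixed-length IV. A one-line comment above the remaining `if (!sc->has_aes)` test would keep that dependency visible, for example `/* csp_ivlen is validated centrally by check_csp(). */`. That wording assumes check_csp() always runs before a driver's probesession, which this diff does not show. The same applies to the removals in armv8_crypto.c, ccp.c, t4_crypto.c, qat.c, safexcel.c and swcr_setup_gcm() in cryptosoft.c. The body of aesni_probesession() starts and ends outside the hunk.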
diff --git a/sys/crypto/armv8/armv8_crypto.c b/sys/crypto/armv8/armv8_crypto.c
index 077667a4bb2a..18b0870f380b 100644
--- a/sys/crypto/armv8/armv8_crypto.c
+++ b/sys/crypto/armv8/armv8_crypto.c
@@ -217,8 +217,6 @@ armv8_crypto_probesession(device_t dev,
case CRYPTO_AES_NIST_GCM_16:
if (!sc->has_pmul)
return (EINVAL);
- if (csp->csp_ivlen != AES_GCM_IV_LEN)
- return (EINVAL);
if (csp->csp_auth_mlen != 0 &&
csp->csp_auth_mlen != GMAC_DIGEST_LEN)
return (EINVAL);
diff --git a/sys/crypto/ccp/ccp.c b/sys/crypto/ccp/ccp.c
index 7cc38b14f3fd..2b059dcee2ca 100644
--- a/sys/crypto/ccp/ccp.c
+++ b/sys/crypto/ccp/ccp.c
@@ -378,11 +378,6 @@ ccp_probesession(device_t dev, const struct crypto_session_params *csp)
case CSP_MODE_AEAD:
switch (csp->csp_cipher_alg) {
case CRYPTO_AES_NIST_GCM_16:
- if (csp->csp_ivlen != AES_GCM_IV_LEN)
- return (EINVAL);
- if (csp->csp_auth_mlen < 0 ||
- csp->csp_auth_mlen > AES_GMAC_HASH_LEN)
- return (EINVAL);
if ((sc->hw_features & VERSION_CAP_AES) == 0)
return (EINVAL);
break;
diff --git a/sys/dev/cxgbe/crypto/t4_crypto.c b/sys/dev/cxgbe/crypto/t4_crypto.c
index 7c233897dff6..325aba60a742 100644
--- a/sys/dev/cxgbe/crypto/t4_crypto.c
+++ b/sys/dev/cxgbe/crypto/t4_crypto.c
@@ -2542,12 +2542,6 @@ ccr_probesession(device_t dev, const struct crypto_session_params *csp)
case CSP_MODE_AEAD:
switch (csp->csp_cipher_alg) {
case CRYPTO_AES_NIST_GCM_16:
- if (csp->csp_ivlen != AES_GCM_IV_LEN)
- return (EINVAL);
- if (csp->csp_auth_mlen < 0 ||
- csp->csp_auth_mlen > AES_GMAC_HASH_LEN)
- return (EINVAL);
- break;
case CRYPTO_AES_CCM_16:
break;
default:
diff --git a/sys/dev/qat/qat.c b/sys/dev/qat/qat.c
index b5d3f4d9629a..dddfe4da1083 100644
--- a/sys/dev/qat/qat.c
+++ b/sys/dev/qat/qat.c
@@ -1900,8 +1900,6 @@ qat_probesession(device_t dev, const struct crypto_session_params *csp)
case CSP_MODE_AEAD:
switch (csp->csp_cipher_alg) {
case CRYPTO_AES_NIST_GCM_16:
- if (csp->csp_ivlen != AES_GCM_IV_LEN)
- return EINVAL;
break;
default:
return EINVAL;
diff --git a/sys/dev/safexcel/safexcel.c b/sys/dev/safexcel/safexcel.c
index 242f1bcfb90a..16978632a1be 100644
--- a/sys/dev/safexcel/safexcel.c
+++ b/sys/dev/safexcel/safexcel.c
@@ -2304,9 +2304,6 @@ safexcel_probesession(device_t dev, const struct crypto_session_params *csp)
case CSP_MODE_AEAD:
switch (csp->csp_cipher_alg) {
case CRYPTO_AES_NIST_GCM_16:
- if (csp->csp_ivlen != AES_GCM_IV_LEN)
- return (EINVAL);
- break;
case CRYPTO_AES_CCM_16:
break;
default:
diff --git a/sys/opencrypto/crypto.c b/sys/opencrypto/crypto.c
index 576382406d88..5332ab5f07ce 100644
--- a/sys/opencrypto/crypto.c
+++ b/sys/opencrypto/crypto.c
@@ -881,7 +881,10 @@ check_csp(const struct crypto_session_params *csp)
return (false);
break;
case CRYPTO_AES_NIST_GCM_16:
- if (csp->csp_auth_mlen > 16)
+ if (csp->csp_auth_mlen > AES_GMAC_HASH_LEN)
+ return (false);
+
+ if (csp->csp_ivlen != AES_GCM_IV_LEN)
return (false);
break;
case CRYPTO_CHACHA20_POLY1305:
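Review bot: The new bound `csp->csp_auth_mlen > AES_GMAC_HASH_LEN` checks only the upper side, while the checks removed from ccp.c and t4_crypto.c in this same commit also rejected `csp->csp_auth_mlen < 0`. If check_csp() does not already reject negative lengths ahead of this switch (that part is outside the hunk), a negative tag length would now pass validation and reach those drivers. In that case the test should read `if (csp->csp_auth_mlen < 0 || csp->csp_auth_mlen > AES_GMAC_HASH_LEN)`. A short comment on the IV test, such as `/* Only AES_GCM_IV_LEN nonces are accepted; drivers no longer check this themselves. */`, would also record why the check lives here. The body of check_csp() begins and ends outside the hunk.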
diff --git a/sys/opencrypto/cryptosoft.c b/sys/opencrypto/cryptosoft.c
index 567a0f4748d5..b6c964b540bc 100644
--- a/sys/opencrypto/cryptosoft.c
+++ b/sys/opencrypto/cryptosoft.c
@@ -1308,9 +1308,6 @@ swcr_setup_gcm(struct swcr_session *ses,
struct swcr_auth *swa;
struct auth_hash *axf;
- if (csp->csp_ivlen != AES_GCM_IV_LEN)
- return (EINVAL);
-
/* First, setup the auth side. */
swa = &ses->swcr_auth;
switch (csp->csp_cipher_klen * 8) {