Date: Wed, 29 Nov 2023 17:58:26 GMT
Message-Id: <202311291758.3ATHwQ0k081079@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 5c0dac0b7a01 - main - ossl: Keep mutable AES-GCM state on the stack
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Commit: 5c0dac0b7a012f326edab06ad85aee5ad68ff120

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=5c0dac0b7a012f326edab06ad85aee5ad68ff120

commit 5c0dac0b7a012f326edab06ad85aee5ad68ff120
Author:     Mark Johnston
AuthorDate: 2023-11-29 17:51:55 +0000
Commit:     Mark Johnston
CommitDate: 2023-11-29 17:55:51 +0000

    ossl: Keep mutable AES-GCM state on the stack

    ossl(4)'s AES-GCM implementation keeps mutable state in the session
    structure, together with the key schedule. This was done for
    convenience, as both are initialized together. However, some OCF
    consumers, particularly ZFS, assume that requests may be dispatched to
    the same session in parallel. Without serialization, this results in
    incorrect output.

    Fix the problem by explicitly copying per-session state onto the stack
    at the beginning of each operation.

    PR:           275306
    Reviewed by:  jhb
    Fixes:        9a3444d91c70 ("ossl: Add a VAES-based AES-GCM implementation for amd64")
    MFC after:    3 days
    Differential Revision: https://reviews.freebsd.org/D42783
---
 sys/crypto/openssl/ossl_aes.c | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/sys/crypto/openssl/ossl_aes.c b/sys/crypto/openssl/ossl_aes.c
index c0cb8ba08d35..65b6f126736e 100644
--- a/sys/crypto/openssl/ossl_aes.c
+++ b/sys/crypto/openssl/ossl_aes.c
@@ -167,10 +167,9 @@ static int ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, const struct crypto_session_params *csp) { - struct ossl_cipher_context key; + struct ossl_gcm_context ctx; struct crypto_buffer_cursor cc_in, cc_out; unsigned char iv[AES_BLOCK_LEN], tag[AES_BLOCK_LEN]; - struct ossl_gcm_context *ctx; const unsigned char *inseg; unsigned char *outseg; size_t inlen, outlen, seglen; @@ -182,24 +181,25 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, if (crp->crp_cipher_key != NULL) { if (encrypt) error = s->cipher->set_encrypt_key(crp->crp_cipher_key, - 8 * csp->csp_cipher_klen, &key); + 8 * csp->csp_cipher_klen, + (struct ossl_cipher_context *)&ctx); else error = s->cipher->set_decrypt_key(crp->crp_cipher_key, - 8 * csp->csp_cipher_klen, &key); + 8 * csp->csp_cipher_klen, + (struct ossl_cipher_context *)&ctx); if (error) return (error); - ctx = (struct ossl_gcm_context *)&key; } else if (encrypt) { - ctx = (struct ossl_gcm_context *)&s->enc_ctx; + memcpy(&ctx, &s->enc_ctx, sizeof(struct ossl_gcm_context)); } else { - ctx = (struct ossl_gcm_context *)&s->dec_ctx; + memcpy(&ctx, &s->dec_ctx, sizeof(struct ossl_gcm_context)); } crypto_read_iv(crp, iv); - ctx->ops->setiv(ctx, iv, csp->csp_ivlen); + ctx.ops->setiv(&ctx, iv, csp->csp_ivlen); if (crp->crp_aad != NULL) { - if (ctx->ops->aad(ctx, crp->crp_aad, crp->crp_aad_length) != 0) + if (ctx.ops->aad(&ctx, crp->crp_aad, crp->crp_aad_length) != 0) return (EINVAL); } else { crypto_cursor_init(&cc_in, &crp->crp_buf); @@ -208,7 +208,7 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, alen -= seglen) { inseg = crypto_cursor_segment(&cc_in, &inlen); seglen = MIN(alen, inlen); - if (ctx->ops->aad(ctx, inseg, seglen) != 0) + if (ctx.ops->aad(&ctx, inseg, seglen) != 0) return (EINVAL); crypto_cursor_advance(&cc_in, seglen); } 
@@ -229,10 +229,10 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, seglen = MIN(plen, MIN(inlen, outlen)); if (encrypt) { - if (ctx->ops->encrypt(ctx, inseg, outseg, seglen) != 0) + if (ctx.ops->encrypt(&ctx, inseg, outseg, seglen) != 0) return (EINVAL); } else { - if (ctx->ops->decrypt(ctx, inseg, outseg, seglen) != 0) + if (ctx.ops->decrypt(&ctx, inseg, outseg, seglen) != 0) return (EINVAL); } @@ -242,18 +242,19 @@ ossl_aes_gcm(struct ossl_session_cipher *s, struct cryptop *crp, error = 0; if (encrypt) { - ctx->ops->tag(ctx, tag, GMAC_DIGEST_LEN); + ctx.ops->tag(&ctx, tag, GMAC_DIGEST_LEN); crypto_copyback(crp, crp->crp_digest_start, GMAC_DIGEST_LEN, tag); } else { crypto_copydata(crp, crp->crp_digest_start, GMAC_DIGEST_LEN, tag); - if (ctx->ops->finish(ctx, tag, GMAC_DIGEST_LEN) != 0) + if (ctx.ops->finish(&ctx, tag, GMAC_DIGEST_LEN) != 0) error = EBADMSG; } explicit_bzero(iv, sizeof(iv)); explicit_bzero(tag, sizeof(tag)); + explicit_bzero(&ctx, sizeof(ctx)); return (error); }
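Review bot: In the second hunk (@@ -182,24), the new `memcpy(&ctx, &s->enc_ctx, sizeof(struct ossl_gcm_context));` and `memcpy(&ctx, &s->dec_ctx, sizeof(struct ossl_gcm_context));` lines read sizeof(struct ossl_gcm_context) bytes out of whatever type enc_ctx/dec_ctx are declared as, while the `(struct ossl_cipher_context *)&ctx` casts handed to set_encrypt_key/set_decrypt_key let those callbacks write into ctx as an ossl_cipher_context; both are only safe if the two context types are size-compatible, and nothing in the hunk states that. A `_Static_assert` relating sizeof(struct ossl_gcm_context) to sizeof(struct ossl_cipher_context) next to the `struct ossl_gcm_context ctx;` declaration would turn the layout assumption into a compile-time check instead of something a later refactor can silently break.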
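Review bot: In the last hunk (@@ -242,18), the new `explicit_bzero(&ctx, sizeof(ctx));` runs only on the fall-through path to `return (error);`. The `return (EINVAL)` exits in the AAD, encrypt and decrypt loops, and the `return (error)` after a set_encrypt_key/set_decrypt_key failure earlier in the function, all leave a full copy of the session's key schedule in the dead stack frame, and since every request now copies the schedule (not only those with crp_cipher_key set) that is every error path. Consider routing those exits through a single label that performs the explicit_bzero, or zeroing ctx before each early return.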
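The race the commit message describes, as an added example that is not ossl(4) code: a constructed session context with an immutable key part and mutable counter state, a toy keystream standing in for AES-GCM, and one interleaving of two requests run both against the shared session context (the pre-fix layout) and against per-request stack copies (the fix). All struct and function names here are invented for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the race in the commit message, not ossl(4) code: the
 * session context mixes an immutable key part with mutable per-request state. */
struct gcm_ctx {
	uint8_t key;       /* stands in for the key schedule */
	uint32_t counter;  /* mutable state, like the GCM IV/counter */
};
struct session { struct gcm_ctx enc_ctx; };
static void gcm_setiv(struct gcm_ctx *c, uint32_t iv) { c->counter = iv; }

/* Toy keystream, not a real cipher: out[i] = in[i] ^ (key + counter++). */
static void gcm_encrypt(struct gcm_ctx *c, const uint8_t *in, uint8_t *out, size_t n)
{
	for (size_t i = 0; i < n; i++)
		out[i] = in[i] ^ (uint8_t)(c->key + c->counter++);
}
/* Reference output for a request that nothing else interferes with. */
static void gcm_encrypt_alone(uint8_t key, uint32_t iv, const uint8_t *in,
    uint8_t *out, size_t n)
{
	struct gcm_ctx c = { key, 0 };
	gcm_setiv(&c, iv);
	gcm_encrypt(&c, in, out, n);
}
static const uint8_t msg[4] = { 1, 2, 3, 4 };	/* constructed plaintext */

/* Interleaving of two requests on one session: A.setiv, B.setiv, A.encrypt.
 * copy == 0: both use the session context directly (pre-fix layout);
 * copy == 1: each first copies it onto its own stack (the fix).
 * Returns 1 if A's output matches the reference, 0 if it was corrupted. */
static int interleaved_ok(int copy)
{
	struct session s = { { 7, 0 } };
	struct gcm_ctx ca, cb, *a, *b;
	uint8_t out[4], expect[4];
	if (copy) {
		memcpy(&ca, &s.enc_ctx, sizeof(ca));
		memcpy(&cb, &s.enc_ctx, sizeof(cb));
		a = &ca, b = &cb;
	} else
		a = b = &s.enc_ctx;
	gcm_setiv(a, 100);
	gcm_setiv(b, 200);		/* lands on A's state when shared */
	gcm_encrypt(a, msg, out, sizeof(msg));
	gcm_encrypt_alone(7, 100, msg, expect, sizeof(msg));
	return memcmp(out, expect, sizeof(out)) == 0;
}
```

With a real driver the interleaving is decided by the scheduler, so the shared-context case fails intermittently rather than on every run; the model makes it deterministic.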