git: d2e076c37b09 - main - ossl: Don't encryt/decrypt too much data for chacha20.
John Baldwin
jhb at FreeBSD.org
Thu Apr 1 22:49:30 UTC 2021
The branch main has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=d2e076c37b0963a8be89684a656c4e1640dc7a3e
commit d2e076c37b0963a8be89684a656c4e1640dc7a3e
Author: John Baldwin <jhb at FreeBSD.org>
AuthorDate: 2021-04-01 22:42:18 +0000
Commit: John Baldwin <jhb at FreeBSD.org>
CommitDate: 2021-04-01 22:49:07 +0000
ossl: Don't encryt/decrypt too much data for chacha20.
The loops for Chacha20 and Chacha20+Poly1305 which encrypted/decrypted
full blocks of data used the minimum of the input and output segment
lengths to determine the size of the next chunk ('todo') to pass to
Chacha20_ctr32(). However, the input and output segments could extend
past the end of the ciphertext region into the tag (e.g. if a "plain"
single mbuf contained an entire TLS record). If the length of the tag
plus the length of the last partial block together were at least as
large as a full Chacha20 block (64 bytes), then an extra block was
encrypted/decrypted overlapping with the tag. Fix this by also
capping the amount of data to encrypt/decrypt by the amount of
remaining data in the ciphertext region ('resid').
Reported by: gallatin
Reviewed by: cem, gallatin, markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D29517
---
sys/crypto/openssl/ossl_chacha20.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sys/crypto/openssl/ossl_chacha20.c b/sys/crypto/openssl/ossl_chacha20.c
index a2bfb52cacd6..7fa1a297052e 100644
--- a/sys/crypto/openssl/ossl_chacha20.c
+++ b/sys/crypto/openssl/ossl_chacha20.c
@@ -88,7 +88,8 @@ ossl_chacha20(struct cryptop *crp, const struct crypto_session_params *csp)
out = outseg;
/* Figure out how many blocks we can encrypt/decrypt at once. */
- todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE);
+ todo = rounddown(MIN(resid, MIN(inlen, outlen)),
+ CHACHA_BLK_SIZE);
#ifdef __LP64__
/* ChaCha20_ctr32() assumes length is <= 4GB. */
@@ -218,7 +219,8 @@ ossl_chacha20_poly1305_encrypt(struct cryptop *crp,
out = outseg;
/* Figure out how many blocks we can encrypt/decrypt at once. */
- todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE);
+ todo = rounddown(MIN(resid, MIN(inlen, outlen)),
+ CHACHA_BLK_SIZE);
#ifdef __LP64__
/* ChaCha20_ctr32() assumes length is <= 4GB. */
@@ -389,7 +391,8 @@ ossl_chacha20_poly1305_decrypt(struct cryptop *crp,
out = outseg;
/* Figure out how many blocks we can encrypt/decrypt at once. */
- todo = rounddown(MIN(inlen, outlen), CHACHA_BLK_SIZE);
+ todo = rounddown(MIN(resid, MIN(inlen, outlen)),
+ CHACHA_BLK_SIZE);
#ifdef __LP64__
/* ChaCha20_ctr32() assumes length is <= 4GB. */
More information about the dev-commits-src-main
mailing list