Page MenuHomeFreeBSD
Differential D29517

ossl: Don't encryt/decrypt too much data for chacha20.
ClosedPublic
Actions

Authored by jhb on Mar 31 2021, 5:26 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Mar 29, 10:24 AM
Unknown Object (File)
Feb 27 2024, 4:38 AM
Unknown Object (File)
Feb 13 2024, 8:33 PM
Unknown Object (File)
Feb 10 2024, 5:54 PM
Unknown Object (File)
Jan 12 2024, 2:45 AM
Unknown Object (File)
Jan 7 2024, 12:14 AM
Unknown Object (File)
Dec 20 2023, 8:44 AM
Unknown Object (File)
Nov 16 2023, 2:57 AM
View All 33 Files
Subscribers
imp
jmg

Details

Reviewers
gallatin
cem
markj
Commits
rGe3d927fac1da: ossl: Don't encryt/decrypt too much data for chacha20.
rGd2e076c37b09: ossl: Don't encryt/decrypt too much data for chacha20.
Summary

The loops for Chacha20 and Chacha20+Poly1305 which encrypted/decrypted
full blocks of data used the minimum of the input and output segment
lengths to determine the size of the next chunk ('todo') to pass to
Chacha20_ctr32(). However, the input and output segments could extend
past the end of the ciphertext region into the tag (e.g. if a "plain"
single mbuf contained an entire TLS record). If the length of the tag
plus the length of the last partial block together were at least as
large as a full Chacha20 block (64 bytes), then an extra block was
encrypted/decrypted overlapping with the tag. Fix this by also
capping the amount of data to encrypt/decrypt by the amount of
remaining data in the ciphertext region ('resid').

Reported by: gallatin
Sponsored by: Netflix

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb created this revision.Mar 31 2021, 5:26 PM
Herald added subscribers: jmg, imp. · View Herald TranscriptMar 31 2021, 5:26 PM
jhb requested review of this revision.Mar 31 2021, 5:26 PM
Harbormaster completed remote builds in B38219: Diff 86628.Mar 31 2021, 5:26 PM
jhb added a child revision: D29518: cryptocheck: Expand the set of sizes tested by -z..Mar 31 2021, 5:26 PM
jhb added a comment.Mar 31 2021, 5:30 PM

Drew had a panic in production where the relevant mbuf had a cipher text payload of 0x1b7 bytes in length. I was able to reproduce with a size of 112 (one full block plus enough of a partial block that the poly1305 hash equaled a second full block). I've tested this fix with both sizes. The following review for cryptocheck expands the sizes covered to handle this case, but it in a slightly more general way.

cem accepted this revision.Mar 31 2021, 6:09 PM
This revision is now accepted and ready to land.Mar 31 2021, 6:09 PM
gallatin accepted this revision.Mar 31 2021, 8:58 PM
markj accepted this revision.Mar 31 2021, 9:54 PM
Closed by commit rGd2e076c37b09: ossl: Don't encryt/decrypt too much data for chacha20. (authored by jhb). · Explain WhyApr 1 2021, 10:49 PM
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rGd2e076c37b09: ossl: Don't encryt/decrypt too much data for chacha20..
jhb added a commit: rGe3d927fac1da: ossl: Don't encryt/decrypt too much data for chacha20..Oct 21 2021, 5:07 PM

Revision Contents
Changeset List

PathSize
sys/
crypto/
openssl/
9 lines

Diff 86722

View Options

sys/crypto/openssl/ossl_chacha20.c

Loading...