
cryptodev: Allow some CIOCCRYPT operations with an empty payload.
Closed, Public

Authored by jhb on Sep 24 2021, 6:04 PM.

Details

Summary

If an operation would generate a MAC output (e.g. for digest operation
or for an AEAD or EtA operation), then an empty payload buffer is
valid. Only reject requests with an empty buffer for "plain" cipher
sessions.

Some of the AES-CCM NIST KAT vectors use an empty payload.

While here, don't advance crp_payload_start for requests that use an
empty payload with an inline IV. (*)

Reported by: syzbot+d4b94fbd9a44b032f428@syzkaller.appspotmail.com (*)
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
R10 FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Similar to D32108. This was triggered by AES-CCM tests via cryptotest.py.

sys/opencrypto/cryptodev.c
Line 838

This is the change I talked about over in D32123 where I had relaxed this requirement for all but CSP_MODE_CIPHER.

I think we could further refine this to check for cop->len == cse->ivsize if cop->iv is NULL.

Lines 927–928

In your other review we could perhaps make this conditional on the updated crp_payload_length != 0 if we wanted to keep the assertion in crp_sanity()?

sys/opencrypto/cryptodev.c
Line 838

Yes, I think that is necessary.

Lines 927–928

I think that's fine. To be clear, the idea is to have this instead:

crp->crp_payload_length -= cse->ivsize;
if (crp->crp_payload_length > 0)
    crp->crp_payload_start += cse->ivsize;

Do you want to just handle this in this review?

jhb marked 2 inline comments as done. Oct 1 2021, 9:27 PM
  • Check for cop->len == cse->ivsize.
  • Don't bump payload_start for an empty payload.
This revision is now accepted and ready to land. Oct 1 2021, 9:36 PM
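
The two checks this review settles on, modelled as a stand-alone C function. This is an added example, not the code from sys/opencrypto/cryptodev.c. The struct, enum and function names, the EINVAL return value, and the rejection of a buffer shorter than the IV are assumptions of the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model; names are hypothetical, not the kernel's definitions. */
enum mode { MODE_CIPHER, MODE_DIGEST, MODE_AEAD, MODE_ETA };

struct req {
    enum mode mode;
    size_t len;       /* total buffer length from userland */
    size_t ivsize;    /* IV size of the session (0 if none) */
    bool iv_inline;   /* true when no separate IV pointer is given */
};

struct layout { size_t payload_start, payload_length; };

/* Returns 0 and fills *out, or EINVAL for a request that must be rejected. */
int plan_request(const struct req *r, struct layout *out)
{
    size_t payload_len = r->len;

    if (r->iv_inline && r->ivsize != 0) {
        if (r->len < r->ivsize)      /* assumption: buffer must hold the IV */
            return EINVAL;
        payload_len -= r->ivsize;    /* len == ivsize leaves an empty payload */
    }
    /* An empty payload is only valid when a MAC/tag is still produced. */
    if (payload_len == 0 && r->mode == MODE_CIPHER)
        return EINVAL;

    out->payload_length = payload_len;
    /* Skip the inline IV only when payload bytes actually follow it. */
    out->payload_start = (r->iv_inline && payload_len > 0) ? r->ivsize : 0;
    return 0;
}

int main(void)
{
    /* Constructed cases: 12-byte inline IV and nothing else in the buffer. */
    struct req aead = { MODE_AEAD, 12, 12, true };
    struct req cipher = { MODE_CIPHER, 12, 12, true };
    struct layout l = { 0, 0 };
    int err = plan_request(&aead, &l);
    printf("aead: err=%d start=%zu len=%zu\n", err, l.payload_start, l.payload_length);
    printf("cipher: err=%d\n", plan_request(&cipher, &l));
    return 0;
}
```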