Page MenuHomeFreeBSD

cryptodev: Allow some CIOCCRYPT operations with an empty payload.
ClosedPublic

Authored by jhb on Sep 24 2021, 6:04 PM.

Details

Summary

If an operation would generate a MAC output (e.g. for digest operation
or for an AEAD or EtA operation), then an empty payload buffer is
valid. Only reject requests with an empty buffer for "plain" cipher
sessions.

Some of the AES-CCM NIST KAT vectors use an empty payload.

While here, don't advance crp_payload_start for requests that use an
empty payload with an inline IV. (*)

Reported by: syzbot+d4b94fbd9a44b032f428@syzkaller.appspotmail.com (*)
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 41710
Build 38599: arc lint + arc unit

Event Timeline

Similar to D32108. this was triggered by AES-CCM tests via cryptotest.py.

sys/opencrypto/cryptodev.c
841

This is the change I talked about over in D32123 where I had relaxed this requirement for all but CSP_MODE_CIPHER.

I think we could further refine this to check for cop->len == cse->ivsize if cop->iv is NULL.

923

In your other review we could perhaps make this conditional on the updated crp_payload_length != 0 if we wanted to keep the assertion in crp_sanity()?

sys/opencrypto/cryptodev.c
841

Yes, I think that is necessary.

923

I think that's fine. To be clear, the idea is to have this instead:

crp->crp_payload_length -= cse->ivsize;
if (crp->crp_payload_length > 0)
    crp->crp_payload_start += cse->ivsize;

Do you want to just handle this in this review?

jhb marked 2 inline comments as done.Oct 1 2021, 9:27 PM
  • Check for cop->len == cse->ivsize.
  • Don't bump payload_start for an empty payload.
This revision is now accepted and ready to land.Oct 1 2021, 9:36 PM