Page MenuHomeFreeBSD
Differential D32123

opencrypto: Relax checks for zero-length payloads
AbandonedPublic
Actions

Authored by markj on Sep 24 2021, 6:26 PM.
Tags
None
Referenced Files
F81932491: D32123.diff
Tue, Apr 23, 9:46 AM
Unknown Object (File)
Feb 21 2024, 9:09 AM
Unknown Object (File)
Dec 22 2023, 10:42 AM
Unknown Object (File)
Dec 20 2023, 4:21 AM
Unknown Object (File)
Aug 8 2023, 4:16 PM
Unknown Object (File)
Jun 27 2023, 8:19 PM
Unknown Object (File)
May 23 2023, 5:31 PM
Unknown Object (File)
May 13 2023, 4:14 AM
View All 9 Files
Subscribers
imp
jmg

Details

Reviewers
jhb
Summary

In general it is permitted to submit crypto ops with zero-length
payloads. However, our handling of them is inconsistent. In
particular, crypto_op() checks for an input length of zero and returns
EINVAL in that case, but one can bypass this check by passing an inline
IV, resulting in a cryptop with payload_start != 0 && payload_length ==
0. cryptoaead_op() does not check for a length of zero at all.

In the aforementioned case where a crypto op has length zero but an
inline IV, the operation will trigger a KASSERT in crp_sanity() since
crp_payload_start != 0 && crp_payload_len == 0. Relax the assertion to
permit this. Remove the check in crypto_op(), reverting commit
e6d944d7c3eae828d8353abd414f634067ec6f7d.

Reported by: syzbot+d4b94fbd9a44b032f428@syzkaller.appspotmail.com

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 41725
Build 38614: arc lint + arc unit

Event Timeline

markj created this revision.Sep 24 2021, 6:26 PM
Herald added subscribers: jmg, imp. · View Herald TranscriptSep 24 2021, 6:26 PM
markj requested review of this revision.Sep 24 2021, 6:26 PM
Harbormaster completed remote builds in B41725: Diff 95659.Sep 24 2021, 6:26 PM
markj added a child revision: D32124: opencrypto: Disallow requests which pass VERIFY_DIGEST without a MAC.Sep 24 2021, 6:26 PM
jhb added inline comments.Sep 24 2021, 6:38 PM
sys/opencrypto/crypto.c
1299

Hmmm, I do think it's kind of odd to give a payload_start if payload_length is 0 fwiw. See for example the assertion about aad at 1266-1268. My intention was to require start fields to be 0 if the associated length was 0. Of course, that would require a special case in cryptodev for an empty payload to leave the start as 0. Hmmm.

sys/opencrypto/cryptodev.c
756

Hmm, I do think a payload of 0 should be an error if there isn't an associated MAC. Perhaps as a followup to my pending change we could change the == 0 case I moved into the CSP_CIPHER case further below to take into account the implicit IV?

markj added inline comments.Sep 24 2021, 7:04 PM
sys/opencrypto/cryptodev.c
756

Isn't the problem broader than just the CSP_CIPHER case though?

jhb added inline comments.Sep 27 2021, 5:38 PM
sys/opencrypto/cryptodev.c
756

An empty payload is permitted for ETA and AEAD modes (you still generate a MAC/tag output even with an empty payload). DIGEST doesn't have a txform, so it's really just CIPHER mode for which this is relevant.

jhb mentioned this in D32109: cryptodev: Allow some CIOCCRYPT operations with an empty payload..Sep 27 2021, 9:38 PM
markj abandoned this revision.Oct 1 2021, 9:36 PM

Superseded by D32109.

Revision Contents
Changeset List

PathSize
sys/
opencrypto/
4 lines
8 lines

Diff 95659

View Options

sys/opencrypto/crypto.c

Loading...
View Options

sys/opencrypto/cryptodev.c

Loading...