Page MenuHomeFreeBSD

ossl: Keep mutable AES-GCM state on the stack
ClosedPublic

Authored by markj on Nov 27 2023, 10:57 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Oct 2, 10:03 PM
Unknown Object (File)
Fri, Sep 27, 3:31 PM
Unknown Object (File)
Fri, Sep 27, 3:30 PM
Unknown Object (File)
Wed, Sep 25, 4:24 AM
Unknown Object (File)
Tue, Sep 24, 11:35 PM
Unknown Object (File)
Tue, Sep 24, 7:32 PM
Unknown Object (File)
Tue, Sep 24, 4:44 PM
Unknown Object (File)
Tue, Sep 24, 2:35 AM
Subscribers

Details

Summary

ossl(4)'s AES-GCM implementation keeps mutable state in the session
structure, together with the key schedule. This was done for
convenience, as both are initialized together. However, some OCF
consumers, particularly ZFS, assume that requests may be dispatched to
the same session in parallel. Without serialization, this results in
incorrect output.

Fix the problem by explicitly copying per-session state onto the stack
at the beginning of each operation.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

I'm working on a new mode for cryptocheck which has it try issuing requests from multiple threads in a single session.

Yes, this is similar to changes I made to cryptosoft and other drivers earlier in 14.0-current I think to permit concurrent calls (e.g. dc475c9bee02f1a480362450b3680f0e3bfee529).

sys/crypto/openssl/ossl_aes.c
170

Can you make this struct ossl_gcm_context ctx and use a cast when calling set_encrypt_key and set_decrypt_key? I think it would be a bit less confusig perhaps.

256–257

Does this need an explicit_bzero of state/ctx?

markj marked an inline comment as done.

Address feedback.

This revision is now accepted and ready to land.Nov 29 2023, 5:40 PM
This revision was automatically updated to reflect the committed changes.