ossl: Keep mutable AES-GCM state on the stack
ClosedPublic
Actions

Authored by markj on Nov 27 2023, 10:57 PM.

Details

Reviewers

Commits

rG9fd62386ad6e: ossl: Keep mutable AES-GCM state on the stack
rG84ef0a84ecaa: ossl: Keep mutable AES-GCM state on the stack
rG5c0dac0b7a01: ossl: Keep mutable AES-GCM state on the stack

Summary

ossl(4)'s AES-GCM implementation keeps mutable state in the session
structure, together with the key schedule. This was done for
convenience, as both are initialized together. However, some OCF
consumers, particularly ZFS, assume that requests may be dispatched to
the same session in parallel. Without serialization, this results in
incorrect output.

Fix the problem by explicitly copying per-session state onto the stack
at the beginning of each operation.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Nov 27 2023, 10:57 PM

Herald added a subscriber: imp. · View Herald TranscriptNov 27 2023, 10:57 PM

markj requested review of this revision.Nov 27 2023, 10:57 PM

Harbormaster completed remote builds in B54635: Diff 130630.Nov 27 2023, 10:57 PM

I'm working on a new mode for cryptocheck which has it try issuing requests from multiple threads in a single session.

Yes, this is similar to changes I made to cryptosoft and other drivers earlier in 14.0-current I think to permit concurrent calls (e.g. dc475c9bee02f1a480362450b3680f0e3bfee529).

sys/crypto/openssl/ossl_aes.c
170	Can you make this `struct ossl_gcm_context ctx` and use a cast when calling set_encrypt_key and set_decrypt_key? I think it would be a bit less confusig perhaps.
256–257	Does this need an explicit_bzero of `state`/`ctx`?