src/sys/opencrypto/cryptodev.c, branch release/13.1.0 FreeBSD source tree cryptodev: Allow some CIOCCRYPT operations with an empty payload. 2021-10-21T21:07:18+00:00 John Baldwin jhb@FreeBSD.org 2021-10-06T21:08:47+00:00 5f9a612037793b51c70e26846334d0e0c4232950 If an operation would generate a MAC output (e.g. for digest operation or for an AEAD or EtA operation), then an empty payload buffer is valid. Only reject requests with an empty buffer for "plain" cipher sessions. Some of the AES-CCM NIST KAT vectors use an empty payload. While here, don't advance crp_payload_start for requests that use an empty payload with an inline IV. (*) Reported by: syzbot+d4b94fbd9a44b032f428@syzkaller.appspotmail.com (*) Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32109 (cherry picked from commit a0cbcbb7917b0b8566ec0853425a73d7958ddbed) 
If an operation would generate a MAC output (e.g. for digest operation
or for an AEAD or EtA operation), then an empty payload buffer is
valid.  Only reject requests with an empty buffer for "plain" cipher
sessions.

Some of the AES-CCM NIST KAT vectors use an empty payload.

While here, don't advance crp_payload_start for requests that use an
empty payload with an inline IV. (*)

Reported by:	syzbot+d4b94fbd9a44b032f428@syzkaller.appspotmail.com (*)
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32109

(cherry picked from commit a0cbcbb7917b0b8566ec0853425a73d7958ddbed)
cryptodev: Permit CIOCCRYPT for AEAD ciphers. 2021-10-21T21:07:11+00:00 John Baldwin jhb@FreeBSD.org 2021-10-06T21:08:47+00:00 ac648e3affe358fb373cf369fb2ea46daceba250 A request without AAD for an AEAD cipher can be submitted via CIOCCRYPT rather than CIOCCRYPTAEAD. Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32108 (cherry picked from commit 70dbebea124236184a66a30175ba307793971f00) 
A request without AAD for an AEAD cipher can be submitted via
CIOCCRYPT rather than CIOCCRYPTAEAD.

Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32108

(cherry picked from commit 70dbebea124236184a66a30175ba307793971f00)
cryptodev: Permit explicit IV/nonce and MAC/tag lengths. 2021-10-21T21:05:11+00:00 John Baldwin jhb@FreeBSD.org 2021-10-06T21:08:46+00:00 38b8a2be5c48436a5db059080b97ff0f8c02ef27 Add 'ivlen' and 'maclen' fields to the structure used for CIOGSESSION2 to specify the explicit IV/nonce and MAC/tag lengths for crypto sessions. If these fields are zero, the default lengths are used. This permits selecting an alternate nonce length for AEAD ciphers such as AES-CCM which support multiple nonce leengths. It also supports truncated MACs as input to AEAD or ETA requests. Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32107 (cherry picked from commit 16676123fc85233334983e0071cb446357abec8d) 
Add 'ivlen' and 'maclen' fields to the structure used for CIOGSESSION2
to specify the explicit IV/nonce and MAC/tag lengths for crypto
sessions.  If these fields are zero, the default lengths are used.

This permits selecting an alternate nonce length for AEAD ciphers such
as AES-CCM which support multiple nonce leengths.  It also supports
truncated MACs as input to AEAD or ETA requests.

Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32107

(cherry picked from commit 16676123fc85233334983e0071cb446357abec8d)
cryptodev: Use 'csp' in the handlers for requests. 2021-10-21T15:51:25+00:00 John Baldwin jhb@FreeBSD.org 2021-10-06T21:08:46+00:00 11db133ecad7930dd4f289815e2a1b531390f124 - Retire cse->mode and use csp->csp_mode instead. - Use csp->csp_cipher_algorithm instead of the ivsize when checking for the fixup for the IV length for AES-XTS. Reviewed by: markj Sponsored by: Chelsio Communications, The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32103 (cherry picked from commit b4e0a27c5be5090a9db16dd0ad417543b1fb0c4a) 
- Retire cse->mode and use csp->csp_mode instead.
- Use csp->csp_cipher_algorithm instead of the ivsize when checking
  for the fixup for the IV length for AES-XTS.

Reviewed by:	markj
Sponsored by:	Chelsio Communications, The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32103

(cherry picked from commit b4e0a27c5be5090a9db16dd0ad417543b1fb0c4a)
Add an OCF algorithm for ChaCha20-Poly1305 AEAD. 2021-10-21T15:51:22+00:00 John Baldwin jhb@FreeBSD.org 2021-02-18T17:21:56+00:00 ec3872a696a9b931ca8366c616bf9efc2dbfe8f8 Note that this algorithm implements the mode defined in RFC 8439. Reviewed by: cem Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D27836 (cherry picked from commit fc8fc743d89388c0c5b97a491428fab2b36beac8) 
Note that this algorithm implements the mode defined in RFC 8439.

Reviewed by:	cem
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D27836

(cherry picked from commit fc8fc743d89388c0c5b97a491428fab2b36beac8)
opencrypto: Disallow requests which pass VERIFY_DIGEST without a MAC 2021-10-01T14:08:30+00:00 Mark Johnston markj@FreeBSD.org 2021-09-24T19:04:45+00:00 d04c12765cfa2bf0f33f7489d48843648073ce06 Otherwise we can end up comparing the computed digest with an uninitialized kernel buffer. In cryptoaead_op() we already unconditionally fail the request if a pointer to a digest buffer is not specified. Based on a patch by Simran Kathpalia. Reported by: syzkaller Reviewed by: jhb Pull Request: https://github.com/freebsd/freebsd-src/pull/529 (cherry picked from commit 7c2f227a17ded0934c5941c7911797edb7d770a2) 
Otherwise we can end up comparing the computed digest with an
uninitialized kernel buffer.

In cryptoaead_op() we already unconditionally fail the request if a
pointer to a digest buffer is not specified.

Based on a patch by Simran Kathpalia.

Reported by:	syzkaller
Reviewed by:	jhb
Pull Request:	https://github.com/freebsd/freebsd-src/pull/529

(cherry picked from commit 7c2f227a17ded0934c5941c7911797edb7d770a2)
cryptodev: Fix some input validation bugs 2021-05-14T13:58:54+00:00 Mark Johnston markj@FreeBSD.org 2021-05-11T21:36:12+00:00 abd116de1d42489c641adadca515fcfc76000904 - When we do not have a separate IV, make sure that the IV length specified by the session is not larger than the payload size. - Disallow AEAD requests without a separate IV. crp_sanity() asserts that CRYPTO_F_IV_SEPARATE is set for AEAD requests, and some (but not all) drivers require it. - Return EINVAL for AEAD requests if an IV is specified but the transform does not expect one. Reported by: syzbot+c9e8f6ff5cb7fa6a1250@syzkaller.appspotmail.com Reported by: syzbot+007341439ae295cee74f@syzkaller.appspotmail.com Reported by: syzbot+46e0cc42a428b3b0a40d@syzkaller.appspotmail.com Reported by: syzbot+2c4d670173b8bdb947df@syzkaller.appspotmail.com Reported by: syzbot+220faa5eeb4d47b23877@syzkaller.appspotmail.com Reported by: syzbot+e83434b40f05843722f7@syzkaller.appspotmail.com Reviewed by: jhb Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D30154 (cherry picked from commit 1a04f0156c4e6abfc01d5841341a94179f317f31) 
- When we do not have a separate IV, make sure that the IV length
  specified by the session is not larger than the payload size.
- Disallow AEAD requests without a separate IV.  crp_sanity() asserts
  that CRYPTO_F_IV_SEPARATE is set for AEAD requests, and some (but not
  all) drivers require it.
- Return EINVAL for AEAD requests if an IV is specified but the
  transform does not expect one.

Reported by:	syzbot+c9e8f6ff5cb7fa6a1250@syzkaller.appspotmail.com
Reported by:	syzbot+007341439ae295cee74f@syzkaller.appspotmail.com
Reported by:	syzbot+46e0cc42a428b3b0a40d@syzkaller.appspotmail.com
Reported by:	syzbot+2c4d670173b8bdb947df@syzkaller.appspotmail.com
Reported by:	syzbot+220faa5eeb4d47b23877@syzkaller.appspotmail.com
Reported by:	syzbot+e83434b40f05843722f7@syzkaller.appspotmail.com
Reviewed by:	jhb
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D30154

(cherry picked from commit 1a04f0156c4e6abfc01d5841341a94179f317f31)
Remove the cloned file descriptors for /dev/crypto. 2020-11-25T00:10:54+00:00 John Baldwin jhb@FreeBSD.org 2020-11-25T00:10:54+00:00 688f8b822cea550753e7f3495339141cb6b565b7 Crypto file descriptors were added in the original OCF import as a way to provide per-open data (specifically the list of symmetric sessions). However, this gives a bit of a confusing API where one has to open /dev/crypto and then invoke an ioctl to obtain a second file descriptor. This also does not match the API used with /dev/crypto on other BSDs or with Linux's /dev/crypto driver. Character devices have gained support for per-open data via cdevpriv since OCF was imported, so use cdevpriv to simplify the userland API by permitting ioctls directly on /dev/crypto descriptors. To provide backwards compatibility, CRIOGET now opens another /dev/crypto descriptor via kern_openat() rather than dup'ing the existing file descriptor. This preserves prior semantics in case CRIOGET is invoked multiple times on a single file descriptor. Reviewed by: markj Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D27302 
Crypto file descriptors were added in the original OCF import as a way
to provide per-open data (specifically the list of symmetric
sessions).  However, this gives a bit of a confusing API where one has
to open /dev/crypto and then invoke an ioctl to obtain a second file
descriptor.  This also does not match the API used with /dev/crypto on
other BSDs or with Linux's /dev/crypto driver.

Character devices have gained support for per-open data via cdevpriv
since OCF was imported, so use cdevpriv to simplify the userland API
by permitting ioctls directly on /dev/crypto descriptors.

To provide backwards compatibility, CRIOGET now opens another
/dev/crypto descriptor via kern_openat() rather than dup'ing the
existing file descriptor.  This preserves prior semantics in case
CRIOGET is invoked multiple times on a single file descriptor.

Reviewed by:	markj
Relnotes:	yes
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D27302
Group session management routines together before first use. 2020-11-06T18:05:29+00:00 John Baldwin jhb@FreeBSD.org 2020-11-06T18:05:29+00:00 c423784dc509ffd156c54c373bbb73068394065f - Rename cse*() to cse_*() to more closely match other local APIs in this file. - Merge the old csecreate() into cryptodev_create_session() and rename the new function to cse_create(). Reviewed by: markj Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D27070 
- Rename cse*() to cse_*() to more closely match other local APIs in
  this file.

- Merge the old csecreate() into cryptodev_create_session() and rename
  the new function to cse_create().

Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D27070
Move cryptof_ioctl() below the routines it calls. 2020-11-06T00:15:52+00:00 John Baldwin jhb@FreeBSD.org 2020-11-06T00:15:52+00:00 f5074add758bbe64816245bd864638a42f6dc318 Reviewed by: markj Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D27069 
Reviewed by:	markj
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D27069