cryptodev: Allow some CIOCCRYPT operations with an empty payload.

If an operation would generate a MAC output (e.g. for digest operation or for an AEAD or EtA operation), then an empty payload buffer is valid. Only reject requests with an empty buffer for "plain" cipher sessions. Some of the AES-CCM NIST KAT vectors use an empty payload. While here, don't advance crp_payload_start for requests that use an empty payload with an inline IV. (*) Reported by: syzbot+d4b94fbd9a44b032f428@syzkaller.appspotmail.com (*) Reviewed by: markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32109
2021-10-06 14:08:47 -07:00 · 2021-10-06 14:08:47 -07:00 · a0cbcbb791
commit a0cbcbb791
parent 70dbebea12
1 changed files with 9 additions and 2 deletions
--- a/sys/opencrypto/cryptodev.c
+++ b/sys/opencrypto/cryptodev.c
@ -781,7 +781,7 @@ cryptodev_op(struct csession *cse, const struct crypt_op *cop)
 	}

 	if (cse->txform) {
-		if (cop->len == 0 || (cop->len % cse->txform->blocksize) != 0) {
+		if ((cop->len % cse->txform->blocksize) != 0) {
 			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
 			return (EINVAL);
 		}
@ -836,6 +836,12 @@ cryptodev_op(struct csession *cse, const struct crypt_op *cop)
 		}
 		break;
 	case CSP_MODE_CIPHER:
+		if (cop->len == 0 ||
+		    (cop->iv == NULL && cop->len == cse->ivsize)) {
+			SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__);
+			error = EINVAL;
+			goto bail;
+		}
 		switch (cop->op) {
 		case COP_ENCRYPT:
 			crp->crp_op = CRYPTO_OP_ENCRYPT;
@ -919,8 +925,9 @@ cryptodev_op(struct csession *cse, const struct crypt_op *cop)
 			goto bail;
 		}
 		crp->crp_iv_start = 0;
-		crp->crp_payload_start += cse->ivsize;
 		crp->crp_payload_length -= cse->ivsize;
+		if (crp->crp_payload_length != 0)
+			crp->crp_payload_start = cse->ivsize;
 		dst += cse->ivsize;
 	}