From 1496376fee5af11aeeff579937776a2bfc6ba1c4 Mon Sep 17 00:00:00 2001
From: John Baldwin <jhb@FreeBSD.org>
Date: Thu, 8 Jun 2017 21:33:10 +0000
Subject: [PATCH] Fix the software fallback for GCM to validate the existing
 tag for decrypts.

Sponsored by:	Chelsio Communications
---
 sys/dev/cxgbe/crypto/t4_crypto.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/sys/dev/cxgbe/crypto/t4_crypto.c b/sys/dev/cxgbe/crypto/t4_crypto.c
index d549ce4032c7..eb341f9720e2 100644
--- a/sys/dev/cxgbe/crypto/t4_crypto.c
+++ b/sys/dev/cxgbe/crypto/t4_crypto.c
@@ -1398,9 +1398,20 @@ ccr_gcm_soft(struct ccr_session *s, struct cryptop *crp,
 	AES_GMAC_Update(&gmac_ctx, block, sizeof(block));
 	AES_GMAC_Final(digest, &gmac_ctx);
 
-	crypto_copyback(crp->crp_flags, crp->crp_buf, crda->crd_inject,
-	    sizeof(digest), digest);
-	crp->crp_etype = 0;
+	if (crde->crd_flags & CRD_F_ENCRYPT) {
+		crypto_copyback(crp->crp_flags, crp->crp_buf, crda->crd_inject,
+		    sizeof(digest), digest);
+		crp->crp_etype = 0;
+	} else {
+		char digest2[GMAC_DIGEST_LEN];
+
+		crypto_copydata(crp->crp_flags, crp->crp_buf, crda->crd_inject,
+		    sizeof(digest2), digest2);
+		if (timingsafe_bcmp(digest, digest2, sizeof(digest)) == 0)
+			crp->crp_etype = 0;
+		else
+			crp->crp_etype = EBADMSG;
+	}
 	crypto_done(crp);
 }