d2e076c37b
The loops for Chacha20 and Chacha20+Poly1305 which encrypted/decrypted
full blocks of data used the minimum of the input and output segment
lengths to determine the size of the next chunk ('todo') to pass to
Chacha20_ctr32(). However, the input and output segments could extend
past the end of the ciphertext region into the tag (e.g. if a "plain"
single mbuf contained an entire TLS record). If the length of the tag
plus the length of the last partial block together were at least as
large as a full Chacha20 block (64 bytes), then an extra block was
encrypted/decrypted overlapping with the tag. Fix this by also
capping the amount of data to encrypt/decrypt by the amount of
remaining data in the ciphertext region ('resid').
Reported by: gallatin
Reviewed by: cem, gallatin, markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D29517
|
||
|---|---|---|
| .. | ||
| aarch64 | ||
| amd64 | ||
| arm | ||
| i386 | ||
| ossl_aarch64.c | ||
| ossl_chacha20.c | ||
| ossl_chacha.h | ||
| ossl_hash.h | ||
| ossl_poly1305.c | ||
| ossl_poly1305.h | ||
| ossl_sha1.c | ||
| ossl_sha256.c | ||
| ossl_sha512.c | ||
| ossl_sha.h | ||
| ossl_x86.c | ||
| ossl.c | ||
| ossl.h | ||