freebsd-skq/sys/crypto
John Baldwin d2e076c37b ossl: Don't encryt/decrypt too much data for chacha20.
The loops for Chacha20 and Chacha20+Poly1305 which encrypted/decrypted
full blocks of data used the minimum of the input and output segment
lengths to determine the size of the next chunk ('todo') to pass to
Chacha20_ctr32().  However, the input and output segments could extend
past the end of the ciphertext region into the tag (e.g.  if a "plain"
single mbuf contained an entire TLS record).  If the length of the tag
plus the length of the last partial block together were at least as
large as a full Chacha20 block (64 bytes), then an extra block was
encrypted/decrypted overlapping with the tag.  Fix this by also
capping the amount of data to encrypt/decrypt by the amount of
remaining data in the ciphertext region ('resid').

Reported by:	gallatin
Reviewed by:	cem, gallatin, markj
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D29517
2021-04-01 15:49:07 -07:00
..
aesni aesni: Ensure that key schedules are aligned 2021-01-18 17:07:56 -05:00
armv8 armv8crypto: note derivation in armv8_crypto_wrap.c 2021-03-19 10:53:49 -03:00
blake2
camellia
ccp
chacha20
des
libsodium
openssl ossl: Don't encryt/decrypt too much data for chacha20. 2021-04-01 15:49:07 -07:00
rc4
rijndael
sha2
siphash
skein
via
intake.h
sha1.c
sha1.h