CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	John Baldwin <jhb@FreeBSD.org>
	Thu, 1 Apr 2021 22:42:18 +0000 (15:42 -0700)
committer	John Baldwin <jhb@FreeBSD.org>
	Thu, 1 Apr 2021 22:49:07 +0000 (15:49 -0700)
commit	d2e076c37b0963a8be89684a656c4e1640dc7a3e
tree	4d1f5e97e1645c663b44b97991a15d4b7ed96087	tree \| snapshot
parent	4e6c2a1ee9af05bf42187e8201af1d03a617834f	commit \| diff

ossl: Don't encryt/decrypt too much data for chacha20.

The loops for Chacha20 and Chacha20+Poly1305 which encrypted/decrypted
full blocks of data used the minimum of the input and output segment
lengths to determine the size of the next chunk ('todo') to pass to
Chacha20_ctr32().  However, the input and output segments could extend
past the end of the ciphertext region into the tag (e.g.  if a "plain"
single mbuf contained an entire TLS record).  If the length of the tag
plus the length of the last partial block together were at least as
large as a full Chacha20 block (64 bytes), then an extra block was
encrypted/decrypted overlapping with the tag.  Fix this by also
capping the amount of data to encrypt/decrypt by the amount of
remaining data in the ciphertext region ('resid').

Reported by: gallatin
Reviewed by: cem, gallatin, markj
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D29517