Author: jhb
Date: Thu Nov 5 23:31:58 2020
New Revision: 367406
URL: https://svnweb.freebsd.org/changeset/base/367406
Log:
Check cipher key lengths during probesession.
OCF drivers in general should perform as many session parameter checks
as possible during probesession rather than when creating a new
session. I got this wrong for aesni(4) in r359374. In addition,
aesni(4) was performing the check for digest-only requests and failing
to create digest-only sessions as a result.
Reported by: jkim
Tested by: jkim
Sponsored by: Chelsio Communications
Modified:
head/sys/crypto/aesni/aesni.c
Modified: head/sys/crypto/aesni/aesni.c
==============================================================================
--- head/sys/crypto/aesni/aesni.c Thu Nov 5 23:28:46 2020
(r367405)
+++ head/sys/crypto/aesni/aesni.c Thu Nov 5 23:31:58 2020
(r367406)
@@ -237,16 +237,35 @@ aesni_cipher_supported(struct aesni_softc *sc,
switch (csp->csp_cipher_alg) {
case CRYPTO_AES_CBC:
case CRYPTO_AES_ICM:
+ switch (csp->csp_cipher_klen * 8) {
+ case 128:
+ case 192:
+ case 256:
+ break;
+ default:
+ CRYPTDEB("invalid CBC/ICM key length");
+ return (false);
+ }
if (csp->csp_ivlen != AES_BLOCK_LEN)
return (false);
- return (sc->has_aes);
+ break;
case CRYPTO_AES_XTS:
+ switch (csp->csp_cipher_klen * 8) {
+ case 256:
+ case 512:
+ break;
+ default:
+ CRYPTDEB("invalid XTS key length");
+ return (false);
+ }
if (csp->csp_ivlen != AES_XTS_IV_LEN)
return (false);
- return (sc->has_aes);
+ break;
default:
return (false);
}
+
+ return (true);
}
#define SUPPORTED_SES (CSP_F_SEPARATE_OUTPUT | CSP_F_SEPARATE_AAD | CSP_F_ESN)
@@ -271,6 +290,15 @@ aesni_probesession(device_t dev, const struct crypto_s
case CSP_MODE_AEAD:
switch (csp->csp_cipher_alg) {
case CRYPTO_AES_NIST_GCM_16:
+ switch (csp->csp_cipher_klen * 8) {
+ case 128:
+ case 192:
+ case 256:
+ break;
+ default:
+ CRYPTDEB("invalid GCM key length");
+ return (EINVAL);
+ }
if (csp->csp_auth_mlen != 0 &&
csp->csp_auth_mlen != GMAC_DIGEST_LEN)
return (EINVAL);
@@ -279,6 +307,15 @@ aesni_probesession(device_t dev, const struct crypto_s
return (EINVAL);
break;
case CRYPTO_AES_CCM_16:
+ switch (csp->csp_cipher_klen * 8) {
+ case 128:
+ case 192:
+ case 256:
+ break;
+ default:
+ CRYPTDEB("invalid CCM key length");
+ return (EINVAL);
+ }
if (csp->csp_auth_mlen != 0 &&
csp->csp_auth_mlen != AES_CBC_MAC_HASH_LEN)
return (EINVAL);
@@ -519,41 +556,6 @@ aesni_authprepare(struct aesni_session *ses, int klen)
}
static int
-aesni_cipherprepare(const struct crypto_session_params *csp)
-{
-
- switch (csp->csp_cipher_alg) {
- case CRYPTO_AES_ICM:
- case CRYPTO_AES_NIST_GCM_16:
- case CRYPTO_AES_CCM_16:
- case CRYPTO_AES_CBC:
- switch (csp->csp_cipher_klen * 8) {
- case 128:
- case 192:
- case 256:
- break;
- default:
- CRYPTDEB("invalid CBC/ICM/GCM key length");
- return (EINVAL);
- }
- break;
- case CRYPTO_AES_XTS:
- switch (csp->csp_cipher_klen * 8) {
- case 256:
- case 512:
- break;
- default:
- CRYPTDEB("invalid XTS key length");
- return (EINVAL);
- }
- break;
- default:
- return (EINVAL);
- }
- return (0);
-}
-
-static int
aesni_cipher_setup(struct aesni_session *ses,
const struct crypto_session_params *csp)
{
@@ -600,10 +602,6 @@ aesni_cipher_setup(struct aesni_session *ses,
if (error != 0)
return (error);
}
-
- error = aesni_cipherprepare(csp);
- if (error != 0)
- return (error);
kt = is_fpu_kern_thread(0) || (csp->csp_cipher_alg == 0);
if (!kt) {
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
