2019-05-27 14:55:01 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2015-08-20 15:21:45 +08:00
|
|
|
/*
|
|
|
|
* Symmetric key cipher operations.
|
|
|
|
*
|
|
|
|
* Generic encrypt/decrypt wrapper for ciphers, handles operations across
|
|
|
|
* multiple page boundaries by using temporary blocks. In user context,
|
|
|
|
* the kernel is given a chance to schedule us once per page.
|
|
|
|
*
|
|
|
|
* Copyright (c) 2015 Herbert Xu <herbert@gondor.apana.org.au>
|
|
|
|
*/
|
|
|
|
|
2016-11-22 20:08:12 +08:00
|
|
|
#include <crypto/internal/aead.h>
|
2015-08-20 15:21:45 +08:00
|
|
|
#include <crypto/internal/skcipher.h>
|
2016-11-22 20:08:12 +08:00
|
|
|
#include <crypto/scatterwalk.h>
|
2015-08-20 15:21:45 +08:00
|
|
|
#include <linux/bug.h>
|
2016-07-12 13:17:31 +08:00
|
|
|
#include <linux/cryptouser.h>
|
2016-12-31 23:56:23 +08:00
|
|
|
#include <linux/compiler.h>
|
2016-11-22 20:08:12 +08:00
|
|
|
#include <linux/list.h>
|
2015-08-20 15:21:45 +08:00
|
|
|
#include <linux/module.h>
|
2016-07-12 13:17:31 +08:00
|
|
|
#include <linux/rtnetlink.h>
|
|
|
|
#include <linux/seq_file.h>
|
|
|
|
#include <net/netlink.h>
|
2015-08-20 15:21:45 +08:00
|
|
|
|
|
|
|
#include "internal.h"
|
|
|
|
|
2016-11-22 20:08:12 +08:00
|
|
|
enum {
|
|
|
|
SKCIPHER_WALK_PHYS = 1 << 0,
|
|
|
|
SKCIPHER_WALK_SLOW = 1 << 1,
|
|
|
|
SKCIPHER_WALK_COPY = 1 << 2,
|
|
|
|
SKCIPHER_WALK_DIFF = 1 << 3,
|
|
|
|
SKCIPHER_WALK_SLEEP = 1 << 4,
|
|
|
|
};
|
|
|
|
|
|
|
|
struct skcipher_walk_buffer {
|
|
|
|
struct list_head entry;
|
|
|
|
struct scatter_walk dst;
|
|
|
|
unsigned int len;
|
|
|
|
u8 *data;
|
|
|
|
u8 buffer[];
|
|
|
|
};
|
|
|
|
|
|
|
|
static int skcipher_walk_next(struct skcipher_walk *walk);
|
|
|
|
|
|
|
|
static inline void skcipher_unmap(struct scatter_walk *walk, void *vaddr)
|
|
|
|
{
|
|
|
|
if (PageHighMem(scatterwalk_page(walk)))
|
|
|
|
kunmap_atomic(vaddr);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void *skcipher_map(struct scatter_walk *walk)
|
|
|
|
{
|
|
|
|
struct page *page = scatterwalk_page(walk);
|
|
|
|
|
|
|
|
return (PageHighMem(page) ? kmap_atomic(page) : page_address(page)) +
|
|
|
|
offset_in_page(walk->offset);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void skcipher_map_src(struct skcipher_walk *walk)
|
|
|
|
{
|
|
|
|
walk->src.virt.addr = skcipher_map(&walk->in);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void skcipher_map_dst(struct skcipher_walk *walk)
|
|
|
|
{
|
|
|
|
walk->dst.virt.addr = skcipher_map(&walk->out);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void skcipher_unmap_src(struct skcipher_walk *walk)
|
|
|
|
{
|
|
|
|
skcipher_unmap(&walk->in, walk->src.virt.addr);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void skcipher_unmap_dst(struct skcipher_walk *walk)
|
|
|
|
{
|
|
|
|
skcipher_unmap(&walk->out, walk->dst.virt.addr);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline gfp_t skcipher_walk_gfp(struct skcipher_walk *walk)
|
|
|
|
{
|
|
|
|
return walk->flags & SKCIPHER_WALK_SLEEP ? GFP_KERNEL : GFP_ATOMIC;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Get a spot of the specified length that does not straddle a page.
|
|
|
|
* The caller needs to ensure that there is enough space for this operation.
|
|
|
|
*/
|
|
|
|
static inline u8 *skcipher_get_spot(u8 *start, unsigned int len)
|
|
|
|
{
|
|
|
|
u8 *end_page = (u8 *)(((unsigned long)(start + len - 1)) & PAGE_MASK);
|
|
|
|
|
|
|
|
return max(start, end_page);
|
|
|
|
}
|
|
|
|
|
2019-09-06 11:13:06 +08:00
|
|
|
static int skcipher_done_slow(struct skcipher_walk *walk, unsigned int bsize)
|
2016-11-22 20:08:12 +08:00
|
|
|
{
|
|
|
|
u8 *addr;
|
|
|
|
|
|
|
|
addr = (u8 *)ALIGN((unsigned long)walk->buffer, walk->alignmask + 1);
|
|
|
|
addr = skcipher_get_spot(addr, bsize);
|
|
|
|
scatterwalk_copychunks(addr, &walk->out, bsize,
|
|
|
|
(walk->flags & SKCIPHER_WALK_PHYS) ? 2 : 1);
|
2019-09-06 11:13:06 +08:00
|
|
|
return 0;
|
2016-11-22 20:08:12 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
int skcipher_walk_done(struct skcipher_walk *walk, int err)
|
|
|
|
{
|
2019-09-06 11:13:06 +08:00
|
|
|
unsigned int n = walk->nbytes;
|
|
|
|
unsigned int nbytes = 0;
|
crypto: skcipher - fix crash flushing dcache in error path
scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
skcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.
Fix it by reorganizing skcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.
This bug was found by syzkaller fuzzing.
Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
struct sockaddr_alg addr = {
.salg_type = "skcipher",
.salg_name = "cbc(aes-generic)",
};
char buffer[4096] __attribute__((aligned(4096))) = { 0 };
int fd;
fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
fd = accept(fd, NULL, NULL);
write(fd, buffer, 15);
read(fd, buffer, 15);
}
Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface")
Cc: <stable@vger.kernel.org> # v4.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-07-24 01:54:56 +08:00
|
|
|
|
2019-09-06 11:13:06 +08:00
|
|
|
if (!n)
|
crypto: skcipher - fix crash flushing dcache in error path
scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
skcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.
Fix it by reorganizing skcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.
This bug was found by syzkaller fuzzing.
Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
struct sockaddr_alg addr = {
.salg_type = "skcipher",
.salg_name = "cbc(aes-generic)",
};
char buffer[4096] __attribute__((aligned(4096))) = { 0 };
int fd;
fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
fd = accept(fd, NULL, NULL);
write(fd, buffer, 15);
read(fd, buffer, 15);
}
Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface")
Cc: <stable@vger.kernel.org> # v4.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-07-24 01:54:56 +08:00
|
|
|
goto finish;
|
|
|
|
|
2019-09-06 11:13:06 +08:00
|
|
|
if (likely(err >= 0)) {
|
|
|
|
n -= err;
|
|
|
|
nbytes = walk->total - n;
|
|
|
|
}
|
crypto: skcipher - fix crash flushing dcache in error path
scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
skcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.
Fix it by reorganizing skcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.
This bug was found by syzkaller fuzzing.
Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
struct sockaddr_alg addr = {
.salg_type = "skcipher",
.salg_name = "cbc(aes-generic)",
};
char buffer[4096] __attribute__((aligned(4096))) = { 0 };
int fd;
fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
fd = accept(fd, NULL, NULL);
write(fd, buffer, 15);
read(fd, buffer, 15);
}
Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface")
Cc: <stable@vger.kernel.org> # v4.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-07-24 01:54:56 +08:00
|
|
|
|
|
|
|
if (likely(!(walk->flags & (SKCIPHER_WALK_PHYS |
|
|
|
|
SKCIPHER_WALK_SLOW |
|
|
|
|
SKCIPHER_WALK_COPY |
|
|
|
|
SKCIPHER_WALK_DIFF)))) {
|
2016-11-22 20:08:12 +08:00
|
|
|
unmap_src:
|
|
|
|
skcipher_unmap_src(walk);
|
|
|
|
} else if (walk->flags & SKCIPHER_WALK_DIFF) {
|
|
|
|
skcipher_unmap_dst(walk);
|
|
|
|
goto unmap_src;
|
|
|
|
} else if (walk->flags & SKCIPHER_WALK_COPY) {
|
|
|
|
skcipher_map_dst(walk);
|
|
|
|
memcpy(walk->dst.virt.addr, walk->page, n);
|
|
|
|
skcipher_unmap_dst(walk);
|
|
|
|
} else if (unlikely(walk->flags & SKCIPHER_WALK_SLOW)) {
|
2019-09-06 11:13:06 +08:00
|
|
|
if (err > 0) {
|
crypto: skcipher - don't WARN on unprocessed data after slow walk step
skcipher_walk_done() assumes it's a bug if, after the "slow" path is
executed where the next chunk of data is processed via a bounce buffer,
the algorithm says it didn't process all bytes. Thus it WARNs on this.
However, this can happen legitimately when the message needs to be
evenly divisible into "blocks" but isn't, and the algorithm has a
'walksize' greater than the block size. For example, ecb-aes-neonbs
sets 'walksize' to 128 bytes and only supports messages evenly divisible
into 16-byte blocks. If, say, 17 message bytes remain but they straddle
scatterlist elements, the skcipher_walk code will take the "slow" path
and pass the algorithm all 17 bytes in the bounce buffer. But the
algorithm will only be able to process 16 bytes, triggering the WARN.
Fix this by just removing the WARN_ON(). Returning -EINVAL, as the code
already does, is the right behavior.
This bug was detected by my patches that improve testmgr to fuzz
algorithms against their generic implementation.
Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface")
Cc: <stable@vger.kernel.org> # v4.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-04-01 04:04:15 +08:00
|
|
|
/*
|
|
|
|
* Didn't process all bytes. Either the algorithm is
|
|
|
|
* broken, or this was the last step and it turned out
|
|
|
|
* the message wasn't evenly divisible into blocks but
|
|
|
|
* the algorithm requires it.
|
|
|
|
*/
|
2016-11-22 20:08:12 +08:00
|
|
|
err = -EINVAL;
|
2019-09-06 11:13:06 +08:00
|
|
|
nbytes = 0;
|
|
|
|
} else
|
|
|
|
n = skcipher_done_slow(walk, n);
|
2016-11-22 20:08:12 +08:00
|
|
|
}
|
|
|
|
|
2019-09-06 11:13:06 +08:00
|
|
|
if (err > 0)
|
|
|
|
err = 0;
|
|
|
|
|
|
|
|
walk->total = nbytes;
|
|
|
|
walk->nbytes = 0;
|
|
|
|
|
2016-11-22 20:08:12 +08:00
|
|
|
scatterwalk_advance(&walk->in, n);
|
|
|
|
scatterwalk_advance(&walk->out, n);
|
2019-09-06 11:13:06 +08:00
|
|
|
scatterwalk_done(&walk->in, 0, nbytes);
|
|
|
|
scatterwalk_done(&walk->out, 1, nbytes);
|
2016-11-22 20:08:12 +08:00
|
|
|
|
2019-09-06 11:13:06 +08:00
|
|
|
if (nbytes) {
|
2016-11-22 20:08:12 +08:00
|
|
|
crypto_yield(walk->flags & SKCIPHER_WALK_SLEEP ?
|
|
|
|
CRYPTO_TFM_REQ_MAY_SLEEP : 0);
|
|
|
|
return skcipher_walk_next(walk);
|
|
|
|
}
|
|
|
|
|
2019-09-06 11:13:06 +08:00
|
|
|
finish:
|
2016-11-22 20:08:12 +08:00
|
|
|
/* Short-circuit for the common/fast path. */
|
|
|
|
if (!((unsigned long)walk->buffer | (unsigned long)walk->page))
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
if (walk->flags & SKCIPHER_WALK_PHYS)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
if (walk->iv != walk->oiv)
|
|
|
|
memcpy(walk->oiv, walk->iv, walk->ivsize);
|
|
|
|
if (walk->buffer != walk->page)
|
|
|
|
kfree(walk->buffer);
|
|
|
|
if (walk->page)
|
|
|
|
free_page((unsigned long)walk->page);
|
|
|
|
|
|
|
|
out:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(skcipher_walk_done);
|
|
|
|
|
|
|
|
void skcipher_walk_complete(struct skcipher_walk *walk, int err)
|
|
|
|
{
|
|
|
|
struct skcipher_walk_buffer *p, *tmp;
|
|
|
|
|
|
|
|
list_for_each_entry_safe(p, tmp, &walk->buffers, entry) {
|
|
|
|
u8 *data;
|
|
|
|
|
|
|
|
if (err)
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
data = p->data;
|
|
|
|
if (!data) {
|
|
|
|
data = PTR_ALIGN(&p->buffer[0], walk->alignmask + 1);
|
2016-12-29 22:09:08 +08:00
|
|
|
data = skcipher_get_spot(data, walk->stride);
|
2016-11-22 20:08:12 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
scatterwalk_copychunks(data, &p->dst, p->len, 1);
|
|
|
|
|
2016-12-29 22:09:08 +08:00
|
|
|
if (offset_in_page(p->data) + p->len + walk->stride >
|
2016-11-22 20:08:12 +08:00
|
|
|
PAGE_SIZE)
|
|
|
|
free_page((unsigned long)p->data);
|
|
|
|
|
|
|
|
done:
|
|
|
|
list_del(&p->entry);
|
|
|
|
kfree(p);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!err && walk->iv != walk->oiv)
|
|
|
|
memcpy(walk->oiv, walk->iv, walk->ivsize);
|
|
|
|
if (walk->buffer != walk->page)
|
|
|
|
kfree(walk->buffer);
|
|
|
|
if (walk->page)
|
|
|
|
free_page((unsigned long)walk->page);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(skcipher_walk_complete);
|
|
|
|
|
|
|
|
static void skcipher_queue_write(struct skcipher_walk *walk,
|
|
|
|
struct skcipher_walk_buffer *p)
|
|
|
|
{
|
|
|
|
p->dst = walk->out;
|
|
|
|
list_add_tail(&p->entry, &walk->buffers);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int skcipher_next_slow(struct skcipher_walk *walk, unsigned int bsize)
|
|
|
|
{
|
|
|
|
bool phys = walk->flags & SKCIPHER_WALK_PHYS;
|
|
|
|
unsigned alignmask = walk->alignmask;
|
|
|
|
struct skcipher_walk_buffer *p;
|
|
|
|
unsigned a;
|
|
|
|
unsigned n;
|
|
|
|
u8 *buffer;
|
|
|
|
void *v;
|
|
|
|
|
|
|
|
if (!phys) {
|
2016-12-13 21:34:02 +08:00
|
|
|
if (!walk->buffer)
|
|
|
|
walk->buffer = walk->page;
|
|
|
|
buffer = walk->buffer;
|
2016-11-22 20:08:12 +08:00
|
|
|
if (buffer)
|
|
|
|
goto ok;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Start with the minimum alignment of kmalloc. */
|
|
|
|
a = crypto_tfm_ctx_alignment() - 1;
|
|
|
|
n = bsize;
|
|
|
|
|
|
|
|
if (phys) {
|
|
|
|
/* Calculate the minimum alignment of p->buffer. */
|
|
|
|
a &= (sizeof(*p) ^ (sizeof(*p) - 1)) >> 1;
|
|
|
|
n += sizeof(*p);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Minimum size to align p->buffer by alignmask. */
|
|
|
|
n += alignmask & ~a;
|
|
|
|
|
|
|
|
/* Minimum size to ensure p->buffer does not straddle a page. */
|
|
|
|
n += (bsize - 1) & ~(alignmask | a);
|
|
|
|
|
|
|
|
v = kzalloc(n, skcipher_walk_gfp(walk));
|
|
|
|
if (!v)
|
|
|
|
return skcipher_walk_done(walk, -ENOMEM);
|
|
|
|
|
|
|
|
if (phys) {
|
|
|
|
p = v;
|
|
|
|
p->len = bsize;
|
|
|
|
skcipher_queue_write(walk, p);
|
|
|
|
buffer = p->buffer;
|
|
|
|
} else {
|
|
|
|
walk->buffer = v;
|
|
|
|
buffer = v;
|
|
|
|
}
|
|
|
|
|
|
|
|
ok:
|
|
|
|
walk->dst.virt.addr = PTR_ALIGN(buffer, alignmask + 1);
|
|
|
|
walk->dst.virt.addr = skcipher_get_spot(walk->dst.virt.addr, bsize);
|
|
|
|
walk->src.virt.addr = walk->dst.virt.addr;
|
|
|
|
|
|
|
|
scatterwalk_copychunks(walk->src.virt.addr, &walk->in, bsize, 0);
|
|
|
|
|
|
|
|
walk->nbytes = bsize;
|
|
|
|
walk->flags |= SKCIPHER_WALK_SLOW;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int skcipher_next_copy(struct skcipher_walk *walk)
|
|
|
|
{
|
|
|
|
struct skcipher_walk_buffer *p;
|
|
|
|
u8 *tmp = walk->page;
|
|
|
|
|
|
|
|
skcipher_map_src(walk);
|
|
|
|
memcpy(tmp, walk->src.virt.addr, walk->nbytes);
|
|
|
|
skcipher_unmap_src(walk);
|
|
|
|
|
|
|
|
walk->src.virt.addr = tmp;
|
|
|
|
walk->dst.virt.addr = tmp;
|
|
|
|
|
|
|
|
if (!(walk->flags & SKCIPHER_WALK_PHYS))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
p = kmalloc(sizeof(*p), skcipher_walk_gfp(walk));
|
|
|
|
if (!p)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
p->data = walk->page;
|
|
|
|
p->len = walk->nbytes;
|
|
|
|
skcipher_queue_write(walk, p);
|
|
|
|
|
2016-12-29 22:09:08 +08:00
|
|
|
if (offset_in_page(walk->page) + walk->nbytes + walk->stride >
|
2016-11-22 20:08:12 +08:00
|
|
|
PAGE_SIZE)
|
|
|
|
walk->page = NULL;
|
|
|
|
else
|
|
|
|
walk->page += walk->nbytes;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int skcipher_next_fast(struct skcipher_walk *walk)
|
|
|
|
{
|
|
|
|
unsigned long diff;
|
|
|
|
|
|
|
|
walk->src.phys.page = scatterwalk_page(&walk->in);
|
|
|
|
walk->src.phys.offset = offset_in_page(walk->in.offset);
|
|
|
|
walk->dst.phys.page = scatterwalk_page(&walk->out);
|
|
|
|
walk->dst.phys.offset = offset_in_page(walk->out.offset);
|
|
|
|
|
|
|
|
if (walk->flags & SKCIPHER_WALK_PHYS)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
diff = walk->src.phys.offset - walk->dst.phys.offset;
|
|
|
|
diff |= walk->src.virt.page - walk->dst.virt.page;
|
|
|
|
|
|
|
|
skcipher_map_src(walk);
|
|
|
|
walk->dst.virt.addr = walk->src.virt.addr;
|
|
|
|
|
|
|
|
if (diff) {
|
|
|
|
walk->flags |= SKCIPHER_WALK_DIFF;
|
|
|
|
skcipher_map_dst(walk);
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int skcipher_walk_next(struct skcipher_walk *walk)
|
|
|
|
{
|
|
|
|
unsigned int bsize;
|
|
|
|
unsigned int n;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
walk->flags &= ~(SKCIPHER_WALK_SLOW | SKCIPHER_WALK_COPY |
|
|
|
|
SKCIPHER_WALK_DIFF);
|
|
|
|
|
|
|
|
n = walk->total;
|
2016-12-29 22:09:08 +08:00
|
|
|
bsize = min(walk->stride, max(n, walk->blocksize));
|
2016-11-22 20:08:12 +08:00
|
|
|
n = scatterwalk_clamp(&walk->in, n);
|
|
|
|
n = scatterwalk_clamp(&walk->out, n);
|
|
|
|
|
|
|
|
if (unlikely(n < bsize)) {
|
|
|
|
if (unlikely(walk->total < walk->blocksize))
|
|
|
|
return skcipher_walk_done(walk, -EINVAL);
|
|
|
|
|
|
|
|
slow_path:
|
|
|
|
err = skcipher_next_slow(walk, bsize);
|
|
|
|
goto set_phys_lowmem;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (unlikely((walk->in.offset | walk->out.offset) & walk->alignmask)) {
|
|
|
|
if (!walk->page) {
|
|
|
|
gfp_t gfp = skcipher_walk_gfp(walk);
|
|
|
|
|
|
|
|
walk->page = (void *)__get_free_page(gfp);
|
|
|
|
if (!walk->page)
|
|
|
|
goto slow_path;
|
|
|
|
}
|
|
|
|
|
|
|
|
walk->nbytes = min_t(unsigned, n,
|
|
|
|
PAGE_SIZE - offset_in_page(walk->page));
|
|
|
|
walk->flags |= SKCIPHER_WALK_COPY;
|
|
|
|
err = skcipher_next_copy(walk);
|
|
|
|
goto set_phys_lowmem;
|
|
|
|
}
|
|
|
|
|
|
|
|
walk->nbytes = n;
|
|
|
|
|
|
|
|
return skcipher_next_fast(walk);
|
|
|
|
|
|
|
|
set_phys_lowmem:
|
|
|
|
if (!err && (walk->flags & SKCIPHER_WALK_PHYS)) {
|
|
|
|
walk->src.phys.page = virt_to_page(walk->src.virt.addr);
|
|
|
|
walk->dst.phys.page = virt_to_page(walk->dst.virt.addr);
|
|
|
|
walk->src.phys.offset &= PAGE_SIZE - 1;
|
|
|
|
walk->dst.phys.offset &= PAGE_SIZE - 1;
|
|
|
|
}
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int skcipher_copy_iv(struct skcipher_walk *walk)
|
|
|
|
{
|
|
|
|
unsigned a = crypto_tfm_ctx_alignment() - 1;
|
|
|
|
unsigned alignmask = walk->alignmask;
|
|
|
|
unsigned ivsize = walk->ivsize;
|
2016-12-29 22:09:08 +08:00
|
|
|
unsigned bs = walk->stride;
|
2016-11-22 20:08:12 +08:00
|
|
|
unsigned aligned_bs;
|
|
|
|
unsigned size;
|
|
|
|
u8 *iv;
|
|
|
|
|
2018-07-24 00:57:50 +08:00
|
|
|
aligned_bs = ALIGN(bs, alignmask + 1);
|
2016-11-22 20:08:12 +08:00
|
|
|
|
|
|
|
/* Minimum size to align buffer by alignmask. */
|
|
|
|
size = alignmask & ~a;
|
|
|
|
|
|
|
|
if (walk->flags & SKCIPHER_WALK_PHYS)
|
|
|
|
size += ivsize;
|
|
|
|
else {
|
|
|
|
size += aligned_bs + ivsize;
|
|
|
|
|
|
|
|
/* Minimum size to ensure buffer does not straddle a page. */
|
|
|
|
size += (bs - 1) & ~(alignmask | a);
|
|
|
|
}
|
|
|
|
|
|
|
|
walk->buffer = kmalloc(size, skcipher_walk_gfp(walk));
|
|
|
|
if (!walk->buffer)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
iv = PTR_ALIGN(walk->buffer, alignmask + 1);
|
|
|
|
iv = skcipher_get_spot(iv, bs) + aligned_bs;
|
|
|
|
|
|
|
|
walk->iv = memcpy(iv, walk->iv, walk->ivsize);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int skcipher_walk_first(struct skcipher_walk *walk)
|
|
|
|
{
|
|
|
|
if (WARN_ON_ONCE(in_irq()))
|
|
|
|
return -EDEADLK;
|
|
|
|
|
|
|
|
walk->buffer = NULL;
|
|
|
|
if (unlikely(((unsigned long)walk->iv & walk->alignmask))) {
|
|
|
|
int err = skcipher_copy_iv(walk);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
walk->page = NULL;
|
|
|
|
|
|
|
|
return skcipher_walk_next(walk);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int skcipher_walk_skcipher(struct skcipher_walk *walk,
|
|
|
|
struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
|
|
|
|
|
2017-10-07 11:29:48 +08:00
|
|
|
walk->total = req->cryptlen;
|
|
|
|
walk->nbytes = 0;
|
2017-11-29 17:18:57 +08:00
|
|
|
walk->iv = req->iv;
|
|
|
|
walk->oiv = req->iv;
|
2017-10-07 11:29:48 +08:00
|
|
|
|
|
|
|
if (unlikely(!walk->total))
|
|
|
|
return 0;
|
|
|
|
|
2016-11-22 20:08:12 +08:00
|
|
|
scatterwalk_start(&walk->in, req->src);
|
|
|
|
scatterwalk_start(&walk->out, req->dst);
|
|
|
|
|
|
|
|
walk->flags &= ~SKCIPHER_WALK_SLEEP;
|
|
|
|
walk->flags |= req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
|
|
|
|
SKCIPHER_WALK_SLEEP : 0;
|
|
|
|
|
|
|
|
walk->blocksize = crypto_skcipher_blocksize(tfm);
|
2016-12-29 22:09:08 +08:00
|
|
|
walk->stride = crypto_skcipher_walksize(tfm);
|
2016-11-22 20:08:12 +08:00
|
|
|
walk->ivsize = crypto_skcipher_ivsize(tfm);
|
|
|
|
walk->alignmask = crypto_skcipher_alignmask(tfm);
|
|
|
|
|
|
|
|
return skcipher_walk_first(walk);
|
|
|
|
}
|
|
|
|
|
|
|
|
int skcipher_walk_virt(struct skcipher_walk *walk,
|
|
|
|
struct skcipher_request *req, bool atomic)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
2018-12-16 04:41:53 +08:00
|
|
|
might_sleep_if(req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP);
|
|
|
|
|
2016-11-22 20:08:12 +08:00
|
|
|
walk->flags &= ~SKCIPHER_WALK_PHYS;
|
|
|
|
|
|
|
|
err = skcipher_walk_skcipher(walk, req);
|
|
|
|
|
|
|
|
walk->flags &= atomic ? ~SKCIPHER_WALK_SLEEP : ~0;
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(skcipher_walk_virt);
|
|
|
|
|
|
|
|
void skcipher_walk_atomise(struct skcipher_walk *walk)
|
|
|
|
{
|
|
|
|
walk->flags &= ~SKCIPHER_WALK_SLEEP;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(skcipher_walk_atomise);
|
|
|
|
|
|
|
|
int skcipher_walk_async(struct skcipher_walk *walk,
|
|
|
|
struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
walk->flags |= SKCIPHER_WALK_PHYS;
|
|
|
|
|
|
|
|
INIT_LIST_HEAD(&walk->buffers);
|
|
|
|
|
|
|
|
return skcipher_walk_skcipher(walk, req);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(skcipher_walk_async);
|
|
|
|
|
2016-11-30 21:14:07 +08:00
|
|
|
static int skcipher_walk_aead_common(struct skcipher_walk *walk,
|
|
|
|
struct aead_request *req, bool atomic)
|
2016-11-22 20:08:12 +08:00
|
|
|
{
|
|
|
|
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
|
|
|
|
int err;
|
|
|
|
|
2017-10-07 11:29:48 +08:00
|
|
|
walk->nbytes = 0;
|
2017-11-29 17:18:57 +08:00
|
|
|
walk->iv = req->iv;
|
|
|
|
walk->oiv = req->iv;
|
2017-10-07 11:29:48 +08:00
|
|
|
|
|
|
|
if (unlikely(!walk->total))
|
|
|
|
return 0;
|
|
|
|
|
2016-11-29 21:05:31 +08:00
|
|
|
walk->flags &= ~SKCIPHER_WALK_PHYS;
|
|
|
|
|
2016-11-22 20:08:12 +08:00
|
|
|
scatterwalk_start(&walk->in, req->src);
|
|
|
|
scatterwalk_start(&walk->out, req->dst);
|
|
|
|
|
|
|
|
scatterwalk_copychunks(NULL, &walk->in, req->assoclen, 2);
|
|
|
|
scatterwalk_copychunks(NULL, &walk->out, req->assoclen, 2);
|
|
|
|
|
2017-11-23 20:49:06 +08:00
|
|
|
scatterwalk_done(&walk->in, 0, walk->total);
|
|
|
|
scatterwalk_done(&walk->out, 0, walk->total);
|
|
|
|
|
2016-11-22 20:08:12 +08:00
|
|
|
if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP)
|
|
|
|
walk->flags |= SKCIPHER_WALK_SLEEP;
|
|
|
|
else
|
|
|
|
walk->flags &= ~SKCIPHER_WALK_SLEEP;
|
|
|
|
|
|
|
|
walk->blocksize = crypto_aead_blocksize(tfm);
|
2016-12-29 22:09:08 +08:00
|
|
|
walk->stride = crypto_aead_chunksize(tfm);
|
2016-11-22 20:08:12 +08:00
|
|
|
walk->ivsize = crypto_aead_ivsize(tfm);
|
|
|
|
walk->alignmask = crypto_aead_alignmask(tfm);
|
|
|
|
|
|
|
|
err = skcipher_walk_first(walk);
|
|
|
|
|
|
|
|
if (atomic)
|
|
|
|
walk->flags &= ~SKCIPHER_WALK_SLEEP;
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
2016-11-30 21:14:07 +08:00
|
|
|
|
|
|
|
int skcipher_walk_aead(struct skcipher_walk *walk, struct aead_request *req,
|
|
|
|
bool atomic)
|
|
|
|
{
|
|
|
|
walk->total = req->cryptlen;
|
|
|
|
|
|
|
|
return skcipher_walk_aead_common(walk, req, atomic);
|
|
|
|
}
|
2016-11-22 20:08:12 +08:00
|
|
|
EXPORT_SYMBOL_GPL(skcipher_walk_aead);
|
|
|
|
|
2016-11-30 21:14:07 +08:00
|
|
|
int skcipher_walk_aead_encrypt(struct skcipher_walk *walk,
|
|
|
|
struct aead_request *req, bool atomic)
|
|
|
|
{
|
|
|
|
walk->total = req->cryptlen;
|
|
|
|
|
|
|
|
return skcipher_walk_aead_common(walk, req, atomic);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(skcipher_walk_aead_encrypt);
|
|
|
|
|
|
|
|
int skcipher_walk_aead_decrypt(struct skcipher_walk *walk,
|
|
|
|
struct aead_request *req, bool atomic)
|
|
|
|
{
|
|
|
|
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
|
|
|
|
|
|
|
|
walk->total = req->cryptlen - crypto_aead_authsize(tfm);
|
|
|
|
|
|
|
|
return skcipher_walk_aead_common(walk, req, atomic);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(skcipher_walk_aead_decrypt);
|
|
|
|
|
2015-08-20 15:21:45 +08:00
|
|
|
static unsigned int crypto_skcipher_extsize(struct crypto_alg *alg)
|
|
|
|
{
|
2016-07-12 13:17:31 +08:00
|
|
|
return crypto_alg_extsize(alg);
|
2015-08-20 15:21:45 +08:00
|
|
|
}
|
|
|
|
|
crypto: skcipher - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
Some algorithms have a ->setkey() method that is not atomic, in the
sense that setting a key can fail after changes were already made to the
tfm context. In this case, if a key was already set the tfm can end up
in a state that corresponds to neither the old key nor the new key.
For example, in lrw.c, if gf128mul_init_64k_bbe() fails due to lack of
memory, then priv::table will be left NULL. After that, encryption with
that tfm will cause a NULL pointer dereference.
It's not feasible to make all ->setkey() methods atomic, especially ones
that have to key multiple sub-tfms. Therefore, make the crypto API set
CRYPTO_TFM_NEED_KEY if ->setkey() fails and the algorithm requires a
key, to prevent the tfm from being used until a new key is set.
[Cc stable mainly because when introducing the NEED_KEY flag I changed
AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG
previously didn't have this problem. So these "incompletely keyed"
states became theoretically accessible via AF_ALG -- though, the
opportunities for causing real mischief seem pretty limited.]
Fixes: f8d33fac8480 ("crypto: skcipher - prevent using skciphers without setting key")
Cc: <stable@vger.kernel.org> # v4.16+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-01-07 10:47:43 +08:00
|
|
|
static void skcipher_set_needkey(struct crypto_skcipher *tfm)
|
|
|
|
{
|
|
|
|
if (tfm->keysize)
|
|
|
|
crypto_skcipher_set_flags(tfm, CRYPTO_TFM_NEED_KEY);
|
|
|
|
}
|
|
|
|
|
2017-05-10 03:48:23 +08:00
|
|
|
static int skcipher_setkey_unaligned(struct crypto_skcipher *tfm,
|
|
|
|
const u8 *key, unsigned int keylen)
|
|
|
|
{
|
|
|
|
unsigned long alignmask = crypto_skcipher_alignmask(tfm);
|
|
|
|
struct skcipher_alg *cipher = crypto_skcipher_alg(tfm);
|
|
|
|
u8 *buffer, *alignbuffer;
|
|
|
|
unsigned long absize;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
absize = keylen + alignmask;
|
|
|
|
buffer = kmalloc(absize, GFP_ATOMIC);
|
|
|
|
if (!buffer)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
|
|
|
|
memcpy(alignbuffer, key, keylen);
|
|
|
|
ret = cipher->setkey(tfm, alignbuffer, keylen);
|
|
|
|
kzfree(buffer);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key,
|
|
|
|
unsigned int keylen)
|
|
|
|
{
|
|
|
|
struct skcipher_alg *cipher = crypto_skcipher_alg(tfm);
|
|
|
|
unsigned long alignmask = crypto_skcipher_alignmask(tfm);
|
2018-01-04 03:16:29 +08:00
|
|
|
int err;
|
2017-05-10 03:48:23 +08:00
|
|
|
|
|
|
|
if (keylen < cipher->min_keysize || keylen > cipher->max_keysize) {
|
|
|
|
crypto_skcipher_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((unsigned long)key & alignmask)
|
2018-01-04 03:16:29 +08:00
|
|
|
err = skcipher_setkey_unaligned(tfm, key, keylen);
|
|
|
|
else
|
|
|
|
err = cipher->setkey(tfm, key, keylen);
|
|
|
|
|
crypto: skcipher - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
Some algorithms have a ->setkey() method that is not atomic, in the
sense that setting a key can fail after changes were already made to the
tfm context. In this case, if a key was already set the tfm can end up
in a state that corresponds to neither the old key nor the new key.
For example, in lrw.c, if gf128mul_init_64k_bbe() fails due to lack of
memory, then priv::table will be left NULL. After that, encryption with
that tfm will cause a NULL pointer dereference.
It's not feasible to make all ->setkey() methods atomic, especially ones
that have to key multiple sub-tfms. Therefore, make the crypto API set
CRYPTO_TFM_NEED_KEY if ->setkey() fails and the algorithm requires a
key, to prevent the tfm from being used until a new key is set.
[Cc stable mainly because when introducing the NEED_KEY flag I changed
AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG
previously didn't have this problem. So these "incompletely keyed"
states became theoretically accessible via AF_ALG -- though, the
opportunities for causing real mischief seem pretty limited.]
Fixes: f8d33fac8480 ("crypto: skcipher - prevent using skciphers without setting key")
Cc: <stable@vger.kernel.org> # v4.16+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-01-07 10:47:43 +08:00
|
|
|
if (unlikely(err)) {
|
|
|
|
skcipher_set_needkey(tfm);
|
2018-01-04 03:16:29 +08:00
|
|
|
return err;
|
crypto: skcipher - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
Some algorithms have a ->setkey() method that is not atomic, in the
sense that setting a key can fail after changes were already made to the
tfm context. In this case, if a key was already set the tfm can end up
in a state that corresponds to neither the old key nor the new key.
For example, in lrw.c, if gf128mul_init_64k_bbe() fails due to lack of
memory, then priv::table will be left NULL. After that, encryption with
that tfm will cause a NULL pointer dereference.
It's not feasible to make all ->setkey() methods atomic, especially ones
that have to key multiple sub-tfms. Therefore, make the crypto API set
CRYPTO_TFM_NEED_KEY if ->setkey() fails and the algorithm requires a
key, to prevent the tfm from being used until a new key is set.
[Cc stable mainly because when introducing the NEED_KEY flag I changed
AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG
previously didn't have this problem. So these "incompletely keyed"
states became theoretically accessible via AF_ALG -- though, the
opportunities for causing real mischief seem pretty limited.]
Fixes: f8d33fac8480 ("crypto: skcipher - prevent using skciphers without setting key")
Cc: <stable@vger.kernel.org> # v4.16+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-01-07 10:47:43 +08:00
|
|
|
}
|
2017-05-10 03:48:23 +08:00
|
|
|
|
2018-01-04 03:16:29 +08:00
|
|
|
crypto_skcipher_clear_flags(tfm, CRYPTO_TFM_NEED_KEY);
|
|
|
|
return 0;
|
2017-05-10 03:48:23 +08:00
|
|
|
}
|
|
|
|
|
2019-06-03 13:45:51 +08:00
|
|
|
int crypto_skcipher_encrypt(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
|
|
|
|
struct crypto_alg *alg = tfm->base.__crt_alg;
|
|
|
|
unsigned int cryptlen = req->cryptlen;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
crypto_stats_get(alg);
|
|
|
|
if (crypto_skcipher_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
|
|
|
|
ret = -ENOKEY;
|
|
|
|
else
|
|
|
|
ret = tfm->encrypt(req);
|
|
|
|
crypto_stats_skcipher_encrypt(cryptlen, ret, alg);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_skcipher_encrypt);
|
|
|
|
|
|
|
|
int crypto_skcipher_decrypt(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
|
|
|
|
struct crypto_alg *alg = tfm->base.__crt_alg;
|
|
|
|
unsigned int cryptlen = req->cryptlen;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
crypto_stats_get(alg);
|
|
|
|
if (crypto_skcipher_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
|
|
|
|
ret = -ENOKEY;
|
|
|
|
else
|
|
|
|
ret = tfm->decrypt(req);
|
|
|
|
crypto_stats_skcipher_decrypt(cryptlen, ret, alg);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_skcipher_decrypt);
|
|
|
|
|
2016-07-12 13:17:31 +08:00
|
|
|
static void crypto_skcipher_exit_tfm(struct crypto_tfm *tfm)
|
|
|
|
{
|
|
|
|
struct crypto_skcipher *skcipher = __crypto_skcipher_cast(tfm);
|
|
|
|
struct skcipher_alg *alg = crypto_skcipher_alg(skcipher);
|
|
|
|
|
|
|
|
alg->exit(skcipher);
|
|
|
|
}
|
|
|
|
|
2015-08-20 15:21:45 +08:00
|
|
|
static int crypto_skcipher_init_tfm(struct crypto_tfm *tfm)
|
|
|
|
{
|
2016-07-12 13:17:31 +08:00
|
|
|
struct crypto_skcipher *skcipher = __crypto_skcipher_cast(tfm);
|
|
|
|
struct skcipher_alg *alg = crypto_skcipher_alg(skcipher);
|
|
|
|
|
2017-05-10 03:48:23 +08:00
|
|
|
skcipher->setkey = skcipher_setkey;
|
2016-07-12 13:17:31 +08:00
|
|
|
skcipher->encrypt = alg->encrypt;
|
|
|
|
skcipher->decrypt = alg->decrypt;
|
|
|
|
skcipher->ivsize = alg->ivsize;
|
|
|
|
skcipher->keysize = alg->max_keysize;
|
|
|
|
|
crypto: skcipher - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
Some algorithms have a ->setkey() method that is not atomic, in the
sense that setting a key can fail after changes were already made to the
tfm context. In this case, if a key was already set the tfm can end up
in a state that corresponds to neither the old key nor the new key.
For example, in lrw.c, if gf128mul_init_64k_bbe() fails due to lack of
memory, then priv::table will be left NULL. After that, encryption with
that tfm will cause a NULL pointer dereference.
It's not feasible to make all ->setkey() methods atomic, especially ones
that have to key multiple sub-tfms. Therefore, make the crypto API set
CRYPTO_TFM_NEED_KEY if ->setkey() fails and the algorithm requires a
key, to prevent the tfm from being used until a new key is set.
[Cc stable mainly because when introducing the NEED_KEY flag I changed
AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG
previously didn't have this problem. So these "incompletely keyed"
states became theoretically accessible via AF_ALG -- though, the
opportunities for causing real mischief seem pretty limited.]
Fixes: f8d33fac8480 ("crypto: skcipher - prevent using skciphers without setting key")
Cc: <stable@vger.kernel.org> # v4.16+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-01-07 10:47:43 +08:00
|
|
|
skcipher_set_needkey(skcipher);
|
2018-01-04 03:16:29 +08:00
|
|
|
|
2016-07-12 13:17:31 +08:00
|
|
|
if (alg->exit)
|
|
|
|
skcipher->base.exit = crypto_skcipher_exit_tfm;
|
2015-08-20 15:21:45 +08:00
|
|
|
|
2016-07-12 13:17:31 +08:00
|
|
|
if (alg->init)
|
|
|
|
return alg->init(skcipher);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void crypto_skcipher_free_instance(struct crypto_instance *inst)
|
|
|
|
{
|
|
|
|
struct skcipher_instance *skcipher =
|
|
|
|
container_of(inst, struct skcipher_instance, s.base);
|
|
|
|
|
|
|
|
skcipher->free(skcipher);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void crypto_skcipher_show(struct seq_file *m, struct crypto_alg *alg)
|
2016-12-31 23:56:23 +08:00
|
|
|
__maybe_unused;
|
2016-07-12 13:17:31 +08:00
|
|
|
static void crypto_skcipher_show(struct seq_file *m, struct crypto_alg *alg)
|
|
|
|
{
|
|
|
|
struct skcipher_alg *skcipher = container_of(alg, struct skcipher_alg,
|
|
|
|
base);
|
|
|
|
|
|
|
|
seq_printf(m, "type : skcipher\n");
|
|
|
|
seq_printf(m, "async : %s\n",
|
|
|
|
alg->cra_flags & CRYPTO_ALG_ASYNC ? "yes" : "no");
|
|
|
|
seq_printf(m, "blocksize : %u\n", alg->cra_blocksize);
|
|
|
|
seq_printf(m, "min keysize : %u\n", skcipher->min_keysize);
|
|
|
|
seq_printf(m, "max keysize : %u\n", skcipher->max_keysize);
|
|
|
|
seq_printf(m, "ivsize : %u\n", skcipher->ivsize);
|
|
|
|
seq_printf(m, "chunksize : %u\n", skcipher->chunksize);
|
2016-12-29 22:09:08 +08:00
|
|
|
seq_printf(m, "walksize : %u\n", skcipher->walksize);
|
2015-08-20 15:21:45 +08:00
|
|
|
}
|
|
|
|
|
2016-07-12 13:17:31 +08:00
|
|
|
#ifdef CONFIG_NET
|
|
|
|
static int crypto_skcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
|
|
|
|
{
|
|
|
|
struct crypto_report_blkcipher rblkcipher;
|
|
|
|
struct skcipher_alg *skcipher = container_of(alg, struct skcipher_alg,
|
|
|
|
base);
|
|
|
|
|
2018-11-04 05:56:03 +08:00
|
|
|
memset(&rblkcipher, 0, sizeof(rblkcipher));
|
|
|
|
|
|
|
|
strscpy(rblkcipher.type, "skcipher", sizeof(rblkcipher.type));
|
|
|
|
strscpy(rblkcipher.geniv, "<none>", sizeof(rblkcipher.geniv));
|
2016-07-12 13:17:31 +08:00
|
|
|
|
|
|
|
rblkcipher.blocksize = alg->cra_blocksize;
|
|
|
|
rblkcipher.min_keysize = skcipher->min_keysize;
|
|
|
|
rblkcipher.max_keysize = skcipher->max_keysize;
|
|
|
|
rblkcipher.ivsize = skcipher->ivsize;
|
|
|
|
|
2018-11-04 05:56:03 +08:00
|
|
|
return nla_put(skb, CRYPTOCFGA_REPORT_BLKCIPHER,
|
|
|
|
sizeof(rblkcipher), &rblkcipher);
|
2016-07-12 13:17:31 +08:00
|
|
|
}
|
|
|
|
#else
|
|
|
|
static int crypto_skcipher_report(struct sk_buff *skb, struct crypto_alg *alg)
|
|
|
|
{
|
|
|
|
return -ENOSYS;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2019-10-26 03:41:11 +08:00
|
|
|
static const struct crypto_type crypto_skcipher_type = {
|
2015-08-20 15:21:45 +08:00
|
|
|
.extsize = crypto_skcipher_extsize,
|
|
|
|
.init_tfm = crypto_skcipher_init_tfm,
|
2016-07-12 13:17:31 +08:00
|
|
|
.free = crypto_skcipher_free_instance,
|
|
|
|
#ifdef CONFIG_PROC_FS
|
|
|
|
.show = crypto_skcipher_show,
|
|
|
|
#endif
|
|
|
|
.report = crypto_skcipher_report,
|
2015-08-20 15:21:45 +08:00
|
|
|
.maskclear = ~CRYPTO_ALG_TYPE_MASK,
|
crypto: skcipher - remove the "blkcipher" algorithm type
Now that all "blkcipher" algorithms have been converted to "skcipher",
remove the blkcipher algorithm type.
The skcipher (symmetric key cipher) algorithm type was introduced a few
years ago to replace both blkcipher and ablkcipher (synchronous and
asynchronous block cipher). The advantages of skcipher include:
- A much less confusing name, since none of these algorithm types have
ever actually been for raw block ciphers, but rather for all
length-preserving encryption modes including block cipher modes of
operation, stream ciphers, and other length-preserving modes.
- It unified blkcipher and ablkcipher into a single algorithm type
which supports both synchronous and asynchronous implementations.
Note, blkcipher already operated only on scatterlists, so the fact
that skcipher does too isn't a regression in functionality.
- Better type safety by using struct skcipher_alg, struct
crypto_skcipher, etc. instead of crypto_alg, crypto_tfm, etc.
- It sometimes simplifies the implementations of algorithms.
Also, the blkcipher API was no longer being tested.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-10-26 03:41:12 +08:00
|
|
|
.maskset = CRYPTO_ALG_TYPE_MASK,
|
2016-07-12 13:17:31 +08:00
|
|
|
.type = CRYPTO_ALG_TYPE_SKCIPHER,
|
2015-08-20 15:21:45 +08:00
|
|
|
.tfmsize = offsetof(struct crypto_skcipher, base),
|
|
|
|
};
|
|
|
|
|
2016-07-12 13:17:50 +08:00
|
|
|
int crypto_grab_skcipher(struct crypto_skcipher_spawn *spawn,
|
2016-07-12 13:17:31 +08:00
|
|
|
const char *name, u32 type, u32 mask)
|
|
|
|
{
|
2019-10-26 03:41:11 +08:00
|
|
|
spawn->base.frontend = &crypto_skcipher_type;
|
2016-07-12 13:17:31 +08:00
|
|
|
return crypto_grab_spawn(&spawn->base, name, type, mask);
|
|
|
|
}
|
2016-07-12 13:17:50 +08:00
|
|
|
EXPORT_SYMBOL_GPL(crypto_grab_skcipher);
|
2016-07-12 13:17:31 +08:00
|
|
|
|
2015-08-20 15:21:45 +08:00
|
|
|
struct crypto_skcipher *crypto_alloc_skcipher(const char *alg_name,
|
|
|
|
u32 type, u32 mask)
|
|
|
|
{
|
2019-10-26 03:41:11 +08:00
|
|
|
return crypto_alloc_tfm(alg_name, &crypto_skcipher_type, type, mask);
|
2015-08-20 15:21:45 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_alloc_skcipher);
|
|
|
|
|
2018-09-19 10:10:38 +08:00
|
|
|
struct crypto_sync_skcipher *crypto_alloc_sync_skcipher(
|
|
|
|
const char *alg_name, u32 type, u32 mask)
|
|
|
|
{
|
|
|
|
struct crypto_skcipher *tfm;
|
|
|
|
|
|
|
|
/* Only sync algorithms allowed. */
|
|
|
|
mask |= CRYPTO_ALG_ASYNC;
|
|
|
|
|
2019-10-26 03:41:11 +08:00
|
|
|
tfm = crypto_alloc_tfm(alg_name, &crypto_skcipher_type, type, mask);
|
2018-09-19 10:10:38 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Make sure we do not allocate something that might get used with
|
|
|
|
* an on-stack request: check the request size.
|
|
|
|
*/
|
|
|
|
if (!IS_ERR(tfm) && WARN_ON(crypto_skcipher_reqsize(tfm) >
|
|
|
|
MAX_SYNC_SKCIPHER_REQSIZE)) {
|
|
|
|
crypto_free_skcipher(tfm);
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
}
|
|
|
|
|
|
|
|
return (struct crypto_sync_skcipher *)tfm;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_alloc_sync_skcipher);
|
|
|
|
|
2019-10-26 03:41:09 +08:00
|
|
|
int crypto_has_skcipher(const char *alg_name, u32 type, u32 mask)
|
2016-07-12 13:17:31 +08:00
|
|
|
{
|
2019-10-26 03:41:11 +08:00
|
|
|
return crypto_type_has_alg(alg_name, &crypto_skcipher_type, type, mask);
|
2016-07-12 13:17:31 +08:00
|
|
|
}
|
2019-10-26 03:41:09 +08:00
|
|
|
EXPORT_SYMBOL_GPL(crypto_has_skcipher);
|
2016-07-12 13:17:31 +08:00
|
|
|
|
|
|
|
static int skcipher_prepare_alg(struct skcipher_alg *alg)
|
|
|
|
{
|
|
|
|
struct crypto_alg *base = &alg->base;
|
|
|
|
|
2016-12-29 22:09:08 +08:00
|
|
|
if (alg->ivsize > PAGE_SIZE / 8 || alg->chunksize > PAGE_SIZE / 8 ||
|
|
|
|
alg->walksize > PAGE_SIZE / 8)
|
2016-07-12 13:17:31 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!alg->chunksize)
|
|
|
|
alg->chunksize = base->cra_blocksize;
|
2016-12-29 22:09:08 +08:00
|
|
|
if (!alg->walksize)
|
|
|
|
alg->walksize = alg->chunksize;
|
2016-07-12 13:17:31 +08:00
|
|
|
|
2019-10-26 03:41:11 +08:00
|
|
|
base->cra_type = &crypto_skcipher_type;
|
2016-07-12 13:17:31 +08:00
|
|
|
base->cra_flags &= ~CRYPTO_ALG_TYPE_MASK;
|
|
|
|
base->cra_flags |= CRYPTO_ALG_TYPE_SKCIPHER;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int crypto_register_skcipher(struct skcipher_alg *alg)
|
|
|
|
{
|
|
|
|
struct crypto_alg *base = &alg->base;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = skcipher_prepare_alg(alg);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
return crypto_register_alg(base);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_register_skcipher);
|
|
|
|
|
|
|
|
void crypto_unregister_skcipher(struct skcipher_alg *alg)
|
|
|
|
{
|
|
|
|
crypto_unregister_alg(&alg->base);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_unregister_skcipher);
|
|
|
|
|
|
|
|
int crypto_register_skciphers(struct skcipher_alg *algs, int count)
|
|
|
|
{
|
|
|
|
int i, ret;
|
|
|
|
|
|
|
|
for (i = 0; i < count; i++) {
|
|
|
|
ret = crypto_register_skcipher(&algs[i]);
|
|
|
|
if (ret)
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
err:
|
|
|
|
for (--i; i >= 0; --i)
|
|
|
|
crypto_unregister_skcipher(&algs[i]);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_register_skciphers);
|
|
|
|
|
|
|
|
void crypto_unregister_skciphers(struct skcipher_alg *algs, int count)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = count - 1; i >= 0; --i)
|
|
|
|
crypto_unregister_skcipher(&algs[i]);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_unregister_skciphers);
|
|
|
|
|
|
|
|
int skcipher_register_instance(struct crypto_template *tmpl,
|
|
|
|
struct skcipher_instance *inst)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = skcipher_prepare_alg(&inst->alg);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
return crypto_register_instance(tmpl, skcipher_crypto_instance(inst));
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(skcipher_register_instance);
|
|
|
|
|
2019-01-04 12:16:14 +08:00
|
|
|
static int skcipher_setkey_simple(struct crypto_skcipher *tfm, const u8 *key,
|
|
|
|
unsigned int keylen)
|
|
|
|
{
|
|
|
|
struct crypto_cipher *cipher = skcipher_cipher_simple(tfm);
|
|
|
|
int err;
|
|
|
|
|
|
|
|
crypto_cipher_clear_flags(cipher, CRYPTO_TFM_REQ_MASK);
|
|
|
|
crypto_cipher_set_flags(cipher, crypto_skcipher_get_flags(tfm) &
|
|
|
|
CRYPTO_TFM_REQ_MASK);
|
|
|
|
err = crypto_cipher_setkey(cipher, key, keylen);
|
|
|
|
crypto_skcipher_set_flags(tfm, crypto_cipher_get_flags(cipher) &
|
|
|
|
CRYPTO_TFM_RES_MASK);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int skcipher_init_tfm_simple(struct crypto_skcipher *tfm)
|
|
|
|
{
|
|
|
|
struct skcipher_instance *inst = skcipher_alg_instance(tfm);
|
|
|
|
struct crypto_spawn *spawn = skcipher_instance_ctx(inst);
|
|
|
|
struct skcipher_ctx_simple *ctx = crypto_skcipher_ctx(tfm);
|
|
|
|
struct crypto_cipher *cipher;
|
|
|
|
|
|
|
|
cipher = crypto_spawn_cipher(spawn);
|
|
|
|
if (IS_ERR(cipher))
|
|
|
|
return PTR_ERR(cipher);
|
|
|
|
|
|
|
|
ctx->cipher = cipher;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void skcipher_exit_tfm_simple(struct crypto_skcipher *tfm)
|
|
|
|
{
|
|
|
|
struct skcipher_ctx_simple *ctx = crypto_skcipher_ctx(tfm);
|
|
|
|
|
|
|
|
crypto_free_cipher(ctx->cipher);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void skcipher_free_instance_simple(struct skcipher_instance *inst)
|
|
|
|
{
|
|
|
|
crypto_drop_spawn(skcipher_instance_ctx(inst));
|
|
|
|
kfree(inst);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* skcipher_alloc_instance_simple - allocate instance of simple block cipher mode
|
|
|
|
*
|
|
|
|
* Allocate an skcipher_instance for a simple block cipher mode of operation,
|
|
|
|
* e.g. cbc or ecb. The instance context will have just a single crypto_spawn,
|
|
|
|
* that for the underlying cipher. The {min,max}_keysize, ivsize, blocksize,
|
|
|
|
* alignmask, and priority are set from the underlying cipher but can be
|
|
|
|
* overridden if needed. The tfm context defaults to skcipher_ctx_simple, and
|
|
|
|
* default ->setkey(), ->init(), and ->exit() methods are installed.
|
|
|
|
*
|
|
|
|
* @tmpl: the template being instantiated
|
|
|
|
* @tb: the template parameters
|
|
|
|
* @cipher_alg_ret: on success, a pointer to the underlying cipher algorithm is
|
|
|
|
* returned here. It must be dropped with crypto_mod_put().
|
|
|
|
*
|
|
|
|
* Return: a pointer to the new instance, or an ERR_PTR(). The caller still
|
|
|
|
* needs to register the instance.
|
|
|
|
*/
|
|
|
|
struct skcipher_instance *
|
|
|
|
skcipher_alloc_instance_simple(struct crypto_template *tmpl, struct rtattr **tb,
|
|
|
|
struct crypto_alg **cipher_alg_ret)
|
|
|
|
{
|
|
|
|
struct crypto_attr_type *algt;
|
|
|
|
struct crypto_alg *cipher_alg;
|
|
|
|
struct skcipher_instance *inst;
|
|
|
|
struct crypto_spawn *spawn;
|
|
|
|
u32 mask;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
algt = crypto_get_attr_type(tb);
|
|
|
|
if (IS_ERR(algt))
|
|
|
|
return ERR_CAST(algt);
|
|
|
|
|
|
|
|
if ((algt->type ^ CRYPTO_ALG_TYPE_SKCIPHER) & algt->mask)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
mask = CRYPTO_ALG_TYPE_MASK |
|
|
|
|
crypto_requires_off(algt->type, algt->mask,
|
|
|
|
CRYPTO_ALG_NEED_FALLBACK);
|
|
|
|
|
|
|
|
cipher_alg = crypto_get_attr_alg(tb, CRYPTO_ALG_TYPE_CIPHER, mask);
|
|
|
|
if (IS_ERR(cipher_alg))
|
|
|
|
return ERR_CAST(cipher_alg);
|
|
|
|
|
|
|
|
inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
|
|
|
|
if (!inst) {
|
|
|
|
err = -ENOMEM;
|
|
|
|
goto err_put_cipher_alg;
|
|
|
|
}
|
|
|
|
spawn = skcipher_instance_ctx(inst);
|
|
|
|
|
|
|
|
err = crypto_inst_setname(skcipher_crypto_instance(inst), tmpl->name,
|
|
|
|
cipher_alg);
|
|
|
|
if (err)
|
|
|
|
goto err_free_inst;
|
|
|
|
|
|
|
|
err = crypto_init_spawn(spawn, cipher_alg,
|
|
|
|
skcipher_crypto_instance(inst),
|
|
|
|
CRYPTO_ALG_TYPE_MASK);
|
|
|
|
if (err)
|
|
|
|
goto err_free_inst;
|
|
|
|
inst->free = skcipher_free_instance_simple;
|
|
|
|
|
|
|
|
/* Default algorithm properties, can be overridden */
|
|
|
|
inst->alg.base.cra_blocksize = cipher_alg->cra_blocksize;
|
|
|
|
inst->alg.base.cra_alignmask = cipher_alg->cra_alignmask;
|
|
|
|
inst->alg.base.cra_priority = cipher_alg->cra_priority;
|
|
|
|
inst->alg.min_keysize = cipher_alg->cra_cipher.cia_min_keysize;
|
|
|
|
inst->alg.max_keysize = cipher_alg->cra_cipher.cia_max_keysize;
|
|
|
|
inst->alg.ivsize = cipher_alg->cra_blocksize;
|
|
|
|
|
|
|
|
/* Use skcipher_ctx_simple by default, can be overridden */
|
|
|
|
inst->alg.base.cra_ctxsize = sizeof(struct skcipher_ctx_simple);
|
|
|
|
inst->alg.setkey = skcipher_setkey_simple;
|
|
|
|
inst->alg.init = skcipher_init_tfm_simple;
|
|
|
|
inst->alg.exit = skcipher_exit_tfm_simple;
|
|
|
|
|
|
|
|
*cipher_alg_ret = cipher_alg;
|
|
|
|
return inst;
|
|
|
|
|
|
|
|
err_free_inst:
|
|
|
|
kfree(inst);
|
|
|
|
err_put_cipher_alg:
|
|
|
|
crypto_mod_put(cipher_alg);
|
|
|
|
return ERR_PTR(err);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(skcipher_alloc_instance_simple);
|
|
|
|
|
2015-08-20 15:21:45 +08:00
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_DESCRIPTION("Symmetric key cipher type");
|