1. 12 Jan, 2018 1 commit
    • Eric Biggers's avatar
      crypto: aead - prevent using AEADs without setting key · dc26c17f
      Eric Biggers authored
      Similar to what was done for the hash API, update the AEAD API to track
      whether each transform has been keyed, and reject encryption/decryption
      if a key is needed but one hasn't been set.
      This isn't quite as important as the equivalent fix for the hash API
      because AEADs always require a key, so are unlikely to be used without
      one.  Still, tracking the key will prevent accidental unkeyed use.
      algif_aead also had to track the key anyway, so the new flag replaces
      that and slightly simplifies the algif_aead implementation.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  2. 22 Dec, 2017 2 commits
  3. 11 Dec, 2017 2 commits
  4. 29 Nov, 2017 1 commit
  5. 24 Nov, 2017 2 commits
    • Stephan Mueller's avatar
      crypto: af_alg - remove locking in async callback · 7d2c3f54
      Stephan Mueller authored
      The code paths protected by the socket-lock do not use or modify the
      socket in a non-atomic fashion. The actions pertaining the socket do not
      even need to be handled as an atomic operation. Thus, the socket-lock
      can be safely ignored.
      This fixes a bug regarding scheduling in atomic as the callback function
      may be invoked in interrupt context.
      In addition, the sock_hold is moved before the AIO encrypt/decrypt
      operation to ensure that the socket is always present. This avoids a
      tiny race window where the socket is unprotected and yet used by the AIO
      Finally, the release of resources for a crypto operation is moved into a
      common function of af_alg_free_resources.
      Cc: <stable@vger.kernel.org>
      Fixes: e870456d ("crypto: algif_skcipher - overhaul memory management")
      Fixes: d887c52d ("crypto: algif_aead - overhaul memory management")
      Reported-by: default avatarRomain Izard <romain.izard.pro@gmail.com>
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Tested-by: default avatarRomain Izard <romain.izard.pro@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Stephan Mueller's avatar
      crypto: algif_aead - skip SGL entries with NULL page · 8e1fa89a
      Stephan Mueller authored
      The TX SGL may contain SGL entries that are assigned a NULL page. This
      may happen if a multi-stage AIO operation is performed where the data
      for each stage is pointed to by one SGL entry. Upon completion of that
      stage, af_alg_pull_tsgl will assign NULL to the SGL entry.
      The NULL cipher used to copy the AAD from TX SGL to the destination
      buffer, however, cannot handle the case where the SGL starts with an SGL
      entry having a NULL page. Thus, the code needs to advance the start
      pointer into the SGL to the first non-NULL entry.
      This fixes a crash visible on Intel x86 32 bit using the libkcapi test
      Cc: <stable@vger.kernel.org>
      Fixes: 72548b09 ("crypto: algif_aead - copy AAD from src to dst")
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  6. 03 Nov, 2017 1 commit
  7. 22 Aug, 2017 1 commit
  8. 09 Aug, 2017 3 commits
    • Stephan Mueller's avatar
      crypto: af_alg - consolidation of duplicate code · 2d97591e
      Stephan Mueller authored
      Consolidate following data structures:
      skcipher_async_req, aead_async_req -> af_alg_async_req
      skcipher_rsgl, aead_rsql -> af_alg_rsgl
      skcipher_tsgl, aead_tsql -> af_alg_tsgl
      skcipher_ctx, aead_ctx -> af_alg_ctx
      Consolidate following functions:
      skcipher_sndbuf, aead_sndbuf -> af_alg_sndbuf
      skcipher_writable, aead_writable -> af_alg_writable
      skcipher_rcvbuf, aead_rcvbuf -> af_alg_rcvbuf
      skcipher_readable, aead_readable -> af_alg_readable
      aead_alloc_tsgl, skcipher_alloc_tsgl -> af_alg_alloc_tsgl
      aead_count_tsgl, skcipher_count_tsgl -> af_alg_count_tsgl
      aead_pull_tsgl, skcipher_pull_tsgl -> af_alg_pull_tsgl
      aead_free_areq_sgls, skcipher_free_areq_sgls -> af_alg_free_areq_sgls
      aead_wait_for_wmem, skcipher_wait_for_wmem -> af_alg_wait_for_wmem
      aead_wmem_wakeup, skcipher_wmem_wakeup -> af_alg_wmem_wakeup
      aead_wait_for_data, skcipher_wait_for_data -> af_alg_wait_for_data
      aead_data_wakeup, skcipher_data_wakeup -> af_alg_data_wakeup
      aead_sendmsg, skcipher_sendmsg -> af_alg_sendmsg
      aead_sendpage, skcipher_sendpage -> af_alg_sendpage
      aead_async_cb, skcipher_async_cb -> af_alg_async_cb
      aead_poll, skcipher_poll -> af_alg_poll
      Split out the following common code from recvmsg:
      af_alg_alloc_areq: allocation of the request data structure for the
      cipher operation
      af_alg_get_rsgl: creation of the RX SGL anchored in the request data
      The following changes to the implementation without affecting the
      functionality have been applied to synchronize slightly different code
      bases in algif_skcipher and algif_aead:
      The wakeup in af_alg_wait_for_data is triggered when either more data
      is received or the indicator that more data is to be expected is
      released. The first is triggered by user space, the second is
      triggered by the kernel upon finishing the processing of data
      (i.e. the kernel is ready for more).
      af_alg_sendmsg uses size_t in min_t calculation for obtaining len.
      Return code determination is consistent with algif_skcipher. The
      scope of the variable i is reduced to match algif_aead. The type of the
      variable i is switched from int to unsigned int to match algif_aead.
      af_alg_sendpage does not contain the superfluous err = 0 from
      af_alg_async_cb requires to store the number of output bytes in
      areq->outlen before the AIO callback is triggered.
      The POLLIN / POLLRDNORM is now set when either not more data is given or
      the kernel is supplied with data. This is consistent to the wakeup from
      sleep when the kernel waits for data.
      The request data structure is extended by the field last_rsgl which
      points to the last RX SGL list entry. This shall help recvmsg
      implementation to chain the RX SGL to other SG(L)s if needed. It is
      currently used by algif_aead which chains the tag SGL to the RX SGL
      during decryption.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Stephan Mueller's avatar
      crypto: algif_aead - copy AAD from src to dst · 72548b09
      Stephan Mueller authored
      Use the NULL cipher to copy the AAD and PT/CT from the TX SGL
      to the RX SGL. This allows an in-place crypto operation on the
      RX SGL for encryption, because the TX data is always smaller or
      equal to the RX data (the RX data will hold the tag).
      For decryption, a per-request TX SGL is created which will only hold
      the tag value. As the RX SGL will have no space for the tag value and
      an in-place operation will not write the tag buffer, the TX SGL with the
      tag value is chained to the RX SGL. This now allows an in-place
      crypto operation.
      For example:
      * without the patch:
      kcapi -x 2 -e -c "gcm(aes)" -p 89154d0d4129d322e4487bafaa4f6b46 -k c0ece3e63198af382b5603331cc23fa8 -i 7e489b83622e7228314d878d -a afcd7202d621e06ca53b70c2bdff7fb2 -l 16 -u -s
      * with the patch:
      kcapi -x 2 -e -c "gcm(aes)" -p 89154d0d4129d322e4487bafaa4f6b46 -k c0ece3e63198af382b5603331cc23fa8 -i 7e489b83622e7228314d878d -a afcd7202d621e06ca53b70c2bdff7fb2 -l 16 -u -s
      Tests covering this functionality have been added to libkcapi.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Stephan Mueller's avatar
      crypto: algif - return error code when no data was processed · 5703c826
      Stephan Mueller authored
      If no data has been processed during recvmsg, return the error code.
      This covers all errors received during non-AIO operations.
      If any error occurs during a synchronous operation in addition to
      -EIOCBQUEUED or -EBADMSG (like -ENOMEM), it should be relayed to the
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  9. 28 Jul, 2017 1 commit
    • Stephan Mueller's avatar
      crypto: algif_aead - overhaul memory management · d887c52d
      Stephan Mueller authored
      The updated memory management is described in the top part of the code.
      As one benefit of the changed memory management, the AIO and synchronous
      operation is now implemented in one common function. The AF_ALG
      operation uses the async kernel crypto API interface for each cipher
      operation. Thus, the only difference between the AIO and sync operation
      types visible from user space is:
      1. the callback function to be invoked when the asynchronous operation
         is completed
      2. whether to wait for the completion of the kernel crypto API operation
         or not
      The change includes the overhaul of the TX and RX SGL handling. The TX
      SGL holding the data sent from user space to the kernel is now dynamic
      similar to algif_skcipher. This dynamic nature allows a continuous
      operation of a thread sending data and a second thread receiving the
      data. These threads do not need to synchronize as the kernel processes
      as much data from the TX SGL to fill the RX SGL.
      The caller reading the data from the kernel defines the amount of data
      to be processed. Considering that the interface covers AEAD
      authenticating ciphers, the reader must provide the buffer in the
      correct size. Thus the reader defines the encryption size.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  10. 01 Jul, 2017 1 commit
  11. 24 Apr, 2017 1 commit
  12. 10 Apr, 2017 1 commit
    • Herbert Xu's avatar
      crypto: algif_aead - Fix bogus request dereference in completion function · e6534aeb
      Herbert Xu authored
      The algif_aead completion function tries to deduce the aead_request
      from the crypto_async_request argument.  This is broken because
      the API does not guarantee that the same request will be pased to
      the completion function.  Only the value of req->data can be used
      in the completion function.
      This patch fixes it by storing a pointer to sk in areq and using
      that instead of passing in sk through req->data.
      Fixes: 83094e5e ("crypto: af_alg - add async support to...")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  13. 02 Mar, 2017 1 commit
  14. 03 Feb, 2017 1 commit
  15. 13 Dec, 2016 1 commit
  16. 08 Dec, 2016 1 commit
  17. 07 Dec, 2016 1 commit
    • Stephan Mueller's avatar
      crypto: algif_aead - fix AEAD tag memory handling · 0c1e16cd
      Stephan Mueller authored
      For encryption, the AEAD ciphers require AAD || PT as input and generate
      AAD || CT || Tag as output and vice versa for decryption. Prior to this
      patch, the AF_ALG interface for AEAD ciphers requires the buffer to be
      present as input for encryption. Similarly, the output buffer for
      decryption required the presence of the tag buffer too. This implies
      that the kernel reads / writes data buffers from/to kernel space
      even though this operation is not required.
      This patch changes the AF_ALG AEAD interface to be consistent with the
      in-kernel AEAD cipher requirements.
      Due to this handling, he changes are transparent to user space with one
      exception: the return code of recv indicates the mount of output buffer.
      That output buffer has a different size compared to before the patch
      which implies that the return code of recv will also be different.
      For example, a decryption operation uses 16 bytes AAD, 16 bytes CT and
      16 bytes tag, the AF_ALG AEAD interface before showed a recv return
      code of 48 (bytes) whereas after this patch, the return code is 32
      since the tag is not returned any more.
      Reported-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  18. 01 Dec, 2016 1 commit
  19. 14 Nov, 2016 1 commit
  20. 05 Apr, 2016 1 commit
    • Tadeusz Struk's avatar
      crypto: af_alg - add async support to algif_aead · 83094e5e
      Tadeusz Struk authored
      Following the async change for algif_skcipher
      this patch adds similar async read to algif_aead.
      changes in v3:
      - add call to aead_reset_ctx directly from aead_put_sgl instead of calling
        them separatelly one after the other
      - remove wait from aead_sock_destruct function as it is not needed
        when sock_hold is used
      changes in v2:
      - change internal data structures from fixed size arrays, limited to
        RSGL_MAX_ENTRIES, to linked list model with no artificial limitation.
      - use sock_kmalloc instead of kmalloc for memory allocation
      - use sock_hold instead of separate atomic ctr to wait for outstanding
      Signed-off-by: default avatarTadeusz Struk <tadeusz.struk@intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  21. 01 Dec, 2015 1 commit
    • Eric Dumazet's avatar
      net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA · 9cd3e072
      Eric Dumazet authored
      This patch is a cleanup to make following patch easier to
      from (struct socket)->flags to a (struct socket_wq)->flags
      to benefit from RCU protection in sock_wake_async()
      To ease backports, we rename both constants.
      Two new helpers, sk_set_bit(int nr, struct sock *sk)
      and sk_clear_bit(int net, struct sock *sk) are added so that
      following patch can change their implementation.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  22. 30 Nov, 2015 1 commit
  23. 17 Nov, 2015 1 commit
  24. 25 Aug, 2015 1 commit
  25. 17 Aug, 2015 1 commit
  26. 22 Jun, 2015 1 commit
  27. 28 May, 2015 1 commit
  28. 18 May, 2015 1 commit
  29. 23 Apr, 2015 1 commit
  30. 15 Apr, 2015 1 commit
    • Linus Torvalds's avatar
      crypto: fix mis-merge with the networking merge · eccd02f3
      Linus Torvalds authored
      The networking updates from David Miller removed the iocb argument from
      sendmsg and recvmsg (in commit 1b784140: "net: Remove iocb argument
      from sendmsg and recvmsg"), but the crypto code had added new instances
      of them.
      When I pulled the crypto update, it was a silent semantic mis-merge, and
      I overlooked the new warning messages in my test-build.  I try to fix
      those in the merge itself, but that relies on me noticing. Oh well.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  31. 04 Mar, 2015 1 commit
    • Stephan Mueller's avatar
      crypto: algif - add AEAD support · 400c40cf
      Stephan Mueller authored
      This patch adds the AEAD support for AF_ALG.
      The implementation is based on algif_skcipher, but contains heavy
      modifications to streamline the interface for AEAD uses.
      To use AEAD, the user space consumer has to use the salg_type named
      The AEAD implementation includes some overhead to calculate the size of
      the ciphertext, because the AEAD implementation of the kernel crypto API
      makes implied assumption on the location of the authentication tag. When
      performing an encryption, the tag will be added to the created
      ciphertext (note, the tag is placed adjacent to the ciphertext). For
      decryption, the caller must hand in the ciphertext with the tag appended
      to the ciphertext. Therefore, the selection of the used memory
      needs to add/subtract the tag size from the source/destination buffers
      depending on the encryption type. The code is provided with comments
      explaining when and how that operation is performed.
      A fully working example using all aspects of AEAD is provided at
      http://www.chronox.de/libkcapi.htmlSigned-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>