1. 17 Aug, 2018 2 commits
    • Eric Biggers's avatar
      crypto: skcipher - fix crash flushing dcache in error path · 744ff5f0
      Eric Biggers authored
      commit 8088d3dd upstream.
      
      scatterwalk_done() is only meant to be called after a nonzero number of
      bytes have been processed, since scatterwalk_pagedone() will flush the
      dcache of the *previous* page.  But in the error case of
      skcipher_walk_done(), e.g. if the input wasn't an integer number of
      blocks, scatterwalk_done() was actually called after advancing 0 bytes.
      This caused a crash ("BUG: unable to handle kernel paging request")
      during '!PageSlab(page)' on architectures like arm and arm64 that define
      ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
      page-aligned as in that case walk->offset == 0.
      
      Fix it by reorganizing skcipher_walk_done() to skip the
      scatterwalk_advance() and scatterwalk_done() if an error has occurred.
      
      This bug was found by syzkaller fuzzing.
      
      Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
      
      	#include <linux/if_alg.h>
      	#include <sys/socket.h>
      	#include <unistd.h>
      
      	int main()
      	{
      		struct sockaddr_alg addr = {
      			.salg_type = "skcipher",
      			.salg_name = "cbc(aes-generic)",
      		};
      		char buffer[4096] __attribute__((aligned(4096))) = { 0 };
      		int fd;
      
      		fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
      		bind(fd, (void *)&addr, sizeof(addr));
      		setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
      		fd = accept(fd, NULL, NULL);
      		write(fd, buffer, 15);
      		read(fd, buffer, 15);
      	}
      Reported-by: 's avatarLiu Chao <liuchao741@huawei.com>
      Fixes: b286d8b1 ("crypto: skcipher - Add skcipher walk interface")
      Cc: <stable@vger.kernel.org> # v4.10+
      Signed-off-by: 's avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      744ff5f0
    • Eric Biggers's avatar
      crypto: skcipher - fix aligning block size in skcipher_copy_iv() · d5cceea6
      Eric Biggers authored
      commit 0567fc9e upstream.
      
      The ALIGN() macro needs to be passed the alignment, not the alignmask
      (which is the alignment minus 1).
      
      Fixes: b286d8b1 ("crypto: skcipher - Add skcipher walk interface")
      Cc: <stable@vger.kernel.org> # v4.10+
      Signed-off-by: 's avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d5cceea6
  2. 12 Jan, 2018 1 commit
    • Eric Biggers's avatar
      crypto: skcipher - prevent using skciphers without setting key · f8d33fac
      Eric Biggers authored
      Similar to what was done for the hash API, update the skcipher API to
      track whether each transform has been keyed, and reject
      encryption/decryption if a key is needed but one hasn't been set.
      
      This isn't as important as the equivalent fix for the hash API because
      symmetric ciphers almost always require a key (the "null cipher" is the
      only exception), so are unlikely to be used without one.  Still,
      tracking the key will prevent accidental unkeyed use.  algif_skcipher
      also had to track the key anyway, so the new flag replaces that and
      simplifies the algif_skcipher implementation.
      Signed-off-by: 's avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      f8d33fac
  3. 11 Dec, 2017 1 commit
    • Eric Biggers's avatar
      crypto: skcipher - set walk.iv for zero-length inputs · 2b4f27c3
      Eric Biggers authored
      All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
      algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
      before checking whether any bytes need to be processed (walk.nbytes).
      
      But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
      and the algorithms crash trying to use the uninitialized IV pointer.
      
      Fix it by setting the IV earlier in skcipher_walk_virt().  Also fix it
      for the AEAD walk functions.
      
      This isn't a perfect solution because we can't actually align the IV to
      ->cra_alignmask unless there are bytes to process, for one because the
      temporary buffer for the aligned IV is freed by skcipher_walk_done(),
      which is only called when there are bytes to process.  Thus, algorithms
      that require aligned IVs will still need to avoid accessing the IV when
      walk.nbytes == 0.  Still, many algorithms/architectures are fine with
      IVs having any alignment, and even for those that aren't, a misaligned
      pointer bug is much less severe than an uninitialized pointer bug.
      
      This change also matches the behavior of the older blkcipher_walk API.
      
      Fixes: 0cabf2af ("crypto: skcipher - Fix crash on zero-length input")
      Reported-by: 's avatarsyzbot <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org> # v4.14+
      Signed-off-by: 's avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      2b4f27c3
  4. 25 Nov, 2017 1 commit
    • Ondrej Mosnáček's avatar
      crypto: skcipher - Fix skcipher_walk_aead_common · c14ca838
      Ondrej Mosnáček authored
      The skcipher_walk_aead_common function calls scatterwalk_copychunks on
      the input and output walks to skip the associated data. If the AD end
      at an SG list entry boundary, then after these calls the walks will
      still be pointing to the end of the skipped region.
      
      These offsets are later checked for alignment in skcipher_walk_next,
      so the skcipher_walk may detect the alignment incorrectly.
      
      This patch fixes it by calling scatterwalk_done after the copychunks
      calls to ensure that the offsets refer to the right SG list entry.
      
      Fixes: b286d8b1 ("crypto: skcipher - Add skcipher walk interface")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: 's avatarOndrej Mosnacek <omosnacek@gmail.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      c14ca838
  5. 07 Oct, 2017 1 commit
  6. 18 May, 2017 1 commit
  7. 12 Jan, 2017 1 commit
    • Gideon Israel Dsouza's avatar
      crypto: Replaced gcc specific attributes with macros from compiler.h · d8c34b94
      Gideon Israel Dsouza authored
      Continuing from this commit: 52f5684c
      ("kernel: use macros from compiler.h instead of __attribute__((...))")
      
      I submitted 4 total patches. They are part of task I've taken up to
      increase compiler portability in the kernel. I've cleaned up the
      subsystems under /kernel /mm /block and /security, this patch targets
      /crypto.
      
      There is <linux/compiler.h> which provides macros for various gcc specific
      constructs. Eg: __weak for __attribute__((weak)). I've cleaned all
      instances of gcc specific attributes with the right macros for the crypto
      subsystem.
      
      I had to make one additional change into compiler-gcc.h for the case when
      one wants to use this: __attribute__((aligned) and not specify an alignment
      factor. From the gcc docs, this will result in the largest alignment for
      that data type on the target machine so I've named the macro
      __aligned_largest. Please advise if another name is more appropriate.
      Signed-off-by: 's avatarGideon Israel Dsouza <gidisrael@gmail.com>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      d8c34b94
  8. 30 Dec, 2016 1 commit
    • Ard Biesheuvel's avatar
      crypto: skcipher - introduce walksize attribute for SIMD algos · c821f6ab
      Ard Biesheuvel authored
      In some cases, SIMD algorithms can only perform optimally when
      allowed to operate on multiple input blocks in parallel. This is
      especially true for bit slicing algorithms, which typically take
      the same amount of time processing a single block or 8 blocks in
      parallel. However, other SIMD algorithms may benefit as well from
      bigger strides.
      
      So add a walksize attribute to the skcipher algorithm definition, and
      wire it up to the skcipher walk API. To avoid confusion between the
      skcipher and AEAD attributes, rename the skcipher_walk chunksize
      attribute to 'stride', and set it from the walksize (in the skcipher
      case) or from the chunksize (in the AEAD case).
      Signed-off-by: 's avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      c821f6ab
  9. 14 Dec, 2016 1 commit
    • Ard Biesheuvel's avatar
      crypto: skcipher - fix crash in virtual walk · 18e615ad
      Ard Biesheuvel authored
      The new skcipher walk API may crash in the following way. (Interestingly,
      the tcrypt boot time tests seem unaffected, while an explicit test using
      the module triggers it)
      
        Unable to handle kernel NULL pointer dereference at virtual address 00000000
        ...
        [<ffff000008431d84>] __memcpy+0x84/0x180
        [<ffff0000083ec0d0>] skcipher_walk_done+0x328/0x340
        [<ffff0000080c5c04>] ctr_encrypt+0x84/0x100
        [<ffff000008406d60>] simd_skcipher_encrypt+0x88/0x98
        [<ffff0000083fa05c>] crypto_rfc3686_crypt+0x8c/0x98
        [<ffff0000009b0900>] test_skcipher_speed+0x518/0x820 [tcrypt]
        [<ffff0000009b31c0>] do_test+0x1408/0x3b70 [tcrypt]
        [<ffff0000009bd050>] tcrypt_mod_init+0x50/0x1000 [tcrypt]
        [<ffff0000080838f4>] do_one_initcall+0x44/0x138
        [<ffff0000081aee60>] do_init_module+0x68/0x1e0
        [<ffff0000081524d0>] load_module+0x1fd0/0x2458
        [<ffff000008152c38>] SyS_finit_module+0xe0/0xf0
        [<ffff0000080836f0>] el0_svc_naked+0x24/0x28
      
      This is due to the fact that skcipher_done_slow() may be entered with
      walk->buffer unset. Since skcipher_walk_done() already deals with the
      case where walk->buffer == walk->page, it appears to be the intention
      that walk->buffer point to walk->page after skcipher_next_slow(), so
      ensure that is the case.
      Signed-off-by: 's avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      18e615ad
  10. 01 Dec, 2016 1 commit
  11. 30 Nov, 2016 1 commit
    • Ard Biesheuvel's avatar
      crypto: skcipher - fix crash in skcipher_walk_aead() · 3cbf61fb
      Ard Biesheuvel authored
      The new skcipher_walk_aead() may crash in the following way due to
      the walk flag SKCIPHER_WALK_PHYS not being cleared at the start of the
      walk:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000001
      [..]
      Internal error: Oops: 96000044 [#1] PREEMPT SMP
      [..]
      PC is at skcipher_walk_next+0x208/0x450
      LR is at skcipher_walk_next+0x1e4/0x450
      pc : [<ffff2b93b7104e20>] lr : [<ffff2b93b7104dfc>] pstate: 40000045
      sp : ffffb925fa517940
      [...]
      [<ffff2b93b7104e20>] skcipher_walk_next+0x208/0x450
      [<ffff2b93b710535c>] skcipher_walk_first+0x54/0x148
      [<ffff2b93b7105664>] skcipher_walk_aead+0xd4/0x108
      [<ffff2b93b6e77928>] ccm_encrypt+0x68/0x158
      
      So clear the flag at the appropriate time.
      Signed-off-by: 's avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      3cbf61fb
  12. 28 Nov, 2016 1 commit
  13. 18 Jul, 2016 2 commits
    • Herbert Xu's avatar
      crypto: skcipher - Remove top-level givcipher interface · 3a01d0ee
      Herbert Xu authored
      This patch removes the old crypto_grab_skcipher helper and replaces
      it with crypto_grab_skcipher2.
      
      As this is the final entry point into givcipher this patch also
      removes all traces of the top-level givcipher interface, including
      all implicit IV generators such as chainiv.
      
      The bottom-level givcipher interface remains until the drivers
      using it are converted.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      3a01d0ee
    • Herbert Xu's avatar
      crypto: skcipher - Add low-level skcipher interface · 4e6c3df4
      Herbert Xu authored
      This patch allows skcipher algorithms and instances to be created
      and registered with the crypto API.  They are accessible through
      the top-level skcipher interface, along with ablkcipher/blkcipher
      algorithms and instances.
      
      This patch also introduces a new parameter called chunk size
      which is meant for ciphers such as CTR and CTS which ostensibly
      can handle arbitrary lengths, but still behave like block ciphers
      in that you can only process a partial block at the very end.
      
      For these ciphers the block size will continue to be set to 1
      as it is now while the chunk size will be set to the underlying
      block size.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      4e6c3df4
  14. 25 Jan, 2016 1 commit
    • Herbert Xu's avatar
      crypto: skcipher - Add default key size helper · 973fb3fb
      Herbert Xu authored
      While converting ecryptfs over to skcipher I found that it needs
      to pick a default key size if one isn't given.  Rather than having
      it poke into the guts of the algorithm to get max_keysize, let's
      provide a helper that is meant to give a sane default (just in
      case we ever get an algorithm that has no maximum key size).
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      973fb3fb
  15. 18 Jan, 2016 1 commit
  16. 01 Oct, 2015 1 commit
  17. 21 Aug, 2015 1 commit
    • Herbert Xu's avatar
      crypto: skcipher - Add top-level skcipher interface · 7a7ffe65
      Herbert Xu authored
      This patch introduces the crypto skcipher interface which aims
      to replace both blkcipher and ablkcipher.
      
      It's very similar to the existing ablkcipher interface.  The
      main difference is the removal of the givcrypt interface.  In
      order to make the transition easier for blkcipher users, there
      is a helper SKCIPHER_REQUEST_ON_STACK which can be used to place
      a request on the stack for synchronous transforms.
      Signed-off-by: 's avatarHerbert Xu <herbert@gondor.apana.org.au>
      7a7ffe65