Eric Lee / smarc-fsl-linux-kernel

12 Feb, 2019

1 commit

  • 7d165ab80   MLK-19365: crypto: ccm: Cache aligned auth_data ... Browse Code »

    Generic GCM is likely to end up using a hardware accelerator to do
    part of the job. Allocating hash, iv and result in a contiguous memory
    area increases the risk of dma mapping multiple ranges on the same
    cacheline. Also having dma and cpu written data on the same cacheline
    will cause coherence issues.

    Signed-off-by: Franck LENORMAND

    Franck LENORMAND
     

03 Nov, 2017

1 commit

  • 441f99c90   crypto: ccm - preserve the IV buffer ... Browse Code »

    The IV buffer used during CCM operations is used twice, during both the
    hashing step and the ciphering step.

    When using a hardware accelerator that updates the contents of the IV
    buffer at the end of ciphering operations, the value will be modified.
    In the decryption case, the subsequent setup of the hashing algorithm
    will interpret the updated IV instead of the original value, which can
    lead to out-of-bounds writes.

    Reuse the idata buffer, only used in the hashing step, to preserve the
    IV's value during the ciphering step in the decryption case.

    Signed-off-by: Romain Izard
    Reviewed-by: Tudor Ambarus
    Cc:
    Signed-off-by: Herbert Xu

    Romain Izard
     

28 Feb, 2017

1 commit

  • 3b30460c5   crypto: ccm - move cbcmac input off the stack ... Browse Code »

    Commit f15f05b0a5de ("crypto: ccm - switch to separate cbcmac driver")
    refactored the CCM driver to allow separate implementations of the
    underlying MAC to be provided by a platform. However, in doing so, it
    moved some data from the linear region to the stack, which violates the
    SG constraints when the stack is virtually mapped.

    So move idata/odata back to the request ctx struct, of which we can
    reasonably expect that it has been allocated using kmalloc() et al.

    Reported-by: Johannes Berg
    Fixes: f15f05b0a5de ("crypto: ccm - switch to separate cbcmac driver")
    Signed-off-by: Ard Biesheuvel
    Tested-by: Johannes Berg
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     

15 Feb, 2017

2 commits

  • 5ba8e2a05   crypto: ccm - drop unnecessary minimum 32-bit alignment ... Browse Code »

    The CCM driver forces 32-bit alignment even if the underlying ciphers
    don't care about alignment. This is because crypto_xor() used to require
    this, but since this is no longer the case, drop the hardcoded minimum
    of 32 bits.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     
  • 5338ad706   crypto: ccm - honour alignmask of subordinate MAC cipher ... Browse Code »

    The CCM driver was recently updated to defer the MAC part of the algorithm
    to a dedicated crypto transform, and a template for instantiating such
    transforms was added at the same time.

    However, this new cbcmac template fails to take the alignmask of the
    encapsulated cipher into account, which may result in buffer addresses
    being passed down that are not sufficiently aligned.

    So update the code to ensure that the digest buffer in the desc ctx
    appears at a sufficiently aligned offset, and tweak the code so that all
    calls to crypto_cipher_encrypt_one() operate on this buffer exclusively.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     

11 Feb, 2017

1 commit

  • f15f05b0a   crypto: ccm - switch to separate cbcmac driver ... Browse Code »

    Update the generic CCM driver to defer CBC-MAC processing to a
    dedicated CBC-MAC ahash transform rather than open coding this
    transform (and much of the associated scatterwalk plumbing) in
    the CCM driver itself.

    This cleans up the code considerably, but more importantly, it allows
    the use of alternative CBC-MAC implementations that don't suffer from
    performance degradation due to significant setup time (e.g., the NEON
    based AES code needs to enable/disable the NEON, and load the S-box
    into 16 SIMD registers, which cannot be amortized over the entire input
    when using the cipher interface)

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     

01 Nov, 2016

2 commits

18 Jul, 2016

1 commit

17 Aug, 2015

1 commit

17 Jul, 2015

1 commit

13 May, 2015

1 commit

26 Nov, 2014

1 commit

  • 4943ba16b   crypto: include crypto- module prefix in template ... Browse Code »

    This adds the module loading prefix "crypto-" to the template lookup
    as well.

    For example, attempting to load 'vfat(blowfish)' via AF_ALG now correctly
    includes the "crypto-" prefix at every level, correctly rejecting "vfat":

    net-pf-38
    algif-hash
    crypto-vfat(blowfish)
    crypto-vfat(blowfish)-all
    crypto-vfat

    Reported-by: Mathias Krause
    Signed-off-by: Kees Cook
    Acked-by: Mathias Krause
    Signed-off-by: Herbert Xu

    Kees Cook
     

24 Nov, 2014

1 commit

28 Nov, 2013

1 commit

  • 5638cabf3   crypto: ccm - Fix handling of zero plaintext when computing mac ... Browse Code »

    There are cases when cryptlen can be zero in crypto_ccm_auth():
    -encryptiom: input scatterlist length is zero (no plaintext)
    -decryption: input scatterlist contains only the mac
    plus the condition of having different source and destination buffers
    (or else scatterlist length = max(plaintext_len, ciphertext_len)).

    These are not handled correctly, leading to crashes like:

    root@p4080ds:~/crypto# insmod tcrypt.ko mode=45
    ------------[ cut here ]------------
    kernel BUG at crypto/scatterwalk.c:37!
    Oops: Exception in kernel mode, sig: 5 [#1]
    SMP NR_CPUS=8 P4080 DS
    Modules linked in: tcrypt(+) crc32c xts xcbc vmac pcbc ecb gcm ghash_generic gf128mul ccm ctr seqiv
    CPU: 3 PID: 1082 Comm: cryptomgr_test Not tainted 3.11.0 #14
    task: ee12c5b0 ti: eecd0000 task.ti: eecd0000
    NIP: c0204d98 LR: f9225848 CTR: c0204d80
    REGS: eecd1b70 TRAP: 0700 Not tainted (3.11.0)
    MSR: 00029002 CR: 22044022 XER: 20000000

    GPR00: f9225c94 eecd1c20 ee12c5b0 eecd1c28 ee879400 ee879400 00000000 ee607464
    GPR08: 00000001 00000001 00000000 006b0000 c0204d80 00000000 00000002 c0698e20
    GPR16: ee987000 ee895000 fffffff4 ee879500 00000100 eecd1d58 00000001 00000000
    GPR24: ee879400 00000020 00000000 00000000 ee5b2800 ee607430 00000004 ee607460
    NIP [c0204d98] scatterwalk_start+0x18/0x30
    LR [f9225848] get_data_to_compute+0x28/0x2f0 [ccm]
    Call Trace:
    [eecd1c20] [f9225974] get_data_to_compute+0x154/0x2f0 [ccm] (unreliable)
    [eecd1c70] [f9225c94] crypto_ccm_auth+0x184/0x1d0 [ccm]
    [eecd1cb0] [f9225d40] crypto_ccm_encrypt+0x60/0x2d0 [ccm]
    [eecd1cf0] [c020d77c] __test_aead+0x3ec/0xe20
    [eecd1e20] [c020f35c] test_aead+0x6c/0xe0
    [eecd1e40] [c020f420] alg_test_aead+0x50/0xd0
    [eecd1e60] [c020e5e4] alg_test+0x114/0x2e0
    [eecd1ee0] [c020bd1c] cryptomgr_test+0x4c/0x60
    [eecd1ef0] [c0047058] kthread+0xa8/0xb0
    [eecd1f40] [c000eb0c] ret_from_kernel_thread+0x5c/0x64
    Instruction dump:
    0f080000 81290024 552807fe 0f080000 5529003a 4bffffb4 90830000 39400000
    39000001 8124000c 2f890000 7d28579e 81240008 91230004 4e800020
    ---[ end trace 6d652dfcd1be37bd ]---

    Cc:
    Cc: Jussi Kivilinna
    Signed-off-by: Horia Geanta
    Signed-off-by: Herbert Xu

    Horia Geanta
     

07 Oct, 2013

1 commit

  • 6bf37e5aa   crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks ... Browse Code »

    When comparing MAC hashes, AEAD authentication tags, or other hash
    values in the context of authentication or integrity checking, it
    is important not to leak timing information to a potential attacker,
    i.e. when communication happens over a network.

    Bytewise memory comparisons (such as memcmp) are usually optimized so
    that they return a nonzero value as soon as a mismatch is found. E.g,
    on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
    and up to ~850 cyc for a full match (cold). This early-return behavior
    can leak timing information as a side channel, allowing an attacker to
    iteratively guess the correct result.

    This patch adds a new method crypto_memneq ("memory not equal to each
    other") to the crypto API that compares memory areas of the same length
    in roughly "constant time" (cache misses could change the timing, but
    since they don't reveal information about the content of the strings
    being compared, they are effectively benign). Iow, best and worst case
    behaviour take the same amount of time to complete (in contrast to
    memcmp).

    Note that crypto_memneq (unlike memcmp) can only be used to test for
    equality or inequality, NOT for lexicographical order. This, however,
    is not an issue for its use-cases within the crypto API.

    We tried to locate all of the places in the crypto API where memcmp was
    being used for authentication or integrity checking, and convert them
    over to crypto_memneq.

    crypto_memneq is declared noinline, placed in its own source file,
    and compiled with optimizations that might increase code size disabled
    ("Os") because a smart compiler (or LTO) might notice that the return
    value is always compared against zero/nonzero, and might then
    reintroduce the same early-return optimization that we are trying to
    avoid.

    Using #pragma or __attribute__ optimization annotations of the code
    for disabling optimization was avoided as it seems to be considered
    broken or unmaintained for long time in GCC [1]. Therefore, we work
    around that by specifying the compile flag for memneq.o directly in
    the Makefile. We found that this seems to be most appropriate.

    As we use ("Os"), this patch also provides a loop-free "fast-path" for
    frequently used 16 byte digests. Similarly to kernel library string
    functions, leave an option for future even further optimized architecture
    specific assembler implementations.

    This was a joint work of James Yonan and Daniel Borkmann. Also thanks
    for feedback from Florian Weimer on this and earlier proposals [2].

    [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
    [2] https://lkml.org/lkml/2013/2/10/131

    Signed-off-by: James Yonan
    Signed-off-by: Daniel Borkmann
    Cc: Florian Weimer
    Signed-off-by: Herbert Xu

    James Yonan
     

04 Feb, 2013

1 commit

  • 3e8afe35c   crypto: use ERR_CAST ... Browse Code »

    Replace PTR_ERR followed by ERR_PTR by ERR_CAST, to be more concise.

    The semantic patch that makes this change is as follows:
    (http://coccinelle.lip6.fr/)

    //
    @@
    expression err,x;
    @@
    - err = PTR_ERR(x);
    if (IS_ERR(x))
    - return ERR_PTR(err);
    + return ERR_CAST(x);
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: Herbert Xu

    Julia Lawall
     

20 Mar, 2012

1 commit

27 Jan, 2009

1 commit

  • 516280e73   crypto: ccm - Fix handling of null assoc data ... Browse Code »

    Its a valid use case to have null associated data in a ccm vector, but
    this case isn't being handled properly right now.

    The following ccm decryption/verification test vector, using the
    rfc4309 implementation regularly triggers a panic, as will any
    other vector with null assoc data:

    * key: ab2f8a74b71cd2b1ff802e487d82f8b9
    * iv: c6fb7d800d13abd8a6b2d8
    * Associated Data: [NULL]
    * Tag Length: 8
    * input: d5e8939fc7892e2b

    The resulting panic looks like so:

    Unable to handle kernel paging request at ffff810064ddaec0 RIP:
    [] :ccm:get_data_to_compute+0x1a6/0x1d6
    PGD 8063 PUD 0
    Oops: 0002 [1] SMP
    last sysfs file: /module/libata/version
    CPU 0
    Modules linked in: crypto_tester_kmod(U) seqiv krng ansi_cprng chainiv rng ctr aes_generic aes_x86_64 ccm cryptomgr testmgr_cipher testmgr aead crypto_blkcipher crypto_a
    lgapi des ipv6 xfrm_nalgo crypto_api autofs4 hidp l2cap bluetooth nfs lockd fscache nfs_acl sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_
    tcpudp iptable_filter ip_tables x_tables dm_mirror dm_log dm_multipath scsi_dh dm_mod video hwmon backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp sg
    snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss joydev snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss ide_cd snd_pcm floppy parport_p
    c shpchp e752x_edac snd_timer e1000 i2c_i801 edac_mc snd soundcore snd_page_alloc i2c_core cdrom parport serio_raw pcspkr ata_piix libata sd_mod scsi_mod ext3 jbd uhci_h
    cd ohci_hcd ehci_hcd
    Pid: 12844, comm: crypto-tester Tainted: G 2.6.18-128.el5.fips1 #1
    RIP: 0010:[] [] :ccm:get_data_to_compute+0x1a6/0x1d6
    RSP: 0018:ffff8100134434e8 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff8100104898b0 RCX: ffffffffab6aea10
    RDX: 0000000000000010 RSI: ffff8100104898c0 RDI: ffff810064ddaec0
    RBP: 0000000000000000 R08: ffff8100104898b0 R09: 0000000000000000
    R10: ffff8100103bac84 R11: ffff8100104898b0 R12: ffff810010489858
    R13: ffff8100104898b0 R14: ffff8100103bac00 R15: 0000000000000000
    FS: 00002ab881adfd30(0000) GS:ffffffff803ac000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: ffff810064ddaec0 CR3: 0000000012a88000 CR4: 00000000000006e0
    Process crypto-tester (pid: 12844, threadinfo ffff810013442000, task ffff81003d165860)
    Stack: ffff8100103bac00 ffff8100104898e8 ffff8100134436f8 ffffffff00000000
    0000000000000000 ffff8100104898b0 0000000000000000 ffff810010489858
    0000000000000000 ffff8100103bac00 ffff8100134436f8 ffffffff8864c634
    Call Trace:
    [] :ccm:crypto_ccm_auth+0x12d/0x140
    [] :ccm:crypto_ccm_decrypt+0x161/0x23a
    [] :crypto_tester_kmod:cavs_test_rfc4309_ccm+0x4a5/0x559
    [...]

    The above is from a RHEL5-based kernel, but upstream is susceptible too.

    The fix is trivial: in crypto/ccm.c:crypto_ccm_auth(), pctx->ilen contains
    whatever was in memory when pctx was allocated if assoclen is 0. The tested
    fix is to simply add an else clause setting pctx->ilen to 0 for the
    assoclen == 0 case, so that get_data_to_compute() doesn't try doing
    things its not supposed to.

    Signed-off-by: Jarod Wilson
    Acked-by: Neil Horman
    Signed-off-by: Herbert Xu

    Jarod Wilson
     

11 Jan, 2008

1 commit