<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/crypto/skcipher.c, branch v4.16</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>crypto: skcipher - prevent using skciphers without setting key</title>
<updated>2018-01-12T12:03:39+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@google.com</email>
</author>
<published>2018-01-03T19:16:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=f8d33fac84806eebd2ba31a3136066eeca19255f'/>
<id>f8d33fac84806eebd2ba31a3136066eeca19255f</id>
<content type='text'>
Similar to what was done for the hash API, update the skcipher API to
track whether each transform has been keyed, and reject
encryption/decryption if a key is needed but one hasn't been set.

This isn't as important as the equivalent fix for the hash API because
symmetric ciphers almost always require a key (the "null cipher" is the
only exception), so are unlikely to be used without one.  Still,
tracking the key will prevent accidental unkeyed use.  algif_skcipher
also had to track the key anyway, so the new flag replaces that and
simplifies the algif_skcipher implementation.

Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Similar to what was done for the hash API, update the skcipher API to
track whether each transform has been keyed, and reject
encryption/decryption if a key is needed but one hasn't been set.

This isn't as important as the equivalent fix for the hash API because
symmetric ciphers almost always require a key (the "null cipher" is the
only exception), so are unlikely to be used without one.  Still,
tracking the key will prevent accidental unkeyed use.  algif_skcipher
also had to track the key anyway, so the new flag replaces that and
simplifies the algif_skcipher implementation.

Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>crypto: skcipher - set walk.iv for zero-length inputs</title>
<updated>2017-12-11T11:29:53+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@google.com</email>
</author>
<published>2017-11-29T09:18:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2b4f27c36bcd46e820ddb9a8e6fe6a63fa4250b8'/>
<id>2b4f27c36bcd46e820ddb9a8e6fe6a63fa4250b8</id>
<content type='text'>
All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
before checking whether any bytes need to be processed (walk.nbytes).

But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
and the algorithms crash trying to use the uninitialized IV pointer.

Fix it by setting the IV earlier in skcipher_walk_virt().  Also fix it
for the AEAD walk functions.

This isn't a perfect solution because we can't actually align the IV to
-&gt;cra_alignmask unless there are bytes to process, for one because the
temporary buffer for the aligned IV is freed by skcipher_walk_done(),
which is only called when there are bytes to process.  Thus, algorithms
that require aligned IVs will still need to avoid accessing the IV when
walk.nbytes == 0.  Still, many algorithms/architectures are fine with
IVs having any alignment, and even for those that aren't, a misaligned
pointer bug is much less severe than an uninitialized pointer bug.

This change also matches the behavior of the older blkcipher_walk API.

Fixes: 0cabf2af6f5a ("crypto: skcipher - Fix crash on zero-length input")
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v4.14+
Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
before checking whether any bytes need to be processed (walk.nbytes).

But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
and the algorithms crash trying to use the uninitialized IV pointer.

Fix it by setting the IV earlier in skcipher_walk_virt().  Also fix it
for the AEAD walk functions.

This isn't a perfect solution because we can't actually align the IV to
-&gt;cra_alignmask unless there are bytes to process, for one because the
temporary buffer for the aligned IV is freed by skcipher_walk_done(),
which is only called when there are bytes to process.  Thus, algorithms
that require aligned IVs will still need to avoid accessing the IV when
walk.nbytes == 0.  Still, many algorithms/architectures are fine with
IVs having any alignment, and even for those that aren't, a misaligned
pointer bug is much less severe than an uninitialized pointer bug.

This change also matches the behavior of the older blkcipher_walk API.

Fixes: 0cabf2af6f5a ("crypto: skcipher - Fix crash on zero-length input")
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Cc: &lt;stable@vger.kernel.org&gt; # v4.14+
Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6</title>
<updated>2017-11-29T00:22:10+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2017-11-29T00:22:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=43570f0383d6d5879ae585e6c3cf027ba321546f'/>
<id>43570f0383d6d5879ae585e6c3cf027ba321546f</id>
<content type='text'>
Pull crypto fixes from Herbert Xu:

 - avoid potential bogus alignment for some AEAD operations

 - fix crash in algif_aead

 - avoid sleeping in softirq context with async af_alg

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: skcipher - Fix skcipher_walk_aead_common
  crypto: af_alg - remove locking in async callback
  crypto: algif_aead - skip SGL entries with NULL page
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull crypto fixes from Herbert Xu:

 - avoid potential bogus alignment for some AEAD operations

 - fix crash in algif_aead

 - avoid sleeping in softirq context with async af_alg

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: skcipher - Fix skcipher_walk_aead_common
  crypto: af_alg - remove locking in async callback
  crypto: algif_aead - skip SGL entries with NULL page
</pre>
</div>
</content>
</entry>
<entry>
<title>crypto: skcipher - Fix skcipher_walk_aead_common</title>
<updated>2017-11-25T00:08:52+00:00</updated>
<author>
<name>Ondrej Mosnáček</name>
<email>omosnacek@gmail.com</email>
</author>
<published>2017-11-23T12:49:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c14ca8386539a298c1c19b003fe55e37d0f0e89c'/>
<id>c14ca8386539a298c1c19b003fe55e37d0f0e89c</id>
<content type='text'>
The skcipher_walk_aead_common function calls scatterwalk_copychunks on
the input and output walks to skip the associated data. If the AD end
at an SG list entry boundary, then after these calls the walks will
still be pointing to the end of the skipped region.

These offsets are later checked for alignment in skcipher_walk_next,
so the skcipher_walk may detect the alignment incorrectly.

This patch fixes it by calling scatterwalk_done after the copychunks
calls to ensure that the offsets refer to the right SG list entry.

Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface")
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Ondrej Mosnacek &lt;omosnacek@gmail.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The skcipher_walk_aead_common function calls scatterwalk_copychunks on
the input and output walks to skip the associated data. If the AD end
at an SG list entry boundary, then after these calls the walks will
still be pointing to the end of the skipped region.

These offsets are later checked for alignment in skcipher_walk_next,
so the skcipher_walk may detect the alignment incorrectly.

This patch fixes it by calling scatterwalk_done after the copychunks
calls to ensure that the offsets refer to the right SG list entry.

Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface")
Cc: &lt;stable@vger.kernel.org&gt;
Signed-off-by: Ondrej Mosnacek &lt;omosnacek@gmail.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>crypto: skcipher - Fix crash on zero-length input</title>
<updated>2017-10-07T04:04:32+00:00</updated>
<author>
<name>Herbert Xu</name>
<email>herbert@gondor.apana.org.au</email>
</author>
<published>2017-10-07T03:29:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=0cabf2af6f5ac3c88cb106c4e06087a5a39b8e1e'/>
<id>0cabf2af6f5ac3c88cb106c4e06087a5a39b8e1e</id>
<content type='text'>
The skcipher walk interface doesn't handle zero-length input
properly as the old blkcipher walk interface did.  This is due
to the fact that the length check is done too late.

This patch moves the length check forward so that it does the
right thing.

Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk...")
Cc: &lt;stable@vger.kernel.org&gt;
Reported-by: Stephan Müller &lt;smueller@chronox.de&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The skcipher walk interface doesn't handle zero-length input
properly as the old blkcipher walk interface did.  This is due
to the fact that the length check is done too late.

This patch moves the length check forward so that it does the
right thing.

Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk...")
Cc: &lt;stable@vger.kernel.org&gt;
Reported-by: Stephan Müller &lt;smueller@chronox.de&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>crypto: skcipher - Add missing API setkey checks</title>
<updated>2017-05-18T05:04:05+00:00</updated>
<author>
<name>Herbert Xu</name>
<email>herbert@gondor.apana.org.au</email>
</author>
<published>2017-05-09T19:48:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=9933e113c2e87a9f46a40fde8dafbf801dca1ab9'/>
<id>9933e113c2e87a9f46a40fde8dafbf801dca1ab9</id>
<content type='text'>
The API setkey checks for key sizes and alignment went AWOL during the
skcipher conversion.  This patch restores them.

Cc: &lt;stable@vger.kernel.org&gt;
Fixes: 4e6c3df4d729 ("crypto: skcipher - Add low-level skcipher...")
Reported-by: Baozeng &lt;sploving1@gmail.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The API setkey checks for key sizes and alignment went AWOL during the
skcipher conversion.  This patch restores them.

Cc: &lt;stable@vger.kernel.org&gt;
Fixes: 4e6c3df4d729 ("crypto: skcipher - Add low-level skcipher...")
Reported-by: Baozeng &lt;sploving1@gmail.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>crypto: Replaced gcc specific attributes with macros from compiler.h</title>
<updated>2017-01-12T16:24:39+00:00</updated>
<author>
<name>Gideon Israel Dsouza</name>
<email>gidisrael@gmail.com</email>
</author>
<published>2016-12-31T15:56:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=d8c34b949d8c9f61e099e00f22770e400adf2b76'/>
<id>d8c34b949d8c9f61e099e00f22770e400adf2b76</id>
<content type='text'>
Continuing from this commit: 52f5684c8e1e
("kernel: use macros from compiler.h instead of __attribute__((...))")

I submitted 4 total patches. They are part of task I've taken up to
increase compiler portability in the kernel. I've cleaned up the
subsystems under /kernel /mm /block and /security, this patch targets
/crypto.

There is &lt;linux/compiler.h&gt; which provides macros for various gcc specific
constructs. Eg: __weak for __attribute__((weak)). I've cleaned all
instances of gcc specific attributes with the right macros for the crypto
subsystem.

I had to make one additional change into compiler-gcc.h for the case when
one wants to use this: __attribute__((aligned) and not specify an alignment
factor. From the gcc docs, this will result in the largest alignment for
that data type on the target machine so I've named the macro
__aligned_largest. Please advise if another name is more appropriate.

Signed-off-by: Gideon Israel Dsouza &lt;gidisrael@gmail.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Continuing from this commit: 52f5684c8e1e
("kernel: use macros from compiler.h instead of __attribute__((...))")

I submitted 4 total patches. They are part of task I've taken up to
increase compiler portability in the kernel. I've cleaned up the
subsystems under /kernel /mm /block and /security, this patch targets
/crypto.

There is &lt;linux/compiler.h&gt; which provides macros for various gcc specific
constructs. Eg: __weak for __attribute__((weak)). I've cleaned all
instances of gcc specific attributes with the right macros for the crypto
subsystem.

I had to make one additional change into compiler-gcc.h for the case when
one wants to use this: __attribute__((aligned) and not specify an alignment
factor. From the gcc docs, this will result in the largest alignment for
that data type on the target machine so I've named the macro
__aligned_largest. Please advise if another name is more appropriate.

Signed-off-by: Gideon Israel Dsouza &lt;gidisrael@gmail.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>crypto: skcipher - introduce walksize attribute for SIMD algos</title>
<updated>2016-12-30T11:52:47+00:00</updated>
<author>
<name>Ard Biesheuvel</name>
<email>ard.biesheuvel@linaro.org</email>
</author>
<published>2016-12-29T14:09:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c821f6ab2e47946f35ee2f30781c5185e5d07f65'/>
<id>c821f6ab2e47946f35ee2f30781c5185e5d07f65</id>
<content type='text'>
In some cases, SIMD algorithms can only perform optimally when
allowed to operate on multiple input blocks in parallel. This is
especially true for bit slicing algorithms, which typically take
the same amount of time processing a single block or 8 blocks in
parallel. However, other SIMD algorithms may benefit as well from
bigger strides.

So add a walksize attribute to the skcipher algorithm definition, and
wire it up to the skcipher walk API. To avoid confusion between the
skcipher and AEAD attributes, rename the skcipher_walk chunksize
attribute to 'stride', and set it from the walksize (in the skcipher
case) or from the chunksize (in the AEAD case).

Signed-off-by: Ard Biesheuvel &lt;ard.biesheuvel@linaro.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In some cases, SIMD algorithms can only perform optimally when
allowed to operate on multiple input blocks in parallel. This is
especially true for bit slicing algorithms, which typically take
the same amount of time processing a single block or 8 blocks in
parallel. However, other SIMD algorithms may benefit as well from
bigger strides.

So add a walksize attribute to the skcipher algorithm definition, and
wire it up to the skcipher walk API. To avoid confusion between the
skcipher and AEAD attributes, rename the skcipher_walk chunksize
attribute to 'stride', and set it from the walksize (in the skcipher
case) or from the chunksize (in the AEAD case).

Signed-off-by: Ard Biesheuvel &lt;ard.biesheuvel@linaro.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>crypto: skcipher - fix crash in virtual walk</title>
<updated>2016-12-14T10:33:14+00:00</updated>
<author>
<name>Ard Biesheuvel</name>
<email>ard.biesheuvel@linaro.org</email>
</author>
<published>2016-12-13T13:34:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=18e615ad87bce9125ef3990377a4a946ec0f21f3'/>
<id>18e615ad87bce9125ef3990377a4a946ec0f21f3</id>
<content type='text'>
The new skcipher walk API may crash in the following way. (Interestingly,
the tcrypt boot time tests seem unaffected, while an explicit test using
the module triggers it)

  Unable to handle kernel NULL pointer dereference at virtual address 00000000
  ...
  [&lt;ffff000008431d84&gt;] __memcpy+0x84/0x180
  [&lt;ffff0000083ec0d0&gt;] skcipher_walk_done+0x328/0x340
  [&lt;ffff0000080c5c04&gt;] ctr_encrypt+0x84/0x100
  [&lt;ffff000008406d60&gt;] simd_skcipher_encrypt+0x88/0x98
  [&lt;ffff0000083fa05c&gt;] crypto_rfc3686_crypt+0x8c/0x98
  [&lt;ffff0000009b0900&gt;] test_skcipher_speed+0x518/0x820 [tcrypt]
  [&lt;ffff0000009b31c0&gt;] do_test+0x1408/0x3b70 [tcrypt]
  [&lt;ffff0000009bd050&gt;] tcrypt_mod_init+0x50/0x1000 [tcrypt]
  [&lt;ffff0000080838f4&gt;] do_one_initcall+0x44/0x138
  [&lt;ffff0000081aee60&gt;] do_init_module+0x68/0x1e0
  [&lt;ffff0000081524d0&gt;] load_module+0x1fd0/0x2458
  [&lt;ffff000008152c38&gt;] SyS_finit_module+0xe0/0xf0
  [&lt;ffff0000080836f0&gt;] el0_svc_naked+0x24/0x28

This is due to the fact that skcipher_done_slow() may be entered with
walk-&gt;buffer unset. Since skcipher_walk_done() already deals with the
case where walk-&gt;buffer == walk-&gt;page, it appears to be the intention
that walk-&gt;buffer point to walk-&gt;page after skcipher_next_slow(), so
ensure that is the case.

Signed-off-by: Ard Biesheuvel &lt;ard.biesheuvel@linaro.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The new skcipher walk API may crash in the following way. (Interestingly,
the tcrypt boot time tests seem unaffected, while an explicit test using
the module triggers it)

  Unable to handle kernel NULL pointer dereference at virtual address 00000000
  ...
  [&lt;ffff000008431d84&gt;] __memcpy+0x84/0x180
  [&lt;ffff0000083ec0d0&gt;] skcipher_walk_done+0x328/0x340
  [&lt;ffff0000080c5c04&gt;] ctr_encrypt+0x84/0x100
  [&lt;ffff000008406d60&gt;] simd_skcipher_encrypt+0x88/0x98
  [&lt;ffff0000083fa05c&gt;] crypto_rfc3686_crypt+0x8c/0x98
  [&lt;ffff0000009b0900&gt;] test_skcipher_speed+0x518/0x820 [tcrypt]
  [&lt;ffff0000009b31c0&gt;] do_test+0x1408/0x3b70 [tcrypt]
  [&lt;ffff0000009bd050&gt;] tcrypt_mod_init+0x50/0x1000 [tcrypt]
  [&lt;ffff0000080838f4&gt;] do_one_initcall+0x44/0x138
  [&lt;ffff0000081aee60&gt;] do_init_module+0x68/0x1e0
  [&lt;ffff0000081524d0&gt;] load_module+0x1fd0/0x2458
  [&lt;ffff000008152c38&gt;] SyS_finit_module+0xe0/0xf0
  [&lt;ffff0000080836f0&gt;] el0_svc_naked+0x24/0x28

This is due to the fact that skcipher_done_slow() may be entered with
walk-&gt;buffer unset. Since skcipher_walk_done() already deals with the
case where walk-&gt;buffer == walk-&gt;page, it appears to be the intention
that walk-&gt;buffer point to walk-&gt;page after skcipher_next_slow(), so
ensure that is the case.

Signed-off-by: Ard Biesheuvel &lt;ard.biesheuvel@linaro.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>crypto: skcipher - Add separate walker for AEAD decryption</title>
<updated>2016-12-01T13:06:17+00:00</updated>
<author>
<name>Herbert Xu</name>
<email>herbert@gondor.apana.org.au</email>
</author>
<published>2016-11-30T13:14:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=34bc085c839cef85e3e795b1cee29514f69c3081'/>
<id>34bc085c839cef85e3e795b1cee29514f69c3081</id>
<content type='text'>
The AEAD decrypt interface includes the authentication tag in
req-&gt;cryptlen.  Therefore we need to exlucde that when doing
a walk over it.

This patch adds separate walker functions for AEAD encryption
and decryption.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Reviewed-by: Ard Biesheuvel &lt;ard.biesheuvel@linaro.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The AEAD decrypt interface includes the authentication tag in
req-&gt;cryptlen.  Therefore we need to exlucde that when doing
a walk over it.

This patch adds separate walker functions for AEAD encryption
and decryption.

Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Reviewed-by: Ard Biesheuvel &lt;ard.biesheuvel@linaro.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
