From: "Herbert Xu" <herbert@gondor.apana.org.au>
To: Eric Biggers <ebiggers@kernel.org>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
Ard Biesheuvel <ardb@kernel.org>
Subject: [v2 PATCH 4/4] crypto: algif_skcipher - Fix stream cipher chaining
Date: Thu, 30 Nov 2023 17:56:26 +0800 [thread overview]
Message-ID: <E1r8dmL-005FBE-Kr@formenos.hmeau.com> (raw)
In-Reply-To: ZWhcDoBp8wPiWiYa@gondor.apana.org.au
Unlike algif_aead which is always issued in one go (thus limiting
the maximum size of the request), algif_skcipher has always allowed
unlimited input data by cutting them up as necessary and feeding
the fragments to the underlying algorithm one at a time.
However, because of deficiencies in the API, this has been broken
for most stream ciphers such as arc4 or chacha. This is because
they have an internal state in addition to the IV that must be
preserved in order to continue processing.
Fix this by using the new skcipher state API.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
crypto/algif_skcipher.c | 71 +++++++++++++++++++++++++++++++++++++++++++++---
include/crypto/if_alg.h | 2 +
2 files changed, 70 insertions(+), 3 deletions(-)
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 9ada9b741af8..59dcc6fc74a2 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -47,6 +47,52 @@ static int skcipher_sendmsg(struct socket *sock, struct msghdr *msg,
return af_alg_sendmsg(sock, msg, size, ivsize);
}
+static int algif_skcipher_export(struct sock *sk, struct skcipher_request *req)
+{
+ struct alg_sock *ask = alg_sk(sk);
+ struct crypto_skcipher *tfm;
+ struct af_alg_ctx *ctx;
+ struct alg_sock *pask;
+ unsigned statesize;
+ struct sock *psk;
+ int err;
+
+ if (!(req->base.flags & CRYPTO_SKCIPHER_REQ_NOTFINAL))
+ return 0;
+
+ ctx = ask->private;
+ psk = ask->parent;
+ pask = alg_sk(psk);
+ tfm = pask->private;
+
+ statesize = crypto_skcipher_statesize(tfm);
+ ctx->state = sock_kmalloc(sk, statesize, GFP_ATOMIC);
+ if (!ctx->state)
+ return -ENOMEM;
+
+ err = crypto_skcipher_export(req, ctx->state);
+ if (err) {
+ sock_kzfree_s(sk, ctx->state, statesize);
+ ctx->state = NULL;
+ }
+
+ return err;
+}
+
+static void algif_skcipher_done(void *data, int err)
+{
+ struct af_alg_async_req *areq = data;
+ struct sock *sk = areq->sk;
+
+ if (err)
+ goto out;
+
+ err = algif_skcipher_export(sk, &areq->cra_u.skcipher_req);
+
+out:
+ af_alg_async_cb(data, err);
+}
+
static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
size_t ignored, int flags)
{
@@ -58,6 +104,7 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
struct crypto_skcipher *tfm = pask->private;
unsigned int bs = crypto_skcipher_chunksize(tfm);
struct af_alg_async_req *areq;
+ unsigned cflags = 0;
int err = 0;
size_t len = 0;
@@ -82,8 +129,10 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
* If more buffers are to be expected to be processed, process only
* full block size buffers.
*/
- if (ctx->more || len < ctx->used)
+ if (ctx->more || len < ctx->used) {
len -= len % bs;
+ cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;
+ }
/*
* Create a per request TX SGL for this request which tracks the
@@ -107,6 +156,16 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
skcipher_request_set_crypt(&areq->cra_u.skcipher_req, areq->tsgl,
areq->first_rsgl.sgl.sgt.sgl, len, ctx->iv);
+ if (ctx->state) {
+ err = crypto_skcipher_import(&areq->cra_u.skcipher_req,
+ ctx->state);
+ sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm));
+ ctx->state = NULL;
+ if (err)
+ goto free;
+ cflags |= CRYPTO_SKCIPHER_REQ_CONT;
+ }
+
if (msg->msg_iocb && !is_sync_kiocb(msg->msg_iocb)) {
/* AIO operation */
sock_hold(sk);
@@ -116,8 +175,9 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
areq->outlen = len;
skcipher_request_set_callback(&areq->cra_u.skcipher_req,
+ cflags |
CRYPTO_TFM_REQ_MAY_SLEEP,
- af_alg_async_cb, areq);
+ algif_skcipher_done, areq);
err = ctx->enc ?
crypto_skcipher_encrypt(&areq->cra_u.skcipher_req) :
crypto_skcipher_decrypt(&areq->cra_u.skcipher_req);
@@ -130,6 +190,7 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
} else {
/* Synchronous operation */
skcipher_request_set_callback(&areq->cra_u.skcipher_req,
+ cflags |
CRYPTO_TFM_REQ_MAY_SLEEP |
CRYPTO_TFM_REQ_MAY_BACKLOG,
crypto_req_done, &ctx->wait);
@@ -137,8 +198,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg,
crypto_skcipher_encrypt(&areq->cra_u.skcipher_req) :
crypto_skcipher_decrypt(&areq->cra_u.skcipher_req),
&ctx->wait);
- }
+ if (!err)
+ err = algif_skcipher_export(
+ sk, &areq->cra_u.skcipher_req);
+ }
free:
af_alg_free_resources(areq);
@@ -301,6 +365,7 @@ static void skcipher_sock_destruct(struct sock *sk)
af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm));
+ sock_kzfree_s(sk, ctx->state, crypto_skcipher_statesize(tfm));
sock_kfree_s(sk, ctx, ctx->len);
af_alg_release_parent(sk);
}
diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
index 08b803a4fcde..78ecaf5db04c 100644
--- a/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -121,6 +121,7 @@ struct af_alg_async_req {
*
* @tsgl_list: Link to TX SGL
* @iv: IV for cipher operation
+ * @state: Existing state for continuing operation
* @aead_assoclen: Length of AAD for AEAD cipher operations
* @completion: Work queue for synchronous operation
* @used: TX bytes sent to kernel. This variable is used to
@@ -142,6 +143,7 @@ struct af_alg_ctx {
struct list_head tsgl_list;
void *iv;
+ void *state;
size_t aead_assoclen;
struct crypto_wait wait;
next prev parent reply other threads:[~2023-11-30 9:56 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-14 8:28 [PATCH 0/8] crypto: Add lskcipher API type Herbert Xu
2023-09-14 8:28 ` [PATCH 1/8] crypto: aead - Add crypto_has_aead Herbert Xu
2023-09-14 8:28 ` [PATCH 2/8] ipsec: Stop using crypto_has_alg Herbert Xu
2023-09-14 8:28 ` [PATCH 3/8] crypto: hash - Hide CRYPTO_ALG_TYPE_AHASH_MASK Herbert Xu
2023-09-14 8:28 ` [PATCH 4/8] crypto: skcipher - Add lskcipher Herbert Xu
2023-09-20 6:25 ` Eric Biggers
2023-09-21 4:32 ` Herbert Xu
2023-09-22 3:10 ` Eric Biggers
2023-11-17 5:19 ` Herbert Xu
2023-11-17 5:42 ` Eric Biggers
2023-11-17 9:07 ` Herbert Xu
2023-11-24 10:27 ` Herbert Xu
2023-11-27 22:28 ` Eric Biggers
2023-11-29 6:24 ` [PATCH 0/4] crypto: Fix chaining support for stream ciphers (arc4 only for now) Herbert Xu
2023-11-29 6:29 ` [PATCH 1/4] crypto: skcipher - Add internal state support Herbert Xu
2023-11-29 6:29 ` [PATCH 2/4] crypto: skcipher - Make use of internal state Herbert Xu
2023-11-29 6:29 ` [PATCH 3/4] crypto: arc4 - Add " Herbert Xu
2023-11-29 6:29 ` [PATCH 4/4] crypto: algif_skcipher - Fix stream cipher chaining Herbert Xu
2023-11-29 21:04 ` [PATCH 0/4] crypto: Fix chaining support for stream ciphers (arc4 only for now) Eric Biggers
2023-11-30 2:17 ` Herbert Xu
2023-11-30 9:55 ` [v2 PATCH " Herbert Xu
2023-11-30 9:56 ` [v2 PATCH 1/4] crypto: skcipher - Add internal state support Herbert Xu
2023-11-30 9:56 ` [v2 PATCH 2/4] crypto: skcipher - Make use of internal state Herbert Xu
2023-11-30 9:56 ` [v2 PATCH 3/4] crypto: arc4 - Add " Herbert Xu
2023-11-30 9:56 ` Herbert Xu [this message]
2023-12-02 3:49 ` [v3 PATCH 0/4] crypto: Fix chaining support for stream ciphers (arc4 only for now) Herbert Xu
2023-12-02 3:50 ` [v3 PATCH 1/4] crypto: skcipher - Add internal state support Herbert Xu
2023-12-02 3:50 ` [v3 PATCH 2/4] crypto: skcipher - Make use of internal state Herbert Xu
2023-12-02 3:50 ` [v3 PATCH 3/4] crypto: arc4 - Add " Herbert Xu
2023-12-02 3:50 ` [v3 PATCH 4/4] crypto: algif_skcipher - Fix stream cipher chaining Herbert Xu
2023-12-10 13:53 ` [LTP] " kernel test robot
2023-12-10 13:53 ` kernel test robot
2023-12-05 8:41 ` [PATCH 4/8] crypto: skcipher - Add lskcipher Herbert Xu
2023-12-05 20:17 ` Eric Biggers
2023-12-06 1:44 ` Herbert Xu
2023-09-14 8:28 ` [PATCH 5/8] crypto: lskcipher - Add compatibility wrapper around ECB Herbert Xu
2023-09-14 8:28 ` [PATCH 6/8] crypto: testmgr - Add support for lskcipher algorithms Herbert Xu
2023-09-14 8:28 ` [PATCH 7/8] crypto: ecb - Convert from skcipher to lskcipher Herbert Xu
2023-09-14 8:28 ` [PATCH 8/8] crypto: cbc " Herbert Xu
2023-10-02 20:25 ` Nathan Chancellor
2023-10-03 3:31 ` [PATCH] crypto: skcipher - Add dependency on ecb Herbert Xu
2023-10-03 15:25 ` Nathan Chancellor
2023-09-14 8:51 ` [PATCH 0/8] crypto: Add lskcipher API type Ard Biesheuvel
2023-09-14 8:56 ` Herbert Xu
2023-09-14 9:18 ` Ard Biesheuvel
2023-09-14 9:29 ` Herbert Xu
2023-09-14 9:31 ` Ard Biesheuvel
2023-09-14 9:34 ` Herbert Xu
2023-09-17 16:24 ` Ard Biesheuvel
2023-09-19 4:03 ` Herbert Xu
2023-09-14 9:32 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=E1r8dmL-005FBE-Kr@formenos.hmeau.com \
--to=herbert@gondor.apana.org.au \
--cc=ardb@kernel.org \
--cc=ebiggers@kernel.org \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.