* [PATCH 0/6] crypto: additional fixes for omap-aes
@ 2019-10-26 14:52 Ard Biesheuvel
  2019-10-26 14:52 ` [PATCH 1/6] crypto: omap-aes - reject invalid input sizes for block modes Ard Biesheuvel
                   ` (6 more replies)
  0 siblings, 7 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2019-10-26 14:52 UTC (permalink / raw)
  To: linux-crypto; +Cc: herbert, Ard Biesheuvel, linux-omap, Tero Kristo

This series applies onto Tero's series [0], and addresses a number of
additional issues that exist in the omap-aes driver that aren't being
addressed by Tero's fixes.

Note that the resulting code is still not 100% correct: an issue remains
where inputs into GCM consisting solely of assocdata are not being processed
correctly, e.g.,

alg: aead: gcm-aes-omap encryption test failed (wrong result) on test vector
  "random: alen=38 plen=0 authsize=16 klen=32",
   cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+19] iv_offset=31"

I have no idea how to fix this, so I'll leave this to people that know this
hardware and have access to the Sitara TRM.

Note that I also spotted some issues in the SHAM driver, i.e.,

alg: ahash: omap-sha1 test failed (wrong result) on test vector
  "random: psize=7928 ksize=0", cfg="random: inplace use_final 
      src_divs=[5.64%@+13, 59.70%@+18, <flush>31.53%@+4072,
      <flush,nosimd>3.13%@alignmask+263]"
alg: ahash: omap-hmac-sha256 test failed (wrong result) on test vector
  "random: psize=960 ksize=37", cfg="random: inplace use_final
      src_divs=[32.54%@+2449, 17.18%@+4, <flush>50.28%@+1] iv_offset=31"

All of these failures are triggered by CONFIG_CRYPTO_MANAGER_EXTRA_TESTS,
so they will not show up when using the standard set of test vectors.

[0] https://lore.kernel.org/linux-crypto/20191017122549.4634-1-t-kristo@ti.com/

Cc: linux-omap@vger.kernel.org
Cc: Tero Kristo <t-kristo@ti.com>

Ard Biesheuvel (6):
  crypto: omap-aes - reject invalid input sizes for block modes
  crypto: omap-aes-ctr - set blocksize to 1
  crypto: omap-aes-gcm - deal with memory allocation failure
  crypto: omap-aes-gcm - add missing .setauthsize hooks
  crypto: omap-aes-gcm - check length of assocdata in RFC4106 mode
  crypto: omap-aes-gcm - use the AES library to encrypt the tag

 drivers/crypto/omap-aes-gcm.c | 119 ++++++++------------
 drivers/crypto/omap-aes.c     |  33 ++----
 drivers/crypto/omap-aes.h     |  10 +-
 3 files changed, 61 insertions(+), 101 deletions(-)

-- 
2.17.1



* [PATCH 1/6] crypto: omap-aes - reject invalid input sizes for block modes
  2019-10-26 14:52 [PATCH 0/6] crypto: additional fixes for omap-aes Ard Biesheuvel
@ 2019-10-26 14:52 ` Ard Biesheuvel
  2019-10-26 14:52 ` [PATCH 2/6] crypto: omap-aes-ctr - set blocksize to 1 Ard Biesheuvel
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2019-10-26 14:52 UTC (permalink / raw)
  To: linux-crypto; +Cc: herbert, Ard Biesheuvel, linux-omap, Tero Kristo

Block modes such as ECB and CBC only support input sizes that are
a round multiple of the block size, so align with the generic code
which returns -EINVAL when encountering inputs that violate this
rule.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/crypto/omap-aes.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/crypto/omap-aes.c b/drivers/crypto/omap-aes.c
index de05b35283bf..067f4cd7c005 100644
--- a/drivers/crypto/omap-aes.c
+++ b/drivers/crypto/omap-aes.c
@@ -525,6 +525,9 @@ static int omap_aes_crypt(struct skcipher_request *req, unsigned long mode)
 	struct omap_aes_dev *dd;
 	int ret;
 
+	if ((req->cryptlen % AES_BLOCK_SIZE) && !(mode & FLAGS_CTR))
+		return -EINVAL;
+
 	pr_debug("nbytes: %d, enc: %d, cbc: %d\n", req->cryptlen,
 		  !!(mode & FLAGS_ENCRYPT),
 		  !!(mode & FLAGS_CBC));
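
Review bot: the new length check at the top of omap_aes_crypt() is phrased as "every mode except FLAGS_CTR", so any mode flag added later is treated as a block mode by default; a one-line comment stating that CTR is the only length-agnostic mode handled here would make the intent explicit. The check also returns before the pr_debug() that follows it, so a rejected request leaves no debug trace; consider placing it after the pr_debug().
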
-- 
2.17.1



* [PATCH 2/6] crypto: omap-aes-ctr - set blocksize to 1
  2019-10-26 14:52 [PATCH 0/6] crypto: additional fixes for omap-aes Ard Biesheuvel
  2019-10-26 14:52 ` [PATCH 1/6] crypto: omap-aes - reject invalid input sizes for block modes Ard Biesheuvel
@ 2019-10-26 14:52 ` Ard Biesheuvel
  2019-10-26 14:52 ` [PATCH 3/6] crypto: omap-aes-gcm - deal with memory allocation failure Ard Biesheuvel
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2019-10-26 14:52 UTC (permalink / raw)
  To: linux-crypto; +Cc: herbert, Ard Biesheuvel, linux-omap, Tero Kristo

CTR is a stream cipher mode of AES, so set the blocksize accordingly.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/crypto/omap-aes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/omap-aes.c b/drivers/crypto/omap-aes.c
index 067f4cd7c005..33cba7a2d6df 100644
--- a/drivers/crypto/omap-aes.c
+++ b/drivers/crypto/omap-aes.c
@@ -747,7 +747,7 @@ static struct skcipher_alg algs_ctr[] = {
 	.base.cra_flags		= CRYPTO_ALG_KERN_DRIVER_ONLY |
 				  CRYPTO_ALG_ASYNC |
 				  CRYPTO_ALG_NEED_FALLBACK,
-	.base.cra_blocksize	= AES_BLOCK_SIZE,
+	.base.cra_blocksize	= 1,
 	.base.cra_ctxsize	= sizeof(struct omap_aes_ctx),
 	.base.cra_module	= THIS_MODULE,
 
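
Review bot: with .base.cra_blocksize lowered to 1 in algs_ctr, this field no longer advertises the 16-byte granularity of the underlying cipher, and the visible context shows no .chunksize member for the entry. Please confirm the skcipher_alg sets .chunksize to AES_BLOCK_SIZE, or add it in this patch.
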
-- 
2.17.1



* [PATCH 3/6] crypto: omap-aes-gcm - deal with memory allocation failure
  2019-10-26 14:52 [PATCH 0/6] crypto: additional fixes for omap-aes Ard Biesheuvel
  2019-10-26 14:52 ` [PATCH 1/6] crypto: omap-aes - reject invalid input sizes for block modes Ard Biesheuvel
  2019-10-26 14:52 ` [PATCH 2/6] crypto: omap-aes-ctr - set blocksize to 1 Ard Biesheuvel
@ 2019-10-26 14:52 ` Ard Biesheuvel
  2019-10-26 14:52 ` [PATCH 4/6] crypto: omap-aes-gcm - add missing .setauthsize hooks Ard Biesheuvel
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2019-10-26 14:52 UTC (permalink / raw)
  To: linux-crypto; +Cc: herbert, Ard Biesheuvel, linux-omap, Tero Kristo

The OMAP gcm(aes) driver invokes omap_crypto_align_sg() without
dealing with the errors it may return, resulting in a crash if
the routine fails in a __get_free_pages(GFP_ATOMIC) call. So
bail and return the error rather than limping on if one occurs.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/crypto/omap-aes-gcm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/crypto/omap-aes-gcm.c b/drivers/crypto/omap-aes-gcm.c
index dfd4d1cac421..05d2fe78b105 100644
--- a/drivers/crypto/omap-aes-gcm.c
+++ b/drivers/crypto/omap-aes-gcm.c
@@ -120,6 +120,8 @@ static int omap_aes_gcm_copy_buffers(struct omap_aes_dev *dd,
 					   OMAP_CRYPTO_FORCE_SINGLE_ENTRY,
 					   FLAGS_ASSOC_DATA_ST_SHIFT,
 					   &dd->flags);
+		if (ret)
+			return ret;
 	}
 
 	if (cryptlen) {
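
Review bot: the `return ret` after the assocdata omap_crypto_align_sg() call makes omap_aes_gcm_copy_buffers() fail on a path where it previously carried on. The callers are outside this diff, so please confirm each one checks the return value and completes the request with the error rather than starting DMA.
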
@@ -132,6 +134,8 @@ static int omap_aes_gcm_copy_buffers(struct omap_aes_dev *dd,
 					   OMAP_CRYPTO_FORCE_SINGLE_ENTRY,
 					   FLAGS_IN_DATA_ST_SHIFT,
 					   &dd->flags);
+		if (ret)
+			return ret;
 	}
 
 	dd->in_sg = dd->in_sgl;
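
Review bot: the second `return ret`, after the FLAGS_IN_DATA_ST_SHIFT call, can be reached when the earlier assocdata call has already succeeded. If that first call allocated a bounce buffer (the commit message names __get_free_pages()), nothing on this path releases it; either unwind here or state in the commit message which cleanup path frees it based on dd->flags.
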
-- 
2.17.1



* [PATCH 4/6] crypto: omap-aes-gcm - add missing .setauthsize hooks
  2019-10-26 14:52 [PATCH 0/6] crypto: additional fixes for omap-aes Ard Biesheuvel
                   ` (2 preceding siblings ...)
  2019-10-26 14:52 ` [PATCH 3/6] crypto: omap-aes-gcm - deal with memory allocation failure Ard Biesheuvel
@ 2019-10-26 14:52 ` Ard Biesheuvel
  2019-10-26 14:52 ` [PATCH 5/6] crypto: omap-aes-gcm - check length of assocdata in RFC4106 mode Ard Biesheuvel
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2019-10-26 14:52 UTC (permalink / raw)
  To: linux-crypto; +Cc: herbert, Ard Biesheuvel, linux-omap, Tero Kristo

GCM only permits certain tag lengths, so populate the .setauthsize
hooks which ensure that only permitted sizes are accepted by the
implementation.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/crypto/omap-aes-gcm.c | 11 +++++++++++
 drivers/crypto/omap-aes.c     |  2 ++
 drivers/crypto/omap-aes.h     |  3 +++
 3 files changed, 16 insertions(+)

diff --git a/drivers/crypto/omap-aes-gcm.c b/drivers/crypto/omap-aes-gcm.c
index 05d2fe78b105..70398fbd669d 100644
--- a/drivers/crypto/omap-aes-gcm.c
+++ b/drivers/crypto/omap-aes-gcm.c
@@ -413,3 +413,14 @@ int omap_aes_4106gcm_setkey(struct crypto_aead *tfm, const u8 *key,
 
 	return 0;
 }
+
+int omap_aes_gcm_setauthsize(struct crypto_aead *tfm, unsigned int authsize)
+{
+	return crypto_gcm_check_authsize(authsize);
+}
+
+int omap_aes_4106gcm_setauthsize(struct crypto_aead *parent,
+				 unsigned int authsize)
+{
+	return crypto_rfc4106_check_authsize(authsize);
+}
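
Review bot: the two new wrappers name their unused first argument differently, `tfm` in omap_aes_gcm_setauthsize() and `parent` in omap_aes_4106gcm_setauthsize(). The setkey functions in this file use `tfm`, so use that name in both.
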
diff --git a/drivers/crypto/omap-aes.c b/drivers/crypto/omap-aes.c
index 33cba7a2d6df..161af3bf667c 100644
--- a/drivers/crypto/omap-aes.c
+++ b/drivers/crypto/omap-aes.c
@@ -787,6 +787,7 @@ static struct aead_alg algs_aead_gcm[] = {
 	.ivsize		= GCM_AES_IV_SIZE,
 	.maxauthsize	= AES_BLOCK_SIZE,
 	.setkey		= omap_aes_gcm_setkey,
+	.setauthsize	= omap_aes_gcm_setauthsize,
 	.encrypt	= omap_aes_gcm_encrypt,
 	.decrypt	= omap_aes_gcm_decrypt,
 },
@@ -807,6 +808,7 @@ static struct aead_alg algs_aead_gcm[] = {
 	.maxauthsize	= AES_BLOCK_SIZE,
 	.ivsize		= GCM_RFC4106_IV_SIZE,
 	.setkey		= omap_aes_4106gcm_setkey,
+	.setauthsize	= omap_aes_4106gcm_setauthsize,
 	.encrypt	= omap_aes_4106gcm_encrypt,
 	.decrypt	= omap_aes_4106gcm_decrypt,
 },
diff --git a/drivers/crypto/omap-aes.h b/drivers/crypto/omap-aes.h
index 2d3575231e31..1bcca7957e92 100644
--- a/drivers/crypto/omap-aes.h
+++ b/drivers/crypto/omap-aes.h
@@ -202,8 +202,11 @@ int omap_aes_4106gcm_setkey(struct crypto_aead *tfm, const u8 *key,
 			    unsigned int keylen);
 int omap_aes_gcm_encrypt(struct aead_request *req);
 int omap_aes_gcm_decrypt(struct aead_request *req);
+int omap_aes_gcm_setauthsize(struct crypto_aead *tfm, unsigned int authsize);
 int omap_aes_4106gcm_encrypt(struct aead_request *req);
 int omap_aes_4106gcm_decrypt(struct aead_request *req);
+int omap_aes_4106gcm_setauthsize(struct crypto_aead *parent,
+				 unsigned int authsize);
 int omap_aes_write_ctrl(struct omap_aes_dev *dd);
 int omap_aes_crypt_dma_start(struct omap_aes_dev *dd);
 int omap_aes_crypt_dma_stop(struct omap_aes_dev *dd);
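
Review bot: the new prototypes are interleaved with the encrypt/decrypt declarations. Placing omap_aes_gcm_setauthsize() and omap_aes_4106gcm_setauthsize() next to the matching setkey prototypes above would keep the per-algorithm hooks grouped.
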
-- 
2.17.1



* [PATCH 5/6] crypto: omap-aes-gcm - check length of assocdata in RFC4106 mode
  2019-10-26 14:52 [PATCH 0/6] crypto: additional fixes for omap-aes Ard Biesheuvel
                   ` (3 preceding siblings ...)
  2019-10-26 14:52 ` [PATCH 4/6] crypto: omap-aes-gcm - add missing .setauthsize hooks Ard Biesheuvel
@ 2019-10-26 14:52 ` Ard Biesheuvel
  2019-10-26 14:52 ` [PATCH 6/6] crypto: omap-aes-gcm - use the AES library to encrypt the tag Ard Biesheuvel
  2019-11-05 12:19 ` [PATCH 0/6] crypto: additional fixes for omap-aes Tero Kristo
  6 siblings, 0 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2019-10-26 14:52 UTC (permalink / raw)
  To: linux-crypto; +Cc: herbert, Ard Biesheuvel, linux-omap, Tero Kristo

RFC4106 requires the associated data to be a certain size, so reject
inputs that are wrong. This also prevents crashes or other problems due
to assoclen becoming negative after subtracting 8 bytes.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/crypto/omap-aes-gcm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/omap-aes-gcm.c b/drivers/crypto/omap-aes-gcm.c
index 70398fbd669d..1aabf9a72066 100644
--- a/drivers/crypto/omap-aes-gcm.c
+++ b/drivers/crypto/omap-aes-gcm.c
@@ -365,7 +365,8 @@ int omap_aes_4106gcm_encrypt(struct aead_request *req)
 
 	memcpy(rctx->iv, ctx->nonce, 4);
 	memcpy(rctx->iv + 4, req->iv, 8);
-	return omap_aes_gcm_crypt(req, FLAGS_ENCRYPT | FLAGS_GCM |
+	return crypto_ipsec_check_assoclen(req->assoclen) ?:
+	       omap_aes_gcm_crypt(req, FLAGS_ENCRYPT | FLAGS_GCM |
 				  FLAGS_RFC4106_GCM);
 }
 
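
Review bot: in omap_aes_4106gcm_encrypt() the assoclen check is evaluated in the return statement, after both memcpy() calls have already written rctx->iv. Validate first so that a rejected request does not touch the request context; an explicit `if (ret) return ret;` would also read more clearly than the GNU `?:` shorthand.
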
@@ -376,7 +377,8 @@ int omap_aes_4106gcm_decrypt(struct aead_request *req)
 
 	memcpy(rctx->iv, ctx->nonce, 4);
 	memcpy(rctx->iv + 4, req->iv, 8);
-	return omap_aes_gcm_crypt(req, FLAGS_GCM | FLAGS_RFC4106_GCM);
+	return crypto_ipsec_check_assoclen(req->assoclen) ?:
+	       omap_aes_gcm_crypt(req, FLAGS_GCM | FLAGS_RFC4106_GCM);
 }
 
 int omap_aes_gcm_setkey(struct crypto_aead *tfm, const u8 *key,
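
Review bot: omap_aes_4106gcm_decrypt() now repeats the same IV assembly and crypto_ipsec_check_assoclen() sequence as the encrypt path, differing only in FLAGS_ENCRYPT. A small static helper taking the flags would keep the two from drifting apart.
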
-- 
2.17.1
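
Added example, not part of the posted series: a user-space C model of the input validation that patches 1/6, 4/6 and 5/6 introduce, including what an unguarded `assoclen - 8` turns into once it is used as a length. The function names, `MODE_CTR` and the sample lengths are assumptions made for the illustration; the example goes slightly beyond the diff by spelling out the accepted value sets.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define AES_BLOCK_SIZE 16
#define MODE_CTR 0x1u /* hypothetical stand-in for the driver's FLAGS_CTR bit */

/* Patch 1/6: ECB and CBC take whole blocks only; CTR accepts any length. */
static int check_cryptlen(unsigned int cryptlen, unsigned int mode)
{
	if ((cryptlen % AES_BLOCK_SIZE) && !(mode & MODE_CTR))
		return -EINVAL;
	return 0;
}

/* Patch 4/6: tag lengths (bytes) permitted for plain GCM: 4, 8, 12..16. */
static int gcm_check_authsize(unsigned int authsize)
{
	if (authsize == 4 || authsize == 8 ||
	    (authsize >= 12 && authsize <= 16))
		return 0;
	return -EINVAL;
}

/* Patch 4/6: RFC 4106 (IPsec ESP) narrows the tag to 8, 12 or 16 bytes. */
static int rfc4106_check_authsize(unsigned int authsize)
{
	if (authsize == 8 || authsize == 12 || authsize == 16)
		return 0;
	return -EINVAL;
}

/* Patch 5/6: SPI + 32-bit seq + IV = 16, or SPI + 64-bit ESN + IV = 20. */
static int ipsec_check_assoclen(unsigned int assoclen)
{
	return (assoclen == 16 || assoclen == 20) ? 0 : -EINVAL;
}

/*
 * AAD bytes left after the trailing 8-byte IV is stripped, with no guard.
 * Signed on purpose: the commit message speaks of the value going negative.
 */
static int aad_len_unchecked(unsigned int assoclen)
{
	return (int)assoclen - 8;
}

/* Guarded form: reject first, subtract only when the length is valid. */
static int aad_len_checked(unsigned int assoclen, int *aad_len)
{
	int ret = ipsec_check_assoclen(assoclen);

	if (ret)
		return ret;
	*aad_len = (int)assoclen - 8;
	return 0;
}

/* What a negative length becomes when it reaches a size_t length field. */
static size_t as_copy_length(int len)
{
	return (size_t)len;
}

int main(void)
{
	/* Constructed sample lengths, not taken from the thread. */
	unsigned int lens[] = { 0, 4, 8, 16, 20, 33 };
	size_t i;

	for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		int aad = 0;
		int ret = aad_len_checked(lens[i], &aad);

		printf("len=%2u cbc=%d ctr=%d gcm_tag=%d 4106_tag=%d ",
		       lens[i], check_cryptlen(lens[i], 0),
		       check_cryptlen(lens[i], MODE_CTR),
		       gcm_check_authsize(lens[i]),
		       rfc4106_check_authsize(lens[i]));
		if (ret)
			printf("assoclen rejected (unchecked: %d -> %zu)\n",
			       aad_len_unchecked(lens[i]),
			       as_copy_length(aad_len_unchecked(lens[i])));
		else
			printf("aad=%d\n", aad);
	}
	return 0;
}
```
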



* [PATCH 6/6] crypto: omap-aes-gcm - use the AES library to encrypt the tag
  2019-10-26 14:52 [PATCH 0/6] crypto: additional fixes for omap-aes Ard Biesheuvel
                   ` (4 preceding siblings ...)
  2019-10-26 14:52 ` [PATCH 5/6] crypto: omap-aes-gcm - check length of assocdata in RFC4106 mode Ard Biesheuvel
@ 2019-10-26 14:52 ` Ard Biesheuvel
  2019-11-05 12:19 ` [PATCH 0/6] crypto: additional fixes for omap-aes Tero Kristo
  6 siblings, 0 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2019-10-26 14:52 UTC (permalink / raw)
  To: linux-crypto; +Cc: herbert, Ard Biesheuvel, linux-omap, Tero Kristo

The OMAP AES-GCM implementation uses a fallback ecb(aes) skcipher to
produce the keystream to encrypt the output tag. Let's use the new
AES library instead - this is much simpler, and shouldn't affect
performance given that it only involves a single block.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/crypto/omap-aes-gcm.c | 98 +++++---------------
 drivers/crypto/omap-aes.c     | 26 +-----
 drivers/crypto/omap-aes.h     |  7 +-
 3 files changed, 33 insertions(+), 98 deletions(-)

diff --git a/drivers/crypto/omap-aes-gcm.c b/drivers/crypto/omap-aes-gcm.c
index 1aabf9a72066..6da05149b195 100644
--- a/drivers/crypto/omap-aes-gcm.c
+++ b/drivers/crypto/omap-aes-gcm.c
@@ -167,62 +167,12 @@ static int omap_aes_gcm_copy_buffers(struct omap_aes_dev *dd,
 	return 0;
 }
 
-static void omap_aes_gcm_complete(struct crypto_async_request *req, int err)
-{
-	struct omap_aes_gcm_result *res = req->data;
-
-	if (err == -EINPROGRESS)
-		return;
-
-	res->err = err;
-	complete(&res->completion);
-}
-
 static int do_encrypt_iv(struct aead_request *req, u32 *tag, u32 *iv)
 {
-	struct scatterlist iv_sg, tag_sg;
-	struct skcipher_request *sk_req;
-	struct omap_aes_gcm_result result;
-	struct omap_aes_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
-	int ret = 0;
-
-	sk_req = skcipher_request_alloc(ctx->ctr, GFP_KERNEL);
-	if (!sk_req) {
-		pr_err("skcipher: Failed to allocate request\n");
-		return -ENOMEM;
-	}
-
-	init_completion(&result.completion);
-
-	sg_init_one(&iv_sg, iv, AES_BLOCK_SIZE);
-	sg_init_one(&tag_sg, tag, AES_BLOCK_SIZE);
-	skcipher_request_set_callback(sk_req, CRYPTO_TFM_REQ_MAY_BACKLOG,
-				      omap_aes_gcm_complete, &result);
-	ret = crypto_skcipher_setkey(ctx->ctr, (u8 *)ctx->key, ctx->keylen);
-	skcipher_request_set_crypt(sk_req, &iv_sg, &tag_sg, AES_BLOCK_SIZE,
-				   NULL);
-	ret = crypto_skcipher_encrypt(sk_req);
-	switch (ret) {
-	case 0:
-		break;
-	case -EINPROGRESS:
-	case -EBUSY:
-		ret = wait_for_completion_interruptible(&result.completion);
-		if (!ret) {
-			ret = result.err;
-			if (!ret) {
-				reinit_completion(&result.completion);
-				break;
-			}
-		}
-		/* fall through */
-	default:
-		pr_err("Encryption of IV failed for GCM mode\n");
-		break;
-	}
+	struct omap_aes_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
 
-	skcipher_request_free(sk_req);
-	return ret;
+	aes_encrypt(&ctx->actx, (u8 *)tag, (u8 *)iv);
+	return 0;
 }
 
 void omap_aes_gcm_dma_out_callback(void *data)
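
Review bot: do_encrypt_iv() can no longer fail, since it now ends in an unconditional `return 0`, so the int return type and any error handling in its callers are dead code; make it void, or drop the wrapper and call aes_encrypt() directly. The `req` argument is only used to look up the context, and the (u8 *) casts on the u32 tag and iv parameters could go if the parameters were byte pointers.
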
@@ -252,7 +202,7 @@ void omap_aes_gcm_dma_out_callback(void *data)
 static int omap_aes_gcm_handle_queue(struct omap_aes_dev *dd,
 				     struct aead_request *req)
 {
-	struct omap_aes_ctx *ctx;
+	struct omap_aes_gcm_ctx *ctx;
 	struct aead_request *backlog;
 	struct omap_aes_reqctx *rctx;
 	unsigned long flags;
@@ -281,7 +231,7 @@ static int omap_aes_gcm_handle_queue(struct omap_aes_dev *dd,
 	ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
 	rctx = aead_request_ctx(req);
 
-	dd->ctx = ctx;
+	dd->ctx = &ctx->octx;
 	rctx->dd = dd;
 	dd->aead_req = req;
 
@@ -360,10 +310,10 @@ int omap_aes_gcm_decrypt(struct aead_request *req)
 
 int omap_aes_4106gcm_encrypt(struct aead_request *req)
 {
-	struct omap_aes_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
+	struct omap_aes_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
 	struct omap_aes_reqctx *rctx = aead_request_ctx(req);
 
-	memcpy(rctx->iv, ctx->nonce, 4);
+	memcpy(rctx->iv, ctx->octx.nonce, 4);
 	memcpy(rctx->iv + 4, req->iv, 8);
 	return crypto_ipsec_check_assoclen(req->assoclen) ?:
 	       omap_aes_gcm_crypt(req, FLAGS_ENCRYPT | FLAGS_GCM |
@@ -372,10 +322,10 @@ int omap_aes_4106gcm_encrypt(struct aead_request *req)
 
 int omap_aes_4106gcm_decrypt(struct aead_request *req)
 {
-	struct omap_aes_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
+	struct omap_aes_gcm_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
 	struct omap_aes_reqctx *rctx = aead_request_ctx(req);
 
-	memcpy(rctx->iv, ctx->nonce, 4);
+	memcpy(rctx->iv, ctx->octx.nonce, 4);
 	memcpy(rctx->iv + 4, req->iv, 8);
 	return crypto_ipsec_check_assoclen(req->assoclen) ?:
 	       omap_aes_gcm_crypt(req, FLAGS_GCM | FLAGS_RFC4106_GCM);
@@ -384,14 +334,15 @@ int omap_aes_4106gcm_decrypt(struct aead_request *req)
 int omap_aes_gcm_setkey(struct crypto_aead *tfm, const u8 *key,
 			unsigned int keylen)
 {
-	struct omap_aes_ctx *ctx = crypto_aead_ctx(tfm);
+	struct omap_aes_gcm_ctx *ctx = crypto_aead_ctx(tfm);
+	int ret;
 
-	if (keylen != AES_KEYSIZE_128 && keylen != AES_KEYSIZE_192 &&
-	    keylen != AES_KEYSIZE_256)
-		return -EINVAL;
+	ret = aes_expandkey(&ctx->actx, key, keylen);
+	if (ret)
+		return ret;
 
-	memcpy(ctx->key, key, keylen);
-	ctx->keylen = keylen;
+	memcpy(ctx->octx.key, key, keylen);
+	ctx->octx.keylen = keylen;
 
 	return 0;
 }
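
Review bot: in omap_aes_gcm_setkey() the memcpy() into ctx->octx.key is now bounded only by aes_expandkey() having rejected invalid key lengths, because the explicit AES_KEYSIZE_128/192/256 test was removed. A one-line comment stating that dependency would stop a later reorder from turning this into an unchecked copy.
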
@@ -399,19 +350,20 @@ int omap_aes_gcm_setkey(struct crypto_aead *tfm, const u8 *key,
 int omap_aes_4106gcm_setkey(struct crypto_aead *tfm, const u8 *key,
 			    unsigned int keylen)
 {
-	struct omap_aes_ctx *ctx = crypto_aead_ctx(tfm);
+	struct omap_aes_gcm_ctx *ctx = crypto_aead_ctx(tfm);
+	int ret;
 
 	if (keylen < 4)
 		return -EINVAL;
-
 	keylen -= 4;
-	if (keylen != AES_KEYSIZE_128 && keylen != AES_KEYSIZE_192 &&
-	    keylen != AES_KEYSIZE_256)
-		return -EINVAL;
 
-	memcpy(ctx->key, key, keylen);
-	memcpy(ctx->nonce, key + keylen, 4);
-	ctx->keylen = keylen;
+	ret = aes_expandkey(&ctx->actx, key, keylen);
+	if (ret)
+		return ret;
+
+	memcpy(ctx->octx.key, key, keylen);
+	memcpy(ctx->octx.nonce, key + keylen, 4);
+	ctx->octx.keylen = keylen;
 
 	return 0;
 }
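
Review bot: omap_aes_4106gcm_setkey() duplicates the body of omap_aes_gcm_setkey() apart from the 4-byte nonce; after `keylen -= 4` it could call omap_aes_gcm_setkey(tfm, key, keylen) and then copy the nonce. The hunk also drops the blank line between the `keylen < 4` check and `keylen -= 4`, which looks unintentional.
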
diff --git a/drivers/crypto/omap-aes.c b/drivers/crypto/omap-aes.c
index 161af3bf667c..d63ab370030e 100644
--- a/drivers/crypto/omap-aes.c
+++ b/drivers/crypto/omap-aes.c
@@ -645,7 +645,6 @@ static int omap_aes_init_tfm(struct crypto_skcipher *tfm)
 static int omap_aes_gcm_cra_init(struct crypto_aead *tfm)
 {
 	struct omap_aes_dev *dd = NULL;
-	struct omap_aes_ctx *ctx = crypto_aead_ctx(tfm);
 	int err;
 
 	/* Find AES device, currently picks the first device */
@@ -663,12 +662,6 @@ static int omap_aes_gcm_cra_init(struct crypto_aead *tfm)
 	}
 
 	tfm->reqsize = sizeof(struct omap_aes_reqctx);
-	ctx->ctr = crypto_alloc_skcipher("ecb(aes)", 0, 0);
-	if (IS_ERR(ctx->ctr)) {
-		pr_warn("could not load aes driver for encrypting IV\n");
-		return PTR_ERR(ctx->ctr);
-	}
-
 	return 0;
 }
 
@@ -682,19 +675,6 @@ static void omap_aes_exit_tfm(struct crypto_skcipher *tfm)
 	ctx->fallback = NULL;
 }
 
-static void omap_aes_gcm_cra_exit(struct crypto_aead *tfm)
-{
-	struct omap_aes_ctx *ctx = crypto_aead_ctx(tfm);
-
-	if (ctx->fallback)
-		crypto_free_sync_skcipher(ctx->fallback);
-
-	ctx->fallback = NULL;
-
-	if (ctx->ctr)
-		crypto_free_skcipher(ctx->ctr);
-}
-
 /* ********************** ALGS ************************************ */
 
 static struct skcipher_alg algs_ecb_cbc[] = {
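
Review bot: the removed omap_aes_gcm_cra_exit() also freed ctx->fallback, not only ctx->ctr. Nothing in the visible part of omap_aes_gcm_cra_init() allocates a fallback, so dropping the hook looks right, but the commit message only mentions the ecb(aes) skcipher; please say that the fallback free was dead code for the AEAD path.
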
@@ -778,12 +758,11 @@ static struct aead_alg algs_aead_gcm[] = {
 		.cra_flags		= CRYPTO_ALG_ASYNC |
 					  CRYPTO_ALG_KERN_DRIVER_ONLY,
 		.cra_blocksize		= 1,
-		.cra_ctxsize		= sizeof(struct omap_aes_ctx),
+		.cra_ctxsize		= sizeof(struct omap_aes_gcm_ctx),
 		.cra_alignmask		= 0xf,
 		.cra_module		= THIS_MODULE,
 	},
 	.init		= omap_aes_gcm_cra_init,
-	.exit		= omap_aes_gcm_cra_exit,
 	.ivsize		= GCM_AES_IV_SIZE,
 	.maxauthsize	= AES_BLOCK_SIZE,
 	.setkey		= omap_aes_gcm_setkey,
@@ -799,12 +778,11 @@ static struct aead_alg algs_aead_gcm[] = {
 		.cra_flags		= CRYPTO_ALG_ASYNC |
 					  CRYPTO_ALG_KERN_DRIVER_ONLY,
 		.cra_blocksize		= 1,
-		.cra_ctxsize		= sizeof(struct omap_aes_ctx),
+		.cra_ctxsize		= sizeof(struct omap_aes_gcm_ctx),
 		.cra_alignmask		= 0xf,
 		.cra_module		= THIS_MODULE,
 	},
 	.init		= omap_aes_gcm_cra_init,
-	.exit		= omap_aes_gcm_cra_exit,
 	.maxauthsize	= AES_BLOCK_SIZE,
 	.ivsize		= GCM_RFC4106_IV_SIZE,
 	.setkey		= omap_aes_4106gcm_setkey,
diff --git a/drivers/crypto/omap-aes.h b/drivers/crypto/omap-aes.h
index 1bcca7957e92..b0d7c7d08d46 100644
--- a/drivers/crypto/omap-aes.h
+++ b/drivers/crypto/omap-aes.h
@@ -9,6 +9,7 @@
 #ifndef __OMAP_AES_H__
 #define __OMAP_AES_H__
 
+#include <crypto/aes.h>
 #include <crypto/engine.h>
 
 #define DST_MAXBURST			4
@@ -98,7 +99,11 @@ struct omap_aes_ctx {
 	u32		key[AES_KEYSIZE_256 / sizeof(u32)];
 	u8		nonce[4];
 	struct crypto_sync_skcipher	*fallback;
-	struct crypto_skcipher	*ctr;
+};
+
+struct omap_aes_gcm_ctx {
+	struct omap_aes_ctx	octx;
+	struct crypto_aes_ctx	actx;
 };
 
 struct omap_aes_reqctx {
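
Review bot: struct omap_aes_gcm_ctx has no comment explaining why it carries two key representations: octx (the raw key, handed to the hardware path via dd->ctx) and actx (the expanded key, used only by aes_encrypt() for the tag block). Please document that on the struct.
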
-- 
2.17.1



* Re: [PATCH 0/6] crypto: additional fixes for omap-aes
  2019-10-26 14:52 [PATCH 0/6] crypto: additional fixes for omap-aes Ard Biesheuvel
                   ` (5 preceding siblings ...)
  2019-10-26 14:52 ` [PATCH 6/6] crypto: omap-aes-gcm - use the AES library to encrypt the tag Ard Biesheuvel
@ 2019-11-05 12:19 ` Tero Kristo
  2019-11-05 13:20   ` Herbert Xu
  6 siblings, 1 reply; 10+ messages in thread
From: Tero Kristo @ 2019-11-05 12:19 UTC (permalink / raw)
  To: Ard Biesheuvel, linux-crypto; +Cc: herbert, linux-omap

On 26/10/2019 17:52, Ard Biesheuvel wrote:
> This series applies onto Tero's series [0], and addresses a number of
> additional issues that exist in the omap-aes driver that aren't being
> addressed by Tero's fixes.
> 
> Note that the resulting code is still not 100% correct: an issue remains
> where inputs into GCM consisting solely of assocdata are not being processed
> correctly, e.g.,
> 
> alg: aead: gcm-aes-omap encryption test failed (wrong result) on test vector
>    "random: alen=38 plen=0 authsize=16 klen=32",
>     cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+19] iv_offset=31"
> 
> I have no idea how to fix this, so I'll leave this to people that know this
> hardware and have access to the Sitara TRM.
> 
> Note that I also spotted some issues in the SHAM driver, i.e.,
> 
> alg: ahash: omap-sha1 test failed (wrong result) on test vector
>    "random: psize=7928 ksize=0", cfg="random: inplace use_final
>        src_divs=[5.64%@+13, 59.70%@+18, <flush>31.53%@+4072,
>        <flush,nosimd>3.13%@alignmask+263]"
> alg: ahash: omap-hmac-sha256 test failed (wrong result) on test vector
>    "random: psize=960 ksize=37", cfg="random: inplace use_final
>        src_divs=[32.54%@+2449, 17.18%@+4, <flush>50.28%@+1] iv_offset=31"
> 
> All of these failures are triggered by CONFIG_CRYPTO_MANAGER_EXTRA_TESTS,
> so they will not show up when using the standard set of test vectors.
> 
> [0] https://lore.kernel.org/linux-crypto/20191017122549.4634-1-t-kristo@ti.com/
> 
> Cc: linux-omap@vger.kernel.org
> Cc: Tero Kristo <t-kristo@ti.com>

For the whole series:

Reviewed-by: Tero Kristo <t-kristo@ti.com>
Tested-by: Tero Kristo <t-kristo@ti.com>

-Tero

> 
> Ard Biesheuvel (6):
>    crypto: omap-aes - reject invalid input sizes for block modes
>    crypto: omap-aes-ctr - set blocksize to 1
>    crypto: omap-aes-gcm - deal with memory allocation failure
>    crypto: omap-aes-gcm - add missing .setauthsize hooks
>    crypto: omap-aes-gcm - check length of assocdata in RFC4106 mode
>    crypto: omap-aes-gcm - use the AES library to encrypt the tag
> 
>   drivers/crypto/omap-aes-gcm.c | 119 ++++++++------------
>   drivers/crypto/omap-aes.c     |  33 ++----
>   drivers/crypto/omap-aes.h     |  10 +-
>   3 files changed, 61 insertions(+), 101 deletions(-)
> 

--
Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki. Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki


* Re: [PATCH 0/6] crypto: additional fixes for omap-aes
  2019-11-05 12:19 ` [PATCH 0/6] crypto: additional fixes for omap-aes Tero Kristo
@ 2019-11-05 13:20   ` Herbert Xu
  2019-11-05 13:38     ` Tero Kristo
  0 siblings, 1 reply; 10+ messages in thread
From: Herbert Xu @ 2019-11-05 13:20 UTC (permalink / raw)
  To: Tero Kristo; +Cc: Ard Biesheuvel, linux-crypto, linux-omap

On Tue, Nov 05, 2019 at 02:19:54PM +0200, Tero Kristo wrote:
> On 26/10/2019 17:52, Ard Biesheuvel wrote:
> > This series applies onto Tero's series [0], and addresses a number of
> > additional issues that exist in the omap-aes driver that aren't being
> > addressed by Tero's fixes.
> > 
> > Note that the resulting code is still not 100% correct: an issue remains
> > where inputs into GCM consisting solely of assocdata are not being processed
> > correctly, e.g.,
> > 
> > alg: aead: gcm-aes-omap encryption test failed (wrong result) on test vector
> >    "random: alen=38 plen=0 authsize=16 klen=32",
> >     cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+19] iv_offset=31"
> > 
> > I have no idea how to fix this, so I'll leave this to people that know this
> > hardware and have access to the Sitara TRM.
> > 
> > Note that I also spotted some issues in the SHAM driver, i.e.,
> > 
> > alg: ahash: omap-sha1 test failed (wrong result) on test vector
> >    "random: psize=7928 ksize=0", cfg="random: inplace use_final
> >        src_divs=[5.64%@+13, 59.70%@+18, <flush>31.53%@+4072,
> >        <flush,nosimd>3.13%@alignmask+263]"
> > alg: ahash: omap-hmac-sha256 test failed (wrong result) on test vector
> >    "random: psize=960 ksize=37", cfg="random: inplace use_final
> >        src_divs=[32.54%@+2449, 17.18%@+4, <flush>50.28%@+1] iv_offset=31"
> > 
> > All of these failures are triggered by CONFIG_CRYPTO_MANAGER_EXTRA_TESTS,
> > so they will not show up when using the standard set of test vectors.
> > 
> > [0] https://lore.kernel.org/linux-crypto/20191017122549.4634-1-t-kristo@ti.com/
> > 
> > Cc: linux-omap@vger.kernel.org
> > Cc: Tero Kristo <t-kristo@ti.com>
> 
> For the whole series:
> 
> Reviewed-by: Tero Kristo <t-kristo@ti.com>
> Tested-by: Tero Kristo <t-kristo@ti.com>

Actually I've lost track of both of your patch series.  Please
repost both in the correct order for merging.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: [PATCH 0/6] crypto: additional fixes for omap-aes
  2019-11-05 13:20   ` Herbert Xu
@ 2019-11-05 13:38     ` Tero Kristo
  0 siblings, 0 replies; 10+ messages in thread
From: Tero Kristo @ 2019-11-05 13:38 UTC (permalink / raw)
  To: Herbert Xu; +Cc: Ard Biesheuvel, linux-crypto, linux-omap

On 05/11/2019 15:20, Herbert Xu wrote:
> On Tue, Nov 05, 2019 at 02:19:54PM +0200, Tero Kristo wrote:
>> On 26/10/2019 17:52, Ard Biesheuvel wrote:
>>> This series applies onto Tero's series [0], and addresses a number of
>>> additional issues that exist in the omap-aes driver that aren't being
>>> addressed by Tero's fixes.
>>>
>>> Note that the resulting code is still not 100% correct: an issue remains
>>> where inputs into GCM consisting solely of assocdata are not being processed
>>> correctly, e.g.,
>>>
>>> alg: aead: gcm-aes-omap encryption test failed (wrong result) on test vector
>>>     "random: alen=38 plen=0 authsize=16 klen=32",
>>>      cfg="random: inplace may_sleep use_digest src_divs=[100.0%@+19] iv_offset=31"
>>>
>>> I have no idea how to fix this, so I'll leave this to people that know this
>>> hardware and have access to the Sitara TRM.
>>>
>>> Note that I also spotted some issues in the SHAM driver, i.e.,
>>>
>>> alg: ahash: omap-sha1 test failed (wrong result) on test vector
>>>     "random: psize=7928 ksize=0", cfg="random: inplace use_final
>>>         src_divs=[5.64%@+13, 59.70%@+18, <flush>31.53%@+4072,
>>>         <flush,nosimd>3.13%@alignmask+263]"
>>> alg: ahash: omap-hmac-sha256 test failed (wrong result) on test vector
>>>     "random: psize=960 ksize=37", cfg="random: inplace use_final
>>>         src_divs=[32.54%@+2449, 17.18%@+4, <flush>50.28%@+1] iv_offset=31"
>>>
>>> All of these failures are triggered by CONFIG_CRYPTO_MANAGER_EXTRA_TESTS,
>>> so they will not show up when using the standard set of test vectors.
>>>
>>> [0] https://lore.kernel.org/linux-crypto/20191017122549.4634-1-t-kristo@ti.com/
>>>
>>> Cc: linux-omap@vger.kernel.org
>>> Cc: Tero Kristo <t-kristo@ti.com>
>>
>> For the whole series:
>>
>> Reviewed-by: Tero Kristo <t-kristo@ti.com>
>> Tested-by: Tero Kristo <t-kristo@ti.com>
> 
> Actually I've lost track of both of your patch series.  Please
> repost both in the correct order for merging.

Yeah, I was kinda expecting this. :)

Will repost all as single series.

-Tero
--
Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki. Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki
