From patchwork Thu Feb 26 07:22:05 2015
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 45159
From: Ard Biesheuvel
To: linux@arm.linux.org.uk, herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: nico@linaro.org, Ard Biesheuvel
Subject: [PATCH] ARM: crypto: update NEON AES module to latest OpenSSL version
Date: Thu, 26 Feb 2015 07:22:05 +0000
Message-Id: <1424935325-14437-1-git-send-email-ard.biesheuvel@linaro.org>
X-Mailing-List: linux-crypto@vger.kernel.org

This updates the bit sliced AES module to the latest version in the upstream OpenSSL repository (e620e5ae37bc).

This is needed to fix a bug in the XTS decryption path, where data chunked in a certain way could trigger the ciphertext stealing code, which is not supposed to be active in the kernel build (the kernel implementation of XTS only supports round multiples of the AES block size of 16 bytes, whereas the conformant OpenSSL implementation of XTS supports inputs of arbitrary size by applying ciphertext stealing). This is fixed in the upstream version by adding the missing #ifndef XTS_CHAIN_TWEAK around the offending instructions.

The upstream code also contains the change applied by Russell to build the code unconditionally, i.e., even if __LINUX_ARM_ARCH__ < 7, but implemented slightly differently.

Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions")
Reported-by: Adrian Kotelba
Signed-off-by: Ard Biesheuvel --- This was found using the tcrypt test code, to which I recently added additional chunking modes. However, XTS typically operates on pages or at least on sectors, so this bug is unlikely to affect anyone in real life. Still, please add cc stable when applying, Thanks, Ard. arch/arm/crypto/aesbs-core.S_shipped | 12 ++++++++---- arch/arm/crypto/bsaes-armv7.pl | 12 ++++++++---- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/arch/arm/crypto/aesbs-core.S_shipped b/arch/arm/crypto/aesbs-core.S_shipped index 71e5fc7cfb18..1d1800f71c5b 100644 --- a/arch/arm/crypto/aesbs-core.S_shipped +++ b/arch/arm/crypto/aesbs-core.S_shipped @@ -58,14 +58,18 @@ # define VFP_ABI_FRAME 0 # define BSAES_ASM_EXTENDED_KEY # define XTS_CHAIN_TWEAK -# define __ARM_ARCH__ 7 +# define __ARM_ARCH__ __LINUX_ARM_ARCH__ +# define __ARM_MAX_ARCH__ 7 #endif #ifdef __thumb__ # define adrl adr #endif -#if __ARM_ARCH__>=7 +#if __ARM_MAX_ARCH__>=7 +.arch armv7-a +.fpu neon + .text .syntax unified @ ARMv7-capable assembler is expected to handle this #ifdef __thumb2__ @@ -74,8 +78,6 @@ .code 32 #endif -.fpu neon - .type _bsaes_decrypt8,%function .align 4 _bsaes_decrypt8: @@ -2095,9 +2097,11 @@ bsaes_xts_decrypt: vld1.8 {q8}, [r0] @ initial tweak adr r2, .Lxts_magic +#ifndef XTS_CHAIN_TWEAK tst r9, #0xf @ if not multiple of 16 it ne @ Thumb2 thing, sanity check in ARM subne r9, #0x10 @ subtract another 16 bytes +#endif subs r9, #0x80 blo .Lxts_dec_short diff --git a/arch/arm/crypto/bsaes-armv7.pl b/arch/arm/crypto/bsaes-armv7.pl index be068db960ee..a4d3856e7d24 100644 --- a/arch/arm/crypto/bsaes-armv7.pl +++ b/arch/arm/crypto/bsaes-armv7.pl 
@@ -701,14 +701,18 @@ $code.=<<___; # define VFP_ABI_FRAME 0 # define BSAES_ASM_EXTENDED_KEY # define XTS_CHAIN_TWEAK -# define __ARM_ARCH__ 7 +# define __ARM_ARCH__ __LINUX_ARM_ARCH__ +# define __ARM_MAX_ARCH__ 7 #endif #ifdef __thumb__ # define adrl adr #endif -#if __ARM_ARCH__>=7 +#if __ARM_MAX_ARCH__>=7 +.arch armv7-a +.fpu neon + .text .syntax unified @ ARMv7-capable assembler is expected to handle this #ifdef __thumb2__ @@ -717,8 +721,6 @@ $code.=<<___; .code 32 #endif -.fpu neon - .type _bsaes_decrypt8,%function .align 4 _bsaes_decrypt8: @@ -2076,9 +2078,11 @@ bsaes_xts_decrypt: vld1.8 {@XMM[8]}, [r0] @ initial tweak adr $magic, .Lxts_magic +#ifndef XTS_CHAIN_TWEAK tst $len, #0xf @ if not multiple of 16 it ne @ Thumb2 thing, sanity check in ARM subne $len, #0x10 @ subtract another 16 bytes +#endif subs $len, #0x80 blo .Lxts_dec_short
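Review bot: in the @@ -58,14 +58,18 @@ hunk of aesbs-core.S_shipped, the new `#if __ARM_MAX_ARCH__>=7` guard is always true, because `__ARM_MAX_ARCH__` is defined as 7 a few lines earlier inside the same `#if`/`#endif` block that defines XTS_CHAIN_TWEAK, so `.arch armv7-a`, `.fpu neon` and the code after them are now assembled for every `__LINUX_ARM_ARCH__`; that is what the commit message says is intended, but it means the assembler will happily emit NEON into a build whose command-line `-march` is below v7. Since `__ARM_ARCH__` now tracks `__LINUX_ARM_ARCH__` instead of being pinned to 7, please confirm that no other `#if __ARM_ARCH__>=7` test remains in the file whose meaning was "NEON available" rather than "target architecture", and add a sentence to the commit message saying what prevents this module from being called on a core without NEON when `__LINUX_ARM_ARCH__ < 7`.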
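Review bot: the @@ -74,8 +78,6 @@ hunk of aesbs-core.S_shipped is a pure relocation: the `.fpu neon` it removes after the `.code 32` / `#endif` pair is the one the first hunk re-adds next to `.arch armv7-a` ahead of `.text`, so there is no functional change here beyond the directive now living under the `#if __ARM_MAX_ARCH__>=7` guard together with the `.arch` line.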
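Review bot: in the @@ -2095,9 +2097,11 @@ hunk of aesbs-core.S_shipped, wrapping `tst r9, #0xf` / `it ne` / `subne r9, #0x10` in `#ifndef XTS_CHAIN_TWEAK` means the kernel build no longer sets aside the last full block for ciphertext stealing; the length reaches `subs r9, #0x80` untouched, so a chunk whose length is not a multiple of 16 is no longer special-cased at all, and correctness now rests entirely on the caller never passing such a length, which is the round-multiple rule the commit message describes. Two things would help a stable reviewer: the patch only guards bsaes_xts_decrypt, so one line on why bsaes_xts_encrypt needs no matching change, and, since this is the hunk that justifies the "please add cc stable" request in the cover note, a `Cc: <stable@vger.kernel.org>` trailer next to the Fixes: tag rather than a request to the maintainer.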
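Review bot: the three bsaes-armv7.pl hunks (@@ -701,14 +701,18 @@, @@ -717,8 +721,6 @@ and @@ -2076,9 +2078,11 @@) match the aesbs-core.S_shipped hunks line for line apart from the `@XMM[8]`, `$magic` and `$len` generator placeholders, which is what keeps the shipped file reproducible from the Perl source; the commit message should say whether aesbs-core.S_shipped was regenerated from the updated .pl or copied from upstream as-is, so that a later regeneration cannot silently drift from what was tested.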
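The commit message contrasts the kernel's XTS, which only accepts round multiples of 16 bytes and chains the tweak from one chunk to the next (the XTS_CHAIN_TWEAK build), with the conformant OpenSSL XTS, which handles an arbitrary final length by ciphertext stealing. The Python below is an added illustration written for this page, not code from the patch, from OpenSSL or from the kernel. It uses a hypothetical 16-byte Feistel block cipher built on SHA-256 as a stand-in for AES (invertible, but not AES and not secure) so that it runs with the standard library alone, and shows the tweak multiplication by x in GF(2^128) that the assembly's `.Lxts_magic` constant serves (0x87 is the IEEE 1619 reduction value; the diff does not show the constant itself), the chained-tweak chunk interface, and the two length policies. It also shows why the ciphertext-stealing path has to hold back the last full block whenever a partial block follows it, which is what the `subne r9, #0x10` the patch now guards was reserving.

```python
import hashlib

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of the stand-in cipher: 8 bytes of SHA-256(key, round, half).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key, block):
    # HYPOTHETICAL 4-round Feistel network on a 16-byte block. It is invertible,
    # which is all XTS needs for this demonstration; it is NOT AES and NOT secure.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def mul_alpha(tweak):
    # Multiply the tweak by x in GF(2^128), little-endian byte order, reducing
    # by x^128 + x^7 + x^2 + x + 1 (the 0x87 constant of IEEE 1619).
    n = int.from_bytes(tweak, "little") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "little")


def xts_crypt_chunk(key1, data, tweak, decrypt=False, allow_cts=False):
    """Encrypt or decrypt one chunk under the running tweak.

    Returns (output, next_tweak) so the caller can chain chunks the way the
    kernel's XTS_CHAIN_TWEAK build does. allow_cts=False is the kernel policy
    (round multiples of 16 only); allow_cts=True is OpenSSL's ciphertext
    stealing for a trailing partial block.
    """
    cipher = toy_decrypt_block if decrypt else toy_encrypt_block
    full, tail = divmod(len(data), BLOCK)
    if tail and not allow_cts:
        raise ValueError("chunk length %d is not a multiple of 16" % len(data))
    if tail and full == 0:
        raise ValueError("ciphertext stealing needs the preceding full block")
    normal = full - 1 if tail else full   # hold back the last full block for CTS
    out = bytearray()
    for j in range(normal):
        blk = data[j * BLOCK:(j + 1) * BLOCK]
        out += xor(cipher(key1, xor(blk, tweak)), tweak)
        tweak = mul_alpha(tweak)
    if tail:
        pen = data[normal * BLOCK:(normal + 1) * BLOCK]   # last full block
        last = data[(normal + 1) * BLOCK:]                # partial block
        t_pen, t_last = tweak, mul_alpha(tweak)
        if not decrypt:
            cc = xor(cipher(key1, xor(pen, t_pen)), t_pen)
            # Steal the unused tail of cc to pad the partial block to 16 bytes.
            out += xor(cipher(key1, xor(last + cc[tail:], t_last)), t_last)
            out += cc[:tail]
        else:
            pp = xor(cipher(key1, xor(pen, t_last)), t_last)
            out += xor(cipher(key1, xor(last + pp[tail:], t_pen)), t_pen)
            out += pp[:tail]
        tweak = mul_alpha(t_last)
    return bytes(out), tweak


def xts_crypt(key1, key2, sector, data, decrypt=False, chunk=None, allow_cts=False):
    """Process one sector, optionally in chunks, chaining the tweak across them."""
    tweak = toy_encrypt_block(key2, sector.to_bytes(BLOCK, "little"))
    chunk = chunk or max(len(data), 1)
    out = b""
    for off in range(0, len(data), chunk):
        part, tweak = xts_crypt_chunk(key1, data[off:off + chunk], tweak, decrypt, allow_cts)
        out += part
    return out


def is_rejected(key1, key2, sector, data, chunk=None, allow_cts=False):
    """True if the chosen policy/chunking refuses this input with ValueError."""
    try:
        xts_crypt(key1, key2, sector, data, chunk=chunk, allow_cts=allow_cts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k1, k2 = b"k1" * 8, b"k2" * 8        # constructed sample keys
    pt = bytes(range(64))                  # four full blocks
    ct = xts_crypt(k1, k2, 5, pt)
    print("chunked == unchunked:", xts_crypt(k1, k2, 5, pt, chunk=32) == ct)
    odd = bytes(range(40))                 # two full blocks plus 8 bytes
    print("strict mode rejects 40 bytes:", is_rejected(k1, k2, 5, odd))
    ct2 = xts_crypt(k1, k2, 5, odd, allow_cts=True)
    print("CTS round trip:", xts_crypt(k1, k2, 5, ct2, decrypt=True, allow_cts=True) == odd)
    print("CTS with the 8-byte tail in its own chunk rejected:",
          is_rejected(k1, k2, 5, odd, chunk=32, allow_cts=True))
```

The last line of the demo is the structural point behind the guarded instructions: ciphertext stealing can only be applied when the partial block and the full block before it arrive together, so a stealing-capable implementation must keep one full block in reserve whenever the length is not a multiple of 16. A chained-tweak caller that has already promised round multiples gains nothing from that reservation, and an implementation that applies it anyway will encode the final two blocks differently from what the caller expects.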