From patchwork Tue Jan 12 03:05:40 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thara Gopinath X-Patchwork-Id: 361141 Delivered-To: patch@linaro.org Received: by 2002:a02:85a7:0:0:0:0:0 with SMTP id d36csp3400180jai; Mon, 11 Jan 2021 19:07:28 -0800 (PST) X-Google-Smtp-Source: ABdhPJzT8XAqsxh8pjTpbZ69BVN5zGI7sbTBfjCVPHWqhYrKgCvQc9IuynT7ZuWtloEn+qgdlGkd X-Received: by 2002:a17:906:3bcd:: with SMTP id v13mr1673343ejf.181.1610420848191; Mon, 11 Jan 2021 19:07:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610420848; cv=none; d=google.com; s=arc-20160816; b=c3PEra5sDOM2DpXDh5K5gAp0rwPcDC7fiG5dLIWKQmALDZHiOjXJHPU5c/l0cqI3FL PyaYrvYuvW9S6QGHvgSXFppTEROM5E4dCQXpKET4Bn5HYS888Dg8F5URVt3o00WguFEv apJQQKyE3FeNib/yjXC+E06dBrgS/KBLBEeQJgA7kaK6RRz8ykiK13f0Dsac+6Tk+Lzq BEBAxrsyOpIO7iT7T8hi3KR0yZfX7qyiAtjJHStGzAV5VuZfUiZhxtjzi3B3ChG9buvc kwlE7QKSL+a5kHrZd2cb+Z0nN7Ro+51lJlaBxF94JzsOk/GLP/r9/dGEPY2F6p74pJqE gfrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=U+6t2Ro0fRT+FUrbsbn2zgmBqk6HPbwcTPoVJfJrGfA=; b=CGJcH7ROm1t8znmJIQVZnvYJxf9nqRt8QsupY4uxsdTGzUjlIA37WMfcudOCBb3KdX EVYzjkOtMFCxfnljASHasvAjo67TGID0snASu3JD0CoAdtBgMtgfVgeFRd92K/LypAwK MyC2n4WKM+5tFXDZhqy3I4GQRSoAe+xcNbuoLkWt28ANuQaazRJyTws5wjAZrivQ0Lu/ Qi34OK/btT5Y59Dk5MJKlkROf1PF1A8empBPPDPgbY4teWVqs64Wg29LoYSkyuhvyOkt oMHD+rwuNqT35nd5V6H3Dbob3iNC/NgZmRSyyHlpYU5z/9l2Zd2CzLRXtWW4tyyQRouo 8RWg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=qQVsREep; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g3si542697ejf.612.2021.01.11.19.07.28; Mon, 11 Jan 2021 19:07:28 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=qQVsREep; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733279AbhALDGe (ORCPT + 2 others); Mon, 11 Jan 2021 22:06:34 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59418 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731674AbhALDG3 (ORCPT ); Mon, 11 Jan 2021 22:06:29 -0500 Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7235AC061794 for ; Mon, 11 Jan 2021 19:05:48 -0800 (PST) Received: by mail-qt1-x82b.google.com with SMTP id a6so742568qtw.6 for ; Mon, 11 Jan 2021 19:05:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=U+6t2Ro0fRT+FUrbsbn2zgmBqk6HPbwcTPoVJfJrGfA=; b=qQVsREepuk6monN1RMMdMSpkfXgi+K/brCAbYu3BlJMQk0qtxhPxVuiYpxLR5GTtoQ Bn1PYR1L0Eo3+kJ+RTQjfCvCdm80Cf+dauF1l2G5LlBhySu27luCq6VL4BarBgcd2gKq eNdeCPuyDNlbTylh/BS5swkXupkAfMwd4UYz7ikEapPZLaw4OHg7vhiaGlbkObBKV2PT KaDuceLCzDxPlMbgE9oLaR9dqND7/To65UfiSzu3I4CUojkLdaqGTAuxlH1QF78OAYob mIFXo8xmxHIEKElAA10k8ILLA5vUT3G02qhSuj7/E4/RI/h+yraYiVVLSheyNO+Du3jZ LnhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=U+6t2Ro0fRT+FUrbsbn2zgmBqk6HPbwcTPoVJfJrGfA=; b=j+qMhzolOz8tMBns3aV+ycZwg0753cfXub4sEsfPxN/Yjt4M3XIZdCYjDEs3QQJmri x4mK3tbwATv6jDNClfkt+cWhuQwbaqDP7jM8wMJiahlD0P83eL8o8d3Q362qw9Ld7lP9 cYKM/QYgHBdzpUiXuvX1AKIPr8+Ut+u7FjU/Zth+pM0HAUIp6y0rMHljKPINqIRa9ZFy hFv8S0Xxe7rluCuQnzqa8p4Ftxmm5lOrLKMDuVseTaV1WRR1TAPzSPZ9fSr0q8+Xg+0W SQ0S9SxJoWo0qXsUOJki9rfEgeR0G8kkQd3kTZBjhU9VHD2kfvqjc4e3GVwiPytqJCFN Jj4Q== X-Gm-Message-State: AOAM530Ajfwo4kI3nsznAhtT4TDWbDuYSPFG7sbEkL1tW0czNYLe0cZQ EPEwMcjVdQSyrXXujOj3wvJAvg== X-Received: by 2002:ac8:37f4:: with SMTP id e49mr2678821qtc.193.1610420747715; Mon, 11 Jan 2021 19:05:47 -0800 (PST) Received: from pop-os.fios-router.home (pool-71-163-245-5.washdc.fios.verizon.net. [71.163.245.5]) by smtp.googlemail.com with ESMTPSA id c7sm814235qkm.99.2021.01.11.19.05.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Jan 2021 19:05:46 -0800 (PST) From: Thara Gopinath To: herbert@gondor.apana.org.au, davem@davemloft.net, bjorn.andersson@linaro.org Cc: ebiggers@google.com, ardb@kernel.org, sivaprak@codeaurora.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2 1/6] drivers: crypto: qce: sha: Restore/save ahash state with custom struct in export/import Date: Mon, 11 Jan 2021 22:05:40 -0500 Message-Id: <20210112030545.669480-2-thara.gopinath@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210112030545.669480-1-thara.gopinath@linaro.org> References: <20210112030545.669480-1-thara.gopinath@linaro.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Export and import interfaces save and restore partial transformation states. The partial states were being stored and restored in struct sha1_state for sha1/hmac(sha1) transformations and sha256_state for sha256/hmac(sha256) transformations.This led to a bunch of corner cases where improper state was being stored and restored. A few of the corner cases that turned up during testing are: - wrong byte_count restored if export/import is called twice without h/w transaction in between - wrong buflen restored back if the pending buffer length is exactly the block size. - wrong state restored if buffer length is 0. To fix these issues, save and restore the partial transformation state using the newly introduced qce_sha_saved_state struct. This ensures that all the pieces required to properly restart the transformation is captured and restored back Signed-off-by: Thara Gopinath --- v1->v2: - Introduced custom struct qce_sha_saved_state to store and restore partial sha transformation. v1 was re-using qce_sha_reqctx to save and restore partial states and this could lead to potential memcpy issues around pointer copying. drivers/crypto/qce/sha.c | 122 +++++++++++---------------------------- 1 file changed, 34 insertions(+), 88 deletions(-) -- 2.25.1 Reported-by: kernel test robot Reported-by: kernel test robot Reported-by: kernel test robot diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c index 61c418c12345..08aed03e2b59 100644 --- a/drivers/crypto/qce/sha.c +++ b/drivers/crypto/qce/sha.c @@ -12,9 +12,15 @@ #include "core.h" #include "sha.h" -/* crypto hw padding constant for first operation */ -#define SHA_PADDING 64 -#define SHA_PADDING_MASK (SHA_PADDING - 1) +struct qce_sha_saved_state { + u8 pending_buf[QCE_SHA_MAX_BLOCKSIZE]; + u8 partial_digest[QCE_SHA_MAX_DIGESTSIZE]; + __be32 byte_count[2]; + unsigned int pending_buflen; + unsigned int flags; + u64 count; + bool first_blk; +}; static LIST_HEAD(ahash_algs); @@ -139,97 +145,37 @@ static int qce_ahash_init(struct ahash_request *req) static int qce_ahash_export(struct ahash_request *req, void *out) { - struct crypto_ahash *ahash = crypto_ahash_reqtfm(req); struct qce_sha_reqctx *rctx = ahash_request_ctx(req); - unsigned long flags = rctx->flags; - unsigned int digestsize = crypto_ahash_digestsize(ahash); - unsigned int blocksize = - crypto_tfm_alg_blocksize(crypto_ahash_tfm(ahash)); - - if (IS_SHA1(flags) || IS_SHA1_HMAC(flags)) { - struct sha1_state *out_state = out; - - out_state->count = rctx->count; - qce_cpu_to_be32p_array((__be32 *)out_state->state, - rctx->digest, digestsize); - memcpy(out_state->buffer, rctx->buf, blocksize); - } else if (IS_SHA256(flags) || IS_SHA256_HMAC(flags)) { - struct sha256_state *out_state = out; - - out_state->count = rctx->count; - qce_cpu_to_be32p_array((__be32 *)out_state->state, - rctx->digest, digestsize); - memcpy(out_state->buf, rctx->buf, blocksize); - } else { - return -EINVAL; - } - - return 0; -} - -static int qce_import_common(struct ahash_request *req, u64 in_count, - const u32 *state, const u8 *buffer, bool hmac) -{ - struct crypto_ahash *ahash = crypto_ahash_reqtfm(req); - struct qce_sha_reqctx *rctx = ahash_request_ctx(req); - unsigned int digestsize = crypto_ahash_digestsize(ahash); - unsigned int blocksize; - u64 count = in_count; - - blocksize = crypto_tfm_alg_blocksize(crypto_ahash_tfm(ahash)); - rctx->count = in_count; - memcpy(rctx->buf, buffer, blocksize); - - if (in_count <= blocksize) { - rctx->first_blk = 1; - } else { - rctx->first_blk = 0; - /* - * For HMAC, there is a hardware padding done when first block - * is set. Therefore the byte_count must be incremened by 64 - * after the first block operation. - */ - if (hmac) - count += SHA_PADDING; - } + struct qce_sha_saved_state *export_state = out; - rctx->byte_count[0] = (__force __be32)(count & ~SHA_PADDING_MASK); - rctx->byte_count[1] = (__force __be32)(count >> 32); - qce_cpu_to_be32p_array((__be32 *)rctx->digest, (const u8 *)state, - digestsize); - rctx->buflen = (unsigned int)(in_count & (blocksize - 1)); + memcpy(export_state->pending_buf, rctx->buf, rctx->buflen); + memcpy(export_state->partial_digest, rctx->digest, + sizeof(rctx->digest)); + memcpy(export_state->byte_count, rctx->byte_count, 2); + export_state->pending_buflen = rctx->buflen; + export_state->count = rctx->count; + export_state->first_blk = rctx->first_blk; + export_state->flags = rctx->flags; return 0; } static int qce_ahash_import(struct ahash_request *req, const void *in) { - struct qce_sha_reqctx *rctx; - unsigned long flags; - bool hmac; - int ret; - - ret = qce_ahash_init(req); - if (ret) - return ret; - - rctx = ahash_request_ctx(req); - flags = rctx->flags; - hmac = IS_SHA_HMAC(flags); - - if (IS_SHA1(flags) || IS_SHA1_HMAC(flags)) { - const struct sha1_state *state = in; - - ret = qce_import_common(req, state->count, state->state, - state->buffer, hmac); - } else if (IS_SHA256(flags) || IS_SHA256_HMAC(flags)) { - const struct sha256_state *state = in; + struct qce_sha_reqctx *rctx = ahash_request_ctx(req); + struct qce_sha_saved_state *import_state = in; - ret = qce_import_common(req, state->count, state->state, - state->buf, hmac); - } + memset(rctx, 0, sizeof(*rctx)); + rctx->count = import_state->count; + rctx->buflen = import_state->pending_buflen; + rctx->first_blk = import_state->first_blk; + rctx->flags = import_state->flags; + memcpy(rctx->buf, import_state->pending_buf, rctx->buflen); + memcpy(rctx->digest, import_state->partial_digest, + sizeof(rctx->digest)); + memcpy(rctx->byte_count, import_state->byte_count, 2); - return ret; + return 0; } static int qce_ahash_update(struct ahash_request *req) @@ -450,7 +396,7 @@ static const struct qce_ahash_def ahash_def[] = { .drv_name = "sha1-qce", .digestsize = SHA1_DIGEST_SIZE, .blocksize = SHA1_BLOCK_SIZE, - .statesize = sizeof(struct sha1_state), + .statesize = sizeof(struct qce_sha_saved_state), .std_iv = std_iv_sha1, }, { @@ -459,7 +405,7 @@ static const struct qce_ahash_def ahash_def[] = { .drv_name = "sha256-qce", .digestsize = SHA256_DIGEST_SIZE, .blocksize = SHA256_BLOCK_SIZE, - .statesize = sizeof(struct sha256_state), + .statesize = sizeof(struct qce_sha_saved_state), .std_iv = std_iv_sha256, }, { @@ -468,7 +414,7 @@ static const struct qce_ahash_def ahash_def[] = { .drv_name = "hmac-sha1-qce", .digestsize = SHA1_DIGEST_SIZE, .blocksize = SHA1_BLOCK_SIZE, - .statesize = sizeof(struct sha1_state), + .statesize = sizeof(struct qce_sha_saved_state), .std_iv = std_iv_sha1, }, { @@ -477,7 +423,7 @@ static const struct qce_ahash_def ahash_def[] = { .drv_name = "hmac-sha256-qce", .digestsize = SHA256_DIGEST_SIZE, .blocksize = SHA256_BLOCK_SIZE, - .statesize = sizeof(struct sha256_state), + .statesize = sizeof(struct qce_sha_saved_state), .std_iv = std_iv_sha256, }, };