Re: [PATCH] [RESEND] crypto: qat - don't use userspace pointer
On Wed, Oct 21, 2015 at 02:57:09PM -0700, Tadeusz Struk wrote: > Bugfix - don't dereference userspace pointer. > > Resend with the correct way for inclusion in the stable kernel. Applied to crypto. -- Email: Herbert XuHome Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 3/4] crypto: akcipher: add crypto_akcipher_type methods needed by templates.
Add two dummy methods that are required by the crypto API internals: .ctxsize and .init (just because the framework calls them without checking if they were provided). They're only required by the complicated code path needed to instantiate a template algorithm. Also expose crypto_akcipher_type like other crypto types are exposed to be used from outside modules. Signed-off-by: Andrew Zaborowski--- crypto/akcipher.c | 16 +++- include/crypto/algapi.h | 1 + 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/crypto/akcipher.c b/crypto/akcipher.c index 120ec04..6ef7f99 100644 --- a/crypto/akcipher.c +++ b/crypto/akcipher.c @@ -53,6 +53,11 @@ static void crypto_akcipher_show(struct seq_file *m, struct crypto_alg *alg) seq_puts(m, "type : akcipher\n"); } +static int crypto_akcipher_init(struct crypto_tfm *tfm, u32 type, u32 mask) +{ + return 0; +} + static void crypto_akcipher_exit_tfm(struct crypto_tfm *tfm) { struct crypto_akcipher *akcipher = __crypto_akcipher_tfm(tfm); @@ -75,8 +80,16 @@ static int crypto_akcipher_init_tfm(struct crypto_tfm *tfm) return 0; } -static const struct crypto_type crypto_akcipher_type = { +static unsigned int crypto_akcipher_ctxsize(struct crypto_alg *alg, u32 type, + u32 mask) +{ + return alg->cra_ctxsize; +} + +const struct crypto_type crypto_akcipher_type = { + .ctxsize = crypto_akcipher_ctxsize, .extsize = crypto_alg_extsize, + .init = crypto_akcipher_init, .init_tfm = crypto_akcipher_init_tfm, #ifdef CONFIG_PROC_FS .show = crypto_akcipher_show, @@ -87,6 +100,7 @@ static const struct crypto_type crypto_akcipher_type = { .type = CRYPTO_ALG_TYPE_AKCIPHER, .tfmsize = offsetof(struct crypto_akcipher, base), }; +EXPORT_SYMBOL_GPL(crypto_akcipher_type); struct crypto_akcipher *crypto_alloc_akcipher(const char *alg_name, u32 type, u32 mask) diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h index c9fe145..1089f20 100644 --- a/include/crypto/algapi.h +++ b/include/crypto/algapi.h @@ -130,6 +130,7 @@ struct ablkcipher_walk { extern const struct crypto_type crypto_ablkcipher_type; extern const struct crypto_type crypto_blkcipher_type; +extern const struct crypto_type crypto_akcipher_type; void crypto_mod_put(struct crypto_alg *alg); -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 2/4] crypto: rsa: only require output buffers as big as needed.
rhe RSA operations explicitly left-align the integers being written skipping any leading zero bytes, but still require the output buffers to include just enough space for the integer + the leading zero bytes. Since the size of integer + the leading zero bytes (i.e. the key modulus size) can now be obtained more easily through crypto_akcipher_maxsize change the operations to only require as big a buffer as actually needed if the caller has that information. The semantics for request->dst_len don't change. Signed-off-by: Andrew Zaborowski--- crypto/rsa.c | 24 1 file changed, 24 deletions(-) diff --git a/crypto/rsa.c b/crypto/rsa.c index 1093e04..58aad69 100644 --- a/crypto/rsa.c +++ b/crypto/rsa.c @@ -91,12 +91,6 @@ static int rsa_enc(struct akcipher_request *req) goto err_free_c; } - if (req->dst_len < mpi_get_size(pkey->n)) { - req->dst_len = mpi_get_size(pkey->n); - ret = -EOVERFLOW; - goto err_free_c; - } - ret = -ENOMEM; m = mpi_read_raw_from_sgl(req->src, req->src_len); if (!m) @@ -136,12 +130,6 @@ static int rsa_dec(struct akcipher_request *req) goto err_free_m; } - if (req->dst_len < mpi_get_size(pkey->n)) { - req->dst_len = mpi_get_size(pkey->n); - ret = -EOVERFLOW; - goto err_free_m; - } - ret = -ENOMEM; c = mpi_read_raw_from_sgl(req->src, req->src_len); if (!c) @@ -180,12 +168,6 @@ static int rsa_sign(struct akcipher_request *req) goto err_free_s; } - if (req->dst_len < mpi_get_size(pkey->n)) { - req->dst_len = mpi_get_size(pkey->n); - ret = -EOVERFLOW; - goto err_free_s; - } - ret = -ENOMEM; m = mpi_read_raw_from_sgl(req->src, req->src_len); if (!m) @@ -225,12 +207,6 @@ static int rsa_verify(struct akcipher_request *req) goto err_free_m; } - if (req->dst_len < mpi_get_size(pkey->n)) { - req->dst_len = mpi_get_size(pkey->n); - ret = -EOVERFLOW; - goto err_free_m; - } - ret = -ENOMEM; s = mpi_read_raw_from_sgl(req->src, req->src_len); if (!s) { -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 4/4] crypto: RSA padding algorithm
This patch adds PKCS#1 v1.5 standard RSA padding as a separate template. This way an RSA cipher with padding can be obtained by instantiating "pkcs1pad(rsa)". The reason for adding this is that RSA is almost never used without this padding (or OAEP) so it will be needed for either certificate work in the kernel or the userspace, and also I hear that it is likely implemented by hardware RSA in which case an implementation of the whole of pkcs1pad(rsa) can be provided. Signed-off-by: Andrew Zaborowski--- crypto/Makefile | 1 + crypto/rsa-pkcs1pad.c | 593 ++ crypto/rsa.c | 16 +- include/crypto/internal/rsa.h | 2 + 4 files changed, 611 insertions(+), 1 deletion(-) create mode 100644 crypto/rsa-pkcs1pad.c diff --git a/crypto/Makefile b/crypto/Makefile index f7aba92..2acdbbd 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -40,6 +40,7 @@ rsa_generic-y := rsapubkey-asn1.o rsa_generic-y += rsaprivkey-asn1.o rsa_generic-y += rsa.o rsa_generic-y += rsa_helper.o +rsa_generic-y += rsa-pkcs1pad.o obj-$(CONFIG_CRYPTO_RSA) += rsa_generic.o cryptomgr-y := algboss.o testmgr.o diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c new file mode 100644 index 000..d8e0c71 --- /dev/null +++ b/crypto/rsa-pkcs1pad.c @@ -0,0 +1,593 @@ +/* + * RSA padding templates. + * + * Copyright (c) 2015 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +struct pkcs1pad_ctx { + struct crypto_akcipher *child; + + unsigned int key_size; +}; + +struct pkcs1pad_request { + struct akcipher_request child_req; + + struct scatterlist in_sg[3], out_sg[2]; + uint8_t *in_buf, *out_buf; +}; + +static int pkcs1pad_set_pub_key(struct crypto_akcipher *tfm, const void *key, + unsigned int keylen) +{ + struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); + int err, size; + + err = crypto_akcipher_set_pub_key(ctx->child, key, keylen); + + if (!err) { + /* Find out new modulus size from rsa implementation */ + size = crypto_akcipher_maxsize(ctx->child); + + ctx->key_size = size > 0 ? size : 0; + if (size <= 0) + err = size; + } + + return err; +} + +static int pkcs1pad_set_priv_key(struct crypto_akcipher *tfm, const void *key, + unsigned int keylen) +{ + struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); + int err, size; + + err = crypto_akcipher_set_priv_key(ctx->child, key, keylen); + + if (!err) { + /* Find out new modulus size from rsa implementation */ + size = crypto_akcipher_maxsize(ctx->child); + + ctx->key_size = size > 0 ? size : 0; + if (size <= 0) + err = size; + } + + return err; +} + +static int pkcs1pad_get_max_size(struct crypto_akcipher *tfm) +{ + struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); + + /* +* The maximum destination buffer size for the encrypt/sign operations +* will be the same as for RSA, even though it's smaller for +* decrypt/verify. +*/ + + return ctx->key_size ?: -EINVAL; +} + +static void pkcs1pad_sg_set_buf(struct scatterlist *sg, void *buf, size_t len, + struct scatterlist *next) +{ + int nsegs = next ? 1 : 0; + + if (offset_in_page(buf) + len <= PAGE_SIZE) { + nsegs += 1; + sg_init_table(sg, nsegs); + sg_set_buf(sg, buf, len); + } else { + nsegs += 2; + sg_init_table(sg, nsegs); + sg_set_buf(sg + 0, buf, PAGE_SIZE - offset_in_page(buf)); + sg_set_buf(sg + 1, buf + PAGE_SIZE - offset_in_page(buf), + offset_in_page(buf) + len - PAGE_SIZE); + } + + if (next) + sg_chain(sg, nsegs, next); +} + +static int pkcs1pad_encrypt_sign_complete(struct akcipher_request *req, int err) +{ + struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); + struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); + struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); + uint8_t zeros[ctx->key_size - req_ctx->child_req.dst_len]; + + if (!err) { + if (req_ctx->child_req.dst_len < ctx->key_size) { + memset(zeros, 0, sizeof(zeros)); + sg_copy_from_buffer(req->dst, + sg_nents_for_len(req->dst, +
[PATCH 1/4] lib/mpi: only require buffers as big as needed for the integer
Since mpi_write_to_sgl and mpi_read_buffer explicitly left-align the integers being written it makes no sense to require a buffer big enough for the number + the leading zero bytes which are not written. The error returned also doesn't convey any information. So instead require only the size needed and return -EOVERFLOW to signal when buffer too short. Signed-off-by: Andrew Zaborowski--- lib/mpi/mpicoder.c | 21 + 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c index c7e0a70..074d2df 100644 --- a/lib/mpi/mpicoder.c +++ b/lib/mpi/mpicoder.c @@ -135,7 +135,9 @@ EXPORT_SYMBOL_GPL(mpi_read_from_buffer); * @buf: bufer to which the output will be written to. Needs to be at * leaset mpi_get_size(a) long. * @buf_len: size of the buf. - * @nbytes:receives the actual length of the data written. + * @nbytes:receives the actual length of the data written on success and + * the data to-be-written on -EOVERFLOW in case buf_len was too + * small. * @sign: if not NULL, it will be set to the sign of a. * * Return: 0 on success or error code in case of error @@ -148,7 +150,7 @@ int mpi_read_buffer(MPI a, uint8_t *buf, unsigned buf_len, unsigned *nbytes, unsigned int n = mpi_get_size(a); int i, lzeros = 0; - if (buf_len < n || !buf || !nbytes) + if (!buf || !nbytes) return -EINVAL; if (sign) @@ -163,6 +165,11 @@ int mpi_read_buffer(MPI a, uint8_t *buf, unsigned buf_len, unsigned *nbytes, break; } + if (buf_len < n - lzeros) { + *nbytes = n - lzeros; + return -EOVERFLOW; + } + p = buf; *nbytes = n - lzeros; @@ -332,7 +339,8 @@ EXPORT_SYMBOL_GPL(mpi_set_buffer); * @nbytes:in/out param - it has the be set to the maximum number of * bytes that can be written to sgl. This has to be at least * the size of the integer a. On return it receives the actual - * length of the data written. + * length of the data written on success or the data that would + * be written if buffer was too small. * @sign: if not NULL, it will be set to the sign of a. * * Return: 0 on success or error code in case of error @@ -345,7 +353,7 @@ int mpi_write_to_sgl(MPI a, struct scatterlist *sgl, unsigned *nbytes, unsigned int n = mpi_get_size(a); int i, x, y = 0, lzeros = 0, buf_len; - if (!nbytes || *nbytes < n) + if (!nbytes) return -EINVAL; if (sign) @@ -360,6 +368,11 @@ int mpi_write_to_sgl(MPI a, struct scatterlist *sgl, unsigned *nbytes, break; } + if (*nbytes < n - lzeros) { + *nbytes = n - lzeros; + return -EOVERFLOW; + } + *nbytes = n - lzeros; buf_len = sgl->length; p2 = sg_virt(sgl); -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 4/4] crypto: RSA padding algorithm
Hi Stephan, On 11 November 2015 at 14:19, Stephan Muellerwrote: > Am Mittwoch, 11. November 2015, 01:58:45 schrieb Andrew Zaborowski: > > Hi Andrew, > >>This patch adds PKCS#1 v1.5 standard RSA padding as a separate template. >>This way an RSA cipher with padding can be obtained by instantiating >>"pkcs1pad(rsa)". The reason for adding this is that RSA is almost >>never used without this padding (or OAEP) so it will be needed for >>either certificate work in the kernel or the userspace, and also I hear >>that it is likely implemented by hardware RSA in which case an >>implementation of the whole "pkcs1pad(rsa)" can be provided. > > In general, I think that there is a PKCS 1 implementation in the kernel in > crypto/asymmetric_keys/rsa.c > > Shouldn't that all somehow being synchronized? Probably as Marcel says the certificate code should use the crypto algorithm API. In its current form it won't be able to take advantage of hardware acceleration but it must have tons of overhead less than if it used the crypto API. > > Maybe this patch should go in but then crypto/asymmetric_keys/rsa.c should > kind of being removed or point to kernel crypto API? >> >>Signed-off-by: Andrew Zaborowski >>--- >> crypto/Makefile | 1 + >> crypto/rsa-padding.c | 586 >>++ crypto/rsa.c | >>16 +- >> include/crypto/internal/rsa.h | 2 + >> 4 files changed, 604 insertions(+), 1 deletion(-) >> create mode 100644 crypto/rsa-padding.c >> >>diff --git a/crypto/Makefile b/crypto/Makefile >>index f7aba92..46fe0b4 100644 >>--- a/crypto/Makefile >>+++ b/crypto/Makefile >>@@ -40,6 +40,7 @@ rsa_generic-y := rsapubkey-asn1.o >> rsa_generic-y += rsaprivkey-asn1.o >> rsa_generic-y += rsa.o >> rsa_generic-y += rsa_helper.o >>+rsa_generic-y += rsa-padding.o >> obj-$(CONFIG_CRYPTO_RSA) += rsa_generic.o >> >> cryptomgr-y := algboss.o testmgr.o >>diff --git a/crypto/rsa-padding.c b/crypto/rsa-padding.c >>new file mode 100644 >>index 000..b9f9f31 >>--- /dev/null >>+++ b/crypto/rsa-padding.c >>@@ -0,0 +1,586 @@ >>+/* >>+ * RSA padding templates. >>+ * >>+ * Copyright (c) 2015 Intel Corporation >>+ * >>+ * This program is free software; you can redistribute it and/or modify it >>+ * under the terms of the GNU General Public License as published by the >>Free + * Software Foundation; either version 2 of the License, or (at your >>option) + * any later version. >>+ */ >>+ >>+#include >>+#include >>+#include >>+#include >>+#include >>+#include >>+#include >>+#include >>+ >>+struct pkcs1pad_ctx { >>+ struct crypto_akcipher *child; >>+ >>+ unsigned int key_size; >>+}; >>+ >>+struct pkcs1pad_request { >>+ struct akcipher_request child_req; >>+ >>+ struct scatterlist in_sg[3], out_sg[2]; >>+ uint8_t *in_buf, *out_buf; >>+}; >>+ >>+static int pkcs1pad_set_pub_key(struct crypto_akcipher *tfm, const void >>*key, +unsigned int keylen) >>+{ >>+ struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); >>+ int err, size; >>+ >>+ err = crypto_akcipher_set_pub_key(ctx->child, key, keylen); >>+ >>+ if (!err) { >>+ /* Find out new modulus size from rsa implementation */ >>+ size = crypto_akcipher_maxsize(ctx->child); >>+ >>+ ctx->key_size = size > 0 ? size : 0; >>+ if (size <= 0) >>+ err = size; >>+ } >>+ >>+ return err; >>+} >>+ >>+static int pkcs1pad_set_priv_key(struct crypto_akcipher *tfm, const void >>*key, +unsigned int keylen) >>+{ >>+ struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); >>+ int err, size; >>+ >>+ err = crypto_akcipher_set_priv_key(ctx->child, key, keylen); >>+ >>+ if (!err) { >>+ /* Find out new modulus size from rsa implementation */ >>+ size = crypto_akcipher_maxsize(ctx->child); >>+ >>+ ctx->key_size = size > 0 ? size : 0; >>+ if (size <= 0) >>+ err = size; >>+ } >>+ >>+ return err; >>+} >>+ >>+static int pkcs1pad_get_max_size(struct crypto_akcipher *tfm) >>+{ >>+ struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); >>+ >>+ /* >>+ * The maximum destination buffer size for the encrypt/sign operations >>+ * will be the same as for RSA, even though it's smaller for >>+ * decrypt/verify. >>+ */ >>+ >>+ return ctx->key_size ?: -EINVAL; >>+} >>+ >>+static void pkcs1pad_sg_set_buf(struct scatterlist *sg, void *buf, size_t >>len, + struct scatterlist *next) >>+{ >>+ int nsegs = next ? 1 : 0; >>+ >>+ if (offset_in_page(buf) + len <= PAGE_SIZE) { >>+ nsegs += 1; >>+ sg_init_table(sg, nsegs); >>+ sg_set_buf(sg, buf, len); >>+ } else { >>+ nsegs += 2; >>+ sg_init_table(sg, nsegs); >>+ sg_set_buf(sg + 0, buf, PAGE_SIZE -
Re: [PATCH 1/4] lib/mpi: only require buffers as big as needed for the integer
Hi Stephan, On 13 November 2015 at 13:47, Stephan Muellerwrote: > Sorry to be picky here, but is this v2? If yes, may I ask (at least for the > future) for brief notation of the changes as well as a marking of the patches. There are no changes in patches 1-3, I wasn't sure if it was okay to resend just that one patch that was affected. I'll include some indication of that next time for the clients that don't make it apparent that a message is a plain resend. Best regards -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 1/4] lib/mpi: only require buffers as big as needed for the integer
Am Freitag, 13. November 2015, 12:01:32 schrieb Andrew Zaborowski: Hi Andrew, >Since mpi_write_to_sgl and mpi_read_buffer explicitly left-align the >integers being written it makes no sense to require a buffer big enough for >the number + the leading zero bytes which are not written. The error >returned also doesn't convey any information. So instead require only the >size needed and return -EOVERFLOW to signal when buffer too short. Sorry to be picky here, but is this v2? If yes, may I ask (at least for the future) for brief notation of the changes as well as a marking of the patches. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] crypto: sun4i-ss: add missing statesize
sun4i-ss implementaton of md5/sha1 is via ahash algorithms. Commit 8996eafdcbad ("crypto: ahash - ensure statesize is non-zero") made impossible to load them without giving statesize. This patch specifiy statesize for sha1 and md5. Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") Cc:# v4.3+ Tested-by: Chen-Yu Tsai Signed-off-by: LABBE Corentin --- drivers/crypto/sunxi-ss/sun4i-ss-core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/crypto/sunxi-ss/sun4i-ss-core.c b/drivers/crypto/sunxi-ss/sun4i-ss-core.c index eab6fe2..107cd2a 100644 --- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c +++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c @@ -39,6 +39,7 @@ static struct sun4i_ss_alg_template ss_algs[] = { .import = sun4i_hash_import_md5, .halg = { .digestsize = MD5_DIGEST_SIZE, + .statesize = sizeof(struct md5_state), .base = { .cra_name = "md5", .cra_driver_name = "md5-sun4i-ss", @@ -66,6 +67,7 @@ static struct sun4i_ss_alg_template ss_algs[] = { .import = sun4i_hash_import_sha1, .halg = { .digestsize = SHA1_DIGEST_SIZE, + .statesize = sizeof(struct sha1_state), .base = { .cra_name = "sha1", .cra_driver_name = "sha1-sun4i-ss", -- 2.4.10 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html