mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-11-01 00:48:50 +00:00
c4913c7b71
Steps to reproduce: modprobe tcrypt # with CONFIG_DEBUG_SG=y testing cts(cbc(aes)) encryption test 1 (128 bit key): ------------[ cut here ]------------ kernel BUG at include/linux/scatterlist.h:65! invalid opcode: 0000 [1] PREEMPT SMP DEBUG_PAGEALLOC CPU 0 Modules linked in: tea xts twofish twofish_common tcrypt(+) [maaaany] Pid: 16151, comm: modprobe Not tainted 2.6.26-rc4-fat #7 RIP: 0010:[<ffffffffa0bf032e>] [<ffffffffa0bf032e>] :cts:cts_cbc_encrypt+0x151/0x355 RSP: 0018:ffff81016f497a88 EFLAGS: 00010286 RAX: ffffe20009535d58 RBX: ffff81016f497af0 RCX: 0000000087654321 RDX: ffff8100010d4f28 RSI: ffff81016f497ee8 RDI: ffff81016f497ac0 RBP: ffff81016f497c38 R08: 0000000000000000 R09: 0000000000000011 R10: ffffffff00000008 R11: ffff8100010d4f28 R12: ffff81016f497ac0 R13: ffff81016f497b30 R14: 0000000000000010 R15: 0000000000000010 FS: 00007fac6fa276f0(0000) GS:ffffffff8060e000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00007f12ca7cc000 CR3: 000000016f441000 CR4: 00000000000026e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400 Process modprobe (pid: 16151, threadinfo ffff81016f496000, task ffff8101755b4ae0) Stack: 0000000000000001 ffff81016f496000 ffffffff80719f78 0000000000000001 0000000000000001 ffffffff8020c87c ffff81016f99c918 20646c756f772049 65687420656b696c 0000000000000020 0000000000000000 0000000033341102 Call Trace: [<ffffffff8020c87c>] ? restore_args+0x0/0x30 [<ffffffffa04aa311>] ? :aes_generic:crypto_aes_expand_key+0x311/0x369 [<ffffffff802ab453>] ? check_object+0x15a/0x213 [<ffffffff802aad22>] ? init_object+0x6e/0x76 [<ffffffff802ac3ae>] ? __slab_free+0xfc/0x371 [<ffffffffa0bf05ed>] :cts:crypto_cts_encrypt+0xbb/0xca [<ffffffffa07108de>] ? :crypto_blkcipher:setkey+0xc7/0xec [<ffffffffa07110b8>] :crypto_blkcipher:async_encrypt+0x38/0x3a [<ffffffffa2ce9341>] :tcrypt:test_cipher+0x261/0x7c6 [<ffffffffa2cfd9df>] :tcrypt:tcrypt_mod_init+0x9df/0x1b30 [<ffffffff80261e35>] sys_init_module+0x9e/0x1b2 [<ffffffff8020c15a>] system_call_after_swapgs+0x8a/0x8f Code: 45 c0 e8 aa 24 63 df 48 c1 e8 0c 48 b9 00 00 00 00 00 e2 ff ff 48 8b 55 88 48 6b c0 68 48 01 c8 b9 21 43 65 87 48 39 4d 80 74 04 <0f> 0b eb fe f6 c2 01 74 04 0f 0b eb fe 83 e2 03 4c 89 ef 44 89 RIP [<ffffffffa0bf032e>] :cts:cts_cbc_encrypt+0x151/0x355 RSP <ffff81016f497a88> ---[ end trace e8bahiarjand37fd ]--- Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
353 lines
9.8 KiB
C
353 lines
9.8 KiB
C
/*
|
|
* CTS: Cipher Text Stealing mode
|
|
*
|
|
* COPYRIGHT (c) 2008
|
|
* The Regents of the University of Michigan
|
|
* ALL RIGHTS RESERVED
|
|
*
|
|
* Permission is granted to use, copy, create derivative works
|
|
* and redistribute this software and such derivative works
|
|
* for any purpose, so long as the name of The University of
|
|
* Michigan is not used in any advertising or publicity
|
|
* pertaining to the use of distribution of this software
|
|
* without specific, written prior authorization. If the
|
|
* above copyright notice or any other identification of the
|
|
* University of Michigan is included in any copy of any
|
|
* portion of this software, then the disclaimer below must
|
|
* also be included.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
|
|
* FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
|
|
* PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
|
|
* MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
|
|
* WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
|
|
* REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
|
|
* FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
|
|
* CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
|
|
* OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
|
|
* IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGES.
|
|
*/
|
|
|
|
/* Derived from various:
|
|
* Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
|
|
*/
|
|
|
|
/*
|
|
* This is the Cipher Text Stealing mode as described by
|
|
* Section 8 of rfc2040 and referenced by rfc3962.
|
|
* rfc3962 includes errata information in its Appendix A.
|
|
*/
|
|
|
|
#include <crypto/algapi.h>
|
|
#include <linux/err.h>
|
|
#include <linux/init.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/log2.h>
|
|
#include <linux/module.h>
|
|
#include <linux/scatterlist.h>
|
|
#include <crypto/scatterwalk.h>
|
|
#include <linux/slab.h>
|
|
|
|
struct crypto_cts_ctx {
|
|
struct crypto_blkcipher *child;
|
|
};
|
|
|
|
static int crypto_cts_setkey(struct crypto_tfm *parent, const u8 *key,
|
|
unsigned int keylen)
|
|
{
|
|
struct crypto_cts_ctx *ctx = crypto_tfm_ctx(parent);
|
|
struct crypto_blkcipher *child = ctx->child;
|
|
int err;
|
|
|
|
crypto_blkcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
|
|
crypto_blkcipher_set_flags(child, crypto_tfm_get_flags(parent) &
|
|
CRYPTO_TFM_REQ_MASK);
|
|
err = crypto_blkcipher_setkey(child, key, keylen);
|
|
crypto_tfm_set_flags(parent, crypto_blkcipher_get_flags(child) &
|
|
CRYPTO_TFM_RES_MASK);
|
|
return err;
|
|
}
|
|
|
|
static int cts_cbc_encrypt(struct crypto_cts_ctx *ctx,
|
|
struct blkcipher_desc *desc,
|
|
struct scatterlist *dst,
|
|
struct scatterlist *src,
|
|
unsigned int offset,
|
|
unsigned int nbytes)
|
|
{
|
|
int bsize = crypto_blkcipher_blocksize(desc->tfm);
|
|
u8 tmp[bsize], tmp2[bsize];
|
|
struct blkcipher_desc lcldesc;
|
|
struct scatterlist sgsrc[1], sgdst[1];
|
|
int lastn = nbytes - bsize;
|
|
u8 iv[bsize];
|
|
u8 s[bsize * 2], d[bsize * 2];
|
|
int err;
|
|
|
|
if (lastn < 0)
|
|
return -EINVAL;
|
|
|
|
sg_init_table(sgsrc, 1);
|
|
sg_init_table(sgdst, 1);
|
|
|
|
memset(s, 0, sizeof(s));
|
|
scatterwalk_map_and_copy(s, src, offset, nbytes, 0);
|
|
|
|
memcpy(iv, desc->info, bsize);
|
|
|
|
lcldesc.tfm = ctx->child;
|
|
lcldesc.info = iv;
|
|
lcldesc.flags = desc->flags;
|
|
|
|
sg_set_buf(&sgsrc[0], s, bsize);
|
|
sg_set_buf(&sgdst[0], tmp, bsize);
|
|
err = crypto_blkcipher_encrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
|
|
|
|
memcpy(d + bsize, tmp, lastn);
|
|
|
|
lcldesc.info = tmp;
|
|
|
|
sg_set_buf(&sgsrc[0], s + bsize, bsize);
|
|
sg_set_buf(&sgdst[0], tmp2, bsize);
|
|
err = crypto_blkcipher_encrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
|
|
|
|
memcpy(d, tmp2, bsize);
|
|
|
|
scatterwalk_map_and_copy(d, dst, offset, nbytes, 1);
|
|
|
|
memcpy(desc->info, tmp2, bsize);
|
|
|
|
return err;
|
|
}
|
|
|
|
static int crypto_cts_encrypt(struct blkcipher_desc *desc,
|
|
struct scatterlist *dst, struct scatterlist *src,
|
|
unsigned int nbytes)
|
|
{
|
|
struct crypto_cts_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
|
|
int bsize = crypto_blkcipher_blocksize(desc->tfm);
|
|
int tot_blocks = (nbytes + bsize - 1) / bsize;
|
|
int cbc_blocks = tot_blocks > 2 ? tot_blocks - 2 : 0;
|
|
struct blkcipher_desc lcldesc;
|
|
int err;
|
|
|
|
lcldesc.tfm = ctx->child;
|
|
lcldesc.info = desc->info;
|
|
lcldesc.flags = desc->flags;
|
|
|
|
if (tot_blocks == 1) {
|
|
err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src, bsize);
|
|
} else if (nbytes <= bsize * 2) {
|
|
err = cts_cbc_encrypt(ctx, desc, dst, src, 0, nbytes);
|
|
} else {
|
|
/* do normal function for tot_blocks - 2 */
|
|
err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src,
|
|
cbc_blocks * bsize);
|
|
if (err == 0) {
|
|
/* do cts for final two blocks */
|
|
err = cts_cbc_encrypt(ctx, desc, dst, src,
|
|
cbc_blocks * bsize,
|
|
nbytes - (cbc_blocks * bsize));
|
|
}
|
|
}
|
|
|
|
return err;
|
|
}
|
|
|
|
static int cts_cbc_decrypt(struct crypto_cts_ctx *ctx,
|
|
struct blkcipher_desc *desc,
|
|
struct scatterlist *dst,
|
|
struct scatterlist *src,
|
|
unsigned int offset,
|
|
unsigned int nbytes)
|
|
{
|
|
int bsize = crypto_blkcipher_blocksize(desc->tfm);
|
|
u8 tmp[bsize];
|
|
struct blkcipher_desc lcldesc;
|
|
struct scatterlist sgsrc[1], sgdst[1];
|
|
int lastn = nbytes - bsize;
|
|
u8 iv[bsize];
|
|
u8 s[bsize * 2], d[bsize * 2];
|
|
int err;
|
|
|
|
if (lastn < 0)
|
|
return -EINVAL;
|
|
|
|
sg_init_table(sgsrc, 1);
|
|
sg_init_table(sgdst, 1);
|
|
|
|
scatterwalk_map_and_copy(s, src, offset, nbytes, 0);
|
|
|
|
lcldesc.tfm = ctx->child;
|
|
lcldesc.info = iv;
|
|
lcldesc.flags = desc->flags;
|
|
|
|
/* 1. Decrypt Cn-1 (s) to create Dn (tmp)*/
|
|
memset(iv, 0, sizeof(iv));
|
|
sg_set_buf(&sgsrc[0], s, bsize);
|
|
sg_set_buf(&sgdst[0], tmp, bsize);
|
|
err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
|
|
if (err)
|
|
return err;
|
|
/* 2. Pad Cn with zeros at the end to create C of length BB */
|
|
memset(iv, 0, sizeof(iv));
|
|
memcpy(iv, s + bsize, lastn);
|
|
/* 3. Exclusive-or Dn (tmp) with C (iv) to create Xn (tmp) */
|
|
crypto_xor(tmp, iv, bsize);
|
|
/* 4. Select the first Ln bytes of Xn (tmp) to create Pn */
|
|
memcpy(d + bsize, tmp, lastn);
|
|
|
|
/* 5. Append the tail (BB - Ln) bytes of Xn (tmp) to Cn to create En */
|
|
memcpy(s + bsize + lastn, tmp + lastn, bsize - lastn);
|
|
/* 6. Decrypt En to create Pn-1 */
|
|
memset(iv, 0, sizeof(iv));
|
|
sg_set_buf(&sgsrc[0], s + bsize, bsize);
|
|
sg_set_buf(&sgdst[0], d, bsize);
|
|
err = crypto_blkcipher_decrypt_iv(&lcldesc, sgdst, sgsrc, bsize);
|
|
|
|
/* XOR with previous block */
|
|
crypto_xor(d, desc->info, bsize);
|
|
|
|
scatterwalk_map_and_copy(d, dst, offset, nbytes, 1);
|
|
|
|
memcpy(desc->info, s, bsize);
|
|
return err;
|
|
}
|
|
|
|
static int crypto_cts_decrypt(struct blkcipher_desc *desc,
|
|
struct scatterlist *dst, struct scatterlist *src,
|
|
unsigned int nbytes)
|
|
{
|
|
struct crypto_cts_ctx *ctx = crypto_blkcipher_ctx(desc->tfm);
|
|
int bsize = crypto_blkcipher_blocksize(desc->tfm);
|
|
int tot_blocks = (nbytes + bsize - 1) / bsize;
|
|
int cbc_blocks = tot_blocks > 2 ? tot_blocks - 2 : 0;
|
|
struct blkcipher_desc lcldesc;
|
|
int err;
|
|
|
|
lcldesc.tfm = ctx->child;
|
|
lcldesc.info = desc->info;
|
|
lcldesc.flags = desc->flags;
|
|
|
|
if (tot_blocks == 1) {
|
|
err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src, bsize);
|
|
} else if (nbytes <= bsize * 2) {
|
|
err = cts_cbc_decrypt(ctx, desc, dst, src, 0, nbytes);
|
|
} else {
|
|
/* do normal function for tot_blocks - 2 */
|
|
err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src,
|
|
cbc_blocks * bsize);
|
|
if (err == 0) {
|
|
/* do cts for final two blocks */
|
|
err = cts_cbc_decrypt(ctx, desc, dst, src,
|
|
cbc_blocks * bsize,
|
|
nbytes - (cbc_blocks * bsize));
|
|
}
|
|
}
|
|
return err;
|
|
}
|
|
|
|
static int crypto_cts_init_tfm(struct crypto_tfm *tfm)
|
|
{
|
|
struct crypto_instance *inst = (void *)tfm->__crt_alg;
|
|
struct crypto_spawn *spawn = crypto_instance_ctx(inst);
|
|
struct crypto_cts_ctx *ctx = crypto_tfm_ctx(tfm);
|
|
struct crypto_blkcipher *cipher;
|
|
|
|
cipher = crypto_spawn_blkcipher(spawn);
|
|
if (IS_ERR(cipher))
|
|
return PTR_ERR(cipher);
|
|
|
|
ctx->child = cipher;
|
|
return 0;
|
|
}
|
|
|
|
static void crypto_cts_exit_tfm(struct crypto_tfm *tfm)
|
|
{
|
|
struct crypto_cts_ctx *ctx = crypto_tfm_ctx(tfm);
|
|
crypto_free_blkcipher(ctx->child);
|
|
}
|
|
|
|
static struct crypto_instance *crypto_cts_alloc(struct rtattr **tb)
|
|
{
|
|
struct crypto_instance *inst;
|
|
struct crypto_alg *alg;
|
|
int err;
|
|
|
|
err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_BLKCIPHER);
|
|
if (err)
|
|
return ERR_PTR(err);
|
|
|
|
alg = crypto_attr_alg(tb[1], CRYPTO_ALG_TYPE_BLKCIPHER,
|
|
CRYPTO_ALG_TYPE_MASK);
|
|
err = PTR_ERR(alg);
|
|
if (IS_ERR(alg))
|
|
return ERR_PTR(err);
|
|
|
|
inst = ERR_PTR(-EINVAL);
|
|
if (!is_power_of_2(alg->cra_blocksize))
|
|
goto out_put_alg;
|
|
|
|
inst = crypto_alloc_instance("cts", alg);
|
|
if (IS_ERR(inst))
|
|
goto out_put_alg;
|
|
|
|
inst->alg.cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER;
|
|
inst->alg.cra_priority = alg->cra_priority;
|
|
inst->alg.cra_blocksize = alg->cra_blocksize;
|
|
inst->alg.cra_alignmask = alg->cra_alignmask;
|
|
inst->alg.cra_type = &crypto_blkcipher_type;
|
|
|
|
/* We access the data as u32s when xoring. */
|
|
inst->alg.cra_alignmask |= __alignof__(u32) - 1;
|
|
|
|
inst->alg.cra_blkcipher.ivsize = alg->cra_blocksize;
|
|
inst->alg.cra_blkcipher.min_keysize = alg->cra_blkcipher.min_keysize;
|
|
inst->alg.cra_blkcipher.max_keysize = alg->cra_blkcipher.max_keysize;
|
|
|
|
inst->alg.cra_blkcipher.geniv = "seqiv";
|
|
|
|
inst->alg.cra_ctxsize = sizeof(struct crypto_cts_ctx);
|
|
|
|
inst->alg.cra_init = crypto_cts_init_tfm;
|
|
inst->alg.cra_exit = crypto_cts_exit_tfm;
|
|
|
|
inst->alg.cra_blkcipher.setkey = crypto_cts_setkey;
|
|
inst->alg.cra_blkcipher.encrypt = crypto_cts_encrypt;
|
|
inst->alg.cra_blkcipher.decrypt = crypto_cts_decrypt;
|
|
|
|
out_put_alg:
|
|
crypto_mod_put(alg);
|
|
return inst;
|
|
}
|
|
|
|
static void crypto_cts_free(struct crypto_instance *inst)
|
|
{
|
|
crypto_drop_spawn(crypto_instance_ctx(inst));
|
|
kfree(inst);
|
|
}
|
|
|
|
static struct crypto_template crypto_cts_tmpl = {
|
|
.name = "cts",
|
|
.alloc = crypto_cts_alloc,
|
|
.free = crypto_cts_free,
|
|
.module = THIS_MODULE,
|
|
};
|
|
|
|
static int __init crypto_cts_module_init(void)
|
|
{
|
|
return crypto_register_template(&crypto_cts_tmpl);
|
|
}
|
|
|
|
static void __exit crypto_cts_module_exit(void)
|
|
{
|
|
crypto_unregister_template(&crypto_cts_tmpl);
|
|
}
|
|
|
|
module_init(crypto_cts_module_init);
|
|
module_exit(crypto_cts_module_exit);
|
|
|
|
MODULE_LICENSE("Dual BSD/GPL");
|
|
MODULE_DESCRIPTION("CTS-CBC CipherText Stealing for CBC");
|