From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: stable@vger.kernel.org, Gilad Ben-Yossef <gilad@benyossef.com>
Subject: [PATCH 03/16] crypto: ofb - fix handling partial blocks and make thread-safe
Date: Thu, 3 Jan 2019 20:16:12 -0800 [thread overview]
Message-ID: <20190104041625.3259-4-ebiggers@kernel.org> (raw)
In-Reply-To: <20190104041625.3259-1-ebiggers@kernel.org>
From: Eric Biggers <ebiggers@google.com>
Fix multiple bugs in the OFB implementation:
1. It stored the per-request state 'cnt' in the tfm context, which can be
used by multiple threads concurrently (e.g. via AF_ALG).
2. It didn't support messages not a multiple of the block cipher size,
despite being a stream cipher.
3. It didn't set cra_blocksize to 1 to indicate it is a stream cipher.
To fix these, set the 'chunksize' property to the cipher block size to
guarantee that when walking through the scatterlist, a partial block can
only occur at the end. Then change the implementation to XOR a block at
a time at first, then XOR the partial block at the end if needed. This
is the same way CTR and CFB are implemented. As a bonus, this also
improves performance in most cases over the current approach.
Fixes: e497c51896b3 ("crypto: ofb - add output feedback mode")
Cc: <stable@vger.kernel.org> # v4.20+
Cc: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
crypto/ofb.c | 91 ++++++++++++++++++++----------------------------
crypto/testmgr.h | 28 +++++++++++++--
2 files changed, 63 insertions(+), 56 deletions(-)
diff --git a/crypto/ofb.c b/crypto/ofb.c
index 886631708c5e9..cab0b80953fed 100644
--- a/crypto/ofb.c
+++ b/crypto/ofb.c
@@ -5,9 +5,6 @@
*
* Copyright (C) 2018 ARM Limited or its affiliates.
* All rights reserved.
- *
- * Based loosely on public domain code gleaned from libtomcrypt
- * (https://github.com/libtom/libtomcrypt).
*/
#include <crypto/algapi.h>
@@ -21,7 +18,6 @@
struct crypto_ofb_ctx {
struct crypto_cipher *child;
- int cnt;
};
@@ -41,58 +37,40 @@ static int crypto_ofb_setkey(struct crypto_skcipher *parent, const u8 *key,
return err;
}
-static int crypto_ofb_encrypt_segment(struct crypto_ofb_ctx *ctx,
- struct skcipher_walk *walk,
- struct crypto_cipher *tfm)
+static int crypto_ofb_crypt(struct skcipher_request *req)
{
- int bsize = crypto_cipher_blocksize(tfm);
- int nbytes = walk->nbytes;
-
- u8 *src = walk->src.virt.addr;
- u8 *dst = walk->dst.virt.addr;
- u8 *iv = walk->iv;
-
- do {
- if (ctx->cnt == bsize) {
- if (nbytes < bsize)
- break;
- crypto_cipher_encrypt_one(tfm, iv, iv);
- ctx->cnt = 0;
- }
- *dst = *src ^ iv[ctx->cnt];
- src++;
- dst++;
- ctx->cnt++;
- } while (--nbytes);
- return nbytes;
-}
-
-static int crypto_ofb_encrypt(struct skcipher_request *req)
-{
- struct skcipher_walk walk;
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
- unsigned int bsize;
struct crypto_ofb_ctx *ctx = crypto_skcipher_ctx(tfm);
- struct crypto_cipher *child = ctx->child;
- int ret = 0;
+ struct crypto_cipher *cipher = ctx->child;
+ const unsigned int bsize = crypto_cipher_blocksize(cipher);
+ struct skcipher_walk walk;
+ int err;
- bsize = crypto_cipher_blocksize(child);
- ctx->cnt = bsize;
+ err = skcipher_walk_virt(&walk, req, false);
- ret = skcipher_walk_virt(&walk, req, false);
+ while (walk.nbytes >= bsize) {
+ const u8 *src = walk.src.virt.addr;
+ u8 *dst = walk.dst.virt.addr;
+ u8 * const iv = walk.iv;
+ unsigned int nbytes = walk.nbytes;
- while (walk.nbytes) {
- ret = crypto_ofb_encrypt_segment(ctx, &walk, child);
- ret = skcipher_walk_done(&walk, ret);
- }
+ do {
+ crypto_cipher_encrypt_one(cipher, iv, iv);
+ crypto_xor_cpy(dst, src, iv, bsize);
+ dst += bsize;
+ src += bsize;
+ } while ((nbytes -= bsize) >= bsize);
- return ret;
-}
+ err = skcipher_walk_done(&walk, nbytes);
+ }
-/* OFB encrypt and decrypt are identical */
-static int crypto_ofb_decrypt(struct skcipher_request *req)
-{
- return crypto_ofb_encrypt(req);
+ if (walk.nbytes) {
+ crypto_cipher_encrypt_one(cipher, walk.iv, walk.iv);
+ crypto_xor_cpy(walk.dst.virt.addr, walk.src.virt.addr, walk.iv,
+ walk.nbytes);
+ err = skcipher_walk_done(&walk, 0);
+ }
+ return err;
}
static int crypto_ofb_init_tfm(struct crypto_skcipher *tfm)
@@ -165,13 +143,18 @@ static int crypto_ofb_create(struct crypto_template *tmpl, struct rtattr **tb)
if (err)
goto err_drop_spawn;
+ /* OFB mode is a stream cipher. */
+ inst->alg.base.cra_blocksize = 1;
+
+ /*
+ * To simplify the implementation, configure the skcipher walk to only
+ * give a partial block at the very end, never earlier.
+ */
+ inst->alg.chunksize = alg->cra_blocksize;
+
inst->alg.base.cra_priority = alg->cra_priority;
- inst->alg.base.cra_blocksize = alg->cra_blocksize;
inst->alg.base.cra_alignmask = alg->cra_alignmask;
- /* We access the data as u32s when xoring. */
- inst->alg.base.cra_alignmask |= __alignof__(u32) - 1;
-
inst->alg.ivsize = alg->cra_blocksize;
inst->alg.min_keysize = alg->cra_cipher.cia_min_keysize;
inst->alg.max_keysize = alg->cra_cipher.cia_max_keysize;
@@ -182,8 +165,8 @@ static int crypto_ofb_create(struct crypto_template *tmpl, struct rtattr **tb)
inst->alg.exit = crypto_ofb_exit_tfm;
inst->alg.setkey = crypto_ofb_setkey;
- inst->alg.encrypt = crypto_ofb_encrypt;
- inst->alg.decrypt = crypto_ofb_decrypt;
+ inst->alg.encrypt = crypto_ofb_crypt;
+ inst->alg.decrypt = crypto_ofb_crypt;
inst->free = crypto_ofb_free;
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 7f4dae7a57a1c..ca8e8ebef309d 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -16681,8 +16681,7 @@ static const struct cipher_testvec aes_ctr_rfc3686_tv_template[] = {
};
static const struct cipher_testvec aes_ofb_tv_template[] = {
- /* From NIST Special Publication 800-38A, Appendix F.5 */
- {
+ { /* From NIST Special Publication 800-38A, Appendix F.5 */
.key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
"\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
.klen = 16,
@@ -16705,6 +16704,31 @@ static const struct cipher_testvec aes_ofb_tv_template[] = {
"\x30\x4c\x65\x28\xf6\x59\xc7\x78"
"\x66\xa5\x10\xd9\xc1\xd6\xae\x5e",
.len = 64,
+ .also_non_np = 1,
+ .np = 2,
+ .tap = { 31, 33 },
+ }, { /* > 16 bytes, not a multiple of 16 bytes */
+ .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
+ "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
+ .klen = 16,
+ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96"
+ "\xe9\x3d\x7e\x11\x73\x93\x17\x2a"
+ "\xae",
+ .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20"
+ "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a"
+ "\x77",
+ .len = 17,
+ }, { /* < 16 bytes */
+ .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6"
+ "\xab\xf7\x15\x88\x09\xcf\x4f\x3c",
+ .klen = 16,
+ .iv = "\x00\x01\x02\x03\x04\x05\x06\x07"
+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+ .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f",
+ .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad",
+ .len = 7,
}
};
--
2.20.1
next prev parent reply other threads:[~2019-01-04 4:20 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-04 4:16 [PATCH 00/16] crypto: skcipher template simplifications and conversions Eric Biggers
2019-01-04 4:16 ` [PATCH 01/16] crypto: cfb - add missing 'chunksize' property Eric Biggers
[not found] ` <20190104210311.5AC542087F@mail.kernel.org>
2019-01-05 3:07 ` Eric Biggers
2019-01-05 3:40 ` Herbert Xu
2019-01-04 4:16 ` [PATCH 02/16] crypto: cfb - remove bogus memcpy() with src == dest Eric Biggers
2019-01-04 4:16 ` Eric Biggers [this message]
2019-01-06 10:38 ` [PATCH 03/16] crypto: ofb - fix handling partial blocks and make thread-safe Gilad Ben-Yossef
2019-01-04 4:16 ` [PATCH 04/16] crypto: pcbc - remove bogus memcpy()s with src == dest Eric Biggers
2019-01-04 9:57 ` David Howells
2019-01-04 17:07 ` Eric Biggers
2019-01-04 17:24 ` David Howells
2019-01-04 4:16 ` [PATCH 05/16] crypto: skcipher - add helper for simple block cipher modes Eric Biggers
2019-01-05 12:03 ` Stephan Mueller
2019-01-06 21:09 ` Eric Biggers
2019-01-04 4:16 ` [PATCH 06/16] crypto: cbc - convert to skcipher_alloc_instance_simple() Eric Biggers
2019-01-04 4:16 ` [PATCH 07/16] crypto: cfb " Eric Biggers
2019-01-04 4:16 ` [PATCH 08/16] crypto: ctr - convert to skcipher API Eric Biggers
2019-01-04 4:16 ` [PATCH 09/16] crypto: ecb " Eric Biggers
2019-01-04 4:16 ` [PATCH 10/16] crypto: keywrap " Eric Biggers
2019-01-05 11:40 ` Stephan Mueller
2019-01-04 4:16 ` [PATCH 11/16] crypto: ofb - convert to skcipher_alloc_instance_simple() Eric Biggers
2019-01-04 4:16 ` [PATCH 12/16] crypto: pcbc - remove ability to wrap internal ciphers Eric Biggers
2019-01-04 4:16 ` [PATCH 13/16] crypto: pcbc - convert to skcipher_alloc_instance_simple() Eric Biggers
2019-01-04 4:16 ` [PATCH 14/16] crypto: arc4 - convert to skcipher API Eric Biggers
2019-01-04 4:16 ` [PATCH 15/16] crypto: null - convert ecb-cipher_null " Eric Biggers
2019-01-04 4:16 ` [PATCH 16/16] crypto: algapi - remove crypto_alloc_instance() Eric Biggers
2019-01-11 6:33 ` [PATCH 00/16] crypto: skcipher template simplifications and conversions Herbert Xu
2019-01-11 17:58 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190104041625.3259-4-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=gilad@benyossef.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.