[PATCH 5/8] smb: client: Use MD5 library for SMB1 signature calculation

[Eric Biggers <ebiggers@kernel.org>]

Convert cifs_calc_signature() to use the MD5 library instead of a "md5"
crypto_shash.  This is simpler and faster.  With the library there's no
need to allocate memory, no need to handle errors, and the MD5 code is
accessed directly without inefficient indirect calls and other
unnecessary API overhead.

To preserve the existing behavior of MD5 signature support being
disabled when the kernel is booted with "fips=1", make
cifs_calc_signature() check fips_enabled itself.  Previously it relied
on the error from cifs_alloc_hash("md5", &server->secmech.md5).

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 fs/smb/client/cifsencrypt.c | 34 +++++++++++++++++-----------------
 fs/smb/client/cifsproto.h   |  1 +
 2 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/fs/smb/client/cifsencrypt.c b/fs/smb/client/cifsencrypt.c
index 9522088a1cfb7..80215ba7a5744 100644
--- a/fs/smb/client/cifsencrypt.c
+++ b/fs/smb/client/cifsencrypt.c
@@ -22,24 +22,33 @@
 #include <linux/highmem.h>
 #include <linux/fips.h>
 #include <linux/iov_iter.h>
 #include <crypto/aead.h>
 #include <crypto/arc4.h>
+#include <crypto/md5.h>
 #include <crypto/sha2.h>
 
 static int cifs_sig_update(struct cifs_calc_sig_ctx *ctx,
 			   const u8 *data, size_t len)
 {
+	if (ctx->md5) {
+		md5_update(ctx->md5, data, len);
+		return 0;
+	}
 	if (ctx->hmac) {
 		hmac_sha256_update(ctx->hmac, data, len);
 		return 0;
 	}
 	return crypto_shash_update(ctx->shash, data, len);
 }
 
 static int cifs_sig_final(struct cifs_calc_sig_ctx *ctx, u8 *out)
 {
+	if (ctx->md5) {
+		md5_final(ctx->md5, out);
+		return 0;
+	}
 	if (ctx->hmac) {
 		hmac_sha256_final(ctx->hmac, out);
 		return 0;
 	}
 	return crypto_shash_final(ctx->shash, out);
@@ -128,35 +137,26 @@ int __cifs_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,
  * should be called with the server->srv_mutex held.
  */
 static int cifs_calc_signature(struct smb_rqst *rqst,
 			struct TCP_Server_Info *server, char *signature)
 {
-	int rc;
+	struct md5_ctx ctx;
 
 	if (!rqst->rq_iov || !signature || !server)
 		return -EINVAL;
-
-	rc = cifs_alloc_hash("md5", &server->secmech.md5);
-	if (rc)
-		return -1;
-
-	rc = crypto_shash_init(server->secmech.md5);
-	if (rc) {
-		cifs_dbg(VFS, "%s: Could not init md5\n", __func__);
-		return rc;
+	if (fips_enabled) {
+		cifs_dbg(VFS,
+			 "MD5 signature support is disabled due to FIPS\n");
+		return -EOPNOTSUPP;
 	}
 
-	rc = crypto_shash_update(server->secmech.md5,
-		server->session_key.response, server->session_key.len);
-	if (rc) {
-		cifs_dbg(VFS, "%s: Could not update with response\n", __func__);
-		return rc;
-	}
+	md5_init(&ctx);
+	md5_update(&ctx, server->session_key.response, server->session_key.len);
 
 	return __cifs_calc_signature(
 		rqst, server, signature,
-		&(struct cifs_calc_sig_ctx){ .shash = server->secmech.md5 });
+		&(struct cifs_calc_sig_ctx){ .md5 = &ctx });
 }
 
 /* must be called with server->srv_mutex held */
 int cifs_sign_rqst(struct smb_rqst *rqst, struct TCP_Server_Info *server,
 		   __u32 *pexpected_response_sequence_number)
diff --git a/fs/smb/client/cifsproto.h b/fs/smb/client/cifsproto.h
index 3bb74eea0e4ff..4976be2c47c14 100644
--- a/fs/smb/client/cifsproto.h
+++ b/fs/smb/client/cifsproto.h
@@ -631,10 +631,11 @@ int cifs_query_mf_symlink(unsigned int xid, struct cifs_tcon *tcon,
 int cifs_create_mf_symlink(unsigned int xid, struct cifs_tcon *tcon,
 			   struct cifs_sb_info *cifs_sb,
 			   const unsigned char *path, char *pbuf,
 			   unsigned int *pbytes_written);
 struct cifs_calc_sig_ctx {
+	struct md5_ctx *md5;
 	struct hmac_sha256_ctx *hmac;
 	struct shash_desc *shash;
 };
 int __cifs_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,
 			  char *signature, struct cifs_calc_sig_ctx *ctx);
-- 
2.51.0