// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Scatterlist Cryptographic API.
*
* Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
* Copyright (c) 2002 David S. Miller (davem@redhat.com)
* Copyright (c) 2005 Herbert Xu <herbert@gondor.apana.org.au>
*
* Portions derived from Cryptoapi, by Alexander Kjeldaas <astor@fast.no>
* and Nettle, by Niels Möller.
*/
#include <linux/err.h>
#include <linux/errno.h>
#include <linux/jump_label.h>
#include <linux/kernel.h>
#include <linux/kmod.h>
#include <linux/module.h>
#include <linux/param.h>
#include <linux/sched/signal.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/completion.h>
#include "internal.h"
/*
 * Global list that the lookup code in this file walks (larvals are added to
 * it as well) and the rwsem taken around every walk or modification of it.
 */
LIST_HEAD(crypto_alg_list);
EXPORT_SYMBOL_GPL(crypto_alg_list);
DECLARE_RWSEM(crypto_alg_sem);
EXPORT_SYMBOL_GPL(crypto_alg_sem);

/* Notifier chain driven by crypto_probing_notify(). */
BLOCKING_NOTIFIER_HEAD(crypto_chain);
EXPORT_SYMBOL_GPL(crypto_chain);

/* Only defined when the API is built in and self-tests are not disabled. */
#if IS_BUILTIN(CONFIG_CRYPTO_ALGAPI) && \
    !IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS)
DEFINE_STATIC_KEY_FALSE(__crypto_boot_test_finished);
#endif

/* Forward declarations: both are used before their definitions below. */
static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
static struct crypto_alg *crypto_alg_lookup(const char *name, u32 type,
					    u32 mask);
/*
 * Pin the module behind @alg and then take a reference on @alg itself.
 *
 * Returns the result of crypto_alg_get(alg), or NULL when try_module_get()
 * refuses the module reference; in that case crypto_alg_get() is never
 * called.  A successful call is balanced by crypto_mod_put().
 */
struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
{
	if (!try_module_get(alg->cra_module))
		return NULL;

	return crypto_alg_get(alg);
}
EXPORT_SYMBOL_GPL(crypto_mod_get);
/*
 * Release what crypto_mod_get() acquired: the reference on @alg first, then
 * the reference on its module.
 */
void crypto_mod_put(struct crypto_alg *alg)
{
	/*
	 * cra_module is read before crypto_alg_put() so that @alg is not
	 * dereferenced after its reference is dropped (presumably the put can
	 * be the final one and release @alg).
	 */
	struct module *owner = alg->cra_module;

	crypto_alg_put(alg);
	module_put(owner);
}
EXPORT_SYMBOL_GPL(crypto_mod_put);
/*
 * Walk crypto_alg_list and return the best usable match for @name, or NULL.
 *
 * An entry is skipped when crypto_is_moribund() reports it, or when any flag
 * bit selected by @mask differs between its cra_flags and @type.  A match on
 * cra_driver_name ends the search at once; otherwise the cra_name match with
 * the highest cra_priority seen so far is kept.
 *
 * The returned algorithm holds a reference taken with crypto_mod_get(); the
 * caller releases it with crypto_mod_put().  Both callers in this file hold
 * crypto_alg_sem around the call.
 */
static struct crypto_alg *__crypto_alg_lookup(const char *name, u32 type,
					      u32 mask)
{
	struct crypto_alg *cand;
	struct crypto_alg *found = NULL;
	/*
	 * Starts below the -1 that crypto_larval_alloc() assigns, so a larval
	 * can still be selected through its cra_name.
	 */
	int best_prio = -2;

	list_for_each_entry(cand, &crypto_alg_list, cra_list) {
		int drv_match, name_match;

		if (crypto_is_moribund(cand))
			continue;

		if ((cand->cra_flags ^ type) & mask)
			continue;

		drv_match = !strcmp(cand->cra_driver_name, name);
		name_match = !strcmp(cand->cra_name, name);

		/* Neither a driver-name hit nor a better generic-name hit. */
		if (!drv_match &&
		    (!name_match || cand->cra_priority <= best_prio))
			continue;

		/* The owning module may be on its way out; try the next one. */
		if (unlikely(!crypto_mod_get(cand)))
			continue;

		best_prio = cand->cra_priority;

		/* Drop the reference held on the candidate being replaced. */
		if (found)
			crypto_mod_put(found);
		found = cand;

		if (drv_match)
			break;
	}

	return found;
}
/*
 * cra_destroy callback installed by crypto_larval_alloc().
 *
 * Drops the reference on the adult algorithm when one was attached (neither
 * NULL nor an error pointer) and frees the larval.  BUGs if @alg is not a
 * larval, since the cast below would then reinterpret unrelated memory.
 */
static void crypto_larval_destroy(struct crypto_alg *alg)
{
	struct crypto_larval *lrv;
	struct crypto_alg *adult;

	BUG_ON(!crypto_is_larval(alg));

	lrv = (void *)alg;
	adult = lrv->adult;
	if (adult && !IS_ERR(adult))
		crypto_mod_put(adult);

	kfree(lrv);
}
/*
 * Allocate and initialise a larval (placeholder) for @name.
 *
 * The larval is zero-allocated, flagged CRYPTO_ALG_LARVAL, given priority -1
 * and crypto_larval_destroy() as its destructor.  It is not added to
 * crypto_alg_list and its refcount is not set here.
 *
 * Returns the larval, or ERR_PTR(-ENOMEM) when the allocation fails.
 */
struct crypto_larval *crypto_larval_alloc(const char *name, u32 type, u32 mask)
{
	struct crypto_larval *larval = kzalloc(sizeof(*larval), GFP_KERNEL);
	u32 keep = mask ? mask : CRYPTO_ALG_TYPE_MASK;

	if (!larval)
		return ERR_PTR(-ENOMEM);

	/*
	 * Reduce the CRYPTO_ALG_TYPE_MASK bits of @type to those selected by
	 * @mask (all of them when @mask is zero); otherwise LSKCIPHER
	 * algorithms may not match SKCIPHER larvals.
	 */
	type &= ~CRYPTO_ALG_TYPE_MASK | keep;

	larval->alg.cra_flags = CRYPTO_ALG_LARVAL | type;
	larval->alg.cra_priority = -1;
	larval->alg.cra_destroy = crypto_larval_destroy;
	larval->mask = mask;

	/*
	 * strscpy() bounds the copy to CRYPTO_MAX_ALG_NAME and always
	 * NUL-terminates.  Its return value is ignored, so an over-long @name
	 * is truncated silently.
	 * NOTE(review): confirm callers bound the name length before this.
	 */
	strscpy(larval->alg.cra_name, name, CRYPTO_MAX_ALG_NAME);
	init_completion(&larval->completion);

	return larval;
}
EXPORT_SYMBOL_GPL(crypto_larval_alloc);
/*
 * Publish a larval for @name unless a matching entry already exists.
 *
 * The lookup and the list insertion happen under one write-lock section of
 * crypto_alg_sem, so two racing callers cannot both insert a larval for the
 * same request.
 *
 * Returns the new larval's crypto_alg when it was inserted; otherwise the
 * entry found by the lookup, waited on through crypto_larval_wait() when
 * that entry is itself a larval; or an error pointer when allocation fails.
 */
static struct crypto_alg *crypto_larval_add(const char *name, u32 type,
					    u32 mask)
{
	struct crypto_larval *larval;
	struct crypto_alg *found;

	larval = crypto_larval_alloc(name, type, mask);
	if (IS_ERR(larval))
		return ERR_CAST(larval);

	/*
	 * Two references.  NOTE(review): these appear to be one for the list
	 * (dropped by crypto_larval_kill() after unlinking) and one for the
	 * caller (dropped in crypto_larval_wait()) -- confirm.
	 */
	refcount_set(&larval->alg.cra_refcnt, 2);

	down_write(&crypto_alg_sem);
	found = __crypto_alg_lookup(name, type, mask);
	if (!found) {
		found = &larval->alg;
		list_add(&found->cra_list, &crypto_alg_list);
	}
	up_write(&crypto_alg_sem);

	/* Our larval went onto the list: hand it back as is. */
	if (found == &larval->alg)
		return found;

	/* Somebody else got there first; ours was never published. */
	kfree(larval);

	if (!crypto_is_larval(found))
		return found;

	return crypto_larval_wait(found);
}
/*
 * Unlink @larval from crypto_alg_list, wake every waiter and drop one
 * reference on it.
 *
 * The list state is checked and changed under the write lock, and
 * list_del_init() leaves the node empty, so a second call on the same larval
 * finds it already unlinked and does nothing.
 */
static void crypto_larval_kill(struct crypto_larval *larval)
{
	bool was_linked;

	down_write(&crypto_alg_sem);
	was_linked = !list_empty(&larval->alg.cra_list);
	if (was_linked)
		list_del_init(&larval->alg.cra_list);
	up_write(&crypto_alg_sem);

	if (was_linked) {
		complete_all(&larval->completion);
		crypto_alg_put(&larval->alg);
	}
}
/*
 * Send CRYPTO_MSG_ALG_REGISTER for the adult algorithm of @larval through
 * crypto_probing_notify().  Any result other than NOTIFY_STOP triggers a
 * one-time warning.
 */
void crypto_schedule_test(struct crypto_larval *larval)
{
	int rc = crypto_probing_notify(CRYPTO_MSG_ALG_REGISTER, larval->adult);

	WARN_ON_ONCE(rc != NOTIFY_STOP);
}
EXPORT_SYMBOL_GPL(crypto_schedule_test);
/*
 * Schedule the test for a test larval at most once.
 *
 * test_started is read once without the lock as a cheap early exit, then
 * re-read and set under the crypto_alg_sem write lock so that only one
 * caller goes on to crypto_schedule_test().  The scheduling itself runs
 * after the lock has been released.
 */
static void crypto_start_test(struct crypto_larval *larval)
{
	bool claimed = false;

	if (!crypto_is_test_larval(larval) || larval->test_started)
		return;

	down_write(&crypto_alg_sem);
	if (!larval->test_started) {
		larval->test_started = true;
		claimed = true;
	}
	up_write(&crypto_alg_sem);

	if (claimed)
		crypto_schedule_test(larval);
}
/*
 * Wait for the larval @alg to complete and turn it into a result.
 *
 * Consumes the caller's reference on the larval in every case.  Returns the
 * adult algorithm with a reference taken through crypto_mod_get(), or an
 * error pointer:
 *   -EINTR      the killable wait returned a negative value
 *   -ETIMEDOUT  nothing completed the larval within 60 * HZ
 *   -EAGAIN     the adult is missing or unusable and the caller should redo
 *               the lookup
 * An error pointer stored in larval->adult is passed through unchanged.
 * When the follow-up lookup yields another larval, that one is waited on in
 * turn.
 */
static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg)
{
	do {
		struct crypto_larval *larval =
			container_of(alg, struct crypto_larval, alg);
		struct crypto_alg *adult;
		long time_left;

		/* During boot nobody else may have kicked off the test yet. */
		if (!crypto_boot_test_finished())
			crypto_start_test(larval);

		time_left = wait_for_completion_killable_timeout(
			&larval->completion, 60 * HZ);

		adult = larval->adult;
		if (time_left < 0) {
			alg = ERR_PTR(-EINTR);
		} else if (time_left == 0) {
			/* Timed out: retire a test larval so it stops matching. */
			if (crypto_is_test_larval(larval))
				crypto_larval_kill(larval);
			alg = ERR_PTR(-ETIMEDOUT);
		} else if (!adult) {
			/*
			 * Completed without an adult: look the name up again
			 * with the larval's own type and mask.  A miss becomes
			 * -EAGAIN so that the caller redoes the lookup.
			 */
			u32 type = larval->alg.cra_flags &
				   ~(CRYPTO_ALG_LARVAL | CRYPTO_ALG_DEAD);
			u32 mask = larval->mask;

			alg = crypto_alg_lookup(larval->alg.cra_name, type,
						mask);
			if (!alg)
				alg = ERR_PTR(-EAGAIN);
		} else if (IS_ERR(adult)) {
			alg = adult;
		} else if (crypto_is_test_larval(larval) &&
			   !(adult->cra_flags & CRYPTO_ALG_TESTED)) {
			/* Never hand out an adult that is not marked tested. */
			alg = ERR_PTR(-EAGAIN);
		} else if (adult->cra_flags & CRYPTO_ALG_FIPS_INTERNAL) {
			/*
			 * FIPS-internal algorithms are not returned from here;
			 * the retry goes through crypto_alg_lookup(), which
			 * decides whether the request may use them.
			 */
			alg = ERR_PTR(-EAGAIN);
		} else if (!crypto_mod_get(adult)) {
			alg = ERR_PTR(-EAGAIN);
		} else {
			alg = adult;
		}

		/* Drop the caller's reference on the larval. */
		crypto_mod_put(&larval->alg);
	} while (!IS_ERR(alg) && crypto_is_larval(alg));

	return alg;
}
/*
 * Look @name up under the crypto_alg_sem read lock, enforcing the self-test
 * and FIPS-internal policies.
 *
 * Unless the caller mentions CRYPTO_ALG_TESTED in @type or @mask, only
 * entries carrying that flag are considered on the first pass.
 *
 * Returns:
 *   the algorithm or larval, with a reference held
 *   NULL                nothing matched
 *   ERR_PTR(-ENOENT)    a match exists but is disallowed in FIPS mode
 *   ERR_PTR(-ELIBBAD)   a match exists only without the tested flag and is
 *                       not a larval, i.e. its self-test failed
 */
static struct crypto_alg *crypto_alg_lookup(const char *name, u32 type,
					    u32 mask)
{
	const u32 fips = CRYPTO_ALG_FIPS_INTERNAL;
	const u32 test = ((type | mask) & CRYPTO_ALG_TESTED) ?
			 0 : CRYPTO_ALG_TESTED;
	struct crypto_alg *alg;

	down_read(&crypto_alg_sem);

	/* First pass ignores the FIPS-internal bit; it is checked below. */
	alg = __crypto_alg_lookup(name, (type | test) & ~fips,
				  (mask | test) & ~fips);
	if (!alg) {
		if (test) {
			/* Retry without insisting on CRYPTO_ALG_TESTED. */
			alg = __crypto_alg_lookup(name, type, mask);
			if (alg && !crypto_is_larval(alg)) {
				/* Test failed */
				crypto_mod_put(alg);
				alg = ERR_PTR(-ELIBBAD);
			}
		}
	} else if (!crypto_is_larval(alg)) {
		u32 fips_mask = mask;

		/*
		 * A caller that did not mention the FIPS-internal bit at all
		 * gets it added to the mask, so that bit must then be clear
		 * on the algorithm.
		 */
		if (~(type | mask) & fips)
			fips_mask |= fips;
		fips_mask &= fips;

		if ((type ^ alg->cra_flags) & fips_mask) {
			/* Algorithm is disallowed in FIPS mode. */
			crypto_mod_put(alg);
			alg = ERR_PTR(-ENOENT);
		}
	}

	up_read(&crypto_alg_sem);

	return alg;
}
/*
 * Find @name, optionally autoloading a module for it, and fall back to
 * creating a larval when nothing is registered.
 *
 * CRYPTO_ALG_LARVAL and CRYPTO_ALG_DEAD are stripped from @type and @mask so
 * callers cannot select on those bits.
 *
 * Returns an algorithm or larval with a reference held, or an error pointer;
 * -ENOENT for a NULL @name, and for a miss while CRYPTO_ALG_TESTED is set in
 * @mask.
 */
static struct crypto_alg *crypto_larval_lookup(const char *name, u32 type,
					       u32 mask)
{
	const u32 reserved = CRYPTO_ALG_LARVAL | CRYPTO_ALG_DEAD;
	struct crypto_alg *alg;

	if (!name)
		return ERR_PTR(-ENOENT);

	type &= ~reserved;
	mask &= ~reserved;

	alg = crypto_alg_lookup(name, type, mask);
	if (!alg && !(mask & CRYPTO_NOLOAD)) {
		/*
		 * The fixed "crypto-" prefix keeps the caller-supplied name
		 * inside the crypto module-alias namespace instead of letting
		 * it name an arbitrary module.  The return values are ignored
		 * on purpose: the lookup below decides the outcome.
		 */
		request_module("crypto-%s", name);

		if (!((type ^ CRYPTO_ALG_NEED_FALLBACK) & mask &
		      CRYPTO_ALG_NEED_FALLBACK))
			request_module("crypto-%s-all", name);

		alg = crypto_alg_lookup(name, type, mask);
	}

	/* Errors from the lookup go straight back to the caller. */
	if (IS_ERR(alg))
		return alg;

	if (alg)
		return crypto_is_larval(alg) ? crypto_larval_wait(alg) : alg;

	/*
	 * Nothing registered.  A request with CRYPTO_ALG_TESTED in the mask
	 * must not create a larval, which blocks instance creation during
	 * self-testing.
	 */
	if (mask & CRYPTO_ALG_TESTED)
		return ERR_PTR(-ENOENT);

	return crypto_larval_add(name, type, mask);
}
/*
 * crypto_probing_notify - deliver an event on crypto_chain, loading the
 * crypto manager if nobody handled it
 * @val: notifier event code handed to the chain
 * @v: event payload handed to the chain
 *
 * If the first pass over the chain returns NOTIFY_DONE, the "cryptomgr"
 * module is requested and the chain is run a second time. The module name
 * is a fixed literal; nothing supplied by the caller reaches
 * request_module() here.
 *
 * Returns the value of the last blocking_notifier_call_chain() call.
 */
int crypto_probing_notify(unsigned long val, void *v)
{
	int ret = blocking_notifier_call_chain(&crypto_chain, val, v);

	if (ret != NOTIFY_DONE)
		return ret;

	/* request_module()'s result is not checked; the second pass decides. */
	request_module("cryptomgr");
	return blocking_notifier_call_chain(&crypto_chain, val, v);
}
EXPORT_SYMBOL_GPL(crypto_probing_notify);
/*
 * crypto_alg_mod_lookup - look up an algorithm, asking the crypto manager
 * to construct it when only a larval placeholder exists
 * @name: algorithm name
 * @type: requested type bits
 * @mask: mask selecting which type bits must match
 *
 * Returns whatever crypto_larval_lookup() produced when that is an error
 * pointer or a non-larval algorithm. For a larval, a
 * CRYPTO_MSG_ALG_REQUEST is sent: on NOTIFY_STOP the result of
 * crypto_larval_wait() is returned, otherwise the larval reference is
 * dropped and ERR_PTR(-ENOENT) is returned. The larval is killed in both
 * cases before returning.
 */
struct crypto_alg *crypto_alg_mod_lookup(const char *name, u32 type, u32 mask)
{
	struct crypto_alg *larval;
	struct crypto_alg *found;

	/*
	 * If the internal flag is set for a cipher, require a caller to
	 * invoke the cipher with the internal flag to use that cipher.
	 * Also, if a caller wants to allocate a cipher that may or may
	 * not be an internal cipher, use type | CRYPTO_ALG_INTERNAL and
	 * !(mask & CRYPTO_ALG_INTERNAL).
	 *
	 * A caller that mentions the flag in neither type nor mask gets it
	 * forced into the mask here, so the flag takes part in matching with
	 * the type bit clear.
	 */
	if (((type | mask) & CRYPTO_ALG_INTERNAL) == 0)
		mask |= CRYPTO_ALG_INTERNAL;

	larval = crypto_larval_lookup(name, type, mask);
	if (IS_ERR(larval))
		return larval;
	if (!crypto_is_larval(larval))
		return larval;

	if (crypto_probing_notify(CRYPTO_MSG_ALG_REQUEST, larval) ==
	    NOTIFY_STOP) {
		found = crypto_larval_wait(larval);
	} else {
		/* Nobody took the request: release the larval reference. */
		crypto_mod_put(larval);
		found = ERR_PTR(-ENOENT);
	}

	/* "alg" below is the member name inside struct crypto_larval. */
	crypto_larval_kill(container_of(larval, struct crypto_larval, alg));
	return found;
}
EXPORT_SYMBOL_GPL(crypto_alg_mod_lookup);
/*
 * Invoke the transform's own exit hook, if one is installed.
 *
 * The hook is only called when the algorithm has a cra_type; a tfm whose
 * algorithm has no type object is left alone even if tfm->exit is set.
 */
static void crypto_exit_ops(struct crypto_tfm *tfm)
{
	if (!tfm->__crt_alg->cra_type)
		return;

	if (tfm->exit)
		tfm->exit(tfm);
}
/*
 * Compute how many context bytes follow struct crypto_tfm for @alg.
 *
 * The result starts from the part of cra_alignmask that exceeds
 * crypto_tfm_ctx_alignment() (presumably padding so the context can be
 * aligned by hand; confirm against the ctx accessors) and adds the
 * per-type context size: from cra_type->ctxsize() when the algorithm has a
 * type object, otherwise from the legacy cipher/compress helpers.
 * Any other legacy type is a BUG().
 */
static unsigned int crypto_ctxsize(struct crypto_alg *alg, u32 type, u32 mask)
{
	const struct crypto_type *frontend = alg->cra_type;
	unsigned int size;

	size = alg->cra_alignmask & ~(crypto_tfm_ctx_alignment() - 1);

	if (frontend) {
		size += frontend->ctxsize(alg, type, mask);
		return size;
	}

	switch (alg->cra_flags & CRYPTO_ALG_TYPE_MASK) {
	default:
		/* Unknown legacy type: there is no size to compute. */
		BUG();

	case CRYPTO_ALG_TYPE_CIPHER:
		size += crypto_cipher_ctxsize(alg);
		break;

	case CRYPTO_ALG_TYPE_COMPRESS:
		size += crypto_compress_ctxsize(alg);
		break;
	}

	return size;
}
/*
 * crypto_shoot_alg - mark an algorithm as dying
 * @alg: algorithm to flag
 *
 * Sets CRYPTO_ALG_DYING in cra_flags while holding crypto_alg_sem for
 * writing, so the flag update is serialised against other holders of the
 * semaphore. NOTE(review): what lookups do with a dying algorithm is not
 * visible in this part of the file.
 */
void crypto_shoot_alg(struct crypto_alg *alg)
{
	down_write(&crypto_alg_sem);
	alg->cra_flags |= CRYPTO_ALG_DYING;
	up_write(&crypto_alg_sem);
}
EXPORT_SYMBOL_GPL(crypto_shoot_alg);
/*
 * __crypto_alloc_tfmgfp - allocate and initialise a legacy transform
 * @alg: algorithm the transform is bound to
 * @type: type bits forwarded to crypto_ctxsize()
 * @mask: mask bits forwarded to crypto_ctxsize()
 * @gfp: allocation flags for kzalloc()
 *
 * Allocates a zeroed struct crypto_tfm followed by the algorithm context,
 * binds it to @alg with a refcount of one and runs alg->cra_init() when no
 * exit hook is installed. No reference on @alg is taken or dropped here;
 * that is left to the caller.
 *
 * Returns the transform, ERR_PTR(-ENOMEM) when the allocation fails, or
 * ERR_PTR(err) with the error from cra_init(). When cra_init() fails with
 * -EAGAIN the algorithm is additionally marked dying.
 */
struct crypto_tfm *__crypto_alloc_tfmgfp(struct crypto_alg *alg, u32 type,
					 u32 mask, gfp_t gfp)
{
	struct crypto_tfm *tfm;
	unsigned int tfm_size;
	int err;

	tfm_size = sizeof(*tfm) + crypto_ctxsize(alg, type, mask);
	tfm = kzalloc(tfm_size, gfp);
	if (!tfm)
		return ERR_PTR(-ENOMEM);

	tfm->__crt_alg = alg;
	refcount_set(&tfm->refcnt, 1);

	/* Nothing to initialise: exit hook already set or no cra_init. */
	if (tfm->exit || !alg->cra_init)
		return tfm;

	err = alg->cra_init(tfm);
	if (!err)
		return tfm;

	/* cra_init failed: unwind and hand the error back. */
	crypto_exit_ops(tfm);
	if (err == -EAGAIN)
		crypto_shoot_alg(alg);
	kfree(tfm);
	return ERR_PTR(err);
}
EXPORT_SYMBOL_GPL(__crypto_alloc_tfmgfp);
/*
 * __crypto_alloc_tfm - __crypto_alloc_tfmgfp() with GFP_KERNEL
 * @alg: algorithm the transform is bound to
 * @type: type bits
 * @mask: mask bits
 *
 * Returns the transform or an error pointer, exactly as
 * __crypto_alloc_tfmgfp() does.
 */
struct crypto_tfm *__crypto_alloc_tfm(struct crypto_alg *alg, u32 type,
				      u32 mask)
{
	return __crypto_alloc_tfmgfp(alg, type, mask, GFP_KERNEL);
}
EXPORT_SYMBOL_GPL(__crypto_alloc_tfm);
/*
 *	crypto_alloc_base - Locate algorithm and allocate transform
 *	@alg_name: Name of algorithm
 *	@type: Type of algorithm
 *	@mask: Mask for type comparison
 *
 *	This function should not be used by new algorithm types.
 *	Please use crypto_alloc_tfm instead.
 *
 *	crypto_alloc_base() will first attempt to locate an already loaded
 *	algorithm.  If that fails and the kernel supports dynamically loadable
 *	modules, it will then attempt to load a module of the same name or
 *	alias.  If that fails it will send a query to any loaded crypto manager
 *	to construct an algorithm on the fly.  A refcount is grabbed on the
 *	algorithm which is then associated with the new transform.
 *
 *	The returned transform is of a non-determinate type.  Most people
 *	should use one of the more specific allocation functions such as
 *	crypto_alloc_skcipher().
 *
 *	The lookup and allocation are repeated for as long as they fail with
 *	-EAGAIN; a pending fatal signal ends the retries with -EINTR.
 *
 *	In case of error the return value is an error pointer.
 */
struct crypto_tfm *crypto_alloc_base(const char *alg_name, u32 type, u32 mask)
{
	for (;;) {
		struct crypto_alg *alg;
		struct crypto_tfm *tfm;
		int err;

		alg = crypto_alg_mod_lookup(alg_name, type, mask);
		if (IS_ERR(alg)) {
			err = PTR_ERR(alg);
		} else {
			tfm = __crypto_alloc_tfm(alg, type, mask);
			if (!IS_ERR(tfm))
				return tfm;

			/* Allocation failed: give back the lookup's reference. */
			crypto_mod_put(alg);
			err = PTR_ERR(tfm);
		}

		if (err != -EAGAIN)
			return ERR_PTR(err);

		/* Let a killed task leave the retry loop. */
		if (fatal_signal_pending(current))
			return ERR_PTR(-EINTR);
	}
}
EXPORT_SYMBOL_GPL(crypto_alloc_base);
/*
 * Allocate the zeroed memory block that holds a frontend object, the
 * embedded struct crypto_tfm and the algorithm's extra space.
 *
 * The tfm sits frontend->tfmsize bytes into the block; it is bound to
 * @alg, tagged with @node and given a refcount of one. No init hook is
 * run here.
 *
 * Returns the start of the block (not the tfm), or ERR_PTR(-ENOMEM).
 */
static void *crypto_alloc_tfmmem(struct crypto_alg *alg,
				 const struct crypto_type *frontend, int node,
				 gfp_t gfp)
{
	unsigned int head = frontend->tfmsize;
	unsigned int total;
	struct crypto_tfm *tfm;
	char *mem;

	total = head + sizeof(struct crypto_tfm) + frontend->extsize(alg);

	mem = kzalloc_node(total, gfp, node);
	if (!mem)
		return ERR_PTR(-ENOMEM);

	tfm = (struct crypto_tfm *)(mem + head);
	tfm->__crt_alg = alg;
	tfm->node = node;
	refcount_set(&tfm->refcnt, 1);

	return mem;
}
/*
 * crypto_create_tfm_node - allocate and initialise a frontend transform
 * @alg: algorithm the transform is bound to
 * @frontend: frontend type providing tfmsize, extsize() and init_tfm()
 * @node: NUMA node passed to the allocator
 *
 * Allocates with GFP_KERNEL, runs frontend->init_tfm() and then, when no
 * exit hook was installed, alg->cra_init(). If cra_init() fails the exit
 * hook path is run before the memory is released; if init_tfm() fails the
 * memory is released directly. An -EAGAIN from either step marks the
 * algorithm dying. No reference on @alg is taken or dropped here.
 *
 * Returns the start of the allocated block or an error pointer.
 */
void *crypto_create_tfm_node(struct crypto_alg *alg,
			     const struct crypto_type *frontend,
			     int node)
{
	struct crypto_tfm *tfm;
	char *mem;
	int err;

	mem = crypto_alloc_tfmmem(alg, frontend, node, GFP_KERNEL);
	if (IS_ERR(mem))
		return mem;

	tfm = (struct crypto_tfm *)(mem + frontend->tfmsize);

	err = frontend->init_tfm(tfm);
	if (!err && !tfm->exit && alg->cra_init) {
		err = alg->cra_init(tfm);
		if (err)
			crypto_exit_ops(tfm);
	}
	if (!err)
		return mem;

	if (err == -EAGAIN)
		crypto_shoot_alg(alg);
	kfree(mem);
	return ERR_PTR(err);
}
EXPORT_SYMBOL_GPL(crypto_create_tfm_node);
/*
 * crypto_clone_tfm - allocate a new transform for the algorithm of @otfm
 * @frontend: frontend type used to size the allocation
 * @otfm: transform being cloned
 *
 * Takes a reference on the algorithm, allocates with GFP_ATOMIC on the
 * node recorded in @otfm, and copies crt_flags and the exit hook from
 * @otfm. Neither init_tfm() nor cra_init() is called here, and no context
 * bytes are copied; NOTE(review): the caller presumably fills in the
 * context itself.
 *
 * Returns the start of the new block, ERR_PTR(-ESTALE) when the reference
 * cannot be taken, or the allocator's error pointer (the reference is
 * dropped again in that case).
 */
void *crypto_clone_tfm(const struct crypto_type *frontend,
		       struct crypto_tfm *otfm)
{
	struct crypto_alg *alg = otfm->__crt_alg;
	struct crypto_tfm *clone;
	char *mem;

	if (unlikely(!crypto_mod_get(alg)))
		return ERR_PTR(-ESTALE);

	mem = crypto_alloc_tfmmem(alg, frontend, otfm->node, GFP_ATOMIC);
	if (IS_ERR(mem)) {
		crypto_mod_put(alg);
		return mem;
	}

	clone = (struct crypto_tfm *)(mem + frontend->tfmsize);
	clone->crt_flags = otfm->crt_flags;
	clone->exit = otfm->exit;

	return mem;
}
EXPORT_SYMBOL_GPL(crypto_clone_tfm);
/*
 * crypto_find_alg - look up an algorithm through a frontend's type rules
 * @alg_name: algorithm name
 * @frontend: frontend type, or NULL to use @type and @mask unchanged
 * @type: requested type bits
 * @mask: mask selecting which type bits must match
 *
 * With a frontend, both @type and @mask are first restricted to
 * frontend->maskclear, then frontend->type is OR-ed into the type and
 * frontend->maskset into the mask, so the frontend's own bits cannot be
 * overridden by the caller's values.
 *
 * Returns the result of crypto_alg_mod_lookup().
 */
struct crypto_alg *crypto_find_alg(const char *alg_name,
				   const struct crypto_type *frontend,
				   u32 type, u32 mask)
{
	if (!frontend)
		return crypto_alg_mod_lookup(alg_name, type, mask);

	type = (type & frontend->maskclear) | frontend->type;
	mask = (mask & frontend->maskclear) | frontend->maskset;

	return crypto_alg_mod_lookup(alg_name, type, mask);
}
EXPORT_SYMBOL_GPL(crypto_find_alg);
/*
 *	crypto_alloc_tfm_node - Locate algorithm and allocate transform
 *	@alg_name: Name of algorithm
 *	@frontend: Frontend algorithm type
 *	@type: Type of algorithm
 *	@mask: Mask for type comparison
 *	@node: NUMA node in which users desire to put requests, if node is
 *		NUMA_NO_NODE, it means users have no special requirement.
 *
 *	crypto_alloc_tfm() will first attempt to locate an already loaded
 *	algorithm.  If that fails and the kernel supports dynamically loadable
 *	modules, it will then attempt to load a module of the same name or
 *	alias.  If that fails it will send a query to any loaded crypto manager
 *	to construct an algorithm on the fly.  A refcount is grabbed on the
 *	algorithm which is then associated with the new transform.
 *
 *	The returned transform is of a non-determinate type.  Most people
 *	should use one of the more specific allocation functions such as
 *	crypto_alloc_skcipher().
 *
 *	The lookup and creation are repeated for as long as they fail with
 *	-EAGAIN; a pending fatal signal ends the retries with -EINTR.
 *
 *	In case of error the return value is an error pointer.
 */

void *crypto_alloc_tfm_node(const char *alg_name,
		       const struct crypto_type *frontend, u32 type, u32 mask,
		       int node)
{
	for (;;) {
		struct crypto_alg *alg;
		void *tfm;
		int err;

		alg = crypto_find_alg(alg_name, frontend, type, mask);
		if (IS_ERR(alg)) {
			err = PTR_ERR(alg);
		} else {
			tfm = crypto_create_tfm_node(alg, frontend, node);
			if (!IS_ERR(tfm))
				return tfm;

			/* Creation failed: give back the lookup's reference. */
			crypto_mod_put(alg);
			err = PTR_ERR(tfm);
		}

		if (err != -EAGAIN)
			return ERR_PTR(err);

		/* Let a killed task leave the retry loop. */
		if (fatal_signal_pending(current))
			return ERR_PTR(-EINTR);
	}
}
EXPORT_SYMBOL_GPL(crypto_alloc_tfm_node);
/*
 *	crypto_destroy_tfm - Free crypto transform
 *	@mem: Start of tfm slab
 *	@tfm: Transform to free
 *
 *	This function frees up the transform and any associated resources,
 *	then drops the refcount on the associated algorithm.
 *
 *	Only @mem is checked for NULL or an error pointer; @tfm is
 *	dereferenced as soon as @mem passes that check, so both must describe
 *	the same allocation. Teardown happens only when the transform's own
 *	refcount drops to zero. The block is released with kfree_sensitive(),
 *	which clears the memory before freeing it, so context contents such
 *	as key material do not linger in freed slab memory.
 */
void crypto_destroy_tfm(void *mem, struct crypto_tfm *tfm)
{
	struct crypto_alg *alg;

	/* Nothing to do for an invalid slab or while other users remain. */
	if (IS_ERR_OR_NULL(mem) || !refcount_dec_and_test(&tfm->refcnt))
		return;

	alg = tfm->__crt_alg;

	/* cra_exit is only used when no per-tfm exit hook was installed. */
	if (!tfm->exit && alg->cra_exit)
		alg->cra_exit(tfm);
	crypto_exit_ops(tfm);
	crypto_mod_put(alg);
	kfree_sensitive(mem);
}
EXPORT_SYMBOL_GPL(crypto_destroy_tfm);
/*
 * crypto_has_alg - report whether an algorithm can be looked up
 * @name: algorithm name
 * @type: requested type bits
 * @mask: mask selecting which type bits must match
 *
 * Performs a full crypto_alg_mod_lookup() and immediately drops the
 * reference it obtained.
 *
 * Returns 1 when the lookup succeeded, 0 when it returned an error pointer.
 */
int crypto_has_alg(const char *name, u32 type, u32 mask)
{
	struct crypto_alg *alg = crypto_alg_mod_lookup(name, type, mask);

	if (IS_ERR(alg))
		return 0;

	crypto_mod_put(alg);
	return 1;
}
EXPORT_SYMBOL_GPL(crypto_has_alg);
/*
 * crypto_req_done - completion callback that wakes a struct crypto_wait
 * @data: the struct crypto_wait to complete
 * @err: status reported for the request
 *
 * A status of -EINPROGRESS is ignored. Any other status is stored in
 * wait->err and the waiter's completion is signalled.
 */
void crypto_req_done(void *data, int err)
{
	struct crypto_wait *wait = data;

	if (err != -EINPROGRESS) {
		wait->err = err;
		complete(&wait->completion);
	}
}
EXPORT_SYMBOL_GPL(crypto_req_done);
/* Module metadata: description string and licence declaration. */
MODULE_DESCRIPTION("Cryptographic core API");
MODULE_LICENSE("GPL");