On Wed 20 Jan 12:48 CST 2021, Thara Gopinath wrote:
Please drop "drivers: " from $subject.
> Export and import interfaces save and restore partial transformation
> states. The partial states were being stored and restored in struct
> sha1_state for sha1/hmac(sha1) transformations and sha256_state for
> sha256/hmac(sha256) transformations.This led to a bunch of corner cases
> where improper state was being stored and restored. A few of the corner
> cases that turned up during testing are:
>
> - wrong byte_count restored if export/import is called twice without h/w
> transaction in between
> - wrong buflen restored back if the pending buffer
> length is exactly the block size.
> - wrong state restored if buffer length is 0.
>
> To fix these issues, save and restore the partial transformation state
> using the newly introduced qce_sha_saved_state struct. This ensures that
> all the pieces required to properly restart the transformation is captured
> and restored back
>
> Signed-off-by: Thara Gopinath <thara.gopinath@xxxxxxxxxx>
> ---
>
> v1->v2:
> - Introduced custom struct qce_sha_saved_state to store and
> restore partial sha transformation. v1 was re-using
> qce_sha_reqctx to save and restore partial states and this
> could lead to potential memcpy issues around pointer copying.
>
> drivers/crypto/qce/sha.c | 122 +++++++++++----------------------------
> 1 file changed, 34 insertions(+), 88 deletions(-)
>
> diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c
> index 61c418c12345..08aed03e2b59 100644
> --- a/drivers/crypto/qce/sha.c
> +++ b/drivers/crypto/qce/sha.c
> @@ -12,9 +12,15 @@
> #include "core.h"
> #include "sha.h"
>
> -/* crypto hw padding constant for first operation */
> -#define SHA_PADDING 64
> -#define SHA_PADDING_MASK (SHA_PADDING - 1)
> +struct qce_sha_saved_state {
> + u8 pending_buf[QCE_SHA_MAX_BLOCKSIZE];
> + u8 partial_digest[QCE_SHA_MAX_DIGESTSIZE];
> + __be32 byte_count[2];
> + unsigned int pending_buflen;
> + unsigned int flags;
> + u64 count;
> + bool first_blk;
> +};
>
> static LIST_HEAD(ahash_algs);
>
> @@ -139,97 +145,37 @@ static int qce_ahash_init(struct ahash_request *req)
>
> static int qce_ahash_export(struct ahash_request *req, void *out)
> {
> - struct crypto_ahash *ahash = crypto_ahash_reqtfm(req);
> struct qce_sha_reqctx *rctx = ahash_request_ctx(req);
> - unsigned long flags = rctx->flags;
> - unsigned int digestsize = crypto_ahash_digestsize(ahash);
> - unsigned int blocksize =
> - crypto_tfm_alg_blocksize(crypto_ahash_tfm(ahash));
> -
> - if (IS_SHA1(flags) || IS_SHA1_HMAC(flags)) {
> - struct sha1_state *out_state = out;
> -
> - out_state->count = rctx->count;
> - qce_cpu_to_be32p_array((__be32 *)out_state->state,
> - rctx->digest, digestsize);
> - memcpy(out_state->buffer, rctx->buf, blocksize);
> - } else if (IS_SHA256(flags) || IS_SHA256_HMAC(flags)) {
> - struct sha256_state *out_state = out;
> -
> - out_state->count = rctx->count;
> - qce_cpu_to_be32p_array((__be32 *)out_state->state,
> - rctx->digest, digestsize);
> - memcpy(out_state->buf, rctx->buf, blocksize);
> - } else {
> - return -EINVAL;
> - }
> -
> - return 0;
> -}
> -
> -static int qce_import_common(struct ahash_request *req, u64 in_count,
> - const u32 *state, const u8 *buffer, bool hmac)
> -{
> - struct crypto_ahash *ahash = crypto_ahash_reqtfm(req);
> - struct qce_sha_reqctx *rctx = ahash_request_ctx(req);
> - unsigned int digestsize = crypto_ahash_digestsize(ahash);
> - unsigned int blocksize;
> - u64 count = in_count;
> -
> - blocksize = crypto_tfm_alg_blocksize(crypto_ahash_tfm(ahash));
> - rctx->count = in_count;
> - memcpy(rctx->buf, buffer, blocksize);
> -
> - if (in_count <= blocksize) {
> - rctx->first_blk = 1;
> - } else {
> - rctx->first_blk = 0;
> - /*
> - * For HMAC, there is a hardware padding done when first block
> - * is set. Therefore the byte_count must be incremened by 64
> - * after the first block operation.
> - */
> - if (hmac)
> - count += SHA_PADDING;
> - }
> + struct qce_sha_saved_state *export_state = out;
>
> - rctx->byte_count[0] = (__force __be32)(count & ~SHA_PADDING_MASK);
> - rctx->byte_count[1] = (__force __be32)(count >> 32);
> - qce_cpu_to_be32p_array((__be32 *)rctx->digest, (const u8 *)state,
> - digestsize);
> - rctx->buflen = (unsigned int)(in_count & (blocksize - 1));
> + memcpy(export_state->pending_buf, rctx->buf, rctx->buflen);
> + memcpy(export_state->partial_digest, rctx->digest,
> + sizeof(rctx->digest));
No need to wrap this line.
> + memcpy(export_state->byte_count, rctx->byte_count, 2);
You're only stashing 2 of the 8 bytes here. So you should either copy
sizeof(byte_count) bytes, or perhaps it's more obvious if you just
assigned byte_count[0] and byte_count[1]?
> + export_state->pending_buflen = rctx->buflen;
> + export_state->count = rctx->count;
> + export_state->first_blk = rctx->first_blk;
> + export_state->flags = rctx->flags;
>
> return 0;
> }
>
> static int qce_ahash_import(struct ahash_request *req, const void *in)
> {
> - struct qce_sha_reqctx *rctx;
> - unsigned long flags;
> - bool hmac;
> - int ret;
> -
> - ret = qce_ahash_init(req);
> - if (ret)
> - return ret;
> -
> - rctx = ahash_request_ctx(req);
> - flags = rctx->flags;
> - hmac = IS_SHA_HMAC(flags);
> -
> - if (IS_SHA1(flags) || IS_SHA1_HMAC(flags)) {
> - const struct sha1_state *state = in;
> -
> - ret = qce_import_common(req, state->count, state->state,
> - state->buffer, hmac);
> - } else if (IS_SHA256(flags) || IS_SHA256_HMAC(flags)) {
> - const struct sha256_state *state = in;
> + struct qce_sha_reqctx *rctx = ahash_request_ctx(req);
> + struct qce_sha_saved_state *import_state = in;
>
> - ret = qce_import_common(req, state->count, state->state,
> - state->buf, hmac);
> - }
> + memset(rctx, 0, sizeof(*rctx));
> + rctx->count = import_state->count;
> + rctx->buflen = import_state->pending_buflen;
> + rctx->first_blk = import_state->first_blk;
> + rctx->flags = import_state->flags;
> + memcpy(rctx->buf, import_state->pending_buf, rctx->buflen);
> + memcpy(rctx->digest, import_state->partial_digest,
> + sizeof(rctx->digest));
> + memcpy(rctx->byte_count, import_state->byte_count, 2);
Same as above, you're just restoring 2 of the 8 bytes.
Regards,
Bjorn
>
> - return ret;
> + return 0;
> }
>
> static int qce_ahash_update(struct ahash_request *req)
> @@ -450,7 +396,7 @@ static const struct qce_ahash_def ahash_def[] = {
> .drv_name = "sha1-qce",
> .digestsize = SHA1_DIGEST_SIZE,
> .blocksize = SHA1_BLOCK_SIZE,
> - .statesize = sizeof(struct sha1_state),
> + .statesize = sizeof(struct qce_sha_saved_state),
> .std_iv = std_iv_sha1,
> },
> {
> @@ -459,7 +405,7 @@ static const struct qce_ahash_def ahash_def[] = {
> .drv_name = "sha256-qce",
> .digestsize = SHA256_DIGEST_SIZE,
> .blocksize = SHA256_BLOCK_SIZE,
> - .statesize = sizeof(struct sha256_state),
> + .statesize = sizeof(struct qce_sha_saved_state),
> .std_iv = std_iv_sha256,
> },
> {
> @@ -468,7 +414,7 @@ static const struct qce_ahash_def ahash_def[] = {
> .drv_name = "hmac-sha1-qce",
> .digestsize = SHA1_DIGEST_SIZE,
> .blocksize = SHA1_BLOCK_SIZE,
> - .statesize = sizeof(struct sha1_state),
> + .statesize = sizeof(struct qce_sha_saved_state),
> .std_iv = std_iv_sha1,
> },
> {
> @@ -477,7 +423,7 @@ static const struct qce_ahash_def ahash_def[] = {
> .drv_name = "hmac-sha256-qce",
> .digestsize = SHA256_DIGEST_SIZE,
> .blocksize = SHA256_BLOCK_SIZE,
> - .statesize = sizeof(struct sha256_state),
> + .statesize = sizeof(struct qce_sha_saved_state),
> .std_iv = std_iv_sha256,
> },
> };
> --
> 2.25.1
>
