Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

Pull crypto update from Herbert Xu: - Made x86 ablk_helper generic for ARM - Phase out chainiv in favour of eseqiv (affects IPsec) - Fixed aes-cbc IV corruption on s390 - Added constant-time crypto_memneq which replaces memcmp - Fixed aes-ctr in omap-aes - Added OMAP3 ROM RNG support - Add PRNG support for MSM SoC's - Add and use Job Ring API in caam - Misc fixes [ NOTE! This pull request was sent within the merge window, but Herbert has some questionable email sending setup that makes him public enemy #1 as far as gmail is concerned. So most of his emails seem to be trapped by gmail as spam, resulting in me not seeing them. - Linus ] * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (49 commits) crypto: s390 - Fix aes-cbc IV corruption crypto: omap-aes - Fix CTR mode counter length crypto: omap-sham - Add missing modalias padata: make the sequence counter an atomic_t crypto: caam - Modify the interface layers to use JR API's crypto: caam - Add API's to allocate/free Job Rings crypto: caam - Add Platform driver for Job Ring hwrng: msm - Add PRNG support for MSM SoC's ARM: DT: msm: Add Qualcomm's PRNG driver binding document crypto: skcipher - Use eseqiv even on UP machines crypto: talitos - Simplify key parsing crypto: picoxcell - Simplify and harden key parsing crypto: ixp4xx - Simplify and harden key parsing crypto: authencesn - Simplify key parsing crypto: authenc - Export key parsing helper function crypto: mv_cesa: remove deprecated IRQF_DISABLED hwrng: OMAP3 ROM Random Number Generator support crypto: sha256_ssse3 - also test for BMI2 crypto: mv_cesa - Remove redundant of_match_ptr crypto: sahara - Remove redundant of_match_ptr ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2013-11-23 19:18:25 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2013-11-23 19:18:25 -0500
commit: 26b265cd29dde56bf0901c421eabc7ae815f38c4 (patch)
tree: 83a5418c96ccde8522bda6614063b665fe5e0ec9 /crypto
parent: 2e7babfa892a55588467ef03b545002e32f31528 (diff)
parent: f262f0f5cad0c9eca61d1d383e3b67b57dcbe5ea (diff)
11 files changed, 356 insertions, 87 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 4ae5734fb473..7bcb70d216e1 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -174,9 +174,8 @@ config CRYPTO_TEST
        help
          Quick & dirty crypto test module.
-config CRYPTO_ABLK_HELPER_X86
+config CRYPTO_ABLK_HELPER
        tristate
-        depends on X86
        select CRYPTO_CRYPTD
 config CRYPTO_GLUE_HELPER_X86
@@ -695,7 +694,7 @@ config CRYPTO_AES_NI_INTEL
        select CRYPTO_AES_X86_64 if 64BIT
        select CRYPTO_AES_586 if !64BIT
        select CRYPTO_CRYPTD
-        select CRYPTO_ABLK_HELPER_X86
+        select CRYPTO_ABLK_HELPER
        select CRYPTO_ALGAPI
        select CRYPTO_GLUE_HELPER_X86 if 64BIT
        select CRYPTO_LRW
@@ -895,7 +894,7 @@ config CRYPTO_CAMELLIA_AESNI_AVX_X86_64
        depends on CRYPTO
        select CRYPTO_ALGAPI
        select CRYPTO_CRYPTD
-        select CRYPTO_ABLK_HELPER_X86
+        select CRYPTO_ABLK_HELPER
        select CRYPTO_GLUE_HELPER_X86
        select CRYPTO_CAMELLIA_X86_64
        select CRYPTO_LRW
@@ -917,7 +916,7 @@ config CRYPTO_CAMELLIA_AESNI_AVX2_X86_64
        depends on CRYPTO
        select CRYPTO_ALGAPI
        select CRYPTO_CRYPTD
-        select CRYPTO_ABLK_HELPER_X86
+        select CRYPTO_ABLK_HELPER
        select CRYPTO_GLUE_HELPER_X86
        select CRYPTO_CAMELLIA_X86_64
        select CRYPTO_CAMELLIA_AESNI_AVX_X86_64
@@ -969,7 +968,7 @@ config CRYPTO_CAST5_AVX_X86_64
        depends on X86 && 64BIT
        select CRYPTO_ALGAPI
        select CRYPTO_CRYPTD
-        select CRYPTO_ABLK_HELPER_X86
+        select CRYPTO_ABLK_HELPER
        select CRYPTO_CAST_COMMON
        select CRYPTO_CAST5
        help
@@ -992,7 +991,7 @@ config CRYPTO_CAST6_AVX_X86_64
        depends on X86 && 64BIT
        select CRYPTO_ALGAPI
        select CRYPTO_CRYPTD
-        select CRYPTO_ABLK_HELPER_X86
+        select CRYPTO_ABLK_HELPER
        select CRYPTO_GLUE_HELPER_X86
        select CRYPTO_CAST_COMMON
        select CRYPTO_CAST6
@@ -1110,7 +1109,7 @@ config CRYPTO_SERPENT_SSE2_X86_64
        depends on X86 && 64BIT
        select CRYPTO_ALGAPI
        select CRYPTO_CRYPTD
-        select CRYPTO_ABLK_HELPER_X86
+        select CRYPTO_ABLK_HELPER
        select CRYPTO_GLUE_HELPER_X86
        select CRYPTO_SERPENT
        select CRYPTO_LRW
@@ -1132,7 +1131,7 @@ config CRYPTO_SERPENT_SSE2_586
        depends on X86 && !64BIT
        select CRYPTO_ALGAPI
        select CRYPTO_CRYPTD
-        select CRYPTO_ABLK_HELPER_X86
+        select CRYPTO_ABLK_HELPER
        select CRYPTO_GLUE_HELPER_X86
        select CRYPTO_SERPENT
        select CRYPTO_LRW
@@ -1154,7 +1153,7 @@ config CRYPTO_SERPENT_AVX_X86_64
        depends on X86 && 64BIT
        select CRYPTO_ALGAPI
        select CRYPTO_CRYPTD
-        select CRYPTO_ABLK_HELPER_X86
+        select CRYPTO_ABLK_HELPER
        select CRYPTO_GLUE_HELPER_X86
        select CRYPTO_SERPENT
        select CRYPTO_LRW
@@ -1176,7 +1175,7 @@ config CRYPTO_SERPENT_AVX2_X86_64
        depends on X86 && 64BIT
        select CRYPTO_ALGAPI
        select CRYPTO_CRYPTD
-        select CRYPTO_ABLK_HELPER_X86
+        select CRYPTO_ABLK_HELPER
        select CRYPTO_GLUE_HELPER_X86
        select CRYPTO_SERPENT
        select CRYPTO_SERPENT_AVX_X86_64
@@ -1292,7 +1291,7 @@ config CRYPTO_TWOFISH_AVX_X86_64
        depends on X86 && 64BIT
        select CRYPTO_ALGAPI
        select CRYPTO_CRYPTD
-        select CRYPTO_ABLK_HELPER_X86
+        select CRYPTO_ABLK_HELPER
        select CRYPTO_GLUE_HELPER_X86
        select CRYPTO_TWOFISH_COMMON
        select CRYPTO_TWOFISH_X86_64
diff --git a/crypto/Makefile b/crypto/Makefile
index b3a7e807e08b..989c510da8cc 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -2,8 +2,13 @@
 # Cryptographic API
 #
+# memneq MUST be built with -Os or -O0 to prevent early-return optimizations
+# that will defeat memneq's actual purpose to prevent timing attacks.
+CFLAGS_REMOVE_memneq.o := -O1 -O2 -O3
+CFLAGS_memneq.o := -Os
 obj-$(CONFIG_CRYPTO) += crypto.o
-crypto-y := api.o cipher.o compress.o
+crypto-y := api.o cipher.o compress.o memneq.o
 obj-$(CONFIG_CRYPTO_WORKQUEUE) += crypto_wq.o
@@ -105,3 +110,4 @@ obj-$(CONFIG_XOR_BLOCKS) += xor.o
 obj-$(CONFIG_ASYNC_CORE) += async_tx/
 obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys/
 obj-$(CONFIG_CRYPTO_HASH_INFO) += hash_info.o
+obj-$(CONFIG_CRYPTO_ABLK_HELPER) += ablk_helper.o
diff --git a/crypto/ablk_helper.c b/crypto/ablk_helper.c
new file mode 100644
index 000000000000..ffe7278d4bd8
--- /dev/null
+++ b/crypto/ablk_helper.c
@@ -0,0 +1,150 @@
+/*
+ * Shared async block cipher helpers
+ *
+ * Copyright (c) 2012 Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
+ *
+ * Based on aesni-intel_glue.c by:
+ *  Copyright (C) 2008, Intel Corp.
+ *    Author: Huang Ying <ying.huang@intel.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307
+ * USA
+ *
+ */
+#include <linux/kernel.h>
+#include <linux/crypto.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/hardirq.h>
+#include <crypto/algapi.h>
+#include <crypto/cryptd.h>
+#include <crypto/ablk_helper.h>
+#include <asm/simd.h>
+int ablk_set_key(struct crypto_ablkcipher *tfm, const u8 *key,
+                 unsigned int key_len)
+{
+        struct async_helper_ctx *ctx = crypto_ablkcipher_ctx(tfm);
+        struct crypto_ablkcipher *child = &ctx->cryptd_tfm->base;
+        int err;
+        crypto_ablkcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
+        crypto_ablkcipher_set_flags(child, crypto_ablkcipher_get_flags(tfm)
+                                    & CRYPTO_TFM_REQ_MASK);
+        err = crypto_ablkcipher_setkey(child, key, key_len);
+        crypto_ablkcipher_set_flags(tfm, crypto_ablkcipher_get_flags(child)
+                                    & CRYPTO_TFM_RES_MASK);
+        return err;
+}
+EXPORT_SYMBOL_GPL(ablk_set_key);
+int __ablk_encrypt(struct ablkcipher_request *req)
+{
+        struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req);
+        struct async_helper_ctx *ctx = crypto_ablkcipher_ctx(tfm);
+        struct blkcipher_desc desc;
+        desc.tfm = cryptd_ablkcipher_child(ctx->cryptd_tfm);
+        desc.info = req->info;
+        desc.flags = 0;
+        return crypto_blkcipher_crt(desc.tfm)->encrypt(
+                &desc, req->dst, req->src, req->nbytes);
+}
+EXPORT_SYMBOL_GPL(__ablk_encrypt);
+int ablk_encrypt(struct ablkcipher_request *req)
+{
+        struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req);
+        struct async_helper_ctx *ctx = crypto_ablkcipher_ctx(tfm);
+        if (!may_use_simd()) {
+                struct ablkcipher_request *cryptd_req =
+                        ablkcipher_request_ctx(req);
+                *cryptd_req = *req;
+                ablkcipher_request_set_tfm(cryptd_req, &ctx->cryptd_tfm->base);
+                return crypto_ablkcipher_encrypt(cryptd_req);
+        } else {
+                return __ablk_encrypt(req);
+        }
+}
+EXPORT_SYMBOL_GPL(ablk_encrypt);
+int ablk_decrypt(struct ablkcipher_request *req)
+{
+        struct crypto_ablkcipher *tfm = crypto_ablkcipher_reqtfm(req);
+        struct async_helper_ctx *ctx = crypto_ablkcipher_ctx(tfm);
+        if (!may_use_simd()) {
+                struct ablkcipher_request *cryptd_req =
+                        ablkcipher_request_ctx(req);
+                *cryptd_req = *req;
+                ablkcipher_request_set_tfm(cryptd_req, &ctx->cryptd_tfm->base);
+                return crypto_ablkcipher_decrypt(cryptd_req);
+        } else {
+                struct blkcipher_desc desc;
+                desc.tfm = cryptd_ablkcipher_child(ctx->cryptd_tfm);
+                desc.info = req->info;
+                desc.flags = 0;
+                return crypto_blkcipher_crt(desc.tfm)->decrypt(
+                        &desc, req->dst, req->src, req->nbytes);
+        }
+}
+EXPORT_SYMBOL_GPL(ablk_decrypt);
+void ablk_exit(struct crypto_tfm *tfm)
+{
+        struct async_helper_ctx *ctx = crypto_tfm_ctx(tfm);
+        cryptd_free_ablkcipher(ctx->cryptd_tfm);
+}
+EXPORT_SYMBOL_GPL(ablk_exit);
+int ablk_init_common(struct crypto_tfm *tfm, const char *drv_name)
+{
+        struct async_helper_ctx *ctx = crypto_tfm_ctx(tfm);
+        struct cryptd_ablkcipher *cryptd_tfm;
+        cryptd_tfm = cryptd_alloc_ablkcipher(drv_name, 0, 0);
+        if (IS_ERR(cryptd_tfm))
+                return PTR_ERR(cryptd_tfm);
+        ctx->cryptd_tfm = cryptd_tfm;
+        tfm->crt_ablkcipher.reqsize = sizeof(struct ablkcipher_request) +
+                crypto_ablkcipher_reqsize(&cryptd_tfm->base);
+        return 0;
+}
+EXPORT_SYMBOL_GPL(ablk_init_common);
+int ablk_init(struct crypto_tfm *tfm)
+{
+        char drv_name[CRYPTO_MAX_ALG_NAME];
+        snprintf(drv_name, sizeof(drv_name), "__driver-%s",
+                                        crypto_tfm_alg_driver_name(tfm));
+        return ablk_init_common(tfm, drv_name);
+}
+EXPORT_SYMBOL_GPL(ablk_init);
+MODULE_LICENSE("GPL");
diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
index 7d4a8d28277e..40886c489903 100644
--- a/crypto/ablkcipher.c
+++ b/crypto/ablkcipher.c
@@ -16,9 +16,7 @@
 #include <crypto/internal/skcipher.h>
 #include <linux/cpumask.h>
 #include <linux/err.h>
-#include <linux/init.h>
 #include <linux/kernel.h>
-#include <linux/module.h>
 #include <linux/rtnetlink.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
@@ -30,8 +28,6 @@
 #include "internal.h"
-static const char *skcipher_default_geniv __read_mostly;
 struct ablkcipher_buffer {
        struct list_head        entry;
        struct scatter_walk     dst;
@@ -527,8 +523,7 @@ const char *crypto_default_geniv(const struct crypto_alg *alg)
            alg->cra_blocksize)
                return "chainiv";
-        return alg->cra_flags & CRYPTO_ALG_ASYNC ?
+        return "eseqiv";
-               "eseqiv" : skcipher_default_geniv;
 }
 static int crypto_givcipher_default(struct crypto_alg *alg, u32 type, u32 mask)
@@ -709,17 +704,3 @@ err:
        return ERR_PTR(err);
 }
 EXPORT_SYMBOL_GPL(crypto_alloc_ablkcipher);
-static int __init skcipher_module_init(void)
-{
-        skcipher_default_geniv = num_possible_cpus() > 1 ?
-                                 "eseqiv" : "chainiv";
-        return 0;
-}
-static void skcipher_module_exit(void)
-{
-}
-module_init(skcipher_module_init);
-module_exit(skcipher_module_exit);
diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c
index c0bb3778f1ae..666f1962a160 100644
--- a/crypto/ansi_cprng.c
+++ b/crypto/ansi_cprng.c
@@ -230,11 +230,11 @@ remainder:
         */
        if (byte_count < DEFAULT_BLK_SZ) {
 empty_rbuf:
-                for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
+                while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
-                        ctx->rand_data_valid++) {
                        *ptr = ctx->rand_data[ctx->rand_data_valid];
                        ptr++;
                        byte_count--;
+                        ctx->rand_data_valid++;
                        if (byte_count == 0)
                                goto done;
                }
diff --git a/crypto/asymmetric_keys/rsa.c b/crypto/asymmetric_keys/rsa.c
index 90a17f59ba28..459cf97a75e2 100644
--- a/crypto/asymmetric_keys/rsa.c
+++ b/crypto/asymmetric_keys/rsa.c
@@ -13,6 +13,7 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/slab.h>
+#include <crypto/algapi.h>
 #include "public_key.h"
 MODULE_LICENSE("GPL");
@@ -189,12 +190,12 @@ static int RSA_verify(const u8 *H, const u8 *EM, size_t k, size_t hash_size,
                }
        }
-        if (memcmp(asn1_template, EM + T_offset, asn1_size) != 0) {
+        if (crypto_memneq(asn1_template, EM + T_offset, asn1_size) != 0) {
                kleave(" = -EBADMSG [EM[T] ASN.1 mismatch]");
                return -EBADMSG;
        }
-        if (memcmp(H, EM + T_offset + asn1_size, hash_size) != 0) {
+        if (crypto_memneq(H, EM + T_offset + asn1_size, hash_size) != 0) {
                kleave(" = -EKEYREJECTED [EM[T] hash mismatch]");
                return -EKEYREJECTED;
        }
diff --git a/crypto/authenc.c b/crypto/authenc.c
index ffce19de05cf..1875e7026e8f 100644
--- a/crypto/authenc.c
+++ b/crypto/authenc.c
@@ -52,40 +52,52 @@ static void authenc_request_complete(struct aead_request *req, int err)
                aead_request_complete(req, err);
 }
-static int crypto_authenc_setkey(struct crypto_aead *authenc, const u8 *key,
+int crypto_authenc_extractkeys(struct crypto_authenc_keys *keys, const u8 *key,
-                                 unsigned int keylen)
+                               unsigned int keylen)
 {
-        unsigned int authkeylen;
+        struct rtattr *rta = (struct rtattr *)key;
-        unsigned int enckeylen;
-        struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
-        struct crypto_ahash *auth = ctx->auth;
-        struct crypto_ablkcipher *enc = ctx->enc;
-        struct rtattr *rta = (void *)key;
        struct crypto_authenc_key_param *param;
-        int err = -EINVAL;
        if (!RTA_OK(rta, keylen))
-                goto badkey;
+                return -EINVAL;
        if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
-                goto badkey;
+                return -EINVAL;
        if (RTA_PAYLOAD(rta) < sizeof(*param))
-                goto badkey;
+                return -EINVAL;
        param = RTA_DATA(rta);
-        enckeylen = be32_to_cpu(param->enckeylen);
+        keys->enckeylen = be32_to_cpu(param->enckeylen);
        key += RTA_ALIGN(rta->rta_len);
        keylen -= RTA_ALIGN(rta->rta_len);
-        if (keylen < enckeylen)
+        if (keylen < keys->enckeylen)
-                goto badkey;
+                return -EINVAL;
-        authkeylen = keylen - enckeylen;
+        keys->authkeylen = keylen - keys->enckeylen;
+        keys->authkey = key;
+        keys->enckey = key + keys->authkeylen;
+        return 0;
+}
+EXPORT_SYMBOL_GPL(crypto_authenc_extractkeys);
+static int crypto_authenc_setkey(struct crypto_aead *authenc, const u8 *key,
+                                 unsigned int keylen)
+{
+        struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
+        struct crypto_ahash *auth = ctx->auth;
+        struct crypto_ablkcipher *enc = ctx->enc;
+        struct crypto_authenc_keys keys;
+        int err = -EINVAL;
+        if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
+                goto badkey;
        crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
        crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc) &
                                    CRYPTO_TFM_REQ_MASK);
-        err = crypto_ahash_setkey(auth, key, authkeylen);
+        err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
        crypto_aead_set_flags(authenc, crypto_ahash_get_flags(auth) &
                                       CRYPTO_TFM_RES_MASK);
@@ -95,7 +107,7 @@ static int crypto_authenc_setkey(struct crypto_aead *authenc, const u8 *key,
        crypto_ablkcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
        crypto_ablkcipher_set_flags(enc, crypto_aead_get_flags(authenc) &
                                         CRYPTO_TFM_REQ_MASK);
-        err = crypto_ablkcipher_setkey(enc, key + authkeylen, enckeylen);
+        err = crypto_ablkcipher_setkey(enc, keys.enckey, keys.enckeylen);
        crypto_aead_set_flags(authenc, crypto_ablkcipher_get_flags(enc) &
                                       CRYPTO_TFM_RES_MASK);
@@ -188,7 +200,7 @@ static void authenc_verify_ahash_update_done(struct crypto_async_request *areq,
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
        if (err)
                goto out;
@@ -227,7 +239,7 @@ static void authenc_verify_ahash_done(struct crypto_async_request *areq,
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
        if (err)
                goto out;
@@ -462,7 +474,7 @@ static int crypto_authenc_verify(struct aead_request *req,
        ihash = ohash + authsize;
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        return memcmp(ihash, ohash, authsize) ? -EBADMSG : 0;
+        return crypto_memneq(ihash, ohash, authsize) ? -EBADMSG : 0;
 }
 static int crypto_authenc_iverify(struct aead_request *req, u8 *iv,
diff --git a/crypto/authencesn.c b/crypto/authencesn.c
index ab53762fc309..4be0dd4373a9 100644
--- a/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -59,37 +59,19 @@ static void authenc_esn_request_complete(struct aead_request *req, int err)
 static int crypto_authenc_esn_setkey(struct crypto_aead *authenc_esn, const u8 *key,
                                     unsigned int keylen)
 {
-        unsigned int authkeylen;
-        unsigned int enckeylen;
        struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
        struct crypto_ahash *auth = ctx->auth;
        struct crypto_ablkcipher *enc = ctx->enc;
-        struct rtattr *rta = (void *)key;
+        struct crypto_authenc_keys keys;
-        struct crypto_authenc_key_param *param;
        int err = -EINVAL;
-        if (!RTA_OK(rta, keylen))
+        if (crypto_authenc_extractkeys(&keys, key, keylen) != 0)
                goto badkey;
-        if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
-                goto badkey;
-        if (RTA_PAYLOAD(rta) < sizeof(*param))
-                goto badkey;
-        param = RTA_DATA(rta);
-        enckeylen = be32_to_cpu(param->enckeylen);
-        key += RTA_ALIGN(rta->rta_len);
-        keylen -= RTA_ALIGN(rta->rta_len);
-        if (keylen < enckeylen)
-                goto badkey;
-        authkeylen = keylen - enckeylen;
        crypto_ahash_clear_flags(auth, CRYPTO_TFM_REQ_MASK);
        crypto_ahash_set_flags(auth, crypto_aead_get_flags(authenc_esn) &
                                     CRYPTO_TFM_REQ_MASK);
-        err = crypto_ahash_setkey(auth, key, authkeylen);
+        err = crypto_ahash_setkey(auth, keys.authkey, keys.authkeylen);
        crypto_aead_set_flags(authenc_esn, crypto_ahash_get_flags(auth) &
                                           CRYPTO_TFM_RES_MASK);
@@ -99,7 +81,7 @@ static int crypto_authenc_esn_setkey(struct crypto_aead *authenc_esn, const u8 *
        crypto_ablkcipher_clear_flags(enc, CRYPTO_TFM_REQ_MASK);
        crypto_ablkcipher_set_flags(enc, crypto_aead_get_flags(authenc_esn) &
                                         CRYPTO_TFM_REQ_MASK);
-        err = crypto_ablkcipher_setkey(enc, key + authkeylen, enckeylen);
+        err = crypto_ablkcipher_setkey(enc, keys.enckey, keys.enckeylen);
        crypto_aead_set_flags(authenc_esn, crypto_ablkcipher_get_flags(enc) &
                                           CRYPTO_TFM_RES_MASK);
@@ -247,7 +229,7 @@ static void authenc_esn_verify_ahash_update_done(struct crypto_async_request *ar
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
        if (err)
                goto out;
@@ -296,7 +278,7 @@ static void authenc_esn_verify_ahash_update_done2(struct crypto_async_request *a
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
        if (err)
                goto out;
@@ -336,7 +318,7 @@ static void authenc_esn_verify_ahash_done(struct crypto_async_request *areq,
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        err = memcmp(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
+        err = crypto_memneq(ihash, ahreq->result, authsize) ? -EBADMSG : 0;
        if (err)
                goto out;
@@ -568,7 +550,7 @@ static int crypto_authenc_esn_verify(struct aead_request *req)
        ihash = ohash + authsize;
        scatterwalk_map_and_copy(ihash, areq_ctx->sg, areq_ctx->cryptlen,
                                 authsize, 0);
-        return memcmp(ihash, ohash, authsize) ? -EBADMSG : 0;
+        return crypto_memneq(ihash, ohash, authsize) ? -EBADMSG : 0;
 }
 static int crypto_authenc_esn_iverify(struct aead_request *req, u8 *iv,
diff --git a/crypto/ccm.c b/crypto/ccm.c
index 499c91717d93..3e05499d183a 100644
--- a/crypto/ccm.c
+++ b/crypto/ccm.c
@@ -363,7 +363,7 @@ static void crypto_ccm_decrypt_done(struct crypto_async_request *areq,
        if (!err) {
                err = crypto_ccm_auth(req, req->dst, cryptlen);
-                if (!err && memcmp(pctx->auth_tag, pctx->odata, authsize))
+                if (!err && crypto_memneq(pctx->auth_tag, pctx->odata, authsize))
                        err = -EBADMSG;
        }
        aead_request_complete(req, err);
@@ -422,7 +422,7 @@ static int crypto_ccm_decrypt(struct aead_request *req)
                return err;
        /* verify */
-        if (memcmp(authtag, odata, authsize))
+        if (crypto_memneq(authtag, odata, authsize))
                return -EBADMSG;
        return err;
diff --git a/crypto/gcm.c b/crypto/gcm.c
index 43e1fb05ea54..b4f017939004 100644
--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -582,7 +582,7 @@ static int crypto_gcm_verify(struct aead_request *req,
        crypto_xor(auth_tag, iauth_tag, 16);
        scatterwalk_map_and_copy(iauth_tag, req->src, cryptlen, authsize, 0);
-        return memcmp(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
+        return crypto_memneq(iauth_tag, auth_tag, authsize) ? -EBADMSG : 0;
 }
 static void gcm_decrypt_done(struct crypto_async_request *areq, int err)
diff --git a/crypto/memneq.c b/crypto/memneq.c
new file mode 100644
index 000000000000..cd0162221c14
--- /dev/null
+++ b/crypto/memneq.c
@@ -0,0 +1,138 @@
+/*
+ * Constant-time equality testing of memory regions.
+ *
+ * Authors:
+ *
+ *   James Yonan <james@openvpn.net>
+ *   Daniel Borkmann <dborkman@redhat.com>
+ *
+ * This file is provided under a dual BSD/GPLv2 license.  When using or
+ * redistributing this file, you may do so under either license.
+ *
+ * GPL LICENSE SUMMARY
+ *
+ * Copyright(c) 2013 OpenVPN Technologies, Inc. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
+ * The full GNU General Public License is included in this distribution
+ * in the file called LICENSE.GPL.
+ *
+ * BSD LICENSE
+ *
+ * Copyright(c) 2013 OpenVPN Technologies, Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in
+ *     the documentation and/or other materials provided with the
+ *     distribution.
+ *   * Neither the name of OpenVPN Technologies nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include <crypto/algapi.h>
+#ifndef __HAVE_ARCH_CRYPTO_MEMNEQ
+/* Generic path for arbitrary size */
+static inline unsigned long
+__crypto_memneq_generic(const void *a, const void *b, size_t size)
+{
+        unsigned long neq = 0;
+#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+        while (size >= sizeof(unsigned long)) {
+                neq |= *(unsigned long *)a ^ *(unsigned long *)b;
+                a += sizeof(unsigned long);
+                b += sizeof(unsigned long);
+                size -= sizeof(unsigned long);
+        }
+#endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */
+        while (size > 0) {
+                neq |= *(unsigned char *)a ^ *(unsigned char *)b;
+                a += 1;
+                b += 1;
+                size -= 1;
+        }
+        return neq;
+}
+/* Loop-free fast-path for frequently used 16-byte size */
+static inline unsigned long __crypto_memneq_16(const void *a, const void *b)
+{
+#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+        if (sizeof(unsigned long) == 8)
+                return ((*(unsigned long *)(a)   ^ *(unsigned long *)(b))
+                      | (*(unsigned long *)(a+8) ^ *(unsigned long *)(b+8)));
+        else if (sizeof(unsigned int) == 4)
+                return ((*(unsigned int *)(a)    ^ *(unsigned int *)(b))
+                      | (*(unsigned int *)(a+4)  ^ *(unsigned int *)(b+4))
+                      | (*(unsigned int *)(a+8)  ^ *(unsigned int *)(b+8))
+                      | (*(unsigned int *)(a+12) ^ *(unsigned int *)(b+12)));
+        else
+#endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */
+                return ((*(unsigned char *)(a)    ^ *(unsigned char *)(b))
+                      | (*(unsigned char *)(a+1)  ^ *(unsigned char *)(b+1))
+                      | (*(unsigned char *)(a+2)  ^ *(unsigned char *)(b+2))
+                      | (*(unsigned char *)(a+3)  ^ *(unsigned char *)(b+3))
+                      | (*(unsigned char *)(a+4)  ^ *(unsigned char *)(b+4))
+                      | (*(unsigned char *)(a+5)  ^ *(unsigned char *)(b+5))
+                      | (*(unsigned char *)(a+6)  ^ *(unsigned char *)(b+6))
+                      | (*(unsigned char *)(a+7)  ^ *(unsigned char *)(b+7))
+                      | (*(unsigned char *)(a+8)  ^ *(unsigned char *)(b+8))
+                      | (*(unsigned char *)(a+9)  ^ *(unsigned char *)(b+9))
+                      | (*(unsigned char *)(a+10) ^ *(unsigned char *)(b+10))
+                      | (*(unsigned char *)(a+11) ^ *(unsigned char *)(b+11))
+                      | (*(unsigned char *)(a+12) ^ *(unsigned char *)(b+12))
+                      | (*(unsigned char *)(a+13) ^ *(unsigned char *)(b+13))
+                      | (*(unsigned char *)(a+14) ^ *(unsigned char *)(b+14))
+                      | (*(unsigned char *)(a+15) ^ *(unsigned char *)(b+15)));
+}
+/* Compare two areas of memory without leaking timing information,
+ * and with special optimizations for common sizes.  Users should
+ * not call this function directly, but should instead use
+ * crypto_memneq defined in crypto/algapi.h.
+ */
+noinline unsigned long __crypto_memneq(const void *a, const void *b,
+                                       size_t size)
+{
+        switch (size) {
+        case 16:
+                return __crypto_memneq_16(a, b);
+        default:
+                return __crypto_memneq_generic(a, b, size);
+        }
+}
+EXPORT_SYMBOL(__crypto_memneq);
+#endif /* __HAVE_ARCH_CRYPTO_MEMNEQ */
author	Linus Torvalds <torvalds@linux-foundation.org>	2013-11-23 19:18:25 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2013-11-23 19:18:25 -0500
commit	26b265cd29dde56bf0901c421eabc7ae815f38c4 (patch)
tree	83a5418c96ccde8522bda6614063b665fe5e0ec9 /crypto
parent	2e7babfa892a55588467ef03b545002e32f31528 (diff)
parent	f262f0f5cad0c9eca61d1d383e3b67b57dcbe5ea (diff)