diff mbox series

[1/6] drivers: crypto: qce: sha: Restore/save sha1_state/sha256_state with qce_sha_reqctx in export/import

Message ID 20201219033027.3066042-2-thara.gopinath@linaro.org
State New
Headers show
Series Regression fixes/clean ups in the Qualcomm crypto engine driver | expand

Commit Message

Thara Gopinath Dec. 19, 2020, 3:30 a.m. UTC 
Export and import interfaces save and restore partial transformation
states. The partial states were being stored and restored in struct
sha1_state for sha1/hmac(sha1) transformations and sha256_state for
sha256/hmac(sha256) transformations.This led to a bunch of corner cases
where improper state was being stored and restored. A few of the corner
cases that turned up during testing are:

- wrong byte_count restored if export/import is called twice without h/w
transaction in between
- wrong buflen restored back if the pending buffer
length is exactly the block size.
- wrong state restored if buffer length is 0.

To fix these issues, save and restore the entire qce_sha_rctx structure
instead of parts of it in sha1_state and sha256_state structures.
This in turn simplifies the export and import apis.

Signed-off-by: Thara Gopinath <thara.gopinath@linaro.org>

---
 drivers/crypto/qce/sha.c | 93 ++++------------------------------------
 1 file changed, 8 insertions(+), 85 deletions(-)

-- 
2.25.1

Comments

Herbert Xu Jan. 2, 2021, 9:25 p.m. UTC | #1 
On Fri, Dec 18, 2020 at 10:30:22PM -0500, Thara Gopinath wrote:
> Export and import interfaces save and restore partial transformation

> states. The partial states were being stored and restored in struct

> sha1_state for sha1/hmac(sha1) transformations and sha256_state for

> sha256/hmac(sha256) transformations.This led to a bunch of corner cases

> where improper state was being stored and restored. A few of the corner

> cases that turned up during testing are:

> 

> - wrong byte_count restored if export/import is called twice without h/w

> transaction in between

> - wrong buflen restored back if the pending buffer

> length is exactly the block size.

> - wrong state restored if buffer length is 0.

> 

> To fix these issues, save and restore the entire qce_sha_rctx structure

> instead of parts of it in sha1_state and sha256_state structures.

> This in turn simplifies the export and import apis.

> 

> Signed-off-by: Thara Gopinath <thara.gopinath@linaro.org>

> ---

>  drivers/crypto/qce/sha.c | 93 ++++------------------------------------

>  1 file changed, 8 insertions(+), 85 deletions(-)


How is this safe when the reqctx structure contains pointers?

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Thara Gopinath Jan. 8, 2021, 3:50 p.m. UTC | #2 
On 1/2/21 4:25 PM, Herbert Xu wrote:
> On Fri, Dec 18, 2020 at 10:30:22PM -0500, Thara Gopinath wrote:

>> Export and import interfaces save and restore partial transformation

>> states. The partial states were being stored and restored in struct

>> sha1_state for sha1/hmac(sha1) transformations and sha256_state for

>> sha256/hmac(sha256) transformations.This led to a bunch of corner cases

>> where improper state was being stored and restored. A few of the corner

>> cases that turned up during testing are:

>>

>> - wrong byte_count restored if export/import is called twice without h/w

>> transaction in between

>> - wrong buflen restored back if the pending buffer

>> length is exactly the block size.

>> - wrong state restored if buffer length is 0.

>>

>> To fix these issues, save and restore the entire qce_sha_rctx structure

>> instead of parts of it in sha1_state and sha256_state structures.

>> This in turn simplifies the export and import apis.

>>

>> Signed-off-by: Thara Gopinath <thara.gopinath@linaro.org>

>> ---

>>   drivers/crypto/qce/sha.c | 93 ++++------------------------------------

>>   1 file changed, 8 insertions(+), 85 deletions(-)

> 

> How is this safe when the reqctx structure contains pointers?


Hi Herbert,

You are right. Also more I think about this, it is better to have 
another struct to export and import the relevant pieces.
I will fix this and send across a v2.

> 

> Cheers,

> 


-- 
Warm Regards
Thara
diff mbox series

Patch

diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c
index 61c418c12345..b8428da6716d 100644
--- a/drivers/crypto/qce/sha.c
+++ b/drivers/crypto/qce/sha.c
@@ -139,97 +139,20 @@  static int qce_ahash_init(struct ahash_request *req)
 
 static int qce_ahash_export(struct ahash_request *req, void *out)
 {
-	struct crypto_ahash *ahash = crypto_ahash_reqtfm(req);
-	struct qce_sha_reqctx *rctx = ahash_request_ctx(req);
-	unsigned long flags = rctx->flags;
-	unsigned int digestsize = crypto_ahash_digestsize(ahash);
-	unsigned int blocksize =
-			crypto_tfm_alg_blocksize(crypto_ahash_tfm(ahash));
-
-	if (IS_SHA1(flags) || IS_SHA1_HMAC(flags)) {
-		struct sha1_state *out_state = out;
-
-		out_state->count = rctx->count;
-		qce_cpu_to_be32p_array((__be32 *)out_state->state,
-				       rctx->digest, digestsize);
-		memcpy(out_state->buffer, rctx->buf, blocksize);
-	} else if (IS_SHA256(flags) || IS_SHA256_HMAC(flags)) {
-		struct sha256_state *out_state = out;
-
-		out_state->count = rctx->count;
-		qce_cpu_to_be32p_array((__be32 *)out_state->state,
-				       rctx->digest, digestsize);
-		memcpy(out_state->buf, rctx->buf, blocksize);
-	} else {
-		return -EINVAL;
-	}
-
-	return 0;
-}
-
-static int qce_import_common(struct ahash_request *req, u64 in_count,
-			     const u32 *state, const u8 *buffer, bool hmac)
-{
-	struct crypto_ahash *ahash = crypto_ahash_reqtfm(req);
 	struct qce_sha_reqctx *rctx = ahash_request_ctx(req);
-	unsigned int digestsize = crypto_ahash_digestsize(ahash);
-	unsigned int blocksize;
-	u64 count = in_count;
-
-	blocksize = crypto_tfm_alg_blocksize(crypto_ahash_tfm(ahash));
-	rctx->count = in_count;
-	memcpy(rctx->buf, buffer, blocksize);
-
-	if (in_count <= blocksize) {
-		rctx->first_blk = 1;
-	} else {
-		rctx->first_blk = 0;
-		/*
-		 * For HMAC, there is a hardware padding done when first block
-		 * is set. Therefore the byte_count must be incremened by 64
-		 * after the first block operation.
-		 */
-		if (hmac)
-			count += SHA_PADDING;
-	}
 
-	rctx->byte_count[0] = (__force __be32)(count & ~SHA_PADDING_MASK);
-	rctx->byte_count[1] = (__force __be32)(count >> 32);
-	qce_cpu_to_be32p_array((__be32 *)rctx->digest, (const u8 *)state,
-			       digestsize);
-	rctx->buflen = (unsigned int)(in_count & (blocksize - 1));
+	memcpy(out, rctx, sizeof(struct qce_sha_reqctx));
 
 	return 0;
 }
 
 static int qce_ahash_import(struct ahash_request *req, const void *in)
 {
-	struct qce_sha_reqctx *rctx;
-	unsigned long flags;
-	bool hmac;
-	int ret;
-
-	ret = qce_ahash_init(req);
-	if (ret)
-		return ret;
-
-	rctx = ahash_request_ctx(req);
-	flags = rctx->flags;
-	hmac = IS_SHA_HMAC(flags);
-
-	if (IS_SHA1(flags) || IS_SHA1_HMAC(flags)) {
-		const struct sha1_state *state = in;
+	struct qce_sha_reqctx *rctx = ahash_request_ctx(req);
 
-		ret = qce_import_common(req, state->count, state->state,
-					state->buffer, hmac);
-	} else if (IS_SHA256(flags) || IS_SHA256_HMAC(flags)) {
-		const struct sha256_state *state = in;
+	memcpy(rctx, in, sizeof(struct qce_sha_reqctx));
 
-		ret = qce_import_common(req, state->count, state->state,
-					state->buf, hmac);
-	}
-
-	return ret;
+	return 0;
 }
 
 static int qce_ahash_update(struct ahash_request *req)
@@ -450,7 +373,7 @@  static const struct qce_ahash_def ahash_def[] = {
 		.drv_name	= "sha1-qce",
 		.digestsize	= SHA1_DIGEST_SIZE,
 		.blocksize	= SHA1_BLOCK_SIZE,
-		.statesize	= sizeof(struct sha1_state),
+		.statesize	= sizeof(struct qce_sha_reqctx),
 		.std_iv		= std_iv_sha1,
 	},
 	{
@@ -459,7 +382,7 @@  static const struct qce_ahash_def ahash_def[] = {
 		.drv_name	= "sha256-qce",
 		.digestsize	= SHA256_DIGEST_SIZE,
 		.blocksize	= SHA256_BLOCK_SIZE,
-		.statesize	= sizeof(struct sha256_state),
+		.statesize	= sizeof(struct qce_sha_reqctx),
 		.std_iv		= std_iv_sha256,
 	},
 	{
@@ -468,7 +391,7 @@  static const struct qce_ahash_def ahash_def[] = {
 		.drv_name	= "hmac-sha1-qce",
 		.digestsize	= SHA1_DIGEST_SIZE,
 		.blocksize	= SHA1_BLOCK_SIZE,
-		.statesize	= sizeof(struct sha1_state),
+		.statesize	= sizeof(struct qce_sha_reqctx),
 		.std_iv		= std_iv_sha1,
 	},
 	{
@@ -477,7 +400,7 @@  static const struct qce_ahash_def ahash_def[] = {
 		.drv_name	= "hmac-sha256-qce",
 		.digestsize	= SHA256_DIGEST_SIZE,
 		.blocksize	= SHA256_BLOCK_SIZE,
-		.statesize	= sizeof(struct sha256_state),
+		.statesize	= sizeof(struct qce_sha_reqctx),
 		.std_iv		= std_iv_sha256,
 	},
 };