commit 6ebc97006b196aafa9df0497fdfa866cf26f259b upstream.

Some algorithms have a ->setkey() method that is not atomic, in the
sense that setting a key can fail after changes were already made to the
tfm context.  In this case, if a key was already set the tfm can end up
in a state that corresponds to neither the old key nor the new key.

For example, in gcm.c, if the kzalloc() fails due to lack of memory,
then the CTR part of GCM will have the new key but GHASH will not.

It's not feasible to make all ->setkey() methods atomic, especially ones
that have to key multiple sub-tfms.  Therefore, make the crypto API set
CRYPTO_TFM_NEED_KEY if ->setkey() fails, to prevent the tfm from being
used until a new key is set.

[Cc stable mainly because when introducing the NEED_KEY flag I changed
 AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG
 previously didn't have this problem.  So these "incompletely keyed"
 states became theoretically accessible via AF_ALG -- though, the
 opportunities for causing real mischief seem pretty limited.]

Fixes: dc26c17f ("crypto: aead - prevent using AEADs without setting key")
Cc: <stable@vger.kernel.org> # v4.16+
Signed-off-by: NEric Biggers <ebiggers@google.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Similar to what was done for the hash API, update the AEAD API to track
whether each transform has been keyed, and reject encryption/decryption
if a key is needed but one hasn't been set.

This isn't quite as important as the equivalent fix for the hash API
because AEADs always require a key, so are unlikely to be used without
one.  Still, tracking the key will prevent accidental unkeyed use.
algif_aead also had to track the key anyway, so the new flag replaces
that and slightly simplifies the algif_aead implementation.
Signed-off-by: NEric Biggers <ebiggers@google.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Since commit 499a66e6 ("crypto: null - Remove default null
blkcipher"), crypto_get_default_null_skcipher2() and
crypto_put_default_null_skcipher2() are the same as their non-2
equivalents.  So switch callers of the "2" versions over to the original
versions and remove the "2" versions.
Signed-off-by: NEric Biggers <ebiggers@google.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Continuing from this commit: 52f5684c
("kernel: use macros from compiler.h instead of __attribute__((...))")

I submitted 4 total patches. They are part of task I've taken up to
increase compiler portability in the kernel. I've cleaned up the
subsystems under /kernel /mm /block and /security, this patch targets
/crypto.

There is <linux/compiler.h> which provides macros for various gcc specific
constructs. Eg: __weak for __attribute__((weak)). I've cleaned all
instances of gcc specific attributes with the right macros for the crypto
subsystem.

I had to make one additional change into compiler-gcc.h for the case when
one wants to use this: __attribute__((aligned) and not specify an alignment
factor. From the gcc docs, this will result in the largest alignment for
that data type on the target machine so I've named the macro
__aligned_largest. Please advise if another name is more appropriate.
Signed-off-by: NGideon Israel Dsouza <gidisrael@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The blkcipher null object is no longer used and can now be removed.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds an skcipher null object alongside the existing
null blkcipher so that IV generators using it can switch over
to skcipher.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds a chunk size parameter to aead algorithms, just
like the chunk size for skcipher algorithms.

However, unlike skcipher we do not currently export this to AEAD
users.  It is only meant to be used by AEAD implementors for now.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch removes the CRYPTO_ALG_AEAD_NEW flag now that everyone
has been converted.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Now that the AEAD conversion is complete we can rip out the old
AEAD interafce and associated code.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the helpers aead_init_geniv and aead_exit_geniv
which are type-safe and intended the replace the existing geniv
init/exit helpers.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch allows the CRYPTO_ALG_AEAD_NEW flag to be propagated.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds a type-safe function for freeing AEAD instances
to struct aead_instance.  This replaces the existing free function
in struct crypto_template which does not know the type of the
instance that it's freeing.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the helpers that allow the registration and removal
of multiple algorithms.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

No new code should be using the return value of crypto_unregister_alg
as it will become void soon.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

As it stands the only non-type safe functions left in the new
AEAD interface are the cra_init/cra_exit functions.  It means
exposing the ugly __crypto_aead_cast to every AEAD implementor.

This patch adds type-safe init/exit functions to AEAD.  Existing
algorithms are unaffected while new implementations can simply
fill in these two instead of cra_init/cra_exit.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds some common IV generation code currently duplicated
by seqiv and echainiv.  For example, the setkey and setauthsize
functions are completely identical.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch tries to preserve in-place processing in old_crypt as
various algorithms are optimised for in-place processing where
src == dst.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch removes the cryptoff parameter now that all users
set it to zero.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The function aead_geniv_alloc currently sets cra_type even for
new style instances.  This is unnecessary and may hide bugs such
as when our caller uses crypto_register_instance instead of the
correct aead_register_instance.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Newer templates use tmpl->create and have a NULL tmpl->alloc.  So
we must use tmpl->create if it is set.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

AEAD algorithm implementors need to figure out a given algorithm's
IV size and maximum authentication size.  During the transition
this is difficult to do as an algorithm could be new style or old
style.

This patch creates two helpers to make this easier.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts the seqiv IV generator to work with the new
AEAD interface where IV generators are just normal AEAD algorithms.

Full backwards compatibility is paramount at this point since
no users have yet switched over to the new interface.  Nor can
they switch to the new interface until IV generation is fully
supported by it.

So this means we are adding two versions of seqiv alongside the
existing one.  The first one is the one that will be used when
the underlying AEAD algorithm has switched over to the new AEAD
interface.  The second one handles the current case where the
underlying AEAD algorithm still uses the old interface.

Both versions export themselves through the new AEAD interface.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the basic structure of the new AEAD type.  Unlike
the current version, there is no longer any concept of geniv.  IV
generation will still be carried out by wrappers but they will be
normal AEAD algorithms that simply take the IPsec sequence number
as the IV.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch is the first step in the introduction of a new AEAD
alg type.  Unlike normal conversions this patch only renames the
existing aead_alg structure because there are external references
to it.

Those references will be removed after this patch.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The primary user of AEAD, IPsec includes the IV in the AD in
most cases, except where it is implicitly authenticated by the
underlying algorithm.

The way it is currently implemented is a hack because we pass
the data in piecemeal and the underlying algorithms try to stitch
them back up into one piece.

This is why this patch is adding a new interface that allows a
single SG list to be passed in that contains everything so the
algorithm implementors do not have to stitch.

The new interface accepts a single source SG list and a single
destination SG list.  Both must be laid out as follows:

	AD, skipped data, plain/cipher text, ICV

The ICV is not present from the source during encryption and from
the destination during decryption.

For the top-level IPsec AEAD algorithm the plain/cipher text will
contain the generated (or received) IV.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts the top-level aead interface to the new style.
All user-level AEAD interface code have been moved into crypto/aead.h.

The allocation/free functions have switched over to the new way of
allocating tfms.

This patch also removes the double indrection on setkey so the
indirection now exists only at the alg level.

Apart from these there are no user-visible changes.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

When the user explicitly states that they don't care whether the
algorithm has been tested (type = CRYPTO_ALG_TESTED and mask = 0),
there is a corner case where we may erroneously return ENOENT.

This patch fixes it by correcting the logic in the test.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed style error identified by checkpatch.

ERROR: do not use assignment in if condition
+       if ((err = crypto_register_instance(tmpl, inst))) {
Signed-off-by: NJoshua I. James <joshua@cybercrimetech.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Three errors resulting in kernel memory disclosure:

1/ The structures used for the netlink based crypto algorithm report API
are located on the stack. As snprintf() does not fill the remainder of
the buffer with null bytes, those stack bytes will be disclosed to users
of the API. Switch to strncpy() to fix this.

2/ crypto_report_one() does not initialize all field of struct
crypto_user_alg. Fix this to fix the heap info leak.

3/ For the module name we should copy only as many bytes as
module_name() returns -- not as much as the destination buffer could
hold. But the current code does not and therefore copies random data
from behind the end of the module name, as the module name is always
shorter than CRYPTO_MAX_ALG_NAME.

Also switch to use strncpy() to copy the algorithm's name and
driver_name. They are strings, after all.
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Replace PTR_ERR followed by ERR_PTR by ERR_CAST, to be more concise.

The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression err,x;
@@
-       err = PTR_ERR(x);
        if (IS_ERR(x))
-                return ERR_PTR(err);
+                return ERR_CAST(x);
// </smpl>
Signed-off-by: NJulia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

We lookup algorithms with crypto_alg_mod_lookup() when instantiating via
crypto_add_alg(). However, algorithms that are wrapped by an IV genearator
(e.g. aead or genicv type algorithms) need special care. The userspace
process hangs until it gets a timeout when we use crypto_alg_mod_lookup()
to lookup these algorithms. So export the lookup functions for these
algorithms and use them in crypto_add_alg().
Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The report functions use NLA_PUT so we need to ensure that NET
is enabled.
Reported-by: NLuis Henriques <henrix@camandro.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Signed-off-by: NRichard Hartmann <richih.mailinglist@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

After m68k's task_thread_info() doesn't refer to current,
it's possible to remove sched.h from interrupt.h and not break m68k!
Many thanks to Heiko Carstens for allowing this.
Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>

When an aead constructed through crypto_nivaead_default fails
its selftest, we'll loop forever trying to construct new aead
objects but failing because it already exists.

The crux of the issue is that once an aead fails the selftest,
we'll ignore it on the next run through crypto_aead_lookup and
attempt to construct a new aead.

We should instead return an error to the caller if we find an
an that has failed the test.

This bug hasn't manifested itself yet because we don't have any
test vectors for the existing nivaead algorithms.  They're tested
through the underlying algorithms only.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds an async field to /proc/crypto for ablkcipher and aead
algorithms.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch makes crypto_alloc_aead always return algorithms that is
capable of generating their own IVs through givencrypt and givdecrypt.
All existing AEAD algorithms already do.  New ones must either supply
their own or specify a generic IV generator with the geniv field.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>