linux-2.6/crypto/ghash-generic.c

/*
 * GHASH: digest algorithm for GCM (Galois/Counter Mode).
 *
 * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
 * Copyright (c) 2009 Intel Corp.
 *   Author: Huang Ying <ying.huang@intel.com>
 *
 * The algorithm implementation is copied from gcm.c.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 as published
 * by the Free Software Foundation.
 */

#include <crypto/algapi.h>
#include <crypto/gf128mul.h>
#include <crypto/internal/hash.h>
#include <linux/crypto.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>

#define GHASH_BLOCK_SIZE	16
#define GHASH_DIGEST_SIZE	16

struct ghash_ctx {
	struct gf128mul_4k *gf128;
};

struct ghash_desc_ctx {
	u8 buffer[GHASH_BLOCK_SIZE];
	u32 bytes;
};

static int ghash_init(struct shash_desc *desc)
{
	struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);

	memset(dctx, 0, sizeof(*dctx));

	return 0;
}

static int ghash_setkey(struct crypto_shash *tfm,
			const u8 *key, unsigned int keylen)
{
	struct ghash_ctx *ctx = crypto_shash_ctx(tfm);

	if (keylen != GHASH_BLOCK_SIZE) {
		crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
		return -EINVAL;
	}

	if (ctx->gf128)
		gf128mul_free_4k(ctx->gf128);
	ctx->gf128 = gf128mul_init_4k_lle((be128 *)key);
	if (!ctx->gf128)
		return -ENOMEM;

	return 0;
}

static int ghash_update(struct shash_desc *desc,
			 const u8 *src, unsigned int srclen)
{
	struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
	struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
	u8 *dst = dctx->buffer;

	if (!ctx->gf128)
		return -ENOKEY;

	if (dctx->bytes) {
		int n = min(srclen, dctx->bytes);
		u8 *pos = dst + (GHASH_BLOCK_SIZE - dctx->bytes);

		dctx->bytes -= n;
		srclen -= n;

		while (n--)
			*pos++ ^= *src++;

		if (!dctx->bytes)
			gf128mul_4k_lle((be128 *)dst, ctx->gf128);
	}

	while (srclen >= GHASH_BLOCK_SIZE) {
		crypto_xor(dst, src, GHASH_BLOCK_SIZE);
		gf128mul_4k_lle((be128 *)dst, ctx->gf128);
		src += GHASH_BLOCK_SIZE;
		srclen -= GHASH_BLOCK_SIZE;
	}

	if (srclen) {
		dctx->bytes = GHASH_BLOCK_SIZE - srclen;
		while (srclen--)
			*dst++ ^= *src++;
	}

	return 0;
}

static void ghash_flush(struct ghash_ctx *ctx, struct ghash_desc_ctx *dctx)
{
	u8 *dst = dctx->buffer;

	if (dctx->bytes) {
		u8 *tmp = dst + (GHASH_BLOCK_SIZE - dctx->bytes);

		while (dctx->bytes--)
			*tmp++ ^= 0;

		gf128mul_4k_lle((be128 *)dst, ctx->gf128);
	}

	dctx->bytes = 0;
}

static int ghash_final(struct shash_desc *desc, u8 *dst)
{
	struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
	struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
	u8 *buf = dctx->buffer;

	if (!ctx->gf128)
		return -ENOKEY;

	ghash_flush(ctx, dctx);
	memcpy(dst, buf, GHASH_BLOCK_SIZE);

	return 0;
}

static void ghash_exit_tfm(struct crypto_tfm *tfm)
{
	struct ghash_ctx *ctx = crypto_tfm_ctx(tfm);
	if (ctx->gf128)
		gf128mul_free_4k(ctx->gf128);
}

static struct shash_alg ghash_alg = {
	.digestsize	= GHASH_DIGEST_SIZE,
	.init		= ghash_init,
	.update		= ghash_update,
	.final		= ghash_final,
	.setkey		= ghash_setkey,
	.descsize	= sizeof(struct ghash_desc_ctx),
	.base		= {
		.cra_name		= "ghash",
		.cra_driver_name	= "ghash-generic",
		.cra_priority		= 100,
		.cra_flags		= CRYPTO_ALG_TYPE_SHASH,
		.cra_blocksize		= GHASH_BLOCK_SIZE,
		.cra_ctxsize		= sizeof(struct ghash_ctx),
		.cra_module		= THIS_MODULE,
		.cra_exit		= ghash_exit_tfm,
	},
};

static int __init ghash_mod_init(void)
{
	return crypto_register_shash(&ghash_alg);
}

static void __exit ghash_mod_exit(void)
{
	crypto_unregister_shash(&ghash_alg);
}

module_init(ghash_mod_init);
module_exit(ghash_mod_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("GHASH Message Digest Algorithm");
MODULE_ALIAS("ghash");
crypto: ghash - Add GHASH digest algorithm for GCM GHASH is implemented as a shash algorithm. The actual implementation is copied from gcm.c. This makes it possible to add architecture/hardware accelerated GHASH implementation. Signed-off-by: Huang Ying <ying.huang@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2009-08-06 05:32:38 +00:00			`/*`
			`* GHASH: digest algorithm for GCM (Galois/Counter Mode).`
			`*`
			`* Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>`
			`* Copyright (c) 2009 Intel Corp.`
			`* Author: Huang Ying <ying.huang@intel.com>`
			`*`
			`* The algorithm implementation is copied from gcm.c.`
			`*`
			`* This program is free software; you can redistribute it and/or modify it`
			`* under the terms of the GNU General Public License version 2 as published`
			`* by the Free Software Foundation.`
			`*/`

			`#include <crypto/algapi.h>`
			`#include <crypto/gf128mul.h>`
			`#include <crypto/internal/hash.h>`
			`#include <linux/crypto.h>`
			`#include <linux/init.h>`
			`#include <linux/kernel.h>`
			`#include <linux/module.h>`

			`#define GHASH_BLOCK_SIZE 16`
			`#define GHASH_DIGEST_SIZE 16`

			`struct ghash_ctx {`
			`struct gf128mul_4k *gf128;`
			`};`

			`struct ghash_desc_ctx {`
			`u8 buffer[GHASH_BLOCK_SIZE];`
			`u32 bytes;`
			`};`

			`static int ghash_init(struct shash_desc *desc)`
			`{`
			`struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);`

			`memset(dctx, 0, sizeof(*dctx));`

			`return 0;`
			`}`

			`static int ghash_setkey(struct crypto_shash *tfm,`
			`const u8 *key, unsigned int keylen)`
			`{`
			`struct ghash_ctx *ctx = crypto_shash_ctx(tfm);`

			`if (keylen != GHASH_BLOCK_SIZE) {`
			`crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);`
			`return -EINVAL;`
			`}`

			`if (ctx->gf128)`
			`gf128mul_free_4k(ctx->gf128);`
			`ctx->gf128 = gf128mul_init_4k_lle((be128 *)key);`
			`if (!ctx->gf128)`
			`return -ENOMEM;`

			`return 0;`
			`}`

			`static int ghash_update(struct shash_desc *desc,`
			`const u8 *src, unsigned int srclen)`
			`{`
			`struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);`
			`struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);`
			`u8 *dst = dctx->buffer;`

crypto: ghash - Avoid null pointer dereference if no key is set The ghash_update function passes a pointer to gf128mul_4k_lle which will be NULL if ghash_setkey is not called or if the most recent call to ghash_setkey failed to allocate memory. This causes an oops. Fix this up by returning an error code in the null case. This is trivially triggered from unprivileged userspace through the AF_ALG interface by simply writing to the socket without setting a key. The ghash_final function has a similar issue, but triggering it requires a memory allocation failure in ghash_setkey _after_ at least one successful call to ghash_update. BUG: unable to handle kernel NULL pointer dereference at 00000670 IP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP Modules linked in: ghash_generic gf128mul algif_hash af_alg nfs lockd nfs_acl sunrpc bridge ipv6 stp llc Pid: 1502, comm: hashatron Tainted: G W 3.1.0-rc9-00085-ge9308cf #32 Bochs Bochs EIP: 0060:[<d88c92d4>] EFLAGS: 00000202 CPU: 0 EIP is at gf128mul_4k_lle+0x23/0x60 [gf128mul] EAX: d69db1f0 EBX: d6b8ddac ECX: 00000004 EDX: 00000000 ESI: 00000670 EDI: d6b8ddac EBP: d6b8ddc8 ESP: d6b8dda4 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process hashatron (pid: 1502, ti=d6b8c000 task=d6810000 task.ti=d6b8c000) Stack: 00000000 d69db1f0 00000163 00000000 d6b8ddc8 c101a520 d69db1f0 d52aa000 00000ff0 d6b8dde8 d88d310f d6b8a3f8 d52aa000 00001000 d88d502c d6b8ddfc 00001000 d6b8ddf4 c11676ed d69db1e8 d6b8de24 c11679ad d52aa000 00000000 Call Trace: [<c101a520>] ? kmap_atomic_prot+0x37/0xa6 [<d88d310f>] ghash_update+0x85/0xbe [ghash_generic] [<c11676ed>] crypto_shash_update+0x18/0x1b [<c11679ad>] shash_ahash_update+0x22/0x36 [<c11679cc>] shash_async_update+0xb/0xd [<d88ce0ba>] hash_sendpage+0xba/0xf2 [algif_hash] [<c121b24c>] kernel_sendpage+0x39/0x4e [<d88ce000>] ? 0xd88cdfff [<c121b298>] sock_sendpage+0x37/0x3e [<c121b261>] ? kernel_sendpage+0x4e/0x4e [<c10b4dbc>] pipe_to_sendpage+0x56/0x61 [<c10b4e1f>] splice_from_pipe_feed+0x58/0xcd [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b51f5>] __splice_from_pipe+0x36/0x55 [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b6383>] splice_from_pipe+0x51/0x64 [<c10b63c2>] ? default_file_splice_write+0x2c/0x2c [<c10b63d5>] generic_splice_sendpage+0x13/0x15 [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b527f>] do_splice_from+0x5d/0x67 [<c10b6865>] sys_splice+0x2bf/0x363 [<c129373b>] ? sysenter_exit+0xf/0x16 [<c104dc1e>] ? trace_hardirqs_on_caller+0x10e/0x13f [<c129370c>] sysenter_do_call+0x12/0x32 Code: 83 c4 0c 5b 5e 5f c9 c3 55 b9 04 00 00 00 89 e5 57 8d 7d e4 56 53 8d 5d e4 83 ec 18 89 45 e0 89 55 dc 0f b6 70 0f c1 e6 04 01 d6 <f3> a5 be 0f 00 00 00 4e 89 d8 e8 48 ff ff ff 8b 45 e0 89 da 0f EIP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul] SS:ESP 0068:d6b8dda4 CR2: 0000000000000670 ---[ end trace 4eaa2a86a8e2da24 ]--- note: hashatron[1502] exited with preempt_count 1 BUG: scheduling while atomic: hashatron/1502/0x10000002 INFO: lockdep is turned off. [...] Signed-off-by: Nick Bowler <nbowler@elliptictech.com> Cc: stable@kernel.org [2.6.37+] Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2011-10-20 12:16:55 +00:00			`if (!ctx->gf128)`
			`return -ENOKEY;`

crypto: ghash - Add GHASH digest algorithm for GCM GHASH is implemented as a shash algorithm. The actual implementation is copied from gcm.c. This makes it possible to add architecture/hardware accelerated GHASH implementation. Signed-off-by: Huang Ying <ying.huang@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2009-08-06 05:32:38 +00:00			`if (dctx->bytes) {`
			`int n = min(srclen, dctx->bytes);`
			`u8 *pos = dst + (GHASH_BLOCK_SIZE - dctx->bytes);`

			`dctx->bytes -= n;`
			`srclen -= n;`

			`while (n--)`
			`pos++ ^= src++;`

			`if (!dctx->bytes)`
			`gf128mul_4k_lle((be128 *)dst, ctx->gf128);`
			`}`

			`while (srclen >= GHASH_BLOCK_SIZE) {`
			`crypto_xor(dst, src, GHASH_BLOCK_SIZE);`
			`gf128mul_4k_lle((be128 *)dst, ctx->gf128);`
			`src += GHASH_BLOCK_SIZE;`
			`srclen -= GHASH_BLOCK_SIZE;`
			`}`

			`if (srclen) {`
			`dctx->bytes = GHASH_BLOCK_SIZE - srclen;`
			`while (srclen--)`
			`dst++ ^= src++;`
			`}`

			`return 0;`
			`}`

			`static void ghash_flush(struct ghash_ctx ctx, struct ghash_desc_ctx dctx)`
			`{`
			`u8 *dst = dctx->buffer;`

			`if (dctx->bytes) {`
			`u8 *tmp = dst + (GHASH_BLOCK_SIZE - dctx->bytes);`

			`while (dctx->bytes--)`
			`*tmp++ ^= 0;`

			`gf128mul_4k_lle((be128 *)dst, ctx->gf128);`
			`}`

			`dctx->bytes = 0;`
			`}`

			`static int ghash_final(struct shash_desc desc, u8 dst)`
			`{`
			`struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);`
			`struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);`
			`u8 *buf = dctx->buffer;`

crypto: ghash - Avoid null pointer dereference if no key is set The ghash_update function passes a pointer to gf128mul_4k_lle which will be NULL if ghash_setkey is not called or if the most recent call to ghash_setkey failed to allocate memory. This causes an oops. Fix this up by returning an error code in the null case. This is trivially triggered from unprivileged userspace through the AF_ALG interface by simply writing to the socket without setting a key. The ghash_final function has a similar issue, but triggering it requires a memory allocation failure in ghash_setkey _after_ at least one successful call to ghash_update. BUG: unable to handle kernel NULL pointer dereference at 00000670 IP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP Modules linked in: ghash_generic gf128mul algif_hash af_alg nfs lockd nfs_acl sunrpc bridge ipv6 stp llc Pid: 1502, comm: hashatron Tainted: G W 3.1.0-rc9-00085-ge9308cf #32 Bochs Bochs EIP: 0060:[<d88c92d4>] EFLAGS: 00000202 CPU: 0 EIP is at gf128mul_4k_lle+0x23/0x60 [gf128mul] EAX: d69db1f0 EBX: d6b8ddac ECX: 00000004 EDX: 00000000 ESI: 00000670 EDI: d6b8ddac EBP: d6b8ddc8 ESP: d6b8dda4 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process hashatron (pid: 1502, ti=d6b8c000 task=d6810000 task.ti=d6b8c000) Stack: 00000000 d69db1f0 00000163 00000000 d6b8ddc8 c101a520 d69db1f0 d52aa000 00000ff0 d6b8dde8 d88d310f d6b8a3f8 d52aa000 00001000 d88d502c d6b8ddfc 00001000 d6b8ddf4 c11676ed d69db1e8 d6b8de24 c11679ad d52aa000 00000000 Call Trace: [<c101a520>] ? kmap_atomic_prot+0x37/0xa6 [<d88d310f>] ghash_update+0x85/0xbe [ghash_generic] [<c11676ed>] crypto_shash_update+0x18/0x1b [<c11679ad>] shash_ahash_update+0x22/0x36 [<c11679cc>] shash_async_update+0xb/0xd [<d88ce0ba>] hash_sendpage+0xba/0xf2 [algif_hash] [<c121b24c>] kernel_sendpage+0x39/0x4e [<d88ce000>] ? 0xd88cdfff [<c121b298>] sock_sendpage+0x37/0x3e [<c121b261>] ? kernel_sendpage+0x4e/0x4e [<c10b4dbc>] pipe_to_sendpage+0x56/0x61 [<c10b4e1f>] splice_from_pipe_feed+0x58/0xcd [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b51f5>] __splice_from_pipe+0x36/0x55 [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b6383>] splice_from_pipe+0x51/0x64 [<c10b63c2>] ? default_file_splice_write+0x2c/0x2c [<c10b63d5>] generic_splice_sendpage+0x13/0x15 [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b527f>] do_splice_from+0x5d/0x67 [<c10b6865>] sys_splice+0x2bf/0x363 [<c129373b>] ? sysenter_exit+0xf/0x16 [<c104dc1e>] ? trace_hardirqs_on_caller+0x10e/0x13f [<c129370c>] sysenter_do_call+0x12/0x32 Code: 83 c4 0c 5b 5e 5f c9 c3 55 b9 04 00 00 00 89 e5 57 8d 7d e4 56 53 8d 5d e4 83 ec 18 89 45 e0 89 55 dc 0f b6 70 0f c1 e6 04 01 d6 <f3> a5 be 0f 00 00 00 4e 89 d8 e8 48 ff ff ff 8b 45 e0 89 da 0f EIP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul] SS:ESP 0068:d6b8dda4 CR2: 0000000000000670 ---[ end trace 4eaa2a86a8e2da24 ]--- note: hashatron[1502] exited with preempt_count 1 BUG: scheduling while atomic: hashatron/1502/0x10000002 INFO: lockdep is turned off. [...] Signed-off-by: Nick Bowler <nbowler@elliptictech.com> Cc: stable@kernel.org [2.6.37+] Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2011-10-20 12:16:55 +00:00			`if (!ctx->gf128)`
			`return -ENOKEY;`

crypto: ghash - Add GHASH digest algorithm for GCM GHASH is implemented as a shash algorithm. The actual implementation is copied from gcm.c. This makes it possible to add architecture/hardware accelerated GHASH implementation. Signed-off-by: Huang Ying <ying.huang@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2009-08-06 05:32:38 +00:00			`ghash_flush(ctx, dctx);`
			`memcpy(dst, buf, GHASH_BLOCK_SIZE);`

			`return 0;`
			`}`

			`static void ghash_exit_tfm(struct crypto_tfm *tfm)`
			`{`
			`struct ghash_ctx *ctx = crypto_tfm_ctx(tfm);`
			`if (ctx->gf128)`
			`gf128mul_free_4k(ctx->gf128);`
			`}`

			`static struct shash_alg ghash_alg = {`
			`.digestsize = GHASH_DIGEST_SIZE,`
			`.init = ghash_init,`
			`.update = ghash_update,`
			`.final = ghash_final,`
			`.setkey = ghash_setkey,`
			`.descsize = sizeof(struct ghash_desc_ctx),`
			`.base = {`
			`.cra_name = "ghash",`
			`.cra_driver_name = "ghash-generic",`
			`.cra_priority = 100,`
			`.cra_flags = CRYPTO_ALG_TYPE_SHASH,`
			`.cra_blocksize = GHASH_BLOCK_SIZE,`
			`.cra_ctxsize = sizeof(struct ghash_ctx),`
			`.cra_module = THIS_MODULE,`
			`.cra_exit = ghash_exit_tfm,`
			`},`
			`};`

			`static int __init ghash_mod_init(void)`
			`{`
			`return crypto_register_shash(&ghash_alg);`
			`}`

			`static void __exit ghash_mod_exit(void)`
			`{`
			`crypto_unregister_shash(&ghash_alg);`
			`}`

			`module_init(ghash_mod_init);`
			`module_exit(ghash_mod_exit);`

			`MODULE_LICENSE("GPL");`
			`MODULE_DESCRIPTION("GHASH Message Digest Algorithm");`
			`MODULE_ALIAS("ghash");`