From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ofer Heifetz, Antoine Tenart, Herbert Xu, Sasha Levin
Subject: [PATCH 4.16 097/161] crypto: inside-secure - move the digest to the request context
Date: Thu, 24 May 2018 11:38:42 +0200
Message-Id: <20180524093030.038506488@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180524093018.331893860@linuxfoundation.org>
References: <20180524093018.331893860@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.16-stable review patch. If anyone has any objections, please let me know.

------------------

From: Antoine Tenart

[ Upstream commit b869648c060fbb00bf6578d13cbe83e6f85914bc ]

This patch moves the digest information from the transformation context
to the request context. This fixes cases where HMAC init functions were
called and overrode the digest value for a short period of time, as the
HMAC init functions call the SHA init one which reset the value. This
led to a small percentage of HMAC being incorrectly computed under heavy
load.

Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
Suggested-by: Ofer Heifetz
Signed-off-by: Antoine Tenart
[Ofer here did all the work, from seeing the issue to understanding the
root cause. I only made the patch.]
Signed-off-by: Herbert Xu
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 drivers/crypto/inside-secure/safexcel_hash.c | 30 ++++++++++++++++-----------
 1 file changed, 18 insertions(+), 12 deletions(-)

--- a/drivers/crypto/inside-secure/safexcel_hash.c +++ b/drivers/crypto/inside-secure/safexcel_hash.c 
@@ -21,7 +21,6 @@ struct safexcel_ahash_ctx { struct safexcel_crypto_priv *priv; u32 alg; - u32 digest; u32 ipad[SHA1_DIGEST_SIZE / sizeof(u32)]; u32 opad[SHA1_DIGEST_SIZE / sizeof(u32)]; @@ -35,6 +34,8 @@ struct safexcel_ahash_req { int nents; + u32 digest; + u8 state_sz; /* expected sate size, only set once */ u32 state[SHA256_DIGEST_SIZE / sizeof(u32)] __aligned(sizeof(u32)); @@ -49,6 +50,8 @@ struct safexcel_ahash_export_state { u64 len; u64 processed; + u32 digest; + u32 state[SHA256_DIGEST_SIZE / sizeof(u32)]; u8 cache[SHA256_BLOCK_SIZE]; }; @@ -82,9 +85,9 @@ static void safexcel_context_control(str cdesc->control_data.control0 |= CONTEXT_CONTROL_TYPE_HASH_OUT; cdesc->control_data.control0 |= ctx->alg; - cdesc->control_data.control0 |= ctx->digest; + cdesc->control_data.control0 |= req->digest; - if (ctx->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) { + if (req->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) { if (req->processed) { if (ctx->alg == CONTEXT_CONTROL_CRYPTO_ALG_SHA1) cdesc->control_data.control0 |= CONTEXT_CONTROL_SIZE(6); @@ -112,7 +115,7 @@ static void safexcel_context_control(str if (req->finish) ctx->base.ctxr->data[i] = cpu_to_le32(req->processed / blocksize); } - } else if (ctx->digest == CONTEXT_CONTROL_DIGEST_HMAC) { + } else if (req->digest == CONTEXT_CONTROL_DIGEST_HMAC) { cdesc->control_data.control0 |= CONTEXT_CONTROL_SIZE(10); memcpy(ctx->base.ctxr->data, ctx->ipad, digestsize); @@ -550,7 +553,7 @@ static int safexcel_ahash_enqueue(struct if (ctx->base.ctxr) { if (priv->version == EIP197 && !ctx->base.needs_inv && req->processed && - ctx->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) + req->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) /* We're still setting needs_inv here, even though it is * cleared right away, because the needs_inv flag can be * set in other functions and we want to keep the same 
@@ -585,7 +588,6 @@ static int safexcel_ahash_enqueue(struct static int safexcel_ahash_update(struct ahash_request *areq) { - struct safexcel_ahash_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq)); struct safexcel_ahash_req *req = ahash_request_ctx(areq); struct crypto_ahash *ahash = crypto_ahash_reqtfm(areq); @@ -601,7 +603,7 @@ static int safexcel_ahash_update(struct * We're not doing partial updates when performing an hmac request. * Everything will be handled by the final() call. */ - if (ctx->digest == CONTEXT_CONTROL_DIGEST_HMAC) + if (req->digest == CONTEXT_CONTROL_DIGEST_HMAC) return 0; if (req->hmac) @@ -660,6 +662,8 @@ static int safexcel_ahash_export(struct export->len = req->len; export->processed = req->processed; + export->digest = req->digest; + memcpy(export->state, req->state, req->state_sz); memcpy(export->cache, req->cache, crypto_ahash_blocksize(ahash)); @@ -680,6 +684,8 @@ static int safexcel_ahash_import(struct req->len = export->len; req->processed = export->processed; + req->digest = export->digest; + memcpy(req->cache, export->cache, crypto_ahash_blocksize(ahash)); memcpy(req->state, export->state, req->state_sz); @@ -716,7 +722,7 @@ static int safexcel_sha1_init(struct aha req->state[4] = SHA1_H4; ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA1; - ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; + req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; req->state_sz = SHA1_DIGEST_SIZE; return 0; @@ -783,10 +789,10 @@ struct safexcel_alg_template safexcel_al static int safexcel_hmac_sha1_init(struct ahash_request *areq) { - struct safexcel_ahash_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq)); + struct safexcel_ahash_req *req = ahash_request_ctx(areq); safexcel_sha1_init(areq); - ctx->digest = CONTEXT_CONTROL_DIGEST_HMAC; + req->digest = CONTEXT_CONTROL_DIGEST_HMAC; return 0; } 
@@ -1024,7 +1030,7 @@ static int safexcel_sha256_init(struct a req->state[7] = SHA256_H7; ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA256; - ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; + req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; req->state_sz = SHA256_DIGEST_SIZE; return 0; @@ -1086,7 +1092,7 @@ static int safexcel_sha224_init(struct a req->state[7] = SHA224_H7; ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA224; - ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; + req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; req->state_sz = SHA256_DIGEST_SIZE; return 0;
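
Review bot: In safexcel_ahash_import, `req->digest = export->digest;` copies the digest type out of the caller-supplied state blob without checking it, and safexcel_context_control then ORs req->digest straight into control0. A value that is neither CONTEXT_CONTROL_DIGEST_PRECOMPUTED nor CONTEXT_CONTROL_DIGEST_HMAC would skip both branches shown in that function while still reaching the command descriptor, so consider rejecting anything else in import with -EINVAL. The new `u32 digest;` member also grows struct safexcel_ahash_export_state; since no size change is visible in this patch, it is worth confirming that the advertised state size is derived from sizeof() of that struct.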
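
Review bot: The init functions touched here (safexcel_sha1_init, safexcel_sha256_init, safexcel_sha224_init) still store `ctx->alg` on every request, which is the same pattern of a per-request init writing into the shared transformation context that this patch removes for digest. If the value is constant for a given transform the store is harmless, but a comment saying so, or moving the assignment out of the per-request path, would keep the next reader from wondering whether alg can be overwritten under load in the same way.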
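
Review bot: In safexcel_hmac_sha1_init, `req->digest = CONTEXT_CONTROL_DIGEST_HMAC;` is only correct because it runs after safexcel_sha1_init(areq), which sets req->digest to CONTEXT_CONTROL_DIGEST_PRECOMPUTED. A one-line comment stating that the override must follow the SHA1 init would protect the ordering from a later cleanup, and the new `u32 digest;` field in struct safexcel_ahash_req could carry a short comment naming the two values it takes.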