From: Andrei Botila <[email protected]>
This patch set is a follow-up on the previous RFC discussion which can be found
here: https://lore.kernel.org/r/[email protected]
This series converts all XTS implementations to return 0 when the input length
is equal to 0. This change is necessary in order to standardize the way
skcipher algorithms handle this corner case. This check is made for other
algorithms such as CBC, ARC4, CFB, OFB, SALSA20, CTR, ECB and PCBC, XTS being
the outlier here.
Although some drivers do not explicitly check for requests with zero input
length, their implementations might be able to deal with this case.
Since we don't have the HW to test which ones are able and which ones are not
we rely on the maintainers of these drivers to verify and comment if the changes
are necessary in their driver or not.
One important thing to keep in mind is that in some implementations we make
this check only for XTS algorithms although probably all skcipher algorithms
should return 0 in case of zero input length.
This fix has been tested only on ARMv8 CE, the rest of the patches have
been build tested *only*, and should be tested on actual hardware before
being merged.
Andrei Botila (22):
crypto: arm/aes-ce - add check for xts input length equal to zero
crypto: arm/aes-neonbs - add check for xts input length equal to zero
crypto: arm64/aes - add check for xts input length equal to zero
crypto: arm64/aes-neonbs - add check for xts input length equal to
zero
crypto: powerpc/aes-spe - add check for xts input length equal to zero
crypto: s390/aes - add check for xts input length equal to zero
crypto: s390/paes - add check for xts input length equal to zero
crypto: x86/glue_helper - add check for xts input length equal to zero
crypto: xts - add check for block length equal to zero
crypto: atmel-aes - add check for xts input length equal to zero
crypto: artpec6 - add check for xts input length equal to zero
crypto: bcm - add check for xts input length equal to zero
crypto: cavium/cpt - add check for xts input length equal to zero
crypto: cavium/nitrox - add check for xts input length equal to zero
crypto: ccp - add check for xts input length equal to zero
crypto: ccree - add check for xts input length equal to zero
crypto: chelsio - add check for xts input length equal to zero
crypto: hisilicon/sec - add check for xts input length equal to zero
crypto: inside-secure - add check for xts input length equal to zero
crypto: octeontx - add check for xts input length equal to zero
crypto: qce - add check for xts input length equal to zero
crypto: vmx - add check for xts input length equal to zero
arch/arm/crypto/aes-ce-glue.c | 6 ++++++
arch/arm/crypto/aes-neonbs-glue.c | 3 +++
arch/arm64/crypto/aes-glue.c | 6 ++++++
arch/arm64/crypto/aes-neonbs-glue.c | 3 +++
arch/powerpc/crypto/aes-spe-glue.c | 6 ++++++
arch/s390/crypto/aes_s390.c | 3 +++
arch/s390/crypto/paes_s390.c | 3 +++
arch/x86/crypto/glue_helper.c | 3 +++
crypto/xts.c | 6 ++++++
drivers/crypto/atmel-aes.c | 4 ++++
drivers/crypto/axis/artpec6_crypto.c | 6 ++++++
drivers/crypto/bcm/cipher.c | 3 +++
drivers/crypto/cavium/cpt/cptvf_algs.c | 4 ++++
drivers/crypto/cavium/nitrox/nitrox_skcipher.c | 6 ++++++
drivers/crypto/ccp/ccp-crypto-aes-xts.c | 3 +++
drivers/crypto/ccree/cc_cipher.c | 11 ++++++-----
drivers/crypto/chelsio/chcr_algo.c | 4 ++++
drivers/crypto/hisilicon/sec/sec_algs.c | 4 ++++
drivers/crypto/inside-secure/safexcel_cipher.c | 6 ++++++
drivers/crypto/marvell/octeontx/otx_cptvf_algs.c | 5 +++++
drivers/crypto/qce/skcipher.c | 3 +++
drivers/crypto/vmx/aes_xts.c | 3 +++
22 files changed, 96 insertions(+), 5 deletions(-)
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Russell King <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
arch/arm/crypto/aes-neonbs-glue.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm/crypto/aes-neonbs-glue.c b/arch/arm/crypto/aes-neonbs-glue.c
index e6fd32919c81..98ca6e6cca90 100644
--- a/arch/arm/crypto/aes-neonbs-glue.c
+++ b/arch/arm/crypto/aes-neonbs-glue.c
@@ -339,6 +339,9 @@ static int __xts_crypt(struct skcipher_request *req, bool encrypt,
struct skcipher_walk walk;
int err;
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < AES_BLOCK_SIZE)
return -EINVAL;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Catalin Marinas <[email protected]>
Cc: Will Deacon <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
arch/arm64/crypto/aes-neonbs-glue.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm64/crypto/aes-neonbs-glue.c b/arch/arm64/crypto/aes-neonbs-glue.c
index fb507d569922..197bf24e7dae 100644
--- a/arch/arm64/crypto/aes-neonbs-glue.c
+++ b/arch/arm64/crypto/aes-neonbs-glue.c
@@ -330,6 +330,9 @@ static int __xts_crypt(struct skcipher_request *req, bool encrypt,
int first = 1;
u8 *out, *in;
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < AES_BLOCK_SIZE)
return -EINVAL;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Catalin Marinas <[email protected]>
Cc: Will Deacon <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
arch/arm64/crypto/aes-glue.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm64/crypto/aes-glue.c b/arch/arm64/crypto/aes-glue.c
index 395bbf64b2ab..44c9644c74b1 100644
--- a/arch/arm64/crypto/aes-glue.c
+++ b/arch/arm64/crypto/aes-glue.c
@@ -515,6 +515,9 @@ static int __maybe_unused xts_encrypt(struct skcipher_request *req)
struct scatterlist *src, *dst;
struct skcipher_walk walk;
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < AES_BLOCK_SIZE)
return -EINVAL;
@@ -587,6 +590,9 @@ static int __maybe_unused xts_decrypt(struct skcipher_request *req)
struct scatterlist *src, *dst;
struct skcipher_walk walk;
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < AES_BLOCK_SIZE)
return -EINVAL;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Benjamin Herrenschmidt <[email protected]>
Cc: Paul Mackerras <[email protected]>
Cc: Michael Ellerman <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
arch/powerpc/crypto/aes-spe-glue.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/powerpc/crypto/aes-spe-glue.c b/arch/powerpc/crypto/aes-spe-glue.c
index c2b23b69d7b1..f37d8bef322b 100644
--- a/arch/powerpc/crypto/aes-spe-glue.c
+++ b/arch/powerpc/crypto/aes-spe-glue.c
@@ -327,6 +327,9 @@ static int ppc_xts_encrypt(struct skcipher_request *req)
u8 b[2][AES_BLOCK_SIZE];
int err;
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < AES_BLOCK_SIZE)
return -EINVAL;
@@ -366,6 +369,9 @@ static int ppc_xts_decrypt(struct skcipher_request *req)
le128 twk;
int err;
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < AES_BLOCK_SIZE)
return -EINVAL;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Signed-off-by: Andrei Botila <[email protected]>
---
crypto/xts.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/crypto/xts.c b/crypto/xts.c
index 3c3ed02c7663..7df68f52fddc 100644
--- a/crypto/xts.c
+++ b/crypto/xts.c
@@ -263,6 +263,9 @@ static int xts_encrypt(struct skcipher_request *req)
struct skcipher_request *subreq = &rctx->subreq;
int err;
+ if (!req->cryptlen)
+ return 0;
+
err = xts_init_crypt(req, xts_encrypt_done) ?:
xts_xor_tweak_pre(req, true) ?:
crypto_skcipher_encrypt(subreq) ?:
@@ -280,6 +283,9 @@ static int xts_decrypt(struct skcipher_request *req)
struct skcipher_request *subreq = &rctx->subreq;
int err;
+ if (!req->cryptlen)
+ return 0;
+
err = xts_init_crypt(req, xts_decrypt_done) ?:
xts_xor_tweak_pre(req, false) ?:
crypto_skcipher_decrypt(subreq) ?:
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Jesper Nilsson <[email protected]>
Cc: Lars Persson <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
drivers/crypto/axis/artpec6_crypto.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/crypto/axis/artpec6_crypto.c b/drivers/crypto/axis/artpec6_crypto.c
index 1a46eeddf082..243880c97629 100644
--- a/drivers/crypto/axis/artpec6_crypto.c
+++ b/drivers/crypto/axis/artpec6_crypto.c
@@ -1090,6 +1090,9 @@ static int artpec6_crypto_encrypt(struct skcipher_request *req)
void (*complete)(struct crypto_async_request *req);
int ret;
+ if (!req->cryptlen)
+ return 0;
+
req_ctx = skcipher_request_ctx(req);
switch (ctx->crypto_type) {
@@ -1135,6 +1138,9 @@ static int artpec6_crypto_decrypt(struct skcipher_request *req)
struct artpec6_crypto_request_context *req_ctx = NULL;
void (*complete)(struct crypto_async_request *req);
+ if (!req->cryptlen)
+ return 0;
+
req_ctx = skcipher_request_ctx(req);
switch (ctx->crypto_type) {
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Thomas Gleixner <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: "H. Peter Anvin" <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
arch/x86/crypto/glue_helper.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/crypto/glue_helper.c b/arch/x86/crypto/glue_helper.c
index d3d91a0abf88..cc5042c72910 100644
--- a/arch/x86/crypto/glue_helper.c
+++ b/arch/x86/crypto/glue_helper.c
@@ -275,6 +275,9 @@ int glue_xts_req_128bit(const struct common_glue_ctx *gctx,
unsigned int nbytes, tail;
int err;
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < XTS_BLOCK_SIZE)
return -EINVAL;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Signed-off-by: Andrei Botila <[email protected]>
---
drivers/crypto/hisilicon/sec/sec_algs.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/crypto/hisilicon/sec/sec_algs.c b/drivers/crypto/hisilicon/sec/sec_algs.c
index 8ca945ac297e..419ec4f23164 100644
--- a/drivers/crypto/hisilicon/sec/sec_algs.c
+++ b/drivers/crypto/hisilicon/sec/sec_algs.c
@@ -723,6 +723,10 @@ static int sec_alg_skcipher_crypto(struct skcipher_request *skreq,
bool split = skreq->src != skreq->dst;
gfp_t gfp = skreq->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL : GFP_ATOMIC;
+ if (!skreq->cryptlen && (ctx->cipher_alg == SEC_C_AES_XTS_128 ||
+ ctx->cipher_alg == SEC_C_AES_XTS_256))
+ return 0;
+
mutex_init(&sec_req->lock);
sec_req->req_base = &skreq->base;
sec_req->err = 0;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Boris Brezillon <[email protected]>
Cc: Arnaud Ebalard <[email protected]>
Cc: Srujana Challa <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
drivers/crypto/marvell/octeontx/otx_cptvf_algs.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c b/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
index 90bb31329d4b..ec13bc3f1766 100644
--- a/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
+++ b/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
@@ -340,11 +340,16 @@ static inline int cpt_enc_dec(struct skcipher_request *req, u32 enc)
{
struct crypto_skcipher *stfm = crypto_skcipher_reqtfm(req);
struct otx_cpt_req_ctx *rctx = skcipher_request_ctx(req);
+ struct crypto_tfm *tfm = crypto_skcipher_tfm(stfm);
+ struct otx_cpt_enc_ctx *ctx = crypto_tfm_ctx(tfm);
struct otx_cpt_req_info *req_info = &rctx->cpt_req;
u32 enc_iv_len = crypto_skcipher_ivsize(stfm);
struct pci_dev *pdev;
int status, cpu_num;
+ if (!req->cryptlen && ctx->cipher_type == OTX_CPT_AES_XTS)
+ return 0;
+
/* Validate that request doesn't exceed maximum CPT supported size */
if (req->cryptlen > OTX_CPT_MAX_REQ_SIZE)
return -E2BIG;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Heiko Carstens <[email protected]>
Cc: Vasily Gorbik <[email protected]>
Cc: Christian Borntraeger <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
arch/s390/crypto/aes_s390.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c
index 73044634d342..bc8855f4b7d1 100644
--- a/arch/s390/crypto/aes_s390.c
+++ b/arch/s390/crypto/aes_s390.c
@@ -437,6 +437,9 @@ static int xts_aes_crypt(struct skcipher_request *req, unsigned long modifier)
u8 init[16];
} xts_param;
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < AES_BLOCK_SIZE)
return -EINVAL;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: "Breno Leitão" <[email protected]>
Cc: Nayna Jain <[email protected]>
Cc: Paulo Flabiano Smorigo <[email protected]>
Cc: Benjamin Herrenschmidt <[email protected]>
Cc: Paul Mackerras <[email protected]>
Cc: Michael Ellerman <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
drivers/crypto/vmx/aes_xts.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/crypto/vmx/aes_xts.c b/drivers/crypto/vmx/aes_xts.c
index 9fee1b1532a4..33107c9e2656 100644
--- a/drivers/crypto/vmx/aes_xts.c
+++ b/drivers/crypto/vmx/aes_xts.c
@@ -84,6 +84,9 @@ static int p8_aes_xts_crypt(struct skcipher_request *req, int enc)
u8 tweak[AES_BLOCK_SIZE];
int ret;
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < AES_BLOCK_SIZE)
return -EINVAL;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Tom Lendacky <[email protected]>
Cc: John Allen <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
drivers/crypto/ccp/ccp-crypto-aes-xts.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/crypto/ccp/ccp-crypto-aes-xts.c b/drivers/crypto/ccp/ccp-crypto-aes-xts.c
index 6849261ca47d..6a93b54d388a 100644
--- a/drivers/crypto/ccp/ccp-crypto-aes-xts.c
+++ b/drivers/crypto/ccp/ccp-crypto-aes-xts.c
@@ -113,6 +113,9 @@ static int ccp_aes_xts_crypt(struct skcipher_request *req,
u32 unit_size;
int ret;
+ if (!req->cryptlen)
+ return 0;
+
if (!ctx->u.aes.key_len)
return -EINVAL;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Signed-off-by: Andrei Botila <[email protected]>
---
drivers/crypto/qce/skcipher.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/crypto/qce/skcipher.c b/drivers/crypto/qce/skcipher.c
index 5630c5addd28..887fd4dc9b43 100644
--- a/drivers/crypto/qce/skcipher.c
+++ b/drivers/crypto/qce/skcipher.c
@@ -223,6 +223,9 @@ static int qce_skcipher_crypt(struct skcipher_request *req, int encrypt)
int keylen;
int ret;
+ if (!req->cryptlen && IS_XTS(rctx->flags))
+ return 0;
+
rctx->flags = tmpl->alg_flags;
rctx->flags |= encrypt ? QCE_ENCRYPT : QCE_DECRYPT;
keylen = IS_XTS(rctx->flags) ? ctx->enc_keylen >> 1 : ctx->enc_keylen;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Ayush Sawal <[email protected]>
Cc: Vinay Kumar Yadav <[email protected]>
Cc: Rohit Maheshwari <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
drivers/crypto/chelsio/chcr_algo.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/crypto/chelsio/chcr_algo.c b/drivers/crypto/chelsio/chcr_algo.c
index 13b908ea4873..e9746580870a 100644
--- a/drivers/crypto/chelsio/chcr_algo.c
+++ b/drivers/crypto/chelsio/chcr_algo.c
@@ -1372,8 +1372,12 @@ static int chcr_aes_encrypt(struct skcipher_request *req)
int err;
struct uld_ctx *u_ctx = ULD_CTX(c_ctx(tfm));
struct chcr_context *ctx = c_ctx(tfm);
+ int subtype = get_cryptoalg_subtype(tfm);
unsigned int cpu;
+ if (!req->cryptlen && subtype == CRYPTO_ALG_SUB_TYPE_XTS)
+ return 0;
+
cpu = get_cpu();
reqctx->txqidx = cpu % ctx->ntxq;
reqctx->rxqidx = cpu % ctx->nrxq;
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Antoine Tenart <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
drivers/crypto/inside-secure/safexcel_cipher.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/crypto/inside-secure/safexcel_cipher.c b/drivers/crypto/inside-secure/safexcel_cipher.c
index 1ac3253b7903..03d06556ea98 100644
--- a/drivers/crypto/inside-secure/safexcel_cipher.c
+++ b/drivers/crypto/inside-secure/safexcel_cipher.c
@@ -2533,6 +2533,9 @@ static int safexcel_skcipher_aes_xts_cra_init(struct crypto_tfm *tfm)
static int safexcel_encrypt_xts(struct skcipher_request *req)
{
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < XTS_BLOCK_SIZE)
return -EINVAL;
return safexcel_queue_req(&req->base, skcipher_request_ctx(req),
@@ -2541,6 +2544,9 @@ static int safexcel_encrypt_xts(struct skcipher_request *req)
static int safexcel_decrypt_xts(struct skcipher_request *req)
{
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < XTS_BLOCK_SIZE)
return -EINVAL;
return safexcel_queue_req(&req->base, skcipher_request_ctx(req),
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Zhang Shengju <[email protected]>
Cc: Tang Bin <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
drivers/crypto/bcm/cipher.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/crypto/bcm/cipher.c b/drivers/crypto/bcm/cipher.c
index 8a7fa1ae1ade..8a6f225f4db7 100644
--- a/drivers/crypto/bcm/cipher.c
+++ b/drivers/crypto/bcm/cipher.c
@@ -1754,6 +1754,9 @@ static int skcipher_enqueue(struct skcipher_request *req, bool encrypt)
crypto_skcipher_ctx(crypto_skcipher_reqtfm(req));
int err;
+ if (!req->cryptlen && ctx->cipher.mode == CIPHER_MODE_XTS)
+ return 0;
+
flow_log("%s() enc:%u\n", __func__, encrypt);
rctx->gfp = (req->base.flags & (CRYPTO_TFM_REQ_MAY_BACKLOG |
--
2.17.1
From: Andrei Botila <[email protected]>
Standardize the way input lengths equal to 0 are handled in all skcipher
algorithms. All the algorithms return 0 for input lengths equal to zero.
Cc: Russell King <[email protected]>
Signed-off-by: Andrei Botila <[email protected]>
---
arch/arm/crypto/aes-ce-glue.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm/crypto/aes-ce-glue.c b/arch/arm/crypto/aes-ce-glue.c
index b668c97663ec..57a9cf7fe98a 100644
--- a/arch/arm/crypto/aes-ce-glue.c
+++ b/arch/arm/crypto/aes-ce-glue.c
@@ -452,6 +452,9 @@ static int xts_encrypt(struct skcipher_request *req)
struct scatterlist *src, *dst;
struct skcipher_walk walk;
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < AES_BLOCK_SIZE)
return -EINVAL;
@@ -524,6 +527,9 @@ static int xts_decrypt(struct skcipher_request *req)
struct scatterlist *src, *dst;
struct skcipher_walk walk;
+ if (!req->cryptlen)
+ return 0;
+
if (req->cryptlen < AES_BLOCK_SIZE)
return -EINVAL;
--
2.17.1
> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Andrei Botila
> Sent: Friday, August 7, 2020 6:20 PM
> To: Herbert Xu <[email protected]>; David S. Miller <[email protected]>
> Cc: [email protected]; [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; [email protected]; Andrei Botila <[email protected]>; Antoine Tenart
> <[email protected]>
> Subject: [PATCH 19/22] crypto: inside-secure - add check for xts input length equal to zero
>
> <<< External Email >>>
> From: Andrei Botila <[email protected]>
>
> Standardize the way input lengths equal to 0 are handled in all skcipher
> algorithms. All the algorithms return 0 for input lengths equal to zero.
>
> Cc: Antoine Tenart <[email protected]>
> Signed-off-by: Andrei Botila <[email protected]>
> ---
> drivers/crypto/inside-secure/safexcel_cipher.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/crypto/inside-secure/safexcel_cipher.c b/drivers/crypto/inside-secure/safexcel_cipher.c
> index 1ac3253b7903..03d06556ea98 100644
> --- a/drivers/crypto/inside-secure/safexcel_cipher.c
> +++ b/drivers/crypto/inside-secure/safexcel_cipher.c
> @@ -2533,6 +2533,9 @@ static int safexcel_skcipher_aes_xts_cra_init(struct crypto_tfm *tfm)
>
> static int safexcel_encrypt_xts(struct skcipher_request *req)
> {
> +if (!req->cryptlen)
> +return 0;
> +
> if (req->cryptlen < XTS_BLOCK_SIZE)
> return -EINVAL;
> return safexcel_queue_req(&req->base, skcipher_request_ctx(req),
> @@ -2541,6 +2544,9 @@ static int safexcel_encrypt_xts(struct skcipher_request *req)
>
> static int safexcel_decrypt_xts(struct skcipher_request *req)
> {
> +if (!req->cryptlen)
> +return 0;
> +
> if (req->cryptlen < XTS_BLOCK_SIZE)
> return -EINVAL;
> return safexcel_queue_req(&req->base, skcipher_request_ctx(req),
> --
> 2.17.1
With all due respect, but this makes no sense.
For XTS, any length below 16 is illegal, as applying CTS in order to handle non-cipher
block multiples (16 bytes in case of AES) requires _more_ data than 1 cipher block.
There is no benefit to explicitly check for zero length if there is already a check for
less-than-16. That's just wasting CPU cycles and a branch predictor entry, for no
benefit whatsoever. (except for academic "alignment with other ciphers").
XTS has very specific use cases. No one in their right mind would call it for a
situation where it can't be applied in the first place, e.g. anything < 16 bytes.
Regards,
Pascal van Leeuwen
Silicon IP Architect Multi-Protocol Engines, Rambus Security
Rambus ROTW Holding BV
+31-73 6581953
Note: The Inside Secure/Verimatrix Silicon IP team was recently acquired by Rambus.
Please be so kind to update your e-mail address book with my new e-mail address.
** This message and any attachments are for the sole use of the intended recipient(s). It may contain information that is confidential and privileged. If you are not the intended recipient of this message, you are prohibited from printing, copying, forwarding or saving it. Please delete the message and attachments and notify the sender immediately. **
Rambus Inc.<http://www.rambus.com>
On Mon, Aug 10, 2020 at 10:20:20AM +0000, Van Leeuwen, Pascal wrote:
>
> With all due respect, but this makes no sense.
I agree. This is a lot of churn for no gain.
Thanks,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On 8/10/2020 4:45 PM, Herbert Xu wrote:
> On Mon, Aug 10, 2020 at 10:20:20AM +0000, Van Leeuwen, Pascal wrote:
>>
>> With all due respect, but this makes no sense.
>
> I agree. This is a lot of churn for no gain.
>
I would say the gain is that all skcipher algorithms would behave the same
when input length equals zero - i.e. treat the request as a no-op.
We can't say "no input" has any meaning to the other skcipher algorithms,
but the convention is to accept this case and just return 0.
I don't see why XTS has to be handled differently.
Thanks,
Horia
On Mon, Aug 10, 2020 at 05:33:39PM +0300, Horia Geantă wrote:
> On 8/10/2020 4:45 PM, Herbert Xu wrote:
> > On Mon, Aug 10, 2020 at 10:20:20AM +0000, Van Leeuwen, Pascal wrote:
> >>
> >> With all due respect, but this makes no sense.
> >
> > I agree. This is a lot of churn for no gain.
> >
> I would say the gain is that all skcipher algorithms would behave the same
> when input length equals zero - i.e. treat the request as a no-op.
>
> We can't say "no input" has any meaning to the other skcipher algorithms,
> but the convention is to accept this case and just return 0.
> I don't see why XTS has to be handled differently.
>
CTS also rejects empty inputs.
The rule it follows is just that all input lengths >= blocksize are allowed.
Input lengths < blocksize aren't allowed.
- Eric
> -----Original Message-----
> From: Horia Geantă <[email protected]>
> Sent: Monday, August 10, 2020 4:34 PM
> To: Herbert Xu <[email protected]>; Van Leeuwen, Pascal <[email protected]>
> Cc: Andrei Botila (OSS) <[email protected]>; David S. Miller <[email protected]>; [email protected]; linux-
> [email protected]; [email protected]; [email protected]; [email protected];
> [email protected]; [email protected]; Andrei Botila <[email protected]>; Antoine Tenart <[email protected]>
> Subject: Re: [PATCH 19/22] crypto: inside-secure - add check for xts input length equal to zero
>
> <<< External Email >>>
> On 8/10/2020 4:45 PM, Herbert Xu wrote:
> > On Mon, Aug 10, 2020 at 10:20:20AM +0000, Van Leeuwen, Pascal wrote:
> >>
> >> With all due respect, but this makes no sense.
> >
> > I agree. This is a lot of churn for no gain.
> >
> I would say the gain is that all skcipher algorithms would behave the same
> when input length equals zero - i.e. treat the request as a no-op.
>
XTS already behaves differently because it can accept any byte amount as long
as it is not in the range 0 -16. So far, you got an EINVAL error for lengths < 16.
The special exception on top of that for length 0 does not improve anything.
Treating a request of length 0 as a no-op is not a useful feature here, as there
is no use case where that would make sense. XTS encrypts blocks (usually disk
sectors), and cannot be chained. So an attempt to encrypt a zero length block
is most certainly some kind of error (e.g. trying to use XTS for something it
was not designed to do - big security mistake!).
> We can't say "no input" has any meaning to the other skcipher algorithms,
> but the convention is to accept this case and just return 0.
> I don't see why XTS has to be handled differently.
>
I don't see why you would blindly follow some historical convention ...
unless maybe there was some existing real use case that would benefit?
BTW: for generic ciphers I could think of some use cases where the zero
length request being a no-op makes sense if the application does not
bother to check how much data it has gathered to process (which may be
nothing), but I can't see how this could apply to XTS, being block-based.
> Thanks,
> Horia
Regards,
Pascal van Leeuwen
Silicon IP Architect Multi-Protocol Engines, Rambus Security
Rambus ROTW Holding BV
+31-73 6581953
Note: The Inside Secure/Verimatrix Silicon IP team was recently acquired by Rambus.
Please be so kind to update your e-mail address book with my new e-mail address.
** This message and any attachments are for the sole use of the intended recipient(s). It may contain information that is confidential and privileged. If you are not the intended recipient of this message, you are prohibited from printing, copying, forwarding or saving it. Please delete the message and attachments and notify the sender immediately. **
Rambus Inc.<http://www.rambus.com>
On 8/10/2020 8:03 PM, Eric Biggers wrote:
> On Mon, Aug 10, 2020 at 05:33:39PM +0300, Horia Geantă wrote:
>> On 8/10/2020 4:45 PM, Herbert Xu wrote:
>>> On Mon, Aug 10, 2020 at 10:20:20AM +0000, Van Leeuwen, Pascal wrote:
>>>>
>>>> With all due respect, but this makes no sense.
>>>
>>> I agree. This is a lot of churn for no gain.
>>>
>> I would say the gain is that all skcipher algorithms would behave the same
>> when input length equals zero - i.e. treat the request as a no-op.
>>
>> We can't say "no input" has any meaning to the other skcipher algorithms,
>> but the convention is to accept this case and just return 0.
>> I don't see why XTS has to be handled differently.
>>
>
> CTS also rejects empty inputs.
>
> The rule it follows is just that all input lengths >= blocksize are allowed.
> Input lengths < blocksize aren't allowed.
>
Indeed, thanks.
What about, for example, CBC?
AFAICT cbc(aes) with input length = 0 is valid.
Same for CTR (with the note that blocksize = 1) and several other algorithms
mentioned in the cover letter.
What's the rule in these cases?
Thanks,
Horia
On Tue, Aug 11, 2020 at 06:28:39PM +0300, Horia Geantă wrote:
>
> What about, for example, CBC?
> AFAICT cbc(aes) with input length = 0 is valid.
That's just because CBC accepts any input which is a multiple
of blocksize.
> Same for CTR (with the note that blocksize = 1) and several other algorithms
> mentioned in the cover letter.
CTR accepts any input size.
> What's the rule in these cases?
What input size is accepted depends on the algorithm.
Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt