From: Stephan Mueller Subject: [PATCH v8 0/2] crypto: AF_ALG: add AEAD and RNG support Date: Wed, 07 Jan 2015 16:51:05 +0100 Message-ID: <33040723.pAXIT3fl8h@tachyon.chronox.de> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7Bit Cc: 'Quentin Gouchet' , Daniel Borkmann , linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, linux-crypto@vger.kernel.org To: 'Herbert Xu' Return-path: Received: from mail.eperm.de ([89.247.134.16]:59405 "EHLO mail.eperm.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753600AbbAGPwm (ORCPT ); Wed, 7 Jan 2015 10:52:42 -0500 Received: from tachyon.chronox.de by mail.eperm.de with [XMail 1.27 ESMTP Server] id for from ; Wed, 7 Jan 2015 16:52:39 +0100 Sender: linux-crypto-owner@vger.kernel.org List-ID: Hi, This patch set adds AEAD and RNG support to the AF_ALG interface exported by the kernel crypto API. By extending AF_ALG with AEAD and RNG support, all cipher types the kernel crypto API allows access to are now accessible from userspace. Both, AEAD and RNG implementations are stand-alone and do not depend other AF_ALG interfaces (like hash or skcipher). The AEAD implementation uses the same approach as provided with skcipher by offering the following interfaces: * sendmsg and recvmsg interfaces allowing multiple invocations supporting a threaded user space. To support multi-threaded user space, kernel-side buffering is implemented similarly to skcipher. * splice / vmsplice interfaces allowing a zero-copy invocation The RNG interface only implements the recvmsg interface as zero-copy is not applicable. The new AEAD and RNG interfaces are fully tested with the test application provided at [1]. That test application exercises all newly added user space interfaces. The testing covers: * use of the sendmsg/recvmsg interface * use of the splice / vmsplice interface * invocation of all AF_ALG types (aead, rng, skcipher, hash) * using all types of operation (encryption, decryption, keyed MD, MD, random numbers, AEAD decryption with positive and negative authentication verification) * stress testing by running all tests for 30 minutes in an endless loop * test execution on 64 bit and 32 bit [1] http://www.chronox.de/libkcapi.html Changes v2: * rebase to current cryptodev-2.6 tree * use memzero_explicit to zeroize AEAD associated data * use sizeof for determining length of AEAD associated data * update algif_rng.c covering all suggestions from Daniel Borkmann * addition of patch 9: add digestsize interface for hashes * addition of patch to update documentation covering the userspace interface * change numbers of getsockopt options: separate them from sendmsg interface definitions Changes v3: * remove getsockopt interface * AEAD: associated data is set prepended to the plain/ciphertext * AEAD: allowing arbitrary associated data lengths * remove setkey patch as protection was already in the existing code Changes v4: * stand-alone implementation of AEAD * testing of all interfaces offered by AEAD * stress testing of AEAD and RNG Changes v5: * AEAD: add outer while(size) loop in aead_sendmsg to ensure all data is copied into the kernel (reporter Herbert Xu) * AEAD: aead_sendmsg bug fix: change size -= len; to size -= plen; * AF_ALG / AEAD: add aead_setauthsize and associated extension to struct af_alg_type as well as alg_setsockopt (reporter Herbert Xu) * RNG: rng_recvmsg: use 128 byte stack variable for output of RNG instead of ctx->result (reporter Herbert Xu) * RNG / AF_ALG: allow user space to seed RNG via setsockopt * RNG: rng_recvmsg bug fix: use genlen as result variable for crypto_rng_get_bytes as previously no negative errors were obtained * AF_ALG: alg_setop: zeroize buffer before free Changes v6: * AEAD/RNG: port to 3.19-rc1 with the iov_iter handling * RNG: use the setkey interface to obtain the seed and drop the patch adding a separate reseeding interface * extract the zeroization patch for alg_setkey into a stand-alone patch submission * fix bug in aead_sufficient_data (reporter Herbert Xu) * testing of all interfaces with test application provided with libkcapi version 0.6.2 Changes v7: * AEAD: aead_recvmsg: change error code from ENOMEM to EINVAL * AEAD: drop aead_readable/aead_sufficient_data and only use ctx->more to decide whether the read side shall become active. This change requires that the patch for crypto_aead_decrypt ensuring that the ciphertext contains the authentication tag was added -- see https://lkml.org/lkml/2014/12/30/200. Otherwise, user space can trigger a kernel crash. * RNG: patch dropped as it was applied * AEAD: port Kconfig/Makefile patch forward to current code base Changes v8: * Removed check for aead_assoclen in aead_sendmsg * Fix endless loop bug in aead_sendmsg (check for sgl->cur > ALG_MAX_PAGES in while condition removed -- this condition is checked within the loop already) * Resurrect aead_sufficient_data and call it in aead_sendmsg, aead_sendpage to notify caller about wrong invocation * Re-add aead_sufficient_data to aead_recvmsg to verify user input data before using them to ensure the kernel protects against malicious parameters * Allow arbitrary size of AD (i.e. up to the maximum buffer size of ALG_MAX_PAGES) * When aead_recvmsg receives an error from decryption, release all pages if the error is EBADMSG -- this error implies that a proper decryption was performed but the integrity of the message is lost. This error is considered to be a valid decryption result. * Add test cases for sendmsg and splice interface to test large AD sizes (in case of sendmsg, use 65504 bytes AD and 32 bytes plaintext; in case of splice use 15 pages AD and 32 bytes in the 16th page for plaintext). See [1] for updated test case. Stephan Mueller (2): crypto: AF_ALG: add AEAD support crypto: AF_ALG: enable AEAD interface compilation crypto/Kconfig | 9 + crypto/Makefile | 1 + crypto/algif_aead.c | 666 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 676 insertions(+) create mode 100644 crypto/algif_aead.c -- 2.1.0