2019-05-27 08:55:01 +02:00
// SPDX-License-Identifier: GPL-2.0-or-later
2007-09-19 20:23:13 +08:00
/* XTS: as defined in IEEE1619/D16
* http : //grouper.ieee.org/groups/1619/email/pdf00086.pdf
*
* Copyright ( c ) 2007 Rik Snel < rsnel @ cube . dyndns . org >
*
2016-08-10 11:29:33 +02:00
* Based on ecb . c
2007-09-19 20:23:13 +08:00
* Copyright ( c ) 2006 Herbert Xu < herbert @ gondor . apana . org . au >
*/
2020-12-11 13:27:15 +01:00
# include <crypto/internal/cipher.h>
2016-11-22 20:08:19 +08:00
# include <crypto/internal/skcipher.h>
# include <crypto/scatterwalk.h>
2007-09-19 20:23:13 +08:00
# include <linux/err.h>
# include <linux/init.h>
# include <linux/kernel.h>
# include <linux/module.h>
# include <linux/scatterlist.h>
# include <linux/slab.h>
2011-11-09 11:56:06 +08:00
# include <crypto/xts.h>
2007-09-19 20:23:13 +08:00
# include <crypto/b128ops.h>
# include <crypto/gf128mul.h>
2020-07-10 20:34:28 -07:00
struct xts_tfm_ctx {
2016-11-22 20:08:19 +08:00
struct crypto_skcipher * child ;
2007-09-19 20:23:13 +08:00
struct crypto_cipher * tweak ;
} ;
2016-11-22 20:08:19 +08:00
struct xts_instance_ctx {
struct crypto_skcipher_spawn spawn ;
crypto: xts - use 'spawn' for underlying single-block cipher
Since commit adad556efcdd ("crypto: api - Fix built-in testing
dependency failures"), the following warning appears when booting an
x86_64 kernel that is configured with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
This is caused by an issue in the xts template where it allocates an
"aes" single-block cipher without declaring a dependency on it via the
crypto_spawn mechanism. This issue was exposed by the above commit
because it reversed the order that the algorithms are tested in.
Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
during the comparison tests for "xts-aes-aesni", the "xts" template
allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
bit weird, but it's apparently intended.) Due to the above-mentioned
commit, the testing of "aes-aesni", and the finalization of its
registration, now happens at this point instead of before. At the end
of that, crypto_remove_spawns() unregisters all algorithm instances that
depend on a lower-priority "aes" implementation such as "aes-generic"
but that do not depend on "aes-aesni". However, because "xts" does not
use the crypto_spawn mechanism for its "aes", its dependency on
"aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
Fix this issue by making the "xts" template use the crypto_spawn
mechanism for its "aes" dependency, like what other templates do.
Note, this fix could be applied as far back as commit f1c131b45410
("crypto: xts - Convert to skcipher"). However, the issue only got
exposed by the much more recent changes to how the crypto API runs the
self-tests, so there should be no need to backport this to very old
kernels. Also, an alternative fix would be to flip the list iteration
order in crypto_start_tests() to restore the original testing order.
I'm thinking we should do that too, since the original order seems more
natural, but it shouldn't be relied on for correctness.
Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-08 19:31:16 -07:00
struct crypto_cipher_spawn tweak_spawn ;
2016-11-22 20:08:19 +08:00
} ;
2020-07-10 20:34:28 -07:00
struct xts_request_ctx {
2017-04-02 21:19:14 +02:00
le128 t ;
2019-08-09 20:14:57 +03:00
struct scatterlist * tail ;
struct scatterlist sg [ 2 ] ;
2016-11-22 20:08:19 +08:00
struct skcipher_request subreq ;
} ;
2020-07-10 20:34:28 -07:00
static int xts_setkey ( struct crypto_skcipher * parent , const u8 * key ,
unsigned int keylen )
2007-09-19 20:23:13 +08:00
{
2020-07-10 20:34:28 -07:00
struct xts_tfm_ctx * ctx = crypto_skcipher_ctx ( parent ) ;
2016-11-22 20:08:19 +08:00
struct crypto_skcipher * child ;
struct crypto_cipher * tweak ;
2007-09-19 20:23:13 +08:00
int err ;
2016-11-22 20:08:19 +08:00
err = xts_verify_key ( parent , key , keylen ) ;
2016-02-09 15:37:47 +01:00
if ( err )
return err ;
2007-09-19 20:23:13 +08:00
2016-11-22 20:08:19 +08:00
keylen / = 2 ;
2011-03-30 22:57:33 -03:00
/* we need two cipher instances: one to compute the initial 'tweak'
2007-09-19 20:23:13 +08:00
* by encrypting the IV ( usually the ' plain ' iv ) and the other
* one to encrypt and decrypt the data */
/* tweak cipher, uses Key2 i.e. the second half of *key */
2016-11-22 20:08:19 +08:00
tweak = ctx - > tweak ;
crypto_cipher_clear_flags ( tweak , CRYPTO_TFM_REQ_MASK ) ;
crypto_cipher_set_flags ( tweak , crypto_skcipher_get_flags ( parent ) &
2007-09-19 20:23:13 +08:00
CRYPTO_TFM_REQ_MASK ) ;
2016-11-22 20:08:19 +08:00
err = crypto_cipher_setkey ( tweak , key + keylen , keylen ) ;
2007-09-19 20:23:13 +08:00
if ( err )
return err ;
2016-11-22 20:08:19 +08:00
/* data cipher, uses Key1 i.e. the first half of *key */
2007-09-19 20:23:13 +08:00
child = ctx - > child ;
2016-11-22 20:08:19 +08:00
crypto_skcipher_clear_flags ( child , CRYPTO_TFM_REQ_MASK ) ;
crypto_skcipher_set_flags ( child , crypto_skcipher_get_flags ( parent ) &
CRYPTO_TFM_REQ_MASK ) ;
2019-12-30 21:19:38 -06:00
return crypto_skcipher_setkey ( child , key , keylen ) ;
2016-11-22 20:08:19 +08:00
}
2007-09-19 20:23:13 +08:00
2018-09-11 09:40:08 +02:00
/*
* We compute the tweak masks twice ( both before and after the ECB encryption or
* decryption ) to avoid having to allocate a temporary buffer and / or make
* mutliple calls to the ' ecb ( . . ) ' instance , which usually would be slower than
* just doing the gf128mul_x_ble ( ) calls again .
*/
2020-07-10 20:34:28 -07:00
static int xts_xor_tweak ( struct skcipher_request * req , bool second_pass ,
bool enc )
2016-11-22 20:08:19 +08:00
{
2020-07-10 20:34:28 -07:00
struct xts_request_ctx * rctx = skcipher_request_ctx ( req ) ;
2018-09-11 09:40:08 +02:00
struct crypto_skcipher * tfm = crypto_skcipher_reqtfm ( req ) ;
2019-08-09 20:14:57 +03:00
const bool cts = ( req - > cryptlen % XTS_BLOCK_SIZE ) ;
2016-11-22 20:08:19 +08:00
const int bs = XTS_BLOCK_SIZE ;
struct skcipher_walk w ;
2018-09-11 09:40:08 +02:00
le128 t = rctx - > t ;
2016-11-22 20:08:19 +08:00
int err ;
2007-09-19 20:23:13 +08:00
2018-09-11 09:40:08 +02:00
if ( second_pass ) {
req = & rctx - > subreq ;
/* set to our TFM to enforce correct alignment: */
skcipher_request_set_tfm ( req , tfm ) ;
2016-11-22 20:08:19 +08:00
}
2018-09-11 09:40:08 +02:00
err = skcipher_walk_virt ( & w , req , false ) ;
2007-09-19 20:23:13 +08:00
2016-11-22 20:08:19 +08:00
while ( w . nbytes ) {
unsigned int avail = w . nbytes ;
2017-04-02 21:19:14 +02:00
le128 * wsrc ;
le128 * wdst ;
2007-09-19 20:23:13 +08:00
2016-11-22 20:08:19 +08:00
wsrc = w . src . virt . addr ;
wdst = w . dst . virt . addr ;
2007-09-19 20:23:13 +08:00
2016-11-22 20:08:19 +08:00
do {
2019-08-09 20:14:57 +03:00
if ( unlikely ( cts ) & &
w . total - w . nbytes + avail < 2 * XTS_BLOCK_SIZE ) {
if ( ! enc ) {
if ( second_pass )
rctx - > t = t ;
gf128mul_x_ble ( & t , & t ) ;
}
le128_xor ( wdst , & t , wsrc ) ;
if ( enc & & second_pass )
gf128mul_x_ble ( & rctx - > t , & t ) ;
skcipher_walk_done ( & w , avail - bs ) ;
return 0 ;
}
2018-09-11 09:40:08 +02:00
le128_xor ( wdst + + , & t , wsrc + + ) ;
gf128mul_x_ble ( & t , & t ) ;
2007-09-19 20:23:13 +08:00
} while ( ( avail - = bs ) > = bs ) ;
2016-11-22 20:08:19 +08:00
err = skcipher_walk_done ( & w , avail ) ;
}
2007-09-19 20:23:13 +08:00
return err ;
}
2020-07-10 20:34:28 -07:00
static int xts_xor_tweak_pre ( struct skcipher_request * req , bool enc )
2019-08-09 20:14:57 +03:00
{
2020-07-10 20:34:28 -07:00
return xts_xor_tweak ( req , false , enc ) ;
2019-08-09 20:14:57 +03:00
}
2020-07-10 20:34:28 -07:00
static int xts_xor_tweak_post ( struct skcipher_request * req , bool enc )
2019-08-09 20:14:57 +03:00
{
2020-07-10 20:34:28 -07:00
return xts_xor_tweak ( req , true , enc ) ;
2019-08-09 20:14:57 +03:00
}
2023-02-08 13:58:44 +08:00
static void xts_cts_done ( void * data , int err )
2007-09-19 20:23:13 +08:00
{
2023-02-08 13:58:44 +08:00
struct skcipher_request * req = data ;
2019-08-09 20:14:57 +03:00
le128 b ;
if ( ! err ) {
2020-07-10 20:34:28 -07:00
struct xts_request_ctx * rctx = skcipher_request_ctx ( req ) ;
2019-08-09 20:14:57 +03:00
scatterwalk_map_and_copy ( & b , rctx - > tail , 0 , XTS_BLOCK_SIZE , 0 ) ;
le128_xor ( & b , & rctx - > t , & b ) ;
scatterwalk_map_and_copy ( & b , rctx - > tail , 0 , XTS_BLOCK_SIZE , 1 ) ;
}
skcipher_request_complete ( req , err ) ;
}
2020-07-10 20:34:28 -07:00
static int xts_cts_final ( struct skcipher_request * req ,
int ( * crypt ) ( struct skcipher_request * req ) )
2019-08-09 20:14:57 +03:00
{
2020-07-10 20:34:28 -07:00
const struct xts_tfm_ctx * ctx =
crypto_skcipher_ctx ( crypto_skcipher_reqtfm ( req ) ) ;
2019-08-09 20:14:57 +03:00
int offset = req - > cryptlen & ~ ( XTS_BLOCK_SIZE - 1 ) ;
2020-07-10 20:34:28 -07:00
struct xts_request_ctx * rctx = skcipher_request_ctx ( req ) ;
2019-08-09 20:14:57 +03:00
struct skcipher_request * subreq = & rctx - > subreq ;
int tail = req - > cryptlen % XTS_BLOCK_SIZE ;
le128 b [ 2 ] ;
int err ;
rctx - > tail = scatterwalk_ffwd ( rctx - > sg , req - > dst ,
offset - XTS_BLOCK_SIZE ) ;
scatterwalk_map_and_copy ( b , rctx - > tail , 0 , XTS_BLOCK_SIZE , 0 ) ;
2020-07-21 09:05:54 +03:00
b [ 1 ] = b [ 0 ] ;
2019-08-09 20:14:57 +03:00
scatterwalk_map_and_copy ( b , req - > src , offset , tail , 0 ) ;
le128_xor ( b , & rctx - > t , b ) ;
scatterwalk_map_and_copy ( b , rctx - > tail , 0 , XTS_BLOCK_SIZE + tail , 1 ) ;
skcipher_request_set_tfm ( subreq , ctx - > child ) ;
2020-07-10 20:34:28 -07:00
skcipher_request_set_callback ( subreq , req - > base . flags , xts_cts_done ,
req ) ;
2019-08-09 20:14:57 +03:00
skcipher_request_set_crypt ( subreq , rctx - > tail , rctx - > tail ,
XTS_BLOCK_SIZE , NULL ) ;
err = crypt ( subreq ) ;
if ( err )
return err ;
scatterwalk_map_and_copy ( b , rctx - > tail , 0 , XTS_BLOCK_SIZE , 0 ) ;
le128_xor ( b , & rctx - > t , b ) ;
scatterwalk_map_and_copy ( b , rctx - > tail , 0 , XTS_BLOCK_SIZE , 1 ) ;
return 0 ;
2016-11-22 20:08:19 +08:00
}
2023-02-08 13:58:44 +08:00
static void xts_encrypt_done ( void * data , int err )
2016-11-22 20:08:19 +08:00
{
2023-02-08 13:58:44 +08:00
struct skcipher_request * req = data ;
2019-08-09 20:14:57 +03:00
if ( ! err ) {
2020-07-10 20:34:28 -07:00
struct xts_request_ctx * rctx = skcipher_request_ctx ( req ) ;
2019-08-09 20:14:57 +03:00
2023-01-22 16:07:37 +08:00
rctx - > subreq . base . flags & = CRYPTO_TFM_REQ_MAY_BACKLOG ;
2020-07-10 20:34:28 -07:00
err = xts_xor_tweak_post ( req , true ) ;
2019-08-09 20:14:57 +03:00
if ( ! err & & unlikely ( req - > cryptlen % XTS_BLOCK_SIZE ) ) {
2020-07-10 20:34:28 -07:00
err = xts_cts_final ( req , crypto_skcipher_encrypt ) ;
2023-01-22 16:07:37 +08:00
if ( err = = - EINPROGRESS | | err = = - EBUSY )
2019-08-09 20:14:57 +03:00
return ;
}
}
skcipher_request_complete ( req , err ) ;
2016-11-22 20:08:19 +08:00
}
2023-02-08 13:58:44 +08:00
static void xts_decrypt_done ( void * data , int err )
2016-11-22 20:08:19 +08:00
{
2023-02-08 13:58:44 +08:00
struct skcipher_request * req = data ;
2017-04-08 10:02:46 +08:00
2019-04-15 14:35:19 +08:00
if ( ! err ) {
2020-07-10 20:34:28 -07:00
struct xts_request_ctx * rctx = skcipher_request_ctx ( req ) ;
2019-04-15 14:35:19 +08:00
2023-01-22 16:07:37 +08:00
rctx - > subreq . base . flags & = CRYPTO_TFM_REQ_MAY_BACKLOG ;
2020-07-10 20:34:28 -07:00
err = xts_xor_tweak_post ( req , false ) ;
2019-08-09 20:14:57 +03:00
if ( ! err & & unlikely ( req - > cryptlen % XTS_BLOCK_SIZE ) ) {
2020-07-10 20:34:28 -07:00
err = xts_cts_final ( req , crypto_skcipher_decrypt ) ;
2023-01-22 16:07:37 +08:00
if ( err = = - EINPROGRESS | | err = = - EBUSY )
2019-08-09 20:14:57 +03:00
return ;
}
2019-04-15 14:35:19 +08:00
}
2016-11-22 20:08:19 +08:00
skcipher_request_complete ( req , err ) ;
}
2020-07-10 20:34:28 -07:00
static int xts_init_crypt ( struct skcipher_request * req ,
crypto_completion_t compl )
2016-11-22 20:08:19 +08:00
{
2020-07-10 20:34:28 -07:00
const struct xts_tfm_ctx * ctx =
crypto_skcipher_ctx ( crypto_skcipher_reqtfm ( req ) ) ;
struct xts_request_ctx * rctx = skcipher_request_ctx ( req ) ;
2018-09-11 09:40:08 +02:00
struct skcipher_request * subreq = & rctx - > subreq ;
2016-11-22 20:08:19 +08:00
2019-08-09 20:14:57 +03:00
if ( req - > cryptlen < XTS_BLOCK_SIZE )
return - EINVAL ;
2018-09-11 09:40:08 +02:00
skcipher_request_set_tfm ( subreq , ctx - > child ) ;
2019-08-09 20:14:57 +03:00
skcipher_request_set_callback ( subreq , req - > base . flags , compl , req ) ;
2018-09-11 09:40:08 +02:00
skcipher_request_set_crypt ( subreq , req - > dst , req - > dst ,
2019-08-09 20:14:57 +03:00
req - > cryptlen & ~ ( XTS_BLOCK_SIZE - 1 ) , NULL ) ;
2016-11-22 20:08:19 +08:00
2018-09-11 09:40:08 +02:00
/* calculate first value of T */
crypto_cipher_encrypt_one ( ctx - > tweak , ( u8 * ) & rctx - > t , req - > iv ) ;
2019-08-09 20:14:57 +03:00
return 0 ;
2016-11-22 20:08:19 +08:00
}
2020-07-10 20:34:28 -07:00
static int xts_encrypt ( struct skcipher_request * req )
2016-11-22 20:08:19 +08:00
{
2020-07-10 20:34:28 -07:00
struct xts_request_ctx * rctx = skcipher_request_ctx ( req ) ;
2018-09-11 09:40:08 +02:00
struct skcipher_request * subreq = & rctx - > subreq ;
2019-08-09 20:14:57 +03:00
int err ;
2020-07-10 20:34:28 -07:00
err = xts_init_crypt ( req , xts_encrypt_done ) ? :
xts_xor_tweak_pre ( req , true ) ? :
2019-08-09 20:14:57 +03:00
crypto_skcipher_encrypt ( subreq ) ? :
2020-07-10 20:34:28 -07:00
xts_xor_tweak_post ( req , true ) ;
2016-11-22 20:08:19 +08:00
2019-08-09 20:14:57 +03:00
if ( err | | likely ( ( req - > cryptlen % XTS_BLOCK_SIZE ) = = 0 ) )
return err ;
2020-07-10 20:34:28 -07:00
return xts_cts_final ( req , crypto_skcipher_encrypt ) ;
2016-11-22 20:08:19 +08:00
}
2020-07-10 20:34:28 -07:00
static int xts_decrypt ( struct skcipher_request * req )
2016-11-22 20:08:19 +08:00
{
2020-07-10 20:34:28 -07:00
struct xts_request_ctx * rctx = skcipher_request_ctx ( req ) ;
2018-09-11 09:40:08 +02:00
struct skcipher_request * subreq = & rctx - > subreq ;
2019-08-09 20:14:57 +03:00
int err ;
2020-07-10 20:34:28 -07:00
err = xts_init_crypt ( req , xts_decrypt_done ) ? :
xts_xor_tweak_pre ( req , false ) ? :
2019-08-09 20:14:57 +03:00
crypto_skcipher_decrypt ( subreq ) ? :
2020-07-10 20:34:28 -07:00
xts_xor_tweak_post ( req , false ) ;
2019-08-09 20:14:57 +03:00
if ( err | | likely ( ( req - > cryptlen % XTS_BLOCK_SIZE ) = = 0 ) )
return err ;
2018-09-11 09:40:08 +02:00
2020-07-10 20:34:28 -07:00
return xts_cts_final ( req , crypto_skcipher_decrypt ) ;
2007-09-19 20:23:13 +08:00
}
2020-07-10 20:34:28 -07:00
static int xts_init_tfm ( struct crypto_skcipher * tfm )
2007-09-19 20:23:13 +08:00
{
2016-11-22 20:08:19 +08:00
struct skcipher_instance * inst = skcipher_alg_instance ( tfm ) ;
struct xts_instance_ctx * ictx = skcipher_instance_ctx ( inst ) ;
2020-07-10 20:34:28 -07:00
struct xts_tfm_ctx * ctx = crypto_skcipher_ctx ( tfm ) ;
2016-11-22 20:08:19 +08:00
struct crypto_skcipher * child ;
struct crypto_cipher * tweak ;
2007-09-19 20:23:13 +08:00
2016-11-22 20:08:19 +08:00
child = crypto_spawn_skcipher ( & ictx - > spawn ) ;
if ( IS_ERR ( child ) )
return PTR_ERR ( child ) ;
2007-09-19 20:23:13 +08:00
2016-11-22 20:08:19 +08:00
ctx - > child = child ;
2007-09-19 20:23:13 +08:00
crypto: xts - use 'spawn' for underlying single-block cipher
Since commit adad556efcdd ("crypto: api - Fix built-in testing
dependency failures"), the following warning appears when booting an
x86_64 kernel that is configured with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
This is caused by an issue in the xts template where it allocates an
"aes" single-block cipher without declaring a dependency on it via the
crypto_spawn mechanism. This issue was exposed by the above commit
because it reversed the order that the algorithms are tested in.
Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
during the comparison tests for "xts-aes-aesni", the "xts" template
allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
bit weird, but it's apparently intended.) Due to the above-mentioned
commit, the testing of "aes-aesni", and the finalization of its
registration, now happens at this point instead of before. At the end
of that, crypto_remove_spawns() unregisters all algorithm instances that
depend on a lower-priority "aes" implementation such as "aes-generic"
but that do not depend on "aes-aesni". However, because "xts" does not
use the crypto_spawn mechanism for its "aes", its dependency on
"aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
Fix this issue by making the "xts" template use the crypto_spawn
mechanism for its "aes" dependency, like what other templates do.
Note, this fix could be applied as far back as commit f1c131b45410
("crypto: xts - Convert to skcipher"). However, the issue only got
exposed by the much more recent changes to how the crypto API runs the
self-tests, so there should be no need to backport this to very old
kernels. Also, an alternative fix would be to flip the list iteration
order in crypto_start_tests() to restore the original testing order.
I'm thinking we should do that too, since the original order seems more
natural, but it shouldn't be relied on for correctness.
Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-08 19:31:16 -07:00
tweak = crypto_spawn_cipher ( & ictx - > tweak_spawn ) ;
2016-11-22 20:08:19 +08:00
if ( IS_ERR ( tweak ) ) {
crypto_free_skcipher ( ctx - > child ) ;
return PTR_ERR ( tweak ) ;
2007-09-19 20:23:13 +08:00
}
2016-11-22 20:08:19 +08:00
ctx - > tweak = tweak ;
crypto_skcipher_set_reqsize ( tfm , crypto_skcipher_reqsize ( child ) +
2020-07-10 20:34:28 -07:00
sizeof ( struct xts_request_ctx ) ) ;
2007-09-19 20:23:13 +08:00
return 0 ;
}
2020-07-10 20:34:28 -07:00
static void xts_exit_tfm ( struct crypto_skcipher * tfm )
2007-09-19 20:23:13 +08:00
{
2020-07-10 20:34:28 -07:00
struct xts_tfm_ctx * ctx = crypto_skcipher_ctx ( tfm ) ;
2016-11-22 20:08:19 +08:00
crypto_free_skcipher ( ctx - > child ) ;
2007-09-19 20:23:13 +08:00
crypto_free_cipher ( ctx - > tweak ) ;
}
2020-07-10 20:34:28 -07:00
static void xts_free_instance ( struct skcipher_instance * inst )
2016-11-22 20:08:19 +08:00
{
2020-07-10 20:34:28 -07:00
struct xts_instance_ctx * ictx = skcipher_instance_ctx ( inst ) ;
crypto_drop_skcipher ( & ictx - > spawn ) ;
crypto: xts - use 'spawn' for underlying single-block cipher
Since commit adad556efcdd ("crypto: api - Fix built-in testing
dependency failures"), the following warning appears when booting an
x86_64 kernel that is configured with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
This is caused by an issue in the xts template where it allocates an
"aes" single-block cipher without declaring a dependency on it via the
crypto_spawn mechanism. This issue was exposed by the above commit
because it reversed the order that the algorithms are tested in.
Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
during the comparison tests for "xts-aes-aesni", the "xts" template
allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
bit weird, but it's apparently intended.) Due to the above-mentioned
commit, the testing of "aes-aesni", and the finalization of its
registration, now happens at this point instead of before. At the end
of that, crypto_remove_spawns() unregisters all algorithm instances that
depend on a lower-priority "aes" implementation such as "aes-generic"
but that do not depend on "aes-aesni". However, because "xts" does not
use the crypto_spawn mechanism for its "aes", its dependency on
"aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
Fix this issue by making the "xts" template use the crypto_spawn
mechanism for its "aes" dependency, like what other templates do.
Note, this fix could be applied as far back as commit f1c131b45410
("crypto: xts - Convert to skcipher"). However, the issue only got
exposed by the much more recent changes to how the crypto API runs the
self-tests, so there should be no need to backport this to very old
kernels. Also, an alternative fix would be to flip the list iteration
order in crypto_start_tests() to restore the original testing order.
I'm thinking we should do that too, since the original order seems more
natural, but it shouldn't be relied on for correctness.
Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-08 19:31:16 -07:00
crypto_drop_cipher ( & ictx - > tweak_spawn ) ;
2016-11-22 20:08:19 +08:00
kfree ( inst ) ;
}
2020-07-10 20:34:28 -07:00
static int xts_create ( struct crypto_template * tmpl , struct rtattr * * tb )
2007-09-19 20:23:13 +08:00
{
2023-10-03 11:43:32 +08:00
struct skcipher_alg_common * alg ;
crypto: xts - use 'spawn' for underlying single-block cipher
Since commit adad556efcdd ("crypto: api - Fix built-in testing
dependency failures"), the following warning appears when booting an
x86_64 kernel that is configured with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
This is caused by an issue in the xts template where it allocates an
"aes" single-block cipher without declaring a dependency on it via the
crypto_spawn mechanism. This issue was exposed by the above commit
because it reversed the order that the algorithms are tested in.
Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
during the comparison tests for "xts-aes-aesni", the "xts" template
allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
bit weird, but it's apparently intended.) Due to the above-mentioned
commit, the testing of "aes-aesni", and the finalization of its
registration, now happens at this point instead of before. At the end
of that, crypto_remove_spawns() unregisters all algorithm instances that
depend on a lower-priority "aes" implementation such as "aes-generic"
but that do not depend on "aes-aesni". However, because "xts" does not
use the crypto_spawn mechanism for its "aes", its dependency on
"aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
Fix this issue by making the "xts" template use the crypto_spawn
mechanism for its "aes" dependency, like what other templates do.
Note, this fix could be applied as far back as commit f1c131b45410
("crypto: xts - Convert to skcipher"). However, the issue only got
exposed by the much more recent changes to how the crypto API runs the
self-tests, so there should be no need to backport this to very old
kernels. Also, an alternative fix would be to flip the list iteration
order in crypto_start_tests() to restore the original testing order.
I'm thinking we should do that too, since the original order seems more
natural, but it shouldn't be relied on for correctness.
Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-08 19:31:16 -07:00
char name [ CRYPTO_MAX_ALG_NAME ] ;
2016-11-22 20:08:19 +08:00
struct skcipher_instance * inst ;
struct xts_instance_ctx * ctx ;
const char * cipher_name ;
2017-02-26 12:24:10 +08:00
u32 mask ;
2007-09-19 20:23:13 +08:00
int err ;
2020-07-09 23:20:38 -07:00
err = crypto_check_attr_type ( tb , CRYPTO_ALG_TYPE_SKCIPHER , & mask ) ;
if ( err )
return err ;
2016-11-22 20:08:19 +08:00
cipher_name = crypto_attr_alg_name ( tb [ 1 ] ) ;
if ( IS_ERR ( cipher_name ) )
return PTR_ERR ( cipher_name ) ;
inst = kzalloc ( sizeof ( * inst ) + sizeof ( * ctx ) , GFP_KERNEL ) ;
if ( ! inst )
return - ENOMEM ;
ctx = skcipher_instance_ctx ( inst ) ;
2020-01-02 19:58:45 -08:00
err = crypto_grab_skcipher ( & ctx - > spawn , skcipher_crypto_instance ( inst ) ,
cipher_name , 0 , mask ) ;
2016-11-22 20:08:19 +08:00
if ( err = = - ENOENT ) {
err = - ENAMETOOLONG ;
crypto: xts - use 'spawn' for underlying single-block cipher
Since commit adad556efcdd ("crypto: api - Fix built-in testing
dependency failures"), the following warning appears when booting an
x86_64 kernel that is configured with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
This is caused by an issue in the xts template where it allocates an
"aes" single-block cipher without declaring a dependency on it via the
crypto_spawn mechanism. This issue was exposed by the above commit
because it reversed the order that the algorithms are tested in.
Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
during the comparison tests for "xts-aes-aesni", the "xts" template
allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
bit weird, but it's apparently intended.) Due to the above-mentioned
commit, the testing of "aes-aesni", and the finalization of its
registration, now happens at this point instead of before. At the end
of that, crypto_remove_spawns() unregisters all algorithm instances that
depend on a lower-priority "aes" implementation such as "aes-generic"
but that do not depend on "aes-aesni". However, because "xts" does not
use the crypto_spawn mechanism for its "aes", its dependency on
"aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
Fix this issue by making the "xts" template use the crypto_spawn
mechanism for its "aes" dependency, like what other templates do.
Note, this fix could be applied as far back as commit f1c131b45410
("crypto: xts - Convert to skcipher"). However, the issue only got
exposed by the much more recent changes to how the crypto API runs the
self-tests, so there should be no need to backport this to very old
kernels. Also, an alternative fix would be to flip the list iteration
order in crypto_start_tests() to restore the original testing order.
I'm thinking we should do that too, since the original order seems more
natural, but it shouldn't be relied on for correctness.
Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-08 19:31:16 -07:00
if ( snprintf ( name , CRYPTO_MAX_ALG_NAME , " ecb(%s) " ,
2016-11-22 20:08:19 +08:00
cipher_name ) > = CRYPTO_MAX_ALG_NAME )
goto err_free_inst ;
2020-01-02 19:58:45 -08:00
err = crypto_grab_skcipher ( & ctx - > spawn ,
skcipher_crypto_instance ( inst ) ,
crypto: xts - use 'spawn' for underlying single-block cipher
Since commit adad556efcdd ("crypto: api - Fix built-in testing
dependency failures"), the following warning appears when booting an
x86_64 kernel that is configured with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
This is caused by an issue in the xts template where it allocates an
"aes" single-block cipher without declaring a dependency on it via the
crypto_spawn mechanism. This issue was exposed by the above commit
because it reversed the order that the algorithms are tested in.
Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
during the comparison tests for "xts-aes-aesni", the "xts" template
allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
bit weird, but it's apparently intended.) Due to the above-mentioned
commit, the testing of "aes-aesni", and the finalization of its
registration, now happens at this point instead of before. At the end
of that, crypto_remove_spawns() unregisters all algorithm instances that
depend on a lower-priority "aes" implementation such as "aes-generic"
but that do not depend on "aes-aesni". However, because "xts" does not
use the crypto_spawn mechanism for its "aes", its dependency on
"aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
Fix this issue by making the "xts" template use the crypto_spawn
mechanism for its "aes" dependency, like what other templates do.
Note, this fix could be applied as far back as commit f1c131b45410
("crypto: xts - Convert to skcipher"). However, the issue only got
exposed by the much more recent changes to how the crypto API runs the
self-tests, so there should be no need to backport this to very old
kernels. Also, an alternative fix would be to flip the list iteration
order in crypto_start_tests() to restore the original testing order.
I'm thinking we should do that too, since the original order seems more
natural, but it shouldn't be relied on for correctness.
Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-08 19:31:16 -07:00
name , 0 , mask ) ;
2016-11-22 20:08:19 +08:00
}
2007-09-19 20:23:13 +08:00
if ( err )
2016-11-22 20:08:19 +08:00
goto err_free_inst ;
2007-09-19 20:23:13 +08:00
2023-10-03 11:43:32 +08:00
alg = crypto_spawn_skcipher_alg_common ( & ctx - > spawn ) ;
2007-09-19 20:23:13 +08:00
2016-11-22 20:08:19 +08:00
err = - EINVAL ;
if ( alg - > base . cra_blocksize ! = XTS_BLOCK_SIZE )
2020-02-25 20:59:24 -08:00
goto err_free_inst ;
2007-09-19 20:23:13 +08:00
2023-10-03 11:43:32 +08:00
if ( alg - > ivsize )
2020-02-25 20:59:24 -08:00
goto err_free_inst ;
2007-09-19 20:23:13 +08:00
2016-11-22 20:08:19 +08:00
err = crypto_inst_setname ( skcipher_crypto_instance ( inst ) , " xts " ,
& alg - > base ) ;
if ( err )
2020-02-25 20:59:24 -08:00
goto err_free_inst ;
2007-09-19 20:23:13 +08:00
2016-11-22 20:08:19 +08:00
err = - EINVAL ;
cipher_name = alg - > base . cra_name ;
2007-09-19 20:23:13 +08:00
2016-11-22 20:08:19 +08:00
/* Alas we screwed up the naming so we have to mangle the
* cipher name .
*/
if ( ! strncmp ( cipher_name , " ecb( " , 4 ) ) {
2023-06-20 20:08:32 +00:00
int len ;
2007-09-19 20:23:13 +08:00
crypto: xts - use 'spawn' for underlying single-block cipher
Since commit adad556efcdd ("crypto: api - Fix built-in testing
dependency failures"), the following warning appears when booting an
x86_64 kernel that is configured with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
This is caused by an issue in the xts template where it allocates an
"aes" single-block cipher without declaring a dependency on it via the
crypto_spawn mechanism. This issue was exposed by the above commit
because it reversed the order that the algorithms are tested in.
Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
during the comparison tests for "xts-aes-aesni", the "xts" template
allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
bit weird, but it's apparently intended.) Due to the above-mentioned
commit, the testing of "aes-aesni", and the finalization of its
registration, now happens at this point instead of before. At the end
of that, crypto_remove_spawns() unregisters all algorithm instances that
depend on a lower-priority "aes" implementation such as "aes-generic"
but that do not depend on "aes-aesni". However, because "xts" does not
use the crypto_spawn mechanism for its "aes", its dependency on
"aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
Fix this issue by making the "xts" template use the crypto_spawn
mechanism for its "aes" dependency, like what other templates do.
Note, this fix could be applied as far back as commit f1c131b45410
("crypto: xts - Convert to skcipher"). However, the issue only got
exposed by the much more recent changes to how the crypto API runs the
self-tests, so there should be no need to backport this to very old
kernels. Also, an alternative fix would be to flip the list iteration
order in crypto_start_tests() to restore the original testing order.
I'm thinking we should do that too, since the original order seems more
natural, but it shouldn't be relied on for correctness.
Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-08 19:31:16 -07:00
len = strscpy ( name , cipher_name + 4 , sizeof ( name ) ) ;
2023-06-20 20:08:32 +00:00
if ( len < 2 )
2020-02-25 20:59:24 -08:00
goto err_free_inst ;
2007-09-19 20:23:13 +08:00
crypto: xts - use 'spawn' for underlying single-block cipher
Since commit adad556efcdd ("crypto: api - Fix built-in testing
dependency failures"), the following warning appears when booting an
x86_64 kernel that is configured with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
This is caused by an issue in the xts template where it allocates an
"aes" single-block cipher without declaring a dependency on it via the
crypto_spawn mechanism. This issue was exposed by the above commit
because it reversed the order that the algorithms are tested in.
Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
during the comparison tests for "xts-aes-aesni", the "xts" template
allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
bit weird, but it's apparently intended.) Due to the above-mentioned
commit, the testing of "aes-aesni", and the finalization of its
registration, now happens at this point instead of before. At the end
of that, crypto_remove_spawns() unregisters all algorithm instances that
depend on a lower-priority "aes" implementation such as "aes-generic"
but that do not depend on "aes-aesni". However, because "xts" does not
use the crypto_spawn mechanism for its "aes", its dependency on
"aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
Fix this issue by making the "xts" template use the crypto_spawn
mechanism for its "aes" dependency, like what other templates do.
Note, this fix could be applied as far back as commit f1c131b45410
("crypto: xts - Convert to skcipher"). However, the issue only got
exposed by the much more recent changes to how the crypto API runs the
self-tests, so there should be no need to backport this to very old
kernels. Also, an alternative fix would be to flip the list iteration
order in crypto_start_tests() to restore the original testing order.
I'm thinking we should do that too, since the original order seems more
natural, but it shouldn't be relied on for correctness.
Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-08 19:31:16 -07:00
if ( name [ len - 1 ] ! = ' ) ' )
2020-02-25 20:59:24 -08:00
goto err_free_inst ;
2007-09-19 20:23:13 +08:00
crypto: xts - use 'spawn' for underlying single-block cipher
Since commit adad556efcdd ("crypto: api - Fix built-in testing
dependency failures"), the following warning appears when booting an
x86_64 kernel that is configured with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
This is caused by an issue in the xts template where it allocates an
"aes" single-block cipher without declaring a dependency on it via the
crypto_spawn mechanism. This issue was exposed by the above commit
because it reversed the order that the algorithms are tested in.
Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
during the comparison tests for "xts-aes-aesni", the "xts" template
allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
bit weird, but it's apparently intended.) Due to the above-mentioned
commit, the testing of "aes-aesni", and the finalization of its
registration, now happens at this point instead of before. At the end
of that, crypto_remove_spawns() unregisters all algorithm instances that
depend on a lower-priority "aes" implementation such as "aes-generic"
but that do not depend on "aes-aesni". However, because "xts" does not
use the crypto_spawn mechanism for its "aes", its dependency on
"aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
Fix this issue by making the "xts" template use the crypto_spawn
mechanism for its "aes" dependency, like what other templates do.
Note, this fix could be applied as far back as commit f1c131b45410
("crypto: xts - Convert to skcipher"). However, the issue only got
exposed by the much more recent changes to how the crypto API runs the
self-tests, so there should be no need to backport this to very old
kernels. Also, an alternative fix would be to flip the list iteration
order in crypto_start_tests() to restore the original testing order.
I'm thinking we should do that too, since the original order seems more
natural, but it shouldn't be relied on for correctness.
Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-08 19:31:16 -07:00
name [ len - 1 ] = 0 ;
2007-09-19 20:23:13 +08:00
2016-11-22 20:08:19 +08:00
if ( snprintf ( inst - > alg . base . cra_name , CRYPTO_MAX_ALG_NAME ,
crypto: xts - use 'spawn' for underlying single-block cipher
Since commit adad556efcdd ("crypto: api - Fix built-in testing
dependency failures"), the following warning appears when booting an
x86_64 kernel that is configured with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
This is caused by an issue in the xts template where it allocates an
"aes" single-block cipher without declaring a dependency on it via the
crypto_spawn mechanism. This issue was exposed by the above commit
because it reversed the order that the algorithms are tested in.
Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
during the comparison tests for "xts-aes-aesni", the "xts" template
allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
bit weird, but it's apparently intended.) Due to the above-mentioned
commit, the testing of "aes-aesni", and the finalization of its
registration, now happens at this point instead of before. At the end
of that, crypto_remove_spawns() unregisters all algorithm instances that
depend on a lower-priority "aes" implementation such as "aes-generic"
but that do not depend on "aes-aesni". However, because "xts" does not
use the crypto_spawn mechanism for its "aes", its dependency on
"aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
Fix this issue by making the "xts" template use the crypto_spawn
mechanism for its "aes" dependency, like what other templates do.
Note, this fix could be applied as far back as commit f1c131b45410
("crypto: xts - Convert to skcipher"). However, the issue only got
exposed by the much more recent changes to how the crypto API runs the
self-tests, so there should be no need to backport this to very old
kernels. Also, an alternative fix would be to flip the list iteration
order in crypto_start_tests() to restore the original testing order.
I'm thinking we should do that too, since the original order seems more
natural, but it shouldn't be relied on for correctness.
Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-08 19:31:16 -07:00
" xts(%s) " , name ) > = CRYPTO_MAX_ALG_NAME ) {
2017-09-26 08:17:44 +02:00
err = - ENAMETOOLONG ;
2020-02-25 20:59:24 -08:00
goto err_free_inst ;
2017-09-26 08:17:44 +02:00
}
2016-11-22 20:08:19 +08:00
} else
2020-02-25 20:59:24 -08:00
goto err_free_inst ;
2007-09-19 20:23:13 +08:00
crypto: xts - use 'spawn' for underlying single-block cipher
Since commit adad556efcdd ("crypto: api - Fix built-in testing
dependency failures"), the following warning appears when booting an
x86_64 kernel that is configured with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
This is caused by an issue in the xts template where it allocates an
"aes" single-block cipher without declaring a dependency on it via the
crypto_spawn mechanism. This issue was exposed by the above commit
because it reversed the order that the algorithms are tested in.
Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
during the comparison tests for "xts-aes-aesni", the "xts" template
allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
bit weird, but it's apparently intended.) Due to the above-mentioned
commit, the testing of "aes-aesni", and the finalization of its
registration, now happens at this point instead of before. At the end
of that, crypto_remove_spawns() unregisters all algorithm instances that
depend on a lower-priority "aes" implementation such as "aes-generic"
but that do not depend on "aes-aesni". However, because "xts" does not
use the crypto_spawn mechanism for its "aes", its dependency on
"aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
Fix this issue by making the "xts" template use the crypto_spawn
mechanism for its "aes" dependency, like what other templates do.
Note, this fix could be applied as far back as commit f1c131b45410
("crypto: xts - Convert to skcipher"). However, the issue only got
exposed by the much more recent changes to how the crypto API runs the
self-tests, so there should be no need to backport this to very old
kernels. Also, an alternative fix would be to flip the list iteration
order in crypto_start_tests() to restore the original testing order.
I'm thinking we should do that too, since the original order seems more
natural, but it shouldn't be relied on for correctness.
Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-10-08 19:31:16 -07:00
err = crypto_grab_cipher ( & ctx - > tweak_spawn ,
skcipher_crypto_instance ( inst ) , name , 0 , mask ) ;
if ( err )
goto err_free_inst ;
2016-11-22 20:08:19 +08:00
inst - > alg . base . cra_priority = alg - > base . cra_priority ;
inst - > alg . base . cra_blocksize = XTS_BLOCK_SIZE ;
inst - > alg . base . cra_alignmask = alg - > base . cra_alignmask |
( __alignof__ ( u64 ) - 1 ) ;
inst - > alg . ivsize = XTS_BLOCK_SIZE ;
2023-10-03 11:43:32 +08:00
inst - > alg . min_keysize = alg - > min_keysize * 2 ;
inst - > alg . max_keysize = alg - > max_keysize * 2 ;
2016-11-22 20:08:19 +08:00
2020-07-10 20:34:28 -07:00
inst - > alg . base . cra_ctxsize = sizeof ( struct xts_tfm_ctx ) ;
2016-11-22 20:08:19 +08:00
2020-07-10 20:34:28 -07:00
inst - > alg . init = xts_init_tfm ;
inst - > alg . exit = xts_exit_tfm ;
2016-11-22 20:08:19 +08:00
2020-07-10 20:34:28 -07:00
inst - > alg . setkey = xts_setkey ;
inst - > alg . encrypt = xts_encrypt ;
inst - > alg . decrypt = xts_decrypt ;
2016-11-22 20:08:19 +08:00
2020-07-10 20:34:28 -07:00
inst - > free = xts_free_instance ;
2016-11-22 20:08:19 +08:00
err = skcipher_register_instance ( tmpl , inst ) ;
2020-02-25 20:59:24 -08:00
if ( err ) {
2016-11-22 20:08:19 +08:00
err_free_inst :
2020-07-10 20:34:28 -07:00
xts_free_instance ( inst ) ;
2020-02-25 20:59:24 -08:00
}
return err ;
2007-09-19 20:23:13 +08:00
}
2020-07-10 20:34:28 -07:00
static struct crypto_template xts_tmpl = {
2007-09-19 20:23:13 +08:00
. name = " xts " ,
2020-07-10 20:34:28 -07:00
. create = xts_create ,
2007-09-19 20:23:13 +08:00
. module = THIS_MODULE ,
} ;
2020-07-10 20:34:28 -07:00
static int __init xts_module_init ( void )
2007-09-19 20:23:13 +08:00
{
2020-07-10 20:34:28 -07:00
return crypto_register_template ( & xts_tmpl ) ;
2007-09-19 20:23:13 +08:00
}
2020-07-10 20:34:28 -07:00
static void __exit xts_module_exit ( void )
2007-09-19 20:23:13 +08:00
{
2020-07-10 20:34:28 -07:00
crypto_unregister_template ( & xts_tmpl ) ;
2007-09-19 20:23:13 +08:00
}
2020-07-10 20:34:28 -07:00
subsys_initcall ( xts_module_init ) ;
module_exit ( xts_module_exit ) ;
2007-09-19 20:23:13 +08:00
MODULE_LICENSE ( " GPL " ) ;
MODULE_DESCRIPTION ( " XTS block cipher mode " ) ;
2014-11-24 16:32:38 -08:00
MODULE_ALIAS_CRYPTO ( " xts " ) ;
2020-12-11 13:27:15 +01:00
MODULE_IMPORT_NS ( CRYPTO_INTERNAL ) ;
2022-02-10 13:09:40 +11:00
MODULE_SOFTDEP ( " pre: ecb " ) ;