diff options
author | Daiki Ueno <ueno@gnu.org> | 2021-04-23 09:40:09 +0000 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2021-04-23 09:40:09 +0000 |
commit | c1a3f1e3173d779af5d3f1d7e5c26d4bbf0fcad3 (patch) | |
tree | c7aa0f925f8f89c5e75c4ddc970bc9a69c9c9426 | |
parent | cb0f9fc4081dd6776a5c61daf3e6252943ef9b9d (diff) | |
parent | c6af60677a9a7a6d245acd901fbe0a2e514eddd0 (diff) | |
download | gnutls-c1a3f1e3173d779af5d3f1d7e5c26d4bbf0fcad3.tar.gz |
Merge branch 'wip/dueno/afalg-fixes' into 'master'
afalg: minor follow-up fixes
Closes #1209 and #1207
See merge request gnutls/gnutls!1414
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | lib/accelerated/Makefile.am | 3 | ||||
-rw-r--r-- | lib/accelerated/afalg.c | 47 | ||||
-rw-r--r-- | m4/hooks.m4 | 3 |
4 files changed, 35 insertions, 22 deletions
@@ -10,6 +10,10 @@ See the end for copying conditions. ** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added to disable TLS 1.3 middlebox compatibility mode +** libgnutls: The Linux kernel AF_ALG based acceleration has been added. + This can be enabled with --enable-afalg configure option, when libkcapi + package is installed (#308). + * Version 3.7.1 (released 2021-03-10) ** libgnutls: Fixed potential use-after-free in sending "key_share" diff --git a/lib/accelerated/Makefile.am b/lib/accelerated/Makefile.am index 69d05960e9..a7f8e5a732 100644 --- a/lib/accelerated/Makefile.am +++ b/lib/accelerated/Makefile.am @@ -62,5 +62,6 @@ AM_CFLAGS += -DASM_X86_64 endif if ENABLE_AFALG -libaccelerated_la_LDFLAGS = -lkcapi +AM_CPPFLAGS += $(LIBKCAPI_CFLAGS) +libaccelerated_la_LIBADD += $(LIBKCAPI_LIBS) endif diff --git a/lib/accelerated/afalg.c b/lib/accelerated/afalg.c index fe72f8f344..12d4df7a5d 100644 --- a/lib/accelerated/afalg.c +++ b/lib/accelerated/afalg.c @@ -17,19 +17,19 @@ * along with this program. If not, see <http://www.gnu.org/licenses/>. */ -#include "errors.h" -#include "gnutls_int.h" -#include <gnutls/crypto.h> -#include "errors.h" -#include <accelerated/afalg.h> -#include "malloca.h" +#include "config.h" -#include <sys/uio.h> +#include <accelerated/afalg.h> #ifdef ENABLE_AFALG +#include "errors.h" +#include "gnutls_int.h" + +#include <gnutls/crypto.h> #include <kcapi.h> #include <limits.h> +#include "malloca.h" /************************ Symmetric cipher algorithms ************************/ @@ -49,12 +49,14 @@ static const char *gnutls_cipher_map[] = { [GNUTLS_CIPHER_CAMELLIA_192_CBC] = "cbc(camellia)", [GNUTLS_CIPHER_CAMELLIA_256_CBC] = "cbc(camellia)", [GNUTLS_CIPHER_SALSA20_256] = "salsa20", + [GNUTLS_CIPHER_AES_128_XTS] = "xts(aes)", + [GNUTLS_CIPHER_AES_256_XTS] = "xts(aes)", }; static int afalg_cipher_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, int enc) { - struct kcapi_handle *handle = NULL; + struct kcapi_handle *handle; struct kcapi_ctx *ctx; if (kcapi_cipher_init(&handle, gnutls_cipher_map[algorithm], 0) < 0) { @@ -62,8 +64,12 @@ afalg_cipher_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, int enc) return GNUTLS_E_MEMORY_ERROR; } - ctx = (struct kcapi_ctx *)gnutls_calloc(1, sizeof(struct kcapi_ctx) + - kcapi_cipher_ivsize(handle)); + if (unlikely(kcapi_cipher_ivsize(handle) > MAX_CIPHER_IV_SIZE)) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + ctx = gnutls_malloc(sizeof(struct kcapi_ctx)); if (ctx == NULL) { gnutls_assert(); kcapi_cipher_destroy(handle); @@ -192,7 +198,7 @@ static int afalg_cipher_register(void) for (i = 0; i < sizeof(gnutls_cipher_map) / sizeof(gnutls_cipher_map[0]); i++) { - struct kcapi_handle *handle = NULL; + struct kcapi_handle *handle; if (gnutls_cipher_map[i] == 0) continue; @@ -245,7 +251,7 @@ static void afalg_aead_deinit(void *_ctx) static int afalg_aead_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, int enc) { - struct kcapi_handle *handle = NULL; + struct kcapi_handle *handle; struct kcapi_aead_ctx *ctx; if (kcapi_aead_init(&handle, gnutls_aead_map[algorithm], 0) < 0) { @@ -253,8 +259,7 @@ afalg_aead_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, int enc) return GNUTLS_E_MEMORY_ERROR; } - ctx = (struct kcapi_aead_ctx *)gnutls_calloc(1, - sizeof(struct kcapi_aead_ctx)); + ctx = gnutls_malloc(sizeof(struct kcapi_aead_ctx)); if (ctx == NULL) { gnutls_assert(); kcapi_aead_destroy(handle); @@ -527,7 +532,7 @@ static int afalg_aead_register(void) for (i = 0; i < sizeof(gnutls_aead_map) / sizeof(gnutls_aead_map[0]); i++) { - struct kcapi_handle *handle = NULL; + struct kcapi_handle *handle; if (gnutls_aead_map[i] == 0) continue; @@ -563,7 +568,7 @@ static const char *gnutls_mac_map[] = { static int afalg_mac_init(gnutls_mac_algorithm_t algorithm, void **ctx) { - struct kcapi_handle *handle = NULL; + struct kcapi_handle *handle; if (kcapi_md_init(&handle, gnutls_mac_map[algorithm], 0) < 0) { gnutls_assert(); @@ -632,7 +637,7 @@ static int afalg_mac_fast(gnutls_mac_algorithm_t algorithm, const void *nonce, size_t nonce_size, const void *key, size_t keysize, const void *text, size_t textsize, void *digest) { - struct kcapi_handle *handle = NULL; + struct kcapi_handle *handle; int ret = GNUTLS_E_ENCRYPTION_FAILED; if (kcapi_md_init(&handle, gnutls_mac_map[algorithm], 0) < 0) { @@ -689,7 +694,7 @@ static int afalg_mac_register(void) for (i = 0; i < sizeof(gnutls_mac_map) / sizeof(gnutls_mac_map[0]); i++) { - struct kcapi_handle *handle = NULL; + struct kcapi_handle *handle; if (gnutls_mac_map[i] == 0) continue; @@ -725,7 +730,7 @@ static const char *gnutls_digest_map[] = { static int afalg_digest_init(gnutls_digest_algorithm_t algorithm, void **ctx) { - struct kcapi_handle *handle = NULL; + struct kcapi_handle *handle; if (kcapi_md_init(&handle, gnutls_digest_map[algorithm], 0) < 0) { gnutls_assert(); @@ -740,7 +745,7 @@ static int afalg_digest_init(gnutls_digest_algorithm_t algorithm, void **ctx) static int afalg_digest_fast(gnutls_digest_algorithm_t algorithm, const void *text, size_t textsize, void *digest) { - struct kcapi_handle *handle = NULL; + struct kcapi_handle *handle; int ret = GNUTLS_E_ENCRYPTION_FAILED; if (kcapi_md_init(&handle, gnutls_digest_map[algorithm], 0) < 0) { @@ -791,7 +796,7 @@ static int afalg_digest_register(void) for (i = 0; i < sizeof(gnutls_digest_map) / sizeof(gnutls_digest_map[0]); i++) { - struct kcapi_handle *handle = NULL; + struct kcapi_handle *handle; if (gnutls_digest_map[i] == 0) continue; diff --git a/m4/hooks.m4 b/m4/hooks.m4 index c90a2c9209..5377a9d33b 100644 --- a/m4/hooks.m4 +++ b/m4/hooks.m4 @@ -352,6 +352,9 @@ LIBTASN1_MINIMUM=4.9 AC_MSG_RESULT($enable_afalg) if test "$enable_afalg" = "yes"; then + PKG_CHECK_MODULES(LIBKCAPI, [libkcapi >= 1.2.1], [], [enable_afalg=no]) + fi + if test "$enable_afalg" = "yes"; then AC_DEFINE([ENABLE_AFALG], 1, [Enable AF_ALG support]) fi AM_CONDITIONAL(ENABLE_AFALG, test "$enable_afalg" != "no") |