authorDaiki Ueno <ueno@gnu.org>2021-04-23 09:40:09 +0000
committerDaiki Ueno <ueno@gnu.org>2021-04-23 09:40:09 +0000
commitc1a3f1e3173d779af5d3f1d7e5c26d4bbf0fcad3 (patch)
treec7aa0f925f8f89c5e75c4ddc970bc9a69c9c9426
parentcb0f9fc4081dd6776a5c61daf3e6252943ef9b9d (diff)
parentc6af60677a9a7a6d245acd901fbe0a2e514eddd0 (diff)
Merge branch 'wip/dueno/afalg-fixes' into 'master'
afalg: minor follow-up fixes Closes #1209 and #1207 See merge request gnutls/gnutls!1414
-rw-r--r--NEWS4
-rw-r--r--lib/accelerated/Makefile.am3
-rw-r--r--lib/accelerated/afalg.c47
-rw-r--r--m4/hooks.m43
4 files changed, 35 insertions, 22 deletions
diff --git a/NEWS b/NEWS
index b3590a316a..8b3538d05d 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,10 @@ See the end for copying conditions.
** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
to disable TLS 1.3 middlebox compatibility mode
+** libgnutls: The Linux kernel AF_ALG based acceleration has been added.
+ This can be enabled with --enable-afalg configure option, when libkcapi
+ package is installed (#308).
+
* Version 3.7.1 (released 2021-03-10)
** libgnutls: Fixed potential use-after-free in sending "key_share"
diff --git a/lib/accelerated/Makefile.am b/lib/accelerated/Makefile.am
index 69d05960e9..a7f8e5a732 100644
--- a/lib/accelerated/Makefile.am
+++ b/lib/accelerated/Makefile.am
@@ -62,5 +62,6 @@ AM_CFLAGS += -DASM_X86_64
endif
if ENABLE_AFALG
-libaccelerated_la_LDFLAGS = -lkcapi
+AM_CPPFLAGS += $(LIBKCAPI_CFLAGS)
+libaccelerated_la_LIBADD += $(LIBKCAPI_LIBS)
endif
diff --git a/lib/accelerated/afalg.c b/lib/accelerated/afalg.c
index fe72f8f344..12d4df7a5d 100644
--- a/lib/accelerated/afalg.c
+++ b/lib/accelerated/afalg.c
@@ -17,19 +17,19 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include "errors.h"
-#include "gnutls_int.h"
-#include <gnutls/crypto.h>
-#include "errors.h"
-#include <accelerated/afalg.h>
-#include "malloca.h"
+#include "config.h"
-#include <sys/uio.h>
+#include <accelerated/afalg.h>
#ifdef ENABLE_AFALG
+#include "errors.h"
+#include "gnutls_int.h"
+
+#include <gnutls/crypto.h>
#include <kcapi.h>
#include <limits.h>
+#include "malloca.h"
/************************ Symmetric cipher algorithms ************************/
@@ -49,12 +49,14 @@ static const char *gnutls_cipher_map[] = {
[GNUTLS_CIPHER_CAMELLIA_192_CBC] = "cbc(camellia)",
[GNUTLS_CIPHER_CAMELLIA_256_CBC] = "cbc(camellia)",
[GNUTLS_CIPHER_SALSA20_256] = "salsa20",
+ [GNUTLS_CIPHER_AES_128_XTS] = "xts(aes)",
+ [GNUTLS_CIPHER_AES_256_XTS] = "xts(aes)",
};
static int
afalg_cipher_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, int enc)
{
- struct kcapi_handle *handle = NULL;
+ struct kcapi_handle *handle;
struct kcapi_ctx *ctx;
if (kcapi_cipher_init(&handle, gnutls_cipher_map[algorithm], 0) < 0) {
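Review bot: Dropping the `= NULL` initializer on `handle` in afalg_cipher_init leaves the pointer indeterminate until kcapi_cipher_init() writes it, so every failure path has to return without touching it. That holds for the early return that starts on the last line of this hunk, but the same change is made in afalg_cipher_register, afalg_aead_init, afalg_aead_register, afalg_mac_init, afalg_mac_fast, afalg_mac_register, afalg_digest_init, afalg_digest_fast and afalg_digest_register, whose bodies continue outside their hunks. If any of those can reach a destroy call after a failed init, the initializer was what kept that harmless. I would either keep `struct kcapi_handle *handle = NULL;` or document the contract at each declaration, for example `/* valid only after kcapi_cipher_init() succeeds */`.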
@@ -62,8 +64,12 @@ afalg_cipher_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, int enc)
return GNUTLS_E_MEMORY_ERROR;
}
- ctx = (struct kcapi_ctx *)gnutls_calloc(1, sizeof(struct kcapi_ctx) +
- kcapi_cipher_ivsize(handle));
+ if (unlikely(kcapi_cipher_ivsize(handle) > MAX_CIPHER_IV_SIZE)) {
+ gnutls_assert();
+ return GNUTLS_E_INTERNAL_ERROR;
+ }
+
+ ctx = gnutls_malloc(sizeof(struct kcapi_ctx));
if (ctx == NULL) {
gnutls_assert();
kcapi_cipher_destroy(handle);
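Review bot: The new IV-size guard in afalg_cipher_init returns GNUTLS_E_INTERNAL_ERROR without releasing `handle`, which kcapi_cipher_init() has already set up by this point; the allocation-failure branch just below does call `kcapi_cipher_destroy(handle)`. Add the same call before the return, `kcapi_cipher_destroy(handle);`, so the rejected path does not leak the kernel crypto handle. Bounding the kernel-reported IV size against MAX_CIPHER_IV_SIZE before allocating is the right check, presumably because the context now carries a fixed-size IV buffer; the struct definition and the rest of the function are outside this hunk, so a one-line comment stating that reason would help.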
@@ -192,7 +198,7 @@ static int afalg_cipher_register(void)
for (i = 0;
i < sizeof(gnutls_cipher_map) / sizeof(gnutls_cipher_map[0]);
i++) {
- struct kcapi_handle *handle = NULL;
+ struct kcapi_handle *handle;
if (gnutls_cipher_map[i] == 0)
continue;
@@ -245,7 +251,7 @@ static void afalg_aead_deinit(void *_ctx)
static int
afalg_aead_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, int enc)
{
- struct kcapi_handle *handle = NULL;
+ struct kcapi_handle *handle;
struct kcapi_aead_ctx *ctx;
if (kcapi_aead_init(&handle, gnutls_aead_map[algorithm], 0) < 0) {
@@ -253,8 +259,7 @@ afalg_aead_init(gnutls_cipher_algorithm_t algorithm, void **_ctx, int enc)
return GNUTLS_E_MEMORY_ERROR;
}
- ctx = (struct kcapi_aead_ctx *)gnutls_calloc(1,
- sizeof(struct kcapi_aead_ctx));
+ ctx = gnutls_malloc(sizeof(struct kcapi_aead_ctx));
if (ctx == NULL) {
gnutls_assert();
kcapi_aead_destroy(handle);
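Review bot: Replacing `gnutls_calloc` with `gnutls_malloc` for `struct kcapi_aead_ctx` means the context starts with indeterminate contents, and the assignments that follow are outside this hunk, so it cannot be confirmed here that every field is written before it is first read. The same switch is made for `struct kcapi_ctx` in the afalg_cipher_init hunk above. For a context that likely holds IV or tag state, I would keep the zeroing allocation, `ctx = gnutls_calloc(1, sizeof(*ctx));`, or add a comment naming the fields the init code sets and why the rest may stay uninitialized.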
@@ -527,7 +532,7 @@ static int afalg_aead_register(void)
for (i = 0;
i < sizeof(gnutls_aead_map) / sizeof(gnutls_aead_map[0]);
i++) {
- struct kcapi_handle *handle = NULL;
+ struct kcapi_handle *handle;
if (gnutls_aead_map[i] == 0)
continue;
@@ -563,7 +568,7 @@ static const char *gnutls_mac_map[] = {
static int afalg_mac_init(gnutls_mac_algorithm_t algorithm, void **ctx)
{
- struct kcapi_handle *handle = NULL;
+ struct kcapi_handle *handle;
if (kcapi_md_init(&handle, gnutls_mac_map[algorithm], 0) < 0) {
gnutls_assert();
@@ -632,7 +637,7 @@ static int afalg_mac_fast(gnutls_mac_algorithm_t algorithm, const void *nonce,
size_t nonce_size, const void *key, size_t keysize,
const void *text, size_t textsize, void *digest)
{
- struct kcapi_handle *handle = NULL;
+ struct kcapi_handle *handle;
int ret = GNUTLS_E_ENCRYPTION_FAILED;
if (kcapi_md_init(&handle, gnutls_mac_map[algorithm], 0) < 0) {
@@ -689,7 +694,7 @@ static int afalg_mac_register(void)
for (i = 0;
i < sizeof(gnutls_mac_map) / sizeof(gnutls_mac_map[0]);
i++) {
- struct kcapi_handle *handle = NULL;
+ struct kcapi_handle *handle;
if (gnutls_mac_map[i] == 0)
continue;
@@ -725,7 +730,7 @@ static const char *gnutls_digest_map[] = {
static int afalg_digest_init(gnutls_digest_algorithm_t algorithm, void **ctx)
{
- struct kcapi_handle *handle = NULL;
+ struct kcapi_handle *handle;
if (kcapi_md_init(&handle, gnutls_digest_map[algorithm], 0) < 0) {
gnutls_assert();
@@ -740,7 +745,7 @@ static int afalg_digest_init(gnutls_digest_algorithm_t algorithm, void **ctx)
static int afalg_digest_fast(gnutls_digest_algorithm_t algorithm,
const void *text, size_t textsize, void *digest)
{
- struct kcapi_handle *handle = NULL;
+ struct kcapi_handle *handle;
int ret = GNUTLS_E_ENCRYPTION_FAILED;
if (kcapi_md_init(&handle, gnutls_digest_map[algorithm], 0) < 0) {
@@ -791,7 +796,7 @@ static int afalg_digest_register(void)
for (i = 0;
i < sizeof(gnutls_digest_map) / sizeof(gnutls_digest_map[0]);
i++) {
- struct kcapi_handle *handle = NULL;
+ struct kcapi_handle *handle;
if (gnutls_digest_map[i] == 0)
continue;
diff --git a/m4/hooks.m4 b/m4/hooks.m4
index c90a2c9209..5377a9d33b 100644
--- a/m4/hooks.m4
+++ b/m4/hooks.m4
@@ -352,6 +352,9 @@ LIBTASN1_MINIMUM=4.9
AC_MSG_RESULT($enable_afalg)
if test "$enable_afalg" = "yes"; then
+ PKG_CHECK_MODULES(LIBKCAPI, [libkcapi >= 1.2.1], [], [enable_afalg=no])
+ fi
+ if test "$enable_afalg" = "yes"; then
AC_DEFINE([ENABLE_AFALG], 1, [Enable AF_ALG support])
fi
AM_CONDITIONAL(ENABLE_AFALG, test "$enable_afalg" != "no")
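Review bot: When libkcapi is missing, the `PKG_CHECK_MODULES` fallback sets `enable_afalg=no` silently, and `AC_MSG_RESULT($enable_afalg)` has already printed the value before the check runs, so the configure output can read `yes` while AF_ALG support is compiled out. If the option was requested explicitly, failing is clearer: `[AC_MSG_ERROR([libkcapi >= 1.2.1 is required for --enable-afalg])]`, or at least an `AC_MSG_WARN`. Separately, `AC_DEFINE` is guarded by `= "yes"` while `AM_CONDITIONAL` tests `!= "no"`, so any other value would enable the Makefile branch without the define or the LIBKCAPI variables; testing `= "yes"` in both keeps them in step.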