24 Nov, 2013
1 commit
-
Pull crypto update from Herbert Xu:
- Made x86 ablk_helper generic for ARM
- Phase out chainiv in favour of eseqiv (affects IPsec)
- Fixed aes-cbc IV corruption on s390
- Added constant-time crypto_memneq which replaces memcmp
- Fixed aes-ctr in omap-aes
- Added OMAP3 ROM RNG support
- Add PRNG support for MSM SoC's
- Add and use Job Ring API in caam
- Misc fixes

[ NOTE! This pull request was sent within the merge window, but Herbert
has some questionable email sending setup that makes him public enemy
#1 as far as gmail is concerned. So most of his emails seem to be
trapped by gmail as spam, resulting in me not seeing them. - Linus ]

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (49 commits)
crypto: s390 - Fix aes-cbc IV corruption
crypto: omap-aes - Fix CTR mode counter length
crypto: omap-sham - Add missing modalias
padata: make the sequence counter an atomic_t
crypto: caam - Modify the interface layers to use JR API's
crypto: caam - Add API's to allocate/free Job Rings
crypto: caam - Add Platform driver for Job Ring
hwrng: msm - Add PRNG support for MSM SoC's
ARM: DT: msm: Add Qualcomm's PRNG driver binding document
crypto: skcipher - Use eseqiv even on UP machines
crypto: talitos - Simplify key parsing
crypto: picoxcell - Simplify and harden key parsing
crypto: ixp4xx - Simplify and harden key parsing
crypto: authencesn - Simplify key parsing
crypto: authenc - Export key parsing helper function
crypto: mv_cesa: remove deprecated IRQF_DISABLED
hwrng: OMAP3 ROM Random Number Generator support
crypto: sha256_ssse3 - also test for BMI2
crypto: mv_cesa - Remove redundant of_match_ptr
crypto: sahara - Remove redundant of_match_ptr
...
26 Oct, 2013
2 commits
-
This patch makes use of the newly defined common hash algorithm info,
replacing, for example, PKEY_HASH with HASH_ALGO.

Changelog:
- Lindent fixes - Mimi

CC: David Howells
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
-
This patch provides a single place for information about hash algorithms,
such as hash sizes and kernel driver names, which will be used by IMA
and the public key code.

Changelog:
- Fix sparse and checkpatch warnings
- Move hash algo enums to uapi for userspace signing functions.

Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
Acked-by: Herbert Xu
16 Oct, 2013
1 commit
-
AEAD key parsing is duplicated to multiple places in the kernel. Add a
common helper function to consolidate that functionality.

Cc: Herbert Xu
Cc: "David S. Miller"
Signed-off-by: Mathias Krause
Signed-off-by: Herbert Xu
07 Oct, 2013
1 commit
-
When comparing MAC hashes, AEAD authentication tags, or other hash
values in the context of authentication or integrity checking, it
is important not to leak timing information to a potential attacker,
i.e. when communication happens over a network.

Bytewise memory comparisons (such as memcmp) are usually optimized so
that they return a nonzero value as soon as a mismatch is found. E.g.,
on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
and up to ~850 cyc for a full match (cold). This early-return behavior
can leak timing information as a side channel, allowing an attacker to
iteratively guess the correct result.

This patch adds a new method crypto_memneq ("memory not equal to each
other") to the crypto API that compares memory areas of the same length
in roughly "constant time" (cache misses could change the timing, but
since they don't reveal information about the content of the strings
being compared, they are effectively benign). Iow, best and worst case
behaviour take the same amount of time to complete (in contrast to
memcmp).

Note that crypto_memneq (unlike memcmp) can only be used to test for
equality or inequality, NOT for lexicographical order. This, however,
is not an issue for its use-cases within the crypto API.

We tried to locate all of the places in the crypto API where memcmp was
being used for authentication or integrity checking, and convert them
over to crypto_memneq.

crypto_memneq is declared noinline, placed in its own source file,
and compiled with optimizations that might increase code size disabled
("Os") because a smart compiler (or LTO) might notice that the return
value is always compared against zero/nonzero, and might then
reintroduce the same early-return optimization that we are trying to
avoid.

Using #pragma or __attribute__ optimization annotations of the code
for disabling optimization was avoided as it seems to be considered
broken or unmaintained for a long time in GCC [1]. Therefore, we work
around that by specifying the compile flag for memneq.o directly in
the Makefile. We found that this seems to be most appropriate.

As we use ("Os"), this patch also provides a loop-free "fast-path" for
frequently used 16 byte digests. Similarly to kernel library string
functions, leave an option for future even further optimized architecture
specific assembler implementations.

This was a joint work of James Yonan and Daniel Borkmann. Also thanks
for feedback from Florian Weimer on this and earlier proposals [2].

[1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
[2] https://lkml.org/lkml/2013/2/10/131

Signed-off-by: James Yonan
Signed-off-by: Daniel Borkmann
Cc: Florian Weimer
Signed-off-by: Herbert Xu
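An added illustration of the crypto_memneq idea, written for this page and not taken from the kernel tree: a userspace C rendering of the accumulate-then-compare pattern with the 16-byte fast path the message mentions, an inline-asm barrier standing in for the kernel's separate -Os object (the HIDE_FROM_OPTIMIZER macro, the ct_memneq/tag_verify names and the sample tags are this example's own choices), and an instrumented early-exit comparison that reports how many bytes it inspected before returning, which is exactly the quantity a timing side channel exposes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Stops the compiler from reasoning about the accumulator and turning the
 * "OR everything, decide at the end" loop back into an early exit. This is a
 * GCC/Clang inline-asm barrier chosen for this example; the kernel instead
 * builds memneq.o as a separate noinline object with -Os.
 */
#define HIDE_FROM_OPTIMIZER(v) __asm__ volatile("" : "+r"(v))

/* Generic path: XOR every byte pair, OR into one word, no data-dependent exit. */
static unsigned long ct_memneq_generic(const void *a, const void *b, size_t len)
{
    const unsigned char *pa = a, *pb = b;
    unsigned long neq = 0;

    while (len--) {
        neq |= (unsigned long)(*pa++ ^ *pb++);
        HIDE_FROM_OPTIMIZER(neq);
    }
    return neq;
}

/* Loop-free fast path for 16-byte tags (a 128-bit MAC): two 64-bit words. */
static unsigned long ct_memneq_16(const void *a, const void *b)
{
    const unsigned char *pa = a, *pb = b;
    uint64_t a0, a1, b0, b1, d;
    unsigned long neq;

    memcpy(&a0, pa, 8);
    memcpy(&a1, pa + 8, 8);
    memcpy(&b0, pb, 8);
    memcpy(&b1, pb + 8, 8);
    d = (a0 ^ b0) | (a1 ^ b1);
    /* Fold the high half in so a 32-bit unsigned long cannot drop a difference. */
    neq = (unsigned long)d | (unsigned long)(d >> 32);
    HIDE_FROM_OPTIMIZER(neq);
    return neq;
}

/* 0 when the regions are equal, nonzero otherwise; equality only, never ordering. */
unsigned long ct_memneq(const void *a, const void *b, size_t len)
{
    if (len == 16)
        return ct_memneq_16(a, b);
    return ct_memneq_generic(a, b, len);
}

/* The shape a MAC/AEAD tag check should take: 1 = accept, 0 = reject. */
int tag_verify(const unsigned char *computed, const unsigned char *received, size_t taglen)
{
    return ct_memneq(computed, received, taglen) == 0;
}

/*
 * Shows the leak instead of measuring it: an early-exit compare in the style
 * of an optimized memcmp, instrumented to report how many bytes it examined
 * before returning. That count is the side channel; against a real memcmp the
 * attacker reads it from the clock and extends the matching prefix one byte
 * at a time.
 */
size_t early_exit_bytes_examined(const unsigned char *a, const unsigned char *b, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++)
        if (a[i] != b[i])
            return i + 1;   /* stops at the first mismatch */
    return len;
}

int main(void)
{
    /* Constructed sample: a genuine 16-byte tag and a forgery sharing a 5-byte prefix. */
    unsigned char tag[16], forged[16];

    memcpy(tag, "0123456789abcdef", 16);
    memcpy(forged, "01234XXXXXXXXXXX", 16);

    printf("early-exit compare examined %zu of 16 bytes (prefix length leaks)\n",
           early_exit_bytes_examined(tag, forged, 16));
    printf("ct_memneq: forged tag %s, genuine tag %s\n",
           tag_verify(tag, forged, 16) ? "accepted" : "rejected",
           tag_verify(tag, tag, 16) ? "accepted" : "rejected");
    return 0;
}
```

The caller must always pass equal-length buffers, as with crypto_memneq; a length check done before the comparison does not weaken anything, because the tag length is public.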
26 Sep, 2013
2 commits
-
Store public key algorithm ID in public_key_signature struct for reference
purposes. This allows a public_key_signature struct to be embedded in
struct x509_certificate and other places more easily.

Signed-off-by: David Howells
Reviewed-by: Kees Cook
Reviewed-by: Josh Boyer
-
Store public key algo ID in public_key struct for reference purposes. This
allows it to be removed from the x509_certificate struct and used to find a
default in public_key_verify_signature().

Signed-off-by: David Howells
Reviewed-by: Kees Cook
Reviewed-by: Josh Boyer
25 Sep, 2013
2 commits
-
Move the public-key algorithm pointer array from x509_public_key.c to
public_key.c as it isn't X.509 specific.

Note that to make this configure correctly, the public key part must be
dependent on the RSA module rather than the other way round. This needs a
further patch to make use of the crypto module loading stuff rather than using
a fixed table.

Signed-off-by: David Howells
Reviewed-by: Kees Cook
Reviewed-by: Josh Boyer
-
Rename the arrays of public key parameters (public key algorithm names, hash
algorithm names and ID type names) so that the array name ends in "_name".

Signed-off-by: David Howells
Reviewed-by: Kees Cook
Reviewed-by: Josh Boyer
24 Sep, 2013
1 commit
-
Create a generic version of ablk_helper so it can be reused
by other architectures.

Acked-by: Jussi Kivilinna
Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
21 Aug, 2013
1 commit
-
Crypto layer only passes nbytes to encrypt but in omap-aes driver we need to
know number of SG elements to pass to dmaengine slave API. We add function for
the same to scatterwalk library.

Signed-off-by: Joel Fernandes
Signed-off-by: Herbert Xu
25 Apr, 2013
1 commit
-
Other SHA512 routines may need to use the generic routine when
FPU is not available.

Signed-off-by: Tim Chen
Signed-off-by: Herbert Xu
03 Apr, 2013
1 commit
-
Other SHA256 routine may need to use the generic routine when
FPU is not available.

Signed-off-by: Tim Chen
Signed-off-by: Herbert Xu
06 Dec, 2012
1 commit
-
CAST5 and CAST6 both use same lookup tables, which can be moved shared module
'cast_common'.

Signed-off-by: Jussi Kivilinna
Acked-by: David S. Miller
Signed-off-by: Herbert Xu
15 Oct, 2012
2 commits
-
VMAC implementation, as it is, does not work with blocks that
are not multiples of 128-bytes. Furthermore, this is a problem
when using the implementation on scatterlists, even
when the complete plain text is 128-byte multiple, as the pieces
that get passed to vmac_update can be pretty much any size.

I also added test cases for unaligned blocks.
Signed-off-by: Salman Qazi
Signed-off-by: Herbert Xu
-
Pull module signing support from Rusty Russell:
"module signing is the highlight, but it's an all-over David Howells frenzy..."

Hmm "Magrathea: Glacier signing key". Somebody has been reading too much HHGTTG.
* 'modules-next' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux: (37 commits)
X.509: Fix indefinite length element skip error handling
X.509: Convert some printk calls to pr_devel
asymmetric keys: fix printk format warning
MODSIGN: Fix 32-bit overflow in X.509 certificate validity date checking
MODSIGN: Make mrproper should remove generated files.
MODSIGN: Use utf8 strings in signer's name in autogenerated X.509 certs
MODSIGN: Use the same digest for the autogen key sig as for the module sig
MODSIGN: Sign modules during the build process
MODSIGN: Provide a script for generating a key ID from an X.509 cert
MODSIGN: Implement module signature checking
MODSIGN: Provide module signing public keys to the kernel
MODSIGN: Automatically generate module signing keys if missing
MODSIGN: Provide Kconfig options
MODSIGN: Provide gitignore and make clean rules for extra files
MODSIGN: Add FIPS policy
module: signature checking hook
X.509: Add a crypto key parser for binary (DER) X.509 certificates
MPILIB: Provide a function to read raw data into an MPI
X.509: Add an ASN.1 decoder
X.509: Add simple ASN.1 grammar compiler
...
08 Oct, 2012
2 commits
-
Provide signature verification using an asymmetric-type key to indicate the
public key to be used.

The API is a single function that can be found in crypto/public_key.h:

    int verify_signature(const struct key *key,
                         const struct public_key_signature *sig)

The first argument is the appropriate key to be used and the second argument
is the parsed signature data:

    struct public_key_signature {
        u8 *digest;
        u16 digest_size;
        enum pkey_hash_algo pkey_hash_algo : 8;
        union {
            MPI mpi[2];
            struct {
                MPI s; /* m^d mod n */
            } rsa;
            struct {
                MPI r;
                MPI s;
            } dsa;
        };
    };

This should be filled in prior to calling the function. The hash algorithm
should already have been called and the hash finalised and the output should
be in a buffer pointed to by the 'digest' member.

Any extra data to be added to the hash by the hash format (eg. PGP) should
have been added by the caller prior to finalising the hash.

It is assumed that the signature is made up of a number of MPI values. If an
algorithm becomes available for which this is not the case, the above structure
will have to change.

It is also assumed that it will have been checked that the signature algorithm
matches the key algorithm.

Signed-off-by: David Howells
Signed-off-by: Rusty Russell
-
Add a subtype for supporting asymmetric public-key encryption algorithms such
as DSA (FIPS-186) and RSA (PKCS#1 / RFC1337).

Signed-off-by: David Howells
Signed-off-by: Rusty Russell
07 Sep, 2012
2 commits
-
Fix "symbol 'x' was not declared. Should it be static?" sparse warnings.
Signed-off-by: Jussi Kivilinna
Signed-off-by: Herbert Xu
-
Fix "symbol 'x' was not declared. Should it be static?" sparse warnings.
Signed-off-by: Jussi Kivilinna
Signed-off-by: Herbert Xu
01 Aug, 2012
3 commits
-
Rename cast6 module to cast6_generic to allow autoloading of optimized
implementations. Generic functions and s-boxes are exported to be able to use
them within optimized implementations.

Signed-off-by: Johannes Goetzfried
Signed-off-by: Herbert Xu
-
Rename cast5 module to cast5_generic to allow autoloading of optimized
implementations. Generic functions and s-boxes are exported to be able to use
them within optimized implementations.

Signed-off-by: Johannes Goetzfried
Signed-off-by: Herbert Xu
-
Add crypto_[un]register_shashes() to allow simplifying init/exit code of shash
crypto modules that register multiple algorithms.

Signed-off-by: Jussi Kivilinna
Signed-off-by: Herbert Xu
29 Mar, 2012
1 commit
-
We lookup algorithms with crypto_alg_mod_lookup() when instantiating via
crypto_add_alg(). However, algorithms that are wrapped by an IV generator
(e.g. aead or genicv type algorithms) need special care. The userspace
process hangs until it gets a timeout when we use crypto_alg_mod_lookup()
to lookup these algorithms. So export the lookup functions for these
algorithms and use them in crypto_add_alg().

Signed-off-by: Steffen Klassert
Signed-off-by: Herbert Xu
20 Mar, 2012
1 commit
-
Signed-off-by: Cong Wang
21 Nov, 2011
1 commit
-
Patch adds LRW support for serpent-sse2 by using lrw_crypt(). Patch has been
tested with tcrypt and automated filesystem tests.

Tcrypt benchmarks results (serpent-sse2/serpent_generic speed ratios):
Benchmark results with tcrypt:
Intel Celeron T1600 (x86_64) (fam:6, model:15, step:13):
size    lrw-enc  lrw-dec
16B     1.00x    0.96x
64B     1.01x    1.01x
256B    3.01x    2.97x
1024B   3.39x    3.33x
8192B   3.35x    3.33x

AMD Phenom II 1055T (x86_64) (fam:16, model:10):
size    lrw-enc  lrw-dec
16B     0.98x    1.03x
64B     1.01x    1.04x
256B    2.10x    2.14x
1024B   2.28x    2.33x
8192B   2.30x    2.33x

Intel Atom N270 (i586):
size    lrw-enc  lrw-dec
16B     0.97x    0.97x
64B     1.47x    1.50x
256B    1.72x    1.69x
1024B   1.88x    1.81x
8192B   1.84x    1.79x

Signed-off-by: Jussi Kivilinna
Signed-off-by: Herbert Xu
09 Nov, 2011
5 commits
-
We leak the crypto instance when we unregister an instance with
crypto_del_alg(). Therefore we introduce crypto_unregister_instance()
to unlink the crypto instance from the template's instances list and
to free the resources of the instance properly.

Signed-off-by: Steffen Klassert
Signed-off-by: Herbert Xu
-
Add xts_crypt() function that can be used by cipher implementations that can
benefit from parallelized cipher operations.

Signed-off-by: Jussi Kivilinna
Signed-off-by: Herbert Xu
-
Patch adds LRW support for twofish-x86_64-3way by using lrw_crypt(). Patch has
been tested with tcrypt and automated filesystem tests.

Tcrypt benchmarks results (twofish-3way/twofish-asm speed ratios):
Intel Celeron T1600 (fam:6, model:15, step:13):
size    lrw-enc  lrw-dec
16B     0.99x    1.00x
64B     1.17x    1.17x
256B    1.26x    1.27x
1024B   1.30x    1.31x
8192B   1.31x    1.32x

AMD Phenom II 1055T (fam:16, model:10):
size    lrw-enc  lrw-dec
16B     1.06x    1.01x
64B     1.08x    1.14x
256B    1.19x    1.20x
1024B   1.21x    1.22x
8192B   1.23x    1.24x

Signed-off-by: Jussi Kivilinna
Signed-off-by: Herbert Xu
-
Export gf128mul table initialization routines and add lrw_crypt() function
that can be used by cipher implementations that can benefit from parallelized
cipher operations.

Signed-off-by: Jussi Kivilinna
Signed-off-by: Herbert Xu
-
Serpent SSE2 assembler implementations only provide 4-way/8-way parallel
functions and need setkey and one-block encrypt/decrypt functions.

CC: Dag Arne Osvik
Signed-off-by: Jussi Kivilinna
Signed-off-by: Herbert Xu
21 Oct, 2011
1 commit
-
We add a report function pointer to struct crypto_type. This function
pointer is used from the crypto userspace configuration API to report
crypto algorithms to userspace.

Signed-off-by: Steffen Klassert
Signed-off-by: Herbert Xu
22 Sep, 2011
1 commit
-
Patch splits up the blowfish crypto routine into a common part (key setup)
which will be used by blowfish crypto modules (x86_64 assembly and generic-c).

Also fixes errors/warnings reported by checkpatch.
Signed-off-by: Jussi Kivilinna
Signed-off-by: Herbert Xu
16 Aug, 2011
1 commit
-
On Tue, Aug 16, 2011 at 03:22:34PM +1000, Stephen Rothwell wrote:
>
> After merging the final tree, today's linux-next build (powerpc
> allyesconfig) produced this warning:
>
> In file included from security/integrity/ima/../integrity.h:16:0,
> from security/integrity/ima/ima.h:27,
> from security/integrity/ima/ima_policy.c:20:
> include/crypto/sha.h:86:10: warning: 'struct shash_desc' declared inside parameter list
> include/crypto/sha.h:86:10: warning: its scope is only this definition or declaration, which is probably not what you want
>
> Introduced by commit 7c390170b493 ("crypto: sha1 - export sha1_update for
> reuse"). I guess you need to include crypto/hash.h in crypto/sha.h.

This patch fixes this by providing a declaration for struct shash_desc.
Reported-by: Stephen Rothwell
Signed-off-by: Herbert Xu
10 Aug, 2011
1 commit
-
Export the update function as crypto_sha1_update() to not have the need
to reimplement the same algorithm for each SHA-1 implementation. This
way the generic SHA-1 implementation can be used as fallback for other
implementations that fail to run under certain circumstances, like the
need for an FPU context while executing in IRQ context.

Signed-off-by: Mathias Krause
Signed-off-by: Herbert Xu
22 Jun, 2011
1 commit
-
Remove linux/mm.h inclusion from netdevice.h -- it's unused (I've checked manually).
To prevent mm.h inclusion via other channels also extract "enum dma_data_direction"
definition into separate header. This tiny piece is what gluing netdevice.h with mm.h
via "netdevice.h => dmaengine.h => dma-mapping.h => scatterlist.h => mm.h".
Removal of mm.h from scatterlist.h was tried and was found not feasible
on most archs, so the link was cutoff earlier.

Hope people are OK with tiny include file.
Note, that mm_types.h is still dragged in, but it is a separate story.
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
07 Jan, 2011
1 commit
-
This patch moves padlock.h from drivers/crypto into include/crypto
so that it may be used by the via-rng driver.

Signed-off-by: Herbert Xu
02 Dec, 2010
1 commit
-
A lot of crypto algorithms implement their own chaining function.
So add a generic one that can be used from all the algorithms that
need scatterlist chaining.

Signed-off-by: Steffen Klassert
Signed-off-by: Herbert Xu
19 Nov, 2010
1 commit
-
This patch creates the backbone of the user-space interface for
the Crypto API, through a new socket family AF_ALG.

Each session corresponds to one or more connections obtained from
that socket. The number depends on the number of inputs/outputs
of that particular type of operation. For most types there will
be a single connection/file descriptor that is used for both input
and output. AEAD is one of the few that require two inputs.

Each algorithm type will provide its own implementation that plugs
into af_alg. They're keyed using a string such as "skcipher" or
"hash".

IOW this patch only contains the boring bits that are required
to hold everything together.

Thanks to Miloslav Trmac for reviewing this and contributing
fixes and improvements.

Signed-off-by: Herbert Xu
Acked-by: David S. Miller
Tested-by: Martin Willi
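An added userspace example, not part of the original commit, showing the session model the message describes from the other side of the socket: bind a transform socket of type "hash" to an algorithm name, accept() to obtain the operation fd, write the message and read the digest back on that one fd. It assumes a Linux kernel with AF_ALG and sha256 available; struct sockaddr_alg_compat mirrors the layout of the UAPI struct sockaddr_alg so that <linux/if_alg.h> is not required, and af_alg_digest/af_alg_sha256_selftest are names chosen for this example. Where AF_ALG is unavailable (older kernel, seccomp sandbox) the self-test reports that rather than a wrong answer.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_ALG
#define AF_ALG 38       /* value fixed by the Linux UAPI */
#endif

/* Same layout as struct sockaddr_alg in <linux/if_alg.h> (88 bytes, no padding). */
struct sockaddr_alg_compat {
    uint16_t salg_family;
    uint8_t  salg_type[14];
    uint32_t salg_feat;
    uint32_t salg_mask;
    uint8_t  salg_name[64];
};

/*
 * One AF_ALG session: the transform socket is bound to a (type, name) pair and
 * accept() returns the operation fd. For "hash" that single fd carries both the
 * input message and the output digest. Returns 0 on success, -1 with errno set.
 */
int af_alg_digest(const char *alg_name, const void *msg, size_t msglen,
                  unsigned char *out, size_t outlen)
{
    struct sockaddr_alg_compat sa;
    int tfd, opfd = -1, rc = -1, saved_errno;
    ssize_t n;

    memset(&sa, 0, sizeof(sa));
    sa.salg_family = AF_ALG;
    strncpy((char *)sa.salg_type, "hash", sizeof(sa.salg_type) - 1);
    strncpy((char *)sa.salg_name, alg_name, sizeof(sa.salg_name) - 1);

    tfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (tfd < 0)
        return -1;
    if (bind(tfd, (const struct sockaddr *)&sa, sizeof(sa)) < 0)
        goto out;
    opfd = accept(tfd, NULL, 0);
    if (opfd < 0)
        goto out;

    /* A send without MSG_MORE finalises the hash; the read returns the digest. */
    n = send(opfd, msg, msglen, 0);
    if (n < 0 || (size_t)n != msglen)
        goto out;
    n = read(opfd, out, outlen);
    if (n >= 0 && (size_t)n == outlen)
        rc = 0;
out:
    saved_errno = errno;
    if (opfd >= 0)
        close(opfd);
    close(tfd);
    errno = saved_errno;
    return rc;
}

/*
 * Known-answer test: SHA-256("abc") as fixed by FIPS 180. Returns 1 when the
 * kernel produced the right digest, 0 when AF_ALG or sha256 is not usable on
 * this host, -1 on a wrong digest. memcmp is fine here: nothing is secret.
 */
int af_alg_sha256_selftest(void)
{
    static const unsigned char expected[32] = {
        0xba,0x78,0x16,0xbf,0x8f,0x01,0xcf,0xea,0x41,0x41,0x40,0xde,0x5d,0xae,0x22,0x23,
        0xb0,0x03,0x61,0xa3,0x96,0x17,0x7a,0x9c,0xb4,0x10,0xff,0x61,0xf2,0x00,0x15,0xad
    };
    unsigned char digest[32];

    if (af_alg_digest("sha256", "abc", 3, digest, sizeof(digest)) < 0)
        return 0;   /* EAFNOSUPPORT, EPERM under seccomp, ENOENT for a missing algorithm */
    return memcmp(digest, expected, sizeof(digest)) == 0 ? 1 : -1;
}

int main(void)
{
    int rc = af_alg_sha256_selftest();

    if (rc == 0)
        puts("AF_ALG not usable here (no kernel support or sandboxed)");
    else
        printf("AF_ALG sha256 known-answer test: %s\n", rc == 1 ? "PASS" : "FAIL");
    return rc < 0;
}
```

For a keyed algorithm such as "hmac(sha256)" the key is installed on the transform socket with setsockopt(SOL_ALG, ALG_SET_KEY, ...) before accept(); AEAD, as the message notes, needs a second connection because ciphertext and tag come back separately from the input.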
25 Oct, 2010
1 commit
-
* 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (39 commits)
Update broken web addresses in arch directory.
Update broken web addresses in the kernel.
Revert "drivers/usb: Remove unnecessary return's from void functions" for musb gadget
Revert "Fix typo: configuation => configuration" partially
ida: document IDA_BITMAP_LONGS calculation
ext2: fix a typo on comment in ext2/inode.c
drivers/scsi: Remove unnecessary casts of private_data
drivers/s390: Remove unnecessary casts of private_data
net/sunrpc/rpc_pipe.c: Remove unnecessary casts of private_data
drivers/infiniband: Remove unnecessary casts of private_data
drivers/gpu/drm: Remove unnecessary casts of private_data
kernel/pm_qos_params.c: Remove unnecessary casts of private_data
fs/ecryptfs: Remove unnecessary casts of private_data
fs/seq_file.c: Remove unnecessary casts of private_data
arm: uengine.c: remove C99 comments
arm: scoop.c: remove C99 comments
Fix typo configue => configure in comments
Fix typo: configuation => configuration
Fix typo interrest[ing|ed] => interest[ing|ed]
Fix various typos of valid in comments
...

Fix up trivial conflicts in:
drivers/char/ipmi/ipmi_si_intf.c
drivers/usb/gadget/rndis.c
net/irda/irnet/irnet_ppp.c