09 Jan, 2020

1 commit

  • The CRYPTO_TFM_RES_BAD_KEY_LEN flag was apparently meant as a way to
    make the ->setkey() functions provide more information about errors.

    However, no one actually checks for this flag, which makes it pointless.

    Also, many algorithms fail to set this flag when given a bad length key.
    Reviewing just the generic implementations, this is the case for
    aes-fixed-time, cbcmac, echainiv, nhpoly1305, pcrypt, rfc3686, rfc4309,
    rfc7539, rfc7539esp, salsa20, seqiv, and xcbc. But there are probably
    many more in arch/*/crypto/ and drivers/crypto/.

    Some algorithms can even set this flag when the key is the correct
    length. For example, authenc and authencesn set it when the key payload
    is malformed in any way (not just a bad length), the atmel-sha and ccree
    drivers can set it if a memory allocation fails, and the chelsio driver
    sets it for bad auth tag lengths, not just bad key lengths.

    So even if someone actually wanted to start checking this flag (which
    seems unlikely, since it's been unused for a long time), there would be
    a lot of work needed to get it working correctly. But it would probably
    be much better to go back to the drawing board and just define different
    return values, like -EINVAL if the key is invalid for the algorithm vs.
    -EKEYREJECTED if the key was rejected by a policy like "no weak keys".
    That would be much simpler, less error-prone, and easier to test.

    So just remove this flag.

    Signed-off-by: Eric Biggers
    Reviewed-by: Horia Geantă
    Signed-off-by: Herbert Xu

    Eric Biggers
     

27 Jul, 2019

1 commit

  • To help avoid confusion, add a comment to ghash-generic.c which explains
    the convention that the kernel's implementation of GHASH uses.

    Also update the Kconfig help text and module descriptions to call GHASH
    a "hash function" rather than a "message digest", since the latter
    normally means a real cryptographic hash function, which GHASH is not.

    Cc: Pascal Van Leeuwen
    Signed-off-by: Eric Biggers
    Reviewed-by: Ard Biesheuvel
    Acked-by: Pascal Van Leeuwen
    Signed-off-by: Herbert Xu

    Eric Biggers
     

09 Jul, 2019

1 commit

  • Pull crypto updates from Herbert Xu:
    "Here is the crypto update for 5.3:

    API:
    - Test shash interface directly in testmgr
    - cra_driver_name is now mandatory

    Algorithms:
    - Replace arc4 crypto_cipher with library helper
    - Implement 5 way interleave for ECB, CBC and CTR on arm64
    - Add xxhash
    - Add continuous self-test on noise source to drbg
    - Update jitter RNG

    Drivers:
    - Add support for SHA204A random number generator
    - Add support for 7211 in iproc-rng200
    - Fix fuzz test failures in inside-secure
    - Fix fuzz test failures in talitos
    - Fix fuzz test failures in qat"

    * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (143 commits)
    crypto: stm32/hash - remove interruptible condition for dma
    crypto: stm32/hash - Fix hmac issue more than 256 bytes
    crypto: stm32/crc32 - rename driver file
    crypto: amcc - remove memset after dma_alloc_coherent
    crypto: ccp - Switch to SPDX license identifiers
    crypto: ccp - Validate the the error value used to index error messages
    crypto: doc - Fix formatting of new crypto engine content
    crypto: doc - Add parameter documentation
    crypto: arm64/aes-ce - implement 5 way interleave for ECB, CBC and CTR
    crypto: arm64/aes-ce - add 5 way interleave routines
    crypto: talitos - drop icv_ool
    crypto: talitos - fix hash on SEC1.
    crypto: talitos - move struct talitos_edesc into talitos.h
    lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
    crypto/NX: Set receive window credits to max number of CRBs in RxFIFO
    crypto: asymmetric_keys - select CRYPTO_HASH where needed
    crypto: serpent - mark __serpent_setkey_sbox noinline
    crypto: testmgr - dynamically allocate crypto_shash
    crypto: testmgr - dynamically allocate testvec_config
    crypto: talitos - eliminate unneeded 'done' functions at build time
    ...

    Linus Torvalds
     

19 Jun, 2019

1 commit

  • Based on 2 normalized pattern(s):

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license version 2 as
    published by the free software foundation

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license version 2 as
    published by the free software foundation #

    extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-only

    has been chosen to replace the boilerplate/reference in 4122 file(s).

    Signed-off-by: Thomas Gleixner
    Reviewed-by: Enrico Weigelt
    Reviewed-by: Kate Stewart
    Reviewed-by: Allison Randal
    Cc: linux-spdx@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

06 Jun, 2019

1 commit

  • Changing ghash_mod_init() to be subsys_initcall made it start running
    before the alignment fault handler has been installed on ARM. In kernel
    builds where the keys in the ghash test vectors happened to be
    misaligned in the kernel image, this exposed the longstanding bug that
    ghash_setkey() is incorrectly casting the key buffer (which can have any
    alignment) to be128 for passing to gf128mul_init_4k_lle().

    Fix this by memcpy()ing the key to a temporary buffer.

    Don't fix it by setting an alignmask on the algorithm instead because
    that would unnecessarily force alignment of the data too.

    Fixes: 2cdc6899a88e ("crypto: ghash - Add GHASH digest algorithm for GCM")
    Reported-by: Peter Robinson
    Cc: stable@vger.kernel.org
    Signed-off-by: Eric Biggers
    Tested-by: Peter Robinson
    Signed-off-by: Herbert Xu

    Eric Biggers
     

18 Apr, 2019

1 commit

  • Use subsys_initcall for registration of all templates and generic
    algorithm implementations, rather than module_init. Then change
    cryptomgr to use arch_initcall, to place it before the subsys_initcalls.

    This is needed so that when both a generic and optimized implementation
    of an algorithm are built into the kernel (not loadable modules), the
    generic implementation is registered before the optimized one.
    Otherwise, the self-tests for the optimized implementation are unable to
    allocate the generic implementation for the new comparison fuzz tests.

    Note that on arm, a side effect of this change is that self-tests for
    generic implementations may run before the unaligned access handler has
    been installed. So, unaligned accesses will crash the kernel. This is
    arguably a good thing as it makes it easier to detect that type of bug.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

09 Jul, 2018

1 commit

  • Many shash algorithms set .cra_flags = CRYPTO_ALG_TYPE_SHASH. But this
    is redundant with the C structure type ('struct shash_alg'), and
    crypto_register_shash() already sets the type flag automatically,
    clearing any type flag that was already there. Apparently the useless
    assignment has just been copy+pasted around.

    So, remove the useless assignment from all the shash algorithms.

    This patch shouldn't change any actual behavior.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

12 Jan, 2018

1 commit


02 Oct, 2016

1 commit


13 Jan, 2015

1 commit

  • Commit 5d26a105b5a7 ("crypto: prefix module autoloading with "crypto-"")
    changed the automatic module loading when requesting crypto algorithms
    to prefix all module requests with "crypto-". This requires all crypto
    modules to have a crypto specific module alias even if their file name
    would otherwise match the requested crypto algorithm.

    Even though commit 5d26a105b5a7 added those aliases for a vast amount of
    modules, it was missing a few. Add the required MODULE_ALIAS_CRYPTO
    annotations to those files to make them get loaded automatically, again.
    This fixes, e.g., requesting 'ecb(blowfish-generic)', which used to work
    with kernels v3.18 and below.

    Also change MODULE_ALIAS() lines to MODULE_ALIAS_CRYPTO(). The former
    won't work for crypto modules any more.

    Fixes: 5d26a105b5a7 ("crypto: prefix module autoloading with "crypto-"")
    Cc: Kees Cook
    Signed-off-by: Mathias Krause
    Signed-off-by: Herbert Xu

    Mathias Krause
     

24 Nov, 2014

1 commit


01 Aug, 2012

1 commit

  • Initialization of cra_list is currently mixed, most ciphers initialize this
    field and most shashes do not. Initialization however is not needed at all
    since cra_list is initialized/overwritten in __crypto_register_alg() with
    list_add(). Therefore perform cleanup to remove all unneeded initializations
    of this field in 'crypto/'.

    Signed-off-by: Jussi Kivilinna
    Signed-off-by: Herbert Xu

    Jussi Kivilinna
     

21 Oct, 2011

1 commit

  • The ghash_update function passes a pointer to gf128mul_4k_lle which will
    be NULL if ghash_setkey is not called or if the most recent call to
    ghash_setkey failed to allocate memory. This causes an oops. Fix this
    up by returning an error code in the null case.

    This is trivially triggered from unprivileged userspace through the
    AF_ALG interface by simply writing to the socket without setting a key.

    The ghash_final function has a similar issue, but triggering it requires
    a memory allocation failure in ghash_setkey _after_ at least one
    successful call to ghash_update.

    BUG: unable to handle kernel NULL pointer dereference at 00000670
    IP: [] gf128mul_4k_lle+0x23/0x60 [gf128mul]
    *pde = 00000000
    Oops: 0000 [#1] PREEMPT SMP
    Modules linked in: ghash_generic gf128mul algif_hash af_alg nfs lockd nfs_acl sunrpc bridge ipv6 stp llc

    Pid: 1502, comm: hashatron Tainted: G W 3.1.0-rc9-00085-ge9308cf #32 Bochs Bochs
    EIP: 0060:[] EFLAGS: 00000202 CPU: 0
    EIP is at gf128mul_4k_lle+0x23/0x60 [gf128mul]
    EAX: d69db1f0 EBX: d6b8ddac ECX: 00000004 EDX: 00000000
    ESI: 00000670 EDI: d6b8ddac EBP: d6b8ddc8 ESP: d6b8dda4
    DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
    Process hashatron (pid: 1502, ti=d6b8c000 task=d6810000 task.ti=d6b8c000)
    Stack:
    00000000 d69db1f0 00000163 00000000 d6b8ddc8 c101a520 d69db1f0 d52aa000
    00000ff0 d6b8dde8 d88d310f d6b8a3f8 d52aa000 00001000 d88d502c d6b8ddfc
    00001000 d6b8ddf4 c11676ed d69db1e8 d6b8de24 c11679ad d52aa000 00000000
    Call Trace:
    [] ? kmap_atomic_prot+0x37/0xa6
    [] ghash_update+0x85/0xbe [ghash_generic]
    [] crypto_shash_update+0x18/0x1b
    [] shash_ahash_update+0x22/0x36
    [] shash_async_update+0xb/0xd
    [] hash_sendpage+0xba/0xf2 [algif_hash]
    [] kernel_sendpage+0x39/0x4e
    [] ? 0xd88cdfff
    [] sock_sendpage+0x37/0x3e
    [] ? kernel_sendpage+0x4e/0x4e
    [] pipe_to_sendpage+0x56/0x61
    [] splice_from_pipe_feed+0x58/0xcd
    [] ? splice_from_pipe_begin+0x10/0x10
    [] __splice_from_pipe+0x36/0x55
    [] ? splice_from_pipe_begin+0x10/0x10
    [] splice_from_pipe+0x51/0x64
    [] ? default_file_splice_write+0x2c/0x2c
    [] generic_splice_sendpage+0x13/0x15
    [] ? splice_from_pipe_begin+0x10/0x10
    [] do_splice_from+0x5d/0x67
    [] sys_splice+0x2bf/0x363
    [] ? sysenter_exit+0xf/0x16
    [] ? trace_hardirqs_on_caller+0x10e/0x13f
    [] sysenter_do_call+0x12/0x32
    Code: 83 c4 0c 5b 5e 5f c9 c3 55 b9 04 00 00 00 89 e5 57 8d 7d e4 56 53 8d 5d e4 83 ec 18 89 45 e0 89 55 dc 0f b6 70 0f c1 e6 04 01 d6 a5 be 0f 00 00 00 4e 89 d8 e8 48 ff ff ff 8b 45 e0 89 da 0f
    EIP: [] gf128mul_4k_lle+0x23/0x60 [gf128mul] SS:ESP 0068:d6b8dda4
    CR2: 0000000000000670
    ---[ end trace 4eaa2a86a8e2da24 ]---
    note: hashatron[1502] exited with preempt_count 1
    BUG: scheduling while atomic: hashatron/1502/0x10000002
    INFO: lockdep is turned off.
    [...]

    Signed-off-by: Nick Bowler
    Cc: stable@kernel.org [2.6.37+]
    Signed-off-by: Herbert Xu

    Nick Bowler
     

06 Aug, 2009

1 commit