Eric Lee / smarc-fsl-linux-kernel

16 Jul, 2020

1 commit

  • 7bcb2c99f   crypto: algapi - use common mechanism for inheriting flags ... Browse Code »

    The flag CRYPTO_ALG_ASYNC is "inherited" in the sense that when a
    template is instantiated, the template will have CRYPTO_ALG_ASYNC set if
    any of the algorithms it uses has CRYPTO_ALG_ASYNC set.

    We'd like to add a second flag (CRYPTO_ALG_ALLOCATES_MEMORY) that gets
    "inherited" in the same way. This is difficult because the handling of
    CRYPTO_ALG_ASYNC is hardcoded everywhere. Address this by:

    - Add CRYPTO_ALG_INHERITED_FLAGS, which contains the set of flags that
    have these inheritance semantics.

    - Add crypto_algt_inherited_mask(), for use by template ->create()
    methods. It returns any of these flags that the user asked to be
    unset and thus must be passed in the 'mask' to crypto_grab_*().

    - Also modify crypto_check_attr_type() to handle computing the 'mask'
    so that most templates can just use this.

    - Make crypto_grab_*() propagate these flags to the template instance
    being created so that templates don't have to do this themselves.

    Make crypto/simd.c propagate these flags too, since it "wraps" another
    algorithm, similar to a template.

    Based on a patch by Mikulas Patocka
    (https://lore.kernel.org/r/alpine.LRH.2.02.2006301414580.30526@file01.intranet.prod.int.rdu2.redhat.com).

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

06 Mar, 2020

1 commit

09 Jan, 2020

4 commits

  • 370738824   crypto: authencesn - use crypto_grab_ahash() and simplify error paths ... Browse Code »

    Make the authencesn template use the new function crypto_grab_ahash() to
    initialize its ahash spawn.

    This is needed to make all spawns be initialized in a consistent way.

    Also simplify the error handling by taking advantage of crypto_drop_*()
    now accepting (as a no-op) spawns that haven't been initialized yet, and
    by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • b9f76dddb   crypto: skcipher - pass instance to crypto_grab_skcipher() ... Browse Code »

    Initializing a crypto_skcipher_spawn currently requires:

    1. Set spawn->base.inst to point to the instance.
    2. Call crypto_grab_skcipher().

    But there's no reason for these steps to be separate, and in fact this
    unneeded complication has caused at least one bug, the one fixed by
    commit 6db43410179b ("crypto: adiantum - initialize crypto_spawn::inst")

    So just make crypto_grab_skcipher() take the instance as an argument.

    To keep the function calls from getting too unwieldy due to this extra
    argument, also introduce a 'mask' variable into the affected places
    which weren't already using one.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • af5034e8e   crypto: remove propagation of CRYPTO_TFM_RES_* flags ... Browse Code »

    The CRYPTO_TFM_RES_* flags were apparently meant as a way to make the
    ->setkey() functions provide more information about errors. But these
    flags weren't actually being used or tested, and in many cases they
    weren't being set correctly anyway. So they've now been removed.

    Also, if someone ever actually needs to start better distinguishing
    ->setkey() errors (which is somewhat unlikely, as this has been unneeded
    for a long time), we'd be much better off just defining different return
    values, like -EINVAL if the key is invalid for the algorithm vs.
    -EKEYREJECTED if the key was rejected by a policy like "no weak keys".
    That would be much simpler, less error-prone, and easier to test.

    So just remove CRYPTO_TFM_RES_MASK and all the unneeded logic that
    propagates these flags around.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • 674f368a9   crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN ... Browse Code »

    The CRYPTO_TFM_RES_BAD_KEY_LEN flag was apparently meant as a way to
    make the ->setkey() functions provide more information about errors.

    However, no one actually checks for this flag, which makes it pointless.

    Also, many algorithms fail to set this flag when given a bad length key.
    Reviewing just the generic implementations, this is the case for
    aes-fixed-time, cbcmac, echainiv, nhpoly1305, pcrypt, rfc3686, rfc4309,
    rfc7539, rfc7539esp, salsa20, seqiv, and xcbc. But there are probably
    many more in arch/*/crypto/ and drivers/crypto/.

    Some algorithms can even set this flag when the key is the correct
    length. For example, authenc and authencesn set it when the key payload
    is malformed in any way (not just a bad length), the atmel-sha and ccree
    drivers can set it if a memory allocation fails, and the chelsio driver
    sets it for bad auth tag lengths, not just bad key lengths.

    So even if someone actually wanted to start checking this flag (which
    seems unlikely, since it's been unused for a long time), there would be
    a lot of work needed to get it working correctly. But it would probably
    be much better to go back to the drawing board and just define different
    return values, like -EINVAL if the key is invalid for the algorithm vs.
    -EKEYREJECTED if the key was rejected by a policy like "no weak keys".
    That would be much simpler, less error-prone, and easier to test.

    So just remove this flag.

    Signed-off-by: Eric Biggers
    Reviewed-by: Horia Geantă
    Signed-off-by: Herbert Xu

    Eric Biggers
     

31 May, 2019

1 commit

  • 2874c5fd2   treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 ... Browse Code »

    Based on 1 normalized pattern(s):

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license as published by
    the free software foundation either version 2 of the license or at
    your option any later version

    extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-or-later

    has been chosen to replace the boilerplate/reference in 3029 file(s).

    Signed-off-by: Thomas Gleixner
    Reviewed-by: Allison Randal
    Cc: linux-spdx@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

18 Apr, 2019

1 commit

  • c4741b230   crypto: run initcalls for generic implementations earlier ... Browse Code »

    Use subsys_initcall for registration of all templates and generic
    algorithm implementations, rather than module_init. Then change
    cryptomgr to use arch_initcall, to place it before the subsys_initcalls.

    This is needed so that when both a generic and optimized implementation
    of an algorithm are built into the kernel (not loadable modules), the
    generic implementation is registered before the optimized one.
    Otherwise, the self-tests for the optimized implementation are unable to
    allocate the generic implementation for the new comparison fuzz tests.

    Note that on arm, a side effect of this change is that self-tests for
    generic implementations may run before the unaligned access handler has
    been installed. So, unaligned accesses will crash the kernel. This is
    arguably a good thing as it makes it easier to detect that type of bug.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

10 Jan, 2019

1 commit

  • a77733636   crypto: authencesn - Avoid twice completion call in decrypt path ... Browse Code »

    Authencesn template in decrypt path unconditionally calls aead_request_complete
    after ahash_verify which leads to following kernel panic in after decryption.

    [ 338.539800] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
    [ 338.548372] PGD 0 P4D 0
    [ 338.551157] Oops: 0000 [#1] SMP PTI
    [ 338.554919] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Tainted: G W I 4.19.7+ #13
    [ 338.564431] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0 07/29/10
    [ 338.572212] RIP: 0010:esp_input_done2+0x350/0x410 [esp4]
    [ 338.578030] Code: ff 0f b6 68 10 48 8b 83 c8 00 00 00 e9 8e fe ff ff 8b 04 25 04 00 00 00 83 e8 01 48 98 48 8b 3c c5 10 00 00 00 e9 f7 fd ff ff 04 25 04 00 00 00 83 e8 01 48 98 4c 8b 24 c5 10 00 00 00 e9 3b
    [ 338.598547] RSP: 0018:ffff911c97803c00 EFLAGS: 00010246
    [ 338.604268] RAX: 0000000000000002 RBX: ffff911c4469ee00 RCX: 0000000000000000
    [ 338.612090] RDX: 0000000000000000 RSI: 0000000000000130 RDI: ffff911b87c20400
    [ 338.619874] RBP: 0000000000000000 R08: ffff911b87c20498 R09: 000000000000000a
    [ 338.627610] R10: 0000000000000001 R11: 0000000000000004 R12: 0000000000000000
    [ 338.635402] R13: ffff911c89590000 R14: ffff911c91730000 R15: 0000000000000000
    [ 338.643234] FS: 0000000000000000(0000) GS:ffff911c97800000(0000) knlGS:0000000000000000
    [ 338.652047] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 338.658299] CR2: 0000000000000004 CR3: 00000001ec20a000 CR4: 00000000000006f0
    [ 338.666382] Call Trace:
    [ 338.669051]
    [ 338.671254] esp_input_done+0x12/0x20 [esp4]
    [ 338.675922] chcr_handle_resp+0x3b5/0x790 [chcr]
    [ 338.680949] cpl_fw6_pld_handler+0x37/0x60 [chcr]
    [ 338.686080] chcr_uld_rx_handler+0x22/0x50 [chcr]
    [ 338.691233] uldrx_handler+0x8c/0xc0 [cxgb4]
    [ 338.695923] process_responses+0x2f0/0x5d0 [cxgb4]
    [ 338.701177] ? bitmap_find_next_zero_area_off+0x3a/0x90
    [ 338.706882] ? matrix_alloc_area.constprop.7+0x60/0x90
    [ 338.712517] ? apic_update_irq_cfg+0x82/0xf0
    [ 338.717177] napi_rx_handler+0x14/0xe0 [cxgb4]
    [ 338.722015] net_rx_action+0x2aa/0x3e0
    [ 338.726136] __do_softirq+0xcb/0x280
    [ 338.730054] irq_exit+0xde/0xf0
    [ 338.733504] do_IRQ+0x54/0xd0
    [ 338.736745] common_interrupt+0xf/0xf

    Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD...")
    Signed-off-by: Harsh Jain
    Cc: stable@vger.kernel.org
    Signed-off-by: Herbert Xu

    Harsh Jain
     

28 Sep, 2018

1 commit

  • 8d6053984   crypto: null - Remove VLA usage of skcipher ... Browse Code »

    In the quest to remove all stack VLA usage from the kernel[1], this
    replaces struct crypto_skcipher and SKCIPHER_REQUEST_ON_STACK() usage
    with struct crypto_sync_skcipher and SYNC_SKCIPHER_REQUEST_ON_STACK(),
    which uses a fixed stack size.

    [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com

    Signed-off-by: Kees Cook
    Signed-off-by: Herbert Xu

    Kees Cook
     

21 Apr, 2018

1 commit

22 Dec, 2017

1 commit

18 Jul, 2017

1 commit

  • 41cdf7a45   crypto: authencesn - Fix digest_null crash ... Browse Code »

    When authencesn is used together with digest_null a crash will
    occur on the decrypt path. This is because normally we perform
    a special setup to preserve the ESN, but this is skipped if there
    is no authentication. However, on the post-authentication path
    it always expects the preservation to be in place, thus causing
    a crash when digest_null is used.

    This patch fixes this by also skipping the post-processing when
    there is no authentication.

    Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD...")
    Cc:
    Reported-by: Jan Tluka
    Signed-off-by: Herbert Xu

    Herbert Xu
     

01 Nov, 2016

2 commits

18 Jul, 2016

1 commit

  • e75445a84   crypto: authencesn - Use skcipher ... Browse Code »

    This patch converts authencesn to use the new skcipher interface as
    opposed to ablkcipher.

    It also fixes a little bug where if a sync version of authencesn
    is requested we may still end up using an async ahash. This should
    have no effect as none of the authencesn users can request for a
    sync authencesn.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

01 Jul, 2016

1 commit

  • 927ef32dc   crypto: authenc - Consider ahash ASYNC bit ... Browse Code »

    As it is, if you get an async ahash with a sync skcipher you'll
    end up with a sync authenc, which is wrong.

    This patch fixes it by considering the ASYNC bit from ahash as
    well.

    It also fixes a little bug where if a sync version of authenc
    is requested we may still end up using an async ahash.

    Neither of them should have any effect as none of the authenc
    users can request for a sync authenc.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

17 Aug, 2015

1 commit

10 Aug, 2015

2 commits

13 May, 2015

2 commits

26 Nov, 2014

1 commit

  • 4943ba16b   crypto: include crypto- module prefix in template ... Browse Code »

    This adds the module loading prefix "crypto-" to the template lookup
    as well.

    For example, attempting to load 'vfat(blowfish)' via AF_ALG now correctly
    includes the "crypto-" prefix at every level, correctly rejecting "vfat":

    net-pf-38
    algif-hash
    crypto-vfat(blowfish)
    crypto-vfat(blowfish)-all
    crypto-vfat

    Reported-by: Mathias Krause
    Signed-off-by: Kees Cook
    Acked-by: Mathias Krause
    Signed-off-by: Herbert Xu

    Kees Cook
     

16 Oct, 2013

1 commit

07 Oct, 2013

1 commit

  • 6bf37e5aa   crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks ... Browse Code »

    When comparing MAC hashes, AEAD authentication tags, or other hash
    values in the context of authentication or integrity checking, it
    is important not to leak timing information to a potential attacker,
    i.e. when communication happens over a network.

    Bytewise memory comparisons (such as memcmp) are usually optimized so
    that they return a nonzero value as soon as a mismatch is found. E.g,
    on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
    and up to ~850 cyc for a full match (cold). This early-return behavior
    can leak timing information as a side channel, allowing an attacker to
    iteratively guess the correct result.

    This patch adds a new method crypto_memneq ("memory not equal to each
    other") to the crypto API that compares memory areas of the same length
    in roughly "constant time" (cache misses could change the timing, but
    since they don't reveal information about the content of the strings
    being compared, they are effectively benign). Iow, best and worst case
    behaviour take the same amount of time to complete (in contrast to
    memcmp).

    Note that crypto_memneq (unlike memcmp) can only be used to test for
    equality or inequality, NOT for lexicographical order. This, however,
    is not an issue for its use-cases within the crypto API.

    We tried to locate all of the places in the crypto API where memcmp was
    being used for authentication or integrity checking, and convert them
    over to crypto_memneq.

    crypto_memneq is declared noinline, placed in its own source file,
    and compiled with optimizations that might increase code size disabled
    ("Os") because a smart compiler (or LTO) might notice that the return
    value is always compared against zero/nonzero, and might then
    reintroduce the same early-return optimization that we are trying to
    avoid.

    Using #pragma or __attribute__ optimization annotations of the code
    for disabling optimization was avoided as it seems to be considered
    broken or unmaintained for long time in GCC [1]. Therefore, we work
    around that by specifying the compile flag for memneq.o directly in
    the Makefile. We found that this seems to be most appropriate.

    As we use ("Os"), this patch also provides a loop-free "fast-path" for
    frequently used 16 byte digests. Similarly to kernel library string
    functions, leave an option for future even further optimized architecture
    specific assembler implementations.

    This was a joint work of James Yonan and Daniel Borkmann. Also thanks
    for feedback from Florian Weimer on this and earlier proposals [2].

    [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
    [2] https://lkml.org/lkml/2013/2/10/131

    Signed-off-by: James Yonan
    Signed-off-by: Daniel Borkmann
    Cc: Florian Weimer
    Signed-off-by: Herbert Xu

    James Yonan
     

04 Feb, 2013

1 commit

  • 3e8afe35c   crypto: use ERR_CAST ... Browse Code »

    Replace PTR_ERR followed by ERR_PTR by ERR_CAST, to be more concise.

    The semantic patch that makes this change is as follows:
    (http://coccinelle.lip6.fr/)

    //
    @@
    expression err,x;
    @@
    - err = PTR_ERR(x);
    if (IS_ERR(x))
    - return ERR_PTR(err);
    + return ERR_CAST(x);
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: Herbert Xu

    Julia Lawall
     

14 Mar, 2011

1 commit