18 Dec, 2016
1 commit
-
Pull more documentation updates from Jonathan Corbet:
"This converts the crypto DocBook to Sphinx"* tag 'docs-4.10-2' of git://git.lwn.net/linux:
crypto: doc - optimize compilation
crypto: doc - clarify AEAD memory structure
crypto: doc - remove crypto_alloc_ablkcipher
crypto: doc - add KPP documentation
crypto: doc - fix separation of cipher / req API
crypto: doc - fix source comments for Sphinx
crypto: doc - remove crypto API DocBook
crypto: doc - convert crypto API documentation to Sphinx
16 Dec, 2016
1 commit
-
Pull crypto fixes from Herbert Xu:
"This fixes the following issues:- a crash regression in the new skcipher walker
- incorrect return value in public_key_verify_signature
- fix for in-place signing in the sign-file utility"
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: skcipher - fix crash in virtual walk
sign-file: Fix inplace signing when src and dst names are both specified
crypto: asymmetric_keys - set error code on failure
15 Dec, 2016
1 commit
-
Pull crypto updates from Herbert Xu:
"Here is the crypto update for 4.10:API:
- add skcipher walk interface
- add asynchronous compression (acomp) interface
- fix algif_aed AIO handling of zero bufferAlgorithms:
- fix unaligned access in poly1305
- fix DRBG output to large buffersDrivers:
- add support for iMX6UL to caam
- fix givenc descriptors (used by IPsec) in caam
- accelerated SHA256/SHA512 for ARM64 from OpenSSL
- add SSE CRCT10DIF and CRC32 to ARM/ARM64
- add AEAD support to Chelsio chcr
- add Armada 8K support to omap-rng"* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (148 commits)
crypto: testmgr - fix overlap in chunked tests again
crypto: arm/crc32 - accelerated support based on x86 SSE implementation
crypto: arm64/crc32 - accelerated support based on x86 SSE implementation
crypto: arm/crct10dif - port x86 SSE implementation to ARM
crypto: arm64/crct10dif - port x86 SSE implementation to arm64
crypto: testmgr - add/enhance test cases for CRC-T10DIF
crypto: testmgr - avoid overlap in chunked tests
crypto: chcr - checking for IS_ERR() instead of NULL
crypto: caam - check caam_emi_slow instead of re-lookup platform
crypto: algif_aead - fix AIO handling of zero buffer
crypto: aes-ce - Make aes_simd_algs static
crypto: algif_skcipher - set error code when kcalloc fails
crypto: caam - make aamalg_desc a proper module
crypto: caam - pass key buffers with typesafe pointers
crypto: arm64/aes-ce-ccm - Fix AEAD decryption length
MAINTAINERS: add crypto headers to crypto entry
crypt: doc - remove misleading mention of async API
crypto: doc - fix header file name
crypto: api - fix comment typo
crypto: skcipher - Add separate walker for AEAD decryption
..
14 Dec, 2016
3 commits
-
The new skcipher walk API may crash in the following way. (Interestingly,
the tcrypt boot time tests seem unaffected, while an explicit test using
the module triggers it)Unable to handle kernel NULL pointer dereference at virtual address 00000000
...
[] __memcpy+0x84/0x180
[] skcipher_walk_done+0x328/0x340
[] ctr_encrypt+0x84/0x100
[] simd_skcipher_encrypt+0x88/0x98
[] crypto_rfc3686_crypt+0x8c/0x98
[] test_skcipher_speed+0x518/0x820 [tcrypt]
[] do_test+0x1408/0x3b70 [tcrypt]
[] tcrypt_mod_init+0x50/0x1000 [tcrypt]
[] do_one_initcall+0x44/0x138
[] do_init_module+0x68/0x1e0
[] load_module+0x1fd0/0x2458
[] SyS_finit_module+0xe0/0xf0
[] el0_svc_naked+0x24/0x28This is due to the fact that skcipher_done_slow() may be entered with
walk->buffer unset. Since skcipher_walk_done() already deals with the
case where walk->buffer == walk->page, it appears to be the intention
that walk->buffer point to walk->page after skcipher_next_slow(), so
ensure that is the case.Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu -
In function public_key_verify_signature(), returns variable ret on
error paths. When the call to kmalloc() fails, the value of ret is 0,
and it is not set to an errno before returning. This patch fixes the
bug.Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188891
Signed-off-by: Pan Bian
Signed-off-by: David Howells
Signed-off-by: Herbert Xu -
The previous description have been misleading and partially incorrect.
Reported-by: Harsh Jain
Signed-off-by: Stephan Mueller
Signed-off-by: Jonathan Corbet
11 Dec, 2016
2 commits
-
Pull crypto fixes from Herbert Xu:
"This fixes the following issues:- Fix pointer size when caam is used with AArch64 boot loader on
AArch32 kernel.- Fix ahash state corruption in marvell driver.
- Fix buggy algif_aed tag handling.
- Prevent mcryptd from being used with incompatible algorithms which
can cause crashes"* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: algif_aead - fix uninitialized variable warning
crypto: mcryptd - Check mcryptd algorithm compatibility
crypto: algif_aead - fix AEAD tag memory handling
crypto: caam - fix pointer size for AArch64 boot loader, AArch32 kernel
crypto: marvell - Don't corrupt state of an STD req for re-stepped ahash
crypto: marvell - Don't copy hash operation twice into the SRAM
08 Dec, 2016
2 commits
-
Commit 7e4c7f17cde2 ("crypto: testmgr - avoid overlap in chunked tests")
attempted to address a problem in the crypto testmgr code where chunked
test cases are copied to memory in a way that results in overlap.However, the fix recreated the exact same issue for other chunked tests,
by putting IDX3 within 492 bytes of IDX1, which causes overlap if the
first chunk exceeds 492 bytes, which is the case for at least one of
the xts(aes) test cases.So increase IDX3 by another 1000 bytes.
Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu -
In case the user provided insufficient data, the code may return
prematurely without any operation. In this case, the processed
data indicated with outlen is zero.Reported-by: Stephen Rothwell
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
07 Dec, 2016
5 commits
-
The existing test cases only exercise a small slice of the various
possible code paths through the x86 SSE/PCLMULQDQ implementation,
and the upcoming ports of it for arm64. So add one that exceeds 256
bytes in size, and convert another to a chunked test.Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu -
The IDXn offsets are chosen such that tap values (which may go up to
255) end up overlapping in the xbuf allocation. In particular, IDX1
and IDX3 are too close together, so update IDX3 to avoid this issue.Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu -
Algorithms not compatible with mcryptd could be spawned by mcryptd
with a direct crypto_alloc_tfm invocation using a "mcryptd(alg)" name
construct. This causes mcryptd to crash the kernel if an arbitrary
"alg" is incompatible and not intended to be used with mcryptd. It is
an issue if AF_ALG tries to spawn mcryptd(alg) to expose it externally.
But such algorithms must be used internally and not be exposed.We added a check to enforce that only internal algorithms are allowed
with mcryptd at the time mcryptd is spawning an algorithm.Link: http://marc.info/?l=linux-crypto-vger&m=148063683310477&w=2
Cc: stable@vger.kernel.org
Reported-by: Mikulas Patocka
Signed-off-by: Tim Chen
Signed-off-by: Herbert Xu -
For encryption, the AEAD ciphers require AAD || PT as input and generate
AAD || CT || Tag as output and vice versa for decryption. Prior to this
patch, the AF_ALG interface for AEAD ciphers requires the buffer to be
present as input for encryption. Similarly, the output buffer for
decryption required the presence of the tag buffer too. This implies
that the kernel reads / writes data buffers from/to kernel space
even though this operation is not required.This patch changes the AF_ALG AEAD interface to be consistent with the
in-kernel AEAD cipher requirements.Due to this handling, he changes are transparent to user space with one
exception: the return code of recv indicates the mount of output buffer.
That output buffer has a different size compared to before the patch
which implies that the return code of recv will also be different.
For example, a decryption operation uses 16 bytes AAD, 16 bytes CT and
16 bytes tag, the AF_ALG AEAD interface before showed a recv return
code of 48 (bytes) whereas after this patch, the return code is 32
since the tag is not returned any more.Reported-by: Mat Martineau
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
06 Dec, 2016
1 commit
-
Pull crypto fixes from Herbert Xu:
"This fixes the following issues:- Intermittent build failure in RSA
- Memory corruption in chelsio crypto driver
- Regression in DRBG due to vmalloced stack"
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: rsa - Add Makefile dependencies to fix parallel builds
crypto: chcr - Fix memory corruption
crypto: drbg - prevent invalid SG mappings
01 Dec, 2016
3 commits
-
Handle the case when the caller provided a zero buffer to
sendmsg/sendpage. Such scenario is legal for AEAD ciphers when no
plaintext / ciphertext and no AAD is provided and the caller only
requests the generation of the tag value.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu -
Fix bug https://bugzilla.kernel.org/show_bug.cgi?id=188521. In function
skcipher_recvmsg_async(), variable err takes the return value, and its
value should be negative on failures. Because variable err may be
reassigned and checked before calling kcalloc(), its value may be 0
(indicates no error) even if kcalloc() fails. This patch fixes the bug
by explicitly assigning -ENOMEM to err when kcalloc() returns a NULL
pointer.Signed-off-by: Pan Bian
Signed-off-by: Herbert Xu -
The AEAD decrypt interface includes the authentication tag in
req->cryptlen. Therefore we need to exlucde that when doing
a walk over it.This patch adds separate walker functions for AEAD encryption
and decryption.Signed-off-by: Herbert Xu
Reviewed-by: Ard Biesheuvel
30 Nov, 2016
4 commits
-
The new skcipher_walk_aead() may crash in the following way due to
the walk flag SKCIPHER_WALK_PHYS not being cleared at the start of the
walk:Unable to handle kernel NULL pointer dereference at virtual address 00000001
[..]
Internal error: Oops: 96000044 [#1] PREEMPT SMP
[..]
PC is at skcipher_walk_next+0x208/0x450
LR is at skcipher_walk_next+0x1e4/0x450
pc : [] lr : [] pstate: 40000045
sp : ffffb925fa517940
[...]
[] skcipher_walk_next+0x208/0x450
[] skcipher_walk_first+0x54/0x148
[] skcipher_walk_aead+0xd4/0x108
[] ccm_encrypt+0x68/0x158So clear the flag at the appropriate time.
Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu -
Merge the crypto tree to pull in chelsio chcr fix.
-
Both asn1 headers are included by rsa_helper.c, so rsa_helper.o
should explicitly depend on them.Signed-off-by: David Michael
Signed-off-by: Herbert Xu -
When using SGs, only heap memory (memory that is valid as per
virt_addr_valid) is allowed to be referenced. The CTR DRBG used to
reference the caller-provided memory directly in an SG. In case the
caller provided stack memory pointers, the SG mapping is not considered
to be valid. In some cases, this would even cause a paging fault.The change adds a new scratch buffer that is used unconditionally to
catch the cases where the caller-provided buffer is not suitable for
use in an SG. The crypto operation of the CTR DRBG produces its output
with that scratch buffer and finally copies the content of the
scratch buffer to the caller's buffer.The scratch buffer is allocated during allocation time of the CTR DRBG
as its access is protected with the DRBG mutex.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
28 Nov, 2016
14 commits
-
With virtually-mapped stacks (CONFIG_VMAP_STACK=y), using the
scatterlist crypto API with stack buffers is not allowed, and with
appropriate debugging options will cause the
'BUG_ON(!virt_addr_valid(buf));' in sg_set_buf() to be triggered.
Use a heap buffer instead.Fixes: d7db7a882deb ("crypto: acomp - update testmgr with support for acomp")
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu -
This patch moves the core CBC implementation into a header file
so that it can be reused by drivers implementing CBC.Signed-off-by: Herbert Xu
-
This patch converts cbc over to the skcipher interface. It also
rearranges the code to allow it to be reused by drivers.Signed-off-by: Herbert Xu
-
This patch converts aesni (including fpu) over to the skcipher
interface. The LRW implementation has been removed as the generic
LRW code can now be used directly on top of the accelerated ECB
implementation.Signed-off-by: Herbert Xu
-
Currently we manually filter out internal algorithms using a list
in testmgr. This is dangerous as internal algorithms cannot be
safely used even by testmgr. This patch ensures that they're never
processed by testmgr at all.This patch also removes an obsolete bypass for nivciphers which
no longer exist.Signed-off-by: Herbert Xu
-
This patch adds xts helpers that use the skcipher interface rather
than blkcipher. This will be used by aesni_intel.Signed-off-by: Herbert Xu
-
This patch converts lrw over to the skcipher interface.
Signed-off-by: Herbert Xu
-
This patch adds the simd skcipher helper which is meant to be
a replacement for ablk helper. It replaces the underlying blkcipher
interface with skcipher, and also presents the top-level algorithm
as an skcipher.Signed-off-by: Herbert Xu
-
This patch adds skcipher support to cryptd alongside ablkcipher.
Signed-off-by: Herbert Xu
-
Currently all bits not set in mask are cleared in crypto_larval_lookup.
This is unnecessary as wherever the type bits are used it is always
masked anyway.This patch removes the clearing so that we may use bits set in the
type but not in the mask for special purposes, e.g., picking up
internal algorithms.Signed-off-by: Herbert Xu
-
This patch converts xts over to the skcipher interface. It also
optimises the implementation to be based on ECB instead of the
underlying cipher. For compatibility the existing naming scheme
of xts(aes) is maintained as opposed to the more obvious one of
xts(ecb(aes)).Signed-off-by: Herbert Xu
-
This patch converts lrw over to the skcipher interface. It also
optimises the implementation to be based on ECB instead of the
underlying cipher. For compatibility the existing naming scheme
of lrw(aes) is maintained as opposed to the more obvious one of
lrw(ecb(aes)).Signed-off-by: Herbert Xu
-
This patch adds the skcipher walk interface which replaces both
blkcipher walk and ablkcipher walk. Just like blkcipher walk it
can also be used for AEAD algorithms.Signed-off-by: Herbert Xu
-
For consistency with the other 246 kernel configuration options,
rename CRYPT_CRC32C_VPMSUM to CRYPTO_CRC32C_VPMSUM.Signed-off-by: Jean Delvare
Cc: Anton Blanchard
Cc: Herbert Xu
Acked-by: Anton Blanchard
Signed-off-by: Herbert Xu
27 Nov, 2016
1 commit
-
udplite conflict is resolved by taking what 'net-next' did
which removed the backlog receive method assignment, since
it is no longer necessary.Two entries were added to the non-priv ethtool operations
switch statement, one in 'net' and one in 'net-next, so
simple overlapping changes.Signed-off-by: David S. Miller
25 Nov, 2016
1 commit
-
We shouldn't free cert->pub->key in x509_cert_parse() because
x509_free_certificate() also does this:
BUG: Double free or freeing an invalid pointer
...
Call Trace:
[] dump_stack+0x63/0x83
[] kasan_object_err+0x21/0x70
[] kasan_report_double_free+0x49/0x60
[] kasan_slab_free+0x9d/0xc0
[] kfree+0x8a/0x1a0
[] public_key_free+0x1f/0x30
[] x509_free_certificate+0x24/0x90
[] x509_cert_parse+0x2bc/0x300
[] x509_key_preparse+0x3e/0x330
[] asymmetric_key_preparse+0x6f/0x100
[] key_create_or_update+0x260/0x5f0
[] SyS_add_key+0x199/0x2a0
[] entry_SYSCALL_64_fastpath+0x1e/0xad
Object at ffff880110bd1900, in cache kmalloc-512 size: 512
....
Freed:
PID = 2579
[] save_stack_trace+0x1b/0x20
[] save_stack+0x46/0xd0
[] kasan_slab_free+0x73/0xc0
[] kfree+0x8a/0x1a0
[] x509_cert_parse+0x2a3/0x300
[] x509_key_preparse+0x3e/0x330
[] asymmetric_key_preparse+0x6f/0x100
[] key_create_or_update+0x260/0x5f0
[] SyS_add_key+0x199/0x2a0
[] entry_SYSCALL_64_fastpath+0x1e/0xadFixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
Signed-off-by: Andrey Ryabinin
Cc:
Signed-off-by: David Howells
Signed-off-by: James Morris
23 Nov, 2016
1 commit
-
All conflicts were simple overlapping changes except perhaps
for the Thunder driver.That driver has a change_mtu method explicitly for sending
a message to the hardware. If that fails it returns an
error.Normally a driver doesn't need an ndo_change_mtu method becuase those
are usually just range changes, which are now handled generically.
But since this extra operation is needed in the Thunder driver, it has
to stay.However, if the message send fails we have to restore the original
MTU before the change because the entire call chain expects that if
an error is thrown by ndo_change_mtu then the MTU did not change.
Therefore code is added to nicvf_change_mtu to remember the original
MTU, and to restore it upon nicvf_update_hw_max_frs() failue.Signed-off-by: David S. Miller