31 May, 2009

1 commit

  • A quirk that we've always supported is having an sg entry that's
    bigger than a page, or more generally an sg entry that crosses
    page boundaries. Even though it would be better to explicitly have
    to sg entries for this, we need to support it for the existing users,
    in particular, IPsec.

    The new ahash sg walking code did try to handle this, but there was
    a bug where we didn't increment the page so kept on walking on the
    first page over an dover again.

    This patch fixes it.

    Tested-by: Martin Willi
    Signed-off-by: Herbert Xu

    Herbert Xu
     

18 May, 2009

1 commit


21 Apr, 2009

1 commit

  • The commit a760a6656e6f00bb0144a42a048cf0266646e22c (crypto:
    api - Fix module load deadlock with fallback algorithms) broke
    the auto-loading of algorithms that require fallbacks. The
    problem is that the fallback mask check is missing an and which
    cauess bits that should be considered to interfere with the
    result.

    Reported-by: Chuck Ebbert
    Signed-off-by: Herbert Xu

    Herbert Xu
     

15 Apr, 2009

1 commit

  • If crypto_ablkcipher_encrypt() returns synchronous,
    eseqiv_complete2() is called even if req->giv is already the
    pointer to the generated IV. The generated IV is overwritten
    with some random data in this case. This patch fixes this by
    calling eseqiv_complete2() just if the generated IV has to be
    copied to req->giv.

    Signed-off-by: Steffen Klassert
    Signed-off-by: Herbert Xu

    Steffen Klassert
     

04 Apr, 2009

3 commits

  • * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx:
    dma: Add SoF and EoF debugging to ipu_idmac.c, minor cleanup
    dw_dmac: add cyclic API to DW DMA driver
    dmaengine: Add privatecnt to revert DMA_PRIVATE property
    dmatest: add dma interrupts and callbacks
    dmatest: add xor test
    dmaengine: allow dma support for async_tx to be toggled
    async_tx: provide __async_inline for HAS_DMA=n archs
    dmaengine: kill some unused headers
    dmaengine: initialize tx_list in dma_async_tx_descriptor_init
    dma: i.MX31 IPU DMA robustness improvements
    dma: improve section assignment in i.MX31 IPU DMA driver
    dma: ipu_idmac driver cosmetic clean-up
    dmaengine: fail device registration if channel registration fails

    Linus Torvalds
     
  • * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
    crypto: ixp4xx - Fix handling of chained sg buffers
    crypto: shash - Fix unaligned calculation with short length
    hwrng: timeriomem - Use phys address rather than virt

    Linus Torvalds
     
  • * 'for-linus' of git://neil.brown.name/md: (53 commits)
    md/raid5 revise rules for when to update metadata during reshape
    md/raid5: minor code cleanups in make_request.
    md: remove CONFIG_MD_RAID_RESHAPE config option.
    md/raid5: be more careful about write ordering when reshaping.
    md: don't display meaningless values in sysfs files resync_start and sync_speed
    md/raid5: allow layout and chunksize to be changed on active array.
    md/raid5: reshape using largest of old and new chunk size
    md/raid5: prepare for allowing reshape to change layout
    md/raid5: prepare for allowing reshape to change chunksize.
    md/raid5: clearly differentiate 'before' and 'after' stripes during reshape.
    Documentation/md.txt update
    md: allow number of drives in raid5 to be reduced
    md/raid5: change reshape-progress measurement to cope with reshaping backwards.
    md: add explicit method to signal the end of a reshape.
    md/raid5: enhance raid5_size to work correctly with negative delta_disks
    md/raid5: drop qd_idx from r6_state
    md/raid6: move raid6 data processing to raid6_pq.ko
    md: raid5 run(): Fix max_degraded for raid level 4.
    md: 'array_size' sysfs attribute
    md: centralize ->array_sectors modifications
    ...

    Linus Torvalds
     

31 Mar, 2009

1 commit


27 Mar, 2009

2 commits

  • When the total length is shorter than the calculated number of unaligned bytes, the call to shash->update breaks. For example, calling crc32c on unaligned buffer with length of 1 can result in a system crash.

    Signed-off-by: Yehuda Sadeh
    Signed-off-by: Herbert Xu

    Yehuda Sadeh
     
  • * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (29 commits)
    crypto: sha512-s390 - Add missing block size
    hwrng: timeriomem - Breaks an allyesconfig build on s390:
    nlattr: Fix build error with NET off
    crypto: testmgr - add zlib test
    crypto: zlib - New zlib crypto module, using pcomp
    crypto: testmgr - Add support for the pcomp interface
    crypto: compress - Add pcomp interface
    netlink: Move netlink attribute parsing support to lib
    crypto: Fix dead links
    hwrng: timeriomem - New driver
    crypto: chainiv - Use kcrypto_wq instead of keventd_wq
    crypto: cryptd - Per-CPU thread implementation based on kcrypto_wq
    crypto: api - Use dedicated workqueue for crypto subsystem
    crypto: testmgr - Test skciphers with no IVs
    crypto: aead - Avoid infinite loop when nivaead fails selftest
    crypto: skcipher - Avoid infinite loop when cipher fails selftest
    crypto: api - Fix crypto_alloc_tfm/create_create_tfm return convention
    crypto: api - crypto_alg_mod_lookup either tested or untested
    crypto: amcc - Add crypt4xx driver
    crypto: ansi_cprng - Add maintainer
    ...

    Linus Torvalds
     

26 Mar, 2009

2 commits


04 Mar, 2009

5 commits

  • Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Herbert Xu

    Geert Uytterhoeven
     
  • Signed-off-by: Geert Uytterhoeven
    Cc: James Morris
    Signed-off-by: Herbert Xu

    Geert Uytterhoeven
     
  • Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Herbert Xu

    Geert Uytterhoeven
     
  • The current "comp" crypto interface supports one-shot (de)compression only,
    i.e. the whole data buffer to be (de)compressed must be passed at once, and
    the whole (de)compressed data buffer will be received at once.
    In several use-cases (e.g. compressed file systems that store files in big
    compressed blocks), this workflow is not suitable.
    Furthermore, the "comp" type doesn't provide for the configuration of
    (de)compression parameters, and always allocates workspace memory for both
    compression and decompression, which may waste memory.

    To solve this, add a "pcomp" partial (de)compression interface that provides
    the following operations:
    - crypto_compress_{init,update,final}() for compression,
    - crypto_decompress_{init,update,final}() for decompression,
    - crypto_{,de}compress_setup(), to configure (de)compression parameters
    (incl. allocating workspace memory).

    The (de)compression methods take a struct comp_request, which was mimicked
    after the z_stream object in zlib, and contains buffer pointer and length
    pairs for input and output.

    The setup methods take an opaque parameter pointer and length pair. Parameters
    are supposed to be encoded using netlink attributes, whose meanings depend on
    the actual (name of the) (de)compression algorithm.

    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Herbert Xu

    Geert Uytterhoeven
     
  • Signed-off-by: Adrian-Ken Rueegsegger
    Signed-off-by: Herbert Xu

    Adrian-Ken Rueegsegger
     

26 Feb, 2009

1 commit

  • With the mandatory algorithm testing at registration, we have
    now created a deadlock with algorithms requiring fallbacks.
    This can happen if the module containing the algorithm requiring
    fallback is loaded first, without the fallback module being loaded
    first. The system will then try to test the new algorithm, find
    that it needs to load a fallback, and then try to load that.

    As both algorithms share the same module alias, it can attempt
    to load the original algorithm again and block indefinitely.

    As algorithms requiring fallbacks are a special case, we can fix
    this by giving them a different module alias than the rest. Then
    it's just a matter of using the right aliases according to what
    algorithms we're trying to find.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

19 Feb, 2009

4 commits

  • crypto_ahash_show changed to use cra_ahash for digestsize reference.

    Signed-off-by: Lee Nipper
    Signed-off-by: Herbert Xu

    Lee Nipper
     
  • keventd_wq has potential starvation problem, so use dedicated
    kcrypto_wq instead.

    Signed-off-by: Huang Ying
    Signed-off-by: Herbert Xu

    Huang Ying
     
  • Original cryptd thread implementation has scalability issue, this
    patch solve the issue with a per-CPU thread implementation.

    struct cryptd_queue is defined to be a per-CPU queue, which holds one
    struct cryptd_cpu_queue for each CPU. In struct cryptd_cpu_queue, a
    struct crypto_queue holds all requests for the CPU, a struct
    work_struct is used to run all requests for the CPU.

    Testing based on dm-crypt on an Intel Core 2 E6400 (two cores) machine
    shows 19.2% performance gain. The testing script is as follow:

    -------------------- script begin ---------------------------
    #!/bin/sh

    dmc_create()
    {
    # Create a crypt device using dmsetup
    dmsetup create $2 --table "0 `blockdev --getsize $1` crypt cbc(aes-asm)?cryptd?plain:plain babebabebabebabebabebabebabebabe 0 $1 0"
    }

    dmsetup remove crypt0
    dmsetup remove crypt1

    dd if=/dev/zero of=/dev/ram0 bs=1M count=4 >& /dev/null
    dd if=/dev/zero of=/dev/ram1 bs=1M count=4 >& /dev/null

    dmc_create /dev/ram0 crypt0
    dmc_create /dev/ram1 crypt1

    cat >tr.sh <& /dev/null &
    dd if=/dev/dm-1 of=/dev/null >& /dev/null &
    done
    wait
    EOF

    for n in $(seq 10); do
    /usr/bin/time sh tr.sh
    done
    rm tr.sh
    -------------------- script end ---------------------------

    The separator of dm-crypt parameter is changed from "-" to "?", because
    "-" is used in some cipher driver name too, and cryptds need to specify
    cipher driver name instead of cipher name.

    The test result on an Intel Core2 E6400 (two cores) is as follow:

    without patch:
    -----------------wo begin --------------------------
    0.04user 0.38system 0:00.39elapsed 107%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6566minor)pagefaults 0swaps
    0.07user 0.35system 0:00.35elapsed 121%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6567minor)pagefaults 0swaps
    0.06user 0.34system 0:00.30elapsed 135%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6562minor)pagefaults 0swaps
    0.05user 0.37system 0:00.36elapsed 119%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6607minor)pagefaults 0swaps
    0.06user 0.36system 0:00.35elapsed 120%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6562minor)pagefaults 0swaps
    0.05user 0.37system 0:00.31elapsed 136%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6594minor)pagefaults 0swaps
    0.04user 0.34system 0:00.30elapsed 126%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6597minor)pagefaults 0swaps
    0.06user 0.32system 0:00.31elapsed 125%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6571minor)pagefaults 0swaps
    0.06user 0.34system 0:00.31elapsed 134%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6581minor)pagefaults 0swaps
    0.05user 0.38system 0:00.31elapsed 138%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6600minor)pagefaults 0swaps
    -----------------wo end --------------------------

    with patch:
    ------------------w begin --------------------------
    0.02user 0.31system 0:00.24elapsed 141%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6554minor)pagefaults 0swaps
    0.05user 0.34system 0:00.31elapsed 127%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6606minor)pagefaults 0swaps
    0.07user 0.33system 0:00.26elapsed 155%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6559minor)pagefaults 0swaps
    0.07user 0.32system 0:00.26elapsed 151%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6562minor)pagefaults 0swaps
    0.05user 0.34system 0:00.26elapsed 150%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6603minor)pagefaults 0swaps
    0.03user 0.36system 0:00.31elapsed 124%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6562minor)pagefaults 0swaps
    0.04user 0.35system 0:00.26elapsed 147%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6586minor)pagefaults 0swaps
    0.03user 0.37system 0:00.27elapsed 146%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6562minor)pagefaults 0swaps
    0.04user 0.36system 0:00.26elapsed 154%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6594minor)pagefaults 0swaps
    0.04user 0.35system 0:00.26elapsed 154%CPU (0avgtext+0avgdata 0maxresident)k
    0inputs+0outputs (0major+6557minor)pagefaults 0swaps
    ------------------w end --------------------------

    The middle value of elapsed time is:
    wo cryptwq: 0.31
    w cryptwq: 0.26

    The performance gain is about (0.31-0.26)/0.26 = 0.192.

    Signed-off-by: Huang Ying
    Signed-off-by: Herbert Xu

    Huang Ying
     
  • Use dedicated workqueue for crypto subsystem

    A dedicated workqueue named kcrypto_wq is created to be used by crypto
    subsystem. The system shared keventd_wq is not suitable for
    encryption/decryption, because of potential starvation problem.

    Signed-off-by: Huang Ying
    Signed-off-by: Herbert Xu

    Huang Ying
     

18 Feb, 2009

10 commits

  • As it is an skcipher with no IV escapes testing altogether because
    we only test givcipher objects. This patch fixes the bypass logic
    to test these algorithms.

    Conversely, we're currently testing nivaead algorithms with IVs,
    which would have deadlocked had it not been for the fact that no
    nivaead algorithms have any test vectors. This patch also fixes
    that case.

    Both fixes are ugly as hell, but this ugliness should hopefully
    disappear once we move them into the per-type code (i.e., the
    AEAD test would live in aead.c and the skcipher stuff in ablkcipher.c).

    Signed-off-by: Herbert Xu

    Herbert Xu
     
  • When an aead constructed through crypto_nivaead_default fails
    its selftest, we'll loop forever trying to construct new aead
    objects but failing because it already exists.

    The crux of the issue is that once an aead fails the selftest,
    we'll ignore it on the next run through crypto_aead_lookup and
    attempt to construct a new aead.

    We should instead return an error to the caller if we find an
    an that has failed the test.

    This bug hasn't manifested itself yet because we don't have any
    test vectors for the existing nivaead algorithms. They're tested
    through the underlying algorithms only.

    Signed-off-by: Herbert Xu

    Herbert Xu
     
  • When an skcipher constructed through crypto_givcipher_default fails
    its selftest, we'll loop forever trying to construct new skcipher
    objects but failing because it already exists.

    The crux of the issue is that once a givcipher fails the selftest,
    we'll ignore it on the next run through crypto_skcipher_lookup and
    attempt to construct a new givcipher.

    We should instead return an error to the caller if we find a
    givcipher that has failed the test.

    Signed-off-by: Herbert Xu

    Herbert Xu
     
  • This is based on a report and patch by Geert Uytterhoeven.

    The functions crypto_alloc_tfm and create_create_tfm return a
    pointer that needs to be adjusted by the caller when successful
    and otherwise an error value. This means that the caller has
    to check for the error and only perform the adjustment if the
    pointer returned is valid.

    Since all callers want to make the adjustment and we know how
    to adjust it ourselves, it's much easier to just return adjusted
    pointer directly.

    The only caveat is that we have to return a void * instead of
    struct crypto_tfm *. However, this isn't that bad because both
    of these functions are for internal use only (by types code like
    shash.c, not even algorithms code).

    This patch also moves crypto_alloc_tfm into crypto/internal.h
    (crypto_create_tfm is already there) to reflect this.

    Signed-off-by: Herbert Xu

    Herbert Xu
     
  • As it stands crypto_alg_mod_lookup will search either tested or
    untested algorithms, but never both at the same time. However,
    we need exactly that when constructing givcipher and aead so
    this patch adds support for that by setting the tested bit in
    type but clearing it in mask. This combination is currently
    unused.

    Signed-off-by: Herbert Xu

    Herbert Xu
     
  • FIPS 140-2 specifies that all access to various cryptographic modules be
    prevented in the event that any of the provided self tests fail on the various
    implemented algorithms. We already panic when any of the test in testmgr.c
    fail when we are operating in fips mode. The continuous test in the cprng here
    was missed when that was implmented. This code simply checks for the
    fips_enabled flag if the test fails, and warns us via syslog or panics the box
    accordingly.

    Signed-off-by: Neil Horman
    Signed-off-by: Herbert Xu

    Neil Horman
     
  • Pseudo RNGs provide predictable outputs based on input parateters {key, V, DT},
    the idea behind them is that only the user should know what the inputs are.
    While its nice to have default known values for testing purposes, it seems
    dangerous to allow the use of those default values without some sort of safety
    measure in place, lest an attacker easily guess the output of the cprng. This
    patch forces the NEED_RESET flag on when allocating a cprng context, so that any
    user is forced to reseed it before use. The defaults can still be used for
    testing, but this will prevent their inadvertent use, and be more secure.

    Signed-off-by: Neil Horman
    Signed-off-by: Herbert Xu

    Neil Horman
     
  • Intel AES-NI is a new set of Single Instruction Multiple Data (SIMD)
    instructions that are going to be introduced in the next generation of
    Intel processor, as of 2009. These instructions enable fast and secure
    data encryption and decryption, using the Advanced Encryption Standard
    (AES), defined by FIPS Publication number 197. The architecture
    introduces six instructions that offer full hardware support for
    AES. Four of them support high performance data encryption and
    decryption, and the other two instructions support the AES key
    expansion procedure.

    The white paper can be downloaded from:

    http://softwarecommunity.intel.com/isn/downloads/intelavx/AES-Instructions-Set_WP.pdf

    AES may be used in soft_irq context, but MMX/SSE context can not be
    touched safely in soft_irq context. So in_interrupt() is checked, if
    in IRQ or soft_irq context, the general x86_64 implementation are used
    instead.

    Signed-off-by: Huang Ying
    Signed-off-by: Herbert Xu

    Huang Ying
     
  • cryptd_alloc_ablkcipher() will allocate a cryptd-ed ablkcipher for
    specified algorithm name. The new allocated one is guaranteed to be
    cryptd-ed ablkcipher, so the blkcipher underlying can be gotten via
    cryptd_ablkcipher_child().

    Signed-off-by: Huang Ying
    Signed-off-by: Herbert Xu

    Huang Ying
     
  • We're currently checking the frontend type in init_tfm. This is
    completely pointless because the fact that we're called at all
    means that the frontend is ours so the type must match as well.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

17 Feb, 2009

1 commit

  • It turns out that LRW has never worked properly on big endian.
    This was never discussed because nobody actually used it that
    way. In fact, it was only discovered when Geert Uytterhoeven
    loaded it through tcrypt which failed the test on it.

    The fix is straightforward, on big endian the to find the nth
    bit we should be grouping them by words instead of bytes. So
    setbit128_bbe should xor with 128 - BITS_PER_LONG instead of
    128 - BITS_PER_BYTE == 0x78.

    Tested-by: Geert Uytterhoeven
    Signed-off-by: Herbert Xu

    Herbert Xu
     

09 Feb, 2009

1 commit


05 Feb, 2009

2 commits


28 Jan, 2009

1 commit

  • When we complete a test we'll notify everyone waiting on it, drop
    the mutex, and then remove the test larval (after reacquiring the
    mutex). If one of the notified parties tries to register another
    algorithm with the same driver name prior to the removal of the
    test larval, they will fail with EEXIST as only one algorithm of
    a given name can be tested at any time.

    This broke the initialisation of aead and givcipher algorithms as
    they will register two algorithms with the same driver name, in
    sequence.

    This patch fixes the problem by marking the larval as dead before
    we drop the mutex, and also ignoring all dead or dying algorithms
    on the registration path.

    Tested-by: Andreas Steffen
    Signed-off-by: Herbert Xu

    Herbert Xu
     

27 Jan, 2009

2 commits

  • Its a valid use case to have null associated data in a ccm vector, but
    this case isn't being handled properly right now.

    The following ccm decryption/verification test vector, using the
    rfc4309 implementation regularly triggers a panic, as will any
    other vector with null assoc data:

    * key: ab2f8a74b71cd2b1ff802e487d82f8b9
    * iv: c6fb7d800d13abd8a6b2d8
    * Associated Data: [NULL]
    * Tag Length: 8
    * input: d5e8939fc7892e2b

    The resulting panic looks like so:

    Unable to handle kernel paging request at ffff810064ddaec0 RIP:
    [] :ccm:get_data_to_compute+0x1a6/0x1d6
    PGD 8063 PUD 0
    Oops: 0002 [1] SMP
    last sysfs file: /module/libata/version
    CPU 0
    Modules linked in: crypto_tester_kmod(U) seqiv krng ansi_cprng chainiv rng ctr aes_generic aes_x86_64 ccm cryptomgr testmgr_cipher testmgr aead crypto_blkcipher crypto_a
    lgapi des ipv6 xfrm_nalgo crypto_api autofs4 hidp l2cap bluetooth nfs lockd fscache nfs_acl sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_
    tcpudp iptable_filter ip_tables x_tables dm_mirror dm_log dm_multipath scsi_dh dm_mod video hwmon backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp sg
    snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss joydev snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss ide_cd snd_pcm floppy parport_p
    c shpchp e752x_edac snd_timer e1000 i2c_i801 edac_mc snd soundcore snd_page_alloc i2c_core cdrom parport serio_raw pcspkr ata_piix libata sd_mod scsi_mod ext3 jbd uhci_h
    cd ohci_hcd ehci_hcd
    Pid: 12844, comm: crypto-tester Tainted: G 2.6.18-128.el5.fips1 #1
    RIP: 0010:[] [] :ccm:get_data_to_compute+0x1a6/0x1d6
    RSP: 0018:ffff8100134434e8 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: ffff8100104898b0 RCX: ffffffffab6aea10
    RDX: 0000000000000010 RSI: ffff8100104898c0 RDI: ffff810064ddaec0
    RBP: 0000000000000000 R08: ffff8100104898b0 R09: 0000000000000000
    R10: ffff8100103bac84 R11: ffff8100104898b0 R12: ffff810010489858
    R13: ffff8100104898b0 R14: ffff8100103bac00 R15: 0000000000000000
    FS: 00002ab881adfd30(0000) GS:ffffffff803ac000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: ffff810064ddaec0 CR3: 0000000012a88000 CR4: 00000000000006e0
    Process crypto-tester (pid: 12844, threadinfo ffff810013442000, task ffff81003d165860)
    Stack: ffff8100103bac00 ffff8100104898e8 ffff8100134436f8 ffffffff00000000
    0000000000000000 ffff8100104898b0 0000000000000000 ffff810010489858
    0000000000000000 ffff8100103bac00 ffff8100134436f8 ffffffff8864c634
    Call Trace:
    [] :ccm:crypto_ccm_auth+0x12d/0x140
    [] :ccm:crypto_ccm_decrypt+0x161/0x23a
    [] :crypto_tester_kmod:cavs_test_rfc4309_ccm+0x4a5/0x559
    [...]

    The above is from a RHEL5-based kernel, but upstream is susceptible too.

    The fix is trivial: in crypto/ccm.c:crypto_ccm_auth(), pctx->ilen contains
    whatever was in memory when pctx was allocated if assoclen is 0. The tested
    fix is to simply add an else clause setting pctx->ilen to 0 for the
    assoclen == 0 case, so that get_data_to_compute() doesn't try doing
    things its not supposed to.

    Signed-off-by: Jarod Wilson
    Acked-by: Neil Horman
    Signed-off-by: Herbert Xu

    Jarod Wilson
     
  • When we get left-over bits from a slow walk, it means that the
    underlying cipher has gone troppo. However, as we're handling
    that case we should ensure that the caller terminates the walk.

    This patch does this by setting walk->nbytes to zero.

    Reported-by: Roel Kluin
    Reported-by: Huang Ying
    Signed-off-by: Herbert Xu

    Herbert Xu
     

15 Jan, 2009

1 commit

  • As it is if an algorithm with a zero-length IV is used (e.g.,
    NULL encryption) with authenc, authenc may generate an SG entry
    of length zero, which will trigger a BUG check in the hash layer.

    This patch fixes it by skipping the IV SG generation if the IV
    size is zero.

    Signed-off-by: Herbert Xu

    Herbert Xu