15 Feb, 2015
1 commit
-
Pull crypto update from Herbert Xu:
"Here is the crypto update for 3.20:
- Added 192/256-bit key support to aesni GCM.
- Added MIPS OCTEON MD5 support.
- Fixed hwrng starvation and race conditions.
- Added note that memzero_explicit is not a substitute for memset.
- Added user-space interface for crypto_rng.
- Misc fixes"
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (71 commits)
crypto: tcrypt - do not allocate iv on stack for aead speed tests
crypto: testmgr - limit IV copy length in aead tests
crypto: tcrypt - fix buflen remainder calculation
crypto: testmgr - mark rfc4106(gcm(aes)) as fips_allowed
crypto: caam - fix resource clean-up on error path for caam_jr_init
crypto: caam - pair irq map and dispose in the same function
crypto: ccp - terminate ccp_support array with empty element
crypto: caam - remove unused local variable
crypto: caam - remove dead code
crypto: caam - don't emit ICV check failures to dmesg
hwrng: virtio - drop extra empty line
crypto: replace scatterwalk_sg_next with sg_next
crypto: atmel - Free memory in error path
crypto: doc - remove colons in comments
crypto: seqiv - Ensure that IV size is at least 8 bytes
crypto: cts - Weed out non-CBC algorithms
MAINTAINERS: add linux-crypto to hw random
crypto: cts - Remove bogus use of seqiv
crypto: qat - don't need qat_auth_state struct
crypto: algif_rng - fix sparse non static symbol warning
...
11 Feb, 2015
1 commit
-
Commit 1d10eb2f156f ("crypto: switch af_alg_make_sg() to iov_iter")
broke af_alg_make_sg() and skcipher_recvmsg() in the process of moving
them to the iov_iter interfaces. The 'npages' calculation in the former
calculated the number of *bytes* in the pages, and in the latter case
the conversion didn't re-read the value of 'ctx->used' after waiting for
it to become non-zero.
This reverts to the original code for both these cases.
Cc: Al Viro
Cc: David Miller
Signed-off-by: Linus Torvalds
04 Feb, 2015
4 commits
-
See also: 9bac019dad8098a77cce555d929f678e22111783
Signed-off-by: Cristian Stoica
Signed-off-by: Herbert Xu
-
The working copy of IV is the same size as the transformation's IV.
It is not necessary to copy more than that from the template since
iv_len is usually less than MAX_IVLEN and the rest of the copied data
is garbage.
Signed-off-by: Cristian Stoica
Signed-off-by: Herbert Xu
-
- This fixes the intent of the code to limit the last scatterlist to
either a full PAGE or a fraction of it, depending on the number of
pages needed by buflen and the available space advertised by XBUFLEN.
The original code always sets the last scatterlist to a fraction of a
PAGE because the first 'if' is never executed.
- Rearrange the second part of the code to remove the conditional from
the loop
Signed-off-by: Cristian Stoica
Signed-off-by: Herbert Xu
-
With that, all ->sendmsg() instances are converted to iov_iter primitives
and are agnostic wrt the kind of iov_iter they are working with.
So's the last remaining ->recvmsg() instance that wasn't kind-agnostic yet.
All ->sendmsg() and ->recvmsg() advance ->msg_iter by the amount actually
copied and none of them modifies the underlying iovec, etc.
Cc: linux-crypto@vger.kernel.org
Signed-off-by: Al Viro
26 Jan, 2015
2 commits
-
This gcm variant is popular for ipsec use, and there are folks who would
like to use it while in fips mode. Mark it with fips_allowed=1 to
facilitate that.
CC: LKML
CC: Stephan Mueller
Signed-off-by: Jarod Wilson
Acked-by: Stephan Mueller
Signed-off-by: Herbert Xu
-
Modify crypto drivers to use the generic SG helper since
both of them are equivalent and the one from crypto is redundant.
See also:
468577abe37ff7b453a9ac613e0ea155349203ae reverted in
b2ab4a57b018aafbba35bff088218f5cc3d2142e
Signed-off-by: Cristian Stoica
Signed-off-by: Herbert Xu
20 Jan, 2015
3 commits
-
Since seqiv is designed for IPsec we need to be able to accommodate
the whole IPsec sequence number in order to ensure the uniqueness
of the IV.
This patch forbids any algorithm with an IV size of less than 8
from using it. This should have no impact on existing users since
they all have an IV size of 8.
Reported-by: Maciej Żenczykowski
Signed-off-by: Herbert Xu
Acked-by: Maciej Żenczykowski
-
The cts algorithm as currently implemented assumes the underlying
is a CBC-mode algorithm. So this patch adds a check for that to
eliminate bogus combinations of cts with non-CBC modes.
Signed-off-by: Herbert Xu
-
The seqiv generator is completely inappropriate for cts as it's
designed for IPsec algorithms. Since cts users do not actually
use the IV generator we can just fall back to the default.
Signed-off-by: Herbert Xu
Acked-by: Maciej Żenczykowski
14 Jan, 2015
1 commit
-
Fixes the following sparse warnings:
crypto/algif_rng.c:185:13: warning:
symbol 'rng_exit' was not declared. Should it be static?
Signed-off-by: Wei Yongjun
Acked-by: Stephan Mueller
Acked-by: Neil Horman
Signed-off-by: Herbert Xu
13 Jan, 2015
2 commits
-
tcrypt/testmgr uses wait_for_completion_interruptible() everywhere when
it waits for a request to be completed. If it's interrupted, then the
test is aborted and the request is freed.
However, if any of these calls actually do get interrupted, the result
will likely be a kernel crash, when the driver handles the now-freed
request. Use wait_for_completion() instead.
Signed-off-by: Rabin Vincent
Signed-off-by: Herbert Xu
-
Commit 5d26a105b5a7 ("crypto: prefix module autoloading with "crypto-"")
changed the automatic module loading when requesting crypto algorithms
to prefix all module requests with "crypto-". This requires all crypto
modules to have a crypto specific module alias even if their file name
would otherwise match the requested crypto algorithm.
Even though commit 5d26a105b5a7 added those aliases for a vast amount of
modules, it was missing a few. Add the required MODULE_ALIAS_CRYPTO
annotations to those files to make them get loaded automatically, again.
This fixes, e.g., requesting 'ecb(blowfish-generic)', which used to work
with kernels v3.18 and below.
Also change MODULE_ALIAS() lines to MODULE_ALIAS_CRYPTO(). The former
won't work for crypto modules any more.
Fixes: 5d26a105b5a7 ("crypto: prefix module autoloading with "crypto-"")
Cc: Kees Cook
Signed-off-by: Mathias Krause
Signed-off-by: Herbert Xu
05 Jan, 2015
1 commit
-
This reverts commit 421d82f5b3e75f94e31875e37d45cdf6a557c120.
None of the data zeroed are on the stack so the compiler cannot
optimise them away.
Signed-off-by: Herbert Xu
29 Dec, 2014
2 commits
-
Enable compilation of the RNG AF_ALG support and provide a Kconfig
option to compile the RNG AF_ALG support.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
-
This patch adds the random number generator support for AF_ALG.
A random number generator's purpose is to generate data without
requiring the caller to provide any data. Therefore, the AF_ALG
interface handler for RNGs only implements a callback handler for
recvmsg.
The following parameters provided with a recvmsg are processed by the
RNG callback handler:
* sock - to resolve the RNG context data structure accessing the
RNG instance private to the socket
* len - this parameter allows userspace callers to specify how
many random bytes the RNG shall produce and return. As the
kernel context for the RNG allocates a buffer of 128 bytes to
store random numbers before copying them to userspace, the len
parameter is checked that it is not larger than 128. If a
caller wants more random numbers, a new request for recvmsg
shall be made.
The size of 128 bytes is chosen because of the following considerations:
* to increase the memory footprint of the kernel too much (note,
that would be 128 bytes per open socket)
* 128 is divisible by any typical cryptographic block size an
RNG may have
* A request for random numbers typically only shall supply small
amount of data like for keys or IVs that should only require
one invocation of the recvmsg function.
Note, during instantiation of the RNG, the code checks whether the RNG
implementation requires seeding. If so, the RNG is seeded with output
from get_random_bytes.
A fully working example using all aspects of the RNG interface is
provided at http://www.chronox.de/libkcapi.html
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
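A user-space caller of the algif_rng interface described in the commit above, added here as an example (it is neither the kernel's code nor libkcapi); it assumes a Linux build environment with <linux/if_alg.h> and that an RNG registered under the name "stdrng" is available, and it shows the only part the interface leaves to the caller: splitting a request larger than the kernel's 128-byte buffer into repeated recvmsg() calls.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>

/* The kernel buffers at most 128 random bytes per algif_rng socket, so
 * one recvmsg() never returns more; bigger requests are split up. */
#define ALGIF_RNG_MAXSIZE 128

/* Size of the next request, capped at the kernel-side buffer size. */
static size_t rng_chunk(size_t remaining)
{
    return remaining > ALGIF_RNG_MAXSIZE ? ALGIF_RNG_MAXSIZE : remaining;
}

/* Fill 'out' with 'total' bytes from kernel RNG 'name' (e.g. "stdrng") via
 * AF_ALG. Returns bytes written, or -1 (errno set) if AF_ALG is unavailable,
 * the algorithm is unknown, or a read fails. */
static ssize_t algif_rng_read(const char *name, unsigned char *out, size_t total)
{
    struct sockaddr_alg sa;
    int tfm, op;
    size_t got = 0;

    memset(&sa, 0, sizeof sa);
    sa.salg_family = AF_ALG;
    strncpy((char *)sa.salg_type, "rng", sizeof sa.salg_type - 1);
    strncpy((char *)sa.salg_name, name, sizeof sa.salg_name - 1);
    tfm = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (tfm < 0)
        return -1;
    /* accept() gives the operation socket. Nothing is sent on it first: an
     * RNG needs no caller data, so only recvmsg (here via read()) is used. */
    op = bind(tfm, (struct sockaddr *)&sa, sizeof sa) < 0 ? -1 : accept(tfm, NULL, NULL);
    close(tfm);
    if (op < 0)
        return -1;
    while (got < total) {
        ssize_t n = read(op, out + got, rng_chunk(total - got));
        if (n <= 0) {          /* error or no progress: give up */
            close(op);
            return -1;
        }
        got += (size_t)n;
    }
    close(op);
    return (ssize_t)got;
}
```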
26 Dec, 2014
1 commit
-
alg_setkey should zeroize the sensitive data after use.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
24 Dec, 2014
1 commit
-
Enable user to select OCTEON MD5 module.
Signed-off-by: Aaro Koskinen
Signed-off-by: Herbert Xu
22 Dec, 2014
9 commits
-
algif_skcipher sends 127 sgl buffers for encryption regardless of how
many buffers actually have data to process, where the few first with
valid len and the rest with zero len. This is not very efficient.
This patch marks the last one with data as the last one to process.
Signed-off-by: Tadeusz Struk
Signed-off-by: Herbert Xu
-
Use setsockopt on the tfm FD to provide the authentication tag size for
an AEAD cipher. This is achieved by adding a callback function which is
intended to be used by the AEAD AF_ALG implementation.
The optlen argument of the setsockopt specifies the authentication tag
size to be used with the AEAD tfm.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
-
This patch adds a panic if the FIPS 140-2 self test error failed.
Note, that entire code is only executed with fips_enabled (i.e. when the
kernel is booted with fips=1). It is therefore not executed for 99.9% of
all user base.
As mathematically such failure cannot occur, this panic should never be
triggered. But to comply with NIST's current requirements, an endless
loop must be replaced with the panic.
When the new version of FIPS 140 will be released, this entire
continuous self test function will be ripped out as it will not be
needed any more.
This patch is functionally equivalent as implemented in ansi_cprng.c and drivers/char/random.c.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
-
Fixed style error identified by checkpatch.
WARNING: Missing a blank line after declarations
+ int err = crypto_remove_alg(&inst->alg, &users);
+ BUG_ON(err);
Signed-off-by: Joshua I. James
Signed-off-by: Herbert Xu
-
Fixed style error identified by checkpatch.
WARNING: Missing a blank line after declarations
+ unsigned int unaligned = alignmask + 1 - (offset & alignmask);
+ if (nbytes > unaligned)
Signed-off-by: Joshua I. James
Signed-off-by: Herbert Xu
-
Fixed style error identified by checkpatch.
ERROR: space required before the open parenthesis '('
+ switch(cmsg->cmsg_type) {
Signed-off-by: Joshua I. James
Signed-off-by: Herbert Xu
-
Fixed style error identified by checkpatch.
ERROR: do not use assignment in if condition
+ if ((err = crypto_register_instance(tmpl, inst))) {
Signed-off-by: Joshua I. James
Signed-off-by: Herbert Xu
-
Fixed style errors reported by checkpatch.
WARNING: Missing a blank line after declarations
+ u8 *end_page = (u8 *)(((unsigned long)(start + len - 1)) & PAGE_MASK);
+ return max(start, end_page);
WARNING: line over 80 characters
+ scatterwalk_start(&walk->out, scatterwalk_sg_next(walk->out.sg));
WARNING: Missing a blank line after declarations
+ int err = ablkcipher_copy_iv(walk, tfm, alignmask);
+ if (err)
ERROR: do not use assignment in if condition
+ if ((err = crypto_register_instance(tmpl, inst))) {
Signed-off-by: Joshua I. James
Signed-off-by: Herbert Xu
-
If a request is backlogged, its complete() handler will get called
twice: once with -EINPROGRESS, and once with the final error code.
af_alg's complete handler, unlike other users, does not handle the
-EINPROGRESS but instead always completes the completion that recvmsg()
is waiting on. This can lead to a return to user space while the
request is still pending in the driver. If userspace closes the sockets
before the requests are handled by the driver, this will lead to
use-after-frees (and potential crashes) in the kernel due to the tfm
having been freed.
The crashes can be easily reproduced (for example) by reducing the max
queue length in cryptod.c and running the following (from
http://www.chronox.de/libkcapi.html) on AES-NI capable hardware:
$ while true; do kcapi -x 1 -e -c '__ecb-aes-aesni' \
-k 00000000000000000000000000000000 \
-p 00000000000000000000000000000000 >/dev/null & done
Cc: stable@vger.kernel.org
Signed-off-by: Rabin Vincent
Signed-off-by: Herbert Xu
14 Dec, 2014
1 commit
-
Pull crypto update from Herbert Xu:
- The crypto API is now documented :)
- Disallow arbitrary module loading through crypto API.
- Allow get request with empty driver name through crypto_user.
- Allow speed testing of arbitrary hash functions.
- Add caam support for ctr(aes), gcm(aes) and their derivatives.
- nx now supports concurrent hashing properly.
- Add sahara support for SHA1/256.
- Add ARM64 version of CRC32.
- Misc fixes.
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (77 commits)
crypto: tcrypt - Allow speed testing of arbitrary hash functions
crypto: af_alg - add user space interface for AEAD
crypto: qat - fix problem with coalescing enable logic
crypto: sahara - add support for SHA1/256
crypto: sahara - replace tasklets with kthread
crypto: sahara - add support for i.MX53
crypto: sahara - fix spinlock initialization
crypto: arm - replace memset by memzero_explicit
crypto: powerpc - replace memset by memzero_explicit
crypto: sha - replace memset by memzero_explicit
crypto: sparc - replace memset by memzero_explicit
crypto: algif_skcipher - initialize upon init request
crypto: algif_skcipher - removed unneeded code
crypto: algif_skcipher - Fixed blocking recvmsg
crypto: drbg - use memzero_explicit() for clearing sensitive data
crypto: drbg - use MODULE_ALIAS_CRYPTO
crypto: include crypto- module prefix in template
crypto: user - add MODULE_ALIAS
crypto: sha-mb - remove a bogus NULL check
crypto: qat - Fix 64 bytes requests
...
11 Dec, 2014
1 commit
-
Introduce helper macro for_each_cmsghdr as a wrapper of the enumerating
cmsghdr from msghdr, just cleanup.
Signed-off-by: Gu Zheng
Signed-off-by: David S. Miller
10 Dec, 2014
1 commit
-
Note that the code _using_ ->msg_iter at that point will be very
unhappy with anything other than unshifted iovec-backed iov_iter.
We still need to convert users to proper primitives.
Signed-off-by: Al Viro
05 Dec, 2014
2 commits
-
This patch allows the testing of arbitrary hash functions specified
by the alg module parameter by using them in mode 300 (for sync hash)
and mode 400 (for async hash).
For example, you could do
modprobe tcrypt mode=300 alg='vmac(aes)'
Signed-off-by: Herbert Xu
-
AEAD requires the caller to specify the following information separate
from the data stream. This information allows the AEAD interface handler
to identify the AAD, ciphertext/plaintext and the authentication tag:
* Associated authentication data of arbitrary length and
length
* Length of authentication tag for encryption
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
02 Dec, 2014
1 commit
-
When using the algif_skcipher, the following call sequence causes a
re-initialization:
1. sendmsg with ALG_SET_OP and iov == NULL, iovlen == 0 (i.e.
initializing the cipher, but not sending data)
2. sendmsg with msg->msg-controllen == 0 and iov != NULL (using the initialized
cipher handle by sending data)
In step 2, the cipher operation type (encryption or decryption) is reset
to always decryption, because the local variable of enc is put into
ctx->enc as ctx->user is still zero.
The same applies when all send data is processed and ctx->used falls to
zero followed by user space to send new data.
This patch changes the behavior to only reset the cipher operation type
(and the IV) if such configuration request is received.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
01 Dec, 2014
1 commit
-
Remove unneeded code.
Signed-off-by: Tadeusz Struk
Signed-off-by: Herbert Xu
28 Nov, 2014
1 commit
-
As most (all?) users of algif_skcipher are single-threaded and
therefore always write before reading from an algif_skcipher
socket, they never block and exercise that code-path.
It turns out that code path doesn't even work because we never
reload ctx->used after waking up so we never even see the new
data and immediately return an error (and a loud WARN_ON).
This patch fixes this by always reloading ctx->used.
Reported-by: Stephan Mueller
Signed-off-by: Herbert Xu
Acked-by: Stephan Mueller
27 Nov, 2014
1 commit
-
Compiler dead store optimization can sometimes remove final calls
to memset() used to clear sensitive data at the end of a function.
Replace trailing memset() calls with memzero_explicit() to
preclude unwanted removal.
Signed-off-by: Nickolaus Woodruff
Signed-off-by: Herbert Xu
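A user-space analogue of the dead-store problem the commit above fixes, added here as an example and not the kernel's own memzero_explicit() implementation; it assumes a GCC/Clang-style asm barrier and a constructed toy key expansion, and it also reflects the 3.20 note that memzero_explicit is only for trailing clears the optimizer could drop, not a general memset replacement.

```c
#include <stddef.h>
#include <string.h>

/* User-space analogue of the kernel's memzero_explicit(). A memset() whose
 * target is never read again is a dead store the optimizer may drop. The
 * empty asm statement with a "memory" clobber tells the compiler the buffer
 * is observed afterwards, so the clearing cannot be removed. This is only
 * needed for such trailing clears; plain memset() is fine everywhere else. */
static void secure_zero(void *p, size_t n)
{
    memset(p, 0, n);
    __asm__ __volatile__("" : : "r"(p) : "memory");
}

/* The pattern the commit fixes: key material expanded into a local buffer
 * that must be wiped before returning. 'ks' is dead after the wipe, so a
 * plain memset() here is exactly the store the compiler may eliminate.
 * (The expansion is a constructed toy, not a real key schedule.) */
static unsigned char expand_and_wipe(const unsigned char *key, size_t klen)
{
    unsigned char ks[64];
    unsigned char acc = 0;
    size_t i;

    for (i = 0; i < sizeof ks; i++) {
        ks[i] = (unsigned char)(key[i % klen] ^ (unsigned char)i);
        acc = (unsigned char)(acc + ks[i]);   /* checksum so the work is used */
    }
    secure_zero(ks, sizeof ks);
    return acc;
}

/* Reports whether every byte of 'p' is zero (lets a caller verify a wipe). */
static int all_zero(const unsigned char *p, size_t n)
{
    unsigned char v = 0;
    while (n--)
        v |= *p++;
    return v == 0;
}
```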
26 Nov, 2014
3 commits
-
Use the crypto- prefix for the DRBG implementations.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
-
This adds the module loading prefix "crypto-" to the template lookup
as well.
For example, attempting to load 'vfat(blowfish)' via AF_ALG now correctly
includes the "crypto-" prefix at every level, correctly rejecting "vfat":
net-pf-38
algif-hash
crypto-vfat(blowfish)
crypto-vfat(blowfish)-all
crypto-vfat
Reported-by: Mathias Krause
Signed-off-by: Kees Cook
Acked-by: Mathias Krause
Signed-off-by: Herbert Xu
-
To allow automatic loading of the crypto_user kernel module, the netlink
MODULE_ALIAS is added.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu