02 Apr, 2020

1 commit

  • Pull crypto updates from Herbert Xu:
    "API:
    - Fix out-of-sync IVs in self-test for IPsec AEAD algorithms

    Algorithms:
    - Use formally verified implementation of x86/curve25519

    Drivers:
    - Enhance hwrng support in caam

    - Use crypto_engine for skcipher/aead/rsa/hash in caam

    - Add Xilinx AES driver

    - Add uacce driver

    - Register zip engine to uacce in hisilicon

    - Add support for OCTEON TX CPT engine in marvell"

    * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (162 commits)
    crypto: af_alg - bool type cosmetics
    crypto: arm[64]/poly1305 - add artifact to .gitignore files
    crypto: caam - limit single JD RNG output to maximum of 16 bytes
    crypto: caam - enable prediction resistance in HRWNG
    bus: fsl-mc: add api to retrieve mc version
    crypto: caam - invalidate entropy register during RNG initialization
    crypto: caam - check if RNG job failed
    crypto: caam - simplify RNG implementation
    crypto: caam - drop global context pointer and init_done
    crypto: caam - use struct hwrng's .init for initialization
    crypto: caam - allocate RNG instantiation descriptor with GFP_DMA
    crypto: ccree - remove duplicated include from cc_aead.c
    crypto: chelsio - remove set but not used variable 'adap'
    crypto: marvell - enable OcteonTX cpt options for build
    crypto: marvell - add the Virtual Function driver for CPT
    crypto: marvell - add support for OCTEON TX CPT engine
    crypto: marvell - create common Kconfig and Makefile for Marvell
    crypto: arm/neon - memzero_explicit aes-cbc key
    crypto: bcm - Use scnprintf() for avoiding potential buffer overflow
    crypto: atmel-i2c - Fix wakeup fail
    ...

    Linus Torvalds
     

30 Mar, 2020

1 commit


12 Mar, 2020

2 commits

  • Do test_aead_vs_generic_impl() before test_aead_inauthentic_inputs() so
    that any differences with the generic driver are detected before getting
    to the inauthentic input tests, which intentionally use only the driver
    being tested (so that they run even if a generic driver is unavailable).

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • rfc4543 was missing from the list of algorithms that may treat the end
    of the AAD buffer specially.

    Also, with rfc4106, rfc4309, rfc4543, and rfc7539esp, the end of the AAD
    buffer is actually supposed to contain a second copy of the IV, and
    we've concluded that if the IV copies don't match the behavior is
    implementation-defined. So, the fuzz tests can't easily test that case.

    So, make the fuzz tests only use inputs where the two IV copies match.

    Reported-by: Geert Uytterhoeven
    Fixes: 40153b10d91c ("crypto: testmgr - fuzz AEADs against their generic implementation")
    Cc: Stephan Mueller
    Originally-from: Gilad Ben-Yossef
    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

06 Mar, 2020

12 commits

  • Simplify the error handling in the XTS template's ->create() function by
    taking advantage of crypto_drop_skcipher() now accepting (as a no-op) a
    spawn that hasn't been grabbed yet.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Simplify the error handling in pkcs1pad_create() by taking advantage of
    crypto_grab_akcipher() now handling an ERR_PTR() name and by taking
    advantage of crypto_drop_akcipher() now accepting (as a no-op) a spawn
    that hasn't been grabbed yet.

    While we're at it, also simplify the way the hash_name optional argument
    is handled. We only need to check whether it's present in one place,
    and we can just assign directly to ctx->digest_info.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Simplify the error handling in pcrypt_create_aead() by taking advantage
    of crypto_grab_aead() now handling an ERR_PTR() name and by taking
    advantage of crypto_drop_aead() now accepting (as a no-op) a spawn that
    hasn't been grabbed yet.

    This required also making padata_free_shell() accept a NULL argument.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Simplify the error handling in the LRW template's ->create() function by
    taking advantage of crypto_drop_skcipher() now accepting (as a no-op) a
    spawn that hasn't been grabbed yet.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Simplify the error handling in aead_geniv_alloc() by taking advantage of
    crypto_grab_aead() now handling an ERR_PTR() name and by taking
    advantage of crypto_drop_aead() now accepting (as a no-op) a spawn that
    hasn't been grabbed yet.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Simplify the error handling in crypto_rfc4543_create() by taking
    advantage of crypto_grab_aead() now handling an ERR_PTR() name and by
    taking advantage of crypto_drop_aead() now accepting (as a no-op) a
    spawn that hasn't been grabbed yet.

    Conveniently, this eliminates the 'ccm_name' variable which was
    incorrectly named (it should have been 'gcm_name').

    Also fix a weird case where a line was terminated by a comma rather than
    a semicolon, causing the statement to be continued on the next line.
    Fortunately the code still behaved as intended, though.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Simplify the error handling in crypto_rfc4106_create() by taking
    advantage of crypto_grab_aead() now handling an ERR_PTR() name and by
    taking advantage of crypto_drop_aead() now accepting (as a no-op) a
    spawn that hasn't been grabbed yet.

    Conveniently, this eliminates the 'ccm_name' variable which was
    incorrectly named (it should have been 'gcm_name').

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Simplify the error handling in crypto_cts_create() by taking advantage
    of crypto_grab_skcipher() now handling an ERR_PTR() name and by taking
    advantage of crypto_drop_skcipher() now accepting (as a no-op) a spawn
    that hasn't been grabbed yet.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Simplify the error handling in crypto_rfc3686_create() by taking
    advantage of crypto_grab_skcipher() now handling an ERR_PTR() name and
    by taking advantage of crypto_drop_skcipher() now accepting (as a no-op)
    a spawn that hasn't been grabbed yet.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Simplify the error handling in the various cryptd_create_*() functions
    by taking advantage of crypto_grab_*() now handling an ERR_PTR() name
    and by taking advantage of crypto_drop_*() now accepting (as a no-op) a
    spawn that hasn't been grabbed yet.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Simplify the error handling in crypto_rfc4309_create() by taking
    advantage of crypto_grab_aead() now handling an ERR_PTR() name and by
    taking advantage of crypto_drop_aead() now accepting (as a no-op) a
    spawn that hasn't been grabbed yet.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Fix a weird case where a line was terminated by a comma rather than a
    semicolon, causing the statement to be continued on the next line.
    Fortunately the code still behaved as intended, though.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

28 Feb, 2020

1 commit

  • crypto/md5.c:26:0: warning: macro "MD5_DIGEST_WORDS" is not used [-Wunused-macros]
    crypto/md5.c:27:0: warning: macro "MD5_MESSAGE_BYTES" is not used [-Wunused-macros]

    They are never used since commit 3c7eb3cc8360 ("md5: remove from
    lib and only live in crypto").

    Signed-off-by: YueHaibing
    Signed-off-by: Herbert Xu

    YueHaibing
     

21 Feb, 2020

1 commit

  • Pull IMA fixes from Mimi Zohar:
    "Two bug fixes and an associated change for each.

    The one that adds SM3 to the IMA list of supported hash algorithms is
    a simple change, but could be considered a new feature"

    * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
    ima: add sm3 algorithm to hash algorithm configuration list
    crypto: rename sm3-256 to sm3 in hash_algo_name
    efi: Only print errors about failing to get certs if EFI vars are found
    x86/ima: use correct identifier for SetupMode variable

    Linus Torvalds
     

18 Feb, 2020

1 commit

The name sm3-256 is defined in hash_algo_name in hash_info, but the
    algorithm name implemented in sm3_generic.c is sm3, which will cause
    the sm3-256 algorithm not to be found in some application scenarios of
    the hash algorithm, and an ENOENT error will occur. For example,
    IMA, keys, and other subsystems that reference hash_algo_name all use
    the hash algorithm of sm3.

    Fixes: 5ca4c20cfd37 ("keys, trusted: select hash algorithm for TPM2 chips")
    Signed-off-by: Tianjia Zhang
    Reviewed-by: Pascal van Leeuwen
    Signed-off-by: Mimi Zohar

    Tianjia Zhang
     

16 Feb, 2020

1 commit

  • Pull s390 updates from Vasily Gorbik:

    - Enable paes-s390 cipher selftests in testmgr (acked-by Herbert Xu).

    - Fix protected key length update in PKEY_SEC2PROTK ioctl and increase
    card/queue requests counter to 64-bit in crypto code.

    - Fix clang warning in get_tod_clock.

    - Fix ultravisor info length extensions handling.

    - Fix style of SPDX License Identifier in vfio-ccw.

    - Avoid unnecessary GFP_ATOMIC and simplify ACK tracking in qdio.

    * tag 's390-5.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
    crypto/testmgr: enable selftests for paes-s390 ciphers
    s390/time: Fix clk type in get_tod_clock
    s390/uv: Fix handling of length extensions
    s390/qdio: don't allocate *aob array with GFP_ATOMIC
    s390/qdio: simplify ACK tracking
    s390/zcrypt: fix card and queue total counter wrap
    s390/pkey: fix missing length of protected key on return
    vfio-ccw: Use the correct style for SPDX License Identifier

    Linus Torvalds
     

14 Feb, 2020

2 commits

  • Pull crypto fix from Herbert Xu:
    "This fixes a Kconfig anomaly when lib/crypto is enabled without Crypto
    API"

    * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
    crypto: Kconfig - allow tests to be disabled when manager is disabled

    Linus Torvalds
     
  • This patch enables the selftests for the s390 specific protected key
    AES (PAES) cipher implementations:
    * cbc-paes-s390
    * ctr-paes-s390
    * ecb-paes-s390
    * xts-paes-s390
PAES is an AES cipher but with encrypted ('protected') key
    material. However, the paes ciphers are able to derive a protected
    key from clear key material with the help of the pkey kernel module.

So this patch now enables the generic AES tests for the paes
    ciphers. Under the hood the setkey() functions rearrange the clear key
    values as a clear key token and so the pkey kernel module is able to
    provide protected key blobs from the given clear key values. The
    derived protected key blobs are then used within the paes ciphers and
    should produce the very same results as the generic AES implementation
    with the clear key values.

    The s390-paes cipher testlist entries are surrounded
    by #if IS_ENABLED(CONFIG_CRYPTO_PAES_S390) because they don't
    make any sense on non s390 platforms or without the PAES
    cipher implementation.

    Link: http://lkml.kernel.org/r/20200213083946.zicarnnt3wizl5ty@gondor.apana.org.au
    Acked-by: Herbert Xu
    Signed-off-by: Harald Freudenberger
    Signed-off-by: Vasily Gorbik

    Harald Freudenberger
     

13 Feb, 2020

3 commits


05 Feb, 2020

1 commit


04 Feb, 2020

1 commit

  • 'PTR_ERR(p) == -E*' is a stronger condition than IS_ERR(p).
    Hence, IS_ERR(p) is unneeded.

    The semantic patch that generates this commit is as follows:

    //
    @@
    expression ptr;
    constant error_code;
    @@
    -IS_ERR(ptr) && (PTR_ERR(ptr) == - error_code)
    +PTR_ERR(ptr) == - error_code
    //

    Link: http://lkml.kernel.org/r/20200106045833.1725-1-masahiroy@kernel.org
    Signed-off-by: Masahiro Yamada
    Cc: Julia Lawall
    Acked-by: Stephen Boyd [drivers/clk/clk.c]
    Acked-by: Bartosz Golaszewski [GPIO]
    Acked-by: Wolfram Sang [drivers/i2c]
    Acked-by: Rafael J. Wysocki [acpi/scan.c]
    Acked-by: Rob Herring
    Cc: Eric Biggers
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Masahiro Yamada
     

29 Jan, 2020

1 commit

  • Pull crypto updates from Herbert Xu:
    "API:
    - Removed CRYPTO_TFM_RES flags
    - Extended spawn grabbing to all algorithm types
    - Moved hash descsize verification into API code

    Algorithms:
    - Fixed recursive pcrypt dead-lock
    - Added new 32 and 64-bit generic versions of poly1305
    - Added cryptogams implementation of x86/poly1305

    Drivers:
    - Added support for i.MX8M Mini in caam
    - Added support for i.MX8M Nano in caam
    - Added support for i.MX8M Plus in caam
    - Added support for A33 variant of SS in sun4i-ss
    - Added TEE support for Raven Ridge in ccp
    - Added in-kernel API to submit TEE commands in ccp
    - Added AMD-TEE driver
    - Added support for BCM2711 in iproc-rng200
    - Added support for AES256-GCM based ciphers for chtls
    - Added aead support on SEC2 in hisilicon"

    * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (244 commits)
    crypto: arm/chacha - fix build failured when kernel mode NEON is disabled
    crypto: caam - add support for i.MX8M Plus
    crypto: x86/poly1305 - emit does base conversion itself
    crypto: hisilicon - fix spelling mistake "disgest" -> "digest"
    crypto: chacha20poly1305 - add back missing test vectors and test chunking
    crypto: x86/poly1305 - fix .gitignore typo
    tee: fix memory allocation failure checks on drv_data and amdtee
    crypto: ccree - erase unneeded inline funcs
    crypto: ccree - make cc_pm_put_suspend() void
    crypto: ccree - split overloaded usage of irq field
    crypto: ccree - fix PM race condition
    crypto: ccree - fix FDE descriptor sequence
    crypto: ccree - cc_do_send_request() is void func
    crypto: ccree - fix pm wrongful error reporting
    crypto: ccree - turn errors to debug msgs
    crypto: ccree - fix AEAD decrypt auth fail
    crypto: ccree - fix typo in comment
    crypto: ccree - fix typos in error msgs
    crypto: atmel-{aes,sha,tdes} - Retire crypto_platform_data
    crypto: x86/sha - Eliminate casts on asm implementations
    ...

    Linus Torvalds
     

16 Jan, 2020

2 commits

  • "AEAD" is capitalized everywhere else.
    Use "an" when followed by a written or spoken vowel.

    Fixes: be1eb7f78aa8fbe3 ("crypto: essiv - create wrapper template for ESSIV generation")
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Herbert Xu

    Geert Uytterhoeven
     
  • These two C implementations from Zinc -- a 32x32 one and a 64x64 one,
    depending on the platform -- come from Andrew Moon's public domain
    poly1305-donna portable code, modified for usage in the kernel. The
    precomputation in the 32-bit version and the use of 64x64 multiplies in
    the 64-bit version make these perform better than the code it replaces.
    Moon's code is also very widespread and has received many eyeballs of
    scrutiny.

    There's a bit of interference between the x86 implementation, which
    relies on internal details of the old scalar implementation. In the next
    commit, the x86 implementation will be replaced with a faster one that
    doesn't rely on this, so none of this matters much. But for now, to keep
    this passing the tests, we inline the bits of the old implementation
    that the x86 implementation relied on. Also, since we now support a
    slightly larger key space, via the union, some offsets had to be fixed
    up.

    Nonce calculation was folded in with the emit function, to take
    advantage of 64x64 arithmetic. However, Adiantum appeared to rely on no
    nonce handling in emit, so this path was conditionalized. We also
    introduced a new struct, poly1305_core_key, to represent the precise
    amount of space that particular implementation uses.

    Testing with kbench9000, depending on the CPU, the update function for
    the 32x32 version has been improved by 4%-7%, and for the 64x64 by
    19%-30%. The 32x32 gains are small, but I think there's great value in
    having a parallel implementation to the 64x64 one so that the two can be
    compared side-by-side as nice stand-alone units.

    Signed-off-by: Jason A. Donenfeld
    Signed-off-by: Herbert Xu

    Jason A. Donenfeld
     

09 Jan, 2020

10 commits

  • All instances need to have a ->free() method, but people could forget to
    set it and then not notice if the instance is never unregistered. To
    help detect this bug earlier, don't allow an instance without a ->free()
    method to be registered, and complain loudly if someone tries to do it.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Now that all templates provide a ->create() method which creates an
    instance, installs a strongly-typed ->free() method directly to it, and
    registers it, the older ->alloc() and ->free() methods in
    'struct crypto_template' are no longer used. Remove them.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Convert shash_free_instance() and its users to the new way of freeing
    instances, where a ->free() method is installed to the instance struct
    itself. This replaces the weakly-typed method crypto_template::free().

    This will allow removing support for the old way of freeing instances.

    Also give shash_free_instance() a more descriptive name to reflect that
    it's only for instances with a single spawn, not for any instance.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Convert the "cryptd" template to the new way of freeing instances, where
    a ->free() method is installed to the instance struct itself. This
    replaces the weakly-typed method crypto_template::free().

    This will allow removing support for the old way of freeing instances.

    Note that the 'default' case in cryptd_free() was already unreachable.
    So, we aren't missing anything by keeping only the ahash and aead parts.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Convert the "seqiv" template to the new way of freeing instances where a
    ->free() method is installed to the instance struct itself. Also remove
    the unused implementation of the old way of freeing instances from the
    "echainiv" template, since it's already using the new way too.

    In doing this, also simplify the code by making the helper function
    aead_geniv_alloc() install the ->free() method, instead of making seqiv
    and echainiv do this themselves. This is analogous to how
    skcipher_alloc_instance_simple() works.

    This will allow removing support for the old way of freeing instances.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Add support to shash and ahash for the new way of freeing instances
    (already used for skcipher, aead, and akcipher) where a ->free() method
    is installed to the instance struct itself. These methods are more
    strongly-typed than crypto_template::free(), which they replace.

    This will allow removing support for the old way of freeing instances.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Now that crypto_init_spawn() is only called by crypto_grab_spawn(),
    simplify things by moving its functionality into crypto_grab_spawn().

    In the process of doing this, also be more consistent about when the
    spawn and instance are updated, and remove the crypto_spawn::dropref
    flag since now it's always set.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Now that all the templates that need ahash spawns have been converted to
    use crypto_grab_ahash() rather than look up the algorithm directly,
    crypto_ahash_type is no longer used outside of ahash.c. Make it static.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Remove lots of helper functions that were previously used for
    instantiating crypto templates, but are now unused:

    - crypto_get_attr_alg() and similar functions looked up an inner
    algorithm directly from a template parameter. These were replaced
    with getting the algorithm's name, then calling crypto_grab_*().

    - crypto_init_spawn2() and similar functions initialized a spawn, given
    an algorithm. Similarly, these were replaced with crypto_grab_*().

    - crypto_alloc_instance() and similar functions allocated an instance
    with a single spawn, given the inner algorithm. These aren't useful
    anymore since crypto_grab_*() need the instance allocated first.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Now that all users of single-block cipher spawns have been converted to
    use 'struct crypto_cipher_spawn' rather than the less specifically typed
    'struct crypto_spawn', make crypto_spawn_cipher() take a pointer to a
    'struct crypto_cipher_spawn' rather than a 'struct crypto_spawn'.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers