29 Oct, 2018
3 commits
-
The reverted commit was disabling some code because it was
not compatible. Now it is.

This reverts commit 2570172aabd1962b953625283587541424f7b6a4.
Signed-off-by: Franck LENORMAND
-
If the test manager is not disabled, it is not possible to
determine if the tcrypt result is suitable or not.

This patch fixes this issue by printing a message to the user.
Signed-off-by: Franck LENORMAND
-
Because the old rfc4543 implementation always injected an IV into
the AD, while the new one does not, we have to disable the test
while it is converted over to the new AEAD interface.
Signed-off-by: Herbert Xu
28 Jun, 2017
1 commit
-
The combination of sha1 and aes was disabled in FIPS Mode
accidentally. This patch reenables it.

Fixes: 284a0f6e87b0 ("crypto: testmgr - Disable fips-allowed for...")
Signed-off-by: Herbert Xu
Acked-by: Stephan Müller
20 Jun, 2017
1 commit
-
The PKCS#1 RSA implementation is provided with a self test with RSA 2048
and SHA-256. This self test implicitly covers other RSA keys and other
hashes. Also, this self test implies that the pkcs1pad(rsa) is FIPS
140-2 compliant.
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
19 Jun, 2017
1 commit
-
Fix inconsistent format and spelling in hash tests error messages.
Signed-off-by: Gilad Ben-Yossef
Signed-off-by: Herbert Xu
10 Jun, 2017
1 commit
-
The test considers a party that already has a private-public
key pair and a party that provides a NULL key. The kernel will
generate the private-public key pair for the latter, compute
the shared secret on both ends and verify if it's the same.

The explicit private-public key pair was copied from
the previous test vector.
Signed-off-by: Tudor Ambarus
Signed-off-by: Herbert Xu
24 Apr, 2017
2 commits
-
Add scomp backend for zlib-deflate compression algorithm.
This backend outputs data using the format defined in rfc1950
(raw deflate surrounded by zlib header and footer).
Signed-off-by: Giovanni Cabiddu
Signed-off-by: Herbert Xu
-
The cipher_null is not a real cipher, FIPS mode should not restrict its use.
It is used for several tests (for example in cryptsetup testsuite) and also
temporarily for reencryption of not yet encrypted device in cryptsetup-reencrypt tool.

Problem is easily reproducible with
  cryptsetup benchmark -c null

Signed-off-by: Milan Broz
Acked-by: Stephan Müller
Signed-off-by: Herbert Xu
21 Apr, 2017
1 commit
-
Compression implementations might return valid outputs that
do not match what is specified in the test vectors.
For this reason, the testmgr might report that a compression
implementation failed the test even if the data produced
by the compressor is correct.
This implements a decompress-and-verify test for acomp
compression tests rather than a known answer test.
Signed-off-by: Giovanni Cabiddu
Signed-off-by: Herbert Xu
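Why a known answer test can reject a correct compressor while decompress-and-verify accepts it, as an added example that is not part of the commit or the kernel source. The run-length coder, the `max_run` parameter and the test vector are constructed for illustration; no kernel API is used.

```c
#include <string.h>

typedef unsigned char u8;

/* Toy run-length coder standing in for a real compressor (an assumption of
 * this example). max_run is an implementation choice of the encoder. */
static size_t rle_compress(const u8 *in, size_t n, u8 *out, u8 max_run)
{
    size_t i = 0, o = 0;
    while (i < n) {
        u8 run = 1;
        while (i + run < n && in[i + run] == in[i] && run < max_run)
            run++;
        out[o++] = run;
        out[o++] = in[i];
        i += run;
    }
    return o;
}

/* Returns the decoded length, or 0 on malformed input or output overflow. */
static size_t rle_decompress(const u8 *in, size_t n, u8 *out, size_t cap)
{
    size_t i, o = 0;
    for (i = 0; i + 1 < n; i += 2) {
        if (in[i] == 0 || o + in[i] > cap)
            return 0;
        memset(out + o, in[i + 1], in[i]);
        o += in[i];
    }
    return i == n ? o : 0;
}

/* Constructed vector; expected[] is what a max_run = 255 encoder emits. */
static const u8 plain[] = "aaaaaabb", expected[] = { 6, 'a', 2, 'b' };
#define PLAIN_LEN (sizeof(plain) - 1)

/* Bit 0: known answer test passed. Bit 1: decompress-and-verify passed. */
int run_tests(u8 max_run)
{
    u8 comp[2 * PLAIN_LEN], back[PLAIN_LEN];
    size_t n = rle_compress(plain, PLAIN_LEN, comp, max_run);
    int kat = n == sizeof(expected) && !memcmp(comp, expected, n);
    int rt = rle_decompress(comp, n, back, sizeof(back)) == PLAIN_LEN &&
             !memcmp(back, plain, PLAIN_LEN);
    return kat | (rt << 1);
}

int main(void) { return !(run_tests(255) == 3 && run_tests(4) == 2); }
```

An encoder limited to runs of 4 produces six bytes instead of four, so it fails the byte-for-byte comparison yet still decodes back to the original input.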
24 Mar, 2017
1 commit
-
3DES is missing the fips_allowed flag for CTR mode.
Signed-off-by: Marcelo Henrique Cerri
Acked-by: Stephan Mueller
Signed-off-by: Herbert Xu
09 Mar, 2017
1 commit
-
Cryptographic test vectors should never be modified, so constify them to
enforce this at both compile-time and run-time. This moves a significant
amount of data from .data to .rodata when the crypto tests are enabled.
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
11 Feb, 2017
1 commit
-
In preparation of splitting off the CBC-MAC transform in the CCM
driver into a separate algorithm, define some test cases for the
AES incarnation of cbcmac.
Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
13 Jan, 2017
3 commits
-
When working on AES in CCM mode for ARM, my code passed the internal
tcrypt test before I had even bothered to implement the AES-192 and
AES-256 code paths, which is strange because the tcrypt does contain
AES-192 and AES-256 test vectors for CCM.

As it turned out, the define AES_CCM_ENC_TEST_VECTORS was out of sync
with the actual number of test vectors, causing only the AES-128 ones
to be executed.

So get rid of the defines, and wrap the test vector references in a
macro that calculates the number of vectors automatically.

The following test vector counts were out of sync with the respective
defines:

  BF_CTR_ENC_TEST_VECTORS          2 ->  3
  BF_CTR_DEC_TEST_VECTORS          2 ->  3
  TF_CTR_ENC_TEST_VECTORS          2 ->  3
  TF_CTR_DEC_TEST_VECTORS          2 ->  3
  SERPENT_CTR_ENC_TEST_VECTORS     2 ->  3
  SERPENT_CTR_DEC_TEST_VECTORS     2 ->  3
  AES_CCM_ENC_TEST_VECTORS         8 -> 14
  AES_CCM_DEC_TEST_VECTORS         7 -> 17
  AES_CCM_4309_ENC_TEST_VECTORS    7 -> 23
  AES_CCM_4309_DEC_TEST_VECTORS   10 -> 23
  CAMELLIA_CTR_ENC_TEST_VECTORS    2 ->  3
  CAMELLIA_CTR_DEC_TEST_VECTORS    2 ->  3

Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
-
There are some hashes (e.g. sha224) that have some internal trickery
to make sure that only the correct number of output bytes are
generated. If something goes wrong, they could potentially overrun
the output buffer.

Make the test more robust by allocating only enough space for the
correct output size so that memory debugging will catch the error if
the output is overrun.

Tested by intentionally breaking sha224 to output all 256
internally-generated bits while running on KASAN.

Cc: Ard Biesheuvel
Cc: Herbert Xu
Signed-off-by: Andy Lutomirski
Signed-off-by: Herbert Xu
-
It's recommended to use kmemdup instead of kmalloc followed by memcpy.
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
27 Dec, 2016
1 commit
-
Christopher Covington reported a crash on aarch64 on recent Fedora
kernels:

kernel BUG at ./include/linux/scatterlist.h:140!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:
CPU: 2 PID: 752 Comm: cryptomgr_test Not tainted 4.9.0-11815-ge93b1cc #162
Hardware name: linux,dummy-virt (DT)
task: ffff80007c650080 task.stack: ffff800008910000
PC is at sg_init_one+0xa0/0xb8
LR is at sg_init_one+0x24/0xb8
...
[] sg_init_one+0xa0/0xb8
[] test_acomp+0x10c/0x438
[] alg_test_comp+0xb0/0x118
[] alg_test+0x17c/0x2f0
[] cryptomgr_test+0x44/0x50
[] kthread+0xf8/0x128
[] ret_from_fork+0x10/0x50

The test vectors used for input are part of the kernel image. These
inputs are passed as a buffer to sg_init_one which eventually blows up
with BUG_ON(!virt_addr_valid(buf)). On arm64, virt_addr_valid returns
false for the kernel image since virt_to_page will not return the
correct page. Fix this by copying the input vectors to heap buffer
before setting up the scatterlist.

Reported-by: Christopher Covington
Fixes: d7db7a882deb ("crypto: acomp - update testmgr with support for acomp")
Signed-off-by: Laura Abbott
Signed-off-by: Herbert Xu
08 Dec, 2016
1 commit
-
Commit 7e4c7f17cde2 ("crypto: testmgr - avoid overlap in chunked tests")
attempted to address a problem in the crypto testmgr code where chunked
test cases are copied to memory in a way that results in overlap.

However, the fix recreated the exact same issue for other chunked tests,
by putting IDX3 within 492 bytes of IDX1, which causes overlap if the
first chunk exceeds 492 bytes, which is the case for at least one of
the xts(aes) test cases.

So increase IDX3 by another 1000 bytes.
Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
07 Dec, 2016
1 commit
-
The IDXn offsets are chosen such that tap values (which may go up to
255) end up overlapping in the xbuf allocation. In particular, IDX1
and IDX3 are too close together, so update IDX3 to avoid this issue.
Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
28 Nov, 2016
2 commits
-
With virtually-mapped stacks (CONFIG_VMAP_STACK=y), using the
scatterlist crypto API with stack buffers is not allowed, and with
appropriate debugging options will cause the
'BUG_ON(!virt_addr_valid(buf));' in sg_set_buf() to be triggered.
Use a heap buffer instead.

Fixes: d7db7a882deb ("crypto: acomp - update testmgr with support for acomp")
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
-
Currently we manually filter out internal algorithms using a list
in testmgr. This is dangerous as internal algorithms cannot be
safely used even by testmgr. This patch ensures that they're never
processed by testmgr at all.

This patch also removes an obsolete bypass for nivciphers which
no longer exist.
Signed-off-by: Herbert Xu
25 Oct, 2016
1 commit
-
Add tests to the test manager for algorithms exposed through acomp.
Signed-off-by: Giovanni Cabiddu
Signed-off-by: Herbert Xu
02 Oct, 2016
1 commit
-
Add a guard to 'state' buffer and warn if its consistency after
call to crypto_ahash_export() changes, so that any write that
goes beyond advertised statesize (and thus causing potential
memory corruption [1]) is more visible.

[1] https://marc.info/?l=linux-crypto-vger&m=147467656516085
Signed-off-by: Jan Stancek
Cc: Herbert Xu
Cc: Marcelo Cerri
Signed-off-by: Herbert Xu
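The guard technique this commit describes, as an added userspace example that is not the testmgr code. `struct toy_hash`, the two export callbacks, the guard pattern and `GUARD_LEN` are hypothetical names and values chosen for illustration; the kernel's crypto_ahash_export() is not called.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN 8     /* constructed value for this example */
static const unsigned char guard[GUARD_LEN] = {
    0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef
};

/* Hypothetical stand-in for a hash driver: it advertises statesize and
 * its export callback is expected to write exactly that many bytes. */
struct toy_hash {
    size_t statesize;
    void (*export_state)(void *out);
};

static void export_ok(void *out)  { memset(out, 0x11, 16); }
/* Defective driver: advertises 16 bytes of state but writes 20. */
static void export_bad(void *out) { memset(out, 0x22, 20); }

static const struct toy_hash good_hash = { 16, export_ok };
static const struct toy_hash bad_hash  = { 16, export_bad };

/* Returns 0 if the guard is intact, 1 if export wrote past statesize,
 * -1 if the buffer could not be allocated. Only overruns of up to
 * GUARD_LEN bytes land in memory this test owns. */
int check_export(const struct toy_hash *h)
{
    unsigned char *state = malloc(h->statesize + GUARD_LEN);
    int overrun;

    if (!state)
        return -1;
    memcpy(state + h->statesize, guard, GUARD_LEN);
    h->export_state(state);
    overrun = memcmp(state + h->statesize, guard, GUARD_LEN) != 0;
    free(state);
    return overrun;
}

int main(void)
{
    printf("good: %d, bad: %d\n", check_export(&good_hash),
           check_export(&bad_hash));
    return 0;
}
```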
31 Aug, 2016
1 commit
-
In FIPS mode, additional restrictions may apply. If these restrictions
are violated, the kernel will panic(). This patch allows test vectors
for symmetric ciphers to be marked as to be skipped in FIPS mode.

Together with the patch, the XTS test vectors where the AES key is
identical to the tweak key is disabled in FIPS mode. This test vector
violates the FIPS requirement that both keys must be different.

Reported-by: Tapas Sarangi
Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
09 Aug, 2016
1 commit
-
"if (!ret == template[i].fail)" is confusing to compilers (gcc5):
crypto/testmgr.c: In function '__test_aead':
crypto/testmgr.c:531:12: warning: logical not is only applied to the
left hand side of comparison [-Wlogical-not-parentheses]
if (!ret == template[i].fail) {
^

Let there be 'if (template[i].fail == !ret) '.
Signed-off-by: Yanjiang Jin
Signed-off-by: Herbert Xu
19 Jul, 2016
1 commit
-
When an akcipher test fails, we don't know which algorithm failed
because the name is not printed. This patch fixes this.
Signed-off-by: Herbert Xu
05 Jul, 2016
1 commit
-
Report correct error in case of failure
Signed-off-by: Salvatore Benedetto
Signed-off-by: Herbert Xu
01 Jul, 2016
2 commits
-
This patch adds HMAC-SHA3 test modes in tcrypt module
and related test vectors.
Signed-off-by: Raveendra Padasalagi
Signed-off-by: Herbert Xu
-
This patch allows RSA implementations to produce output with
leading zeroes. testmgr will skip leading zeroes when comparing
the output.

This patch also tries to make the RSA test function generic enough
to potentially handle other akcipher algorithms.
Signed-off-by: Herbert Xu
23 Jun, 2016
2 commits
-
* Implement ECDH under kpp API
* Provide ECC software support for curve P-192 and
P-256.
* Add kpp test for ECDH with data generated by OpenSSL
Signed-off-by: Salvatore Benedetto
Signed-off-by: Herbert Xu
-
* Implement MPI based Diffie-Hellman under kpp API
* Test provided uses data generated by OpenSSL
Signed-off-by: Salvatore Benedetto
Signed-off-by: Herbert Xu
20 Jun, 2016
1 commit
-
Added support for SHA-3 algorithm tests
in tcrypt module and related test vectors.
Signed-off-by: Raveendra Padasalagi
Signed-off-by: Herbert Xu
18 May, 2016
1 commit
-
Pull crypto update from Herbert Xu:
"API:
- Crypto self tests can now be disabled at boot/run time.
- Add async support to algif_aead.

Algorithms:
- A large number of fixes to MPI from Nicolai Stange.
- Performance improvement for HMAC DRBG.

Drivers:
- Use generic crypto engine in omap-des.
- Merge ppc4xx-rng and crypto4xx drivers.
- Fix lockups in sun4i-ss driver by disabling IRQs.
- Add DMA engine support to ccp.
- Reenable talitos hash algorithms.
- Add support for Hisilicon SoC RNG.
- Add basic crypto driver for the MXC SCC.

Others:
- Do not allocate crypto hash tfm in NORECLAIM context in ecryptfs"
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (77 commits)
crypto: qat - change the adf_ctl_stop_devices to void
crypto: caam - fix caam_jr_alloc() ret code
crypto: vmx - comply with ABIs that specify vrsave as reserved.
crypto: testmgr - Add a flag allowing the self-tests to be disabled at runtime.
crypto: ccp - constify ccp_actions structure
crypto: marvell/cesa - Use dma_pool_zalloc
crypto: qat - make adf_vf_isr.c dependant on IOV config
crypto: qat - Fix typo in comments
lib: asn1_decoder - add MODULE_LICENSE("GPL")
crypto: omap-sham - Use dma_request_chan() for requesting DMA channel
crypto: omap-des - Use dma_request_chan() for requesting DMA channel
crypto: omap-aes - Use dma_request_chan() for requesting DMA channel
crypto: omap-des - Integrate with the crypto engine framework
crypto: s5p-sss - fix incorrect usage of scatterlists api
crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks
crypto: s5p-sss - Use common BIT macro
crypto: mxc-scc - fix unwinding in mxc_scc_crypto_register()
crypto: mxc-scc - signedness bugs in mxc_scc_ablkcipher_req_init()
crypto: talitos - fix ahash algorithms registration
crypto: ccp - Ensure all dependencies are specified
...
09 May, 2016
1 commit
-
As akcipher uses an SG interface, you must not use vmalloc memory
as input for it. This patch fixes testmgr to copy the vmalloc
test vectors to kmalloc memory before running the test.

This patch also removes a superfluous sg_virt call in do_test_rsa.
Cc:
Reported-by: Anatoly Pugachev
Signed-off-by: Herbert Xu
05 May, 2016
1 commit
-
Running self-tests for a short-lived KVM VM takes 28ms on my laptop.
This commit adds a flag 'cryptomgr.notests' which allows them to be
disabled.

However if fips=1 as well, we ignore this flag as FIPS mode mandates
that the self-tests are run.
Signed-off-by: Richard W.M. Jones
Signed-off-by: Herbert Xu
28 Feb, 2016
1 commit
-
RFC 3686 CTR in various authenc methods.
rfc3686(ctr(aes)) is already marked fips compliant,
so these should be fine.
Signed-off-by: Marcus Meissner
Acked-by: Stephan Mueller
Signed-off-by: Herbert Xu
17 Feb, 2016
1 commit
-
(2nd try that adds missing , to build.)
Signed-off-by: Marcus Meissner
Signed-off-by: Herbert Xu
06 Feb, 2016
3 commits
-
Some more authenc() wrapped algorithms are FIPS compliant, tag
them as such.
Signed-off-by: Marcus Meissner
Acked-by: Stephan Mueller
Signed-off-by: Herbert Xu
-
__test_aead() reads MAX_IVLEN bytes from template[i].iv, but the
actual length of the initialisation vector can be shorter.
The length of the IV is already calculated earlier in the
function. Let's just reuse that. Also the IV length is currently
calculated several times for no reason. Let's fix that too.
This fixes an out-of-bound error detected by KASan.
Signed-off-by: Jerome Marchand
Signed-off-by: Herbert Xu
-
Modify __test_hash() so that hash import/export can be tested
from within the kernel. The test is unconditionally done when
a struct hash_testvec has its .np > 1.

v3: make the test unconditional
v2: Leverage template[i].np as suggested by Tim Chen

Signed-off-by: Rui Wang
Signed-off-by: Herbert Xu