20 Nov, 2018

2 commits

  • Some algorithms initialize their .cra_list prior to registration.
    But this is unnecessary since crypto_register_alg() will overwrite
    .cra_list when adding the algorithm to the 'crypto_alg_list'.
    Apparently the useless assignment has just been copy+pasted around.

    So, remove the useless assignments.

    Exception: paes_s390.c uses cra_list to check whether the algorithm is
    registered or not, so I left that as-is for now.

    This patch shouldn't change any actual behavior.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Remove the unnecessary setting of CRYPTO_ALG_TYPE_SKCIPHER.
    Commit 2c95e6d97892 ("crypto: skcipher - remove useless setting of type
    flags") took care of this everywhere else, but a few more instances made
    it into the tree at about the same time. Squash them before they get
    copy+pasted around again.

    This patch shouldn't change any actual behavior.

    Signed-off-by: Eric Biggers
    Acked-by: Antoine Tenart
    Signed-off-by: Herbert Xu

    Eric Biggers
     

16 Nov, 2018

23 commits

  • ecc_point_mult is supposed to be used with a regularized scalar;
    otherwise, it's possible to deduce the position of the top bit of the
    scalar with a timing attack. This is important when the scalar is a
    private key.

    ecc_point_mult is already using a regular algorithm (i.e. having an
    operation flow independent of the input scalar), but the regularization
    step is not implemented.

    Arrange scalar to always have fixed top bit by adding a multiple of the
    curve order (n).

    References:
    The constant time regularization step is based on micro-ecc by Kenneth
    MacKay and also referenced in the literature (Bernstein, D. J., & Lange,
    T. (2017). Montgomery curves and the Montgomery ladder. (Cryptology
    ePrint Archive; Vol. 2017/293). s.l.: IACR. Chapter 4.6.2.)

    Signed-off-by: Vitaly Chikunov
    Cc: kernel-hardening@lists.openwall.com
    Signed-off-by: Herbert Xu

    Vitaly Chikunov
     
  • This variant builds upon the idea of the 2-block AVX2 variant that
    shuffles words after each round. The shuffling has a rather high latency,
    so the arithmetic units are not optimally used.

    Given that we have plenty of registers in AVX, this version parallelizes
    the 2-block variant to do four blocks. While the first two blocks are
    shuffling, the CPU can do the XORing on the second two blocks and
    vice-versa, which makes this version much faster than the SSSE3 variant
    for four blocks. The latter is now mostly for systems that do not have
    AVX2, but there it is the work-horse, so we keep it in place.

    The partial XORing function trailer is very similar to the AVX2 2-block
    variant. While it could be shared, that code segment is rather short;
    profiling is also easier with the trailer integrated, so we keep it per
    function.

    Signed-off-by: Martin Willi
    Signed-off-by: Herbert Xu

    Martin Willi
     
  • This variant uses the same principle as the single block SSSE3 variant
    by shuffling the state matrix after each round. With the wider AVX
    registers, we can do two blocks in parallel, though.

    This function can increase performance and efficiency significantly for
    lengths that would otherwise require a 4-block function.

    Signed-off-by: Martin Willi
    Signed-off-by: Herbert Xu

    Martin Willi
     
  • Now that all block functions support partial lengths, engage the wider
    block sizes more aggressively. This prevents using smaller block
    functions multiple times, where the next larger block function would
    have been faster.

    Signed-off-by: Martin Willi
    Signed-off-by: Herbert Xu

    Martin Willi
     
  • Add a length argument to the eight block function for AVX2, so the
    block function may XOR only a partial length of eight blocks.

    To avoid unnecessary operations, we integrate XORing of the first four
    blocks in the final lane interleaving; this also avoids some work in
    the partial lengths path.

    Signed-off-by: Martin Willi
    Signed-off-by: Herbert Xu

    Martin Willi
     
  • Add a length argument to the quad block function for SSSE3, so the
    block function may XOR only a partial length of four blocks.

    As we already have the stack set up, the partial XORing does not need
    to. This gives a slightly different function trailer, so we keep that
    separate from the 1-block function.

    Signed-off-by: Martin Willi
    Signed-off-by: Herbert Xu

    Martin Willi
     
  • Add a length argument to the single block function for SSSE3, so the
    block function may XOR only a partial length of the full block. Given
    that the setup code is rather cheap, the function does not process more
    than one block; this allows us to keep the block function selection in
    the C glue code.

    The required branching does not negatively affect performance for full
    block sizes. The partial XORing uses simple "rep movsb" to copy the
    data before and after doing XOR in SSE. This is rather efficient on
    modern processors; movsw can be slightly faster, but the additional
    complexity is probably not worth it.

    Signed-off-by: Martin Willi
    Signed-off-by: Herbert Xu

    Martin Willi
     
  • Adopt the SPDX license identifier headers to ease license compliance
    management. While we are at it, fix the comment style, too.

    Cc: Lubomir Rintel
    Signed-off-by: Stefan Wahren
    Acked-by: Greg Kroah-Hartman
    Reviewed-by: Eric Anholt
    Acked-by: Lubomir Rintel
    Signed-off-by: Herbert Xu

    Stefan Wahren
     
  • Trivial fix to clean up an indentation issue

    Signed-off-by: Colin Ian King
    Signed-off-by: Herbert Xu

    Colin Ian King
     
  • Add support for Chacha20 + Poly1305 combined AEAD:
    -generic (rfc7539)
    -IPsec (rfc7634 - known as rfc7539esp in the kernel)

    Signed-off-by: Horia Geantă
    Signed-off-by: Herbert Xu

    Horia Geantă
     
  • Add support for Chacha20 + Poly1305 combined AEAD:
    -generic (rfc7539)
    -IPsec (rfc7634 - known as rfc7539esp in the kernel)

    Signed-off-by: Cristian Stoica
    Signed-off-by: Horia Geantă
    Signed-off-by: Herbert Xu

    Horia Geantă
     
  • Move CHACHAPOLY_IV_SIZE to header file, so it can be reused.

    Signed-off-by: Cristian Stoica
    Signed-off-by: Horia Geantă
    Signed-off-by: Herbert Xu

    Cristian Stoica
     
  • Add support for ChaCha20 skcipher algorithm.

    Signed-off-by: Carmen Iorga
    Signed-off-by: Horia Geantă
    Signed-off-by: Herbert Xu

    Horia Geantă
     
  • Era 10 changes the register map.

    The updates that affect the drivers:
    -new version registers are added
    -DBG_DBG[deco_state] field is moved to a new register -
    DBG_EXEC[19:16] @ 8_0E3Ch.

    Signed-off-by: Horia Geantă
    Signed-off-by: Herbert Xu

    Horia Geantă
     
  • On 6ull and 6sll the DCP block has a clock which needs to be explicitly
    enabled.

    Add minimal handling for this at probe/remove time.

    Signed-off-by: Leonard Crestez
    Reviewed-by: Fabio Estevam
    Signed-off-by: Herbert Xu

    Leonard Crestez
     
  • Explicit clock enabling is required on 6sll and 6ull so mention that
    standard clock bindings are used.

    Signed-off-by: Leonard Crestez
    Reviewed-by: Fabio Estevam
    Reviewed-by: Rob Herring
    Signed-off-by: Herbert Xu

    Leonard Crestez
     
  • Add testmgr and tcrypt tests and vectors for the Streebog hash function
    from RFC 6986 and GOST R 34.11-2012; the HMAC-Streebog vectors are
    from RFC 7836 and R 50.1.113-2016.

    Cc: linux-integrity@vger.kernel.org
    Signed-off-by: Vitaly Chikunov
    Acked-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Vitaly Chikunov
     
  • Register Streebog hash function in Hash Info arrays to let IMA use
    it for its purposes.

    Cc: linux-integrity@vger.kernel.org
    Signed-off-by: Vitaly Chikunov
    Reviewed-by: Mimi Zohar
    Signed-off-by: Herbert Xu

    Vitaly Chikunov
     
  • Add GOST/IETF Streebog hash function (GOST R 34.11-2012, RFC 6986)
    generic hash transformation.

    Cc: linux-integrity@vger.kernel.org
    Signed-off-by: Vitaly Chikunov
    Reviewed-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Vitaly Chikunov
     
  • Remove asm/hwcap.h which is included more than once

    Signed-off-by: Brajeswar Ghosh
    Acked-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Brajeswar Ghosh
     
  • Remove the setkey() callback handler for normal/non-keyed
    hash algorithms and keep it for AES-CBC/CMAC, which need a key.

    Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
    Signed-off-by: Raveendra Padasalagi
    Signed-off-by: Herbert Xu

    Raveendra Padasalagi
     
  • cts(cbc(aes)) as used in the kernel has been added to NIST
    standard as CBC-CS3. Document it as such.

    Signed-off-by: Gilad Ben-Yossef
    Suggested-by: Stephan Mueller
    Acked-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Gilad Ben-Yossef
     
  • The currently used scalar multiplication algorithm (Matthieu Rivain, 2011)
    has invalid values for scalar == 1, n-1, and, for the regularized version,
    n-2, which were previously not checked. Verify that they are not used as
    private keys.

    Signed-off-by: Vitaly Chikunov
    Signed-off-by: Herbert Xu

    Vitaly Chikunov
     
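An added example (not the kernel's ecc.c) combining the scalar regularization from the ecc_point_mult commit above with the private-key range check from this commit; it uses a constructed single-digit toy order TOY_ORDER in place of a real curve order, and the 128-bit type is a gcc/clang extension used only to confirm the congruence.

```c
#include <stdint.h>
#include <stdbool.h>

/* Toy group order for this example (constructed): one 64-bit digit, with n
 * just below 2^64 as on the NIST curves, where n > 2^(bits-1). */
#define TOY_ORDER UINT64_C(0xFFFFFFFFFFFFFFC5)   /* 2^64 - 59 */

/* scalar + n or scalar + 2n no longer fits one digit, so bit 64 is
 * carried separately; after regularization it is always set. */
struct reg_scalar {
	uint64_t lo;
	unsigned top;
};

/* Single-digit add with carry out, like the kernel's vli_add(). */
static uint64_t add_carry(uint64_t a, uint64_t b, uint64_t *sum)
{
	*sum = a + b;
	return *sum < a;
}

/* Mirror of the commit's step: compute scalar + n and scalar + 2n
 * unconditionally, then select by the first carry so the operation flow
 * is independent of the scalar. Both candidates are congruent to scalar
 * mod n, so the point multiplication result is unchanged. */
struct reg_scalar regularize(uint64_t scalar, uint64_t n)
{
	uint64_t sk0, sk1;
	uint64_t carry = add_carry(scalar, n, &sk0);    /* scalar + n  */
	uint64_t carry2 = add_carry(sk0, n, &sk1);      /* scalar + 2n */
	uint64_t mask = 0 - carry;   /* all ones when the first add carried */
	struct reg_scalar r;
	r.lo = (sk0 & mask) | (sk1 & ~mask);
	r.top = (unsigned)(carry | carry2);
	return r;
}

/* The later commit's check: scalar 1 and n-1 are invalid for the Rivain
 * ladder, n-2 additionally for its regularized form; reject 0 as well. */
bool private_key_ok(uint64_t scalar, uint64_t n)
{
	return scalar > 1 && scalar < n - 2;
}

/* Regularized value reduced mod n, so a caller can confirm the congruence. */
uint64_t reg_mod_n(struct reg_scalar r, uint64_t n)
{
	unsigned __int128 v = ((unsigned __int128)r.top << 64) | r.lo;
	return (uint64_t)(v % n);
}
```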

09 Nov, 2018

15 commits

  • As per the SP800-38A addendum from Oct 2010[1], cts(cbc(aes)) is
    allowed as a FIPS mode algorithm. Mark it as such.

    [1] https://csrc.nist.gov/publications/detail/sp/800-38a/addendum/final

    Signed-off-by: Gilad Ben-Yossef
    Reviewed-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Gilad Ben-Yossef
     
  • There have been a pretty ridiculous number of issues with initializing
    the report structures that are copied to userspace by NETLINK_CRYPTO.
    Commit 4473710df1f8 ("crypto: user - Prepare for CRYPTO_MAX_ALG_NAME
    expansion") replaced some strncpy()s with strlcpy()s, thereby
    introducing information leaks. Later two other people tried to replace
    other strncpy()s with strlcpy() too, which would have introduced even
    more information leaks:

    - https://lore.kernel.org/patchwork/patch/954991/
    - https://patchwork.kernel.org/patch/10434351/

    Commit cac5818c25d0 ("crypto: user - Implement a generic crypto
    statistics") also uses the buggy strlcpy() approach and therefore leaks
    uninitialized memory to userspace. A fix was proposed, but it was
    originally incomplete.

    Seeing as how apparently no one can get this right with the current
    approach, change all the reporting functions to:

    - Start by memsetting the report structure to 0. This guarantees it's
    always initialized, regardless of what happens later.
    - Initialize all strings using strscpy(). This is safe after the
    memset, ensures null termination of long strings, avoids unnecessary
    work, and avoids the -Wstringop-truncation warnings from gcc.
    - Use sizeof(var) instead of sizeof(type). This is more robust against
    copy+paste errors.

    For simplicity, also reuse the -EMSGSIZE return value from nla_put().

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
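As an added illustration of the pattern this commit describes (not kernel code; the struct, the userland copy helper and the 0xAA sentinel are constructed stand-ins), the no-memset fill beside the memset-first fill:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for a report structure NETLINK_CRYPTO copies to userspace
 * (constructed for this example). */
struct report {
	char name[16];
	uint32_t flags;
};

/* Userland stand-in for kernel strlcpy()/strscpy(): copies at most size-1
 * bytes and NUL-terminates; bytes after the terminator are left untouched. */
static void bounded_cpy(char *dst, const char *src, size_t size)
{
	size_t n = strlen(src);
	if (n > size - 1)
		n = size - 1;
	memcpy(dst, src, n);
	dst[n] = '\0';
}

/* Pre-fix pattern: no memset, so whatever was on the stack after the
 * terminator survives and is copied to userspace by nla_put(). */
void report_leaky(struct report *r, const char *name, uint32_t flags)
{
	bounded_cpy(r->name, name, sizeof(r->name));
	r->flags = flags;
}

/* Fixed pattern from the commit: zero the whole object first, then copy
 * with a strscpy-style call sized by sizeof(var), not sizeof(type). */
void report_fixed(struct report *r, const char *name, uint32_t flags)
{
	memset(r, 0, sizeof(*r));
	bounded_cpy(r->name, name, sizeof(r->name));
	r->flags = flags;
}

/* Count bytes still holding a 0xAA sentinel (the caller fills the object
 * with it to model stale stack data); each one would have leaked. */
int stale_bytes(const struct report *r)
{
	const unsigned char *p = (const unsigned char *)r;
	int count = 0;
	for (size_t i = 0; i < sizeof(*r); i++)
		count += (p[i] == 0xAA);
	return count;
}
```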
  • The acomp, akcipher, and kpp algorithm types already have .report
    methods defined, so there's no need to duplicate this functionality in
    crypto_user itself; the duplicate functions are actually never executed.
    Remove the unused code.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • Trivial fix to clean up various indentation issues

    Signed-off-by: Colin Ian King
    Signed-off-by: Herbert Xu

    Colin Ian King
     
  • Passing string 'name' as the format specifier is potentially hazardous
    because name could (although very unlikely to) have a format specifier
    embedded in it causing issues when parsing the non-existent arguments
    to these. Follow best practice by using the "%s" format string for
    the string 'name'.

    Cleans up clang warning:
    crypto/pcrypt.c:397:40: warning: format string is not a string literal
    (potentially insecure) [-Wformat-security]

    Fixes: a3fb1e330dd2 ("pcrypt: Added sysfs interface to pcrypt")
    Signed-off-by: Colin Ian King
    Signed-off-by: Herbert Xu

    Colin Ian King
     
  • Add AES128/192/256-CFB testvectors from NIST SP800-38A.

    Signed-off-by: Dmitry Eremin-Solenikov
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Eremin-Solenikov
    Signed-off-by: Herbert Xu

    Dmitry Eremin-Solenikov
     
  • crypto_cfb_decrypt_segment() incorrectly XOR'ed generated keystream with
    IV, rather than with data stream, resulting in incorrect decryption.
    Test vectors will be added in the next patch.

    Signed-off-by: Dmitry Eremin-Solenikov
    Cc: stable@vger.kernel.org
    Signed-off-by: Herbert Xu

    Dmitry Eremin-Solenikov
     
  • In crypto_alloc_context(), a DMA pool is allocated through dma_pool_alloc()
    to hold the crypto context. The metadata of the DMA pool, including the
    pool used for the allocation 'ndev->ctx_pool' and the base address of the
    DMA pool used by the device 'dma', is then stored at the beginning of the
    pool. This metadata is eventually used in crypto_free_context() to free
    the DMA pool through dma_pool_free(). However, given that the DMA pool can
    also be accessed by the device, a malicious device can modify this
    metadata, especially when the device is controlled to deploy an attack.
    This can cause an unexpected DMA pool free failure.

    To avoid the above issue, this patch introduces a new structure
    crypto_ctx_hdr and a new field chdr in the structure nitrox_crypto_ctx to
    hold the metadata of the DMA pool after the allocation. Note that
    the original structure ctx_hdr is not changed, to ensure compatibility.

    Signed-off-by: Wenwen Wang
    Signed-off-by: Herbert Xu

    Wenwen Wang
     
  • Add support for SM3 cipher in CryptoCell 713.

    Signed-off-by: Yael Chemla
    Signed-off-by: Herbert Xu

    Yael Chemla
     
  • Encapsulate the set_cipher_mode call with another API, in
    preparation for the specific hash behavior needed in later patches
    when SM3 is introduced.

    Signed-off-by: Yael Chemla
    Signed-off-by: Herbert Xu

    Yael Chemla
     
  • Adjust hash length such that it will not be fixed and general for all algs.
    Instead make it suitable for certain context information.
    This is preparation for SM3 support.

    Signed-off-by: Yael Chemla
    Signed-off-by: Herbert Xu

    Yael Chemla
     
  • Add support for SM4 cipher in CryptoCell 713.

    Signed-off-by: Gilad Ben-Yossef
    Signed-off-by: Herbert Xu

    Gilad Ben-Yossef
     
  • Add device tree bindings associating Arm TrustZone CryptoCell 713 with the
    ccree driver.

    Signed-off-by: Gilad Ben-Yossef
    Reviewed-by: Rob Herring
    Signed-off-by: Herbert Xu

    Gilad Ben-Yossef
     
  • Add support for Arm TrustZone CryptoCell 713.
    Note that this patch just enables using a 713 in a mode backwards
    compatible with the 712. Newer 713-specific features will follow.

    Signed-off-by: Gilad Ben-Yossef
    Signed-off-by: Herbert Xu

    Gilad Ben-Yossef
     
  • Make the ARM scalar AES implementation closer to constant-time by
    disabling interrupts and prefetching the tables into L1 cache. This is
    feasible because, thanks to ARM's "free" rotations, the main tables are
    only 1024 bytes instead of the usual 4096 used by most AES implementations.

    On ARM Cortex-A7, the speed loss is only about 5%. The resulting code
    is still over twice as fast as aes_ti.c. Responsiveness is potentially
    a concern, but interrupts are only disabled for a single AES block.

    Note that even after these changes, the implementation still isn't
    necessarily guaranteed to be constant-time; see
    https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
    of the many difficulties involved in writing truly constant-time AES
    software. But it's valuable to make such attacks more difficult.

    Much of this patch is based on patches suggested by Ard Biesheuvel.

    Suggested-by: Ard Biesheuvel
    Signed-off-by: Eric Biggers
    Reviewed-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Eric Biggers