1. 27 Jun, 2019 1 commit
  2. 20 Jun, 2019 15 commits
  3. 13 Jun, 2019 17 commits
  4. 06 Jun, 2019 7 commits
    • Eric Biggers's avatar
      crypto: chacha20poly1305 - fix atomic sleep when using async algorithm · 7545b6c2
      Eric Biggers authored
      Clear the CRYPTO_TFM_REQ_MAY_SLEEP flag when the chacha20poly1305
      operation is being continued from an async completion callback, since
      sleeping may not be allowed in that context.
      
      This is basically the same bug that was recently fixed in the xts and
      lrw templates.  But, it's always been broken in chacha20poly1305 too.
      This was found using syzkaller in combination with the updated crypto
      self-tests which actually test the MAY_SLEEP flag now.
      
      Reproducer:
      
          python -c 'import socket; socket.socket(socket.AF_ALG, 5, 0).bind(
          	       ("aead", "rfc7539(cryptd(chacha20-generic),poly1305-generic)"))'
      
      Kernel output:
      
          BUG: sleeping function called from invalid context at include/crypto/algapi.h:426
          in_atomic(): 1, irqs_disabled(): 0, pid: 1001, name: kworker/2:2
          [...]
          CPU: 2 PID: 1001 Comm: kworker/2:2 Not tainted 5.2.0-rc2 #5
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
          Workqueue: crypto cryptd_queue_worker
          Call Trace:
           __dump_stack lib/dump_stack.c:77 [inline]
           dump_stack+0x4d/0x6a lib/dump_stack.c:113
           ___might_sleep kernel/sched/core.c:6138 [inline]
           ___might_sleep.cold.19+0x8e/0x9f kernel/sched/core.c:6095
           crypto_yield include/crypto/algapi.h:426 [inline]
           crypto_hash_walk_done+0xd6/0x100 crypto/ahash.c:113
           shash_ahash_update+0x41/0x60 crypto/shash.c:251
           shash_async_update+0xd/0x10 crypto/shash.c:260
           crypto_ahash_update include/crypto/hash.h:539 [inline]
           poly_setkey+0xf6/0x130 crypto/chacha20poly1305.c:337
           poly_init+0x51/0x60 crypto/chacha20poly1305.c:364
           async_done_continue crypto/chacha20poly1305.c:78 [inline]
           poly_genkey_done+0x15/0x30 crypto/chacha20poly1305.c:369
           cryptd_skcipher_complete+0x29/0x70 crypto/cryptd.c:279
           cryptd_skcipher_decrypt+0xcd/0x110 crypto/cryptd.c:339
           cryptd_queue_worker+0x70/0xa0 crypto/cryptd.c:184
           process_one_work+0x1ed/0x420 kernel/workqueue.c:2269
           worker_thread+0x3e/0x3a0 kernel/workqueue.c:2415
           kthread+0x11f/0x140 kernel/kthread.c:255
           ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
      
      Fixes: 71ebc4d1 ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
      Cc: <stable@vger.kernel.org> # v4.2+
      Cc: Martin Willi <martin@strongswan.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7545b6c2
    • YueHaibing's avatar
      crypto: atmel-i2c - Fix build error while CRC16 set to m · 4bb02dbd
      YueHaibing authored
      If CRYPTO_DEV_ATMEL_ECC is set m, which select CRC16 to m,
      while CRYPTO_DEV_ATMEL_SHA204A is set to y, building fails.
      
      drivers/crypto/atmel-i2c.o: In function 'atmel_i2c_checksum':
      atmel-i2c.c:(.text+0x16): undefined reference to 'crc16'
      
      Add CRC16 dependency to CRYPTO_DEV_ATMEL_SHA204A
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Fixes: da001fb6 ("crypto: atmel-i2c - add support for SHA204A random number generator")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      4bb02dbd
    • Iuliana Prodan's avatar
      crypto: caam - disable some clock checks for iMX7ULP · 385cfc84
      Iuliana Prodan authored
      Disabled the check and set of 'mem' and 'emi_slow'
      clocks, since these are not available for iMX7ULP.
      Signed-off-by: default avatarIuliana Prodan <iuliana.prodan@nxp.com>
      Reviewed-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      385cfc84
    • Ard Biesheuvel's avatar
      crypto: caam - limit output IV to CBC to work around CTR mode DMA issue · ed527b13
      Ard Biesheuvel authored
      The CAAM driver currently violates an undocumented and slightly
      controversial requirement imposed by the crypto stack that a buffer
      referred to by the request structure via its virtual address may not
      be modified while any scatterlists passed via the same request
      structure are mapped for inbound DMA.
      
      This may result in errors like
      
        alg: aead: decryption failed on test 1 for gcm_base(ctr-aes-caam,ghash-generic): ret=74
        alg: aead: Failed to load transform for gcm(aes): -2
      
      on non-cache coherent systems, due to the fact that the GCM driver
      passes an IV buffer by virtual address which shares a cacheline with
      the auth_tag buffer passed via a scatterlist, resulting in corruption
      of the auth_tag when the IV is updated while the DMA mapping is live.
      
      Since the IV that is returned to the caller is only valid for CBC mode,
      and given that the in-kernel users of CBC (such as CTS) don't trigger the
      same issue as the GCM driver, let's just disable the output IV generation
      for all modes except CBC for the time being.
      
      Fixes: 854b06f7 ("crypto: caam - properly set IV after {en,de}crypt")
      Cc: Horia Geanta <horia.geanta@nxp.com>
      Cc: Iuliana Prodan <iuliana.prodan@nxp.com>
      Reported-by: default avatarSascha Hauer <s.hauer@pengutronix.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Reviewed-by: default avatarHoria Geanta <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      ed527b13
    • Herbert Xu's avatar
      crypto: atmel - Fix sparse endianness warnings · 49d22167
      Herbert Xu authored
      The param2 member in atmel_i2c_cmd is supposed to be little-endian
      but was marked as u16.  This patch changes it to a __le16 which
      reveals a missing endian swap in atmel_i2c_init_read_cmd.
      
      Another missing little-endian marking is also added in
      atmel_i2c_checksum.
      
      Fixes: 11105693 ("crypto: atmel-ecc - introduce Microchip...")
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      49d22167
    • Eric Biggers's avatar
      crypto: lrw - use correct alignmask · 20a0f976
      Eric Biggers authored
      Commit c778f96b ("crypto: lrw - Optimize tweak computation")
      incorrectly reduced the alignmask of LRW instances from
      '__alignof__(u64) - 1' to '__alignof__(__be32) - 1'.
      
      However, xor_tweak() and setkey() assume that the data and key,
      respectively, are aligned to 'be128', which has u64 alignment.
      
      Fix the alignmask to be at least '__alignof__(be128) - 1'.
      
      Fixes: c778f96b ("crypto: lrw - Optimize tweak computation")
      Cc: <stable@vger.kernel.org> # v4.20+
      Cc: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      20a0f976
    • Eric Biggers's avatar
      crypto: ghash - fix unaligned memory access in ghash_setkey() · 5c6bc4df
      Eric Biggers authored
      Changing ghash_mod_init() to be subsys_initcall made it start running
      before the alignment fault handler has been installed on ARM.  In kernel
      builds where the keys in the ghash test vectors happened to be
      misaligned in the kernel image, this exposed the longstanding bug that
      ghash_setkey() is incorrectly casting the key buffer (which can have any
      alignment) to be128 for passing to gf128mul_init_4k_lle().
      
      Fix this by memcpy()ing the key to a temporary buffer.
      
      Don't fix it by setting an alignmask on the algorithm instead because
      that would unnecessarily force alignment of the data too.
      
      Fixes: 2cdc6899 ("crypto: ghash - Add GHASH digest algorithm for GCM")
      Reported-by: default avatarPeter Robinson <pbrobinson@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Tested-by: default avatarPeter Robinson <pbrobinson@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      5c6bc4df