1. 27 Oct, 2023 20 commits
    • Eric Biggers's avatar
      crypto: adiantum - stop using alignmask of shash_alg · 321dfe97
      Eric Biggers authored
      Now that the shash algorithm type does not support nonzero alignmasks,
      shash_alg::base.cra_alignmask is always 0, so OR-ing it into another
      value is a no-op.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      321dfe97
    • Eric Biggers's avatar
      crypto: testmgr - stop checking crypto_shash_alignmask · 2125c11e
      Eric Biggers authored
      Now that the shash algorithm type does not support nonzero alignmasks,
      crypto_shash_alignmask() always returns 0 and will be removed.  In
      preparation for this, stop checking crypto_shash_alignmask() in testmgr.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      2125c11e
    • Eric Biggers's avatar
      crypto: drbg - stop checking crypto_shash_alignmask · eed577b9
      Eric Biggers authored
      Now that the shash algorithm type does not support nonzero alignmasks,
      crypto_shash_alignmask() always returns 0 and will be removed.  In
      preparation for this, stop checking crypto_shash_alignmask() in drbg.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      eed577b9
    • Eric Biggers's avatar
      libceph: stop checking crypto_shash_alignmask · 69dde0a1
      Eric Biggers authored
      Now that the shash algorithm type does not support nonzero alignmasks,
      crypto_shash_alignmask() always returns 0 and will be removed.  In
      preparation for this, stop checking crypto_shash_alignmask() in
      net/ceph/messenger_v2.c.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      69dde0a1
    • Eric Biggers's avatar
      crypto: shash - remove support for nonzero alignmask · 345bfa3c
      Eric Biggers authored
      Currently, the shash API checks the alignment of all message, key, and
      digest buffers against the algorithm's declared alignmask, and for any
      unaligned buffers it falls back to manually aligned temporary buffers.
      
      This is virtually useless, however.  In the case of the message buffer,
      cryptographic hash functions internally operate on fixed-size blocks, so
      implementations end up needing to deal with byte-aligned data anyway
      because the length(s) passed to ->update might not be divisible by the
      block size.  Word-alignment of the message can theoretically be helpful
      for CRCs, like what was being done in crc32c-sparc64.  But in practice
      it's better for the algorithms to use unaligned accesses or align the
      message themselves.  A similar argument applies to the key and digest.
      
      In any case, no shash algorithms actually set a nonzero alignmask
      anymore.  Therefore, remove support for it from shash.  The benefit is
      that all the code to handle "misaligned" buffers in the shash API goes
      away, reducing the overhead of the shash API.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      345bfa3c
    • Eric Biggers's avatar
      crypto: xcbc - remove unnecessary alignment logic · a2b11180
      Eric Biggers authored
      The xcbc template is setting its alignmask to that of its underlying
      'cipher'.  Yet, it doesn't care itself about how its inputs and outputs
      are aligned, which is ostensibly the point of the alignmask.  Instead,
      xcbc actually just uses its alignmask itself to runtime-align certain
      fields in its tfm and desc contexts appropriately for its underlying
      cipher.  That is almost entirely pointless too, though, since xcbc is
      already using the cipher API functions that handle alignment themselves,
      and few ciphers set a nonzero alignmask anyway.  Also, even without
      runtime alignment, an alignment of at least 4 bytes can be guaranteed.
      
      Thus, at best this code is optimizing for the rare case of ciphers that
      set an alignmask >= 7, at the cost of hurting the common cases.
      
      Therefore, this patch removes the manual alignment code from xcbc and
      makes it stop setting an alignmask.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      a2b11180
    • Eric Biggers's avatar
      crypto: vmac - don't set alignmask · 1fb90689
      Eric Biggers authored
      The vmac template is setting its alignmask to that of its underlying
      'cipher'.  This doesn't actually accomplish anything useful, though, so
      stop doing it.  (vmac_update() does have an alignment bug, where it
      assumes u64 alignment when it shouldn't, but that bug exists both before
      and after this patch.)  This is a prerequisite for removing support for
      nonzero alignmasks from shash.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1fb90689
    • Eric Biggers's avatar
      crypto: hmac - remove unnecessary alignment logic · 25c74a39
      Eric Biggers authored
      The hmac template is setting its alignmask to that of its underlying
      unkeyed hash algorithm, and it is aligning the ipad and opad fields in
      its tfm context to that alignment.  However, hmac does not actually need
      any sort of alignment itself, which makes this pointless except to keep
      the pads aligned to what the underlying algorithm prefers.  But very few
      shash algorithms actually set an alignmask, and it is being removed from
      those remaining ones; also, after setkey, the pads are only passed to
      crypto_shash_import and crypto_shash_export which ignore the alignmask.
      
      Therefore, make the hmac template stop setting an alignmask and simply
      use natural alignment for ipad and opad.  Note, this change also moves
      the pads from the beginning of the tfm context to the end, which makes
      much more sense; the variable-length fields should be at the end.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      25c74a39
    • Eric Biggers's avatar
      crypto: cmac - remove unnecessary alignment logic · f9dc9f2e
      Eric Biggers authored
      The cmac template is setting its alignmask to that of its underlying
      'cipher'.  Yet, it doesn't care itself about how its inputs and outputs
      are aligned, which is ostensibly the point of the alignmask.  Instead,
      cmac actually just uses its alignmask itself to runtime-align certain
      fields in its tfm and desc contexts appropriately for its underlying
      cipher.  That is almost entirely pointless too, though, since cmac is
      already using the cipher API functions that handle alignment themselves,
      and few ciphers set a nonzero alignmask anyway.  Also, even without
      runtime alignment, an alignment of at least 4 bytes can be guaranteed.
      
      Thus, at best this code is optimizing for the rare case of ciphers that
      set an alignmask >= 7, at the cost of hurting the common cases.
      
      Therefore, this patch removes the manual alignment code from cmac and
      makes it stop setting an alignmask.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f9dc9f2e
    • Eric Biggers's avatar
      crypto: cbcmac - remove unnecessary alignment logic · 21415bfe
      Eric Biggers authored
      The cbcmac template is aligning a field in its desc context to the
      alignmask of its underlying 'cipher', at runtime.  This is almost
      entirely pointless, since cbcmac is already using the cipher API
      functions that handle alignment themselves, and few ciphers set a
      nonzero alignmask anyway.  Also, even without runtime alignment, an
      alignment of at least 4 bytes can be guaranteed.
      
      Thus, at best this code is optimizing for the rare case of ciphers that
      set an alignmask >= 7, at the cost of hurting the common cases.
      
      Therefore, remove the manual alignment code from cbcmac.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      21415bfe
    • Eric Biggers's avatar
      crypto: loongarch/crc32 - remove redundant setting of alignmask to 0 · d72c46f7
      Eric Biggers authored
      This unnecessary explicit setting of cra_alignmask to 0 shows up when
      grepping for shash algorithms that set an alignmask.  Remove it.  No
      change in behavior.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d72c46f7
    • Eric Biggers's avatar
      crypto: mips/crc32 - remove redundant setting of alignmask to 0 · 9cf52f7b
      Eric Biggers authored
      This unnecessary explicit setting of cra_alignmask to 0 shows up when
      grepping for shash algorithms that set an alignmask.  Remove it.  No
      change in behavior.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      9cf52f7b
    • Eric Biggers's avatar
      crypto: xilinx/zynqmp-sha - remove unnecessary alignmask · 71e8c241
      Eric Biggers authored
      The zynqmp-sha3-384 algorithm sets a nonzero alignmask, but it doesn't
      appear to actually need it.  Therefore, stop setting it.  This will
      allow this algorithm to keep being registered after alignmask support is
      removed from shash.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      71e8c241
    • Eric Biggers's avatar
      crypto: stm32 - remove unnecessary alignmask · 0174275a
      Eric Biggers authored
      The stm32 crc32 algorithms set a nonzero alignmask, but they don't seem
      to actually need it.  Their ->update function already has code that
      handles aligning the data to the same alignment that the alignmask
      specifies, their ->setkey function already uses get_unaligned_le32(),
      and their ->final function already uses put_unaligned_le32().
      Therefore, stop setting the alignmask.  This will allow these algorithms
      to keep being registered after alignmask support is removed from shash.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      0174275a
    • Eric Biggers's avatar
      crypto: sparc/crc32c - stop using the shash alignmask · 99240038
      Eric Biggers authored
      As far as I can tell, "crc32c-sparc64" is the only "shash" algorithm in
      the kernel that sets a nonzero alignmask and actually relies on it to
      get the crypto API to align the inputs and outputs.  This capability is
      not really useful, though.  To unblock removing the support for
      alignmask from shash_alg, this patch updates crc32c-sparc64 to no longer
      use the alignmask.  This means doing 8-byte alignment of the data when
      doing an update, using get_unaligned_le32() when setting a non-default
      initial CRC, and using put_unaligned_le32() to output the final CRC.
      
      Partially tested with:
      
          export ARCH=sparc64 CROSS_COMPILE=sparc64-linux-gnu-
          make sparc64_defconfig
          echo CONFIG_CRYPTO_CRC32C_SPARC64=y >> .config
          echo '# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set' >> .config
          echo CONFIG_DEBUG_KERNEL=y >> .config
          echo CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y >> .config
          make olddefconfig
          make -j$(getconf _NPROCESSORS_ONLN)
          qemu-system-sparc64 -kernel arch/sparc/boot/image  -nographic
      
      However, qemu doesn't actually support the sparc CRC32C instructions, so
      for the test I temporarily replaced crc32c_sparc64() with __crc32c_le()
      and made sparc64_has_crc32c_opcode() always return true.  So essentially
      I tested the glue code, not the actual SPARC part which is unchanged.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      99240038
    • Eric Biggers's avatar
      crypto: shash - eliminate indirect call for default import and export · 08debaa5
      Eric Biggers authored
      Most shash algorithms don't have custom ->import and ->export functions,
      resulting in the memcpy() based default being used.  Yet,
      crypto_shash_import() and crypto_shash_export() still make an indirect
      call, which is expensive.  Therefore, change how the default import and
      export are called to make it so that crypto_shash_import() and
      crypto_shash_export() don't do an indirect call in this case.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      08debaa5
    • Om Prakash Singh's avatar
      dt-bindings: crypto: qcom,prng: document SA8775P and SC7280 · a411f6de
      Om Prakash Singh authored
      Document SA8775P and SC7280 compatible for the True Random Number
      Generator.
      Signed-off-by: default avatarOm Prakash Singh <quic_omprsing@quicinc.com>
      Reviewed-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
      Reviewed-by: default avatarBjorn Andersson <andersson@kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      a411f6de
    • Herbert Xu's avatar
      crypto: rsa - Add module alias for pkcs1pad · f5fb88e5
      Herbert Xu authored
      Add a module alias for pkcs1pas so that it can be auto-loaded by
      modprobe.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f5fb88e5
    • Herbert Xu's avatar
      certs: Break circular dependency when selftest is modular · 04a93202
      Herbert Xu authored
      The modular build fails because the self-test code depends on pkcs7
      which in turn depends on x509 which contains the self-test.
      
      Split the self-test out into its own module to break the cycle.
      
      Fixes: 3cde3174 ("certs: Add FIPS selftests")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      04a93202
    • WangJinchao's avatar
      padata: Fix refcnt handling in padata_free_shell() · 7ddc21e3
      WangJinchao authored
      In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead
      to system UAF (Use-After-Free) issues. Due to the lengthy analysis of
      the pcrypt_aead01 function call, I'll describe the problem scenario
      using a simplified model:
      
      Suppose there's a user of padata named `user_function` that adheres to
      the padata requirement of calling `padata_free_shell` after `serial()`
      has been invoked, as demonstrated in the following code:
      
      ```c
      struct request {
          struct padata_priv padata;
          struct completion *done;
      };
      
      void parallel(struct padata_priv *padata) {
          do_something();
      }
      
      void serial(struct padata_priv *padata) {
          struct request *request = container_of(padata,
          				struct request,
      				padata);
          complete(request->done);
      }
      
      void user_function() {
          DECLARE_COMPLETION(done)
          padata->parallel = parallel;
          padata->serial = serial;
          padata_do_parallel();
          wait_for_completion(&done);
          padata_free_shell();
      }
      ```
      
      In the corresponding padata.c file, there's the following code:
      
      ```c
      static void padata_serial_worker(struct work_struct *serial_work) {
          ...
          cnt = 0;
      
          while (!list_empty(&local_list)) {
              ...
              padata->serial(padata);
              cnt++;
          }
      
          local_bh_enable();
      
          if (refcount_sub_and_test(cnt, &pd->refcnt))
              padata_free_pd(pd);
      }
      ```
      
      Because of the high system load and the accumulation of unexecuted
      softirq at this moment, `local_bh_enable()` in padata takes longer
      to execute than usual. Subsequently, when accessing `pd->refcnt`,
      `pd` has already been released by `padata_free_shell()`, resulting
      in a UAF issue with `pd->refcnt`.
      
      The fix is straightforward: add `refcount_dec_and_test` before calling
      `padata_free_pd` in `padata_free_shell`.
      
      Fixes: 07928d9b ("padata: Remove broken queue flushing")
      Signed-off-by: default avatarWangJinchao <wangjinchao@xfusion.com>
      Acked-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
      Acked-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7ddc21e3
  2. 20 Oct, 2023 20 commits