1. 25 Apr, 2019 16 commits
  2. 19 Apr, 2019 2 commits
    • Eric Biggers's avatar
      crypto: ccm - fix incompatibility between "ccm" and "ccm_base" · 6a1faa4a
      Eric Biggers authored
      CCM instances can be created by either the "ccm" template, which only
      allows choosing the block cipher, e.g. "ccm(aes)"; or by "ccm_base",
      which allows choosing the ctr and cbcmac implementations, e.g.
      "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
      
      However, a "ccm_base" instance prevents a "ccm" instance from being
      registered using the same implementations.  Nor will the instance be
      found by lookups of "ccm".  This can be used as a denial of service.
      Moreover, "ccm_base" instances are never tested by the crypto
      self-tests, even if there are compatible "ccm" tests.
      
      The root cause of these problems is that instances of the two templates
      use different cra_names.  Therefore, fix these problems by making
      "ccm_base" instances set the same cra_name as "ccm" instances, e.g.
      "ccm(aes)" instead of "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
      
      This requires extracting the block cipher name from the name of the ctr
      and cbcmac algorithms.  It also requires starting to verify that the
      algorithms are really ctr and cbcmac using the same block cipher, not
      something else entirely.  But it would be bizarre if anyone were
      actually using non-ccm-compatible algorithms with ccm_base, so this
      shouldn't break anyone in practice.
      
      Fixes: 4a49b499 ("[CRYPTO] ccm: Added CCM mode")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      6a1faa4a
    • Eric Biggers's avatar
      crypto: gcm - fix incompatibility between "gcm" and "gcm_base" · f699594d
      Eric Biggers authored
      GCM instances can be created by either the "gcm" template, which only
      allows choosing the block cipher, e.g. "gcm(aes)"; or by "gcm_base",
      which allows choosing the ctr and ghash implementations, e.g.
      "gcm_base(ctr(aes-generic),ghash-generic)".
      
      However, a "gcm_base" instance prevents a "gcm" instance from being
      registered using the same implementations.  Nor will the instance be
      found by lookups of "gcm".  This can be used as a denial of service.
      Moreover, "gcm_base" instances are never tested by the crypto
      self-tests, even if there are compatible "gcm" tests.
      
      The root cause of these problems is that instances of the two templates
      use different cra_names.  Therefore, fix these problems by making
      "gcm_base" instances set the same cra_name as "gcm" instances, e.g.
      "gcm(aes)" instead of "gcm_base(ctr(aes-generic),ghash-generic)".
      
      This requires extracting the block cipher name from the name of the ctr
      algorithm.  It also requires starting to verify that the algorithms are
      really ctr and ghash, not something else entirely.  But it would be
      bizarre if anyone were actually using non-gcm-compatible algorithms with
      gcm_base, so this shouldn't break anyone in practice.
      
      Fixes: d00aa19b ("[CRYPTO] gcm: Allow block cipher parameter")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f699594d
  3. 18 Apr, 2019 22 commits
    • Eric Biggers's avatar
      crypto: shash - fix missed optimization in shash_ahash_digest() · 67cb60e4
      Eric Biggers authored
      shash_ahash_digest(), which is the ->digest() method for ahash tfms that
      use an shash algorithm, has an optimization where crypto_shash_digest()
      is called if the data is in a single page.  But an off-by-one error
      prevented this path from being taken unless the user happened to provide
      extra data in the scatterlist.  Fix it.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      67cb60e4
    • Eric Biggers's avatar
      crypto: powerpc - convert to use crypto_simd_usable() · 626ddb2f
      Eric Biggers authored
      Replace all calls to in_interrupt() in the PowerPC crypto code with
      !crypto_simd_usable().  This causes the crypto self-tests to test the
      no-SIMD code paths when CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y.
      
      The p8_ghash algorithm is currently failing and needs to be fixed, as it
      produces the wrong digest when no-SIMD updates are mixed with SIMD ones.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      626ddb2f
    • Eric Biggers's avatar
      crypto: cavium - remove bogus code handling cryptd · 0edf8593
      Eric Biggers authored
      The cavium crypto driver adds 'sizeof(struct ablkcipher_request)' to its
      request size because "the cryptd daemon uses this memory for request_ctx
      information".  This is incorrect and unnecessary; cryptd doesn't require
      wrapped algorithms to reserve extra request space.  So remove this.
      
      Also remove the unneeded memset() of the tfm context to 0.
      It's already zeroed on allocation.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      0edf8593
    • Eric Biggers's avatar
      crypto: cryptd - remove ability to instantiate ablkciphers · 0a877e35
      Eric Biggers authored
      Remove cryptd_alloc_ablkcipher() and the ability of cryptd to create
      algorithms with the deprecated "ablkcipher" type.
      
      This has been unused since commit 0e145b47 ("crypto: ablk_helper -
      remove ablk_helper").  Instead, cryptd_alloc_skcipher() is used.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      0a877e35
    • Sebastian Andrzej Siewior's avatar
      crypto: scompress - initialize per-CPU variables on each CPU · 8c3fffe3
      Sebastian Andrzej Siewior authored
      In commit 71052dcf ("crypto: scompress - Use per-CPU struct instead
      multiple variables") I accidentally initialized multiple times the memory on a
      random CPU. I should have initialize the memory on every CPU like it has
      been done earlier. I didn't notice this because the scheduler didn't
      move the task to another CPU.
      Guenter managed to do that and the code crashed as expected.
      
      Allocate / free per-CPU memory on each CPU.
      
      Fixes: 71052dcf ("crypto: scompress - Use per-CPU struct instead multiple variables")
      Reported-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Tested-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      8c3fffe3
    • Zhang Zhijie's avatar
      crypto: rockchip - update IV buffer to contain the next IV · f0cfd57b
      Zhang Zhijie authored
      The Kernel Crypto API request output the next IV data to
      IV buffer for CBC implementation. So the last block data of
      ciphertext should be copid into assigned IV buffer.
      Reported-by: default avatarEric Biggers <ebiggers@google.com>
      Fixes: 433cd2c6 ("crypto: rockchip - add crypto driver for rk3288")
      Cc: <stable@vger.kernel.org> # v4.5+
      Signed-off-by: default avatarZhang Zhijie <zhangzj@rock-chips.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f0cfd57b
    • Eric Biggers's avatar
      crypto: run initcalls for generic implementations earlier · c4741b23
      Eric Biggers authored
      Use subsys_initcall for registration of all templates and generic
      algorithm implementations, rather than module_init.  Then change
      cryptomgr to use arch_initcall, to place it before the subsys_initcalls.
      
      This is needed so that when both a generic and optimized implementation
      of an algorithm are built into the kernel (not loadable modules), the
      generic implementation is registered before the optimized one.
      Otherwise, the self-tests for the optimized implementation are unable to
      allocate the generic implementation for the new comparison fuzz tests.
      
      Note that on arm, a side effect of this change is that self-tests for
      generic implementations may run before the unaligned access handler has
      been installed.  So, unaligned accesses will crash the kernel.  This is
      arguably a good thing as it makes it easier to detect that type of bug.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c4741b23
    • Eric Biggers's avatar
      crypto: testmgr - fuzz AEADs against their generic implementation · 40153b10
      Eric Biggers authored
      When the extra crypto self-tests are enabled, test each AEAD algorithm
      against its generic implementation when one is available.  This
      involves: checking the algorithm properties for consistency, then
      randomly generating test vectors using the generic implementation and
      running them against the implementation under test.  Both good and bad
      inputs are tested.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      40153b10
    • Eric Biggers's avatar
      crypto: testmgr - fuzz skciphers against their generic implementation · d435e10e
      Eric Biggers authored
      When the extra crypto self-tests are enabled, test each skcipher
      algorithm against its generic implementation when one is available.
      This involves: checking the algorithm properties for consistency, then
      randomly generating test vectors using the generic implementation and
      running them against the implementation under test.  Both good and bad
      inputs are tested.
      
      This has already detected a bug in the skcipher_walk API, a bug in the
      LRW template, and an inconsistency in the cts implementations.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d435e10e
    • Eric Biggers's avatar
      crypto: testmgr - fuzz hashes against their generic implementation · 9a8a6b3f
      Eric Biggers authored
      When the extra crypto self-tests are enabled, test each hash algorithm
      against its generic implementation when one is available.  This
      involves: checking the algorithm properties for consistency, then
      randomly generating test vectors using the generic implementation and
      running them against the implementation under test.  Both good and bad
      inputs are tested.
      
      This has already detected a bug in the x86 implementation of poly1305,
      bugs in crct10dif, and an inconsistency in cbcmac.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      9a8a6b3f
    • Eric Biggers's avatar
      crypto: testmgr - add helpers for fuzzing against generic implementation · f2bb770a
      Eric Biggers authored
      Add some helper functions in preparation for fuzz testing algorithms
      against their generic implementation.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f2bb770a
    • Eric Biggers's avatar
      crypto: testmgr - identify test vectors by name rather than number · 951d1332
      Eric Biggers authored
      In preparation for fuzz testing algorithms against their generic
      implementation, make error messages in testmgr identify test vectors by
      name rather than index.  Built-in test vectors are simply "named" by
      their index in testmgr.h, as before.  But (in later patches) generated
      test vectors will be given more descriptive names to help developers
      debug problems detected with them.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      951d1332
    • Eric Biggers's avatar
      crypto: testmgr - expand ability to test for errors · 5283a8ee
      Eric Biggers authored
      Update testmgr to support testing for specific errors from setkey() and
      digest() for hashes; setkey() and encrypt()/decrypt() for skciphers and
      ciphers; and setkey(), setauthsize(), and encrypt()/decrypt() for AEADs.
      This is useful because algorithms usually restrict the lengths or format
      of the message, key, and/or authentication tag in some way.  And bad
      inputs should be tested too, not just good inputs.
      
      As part of this change, remove the ambiguously-named 'fail' flag and
      replace it with 'setkey_error = -EINVAL' for the only test vector that
      used it -- the DES weak key test vector.  Note that this tightens the
      test to require -EINVAL rather than any error code, but AFAICS this
      won't cause any test failure.
      
      Other than that, these new fields aren't set on any test vectors yet.
      Later patches will do so.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      5283a8ee
    • Vitaly Chikunov's avatar
      integrity: support EC-RDSA signatures for asymmetric_verify · be08f0c6
      Vitaly Chikunov authored
      Allow to use EC-RDSA signatures for IMA by determining signature type by
      the hash algorithm name. This works good for EC-RDSA since Streebog and
      EC-RDSA should always be used together.
      
      Cc: Mimi Zohar <zohar@linux.ibm.com>
      Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
      Cc: linux-integrity@vger.kernel.org
      Signed-off-by: default avatarVitaly Chikunov <vt@altlinux.org>
      Reviewed-by: default avatarMimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      be08f0c6
    • Vitaly Chikunov's avatar
      crypto: ecrdsa - add EC-RDSA test vectors to testmgr · 32fbdbd3
      Vitaly Chikunov authored
      Add testmgr test vectors for EC-RDSA algorithm for every of five
      supported parameters (curves). Because there are no officially published
      test vectors for the curves, the vectors are generated by gost-engine.
      Signed-off-by: default avatarVitaly Chikunov <vt@altlinux.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      32fbdbd3
    • Vitaly Chikunov's avatar
      crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm · 0d7a7864
      Vitaly Chikunov authored
      Add Elliptic Curve Russian Digital Signature Algorithm (GOST R
      34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since
      2018 the CIS countries) cryptographic standard algorithms (called GOST
      algorithms). Only signature verification is supported, with intent to be
      used in the IMA.
      
      Summary of the changes:
      
      * crypto/Kconfig:
        - EC-RDSA is added into Public-key cryptography section.
      
      * crypto/Makefile:
        - ecrdsa objects are added.
      
      * crypto/asymmetric_keys/x509_cert_parser.c:
        - Recognize EC-RDSA and Streebog OIDs.
      
      * include/linux/oid_registry.h:
        - EC-RDSA OIDs are added to the enum. Also, a two currently not
          implemented curve OIDs are added for possible extension later (to
          not change numbering and grouping).
      
      * crypto/ecc.c:
        - Kenneth MacKay copyright date is updated to 2014, because
          vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his
          code from micro-ecc.
        - Functions needed for ecrdsa are EXPORT_SYMBOL'ed.
        - New functions:
          vli_is_negative - helper to determine sign of vli;
          vli_from_be64 - unpack big-endian array into vli (used for
            a signature);
          vli_from_le64 - unpack little-endian array into vli (used for
            a public key);
          vli_uadd, vli_usub - add/sub u64 value to/from vli (used for
            increment/decrement);
          mul_64_64 - optimized to use __int128 where appropriate, this speeds
            up point multiplication (and as a consequence signature
            verification) by the factor of 1.5-2;
          vli_umult - multiply vli by a small value (speeds up point
            multiplication by another factor of 1.5-2, depending on vli sizes);
          vli_mmod_special - module reduction for some form of Pseudo-Mersenne
            primes (used for the curves A);
          vli_mmod_special2 - module reduction for another form of
            Pseudo-Mersenne primes (used for the curves B);
          vli_mmod_barrett - module reduction using pre-computed value (used
            for the curve C);
          vli_mmod_slow - more general module reduction which is much slower
           (used when the modulus is subgroup order);
          vli_mod_mult_slow - modular multiplication;
          ecc_point_add - add two points;
          ecc_point_mult_shamir - add two points multiplied by scalars in one
            combined multiplication (this gives speed up by another factor 2 in
            compare to two separate multiplications).
          ecc_is_pubkey_valid_partial - additional samity check is added.
        - Updated vli_mmod_fast with non-strict heuristic to call optimal
            module reduction function depending on the prime value;
        - All computations for the previously defined (two NIST) curves should
          not unaffected.
      
      * crypto/ecc.h:
        - Newly exported functions are documented.
      
      * crypto/ecrdsa_defs.h
        - Five curves are defined.
      
      * crypto/ecrdsa.c:
        - Signature verification is implemented.
      
      * crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1:
        - Templates for BER decoder for EC-RDSA parameters and public key.
      
      Cc: linux-integrity@vger.kernel.org
      Signed-off-by: default avatarVitaly Chikunov <vt@altlinux.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      0d7a7864
    • Vitaly Chikunov's avatar
      crypto: ecc - make ecc into separate module · 4a2289da
      Vitaly Chikunov authored
      ecc.c have algorithms that could be used togeter by ecdh and ecrdsa.
      Make it separate module. Add CRYPTO_ECC into Kconfig. EXPORT_SYMBOL and
      document to what seems appropriate. Move structs ecc_point and ecc_curve
      from ecc_curve_defs.h into ecc.h.
      
      No code changes.
      Signed-off-by: default avatarVitaly Chikunov <vt@altlinux.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      4a2289da
    • Vitaly Chikunov's avatar
      crypto: Kconfig - create Public-key cryptography section · 3d6228a5
      Vitaly Chikunov authored
      Group RSA, DH, and ECDH into Public-key cryptography config section.
      Signed-off-by: default avatarVitaly Chikunov <vt@altlinux.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3d6228a5
    • Vitaly Chikunov's avatar
      X.509: parse public key parameters from x509 for akcipher · f1774cb8
      Vitaly Chikunov authored
      Some public key algorithms (like EC-DSA) keep in parameters field
      important data such as digest and curve OIDs (possibly more for
      different EC-DSA variants). Thus, just setting a public key (as
      for RSA) is not enough.
      
      Append parameters into the key stream for akcipher_set_{pub,priv}_key.
      Appended data is: (u32) algo OID, (u32) parameters length, parameters
      data.
      
      This does not affect current akcipher API nor RSA ciphers (they could
      ignore it). Idea of appending parameters to the key stream is by Herbert
      Xu.
      
      Cc: David Howells <dhowells@redhat.com>
      Cc: Denis Kenzior <denkenz@gmail.com>
      Cc: keyrings@vger.kernel.org
      Signed-off-by: default avatarVitaly Chikunov <vt@altlinux.org>
      Reviewed-by: default avatarDenis Kenzior <denkenz@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f1774cb8
    • Vitaly Chikunov's avatar
      KEYS: do not kmemdup digest in {public,tpm}_key_verify_signature · 83bc0299
      Vitaly Chikunov authored
      Treat (struct public_key_signature)'s digest same as its signature (s).
      Since digest should be already in the kmalloc'd memory do not kmemdup
      digest value before calling {public,tpm}_key_verify_signature.
      
      Patch is split from the previous as suggested by Herbert Xu.
      Suggested-by: default avatarDavid Howells <dhowells@redhat.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: keyrings@vger.kernel.org
      Signed-off-by: default avatarVitaly Chikunov <vt@altlinux.org>
      Reviewed-by: default avatarDenis Kenzior <denkenz@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      83bc0299
    • Vitaly Chikunov's avatar
      crypto: akcipher - new verify API for public key algorithms · c7381b01
      Vitaly Chikunov authored
      Previous akcipher .verify() just `decrypts' (using RSA encrypt which is
      using public key) signature to uncover message hash, which was then
      compared in upper level public_key_verify_signature() with the expected
      hash value, which itself was never passed into verify().
      
      This approach was incompatible with EC-DSA family of algorithms,
      because, to verify a signature EC-DSA algorithm also needs a hash value
      as input; then it's used (together with a signature divided into halves
      `r||s') to produce a witness value, which is then compared with `r' to
      determine if the signature is correct. Thus, for EC-DSA, nor
      requirements of .verify() itself, nor its output expectations in
      public_key_verify_signature() wasn't sufficient.
      
      Make improved .verify() call which gets hash value as input and produce
      complete signature check without any output besides status.
      
      Now for the top level verification only crypto_akcipher_verify() needs
      to be called and its return value inspected.
      
      Make sure that `digest' is in kmalloc'd memory (in place of `output`) in
      {public,tpm}_key_verify_signature() as insisted by Herbert Xu, and will
      be changed in the following commit.
      
      Cc: David Howells <dhowells@redhat.com>
      Cc: keyrings@vger.kernel.org
      Signed-off-by: default avatarVitaly Chikunov <vt@altlinux.org>
      Reviewed-by: default avatarDenis Kenzior <denkenz@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c7381b01
    • Vitaly Chikunov's avatar
      crypto: rsa - unimplement sign/verify for raw RSA backends · 3ecc9725
      Vitaly Chikunov authored
      In preparation for new akcipher verify call remove sign/verify callbacks
      from RSA backends and make PKCS1 driver call encrypt/decrypt instead.
      
      This also complies with the well-known idea that raw RSA should never be
      used for sign/verify. It only should be used with proper padding scheme
      such as PKCS1 driver provides.
      
      Cc: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
      Cc: qat-linux@intel.com
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Gary Hook <gary.hook@amd.com>
      Cc: Horia Geantă <horia.geanta@nxp.com>
      Cc: Aymen Sghaier <aymen.sghaier@nxp.com>
      Signed-off-by: default avatarVitaly Chikunov <vt@altlinux.org>
      Reviewed-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Acked-by: default avatarGary R Hook <gary.hook@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3ecc9725