1. 18 Apr, 2019 23 commits
  2. 16 Apr, 2019 1 commit
  3. 15 Apr, 2019 2 commits
  4. 08 Apr, 2019 14 commits
    • Eric Biggers's avatar
      crypto: testmgr - add panic_on_fail module parameter · eda69b0c
      Eric Biggers authored
      Add a module parameter cryptomgr.panic_on_fail which causes the kernel
      to panic if any crypto self-tests fail.
      
      Use cases:
      
      - More easily detect crypto self-test failures by boot testing,
        e.g. on KernelCI.
      - Get a bug report if syzkaller manages to use the template system to
        instantiate an algorithm that fails its self-tests.
      
      The command-line option "fips=1" already does this, but it also makes
      other changes not wanted for general testing, such as disabling
      "unapproved" algorithms.  panic_on_fail just does what it says.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      eda69b0c
    • Eric Biggers's avatar
      crypto: arm64/cbcmac - handle empty messages in same way as template · f6e9af87
      Eric Biggers authored
      My patches to make testmgr fuzz algorithms against their generic
      implementation detected that the arm64 implementations of "cbcmac(aes)"
      handle empty messages differently from the cbcmac template.  Namely, the
      arm64 implementations return the encrypted initial value, but the cbcmac
      template returns the initial value directly.
      
      This isn't actually a meaningful case because any user of cbcmac needs
      to prepend the message length, as CCM does; otherwise it's insecure.
      However, we should keep the behavior consistent; at the very least this
      makes testing easier.
      
      Do it the easy way, which is to change the arm64 implementations to have
      the same behavior as the cbcmac template.
      
      For what it's worth, ghash does things essentially the same way: it
      returns its initial value when given an empty message, even though in
      practice ghash is never passed an empty message.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f6e9af87
    • Eric Biggers's avatar
      crypto: cts - don't support empty messages · c31a8719
      Eric Biggers authored
      My patches to make testmgr fuzz algorithms against their generic
      implementation detected that the arm64 implementations of
      "cts(cbc(aes))" handle empty messages differently from the cts template.
      Namely, the arm64 implementations forbids (with -EINVAL) all messages
      shorter than the block size, including the empty message; but the cts
      template permits empty messages as a special case.
      
      No user should be CTS-encrypting/decrypting empty messages, but we need
      to keep the behavior consistent.  Unfortunately, as noted in the source
      of OpenSSL's CTS implementation [1], there's no common specification for
      CTS.  This makes it somewhat debatable what the behavior should be.
      
      However, all CTS specifications seem to agree that messages shorter than
      the block size are not allowed, and OpenSSL follows this in both CTS
      conventions it implements.  It would also simplify the user-visible
      semantics to have empty messages no longer be a special case.
      
      Therefore, make the cts template return -EINVAL on *all* messages
      shorter than the block size, including the empty message.
      
      [1] https://github.com/openssl/openssl/blob/master/crypto/modes/cts128.cSigned-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c31a8719
    • Eric Biggers's avatar
      crypto: streebog - fix unaligned memory accesses · c5c46887
      Eric Biggers authored
      Don't cast the data buffer directly to streebog_uint512, as this
      violates alignment rules.
      
      Fixes: fe18957e ("crypto: streebog - add Streebog hash function")
      Cc: Vitaly Chikunov <vt@altlinux.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarVitaly Chikunov <vt@altlinux.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c5c46887
    • Eric Biggers's avatar
      crypto: chacha20poly1305 - set cra_name correctly · 5e27f38f
      Eric Biggers authored
      If the rfc7539 template is instantiated with specific implementations,
      e.g. "rfc7539(chacha20-generic,poly1305-generic)" rather than
      "rfc7539(chacha20,poly1305)", then the implementation names end up
      included in the instance's cra_name.  This is incorrect because it then
      prevents all users from allocating "rfc7539(chacha20,poly1305)", if the
      highest priority implementations of chacha20 and poly1305 were selected.
      Also, the self-tests aren't run on an instance allocated in this way.
      
      Fix it by setting the instance's cra_name from the underlying
      algorithms' actual cra_names, rather than from the requested names.
      This matches what other templates do.
      
      Fixes: 71ebc4d1 ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
      Cc: <stable@vger.kernel.org> # v4.2+
      Cc: Martin Willi <martin@strongswan.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      5e27f38f
    • Eric Biggers's avatar
      crypto: skcipher - don't WARN on unprocessed data after slow walk step · dcaca01a
      Eric Biggers authored
      skcipher_walk_done() assumes it's a bug if, after the "slow" path is
      executed where the next chunk of data is processed via a bounce buffer,
      the algorithm says it didn't process all bytes.  Thus it WARNs on this.
      
      However, this can happen legitimately when the message needs to be
      evenly divisible into "blocks" but isn't, and the algorithm has a
      'walksize' greater than the block size.  For example, ecb-aes-neonbs
      sets 'walksize' to 128 bytes and only supports messages evenly divisible
      into 16-byte blocks.  If, say, 17 message bytes remain but they straddle
      scatterlist elements, the skcipher_walk code will take the "slow" path
      and pass the algorithm all 17 bytes in the bounce buffer.  But the
      algorithm will only be able to process 16 bytes, triggering the WARN.
      
      Fix this by just removing the WARN_ON().  Returning -EINVAL, as the code
      already does, is the right behavior.
      
      This bug was detected by my patches that improve testmgr to fuzz
      algorithms against their generic implementation.
      
      Fixes: b286d8b1 ("crypto: skcipher - Add skcipher walk interface")
      Cc: <stable@vger.kernel.org> # v4.10+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      dcaca01a
    • Eric Biggers's avatar
      crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest() · dec3d0b1
      Eric Biggers authored
      The ->digest() method of crct10dif-pclmul reads the current CRC value
      from the shash_desc context.  But this value is uninitialized, causing
      crypto_shash_digest() to compute the wrong result.  Fix it.
      
      Probably this wasn't noticed before because lib/crc-t10dif.c only uses
      crypto_shash_update(), not crypto_shash_digest().  Likewise,
      crypto_shash_digest() is not yet tested by the crypto self-tests because
      those only test the ahash API which only uses shash init/update/final.
      
      Fixes: 0b95a7f8 ("crypto: crct10dif - Glue code to cast accelerated CRCT10DIF assembly as a crypto transform")
      Cc: <stable@vger.kernel.org> # v3.11+
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      dec3d0b1
    • Eric Biggers's avatar
      crypto: crct10dif-generic - fix use via crypto_shash_digest() · 307508d1
      Eric Biggers authored
      The ->digest() method of crct10dif-generic reads the current CRC value
      from the shash_desc context.  But this value is uninitialized, causing
      crypto_shash_digest() to compute the wrong result.  Fix it.
      
      Probably this wasn't noticed before because lib/crc-t10dif.c only uses
      crypto_shash_update(), not crypto_shash_digest().  Likewise,
      crypto_shash_digest() is not yet tested by the crypto self-tests because
      those only test the ahash API which only uses shash init/update/final.
      
      This bug was detected by my patches that improve testmgr to fuzz
      algorithms against their generic implementation.
      
      Fixes: 2d31e518 ("crypto: crct10dif - Wrap crc_t10dif function all to use crypto transform framework")
      Cc: <stable@vger.kernel.org> # v3.11+
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      307508d1
    • YueHaibing's avatar
      crypto: nx842 - remove set but not used variables 'dpadding' and 'max_sync_size' · f947d7fd
      YueHaibing authored
      Fixes gcc '-Wunused-but-set-variable' warning:
      
      drivers/crypto/nx/nx-842.c: In function 'decompress':
      drivers/crypto/nx/nx-842.c:356:25: warning: variable 'dpadding' set but not used [-Wunused-but-set-variable]
      drivers/crypto/nx/nx-842-pseries.c: In function 'nx842_pseries_compress':
      drivers/crypto/nx/nx-842-pseries.c:299:15: warning: variable 'max_sync_size' set but not used [-Wunused-but-set-variable]
      drivers/crypto/nx/nx-842-pseries.c: In function 'nx842_pseries_decompress':
      drivers/crypto/nx/nx-842-pseries.c:430:15: warning: variable 'max_sync_size' set but not used [-Wunused-but-set-variable]
      
      They are not used any more and can be removed.
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f947d7fd
    • YueHaibing's avatar
      crypto: mxs-dcp - return errcode in mxs_dcp_aes_enqueue and dcp_sha_update_fx · dbbaffef
      YueHaibing authored
      'err' is set in err path, but it's not returned to callers.
      Don't always return -EINPROGRESS, return err.
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      dbbaffef
    • YueHaibing's avatar
      crypto: marvell - remove set but not used variable 'index' · d3154977
      YueHaibing authored
      Fixes gcc '-Wunused-but-set-variable' warning:
      
      drivers/crypto/marvell/hash.c: In function 'mv_cesa_ahash_pad_req':
      drivers/crypto/marvell/hash.c:138:15: warning: variable 'index' set but not used [-Wunused-but-set-variable]
      
      It's never used and can be removed.
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d3154977
    • YueHaibing's avatar
      crypto: ccp - Use kmemdup in ccp_copy_and_save_keypart() · 8316da02
      YueHaibing authored
      Use kmemdup rather than duplicating its implementation
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Acked-by: default avatarGary R Hook <gary.hook@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      8316da02
    • Andi Kleen's avatar
      crypto: aes - Use ___cacheline_aligned for aes data · 61abc356
      Andi Kleen authored
      cacheline_aligned is a special section. It cannot be const at the same
      time because it's not read-only. It doesn't give any MMU protection.
      
      Mark it ____cacheline_aligned to not place it in a special section,
      but just align it in .rodata
      
      Cc: herbert@gondor.apana.org.au
      Suggested-by: default avatarRasmus Villemoes <linux@rasmusvillemoes.dk>
      Signed-off-by: default avatarAndi Kleen <ak@linux.intel.com>
      Acked-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      61abc356
    • Sebastian Andrzej Siewior's avatar
      crypto: scompress - Use per-CPU struct instead multiple variables · 71052dcf
      Sebastian Andrzej Siewior authored
      Two per-CPU variables are allocated as pointer to per-CPU memory which
      then are used as scratch buffers.
      We could be smart about this and use instead a per-CPU struct which
      contains the pointers already and then we need to allocate just the
      scratch buffers.
      Add a lock to the struct. By doing so we can avoid the get_cpu()
      statement and gain lockdep coverage (if enabled) to ensure that the lock
      is always acquired in the right context. On non-preemptible kernels the
      lock vanishes.
      It is okay to use raw_cpu_ptr() in order to get a pointer to the struct
      since it is protected by the spinlock.
      
      The diffstat of this is negative and according to size scompress.o:
         text    data     bss     dec     hex filename
         1847     160      24    2031     7ef dbg_before.o
         1754     232       4    1990     7c6 dbg_after.o
         1799      64      24    1887     75f no_dbg-before.o
         1703      88       4    1795     703 no_dbg-after.o
      
      The overall size increase difference is also negative. The increase in
      the data section is only four bytes without lockdep.
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      71052dcf