- 18 Apr, 2019 35 commits
-
-
Vitaly Chikunov authored
Because with the introduction of EC-RDSA and change in workings of RSA in regard to sign/verify, akcipher could have not all callbacks defined, check the presence of callbacks in crypto_register_akcipher() and provide default implementation if the callback is not implemented. This is suggested by Herbert Xu instead of checking the presence of the callback on every request. Signed-off-by:
Vitaly Chikunov <vt@altlinux.org> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes the registration of the non-standard des/des3 ablkcipher algorithms. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by:
Corentin Labbe <clabbe.montjoie@gmail.com> Tested-by:
-
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by:
-
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes a couple of unnecessary key length checks that are already performed by the crypto API. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes an unnecessary key length checks that are already performed by the crypto API. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes a couple of unnecessary key length checks that are already performed by the crypto API. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes a couple of unnecessary key length checks that are already performed by the crypto API. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by:
Gilad Ben-Yossef <gilad@benyossef.com> Signed-off-by:
-
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by:
Horia Geantă <horia.geanta@nxp.com> Tested-by:
Iuliana Prodan <iuliana.prodan@nxp.com> Signed-off-by:
-
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. This patch also removes the bogus CFB 3DES modes that only work with a short 3DES key not otherwise allowed by the crypto API. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch adds a requirement to the generic 3DES implementation such that 2-key 3DES (K1 == K3) is no longer allowed in FIPS mode. We will also provide helpers that may be used by drivers that implement 3DES to make the same check. Signed-off-by: -
Eric Biggers authored
In the VMX implementations of AES and AES modes, return -EINVAL when an invalid key length is provided, rather than some unusual error code determined via a series of additions. This makes the behavior match the other AES implementations in the kernel's crypto API. Cc: Daniel Axtens <dja@axtens.net> Signed-off-by:
Eric Biggers <ebiggers@google.com> Signed-off-by:
-
Eric Biggers authored
If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. xts-aes-neonbs doesn't set an alignmask, so currently it isn't affected by this despite unconditionally accessing walk.iv. However this is more subtle than desired, and unconditionally accessing walk.iv has caused a real problem in other algorithms. Thus, update xts-aes-neonbs to start checking the return value of skcipher_walk_virt(). Fixes: 1abee99e ("crypto: arm64/aes - reimplement bit-sliced ARM/NEON implementation for arm64") Cc: <stable@vger.kernel.org> # v4.11+ Signed-off-by:
-
Eric Biggers authored
If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't affected by this despite unconditionally accessing walk.iv. However this is more subtle than desired, and it was actually broken prior to the alignmask being removed by commit cc477bf6 ("crypto: arm/aes - replace bit-sliced OpenSSL NEON code"). Thus, update xts-aes-neonbs to start checking the return value of skcipher_walk_virt(). Fixes: e4e7f10b ("ARM: add support for bit sliced AES using NEON instructions") Cc: <stable@vger.kernel.org> # v3.13+ Signed-off-by:
-
Eric Biggers authored
If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. salsa20-generic doesn't set an alignmask, so currently it isn't affected by this despite unconditionally accessing walk.iv. However this is more subtle than desired, and it was actually broken prior to the alignmask being removed by commit b62b3db7 ("crypto: salsa20-generic - cleanup and convert to skcipher API"). Since salsa20-generic does not update the IV and does not need any IV alignment, update it to use req->iv instead of walk.iv. Fixes: 2407d608 ("[CRYPTO] salsa20: Salsa20 stream cipher") Cc: stable@vger.kernel.org Signed-off-by:
-
Eric Biggers authored
If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. Fix this in the LRW template by checking the return value of skcipher_walk_virt(). This bug was detected by my patches that improve testmgr to fuzz algorithms against their generic implementation. When the extra self-tests were run on a KASAN-enabled kernel, a KASAN use-after-free splat occured during lrw(aes) testing. Fixes: c778f96b ("crypto: lrw - Optimize tweak computation") Cc: <stable@vger.kernel.org> # v4.20+ Cc: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by:
-
YueHaibing authored
Fixes gcc '-Wunused-but-set-variable' warning: drivers/crypto/mxs-dcp.c: In function 'dcp_chan_thread_sha': drivers/crypto/mxs-dcp.c:707:11: warning: variable 'fini' set but not used [-Wunused-but-set-variable] It's not used since commit d80771c0 ("crypto: mxs-dcp - Fix wait logic on chan threads"),so can be removed. Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Signed-off-by:
-
Joe Perches authored
IS_ENABLED should be reserved for CONFIG_<FOO> uses so convert the uses of IS_ENABLED with a #define to __is_defined. Signed-off-by:
Joe Perches <joe@perches.com> Signed-off-by:
-
Vakul Garg authored
In function caam_jr_dequeue(), a full memory barrier is used before writing response job ring's register to signal removal of the completed job. Therefore for writing the register, we do not need another write memory barrier. Hence it is removed by replacing the call to wr_reg32() with a newly defined function wr_reg32_relaxed(). Signed-off-by:
Vakul Garg <vakul.garg@nxp.com> Signed-off-by:
-
Singh, Brijesh authored
Currently, we free the psp_master if the PLATFORM_INIT fails during the SEV FW probe. If psp_master is freed then driver does not invoke the PSP FW. As per SEV FW spec, there are several commands (PLATFORM_RESET, PLATFORM_STATUS, GET_ID etc) which can be executed in the UNINIT state We should not free the psp_master when PLATFORM_INIT fails. Fixes: 200664d5 ("crypto: ccp: Add SEV support") Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Gary Hook <gary.hook@amd.com> Cc: stable@vger.kernel.org # 4.19.y Signed-off-by:
Brijesh Singh <brijesh.singh@amd.com> Signed-off-by:
-
Lionel Debieve authored
Change the wait condition to check if the hash is busy. Context can be saved as soon as hash has finishing processing data. Remove unused lock in the device structure. Signed-off-by:
Lionel Debieve <lionel.debieve@st.com> Signed-off-by:
-
- 16 Apr, 2019 1 commit
-
-
Herbert Xu authored
This driver has been completely broken since the very beginning because it doesn't even have a setkey function. This means that nobody has ever used it as it would crash during setkey. This patch removes this driver. Fixes: d293b640 ("crypto: mxc-scc - add basic driver for the...") Signed-off-by:
-
- 15 Apr, 2019 2 commits
-
-
Lionel Debieve authored
Add a default quality to hw_random device to be automatically set as new default entropy. Setting random quality will decrease the crng init time by switching to this hardware random source. Signed-off-by:
-
Lionel Debieve authored
No remove function implemented yet in the driver. Without remove function, the pm_runtime implementation complains when removing and probing again the driver. Signed-off-by:
-
- 08 Apr, 2019 2 commits
-
-
Eric Biggers authored
Add a module parameter cryptomgr.panic_on_fail which causes the kernel to panic if any crypto self-tests fail. Use cases: - More easily detect crypto self-test failures by boot testing, e.g. on KernelCI. - Get a bug report if syzkaller manages to use the template system to instantiate an algorithm that fails its self-tests. The command-line option "fips=1" already does this, but it also makes other changes not wanted for general testing, such as disabling "unapproved" algorithms. panic_on_fail just does what it says. Signed-off-by:
-
Eric Biggers authored
My patches to make testmgr fuzz algorithms against their generic implementation detected that the arm64 implementations of "cbcmac(aes)" handle empty messages differently from the cbcmac template. Namely, the arm64 implementations return the encrypted initial value, but the cbcmac template returns the initial value directly. This isn't actually a meaningful case because any user of cbcmac needs to prepend the message length, as CCM does; otherwise it's insecure. However, we should keep the behavior consistent; at the very least this makes testing easier. Do it the easy way, which is to change the arm64 implementations to have the same behavior as the cbcmac template. For what it's worth, ghash does things essentially the same way: it returns its initial value when given an empty message, even though in practice ghash is never passed an empty message. Signed-off-by:
-
