1. 28 Feb, 2019 7 commits
  2. 22 Feb, 2019 17 commits
  3. 15 Feb, 2019 4 commits
  4. 08 Feb, 2019 12 commits
    • Herbert Xu's avatar
      crypto: qat - Remove unused goto label · 920d7f72
      Herbert Xu authored
      This patch removes an unused label.
      Reported-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Fixes: f0fcf9ad ("crypto: qat - no need to check return...")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      920d7f72
    • Gilad Ben-Yossef's avatar
      MAINTAINERS: crypto: ccree: remove co-maintainer · 532a50fd
      Gilad Ben-Yossef authored
      The best-laid plans of mice and men often go awry.
      Remove Yael C. as co-maintainer as she moved on to other endeavours.
      Signed-off-by: default avatarGilad Ben-Yossef <gilad@benyossef.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      532a50fd
    • Eric Biggers's avatar
      crypto: testmgr - check for aead_request corruption · a6e5ef9b
      Eric Biggers authored
      Check that algorithms do not change the aead_request structure, as users
      may rely on submitting the request again (e.g. after copying new data
      into the same source buffer) without reinitializing everything.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      a6e5ef9b
    • Eric Biggers's avatar
      crypto: testmgr - check for skcipher_request corruption · fa353c99
      Eric Biggers authored
      Check that algorithms do not change the skcipher_request structure, as
      users may rely on submitting the request again (e.g. after copying new
      data into the same source buffer) without reinitializing everything.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      fa353c99
    • Eric Biggers's avatar
      crypto: testmgr - convert hash testing to use testvec_configs · 4cc2dcf9
      Eric Biggers authored
      Convert alg_test_hash() to use the new test framework, adding a list of
      testvec_configs to test by default.  When the extra self-tests are
      enabled, randomly generated testvec_configs are tested as well.
      
      This improves hash test coverage mainly because now all algorithms have
      a variety of data layouts tested, whereas before each algorithm was
      responsible for declaring its own chunked test cases which were often
      missing or provided poor test coverage.  The new code also tests both
      the MAY_SLEEP and !MAY_SLEEP cases and buffers that cross pages.
      
      This already found bugs in the hash walk code and in the arm32 and arm64
      implementations of crct10dif.
      
      I removed the hash chunked test vectors that were the same as
      non-chunked ones, but left the ones that were unique.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      4cc2dcf9
    • Eric Biggers's avatar
      crypto: testmgr - convert aead testing to use testvec_configs · ed96804f
      Eric Biggers authored
      Convert alg_test_aead() to use the new test framework, using the same
      list of testvec_configs that skcipher testing uses.
      
      This significantly improves AEAD test coverage mainly because previously
      there was only very limited test coverage of the possible data layouts.
      Now the data layouts to test are listed in one place for all algorithms
      and optionally are also randomly generated.  In fact, only one AEAD
      algorithm (AES-GCM) even had a chunked test case before.
      
      This already found bugs in all the AEGIS and MORUS implementations, the
      x86 AES-GCM implementation, and the arm64 AES-CCM implementation.
      
      I removed the AEAD chunked test vectors that were the same as
      non-chunked ones, but left the ones that were unique.
      
      Note: the rewritten test code allocates an aead_request just once per
      algorithm rather than once per encryption/decryption, but some AEAD
      algorithms incorrectly change the tfm pointer in the request.  It's
      nontrivial to fix these, so to move forward I'm temporarily working
      around it by resetting the tfm pointer.  But they'll need to be fixed.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      ed96804f
    • Eric Biggers's avatar
      crypto: testmgr - convert skcipher testing to use testvec_configs · 4e7babba
      Eric Biggers authored
      Convert alg_test_skcipher() to use the new test framework, adding a list
      of testvec_configs to test by default.  When the extra self-tests are
      enabled, randomly generated testvec_configs are tested as well.
      
      This improves skcipher test coverage mainly because now all algorithms
      have a variety of data layouts tested, whereas before each algorithm was
      responsible for declaring its own chunked test cases which were often
      missing or provided poor test coverage.  The new code also tests both
      the MAY_SLEEP and !MAY_SLEEP cases, different IV alignments, and buffers
      that cross pages.
      
      This has already found a bug in the arm64 ctr-aes-neonbs algorithm.
      It would have easily found many past bugs.
      
      I removed the skcipher chunked test vectors that were the same as
      non-chunked ones, but left the ones that were unique.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      4e7babba
    • Eric Biggers's avatar
      crypto: testmgr - implement random testvec_config generation · 25f9dddb
      Eric Biggers authored
      Add functions that generate a random testvec_config, in preparation for
      using it for randomized fuzz tests.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      25f9dddb
    • Eric Biggers's avatar
      crypto: testmgr - introduce CONFIG_CRYPTO_MANAGER_EXTRA_TESTS · 5b2706a4
      Eric Biggers authored
      To achieve more comprehensive crypto test coverage, I'd like to add fuzz
      tests that use random data layouts and request flags.
      
      To be most effective these tests should be part of testmgr, so they
      automatically run on every algorithm registered with the crypto API.
      However, they will take much longer to run than the current tests and
      therefore will only really be intended to be run by developers, whereas
      the current tests have a wider audience.
      
      Therefore, add a new kconfig option CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
      that can be set by developers to enable these extra, expensive tests.
      
      Similar to the regular tests, also add a module parameter
      cryptomgr.noextratests to support disabling the tests.
      
      Finally, another module parameter cryptomgr.fuzz_iterations is added to
      control how many iterations the fuzz tests do.  Note: for now setting
      this to 0 will be equivalent to cryptomgr.noextratests=1.  But I opted
      for separate parameters to provide more flexibility to add other types
      of tests under the "extra tests" category in the future.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      5b2706a4
    • Eric Biggers's avatar
      crypto: testmgr - add testvec_config struct and helper functions · 3f47a03d
      Eric Biggers authored
      Crypto algorithms must produce the same output for the same input
      regardless of data layout, i.e. how the src and dst scatterlists are
      divided into chunks and how each chunk is aligned.  Request flags such
      as CRYPTO_TFM_REQ_MAY_SLEEP must not affect the result either.
      
      However, testing of this currently has many gaps.  For example,
      individual algorithms are responsible for providing their own chunked
      test vectors.  But many don't bother to do this or test only one or two
      cases, providing poor test coverage.  Also, other things such as
      misaligned IVs and CRYPTO_TFM_REQ_MAY_SLEEP are never tested at all.
      
      Test code is also duplicated between the chunked and non-chunked cases,
      making it difficult to make other improvements.
      
      To improve the situation, this patch series basically moves the chunk
      descriptions into the testmgr itself so that they are shared by all
      algorithms.  However, it's done in an extensible way via a new struct
      'testvec_config', which describes not just the scaled chunk lengths but
      also all other aspects of the crypto operation besides the data itself
      such as the buffer alignments, the request flags, whether the operation
      is in-place or not, the IV alignment, and for hash algorithms when to
      do each update() and when to use finup() vs. final() vs. digest().
      
      Then, this patch series makes skcipher, aead, and hash algorithms be
      tested against a list of default testvec_configs, replacing the current
      test code.  This improves overall test coverage, without reducing test
      performance too much.  Note that the test vectors themselves are not
      changed, except for removing the chunk lists.
      
      This series also adds randomized fuzz tests, enabled by a new kconfig
      option intended for developer use only, where skcipher, aead, and hash
      algorithms are tested against many randomly generated testvec_configs.
      This provides much more comprehensive test coverage.
      
      These improved tests have already exposed many bugs.
      
      To start it off, this initial patch adds the testvec_config and various
      helper functions that will be used by the skcipher, aead, and hash test
      code that will be converted to use the new testvec_config framework.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3f47a03d
    • Eric Biggers's avatar
      crypto: arm64/aes-neonbs - fix returning final keystream block · 12455e32
      Eric Biggers authored
      The arm64 NEON bit-sliced implementation of AES-CTR fails the improved
      skcipher tests because it sometimes produces the wrong ciphertext.  The
      bug is that the final keystream block isn't returned from the assembly
      code when the number of non-final blocks is zero.  This can happen if
      the input data ends a few bytes after a page boundary.  In this case the
      last bytes get "encrypted" by XOR'ing them with uninitialized memory.
      
      Fix the assembly code to return the final keystream block when needed.
      
      Fixes: 88a3f582 ("crypto: arm64/aes - don't use IV buffer to return final keystream block")
      Cc: <stable@vger.kernel.org> # v4.11+
      Reviewed-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      12455e32
    • Eric Biggers's avatar
      crypto: ahash - fix another early termination in hash walk · 77568e53
      Eric Biggers authored
      Hash algorithms with an alignmask set, e.g. "xcbc(aes-aesni)" and
      "michael_mic", fail the improved hash tests because they sometimes
      produce the wrong digest.  The bug is that in the case where a
      scatterlist element crosses pages, not all the data is actually hashed
      because the scatterlist walk terminates too early.  This happens because
      the 'nbytes' variable in crypto_hash_walk_done() is assigned the number
      of bytes remaining in the page, then later interpreted as the number of
      bytes remaining in the scatterlist element.  Fix it.
      
      Fixes: 900a081f ("crypto: ahash - Fix early termination in hash walk")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      77568e53