- 18 Apr, 2019 37 commits
-
-
Vitaly Chikunov authored
Previous akcipher .verify() just `decrypts' (using RSA encrypt which is using public key) signature to uncover message hash, which was then compared in upper level public_key_verify_signature() with the expected hash value, which itself was never passed into verify(). This approach was incompatible with EC-DSA family of algorithms, because, to verify a signature EC-DSA algorithm also needs a hash value as input; then it's used (together with a signature divided into halves `r||s') to produce a witness value, which is then compared with `r' to determine if the signature is correct. Thus, for EC-DSA, nor requirements of .verify() itself, nor its output expectations in public_key_verify_signature() wasn't sufficient. Make improved .verify() call which gets hash value as input and produce complete signature check without any output besides status. Now for the top level verification only crypto_akcipher_verify() needs to be called and its return value inspected. Make sure that `digest' is in kmalloc'd memory (in place of `output`) in {public,tpm}_key_verify_signature() as insisted by Herbert Xu, and will be changed in the following commit. Cc: David Howells <dhowells@redhat.com> Cc: keyrings@vger.kernel.org Signed-off-by:Vitaly Chikunov <vt@altlinux.org> Reviewed-by:
Denis Kenzior <denkenz@gmail.com> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au>
-
Vitaly Chikunov authored
In preparation for new akcipher verify call remove sign/verify callbacks from RSA backends and make PKCS1 driver call encrypt/decrypt instead. This also complies with the well-known idea that raw RSA should never be used for sign/verify. It only should be used with proper padding scheme such as PKCS1 driver provides. Cc: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Cc: qat-linux@intel.com Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Gary Hook <gary.hook@amd.com> Cc: Horia Geantă <horia.geanta@nxp.com> Cc: Aymen Sghaier <aymen.sghaier@nxp.com> Signed-off-by:
Horia Geantă <horia.geanta@nxp.com> Acked-by:
Gary R Hook <gary.hook@amd.com> Signed-off-by:
-
Vitaly Chikunov authored
Because with the introduction of EC-RDSA and change in workings of RSA in regard to sign/verify, akcipher could have not all callbacks defined, check the presence of callbacks in crypto_register_akcipher() and provide default implementation if the callback is not implemented. This is suggested by Herbert Xu instead of checking the presence of the callback on every request. Signed-off-by:
-
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes the registration of the non-standard des/des3 ablkcipher algorithms. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by:
Corentin Labbe <clabbe.montjoie@gmail.com> Tested-by:
-
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by:
-
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes a couple of unnecessary key length checks that are already performed by the crypto API. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes an unnecessary key length checks that are already performed by the crypto API. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes a couple of unnecessary key length checks that are already performed by the crypto API. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes a couple of unnecessary key length checks that are already performed by the crypto API. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by:
Gilad Ben-Yossef <gilad@benyossef.com> Signed-off-by:
-
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by:
Iuliana Prodan <iuliana.prodan@nxp.com> Signed-off-by:
-
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. This patch also removes the bogus CFB 3DES modes that only work with a short 3DES key not otherwise allowed by the crypto API. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: -
Herbert Xu authored
This patch adds a requirement to the generic 3DES implementation such that 2-key 3DES (K1 == K3) is no longer allowed in FIPS mode. We will also provide helpers that may be used by drivers that implement 3DES to make the same check. Signed-off-by: -
Eric Biggers authored
In the VMX implementations of AES and AES modes, return -EINVAL when an invalid key length is provided, rather than some unusual error code determined via a series of additions. This makes the behavior match the other AES implementations in the kernel's crypto API. Cc: Daniel Axtens <dja@axtens.net> Signed-off-by:
Eric Biggers <ebiggers@google.com> Signed-off-by:
-
Eric Biggers authored
If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. xts-aes-neonbs doesn't set an alignmask, so currently it isn't affected by this despite unconditionally accessing walk.iv. However this is more subtle than desired, and unconditionally accessing walk.iv has caused a real problem in other algorithms. Thus, update xts-aes-neonbs to start checking the return value of skcipher_walk_virt(). Fixes: 1abee99e ("crypto: arm64/aes - reimplement bit-sliced ARM/NEON implementation for arm64") Cc: <stable@vger.kernel.org> # v4.11+ Signed-off-by:
-
Eric Biggers authored
If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't affected by this despite unconditionally accessing walk.iv. However this is more subtle than desired, and it was actually broken prior to the alignmask being removed by commit cc477bf6 ("crypto: arm/aes - replace bit-sliced OpenSSL NEON code"). Thus, update xts-aes-neonbs to start checking the return value of skcipher_walk_virt(). Fixes: e4e7f10b ("ARM: add support for bit sliced AES using NEON instructions") Cc: <stable@vger.kernel.org> # v3.13+ Signed-off-by:
-
Eric Biggers authored
If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. salsa20-generic doesn't set an alignmask, so currently it isn't affected by this despite unconditionally accessing walk.iv. However this is more subtle than desired, and it was actually broken prior to the alignmask being removed by commit b62b3db7 ("crypto: salsa20-generic - cleanup and convert to skcipher API"). Since salsa20-generic does not update the IV and does not need any IV alignment, update it to use req->iv instead of walk.iv. Fixes: 2407d608 ("[CRYPTO] salsa20: Salsa20 stream cipher") Cc: stable@vger.kernel.org Signed-off-by:
-
Eric Biggers authored
If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. Fix this in the LRW template by checking the return value of skcipher_walk_virt(). This bug was detected by my patches that improve testmgr to fuzz algorithms against their generic implementation. When the extra self-tests were run on a KASAN-enabled kernel, a KASAN use-after-free splat occured during lrw(aes) testing. Fixes: c778f96b ("crypto: lrw - Optimize tweak computation") Cc: <stable@vger.kernel.org> # v4.20+ Cc: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by:
-
YueHaibing authored
Fixes gcc '-Wunused-but-set-variable' warning: drivers/crypto/mxs-dcp.c: In function 'dcp_chan_thread_sha': drivers/crypto/mxs-dcp.c:707:11: warning: variable 'fini' set but not used [-Wunused-but-set-variable] It's not used since commit d80771c0 ("crypto: mxs-dcp - Fix wait logic on chan threads"),so can be removed. Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Signed-off-by:
-
Joe Perches authored
IS_ENABLED should be reserved for CONFIG_<FOO> uses so convert the uses of IS_ENABLED with a #define to __is_defined. Signed-off-by:
Joe Perches <joe@perches.com> Signed-off-by:
-
Vakul Garg authored
In function caam_jr_dequeue(), a full memory barrier is used before writing response job ring's register to signal removal of the completed job. Therefore for writing the register, we do not need another write memory barrier. Hence it is removed by replacing the call to wr_reg32() with a newly defined function wr_reg32_relaxed(). Signed-off-by:
Vakul Garg <vakul.garg@nxp.com> Signed-off-by:
-
Singh, Brijesh authored
Currently, we free the psp_master if the PLATFORM_INIT fails during the SEV FW probe. If psp_master is freed then driver does not invoke the PSP FW. As per SEV FW spec, there are several commands (PLATFORM_RESET, PLATFORM_STATUS, GET_ID etc) which can be executed in the UNINIT state We should not free the psp_master when PLATFORM_INIT fails. Fixes: 200664d5 ("crypto: ccp: Add SEV support") Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Gary Hook <gary.hook@amd.com> Cc: stable@vger.kernel.org # 4.19.y Signed-off-by:
Brijesh Singh <brijesh.singh@amd.com> Signed-off-by:
-
Lionel Debieve authored
Change the wait condition to check if the hash is busy. Context can be saved as soon as hash has finishing processing data. Remove unused lock in the device structure. Signed-off-by:
Lionel Debieve <lionel.debieve@st.com> Signed-off-by:
-
- 16 Apr, 2019 1 commit
-
-
Herbert Xu authored
This driver has been completely broken since the very beginning because it doesn't even have a setkey function. This means that nobody has ever used it as it would crash during setkey. This patch removes this driver. Fixes: d293b640 ("crypto: mxc-scc - add basic driver for the...") Signed-off-by:
-
- 15 Apr, 2019 2 commits
-
-
Lionel Debieve authored
Add a default quality to hw_random device to be automatically set as new default entropy. Setting random quality will decrease the crng init time by switching to this hardware random source. Signed-off-by:
-
Lionel Debieve authored
No remove function implemented yet in the driver. Without remove function, the pm_runtime implementation complains when removing and probing again the driver. Signed-off-by:
-
