1. 22 Aug, 2017 15 commits
  2. 17 Aug, 2017 4 commits
  3. 09 Aug, 2017 9 commits
    • Stephan Mueller's avatar
      crypto: af_alg - consolidation of duplicate code · 2d97591e
      Stephan Mueller authored
      Consolidate following data structures:
      
      skcipher_async_req, aead_async_req -> af_alg_async_req
      skcipher_rsgl, aead_rsql -> af_alg_rsgl
      skcipher_tsgl, aead_tsql -> af_alg_tsgl
      skcipher_ctx, aead_ctx -> af_alg_ctx
      
      Consolidate following functions:
      
      skcipher_sndbuf, aead_sndbuf -> af_alg_sndbuf
      skcipher_writable, aead_writable -> af_alg_writable
      skcipher_rcvbuf, aead_rcvbuf -> af_alg_rcvbuf
      skcipher_readable, aead_readable -> af_alg_readable
      aead_alloc_tsgl, skcipher_alloc_tsgl -> af_alg_alloc_tsgl
      aead_count_tsgl, skcipher_count_tsgl -> af_alg_count_tsgl
      aead_pull_tsgl, skcipher_pull_tsgl -> af_alg_pull_tsgl
      aead_free_areq_sgls, skcipher_free_areq_sgls -> af_alg_free_areq_sgls
      aead_wait_for_wmem, skcipher_wait_for_wmem -> af_alg_wait_for_wmem
      aead_wmem_wakeup, skcipher_wmem_wakeup -> af_alg_wmem_wakeup
      aead_wait_for_data, skcipher_wait_for_data -> af_alg_wait_for_data
      aead_data_wakeup, skcipher_data_wakeup -> af_alg_data_wakeup
      aead_sendmsg, skcipher_sendmsg -> af_alg_sendmsg
      aead_sendpage, skcipher_sendpage -> af_alg_sendpage
      aead_async_cb, skcipher_async_cb -> af_alg_async_cb
      aead_poll, skcipher_poll -> af_alg_poll
      
      Split out the following common code from recvmsg:
      
      af_alg_alloc_areq: allocation of the request data structure for the
      cipher operation
      
      af_alg_get_rsgl: creation of the RX SGL anchored in the request data
      structure
      
      The following changes to the implementation without affecting the
      functionality have been applied to synchronize slightly different code
      bases in algif_skcipher and algif_aead:
      
      The wakeup in af_alg_wait_for_data is triggered when either more data
      is received or the indicator that more data is to be expected is
      released. The first is triggered by user space, the second is
      triggered by the kernel upon finishing the processing of data
      (i.e. the kernel is ready for more).
      
      af_alg_sendmsg uses size_t in min_t calculation for obtaining len.
      Return code determination is consistent with algif_skcipher. The
      scope of the variable i is reduced to match algif_aead. The type of the
      variable i is switched from int to unsigned int to match algif_aead.
      
      af_alg_sendpage does not contain the superfluous err = 0 from
      aead_sendpage.
      
      af_alg_async_cb requires to store the number of output bytes in
      areq->outlen before the AIO callback is triggered.
      
      The POLLIN / POLLRDNORM is now set when either not more data is given or
      the kernel is supplied with data. This is consistent to the wakeup from
      sleep when the kernel waits for data.
      
      The request data structure is extended by the field last_rsgl which
      points to the last RX SGL list entry. This shall help recvmsg
      implementation to chain the RX SGL to other SG(L)s if needed. It is
      currently used by algif_aead which chains the tag SGL to the RX SGL
      during decryption.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      2d97591e
    • Fabio Estevam's avatar
      crypto: caam - Remove unused dentry members · a92f7af3
      Fabio Estevam authored
      Most of the dentry members from structure caam_drv_private
      are never used at all, so it is safe to remove them.
      
      Since debugfs_remove_recursive() is called, we don't need the
      file entries.
      Signed-off-by: default avatarFabio Estevam <festevam@gmail.com>
      Acked-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      a92f7af3
    • Arnd Bergmann's avatar
      crypto: ccp - select CONFIG_CRYPTO_RSA · ac360faf
      Arnd Bergmann authored
      Without the base RSA code, we run into a link error:
      
      ERROR: "rsa_parse_pub_key" [drivers/crypto/ccp/ccp-crypto.ko] undefined!
      ERROR: "rsa_parse_priv_key" [drivers/crypto/ccp/ccp-crypto.ko] undefined!
      
      Like the other drivers implementing RSA in hardware, this
      can be avoided by always enabling the base support when we build
      CCP.
      
      Fixes: ceeec0af ("crypto: ccp - Add support for RSA on the CCP")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      ac360faf
    • Arnd Bergmann's avatar
      crypto: ccp - avoid uninitialized variable warning · d634baea
      Arnd Bergmann authored
      The added support for version 5 CCPs introduced a false-positive
      warning in the RSA implementation:
      
      drivers/crypto/ccp/ccp-ops.c: In function 'ccp_run_rsa_cmd':
      drivers/crypto/ccp/ccp-ops.c:1856:3: error: 'sb_count' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      This changes the code in a way that should make it easier for
      the compiler to track the state of the sb_count variable, and
      avoid the warning.
      
      Fixes: 6ba46c7d ("crypto: ccp - Fix base RSA function for version 5 CCPs")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarGary R Hook <gary.hook@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d634baea
    • Arnd Bergmann's avatar
      crypto: serpent - improve __serpent_setkey with UBSAN · c871c10e
      Arnd Bergmann authored
      When UBSAN is enabled, we get a very large stack frame for
      __serpent_setkey, when the register allocator ends up using more registers
      than it has, and has to spill temporary values to the stack. The code
      was originally optimized for in-order x86-32 CPU implementations using
      older compilers, but it now runs into a highly suboptimal case on all
      CPU architectures, as seen by this warning:
      
      crypto/serpent_generic.c: In function '__serpent_setkey':
      crypto/serpent_generic.c:436:1: error: the frame size of 2720 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]
      
      Disabling -fsanitize=alignment would avoid that warning, presumably the
      option turns off a optimization step that is required for getting the
      register allocation right, but there is no easy way to do that on gcc-7
      (gcc-8 introduces a function attribute for this).
      
      I tried to figure out a way to modify the source code instead, and noticed
      that the two stages of the setkey() function (keyiter and sbox) each are
      fine by themselves, but not when combined into one function. Splitting
      out the entire sbox into a separate function also happens to work fine
      with all compilers I tried (arm, arm64 and x86).
      
      The setkey function uses a strange way to handle offsets into the key
      array, using both negative and positive index values, as well as adjusting
      the array pointer back and forth. I have checked that this actually
      makes no difference to modern compilers, but I left that untouched
      to make the patch easier to review and to keep the code closer to
      the reference implementation.
      
      Link: https://patchwork.kernel.org/patch/9189575/Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c871c10e
    • Stephan Mueller's avatar
      crypto: algif_aead - copy AAD from src to dst · 72548b09
      Stephan Mueller authored
      Use the NULL cipher to copy the AAD and PT/CT from the TX SGL
      to the RX SGL. This allows an in-place crypto operation on the
      RX SGL for encryption, because the TX data is always smaller or
      equal to the RX data (the RX data will hold the tag).
      
      For decryption, a per-request TX SGL is created which will only hold
      the tag value. As the RX SGL will have no space for the tag value and
      an in-place operation will not write the tag buffer, the TX SGL with the
      tag value is chained to the RX SGL. This now allows an in-place
      crypto operation.
      
      For example:
      
      * without the patch:
      kcapi -x 2 -e -c "gcm(aes)" -p 89154d0d4129d322e4487bafaa4f6b46 -k c0ece3e63198af382b5603331cc23fa8 -i 7e489b83622e7228314d878d -a afcd7202d621e06ca53b70c2bdff7fb2 -l 16 -u -s
      00000000000000000000000000000000f4a3eacfbdadd3b1a17117b1d67ffc1f1e21efbbc6d83724a8c296e3bb8cda0c
      
      * with the patch:
      kcapi -x 2 -e -c "gcm(aes)" -p 89154d0d4129d322e4487bafaa4f6b46 -k c0ece3e63198af382b5603331cc23fa8 -i 7e489b83622e7228314d878d -a afcd7202d621e06ca53b70c2bdff7fb2 -l 16 -u -s
      afcd7202d621e06ca53b70c2bdff7fb2f4a3eacfbdadd3b1a17117b1d67ffc1f1e21efbbc6d83724a8c296e3bb8cda0c
      
      Tests covering this functionality have been added to libkcapi.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      72548b09
    • Stephan Mueller's avatar
      crypto: algif - return error code when no data was processed · 5703c826
      Stephan Mueller authored
      If no data has been processed during recvmsg, return the error code.
      This covers all errors received during non-AIO operations.
      
      If any error occurs during a synchronous operation in addition to
      -EIOCBQUEUED or -EBADMSG (like -ENOMEM), it should be relayed to the
      caller.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      5703c826
    • megha.dey@linux.intel.com's avatar
      crypto: x86/sha1 - Fix reads beyond the number of blocks passed · 8861249c
      megha.dey@linux.intel.com authored
      It was reported that the sha1 AVX2 function(sha1_transform_avx2) is
      reading ahead beyond its intended data, and causing a crash if the next
      block is beyond page boundary:
      http://marc.info/?l=linux-crypto-vger&m=149373371023377
      
      This patch makes sure that there is no overflow for any buffer length.
      
      It passes the tests written by Jan Stancek that revealed this problem:
      https://github.com/jstancek/sha1-avx2-crash
      
      I have re-enabled sha1-avx2 by reverting commit
      b82ce244
      
      Cc: <stable@vger.kernel.org>
      Fixes: b82ce244 ("crypto: sha1-ssse3 - Disable avx2")
      Originally-by: default avatarIlya Albrekht <ilya.albrekht@intel.com>
      Tested-by: default avatarJan Stancek <jstancek@redhat.com>
      Signed-off-by: default avatarMegha Dey <megha.dey@linux.intel.com>
      Reported-by: default avatarJan Stancek <jstancek@redhat.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      8861249c
    • Herbert Xu's avatar
      crypto: ixp4xx - Fix error handling path in 'aead_perform()' · 28389575
      Herbert Xu authored
      In commit 0f987e25, the source processing has been moved in front of
      the destination processing, but the error handling path has not been
      modified accordingly.
      Free resources in the correct order to avoid some leaks.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 0f987e25 ("crypto: ixp4xx - Fix false lastlen uninitialised warning")
      Reported-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Reviewed-by: default avatarArnd Bergmann <arnd@arndb.de>
      28389575
  4. 04 Aug, 2017 12 commits