summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* crypto: run initcalls for generic implementations earlierEric Biggers2019-04-1883-83/+89
| | | | | | | | | | | | | | | | | | | | Use subsys_initcall for registration of all templates and generic algorithm implementations, rather than module_init. Then change cryptomgr to use arch_initcall, to place it before the subsys_initcalls. This is needed so that when both a generic and optimized implementation of an algorithm are built into the kernel (not loadable modules), the generic implementation is registered before the optimized one. Otherwise, the self-tests for the optimized implementation are unable to allocate the generic implementation for the new comparison fuzz tests. Note that on arm, a side effect of this change is that self-tests for generic implementations may run before the unaligned access handler has been installed. So, unaligned accesses will crash the kernel. This is arguably a good thing as it makes it easier to detect that type of bug. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - fuzz AEADs against their generic implementationEric Biggers2019-04-181-0/+229
| | | | | | | | | | | | When the extra crypto self-tests are enabled, test each AEAD algorithm against its generic implementation when one is available. This involves: checking the algorithm properties for consistency, then randomly generating test vectors using the generic implementation and running them against the implementation under test. Both good and bad inputs are tested. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - fuzz skciphers against their generic implementationEric Biggers2019-04-182-1/+198
| | | | | | | | | | | | | | | When the extra crypto self-tests are enabled, test each skcipher algorithm against its generic implementation when one is available. This involves: checking the algorithm properties for consistency, then randomly generating test vectors using the generic implementation and running them against the implementation under test. Both good and bad inputs are tested. This has already detected a bug in the skcipher_walk API, a bug in the LRW template, and an inconsistency in the cts implementations. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - fuzz hashes against their generic implementationEric Biggers2019-04-181-4/+170
| | | | | | | | | | | | | | | When the extra crypto self-tests are enabled, test each hash algorithm against its generic implementation when one is available. This involves: checking the algorithm properties for consistency, then randomly generating test vectors using the generic implementation and running them against the implementation under test. Both good and bad inputs are tested. This has already detected a bug in the x86 implementation of poly1305, bugs in crct10dif, and an inconsistency in cbcmac. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - add helpers for fuzzing against generic implementationEric Biggers2019-04-181-0/+128
| | | | | | | | Add some helper functions in preparation for fuzz testing algorithms against their generic implementation. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - identify test vectors by name rather than numberEric Biggers2019-04-181-87/+96
| | | | | | | | | | | | In preparation for fuzz testing algorithms against their generic implementation, make error messages in testmgr identify test vectors by name rather than index. Built-in test vectors are simply "named" by their index in testmgr.h, as before. But (in later patches) generated test vectors will be given more descriptive names to help developers debug problems detected with them. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - expand ability to test for errorsEric Biggers2019-04-182-50/+104
| | | | | | | | | | | | | | | | | | | | | Update testmgr to support testing for specific errors from setkey() and digest() for hashes; setkey() and encrypt()/decrypt() for skciphers and ciphers; and setkey(), setauthsize(), and encrypt()/decrypt() for AEADs. This is useful because algorithms usually restrict the lengths or format of the message, key, and/or authentication tag in some way. And bad inputs should be tested too, not just good inputs. As part of this change, remove the ambiguously-named 'fail' flag and replace it with 'setkey_error = -EINVAL' for the only test vector that used it -- the DES weak key test vector. Note that this tightens the test to require -EINVAL rather than any error code, but AFAICS this won't cause any test failure. Other than that, these new fields aren't set on any test vectors yet. Later patches will do so. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* integrity: support EC-RDSA signatures for asymmetric_verifyVitaly Chikunov2019-04-181-2/+9
| | | | | | | | | | | | | Allow to use EC-RDSA signatures for IMA by determining signature type by the hash algorithm name. This works good for EC-RDSA since Streebog and EC-RDSA should always be used together. Cc: Mimi Zohar <zohar@linux.ibm.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: linux-integrity@vger.kernel.org Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: ecrdsa - add EC-RDSA test vectors to testmgrVitaly Chikunov2019-04-182-0/+160
| | | | | | | | | Add testmgr test vectors for EC-RDSA algorithm for every of five supported parameters (curves). Because there are no officially published test vectors for the curves, the vectors are generated by gost-engine. Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithmVitaly Chikunov2019-04-1810-13/+1022
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add Elliptic Curve Russian Digital Signature Algorithm (GOST R 34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since 2018 the CIS countries) cryptographic standard algorithms (called GOST algorithms). Only signature verification is supported, with intent to be used in the IMA. Summary of the changes: * crypto/Kconfig: - EC-RDSA is added into Public-key cryptography section. * crypto/Makefile: - ecrdsa objects are added. * crypto/asymmetric_keys/x509_cert_parser.c: - Recognize EC-RDSA and Streebog OIDs. * include/linux/oid_registry.h: - EC-RDSA OIDs are added to the enum. Also, a two currently not implemented curve OIDs are added for possible extension later (to not change numbering and grouping). * crypto/ecc.c: - Kenneth MacKay copyright date is updated to 2014, because vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his code from micro-ecc. - Functions needed for ecrdsa are EXPORT_SYMBOL'ed. - New functions: vli_is_negative - helper to determine sign of vli; vli_from_be64 - unpack big-endian array into vli (used for a signature); vli_from_le64 - unpack little-endian array into vli (used for a public key); vli_uadd, vli_usub - add/sub u64 value to/from vli (used for increment/decrement); mul_64_64 - optimized to use __int128 where appropriate, this speeds up point multiplication (and as a consequence signature verification) by the factor of 1.5-2; vli_umult - multiply vli by a small value (speeds up point multiplication by another factor of 1.5-2, depending on vli sizes); vli_mmod_special - module reduction for some form of Pseudo-Mersenne primes (used for the curves A); vli_mmod_special2 - module reduction for another form of Pseudo-Mersenne primes (used for the curves B); vli_mmod_barrett - module reduction using pre-computed value (used for the curve C); vli_mmod_slow - more general module reduction which is much slower (used when the modulus is subgroup order); vli_mod_mult_slow - modular multiplication; ecc_point_add - add two points; ecc_point_mult_shamir - add two points multiplied by scalars in one combined multiplication (this gives speed up by another factor 2 in compare to two separate multiplications). ecc_is_pubkey_valid_partial - additional samity check is added. - Updated vli_mmod_fast with non-strict heuristic to call optimal module reduction function depending on the prime value; - All computations for the previously defined (two NIST) curves should not unaffected. * crypto/ecc.h: - Newly exported functions are documented. * crypto/ecrdsa_defs.h - Five curves are defined. * crypto/ecrdsa.c: - Signature verification is implemented. * crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1: - Templates for BER decoder for EC-RDSA parameters and public key. Cc: linux-integrity@vger.kernel.org Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: ecc - make ecc into separate moduleVitaly Chikunov2019-04-185-23/+122
| | | | | | | | | | | | ecc.c have algorithms that could be used togeter by ecdh and ecrdsa. Make it separate module. Add CRYPTO_ECC into Kconfig. EXPORT_SYMBOL and document to what seems appropriate. Move structs ecc_point and ecc_curve from ecc_curve_defs.h into ecc.h. No code changes. Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: Kconfig - create Public-key cryptography sectionVitaly Chikunov2019-04-181-23/+25
| | | | | | | Group RSA, DH, and ECDH into Public-key cryptography config section. Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* X.509: parse public key parameters from x509 for akcipherVitaly Chikunov2019-04-188-29/+136
| | | | | | | | | | | | | | | | | | | | | | Some public key algorithms (like EC-DSA) keep in parameters field important data such as digest and curve OIDs (possibly more for different EC-DSA variants). Thus, just setting a public key (as for RSA) is not enough. Append parameters into the key stream for akcipher_set_{pub,priv}_key. Appended data is: (u32) algo OID, (u32) parameters length, parameters data. This does not affect current akcipher API nor RSA ciphers (they could ignore it). Idea of appending parameters to the key stream is by Herbert Xu. Cc: David Howells <dhowells@redhat.com> Cc: Denis Kenzior <denkenz@gmail.com> Cc: keyrings@vger.kernel.org Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Reviewed-by: Denis Kenzior <denkenz@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* KEYS: do not kmemdup digest in {public,tpm}_key_verify_signatureVitaly Chikunov2019-04-182-17/+2
| | | | | | | | | | | | | | | Treat (struct public_key_signature)'s digest same as its signature (s). Since digest should be already in the kmalloc'd memory do not kmemdup digest value before calling {public,tpm}_key_verify_signature. Patch is split from the previous as suggested by Herbert Xu. Suggested-by: David Howells <dhowells@redhat.com> Cc: David Howells <dhowells@redhat.com> Cc: keyrings@vger.kernel.org Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Reviewed-by: Denis Kenzior <denkenz@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: akcipher - new verify API for public key algorithmsVitaly Chikunov2019-04-185-91/+92
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previous akcipher .verify() just `decrypts' (using RSA encrypt which is using public key) signature to uncover message hash, which was then compared in upper level public_key_verify_signature() with the expected hash value, which itself was never passed into verify(). This approach was incompatible with EC-DSA family of algorithms, because, to verify a signature EC-DSA algorithm also needs a hash value as input; then it's used (together with a signature divided into halves `r||s') to produce a witness value, which is then compared with `r' to determine if the signature is correct. Thus, for EC-DSA, nor requirements of .verify() itself, nor its output expectations in public_key_verify_signature() wasn't sufficient. Make improved .verify() call which gets hash value as input and produce complete signature check without any output besides status. Now for the top level verification only crypto_akcipher_verify() needs to be called and its return value inspected. Make sure that `digest' is in kmalloc'd memory (in place of `output`) in {public,tpm}_key_verify_signature() as insisted by Herbert Xu, and will be changed in the following commit. Cc: David Howells <dhowells@redhat.com> Cc: keyrings@vger.kernel.org Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Reviewed-by: Denis Kenzior <denkenz@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: rsa - unimplement sign/verify for raw RSA backendsVitaly Chikunov2019-04-185-117/+2
| | | | | | | | | | | | | | | | | | | | In preparation for new akcipher verify call remove sign/verify callbacks from RSA backends and make PKCS1 driver call encrypt/decrypt instead. This also complies with the well-known idea that raw RSA should never be used for sign/verify. It only should be used with proper padding scheme such as PKCS1 driver provides. Cc: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Cc: qat-linux@intel.com Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Gary Hook <gary.hook@amd.com> Cc: Horia Geantă <horia.geanta@nxp.com> Cc: Aymen Sghaier <aymen.sghaier@nxp.com> Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Reviewed-by: Horia Geantă <horia.geanta@nxp.com> Acked-by: Gary R Hook <gary.hook@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: akcipher - default implementations for request callbacksVitaly Chikunov2019-04-181-0/+14
| | | | | | | | | | | | | Because with the introduction of EC-RDSA and change in workings of RSA in regard to sign/verify, akcipher could have not all callbacks defined, check the presence of callbacks in crypto_register_akcipher() and provide default implementation if the callback is not implemented. This is suggested by Herbert Xu instead of checking the presence of the callback on every request. Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: ux500 - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-79/+7
| | | | | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes the registration of the non-standard des/des3 ablkcipher algorithms. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: talitos - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-13/+95
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: sun4i-ss - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-6/+5
| | | | | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Corentin Labbe <clabbe.montjoie@gmail.com> Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: stm32 - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-4/+11
| | | | | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Lionel Debieve<lionel.debieve@st.com> Tested-by: Lionel Debieve<lionel.debieve@st.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: rockchip - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-12/+24
| | | | | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes a couple of unnecessary key length checks that are already performed by the crypto API. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: qce - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-1/+21
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: picoxcell - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-7/+26
| | | | | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes an unnecessary key length checks that are already performed by the crypto API. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: omap - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-5/+24
| | | | | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes a couple of unnecessary key length checks that are already performed by the crypto API. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: n2 - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-4/+9
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: marvell - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-6/+5
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: ixp4xx - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-9/+55
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: inside-secure - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-6/+5
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: hisilicon - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-8/+4
| | | | | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. It also removes a couple of unnecessary key length checks that are already performed by the crypto API. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: hifn_795x - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-4/+27
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: ccree - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-2/+35
| | | | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Gilad Ben-Yossef <gilad@benyossef.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: ccp - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-17/+4
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: nitrox - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-6/+2
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: cavium - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-0/+18
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: caam - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-183-38/+151
| | | | | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Reviewed-by: Horia Geantă <horia.geanta@nxp.com> Tested-by: Iuliana Prodan <iuliana.prodan@nxp.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: bcm - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-10/+11
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: atmel - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-93/+10
| | | | | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. This patch also removes the bogus CFB 3DES modes that only work with a short 3DES key not otherwise allowed by the crypto API. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: sparc - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-7/+4
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: s390 - Forbid 2-key 3DES in FIPS modeHerbert Xu2019-04-181-17/+4
| | | | | | This patch forbids the use of 2-key 3DES (K1 == K3) in FIPS mode. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: des_generic - Forbid 2-key in 3DES and add helpersHerbert Xu2019-04-182-7/+47
| | | | | | | | | | This patch adds a requirement to the generic 3DES implementation such that 2-key 3DES (K1 == K3) is no longer allowed in FIPS mode. We will also provide helpers that may be used by drivers that implement 3DES to make the same check. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: vmx - return correct error code on failed setkeyEric Biggers2019-04-184-12/+16
| | | | | | | | | | | In the VMX implementations of AES and AES modes, return -EINVAL when an invalid key length is provided, rather than some unusual error code determined via a series of additions. This makes the behavior match the other AES implementations in the kernel's crypto API. Cc: Daniel Axtens <dja@axtens.net> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: arm64/aes-neonbs - don't access already-freed walk.ivEric Biggers2019-04-181-0/+2
| | | | | | | | | | | | | | | | | | If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. xts-aes-neonbs doesn't set an alignmask, so currently it isn't affected by this despite unconditionally accessing walk.iv. However this is more subtle than desired, and unconditionally accessing walk.iv has caused a real problem in other algorithms. Thus, update xts-aes-neonbs to start checking the return value of skcipher_walk_virt(). Fixes: 1abee99eafab ("crypto: arm64/aes - reimplement bit-sliced ARM/NEON implementation for arm64") Cc: <stable@vger.kernel.org> # v4.11+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: arm/aes-neonbs - don't access already-freed walk.ivEric Biggers2019-04-181-0/+2
| | | | | | | | | | | | | | | | | | | If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't affected by this despite unconditionally accessing walk.iv. However this is more subtle than desired, and it was actually broken prior to the alignmask being removed by commit cc477bf64573 ("crypto: arm/aes - replace bit-sliced OpenSSL NEON code"). Thus, update xts-aes-neonbs to start checking the return value of skcipher_walk_virt(). Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions") Cc: <stable@vger.kernel.org> # v3.13+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: salsa20 - don't access already-freed walk.ivEric Biggers2019-04-181-1/+1
| | | | | | | | | | | | | | | | | | | | | If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. salsa20-generic doesn't set an alignmask, so currently it isn't affected by this despite unconditionally accessing walk.iv. However this is more subtle than desired, and it was actually broken prior to the alignmask being removed by commit b62b3db76f73 ("crypto: salsa20-generic - cleanup and convert to skcipher API"). Since salsa20-generic does not update the IV and does not need any IV alignment, update it to use req->iv instead of walk.iv. Fixes: 2407d60872dd ("[CRYPTO] salsa20: Salsa20 stream cipher") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: lrw - don't access already-freed walk.ivEric Biggers2019-04-181-1/+3
| | | | | | | | | | | | | | | | | | | | | If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. Fix this in the LRW template by checking the return value of skcipher_walk_virt(). This bug was detected by my patches that improve testmgr to fuzz algorithms against their generic implementation. When the extra self-tests were run on a KASAN-enabled kernel, a KASAN use-after-free splat occured during lrw(aes) testing. Fixes: c778f96bf347 ("crypto: lrw - Optimize tweak computation") Cc: <stable@vger.kernel.org> # v4.20+ Cc: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: mxs-dcp - remove set but not used variable 'fini'YueHaibing2019-04-181-9/+1
| | | | | | | | | | | | | | Fixes gcc '-Wunused-but-set-variable' warning: drivers/crypto/mxs-dcp.c: In function 'dcp_chan_thread_sha': drivers/crypto/mxs-dcp.c:707:11: warning: variable 'fini' set but not used [-Wunused-but-set-variable] It's not used since commit d80771c08363 ("crypto: mxs-dcp - Fix wait logic on chan threads"),so can be removed. Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: sahara - Convert IS_ENABLED uses to __is_definedJoe Perches2019-04-181-3/+3
| | | | | | | | IS_ENABLED should be reserved for CONFIG_<FOO> uses so convert the uses of IS_ENABLED with a #define to __is_defined. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: caam/jr - Remove extra memory barrier during job ring dequeueVakul Garg2019-04-182-1/+9
| | | | | | | | | | | In function caam_jr_dequeue(), a full memory barrier is used before writing response job ring's register to signal removal of the completed job. Therefore for writing the register, we do not need another write memory barrier. Hence it is removed by replacing the call to wr_reg32() with a newly defined function wr_reg32_relaxed(). Signed-off-by: Vakul Garg <vakul.garg@nxp.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: ccp - Do not free psp_master when PLATFORM_INIT failsSingh, Brijesh2019-04-181-1/+1
| | | | | | | | | | | | | | | | Currently, we free the psp_master if the PLATFORM_INIT fails during the SEV FW probe. If psp_master is freed then driver does not invoke the PSP FW. As per SEV FW spec, there are several commands (PLATFORM_RESET, PLATFORM_STATUS, GET_ID etc) which can be executed in the UNINIT state We should not free the psp_master when PLATFORM_INIT fails. Fixes: 200664d5237f ("crypto: ccp: Add SEV support") Cc: Tom Lendacky <thomas.lendacky@amd.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Gary Hook <gary.hook@amd.com> Cc: stable@vger.kernel.org # 4.19.y Signed-off-by: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>