From 2d016672528a592ada5188e53ac746e1b8b7a978 Mon Sep 17 00:00:00 2001 From: Hui Tang Date: Mon, 10 May 2021 16:54:08 +0800 Subject: crypto: testmgr - fix initialization of 'secret_size' Actual data length of the 'secret' is not equal to the 'secret_size'. Since the 'curve_id' has removed in the 'secret', the 'secret_size' should subtract the length of the 'curve_id'. Fixes: 6763f5ea2d9a ("crypto: ecdh - move curve_id of ECDH from ...") Signed-off-by: Hui Tang Signed-off-by: Herbert Xu --- crypto/testmgr.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'crypto') diff --git a/crypto/testmgr.h b/crypto/testmgr.h index 34e4a3db3991..aead75d90493 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h @@ -2719,7 +2719,7 @@ static const struct kpp_testvec ecdh_p192_tv_template[] = { "\xf4\x57\xcc\x4f\x1f\x4e\x31\xcc" "\xe3\x40\x60\xc8\x06\x93\xc6\x2e" "\x99\x80\x81\x28\xaf\xc5\x51\x74", - .secret_size = 32, + .secret_size = 30, .b_public_size = 48, .expected_a_public_size = 48, .expected_ss_size = 24 @@ -2766,7 +2766,7 @@ static const struct kpp_testvec ecdh_p256_tv_template[] = { "\x9f\x4a\x38\xcc\xc0\x2c\x49\x2f" "\xb1\x32\xbb\xaf\x22\x61\xda\xcb" "\x6f\xdb\xa9\xaa\xfc\x77\x81\xf3", - .secret_size = 40, + .secret_size = 38, .b_public_size = 64, .expected_a_public_size = 64, .expected_ss_size = 32 @@ -2804,8 +2804,8 @@ static const struct kpp_testvec ecdh_p256_tv_template[] = { "\x37\x08\xcc\x40\x5e\x7a\xfd\x6a" "\x6a\x02\x6e\x41\x87\x68\x38\x77" "\xfa\xa9\x44\x43\x2d\xef\x09\xdf", - .secret_size = 8, - .b_secret_size = 40, + .secret_size = 6, + .b_secret_size = 38, .b_public_size = 64, .expected_a_public_size = 64, .expected_ss_size = 32, -- cgit v1.2.3 From c5ae16f5c6b91dc78a08885a753489d608de4abd Mon Sep 17 00:00:00 2001 From: Hui Tang Date: Mon, 10 May 2021 16:59:47 +0800 Subject: crypto: ecdh - extend 'cra_driver_name' with curve name Currently, 'cra_driver_name' cannot be used to specify ecdh algorithm with a special curve, so extending it with curve name. Although using 'cra_name' can also specify a special curve, but ecdh generic driver cannot be specified when vendor hardware accelerator has registered. Fixes: 6763f5ea2d9a ("crypto: ecdh - move curve_id of ECDH from ...") Signed-off-by: Hui Tang Signed-off-by: Herbert Xu --- crypto/ecdh.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'crypto') diff --git a/crypto/ecdh.c b/crypto/ecdh.c index 04a427b8c956..07eb34fef25b 100644 --- a/crypto/ecdh.c +++ b/crypto/ecdh.c @@ -141,7 +141,7 @@ static struct kpp_alg ecdh_nist_p192 = { .init = ecdh_nist_p192_init_tfm, .base = { .cra_name = "ecdh-nist-p192", - .cra_driver_name = "ecdh-generic", + .cra_driver_name = "ecdh-nist-p192-generic", .cra_priority = 100, .cra_module = THIS_MODULE, .cra_ctxsize = sizeof(struct ecdh_ctx), @@ -166,7 +166,7 @@ static struct kpp_alg ecdh_nist_p256 = { .init = ecdh_nist_p256_init_tfm, .base = { .cra_name = "ecdh-nist-p256", - .cra_driver_name = "ecdh-generic", + .cra_driver_name = "ecdh-nist-p256-generic", .cra_priority = 100, .cra_module = THIS_MODULE, .cra_ctxsize = sizeof(struct ecdh_ctx), -- cgit v1.2.3 From 308365483351fad2c2c15e173df60c7168c828a5 Mon Sep 17 00:00:00 2001 From: Hui Tang Date: Wed, 19 May 2021 13:59:44 +0800 Subject: crypto: khazad,wp512 - remove leading spaces before tabs There are a few leading spaces before tabs and remove it by running the following commard: $ find . -name '*.c' | xargs sed -r -i 's/^[ ]+\t/\t/' At the same time, fix two warning by running checkpatch.pl: WARNING: suspect code indent for conditional statements (16, 16) WARNING: braces {} are not necessary for single statement blocks Signed-off-by: Hui Tang Signed-off-by: Herbert Xu --- crypto/khazad.c | 2 +- crypto/wp512.c | 40 +++++++++++++++++++--------------------- 2 files changed, 20 insertions(+), 22 deletions(-) (limited to 'crypto') diff --git a/crypto/khazad.c b/crypto/khazad.c index 14ca7f1631c7..f19339954c89 100644 --- a/crypto/khazad.c +++ b/crypto/khazad.c @@ -819,7 +819,7 @@ static void khazad_crypt(const u64 roundKey[KHAZAD_ROUNDS + 1], T6[(int)(state >> 8) & 0xff] ^ T7[(int)(state ) & 0xff] ^ roundKey[r]; - } + } state = (T0[(int)(state >> 56) ] & 0xff00000000000000ULL) ^ (T1[(int)(state >> 48) & 0xff] & 0x00ff000000000000ULL) ^ diff --git a/crypto/wp512.c b/crypto/wp512.c index feadc13ccae0..bf79fbb2340f 100644 --- a/crypto/wp512.c +++ b/crypto/wp512.c @@ -1066,33 +1066,31 @@ static int wp512_final(struct shash_desc *desc, u8 *out) { struct wp512_ctx *wctx = shash_desc_ctx(desc); int i; - u8 *buffer = wctx->buffer; - u8 *bitLength = wctx->bitLength; - int bufferBits = wctx->bufferBits; - int bufferPos = wctx->bufferPos; + u8 *buffer = wctx->buffer; + u8 *bitLength = wctx->bitLength; + int bufferBits = wctx->bufferBits; + int bufferPos = wctx->bufferPos; __be64 *digest = (__be64 *)out; - buffer[bufferPos] |= 0x80U >> (bufferBits & 7); - bufferPos++; - if (bufferPos > WP512_BLOCK_SIZE - WP512_LENGTHBYTES) { - if (bufferPos < WP512_BLOCK_SIZE) { - memset(&buffer[bufferPos], 0, WP512_BLOCK_SIZE - bufferPos); - } - wp512_process_buffer(wctx); - bufferPos = 0; - } - if (bufferPos < WP512_BLOCK_SIZE - WP512_LENGTHBYTES) { - memset(&buffer[bufferPos], 0, + buffer[bufferPos] |= 0x80U >> (bufferBits & 7); + bufferPos++; + if (bufferPos > WP512_BLOCK_SIZE - WP512_LENGTHBYTES) { + if (bufferPos < WP512_BLOCK_SIZE) + memset(&buffer[bufferPos], 0, WP512_BLOCK_SIZE - bufferPos); + wp512_process_buffer(wctx); + bufferPos = 0; + } + if (bufferPos < WP512_BLOCK_SIZE - WP512_LENGTHBYTES) + memset(&buffer[bufferPos], 0, (WP512_BLOCK_SIZE - WP512_LENGTHBYTES) - bufferPos); - } - bufferPos = WP512_BLOCK_SIZE - WP512_LENGTHBYTES; - memcpy(&buffer[WP512_BLOCK_SIZE - WP512_LENGTHBYTES], + bufferPos = WP512_BLOCK_SIZE - WP512_LENGTHBYTES; + memcpy(&buffer[WP512_BLOCK_SIZE - WP512_LENGTHBYTES], bitLength, WP512_LENGTHBYTES); - wp512_process_buffer(wctx); + wp512_process_buffer(wctx); for (i = 0; i < WP512_DIGEST_SIZE/8; i++) digest[i] = cpu_to_be64(wctx->hash[i]); - wctx->bufferBits = bufferBits; - wctx->bufferPos = bufferPos; + wctx->bufferBits = bufferBits; + wctx->bufferPos = bufferPos; return 0; } -- cgit v1.2.3 From aa22cd7f67807eb8047221e57f8a327432ab8309 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Thu, 20 May 2021 12:40:00 +0200 Subject: crypto: tcrypt - enable tests for xxhash and blake2 Fill some of the recently freed up slots in tcrypt with xxhash64 and blake2b/blake2s, so we can easily benchmark their kernel implementations from user space. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu --- crypto/tcrypt.c | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'crypto') diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c index 6b7c158dc508..f8d06da78e4f 100644 --- a/crypto/tcrypt.c +++ b/crypto/tcrypt.c @@ -1847,10 +1847,22 @@ static int do_test(const char *alg, u32 type, u32 mask, int m, u32 num_mb) ret += tcrypt_test("cts(cbc(aes))"); break; + case 39: + ret += tcrypt_test("xxhash64"); + break; + case 40: ret += tcrypt_test("rmd160"); break; + case 41: + ret += tcrypt_test("blake2s-256"); + break; + + case 42: + ret += tcrypt_test("blake2b-512"); + break; + case 43: ret += tcrypt_test("ecb(seed)"); break; @@ -2356,10 +2368,22 @@ static int do_test(const char *alg, u32 type, u32 mask, int m, u32 num_mb) test_hash_speed("sha224", sec, generic_hash_speed_template); if (mode > 300 && mode < 400) break; fallthrough; + case 314: + test_hash_speed("xxhash64", sec, generic_hash_speed_template); + if (mode > 300 && mode < 400) break; + fallthrough; case 315: test_hash_speed("rmd160", sec, generic_hash_speed_template); if (mode > 300 && mode < 400) break; fallthrough; + case 316: + test_hash_speed("blake2s-256", sec, generic_hash_speed_template); + if (mode > 300 && mode < 400) break; + fallthrough; + case 317: + test_hash_speed("blake2b-512", sec, generic_hash_speed_template); + if (mode > 300 && mode < 400) break; + fallthrough; case 318: klen = 16; test_hash_speed("ghash", sec, generic_hash_speed_template); @@ -2456,10 +2480,22 @@ static int do_test(const char *alg, u32 type, u32 mask, int m, u32 num_mb) test_ahash_speed("sha224", sec, generic_hash_speed_template); if (mode > 400 && mode < 500) break; fallthrough; + case 414: + test_ahash_speed("xxhash64", sec, generic_hash_speed_template); + if (mode > 400 && mode < 500) break; + fallthrough; case 415: test_ahash_speed("rmd160", sec, generic_hash_speed_template); if (mode > 400 && mode < 500) break; fallthrough; + case 416: + test_ahash_speed("blake2s-256", sec, generic_hash_speed_template); + if (mode > 400 && mode < 500) break; + fallthrough; + case 417: + test_ahash_speed("blake2b-512", sec, generic_hash_speed_template); + if (mode > 400 && mode < 500) break; + fallthrough; case 418: test_ahash_speed("sha3-224", sec, generic_hash_speed_template); if (mode > 400 && mode < 500) break; -- cgit v1.2.3 From 9b7b94683a9b9c42a743d591e48b9f51f505dd1f Mon Sep 17 00:00:00 2001 From: Stephan Müller Date: Thu, 20 May 2021 21:31:11 +0200 Subject: crypto: DRBG - switch to HMAC SHA512 DRBG as default DRBG The default DRBG is the one that has the highest priority. The priority is defined based on the order of the list drbg_cores[] where the highest priority is given to the last entry by drbg_fill_array. With this patch the default DRBG is switched from HMAC SHA256 to HMAC SHA512 to support compliance with SP800-90B and SP800-90C (current draft). The user of the crypto API is completely unaffected by the change. Signed-off-by: Stephan Mueller Acked-by: simo Sorce Signed-off-by: Herbert Xu --- crypto/drbg.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'crypto') diff --git a/crypto/drbg.c b/crypto/drbg.c index 1b4587e0ddad..ea85d4a0fe9e 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -176,18 +176,18 @@ static const struct drbg_core drbg_cores[] = { .blocklen_bytes = 48, .cra_name = "hmac_sha384", .backend_cra_name = "hmac(sha384)", - }, { - .flags = DRBG_HMAC | DRBG_STRENGTH256, - .statelen = 64, /* block length of cipher */ - .blocklen_bytes = 64, - .cra_name = "hmac_sha512", - .backend_cra_name = "hmac(sha512)", }, { .flags = DRBG_HMAC | DRBG_STRENGTH256, .statelen = 32, /* block length of cipher */ .blocklen_bytes = 32, .cra_name = "hmac_sha256", .backend_cra_name = "hmac(sha256)", + }, { + .flags = DRBG_HMAC | DRBG_STRENGTH256, + .statelen = 64, /* block length of cipher */ + .blocklen_bytes = 64, + .cra_name = "hmac_sha512", + .backend_cra_name = "hmac(sha512)", }, #endif /* CONFIG_CRYPTO_DRBG_HMAC */ }; -- cgit v1.2.3 From 6889fc2104e5d20899b91e61daf07a7524b2010d Mon Sep 17 00:00:00 2001 From: Hui Tang Date: Sat, 22 May 2021 10:44:28 +0800 Subject: crypto: ecdh - fix ecdh-nist-p192's entry in testmgr Add a comment that p192 will fail to register in FIPS mode. Fix ecdh-nist-p192's entry in testmgr by removing the ifdefs and not setting fips_allowed. Signed-off-by: Hui Tang Signed-off-by: Herbert Xu --- crypto/ecdh.c | 1 + crypto/testmgr.c | 3 --- crypto/testmgr.h | 2 -- 3 files changed, 1 insertion(+), 5 deletions(-) (limited to 'crypto') diff --git a/crypto/ecdh.c b/crypto/ecdh.c index 07eb34fef25b..197467509323 100644 --- a/crypto/ecdh.c +++ b/crypto/ecdh.c @@ -179,6 +179,7 @@ static int ecdh_init(void) { int ret; + /* NIST p192 will fail to register in FIPS mode */ ret = crypto_register_kpp(&ecdh_nist_p192); ecdh_nist_p192_registered = ret == 0; diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 10c5b3b01ec4..26e40dba9ad2 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -4899,15 +4899,12 @@ static const struct alg_test_desc alg_test_descs[] = { } }, { #endif -#ifndef CONFIG_CRYPTO_FIPS .alg = "ecdh-nist-p192", .test = alg_test_kpp, - .fips_allowed = 1, .suite = { .kpp = __VECS(ecdh_p192_tv_template) } }, { -#endif .alg = "ecdh-nist-p256", .test = alg_test_kpp, .fips_allowed = 1, diff --git a/crypto/testmgr.h b/crypto/testmgr.h index aead75d90493..b9cf5b815532 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h @@ -2685,7 +2685,6 @@ static const struct kpp_testvec curve25519_tv_template[] = { } }; -#ifndef CONFIG_CRYPTO_FIPS static const struct kpp_testvec ecdh_p192_tv_template[] = { { .secret = @@ -2725,7 +2724,6 @@ static const struct kpp_testvec ecdh_p192_tv_template[] = { .expected_ss_size = 24 } }; -#endif static const struct kpp_testvec ecdh_p256_tv_template[] = { { -- cgit v1.2.3 From 8fd28fa5046b377039d5bbc0ab2f625dec703980 Mon Sep 17 00:00:00 2001 From: Hui Tang Date: Sat, 22 May 2021 10:44:29 +0800 Subject: crypto: ecdh - fix 'ecdh_init' NIST P192 is not unregistered if failed to register NIST P256, actually it need to unregister the algorithms already registered. Signed-off-by: Hui Tang Signed-off-by: Herbert Xu --- crypto/ecdh.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'crypto') diff --git a/crypto/ecdh.c b/crypto/ecdh.c index 197467509323..b6f493e82812 100644 --- a/crypto/ecdh.c +++ b/crypto/ecdh.c @@ -183,7 +183,16 @@ static int ecdh_init(void) ret = crypto_register_kpp(&ecdh_nist_p192); ecdh_nist_p192_registered = ret == 0; - return crypto_register_kpp(&ecdh_nist_p256); + ret = crypto_register_kpp(&ecdh_nist_p256); + if (ret) + goto nist_p256_error; + + return 0; + +nist_p256_error: + if (ecdh_nist_p192_registered) + crypto_unregister_kpp(&ecdh_nist_p192); + return ret; } static void ecdh_exit(void) -- cgit v1.2.3 From 8154132521e9cd6d28a7e9778c4ae23b716994bf Mon Sep 17 00:00:00 2001 From: Hui Tang Date: Sat, 22 May 2021 10:44:30 +0800 Subject: crypto: ecdh - register NIST P384 tfm Add ecdh_nist_p384_init_tfm and register and unregister P384 tfm. Signed-off-by: Hui Tang Signed-off-by: Herbert Xu --- crypto/ecdh.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'crypto') diff --git a/crypto/ecdh.c b/crypto/ecdh.c index b6f493e82812..c6f61c2211dc 100644 --- a/crypto/ecdh.c +++ b/crypto/ecdh.c @@ -173,6 +173,31 @@ static struct kpp_alg ecdh_nist_p256 = { }, }; +static int ecdh_nist_p384_init_tfm(struct crypto_kpp *tfm) +{ + struct ecdh_ctx *ctx = ecdh_get_ctx(tfm); + + ctx->curve_id = ECC_CURVE_NIST_P384; + ctx->ndigits = ECC_CURVE_NIST_P384_DIGITS; + + return 0; +} + +static struct kpp_alg ecdh_nist_p384 = { + .set_secret = ecdh_set_secret, + .generate_public_key = ecdh_compute_value, + .compute_shared_secret = ecdh_compute_value, + .max_size = ecdh_max_size, + .init = ecdh_nist_p384_init_tfm, + .base = { + .cra_name = "ecdh-nist-p384", + .cra_driver_name = "ecdh-nist-p384-generic", + .cra_priority = 100, + .cra_module = THIS_MODULE, + .cra_ctxsize = sizeof(struct ecdh_ctx), + }, +}; + static bool ecdh_nist_p192_registered; static int ecdh_init(void) @@ -187,8 +212,15 @@ static int ecdh_init(void) if (ret) goto nist_p256_error; + ret = crypto_register_kpp(&ecdh_nist_p384); + if (ret) + goto nist_p384_error; + return 0; +nist_p384_error: + crypto_unregister_kpp(&ecdh_nist_p256); + nist_p256_error: if (ecdh_nist_p192_registered) crypto_unregister_kpp(&ecdh_nist_p192); @@ -200,6 +232,7 @@ static void ecdh_exit(void) if (ecdh_nist_p192_registered) crypto_unregister_kpp(&ecdh_nist_p192); crypto_unregister_kpp(&ecdh_nist_p256); + crypto_unregister_kpp(&ecdh_nist_p384); } subsys_initcall(ecdh_init); -- cgit v1.2.3 From 8e568fc2a71d097a5549043a39984a46262b6035 Mon Sep 17 00:00:00 2001 From: Hui Tang Date: Sat, 22 May 2021 10:44:31 +0800 Subject: crypto: ecdh - add test suite for NIST P384 Add test vector params for NIST P384, add test vector for NIST P384 on vector of tests. Vector param from: https://datatracker.ietf.org/doc/html/rfc5903#section-3.1 Signed-off-by: Hui Tang Signed-off-by: Herbert Xu --- crypto/testmgr.c | 7 +++++++ crypto/testmgr.h | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+) (limited to 'crypto') diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 26e40dba9ad2..1f7f63e836ae 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -4911,6 +4911,13 @@ static const struct alg_test_desc alg_test_descs[] = { .suite = { .kpp = __VECS(ecdh_p256_tv_template) } + }, { + .alg = "ecdh-nist-p384", + .test = alg_test_kpp, + .fips_allowed = 1, + .suite = { + .kpp = __VECS(ecdh_p384_tv_template) + } }, { .alg = "ecdsa-nist-p192", .test = alg_test_akcipher, diff --git a/crypto/testmgr.h b/crypto/testmgr.h index b9cf5b815532..96eb7ce9f81b 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h @@ -2811,6 +2811,67 @@ static const struct kpp_testvec ecdh_p256_tv_template[] = { } }; +/* + * NIST P384 test vectors from RFC5903 + */ +static const struct kpp_testvec ecdh_p384_tv_template[] = { + { + .secret = +#ifdef __LITTLE_ENDIAN + "\x02\x00" /* type */ + "\x36\x00" /* len */ + "\x30\x00" /* key_size */ +#else + "\x00\x02" /* type */ + "\x00\x36" /* len */ + "\x00\x30" /* key_size */ +#endif + "\x09\x9F\x3C\x70\x34\xD4\xA2\xC6" + "\x99\x88\x4D\x73\xA3\x75\xA6\x7F" + "\x76\x24\xEF\x7C\x6B\x3C\x0F\x16" + "\x06\x47\xB6\x74\x14\xDC\xE6\x55" + "\xE3\x5B\x53\x80\x41\xE6\x49\xEE" + "\x3F\xAE\xF8\x96\x78\x3A\xB1\x94", + .b_public = + "\xE5\x58\xDB\xEF\x53\xEE\xCD\xE3" + "\xD3\xFC\xCF\xC1\xAE\xA0\x8A\x89" + "\xA9\x87\x47\x5D\x12\xFD\x95\x0D" + "\x83\xCF\xA4\x17\x32\xBC\x50\x9D" + "\x0D\x1A\xC4\x3A\x03\x36\xDE\xF9" + "\x6F\xDA\x41\xD0\x77\x4A\x35\x71" + "\xDC\xFB\xEC\x7A\xAC\xF3\x19\x64" + "\x72\x16\x9E\x83\x84\x30\x36\x7F" + "\x66\xEE\xBE\x3C\x6E\x70\xC4\x16" + "\xDD\x5F\x0C\x68\x75\x9D\xD1\xFF" + "\xF8\x3F\xA4\x01\x42\x20\x9D\xFF" + "\x5E\xAA\xD9\x6D\xB9\xE6\x38\x6C", + .expected_a_public = + "\x66\x78\x42\xD7\xD1\x80\xAC\x2C" + "\xDE\x6F\x74\xF3\x75\x51\xF5\x57" + "\x55\xC7\x64\x5C\x20\xEF\x73\xE3" + "\x16\x34\xFE\x72\xB4\xC5\x5E\xE6" + "\xDE\x3A\xC8\x08\xAC\xB4\xBD\xB4" + "\xC8\x87\x32\xAE\xE9\x5F\x41\xAA" + "\x94\x82\xED\x1F\xC0\xEE\xB9\xCA" + "\xFC\x49\x84\x62\x5C\xCF\xC2\x3F" + "\x65\x03\x21\x49\xE0\xE1\x44\xAD" + "\xA0\x24\x18\x15\x35\xA0\xF3\x8E" + "\xEB\x9F\xCF\xF3\xC2\xC9\x47\xDA" + "\xE6\x9B\x4C\x63\x45\x73\xA8\x1C", + .expected_ss = + "\x11\x18\x73\x31\xC2\x79\x96\x2D" + "\x93\xD6\x04\x24\x3F\xD5\x92\xCB" + "\x9D\x0A\x92\x6F\x42\x2E\x47\x18" + "\x75\x21\x28\x7E\x71\x56\xC5\xC4" + "\xD6\x03\x13\x55\x69\xB9\xE9\xD0" + "\x9C\xF5\xD4\xA2\x70\xF5\x97\x46", + .secret_size = 54, + .b_public_size = 96, + .expected_a_public_size = 96, + .expected_ss_size = 48 + } +}; + /* * MD4 test vectors from RFC1320 */ -- cgit v1.2.3 From 7551a074700a4093f5556a5ae51c1f83ea6b96ba Mon Sep 17 00:00:00 2001 From: Wu Bo Date: Tue, 25 May 2021 16:15:19 +0800 Subject: crypto: af_alg - use DIV_ROUND_UP helper macro for calculations Replace open coded divisor calculations with the DIV_ROUND_UP kernel macro for better readability. Signed-off-by: Wu Bo Signed-off-by: Herbert Xu --- crypto/af_alg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'crypto') diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 18cc82dc4a42..8bd288d2b089 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -411,7 +411,7 @@ int af_alg_make_sg(struct af_alg_sgl *sgl, struct iov_iter *iter, int len) if (n < 0) return n; - npages = (off + n + PAGE_SIZE - 1) >> PAGE_SHIFT; + npages = DIV_ROUND_UP(off + n, PAGE_SIZE); if (WARN_ON(npages == 0)) return -EINVAL; /* Add one extra for linking */ -- cgit v1.2.3 From 5cd259ca5d466f65ffd21e2e2fa00fb648a8c555 Mon Sep 17 00:00:00 2001 From: Hongbo Li Date: Fri, 4 Jun 2021 14:30:35 +0800 Subject: crypto: sm2 - fix a memory leak in sm2 SM2 module alloc ec->Q in sm2_set_pub_key(), when doing alg test in test_akcipher_one(), it will set public key for every test vector, and don't free ec->Q. This will cause a memory leak. This patch alloc ec->Q in sm2_ec_ctx_init(). Fixes: ea7ecb66440b ("crypto: sm2 - introduce OSCCA SM2 asymmetric cipher algorithm") Signed-off-by: Hongbo Li Reviewed-by: Tianjia Zhang Signed-off-by: Herbert Xu --- crypto/sm2.c | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) (limited to 'crypto') diff --git a/crypto/sm2.c b/crypto/sm2.c index b21addc3ac06..db8a4a265669 100644 --- a/crypto/sm2.c +++ b/crypto/sm2.c @@ -79,10 +79,17 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec) goto free; rc = -ENOMEM; + + ec->Q = mpi_point_new(0); + if (!ec->Q) + goto free; + /* mpi_ec_setup_elliptic_curve */ ec->G = mpi_point_new(0); - if (!ec->G) + if (!ec->G) { + mpi_point_release(ec->Q); goto free; + } mpi_set(ec->G->x, x); mpi_set(ec->G->y, y); @@ -91,6 +98,7 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec) rc = -EINVAL; ec->n = mpi_scanval(ecp->n); if (!ec->n) { + mpi_point_release(ec->Q); mpi_point_release(ec->G); goto free; } @@ -386,27 +394,15 @@ static int sm2_set_pub_key(struct crypto_akcipher *tfm, MPI a; int rc; - ec->Q = mpi_point_new(0); - if (!ec->Q) - return -ENOMEM; - /* include the uncompressed flag '0x04' */ - rc = -ENOMEM; a = mpi_read_raw_data(key, keylen); if (!a) - goto error; + return -ENOMEM; mpi_normalize(a); rc = sm2_ecc_os2ec(ec->Q, a); mpi_free(a); - if (rc) - goto error; - - return 0; -error: - mpi_point_release(ec->Q); - ec->Q = NULL; return rc; } -- cgit v1.2.3 From 22ca9f4aaf431a9413dcc115dd590123307f274f Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Thu, 10 Jun 2021 08:21:50 +0200 Subject: crypto: shash - avoid comparing pointers to exported functions under CFI crypto_shash_alg_has_setkey() is implemented by testing whether the .setkey() member of a struct shash_alg points to the default version, called shash_no_setkey(). As crypto_shash_alg_has_setkey() is a static inline, this requires shash_no_setkey() to be exported to modules. Unfortunately, when building with CFI, function pointers are routed via CFI stubs which are private to each module (or to the kernel proper) and so this function pointer comparison may fail spuriously. Let's fix this by turning crypto_shash_alg_has_setkey() into an out of line function. Cc: Sami Tolvanen Cc: Eric Biggers Signed-off-by: Ard Biesheuvel Reviewed-by: Eric Biggers Reviewed-by: Sami Tolvanen Signed-off-by: Herbert Xu --- crypto/shash.c | 18 +++++++++++++++--- include/crypto/internal/hash.h | 8 +------- 2 files changed, 16 insertions(+), 10 deletions(-) (limited to 'crypto') diff --git a/crypto/shash.c b/crypto/shash.c index 2e3433ad9762..0a0a50cb694f 100644 --- a/crypto/shash.c +++ b/crypto/shash.c @@ -20,12 +20,24 @@ static const struct crypto_type crypto_shash_type; -int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, - unsigned int keylen) +static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, + unsigned int keylen) { return -ENOSYS; } -EXPORT_SYMBOL_GPL(shash_no_setkey); + +/* + * Check whether an shash algorithm has a setkey function. + * + * For CFI compatibility, this must not be an inline function. This is because + * when CFI is enabled, modules won't get the same address for shash_no_setkey + * (if it were exported, which inlining would require) as the core kernel will. + */ +bool crypto_shash_alg_has_setkey(struct shash_alg *alg) +{ + return alg->setkey != shash_no_setkey; +} +EXPORT_SYMBOL_GPL(crypto_shash_alg_has_setkey); static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key, unsigned int keylen) diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h index 0a288dddcf5b..25806141db59 100644 --- a/include/crypto/internal/hash.h +++ b/include/crypto/internal/hash.h @@ -75,13 +75,7 @@ void crypto_unregister_ahashes(struct ahash_alg *algs, int count); int ahash_register_instance(struct crypto_template *tmpl, struct ahash_instance *inst); -int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, - unsigned int keylen); - -static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg) -{ - return alg->setkey != shash_no_setkey; -} +bool crypto_shash_alg_has_setkey(struct shash_alg *alg); static inline bool crypto_shash_alg_needs_key(struct shash_alg *alg) { -- cgit v1.2.3 From 10ff9976d06fc6a11f512755d500ab2860cbe650 Mon Sep 17 00:00:00 2001 From: Liu Shixin Date: Fri, 11 Jun 2021 10:01:00 +0800 Subject: crypto: api - remove CRYPTOA_U32 and related functions According to the advice of Eric and Herbert, type CRYPTOA_U32 has been unused for over a decade, so remove the code related to CRYPTOA_U32. After removing CRYPTOA_U32, the type of the variable attrs can be changed from union to struct. Signed-off-by: Liu Shixin Reviewed-by: Eric Biggers Signed-off-by: Herbert Xu --- crypto/algapi.c | 18 ------------------ crypto/algboss.c | 31 ++++++------------------------- include/crypto/algapi.h | 1 - include/linux/crypto.h | 5 ----- 4 files changed, 6 insertions(+), 49 deletions(-) (limited to 'crypto') diff --git a/crypto/algapi.c b/crypto/algapi.c index fdabf2675b63..43f999dba4dc 100644 --- a/crypto/algapi.c +++ b/crypto/algapi.c @@ -868,24 +868,6 @@ const char *crypto_attr_alg_name(struct rtattr *rta) } EXPORT_SYMBOL_GPL(crypto_attr_alg_name); -int crypto_attr_u32(struct rtattr *rta, u32 *num) -{ - struct crypto_attr_u32 *nu32; - - if (!rta) - return -ENOENT; - if (RTA_PAYLOAD(rta) < sizeof(*nu32)) - return -EINVAL; - if (rta->rta_type != CRYPTOA_U32) - return -EINVAL; - - nu32 = RTA_DATA(rta); - *num = nu32->num; - - return 0; -} -EXPORT_SYMBOL_GPL(crypto_attr_u32); - int crypto_inst_setname(struct crypto_instance *inst, const char *name, struct crypto_alg *alg) { diff --git a/crypto/algboss.c b/crypto/algboss.c index 5ebccbd6b74e..1814d2c5188a 100644 --- a/crypto/algboss.c +++ b/crypto/algboss.c @@ -28,16 +28,9 @@ struct cryptomgr_param { struct crypto_attr_type data; } type; - union { + struct { struct rtattr attr; - struct { - struct rtattr attr; - struct crypto_attr_alg data; - } alg; - struct { - struct rtattr attr; - struct crypto_attr_u32 data; - } nu32; + struct crypto_attr_alg data; } attrs[CRYPTO_MAX_ATTRS]; char template[CRYPTO_MAX_ALG_NAME]; @@ -104,12 +97,10 @@ static int cryptomgr_schedule_probe(struct crypto_larval *larval) i = 0; for (;;) { - int notnum = 0; - name = ++p; for (; isalnum(*p) || *p == '-' || *p == '_'; p++) - notnum |= !isdigit(*p); + ; if (*p == '(') { int recursion = 0; @@ -123,7 +114,6 @@ static int cryptomgr_schedule_probe(struct crypto_larval *larval) break; } - notnum = 1; p++; } @@ -131,18 +121,9 @@ static int cryptomgr_schedule_probe(struct crypto_larval *larval) if (!len) goto err_free_param; - if (notnum) { - param->attrs[i].alg.attr.rta_len = - sizeof(param->attrs[i].alg); - param->attrs[i].alg.attr.rta_type = CRYPTOA_ALG; - memcpy(param->attrs[i].alg.data.name, name, len); - } else { - param->attrs[i].nu32.attr.rta_len = - sizeof(param->attrs[i].nu32); - param->attrs[i].nu32.attr.rta_type = CRYPTOA_U32; - param->attrs[i].nu32.data.num = - simple_strtol(name, NULL, 0); - } + param->attrs[i].attr.rta_len = sizeof(param->attrs[i]); + param->attrs[i].attr.rta_type = CRYPTOA_ALG; + memcpy(param->attrs[i].data.name, name, len); param->tb[i + 1] = ¶m->attrs[i].attr; i++; diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h index 86f0748009af..41d42e649da4 100644 --- a/include/crypto/algapi.h +++ b/include/crypto/algapi.h @@ -118,7 +118,6 @@ void *crypto_spawn_tfm2(struct crypto_spawn *spawn); struct crypto_attr_type *crypto_get_attr_type(struct rtattr **tb); int crypto_check_attr_type(struct rtattr **tb, u32 type, u32 *mask_ret); const char *crypto_attr_alg_name(struct rtattr *rta); -int crypto_attr_u32(struct rtattr *rta, u32 *num); int crypto_inst_setname(struct crypto_instance *inst, const char *name, struct crypto_alg *alg); diff --git a/include/linux/crypto.h b/include/linux/crypto.h index da5e0d74bb2f..3b9263d6122f 100644 --- a/include/linux/crypto.h +++ b/include/linux/crypto.h @@ -647,7 +647,6 @@ enum { CRYPTOA_UNSPEC, CRYPTOA_ALG, CRYPTOA_TYPE, - CRYPTOA_U32, __CRYPTOA_MAX, }; @@ -665,10 +664,6 @@ struct crypto_attr_type { u32 mask; }; -struct crypto_attr_u32 { - u32 num; -}; - /* * Transform user interface. */ -- cgit v1.2.3 From 5163ab505e489400b4738b2a5547ec83d2dff7bb Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Thu, 17 Jun 2021 15:28:10 +0800 Subject: crypto: api - Move crypto attr definitions out of crypto.h The definitions for crypto_attr-related types and enums are not needed by most Crypto API users. This patch moves them out of crypto.h and into algapi.h/internal.h depending on the extent of their use. Signed-off-by: Herbert Xu --- crypto/internal.h | 12 ++++++++++++ include/crypto/algapi.h | 9 +++++++++ include/linux/crypto.h | 21 --------------------- 3 files changed, 21 insertions(+), 21 deletions(-) (limited to 'crypto') diff --git a/crypto/internal.h b/crypto/internal.h index 976ec9dfc76d..f00869af689f 100644 --- a/crypto/internal.h +++ b/crypto/internal.h @@ -29,6 +29,18 @@ struct crypto_larval { u32 mask; }; +enum { + CRYPTOA_UNSPEC, + CRYPTOA_ALG, + CRYPTOA_TYPE, + __CRYPTOA_MAX, +}; + +#define CRYPTOA_MAX (__CRYPTOA_MAX - 1) + +/* Maximum number of (rtattr) parameters for each template. */ +#define CRYPTO_MAX_ATTRS 32 + extern struct list_head crypto_alg_list; extern struct rw_semaphore crypto_alg_sem; extern struct blocking_notifier_head crypto_chain; diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h index 41d42e649da4..5f6841c73e5a 100644 --- a/include/crypto/algapi.h +++ b/include/crypto/algapi.h @@ -96,6 +96,15 @@ struct scatter_walk { unsigned int offset; }; +struct crypto_attr_alg { + char name[CRYPTO_MAX_ALG_NAME]; +}; + +struct crypto_attr_type { + u32 type; + u32 mask; +}; + void crypto_mod_put(struct crypto_alg *alg); int crypto_register_template(struct crypto_template *tmpl); diff --git a/include/linux/crypto.h b/include/linux/crypto.h index 3b9263d6122f..855869e1fd32 100644 --- a/include/linux/crypto.h +++ b/include/linux/crypto.h @@ -643,27 +643,6 @@ struct crypto_comp { struct crypto_tfm base; }; -enum { - CRYPTOA_UNSPEC, - CRYPTOA_ALG, - CRYPTOA_TYPE, - __CRYPTOA_MAX, -}; - -#define CRYPTOA_MAX (__CRYPTOA_MAX - 1) - -/* Maximum number of (rtattr) parameters for each template. */ -#define CRYPTO_MAX_ATTRS 32 - -struct crypto_attr_alg { - char name[CRYPTO_MAX_ALG_NAME]; -}; - -struct crypto_attr_type { - u32 type; - u32 mask; -}; - /* * Transform user interface. */ -- cgit v1.2.3