1. 04 Oct, 2018 1 commit
  2. 17 Aug, 2018 1 commit
    • Eric Biggers's avatar
      crypto: ablkcipher - fix crash flushing dcache in error path · 68432fd1
      Eric Biggers authored
      commit 318abdfb upstream.
      Like the skcipher_walk and blkcipher_walk cases:
      scatterwalk_done() is only meant to be called after a nonzero number of
      bytes have been processed, since scatterwalk_pagedone() will flush the
      dcache of the *previous* page.  But in the error case of
      ablkcipher_walk_done(), e.g. if the input wasn't an integer number of
      blocks, scatterwalk_done() was actually called after advancing 0 bytes.
      This caused a crash ("BUG: unable to handle kernel paging request")
      during '!PageSlab(page)' on architectures like arm and arm64 that define
      ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
      page-aligned as in that case walk->offset == 0.
      Fix it by reorganizing ablkcipher_walk_done() to skip the
      scatterwalk_advance() and scatterwalk_done() if an error has occurred.
      Reported-by: default avatarLiu Chao <liuchao741@huawei.com>
      Fixes: bf06099d ("crypto: skcipher - Add ablkcipher_walk interfaces")
      Cc: <stable@vger.kernel.org> # v2.6.35+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
  3. 12 Jan, 2017 1 commit
    • Gideon Israel Dsouza's avatar
      crypto: Replaced gcc specific attributes with macros from compiler.h · d8c34b94
      Gideon Israel Dsouza authored
      Continuing from this commit: 52f5684c
      ("kernel: use macros from compiler.h instead of __attribute__((...))")
      I submitted 4 total patches. They are part of task I've taken up to
      increase compiler portability in the kernel. I've cleaned up the
      subsystems under /kernel /mm /block and /security, this patch targets
      There is <linux/compiler.h> which provides macros for various gcc specific
      constructs. Eg: __weak for __attribute__((weak)). I've cleaned all
      instances of gcc specific attributes with the right macros for the crypto
      I had to make one additional change into compiler-gcc.h for the case when
      one wants to use this: __attribute__((aligned) and not specify an alignment
      factor. From the gcc docs, this will result in the largest alignment for
      that data type on the target machine so I've named the macro
      __aligned_largest. Please advise if another name is more appropriate.
      Signed-off-by: default avatarGideon Israel Dsouza <gidisrael@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  4. 18 Jul, 2016 1 commit
    • Herbert Xu's avatar
      crypto: skcipher - Remove top-level givcipher interface · 3a01d0ee
      Herbert Xu authored
      This patch removes the old crypto_grab_skcipher helper and replaces
      it with crypto_grab_skcipher2.
      As this is the final entry point into givcipher this patch also
      removes all traces of the top-level givcipher interface, including
      all implicit IV generators such as chainiv.
      The bottom-level givcipher interface remains until the drivers
      using it are converted.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  5. 07 Jun, 2016 1 commit
  6. 09 Dec, 2015 1 commit
    • Jason A. Donenfeld's avatar
      crypto: skcipher - Copy iv from desc even for 0-len walks · 70d906bc
      Jason A. Donenfeld authored
      Some ciphers actually support encrypting zero length plaintexts. For
      example, many AEAD modes support this. The resulting ciphertext for
      those winds up being only the authentication tag, which is a result of
      the key, the iv, the additional data, and the fact that the plaintext
      had zero length. The blkcipher constructors won't copy the IV to the
      right place, however, when using a zero length input, resulting in
      some significant problems when ciphers call their initialization
      routines, only to find that the ->iv parameter is uninitialized. One
      such example of this would be using chacha20poly1305 with a zero length
      input, which then calls chacha20, which calls the key setup routine,
      which eventually OOPSes due to the uninitialized ->iv member.
      Signed-off-by: default avatarJason A. Donenfeld <Jason@zx2c4.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  7. 20 Oct, 2015 1 commit
    • Herbert Xu's avatar
      crypto: api - Only abort operations on fatal signal · 3fc89adb
      Herbert Xu authored
      Currently a number of Crypto API operations may fail when a signal
      occurs.  This causes nasty problems as the caller of those operations
      are often not in a good position to restart the operation.
      In fact there is currently no need for those operations to be
      interrupted by user signals at all.  All we need is for them to
      be killable.
      This patch replaces the relevant calls of signal_pending with
      fatal_signal_pending, and wait_for_completion_interruptible with
      wait_for_completion_killable, respectively.
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  8. 22 Jun, 2015 1 commit
    • Herbert Xu's avatar
      crypto: skcipher - Allow givencrypt to be NULL · 21dbd96f
      Herbert Xu authored
      Currently for skcipher IV generators they must provide givencrypt
      as that is the whole point.  We are currently replacing skcipher
      IV generators with explicit IV generators.  In order to maintain
      backwards compatibility, we need to allow the IV generators to
      still function as a normal skcipher when the RNG Is not present
      (e.g., in the initramfs during boot).  IOW everything but givencrypt
      and givdecrypt will still work but those two will fail.
      Therefore this patch assigns a default givencrypt that simply
      returns an error should it be NULL.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  9. 25 May, 2015 1 commit
  10. 26 Apr, 2015 1 commit
  11. 26 Jan, 2015 1 commit
  12. 22 Dec, 2014 1 commit
    • Joshua I. James's avatar
      crypto: ablkcipher - fixed style errors in ablkcipher.c · a861afbc
      Joshua I. James authored
      Fixed style errors reported by checkpatch.
      WARNING: Missing a blank line after declarations
      +       u8 *end_page = (u8 *)(((unsigned long)(start + len - 1)) & PAGE_MASK);
      +       return max(start, end_page);
      WARNING: line over 80 characters
      +               scatterwalk_start(&walk->out, scatterwalk_sg_next(walk->out.sg));
      WARNING: Missing a blank line after declarations
      +               int err = ablkcipher_copy_iv(walk, tfm, alignmask);
      +               if (err)
      ERROR: do not use assignment in if condition
      +       if ((err = crypto_register_instance(tmpl, inst))) {
      Signed-off-by: default avatarJoshua I. James <joshua@cybercrimetech.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  13. 30 Oct, 2013 1 commit
  14. 19 Feb, 2013 1 commit
    • Mathias Krause's avatar
      crypto: user - fix info leaks in report API · 9a5467bf
      Mathias Krause authored
      Three errors resulting in kernel memory disclosure:
      1/ The structures used for the netlink based crypto algorithm report API
      are located on the stack. As snprintf() does not fill the remainder of
      the buffer with null bytes, those stack bytes will be disclosed to users
      of the API. Switch to strncpy() to fix this.
      2/ crypto_report_one() does not initialize all field of struct
      crypto_user_alg. Fix this to fix the heap info leak.
      3/ For the module name we should copy only as many bytes as
      module_name() returns -- not as much as the destination buffer could
      hold. But the current code does not and therefore copies random data
      from behind the end of the module name, as the module name is always
      shorter than CRYPTO_MAX_ALG_NAME.
      Also switch to use strncpy() to copy the algorithm's name and
      driver_name. They are strings, after all.
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  15. 02 Apr, 2012 1 commit
  16. 29 Mar, 2012 1 commit
  17. 10 Nov, 2011 1 commit
  18. 21 Oct, 2011 2 commits
  19. 29 Jan, 2011 1 commit
  20. 23 Jun, 2010 1 commit
  21. 19 May, 2010 1 commit
    • David S. Miller's avatar
      crypto: skcipher - Add ablkcipher_walk interfaces · bf06099d
      David S. Miller authored
      These are akin to the blkcipher_walk helpers.
      The main differences in the async variant are:
      1) Only physical walking is supported.  We can't hold on to
         kmap mappings across the async operation to support virtual
         ablkcipher_walk operations anyways.
      2) Bounce buffers used for async more need to be persistent and
         freed at a later point in time when the async op completes.
         Therefore we maintain a list of writeback buffers and require
         that the ablkcipher_walk user call the 'complete' operation
         so we can copy the bounce buffers out to the real buffers and
         free up the bounce buffer chunks.
      These interfaces will be used by the new Niagara2 crypto driver.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  22. 16 Feb, 2010 1 commit
  23. 14 Aug, 2009 1 commit
    • Herbert Xu's avatar
      crypto: blkcipher - Do not use eseqiv on stream ciphers · 63b5ac28
      Herbert Xu authored
      Recently we switched to using eseqiv on SMP machines in preference
      over chainiv.  However, eseqiv does not support stream ciphers so
      they should still default to chainiv.
      This patch applies the same check as done by eseqiv to weed out
      the stream ciphers.  In particular, all algorithms where the IV
      size is not equal to the block size will now default to chainiv.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  24. 25 Jun, 2009 2 commits
    • Herbert Xu's avatar
      crypto: skcipher - Change default sync geniv on SMP to eseqiv · 0b67fb65
      Herbert Xu authored
      As it stands we use chainiv for sync algorithms and eseqiv for
      async algorithms.  However, when there is more than one CPU
      chainiv forces all processing to be serialised which is usually
      not what you want.  Also, the added overhead of eseqiv isn't that
      Therefore this patch changes the default sync geniv on SMP machines
      to eseqiv.  For the odd situation where the overhead is unacceptable
      then chainiv is still available as an option.
      Note that on UP machines chainiv is still preferred over eseqiv
      for sync algorithms.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      crypto: skcipher - Fix request for sync algorithms · 435578ae
      Herbert Xu authored
      When a sync givcipher algorithm is requested, if an async version
      of the same algorithm already exists, then we will loop forever
      without ever constructing the sync version based on a blkcipher.
      This is because we did not include the requested type/mask when
      getting a larval for the geniv algorithm that is to be constructed.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  25. 18 Feb, 2009 1 commit
    • Herbert Xu's avatar
      crypto: skcipher - Avoid infinite loop when cipher fails selftest · b170a137
      Herbert Xu authored
      When an skcipher constructed through crypto_givcipher_default fails
      its selftest, we'll loop forever trying to construct new skcipher
      objects but failing because it already exists.
      The crux of the issue is that once a givcipher fails the selftest,
      we'll ignore it on the next run through crypto_skcipher_lookup and
      attempt to construct a new givcipher.
      We should instead return an error to the caller if we find a
      givcipher that has failed the test.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  26. 23 Feb, 2008 1 commit
  27. 10 Jan, 2008 6 commits
    • Herbert Xu's avatar
      [CRYPTO] api: Show async type · 189ed66e
      Herbert Xu authored
      This patch adds an async field to /proc/crypto for ablkcipher and aead
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] skcipher: Create default givcipher instances · b9c55aa4
      Herbert Xu authored
      This patch makes crypto_alloc_ablkcipher/crypto_grab_skcipher always
      return algorithms that are capable of generating their own IVs through
      givencrypt and givdecrypt.  Each algorithm may specify its default IV
      generator through the geniv field.
      For algorithms that do not set the geniv field, the blkcipher layer will
      pick a default.  Currently it's chainiv for synchronous algorithms and
      eseqiv for asynchronous algorithms.  Note that if these wrappers do not
      work on an algorithm then that algorithm must specify its own geniv or
      it can't be used at all.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] skcipher: Add skcipher_geniv_alloc/skcipher_geniv_free · ecfc4329
      Herbert Xu authored
      This patch creates the infrastructure to help the construction of givcipher
      templates that wrap around existing blkcipher/ablkcipher algorithms by adding
      an IV generator to them.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] skcipher: Added geniv field · 23508e11
      Herbert Xu authored
      This patch introduces the geniv field which indicates the default IV
      generator for each algorithm.  It should point to a string that is not
      freed as long as the algorithm is registered.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] skcipher: Add givcrypt operations and givcipher type · 61da88e2
      Herbert Xu authored
      Different block cipher modes have different requirements for intialisation
      vectors.  For example, CBC can use a simple randomly generated IV while
      modes such as CTR must use an IV generation mechanisms that give a stronger
      guarantee on the lack of collisions.  Furthermore, disk encryption modes
      have their own IV generation algorithms.
      Up until now IV generation has been left to the users of the symmetric
      key cipher API.  This is inconvenient as the number of block cipher modes
      increase because the user needs to be aware of which mode is supposed to
      be paired with which IV generation algorithm.
      Therefore it makes sense to integrate the IV generation into the crypto
      API.  This patch takes the first step in that direction by creating two
      new ablkcipher operations, givencrypt and givdecrypt that generates an
      IV before performing the actual encryption or decryption.
      The operations are currently not exposed to the user.  That will be done
      once the underlying functionality has actually been implemented.
      It also creates the underlying givcipher type.  Algorithms that directly
      generate IVs would use it instead of ablkcipher.  All other algorithms
      (including all existing ones) would generate a givcipher algorithm upon
      registration.  This givcipher algorithm will be constructed from the geniv
      string that's stored in every algorithm.  That string will locate a template
      which is instantiated by the blkcipher/ablkcipher algorithm in question to
      give a givcipher algorithm.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] skcipher: Add crypto_grab_skcipher interface · 378f4f51
      Herbert Xu authored
      Note: From now on the collective of ablkcipher/blkcipher/givcipher will
      be known as skcipher, i.e., symmetric key cipher.  The name blkcipher has
      always been much of a misnomer since it supports stream ciphers too.
      This patch adds the function crypto_grab_skcipher as a new way of getting
      an ablkcipher spawn.  The problem is that previously we did this in two
      steps, first getting the algorithm and then calling crypto_init_spawn.
      This meant that each spawn user had to be aware of what type and mask to
      use for these two steps.  This is difficult and also presents a problem
      when the type/mask changes as they're about to be for IV generators.
      The new interface does both steps together just like crypto_alloc_ablkcipher.
      As a side-effect this also allows us to be stronger on type enforcement
      for spawns.  For now this is only done for ablkcipher but it's trivial
      to extend for other types.
      This patch also moves the type/mask logic for skcipher into the helpers
      crypto_skcipher_type and crypto_skcipher_mask.
      Finally this patch introduces the function crypto_require_sync to determine
      whether the user is specifically requesting a sync algorithm.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  28. 10 Oct, 2007 2 commits
  29. 06 Aug, 2007 1 commit
  30. 11 Jul, 2007 2 commits
  31. 02 May, 2007 1 commit