linux-toradex.git/crypto/ablkcipher.c, branch v4.9.62 Linux kernel for Apalis and Colibri modules crypto: skcipher - Remove top-level givcipher interface 2016-07-18T09:35:46+00:00 Herbert Xu herbert@gondor.apana.org.au 2016-07-12T05:17:50+00:00 3a01d0ee2b991c8c267620e63a4ab47cd8c30cc4 This patch removes the old crypto_grab_skcipher helper and replaces it with crypto_grab_skcipher2. As this is the final entry point into givcipher this patch also removes all traces of the top-level givcipher interface, including all implicit IV generators such as chainiv. The bottom-level givcipher interface remains until the drivers using it are converted. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
This patch removes the old crypto_grab_skcipher helper and replaces
it with crypto_grab_skcipher2.

As this is the final entry point into givcipher this patch also
removes all traces of the top-level givcipher interface, including
all implicit IV generators such as chainiv.

The bottom-level givcipher interface remains until the drivers
using it are converted.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: skcipher - remove unused header cpumask.h 2016-06-07T10:41:53+00:00 Geliang Tang geliangtang@gmail.com 2016-06-02T05:48:38+00:00 88aff46040a8a13ade85e8e450d781f89899e9fb Remove unused header cpumask.h from crypto/ablkcipher.c. Signed-off-by: Geliang Tang <geliangtang@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Remove unused header cpumask.h from crypto/ablkcipher.c.

Signed-off-by: Geliang Tang <geliangtang@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: skcipher - Copy iv from desc even for 0-len walks 2015-12-09T12:16:22+00:00 Jason A. Donenfeld Jason@zx2c4.com 2015-12-06T01:51:37+00:00 70d906bc17500edfa9bdd8c8b7e59618c7911613 Some ciphers actually support encrypting zero length plaintexts. For example, many AEAD modes support this. The resulting ciphertext for those winds up being only the authentication tag, which is a result of the key, the iv, the additional data, and the fact that the plaintext had zero length. The blkcipher constructors won't copy the IV to the right place, however, when using a zero length input, resulting in some significant problems when ciphers call their initialization routines, only to find that the ->iv parameter is uninitialized. One such example of this would be using chacha20poly1305 with a zero length input, which then calls chacha20, which calls the key setup routine, which eventually OOPSes due to the uninitialized ->iv member. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Cc: <stable@vger.kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Some ciphers actually support encrypting zero length plaintexts. For
example, many AEAD modes support this. The resulting ciphertext for
those winds up being only the authentication tag, which is a result of
the key, the iv, the additional data, and the fact that the plaintext
had zero length. The blkcipher constructors won't copy the IV to the
right place, however, when using a zero length input, resulting in
some significant problems when ciphers call their initialization
routines, only to find that the ->iv parameter is uninitialized. One
such example of this would be using chacha20poly1305 with a zero length
input, which then calls chacha20, which calls the key setup routine,
which eventually OOPSes due to the uninitialized ->iv member.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: api - Only abort operations on fatal signal 2015-10-20T13:59:25+00:00 Herbert Xu herbert@gondor.apana.org.au 2015-10-19T10:23:57+00:00 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 Currently a number of Crypto API operations may fail when a signal occurs. This causes nasty problems as the caller of those operations are often not in a good position to restart the operation. In fact there is currently no need for those operations to be interrupted by user signals at all. All we need is for them to be killable. This patch replaces the relevant calls of signal_pending with fatal_signal_pending, and wait_for_completion_interruptible with wait_for_completion_killable, respectively. Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Currently a number of Crypto API operations may fail when a signal
occurs.  This causes nasty problems as the caller of those operations
are often not in a good position to restart the operation.

In fact there is currently no need for those operations to be
interrupted by user signals at all.  All we need is for them to
be killable.

This patch replaces the relevant calls of signal_pending with
fatal_signal_pending, and wait_for_completion_interruptible with
wait_for_completion_killable, respectively.

Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: skcipher - Allow givencrypt to be NULL 2015-06-22T07:49:16+00:00 Herbert Xu herbert@gondor.apana.org.au 2015-06-21T11:11:41+00:00 21dbd96f2287a49219d35a0e916cf3f2bcaab9d0 Currently for skcipher IV generators they must provide givencrypt as that is the whole point. We are currently replacing skcipher IV generators with explicit IV generators. In order to maintain backwards compatibility, we need to allow the IV generators to still function as a normal skcipher when the RNG Is not present (e.g., in the initramfs during boot). IOW everything but givencrypt and givdecrypt will still work but those two will fail. Therefore this patch assigns a default givencrypt that simply returns an error should it be NULL. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Currently for skcipher IV generators they must provide givencrypt
as that is the whole point.  We are currently replacing skcipher
IV generators with explicit IV generators.  In order to maintain
backwards compatibility, we need to allow the IV generators to
still function as a normal skcipher when the RNG Is not present
(e.g., in the initramfs during boot).  IOW everything but givencrypt
and givdecrypt will still work but those two will fail.

Therefore this patch assigns a default givencrypt that simply
returns an error should it be NULL.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: skcipher - Use tmpl->create 2015-05-25T10:41:28+00:00 Herbert Xu herbert@gondor.apana.org.au 2015-05-23T07:41:48+00:00 56e34378bbbb7af21cf73d98a92c0411386e091c Newer templates use tmpl->create and have a NULL tmpl->alloc. So we must use tmpl->create if it is set. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Newer templates use tmpl->create and have a NULL tmpl->alloc.  So
we must use tmpl->create if it is set.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: skcipher - Fix corner case in crypto_lookup_skcipher 2015-04-26T06:33:15+00:00 Herbert Xu herbert@gondor.apana.org.au 2015-04-23T08:34:47+00:00 26739535206e819946b0740347c09c94c4e48ba9 When the user explicitly states that they don't care whether the algorithm has been tested (type = CRYPTO_ALG_TESTED and mask = 0), there is a corner case where we may erroneously return ENOENT. This patch fixes it by correcting the logic in the test. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
When the user explicitly states that they don't care whether the
algorithm has been tested (type = CRYPTO_ALG_TESTED and mask = 0),
there is a corner case where we may erroneously return ENOENT.

This patch fixes it by correcting the logic in the test.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: replace scatterwalk_sg_next with sg_next 2015-01-26T00:34:22+00:00 Cristian Stoica cristian.stoica@freescale.com 2015-01-20T08:06:16+00:00 5be4d4c94b1f98b839344fda7a8752a4a09d0ef5 Modify crypto drivers to use the generic SG helper since both of them are equivalent and the one from crypto is redundant. See also: 468577abe37ff7b453a9ac613e0ea155349203ae reverted in b2ab4a57b018aafbba35bff088218f5cc3d2142e Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Modify crypto drivers to use the generic SG helper since
both of them are equivalent and the one from crypto is redundant.

See also:
  468577abe37ff7b453a9ac613e0ea155349203ae   reverted in
  b2ab4a57b018aafbba35bff088218f5cc3d2142e

Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: ablkcipher - fixed style errors in ablkcipher.c 2014-12-22T12:02:35+00:00 Joshua I. James joshua@cybercrimetech.com 2014-12-05T05:06:16+00:00 a861afbc931b489b3b2362f8011cccd2a071ec37 Fixed style errors reported by checkpatch. WARNING: Missing a blank line after declarations + u8 *end_page = (u8 *)(((unsigned long)(start + len - 1)) & PAGE_MASK); + return max(start, end_page); WARNING: line over 80 characters + scatterwalk_start(&walk->out, scatterwalk_sg_next(walk->out.sg)); WARNING: Missing a blank line after declarations + int err = ablkcipher_copy_iv(walk, tfm, alignmask); + if (err) ERROR: do not use assignment in if condition + if ((err = crypto_register_instance(tmpl, inst))) { Signed-off-by: Joshua I. James <joshua@cybercrimetech.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 
Fixed style errors reported by checkpatch.

WARNING: Missing a blank line after declarations
+       u8 *end_page = (u8 *)(((unsigned long)(start + len - 1)) & PAGE_MASK);
+       return max(start, end_page);

WARNING: line over 80 characters
+               scatterwalk_start(&walk->out, scatterwalk_sg_next(walk->out.sg));

WARNING: Missing a blank line after declarations
+               int err = ablkcipher_copy_iv(walk, tfm, alignmask);
+               if (err)

ERROR: do not use assignment in if condition
+       if ((err = crypto_register_instance(tmpl, inst))) {

Signed-off-by: Joshua I. James <joshua@cybercrimetech.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto: skcipher - Use eseqiv even on UP machines 2013-10-30T01:51:45+00:00 Herbert Xu herbert@gondor.apana.org.au 2013-10-30T01:51:45+00:00 f3d53ed038944a5e785f04952170f7e239a49ae8 Previously we would use eseqiv on all async ciphers in all cases, and sync ciphers if we have more than one CPU. This meant that chainiv is only used in the case of sync ciphers on a UP machine. As chainiv may aid attackers by making the IV predictable, even though this risk itself is small, the above usage pattern causes it to further leak information about the host. This patch addresses these issues by using eseqiv even if we're on a UP machine. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: David S. Miller <davem@davemloft.net> 
Previously we would use eseqiv on all async ciphers in all cases,
and sync ciphers if we have more than one CPU.  This meant that
chainiv is only used in the case of sync ciphers on a UP machine.

As chainiv may aid attackers by making the IV predictable, even
though this risk itself is small, the above usage pattern causes
it to further leak information about the host.

This patch addresses these issues by using eseqiv even if we're
on a UP machine.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: David S. Miller <davem@davemloft.net>