1. 25 Mar, 2022 4 commits
    • Peter Zijlstra's avatar
      crypto: x86/poly1305 - Fixup SLS · 7ed7aa4d
      Peter Zijlstra authored
      Due to being a perl generated asm file, it got missed by the mass
      convertion script.
      
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_init_x86_64()+0x3a: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_x86_64()+0xf2: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_emit_x86_64()+0x37: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: __poly1305_block()+0x6d: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: __poly1305_init_avx()+0x1e8: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx()+0x18a: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx()+0xaf8: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_emit_avx()+0x99: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx2()+0x18a: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx2()+0x776: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x18a: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x796: missing int3 after ret
      arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x10bd: missing int3 after ret
      
      Fixes: f94909ce ("x86: Prepare asm files for straight-line-speculation")
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7ed7aa4d
    • Peter Zijlstra's avatar
      crypto: x86/chacha20 - Avoid spurious jumps to other functions · 4327d168
      Peter Zijlstra authored
      The chacha_Nblock_xor_avx512vl() functions all have their own,
      identical, .LdoneN label, however in one particular spot {2,4} jump to
      the 8 version instead of their own. Resulting in:
      
        arch/x86/crypto/chacha-x86_64.o: warning: objtool: chacha_2block_xor_avx512vl() falls through to next function chacha_8block_xor_avx512vl()
        arch/x86/crypto/chacha-x86_64.o: warning: objtool: chacha_4block_xor_avx512vl() falls through to next function chacha_8block_xor_avx512vl()
      
      Make each function consistently use its own done label.
      Reported-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      4327d168
    • Zheng Yongjun's avatar
      crypto: stm32 - fix reference leak in stm32_crc_remove · e9a36fee
      Zheng Yongjun authored
      pm_runtime_get_sync() will increment pm usage counter even it
      failed. Forgetting to call pm_runtime_put_noidle will result
      in reference leak in stm32_crc_remove, so we should fix it.
      Signed-off-by: default avatarZheng Yongjun <zhengyongjun3@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      e9a36fee
    • Herbert Xu's avatar
      crypto: arm/aes-neonbs-cbc - Select generic cbc and aes · c8bd296c
      Herbert Xu authored
      The algorithm __cbc-aes-neonbs requires a fallback so we need
      to select the config options for them or otherwise it will fail
      to register on boot-up.
      
      Fixes: 00b99ad2 ("crypto: arm/aes-neonbs - Use generic cbc...")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c8bd296c
  2. 14 Mar, 2022 4 commits
  3. 09 Mar, 2022 10 commits
  4. 02 Mar, 2022 22 commits
    • Yang Yingliang's avatar
      crypto: octeontx2 - fix missing unlock · 280ee3c3
      Yang Yingliang authored
      Add the missing unlock before return from error path.
      
      Fixes: 4363f3d3 ("crypto: octeontx2 - add synchronization between mailbox accesses")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      280ee3c3
    • Wan Jiabing's avatar
      hwrng: cavium - fix NULL but dereferenced coccicheck error · e6205ad5
      Wan Jiabing authored
      Fix following coccicheck warning:
      ./drivers/char/hw_random/cavium-rng-vf.c:182:17-20: ERROR:
      pdev is NULL but dereferenced.
      Signed-off-by: default avatarWan Jiabing <wanjiabing@vivo.com>
      Reviewed-by: default avatarSunil Goutham <sgoutham@marvell.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      e6205ad5
    • Andy Shevchenko's avatar
      crypto: cavium/nitrox - don't cast parameter in bit operations · 959e3754
      Andy Shevchenko authored
      While in this particular case it would not be a (critical) issue,
      the pattern itself is bad and error prone in case the location
      of the parameter is changed.
      
      Don't cast parameter to unsigned long pointer in the bit operations.
      Instead copy to a local variable on stack of a proper type and use.
      
      Fixes: cf718eaa ("crypto: cavium/nitrox - Enabled Mailbox support")
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      959e3754
    • Petr Vorel's avatar
      crypto: vmx - add missing dependencies · 647d41d3
      Petr Vorel authored
      vmx-crypto module depends on CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or
      CRYPTO_XTS, thus add them.
      
      These dependencies are likely to be enabled, but if
      CRYPTO_DEV_VMX=y && !CRYPTO_MANAGER_DISABLE_TESTS
      and either of CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or CRYPTO_XTS is built
      as module or disabled, alg_test() from crypto/testmgr.c complains during
      boot about failing to allocate the generic fallback implementations
      (2 == ENOENT):
      
      [    0.540953] Failed to allocate xts(aes) fallback: -2
      [    0.541014] alg: skcipher: failed to allocate transform for p8_aes_xts: -2
      [    0.541120] alg: self-tests for p8_aes_xts (xts(aes)) failed (rc=-2)
      [    0.544440] Failed to allocate ctr(aes) fallback: -2
      [    0.544497] alg: skcipher: failed to allocate transform for p8_aes_ctr: -2
      [    0.544603] alg: self-tests for p8_aes_ctr (ctr(aes)) failed (rc=-2)
      [    0.547992] Failed to allocate cbc(aes) fallback: -2
      [    0.548052] alg: skcipher: failed to allocate transform for p8_aes_cbc: -2
      [    0.548156] alg: self-tests for p8_aes_cbc (cbc(aes)) failed (rc=-2)
      [    0.550745] Failed to allocate transformation for 'aes': -2
      [    0.550801] alg: cipher: Failed to load transform for p8_aes: -2
      [    0.550892] alg: self-tests for p8_aes (aes) failed (rc=-2)
      
      Fixes: c07f5d3d ("crypto: vmx - Adding support for XTS")
      Fixes: d2e3ae6f ("crypto: vmx - Enabling VMX module for PPC64")
      Suggested-by: default avatarNicolai Stange <nstange@suse.de>
      Signed-off-by: default avatarPetr Vorel <pvorel@suse.cz>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      647d41d3
    • Harsha's avatar
      MAINTAINERS: Add maintainer for Xilinx ZynqMP SHA3 driver · 9578de38
      Harsha authored
      This patch adds an entry for ZynqMP SHA3 driver in the list of
      Maintainers.
      Signed-off-by: default avatarHarsha <harsha.harsha@xilinx.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      9578de38
    • Harsha's avatar
      crypto: xilinx - Add Xilinx SHA3 driver · 7ecc3e34
      Harsha authored
      This patch adds SHA3 driver support for the Xilinx ZynqMP SoC.
      Xilinx ZynqMP SoC has SHA3 engine used for secure hash calculation.
      The flow is
      SHA3 request from Userspace -> SHA3 driver-> ZynqMp driver-> Firmware ->
      SHA3 HW Engine
      
      SHA3 HW engine in Xilinx ZynqMP SoC, does not support parallel processing
      of 2 hash requests.
      Therefore, software fallback is being used for init, update, final,
      export and import in the ZynqMP SHA driver
      For digest, the calculation of SHA3 hash is done by the hardened
      SHA3 accelerator in Xilinx ZynqMP SoC.
      Signed-off-by: default avatarHarsha <harsha.harsha@xilinx.com>
      Signed-off-by: default avatarKalyani Akula <kalyani.akula@xilinx.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7ecc3e34
    • Harsha's avatar
      firmware: xilinx: Add ZynqMP SHA API for SHA3 functionality · 80f940ef
      Harsha authored
      This patch adds zynqmp_pm_sha_hash API in the ZynqMP firmware to compute
      SHA3 hash of given data.
      Signed-off-by: default avatarHarsha <harsha.harsha@xilinx.com>
      Signed-off-by: default avatarKalyani Akula <kalyani.akula@xilinx.com>
      Acked-by: default avatarMichal Simek <michal.simek@xilinx.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      80f940ef
    • Harsha's avatar
      crypto: xilinx - Updated Makefile for xilinx subdirectory · 52af29ab
      Harsha authored
      This patch updates the Makefile for xilinx subdirectory.
      CONFIG_CRYPTO_DEV_ZYNQMP_AES protects zynqmp-aes-gcm.o and it is used
      twice (in drivers/crypto/Makefile and drivers/crypto/xilinx/Makefile)
      and it is enough to use it once.
      Signed-off-by: default avatarHarsha <harsha.harsha@xilinx.com>
      Reviewed-by: default avatarMichal Simek <michal.simek@xilinx.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      52af29ab
    • Ard Biesheuvel's avatar
      crypto: crypto_xor - use helpers for unaligned accesses · 7976c149
      Ard Biesheuvel authored
      Dereferencing a misaligned pointer is undefined behavior in C, and may
      result in codegen on architectures such as ARM that trigger alignments
      traps and expensive fixups in software.
      
      Instead, use the get_aligned()/put_aligned() accessors, which are cheap
      or even completely free when CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y.
      
      In the converse case, the prior alignment checks ensure that the casts
      are safe, and so no unaligned accessors are necessary.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7976c149
    • Tom Rix's avatar
      crypto: cleanup comments · 4920a4a7
      Tom Rix authored
      For spdx
      /* */ for *.h, // for *.c
      Space before spdx tag
      
      Replacements
      paramenters to parameters
      aymmetric to asymmetric
      sigature to signature
      boudary to boundary
      compliled to compiled
      eninges to engines
      explicity to explicitly
      Signed-off-by: default avatarTom Rix <trix@redhat.com>
      Acked-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      4920a4a7
    • Nicolai Stange's avatar
      crypto: dh - calculate Q from P for the full public key verification · 35d2bf20
      Nicolai Stange authored
      As the ->q in struct dh_ctx gets never set anywhere, the code in
      dh_is_pubkey_valid() for doing the full public key validation in accordance
      to SP800-56Arev3 is effectively dead.
      
      However, for safe-prime groups Q = (P - 1)/2 by definition and
      as the safe-prime groups are the only possible groups in FIPS mode (via
      those ffdheXYZ() templates), this enables dh_is_pubkey_valid() to calculate
      Q on the fly for these.
      Implement this.
      
      With this change, the last code accessing struct dh_ctx's ->q is now gone.
      Remove this member from struct dh_ctx.
      Signed-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      35d2bf20
    • Nicolai Stange's avatar
      lib/mpi: export mpi_rshift · 81771ff2
      Nicolai Stange authored
      A subsequent patch will make the crypto/dh's dh_is_pubkey_valid() to
      calculate a safe-prime groups Q parameter from P: Q = (P - 1) / 2. For
      implementing this, mpi_rshift() will be needed. Export it so that it's
      accessible from crypto/dh.
      Signed-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      81771ff2
    • Nicolai Stange's avatar
      crypto: dh - disallow plain "dh" usage in FIPS mode · 32f07cc4
      Nicolai Stange authored
      SP800-56Arev3, sec. 5.5.2 ("Assurance of Domain-Parameter Validity")
      asserts that an implementation needs to verify domain paramtere validity,
      which boils down to either
      - the domain parameters corresponding to some known safe-prime group
        explicitly listed to be approved in the document or
      - for parameters conforming to a "FIPS 186-type parameter-size set",
        that the implementation needs to perform an explicit domain parameter
        verification, which would require access to the "seed" and "counter"
        values used in their generation.
      
      The latter is not easily feasible and moreover, SP800-56Arev3 states that
      safe-prime groups are preferred and that FIPS 186-type parameter sets
      should only be supported for backward compatibility, if it all.
      
      Mark "dh" as not fips_allowed in testmgr. Note that the safe-prime
      ffdheXYZ(dh) wrappers are not affected by this change: as these enforce
      some approved safe-prime group each, their usage is still allowed in FIPS
      mode.
      
      This change will effectively render the keyctl(KEYCTL_DH_COMPUTE) syscall
      unusable in FIPS mode, but it has been brought up that this might even be
      a good thing ([1]).
      
      [1] https://lore.kernel.org/r/20211217055227.GA20698@gondor.apana.org.auSigned-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      32f07cc4
    • Nicolai Stange's avatar
      crypto: api - allow algs only in specific constructions in FIPS mode · d6097b8d
      Nicolai Stange authored
      Currently we do not distinguish between algorithms that fail on
      the self-test vs. those which are disabled in FIPS mode (not allowed).
      Both are marked as having failed the self-test.
      
      Recently the need arose to allow the usage of certain algorithms only
      as arguments to specific template instantiations in FIPS mode. For
      example, standalone "dh" must be blocked, but e.g. "ffdhe2048(dh)" is
      allowed. Other potential use cases include "cbcmac(aes)", which must
      only be used with ccm(), or "ghash", which must be used only for
      gcm().
      
      This patch allows this scenario by adding a new flag FIPS_INTERNAL to
      indicate those algorithms that are not FIPS-allowed. They can then be
      used as template arguments only, i.e. when looked up via
      crypto_grab_spawn() to be more specific. The FIPS_INTERNAL bit gets
      propagated upwards recursively into the surrounding template
      instances, until the construction eventually matches an explicit
      testmgr entry with ->fips_allowed being set, if any.
      
      The behaviour to skip !->fips_allowed self-test executions in FIPS
      mode will be retained. Note that this effectively means that
      FIPS_INTERNAL algorithms are handled very similarly to the INTERNAL
      ones in this regard. It is expected that the FIPS_INTERNAL algorithms
      will receive sufficient testing when the larger constructions they're
      a part of, if any, get exercised by testmgr.
      
      Note that as a side-effect of this patch algorithms which are not
      FIPS-allowed will now return ENOENT instead of ELIBBAD. Hopefully
      this is not an issue as some people were relying on this already.
      
      Link: https://lore.kernel.org/r/YeEVSaMEVJb3cQkq@gondor.apana.org.auOriginally-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d6097b8d
    • Nicolai Stange's avatar
      crypto: dh - allow for passing NULL to the ffdheXYZ(dh)s' ->set_secret() · c8e8236c
      Nicolai Stange authored
      Ephemeral key generation can be requested from any of the ffdheXYZ(dh)
      variants' common ->set_secret() by passing it an (encoded) struct dh
      with the key parameter being unset, i.e. with ->key_size == 0. As the
      whole purpose of the ffdheXYZ(dh) templates is to fill in the group
      parameters as appropriate, they expect ->p and ->g to be unset in any
      input struct dh as well. This means that a user would have to encode an
      all-zeroes struct dh instance via crypto_dh_encode_key() when requesting
      ephemeral key generation from a ffdheXYZ(dh) instance, which is kind of
      pointless.
      
      Make dh_safe_prime_set_secret() to decode a struct dh from the supplied
      buffer only if the latter is non-NULL and initialize it with all zeroes
      otherwise.
      
      That is, it is now possible to call
      
        crypto_kpp_set_secret(tfm, NULL, 0);
      
      on any ffdheXYZ(dh) tfm for requesting ephemeral key generation.
      Signed-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c8e8236c
    • Nicolai Stange's avatar
      crypto: testmgr - add keygen tests for ffdheXYZ(dh) templates · 209b7fc9
      Nicolai Stange authored
      Now that the ffdheXYZ(dh) templates support ephemeral key generation, add
      ->keygen = 1 TVs for each of them to the testmgr.c.
      
      In order to facilitate string merging by the compiler, set party B's secret
      and public keys to the ones specified for party A in the respective
      existing known answer test. With GCC 7.5 on x86_64, this leads to an
      increase of testmgr.o size by less than half a kB.
      Signed-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      209b7fc9
    • Nicolai Stange's avatar
      crypto: dh - implement private key generation primitive for ffdheXYZ(dh) · 1e207964
      Nicolai Stange authored
      The support for NVME in-band authentication currently in the works ([1])
      needs to generate ephemeral DH keys for use with the RFC 7919 safe-prime
      FFDHE groups.
      
      In analogy to ECDH and its ecc_gen_privkey(), implement a
      dh_safe_prime_gen_privkey() and invoke it from the ffdheXYZ(dh) templates'
      common ->set_secret(), i.e. dh_safe_prime_set_secret(), in case the input
      ->key_size is zero.
      
      As the RFC 7919 FFDHE groups are classified as approved safe-prime groups
      by SP800-56Arev3, it's worthwhile to make the new
      dh_safe_prime_gen_privkey() to follow the approach specified in
      SP800-56Arev3, sec. 5.6.1.1.3 ("Key-Pair Generation Using Extra Random
      Bits") in order to achieve conformance.
      
      SP800-56Arev3 specifies a lower as well as an upper bound on the generated
      key's length:
      - it must be >= two times the maximum supported security strength of
        the group in question and
      - it must be <= the length of the domain parameter Q.
      
      For any safe-prime group Q = (P - 1)/2 by definition and the individual
      maximum supported security strengths as specified by SP800-56Arev3 have
      been made available as part of the FFDHE dh_safe_prime definitions
      introduced with a previous patch. Make dh_safe_prime_gen_privkey() pick
      twice the maximum supported strength rounded up to the next power of two
      for the output key size. This choice respects both, the lower and upper
      bounds given by SP800-90Arev3 for any of the approved safe-prime groups and
      is also in line with the NVME base spec 2.0, which requires the key size to
      be >= 256bits.
      
      [1] https://lore.kernel.org/r/20211202152358.60116-1-hare@suse.deSigned-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1e207964
    • Nicolai Stange's avatar
      crypto: testmgr - add known answer tests for ffdheXYZ(dh) templates · 60a273e9
      Nicolai Stange authored
      Add known answer tests for the ffdhe2048(dh), ffdhe3072(dh), ffdhe4096(dh),
      ffdhe6144(dh) and ffdhe8192(dh) templates introduced with the previous
      patch to the testmgr. All TVs have been generated with OpenSSL.
      Signed-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      60a273e9
    • Nicolai Stange's avatar
      crypto: dh - implement ffdheXYZ(dh) templates · 7dce5981
      Nicolai Stange authored
      Current work on NVME in-band authentication support ([1]) needs to invoke
      DH with the FFDHE safe-prime group parameters specified in RFC 7919.
      
      Introduce a new CRYPTO_DH_RFC7919_GROUPS Kconfig option. If enabled, make
      dh_generic register a couple of ffdheXYZ(dh) templates, one for each group:
      ffdhe2048(dh), ffdhe3072(dh), ffdhe4096(dh), ffdhe6144(dh) and
      ffdhe8192(dh). Their respective ->set_secret() expects a (serialized)
      struct dh, just like the underlying "dh" implementation does, but with the
      P and G values unset so that the safe-prime constants for the given group
      can be filled in by the wrapping template.
      
      Internally, a struct dh_safe_prime instance is being defined for each of
      the ffdheXYZ(dh) templates as appropriate. In order to prepare for future
      key generation, fill in the maximum security strength values as specified
      by SP800-56Arev3 on the go, even though they're not needed at this point
      yet.
      
      Implement the respective ffdheXYZ(dh) crypto_template's ->create() by
      simply forwarding any calls to the __dh_safe_prime_create() helper
      introduced with the previous commit, passing the associated dh_safe_prime
      in addition to the received ->create() arguments.
      
      [1] https://lore.kernel.org/r/20211202152358.60116-1-hare@suse.deSigned-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7dce5981
    • Nicolai Stange's avatar
      crypto: dh - introduce common code for built-in safe-prime group support · d902981f
      Nicolai Stange authored
      Recent work on NVME in-band authentication support ([1]) needs to invoke
      the "dh" KPP with the FFDHE safe-prime group parameters as specified in
      RFC 7919 and generate ephemeral keys suitable for the respective group. By
      coincidence, the requirements from NIST SP800-56Arev3,
      sec. 5.5.2 ("Assurance of Domain-Parameter Validity") basically boil down
      to disallowing any group parameters not among the approved safe-prime
      groups specified in either RFC 7919 or RFC 3526 in FIPS mode. Furthermore,
      SP800-56Arev3 specifies the respective security strength for each of the
      approved safe-prime groups, which has a direct impact on the minimum key
      lengths.
      
      In this light, it's desirable to introduce built-in support for the
      RFC 7919 safe-prime groups to the kernel's DH implementation, provide a
      SP800-56Arev3 conforming key generation primitive for those and render
      non-approved group parameters unusable in FIPS mode on the way.
      
      As suggested ([2]) in the course of discussion to previous iterations of
      this patchset, the built-in support for ffdhe groups would be best made
      available in the form of templates wrapping the existing "dh"
      implementation, one for each group specified by RFC 7919: ffdhe2048(dh),
      ffdhe3072(dh), ffdhe4096(dh), ffdhe6144(dh) and ffdhe8192(dh). As these
      templates differ only in the safe-prime constants they'd configure the
      inner "dh" transforms with, they can share almost all of their
      "dh"-wrapping template implementation code.
      
      Introduce this common code to dh_generic. The actual dump of the RFC 7919
      safe-prime constants will be deferred to the next patch in order to
      facilitate review. The ephemeral key generation primitive mentioned above
      likewise deserves a patch on its own, as does the mechanism by which
      unapproved groups are rendered unusable in FIPS mode.
      
      Define a struct dh_safe_prime container for specifying the individual
      templates' associated safe-prime group constants. All ffdheXYZ(dh) template
      instances will store a pointer to such a dh_safe_prime in their context
      areas each. Implement the common __dh_safe_prime_create() template
      instantiation helper. The intention is that the individual ffdheXYZ(dh)
      crypto_templates' ->create() implementations will simply forward any calls
      to __dh_safe_prime_create(), passing a suitable dh_safe_prime in addition
      to the received ->create() arguments. __dh_safe_prime_create() would then
      create and register a kpp_instance as appropriate, storing the given
      dh_safe_prime pointer alongside a crypto_kpp_spawn for the inner "dh"
      kpp_alg in the context area.
      
      As the ffdheXYZ(dh) kpp_instances are supposed to act as proxies to the
      inner "dh" kpp_alg, make each of their associated crypto_kpp transforms to
      in turn own an inner "dh" transform, a pointer to which gets stored in the
      context area. Setup and teardown are getting handled from the outer
      ->init_tfm() and ->exit_tfm() respectively.
      
      In order to achieve the overall goal and let the ffdheXYZ(dh) kpp_instances
      configure the inner "dh" transforms with the respective group parameters,
      make their common ->set_secret(), the new dh_safe_prime_set_secret(), fill
      in the P and G values before forwarding the call to the inner "dh"'s
      ->set_secret(). Note that the outer ->set_secret() can obtain the P value
      associated with the given ffdheXYZ(dh) kpp_instance by means of the
      dh_safe_prime referenced from the latter's context. The value of G OTOH
      always equals constant 2 for the safe-prime groups.
      
      Finally, make the remaining two kpp_alg primitives both operating on
      kpp_requests, i.e. ->generate_public_key() and ->compute_shared_secret(),
      to merely forward any request to the inner "dh" implementation. However, a
      kpp_request instance received from the outside cannot get simply passed
      on as-is, because its associated transform (crypto_kpp_reqtfm()) will have
      been set to the outer ffdheXYZ(dh) one. In order to handle this, reserve
      some space in the outer ffdheXYZ(dh) kpp_requests' context areas for in
      turn storing an inner kpp_request suitable for "dh" each. Make the outer
      ->generate_public_key() and ->compute_shared_secret() respectively to setup
      this inner kpp_request by means of the new dh_safe_prime_prepare_dh_req()
      helper before handing it over to the "dh" implementation for further
      processing. dh_safe_prime_prepare_dh_req() basically copies the outer
      kpp_request received from the outside over to the inner one, but installs
      the inner transform and its own ->complete() proxy callback therein. This
      completion callback, the new dh_safe_prime_complete_req(), doesn't do
      anything beyond completing the outer request. Note that there exist some
      examples in crypto/, which would simply install the completion handler
      from the outer request at the inner one in similar setups, e.g. seqiv.
      However, this would mean that the user-provided completion handler won't
      get called with the address of the outer kpp_request initially submitted
      and the handler might not be prepared for this. Users could certainly work
      around this by setting the callback ->data properly, but IMO it's cleaner
      this way. Furthermore, it might make sense to extend
      dh_safe_prime_complete_req() in the future and move e.g. those
      post-computation FIPS checks from the generic "dh" implementation to the
      ffdheXYZ(dh) templates.
      
      [1] https://lore.kernel.org/r/20211202152358.60116-1-hare@suse.de
      [2] https://lore.kernel.org/r/20211217055227.GA20698@gondor.apana.org.auSigned-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d902981f
    • Nicolai Stange's avatar
      crypto: dh - split out deserialization code from crypto_dh_decode() · fae19893
      Nicolai Stange authored
      A subsequent commit will introduce "dh" wrapping templates of the form
      "ffdhe2048(dh)", "ffdhe3072(dh)" and so on in order to provide built-in
      support for the well-known safe-prime ffdhe group parameters specified in
      RFC 7919.
      
      Those templates' ->set_secret() will wrap the inner "dh" implementation's
      ->set_secret() and set the ->p and ->g group parameters as appropriate on
      the way inwards. More specifically,
      - A ffdheXYZ(dh) user would call crypto_dh_encode() on a struct dh instance
        having ->p == ->g == NULL as well as ->p_size == ->g_size == 0 and pass
        the resulting buffer to the outer ->set_secret().
      - This outer ->set_secret() would then decode the struct dh via
        crypto_dh_decode_key(), set ->p, ->g, ->p_size as well as ->g_size as
        appropriate for the group in question and encode the struct dh again
        before passing it further down to the inner "dh"'s ->set_secret().
      
      The problem is that crypto_dh_decode_key() implements some basic checks
      which would reject parameter sets with ->p_size == 0 and thus, the ffdheXYZ
      templates' ->set_secret() cannot use it as-is for decoding the passed
      buffer. As the inner "dh"'s ->set_secret() will eventually conduct said
      checks on the final parameter set anyway, the outer ->set_secret() really
      only needs the decoding functionality.
      
      Split out the pure struct dh decoding part from crypto_dh_decode_key() into
      the new __crypto_dh_decode_key().
      
      __crypto_dh_decode_key() gets defined in crypto/dh_helper.c, but will have
      to get called from crypto/dh.c and thus, its declaration must be somehow
      made available to the latter. Strictly speaking, __crypto_dh_decode_key()
      is internal to the dh_generic module, yet it would be a bit over the top
      to introduce a new header like e.g. include/crypto/internal/dh.h
      containing just a single prototype. Add the __crypto_dh_decode_key()
      declaration to include/crypto/dh.h instead.
      
      Provide a proper kernel-doc annotation, even though
      __crypto_dh_decode_key() is purposedly not on the function list specified
      in Documentation/crypto/api-kpp.rst.
      Signed-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      fae19893
    • Nicolai Stange's avatar
      crypto: dh - constify struct dh's pointer members · 215bebc8
      Nicolai Stange authored
      struct dh contains several pointer members corresponding to DH parameters:
      ->key, ->p and ->g. A subsequent commit will introduce "dh" wrapping
      templates of the form "ffdhe2048(dh)", "ffdhe3072(dh)" and so on in order
      to provide built-in support for the well-known safe-prime ffdhe group
      parameters specified in RFC 7919. These templates will need to set the
      group parameter related members of the (serialized) struct dh instance
      passed to the inner "dh" kpp_alg instance, i.e. ->p and ->g, to some
      constant, static storage arrays.
      
      Turn the struct dh pointer members' types into "pointer to const" in
      preparation for this.
      Signed-off-by: default avatarNicolai Stange <nstange@suse.de>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      215bebc8