- 25 Apr, 2019 37 commits
-
-
Gilad Ben-Yossef authored
We were computing the size of the import buffer based on the digest size but the 318 and 224 byte variants use 512 and 256 bytes internal state sizes respectfully, thus causing the import buffer to overrun. Fix it by using the right sizes. Signed-off-by:
Gilad Ben-Yossef <gilad@benyossef.com> Cc: stable@vger.kernel.org # v4.19+ Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au>
-
Gilad Ben-Yossef authored
We were trying to be clever zapping out of the cache only the required length out of scatter list on AEAD request completion and getting it wrong. As Knuth said: "when in douby, use brute force". Zap the whole length of the scatter list. Signed-off-by:
-
Gilad Ben-Yossef authored
Fix some scatter list interation code was not handling scatter lists being shorter than expected in a graceful manner. Signed-off-by:
-
Gilad Ben-Yossef authored
We were mangling the request struct assoclen field. Fix it by keeping an internal version and working on it. Signed-off-by:
-
Gilad Ben-Yossef authored
The function cc_prepare_aead_data_dlli() which calculates ICV addresses was needlessly complicate it. This patch simplifies it without altering its functionality. Signed-off-by:
-
Gilad Ben-Yossef authored
The code detecting whether the ICV is fragmented was overly complex and limited the number of fragments an ICV may be comprised of with no reason in the current code, casuing the new testmgr tests to fail. This patch removes this legacy limitation and greatly simplifies the code. Signed-off-by:
-
Gilad Ben-Yossef authored
Remove unused definitions from AEAD driver code. Signed-off-by:
-
Gilad Ben-Yossef authored
When we are given a 0 sized cryptlen and assoclen in a scatterlist with two entries we were falsely trying to create a zero length MLLI table, causing the HW to choke. Don't try to copy a zero sized MLLI table. Signed-off-by:
-
Gilad Ben-Yossef authored
We did not zero out the internal struct before use causing problem in some rare error code paths. Signed-off-by:
-
Gilad Ben-Yossef authored
This sacrificial copyright header update is offered to the legal department as atonement for any changes made in this driver files in the course of the current year which have not been duly recorded as such. Signed-off-by:
-
Gilad Ben-Yossef authored
Move to use the std api sg_nents_for_len() when we do not in fact require the extra information about the number of bytes in the last entry provided by the in-driver variant cc_get_sgl_nents(). This also resolves a Coverity warning cause by us not using the output value. Signed-off-by:
-
Gilad Ben-Yossef authored
Move some remaining device data allocation to the safer devm_* interface. Signed-off-by:
-
Gilad Ben-Yossef authored
Fix a memory leak on the error path of IV generation code. Signed-off-by:
-
Gilad Ben-Yossef authored
Fix a typo in debugfs interface error path which can result in a panic following a memory allocation failure. Signed-off-by:
-
Gilad Ben-Yossef authored
We were handling chained scattergather lists with specialized code needlessly as the regular sg APIs handle them just fine. The code handling this also had an (unused) code path with a use-before-init error, flagged by Coverity. Remove all special handling of chained sg and leave their handling to the regular sg APIs. Signed-off-by:
-
Gilad Ben-Yossef authored
Use proper hash callback completion API instead of open coding it. Signed-off-by:
-
Gilad Ben-Yossef authored
We were doing backlog notification callbacks via a cipher/hash/aead request structure cast to the base structure, which may or may not work based on how the structure is laid in memory and is not safe. Fix it by delegating the backlog notification to the appropriate internal callbacks which are type aware. Signed-off-by:
-
Gilad Ben-Yossef authored
The new HW uses a new standard product and component ID registers replacing the old ad-hoc version and signature gister schemes. Update the driver to support the new HW ID registers. Signed-off-by:
-
Gilad Ben-Yossef authored
We were computing the next IV in software instead of reading it from HW on the premise that this can be quicker due to the small size of IVs but this proved to be much more hassle and bug ridden than expected. Move to reading the next IV as computed by the HW. This fixes a number of issue with next IV being wrong for OFB, CTS-CBC and probably most of the other ciphers as well. Signed-off-by:
-
Gilad Ben-Yossef authored
Adapt the CPP descriptor to new HW interface. Signed-off-by:
-
Gilad Ben-Yossef authored
Add the registration for the SM4 based policy protected keys ciphers. Signed-off-by:
-
Gilad Ben-Yossef authored
Add the missing logic to set usage policy protections for keys. This enables key policy protection for AES. Signed-off-by:
-
Gilad Ben-Yossef authored
Add the logic needed to track and report CPP operation rejection. The new logic will be used by the CPP feature introduced later. Signed-off-by:
-
Gilad Ben-Yossef authored
Add support for the Security Disabled mode under which only pure cryptographic functionality is enabled and protected keys services are unavailable. Signed-off-by:
-
Gilad Ben-Yossef authored
Refactor to move the descriptor copying the MLLI line to SRAM to before the key loading descriptor in preparation to the introduction of CPP later on. Signed-off-by:
-
Gilad Ben-Yossef authored
Refactor the descriptor setup code in order to move the key loading descriptor to one before last position. This has no effect on current functionality but is needed for later support of Content Protection Policy keys. Signed-off-by:
-
Gilad Ben-Yossef authored
Mark sm4 and missing aes using protected keys which are indetical to same algs with no HW protected keys as tested. Signed-off-by:
-
Corentin Labbe authored
sun4i-ss does not handle requests when length are not a multiple of blocksize. This patch adds a fallback for that case. Fixes: 6298e948 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") Signed-off-by:
Corentin Labbe <clabbe.montjoie@gmail.com> Signed-off-by:
-
Corentin Labbe authored
When nbytes < 4, end is wronlgy set to a negative value which, due to uint, is then interpreted to a large value leading to a deadlock in the following code. This patch fix this problem. Fixes: 6298e948 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") Signed-off-by:
-
Corentin Labbe authored
ECB algos does not need IV. Fixes: 6298e948 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") Signed-off-by:
-
Corentin Labbe authored
This patch remove the test against areq->info since sun4i-ss could work without it (ECB). Fixes: 6298e948 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") Signed-off-by:
-
Nagadheeraj Rottela authored
This patch fixes the NITROX-V family part name format. The fix includes ZIP core performance (feature option) in the part name to differentiate various HW devices. The complete HW part name format is mentioned below Part name: CNN55<core option>-<freq>BG676-<feature option>-<rev> Signed-off-by:
Nagadheeraj Rottela <rnagadheeraj@marvell.com> Reviewed-by:
Srikanth Jampala <jsrikanth@marvell.com> Signed-off-by:
-
Horia Geantă authored
GCM detection logic has to change for two reasons: -some CAAM instantiations with Era < 10, even though they have AES LP, they now support GCM mode -Era 10 upwards, there is a dedicated bit in AESA_VERSION[AESA_MISC] field for GCM support For Era 9 and earlier, all AES accelerator versions support GCM, except for AES LP (CHAVID_LS[AESVID]=3) with revision CRNR[AESRN] < 8. For Era 10 and later, bit 9 of the AESA_VERSION register should be used to detect GCM support in AES accelerator. Note: caam/qi and caam/qi2 are drivers for QI (Queue Interface), which is used in DPAA-based SoCs; for now, we rely on CAAM having an AES HP and this AES accelerator having support for GCM. Signed-off-by:
Horia Geantă <horia.geanta@nxp.com> Reviewed-by:
Iuliana Prodan <iuliana.prodan@nxp.com> Signed-off-by:
-
Colin Ian King authored
There is a spelling mistake in an error message in the qi_error_list array. Fix this. Signed-off-by:
Colin Ian King <colin.king@canonical.com> Reviewed-by:
Mukesh Ojha <mojha@codeaurora.org> Signed-off-by:
-
Eric Biggers authored
The flags field in 'struct shash_desc' never actually does anything. The only ostensibly supported flag is CRYPTO_TFM_REQ_MAY_SLEEP. However, no shash algorithm ever sleeps, making this flag a no-op. With this being the case, inevitably some users who can't sleep wrongly pass MAY_SLEEP. These would all need to be fixed if any shash algorithm actually started sleeping. For example, the shash_ahash_*() functions, which wrap a shash algorithm with the ahash API, pass through MAY_SLEEP from the ahash API to the shash API. However, the shash functions are called under kmap_atomic(), so actually they're assumed to never sleep. Even if it turns out that some users do need preemption points while hashing large buffers, we could easily provide a helper function crypto_shash_update_large() which divides the data into smaller chunks and calls crypto_shash_update() and cond_resched() for each chunk. It's not necessary to have a flag in 'struct shash_desc', nor is it necessary to make individual shash algorithms aware of this at all. Therefore, remove shash_desc::flags, and document that the crypto_shash_*() functions can be called from any context. Signed-off-by:
Eric Biggers <ebiggers@google.com> Signed-off-by:
-
Eric Biggers authored
The nx driver uses the MAY_SLEEP flag in shash_desc::flags as an indicator to not retry sending the operation to the hardware as many times before returning -EBUSY. This is bogus because (1) that's not what the MAY_SLEEP flag is for, and (2) the shash API doesn't allow failing if the hardware is busy anyway. For now, just make it always retry the larger number of times. This doesn't actually fix this driver, but it at least makes it not use the shash_desc::flags field anymore. Then this field can be removed, as no other drivers use it. Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by:
-
Eric Biggers authored
The crypto_yield() in shash_ahash_digest() occurs after the entire digest operation already happened, so there's no real point. Remove it. Signed-off-by:
-
- 19 Apr, 2019 2 commits
-
-
Eric Biggers authored
CCM instances can be created by either the "ccm" template, which only allows choosing the block cipher, e.g. "ccm(aes)"; or by "ccm_base", which allows choosing the ctr and cbcmac implementations, e.g. "ccm_base(ctr(aes-generic),cbcmac(aes-generic))". However, a "ccm_base" instance prevents a "ccm" instance from being registered using the same implementations. Nor will the instance be found by lookups of "ccm". This can be used as a denial of service. Moreover, "ccm_base" instances are never tested by the crypto self-tests, even if there are compatible "ccm" tests. The root cause of these problems is that instances of the two templates use different cra_names. Therefore, fix these problems by making "ccm_base" instances set the same cra_name as "ccm" instances, e.g. "ccm(aes)" instead of "ccm_base(ctr(aes-generic),cbcmac(aes-generic))". This requires extracting the block cipher name from the name of the ctr and cbcmac algorithms. It also requires starting to verify that the algorithms are really ctr and cbcmac using the same block cipher, not something else entirely. But it would be bizarre if anyone were actually using non-ccm-compatible algorithms with ccm_base, so this shouldn't break anyone in practice. Fixes: 4a49b499 ("[CRYPTO] ccm: Added CCM mode") Cc: stable@vger.kernel.org Signed-off-by:
-
Eric Biggers authored
GCM instances can be created by either the "gcm" template, which only allows choosing the block cipher, e.g. "gcm(aes)"; or by "gcm_base", which allows choosing the ctr and ghash implementations, e.g. "gcm_base(ctr(aes-generic),ghash-generic)". However, a "gcm_base" instance prevents a "gcm" instance from being registered using the same implementations. Nor will the instance be found by lookups of "gcm". This can be used as a denial of service. Moreover, "gcm_base" instances are never tested by the crypto self-tests, even if there are compatible "gcm" tests. The root cause of these problems is that instances of the two templates use different cra_names. Therefore, fix these problems by making "gcm_base" instances set the same cra_name as "gcm" instances, e.g. "gcm(aes)" instead of "gcm_base(ctr(aes-generic),ghash-generic)". This requires extracting the block cipher name from the name of the ctr algorithm. It also requires starting to verify that the algorithms are really ctr and ghash, not something else entirely. But it would be bizarre if anyone were actually using non-gcm-compatible algorithms with gcm_base, so this shouldn't break anyone in practice. Fixes: d00aa19b ("[CRYPTO] gcm: Allow block cipher parameter") Cc: stable@vger.kernel.org Signed-off-by:
-
- 18 Apr, 2019 1 commit
-
-
Eric Biggers authored
shash_ahash_digest(), which is the ->digest() method for ahash tfms that use an shash algorithm, has an optimization where crypto_shash_digest() is called if the data is in a single page. But an off-by-one error prevented this path from being taken unless the user happened to provide extra data in the scatterlist. Fix it. Signed-off-by:
-
