1. 18 Apr, 2019 34 commits
  2. 16 Apr, 2019 1 commit
  3. 15 Apr, 2019 2 commits
  4. 08 Apr, 2019 3 commits
    • Eric Biggers's avatar
      crypto: testmgr - add panic_on_fail module parameter · eda69b0c
      Eric Biggers authored
      Add a module parameter cryptomgr.panic_on_fail which causes the kernel
      to panic if any crypto self-tests fail.
      
      Use cases:
      
      - More easily detect crypto self-test failures by boot testing,
        e.g. on KernelCI.
      - Get a bug report if syzkaller manages to use the template system to
        instantiate an algorithm that fails its self-tests.
      
      The command-line option "fips=1" already does this, but it also makes
      other changes not wanted for general testing, such as disabling
      "unapproved" algorithms.  panic_on_fail just does what it says.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      eda69b0c
    • Eric Biggers's avatar
      crypto: arm64/cbcmac - handle empty messages in same way as template · f6e9af87
      Eric Biggers authored
      My patches to make testmgr fuzz algorithms against their generic
      implementation detected that the arm64 implementations of "cbcmac(aes)"
      handle empty messages differently from the cbcmac template.  Namely, the
      arm64 implementations return the encrypted initial value, but the cbcmac
      template returns the initial value directly.
      
      This isn't actually a meaningful case because any user of cbcmac needs
      to prepend the message length, as CCM does; otherwise it's insecure.
      However, we should keep the behavior consistent; at the very least this
      makes testing easier.
      
      Do it the easy way, which is to change the arm64 implementations to have
      the same behavior as the cbcmac template.
      
      For what it's worth, ghash does things essentially the same way: it
      returns its initial value when given an empty message, even though in
      practice ghash is never passed an empty message.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f6e9af87
    • Eric Biggers's avatar
      crypto: cts - don't support empty messages · c31a8719
      Eric Biggers authored
      My patches to make testmgr fuzz algorithms against their generic
      implementation detected that the arm64 implementations of
      "cts(cbc(aes))" handle empty messages differently from the cts template.
      Namely, the arm64 implementations forbids (with -EINVAL) all messages
      shorter than the block size, including the empty message; but the cts
      template permits empty messages as a special case.
      
      No user should be CTS-encrypting/decrypting empty messages, but we need
      to keep the behavior consistent.  Unfortunately, as noted in the source
      of OpenSSL's CTS implementation [1], there's no common specification for
      CTS.  This makes it somewhat debatable what the behavior should be.
      
      However, all CTS specifications seem to agree that messages shorter than
      the block size are not allowed, and OpenSSL follows this in both CTS
      conventions it implements.  It would also simplify the user-visible
      semantics to have empty messages no longer be a special case.
      
      Therefore, make the cts template return -EINVAL on *all* messages
      shorter than the block size, including the empty message.
      
      [1] https://github.com/openssl/openssl/blob/master/crypto/modes/cts128.cSigned-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c31a8719