summaryrefslogtreecommitdiff
path: root/include/crypto (follow)
Commit message (Collapse)AuthorAge
* FROMGIT: crypto: speck - export common helpersEric Biggers2018-02-23
| | | | | | | | | | | | | | | | | Export the Speck constants and transform context and the ->setkey(), ->encrypt(), and ->decrypt() functions so that they can be reused by the ARM NEON implementation of Speck-XTS. The generic key expansion code will be reused because it is not performance-critical and is not vectorizable, while the generic encryption and decryption functions are needed as fallbacks and for the XTS tweak encryption. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> (cherry picked from commit c8c36413ca8ccbf7a0afe71247fc4617ee2dfcfe git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master) Change-Id: I93e96e1ef40de7071af212146b8ad3bf45297c1d Signed-off-by: Eric Biggers <ebiggers@google.com>
* Merge 4.4.116 into android-4.4Greg Kroah-Hartman2018-02-20
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.116 powerpc/bpf/jit: Disable classic BPF JIT on ppc64le powerpc/64: Fix flush_(d|i)cache_range() called from modules powerpc: Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC powerpc: Simplify module TOC handling powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper powerpc/64: Add macros for annotating the destination of rfid/hrfid powerpc/64s: Simple RFI macro conversions powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL powerpc/64s: Add support for RFI flush of L1-D cache powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti powerpc/pseries: Query hypervisor for RFI flush settings powerpc/powernv: Check device-tree for RFI flush settings powerpc/64s: Wire up cpu_show_meltdown() powerpc/64s: Allow control of RFI flush via debugfs ASoC: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE usbip: vhci_hcd: clear just the USB_PORT_STAT_POWER bit usbip: fix 3eee23c3ec14 tcp_socket address still in the status file net: cdc_ncm: initialize drvflags before usage ASoC: simple-card: Fix misleading error message ASoC: rsnd: don't call free_irq() on Parent SSI ASoC: rsnd: avoid duplicate free_irq() drm: rcar-du: Use the VBK interrupt for vblank events drm: rcar-du: Fix race condition when disabling planes at CRTC stop x86/asm: Fix inline asm call constraints for GCC 4.4 ip6mr: fix stale iterator net: igmp: add a missing rcu locking section qlcnic: fix deadlock bug r8169: fix RTL8168EP take too long to complete driver initialization. tcp: release sk_frag.page in tcp_disconnect vhost_net: stop device during reset owner media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE KEYS: encrypted: fix buffer overread in valid_master_desc() don't put symlink bodies in pagecache into highmem crypto: tcrypt - fix S/G table for test_aead_speed() x86/microcode/AMD: Do not load when running on a hypervisor x86/microcode: Do the family check first powerpc/pseries: include linux/types.h in asm/hvcall.h cifs: Fix missing put_xid in cifs_file_strict_mmap cifs: Fix autonegotiate security settings mismatch CIFS: zero sensitive data when freeing dmaengine: dmatest: fix container_of member in dmatest_callback x86/kaiser: fix build error with KASAN && !FUNCTION_GRAPH_TRACER kaiser: fix compile error without vsyscall netfilter: nf_queue: Make the queue_handler pernet posix-timer: Properly check sigevent->sigev_notify usb: gadget: uvc: Missing files for configfs interface sched/rt: Use container_of() to get root domain in rto_push_irq_work_func() sched/rt: Up the root domain ref count when passing it around via IPIs dccp: CVE-2017-8824: use-after-free in DCCP code media: dvb-usb-v2: lmedm04: Improve logic checking of warm start media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner mtd: cfi: convert inline functions to macros mtd: nand: brcmnand: Disable prefetch by default mtd: nand: Fix nand_do_read_oob() return value mtd: nand: sunxi: Fix ECC strength choice ubi: block: Fix locking for idr_alloc/idr_remove nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds NFS: Add a cond_resched() to nfs_commit_release_pages() NFS: commit direct writes even if they fail partially NFS: reject request for id_legacy key without auxdata kernfs: fix regression in kernfs_fop_write caused by wrong type ahci: Annotate PCI ids for mobile Intel chipsets as such ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI ahci: Add Intel Cannon Lake PCH-H PCI ID crypto: hash - introduce crypto_hash_alg_has_setkey() crypto: cryptd - pass through absence of ->setkey() crypto: poly1305 - remove ->setkey() method nsfs: mark dentry with DCACHE_RCUACCESS media: v4l2-ioctl.c: don't copy back the result for -ENOTTY vb2: V4L2_BUF_FLAG_DONE is set after DQBUF media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF media: v4l2-compat-ioctl32.c: fix the indentation media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32 media: v4l2-compat-ioctl32.c: avoid sizeof(type) media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic crypto: caam - fix endless loop when DECO acquire fails arm: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls KVM: nVMX: Fix races when sending nested PI while dest enters/leaves L2 watchdog: imx2_wdt: restore previous timeout after suspend+resume media: ts2020: avoid integer overflows on 32 bit machines media: cxusb, dib0700: ignore XC2028_I2C_FLUSH kernel/async.c: revert "async: simplify lowest_in_progress()" HID: quirks: Fix keyboard + touchpad on Toshiba Click Mini not working Bluetooth: btsdio: Do not bind to non-removable BCM43341 Revert "Bluetooth: btusb: fix QCA Rome suspend/resume" Bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten" version signal/openrisc: Fix do_unaligned_access to send the proper signal signal/sh: Ensure si_signo is initialized in do_divide_error alpha: fix crash if pthread_create races with signal delivery alpha: fix reboot on Avanti platform xtensa: fix futex_atomic_cmpxchg_inatomic EDAC, octeon: Fix an uninitialized variable warning pktcdvd: Fix pkt_setup_dev() error path btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker nvme: Fix managing degraded controllers ACPI: sbshc: remove raw pointer from printk() message ovl: fix failure to fsync lower dir mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy ftrace: Remove incorrect setting of glob search field Linux 4.4.116 Change-Id: Id000cb8d59b74de063902e9ad24dd07fe1b1694b Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * crypto: poly1305 - remove ->setkey() methodEric Biggers2018-02-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit a16e772e664b9a261424107784804cffc8894977 upstream. Since Poly1305 requires a nonce per invocation, the Linux kernel implementations of Poly1305 don't use the crypto API's keying mechanism and instead expect the key and nonce as the first 32 bytes of the data. But ->setkey() is still defined as a stub returning an error code. This prevents Poly1305 from being used through AF_ALG and will also break it completely once we start enforcing that all crypto API users (not just AF_ALG) call ->setkey() if present. Fix it by removing crypto_poly1305_setkey(), leaving ->setkey as NULL. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * crypto: hash - introduce crypto_hash_alg_has_setkey()Eric Biggers2018-02-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit cd6ed77ad5d223dc6299fb58f62e0f5267f7e2ba upstream. Templates that use an shash spawn can use crypto_shash_alg_has_setkey() to determine whether the underlying algorithm requires a key or not. But there was no corresponding function for ahash spawns. Add it. Note that the new function actually has to support both shash and ahash algorithms, since the ahash API can be used with either. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge 4.4.109 into android-4.4Greg Kroah-Hartman2018-01-02
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.109 ACPI: APEI / ERST: Fix missing error handling in erst_reader() crypto: mcryptd - protect the per-CPU queue with a lock mfd: cros ec: spi: Don't send first message too soon mfd: twl4030-audio: Fix sibling-node lookup mfd: twl6040: Fix child-node lookup ALSA: rawmidi: Avoid racy info ioctl via ctl device ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU PCI / PM: Force devices to D0 in pci_pm_thaw_noirq() parisc: Hide Diva-built-in serial aux and graphics card spi: xilinx: Detect stall with Unknown commands KVM: X86: Fix load RFLAGS w/o the fixed bit kvm: x86: fix RSM when PCID is non-zero powerpc/perf: Dereference BHRB entries safely net: mvneta: clear interface link status on port disable tracing: Remove extra zeroing out of the ring buffer page tracing: Fix possible double free on failure of allocating trace buffer tracing: Fix crash when it fails to alloc ring buffer ring-buffer: Mask out the info bits when returning buffer page length iw_cxgb4: Only validate the MSN for successful completions ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure ASoC: twl4030: fix child-node lookup ALSA: hda: Drop useless WARN_ON() ALSA: hda - fix headset mic detection issue on a Dell machine x86/vm86/32: Switch to flush_tlb_mm_range() in mark_screen_rdonly() x86/mm: Remove flush_tlb() and flush_tlb_current_task() x86/mm: Make flush_tlb_mm_range() more predictable x86/mm: Reimplement flush_tlb_page() using flush_tlb_mm_range() x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code x86/mm: Disable PCID on 32-bit kernels x86/mm: Add the 'nopcid' boot option to turn off PCID x86/mm: Enable CR4.PCIDE on supported systems x86/mm/64: Fix reboot interaction with CR4.PCIDE kbuild: add '-fno-stack-check' to kernel build options ipv4: igmp: guard against silly MTU values ipv6: mcast: better catch silly mtu values net: igmp: Use correct source address on IGMPv3 reports netlink: Add netns check on taps net: qmi_wwan: add Sierra EM7565 1199:9091 net: reevalulate autoflowlabel setting after sysctl setting tcp md5sig: Use skb's saddr when replying to an incoming segment tg3: Fix rx hang on MTU change with 5717/5719 net: ipv4: fix for a race condition in raw_sendmsg net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case sctp: Replace use of sockets_allocated with specified macro. ipv4: Fix use-after-free when flushing FIB tables net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks net: Fix double free and memory corruption in get_net_ns_by_id() net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround sock: free skb in skb_complete_tx_timestamp on error usbip: fix usbip bind writing random string after command in match_busid usbip: stub: stop printing kernel pointer addresses in messages usbip: vhci: stop printing kernel pointer addresses in messages USB: serial: ftdi_sio: add id for Airbus DS P8GR USB: serial: qcserial: add Sierra Wireless EM7565 USB: serial: option: add support for Telit ME910 PID 0x1101 USB: serial: option: adding support for YUGA CLM920-NC5 usb: Add device quirk for Logitech HD Pro Webcam C925e usb: add RESET_RESUME for ELSA MicroLink 56K USB: Fix off by one in type-specific length check of BOS SSP capability usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201 nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick() x86/smpboot: Remove stale TLB flush invocations n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD) mm/vmstat: Make NR_TLB_REMOTE_FLUSH_RECEIVED available even on UP Linux 4.4.109 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * crypto: mcryptd - protect the per-CPU queue with a lockSebastian Andrzej Siewior2018-01-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 9abffc6f2efe46c3564c04312e52e07622d40e51 upstream. mcryptd_enqueue_request() grabs the per-CPU queue struct and protects access to it with disabled preemption. Then it schedules a worker on the same CPU. The worker in mcryptd_queue_worker() guards access to the same per-CPU variable with disabled preemption. If we take CPU-hotplug into account then it is possible that between queue_work_on() and the actual invocation of the worker the CPU goes down and the worker will be scheduled on _another_ CPU. And here the preempt_disable() protection does not work anymore. The easiest thing is to add a spin_lock() to guard access to the list. Another detail: mcryptd_queue_worker() is not processing more than MCRYPTD_BATCH invocation in a row. If there are still items left, then it will invoke queue_work() to proceed with more later. *I* would suggest to simply drop that check because it does not use a system workqueue and the workqueue is already marked as "CPU_INTENSIVE". And if preemption is required then the scheduler should do it. However if queue_work() is used then the work item is marked as CPU unbound. That means it will try to run on the local CPU but it may run on another CPU as well. Especially with CONFIG_DEBUG_WQ_FORCE_RR_CPU=y. Again, the preempt_disable() won't work here but lock which was introduced will help. In order to keep work-item on the local CPU (and avoid RR) I changed it to queue_work_on(). Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge 4.4.107 into android-4.4Greg Kroah-Hartman2017-12-20
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.107 crypto: hmac - require that the underlying hash algorithm is unkeyed crypto: salsa20 - fix blkcipher_walk API usage autofs: fix careless error in recent commit tracing: Allocate mask_str buffer dynamically USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID USB: core: prevent malicious bNumInterfaces overflow usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer ceph: drop negative child dentries before try pruning inode's alias Bluetooth: btusb: driver to enable the usb-wakeup feature xhci: Don't add a virt_dev to the devs array before it's fully allocated sched/rt: Do not pull from current CPU if only one CPU to pull dmaengine: dmatest: move callback wait queue to thread context ext4: fix fdatasync(2) after fallocate(2) operation ext4: fix crash when a directory's i_size is too small KEYS: add missing permission check for request_key() destination mac80211: Fix addition of mesh configuration element usb: phy: isp1301: Add OF device ID table md-cluster: free md_cluster_info if node leave cluster userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE userfaultfd: selftest: vm: allow to build in vm/ directory net: initialize msg.msg_flags in recvfrom net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values net: bcmgenet: correct MIB access of UniMAC RUNT counters net: bcmgenet: reserved phy revisions must be checked first net: bcmgenet: power down internal phy if open or resume fails net: bcmgenet: Power up the internal PHY before probing the MII NFSD: fix nfsd_minorversion(.., NFSD_AVAIL) NFSD: fix nfsd_reset_versions for NFSv4. Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list drm/omap: fix dmabuf mmap for dma_alloc'ed buffers netfilter: bridge: honor frag_max_size when refragmenting writeback: fix memory leak in wb_queue_work() net: wimax/i2400m: fix NULL-deref at probe dmaengine: Fix array index out of bounds warning in __get_unmap_pool() net: Resend IGMP memberships upon peer notification. mlxsw: reg: Fix SPVM max record count mlxsw: reg: Fix SPVMLR max record count intel_th: pci: Add Gemini Lake support openrisc: fix issue handling 8 byte get_user calls scsi: hpsa: update check for logical volume status scsi: hpsa: limit outstanding rescans fjes: Fix wrong netdevice feature flags drm/radeon/si: add dpm quirk for Oland sched/deadline: Make sure the replenishment timer fires in the next period sched/deadline: Throttle a constrained deadline task activated after the deadline sched/deadline: Use deadline instead of period when calculating overflow mmc: mediatek: Fixed bug where clock frequency could be set wrong drm/radeon: reinstate oland workaround for sclk afs: Fix missing put_page() afs: Populate group ID from vnode status afs: Adjust mode bits processing afs: Flush outstanding writes when an fd is closed afs: Migrate vlocation fields to 64-bit afs: Prevent callback expiry timer overflow afs: Fix the maths in afs_fs_store_data() afs: Populate and use client modification time afs: Fix page leak in afs_write_begin() afs: Fix afs_kill_pages() net/mlx4_core: Avoid delays during VF driver device shutdown perf symbols: Fix symbols__fixup_end heuristic for corner cases efi/esrt: Cleanup bad memory map log messages NFSv4.1 respect server's max size in CREATE_SESSION btrfs: add missing memset while reading compressed inline extents target: Use system workqueue for ALUA transitions target: fix ALUA transition timeout handling target: fix race during implicit transition work flushes sfc: don't warn on successful change of MAC fbdev: controlfb: Add missing modes to fix out of bounds access video: udlfb: Fix read EDID timeout video: fbdev: au1200fb: Release some resources if a memory allocation fails video: fbdev: au1200fb: Return an error code if a memory allocation fails rtc: pcf8563: fix output clock rate dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type PCI/PME: Handle invalid data when reading Root Status powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo netfilter: ipvs: Fix inappropriate output of procfs powerpc/opal: Fix EBUSY bug in acquiring tokens powerpc/ipic: Fix status get and status clear target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd() iscsi-target: fix memory leak in lio_target_tiqn_addtpg() target:fix condition return in core_pr_dump_initiator_port() target/file: Do not return error for UNMAP if length is zero arm-ccn: perf: Prevent module unload while PMU is in use crypto: tcrypt - fix buffer lengths in test_aead_speed() mm: Handle 0 flags in _calc_vm_trans() macro clk: mediatek: add the option for determining PLL source clock clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU clk: tegra: Fix cclk_lp divisor register ppp: Destroy the mutex when cleanup thermal/drivers/step_wise: Fix temperature regulation misbehavior GFS2: Take inode off order_write list when setting jdata flag bcache: explicitly destroy mutex while exiting bcache: fix wrong cache_misses statistics l2tp: cleanup l2tp_tunnel_delete calls xfs: fix log block underflow during recovery cycle verification xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real PCI: Detach driver before procfs & sysfs teardown on device remove scsi: hpsa: cleanup sas_phy structures in sysfs when unloading scsi: hpsa: destroy sas transport properties before scsi_host powerpc/perf/hv-24x7: Fix incorrect comparison in memord tty fix oops when rmmod 8250 usb: musb: da8xx: fix babble condition handling pinctrl: adi2: Fix Kconfig build problem raid5: Set R5_Expanded on parity devices as well as data. scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend scsi: sd: change manage_start_stop to bool in sysfs interface scsi: sd: change allow_restart to bool in sysfs interface scsi: bfa: integer overflow in debugfs udf: Avoid overflow when session starts at large offset macvlan: Only deliver one copy of the frame to the macvlan interface RDMA/cma: Avoid triggering undefined behavior IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop ath9k: fix tx99 potential info leak Linux 4.4.107 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * crypto: hmac - require that the underlying hash algorithm is unkeyedEric Biggers2017-12-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1 upstream. Because the HMAC template didn't check that its underlying hash algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))" through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC being used without having been keyed, resulting in sha3_update() being called without sha3_init(), causing a stack buffer overflow. This is a very old bug, but it seems to have only started causing real problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3) because the innermost hash's state is ->import()ed from a zeroed buffer, and it just so happens that other hash algorithms are fine with that, but SHA-3 is not. However, there could be arch or hardware-dependent hash algorithms also affected; I couldn't test everything. Fix the bug by introducing a function crypto_shash_alg_has_setkey() which tests whether a shash algorithm is keyed. Then update the HMAC template to require that its underlying hash algorithm is unkeyed. Here is a reproducer: #include <linux/if_alg.h> #include <sys/socket.h> int main() { int algfd; struct sockaddr_alg addr = { .salg_type = "hash", .salg_name = "hmac(hmac(sha3-512-generic))", }; char key[4096] = { 0 }; algfd = socket(AF_ALG, SOCK_SEQPACKET, 0); bind(algfd, (const struct sockaddr *)&addr, sizeof(addr)); setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key)); } Here was the KASAN report from syzbot: BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341 [inline] BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161 Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044 CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x25b/0x340 mm/kasan/report.c:409 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x137/0x190 mm/kasan/kasan.c:267 memcpy+0x37/0x50 mm/kasan/kasan.c:303 memcpy include/linux/string.h:341 [inline] sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161 crypto_shash_update+0xcb/0x220 crypto/shash.c:109 shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151 crypto_shash_finup+0xc4/0x120 crypto/shash.c:165 hmac_finup+0x182/0x330 crypto/hmac.c:152 crypto_shash_finup+0xc4/0x120 crypto/shash.c:165 shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172 crypto_shash_digest+0xc4/0x120 crypto/shash.c:186 hmac_setkey+0x36a/0x690 crypto/hmac.c:66 crypto_shash_setkey+0xad/0x190 crypto/shash.c:64 shash_async_setkey+0x47/0x60 crypto/shash.c:207 crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200 hash_setkey+0x40/0x90 crypto/algif_hash.c:446 alg_setkey crypto/af_alg.c:221 [inline] alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254 SYSC_setsockopt net/socket.c:1851 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1830 entry_SYSCALL_64_fastpath+0x1f/0x96 Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge 4.4.63 into android-4.4Greg Kroah-Hartman2017-04-21
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.63: cgroup, kthread: close race window where new kthreads can be migrated to non-root cgroups thp: fix MADV_DONTNEED vs clear soft dirty race drm/nouveau/mpeg: mthd returns true on success now drm/nouveau/mmu/nv4a: use nv04 mmu rather than the nv44 one CIFS: store results of cifs_reopen_file to avoid infinite wait Input: xpad - add support for Razer Wildcat gamepad perf/x86: Avoid exposing wrong/stale data in intel_pmu_lbr_read_32() x86/vdso: Ensure vdso32_enabled gets set to valid values only x86/vdso: Plug race between mapping and ELF header setup acpi, nfit, libnvdimm: fix interleave set cookie calculation (64-bit comparison) iscsi-target: Fix TMR reference leak during session shutdown iscsi-target: Drop work-around for legacy GlobalSAN initiator scsi: sr: Sanity check returned mode data scsi: sd: Consider max_xfer_blocks if opt_xfer_blocks is unusable scsi: sd: Fix capacity calculation with 32-bit sector_t xen, fbfront: fix connecting to backend libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep splat irqchip/irq-imx-gpcv2: Fix spinlock initialization ftrace: Fix removing of second function probe char: Drop bogus dependency of DEVPORT on !M68K char: lack of bool string made CONFIG_DEVPORT always on Revert "MIPS: Lantiq: Fix cascaded IRQ setup" kvm: fix page struct leak in handle_vmon zram: do not use copy_page with non-page aligned address powerpc: Disable HFSCR[TM] if TM is not supported crypto: ahash - Fix EINPROGRESS notification callback ath9k: fix NULL pointer dereference dvb-usb-v2: avoid use-after-free ext4: fix inode checksum calculation problem if i_extra_size is small platform/x86: acer-wmi: setup accelerometer when machine has appropriate notify event rtc: tegra: Implement clock handling mm: Tighten x86 /dev/mem with zeroing reads dvb-usb: don't use stack for firmware load dvb-usb-firmware: don't do DMA on stack virtio-console: avoid DMA from stack pegasus: Use heap buffers for all register access rtl8150: Use heap buffers for all register access catc: Combine failure cleanup code in catc_probe() catc: Use heap buffer for memory size test ibmveth: calculate gso_segs for large packets SUNRPC: fix refcounting problems with auth_gss messages. tty/serial: atmel: RS485 half duplex w/DMA: enable RX after TX is done net: ipv6: check route protocol when deleting routes sctp: deny peeloff operation on asocs with threads sleeping on it MIPS: fix Select HAVE_IRQ_EXIT_ON_IRQ_STACK patch. Linux 4.4.63 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * crypto: ahash - Fix EINPROGRESS notification callbackHerbert Xu2017-04-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit ef0579b64e93188710d48667cb5e014926af9f1b upstream. The ahash API modifies the request's callback function in order to clean up after itself in some corner cases (unaligned final and missing finup). When the request is complete ahash will restore the original callback and everything is fine. However, when the request gets an EBUSY on a full queue, an EINPROGRESS callback is made while the request is still ongoing. In this case the ahash API will incorrectly call its own callback. This patch fixes the problem by creating a temporary request object on the stack which is used to relay EINPROGRESS back to the original completion function. This patch also adds code to preserve the original flags value. Fixes: ab6bf4e5e5e4 ("crypto: hash - Fix the pointer voodoo in...") Reported-by: Sabrina Dubroca <sd@queasysnail.net> Tested-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge remote-tracking branch 'common/android-4.4' into android-4.4.yDmitry Shmidt2017-02-15
|\ \ | |/ |/| | | Change-Id: Icf907f5067fb6da5935ab0d3271df54b8d5df405
| * ANDROID: crypto: gf128mul - Add ble multiplication functionsAlex Cope2017-02-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adding ble multiplication to GF128mul, and fixing up comments. The ble multiplication functions multiply GF(2^128) elements in the ble format. This format is preferable because the bits within each byte map to polynomial coefficients in the natural order (lowest order bit = coefficient of lowest degree polynomial term), and the bytes are stored in little endian order which matches the endianness of most modern CPUs. These new functions will be used by the HEH algorithm. Signed-off-by: Alex Cope <alexcope@google.com> Bug: 32975945 Signed-off-by: Eric Biggers <ebiggers@google.com> Change-Id: I39a58e8ee83e6f9b2e6bd51738f816dbfa2f3a47
| * UPSTREAM: crypto: gf128mul - Zero memory when freeing multiplication tableAlex Cope2017-02-10
| | | | | | | | | | | | | | | | | | | | | | | | | | GF(2^128) multiplication tables are typically used for secret information, so it's a good idea to zero them on free. Signed-off-by: Alex Cope <alexcope@google.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> (cherry-picked from 75aa0a7cafe951538c7cb7c5ed457a3371ec5bcd) Bug: 32975945 Signed-off-by: Eric Biggers <ebiggers@google.com> Change-Id: I37b1ae9544158007f9ee2caf070120f4a42153ab
| * ANDROID: crypto: shash - Add crypto_grab_shash() and crypto_spawn_shash_alg()Eric Biggers2017-02-10
| | | | | | | | | | | | | | | | | | | | Analogous to crypto_grab_skcipher() and crypto_spawn_skcipher_alg(), these are useful for algorithms that need to use a shash sub-algorithm, possibly in addition to other sub-algorithms. Bug: 32975945 Signed-off-by: Eric Biggers <ebiggers@google.com> Change-Id: I44e5a519d73f5f839e3b6ecbf8c66e36ec569557
| * ANDROID: crypto: allow blkcipher walks over ablkcipher dataEric Biggers2017-02-10
| | | | | | | | | | | | | | | | | | | | | | | | Add a function blkcipher_ablkcipher_walk_virt() which allows ablkcipher algorithms to use the blkcipher_walk API to walk over their data. This will be used by the HEH algorithm, which to support asynchronous ECB algorithms will be an ablkcipher, but it also needs to make other passes over the data. Bug: 32975945 Signed-off-by: Eric Biggers <ebiggers@google.com> Change-Id: I05f9a0e5473ba6115fcc72d5122d6b0b18b2078b
* | crypto: ghash-generic - move common definitions to a new header fileMarcelo Cerri2016-10-22
| | | | | | | | | | | | | | | | | | | | | | | | | | commit a397ba829d7f8aff4c90af3704573a28ccd61a59 upstream. Move common values and types used by ghash-generic to a new header file so drivers can directly use ghash-generic as a fallback implementation. Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module") Signed-off-by: Marcelo Cerri <marcelo.cerri@canonical.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | crypto: af_alg - Allow af_af_alg_release_parent to be called on nokey pathHerbert Xu2016-02-17
| | | | | | | | | | | | | | | | | | | | | | commit 6a935170a980024dd29199e9dbb5c4da4767a1b9 upstream. This patch allows af_alg_release_parent to be called even for nokey sockets. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | crypto: skcipher - Add crypto_skcipher_has_setkeyHerbert Xu2016-02-17
| | | | | | | | | | | | | | | | | | | | | | commit a1383cd86a062fc798899ab20f0ec2116cce39cb upstream. This patch adds a way for skcipher users to determine whether a key is required by a transform. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | crypto: hash - Add crypto_ahash_has_setkeyHerbert Xu2016-02-17
| | | | | | | | | | | | | | | | | | | | | | commit a5596d6332787fd383b3b5427b41f94254430827 upstream. This patch adds a way for ahash users to determine whether a key is required by a crypto_ahash transform. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | crypto: af_alg - Add nokey compatibility pathHerbert Xu2016-02-17
| | | | | | | | | | | | | | | | | | | | | | commit 37766586c965d63758ad542325a96d5384f4a8c9 upstream. This patch adds a compatibility path to support old applications that do acept(2) before setkey. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | crypto: af_alg - Disallow bind/setkey/... after accept(2)Herbert Xu2016-02-17
|/ | | | | | | | | | | | | | | | | | | | commit c840ac6af3f8713a71b4d2363419145760bd6044 upstream. Each af_alg parent socket obtained by socket(2) corresponds to a tfm object once bind(2) has succeeded. An accept(2) call on that parent socket creates a context which then uses the tfm object. Therefore as long as any child sockets created by accept(2) exist the parent socket must not be modified or freed. This patch guarantees this by using locks and a reference count on the parent socket. Any attempt to modify the parent socket will fail with EBUSY. Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* Merge branch 'next' of ↵Linus Torvalds2015-11-05
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem update from James Morris: "This is mostly maintenance updates across the subsystem, with a notable update for TPM 2.0, and addition of Jarkko Sakkinen as a maintainer of that" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (40 commits) apparmor: clarify CRYPTO dependency selinux: Use a kmem_cache for allocation struct file_security_struct selinux: ioctl_has_perm should be static selinux: use sprintf return value selinux: use kstrdup() in security_get_bools() selinux: use kmemdup in security_sid_to_context_core() selinux: remove pointless cast in selinux_inode_setsecurity() selinux: introduce security_context_str_to_sid selinux: do not check open perm on ftruncate call selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default KEYS: Merge the type-specific data with the payload data KEYS: Provide a script to extract a module signature KEYS: Provide a script to extract the sys cert list from a vmlinux file keys: Be more consistent in selection of union members used certs: add .gitignore to stop git nagging about x509_certificate_list KEYS: use kvfree() in add_key Smack: limited capability for changing process label TPM: remove unnecessary little endian conversion vTPM: support little endian guests char: Drop owner assignment from i2c_driver ...
| * KEYS: Merge the type-specific data with the payload dataDavid Howells2015-10-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Merge the type-specific data with the payload data into one four-word chunk as it seems pointless to keep them separate. Use user_key_payload() for accessing the payloads of overloaded user-defined keys. Signed-off-by: David Howells <dhowells@redhat.com> cc: linux-cifs@vger.kernel.org cc: ecryptfs@vger.kernel.org cc: linux-ext4@vger.kernel.org cc: linux-f2fs-devel@lists.sourceforge.net cc: linux-nfs@vger.kernel.org cc: ceph-devel@vger.kernel.org cc: linux-ima-devel@lists.sourceforge.net
* | crypto: ahash - Add crypto_ahash_blocksizeHerbert Xu2015-10-20
| | | | | | | | | | | | | | This patch adds the missing helper crypto_ahash_blocksize which returns the block size of an ahash algorithm. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: akcipher - Changes to asymmetric key APITadeusz Struk2015-10-14
|/ | | | | | | | | | Setkey function has been split into set_priv_key and set_pub_key. Akcipher requests takes sgl for src and dst instead of void *. Users of the API i.e. two existing RSA implementation and test mgr code have been updated accordingly. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* Merge branch 'next' of ↵Linus Torvalds2015-09-08
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem updates from James Morris: "Highlights: - PKCS#7 support added to support signed kexec, also utilized for module signing. See comments in 3f1e1bea. ** NOTE: this requires linking against the OpenSSL library, which must be installed, e.g. the openssl-devel on Fedora ** - Smack - add IPv6 host labeling; ignore labels on kernel threads - support smack labeling mounts which use binary mount data - SELinux: - add ioctl whitelisting (see http://kernsec.org/files/lss2015/vanderstoep.pdf) - fix mprotect PROT_EXEC regression caused by mm change - Seccomp: - add ptrace options for suspend/resume" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (57 commits) PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them Documentation/Changes: Now need OpenSSL devel packages for module signing scripts: add extract-cert and sign-file to .gitignore modsign: Handle signing key in source tree modsign: Use if_changed rule for extracting cert from module signing key Move certificate handling to its own directory sign-file: Fix warning about BIO_reset() return value PKCS#7: Add MODULE_LICENSE() to test module Smack - Fix build error with bringup unconfigured sign-file: Document dependency on OpenSSL devel libraries PKCS#7: Appropriately restrict authenticated attributes and content type KEYS: Add a name for PKEY_ID_PKCS7 PKCS#7: Improve and export the X.509 ASN.1 time object decoder modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS extract-cert: Cope with multiple X.509 certificates in a single file sign-file: Generate CMS message as signature instead of PKCS#7 PKCS#7: Support CMS messages also [RFC5652] X.509: Change recorded SKID & AKID to not include Subject or Issuer PKCS#7: Check content type and versions MAINTAINERS: The keyrings mailing list has moved ...
| * PKCS#7: Appropriately restrict authenticated attributes and content typeDavid Howells2015-08-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A PKCS#7 or CMS message can have per-signature authenticated attributes that are digested as a lump and signed by the authorising key for that signature. If such attributes exist, the content digest isn't itself signed, but rather it is included in a special authattr which then contributes to the signature. Further, we already require the master message content type to be pkcs7_signedData - but there's also a separate content type for the data itself within the SignedData object and this must be repeated inside the authattrs for each signer [RFC2315 9.2, RFC5652 11.1]. We should really validate the authattrs if they exist or forbid them entirely as appropriate. To this end: (1) Alter the PKCS#7 parser to reject any message that has more than one signature where at least one signature has authattrs and at least one that does not. (2) Validate authattrs if they are present and strongly restrict them. Only the following authattrs are permitted and all others are rejected: (a) contentType. This is checked to be an OID that matches the content type in the SignedData object. (b) messageDigest. This must match the crypto digest of the data. (c) signingTime. If present, we check that this is a valid, parseable UTCTime or GeneralTime and that the date it encodes fits within the validity window of the matching X.509 cert. (d) S/MIME capabilities. We don't check the contents. (e) Authenticode SP Opus Info. We don't check the contents. (f) Authenticode Statement Type. We don't check the contents. The message is rejected if (a) or (b) are missing. If the message is an Authenticode type, the message is rejected if (e) is missing; if not Authenticode, the message is rejected if (d) - (f) are present. The S/MIME capabilities authattr (d) unfortunately has to be allowed to support kernels already signed by the pesign program. This only affects kexec. sign-file suppresses them (CMS_NOSMIMECAP). The message is also rejected if an authattr is given more than once or if it contains more than one element in its set of values. (3) Add a parameter to pkcs7_verify() to select one of the following restrictions and pass in the appropriate option from the callers: (*) VERIFYING_MODULE_SIGNATURE This requires that the SignedData content type be pkcs7-data and forbids authattrs. sign-file sets CMS_NOATTR. We could be more flexible and permit authattrs optionally, but only permit minimal content. (*) VERIFYING_FIRMWARE_SIGNATURE This requires that the SignedData content type be pkcs7-data and requires authattrs. In future, this will require an attribute holding the target firmware name in addition to the minimal set. (*) VERIFYING_UNSPECIFIED_SIGNATURE This requires that the SignedData content type be pkcs7-data but allows either no authattrs or only permits the minimal set. (*) VERIFYING_KEXEC_PE_SIGNATURE This only supports the Authenticode SPC_INDIRECT_DATA content type and requires at least an SpcSpOpusInfo authattr in addition to the minimal set. It also permits an SPC_STATEMENT_TYPE authattr (and an S/MIME capabilities authattr because the pesign program doesn't remove these). (*) VERIFYING_KEY_SIGNATURE (*) VERIFYING_KEY_SELF_SIGNATURE These are invalid in this context but are included for later use when limiting the use of X.509 certs. (4) The pkcs7_test key type is given a module parameter to select between the above options for testing purposes. For example: echo 1 >/sys/module/pkcs7_test_key/parameters/usage keyctl padd pkcs7_test foo @s </tmp/stuff.pkcs7 will attempt to check the signature on stuff.pkcs7 as if it contains a firmware blob (1 being VERIFYING_FIRMWARE_SIGNATURE). Suggested-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Marcel Holtmann <marcel@holtmann.org> Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
| * MODSIGN: Provide a utility to append a PKCS#7 signature to a moduleDavid Howells2015-08-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Provide a utility that: (1) Digests a module using the specified hash algorithm (typically sha256). [The digest can be dumped into a file by passing the '-d' flag] (2) Generates a PKCS#7 message that: (a) Has detached data (ie. the module content). (b) Is signed with the specified private key. (c) Refers to the specified X.509 certificate. (d) Has an empty X.509 certificate list. [The PKCS#7 message can be dumped into a file by passing the '-p' flag] (3) Generates a signed module by concatenating the old module, the PKCS#7 message, a descriptor and a magic string. The descriptor contains the size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7. (4) Either writes the signed module to the specified destination or renames it over the source module. This allows module signing to reuse the PKCS#7 handling code that was added for PE file parsing for signed kexec. Note that the utility is written in C and must be linked against the OpenSSL crypto library. Note further that I have temporarily dropped support for handling externally created signatures until we can work out the best way to do those. Hopefully, whoever creates the signature can give me a PKCS#7 certificate. Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Vivek Goyal <vgoyal@redhat.com>
| * PKCS#7: Allow detached data to be supplied for signature checking purposesDavid Howells2015-08-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | It is possible for a PKCS#7 message to have detached data. However, to verify the signatures on a PKCS#7 message, we have to be able to digest the data. Provide a function to supply that data. An error is given if the PKCS#7 message included embedded data. This is used in a subsequent patch to supply the data to module signing where the signature is in the form of a PKCS#7 message with detached data, whereby the detached data is the module content that is signed. Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Vivek Goyal <vgoyal@redhat.com>
| * X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifierDavid Howells2015-08-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If an X.509 certificate has an AuthorityKeyIdentifier extension that provides an issuer and serialNumber, then make it so that these are used in preference to the keyIdentifier field also held therein for searching for the signing certificate. If both the issuer+serialNumber and the keyIdentifier are supplied, then the certificate is looked up by the former but the latter is checked as well. If the latter doesn't match the subjectKeyIdentifier of the parent certificate, EKEYREJECTED is returned. This makes it possible to chain X.509 certificates based on the issuer and serialNumber fields rather than on subjectKeyIdentifier. This is necessary as we are having to deal with keys that are represented by X.509 certificates that lack a subjectKeyIdentifier. Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Vivek Goyal <vgoyal@redhat.com>
* | Merge branch 'for-4.3/sg' of git://git.kernel.dk/linux-blockLinus Torvalds2015-09-02
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pull SG updates from Jens Axboe: "This contains a set of scatter-gather related changes/fixes for 4.3: - Add support for limited chaining of sg tables even for architectures that do not set ARCH_HAS_SG_CHAIN. From Christoph. - Add sg chain support to target_rd. From Christoph. - Fixup open coded sg->page_link in crypto/omap-sham. From Christoph. - Fixup open coded crypto ->page_link manipulation. From Dan. - Also from Dan, automated fixup of manual sg_unmark_end() manipulations. - Also from Dan, automated fixup of open coded sg_phys() implementations. - From Robert Jarzmik, addition of an sg table splitting helper that drivers can use" * 'for-4.3/sg' of git://git.kernel.dk/linux-block: lib: scatterlist: add sg splitting function scatterlist: use sg_phys() crypto/omap-sham: remove an open coded access to ->page_link scatterlist: remove open coded sg_unmark_end instances crypto: replace scatterwalk_sg_chain with sg_chain target/rd: always chain S/G list scatterlist: allow limited chaining without ARCH_HAS_SG_CHAIN
| * | crypto: replace scatterwalk_sg_chain with sg_chainDan Williams2015-08-17
| |/ | | | | | | | | | | | | | | Signed-off-by: Dan Williams <dan.j.williams@intel.com> [hch: split from a larger patch by Dan] Signed-off-by: Christoph Hellwig <hch@lst.de> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Jens Axboe <axboe@fb.com>
* | crypto: hash - Add AHASH_REQUEST_ON_STACKHerbert Xu2015-08-21
| | | | | | | | | | | | | | This patch adds the helper AHASH_REQUEST_ON_STACK for those users of ahash that are synchronous only. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: skcipher - Add top-level skcipher interfaceHerbert Xu2015-08-21
| | | | | | | | | | | | | | | | | | | | | | | | | | This patch introduces the crypto skcipher interface which aims to replace both blkcipher and ablkcipher. It's very similar to the existing ablkcipher interface. The main difference is the removal of the givcrypt interface. In order to make the transition easier for blkcipher users, there is a helper SKCIPHER_REQUEST_ON_STACK which can be used to place a request on the stack for synchronous transforms. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: aead - Remove old AEAD interfacesHerbert Xu2015-08-17
| | | | | | | | | | | | | | Now that the AEAD conversion is complete we can rip out the old AEAD interafce and associated code. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: aead - Add type-safe geniv init/exit helpersHerbert Xu2015-08-17
| | | | | | | | | | | | | | | | This patch adds the helpers aead_init_geniv and aead_exit_geniv which are type-safe and intended the replace the existing geniv init/exit helpers. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: doc - AEAD API conversionStephan Mueller2015-08-04
| | | | | | | | | | | | | | The AEAD API changes are now reflected in the crypto API doc book. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: poly1305 - Export common Poly1305 helpersMartin Willi2015-07-17
| | | | | | | | | | | | | | | | As architecture specific drivers need a software fallback, export Poly1305 init/update/final functions together with some helpers in a header file. Signed-off-by: Martin Willi <martin@strongswan.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: chacha20 - Export common ChaCha20 helpersMartin Willi2015-07-17
| | | | | | | | | | | | | | | | | | As architecture specific drivers need a software fallback, export a ChaCha20 en-/decryption function together with some helpers in a header file. Signed-off-by: Martin Willi <martin@strongswan.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: aead - Add type-safe function for freeing instancesHerbert Xu2015-07-14
| | | | | | | | | | | | | | | | | | This patch adds a type-safe function for freeing AEAD instances to struct aead_instance. This replaces the existing free function in struct crypto_template which does not know the type of the instance that it's freeing. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: api - Add instance free function to crypto_typeHerbert Xu2015-07-14
| | | | | | | | | | | | | | | | | | | | | | | | Currently the task of freeing an instance is given to the crypto template. However, it has no type information on the instance so we have to resort to checking type information at runtime. This patch introduces a free function to crypto_type that will be used to free an instance. This can then be used to free an instance in a type-safe manner. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: aead - Add aead_queue interfaceHerbert Xu2015-07-14
| | | | | | | | | | | | This patch adds a type-safe queueing interface for AEAD. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: api - Remove unused __crypto_dequeue_requestHerbert Xu2015-07-14
|/ | | | | | The function __crypto_dequeue_request is completely unused. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: rng - Do not free default RNG when it becomes unusedHerbert Xu2015-06-22
| | | | | | | | | | | | | | | | | Currently we free the default RNG when its use count hits zero. This was OK when the IV generators would latch onto the RNG at instance creation time and keep it until the instance is torn down. Now that IV generators only keep the RNG reference during init time this scheme causes the default RNG to come and go at a high frequencey. This is highly undesirable as we want to keep a single RNG in use unless the admin wants it to be removed. This patch changes the scheme so that the system RNG once allocated is never removed unless a specifically requested. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Fix aead_instance struct sizeHerbert Xu2015-06-19
| | | | | | | | | | | | | | | | | | | | | The struct aead_instance is meant to extend struct crypto_instance by incorporating the extra members of struct aead_alg. However, the current layout which is copied from shash/ahash does not specify the struct fully. In particular only aead_alg is present. For shash/ahash this works because users there add extra headroom to sizeof(struct crypto_instance) when allocating the instance. Unfortunately for aead, this bit was lost when the new aead_instance was added. Rather than fixing it like shash/ahash, this patch simply expands struct aead_instance to contain what is supposed to be there, i.e., adding struct crypto_instance. In order to not break existing AEAD users, this is done through an anonymous union. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: rsa - add a new rsa generic implementationTadeusz Struk2015-06-17
| | | | | | | | | | | Add a new rsa generic SW implementation. This implements only cryptographic primitives. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Added select on ASN1. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: akcipher - add PKE APITadeusz Struk2015-06-17
| | | | | | | | | | Add Public Key Encryption API. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Made CRYPTO_AKCIPHER invisible like other type config options. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - reseed often if seedsource is degradedStephan Mueller2015-06-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | As required by SP800-90A, the DRBG implements are reseeding threshold. This threshold is at 2**48 (64 bit) and 2**32 bit (32 bit) as implemented in drbg_max_requests. With the recently introduced changes, the DRBG is now always used as a stdrng which is initialized very early in the boot cycle. To ensure that sufficient entropy is present, the Jitter RNG is added to even provide entropy at early boot time. However, the 2nd seed source, the nonblocking pool, is usually degraded at that time. Therefore, the DRBG is seeded with the Jitter RNG (which I believe contains good entropy, which however is questioned by others) and is seeded with a degradded nonblocking pool. This seed is now used for quasi the lifetime of the system (2**48 requests is a lot). The patch now changes the reseed threshold as follows: up until the time the DRBG obtains a seed from a fully iniitialized nonblocking pool, the reseeding threshold is lowered such that the DRBG is forced to reseed itself resonably often. Once it obtains the seed from a fully initialized nonblocking pool, the reseed threshold is set to the value required by SP800-90A. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - Use callback API for random readinessStephan Mueller2015-06-10
| | | | | | | | | | | | | | | The get_blocking_random_bytes API is broken because the wait can be arbitrarily long (potentially forever) so there is no safe way of calling it from within the kernel. This patch replaces it with the new callback API which does not have this problem. The patch also removes the entropy buffer registered with the DRBG handle in favor of stack variables to hold the seed data. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: doc - Fix typo in crypto-API.xmlMasanari Iida2015-06-04
| | | | | | | | | | This patch fix some typos found in crypto-API.xml. It is because the file is generated from comments in sources, so I had to fix typo in sources. Signed-off-by: Masanari Iida <standby24x7@gmail.com> Acked-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>