summaryrefslogtreecommitdiffstats
path: root/crypto
Commit message (Collapse)AuthorAgeFilesLines
* new helper: msg_data_left()Al Viro2015-04-112-4/+4
| | | | | | convert open-coded instances Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* Merge branch 'iocb' into for-davemAl Viro2015-04-091-1/+1
|\ | | | | | | | | | | | | trivial conflict in net/socket.c and non-trivial one in crypto - that one had evaded aio_complete() removal. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | crypto: algif - explicitly mark end of datatadeusz.struk@intel.com2015-04-011-4/+8
| | | | | | | | | | | | | | | | | | | | | | After the TX sgl is expanded we need to explicitly mark end of data at the last buffer that contains data. Changes in v2 - use type 'bool' and true/false for 'mark'. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | crypto: algif - use kmalloc instead of kzallocTadeusz Struk2015-04-011-1/+1
| | | | | | | | | | | | | | No need to use kzalloc to allocate sgls as the structure is initialized anyway. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | crypto: af_alg - make exports consistantTadeusz Struk2015-04-011-1/+1
| | | | | | | | | | | | | | Use EXPORT_SYMBOL_GPL instead of EXPORT_SYMBOL. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | crypto: algif - fix warn: unsigned 'used' is never less than zerotadeusz.struk@intel.com2015-03-251-1/+1
| | | | | | | | | | | | | | | | | | Change type from unsigned long to int to fix an issue reported by kbuild robot: crypto/algif_skcipher.c:596 skcipher_recvmsg_async() warn: unsigned 'used' is never less than zero. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | crypto: algif - change algif_skcipher to be asynchronousTadeusz Struk2015-03-231-7/+226
| | | | | | | | | | | | | | | | | | | | | | The way the algif_skcipher works currently is that on sendmsg/sendpage it builds an sgl for the input data and then on read/recvmsg it sends the job for encryption putting the user to sleep till the data is processed. This way it can only handle one job at a given time. This patch changes it to be asynchronous by adding AIO support. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | crypto: af_alg - Allow to link sglTadeusz Struk2015-03-231-5/+13
| | | | | | | | | | | | | | Allow to link af_alg sgls. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: Remove iocb argument from sendmsg and recvmsgYing Xue2015-03-023-10/+10
|/ | | | | | | | | | | | | | After TIPC doesn't depend on iocb argument in its internal implementations of sendmsg() and recvmsg() hooks defined in proto structure, no any user is using iocb argument in them at all now. Then we can drop the redundant iocb argument completely from kinds of implementations of both sendmsg() and recvmsg() in the entire networking stack. Cc: Christoph Hellwig <hch@lst.de> Suggested-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6Linus Torvalds2015-02-1415-80/+316
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pull crypto update from Herbert Xu: "Here is the crypto update for 3.20: - Added 192/256-bit key support to aesni GCM. - Added MIPS OCTEON MD5 support. - Fixed hwrng starvation and race conditions. - Added note that memzero_explicit is not a subsitute for memset. - Added user-space interface for crypto_rng. - Misc fixes" * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (71 commits) crypto: tcrypt - do not allocate iv on stack for aead speed tests crypto: testmgr - limit IV copy length in aead tests crypto: tcrypt - fix buflen reminder calculation crypto: testmgr - mark rfc4106(gcm(aes)) as fips_allowed crypto: caam - fix resource clean-up on error path for caam_jr_init crypto: caam - pair irq map and dispose in the same function crypto: ccp - terminate ccp_support array with empty element crypto: caam - remove unused local variable crypto: caam - remove dead code crypto: caam - don't emit ICV check failures to dmesg hwrng: virtio - drop extra empty line crypto: replace scatterwalk_sg_next with sg_next crypto: atmel - Free memory in error path crypto: doc - remove colons in comments crypto: seqiv - Ensure that IV size is at least 8 bytes crypto: cts - Weed out non-CBC algorithms MAINTAINERS: add linux-crypto to hw random crypto: cts - Remove bogus use of seqiv crypto: qat - don't need qat_auth_state struct crypto: algif_rng - fix sparse non static symbol warning ...
| * crypto: tcrypt - do not allocate iv on stack for aead speed testsCristian Stoica2015-02-041-3/+8
| | | | | | | | | | | | | | See also: 9bac019dad8098a77cce555d929f678e22111783 Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: testmgr - limit IV copy length in aead testsCristian Stoica2015-02-041-3/+4
| | | | | | | | | | | | | | | | | | | | The working copy of IV is the same size as the transformation's IV. It is not necessary to copy more than that from the template since iv_len is usually less than MAX_IVLEN and the rest of the copied data is garbage. Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: tcrypt - fix buflen reminder calculationCristian Stoica2015-02-041-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - This fixes the intent of the code to limit the last scatterlist to either a full PAGE or a fraction of it, depending on the number of pages needed by buflen and the available space advertised by XBUFLEN. The original code always sets the last scatterlist to a fraction of a PAGE because the first 'if' is never executed. - Rearrange the second part of the code to remove the conditional from the loop Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: testmgr - mark rfc4106(gcm(aes)) as fips_allowedJarod Wilson2015-01-261-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | This gcm variant is popular for ipsec use, and there are folks who would like to use it while in fips mode. Mark it with fips_allowed=1 to facilitate that. CC: LKML <linux-kernel@vger.kernel.org> CC: Stephan Mueller <smueller@atsec.com> Signed-off-by: Jarod Wilson <jarod@redhat.com> Acked-by: Stephan Mueller <smueller@atsec.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: replace scatterwalk_sg_next with sg_nextCristian Stoica2015-01-263-6/+5
| | | | | | | | | | | | | | | | | | | | | | | | Modify crypto drivers to use the generic SG helper since both of them are equivalent and the one from crypto is redundant. See also: 468577abe37ff7b453a9ac613e0ea155349203ae reverted in b2ab4a57b018aafbba35bff088218f5cc3d2142e Signed-off-by: Cristian Stoica <cristian.stoica@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: seqiv - Ensure that IV size is at least 8 bytesHerbert Xu2015-01-201-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Since seqiv is designed for IPsec we need to be able to accomodate the whole IPsec sequence number in order to ensure the uniqueness of the IV. This patch forbids any algorithm with an IV size of less than 8 from using it. This should have no impact on existing users since they all have an IV size of 8. Reported-by: Maciej ?enczykowski <zenczykowski@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Maciej ?enczykowski <zenczykowski@gmail.com>
| * crypto: cts - Weed out non-CBC algorithmsHerbert Xu2015-01-201-0/+3
| | | | | | | | | | | | | | | | The cts algorithm as currently implemented assumes the underlying is a CBC-mode algorithm. So this patch adds a check for that to eliminate bogus combinations of cts with non-CBC modes. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: cts - Remove bogus use of seqivHerbert Xu2015-01-201-2/+0
| | | | | | | | | | | | | | | | | | The seqiv generator is completely inappropriate for cts as it's designed for IPsec algorithms. Since cts users do not actually use the IV generator we can just fall back to the default. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Maciej ?enczykowski <zenczykowski@gmail.com>
| * crypto: algif_rng - fix sparse non static symbol warningWei Yongjun2015-01-141-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Fixes the following sparse warnings: crypto/algif_rng.c:185:13: warning: symbol 'rng_exit' was not declared. Should it be static? Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Acked-by: Stephan Mueller <smueller@chronox.de> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: testmgr - don't use interruptible wait in testsRabin Vincent2015-01-132-34/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | tcrypt/testmgr uses wait_for_completion_interruptible() everywhere when it waits for a request to be completed. If it's interrupted, then the test is aborted and the request is freed. However, if any of these calls actually do get interrupted, the result will likely be a kernel crash, when the driver handles the now-freed request. Use wait_for_completion() instead. Signed-off-by: Rabin Vincent <rabin.vincent@axis.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * Revert "crypto: drbg - use memzero_explicit() for clearing sensitive data"Herbert Xu2015-01-051-12/+11
| | | | | | | | | | | | | | | | | | This reverts commit 421d82f5b3e75f94e31875e37d45cdf6a557c120. None of the data zeroed are on the stack so the compiler cannot optimise them away. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: algif_rng - enable RNG interface compilationStephan Mueller2014-12-292-0/+10
| | | | | | | | | | | | | | | | Enable compilation of the RNG AF_ALG support and provide a Kconfig option to compile the RNG AF_ALG support. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: algif_rng - add random number generator supportStephan Mueller2014-12-291-0/+192
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the random number generator support for AF_ALG. A random number generator's purpose is to generate data without requiring the caller to provide any data. Therefore, the AF_ALG interface handler for RNGs only implements a callback handler for recvmsg. The following parameters provided with a recvmsg are processed by the RNG callback handler: * sock - to resolve the RNG context data structure accessing the RNG instance private to the socket * len - this parameter allows userspace callers to specify how many random bytes the RNG shall produce and return. As the kernel context for the RNG allocates a buffer of 128 bytes to store random numbers before copying them to userspace, the len parameter is checked that it is not larger than 128. If a caller wants more random numbers, a new request for recvmsg shall be made. The size of 128 bytes is chose because of the following considerations: * to increase the memory footprint of the kernel too much (note, that would be 128 bytes per open socket) * 128 is divisible by any typical cryptographic block size an RNG may have * A request for random numbers typically only shall supply small amount of data like for keys or IVs that should only require one invocation of the recvmsg function. Note, during instantiation of the RNG, the code checks whether the RNG implementation requires seeding. If so, the RNG is seeded with output from get_random_bytes. A fully working example using all aspects of the RNG interface is provided at http://www.chronox.de/libkcapi.html Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: af_alg - zeroize key dataStephan Mueller2014-12-261-1/+1
| | | | | | | | | | | | | | alg_setkey should zeroize the sensitive data after use. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: octeon - enable OCTEON MD5 module selectionAaro Koskinen2014-12-241-0/+9
| | | | | | | | | | | | | | Enable user to select OCTEON MD5 module. Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: algif - Mark sgl end at the end of dataTadeusz Struk2014-12-221-0/+8
| | | | | | | | | | | | | | | | | | | | algif_skcipher sends 127 sgl buffers for encryption regardless of how many buffers acctually have data to process, where the few first with valid len and the rest with zero len. This is not very eficient. This patch marks the last one with data as the last one to process. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: af_alg - add setsockopt for auth tag sizeStephan Mueller2014-12-221-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | Use setsockopt on the tfm FD to provide the authentication tag size for an AEAD cipher. This is achieved by adding a callback function which is intended to be used by the AEAD AF_ALG implementation. The optlen argument of the setsockopt specifies the authentication tag size to be used with the AEAD tfm. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: drbg - panic on continuous self test errorStephan Mueller2014-12-221-9/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a panic if the FIPS 140-2 self test error failed. Note, that entire code is only executed with fips_enabled (i.e. when the kernel is booted with fips=1. It is therefore not executed for 99.9% of all user base. As mathematically such failure cannot occur, this panic should never be triggered. But to comply with NISTs current requirements, an endless loop must be replaced with the panic. When the new version of FIPS 140 will be released, this entire continuous self test function will be ripped out as it will not be needed any more. This patch is functionally equivalent as implemented in ansi_cprng.c and drivers/char/random.c. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: api - fixed style erro in algapi.cJoshua I. James2014-12-221-0/+1
| | | | | | | | | | | | | | | | | | | | | | Fixed style error identified by checkpatch. WARNING: Missing a blank line after declarations + int err = crypto_remove_alg(&inst->alg, &users); + BUG_ON(err); Signed-off-by: Joshua I. James <joshua@cybercrimetech.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: ahash - fixed style error in ahash.cJoshua I. James2014-12-221-0/+1
| | | | | | | | | | | | | | | | | | | | | | Fixed style error identified by checkpatch. WARNING: Missing a blank line after declarations + unsigned int unaligned = alignmask + 1 - (offset & alignmask); + if (nbytes > unaligned) Signed-off-by: Joshua I. James <joshua@cybercrimetech.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: af_alg - fixed style error in af_alg.cJoshua I. James2014-12-221-1/+1
| | | | | | | | | | | | | | | | | | | | Fixed style error identified by checkpatch. ERROR: space required before the open parenthesis '(' + switch(cmsg->cmsg_type) { Signed-off-by: Joshua I. James <joshua@cybercrimetech.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: aead - fixed style error in aead.cJoshua I. James2014-12-221-1/+2
| | | | | | | | | | | | | | | | | | | | Fixed style error identified by checkpatch. ERROR: do not use assignment in if condition + if ((err = crypto_register_instance(tmpl, inst))) { Signed-off-by: Joshua I. James <joshua@cybercrimetech.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: ablkcipher - fixed style errors in ablkcipher.cJoshua I. James2014-12-221-2/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixed style errors reported by checkpatch. WARNING: Missing a blank line after declarations + u8 *end_page = (u8 *)(((unsigned long)(start + len - 1)) & PAGE_MASK); + return max(start, end_page); WARNING: line over 80 characters + scatterwalk_start(&walk->out, scatterwalk_sg_next(walk->out.sg)); WARNING: Missing a blank line after declarations + int err = ablkcipher_copy_iv(walk, tfm, alignmask); + if (err) ERROR: do not use assignment in if condition + if ((err = crypto_register_instance(tmpl, inst))) { Signed-off-by: Joshua I. James <joshua@cybercrimetech.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* | crypto: fix af_alg_make_sg() conversion to iov_iterLinus Torvalds2015-02-102-4/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 1d10eb2f156f ("crypto: switch af_alg_make_sg() to iov_iter") broke af_alg_make_sg() and skcipher_recvmsg() in the process of moving them to the iov_iter interfaces. The 'npages' calculation in the formar calculated the number of *bytes* in the pages, and in the latter case the conversion didn't re-read the value of 'ctx->used' after waiting for it to become non-zero. This reverts to the original code for both these cases. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: David Miller <davem@davemloft.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | crypto: switch af_alg_make_sg() to iov_iterAl Viro2015-02-043-98/+61
| | | | | | | | | | | | | | | | | | | | | | With that, all ->sendmsg() instances are converted to iov_iter primitives and are agnostic wrt the kind of iov_iter they are working with. So's the last remaining ->recvmsg() instance that wasn't kind-agnostic yet. All ->sendmsg() and ->recvmsg() advance ->msg_iter by the amount actually copied and none of them modifies the underlying iovec, etc. Cc: linux-crypto@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | crypto: add missing crypto module aliasesMathias Krause2015-01-1320-3/+25
|/ | | | | | | | | | | | | | | | | | | | | | Commit 5d26a105b5a7 ("crypto: prefix module autoloading with "crypto-"") changed the automatic module loading when requesting crypto algorithms to prefix all module requests with "crypto-". This requires all crypto modules to have a crypto specific module alias even if their file name would otherwise match the requested crypto algorithm. Even though commit 5d26a105b5a7 added those aliases for a vast amount of modules, it was missing a few. Add the required MODULE_ALIAS_CRYPTO annotations to those files to make them get loaded automatically, again. This fixes, e.g., requesting 'ecb(blowfish-generic)', which used to work with kernels v3.18 and below. Also change MODULE_ALIAS() lines to MODULE_ALIAS_CRYPTO(). The former won't work for crypto modules any more. Fixes: 5d26a105b5a7 ("crypto: prefix module autoloading with "crypto-"") Cc: Kees Cook <keescook@chromium.org> Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: af_alg - fix backlog handlingRabin Vincent2014-12-221-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | If a request is backlogged, it's complete() handler will get called twice: once with -EINPROGRESS, and once with the final error code. af_alg's complete handler, unlike other users, does not handle the -EINPROGRESS but instead always completes the completion that recvmsg() is waiting on. This can lead to a return to user space while the request is still pending in the driver. If userspace closes the sockets before the requests are handled by the driver, this will lead to use-after-frees (and potential crashes) in the kernel due to the tfm having been freed. The crashes can be easily reproduced (for example) by reducing the max queue length in cryptod.c and running the following (from http://www.chronox.de/libkcapi.html) on AES-NI capable hardware: $ while true; do kcapi -x 1 -e -c '__ecb-aes-aesni' \ -k 00000000000000000000000000000000 \ -p 00000000000000000000000000000000 >/dev/null & done Cc: stable@vger.kernel.org Signed-off-by: Rabin Vincent <rabin.vincent@axis.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6Linus Torvalds2014-12-1370-122/+191
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pull crypto update from Herbert Xu: - The crypto API is now documented :) - Disallow arbitrary module loading through crypto API. - Allow get request with empty driver name through crypto_user. - Allow speed testing of arbitrary hash functions. - Add caam support for ctr(aes), gcm(aes) and their derivatives. - nx now supports concurrent hashing properly. - Add sahara support for SHA1/256. - Add ARM64 version of CRC32. - Misc fixes. * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (77 commits) crypto: tcrypt - Allow speed testing of arbitrary hash functions crypto: af_alg - add user space interface for AEAD crypto: qat - fix problem with coalescing enable logic crypto: sahara - add support for SHA1/256 crypto: sahara - replace tasklets with kthread crypto: sahara - add support for i.MX53 crypto: sahara - fix spinlock initialization crypto: arm - replace memset by memzero_explicit crypto: powerpc - replace memset by memzero_explicit crypto: sha - replace memset by memzero_explicit crypto: sparc - replace memset by memzero_explicit crypto: algif_skcipher - initialize upon init request crypto: algif_skcipher - removed unneeded code crypto: algif_skcipher - Fixed blocking recvmsg crypto: drbg - use memzero_explicit() for clearing sensitive data crypto: drbg - use MODULE_ALIAS_CRYPTO crypto: include crypto- module prefix in template crypto: user - add MODULE_ALIAS crypto: sha-mb - remove a bogus NULL check crytpo: qat - Fix 64 bytes requests ...
| * crypto: tcrypt - Allow speed testing of arbitrary hash functionsHerbert Xu2014-12-051-12/+20
| | | | | | | | | | | | | | | | | | | | | | This patch allows the testing of arbitrary hash functions specified by the alg module parameter by using them in mode 300 (for sync hash) and mode 400 (for async hash). For example, you could do modprobe tcrypt mode=300 alg='vmac(aes)' Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: af_alg - add user space interface for AEADStephan Mueller2014-12-051-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | AEAD requires the caller to specify the following information separate from the data stream. This information allows the AEAD interface handler to identify the AAD, ciphertext/plaintext and the authentication tag: * Associated authentication data of arbitrary length and length * Length of authentication tag for encryption Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: algif_skcipher - initialize upon init requestStephan Mueller2014-12-021-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When using the algif_skcipher, the following call sequence causess a re-initialization: 1. sendmsg with ALG_SET_OP and iov == NULL, iovlen == 0 (i.e initializing the cipher, but not sending data) 2. sendmsg with msg->msg-controllen == 0 and iov != NULL (using the initalized cipher handle by sending data) In step 2, the cipher operation type (encryption or decryption) is reset to always decryption, because the local variable of enc is put into ctx->enc as ctx->user is still zero. The same applies when all send data is processed and ctx->used falls to zero followed by user space to send new data. This patch changes the behavior to only reset the cipher operation type (and the IV) if such configuration request is received. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: algif_skcipher - removed unneeded codeStruk, Tadeusz2014-12-011-4/+0
| | | | | | | | | | | | | | Remover unneeded code. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: algif_skcipher - Fixed blocking recvmsgHerbert Xu2014-11-281-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As most (all?) users of algif_skcipher are single-threaded and therefore always write before reading from an algif_skcipher socket, they never block and exercise that code-path. It turns out that code path doesn't even work because we never reload ctx->used after waking up so we never even see the new data and immediately return an error (and a loud WARN_ON). This patch fixes this by always reloading ctx->used. Reported-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Stephan Mueller <smueller@chronox.de>
| * crypto: drbg - use memzero_explicit() for clearing sensitive dataNickolaus Woodruff2014-11-271-11/+12
| | | | | | | | | | | | | | | | | | | | Compiler dead store optimization can sometimes remove final calls to memset() used to clear sensitive data at the end of a function. Replace trailing memset() calls with memzero_explicit() to preclude unwanted removal. Signed-off-by: Nickolaus Woodruff <nickolauswoodruff@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: drbg - use MODULE_ALIAS_CRYPTOStephan Mueller2014-11-261-22/+22
| | | | | | | | | | | | | | Use the crypto- prefix for the DRBG implementations. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: include crypto- module prefix in templateKees Cook2014-11-2622-2/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the module loading prefix "crypto-" to the template lookup as well. For example, attempting to load 'vfat(blowfish)' via AF_ALG now correctly includes the "crypto-" prefix at every level, correctly rejecting "vfat": net-pf-38 algif-hash crypto-vfat(blowfish) crypto-vfat(blowfish)-all crypto-vfat Reported-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: user - add MODULE_ALIASStephan Mueller2014-11-261-0/+1
| | | | | | | | | | | | | | | | To allow automatic loading of the crypto_user kernel module, the netlink MODULE_ALIAS is added. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: algif - add and use sock_kzfree_s() instead of memzero_explicit()Daniel Borkmann2014-11-252-6/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit e1bd95bf7c25 ("crypto: algif - zeroize IV buffer") and 2a6af25befd0 ("crypto: algif - zeroize message digest buffer") added memzero_explicit() calls on buffers that are later on passed back to sock_kfree_s(). This is a discussed follow-up that, instead, extends the sock API and adds sock_kzfree_s(), which internally uses kzfree() instead of kfree() for passing the buffers back to slab. Having sock_kzfree_s() allows to keep the changes more minimal by just having a drop-in replacement instead of adding memzero_explicit() calls everywhere before sock_kfree_s(). In kzfree(), the compiler is not allowed to optimize the memset() away and thus there's no need for memzero_explicit(). Both, sock_kfree_s() and sock_kzfree_s() are wrappers for __sock_kfree_s() and call into kfree() resp. kzfree(); here, __sock_kfree_s() needs to be explicitly inlined as we want the compiler to optimize the call and condition away and thus it produces e.g. on x86_64 the _same_ assembler output for sock_kfree_s() before and after, and thus also allows for avoiding code duplication. Cc: David S. Miller <davem@davemloft.net> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: prefix module autoloading with "crypto-"Kees Cook2014-11-2444-39/+56
| | | | | | | | | | | | | | | | | | | | | | This prefixes all crypto module loading with "crypto-" so we never run the risk of exposing module auto-loading to userspace via a crypto API, as demonstrated by Mathias Krause: https://lkml.org/lkml/2013/3/4/70 Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * crypto: user - Allow get request with empty driver nameHerbert Xu2014-11-241-4/+1
| | | | | | | | | | | | | | | | Currently all get requests with an empty driver name fail with EINVAL. Since most users actually want to supply an empty driver name this patch removes this check. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>