- Jul 08, 2023
-
-
David Howells authored
The 'MSG_MORE' state of the previous sendmsg() is fetched without the socket lock held, so two sendmsg calls can race. This can be seen with a large sendfile() as that now does a series of sendmsg() calls, and if a write() comes in on the same socket at an inopportune time, it can flip the state. Fix this by moving the fetch of ctx->more inside the socket lock.
Fixes: c662b043 ("crypto: af_alg/hash: Support MSG_SPLICE_PAGES")
Reported-by: <syzbot+689ec3afb1ef07b766b2@syzkaller.appspotmail.com>
Link: https://lore.kernel.org/r/000000000000554b8205ffdea64e@google.com/
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: <syzbot+689ec3afb1ef07b766b2@syzkaller.appspotmail.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: Paolo Abeni <pabeni@redhat.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: linux-crypto@vger.kernel.org
cc: netdev@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- Jul 07, 2023
-
-
Dan Carpenter authored
These error paths should return the appropriate error codes instead of returning success.
Fixes: 63ba4d67 ("KEYS: asymmetric: Use new crypto interface without scatterlists")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- Jul 05, 2023
-
-
David Howells authored
af_alg_sendmsg() takes data-to-be-copied that's provided by write(), send(), sendmsg() and similar into pages that it allocates and will merge new data into the last page in the list, based on the value of ctx->merge. Now that af_alg_sendmsg() accepts MSG_SPLICE_PAGES, it adds spliced pages directly into the list and then incorrectly appends data to them if there's space left because ctx->merge says that it can. This was cleared by af_alg_sendpage(), but that got lost. Fix this by skipping the merge if MSG_SPLICE_PAGES is specified and clearing ctx->merge after MSG_SPLICE_PAGES has added stuff to the list.
Fixes: bf63e250 ("crypto: af_alg: Support MSG_SPLICE_PAGES")
Reported-by: Ondrej Mosnáček <omosnacek@gmail.com>
Link: https://lore.kernel.org/r/CAAUqJDvFuvms55Td1c=XKv6epfRnnP78438nZQ-JKyuCptGBiQ@mail.gmail.com/
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: Paolo Abeni <pabeni@redhat.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: linux-crypto@vger.kernel.org
cc: netdev@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- Jun 27, 2023
-
-
Herbert Xu authored
As signature verification has a NULL destination buffer, the pointer needs to be checked before the memcpy is done.
Fixes: addde1f2 ("crypto: akcipher - Add sync interface without SG lists")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
The dst SG list needs to be set to NULL for verify calls. Do this as otherwise the underlying algorithm may fail. Furthermore the digest needs to be copied just like the source.
Fixes: 6cb8815f ("crypto: sig - Add interface for sign/verify")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
The request tfm needs to be set.
Fixes: addde1f2 ("crypto: akcipher - Add sync interface without SG lists")
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202306261421.2ac744fa-oliver.sang@intel.com
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- Jun 24, 2023
-
-
David Howells authored
Remove ->sendpage() and ->sendpage_locked(). sendmsg() with MSG_SPLICE_PAGES should be used instead. This allows multiple pages and multipage folios to be passed through.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> # for net/can
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
cc: linux-afs@lists.infradead.org
cc: mptcp@lists.linux.dev
cc: rds-devel@oss.oracle.com
cc: tipc-discussion@lists.sourceforge.net
cc: virtualization@lists.linux-foundation.org
Link: https://lore.kernel.org/r/20230623225513.2732256-16-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
- Jun 23, 2023
-
-
Herbert Xu authored
Use the new akcipher and sig interfaces which no longer have scatterlists in them.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
The sm2 certificate requires a modified digest. Move the code for the hashing from the signature verification path into the code where we generate the digest.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
Split out the sign/verify functionality from the existing akcipher interface. Most algorithms in akcipher either support encryption and decryption, or signing and verify. Only one supports both. As a signature algorithm may not support encryption at all, these two should be separated. For now sig is simply a wrapper around akcipher as all algorithms remain unchanged. This is a first step and allows users to start allocating sig instead of akcipher.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
The only user of akcipher does not use SG lists. Therefore forcing users to use SG lists only results in unnecessary overhead. Add a new interface that supports arbitrary kernel pointers. For the time being the copy will be performed unconditionally. But this will go away once the underlying interface is updated. Note also that only encryption and decryption is addressed by this patch as sign/verify will go into a new interface (sig).
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Dmitry Safonov authored
The refcounter of underlying algorithm should be incremented, otherwise it'll be destroyed with the cloned cipher, wrecking the original cipher.
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
Use it straight away in crypto_clone_cipher(), as that is not meant to sleep.
Fixes: 51d8d6d0 ("crypto: cipher - Add crypto_clone_cipher")
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Dmitry Safonov authored
Purge crypto_type::init() as well. The last user seems to be gone with commit d63007eb ("crypto: ablkcipher - remove deprecated and unused ablkcipher support").
Signed-off-by: Dmitry Safonov <dima@arista.com>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Mahmoud Adam authored
Check if the RSA public exponent is odd and check its value is between 2^16 < e < 2^256. FIPS 186-5 DSS (page 35)[1] specifies that:
1. The public exponent e shall be selected with the following constraints:
(a) The public verification exponent e shall be selected prior to generating the primes, p and q, and the private signature exponent d.
(b) The exponent e shall be an odd positive integer such that: 2^16 < e < 2^256.
[1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
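The same constraint, written as a stand-alone user-space check so the boundary cases can be exercised. This is an added example and not the kernel's code: it takes the exponent as a big-endian octet string (the form it has inside a DER-encoded RSA public key), drops leading zero octets, and applies the FIPS 186-5 rule that e is odd and 2^16 < e < 2^256. The helper names rsa_exponent_ok and rsa_exponent_ok_hex are assumptions of this example, and the sample exponents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not kernel code: validate an RSA public exponent e, given as
 * a big-endian octet string, against the FIPS 186-5 constraints quoted in the
 * commit message: e must be odd and 2^16 < e < 2^256.
 * Returns 1 if e is acceptable, 0 otherwise.  (Hypothetical helper name.)
 */
int rsa_exponent_ok(const uint8_t *e, size_t len)
{
    /* Skip leading zero octets so `len` reflects the magnitude of e. */
    while (len > 0 && *e == 0) {
        e++;
        len--;
    }
    if (len == 0)
        return 0;                       /* e == 0 */

    /* (b): e shall be odd. */
    if ((e[len - 1] & 1) == 0)
        return 0;

    /* e < 2^256: 33 or more significant octets is too large. */
    if (len > 32)
        return 0;

    /* e > 2^16: anything with 4+ significant octets is at least 2^24. */
    if (len > 3)
        return 1;
    /* 1 or 2 octets: at most 0xffff = 2^16 - 1, too small. */
    if (len < 3)
        return 0;
    /*
     * Exactly 3 octets with a non-zero leading octet: 0x010000 <= e <= 0xffffff.
     * 0x010000 itself is even and was rejected above, so e > 2^16 holds.
     */
    return 1;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Convenience wrapper: e as an even-length hex string of at most 128 digits. */
int rsa_exponent_ok_hex(const char *hex)
{
    uint8_t buf[64];
    size_t n = strlen(hex);

    if (n == 0 || (n % 2) != 0 || n > 2 * sizeof(buf))
        return 0;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return 0;
        buf[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return rsa_exponent_ok(buf, n / 2);
}

int main(void)
{
    /* Constructed sample exponents: 65537, 3, 65535, 65536, 65539. */
    const char *samples[] = { "010001", "03", "ffff", "010000", "010003" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("e = 0x%s: %s\n", samples[i],
               rsa_exponent_ok_hex(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The practical effect of the rule is visible in the sample set: the historically common e = 3 is rejected (it is below 2^16), while the conventional e = 65537 passes; the two ends of the range, 2^256 - 1 and 2^256 + 1, fall on opposite sides of the 32-octet boundary.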
-
Herbert Xu authored
Give geniv its own Kconfig option so that its dependencies are distinct from that of the AEAD API code. This also allows it to be disabled if no IV generators (seqiv/echainiv) are enabled. Remove the obsolete select on RNG2 by SKCIPHER2 as skcipher IV generators disappeared long ago.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
The testmgr code uses crypto_rng without depending on it. Add an explicit dependency to Kconfig. Also sort the MANAGER2 dependencies alphabetically.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- Jun 20, 2023
-
-
David Howells authored
If an AF_ALG socket bound to a hashing algorithm is sent a zero-length message with MSG_MORE set and then recvmsg() is called without first sending another message without MSG_MORE set to end the operation, an oops will occur because the crypto context and result doesn't now get set up in advance because hash_sendmsg() now defers that as long as possible in the hope that it can use crypto_ahash_digest() - and then because the message is zero-length, the data wrangling loop is skipped. Fix this by handling zero-length sends at the top of the hash_sendmsg() function. If we're not continuing the previous sendmsg(), then just ignore the send (hash_recvmsg() will invent something when called); if we are continuing, then we finalise the request at this point if MSG_MORE is not set to get any error here, otherwise the send is of no effect and can be ignored. Whilst we're at it, remove the code to create a kvmalloc'd scatterlist if we get more than ALG_MAX_PAGES - this shouldn't happen.
Fixes: c662b043 ("crypto: af_alg/hash: Support MSG_SPLICE_PAGES")
Reported-by: <syzbot+13a08c0bf4d212766c3c@syzkaller.appspotmail.com>
Link: https://lore.kernel.org/r/000000000000b928f705fdeb873a@google.com/
Reported-by: <syzbot+14234ccf6d0ef629ec1a@syzkaller.appspotmail.com>
Link: https://lore.kernel.org/r/000000000000c047db05fdeb8790@google.com/
Reported-by: <syzbot+4e2e47f32607d0f72d43@syzkaller.appspotmail.com>
Link: https://lore.kernel.org/r/000000000000bcca3205fdeb87fb@google.com/
Reported-by: <syzbot+472626bb5e7c59fb768f@syzkaller.appspotmail.com>
Link: https://lore.kernel.org/r/000000000000b55d8805fdeb8385@google.com/
Signed-off-by: David Howells <dhowells@redhat.com>
Reported-and-tested-by: <syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Link: https://lore.kernel.org/r/427646.1686913832@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
- Jun 18, 2023
-
-
David Howells authored
When af_alg_sendmsg() calls extract_iter_to_sg(), it passes MAX_SGL_ENTS as the maximum number of elements that may be written to, but some of the elements may already have been used (as recorded in sgl->cur), so extract_iter_to_sg() may end up overrunning the scatterlist. Fix this to limit the number of elements to "MAX_SGL_ENTS - sgl->cur". Note: It probably makes sense in future to alter the behaviour of extract_iter_to_sg() to stop if "sgtable->nents >= sg_max" instead, but this is a smaller fix for now. The bug causes errors looking something like:
BUG: KASAN: slab-out-of-bounds in sg_assign_page include/linux/scatterlist.h:109 [inline]
BUG: KASAN: slab-out-of-bounds in sg_set_page include/linux/scatterlist.h:139 [inline]
BUG: KASAN: slab-out-of-bounds in extract_bvec_to_sg lib/scatterlist.c:1183 [inline]
BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg lib/scatterlist.c:1352 [inline]
BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg+0x17a6/0x1960 lib/scatterlist.c:1339
Fixes: bf63e250 ("crypto: af_alg: Support MSG_SPLICE_PAGES")
Reported-by: <syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com>
Link: https://lore.kernel.org/r/000000000000b2585a05fdeb8379@google.com/
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: <syzbot+6efc50cc1f8d718d6cb7@syzkaller.appspotmail.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
cc: linux-crypto@vger.kernel.org
cc: netdev@vger.kernel.org
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
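The limit mix-up this commit describes is a general bug class: a fill routine is handed the size of the whole array when it should be handed the room left after the entries already in use. The following is an added model of that mistake and of the fix, not the kernel's code: a small fixed-size scatterlist stand-in, a filler that counts rather than performs the out-of-bounds writes, and the two callers side by side. All names here (sgl_model, extract_to_sg_model, sendmsg_buggy, sendmsg_fixed) are hypothetical and the page values are constructed.

```c
#include <stdio.h>

/*
 * Added example, not kernel code: a constructed model of the limit mix-up the
 * commit fixes.  A scatterlist of MAX_SGL_ENTS entries may already have `cur`
 * entries populated; the extractor must be told how much room is left, not
 * how big the array is.
 */
#define MAX_SGL_ENTS 8      /* constructed: small enough to see the overrun */

struct sgl_model {
    unsigned long page[MAX_SGL_ENTS];   /* stand-in for struct scatterlist[] */
    unsigned int cur;                   /* entries already populated */
};

/*
 * Stand-in for extract_iter_to_sg(): fills up to sg_max entries starting at
 * the cursor.  Where the real function would write past the array (the KASAN
 * slab-out-of-bounds in the report), this model counts the entry in *overrun
 * and skips the write.  Returns the number of entries actually written.
 */
static unsigned int extract_to_sg_model(struct sgl_model *sgl,
                                        const unsigned long *pages,
                                        unsigned int npages,
                                        unsigned int sg_max,
                                        unsigned int *overrun)
{
    unsigned int n = npages < sg_max ? npages : sg_max;
    unsigned int written = 0;

    *overrun = 0;
    for (unsigned int i = 0; i < n; i++) {
        unsigned int idx = sgl->cur + i;

        if (idx >= MAX_SGL_ENTS) {
            (*overrun)++;
            continue;
        }
        sgl->page[idx] = pages[i];
        written++;
    }
    sgl->cur += written;
    return written;
}

/* Simulate one sendmsg() with `cur` entries already used and `npages` to add;
 * returns how many entries would have been written out of bounds. */
static unsigned int simulate(unsigned int cur, unsigned int npages,
                             unsigned int sg_max)
{
    struct sgl_model sgl = { .cur = cur };
    unsigned long pages[MAX_SGL_ENTS];
    unsigned int overrun;

    if (npages > MAX_SGL_ENTS)
        npages = MAX_SGL_ENTS;
    for (unsigned int i = 0; i < npages; i++)
        pages[i] = 0x1000UL * (i + 1);  /* constructed page identities */
    extract_to_sg_model(&sgl, pages, npages, sg_max, &overrun);
    return overrun;
}

/* Before the fix: the limit is the array size, ignoring entries already used. */
unsigned int sendmsg_buggy(unsigned int cur, unsigned int npages)
{
    return simulate(cur, npages, MAX_SGL_ENTS);
}

/* After the fix: the limit is the remaining room, MAX_SGL_ENTS - cur. */
unsigned int sendmsg_fixed(unsigned int cur, unsigned int npages)
{
    if (cur > MAX_SGL_ENTS)
        cur = MAX_SGL_ENTS;
    return simulate(cur, npages, MAX_SGL_ENTS - cur);
}

int main(void)
{
    printf("cur=3, 8 pages: buggy overruns %u entries, fixed overruns %u\n",
           sendmsg_buggy(3, 8), sendmsg_fixed(3, 8));
    return 0;
}
```

The model also shows why the bug is easy to miss in testing: with few pages per call (cur + npages never exceeding the array) both callers behave identically, and only a large send arriving when the list is already partly full trips it, which matches the report coming from a fuzzer rather than ordinary use.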
-
- Jun 16, 2023
-
-
Franziska Naepelt authored
The following checkpatch warning has been fixed:
- WARNING: Missing a blank line after declarations
Signed-off-by: Franziska Naepelt <franziska.naepelt@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- Jun 13, 2023
-
-
David Howells authored
Remove hash_sendpage*() as nothing should now call it since the rewrite of splice_to_socket()[1].
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
Link: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=2dc334f1a63a8839b88483a3e73c0f27c9c1791c [1]
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-
- Jun 08, 2023
-
-
Make AF_ALG sendmsg() support MSG_SPLICE_PAGES in the hashing code. This causes pages to be spliced from the source iterator if possible. This allows ->sendpage() to be replaced by something that can handle multiple multipage folios in a single transaction.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
cc: linux-crypto@vger.kernel.org
cc: netdev@vger.kernel.org
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-
Convert af_alg_sendpage() to use sendmsg() with MSG_SPLICE_PAGES rather than directly splicing in the pages itself. This allows ->sendpage() to be replaced by something that can handle multiple multipage folios in a single transaction.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
cc: linux-crypto@vger.kernel.org
cc: netdev@vger.kernel.org
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-
Make AF_ALG sendmsg() support MSG_SPLICE_PAGES. This causes pages to be spliced from the source iterator. This allows ->sendpage() to be replaced by something that can handle multiple multipage folios in a single transaction.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
cc: linux-crypto@vger.kernel.org
cc: netdev@vger.kernel.org
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-
Put the loop in af_alg_sendmsg() into an if-statement to indent it to make the next patch easier to review as that will add another branch to handle MSG_SPLICE_PAGES to the if-statement.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
cc: linux-crypto@vger.kernel.org
cc: netdev@vger.kernel.org
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-
Use extract_iter_to_sg() to decant the destination iterator into a scatterlist in af_alg_get_rsgl(). af_alg_make_sg() can then be removed.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
cc: linux-crypto@vger.kernel.org
cc: netdev@vger.kernel.org
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-
Convert AF_ALG to use iov_iter_extract_pages() instead of iov_iter_get_pages(). This will pin pages or leave them unaltered rather than getting a ref on them as appropriate to the iterator. The pages need to be pinned for DIO-read rather than having refs taken on them to prevent VM copy-on-write from malfunctioning during a concurrent fork() (the result of the I/O would otherwise end up only visible to the child process and not the parent).
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
cc: linux-crypto@vger.kernel.org
cc: netdev@vger.kernel.org
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-
- Jun 02, 2023
-
-
Roberto Sassu authored
Commit ac4e97ab ("scatterlist: sg_set_buf() argument must be in linear mapping") checks that both the signature and the digest reside in the linear mapping area. However, more recently commit ba14a194 ("fork: Add generic vmalloced stack support") made it possible to move the stack in the vmalloc area, which is not contiguous, and thus not suitable for sg_set_buf() which needs adjacent pages. Always make a copy of the signature and digest in the same buffer used to store the key and its parameters, and pass them to sg_init_one(). Prefer it to conditionally doing the copy if necessary, to keep the code simple. The buffer allocated with kmalloc() is in the linear mapping area.
Cc: stable@vger.kernel.org # 4.9.x
Fixes: ba14a194 ("fork: Add generic vmalloced stack support")
Link: https://lore.kernel.org/linux-integrity/Y4pIpxbjBdajymBJ@sol.localdomain/
Suggested-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
-
Stephan Müller authored
With the update of the permanent and intermittent health errors, the actual indicator for the health test indicates a potential error only for the one offending time stamp gathered in the current iteration round. The next iteration round will "overwrite" the health test result. Thus, the entropy collection loop in jent_gen_entropy checks for the health test failure upon each loop iteration. However, the initialization operation checked for the APT health test once for an APT window which implies it would not catch most errors. Thus, the check for all health errors is now invoked unconditionally during each loop iteration for the startup test. With the change, the error JENT_ERCT becomes unused as all health errors are only reported with the JENT_HEALTH return code. This allows the removal of the error indicator.
Fixes: 3fde2fe9 ("crypto: jitter - permanent and intermittent health errors")
Reported-by: Joachim Vandersmissen <git@jvdsn.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- May 24, 2023
-
-
Eric Biggers authored
Make the help text for CRYPTO_STATS explicitly mention that it reduces the performance of the crypto API.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
Some shash algorithms are so simple that they don't have an init_tfm function. These can be cloned trivially. Check this before failing in crypto_clone_shash.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
Allow cmac to be cloned. The underlying cipher needs to support cloning by not having a cra_init function (all implementations of aes that do not require a fallback can be cloned).
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
Allow simple ciphers to be cloned, if they don't have a cra_init function. This basically rules out those ciphers that require a fallback. In future simple ciphers will be eliminated, and replaced with a linear skcipher interface. When that happens this restriction will disappear.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
Use the modern init_tfm/exit_tfm interface instead of the obsolete cra_init/cra_exit interface.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Arnd Bergmann authored
gcc warns if prototypes are only visible to the caller but not the callee:
crypto/aegis128-neon-inner.c:134:6: warning: no previous prototype for 'crypto_aegis128_init_neon' [-Wmissing-prototypes]
crypto/aegis128-neon-inner.c:164:6: warning: no previous prototype for 'crypto_aegis128_update_neon' [-Wmissing-prototypes]
crypto/aegis128-neon-inner.c:221:6: warning: no previous prototype for 'crypto_aegis128_encrypt_chunk_neon' [-Wmissing-prototypes]
crypto/aegis128-neon-inner.c:270:6: warning: no previous prototype for 'crypto_aegis128_decrypt_chunk_neon' [-Wmissing-prototypes]
crypto/aegis128-neon-inner.c:316:5: warning: no previous prototype for 'crypto_aegis128_final_neon' [-Wmissing-prototypes]
The prototypes cannot be in the regular aegis.h, as the inner neon code cannot include normal kernel headers. Instead add a new header just for the functions provided by this file.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- May 12, 2023
-
-
Stephan Müller authored
The test interface allows a privileged process to capture the raw unconditioned noise that is collected by the Jitter RNG for statistical analysis. Such testing allows the analysis of how much entropy the Jitter RNG noise source provides on a given platform. The obtained data is the time stamp sampled by the Jitter RNG. Considering that the Jitter RNG inserts the delta of this time stamp compared to the immediately preceding time stamp, the obtained data needs to be post-processed accordingly to obtain the data the Jitter RNG inserts into its entropy pool. The raw entropy collection is provided to obtain the raw unmodified time stamps that are about to be added to the Jitter RNG entropy pool and are credited with entropy. Thus, this patch adds an interface which renders the Jitter RNG insecure. This patch is NOT INTENDED FOR PRODUCTION SYSTEMS, but solely for development/test systems to verify the available entropy rate. Access to the data is given through the jent_raw_hires debugfs file. The data buffer should be multiples of sizeof(u32) to fill the entire buffer. Using the option jitterentropy_testing.boot_raw_hires_test=1 the raw noise of the first 1000 entropy events since boot can be sampled. This test interface allows generating the data required for analysis whether the Jitter RNG is in compliance with SP800-90B sections 3.1.3 and 3.1.4. If the test interface is not compiled, its code is a noop which has no impact on the performance.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Stephan Müller authored
Using the kernel crypto API, the SHA3-256 algorithm is used as conditioning element to replace the LFSR in the Jitter RNG. All other parts of the Jitter RNG are unchanged. The application and use of the SHA-3 conditioning operation is identical to the user space Jitter RNG 3.4.0 by applying the following concept:
- the Jitter RNG initializes a SHA-3 state which acts as the "entropy pool" when the Jitter RNG is allocated.
- When a new time delta is obtained, it is inserted into the "entropy pool" with a SHA-3 update operation. Note, this operation in most of the cases is a simple memcpy() onto the SHA-3 stack.
- To cause a true SHA-3 operation for each time delta operation, a second SHA-3 operation is performed hashing Jitter RNG status information. The final message digest is also inserted into the "entropy pool" with a SHA-3 update operation. Yet, this data is not considered to provide any entropy, but it shall stir the entropy pool.
- To generate a random number, a SHA-3 final operation is performed to calculate a message digest followed by an immediate SHA-3 init to re-initialize the "entropy pool". The obtained message digest is one block of the Jitter RNG that is returned to the caller.
Mathematically speaking, the random number generated by the Jitter RNG is:
aux_t = SHA-3(Jitter RNG state data)
Jitter RNG block = SHA-3(time_i || aux_i || time_(i-1) || aux_(i-1) || ... || time_(i-255) || aux_(i-255))
when assuming that the OSR = 1, i.e. the default value. This operation implies that the Jitter RNG has an output-blocksize of 256 bits instead of the 64 bits of the LFSR-based Jitter RNG that is replaced with this patch. The patch also replaces the varying number of invocations of the conditioning function with one fixed number of invocations. The use of the conditioning function is consistent with the userspace Jitter RNG library version 3.4.0.
The code is tested with a system that exhibited the least amount of entropy generated by the Jitter RNG: the SiFive Unmatched RISC-V system. The measured entropy rate is well above the heuristically implied entropy value of 1 bit of entropy per time delta. On all other tested systems, the measured entropy rate is even higher by orders of magnitude. The measurement was performed using updated tooling provided with the user space Jitter RNG library test framework. The performance of the Jitter RNG with this patch is about on par with the performance of the Jitter RNG without the patch.
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
Move the crypto_ahash_alg helper into include/crypto/internal so that drivers can use it.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
As ahash drivers may need to use fallbacks, their state size is thus variable. Deal with this by making it an attribute of crypto_ahash.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- May 02, 2023
-
-
Ondrej Mosnacek authored
Checking the config via ifdef incorrectly compiles out the report functions when CRYPTO_USER is set to =m. Fix it by using IS_ENABLED() instead.
Fixes: c0f9e01d ("crypto: api - Check CRYPTO_USER instead of NET for report")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-