  2. 23 Oct, 2018 1 commit
    • Revert "net: simplify sock_poll_wait" · 89ab066d
      Karsten Graul authored
      This reverts commit dd979b4d.
      
      This broke tcp_poll for SMC fallback: An AF_SMC socket establishes an
      internal TCP socket for the initial handshake with the remote peer.
      Whenever the SMC connection cannot be established, this TCP socket is
      used as a fallback. All socket operations on the SMC socket are then
      forwarded to the TCP socket. In case of poll, the file->private_data
      pointer references the SMC socket because the TCP socket has no file
      assigned. This causes tcp_poll to wait on the wrong socket.
      Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      89ab066d
  4. 08 Oct, 2018 2 commits
    • crypto: aegis/generic - fix for big endian systems · 4a34e3c2
      Ard Biesheuvel authored
      Use the correct __le32 annotation and accessors to perform the
      single round of AES encryption performed inside the AEGIS transform.
      Otherwise, tcrypt reports:
      
        alg: aead: Test 1 failed on encryption for aegis128-generic
        00000000: 6c 25 25 4a 3c 10 1d 27 2b c1 d4 84 9a ef 7f 6e
        alg: aead: Test 1 failed on encryption for aegis128l-generic
        00000000: cd c6 e3 b8 a0 70 9d 8e c2 4f 6f fe 71 42 df 28
        alg: aead: Test 1 failed on encryption for aegis256-generic
        00000000: aa ed 07 b1 96 1d e9 e6 f2 ed b5 8e 1c 5f dc 1c
      
      Fixes: f606a88e ("crypto: aegis - Add generic AEGIS AEAD implementations")
      Cc: <stable@vger.kernel.org> # v4.18+
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      4a34e3c2
    • crypto: morus/generic - fix for big endian systems · 5a8dedfa
      Ard Biesheuvel authored
      Omit the endian swabbing when folding the lengths of the assoc and
      crypt input buffers into the state to finalize the tag. This is not
      necessary given that the memory representation of the state is in
      machine native endianness already.
      
      This fixes an error reported by tcrypt running on a big endian system:
      
        alg: aead: Test 2 failed on encryption for morus640-generic
        00000000: a8 30 ef fb e6 26 eb 23 b0 87 dd 98 57 f3 e1 4b
        00000010: 21
        alg: aead: Test 2 failed on encryption for morus1280-generic
        00000000: 88 19 1b fb 1c 29 49 0e ee 82 2f cb 97 a6 a5 ee
        00000010: 5f
      
      Fixes: 396be41f ("crypto: morus - Add generic MORUS AEAD implementations")
      Cc: <stable@vger.kernel.org> # v4.18+
      Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      5a8dedfa
  7. 21 Sep, 2018 6 commits
    • crypto: lrw - Do not use auxiliary buffer · ac3c8f36
      Ondrej Mosnacek authored
      This patch simplifies the LRW template to recompute the LRW tweaks from
      scratch in the second pass and thus also removes the need to allocate a
      dynamic buffer using kmalloc().
      
      As discussed at [1], the use of kmalloc causes deadlocks with dm-crypt.
      
      PERFORMANCE MEASUREMENTS (x86_64)
      Performed using: https://gitlab.com/omos/linux-crypto-bench
      Crypto driver used: lrw(ecb-aes-aesni)
      
      The results show that the new code has about the same performance as the
      old code. For 512-byte message it seems to be even slightly faster, but
      that might be just noise.
      
      Before:
             ALGORITHM KEY (b)        DATA (B)   TIME ENC (ns)   TIME DEC (ns)
              lrw(aes)     256              64             200             203
              lrw(aes)     320              64             202             204
              lrw(aes)     384              64             204             205
              lrw(aes)     256             512             415             415
              lrw(aes)     320             512             432             440
              lrw(aes)     384             512             449             451
              lrw(aes)     256            4096            1838            1995
              lrw(aes)     320            4096            2123            1980
              lrw(aes)     384            4096            2100            2119
              lrw(aes)     256           16384            7183            6954
              lrw(aes)     320           16384            7844            7631
              lrw(aes)     384           16384            8256            8126
              lrw(aes)     256           32768           14772           14484
              lrw(aes)     320           32768           15281           15431
              lrw(aes)     384           32768           16469           16293
      
      After:
             ALGORITHM KEY (b)        DATA (B)   TIME ENC (ns)   TIME DEC (ns)
              lrw(aes)     256              64             197             196
              lrw(aes)     320              64             200             197
              lrw(aes)     384              64             203             199
              lrw(aes)     256             512             385             380
              lrw(aes)     320             512             401             395
              lrw(aes)     384             512             415             415
              lrw(aes)     256            4096            1869            1846
              lrw(aes)     320            4096            2080            1981
              lrw(aes)     384            4096            2160            2109
              lrw(aes)     256           16384            7077            7127
              lrw(aes)     320           16384            7807            7766
              lrw(aes)     384           16384            8108            8357
              lrw(aes)     256           32768           14111           14454
              lrw(aes)     320           32768           15268           15082
              lrw(aes)     384           32768           16581           16250
      
      [1] https://lkml.org/lkml/2018/8/23/1315
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      ac3c8f36
    • crypto: lrw - Optimize tweak computation · c778f96b
      Ondrej Mosnacek authored
      This patch rewrites the tweak computation to a slightly simpler method
      that performs fewer bswaps. Based on performance measurements the new
      code seems to provide slightly better performance than the old one.
      
      PERFORMANCE MEASUREMENTS (x86_64)
      Performed using: https://gitlab.com/omos/linux-crypto-bench
      Crypto driver used: lrw(ecb-aes-aesni)
      
      Before:
             ALGORITHM KEY (b)        DATA (B)   TIME ENC (ns)   TIME DEC (ns)
              lrw(aes)     256              64             204             286
              lrw(aes)     320              64             227             203
              lrw(aes)     384              64             208             204
              lrw(aes)     256             512             441             439
              lrw(aes)     320             512             456             455
              lrw(aes)     384             512             469             483
              lrw(aes)     256            4096            2136            2190
              lrw(aes)     320            4096            2161            2213
              lrw(aes)     384            4096            2295            2369
              lrw(aes)     256           16384            7692            7868
              lrw(aes)     320           16384            8230            8691
              lrw(aes)     384           16384            8971            8813
              lrw(aes)     256           32768           15336           15560
              lrw(aes)     320           32768           16410           16346
              lrw(aes)     384           32768           18023           17465
      
      After:
             ALGORITHM KEY (b)        DATA (B)   TIME ENC (ns)   TIME DEC (ns)
              lrw(aes)     256              64             200             203
              lrw(aes)     320              64             202             204
              lrw(aes)     384              64             204             205
              lrw(aes)     256             512             415             415
              lrw(aes)     320             512             432             440
              lrw(aes)     384             512             449             451
              lrw(aes)     256            4096            1838            1995
              lrw(aes)     320            4096            2123            1980
              lrw(aes)     384            4096            2100            2119
              lrw(aes)     256           16384            7183            6954
              lrw(aes)     320           16384            7844            7631
              lrw(aes)     384           16384            8256            8126
              lrw(aes)     256           32768           14772           14484
              lrw(aes)     320           32768           15281           15431
              lrw(aes)     384           32768           16469           16293
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      c778f96b
    • crypto: testmgr - Add test for LRW counter wrap-around · dc6d6d5a
      Ondrej Mosnacek authored
      This patch adds a test vector for lrw(aes) that triggers wrap-around of
      the counter, which is a tricky corner case.
      Suggested-by: Eric Biggers <ebiggers@kernel.org>
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      dc6d6d5a
    • crypto: lrw - Fix out-of-bounds access on counter overflow · fbe1a850
      Ondrej Mosnacek authored
      When the LRW block counter overflows, the current implementation returns
      128 as the index to the precomputed multiplication table, which has 128
      entries. This patch fixes it to return the correct value (127).
      
      Fixes: 64470f1b ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode")
      Cc: <stable@vger.kernel.org> # 2.6.20+
      Reported-by: Eric Biggers <ebiggers@kernel.org>
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      fbe1a850
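      The wrap-around corner case that this fix and the new test vector (dc6d6d5a above) cover, as an added Python model that is not the kernel's code: it builds the 128-entry multiplication table, steps the tweak with the corrected index, and checks the result against direct field multiplication across a counter wrap. The sample key K2 and the start counter are constructed values.

```python
# Added model (not kernel code) of the LRW sequential-tweak optimisation in
# GF(2^128) mod x^128+x^7+x^2+x+1 (bit i of an int = coefficient of x^i).
MASK128 = (1 << 128) - 1

def gf_mul(a, b):
    """Multiply two field elements (schoolbook; illustration only)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:                 # reduce x^128 -> x^7 + x^2 + x + 1
            a = (a & MASK128) ^ 0x87
    return r

def build_mulinc(k2):
    """mulinc[i] = K2 * (x^i + ... + x + 1): the XOR delta between the tweaks
    of blocks n and n+1 when n has exactly i trailing one bits."""
    return [gf_mul(k2, (1 << (i + 1)) - 1) for i in range(128)]

def next_index(counter):
    """Return (table index, incremented counter); the index is the number of
    trailing ones in the old counter.  On wrap-around every bit flips, so the
    delta is mulinc[127]; the pre-fix code yielded 128, past the table end."""
    i = 0
    while i < 128 and (counter >> i) & 1:
        i += 1
    if i == 128:
        return 127, 0                # counter was all ones: wrap to zero
    return i, counter + 1

def lrw_tweaks(k2, start, nblocks):
    """Tweaks for nblocks consecutive blocks, computed incrementally."""
    mulinc = build_mulinc(k2)
    t = gf_mul(k2, start)            # T <- K2 * I for the first block
    counter, out = start, [t]
    for _ in range(nblocks - 1):
        i, counter = next_index(counter)
        t ^= mulinc[i]
        out.append(t)
    return out

def direct_tweaks(k2, start, nblocks):
    """Reference: K2 * ((I + n) mod 2^128) per block, no optimisation."""
    return [gf_mul(k2, (start + n) & MASK128) for n in range(nblocks)]

K2 = 0x2b7e151628aed2a6abf7158809cf4f3c     # constructed sample key
START = MASK128 - 2                          # counter wraps on the 4th block
assert lrw_tweaks(K2, START, 6) == direct_tweaks(K2, START, 6)
```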
    • crypto: tcrypt - fix ghash-generic speed test · 331351f8
      Horia Geantă authored
      ghash is a keyed hash algorithm, thus setkey needs to be called.
      Otherwise the following error occurs:
      $ modprobe tcrypt mode=318 sec=1
      testing speed of async ghash-generic (ghash-generic)
      tcrypt: test  0 (   16 byte blocks,   16 bytes per update,   1 updates):
      tcrypt: hashing failed ret=-126
      
      Cc: <stable@vger.kernel.org> # 4.6+
      Fixes: 0660511c ("crypto: tcrypt - Use ahash")
      Tested-by: Franck Lenormand <franck.lenormand@nxp.com>
      Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
      Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      331351f8
    • crypto: chacha20 - Fix chacha20_block() keystream alignment (again) · a5e9f557
      Eric Biggers authored
      In commit 9f480fae ("crypto: chacha20 - Fix keystream alignment for
      chacha20_block()"), I had missed that chacha20_block() can be called
      directly on the buffer passed to get_random_bytes(), which can have any
      alignment.  So, while my commit didn't break anything, it didn't fully
      solve the alignment problems.
      
      Revert my solution and just update chacha20_block() to use
      put_unaligned_le32(), so the output buffer need not be aligned.
      This is simpler, and on many CPUs it's the same speed.
      
      But, I kept the 'tmp' buffers in extract_crng_user() and
      _get_random_bytes() 4-byte aligned, since that alignment is actually
      needed for _crng_backtrack_protect() too.
      Reported-by: Stephan Müller <smueller@chronox.de>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      a5e9f557