1. 11 2月, 2017 5 次提交
    • A
      crypto: improve gcc optimization flags for serpent and wp512 · 7d6e9105
      Arnd Bergmann 提交于
      An ancient gcc bug (first reported in 2003) has apparently resurfaced
      on MIPS, where kernelci.org reports an overly large stack frame in the
      whirlpool hash algorithm:
      
      crypto/wp512.c:987:1: warning: the frame size of 1112 bytes is larger than 1024 bytes [-Wframe-larger-than=]
      
      With some testing in different configurations, I'm seeing large
      variations in stack frames size up to 1500 bytes for what should have
      around 300 bytes at most. I also checked the reference implementation,
      which is essentially the same code but also comes with some test and
      benchmarking infrastructure.
      
      It seems that recent compiler versions on at least arm, arm64 and powerpc
      have a partial fix for this problem, but enabling "-fsched-pressure", but
      even with that fix they suffer from the issue to a certain degree. Some
      testing on arm64 shows that the time needed to hash a given amount of
      data is roughly proportional to the stack frame size here, which makes
      sense given that the wp512 implementation is doing lots of loads for
      table lookups, and the problem with the overly large stack is a result
      of doing a lot more loads and stores for spilled registers (as seen from
      inspecting the object code).
      
      Disabling -fschedule-insns consistently fixes the problem for wp512,
      in my collection of cross-compilers, the results are consistently better
      or identical when comparing the stack sizes in this function, though
      some architectures (notable x86) have schedule-insns disabled by
      default.
      
      The four columns are:
      default: -O2
      press:	 -O2 -fsched-pressure
      nopress: -O2 -fschedule-insns -fno-sched-pressure
      nosched: -O2 -no-schedule-insns (disables sched-pressure)
      
      				default	press	nopress	nosched
      alpha-linux-gcc-4.9.3		1136	848	1136	176
      am33_2.0-linux-gcc-4.9.3	2100	2076	2100	2104
      arm-linux-gnueabi-gcc-4.9.3	848	848	1048	352
      cris-linux-gcc-4.9.3		272	272	272	272
      frv-linux-gcc-4.9.3		1128	1000	1128	280
      hppa64-linux-gcc-4.9.3		1128	336	1128	184
      hppa-linux-gcc-4.9.3		644	308	644	276
      i386-linux-gcc-4.9.3		352	352	352	352
      m32r-linux-gcc-4.9.3		720	656	720	268
      microblaze-linux-gcc-4.9.3	1108	604	1108	256
      mips64-linux-gcc-4.9.3		1328	592	1328	208
      mips-linux-gcc-4.9.3		1096	624	1096	240
      powerpc64-linux-gcc-4.9.3	1088	432	1088	160
      powerpc-linux-gcc-4.9.3		1080	584	1080	224
      s390-linux-gcc-4.9.3		456	456	624	360
      sh3-linux-gcc-4.9.3		292	292	292	292
      sparc64-linux-gcc-4.9.3		992	240	992	208
      sparc-linux-gcc-4.9.3		680	592	680	312
      x86_64-linux-gcc-4.9.3		224	240	272	224
      xtensa-linux-gcc-4.9.3		1152	704	1152	304
      
      aarch64-linux-gcc-7.0.0		224	224	1104	208
      arm-linux-gnueabi-gcc-7.0.1	824	824	1048	352
      mips-linux-gcc-7.0.0		1120	648	1120	272
      x86_64-linux-gcc-7.0.1		240	240	304	240
      
      arm-linux-gnueabi-gcc-4.4.7	840			392
      arm-linux-gnueabi-gcc-4.5.4	784	728	784	320
      arm-linux-gnueabi-gcc-4.6.4	736	728	736	304
      arm-linux-gnueabi-gcc-4.7.4	944	784	944	352
      arm-linux-gnueabi-gcc-4.8.5	464	464	760	352
      arm-linux-gnueabi-gcc-4.9.3	848	848	1048	352
      arm-linux-gnueabi-gcc-5.3.1	824	824	1064	336
      arm-linux-gnueabi-gcc-6.1.1	808	808	1056	344
      arm-linux-gnueabi-gcc-7.0.1	824	824	1048	352
      
      Trying the same test for serpent-generic, the picture is a bit different,
      and while -fno-schedule-insns is generally better here than the default,
      -fsched-pressure wins overall, so I picked that instead.
      
      				default	press	nopress	nosched
      alpha-linux-gcc-4.9.3		1392	864	1392	960
      am33_2.0-linux-gcc-4.9.3	536	524	536	528
      arm-linux-gnueabi-gcc-4.9.3	552	552	776	536
      cris-linux-gcc-4.9.3		528	528	528	528
      frv-linux-gcc-4.9.3		536	400	536	504
      hppa64-linux-gcc-4.9.3		524	208	524	480
      hppa-linux-gcc-4.9.3		768	472	768	508
      i386-linux-gcc-4.9.3		564	564	564	564
      m32r-linux-gcc-4.9.3		712	576	712	532
      microblaze-linux-gcc-4.9.3	724	392	724	512
      mips64-linux-gcc-4.9.3		720	384	720	496
      mips-linux-gcc-4.9.3		728	384	728	496
      powerpc64-linux-gcc-4.9.3	704	304	704	480
      powerpc-linux-gcc-4.9.3		704	296	704	480
      s390-linux-gcc-4.9.3		560	560	592	536
      sh3-linux-gcc-4.9.3		540	540	540	540
      sparc64-linux-gcc-4.9.3		544	352	544	496
      sparc-linux-gcc-4.9.3		544	344	544	496
      x86_64-linux-gcc-4.9.3		528	536	576	528
      xtensa-linux-gcc-4.9.3		752	544	752	544
      
      aarch64-linux-gcc-7.0.0		432	432	656	480
      arm-linux-gnueabi-gcc-7.0.1	616	616	808	536
      mips-linux-gcc-7.0.0		720	464	720	488
      x86_64-linux-gcc-7.0.1		536	528	600	536
      
      arm-linux-gnueabi-gcc-4.4.7	592			440
      arm-linux-gnueabi-gcc-4.5.4	776	448	776	544
      arm-linux-gnueabi-gcc-4.6.4	776	448	776	544
      arm-linux-gnueabi-gcc-4.7.4	768	448	768	544
      arm-linux-gnueabi-gcc-4.8.5	488	488	776	544
      arm-linux-gnueabi-gcc-4.9.3	552	552	776	536
      arm-linux-gnueabi-gcc-5.3.1	552	552	776	536
      arm-linux-gnueabi-gcc-6.1.1	560	560	776	536
      arm-linux-gnueabi-gcc-7.0.1	616	616	808	536
      
      I did not do any runtime tests with serpent, so it is possible that stack
      frame size does not directly correlate with runtime performance here and
      it actually makes things worse, but it's more likely to help here, and
      the reduced stack frame size is probably enough reason to apply the patch,
      especially given that the crypto code is often used in deep call chains.
      
      Link: https://kernelci.org/build/id/58797d7559b5149efdf6c3a9/logs/
      Link: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=11488
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      7d6e9105
    • A
      crypto: ccm - switch to separate cbcmac driver · f15f05b0
      Ard Biesheuvel 提交于
      Update the generic CCM driver to defer CBC-MAC processing to a
      dedicated CBC-MAC ahash transform rather than open coding this
      transform (and much of the associated scatterwalk plumbing) in
      the CCM driver itself.
      
      This cleans up the code considerably, but more importantly, it allows
      the use of alternative CBC-MAC implementations that don't suffer from
      performance degradation due to significant setup time (e.g., the NEON
      based AES code needs to enable/disable the NEON, and load the S-box
      into 16 SIMD registers, which cannot be amortized over the entire input
      when using the cipher interface)
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      f15f05b0
    • A
      crypto: testmgr - add test cases for cbcmac(aes) · 092acf06
      Ard Biesheuvel 提交于
      In preparation of splitting off the CBC-MAC transform in the CCM
      driver into a separate algorithm, define some test cases for the
      AES incarnation of cbcmac.
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      092acf06
    • A
      crypto: aes - add generic time invariant AES cipher · b5e0b032
      Ard Biesheuvel 提交于
      Lookup table based AES is sensitive to timing attacks, which is due to
      the fact that such table lookups are data dependent, and the fact that
      8 KB worth of tables covers a significant number of cachelines on any
      architecture, resulting in an exploitable correlation between the key
      and the processing time for known plaintexts.
      
      For network facing algorithms such as CTR, CCM or GCM, this presents a
      security risk, which is why arch specific AES ports are typically time
      invariant, either through the use of special instructions, or by using
      SIMD algorithms that don't rely on table lookups.
      
      For generic code, this is difficult to achieve without losing too much
      performance, but we can improve the situation significantly by switching
      to an implementation that only needs 256 bytes of table data (the actual
      S-box itself), which can be prefetched at the start of each block to
      eliminate data dependent latencies.
      
      This code encrypts at ~25 cycles per byte on ARM Cortex-A57 (while the
      ordinary generic AES driver manages 18 cycles per byte on this
      hardware). Decryption is substantially slower.
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      b5e0b032
    • A
      crypto: aes-generic - drop alignment requirement · ec38a937
      Ard Biesheuvel 提交于
      The generic AES code exposes a 32-bit align mask, which forces all
      users of the code to use temporary buffers or take other measures to
      ensure the alignment requirement is adhered to, even on architectures
      that don't care about alignment for software algorithms such as this
      one.
      
      So drop the align mask, and fix the code to use get_unaligned_le32()
      where appropriate, which will resolve to whatever is optimal for the
      architecture.
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      ec38a937
  2. 03 2月, 2017 1 次提交
  3. 23 1月, 2017 2 次提交
  4. 13 1月, 2017 4 次提交
    • A
      crypto: testmgr - use calculated count for number of test vectors · 21c8e720
      Ard Biesheuvel 提交于
      When working on AES in CCM mode for ARM, my code passed the internal
      tcrypt test before I had even bothered to implement the AES-192 and
      AES-256 code paths, which is strange because the tcrypt does contain
      AES-192 and AES-256 test vectors for CCM.
      
      As it turned out, the define AES_CCM_ENC_TEST_VECTORS was out of sync
      with the actual number of test vectors, causing only the AES-128 ones
      to be executed.
      
      So get rid of the defines, and wrap the test vector references in a
      macro that calculates the number of vectors automatically.
      
      The following test vector counts were out of sync with the respective
      defines:
      
          BF_CTR_ENC_TEST_VECTORS          2 ->  3
          BF_CTR_DEC_TEST_VECTORS          2 ->  3
          TF_CTR_ENC_TEST_VECTORS          2 ->  3
          TF_CTR_DEC_TEST_VECTORS          2 ->  3
          SERPENT_CTR_ENC_TEST_VECTORS     2 ->  3
          SERPENT_CTR_DEC_TEST_VECTORS     2 ->  3
          AES_CCM_ENC_TEST_VECTORS         8 -> 14
          AES_CCM_DEC_TEST_VECTORS         7 -> 17
          AES_CCM_4309_ENC_TEST_VECTORS    7 -> 23
          AES_CCM_4309_DEC_TEST_VECTORS   10 -> 23
          CAMELLIA_CTR_ENC_TEST_VECTORS    2 ->  3
          CAMELLIA_CTR_DEC_TEST_VECTORS    2 ->  3
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      21c8e720
    • A
      crypto: testmgr - Allocate only the required output size for hash tests · e93acd6f
      Andrew Lutomirski 提交于
      There are some hashes (e.g. sha224) that have some internal trickery
      to make sure that only the correct number of output bytes are
      generated.  If something goes wrong, they could potentially overrun
      the output buffer.
      
      Make the test more robust by allocating only enough space for the
      correct output size so that memory debugging will catch the error if
      the output is overrun.
      
      Tested by intentionally breaking sha224 to output all 256
      internally-generated bits while running on KASAN.
      
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NAndy Lutomirski <luto@kernel.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      e93acd6f
    • G
      crypto: Replaced gcc specific attributes with macros from compiler.h · d8c34b94
      Gideon Israel Dsouza 提交于
      Continuing from this commit: 52f5684c
      ("kernel: use macros from compiler.h instead of __attribute__((...))")
      
      I submitted 4 total patches. They are part of task I've taken up to
      increase compiler portability in the kernel. I've cleaned up the
      subsystems under /kernel /mm /block and /security, this patch targets
      /crypto.
      
      There is <linux/compiler.h> which provides macros for various gcc specific
      constructs. Eg: __weak for __attribute__((weak)). I've cleaned all
      instances of gcc specific attributes with the right macros for the crypto
      subsystem.
      
      I had to make one additional change into compiler-gcc.h for the case when
      one wants to use this: __attribute__((aligned) and not specify an alignment
      factor. From the gcc docs, this will result in the largest alignment for
      that data type on the target machine so I've named the macro
      __aligned_largest. Please advise if another name is more appropriate.
      Signed-off-by: NGideon Israel Dsouza <gidisrael@gmail.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      d8c34b94
    • E
      crypto: testmgr - use kmemdup instead of kmalloc+memcpy · d2110224
      Eric Biggers 提交于
      It's recommended to use kmemdup instead of kmalloc followed by memcpy.
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      d2110224
  5. 30 12月, 2016 1 次提交
    • A
      crypto: skcipher - introduce walksize attribute for SIMD algos · c821f6ab
      Ard Biesheuvel 提交于
      In some cases, SIMD algorithms can only perform optimally when
      allowed to operate on multiple input blocks in parallel. This is
      especially true for bit slicing algorithms, which typically take
      the same amount of time processing a single block or 8 blocks in
      parallel. However, other SIMD algorithms may benefit as well from
      bigger strides.
      
      So add a walksize attribute to the skcipher algorithm definition, and
      wire it up to the skcipher walk API. To avoid confusion between the
      skcipher and AEAD attributes, rename the skcipher_walk chunksize
      attribute to 'stride', and set it from the walksize (in the skcipher
      case) or from the chunksize (in the AEAD case).
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      c821f6ab
  6. 27 12月, 2016 3 次提交
    • J
      crypto: algif_hash - avoid zero-sized array · 62071194
      Jiri Slaby 提交于
      With this reproducer:
        struct sockaddr_alg alg = {
                .salg_family = 0x26,
                .salg_type = "hash",
                .salg_feat = 0xf,
                .salg_mask = 0x5,
                .salg_name = "digest_null",
        };
        int sock, sock2;
      
        sock = socket(AF_ALG, SOCK_SEQPACKET, 0);
        bind(sock, (struct sockaddr *)&alg, sizeof(alg));
        sock2 = accept(sock, NULL, NULL);
        setsockopt(sock, SOL_ALG, ALG_SET_KEY, "\x9b\xca", 2);
        accept(sock2, NULL, NULL);
      
      ==== 8< ======== 8< ======== 8< ======== 8< ====
      
      one can immediatelly see an UBSAN warning:
      UBSAN: Undefined behaviour in crypto/algif_hash.c:187:7
      variable length array bound value 0 <= 0
      CPU: 0 PID: 15949 Comm: syz-executor Tainted: G            E      4.4.30-0-default #1
      ...
      Call Trace:
      ...
       [<ffffffff81d598fd>] ? __ubsan_handle_vla_bound_not_positive+0x13d/0x188
       [<ffffffff81d597c0>] ? __ubsan_handle_out_of_bounds+0x1bc/0x1bc
       [<ffffffffa0e2204d>] ? hash_accept+0x5bd/0x7d0 [algif_hash]
       [<ffffffffa0e2293f>] ? hash_accept_nokey+0x3f/0x51 [algif_hash]
       [<ffffffffa0e206b0>] ? hash_accept_parent_nokey+0x4a0/0x4a0 [algif_hash]
       [<ffffffff8235c42b>] ? SyS_accept+0x2b/0x40
      
      It is a correct warning, as hash state is propagated to accept as zero,
      but creating a zero-length variable array is not allowed in C.
      
      Fix this as proposed by Herbert -- do "?: 1" on that site. No sizeof or
      similar happens in the code there, so we just allocate one byte even
      though we do not use the array.
      Signed-off-by: NJiri Slaby <jslaby@suse.cz>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: "David S. Miller" <davem@davemloft.net> (maintainer:CRYPTO API)
      Reported-by: NSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      62071194
    • A
      crypto: chacha20 - convert generic and x86 versions to skcipher · 9ae433bc
      Ard Biesheuvel 提交于
      This converts the ChaCha20 code from a blkcipher to a skcipher, which
      is now the preferred way to implement symmetric block and stream ciphers.
      
      This ports the generic and x86 versions at the same time because the
      latter reuses routines of the former.
      
      Note that the skcipher_walk() API guarantees that all presented blocks
      except the final one are a multiple of the chunk size, so we can simplify
      the encrypt() routine somewhat.
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      9ae433bc
    • L
      crypto: testmgr - Use heap buffer for acomp test input · 02608e02
      Laura Abbott 提交于
      Christopher Covington reported a crash on aarch64 on recent Fedora
      kernels:
      
      kernel BUG at ./include/linux/scatterlist.h:140!
      Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 2 PID: 752 Comm: cryptomgr_test Not tainted 4.9.0-11815-ge93b1cc8 #162
      Hardware name: linux,dummy-virt (DT)
      task: ffff80007c650080 task.stack: ffff800008910000
      PC is at sg_init_one+0xa0/0xb8
      LR is at sg_init_one+0x24/0xb8
      ...
      [<ffff000008398db8>] sg_init_one+0xa0/0xb8
      [<ffff000008350a44>] test_acomp+0x10c/0x438
      [<ffff000008350e20>] alg_test_comp+0xb0/0x118
      [<ffff00000834f28c>] alg_test+0x17c/0x2f0
      [<ffff00000834c6a4>] cryptomgr_test+0x44/0x50
      [<ffff0000080dac70>] kthread+0xf8/0x128
      [<ffff000008082ec0>] ret_from_fork+0x10/0x50
      
      The test vectors used for input are part of the kernel image. These
      inputs are passed as a buffer to sg_init_one which eventually blows up
      with BUG_ON(!virt_addr_valid(buf)). On arm64, virt_addr_valid returns
      false for the kernel image since virt_to_page will not return the
      correct page. Fix this by copying the input vectors to heap buffer
      before setting up the scatterlist.
      Reported-by: NChristopher Covington <cov@codeaurora.org>
      Fixes: d7db7a88 ("crypto: acomp - update testmgr with support for acomp")
      Signed-off-by: NLaura Abbott <labbott@redhat.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      02608e02
  7. 14 12月, 2016 3 次提交
  8. 08 12月, 2016 2 次提交
  9. 07 12月, 2016 4 次提交
  10. 01 12月, 2016 3 次提交
  11. 30 11月, 2016 3 次提交
    • A
      crypto: skcipher - fix crash in skcipher_walk_aead() · 3cbf61fb
      Ard Biesheuvel 提交于
      The new skcipher_walk_aead() may crash in the following way due to
      the walk flag SKCIPHER_WALK_PHYS not being cleared at the start of the
      walk:
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000001
      [..]
      Internal error: Oops: 96000044 [#1] PREEMPT SMP
      [..]
      PC is at skcipher_walk_next+0x208/0x450
      LR is at skcipher_walk_next+0x1e4/0x450
      pc : [<ffff2b93b7104e20>] lr : [<ffff2b93b7104dfc>] pstate: 40000045
      sp : ffffb925fa517940
      [...]
      [<ffff2b93b7104e20>] skcipher_walk_next+0x208/0x450
      [<ffff2b93b710535c>] skcipher_walk_first+0x54/0x148
      [<ffff2b93b7105664>] skcipher_walk_aead+0xd4/0x108
      [<ffff2b93b6e77928>] ccm_encrypt+0x68/0x158
      
      So clear the flag at the appropriate time.
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      3cbf61fb
    • D
      crypto: rsa - Add Makefile dependencies to fix parallel builds · 57891633
      David Michael 提交于
      Both asn1 headers are included by rsa_helper.c, so rsa_helper.o
      should explicitly depend on them.
      Signed-off-by: NDavid Michael <david.michael@coreos.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      57891633
    • S
      crypto: drbg - prevent invalid SG mappings · 51029812
      Stephan Mueller 提交于
      When using SGs, only heap memory (memory that is valid as per
      virt_addr_valid) is allowed to be referenced. The CTR DRBG used to
      reference the caller-provided memory directly in an SG. In case the
      caller provided stack memory pointers, the SG mapping is not considered
      to be valid. In some cases, this would even cause a paging fault.
      
      The change adds a new scratch buffer that is used unconditionally to
      catch the cases where the caller-provided buffer is not suitable for
      use in an SG. The crypto operation of the CTR DRBG produces its output
      with that scratch buffer and finally copies the content of the
      scratch buffer to the caller's buffer.
      
      The scratch buffer is allocated during allocation time of the CTR DRBG
      as its access is protected with the DRBG mutex.
      Signed-off-by: NStephan Mueller <smueller@chronox.de>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      51029812
  12. 28 11月, 2016 9 次提交