Commit 5be4d4c9 ("crypto: replace scatterwalk_sg_next with sg_next")
did not consider the fact that scatterwalk_sg_next() was looking at
sg entry length, while sg_next() looks at the "chained" sg bit.

This should have no effect in theory. However in practice, there are
cases where the sg table is initialized to a number of entries and
some of them are not properly configured. While scatterwalk_sg_next()
would have returned NULL (since sg length = 0 and sg page_link = 0),
sg_next() happily returns the next unconfigured sg entry.

insmod tcrypt.ko mode=500 sec=1

testing speed of async cbc(aes) (cbc-aes-talitos) encryption
test 0 (128 bit key, 16 byte blocks):
Unable to handle kernel paging request for data at address 0x00000000
Faulting instruction address: 0xc00d79e4
Oops: Kernel access of bad area, sig: 11 [#1]
SMP NR_CPUS=8 P1022 DS
Modules linked in: tcrypt(+) talitos
CPU: 0 PID: 2670 Comm: insmod Not tainted 4.0.0-rc1-QorIQ-SDK-V1.6+g904f1ca82209 #1
task: e8de3200 ti: e70bc000 task.ti: e70bc000
NIP: c00d79e4 LR: f92d223c CTR: c00d79c8
REGS: e70bda00 TRAP: 0300   Not tainted  (4.0.0-rc1-QorIQ-SDK-V1.6+g904f1ca82209)
MSR: 00029000 <CE,EE,ME>  CR: 84428f22  XER: 00000000
DEAR: 00000000 ESR: 00000000
GPR00: f92d223c e70bdab0 e8de3200 00000000 e70bdbb8 00000001 00000000 00000000
GPR08: 00000000 00000000 c08b0380 27282010 c00d79c8 1003a634 00000000 e70bdf1c
GPR16: e70bdef0 00000020 00000000 c08c0000 00000010 00000000 e70bdbb8 00000010
GPR24: e976d3a8 00000010 00000000 e70bdbd8 e8961010 00000001 c086e560 00000000
NIP [c00d79e4] page_address+0x1c/0x110
LR [f92d223c] talitos_map_sg+0x130/0x184 [talitos]
Call Trace:
[e70bdab0] [00000010] 0x10 (unreliable)
[e70bdad0] [f92d223c] talitos_map_sg+0x130/0x184 [talitos]
[e70bdb00] [f92d30d8] common_nonsnoop.constprop.13+0xc0/0x304 [talitos]
[e70bdb30] [f933fd90] test_acipher_speed+0x434/0x7dc [tcrypt]
[e70bdcc0] [f934318c] do_test+0x2478/0x306c [tcrypt]
[e70bdd80] [f11fe058] tcrypt_mod_init+0x58/0x100 [tcrypt]
[e70bdda0] [c0002354] do_one_initcall+0x90/0x1f4
[e70bde10] [c061fe00] do_init_module+0x60/0x1ac
[e70bde30] [c00a79f0] load_module+0x185c/0x1f88
[e70bdee0] [c00a82b0] SyS_finit_module+0x7c/0x98
[e70bdf40] [c000e8b0] ret_from_syscall+0x0/0x3c
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Enable user to select OCTEON SHA1/256/512 modules.
Signed-off-by: NAaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Change the RNGs to always return 0 in success case.

This patch ensures that seqiv.c works with RNGs other than krng. seqiv
expects that any return code other than 0 is an error. Without the
patch, rfc4106(gcm(aes)) will not work when using a DRBG or an ANSI
X9.31 RNG.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The DRBG code contains memset(0) calls to initialize a varaible
that are not necessary as the variable is always overwritten by
the processing.

This patch increases the CTR and Hash DRBGs by about 5%.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The CTR DRBG only encrypts one single block at a time. Thus, use the
single block crypto API to avoid additional overhead from the block
chaining modes.

With the patch, the speed of the DRBG increases between 30% and 40%.

The DRBG still passes the CTR DRBG CAVS test.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Integrate the module into the kernel config tree.
Signed-off-by: NMarkus Stockhausen <stockhausen@collogia.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Enable compilation of the AEAD AF_ALG support and provide a Kconfig
option to compile the AEAD AF_ALG support.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the AEAD support for AF_ALG.

The implementation is based on algif_skcipher, but contains heavy
modifications to streamline the interface for AEAD uses.

To use AEAD, the user space consumer has to use the salg_type named
"aead".

The AEAD implementation includes some overhead to calculate the size of
the ciphertext, because the AEAD implementation of the kernel crypto API
makes implied assumption on the location of the authentication tag. When
performing an encryption, the tag will be added to the created
ciphertext (note, the tag is placed adjacent to the ciphertext). For
decryption, the caller must hand in the ciphertext with the tag appended
to the ciphertext. Therefore, the selection of the used memory
needs to add/subtract the tag size from the source/destination buffers
depending on the encryption type. The code is provided with comments
explaining when and how that operation is performed.

A fully working example using all aspects of AEAD is provided at
http://www.chronox.de/libkcapi.htmlSigned-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Integrate the module into the kernel config tree.
Signed-off-by: NMarkus Stockhausen <stockhausen@collogia.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Integrate the module into the kernel configuration
Signed-off-by: NMarkus Stockhausen <stockhausen@collogia.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Integrate the module into the kernel config tree.
Signed-off-by: NMarkus Stockhausen <stockhausen@collogia.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Commit 1d10eb2f ("crypto: switch af_alg_make_sg() to iov_iter")
broke af_alg_make_sg() and skcipher_recvmsg() in the process of moving
them to the iov_iter interfaces.  The 'npages' calculation in the formar
calculated the number of *bytes* in the pages, and in the latter case
the conversion didn't re-read the value of 'ctx->used' after waiting for
it to become non-zero.

This reverts to the original code for both these cases.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

See also: 9bac019dSigned-off-by: NCristian Stoica <cristian.stoica@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The working copy of IV is the same size as the transformation's IV.
It is not necessary to copy more than that from the template since
iv_len is usually less than MAX_IVLEN and the rest of the copied data
is garbage.
Signed-off-by: NCristian Stoica <cristian.stoica@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

- This fixes the intent of the code to limit the last scatterlist to
  either a full PAGE or a fraction of it, depending on the number of
  pages needed by buflen and the available space advertised by XBUFLEN.

  The original code always sets the last scatterlist to a fraction of a
  PAGE because the first 'if' is never executed.

- Rearrange the second part of the code to remove the conditional from
  the loop
Signed-off-by: NCristian Stoica <cristian.stoica@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

With that, all ->sendmsg() instances are converted to iov_iter primitives
and are agnostic wrt the kind of iov_iter they are working with.
So's the last remaining ->recvmsg() instance that wasn't kind-agnostic yet.
All ->sendmsg() and ->recvmsg() advance ->msg_iter by the amount actually
copied and none of them modifies the underlying iovec, etc.

Cc: linux-crypto@vger.kernel.org
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

This gcm variant is popular for ipsec use, and there are folks who would
like to use it while in fips mode. Mark it with fips_allowed=1 to
facilitate that.

CC: LKML <linux-kernel@vger.kernel.org>
CC: Stephan Mueller <smueller@atsec.com>
Signed-off-by: NJarod Wilson <jarod@redhat.com>
Acked-by: NStephan Mueller <smueller@atsec.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Modify crypto drivers to use the generic SG helper since
both of them are equivalent and the one from crypto is redundant.

See also:
  468577ab   reverted in
  b2ab4a57Signed-off-by: NCristian Stoica <cristian.stoica@freescale.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Since seqiv is designed for IPsec we need to be able to accomodate
the whole IPsec sequence number in order to ensure the uniqueness
of the IV.

This patch forbids any algorithm with an IV size of less than 8
from using it.  This should have no impact on existing users since
they all have an IV size of 8.
Reported-by: NMaciej ?enczykowski <zenczykowski@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NMaciej ?enczykowski <zenczykowski@gmail.com>

The cts algorithm as currently implemented assumes the underlying
is a CBC-mode algorithm.  So this patch adds a check for that to
eliminate bogus combinations of cts with non-CBC modes.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The seqiv generator is completely inappropriate for cts as it's
designed for IPsec algorithms.  Since cts users do not actually
use the IV generator we can just fall back to the default.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NMaciej ?enczykowski <zenczykowski@gmail.com>

Fixes the following sparse warnings:

crypto/algif_rng.c:185:13: warning:
 symbol 'rng_exit' was not declared. Should it be static?
Signed-off-by: NWei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: NStephan Mueller <smueller@chronox.de>
Acked-by: NNeil Horman <nhorman@tuxdriver.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

tcrypt/testmgr uses wait_for_completion_interruptible() everywhere when
it waits for a request to be completed.  If it's interrupted, then the
test is aborted and the request is freed.

However, if any of these calls actually do get interrupted, the result
will likely be a kernel crash, when the driver handles the now-freed
request.  Use wait_for_completion() instead.
Signed-off-by: NRabin Vincent <rabin.vincent@axis.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Commit 5d26a105 ("crypto: prefix module autoloading with "crypto-"")
changed the automatic module loading when requesting crypto algorithms
to prefix all module requests with "crypto-". This requires all crypto
modules to have a crypto specific module alias even if their file name
would otherwise match the requested crypto algorithm.

Even though commit 5d26a105 added those aliases for a vast amount of
modules, it was missing a few. Add the required MODULE_ALIAS_CRYPTO
annotations to those files to make them get loaded automatically, again.
This fixes, e.g., requesting 'ecb(blowfish-generic)', which used to work
with kernels v3.18 and below.

Also change MODULE_ALIAS() lines to MODULE_ALIAS_CRYPTO(). The former
won't work for crypto modules any more.

Fixes: 5d26a105 ("crypto: prefix module autoloading with "crypto-"")
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: NMathias Krause <minipli@googlemail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

    
This reverts commit 421d82f5.

None of the data zeroed are on the stack so the compiler cannot
optimise them away.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Enable compilation of the RNG AF_ALG support and provide a Kconfig
option to compile the RNG AF_ALG support.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the random number generator support for AF_ALG.

A random number generator's purpose is to generate data without
requiring the caller to provide any data. Therefore, the AF_ALG
interface handler for RNGs only implements a callback handler for
recvmsg.

The following parameters provided with a recvmsg are processed by the
RNG callback handler:

	* sock - to resolve the RNG context data structure accessing the
	  RNG instance private to the socket

	* len - this parameter allows userspace callers to specify how
	  many random bytes the RNG shall produce and return. As the
	  kernel context for the RNG allocates a buffer of 128 bytes to
	  store random numbers before copying them to userspace, the len
	  parameter is checked that it is not larger than 128. If a
	  caller wants more random numbers, a new request for recvmsg
	  shall be made.

The size of 128 bytes is chose because of the following considerations:

	* to increase the memory footprint of the kernel too much (note,
	  that would be 128 bytes per open socket)

	* 128 is divisible by any typical cryptographic block size an
	  RNG may have

	* A request for random numbers typically only shall supply small
	  amount of data like for keys or IVs that should only require
	  one invocation of the recvmsg function.

Note, during instantiation of the RNG, the code checks whether the RNG
implementation requires seeding. If so, the RNG is seeded with output
from get_random_bytes.

A fully working example using all aspects of the RNG interface is
provided at http://www.chronox.de/libkcapi.htmlSigned-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

alg_setkey should zeroize the sensitive data after use.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Enable user to select OCTEON MD5 module.
Signed-off-by: NAaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

algif_skcipher sends 127 sgl buffers for encryption regardless of how
many buffers acctually have data to process, where the few first with
valid len and the rest with zero len. This is not very eficient.
This patch marks the last one with data as the last one to process.
Signed-off-by: NTadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Use setsockopt on the tfm FD to provide the authentication tag size for
an AEAD cipher. This is achieved by adding a callback function which is
intended to be used by the AEAD AF_ALG implementation.

The optlen argument of the setsockopt specifies the authentication tag
size to be used with the AEAD tfm.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds a panic if the FIPS 140-2 self test error failed.
Note, that entire code is only executed with fips_enabled (i.e. when the
kernel is booted with fips=1. It is therefore not executed for 99.9% of
all user base.

As mathematically such failure cannot occur, this panic should never be
triggered. But to comply with NISTs current requirements, an endless
loop must be replaced with the panic.

When the new version of FIPS 140 will be released, this entire
continuous self test function will be ripped out as it will not be
needed any more.

This patch is functionally equivalent as implemented in ansi_cprng.c and drivers/char/random.c.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed style error identified by checkpatch.

WARNING: Missing a blank line after declarations
+               int err = crypto_remove_alg(&inst->alg, &users);
+               BUG_ON(err);
Signed-off-by: NJoshua I. James <joshua@cybercrimetech.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed style error identified by checkpatch.

WARNING: Missing a blank line after declarations
+               unsigned int unaligned = alignmask + 1 - (offset & alignmask);
+               if (nbytes > unaligned)
Signed-off-by: NJoshua I. James <joshua@cybercrimetech.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed style error identified by checkpatch.

ERROR: space required before the open parenthesis '('
+               switch(cmsg->cmsg_type) {
Signed-off-by: NJoshua I. James <joshua@cybercrimetech.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed style error identified by checkpatch.

ERROR: do not use assignment in if condition
+       if ((err = crypto_register_instance(tmpl, inst))) {
Signed-off-by: NJoshua I. James <joshua@cybercrimetech.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed style errors reported by checkpatch.

WARNING: Missing a blank line after declarations
+       u8 *end_page = (u8 *)(((unsigned long)(start + len - 1)) & PAGE_MASK);
+       return max(start, end_page);

WARNING: line over 80 characters
+               scatterwalk_start(&walk->out, scatterwalk_sg_next(walk->out.sg));

WARNING: Missing a blank line after declarations
+               int err = ablkcipher_copy_iv(walk, tfm, alignmask);
+               if (err)

ERROR: do not use assignment in if condition
+       if ((err = crypto_register_instance(tmpl, inst))) {
Signed-off-by: NJoshua I. James <joshua@cybercrimetech.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

If a request is backlogged, it's complete() handler will get called
twice: once with -EINPROGRESS, and once with the final error code.

af_alg's complete handler, unlike other users, does not handle the
-EINPROGRESS but instead always completes the completion that recvmsg()
is waiting on.  This can lead to a return to user space while the
request is still pending in the driver.  If userspace closes the sockets
before the requests are handled by the driver, this will lead to
use-after-frees (and potential crashes) in the kernel due to the tfm
having been freed.

The crashes can be easily reproduced (for example) by reducing the max
queue length in cryptod.c and running the following (from
http://www.chronox.de/libkcapi.html) on AES-NI capable hardware:

 $ while true; do kcapi -x 1 -e -c '__ecb-aes-aesni' \
    -k 00000000000000000000000000000000 \
    -p 00000000000000000000000000000000 >/dev/null & done

Cc: stable@vger.kernel.org
Signed-off-by: NRabin Vincent <rabin.vincent@axis.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Introduce helper macro for_each_cmsghdr as a wrapper of the enumerating
cmsghdr from msghdr, just cleanup.
Signed-off-by: NGu Zheng <guz.fnst@cn.fujitsu.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Note that the code _using_ ->msg_iter at that point will be very
unhappy with anything other than unshifted iovec-backed iov_iter.
We still need to convert users to proper primitives.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>