tcrypt/testmgr uses wait_for_completion_interruptible() everywhere when
it waits for a request to be completed.  If it's interrupted, then the
test is aborted and the request is freed.

However, if any of these calls actually do get interrupted, the result
will likely be a kernel crash, when the driver handles the now-freed
request.  Use wait_for_completion() instead.
Signed-off-by: NRabin Vincent <rabin.vincent@axis.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Lets improve the comment to add a note on when to use memzero_explicit()
for those not digging through the git logs. We don't want people to
pollute places with memzero_explicit() where it's not really necessary.

Reference: https://lkml.org/lkml/2015/1/4/190Suggested-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDaniel Borkmann <dborkman@redhat.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

memzero_explicit should only be used on stack variables that get
zapped just before they go out of scope.

This patch replaces all unnecessary uses of memzero_explicit with
memset, removes two memzero_explicit calls altogether as the tfm
context comes pre-zeroed, and adds a missing memzero_explicit of
the stack variable buff in qat_alg_do_precomputes.  The memzeros
on ipad/opad + digest_size/auth_keylen are also removed as the
entire auth_state is already zeroed on entry.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NTadeusz Struk <tadeusz.struk@intel.com>

The AEAD decryption operation requires the authentication tag to be
present as part of the cipher text buffer. The added check verifies that
the caller provides a cipher text with at least the authentication tag.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

dd->total is unsigned so it won't do any good to check for negative
value after subtracting instead of that we should check if the
subtracted value is bigger than him

This was partially found by using a static code analysis program
called cppcheck.
Signed-off-by: NAsaf Vertz <asaf.vertz@tandemg.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch removes unnecessary KERN_ERR from bfin_crypto_crc_mod_init().
Signed-off-by: NMasanari Iida <standby24x7@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Remove the function get_dynamic_sa_offset_iv_field() that is not used anywhere.

This was partially found by using a static code analysis program called cppcheck.
Signed-off-by: NRickard Strandqvist <rickard_strandqvist@spectrumdigital.se>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

    
This reverts commit 421d82f5.

None of the data zeroed are on the stack so the compiler cannot
optimise them away.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Enable compilation of the RNG AF_ALG support and provide a Kconfig
option to compile the RNG AF_ALG support.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the random number generator support for AF_ALG.

A random number generator's purpose is to generate data without
requiring the caller to provide any data. Therefore, the AF_ALG
interface handler for RNGs only implements a callback handler for
recvmsg.

The following parameters provided with a recvmsg are processed by the
RNG callback handler:

	* sock - to resolve the RNG context data structure accessing the
	  RNG instance private to the socket

	* len - this parameter allows userspace callers to specify how
	  many random bytes the RNG shall produce and return. As the
	  kernel context for the RNG allocates a buffer of 128 bytes to
	  store random numbers before copying them to userspace, the len
	  parameter is checked that it is not larger than 128. If a
	  caller wants more random numbers, a new request for recvmsg
	  shall be made.

The size of 128 bytes is chose because of the following considerations:

	* to increase the memory footprint of the kernel too much (note,
	  that would be 128 bytes per open socket)

	* 128 is divisible by any typical cryptographic block size an
	  RNG may have

	* A request for random numbers typically only shall supply small
	  amount of data like for keys or IVs that should only require
	  one invocation of the recvmsg function.

Note, during instantiation of the RNG, the code checks whether the RNG
implementation requires seeding. If so, the RNG is seeded with output
from get_random_bytes.

A fully working example using all aspects of the RNG interface is
provided at http://www.chronox.de/libkcapi.htmlSigned-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

alg_setkey should zeroize the sensitive data after use.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

We always do hwrng_init in set_current_rng.  In fact, our current
reference count system relies on this.  So make this explicit by
moving hwrng_init into set_current_rng.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Rather than having callers of set_current_rng call drop_current_rng,
we can do it directly in set_current_rng.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Currently we only register the device when a valid RNG is added.
However the way it's done is buggy because we test whether there
is a current RNG to determine whether we need to register.  As
the current RNG may be missing due to a reinitialisation error
this can lead to a reregistration of the device.

As the device already has to handle a NULL current RNG anyway,
let's just register the device always and remove the complexity.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The kref solution is still buggy because we were only focusing
on the register/unregister race.  The same race affects the
setting of current_rng through sysfs.

This patch fixes it by using kref_get_unless_zero.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

There is no point in doing a manual completion for cleanup_done
when struct completion fits in perfectly.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Enable user to select OCTEON MD5 module.
Signed-off-by: NAaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add OCTEON MD5 module.
Signed-off-by: NAaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Reintroduce run-time check for crypto features. The old one was deleted
because it was unreliable, now decide the crypto availability on early
boot when the model string is constructed.
Signed-off-by: NAaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add instruction definitions for MD5. Based on information extracted
from EdgeRouter Pro GPL source tarball.
Signed-off-by: NAaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add crypto helper functions which are needed for kernel level usage.
The code for these has been extracted from the EdgeRouter Pro GPL tarball.

While at it, also delete duplicate definitions of the functions.
Signed-off-by: NAaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed a coding style error, code indent should use tabs where possible
Signed-off-by: NAsaf Vertz <asaf.vertz@tandemg.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add support for cbc(aes) ablkcipher.
Signed-off-by: NTadeusz Struk <tadeusz.struk@intel.com>
Acked-by: NBruce W. Allan <bruce.w.allan@intel.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed invalid assumpion that the sgl in and sgl out will always have the same
number of entries.
Signed-off-by: NTadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

algif_skcipher sends 127 sgl buffers for encryption regardless of how
many buffers acctually have data to process, where the few first with
valid len and the rest with zero len. This is not very eficient.
This patch marks the last one with data as the last one to process.
Signed-off-by: NTadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Another interesting anti-pattern.
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Interesting anti-pattern.
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The previous patch added one potential problem: we can still be
reading from a hwrng when it's unregistered.  Add a wait for zero
in the hwrng_unregister path.
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: NAmos Kong <akong@redhat.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

current_rng holds one reference, and we bump it every time we want
to do a read from it.

This means we only hold the rng_mutex to grab or drop a reference,
so accessing /sys/devices/virtual/misc/hw_random/rng_current doesn't
block on read of /dev/hwrng.

Using a kref is overkill (we're always under the rng_mutex), but
a standard pattern.

This also solves the problem that the hwrng_fillfn thread was
accessing current_rng without a lock, which could change (eg. to NULL)
underneath it.
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: NAmos Kong <akong@redhat.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

In next patch, we use reference counting for each struct hwrng,
changing reference count also needs to take mutex_lock. Before
releasing the lock, if we try to stop a kthread that waits to
take the lock to reduce the referencing count, deadlock will
occur.
Signed-off-by: NAmos Kong <akong@redhat.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

There's currently a big lock around everything, and it means that we
can't query sysfs (eg /sys/devices/virtual/misc/hw_random/rng_current)
while the rng is reading.  This is a real problem when the rng is slow,
or blocked (eg. virtio_rng with qemu's default /dev/random backend)

This doesn't help (it leaves the current lock untouched), just adds a
lock to protect the read function and the static buffers, in preparation
for transition.
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Use setsockopt on the tfm FD to provide the authentication tag size for
an AEAD cipher. This is achieved by adding a callback function which is
intended to be used by the AEAD AF_ALG implementation.

The optlen argument of the setsockopt specifies the authentication tag
size to be used with the AEAD tfm.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds a panic if the FIPS 140-2 self test error failed.
Note, that entire code is only executed with fips_enabled (i.e. when the
kernel is booted with fips=1. It is therefore not executed for 99.9% of
all user base.

As mathematically such failure cannot occur, this panic should never be
triggered. But to comply with NISTs current requirements, an endless
loop must be replaced with the panic.

When the new version of FIPS 140 will be released, this entire
continuous self test function will be ripped out as it will not be
needed any more.

This patch is functionally equivalent as implemented in ansi_cprng.c and drivers/char/random.c.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed style error identified by checkpatch.

WARNING: Missing a blank line after declarations
+               int err = crypto_remove_alg(&inst->alg, &users);
+               BUG_ON(err);
Signed-off-by: NJoshua I. James <joshua@cybercrimetech.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed style error identified by checkpatch.

WARNING: Missing a blank line after declarations
+               unsigned int unaligned = alignmask + 1 - (offset & alignmask);
+               if (nbytes > unaligned)
Signed-off-by: NJoshua I. James <joshua@cybercrimetech.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed style error identified by checkpatch.

ERROR: space required before the open parenthesis '('
+               switch(cmsg->cmsg_type) {
Signed-off-by: NJoshua I. James <joshua@cybercrimetech.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed style error identified by checkpatch.

ERROR: do not use assignment in if condition
+       if ((err = crypto_register_instance(tmpl, inst))) {
Signed-off-by: NJoshua I. James <joshua@cybercrimetech.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Fixed style errors reported by checkpatch.

WARNING: Missing a blank line after declarations
+       u8 *end_page = (u8 *)(((unsigned long)(start + len - 1)) & PAGE_MASK);
+       return max(start, end_page);

WARNING: line over 80 characters
+               scatterwalk_start(&walk->out, scatterwalk_sg_next(walk->out.sg));

WARNING: Missing a blank line after declarations
+               int err = ablkcipher_copy_iv(walk, tfm, alignmask);
+               if (err)

ERROR: do not use assignment in if condition
+       if ((err = crypto_register_instance(tmpl, inst))) {
Signed-off-by: NJoshua I. James <joshua@cybercrimetech.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The fallback is never used, so there is no point in having it.

The cra_exit routine can also be removed, since all it did was releasing
the fallback, along with the stub around cra_init, which just added an
unused NULL argument.
Signed-off-by: NSvenning Soerensen <sss@secomea.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

If a request is backlogged, it's complete() handler will get called
twice: once with -EINPROGRESS, and once with the final error code.

af_alg's complete handler, unlike other users, does not handle the
-EINPROGRESS but instead always completes the completion that recvmsg()
is waiting on.  This can lead to a return to user space while the
request is still pending in the driver.  If userspace closes the sockets
before the requests are handled by the driver, this will lead to
use-after-frees (and potential crashes) in the kernel due to the tfm
having been freed.

The crashes can be easily reproduced (for example) by reducing the max
queue length in cryptod.c and running the following (from
http://www.chronox.de/libkcapi.html) on AES-NI capable hardware:

 $ while true; do kcapi -x 1 -e -c '__ecb-aes-aesni' \
    -k 00000000000000000000000000000000 \
    -p 00000000000000000000000000000000 >/dev/null & done

Cc: stable@vger.kernel.org
Signed-off-by: NRabin Vincent <rabin.vincent@axis.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>