- 30 3月, 2022 1 次提交
-
-
由 Peter Zijlstra 提交于
This missed the big asm update due to being merged through the crypto tree. Fixes: f94909ce ("x86: Prepare asm files for straight-line-speculation") Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
- 25 3月, 2022 4 次提交
-
-
由 Peter Zijlstra 提交于
Due to being a perl generated asm file, it got missed by the mass convertion script. arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_init_x86_64()+0x3a: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_x86_64()+0xf2: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_emit_x86_64()+0x37: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: __poly1305_block()+0x6d: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: __poly1305_init_avx()+0x1e8: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx()+0x18a: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx()+0xaf8: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_emit_avx()+0x99: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx2()+0x18a: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx2()+0x776: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x18a: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x796: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x10bd: missing int3 after ret Fixes: f94909ce ("x86: Prepare asm files for straight-line-speculation") Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Peter Zijlstra 提交于
The chacha_Nblock_xor_avx512vl() functions all have their own, identical, .LdoneN label, however in one particular spot {2,4} jump to the 8 version instead of their own. Resulting in: arch/x86/crypto/chacha-x86_64.o: warning: objtool: chacha_2block_xor_avx512vl() falls through to next function chacha_8block_xor_avx512vl() arch/x86/crypto/chacha-x86_64.o: warning: objtool: chacha_4block_xor_avx512vl() falls through to next function chacha_8block_xor_avx512vl() Make each function consistently use its own done label. Reported-by: NStephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: NMartin Willi <martin@strongswan.org> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Zheng Yongjun 提交于
pm_runtime_get_sync() will increment pm usage counter even it failed. Forgetting to call pm_runtime_put_noidle will result in reference leak in stm32_crc_remove, so we should fix it. Signed-off-by: NZheng Yongjun <zhengyongjun3@huawei.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Herbert Xu 提交于
The algorithm __cbc-aes-neonbs requires a fallback so we need to select the config options for them or otherwise it will fail to register on boot-up. Fixes: 00b99ad2 ("crypto: arm/aes-neonbs - Use generic cbc...") Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
- 14 3月, 2022 4 次提交
-
-
由 Herbert Xu 提交于
This patch turns the new SHA driver into a tristate and also allows compile testing. Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Longfang Liu 提交于
Zaibo moved projects and is not looking into crypto stuff. I am responsible for checking the patches of these modules. so the maintainers list needs to be updated. I take care of HPRE, Qian Weili take care of TRNG, Ye Kai and me take care of SEC2. Signed-off-by: NLongfang Liu <liulongfang@huawei.com> Signed-off-by: NKai Ye <yekai12@huawei.com> Signed-off-by: NWeili Qian <qianweili@huawei.com> Signed-off-by: NZaibo Xu <xuzaibo@huawei.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Jiapeng Chong 提交于
Fix the following W=1 kernel warnings: crypto/dh.c:311:31: warning: unused function 'dh_safe_prime_dh_alg' [-Wunused-function] Reported-by: NAbaci Robot <abaci@linux.alibaba.com> Signed-off-by: NJiapeng Chong <jiapeng.chong@linux.alibaba.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Miaoqian Lin 提交于
The corresponding API for clk_prepare_enable is clk_disable_unprepare, other than clk_disable_unprepare. Fix this by changing clk_disable to clk_disable_unprepare. Fixes: beca35d0 ("hwrng: nomadik - use clk_prepare_enable()") Signed-off-by: NMiaoqian Lin <linmq006@gmail.com> Reviewed-by: NLinus Walleij <linus.walleij@linaro.org> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
- 09 3月, 2022 10 次提交
-
-
由 Tom Rix 提交于
For spdx, use // for *.c files Replacements significanty to significantly Signed-off-by: NTom Rix <trix@redhat.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Giovanni Cabiddu 提交于
Initialize fully the structures rts_map_msg containing the ring to service map from the host. This is to fix the following warning when compiling the QAT driver using the clang compiler with CC=clang W=2: drivers/crypto/qat/qat_common/adf_pfvf_vf_msg.c:144:51: warning: missing field 'map' initializer [-Wmissing-field-initializers] struct ring_to_svc_map_v1 rts_map_msg = { { 0 }, }; ^ Fixes: e1b176af ("crypto: qat - exchange ring-to-service mappings over PFVF") Signed-off-by: NGiovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Giovanni Cabiddu 提交于
Initialize fully the structures cap_msg containing the device capabilities from the host. This is to fix the following warning when compiling the QAT driver using the clang compiler with CC=clang W=2: drivers/crypto/qat/qat_common/adf_pfvf_vf_msg.c:99:44: warning: missing field 'ext_dc_caps' initializer [-Wmissing-field-initializers] struct capabilities_v3 cap_msg = { { 0 }, }; ^ Fixes: 851ed498 ("crypto: qat - exchange device capabilities over PFVF") Signed-off-by: NGiovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Giovanni Cabiddu 提交于
The function adf_gen4_get_vf2pf_sources() computes a mask which is stored in a variable which is returned and not used. Remove superfluous assignment of variable. This is to fix the following warning when compiling the QAT driver with clang scan-build: drivers/crypto/qat/qat_common/adf_gen4_pfvf.c:46:9: warning: Although the value stored to 'sou' is used in the enclosing expression, the value is never actually read from 'sou' [deadcode.DeadStores] return sou &= ~mask; ^ ~~~~~ Fixes: 5901b4af6e07 ("crypto: qat - fix access to PFVF interrupt registers for GEN4") Signed-off-by: NGiovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Giovanni Cabiddu 提交于
The implementations of aead and skcipher in the QAT driver do not support properly requests with the CRYPTO_TFM_REQ_MAY_BACKLOG flag set. If the HW queue is full, the driver returns -EBUSY but does not enqueue the request. This can result in applications like dm-crypt waiting indefinitely for a completion of a request that was never submitted to the hardware. To avoid this problem, disable the registration of all crypto algorithms in the QAT driver by setting the number of crypto instances to 0 at configuration time. Cc: stable@vger.kernel.org Signed-off-by: NGiovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Kai Ye 提交于
Due to that extra page addr is used as a qp error flag when the device resetting. So it not should to clear this qp flag in userspace. Signed-off-by: NKai Ye <yekai13@huawei.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Corentin Labbe 提交于
The zynqmp-sha driver is always loaded and register its algorithm even on platform which do not have the proper hardware. This lead to a stacktrace due to zynqmp-sha3-384 failing its crypto self tests. So check if hardware is present via the firmware API call get_version. While at it, simplify the platform_driver by using module_platform_driver() Furthermore the driver should depend on ZYNQMP_FIRMWARE since it cannot work without it. Fixes: 7ecc3e34 ("crypto: xilinx - Add Xilinx SHA3 driver") Signed-off-by: NCorentin Labbe <clabbe@baylibre.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Jiapeng Chong 提交于
Clean the following coccicheck warning: ./drivers/crypto/marvell/octeontx/otx_cptvf_algs.c:1645:16-17: WARNING opportunity for swap(). Reported-by: NAbaci Robot <abaci@linux.alibaba.com> Signed-off-by: NJiapeng Chong <jiapeng.chong@linux.alibaba.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Jianglei Nie 提交于
kfree_sensitive(ctx_p->user.key) will free the ctx_p->user.key. But ctx_p->user.key is still used in the next line, which will lead to a use after free. We can call kfree_sensitive() after dev_dbg() to avoid the uaf. Fixes: 63ee04c8 ("crypto: ccree - add skcipher support") Signed-off-by: NJianglei Nie <niejianglei2021@163.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Dāvis Mosāns 提交于
ccp_dmaengine_register adds dma_chan->device_node to dma_dev->channels list but ccp_dmaengine_unregister didn't remove them. That can cause crashes in various dmaengine methods that tries to use dma_dev->channels Fixes: 58ea8abf ("crypto: ccp - Register the CCP as a DMA...") Signed-off-by: NDāvis Mosāns <davispuh@gmail.com> Acked-by: NJohn Allen <john.allen@amd.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
- 03 3月, 2022 21 次提交
-
-
由 Yang Yingliang 提交于
Add the missing unlock before return from error path. Fixes: 4363f3d3 ("crypto: octeontx2 - add synchronization between mailbox accesses") Reported-by: NHulk Robot <hulkci@huawei.com> Signed-off-by: NYang Yingliang <yangyingliang@huawei.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Wan Jiabing 提交于
Fix following coccicheck warning: ./drivers/char/hw_random/cavium-rng-vf.c:182:17-20: ERROR: pdev is NULL but dereferenced. Signed-off-by: NWan Jiabing <wanjiabing@vivo.com> Reviewed-by: NSunil Goutham <sgoutham@marvell.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Andy Shevchenko 提交于
While in this particular case it would not be a (critical) issue, the pattern itself is bad and error prone in case the location of the parameter is changed. Don't cast parameter to unsigned long pointer in the bit operations. Instead copy to a local variable on stack of a proper type and use. Fixes: cf718eaa ("crypto: cavium/nitrox - Enabled Mailbox support") Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Petr Vorel 提交于
vmx-crypto module depends on CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or CRYPTO_XTS, thus add them. These dependencies are likely to be enabled, but if CRYPTO_DEV_VMX=y && !CRYPTO_MANAGER_DISABLE_TESTS and either of CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or CRYPTO_XTS is built as module or disabled, alg_test() from crypto/testmgr.c complains during boot about failing to allocate the generic fallback implementations (2 == ENOENT): [ 0.540953] Failed to allocate xts(aes) fallback: -2 [ 0.541014] alg: skcipher: failed to allocate transform for p8_aes_xts: -2 [ 0.541120] alg: self-tests for p8_aes_xts (xts(aes)) failed (rc=-2) [ 0.544440] Failed to allocate ctr(aes) fallback: -2 [ 0.544497] alg: skcipher: failed to allocate transform for p8_aes_ctr: -2 [ 0.544603] alg: self-tests for p8_aes_ctr (ctr(aes)) failed (rc=-2) [ 0.547992] Failed to allocate cbc(aes) fallback: -2 [ 0.548052] alg: skcipher: failed to allocate transform for p8_aes_cbc: -2 [ 0.548156] alg: self-tests for p8_aes_cbc (cbc(aes)) failed (rc=-2) [ 0.550745] Failed to allocate transformation for 'aes': -2 [ 0.550801] alg: cipher: Failed to load transform for p8_aes: -2 [ 0.550892] alg: self-tests for p8_aes (aes) failed (rc=-2) Fixes: c07f5d3d ("crypto: vmx - Adding support for XTS") Fixes: d2e3ae6f ("crypto: vmx - Enabling VMX module for PPC64") Suggested-by: NNicolai Stange <nstange@suse.de> Signed-off-by: NPetr Vorel <pvorel@suse.cz> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Harsha 提交于
This patch adds an entry for ZynqMP SHA3 driver in the list of Maintainers. Signed-off-by: NHarsha <harsha.harsha@xilinx.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Harsha 提交于
This patch adds SHA3 driver support for the Xilinx ZynqMP SoC. Xilinx ZynqMP SoC has SHA3 engine used for secure hash calculation. The flow is SHA3 request from Userspace -> SHA3 driver-> ZynqMp driver-> Firmware -> SHA3 HW Engine SHA3 HW engine in Xilinx ZynqMP SoC, does not support parallel processing of 2 hash requests. Therefore, software fallback is being used for init, update, final, export and import in the ZynqMP SHA driver For digest, the calculation of SHA3 hash is done by the hardened SHA3 accelerator in Xilinx ZynqMP SoC. Signed-off-by: NHarsha <harsha.harsha@xilinx.com> Signed-off-by: NKalyani Akula <kalyani.akula@xilinx.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Harsha 提交于
This patch adds zynqmp_pm_sha_hash API in the ZynqMP firmware to compute SHA3 hash of given data. Signed-off-by: NHarsha <harsha.harsha@xilinx.com> Signed-off-by: NKalyani Akula <kalyani.akula@xilinx.com> Acked-by: NMichal Simek <michal.simek@xilinx.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Harsha 提交于
This patch updates the Makefile for xilinx subdirectory. CONFIG_CRYPTO_DEV_ZYNQMP_AES protects zynqmp-aes-gcm.o and it is used twice (in drivers/crypto/Makefile and drivers/crypto/xilinx/Makefile) and it is enough to use it once. Signed-off-by: NHarsha <harsha.harsha@xilinx.com> Reviewed-by: NMichal Simek <michal.simek@xilinx.com> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Ard Biesheuvel 提交于
Dereferencing a misaligned pointer is undefined behavior in C, and may result in codegen on architectures such as ARM that trigger alignments traps and expensive fixups in software. Instead, use the get_aligned()/put_aligned() accessors, which are cheap or even completely free when CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y. In the converse case, the prior alignment checks ensure that the casts are safe, and so no unaligned accessors are necessary. Signed-off-by: NArd Biesheuvel <ardb@kernel.org> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Tom Rix 提交于
For spdx /* */ for *.h, // for *.c Space before spdx tag Replacements paramenters to parameters aymmetric to asymmetric sigature to signature boudary to boundary compliled to compiled eninges to engines explicity to explicitly Signed-off-by: NTom Rix <trix@redhat.com> Acked-by: NJarkko Sakkinen <jarkko@kernel.org> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Nicolai Stange 提交于
As the ->q in struct dh_ctx gets never set anywhere, the code in dh_is_pubkey_valid() for doing the full public key validation in accordance to SP800-56Arev3 is effectively dead. However, for safe-prime groups Q = (P - 1)/2 by definition and as the safe-prime groups are the only possible groups in FIPS mode (via those ffdheXYZ() templates), this enables dh_is_pubkey_valid() to calculate Q on the fly for these. Implement this. With this change, the last code accessing struct dh_ctx's ->q is now gone. Remove this member from struct dh_ctx. Signed-off-by: NNicolai Stange <nstange@suse.de> Reviewed-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Nicolai Stange 提交于
A subsequent patch will make the crypto/dh's dh_is_pubkey_valid() to calculate a safe-prime groups Q parameter from P: Q = (P - 1) / 2. For implementing this, mpi_rshift() will be needed. Export it so that it's accessible from crypto/dh. Signed-off-by: NNicolai Stange <nstange@suse.de> Reviewed-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Nicolai Stange 提交于
SP800-56Arev3, sec. 5.5.2 ("Assurance of Domain-Parameter Validity") asserts that an implementation needs to verify domain paramtere validity, which boils down to either - the domain parameters corresponding to some known safe-prime group explicitly listed to be approved in the document or - for parameters conforming to a "FIPS 186-type parameter-size set", that the implementation needs to perform an explicit domain parameter verification, which would require access to the "seed" and "counter" values used in their generation. The latter is not easily feasible and moreover, SP800-56Arev3 states that safe-prime groups are preferred and that FIPS 186-type parameter sets should only be supported for backward compatibility, if it all. Mark "dh" as not fips_allowed in testmgr. Note that the safe-prime ffdheXYZ(dh) wrappers are not affected by this change: as these enforce some approved safe-prime group each, their usage is still allowed in FIPS mode. This change will effectively render the keyctl(KEYCTL_DH_COMPUTE) syscall unusable in FIPS mode, but it has been brought up that this might even be a good thing ([1]). [1] https://lore.kernel.org/r/20211217055227.GA20698@gondor.apana.org.auSigned-off-by: NNicolai Stange <nstange@suse.de> Reviewed-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Nicolai Stange 提交于
Currently we do not distinguish between algorithms that fail on the self-test vs. those which are disabled in FIPS mode (not allowed). Both are marked as having failed the self-test. Recently the need arose to allow the usage of certain algorithms only as arguments to specific template instantiations in FIPS mode. For example, standalone "dh" must be blocked, but e.g. "ffdhe2048(dh)" is allowed. Other potential use cases include "cbcmac(aes)", which must only be used with ccm(), or "ghash", which must be used only for gcm(). This patch allows this scenario by adding a new flag FIPS_INTERNAL to indicate those algorithms that are not FIPS-allowed. They can then be used as template arguments only, i.e. when looked up via crypto_grab_spawn() to be more specific. The FIPS_INTERNAL bit gets propagated upwards recursively into the surrounding template instances, until the construction eventually matches an explicit testmgr entry with ->fips_allowed being set, if any. The behaviour to skip !->fips_allowed self-test executions in FIPS mode will be retained. Note that this effectively means that FIPS_INTERNAL algorithms are handled very similarly to the INTERNAL ones in this regard. It is expected that the FIPS_INTERNAL algorithms will receive sufficient testing when the larger constructions they're a part of, if any, get exercised by testmgr. Note that as a side-effect of this patch algorithms which are not FIPS-allowed will now return ENOENT instead of ELIBBAD. Hopefully this is not an issue as some people were relying on this already. Link: https://lore.kernel.org/r/YeEVSaMEVJb3cQkq@gondor.apana.org.auOriginally-by: NHerbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NNicolai Stange <nstange@suse.de> Reviewed-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Nicolai Stange 提交于
Ephemeral key generation can be requested from any of the ffdheXYZ(dh) variants' common ->set_secret() by passing it an (encoded) struct dh with the key parameter being unset, i.e. with ->key_size == 0. As the whole purpose of the ffdheXYZ(dh) templates is to fill in the group parameters as appropriate, they expect ->p and ->g to be unset in any input struct dh as well. This means that a user would have to encode an all-zeroes struct dh instance via crypto_dh_encode_key() when requesting ephemeral key generation from a ffdheXYZ(dh) instance, which is kind of pointless. Make dh_safe_prime_set_secret() to decode a struct dh from the supplied buffer only if the latter is non-NULL and initialize it with all zeroes otherwise. That is, it is now possible to call crypto_kpp_set_secret(tfm, NULL, 0); on any ffdheXYZ(dh) tfm for requesting ephemeral key generation. Signed-off-by: NNicolai Stange <nstange@suse.de> Reviewed-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Nicolai Stange 提交于
Now that the ffdheXYZ(dh) templates support ephemeral key generation, add ->keygen = 1 TVs for each of them to the testmgr.c. In order to facilitate string merging by the compiler, set party B's secret and public keys to the ones specified for party A in the respective existing known answer test. With GCC 7.5 on x86_64, this leads to an increase of testmgr.o size by less than half a kB. Signed-off-by: NNicolai Stange <nstange@suse.de> Reviewed-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Nicolai Stange 提交于
The support for NVME in-band authentication currently in the works ([1]) needs to generate ephemeral DH keys for use with the RFC 7919 safe-prime FFDHE groups. In analogy to ECDH and its ecc_gen_privkey(), implement a dh_safe_prime_gen_privkey() and invoke it from the ffdheXYZ(dh) templates' common ->set_secret(), i.e. dh_safe_prime_set_secret(), in case the input ->key_size is zero. As the RFC 7919 FFDHE groups are classified as approved safe-prime groups by SP800-56Arev3, it's worthwhile to make the new dh_safe_prime_gen_privkey() to follow the approach specified in SP800-56Arev3, sec. 5.6.1.1.3 ("Key-Pair Generation Using Extra Random Bits") in order to achieve conformance. SP800-56Arev3 specifies a lower as well as an upper bound on the generated key's length: - it must be >= two times the maximum supported security strength of the group in question and - it must be <= the length of the domain parameter Q. For any safe-prime group Q = (P - 1)/2 by definition and the individual maximum supported security strengths as specified by SP800-56Arev3 have been made available as part of the FFDHE dh_safe_prime definitions introduced with a previous patch. Make dh_safe_prime_gen_privkey() pick twice the maximum supported strength rounded up to the next power of two for the output key size. This choice respects both, the lower and upper bounds given by SP800-90Arev3 for any of the approved safe-prime groups and is also in line with the NVME base spec 2.0, which requires the key size to be >= 256bits. [1] https://lore.kernel.org/r/20211202152358.60116-1-hare@suse.deSigned-off-by: NNicolai Stange <nstange@suse.de> Reviewed-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Nicolai Stange 提交于
Add known answer tests for the ffdhe2048(dh), ffdhe3072(dh), ffdhe4096(dh), ffdhe6144(dh) and ffdhe8192(dh) templates introduced with the previous patch to the testmgr. All TVs have been generated with OpenSSL. Signed-off-by: NNicolai Stange <nstange@suse.de> Reviewed-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Nicolai Stange 提交于
Current work on NVME in-band authentication support ([1]) needs to invoke DH with the FFDHE safe-prime group parameters specified in RFC 7919. Introduce a new CRYPTO_DH_RFC7919_GROUPS Kconfig option. If enabled, make dh_generic register a couple of ffdheXYZ(dh) templates, one for each group: ffdhe2048(dh), ffdhe3072(dh), ffdhe4096(dh), ffdhe6144(dh) and ffdhe8192(dh). Their respective ->set_secret() expects a (serialized) struct dh, just like the underlying "dh" implementation does, but with the P and G values unset so that the safe-prime constants for the given group can be filled in by the wrapping template. Internally, a struct dh_safe_prime instance is being defined for each of the ffdheXYZ(dh) templates as appropriate. In order to prepare for future key generation, fill in the maximum security strength values as specified by SP800-56Arev3 on the go, even though they're not needed at this point yet. Implement the respective ffdheXYZ(dh) crypto_template's ->create() by simply forwarding any calls to the __dh_safe_prime_create() helper introduced with the previous commit, passing the associated dh_safe_prime in addition to the received ->create() arguments. [1] https://lore.kernel.org/r/20211202152358.60116-1-hare@suse.deSigned-off-by: NNicolai Stange <nstange@suse.de> Reviewed-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Nicolai Stange 提交于
Recent work on NVME in-band authentication support ([1]) needs to invoke the "dh" KPP with the FFDHE safe-prime group parameters as specified in RFC 7919 and generate ephemeral keys suitable for the respective group. By coincidence, the requirements from NIST SP800-56Arev3, sec. 5.5.2 ("Assurance of Domain-Parameter Validity") basically boil down to disallowing any group parameters not among the approved safe-prime groups specified in either RFC 7919 or RFC 3526 in FIPS mode. Furthermore, SP800-56Arev3 specifies the respective security strength for each of the approved safe-prime groups, which has a direct impact on the minimum key lengths. In this light, it's desirable to introduce built-in support for the RFC 7919 safe-prime groups to the kernel's DH implementation, provide a SP800-56Arev3 conforming key generation primitive for those and render non-approved group parameters unusable in FIPS mode on the way. As suggested ([2]) in the course of discussion to previous iterations of this patchset, the built-in support for ffdhe groups would be best made available in the form of templates wrapping the existing "dh" implementation, one for each group specified by RFC 7919: ffdhe2048(dh), ffdhe3072(dh), ffdhe4096(dh), ffdhe6144(dh) and ffdhe8192(dh). As these templates differ only in the safe-prime constants they'd configure the inner "dh" transforms with, they can share almost all of their "dh"-wrapping template implementation code. Introduce this common code to dh_generic. The actual dump of the RFC 7919 safe-prime constants will be deferred to the next patch in order to facilitate review. The ephemeral key generation primitive mentioned above likewise deserves a patch on its own, as does the mechanism by which unapproved groups are rendered unusable in FIPS mode. Define a struct dh_safe_prime container for specifying the individual templates' associated safe-prime group constants. All ffdheXYZ(dh) template instances will store a pointer to such a dh_safe_prime in their context areas each. Implement the common __dh_safe_prime_create() template instantiation helper. The intention is that the individual ffdheXYZ(dh) crypto_templates' ->create() implementations will simply forward any calls to __dh_safe_prime_create(), passing a suitable dh_safe_prime in addition to the received ->create() arguments. __dh_safe_prime_create() would then create and register a kpp_instance as appropriate, storing the given dh_safe_prime pointer alongside a crypto_kpp_spawn for the inner "dh" kpp_alg in the context area. As the ffdheXYZ(dh) kpp_instances are supposed to act as proxies to the inner "dh" kpp_alg, make each of their associated crypto_kpp transforms to in turn own an inner "dh" transform, a pointer to which gets stored in the context area. Setup and teardown are getting handled from the outer ->init_tfm() and ->exit_tfm() respectively. In order to achieve the overall goal and let the ffdheXYZ(dh) kpp_instances configure the inner "dh" transforms with the respective group parameters, make their common ->set_secret(), the new dh_safe_prime_set_secret(), fill in the P and G values before forwarding the call to the inner "dh"'s ->set_secret(). Note that the outer ->set_secret() can obtain the P value associated with the given ffdheXYZ(dh) kpp_instance by means of the dh_safe_prime referenced from the latter's context. The value of G OTOH always equals constant 2 for the safe-prime groups. Finally, make the remaining two kpp_alg primitives both operating on kpp_requests, i.e. ->generate_public_key() and ->compute_shared_secret(), to merely forward any request to the inner "dh" implementation. However, a kpp_request instance received from the outside cannot get simply passed on as-is, because its associated transform (crypto_kpp_reqtfm()) will have been set to the outer ffdheXYZ(dh) one. In order to handle this, reserve some space in the outer ffdheXYZ(dh) kpp_requests' context areas for in turn storing an inner kpp_request suitable for "dh" each. Make the outer ->generate_public_key() and ->compute_shared_secret() respectively to setup this inner kpp_request by means of the new dh_safe_prime_prepare_dh_req() helper before handing it over to the "dh" implementation for further processing. dh_safe_prime_prepare_dh_req() basically copies the outer kpp_request received from the outside over to the inner one, but installs the inner transform and its own ->complete() proxy callback therein. This completion callback, the new dh_safe_prime_complete_req(), doesn't do anything beyond completing the outer request. Note that there exist some examples in crypto/, which would simply install the completion handler from the outer request at the inner one in similar setups, e.g. seqiv. However, this would mean that the user-provided completion handler won't get called with the address of the outer kpp_request initially submitted and the handler might not be prepared for this. Users could certainly work around this by setting the callback ->data properly, but IMO it's cleaner this way. Furthermore, it might make sense to extend dh_safe_prime_complete_req() in the future and move e.g. those post-computation FIPS checks from the generic "dh" implementation to the ffdheXYZ(dh) templates. [1] https://lore.kernel.org/r/20211202152358.60116-1-hare@suse.de [2] https://lore.kernel.org/r/20211217055227.GA20698@gondor.apana.org.auSigned-off-by: NNicolai Stange <nstange@suse.de> Reviewed-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-
由 Nicolai Stange 提交于
A subsequent commit will introduce "dh" wrapping templates of the form "ffdhe2048(dh)", "ffdhe3072(dh)" and so on in order to provide built-in support for the well-known safe-prime ffdhe group parameters specified in RFC 7919. Those templates' ->set_secret() will wrap the inner "dh" implementation's ->set_secret() and set the ->p and ->g group parameters as appropriate on the way inwards. More specifically, - A ffdheXYZ(dh) user would call crypto_dh_encode() on a struct dh instance having ->p == ->g == NULL as well as ->p_size == ->g_size == 0 and pass the resulting buffer to the outer ->set_secret(). - This outer ->set_secret() would then decode the struct dh via crypto_dh_decode_key(), set ->p, ->g, ->p_size as well as ->g_size as appropriate for the group in question and encode the struct dh again before passing it further down to the inner "dh"'s ->set_secret(). The problem is that crypto_dh_decode_key() implements some basic checks which would reject parameter sets with ->p_size == 0 and thus, the ffdheXYZ templates' ->set_secret() cannot use it as-is for decoding the passed buffer. As the inner "dh"'s ->set_secret() will eventually conduct said checks on the final parameter set anyway, the outer ->set_secret() really only needs the decoding functionality. Split out the pure struct dh decoding part from crypto_dh_decode_key() into the new __crypto_dh_decode_key(). __crypto_dh_decode_key() gets defined in crypto/dh_helper.c, but will have to get called from crypto/dh.c and thus, its declaration must be somehow made available to the latter. Strictly speaking, __crypto_dh_decode_key() is internal to the dh_generic module, yet it would be a bit over the top to introduce a new header like e.g. include/crypto/internal/dh.h containing just a single prototype. Add the __crypto_dh_decode_key() declaration to include/crypto/dh.h instead. Provide a proper kernel-doc annotation, even though __crypto_dh_decode_key() is purposedly not on the function list specified in Documentation/crypto/api-kpp.rst. Signed-off-by: NNicolai Stange <nstange@suse.de> Reviewed-by: NHannes Reinecke <hare@suse.de> Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
-