Signed-off-by: NArd Biesheuvel <ardb@kernel.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The RC4-HMAC-MD5 KerberosV algorithm is based on RFC 4757 [0], which
was specifically issued for interoperability with Windows 2000, but was
never intended to receive the same level of support. The RFC says

  The IETF Kerberos community supports publishing this specification as
  an informational document in order to describe this widely
  implemented technology.  However, while these encryption types
  provide the operations necessary to implement the base Kerberos
  specification [RFC4120], they do not provide all the required
  operations in the Kerberos cryptography framework [RFC3961].  As a
  result, it is not generally possible to implement potential
  extensions to Kerberos using these encryption types.  The Kerberos
  encryption type negotiation mechanism [RFC4537] provides one approach
  for using such extensions even when a Kerberos infrastructure uses
  long-term RC4 keys.  Because this specification does not implement
  operations required by RFC 3961 and because of security concerns with
  the use of RC4 and MD4 discussed in Section 8, this specification is
  not appropriate for publication on the standards track.

  The RC4-HMAC encryption types are used to ease upgrade of existing
  Windows NT environments, provide strong cryptography (128-bit key
  lengths), and provide exportable (meet United States government
  export restriction requirements) encryption.  This document describes
  the implementation of those encryption types.

Furthermore, this RFC was re-classified as 'historic' by RFC 8429 [1] in
2018, stating that 'none of the encryption types it specifies should be
used'

Note that other outdated algorithms are left in place (some of which are
guarded by CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES), so this should only
adversely affect interoperability with Windows NT/2000 systems that have
not received any updates since 2008 (but are connected to a network
nonetheless)

[0] https://tools.ietf.org/html/rfc4757
[1] https://tools.ietf.org/html/rfc8429Signed-off-by: NArd Biesheuvel <ardb@kernel.org>
Acked-by: NJ. Bruce Fields <bfields@redhat.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Switch to the ARC4 library interface, to remove the pointless
dependency on the skcipher API, from which we will hopefully be
able to drop ecb(arc4) skcipher support.
Signed-off-by: NArd Biesheuvel <ardb@kernel.org>
Acked-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Switch to the ARC4 library interface, to remove the pointless
dependency on the skcipher API, from which we will hopefully be
able to drop ecb(arc4) skcipher support.
Signed-off-by: NArd Biesheuvel <ardb@kernel.org>
Acked-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The RNGB can generate 2^20 words (1 word == 4 byte) of 'random' data
after the seed pool was initialized. The pool needs to be reseeded if
more words are required. The reseeding is done automatically since
commit 3acd9ea9 ("hwrng: imx-rngc - use automatic seeding").

We can't retrieve the TRNG values directly so we need a other way to get
the quality level. We know that the PRNG uses 20.000 entropy samples
from the TRNG to generate 2^20 words (1MiB) and the quality level is
defined as (in bits of entropy per 1024 bits of input). So the quality
level can be calculated by:

   20.000 * 1024
   ------------- = ~ 19.5
        2^20
Signed-off-by: NMarco Felsch <m.felsch@pengutronix.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Return -EINVAL for authenc(hmac(sha1),cbc(aes)),
authenc(hmac(sha256),cbc(aes)) and authenc(hmac(sha512),cbc(aes))
if the cipher length is not multiple of the AES block.
This is to prevent an undefined device behaviour.

Fixes: d370cec3 ("crypto: qat - Intel(R) QAT crypto interface")
Cc: <stable@vger.kernel.org>
Signed-off-by: NDominik Przychodni <dominik.przychodni@intel.com>
[giovanni.cabiddu@intel.com: reworded commit message]
Signed-off-by: NGiovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Use traditional error check pattern
	ret = ...;
	if (ret)
		return ret;
	...
instead of checking error code to be 0.
Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: NIuliana Prodan <iuliana.prodan@nxp.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

x86_64 zero extends 32bit operations, so for 64bit operands,
XORL r32,r32 is functionally equal to XORQ r64,r64, but avoids
a REX prefix byte when legacy registers are used.
Signed-off-by: NUros Bizjak <ubizjak@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Acked-by: NJason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

x86_64 zero extends 32bit operations, so for 64bit operands,
XORL r32,r32 is functionally equal to XORL r64,r64, but avoids
a REX prefix byte when legacy registers are used.
Signed-off-by: NUros Bizjak <ubizjak@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Acked-by: NJason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Clang detects a warning for an assignment that doesn't really do
anything. Fix this by removing the offending piece of code.

Fixes: 7694b6ca ("crypto: sa2ul - Add crypto driver")
Reported-by: NNathan Chancellor <natechancellor@gmail.com>
Signed-off-by: NTero Kristo <t-kristo@ti.com>
Reviewed-by: NNathan Chancellor <natechancellor@gmail.com>
Tested-by: Nathan Chancellor <natechancellor@gmail.com> # build
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The endianness marking on the variable v in meson_cipher is wrong.
It is actually in CPU-order, not little-endian.

This patch fixes it.

Fixes: 3d041588 ("crypto: amlogic - enable working on big...")
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NCorentin Labbe <clabbe@baylibre.com>
Tested-by: NCorentin Labbe <clabbe@baylibre.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

At Steffen's request, I'll help maintain padata for the foreseeable
future.

While at it, let's have patches go to lkml too since the code is now
used outside of crypto.
Signed-off-by: NDaniel Jordan <daniel.m.jordan@oracle.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Acked-by: NSteffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Remove redundant memzero_explicit() in sun8i_ss_cipher() before calling
kfree_sensitive(). kfree_sensitive() will zero the memory with
memzero_explicit().

Fixes: 453431a5 ("mm, treewide: rename kzfree() to kfree_sensitive()")
Signed-off-by: NDenis Efremov <efremov@linux.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Use kfree_sensitive() instead of open-coding it.
Signed-off-by: NDenis Efremov <efremov@linux.com>
Acked-by: NCorentin Labbe <clabbe.montjoie@gmail.com>
Tested-by: NCorentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Use kfree_sensitive() instead of open-coding it.
Signed-off-by: NDenis Efremov <efremov@linux.com>
Acked-by: NCorentin Labbe <clabbe.montjoie@gmail.com>
Tested-by: NCorentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Use kfree_sensitive() instead of open-coding it.
Signed-off-by: NDenis Efremov <efremov@linux.com>
Tested-by: NCorentin Labbe <clabbe@baylibre.com>
Acked-by: NCorentin Labbe <clabbe@baylibre.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Use kfree_sensitive() instead of open-coding it.
Signed-off-by: NDenis Efremov <efremov@linux.com>
Acked-by: NAntoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Common pattern of handling deferred probe can be simplified with
dev_err_probe().  Less code and also it prints the error value.
Signed-off-by: NKrzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Common pattern of handling deferred probe can be simplified with
dev_err_probe().  Less code and also it prints the error value.
Signed-off-by: NKrzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Common pattern of handling deferred probe can be simplified with
dev_err_probe().  Less code and also it prints the error value.
Signed-off-by: NKrzysztof Kozlowski <krzk@kernel.org>
Acked-by: NHadar Gat <hadar.gat@arm.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch fixes a sparse endianness warning by changing crc32 to
__le32 instead of u32:

  CHECK   ../arch/powerpc/crypto/crc-vpmsum_test.c
../arch/powerpc/crypto/crc-vpmsum_test.c:102:39: warning: cast from restricted __le32
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch changes a couple u128's to be128 which is the correct
type to use and fixes a few sparse warnings.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NArd Biesheuvel <ardb@kernel.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds declarations for variables only used by assembly
code to silence compiler warnings:

  CC [M]  arch/arm64/crypto/sha1-ce-glue.o
  AS [M]  arch/arm64/crypto/sha1-ce-core.o
  CC [M]  arch/arm64/crypto/sha2-ce-glue.o
  AS [M]  arch/arm64/crypto/sha2-ce-core.o
  CHECK   ../arch/arm64/crypto/sha1-ce-glue.c
  CHECK   ../arch/arm64/crypto/sha2-ce-glue.c
../arch/arm64/crypto/sha1-ce-glue.c:38:11: warning: symbol 'sha1_ce_offsetof_count' was not declared. Should it be static?
../arch/arm64/crypto/sha1-ce-glue.c:39:11: warning: symbol 'sha1_ce_offsetof_finalize' was not declared. Should it be static?
../arch/arm64/crypto/sha2-ce-glue.c:38:11: warning: symbol 'sha256_ce_offsetof_count' was not declared. Should it be static?
../arch/arm64/crypto/sha2-ce-glue.c:40:11: warning: symbol 'sha256_ce_offsetof_finalize' was not declared. Should it be static?
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NArd Biesheuvel <ardb@kernel.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds a prototype for poly1305_blocks_neon to slience
a compiler warning:

  CC [M]  arch/arm/crypto/poly1305-glue.o
../arch/arm/crypto/poly1305-glue.c:25:13: warning: no previous prototype for `poly1305_blocks_neon' [-Wmissing-prototypes]
 void __weak poly1305_blocks_neon(void *state, const u8 *src, u32 len, u32 hibit)
             ^~~~~~~~~~~~~~~~~~~~
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NJason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch fixes most of the sparse endianness warnings in stm32.
The patch itself doesn't change anything apart from markings,
but there is some questionable code in stm32_cryp_check_ctr_counter.

That function operates on the counters as if they're in CPU order,
however, they're then written out as big-endian.  This looks like
a genuine bug.  Therefore I've left that warning alone until
someone can confirm that this really does work as intended on
little-endian.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

pm_runtime_get_sync() increments the runtime PM usage counter
even when it returns an error code. However, users of cc_pm_get(),
a direct wrapper of pm_runtime_get_sync(), assume that PM usage
counter will not change on error. Thus a pairing decrement is needed
on the error handling path to keep the counter balanced.

Fixes: 8c7849a3 ("crypto: ccree - simplify Runtime PM handling")
Signed-off-by: NDinghao Liu <dinghao.liu@zju.edu.cn>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch squashes all the sparse warnings in mediatek, some of
which appear to be genuine bugs.  In particular, previously on
BE the keys and IVs all get 32-bit swabbed which can't be right
because they don't get swabbed on LE.  I presume LE is the one
that actually works.

Another funky thing is that the GHASH key gets swabbed on LE.
This makes no sense but I'm presuming someone actually tested
this on LE so I'm preserving the swabbing.  Someone needs to
test this though as it is entirely possible that GCM is the
only thing that worked on BE but not LE.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

As we're already using Kconfig to disable 64-bit builds for this
driver, there is no point in doing it again in the source code.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Provide an error message for users when pci_request_mem_regions failed.
Signed-off-by: NGeorge Acosta <acostag.ubuntu@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

drivers/crypto/sa2ul.c: In function ‘sa_sha_init’:
drivers/crypto/sa2ul.c:1486:33: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
   crypto_ahash_digestsize(tfm), (u64)rctx);
                                 ^
./include/linux/dev_printk.h:123:47: note: in definition of macro ‘dev_dbg’
   dev_printk(KERN_DEBUG, dev, dev_fmt(fmt), ##__VA_ARGS__); \
                                               ^~~~~~~~~~~

Use %p to print rctx pointer.
Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch removes AHASH_REQUEST_ON_STACK which is unused.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NArd Biesheuvel <ardb@kernel.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the helper ahash_alg_instance which is used to
convert a crypto_ahash object into its corresponding ahash_instance.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the type-safe init_tfm/exit_tfm functions to the
ahash interface.  This is meant to replace the unsafe cra_init and
cra_exit interface.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Building ARM allmodconfig leads to the following warnings:

arch/arm/crypto/curve25519-glue.c:73:12: error: implicit declaration of function 'sg_copy_to_buffer' [-Werror=implicit-function-declaration]
arch/arm/crypto/curve25519-glue.c:74:9: error: implicit declaration of function 'sg_nents_for_len' [-Werror=implicit-function-declaration]
arch/arm/crypto/curve25519-glue.c:88:11: error: implicit declaration of function 'sg_copy_from_buffer' [-Werror=implicit-function-declaration]

Include <linux/scatterlist.h> to fix such warnings
Reported-by: NOlof's autobuilder <build@lixom.net>
Fixes: 0c3dc787 ("crypto: algapi - Remove skbuff.h inclusion")
Signed-off-by: NFabio Estevam <festevam@gmail.com>
Acked-by: NArd Biesheuvel <ardb@kernel.org>
Acked-by: NJason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The stm32 driver was missing a number of includes that we being
pulled in by unrelated header files.  As the indirect inclusion
went away, it now fails to build.

This patch adds the missing inclusions.
Reported-by: Nkernel test robot <lkp@intel.com>
Fixes: 0c3dc787 ("crypto: algapi - Remove skbuff.h inclusion")
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

When the devices are removed or not existing, the corresponding algorithms
which are registered by 'hisi-zip' driver can't be used.

Move 'hisi_zip_register_to_crypto' from 'hisi_zip_init' to
'hisi_zip_probe'. The algorithms will be registered to crypto only when
there is device bind on the driver. And when the devices are removed,
the algorithms will be unregistered.

In the previous process, the function 'xxx_register_to_crypto' need a lock
and a static variable to judge if the registration is the first time.
Move this action into the function 'hisi_qm_alg_register'. Each device
will call 'hisi_qm_alg_register' to add itself to qm list in probe process
and registering algs when the qm list is empty.
Signed-off-by: NYang Shen <shenyang39@huawei.com>
Reviewed-by: NZhou Wang <wangzhou1@hisilicon.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Call trace will appear in the Hisilicon crypto driver unbinding or
disabling SRIOV during task running with TFMs on the corresponding
function.
The log looks like this:
	[  293.908078] Call trace:
	[  293.908080]  __queue_work+0x494/0x548
	[  293.908081]  queue_work_on+0x84/0xd8
	[  293.908092]  qm_irq+0x4c/0xd0 [hisi_qm]
	[  293.908096]  __handle_irq_event_percpu+0x74/0x2a0
	[  293.908098]  handle_irq_event_percpu+0x40/0x98
	[  293.908099]  handle_irq_event+0x4c/0x80
	[  293.908101]  handle_fasteoi_irq+0xb0/0x170
	[  293.908102]  generic_handle_irq+0x3c/0x58
	[  293.908103]  __handle_domain_irq+0x68/0xc0
	[  293.908104]  gic_handle_irq+0xb4/0x298
	[  293.908105]  el1_irq+0xcc/0x180
	[  293.908107]  arch_cpu_idle+0x38/0x228
	[  293.908110]  default_idle_call+0x20/0x40
	[  293.908113]  do_idle+0x1cc/0x2b8
	[  293.908114]  cpu_startup_entry+0x2c/0x30
	[  293.908115]  rest_init+0xdc/0xe8
	[  293.908117]  arch_call_rest_init+0x14/0x1c
	[  293.908117]  start_kernel+0x490/0x4c4

This patch adds a waiting logic as user doing the above two operations
to avoid panic. The two operations will hold on in the driver
remove function until the tasks release all their relative TFMs.
Signed-off-by: NHui Tang <tanghui20@huawei.com>
Signed-off-by: NWeili Qian <qianweili@huawei.com>
Signed-off-by: NYang Shen <shenyang39@huawei.com>
Reviewed-by: NZhou Wang <wangzhou1@hisilicon.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Since the drivers such as HPRE/SEC/ZIP do not implement
'pci_driver.shutdow', a RAS will be triggered at OS rebooting or shutting
down as the hardware device is processing request.
The log looks like this:
	NOTICE:  [NimbusSecNodeType1]:[2372L]This is sec, Base = 0x141800000
	NOTICE:  [NimbusSecHandle]:[2319L] SecIntSt = 0x3
	NOTICE:  [NimbusSecHandle]:[2320L] SecQmIntStatus = 0x2
	NOTICE:  [PrintSecurityType]:[344L] SecurityType is RECOVERABLE!

This patch offers a new API in qm to shutdown devices, and add shutdown
callbacks in ACC driver based on this new API.

So the running devices will be stopped when the OS reboot or shutdown.
Signed-off-by: NYang Shen <shenyang39@huawei.com>
Reviewed-by: NZhou Wang <wangzhou1@hisilicon.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

When PF FLR, the hardware will actively trigger the VF FLR. Configuration
space of VF needs to be saved and restored to ensure that it is available
after the PF FLR.

Fixes: 7ce396fa("crypto: hisilicon - add FLR support")
Signed-off-by: NShukun Tan <tanshukun1@huawei.com>
Signed-off-by: NYang Shen <shenyang39@huawei.com>
Reviewed-by: NZhou Wang <wangzhou1@hisilicon.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Now, there are three reasons of stopping: 'NORMAL', 'SOFT_RESET' and 'FLR'.
In order to keep this, explicitly pass the stop reason as an input
parameter of 'hisi_qm_stop' function.

Fixes: b67202e8("crypto: hisilicon/qm - add state machine for QM")
Signed-off-by: NShukun Tan <tanshukun1@huawei.com>
Signed-off-by: NYang Shen <shenyang39@huawei.com>
Reviewed-by: NZhou Wang <wangzhou1@hisilicon.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>