]> git.ipfire.org Git - thirdparty/kernel/stable.git/log
thirdparty/kernel/stable.git
5 years agocrypto: chacha20poly1305 - prevent integer overflow on large input
Jason A. Donenfeld [Thu, 6 Feb 2020 11:42:01 +0000 (12:42 +0100)] 
crypto: chacha20poly1305 - prevent integer overflow on large input

This code assigns src_len (size_t) to sl (int), which causes problems
when src_len is very large. Probably nobody in the kernel should be
passing this much data to chacha20poly1305 all in one go anyway, so I
don't think we need to change the algorithm or introduce larger types
or anything. But we should at least error out early in this case and
print a warning so that we get reports if this does happen and can look
into why anybody is possibly passing it that much data or if they're
accidently passing -1 or similar.

Fixes: d95312a3ccc0 ("crypto: lib/chacha20poly1305 - reimplement crypt_from_sg() routine")
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: stable@vger.kernel.org # 5.5+
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agotee: amdtee: amdtee depends on CRYPTO_DEV_CCP_DD
Hongbo Yao [Wed, 22 Jan 2020 09:12:38 +0000 (17:12 +0800)] 
tee: amdtee: amdtee depends on CRYPTO_DEV_CCP_DD

If CRYPTO_DEV_CCP_DD=m and AMDTEE=y, the following error is seen
while building call.c or core.c

drivers/tee/amdtee/call.o: In function `handle_unload_ta':
call.c:(.text+0x35f): undefined reference to `psp_tee_process_cmd'
drivers/tee/amdtee/core.o: In function `amdtee_driver_init':
core.c:(.init.text+0xf): undefined reference to `psp_check_tee_status

Fix the config dependency for AMDTEE here.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Signed-off-by: Hongbo Yao <yaohongbo@huawei.com>
Reviewed-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: Kconfig - allow tests to be disabled when manager is disabled
Jason A. Donenfeld [Fri, 17 Jan 2020 11:01:36 +0000 (12:01 +0100)] 
crypto: Kconfig - allow tests to be disabled when manager is disabled

The library code uses CRYPTO_MANAGER_DISABLE_TESTS to conditionalize its
tests, but the library code can also exist without CRYPTO_MANAGER. That
means on minimal configs, the test code winds up being built with no way
to disable it.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: arm/chacha - fix build failured when kernel mode NEON is disabled
Ard Biesheuvel [Fri, 17 Jan 2020 16:43:18 +0000 (17:43 +0100)] 
crypto: arm/chacha - fix build failured when kernel mode NEON is disabled

When the ARM accelerated ChaCha driver is built as part of a configuration
that has kernel mode NEON disabled, we expect the compiler to propagate
the build time constant expression IS_ENABLED(CONFIG_KERNEL_MODE_NEON) in
a way that eliminates all the cross-object references to the actual NEON
routines, which allows the chacha-neon-core.o object to be omitted from
the build entirely.

Unfortunately, this fails to work as expected in some cases, and we may
end up with a build error such as

  chacha-glue.c:(.text+0xc0): undefined reference to `chacha_4block_xor_neon'

caused by the fact that chacha_doneon() has not been eliminated from the
object code, even though it will never be called in practice.

Let's fix this by adding some IS_ENABLED(CONFIG_KERNEL_MODE_NEON) tests
that are not strictly needed from a logical point of view, but should
help the compiler infer that the NEON code paths are unreachable in
those cases.

Fixes: b36d8c09e710c71f ("crypto: arm/chacha - remove dependency on generic ...")
Reported-by: Russell King <linux@armlinux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: caam - add support for i.MX8M Plus
Horia Geantă [Fri, 17 Jan 2020 14:35:13 +0000 (16:35 +0200)] 
crypto: caam - add support for i.MX8M Plus

Add support for the crypto engine used in i.mx8mp (i.MX 8M "Plus"),
which is very similar to the one used in i.mx8mq, i.mx8mm, i.mx8mn.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: x86/poly1305 - emit does base conversion itself
Jason A. Donenfeld [Fri, 17 Jan 2020 10:42:22 +0000 (11:42 +0100)] 
crypto: x86/poly1305 - emit does base conversion itself

The emit code does optional base conversion itself in assembly, so we
don't need to do that here. Also, neither one of these functions uses
simd instructions, so checking for that doesn't make sense either.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - fix spelling mistake "disgest" -> "digest"
Colin Ian King [Fri, 17 Jan 2020 09:28:19 +0000 (09:28 +0000)] 
crypto: hisilicon - fix spelling mistake "disgest" -> "digest"

There is a spelling mistake in an error message. Fix it.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: chacha20poly1305 - add back missing test vectors and test chunking
Jason A. Donenfeld [Thu, 16 Jan 2020 20:26:34 +0000 (21:26 +0100)] 
crypto: chacha20poly1305 - add back missing test vectors and test chunking

When this was originally ported, the 12-byte nonce vectors were left out
to keep things simple. I agree that we don't need nor want a library
interface for 12-byte nonces. But these test vectors were specially
crafted to look at issues in the underlying primitives and related
interactions.  Therefore, we actually want to keep around all of the
test vectors, and simply have a helper function to test them with.

Secondly, the sglist-based chunking code in the library interface is
rather complicated, so this adds a developer-only test for ensuring that
all the book keeping is correct, across a wide array of possibilities.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: x86/poly1305 - fix .gitignore typo
Jason A. Donenfeld [Thu, 16 Jan 2020 17:23:55 +0000 (18:23 +0100)] 
crypto: x86/poly1305 - fix .gitignore typo

Admist the kbuild robot induced changes, the .gitignore file for the
generated file wasn't updated with the non-clashing filename. This
commit adjusts that.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agotee: fix memory allocation failure checks on drv_data and amdtee
Colin Ian King [Thu, 16 Jan 2020 15:48:52 +0000 (15:48 +0000)] 
tee: fix memory allocation failure checks on drv_data and amdtee

Currently the memory allocation failure checks on drv_data and
amdtee are using IS_ERR rather than checking for a null pointer.
Fix these checks to use the conventional null pointer check.

Addresses-Coverity: ("Dereference null return")
Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccree - erase unneeded inline funcs
Gilad Ben-Yossef [Thu, 16 Jan 2020 10:14:46 +0000 (12:14 +0200)] 
crypto: ccree - erase unneeded inline funcs

These inline versions of PM function for the case of CONFIG_PM is
not set are never used. Erase them.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccree - make cc_pm_put_suspend() void
Gilad Ben-Yossef [Thu, 16 Jan 2020 10:14:45 +0000 (12:14 +0200)] 
crypto: ccree - make cc_pm_put_suspend() void

cc_pm_put_suspend() return value was never checked and is not
useful. Turn it into a void functions.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccree - split overloaded usage of irq field
Gilad Ben-Yossef [Thu, 16 Jan 2020 10:14:44 +0000 (12:14 +0200)] 
crypto: ccree - split overloaded usage of irq field

We were using the irq field of the drvdata struct in
an overloaded fahsion - saving the IRQ number during init
and then storing the pending itnerrupt sources during
interrupt in the same field.

This worked because these usage are mutually exclusive but
are confusing. So simplify the code and change the init use
case to use a simple local variable.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccree - fix PM race condition
Gilad Ben-Yossef [Thu, 16 Jan 2020 10:14:43 +0000 (12:14 +0200)] 
crypto: ccree - fix PM race condition

The PM code was racy, possibly causing the driver to submit
requests to a powered down device. Fix the race and while
at it simplify the PM code.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Fixes: 1358c13a48c4 ("crypto: ccree - fix resume race condition on init")
Cc: stable@kernel.org # v4.20
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccree - fix FDE descriptor sequence
Ofir Drang [Thu, 16 Jan 2020 10:14:42 +0000 (12:14 +0200)] 
crypto: ccree - fix FDE descriptor sequence

In FDE mode (xts, essiv and bitlocker) the cryptocell hardware requires
that the the XEX key will be loaded after Key1.

Signed-off-by: Ofir Drang <ofir.drang@arm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccree - cc_do_send_request() is void func
Gilad Ben-Yossef [Thu, 16 Jan 2020 10:14:41 +0000 (12:14 +0200)] 
crypto: ccree - cc_do_send_request() is void func

cc_do_send_request() cannot fail and always returns
-EINPROGRESS. Turn it into a void function and simplify
code.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccree - fix pm wrongful error reporting
Gilad Ben-Yossef [Thu, 16 Jan 2020 10:14:40 +0000 (12:14 +0200)] 
crypto: ccree - fix pm wrongful error reporting

pm_runtime_get_sync() can return 1 as a valid (none error) return
code. Treat it as such.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccree - turn errors to debug msgs
Gilad Ben-Yossef [Thu, 16 Jan 2020 10:14:39 +0000 (12:14 +0200)] 
crypto: ccree - turn errors to debug msgs

We have several loud error log messages that are already reported
via the normal return code mechanism and produce a lot of noise
when the new testmgr extra test are enabled. Turn these into
debug only messages

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccree - fix AEAD decrypt auth fail
Gilad Ben-Yossef [Thu, 16 Jan 2020 10:14:38 +0000 (12:14 +0200)] 
crypto: ccree - fix AEAD decrypt auth fail

On AEAD decryption authentication failure we are suppose to
zero out the output plaintext buffer. However, we've missed
skipping the optional associated data that may prefix the
ciphertext. This commit fixes this issue.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Fixes: e88b27c8eaa8 ("crypto: ccree - use std api sg_zero_buffer")
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccree - fix typo in comment
Hadar Gat [Thu, 16 Jan 2020 10:14:37 +0000 (12:14 +0200)] 
crypto: ccree - fix typo in comment

Fixed a typo in a commnet.

Signed-off-by: Hadar Gat <hadar.gat@arm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccree - fix typos in error msgs
Hadar Gat [Thu, 16 Jan 2020 10:14:36 +0000 (12:14 +0200)] 
crypto: ccree - fix typos in error msgs

Fixed typos in ccree error msgs.

Signed-off-by: Hadar Gat <hadar.gat@arm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: atmel-{aes,sha,tdes} - Retire crypto_platform_data
Tudor Ambarus [Wed, 15 Jan 2020 12:53:53 +0000 (12:53 +0000)] 
crypto: atmel-{aes,sha,tdes} - Retire crypto_platform_data

These drivers no longer need it as they are only probed via DT.
crypto_platform_data was allocated but unused, so remove it.
This is a follow up for:
commit 45a536e3a7e0 ("crypto: atmel-tdes - Retire dma_request_slave_channel_compat()")
commit db28512f48e2 ("crypto: atmel-sha - Retire dma_request_slave_channel_compat()")
commit 62f72cbdcf02 ("crypto: atmel-aes - Retire dma_request_slave_channel_compat()")

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: x86/sha - Eliminate casts on asm implementations
Kees Cook [Wed, 15 Jan 2020 03:57:29 +0000 (19:57 -0800)] 
crypto: x86/sha - Eliminate casts on asm implementations

In order to avoid CFI function prototype mismatches, this removes the
casts on assembly implementations of sha1/256/512 accelerators. The
safety checks from BUILD_BUG_ON() remain.

Additionally, this renames various arguments for clarity, as suggested
by Eric Biggers.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: chtls - Fixed listen fail when max stid range reached
Vinay Kumar Yadav [Tue, 14 Jan 2020 12:28:48 +0000 (17:58 +0530)] 
crypto: chtls - Fixed listen fail when max stid range reached

Do not return error when max stid reached, to Fallback to nic mode.

Signed-off-by: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: chtls - Corrected function call context
Vinay Kumar Yadav [Tue, 14 Jan 2020 12:28:47 +0000 (17:58 +0530)] 
crypto: chtls - Corrected function call context

corrected function call context and moved t4_defer_reply
to apropriate location.

Signed-off-by: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: caam/qi2 - fix typo in algorithm's driver name
Horia Geantă [Mon, 13 Jan 2020 08:54:35 +0000 (10:54 +0200)] 
crypto: caam/qi2 - fix typo in algorithm's driver name

Fixes: 8d818c105501 ("crypto: caam/qi2 - add DPAA2-CAAM driver")
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: essiv - fix AEAD capitalization and preposition use in help text
Geert Uytterhoeven [Sun, 12 Jan 2020 16:58:58 +0000 (17:58 +0100)] 
crypto: essiv - fix AEAD capitalization and preposition use in help text

"AEAD" is capitalized everywhere else.
Use "an" when followed by a written or spoken vowel.

Fixes: be1eb7f78aa8fbe3 ("crypto: essiv - create wrapper template for ESSIV generation")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - add branch prediction macro
Zaibo Xu [Sat, 11 Jan 2020 08:58:18 +0000 (16:58 +0800)] 
crypto: hisilicon - add branch prediction macro

This branch prediction macro on the hot path can improve
small performance(about 2%) according to the test.

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - adjust hpre_crt_para_get
Zaibo Xu [Sat, 11 Jan 2020 08:58:17 +0000 (16:58 +0800)] 
crypto: hisilicon - adjust hpre_crt_para_get

Reorder the input parameters of hpre_crt_para_get to
make it cleaner.

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - Fixed some tiny bugs of HPRE
Zaibo Xu [Sat, 11 Jan 2020 08:58:16 +0000 (16:58 +0800)] 
crypto: hisilicon - Fixed some tiny bugs of HPRE

1.Use memzero_explicit to clear key;
2.Fix some little endian writings;
3.Fix some other bugs and stuff of code style;

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - Bugfixed tfm leak
Zaibo Xu [Sat, 11 Jan 2020 08:58:15 +0000 (16:58 +0800)] 
crypto: hisilicon - Bugfixed tfm leak

1.Fixed the bug of software tfm leakage.
2.Update HW error log message.

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - Add aead support on SEC2
Zaibo Xu [Sat, 11 Jan 2020 02:41:56 +0000 (10:41 +0800)] 
crypto: hisilicon - Add aead support on SEC2

authenc(hmac(sha1),cbc(aes)), authenc(hmac(sha256),cbc(aes)), and
authenc(hmac(sha512),cbc(aes)) support are added for SEC v2.

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - redefine skcipher initiation
Zaibo Xu [Sat, 11 Jan 2020 02:41:55 +0000 (10:41 +0800)] 
crypto: hisilicon - redefine skcipher initiation

1.Define base initiation of QP for context which can be reused.
2.Define cipher initiation for other algorithms.

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - Add branch prediction macro
Zaibo Xu [Sat, 11 Jan 2020 02:41:54 +0000 (10:41 +0800)] 
crypto: hisilicon - Add branch prediction macro

After adding branch prediction for skcipher hot path,
a little bit income of performance is gotten.

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - Add callback error check
Zaibo Xu [Sat, 11 Jan 2020 02:41:53 +0000 (10:41 +0800)] 
crypto: hisilicon - Add callback error check

Add error type parameter for call back checking inside.

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - Adjust some inner logic
Zaibo Xu [Sat, 11 Jan 2020 02:41:52 +0000 (10:41 +0800)] 
crypto: hisilicon - Adjust some inner logic

1.Adjust call back function.
2.Adjust parameter checking function.

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - Update QP resources of SEC V2
Zaibo Xu [Sat, 11 Jan 2020 02:41:51 +0000 (10:41 +0800)] 
crypto: hisilicon - Update QP resources of SEC V2

1.Put resource including request and resource list into
  QP context structure to avoid allocate memory repeatedly.
2.Add max context queue number to void kcalloc large memory for QP context.
3.Remove the resource allocation operation.
4.Redefine resource allocation APIs to be shared by other algorithms.
5.Move resource allocation and free inner functions out of
  operations 'struct sec_req_op', and they are called directly.

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - Update some names on SEC V2
Zaibo Xu [Sat, 11 Jan 2020 02:41:50 +0000 (10:41 +0800)] 
crypto: hisilicon - Update some names on SEC V2

1.Adjust dma map function to be reused by AEAD algorithms;
2.Update some names of internal functions and variables to
  support AEAD algorithms;
3.Rename 'sec_skcipher_exit' as 'sec_skcipher_uninit';
4.Rename 'sec_get/put_queue_id' as 'sec_alloc/free_queue_id';

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - fix print/comment of SEC V2
Zaibo Xu [Sat, 11 Jan 2020 02:41:49 +0000 (10:41 +0800)] 
crypto: hisilicon - fix print/comment of SEC V2

Fixed some print, coding style and comments of HiSilicon SEC V2.

Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hisilicon - Update debugfs usage of SEC V2
Zaibo Xu [Sat, 11 Jan 2020 02:41:48 +0000 (10:41 +0800)] 
crypto: hisilicon - Update debugfs usage of SEC V2

Applied some advices of Marco Elver on atomic usage of Debugfs,
which is carried out by basing on Arnd Bergmann's fixing patch.

Reported-by: Arnd Bergmann <arnd@arndb.de>
Reported-by: Marco Elver <elver@google.com>
Signed-off-by: Zaibo Xu <xuzaibo@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agotee: amdtee: remove redundant NULL check for pool
Rijo Thomas [Thu, 9 Jan 2020 12:53:22 +0000 (18:23 +0530)] 
tee: amdtee: remove redundant NULL check for pool

Remove NULL check for pool variable, since in the current
code path it is guaranteed to be non-NULL.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agotee: amdtee: rename err label to err_device_unregister
Rijo Thomas [Thu, 9 Jan 2020 12:53:21 +0000 (18:23 +0530)] 
tee: amdtee: rename err label to err_device_unregister

Rename err label to err_device_unregister for better
readability.

Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agotee: amdtee: skip tee_device_unregister if tee_device_alloc fails
Rijo Thomas [Thu, 9 Jan 2020 12:53:20 +0000 (18:23 +0530)] 
tee: amdtee: skip tee_device_unregister if tee_device_alloc fails

Currently, if tee_device_alloc() fails, then tee_device_unregister()
is a no-op. Therefore, skip the function call to tee_device_unregister() by
introducing a new goto label 'err_free_pool'.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agotee: amdtee: print error message if tee not present
Rijo Thomas [Thu, 9 Jan 2020 12:53:19 +0000 (18:23 +0530)] 
tee: amdtee: print error message if tee not present

If there is no TEE with which the driver can communicate, then
print an error message and return.

Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agotee: amdtee: remove unused variable initialization
Rijo Thomas [Thu, 9 Jan 2020 12:53:18 +0000 (18:23 +0530)] 
tee: amdtee: remove unused variable initialization

Remove unused variable initialization from driver code.

If enabled as a compiler option, compiler may throw warning for
unused assignments.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: vmx - reject xts inputs that are too short
Daniel Axtens [Wed, 8 Jan 2020 05:06:46 +0000 (16:06 +1100)] 
crypto: vmx - reject xts inputs that are too short

When the kernel XTS implementation was extended to deal with ciphertext
stealing in commit 8083b1bf8163 ("crypto: xts - add support for ciphertext
stealing"), a check was added to reject inputs that were too short.

However, in the vmx enablement - commit 239668419349 ("crypto: vmx/xts -
use fallback for ciphertext stealing"), that check wasn't added to the
vmx implementation. This disparity leads to errors like the following:

alg: skcipher: p8_aes_xts encryption unexpectedly succeeded on test vector "random: len=0 klen=64"; expected_error=-22, cfg="random: inplace may_sleep use_finup src_divs=[<flush>66.99%@+10, 33.1%@alignmask+1155]"

Return -EINVAL if asked to operate with a cryptlen smaller than the AES
block size. This brings vmx in line with the generic implementation.

Reported-by: Erhard Furtner <erhard_f@mailbox.org>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=206049
Fixes: 239668419349 ("crypto: vmx/xts - use fallback for ciphertext stealing")
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: stable@vger.kernel.org # v5.4+
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[dja: commit message]
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: curve25519 - Fix selftest build error
Herbert Xu [Wed, 8 Jan 2020 04:37:35 +0000 (12:37 +0800)] 
crypto: curve25519 - Fix selftest build error

If CRYPTO_CURVE25519 is y, CRYPTO_LIB_CURVE25519_GENERIC will be
y, but CRYPTO_LIB_CURVE25519 may be set to m, this causes build
errors:

lib/crypto/curve25519-selftest.o: In function `curve25519':
curve25519-selftest.c:(.text.unlikely+0xc): undefined reference to `curve25519_arch'
lib/crypto/curve25519-selftest.o: In function `curve25519_selftest':
curve25519-selftest.c:(.init.text+0x17e): undefined reference to `curve25519_base_arch'

This is because the curve25519 self-test code is being controlled
by the GENERIC option rather than the overall CURVE25519 option,
as is the case with blake2s.  To recap, the GENERIC and ARCH options
for CURVE25519 are internal only and selected by users such as
the Crypto API, or the externally visible CURVE25519 option which
in turn is selected by wireguard.  The self-test is specific to the
the external CURVE25519 option and should not be enabled by the
Crypto API.

This patch fixes this by splitting the GENERIC module from the
CURVE25519 module with the latter now containing just the self-test.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: aa127963f1ca ("crypto: lib/curve25519 - re-add selftests")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: caam - add support for i.MX8M Nano
Horia Geantă [Mon, 6 Jan 2020 20:01:53 +0000 (22:01 +0200)] 
crypto: caam - add support for i.MX8M Nano

Add support for the crypto engine used in i.mx8mn (i.MX 8M "Nano"),
which is very similar to the one used in i.mx8mq, i.mx8mm.

Since the clocks are identical for all members of i.MX 8M family,
simplify the SoC <--> clock array mapping table.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Tested-by: Iuliana Prodan <iuliana.prodan@nxp.com>
Reviewed-by: Iuliana Prodan <iuliana.prodan@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: sun8i-ce - remove dead code
Corentin Labbe [Mon, 6 Jan 2020 19:32:08 +0000 (20:32 +0100)] 
crypto: sun8i-ce - remove dead code

Some code were left in the final driver but without any use.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: sun8i-ce - fix removal of module
Corentin Labbe [Mon, 6 Jan 2020 19:30:53 +0000 (20:30 +0100)] 
crypto: sun8i-ce - fix removal of module

Removing the driver cause an oops due to the fact we clean an extra
channel.
Let's give the right index to the cleaning function.

Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine")
Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: amlogic - fix removal of module
Corentin Labbe [Mon, 6 Jan 2020 19:29:50 +0000 (20:29 +0100)] 
crypto: amlogic - fix removal of module

Removing the driver cause an oops due to the fact we clean an extra
channel.
Let's give the right index to the cleaning function.
Fixes: 48fe583fe541 ("crypto: amlogic - Add crypto accelerator for amlogic GXL")
Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: sun8i-ss - fix removal of module
Corentin Labbe [Mon, 6 Jan 2020 19:28:52 +0000 (20:28 +0100)] 
crypto: sun8i-ss - fix removal of module

Removing the driver cause an oops due to the fact we clean an extra
channel.
Let's give the right index to the cleaning function.
Fixes: f08fcced6d00 ("crypto: allwinner - Add sun8i-ss cryptographic offloader")
Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: {arm,arm64,mips}/poly1305 - remove redundant non-reduction from emit
Jason A. Donenfeld [Mon, 6 Jan 2020 03:40:49 +0000 (22:40 -0500)] 
crypto: {arm,arm64,mips}/poly1305 - remove redundant non-reduction from emit

This appears to be some kind of copy and paste error, and is actually
dead code.

Pre: f = 0 ⇒ (f >> 32) = 0
    f = (f >> 32) + le32_to_cpu(digest[0]);
Post: 0 ≤ f < 2³²
    put_unaligned_le32(f, dst);

Pre: 0 ≤ f < 2³² ⇒ (f >> 32) = 0
    f = (f >> 32) + le32_to_cpu(digest[1]);
Post: 0 ≤ f < 2³²
    put_unaligned_le32(f, dst + 4);

Pre: 0 ≤ f < 2³² ⇒ (f >> 32) = 0
    f = (f >> 32) + le32_to_cpu(digest[2]);
Post: 0 ≤ f < 2³²
    put_unaligned_le32(f, dst + 8);

Pre: 0 ≤ f < 2³² ⇒ (f >> 32) = 0
    f = (f >> 32) + le32_to_cpu(digest[3]);
Post: 0 ≤ f < 2³²
    put_unaligned_le32(f, dst + 12);

Therefore this sequence is redundant. And Andy's code appears to handle
misalignment acceptably.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Tested-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: x86/poly1305 - wire up faster implementations for kernel
Jason A. Donenfeld [Mon, 6 Jan 2020 03:40:48 +0000 (22:40 -0500)] 
crypto: x86/poly1305 - wire up faster implementations for kernel

These x86_64 vectorized implementations support AVX, AVX-2, and AVX512F.
The AVX-512F implementation is disabled on Skylake, due to throttling,
but it is quite fast on >= Cannonlake.

On the left is cycle counts on a Core i7 6700HQ using the AVX-2
codepath, comparing this implementation ("new") to the implementation in
the current crypto api ("old"). On the right are benchmarks on a Xeon
Gold 5120 using the AVX-512 codepath. The new implementation is faster
on all benchmarks.

        AVX-2                  AVX-512
      ---------              -----------

    size    old     new      size   old     new
    ----    ----    ----     ----   ----    ----
    0       70      68       0      74      70
    16      92      90       16     96      92
    32      134     104      32     136     106
    48      172     120      48     184     124
    64      218     136      64     218     138
    80      254     158      80     260     160
    96      298     174      96     300     176
    112     342     192      112    342     194
    128     388     212      128    384     212
    144     428     228      144    420     226
    160     466     246      160    464     248
    176     510     264      176    504     264
    192     550     282      192    544     282
    208     594     302      208    582     300
    224     628     316      224    624     318
    240     676     334      240    662     338
    256     716     354      256    708     358
    272     764     374      272    748     372
    288     802     352      288    788     358
    304     420     366      304    422     370
    320     428     360      320    432     364
    336     484     378      336    486     380
    352     426     384      352    434     390
    368     478     400      368    480     408
    384     488     394      384    490     398
    400     542     408      400    542     412
    416     486     416      416    492     426
    432     534     430      432    538     436
    448     544     422      448    546     432
    464     600     438      464    600     448
    480     540     448      480    548     456
    496     594     464      496    594     476
    512     602     456      512    606     470
    528     656     476      528    656     480
    544     600     480      544    606     498
    560     650     494      560    652     512
    576     664     490      576    662     508
    592     714     508      592    716     522
    608     656     514      608    664     538
    624     708     532      624    710     552
    640     716     524      640    720     516
    656     770     536      656    772     526
    672     716     548      672    722     544
    688     770     562      688    768     556
    704     774     552      704    778     556
    720     826     568      720    832     568
    736     768     574      736    780     584
    752     822     592      752    826     600
    768     830     584      768    836     560
    784     884     602      784    888     572
    800     828     610      800    838     588
    816     884     628      816    884     604
    832     888     618      832    894     598
    848     942     632      848    946     612
    864     884     644      864    896     628
    880     936     660      880    942     644
    896     948     652      896    952     608
    912     1000    664      912    1004    616
    928     942     676      928    954     634
    944     994     690      944    1000    646
    960     1002    680      960    1008    646
    976     1054    694      976    1062    658
    992     1002    706      992    1012    674
    1008    1052    720      1008   1058    690

This commit wires in the prior implementation from Andy, and makes the
following changes to be suitable for kernel land.

  - Some cosmetic and structural changes, like renaming labels to
    .Lname, constants, and other Linux conventions, as well as making
    the code easy for us to maintain moving forward.

  - CPU feature checking is done in C by the glue code.

  - We avoid jumping into the middle of functions, to appease objtool,
    and instead parameterize shared code.

  - We maintain frame pointers so that stack traces make sense.

  - We remove the dependency on the perl xlate code, which transforms
    the output into things that assemblers we don't care about use.

Importantly, none of our changes affect the arithmetic or core code, but
just involve the differing environment of kernel space.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
Co-developed-by: Samuel Neves <sneves@dei.uc.pt>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: x86/poly1305 - import unmodified cryptogams implementation
Jason A. Donenfeld [Mon, 6 Jan 2020 03:40:47 +0000 (22:40 -0500)] 
crypto: x86/poly1305 - import unmodified cryptogams implementation

These x86_64 vectorized implementations come from Andy Polyakov's
CRYPTOGAMS implementation, and are included here in raw form without
modification, so that subsequent commits that fix these up for the
kernel can see how it has changed.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: poly1305 - add new 32 and 64-bit generic versions
Jason A. Donenfeld [Mon, 6 Jan 2020 03:40:46 +0000 (22:40 -0500)] 
crypto: poly1305 - add new 32 and 64-bit generic versions

These two C implementations from Zinc -- a 32x32 one and a 64x64 one,
depending on the platform -- come from Andrew Moon's public domain
poly1305-donna portable code, modified for usage in the kernel. The
precomputation in the 32-bit version and the use of 64x64 multiplies in
the 64-bit version make these perform better than the code it replaces.
Moon's code is also very widespread and has received many eyeballs of
scrutiny.

There's a bit of interference between the x86 implementation, which
relies on internal details of the old scalar implementation. In the next
commit, the x86 implementation will be replaced with a faster one that
doesn't rely on this, so none of this matters much. But for now, to keep
this passing the tests, we inline the bits of the old implementation
that the x86 implementation relied on. Also, since we now support a
slightly larger key space, via the union, some offsets had to be fixed
up.

Nonce calculation was folded in with the emit function, to take
advantage of 64x64 arithmetic. However, Adiantum appeared to rely on no
nonce handling in emit, so this path was conditionalized. We also
introduced a new struct, poly1305_core_key, to represent the precise
amount of space that particular implementation uses.

Testing with kbench9000, depending on the CPU, the update function for
the 32x32 version has been improved by 4%-7%, and for the 64x64 by
19%-30%. The 32x32 gains are small, but I think there's great value in
having a parallel implementation to the 64x64 one so that the two can be
compared side-by-side as nice stand-alone units.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Herbert Xu [Thu, 16 Jan 2020 07:17:08 +0000 (15:17 +0800)] 
Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

Merge crypto tree to pick up hisilicon patch.

5 years agocrypto: exynos-rng - Rename Exynos to lowercase
Krzysztof Kozlowski [Sat, 4 Jan 2020 15:20:59 +0000 (16:20 +0100)] 
crypto: exynos-rng - Rename Exynos to lowercase

Fix up inconsistent usage of upper and lowercase letters in "Exynos"
name.

"EXYNOS" is not an abbreviation but a regular trademarked name.
Therefore it should be written with lowercase letters starting with
capital letter.

The lowercase "Exynos" name is promoted by its manufacturer Samsung
Electronics Co., Ltd., in advertisement materials and on website.

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: chelsio - Resetting crypto counters during the driver unregister
Ayush Sawal [Fri, 3 Jan 2020 04:56:51 +0000 (10:26 +0530)] 
crypto: chelsio - Resetting crypto counters during the driver unregister

Signed-off-by: Ayush Sawal <ayush.sawal@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: algapi - enforce that all instances have a ->free() method
Eric Biggers [Fri, 3 Jan 2020 04:04:40 +0000 (20:04 -0800)] 
crypto: algapi - enforce that all instances have a ->free() method

All instances need to have a ->free() method, but people could forget to
set it and then not notice if the instance is never unregistered.  To
help detect this bug earlier, don't allow an instance without a ->free()
method to be registered, and complain loudly if someone tries to do it.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: algapi - remove crypto_template::{alloc,free}()
Eric Biggers [Fri, 3 Jan 2020 04:04:39 +0000 (20:04 -0800)] 
crypto: algapi - remove crypto_template::{alloc,free}()

Now that all templates provide a ->create() method which creates an
instance, installs a strongly-typed ->free() method directly to it, and
registers it, the older ->alloc() and ->free() methods in
'struct crypto_template' are no longer used.  Remove them.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: shash - convert shash_free_instance() to new style
Eric Biggers [Fri, 3 Jan 2020 04:04:38 +0000 (20:04 -0800)] 
crypto: shash - convert shash_free_instance() to new style

Convert shash_free_instance() and its users to the new way of freeing
instances, where a ->free() method is installed to the instance struct
itself.  This replaces the weakly-typed method crypto_template::free().

This will allow removing support for the old way of freeing instances.

Also give shash_free_instance() a more descriptive name to reflect that
it's only for instances with a single spawn, not for any instance.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: cryptd - convert to new way of freeing instances
Eric Biggers [Fri, 3 Jan 2020 04:04:37 +0000 (20:04 -0800)] 
crypto: cryptd - convert to new way of freeing instances

Convert the "cryptd" template to the new way of freeing instances, where
a ->free() method is installed to the instance struct itself.  This
replaces the weakly-typed method crypto_template::free().

This will allow removing support for the old way of freeing instances.

Note that the 'default' case in cryptd_free() was already unreachable.
So, we aren't missing anything by keeping only the ahash and aead parts.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: geniv - convert to new way of freeing instances
Eric Biggers [Fri, 3 Jan 2020 04:04:36 +0000 (20:04 -0800)] 
crypto: geniv - convert to new way of freeing instances

Convert the "seqiv" template to the new way of freeing instances where a
->free() method is installed to the instance struct itself.  Also remove
the unused implementation of the old way of freeing instances from the
"echainiv" template, since it's already using the new way too.

In doing this, also simplify the code by making the helper function
aead_geniv_alloc() install the ->free() method, instead of making seqiv
and echainiv do this themselves.  This is analogous to how
skcipher_alloc_instance_simple() works.

This will allow removing support for the old way of freeing instances.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hash - add support for new way of freeing instances
Eric Biggers [Fri, 3 Jan 2020 04:04:35 +0000 (20:04 -0800)] 
crypto: hash - add support for new way of freeing instances

Add support to shash and ahash for the new way of freeing instances
(already used for skcipher, aead, and akcipher) where a ->free() method
is installed to the instance struct itself.  These methods are more
strongly-typed than crypto_template::free(), which they replace.

This will allow removing support for the old way of freeing instances.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: algapi - fold crypto_init_spawn() into crypto_grab_spawn()
Eric Biggers [Fri, 3 Jan 2020 03:59:08 +0000 (19:59 -0800)] 
crypto: algapi - fold crypto_init_spawn() into crypto_grab_spawn()

Now that crypto_init_spawn() is only called by crypto_grab_spawn(),
simplify things by moving its functionality into crypto_grab_spawn().

In the process of doing this, also be more consistent about when the
spawn and instance are updated, and remove the crypto_spawn::dropref
flag since now it's always set.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ahash - unexport crypto_ahash_type
Eric Biggers [Fri, 3 Jan 2020 03:59:07 +0000 (19:59 -0800)] 
crypto: ahash - unexport crypto_ahash_type

Now that all the templates that need ahash spawns have been converted to
use crypto_grab_ahash() rather than look up the algorithm directly,
crypto_ahash_type is no longer used outside of ahash.c.  Make it static.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: algapi - remove obsoleted instance creation helpers
Eric Biggers [Fri, 3 Jan 2020 03:59:06 +0000 (19:59 -0800)] 
crypto: algapi - remove obsoleted instance creation helpers

Remove lots of helper functions that were previously used for
instantiating crypto templates, but are now unused:

- crypto_get_attr_alg() and similar functions looked up an inner
  algorithm directly from a template parameter.  These were replaced
  with getting the algorithm's name, then calling crypto_grab_*().

- crypto_init_spawn2() and similar functions initialized a spawn, given
  an algorithm.  Similarly, these were replaced with crypto_grab_*().

- crypto_alloc_instance() and similar functions allocated an instance
  with a single spawn, given the inner algorithm.  These aren't useful
  anymore since crypto_grab_*() need the instance allocated first.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: cipher - make crypto_spawn_cipher() take a crypto_cipher_spawn
Eric Biggers [Fri, 3 Jan 2020 03:59:05 +0000 (19:59 -0800)] 
crypto: cipher - make crypto_spawn_cipher() take a crypto_cipher_spawn

Now that all users of single-block cipher spawns have been converted to
use 'struct crypto_cipher_spawn' rather than the less specifically typed
'struct crypto_spawn', make crypto_spawn_cipher() take a pointer to a
'struct crypto_cipher_spawn' rather than a 'struct crypto_spawn'.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: xcbc - use crypto_grab_cipher() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:59:04 +0000 (19:59 -0800)] 
crypto: xcbc - use crypto_grab_cipher() and simplify error paths

Make the xcbc template use the new function crypto_grab_cipher() to
initialize its cipher spawn.

This is needed to make all spawns be initialized in a consistent way.

This required making xcbc_create() allocate the instance directly rather
than use shash_alloc_instance().

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet, and
by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: vmac - use crypto_grab_cipher() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:59:03 +0000 (19:59 -0800)] 
crypto: vmac - use crypto_grab_cipher() and simplify error paths

Make the vmac64 template use the new function crypto_grab_cipher() to
initialize its cipher spawn.

This is needed to make all spawns be initialized in a consistent way.

This required making vmac_create() allocate the instance directly rather
than use shash_alloc_instance().

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet, and
by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: cmac - use crypto_grab_cipher() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:59:02 +0000 (19:59 -0800)] 
crypto: cmac - use crypto_grab_cipher() and simplify error paths

Make the cmac template use the new function crypto_grab_cipher() to
initialize its cipher spawn.

This is needed to make all spawns be initialized in a consistent way.

This required making cmac_create() allocate the instance directly rather
than use shash_alloc_instance().

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet, and
by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: cbcmac - use crypto_grab_cipher() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:59:01 +0000 (19:59 -0800)] 
crypto: cbcmac - use crypto_grab_cipher() and simplify error paths

Make the cbcmac template use the new function crypto_grab_cipher() to
initialize its cipher spawn.

This is needed to make all spawns be initialized in a consistent way.

This required making cbcmac_create() allocate the instance directly
rather than use shash_alloc_instance().

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet, and
by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: skcipher - use crypto_grab_cipher() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:59:00 +0000 (19:59 -0800)] 
crypto: skcipher - use crypto_grab_cipher() and simplify error paths

Make skcipher_alloc_instance_simple() use the new function
crypto_grab_cipher() to initialize its cipher spawn.

This is needed to make all spawns be initialized in a consistent way.

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet, and
by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: chacha20poly1305 - use crypto_grab_ahash() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:58:59 +0000 (19:58 -0800)] 
crypto: chacha20poly1305 - use crypto_grab_ahash() and simplify error paths

Make the rfc7539 and rfc7539esp templates use the new function
crypto_grab_ahash() to initialize their ahash spawn.

This is needed to make all spawns be initialized in a consistent way.

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet, and
by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccm - use crypto_grab_ahash() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:58:58 +0000 (19:58 -0800)] 
crypto: ccm - use crypto_grab_ahash() and simplify error paths

Make the ccm and ccm_base templates use the new function
crypto_grab_ahash() to initialize their ahash spawn.

This is needed to make all spawns be initialized in a consistent way.

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: gcm - use crypto_grab_ahash() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:58:57 +0000 (19:58 -0800)] 
crypto: gcm - use crypto_grab_ahash() and simplify error paths

Make the gcm and gcm_base templates use the new function
crypto_grab_ahash() to initialize their ahash spawn.

This is needed to make all spawns be initialized in a consistent way.

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: authencesn - use crypto_grab_ahash() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:58:56 +0000 (19:58 -0800)] 
crypto: authencesn - use crypto_grab_ahash() and simplify error paths

Make the authencesn template use the new function crypto_grab_ahash() to
initialize its ahash spawn.

This is needed to make all spawns be initialized in a consistent way.

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet, and
by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: authenc - use crypto_grab_ahash() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:58:55 +0000 (19:58 -0800)] 
crypto: authenc - use crypto_grab_ahash() and simplify error paths

Make the authenc template use the new function crypto_grab_ahash() to
initialize its ahash spawn.

This is needed to make all spawns be initialized in a consistent way.

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet, and
by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: hmac - use crypto_grab_shash() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:58:54 +0000 (19:58 -0800)] 
crypto: hmac - use crypto_grab_shash() and simplify error paths

Make the hmac template use the new function crypto_grab_shash() to
initialize its shash spawn.

This is needed to make all spawns be initialized in a consistent way.

This required making hmac_create() allocate the instance directly rather
than use shash_alloc_instance().

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet, and
by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: cryptd - use crypto_grab_shash() and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:58:53 +0000 (19:58 -0800)] 
crypto: cryptd - use crypto_grab_shash() and simplify error paths

Make the cryptd template (in the hash case) use the new function
crypto_grab_shash() to initialize its shash spawn.

This is needed to make all spawns be initialized in a consistent way.

This required making cryptd_create_hash() allocate the instance directly
rather than use cryptd_alloc_instance().

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet, and
by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: adiantum - use crypto_grab_{cipher,shash} and simplify error paths
Eric Biggers [Fri, 3 Jan 2020 03:58:52 +0000 (19:58 -0800)] 
crypto: adiantum - use crypto_grab_{cipher,shash} and simplify error paths

Make the adiantum template use the new functions crypto_grab_cipher()
and crypto_grab_shash() to initialize its cipher and shash spawns.

This is needed to make all spawns be initialized in a consistent way.

Also simplify the error handling by taking advantage of crypto_drop_*()
now accepting (as a no-op) spawns that haven't been initialized yet, and
by taking advantage of crypto_grab_*() now handling ERR_PTR() names.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: cipher - introduce crypto_cipher_spawn and crypto_grab_cipher()
Eric Biggers [Fri, 3 Jan 2020 03:58:51 +0000 (19:58 -0800)] 
crypto: cipher - introduce crypto_cipher_spawn and crypto_grab_cipher()

Currently, "cipher" (single-block cipher) spawns are usually initialized
by using crypto_get_attr_alg() to look up the algorithm, then calling
crypto_init_spawn().  In one case, crypto_grab_spawn() is used directly.

The former way is different from how skcipher, aead, and akcipher spawns
are initialized (they use crypto_grab_*()), and for no good reason.
This difference introduces unnecessary complexity.

The crypto_grab_*() functions used to have some problems, like not
holding a reference to the algorithm and requiring the caller to
initialize spawn->base.inst.  But those problems are fixed now.

Also, the cipher spawns are not strongly typed; e.g., the API requires
that the user manually specify the flags CRYPTO_ALG_TYPE_CIPHER and
CRYPTO_ALG_TYPE_MASK.  Though the "cipher" algorithm type itself isn't
yet strongly typed, we can start by making the spawns strongly typed.

So, let's introduce a new 'struct crypto_cipher_spawn', and functions
crypto_grab_cipher() and crypto_drop_cipher() to grab and drop them.

Later patches will convert all cipher spawns to use these, then make
crypto_spawn_cipher() take 'struct crypto_cipher_spawn' as well, instead
of a bare 'struct crypto_spawn' as it currently does.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ahash - introduce crypto_grab_ahash()
Eric Biggers [Fri, 3 Jan 2020 03:58:50 +0000 (19:58 -0800)] 
crypto: ahash - introduce crypto_grab_ahash()

Currently, ahash spawns are initialized by using ahash_attr_alg() or
crypto_find_alg() to look up the ahash algorithm, then calling
crypto_init_ahash_spawn().

This is different from how skcipher, aead, and akcipher spawns are
initialized (they use crypto_grab_*()), and for no good reason.  This
difference introduces unnecessary complexity.

The crypto_grab_*() functions used to have some problems, like not
holding a reference to the algorithm and requiring the caller to
initialize spawn->base.inst.  But those problems are fixed now.

So, let's introduce crypto_grab_ahash() so that we can convert all
templates to the same way of initializing their spawns.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: shash - introduce crypto_grab_shash()
Eric Biggers [Fri, 3 Jan 2020 03:58:49 +0000 (19:58 -0800)] 
crypto: shash - introduce crypto_grab_shash()

Currently, shash spawns are initialized by using shash_attr_alg() or
crypto_alg_mod_lookup() to look up the shash algorithm, then calling
crypto_init_shash_spawn().

This is different from how skcipher, aead, and akcipher spawns are
initialized (they use crypto_grab_*()), and for no good reason.  This
difference introduces unnecessary complexity.

The crypto_grab_*() functions used to have some problems, like not
holding a reference to the algorithm and requiring the caller to
initialize spawn->base.inst.  But those problems are fixed now.

So, let's introduce crypto_grab_shash() so that we can convert all
templates to the same way of initializing their spawns.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: algapi - pass instance to crypto_grab_spawn()
Eric Biggers [Fri, 3 Jan 2020 03:58:48 +0000 (19:58 -0800)] 
crypto: algapi - pass instance to crypto_grab_spawn()

Currently, crypto_spawn::inst is first used temporarily to pass the
instance to crypto_grab_spawn().  Then crypto_init_spawn() overwrites it
with crypto_spawn::next, which shares the same union.  Finally,
crypto_spawn::inst is set again when the instance is registered.

Make this less convoluted by just passing the instance as an argument to
crypto_grab_spawn() instead.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: akcipher - pass instance to crypto_grab_akcipher()
Eric Biggers [Fri, 3 Jan 2020 03:58:47 +0000 (19:58 -0800)] 
crypto: akcipher - pass instance to crypto_grab_akcipher()

Initializing a crypto_akcipher_spawn currently requires:

1. Set spawn->base.inst to point to the instance.
2. Call crypto_grab_akcipher().

But there's no reason for these steps to be separate, and in fact this
unneeded complication has caused at least one bug, the one fixed by
commit 6db43410179b ("crypto: adiantum - initialize crypto_spawn::inst")

So just make crypto_grab_akcipher() take the instance as an argument.

To keep the function call from getting too unwieldy due to this extra
argument, also introduce a 'mask' variable into pkcs1pad_create().

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: aead - pass instance to crypto_grab_aead()
Eric Biggers [Fri, 3 Jan 2020 03:58:46 +0000 (19:58 -0800)] 
crypto: aead - pass instance to crypto_grab_aead()

Initializing a crypto_aead_spawn currently requires:

1. Set spawn->base.inst to point to the instance.
2. Call crypto_grab_aead().

But there's no reason for these steps to be separate, and in fact this
unneeded complication has caused at least one bug, the one fixed by
commit 6db43410179b ("crypto: adiantum - initialize crypto_spawn::inst")

So just make crypto_grab_aead() take the instance as an argument.

To keep the function calls from getting too unwieldy due to this extra
argument, also introduce a 'mask' variable into the affected places
which weren't already using one.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: skcipher - pass instance to crypto_grab_skcipher()
Eric Biggers [Fri, 3 Jan 2020 03:58:45 +0000 (19:58 -0800)] 
crypto: skcipher - pass instance to crypto_grab_skcipher()

Initializing a crypto_skcipher_spawn currently requires:

1. Set spawn->base.inst to point to the instance.
2. Call crypto_grab_skcipher().

But there's no reason for these steps to be separate, and in fact this
unneeded complication has caused at least one bug, the one fixed by
commit 6db43410179b ("crypto: adiantum - initialize crypto_spawn::inst")

So just make crypto_grab_skcipher() take the instance as an argument.

To keep the function calls from getting too unwieldy due to this extra
argument, also introduce a 'mask' variable into the affected places
which weren't already using one.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ahash - make struct ahash_instance be the full size
Eric Biggers [Fri, 3 Jan 2020 03:58:44 +0000 (19:58 -0800)] 
crypto: ahash - make struct ahash_instance be the full size

Define struct ahash_instance in a way analogous to struct
skcipher_instance, struct aead_instance, and struct akcipher_instance,
where the struct is defined to include both the algorithm structure at
the beginning and the additional crypto_instance fields at the end.

This is needed to allow allocating ahash instances directly using
kzalloc(sizeof(*inst) + sizeof(*ictx), ...) in the same way as skcipher,
aead, and akcipher instances.  In turn, that's needed to make spawns be
initialized in a consistent way everywhere.

Also take advantage of the addition of the base instance to struct
ahash_instance by simplifying the ahash_crypto_instance() and
ahash_instance() functions.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: shash - make struct shash_instance be the full size
Eric Biggers [Fri, 3 Jan 2020 03:58:43 +0000 (19:58 -0800)] 
crypto: shash - make struct shash_instance be the full size

Define struct shash_instance in a way analogous to struct
skcipher_instance, struct aead_instance, and struct akcipher_instance,
where the struct is defined to include both the algorithm structure at
the beginning and the additional crypto_instance fields at the end.

This is needed to allow allocating shash instances directly using
kzalloc(sizeof(*inst) + sizeof(*ictx), ...) in the same way as skcipher,
aead, and akcipher instances.  In turn, that's needed to make spawns be
initialized in a consistent way everywhere.

Also take advantage of the addition of the base instance to struct
shash_instance by simplifying the shash_crypto_instance() and
shash_instance() functions.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: algapi - make crypto_grab_spawn() handle an ERR_PTR() name
Eric Biggers [Fri, 3 Jan 2020 03:58:42 +0000 (19:58 -0800)] 
crypto: algapi - make crypto_grab_spawn() handle an ERR_PTR() name

To allow further simplifying template ->create() functions, make
crypto_grab_spawn() handle an ERR_PTR() name by passing back the error.

For most templates, this will allow the result of crypto_attr_alg_name()
to be passed directly to crypto_grab_*(), rather than first having to
assign it to a variable [where it can then potentially be misused, as it
was in the rfc7539 template prior to commit 5e27f38f1f3f ("crypto:
chacha20poly1305 - set cra_name correctly")] and check it for error.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: algapi - make crypto_drop_spawn() a no-op on uninitialized spawns
Eric Biggers [Fri, 3 Jan 2020 03:58:41 +0000 (19:58 -0800)] 
crypto: algapi - make crypto_drop_spawn() a no-op on uninitialized spawns

Make crypto_drop_spawn() do nothing when the spawn hasn't been
initialized with an algorithm yet.  This will allow simplifying error
handling in all the template ->create() functions, since on error they
will be able to just call their usual "free instance" function, rather
than having to handle dropping just the spawns that have been
initialized so far.

This does assume the spawn starts out zero-filled, but that's always the
case since instances are allocated with kzalloc().  And some other code
already assumes this anyway.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: ccp - Update MAINTAINERS for CCP driver
Gary R Hook [Thu, 2 Jan 2020 19:57:03 +0000 (13:57 -0600)] 
crypto: ccp - Update MAINTAINERS for CCP driver

Remove Gary R Hook as CCP maintainer.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: crypto4xx - use GFP_KERNEL for big allocations
Christian Lamparter [Wed, 1 Jan 2020 22:27:02 +0000 (23:27 +0100)] 
crypto: crypto4xx - use GFP_KERNEL for big allocations

The driver should use GFP_KERNEL for the bigger allocation
during the driver's crypto4xx_probe() and not GFP_ATOMIC in
my opinion.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: crypto4xx - reduce memory fragmentation
Christian Lamparter [Wed, 1 Jan 2020 22:27:01 +0000 (23:27 +0100)] 
crypto: crypto4xx - reduce memory fragmentation

With recent kernels (>5.2), the driver fails to probe, as the
allocation of the driver's scatter buffer fails with -ENOMEM.

This happens in crypto4xx_build_sdr(). Where the driver tries
to get 512KiB (=PPC4XX_SD_BUFFER_SIZE * PPC4XX_NUM_SD) of
continuous memory. This big chunk is by design, since the driver
uses this circumstance in the crypto4xx_copy_pkt_to_dst() to
its advantage:
"all scatter-buffers are all neatly organized in one big
continuous ringbuffer; So scatterwalk_map_and_copy() can be
instructed to copy a range of buffers in one go."

The PowerPC arch does not have support for DMA_CMA. Hence,
this patch reorganizes the order in which the memory
allocations are done. Since the driver itself is responsible
for some of the issues.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: remove propagation of CRYPTO_TFM_RES_* flags
Eric Biggers [Tue, 31 Dec 2019 03:19:38 +0000 (21:19 -0600)] 
crypto: remove propagation of CRYPTO_TFM_RES_* flags

The CRYPTO_TFM_RES_* flags were apparently meant as a way to make the
->setkey() functions provide more information about errors.  But these
flags weren't actually being used or tested, and in many cases they
weren't being set correctly anyway.  So they've now been removed.

Also, if someone ever actually needs to start better distinguishing
->setkey() errors (which is somewhat unlikely, as this has been unneeded
for a long time), we'd be much better off just defining different return
values, like -EINVAL if the key is invalid for the algorithm vs.
-EKEYREJECTED if the key was rejected by a policy like "no weak keys".
That would be much simpler, less error-prone, and easier to test.

So just remove CRYPTO_TFM_RES_MASK and all the unneeded logic that
propagates these flags around.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: remove CRYPTO_TFM_RES_WEAK_KEY
Eric Biggers [Tue, 31 Dec 2019 03:19:37 +0000 (21:19 -0600)] 
crypto: remove CRYPTO_TFM_RES_WEAK_KEY

The CRYPTO_TFM_RES_WEAK_KEY flag was apparently meant as a way to make
the ->setkey() functions provide more information about errors.

However, no one actually checks for this flag, which makes it pointless.
There are also no tests that verify that all algorithms actually set (or
don't set) it correctly.

This is also the last remaining CRYPTO_TFM_RES_* flag, which means that
it's the only thing still needing all the boilerplate code which
propagates these flags around from child => parent tfms.

And if someone ever needs to distinguish this error in the future (which
is somewhat unlikely, as it's been unneeded for a long time), it would
be much better to just define a new return value like -EKEYREJECTED.
That would be much simpler, less error-prone, and easier to test.

So just remove this flag.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN
Eric Biggers [Tue, 31 Dec 2019 03:19:36 +0000 (21:19 -0600)] 
crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN

The CRYPTO_TFM_RES_BAD_KEY_LEN flag was apparently meant as a way to
make the ->setkey() functions provide more information about errors.

However, no one actually checks for this flag, which makes it pointless.

Also, many algorithms fail to set this flag when given a bad length key.
Reviewing just the generic implementations, this is the case for
aes-fixed-time, cbcmac, echainiv, nhpoly1305, pcrypt, rfc3686, rfc4309,
rfc7539, rfc7539esp, salsa20, seqiv, and xcbc.  But there are probably
many more in arch/*/crypto/ and drivers/crypto/.

Some algorithms can even set this flag when the key is the correct
length.  For example, authenc and authencesn set it when the key payload
is malformed in any way (not just a bad length), the atmel-sha and ccree
drivers can set it if a memory allocation fails, and the chelsio driver
sets it for bad auth tag lengths, not just bad key lengths.

So even if someone actually wanted to start checking this flag (which
seems unlikely, since it's been unused for a long time), there would be
a lot of work needed to get it working correctly.  But it would probably
be much better to go back to the drawing board and just define different
return values, like -EINVAL if the key is invalid for the algorithm vs.
-EKEYREJECTED if the key was rejected by a policy like "no weak keys".
That would be much simpler, less error-prone, and easier to test.

So just remove this flag.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
5 years agocrypto: remove CRYPTO_TFM_RES_BAD_BLOCK_LEN
Eric Biggers [Tue, 31 Dec 2019 03:19:35 +0000 (21:19 -0600)] 
crypto: remove CRYPTO_TFM_RES_BAD_BLOCK_LEN

The flag CRYPTO_TFM_RES_BAD_BLOCK_LEN is never checked for, and it's
only set by one driver.  And even that single driver's use is wrong
because the driver is setting the flag from ->encrypt() and ->decrypt()
with no locking, which is unsafe because ->encrypt() and ->decrypt() can
be executed by many threads in parallel on the same tfm.

Just remove this flag.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>