Intel OpenBMC Linux kernel source tree (mirror) https://git.radix-linux.su/BMC/Intel-BMC/linux.git/atom?h=dev-5.14-intel 2021-09-18T11:43:22+00:00 2021-09-18T11:43:22+00:00 zhenwei pi pizhenwei@bytedance.com 2021-08-19T12:37:10+00:00 urn:sha1:9f211615a4a8c04c0d200eb6ad05d2c5d2518518 commit f985911b7bc75d5c98ed24d8aaa8b94c590f7c6a upstream. Hit kernel warning like this, it can be reproduced by verifying 256 bytes datafile by keyctl command, run script: RAWDATA=rawdata SIGDATA=sigdata modprobe pkcs8_key_parser rm -rf *.der *.pem *.pfx rm -rf $RAWDATA dd if=/dev/random of=$RAWDATA bs=256 count=1 openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \ -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=xx.com/emailAddress=yy@xx.com" KEY_ID=`openssl pkcs8 -in key.pem -topk8 -nocrypt -outform DER | keyctl \ padd asymmetric 123 @s` keyctl pkey_sign $KEY_ID 0 $RAWDATA enc=pkcs1 hash=sha1 > $SIGDATA keyctl pkey_verify $KEY_ID 0 $RAWDATA $SIGDATA enc=pkcs1 hash=sha1 Then the kernel reports: WARNING: CPU: 5 PID: 344556 at crypto/rsa-pkcs1pad.c:540 pkcs1pad_verify+0x160/0x190 ... Call Trace: public_key_verify_signature+0x282/0x380 ? software_key_query+0x12d/0x180 ? keyctl_pkey_params_get+0xd6/0x130 asymmetric_key_verify_signature+0x66/0x80 keyctl_pkey_verify+0xa5/0x100 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae The reason of this issue, in function 'asymmetric_key_verify_signature': '.digest_size(u8) = params->in_len(u32)' leads overflow of an u8 value, so use u32 instead of u8 for digest_size field. And reorder struct public_key_signature, it saves 8 bytes on a 64-bit machine. Cc: stable@vger.kernel.org Signed-off-by: zhenwei pi <pizhenwei@bytedance.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-06-28T03:28:08+00:00 Herbert Xu herbert@gondor.apana.org.au 2021-06-24T06:32:15+00:00 urn:sha1:b0d2193ba643ec8246e7a194e336c71018b8e6f3 As it is now legal to call flush_dcache_page on slab pages we no longer need to do the check in the Crypto API. Reported-by: Ira Weiny <ira.weiny@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2021-06-24T06:51:35+00:00 Herbert Xu herbert@gondor.apana.org.au 2021-06-17T07:28:10+00:00 urn:sha1:5163ab505e489400b4738b2a5547ec83d2dff7bb The definitions for crypto_attr-related types and enums are not needed by most Crypto API users. This patch moves them out of crypto.h and into algapi.h/internal.h depending on the extent of their use. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2021-06-17T07:07:31+00:00 Liu Shixin liushixin2@huawei.com 2021-06-11T02:01:00+00:00 urn:sha1:10ff9976d06fc6a11f512755d500ab2860cbe650 According to the advice of Eric and Herbert, type CRYPTOA_U32 has been unused for over a decade, so remove the code related to CRYPTOA_U32. After removing CRYPTOA_U32, the type of the variable attrs can be changed from union to struct. Signed-off-by: Liu Shixin <liushixin2@huawei.com> Reviewed-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2021-06-17T07:07:31+00:00 Ard Biesheuvel ardb@kernel.org 2021-06-10T06:21:50+00:00 urn:sha1:22ca9f4aaf431a9413dcc115dd590123307f274f crypto_shash_alg_has_setkey() is implemented by testing whether the .setkey() member of a struct shash_alg points to the default version, called shash_no_setkey(). As crypto_shash_alg_has_setkey() is a static inline, this requires shash_no_setkey() to be exported to modules. Unfortunately, when building with CFI, function pointers are routed via CFI stubs which are private to each module (or to the kernel proper) and so this function pointer comparison may fail spuriously. Let's fix this by turning crypto_shash_alg_has_setkey() into an out of line function. Cc: Sami Tolvanen <samitolvanen@google.com> Cc: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Reviewed-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Sami Tolvanen <samitolvanen@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2021-05-28T06:21:08+00:00 Zhen Lei thunder.leizhen@huawei.com 2021-05-17T11:02:34+00:00 urn:sha1:155f7d321f021c084595d33efafa66f197fb2c00 Fix some spelling mistakes in comments: cipherntext ==> ciphertext syncronise ==> synchronise feeded ==> fed Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2021-04-02T07:28:12+00:00 Arnd Bergmann arnd@arndb.de 2021-03-22T17:05:15+00:00 urn:sha1:8d195e7a8ada68928f2aedb2c18302a4518fe68e gcc-11 points out a mismatch between the declaration and the definition of poly1305_core_setkey(): lib/crypto/poly1305-donna32.c:13:67: error: argument 2 of type ‘const u8[16]’ {aka ‘const unsigned char[16]’} with mismatched bound [-Werror=array-parameter=] 13 | void poly1305_core_setkey(struct poly1305_core_key *key, const u8 raw_key[16]) | ~~~~~~~~~^~~~~~~~~~~ In file included from lib/crypto/poly1305-donna32.c:11: include/crypto/internal/poly1305.h:21:68: note: previously declared as ‘const u8 *’ {aka ‘const unsigned char *’} 21 | void poly1305_core_setkey(struct poly1305_core_key *key, const u8 *raw_key); This is harmless in principle, as the calling conventions are the same, but the more specific prototype allows better type checking in the caller. Change the declaration to match the actual function definition. The poly1305_simd_init() is a bit suspicious here, as it previously had a 32-byte argument type, but looks like it needs to take the 16-byte POLY1305_BLOCK_SIZE array instead. Fixes: 1c08a104360f ("crypto: poly1305 - add new 32 and 64-bit generic versions") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Reviewed-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2021-04-02T07:28:12+00:00 Eric Biggers ebiggers@google.com 2021-03-22T05:13:47+00:00 urn:sha1:a181e0fdb2164268274453b5b291589edbb9b22d On big endian CPUs, the ChaCha20-based CRNG is using the wrong endianness for the ChaCha20 constants. This doesn't matter cryptographically, but technically it means it's not ChaCha20 anymore. Fix it to always use the standard constants. Cc: linux-crypto@vger.kernel.org Cc: Andy Lutomirski <luto@kernel.org> Cc: Jann Horn <jannh@google.com> Cc: Theodore Ts'o <tytso@mit.edu> Acked-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2021-03-26T08:55:55+00:00 Herbert Xu herbert@gondor.apana.org.au 2021-03-26T08:55:55+00:00 urn:sha1:3877869d13a043a2dbab0d034e5eac3b21f4994d This pulls in the NIST P384/256/192 x509 changes. 2021-03-26T08:41:58+00:00 Saulo Alessandre saulo.alessandre@tse.jus.br 2021-03-16T21:07:33+00:00 urn:sha1:703c748d5f2c4f6d2b494405130d61b8275189cf Add the parameters for the NIST P384 curve and define a new curve ID for it. Make the curve available in ecc_get_curve. Summary of changes: * crypto/ecc_curve_defs.h - add nist_p384 params * include/crypto/ecdh.h - add ECC_CURVE_NIST_P384 * crypto/ecc.c - change ecc_get_curve to accept nist_p384 Signed-off-by: Saulo Alessandre <saulo.alessandre@tse.jus.br> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Acked-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>