kernel/linux.git/crypto/tcrypt.c, branch v5.19

crypto: api - allow algs only in specific constructions in FIPS mode

2022-03-02T22:47:51+00:00

Currently we do not distinguish between algorithms that fail on the self-test vs. those which are disabled in FIPS mode (not allowed). Both are marked as having failed the self-test. Recently the need arose to allow the usage of certain algorithms only as arguments to specific template instantiations in FIPS mode. For example, standalone "dh" must be blocked, but e.g. "ffdhe2048(dh)" is allowed. Other potential use cases include "cbcmac(aes)", which must only be used with ccm(), or "ghash", which must be used only for gcm(). This patch allows this scenario by adding a new flag FIPS_INTERNAL to indicate those algorithms that are not FIPS-allowed. They can then be used as template arguments only, i.e. when looked up via crypto_grab_spawn() to be more specific. The FIPS_INTERNAL bit gets propagated upwards recursively into the surrounding template instances, until the construction eventually matches an explicit testmgr entry with ->fips_allowed being set, if any. The behaviour to skip !->fips_allowed self-test executions in FIPS mode will be retained. Note that this effectively means that FIPS_INTERNAL algorithms are handled very similarly to the INTERNAL ones in this regard. It is expected that the FIPS_INTERNAL algorithms will receive sufficient testing when the larger constructions they're a part of, if any, get exercised by testmgr. Note that as a side-effect of this patch algorithms which are not FIPS-allowed will now return ENOENT instead of ELIBBAD. Hopefully this is not an issue as some people were relying on this already. Link: https://lore.kernel.org/r/YeEVSaMEVJb3cQkq@gondor.apana.org.au Originally-by: Herbert Xu Signed-off-by: Nicolai Stange Reviewed-by: Hannes Reinecke Signed-off-by: Herbert Xu

crypto: tcrypt - remove all multibuffer ahash tests

2022-02-05T04:10:52+00:00

The multibuffer algorithms was removed already in 2018, so it is necessary to clear the test code left by tcrypt. Suggested-by: Herbert Xu Signed-off-by: Tianjia Zhang Acked-by: Ard Biesheuvel Signed-off-by: Herbert Xu

crypto: tcrypt - add asynchronous speed test for SM3

2022-01-28T05:51:11+00:00

tcrypt supports testing of SM3 hash algorithms that use AVX instruction acceleration. In order to add the sm3 asynchronous test to the appropriate position, shift the testcase sequence number of the multi buffer backward and start from 450. Signed-off-by: Tianjia Zhang Signed-off-by: Herbert Xu

crypto: tcrypt - fix skcipher multi-buffer tests for 1420B blocks

2021-10-22T12:25:03+00:00

Commit ad6d66bcac77e ("crypto: tcrypt - include 1420 byte blocks in aead and skcipher benchmarks") mentions: > power-of-2 block size. So let's add 1420 bytes explicitly, and round > it up to the next blocksize multiple of the algo in question if it > does not support 1420 byte blocks. but misses updating skcipher multi-buffer tests. Fix this by using the proper (rounded) input size. Fixes: ad6d66bcac77e ("crypto: tcrypt - include 1420 byte blocks in aead and skcipher benchmarks") Signed-off-by: Horia Geantă Signed-off-by: Herbert Xu

crypto: tcrypt - add GCM/CCM mode test for SM4 algorithm

2021-08-21T07:44:57+00:00

tcrypt supports GCM/CCM mode, CMAC, CBCMAC, and speed test of SM4 algorithm. Signed-off-by: Tianjia Zhang Signed-off-by: Herbert Xu

crypto: tcrypt - Fix missing return value check

2021-08-21T07:44:57+00:00

There are several places where the return value check of crypto_aead_setkey and crypto_aead_setauthsize were lost. It is necessary to add these checks. At the same time, move the crypto_aead_setauthsize() call out of the loop, and only need to call it once after load transform. Fixee: 53f52d7aecb4 ("crypto: tcrypt - Added speed tests for AEAD crypto alogrithms in tcrypt test suite") Signed-off-by: Tianjia Zhang Reviewed-by: Vitaly Chikunov Signed-off-by: Herbert Xu

crypto: tcrypt - add the asynchronous speed test for SM4

2021-07-30T02:58:31+00:00

tcrypt supports testing of SM4 cipher algorithms that use avx instruction set acceleration. The implementation of sm4 instruction set acceleration supports up to 8 blocks in parallel encryption and decryption, which is 128 bytes. Therefore, the 128-byte block size is also added to block_sizes. Signed-off-by: Tianjia Zhang Signed-off-by: Herbert Xu

crypto: tcrypt - enable tests for xxhash and blake2

2021-05-28T07:11:45+00:00

Fill some of the recently freed up slots in tcrypt with xxhash64 and blake2b/blake2s, so we can easily benchmark their kernel implementations from user space. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu

crypto: serpent - get rid of obsolete tnepres variant

2021-02-10T06:55:56+00:00

It is not trivial to trace back why exactly the tnepres variant of serpent was added ~17 years ago - Google searches come up mostly empty, but it seems to be related with the 'kerneli' version, which was based on an incorrect interpretation of the serpent spec. In other words, nobody is likely to care anymore today, so let's get rid of it. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu

crypto: salsa20 - remove Salsa20 stream cipher algorithm

2021-01-29T05:07:04+00:00

Salsa20 is not used anywhere in the kernel, is not suitable for disk encryption, and widely considered to have been superseded by ChaCha20. So let's remove it. Signed-off-by: Ard Biesheuvel Acked-by: Mike Snitzer Signed-off-by: Herbert Xu