<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/crypto/tcrypt.c, branch v6.1.168</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.168</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.168'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2022-12-31T12:32:34+00:00</updated>
<entry>
<title>crypto: tcrypt - Fix multibuffer skcipher speed test mem leak</title>
<updated>2022-12-31T12:32:34+00:00</updated>
<author>
<name>Zhang Yiqun</name>
<email>zhangyiqun@phytium.com.cn</email>
</author>
<published>2022-11-16T09:24:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=314398bc1014d9d407ef3c03f4c864607a066382'/>
<id>urn:sha1:314398bc1014d9d407ef3c03f4c864607a066382</id>
<content type='text'>
[ Upstream commit 1aa33fc8d4032227253ceb736f47c52b859d9683 ]

In the past, the data for the mb-skcipher test has been allocated
twice, which means the first allocated memory area is never
freed, which may cause a potential memory leak. So this
patch removes one allocation to fix this error.

Fixes: e161c5930c15 ("crypto: tcrypt - add multibuf skcipher...")
Signed-off-by: Zhang Yiqun &lt;zhangyiqun@phytium.com.cn&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>crypto: tcrypt - fix return value for multiple subtests</title>
<updated>2022-12-31T12:32:30+00:00</updated>
<author>
<name>Robert Elliott</name>
<email>elliott@hpe.com</email>
</author>
<published>2022-09-30T21:40:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7b5bc00a59efb3e74edeecc7b0b5c8983f87149f'/>
<id>urn:sha1:7b5bc00a59efb3e74edeecc7b0b5c8983f87149f</id>
<content type='text'>
[ Upstream commit 65c92cbb3f2365627a10cf97560d51e88fb4e588 ]

When a test mode invokes multiple tests (e.g., mode 0 invokes modes
1 through 199, and mode 3 tests three block cipher modes with des),
don't keep accumulating the return values with ret += tcrypt_test(),
which results in a bogus value if more than one report a nonzero
value (e.g., two reporting -2 (-ENOENT) end up reporting -4 (-EINTR)).
Instead, keep track of the minimum return value reported by any
subtest.

Fixes: 4e033a6bc70f ("crypto: tcrypt - Do not exit on success in fips mode")
Signed-off-by: Robert Elliott &lt;elliott@hpe.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>crypto: tcrypt - add async speed test for aria cipher</title>
<updated>2022-09-24T08:14:44+00:00</updated>
<author>
<name>Taehee Yoo</name>
<email>ap420073@gmail.com</email>
</author>
<published>2022-09-16T12:57:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c4b1ce72b5c9f7d5772b2f2d4efa25ef0e6fb576'/>
<id>urn:sha1:c4b1ce72b5c9f7d5772b2f2d4efa25ef0e6fb576</id>
<content type='text'>
In order to test the performance of the aria-avx implementation, it needs
an async speed test.
So, this adds async speed tests to tcrypt.

Signed-off-by: Taehee Yoo &lt;ap420073@gmail.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: tcrypt - remove mode=1000</title>
<updated>2022-08-26T10:49:09+00:00</updated>
<author>
<name>Robert Elliott</name>
<email>elliott@hpe.com</email>
</author>
<published>2022-08-15T04:29:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6363d81b78c00d98f6d92b04acf65b4a18013690'/>
<id>urn:sha1:6363d81b78c00d98f6d92b04acf65b4a18013690</id>
<content type='text'>
The list of algorithms checked for existence by
    modprobe tcrypt mode=1000
generates three bogus errors:
    modprobe tcrypt mode=1000

    console log:
    tcrypt: alg rot13 not found
    tcrypt: alg cts not found
    tcrypt: alg arc4 not found

rot13 is not an algorithm in the crypto API or tested.

cts is a wrapper, not a base algorithm.

arc4 is named ecb(arc4), not arc4.

Also, the list is missing numerous algorithms that are tested by
other test modes:
    blake2b-512
    blake2s-256
    crct10dif
    xxhash64
    ghash
    cast5
    sm4
    ansi_prng

Several of the algorithms are only available if
CONFIG_CRYPTO_USER_API_ENABLE_OBSOLETE is enabled:
    arc4
    khazad
    seed
    tea, xtea, xeta

Rather than fix that list, remove test mode=1000 entirely.
It seems to have limited utility, and a web search shows no
discussion of anybody using it.

Suggested-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Robert Elliott &lt;elliott@hpe.com&gt;
Reviewed-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: tcrypt - Remove the static variable initialisations to NULL</title>
<updated>2022-07-29T10:29:18+00:00</updated>
<author>
<name>Jason Wang</name>
<email>wangborong@cdjrlc.com</email>
</author>
<published>2022-07-23T09:26:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=af5d35b83f642399c719ea9a8599a13b8a0c4167'/>
<id>urn:sha1:af5d35b83f642399c719ea9a8599a13b8a0c4167</id>
<content type='text'>
Initialising global and static variables to NULL is always unnecessary.
Remove the unnecessary initialisations.

Signed-off-by: Jason Wang &lt;wangborong@cdjrlc.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: testmgr - add ARIA testmgr tests</title>
<updated>2022-07-15T08:43:20+00:00</updated>
<author>
<name>Taehee Yoo</name>
<email>ap420073@gmail.com</email>
</author>
<published>2022-07-04T09:42:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=01ce31de7043e17b0d7d47f5e038f067db618113'/>
<id>urn:sha1:01ce31de7043e17b0d7d47f5e038f067db618113</id>
<content type='text'>
It contains ARIA ecb(aria), cbc(aria), cfb(aria), ctr(aria), and gcm(aria).
The ecb test vector is from the RFC standard.
The cbc, cfb, and ctr test vectors are from KISA[1], who developed the ARIA
algorithm.
gcm(aria) is from the openssl test vector.

[1] https://seed.kisa.or.kr/kisa/kcmvp/EgovVerification.do (Korean)

Signed-off-by: Taehee Yoo &lt;ap420073@gmail.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: blake2s - remove shash module</title>
<updated>2022-06-10T08:43:49+00:00</updated>
<author>
<name>Jason A. Donenfeld</name>
<email>Jason@zx2c4.com</email>
</author>
<published>2022-05-28T19:44:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2d16803c562ecc644803d42ba98a8e0aef9c014e'/>
<id>urn:sha1:2d16803c562ecc644803d42ba98a8e0aef9c014e</id>
<content type='text'>
BLAKE2s has no currently known use as an shash. Just remove all of this
unnecessary plumbing. Removing this shash was something we talked about
back when we were making BLAKE2s a built-in, but I simply never got
around to doing it. So this completes that project.

Importantly, this fixes a bug in which the lib code depends on
crypto_simd_disabled_for_test, causing linker errors.

Also add more alignment tests to the selftests and compare SIMD and
non-SIMD compression functions, to make up for what we lose from
testmgr.c.

Reported-by: gaochao &lt;gaochao49@huawei.com&gt;
Cc: Eric Biggers &lt;ebiggers@kernel.org&gt;
Cc: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Cc: stable@vger.kernel.org
Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: hctr2 - Add HCTR2 support</title>
<updated>2022-06-10T08:40:17+00:00</updated>
<author>
<name>Nathan Huckleberry</name>
<email>nhuck@google.com</email>
</author>
<published>2022-05-20T18:14:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7ff554ced7c7d7cf77586e07474e8633e011e2d0'/>
<id>urn:sha1:7ff554ced7c7d7cf77586e07474e8633e011e2d0</id>
<content type='text'>
Add support for HCTR2 as a template.  HCTR2 is a length-preserving
encryption mode that is efficient on processors with instructions to
accelerate AES and carryless multiplication, e.g. x86 processors with
AES-NI and CLMUL, and ARM processors with the ARMv8 Crypto Extensions.

As a length-preserving encryption mode, HCTR2 is suitable for
applications such as storage encryption where ciphertext expansion is
not possible, and thus authenticated encryption cannot be used.
Currently, such applications usually use XTS, or in some cases Adiantum.
XTS has the disadvantage that it is a narrow-block mode: a bitflip will
only change 16 bytes in the resulting ciphertext or plaintext.  This
reveals more information to an attacker than necessary.

HCTR2 is a wide-block mode, so it provides a stronger security property:
a bitflip will change the entire message.  HCTR2 is somewhat similar to
Adiantum, which is also a wide-block mode.  However, HCTR2 is designed
to take advantage of existing crypto instructions, while Adiantum
targets devices without such hardware support.  Adiantum is also
designed with longer messages in mind, while HCTR2 is designed to be
efficient even on short messages.

HCTR2 requires POLYVAL and XCTR as components.  More information on
HCTR2 can be found here: "Length-preserving encryption with HCTR2":
https://eprint.iacr.org/2021/1441.pdf

Signed-off-by: Nathan Huckleberry &lt;nhuck@google.com&gt;
Reviewed-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Reviewed-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: polyval - Add POLYVAL support</title>
<updated>2022-06-10T08:40:17+00:00</updated>
<author>
<name>Nathan Huckleberry</name>
<email>nhuck@google.com</email>
</author>
<published>2022-05-20T18:14:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f3c923a09c4c4f5861b1ed53cf75673992a6ba68'/>
<id>urn:sha1:f3c923a09c4c4f5861b1ed53cf75673992a6ba68</id>
<content type='text'>
Add support for POLYVAL, an ε-Δ-universal hash function similar to
GHASH.  This patch only uses POLYVAL as a component to implement HCTR2
mode.  It should be noted that POLYVAL was originally specified for use
in AES-GCM-SIV (RFC 8452), but the kernel does not currently support
this mode.

POLYVAL is implemented as an shash algorithm.  The implementation is
modified from ghash-generic.c.

For more information on POLYVAL see:
Length-preserving encryption with HCTR2:
  https://eprint.iacr.org/2021/1441.pdf
AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption:
  https://datatracker.ietf.org/doc/html/rfc8452

Signed-off-by: Nathan Huckleberry &lt;nhuck@google.com&gt;
Reviewed-by: Eric Biggers &lt;ebiggers@google.com&gt;
Reviewed-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>crypto: xctr - Add XCTR support</title>
<updated>2022-06-10T08:40:16+00:00</updated>
<author>
<name>Nathan Huckleberry</name>
<email>nhuck@google.com</email>
</author>
<published>2022-05-20T18:14:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=17fee07a2ac577da18b44dd658a9c3c864281c49'/>
<id>urn:sha1:17fee07a2ac577da18b44dd658a9c3c864281c49</id>
<content type='text'>
Add a generic implementation of XCTR mode as a template.  XCTR is a
blockcipher mode similar to CTR mode.  XCTR uses XORs and little-endian
addition rather than big-endian arithmetic, which has two advantages: it
is slightly faster on little-endian CPUs and it is less likely to be
implemented incorrectly since integer overflows are not possible on
practical input sizes.  XCTR is used as a component to implement HCTR2.

More information on XCTR mode can be found in the HCTR2 paper:
https://eprint.iacr.org/2021/1441.pdf

Signed-off-by: Nathan Huckleberry &lt;nhuck@google.com&gt;
Reviewed-by: Eric Biggers &lt;ebiggers@google.com&gt;
Reviewed-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
</feed>
