openwrt/staging/blogic.git
6 years agocrypto: x86 - Add missing RETs
Borislav Petkov [Sat, 23 Jun 2018 10:36:22 +0000 (12:36 +0200)]
crypto: x86 - Add missing RETs

Add explicit RETs to the tail calls of AEGIS and MORUS crypto algorithms
otherwise they run into INT3 padding due to

  ("x86/asm: Pad assembly functions with INT3 instructions")

leading to spurious debug exceptions.

Mike Galbraith <efault@gmx.de> took care of all the remaining callsites.

Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm/speck - fix building in Thumb2 mode
Eric Biggers [Mon, 18 Jun 2018 22:33:23 +0000 (15:33 -0700)]
crypto: arm/speck - fix building in Thumb2 mode

Building the kernel with CONFIG_THUMB2_KERNEL=y and
CONFIG_CRYPTO_SPECK_NEON set fails with the following errors:

    arch/arm/crypto/speck-neon-core.S: Assembler messages:

    arch/arm/crypto/speck-neon-core.S:419: Error: r13 not allowed here -- `bic sp,#0xf'
    arch/arm/crypto/speck-neon-core.S:423: Error: r13 not allowed here -- `bic sp,#0xf'
    arch/arm/crypto/speck-neon-core.S:427: Error: r13 not allowed here -- `bic sp,#0xf'
    arch/arm/crypto/speck-neon-core.S:431: Error: r13 not allowed here -- `bic sp,#0xf'

The problem is that the 'bic' instruction can't operate on the 'sp'
register in Thumb2 mode.  Fix it by using a temporary register.  This
isn't in the main loop, so the performance difference is negligible.
This also matches what aes-neonbs-core.S does.

Reported-by: Stefan Agner <stefan@agner.ch>
Fixes: ede9622162fa ("crypto: arm/speck - add NEON-accelerated implementation of Speck-XTS")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: core - Always drop the RNG in hwrng_unregister()
Michael Büsch [Thu, 14 Jun 2018 18:08:11 +0000 (20:08 +0200)]
hwrng: core - Always drop the RNG in hwrng_unregister()

enable_best_rng() is used in hwrng_unregister() to switch away from the
currently active RNG, if that is the one currently being removed.
However enable_best_rng() might fail, if the next RNG's init routine
fails. In that case enable_best_rng() will return an error code and
the currently active RNG will remain active.
After unregistering this might lead to crashes due to use-after-free.

Fix this by dropping the currently active RNG, if enable_best_rng()
failed. This will result in no RNG to be active, if the next-best
one failed to initialize.

This problem was introduced by 142a27f0a731ddcf467546960a5585970ca98e21

Fixes: 142a27f0a731 ("hwrng: core - Reset user selected rng by...")
Reported-by: Wirz <spam@lukas-wirz.de>
Tested-by: Wirz <spam@lukas-wirz.de>
Signed-off-by: Michael Büsch <m@bues.ch>
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: morus640 - Fix out-of-bounds access
Ondrej Mosnáček [Wed, 13 Jun 2018 14:44:17 +0000 (16:44 +0200)]
crypto: morus640 - Fix out-of-bounds access

We must load the block from the temporary variable here, not directly
from the input.

Also add forgotten zeroing-out of the uninitialized part of the
temporary block (as is done correctly in morus1280.c).

Fixes: 396be41f16fd ("crypto: morus - Add generic MORUS AEAD implementations")
Reported-by: syzbot+1fafa9c4cf42df33f716@syzkaller.appspotmail.com
Reported-by: syzbot+d82643ba80bf6937cd44@syzkaller.appspotmail.com
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: don't optimize keccakf()
Dmitry Vyukov [Fri, 8 Jun 2018 09:53:41 +0000 (11:53 +0200)]
crypto: don't optimize keccakf()

keccakf() is the only function in kernel that uses __optimize() macro.
__optimize() breaks frame pointer unwinder as optimized code uses RBP,
and amusingly this always lead to degraded performance as gcc does not
inline across different optimizations levels, so keccakf() wasn't inlined
into its callers and keccakf_round() wasn't inlined into keccakf().

Drop __optimize() to resolve both problems.

Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: 83dee2ce1ae7 ("crypto: sha3-generic - rewrite KECCAK transform to help the compiler optimize")
Reported-by: syzbot+37035ccfa9a0a017ffcf@syzkaller.appspotmail.com
Reported-by: syzbot+e073e4740cfbb3ae200b@syzkaller.appspotmail.com
Cc: linux-crypto@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/aes-blk - fix and move skcipher_walk_done out of kernel_neon_begin...
Jia He [Fri, 8 Jun 2018 07:41:44 +0000 (15:41 +0800)]
crypto: arm64/aes-blk - fix and move skcipher_walk_done out of kernel_neon_begin, _end

In a arm64 server(QDF2400),I met a similar might-sleep warning as [1]:
[    7.019116] BUG: sleeping function called from invalid context at
./include/crypto/algapi.h:416
[    7.027863] in_atomic(): 1, irqs_disabled(): 0, pid: 410, name:
cryptomgr_test
[    7.035106] 1 lock held by cryptomgr_test/410:
[    7.039549]  #0:         (ptrval) (&drbg->drbg_mutex){+.+.}, at:
drbg_instantiate+0x34/0x398
[    7.048038] CPU: 9 PID: 410 Comm: cryptomgr_test Not tainted
4.17.0-rc6+ #27
[    7.068228]  dump_backtrace+0x0/0x1c0
[    7.071890]  show_stack+0x24/0x30
[    7.075208]  dump_stack+0xb0/0xec
[    7.078523]  ___might_sleep+0x160/0x238
[    7.082360]  skcipher_walk_done+0x118/0x2c8
[    7.086545]  ctr_encrypt+0x98/0x130
[    7.090035]  simd_skcipher_encrypt+0x68/0xc0
[    7.094304]  drbg_kcapi_sym_ctr+0xd4/0x1f8
[    7.098400]  drbg_ctr_update+0x98/0x330
[    7.102236]  drbg_seed+0x1b8/0x2f0
[    7.105637]  drbg_instantiate+0x2ac/0x398
[    7.109646]  drbg_kcapi_seed+0xbc/0x188
[    7.113482]  crypto_rng_reset+0x4c/0xb0
[    7.117319]  alg_test_drbg+0xec/0x330
[    7.120981]  alg_test.part.6+0x1c8/0x3c8
[    7.124903]  alg_test+0x58/0xa0
[    7.128044]  cryptomgr_test+0x50/0x58
[    7.131708]  kthread+0x134/0x138
[    7.134936]  ret_from_fork+0x10/0x1c

Seems there is a bug in Ard Biesheuvel's commit.
Fixes: 683381747270 ("crypto: arm64/aes-blk - move kernel mode neon
en/disable into loop")

[1] https://www.spinics.net/lists/linux-crypto/msg33103.html

Signed-off-by: jia.he@hxt-semitech.com
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: <stable@vger.kernel.org> # 4.17
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chtls - use after free in chtls_pt_recvmsg()
Dan Carpenter [Fri, 1 Jun 2018 07:59:25 +0000 (10:59 +0300)]
crypto: chtls - use after free in chtls_pt_recvmsg()

We call chtls_free_skb() but then we dereference it on the next lines.
Also "skb" can't be NULL, we just dereferenced it on the line before.

I have moved the free down a couple lines to fix this issue.

Fixes: 17a7d24aa89d ("crypto: chtls - generic handling of data and hdr")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chtls - free beyond end rspq_skb_cache
Atul Gupta [Sun, 27 May 2018 15:45:22 +0000 (21:15 +0530)]
crypto: chtls - free beyond end rspq_skb_cache

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Atul Gupta <atul.gupta@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chtls - kbuild warnings
Atul Gupta [Sun, 27 May 2018 15:45:21 +0000 (21:15 +0530)]
crypto: chtls - kbuild warnings

- unindented continue
- check for null page
- signed return

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Atul Gupta <atul.gupta@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chtls - dereference null variable
Atul Gupta [Sun, 27 May 2018 15:45:20 +0000 (21:15 +0530)]
crypto: chtls - dereference null variable

skb dereferenced before check in sendpage

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Atul Gupta <atul.gupta@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chtls - wait for memory sendmsg, sendpage
Atul Gupta [Sun, 27 May 2018 15:45:19 +0000 (21:15 +0530)]
crypto: chtls - wait for memory sendmsg, sendpage

address suspicious code <gustavo@embeddedor.com>

1210       set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
1211       }

The issue is that in the code above, set_bit is never reached
due to the 'continue' statement at line 1208.

Also reported by bug report:<dan.carpenter@oracle.com>
1210       set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Not reachable.

Its required to wait for buffer in the send path and takes care of
unaddress and un-handled SOCK_NOSPACE.

v2: use csk_mem_free where appropriate
    proper indent of goto do_nonblock
    replace out with do_rm_wq

Reported-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Atul Gupta <atul.gupta@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chtls - key len correction
Atul Gupta [Sun, 27 May 2018 15:45:18 +0000 (21:15 +0530)]
crypto: chtls - key len correction

corrected the key length to copy 128b key. Removed 192b and 256b
key as user input supports key of size 128b in gcm_ctx

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Atul Gupta <atul.gupta@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: salsa20 - Revert "crypto: salsa20 - export generic helpers"
Eric Biggers [Sat, 26 May 2018 07:08:59 +0000 (00:08 -0700)]
crypto: salsa20 - Revert "crypto: salsa20 - export generic helpers"

This reverts commit eb772f37ae8163a89e28a435f6a18742ae06653b, as now the
x86 Salsa20 implementation has been removed and the generic helpers are
no longer needed outside of salsa20_generic.c.

We could keep this just in case someone else wants to add a new
optimized Salsa20 implementation.  But given that we have ChaCha20 now
too, I think it's unlikely.  And this can always be reverted back.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: x86/salsa20 - remove x86 salsa20 implementations
Eric Biggers [Sat, 26 May 2018 07:08:58 +0000 (00:08 -0700)]
crypto: x86/salsa20 - remove x86 salsa20 implementations

The x86 assembly implementations of Salsa20 use the frame base pointer
register (%ebp or %rbp), which breaks frame pointer convention and
breaks stack traces when unwinding from an interrupt in the crypto code.
Recent (v4.10+) kernels will warn about this, e.g.

WARNING: kernel stack regs at 00000000a8291e69 in syzkaller047086:4677 has bad 'bp' value 000000001077994c
[...]

But after looking into it, I believe there's very little reason to still
retain the x86 Salsa20 code.  First, these are *not* vectorized
(SSE2/SSSE3/AVX2) implementations, which would be needed to get anywhere
close to the best Salsa20 performance on any remotely modern x86
processor; they're just regular x86 assembly.  Second, it's still
unclear that anyone is actually using the kernel's Salsa20 at all,
especially given that now ChaCha20 is supported too, and with much more
efficient SSSE3 and AVX2 implementations.  Finally, in benchmarks I did
on both Intel and AMD processors with both gcc 8.1.0 and gcc 4.9.4, the
x86_64 salsa20-asm is actually slightly *slower* than salsa20-generic
(~3% slower on Skylake, ~10% slower on Zen), while the i686 salsa20-asm
is only slightly faster than salsa20-generic (~15% faster on Skylake,
~20% faster on Zen).  The gcc version made little difference.

So, the x86_64 salsa20-asm is pretty clearly useless.  That leaves just
the i686 salsa20-asm, which based on my tests provides a 15-20% speed
boost.  But that's without updating the code to not use %ebp.  And given
the maintenance cost, the small speed difference vs. salsa20-generic,
the fact that few people still use i686 kernels, the doubt that anyone
is even using the kernel's Salsa20 at all, and the fact that a SSE2
implementation would almost certainly be much faster on any remotely
modern x86 processor yet no one has cared enough to add one yet, I don't
think it's worthwhile to keep.

Thus, just remove both the x86_64 and i686 salsa20-asm implementations.

Reported-by: syzbot+ffa3a158337bbc01ff09@syzkaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccp - Add GET_ID SEV command
Janakarajan Natarajan [Fri, 25 May 2018 20:23:30 +0000 (15:23 -0500)]
crypto: ccp - Add GET_ID SEV command

The GET_ID command, added as of SEV API v0.16, allows the SEV firmware
to be queried about a unique CPU ID. This unique ID can then be used
to obtain the public certificate containing the Chip Endorsement Key
(CEK) public key signed by the AMD SEV Signing Key (ASK).

For more information please refer to "Section 5.12 GET_ID" of
https://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf

Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccp - Add DOWNLOAD_FIRMWARE SEV command
Janakarajan Natarajan [Fri, 25 May 2018 20:23:29 +0000 (15:23 -0500)]
crypto: ccp - Add DOWNLOAD_FIRMWARE SEV command

The DOWNLOAD_FIRMWARE command, added as of SEV API v0.15, allows the OS
to install SEV firmware newer than the currently active SEV firmware.

For the new SEV firmware to be applied it must:
* Pass the validation test performed by the existing firmware.
* Be of the same build or a newer build compared to the existing firmware.

For more information please refer to "Section 5.11 DOWNLOAD_FIRMWARE" of
https://support.amd.com/TechDocs/55766_SEV-KM%20API_Specification.pdf

Signed-off-by: Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: qat - Add MODULE_FIRMWARE for all qat drivers
Conor McLoughlin [Fri, 25 May 2018 09:14:22 +0000 (10:14 +0100)]
crypto: qat - Add MODULE_FIRMWARE for all qat drivers

Signed-off-by: Conor McLoughlin <conor.mcloughlin@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccree - silence debug prints
Gilad Ben-Yossef [Thu, 24 May 2018 14:19:08 +0000 (15:19 +0100)]
crypto: ccree - silence debug prints

The cache parameter register configuration was being too verbose.
Use dev_dbg() to only provide the information if needed.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccree - better clock handling
Gilad Ben-Yossef [Thu, 24 May 2018 14:19:07 +0000 (15:19 +0100)]
crypto: ccree - better clock handling

Use managed clock handling, differentiate between no clock (possibly OK)
and clock init failure (never OK) and correctly handle clock detection
being deferred.

Suggested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccree - correct host regs offset
Gilad Ben-Yossef [Thu, 24 May 2018 14:19:06 +0000 (15:19 +0100)]
crypto: ccree - correct host regs offset

The product signature and HW revision register have different offset on the
older HW revisions.
This fixes the problem of the driver failing sanity check on silicon
despite working on the FPGA emulation systems.

Fixes: 27b3b22dd98c ("crypto: ccree - add support for older HW revs")
Cc: stable@vger.kernel.org
Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chelsio - Remove separate buffer used for DMA map B0 block in CCM
Harsh Jain [Thu, 24 May 2018 11:56:39 +0000 (17:26 +0530)]
crypto: chelsio - Remove separate buffer used for DMA map B0 block in CCM

Extends memory required for IV to include B0 Block and DMA map in
single operation.

Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypt: chelsio - Send IV as Immediate for cipher algo
Harsh Jain [Thu, 24 May 2018 11:56:38 +0000 (17:26 +0530)]
crypt: chelsio - Send IV as Immediate for cipher algo

Send IV in WR as immediate instead of dma mapped entry for cipher.

Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chelsio - Return -ENOSPC for transient busy indication.
Harsh Jain [Thu, 24 May 2018 11:56:37 +0000 (17:26 +0530)]
crypto: chelsio - Return -ENOSPC for transient busy indication.

Change the return type based on following patch
https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg28552.html

Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam/qi - fix warning in init_cgr()
Horia Geantă [Wed, 23 May 2018 11:32:42 +0000 (14:32 +0300)]
crypto: caam/qi - fix warning in init_cgr()

Coverity warns about an
"Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)"
when computing the congestion threshold value.

Even though it is highly unlikely for an overflow to happen,
use this as an opportunity to simplify the code.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam - fix rfc4543 descriptors
Horia Geantă [Wed, 23 May 2018 11:32:41 +0000 (14:32 +0300)]
crypto: caam - fix rfc4543 descriptors

In some cases the CCB DMA-based internal transfer started by the MOVE
command (src=M3 register, dst=descriptor buffer) does not finish
in time and DECO executes the unpatched descriptor.
This leads eventually to a DECO Watchdog Timer timeout error.

To make sure the transfer ends, change the MOVE command to be blocking.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam - fix MC firmware detection
Horia Geantă [Wed, 23 May 2018 11:32:40 +0000 (14:32 +0300)]
crypto: caam - fix MC firmware detection

Management Complex (MC) f/w detection is based on CTPR_MS[DPAA2] bit.

This is incorrect since:
-the bit is set for all CAAM blocks integrated in SoCs with a certain
Layerscape Chassis
-some SoCs with LS Chassis don't have an MC block (thus no MC f/w)

To fix this, MC f/w detection will be based on the presence of
"fsl,qoriq-mc" compatible string in the device tree.

Fixes: 297b9cebd2fc0 ("crypto: caam/jr - add support for DPAA2 parts")
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: clarify licensing of OpenSSL asm code
Adam Langley [Tue, 22 May 2018 19:35:11 +0000 (12:35 -0700)]
crypto: clarify licensing of OpenSSL asm code

Several source files have been taken from OpenSSL. In some of them a
comment that "permission to use under GPL terms is granted" was
included below a contradictory license statement. In several cases,
there was no indication that the license of the code was compatible
with the GPLv2.

This change clarifies the licensing for all of these files. I've
confirmed with the author (Andy Polyakov) that a) he has licensed the
files with the GPLv2 comment under that license and b) that he's also
happy to license the other files under GPLv2 too. In one case, the
file is already contained in his CRYPTOGAMS bundle, which has a GPLv2
option, and so no special measures are needed.

In all cases, the license status of code has been clarified by making
the GPLv2 license prominent.

The .S files have been regenerated from the updated .pl files.

This is a comment-only change. No code is changed.

Signed-off-by: Adam Langley <agl@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: morus - Mark MORUS SIMD glue as x86-specific
Ondrej Mosnacek [Mon, 21 May 2018 19:41:51 +0000 (21:41 +0200)]
crypto: morus - Mark MORUS SIMD glue as x86-specific

Commit 56e8e57fc3a7 ("crypto: morus - Add common SIMD glue code for
MORUS") accidetally consiedered the glue code to be usable by different
architectures, but it seems to be only usable on x86.

This patch moves it under arch/x86/crypto and adds 'depends on X86' to
the Kconfig options and also removes the prompt to hide these internal
options from the user.

Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - eliminate redundant decryption test vectors
Eric Biggers [Mon, 21 May 2018 05:50:29 +0000 (22:50 -0700)]
crypto: testmgr - eliminate redundant decryption test vectors

Currently testmgr has separate encryption and decryption test vectors
for symmetric ciphers.  That's massively redundant, since with few
exceptions (mostly mistakes, apparently), all decryption tests are
identical to the encryption tests, just with the input/result flipped.

Therefore, eliminate the redundancy by removing the decryption test
vectors and updating testmgr to test both encryption and decryption
using what used to be the encryption test vectors.  Naming is adjusted
accordingly: each cipher_testvec now has a 'ptext' (plaintext), 'ctext'
(ciphertext), and 'len' instead of an 'input', 'result', 'ilen', and
'rlen'.  Note that it was always the case that 'ilen == rlen'.

AES keywrap ("kw(aes)") is special because its IV is generated by the
encryption.  Previously this was handled by specifying 'iv_out' for
encryption and 'iv' for decryption.  To make it work cleanly with only
one set of test vectors, put the IV in 'iv', remove 'iv_out', and add a
boolean that indicates that the IV is generated by the encryption.

In total, this removes over 10000 lines from testmgr.h, with no
reduction in test coverage since prior patches already copied the few
unique decryption test vectors into the encryption test vectors.

This covers all algorithms that used 'struct cipher_testvec', e.g. any
block cipher in the ECB, CBC, CTR, XTS, LRW, CTS-CBC, PCBC, OFB, or
keywrap modes, and Salsa20 and ChaCha20.  No change is made to AEAD
tests, though we probably can eliminate a similar redundancy there too.

The testmgr.h portion of this patch was automatically generated using
the following awk script, with some slight manual fixups on top (updated
'struct cipher_testvec' definition, updated a few comments, and fixed up
the AES keywrap test vectors):

    BEGIN { OTHER = 0; ENCVEC = 1; DECVEC = 2; DECVEC_TAIL = 3; mode = OTHER }

    /^static const struct cipher_testvec.*_enc_/ { sub("_enc", ""); mode = ENCVEC }
    /^static const struct cipher_testvec.*_dec_/ { mode = DECVEC }
    mode == ENCVEC && !/\.ilen[[:space:]]*=/ {
     sub(/\.input[[:space:]]*=$/,    ".ptext =")
     sub(/\.input[[:space:]]*=/,     ".ptext\t=")
     sub(/\.result[[:space:]]*=$/,   ".ctext =")
     sub(/\.result[[:space:]]*=/,    ".ctext\t=")
     sub(/\.rlen[[:space:]]*=/,      ".len\t=")
     print
    }
    mode == DECVEC_TAIL && /[^[:space:]]/ { mode = OTHER }
    mode == OTHER                         { print }
    mode == ENCVEC && /^};/               { mode = OTHER }
    mode == DECVEC && /^};/               { mode = DECVEC_TAIL }

Note that git's default diff algorithm gets confused by the testmgr.h
portion of this patch, and reports too many lines added and removed.
It's better viewed with 'git diff --minimal' (or 'git show --minimal'),
which reports "2 files changed, 919 insertions(+), 11723 deletions(-)".

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - add extra kw(aes) encryption test vector
Eric Biggers [Mon, 21 May 2018 05:50:28 +0000 (22:50 -0700)]
crypto: testmgr - add extra kw(aes) encryption test vector

One "kw(aes)" decryption test vector doesn't exactly match an encryption
test vector with input and result swapped.  In preparation for removing
the decryption test vectors, add this test vector to the encryption test
vectors, so we don't lose any test coverage.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - add extra ecb(tnepres) encryption test vectors
Eric Biggers [Mon, 21 May 2018 05:50:27 +0000 (22:50 -0700)]
crypto: testmgr - add extra ecb(tnepres) encryption test vectors

None of the four "ecb(tnepres)" decryption test vectors exactly match an
encryption test vector with input and result swapped.  In preparation
for removing the decryption test vectors, add these to the encryption
test vectors, so we don't lose any test coverage.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - make an cbc(des) encryption test vector chunked
Eric Biggers [Mon, 21 May 2018 05:50:26 +0000 (22:50 -0700)]
crypto: testmgr - make an cbc(des) encryption test vector chunked

One "cbc(des)" decryption test vector doesn't exactly match an
encryption test vector with input and result swapped.  It's *almost* the
same as one, but the decryption version is "chunked" while the
encryption version is "unchunked".  In preparation for removing the
decryption test vectors, make the encryption one both chunked and
unchunked, so we don't lose any test coverage.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - add extra ecb(des) encryption test vectors
Eric Biggers [Mon, 21 May 2018 05:50:25 +0000 (22:50 -0700)]
crypto: testmgr - add extra ecb(des) encryption test vectors

Two "ecb(des)" decryption test vectors don't exactly match any of the
encryption test vectors with input and result swapped.  In preparation
for removing the decryption test vectors, add these to the encryption
test vectors, so we don't lose any test coverage.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: x86/aegis256 - Fix wrong key buffer size
Ondrej Mosnacek [Sun, 20 May 2018 08:57:23 +0000 (10:57 +0200)]
crypto: x86/aegis256 - Fix wrong key buffer size

AEGIS-256 key is two blocks, not one.

Fixes: 1d373d4e8e15 ("crypto: x86 - Add optimized AEGIS implementations")
Reported-by: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - add more unkeyed crc32 and crc32c test vectors
Eric Biggers [Sun, 20 May 2018 05:07:42 +0000 (22:07 -0700)]
crypto: testmgr - add more unkeyed crc32 and crc32c test vectors

crc32c has an unkeyed test vector but crc32 did not.  Add the crc32c one
(which uses an empty input) to crc32 too, and also add a new one to both
that uses a nonempty input.  These test vectors verify that crc32 and
crc32c implementations use the correct default initial state.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - fix testing OPTIONAL_KEY hash algorithms
Eric Biggers [Sun, 20 May 2018 05:07:41 +0000 (22:07 -0700)]
crypto: testmgr - fix testing OPTIONAL_KEY hash algorithms

Since testmgr uses a single tfm for all tests of each hash algorithm,
once a key is set the tfm won't be unkeyed anymore.  But with crc32 and
crc32c, the key is really the "default initial state" and is optional;
those algorithms should have both keyed and unkeyed test vectors, to
verify that implementations use the correct default key.

Simply listing the unkeyed test vectors first isn't guaranteed to work
yet because testmgr makes multiple passes through the test vectors.
crc32c does have an unkeyed test vector listed first currently, but it
only works by chance because the last crc32c test vector happens to use
a key that is the same as the default key.

Therefore, teach testmgr to split hash test vectors into unkeyed and
keyed sections, and do all the unkeyed ones before the keyed ones.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - remove bfin_crc "hmac(crc32)" test vectors
Eric Biggers [Sun, 20 May 2018 05:07:40 +0000 (22:07 -0700)]
crypto: testmgr - remove bfin_crc "hmac(crc32)" test vectors

The Blackfin CRC driver was removed by commit 9678a8dc53c1 ("crypto:
bfin_crc - remove blackfin CRC driver"), but it was forgotten to remove
the corresponding "hmac(crc32)" test vectors.  I see no point in keeping
them since nothing else appears to implement or use "hmac(crc32)", which
isn't an algorithm that makes sense anyway because HMAC is meant to be
used with a cryptographically secure hash function, which CRC's are not.

Thus, remove the unneeded test vectors.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crc32-generic - remove __crc32_le()
Eric Biggers [Sun, 20 May 2018 05:07:39 +0000 (22:07 -0700)]
crypto: crc32-generic - remove __crc32_le()

The __crc32_le() wrapper function is pointless.  Just call crc32_le()
directly instead.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crc32c-generic - remove cra_alignmask
Eric Biggers [Sun, 20 May 2018 05:07:38 +0000 (22:07 -0700)]
crypto: crc32c-generic - remove cra_alignmask

crc32c-generic sets an alignmask, but actually its ->update() works with
any alignment; only its ->setkey() and outputting the final digest
assume an alignment.  To prevent the buffer from having to be aligned by
the crypto API for just these cases, switch these cases over to the
unaligned access macros and remove the cra_alignmask.  Note that this
also makes crc32c-generic more consistent with crc32-generic.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crc32-generic - use unaligned access macros when needed
Eric Biggers [Sun, 20 May 2018 05:07:37 +0000 (22:07 -0700)]
crypto: crc32-generic - use unaligned access macros when needed

crc32-generic doesn't have a cra_alignmask set, which is desired as its
->update() works with any alignment.  However, it incorrectly assumes
4-byte alignment in ->setkey() and when outputting the final digest.

Fix this by using the unaligned access macros in those cases.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chtls - fix a missing-check bug
Wenwen Wang [Fri, 18 May 2018 19:55:35 +0000 (14:55 -0500)]
crypto: chtls - fix a missing-check bug

In do_chtls_setsockopt(), the tls crypto info is first copied from the
poiner 'optval' in userspace and saved to 'tmp_crypto_info'. Then the
'version' of the crypto info is checked. If the version is not as expected,
i.e., TLS_1_2_VERSION, error code -ENOTSUPP is returned to indicate that
the provided crypto info is not supported yet. Then, the 'cipher_type'
field of the 'tmp_crypto_info' is also checked to see if it is
TLS_CIPHER_AES_GCM_128. If it is, the whole struct of
tls12_crypto_info_aes_gcm_128 is copied from the pointer 'optval' and then
the function chtls_setkey() is invoked to set the key.

Given that the 'optval' pointer resides in userspace, a malicious userspace
process can race to change the data pointed by 'optval' between the two
copies. For example, a user can provide a crypto info with TLS_1_2_VERSION
and TLS_CIPHER_AES_GCM_128. After the first copy, the user can modify the
'version' and the 'cipher_type' fields to any versions and/or cipher types
that are not allowed. This way, the user can bypass the checks, inject
bad data to the kernel, cause chtls_setkey() to set a wrong key or other
issues.

This patch reuses the data copied in the first try so as to ensure these
checks will not be bypassed.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - authenc(hmac(sha1), cbc(aes)) support
Antoine Tenart [Mon, 14 May 2018 13:11:04 +0000 (15:11 +0200)]
crypto: inside-secure - authenc(hmac(sha1), cbc(aes)) support

This patch adds the authenc(hmac(sha1),cbc(aes)) AEAD algorithm
support to the Inside Secure SafeXcel driver.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - authenc(hmac(sha224), cbc(aes)) support
Antoine Tenart [Mon, 14 May 2018 13:11:03 +0000 (15:11 +0200)]
crypto: inside-secure - authenc(hmac(sha224), cbc(aes)) support

This patch adds the authenc(hmac(sha224),cbc(aes)) AEAD algorithm
support to the Inside Secure SafeXcel driver.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - authenc(hmac(sha256), cbc(aes)) support
Antoine Tenart [Mon, 14 May 2018 13:11:02 +0000 (15:11 +0200)]
crypto: inside-secure - authenc(hmac(sha256), cbc(aes)) support

This patch adds support for the first AEAD algorithm in the Inside
Secure SafeXcel driver, authenc(hmac(sha256),cbc(aes)). As this is the
first AEAD algorithm added to this driver, common AEAD functions are
added as well.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - improve error reporting
Antoine Tenart [Mon, 14 May 2018 13:11:01 +0000 (15:11 +0200)]
crypto: inside-secure - improve error reporting

This patch improves the error reporting from the Inside Secure driver to
the upper layers and crypto consumers. All errors reported by the engine
aren't fatal, and some may be genuine.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - fix the hash then encrypt/decrypt types
Antoine Tenart [Mon, 14 May 2018 13:11:00 +0000 (15:11 +0200)]
crypto: inside-secure - fix the hash then encrypt/decrypt types

This commit fixes the CONTEXT_CONTROL_TYPE_HASH_ENCRYPT_OUT and
CONTEXT_CONTROL_TYPE_HASH_DECRYPT_OUT types by assigning the right
value, and by renaming CONTEXT_CONTROL_TYPE_HASH_DECRYPT_OUT to
CONTEXT_CONTROL_TYPE_HASH_DECRYPT_IN.

This is not submitted as a fix for older kernel versions as these two
defines weren't used back then.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - make the key and context size computation dynamic
Antoine Tenart [Mon, 14 May 2018 13:10:59 +0000 (15:10 +0200)]
crypto: inside-secure - make the key and context size computation dynamic

This patches makes the key and context size computation dynamic when
using memzero_explicit() on these two arrays. This is safer, cleaner and
will help future modifications of the driver when these two parameters
sizes will changes (the context size will be bigger when using AEAD
algorithms).

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - make the context control size dynamic
Antoine Tenart [Mon, 14 May 2018 13:10:58 +0000 (15:10 +0200)]
crypto: inside-secure - make the context control size dynamic

This patch makes the context control size computation dynamic, not to
rely on hardcoded values. This is better for the future, and will help
adding the AEAD support.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - rework the alg type settings in the context
Antoine Tenart [Mon, 14 May 2018 13:10:57 +0000 (15:10 +0200)]
crypto: inside-secure - rework the alg type settings in the context

This patches reworks the way the algorithm type is set in the context,
by using the fact that the decryption algorithms are just a combination
of the algorithm encryption type and CONTEXT_CONTROL_TYPE_NULL_IN.

This will help having simpler code when adding the AEAD support, to
avoid ending up with an endless switch case block.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - rework cipher functions for future AEAD support
Antoine Tenart [Mon, 14 May 2018 13:10:56 +0000 (15:10 +0200)]
crypto: inside-secure - rework cipher functions for future AEAD support

This patch reworks the Inside Secure cipher functions, to remove all
skcipher specific information and structure from all functions generic
enough to be shared between skcipher and aead algorithms.

This is a cosmetic only patch.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - remove VLAs
Antoine Tenart [Mon, 14 May 2018 13:10:55 +0000 (15:10 +0200)]
crypto: inside-secure - remove VLAs

This patch removes the use of VLAs to allocate requests on the stack, by
removing both SKCIPHER_REQUEST_ON_STACK and AHASH_REQUEST_ON_STACK. As
we still need to allocate requests on the stack to ease the creation of
invalidation requests a new, non-VLA, definition is used:
EIP197_REQUEST_ON_STACK.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chtls - generic handling of data and hdr
Atul Gupta [Mon, 14 May 2018 11:11:38 +0000 (16:41 +0530)]
crypto: chtls - generic handling of data and hdr

removed redundant check and made TLS PDU and header recv
handling common as received from HW.
Ensure that only tls header is read in cpl_rx_tls_cmp
read-ahead and skb is freed when entire data is processed.

Signed-off-by: Atul Gupta <atul.gupta@chelsio.com>
Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: x86 - Add optimized MORUS implementations
Ondrej Mosnacek [Fri, 11 May 2018 12:19:12 +0000 (14:19 +0200)]
crypto: x86 - Add optimized MORUS implementations

This patch adds optimized implementations of MORUS-640 and MORUS-1280,
utilizing the SSE2 and AVX2 x86 extensions.

For MORUS-1280 (which operates on 256-bit blocks) we provide both AVX2
and SSE2 implementation. Although SSE2 MORUS-1280 is slower than AVX2
MORUS-1280, it is comparable in speed to the SSE2 MORUS-640.

Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: morus - Add common SIMD glue code for MORUS
Ondrej Mosnacek [Fri, 11 May 2018 12:19:11 +0000 (14:19 +0200)]
crypto: morus - Add common SIMD glue code for MORUS

This patch adds a common glue code for optimized implementations of
MORUS AEAD algorithms.

Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - Add test vectors for MORUS
Ondrej Mosnacek [Fri, 11 May 2018 12:19:10 +0000 (14:19 +0200)]
crypto: testmgr - Add test vectors for MORUS

This patch adds test vectors for MORUS-640 and MORUS-1280. The test
vectors were generated using the reference implementation from
SUPERCOP (see code comments for more details).

Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: morus - Add generic MORUS AEAD implementations
Ondrej Mosnacek [Fri, 11 May 2018 12:19:09 +0000 (14:19 +0200)]
crypto: morus - Add generic MORUS AEAD implementations

This patch adds the generic implementation of the MORUS family of AEAD
algorithms (MORUS-640 and MORUS-1280). The original authors of MORUS
are Hongjun Wu and Tao Huang.

At the time of writing, MORUS is one of the finalists in CAESAR, an
open competition intended to select a portfolio of alternatives to
the problematic AES-GCM:

https://competitions.cr.yp.to/caesar-submissions.html
https://competitions.cr.yp.to/round3/morusv2.pdf

Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: x86 - Add optimized AEGIS implementations
Ondrej Mosnacek [Fri, 11 May 2018 12:12:51 +0000 (14:12 +0200)]
crypto: x86 - Add optimized AEGIS implementations

This patch adds optimized implementations of AEGIS-128, AEGIS-128L,
and AEGIS-256, utilizing the AES-NI and SSE2 x86 extensions.

Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - Add test vectors for AEGIS
Ondrej Mosnacek [Fri, 11 May 2018 12:12:50 +0000 (14:12 +0200)]
crypto: testmgr - Add test vectors for AEGIS

This patch adds test vectors for the AEGIS family of AEAD algorithms
(AEGIS-128, AEGIS-128L, and AEGIS-256). The test vectors were
generated using the reference implementation from SUPERCOP (see code
comments for more details).

Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aegis - Add generic AEGIS AEAD implementations
Ondrej Mosnacek [Fri, 11 May 2018 12:12:49 +0000 (14:12 +0200)]
crypto: aegis - Add generic AEGIS AEAD implementations

This patch adds the generic implementation of the AEGIS family of AEAD
algorithms (AEGIS-128, AEGIS-128L, and AEGIS-256). The original
authors of AEGIS are Hongjun Wu and Bart Preneel.

At the time of writing, AEGIS is one of the finalists in CAESAR, an
open competition intended to select a portfolio of alternatives to
the problematic AES-GCM:

https://competitions.cr.yp.to/caesar-submissions.html
https://competitions.cr.yp.to/round3/aegisv11.pdf

Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - reorder paes test lexicographically
Gilad Ben-Yossef [Fri, 11 May 2018 08:04:06 +0000 (09:04 +0100)]
crypto: testmgr - reorder paes test lexicographically

Due to a snafu "paes" testmgr tests were not ordered
lexicographically, which led to boot time warnings.
Reorder the tests as needed.

Fixes: a794d8d ("crypto: ccree - enable support for hardware keys")
Reported-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Tested-by: Abdul Haleem <abdhalee@linux.vnet.ibm.com>
Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chelsio - request to HW should wrap
Atul Gupta [Thu, 10 May 2018 04:44:42 +0000 (10:14 +0530)]
crypto: chelsio - request to HW should wrap

-Tx request and data is copied to HW Q in 64B desc, check for
end of queue and adjust the current position to start from
beginning before passing the additional request info.
-key context copy should check key length only
-Few reverse christmas tree correction

Signed-off-by: Atul Gupta <atul.gupta@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: nx - fix spelling mistake: "seqeunce" -> "sequence"
Colin Ian King [Wed, 9 May 2018 09:16:36 +0000 (10:16 +0100)]
crypto: nx - fix spelling mistake: "seqeunce" -> "sequence"

Trivial fix to spelling mistake in CSB_ERR error message text

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: n2 - fix spelling mistake: "restesting" -> "retesting"
Colin Ian King [Tue, 8 May 2018 22:18:42 +0000 (23:18 +0100)]
hwrng: n2 - fix spelling mistake: "restesting" -> "retesting"

Trivial fix to spelling mistake in dev_err error message

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: vmx - Remove overly verbose printk from AES XTS init
Michael Ellerman [Thu, 3 May 2018 12:29:30 +0000 (22:29 +1000)]
crypto: vmx - Remove overly verbose printk from AES XTS init

In p8_aes_xts_init() we do a printk(KERN_INFO ...) to report the
fallback implementation we're using. However with a slow console this
can significantly affect the speed of crypto operations. So remove it.

Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS")
Cc: stable@vger.kernel.org # v4.8+
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: vmx - Remove overly verbose printk from AES init routines
Michael Ellerman [Thu, 3 May 2018 12:29:29 +0000 (22:29 +1000)]
crypto: vmx - Remove overly verbose printk from AES init routines

In the vmx AES init routines we do a printk(KERN_INFO ...) to report
the fallback implementation we're using.

However with a slow console this can significantly affect the speed of
crypto operations. Using 'cryptsetup benchmark' the removal of the
printk() leads to a ~5x speedup for aes-cbc decryption.

So remove them.

Fixes: 8676590a1593 ("crypto: vmx - Adding AES routines for VMX module")
Fixes: 8c755ace357c ("crypto: vmx - Adding CBC routines for VMX module")
Fixes: 4f7f60d312b3 ("crypto: vmx - Adding CTR routines for VMX module")
Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module")
Cc: stable@vger.kernel.org # v4.1+
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/sha512-ce - yield NEON after every block of input
Ard Biesheuvel [Mon, 30 Apr 2018 16:18:30 +0000 (18:18 +0200)]
crypto: arm64/sha512-ce - yield NEON after every block of input

Avoid excessive scheduling delays under a preemptible kernel by
conditionally yielding the NEON after every block of input.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/sha3-ce - yield NEON after every block of input
Ard Biesheuvel [Mon, 30 Apr 2018 16:18:29 +0000 (18:18 +0200)]
crypto: arm64/sha3-ce - yield NEON after every block of input

Avoid excessive scheduling delays under a preemptible kernel by
conditionally yielding the NEON after every block of input.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/crct10dif-ce - yield NEON after every block of input
Ard Biesheuvel [Mon, 30 Apr 2018 16:18:28 +0000 (18:18 +0200)]
crypto: arm64/crct10dif-ce - yield NEON after every block of input

Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/crc32-ce - yield NEON after every block of input
Ard Biesheuvel [Mon, 30 Apr 2018 16:18:27 +0000 (18:18 +0200)]
crypto: arm64/crc32-ce - yield NEON after every block of input

Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/aes-ghash - yield NEON after every block of input
Ard Biesheuvel [Mon, 30 Apr 2018 16:18:26 +0000 (18:18 +0200)]
crypto: arm64/aes-ghash - yield NEON after every block of input

Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/aes-bs - yield NEON after every block of input
Ard Biesheuvel [Mon, 30 Apr 2018 16:18:25 +0000 (18:18 +0200)]
crypto: arm64/aes-bs - yield NEON after every block of input

Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/aes-blk - yield NEON after every block of input
Ard Biesheuvel [Mon, 30 Apr 2018 16:18:24 +0000 (18:18 +0200)]
crypto: arm64/aes-blk - yield NEON after every block of input

Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/aes-ccm - yield NEON after every block of input
Ard Biesheuvel [Mon, 30 Apr 2018 16:18:23 +0000 (18:18 +0200)]
crypto: arm64/aes-ccm - yield NEON after every block of input

Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/sha2-ce - yield NEON after every block of input
Ard Biesheuvel [Mon, 30 Apr 2018 16:18:22 +0000 (18:18 +0200)]
crypto: arm64/sha2-ce - yield NEON after every block of input

Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/sha1-ce - yield NEON after every block of input
Ard Biesheuvel [Mon, 30 Apr 2018 16:18:21 +0000 (18:18 +0200)]
crypto: arm64/sha1-ce - yield NEON after every block of input

Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ghash-clmulni - fix spelling mistake: "acclerated" -> "accelerated"
Colin Ian King [Fri, 27 Apr 2018 18:08:05 +0000 (19:08 +0100)]
crypto: ghash-clmulni - fix spelling mistake: "acclerated" -> "accelerated"

Trivial fix to spelling mistake in module description text

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam - fix size of RSA prime factor q
Horia Geantă [Fri, 27 Apr 2018 08:40:11 +0000 (11:40 +0300)]
crypto: caam - fix size of RSA prime factor q

Fix a typo where size of RSA prime factor q is using the size of
prime factor p.

Cc: <stable@vger.kernel.org> # 4.13+
Fixes: 52e26d77b8b3 ("crypto: caam - add support for RSA key form 2")
Fixes: 4a651b122adb ("crypto: caam - add support for RSA key form 3")
Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: tcrypt - Remove VLA usage
Kees Cook [Fri, 27 Apr 2018 02:57:28 +0000 (19:57 -0700)]
crypto: tcrypt - Remove VLA usage

In the quest to remove all stack VLA usage from the kernel[1], this
allocates the return code buffers before starting jiffie timers, rather
than using stack space for the array. Additionally cleans up some exit
paths and make sure that the num_mb module_param() is used only once
per execution to avoid possible races in the value changing.

[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64 - add support for SM4 encryption using special instructions
Ard Biesheuvel [Wed, 25 Apr 2018 12:20:46 +0000 (14:20 +0200)]
crypto: arm64 - add support for SM4 encryption using special instructions

Add support for the SM4 symmetric cipher implemented using the special
SM4 instructions introduced in ARM architecture revision 8.2.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: sm4 - export encrypt/decrypt routines to other drivers
Ard Biesheuvel [Wed, 25 Apr 2018 12:20:45 +0000 (14:20 +0200)]
crypto: sm4 - export encrypt/decrypt routines to other drivers

In preparation of adding support for the SIMD based arm64 implementation
of arm64, which requires a fallback to non-SIMD code when invoked in
certain contexts, expose the generic SM4 encrypt and decrypt routines
to other drivers.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: stm32 - fix pm_suspend issue
lionel.debieve@st.com [Mon, 23 Apr 2018 15:04:26 +0000 (17:04 +0200)]
hwrng: stm32 - fix pm_suspend issue

When suspend is called after pm_runtime_suspend,
same callback is used and access to rng register is
freezing system. By calling the pm_runtime_force_suspend,
it first checks that runtime has been already done.

Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: stm32 - define default state for rng driver
lionel.debieve@st.com [Mon, 23 Apr 2018 15:04:25 +0000 (17:04 +0200)]
hwrng: stm32 - define default state for rng driver

Define default state for stm32_rng driver. It will
be default selected with multi_v7_defconfig

Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccree - use proper printk format
Gilad Ben-Yossef [Mon, 23 Apr 2018 07:25:15 +0000 (08:25 +0100)]
crypto: ccree - use proper printk format

Fix incorrect use of %pad as a printk format string for none dma_addr_t
variable.

Discovered via smatch.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccree - enable support for hardware keys
Gilad Ben-Yossef [Mon, 23 Apr 2018 07:25:14 +0000 (08:25 +0100)]
crypto: ccree - enable support for hardware keys

Enable CryptoCell support for hardware keys.

Hardware keys are regular AES keys loaded into CryptoCell internal memory
via firmware, often from secure boot ROM or hardware fuses at boot time.

As such, they can be used for enc/dec purposes like any other key but
cannot (read: extremely hard to) be extracted since since they are not
available anywhere in RAM during runtime.

The mechanism has some similarities to s390 secure keys although the keys
are not wrapped or sealed, but simply loaded offline. The interface was
therefore modeled based on the s390 secure keys support.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - put temporary dst sg into request ctx
Christian Lamparter [Thu, 19 Apr 2018 16:41:57 +0000 (18:41 +0200)]
crypto: crypto4xx - put temporary dst sg into request ctx

This patch fixes a crash that happens when testing rfc4543(gcm(aes))

Unable to handle kernel paging request for data at address 0xf59b3420
Faulting instruction address: 0xc0012994
Oops: Kernel access of bad area, sig: 11 [#1]
BE PowerPC 44x Platform
Modules linked in: tcrypt(+) crypto4xx [...]
CPU: 0 PID: 0 Comm: swapper Tainted: G           O      4.17.0-rc1+ #23
NIP:  c0012994 LR: d3077934 CTR: 06026d49
REGS: cfff7e30 TRAP: 0300   Tainted: G           O       (4.17.0-rc1+)
MSR:  00029000 <CE,EE,ME>  CR: 44744822  XER: 00000000
DEAR: f59b3420 ESR: 00000000
NIP [c0012994] __dma_sync+0x58/0x10c
LR [d3077934] crypto4xx_bh_tasklet_cb+0x188/0x3c8 [crypto4xx]

__dma_sync was fed the temporary _dst that crypto4xx_build_pd()
had in it's function stack. This clearly never worked.
This patch therefore overhauls the code from the original driver
and puts the temporary dst sg list into aead's request context.

Fixes: a0aae821ba3d3 ("crypto: crypto4xx - prepare for AEAD support")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - extend aead fallback checks
Christian Lamparter [Thu, 19 Apr 2018 16:41:56 +0000 (18:41 +0200)]
crypto: crypto4xx - extend aead fallback checks

1020 bytes is the limit for associated data. Any more
and it will no longer fit into hash_crypto_offset anymore.

The hardware will not process aead requests with plaintext
that have less than AES_BLOCK_SIZE bytes. When decrypting
aead requests the authsize has to be taken in account as
well, as it is part of the cryptlen. Otherwise the hardware
will think it has been misconfigured and will return:

aead return err status = 0x98

For rtc4543(gcm(aes)), the hardware has a dedicated GMAC
mode as part of the hash function set.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - properly set IV after de- and encrypt
Christian Lamparter [Thu, 19 Apr 2018 16:41:55 +0000 (18:41 +0200)]
crypto: crypto4xx - properly set IV after de- and encrypt

This patch fixes cts(cbc(aes)) test when cbc-aes-ppc4xx is used.
alg: skcipher: Test 1 failed (invalid result) on encryption for cts(cbc-aes-ppc4xx)
00000000: 4b 10 75 fc 2f 14 1b 6a 27 35 37 33 d1 b7 70 05
00000010: 97
alg: skcipher: Failed to load transform for cts(cbc(aes)): -2

The CTS cipher mode expect the IV (req->iv) of skcipher_request
to contain the last ciphertext block after the {en,de}crypt
operation is complete.

Fix this issue for the AMCC Crypto4xx hardware engine.
The tcrypt test case for cts(cbc(aes)) is now correctly passed.

name         : cts(cbc(aes))
driver       : cts(cbc-aes-ppc4xx)
module       : cts
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
chunksize    : 16
walksize     : 16

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - add aes-ctr support
Christian Lamparter [Thu, 19 Apr 2018 16:41:54 +0000 (18:41 +0200)]
crypto: crypto4xx - add aes-ctr support

This patch adds support for the aes-ctr skcipher.

name         : ctr(aes)
driver       : ctr-aes-ppc4xx
module       : crypto4xx
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : skcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
chunksize    : 16
walksize     : 16

The hardware uses only the last 32-bits as the counter while the
kernel tests (aes_ctr_enc_tv_template[4] for example) expect that
the whole IV is a counter. To make this work, the driver will
fallback if the counter is going to overlow.

The aead's crypto4xx_setup_fallback() function is renamed to
crypto4xx_aead_setup_fallback.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - avoid VLA use
Christian Lamparter [Thu, 19 Apr 2018 16:41:53 +0000 (18:41 +0200)]
crypto: crypto4xx - avoid VLA use

This patch fixes some of the -Wvla warnings.

crypto4xx_alg.c:83:19: warning: Variable length array is used.
crypto4xx_alg.c:273:56: warning: Variable length array is used.
crypto4xx_alg.c:380:32: warning: Variable length array is used.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - convert to skcipher
Christian Lamparter [Thu, 19 Apr 2018 16:41:52 +0000 (18:41 +0200)]
crypto: crypto4xx - convert to skcipher

The ablkcipher APIs have been effectively deprecated since [1].
This patch converts the crypto4xx driver to the new skcipher APIs.

[1] <https://www.spinics.net/lists/linux-crypto/msg18133.html>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - performance optimizations
Christian Lamparter [Thu, 19 Apr 2018 16:41:51 +0000 (18:41 +0200)]
crypto: crypto4xx - performance optimizations

This patch provides a cheap 2MiB/s+ (~ 6%) performance
improvement over the current code. This is because the
compiler can now optimize several endian swap memcpy.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: cavium - Remove unnecessary parentheses
Varsha Rao [Thu, 19 Apr 2018 15:49:43 +0000 (21:19 +0530)]
crypto: cavium - Remove unnecessary parentheses

This patch fixes the clang warning of extraneous parentheses, with the
following coccinelle script.

@@
identifier i;
constant c;
expression e;
@@
(
!((e))
|
-((
\(i == c\|i != c\|i <= c\|i < c\|i >= c\|i > c\)
-))
)

Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: drivers - simplify getting .drvdata
Wolfram Sang [Thu, 19 Apr 2018 14:05:36 +0000 (16:05 +0200)]
crypto: drivers - simplify getting .drvdata

We should get drvdata from struct device directly. Going via
platform_device is an unneeded step back and forth.

Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: omap-sham - fix memleak
Bin Liu [Tue, 17 Apr 2018 19:53:13 +0000 (14:53 -0500)]
crypto: omap-sham - fix memleak

Fixes: 8043bb1ae03cb ("crypto: omap-sham - convert driver logic to use sgs for data xmit")
The memory pages freed in omap_sham_finish_req() were less than those
allocated in omap_sham_copy_sgs().

Cc: stable@vger.kernel.org
Signed-off-by: Bin Liu <b-liu@ti.com>
Acked-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: drivers - Remove depends on HAS_DMA in case of platform dependency
Geert Uytterhoeven [Tue, 17 Apr 2018 17:49:03 +0000 (19:49 +0200)]
crypto: drivers - Remove depends on HAS_DMA in case of platform dependency

Remove dependencies on HAS_DMA where a Kconfig symbol depends on another
symbol that implies HAS_DMA, and, optionally, on "|| COMPILE_TEST".
In most cases this other symbol is an architecture or platform specific
symbol, or PCI.

Generic symbols and drivers without platform dependencies keep their
dependencies on HAS_DMA, to prevent compiling subsystems or drivers that
cannot work anyway.

This simplifies the dependencies, and allows to improve compile-testing.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Reviewed-by: Mark Brown <broonie@kernel.org>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam: - Use kmemdup() function
Fabio Estevam [Mon, 16 Apr 2018 16:05:01 +0000 (13:05 -0300)]
crypto: caam: - Use kmemdup() function

Use kmemdup() rather than duplicating its implementation.

By usign kmemdup() we can also get rid of the 'val' variable.

Detected with Coccinelle script.

Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam - strip input zeros from RSA input buffer
Horia Geantă [Mon, 16 Apr 2018 13:07:05 +0000 (08:07 -0500)]
crypto: caam - strip input zeros from RSA input buffer

Sometimes the provided RSA input buffer provided is not stripped
of leading zeros. This could cause its size to be bigger than that
of the modulus, making the HW complain:

caam_jr 2142000.jr1: 40000789: DECO: desc idx 7:
Protocol Size Error - A protocol has seen an error in size. When
running RSA, pdb size N < (size of F) when no formatting is used; or
pdb size N < (F + 11) when formatting is used.

Fix the problem by stripping off the leading zero from input data
before feeding it to the CAAM accelerator.

Fixes: 8c419778ab57e ("crypto: caam - add support for RSA algorithm")
Cc: <stable@vger.kernel.org> # 4.8+
Reported-by: Martin Townsend <mtownsend1973@gmail.com>
Link: https://lkml.kernel.org/r/CABatt_ytYORYKtApcB4izhNanEKkGFi9XAQMjHi_n-8YWoCRiw@mail.gmail.com
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Tested-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: via - support new Centaur CPU
davidwang [Fri, 13 Apr 2018 07:03:03 +0000 (15:03 +0800)]
hwrng: via - support new Centaur CPU

New Centaur CPU(Family > 6) supprt Random Number Generator, but can't
support MSR_VIA_RNG. Just like VIA Nano.

Signed-off-by: David Wang <davidwang@zhaoxin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: rsa - Remove unneeded error assignment
Fabio Estevam [Wed, 11 Apr 2018 21:37:17 +0000 (18:37 -0300)]
crypto: rsa - Remove unneeded error assignment

There is no need to assign an error value to 'ret' prior
to calling mpi_read_raw_from_sgl() because in the case
of error the 'ret' variable will be assigned to the error
code inside the if block.

In the case of non failure, 'ret' will be overwritten
immediately after, so remove the unneeded assignment.

Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - Allow different compression results
Mahipal Challa [Wed, 11 Apr 2018 18:28:32 +0000 (20:28 +0200)]
crypto: testmgr - Allow different compression results

The following error is triggered by the ThunderX ZIP driver
if the testmanager is enabled:

[  199.069437] ThunderX-ZIP 0000:03:00.0: Found ZIP device 0 177d:a01a on Node 0
[  199.073573] alg: comp: Compression test 1 failed for deflate-generic: output len = 37

The reason for this error is the verification of the compression
results. Verifying the compression result only works if all
algorithm parameters are identical, in this case to the software
implementation.

Different compression engines like the ThunderX ZIP coprocessor
might yield different compression results by tuning the
algorithm parameters. In our case the compressed result is
shorter than the test vector.

We should not forbid different compression results but only
check that compression -> decompression yields the same
result. This is done already in the acomp test. Do something
similar for test_comp().

Signed-off-by: Mahipal Challa <mchalla@cavium.com>
Signed-off-by: Balakrishna Bhamidipati <bbhamidipati@cavium.com>
[jglauber@cavium.com: removed unrelated printk changes, rewrote commit msg,
 fixed whitespace and unneeded initialization]
Signed-off-by: Jan Glauber <jglauber@cavium.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>