user/sven/linux.git/crypto/authenc.c, branch v4.4.27

crypto: aead - Remove CRYPTO_ALG_AEAD_NEW flag

2015-08-17T08:53:53Z

This patch removes the CRYPTO_ALG_AEAD_NEW flag now that everyone has been converted. Signed-off-by: Herbert Xu

crypto: authenc - Convert to new AEAD interface

2015-08-04T12:45:31Z

This patch converts authenc to the new AEAD interface. Signed-off-by: Herbert Xu

crypto: authenc - Use crypto_aead_set_reqsize helper

2015-05-13T02:31:37Z

This patch uses the crypto_aead_set_reqsize helper to avoid directly touching the internals of aead. Signed-off-by: Herbert Xu

crypto: authenc - Include internal/aead.h

2015-05-13T02:31:26Z

All AEAD implementations must include internal/aead.h in order to access required helpers. Signed-off-by: Herbert Xu

crypto: include crypto- module prefix in template

2014-11-26T12:06:30Z

This adds the module loading prefix "crypto-" to the template lookup as well. For example, attempting to load 'vfat(blowfish)' via AF_ALG now correctly includes the "crypto-" prefix at every level, correctly rejecting "vfat": net-pf-38 algif-hash crypto-vfat(blowfish) crypto-vfat(blowfish)-all crypto-vfat Reported-by: Mathias Krause Signed-off-by: Kees Cook Acked-by: Mathias Krause Signed-off-by: Herbert Xu

crypto: authenc - Find proper IV address in ablkcipher callback

2013-11-28T14:16:23Z

When performing an asynchronous ablkcipher operation the authenc completion callback routine is invoked, but it does not locate and use the proper IV. The callback routine, crypto_authenc_encrypt_done, is updated to use the same method of calculating the address of the IV as is done in crypto_authenc_encrypt function which sets up the callback. Cc: stable@vger.kernel.org Signed-off-by: Tom Lendacky Signed-off-by: Herbert Xu

crypto: authenc - Export key parsing helper function

2013-10-16T12:56:25Z

AEAD key parsing is duplicated to multiple places in the kernel. Add a common helper function to consolidate that functionality. Cc: Herbert Xu Cc: "David S. Miller" Signed-off-by: Mathias Krause Signed-off-by: Herbert Xu

crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks

2013-10-07T06:17:06Z

When comparing MAC hashes, AEAD authentication tags, or other hash values in the context of authentication or integrity checking, it is important not to leak timing information to a potential attacker, i.e. when communication happens over a network. Bytewise memory comparisons (such as memcmp) are usually optimized so that they return a nonzero value as soon as a mismatch is found. E.g, on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch and up to ~850 cyc for a full match (cold). This early-return behavior can leak timing information as a side channel, allowing an attacker to iteratively guess the correct result. This patch adds a new method crypto_memneq ("memory not equal to each other") to the crypto API that compares memory areas of the same length in roughly "constant time" (cache misses could change the timing, but since they don't reveal information about the content of the strings being compared, they are effectively benign). Iow, best and worst case behaviour take the same amount of time to complete (in contrast to memcmp). Note that crypto_memneq (unlike memcmp) can only be used to test for equality or inequality, NOT for lexicographical order. This, however, is not an issue for its use-cases within the crypto API. We tried to locate all of the places in the crypto API where memcmp was being used for authentication or integrity checking, and convert them over to crypto_memneq. crypto_memneq is declared noinline, placed in its own source file, and compiled with optimizations that might increase code size disabled ("Os") because a smart compiler (or LTO) might notice that the return value is always compared against zero/nonzero, and might then reintroduce the same early-return optimization that we are trying to avoid. Using #pragma or __attribute__ optimization annotations of the code for disabling optimization was avoided as it seems to be considered broken or unmaintained for long time in GCC [1]. Therefore, we work around that by specifying the compile flag for memneq.o directly in the Makefile. We found that this seems to be most appropriate. As we use ("Os"), this patch also provides a loop-free "fast-path" for frequently used 16 byte digests. Similarly to kernel library string functions, leave an option for future even further optimized architecture specific assembler implementations. This was a joint work of James Yonan and Daniel Borkmann. Also thanks for feedback from Florian Weimer on this and earlier proposals [2]. [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html [2] https://lkml.org/lkml/2013/2/10/131 Signed-off-by: James Yonan Signed-off-by: Daniel Borkmann Cc: Florian Weimer Signed-off-by: Herbert Xu

crypto: use ERR_CAST

2013-02-04T13:16:53Z

Replace PTR_ERR followed by ERR_PTR by ERR_CAST, to be more concise. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // @@ expression err,x; @@ - err = PTR_ERR(x); if (IS_ERR(x)) - return ERR_PTR(err); + return ERR_CAST(x); // Signed-off-by: Julia Lawall Signed-off-by: Herbert Xu

crypto: authenc - Fix crash with zero-length assoc data

2012-09-11T04:05:45Z

The authenc code doesn't deal with zero-length associated data correctly and ends up constructing a zero-length sg entry which causes a crash when it's fed into the crypto system. This patch fixes this by avoiding the code-path that triggers the SG construction if we have no associated data. This isn't the most optimal fix as it means that we'll end up using the fallback code-path even when we could still execute the digest function. However, this isn't a big deal as nobody but the test path would supply zero-length associated data. Reported-by: Romain Francoise Signed-off-by: Herbert Xu Tested-by: Romain Francoise