[PATCH v5 3/4] crypto: akcipher: add akcipher declarations needed by templates.
Add a struct akcipher_instance and struct akcipher_spawn similar to how AEAD declares them and the macros for converting to/from crypto_instance/crypto_spawn. Also add register functions to avoid exposing crypto_akcipher_type. Signed-off-by: Andrew Zaborowski --- v2: no changes since v1 v3: drop the new crypto_akcipher_type methods and add struct akcipher_instance v4: avoid exposing crypto_akcipher_type after all, add struct akcipher_spawn and utilities v5: add akcipher_instance.free --- crypto/akcipher.c | 39 - include/crypto/internal/akcipher.h | 60 ++ 2 files changed, 98 insertions(+), 1 deletion(-) diff --git a/crypto/akcipher.c b/crypto/akcipher.c index 120ec04..eef68e8 100644 --- a/crypto/akcipher.c +++ b/crypto/akcipher.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "internal.h" #ifdef CONFIG_NET @@ -75,9 +76,22 @@ static int crypto_akcipher_init_tfm(struct crypto_tfm *tfm) return 0; } +static void crypto_akcipher_free_instance(struct crypto_instance *inst) +{ + struct akcipher_instance *akcipher = akcipher_instance(inst); + + if (!akcipher->free) { + inst->tmpl->free(inst); + return; + } + + akcipher->free(akcipher); +} + static const struct crypto_type crypto_akcipher_type = { .extsize = crypto_alg_extsize, .init_tfm = crypto_akcipher_init_tfm, + .free = crypto_akcipher_free_instance, #ifdef CONFIG_PROC_FS .show = crypto_akcipher_show, #endif @@ -88,6 +102,14 @@ static const struct crypto_type crypto_akcipher_type = { .tfmsize = offsetof(struct crypto_akcipher, base), }; +int crypto_grab_akcipher(struct crypto_akcipher_spawn *spawn, const char *name, +u32 type, u32 mask) +{ + spawn->base.frontend = &crypto_akcipher_type; + return crypto_grab_spawn(&spawn->base, name, type, mask); +} +EXPORT_SYMBOL_GPL(crypto_grab_akcipher); + struct crypto_akcipher *crypto_alloc_akcipher(const char *alg_name, u32 type, u32 mask) { @@ -95,13 +117,20 @@ struct crypto_akcipher *crypto_alloc_akcipher(const char *alg_name, u32 type, } EXPORT_SYMBOL_GPL(crypto_alloc_akcipher); -int crypto_register_akcipher(struct akcipher_alg *alg) +static void akcipher_prepare_alg(struct akcipher_alg *alg) { struct crypto_alg *base = &alg->base; base->cra_type = &crypto_akcipher_type; base->cra_flags &= ~CRYPTO_ALG_TYPE_MASK; base->cra_flags |= CRYPTO_ALG_TYPE_AKCIPHER; +} + +int crypto_register_akcipher(struct akcipher_alg *alg) +{ + struct crypto_alg *base = &alg->base; + + akcipher_prepare_alg(alg); return crypto_register_alg(base); } EXPORT_SYMBOL_GPL(crypto_register_akcipher); @@ -112,5 +141,13 @@ void crypto_unregister_akcipher(struct akcipher_alg *alg) } EXPORT_SYMBOL_GPL(crypto_unregister_akcipher); +int akcipher_register_instance(struct crypto_template *tmpl, + struct akcipher_instance *inst) +{ + akcipher_prepare_alg(&inst->alg); + return crypto_register_instance(tmpl, akcipher_crypto_instance(inst)); +} +EXPORT_SYMBOL_GPL(akcipher_register_instance); + MODULE_LICENSE("GPL"); MODULE_DESCRIPTION("Generic public key cipher type"); diff --git a/include/crypto/internal/akcipher.h b/include/crypto/internal/akcipher.h index 9a2bda1..9e4103d 100644 --- a/include/crypto/internal/akcipher.h +++ b/include/crypto/internal/akcipher.h @@ -13,6 +13,22 @@ #ifndef _CRYPTO_AKCIPHER_INT_H #define _CRYPTO_AKCIPHER_INT_H #include +#include + +struct akcipher_instance { + void (*free)(struct akcipher_instance *inst); + union { + struct { + char head[offsetof(struct akcipher_alg, base)]; + struct crypto_instance base; + } s; + struct akcipher_alg alg; + }; +}; + +struct crypto_akcipher_spawn { + struct crypto_spawn base; +}; /* * Transform internal helpers. @@ -38,6 +54,38 @@ static inline const char *akcipher_alg_name(struct crypto_akcipher *tfm) return crypto_akcipher_tfm(tfm)->__crt_alg->cra_name; } +static inline struct crypto_instance *akcipher_crypto_instance( + struct akcipher_instance *inst) +{ + return container_of(&inst->alg.base, struct crypto_instance, alg); +} + +static inline struct akcipher_instance *akcipher_instance( + struct crypto_instance *inst) +{ + return container_of(&inst->alg, struct akcipher_instance, alg.base); +} + +int crypto_grab_akcipher(struct crypto_akcipher_spawn *spawn, const char *name, + u32 type, u32 mask); + +static inline void crypto_drop_akcipher(struct crypto_akcipher_spawn *spawn) +{ + crypto_drop_spawn(&spawn->base); +} + +static inline struct akcipher_alg *crypto_spawn_akcipher_alg( + s
[PATCH v5 4/4] crypto: RSA padding algorithm
This patch adds PKCS#1 v1.5 standard RSA padding as a separate template. This way an RSA cipher with padding can be obtained by instantiating "pkcs1pad(rsa)". The reason for adding this is that RSA is almost never used without this padding (or OAEP) so it will be needed for either certificate work in the kernel or the userspace, and I also hear that it is likely implemented by hardware RSA in which case hardware implementations of the whole of pkcs1pad(rsa) can be provided. Signed-off-by: Andrew Zaborowski --- v2: rename rsa-padding.c to rsa-pkcs1pad.c, use a memset instead of a loop, add a key size check in pkcs1pad_sign, add a general comment about pkcs1pad_verify v3: rewrite the initialisation to avoid an obsolete and less flexible mechanism, now following the aead template initialisation. v4: follow the aead template initialisation exactly. v5: use the instance .free, set no template .free. --- crypto/Makefile | 1 + crypto/rsa-pkcs1pad.c | 610 ++ crypto/rsa.c | 16 +- include/crypto/internal/rsa.h | 2 + 4 files changed, 628 insertions(+), 1 deletion(-) create mode 100644 crypto/rsa-pkcs1pad.c diff --git a/crypto/Makefile b/crypto/Makefile index f7aba92..2acdbbd 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -40,6 +40,7 @@ rsa_generic-y := rsapubkey-asn1.o rsa_generic-y += rsaprivkey-asn1.o rsa_generic-y += rsa.o rsa_generic-y += rsa_helper.o +rsa_generic-y += rsa-pkcs1pad.o obj-$(CONFIG_CRYPTO_RSA) += rsa_generic.o cryptomgr-y := algboss.o testmgr.o diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c new file mode 100644 index 000..d65e7f3 --- /dev/null +++ b/crypto/rsa-pkcs1pad.c @@ -0,0 +1,610 @@ +/* + * RSA padding templates. + * + * Copyright (c) 2015 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +struct pkcs1pad_ctx { + struct crypto_akcipher *child; + + unsigned int key_size; +}; + +struct pkcs1pad_request { + struct akcipher_request child_req; + + struct scatterlist in_sg[3], out_sg[2]; + uint8_t *in_buf, *out_buf; +}; + +static int pkcs1pad_set_pub_key(struct crypto_akcipher *tfm, const void *key, + unsigned int keylen) +{ + struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); + int err, size; + + err = crypto_akcipher_set_pub_key(ctx->child, key, keylen); + + if (!err) { + /* Find out new modulus size from rsa implementation */ + size = crypto_akcipher_maxsize(ctx->child); + + ctx->key_size = size > 0 ? size : 0; + if (size <= 0) + err = size; + } + + return err; +} + +static int pkcs1pad_set_priv_key(struct crypto_akcipher *tfm, const void *key, + unsigned int keylen) +{ + struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); + int err, size; + + err = crypto_akcipher_set_priv_key(ctx->child, key, keylen); + + if (!err) { + /* Find out new modulus size from rsa implementation */ + size = crypto_akcipher_maxsize(ctx->child); + + ctx->key_size = size > 0 ? size : 0; + if (size <= 0) + err = size; + } + + return err; +} + +static int pkcs1pad_get_max_size(struct crypto_akcipher *tfm) +{ + struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); + + /* +* The maximum destination buffer size for the encrypt/sign operations +* will be the same as for RSA, even though it's smaller for +* decrypt/verify. +*/ + + return ctx->key_size ?: -EINVAL; +} + +static void pkcs1pad_sg_set_buf(struct scatterlist *sg, void *buf, size_t len, + struct scatterlist *next) +{ + int nsegs = next ? 1 : 0; + + if (offset_in_page(buf) + len <= PAGE_SIZE) { + nsegs += 1; + sg_init_table(sg, nsegs); + sg_set_buf(sg, buf, len); + } else { + nsegs += 2; + sg_init_table(sg, nsegs); + sg_set_buf(sg + 0, buf, PAGE_SIZE - offset_in_page(buf)); + sg_set_buf(sg + 1, buf + PAGE_SIZE - offset_in_page(buf), + offset_in_page(buf) + len - PAGE_SIZE); + } + + if (next) + sg_chain(sg, nsegs, next); +} + +static int pkcs1pad_encrypt_sign_complete(struct akcipher_request *req, int err) +{ + struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req); + struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm); + struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req); +
[PATCH] hw_random: core, sleep interruptible in read
hwrng kthread can be waiting via hwrng_fillfn for some data from a rng like virtio-rng: hwrng D 880093e17798 0 382 2 0x ... Call Trace: [] wait_for_completion_killable+0x96/0x210 [] virtio_read+0x57/0xf0 [virtio_rng] [] hwrng_fillfn+0x75/0x130 [] kthread+0xf3/0x110 And when some user program tries to read the /dev node in this state, we get: rngdD 880093e17798 0 762 1 0x0004 ... Call Trace: [] mutex_lock_nested+0x15c/0x3e0 [] rng_dev_read+0x6e/0x240 [] __vfs_read+0x28/0xe0 [] vfs_read+0x83/0x130 And this is indeed unkillable. So use mutex_lock_interruptible instead of mutex_lock in rng_dev_read and exit immediatelly when interrupted. And possibly return already read data, if any (as POSIX allows). Signed-off-by: Jiri Slaby Cc: Matt Mackall Cc: Herbert Xu Cc: --- drivers/char/hw_random/core.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c index a064237ff362..f003df162e09 100644 --- a/drivers/char/hw_random/core.c +++ b/drivers/char/hw_random/core.c @@ -238,7 +238,10 @@ static ssize_t rng_dev_read(struct file *filp, char __user *buf, goto out; } - mutex_lock(&reading_mutex); + if (mutex_lock_interruptible(&reading_mutex)) { + err = -EINTR; + goto out_put; + } if (!data_avail) { bytes_read = rng_get_data(rng, rng_buffer, rng_buffer_size(), @@ -288,6 +291,7 @@ out: out_unlock_reading: mutex_unlock(&reading_mutex); +out_put: put_rng(rng); goto out; } -- 2.6.3 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] crypto: mxs-dcp - Initialize .statesize fields
Initialize .statesize fields in order to avoid the following error on probe: mxs-dcp 80028000.dcp: Failed to register sha1 hash! mxs-dcp: probe of 80028000.dcp failed with error -22 Cc: # 4.1+ Suggested-by: Stephan Mueller Signed-off-by: Fabio Estevam --- drivers/crypto/mxs-dcp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c index 59ed54e..e65d379 100644 --- a/drivers/crypto/mxs-dcp.c +++ b/drivers/crypto/mxs-dcp.c @@ -836,6 +836,7 @@ static struct ahash_alg dcp_sha1_alg = { .digest = dcp_sha_digest, .halg = { .digestsize = SHA1_DIGEST_SIZE, + .statesize = sizeof(struct sha1_state), .base = { .cra_name = "sha1", .cra_driver_name= "sha1-dcp", @@ -860,6 +861,7 @@ static struct ahash_alg dcp_sha256_alg = { .digest = dcp_sha_digest, .halg = { .digestsize = SHA256_DIGEST_SIZE, + .statesize = sizeof(struct sha256_state), .base = { .cra_name = "sha256", .cra_driver_name= "sha256-dcp", -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
ahash and halg.statesize
Hi Herbert, after Fabio's confirmation on the mxs-dcp ahash implementations, I briefly looked for the invocation of crypto_register_ahash and found numerous invocations. After taking two examples (sahara, n2), I did not find halg.statesize. Thus, I would conclude that none of these ciphers would work currently. I am currently not sure how to solve that issue as every ahash implementation must be assessed for its statesize. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: mxs-dcp: Failed to register sha1 hash
On Thursday, November 26, 2015 at 04:38:01 PM, Fabio Estevam wrote: > Hi Stephan, > > On Thu, Nov 26, 2015 at 1:25 PM, Stephan Mueller wrote: > > Briefly looking into drivers/crypto/mxs-dcp.c, it is an ahash and does > > not contain halg.statesize in the algo definitions. Thus it looks very > > much like the same issue that I see with ghash. > > Thanks for your suggestion! > > You are right: this makes the error goes away: > > --- a/drivers/crypto/mxs-dcp.c > +++ b/drivers/crypto/mxs-dcp.c > @@ -836,6 +836,7 @@ static struct ahash_alg dcp_sha1_alg = { > .digest = dcp_sha_digest, > .halg = { > .digestsize = SHA1_DIGEST_SIZE, > + .statesize = sizeof(struct sha1_state), > .base = { > .cra_name = "sha1", > .cra_driver_name= "sha1-dcp", > @@ -860,6 +861,7 @@ static struct ahash_alg dcp_sha256_alg = { > .digest = dcp_sha_digest, > .halg = { > .digestsize = SHA256_DIGEST_SIZE, > + .statesize = sizeof(struct sha256_state), > .base = { > .cra_name = "sha256", > .cra_driver_name= "sha256-dcp", > > > Will submit it as a formal patch. Excellent, thank you! Best regards, Marek Vasut -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: mxs-dcp: Failed to register sha1 hash
Hi Stephan, On Thu, Nov 26, 2015 at 1:25 PM, Stephan Mueller wrote: > Briefly looking into drivers/crypto/mxs-dcp.c, it is an ahash and does not > contain halg.statesize in the algo definitions. Thus it looks very much like > the same issue that I see with ghash. Thanks for your suggestion! You are right: this makes the error goes away: --- a/drivers/crypto/mxs-dcp.c +++ b/drivers/crypto/mxs-dcp.c @@ -836,6 +836,7 @@ static struct ahash_alg dcp_sha1_alg = { .digest = dcp_sha_digest, .halg = { .digestsize = SHA1_DIGEST_SIZE, + .statesize = sizeof(struct sha1_state), .base = { .cra_name = "sha1", .cra_driver_name= "sha1-dcp", @@ -860,6 +861,7 @@ static struct ahash_alg dcp_sha256_alg = { .digest = dcp_sha_digest, .halg = { .digestsize = SHA256_DIGEST_SIZE, + .statesize = sizeof(struct sha256_state), .base = { .cra_name = "sha256", .cra_driver_name= "sha256-dcp", Will submit it as a formal patch. Thanks! -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: mxs-dcp: Failed to register sha1 hash
Am Donnerstag, 26. November 2015, 13:14:12 schrieb Fabio Estevam: Hi Fabio, > Hi, > > On kernel 4.1.13 and also on 4.4.0-rc2-next-20151126 I see the > following error on mx28: > > [2.245453] mxs-dcp 80028000.dcp: Failed to register sha1 hash! > [2.253928] mxs-dcp: probe of 80028000.dcp failed with error -22 > > Does anyone have any idea how to fix this? Briefly looking into drivers/crypto/mxs-dcp.c, it is an ahash and does not contain halg.statesize in the algo definitions. Thus it looks very much like the same issue that I see with ghash. -- Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
mxs-dcp: Failed to register sha1 hash
Hi, On kernel 4.1.13 and also on 4.4.0-rc2-next-20151126 I see the following error on mx28: [2.245453] mxs-dcp 80028000.dcp: Failed to register sha1 hash! [2.253928] mxs-dcp: probe of 80028000.dcp failed with error -22 Does anyone have any idea how to fix this? Thanks, Fabio Estevam -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: ghash-clmulni: does not load
Am Donnerstag, 26. November 2015, 13:45:26 schrieb Stephan Mueller: Hi, >Hi Tadeusz, > >testing the current cryptodev-2.6 tree, ghash-clmulni does not load. In the >init function > > err = crypto_register_ahash(&ghash_async_alg); > >returns EINVAL. It looks like the halg.statesize is missing. When I add that field, the insmod works. But I do not know which statesize is needed to provide a full patch. Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
ghash-clmulni: does not load
Hi Tadeusz, testing the current cryptodev-2.6 tree, ghash-clmulni does not load. In the init function err = crypto_register_ahash(&ghash_async_alg); returns EINVAL. Any ideas? -- Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4 4/4] crypto: RSA padding algorithm
Andrew Zaborowski wrote: > > +struct crypto_template rsa_pkcs1pad_tmpl = { > + .name = "pkcs1pad", > + .create = pkcs1pad_create, > + .free = pkcs1pad_free, Please use inst->free instead (crypto/gcm.c is a good example). BTW the first two patches are fine so you don't have to post them. Thanks, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v3 5/5] crypto: AES CBC multi-buffer glue code
On Tue, Nov 24, 2015 at 10:30:06AM -0800, Tim Chen wrote: > > On the decrypt path, we don't need to use multi-buffer algorithm > as aes-cbc decrypt can be parallelized inherently on a single > request. So most of the time the outer layer algorithm > cbc_mb_async_ablk_decrypt can bypass mcryptd and > invoke mb_aes_cbc_decrypt synchronously > to do aes_cbc_dec when fpu is available. > This avoids the overhead of going through mcryptd. Hence > the use of blkcipher on the inner layer. For the mcryptd > path, we will complete a decrypt request in one shot so > blkcipher usage should be fine. I think there is a misunderstanding here. Just because you're using/exporting through the ablkcipher interface doesn't mean that you are asynchrounous. For example, all blkcipher algorithms can be accessed through the ablkcipher interface and they of course remain synchrounous. So I don't see how using an ablkcipher in the inner layer changes anything at all. You can still return immediately and not bother with completion functions when you are synchrounous. Cheers, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html