Diffstat (limited to 'crypto')
76 files changed, 4030 insertions, 6052 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig index 2e5b195b1b06..103d1f58cb7c 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -2,8 +2,6 @@ # # Generic algorithms support # -config XOR_BLOCKS - tristate # # async_tx api: hardware offloaded memory transfer/transform support @@ -25,7 +23,7 @@ menu "Crypto core or helper" config CRYPTO_FIPS bool "FIPS 200 compliance" - depends on CRYPTO_DRBG && CRYPTO_SELFTESTS + depends on CRYPTO_DRBG=y && CRYPTO_SELFTESTS depends on (MODULE_SIG || !MODULES) help This option enables the fips boot option which is @@ -109,10 +107,6 @@ config CRYPTO_RNG2 tristate select CRYPTO_ALGAPI2 -config CRYPTO_RNG_DEFAULT - tristate - select CRYPTO_DRBG_MENU - config CRYPTO_AKCIPHER2 tristate select CRYPTO_ALGAPI2 @@ -141,12 +135,6 @@ config CRYPTO_ACOMP select CRYPTO_ALGAPI select CRYPTO_ACOMP2 -config CRYPTO_HKDF - tristate - select CRYPTO_SHA256 if CRYPTO_SELFTESTS - select CRYPTO_SHA512 if CRYPTO_SELFTESTS - select CRYPTO_HASH2 - config CRYPTO_MANAGER tristate default CRYPTO_ALGAPI if CRYPTO_SELFTESTS @@ -157,19 +145,20 @@ config CRYPTO_MANAGER config CRYPTO_MANAGER2 def_tristate CRYPTO_MANAGER || (CRYPTO_MANAGER!=n && CRYPTO_ALGAPI=y) - select CRYPTO_ACOMP2 - select CRYPTO_AEAD2 - select CRYPTO_AKCIPHER2 - select CRYPTO_SIG2 - select CRYPTO_HASH2 - select CRYPTO_KPP2 - select CRYPTO_RNG2 - select CRYPTO_SKCIPHER2 + select CRYPTO_ACOMP2 if CRYPTO_SELFTESTS + select CRYPTO_AEAD2 if CRYPTO_SELFTESTS + select CRYPTO_AKCIPHER2 if CRYPTO_SELFTESTS + select CRYPTO_SIG2 if CRYPTO_SELFTESTS + select CRYPTO_HASH2 if CRYPTO_SELFTESTS + select CRYPTO_KPP2 if CRYPTO_SELFTESTS + select CRYPTO_RNG2 if CRYPTO_SELFTESTS + select CRYPTO_SKCIPHER2 if CRYPTO_SELFTESTS config CRYPTO_USER tristate "Userspace cryptographic algorithm configuration" depends on NET select CRYPTO_MANAGER + select CRYPTO_RNG help Userspace configuration for cryptographic instantiations such as cbc(aes). 
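Review bot: The `depends on CRYPTO_DRBG=y` line under CRYPTO_FIPS now requires the DRBG to be built in rather than modular, but the help text that follows it (`This option enables the fips boot option which is`) is not touched in this hunk and still reads as if any DRBG configuration suffices. A sentence such as `The DRBG must be built in (CRYPTO_DRBG=y), presumably so the fips boot option has a DRBG available before modules can load` would make the tightened requirement visible to anyone hitting the unsatisfied dependency. The new `select CRYPTO_RNG` under CRYPTO_USER is likewise unexplained and does not follow from that option's help text; a trailing comment naming what in crypto_user needs an RNG would help the next reader.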
@@ -224,6 +213,7 @@ config CRYPTO_PCRYPT config CRYPTO_CRYPTD tristate "Software async crypto daemon" + select CRYPTO_AEAD select CRYPTO_SKCIPHER select CRYPTO_HASH select CRYPTO_MANAGER @@ -257,7 +247,10 @@ config CRYPTO_KRB5ENC config CRYPTO_BENCHMARK tristate "Crypto benchmarking module" depends on m || EXPERT + select CRYPTO_AEAD + select CRYPTO_HASH select CRYPTO_MANAGER + select CRYPTO_SKCIPHER help Quick & dirty crypto benchmarking module. @@ -267,10 +260,16 @@ config CRYPTO_BENCHMARK config CRYPTO_SIMD tristate + select CRYPTO_AEAD select CRYPTO_CRYPTD config CRYPTO_ENGINE tristate + select CRYPTO_AEAD + select CRYPTO_AKCIPHER + select CRYPTO_HASH + select CRYPTO_KPP + select CRYPTO_SKCIPHER endmenu @@ -296,7 +295,6 @@ config CRYPTO_DH config CRYPTO_DH_RFC7919_GROUPS bool "RFC 7919 FFDHE groups" depends on CRYPTO_DH - select CRYPTO_RNG_DEFAULT help FFDHE (Finite-Field-based Diffie-Hellman Ephemeral) groups defined in RFC7919. @@ -308,7 +306,6 @@ config CRYPTO_DH_RFC7919_GROUPS config CRYPTO_ECC tristate - select CRYPTO_RNG_DEFAULT config CRYPTO_ECDH tristate "ECDH (Elliptic Curve Diffie-Hellman)" @@ -344,6 +341,15 @@ config CRYPTO_ECRDSA One of the Russian cryptographic standard algorithms (called GOST algorithms). Only signature verification is implemented. +config CRYPTO_MLDSA + tristate "ML-DSA (Module-Lattice-Based Digital Signature Algorithm)" + select CRYPTO_SIG + select CRYPTO_LIB_MLDSA + help + ML-DSA (Module-Lattice-Based Digital Signature Algorithm) (FIPS-204). + + Only signature verification is implemented. + endmenu menu "Block ciphers" @@ -352,6 +358,8 @@ config CRYPTO_AES tristate "AES (Advanced Encryption Standard)" select CRYPTO_ALGAPI select CRYPTO_LIB_AES + select CRYPTO_LIB_AES_CBC_MACS if CRYPTO_CMAC || CRYPTO_XCBC || CRYPTO_CCM + select CRYPTO_HASH if CRYPTO_CMAC || CRYPTO_XCBC || CRYPTO_CCM help AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3) 
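Review bot: The new `select CRYPTO_LIB_AES_CBC_MACS if CRYPTO_CMAC || CRYPTO_XCBC || CRYPTO_CCM` sits under CRYPTO_AES, so it only fires when CRYPTO_AES itself is enabled; if any of CMAC, XCBC or CCM can be enabled without CRYPTO_AES (their entries are not in this hunk), the library goes unselected and the consumer fails to link. Putting `select CRYPTO_LIB_AES_CBC_MACS` on each of the three consumers is the more robust shape, or a comment on the CRYPTO_AES line should state why those consumers are guaranteed to imply CRYPTO_AES. Separately, CRYPTO_ECC drops `select CRYPTO_RNG_DEFAULT` with nothing visible replacing it; if ecc.c still draws private-key randomness through the default RNG, the description should say what now guarantees one is built.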
@@ -366,27 +374,6 @@ config CRYPTO_AES The AES specifies three key sizes: 128, 192 and 256 bits -config CRYPTO_AES_TI - tristate "AES (Advanced Encryption Standard) (fixed time)" - select CRYPTO_ALGAPI - select CRYPTO_LIB_AES - help - AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3) - - This is a generic implementation of AES that attempts to eliminate - data dependent latencies as much as possible without affecting - performance too much. It is intended for use by the generic CCM - and GCM drivers, and other CTR or CMAC/XCBC based modes that rely - solely on encryption (although decryption is supported as well, but - with a more dramatic performance hit) - - Instead of using 16 lookup tables of 1 KB each, (8 for encryption and - 8 for decryption), this implementation only uses just two S-boxes of - 256 bytes each, and attempts to eliminate data dependent latencies by - prefetching the entire table into the cache at the start of each - block. Interrupts are also disabled to avoid races where cachelines - are evicted when the CPU is interrupted to do something else. - config CRYPTO_ANUBIS tristate "Anubis" depends on CRYPTO_USER_API_ENABLE_OBSOLETE @@ -601,9 +588,9 @@ menu "Length-preserving ciphers and modes" config CRYPTO_ADIANTUM tristate "Adiantum" select CRYPTO_CHACHA20 + select CRYPTO_LIB_NH select CRYPTO_LIB_POLY1305 select CRYPTO_LIB_POLY1305_GENERIC - select CRYPTO_NHPOLY1305 select CRYPTO_MANAGER help Adiantum tweakable, length-preserving encryption mode @@ -696,7 +683,7 @@ config CRYPTO_ECB config CRYPTO_HCTR2 tristate "HCTR2" select CRYPTO_XCTR - select CRYPTO_LIB_POLYVAL + select CRYPTO_LIB_GF128HASH select CRYPTO_MANAGER help HCTR2 length-preserving encryption mode 
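Review bot: Removing CRYPTO_AES_TI deletes the only generic AES option whose help text promises data-independent timing for the CCM/GCM/CTR/CMAC fallbacks, and nothing in this hunk says whether the `aes.o` that replaces `aes_generic.o` in the Makefile, or CRYPTO_LIB_AES, keeps that property. A sentence in the CRYPTO_AES help or the commit description stating which implementation now provides the fixed-time path would stop readers taking this as a side-channel regression. Existing `.config`s with CONFIG_CRYPTO_AES_TI=y also silently lose the symbol, which deserves a mention.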
@@ -759,12 +746,6 @@ config CRYPTO_XTS implementation currently can't handle a sectorsize which is not a multiple of 16 bytes. -config CRYPTO_NHPOLY1305 - tristate - select CRYPTO_HASH - select CRYPTO_LIB_POLY1305 - select CRYPTO_LIB_POLY1305_GENERIC - endmenu menu "AEAD (authenticated encryption with associated data) ciphers" @@ -772,7 +753,7 @@ menu "AEAD (authenticated encryption with associated data) ciphers" config CRYPTO_AEGIS128 tristate "AEGIS-128" select CRYPTO_AEAD - select CRYPTO_AES # for AES S-box tables + select CRYPTO_LIB_AES # for AES S-box tables help AEGIS-128 AEAD algorithm @@ -810,7 +791,7 @@ config CRYPTO_GCM tristate "GCM (Galois/Counter Mode) and GMAC (GCM MAC)" select CRYPTO_CTR select CRYPTO_AEAD - select CRYPTO_GHASH + select CRYPTO_LIB_GF128HASH select CRYPTO_MANAGER help GCM (Galois/Counter Mode) authenticated encryption mode and GMAC @@ -822,7 +803,6 @@ config CRYPTO_GENIV tristate select CRYPTO_AEAD select CRYPTO_MANAGER - select CRYPTO_RNG_DEFAULT config CRYPTO_SEQIV tristate "Sequence Number IV Generator" @@ -894,8 +874,6 @@ config CRYPTO_BLAKE2B - blake2b-384 - blake2b-512 - Used by the btrfs filesystem. - See https://blake2.net for further information. config CRYPTO_CMAC @@ -906,13 +884,6 @@ config CRYPTO_CMAC CMAC (Cipher-based Message Authentication Code) authentication mode (NIST SP800-38B and IETF RFC4493) -config CRYPTO_GHASH - tristate "GHASH" - select CRYPTO_HASH - select CRYPTO_LIB_GF128MUL - help - GCM GHASH function (NIST SP800-38D) - config CRYPTO_HMAC tristate "HMAC (Keyed-Hash MAC)" select CRYPTO_HASH 
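Review bot: CRYPTO_GENIV loses `select CRYPTO_RNG_DEFAULT` in this hunk with no replacement select; if, as the old select suggests, geniv.c still obtains its salt from the default RNG, the dependency becomes unexpressed and a config with CRYPTO_SEQIV but no DRBG would fail at instantiation time instead of at build time. Either the code was converted to another randomness source, in which case the description should say so, or `select CRYPTO_RNG` (as CRYPTO_USER gains in this same diff) belongs here. Dropping the user-visible CRYPTO_GHASH entry also removes the `ghash` name from Kconfig; if /proc/crypto or AF_ALG users rely on it, that is worth a note.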
@@ -936,18 +907,6 @@ config CRYPTO_MD5 help MD5 message digest algorithm (RFC1321), including HMAC support. -config CRYPTO_MICHAEL_MIC - tristate "Michael MIC" - select CRYPTO_HASH - help - Michael MIC (Message Integrity Code) (IEEE 802.11i) - - Defined by the IEEE 802.11i TKIP (Temporal Key Integrity Protocol), - known as WPA (Wif-Fi Protected Access). - - This algorithm is required for TKIP, but it should not be used for - other purposes because of the weakness of the algorithm. - config CRYPTO_RMD160 tristate "RIPEMD-160" select CRYPTO_HASH @@ -983,7 +942,6 @@ config CRYPTO_SHA256 10118-3), including HMAC support. This is required for IPsec AH (XFRM_AH) and IPsec ESP (XFRM_ESP). - Used by the btrfs filesystem, Ceph, NFS, and SMB. config CRYPTO_SHA512 tristate "SHA-384 and SHA-512" @@ -1000,7 +958,7 @@ config CRYPTO_SHA3 help SHA-3 secure hash algorithms (FIPS 202, ISO/IEC 10118-3) -config CRYPTO_SM3_GENERIC +config CRYPTO_SM3 tristate "SM3 (ShangMi 3)" select CRYPTO_HASH select CRYPTO_LIB_SM3 @@ -1057,8 +1015,6 @@ config CRYPTO_XXHASH Extremely fast, working at speeds close to RAM limits. - Used by the btrfs filesystem. - endmenu menu "CRCs (cyclic redundancy checks)" @@ -1076,8 +1032,6 @@ config CRYPTO_CRC32C on Communications, Vol. 41, No. 6, June 1993, selected for use with iSCSI. - Used by btrfs, ext4, jbd2, NVMeoF/TCP, and iSCSI. - config CRYPTO_CRC32 tristate "CRC32" select CRYPTO_HASH @@ -1085,8 +1039,6 @@ config CRYPTO_CRC32 help CRC32 CRC algorithm (IEEE 802.3) - Used by RoCEv2 and f2fs. - endmenu menu "Compression" @@ -1202,8 +1154,8 @@ endif # if CRYPTO_DRBG_MENU config CRYPTO_JITTERENTROPY tristate "CPU Jitter Non-Deterministic RNG (Random Number Generator)" + select CRYPTO_LIB_SHA3 select CRYPTO_RNG - select CRYPTO_SHA3 help CPU Jitter RNG (Random Number Generator) from the Jitterentropy library diff --git a/crypto/Makefile b/crypto/Makefile index 16a35649dd91..162242593c7c 100644 --- a/crypto/Makefile +++ b/crypto/Makefile 
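Review bot: Renaming `CRYPTO_SM3_GENERIC` to `CRYPTO_SM3` silently drops SM3 from any existing `.config` or defconfig that spells the old symbol, since Kconfig has no alias mechanism; the commit description should call this out, and in-tree defconfigs referencing the old name need updating in the same series. If CRYPTO_SM3 previously denoted a different (library) symbol, reusing the name also changes the meaning of stale `CONFIG_CRYPTO_SM3=y` lines, which deserves a sentence. The Michael MIC removal is fine only if the TKIP users carry their own implementation; a pointer to where that now lives would reassure reviewers.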
@@ -3,6 +3,8 @@ # Cryptographic API # +CONTEXT_ANALYSIS := y + obj-$(CONFIG_CRYPTO) += crypto.o crypto-y := api.o cipher.o @@ -34,7 +36,6 @@ obj-$(CONFIG_CRYPTO_HASH2) += crypto_hash.o obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o obj-$(CONFIG_CRYPTO_SIG2) += sig.o obj-$(CONFIG_CRYPTO_KPP2) += kpp.o -obj-$(CONFIG_CRYPTO_HKDF) += hkdf.o dh_generic-y := dh.o dh_generic-y += dh_helper.o @@ -60,6 +61,8 @@ ecdsa_generic-y += ecdsa-p1363.o ecdsa_generic-y += ecdsasignature.asn1.o obj-$(CONFIG_CRYPTO_ECDSA) += ecdsa_generic.o +obj-$(CONFIG_CRYPTO_MLDSA) += mldsa.o + crypto_acompress-y := acompress.o crypto_acompress-y += scompress.o obj-$(CONFIG_CRYPTO_ACOMP2) += crypto_acompress.o @@ -79,7 +82,7 @@ obj-$(CONFIG_CRYPTO_SHA1) += sha1.o obj-$(CONFIG_CRYPTO_SHA256) += sha256.o obj-$(CONFIG_CRYPTO_SHA512) += sha512.o obj-$(CONFIG_CRYPTO_SHA3) += sha3.o -obj-$(CONFIG_CRYPTO_SM3_GENERIC) += sm3_generic.o +obj-$(CONFIG_CRYPTO_SM3) += sm3.o obj-$(CONFIG_CRYPTO_STREEBOG) += streebog_generic.o obj-$(CONFIG_CRYPTO_WP512) += wp512.o CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 @@ -94,7 +97,6 @@ obj-$(CONFIG_CRYPTO_CTR) += ctr.o obj-$(CONFIG_CRYPTO_XCTR) += xctr.o obj-$(CONFIG_CRYPTO_HCTR2) += hctr2.o obj-$(CONFIG_CRYPTO_ADIANTUM) += adiantum.o -obj-$(CONFIG_CRYPTO_NHPOLY1305) += nhpoly1305.o obj-$(CONFIG_CRYPTO_GCM) += gcm.o obj-$(CONFIG_CRYPTO_CCM) += ccm.o obj-$(CONFIG_CRYPTO_CHACHA20POLY1305) += chacha20poly1305.o 
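Review bot: `CONTEXT_ANALYSIS := y` is added at the top of the Makefile without a comment, and nothing in the diff says what it enables; given the `__acquires(stream)` annotation removed from `crypto_acomp_lock_stream_bh` in acompress.c in this same diff, it presumably turns on compiler-side lock context analysis for the directory, but that should be stated rather than inferred. A one-line comment such as `# Enable compiler context (lock) analysis for this directory` above the assignment would make the link between this line and the annotation change explicit.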
@@ -131,11 +133,9 @@ obj-$(CONFIG_CRYPTO_TWOFISH) += twofish_generic.o obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += twofish_common.o obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o CFLAGS_serpent_generic.o := $(call cc-option,-fsched-pressure) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 -obj-$(CONFIG_CRYPTO_AES) += aes_generic.o -CFLAGS_aes_generic.o := $(call cc-option,-fno-code-hoisting) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356 +obj-$(CONFIG_CRYPTO_AES) += aes.o obj-$(CONFIG_CRYPTO_SM4) += sm4.o obj-$(CONFIG_CRYPTO_SM4_GENERIC) += sm4_generic.o -obj-$(CONFIG_CRYPTO_AES_TI) += aes_ti.o obj-$(CONFIG_CRYPTO_CAMELLIA) += camellia_generic.o obj-$(CONFIG_CRYPTO_CAST_COMMON) += cast_common.o obj-$(CONFIG_CRYPTO_CAST5) += cast5_generic.o @@ -149,7 +149,6 @@ obj-$(CONFIG_CRYPTO_ARIA) += aria_generic.o obj-$(CONFIG_CRYPTO_CHACHA20) += chacha.o CFLAGS_chacha.o += -DARCH=$(ARCH) obj-$(CONFIG_CRYPTO_DEFLATE) += deflate.o -obj-$(CONFIG_CRYPTO_MICHAEL_MIC) += michael_mic.o obj-$(CONFIG_CRYPTO_CRC32C) += crc32c-cryptoapi.o crc32c-cryptoapi-y := crc32c.o obj-$(CONFIG_CRYPTO_CRC32) += crc32-cryptoapi.o @@ -170,7 +169,6 @@ UBSAN_SANITIZE_jitterentropy.o = n jitterentropy_rng-y := jitterentropy.o jitterentropy-kcapi.o obj-$(CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE) += jitterentropy-testing.o obj-$(CONFIG_CRYPTO_BENCHMARK) += tcrypt.o -obj-$(CONFIG_CRYPTO_GHASH) += ghash-generic.o obj-$(CONFIG_CRYPTO_USER_API) += af_alg.o obj-$(CONFIG_CRYPTO_USER_API_HASH) += algif_hash.o obj-$(CONFIG_CRYPTO_USER_API_SKCIPHER) += algif_skcipher.o @@ -195,7 +193,6 @@ obj-$(CONFIG_CRYPTO_ECRDSA) += ecrdsa_generic.o # # generic algorithms and the async_tx api # -obj-$(CONFIG_XOR_BLOCKS) += xor.o obj-$(CONFIG_ASYNC_CORE) += async_tx/ obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys/ crypto_simd-y := simd.o diff --git a/crypto/acompress.c b/crypto/acompress.c index be28cbfd22e3..6025c1acce49 100644 --- a/crypto/acompress.c +++ b/crypto/acompress.c 
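Review bot: Replacing `aes_generic.o` with `aes.o` also drops `CFLAGS_aes_generic.o := $(call cc-option,-fno-code-hoisting)`, the workaround for GCC bug 83356, without a corresponding line for the new object; if aes.c still carries the table-driven code that triggered the miscompile, the workaround should move with it as `CFLAGS_aes.o := $(call cc-option,-fno-code-hoisting) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356`. If the new file is only a thin wrapper over CRYPTO_LIB_AES and the flag is no longer needed, a sentence in the description saying so would stop the next reader from re-adding it. The parallel `-fsched-pressure` workaround for serpent_generic.o is kept, so the asymmetry stands out.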
@@ -60,10 +60,8 @@ static int __maybe_unused crypto_acomp_report(
 	return nla_put(skb, CRYPTOCFGA_REPORT_ACOMP, sizeof(racomp), &racomp);
 }
 
-static void crypto_acomp_show(struct seq_file *m, struct crypto_alg *alg)
-	__maybe_unused;
-
-static void crypto_acomp_show(struct seq_file *m, struct crypto_alg *alg)
+static void __maybe_unused crypto_acomp_show(struct seq_file *m,
+					     struct crypto_alg *alg)
 {
 	seq_puts(m, "type : acomp\n");
 }
@@ -171,15 +169,13 @@ static void acomp_save_req(struct acomp_req *req, crypto_completion_t cplt)
 	state->compl = req->base.complete;
 	state->data = req->base.data;
 	req->base.complete = cplt;
-	req->base.data = state;
+	req->base.data = req;
 }
 
 static void acomp_restore_req(struct acomp_req *req)
 {
-	struct acomp_req_chain *state = req->base.data;
-
-	req->base.complete = state->compl;
-	req->base.data = state->data;
+	req->base.complete = req->chain.compl;
+	req->base.data = req->chain.data;
 }
 
 static void acomp_reqchain_virt(struct acomp_req *req)
@@ -337,17 +333,13 @@ int crypto_register_acomps(struct acomp_alg *algs, int count)
 
 	for (i = 0; i < count; i++) {
 		ret = crypto_register_acomp(&algs[i]);
-		if (ret)
-			goto err;
+		if (ret) {
+			crypto_unregister_acomps(algs, i);
+			return ret;
+		}
 	}
 
 	return 0;
-
-err:
-	for (--i; i >= 0; --i)
-		crypto_unregister_acomp(&algs[i]);
-
-	return ret;
 }
 EXPORT_SYMBOL_GPL(crypto_register_acomps);
 
@@ -449,8 +441,8 @@ int crypto_acomp_alloc_streams(struct crypto_acomp_streams *s)
 }
 EXPORT_SYMBOL_GPL(crypto_acomp_alloc_streams);
 
-struct crypto_acomp_stream *crypto_acomp_lock_stream_bh(
-	struct crypto_acomp_streams *s) __acquires(stream)
+struct crypto_acomp_stream *_crypto_acomp_lock_stream_bh(
+	struct crypto_acomp_streams *s)
 {
 	struct crypto_acomp_stream __percpu *streams = s->streams;
 	int cpu = raw_smp_processor_id();
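Review bot: acomp_save_req still writes the saved completion into `state->compl` and `state->data` on the context lines, while the rewritten acomp_restore_req reads them back from `req->chain.compl` and `req->chain.data`; the two only agree if `state` is `&req->chain`, and that definition is above the hunk (acomp_save_req starts outside it). If `state` still points at a separate `struct acomp_req_chain`, restore would read stale fields and complete the wrong callback, so that initialisation should be checked, or the save side made visibly symmetric: `req->chain.compl = req->base.complete; req->chain.data = req->base.data;`. In crypto_register_acomps the new early-return path looks correct as far as the hunk shows, since `crypto_unregister_acomps(algs, i)` covers exactly the `i` entries registered so far.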
@@ -469,7 +461,7 @@ struct crypto_acomp_stream *crypto_acomp_lock_stream_bh(
 	spin_lock(&ps->lock);
 	return ps;
 }
-EXPORT_SYMBOL_GPL(crypto_acomp_lock_stream_bh);
+EXPORT_SYMBOL_GPL(_crypto_acomp_lock_stream_bh);
 
 void acomp_walk_done_src(struct acomp_walk *walk, int used)
 {
diff --git a/crypto/adiantum.c b/crypto/adiantum.c
index a6bca877c3c7..5ddf585abb66 100644
--- a/crypto/adiantum.c
+++ b/crypto/adiantum.c
@@ -20,23 +20,14 @@
  *
  * - Stream cipher: XChaCha12 or XChaCha20
  * - Block cipher: any with a 128-bit block size and 256-bit key
- *
- * This implementation doesn't currently allow other ε-∆U hash functions, i.e.
- * HPolyC is not supported. This is because Adiantum is ~20% faster than HPolyC
- * but still provably as secure, and also the ε-∆U hash function of HBSH is
- * formally defined to take two inputs (tweak, message) which makes it difficult
- * to wrap with the crypto_shash API. Rather, some details need to be handled
- * here. Nevertheless, if needed in the future, support for other ε-∆U hash
- * functions could be added here.
  */
 
 #include <crypto/b128ops.h>
 #include <crypto/chacha.h>
 #include <crypto/internal/cipher.h>
-#include <crypto/internal/hash.h>
 #include <crypto/internal/poly1305.h>
 #include <crypto/internal/skcipher.h>
-#include <crypto/nhpoly1305.h>
+#include <crypto/nh.h>
 #include <crypto/scatterwalk.h>
 #include <linux/module.h>
 
@@ -50,7 +41,7 @@
 #define BLOCKCIPHER_KEY_SIZE	32
 
 /* Size of the hash key (K_H) in bytes */
-#define HASH_KEY_SIZE		(POLY1305_BLOCK_SIZE + NHPOLY1305_KEY_SIZE)
+#define HASH_KEY_SIZE		(2 * POLY1305_BLOCK_SIZE + NH_KEY_BYTES)
 
 /*
  * The specification allows variable-length tweaks, but Linux's crypto API
@@ -64,43 +55,40 @@ struct adiantum_instance_ctx {
 	struct crypto_skcipher_spawn streamcipher_spawn; |
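Review bot: `HASH_KEY_SIZE` changes from `(POLY1305_BLOCK_SIZE + NHPOLY1305_KEY_SIZE)` to `(2 * POLY1305_BLOCK_SIZE + NH_KEY_BYTES)` with no comment on the sub-key layout; the byte count is unchanged only if NHPOLY1305_KEY_SIZE was itself one Poly1305 key plus the NH key, which the hunk does not show, and any change in size or order here alters how the derived key stream is split and therefore the ciphertext seen by existing users. A comment above the define such as `/* K_H = Poly1305 tweak key || Poly1305 message key || NH key */`, plus a sentence in the description confirming the total is unchanged and checked against the existing test vectors, would make that invariant explicit.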
