From 629e805588a2ec7f85964fa96fa94d10a2ffe2d4 Mon Sep 17 00:00:00 2001 From: Stephan Mueller Date: Sat, 31 May 2014 17:22:31 +0200 Subject: crypto: drbg - DRBG kernel configuration options The different DRBG types of CTR, Hash, HMAC can be enabled or disabled at compile time. At least one DRBG type shall be selected. The default is the HMAC DRBG as its code base is smallest. Signed-off-by: Stephan Mueller Signed-off-by: Herbert Xu
---
 crypto/Kconfig | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
(limited to 'crypto/Kconfig')
diff --git a/crypto/Kconfig b/crypto/Kconfig
index ce4012a5..c9c1cd91 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -23,7 +23,7 @@ comment "Crypto core or helper"
 config CRYPTO_FIPS
 bool "FIPS 200 compliance"
- depends on CRYPTO_ANSI_CPRNG && !CRYPTO_MANAGER_DISABLE_TESTS
+ depends on (CRYPTO_ANSI_CPRNG || CRYTPO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
 help
 This options enables the fips boot option which is required if you want to system to operate in a FIPS 200
@@ -1380,6 +1380,40 @@ config CRYPTO_ANSI_CPRNG
 ANSI X9.31 A.2.4. Note that this option must be enabled if CRYPTO_FIPS is selected
+menuconfig CRYTPO_DRBG
+ tristate "NIST SP800-90A DRBG"
+ depends on CRYPTO
+ select CRYPTO_RNG
+ help
+ NIST SP800-90A compliant DRBG. In the following submenu, one or
+ more of the DRBG types must be selected.
+
+if CRYTPO_DRBG
+
+config CRYPTO_DRBG_HMAC
+ bool "Enable HMAC DRBG"
+ default y
+ depends on CRYTPO_DRBG
+ select CRYPTO_HMAC
+ help
+ Enable the HMAC DRBG variant as defined in NIST SP800-90A.
+
+config CRYPTO_DRBG_HASH
+ bool "Enable Hash DRBG"
+ depends on CRYTPO_DRBG
+ select CRYPTO_HASH
+ help
+ Enable the Hash DRBG variant as defined in NIST SP800-90A.
+
+config CRYPTO_DRBG_CTR
+ bool "Enable CTR DRBG"
+ depends on CRYTPO_DRBG
+ select CRYPTO_AES
+ help
+ Enable the CTR DRBG variant as defined in NIST SP800-90A.
+
+endif #CRYTPO_DRBG
+
 config CRYPTO_USER_API
 tristate
-- 
cgit v1.2.3
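Review bot: The symbol added to the `depends on` line is misspelled, `CRYTPO_DRBG` for `CRYPTO_DRBG`; it resolves only because the menuconfig in the second hunk carries the same typo, and every other reference has to reproduce it (the Makefile hunk further down this page shows exactly that with `obj-$(CONFIG_CRYTPO_DRBG)`). Rename it to `CRYPTO_DRBG` in both hunks of this file; commit ed2657ea later on this page does that rename, so it is already in flight.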
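Review bot: Nothing in the new menu enforces the commit message's rule that at least one DRBG type is selected: `CRYPTO_DRBG_HMAC` only defaults to y, and with all three bools switched off `CRYTPO_DRBG` (and, through the first hunk, `CRYPTO_FIPS`) can still be enabled, so a FIPS configuration may be built with no DRBG at all. A hidden symbol that takes the menu's value only when one of the three types is set, with the Makefile and `CRYPTO_FIPS` keyed off that symbol instead of the menu, closes the gap; commit ed2657ea later on this page introduces such a `config CRYPTO_DRBG` block. Separately, the three `depends on CRYTPO_DRBG` lines are redundant inside the `if CRYTPO_DRBG` … `endif` region and can be dropped, and `depends on CRYPTO` is redundant if, as is usual for this file, the surrounding options already sit under `if CRYPTO`.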
From 03fc7a553be0516290a2bdd1221c8e5f8cee6438 Mon Sep 17 00:00:00 2001 From: Jussi Kivilinna Date: Mon, 9 Jun 2014 20:59:54 +0300 Subject: crypto: des_3des - add x86-64 assembly implementation Patch adds x86_64 assembly implementation of Triple DES EDE cipher algorithm. Two assembly implementations are provided. First is regular 'one-block at time' encrypt/decrypt function. Second is 'three-blocks at time' function that gains performance increase on out-of-order CPUs. tcrypt test results: Intel Core i5-4570: des3_ede-asm vs des3_ede-generic: size ecb-enc ecb-dec cbc-enc cbc-dec ctr-enc ctr-dec 16B 1.21x 1.22x 1.27x 1.36x 1.25x 1.25x 64B 1.98x 1.96x 1.23x 2.04x 2.01x 2.00x 256B 2.34x 2.37x 1.21x 2.40x 2.38x 2.39x 1024B 2.50x 2.47x 1.22x 2.51x 2.52x 2.51x 8192B 2.51x 2.53x 1.21x 2.56x 2.54x 2.55x Signed-off-by: Jussi Kivilinna Signed-off-by: Herbert Xu
---
 crypto/Kconfig | 13 +++++++++++++
 crypto/des_generic.c | 22 +++++++++++++++++-----
 2 files changed, 30 insertions(+), 5 deletions(-)
(limited to 'crypto/Kconfig')
diff --git a/crypto/Kconfig b/crypto/Kconfig
index c9c1cd91..025c5108 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -1019,6 +1019,19 @@ config CRYPTO_DES_SPARC64
 DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3), optimized using SPARC64 crypto opcodes.
+config CRYPTO_DES3_EDE_X86_64
+ tristate "Triple DES EDE cipher algorithm (x86-64)"
+ depends on X86 && 64BIT
+ select CRYPTO_ALGAPI
+ select CRYPTO_DES
+ help
+ Triple DES EDE (FIPS 46-3) algorithm.
+
+ This module provides implementation of the Triple DES EDE cipher
+ algorithm that is optimized for x86-64 processors. Two versions of
+ algorithm are provided; regular processing one input block and
+ one that processes three blocks parallel.
+
 config CRYPTO_FCRYPT
 tristate "FCrypt cipher algorithm"
 select CRYPTO_ALGAPI
diff --git a/crypto/des_generic.c b/crypto/des_generic.c
index f6cf63f8..298d464a 100644
--- a/crypto/des_generic.c
+++ b/crypto/des_generic.c
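Review bot: The help text of `CRYPTO_DES3_EDE_X86_64` reads awkwardly where it describes the two code paths; suggest replacing its last three lines with `Two versions of the algorithm are provided: one that processes a single input block at a time and one that processes three blocks in parallel.` The option's dependencies (`depends on X86 && 64BIT`, `select CRYPTO_DES`) are consistent with it reusing the generic key schedule exported in the des_generic.c part of this commit.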
@@ -859,13 +859,10 @@ static void des_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
 * property.
 *
 */
-static int des3_ede_setkey(struct crypto_tfm *tfm, const u8 *key,
- unsigned int keylen)
+int __des3_ede_setkey(u32 *expkey, u32 *flags, const u8 *key,
+ unsigned int keylen)
 {
 const u32 *K = (const u32 *)key;
- struct des3_ede_ctx *dctx = crypto_tfm_ctx(tfm);
- u32 *expkey = dctx->expkey;
- u32 *flags = &tfm->crt_flags;
 if (unlikely(!((K[0] ^ K[2]) | (K[1] ^ K[3])) ||
 !((K[2] ^ K[4]) | (K[3] ^ K[5]))) &&
@@ -880,6 +877,17 @@ static int des3_ede_setkey(struct crypto_tfm *tfm, const u8 *key,
 return 0;
 }
+EXPORT_SYMBOL_GPL(__des3_ede_setkey);
+
+static int des3_ede_setkey(struct crypto_tfm *tfm, const u8 *key,
+ unsigned int keylen)
+{
+ struct des3_ede_ctx *dctx = crypto_tfm_ctx(tfm);
+ u32 *flags = &tfm->crt_flags;
+ u32 *expkey = dctx->expkey;
+
+ return __des3_ede_setkey(expkey, flags, key, keylen);
+}
 static void des3_ede_encrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
 {
@@ -945,6 +953,8 @@ static void des3_ede_decrypt(struct crypto_tfm *tfm, u8 *dst, const u8 *src)
 static struct crypto_alg des_algs[2] = { {
 .cra_name = "des",
+ .cra_driver_name = "des-generic",
+ .cra_priority = 100,
 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
 .cra_blocksize = DES_BLOCK_SIZE,
 .cra_ctxsize = sizeof(struct des_ctx),
@@ -958,6 +968,8 @@ static struct crypto_alg des_algs[2] = { {
 .cia_decrypt = des_decrypt } } }, {
 .cra_name = "des3_ede",
+ .cra_driver_name = "des3_ede-generic",
+ .cra_priority = 100,
 .cra_flags = CRYPTO_ALG_TYPE_CIPHER,
 .cra_blocksize = DES3_EDE_BLOCK_SIZE,
 .cra_ctxsize = sizeof(struct des3_ede_ctx),
-- 
cgit v1.2.3
From 8d01107c9e31440450e6a9e512f55dca06a0c9b6 Mon Sep 17 00:00:00 2001
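Review bot: `__des3_ede_setkey` is now a non-static, exported entry point but has no kernel-doc stating its contract, and the visible lines read `K[0]` through `K[5]` from `key` before anything examines `keylen`, so a caller that does not go through the crypto core's keysize limits would read past a short key. Add a comment above the definition such as `/* key must hold DES3_EDE_KEY_SIZE bytes; *flags is consulted for the weak-key request bit and updated when a weak key is rejected */` — the flag handling lies past the end of the hunk, so confirm that wording — or, if the function is meant to be safe to call directly, reject `keylen != DES3_EDE_KEY_SIZE` before touching `K`. The body of `__des3_ede_setkey` continues outside the hunk.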
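Review bot: The `EXPORT_SYMBOL_GPL(__des3_ede_setkey)` in the second hunk needs a matching prototype in a header shared with the x86-64 module this series adds; no such declaration is visible in what this page shows of the commit (the listing is limited to `crypto/`), so if it is not in the omitted part, the definition will trip `-Wmissing-prototypes` and the assembly glue would have to declare the function itself. The `des3_ede_setkey` wrapper below it is fine as written.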
From: Jarod Wilson Date: Wed, 2 Jul 2014 15:37:30 -0400 Subject: crypto: fips - only panic on bad/missing crypto mod signatures Per further discussion with NIST, the requirements for FIPS state that we only need to panic the system on failed kernel module signature checks for crypto subsystem modules. This moves the fips-mode-only module signature check out of the generic module loading code, into the crypto subsystem, at points where we can catch both algorithm module loads and mode module loads. At the same time, make CONFIG_CRYPTO_FIPS dependent on CONFIG_MODULE_SIG, as this is entirely necessary for FIPS mode. v2: remove extraneous blank line, perform checks in static inline function, drop no longer necessary fips.h include. CC: "David S. Miller" CC: Rusty Russell CC: Stephan Mueller Signed-off-by: Jarod Wilson Acked-by: Neil Horman Signed-off-by: Herbert Xu
---
 crypto/Kconfig | 1 +
 crypto/algapi.c | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
(limited to 'crypto/Kconfig')
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 025c5108..1dca374b 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -24,6 +24,7 @@ comment "Crypto core or helper"
 config CRYPTO_FIPS
 bool "FIPS 200 compliance"
 depends on (CRYPTO_ANSI_CPRNG || CRYTPO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
+ depends on MODULE_SIG
 help
 This options enables the fips boot option which is required if you want to system to operate in a FIPS 200
diff --git a/crypto/algapi.c b/crypto/algapi.c
index 7a1ae87f..e8d3a7dc 100644
--- a/crypto/algapi.c
+++ b/crypto/algapi.c
@@ -41,8 +41,20 @@ static inline int crypto_set_driver_name(struct crypto_alg *alg)
 return 0;
 }
+static inline void crypto_check_module_sig(struct module *mod)
+{
+#ifdef CONFIG_CRYPTO_FIPS
+ if (fips_enabled && mod && !mod->sig_ok)
+ panic("Module %s signature verification failed in FIPS mode\n",
+ mod->name);
+#endif
+ return;
+}
+
 static int crypto_check_alg(struct crypto_alg *alg)
 {
+ crypto_check_module_sig(alg->cra_module);
+
 if (alg->cra_alignmask & (alg->cra_alignmask + 1))
 return -EINVAL;
@@ -430,6 +442,8 @@ int crypto_register_template(struct crypto_template *tmpl)
 down_write(&crypto_alg_sem);
+ crypto_check_module_sig(tmpl->module);
+
 list_for_each_entry(q, &crypto_template_list, list) {
 if (q == tmpl)
 goto out;
-- 
cgit v1.2.3
From ed2657ea525ce62b2925dd70f5052e18095e0cf4 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Fri, 4 Jul 2014 22:15:08 +0800 Subject: crypto: drbg - Use Kconfig to ensure at least one RNG option is set This patch removes the build-time test that ensures at least one RNG is set. Instead we will simply not build drbg if no options are set through Kconfig. This also fixes a typo in the name of the Kconfig option CRYTPO_DRBG (should be CRYPTO_DRBG). Signed-off-by: Herbert Xu
---
 crypto/Kconfig | 18 +++++++++---------
 crypto/Makefile | 2 +-
 crypto/drbg.c | 6 ------
 3 files changed, 10 insertions(+), 16 deletions(-)
(limited to 'crypto/Kconfig')
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 1dca374b..6345c470 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -23,7 +23,7 @@ comment "Crypto core or helper"
 config CRYPTO_FIPS
 bool "FIPS 200 compliance"
- depends on (CRYPTO_ANSI_CPRNG || CRYTPO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
+ depends on (CRYPTO_ANSI_CPRNG || CRYPTO_DRBG) && !CRYPTO_MANAGER_DISABLE_TESTS
 depends on MODULE_SIG
 help
 This options enables the fips boot option which is
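Review bot: The trailing `return;` in `crypto_check_module_sig` is dead code in a void function and should be dropped, leaving the `#ifdef` block as the whole body. The helper also deserves a comment, because its placement decides what it protects: it is invoked from `crypto_check_alg`, which by its name runs at algorithm registration, so an unsigned module's own init code has already executed before `panic()` fires, and `mod == NULL` (built-in code) is skipped entirely. Suggested wording: `/* FIPS: a module whose signature did not verify may load, but must never register an algorithm or template. Built-in code (mod == NULL) is trusted. */`.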
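Review bot: In `crypto_register_template` the new `crypto_check_module_sig(tmpl->module);` sits after `down_write(&crypto_alg_sem);`, whereas in `crypto_check_alg` the same check is the first statement; it reads only `tmpl->module`, so move it above the `down_write()` so that both call sites fail before taking any lock and the panic path is identical in both. `crypto_register_template` begins outside the hunk.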
@@ -1394,39 +1394,39 @@ config CRYPTO_ANSI_CPRNG
 ANSI X9.31 A.2.4. Note that this option must be enabled if CRYPTO_FIPS is selected
-menuconfig CRYTPO_DRBG
+menuconfig CRYPTO_DRBG_MENU
 tristate "NIST SP800-90A DRBG"
- depends on CRYPTO
- select CRYPTO_RNG
 help
 NIST SP800-90A compliant DRBG. In the following submenu, one or more of the DRBG types must be selected.
-if CRYTPO_DRBG
+if CRYPTO_DRBG_MENU
 config CRYPTO_DRBG_HMAC
 bool "Enable HMAC DRBG"
 default y
- depends on CRYTPO_DRBG
 select CRYPTO_HMAC
 help
 Enable the HMAC DRBG variant as defined in NIST SP800-90A.
 config CRYPTO_DRBG_HASH
 bool "Enable Hash DRBG"
- depends on CRYTPO_DRBG
 select CRYPTO_HASH
 help
 Enable the Hash DRBG variant as defined in NIST SP800-90A.
 config CRYPTO_DRBG_CTR
 bool "Enable CTR DRBG"
- depends on CRYTPO_DRBG
 select CRYPTO_AES
 help
 Enable the CTR DRBG variant as defined in NIST SP800-90A.
-endif #CRYTPO_DRBG
+config CRYPTO_DRBG
+ tristate
+ default CRYPTO_DRBG_MENU if (CRYPTO_DRBG_HMAC || CRYPTO_DRBG_HASH || CRYPTO_DRBG_CTR)
+ select CRYPTO_RNG
+
+endif # if CRYPTO_DRBG_MENU
 config CRYPTO_USER_API
 tristate
diff --git a/crypto/Makefile b/crypto/Makefile
index bfa94fad..cfa57b3f 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -92,7 +92,7 @@ obj-$(CONFIG_CRYPTO_842) += 842.o
 obj-$(CONFIG_CRYPTO_RNG2) += rng.o
 obj-$(CONFIG_CRYPTO_RNG2) += krng.o
 obj-$(CONFIG_CRYPTO_ANSI_CPRNG) += ansi_cprng.o
-obj-$(CONFIG_CRYTPO_DRBG) += drbg.o
+obj-$(CONFIG_CRYPTO_DRBG) += drbg.o
 obj-$(CONFIG_CRYPTO_TEST) += tcrypt.o
 obj-$(CONFIG_CRYPTO_GHASH) += ghash-generic.o
 obj-$(CONFIG_CRYPTO_USER_API) += af_alg.o
diff --git a/crypto/drbg.c b/crypto/drbg.c
index d6621a61..acc75237 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
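Review bot: The new hidden `config CRYPTO_DRBG` symbol is doing the real work of this hunk — it is what the Makefile hunk builds `drbg.o` from and what `CRYPTO_FIPS` now depends on in the earlier hunk — but nothing in the file says so, and because the symbol has no prompt, a user who switches off all three types gets no feedback beyond drbg silently not being built. Add a comment above it, e.g. `# Set only when at least one DRBG type above is enabled; the Makefile and CRYPTO_FIPS key off this symbol, not CRYPTO_DRBG_MENU.` The trailer `endif # if CRYPTO_DRBG_MENU` carries a stray `if`; `endif # CRYPTO_DRBG_MENU` is the usual form.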
@@ -99,12 +99,6 @@
 #include
-#if !defined(CONFIG_CRYPTO_DRBG_HASH) && \
- !defined(CONFIG_CRYPTO_DRBG_HMAC) && \
- !defined(CONFIG_CRYPTO_DRBG_CTR)
-#warning "The DRBG code is useless without compiling at least one DRBG type"
-#endif
-
 /***************************************************************
 * Backend cipher definitions available to DRBG
 ***************************************************************/
-- 
cgit v1.2.3