Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v3.19 2014-12-05T15:56:55Z 2014-12-05T15:56:55Z Stephan Mueller smueller@chronox.de 2014-12-03T19:55:42Z urn:sha1:af8e80731a94ff9de9508b01d9e5d931d538dc6b AEAD requires the caller to specify the following information separate from the data stream. This information allows the AEAD interface handler to identify the AAD, ciphertext/plaintext and the authentication tag: * Associated authentication data of arbitrary length and length * Length of authentication tag for encryption Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2014-11-17T14:53:48Z Stephan Mueller smueller@chronox.de 2014-11-14T04:26:21Z urn:sha1:52744af3af977ccbbf768be34650d7c75cfc1ad6 Fix documentation typo for shash_alg->descsize. Add documentation for initially uncovered member variables. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2014-11-13T14:31:40Z Stephan Mueller smueller@chronox.de 2014-11-12T04:27:16Z urn:sha1:968ab291078006de022b2245702a050ccdc32cd3 The API function calls exported by the kernel crypto API for SHASHes to be used by consumers are documented. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2014-11-13T14:31:39Z Stephan Mueller smueller@chronox.de 2014-11-12T04:26:41Z urn:sha1:90240ffb127729713cd7d9c1b5c1c0c9451681cd The API function calls exported by the kernel crypto API for AHASHes to be used by consumers are documented. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2014-11-13T14:31:39Z Stephan Mueller smueller@chronox.de 2014-11-12T04:26:03Z urn:sha1:5d8c723f61f2e6dacbd02d80a516115993c4f292 The hash data structures needed to be filled in by cipher developers are documented. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2014-11-13T14:31:38Z Stephan Mueller smueller@chronox.de 2014-11-12T04:25:31Z urn:sha1:aa1b6fbcbeaca21038db3e7a98d739786ae93511 The API function calls exported by the kernel crypto API for RNGs to be used by consumers are documented. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2014-10-14T08:51:22Z Behan Webster behanw@converseincode.com 2014-09-08T05:05:09Z urn:sha1:a0a77af14117e388d43b2385d5ecc800e2d6eee9 Add a macro which replaces the use of a Variable Length Array In Struct (VLAIS) with a C99 compliant equivalent. This macro instead allocates the appropriate amount of memory using an char array. The new code can be compiled with both gcc and clang. struct shash_desc contains a flexible array member member ctx declared with CRYPTO_MINALIGN_ATTR, so sizeof(struct shash_desc) aligns the beginning of the array declared after struct shash_desc with long long. No trailing padding is required because it is not a struct type that can be used in an array. The CRYPTO_MINALIGN_ATTR is required so that desc is aligned with long long as would be the case for a struct containing a member with CRYPTO_MINALIGN_ATTR. If you want to get to the ctx at the end of the shash_desc as before you can do so using shash_desc_ctx(shash) Signed-off-by: Behan Webster <behanw@converseincode.com> Reviewed-by: Mark Charlebois <charlebm@gmail.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michał Mirosław <mirqus@gmail.com> 2014-10-12T14:13:55Z Linus Torvalds torvalds@linux-foundation.org 2014-10-12T14:13:55Z urn:sha1:5e40d331bd72447197f26525f21711c4a265b6a6 Pull security subsystem updates from James Morris. Mostly ima, selinux, smack and key handling updates. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (65 commits) integrity: do zero padding of the key id KEYS: output last portion of fingerprint in /proc/keys KEYS: strip 'id:' from ca_keyid KEYS: use swapped SKID for performing partial matching KEYS: Restore partial ID matching functionality for asymmetric keys X.509: If available, use the raw subjKeyId to form the key description KEYS: handle error code encoded in pointer selinux: normalize audit log formatting selinux: cleanup error reporting in selinux_nlmsg_perm() KEYS: Check hex2bin()'s return when generating an asymmetric key ID ima: detect violations for mmaped files ima: fix race condition on ima_rdwr_violation_check and process_measurement ima: added ima_policy_flag variable ima: return an error code from ima_add_boot_aggregate() ima: provide 'ima_appraise=log' kernel option ima: move keyring initialization to ima_init() PKCS#7: Handle PKCS#7 messages that contain no X.509 certs PKCS#7: Better handling of unsupported crypto KEYS: Overhaul key identification when searching for asymmetric keys KEYS: Implement binary asymmetric key ID handling ... 2014-10-06T14:21:05Z Dmitry Kasatkin d.kasatkin@samsung.com 2014-10-06T14:21:05Z urn:sha1:f1b731dbc2530cab93fcfc5fcb18c9f3a100feeb Bring back the functionality whereby an asymmetric key can be matched with a partial match on one of its IDs. Whilst we're at it, allow for the possibility of having an increased number of IDs. Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com> 2014-09-16T16:36:13Z David Howells dhowells@redhat.com 2014-09-16T16:36:13Z urn:sha1:46963b774d441c833afc1535f6d84b3df2a94204 Make use of the new match string preparsing to overhaul key identification when searching for asymmetric keys. The following changes are made: (1) Use the previously created asymmetric_key_id struct to hold the following key IDs derived from the X.509 certificate or PKCS#7 message: id: serial number + issuer skid: subjKeyId + subject authority: authKeyId + issuer (2) Replace the hex fingerprint attached to key->type_data[1] with an asymmetric_key_ids struct containing the id and the skid (if present). (3) Make the asymmetric_type match data preparse select one of two searches: (a) An iterative search for the key ID given if prefixed with "id:". The prefix is expected to be followed by a hex string giving the ID to search for. The criterion key ID is checked against all key IDs recorded on the key. (b) A direct search if the key ID is not prefixed with "id:". This will look for an exact match on the key description. (4) Make x509_request_asymmetric_key() take a key ID. This is then converted into "id:<hex>" and passed into keyring_search() where match preparsing will turn it back into a binary ID. (5) X.509 certificate verification then takes the authority key ID and looks up a key that matches it to find the public key for the certificate signature. (6) PKCS#7 certificate verification then takes the id key ID and looks up a key that matches it to find the public key for the signed information block signature. Additional changes: (1) Multiple subjKeyId and authKeyId values on an X.509 certificate cause the cert to be rejected with -EBADMSG. (2) The 'fingerprint' ID is gone. This was primarily intended to convey PGP public key fingerprints. If PGP is supported in future, this should generate a key ID that carries the fingerprint. (3) Th ca_keyid= kernel command line option is now converted to a key ID and used to match the authority key ID. Possibly this should only match the actual authKeyId part and not the issuer as well. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Vivek Goyal <vgoyal@redhat.com>