Commit Graph

720 Commits

Author SHA1 Message Date
Geert Uytterhoeven 0c01aed50d crypto: testmgr - add zlib test
Signed-off-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-03-04 15:42:15 +08:00
Geert Uytterhoeven bf68e65ec9 crypto: zlib - New zlib crypto module, using pcomp
Signed-off-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-03-04 15:16:19 +08:00
Geert Uytterhoeven 8064efb874 crypto: testmgr - Add support for the pcomp interface
Signed-off-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-03-04 15:16:18 +08:00
Geert Uytterhoeven a1d2f09544 crypto: compress - Add pcomp interface
The current "comp" crypto interface supports one-shot (de)compression only,
i.e. the whole data buffer to be (de)compressed must be passed at once, and
the whole (de)compressed data buffer will be received at once.
In several use-cases (e.g. compressed file systems that store files in big
compressed blocks), this workflow is not suitable.
Furthermore, the "comp" type doesn't provide for the configuration of
(de)compression parameters, and always allocates workspace memory for both
compression and decompression, which may waste memory.

To solve this, add a "pcomp" partial (de)compression interface that provides
the following operations:
  - crypto_compress_{init,update,final}() for compression,
  - crypto_decompress_{init,update,final}() for decompression,
  - crypto_{,de}compress_setup(), to configure (de)compression parameters
    (incl. allocating workspace memory).

The (de)compression methods take a struct comp_request, which was mimicked
after the z_stream object in zlib, and contains buffer pointer and length
pairs for input and output.

The setup methods take an opaque parameter pointer and length pair. Parameters
are supposed to be encoded using netlink attributes, whose meanings depend on
the actual (name of the) (de)compression algorithm.

Signed-off-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-03-04 15:05:33 +08:00
Adrian-Ken Rueegsegger 8c882f6413 crypto: Fix dead links
Signed-off-by: Adrian-Ken Rueegsegger <ken@codelabs.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-03-04 14:43:52 +08:00
Herbert Xu a760a6656e crypto: api - Fix module load deadlock with fallback algorithms
With the mandatory algorithm testing at registration, we have
now created a deadlock with algorithms requiring fallbacks.
This can happen if the module containing the algorithm requiring
fallback is loaded first, without the fallback module being loaded
first.  The system will then try to test the new algorithm, find
that it needs to load a fallback, and then try to load that.

As both algorithms share the same module alias, it can attempt
to load the original algorithm again and block indefinitely.

As algorithms requiring fallbacks are a special case, we can fix
this by giving them a different module alias than the rest.  Then
it's just a matter of using the right aliases according to what
algorithms we're trying to find.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-26 14:06:31 +08:00
Lee Nipper bb402f16ec crypto: ahash - Fix digest size in /proc/crypto
crypto_ahash_show changed to use cra_ahash for digestsize reference.

Signed-off-by: Lee Nipper <lee.nipper@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-19 14:46:26 +08:00
Huang Ying 0a2e821d62 crypto: chainiv - Use kcrypto_wq instead of keventd_wq
keventd_wq has potential starvation problem, so use dedicated
kcrypto_wq instead.

Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-19 14:44:02 +08:00
Huang Ying 254eff7714 crypto: cryptd - Per-CPU thread implementation based on kcrypto_wq
Original cryptd thread implementation has scalability issue, this
patch solve the issue with a per-CPU thread implementation.

struct cryptd_queue is defined to be a per-CPU queue, which holds one
struct cryptd_cpu_queue for each CPU. In struct cryptd_cpu_queue, a
struct crypto_queue holds all requests for the CPU, a struct
work_struct is used to run all requests for the CPU.

Testing based on dm-crypt on an Intel Core 2 E6400 (two cores) machine
shows 19.2% performance gain. The testing script is as follow:

-------------------- script begin ---------------------------
#!/bin/sh

dmc_create()
{
        # Create a crypt device using dmsetup
        dmsetup create $2 --table "0 `blockdev --getsize $1` crypt cbc(aes-asm)?cryptd?plain:plain babebabebabebabebabebabebabebabe 0 $1 0"
}

dmsetup remove crypt0
dmsetup remove crypt1

dd if=/dev/zero of=/dev/ram0 bs=1M count=4 >& /dev/null
dd if=/dev/zero of=/dev/ram1 bs=1M count=4 >& /dev/null

dmc_create /dev/ram0 crypt0
dmc_create /dev/ram1 crypt1

cat >tr.sh <<EOF
#!/bin/sh

for n in \$(seq 10); do
        dd if=/dev/dm-0 of=/dev/null >& /dev/null &
        dd if=/dev/dm-1 of=/dev/null >& /dev/null &
done
wait
EOF

for n in $(seq 10); do
        /usr/bin/time sh tr.sh
done
rm tr.sh
-------------------- script end   ---------------------------

The separator of dm-crypt parameter is changed from "-" to "?", because
"-" is used in some cipher driver name too, and cryptds need to specify
cipher driver name instead of cipher name.

The test result on an Intel Core2 E6400 (two cores) is as follow:

without patch:
-----------------wo begin --------------------------
0.04user 0.38system 0:00.39elapsed 107%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6566minor)pagefaults 0swaps
0.07user 0.35system 0:00.35elapsed 121%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6567minor)pagefaults 0swaps
0.06user 0.34system 0:00.30elapsed 135%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6562minor)pagefaults 0swaps
0.05user 0.37system 0:00.36elapsed 119%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6607minor)pagefaults 0swaps
0.06user 0.36system 0:00.35elapsed 120%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6562minor)pagefaults 0swaps
0.05user 0.37system 0:00.31elapsed 136%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6594minor)pagefaults 0swaps
0.04user 0.34system 0:00.30elapsed 126%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6597minor)pagefaults 0swaps
0.06user 0.32system 0:00.31elapsed 125%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6571minor)pagefaults 0swaps
0.06user 0.34system 0:00.31elapsed 134%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6581minor)pagefaults 0swaps
0.05user 0.38system 0:00.31elapsed 138%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6600minor)pagefaults 0swaps
-----------------wo end   --------------------------


with patch:
------------------w begin --------------------------
0.02user 0.31system 0:00.24elapsed 141%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6554minor)pagefaults 0swaps
0.05user 0.34system 0:00.31elapsed 127%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6606minor)pagefaults 0swaps
0.07user 0.33system 0:00.26elapsed 155%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6559minor)pagefaults 0swaps
0.07user 0.32system 0:00.26elapsed 151%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6562minor)pagefaults 0swaps
0.05user 0.34system 0:00.26elapsed 150%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6603minor)pagefaults 0swaps
0.03user 0.36system 0:00.31elapsed 124%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6562minor)pagefaults 0swaps
0.04user 0.35system 0:00.26elapsed 147%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6586minor)pagefaults 0swaps
0.03user 0.37system 0:00.27elapsed 146%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6562minor)pagefaults 0swaps
0.04user 0.36system 0:00.26elapsed 154%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6594minor)pagefaults 0swaps
0.04user 0.35system 0:00.26elapsed 154%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (0major+6557minor)pagefaults 0swaps
------------------w end   --------------------------

The middle value of elapsed time is:
wo cryptwq: 0.31
w  cryptwq: 0.26

The performance gain is about (0.31-0.26)/0.26 = 0.192.

Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-19 14:42:19 +08:00
Huang Ying 25c38d3fb9 crypto: api - Use dedicated workqueue for crypto subsystem
Use dedicated workqueue for crypto subsystem

A dedicated workqueue named kcrypto_wq is created to be used by crypto
subsystem. The system shared keventd_wq is not suitable for
encryption/decryption, because of potential starvation problem.

Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-19 14:33:40 +08:00
Herbert Xu 6fe4a28d88 crypto: testmgr - Test skciphers with no IVs
As it is an skcipher with no IV escapes testing altogether because
we only test givcipher objects.  This patch fixes the bypass logic
to test these algorithms.

Conversely, we're currently testing nivaead algorithms with IVs,
which would have deadlocked had it not been for the fact that no
nivaead algorithms have any test vectors.  This patch also fixes
that case.

Both fixes are ugly as hell, but this ugliness should hopefully
disappear once we move them into the per-type code (i.e., the
AEAD test would live in aead.c and the skcipher stuff in ablkcipher.c).

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-18 21:41:29 +08:00
Herbert Xu 5852ae4242 crypto: aead - Avoid infinite loop when nivaead fails selftest
When an aead constructed through crypto_nivaead_default fails
its selftest, we'll loop forever trying to construct new aead
objects but failing because it already exists.

The crux of the issue is that once an aead fails the selftest,
we'll ignore it on the next run through crypto_aead_lookup and
attempt to construct a new aead.

We should instead return an error to the caller if we find an
an that has failed the test.

This bug hasn't manifested itself yet because we don't have any
test vectors for the existing nivaead algorithms.  They're tested
through the underlying algorithms only.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-18 21:21:24 +08:00
Herbert Xu b170a137f4 crypto: skcipher - Avoid infinite loop when cipher fails selftest
When an skcipher constructed through crypto_givcipher_default fails
its selftest, we'll loop forever trying to construct new skcipher
objects but failing because it already exists.

The crux of the issue is that once a givcipher fails the selftest,
we'll ignore it on the next run through crypto_skcipher_lookup and
attempt to construct a new givcipher.

We should instead return an error to the caller if we find a
givcipher that has failed the test.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-18 21:20:06 +08:00
Herbert Xu 3f683d6175 crypto: api - Fix crypto_alloc_tfm/create_create_tfm return convention
This is based on a report and patch by Geert Uytterhoeven.

The functions crypto_alloc_tfm and create_create_tfm return a
pointer that needs to be adjusted by the caller when successful
and otherwise an error value.  This means that the caller has
to check for the error and only perform the adjustment if the
pointer returned is valid.

Since all callers want to make the adjustment and we know how
to adjust it ourselves, it's much easier to just return adjusted
pointer directly.

The only caveat is that we have to return a void * instead of
struct crypto_tfm *.  However, this isn't that bad because both
of these functions are for internal use only (by types code like
shash.c, not even algorithms code).

This patch also moves crypto_alloc_tfm into crypto/internal.h
(crypto_create_tfm is already there) to reflect this.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-18 16:56:59 +08:00
Herbert Xu ff753308d2 crypto: api - crypto_alg_mod_lookup either tested or untested
As it stands crypto_alg_mod_lookup will search either tested or
untested algorithms, but never both at the same time.  However,
we need exactly that when constructing givcipher and aead so
this patch adds support for that by setting the tested bit in
type but clearing it in mask.  This combination is currently
unused.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-18 16:49:43 +08:00
Neil Horman c5b1e545a5 crypto: ansi_cprng - Panic on CPRNG test failure when in FIPS mode
FIPS 140-2 specifies that all access to various cryptographic modules be
prevented in the event that any of the provided self tests fail on the various
implemented algorithms.  We already panic when any of the test in testmgr.c
fail when we are operating in fips mode.  The continuous test in the cprng here
was missed when that was implmented.  This code simply checks for the
fips_enabled flag if the test fails, and warns us via syslog or panics the box
accordingly.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-18 16:48:07 +08:00
Neil Horman d7992f42c6 crypto: ansi_cprng - Force reset on allocation
Pseudo RNGs provide predictable outputs based on input parateters {key, V, DT},
the idea behind them is that only the user should know what the inputs are.
While its nice to have default known values for testing purposes, it seems
dangerous to allow the use of those default values without some sort of safety
measure in place, lest an attacker easily guess the output of the cprng.  This
patch forces the NEED_RESET flag on when allocating a cprng context, so that any
user is forced to reseed it before use.  The defaults can still be used for
testing, but this will prevent their inadvertent use, and be more secure.
   
Signed-off-by: Neil Horman <nhorman@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-18 16:48:06 +08:00
Huang Ying 54b6a1bd53 crypto: aes-ni - Add support to Intel AES-NI instructions for x86_64 platform
Intel AES-NI is a new set of Single Instruction Multiple Data (SIMD)
instructions that are going to be introduced in the next generation of
Intel processor, as of 2009. These instructions enable fast and secure
data encryption and decryption, using the Advanced Encryption Standard
(AES), defined by FIPS Publication number 197.  The architecture
introduces six instructions that offer full hardware support for
AES. Four of them support high performance data encryption and
decryption, and the other two instructions support the AES key
expansion procedure.

The white paper can be downloaded from:

http://softwarecommunity.intel.com/isn/downloads/intelavx/AES-Instructions-Set_WP.pdf

AES may be used in soft_irq context, but MMX/SSE context can not be
touched safely in soft_irq context. So in_interrupt() is checked, if
in IRQ or soft_irq context, the general x86_64 implementation are used
instead.

Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-18 16:48:06 +08:00
Huang Ying 1cac2cbc76 crypto: cryptd - Add support to access underlying blkcipher
cryptd_alloc_ablkcipher() will allocate a cryptd-ed ablkcipher for
specified algorithm name. The new allocated one is guaranteed to be
cryptd-ed ablkcipher, so the blkcipher underlying can be gotten via
cryptd_ablkcipher_child().

Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-18 16:48:05 +08:00
Herbert Xu 1693531e9e crypto: shash - Remove superfluous check in init_tfm
We're currently checking the frontend type in init_tfm.  This is
completely pointless because the fact that we're called at all
means that the frontend is ours so the type must match as well.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-18 16:48:05 +08:00
Herbert Xu 8eb2dfac41 crypto: lrw - Fix big endian support
It turns out that LRW has never worked properly on big endian.
This was never discussed because nobody actually used it that
way.  In fact, it was only discovered when Geert Uytterhoeven
loaded it through tcrypt which failed the test on it.

The fix is straightforward, on big endian the to find the nth
bit we should be grouping them by words instead of bytes.  So
setbit128_bbe should xor with 128 - BITS_PER_LONG instead of
128 - BITS_PER_BYTE == 0x78.

Tested-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-17 20:00:11 +08:00
Herbert Xu 4f3e797ad0 crypto: scatterwalk - Avoid flush_dcache_page on slab pages
It's illegal to call flush_dcache_page on slab pages on a number
of architectures.  So this patch avoids doing so if PageSlab is
true.

In future we can move the flush_dcache_page call to those page
cache users that actually need it.

Reported-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-09 14:30:25 +11:00
Herbert Xu 7b2cd92adc crypto: api - Fix zeroing on free
Geert Uytterhoeven pointed out that we're not zeroing all the
memory when freeing a transform.  This patch fixes it by calling
ksize to ensure that we zero everything in sight.

Reported-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-05 16:48:53 +11:00
Adrian-Ken Rueegsegger 4abfd73e34 crypto: shash - Fix module refcount
Module reference counting for shash is incorrect: when
a new shash transformation is created the refcount is not
increased as it should.

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-02-05 16:19:31 +11:00
Herbert Xu b8e15992b4 crypto: api - Fix algorithm test race that broke aead initialisation
When we complete a test we'll notify everyone waiting on it, drop
the mutex, and then remove the test larval (after reacquiring the
mutex).  If one of the notified parties tries to register another
algorithm with the same driver name prior to the removal of the
test larval, they will fail with EEXIST as only one algorithm of
a given name can be tested at any time.

This broke the initialisation of aead and givcipher algorithms as
they will register two algorithms with the same driver name, in
sequence.

This patch fixes the problem by marking the larval as dead before
we drop the mutex, and also ignoring all dead or dying algorithms
on the registration path.

Tested-by: Andreas Steffen <andreas.steffen@strongswan.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-01-28 14:09:59 +11:00
Jarod Wilson 516280e735 crypto: ccm - Fix handling of null assoc data
Its a valid use case to have null associated data in a ccm vector, but
this case isn't being handled properly right now.

The following ccm decryption/verification test vector, using the
rfc4309 implementation regularly triggers a panic, as will any
other vector with null assoc data:

* key: ab2f8a74b71cd2b1ff802e487d82f8b9
* iv: c6fb7d800d13abd8a6b2d8
* Associated Data: [NULL]
* Tag Length: 8
* input: d5e8939fc7892e2b

The resulting panic looks like so:

Unable to handle kernel paging request at ffff810064ddaec0 RIP: 
 [<ffffffff8864c4d7>] :ccm:get_data_to_compute+0x1a6/0x1d6
PGD 8063 PUD 0 
Oops: 0002 [1] SMP 
last sysfs file: /module/libata/version
CPU 0
Modules linked in: crypto_tester_kmod(U) seqiv krng ansi_cprng chainiv rng ctr aes_generic aes_x86_64 ccm cryptomgr testmgr_cipher testmgr aead crypto_blkcipher crypto_a
lgapi des ipv6 xfrm_nalgo crypto_api autofs4 hidp l2cap bluetooth nfs lockd fscache nfs_acl sunrpc ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_
tcpudp iptable_filter ip_tables x_tables dm_mirror dm_log dm_multipath scsi_dh dm_mod video hwmon backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp sg 
snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss joydev snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss ide_cd snd_pcm floppy parport_p
c shpchp e752x_edac snd_timer e1000 i2c_i801 edac_mc snd soundcore snd_page_alloc i2c_core cdrom parport serio_raw pcspkr ata_piix libata sd_mod scsi_mod ext3 jbd uhci_h
cd ohci_hcd ehci_hcd
Pid: 12844, comm: crypto-tester Tainted: G      2.6.18-128.el5.fips1 #1
RIP: 0010:[<ffffffff8864c4d7>]  [<ffffffff8864c4d7>] :ccm:get_data_to_compute+0x1a6/0x1d6
RSP: 0018:ffff8100134434e8  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8100104898b0 RCX: ffffffffab6aea10
RDX: 0000000000000010 RSI: ffff8100104898c0 RDI: ffff810064ddaec0
RBP: 0000000000000000 R08: ffff8100104898b0 R09: 0000000000000000
R10: ffff8100103bac84 R11: ffff8100104898b0 R12: ffff810010489858
R13: ffff8100104898b0 R14: ffff8100103bac00 R15: 0000000000000000
FS:  00002ab881adfd30(0000) GS:ffffffff803ac000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffff810064ddaec0 CR3: 0000000012a88000 CR4: 00000000000006e0
Process crypto-tester (pid: 12844, threadinfo ffff810013442000, task ffff81003d165860)
Stack:  ffff8100103bac00 ffff8100104898e8 ffff8100134436f8 ffffffff00000000
 0000000000000000 ffff8100104898b0 0000000000000000 ffff810010489858
 0000000000000000 ffff8100103bac00 ffff8100134436f8 ffffffff8864c634
Call Trace:
 [<ffffffff8864c634>] :ccm:crypto_ccm_auth+0x12d/0x140
 [<ffffffff8864cf73>] :ccm:crypto_ccm_decrypt+0x161/0x23a
 [<ffffffff88633643>] :crypto_tester_kmod:cavs_test_rfc4309_ccm+0x4a5/0x559
[...]

The above is from a RHEL5-based kernel, but upstream is susceptible too.

The fix is trivial: in crypto/ccm.c:crypto_ccm_auth(), pctx->ilen contains
whatever was in memory when pctx was allocated if assoclen is 0. The tested
fix is to simply add an else clause setting pctx->ilen to 0 for the
assoclen == 0 case, so that get_data_to_compute() doesn't try doing
things its not supposed to.

Signed-off-by: Jarod Wilson <jarod@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-01-27 17:11:15 +11:00
Herbert Xu bac1b5c469 crypto: blkcipher - Fix WARN_ON handling in walk_done
When we get left-over bits from a slow walk, it means that the
underlying cipher has gone troppo.  However, as we're handling
that case we should ensure that the caller terminates the walk.

This patch does this by setting walk->nbytes to zero.

Reported-by: Roel Kluin <roel.kluin@gmail.com>
Reported-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-01-27 17:11:13 +11:00
Herbert Xu 29b37f4212 crypto: authenc - Fix zero-length IV crash
As it is if an algorithm with a zero-length IV is used (e.g.,
NULL encryption) with authenc, authenc may generate an SG entry
of length zero, which will trigger a BUG check in the hash layer.

This patch fixes it by skipping the IV SG generation if the IV
size is zero.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-01-15 15:33:49 +11:00
Dan Williams 209b84a88f dmaengine: replace dma_async_client_register with dmaengine_get
Now that clients no longer need to be notified of channel arrival
dma_async_client_register can simply increment the dmaengine_ref_count.

Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2009-01-06 11:38:17 -07:00
Dan Williams 2ba05622b8 dmaengine: provide a common 'issue_pending_all' implementation
async_tx and net_dma each have open-coded versions of issue_pending_all,
so provide a common routine in dmaengine.

The implementation needs to walk the global device list, so implement
rcu to allow dma_issue_pending_all to run lockless.  Clients protect
themselves from channel removal events by holding a dmaengine reference.

Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2009-01-06 11:38:14 -07:00
Dan Williams bec085134e dmaengine: centralize channel allocation, introduce dma_find_channel
Allowing multiple clients to each define their own channel allocation
scheme quickly leads to a pathological situation.  For memory-to-memory
offload all clients can share a central allocator.

This simply moves the existing async_tx allocator to dmaengine with
minimal fixups:
* async_tx.c:get_chan_ref_by_cap --> dmaengine.c:nth_chan
* async_tx.c:async_tx_rebalance --> dmaengine.c:dma_channel_rebalance
* split out common code from async_tx.c:__async_tx_find_channel -->
  dma_find_channel

Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2009-01-06 11:38:14 -07:00
Dan Williams 6f49a57aa5 dmaengine: up-level reference counting to the module level
Simply, if a client wants any dmaengine channel then prevent all dmaengine
modules from being removed.  Once the clients are done re-enable module
removal.

Why?, beyond reducing complication:
1/ Tracking reference counts per-transaction in an efficient manner, as
   is currently done, requires a complicated scheme to avoid cache-line
   bouncing effects.
2/ Per-transaction ref-counting gives the false impression that a
   dma-driver can be gracefully removed ahead of its user (net, md, or
   dma-slave)
3/ None of the in-tree dma-drivers talk to hot pluggable hardware, but
   if such an engine were built one day we still would not need to notify
   clients of remove events.  The driver can simply return NULL to a
   ->prep() request, something that is much easier for a client to handle.

Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Maciej Sosnowski <maciej.sosnowski@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2009-01-06 11:38:14 -07:00
Dan Williams 07f2211e4f dmaengine: remove dependency on async_tx
async_tx.ko is a consumer of dma channels.  A circular dependency arises
if modules in drivers/dma rely on common code in async_tx.ko.  It
prevents either module from being unloaded.

Move dma_wait_for_async_tx and async_tx_run_dependencies to dmaeninge.o
where they should have been from the beginning.

Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2009-01-05 18:10:19 -07:00
Herbert Xu 0ee4a96902 crypto: aes - Precompute tables
The tables used by the various AES algorithms are currently
computed at run-time.  This has created an init ordering problem
because some AES algorithms may be registered before the tables
have been initialised.

This patch gets around this whole thing by precomputing the tables.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:05:13 +11:00
Geert Uytterhoeven bcf84a38f0 crypto: testmgr - Correct comment about deflate parameters
The comment for the deflate test vectors says the winbits parameter is 11,
while the deflate module actually uses -11 (a negative window bits parameter
enables the raw deflate format instead of the zlib format).
Correct this, to avoid confusion about the format used.

Signed-off-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:32 +11:00
Harvey Harrison f0d1ec3a22 crypto: salsa20 - Remove private wrappers around various operations
ROTATE -> rol32
XOR was always used with the same destination, use ^=
PLUS/PLUSONE use ++ or +=

Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:30 +11:00
Jarod Wilson ad79cdd77f crypto: des3_ede - permit weak keys unless REQ_WEAK_KEY set
While its a slightly insane to bypass the key1 == key2 ||
key2 == key3 check in triple-des, since it reduces it to the
same strength as des, some folks do need to do this from time
to time for backwards compatibility with des.

My own case is FIPS CAVS test vectors. Many triple-des test
vectors use a single key, replicated 3x. In order to get the
expected results, des3_ede_setkey() needs to only reject weak
keys if the CRYPTO_TFM_REQ_WEAK_KEY flag is set.

Also sets a more appropriate RES flag when a weak key is found.

Signed-off-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:28 +11:00
Adrian-Ken Rueegsegger bd9d20dba1 crypto: sha512 - Switch to shash
This patch changes sha512 and sha384 to the new shash interface.

Signed-off-by: Adrian-Ken Rueegsegger <ken@codelabs.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:27 +11:00
Adrian-Ken Rueegsegger f9e2bca6c2 crypto: sha512 - Move message schedule W[80] to static percpu area
The message schedule W (u64[80]) is too big for the stack. In order
for this algorithm to be used with shash it is moved to a static
percpu area.

Signed-off-by: Adrian-Ken Rueegsegger <ken@codelabs.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:25 +11:00
Adrian-Ken Rueegsegger 19e2bf1467 crypto: michael_mic - Switch to shash
This patch changes michael_mic to the new shash interface.

Signed-off-by: Adrian-Ken Rueegsegger <ken@codelabs.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:24 +11:00
Adrian-Ken Rueegsegger 4946510baa crypto: wp512 - Switch to shash
This patch changes wp512, wp384 and wp256 to the new shash interface.

Signed-off-by: Adrian-Ken Rueegsegger <ken@codelabs.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:22 +11:00
Adrian-Ken Rueegsegger f63fbd3d50 crypto: tgr192 - Switch to shash
This patch changes tgr192, tgr160 and tgr128 to the new shash interface.

Signed-off-by: Adrian-Ken Rueegsegger <ken@codelabs.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:21 +11:00
Adrian-Ken Rueegsegger 50e109b5b9 crypto: sha256 - Switch to shash
This patch changes sha256 and sha224 to the new shash interface.

Signed-off-by: Adrian-Ken Rueegsegger <ken@codelabs.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:19 +11:00
Adrian-Ken Rueegsegger 14b75ba70d crypto: md5 - Switch to shash
This patch changes md5 to the new shash interface.

Signed-off-by: Adrian-Ken Rueegsegger <ken@codelabs.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:18 +11:00
Adrian-Ken Rueegsegger 808a1763ce crypto: md4 - Switch to shash
This patch changes md4 to the new shash interface.

Signed-off-by: Adrian-Ken Rueegsegger <ken@codelabs.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:16 +11:00
Adrian-Ken Rueegsegger 54ccb36776 crypto: sha1 - Switch to shash
This patch changes sha1 to the new shash interface.

Signed-off-by: Adrian-Ken Rueegsegger <ken@codelabs.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:15 +11:00
Herbert Xu 3b8efb4c41 crypto: rmd320 - Switch to shash
This patch changes rmd320 to the new shash interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:13 +11:00
Herbert Xu d8a5e2e9f4 crypto: rmd256 - Switch to shash
This patch changes rmd256 to the new shash interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:12 +11:00
Herbert Xu e5835fba02 crypto: rmd160 - Switch to shash
This patch changes rmd160 to the new shash interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:10 +11:00
Herbert Xu 7c4468bc01 crypto: rmd128 - Switch to shash
This patch changes rmd128 to the new shash interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:09 +11:00
Herbert Xu d35d2454ce crypto: null - Switch to shash
This patch changes digest_null to the new shash interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:07 +11:00
Herbert Xu 3751f402e0 crypto: hash - Make setkey optional
Since most cryptographic hash algorithms have no keys, this patch
makes the setkey function optional for ahash and shash.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:06 +11:00
Geert Uytterhoeven b812eb0076 crypto: testmgr - Validate output length in (de)compression tests
When self-testing (de)compression algorithms, make sure the actual size of
the (de)compressed output data matches the expected output size.
Otherwise, in case the actual output size would be smaller than the expected
output size, the subsequent buffer compare test would still succeed, and no
error would be reported.

Signed-off-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:04 +11:00
Harvey Harrison dad3df2044 crypto: remove uses of __constant_{endian} helpers
Base versions handle constant folding just fine.

Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:03 +11:00
Ingo Molnar 664134d291 crypto: testmgr - Fix error flow of test_comp
This warning:

  crypto/testmgr.c: In function ‘test_comp’:
  crypto/testmgr.c:829: warning: ‘ret’ may be used uninitialized in this function

triggers because GCC correctly notices that in the ctcount == 0 &&
dtcount != 0 input condition case this function can return an undefined
value, if the second loop fails.

Remove the shadowed 'ret' variable from the second loop that was probably
unintended.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:02:01 +11:00
Jarod Wilson 09fbf7c0f2 crypto: ansi_cprng - fix inverted DT increment routine
The ANSI X9.31 PRNG docs aren't particularly clear on how to increment DT,
but empirical testing shows we're incrementing from the wrong end. A 10,000
iteration Monte Carlo RNG test currently winds up not getting the expected
result.

From http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf :

# CAVS 4.3
# ANSI931 MCT
[X9.31]
[AES 128-Key]

COUNT = 0
Key = 9f5b51200bf334b5d82be8c37255c848
DT = 6376bbe52902ba3b67c925fa701f11ac
V = 572c8e76872647977e74fbddc49501d1
R = 48e9bd0d06ee18fbe45790d5c3fc9b73

Currently, we get 0dd08496c4f7178bfa70a2161a79459a after 10000 loops.

Inverting the DT increment routine results in us obtaining the expected result
of 48e9bd0d06ee18fbe45790d5c3fc9b73. Verified on both x86_64 and ppc64.

Signed-off-by: Jarod Wilson <jarod@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:49 +11:00
Jarod Wilson aa1a85dbd1 crypto: ansi_cprng - Avoid incorrect extra call to _get_more_prng_bytes
While working with some FIPS RNGVS test vectors yesterday, I discovered a
little bug in the way the ansi_cprng code works right now.

For example, the following test vector (complete with expected result)
from http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf ...

Key = f3b1666d13607242ed061cabb8d46202
DT = e6b3be782a23fa62d71d4afbb0e922fc
V = f0000000000000000000000000000000
R = 88dda456302423e5f69da57e7b95c73a

...when run through ansi_cprng, yields an incorrect R value
of e2afe0d794120103d6e86a2b503bdfaa.

If I load up ansi_cprng w/dbg=1 though, it was fairly obvious what was
going wrong:

----8<----
getting 16 random bytes for context ffff810033fb2b10
Calling _get_more_prng_bytes for context ffff810033fb2b10
Input DT: 00000000: e6 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
Input I: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
Input V: 00000000: f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
tmp stage 0: 00000000: e6 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
tmp stage 1: 00000000: f4 8e cb 25 94 3e 8c 31 d6 14 cd 8a 23 f1 3f 84 
tmp stage 2: 00000000: 8c 53 6f 73 a4 1a af d4 20 89 68 f4 58 64 f8 be 
Returning new block for context ffff810033fb2b10
Output DT: 00000000: e7 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
Output I: 00000000: 04 8e cb 25 94 3e 8c 31 d6 14 cd 8a 23 f1 3f 84 
Output V: 00000000: 48 89 3b 71 bc e4 00 b6 5e 21 ba 37 8a 0a d5 70 
New Random Data: 00000000: 88 dd a4 56 30 24 23 e5 f6 9d a5 7e 7b 95 c7 3a 
Calling _get_more_prng_bytes for context ffff810033fb2b10
Input DT: 00000000: e7 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
Input I: 00000000: 04 8e cb 25 94 3e 8c 31 d6 14 cd 8a 23 f1 3f 84 
Input V: 00000000: 48 89 3b 71 bc e4 00 b6 5e 21 ba 37 8a 0a d5 70 
tmp stage 0: 00000000: e7 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
tmp stage 1: 00000000: 80 6b 3a 8c 23 ae 8f 53 be 71 4c 16 fc 13 b2 ea 
tmp stage 2: 00000000: 2a 4d e1 2a 0b 58 8e e6 36 b8 9c 0a 26 22 b8 30 
Returning new block for context ffff810033fb2b10
Output DT: 00000000: e8 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
Output I: 00000000: c8 e2 01 fd 9f 4a 8f e5 e0 50 f6 21 76 19 67 9a 
Output V: 00000000: ba 98 e3 75 c0 1b 81 8d 03 d6 f8 e2 0c c6 54 4b 
New Random Data: 00000000: e2 af e0 d7 94 12 01 03 d6 e8 6a 2b 50 3b df aa 
returning 16 from get_prng_bytes in context ffff810033fb2b10
----8<----

The expected result is there, in the first "New Random Data", but we're
incorrectly making a second call to _get_more_prng_bytes, due to some checks
that are slightly off, which resulted in our original bytes never being
returned anywhere.

One approach to fixing this would be to alter some byte_count checks in
get_prng_bytes, but it would mean the last DEFAULT_BLK_SZ bytes would be
copied a byte at a time, rather than in a single memcpy, so a slightly more
involved, equally functional, and ultimately more efficient way of fixing this
was suggested to me by Neil, which I'm submitting here. All of the RNGVS ANSI
X9.31 AES128 VST test vectors I've passed through ansi_cprng are now returning
the expected results with this change.

Signed-off-by: Jarod Wilson <jarod@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:47 +11:00
Julia Lawall 31a61bfc6e crypto: md4 - Use ARRAY_SIZE
ARRAY_SIZE is more concise to use when the size of an array is divided by
the size of its type or the size of its first element.

The semantic patch that makes this change is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@i@
@@

#include <linux/kernel.h>

@depends on i using "paren.iso"@
type T;
T[] E;
@@

- (sizeof(E)/sizeof(T))
+ ARRAY_SIZE(E)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:45 +11:00
Herbert Xu 69c35efcf1 libcrc32c: Move implementation to crypto crc32c
This patch swaps the role of libcrc32c and crc32c.  Previously
the implementation was in libcrc32c and crc32c was a wrapper.
Now the code is in crc32c and libcrc32c just calls the crypto
layer.

The reason for the change is to tap into the algorithm selection
capability of the crypto API so that optimised implementations
such as the one utilising Intel's CRC32C instruction can be
used where available.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:40 +11:00
Herbert Xu 8e3ee85e68 crypto: crc32c - Test descriptor context format
This patch adds a test for the requirement that all crc32c algorithms
shall store the partial result in the first four bytes of the descriptor
context.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:38 +11:00
Herbert Xu faccc4bba1 crypto: crc32c - Switch to shash
This patch changes crc32c to the new shash interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:35 +11:00
Herbert Xu 5f7082ed4f crypto: hash - Export shash through hash
This patch allows shash algorithms to be used through the old hash
interface.  This is a transitional measure so we can convert the
underlying algorithms to shash before converting the users across.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:33 +11:00
Herbert Xu 67cd080c50 crypto: api - Call type show function before legacy for proc
This patch makes /proc/crypto call the type-specific show function
if one is present before calling the legacy show functions for
cipher/digest/compress.  This allows us to reuse the type values
for those legacy types.  In particular, hash and digest will share
one type value while shash is phased in as the default hash type.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:32 +11:00
Herbert Xu dec8b78606 crypto: hash - Add import/export interface
It is often useful to save the partial state of a hash function
so that it can be used as a base for two or more computations.

The most prominent example is HMAC where all hashes start from
a base determined by the key.  Having an import/export interface
means that we only have to compute that base once rather than
for each message.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:30 +11:00
Herbert Xu 3b2f6df082 crypto: hash - Export shash through ahash
This patch allows shash algorithms to be used through the ahash
interface.  This is required before we can convert digest algorithms
over to shash.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:28 +11:00
Herbert Xu 7b5a080b3c crypto: hash - Add shash interface
The shash interface replaces the current synchronous hash interface.
It improves over hash in two ways.  Firstly shash is reentrant,
meaning that the same tfm may be used by two threads simultaneously
as all hashing state is stored in a local descriptor.

The other enhancement is that shash no longer takes scatter list
entries.  This is because shash is specifically designed for
synchronous algorithms and as such scatter lists are unnecessary.

All existing hash users will be converted to shash once the
algorithms have been completely converted.

There is also a new finup function that combines update with final.
This will be extended to ahash once the algorithm conversion is
done.

This is also the first time that an algorithm type has their own
registration function.  Existing algorithm types will be converted
to this way in due course.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:26 +11:00
Herbert Xu 7b0bac64cd crypto: api - Rebirth of crypto_alloc_tfm
This patch reintroduces a completely revamped crypto_alloc_tfm.
The biggest change is that we now take two crypto_type objects
when allocating a tfm, a frontend and a backend.  In fact this
simply formalises what we've been doing behind the API's back.

For example, as it stands crypto_alloc_ahash may use an
actual ahash algorithm or a crypto_hash algorithm.  Putting
this in the API allows us to do this much more cleanly.

The existing types will be converted across gradually.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:24 +11:00
Herbert Xu 4a7794860b crypto: api - Move type exit function into crypto_tfm
The type exit function needs to undo any allocations done by the type
init function.  However, the type init function may differ depending
on the upper-level type of the transform (e.g., a crypto_blkcipher
instantiated as a crypto_ablkcipher).

So we need to move the exit function out of the lower-level
structure and into crypto_tfm itself.

As it stands this is a no-op since nobody uses exit functions at
all.  However, all cases where a lower-level type is instantiated
as a different upper-level type (such as blkcipher as ablkcipher)
will be converted such that they allocate the underlying transform
and use that instead of casting (e.g., crypto_ablkcipher casted
into crypto_blkcipher).  That will need to use a different exit
function depending on the upper-level type.

This patch also allows the type init/exit functions to call (or not)
cra_init/cra_exit instead of always calling them from the top level.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:23 +11:00
Neil Horman 2566578a6f crypto: ansi_cprng - Allow resetting of DT value
This is a patch that was sent to me by Jarod Wilson, marking off my
outstanding todo to allow the ansi cprng to set/reset the DT counter value in a
cprng instance.  Currently crytpo_rng_reset accepts a seed byte array which is
interpreted by the ansi_cprng as a {V key} tuple.  This patch extends that tuple
to now be {V key DT}, with DT an optional value during reset.  This patch also
fixes  a bug we noticed in which the offset of the key area of the seed is
started at DEFAULT_PRNG_KSZ rather than DEFAULT_BLK_SZ as it should be.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:21 +11:00
Harvey Harrison 32bd78e0a5 crypto: camellia - use kernel-provided bitops, unaligned access
Remove the private implementation of 32-bit rotation and unaligned
access with byteswapping.

As a bonus, fixes sparse warnings:
crypto/camellia.c:602:2: warning: cast to restricted __be32
crypto/camellia.c:603:2: warning: cast to restricted __be32
crypto/camellia.c:604:2: warning: cast to restricted __be32
crypto/camellia.c:605:2: warning: cast to restricted __be32
crypto/camellia.c:710:2: warning: cast to restricted __be32
crypto/camellia.c:711:2: warning: cast to restricted __be32
crypto/camellia.c:712:2: warning: cast to restricted __be32
crypto/camellia.c:713:2: warning: cast to restricted __be32
crypto/camellia.c:714:2: warning: cast to restricted __be32
crypto/camellia.c:715:2: warning: cast to restricted __be32
crypto/camellia.c:716:2: warning: cast to restricted __be32
crypto/camellia.c:717:2: warning: cast to restricted __be32

[Thanks to Tomoyuki Okazaki for spotting the typo]
Tested-by: Carlo E. Prelz <fluido@fluido.as>
Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:15 +11:00
Neil Horman d12d6b6d37 crypto: testmgr - Trigger a panic when self test fails in FIPS mode
The FIPS specification requires that should self test for any supported
crypto algorithm fail during operation in fips mode, we need to prevent
the use of any crypto functionality until such time as the system can
be re-initialized.  Seems like the best way to handle that would be
to panic the system if we were in fips mode and failed a self test.
This patch implements that functionality.  I've built and run it
successfully.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-25 11:01:14 +11:00
Linus Torvalds 59da1f87b2 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx:
  async_xor: dma_map destination DMA_BIDIRECTIONAL
  dmaengine: protect 'id' from concurrent registrations
  ioat: wait for self-test completion
2008-12-18 12:05:53 -08:00
Herbert Xu 6a0fcbb4da crypto: api - Disallow cryptomgr as a module if algorithms are built-in
If we have at least one algorithm built-in then it no longer makes
sense to have the testing framework, and hence cryptomgr to be a
module.  It should be either on or off, i.e., built-in or disabled.

This just happens to stop a potential runaway modprobe loop that
seems to trigger on at least one distro.

With fixes from Evgeniy Polyakov.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-12-10 23:29:44 +11:00
Dan Williams a06d568f7c async_xor: dma_map destination DMA_BIDIRECTIONAL
Mapping the destination multiple times is a misuse of the dma-api.
Since the destination may be reused as a source, ensure that it is only
mapped once and that it is mapped bidirectionally.  This appears to add
ugliness on the unmap side in that it always reads back the destination
address from the descriptor, but gcc can determine that dma_unmap is a
nop and not emit the code that calculates its arguments.

Cc: <stable@kernel.org>
Cc: Saeed Bishara <saeed@marvell.com>
Acked-by: Yuri Tikhonov <yur@emcraft.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-12-08 13:46:00 -07:00
Linus Torvalds b91385236c Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx:
  fsldma: allow Freescale Elo DMA driver to be compiled as a module
  fsldma: remove internal self-test from Freescale Elo DMA driver
  drivers/dma/dmatest.c: switch a GFP_ATOMIC to GFP_KERNEL
  dmatest: properly handle duplicate DMA channels
  drivers/dma/ioat_dma.c: drop code after return
  async_tx: make async_tx_run_dependencies() easier to read
2008-10-20 12:54:30 -07:00
Linus Torvalds f6bccf6954 Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: skcipher - Use RNG interface instead of get_random_bytes
  crypto: rng - RNG interface and implementation
  crypto: api - Add fips_enable flag
  crypto: skcipher - Move IV generators into their own modules
  crypto: cryptomgr - Test ciphers using ECB
  crypto: api - Use test infrastructure
  crypto: cryptomgr - Add test infrastructure
  crypto: tcrypt - Add alg_test interface
  crypto: tcrypt - Abort and only log if there is an error
  crypto: crc32c - Use Intel CRC32 instruction
  crypto: tcrypt - Avoid using contiguous pages
  crypto: api - Display larval objects properly
  crypto: api - Export crypto_alg_lookup instead of __crypto_alg_lookup
  crypto: Kconfig - Replace leading spaces with tabs
2008-10-10 11:20:42 -07:00
Dan Williams fdb0ac8061 async_tx: make async_tx_run_dependencies() easier to read
* Rename 'next' to 'dep'
* Move the channel switch check inside the loop to simplify
  termination

Acked-by: Ilya Yanok <yanok@emcraft.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-09-13 19:57:04 -07:00
Herbert Xu f4c4cd6d14 Revert "crypto: camellia - Use kernel-provided bitops, unaligned access helpers"
This reverts commit bd699f2df6,
which causes camellia to fail the included self-test vectors.
It has also been confirmed that it breaks existing encrypted
disks using camellia.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-09-08 14:29:54 +10:00
Yuri Tikhonov de24125dd0 async_tx: fix the bug in async_tx_run_dependencies
Should clear the next pointer of the TX if we are sure that the
next TX (say NXT) will be submitted to the channel too. Overwise,
we break the chain of descriptors, because we lose the information
about the next descriptor to run. So next time, when invoke
async_tx_run_dependencies() with TX, it's TX->next will be NULL, and
NXT will be never submitted.

Cc: <stable@kernel.org>		[2.6.26]
Signed-off-by: Yuri Tikhonov <yur@emcraft.com>
Signed-off-by: Ilya Yanok <yanok@emcraft.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-09-05 08:15:47 -07:00
Herbert Xu a0f000ec9b crypto: skcipher - Use RNG interface instead of get_random_bytes
This patch makes the IV generators use the new RNG interface so
that the user can pick an RNG other than the default get_random_bytes.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:50:06 +10:00
Neil Horman 17f0f4a47d crypto: rng - RNG interface and implementation
This patch adds a random number generator interface as well as a
cryptographic pseudo-random number generator based on AES.  It is
meant to be used in cases where a deterministic CPRNG is required.

One of the first applications will be as an input in the IPsec IV
generation process.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:50:04 +10:00
Neil Horman ccb778e184 crypto: api - Add fips_enable flag
Add the ability to turn FIPS-compliant mode on or off at boot

In order to be FIPS compliant, several check may need to be preformed that may
be construed as unusefull in a non-compliant mode.  This patch allows us to set
a kernel flag incating that we are running in a fips-compliant mode from boot
up.  It also exports that mode information to user space via a sysctl
(/proc/sys/crypto/fips_enabled).

Tested successfully by me.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:50:02 +10:00
Herbert Xu 5be5e667a9 crypto: skcipher - Move IV generators into their own modules
This patch moves the default IV generators into their own modules
in order to break a dependency loop between cryptomgr, rng, and
blkcipher.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:50:00 +10:00
Herbert Xu 1aa4ecd95d crypto: cryptomgr - Test ciphers using ECB
As it is we only test ciphers when combined with a mode.  That means
users that do not invoke a mode of operations may get an untested
cipher.

This patch tests all ciphers using the ECB mode so that simple cipher
users such as ansi-cprng are also protected.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:49:58 +10:00
Herbert Xu 73d3864a48 crypto: api - Use test infrastructure
This patch makes use of the new testing infrastructure by requiring
algorithms to pass a run-time test before they're made available to
users.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:49:57 +10:00
Herbert Xu da7f033ddc crypto: cryptomgr - Add test infrastructure
This patch moves the newly created alg_test infrastructure into
cryptomgr.  This shall allow us to use it for testing at algorithm
registrations.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:49:55 +10:00
Herbert Xu 01b323245e crypto: tcrypt - Add alg_test interface
This patch creates a new interface algorithm testing.  A test can
be requested for a particular implementation of an algorithm.  This
is achieved by taking both the name of the algorithm and that of
the implementation.

The all-inclusive test has also been rewritten to no longer require
a duplicate listing of all algorithms with tests.  In that process
a number of missing tests have also been discovered and rectified.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:49:53 +10:00
Herbert Xu bdecd22821 crypto: tcrypt - Abort and only log if there is an error
The info printed is a complete waste of space when there is no error
since it doesn't tell us anything that we don't already know.  If there
is an error, we can also be more verbose.

In case that there is an error, this patch also aborts the test and
returns the error to the caller.  In future this will be used to
algorithms at registration time.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:49:52 +10:00
Austin Zhang 8cb51ba8e0 crypto: crc32c - Use Intel CRC32 instruction
From NHM processor onward, Intel processors can support hardware accelerated
CRC32c algorithm with the new CRC32 instruction in SSE 4.2 instruction set.
The patch detects the availability of the feature, and chooses the most proper
way to calculate CRC32c checksum.
Byte code instructions are used for compiler compatibility.
No MMX / XMM registers is involved in the implementation.

Signed-off-by: Austin Zhang <austin.zhang@intel.com>
Signed-off-by: Kent Liu <kent.liu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:49:50 +10:00
Herbert Xu f139cfa7cd crypto: tcrypt - Avoid using contiguous pages
If tcrypt is to be used as a run-time integrity test, it needs to be
more resilient in a hostile environment.  For a start allocating 32K
of physically contiguous memory is definitely out.

This patch teaches it to use separate pages instead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:48:57 +10:00
Herbert Xu a7581a01fb crypto: api - Display larval objects properly
Rather than displaying larval objects as real objects, this patch
makes them show up under /proc/crypto as of type larval.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:48:56 +10:00
Herbert Xu c51b6c8102 crypto: api - Export crypto_alg_lookup instead of __crypto_alg_lookup
Since the only user of __crypto_alg_lookup is doing exactly what
crypto_alg_lookup does, we can now the latter in lieu of the former.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:48:55 +10:00
Adrian Bunk b6d4434186 crypto: Kconfig - Replace leading spaces with tabs
Instead of tabs there were two spaces.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-29 15:48:53 +10:00
Herbert Xu a697690bec crypto: authenc - Avoid using clobbered request pointer
Authenc works in two stages for encryption, it first encrypts and
then computes an ICV.  The context memory of the request is used
by both operations.  The problem is that when an asynchronous
encryption completes, we will compute the ICV and then reread the
context memory of the encryption to get the original request.

It just happens that we have a buffer of 16 bytes in front of the
request pointer, so ICVs of 16 bytes (such as SHA1) do not trigger
the bug.  However, any attempt to uses a larger ICV instantly kills
the machine when the first asynchronous encryption is completed.

This patch fixes this by saving the request pointer before we start
the ICV computation.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-23 01:04:06 +10:00
Herbert Xu dbaaba1d0a crypto: hash - Fix digest size check for digest type
The changeset ca786dc738

	crypto: hash - Fixed digest size check

missed one spot for the digest type.  This patch corrects that
error.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-13 20:08:38 +10:00
Herbert Xu f176e632ef crypto: tcrypt - Fix AEAD chunk testing
My changeset 4b22f0ddb6

	crypto: tcrpyt - Remove unnecessary kmap/kunmap calls

introduced a typo that broke AEAD chunk testing.  In particular,
axbuf should really be xbuf.

There is also an issue with testing the last segment when encrypting.
The additional part produced by AEAD wasn't tested.  Similarly, on
decryption the additional part of the AEAD input is mistaken for
corruption.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-13 20:08:36 +10:00
Dan Williams e34a8ae790 async_tx: fix missing braces in async_xor_zero_sum
Found-by: Yuri Tikhonov <yur@emcraft.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-08-05 10:25:20 -07:00
Linus Torvalds 5554b35933 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/async_tx: (24 commits)
  I/OAT: I/OAT version 3.0 support
  I/OAT: tcp_dma_copybreak default value dependent on I/OAT version
  I/OAT: Add watchdog/reset functionality to ioatdma
  iop_adma: cleanup iop_chan_xor_slot_count
  iop_adma: document how to calculate the minimum descriptor pool size
  iop_adma: directly reclaim descriptors on allocation failure
  async_tx: make async_tx_test_ack a boolean routine
  async_tx: remove depend_tx from async_tx_sync_epilog
  async_tx: export async_tx_quiesce
  async_tx: fix handling of the "out of descriptor" condition in async_xor
  async_tx: ensure the xor destination buffer remains dma-mapped
  async_tx: list_for_each_entry_rcu() cleanup
  dmaengine: Driver for the Synopsys DesignWare DMA controller
  dmaengine: Add slave DMA interface
  dmaengine: add DMA_COMPL_SKIP_{SRC,DEST}_UNMAP flags to control dma unmap
  dmaengine: Add dma_client parameter to device_alloc_chan_resources
  dmatest: Simple DMA memcpy test client
  dmaengine: DMA engine driver for Marvell XOR engine
  iop-adma: fix platform driver hotplug/coldplug
  dmaengine: track the number of clients using a channel
  ...

Fixed up conflict in drivers/dca/dca-sysfs.c manually
2008-07-23 12:03:18 -07:00
Dan Williams 3dce017137 async_tx: remove depend_tx from async_tx_sync_epilog
All callers of async_tx_sync_epilog have called async_tx_quiesce on the
depend_tx, so async_tx_sync_epilog need only call the callback to
complete the operation.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-07-17 17:59:55 -07:00
Dan Williams d2c52b7983 async_tx: export async_tx_quiesce
Replace open coded "wait and acknowledge" instances with async_tx_quiesce.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-07-17 17:59:55 -07:00
Dan Williams 669ab0b210 async_tx: fix handling of the "out of descriptor" condition in async_xor
Ensure forward progress is made when a dmaengine driver is unable to
allocate an xor descriptor by breaking the dependency chain with
async_tx_quisce() and issue any pending descriptors.

Tested with iop-adma by setting device->max_xor = 2 to force multiple
calls to device_prep_dma_xor for each call to async_xor and limiting the
descriptor slot pool to 5.  Discovered that the minimum descriptor pool
size for iop-adma is 2 * iop_chan_xor_slot_cnt(device->max_xor) + 1.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-07-17 17:59:55 -07:00
Dan Williams 1e55db2d6b async_tx: ensure the xor destination buffer remains dma-mapped
When the number of source buffers for an xor operation exceeds the hardware
channel maximum async_xor creates a chain of dependent operations.  The result
of one operation is reused as an input to the next to continue the xor
calculation.  The destination buffer should remain mapped for the duration of
the entire chain.  To provide this guarantee the code must no longer be allowed
to fallback to the synchronous path as this will preclude the buffer from being
unmapped, i.e. the dma-driver will potentially miss the descriptor with
!DMA_COMPL_SKIP_DEST_UNMAP.

Cc: Neil Brown <neilb@suse.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-07-17 17:59:55 -07:00
Li Zefan 20fc190b0e async_tx: list_for_each_entry_rcu() cleanup
In the rcu update side, don't use list_for_each_entry_rcu().

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-07-17 17:59:47 -07:00
Linus Torvalds 260eddf439 Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  Revert crypto: prng - Deterministic CPRNG
2008-07-15 18:57:38 -07:00
Ingo Molnar 6c9fcaf2ee Merge branch 'core/rcu' into core/rcu-for-linus 2008-07-15 21:10:12 +02:00
Herbert Xu 7890ea1f95 Revert crypto: prng - Deterministic CPRNG
This patch is clearly not ready yet for prime time.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-15 23:46:24 +08:00
Ingo Molnar 0c81b2a144 Merge branch 'linus' into core/rcu
Conflicts:

	include/linux/rculist.h
	kernel/rcupreempt.c

Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-07-11 10:46:50 +02:00
Herbert Xu 18e33e6d5c crypto: hash - Move ahash functions into crypto/hash.h
All new crypto interfaces should go into individual files as much
as possible in order to ensure that crypto.h does not collapse under
its own weight.

This patch moves the ahash code into crypto/hash.h and crypto/internal/hash.h
respectively.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:18 +08:00
Herbert Xu 5773a3e6e3 crypto: crc32c - Add ahash implementation
This patch reimplements crc32c using the ahash interface.  This
allows one tfm to be used by an unlimited number of users provided
that they all use the same key (which all current crc32c users do).

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:18 +08:00
Herbert Xu 20036252fc crypto: hash - Added scatter list walking helper
This patch adds the walking helpers for hash algorithms akin to
those of block ciphers.  This is a necessary step before we can
reimplement existing hash algorithms using the new ahash interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:18 +08:00
Neil Horman b8454eebe3 crypto: prng - Deterministic CPRNG
This patch adds a cryptographic pseudo-random number generator
based on CTR(AES-128).  It is meant to be used in cases where a
deterministic CPRNG is required.

One of the first applications will be as an input in the IPsec IV
generation process.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:18 +08:00
Herbert Xu 166247f46a crypto: hash - Removed vestigial ahash fields
The base field in ahash_tfm appears to have been cut-n-pasted from
ablkcipher.  It isn't needed here at all.  Similarly, the info field
in ahash_request also appears to have originated from its cipher
counter-part and is vestigial.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:18 +08:00
Herbert Xu ca786dc738 crypto: hash - Fixed digest size check
The digest size check on hash algorithms is incorrect.  It's
perfectly valid for hash algorithms to have a digest length
longer than their block size.  For example crc32c has a block
size of 1 and a digest size of 4.  Rather than having it lie
about its block size, this patch fixes the checks to do what
they really should which is to bound the digest size so that
code placing the digest on the stack continue to work.

HMAC however still needs to check this as it's only defined
for such algorithms.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:17 +08:00
Harvey Harrison caee16883a crypto: rmd - sparse annotations
Similar to the rmd128.c annotations, significantly cuts down on the
noise.

Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:17 +08:00
Harvey Harrison b2b6a1720d crypto: rmd128 - sparse annotations
Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:17 +08:00
Harvey Harrison bd699f2df6 crypto: camellia - Use kernel-provided bitops, unaligned access helpers
Remove the private implementation of 32-bit rotation and unaligned
access with byteswapping.

As a bonus, fixes sparse warnings:
crypto/camellia.c:602:2: warning: cast to restricted __be32
crypto/camellia.c:603:2: warning: cast to restricted __be32
crypto/camellia.c:604:2: warning: cast to restricted __be32
crypto/camellia.c:605:2: warning: cast to restricted __be32
crypto/camellia.c:710:2: warning: cast to restricted __be32
crypto/camellia.c:711:2: warning: cast to restricted __be32
crypto/camellia.c:712:2: warning: cast to restricted __be32
crypto/camellia.c:713:2: warning: cast to restricted __be32
crypto/camellia.c:714:2: warning: cast to restricted __be32
crypto/camellia.c:715:2: warning: cast to restricted __be32
crypto/camellia.c:716:2: warning: cast to restricted __be32
crypto/camellia.c:717:2: warning: cast to restricted __be32

Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:17 +08:00
Herbert Xu 4b22f0ddb6 crypto: tcrpyt - Remove unnecessary kmap/kunmap calls
Noticed by Neil Horman: we are doing unnecessary kmap/kunmap calls
on kmalloced memory.  This patch removes them.  For the purposes of
testing SG construction, the underlying crypto code already does plenty
of kmap/kunmap calls anyway.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:16 +08:00
Neil Horman d729de23e8 [CRYPTO] tcrypt: Add self test for des3_ebe cipher operating in cbc mode
Patch to add checking  of DES3 test vectors using CBC mode.  FIPS-140-2
compliance mandates that any supported mode of operation must include a self
test.  This satisfies that requirement for cbc(des3_ede).  The included test
vector was generated by me using openssl.  Key/IV was generated with the
following command:

	openssl enc -des_ede_cbc -P

input and output values were generated by repeating the string "Too many
secrets" a few times over, truncating it to 128 bytes, and encrypting it with
openssl using the aformentioned key.  Tested successfully by myself

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:16 +08:00
Herbert Xu 5cdcc22f25 [CRYPTO] rmd: Use pointer form of endian swapping operations
This patch converts the relevant code in the rmd implementations to
use the pointer form of the endian swapping operations.  This allows
certain architectures to generate more optimised code.  For example,
on sparc64 this more than halves the CPU cycles on a typical hashing
operation.

Based on a patch by David Miller.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:15 +08:00
Adrian-Ken Rueegsegger feedfdaa7b [CRYPTO] rmd320: Fix endian issues
This patch fixes endian issues making rmd320 work
properly on big-endian machines.

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Acked-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:15 +08:00
Adrian-Ken Rueegsegger 2952ff1a59 [CRYPTO] rmd256: Fix endian issues
This patch fixes endian issues making rmd256 work
properly on big-endian machines.

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Acked-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:15 +08:00
Adrian-Ken Rueegsegger c928a0cddd [CRYPTO] rmd160: Fix endian issues
This patch fixes endian issues making rmd160 work
properly on big-endian machines.

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Acked-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:15 +08:00
Adrian-Ken Rueegsegger 0f923a2aab [CRYPTO] rmd128: Fix endian problems
This patch is based on Sebastian Siewior's patch and
fixes endian issues making rmd128 work properly on
big-endian machines.

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Acked-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:14 +08:00
Loc Ho cde0e2c819 [CRYPTO] tcrypt: Use asynchronous hash interface
This patch changes tcrypt to use the new asynchronous hash interface
for testing hash algorithm correctness.  The speed tests will continue
to use the existing interface for now.

Signed-off-by: Loc Ho <lho@amcc.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:14 +08:00
Loc Ho b8a28251c2 [CRYPTO] cryptd: Add asynchronous hash support
This patch adds asynchronous hash support to crypto daemon.

Signed-off-by: Loc Ho <lho@amcc.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:14 +08:00
Loc Ho 004a403c2e [CRYPTO] hash: Add asynchronous hash support
This patch adds asynchronous hash and digest support.

Signed-off-by: Loc Ho <lho@amcc.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:13 +08:00
Adrian-Ken Rueegsegger 534fe2c1c3 [CRYPTO] ripemd: Add Kconfig entries for extended RIPEMD hash algorithms
This patch adds Kconfig entries for RIPEMD-256 and RIPEMD-320.

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:13 +08:00
Adrian-Ken Rueegsegger 2998db37b5 [CRYPTO] tcrypt: Add test vectors for RIPEMD-256 and RIPEMD-320
This patch adds test vectors for RIPEMD-256 and
RIPEMD-320 hash algorithms.

The test vectors are taken from
<http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:13 +08:00
Adrian-Ken Rueegsegger c555c28d9d [CRYPTO] ripemd: Add support for RIPEMD-256 and RIPEMD-320
This patch adds support for the extended RIPEMD hash
algorithms RIPEMD-256 and RIPEMD-320.

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:13 +08:00
Adrian-Ken Rueegsegger ba6b039872 [CRYPTO] ripemd: Put all common RIPEMD values in header file
This patch puts all common RIPEMD values in the
appropriate header file. Initial values and constants
are the same for all variants of RIPEMD.

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:12 +08:00
Patrick McHardy a558f1d4f8 [CRYPTO] tcrypt: Catch cipher destination memory corruption
Check whether the destination buffer is written to beyond the last
byte contained in the scatterlist.
    
Also change IDX1 of the cross-page access offsets to a multiple of 4.
This triggers a corruption in the HIFN driver and doesn't seem to
negatively impact other testcases.
    
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:12 +08:00
Herbert Xu b10c170638 [CRYPTO] tcrpyt: Get rid of change log in source
Change logs should be kept in source control systems, not the source.
This patch removes the change log from tcrpyt to stop people from
extending it any more.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:10 +08:00
Adrian-Ken Rueegsegger 82798f90fb [CRYPTO] ripemd: Add Kconfig entries for RIPEMD hash algorithms
This patch adds Kconfig entries for RIPEMD-128 and RIPEMD-160.

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:10 +08:00
Adrian-Ken Rueegsegger fd4adf1a0b [CRYPTO] tcrypt: Add test vectors for RIPEMD-128 and RIPEMD-160
This patch adds test vectors for RIPEMD-128 and
RIPEMD-160 hash algorithms and digests (HMAC).

The test vectors are taken from ISO:IEC 10118-3 (2004)
and RFC2286.

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:10 +08:00
Adrian-Ken Rueegsegger c6580eb8b1 [CRYPTO] ripemd: Add support for RIPEMD hash algorithms
This patch adds support for RIPEMD-128 and RIPEMD-160
hash algorithms.

Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:09 +08:00
Herbert Xu 93aa7f8a12 [CRYPTO] cryptd: Fix EINPROGRESS notification context
The EINPROGRESS notifications should be done just like the final
call-backs, i.e., with BH off.  This patch fixes the call in cryptd
since previously it was called with BH on.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:35:09 +08:00
Herbert Xu 872ac8743c crypto: chainiv - Invoke completion function
When chainiv postpones requests it never calls their completion functions.
This causes symptoms such as memory leaks when IPsec is in use.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-10 20:34:38 +08:00
Dan Williams 65bc3ffe8c async_tx: fix async_memset compile error
commit 636bdeaa 'dmaengine: ack to flags: make use of the unused bits in
the 'ack' field' missed an ->ack conversion in
crypto/async_tx/async_memset.c

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-07-08 11:57:55 -07:00
Darren Jenkins dbb018cd8a crypto: tcrypt - Fix memory leak in test_cipher
Coverity CID: 2306 & 2307 RESOURCE_LEAK

In the second for loop in test_cipher(), data is allocated space with
kzalloc() and is only ever freed in an error case.
Looking at this loop, data is written to this memory but nothing seems
to read from it. 
So here is a patch removing the allocation, I think this is the right
fix.

Only compile tested.

Signed-off-by: Darren Jenkins <darrenrjenkins@gmailcom>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-07-08 15:51:44 +08:00
Ingo Molnar 766d02786e Merge branch 'linus' into core/rcu 2008-06-16 11:23:36 +02:00
Alexey Dobriyan c4913c7b71 [CRYPTO] cts: Init SG tables
Steps to reproduce:

	modprobe tcrypt		# with CONFIG_DEBUG_SG=y

testing cts(cbc(aes)) encryption
test 1 (128 bit key):
------------[ cut here ]------------
kernel BUG at include/linux/scatterlist.h:65!
invalid opcode: 0000 [1] PREEMPT SMP DEBUG_PAGEALLOC
CPU 0 
Modules linked in: tea xts twofish twofish_common tcrypt(+) [maaaany]
Pid: 16151, comm: modprobe Not tainted 2.6.26-rc4-fat #7
RIP: 0010:[<ffffffffa0bf032e>]  [<ffffffffa0bf032e>] :cts:cts_cbc_encrypt+0x151/0x355
RSP: 0018:ffff81016f497a88  EFLAGS: 00010286
RAX: ffffe20009535d58 RBX: ffff81016f497af0 RCX: 0000000087654321
RDX: ffff8100010d4f28 RSI: ffff81016f497ee8 RDI: ffff81016f497ac0
RBP: ffff81016f497c38 R08: 0000000000000000 R09: 0000000000000011
R10: ffffffff00000008 R11: ffff8100010d4f28 R12: ffff81016f497ac0
R13: ffff81016f497b30 R14: 0000000000000010 R15: 0000000000000010
FS:  00007fac6fa276f0(0000) GS:ffffffff8060e000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f12ca7cc000 CR3: 000000016f441000 CR4: 00000000000026e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
Process modprobe (pid: 16151, threadinfo ffff81016f496000, task ffff8101755b4ae0)
Stack:  0000000000000001 ffff81016f496000 ffffffff80719f78 0000000000000001
 0000000000000001 ffffffff8020c87c ffff81016f99c918 20646c756f772049
 65687420656b696c 0000000000000020 0000000000000000 0000000033341102
Call Trace:
 [<ffffffff8020c87c>] ? restore_args+0x0/0x30
 [<ffffffffa04aa311>] ? :aes_generic:crypto_aes_expand_key+0x311/0x369
 [<ffffffff802ab453>] ? check_object+0x15a/0x213
 [<ffffffff802aad22>] ? init_object+0x6e/0x76
 [<ffffffff802ac3ae>] ? __slab_free+0xfc/0x371
 [<ffffffffa0bf05ed>] :cts:crypto_cts_encrypt+0xbb/0xca
 [<ffffffffa07108de>] ? :crypto_blkcipher:setkey+0xc7/0xec
 [<ffffffffa07110b8>] :crypto_blkcipher:async_encrypt+0x38/0x3a
 [<ffffffffa2ce9341>] :tcrypt:test_cipher+0x261/0x7c6
 [<ffffffffa2cfd9df>] :tcrypt:tcrypt_mod_init+0x9df/0x1b30
 [<ffffffff80261e35>] sys_init_module+0x9e/0x1b2
 [<ffffffff8020c15a>] system_call_after_swapgs+0x8a/0x8f
Code: 45 c0 e8 aa 24 63 df 48 c1 e8 0c 48 b9 00 00 00 00 00 e2 ff ff 48 8b 55 88 48 6b c0 68 48 01 c8 b9 21 43 65 87 48 39 4d 80 74 04 <0f> 0b eb fe f6 c2 01 74 04 0f 0b eb fe 83 e2 03 4c 89 ef 44 89 
RIP  [<ffffffffa0bf032e>] :cts:cts_cbc_encrypt+0x151/0x355
 RSP <ffff81016f497a88>
---[ end trace e8bahiarjand37fd ]---

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-06-02 15:46:51 +10:00
Franck Bui-Huu 82524746c2 rcu: split list.h and move rcu-protected lists into rculist.h
Move rcu-protected lists from list.h into a new header file rculist.h.

This is done because list are a very used primitive structure all over the
kernel and it's currently impossible to include other header files in this
list.h without creating some circular dependencies.

For example, list.h implements rcu-protected list and uses rcu_dereference()
without including rcupdate.h.  It actually compiles because users of
rcu_dereference() are macros.  Others RCU functions could be used too but
aren't probably because of this.

Therefore this patch creates rculist.h which includes rcupdates without to
many changes/troubles.

Signed-off-by: Franck Bui-Huu <fbuihuu@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Josh Triplett <josh@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-05-19 10:01:37 +02:00
Herbert Xu 67412f0e78 [CRYPTO] hmac: Avoid calling virt_to_page on key
When HMAC gets a key longer than the block size of the hash, it needs
to feed it as input to the hash to reduce it to a fixed length.  As
it is HMAC converts the key to a scatter and gather list.  However,
this doesn't work on certain platforms if the key is not allocated
via kmalloc.  For example, the keys from tcrypt are stored in the
rodata section and this causes it to fail with HMAC on x86-64.

This patch fixes this by copying the key to memory obtained via
kmalloc before hashing it.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-05-07 21:08:56 +08:00
Julia Lawall b1145ce395 [CRYPTO] cryptd: Correct kzalloc error test
Normally, kzalloc returns NULL or a valid pointer value, not a value to be
tested using IS_ERR.

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-05-01 18:22:28 +08:00
Herbert Xu 46f8153cc5 [CRYPTO] eseqiv: Fix off-by-one encryption
After attaching the IV to the head during encryption, eseqiv does not
increase the encryption length by that amount.  As such the last block
of the actual plain text will be left unencrypted.

Fortunately the only user of this code hifn currently crashes so this
shouldn't affect anyone :)

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-05-01 18:22:28 +08:00
Patrick McHardy 161613293f [CRYPTO] authenc: Fix async crypto crash in crypto_authenc_genicv()
crypto_authenc_givencrypt_done uses req->data as struct aead_givcrypt_request,
while it really points to a struct aead_request, causing this crash:

BUG: unable to handle kernel paging request at 6b6b6b6b
IP: [<dc87517b>] :authenc:crypto_authenc_genicv+0x23/0x109
*pde = 00000000
Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
Modules linked in: hifn_795x authenc esp4 aead xfrm4_mode_tunnel sha1_generic hmac crypto_hash]

Pid: 3074, comm: ping Not tainted (2.6.25 #4)
EIP: 0060:[<dc87517b>] EFLAGS: 00010296 CPU: 0
EIP is at crypto_authenc_genicv+0x23/0x109 [authenc]
EAX: daa04690 EBX: daa046e0 ECX: dab0a100 EDX: daa046b0
ESI: 6b6b6b6b EDI: dc872054 EBP: c033ff60 ESP: c033ff0c
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process ping (pid: 3074, ti=c033f000 task=db883a80 task.ti=dab6c000)
Stack: 00000000 daa046b0 c0215a3e daa04690 dab0a100 00000000 ffffffff db9fd7f0
       dba208c0 dbbb1720 00000001 daa04720 00000001 c033ff54 c0119ca9 dc852a75
       c033ff60 c033ff60 daa046e0 00000000 00000001 c033ff6c dc87527b 00000001
Call Trace:
 [<c0215a3e>] ? dev_alloc_skb+0x14/0x29
 [<c0119ca9>] ? printk+0x15/0x17
 [<dc87527b>] ? crypto_authenc_givencrypt_done+0x1a/0x27 [authenc]
 [<dc850cca>] ? hifn_process_ready+0x34a/0x352 [hifn_795x]
 [<dc8353c7>] ? rhine_napipoll+0x3f2/0x3fd [via_rhine]
 [<dc851a56>] ? hifn_check_for_completion+0x4d/0xa6 [hifn_795x]
 [<dc851ab9>] ? hifn_tasklet_callback+0xa/0xc [hifn_795x]
 [<c011d046>] ? tasklet_action+0x3f/0x66
 [<c011d230>] ? __do_softirq+0x38/0x7a
 [<c0105a5f>] ? do_softirq+0x3e/0x71
 [<c011d17c>] ? irq_exit+0x2c/0x65
 [<c010e0c0>] ? smp_apic_timer_interrupt+0x5f/0x6a
 [<c01042e4>] ? apic_timer_interrupt+0x28/0x30
 [<dc851640>] ? hifn_handle_req+0x44a/0x50d [hifn_795x]
 ...

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-05-01 18:22:28 +08:00
Sebastian Siewior 584fffc8b1 [CRYPTO] kconfig: Ordering cleanup
Ciphers, block modes, name it, are grouped together and sorted.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:34 +08:00
Kamalesh Babulal 3af5b90bde [CRYPTO] all: Clean up init()/fini()
On Thu, Mar 27, 2008 at 03:40:36PM +0100, Bodo Eggert wrote:
> Kamalesh Babulal <kamalesh@linux.vnet.ibm.com> wrote:
> 
> > This patch cleanups the crypto code, replaces the init() and fini()
> > with the <algorithm name>_init/_fini
> 
> This part ist OK.
> 
> > or init/fini_<algorithm name> (if the 
> > <algorithm name>_init/_fini exist)
> 
> Having init_foo and foo_init won't be a good thing, will it? I'd start
> confusing them.
> 
> What about foo_modinit instead?

Thanks for the suggestion, the init() is replaced with

	<algorithm name>_mod_init ()

and fini () is replaced with <algorithm name>_mod_fini.
 
Signed-off-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:34 +08:00
Sebastian Siewior 5427663f49 [CRYPTO] aes: Export generic setkey
The key expansion routine could be get little more generic, become
a kernel doc entry and then get exported.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Tested-by: Stefan Hellermann <stefan@the2masters.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:34 +08:00
Sebastian Siewior c3715cb90f [CRYPTO] api: Make the crypto subsystem fully modular
Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:23 +08:00
Kevin Coffman 76cb952179 [CRYPTO] cts: Add CTS mode required for Kerberos AES support
Implement CTS wrapper for CBC mode required for support of AES
encryption support for Kerberos (rfc3962).

Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:23 +08:00
Marcin Slusarz fd4609a8e0 [CRYPTO] lrw: Replace all adds to big endians variables with be*_add_cpu
replace all:
big_endian_variable = cpu_to_beX(beX_to_cpu(big_endian_variable) +
					expression_in_cpu_byteorder);
with:
	beX_add_cpu(&big_endian_variable, expression_in_cpu_byteorder);

Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Roel Kluin <12o3l@tiscali.nl>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:22 +08:00
Sebastian Siewior f0df30b1f7 [CRYPTO] tcrypt: Change the XTEA test vectors
The third test vector of ECB-XTEA-ENC fails for me all other
are fine. I could not find a RFC or something else where they
are defined. The test vector has not been modified since git
started recording histrory. The implementation is very close
(not to say equal) to what is available as Public Domain (they
recommend 64 rounds and the in kernel uses 32). Therefore I
belive that there is typo somewhere and tcrypt reported always
*fail* instead of *okey*.
This patch replaces input + result of the third test vector with
result + input from the third decryption vector. The key is the
same, the other three test vectors are also the reverse.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:22 +08:00
Sebastian Siewior de224c309b [CRYPTO] tcrypt: Shrink the tcrypt module
Currently the tcrypt module is about 2 MiB on x86-32. The
main reason for the huge size is the data segment which contains
all the test vectors for each algorithm. The test vectors are
staticly allocated in an array and the size of the array has been
drastically increased by the merge of the Salsa20 test vectors.

With a hint from Benedigt Spranger I found a way how I could
convert those fixed-length arrays to strings which are flexible
in size. VIM and regex were also very helpfull :)
So, I am talking about a shrinking of ~97% on x86-32:

   text    data     bss     dec     hex filename
  18309 2039708      20 2058037  1f6735 tcrypt-b4.ko
  45628   23516      80   69224   10e68 tcrypt.ko

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:22 +08:00
Sebastian Siewior 562954d5e0 [CRYPTO] tcrypt: Change the usage of the test vectors
The test routines (test_{cipher,hash,aead}) are makeing a copy
of the test template and are processing the encryption process
in place. This patch changes the creation of the copy so it will
work even if the source address of the input data isn't an array
inside of the template but a pointer.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:22 +08:00
Jan Engelhardt 48c8949ea8 [CRYPTO] api: Constify function pointer tables
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:22 +08:00
Sebastian Siewior d5dc392742 [CRYPTO] tcrypt: Shrink speed templates
The speed templates as it look always the same. The key size
is repeated for each block size and we test always the same
block size. The addition of one inner loop makes it possible
to get rid of the struct and it is possible to use a tiny
u8 array :)

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:21 +08:00
Sebastian Siewior 477035c2ab [CRYPTO] tcrypt: Group common speed templates
Some crypto ciphers which are impleneted support similar key sizes
(16,24 & 32 byte). They can be grouped together and use a common
templatte instead of their own which contains the same data.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:21 +08:00
Jan Glauber 78f8b3a240 [CRYPTO] sha512: Rename sha512 to sha512_generic
Rename sha512 to sha512_generic and add a MODULE_ALIAS for sha512
so all sha512 implementations can be loaded automatically.

Keep the broken tabs so git recognizes this as a rename.

Signed-off-by: Jan Glauber <jang@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:19:21 +08:00
Alexey Dobriyan 607424d858 [CRYPTO] api: Switch to proc_create()
Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-21 10:15:56 +08:00
Dan Williams 636bdeaa12 dmaengine: ack to flags: make use of the unused bits in the 'ack' field
'ack' is currently a simple integer that flags whether or not a client is done
touching fields in the given descriptor.  It is effectively just a single bit
of information.  Converting this to a flags parameter allows the other bits to
be put to use to control completion actions, like dma-unmap, and capture
results, like xor-zero-sum == 0.

Changes are one of:
1/ convert all open-coded ->ack manipulations to use async_tx_ack
   and async_tx_test_ack.
2/ set the ack bit at prep time where possible
3/ make drivers store the flags at prep time
4/ add flags to the device_prep_dma_interrupt prototype

Acked-by: Maciej Sosnowski <maciej.sosnowski@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-04-17 13:25:54 -07:00
Dan Williams 19242d7233 async_tx: fix multiple dependency submission
Shrink struct dma_async_tx_descriptor and introduce
async_tx_channel_switch to properly inject a channel switch interrupt in
the descriptor stream.  This simplifies the locking model as drivers no
longer need to handle dma_async_tx_descriptor.lock.

Acked-by: Shannon Nelson <shannon.nelson@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-04-17 13:25:05 -07:00
Joy Latten 1edcf2e1ee [CRYPTO] xcbc: Fix crash when ipsec uses xcbc-mac with big data chunk
The kernel crashes when ipsec passes a udp packet of about 14XX bytes
of data to aes-xcbc-mac.

It seems the first xxxx bytes of the data are in first sg entry,
and remaining xx bytes are in next sg entry. But we don't 
check next sg entry to see if we need to go look the page up.

I noticed in hmac.c, we do a scatterwalk_sg_next(), to do this check
and possible lookup, thus xcbc.c needs to use this routine too.

A 15-hour run of an ipsec stress test sending streams of tcp and
udp packets of various sizes,  using this patch and 
aes-xcbc-mac completed successfully, so hopefully this fixes the
problem.
 
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-04-02 14:36:09 +08:00
Dan Williams 8d8002f642 async_tx: avoid the async xor_zero_sum path when src_cnt > device->max_xor
If the channel cannot perform the operation in one call to
->device_prep_dma_zero_sum, then fallback to the xor+page_is_zero path.
This only affects users with arrays larger than 16 devices on iop13xx or
32 devices on iop3xx.

Cc: <stable@kernel.org>
Cc: Neil Brown <neilb@suse.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-03-18 17:01:00 -07:00
Dan Williams 3280ab3e88 async_tx: checkpatch says s/__FUNCTION__/__func__/g
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-03-13 10:57:10 -07:00
Herbert Xu f13ba2f7d3 [CRYPTO] skcipher: Fix section mismatches
The previous patch to move chainiv and eseqiv into blkcipher created
a section mismatch for the chainiv exit function which was also called
from __init.  This patch removes the __exit marking on it.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-03-08 20:29:43 +08:00
Joy Latten 2f40a178e7 [CRYPTO] xcbc: Fix crash with IPsec
When using aes-xcbc-mac for authentication in IPsec, 
the kernel crashes. It seems this algorithm doesn't 
account for the space IPsec may make in scatterlist for authtag.
Thus when crypto_xcbc_digest_update2() gets called,
nbytes may be less than sg[i].length. 
Since nbytes is an unsigned number, it wraps
at the end of the loop allowing us to go back 
into loop and causing crash in memcpy.

I used update function in digest.c to model this fix.
Please let me know if it looks ok.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-03-06 19:28:44 +08:00
Sebastian Siewior 6212f2c7f7 [CRYPTO] xts: Use proper alignment
The XTS blockmode uses a copy of the IV which is saved on the stack
and may or may not be properly aligned. If it is not, it will break
hardware cipher like the geode or padlock.
This patch encrypts the IV in place so we don't have to worry about
alignment.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Tested-by: Stefan Hellermann <stefan@the2masters.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-03-06 18:56:19 +08:00
Adrian Bunk bc97f19dc8 [CRYPTO] digest: Include internal.h for prototypes
Every file should include the headers containing the externs for its 
global code (in this case for struct crypto_{init,exit}_digest_ops()).

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-03-05 19:05:54 +08:00
Herbert Xu 3e16bfbaf3 [CRYPTO] authenc: Add missing Kconfig dependency on BLKCIPHER
The authenc algorithm requires BLKCIPHER to be present.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-02-23 11:13:00 +08:00
Herbert Xu 76fc60a2e3 [CRYPTO] skcipher: Move chainiv/seqiv into crypto_blkcipher module
For compatibility with dm-crypt initramfs setups it is useful to merge
chainiv/seqiv into the crypto_blkcipher module.  Since they're required
by most algorithms anyway this is an acceptable trade-off.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-02-23 11:12:06 +08:00
Adrian Bunk c8620c2590 [CRYPTO] null: Add missing Kconfig dependency on BLKCIPHER
This patch fixes the following build error caused by commit 
3631c650c495d61b1dabf32eb26b46873636e918:

<--  snip  -->

...
  LD      .tmp_vmlinux1
crypto/built-in.o: In function `skcipher_null_crypt':
crypto_null.c:(.text+0x3d14): undefined reference to `blkcipher_walk_virt'
crypto_null.c:(.text+0x3d14): relocation truncated to fit: R_MIPS_26 against `blkcipher_walk_virt'
crypto/built-in.o: In function `$L32':
crypto_null.c:(.text+0x3d54): undefined reference to `blkcipher_walk_done'
crypto_null.c:(.text+0x3d54): relocation truncated to fit: R_MIPS_26 against `blkcipher_walk_done'
crypto/built-in.o:(.data+0x2e8): undefined reference to `crypto_blkcipher_type'
make[1]: *** [.tmp_vmlinux1] Error 1

<--  snip  -->

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-02-18 09:00:05 +08:00
Frederik Deweerdt 242f1a3437 [CRYPTO] tcrypt: Add missing Kconfig dependency on BLKCIPHER
Building latest git fails with the following error:
	ERROR: "crypto_alloc_ablkcipher" [crypto/tcrypt.ko] undefined!
This appears to happen because CONFIG_CRYPTO_TEST is set while
CONFIG_CRYPTO_BLKCIPHER is not.
The following patch fixes the problem for me.

Signed-off-by: Frederik Deweerdt <frederik.deweerdt@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-02-15 19:19:33 +08:00
David Howells e231c2ee64 Convert ERR_PTR(PTR_ERR(p)) instances to ERR_CAST(p)
Convert instances of ERR_PTR(PTR_ERR(p)) to ERR_CAST(p) using:

perl -spi -e 's/ERR_PTR[(]PTR_ERR[(](.*)[)][)]/ERR_CAST(\1)/' `grep -rl 'ERR_PTR[(]*PTR_ERR' fs crypto net security`

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-02-07 08:42:26 -08:00
Dan Williams 47437b2c9a async_tx: allow architecture specific async_tx_find_channel implementations
The source and destination addresses are included to allow channel
selection based on address alignment.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Haavard Skinnemoen <hskinnemoen@atmel.com>
2008-02-06 10:12:18 -07:00
Dan Williams d4c56f97ff async_tx: replace 'int_en' with operation preparation flags
Pass a full set of flags to drivers' per-operation 'prep' routines.
Currently the only flag passed is DMA_PREP_INTERRUPT.  The expectation is
that arch-specific async_tx_find_channel() implementations can exploit this
capability to find the best channel for an operation.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Shannon Nelson <shannon.nelson@intel.com>
Reviewed-by: Haavard Skinnemoen <hskinnemoen@atmel.com>
2008-02-06 10:12:18 -07:00
Dan Williams 0036731c88 async_tx: kill tx_set_src and tx_set_dest methods
The tx_set_src and tx_set_dest methods were originally implemented to allow
an array of addresses to be passed down from async_xor to the dmaengine
driver while minimizing stack overhead.  Removing these methods allows
drivers to have all transaction parameters available at 'prep' time, saves
two function pointers in struct dma_async_tx_descriptor, and reduces the
number of indirect branches..

A consequence of moving this data to the 'prep' routine is that
multi-source routines like async_xor need temporary storage to convert an
array of linear addresses into an array of dma addresses.  In order to keep
the same stack footprint of the previous implementation the input array is
reused as storage for the dma addresses.  This requires that
sizeof(dma_addr_t) be less than or equal to sizeof(void *).  As a
consequence CONFIG_DMADEVICES now depends on !CONFIG_HIGHMEM64G.  It also
requires that drivers be able to make descriptor resources available when
the 'prep' routine is polled.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Shannon Nelson <shannon.nelson@intel.com>
2008-02-06 10:12:17 -07:00
Dan Williams d909b34759 async_tx: kill ASYNC_TX_ASSUME_COHERENT
Remove the unused ASYNC_TX_ASSUME_COHERENT flag.  Async_tx is
meant to hide the difference between asynchronous hardware and synchronous
software operations, this flag requires clients to understand cache
coherency consequences of the async path.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Haavard Skinnemoen <hskinnemoen@atmel.com>
2008-02-06 10:12:17 -07:00
Denis Cheng cf8f68aa76 async_tx: use LIST_HEAD instead of LIST_HEAD_INIT
single list_head variable initialized with LIST_HEAD_INIT could almost
always can be replaced with LIST_HEAD declaration, this shrinks the code
and looks better.

Signed-off-by: Denis Cheng <crquan@gmail.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-02-06 10:12:17 -07:00
Dan Williams 1367a3d310 async_tx: fix compile breakage, mark do_async_xor __always_inline
do_async_xor must be compiled away on !HAS_DMA archs.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2008-02-06 10:12:17 -07:00
Linus Torvalds eba0e319c1 Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (125 commits)
  [CRYPTO] twofish: Merge common glue code
  [CRYPTO] hifn_795x: Fixup container_of() usage
  [CRYPTO] cast6: inline bloat--
  [CRYPTO] api: Set default CRYPTO_MINALIGN to unsigned long long
  [CRYPTO] tcrypt: Make xcbc available as a standalone test
  [CRYPTO] xcbc: Remove bogus hash/cipher test
  [CRYPTO] xcbc: Fix algorithm leak when block size check fails
  [CRYPTO] tcrypt: Zero axbuf in the right function
  [CRYPTO] padlock: Only reset the key once for each CBC and ECB operation
  [CRYPTO] api: Include sched.h for cond_resched in scatterwalk.h
  [CRYPTO] salsa20-asm: Remove unnecessary dependency on CRYPTO_SALSA20
  [CRYPTO] tcrypt: Add select of AEAD
  [CRYPTO] salsa20: Add x86-64 assembly version
  [CRYPTO] salsa20_i586: Salsa20 stream cipher algorithm (i586 version)
  [CRYPTO] gcm: Introduce rfc4106
  [CRYPTO] api: Show async type
  [CRYPTO] chainiv: Avoid lock spinning where possible
  [CRYPTO] seqiv: Add select AEAD in Kconfig
  [CRYPTO] scatterwalk: Handle zero nbytes in scatterwalk_map_and_copy
  [CRYPTO] null: Allow setkey on digest_null 
  ...
2008-01-25 08:38:25 -08:00
Ilpo Järvinen e6ccc727f3 [CRYPTO] cast6: inline bloat--
Bloat-o-meter shows rather high readings for cast6...

crypto/cast6.c:
  cast6_setkey  | -1310
  cast6_encrypt | -4567
  cast6_decrypt | -4561
 3 functions changed, 10438 bytes removed, diff: -10438

crypto/cast6.c:
  W    | +659
  Q    | +308
  QBAR | +316
 3 functions changed, 1283 bytes added, diff: +1283

crypto/cast6.o:
 6 functions changed, 1283 bytes added, 10438 bytes removed, diff: -9155

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:17:02 +11:00
Herbert Xu 38ed9ab23b [CRYPTO] tcrypt: Make xcbc available as a standalone test
Currently the gcm(aes) tests have to be taken together with all other
algorithms.  This patch makes it available by itself at number 106.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:17:01 +11:00
Herbert Xu 94765b9e4c [CRYPTO] xcbc: Remove bogus hash/cipher test
When setting the digest size xcbc tests to see if the underlying algorithm
is a hash.  This is silly because we don't allow it to be a hash and we've
specifically requested for a cipher.

This patch removes the bogus test.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:17:00 +11:00
Herbert Xu 1b87887d6c [CRYPTO] xcbc: Fix algorithm leak when block size check fails
When the underlying algorithm has a block size other than 16 we abort
without freeing it.  In fact, we try to return the algorithm itself
as an error!

This patch plugs the leak and makes it return -EINVAL instead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:17:00 +11:00
Herbert Xu 2a999a3abb [CRYPTO] tcrypt: Zero axbuf in the right function
The axbuf buffer is used by test_aead and therefore should be zeroed
there instead of in test_hash.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:59 +11:00
Tan Swee Heng 214dc54f6f [CRYPTO] salsa20-asm: Remove unnecessary dependency on CRYPTO_SALSA20
Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:58 +11:00
Sebastian Siewior d1cda4e396 [CRYPTO] tcrypt: Add select of AEAD
ERROR: "crypto_aead_setauthsize" [crypto/tcrypt.ko] undefined!
 ERROR: "crypto_alloc_aead" [crypto/tcrypt.ko] undefined!

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:58 +11:00
Tan Swee Heng 9a7dafbba4 [CRYPTO] salsa20: Add x86-64 assembly version
This is the x86-64 version of the Salsa20 stream cipher algorithm. The
original assembly code came from
<http://cr.yp.to/snuffle/salsa20/amd64-3/salsa20.s>. It has been
reformatted for clarity.

Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:57 +11:00
Tan Swee Heng 974e4b752e [CRYPTO] salsa20_i586: Salsa20 stream cipher algorithm (i586 version)
This patch contains the salsa20-i586 implementation. The original
assembly code came from
<http://cr.yp.to/snuffle/salsa20/x86-pm/salsa20.s>. I have reformatted
it (added indents) so that it matches the other algorithms in
arch/x86/crypto.

Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:57 +11:00
Herbert Xu dadbc53d0b [CRYPTO] gcm: Introduce rfc4106
This patch introduces the rfc4106 wrapper for GCM just as we have an
rfc4309 wrapper for CCM.  The purpose of the wrapper is to include part
of the IV in the key so that it can be negotiated by IPsec.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:56 +11:00
Herbert Xu 189ed66e95 [CRYPTO] api: Show async type
This patch adds an async field to /proc/crypto for ablkcipher and aead
algorithms.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:56 +11:00
Herbert Xu e7cd2514ea [CRYPTO] chainiv: Avoid lock spinning where possible
This patch makes chainiv avoid spinning by postponing requests on lock
contention if the user allows the use of asynchronous algorithms.  If
a synchronous algorithm is requested then we behave as before.

This should improve IPsec performance on SMP when two CPUs attempt to
transmit over the same SA.  Currently one of them will spin doing nothing
waiting for the other CPU to finish its encryption.  This patch makes it
postpone the request and get on with other work.

If only one CPU is transmitting for a given SA, then we will process
the request synchronously as before.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:55 +11:00
Herbert Xu 4726204200 [CRYPTO] seqiv: Add select AEAD in Kconfig
Now that seqiv supports AEAD algorithms it needs to select the AEAD option.

Thanks to Erez Zadok for pointing out the problem.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:55 +11:00
Herbert Xu 6e050778c5 [CRYPTO] scatterwalk: Handle zero nbytes in scatterwalk_map_and_copy
It's better to return silently than crash and burn when someone feeds us
a zero length.  In particular the null digest algorithm when used as part
of authenc will do that to us.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:54 +11:00
Herbert Xu ce5bd4aca3 [CRYPTO] null: Allow setkey on digest_null
We need to allow setkey on digest_null if it is to be used directly by
authenc instead of through hmac.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:54 +11:00
Herbert Xu 3631c650c4 [CRYPTO] null: Add null blkcipher algorithm
This patch adds a null blkcipher algorithm called ecb(cipher_null) for
backwards compatibility.  Previously the null algorithm when used by
IPsec copied the data byte by byte.  This new algorithm optimises that
to a straight memcpy which lets us better measure inherent overheads in
our IPsec code.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:53 +11:00
Joy Latten 93cc74e078 [CRYPTO] tcrypt: Add CCM vectors
This patch adds 7 test vectors to tcrypt for CCM.
The test vectors are from rfc 3610.
There are about 10 more test vectors in RFC 3610
and 4 or 5 more in NIST. I can add these as time permits.

I also needed to set authsize. CCM has a prerequisite of
authsize. 

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:53 +11:00
Joy Latten 4a49b499df [CRYPTO] ccm: Added CCM mode
This patch adds Counter with CBC-MAC (CCM) support.
RFC 3610 and NIST Special Publication 800-38C were referenced.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:53 +11:00
Herbert Xu d29ce988ae [CRYPTO] aead: Create default givcipher instances
This patch makes crypto_alloc_aead always return algorithms that is
capable of generating their own IVs through givencrypt and givdecrypt.
All existing AEAD algorithms already do.  New ones must either supply
their own or specify a generic IV generator with the geniv field.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:52 +11:00
Herbert Xu 14df4d8043 [CRYPTO] seqiv: Add AEAD support
This patch adds support for using seqiv with AEAD algorithms.  This is
useful for those AEAD algorithms that performs authentication before
encryption because the IV generated by the underlying encryption algorithm
won't be available for authentication.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:52 +11:00
Herbert Xu 5b6d2d7fdf [CRYPTO] aead: Add aead_geniv_alloc/aead_geniv_free
This patch creates the infrastructure to help the construction of IV
generator templates that wrap around AEAD algorithms by adding an IV
generator to them.  This is useful for AEAD algorithms with no built-in
IV generator or to replace their built-in generator.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:51 +11:00
Herbert Xu aedb30dc49 [CRYPTO] aead: Allow algorithms with no givcrypt support
Some algorithms always require manual IV construction.  For instance,
the generic CCM algorithm requires the first byte of the IV to be manually
constructed.  Such algorithms are always used by other algorithms equipped
with their own IV generators and do not need IV generation per se.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:50 +11:00
Herbert Xu e56dd56418 [CRYPTO] authenc: Add givencrypt operation
This patch implements the givencrypt function for authenc.  It simply
calls the givencrypt operation on the underlying cipher instead of encrypt.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:50 +11:00
Herbert Xu 743edf5727 [CRYPTO] aead: Add givcrypt operations
This patch adds the underlying givcrypt operations for aead and associated
support elements.  The rationale is identical to that of the skcipher
givcrypt operations, i.e., sometimes only the algorithm knows how the
IV should be generated.

A new request type aead_givcrypt_request is added which contains an
embedded aead_request structure with two new elements to support this
operation.  The new elements are seq and giv.  The seq field should
contain a strictly increasing 64-bit integer which may be used by
certain IV generators as an input value.  The giv field will be used
to store the generated IV.  It does not need to obey the alignment
requirements of the algorithm because it's not used during the operation.

The existing iv field must still be available as it will be used to store
intermediate IVs and the output IV if chaining is desired.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:49 +11:00
Herbert Xu 0a270321db [CRYPTO] seqiv: Add Sequence Number IV Generator
This generator generates an IV based on a sequence number by xoring it
with a salt.  This algorithm is mainly useful for CTR and similar modes.

This patch also sets it as the default IV generator for ctr.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:48 +11:00
Herbert Xu 1472e5ebaa [CRYPTO] gcm: Use crypto_grab_skcipher
This patch converts the gcm algorithm over to crypto_grab_skcipher
which is a prerequisite for IV generation.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:47 +11:00
Herbert Xu d00aa19b50 [CRYPTO] gcm: Allow block cipher parameter
This patch adds the gcm_base template which takes a block cipher
parameter instead of cipher.  This allows the user to specify a
specific CTR implementation.

This also fixes a leak of the cipher algorithm that was previously
looked up but never freed.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:47 +11:00
Herbert Xu 9ffde35a8e [CRYPTO] authenc: Use crypto_grab_skcipher
This patch converts the authenc algorithm over to crypto_grab_skcipher
which is a prerequisite for IV generation.

This patch also changes authenc to set its ASYNC status depending on
the ASYNC status of the underlying skcipher.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:46 +11:00
Herbert Xu b9c55aa475 [CRYPTO] skcipher: Create default givcipher instances
This patch makes crypto_alloc_ablkcipher/crypto_grab_skcipher always
return algorithms that are capable of generating their own IVs through
givencrypt and givdecrypt.  Each algorithm may specify its default IV
generator through the geniv field.

For algorithms that do not set the geniv field, the blkcipher layer will
pick a default.  Currently it's chainiv for synchronous algorithms and
eseqiv for asynchronous algorithms.  Note that if these wrappers do not
work on an algorithm then that algorithm must specify its own geniv or
it can't be used at all.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:46 +11:00
Herbert Xu 806d183aa6 [CRYPTO] eseqiv: Add Encrypted Sequence Number IV Generator
This generator generates an IV based on a sequence number by xoring it
with a salt and then encrypting it with the same key as used to encrypt
the plain text.  This algorithm requires that the block size be equal
to the IV size.  It is mainly useful for CBC.

It has one noteworthy property that for IPsec the IV happens to lie
just before the plain text so the IV generation simply increases the
number of encrypted blocks by one.  Therefore the cost of this generator
is entirely dependent on the speed of the underlying cipher.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:45 +11:00
Herbert Xu 7f47073911 [CRYPTO] chainiv: Add chain IV generator
The chain IV generator is the one we've been using in the IPsec stack.
It simply starts out with a random IV, then uses the last block of each
encrypted packet's cipher text as the IV for the next packet.

It can only be used by synchronous ciphers since we have to make sure
that we don't start the encryption of the next packet until the last
one has completed.

It does have the advantage of using very little CPU time since it doesn't
have to generate anything at all.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:44 +11:00
Herbert Xu ecfc43292f [CRYPTO] skcipher: Add skcipher_geniv_alloc/skcipher_geniv_free
This patch creates the infrastructure to help the construction of givcipher
templates that wrap around existing blkcipher/ablkcipher algorithms by adding
an IV generator to them.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:44 +11:00
Herbert Xu 927eead52c [CRYPTO] cryptd: Use geniv of the underlying algorithm
If the underlying algorithm specifies a specific geniv algorithm then
we should use it for the cryptd version as well.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:43 +11:00
Herbert Xu 23508e11ab [CRYPTO] skcipher: Added geniv field
This patch introduces the geniv field which indicates the default IV
generator for each algorithm.  It should point to a string that is not
freed as long as the algorithm is registered.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:43 +11:00
Herbert Xu 61da88e2b8 [CRYPTO] skcipher: Add givcrypt operations and givcipher type
Different block cipher modes have different requirements for intialisation
vectors.  For example, CBC can use a simple randomly generated IV while
modes such as CTR must use an IV generation mechanisms that give a stronger
guarantee on the lack of collisions.  Furthermore, disk encryption modes
have their own IV generation algorithms.

Up until now IV generation has been left to the users of the symmetric
key cipher API.  This is inconvenient as the number of block cipher modes
increase because the user needs to be aware of which mode is supposed to
be paired with which IV generation algorithm.

Therefore it makes sense to integrate the IV generation into the crypto
API.  This patch takes the first step in that direction by creating two
new ablkcipher operations, givencrypt and givdecrypt that generates an
IV before performing the actual encryption or decryption.

The operations are currently not exposed to the user.  That will be done
once the underlying functionality has actually been implemented.

It also creates the underlying givcipher type.  Algorithms that directly
generate IVs would use it instead of ablkcipher.  All other algorithms
(including all existing ones) would generate a givcipher algorithm upon
registration.  This givcipher algorithm will be constructed from the geniv
string that's stored in every algorithm.  That string will locate a template
which is instantiated by the blkcipher/ablkcipher algorithm in question to
give a givcipher algorithm.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:43 +11:00
Herbert Xu 378f4f51f9 [CRYPTO] skcipher: Add crypto_grab_skcipher interface
Note: From now on the collective of ablkcipher/blkcipher/givcipher will
be known as skcipher, i.e., symmetric key cipher.  The name blkcipher has
always been much of a misnomer since it supports stream ciphers too.

This patch adds the function crypto_grab_skcipher as a new way of getting
an ablkcipher spawn.  The problem is that previously we did this in two
steps, first getting the algorithm and then calling crypto_init_spawn.

This meant that each spawn user had to be aware of what type and mask to
use for these two steps.  This is difficult and also presents a problem
when the type/mask changes as they're about to be for IV generators.

The new interface does both steps together just like crypto_alloc_ablkcipher.

As a side-effect this also allows us to be stronger on type enforcement
for spawns.  For now this is only done for ablkcipher but it's trivial
to extend for other types.

This patch also moves the type/mask logic for skcipher into the helpers
crypto_skcipher_type and crypto_skcipher_mask.

Finally this patch introduces the function crypto_require_sync to determine
whether the user is specifically requesting a sync algorithm.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:42 +11:00
Herbert Xu 84c9115230 [CRYPTO] gcm: Add support for async ciphers
This patch adds the necessary changes for GCM to be used with async
ciphers.  This would allow it to be used with hardware devices that
support CTR.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:42 +11:00
Herbert Xu 5311f248b7 [CRYPTO] ctr: Refactor into ctr and rfc3686
As discussed previously, this patch moves the basic CTR functionality
into a chainable algorithm called ctr.  The IPsec-specific variant of
it is now placed on top with the name rfc3686.

So ctr(aes) gives a chainable cipher with IV size 16 while the IPsec
variant will be called rfc3686(ctr(aes)).  This patch also adjusts
gcm accordingly.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:41 +11:00
Herbert Xu 653ebd9c85 [CRYPTO] blkcipher: Merge ablkcipher and blkcipher into one option/module
With the impending addition of the givcipher type, both blkcipher and
ablkcipher algorithms will use it to create givcipher objects.  As such
it no longer makes sense to split the system between ablkcipher and
blkcipher.  In particular, both ablkcipher.c and blkcipher.c would need
to use the givcipher type which has to reside in ablkcipher.c since it
shares much code with it.

This patch merges the two Kconfig options as well as the modules into one.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:41 +11:00
Herbert Xu 2589469d7b [CRYPTO] gcm: Fix request context alignment
This patch fixes the request context alignment so that it is actually
aligned to the value required by the algorithm.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:40 +11:00
Herbert Xu 68b6c7d691 [CRYPTO] api: Add crypto_attr_alg_name
This patch adds a new helper crypto_attr_alg_name which is basically the
first half of crypto_attr_alg.  That is, it returns an algorithm name
parameter as a string without looking it up.  The caller can then look it
up immediately or defer it until later.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:40 +11:00
Borislav Petkov 5e553110f2 [CRYPTO] authenc: Select HASH in Kconfig
i get here:

----
  LD      vmlinux
  SYSMAP  System.map
  SYSMAP  .tmp_System.map
  Building modules, stage 2.
  MODPOST 226 modules
ERROR: "crypto_hash_type" [crypto/authenc.ko] undefined!
make[1]: *** [__modpost] Error 1
make: *** [modules] Error 2
---

which fails because crypto_hash_type is declared in crypto/hash.c. You might wanna
fix it like so:

Signed-off-by: Borislav Petkov <bbpetkov@yahoo.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:39 +11:00
Herbert Xu 7c3d703fa8 [CRYPTO] authenc: Merge common hashing code
This patch merges the common hashing code between encryption and decryption.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:38 +11:00
Herbert Xu 12dc5e62b4 [CRYPTO] authenc: Use RTA_OK to check length
This patch changes setkey to use RTA_OK to check the validity of the
setkey request.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:38 +11:00
Herbert Xu c2c61f513d [CRYPTO] authenc: Fix typo in ivsize
The ivsize should be fetched from ablkcipher, not blkcipher.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:37 +11:00
Tan Swee Heng 5de8f1b562 [CRYPTO] tcrypt: Added salsa20 speed test
This patch adds a simple speed test for salsa20.
Usage: modprobe tcrypt mode=206

Signed-of-by: Tan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:36 +11:00
Zoltan Sogor 0b77abb3b2 [CRYPTO] lzo: Add LZO compression algorithm support
Add LZO compression algorithm support

Signed-off-by: Zoltan Sogor <weth@inf.u-szeged.hu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:35 +11:00
Zoltan Sogor 91755a921c [CRYPTO] tcrypt: Add common compression tester function
Add common compression tester function
Modify deflate test case to use the common compressor test function

Signed-off-by: Zoltan Sogor <weth@inf.u-szeged.hu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:34 +11:00
Tan Swee Heng 8bff664cdf [CRYPTO] tcrypt: Salsa20 large test vector
This is a large test vector for Salsa20 that crosses the 4096-bytes
page boundary.

Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:34 +11:00
Tan Swee Heng eb6f13eb9f [CRYPTO] salsa20_generic: Fix multi-page processing
This patch fixes the multi-page processing bug that affects large test
vectors (the same bug that previously affected ctr.c).

There is an optimization for the case walk.nbytes == nbytes. Also we
now use crypto_xor() instead of adhoc XOR routines.

Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:34 +11:00
Herbert Xu 7f6813786a [CRYPTO] gcm: Put abreq in private context instead of on stack
The abreq structure is currently allocated on the stack.  This is broken
if the underlying algorithm is asynchronous.  This patch changes it so
that it's taken from the private context instead which has been enlarged
accordingly.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:33 +11:00
Herbert Xu b2ab4a57b0 [CRYPTO] scatterwalk: Restore custom sg chaining for now
Unfortunately the generic chaining hasn't been ported to all architectures
yet, and notably not s390.  So this patch restores the chainging that we've
been using previously which does work everywhere.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:33 +11:00
Herbert Xu 42c271c6c5 [CRYPTO] scatterwalk: Move scatterwalk.h to linux/crypto
The scatterwalk infrastructure is used by algorithms so it needs to
move out of crypto for future users that may live in drivers/crypto
or asm/*/crypto.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:32 +11:00
Herbert Xu fe70f5dfe1 [CRYPTO] aead: Return EBADMSG for ICV mismatch
This patch changes gcm/authenc to return EBADMSG instead of EINVAL for
ICV mismatches.  This convention has already been adopted by IPsec.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:32 +11:00
Herbert Xu 6160b28992 [CRYPTO] gcm: Fix ICV handling
The crypto_aead convention for ICVs is to include it directly in the
output.  If we decided to change this in future then we would make
the ICV (if the algorithm has an explicit one) available in the
request itself.

For now no algorithm needs this so this patch changes gcm to conform
to this convention.  It also adjusts the tcrypt aead tests to take
this into account.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:31 +11:00
Herbert Xu 8df213d9b5 [CRYPTO] tcrypt: Make gcm available as a standalone test
Currently the gcm(aes) tests have to be taken together with all other
ciphers.  This patch makes it available by itself at number 35.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:30 +11:00
Herbert Xu 481f34ae75 [CRYPTO] authenc: Fix hash verification
The previous code incorrectly included the hash in the verification which
also meant that we'd crash and burn when it comes to actually verifying
the hash since we'd go past the end of the SG list.

This patch fixes that by subtracting authsize from cryptlen at the start.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:30 +11:00
Herbert Xu e236d4a89a [CRYPTO] authenc: Move enckeylen into key itself
Having enckeylen as a template parameter makes it a pain for hardware
devices that implement ciphers with many key sizes since each one would
have to be registered separately.

Since the authenc algorithm is mainly used for legacy purposes where its
key is going to be constructed out of two separate keys, we can in fact
embed this value into the key itself.

This patch does this by prepending an rtnetlink header to the key that
contains the encryption key length.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:30 +11:00
Herbert Xu 7ba683a6de [CRYPTO] aead: Make authsize a run-time parameter
As it is authsize is an algorithm paramter which cannot be changed at
run-time.  This is inconvenient because hardware that implements such
algorithms would have to register each authsize that they support
separately.

Since authsize is a property common to all AEAD algorithms, we can add
a function setauthsize that sets it at run-time, just like setkey.

This patch does exactly that and also changes authenc so that authsize
is no longer a parameter of its template.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:29 +11:00
Herbert Xu e29bc6ad0e [CRYPTO] authenc: Use or instead of max on alignment masks
Since alignment masks are always one less than a power of two, we can
use binary or to find their maximum.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:28 +11:00
Denis Cheng a10e11946b [CRYPTO] tcrypt: Use print_hex_dump from linux/kernel.h
These utilities implemented in lib/hexdump.c are more handy, please use this.

Signed-off-by: Denis Cheng <crquan@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:27 +11:00
Jan Glauber 9617d6ef62 [CRYPTO] tcrypt: AES CBC test vectors from NIST SP800-38A
Add test vectors to tcrypt for AES in CBC mode for key sizes 192 and 256.
The test vectors are copied from NIST SP800-38A.

Signed-off-by: Jan Glauber <jang@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:26 +11:00
Tan Swee Heng a773edb3ed [CRYPTO] tcrypt: AES CTR large test vector
This patch adds a large AES CTR mode test vector. The test vector is
4100 bytes in size. It was generated using a C++ program that called
Crypto++.

Note that this patch increases considerably the size of "struct
cipher_testvec" and hence the size of tcrypt.ko.

Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:25 +11:00
Tan Swee Heng 6d1a69d53a [CRYPTO] tcrypt: Support for large test vectors
Currently the number of entries in a cipher test vector template is
limited by TVMEMSIZE/sizeof(struct cipher_testvec). This patch
circumvents the problem by pointing cipher_tv to each entry in the
template, rather than the template itself.

Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:25 +11:00
Herbert Xu 0971eb0de9 [CRYPTO] ctr: Fix multi-page processing
When the data spans across a page boundary, CTR may incorrectly process
a partial block in the middle because the blkcipher walking code may
supply partial blocks in the middle as long as the total length of the
supplied data is more than a block.  CTR is supposed to return any unused
partial block in that case to the walker.

This patch fixes this by doing exactly that, returning partial blocks to
the walker unless we received less than a block-worth of data to start
with.

This also allows us to optimise the bulk of the processing since we no
longer have to worry about partial blocks until the very end.

Thanks to Tan Swee Heng for fixes and actually testing this :)

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:24 +11:00
Mikko Herranen 28db8e3e38 [CRYPTO] gcm: New algorithm
Add GCM/GMAC support to cryptoapi.

GCM (Galois/Counter Mode) is an AEAD mode of operations for any block cipher
with a block size of 16.  The typical example is AES-GCM.

Signed-off-by: Mikko Herranen <mh1@iki.fi>
Reviewed-by: Mika Kukkonen <mika.kukkonen@nsn.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:23 +11:00
Mikko Herranen e3a4ea4fd2 [CRYPTO] tcrypt: Add aead support
Add AEAD support to tcrypt, needed by GCM.

Signed-off-by: Mikko Herranen <mh1@iki.fi>
Reviewed-by: Mika Kukkonen <mika.kukkonen@nsn.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:23 +11:00
Denys Vlasenko ff85a8082f [CRYPTO] camellia: Move more common code into camellia_setup_tail
Analogously to camellia7 patch, move
"absorb kw2 to other subkeys" and "absorb kw4 to other subkeys"
code parts into camellia_setup_tail(). This further reduces
source and object code size at the cost of two brances
in key setup code.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:22 +11:00
Denys Vlasenko dedcf8b064 [CRYPTO] camellia: Move common code into camellia_setup_tail
Move "key XOR is end of F-function" code part into
camellia_setup_tail(), it is sufficiently similar
between camellia_setup128 and camellia_setup256.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:21 +11:00
Denys Vlasenko acca79a664 [CRYPTO] camellia: Merge encrypt/decrypt routines for all key lengths
unifies encrypt/decrypt routines for different key lengths.
This reduces module size by ~25%, with tiny (less than 1%)
speed impact.
Also collapses encrypt/decrypt into more readable
(visually shorter) form using macros.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:21 +11:00
Denys Vlasenko 2ddae4a644 [CRYPTO] camellia: Code shrink
Remove unused macro params.
Use (u8)(expr) instead of (expr) & 0xff,
helps gcc to realize how to use simpler commands.
Move CAMELLIA_FLS macro closer to encrypt/decrypt routines.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:20 +11:00
Herbert Xu 3f8214ea33 [CRYPTO] ctr: Use crypto_inc and crypto_xor
This patch replaces the custom inc/xor in CTR with the generic functions.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:20 +11:00
Herbert Xu d0b9007a27 [CRYPTO] pcbc: Use crypto_xor
This patch replaces the custom xor in CBC with the generic crypto_xor.

It changes the operations for in-place encryption slightly to avoid
calling crypto_xor with tmpbuf since it is not necessarily aligned.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:19 +11:00
Herbert Xu 50b6544e13 [CRYPTO] cbc: Require block size to be a power of 2
All common block ciphers have a block size that's a power of 2.  In fact,
all of our block ciphers obey this rule.

If we require this then CBC can be optimised to avoid an expensive divide
on in-place decryption.

I've also changed the saving of the first IV in the in-place decryption
case to the last IV because that lets us use walk->iv (which is already
aligned) for the xor operation where alignment is required.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:19 +11:00
Herbert Xu 3c7f076da5 [CRYPTO] cbc: Use crypto_xor
This patch replaces the custom xor in CBC with the generic crypto_xor.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:18 +11:00
Herbert Xu 7613636def [CRYPTO] api: Add crypto_inc and crypto_xor
With the addition of more stream ciphers we need to curb the proliferation
of ad-hoc xor functions.  This patch creates a generic pair of functions,
crypto_inc and crypto_xor which does big-endian increment and exclusive or,
respectively.

For optimum performance, they both use u32 operations so alignment must be
as that of u32 even though the arguments are of type u8 *.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:17 +11:00
Tan Swee Heng 2407d60872 [CRYPTO] salsa20: Salsa20 stream cipher
This patch implements the Salsa20 stream cipher using the blkcipher interface.

The core cipher code comes from Daniel Bernstein's submission to eSTREAM:
  http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/ref/

The test vectors comes from:
  http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/

It has been tested successfully with "modprobe tcrypt mode=34" on an
UML instance.

Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:15 +11:00
Herbert Xu 332f8840f7 [CRYPTO] ablkcipher: Add distinct ABLKCIPHER type
Up until now we have ablkcipher algorithms have been identified as
type BLKCIPHER with the ASYNC bit set.  This is suboptimal because
ablkcipher refers to two things.  On the one hand it refers to the
top-level ablkcipher interface with requests.  On the other hand it
refers to and algorithm type underneath.

As it is you cannot request a synchronous block cipher algorithm
with the ablkcipher interface on top.  This is a problem because
we want to be able to eventually phase out the blkcipher top-level
interface.

This patch fixes this by making ABLKCIPHER its own type, just as
we have distinct types for HASH and DIGEST.  The type it associated
with the algorithm implementation only.

Which top-level interface is used for synchronous block ciphers is
then determined by the mask that's used.  If it's a specific mask
then the old blkcipher interface is given, otherwise we go with the
new ablkcipher interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:15 +11:00
Herbert Xu 468577abe3 [CRYPTO] scatterwalk: Use generic scatterlist chaining
This patch converts the crypto scatterwalk code to use the generic
scatterlist chaining rather the version specific to crypto.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:14 +11:00
Jonathan Lynch cd12fb906d [CRYPTO] sha256-generic: Extend sha256_generic.c to support SHA-224
Resubmitting this patch which extends sha256_generic.c to support SHA-224 as
described in FIPS 180-2 and RFC 3874. HMAC-SHA-224 as described in RFC4231
is then supported through the hmac interface.

Patch includes test vectors for SHA-224 and HMAC-SHA-224.

SHA-224 chould be chosen as a hash algorithm when 112 bits of security
strength is required.

Patch generated against the 2.6.24-rc1 kernel and tested against
2.6.24-rc1-git14 which includes fix for scatter gather implementation for HMAC.

Signed-off-by: Jonathan Lynch <jonathan.lynch@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:12 +11:00
Sebastian Siewior 5157dea813 [CRYPTO] aes-i586: Remove setkey
The setkey() function can be shared with the generic algorithm.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:10 +11:00
Sebastian Siewior b345cee90a [CRYPTO] ctr: Remove default M
NO other block mode is M by default.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:10 +11:00
Sebastian Siewior 81190b3215 [CRYPTO] aes-x86-64: Remove setkey
The setkey() function can be shared with the generic algorithm.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:10 +11:00
Sebastian Siewior 96e82e4551 [CRYPTO] aes-generic: Make key generation exportable
This patch exports four tables and the set_key() routine. This ressources
can be shared by other AES implementations (aes-x86_64 for instance).
The decryption key has been turned around (deckey[0] is the first piece
of the key instead of deckey[keylen+20]). The encrypt/decrypt functions
are looking now identical (except they are using different tables and
key).

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:09 +11:00
Sebastian Siewior be5fb27012 [CRYPTO] aes-generic: Coding style cleanup
Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:09 +11:00
Joy Latten 41fdab3dd3 [CRYPTO] ctr: Add countersize
This patch adds countersize to CTR mode.
The template is now ctr(algo,noncesize,ivsize,countersize).

For example, ctr(aes,4,8,4) indicates the counterblock
will be composed of a salt/nonce that is 4 bytes, an iv
that is 8 bytes and the counter is 4 bytes.

When noncesize + ivsize < blocksize, CTR initializes the
last block - ivsize - noncesize portion of the block to
zero.  Otherwise the counter block is composed of the IV
(and nonce if necessary).

If noncesize + ivsize == blocksize, then this indicates that
user is passing in entire counterblock. Thus countersize
indicates the amount of bytes in counterblock to use as
the counter for incrementing. CTR will increment counter
portion by 1, and begin encryption with that value.

Note that CTR assumes the counter portion of the block that
will be incremented is stored in big endian.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:08 +11:00
Denys Vlasenko d3e7480572 [CRYPTO] camellia: De-unrolling
Move huge unrolled pieces of code (3 screenfuls) at the end of
128/256 key setup routines into common camellia_setup_tail(),
convert it to loop there.
Loop is still unrolled six times, so performance hit is very small,
code size win is big.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Acked-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:08 +11:00
Denys Vlasenko 1ce73e8d6d [CRYPTO] camellia: Code cleanup
Optimize GETU32 to use 4-byte memcpy (modern gcc will convert
such memcpy to single move instruction on i386).
Original GETU32 did four byte fetches, and shifted/XORed those.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Acked-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:07 +11:00
Denys Vlasenko 3a5e5f8108 [CRYPTO] camellia: Code cleanup
Rename some macros to shorter names: CAMELLIA_RR8 -> ROR8,
making it easier to understand that it is just a right rotation,
nothing camellia-specific in it.
CAMELLIA_SUBKEY_L() -> SUBKEY_L() - just shorter.

Move be32 <-> cpu conversions out of en/decrypt128/256 and into
camellia_en/decrypt - no reason to have that code duplicated twice.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Acked-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:07 +11:00
Denys Vlasenko 1721a81256 [CRYPTO] camellia: Code cleanup
Move code blocks around so that related pieces are closer together:
e.g. CAMELLIA_ROUNDSM macro does not need to be separated
from the rest of the code by huge array of constants.

Remove unused macros (COPY4WORD, SWAP4WORD, XOR4WORD[2])

Drop SUBL(), SUBR() macros which only obscure things.
Same for CAMELLIA_SP1110() macro and KEY_TABLE_TYPE typedef.

Remove useless comments:
/* encryption */ -- well it's obvious enough already!
void camellia_encrypt128(...)

Combine swap with copying at the beginning/end of encrypt/decrypt.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Acked-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:06 +11:00
Denys Vlasenko e2b21b5002 [CRYPTO] twofish: Do not unroll big stuff in twofish key setup
Currently twofish cipher key setup code
has unrolled loops - approximately 70-100
instructions are repeated 40 times.

As a result, twofish module is the biggest module
in crypto/*.

Unrolling produces x2.5 more code (+18k on i386), and speeds up key
setup by 7%:

	unrolled: twofish_setkey/sec: 41128
	    loop: twofish_setkey/sec: 38148
	CALC_K256: ~100 insns each
	CALC_K192: ~90 insns
	   CALC_K: ~70 insns

Attached patch removes this unrolling.

$ size */twofish_common.o
   text    data     bss     dec     hex filename
  37920       0       0   37920    9420 crypto.org/twofish_common.o
  13209       0       0   13209    3399 crypto/twofish_common.o

Run tested (modprobe tcrypt reports ok). Please apply.

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:06 +11:00
Sebastian Siewior 89e1265431 [CRYPTO] aes: Move common defines into a header file
This three defines are used in all AES related hardware.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:04 +11:00
Evgeniy Polyakov c3041f9c93 [CRYPTO] hifn_795x: Detect weak keys
HIFN driver update to use DES weak key checks (exported in this patch).

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:03 +11:00
Evgeniy Polyakov 16d004a2ed [CRYPTO] des: Create header file for common macros
This patch creates include/crypto/des.h for common macros shared between
DES implementations.

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:02 +11:00
Joy Latten 23e353c8a6 [CRYPTO] ctr: Add CTR (Counter) block cipher mode
This patch implements CTR mode for IPsec.
It is based off of RFC 3686.

Please note:
1. CTR turns a block cipher into a stream cipher.
Encryption is done in blocks, however the last block
may be a partial block.

A "counter block" is encrypted, creating a keystream
that is xor'ed with the plaintext. The counter portion
of the counter block is incremented after each block
of plaintext is encrypted.
Decryption is performed in same manner.

2. The CTR counterblock is composed of,
        nonce + IV + counter

The size of the counterblock is equivalent to the
blocksize of the cipher.
        sizeof(nonce) + sizeof(IV) + sizeof(counter) = blocksize

The CTR template requires the name of the cipher
algorithm, the sizeof the nonce, and the sizeof the iv.
        ctr(cipher,sizeof_nonce,sizeof_iv)

So for example,
        ctr(aes,4,8)
specifies the counterblock will be composed of 4 bytes
from a nonce, 8 bytes from the iv, and 4 bytes for counter
since aes has a blocksize of 16 bytes.

3. The counter portion of the counter block is stored
in big endian for conformance to rfc 3686.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:01 +11:00
Al Viro 3c50b3683a fcrypt endianness misannotations
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-12-05 09:25:20 -08:00
Herbert Xu 38cb2419f5 [CRYPTO] api: Fix potential race in crypto_remove_spawn
As it is crypto_remove_spawn may try to unregister an instance which is
yet to be registered.  This patch fixes this by checking whether the
instance has been registered before attempting to remove it.

It also removes a bogus cra_destroy check in crypto_register_instance as
1) it's outside the mutex;
2) we have a check in __crypto_register_alg already.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-11-23 19:32:09 +08:00
Herbert Xu f347c4facf [CRYPTO] authenc: Move initialisations up to shut up gcc
It seems that newer versions of gcc have regressed in their abilities to
analyse initialisations.  This patch moves the initialisations up to avoid
the warnings.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-11-23 19:32:09 +08:00
Adrian Bunk 87ae9afdca cleanup asm/scatterlist.h includes
Not architecture specific code should not #include <asm/scatterlist.h>.

This patch therefore either replaces them with
#include <linux/scatterlist.h> or simply removes them if they were
unused.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
2007-11-02 08:47:06 +01:00
Herbert Xu a5a613a429 [CRYPTO] tcrypt: Move sg_init_table out of timing loops
This patch moves the sg_init_table out of the timing loops for hash
algorithms so that it doesn't impact on the speed test results.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-27 00:51:21 -07:00
David S. Miller b733588559 [CRYPTO]: Initialize TCRYPT on-stack scatterlist objects correctly.
Use sg_init_one() and sg_init_table() as needed.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-26 00:38:10 -07:00
David S. Miller a6767721a5 [CRYPTO]: HMAC needs some more scatterlist fixups.
hmac_setkey(), hmac_init(), and hmac_final() have
a singular on-stack scatterlist.  Initialit is
using sg_init_one() instead of using sg_set_buf().

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-26 00:37:12 -07:00
Vlad Yasevich 41fb285430 [CRYPTO]: Fix hmac_digest from the SG breakage.
Crypto now uses SG helper functions.  Fix hmac_digest to use those
functions correctly and fix the oops associated with it.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-25 18:46:26 -07:00
Jens Axboe 642f149031 SG: Change sg_set_page() to take length and offset argument
Most drivers need to set length and offset as well, so may as well fold
those three lines into one.

Add sg_assign_page() for those two locations that only needed to set
the page, where the offset/length is set outside of the function context.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
2007-10-24 11:20:47 +02:00
Jens Axboe 78c2f0b8c2 [SG] Update crypto/ to sg helpers
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
2007-10-22 19:40:16 +02:00
John Anthony Kazos Jr 991d17403c crypto: convert "crypto" subdirectory to UTF-8
Convert the subdirectory "crypto" to UTF-8. The files changed are
<crypto/fcrypt.c> and <crypto/api.c>.

Signed-off-by: John Anthony Kazos Jr. <jakj@j-a-k-j.com>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
2007-10-19 23:06:17 +02:00
Jens Axboe ab83407e9e crypto: don't pollute the global namespace with sg_next()
It's a subsystem function, prefix it as such.

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
2007-10-16 11:07:09 +02:00
Jan Glauber 5265eeb2b0 [CRYPTO] sha: Add header file for SHA definitions
There are currently several SHA implementations that all define their own
initialization vectors and size values. Since this values are idential
move them to a header file under include/crypto.

Signed-off-by: Jan Glauber <jang@de.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:50 -07:00
Sebastian Siewior ad5d27899f [CRYPTO] sha: Load the SHA[1|256] module by an alias
Loading the crypto algorithm by the alias instead of by module directly
has the advantage that all possible implementations of this algorithm
are loaded automatically and the crypto API can choose the best one
depending on its priority.

Additionally it ensures that the generic implementation as well as the
HW driver (if available) is loaded in case the HW driver needs the
generic version as fallback in corner cases.

Also remove the probe for sha1 in padlock's init code.

Quote from Herbert:
  The probe is actually pointless since we can always probe when
  the algorithm is actually used which does not lead to dead-locks
  like this.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:50 -07:00
Sebastian Siewior f8246af005 [CRYPTO] aes: Rename aes to aes-generic
Loading the crypto algorithm by the alias instead of by module directly
has the advantage that all possible implementations of this algorithm
are loaded automatically and the crypto API can choose the best one
depending on its priority.

Additionally it ensures that the generic implementation as well as the
HW driver (if available) is loaded in case the HW driver needs the
generic version as fallback in corner cases.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:49 -07:00
Sebastian Siewior c5a511f1cd [CRYPTO] des: Rename des to des-generic
Loading the crypto algorithm by the alias instead of by module directly
has the advantage that all possible implementations of this algorithm
are loaded automatically and the crypto API can choose the best one
depending on its priority.

Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:49 -07:00
Herbert Xu 7607bd8ff0 [CRYPTO] blkcipher: Added blkcipher_walk_virt_block
This patch adds the helper blkcipher_walk_virt_block which is similar to
blkcipher_walk_virt but uses a supplied block size instead of the block
size of the block cipher.  This is useful for CTR where the block size is
1 but we still want to walk by the block size of the underlying cipher.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:48 -07:00
Herbert Xu 2614de1b9a [CRYPTO] blkcipher: Increase kmalloc amount to aligned block size
Now that the block size is no longer a multiple of the alignment, we need to
increase the kmalloc amount in blkcipher_next_slow to use the aligned block
size.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:48 -07:00
Herbert Xu d8058480b3 [CRYPTO] api: Explain the comparison on larval cra_name
This patch adds a comment to explain why we compare the cra_driver_name of
the algorithm being registered against the cra_name of a larval as opposed
to the cra_driver_name of the larval.

In fact larvals have only one name, cra_name which is the name that was
requested by the user.  The test here is simply trying to find out whether
the algorithm being registered can or can not satisfy the larval.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:47 -07:00
Herbert Xu 70613783fc [CRYPTO] blkcipher: Remove alignment restriction on block size
Previously we assumed for convenience that the block size is a multiple of
the algorithm's required alignment.  With the pending addition of CTR this
will no longer be the case as the block size will be 1 due to it being a
stream cipher.  However, the alignment requirement will be that of the
underlying implementation which will most likely be greater than 1.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:46 -07:00
Herbert Xu e4c5c6c9b0 [CRYPTO] authenc: Kill spaces in algorithm names
We do not allow spaces in algorithm names or parameters.  Thanks to Joy Latten
for pointing this out.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:46 -07:00
Herbert Xu 720a650f8a [CRYPTO] cryptomgr: Fix parsing of recursive algorithms
As Joy Latten points out, inner algorithm parameters will miss the closing
bracket which will also cause the outer algorithm to terminate prematurely.

This patch fixes that also kills the WARN_ON if the number of parameters
exceed the maximum as that is a user error.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:45 -07:00
Rik Snel f19f5111c9 [CRYPTO] xts: XTS blockcipher mode implementation without partial blocks
XTS currently considered to be the successor of the LRW mode by the IEEE1619
workgroup. LRW was discarded, because it was not secure if the encyption key
itself is encrypted with LRW.

XTS does not have this problem. The implementation is pretty straightforward,
a new function was added to gf128mul to handle GF(128) elements in ble format.
Four testvectors from the specification
	http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
were added, and they verify on my system.

Signed-off-by: Rik Snel <rsnel@cube.dyndns.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:45 -07:00
Ingo Oeser 5aaff0c8f7 [CRYPTO] blkcipher: Use max() in blkcipher_get_spot() to state the intention
Use max in blkcipher_get_spot() instead of open coding it.

Signed-off-by: Ingo Oeser <ioe-lkml@rameria.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:44 -07:00