summaryrefslogtreecommitdiff
path: root/crypto
AgeCommit message (Collapse)AuthorFilesLines
2008-04-02[CRYPTO] xcbc: Fix crash when ipsec uses xcbc-mac with big data chunkJoy Latten1-8/+9
The kernel crashes when ipsec passes a udp packet of about 14XX bytes of data to aes-xcbc-mac. It seems the first xxxx bytes of the data are in first sg entry, and remaining xx bytes are in next sg entry. But we don't check next sg entry to see if we need to go look the page up. I noticed in hmac.c, we do a scatterwalk_sg_next(), to do this check and possible lookup, thus xcbc.c needs to use this routine too. A 15-hour run of an ipsec stress test sending streams of tcp and udp packets of various sizes, using this patch and aes-xcbc-mac completed successfully, so hopefully this fixes the problem. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-03-18async_tx: avoid the async xor_zero_sum path when src_cnt > device->max_xorDan Williams1-1/+1
If the channel cannot perform the operation in one call to ->device_prep_dma_zero_sum, then fallback to the xor+page_is_zero path. This only affects users with arrays larger than 16 devices on iop13xx or 32 devices on iop3xx. Cc: <stable@kernel.org> Cc: Neil Brown <neilb@suse.de> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-03-13async_tx: checkpatch says s/__FUNCTION__/__func__/gDan Williams4-15/+15
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-03-08[CRYPTO] skcipher: Fix section mismatchesHerbert Xu2-5/+1
The previous patch to move chainiv and eseqiv into blkcipher created a section mismatch for the chainiv exit function which was also called from __init. This patch removes the __exit marking on it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-03-06[CRYPTO] xcbc: Fix crash with IPsecJoy Latten1-1/+5
When using aes-xcbc-mac for authentication in IPsec, the kernel crashes. It seems this algorithm doesn't account for the space IPsec may make in scatterlist for authtag. Thus when crypto_xcbc_digest_update2() gets called, nbytes may be less than sg[i].length. Since nbytes is an unsigned number, it wraps at the end of the loop allowing us to go back into loop and causing crash in memcpy. I used update function in digest.c to model this fix. Please let me know if it looks ok. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-03-06[CRYPTO] xts: Use proper alignmentSebastian Siewior1-7/+6
The XTS blockmode uses a copy of the IV which is saved on the stack and may or may not be properly aligned. If it is not, it will break hardware cipher like the geode or padlock. This patch encrypts the IV in place so we don't have to worry about alignment. Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Tested-by: Stefan Hellermann <stefan@the2masters.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-03-05[CRYPTO] digest: Include internal.h for prototypesAdrian Bunk1-0/+2
Every file should include the headers containing the externs for its global code (in this case for struct crypto_{init,exit}_digest_ops()). Signed-off-by: Adrian Bunk <bunk@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-02-23[CRYPTO] authenc: Add missing Kconfig dependency on BLKCIPHERHerbert Xu1-0/+1
The authenc algorithm requires BLKCIPHER to be present. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-02-23[CRYPTO] skcipher: Move chainiv/seqiv into crypto_blkcipher moduleHerbert Xu5-21/+39
For compatibility with dm-crypt initramfs setups it is useful to merge chainiv/seqiv into the crypto_blkcipher module. Since they're required by most algorithms anyway this is an acceptable trade-off. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-02-18[CRYPTO] null: Add missing Kconfig dependency on BLKCIPHERAdrian Bunk1-0/+1
This patch fixes the following build error caused by commit 3631c650c495d61b1dabf32eb26b46873636e918: <-- snip --> ... LD .tmp_vmlinux1 crypto/built-in.o: In function `skcipher_null_crypt': crypto_null.c:(.text+0x3d14): undefined reference to `blkcipher_walk_virt' crypto_null.c:(.text+0x3d14): relocation truncated to fit: R_MIPS_26 against `blkcipher_walk_virt' crypto/built-in.o: In function `$L32': crypto_null.c:(.text+0x3d54): undefined reference to `blkcipher_walk_done' crypto_null.c:(.text+0x3d54): relocation truncated to fit: R_MIPS_26 against `blkcipher_walk_done' crypto/built-in.o:(.data+0x2e8): undefined reference to `crypto_blkcipher_type' make[1]: *** [.tmp_vmlinux1] Error 1 <-- snip --> Signed-off-by: Adrian Bunk <bunk@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-02-15[CRYPTO] tcrypt: Add missing Kconfig dependency on BLKCIPHERFrederik Deweerdt1-0/+1
Building latest git fails with the following error: ERROR: "crypto_alloc_ablkcipher" [crypto/tcrypt.ko] undefined! This appears to happen because CONFIG_CRYPTO_TEST is set while CONFIG_CRYPTO_BLKCIPHER is not. The following patch fixes the problem for me. Signed-off-by: Frederik Deweerdt <frederik.deweerdt@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-02-07Convert ERR_PTR(PTR_ERR(p)) instances to ERR_CAST(p)David Howells7-8/+8
Convert instances of ERR_PTR(PTR_ERR(p)) to ERR_CAST(p) using: perl -spi -e 's/ERR_PTR[(]PTR_ERR[(](.*)[)][)]/ERR_CAST(\1)/' `grep -rl 'ERR_PTR[(]*PTR_ERR' fs crypto net security` Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-02-06async_tx: allow architecture specific async_tx_find_channel implementationsDan Williams4-7/+13
The source and destination addresses are included to allow channel selection based on address alignment. Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Haavard Skinnemoen <hskinnemoen@atmel.com>
2008-02-06async_tx: replace 'int_en' with operation preparation flagsDan Williams3-6/+10
Pass a full set of flags to drivers' per-operation 'prep' routines. Currently the only flag passed is DMA_PREP_INTERRUPT. The expectation is that arch-specific async_tx_find_channel() implementations can exploit this capability to find the best channel for an operation. Signed-off-by: Dan Williams <dan.j.williams@intel.com> Acked-by: Shannon Nelson <shannon.nelson@intel.com> Reviewed-by: Haavard Skinnemoen <hskinnemoen@atmel.com>
2008-02-06async_tx: kill tx_set_src and tx_set_dest methodsDan Williams3-58/+83
The tx_set_src and tx_set_dest methods were originally implemented to allow an array of addresses to be passed down from async_xor to the dmaengine driver while minimizing stack overhead. Removing these methods allows drivers to have all transaction parameters available at 'prep' time, saves two function pointers in struct dma_async_tx_descriptor, and reduces the number of indirect branches.. A consequence of moving this data to the 'prep' routine is that multi-source routines like async_xor need temporary storage to convert an array of linear addresses into an array of dma addresses. In order to keep the same stack footprint of the previous implementation the input array is reused as storage for the dma addresses. This requires that sizeof(dma_addr_t) be less than or equal to sizeof(void *). As a consequence CONFIG_DMADEVICES now depends on !CONFIG_HIGHMEM64G. It also requires that drivers be able to make descriptor resources available when the 'prep' routine is polled. Signed-off-by: Dan Williams <dan.j.williams@intel.com> Acked-by: Shannon Nelson <shannon.nelson@intel.com>
2008-02-06async_tx: kill ASYNC_TX_ASSUME_COHERENTDan Williams3-31/+14
Remove the unused ASYNC_TX_ASSUME_COHERENT flag. Async_tx is meant to hide the difference between asynchronous hardware and synchronous software operations, this flag requires clients to understand cache coherency consequences of the async path. Signed-off-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Haavard Skinnemoen <hskinnemoen@atmel.com>
2008-02-06async_tx: use LIST_HEAD instead of LIST_HEAD_INITDenis Cheng1-2/+1
single list_head variable initialized with LIST_HEAD_INIT could almost always can be replaced with LIST_HEAD declaration, this shrinks the code and looks better. Signed-off-by: Denis Cheng <crquan@gmail.com> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2008-02-06async_tx: fix compile breakage, mark do_async_xor __always_inlineDan Williams1-1/+5
do_async_xor must be compiled away on !HAS_DMA archs. Signed-off-by: Dan Williams <dan.j.williams@intel.com> Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
2008-01-25Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6Linus Torvalds34-2061/+9478
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (125 commits) [CRYPTO] twofish: Merge common glue code [CRYPTO] hifn_795x: Fixup container_of() usage [CRYPTO] cast6: inline bloat-- [CRYPTO] api: Set default CRYPTO_MINALIGN to unsigned long long [CRYPTO] tcrypt: Make xcbc available as a standalone test [CRYPTO] xcbc: Remove bogus hash/cipher test [CRYPTO] xcbc: Fix algorithm leak when block size check fails [CRYPTO] tcrypt: Zero axbuf in the right function [CRYPTO] padlock: Only reset the key once for each CBC and ECB operation [CRYPTO] api: Include sched.h for cond_resched in scatterwalk.h [CRYPTO] salsa20-asm: Remove unnecessary dependency on CRYPTO_SALSA20 [CRYPTO] tcrypt: Add select of AEAD [CRYPTO] salsa20: Add x86-64 assembly version [CRYPTO] salsa20_i586: Salsa20 stream cipher algorithm (i586 version) [CRYPTO] gcm: Introduce rfc4106 [CRYPTO] api: Show async type [CRYPTO] chainiv: Avoid lock spinning where possible [CRYPTO] seqiv: Add select AEAD in Kconfig [CRYPTO] scatterwalk: Handle zero nbytes in scatterwalk_map_and_copy [CRYPTO] null: Allow setkey on digest_null ...
2008-01-11[CRYPTO] cast6: inline bloat--Ilpo Järvinen1-3/+3
Bloat-o-meter shows rather high readings for cast6... crypto/cast6.c: cast6_setkey | -1310 cast6_encrypt | -4567 cast6_decrypt | -4561 3 functions changed, 10438 bytes removed, diff: -10438 crypto/cast6.c: W | +659 Q | +308 QBAR | +316 3 functions changed, 1283 bytes added, diff: +1283 crypto/cast6.o: 6 functions changed, 1283 bytes added, 10438 bytes removed, diff: -9155 Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] tcrypt: Make xcbc available as a standalone testHerbert Xu1-0/+6
Currently the gcm(aes) tests have to be taken together with all other algorithms. This patch makes it available by itself at number 106. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] xcbc: Remove bogus hash/cipher testHerbert Xu1-4/+1
When setting the digest size xcbc tests to see if the underlying algorithm is a hash. This is silly because we don't allow it to be a hash and we've specifically requested for a cipher. This patch removes the bogus test. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] xcbc: Fix algorithm leak when block size check failsHerbert Xu1-1/+2
When the underlying algorithm has a block size other than 16 we abort without freeing it. In fact, we try to return the algorithm itself as an error! This patch plugs the leak and makes it return -EINVAL instead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] tcrypt: Zero axbuf in the right functionHerbert Xu1-1/+1
The axbuf buffer is used by test_aead and therefore should be zeroed there instead of in test_hash. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] salsa20-asm: Remove unnecessary dependency on CRYPTO_SALSA20Tan Swee Heng1-2/+0
Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] tcrypt: Add select of AEADSebastian Siewior1-0/+1
ERROR: "crypto_aead_setauthsize" [crypto/tcrypt.ko] undefined! ERROR: "crypto_alloc_aead" [crypto/tcrypt.ko] undefined! Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] salsa20: Add x86-64 assembly versionTan Swee Heng1-0/+15
This is the x86-64 version of the Salsa20 stream cipher algorithm. The original assembly code came from <http://cr.yp.to/snuffle/salsa20/amd64-3/salsa20.s>. It has been reformatted for clarity. Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] salsa20_i586: Salsa20 stream cipher algorithm (i586 version)Tan Swee Heng1-0/+15
This patch contains the salsa20-i586 implementation. The original assembly code came from <http://cr.yp.to/snuffle/salsa20/x86-pm/salsa20.s>. I have reformatted it (added indents) so that it matches the other algorithms in arch/x86/crypto. Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] gcm: Introduce rfc4106Herbert Xu1-0/+239
This patch introduces the rfc4106 wrapper for GCM just as we have an rfc4309 wrapper for CCM. The purpose of the wrapper is to include part of the IV in the key so that it can be negotiated by IPsec. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] api: Show async typeHerbert Xu2-0/+8
This patch adds an async field to /proc/crypto for ablkcipher and aead algorithms. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] chainiv: Avoid lock spinning where possibleHerbert Xu1-8/+200
This patch makes chainiv avoid spinning by postponing requests on lock contention if the user allows the use of asynchronous algorithms. If a synchronous algorithm is requested then we behave as before. This should improve IPsec performance on SMP when two CPUs attempt to transmit over the same SA. Currently one of them will spin doing nothing waiting for the other CPU to finish its encryption. This patch makes it postpone the request and get on with other work. If only one CPU is transmitting for a given SA, then we will process the request synchronously as before. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] seqiv: Add select AEAD in KconfigHerbert Xu1-0/+1
Now that seqiv supports AEAD algorithms it needs to select the AEAD option. Thanks to Erez Zadok for pointing out the problem. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] scatterwalk: Handle zero nbytes in scatterwalk_map_and_copyHerbert Xu1-0/+3
It's better to return silently than crash and burn when someone feeds us a zero length. In particular the null digest algorithm when used as part of authenc will do that to us. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] null: Allow setkey on digest_null Herbert Xu1-0/+1
We need to allow setkey on digest_null if it is to be used directly by authenc instead of through hmac. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] null: Add null blkcipher algorithmHerbert Xu1-10/+59
This patch adds a null blkcipher algorithm called ecb(cipher_null) for backwards compatibility. Previously the null algorithm when used by IPsec copied the data byte by byte. This new algorithm optimises that to a straight memcpy which lets us better measure inherent overheads in our IPsec code. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] tcrypt: Add CCM vectorsJoy Latten2-2/+289
This patch adds 7 test vectors to tcrypt for CCM. The test vectors are from rfc 3610. There are about 10 more test vectors in RFC 3610 and 4 or 5 more in NIST. I can add these as time permits. I also needed to set authsize. CCM has a prerequisite of authsize. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] ccm: Added CCM modeJoy Latten3-0/+897
This patch adds Counter with CBC-MAC (CCM) support. RFC 3610 and NIST Special Publication 800-38C were referenced. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] aead: Create default givcipher instancesHerbert Xu1-0/+153
This patch makes crypto_alloc_aead always return algorithms that is capable of generating their own IVs through givencrypt and givdecrypt. All existing AEAD algorithms already do. New ones must either supply their own or specify a generic IV generator with the geniv field. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] seqiv: Add AEAD supportHerbert Xu1-16/+175
This patch adds support for using seqiv with AEAD algorithms. This is useful for those AEAD algorithms that performs authentication before encryption because the IV generated by the underlying encryption algorithm won't be available for authentication. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] aead: Add aead_geniv_alloc/aead_geniv_freeHerbert Xu1-5/+211
This patch creates the infrastructure to help the construction of IV generator templates that wrap around AEAD algorithms by adding an IV generator to them. This is useful for AEAD algorithms with no built-in IV generator or to replace their built-in generator. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] aead: Allow algorithms with no givcrypt supportHerbert Xu1-3/+3
Some algorithms always require manual IV construction. For instance, the generic CCM algorithm requires the first byte of the IV to be manually constructed. Such algorithms are always used by other algorithms equipped with their own IV generators and do not need IV generation per se. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] authenc: Add givencrypt operationHerbert Xu1-22/+114
This patch implements the givencrypt function for authenc. It simply calls the givencrypt operation on the underlying cipher instead of encrypt. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] aead: Add givcrypt operationsHerbert Xu1-0/+7
This patch adds the underlying givcrypt operations for aead and associated support elements. The rationale is identical to that of the skcipher givcrypt operations, i.e., sometimes only the algorithm knows how the IV should be generated. A new request type aead_givcrypt_request is added which contains an embedded aead_request structure with two new elements to support this operation. The new elements are seq and giv. The seq field should contain a strictly increasing 64-bit integer which may be used by certain IV generators as an input value. The giv field will be used to store the generated IV. It does not need to obey the alignment requirements of the algorithm because it's not used during the operation. The existing iv field must still be available as it will be used to store intermediate IVs and the output IV if chaining is desired. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] seqiv: Add Sequence Number IV GeneratorHerbert Xu4-0/+198
This generator generates an IV based on a sequence number by xoring it with a salt. This algorithm is mainly useful for CTR and similar modes. This patch also sets it as the default IV generator for ctr. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] gcm: Use crypto_grab_skcipherHerbert Xu1-26/+23
This patch converts the gcm algorithm over to crypto_grab_skcipher which is a prerequisite for IV generation. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] gcm: Allow block cipher parameterHerbert Xu1-24/+89
This patch adds the gcm_base template which takes a block cipher parameter instead of cipher. This allows the user to specify a specific CTR implementation. This also fixes a leak of the cipher algorithm that was previously looked up but never freed. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] authenc: Use crypto_grab_skcipherHerbert Xu1-27/+38
This patch converts the authenc algorithm over to crypto_grab_skcipher which is a prerequisite for IV generation. This patch also changes authenc to set its ASYNC status depending on the ASYNC status of the underlying skcipher. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] skcipher: Create default givcipher instancesHerbert Xu4-6/+177
This patch makes crypto_alloc_ablkcipher/crypto_grab_skcipher always return algorithms that are capable of generating their own IVs through givencrypt and givdecrypt. Each algorithm may specify its default IV generator through the geniv field. For algorithms that do not set the geniv field, the blkcipher layer will pick a default. Currently it's chainiv for synchronous algorithms and eseqiv for asynchronous algorithms. Note that if these wrappers do not work on an algorithm then that algorithm must specify its own geniv or it can't be used at all. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] eseqiv: Add Encrypted Sequence Number IV GeneratorHerbert Xu2-0/+265
This generator generates an IV based on a sequence number by xoring it with a salt and then encrypting it with the same key as used to encrypt the plain text. This algorithm requires that the block size be equal to the IV size. It is mainly useful for CBC. It has one noteworthy property that for IPsec the IV happens to lie just before the plain text so the IV generation simply increases the number of encrypted blocks by one. Therefore the cost of this generator is entirely dependent on the speed of the underlying cipher. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11[CRYPTO] chainiv: Add chain IV generatorHerbert Xu2-0/+140
The chain IV generator is the one we've been using in the IPsec stack. It simply starts out with a random IV, then uses the last block of each encrypted packet's cipher text as the IV for the next packet. It can only be used by synchronous ciphers since we have to make sure that we don't start the encryption of the next packet until the last one has completed. It does have the advantage of using very little CPU time since it doesn't have to generate anything at all. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>