- 19 Jun, 2015 3 commits
-
-
Herbert Xu authored
I incorrectly removed DESC_MAX_USED_BYTES when enlarging the size of the shared descriptor buffers, thus making it four times larger than what is necessary. This patch restores the division by four calculation. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
The struct aead_instance is meant to extend struct crypto_instance by incorporating the extra members of struct aead_alg. However, the current layout which is copied from shash/ahash does not specify the struct fully. In particular only aead_alg is present. For shash/ahash this works because users there add extra headroom to sizeof(struct crypto_instance) when allocating the instance. Unfortunately for aead, this bit was lost when the new aead_instance was added. Rather than fixing it like shash/ahash, this patch simply expands struct aead_instance to contain what is supposed to be there, i.e., adding struct crypto_instance. In order to not break existing AEAD users, this is done through an anonymous union. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
The struct crypto_alg is embedded into various type-specific structs such as aead_alg. This is then used as part of instances such as struct aead_instance. It is also embedded into the generic struct crypto_instance. In order to ensure that struct aead_instance can be converted to struct crypto_instance when necessary, we need to ensure that crypto_alg is aligned properly. This patch adds an alignment attribute to struct crypto_alg to ensure this. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
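How the union-and-alignment arrangement described in the two commit messages above fits together, as an added C illustration that is not the kernel's own header: the structs are cut down to a few members, the names follow the kernel's, and the head[] padding inside the union is the assumed way of placing struct crypto_instance so that its embedded crypto_alg coincides with aead_alg.base.

```c
#include <stddef.h>
#include <stdint.h>

#define CRYPTO_MINALIGN 8	/* stands in for the kernel's CRYPTO_MINALIGN */

/* Cut-down struct crypto_alg carrying the alignment attribute the third commit adds.
 * Member lists in this illustration are assumptions; only nesting and alignment matter. */
struct crypto_alg {
	unsigned int cra_flags;
	unsigned int cra_blocksize;
	char cra_name[32];
	void *cra_module;
} __attribute__((aligned(CRYPTO_MINALIGN)));

struct crypto_instance {
	struct crypto_alg alg;		/* generic view: crypto_alg at offset 0 */
	void *tmpl;
};

struct aead_alg {
	int (*setkey)(void *tfm, const uint8_t *key, unsigned int keylen);
	int (*encrypt)(void *req);
	int (*decrypt)(void *req);
	unsigned int ivsize;
	unsigned int maxauthsize;
	struct crypto_alg base;		/* type-specific view: crypto_alg after the AEAD members */
};

/* The anonymous union the second commit describes, in the assumed arrangement: head[]
 * absorbs the AEAD-specific members so that s.base.alg lands exactly on alg.base. That
 * only works when offsetof(aead_alg, base) is a multiple of crypto_instance's alignment,
 * which is what the aligned attribute on crypto_alg is there to guarantee. */
struct aead_instance {
	union {
		struct {
			char head[offsetof(struct aead_alg, base)];
			struct crypto_instance base;
		} s;
		struct aead_alg alg;
	};
};

_Static_assert(offsetof(struct aead_instance, s.base.alg) == offsetof(struct aead_instance, alg.base),
	       "crypto_alg must sit at the same offset in both views");

static struct crypto_instance *aead_crypto_instance(struct aead_instance *inst)
{
	return &inst->s.base;
}

static struct aead_instance *aead_instance(struct crypto_instance *inst)
{
	return (struct aead_instance *)((char *)inst - offsetof(struct aead_instance, s.base));
}

/* Round-trip both conversions and confirm the generic alg is the same bytes either way */
static int aead_instance_layout_ok(void)
{
	struct aead_instance inst;
	struct crypto_instance *ci = aead_crypto_instance(&inst);

	return aead_instance(ci) == &inst
	    && (void *)&ci->alg == (void *)&inst.alg.base
	    && sizeof(struct aead_instance) >= offsetof(struct aead_alg, base) + sizeof(struct crypto_instance);
}
```

The _Static_assert is the whole point: if crypto_alg lost its alignment attribute and the compiler inserted padding between head[] and s.base, the two offsets would diverge and every aead_crypto_instance() caller would read the wrong bytes as a crypto_alg.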
-
- 18 Jun, 2015 4 commits
-
-
Herbert Xu authored
This patch fixes a number of problems in crypto driver Kconfig entries:
1. Select BLKCIPHER instead of BLKCIPHER2. The latter is internal and should not be used outside of the crypto API itself.
2. Do not select ALGAPI unless you use a legacy type like CRYPTO_ALG_TYPE_CIPHER.
3. Select the algorithm type that you are implementing, e.g., AEAD.
4. Do not select generic C code such as CBC/ECB unless you use them as a fallback.
5. Remove default n since that is the default default.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
The AEAD speed test SG list setup did not correctly mark the AD, potentially causing a crash. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
This patch adds a speed test for rfc4309(ccm(aes)) as mode 212. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Steffen Trumtrar authored
The patch "crypto: caam - Add definition of rd/wr_reg64 for little endian platform" added support for little endian platforms to the CAAM driver, namely a write and read function for 64 bit registers. The only user of these functions is the Job Ring driver (drivers/crypto/caam/jr.c). It uses the functions to set the DMA addresses for the input/output rings. However, at least in the default configuration, the least significant 32 bits are always in the base+0x0004 address, independent of the endianness of the bytes themselves. That means the addresses do not change with the system endianness. DMA addresses are only 32 bits wide on non-64-bit systems, so writing the upper 32 bits of this value to the register for the least significant bits results in the DMA address being set to 0. Fix this by always writing the registers in the same way. Suggested-by: Russell King <linux@arm.linux.org.uk> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
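Added user-space model of the register write this commit message describes; it is not the CAAM driver's code. The 64-bit register is modelled as two 32-bit words with the most significant half at base+0x0 and the least significant half at base+0x4, dma_addr_t is modelled as 32 bits wide, and wr_reg64_endian_dependent() is an assumed reconstruction of the little-endian writer being fixed, shown beside the endianness-independent form.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of one 64-bit CAAM register: word[0] is base+0x0 (most
 * significant half), word[1] is base+0x4 (least significant half), fixed by the
 * hardware layout rather than by host byte order, as the commit message says. */
struct reg64 {
	uint32_t word[2];
};

/* Non-64-bit platform for this illustration: DMA addresses are 32 bits wide */
typedef uint32_t dma_addr_t;

/* Assumed reconstruction of the writer being fixed: it lets host endianness decide
 * which half goes first, so on little-endian hosts the low half lands at base+0x0 */
static void wr_reg64_endian_dependent(struct reg64 *reg, uint64_t data, int host_little_endian)
{
	if (host_little_endian) {
		reg->word[0] = (uint32_t)data;		/* low half into the MS slot */
		reg->word[1] = (uint32_t)(data >> 32);	/* high half into the LS slot */
	} else {
		reg->word[0] = (uint32_t)(data >> 32);
		reg->word[1] = (uint32_t)data;
	}
}

/* Fixed writer: the register layout is the same on every host, so always write it the same way */
static void wr_reg64_fixed(struct reg64 *reg, uint64_t data)
{
	reg->word[0] = (uint32_t)(data >> 32);
	reg->word[1] = (uint32_t)data;
}

/* What the job ring hardware uses as the 32-bit DMA address: the LS half at base+0x4 */
static uint32_t hw_dma_address(const struct reg64 *reg)
{
	return reg->word[1];
}

/* Program a ring base address and report where the hardware would DMA to */
static uint32_t program_ring_base(int host_little_endian, int use_fixed, dma_addr_t ring)
{
	struct reg64 reg;
	uint64_t value = ring;		/* 32-bit dma_addr_t widened: upper 32 bits are zero */

	memset(&reg, 0, sizeof reg);
	if (use_fixed)
		wr_reg64_fixed(&reg, value);
	else
		wr_reg64_endian_dependent(&reg, value, host_little_endian);
	return hw_dma_address(&reg);
}
```

With a little-endian host and a ring at 0x8f000000, the endian-dependent writer leaves the hardware pointing at address 0, exactly the failure the message describes, while the fixed writer and a big-endian host both program 0x8f000000.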
-
- 17 Jun, 2015 12 commits
-
-
Tadeusz Struk authored
New test vectors for RSA algorithm. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Tadeusz Struk authored
Add a new rsa generic SW implementation. This implements only cryptographic primitives. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Added select on ASN1. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Tadeusz Struk authored
Add Public Key Encryption API. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Made CRYPTO_AKCIPHER invisible like other type config options. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Martin Willi authored
The Poly1305 authenticator requires a unique key for each generated tag. This implies that we can't set the key per tfm, as multiple users set individual keys. Instead we pass a desc specific key as the first two blocks of the message to authenticate in update(). Signed-off-by: Martin Willi <martin@strongswan.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
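A stand-alone Poly1305 written the way this commit message describes the kernel API, as an added example rather than the kernel's implementation: there is no setkey on the tfm, and the first two 16-byte blocks passed to update() become r and s for that descriptor only. It self-checks against the RFC 7539 section 2.5.2 vector; the desc struct, limb layout and function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Poly1305 over 2^130-5 with 26-bit limbs. Per the commit message the tfm holds no
 * key: the first two 16-byte blocks fed to update() are r and s for this descriptor. */
struct poly1305_desc { uint32_t r[5], h[5], s[4]; uint8_t buf[16]; size_t buflen; int have_r, have_s; };

static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void st32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* First block: r, clamped per the spec and split into 26-bit limbs */
static void poly1305_setr(struct poly1305_desc *d, const uint8_t *k)
{
	d->r[0] = le32(k) & 0x3ffffff;              d->r[1] = (le32(k + 3) >> 2) & 0x3ffff03;
	d->r[2] = (le32(k + 6) >> 4) & 0x3ffc0ff;   d->r[3] = (le32(k + 9) >> 6) & 0x3f03fff;
	d->r[4] = (le32(k + 12) >> 8) & 0x00fffff;
}

/* Absorb one block: h = (h + m) * r mod p. hibit is 2^128 for full blocks, 0 for the padded tail */
static void poly1305_block(struct poly1305_desc *d, const uint8_t *m, uint32_t hibit)
{
	uint32_t r0 = d->r[0], r1 = d->r[1], r2 = d->r[2], r3 = d->r[3], r4 = d->r[4];
	uint32_t s1 = r1 * 5, s2 = r2 * 5, s3 = r3 * 5, s4 = r4 * 5;
	uint32_t h0 = d->h[0], h1 = d->h[1], h2 = d->h[2], h3 = d->h[3], h4 = d->h[4];
	uint64_t d0, d1, d2, d3, d4, c;

	h0 += le32(m) & 0x3ffffff;               h1 += (le32(m + 3) >> 2) & 0x3ffffff;
	h2 += (le32(m + 6) >> 4) & 0x3ffffff;    h3 += (le32(m + 9) >> 6) & 0x3ffffff;
	h4 += (le32(m + 12) >> 8) | hibit;
	d0 = (uint64_t)h0 * r0 + (uint64_t)h1 * s4 + (uint64_t)h2 * s3 + (uint64_t)h3 * s2 + (uint64_t)h4 * s1;
	d1 = (uint64_t)h0 * r1 + (uint64_t)h1 * r0 + (uint64_t)h2 * s4 + (uint64_t)h3 * s3 + (uint64_t)h4 * s2;
	d2 = (uint64_t)h0 * r2 + (uint64_t)h1 * r1 + (uint64_t)h2 * r0 + (uint64_t)h3 * s4 + (uint64_t)h4 * s3;
	d3 = (uint64_t)h0 * r3 + (uint64_t)h1 * r2 + (uint64_t)h2 * r1 + (uint64_t)h3 * r0 + (uint64_t)h4 * s4;
	d4 = (uint64_t)h0 * r4 + (uint64_t)h1 * r3 + (uint64_t)h2 * r2 + (uint64_t)h3 * r1 + (uint64_t)h4 * r0;
	c = d0 >> 26; h0 = (uint32_t)d0 & 0x3ffffff; d1 += c;  c = d1 >> 26; h1 = (uint32_t)d1 & 0x3ffffff; d2 += c;
	c = d2 >> 26; h2 = (uint32_t)d2 & 0x3ffffff; d3 += c;  c = d3 >> 26; h3 = (uint32_t)d3 & 0x3ffffff; d4 += c;
	c = d4 >> 26; h4 = (uint32_t)d4 & 0x3ffffff; h0 += (uint32_t)c * 5;
	c = h0 >> 26; h0 &= 0x3ffffff; h1 += (uint32_t)c;
	d->h[0] = h0; d->h[1] = h1; d->h[2] = h2; d->h[3] = h3; d->h[4] = h4;
}

/* update(): blocks 1 and 2 are consumed as r and s, everything after that is message */
static void poly1305_update(struct poly1305_desc *d, const uint8_t *data, size_t len)
{
	while (len) {
		size_t take = 16 - d->buflen < len ? 16 - d->buflen : len;
		memcpy(d->buf + d->buflen, data, take);
		d->buflen += take; data += take; len -= take;
		if (d->buflen < 16) break;
		if (!d->have_r) { poly1305_setr(d, d->buf); d->have_r = 1; }
		else if (!d->have_s) { for (int i = 0; i < 4; i++) d->s[i] = le32(d->buf + 4 * i); d->have_s = 1; }
		else poly1305_block(d, d->buf, 1u << 24);
		d->buflen = 0;
	}
}

/* final(): -1 if update() never delivered both key blocks; the desc is wiped afterwards */
static int poly1305_final(struct poly1305_desc *d, uint8_t tag[16])
{
	uint32_t h0, h1, h2, h3, h4, g0, g1, g2, g3, g4, c, mask;
	uint64_t f;

	if (!d->have_r || !d->have_s) return -1;
	if (d->buflen) {	/* partial tail: append 0x01 then zeros, without the 2^128 bit */
		d->buf[d->buflen] = 1; memset(d->buf + d->buflen + 1, 0, 15 - d->buflen);
		poly1305_block(d, d->buf, 0);
	}
	h0 = d->h[0]; h1 = d->h[1]; h2 = d->h[2]; h3 = d->h[3]; h4 = d->h[4];
	c = h1 >> 26; h1 &= 0x3ffffff; h2 += c;  c = h2 >> 26; h2 &= 0x3ffffff; h3 += c;
	c = h3 >> 26; h3 &= 0x3ffffff; h4 += c;  c = h4 >> 26; h4 &= 0x3ffffff; h0 += c * 5;
	c = h0 >> 26; h0 &= 0x3ffffff; h1 += c;
	/* g = h + 5 - 2^130; select g instead of h, in constant time, when h >= p */
	g0 = h0 + 5; c = g0 >> 26; g0 &= 0x3ffffff;  g1 = h1 + c; c = g1 >> 26; g1 &= 0x3ffffff;
	g2 = h2 + c; c = g2 >> 26; g2 &= 0x3ffffff;  g3 = h3 + c; c = g3 >> 26; g3 &= 0x3ffffff;
	g4 = h4 + c - (1u << 26);
	mask = (g4 >> 31) - 1;
	g0 &= mask; g1 &= mask; g2 &= mask; g3 &= mask; g4 &= mask; mask = ~mask;
	h0 = (h0 & mask) | g0; h1 = (h1 & mask) | g1; h2 = (h2 & mask) | g2; h3 = (h3 & mask) | g3; h4 = (h4 & mask) | g4;
	/* repack into four 32-bit words and add s mod 2^128 */
	h0 = h0 | h1 << 26; h1 = h1 >> 6 | h2 << 20; h2 = h2 >> 12 | h3 << 14; h3 = h3 >> 18 | h4 << 8;
	f = (uint64_t)h0 + d->s[0]; h0 = (uint32_t)f;  f = (uint64_t)h1 + d->s[1] + (f >> 32); h1 = (uint32_t)f;
	f = (uint64_t)h2 + d->s[2] + (f >> 32); h2 = (uint32_t)f;  f = (uint64_t)h3 + d->s[3] + (f >> 32); h3 = (uint32_t)f;
	st32(tag, h0); st32(tag + 4, h1); st32(tag + 8, h2); st32(tag + 12, h3);
	memset(d, 0, sizeof *d);	/* the one-time r and s must not outlive the tag */
	return 0;
}

/* One-shot helper: data is r || s || message, the order the kernel API takes it in */
static int poly1305_mac(const uint8_t *key_then_msg, size_t len, uint8_t tag[16])
{
	struct poly1305_desc d = { { 0 } }; poly1305_update(&d, key_then_msg, len);
	return poly1305_final(&d, tag);
}

/* RFC 7539 section 2.5.2 vector, embedded for self-checking */
static const uint8_t rfc7539_key[32] = { 0x85,0xd6,0xbe,0x78,0x57,0x55,0x6d,0x33,0x7f,0x44,0x52,0xfe,0x42,0xd5,0x06,0xa8,
	0x01,0x03,0x80,0x8a,0xfb,0x0d,0xb2,0xfd,0x4a,0xbf,0xf6,0xaf,0x41,0x49,0xf5,0x1b };
static const char rfc7539_msg[] = "Cryptographic Forum Research Group";
static const uint8_t rfc7539_tag[16] = { 0xa8,0x06,0x1d,0xc1,0x30,0x51,0x36,0xc6,0xc2,0x2b,0x8b,0xaf,0x0c,0x01,0x27,0xa9 };

static int poly1305_rfc7539_check(void)
{
	uint8_t in[96], tag[16];
	size_t n = strlen(rfc7539_msg);
	memcpy(in, rfc7539_key, 32); memcpy(in + 32, rfc7539_msg, n);
	return poly1305_mac(in, 32 + n, tag) == 0 && memcmp(tag, rfc7539_tag, 16) == 0;
}
/* Fewer than 32 bytes means the s block never arrived, so no tag can be produced */
static int poly1305_key_only_check(void) { uint8_t tag[16]; return poly1305_mac(rfc7539_key, 20, tag) == -1; }
```

Because r and s ride in the data stream, a caller that reuses the same 32 bytes for two messages has handed the same one-time key to two tags, which is precisely what the "unique key for each generated tag" requirement forbids; the wipe in final() keeps the key from lingering in the desc once the tag is out.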
-
Herbert Xu authored
This patch adds rfc4106 test vectors sourced from draft-mcgrew-gcm-test-01. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
This reverts commit 9b9f9296a7b73fbafe0a0a6f2494eaadd97f9f73 as all in-kernel implementations of GCM have been converted to the new AEAD interface, meaning that they should now pass the updated rfc4543 test. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
This patch converts the caam GCM implementations to the new AEAD interface. This is compile-tested only. Note that all IV generation for GCM algorithms has been removed. The reason is that the current generation uses purely random IVs which is not appropriate for counter-based algorithms where we first and foremost require uniqueness. Of course there is no reason why you couldn't implement seqiv or seqniv within caam since all they do is xor the sequence number with a salt, but since I can't test this on actual hardware I'll leave it alone for now. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
Currently dma_map_sg_chained does not handle errors from the underlying dma_map_sg calls. This patch adds rollback in case of an error by simply calling dma_unmap_sg_chained for the ones that we've already mapped. All current callers ignore the return value so this should have no impact on them. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
This patch converts the nx GCM implementations to the new AEAD interface. This is compile-tested only. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
This patch updates the rfc4543 test vectors to the new format where the IV is part of the AD. For now these vectors are still unused. They will be reactivated once all rfc4543 implementations have migrated. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
This patch converts generic gcm and its associated transforms to the new AEAD interface. The biggest reward is in code reduction for rfc4543 where it used to do IV stitching which is no longer needed as the IV is already part of the AD on input. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
Because the old rfc4543 implementation always injected an IV into the AD, while the new one does not, we have to disable the test while it is converted over to the new AEAD interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 16 Jun, 2015 5 commits
-
-
Victoria Milhoan authored
Fix a "Trying to vfree() nonexistent vm area" error when unloading the CAAM controller module by providing the correct pointer value to iounmap(). Signed-off-by: Victoria Milhoan <vicki.milhoan@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Victoria Milhoan authored
The CAAM driver uses two data buffers to store data for a hashing operation, with one buffer defined as active. This change forces switching of the active buffer when executing a hashing operation to avoid a later DMA unmap using the length of the opposite buffer. Signed-off-by: Victoria Milhoan <vicki.milhoan@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Tadeusz Struk authored
Added an mpi_read_buf() helper function to export an MPI to a buf provided by the user, and a mpi_get_size() helper that tells the user how big the buf is. Changed mpi_free to use kzfree instead of kfree because it is used to free crypto keys. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
This patch reindents the vmx code-base to the kernel coding style. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
The top-level CRYPTO_DEV_VMX option already depends on PPC64 so there is no need to depend on it again at CRYPTO_DEV_VMX_ENCRYPT. This patch also removes a redundant "default n". Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 15 Jun, 2015 3 commits
-
-
Jeremiah Mahler authored
The '__init aesni_init()' function calls the '__exit crypto_fpu_exit()' function directly. Since they are in different sections, this generates a warning.
make CONFIG_DEBUG_SECTION_MISMATCH=y
...
WARNING: arch/x86/crypto/aesni-intel.o(.init.text+0x12b): Section mismatch in reference from the function init_module() to the function .exit.text:crypto_fpu_exit()
The function __init init_module() references a function __exit crypto_fpu_exit(). This is often seen when error handling in the init function uses functionality in the exit path. The fix is often to remove the __exit annotation of crypto_fpu_exit() so it may be used outside an exit section.
Fix the warning by removing the __exit annotation.
Signed-off-by: Jeremiah Mahler <jmmahler@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Dan Streetman authored
Replace the NX842_MEM_COMPRESS define with a function that returns the specific platform driver's required working memory size. The common nx-842.c driver refuses to load if there is no platform driver present, so instead of defining an approximate working memory size that's the maximum approximate size of both platform drivers' size requirements, the platform driver can directly provide its specific, i.e. sizeof(struct nx842_workmem), size requirements which the 842-nx crypto compression driver will use. This saves memory by both reducing the required size of each driver to the specific sizeof() amount, as well as using the specific loaded platform driver's required amount, instead of the maximum of both. Signed-off-by: Dan Streetman <ddstreet@ieee.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Dan Streetman authored
Move the contents of the include/linux/nx842.h header file into the drivers/crypto/nx/nx-842.h header file. Remove the nx842.h header file and its entry in the MAINTAINERS file. The include/linux/nx842.h header originally was there because the crypto/842.c driver needed it to communicate with the nx-842 hw driver. However, that crypto compression driver was moved into the drivers/crypto/nx/ directory, and now can directly include the nx-842.h header. Nothing else needs the public include/linux/nx842.h header file, as all use of the nx-842 hardware driver will be through the "842-nx" crypto compression driver, since the direct nx-842 api is very limited in the buffer alignments and sizes that it will accept, and the crypto compression interface handles those limitations and allows any alignment and size buffers. Signed-off-by: Dan Streetman <ddstreet@ieee.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 12 Jun, 2015 3 commits
-
-
Herbert Xu authored
Currently the driver assumes that the SG list contains exactly the number of bytes required. This assumption is incorrect. Up until now this has been harmless. However with the new AEAD interface this now breaks as the AD SG list contains more bytes than just the AD. This patch fixes this by always clamping the AD SG list by the specified AD length. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
This patch makes use of the new sg_nents_for_len helper to replace the custom sg_count function. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
This driver uses SZ_64K so it should include linux/sizes.h rather than relying on others to pull it in for it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 11 Jun, 2015 2 commits
-
-
Herbert Xu authored
The hash-based DRBG variants all use sha256 so we need to add a select on it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Sergey Senozhatsky authored
Be more verbose and also report ->backend_cra_name when crypto_alloc_shash() or crypto_alloc_cipher() fail in drbg_init_hash_kernel() or drbg_init_sym_kernel() respectively. Example: DRBG: could not allocate digest TFM handle: hmac(sha256) Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 10 Jun, 2015 4 commits
-
-
Stephan Mueller authored
As required by SP800-90A, the DRBG implements a reseeding threshold. This threshold is at 2**48 (64 bit) and 2**32 (32 bit) as implemented in drbg_max_requests. With the recently introduced changes, the DRBG is now always used as a stdrng which is initialized very early in the boot cycle. To ensure that sufficient entropy is present, the Jitter RNG is added to even provide entropy at early boot time. However, the 2nd seed source, the nonblocking pool, is usually degraded at that time. Therefore, the DRBG is seeded with the Jitter RNG (which I believe contains good entropy, which however is questioned by others) and is seeded with a degraded nonblocking pool. This seed is now used for virtually the lifetime of the system (2**48 requests is a lot). The patch now changes the reseed threshold as follows: up until the time the DRBG obtains a seed from a fully initialized nonblocking pool, the reseeding threshold is lowered such that the DRBG is forced to reseed itself reasonably often. Once it obtains the seed from a fully initialized nonblocking pool, the reseed threshold is set to the value required by SP800-90A. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
This patch removes the kernel blocking API as it has been completely replaced by the callback API. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Stephan Mueller authored
The get_blocking_random_bytes API is broken because the wait can be arbitrarily long (potentially forever) so there is no safe way of calling it from within the kernel. This patch replaces it with the new callback API which does not have this problem. The patch also removes the entropy buffer registered with the DRBG handle in favor of stack variables to hold the seed data. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
The get_blocking_random_bytes API is broken because the wait can be arbitrarily long (potentially forever) so there is no safe way of calling it from within the kernel. This patch replaces it with a callback API instead. The callback is invoked potentially from interrupt context so the user needs to schedule their own work thread if necessary. In addition to adding callbacks, they can also be removed as otherwise this opens up a way for user-space to allocate kernel memory with no bound (by opening algif_rng descriptors and then closing them). Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
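Added model of the callback registry this commit message describes (add, remove, fire), not the kernel's random.c; the names and the -EALREADY return are assumptions. descriptor_churn() plays the user-space pattern the message warns about, opening and closing algif_rng descriptors before the pool is ready, once with and once without unregistering on close.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Registry model; field and function names follow the kernel's random-ready callback
 * API only loosely and are assumptions for this illustration */
struct random_ready_callback {
	struct random_ready_callback *next;
	void (*func)(struct random_ready_callback *rdy);
};

static struct random_ready_callback *ready_list;
static int random_is_ready;
static unsigned int registered;		/* entries currently pinning kernel memory */

static void random_ready_reset(void)
{
	ready_list = NULL;
	random_is_ready = 0;
	registered = 0;
}

/* Register a callback; if the pool is already ready there is nothing to wait for */
static int add_random_ready_callback(struct random_ready_callback *rdy)
{
	if (random_is_ready)
		return -EALREADY;
	rdy->next = ready_list;
	ready_list = rdy;
	registered++;
	return 0;
}

/* Unregister: without this, an owner that goes away leaves its entry behind forever */
static void del_random_ready_callback(struct random_ready_callback *rdy)
{
	struct random_ready_callback **pp;

	for (pp = &ready_list; *pp; pp = &(*pp)->next) {
		if (*pp == rdy) {
			*pp = rdy->next;
			registered--;
			return;
		}
	}
}

/* The pool became ready. This may run from interrupt context, so each callback is
 * unlinked and invoked without sleeping; real work must be deferred by the callback */
static unsigned int random_ready_fire(void)
{
	unsigned int fired = 0;

	random_is_ready = 1;
	while (ready_list) {
		struct random_ready_callback *rdy = ready_list;
		ready_list = rdy->next;
		registered--;
		rdy->func(rdy);
		fired++;
	}
	return fired;
}

static unsigned int seed_calls;
static void seed_drbg_cb(struct random_ready_callback *rdy) { (void)rdy; seed_calls++; }

/* User space opens and closes an algif_rng-style descriptor n times before the pool is
 * ready. Each open allocates and registers a callback; close either unregisters and
 * frees it, or (the case the commit message closes off) forgets it and leaves the
 * allocation linked. Returns how many entries are still registered afterwards. */
static unsigned int descriptor_churn(unsigned int n, int del_on_close)
{
	unsigned int i;

	random_ready_reset();
	for (i = 0; i < n; i++) {
		struct random_ready_callback *rdy = calloc(1, sizeof *rdy);
		if (!rdy)
			abort();
		rdy->func = seed_drbg_cb;
		add_random_ready_callback(rdy);
		if (del_on_close) {
			del_random_ready_callback(rdy);
			free(rdy);
		}
	}
	return registered;
}

/* Register two owners, drop one before readiness, fire, then try to register late */
static int ready_sequence_check(void)
{
	struct random_ready_callback a = { .func = seed_drbg_cb }, b = { .func = seed_drbg_cb };

	random_ready_reset();
	seed_calls = 0;
	if (add_random_ready_callback(&a) || add_random_ready_callback(&b))
		return 0;
	del_random_ready_callback(&b);
	if (random_ready_fire() != 1 || seed_calls != 1)
		return 0;
	return add_random_ready_callback(&a) == -EALREADY && registered == 0;
}
```

With unregistration on close the registry stays empty no matter how many descriptors user space cycles; without it every cycle pins another allocation until the pool fires, which is the unbounded growth the message describes.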
-
- 09 Jun, 2015 4 commits
-
-
Herbert Xu authored
nios2 is the only architecture that does not inline get_cycles and does not export it. This breaks crypto as it uses get_cycles in a number of modules. Reported-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Stephan Mueller authored
Replace the global -O0 compiler flag from the Makefile with GCC pragmas to mark only the functions required to be compiled without optimizations. This patch also adds a comment describing the rationale for the functions chosen to be compiled without optimizations. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Herbert Xu authored
Currently caam assumes that the SG list contains exactly the number of bytes required. This assumption is incorrect. Up until now this has been harmless. However with the new AEAD interface this now breaks as the AD SG list contains more bytes than just the AD. This patch fixes this by always clamping the AD SG list by the specified AD length. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Tadeusz Struk authored
This patch fixes an issue when building an internal AD representation. We need to check assoclen and not only blindly loop over assoc sgl. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
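Added user-space model of the AD scatterlist clamping that this commit and the two earlier ones on the same theme (clamping the AD SG list by the specified AD length, replacing a custom sg_count with sg_nents_for_len) describe; it is not the kernel's scatterlist code. The list is an array of (buffer, length) entries, the request layout is the new one where the AD occupies the first assoclen bytes of a list that also carries IV and ciphertext, and the sample entries are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed scatterlist model: one entry per (buffer, length) pair */
struct sg_entry {
	const uint8_t *buf;
	unsigned int len;
};

/* Entries needed to cover len bytes, or -EINVAL if the list is too short; this is the
 * contract the commits rely on from sg_nents_for_len (assumed, modelled here) */
static int nents_for_len(const struct sg_entry *sg, unsigned int nents, unsigned int len)
{
	unsigned int total = 0, i;

	if (!len)
		return 0;
	for (i = 0; i < nents; i++) {
		total += sg[i].len;
		if (total >= len)
			return (int)(i + 1);
	}
	return -EINVAL;
}

/* The assumption being fixed: every byte in the list is AD, so walk it to the end */
static size_t gather_ad_unclamped(const struct sg_entry *sg, unsigned int nents, uint8_t *out, size_t outsz)
{
	size_t n = 0;
	unsigned int i;

	for (i = 0; i < nents && n < outsz; i++) {
		size_t take = sg[i].len;
		if (take > outsz - n)
			take = outsz - n;
		memcpy(out + n, sg[i].buf, take);
		n += take;
	}
	return n;
}

/* The fix: only the first assoclen bytes are AD, stop there even in the middle of an entry */
static size_t gather_ad_clamped(const struct sg_entry *sg, unsigned int nents, unsigned int assoclen, uint8_t *out, size_t outsz)
{
	size_t n = 0;
	int need = nents_for_len(sg, nents, assoclen);
	int i;

	if (need < 0 || assoclen > outsz)
		return 0;
	for (i = 0; i < need; i++) {
		size_t take = sg[i].len;
		if (take > assoclen - n)
			take = assoclen - n;
		memcpy(out + n, sg[i].buf, take);
		n += take;
	}
	return n;
}

/* Constructed request: 12 bytes of AD, a 16-byte IV and 4 bytes of ciphertext, laid out
 * in three entries; the first entry holds the AD plus the start of the IV */
static const uint8_t sample_entry0[16] = { 'a','s','s','o','c','-','d','a','t','a','1','2', 0x10,0x11,0x12,0x13 };
static const uint8_t sample_entry1[12] = { 0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f };
static const uint8_t sample_entry2[4]  = { 0xde,0xad,0xbe,0xef };
static const struct sg_entry sample_sg[3] = {
	{ sample_entry0, 16 }, { sample_entry1, 12 }, { sample_entry2, 4 },
};
#define SAMPLE_ASSOCLEN 12u

static size_t demo_unclamped_len(void)
{
	uint8_t out[64];
	return gather_ad_unclamped(sample_sg, 3, out, sizeof out);	/* 32: IV and ciphertext leak into the "AD" */
}

static size_t demo_clamped_len(void)
{
	uint8_t out[64];
	return gather_ad_clamped(sample_sg, 3, SAMPLE_ASSOCLEN, out, sizeof out);	/* 12 */
}

static int demo_clamped_matches_ad(void)
{
	uint8_t out[64];
	size_t n = gather_ad_clamped(sample_sg, 3, SAMPLE_ASSOCLEN, out, sizeof out);
	return n == SAMPLE_ASSOCLEN && memcmp(out, sample_entry0, SAMPLE_ASSOCLEN) == 0;
}
```

The unclamped walk authenticates 20 bytes it was never asked to (the IV and ciphertext), so the tag no longer matches what a correct peer computes; with a hardware engine it also means DMA descriptors sized from the list rather than from assoclen, which is how the earlier caam message ends up at "potentially causing a crash". nents_for_len() returning -EINVAL on a short list is the check a driver should act on before building any descriptor.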
-