summaryrefslogtreecommitdiff
path: root/crypto
AgeCommit message (Collapse)AuthorFilesLines
2015-06-04crypto: testmgr - Add Poly1305 test vectors from RFC7539Martin Willi2-0/+268
Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-04crypto: poly1305 - Add a generic Poly1305 authenticator implementationMartin Willi3-0/+310
Poly1305 is a fast message authenticator designed by Daniel J. Bernstein. It is further defined in RFC7539 as a building block for the ChaCha20-Poly1305 AEAD for use in IETF protocols. This is a portable C implementation of the algorithm without architecture specific optimizations, based on public domain code by Daniel J. Bernstein and Andrew Moon. Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-04crypto: testmgr - Add ChaCha20 test vectors from RFC7539Martin Willi2-0/+192
We explicitly set the Initial block Counter by prepending it to the nonce in Little Endian. The same test vector is used for both encryption and decryption, ChaCha20 is a cipher XORing a keystream. Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-04crypto: chacha20 - Add a generic ChaCha20 stream cipher implementationMartin Willi3-0/+230
ChaCha20 is a high speed 256-bit key size stream cipher algorithm designed by Daniel J. Bernstein. It is further specified in RFC7539 for use in IETF protocols as a building block for the ChaCha20-Poly1305 AEAD. This is a portable C implementation without any architecture specific optimizations. It uses a 16-byte IV, which includes the 12-byte ChaCha20 nonce prepended by the initial block counter. Some algorithms require an explicit counter value, for example the mentioned AEAD construction. Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-03crypto: scatterwalk - Hide PageSlab call to optimise away flush_dcache_pageHerbert Xu1-1/+5
On architectures where flush_dcache_page is not needed, we will end up generating all the code up to the PageSlab call. This is because PageSlab operates on a volatile pointer and thus cannot be optimised away. This patch works around this by checking whether flush_dcache_page is needed before we call PageSlab which then allows PageSlab to be compiled awy. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-03crypto: cryptd - Convert to new AEAD interfaceHerbert Xu1-35/+29
This patch converts cryptd to the new AEAD interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-03crypto: cryptd - Add setkey/setauthsize functions for AEADHerbert Xu1-2/+20
This patch adds setkey and setauthsize for cryptd AEAD. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-03crypto: pcrypt - Add support for new AEAD interfaceHerbert Xu1-95/+40
This patch converts pcrypt over to the new AEAD interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-03crypto: aead - Add multiple algorithm registration interfaceHerbert Xu1-0/+29
This patch adds the helpers that allow the registration and removal of multiple algorithms. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-03crypto: aead - Ignore return value from crypto_unregister_algHerbert Xu1-2/+2
No new code should be using the return value of crypto_unregister_alg as it will become void soon. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-03crypto: api - Include alignment in crypto_alg_extsizeHerbert Xu1-1/+2
This patch ensures that the tfm context always has enough extra memory to ensure that it is aligned according to cra_alignment. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-03crypto: aead - Add type-safe init/exit functionsHerbert Xu1-0/+14
As it stands the only non-type safe functions left in the new AEAD interface are the cra_init/cra_exit functions. It means exposing the ugly __crypto_aead_cast to every AEAD implementor. This patch adds type-safe init/exit functions to AEAD. Existing algorithms are unaffected while new implementations can simply fill in these two instead of cra_init/cra_exit. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-03Revert "crypto: algif_aead - Disable AEAD user-space for now"Herbert Xu1-0/+9
This reverts commit f858c7bcca8c20761a20593439fe998b4b67e86b as the algif_aead interface has been switched over to the new AEAD interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-01Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netDavid S. Miller1-9/+0
Conflicts: drivers/net/phy/amd-xgbe-phy.c drivers/net/wireless/iwlwifi/Kconfig include/net/mac80211.h iwlwifi/Kconfig and mac80211.h were both trivial overlapping changes. The drivers/net/phy/amd-xgbe-phy.c file got removed in 'net-next' and the bug fix that happened on the 'net' side is already integrated into the rest of the amd-xgbe driver. Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-28crypto: jitterentropy - remove timekeeping_valid_for_hresStephan Mueller1-3/+0
The patch removes the use of timekeeping_valid_for_hres which is now marked as internal for the time keeping subsystem. The jitterentropy does not really require this verification as a coarse timer (when random_get_entropy is absent) is discovered by the initialization test of jent_entropy_init, which would cause the jitter rng to not load in that case. Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: algif_aead - Switch to new AEAD interfaceHerbert Xu1-58/+8
This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text. Note that the user-space interface now requires both input and output to be of the same length, and both must include space for the AD as well as the authentication tag. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: tcrypt - Switch to new AEAD interfaceHerbert Xu1-8/+7
This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: testmgr - Switch to new AEAD interfaceHerbert Xu1-39/+48
This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: seqiv - Fix module unload/reload crashHerbert Xu1-0/+1
On module unload we weren't unregistering the seqniv template, thus leading to a crash the next time someone walks the template list. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: seqiv - Fix IV size in context size calculationHerbert Xu1-1/+1
This patch fixes a bug in the context size calculation where we were still referring to the old cra_aead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: seqiv - Use common IV generation codeHerbert Xu1-56/+36
This patch makes use of the new common IV generation code. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: seqiv - Copy AD along with plain/cipher textHerbert Xu1-27/+6
As the AD does not necessarily exist in the destination buffer it must be copied along with the plain/cipher text. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: echainiv - Fix IV size in context size calculationHerbert Xu1-1/+1
This patch fixes a bug in the context size calculation where we were still referring to the old cra_aead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: echainiv - Use common IV generation codeHerbert Xu1-212/+18
This patch makes use of the new common IV generation code. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: echainiv - Copy AD along with plain textHerbert Xu1-8/+2
As the AD does not necessarily exist in the destination buffer it must be copied along with the plain text. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: aead - Add common IV generation codeHerbert Xu1-3/+202
This patch adds some common IV generation code currently duplicated by seqiv and echainiv. For example, the setkey and setauthsize functions are completely identical. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: aead - Preserve in-place processing in old_cryptHerbert Xu1-1/+2
This patch tries to preserve in-place processing in old_crypt as various algorithms are optimised for in-place processing where src == dst. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28crypto: scatterwalk - Add missing sg_init_table to scatterwalk_ffwdHerbert Xu1-0/+1
We need to call sg_init_table as otherwise the first entry may inadvertently become the last. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-28Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6Herbert Xu2-14/+4
Merge the crypto tree for 4.1 to pull in the changeset that disables algif_aead.
2015-05-27Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6Linus Torvalds1-9/+0
Pull crypto fix from Herbert Xu: "This disables the newly (4.1) added user-space AEAD interface so that we can fix issues in the underlying kernel AEAD interface. Once the new kernel AEAD interface is ready we can then reenable the user-space AEAD interface" * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: algif_aead - Disable AEAD user-space for now
2015-05-27crypto: jitterentropy - add jitterentropy RNGStephan Mueller4-0/+925
The CPU Jitter RNG provides a source of good entropy by collecting CPU executing time jitter. The entropy in the CPU execution time jitter is magnified by the CPU Jitter Random Number Generator. The CPU Jitter Random Number Generator uses the CPU execution timing jitter to generate a bit stream which complies with different statistical measurements that determine the bit stream is random. The CPU Jitter Random Number Generator delivers entropy which follows information theoretical requirements. Based on these studies and the implementation, the caller can assume that one bit of data extracted from the CPU Jitter Random Number Generator holds one bit of entropy. The CPU Jitter Random Number Generator provides a decentralized source of entropy, i.e. every caller can operate on a private state of the entropy pool. The RNG does not have any dependencies on any other service in the kernel. The RNG only needs a high-resolution time stamp. Further design details, the cryptographic assessment and large array of test results are documented at http://www.chronox.de/jent.html. CC: Andreas Steffen <andreas.steffen@strongswan.org> CC: Theodore Ts'o <tytso@mit.edu> CC: Sandy Harris <sandyinchina@gmail.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-27crypto: drbg - use Jitter RNG to obtain seedStephan Mueller1-7/+45
During initialization, the DRBG now tries to allocate a handle of the Jitter RNG. If such a Jitter RNG is available during seeding, the DRBG pulls the required entropy/nonce string from get_random_bytes and concatenates it with a string of equal size from the Jitter RNG. That combined string is now the seed for the DRBG. Written differently, the initial seed of the DRBG is now: get_random_bytes(entropy/nonce) || jitterentropy (entropy/nonce) If the Jitter RNG is not available, the DRBG only seeds from get_random_bytes. CC: Andreas Steffen <andreas.steffen@strongswan.org> CC: Theodore Ts'o <tytso@mit.edu> CC: Sandy Harris <sandyinchina@gmail.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-27crypto: drbg - add async seeding operationStephan Mueller1-0/+24
The async seeding operation is triggered during initalization right after the first non-blocking seeding is completed. As required by the asynchronous operation of random.c, a callback function is provided that is triggered by random.c once entropy is available. That callback function performs the actual seeding of the DRBG. CC: Andreas Steffen <andreas.steffen@strongswan.org> CC: Theodore Ts'o <tytso@mit.edu> CC: Sandy Harris <sandyinchina@gmail.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-27crypto: drbg - prepare for async seedingStephan Mueller1-27/+54
In order to prepare for the addition of the asynchronous seeding call, the invocation of seeding the DRBG is moved out into a helper function. In addition, a block of memory is allocated during initialization time that will be used as a scratchpad for obtaining entropy. That scratchpad is used for the initial seeding operation as well as by the asynchronous seeding call. The memory must be zeroized every time the DRBG seeding call succeeds to avoid entropy data lingering in memory. CC: Andreas Steffen <andreas.steffen@strongswan.org> CC: Theodore Ts'o <tytso@mit.edu> CC: Sandy Harris <sandyinchina@gmail.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-26crypto: algif_aead - Disable AEAD user-space for nowHerbert Xu1-9/+0
The newly added AEAD user-space isn't quite ready for prime time just yet. In particular it is conflicting with the AEAD single SG list interface change so this patch disables it now. Once the SG list stuff is completely done we can then renable this interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: aead - Remove unused cryptoff parameterHerbert Xu3-10/+8
This patch removes the cryptoff parameter now that all users set it to zero. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: seqiv - Stop using cryptoffHerbert Xu1-67/+158
The cryptoff parameter was added to facilitate the skipping of IVs that sit between the AD and the plain/cipher text. However, it was never implemented correctly as and we do not handle users such as IPsec setting cryptoff. It is simply ignored. Implementing correctly is in fact more trouble than what it's worth. This patch removes the uses of cryptoff by moving the AD forward to fill the gap left by the IV. The AD is moved back after the underlying AEAD processing is finished. This is in fact beter than the cryptoff solution because it allows algorithms that use seqniv (i.e., GCM and CCM) to hash the whole packet as a single piece, while cryptoff meant that there was guaranteed to be a gap. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: echainiv - Stop using cryptoffHerbert Xu1-12/+23
The cryptoff parameter was added to facilitate the skipping of IVs that sit between the AD and the plain/cipher text. However, it was never implemented correctly as and we do not handle users such as IPsec setting cryptoff. It is simply ignored. Implementing correctly is in fact more trouble than what it's worth. This patch removes the uses of cryptoff and simply falls back to using the old AEAD interface as it's only needed for old AEAD implementations. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: aead - Do not set cra_type for new style instancesHerbert Xu1-3/+1
The function aead_geniv_alloc currently sets cra_type even for new style instances. This is unnecessary and may hide bugs such as when our caller uses crypto_register_instance instead of the correct aead_register_instance. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: echainiv - Use aead_register_instanceHerbert Xu1-19/+23
New style AEAD instances must use aead_register_instance. This worked by chance because aead_geniv_alloc is still setting things the old way. This patch converts the template over to the create model where we are responsible for instance registration so that we can call the correct function. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: seqiv - Use aead_register_instanceHerbert Xu1-56/+79
New style AEAD instances must use aead_register_instance. This worked by chance because aead_geniv_alloc is still setting things the old way. This patch converts the template over to the create model where we are responsible for instance registration so that we can call the correct function. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: aead - Use tmpl->createHerbert Xu1-0/+8
Newer templates use tmpl->create and have a NULL tmpl->alloc. So we must use tmpl->create if it is set. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: skcipher - Use tmpl->createHerbert Xu1-0/+8
Newer templates use tmpl->create and have a NULL tmpl->alloc. So we must use tmpl->create if it is set. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: echainiv - echainiv_read_iv() can be staticWu Fengguang1-2/+2
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: pcrypt - Make tfm_count an atomic_tHerbert Xu1-4/+4
The variable tfm_count is accessed by multiple threads without locking. This patch converts it to an atomic_t. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: aead - Add crypto_aead_alg_ivsize/maxauthsizeHerbert Xu1-12/+3
AEAD algorithm implementors need to figure out a given algorithm's IV size and maximum authentication size. During the transition this is difficult to do as an algorithm could be new style or old style. This patch creates two helpers to make this easier. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: testmgr - Added one larger ghash testvector (400 bytes) to the testmgr.Harald Freudenberger1-1/+58
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-23Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netDavid S. Miller1-5/+4
Conflicts: drivers/net/ethernet/cadence/macb.c drivers/net/phy/phy.c include/linux/skbuff.h net/ipv4/tcp.c net/switchdev/switchdev.c Switchdev was a case of RTNH_H_{EXTERNAL --> OFFLOAD} renaming overlapping with net-next changes of various sorts. phy.c was a case of two changes, one adding a local variable to a function whilst the second was removing one. tcp.c overlapped a deadlock fix with the addition of new tcp_info statistic values. macb.c involved the addition of two zyncq device entries. skbuff.h involved adding back ipv4_daddr to nf_bridge_info whilst net-next changes put two other existing members of that struct into a union. Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-22crypto: echainiv - Add encrypted chain IV generatorHerbert Xu3-0/+542
This patch adds a new AEAD IV generator echainiv. It is intended to replace the existing skcipher IV generator eseqiv. If the underlying AEAD algorithm is using the old AEAD interface, then echainiv will simply use its IV generator. Otherwise, echainiv will encrypt a counter just like eseqiv but it'll first xor it against a previously stored IV similar to chainiv. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: seqiv - Add seqnivHerbert Xu1-1/+70
This patch adds a new IV generator seqniv which is identical to seqiv except that it skips the IV when authenticating. This is intended to be used by algorithms such as rfc4106 that does the IV authentication implicitly. Note that the code used for seqniv is in fact identical to the compatibility case for seqiv. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>