* crypto: chacha20poly1305 - Add an IPsec variant for RFC7539 AEAD (Martin Willi, 2015-06-04, 1 file changed, -1/+25)
  draft-ietf-ipsecme-chacha20-poly1305 defines the use of ChaCha20/Poly1305 in ESP. It uses additional four byte key material as a salt, which is then used with an 8 byte IV to form the ChaCha20 nonce as defined in the RFC7539.
  Signed-off-by: Martin Willi <martin@strongswan.org>
  Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Add ChaCha20-Poly1305 test vectors from RFC7539 (Martin Willi, 2015-06-04, 2 files changed, -0/+284)
  Signed-off-by: Martin Willi <martin@strongswan.org>
  Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539 (Martin Willi, 2015-06-04, 3 files changed, -0/+676)
  This AEAD uses a chacha20 ablkcipher and a poly1305 ahash to construct the ChaCha20-Poly1305 AEAD as defined in RFC7539. It supports both synchronous and asynchronous operations, even if we currently have no async chacha20 or poly1305 drivers.
  Signed-off-by: Martin Willi <martin@strongswan.org>
  Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Add Poly1305 test vectors from RFC7539 (Martin Willi, 2015-06-04, 2 files changed, -0/+268)
  Signed-off-by: Martin Willi <martin@strongswan.org>
  Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: poly1305 - Add a generic Poly1305 authenticator implementation (Martin Willi, 2015-06-04, 3 files changed, -0/+310)
  Poly1305 is a fast message authenticator designed by Daniel J. Bernstein. It is further defined in RFC7539 as a building block for the ChaCha20-Poly1305 AEAD for use in IETF protocols. This is a portable C implementation of the algorithm without architecture specific optimizations, based on public domain code by Daniel J. Bernstein and Andrew Moon.
  Signed-off-by: Martin Willi <martin@strongswan.org>
  Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Add ChaCha20 test vectors from RFC7539 (Martin Willi, 2015-06-04, 2 files changed, -0/+192)
  We explicitly set the Initial block Counter by prepending it to the nonce in Little Endian. The same test vector is used for both encryption and decryption, ChaCha20 is a cipher XORing a keystream.
  Signed-off-by: Martin Willi <martin@strongswan.org>
  Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: chacha20 - Add a generic ChaCha20 stream cipher implementation (Martin Willi, 2015-06-04, 3 files changed, -0/+230)
  ChaCha20 is a high speed 256-bit key size stream cipher algorithm designed by Daniel J. Bernstein. It is further specified in RFC7539 for use in IETF protocols as a building block for the ChaCha20-Poly1305 AEAD. This is a portable C implementation without any architecture specific optimizations. It uses a 16-byte IV, which includes the 12-byte ChaCha20 nonce prepended by the initial block counter. Some algorithms require an explicit counter value, for example the mentioned AEAD construction.
  Signed-off-by: Martin Willi <martin@strongswan.org>
  Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: ccp - Protect against poorly marked end of sg list (Tom Lendacky, 2015-06-03, 1 file changed, -2/+5)
  Scatter gather lists can be created with more available entries than are actually used (e.g. using sg_init_table() to reserve a specific number of sg entries, but in actuality using something less than that based on the data length). The caller sometimes fails to mark the last entry with sg_mark_end(). In these cases, sg_nents() will return the original size of the sg list as opposed to the actual number of sg entries that contain valid data. On arm64, if the sg_nents() value is used in a call to dma_map_sg() in this situation, then it causes a BUG_ON in lib/swiotlb.c because an "empty" sg list entry results in dma_capable() returning false and swiotlb trying to create a bounce buffer of size 0. This occurred in the userspace crypto interface before being fixed by 0f477b655a52 ("crypto: algif - Mark sgl end at the end of data"). Protect against this by using the new sg_nents_for_len() function which returns only the number of sg entries required to meet the desired length and supplying that value to dma_map_sg().
  Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* scatterlist: introduce sg_nents_for_len (Tom Lendacky, 2015-06-03, 2 files changed, -0/+33)
  When performing a dma_map_sg() call, the number of sg entries to map is required. Using sg_nents to retrieve the number of sg entries will return the total number of entries in the sg list up to the entry marked as the end. If there happen to be unused entries in the list, these will still be counted. Some dma_map_sg() implementations will not handle the unused entries correctly (lib/swiotlb.c) and execute a BUG_ON. The sg_nents_for_len() function will traverse the sg list and return the number of entries required to satisfy the supplied length argument. This can then be supplied to the dma_map_sg() call to successfully map the sg.
  Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: scatterwalk - Hide PageSlab call to optimise away flush_dcache_page (Herbert Xu, 2015-06-03, 1 file changed, -1/+5)
  On architectures where flush_dcache_page is not needed, we will end up generating all the code up to the PageSlab call. This is because PageSlab operates on a volatile pointer and thus cannot be optimised away. This patch works around this by checking whether flush_dcache_page is needed before we call PageSlab which then allows PageSlab to be compiled away.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aesni - Convert rfc4106 to new AEAD interface (Herbert Xu, 2015-06-03, 1 file changed, -167/+83)
  This patch converts the low-level __gcm-aes-aesni algorithm to the new AEAD interface.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: nx - prevent nx 842 load if no hw driver (Dan Streetman, 2015-06-03, 6 files changed, -135/+148)
  Change the nx-842 common driver to wait for loading of both platform drivers, and fail loading if the platform driver pointer is not set. Add an independent platform driver pointer, that the platform drivers set if they find they are able to load (i.e. if they find their platform devicetree node(s)). The problem is that currently, the main nx-842 driver will stay loaded even if there is no platform driver and thus no possible way it can do any compression or decompression. This allows the crypto 842-nx driver to load even if it won't actually work. For crypto compression users (e.g. zswap) that expect an available crypto compression driver to actually work, this is bad. This patch fixes that, so the 842-nx crypto compression driver won't load if it doesn't have the driver and hardware available to perform the compression.
  Signed-off-by: Dan Streetman <ddstreet@ieee.org>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: cryptd - Convert to new AEAD interface (Herbert Xu, 2015-06-03, 1 file changed, -35/+29)
  This patch converts cryptd to the new AEAD interface.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aesni - Convert top-level rfc4106 algorithm to new interface (Herbert Xu, 2015-06-03, 1 file changed, -89/+83)
  This patch converts rfc4106-gcm-aesni to the new AEAD interface. The low-level interface remains as is for now because we can't touch it until cryptd itself is upgraded. In the conversion I've also removed the duplicate copy of the context in the top-level algorithm. Now all processing is carried out in the low-level __driver-gcm-aes-aesni algorithm.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: cryptd - Add setkey/setauthsize functions for AEAD (Herbert Xu, 2015-06-03, 1 file changed, -2/+20)
  This patch adds setkey and setauthsize for cryptd AEAD.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: pcrypt - Add support for new AEAD interface (Herbert Xu, 2015-06-03, 1 file changed, -95/+40)
  This patch converts pcrypt over to the new AEAD interface.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Add multiple algorithm registration interface (Herbert Xu, 2015-06-03, 2 files changed, -0/+31)
  This patch adds the helpers that allow the registration and removal of multiple algorithms.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Ignore return value from crypto_unregister_alg (Herbert Xu, 2015-06-03, 2 files changed, -3/+3)
  No new code should be using the return value of crypto_unregister_alg as it will become void soon.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: api - Include alignment in crypto_alg_extsize (Herbert Xu, 2015-06-03, 1 file changed, -1/+2)
  This patch ensures that the tfm context always has enough extra memory to ensure that it is aligned according to cra_alignment.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Add aead_alg_instance (Herbert Xu, 2015-06-03, 1 file changed, -0/+5)
  Now that type-safe init/exit functions exist, they often need to access the underlying aead_instance. So this patch adds the helper aead_alg_instance to access aead_instance from a crypto_aead object.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Add type-safe init/exit functions (Herbert Xu, 2015-06-03, 2 files changed, -0/+27)
  As it stands the only non-type safe functions left in the new AEAD interface are the cra_init/cra_exit functions. It means exposing the ugly __crypto_aead_cast to every AEAD implementor. This patch adds type-safe init/exit functions to AEAD. Existing algorithms are unaffected while new implementations can simply fill in these two instead of cra_init/cra_exit.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: doc - cover new AEAD interface (Stephan Mueller, 2015-06-03, 2 files changed, -7/+21)
  The patch updates the DocBook to cover the new AEAD interface implementation.
  Signed-off-by: Stephan Mueller <smueller@chronox.de>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* Revert "crypto: algif_aead - Disable AEAD user-space for now" (Herbert Xu, 2015-06-03, 1 file changed, -0/+9)
  This reverts commit f858c7bcca8c20761a20593439fe998b4b67e86b as the algif_aead interface has been switched over to the new AEAD interface.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: jitterentropy - remove timekeeping_valid_for_hres (Stephan Mueller, 2015-05-28, 1 file changed, -3/+0)
  The patch removes the use of timekeeping_valid_for_hres which is now marked as internal for the time keeping subsystem. The jitterentropy does not really require this verification as a coarse timer (when random_get_entropy is absent) is discovered by the initialization test of jent_entropy_init, which would cause the jitter rng to not load in that case.
  Reported-by: kbuild test robot <fengguang.wu@intel.com>
  Signed-off-by: Stephan Mueller <smueller@chronox.de>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: algif_aead - Switch to new AEAD interface (Herbert Xu, 2015-05-28, 1 file changed, -58/+8)
  This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text. Note that the user-space interface now requires both input and output to be of the same length, and both must include space for the AD as well as the authentication tag.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: tcrypt - Switch to new AEAD interface (Herbert Xu, 2015-05-28, 1 file changed, -8/+7)
  This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* mac80211: Switch to new AEAD interface (Herbert Xu, 2015-05-28, 3 files changed, -39/+33)
  This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text.
  Tested-by: Johannes Berg <johannes@sipsolutions.net>
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* mac802154: Switch to new AEAD interface (Herbert Xu, 2015-05-28, 1 file changed, -27/+14)
  This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* esp6: Switch to new AEAD interface (Herbert Xu, 2015-05-28, 1 file changed, -78/+122)
  This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text. The IV generation is also now carried out through normal AEAD methods.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* esp4: Switch to new AEAD interface (Herbert Xu, 2015-05-28, 1 file changed, -78/+122)
  This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text. The IV generation is also now carried out through normal AEAD methods.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* ipsec: Add IV generator information to xfrm_state (Herbert Xu, 2015-05-28, 3 files changed, -9/+33)
  This patch adds IV generator information to xfrm_state. This is currently obtained from our own list of algorithm descriptions.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* xfrm: Add IV generator information to xfrm_algo_desc (Herbert Xu, 2015-05-28, 2 files changed, -0/+18)
  This patch adds IV generator information for each AEAD and block cipher to xfrm_algo_desc. This will be used to access the new AEAD interface.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Switch to new AEAD interface (Herbert Xu, 2015-05-28, 1 file changed, -39/+48)
  This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: seqiv - Fix module unload/reload crash (Herbert Xu, 2015-05-28, 1 file changed, -0/+1)
  On module unload we weren't unregistering the seqniv template, thus leading to a crash the next time someone walks the template list.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: seqiv - Fix IV size in context size calculation (Herbert Xu, 2015-05-28, 1 file changed, -1/+1)
  This patch fixes a bug in the context size calculation where we were still referring to the old cra_aead.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: seqiv - Use common IV generation code (Herbert Xu, 2015-05-28, 1 file changed, -56/+36)
  This patch makes use of the new common IV generation code.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: seqiv - Copy AD along with plain/cipher text (Herbert Xu, 2015-05-28, 1 file changed, -27/+6)
  As the AD does not necessarily exist in the destination buffer it must be copied along with the plain/cipher text.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: echainiv - Fix IV size in context size calculation (Herbert Xu, 2015-05-28, 1 file changed, -1/+1)
  This patch fixes a bug in the context size calculation where we were still referring to the old cra_aead.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: echainiv - Use common IV generation code (Herbert Xu, 2015-05-28, 1 file changed, -212/+18)
  This patch makes use of the new common IV generation code.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: echainiv - Copy AD along with plain text (Herbert Xu, 2015-05-28, 1 file changed, -8/+2)
  As the AD does not necessarily exist in the destination buffer it must be copied along with the plain text.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Add common IV generation code (Herbert Xu, 2015-05-28, 2 files changed, -3/+226)
  This patch adds some common IV generation code currently duplicated by seqiv and echainiv. For example, the setkey and setauthsize functions are completely identical.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Preserve in-place processing in old_crypt (Herbert Xu, 2015-05-28, 1 file changed, -1/+2)
  This patch tries to preserve in-place processing in old_crypt as various algorithms are optimised for in-place processing where src == dst.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: scatterwalk - Add missing sg_init_table to scatterwalk_ffwd (Herbert Xu, 2015-05-28, 1 file changed, -0/+1)
  We need to call sg_init_table as otherwise the first entry may inadvertently become the last.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Document behaviour of AD in destination buffer (Herbert Xu, 2015-05-28, 1 file changed, -4/+10)
  This patch defines the behaviour of AD in the new interface more clearly. In particular, it specifies that the user must copy the AD to the destination manually when src != dst if they wish to guarantee that the destination buffer contains a copy of the AD. The reason for this is that otherwise every AEAD implementation would have to perform such a copy when src != dst. In reality most users do in-place processing where src == dst so this is not an issue. This patch also kills some remaining references to cryptoff.
  Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 (Herbert Xu, 2015-05-28, 13 files changed, -42/+77)
  Merge the crypto tree for 4.1 to pull in the changeset that disables algif_aead.
  * crypto: algif_aead - Disable AEAD user-space for now (Herbert Xu, 2015-05-26, 1 file changed, -9/+0)
    The newly added AEAD user-space isn't quite ready for prime time just yet. In particular it is conflicting with the AEAD single SG list interface change so this patch disables it now. Once the SG list stuff is completely done we can then re-enable this interface.
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  * crypto: s390/ghash - Fix incorrect ghash icv buffer handling. (Harald Freudenberger, 2015-05-22, 1 file changed, -12/+13)
    Multithreaded tests showed that the icv buffer in the current ghash implementation is not handled correctly. A move of this working ghash buffer value to the descriptor context fixed this. Code is tested and verified with a multithreaded application via af_alg interface.
    Cc: stable@vger.kernel.org
    Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
    Signed-off-by: Gerald Schaefer <geraldsc@linux.vnet.ibm.com>
    Reported-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  * crypto: algif_aead - fix invalid sgl linking (Tadeusz Struk, 2015-05-18, 1 file changed, -5/+4)
    This patch fixes it. Also minor updates to comments.
    Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  * crypto: arm64/sha2-ce - prevent asm code finalization in final() path (Ard Biesheuvel, 2015-05-07, 1 file changed, -0/+3)
    Ensure that the asm code finalization path is not triggered when invoked via final(), since it already takes care of that itself.
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  * crypto: arm64/sha1-ce - prevent asm code finalization in final() path (Ard Biesheuvel, 2015-05-07, 1 file changed, -0/+3)
    Ensure that the asm code finalization path is not triggered when invoked via final(), since it already takes care of that itself.
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>