summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-05-27crypto: drbg - use Jitter RNG to obtain seedStephan Mueller
During initialization, the DRBG now tries to allocate a handle of the Jitter RNG. If such a Jitter RNG is available during seeding, the DRBG pulls the required entropy/nonce string from get_random_bytes and concatenates it with a string of equal size from the Jitter RNG. That combined string is now the seed for the DRBG. Written differently, the initial seed of the DRBG is now: get_random_bytes(entropy/nonce) || jitterentropy (entropy/nonce) If the Jitter RNG is not available, the DRBG only seeds from get_random_bytes. CC: Andreas Steffen <andreas.steffen@strongswan.org> CC: Theodore Ts'o <tytso@mit.edu> CC: Sandy Harris <sandyinchina@gmail.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-27crypto: drbg - add async seeding operationStephan Mueller
The async seeding operation is triggered during initalization right after the first non-blocking seeding is completed. As required by the asynchronous operation of random.c, a callback function is provided that is triggered by random.c once entropy is available. That callback function performs the actual seeding of the DRBG. CC: Andreas Steffen <andreas.steffen@strongswan.org> CC: Theodore Ts'o <tytso@mit.edu> CC: Sandy Harris <sandyinchina@gmail.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-27crypto: drbg - prepare for async seedingStephan Mueller
In order to prepare for the addition of the asynchronous seeding call, the invocation of seeding the DRBG is moved out into a helper function. In addition, a block of memory is allocated during initialization time that will be used as a scratchpad for obtaining entropy. That scratchpad is used for the initial seeding operation as well as by the asynchronous seeding call. The memory must be zeroized every time the DRBG seeding call succeeds to avoid entropy data lingering in memory. CC: Andreas Steffen <andreas.steffen@strongswan.org> CC: Theodore Ts'o <tytso@mit.edu> CC: Sandy Harris <sandyinchina@gmail.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-27random: Blocking API for accessing nonblocking_poolStephan Mueller
The added API calls provide a synchronous function call get_blocking_random_bytes where the caller is blocked until the nonblocking_pool is initialized. CC: Andreas Steffen <andreas.steffen@strongswan.org> CC: Theodore Ts'o <tytso@mit.edu> CC: Sandy Harris <sandyinchina@gmail.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-27random: Wake up all getrandom(2) callers when pool is readyHerbert Xu
If more than one application invokes getrandom(2) before the pool is ready, then all bar one will be stuck forever because we use wake_up_interruptible which wakes up a single task. This patch replaces it with wake_up_all. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: aead - Remove unused cryptoff parameterHerbert Xu
This patch removes the cryptoff parameter now that all users set it to zero. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: seqiv - Stop using cryptoffHerbert Xu
The cryptoff parameter was added to facilitate the skipping of IVs that sit between the AD and the plain/cipher text. However, it was never implemented correctly as and we do not handle users such as IPsec setting cryptoff. It is simply ignored. Implementing correctly is in fact more trouble than what it's worth. This patch removes the uses of cryptoff by moving the AD forward to fill the gap left by the IV. The AD is moved back after the underlying AEAD processing is finished. This is in fact beter than the cryptoff solution because it allows algorithms that use seqniv (i.e., GCM and CCM) to hash the whole packet as a single piece, while cryptoff meant that there was guaranteed to be a gap. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: echainiv - Stop using cryptoffHerbert Xu
The cryptoff parameter was added to facilitate the skipping of IVs that sit between the AD and the plain/cipher text. However, it was never implemented correctly as and we do not handle users such as IPsec setting cryptoff. It is simply ignored. Implementing correctly is in fact more trouble than what it's worth. This patch removes the uses of cryptoff and simply falls back to using the old AEAD interface as it's only needed for old AEAD implementations. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: aead - Do not set cra_type for new style instancesHerbert Xu
The function aead_geniv_alloc currently sets cra_type even for new style instances. This is unnecessary and may hide bugs such as when our caller uses crypto_register_instance instead of the correct aead_register_instance. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: echainiv - Use aead_register_instanceHerbert Xu
New style AEAD instances must use aead_register_instance. This worked by chance because aead_geniv_alloc is still setting things the old way. This patch converts the template over to the create model where we are responsible for instance registration so that we can call the correct function. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: seqiv - Use aead_register_instanceHerbert Xu
New style AEAD instances must use aead_register_instance. This worked by chance because aead_geniv_alloc is still setting things the old way. This patch converts the template over to the create model where we are responsible for instance registration so that we can call the correct function. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: aead - Use tmpl->createHerbert Xu
Newer templates use tmpl->create and have a NULL tmpl->alloc. So we must use tmpl->create if it is set. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: skcipher - Use tmpl->createHerbert Xu
Newer templates use tmpl->create and have a NULL tmpl->alloc. So we must use tmpl->create if it is set. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: echainiv - echainiv_read_iv() can be staticWu Fengguang
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: mv_cesa - request registers memory regionBoris BREZILLON
The mv_cesa driver does not request the CESA registers memory region. Since we're about to add a new CESA driver, we need to make sure only one of these drivers probe the CESA device, and requesting the registers memory region is a good way to achieve that. Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: pcrypt - Make tfm_count an atomic_tHerbert Xu
The variable tfm_count is accessed by multiple threads without locking. This patch converts it to an atomic_t. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: aead - Add crypto_aead_alg_ivsize/maxauthsizeHerbert Xu
AEAD algorithm implementors need to figure out a given algorithm's IV size and maximum authentication size. During the transition this is difficult to do as an algorithm could be new style or old style. This patch creates two helpers to make this easier. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-25crypto: testmgr - Added one larger ghash testvector (400 bytes) to the testmgr.Harald Freudenberger
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: echainiv - Add encrypted chain IV generatorHerbert Xu
This patch adds a new AEAD IV generator echainiv. It is intended to replace the existing skcipher IV generator eseqiv. If the underlying AEAD algorithm is using the old AEAD interface, then echainiv will simply use its IV generator. Otherwise, echainiv will encrypt a counter just like eseqiv but it'll first xor it against a previously stored IV similar to chainiv. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: seqiv - Add seqnivHerbert Xu
This patch adds a new IV generator seqniv which is identical to seqiv except that it skips the IV when authenticating. This is intended to be used by algorithms such as rfc4106 that does the IV authentication implicitly. Note that the code used for seqniv is in fact identical to the compatibility case for seqiv. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: seqiv - Add support for new AEAD interfaceHerbert Xu
This patch converts the seqiv IV generator to work with the new AEAD interface where IV generators are just normal AEAD algorithms. Full backwards compatibility is paramount at this point since no users have yet switched over to the new interface. Nor can they switch to the new interface until IV generation is fully supported by it. So this means we are adding two versions of seqiv alongside the existing one. The first one is the one that will be used when the underlying AEAD algorithm has switched over to the new AEAD interface. The second one handles the current case where the underlying AEAD algorithm still uses the old interface. Both versions export themselves through the new AEAD interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: scatterwalk - Check for same address in map_and_copyHerbert Xu
This patch adds a check for in scatterwalk_map_and_copy to avoid copying from the same address to the same address. This is going to be used for IV copying in AEAD IV generators. There is no provision for partial overlaps. This patch also uses the new scatterwalk_ffwd instead of doing it by hand in scatterwalk_map_and_copy. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: gcm - Use default null skcipherHerbert Xu
This patch makes gcm use the default null skcipher instead of allocating a new one for each tfm. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: null - Add default null skcipherHerbert Xu
This patch adds a default null skcipher for users such as gcm to perform copies on SG lists. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: aead - Add support for new AEAD implementationsHerbert Xu
This patch adds the basic structure of the new AEAD type. Unlike the current version, there is no longer any concept of geniv. IV generation will still be carried out by wrappers but they will be normal AEAD algorithms that simply take the IPsec sequence number as the IV. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: nx - Remove unnecessary maxauthsize checkHerbert Xu
The crypto layer already checks maxauthsize when setauthsize is called. So there is no need to check it again within setauthsize. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: ixp4xx - Use crypto_aead_maxauthsizeHerbert Xu
This patch uses the helper crypto_aead_maxauthsize instead of directly dereferencing aead_alg. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: aead - Add crypto_aead_maxauthsizeHerbert Xu
This patch adds the helper crypto_aead_maxauthsize to remove the need to directly dereference aead_alg internals by AEAD implementors. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: caam - Use old_aead_algHerbert Xu
This patch replaces references to aead_alg with old_aead_alg. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: aead - Rename aead_alg to old_aead_algHerbert Xu
This patch is the first step in the introduction of a new AEAD alg type. Unlike normal conversions this patch only renames the existing aead_alg structure because there are external references to it. Those references will be removed after this patch. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: aead - Add new interface with single SG listHerbert Xu
The primary user of AEAD, IPsec includes the IV in the AD in most cases, except where it is implicitly authenticated by the underlying algorithm. The way it is currently implemented is a hack because we pass the data in piecemeal and the underlying algorithms try to stitch them back up into one piece. This is why this patch is adding a new interface that allows a single SG list to be passed in that contains everything so the algorithm implementors do not have to stitch. The new interface accepts a single source SG list and a single destination SG list. Both must be laid out as follows: AD, skipped data, plain/cipher text, ICV The ICV is not present from the source during encryption and from the destination during decryption. For the top-level IPsec AEAD algorithm the plain/cipher text will contain the generated (or received) IV. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: scatterwalk - Add scatterwalk_ffwd helperHerbert Xu
This patch adds the scatterwalk_ffwd helper which can create an SG list that starts in the middle of an existing SG list. The new list may either be part of the existing list or be a chain that latches onto part of the existing list. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: pcrypt - Use crypto_grab_aeadHerbert Xu
As AEAD has switched over to using frontend types, the function crypto_init_spawn must not be used since it does not specify a frontend type. Otherwise it leads to a crash when the spawn is used. This patch fixes it by switching over to crypto_grab_aead instead. Fixes: 5d1d65f8bea6 ("crypto: aead - Convert top level interface to new style") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: cryptd - Use crypto_grab_aeadHerbert Xu
As AEAD has switched over to using frontend types, the function crypto_init_spawn must not be used since it does not specify a frontend type. Otherwise it leads to a crash when the spawn is used. This patch fixes it by switching over to crypto_grab_aead instead. Fixes: 5d1d65f8bea6 ("crypto: aead - Convert top level interface to new style") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-22crypto: doc - change header file locationsStephan Mueller
Due to the recent update of the kernel crypto API header files, locations of function definitions and their documentation have changed. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-18crypto: omap-sham - Add support for omap3 devicesPali Rohár
omap3 support is same as omap2, just with different IO address (specified in DT) Signed-off-by: Pali Rohár <pali.rohar@gmail.com> Acked-by: Pavel Machek <pavel@ucw.cz> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-18crypto: octeon - use md5 IV MD5_HX instead of their raw valueLABBE Corentin
Since MD5 IV are now available in crypto/md5.h, use them. Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-18crypto: n2 - use md5 IV MD5_HX instead of their raw valueLABBE Corentin
Since MD5 IV are now available in crypto/md5.h, use them. Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-18crypto: sparc/md5 - use md5 IV MD5_HX instead of their raw valueLABBE Corentin
Since MD5 IV are now available in crypto/md5.h, use them. Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-18crypto: powerpc/md5 - use md5 IV MD5_HX instead of their raw valueLABBE Corentin
Since MD5 IV are now available in crypto/md5.h, use them. Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-18crypto: md5 - use md5 IV MD5_HX instead of their raw valueLABBE Corentin
Since MD5 IV are now available in crypto/md5.h, use them. Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-18crypto: md5 - add MD5 initial vectorsLABBE Corentin
This patch simply adds the MD5 IV in the md5 header. Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-18crypto: nx - remove 842-nx null checksDan Streetman
Remove the null checks for tfm, src, slen, dst, dlen; tfm will never be null and the other fields are always expected to be set correctly. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Dan Streetman <ddstreet@ieee.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-15crypto: vmx - fix two mistyped textsPaulo Flabiano Smorigo
One mistyped description and another mistyped target were corrected. Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@linux.vnet.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-15crypto: qat - rm unneeded header includeTadeusz Struk
Don't need proc_fs.h Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-15crypto: qat - remove unused structure membersTadeusz Struk
Cleanup unused structure members. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-15crypto: omap-sham - Check for return value from pm_runtime_get_syncPali Rohár
Function pm_runtime_get_sync could fail and we need to check return value to prevent kernel crash. Signed-off-by: Pali Rohár <pali.rohar@gmail.com> Acked-by: Pavel Machek <pavel@ucw.cz> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-13lib: correct 842 decompress for 32 bitDan Streetman
Avoid 64 bit mod operation, which won't work on 32 bit systems. Simple subtraction can be used instead in this case. Reported-By: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Dan Streetman <ddstreet@ieee.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-13crypto: talitos - static code checker fixesHoria Geant?
-change req_ctx->nbuf from u64 to unsigned int to silence checker warnings; this is safe since nbuf value is <= HASH_MAX_BLOCK_SIZE -remove unused value read from TALITOS_CCPSR; there is no requirement to read upper 32b before reading lower 32b of a 64b register; SEC RM mentions: "reads can always be done by byte, word, or dword" -remove unused return value of sg_to_link_tbl() -change "len" parameter of map_single_talitos_ptr() and to_talitos_ptr_len() to unsigned int; later, cpu_to_be16 will __force downcast the value to unsigned short without any checker warning Signed-off-by: Horia Geanta <horia.geanta@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-05-13crypto: talitos - avoid out of bound scatterlist iteratorHoria Geant?
Check return value of scatterlist_sg_next(), i.e. don't rely solely on number of bytes to be processed or number of scatterlist entries. Signed-off-by: Horia Geanta <horia.geanta@freescale.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>