1. 25 Dec, 2008 25 commits
    • Jarod Wilson's avatar
      crypto: ansi_cprng - Avoid incorrect extra call to _get_more_prng_bytes · aa1a85db
      Jarod Wilson authored
      While working with some FIPS RNGVS test vectors yesterday, I discovered a
      little bug in the way the ansi_cprng code works right now.
      
      For example, the following test vector (complete with expected result)
      from http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf ...
      
      Key = f3b1666d13607242ed061cabb8d46202
      DT = e6b3be782a23fa62d71d4afbb0e922fc
      V = f0000000000000000000000000000000
      R = 88dda456302423e5f69da57e7b95c73a
      
      ...when run through ansi_cprng, yields an incorrect R value
      of e2afe0d794120103d6e86a2b503bdfaa.
      
      If I load up ansi_cprng w/dbg=1 though, it was fairly obvious what was
      going wrong:
      
      ----8<----
      getting 16 random bytes for context ffff810033fb2b10
      Calling _get_more_prng_bytes for context ffff810033fb2b10
      Input DT: 00000000: e6 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
      Input I: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
      Input V: 00000000: f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
      tmp stage 0: 00000000: e6 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
      tmp stage 1: 00000000: f4 8e cb 25 94 3e 8c 31 d6 14 cd 8a 23 f1 3f 84 
      tmp stage 2: 00000000: 8c 53 6f 73 a4 1a af d4 20 89 68 f4 58 64 f8 be 
      Returning new block for context ffff810033fb2b10
      Output DT: 00000000: e7 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
      Output I: 00000000: 04 8e cb 25 94 3e 8c 31 d6 14 cd 8a 23 f1 3f 84 
      Output V: 00000000: 48 89 3b 71 bc e4 00 b6 5e 21 ba 37 8a 0a d5 70 
      New Random Data: 00000000: 88 dd a4 56 30 24 23 e5 f6 9d a5 7e 7b 95 c7 3a 
      Calling _get_more_prng_bytes for context ffff810033fb2b10
      Input DT: 00000000: e7 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
      Input I: 00000000: 04 8e cb 25 94 3e 8c 31 d6 14 cd 8a 23 f1 3f 84 
      Input V: 00000000: 48 89 3b 71 bc e4 00 b6 5e 21 ba 37 8a 0a d5 70 
      tmp stage 0: 00000000: e7 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
      tmp stage 1: 00000000: 80 6b 3a 8c 23 ae 8f 53 be 71 4c 16 fc 13 b2 ea 
      tmp stage 2: 00000000: 2a 4d e1 2a 0b 58 8e e6 36 b8 9c 0a 26 22 b8 30 
      Returning new block for context ffff810033fb2b10
      Output DT: 00000000: e8 b3 be 78 2a 23 fa 62 d7 1d 4a fb b0 e9 22 fc 
      Output I: 00000000: c8 e2 01 fd 9f 4a 8f e5 e0 50 f6 21 76 19 67 9a 
      Output V: 00000000: ba 98 e3 75 c0 1b 81 8d 03 d6 f8 e2 0c c6 54 4b 
      New Random Data: 00000000: e2 af e0 d7 94 12 01 03 d6 e8 6a 2b 50 3b df aa 
      returning 16 from get_prng_bytes in context ffff810033fb2b10
      ----8<----
      
      The expected result is there, in the first "New Random Data", but we're
      incorrectly making a second call to _get_more_prng_bytes, due to some checks
      that are slightly off, which resulted in our original bytes never being
      returned anywhere.
      
      One approach to fixing this would be to alter some byte_count checks in
      get_prng_bytes, but it would mean the last DEFAULT_BLK_SZ bytes would be
      copied a byte at a time, rather than in a single memcpy, so a slightly more
      involved, equally functional, and ultimately more efficient way of fixing this
      was suggested to me by Neil, which I'm submitting here. All of the RNGVS ANSI
      X9.31 AES128 VST test vectors I've passed through ansi_cprng are now returning
      the expected results with this change.
      Signed-off-by: default avatarJarod Wilson <jarod@redhat.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      aa1a85db
    • Julia Lawall's avatar
      crypto: md4 - Use ARRAY_SIZE · 31a61bfc
      Julia Lawall authored
      ARRAY_SIZE is more concise to use when the size of an array is divided by
      the size of its type or the size of its first element.
      
      The semantic patch that makes this change is as follows:
      (http://www.emn.fr/x-info/coccinelle/)
      
      // <smpl>
      @i@
      @@
      
      #include <linux/kernel.h>
      
      @depends on i using "paren.iso"@
      type T;
      T[] E;
      @@
      
      - (sizeof(E)/sizeof(T))
      + ARRAY_SIZE(E)
      // </smpl>
      Signed-off-by: default avatarJulia Lawall <julia@diku.dk>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      31a61bfc
    • Herbert Xu's avatar
      libcrc32c: Add crc32c_le macro · 0426c166
      Herbert Xu authored
      The bnx2x driver actually uses the crc32c_le name so this patch
      restores the crc32c_le symbol through a macro.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      0426c166
    • Adrian-Ken Rueegsegger's avatar
      libcrc32c: Fix "crc32c undefined" compilation error · 53b146ae
      Adrian-Ken Rueegsegger authored
      The latest shash changes leave crc32c undefined:
      
      [...]
      Building modules, stage 2.
        MODPOST 1381 modules
        ERROR: "crc32c" [net/sctp/sctp.ko] undefined!
        ERROR: "crc32c" [net/ipv4/netfilter/nf_nat_proto_sctp.ko] undefined!
      
      Adding EXPORT_SYMBOL(crc32c) to lib/libcrc32c.c fixes the compile error.
      This patch has been compile-tested only.
      Signed-off-by: default avatarAdrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      53b146ae
    • Herbert Xu's avatar
      libcrc32c: Move implementation to crypto crc32c · 69c35efc
      Herbert Xu authored
      This patch swaps the role of libcrc32c and crc32c.  Previously
      the implementation was in libcrc32c and crc32c was a wrapper.
      Now the code is in crc32c and libcrc32c just calls the crypto
      layer.
      
      The reason for the change is to tap into the algorithm selection
      capability of the crypto API so that optimised implementations
      such as the one utilising Intel's CRC32C instruction can be
      used where available.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      69c35efc
    • Herbert Xu's avatar
      crypto: crc32c - Test descriptor context format · 8e3ee85e
      Herbert Xu authored
      This patch adds a test for the requirement that all crc32c algorithms
      shall store the partial result in the first four bytes of the descriptor
      context.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      8e3ee85e
    • Herbert Xu's avatar
      crypto: crc32c-intel - Switch to shash · b7e8bdad
      Herbert Xu authored
      This patch changes crc32c-intel to the new shash interface.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      b7e8bdad
    • Herbert Xu's avatar
      crypto: crc32c - Switch to shash · faccc4bb
      Herbert Xu authored
      This patch changes crc32c to the new shash interface.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      faccc4bb
    • Herbert Xu's avatar
      crypto: hash - Export shash through hash · 5f7082ed
      Herbert Xu authored
      This patch allows shash algorithms to be used through the old hash
      interface.  This is a transitional measure so we can convert the
      underlying algorithms to shash before converting the users across.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      5f7082ed
    • Herbert Xu's avatar
      crypto: api - Call type show function before legacy for proc · 67cd080c
      Herbert Xu authored
      This patch makes /proc/crypto call the type-specific show function
      if one is present before calling the legacy show functions for
      cipher/digest/compress.  This allows us to reuse the type values
      for those legacy types.  In particular, hash and digest will share
      one type value while shash is phased in as the default hash type.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      67cd080c
    • Herbert Xu's avatar
      crypto: hash - Add import/export interface · dec8b786
      Herbert Xu authored
      It is often useful to save the partial state of a hash function
      so that it can be used as a base for two or more computations.
      
      The most prominent example is HMAC where all hashes start from
      a base determined by the key.  Having an import/export interface
      means that we only have to compute that base once rather than
      for each message.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      dec8b786
    • Herbert Xu's avatar
      crypto: hash - Export shash through ahash · 3b2f6df0
      Herbert Xu authored
      This patch allows shash algorithms to be used through the ahash
      interface.  This is required before we can convert digest algorithms
      over to shash.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3b2f6df0
    • Herbert Xu's avatar
      crypto: hash - Add shash interface · 7b5a080b
      Herbert Xu authored
      The shash interface replaces the current synchronous hash interface.
      It improves over hash in two ways.  Firstly shash is reentrant,
      meaning that the same tfm may be used by two threads simultaneously
      as all hashing state is stored in a local descriptor.
      
      The other enhancement is that shash no longer takes scatter list
      entries.  This is because shash is specifically designed for
      synchronous algorithms and as such scatter lists are unnecessary.
      
      All existing hash users will be converted to shash once the
      algorithms have been completely converted.
      
      There is also a new finup function that combines update with final.
      This will be extended to ahash once the algorithm conversion is
      done.
      
      This is also the first time that an algorithm type has their own
      registration function.  Existing algorithm types will be converted
      to this way in due course.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7b5a080b
    • Herbert Xu's avatar
      crypto: api - Rebirth of crypto_alloc_tfm · 7b0bac64
      Herbert Xu authored
      This patch reintroduces a completely revamped crypto_alloc_tfm.
      The biggest change is that we now take two crypto_type objects
      when allocating a tfm, a frontend and a backend.  In fact this
      simply formalises what we've been doing behind the API's back.
      
      For example, as it stands crypto_alloc_ahash may use an
      actual ahash algorithm or a crypto_hash algorithm.  Putting
      this in the API allows us to do this much more cleanly.
      
      The existing types will be converted across gradually.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7b0bac64
    • Herbert Xu's avatar
      crypto: api - Move type exit function into crypto_tfm · 4a779486
      Herbert Xu authored
      The type exit function needs to undo any allocations done by the type
      init function.  However, the type init function may differ depending
      on the upper-level type of the transform (e.g., a crypto_blkcipher
      instantiated as a crypto_ablkcipher).
      
      So we need to move the exit function out of the lower-level
      structure and into crypto_tfm itself.
      
      As it stands this is a no-op since nobody uses exit functions at
      all.  However, all cases where a lower-level type is instantiated
      as a different upper-level type (such as blkcipher as ablkcipher)
      will be converted such that they allocate the underlying transform
      and use that instead of casting (e.g., crypto_ablkcipher casted
      into crypto_blkcipher).  That will need to use a different exit
      function depending on the upper-level type.
      
      This patch also allows the type init/exit functions to call (or not)
      cra_init/cra_exit instead of always calling them from the top level.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      4a779486
    • Neil Horman's avatar
      crypto: ansi_cprng - Allow resetting of DT value · 2566578a
      Neil Horman authored
      	This is a patch that was sent to me by Jarod Wilson, marking off my
      outstanding todo to allow the ansi cprng to set/reset the DT counter value in a
      cprng instance.  Currently crytpo_rng_reset accepts a seed byte array which is
      interpreted by the ansi_cprng as a {V key} tuple.  This patch extends that tuple
      to now be {V key DT}, with DT an optional value during reset.  This patch also
      fixes  a bug we noticed in which the offset of the key area of the seed is
      started at DEFAULT_PRNG_KSZ rather than DEFAULT_BLK_SZ as it should be.
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarJarod Wilson <jarod@redhat.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      2566578a
    • Herbert Xu's avatar
      crypto: padlock - Avoid resetting cword on successive operations · 420a4b20
      Herbert Xu authored
      Resetting the control word is quite expensive.  Fortunately this
      isn't an issue for the common operations such as CBC and ECB as
      the whole operation is done through a single call.  However, modes
      such as LRW and XTS have to call padlock over and over again for
      one operation which really hurts if each call resets the control
      word.
      
      This patch uses an idea by Sebastian Siewior to store the last
      control word used on a CPU and only reset the control word if
      that changes.
      
      Note that any task switch automatically resets the control word
      so we only need to be accurate with regard to the stored control
      word when no task switches occur.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      420a4b20
    • Kent Liu's avatar
      crypto: crc32c-intel - Update copyright head · 1c06da81
      Kent Liu authored
      The original copyright head for crc32c-intel.c is incorrect. Please merge
      the patch to update it.
      Signed-Off-By: default avatarKent Liu <kent.liu@intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1c06da81
    • Vishnu Suresh's avatar
      crypto: talitos - Preempt overflow interrupts off-by-one fix · 4b24ea97
      Vishnu Suresh authored
      In commit ec6644d6 "crypto: talitos - Preempt
      overflow interrupts", the test in atomic_inc_not_zero was interpreted by the
      author to be applied after the increment operation (not before). This off-by-one
      fix prevents overflow error interrupts from occurring when requests are frequent
      and large enough to do so.
      Signed-off-by: default avatarVishnu Suresh <Vishnu@freescale.com>
      Signed-off-by: default avatarKim Phillips <kim.phillips@freescale.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      4b24ea97
    • Harvey Harrison's avatar
      crypto: camellia - use kernel-provided bitops, unaligned access · 32bd78e0
      Harvey Harrison authored
      Remove the private implementation of 32-bit rotation and unaligned
      access with byteswapping.
      
      As a bonus, fixes sparse warnings:
      crypto/camellia.c:602:2: warning: cast to restricted __be32
      crypto/camellia.c:603:2: warning: cast to restricted __be32
      crypto/camellia.c:604:2: warning: cast to restricted __be32
      crypto/camellia.c:605:2: warning: cast to restricted __be32
      crypto/camellia.c:710:2: warning: cast to restricted __be32
      crypto/camellia.c:711:2: warning: cast to restricted __be32
      crypto/camellia.c:712:2: warning: cast to restricted __be32
      crypto/camellia.c:713:2: warning: cast to restricted __be32
      crypto/camellia.c:714:2: warning: cast to restricted __be32
      crypto/camellia.c:715:2: warning: cast to restricted __be32
      crypto/camellia.c:716:2: warning: cast to restricted __be32
      crypto/camellia.c:717:2: warning: cast to restricted __be32
      
      [Thanks to Tomoyuki Okazaki for spotting the typo]
      Tested-by: default avatarCarlo E. Prelz <fluido@fluido.as>
      Signed-off-by: default avatarHarvey Harrison <harvey.harrison@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      32bd78e0
    • Neil Horman's avatar
      crypto: testmgr - Trigger a panic when self test fails in FIPS mode · d12d6b6d
      Neil Horman authored
      The FIPS specification requires that should self test for any supported
      crypto algorithm fail during operation in fips mode, we need to prevent
      the use of any crypto functionality until such time as the system can
      be re-initialized.  Seems like the best way to handle that would be
      to panic the system if we were in fips mode and failed a self test.
      This patch implements that functionality.  I've built and run it
      successfully.
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d12d6b6d
    • Kim Phillips's avatar
      crypto: talitos - Perform auth check in h/w if on sec 2.1 and above · fe5720e2
      Kim Phillips authored
      SEC version 2.1 and above adds the capability to do the IPSec ICV
      memcmp in h/w. Results of the cmp are written back in the descriptor
      header, along with the done status.  A new callback is added that
      checks these ICCR bits instead of performing the memcmp on the core,
      and is enabled by h/w capability.
      Signed-off-by: default avatarKim Phillips <kim.phillips@freescale.com>
      
      After testing on different parts, another condition was added
      before using h/w auth check because different
      SEC revisions require different handling.
      
      The SEC 3.0 allows a more flexible link table where
      the auth data can span separate link table entries.
      The SEC 2.4/2.1 does not support this case.
      So a test was added in the decrypt routine
      for a fragmented case; the h/w auth check is disallowed for
      revisions not having the extent in the link table;
      in this case the hw auth check is done by software.
      
      A portion of a previous change for SEC 3.0 link table handling
      was removed since it became dead code with the hw auth check supported.
      
      This seems to be the best compromise for using hw auth check
      on supporting SEC revisions; it keeps the link table logic
      simpler for the fragmented cases.
      Signed-off-by: default avatarLee Nipper <lee.nipper@freescale.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      fe5720e2
    • Lee Nipper's avatar
      crypto: talitos - Implement done interrupt mitigation · 1c2e8811
      Lee Nipper authored
      In talitos_interrupt, upon one done interrupt, mask further done interrupts,
      and ack only any error interrupt.
      In talitos_done, unmask done interrupts after completing processing.
      In flush_channel, ack each done channel processed.
      Keep done overflow interrupts masked because even though each pkt
      is ack'ed, a few done overflows still occur.
      Signed-off-by: default avatarLee Nipper <lee.nipper@freescale.com>
      Signed-off-by: default avatarKim Phillips <kim.phillips@freescale.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1c2e8811
    • Kim Phillips's avatar
      crypto: talitos - Pass correct interrupt status to error handler · 40405f10
      Kim Phillips authored
      Since we ack early, the re-read interrupt status in talitos_error
      may be already updated with a new value.  Pass the error ISR value
      directly in order to report and handle the error based on the correct
      error status.
      
      Also remove unused error tasklet.
      Signed-off-by: default avatarKim Phillips <kim.phillips@freescale.com>
      Signed-off-by: default avatarLee Nipper <lee.nipper@freescale.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      40405f10
    • Evgeniy Polyakov's avatar
      crypto: hifn - Disable driver when physical size exceeds 32 bits · a44b56cc
      Evgeniy Polyakov authored
      On Tue, Sep 23, 2008 at 08:06:32PM +0200, Dimitri Puzin (max@psycast.de) wrote:
      > With this patch applied it still doesn't work as expected. The overflow
      > messages are gone however syslog shows
      > [  120.924266] hifn0: abort: c: 0, s: 1, d: 0, r: 0.
      > when doing cryptsetup luksFormat as in original e-mail. At this point
      > cryptsetup hangs and can't be killed with -SIGKILL. I've attached
      > SysRq-t dump of this condition.
      
      Yes, I was wrong with the patch: HIFN does not support 64-bit addresses
      afaics.
      
      Attached patch should not allow HIFN to be registered on 64-bit arch, so
      crypto layer will fallback to the software algorithms.
      Signed-off-by: default avatarEvgeniy Polyakov <johnpol@2ka.mipt.ru>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      a44b56cc
  2. 24 Dec, 2008 8 commits
  3. 23 Dec, 2008 7 commits