summaryrefslogtreecommitdiffstats
path: root/crypto
Commit message (Collapse)AuthorAgeFilesLines
* crypto: poly1305 - Pass key as first two message blocks to each desc_ctxMartin Willi2015-06-173-116/+134
| | | | | | | | | | The Poly1305 authenticator requires a unique key for each generated tag. This implies that we can't set the key per tfm, as multiple users set individual keys. Instead we pass a desc specific key as the first two blocks of the message to authenticate in update(). Signed-off-by: Martin Willi <martin@strongswan.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Add mcgrew test vectors for rfc4106Herbert Xu2015-06-171-3/+846
| | | | | | | This patch adds rfc4106 test vectors sourced from draft-mcgrew-gcm-test-01. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* Revert "crypto: testmgr - Disable rfc4543 test"Herbert Xu2015-06-171-1/+1
| | | | | | | | | This reverts commit 9b9f9296a7b73fbafe0a0a6f2494eaadd97f9f73 as all in-kernel implementations of GCM have been converted to the new AEAD interface, meaning that they should now pass the updated rfc4543 test. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Update rfc4543 test vectorsHerbert Xu2015-06-171-6/+9
| | | | | | | | | This patch updates the rfc4543 test vectors to the new format where the IV is part of the AD. For now these vectors are still unused. They will be reactivated once all rfc4543 implementations have migrated. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: gcm - Convert to new AEAD interfaceHerbert Xu2015-06-171-532/+373
| | | | | | | | | This patch converts generic gcm and its associated transforms to the new AEAD interface. The biggest reward is in code reduction for rfc4543 where it used to do IV stitching which is no longer needed as the IV is already part of the AD on input. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Disable rfc4543 testHerbert Xu2015-06-171-1/+1
| | | | | | | | Because the old rfc4543 implementation always injected an IV into the AD, while the new one does not, we have to disable the test while it is converted over to the new AEAD interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - Add select on sha256Herbert Xu2015-06-111-1/+2
| | | | | | | The hash-based DRBG variants all use sha256 so we need to add a select on it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - report backend_cra_name when allocation failsSergey Senozhatsky2015-06-111-2/+4
| | | | | | | | | | | | | Be more verbose and also report ->backend_cra_name when crypto_alloc_shash() or crypto_alloc_cipher() fail in drbg_init_hash_kernel() or drbg_init_sym_kernel() correspondingly. Example DRBG: could not allocate digest TFM handle: hmac(sha256) Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - reseed often if seedsource is degradedStephan Mueller2015-06-101-1/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | As required by SP800-90A, the DRBG implements are reseeding threshold. This threshold is at 2**48 (64 bit) and 2**32 bit (32 bit) as implemented in drbg_max_requests. With the recently introduced changes, the DRBG is now always used as a stdrng which is initialized very early in the boot cycle. To ensure that sufficient entropy is present, the Jitter RNG is added to even provide entropy at early boot time. However, the 2nd seed source, the nonblocking pool, is usually degraded at that time. Therefore, the DRBG is seeded with the Jitter RNG (which I believe contains good entropy, which however is questioned by others) and is seeded with a degradded nonblocking pool. This seed is now used for quasi the lifetime of the system (2**48 requests is a lot). The patch now changes the reseed threshold as follows: up until the time the DRBG obtains a seed from a fully iniitialized nonblocking pool, the reseeding threshold is lowered such that the DRBG is forced to reseed itself resonably often. Once it obtains the seed from a fully initialized nonblocking pool, the reseed threshold is set to the value required by SP800-90A. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - Use callback API for random readinessStephan Mueller2015-06-101-91/+126
| | | | | | | | | | | | | | | The get_blocking_random_bytes API is broken because the wait can be arbitrarily long (potentially forever) so there is no safe way of calling it from within the kernel. This patch replaces it with the new callback API which does not have this problem. The patch also removes the entropy buffer registered with the DRBG handle in favor of stack variables to hold the seed data. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - use pragmas for disabling optimizationStephan Mueller2015-06-092-5/+26
| | | | | | | | | | | | Replace the global -O0 compiler flag from the Makefile with GCC pragmas to mark only the functions required to be compiled without optimizations. This patch also adds a comment describing the rationale for the functions chosen to be compiled without optimizations. Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Document struct cipher_testvecLABBE Corentin2015-06-091-0/+18
| | | | | Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: rng - Remove krngHerbert Xu2015-06-042-62/+0
| | | | | | This patch removes krng so that DRBG can take its place. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: rng - Make DRBG the default RNGHerbert Xu2015-06-041-7/+8
| | | | | | | | This patch creates a new invisible Kconfig option CRYPTO_RNG_DEFAULT that simply selects the DRBG. This new option is then selected by the IV generators. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: echainiv - Set Kconfig default to mHerbert Xu2015-06-041-0/+1
| | | | | | | As this is required by many IPsec algorithms, let's set the default to m. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: drbg - Add stdrng alias and increase priorityHerbert Xu2015-06-041-1/+2
| | | | | | | This patch adds the stdrng module alias and increases the priority to ensure that it is loaded in preference to other RNGs. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: seqiv - Move IV seeding into init functionHerbert Xu2015-06-041-98/+15
| | | | | | | | | | We currently do the IV seeding on the first givencrypt call in order to conserve entropy. However, this does not work with DRBG which cannot be called from interrupt context. In fact, with DRBG we don't need to conserve entropy anyway. So this patch moves the seeding into the init function. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: eseqiv - Move IV seeding into init functionHerbert Xu2015-06-041-25/+4
| | | | | | | | | | We currently do the IV seeding on the first givencrypt call in order to conserve entropy. However, this does not work with DRBG which cannot be called from interrupt context. In fact, with DRBG we don't need to conserve entropy anyway. So this patch moves the seeding into the init function. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: echainiv - Move IV seeding into init functionHerbert Xu2015-06-041-24/+6
| | | | | | | | | | We currently do the IV seeding on the first givencrypt call in order to conserve entropy. However, this does not work with DRBG which cannot be called from interrupt context. In fact, with DRBG we don't need to conserve entropy anyway. So this patch moves the seeding into the init function. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: chainiv - Move IV seeding into init functionHerbert Xu2015-06-041-57/+9
| | | | | | | | | | We currently do the IV seeding on the first givencrypt call in order to conserve entropy. However, this does not work with DRBG which cannot be called from interrupt context. In fact, with DRBG we don't need to conserve entropy anyway. So this patch moves the seeding into the init function. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Add draft-ietf-ipsecme-chacha20-poly1305 test vectorMartin Willi2015-06-042-0/+194
| | | | | | Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: chacha20poly1305 - Add an IPsec variant for RFC7539 AEADMartin Willi2015-06-041-1/+25
| | | | | | | | | | draft-ietf-ipsecme-chacha20-poly1305 defines the use of ChaCha20/Poly1305 in ESP. It uses additional four byte key material as a salt, which is then used with an 8 byte IV to form the ChaCha20 nonce as defined in the RFC7539. Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Add ChaCha20-Poly1305 test vectors from RFC7539Martin Willi2015-06-042-0/+284
| | | | | | Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539Martin Willi2015-06-043-0/+676
| | | | | | | | | | | This AEAD uses a chacha20 ablkcipher and a poly1305 ahash to construct the ChaCha20-Poly1305 AEAD as defined in RFC7539. It supports both synchronous and asynchronous operations, even if we currently have no async chacha20 or poly1305 drivers. Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Add Poly1305 test vectors from RFC7539Martin Willi2015-06-042-0/+268
| | | | | | Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: poly1305 - Add a generic Poly1305 authenticator implementationMartin Willi2015-06-043-0/+310
| | | | | | | | | | | | | | Poly1305 is a fast message authenticator designed by Daniel J. Bernstein. It is further defined in RFC7539 as a building block for the ChaCha20-Poly1305 AEAD for use in IETF protocols. This is a portable C implementation of the algorithm without architecture specific optimizations, based on public domain code by Daniel J. Bernstein and Andrew Moon. Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Add ChaCha20 test vectors from RFC7539Martin Willi2015-06-042-0/+192
| | | | | | | | | | We explicitly set the Initial block Counter by prepending it to the nonce in Little Endian. The same test vector is used for both encryption and decryption, ChaCha20 is a cipher XORing a keystream. Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: chacha20 - Add a generic ChaCha20 stream cipher implementationMartin Willi2015-06-043-0/+230
| | | | | | | | | | | | | | | ChaCha20 is a high speed 256-bit key size stream cipher algorithm designed by Daniel J. Bernstein. It is further specified in RFC7539 for use in IETF protocols as a building block for the ChaCha20-Poly1305 AEAD. This is a portable C implementation without any architecture specific optimizations. It uses a 16-byte IV, which includes the 12-byte ChaCha20 nonce prepended by the initial block counter. Some algorithms require an explicit counter value, for example the mentioned AEAD construction. Signed-off-by: Martin Willi <martin@strongswan.org> Acked-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: scatterwalk - Hide PageSlab call to optimise away flush_dcache_pageHerbert Xu2015-06-031-1/+5
| | | | | | | | | | | | | On architectures where flush_dcache_page is not needed, we will end up generating all the code up to the PageSlab call. This is because PageSlab operates on a volatile pointer and thus cannot be optimised away. This patch works around this by checking whether flush_dcache_page is needed before we call PageSlab which then allows PageSlab to be compiled awy. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: cryptd - Convert to new AEAD interfaceHerbert Xu2015-06-031-35/+29
| | | | | | This patch converts cryptd to the new AEAD interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: cryptd - Add setkey/setauthsize functions for AEADHerbert Xu2015-06-031-2/+20
| | | | | | This patch adds setkey and setauthsize for cryptd AEAD. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: pcrypt - Add support for new AEAD interfaceHerbert Xu2015-06-031-95/+40
| | | | | | This patch converts pcrypt over to the new AEAD interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Add multiple algorithm registration interfaceHerbert Xu2015-06-031-0/+29
| | | | | | | This patch adds the helpers that allow the registration and removal of multiple algorithms. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Ignore return value from crypto_unregister_algHerbert Xu2015-06-031-2/+2
| | | | | | | No new code should be using the return value of crypto_unregister_alg as it will become void soon. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: api - Include alignment in crypto_alg_extsizeHerbert Xu2015-06-031-1/+2
| | | | | | | This patch ensures that the tfm context always has enough extra memory to ensure that it is aligned according to cra_alignment. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Add type-safe init/exit functionsHerbert Xu2015-06-031-0/+14
| | | | | | | | | | | | As it stands the only non-type safe functions left in the new AEAD interface are the cra_init/cra_exit functions. It means exposing the ugly __crypto_aead_cast to every AEAD implementor. This patch adds type-safe init/exit functions to AEAD. Existing algorithms are unaffected while new implementations can simply fill in these two instead of cra_init/cra_exit. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* Revert "crypto: algif_aead - Disable AEAD user-space for now"Herbert Xu2015-06-031-0/+9
| | | | | | | | This reverts commit f858c7bcca8c20761a20593439fe998b4b67e86b as the algif_aead interface has been switched over to the new AEAD interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: jitterentropy - remove timekeeping_valid_for_hresStephan Mueller2015-05-281-3/+0
| | | | | | | | | | | | | The patch removes the use of timekeeping_valid_for_hres which is now marked as internal for the time keeping subsystem. The jitterentropy does not really require this verification as a coarse timer (when random_get_entropy is absent) is discovered by the initialization test of jent_entropy_init, which would cause the jitter rng to not load in that case. Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: algif_aead - Switch to new AEAD interfaceHerbert Xu2015-05-281-58/+8
| | | | | | | | | | | This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text. Note that the user-space interface now requires both input and output to be of the same length, and both must include space for the AD as well as the authentication tag. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: tcrypt - Switch to new AEAD interfaceHerbert Xu2015-05-281-8/+7
| | | | | | | This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: testmgr - Switch to new AEAD interfaceHerbert Xu2015-05-281-39/+48
| | | | | | | This patch makes use of the new AEAD interface which uses a single SG list instead of separate lists for the AD and plain text. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: seqiv - Fix module unload/reload crashHerbert Xu2015-05-281-0/+1
| | | | | | | | On module unload we weren't unregistering the seqniv template, thus leading to a crash the next time someone walks the template list. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: seqiv - Fix IV size in context size calculationHerbert Xu2015-05-281-1/+1
| | | | | | | This patch fixes a bug in the context size calculation where we were still referring to the old cra_aead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: seqiv - Use common IV generation codeHerbert Xu2015-05-281-56/+36
| | | | | | This patch makes use of the new common IV generation code. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: seqiv - Copy AD along with plain/cipher textHerbert Xu2015-05-281-27/+6
| | | | | | | As the AD does not necessarily exist in the destination buffer it must be copied along with the plain/cipher text. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: echainiv - Fix IV size in context size calculationHerbert Xu2015-05-281-1/+1
| | | | | | | This patch fixes a bug in the context size calculation where we were still referring to the old cra_aead. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: echainiv - Use common IV generation codeHerbert Xu2015-05-281-212/+18
| | | | | | This patch makes use of the new common IV generation code. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: echainiv - Copy AD along with plain textHerbert Xu2015-05-281-8/+2
| | | | | | | As the AD does not necessarily exist in the destination buffer it must be copied along with the plain text. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Add common IV generation codeHerbert Xu2015-05-281-3/+202
| | | | | | | | This patch adds some common IV generation code currently duplicated by seqiv and echainiv. For example, the setkey and setauthsize functions are completely identical. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: aead - Preserve in-place processing in old_cryptHerbert Xu2015-05-281-1/+2
| | | | | | | | This patch tries to preserve in-place processing in old_crypt as various algorithms are optimised for in-place processing where src == dst. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
OpenPOWER on IntegriCloud