GitHub/LineageOS/G12/android_kernel_amlogic_linux-4.9.git
9 years agorandom: Add callback API for random pool readiness
Herbert Xu [Tue, 9 Jun 2015 10:19:39 +0000 (18:19 +0800)]
random: Add callback API for random pool readiness

The get_blocking_random_bytes API is broken because the wait can
be arbitrarily long (potentially forever) so there is no safe way
of calling it from within the kernel.

This patch replaces it with a callback API instead.  The callback
is invoked potentially from interrupt context so the user needs
to schedule their own work thread if necessary.

In addition to adding callbacks, they can also be removed as
otherwise this opens up a way for user-space to allocate kernel
memory with no bound (by opening algif_rng descriptors and then
closing them).

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agonios2: Export get_cycles
Herbert Xu [Tue, 9 Jun 2015 04:46:46 +0000 (12:46 +0800)]
nios2: Export get_cycles

nios2 is the only architecture that does not inline get_cycles
and does not export it.  This breaks crypto as it uses get_cycles
in a number of modules.

Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: drbg - use pragmas for disabling optimization
Stephan Mueller [Tue, 9 Jun 2015 02:08:49 +0000 (04:08 +0200)]
crypto: drbg - use pragmas for disabling optimization

Replace the global -O0 compiler flag from the Makefile with GCC
pragmas to mark only the functions required to be compiled without
optimizations.

This patch also adds a comment describing the rationale for the
functions chosen to be compiled without optimizations.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: caam - Clamp AEAD SG list by input length
Herbert Xu [Mon, 8 Jun 2015 08:38:24 +0000 (16:38 +0800)]
crypto: caam - Clamp AEAD SG list by input length

Currently caam assumes that the SG list contains exactly the number
of bytes required.  This assumption is incorrect.

Up until now this has been harmless.  However with the new AEAD
interface this now breaks as the AD SG list contains more bytes
than just the AD.

This patch fixes this by always clamping the AD SG list by the
specified AD length.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat: fix issue when mapping assoc to internal AD struct
Tadeusz Struk [Fri, 5 Jun 2015 22:52:13 +0000 (15:52 -0700)]
crypto: qat: fix issue when mapping assoc to internal AD struct

This patch fixes an issue when building an internal AD representation.
We need to check assoclen and not only blindly loop over assoc sgl.

Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - Set max request size
Tadeusz Struk [Fri, 5 Jun 2015 22:51:18 +0000 (15:51 -0700)]
crypto: qat - Set max request size

The device doensn't support the default value and will change it to 256, which
will cause performace degradation for biger packets.
Add an explicit write to set it to 1024.

Reported-by: Tianliang Wang <tianliang.wang@intel.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: testmgr - Document struct cipher_testvec
LABBE Corentin [Fri, 5 Jun 2015 09:39:22 +0000 (11:39 +0200)]
crypto: testmgr - Document struct cipher_testvec

Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: doc - Fix typo in crypto-API.xml
Masanari Iida [Wed, 3 Jun 2015 15:01:21 +0000 (00:01 +0900)]
crypto: doc - Fix typo in crypto-API.xml

This patch fix some typos found in crypto-API.xml.
It is because the file is generated from comments in sources,
so I had to fix typo in sources.

Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Acked-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: doc - Fix typo in crypto-API.tmpl
Masanari Iida [Wed, 3 Jun 2015 15:01:20 +0000 (00:01 +0900)]
crypto: doc - Fix typo in crypto-API.tmpl

This patch fix some spelling typo found in crypto-API.tmpl

Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Acked-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: rng - Remove krng
Herbert Xu [Wed, 3 Jun 2015 06:49:32 +0000 (14:49 +0800)]
crypto: rng - Remove krng

This patch removes krng so that DRBG can take its place.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: rng - Make DRBG the default RNG
Herbert Xu [Wed, 3 Jun 2015 06:49:31 +0000 (14:49 +0800)]
crypto: rng - Make DRBG the default RNG

This patch creates a new invisible Kconfig option CRYPTO_RNG_DEFAULT
that simply selects the DRBG.  This new option is then selected
by the IV generators.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: echainiv - Set Kconfig default to m
Herbert Xu [Wed, 3 Jun 2015 06:49:29 +0000 (14:49 +0800)]
crypto: echainiv - Set Kconfig default to m

As this is required by many IPsec algorithms, let's set the default
to m.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: drbg - Add stdrng alias and increase priority
Herbert Xu [Wed, 3 Jun 2015 06:49:28 +0000 (14:49 +0800)]
crypto: drbg - Add stdrng alias and increase priority

This patch adds the stdrng module alias and increases the priority
to ensure that it is loaded in preference to other RNGs.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: seqiv - Move IV seeding into init function
Herbert Xu [Wed, 3 Jun 2015 06:49:27 +0000 (14:49 +0800)]
crypto: seqiv - Move IV seeding into init function

We currently do the IV seeding on the first givencrypt call in
order to conserve entropy.  However, this does not work with
DRBG which cannot be called from interrupt context.  In fact,
with DRBG we don't need to conserve entropy anyway.  So this
patch moves the seeding into the init function.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: eseqiv - Move IV seeding into init function
Herbert Xu [Wed, 3 Jun 2015 06:49:25 +0000 (14:49 +0800)]
crypto: eseqiv - Move IV seeding into init function

We currently do the IV seeding on the first givencrypt call in
order to conserve entropy.  However, this does not work with
DRBG which cannot be called from interrupt context.  In fact,
with DRBG we don't need to conserve entropy anyway.  So this
patch moves the seeding into the init function.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: echainiv - Move IV seeding into init function
Herbert Xu [Wed, 3 Jun 2015 06:49:24 +0000 (14:49 +0800)]
crypto: echainiv - Move IV seeding into init function

We currently do the IV seeding on the first givencrypt call in
order to conserve entropy.  However, this does not work with
DRBG which cannot be called from interrupt context.  In fact,
with DRBG we don't need to conserve entropy anyway.  So this
patch moves the seeding into the init function.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: chainiv - Move IV seeding into init function
Herbert Xu [Wed, 3 Jun 2015 06:49:23 +0000 (14:49 +0800)]
crypto: chainiv - Move IV seeding into init function

We currently do the IV seeding on the first givencrypt call in
order to conserve entropy.  However, this does not work with
DRBG which cannot be called from interrupt context.  In fact,
with DRBG we don't need to conserve entropy anyway.  So this
patch moves the seeding into the init function.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: nx - fix nx-842 pSeries driver minimum buffer size
Dan Streetman [Tue, 2 Jun 2015 19:22:10 +0000 (15:22 -0400)]
crypto: nx - fix nx-842 pSeries driver minimum buffer size

Reduce the nx-842 pSeries driver minimum buffer size from 128 to 8.
Also replace the single use of IO_BUFFER_ALIGN macro with the standard
and correct DDE_BUFFER_ALIGN.

The hw sometimes rejects buffers that contain padding past the end of the
8-byte aligned section where it sees the "end" marker.  With the minimum
buffer size set too high, some highly compressed buffers were being padded
and the hw was incorrectly rejecting them; this sets the minimum correctly
so there will be no incorrect padding.

Signed-off-by: Dan Streetman <ddstreet@ieee.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoxfrm: Define ChaCha20-Poly1305 AEAD XFRM algo for IPsec users
Martin Willi [Mon, 1 Jun 2015 11:44:04 +0000 (13:44 +0200)]
xfrm: Define ChaCha20-Poly1305 AEAD XFRM algo for IPsec users

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: testmgr - Add draft-ietf-ipsecme-chacha20-poly1305 test vector
Martin Willi [Mon, 1 Jun 2015 11:44:03 +0000 (13:44 +0200)]
crypto: testmgr - Add draft-ietf-ipsecme-chacha20-poly1305 test vector

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: chacha20poly1305 - Add an IPsec variant for RFC7539 AEAD
Martin Willi [Mon, 1 Jun 2015 11:44:02 +0000 (13:44 +0200)]
crypto: chacha20poly1305 - Add an IPsec variant for RFC7539 AEAD

draft-ietf-ipsecme-chacha20-poly1305 defines the use of ChaCha20/Poly1305 in
ESP. It uses additional four byte key material as a salt, which is then used
with an 8 byte IV to form the ChaCha20 nonce as defined in the RFC7539.

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: testmgr - Add ChaCha20-Poly1305 test vectors from RFC7539
Martin Willi [Mon, 1 Jun 2015 11:44:01 +0000 (13:44 +0200)]
crypto: testmgr - Add ChaCha20-Poly1305 test vectors from RFC7539

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539
Martin Willi [Mon, 1 Jun 2015 11:44:00 +0000 (13:44 +0200)]
crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539

This AEAD uses a chacha20 ablkcipher and a poly1305 ahash to construct the
ChaCha20-Poly1305 AEAD as defined in RFC7539. It supports both synchronous and
asynchronous operations, even if we currently have no async chacha20 or poly1305
drivers.

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: testmgr - Add Poly1305 test vectors from RFC7539
Martin Willi [Mon, 1 Jun 2015 11:43:59 +0000 (13:43 +0200)]
crypto: testmgr - Add Poly1305 test vectors from RFC7539

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: poly1305 - Add a generic Poly1305 authenticator implementation
Martin Willi [Mon, 1 Jun 2015 11:43:58 +0000 (13:43 +0200)]
crypto: poly1305 - Add a generic Poly1305 authenticator implementation

Poly1305 is a fast message authenticator designed by Daniel J. Bernstein.
It is further defined in RFC7539 as a building block for the ChaCha20-Poly1305
AEAD for use in IETF protocols.

This is a portable C implementation of the algorithm without architecture
specific optimizations, based on public domain code by Daniel J. Bernstein and
Andrew Moon.

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: testmgr - Add ChaCha20 test vectors from RFC7539
Martin Willi [Mon, 1 Jun 2015 11:43:57 +0000 (13:43 +0200)]
crypto: testmgr - Add ChaCha20 test vectors from RFC7539

We explicitly set the Initial block Counter by prepending it to the nonce in
Little Endian. The same test vector is used for both encryption and decryption,
ChaCha20 is a cipher XORing a keystream.

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: chacha20 - Add a generic ChaCha20 stream cipher implementation
Martin Willi [Mon, 1 Jun 2015 11:43:56 +0000 (13:43 +0200)]
crypto: chacha20 - Add a generic ChaCha20 stream cipher implementation

ChaCha20 is a high speed 256-bit key size stream cipher algorithm designed by
Daniel J. Bernstein. It is further specified in RFC7539 for use in IETF
protocols as a building block for the ChaCha20-Poly1305 AEAD.

This is a portable C implementation without any architecture specific
optimizations. It uses a 16-byte IV, which includes the 12-byte ChaCha20 nonce
prepended by the initial block counter. Some algorithms require an explicit
counter value, for example the mentioned AEAD construction.

Signed-off-by: Martin Willi <martin@strongswan.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ccp - Protect against poorly marked end of sg list
Tom Lendacky [Mon, 1 Jun 2015 16:15:53 +0000 (11:15 -0500)]
crypto: ccp - Protect against poorly marked end of sg list

Scatter gather lists can be created with more available entries than are
actually used (e.g. using sg_init_table() to reserve a specific number
of sg entries, but in actuality using something less than that based on
the data length).  The caller sometimes fails to mark the last entry
with sg_mark_end().  In these cases, sg_nents() will return the original
size of the sg list as opposed to the actual number of sg entries that
contain valid data.

On arm64, if the sg_nents() value is used in a call to dma_map_sg() in
this situation, then it causes a BUG_ON in lib/swiotlb.c because an
"empty" sg list entry results in dma_capable() returning false and
swiotlb trying to create a bounce buffer of size 0. This occurred in
the userspace crypto interface before being fixed by

0f477b655a52 ("crypto: algif - Mark sgl end at the end of data")

Protect against this by using the new sg_nents_for_len() function which
returns only the number of sg entries required to meet the desired
length and supplying that value to dma_map_sg().

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoscatterlist: introduce sg_nents_for_len
Tom Lendacky [Mon, 1 Jun 2015 16:15:25 +0000 (11:15 -0500)]
scatterlist: introduce sg_nents_for_len

When performing a dma_map_sg() call, the number of sg entries to map is
required. Using sg_nents to retrieve the number of sg entries will
return the total number of entries in the sg list up to the entry marked
as the end. If there happen to be unused entries in the list, these will
still be counted. Some dma_map_sg() implementations will not handle the
unused entries correctly (lib/swiotlb.c) and execute a BUG_ON.

The sg_nents_for_len() function will traverse the sg list and return the
number of entries required to satisfy the supplied length argument. This
can then be supplied to the dma_map_sg() call to successfully map the
sg.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: scatterwalk - Hide PageSlab call to optimise away flush_dcache_page
Herbert Xu [Mon, 1 Jun 2015 08:22:03 +0000 (16:22 +0800)]
crypto: scatterwalk - Hide PageSlab call to optimise away flush_dcache_page

On architectures where flush_dcache_page is not needed, we will
end up generating all the code up to the PageSlab call.  This is
because PageSlab operates on a volatile pointer and thus cannot
be optimised away.

This patch works around this by checking whether flush_dcache_page
is needed before we call PageSlab which then allows PageSlab to be
compiled awy.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aesni - Convert rfc4106 to new AEAD interface
Herbert Xu [Mon, 1 Jun 2015 07:53:06 +0000 (15:53 +0800)]
crypto: aesni - Convert rfc4106 to new AEAD interface

This patch converts the low-level __gcm-aes-aesni algorithm to
the new AEAD interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: nx - prevent nx 842 load if no hw driver
Dan Streetman [Thu, 28 May 2015 20:21:31 +0000 (16:21 -0400)]
crypto: nx - prevent nx 842 load if no hw driver

Change the nx-842 common driver to wait for loading of both platform
drivers, and fail loading if the platform driver pointer is not set.
Add an independent platform driver pointer, that the platform drivers
set if they find they are able to load (i.e. if they find their platform
devicetree node(s)).

The problem is currently, the main nx-842 driver will stay loaded even
if there is no platform driver and thus no possible way it can do any
compression or decompression.  This allows the crypto 842-nx driver
to load even if it won't actually work.  For crypto compression users
(e.g. zswap) that expect an available crypto compression driver to
actually work, this is bad.  This patch fixes that, so the 842-nx crypto
compression driver won't load if it doesn't have the driver and hardware
available to perform the compression.

Signed-off-by: Dan Streetman <ddstreet@ieee.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: cryptd - Convert to new AEAD interface
Herbert Xu [Thu, 28 May 2015 14:08:04 +0000 (22:08 +0800)]
crypto: cryptd - Convert to new AEAD interface

This patch converts cryptd to the new AEAD interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aesni - Convert top-level rfc4106 algorithm to new interface
Herbert Xu [Thu, 28 May 2015 14:08:03 +0000 (22:08 +0800)]
crypto: aesni - Convert top-level rfc4106 algorithm to new interface

This patch converts rfc4106-gcm-aesni to the new AEAD interface.
The low-level interface remains as is for now because we can't
touch it until cryptd itself is upgraded.

In the conversion I've also removed the duplicate copy of the
context in the top-level algorithm.  Now all processing is carried
out in the low-level __driver-gcm-aes-aesni algorithm.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: cryptd - Add setkey/setauthsize functions for AEAD
Herbert Xu [Thu, 28 May 2015 14:08:01 +0000 (22:08 +0800)]
crypto: cryptd - Add setkey/setauthsize functions for AEAD

This patch adds setkey and setauthsize for cryptd AEAD.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: pcrypt - Add support for new AEAD interface
Herbert Xu [Thu, 28 May 2015 14:08:00 +0000 (22:08 +0800)]
crypto: pcrypt - Add support for new AEAD interface

This patch converts pcrypt over to the new AEAD interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Add multiple algorithm registration interface
Herbert Xu [Thu, 28 May 2015 14:07:59 +0000 (22:07 +0800)]
crypto: aead - Add multiple algorithm registration interface

This patch adds the helpers that allow the registration and removal
of multiple algorithms.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Ignore return value from crypto_unregister_alg
Herbert Xu [Thu, 28 May 2015 14:07:57 +0000 (22:07 +0800)]
crypto: aead - Ignore return value from crypto_unregister_alg

No new code should be using the return value of crypto_unregister_alg
as it will become void soon.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: api - Include alignment in crypto_alg_extsize
Herbert Xu [Thu, 28 May 2015 14:07:56 +0000 (22:07 +0800)]
crypto: api - Include alignment in crypto_alg_extsize

This patch ensures that the tfm context always has enough extra
memory to ensure that it is aligned according to cra_alignment.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Add aead_alg_instance
Herbert Xu [Thu, 28 May 2015 14:07:55 +0000 (22:07 +0800)]
crypto: aead - Add aead_alg_instance

Now that type-safe init/exit functions exist, they often need
to access the underlying aead_instance.  So this patch adds the
helper aead_alg_instance to access aead_instance from a crypto_aead
object.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Add type-safe init/exit functions
Herbert Xu [Thu, 28 May 2015 14:07:53 +0000 (22:07 +0800)]
crypto: aead - Add type-safe init/exit functions

As it stands the only non-type safe functions left in the new
AEAD interface are the cra_init/cra_exit functions.  It means
exposing the ugly __crypto_aead_cast to every AEAD implementor.

This patch adds type-safe init/exit functions to AEAD.  Existing
algorithms are unaffected while new implementations can simply
fill in these two instead of cra_init/cra_exit.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: doc - cover new AEAD interface
Stephan Mueller [Thu, 28 May 2015 06:52:42 +0000 (08:52 +0200)]
crypto: doc - cover new AEAD interface

The patch updates the DocBook to cover the new AEAD interface
implementation.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoRevert "crypto: algif_aead - Disable AEAD user-space for now"
Herbert Xu [Thu, 28 May 2015 03:30:35 +0000 (11:30 +0800)]
Revert "crypto: algif_aead - Disable AEAD user-space for now"

This reverts commit f858c7bcca8c20761a20593439fe998b4b67e86b as
the algif_aead interface has been switched over to the new AEAD
interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: jitterentropy - remove timekeeping_valid_for_hres
Stephan Mueller [Wed, 27 May 2015 11:50:12 +0000 (13:50 +0200)]
crypto: jitterentropy - remove timekeeping_valid_for_hres

The patch removes the use of timekeeping_valid_for_hres which is now
marked as internal for the time keeping subsystem. The jitterentropy
does not really require this verification as a coarse timer (when
random_get_entropy is absent) is discovered by the initialization test
of jent_entropy_init, which would cause the jitter rng to not load in
that case.

Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: algif_aead - Switch to new AEAD interface
Herbert Xu [Wed, 27 May 2015 09:24:41 +0000 (17:24 +0800)]
crypto: algif_aead - Switch to new AEAD interface

This patch makes use of the new AEAD interface which uses a single
SG list instead of separate lists for the AD and plain text.

Note that the user-space interface now requires both input and
output to be of the same length, and both must include space for
the AD as well as the authentication tag.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: tcrypt - Switch to new AEAD interface
Herbert Xu [Wed, 27 May 2015 08:03:51 +0000 (16:03 +0800)]
crypto: tcrypt - Switch to new AEAD interface

This patch makes use of the new AEAD interface which uses a single
SG list instead of separate lists for the AD and plain text.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agomac80211: Switch to new AEAD interface
Herbert Xu [Wed, 27 May 2015 08:03:50 +0000 (16:03 +0800)]
mac80211: Switch to new AEAD interface

This patch makes use of the new AEAD interface which uses a single
SG list instead of separate lists for the AD and plain text.

Tested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agomac802154: Switch to new AEAD interface
Herbert Xu [Wed, 27 May 2015 08:03:48 +0000 (16:03 +0800)]
mac802154: Switch to new AEAD interface

This patch makes use of the new AEAD interface which uses a single
SG list instead of separate lists for the AD and plain text.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoesp6: Switch to new AEAD interface
Herbert Xu [Wed, 27 May 2015 08:03:47 +0000 (16:03 +0800)]
esp6: Switch to new AEAD interface

This patch makes use of the new AEAD interface which uses a single
SG list instead of separate lists for the AD and plain text.  The
IV generation is also now carried out through normal AEAD methods.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoesp4: Switch to new AEAD interface
Herbert Xu [Wed, 27 May 2015 08:03:46 +0000 (16:03 +0800)]
esp4: Switch to new AEAD interface

This patch makes use of the new AEAD interface which uses a single
SG list instead of separate lists for the AD and plain text.  The
IV generation is also now carried out through normal AEAD methods.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoipsec: Add IV generator information to xfrm_state
Herbert Xu [Wed, 27 May 2015 08:03:45 +0000 (16:03 +0800)]
ipsec: Add IV generator information to xfrm_state

This patch adds IV generator information to xfrm_state.  This
is currently obtained from our own list of algorithm descriptions.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoxfrm: Add IV generator information to xfrm_algo_desc
Herbert Xu [Wed, 27 May 2015 08:03:44 +0000 (16:03 +0800)]
xfrm: Add IV generator information to xfrm_algo_desc

This patch adds IV generator information for each AEAD and block
cipher to xfrm_algo_desc.  This will be used to access the new
AEAD interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: testmgr - Switch to new AEAD interface
Herbert Xu [Wed, 27 May 2015 08:03:43 +0000 (16:03 +0800)]
crypto: testmgr - Switch to new AEAD interface

This patch makes use of the new AEAD interface which uses a single
SG list instead of separate lists for the AD and plain text.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: seqiv - Fix module unload/reload crash
Herbert Xu [Wed, 27 May 2015 06:37:40 +0000 (14:37 +0800)]
crypto: seqiv - Fix module unload/reload crash

On module unload we weren't unregistering the seqniv template,
thus leading to a crash the next time someone walks the template
list.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: seqiv - Fix IV size in context size calculation
Herbert Xu [Wed, 27 May 2015 06:37:39 +0000 (14:37 +0800)]
crypto: seqiv - Fix IV size in context size calculation

This patch fixes a bug in the context size calculation where we
were still referring to the old cra_aead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: seqiv - Use common IV generation code
Herbert Xu [Wed, 27 May 2015 06:37:37 +0000 (14:37 +0800)]
crypto: seqiv - Use common IV generation code

This patch makes use of the new common IV generation code.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: seqiv - Copy AD along with plain/cipher text
Herbert Xu [Wed, 27 May 2015 06:37:36 +0000 (14:37 +0800)]
crypto: seqiv - Copy AD along with plain/cipher text

As the AD does not necessarily exist in the destination buffer
it must be copied along with the plain/cipher text.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: echainiv - Fix IV size in context size calculation
Herbert Xu [Wed, 27 May 2015 06:37:34 +0000 (14:37 +0800)]
crypto: echainiv - Fix IV size in context size calculation

This patch fixes a bug in the context size calculation where we
were still referring to the old cra_aead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: echainiv - Use common IV generation code
Herbert Xu [Wed, 27 May 2015 06:37:33 +0000 (14:37 +0800)]
crypto: echainiv - Use common IV generation code

This patch makes use of the new common IV generation code.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: echainiv - Copy AD along with plain text
Herbert Xu [Wed, 27 May 2015 06:37:31 +0000 (14:37 +0800)]
crypto: echainiv - Copy AD along with plain text

As the AD does not necessarily exist in the destination buffer
it must be copied along with the plain text.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Add common IV generation code
Herbert Xu [Wed, 27 May 2015 06:37:30 +0000 (14:37 +0800)]
crypto: aead - Add common IV generation code

This patch adds some common IV generation code currently duplicated
by seqiv and echainiv.  For example, the setkey and setauthsize
functions are completely identical.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Preserve in-place processing in old_crypt
Herbert Xu [Wed, 27 May 2015 06:37:29 +0000 (14:37 +0800)]
crypto: aead - Preserve in-place processing in old_crypt

This patch tries to preserve in-place processing in old_crypt as
various algorithms are optimised for in-place processing where
src == dst.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: scatterwalk - Add missing sg_init_table to scatterwalk_ffwd
Herbert Xu [Wed, 27 May 2015 06:37:27 +0000 (14:37 +0800)]
crypto: scatterwalk - Add missing sg_init_table to scatterwalk_ffwd

We need to call sg_init_table as otherwise the first entry may
inadvertently become the last.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Document behaviour of AD in destination buffer
Herbert Xu [Wed, 27 May 2015 06:37:26 +0000 (14:37 +0800)]
crypto: aead - Document behaviour of AD in destination buffer

This patch defines the behaviour of AD in the new interface more
clearly.  In particular, it specifies that if the user must copy
the AD to the destination manually when src != dst if they wish
to guarantee that the destination buffer contains a copy of the
AD.

The reason for this is that otherwise every AEAD implementation
would have to perform such a copy when src != dst.  In reality
most users do in-place processing where src == dst so this is
not an issue.

This patch also kills some remaining references to cryptoff.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Herbert Xu [Thu, 28 May 2015 03:16:41 +0000 (11:16 +0800)]
Merge git://git./linux/kernel/git/herbert/crypto-2.6

Merge the crypto tree for 4.1 to pull in the changeset that disables
algif_aead.

9 years agocrypto: ccp - Remove unused structure field
Tom Lendacky [Tue, 26 May 2015 18:06:30 +0000 (13:06 -0500)]
crypto: ccp - Remove unused structure field

Remove the length field from the ccp_sg_workarea since it is unused.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ccp - Remove manual check and set of dma_mask pointer
Tom Lendacky [Tue, 26 May 2015 18:06:24 +0000 (13:06 -0500)]
crypto: ccp - Remove manual check and set of dma_mask pointer

The underlying device support will set the device dma_mask pointer
if DMA is set up properly for the device.  Remove the check for and
assignment of dma_mask when it is null. Instead, just error out if
the dma_set_mask_and_coherent function fails because dma_mask is null.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: jitterentropy - add jitterentropy RNG
Stephan Mueller [Mon, 25 May 2015 13:10:20 +0000 (15:10 +0200)]
crypto: jitterentropy - add jitterentropy RNG

The CPU Jitter RNG provides a source of good entropy by
collecting CPU executing time jitter. The entropy in the CPU
execution time jitter is magnified by the CPU Jitter Random
Number Generator. The CPU Jitter Random Number Generator uses
the CPU execution timing jitter to generate a bit stream
which complies with different statistical measurements that
determine the bit stream is random.

The CPU Jitter Random Number Generator delivers entropy which
follows information theoretical requirements. Based on these
studies and the implementation, the caller can assume that
one bit of data extracted from the CPU Jitter Random Number
Generator holds one bit of entropy.

The CPU Jitter Random Number Generator provides a decentralized
source of entropy, i.e. every caller can operate on a private
state of the entropy pool.

The RNG does not have any dependencies on any other service
in the kernel. The RNG only needs a high-resolution time
stamp.

Further design details, the cryptographic assessment and
large array of test results are documented at
http://www.chronox.de/jent.html.

CC: Andreas Steffen <andreas.steffen@strongswan.org>
CC: Theodore Ts'o <tytso@mit.edu>
CC: Sandy Harris <sandyinchina@gmail.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: drbg - use Jitter RNG to obtain seed
Stephan Mueller [Mon, 25 May 2015 13:09:59 +0000 (15:09 +0200)]
crypto: drbg - use Jitter RNG to obtain seed

During initialization, the DRBG now tries to allocate a handle of the
Jitter RNG. If such a Jitter RNG is available during seeding, the DRBG
pulls the required entropy/nonce string from get_random_bytes and
concatenates it with a string of equal size from the Jitter RNG. That
combined string is now the seed for the DRBG.

Written differently, the initial seed of the DRBG is now:

get_random_bytes(entropy/nonce) || jitterentropy (entropy/nonce)

If the Jitter RNG is not available, the DRBG only seeds from
get_random_bytes.

CC: Andreas Steffen <andreas.steffen@strongswan.org>
CC: Theodore Ts'o <tytso@mit.edu>
CC: Sandy Harris <sandyinchina@gmail.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: drbg - add async seeding operation
Stephan Mueller [Mon, 25 May 2015 13:09:36 +0000 (15:09 +0200)]
crypto: drbg - add async seeding operation

The async seeding operation is triggered during initalization right
after the first non-blocking seeding is completed. As required by the
asynchronous operation of random.c, a callback function is provided that
is triggered by random.c once entropy is available. That callback
function performs the actual seeding of the DRBG.

CC: Andreas Steffen <andreas.steffen@strongswan.org>
CC: Theodore Ts'o <tytso@mit.edu>
CC: Sandy Harris <sandyinchina@gmail.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: drbg - prepare for async seeding
Stephan Mueller [Mon, 25 May 2015 13:09:14 +0000 (15:09 +0200)]
crypto: drbg - prepare for async seeding

In order to prepare for the addition of the asynchronous seeding call,
the invocation of seeding the DRBG is moved out into a helper function.

In addition, a block of memory is allocated during initialization time
that will be used as a scratchpad for obtaining entropy. That scratchpad
is used for the initial seeding operation as well as by the
asynchronous seeding call. The memory must be zeroized every time the
DRBG seeding call succeeds to avoid entropy data lingering in memory.

CC: Andreas Steffen <andreas.steffen@strongswan.org>
CC: Theodore Ts'o <tytso@mit.edu>
CC: Sandy Harris <sandyinchina@gmail.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agorandom: Blocking API for accessing nonblocking_pool
Stephan Mueller [Mon, 25 May 2015 13:08:47 +0000 (15:08 +0200)]
random: Blocking API for accessing nonblocking_pool

The added API calls provide a synchronous function call
get_blocking_random_bytes where the caller is blocked until
the nonblocking_pool is initialized.

CC: Andreas Steffen <andreas.steffen@strongswan.org>
CC: Theodore Ts'o <tytso@mit.edu>
CC: Sandy Harris <sandyinchina@gmail.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agorandom: Wake up all getrandom(2) callers when pool is ready
Herbert Xu [Thu, 21 May 2015 08:19:54 +0000 (16:19 +0800)]
random: Wake up all getrandom(2) callers when pool is ready

If more than one application invokes getrandom(2) before the pool
is ready, then all bar one will be stuck forever because we use
wake_up_interruptible which wakes up a single task.

This patch replaces it with wake_up_all.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: algif_aead - Disable AEAD user-space for now
Herbert Xu [Tue, 26 May 2015 07:32:42 +0000 (15:32 +0800)]
crypto: algif_aead - Disable AEAD user-space for now

The newly added AEAD user-space isn't quite ready for prime time
just yet.  In particular it is conflicting with the AEAD single
SG list interface change so this patch disables it now.

Once the SG list stuff is completely done we can then renable
this interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Remove unused cryptoff parameter
Herbert Xu [Sat, 23 May 2015 07:41:57 +0000 (15:41 +0800)]
crypto: aead - Remove unused cryptoff parameter

This patch removes the cryptoff parameter now that all users
set it to zero.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: seqiv - Stop using cryptoff
Herbert Xu [Sat, 23 May 2015 07:41:56 +0000 (15:41 +0800)]
crypto: seqiv - Stop using cryptoff

The cryptoff parameter was added to facilitate the skipping of
IVs that sit between the AD and the plain/cipher text.  However,
it was never implemented correctly as and we do not handle users
such as IPsec setting cryptoff.  It is simply ignored.

Implementing correctly is in fact more trouble than what it's
worth.

This patch removes the uses of cryptoff by moving the AD forward
to fill the gap left by the IV.  The AD is moved back after the
underlying AEAD processing is finished.

This is in fact beter than the cryptoff solution because it allows
algorithms that use seqniv (i.e., GCM and CCM) to hash the whole
packet as a single piece, while cryptoff meant that there was
guaranteed to be a gap.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: echainiv - Stop using cryptoff
Herbert Xu [Sat, 23 May 2015 07:41:54 +0000 (15:41 +0800)]
crypto: echainiv - Stop using cryptoff

The cryptoff parameter was added to facilitate the skipping of
IVs that sit between the AD and the plain/cipher text.  However,
it was never implemented correctly as and we do not handle users
such as IPsec setting cryptoff.  It is simply ignored.

Implementing correctly is in fact more trouble than what it's
worth.

This patch removes the uses of cryptoff and simply falls back
to using the old AEAD interface as it's only needed for old AEAD
implementations.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Do not set cra_type for new style instances
Herbert Xu [Sat, 23 May 2015 07:41:53 +0000 (15:41 +0800)]
crypto: aead - Do not set cra_type for new style instances

The function aead_geniv_alloc currently sets cra_type even for
new style instances.  This is unnecessary and may hide bugs such
as when our caller uses crypto_register_instance instead of the
correct aead_register_instance.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: echainiv - Use aead_register_instance
Herbert Xu [Sat, 23 May 2015 07:41:52 +0000 (15:41 +0800)]
crypto: echainiv - Use aead_register_instance

New style AEAD instances must use aead_register_instance.  This
worked by chance because aead_geniv_alloc is still setting things
the old way.

This patch converts the template over to the create model where
we are responsible for instance registration so that we can call
the correct function.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: seqiv - Use aead_register_instance
Herbert Xu [Sat, 23 May 2015 07:41:51 +0000 (15:41 +0800)]
crypto: seqiv - Use aead_register_instance

New style AEAD instances must use aead_register_instance.  This
worked by chance because aead_geniv_alloc is still setting things
the old way.

This patch converts the template over to the create model where
we are responsible for instance registration so that we can call
the correct function.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Use tmpl->create
Herbert Xu [Sat, 23 May 2015 07:41:49 +0000 (15:41 +0800)]
crypto: aead - Use tmpl->create

Newer templates use tmpl->create and have a NULL tmpl->alloc.  So
we must use tmpl->create if it is set.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: skcipher - Use tmpl->create
Herbert Xu [Sat, 23 May 2015 07:41:48 +0000 (15:41 +0800)]
crypto: skcipher - Use tmpl->create

Newer templates use tmpl->create and have a NULL tmpl->alloc.  So
we must use tmpl->create if it is set.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: echainiv - echainiv_read_iv() can be static
Wu Fengguang [Sat, 23 May 2015 03:22:47 +0000 (11:22 +0800)]
crypto: echainiv - echainiv_read_iv() can be static

Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: mv_cesa - request registers memory region
Boris BREZILLON [Fri, 22 May 2015 13:33:47 +0000 (15:33 +0200)]
crypto: mv_cesa - request registers memory region

The mv_cesa driver does not request the CESA registers memory region.
Since we're about to add a new CESA driver, we need to make sure only one
of these drivers probe the CESA device, and requesting the registers memory
region is a good way to achieve that.

Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: pcrypt - Make tfm_count an atomic_t
Herbert Xu [Fri, 22 May 2015 12:34:22 +0000 (20:34 +0800)]
crypto: pcrypt - Make tfm_count an atomic_t

The variable tfm_count is accessed by multiple threads without
locking.  This patch converts it to an atomic_t.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Add crypto_aead_alg_ivsize/maxauthsize
Herbert Xu [Fri, 22 May 2015 08:30:48 +0000 (16:30 +0800)]
crypto: aead - Add crypto_aead_alg_ivsize/maxauthsize

AEAD algorithm implementors need to figure out a given algorithm's
IV size and maximum authentication size.  During the transition
this is difficult to do as an algorithm could be new style or old
style.

This patch creates two helpers to make this easier.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: testmgr - Added one larger ghash testvector (400 bytes) to the testmgr.
Harald Freudenberger [Thu, 21 May 2015 15:34:31 +0000 (17:34 +0200)]
crypto: testmgr - Added one larger ghash testvector (400 bytes) to the testmgr.

Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: echainiv - Add encrypted chain IV generator
Herbert Xu [Thu, 21 May 2015 07:11:15 +0000 (15:11 +0800)]
crypto: echainiv - Add encrypted chain IV generator

This patch adds a new AEAD IV generator echainiv.  It is intended
to replace the existing skcipher IV generator eseqiv.

If the underlying AEAD algorithm is using the old AEAD interface,
then echainiv will simply use its IV generator.

Otherwise, echainiv will encrypt a counter just like eseqiv but
it'll first xor it against a previously stored IV similar to
chainiv.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: seqiv - Add seqniv
Herbert Xu [Thu, 21 May 2015 07:11:14 +0000 (15:11 +0800)]
crypto: seqiv - Add seqniv

This patch adds a new IV generator seqniv which is identical to
seqiv except that it skips the IV when authenticating.  This is
intended to be used by algorithms such as rfc4106 that does the
IV authentication implicitly.

Note that the code used for seqniv is in fact identical to the
compatibility case for seqiv.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: seqiv - Add support for new AEAD interface
Herbert Xu [Thu, 21 May 2015 07:11:13 +0000 (15:11 +0800)]
crypto: seqiv - Add support for new AEAD interface

This patch converts the seqiv IV generator to work with the new
AEAD interface where IV generators are just normal AEAD algorithms.

Full backwards compatibility is paramount at this point since
no users have yet switched over to the new interface.  Nor can
they switch to the new interface until IV generation is fully
supported by it.

So this means we are adding two versions of seqiv alongside the
existing one.  The first one is the one that will be used when
the underlying AEAD algorithm has switched over to the new AEAD
interface.  The second one handles the current case where the
underlying AEAD algorithm still uses the old interface.

Both versions export themselves through the new AEAD interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: scatterwalk - Check for same address in map_and_copy
Herbert Xu [Thu, 21 May 2015 07:11:12 +0000 (15:11 +0800)]
crypto: scatterwalk - Check for same address in map_and_copy

This patch adds a check for in scatterwalk_map_and_copy to avoid
copying from the same address to the same address.  This is going
to be used for IV copying in AEAD IV generators.

There is no provision for partial overlaps.

This patch also uses the new scatterwalk_ffwd instead of doing
it by hand in scatterwalk_map_and_copy.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: gcm - Use default null skcipher
Herbert Xu [Thu, 21 May 2015 07:11:11 +0000 (15:11 +0800)]
crypto: gcm - Use default null skcipher

This patch makes gcm use the default null skcipher instead of
allocating a new one for each tfm.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: null - Add default null skcipher
Herbert Xu [Thu, 21 May 2015 07:11:09 +0000 (15:11 +0800)]
crypto: null - Add default null skcipher

This patch adds a default null skcipher for users such as gcm
to perform copies on SG lists.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Add support for new AEAD implementations
Herbert Xu [Thu, 21 May 2015 07:11:08 +0000 (15:11 +0800)]
crypto: aead - Add support for new AEAD implementations

This patch adds the basic structure of the new AEAD type.  Unlike
the current version, there is no longer any concept of geniv.  IV
generation will still be carried out by wrappers but they will be
normal AEAD algorithms that simply take the IPsec sequence number
as the IV.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: nx - Remove unnecessary maxauthsize check
Herbert Xu [Thu, 21 May 2015 07:11:07 +0000 (15:11 +0800)]
crypto: nx - Remove unnecessary maxauthsize check

The crypto layer already checks maxauthsize when setauthsize is
called.  So there is no need to check it again within setauthsize.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ixp4xx - Use crypto_aead_maxauthsize
Herbert Xu [Thu, 21 May 2015 07:11:06 +0000 (15:11 +0800)]
crypto: ixp4xx - Use crypto_aead_maxauthsize

This patch uses the helper crypto_aead_maxauthsize instead of
directly dereferencing aead_alg.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Add crypto_aead_maxauthsize
Herbert Xu [Thu, 21 May 2015 07:11:05 +0000 (15:11 +0800)]
crypto: aead - Add crypto_aead_maxauthsize

This patch adds the helper crypto_aead_maxauthsize to remove the
need to directly dereference aead_alg internals by AEAD implementors.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: caam - Use old_aead_alg
Herbert Xu [Thu, 21 May 2015 07:11:03 +0000 (15:11 +0800)]
crypto: caam - Use old_aead_alg

This patch replaces references to aead_alg with old_aead_alg.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Rename aead_alg to old_aead_alg
Herbert Xu [Thu, 21 May 2015 07:11:02 +0000 (15:11 +0800)]
crypto: aead - Rename aead_alg to old_aead_alg

This patch is the first step in the introduction of a new AEAD
alg type.  Unlike normal conversions this patch only renames the
existing aead_alg structure because there are external references
to it.

Those references will be removed after this patch.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aead - Add new interface with single SG list
Herbert Xu [Thu, 21 May 2015 07:11:01 +0000 (15:11 +0800)]
crypto: aead - Add new interface with single SG list

The primary user of AEAD, IPsec includes the IV in the AD in
most cases, except where it is implicitly authenticated by the
underlying algorithm.

The way it is currently implemented is a hack because we pass
the data in piecemeal and the underlying algorithms try to stitch
them back up into one piece.

This is why this patch is adding a new interface that allows a
single SG list to be passed in that contains everything so the
algorithm implementors do not have to stitch.

The new interface accepts a single source SG list and a single
destination SG list.  Both must be laid out as follows:

AD, skipped data, plain/cipher text, ICV

The ICV is not present from the source during encryption and from
the destination during decryption.

For the top-level IPsec AEAD algorithm the plain/cipher text will
contain the generated (or received) IV.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>