Commit Graph

89 Commits

Author SHA1 Message Date
Tan Swee Heng
6d1a69d53a [CRYPTO] tcrypt: Support for large test vectors
Currently the number of entries in a cipher test vector template is
limited by TVMEMSIZE/sizeof(struct cipher_testvec). This patch
circumvents the problem by pointing cipher_tv to each entry in the
template, rather than the template itself.

Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:25 +11:00
Mikko Herranen
28db8e3e38 [CRYPTO] gcm: New algorithm
Add GCM/GMAC support to cryptoapi.

GCM (Galois/Counter Mode) is an AEAD mode of operations for any block cipher
with a block size of 16.  The typical example is AES-GCM.

Signed-off-by: Mikko Herranen <mh1@iki.fi>
Reviewed-by: Mika Kukkonen <mika.kukkonen@nsn.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:23 +11:00
Mikko Herranen
e3a4ea4fd2 [CRYPTO] tcrypt: Add aead support
Add AEAD support to tcrypt, needed by GCM.

Signed-off-by: Mikko Herranen <mh1@iki.fi>
Reviewed-by: Mika Kukkonen <mika.kukkonen@nsn.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:23 +11:00
Tan Swee Heng
2407d60872 [CRYPTO] salsa20: Salsa20 stream cipher
This patch implements the Salsa20 stream cipher using the blkcipher interface.

The core cipher code comes from Daniel Bernstein's submission to eSTREAM:
  http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/ref/

The test vectors comes from:
  http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/

It has been tested successfully with "modprobe tcrypt mode=34" on an
UML instance.

Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:15 +11:00
Jonathan Lynch
cd12fb906d [CRYPTO] sha256-generic: Extend sha256_generic.c to support SHA-224
Resubmitting this patch which extends sha256_generic.c to support SHA-224 as
described in FIPS 180-2 and RFC 3874. HMAC-SHA-224 as described in RFC4231
is then supported through the hmac interface.

Patch includes test vectors for SHA-224 and HMAC-SHA-224.

SHA-224 chould be chosen as a hash algorithm when 112 bits of security
strength is required.

Patch generated against the 2.6.24-rc1 kernel and tested against
2.6.24-rc1-git14 which includes fix for scatter gather implementation for HMAC.

Signed-off-by: Jonathan Lynch <jonathan.lynch@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:12 +11:00
Joy Latten
41fdab3dd3 [CRYPTO] ctr: Add countersize
This patch adds countersize to CTR mode.
The template is now ctr(algo,noncesize,ivsize,countersize).

For example, ctr(aes,4,8,4) indicates the counterblock
will be composed of a salt/nonce that is 4 bytes, an iv
that is 8 bytes and the counter is 4 bytes.

When noncesize + ivsize < blocksize, CTR initializes the
last block - ivsize - noncesize portion of the block to
zero.  Otherwise the counter block is composed of the IV
(and nonce if necessary).

If noncesize + ivsize == blocksize, then this indicates that
user is passing in entire counterblock. Thus countersize
indicates the amount of bytes in counterblock to use as
the counter for incrementing. CTR will increment counter
portion by 1, and begin encryption with that value.

Note that CTR assumes the counter portion of the block that
will be incremented is stored in big endian.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:08 +11:00
Joy Latten
23e353c8a6 [CRYPTO] ctr: Add CTR (Counter) block cipher mode
This patch implements CTR mode for IPsec.
It is based off of RFC 3686.

Please note:
1. CTR turns a block cipher into a stream cipher.
Encryption is done in blocks, however the last block
may be a partial block.

A "counter block" is encrypted, creating a keystream
that is xor'ed with the plaintext. The counter portion
of the counter block is incremented after each block
of plaintext is encrypted.
Decryption is performed in same manner.

2. The CTR counterblock is composed of,
        nonce + IV + counter

The size of the counterblock is equivalent to the
blocksize of the cipher.
        sizeof(nonce) + sizeof(IV) + sizeof(counter) = blocksize

The CTR template requires the name of the cipher
algorithm, the sizeof the nonce, and the sizeof the iv.
        ctr(cipher,sizeof_nonce,sizeof_iv)

So for example,
        ctr(aes,4,8)
specifies the counterblock will be composed of 4 bytes
from a nonce, 8 bytes from the iv, and 4 bytes for counter
since aes has a blocksize of 16 bytes.

3. The counter portion of the counter block is stored
in big endian for conformance to rfc 3686.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-01-11 08:16:01 +11:00
Herbert Xu
a5a613a429 [CRYPTO] tcrypt: Move sg_init_table out of timing loops
This patch moves the sg_init_table out of the timing loops for hash
algorithms so that it doesn't impact on the speed test results.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-27 00:51:21 -07:00
David S. Miller
b733588559 [CRYPTO]: Initialize TCRYPT on-stack scatterlist objects correctly.
Use sg_init_one() and sg_init_table() as needed.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-26 00:38:10 -07:00
Jens Axboe
78c2f0b8c2 [SG] Update crypto/ to sg helpers
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
2007-10-22 19:40:16 +02:00
Rik Snel
f19f5111c9 [CRYPTO] xts: XTS blockcipher mode implementation without partial blocks
XTS currently considered to be the successor of the LRW mode by the IEEE1619
workgroup. LRW was discarded, because it was not secure if the encyption key
itself is encrypted with LRW.

XTS does not have this problem. The implementation is pretty straightforward,
a new function was added to gf128mul to handle GF(128) elements in ble format.
Four testvectors from the specification
	http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
were added, and they verify on my system.

Signed-off-by: Rik Snel <rsnel@cube.dyndns.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:45 -07:00
Hye-Shik Chang
e2ee95b8c6 [CRYPTO] seed: New cipher algorithm
This patch adds support for the SEED cipher (RFC4269).

This patch have been used in few VPN appliance vendors in Korea for
several years.  And it was verified by KISA, who developed the
algorithm itself.

As its importance in Korean banking industry, it would be great
if linux incorporates the support.

Signed-off-by: Hye-Shik Chang <perky@FreeBSD.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-10 16:55:38 -07:00
Herbert Xu
29059d12e0 [CRYPTO] tcrypt: Add missing error check
The return value of crypto_hash_final isn't checked in test_hash_cycles.
This patch corrects this.  Thanks to Eric Sesterhenn for reporting this.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-05-18 16:25:19 +10:00
Herbert Xu
6158efc090 [CRYPTO] tcrypt: Use async blkcipher interface
This patch converts the tcrypt module to use the asynchronous block cipher
interface.  As all synchronous block ciphers can be used through the async
interface, tcrypt is still able to test them.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-05-02 14:38:30 +10:00
Sebastian Siewior
7bc301e97b [CRYPTO] tcrypt: Fix error checking for comp allocation
This patch fixes loading the tcrypt module while deflate isn't available
at all (isn't build).

Signed-off-by: Sebastian Siewior <linux-crypto@ml.breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-03-21 08:58:43 +11:00
Noriaki TAKAMIYA
02ab5a7056 [CRYPTO] camellia: added the testing code of Camellia cipher
This patch adds the code of Camellia code for testing module.

Signed-off-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-02-07 09:21:04 +11:00
Herbert Xu
ba8da2a948 [CRYPTO] tcrypt: Removed vestigial crypto_alloc_tfm call
The crypto_comp conversion missed the last remaining crypto_alloc_tfm
call.  This patch replaces it with crypto_alloc_comp.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-02-07 09:21:00 +11:00
David Howells
90831639a6 [CRYPTO] fcrypt: Add FCrypt from RxRPC
Add a crypto module to provide FCrypt encryption as used by RxRPC.

Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-02-07 09:20:59 +11:00
Andrew Donofrio
a28091ae17 [CRYPTO] tcrypt: Added test vectors for sha384/sha512
This patch adds tests for SHA384 HMAC and SHA512 HMAC to the tcrypt module. Test data was taken from
RFC4231. This patch is a follow-up to the discovery (bug 7646) that the kernel SHA384 HMAC
implementation was not generating proper SHA384 HMACs.

Signed-off-by: Andrew Donofrio <linuxbugzilla@kriptik.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-02-07 09:20:58 +11:00
Rik Snel
f3d1044cd0 [CRYPTO] tcrypt: LRW test vectors
Do modprobe tcrypt mode=10 to check the included test vectors, they are
from: http://grouper.ieee.org/groups/1619/email/pdf00017.pdf and from
http://www.mail-archive.com/stds-p1619@listserv.ieee.org/msg00173.html.

To make the last test vector fit, I had to increase the buffer size of
input and result to 512 bytes.

Signed-off-by: Rik Snel <rsnel@cube.dyndns.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2006-12-06 18:38:58 -08:00
Kazunori MIYAZAWA
5b2becf5dc [CRYPTO] tcrypt: Add test vectors of AES_XCBC
est vectors of XCBC with AES-128.

Signed-off-by: Kazunori MIYAZAWA <miyazawa@linux-ipv6.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2006-12-06 18:38:50 -08:00
Herbert Xu
e4d5b79c66 [CRYPTO] users: Use crypto_comp and crypto_has_*
This patch converts all users to use the new crypto_comp type and the
crypto_has_* functions.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2006-09-21 11:46:22 +10:00
Herbert Xu
e9d41164e2 [CRYPTO] tcrypt: Use HMAC template and hash interface
This patch converts tcrypt to use the new HMAC template rather than the
hard-coded version of HMAC.  It also converts all digest users to use
the new cipher interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-09-21 11:46:18 +10:00
Herbert Xu
cba83564d1 [CRYPTO] tcrypt: Use block ciphers where applicable
This patch converts tcrypt to use the new block cipher type where
applicable.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2006-09-21 11:44:50 +10:00
Herbert Xu
c907ee76d8 [CRYPTO] tcrypt: Use test_hash for crc32c
Now that crc32c has been fixed to conform with standard digest semantics,
we can use test_hash for it.  I've turned the last test into a chunky
test.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2006-09-21 11:41:03 +10:00
Herbert Xu
560c06ae1a [CRYPTO] api: Get rid of flags argument to setkey
Now that the tfm is passed directly to setkey instead of the ctx, we no
longer need to pass the &tfm->crt_flags pointer.

This patch also gets rid of a few unnecessary checks on the key length
for ciphers as the cipher layer guarantees that the key length is within
the bounds specified by the algorithm.

Rather than testing dia_setkey every time, this patch does it only once
during crypto_alloc_tfm.  The redundant check from crypto_digest_setkey
is also removed.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2006-09-21 11:41:02 +10:00
Herbert Xu
25cdbcd9e5 [CRYPTO] crc32c: Fix unconventional setkey usage
The convention for setkey is that once it is set it should not change,
in particular, init must not wipe out the key set by it.  In fact, init
should always be used after setkey before any digestion is performed.

The only user of crc32c that sets the key is tcrypt.  This patch adds
the necessary init calls there.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2006-09-21 11:41:01 +10:00
Michal Ludvig
e805792851 [CRYPTO] tcrypt: Speed benchmark support for digest algorithms
This patch adds speed tests (benchmarks) for digest algorithms.
Tests are run with different buffer sizes (16 bytes, ... 8 kBytes)
and with each buffer multiple tests are run with different update()
sizes (e.g. hash 64 bytes buffer in four 16 byte updates).
There is no correctness checking of the result and all tests and
algorithms use the same input buffer.

Signed-off-by: Michal Ludvig <michal@logix.cz>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2006-06-26 17:34:41 +10:00
Michal Ludvig
14fdf477a7 [CRYPTO] tcrypt: Return -EAGAIN from module_init()
Intentionaly return -EAGAIN from module_init() to ensure
it doesn't stay loaded in the kernel.  The module does all
its work from init() and doesn't offer any runtime
functionality => we don't need it in the memory, do we?

Signed-off-by: Michal Ludvig <michal@logix.cz>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2006-06-26 17:34:41 +10:00
Jan Glauber
05f29fcdb0 [PATCH] s390: in-kernel crypto test vectors
Add new test vectors to the AES test suite for AES CBC and AES with plaintext
larger than AES blocksize.

Signed-off-by: Jan Glauber <jan.glauber@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-01-06 08:33:51 -08:00
Herbert Xu
6df5b9f48d [CRYPTO] Simplify one-member scatterlist expressions
This patch rewrites various occurences of &sg[0] where sg is an array
of length one to simply sg.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2005-10-30 11:19:43 +11:00
David Hardeman
378f058cc4 [PATCH] Use sg_set_buf/sg_init_one where applicable
This patch uses sg_set_buf/sg_init_one in some places where it was
duplicated.

Signed-off-by: David Hardeman <david@2gen.com>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Cc: Greg KH <greg@kroah.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jeff Garzik <jgarzik@pobox.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2005-10-30 11:19:43 +11:00
Aaron Grothe
fb4f10ed50 [CRYPTO]: Fix XTEA implementation
The XTEA implementation was incorrect due to a misinterpretation of
operator precedence.  Because of the wide-spread nature of this
error, the erroneous implementation will be kept, albeit under the
new name of XETA.

Signed-off-by: Aaron Grothe <ajgrothe@yahoo.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-09-01 17:42:46 -07:00
Herbert Xu
6a17944ca1 [CRYPTO]: Use CPU cycle counters in tcrypt
After using this facility for a while to test my changes to the
cipher crypt() layer, I realised that I should've listend to Dave
and made this thing use CPU cycle counters :) As it is it's too
jittery for me to feel safe about relying on the results.

So here is a patch to make it use CPU cycles by default but fall
back to jiffies if the user specifies a non-zero sec value.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-06-22 13:29:03 -07:00
Herbert Xu
dce907c00f [CRYPTO]: Use template keys for speed tests if possible
The existing keys used in the speed tests do not pass the 3DES quality check.
This patch makes it use the template keys instead.

Other algorithms can supply template keys through the same interface if needed.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-06-22 13:27:51 -07:00
Harald Welte
ebfd9bcf16 [CRYPTO]: Add cipher speed tests
From: Reyk Floeter <reyk@vantronix.net>

I recently had the requirement to do some benchmarking on cryptoapi, and
I found reyk's very useful performance test patch [1].

However, I could not find any discussion on why that extension (or
something providing a similar feature but different implementation) was
not merged into mainline.  If there was such a discussion, can someone
please point me to the archive[s]?

I've now merged the old patch into 2.6.12-rc1, the result can be found
attached to this email.

[1] http://lists.logix.cz/pipermail/padlock/2004/000010.html

Signed-off-by: Harald Welte <laforge@gnumonks.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-06-22 13:27:23 -07:00
Herbert Xu
3cc3816f93 [CRYPTO]: Kill unnecessary strncpy from tcrypt
It seems that bad code tends to get copied (see test_cipher_speed).  So let's
kill this idiom before it spreads any further.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-06-22 13:26:36 -07:00
Herbert Xu
ef2736fc74 [CRYPTO]: White space and coding style clean up in tcrypt
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-06-22 13:26:03 -07:00
Linus Torvalds
1da177e4c3 Linux-2.6.12-rc2
Initial git repository build. I'm not bothering with the full history,
even though we have it. We can create a separate "historical" git
archive of that later if we want to, and in the meantime it's about
3.2GB when imported into git - space that would just make the early
git days unnecessarily complicated, when we don't have a lot of good
infrastructure for it.

Let it rip!
2005-04-16 15:20:36 -07:00