summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* [CRYPTO] gcm: New algorithmMikko Herranen2008-01-115-0/+848
| | | | | | | | | | | Add GCM/GMAC support to cryptoapi. GCM (Galois/Counter Mode) is an AEAD mode of operations for any block cipher with a block size of 16. The typical example is AES-GCM. Signed-off-by: Mikko Herranen <mh1@iki.fi> Reviewed-by: Mika Kukkonen <mika.kukkonen@nsn.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] tcrypt: Add aead supportMikko Herranen2008-01-112-9/+271
| | | | | | | | Add AEAD support to tcrypt, needed by GCM. Signed-off-by: Mikko Herranen <mh1@iki.fi> Reviewed-by: Mika Kukkonen <mika.kukkonen@nsn.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] camellia: Move more common code into camellia_setup_tailDenys Vlasenko2008-01-111-134/+84
| | | | | | | | | | | Analogously to camellia7 patch, move "absorb kw2 to other subkeys" and "absorb kw4 to other subkeys" code parts into camellia_setup_tail(). This further reduces source and object code size at the cost of two brances in key setup code. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] camellia: Move common code into camellia_setup_tailDenys Vlasenko2008-01-111-160/+104
| | | | | | | | | Move "key XOR is end of F-function" code part into camellia_setup_tail(), it is sufficiently similar between camellia_setup128 and camellia_setup256. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] camellia: Merge encrypt/decrypt routines for all key lengthsDenys Vlasenko2008-01-111-403/+106
| | | | | | | | | | | unifies encrypt/decrypt routines for different key lengths. This reduces module size by ~25%, with tiny (less than 1%) speed impact. Also collapses encrypt/decrypt into more readable (visually shorter) form using macros. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] camellia: Code shrinkDenys Vlasenko2008-01-111-134/+135
| | | | | | | | | | Remove unused macro params. Use (u8)(expr) instead of (expr) & 0xff, helps gcc to realize how to use simpler commands. Move CAMELLIA_FLS macro closer to encrypt/decrypt routines. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] ctr: Use crypto_inc and crypto_xorHerbert Xu2008-01-111-55/+16
| | | | | | This patch replaces the custom inc/xor in CTR with the generic functions. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] pcbc: Use crypto_xorHerbert Xu2008-01-111-81/+24
| | | | | | | | | This patch replaces the custom xor in CBC with the generic crypto_xor. It changes the operations for in-place encryption slightly to avoid calling crypto_xor with tmpbuf since it is not necessarily aligned. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] cbc: Require block size to be a power of 2Herbert Xu2008-01-111-8/+10
| | | | | | | | | | | | | | All common block ciphers have a block size that's a power of 2. In fact, all of our block ciphers obey this rule. If we require this then CBC can be optimised to avoid an expensive divide on in-place decryption. I've also changed the saving of the first IV in the in-place decryption case to the last IV because that lets us use walk->iv (which is already aligned) for the xor operation where alignment is required. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] cbc: Use crypto_xorHerbert Xu2008-01-111-77/+16
| | | | | | This patch replaces the custom xor in CBC with the generic crypto_xor. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] api: Add crypto_inc and crypto_xorHerbert Xu2008-01-112-0/+51
| | | | | | | | | | | | With the addition of more stream ciphers we need to curb the proliferation of ad-hoc xor functions. This patch creates a generic pair of functions, crypto_inc and crypto_xor which does big-endian increment and exclusive or, respectively. For optimum performance, they both use u32 operations so alignment must be as that of u32 even though the arguments are of type u8 *. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [HIFN]: Add support for using the random number generatorPatrick McHardy2008-01-111-1/+81
| | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [HIFN]: Improve PLL initializationPatrick McHardy2008-01-111-2/+108
| | | | | | | | | | | | | | | | | | | | | | | | | | The current PLL initalization has a number of deficiencies: - uses fixed multiplier of 8, which overclocks the chip when using a reference clock that operates at frequencies above 33MHz. According to a comment in the BSD source, this is true for the external clock on almost all every board. - writes to a reserved bit - doesn't follow the initialization procedure specified in chapter 6.11.1 of the HIFN hardware users guide - doesn't allow to use the PCI clock This patch adds a module parameter to specify the reference clock (pci or external) and its frequency and uses that to calculate the optimum multiplier to reach the maximal speed. By default it uses the external clock and assumes a speed of 66MHz, which effectively halfs the frequency currently used. Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [HWRNG]: move status polling loop to data_present callbacksPatrick McHardy2008-01-118-38/+73
| | | | | | | | | Handle waiting for new random within the drivers themselves, this allows to use better suited timeouts for the individual rngs. Signed-off-by: Patrick McHardy <kaber@trash.net> Acked-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] salsa20: Salsa20 stream cipherTan Swee Heng2008-01-115-1/+424
| | | | | | | | | | | | | | | | This patch implements the Salsa20 stream cipher using the blkcipher interface. The core cipher code comes from Daniel Bernstein's submission to eSTREAM: http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/ref/ The test vectors comes from: http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/ It has been tested successfully with "modprobe tcrypt mode=34" on an UML instance. Signed-off-by: Tan Swee Heng <thesweeheng@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] ablkcipher: Add distinct ABLKCIPHER typeHerbert Xu2008-01-116-20/+19
| | | | | | | | | | | | | | | | | | | | | | | | Up until now we have ablkcipher algorithms have been identified as type BLKCIPHER with the ASYNC bit set. This is suboptimal because ablkcipher refers to two things. On the one hand it refers to the top-level ablkcipher interface with requests. On the other hand it refers to and algorithm type underneath. As it is you cannot request a synchronous block cipher algorithm with the ablkcipher interface on top. This is a problem because we want to be able to eventually phase out the blkcipher top-level interface. This patch fixes this by making ABLKCIPHER its own type, just as we have distinct types for HASH and DIGEST. The type it associated with the algorithm implementation only. Which top-level interface is used for synchronous block ciphers is then determined by the mask that's used. If it's a specific mask then the old blkcipher interface is given, otherwise we go with the new ablkcipher interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] doc: Update api-intro.txtHerbert Xu2008-01-111-25/+16
| | | | | | | | | | | | | | This patch updates the list of transforms we support and clarifies that the Block Ciphers interface in fact supports all ciphers including stream ciphers. It also removes the obsolete Configuration Notes section and adds the linux-crypto mailing list as the primary bug reporting address. Finally it documents the fact that setkey should only be called from user context. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] scatterwalk: Use generic scatterlist chainingHerbert Xu2008-01-114-9/+3
| | | | | | | This patch converts the crypto scatterwalk code to use the generic scatterlist chaining rather the version specific to crypto. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] hifn: Add missing includesAndrew Morton2008-01-111-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | alpha: drivers/crypto/hifn_795x.c: In function 'ablkcipher_walk_init': drivers/crypto/hifn_795x.c:1231: error: implicit declaration of function 'sg_init_table' drivers/crypto/hifn_795x.c:1243: error: implicit declaration of function 'sg_set_page' drivers/crypto/hifn_795x.c: In function 'ablkcipher_walk_exit': drivers/crypto/hifn_795x.c:1257: error: implicit declaration of function 'sg_page' drivers/crypto/hifn_795x.c:1257: warning: passing argument 1 of '__free_pages' makes pointer from integer without a cast drivers/crypto/hifn_795x.c: In function 'ablkcipher_add': drivers/crypto/hifn_795x.c:1278: warning: passing argument 1 of 'kmap_atomic' makes pointer from integer without a cast drivers/crypto/hifn_795x.c: In function 'ablkcipher_walk': drivers/crypto/hifn_795x.c:1336: warning: passing argument 1 of 'kmap_atomic' makes pointer from integer without a cast drivers/crypto/hifn_795x.c: In function 'hifn_setup_session': drivers/crypto/hifn_795x.c:1465: warning: assignment makes pointer from integer without a cast drivers/crypto/hifn_795x.c:1469: warning: assignment makes pointer from integer without a cast drivers/crypto/hifn_795x.c:1472: warning: assignment makes pointer from integer without a cast drivers/crypto/hifn_795x.c: In function 'ablkcipher_get': drivers/crypto/hifn_795x.c:1593: warning: passing argument 1 of 'kmap_atomic' makes pointer from integer without a cast {standard input}: Assembler messages: {standard input}:7: Warning: setting incorrect section attributes for .got drivers/crypto/hifn_795x.c: In function 'hifn_process_ready': drivers/crypto/hifn_795x.c:1653: warning: passing argument 1 of 'kmap_atomic' makes pointer from integer without a cast drivers/crypto/hifn_795x.c: In function 'hifn_probe': drivers/crypto/hifn_795x.c:2438: error: 'DMA_32BIT_MASK' undeclared (first use in this function) drivers/crypto/hifn_795x.c:2438: error: (Each undeclared identifier is reported only once drivers/crypto/hifn_795x.c:2438: error: for each function it appears in.) drivers/crypto/hifn_795x.c:2443: warning: format '%d' expects type 'int', but argument 4 has type 'long int' drivers/crypto/hifn_795x.c:2443: warning: format '%d' expects type 'int', but argument 4 has type 'long int' Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] hifn: Make Kconfig option depend on PCIJan Glauber2008-01-111-0/+1
| | | | | | | | | | The HIFN driver is currently selectable on s390 but wont compile. Since it looks like HIFN needs PCI make the Kconfig dependent on PCI, which is not available on s390. Signed-off-by: Jan Glauber <jang@linux.vnet.ibm.com> Acked-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] hifn: Schedule callback invocation to tasklet.Evgeniy Polyakov2008-01-111-1/+21
| | | | | | | | | | | | | | | | | This patch forces HIFN driver to invoke crypto request callbacks from tasklet (softirq context) instead of hardirq context, since network stack expects it to be called from bottom halves. It is done by simply scheduling callback invocation via dedicated tasklet. Workqueue solution was dropped because of tooo slow rescheduling performance (7 times slower than tasklet, for mode details one can check this link: http://tservice.net.ru/~s0mbre/blog/devel/other/2007_11_09.html). Driver passed all AES and DES tests in tcryt.c module. Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] sha256-generic: Extend sha256_generic.c to support SHA-224Jonathan Lynch2008-01-115-12/+241
| | | | | | | | | | | | | | | | | Resubmitting this patch which extends sha256_generic.c to support SHA-224 as described in FIPS 180-2 and RFC 3874. HMAC-SHA-224 as described in RFC4231 is then supported through the hmac interface. Patch includes test vectors for SHA-224 and HMAC-SHA-224. SHA-224 chould be chosen as a hash algorithm when 112 bits of security strength is required. Patch generated against the 2.6.24-rc1 kernel and tested against 2.6.24-rc1-git14 which includes fix for scatter gather implementation for HMAC. Signed-off-by: Jonathan Lynch <jonathan.lynch@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] geode: Add fallback for unsupported modesSebastian Siewior2008-01-112-43/+206
| | | | | | | | | | The Geode AES crypto engine supports only 128 bit long key. This patch adds fallback for other key sizes which are required by the AES standard. Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Acked-by: Jordan Crouse <jordan.crouse@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] aes-i586: Remove setkeySebastian Siewior2008-01-113-504/+47
| | | | | | | The setkey() function can be shared with the generic algorithm. Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] ctr: Remove default MSebastian Siewior2008-01-111-1/+0
| | | | | | | NO other block mode is M by default. Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] aes-x86-64: Remove setkeySebastian Siewior2008-01-113-313/+38
| | | | | | | The setkey() function can be shared with the generic algorithm. Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] aes-generic: Make key generation exportableSebastian Siewior2008-01-112-129/+136
| | | | | | | | | | | | This patch exports four tables and the set_key() routine. This ressources can be shared by other AES implementations (aes-x86_64 for instance). The decryption key has been turned around (deckey[0] is the first piece of the key instead of deckey[keylen+20]). The encrypt/decrypt functions are looking now identical (except they are using different tables and key). Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] aes-generic: Coding style cleanupSebastian Siewior2008-01-111-149/+176
| | | | | Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] ctr: Add countersizeJoy Latten2008-01-112-15/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds countersize to CTR mode. The template is now ctr(algo,noncesize,ivsize,countersize). For example, ctr(aes,4,8,4) indicates the counterblock will be composed of a salt/nonce that is 4 bytes, an iv that is 8 bytes and the counter is 4 bytes. When noncesize + ivsize < blocksize, CTR initializes the last block - ivsize - noncesize portion of the block to zero. Otherwise the counter block is composed of the IV (and nonce if necessary). If noncesize + ivsize == blocksize, then this indicates that user is passing in entire counterblock. Thus countersize indicates the amount of bytes in counterblock to use as the counter for incrementing. CTR will increment counter portion by 1, and begin encryption with that value. Note that CTR assumes the counter portion of the block that will be incremented is stored in big endian. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] camellia: De-unrollingDenys Vlasenko2008-01-111-84/+23
| | | | | | | | | | | | Move huge unrolled pieces of code (3 screenfuls) at the end of 128/256 key setup routines into common camellia_setup_tail(), convert it to loop there. Loop is still unrolled six times, so performance hit is very small, code size win is big. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> Acked-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] camellia: Code cleanupDenys Vlasenko2008-01-111-18/+21
| | | | | | | | | | Optimize GETU32 to use 4-byte memcpy (modern gcc will convert such memcpy to single move instruction on i386). Original GETU32 did four byte fetches, and shifted/XORed those. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> Acked-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] camellia: Code cleanupDenys Vlasenko2008-01-111-517/+418
| | | | | | | | | | | | | | Rename some macros to shorter names: CAMELLIA_RR8 -> ROR8, making it easier to understand that it is just a right rotation, nothing camellia-specific in it. CAMELLIA_SUBKEY_L() -> SUBKEY_L() - just shorter. Move be32 <-> cpu conversions out of en/decrypt128/256 and into camellia_en/decrypt - no reason to have that code duplicated twice. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> Acked-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] camellia: Code cleanupDenys Vlasenko2008-01-111-540/+426
| | | | | | | | | | | | | | | | | | | | | Move code blocks around so that related pieces are closer together: e.g. CAMELLIA_ROUNDSM macro does not need to be separated from the rest of the code by huge array of constants. Remove unused macros (COPY4WORD, SWAP4WORD, XOR4WORD[2]) Drop SUBL(), SUBR() macros which only obscure things. Same for CAMELLIA_SP1110() macro and KEY_TABLE_TYPE typedef. Remove useless comments: /* encryption */ -- well it's obvious enough already! void camellia_encrypt128(...) Combine swap with copying at the beginning/end of encrypt/decrypt. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> Acked-by: Noriaki TAKAMIYA <takamiya@po.ntts.co.jp> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] twofish: Do not unroll big stuff in twofish key setupDenys Vlasenko2008-01-111-66/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently twofish cipher key setup code has unrolled loops - approximately 70-100 instructions are repeated 40 times. As a result, twofish module is the biggest module in crypto/*. Unrolling produces x2.5 more code (+18k on i386), and speeds up key setup by 7%: unrolled: twofish_setkey/sec: 41128 loop: twofish_setkey/sec: 38148 CALC_K256: ~100 insns each CALC_K192: ~90 insns CALC_K: ~70 insns Attached patch removes this unrolling. $ size */twofish_common.o text data bss dec hex filename 37920 0 0 37920 9420 crypto.org/twofish_common.o 13209 0 0 13209 3399 crypto/twofish_common.o Run tested (modprobe tcrypt reports ok). Please apply. Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] geode: move defines into a headerfileSebastian Siewior2008-01-112-34/+34
| | | | | | | This patch moves macros in geode-aes.c into geode-aes.h. Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] geode: relax in busy loop and care about return valueSebastian Siewior2008-01-111-3/+6
| | | | | | | | | | | The code waits in a busy loop until the hardware finishes the encryption or decryption process. This wants a cpu_relax() :) The busy loop finishes either if the encryption is done or if the counter is zero. If the latter is true than the hardware failed. Since this should not happen, leave sith a BUG(). Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] geode: use consistent IV copySebastian Siewior2008-01-111-6/+4
| | | | | | | | | | | | It is enough if the IV is copied before and after the while loop. With DM-Crypt is seems not be required to save the IV after encrytion because a new one is used in the request (dunno about other users). It is not save to load the IV within while loop and not save afterwards because we mill end up with the wrong IV if the request goes consists of more than one page. Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] aes: Move common defines into a header fileSebastian Siewior2008-01-117-22/+21
| | | | | | | This three defines are used in all AES related hardware. Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] geode: remove aliasSebastian Siewior2008-01-111-1/+0
| | | | | | | alias isn't required because the module provides PCI ids. Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] hifn_795x: Detect weak keysEvgeniy Polyakov2008-01-113-5/+17
| | | | | | | HIFN driver update to use DES weak key checks (exported in this patch). Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] des: Create header file for common macrosEvgeniy Polyakov2008-01-112-7/+20
| | | | | | | | This patch creates include/crypto/des.h for common macros shared between DES implementations. Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] hifn_795x: HIFN 795x driverEvgeniy Polyakov2008-01-113-0/+2630
| | | | | | | | | | This is a driver for HIFN 795x crypto accelerator chips. It passed all tests for AES, DES and DES3_EDE except weak test for DES, since hardware can not determine weak keys. Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] ctr: Add CTR (Counter) block cipher modeJoy Latten2008-01-115-0/+572
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch implements CTR mode for IPsec. It is based off of RFC 3686. Please note: 1. CTR turns a block cipher into a stream cipher. Encryption is done in blocks, however the last block may be a partial block. A "counter block" is encrypted, creating a keystream that is xor'ed with the plaintext. The counter portion of the counter block is incremented after each block of plaintext is encrypted. Decryption is performed in same manner. 2. The CTR counterblock is composed of, nonce + IV + counter The size of the counterblock is equivalent to the blocksize of the cipher. sizeof(nonce) + sizeof(IV) + sizeof(counter) = blocksize The CTR template requires the name of the cipher algorithm, the sizeof the nonce, and the sizeof the iv. ctr(cipher,sizeof_nonce,sizeof_iv) So for example, ctr(aes,4,8) specifies the counterblock will be composed of 4 bytes from a nonce, 8 bytes from the iv, and 4 bytes for counter since aes has a blocksize of 16 bytes. 3. The counter portion of the counter block is stored in big endian for conformance to rfc 3686. Signed-off-by: Joy Latten <latten@austin.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] padlock: Fix alignment fault in aes_crypt_copyHerbert Xu2008-01-111-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | The previous patch fixed spurious read faults from occuring by copying the data if we happen to have a single block at the end of a page. It appears that gcc cannot guarantee 16-byte alignment in the kernel with __attribute__. The following report from Torben Viets shows a buffer that's only 8-byte aligned: > eneral protection fault: 0000 [#1] > Modules linked in: xt_TCPMSS xt_tcpmss iptable_mangle ipt_MASQUERADE > xt_tcpudp xt_mark xt_state iptable_nat nf_nat nf_conntrack_ipv4 > iptable_filter ip_tables x_tables pppoe pppox af_packet ppp_generic slhc > aes_i586 > CPU: 0 > EIP: 0060:[<c035b828>] Not tainted VLI > EFLAGS: 00010292 (2.6.23.12 #7) > EIP is at aes_crypt_copy+0x28/0x40 > eax: f7639ff0 ebx: f6c24050 ecx: 00000001 edx: f6c24030 > esi: f7e89dc8 edi: f7639ff0 ebp: 00010000 esp: f7e89dc8 Since the hardware must have 16-byte alignment, the following patch fixes this by open coding the alignment adjustment. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] padlock: Fix spurious ECB page faultHerbert Xu2007-12-281-4/+49
| | | | | | | | The xcryptecb instruction always processes an even number of blocks so we need to ensure th existence of an extra block if we have to process an odd number of blocks. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] api: Fix potential race in crypto_remove_spawnHerbert Xu2007-11-231-3/+3
| | | | | | | | | | | | As it is crypto_remove_spawn may try to unregister an instance which is yet to be registered. This patch fixes this by checking whether the instance has been registered before attempting to remove it. It also removes a bogus cra_destroy check in crypto_register_instance as 1) it's outside the mutex; 2) we have a check in __crypto_register_alg already. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* [CRYPTO] authenc: Move initialisations up to shut up gccHerbert Xu2007-11-231-8/+4
| | | | | | | | It seems that newer versions of gcc have regressed in their abilities to analyse initialisations. This patch moves the initialisations up to avoid the warnings. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* Merge branch 'master' of ↵Linus Torvalds2007-11-1716-82/+81
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/x86/linux-2.6-x86 * 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/x86/linux-2.6-x86: x86: simplify "make ARCH=x86" and fix kconfig all.config x86: reboot fixup for wrap2c board x86: check boundary in count setup resource x86: fix reboot with no keyboard attached x86: add hpet sanity checks x86: on x86_64, correct reading of PC RTC when update in progress in time_64.c x86: fix freeze in x86_64 RTC update code in time_64.c ntp: fix typo that makes sync_cmos_clock erratic Remove x86 merge artifact from top Makefile x86: fixup cpu_info array conversion x86: show cpuinfo only for online CPUs x86: fix cpu-hotplug regression x86: ignore the sys_getcpu() tcache parameter x86: voyager use correct header file name x86: fix smp init sections x86: fix voyager_cat_init section x86: fix bogus memcpy in es7000_check_dsdt()
| * x86: simplify "make ARCH=x86" and fix kconfig all.configSam Ravnborg2007-11-176-36/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Simplify "make ARCH=x86" and fix kconfig so we again can set 64BIT in all.config. For a fix the diffstat is nice: 6 files changed, 3 insertions(+), 36 deletions(-) The patch reverts these commits: 0f855aa64b3f63d35a891510cf7db932a435c116 -> kconfig: add helper to set config symbol from environment variable 2a113281f5cd2febbab21a93c8943f8d3eece4d3 -> kconfig: use $K64BIT to set 64BIT with all*config targets Roman Zippel pointed out that kconfig supported string compares so the additional complexity introduced by the above two patches were not needed. With this patch we have following behaviour: # make {allno,allyes,allmod,rand}config [ARCH=...] option \ host arch | 32bit | 64bit ===================================================== ./. | 32bit | 64bit ARCH=x86 | 32bit | 32bit ARCH=i386 | 32bit | 32bit ARCH=x86_64 | 64bit | 64bit The general rule are that ARCH= and native architecture takes precedence over the configuration. So make ARCH=i386 [whatever] will always build a 32-bit kernel no matter what the configuration says. The configuration will be updated to 32-bit if it was configured to 64-bit and the other way around. This behaviour is consistent with previous behaviour so no suprises here. make ARCH=x86 will per default result in a 32-bit kernel but as the only ARCH= value x86 allow the user to select between 32-bit and 64-bit using menuconfig. Signed-off-by: Sam Ravnborg <sam@ravnborg.org> Cc: Roman Zippel <zippel@linux-m68k.org> Cc: Andreas Herrmann <aherrman@arcor.de> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: "H. Peter Anvin" <hpa@zytor.com>
| * x86: reboot fixup for wrap2c boardDenys2007-11-171-0/+1
| | | | | | | | | | | | | | | | Needed to make the wireless board, WRAP2C reboot. Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>