summaryrefslogtreecommitdiffstats
path: root/crypto
Commit message (Collapse)AuthorAgeFilesLines
* crypto: rsa-pkcs1pad - Handle leading zero for decryptionHerbert Xu2016-09-221-17/+24
| | | | | | | | | | | | | As the software RSA implementation now produces fixed-length output, we need to eliminate leading zeros in the calling code instead. This patch does just that for pkcs1pad decryption while signature verification was fixed in an earlier patch. Fixes: 9b45b7bba3d2 ("crypto: rsa - Generate fixed-length output") Reported-by: Mat Martineau <mathew.j.martineau@linux.intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: skcipher - Fix blkcipher walk OOM crashHerbert Xu2016-09-131-1/+2
| | | | | | | | | | | | | | | | | When we need to allocate a temporary blkcipher_walk_next and it fails, the code is supposed to take the slow path of processing the data block by block. However, due to an unrelated change we instead end up dereferencing the NULL pointer. This patch fixes it by moving the unrelated bsize setting out of the way so that we enter the slow path as inteded. Fixes: 7607bd8ff03b ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block") Cc: stable@vger.kernel.org Reported-by: xiakaixu <xiakaixu@huawei.com> Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
* crypto: echainiv - Replace chaining with multiplicationHerbert Xu2016-09-131-91/+24
| | | | | | | | | | | | | | The current implementation uses a global per-cpu array to store data which are used to derive the next IV. This is insecure as the attacker may change the stored data. This patch removes all traces of chaining and replaces it with multiplication of the salt and the sequence number. Fixes: a10f554fa7e0 ("crypto: echainiv - Add encrypted chain IV...") Cc: stable@vger.kernel.org Reported-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: cryptd - initialize child shash_desc on importArd Biesheuvel2016-09-071-2/+7
| | | | | | | | | | When calling .import() on a cryptd ahash_request, the structure members that describe the child transform in the shash_desc need to be initialized like they are when calling .init() Cc: stable@vger.kernel.org Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: cryptd - Use correct tfm object for AEAD trackingHerbert Xu2016-08-311-1/+2
| | | | | | | | | The AEAD code path incorrectly uses the child tfm to track the cryptd refcnt, and then potentially frees the child tfm. Fixes: 81760ea6a95a ("crypto: cryptd - Add helpers to check...") Reported-by: Sowmini Varadhan <sowmini.varadhan@oracle.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: powerpc - CRYPT_CRC32C_VPMSUM should depend on ALTIVECMichael Ellerman2016-08-091-1/+1
| | | | | | | | | | | The optimised crc32c implementation depends on VMX (aka. Altivec) instructions, so the kernel must be built with Altivec support in order for the crc32c code to build. Fixes: 6dd7a82cc54e ("crypto: powerpc - Add POWER8 optimised crc32c") Acked-by: Anton Blanchard <anton@samba.org> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* crypto: sha3 - Add missing ULL suffixes for 64-bit constantsGeert Uytterhoeven2016-08-081-8/+8
| | | | | | | | | | | | | | | | | | | | | | On 32-bit (e.g. with m68k-linux-gnu-gcc-4.1): crypto/sha3_generic.c:27: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:28: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:29: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:29: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:31: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:31: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:32: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:32: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:32: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:33: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:33: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:34: warning: integer constant is too large for ‘long’ type crypto/sha3_generic.c:34: warning: integer constant is too large for ‘long’ type Fixes: 53964b9ee63b7075 ("crypto: sha3 - Add SHA-3 hash algorithm") Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
* Merge tag 'random_for_linus' of ↵Linus Torvalds2016-07-271-61/+0
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random Pull random driver updates from Ted Ts'o: "A number of improvements for the /dev/random driver; the most important is the use of a ChaCha20-based CRNG for /dev/urandom, which is faster, more efficient, and easier to make scalable for silly/abusive userspace programs that want to read from /dev/urandom in a tight loop on NUMA systems. This set of patches also improves entropy gathering on VM's running on Microsoft Azure, and will take advantage of a hw random number generator (if present) to initialize the /dev/urandom pool" (It turns out that the random tree hadn't been in linux-next this time around, because it had been dropped earlier as being too quiet. Oh well). * tag 'random_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random: random: strengthen input validation for RNDADDTOENTCNT random: add backtracking protection to the CRNG random: make /dev/urandom scalable for silly userspace programs random: replace non-blocking pool with a Chacha20-based CRNG random: properly align get_random_int_hash random: add interrupt callback to VMBus IRQ handler random: print a warning for the first ten uninitialized random users random: initialize the non-blocking pool via add_hwgenerator_randomness()
| * random: replace non-blocking pool with a Chacha20-based CRNGTheodore Ts'o2016-07-031-61/+0
| | | | | | | | | | | | | | The CRNG is faster, and we don't pretend to track entropy usage in the CRNG any more. Signed-off-by: Theodore Ts'o <tytso@mit.edu>
* | Merge branch 'linus' of ↵Linus Torvalds2016-07-2643-2521/+5343
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto updates from Herbert Xu: "Here is the crypto update for 4.8: API: - first part of skcipher low-level conversions - add KPP (Key-agreement Protocol Primitives) interface. Algorithms: - fix IPsec/cryptd reordering issues that affects aesni - RSA no longer does explicit leading zero removal - add SHA3 - add DH - add ECDH - improve DRBG performance by not doing CTR by hand Drivers: - add x86 AVX2 multibuffer SHA256/512 - add POWER8 optimised crc32c - add xts support to vmx - add DH support to qat - add RSA support to caam - add Layerscape support to caam - add SEC1 AEAD support to talitos - improve performance by chaining requests in marvell/cesa - add support for Araneus Alea I USB RNG - add support for Broadcom BCM5301 RNG - add support for Amlogic Meson RNG - add support Broadcom NSP SoC RNG" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (180 commits) crypto: vmx - Fix aes_p8_xts_decrypt build failure crypto: vmx - Ignore generated files crypto: vmx - Adding support for XTS crypto: vmx - Adding asm subroutines for XTS crypto: skcipher - add comment for skcipher_alg->base crypto: testmgr - Print akcipher algorithm name crypto: marvell - Fix wrong flag used for GFP in mv_cesa_dma_add_iv_op crypto: nx - off by one bug in nx_of_update_msc() crypto: rsa-pkcs1pad - fix rsa-pkcs1pad request struct crypto: scatterwalk - Inline start/map/done crypto: scatterwalk - Remove unnecessary BUG in scatterwalk_start crypto: scatterwalk - Remove unnecessary advance in scatterwalk_pagedone crypto: scatterwalk - Fix test in scatterwalk_done crypto: api - Optimise away crypto_yield when hard preemption is on crypto: scatterwalk - add no-copy support to copychunks crypto: scatterwalk - Remove scatterwalk_bytes_sglen crypto: omap - Stop using crypto scatterwalk_bytes_sglen crypto: skcipher - Remove top-level givcipher interface crypto: user - Remove crypto_lookup_skcipher call crypto: cts - Convert to skcipher ...
| * \ Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6Herbert Xu2016-07-211-0/+1
| |\ \ | | | | | | | | | | | | Merge the crypto tree to resolve conflict in qat Makefile.
| * | | crypto: testmgr - Print akcipher algorithm nameHerbert Xu2016-07-191-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When an akcipher test fails, we don't know which algorithm failed because the name is not printed. This patch fixes this. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: rsa-pkcs1pad - fix rsa-pkcs1pad request structTadeusz Struk2016-07-191-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To allow for child request context the struct akcipher_request child_req needs to be at the end of the structure. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: scatterwalk - Inline start/map/doneHerbert Xu2016-07-181-43/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch inlines the functions scatterwalk_start, scatterwalk_map and scatterwalk_done as they're all tiny and mostly used by the block cipher walker. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: scatterwalk - Remove unnecessary BUG in scatterwalk_startHerbert Xu2016-07-181-3/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Nothing bad will happen even if sg->length is zero, so there is no point in keeping this BUG_ON in scatterwalk_start. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: scatterwalk - Remove unnecessary advance in scatterwalk_pagedoneHerbert Xu2016-07-181-6/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The offset advance in scatterwalk_pagedone not only is unnecessary, but it was also buggy when it was needed by scatterwalk_copychunks. As the latter has long ago been fixed to call scatterwalk_advance directly, we can remove this unnecessary offset adjustment. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: scatterwalk - Fix test in scatterwalk_doneHerbert Xu2016-07-181-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When there is more data to be processed, the current test in scatterwalk_done may prevent us from calling pagedone even when we should. In particular, if we're on an SG entry spanning multiple pages where the last page is not a full page, we will incorrectly skip calling pagedone on the second last page. This patch fixes this by adding a separate test for whether we've reached the end of a page. Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: scatterwalk - Add no-copy support to copychunksHerbert Xu2016-07-181-4/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The function ablkcipher_done_slow is pretty much identical to scatterwalk_copychunks except that it doesn't actually copy as the processing hasn't been completed yet. This patch allows scatterwalk_copychunks to be used in this case by specifying out == 2. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: scatterwalk - Remove scatterwalk_bytes_sglenHerbert Xu2016-07-181-22/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch removes the now unused scatterwalk_bytes_sglen. Anyone using this out-of-tree should switch over to sg_nents_for_len. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: skcipher - Remove top-level givcipher interfaceHerbert Xu2016-07-187-1128/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch removes the old crypto_grab_skcipher helper and replaces it with crypto_grab_skcipher2. As this is the final entry point into givcipher this patch also removes all traces of the top-level givcipher interface, including all implicit IV generators such as chainiv. The bottom-level givcipher interface remains until the drivers using it are converted. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: user - Remove crypto_lookup_skcipher callHerbert Xu2016-07-181-36/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | As there are no more kernel users of built-in IV generators we can remove the special lookup for skciphers. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: cts - Convert to skcipherHerbert Xu2016-07-181-210/+285
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts cts over to the skcipher interface. It also optimises the implementation to use one CBC operation for all but the last block, which is then processed separately. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: null - Remove default null blkcipherHerbert Xu2016-07-181-43/+6
| | | | | | | | | | | | | | | | | | | | | | | | The default null blkcipher is no longer used and can now be removed. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: aead - Remove blkcipher null for IV generatorsHerbert Xu2016-07-181-8/+0
| | | | | | | | | | | | | | | | | | | | | | | | The blkcipher null object is no longer used and can now be removed. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: seqiv - Use skcipherHerbert Xu2016-07-181-5/+9
| | | | | | | | | | | | | | | | | | | | | | | | This patch replaces use of the obsolete blkcipher with skcipher. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: echainiv - Use skcipherHerbert Xu2016-07-181-6/+10
| | | | | | | | | | | | | | | | | | | | | | | | This patch replaces use of the obsolete blkcipher with skcipher. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: aead - Add skcipher null for IV generatorsHerbert Xu2016-07-181-1/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds an skcipher null object alongside the existing null blkcipher so that IV generators using it can switch over to skcipher. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: chacha20poly1305 - Use skcipherHerbert Xu2016-07-181-43/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts chacha20poly1305 to use the new skcipher interface as opposed to ablkcipher. It also fixes a buglet where we may end up with an async poly1305 when the user asks for a async algorithm. This shouldn't be a problem yet as there aren't any async implementations of poly1305 out there. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: gcm - Use skcipherHerbert Xu2016-07-181-53/+58
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts gcm to use the new skcipher interface as opposed to ablkcipher. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: ccm - Use skcipherHerbert Xu2016-07-181-35/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts ccm to use the new skcipher interface as opposed to ablkcipher. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: ctr - Use skcipher in rfc3686Herbert Xu2016-07-181-89/+94
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts rfc3686 to use the new skcipher interface as opposed to ablkcipher. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: authencesn - Use skcipherHerbert Xu2016-07-181-50/+54
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts authencesn to use the new skcipher interface as opposed to ablkcipher. It also fixes a little bug where if a sync version of authencesn is requested we may still end up using an async ahash. This should have no effect as none of the authencesn users can request for a sync authencesn. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: authenc - Use skcipherHerbert Xu2016-07-181-51/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch converts authenc to use the new skcipher interface as opposed to ablkcipher. It also fixes a little bug where if a sync version of authenc is requested we may still end up using an async ahash. This should have no effect as none of the authenc users can request for a sync authenc. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: aead - Add chunk sizeHerbert Xu2016-07-181-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a chunk size parameter to aead algorithms, just like the chunk size for skcipher algorithms. However, unlike skcipher we do not currently export this to AEAD users. It is only meant to be used by AEAD implementors for now. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: null - Add new default null skcipherHerbert Xu2016-07-181-0/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Current the default null skcipher is actually a crypto_blkcipher. This patch creates a synchronous crypto_skcipher version of the null cipher which unfortunately has to settle for the name skcipher2. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: skcipher - Add low-level skcipher interfaceHerbert Xu2016-07-181-7/+189
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows skcipher algorithms and instances to be created and registered with the crypto API. They are accessible through the top-level skcipher interface, along with ablkcipher/blkcipher algorithms and instances. This patch also introduces a new parameter called chunk size which is meant for ciphers such as CTR and CTS which ostensibly can handle arbitrary lengths, but still behave like block ciphers in that you can only process a partial block at the very end. For these ciphers the block size will continue to be set to 1 as it is now while the chunk size will be set to the underlying block size. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: testmgr - Add 4K private key to RSA testvectorSalvatore Benedetto2016-07-051-1/+199
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Key generated with openssl. It also contains all fields required for testing CRT mode Signed-off-by: Salvatore Benedetto <salvatore.benedetto@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: rsa - Store rest of the private key componentsSalvatore Benedetto2016-07-052-5/+80
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When parsing a private key, store all non-optional fields. These are required for enabling CRT mode for decrypt and verify Signed-off-by: Salvatore Benedetto <salvatore.benedetto@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: testmgr - Set err before proceedingSalvatore Benedetto2016-07-051-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Report correct error in case of failure Signed-off-by: Salvatore Benedetto <salvatore.benedetto@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: powerpc - Add POWER8 optimised crc32cAnton Blanchard2016-07-051-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use the vector polynomial multiply-sum instructions in POWER8 to speed up crc32c. This is just over 41x faster than the slice-by-8 method that it replaces. Measurements on a 4.1 GHz POWER8 show it sustaining 52 GiB/sec. A simple btrfs write performance test: dd if=/dev/zero of=/mnt/tmpfile bs=1M count=4096 sync is over 3.7x faster. Signed-off-by: Anton Blanchard <anton@samba.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: rsa-pkcs1pad - Fix regression from leading zerosHerbert Xu2016-07-031-16/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As the software RSA implementation now produces fixed-length output, we need to eliminate leading zeros in the calling code instead. This patch does just that for pkcs1pad signature verification. Fixes: 9b45b7bba3d2 ("crypto: rsa - Generate fixed-length output") Reported-by: Stephan Mueller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: sha3 - Add HMAC-SHA3 test modes and test vectorsraveendra padasalagi2016-07-013-0/+444
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds HMAC-SHA3 test modes in tcrypt module and related test vectors. Signed-off-by: Raveendra Padasalagi <raveendra.padasalagi@broadcom.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: tcrypt - Do not bail on EINPROGRESS in multibuffer hash testHerbert Xu2016-07-011-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The multibuffer hash speed test is incorrectly bailing because of an EINPROGRESS return value. This patch fixes it by setting ret to zero if it is equal to -EINPROGRESS. Reported-by: Megha Dey <megha.dey@linux.intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: rsa-pkcs1pad - Avoid copying output when possibleHerbert Xu2016-07-011-67/+45
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the vast majority of cases (2^-32 on 32-bit and 2^-64 on 64-bit) cases, the result from encryption/signing will require no padding. This patch makes these two operations write their output directly to the final destination. Only in the exceedingly rare cases where fixup is needed to we copy it out and back to add the leading zeroes. This patch also makes use of the crypto_akcipher_set_crypt API instead of writing the akcipher request directly. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: rsa-pkcs1pad - Move key size check to setkeyHerbert Xu2016-07-011-30/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Rather than repeatedly checking the key size on each operation, we should be checking it once when the key is set. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: rsa-pkcs1pad - Always use GFP_KERNELHerbert Xu2016-07-011-16/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | We don't currently support using akcipher in atomic contexts, so GFP_KERNEL should always be used. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: rsa-pkcs1pad - Remove bogus page splittingHerbert Xu2016-07-011-14/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The helper pkcs1pad_sg_set_buf tries to split a buffer that crosses a page boundary into two SG entries. This is unnecessary. This patch removes that. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: rsa-pkcs1pad - Require hash to be presentHerbert Xu2016-07-011-53/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The only user of rsa-pkcs1pad always uses the hash so there is no reason to support the case of not having a hash. This patch also changes the digest info lookup so that it is only done once during template instantiation rather than on each operation. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: rsa - Generate fixed-length outputHerbert Xu2016-07-012-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Every implementation of RSA that we have naturally generates output with leading zeroes. The one and only user of RSA, pkcs1pad wants to have those leading zeroes in place, in fact because they are currently absent it has to write those zeroes itself. So we shouldn't be stripping leading zeroes in the first place. In fact this patch makes rsa-generic produce output with fixed length so that pkcs1pad does not need to do any extra work. This patch also changes DH to use the new interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
| * | | crypto: testmgr - Allow leading zeros in RSAHerbert Xu2016-07-011-27/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch allows RSA implementations to produce output with leading zeroes. testmgr will skip leading zeroes when comparing the output. This patch also tries to make the RSA test function generic enough to potentially handle other akcipher algorithms. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>