10 Jul, 2008
1 commit
-
When chainiv postpones requests it never calls their completion functions.
This causes symptoms such as memory leaks when IPsec is in use.Signed-off-by: Herbert Xu
08 Jul, 2008
1 commit
-
Coverity CID: 2306 & 2307 RESOURCE_LEAK
In the second for loop in test_cipher(), data is allocated space with
kzalloc() and is only ever freed in an error case.
Looking at this loop, data is written to this memory but nothing seems
to read from it.
So here is a patch removing the allocation, I think this is the right
fix.Only compile tested.
Signed-off-by: Darren Jenkins
Signed-off-by: Herbert Xu
02 Jun, 2008
1 commit
-
Steps to reproduce:
modprobe tcrypt # with CONFIG_DEBUG_SG=y
testing cts(cbc(aes)) encryption
test 1 (128 bit key):
------------[ cut here ]------------
kernel BUG at include/linux/scatterlist.h:65!
invalid opcode: 0000 [1] PREEMPT SMP DEBUG_PAGEALLOC
CPU 0
Modules linked in: tea xts twofish twofish_common tcrypt(+) [maaaany]
Pid: 16151, comm: modprobe Not tainted 2.6.26-rc4-fat #7
RIP: 0010:[] [] :cts:cts_cbc_encrypt+0x151/0x355
RSP: 0018:ffff81016f497a88 EFLAGS: 00010286
RAX: ffffe20009535d58 RBX: ffff81016f497af0 RCX: 0000000087654321
RDX: ffff8100010d4f28 RSI: ffff81016f497ee8 RDI: ffff81016f497ac0
RBP: ffff81016f497c38 R08: 0000000000000000 R09: 0000000000000011
R10: ffffffff00000008 R11: ffff8100010d4f28 R12: ffff81016f497ac0
R13: ffff81016f497b30 R14: 0000000000000010 R15: 0000000000000010
FS: 00007fac6fa276f0(0000) GS:ffffffff8060e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f12ca7cc000 CR3: 000000016f441000 CR4: 00000000000026e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
Process modprobe (pid: 16151, threadinfo ffff81016f496000, task ffff8101755b4ae0)
Stack: 0000000000000001 ffff81016f496000 ffffffff80719f78 0000000000000001
0000000000000001 ffffffff8020c87c ffff81016f99c918 20646c756f772049
65687420656b696c 0000000000000020 0000000000000000 0000000033341102
Call Trace:
[] ? restore_args+0x0/0x30
[] ? :aes_generic:crypto_aes_expand_key+0x311/0x369
[] ? check_object+0x15a/0x213
[] ? init_object+0x6e/0x76
[] ? __slab_free+0xfc/0x371
[] :cts:crypto_cts_encrypt+0xbb/0xca
[] ? :crypto_blkcipher:setkey+0xc7/0xec
[] :crypto_blkcipher:async_encrypt+0x38/0x3a
[] :tcrypt:test_cipher+0x261/0x7c6
[] :tcrypt:tcrypt_mod_init+0x9df/0x1b30
[] sys_init_module+0x9e/0x1b2
[] system_call_after_swapgs+0x8a/0x8f
Code: 45 c0 e8 aa 24 63 df 48 c1 e8 0c 48 b9 00 00 00 00 00 e2 ff ff 48 8b 55 88 48 6b c0 68 48 01 c8 b9 21 43 65 87 48 39 4d 80 74 04 0b eb fe f6 c2 01 74 04 0f 0b eb fe 83 e2 03 4c 89 ef 44 89
RIP [] :cts:cts_cbc_encrypt+0x151/0x355
RSP
---[ end trace e8bahiarjand37fd ]---Signed-off-by: Alexey Dobriyan
Signed-off-by: Herbert Xu
07 May, 2008
1 commit
-
When HMAC gets a key longer than the block size of the hash, it needs
to feed it as input to the hash to reduce it to a fixed length. As
it is HMAC converts the key to a scatter and gather list. However,
this doesn't work on certain platforms if the key is not allocated
via kmalloc. For example, the keys from tcrypt are stored in the
rodata section and this causes it to fail with HMAC on x86-64.This patch fixes this by copying the key to memory obtained via
kmalloc before hashing it.Signed-off-by: Herbert Xu
01 May, 2008
3 commits
-
Normally, kzalloc returns NULL or a valid pointer value, not a value to be
tested using IS_ERR.Signed-off-by: Julia Lawall
Signed-off-by: Herbert Xu -
After attaching the IV to the head during encryption, eseqiv does not
increase the encryption length by that amount. As such the last block
of the actual plain text will be left unencrypted.Fortunately the only user of this code hifn currently crashes so this
shouldn't affect anyone :)Signed-off-by: Herbert Xu
-
crypto_authenc_givencrypt_done uses req->data as struct aead_givcrypt_request,
while it really points to a struct aead_request, causing this crash:BUG: unable to handle kernel paging request at 6b6b6b6b
IP: [] :authenc:crypto_authenc_genicv+0x23/0x109
*pde = 00000000
Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
Modules linked in: hifn_795x authenc esp4 aead xfrm4_mode_tunnel sha1_generic hmac crypto_hash]Pid: 3074, comm: ping Not tainted (2.6.25 #4)
EIP: 0060:[] EFLAGS: 00010296 CPU: 0
EIP is at crypto_authenc_genicv+0x23/0x109 [authenc]
EAX: daa04690 EBX: daa046e0 ECX: dab0a100 EDX: daa046b0
ESI: 6b6b6b6b EDI: dc872054 EBP: c033ff60 ESP: c033ff0c
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process ping (pid: 3074, ti=c033f000 task=db883a80 task.ti=dab6c000)
Stack: 00000000 daa046b0 c0215a3e daa04690 dab0a100 00000000 ffffffff db9fd7f0
dba208c0 dbbb1720 00000001 daa04720 00000001 c033ff54 c0119ca9 dc852a75
c033ff60 c033ff60 daa046e0 00000000 00000001 c033ff6c dc87527b 00000001
Call Trace:
[] ? dev_alloc_skb+0x14/0x29
[] ? printk+0x15/0x17
[] ? crypto_authenc_givencrypt_done+0x1a/0x27 [authenc]
[] ? hifn_process_ready+0x34a/0x352 [hifn_795x]
[] ? rhine_napipoll+0x3f2/0x3fd [via_rhine]
[] ? hifn_check_for_completion+0x4d/0xa6 [hifn_795x]
[] ? hifn_tasklet_callback+0xa/0xc [hifn_795x]
[] ? tasklet_action+0x3f/0x66
[] ? __do_softirq+0x38/0x7a
[] ? do_softirq+0x3e/0x71
[] ? irq_exit+0x2c/0x65
[] ? smp_apic_timer_interrupt+0x5f/0x6a
[] ? apic_timer_interrupt+0x28/0x30
[] ? hifn_handle_req+0x44a/0x50d [hifn_795x]
...Signed-off-by: Patrick McHardy
Signed-off-by: Herbert Xu
21 Apr, 2008
14 commits
-
Ciphers, block modes, name it, are grouped together and sorted.
Signed-off-by: Sebastian Siewior
Signed-off-by: Herbert Xu -
On Thu, Mar 27, 2008 at 03:40:36PM +0100, Bodo Eggert wrote:
> Kamalesh Babulal wrote:
>
> > This patch cleanups the crypto code, replaces the init() and fini()
> > with the _init/_fini
>
> This part ist OK.
>
> > or init/fini_ (if the
> > _init/_fini exist)
>
> Having init_foo and foo_init won't be a good thing, will it? I'd start
> confusing them.
>
> What about foo_modinit instead?Thanks for the suggestion, the init() is replaced with
_mod_init ()
and fini () is replaced with _mod_fini.
Signed-off-by: Kamalesh Babulal
Signed-off-by: Herbert Xu -
The key expansion routine could be get little more generic, become
a kernel doc entry and then get exported.Signed-off-by: Sebastian Siewior
Tested-by: Stefan Hellermann
Signed-off-by: Herbert Xu -
Signed-off-by: Sebastian Siewior
Signed-off-by: Herbert Xu -
Implement CTS wrapper for CBC mode required for support of AES
encryption support for Kerberos (rfc3962).Signed-off-by: Kevin Coffman
Signed-off-by: Herbert Xu -
replace all:
big_endian_variable = cpu_to_beX(beX_to_cpu(big_endian_variable) +
expression_in_cpu_byteorder);
with:
beX_add_cpu(&big_endian_variable, expression_in_cpu_byteorder);Signed-off-by: Marcin Slusarz
Cc: David S. Miller
Cc: Roel Kluin
Signed-off-by: Herbert Xu -
The third test vector of ECB-XTEA-ENC fails for me all other
are fine. I could not find a RFC or something else where they
are defined. The test vector has not been modified since git
started recording histrory. The implementation is very close
(not to say equal) to what is available as Public Domain (they
recommend 64 rounds and the in kernel uses 32). Therefore I
belive that there is typo somewhere and tcrypt reported always
*fail* instead of *okey*.
This patch replaces input + result of the third test vector with
result + input from the third decryption vector. The key is the
same, the other three test vectors are also the reverse.Signed-off-by: Sebastian Siewior
Signed-off-by: Herbert Xu -
Currently the tcrypt module is about 2 MiB on x86-32. The
main reason for the huge size is the data segment which contains
all the test vectors for each algorithm. The test vectors are
staticly allocated in an array and the size of the array has been
drastically increased by the merge of the Salsa20 test vectors.With a hint from Benedigt Spranger I found a way how I could
convert those fixed-length arrays to strings which are flexible
in size. VIM and regex were also very helpfull :)
So, I am talking about a shrinking of ~97% on x86-32:text data bss dec hex filename
18309 2039708 20 2058037 1f6735 tcrypt-b4.ko
45628 23516 80 69224 10e68 tcrypt.koSigned-off-by: Sebastian Siewior
Signed-off-by: Herbert Xu -
The test routines (test_{cipher,hash,aead}) are makeing a copy
of the test template and are processing the encryption process
in place. This patch changes the creation of the copy so it will
work even if the source address of the input data isn't an array
inside of the template but a pointer.Signed-off-by: Sebastian Siewior
Signed-off-by: Herbert Xu -
Signed-off-by: Jan Engelhardt
Signed-off-by: Herbert Xu -
The speed templates as it look always the same. The key size
is repeated for each block size and we test always the same
block size. The addition of one inner loop makes it possible
to get rid of the struct and it is possible to use a tiny
u8 array :)Signed-off-by: Sebastian Siewior
Signed-off-by: Herbert Xu -
Some crypto ciphers which are impleneted support similar key sizes
(16,24 & 32 byte). They can be grouped together and use a common
templatte instead of their own which contains the same data.Signed-off-by: Sebastian Siewior
Signed-off-by: Herbert Xu -
Rename sha512 to sha512_generic and add a MODULE_ALIAS for sha512
so all sha512 implementations can be loaded automatically.Keep the broken tabs so git recognizes this as a rename.
Signed-off-by: Jan Glauber
Signed-off-by: Herbert Xu -
Signed-off-by: Alexey Dobriyan
Signed-off-by: Herbert Xu
18 Apr, 2008
2 commits
-
'ack' is currently a simple integer that flags whether or not a client is done
touching fields in the given descriptor. It is effectively just a single bit
of information. Converting this to a flags parameter allows the other bits to
be put to use to control completion actions, like dma-unmap, and capture
results, like xor-zero-sum == 0.Changes are one of:
1/ convert all open-coded ->ack manipulations to use async_tx_ack
and async_tx_test_ack.
2/ set the ack bit at prep time where possible
3/ make drivers store the flags at prep time
4/ add flags to the device_prep_dma_interrupt prototypeAcked-by: Maciej Sosnowski
Signed-off-by: Dan Williams -
Shrink struct dma_async_tx_descriptor and introduce
async_tx_channel_switch to properly inject a channel switch interrupt in
the descriptor stream. This simplifies the locking model as drivers no
longer need to handle dma_async_tx_descriptor.lock.Acked-by: Shannon Nelson
Signed-off-by: Dan Williams
02 Apr, 2008
1 commit
-
The kernel crashes when ipsec passes a udp packet of about 14XX bytes
of data to aes-xcbc-mac.It seems the first xxxx bytes of the data are in first sg entry,
and remaining xx bytes are in next sg entry. But we don't
check next sg entry to see if we need to go look the page up.I noticed in hmac.c, we do a scatterwalk_sg_next(), to do this check
and possible lookup, thus xcbc.c needs to use this routine too.A 15-hour run of an ipsec stress test sending streams of tcp and
udp packets of various sizes, using this patch and
aes-xcbc-mac completed successfully, so hopefully this fixes the
problem.Signed-off-by: Joy Latten
Signed-off-by: Herbert Xu
19 Mar, 2008
1 commit
-
If the channel cannot perform the operation in one call to
->device_prep_dma_zero_sum, then fallback to the xor+page_is_zero path.
This only affects users with arrays larger than 16 devices on iop13xx or
32 devices on iop3xx.Cc:
Cc: Neil Brown
Signed-off-by: Dan Williams
14 Mar, 2008
1 commit
-
Signed-off-by: Dan Williams
08 Mar, 2008
1 commit
-
The previous patch to move chainiv and eseqiv into blkcipher created
a section mismatch for the chainiv exit function which was also called
from __init. This patch removes the __exit marking on it.Signed-off-by: Herbert Xu
06 Mar, 2008
2 commits
-
When using aes-xcbc-mac for authentication in IPsec,
the kernel crashes. It seems this algorithm doesn't
account for the space IPsec may make in scatterlist for authtag.
Thus when crypto_xcbc_digest_update2() gets called,
nbytes may be less than sg[i].length.
Since nbytes is an unsigned number, it wraps
at the end of the loop allowing us to go back
into loop and causing crash in memcpy.I used update function in digest.c to model this fix.
Please let me know if it looks ok.Signed-off-by: Joy Latten
Signed-off-by: Herbert Xu -
The XTS blockmode uses a copy of the IV which is saved on the stack
and may or may not be properly aligned. If it is not, it will break
hardware cipher like the geode or padlock.
This patch encrypts the IV in place so we don't have to worry about
alignment.Signed-off-by: Sebastian Siewior
Tested-by: Stefan Hellermann
Signed-off-by: Herbert Xu
05 Mar, 2008
1 commit
-
Every file should include the headers containing the externs for its
global code (in this case for struct crypto_{init,exit}_digest_ops()).Signed-off-by: Adrian Bunk
Signed-off-by: Herbert Xu
23 Feb, 2008
2 commits
-
The authenc algorithm requires BLKCIPHER to be present.
Signed-off-by: Herbert Xu
-
For compatibility with dm-crypt initramfs setups it is useful to merge
chainiv/seqiv into the crypto_blkcipher module. Since they're required
by most algorithms anyway this is an acceptable trade-off.Signed-off-by: Herbert Xu
18 Feb, 2008
1 commit
-
This patch fixes the following build error caused by commit
3631c650c495d61b1dabf32eb26b46873636e918:...
LD .tmp_vmlinux1
crypto/built-in.o: In function `skcipher_null_crypt':
crypto_null.c:(.text+0x3d14): undefined reference to `blkcipher_walk_virt'
crypto_null.c:(.text+0x3d14): relocation truncated to fit: R_MIPS_26 against `blkcipher_walk_virt'
crypto/built-in.o: In function `$L32':
crypto_null.c:(.text+0x3d54): undefined reference to `blkcipher_walk_done'
crypto_null.c:(.text+0x3d54): relocation truncated to fit: R_MIPS_26 against `blkcipher_walk_done'
crypto/built-in.o:(.data+0x2e8): undefined reference to `crypto_blkcipher_type'
make[1]: *** [.tmp_vmlinux1] Error 1Signed-off-by: Adrian Bunk
Signed-off-by: Herbert Xu
15 Feb, 2008
1 commit
-
Building latest git fails with the following error:
ERROR: "crypto_alloc_ablkcipher" [crypto/tcrypt.ko] undefined!
This appears to happen because CONFIG_CRYPTO_TEST is set while
CONFIG_CRYPTO_BLKCIPHER is not.
The following patch fixes the problem for me.Signed-off-by: Frederik Deweerdt
Signed-off-by: Herbert Xu
08 Feb, 2008
1 commit
-
Convert instances of ERR_PTR(PTR_ERR(p)) to ERR_CAST(p) using:
perl -spi -e 's/ERR_PTR[(]PTR_ERR[(](.*)[)][)]/ERR_CAST(\1)/' `grep -rl 'ERR_PTR[(]*PTR_ERR' fs crypto net security`
Signed-off-by: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
07 Feb, 2008
5 commits
-
The source and destination addresses are included to allow channel
selection based on address alignment.Signed-off-by: Dan Williams
Reviewed-by: Haavard Skinnemoen -
Pass a full set of flags to drivers' per-operation 'prep' routines.
Currently the only flag passed is DMA_PREP_INTERRUPT. The expectation is
that arch-specific async_tx_find_channel() implementations can exploit this
capability to find the best channel for an operation.Signed-off-by: Dan Williams
Acked-by: Shannon Nelson
Reviewed-by: Haavard Skinnemoen -
The tx_set_src and tx_set_dest methods were originally implemented to allow
an array of addresses to be passed down from async_xor to the dmaengine
driver while minimizing stack overhead. Removing these methods allows
drivers to have all transaction parameters available at 'prep' time, saves
two function pointers in struct dma_async_tx_descriptor, and reduces the
number of indirect branches..A consequence of moving this data to the 'prep' routine is that
multi-source routines like async_xor need temporary storage to convert an
array of linear addresses into an array of dma addresses. In order to keep
the same stack footprint of the previous implementation the input array is
reused as storage for the dma addresses. This requires that
sizeof(dma_addr_t) be less than or equal to sizeof(void *). As a
consequence CONFIG_DMADEVICES now depends on !CONFIG_HIGHMEM64G. It also
requires that drivers be able to make descriptor resources available when
the 'prep' routine is polled.Signed-off-by: Dan Williams
Acked-by: Shannon Nelson -
Remove the unused ASYNC_TX_ASSUME_COHERENT flag. Async_tx is
meant to hide the difference between asynchronous hardware and synchronous
software operations, this flag requires clients to understand cache
coherency consequences of the async path.Signed-off-by: Dan Williams
Reviewed-by: Haavard Skinnemoen -
single list_head variable initialized with LIST_HEAD_INIT could almost
always can be replaced with LIST_HEAD declaration, this shrinks the code
and looks better.Signed-off-by: Denis Cheng
Signed-off-by: Dan Williams
