03 Jun, 2010
2 commits
-
This fixes the broken autoloading of the corresponding twofish assembler
ciphers on x86 and x86_64 if they are available. The module name of the
generic implementation was in conflict with the alias in the assembler
modules. The generic twofish c implementation is renamed to
twofish_generic according to the other algorithms with assembler
implementations and an module alias is added for 'twofish'. You can now
load 'twofish' giving you the best implementation by priority,
'twofish-generic' to get the c implementation or 'twofish-asm' to get
the assembler version of cipher.Signed-off-by: Joachim Fritschi
Signed-off-by: Herbert Xu -
The PCOMP Kconfig entry current allows the following combination
which is illegal:ZLIB=y
PCOMP=y
ALGAPI=m
ALGAPI2=y
MANAGER=m
MANAGER2=mThis patch fixes this by adding PCOMP2 so that PCOMP can select
ALGAPI to propagate the setting to MANAGER2.Signed-off-by: Herbert Xu
07 Jan, 2010
1 commit
-
This patch adds a parallel crypto template that takes a crypto
algorithm and converts it to process the crypto transforms in
parallel. For the moment only aead algorithms are supported.Signed-off-by: Steffen Klassert
Signed-off-by: Herbert Xu
02 Sep, 2009
1 commit
-
This patch adds VMAC (a fast MAC) support into crypto framework.
Signed-off-by: Shane Wang
Signed-off-by: Joseph Cihula
Signed-off-by: Herbert Xu
06 Aug, 2009
1 commit
-
GHASH is implemented as a shash algorithm. The actual implementation
is copied from gcm.c. This makes it possible to add
architecture/hardware accelerated GHASH implementation.Signed-off-by: Huang Ying
Signed-off-by: Herbert Xu
14 Jul, 2009
1 commit
-
This patch removes the implementation of hash and digest now that
no algorithms use them anymore. The interface though will remain
until the users are converted across.Signed-off-by: Herbert Xu
04 Mar, 2009
2 commits
-
Signed-off-by: Geert Uytterhoeven
Cc: James Morris
Signed-off-by: Herbert Xu -
The current "comp" crypto interface supports one-shot (de)compression only,
i.e. the whole data buffer to be (de)compressed must be passed at once, and
the whole (de)compressed data buffer will be received at once.
In several use-cases (e.g. compressed file systems that store files in big
compressed blocks), this workflow is not suitable.
Furthermore, the "comp" type doesn't provide for the configuration of
(de)compression parameters, and always allocates workspace memory for both
compression and decompression, which may waste memory.To solve this, add a "pcomp" partial (de)compression interface that provides
the following operations:
- crypto_compress_{init,update,final}() for compression,
- crypto_decompress_{init,update,final}() for decompression,
- crypto_{,de}compress_setup(), to configure (de)compression parameters
(incl. allocating workspace memory).The (de)compression methods take a struct comp_request, which was mimicked
after the z_stream object in zlib, and contains buffer pointer and length
pairs for input and output.The setup methods take an opaque parameter pointer and length pair. Parameters
are supposed to be encoded using netlink attributes, whose meanings depend on
the actual (name of the) (de)compression algorithm.Signed-off-by: Geert Uytterhoeven
Signed-off-by: Herbert Xu
19 Feb, 2009
1 commit
-
Use dedicated workqueue for crypto subsystem
A dedicated workqueue named kcrypto_wq is created to be used by crypto
subsystem. The system shared keventd_wq is not suitable for
encryption/decryption, because of potential starvation problem.Signed-off-by: Huang Ying
Signed-off-by: Herbert Xu
25 Dec, 2008
1 commit
-
The shash interface replaces the current synchronous hash interface.
It improves over hash in two ways. Firstly shash is reentrant,
meaning that the same tfm may be used by two threads simultaneously
as all hashing state is stored in a local descriptor.The other enhancement is that shash no longer takes scatter list
entries. This is because shash is specifically designed for
synchronous algorithms and as such scatter lists are unnecessary.All existing hash users will be converted to shash once the
algorithms have been completely converted.There is also a new finup function that combines update with final.
This will be extended to ahash once the algorithm conversion is
done.This is also the first time that an algorithm type has their own
registration function. Existing algorithm types will be converted
to this way in due course.Signed-off-by: Herbert Xu
10 Dec, 2008
1 commit
-
If we have at least one algorithm built-in then it no longer makes
sense to have the testing framework, and hence cryptomgr to be a
module. It should be either on or off, i.e., built-in or disabled.This just happens to stop a potential runaway modprobe loop that
seems to trigger on at least one distro.With fixes from Evgeniy Polyakov.
Signed-off-by: Herbert Xu
29 Aug, 2008
4 commits
-
This patch adds a random number generator interface as well as a
cryptographic pseudo-random number generator based on AES. It is
meant to be used in cases where a deterministic CPRNG is required.One of the first applications will be as an input in the IPsec IV
generation process.Signed-off-by: Neil Horman
Signed-off-by: Herbert Xu -
Add the ability to turn FIPS-compliant mode on or off at boot
In order to be FIPS compliant, several check may need to be preformed that may
be construed as unusefull in a non-compliant mode. This patch allows us to set
a kernel flag incating that we are running in a fips-compliant mode from boot
up. It also exports that mode information to user space via a sysctl
(/proc/sys/crypto/fips_enabled).Tested successfully by me.
Signed-off-by: Neil Horman
Signed-off-by: Herbert Xu -
This patch moves the default IV generators into their own modules
in order to break a dependency loop between cryptomgr, rng, and
blkcipher.Signed-off-by: Herbert Xu
-
This patch moves the newly created alg_test infrastructure into
cryptomgr. This shall allow us to use it for testing at algorithm
registrations.Signed-off-by: Herbert Xu
15 Jul, 2008
1 commit
-
This patch is clearly not ready yet for prime time.
Signed-off-by: Herbert Xu
10 Jul, 2008
4 commits
-
This patch adds a cryptographic pseudo-random number generator
based on CTR(AES-128). It is meant to be used in cases where a
deterministic CPRNG is required.One of the first applications will be as an input in the IPsec IV
generation process.Signed-off-by: Neil Horman
Signed-off-by: Herbert Xu -
This patch adds asynchronous hash and digest support.
Signed-off-by: Loc Ho
Signed-off-by: Herbert Xu -
This patch adds support for the extended RIPEMD hash
algorithms RIPEMD-256 and RIPEMD-320.Signed-off-by: Adrian-Ken Rueegsegger
Signed-off-by: Herbert Xu -
This patch adds support for RIPEMD-128 and RIPEMD-160
hash algorithms.Signed-off-by: Adrian-Ken Rueegsegger
Signed-off-by: Herbert Xu
21 Apr, 2008
3 commits
-
Signed-off-by: Sebastian Siewior
Signed-off-by: Herbert Xu -
Implement CTS wrapper for CBC mode required for support of AES
encryption support for Kerberos (rfc3962).Signed-off-by: Kevin Coffman
Signed-off-by: Herbert Xu -
Rename sha512 to sha512_generic and add a MODULE_ALIAS for sha512
so all sha512 implementations can be loaded automatically.Keep the broken tabs so git recognizes this as a rename.
Signed-off-by: Jan Glauber
Signed-off-by: Herbert Xu
23 Feb, 2008
1 commit
-
For compatibility with dm-crypt initramfs setups it is useful to merge
chainiv/seqiv into the crypto_blkcipher module. Since they're required
by most algorithms anyway this is an acceptable trade-off.Signed-off-by: Herbert Xu
11 Jan, 2008
9 commits
-
This patch adds Counter with CBC-MAC (CCM) support.
RFC 3610 and NIST Special Publication 800-38C were referenced.Signed-off-by: Joy Latten
Signed-off-by: Herbert Xu -
This generator generates an IV based on a sequence number by xoring it
with a salt. This algorithm is mainly useful for CTR and similar modes.This patch also sets it as the default IV generator for ctr.
Signed-off-by: Herbert Xu
-
This generator generates an IV based on a sequence number by xoring it
with a salt and then encrypting it with the same key as used to encrypt
the plain text. This algorithm requires that the block size be equal
to the IV size. It is mainly useful for CBC.It has one noteworthy property that for IPsec the IV happens to lie
just before the plain text so the IV generation simply increases the
number of encrypted blocks by one. Therefore the cost of this generator
is entirely dependent on the speed of the underlying cipher.Signed-off-by: Herbert Xu
-
The chain IV generator is the one we've been using in the IPsec stack.
It simply starts out with a random IV, then uses the last block of each
encrypted packet's cipher text as the IV for the next packet.It can only be used by synchronous ciphers since we have to make sure
that we don't start the encryption of the next packet until the last
one has completed.It does have the advantage of using very little CPU time since it doesn't
have to generate anything at all.Signed-off-by: Herbert Xu
-
With the impending addition of the givcipher type, both blkcipher and
ablkcipher algorithms will use it to create givcipher objects. As such
it no longer makes sense to split the system between ablkcipher and
blkcipher. In particular, both ablkcipher.c and blkcipher.c would need
to use the givcipher type which has to reside in ablkcipher.c since it
shares much code with it.This patch merges the two Kconfig options as well as the modules into one.
Signed-off-by: Herbert Xu
-
Add LZO compression algorithm support
Signed-off-by: Zoltan Sogor
Signed-off-by: Herbert Xu -
Add GCM/GMAC support to cryptoapi.
GCM (Galois/Counter Mode) is an AEAD mode of operations for any block cipher
with a block size of 16. The typical example is AES-GCM.Signed-off-by: Mikko Herranen
Reviewed-by: Mika Kukkonen
Signed-off-by: Herbert Xu -
This patch implements the Salsa20 stream cipher using the blkcipher interface.
The core cipher code comes from Daniel Bernstein's submission to eSTREAM:
http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/ref/The test vectors comes from:
http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/It has been tested successfully with "modprobe tcrypt mode=34" on an
UML instance.Signed-off-by: Tan Swee Heng
Signed-off-by: Herbert Xu -
This patch implements CTR mode for IPsec.
It is based off of RFC 3686.Please note:
1. CTR turns a block cipher into a stream cipher.
Encryption is done in blocks, however the last block
may be a partial block.A "counter block" is encrypted, creating a keystream
that is xor'ed with the plaintext. The counter portion
of the counter block is incremented after each block
of plaintext is encrypted.
Decryption is performed in same manner.2. The CTR counterblock is composed of,
nonce + IV + counterThe size of the counterblock is equivalent to the
blocksize of the cipher.
sizeof(nonce) + sizeof(IV) + sizeof(counter) = blocksizeThe CTR template requires the name of the cipher
algorithm, the sizeof the nonce, and the sizeof the iv.
ctr(cipher,sizeof_nonce,sizeof_iv)So for example,
ctr(aes,4,8)
specifies the counterblock will be composed of 4 bytes
from a nonce, 8 bytes from the iv, and 4 bytes for counter
since aes has a blocksize of 16 bytes.3. The counter portion of the counter block is stored
in big endian for conformance to rfc 3686.Signed-off-by: Joy Latten
Signed-off-by: Herbert Xu
11 Oct, 2007
7 commits
-
Loading the crypto algorithm by the alias instead of by module directly
has the advantage that all possible implementations of this algorithm
are loaded automatically and the crypto API can choose the best one
depending on its priority.Additionally it ensures that the generic implementation as well as the
HW driver (if available) is loaded in case the HW driver needs the
generic version as fallback in corner cases.Also remove the probe for sha1 in padlock's init code.
Quote from Herbert:
The probe is actually pointless since we can always probe when
the algorithm is actually used which does not lead to dead-locks
like this.Signed-off-by: Sebastian Siewior
Signed-off-by: Herbert Xu -
Loading the crypto algorithm by the alias instead of by module directly
has the advantage that all possible implementations of this algorithm
are loaded automatically and the crypto API can choose the best one
depending on its priority.Additionally it ensures that the generic implementation as well as the
HW driver (if available) is loaded in case the HW driver needs the
generic version as fallback in corner cases.Signed-off-by: Sebastian Siewior
Signed-off-by: Herbert Xu -
Loading the crypto algorithm by the alias instead of by module directly
has the advantage that all possible implementations of this algorithm
are loaded automatically and the crypto API can choose the best one
depending on its priority.Signed-off-by: Sebastian Siewior
Signed-off-by: Herbert Xu -
XTS currently considered to be the successor of the LRW mode by the IEEE1619
workgroup. LRW was discarded, because it was not secure if the encyption key
itself is encrypted with LRW.XTS does not have this problem. The implementation is pretty straightforward,
a new function was added to gf128mul to handle GF(128) elements in ble format.
Four testvectors from the specification
http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
were added, and they verify on my system.Signed-off-by: Rik Snel
Signed-off-by: Herbert Xu -
This patch adds the authenc algorithm which constructs an AEAD algorithm
from an asynchronous block cipher and a hash. The construction is done
by concatenating the encrypted result from the cipher with the output
from the hash, as is used by the IPsec ESP protocol.The authenc algorithm exists as a template with four parameters:
authenc(auth, authsize, enc, enckeylen).
The authentication algorithm, the authentication size (i.e., truncating
the output of the authentication algorithm), the encryption algorithm,
and the encryption key length. Both the size field and the key length
field are in bytes. For example, AES-128 with SHA1-HMAC would be
represented byauthenc(hmac(sha1), 12, cbc(aes), 16)
The key for the authenc algorithm is the concatenation of the keys for
the authentication algorithm with the encryption algorithm. For the
above example, if a key of length 36 bytes is given, then hmac(sha1)
would receive the first 20 bytes while the last 16 would be given to
cbc(aes).Signed-off-by: Herbert Xu
-
The scatterwalk code is only used by algorithms that can be built as
a module. Therefore we can move it into algapi.Signed-off-by: Herbert Xu
-
This patch adds crypto_aead which is the interface for AEAD
(Authenticated Encryption with Associated Data) algorithms.AEAD algorithms perform authentication and encryption in one
step. Traditionally users (such as IPsec) would use two
different crypto algorithms to perform these. With AEAD
this comes down to one algorithm and one operation.Of course if traditional algorithms were used we'd still
be doing two operations underneath. However, real AEAD
algorithms may allow the underlying operations to be
optimised as well.Signed-off-by: Herbert Xu
