path: root/crypto
AgeCommit message (Collapse)Author
2012-03-15Revert "crypto: testmgr: add support for aes ofb mode"Mallikarjun Kasoju
This reverts commit 2afef0391f30a2831f8beed6a89351682c8a81f6. Change-Id: Ieef8fd28ba78334a4a0a1b7c64ba6fd4d0f4cb05 Reviewed-on: http://git-master/r/90082 Reviewed-by: Mallikarjun Kasoju <> Tested-by: Mallikarjun Kasoju <> Reviewed-by: Automatic_Commit_Validation_User Reviewed-by: Venkat Moganty <>
2012-02-09crypto: sha512 - reduce stack usage to safe numberAlexey Dobriyan
commit 51fc6dc8f948047364f7d42a4ed89b416c6cc0a3 upstream. For rounds 16--79, W[i] only depends on W[i - 2], W[i - 7], W[i - 15] and W[i - 16]. Consequently, keeping all W[80] array on stack is unnecessary, only 16 values are really needed. Using W[16] instead of W[80] greatly reduces stack usage (~750 bytes to ~340 bytes on x86_64). Line by line explanation: * BLEND_OP array is "circular" now, all indexes have to be modulo 16. Round number is positive, so remainder operation should be without surprises. * initial full message scheduling is trimmed to first 16 values which come from data block, the rest is calculated before it's needed. * original loop body is unrolled version of new SHA512_0_15 and SHA512_16_79 macros, unrolling was done to not do explicit variable renaming. Otherwise it's the very same code after preprocessing. See sha1_transform() code which does the same trick. Patch survives in-tree crypto test and original bugreport test (ping flood with hmac(sha512). See FIPS 180-2 for SHA-512 definition Signed-off-by: Alexey Dobriyan <> Signed-off-by: Herbert Xu <> Signed-off-by: Greg Kroah-Hartman <> Signed-off-by: Varun Wadekar <> Change-Id: I7945bdc928bd3491117ea5e334a0bc5dd6231299 Reviewed-on: http://git-master/r/79657
2012-02-09crypto: sha512 - make it work, undo percpu message scheduleAlexey Dobriyan
commit 84e31fdb7c797a7303e0cc295cb9bc8b73fb872d upstream. commit f9e2bca6c22d75a289a349f869701214d63b5060 aka "crypto: sha512 - Move message schedule W[80] to static percpu area" created global message schedule area. If sha512_update will ever be entered twice, hash will be silently calculated incorrectly. Probably the easiest way to notice incorrect hashes being calculated is to run 2 ping floods over AH with hmac(sha512): #!/usr/sbin/setkey -f flush; spdflush; add IP1 IP2 ah 25 -A hmac-sha512 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000025; add IP2 IP1 ah 52 -A hmac-sha512 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052; spdadd IP1 IP2 any -P out ipsec ah/transport//require; spdadd IP2 IP1 any -P in ipsec ah/transport//require; XfrmInStateProtoError will start ticking with -EBADMSG being returned from ah_input(). This never happens with, say, hmac(sha1). With patch applied (on BOTH sides), XfrmInStateProtoError does not tick with multiple bidirectional ping flood streams like it doesn't tick with SHA-1. After this patch sha512_transform() will start using ~750 bytes of stack on x86_64. This is OK for simple loads, for something more heavy, stack reduction will be done separatedly. Signed-off-by: Alexey Dobriyan <> Signed-off-by: Herbert Xu <> Signed-off-by: Greg Kroah-Hartman <> Signed-off-by: Varun Wadekar <> Change-Id: I752dc16e90deb04b35202fddce818ace0b605e9d Reviewed-on: http://git-master/r/79656
2011-12-08crypto: testmgr: add support for aes ofb modePuneet Saxena
the fix add testcase for testing aes ofb mode. Signed-off-by: Puneet Saxena <> Signed-off-by: Herbert Xu <> Bug 787628 cherry picked the following commit cryptodev-2.6.git;a=commit;h=ba0e14acc417eceb895efda1ff46366f4d1728f8 Reviewed-on: http://git-master/r/30339 Reviewed-on: http://git-master/r/54441 (cherry picked from commit b6a86d94028d57884b85179a641a6275d6708c70) Change-Id: I5bbd3e8a04f0281ff5c22ffcf7522ac3d4a31e30 Reviewed-on: http://git-master/r/68150 Tested-by: Puneet Saxena <> Reviewed-by: Varun Wadekar <>
2011-11-30crypto: testmgr - Adding ofb(aes) and cmac(aes) testsKasoju Mallikarjun
Added ofb(aes) and cmac(aes) tests Original-Change-Id: Ia79b0f979af88d337e91164f0b8b6d0eba18cd03 Reviewed-on: http://git-master/r/34701 Reviewed-by: Mallikarjun Kasoju <> Tested-by: Mallikarjun Kasoju <> Reviewed-by: Hanumanth Venkateswa Moganty <> Rebase-Id: R383d7f642cab41350f54367687861615f9484cf3
2011-11-11crypto: cryptd - Use subsys_initcall to prevent races with aesniHerbert Xu
commit b2bac6acf86d05d8af0499f37d91ecac15722803 upstream. As cryptd is depeneded on by other algorithms such as aesni-intel, it needs to be registered before them. When everything is built as modules, this occurs naturally. However, for this to work when they are built-in, we need to use subsys_initcall in cryptd. Tested-by: Josh Boyer <> Signed-off-by: Herbert Xu <> Cc: Kerin Millar <> Signed-off-by: Greg Kroah-Hartman <>
2011-10-21crypto: ghash - Avoid null pointer dereference if no key is setNick Bowler
The ghash_update function passes a pointer to gf128mul_4k_lle which will be NULL if ghash_setkey is not called or if the most recent call to ghash_setkey failed to allocate memory. This causes an oops. Fix this up by returning an error code in the null case. This is trivially triggered from unprivileged userspace through the AF_ALG interface by simply writing to the socket without setting a key. The ghash_final function has a similar issue, but triggering it requires a memory allocation failure in ghash_setkey _after_ at least one successful call to ghash_update. BUG: unable to handle kernel NULL pointer dereference at 00000670 IP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP Modules linked in: ghash_generic gf128mul algif_hash af_alg nfs lockd nfs_acl sunrpc bridge ipv6 stp llc Pid: 1502, comm: hashatron Tainted: G W 3.1.0-rc9-00085-ge9308cf #32 Bochs Bochs EIP: 0060:[<d88c92d4>] EFLAGS: 00000202 CPU: 0 EIP is at gf128mul_4k_lle+0x23/0x60 [gf128mul] EAX: d69db1f0 EBX: d6b8ddac ECX: 00000004 EDX: 00000000 ESI: 00000670 EDI: d6b8ddac EBP: d6b8ddc8 ESP: d6b8dda4 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process hashatron (pid: 1502, ti=d6b8c000 task=d6810000 task.ti=d6b8c000) Stack: 00000000 d69db1f0 00000163 00000000 d6b8ddc8 c101a520 d69db1f0 d52aa000 00000ff0 d6b8dde8 d88d310f d6b8a3f8 d52aa000 00001000 d88d502c d6b8ddfc 00001000 d6b8ddf4 c11676ed d69db1e8 d6b8de24 c11679ad d52aa000 00000000 Call Trace: [<c101a520>] ? kmap_atomic_prot+0x37/0xa6 [<d88d310f>] ghash_update+0x85/0xbe [ghash_generic] [<c11676ed>] crypto_shash_update+0x18/0x1b [<c11679ad>] shash_ahash_update+0x22/0x36 [<c11679cc>] shash_async_update+0xb/0xd [<d88ce0ba>] hash_sendpage+0xba/0xf2 [algif_hash] [<c121b24c>] kernel_sendpage+0x39/0x4e [<d88ce000>] ? 0xd88cdfff [<c121b298>] sock_sendpage+0x37/0x3e [<c121b261>] ? kernel_sendpage+0x4e/0x4e [<c10b4dbc>] pipe_to_sendpage+0x56/0x61 [<c10b4e1f>] splice_from_pipe_feed+0x58/0xcd [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b51f5>] __splice_from_pipe+0x36/0x55 [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b6383>] splice_from_pipe+0x51/0x64 [<c10b63c2>] ? default_file_splice_write+0x2c/0x2c [<c10b63d5>] generic_splice_sendpage+0x13/0x15 [<c10b4d66>] ? splice_from_pipe_begin+0x10/0x10 [<c10b527f>] do_splice_from+0x5d/0x67 [<c10b6865>] sys_splice+0x2bf/0x363 [<c129373b>] ? sysenter_exit+0xf/0x16 [<c104dc1e>] ? trace_hardirqs_on_caller+0x10e/0x13f [<c129370c>] sysenter_do_call+0x12/0x32 Code: 83 c4 0c 5b 5e 5f c9 c3 55 b9 04 00 00 00 89 e5 57 8d 7d e4 56 53 8d 5d e4 83 ec 18 89 45 e0 89 55 dc 0f b6 70 0f c1 e6 04 01 d6 <f3> a5 be 0f 00 00 00 4e 89 d8 e8 48 ff ff ff 8b 45 e0 89 da 0f EIP: [<d88c92d4>] gf128mul_4k_lle+0x23/0x60 [gf128mul] SS:ESP 0068:d6b8dda4 CR2: 0000000000000670 ---[ end trace 4eaa2a86a8e2da24 ]--- note: hashatron[1502] exited with preempt_count 1 BUG: scheduling while atomic: hashatron/1502/0x10000002 INFO: lockdep is turned off. [...] Signed-off-by: Nick Bowler <> Cc: [2.6.37+] Signed-off-by: Herbert Xu <>
2011-08-06crypto: Move md5_transform to lib/md5.cDavid S. Miller
We are going to use this for TCP/IP sequence number and fragment ID generation. Signed-off-by: David S. Miller <>
2011-07-26atomic: use <linux/atomic.h>Arun Sharma
This allows us to move duplicated code in <asm/atomic.h> (atomic_inc_not_zero() for now) to <linux/atomic.h> Signed-off-by: Arun Sharma <> Reviewed-by: Eric Dumazet <> Cc: Ingo Molnar <> Cc: David Miller <> Cc: Eric Dumazet <> Acked-by: Mike Frysinger <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2011-07-25Merge branch 'for-linus' of ↵Linus Torvalds
git:// * 'for-linus' of git:// (43 commits) fs: Merge split strings treewide: fix potentially dangerous trailing ';' in #defined values/expressions uwb: Fix misspelling of neighbourhood in comment net, netfilter: Remove redundant goto in ebt_ulog_packet trivial: don't touch files that are removed in the staging tree lib/vsprintf: replace link to Draft by final RFC number doc: Kconfig: `to be' -> `be' doc: Kconfig: Typo: square -> squared doc: Konfig: Documentation/power/{pm => apm-acpi}.txt drivers/net: static should be at beginning of declaration drivers/media: static should be at beginning of declaration drivers/i2c: static should be at beginning of declaration XTENSA: static should be at beginning of declaration SH: static should be at beginning of declaration MIPS: static should be at beginning of declaration ARM: static should be at beginning of declaration rcu: treewide: Do not use rcu_read_lock_held when calling rcu_dereference_check Update my e-mail address PCIe ASPM: forcedly -> forcibly gma500: push through device driver tree ... Fix up trivial conflicts: - arch/arm/mach-ep93xx/dma-m2p.c (deleted) - drivers/gpio/gpio-ep93xx.c (renamed and context nearby) - drivers/net/r8169.c (just context changes)
2011-07-24Merge git:// Torvalds
* git:// (34 commits) crypto: caam - ablkcipher support crypto: caam - faster aead implementation crypto: caam - structure renaming crypto: caam - shorter names crypto: talitos - don't bad_key in ablkcipher setkey crypto: talitos - remove unused giv from ablkcipher methods crypto: talitos - don't set done notification in hot path crypto: talitos - ensure request ordering within a single tfm crypto: gf128mul - fix call to memset() crypto: s390 - support hardware accelerated SHA-224 crypto: algif_hash - Handle initial af_alg_make_sg error correctly crypto: sha1_generic - use SHA1_BLOCK_SIZE hwrng: ppc4xx - add support for ppc4xx TRNG crypto: crypto4xx - Perform read/modify/write on device control register crypto: caam - fix build warning when DEBUG_FS not configured crypto: arc4 - Fixed coding style issues crypto: crc32c - Fixed coding style issue crypto: omap-sham - do not schedule tasklet if there is no active requests crypto: omap-sham - clear device flags when finishing request crypto: omap-sham - irq handler must not clear error code ...
2011-07-11doc: Kconfig: `to be' -> `be'Michael Witten
Also, a comma was inserted to offset a modifier. Signed-off-by: Michael Witten <> Signed-off-by: Jiri Kosina <>
2011-07-08crypto: gf128mul - fix call to memset()Mathias Krause
In gf128mul_lle() and gf128mul_bbe() r isn't completely initialized with zero because the size argument passed to memset() is the size of the pointer, not the structure it points to. Luckily there are no in-kernel users of those functions so the ABI change implied by this fix should break no existing code. Based on a patch by the PaX Team. Signed-off-by: Mathias Krause <> Cc: PaX Team <> Acked-by: David S. Miller <> Signed-off-by: Herbert Xu <>
2011-07-05Merge branch 'master' of ↵David S. Miller
2011-06-30crypto: algif_hash - Handle initial af_alg_make_sg error correctlyHerbert Xu
When the first call to af_alg_make_sg fails, we may return garbage instead of the real error. This patch fixes it by setting the error if "copied" is zero. Based on a patch by Jesper Juhl. Reported-by: Jesper Juhl <> Signed-off-by: Herbert Xu <>
2011-06-30crypto: sha1_generic - use SHA1_BLOCK_SIZEMandeep Singh Baines
Modify sha1_update to use SHA1_BLOCK_SIZE. Signed-off-by: Mandeep Singh Baines <> Signed-off-by: Herbert Xu <>
2011-06-30crypto: arc4 - Fixed coding style issuesMati Vait
Fixed coding style issues: unnecessary spaces, parentheses on wrong lines. Signed-off-by: Mati Vait <> Signed-off-by: Herbert Xu <>
2011-06-30crypto: crc32c - Fixed coding style issueMati Vait
Removed coding style issue: space before tabs. Signed-off-by: Mati Vait <> Signed-off-by: Herbert Xu <>
2011-06-30crypto: UML build fixesRichard Weinberger
CRYPTO_GHASH_CLMUL_NI_INTEL and CRYPTO_AES_NI_INTEL cannot be used on UML. Commit 3e02e5cb and 54b6a1b enabled them by accident. Signed-off-by: Richard Weinberger <> Signed-off-by: Herbert Xu <>
2011-06-30crypto: testmgr - add xts-aes-256 self-testJarod Wilson
FIPS compliance requires a known-answer self-test for all approved cipher and mode combinations, for all valid key sizes. Presently, there are only self-tests for xts-aes-128. This adds a 256-bit one, pulled from the same reference document, which should satisfy the requirement. Signed-off-by: Jarod Wilson <> Signed-off-by: Herbert Xu <>
2011-06-29net+crypto: Use vmalloc for zlib inflate buffers.David S. Miller
They are 64K and result in order-4 allocations, even with SLUB. Therefore, just like we always have for the deflate buffers, use vmalloc. Reported-by: Martin Jackson <> Acked-by: Herbert Xu <> Signed-off-by: David S. Miller <>
2011-06-21net: remove mm.h inclusion from netdevice.hAlexey Dobriyan
Remove linux/mm.h inclusion from netdevice.h -- it's unused (I've checked manually). To prevent mm.h inclusion via other channels also extract "enum dma_data_direction" definition into separate header. This tiny piece is what gluing netdevice.h with mm.h via "netdevice.h => dmaengine.h => dma-mapping.h => scatterlist.h => mm.h". Removal of mm.h from scatterlist.h was tried and was found not feasible on most archs, so the link was cutoff earlier. Hope people are OK with tiny include file. Note, that mm_types.h is still dragged in, but it is a separate story. Signed-off-by: Alexey Dobriyan <> Signed-off-by: David S. Miller <>
2011-05-20Merge git:// Torvalds
* git:// (45 commits) crypto: caam - add support for sha512 variants of existing AEAD algorithms crypto: caam - remove unused authkeylen from caam_ctx crypto: caam - fix decryption shared vs. non-shared key setting crypto: caam - platform_bus_type migration crypto: aesni-intel - fix aesni build on i386 crypto: aesni-intel - Merge with fpu.ko crypto: mv_cesa - make count_sgs() null-pointer proof crypto: mv_cesa - copy remaining bytes to SRAM only when needed crypto: mv_cesa - move digest state initialisation to a better place crypto: mv_cesa - fill inner/outer IV fields only in HMAC case crypto: mv_cesa - refactor copy_src_to_buf() crypto: mv_cesa - no need to save digest state after the last chunk crypto: mv_cesa - print a warning when registration of AES algos fail crypto: mv_cesa - drop this call to mv_hash_final from mv_hash_finup crypto: mv_cesa - the descriptor pointer register needs to be set just once crypto: mv_cesa - use ablkcipher_request_cast instead of the manual container_of crypto: caam - fix printk recursion for long error texts crypto: caam - remove unused keylen from session context hwrng: amd - enable AMD hw rnd driver for Maple PPC boards hwrng: amd - manage resource allocation ...
2011-05-16crypto: aesni-intel - Merge with fpu.koAndy Lutomirski
Loading fpu without aesni-intel does nothing. Loading aesni-intel without fpu causes modes like xts to fail. (Unloading aesni-intel will restore those modes.) One solution would be to make aesni-intel depend on fpu, but it seems cleaner to just combine the modules. This is probably responsible for bugs like: Signed-off-by: Andy Lutomirski <> Signed-off-by: Herbert Xu <>
2011-05-04crypto: tcrypt - CTR mode speed test for AESJan Glauber
Add the CTR mode speed test for AES. Signed-off-by: Jan Glauber <> Signed-off-by: Herbert Xu <>
2011-05-04crypto: testmgr - add support for aes ofb modePuneet Saxena
the fix add testcase for testing aes ofb mode. Signed-off-by: Puneet Saxena <> Signed-off-by: Herbert Xu <>
2011-03-31Fix common misspellingsLucas De Marchi
Fixes generated by 'codespell' and manually reviewed. Signed-off-by: Lucas De Marchi <>
2011-03-22zlib: slim down zlib_deflate() workspace when possibleJim Keniston
Instead of always creating a huge (268K) deflate_workspace with the maximum compression parameters (windowBits=15, memLevel=8), allow the caller to obtain a smaller workspace by specifying smaller parameter values. For example, when capturing oops and panic reports to a medium with limited capacity, such as NVRAM, compression may be the only way to capture the whole report. In this case, a small workspace (24K works fine) is a win, whether you allocate the workspace when you need it (i.e., during an oops or panic) or at boot time. I've verified that this patch works with all accepted values of windowBits (positive and negative), memLevel, and compression level. Signed-off-by: Jim Keniston <> Cc: Herbert Xu <> Cc: David Miller <> Cc: Chris Mason <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2011-03-16Merge git:// Torvalds
* git:// (1480 commits) bonding: enable netpoll without checking link status xfrm: Refcount destination entry on xfrm_lookup net: introduce rx_handler results and logic around that bonding: get rid of IFF_SLAVE_INACTIVE netdev->priv_flag bonding: wrap slave state work net: get rid of multiple bond-related netdevice->priv_flags bonding: register slave pointer for rx_handler be2net: Bump up the version number be2net: Copyright notice change. Update to Emulex instead of ServerEngines e1000e: fix kconfig for crc32 dependency netfilter ebtables: fix xt_AUDIT to work with ebtables xen network backend driver bonding: Improve syslog message at device creation time bonding: Call netif_carrier_off after register_netdevice bonding: Incorrect TX queue offset net_sched: fix ip_tos2prio xfrm: fix __xfrm_route_forward() be2net: Fix UDP packet detected status in RX compl Phonet: fix aligned-mode pipe socket buffer header reserve netxen: support for GbE port settings ... Fix up conflicts in drivers/staging/brcm80211/brcmsmac/wl_mac80211.c with the staging updates.
2011-03-13crypto: authencesn - Add algorithm to handle IPsec extended sequence numbersSteffen Klassert
ESP with separate encryption/authentication algorithms needs a special treatment for the associated data. This patch add a new algorithm that handles esp with extended sequence numbers. Signed-off-by: Steffen Klassert <> Acked-by: Herbert Xu <> Signed-off-by: David S. Miller <>
2011-03-04crypto: tcrypt - do not attempt to write to readonly variableDavid Sterba
Commit da7f033ddc9fdeb (”crypto: cryptomgr - Add test infrastructure”) added a const to variable which is later used as target buffer of memcpy. crypto/tcrypt.c:217:12: warning: passing 'const char (*)[128]' to parameter of type 'void *' discards qualifiers memset(&iv, 0xff, iv_len); crypto/tcrypt.c:test_cipher_speed() - unsigned char *key, iv[128]; + const char *key, iv[128]; ... memset(&iv, 0xff, iv_len); Signed-off-by: David Sterba <> Signed-off-by: Herbert Xu <>
2011-02-17crypto: sha1 - Add test vector to test partial block processingHerbert Xu
In light of the recent discovery of the bug with partial block processing on s390, we need best test coverage for that. This patch adds a test vector for SHA1 that should catch such problems. Signed-off-by: Herbert Xu <>
2011-01-29crypto: testmgr - mark ghash as fips_allowedJarod Wilson
A self-test failure in fips mode means a panic. Well, gcm(aes) self-tests currently fail in fips mode, as gcm is dependent on ghash, which semi-recently got self-test vectors added, but wasn't marked as a fips_allowed algorithm. Because of gcm's dependence on what is now seen as a non-fips_allowed algorithm, its self-tests refuse to run. Previously, ghash got a pass in fips mode, due to the lack of any test vectors at all, and thus gcm self-tests were able to run. After this patch, a 'modprobe tcrypt mode=35' no longer panics in fips mode, and successful self-test of gcm(aes) is reported. Signed-off-by: Jarod Wilson <> Signed-off-by: Herbert Xu <>
2011-01-29crypto: testmgr - mark xts(aes) as fips_allowedJarod Wilson
We (Red Hat) are intending to include dm-crypt functionality, using xts(aes) for disk encryption, as part of an upcoming FIPS-140-2 certification effort, and xts(aes) *is* on the list of possible mode/cipher combinations that can be certified. To make that possible, we need to mark xts(aes) as fips_allowed in the crypto subsystem. A 'modprobe tcrypt mode=10' in fips mode shows xts(aes) self-tests passing successfully after this change. Signed-off-by: Jarod Wilson <> Signed-off-by: Herbert Xu <>
2011-01-29crypto: skcipher - remove redundant NULL checkDavidlohr Bueso
Signed-off-by: Davidlohr Bueso <> Acked-by: David S. Miller <> Signed-off-by: Herbert Xu <>
2011-01-13Merge git:// Torvalds
* git:// (46 commits) hwrng: via_rng - Fix memory scribbling on some CPUs crypto: padlock - Move padlock.h into include/crypto hwrng: via_rng - Fix asm constraints crypto: n2 - use __devexit not __exit in n2_unregister_algs crypto: mark crypto workqueues CPU_INTENSIVE crypto: mv_cesa - dont return PTR_ERR() of wrong pointer crypto: ripemd - Set module author and update email address crypto: omap-sham - backlog handling fix crypto: gf128mul - Remove experimental tag crypto: af_alg - fix af_alg memory_allocated data type crypto: aesni-intel - Fixed build with binutils 2.16 crypto: af_alg - Make sure sk_security is initialized on accept()ed sockets net: Add missing lockdep class names for af_alg include: Install linux/if_alg.h for user-space crypto API crypto: omap-aes - checkpatch --file warning fixes crypto: omap-aes - initialize aes module once per request crypto: omap-aes - unnecessary code removed crypto: omap-aes - error handling implementation improved crypto: omap-aes - redundant locking is removed crypto: omap-aes - DMA initialization fixes for OMAP off mode ...
2011-01-04crypto: mark crypto workqueues CPU_INTENSIVETejun Heo
kcrypto_wq and pcrypt->wq's are used to run ciphers and may consume considerable amount of CPU cycles. Mark both as CPU_INTENSIVE so that they don't block other work items. As the workqueues are primarily used to burn CPU cycles, concurrency levels shouldn't matter much and are left at 1. A higher value may be beneficial and needs investigation. Signed-off-by: Tejun Heo <> Signed-off-by: Herbert Xu <>
2011-01-04crypto: ripemd - Set module author and update email addressAdrian-Ken Rueegsegger
Signed-off-by: Adrian-Ken Rueegsegger <> Signed-off-by: Herbert Xu <>
2010-12-28crypto: gf128mul - Remove experimental tagHerbert Xu
This feature no longer needs the experimental tag. Reported-by: Toralf Förster <> Signed-off-by: Herbert Xu <>
2010-12-21crypto: af_alg - fix af_alg memory_allocated data typeRandy Dunlap
Change data type to fix warning: crypto/af_alg.c:35: warning: initialization from incompatible pointer type Signed-off-by: Randy Dunlap <> Signed-off-by: Herbert Xu <>
2010-12-08crypto: af_alg - Make sure sk_security is initialized on accept()ed socketsMiloslav Trmač
Signed-off-by: Miloslav Trmač <> Signed-off-by: Herbert Xu <>
2010-12-02crypto: Use scatterwalk_crypto_chainSteffen Klassert
Use scatterwalk_crypto_chain in favor of locally defined chaining functions. Signed-off-by: Steffen Klassert <> Signed-off-by: Herbert Xu <>
2010-11-30crypto: algif_skcipher - Handle unaligned receive bufferHerbert Xu
As it is if user-space passes through a receive buffer that's not aligned to to the cipher block size, we'll end up encrypting or decrypting a partial block which causes a spurious EINVAL to be returned. This patch fixes this by moving the partial block test after the af_alg_make_sg call. Signed-off-by: Herbert Xu <>
2010-11-30crypto: algif_skcipher - Fixed overflow when sndbuf is page alignedHerbert Xu
When sk_sndbuf is not a multiple of PAGE_SIZE, the limit tests in sendmsg fail as the limit variable becomes negative and we're using an unsigned comparison. The same thing can happen if sk_sndbuf is lowered after a sendmsg call. This patch fixes this by always taking the signed maximum of limit and 0 before we perform the comparison. It also rounds the value of sk_sndbuf down to a multiple of PAGE_SIZE so that we don't end up allocating a page only to use a small number of bytes in it because we're bound by sk_sndbuf. Signed-off-by: Herbert Xu <>
2010-11-29crypto: af_alg - Add dependency on NETHerbert Xu
Add missing dependency on NET since we require sockets for our interface. Should really be a select but kconfig doesn't like that: net/Kconfig:6:error: found recursive dependency: NET -> NETWORK_FILESYSTEMS -> AFS_FS -> AF_RXRPC -> CRYPTO -> CRYPTO_USER_API_HASH -> CRYPTO_USER_API -> NET Reported-by: Zimny Lech <> Signed-off-by: Herbert Xu <>
2010-11-28crypto: algif_skcipher - Pass on error from af_alg_make_sgHerbert Xu
The error returned from af_alg_make_sg is currently lost and we always pass on -EINVAL. This patch pases on the underlying error. Signed-off-by: Herbert Xu <>
2010-11-27crypto: aesni-intel - Ported implementation to x86-32Mathias Krause
The AES-NI instructions are also available in legacy mode so the 32-bit architecture may profit from those, too. To illustrate the performance gain here's a short summary of a dm-crypt speed test on a Core i7 M620 running at 2.67GHz comparing both assembler implementations: x86: i568 aes-ni delta ECB, 256 bit: 93.8 MB/s 123.3 MB/s +31.4% CBC, 256 bit: 84.8 MB/s 262.3 MB/s +209.3% LRW, 256 bit: 108.6 MB/s 222.1 MB/s +104.5% XTS, 256 bit: 105.0 MB/s 205.5 MB/s +95.7% Additionally, due to some minor optimizations, the 64-bit version also got a minor performance gain as seen below: x86-64: old impl. new impl. delta ECB, 256 bit: 121.1 MB/s 123.0 MB/s +1.5% CBC, 256 bit: 285.3 MB/s 290.8 MB/s +1.9% LRW, 256 bit: 263.7 MB/s 265.3 MB/s +0.6% XTS, 256 bit: 251.1 MB/s 255.3 MB/s +1.7% Signed-off-by: Mathias Krause <> Reviewed-by: Huang Ying <> Signed-off-by: Herbert Xu <>
2010-11-27crypto: Makefile clean upTracey Dent
Changed Makefile to use <modules>-y instead of <modules>-objs. Signed-off-by: Tracey Dent <> Signed-off-by: Herbert Xu <>
2010-11-27crypto: Use vzallocJoe Perches
Signed-off-by: Joe Perches <> Signed-off-by: Herbert Xu <>
2010-11-26crypto: algif_skcipher - User-space interface for skcipher operationsHerbert Xu
This patch adds the af_alg plugin for symmetric key ciphers, corresponding to the ablkcipher kernel operation type. Keys can optionally be set through the setsockopt interface. Once a sendmsg call occurs without MSG_MORE no further writes may be made to the socket until all previous data has been read. IVs and and whether encryption/decryption is performed can be set through the setsockopt interface or as a control message to sendmsg. The interface is completely synchronous, all operations are carried out in recvmsg(2) and will complete prior to the system call returning. The splice(2) interface support reading the user-space data directly without copying (except that the Crypto API itself may copy the data if alignment is off). The recvmsg(2) interface supports directly writing to user-space without additional copying, i.e., the kernel crypto interface will receive the user-space address as its output SG list. Thakns to Miloslav Trmac for reviewing this and contributing fixes and improvements. Signed-off-by: Herbert Xu <> Acked-by: David S. Miller <>