1. 06 Feb, 2016 1 commit
  2. 01 Feb, 2016 2 commits
  3. 14 Jul, 2015 2 commits
  4. 12 May, 2015 2 commits
    • Herbert Xu's avatar
      crypto: aead - Convert top level interface to new style · 5d1d65f8
      Herbert Xu authored
      This patch converts the top-level aead interface to the new style.
      All user-level AEAD interface code have been moved into crypto/aead.h.
      The allocation/free functions have switched over to the new way of
      allocating tfms.
      This patch also removes the double indrection on setkey so the
      indirection now exists only at the alg level.
      Apart from these there are no user-visible changes.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      crypto: api - Add crypto_grab_spawn primitive · d6ef2f19
      Herbert Xu authored
      This patch adds a new primitive crypto_grab_spawn which is meant
      to replace crypto_init_spawn and crypto_init_spawn2.  Under the
      new scheme the user no longer has to worry about reference counting
      the alg object before it is subsumed by the spawn.
      It is pretty much an exact copy of crypto_grab_aead.
      Prior to calling this function spawn->frontend and spawn->inst
      must have been set.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  5. 03 Apr, 2015 1 commit
  6. 20 Jun, 2014 1 commit
  7. 10 Mar, 2014 2 commits
  8. 07 Oct, 2013 1 commit
    • James Yonan's avatar
      crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks · 6bf37e5a
      James Yonan authored
      When comparing MAC hashes, AEAD authentication tags, or other hash
      values in the context of authentication or integrity checking, it
      is important not to leak timing information to a potential attacker,
      i.e. when communication happens over a network.
      Bytewise memory comparisons (such as memcmp) are usually optimized so
      that they return a nonzero value as soon as a mismatch is found. E.g,
      on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
      and up to ~850 cyc for a full match (cold). This early-return behavior
      can leak timing information as a side channel, allowing an attacker to
      iteratively guess the correct result.
      This patch adds a new method crypto_memneq ("memory not equal to each
      other") to the crypto API that compares memory areas of the same length
      in roughly "constant time" (cache misses could change the timing, but
      since they don't reveal information about the content of the strings
      being compared, they are effectively benign). Iow, best and worst case
      behaviour take the same amount of time to complete (in contrast to
      Note that crypto_memneq (unlike memcmp) can only be used to test for
      equality or inequality, NOT for lexicographical order. This, however,
      is not an issue for its use-cases within the crypto API.
      We tried to locate all of the places in the crypto API where memcmp was
      being used for authentication or integrity checking, and convert them
      over to crypto_memneq.
      crypto_memneq is declared noinline, placed in its own source file,
      and compiled with optimizations that might increase code size disabled
      ("Os") because a smart compiler (or LTO) might notice that the return
      value is always compared against zero/nonzero, and might then
      reintroduce the same early-return optimization that we are trying to
      Using #pragma or __attribute__ optimization annotations of the code
      for disabling optimization was avoided as it seems to be considered
      broken or unmaintained for long time in GCC [1]. Therefore, we work
      around that by specifying the compile flag for memneq.o directly in
      the Makefile. We found that this seems to be most appropriate.
      As we use ("Os"), this patch also provides a loop-free "fast-path" for
      frequently used 16 byte digests. Similarly to kernel library string
      functions, leave an option for future even further optimized architecture
      specific assembler implementations.
      This was a joint work of James Yonan and Daniel Borkmann. Also thanks
      for feedback from Florian Weimer on this and earlier proposals [2].
        [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
        [2] https://lkml.org/lkml/2013/2/10/131Signed-off-by: default avatarJames Yonan <james@openvpn.net>
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Florian Weimer <fw@deneb.enyo.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  9. 08 Nov, 2011 1 commit
  10. 21 Oct, 2011 1 commit
  11. 18 May, 2010 1 commit
    • David S. Miller's avatar
      crypto: skcipher - Add ablkcipher_walk interfaces · bf06099d
      David S. Miller authored
      These are akin to the blkcipher_walk helpers.
      The main differences in the async variant are:
      1) Only physical walking is supported.  We can't hold on to
         kmap mappings across the async operation to support virtual
         ablkcipher_walk operations anyways.
      2) Bounce buffers used for async more need to be persistent and
         freed at a later point in time when the async op completes.
         Therefore we maintain a list of writeback buffers and require
         that the ablkcipher_walk user call the 'complete' operation
         so we can copy the bounce buffers out to the real buffers and
         free up the bounce buffer chunks.
      These interfaces will be used by the new Niagara2 crypto driver.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  12. 18 Oct, 2009 1 commit
  13. 29 Aug, 2009 1 commit
  14. 24 Jul, 2009 1 commit
    • Herbert Xu's avatar
      crypto: api - Fix aligned ctx helper · ab300465
      Herbert Xu authored
      The aligned ctx helper was using a bogus alignment value thas was
      one off the correct value.  Fortunately the current users do not
      require anything beyond the natural alignment of the platform so
      this hasn't caused a problem.
      This patch fixes that and also removes the unnecessary minimum
      check since if the alignment is less than the natural alignment
      then the subsequent ALIGN operation should be a noop.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  15. 14 Jul, 2009 1 commit
  16. 13 Jul, 2009 1 commit
  17. 08 Jul, 2009 2 commits
  18. 07 Jul, 2009 1 commit
  19. 06 Jul, 2009 1 commit
  20. 24 Dec, 2008 3 commits
    • Herbert Xu's avatar
      crypto: hash - Export shash through hash · 5f7082ed
      Herbert Xu authored
      This patch allows shash algorithms to be used through the old hash
      interface.  This is a transitional measure so we can convert the
      underlying algorithms to shash before converting the users across.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      crypto: api - Rebirth of crypto_alloc_tfm · 7b0bac64
      Herbert Xu authored
      This patch reintroduces a completely revamped crypto_alloc_tfm.
      The biggest change is that we now take two crypto_type objects
      when allocating a tfm, a frontend and a backend.  In fact this
      simply formalises what we've been doing behind the API's back.
      For example, as it stands crypto_alloc_ahash may use an
      actual ahash algorithm or a crypto_hash algorithm.  Putting
      this in the API allows us to do this much more cleanly.
      The existing types will be converted across gradually.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      crypto: api - Move type exit function into crypto_tfm · 4a779486
      Herbert Xu authored
      The type exit function needs to undo any allocations done by the type
      init function.  However, the type init function may differ depending
      on the upper-level type of the transform (e.g., a crypto_blkcipher
      instantiated as a crypto_ablkcipher).
      So we need to move the exit function out of the lower-level
      structure and into crypto_tfm itself.
      As it stands this is a no-op since nobody uses exit functions at
      all.  However, all cases where a lower-level type is instantiated
      as a different upper-level type (such as blkcipher as ablkcipher)
      will be converted such that they allocate the underlying transform
      and use that instead of casting (e.g., crypto_ablkcipher casted
      into crypto_blkcipher).  That will need to use a different exit
      function depending on the upper-level type.
      This patch also allows the type init/exit functions to call (or not)
      cra_init/cra_exit instead of always calling them from the top level.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  21. 10 Jul, 2008 2 commits
  22. 10 Jan, 2008 5 commits
    • Herbert Xu's avatar
      [CRYPTO] skcipher: Remove crypto_spawn_ablkcipher · 45d44eb5
      Herbert Xu authored
      Now that gcm and authenc have been converted to crypto_spawn_skcipher,
      this patch removes the obsolete crypto_spawn_ablkcipher function.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] skcipher: Add crypto_grab_skcipher interface · 378f4f51
      Herbert Xu authored
      Note: From now on the collective of ablkcipher/blkcipher/givcipher will
      be known as skcipher, i.e., symmetric key cipher.  The name blkcipher has
      always been much of a misnomer since it supports stream ciphers too.
      This patch adds the function crypto_grab_skcipher as a new way of getting
      an ablkcipher spawn.  The problem is that previously we did this in two
      steps, first getting the algorithm and then calling crypto_init_spawn.
      This meant that each spawn user had to be aware of what type and mask to
      use for these two steps.  This is difficult and also presents a problem
      when the type/mask changes as they're about to be for IV generators.
      The new interface does both steps together just like crypto_alloc_ablkcipher.
      As a side-effect this also allows us to be stronger on type enforcement
      for spawns.  For now this is only done for ablkcipher but it's trivial
      to extend for other types.
      This patch also moves the type/mask logic for skcipher into the helpers
      crypto_skcipher_type and crypto_skcipher_mask.
      Finally this patch introduces the function crypto_require_sync to determine
      whether the user is specifically requesting a sync algorithm.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] api: Add crypto_attr_alg_name · 68b6c7d6
      Herbert Xu authored
      This patch adds a new helper crypto_attr_alg_name which is basically the
      first half of crypto_attr_alg.  That is, it returns an algorithm name
      parameter as a string without looking it up.  The caller can then look it
      up immediately or defer it until later.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] api: Add crypto_inc and crypto_xor · 7613636d
      Herbert Xu authored
      With the addition of more stream ciphers we need to curb the proliferation
      of ad-hoc xor functions.  This patch creates a generic pair of functions,
      crypto_inc and crypto_xor which does big-endian increment and exclusive or,
      For optimum performance, they both use u32 operations so alignment must be
      as that of u32 even though the arguments are of type u8 *.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] ablkcipher: Add distinct ABLKCIPHER type · 332f8840
      Herbert Xu authored
      Up until now we have ablkcipher algorithms have been identified as
      type BLKCIPHER with the ASYNC bit set.  This is suboptimal because
      ablkcipher refers to two things.  On the one hand it refers to the
      top-level ablkcipher interface with requests.  On the other hand it
      refers to and algorithm type underneath.
      As it is you cannot request a synchronous block cipher algorithm
      with the ablkcipher interface on top.  This is a problem because
      we want to be able to eventually phase out the blkcipher top-level
      This patch fixes this by making ABLKCIPHER its own type, just as
      we have distinct types for HASH and DIGEST.  The type it associated
      with the algorithm implementation only.
      Which top-level interface is used for synchronous block ciphers is
      then determined by the mask that's used.  If it's a specific mask
      then the old blkcipher interface is given, otherwise we go with the
      new ablkcipher interface.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  23. 10 Oct, 2007 5 commits
    • Herbert Xu's avatar
      [CRYPTO] blkcipher: Added blkcipher_walk_virt_block · 7607bd8f
      Herbert Xu authored
      This patch adds the helper blkcipher_walk_virt_block which is similar to
      blkcipher_walk_virt but uses a supplied block size instead of the block
      size of the block cipher.  This is useful for CTR where the block size is
      1 but we still want to walk by the block size of the underlying cipher.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] aead: Add authenc · 3c09f17c
      Herbert Xu authored
      This patch adds the authenc algorithm which constructs an AEAD algorithm
      from an asynchronous block cipher and a hash.  The construction is done
      by concatenating the encrypted result from the cipher with the output
      from the hash, as is used by the IPsec ESP protocol.
      The authenc algorithm exists as a template with four parameters:
      	authenc(auth, authsize, enc, enckeylen).
      The authentication algorithm, the authentication size (i.e., truncating
      the output of the authentication algorithm), the encryption algorithm,
      and the encryption key length.  Both the size field and the key length
      field are in bytes.  For example, AES-128 with SHA1-HMAC would be
      represented by
      	authenc(hmac(sha1), 12, cbc(aes), 16)
      The key for the authenc algorithm is the concatenation of the keys for
      the authentication algorithm with the encryption algorithm.  For the
      above example, if a key of length 36 bytes is given, then hmac(sha1)
      would receive the first 20 bytes while the last 16 would be given to
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] ablkcipher: Remove queue pointer from common alg object · 2de98e75
      Herbert Xu authored
      Since not everyone needs a queue pointer and those who need it can
      always get it from the context anyway the queue pointer in the
      common alg object is redundant.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Herbert Xu's avatar
      [CRYPTO] api: Add aead crypto type · 1ae97820
      Herbert Xu authored
      This patch adds crypto_aead which is the interface for AEAD
      (Authenticated Encryption with Associated Data) algorithms.
      AEAD algorithms perform authentication and encryption in one
      step.  Traditionally users (such as IPsec) would use two
      different crypto algorithms to perform these.  With AEAD
      this comes down to one algorithm and one operation.
      Of course if traditional algorithms were used we'd still
      be doing two operations underneath.  However, real AEAD
      algorithms may allow the underlying operations to be
      optimised as well.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    • Sebastian Siewior's avatar
      [CRYPTO] api: Add crypto_ablkcipher_ctx_aligned · aa379a6a
      Sebastian Siewior authored
      This is function does the same thing for ablkcipher that is done for
      blkcipher by crypto_blkcipher_ctx_aligned(): it returns an aligned
      address of the private ctx.
      Signed-off-by: default avatarSebastian Siewior <sebastian@breakpoint.cc>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
  24. 01 May, 2007 1 commit