1. 29 Dec, 2014 1 commit
  2. 25 Aug, 2014 1 commit
    • Tim Chen's avatar
      crypto: sha-mb - multibuffer crypto infrastructure · 1e65b81a
      Tim Chen authored
      This patch introduces the multi-buffer crypto daemon which is responsible
      for submitting crypto jobs in a work queue to the responsible multi-buffer
      crypto algorithm.  The idea of the multi-buffer algorihtm is to put
      data streams from multiple jobs in a wide (AVX2) register and then
      take advantage of SIMD instructions to do crypto computation on several
      buffers simultaneously.
      
      The multi-buffer crypto daemon is also responsbile for flushing the
      remaining buffers to complete the computation if no new buffers arrive
      for a while.
      Signed-off-by: default avatarTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1e65b81a
  3. 04 Jul, 2014 1 commit
  4. 20 Jun, 2014 1 commit
  5. 25 Feb, 2014 1 commit
  6. 05 Dec, 2013 1 commit
    • Cesar Eduardo Barros's avatar
      crypto: more robust crypto_memneq · fe8c8a12
      Cesar Eduardo Barros authored
      Disabling compiler optimizations can be fragile, since a new
      optimization could be added to -O0 or -Os that breaks the assumptions
      the code is making.
      
      Instead of disabling compiler optimizations, use a dummy inline assembly
      (based on RELOC_HIDE) to block the problematic kinds of optimization,
      while still allowing other optimizations to be applied to the code.
      
      The dummy inline assembly is added after every OR, and has the
      accumulator variable as its input and output. The compiler is forced to
      assume that the dummy inline assembly could both depend on the
      accumulator variable and change the accumulator variable, so it is
      forced to compute the value correctly before the inline assembly, and
      cannot assume anything about its value after the inline assembly.
      
      This change should be enough to make crypto_memneq work correctly (with
      data-independent timing) even if it is inlined at its call sites. That
      can be done later in a followup patch.
      
      Compile-tested on x86_64.
      Signed-off-by: default avatarCesar Eduardo Barros <cesarb@cesarb.eti.br>
      Acked-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      fe8c8a12
  7. 25 Oct, 2013 1 commit
  8. 07 Oct, 2013 1 commit
    • James Yonan's avatar
      crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks · 6bf37e5a
      James Yonan authored
      When comparing MAC hashes, AEAD authentication tags, or other hash
      values in the context of authentication or integrity checking, it
      is important not to leak timing information to a potential attacker,
      i.e. when communication happens over a network.
      
      Bytewise memory comparisons (such as memcmp) are usually optimized so
      that they return a nonzero value as soon as a mismatch is found. E.g,
      on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
      and up to ~850 cyc for a full match (cold). This early-return behavior
      can leak timing information as a side channel, allowing an attacker to
      iteratively guess the correct result.
      
      This patch adds a new method crypto_memneq ("memory not equal to each
      other") to the crypto API that compares memory areas of the same length
      in roughly "constant time" (cache misses could change the timing, but
      since they don't reveal information about the content of the strings
      being compared, they are effectively benign). Iow, best and worst case
      behaviour take the same amount of time to complete (in contrast to
      memcmp).
      
      Note that crypto_memneq (unlike memcmp) can only be used to test for
      equality or inequality, NOT for lexicographical order. This, however,
      is not an issue for its use-cases within the crypto API.
      
      We tried to locate all of the places in the crypto API where memcmp was
      being used for authentication or integrity checking, and convert them
      over to crypto_memneq.
      
      crypto_memneq is declared noinline, placed in its own source file,
      and compiled with optimizations that might increase code size disabled
      ("Os") because a smart compiler (or LTO) might notice that the return
      value is always compared against zero/nonzero, and might then
      reintroduce the same early-return optimization that we are trying to
      avoid.
      
      Using #pragma or __attribute__ optimization annotations of the code
      for disabling optimization was avoided as it seems to be considered
      broken or unmaintained for long time in GCC [1]. Therefore, we work
      around that by specifying the compile flag for memneq.o directly in
      the Makefile. We found that this seems to be most appropriate.
      
      As we use ("Os"), this patch also provides a loop-free "fast-path" for
      frequently used 16 byte digests. Similarly to kernel library string
      functions, leave an option for future even further optimized architecture
      specific assembler implementations.
      
      This was a joint work of James Yonan and Daniel Borkmann. Also thanks
      for feedback from Florian Weimer on this and earlier proposals [2].
      
        [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
        [2] https://lkml.org/lkml/2013/2/10/131Signed-off-by: default avatarJames Yonan <james@openvpn.net>
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Florian Weimer <fw@deneb.enyo.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      6bf37e5a
  9. 23 Sep, 2013 1 commit
  10. 11 Sep, 2013 1 commit
    • Herbert Xu's avatar
      crypto: crct10dif - Add fallback for broken initrds · 26052f9b
      Herbert Xu authored
      Unfortunately, even with a softdep some distros fail to include
      the necessary modules in the initrd.  Therefore this patch adds
      a fallback path to restore existing behaviour where we cannot
      load the new crypto crct10dif algorithm.
      
      In order to do this, the underlying crct10dif has been split out
      from the crypto implementation so that it can be used on the
      fallback path.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      26052f9b
  11. 06 Sep, 2013 1 commit
  12. 24 Jul, 2013 1 commit
  13. 09 Jul, 2013 1 commit
  14. 20 May, 2013 1 commit
  15. 25 Apr, 2013 1 commit
  16. 19 Jan, 2013 1 commit
  17. 06 Dec, 2012 1 commit
  18. 07 Oct, 2012 1 commit
    • David Howells's avatar
      KEYS: Implement asymmetric key type · 964f3b3b
      David Howells authored
      Create a key type that can be used to represent an asymmetric key type for use
      in appropriate cryptographic operations, such as encryption, decryption,
      signature generation and signature verification.
      
      The key type is "asymmetric" and can provide access to a variety of
      cryptographic algorithms.
      
      Possibly, this would be better as "public_key" - but that has the disadvantage
      that "public key" is an overloaded term.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      964f3b3b
  19. 01 Aug, 2012 3 commits
  20. 14 Mar, 2012 2 commits
  21. 30 Nov, 2011 1 commit
  22. 08 Nov, 2011 1 commit
  23. 21 Oct, 2011 1 commit
  24. 22 Sep, 2011 2 commits
  25. 13 Mar, 2011 1 commit
  26. 27 Nov, 2010 1 commit
  27. 26 Nov, 2010 1 commit
    • Herbert Xu's avatar
      crypto: algif_skcipher - User-space interface for skcipher operations · 8ff59090
      Herbert Xu authored
      This patch adds the af_alg plugin for symmetric key ciphers,
      corresponding to the ablkcipher kernel operation type.
      
      Keys can optionally be set through the setsockopt interface.
      
      Once a sendmsg call occurs without MSG_MORE no further writes
      may be made to the socket until all previous data has been read.
      
      IVs and and whether encryption/decryption is performed can be
      set through the setsockopt interface or as a control message
      to sendmsg.
      
      The interface is completely synchronous, all operations are
      carried out in recvmsg(2) and will complete prior to the system
      call returning.
      
      The splice(2) interface support reading the user-space data directly
      without copying (except that the Crypto API itself may copy the data
      if alignment is off).
      
      The recvmsg(2) interface supports directly writing to user-space
      without additional copying, i.e., the kernel crypto interface will
      receive the user-space address as its output SG list.
      
      Thakns to Miloslav Trmac for reviewing this and contributing
      fixes and improvements.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      8ff59090
  28. 19 Nov, 2010 2 commits
    • Herbert Xu's avatar
      crypto: algif_hash - User-space interface for hash operations · fe869cdb
      Herbert Xu authored
      This patch adds the af_alg plugin for hash, corresponding to
      the ahash kernel operation type.
      
      Keys can optionally be set through the setsockopt interface.
      
      Each sendmsg call will finalise the hash unless sent with a MSG_MORE
      flag.
      
      Partial hash states can be cloned using accept(2).
      
      The interface is completely synchronous, all operations will
      complete prior to the system call returning.
      
      Both sendmsg(2) and splice(2) support reading the user-space
      data directly without copying (except that the Crypto API itself
      may copy the data if alignment is off).
      
      For now only the splice(2) interface supports performing digest
      instead of init/update/final.  In future the sendmsg(2) interface
      will also be modified to use digest/finup where possible so that
      hardware that cannot return a partial hash state can still benefit
      from this interface.
      
      Thakns to Miloslav Trmac for reviewing this and contributing
      fixes and improvements.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Tested-by: default avatarMartin Willi <martin@strongswan.org>
      fe869cdb
    • Herbert Xu's avatar
      crypto: af_alg - User-space interface for Crypto API · 03c8efc1
      Herbert Xu authored
      This patch creates the backbone of the user-space interface for
      the Crypto API, through a new socket family AF_ALG.
      
      Each session corresponds to one or more connections obtained from
      that socket.  The number depends on the number of inputs/outputs
      of that particular type of operation.  For most types there will
      be a s ingle connection/file descriptor that is used for both input
      and output.  AEAD is one of the few that require two inputs.
      
      Each algorithm type will provide its own implementation that plugs
      into af_alg.  They're keyed using a string such as "skcipher" or
      "hash".
      
      IOW this patch only contains the boring bits that is required
      to hold everything together.
      
      Thakns to Miloslav Trmac for reviewing this and contributing
      fixes and improvements.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Tested-by: default avatarMartin Willi <martin@strongswan.org>
      03c8efc1
  29. 03 Jun, 2010 2 commits
  30. 06 Jan, 2010 1 commit
  31. 02 Sep, 2009 1 commit
  32. 05 Aug, 2009 1 commit
  33. 13 Jul, 2009 1 commit
  34. 04 Mar, 2009 1 commit