- Jul 11, 2009
-
-
Herbert Xu authored
This patch replaces the full descriptor export with an export of the partial hash state. This allows the use of a consistent export format across all implementations of a given algorithm. This is useful because a number of cases require the use of the partial hash state, e.g., PadLock can use the SHA1 hash state to get around the fact that it can only hash contiguous data chunks. Signed-off-by:Herbert Xu <herbert@gondor.apana.org.au>
-
- Jul 09, 2009
-
-
Herbert Xu authored
This patch allows crypto_drop_spawn to be called on spawns that have not been initialised or have failed initialisation. This fixes potential crashes during initialisation without adding special case code. Signed-off-by:
-
- Jul 08, 2009
-
-
Herbert Xu authored
This patch fixes crypto_shash_import to propagate the value returned by reinit. Signed-off-by: -
Herbert Xu authored
This patch simplifies the default digest function by using finup. Signed-off-by: -
Herbert Xu authored
This patch adds shash_register_instance so that shash instances can be registered without bypassing the shash checks applied to normal algorithms. Signed-off-by: -
Herbert Xu authored
This patch adds the helper shash_attr_alg2 which locates a shash algorithm based on the information in the given attribute. Signed-off-by: -
Herbert Xu authored
This patch adds the helper crypto_attr_alg2 which is similar to crypto_attr_alg but takes an extra frontend argument. This is intended to be used by new style algorithm types such as shash. Signed-off-by: -
Herbert Xu authored
This patch adds the functions needed to create and use shash spawns, i.e., to use shash algorithms in a template. Signed-off-by: -
Herbert Xu authored
This patch modifies the spawn infrastructure to support new style algorithms like shash. In particular, this means storing the frontend type in the spawn and using crypto_create_tfm to allocate the tfm. Signed-off-by: -
Herbert Xu authored
This patch adds shash_instance and the associated alloc/free functions. This is meant to be an instance that with a shash algorithm under it. Note that the instance itself doesn't have to be shash. Signed-off-by:
-
- Jul 07, 2009
-
-
Herbert Xu authored
This patch adds a new argument to crypto_alloc_instance which sets aside some space before the instance for use by algorithms such as shash that place type-specific data before crypto_alg. For compatibility the function has been renamed so that existing users aren't affected. Signed-off-by: -
Herbert Xu authored
This patch introduces the template->create function intended to replace the existing alloc function. The intention is for create to handle the registration directly, whereas currently the caller of alloc has to handle the registration. This allows type-specific code to be run prior to registration. Signed-off-by:
-
- Jul 03, 2009
-
-
Sebastian Andrzej Siewior authored
As reported by Eric Sesterhenn the re-allocation of the cipher in reset leads to: |BUG: sleeping function called from invalid context at kernel/rwsem.c:21 |in_atomic(): 1, irqs_disabled(): 0, pid: 4926, name: modprobe |INFO: lockdep is turned off. |Pid: 4926, comm: modprobe Tainted: G M 2.6.31-rc1-22297-g5298976 #24 |Call Trace: | [<c011dd93>] __might_sleep+0xf9/0x101 | [<c0777aa0>] down_read+0x16/0x68 | [<c048bf04>] crypto_alg_lookup+0x16/0x34 | [<c048bf52>] crypto_larval_lookup+0x30/0xf9 | [<c048c038>] crypto_alg_mod_lookup+0x1d/0x62 | [<c048c13e>] crypto_alloc_base+0x1e/0x64 | [<c04bf991>] reset_prng_context+0xab/0x13f | [<c04e5cfc>] ? __spin_lock_init+0x27/0x51 | [<c04bfce1>] cprng_init+0x2a/0x42 | [<c048bb4c>] __crypto_alloc_tfm+0xfa/0x128 | [<c048c153>] crypto_alloc_base+0x33/0x64 | [<c04933c9>] alg_test_cprng+0x30/0x1f4 | [<c0493329>] alg_test+0x12f/0x19f | [<c0177f1f>] ? __alloc_pages_nodemask+0x14d/0x481 | [<d09219e2>] do_test+0xf9d/0x163f [tcrypt] | [<d0920de6>] do_test+0x3a1/0x163f [tcrypt] | [<d0926035>] tcrypt_mod_init+0x35/0x7c [tcrypt] | [<c010113c>] _stext+0x54/0x12c | [<d0926000>] ? tcrypt_mod_init+0x0/0x7c [tcrypt] | [<c01398a3>] ? up_read+0x16/0x2b | [<c0139fc4>] ? __blocking_notifier_call_chain+0x40/0x4c | [<c014ee8d>] sys_init_module+0xa9/0x1bf | [<c010292b>] sysenter_do_call+0x12/0x32 because a spin lock is held and crypto_alloc_base() may sleep. There is no reason to re-allocate the cipher, the state is resetted in ->setkey(). This patches makes the cipher allocation a one time thing and moves it to init. Reported-by:
Eric Sesterhenn <eric.sesterhenn@lsexperts.de> Signed-off-by:
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Acked-by:
Neil Horman <nhorman@tuxdriver.com> Signed-off-by:
-
Sebastian Andrzej Siewior authored
The current code uses a mix of sping_lock() & spin_lock_irqsave(). This can lead to deadlock with the correct timming & cprng_get_random() + cprng_reset() sequence. I've converted them to bottom half locks since all three user grab just a BH lock so this runs probably in softirq :) Signed-off-by:
-
- Jul 02, 2009
-
-
Herbert Xu authored
This patch adds the support for testing specific implementations. This should only be used in very specific situations. Right now this means specific implementations of random number generators. Signed-off-by:
-
- Jun 25, 2009
-
-
Herbert Xu authored
As it stands we use chainiv for sync algorithms and eseqiv for async algorithms. However, when there is more than one CPU chainiv forces all processing to be serialised which is usually not what you want. Also, the added overhead of eseqiv isn't that great. Therefore this patch changes the default sync geniv on SMP machines to eseqiv. For the odd situation where the overhead is unacceptable then chainiv is still available as an option. Note that on UP machines chainiv is still preferred over eseqiv for sync algorithms. Signed-off-by: -
Herbert Xu authored
When a sync givcipher algorithm is requested, if an async version of the same algorithm already exists, then we will loop forever without ever constructing the sync version based on a blkcipher. This is because we did not include the requested type/mask when getting a larval for the geniv algorithm that is to be constructed. Signed-off-by:
-
- Jun 24, 2009
-
-
Herbert Xu authored
Until hash test vectors grow longer than 256 bytes, the only purpose of the check is to generate a gcc warning. Signed-off-by:
-
- Jun 21, 2009
-
-
Neil Horman authored
The ANSI CPRNG has no dependence on FIPS support. FIPS support however, requires the use of the CPRNG. Adjust that depedency relationship in Kconfig. Signed-off-by:
-
- Jun 19, 2009
-
-
Herbert Xu authored
We should return 0/-ENOENT instead of 1/0 when testing by name. Signed-off-by: -
Herbert Xu authored
The RNG should work with FIPS disabled. Signed-off-by: -
Steffen Klassert authored
This adds the 'alg' module parameter to be able to test an algorithm by name. If the algorithm type is not ad-hoc clear for a algorithm (e.g. pcrypt, cryptd) it is possilbe to set the algorithm type with the 'type' module parameter. Signed-off-by:
Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by:
-
- Jun 18, 2009
-
-
Neil Horman authored
FIPS-140 requires that all random number generators implement continuous self tests in which each extracted block of data is compared against the last block for repetition. The ansi_cprng implements such a test, but it would be nice if the hw rng's did the same thing. Obviously its not something thats always needed, but it seems like it would be a nice feature to have on occasion. I've written the below patch which allows individual entropy stores to be flagged as desiring a continuous test to be run on them as is extracted. By default this option is off, but is enabled in the event that fips mode is selected during bootup. Signed-off-by:
Matt Mackall <mpm@selenic.com> Signed-off-by:
-
- Jun 15, 2009
-
-
Vegard Nossum authored
The xor tests are run on uninitialized data, because it is doesn't really matter what the underlying data is. Annotate this false- positive warning. Acked-by:
Pekka Enberg <penberg@cs.helsinki.fi> Signed-off-by:
Vegard Nossum <vegard.nossum@gmail.com>
-
- Jun 02, 2009
-
-
Alex Riesen authored
Besdies, for the old code, gcc-4.3.3 produced this warning: "format not a string literal and no format arguments" Signed-off-by:
Alex Riesen <raa.lkml@gmail.com> Signed-off-by:
-
Herbert Xu authored
As it stands we will each test hash vector both linearly and as a scatter list if applicable. This means that we cannot have vectors longer than a page, even with scatter lists. This patch fixes this by skipping test vectors with np != 0 when testing linearly. Signed-off-by: -
Herbert Xu authored
As we cannot guarantee the availability of contiguous pages at run-time, all test vectors must either fit within a page, or use scatter lists. In some cases vectors were not checked as to whether they fit inside a page. This patch adds all the missing checks. Signed-off-by: -
Jarod Wilson authored
At present, the tcrypt module always exits with an -EAGAIN upon successfully completing all the tests its been asked to run. In fips mode, integrity checking is done by running all self-tests from the initrd, and its much simpler to check the ret from modprobe for success than to scrape dmesg and/or /proc/crypto. Simply stay loaded, giving modprobe a retval of 0, if self-tests all pass and we're in fips mode. A side-effect of tracking success/failure for fips mode is that in non-fips mode, self-test failures will return the actual failure return codes, rather than always returning -EAGAIN, which seems more correct anyway. The tcrypt_test() portion of the patch is dependent on my earlier pair of patches that skip non-fips algs in fips mode, at least to achieve the fully intended behavior. Nb: testing this patch against the cryptodev tree revealed a test failure for sha384, which I have yet to look into... Signed-off-by:
Jarod Wilson <jarod@redhat.com> Acked-by:
-
Geert Uytterhoeven authored
If crypto_{,de}compress_{update,final}() succeed, return the actual number of bytes produced instead of zero, so their users don't have to calculate that theirselves. Signed-off-by:Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com> Signed-off-by:
-
Jarod Wilson authored
Because all fips-allowed algorithms must be self-tested before they can be used, they will all have entries in testmgr.c's alg_test_descs[]. Skip self-tests for any algs not flagged as fips_approved and return -EINVAL when in fips mode. Signed-off-by:
-
Jarod Wilson authored
Set the fips_allowed flag in testmgr.c's alg_test_descs[] for algs that are allowed to be used when in fips mode. One caveat: des isn't actually allowed anymore, but des (and thus also ecb(des)) has to be permitted, because disallowing them results in des3_ede being unable to properly register (see des module init func). Also, crc32 isn't technically on the fips approved list, but I think it gets used in various places that necessitate it being allowed. This list is based on http://csrc.nist.gov/groups/STM/cavp/index.html Important note: allowed/approved here does NOT mean "validated", just that its an alg that *could* be validated. Signed-off-by:
-
Jarod Wilson authored
Now with multi-block test vectors, all from SP800-38A, Appendix F.5. Also added ctr(aes) to case 10 in tcrypt. Signed-off-by:
-
Herbert Xu authored
We currently allocate temporary memory that is used for testing statically. This renders the testing engine non-reentrant. As algorithms may nest, i.e., one may construct another in order to carry out a part of its operation, this is unacceptable. For example, it has been reported that an AEAD implementation allocates a cipher in its setkey function, which causes it to fail during testing as the temporary memory is overwritten. This patch replaces the static memory with dynamically allocated buffers. We need a maximum of 16 pages so this slightly increases the chances of an algorithm failing due to memory shortage. However, as testing usually occurs at registration, this shouldn't be a big problem. Reported-by:
Shasi Pulijala <spulijala@amcc.com> Signed-off-by:
-
Jarod Wilson authored
According to our FIPS CAVS testing lab guru, when we're in fips mode, we must print out notices of successful self-test completion for every alg to be compliant. New and improved v2, without strncmp crap. Doesn't need to touch a flag though, due to not moving the notest label around anymore. Applies atop '[PATCH v2] crypto: catch base cipher self-test failures in fips mode'. Personally, I wouldn't mind seeing this info printed out regardless of whether or not we're in fips mode, I think its useful info, but will stick with only in fips mode for now. Signed-off-by:
-
Jarod Wilson authored
Signed-off-by:
-
Jarod Wilson authored
Add ANSI X9.31 Continuous Pseudo-Random Number Generator (AES mode), aka 'ansi_cprng' test vectors, taken from Appendix B.2.9 and B.2.10 of the NIST RNGVS document, found here: http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf Successfully tested against both the cryptodev-2.6 tree and a Red Hat Enterprise Linux 5.4 kernel, via 'modprobe tcrypt mode=150'. The selection of 150 was semi-arbitrary, didn't seem like it should go any place in particular, so I started a new range for rng tests. Signed-off-by: -
Jarod Wilson authored
Add some necessary infrastructure to make it possible to run self-tests for ansi_cprng. The bits are likely very specific to the ANSI X9.31 CPRNG in AES mode, and thus perhaps should be named more specifically if/when we grow additional CPRNG support... Successfully tested against the cryptodev-2.6 tree and a Red Hat Enterprise Linux 5.x kernel with the follow-on patch that adds the actual test vectors. Signed-off-by:
-
Jarod Wilson authored
Add an array of encryption and decryption + verification self-tests for rfc4309(ccm(aes)). Test vectors all come from sample FIPS CAVS files provided to Red Hat by a testing lab. Unfortunately, all the published sample vectors in RFC 3610 and NIST Special Publication 800-38C contain nonce lengths that the kernel's rfc4309 implementation doesn't support, so while using some public domain vectors would have been preferred, its not possible at this time. Signed-off-by:
-
Jarod Wilson authored
Add infrastructure to tcrypt/testmgr to support handling ccm decryption test vectors that are expected to fail verification. Signed-off-by:
-
Geert Uytterhoeven authored
make C=1: | crypto/pcompress.c:77:5: warning: symbol 'crypto_register_pcomp' was not declared. Should it be static? | crypto/pcompress.c:89:5: warning: symbol 'crypto_unregister_pcomp' was not declared. Should it be static? Signed-off-by:
-
