- 16 Feb, 2012 1 commit
-
-
Alexey Dobriyan authored
Use standard ror64() instead of hand-written. There is no standard ror64, so create it. The difference is shift value being "unsigned int" instead of uint64_t (for which there is no reason). gcc starts to emit native ROR instructions which it doesn't do for some reason currently. This should make the code faster. Patch survives in-tree crypto test and ping flood with hmac(sha512) on. Signed-off-by:
Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au>
-
- 05 Feb, 2012 1 commit
-
-
Herbert Xu authored
Unfortunately in reducing W from 80 to 16 we ended up unrolling the loop twice. As gcc has issues dealing with 64-bit ops on i386 this means that we end up using even more stack space (>1K). This patch solves the W reduction by moving LOAD_OP/BLEND_OP into the loop itself, thus avoiding the need to duplicate it. While the stack space still isn't great (>0.5K) it is at least in the same ball park as the amount of stack used for our C sha1 implementation. Note that this patch basically reverts to the original code so the diff looks bigger than it really is. Cc: stable@vger.kernel.org Signed-off-by:
-
- 26 Jan, 2012 1 commit
-
-
Herbert Xu authored
The previous patch used the modulus operator over a power of 2 unnecessarily which may produce suboptimal binary code. This patch changes changes them to binary ands instead. Signed-off-by:
-
- 15 Jan, 2012 2 commits
-
-
Alexey Dobriyan authored
For rounds 16--79, W[i] only depends on W[i - 2], W[i - 7], W[i - 15] and W[i - 16]. Consequently, keeping all W[80] array on stack is unnecessary, only 16 values are really needed. Using W[16] instead of W[80] greatly reduces stack usage (~750 bytes to ~340 bytes on x86_64). Line by line explanation: * BLEND_OP array is "circular" now, all indexes have to be modulo 16. Round number is positive, so remainder operation should be without surprises. * initial full message scheduling is trimmed to first 16 values which come from data block, the rest is calculated before it's needed. * original loop body is unrolled version of new SHA512_0_15 and SHA512_16_79 macros, unrolling was done to not do explicit variable renaming. Otherwise it's the very same code after preprocessing. See sha1_transform() code which does the same trick. Patch survives in-tree crypto test and original bugreport test (ping flood with hmac(sha512). See FIPS 180-2 for SHA-512 definition http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdfSigned-off-by:
-
Alexey Dobriyan authored
commit f9e2bca6 aka "crypto: sha512 - Move message schedule W[80] to static percpu area" created global message schedule area. If sha512_update will ever be entered twice, hash will be silently calculated incorrectly. Probably the easiest way to notice incorrect hashes being calculated is to run 2 ping floods over AH with hmac(sha512): #!/usr/sbin/setkey -f flush; spdflush; add IP1 IP2 ah 25 -A hmac-sha512 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000025; add IP2 IP1 ah 52 -A hmac-sha512 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052; spdadd IP1 IP2 any -P out ipsec ah/transport//require; spdadd IP2 IP1 any -P in ipsec ah/transport//require; XfrmInStateProtoError will start ticking with -EBADMSG being returned from ah_input(). This never happens with, say, hmac(sha1). With patch applied (on BOTH sides), XfrmInStateProtoError does not tick with multiple bidirectional ping flood streams like it doesn't tick with SHA-1. After this patch sha512_transform() will start using ~750 bytes of stack on x86_64. This is OK for simple loads, for something more heavy, stack reduction will be done separatedly. Signed-off-by:
-
- 20 Dec, 2011 15 commits
-
-
Jussi Kivilinna authored
CRYPTO_GF128MUL does not select EXPERIMENTAL anymore so remove the "(EXPERIMENTAL)" from its name. Signed-off-by:
Jussi Kivilinna <jussi.kivilinna@mbnet.fi> Signed-off-by:
-
Jussi Kivilinna authored
Since LRW & XTS are selected by serpent-sse2, we don't need these #ifdefs anymore. Signed-off-by:
-
Jussi Kivilinna authored
serpent-sse2 uses functions from LRW and XTS modules, so selecting would appear to be better option than using #ifdefs in serpent_sse2_glue.c to enable/disable LRW and XTS features. This also fixes build problem when serpent-sse2 would be build into kernel but XTS/LRW are build as modules. Signed-off-by:
-
Jussi Kivilinna authored
Since LRW & XTS are selected by twofish-x86_64-3way, we don't need these #ifdefs anymore. Signed-off-by:
-
Jussi Kivilinna authored
twofish-x86_64-3way uses functions from LRW and XTS modules, so selecting would appear to be better option than using #ifdefs in twofish_glue_3way.c to enable/disable LRW and XTS features. This also fixes build problem when twofish-x86_64-3way would be build into kernel but XTS/LRW are build as modules. Signed-off-by:
-
Jussi Kivilinna authored
XTS has been EXPERIMENTAL since it was introduced in 2007. I'd say by now it has seen enough testing to justify removal of EXPERIMENTAL tag. CC: Rik Snel <rsnel@cube.dyndns.org> Signed-off-by:
-
Jussi Kivilinna authored
LRW has been EXPERIMENTAL since it was introduced in 2006. I'd say by now it has seen enough testing to justify removal of EXPERIMENTAL tag. CC: Rik Snel <rsnel@cube.dyndns.org> Signed-off-by:
-
Jamie Iles authored
The AES engine only supports 128 and 256 bit keys so we should correctly test for that. Cc: Herbert Xu <herbert@gondor.apana.org.au> Reported-by:
Joe Perches <joe@perches.com> Signed-off-by:
Jamie Iles <jamie@jamieiles.com> Signed-off-by:
-
Kim Phillips authored
Access to the SEC4 DECOs (DEscriptor COntrollers) (for debug purposes) isn't supported or used, and its register access initialization code erroneously makes illegal i/o accesses that show up as errors when run under simulation. Remove it until proper support (via DECORR) is added. Signed-off-by:
Kim Phillips <kim.phillips@freescale.com> Signed-off-by:
-
Kim Phillips authored
the polarity of the definition for error propagation was reverse in the initial desc.h. Fix desc.h and its users. Signed-off-by:
-
Kim Phillips authored
manual removal of double-spaces - no non-whitespace changes. Signed-off-by:
-
Kim Phillips authored
this is the result of running unexpand -a on desc.h. Signed-off-by:
-
Kim Phillips authored
SEC2/3 h/w doesn't have a dedicated interrupt for errors, and the only callsite for talitos_error has already done the type conversion, so simplify talitos_error to take a pointer to a struct device. Signed-off-by:
-
Kim Phillips authored
As prescribed by Linus: https://lkml.org/lkml/2011/12/2/290Signed-off-by:
-
Kim Phillips authored
Fix a kfree to an invalid address which causes an oops when running on SEC v2.0 h/w (introduced in commit 702331b "crypto: talitos - add hmac algorithms"). Signed-off-by:
-
- 30 Nov, 2011 5 commits
-
-
Axel Lin authored
This patch converts the drivers in drivers/crypto/* to use the module_platform_driver() macro which makes the code smaller and a bit simpler. Cc: James Hsiao <jhsiao@amcc.com> Cc: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Cc: Kim Phillips <kim.phillips@freescale.com> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by:
Axel Lin <axel.lin@gmail.com> Acked-by:
Vladimir Zapolskiy <vzapolskiy@gmail.com> Acked-by:
-
Axel Lin authored
This patch converts the drivers in drivers/char/hw_random/* to use the module_platform_driver() macro which makes the code smaller and a bit simpler. Cc: David S. Miller <davem@davemloft.net> Cc: Josh Boyer <jwboyer@linux.vnet.ibm.com> Cc: Matt Mackall <mpm@selenic.com> Signed-off-by:
Alexander Clouter <alex@digriz.org.uk> Acked-by:
Olof Johansson <olof@lixom.net> Acked-by:
David Daney <david.daney@cavium.com> Signed-off-by:
-
Jussi Kivilinna authored
Since serpent_sse2_glue.c uses cryptd, CRYPTO_SERPENT_SSE2_X86_64 and CRYPTO_SERPENT_SSE2_586 should be selecting CRYPTO_CRYPTD. Reported-by:
Randy Dunlap <rdunlap@xenotime.net> Signed-off-by:
-
Jussi Kivilinna authored
Now that serpent.c has been cleaned from checkpatch warnings, we can do clean rename. Signed-off-by:
-
Jussi Kivilinna authored
Do checkpatch fixes before rename to keep rename patch simple and clean. Signed-off-by:
-
- 21 Nov, 2011 10 commits
-
-
Kim Phillips authored
specifically, add these algorithm combinations: authenc-hmac-md5-cbc-aes-caam authenc-hmac-md5-cbc-des3_ede-caam authenc-hmac-md5-cbc-des-caam Signed-off-by:
-
Kim Phillips authored
Some later SEC v3.x are equipped with a second IRQ line. By correctly assigning IRQ affinity, this feature can be used to increase performance on dual core parts, like the MPC8572E and P2020E. The existence of the 2nd IRQ is determined from the device node's interrupt property. If present, the driver remaps two of four channels, which in turn makes those channels trigger their interrupts on the 2nd line instead of the first. To handle single- and dual-IRQ combinations efficiently, talitos gets two new interrupt handlers and back-half workers. [includes a fix to MCR_LO's address.] Signed-off-by:
-
Kim Phillips authored
Add a reg member to the channel struct and use it to access channels. Signed-off-by:
-
Kim Phillips authored
talitos prints every algorithm it registers at module load time. Algorithms are being added that make for an excessively noisy console (latest HMACs patch makes an SEC 3.1 print 20 lines). Instead, display the SEC h/w version number, and inform the user of algorithm registration status in /proc/crypto, like so: talitos ffe30000.crypto: fsl,sec3.1 algorithms registered in /proc/crypto Signed-off-by:
-
Lee Nipper authored
Add these hmac algorithms to talitos: hmac(md5), hmac(sha1), hmac(sha224), hmac(sha256), hmac(sha384), hmac(sha512). These are all type ahash. Signed-off-by:Lee Nipper <lee.nipper@gmail.com> Fixed up to not register HMAC algorithms on sec2.0 devices. Rationale (from Lee): on an 8349E Rev1.1, there's a problem with hmac for any talitos hmac sequence requiring an intermediate hash context (Pointer DWORD 1); the result is an incorrect hmac. An intermediate hash context is required for something longer than (65536-blocksize), and for other cases when update/finup/final are used inefficiently. Interestingly, a normal hash (without hmac) works perfectly when using an intermediate context. Signed-off-by:
-
Jussi Kivilinna authored
LRW/XTS patches for serpent-sse2 forgot to add this. CRYPTO_TFM_REQ_MAY_SLEEP should be cleared as sleeping between kernel_fpu_begin()/kernel_fpu_end() is not allowed. Signed-off-by:
-
Jussi Kivilinna authored
Patch adds XTS support for serpent-sse2 by using xts_crypt(). Patch has been tested with tcrypt and automated filesystem tests. Tcrypt benchmarks results (serpent-sse2/serpent_generic speed ratios): Intel Celeron T1600 (x86_64) (fam:6, model:15, step:13): size xts-enc xts-dec 16B 0.98x 1.00x 64B 1.00x 1.01x 256B 2.78x 2.75x 1024B 3.30x 3.26x 8192B 3.39x 3.30x AMD Phenom II 1055T (x86_64) (fam:16, model:10): size xts-enc xts-dec 16B 1.05x 1.02x 64B 1.04x 1.03x 256B 2.10x 2.05x 1024B 2.34x 2.35x 8192B 2.34x 2.40x Intel Atom N270 (i586): size xts-enc xts-dec 16B 0.95x 0.96x 64B 1.53x 1.50x 256B 1.72x 1.75x 1024B 1.88x 1.87x 8192B 1.86x 1.83x Signed-off-by:
-
Jussi Kivilinna authored
Patch adds LRW support for serpent-sse2 by using lrw_crypt(). Patch has been tested with tcrypt and automated filesystem tests. Tcrypt benchmarks results (serpent-sse2/serpent_generic speed ratios): Benchmark results with tcrypt: Intel Celeron T1600 (x86_64) (fam:6, model:15, step:13): size lrw-enc lrw-dec 16B 1.00x 0.96x 64B 1.01x 1.01x 256B 3.01x 2.97x 1024B 3.39x 3.33x 8192B 3.35x 3.33x AMD Phenom II 1055T (x86_64) (fam:16, model:10): size lrw-enc lrw-dec 16B 0.98x 1.03x 64B 1.01x 1.04x 256B 2.10x 2.14x 1024B 2.28x 2.33x 8192B 2.30x 2.33x Intel Atom N270 (i586): size lrw-enc lrw-dec 16B 0.97x 0.97x 64B 1.47x 1.50x 256B 1.72x 1.69x 1024B 1.88x 1.81x 8192B 1.84x 1.79x Signed-off-by:
-
Jussi Kivilinna authored
Patch adds i586/SSE2 assembler implementation of serpent cipher. Assembler functions crypt data in four block chunks. Patch has been tested with tcrypt and automated filesystem tests. Tcrypt benchmarks results (serpent-sse2/serpent_generic speed ratios): Intel Atom N270: size ecb-enc ecb-dec cbc-enc cbc-dec ctr-enc ctr-dec 16 0.95x 1.12x 1.02x 1.07x 0.97x 0.98x 64 1.73x 1.82x 1.08x 1.82x 1.72x 1.73x 256 2.08x 2.00x 1.04x 2.07x 1.99x 2.01x 1024 2.28x 2.18x 1.05x 2.23x 2.17x 2.20x 8192 2.28x 2.13x 1.05x 2.23x 2.18x 2.20x Full output: http://koti.mbnet.fi/axh/kernel/crypto/atom-n270/serpent-generic.txt http://koti.mbnet.fi/axh/kernel/crypto/atom-n270/serpent-sse2.txt Userspace test results: Encryption/decryption of sse2-i586 vs generic on Intel Atom N270: encrypt: 2.35x decrypt: 2.54x Encryption/decryption of sse2-i586 vs generic on AMD Phenom II: encrypt: 1.82x decrypt: 2.51x Encryption/decryption of sse2-i586 vs generic on Intel Xeon E7330: encrypt: 2.99x decrypt: 3.48x Signed-off-by:
-
Jussi Kivilinna authored
Patch adds x86_64/SSE2 assembler implementation of serpent cipher. Assembler functions crypt data in eigth block chunks (two 4 block chunk SSE2 operations in parallel to improve performance on out-of-order CPUs). Glue code is based on one from AES-NI implementation, so requests from irq context are redirected to cryptd. v2: - add missing include of linux/module.h (appearently crypto.h used to include module.h, which changed for 3.2 by commit 7c926402) Patch has been tested with tcrypt and automated filesystem tests. Tcrypt benchmarks results (serpent-sse2/serpent_generic speed ratios): AMD Phenom II 1055T (fam:16, model:10): size ecb-enc ecb-dec cbc-enc cbc-dec ctr-enc ctr-dec 16B 1.03x 1.01x 1.03x 1.05x 1.00x 0.99x 64B 1.00x 1.01x 1.02x 1.04x 1.02x 1.01x 256B 2.34x 2.41x 0.99x 2.43x 2.39x 2.40x 1024B 2.51x 2.57x 1.00x 2.59x 2.56x 2.56x 8192B 2.50x 2.54x 1.00x 2.55x 2.57x 2.57x Intel Celeron T1600 (fam:6, model:15, step:13): size ecb-enc ecb-dec cbc-enc cbc-dec ctr-enc ctr-dec 16B 0.97x 0.97x 1.01x 1.01x 1.01x 1.02x 64B 1.00x 1.00x 1.00x 1.02x 1.01x 1.01x 256B 3.41x 3.35x 1.00x 3.39x 3.42x 3.44x 1024B 3.75x 3.72x 0.99x 3.74x 3.75x 3.75x 8192B 3.70x 3.68x 0.99x 3.68x 3.69x 3.69x Full output: http://koti.mbnet.fi/axh/kernel/crypto/phenom-ii-1055t/serpent-generic.txt http://koti.mbnet.fi/axh/kernel/crypto/phenom-ii-1055t/serpent-sse2.txt http://koti.mbnet.fi/axh/kernel/crypto/celeron-t1600/serpent-generic.txt http://koti.mbnet.fi/axh/kernel/crypto/celeron-t1600/serpent-sse2.txtSigned-off-by:
-
- 09 Nov, 2011 5 commits
-
-
Valdis.Kletnieks@vt.edu authored
Fix a typo in the Kconfig file help text. Signed-off-by:
Valdis Kletnieks <valdis.kletnieks@vt.edu> Signed-off-by:
-
Steffen Klassert authored
We leak the crypto instance when we unregister an instance with crypto_del_alg(). Therefore we introduce crypto_unregister_instance() to unlink the crypto instance from the template's instances list and to free the recources of the instance properly. Signed-off-by:
Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by:
-
Jarod Wilson authored
Apparently, NIST is tightening up its requirements for FIPS validation with respect to RNGs. Its always been required that in fips mode, the ansi cprng not be fed key and seed material that was identical, but they're now interpreting FIPS 140-2, section AS07.09 as requiring that the implementation itself must enforce the requirement. Easy fix, we just do a memcmp of key and seed in fips_cprng_reset and call it a day. v2: Per Neil's advice, ensure slen is sufficiently long before we compare key and seed to avoid looking at potentially unallocated mem. CC: Stephan Mueller <smueller@atsec.com> CC: Steve Grubb <sgrubb@redhat.com> Signed-off-by:
Jarod Wilson <jarod@redhat.com> Acked-by:
Neil Horman <nhorman@tuxdriver.com> Signed-off-by:
-
Jussi Kivilinna authored
Patch adds XTS support for twofish-x86_64-3way by using xts_crypt(). Patch has been tested with tcrypt and automated filesystem tests. Tcrypt benchmarks results (twofish-3way/twofish-asm speed ratios): Intel Celeron T1600 (fam:6, model:15, step:13): size xts-enc xts-dec 16B 0.98x 1.00x 64B 1.14x 1.15x 256B 1.23x 1.25x 1024B 1.26x 1.29x 8192B 1.28x 1.30x AMD Phenom II 1055T (fam:16, model:10): size xts-enc xts-dec 16B 1.03x 1.03x 64B 1.13x 1.16x 256B 1.20x 1.20x 1024B 1.22x 1.22x 8192B 1.22x 1.21x Signed-off-by:
-
Jussi Kivilinna authored
Signed-off-by:
-
