Change the crypto 842 compression alg to use the software 842 compression
and decompression library.  Add the crypto driver_name as "842-generic".
Remove the fallback to LZO compression.

Previously, this crypto compression alg attemped 842 compression using
PowerPC hardware, and fell back to LZO compression and decompression if
the 842 PowerPC hardware was unavailable or failed.  This should not
fall back to any other compression method, however; users of this crypto
compression alg can fallback if desired, and transparent fallback tricks
callers into thinking they are getting 842 compression when they actually
get LZO compression - the failure of the 842 hardware should not be
transparent to the caller.

The crypto compression alg for a hardware device also should not be located
in crypto/ so this is now a software-only implementation that uses the 842
software compression/decompression library.
Signed-off-by: NDan Streetman <ddstreet@ieee.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This adds a couple of test cases for CRC32 (not CRC32c) to
ensure that the generic and arch specific implementations
are in sync.
Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
Acked-by: NSteve Capper <steve.capper@linaro.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

In the test manager, there are a number of if-statements with expressions of
the form !x == y that incur warnings with gcc-5 of the following form:

../crypto/testmgr.c: In function '__test_aead':
../crypto/testmgr.c:523:12: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses]
   if (!ret == template[i].fail) {
            ^

By converting the 'fail' member of struct aead_testvec and struct
cipher_testvec to a bool, we can get rid of the warnings.
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

In testmgr, struct pcomp_testvec takes a non-const 'params' field, which is
pointed to a const deflate_comp_params or deflate_decomp_params object.  With
gcc-5 this incurs the following warnings:

In file included from ../crypto/testmgr.c:44:0:
../crypto/testmgr.h:28736:13: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers]
   .params = &deflate_comp_params,
             ^
../crypto/testmgr.h:28748:13: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers]
   .params = &deflate_comp_params,
             ^
../crypto/testmgr.h:28776:13: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers]
   .params = &deflate_decomp_params,
             ^
../crypto/testmgr.h:28800:13: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers]
   .params = &deflate_decomp_params,
             ^

Fix this by making the parameters pointer const and constifying the things
that use it.
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

When the user explicitly states that they don't care whether the
algorithm has been tested (type = CRYPTO_ALG_TESTED and mask = 0),
there is a corner case where we may erroneously return ENOENT.

This patch fixes it by correcting the logic in the test.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

When the user explicitly states that they don't care whether the
algorithm has been tested (type = CRYPTO_ALG_TESTED and mask = 0),
there is a corner case where we may erroneously return ENOENT.

This patch fixes it by correcting the logic in the test.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The commit 59afdc7b ("crypto:
api - Move module sig ifdef into accessor function") broke the
build when modules are completely disabled because we directly
dereference module->name.

This patch fixes this by using the accessor function module_name.
Reported-by: NFengguang Wu <fengguang.wu@intel.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

All users of AEAD should include crypto/aead.h instead of
include/linux/crypto.h.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NDavid S. Miller <davem@davemloft.net>

All users of AEAD should include crypto/aead.h instead of
include/linux/crypto.h.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NDavid S. Miller <davem@davemloft.net>

All users of AEAD should include crypto/aead.h instead of
include/linux/crypto.h.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NDavid S. Miller <davem@davemloft.net>

Now that all fips_enabled users are including linux/fips.h directly
instead of getting it through internal.h, we can remove the fips.h
inclusions from internal.h.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

All users of fips_enabled should include linux/fips.h directly
instead of getting it through internal.h.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

All users of fips_enabled should include linux/fips.h directly
instead of getting it through internal.h which is reserved for
internal crypto API implementors.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

There is currently a large ifdef FIPS code section in proc.c.
Ostensibly it's there because the fips_enabled sysctl sits under
/proc/sys/crypto.  However, no other crypto sysctls exist.

In fact, the whole ethos of the crypto API is against such user
interfaces so this patch moves all the FIPS sysctl code over to
fips.c.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The header file internal.h is only meant for internal crypto API
implementors such as rng.c.  So fips has no business in including
it.

This patch removes that inclusions and instead adds inclusions of
the actual features used by fips.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

All users of fips_enabled should include linux/fips.h directly
instead of getting it through internal.h.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch removes the unnecessary CRYPTO_FIPS ifdef from
drbg_healthcheck_sanity so that the code always gets checked
by the compiler.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NStephan Mueller <smueller@chronox.de>

Currently we're hiding mod->sig_ok under an ifdef in open code.
This patch adds a module_sig_ok accessor function and removes that
ifdef.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NRusty Russell <rusty@rustcorp.com.au>

The function crypto_ahash_init can also be asynchronous just
like update and final.  So all callers must be able to handle
an async return.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

If we allocate a seed on behalf ot the user in crypto_rng_reset,
we must ensure that it is zeroed afterwards or the RNG may be
compromised.
Reported-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Now that crypto_rng_reset takes a const argument, we no longer
need to cast away the const qualifier.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Now that all rng implementations have switched over to the new
interface, we can remove the old low-level interface.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch ocnverts the KRNG implementation to the new low-level
rng interface.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch ocnverts the ANSI CPRNG implementation to the new
low-level rng interface.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NNeil Horman <nhorman@tuxdriver.com>

The file internal.h is only meant to be used by internel API
implementation and not algorithm implementations.  In fact it
isn't even needed here so this patch removes it.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NNeil Horman <nhorman@tuxdriver.com>

This patch converts the DRBG implementation to the new low-level
rng interface.

This allows us to get rid of struct drbg_gen by using the new RNG
API instead.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NStephan Mueller <smueller@chronox.de>

This patch adds the helpers that allow the registration and removal
of multiple RNG algorithms.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts the low-level crypto_rng interface to the
"new" style.

This allows existing implementations to be converted over one-
by-one.  Once that is complete we can then remove the old rng
interface.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

There is no reason why crypto_rng_reset should modify the seed
so this patch marks it as const.  Since our algorithms don't
export a const seed function yet we have to go through some
contortions for now.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the new top-level function crypto_rng_generate
which generates random numbers with additional input.  It also
extends the mid-level rng_gen_random function to take additional
data as input.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts the top-level crypto_rng to the "new" style.
It was the last algorithm type added before we switched over
to the new way of doing things exemplified by shash.

All users will automatically switch over to the new interface.

Note that this patch does not touch the low-level interface to
rng implementations.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch replaces crypto_pcomp_extsize function with
crypto_alg_extsize.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch replaces crypto_shash_extsize function with
crypto_alg_extsize.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds a crypto_alg_extsize helper that can be used
by algorithm types such as pcompress and shash.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Initialising the RNG in drbg_kcapi_init is a waste of precious
entropy because all users will immediately seed the RNG after
the allocation.

In fact, all users should seed the RNG before using it.  So there
is no point in doing the seeding in drbg_kcapi_init.

This patch removes the initial seeding and the user must seed
the RNG explicitly (as they all currently do).

This patch also changes drbg_kcapi_reset to allow reseeding.
That is, if you call it after a successful initial seeding, then
it will not reset the internal state of the DRBG before mixing
the new input and entropy.

If you still wish to reset the internal state, you can always
free the DRBG and allocate a new one.

Finally this patch removes locking from drbg_uninstantiate because
it's now only called from the destruction path which must not be
executed in parallel with normal operations.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NStephan Mueller <smueller@chronox.de>

As we moved the mutex init out of drbg_instantiate and into cra_init
we need to explicitly initialise the mutex in drbg_healthcheck_sanity.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NStephan Mueller <smueller@chronox.de>

As the DRBG does not operate on shadow copies of the DRBG instance
any more, the cipher handles only need to be allocated once during
initalization time and deallocated during uninstantiate time.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The creation of a shadow copy is intended to only hold a short term
lock. But the drawback is that parallel users have a very similar DRBG
state which only differs by a high-resolution time stamp.

The DRBG will now hold a long term lock. Therefore, the lock is changed
to a mutex which implies that the DRBG can only be used in process
context.

The lock now guards the instantiation as well as the entire DRBG
generation operation. Therefore, multiple callers are fully serialized
when generating a random number.

As the locking is changed to use a long-term lock to avoid such similar
DRBG states, the entire creation and maintenance of a shadow copy can be
removed.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The drbg_generate returns 0 in success case. That means that
drbg_generate_long will always only generate drbg_max_request_bytes at
most. Longer requests will be truncated to drbg_max_request_bytes.
Reported-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The buffer uses for temporary data must be cleared entirely. In AES192
the used buffer is drbg_statelen(drbg) + drbg_blocklen(drbg) as
documented in the comment above drbg_ctr_df.

This patch ensures that the temp buffer is completely wiped.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>