Now that type-safe init/exit functions exist, they often need
to access the underlying aead_instance.  So this patch adds the
helper aead_alg_instance to access aead_instance from a crypto_aead
object.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

As it stands the only non-type safe functions left in the new
AEAD interface are the cra_init/cra_exit functions.  It means
exposing the ugly __crypto_aead_cast to every AEAD implementor.

This patch adds type-safe init/exit functions to AEAD.  Existing
algorithms are unaffected while new implementations can simply
fill in these two instead of cra_init/cra_exit.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The patch updates the DocBook to cover the new AEAD interface
implementation.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds some common IV generation code currently duplicated
by seqiv and echainiv.  For example, the setkey and setauthsize
functions are completely identical.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch defines the behaviour of AD in the new interface more
clearly.  In particular, it specifies that if the user must copy
the AD to the destination manually when src != dst if they wish
to guarantee that the destination buffer contains a copy of the
AD.

The reason for this is that otherwise every AEAD implementation
would have to perform such a copy when src != dst.  In reality
most users do in-place processing where src == dst so this is
not an issue.

This patch also kills some remaining references to cryptoff.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

During initialization, the DRBG now tries to allocate a handle of the
Jitter RNG. If such a Jitter RNG is available during seeding, the DRBG
pulls the required entropy/nonce string from get_random_bytes and
concatenates it with a string of equal size from the Jitter RNG. That
combined string is now the seed for the DRBG.

Written differently, the initial seed of the DRBG is now:

get_random_bytes(entropy/nonce) || jitterentropy (entropy/nonce)

If the Jitter RNG is not available, the DRBG only seeds from
get_random_bytes.

CC: Andreas Steffen <andreas.steffen@strongswan.org>
CC: Theodore Ts'o <tytso@mit.edu>
CC: Sandy Harris <sandyinchina@gmail.com>
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The async seeding operation is triggered during initalization right
after the first non-blocking seeding is completed. As required by the
asynchronous operation of random.c, a callback function is provided that
is triggered by random.c once entropy is available. That callback
function performs the actual seeding of the DRBG.

CC: Andreas Steffen <andreas.steffen@strongswan.org>
CC: Theodore Ts'o <tytso@mit.edu>
CC: Sandy Harris <sandyinchina@gmail.com>
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

In order to prepare for the addition of the asynchronous seeding call,
the invocation of seeding the DRBG is moved out into a helper function.

In addition, a block of memory is allocated during initialization time
that will be used as a scratchpad for obtaining entropy. That scratchpad
is used for the initial seeding operation as well as by the
asynchronous seeding call. The memory must be zeroized every time the
DRBG seeding call succeeds to avoid entropy data lingering in memory.

CC: Andreas Steffen <andreas.steffen@strongswan.org>
CC: Theodore Ts'o <tytso@mit.edu>
CC: Sandy Harris <sandyinchina@gmail.com>
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch removes the cryptoff parameter now that all users
set it to zero.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

AEAD algorithm implementors need to figure out a given algorithm's
IV size and maximum authentication size.  During the transition
this is difficult to do as an algorithm could be new style or old
style.

This patch creates two helpers to make this easier.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts the seqiv IV generator to work with the new
AEAD interface where IV generators are just normal AEAD algorithms.

Full backwards compatibility is paramount at this point since
no users have yet switched over to the new interface.  Nor can
they switch to the new interface until IV generation is fully
supported by it.

So this means we are adding two versions of seqiv alongside the
existing one.  The first one is the one that will be used when
the underlying AEAD algorithm has switched over to the new AEAD
interface.  The second one handles the current case where the
underlying AEAD algorithm still uses the old interface.

Both versions export themselves through the new AEAD interface.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds a default null skcipher for users such as gcm
to perform copies on SG lists.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the basic structure of the new AEAD type.  Unlike
the current version, there is no longer any concept of geniv.  IV
generation will still be carried out by wrappers but they will be
normal AEAD algorithms that simply take the IPsec sequence number
as the IV.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the helper crypto_aead_maxauthsize to remove the
need to directly dereference aead_alg internals by AEAD implementors.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch is the first step in the introduction of a new AEAD
alg type.  Unlike normal conversions this patch only renames the
existing aead_alg structure because there are external references
to it.

Those references will be removed after this patch.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The primary user of AEAD, IPsec includes the IV in the AD in
most cases, except where it is implicitly authenticated by the
underlying algorithm.

The way it is currently implemented is a hack because we pass
the data in piecemeal and the underlying algorithms try to stitch
them back up into one piece.

This is why this patch is adding a new interface that allows a
single SG list to be passed in that contains everything so the
algorithm implementors do not have to stitch.

The new interface accepts a single source SG list and a single
destination SG list.  Both must be laid out as follows:

	AD, skipped data, plain/cipher text, ICV

The ICV is not present from the source during encryption and from
the destination during decryption.

For the top-level IPsec AEAD algorithm the plain/cipher text will
contain the generated (or received) IV.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the scatterwalk_ffwd helper which can create an
SG list that starts in the middle of an existing SG list.  The
new list may either be part of the existing list or be a chain
that latches onto part of the existing list.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch simply adds the MD5 IV in the md5 header.
Signed-off-by: NLABBE Corentin <clabbe.montjoie@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts the top-level aead interface to the new style.
All user-level AEAD interface code have been moved into crypto/aead.h.

The allocation/free functions have switched over to the new way of
allocating tfms.

This patch also removes the double indrection on setkey so the
indirection now exists only at the alg level.

Apart from these there are no user-visible changes.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

cryptd.h needs to include crypto/aead.h because it uses crypto_aead.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the helper crypto_aead_set_reqsize so that people
don't have to directly access the aead internals to set the reqsize.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds a new primitive crypto_grab_spawn which is meant
to replace crypto_init_spawn and crypto_init_spawn2.  Under the
new scheme the user no longer has to worry about reference counting
the alg object before it is subsumed by the spawn.

It is pretty much an exact copy of crypto_grab_aead.

Prior to calling this function spawn->frontend and spawn->inst
must have been set.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

In testmgr, struct pcomp_testvec takes a non-const 'params' field, which is
pointed to a const deflate_comp_params or deflate_decomp_params object.  With
gcc-5 this incurs the following warnings:

In file included from ../crypto/testmgr.c:44:0:
../crypto/testmgr.h:28736:13: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers]
   .params = &deflate_comp_params,
             ^
../crypto/testmgr.h:28748:13: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers]
   .params = &deflate_comp_params,
             ^
../crypto/testmgr.h:28776:13: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers]
   .params = &deflate_decomp_params,
             ^
../crypto/testmgr.h:28800:13: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers]
   .params = &deflate_decomp_params,
             ^

Fix this by making the parameters pointer const and constifying the things
that use it.
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Now that all rng implementations have switched over to the new
interface, we can remove the old low-level interface.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts the DRBG implementation to the new low-level
rng interface.

This allows us to get rid of struct drbg_gen by using the new RNG
API instead.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NStephan Mueller <smueller@chronox.de>

This patch adds the helpers that allow the registration and removal
of multiple RNG algorithms.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the function crypto_rng_set_entropy.  It is only
meant to be used by testmgr when testing RNG implementations by
providing fixed entropy data in order to verify test vectors.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts the low-level crypto_rng interface to the
"new" style.

This allows existing implementations to be converted over one-
by-one.  Once that is complete we can then remove the old rng
interface.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

There is no reason why crypto_rng_reset should modify the seed
so this patch marks it as const.  Since our algorithms don't
export a const seed function yet we have to go through some
contortions for now.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds the new top-level function crypto_rng_generate
which generates random numbers with additional input.  It also
extends the mid-level rng_gen_random function to take additional
data as input.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch converts the top-level crypto_rng to the "new" style.
It was the last algorithm type added before we switched over
to the new way of doing things exemplified by shash.

All users will automatically switch over to the new interface.

Note that this patch does not touch the low-level interface to
rng implementations.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The creation of a shadow copy is intended to only hold a short term
lock. But the drawback is that parallel users have a very similar DRBG
state which only differs by a high-resolution time stamp.

The DRBG will now hold a long term lock. Therefore, the lock is changed
to a mutex which implies that the DRBG can only be used in process
context.

The lock now guards the instantiation as well as the entire DRBG
generation operation. Therefore, multiple callers are fully serialized
when generating a random number.

As the locking is changed to use a long-term lock to avoid such similar
DRBG states, the entire creation and maintenance of a shadow copy can be
removed.
Signed-off-by: NStephan Mueller <smueller@chronox.de>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This updated the generic SHA-512 implementation to use the
generic shared SHA-512 glue code.

It also implements a .finup hook crypto_sha512_finup() and exports
it to other modules. The import and export() functions and the
.statesize member are dropped, since the default implementation
is perfectly suitable for this module.
Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This updates the generic SHA-256 implementation to use the
new shared SHA-256 glue code.

It also implements a .finup hook crypto_sha256_finup() and exports
it to other modules. The import and export() functions and the
.statesize member are dropped, since the default implementation
is perfectly suitable for this module.
Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This updated the generic SHA-1 implementation to use the generic
shared SHA-1 glue code.

It also implements a .finup hook crypto_sha1_finup() and exports
it to other modules. The import and export() functions and the
.statesize member are dropped, since the default implementation
is perfectly suitable for this module.
Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

To reduce the number of copies of boilerplate code throughout
the tree, this patch implements generic glue for the SHA-512
algorithm. This allows a specific arch or hardware implementation
to only implement the special handling that it needs.

The users need to supply an implementation of

  void (sha512_block_fn)(struct sha512_state *sst, u8 const *src, int blocks)

and pass it to the SHA-512 base functions. For easy casting between the
prototype above and existing block functions that take a 'u64 state[]'
as their first argument, the 'state' member of struct sha512_state is
moved to the base of the struct.
Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

To reduce the number of copies of boilerplate code throughout
the tree, this patch implements generic glue for the SHA-256
algorithm. This allows a specific arch or hardware implementation
to only implement the special handling that it needs.

The users need to supply an implementation of

  void (sha256_block_fn)(struct sha256_state *sst, u8 const *src, int blocks)

and pass it to the SHA-256 base functions. For easy casting between the
prototype above and existing block functions that take a 'u32 state[]'
as their first argument, the 'state' member of struct sha256_state is
moved to the base of the struct.
Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

To reduce the number of copies of boilerplate code throughout
the tree, this patch implements generic glue for the SHA-1
algorithm. This allows a specific arch or hardware implementation
to only implement the special handling that it needs.

The users need to supply an implementation of

  void (sha1_block_fn)(struct sha1_state *sst, u8 const *src, int blocks)

and pass it to the SHA-1 base functions. For easy casting between the
prototype above and existing block functions that take a 'u32 state[]'
as their first argument, the 'state' member of struct sha1_state is
moved to the base of the struct.
Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch makes crypto_unregister_instance take a crypto_instance
instead of a crypto_alg.  This allows us to remove a duplicate
CRYPTO_ALG_INSTANCE check in crypto_unregister_instance.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Allow to link af_alg sgls.
Signed-off-by: NTadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>