This patch creates a new interface algorithm testing.  A test can
be requested for a particular implementation of an algorithm.  This
is achieved by taking both the name of the algorithm and that of
the implementation.

The all-inclusive test has also been rewritten to no longer require
a duplicate listing of all algorithms with tests.  In that process
a number of missing tests have also been discovered and rectified.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The info printed is a complete waste of space when there is no error
since it doesn't tell us anything that we don't already know.  If there
is an error, we can also be more verbose.

In case that there is an error, this patch also aborts the test and
returns the error to the caller.  In future this will be used to
algorithms at registration time.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

If tcrypt is to be used as a run-time integrity test, it needs to be
more resilient in a hostile environment.  For a start allocating 32K
of physically contiguous memory is definitely out.

This patch teaches it to use separate pages instead.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

My changeset 4b22f0dd

	crypto: tcrpyt - Remove unnecessary kmap/kunmap calls

introduced a typo that broke AEAD chunk testing.  In particular,
axbuf should really be xbuf.

There is also an issue with testing the last segment when encrypting.
The additional part produced by AEAD wasn't tested.  Similarly, on
decryption the additional part of the AEAD input is mistaken for
corruption.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

All new crypto interfaces should go into individual files as much
as possible in order to ensure that crypto.h does not collapse under
its own weight.

This patch moves the ahash code into crypto/hash.h and crypto/internal/hash.h
respectively.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Noticed by Neil Horman: we are doing unnecessary kmap/kunmap calls
on kmalloced memory.  This patch removes them.  For the purposes of
testing SG construction, the underlying crypto code already does plenty
of kmap/kunmap calls anyway.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Patch to add checking  of DES3 test vectors using CBC mode.  FIPS-140-2
compliance mandates that any supported mode of operation must include a self
test.  This satisfies that requirement for cbc(des3_ede).  The included test
vector was generated by me using openssl.  Key/IV was generated with the
following command:

	openssl enc -des_ede_cbc -P

input and output values were generated by repeating the string "Too many
secrets" a few times over, truncating it to 128 bytes, and encrypting it with
openssl using the aformentioned key.  Tested successfully by myself
Signed-off-by: NNeil Horman <nhorman@tuxdriver.com>
Acked-by: NAdrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch changes tcrypt to use the new asynchronous hash interface
for testing hash algorithm correctness.  The speed tests will continue
to use the existing interface for now.
Signed-off-by: NLoc Ho <lho@amcc.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds test vectors for RIPEMD-256 and
RIPEMD-320 hash algorithms.

The test vectors are taken from
<http://homes.esat.kuleuven.be/~bosselae/ripemd160.html>
Signed-off-by: NAdrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

    
Check whether the destination buffer is written to beyond the last
byte contained in the scatterlist.
    
Also change IDX1 of the cross-page access offsets to a multiple of 4.
This triggers a corruption in the HIFN driver and doesn't seem to
negatively impact other testcases.
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Change logs should be kept in source control systems, not the source.
This patch removes the change log from tcrpyt to stop people from
extending it any more.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds test vectors for RIPEMD-128 and
RIPEMD-160 hash algorithms and digests (HMAC).

The test vectors are taken from ISO:IEC 10118-3 (2004)
and RFC2286.
Signed-off-by: NAdrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Coverity CID: 2306 & 2307 RESOURCE_LEAK

In the second for loop in test_cipher(), data is allocated space with
kzalloc() and is only ever freed in an error case.
Looking at this loop, data is written to this memory but nothing seems
to read from it. 
So here is a patch removing the allocation, I think this is the right
fix.

Only compile tested.
Signed-off-by: NDarren Jenkins <darrenrjenkins@gmailcom>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

On Thu, Mar 27, 2008 at 03:40:36PM +0100, Bodo Eggert wrote:
> Kamalesh Babulal <kamalesh@linux.vnet.ibm.com> wrote:
> 
> > This patch cleanups the crypto code, replaces the init() and fini()
> > with the <algorithm name>_init/_fini
> 
> This part ist OK.
> 
> > or init/fini_<algorithm name> (if the 
> > <algorithm name>_init/_fini exist)
> 
> Having init_foo and foo_init won't be a good thing, will it? I'd start
> confusing them.
> 
> What about foo_modinit instead?

Thanks for the suggestion, the init() is replaced with

	<algorithm name>_mod_init ()

and fini () is replaced with <algorithm name>_mod_fini.
Signed-off-by: NKamalesh Babulal <kamalesh@linux.vnet.ibm.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Implement CTS wrapper for CBC mode required for support of AES
encryption support for Kerberos (rfc3962).
Signed-off-by: NKevin Coffman <kwc@citi.umich.edu>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The test routines (test_{cipher,hash,aead}) are makeing a copy
of the test template and are processing the encryption process
in place. This patch changes the creation of the copy so it will
work even if the source address of the input data isn't an array
inside of the template but a pointer.
Signed-off-by: NSebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The speed templates as it look always the same. The key size
is repeated for each block size and we test always the same
block size. The addition of one inner loop makes it possible
to get rid of the struct and it is possible to use a tiny
u8 array :)
Signed-off-by: NSebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Some crypto ciphers which are impleneted support similar key sizes
(16,24 & 32 byte). They can be grouped together and use a common
templatte instead of their own which contains the same data.
Signed-off-by: NSebastian Siewior <sebastian@breakpoint.cc>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Currently the gcm(aes) tests have to be taken together with all other
algorithms.  This patch makes it available by itself at number 106.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The axbuf buffer is used by test_aead and therefore should be zeroed
there instead of in test_hash.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds 7 test vectors to tcrypt for CCM.
The test vectors are from rfc 3610.
There are about 10 more test vectors in RFC 3610
and 4 or 5 more in NIST. I can add these as time permits.

I also needed to set authsize. CCM has a prerequisite of
authsize. 
Signed-off-by: NJoy Latten <latten@austin.ibm.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

As discussed previously, this patch moves the basic CTR functionality
into a chainable algorithm called ctr.  The IPsec-specific variant of
it is now placed on top with the name rfc3686.

So ctr(aes) gives a chainable cipher with IV size 16 while the IPsec
variant will be called rfc3686(ctr(aes)).  This patch also adjusts
gcm accordingly.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds a simple speed test for salsa20.
Usage: modprobe tcrypt mode=206
Signed-of-by: NTan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add LZO compression algorithm support
Signed-off-by: NZoltan Sogor <weth@inf.u-szeged.hu>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add common compression tester function
Modify deflate test case to use the common compressor test function
Signed-off-by: NZoltan Sogor <weth@inf.u-szeged.hu>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

The crypto_aead convention for ICVs is to include it directly in the
output.  If we decided to change this in future then we would make
the ICV (if the algorithm has an explicit one) available in the
request itself.

For now no algorithm needs this so this patch changes gcm to conform
to this convention.  It also adjusts the tcrypt aead tests to take
this into account.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Currently the gcm(aes) tests have to be taken together with all other
ciphers.  This patch makes it available by itself at number 35.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

These utilities implemented in lib/hexdump.c are more handy, please use this.
Signed-off-by: NDenis Cheng <crquan@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Currently the number of entries in a cipher test vector template is
limited by TVMEMSIZE/sizeof(struct cipher_testvec). This patch
circumvents the problem by pointing cipher_tv to each entry in the
template, rather than the template itself.
Signed-off-by: NTan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add GCM/GMAC support to cryptoapi.

GCM (Galois/Counter Mode) is an AEAD mode of operations for any block cipher
with a block size of 16.  The typical example is AES-GCM.
Signed-off-by: NMikko Herranen <mh1@iki.fi>
Reviewed-by: NMika Kukkonen <mika.kukkonen@nsn.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Add AEAD support to tcrypt, needed by GCM.
Signed-off-by: NMikko Herranen <mh1@iki.fi>
Reviewed-by: NMika Kukkonen <mika.kukkonen@nsn.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch implements the Salsa20 stream cipher using the blkcipher interface.

The core cipher code comes from Daniel Bernstein's submission to eSTREAM:
  http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/ref/

The test vectors comes from:
  http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/

It has been tested successfully with "modprobe tcrypt mode=34" on an
UML instance.
Signed-off-by: NTan Swee Heng <thesweeheng@gmail.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

Resubmitting this patch which extends sha256_generic.c to support SHA-224 as
described in FIPS 180-2 and RFC 3874. HMAC-SHA-224 as described in RFC4231
is then supported through the hmac interface.

Patch includes test vectors for SHA-224 and HMAC-SHA-224.

SHA-224 chould be chosen as a hash algorithm when 112 bits of security
strength is required.

Patch generated against the 2.6.24-rc1 kernel and tested against
2.6.24-rc1-git14 which includes fix for scatter gather implementation for HMAC.
Signed-off-by: NJonathan Lynch <jonathan.lynch@intel.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds countersize to CTR mode.
The template is now ctr(algo,noncesize,ivsize,countersize).

For example, ctr(aes,4,8,4) indicates the counterblock
will be composed of a salt/nonce that is 4 bytes, an iv
that is 8 bytes and the counter is 4 bytes.

When noncesize + ivsize < blocksize, CTR initializes the
last block - ivsize - noncesize portion of the block to
zero.  Otherwise the counter block is composed of the IV
(and nonce if necessary).

If noncesize + ivsize == blocksize, then this indicates that
user is passing in entire counterblock. Thus countersize
indicates the amount of bytes in counterblock to use as
the counter for incrementing. CTR will increment counter
portion by 1, and begin encryption with that value.

Note that CTR assumes the counter portion of the block that
will be incremented is stored in big endian.
Signed-off-by: NJoy Latten <latten@austin.ibm.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch implements CTR mode for IPsec.
It is based off of RFC 3686.

Please note:
1. CTR turns a block cipher into a stream cipher.
Encryption is done in blocks, however the last block
may be a partial block.

A "counter block" is encrypted, creating a keystream
that is xor'ed with the plaintext. The counter portion
of the counter block is incremented after each block
of plaintext is encrypted.
Decryption is performed in same manner.

2. The CTR counterblock is composed of,
        nonce + IV + counter

The size of the counterblock is equivalent to the
blocksize of the cipher.
        sizeof(nonce) + sizeof(IV) + sizeof(counter) = blocksize

The CTR template requires the name of the cipher
algorithm, the sizeof the nonce, and the sizeof the iv.
        ctr(cipher,sizeof_nonce,sizeof_iv)

So for example,
        ctr(aes,4,8)
specifies the counterblock will be composed of 4 bytes
from a nonce, 8 bytes from the iv, and 4 bytes for counter
since aes has a blocksize of 16 bytes.

3. The counter portion of the counter block is stored
in big endian for conformance to rfc 3686.
Signed-off-by: NJoy Latten <latten@austin.ibm.com>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch moves the sg_init_table out of the timing loops for hash
algorithms so that it doesn't impact on the speed test results.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Use sg_init_one() and sg_init_table() as needed.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Signed-off-by: NJens Axboe <jens.axboe@oracle.com>

XTS currently considered to be the successor of the LRW mode by the IEEE1619
workgroup. LRW was discarded, because it was not secure if the encyption key
itself is encrypted with LRW.

XTS does not have this problem. The implementation is pretty straightforward,
a new function was added to gf128mul to handle GF(128) elements in ble format.
Four testvectors from the specification
	http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
were added, and they verify on my system.
Signed-off-by: NRik Snel <rsnel@cube.dyndns.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

This patch adds support for the SEED cipher (RFC4269).

This patch have been used in few VPN appliance vendors in Korea for
several years.  And it was verified by KISA, who developed the
algorithm itself.

As its importance in Korean banking industry, it would be great
if linux incorporates the support.
Signed-off-by: NHye-Shik Chang <perky@FreeBSD.org>
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>