Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

very simple, while hiding the core logic from both.  Many good ideas

from existing APIs such as Cryptoapi and Nettle have been adapted for this.

The API currently supports three types of transforms: Ciphers, Digests and

Compressors.  The compression algorithms especially seem to be performing

very well so far.

The API currently supports five main types of transforms: AEAD (Authenticated

Encryption with Associated Data), Block Ciphers, Ciphers, Compressors and

Hashes.

Please note that Block Ciphers is somewhat of a misnomer.  It is in fact

meant to support all ciphers including stream ciphers.  The difference

between Block Ciphers and Ciphers is that the latter operates on exactly

one block while the former can operate on an arbitrary amount of data,

subject to block size requirements (i.e., non-stream ciphers can only

process multiples of blocks).

Support for hardware crypto devices via an asynchronous interface is

under development.

Many real examples are available in the regression test module (tcrypt.c).

CONFIGURATION NOTES

As Triple DES is part of the DES module, for those using modular builds,

add the following line to /etc/modprobe.conf:

  alias des3_ede des

The Null algorithms reside in the crypto_null module, so these lines

should also be added:

  alias cipher_null crypto_null

  alias digest_null crypto_null

  alias compress_null crypto_null

The SHA384 algorithm shares code within the SHA512 module, so you'll

also need:

  alias sha384 sha512

DEVELOPER NOTES

Transforms may only be allocated in user context, and cryptographic

methods may only be called from softirq and user contexts.

methods may only be called from softirq and user contexts.  For

transforms with a setkey method it too should only be called from

user context.

When using the API for ciphers, performance will be optimal if each

scatterlist contains data which is a multiple of the cipher's block

BUGS

Send bug reports to:

Herbert Xu <herbert@gondor.apana.org.au>

Cc: David S. Miller <davem@redhat.com>

linux-crypto@vger.kernel.org

Cc: Herbert Xu <herbert@gondor.apana.org.au>,

    David S. Miller <davem@redhat.com>

FURTHER INFORMATION

 * s390 Version:

 *   Copyright IBM Corp. 2005,2007

 *   Author(s): Jan Glauber (jang@de.ibm.com)

 *		Sebastian Siewior (sebastian@breakpoint.cc> SW-Fallback

 *

 * Derived from "crypto/aes_generic.c"

 *

 *

 */

#include <crypto/aes.h>

#include <crypto/algapi.h>

#include <linux/err.h>

#include <linux/module.h>

#include <linux/init.h>

#include "crypt_s390.h"

#define AES_MIN_KEY_SIZE	16

#define AES_MAX_KEY_SIZE	32

/* data block size for all key lengths */

#define AES_BLOCK_SIZE		16

#define AES_KEYLEN_128		1

#define AES_KEYLEN_192		2

#define AES_KEYLEN_256		4

	long enc;

	long dec;

	int key_len;

	union {

		struct crypto_blkcipher *blk;

		struct crypto_cipher *cip;

	} fallback;

};

static int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,

		       unsigned int key_len)

/*

 * Check if the key_len is supported by the HW.

 * Returns 0 if it is, a positive number if it is not and software fallback is

 * required or a negative number in case the key size is not valid

 */

static int need_fallback(unsigned int key_len)

{

	struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	u32 *flags = &tfm->crt_flags;

	switch (key_len) {

	case 16:

		if (!(keylen_flag & AES_KEYLEN_128))

			goto fail;

			return 1;

		break;

	case 24:

		if (!(keylen_flag & AES_KEYLEN_192))

			goto fail;

			return 1;

		break;

	case 32:

		if (!(keylen_flag & AES_KEYLEN_256))

			goto fail;

			return 1;

		break;

	default:

		goto fail;

		return -1;

		break;

	}

	return 0;

}

static int setkey_fallback_cip(struct crypto_tfm *tfm, const u8 *in_key,

		unsigned int key_len)

{

	struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	int ret;

	sctx->fallback.blk->base.crt_flags &= ~CRYPTO_TFM_REQ_MASK;

	sctx->fallback.blk->base.crt_flags |= (tfm->crt_flags &

			CRYPTO_TFM_REQ_MASK);

	ret = crypto_cipher_setkey(sctx->fallback.cip, in_key, key_len);

	if (ret) {

		tfm->crt_flags &= ~CRYPTO_TFM_RES_MASK;

		tfm->crt_flags |= (sctx->fallback.blk->base.crt_flags &

				CRYPTO_TFM_RES_MASK);

	}

	return ret;

}

static int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,

		       unsigned int key_len)

{

	struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	u32 *flags = &tfm->crt_flags;

	int ret;

	ret = need_fallback(key_len);

	if (ret < 0) {

		*flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;

		return -EINVAL;

	}

	sctx->key_len = key_len;

	if (!ret) {

		memcpy(sctx->key, in_key, key_len);

		return 0;

fail:

	*flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;

	return -EINVAL;

	}

	return setkey_fallback_cip(tfm, in_key, key_len);

}

static void aes_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)

{

	const struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	if (unlikely(need_fallback(sctx->key_len))) {

		crypto_cipher_encrypt_one(sctx->fallback.cip, out, in);

		return;

	}

	switch (sctx->key_len) {

	case 16:

		crypt_s390_km(KM_AES_128_ENCRYPT, &sctx->key, out, in,

{

	const struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	if (unlikely(need_fallback(sctx->key_len))) {

		crypto_cipher_decrypt_one(sctx->fallback.cip, out, in);

		return;

	}

	switch (sctx->key_len) {

	case 16:

		crypt_s390_km(KM_AES_128_DECRYPT, &sctx->key, out, in,

	}

}

static int fallback_init_cip(struct crypto_tfm *tfm)

{

	const char *name = tfm->__crt_alg->cra_name;

	struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	sctx->fallback.cip = crypto_alloc_cipher(name, 0,

			CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK);

	if (IS_ERR(sctx->fallback.cip)) {

		printk(KERN_ERR "Error allocating fallback algo %s\n", name);

		return PTR_ERR(sctx->fallback.blk);

	}

	return 0;

}

static void fallback_exit_cip(struct crypto_tfm *tfm)

{

	struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	crypto_free_cipher(sctx->fallback.cip);

	sctx->fallback.cip = NULL;

}

static struct crypto_alg aes_alg = {

	.cra_name		=	"aes",

	.cra_ctxsize		=	sizeof(struct s390_aes_ctx),

	.cra_module		=	THIS_MODULE,

	.cra_list		=	LIST_HEAD_INIT(aes_alg.cra_list),

	.cra_init               =       fallback_init_cip,

	.cra_exit               =       fallback_exit_cip,

	.cra_u			=	{

		.cipher = {

			.cia_min_keysize	=	AES_MIN_KEY_SIZE,

	}

};

static int setkey_fallback_blk(struct crypto_tfm *tfm, const u8 *key,

		unsigned int len)

{

	struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	unsigned int ret;

	sctx->fallback.blk->base.crt_flags &= ~CRYPTO_TFM_REQ_MASK;

	sctx->fallback.blk->base.crt_flags |= (tfm->crt_flags &

			CRYPTO_TFM_REQ_MASK);

	ret = crypto_blkcipher_setkey(sctx->fallback.blk, key, len);

	if (ret) {

		tfm->crt_flags &= ~CRYPTO_TFM_RES_MASK;

		tfm->crt_flags |= (sctx->fallback.blk->base.crt_flags &

				CRYPTO_TFM_RES_MASK);

	}

	return ret;

}

static int fallback_blk_dec(struct blkcipher_desc *desc,

		struct scatterlist *dst, struct scatterlist *src,

		unsigned int nbytes)

{

	unsigned int ret;

	struct crypto_blkcipher *tfm;

	struct s390_aes_ctx *sctx = crypto_blkcipher_ctx(desc->tfm);

	tfm = desc->tfm;

	desc->tfm = sctx->fallback.blk;

	ret = crypto_blkcipher_decrypt_iv(desc, dst, src, nbytes);

	desc->tfm = tfm;

	return ret;

}

static int fallback_blk_enc(struct blkcipher_desc *desc,

		struct scatterlist *dst, struct scatterlist *src,

		unsigned int nbytes)

{

	unsigned int ret;

	struct crypto_blkcipher *tfm;

	struct s390_aes_ctx *sctx = crypto_blkcipher_ctx(desc->tfm);

	tfm = desc->tfm;

	desc->tfm = sctx->fallback.blk;

	ret = crypto_blkcipher_encrypt_iv(desc, dst, src, nbytes);

	desc->tfm = tfm;

	return ret;

}

static int ecb_aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,

			   unsigned int key_len)

{

	struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	int ret;

	ret = need_fallback(key_len);

	if (ret > 0) {

		sctx->key_len = key_len;

		return setkey_fallback_blk(tfm, in_key, key_len);

	}

	switch (key_len) {

	case 16:

	struct s390_aes_ctx *sctx = crypto_blkcipher_ctx(desc->tfm);

	struct blkcipher_walk walk;

	if (unlikely(need_fallback(sctx->key_len)))

		return fallback_blk_enc(desc, dst, src, nbytes);

	blkcipher_walk_init(&walk, dst, src, nbytes);

	return ecb_aes_crypt(desc, sctx->enc, sctx->key, &walk);

}

	struct s390_aes_ctx *sctx = crypto_blkcipher_ctx(desc->tfm);

	struct blkcipher_walk walk;

	if (unlikely(need_fallback(sctx->key_len)))

		return fallback_blk_dec(desc, dst, src, nbytes);

	blkcipher_walk_init(&walk, dst, src, nbytes);

	return ecb_aes_crypt(desc, sctx->dec, sctx->key, &walk);

}

static int fallback_init_blk(struct crypto_tfm *tfm)

{

	const char *name = tfm->__crt_alg->cra_name;

	struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	sctx->fallback.blk = crypto_alloc_blkcipher(name, 0,

			CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK);

	if (IS_ERR(sctx->fallback.blk)) {

		printk(KERN_ERR "Error allocating fallback algo %s\n", name);

		return PTR_ERR(sctx->fallback.blk);

	}

	return 0;

}

static void fallback_exit_blk(struct crypto_tfm *tfm)

{

	struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	crypto_free_blkcipher(sctx->fallback.blk);

	sctx->fallback.blk = NULL;

}

static struct crypto_alg ecb_aes_alg = {

	.cra_name		=	"ecb(aes)",

	.cra_driver_name	=	"ecb-aes-s390",

	.cra_type		=	&crypto_blkcipher_type,

	.cra_module		=	THIS_MODULE,

	.cra_list		=	LIST_HEAD_INIT(ecb_aes_alg.cra_list),

	.cra_init		=	fallback_init_blk,

	.cra_exit		=	fallback_exit_blk,

	.cra_u			=	{

		.blkcipher = {

			.min_keysize		=	AES_MIN_KEY_SIZE,

			   unsigned int key_len)

{

	struct s390_aes_ctx *sctx = crypto_tfm_ctx(tfm);

	int ret;

	ret = need_fallback(key_len);

	if (ret > 0) {

		sctx->key_len = key_len;

		return setkey_fallback_blk(tfm, in_key, key_len);

	}

	switch (key_len) {

	case 16:

	struct s390_aes_ctx *sctx = crypto_blkcipher_ctx(desc->tfm);

	struct blkcipher_walk walk;

	if (unlikely(need_fallback(sctx->key_len)))

		return fallback_blk_enc(desc, dst, src, nbytes);

	blkcipher_walk_init(&walk, dst, src, nbytes);

	return cbc_aes_crypt(desc, sctx->enc, sctx->iv, &walk);

}

	struct s390_aes_ctx *sctx = crypto_blkcipher_ctx(desc->tfm);

	struct blkcipher_walk walk;

	if (unlikely(need_fallback(sctx->key_len)))

		return fallback_blk_dec(desc, dst, src, nbytes);

	blkcipher_walk_init(&walk, dst, src, nbytes);

	return cbc_aes_crypt(desc, sctx->dec, sctx->iv, &walk);

}

	.cra_type		=	&crypto_blkcipher_type,

	.cra_module		=	THIS_MODULE,

	.cra_list		=	LIST_HEAD_INIT(cbc_aes_alg.cra_list),

	.cra_init		=	fallback_init_blk,

	.cra_exit		=	fallback_exit_blk,

	.cra_u			=	{

		.blkcipher = {

			.min_keysize		=	AES_MIN_KEY_SIZE,

		return -EOPNOTSUPP;

	/* z9 109 and z9 BC/EC only support 128 bit key length */

	if (keylen_flag == AES_KEYLEN_128) {

		aes_alg.cra_u.cipher.cia_max_keysize = AES_MIN_KEY_SIZE;

		ecb_aes_alg.cra_u.blkcipher.max_keysize = AES_MIN_KEY_SIZE;

		cbc_aes_alg.cra_u.blkcipher.max_keysize = AES_MIN_KEY_SIZE;

	if (keylen_flag == AES_KEYLEN_128)

		printk(KERN_INFO

		       "aes_s390: hardware acceleration only available for"

		       "128 bit keys\n");

	}

	ret = crypto_register_alg(&aes_alg);

	if (ret)

MODULE_DESCRIPTION("Rijndael (AES) Cipher Algorithm");

MODULE_LICENSE("GPL");

obj-$(CONFIG_CRYPTO_AES_586) += aes-i586.o

obj-$(CONFIG_CRYPTO_TWOFISH_586) += twofish-i586.o

obj-$(CONFIG_CRYPTO_SALSA20_586) += salsa20-i586.o

obj-$(CONFIG_CRYPTO_AES_X86_64) += aes-x86_64.o

obj-$(CONFIG_CRYPTO_TWOFISH_X86_64) += twofish-x86_64.o

obj-$(CONFIG_CRYPTO_SALSA20_X86_64) += salsa20-x86_64.o

aes-i586-y := aes-i586-asm_32.o aes_32.o

twofish-i586-y := twofish-i586-asm_32.o twofish_32.o

aes-i586-y := aes-i586-asm_32.o aes_glue.o

twofish-i586-y := twofish-i586-asm_32.o twofish_glue.o

salsa20-i586-y := salsa20-i586-asm_32.o salsa20_glue.o

aes-x86_64-y := aes-x86_64-asm_64.o aes_64.o

twofish-x86_64-y := twofish-x86_64-asm_64.o twofish_64.o

aes-x86_64-y := aes-x86_64-asm_64.o aes_glue.o

twofish-x86_64-y := twofish-x86_64-asm_64.o twofish_glue.o

salsa20-x86_64-y := salsa20-x86_64-asm_64.o salsa20_glue.o

#define in_blk 16

/* offsets in crypto_tfm structure */

#define ekey (crypto_tfm_ctx_offset + 0)

#define nrnd (crypto_tfm_ctx_offset + 256)

#define dkey (crypto_tfm_ctx_offset + 260)

#define klen (crypto_tfm_ctx_offset + 0)

#define ekey (crypto_tfm_ctx_offset + 4)

#define dkey (crypto_tfm_ctx_offset + 244)

// register mapping for encrypt and decrypt subroutines

.global  aes_enc_blk

.extern  ft_tab

.extern  fl_tab

.extern  crypto_ft_tab

.extern  crypto_fl_tab

.align 4

1:	push    %ebx

	mov     in_blk+4(%esp),%r2

	push    %esi

	mov     nrnd(%ebp),%r3   // number of rounds

	mov     klen(%ebp),%r3   // key size

	push    %edi

#if ekey != 0

	lea     ekey(%ebp),%ebp  // key pointer

	sub     $8,%esp		// space for register saves on stack

	add     $16,%ebp	// increment to next round key

	cmp     $12,%r3

	cmp     $24,%r3

	jb      4f		// 10 rounds for 128-bit key

	lea     32(%ebp),%ebp

	je      3f		// 12 rounds for 192-bit key

	lea     32(%ebp),%ebp

2:	fwd_rnd1( -64(%ebp) ,ft_tab)	// 14 rounds for 256-bit key

	fwd_rnd2( -48(%ebp) ,ft_tab)

3:	fwd_rnd1( -32(%ebp) ,ft_tab)	// 12 rounds for 192-bit key

	fwd_rnd2( -16(%ebp) ,ft_tab)

4:	fwd_rnd1(    (%ebp) ,ft_tab)	// 10 rounds for 128-bit key

	fwd_rnd2( +16(%ebp) ,ft_tab)

	fwd_rnd1( +32(%ebp) ,ft_tab)

	fwd_rnd2( +48(%ebp) ,ft_tab)

	fwd_rnd1( +64(%ebp) ,ft_tab)

	fwd_rnd2( +80(%ebp) ,ft_tab)

	fwd_rnd1( +96(%ebp) ,ft_tab)

	fwd_rnd2(+112(%ebp) ,ft_tab)

	fwd_rnd1(+128(%ebp) ,ft_tab)

	fwd_rnd2(+144(%ebp) ,fl_tab)	// last round uses a different table

2:	fwd_rnd1( -64(%ebp), crypto_ft_tab)	// 14 rounds for 256-bit key

	fwd_rnd2( -48(%ebp), crypto_ft_tab)

3:	fwd_rnd1( -32(%ebp), crypto_ft_tab)	// 12 rounds for 192-bit key

	fwd_rnd2( -16(%ebp), crypto_ft_tab)

4:	fwd_rnd1(    (%ebp), crypto_ft_tab)	// 10 rounds for 128-bit key

	fwd_rnd2( +16(%ebp), crypto_ft_tab)

	fwd_rnd1( +32(%ebp), crypto_ft_tab)

	fwd_rnd2( +48(%ebp), crypto_ft_tab)

	fwd_rnd1( +64(%ebp), crypto_ft_tab)

	fwd_rnd2( +80(%ebp), crypto_ft_tab)

	fwd_rnd1( +96(%ebp), crypto_ft_tab)

	fwd_rnd2(+112(%ebp), crypto_ft_tab)

	fwd_rnd1(+128(%ebp), crypto_ft_tab)

	fwd_rnd2(+144(%ebp), crypto_fl_tab)	// last round uses a different table

// move final values to the output array.  CAUTION: the 

// order of these assigns rely on the register mappings

.global  aes_dec_blk

.extern  it_tab

.extern  il_tab

.extern  crypto_it_tab

.extern  crypto_il_tab

.align 4

1:	push    %ebx

	mov     in_blk+4(%esp),%r2

	push    %esi

	mov     nrnd(%ebp),%r3   // number of rounds

	mov     klen(%ebp),%r3   // key size

	push    %edi

#if dkey != 0

	lea     dkey(%ebp),%ebp  // key pointer

#endif

	mov     %r3,%r0

	shl     $4,%r0

	add     %r0,%ebp

// input four columns and xor in first round key

	xor     12(%ebp),%r5

	sub     $8,%esp		// space for register saves on stack

	sub     $16,%ebp	// increment to next round key

	cmp     $12,%r3

	add     $16,%ebp	// increment to next round key

	cmp     $24,%r3

	jb      4f		// 10 rounds for 128-bit key

	lea     -32(%ebp),%ebp

	lea     32(%ebp),%ebp

	je      3f		// 12 rounds for 192-bit key

	lea     -32(%ebp),%ebp

2:	inv_rnd1( +64(%ebp), it_tab)	// 14 rounds for 256-bit key

	inv_rnd2( +48(%ebp), it_tab)

3:	inv_rnd1( +32(%ebp), it_tab)	// 12 rounds for 192-bit key

	inv_rnd2( +16(%ebp), it_tab)

4:	inv_rnd1(    (%ebp), it_tab)	// 10 rounds for 128-bit key

	inv_rnd2( -16(%ebp), it_tab)

	inv_rnd1( -32(%ebp), it_tab)

	inv_rnd2( -48(%ebp), it_tab)

	inv_rnd1( -64(%ebp), it_tab)

	inv_rnd2( -80(%ebp), it_tab)

	inv_rnd1( -96(%ebp), it_tab)

	inv_rnd2(-112(%ebp), it_tab)

	inv_rnd1(-128(%ebp), it_tab)

	inv_rnd2(-144(%ebp), il_tab)	// last round uses a different table

	lea     32(%ebp),%ebp

2:	inv_rnd1( -64(%ebp), crypto_it_tab)	// 14 rounds for 256-bit key

	inv_rnd2( -48(%ebp), crypto_it_tab)

3:	inv_rnd1( -32(%ebp), crypto_it_tab)	// 12 rounds for 192-bit key

	inv_rnd2( -16(%ebp), crypto_it_tab)

4:	inv_rnd1(    (%ebp), crypto_it_tab)	// 10 rounds for 128-bit key

	inv_rnd2( +16(%ebp), crypto_it_tab)

	inv_rnd1( +32(%ebp), crypto_it_tab)

	inv_rnd2( +48(%ebp), crypto_it_tab)

	inv_rnd1( +64(%ebp), crypto_it_tab)

	inv_rnd2( +80(%ebp), crypto_it_tab)

	inv_rnd1( +96(%ebp), crypto_it_tab)

	inv_rnd2(+112(%ebp), crypto_it_tab)

	inv_rnd1(+128(%ebp), crypto_it_tab)

	inv_rnd2(+144(%ebp), crypto_il_tab)	// last round uses a different table

// move final values to the output array.  CAUTION: the 

// order of these assigns rely on the register mappings

 * including this sentence is retained in full.

 */

.extern aes_ft_tab

.extern aes_it_tab

.extern aes_fl_tab

.extern aes_il_tab

.extern crypto_ft_tab

.extern crypto_it_tab

.extern crypto_fl_tab

.extern crypto_il_tab

.text

	.align	8;			\