Re: Where has CRYPTO_TFM_MODE_nnn gone?

Re: Where has CRYPTO_TFM_MODE_nnn gone?

[Marc St-Jean]

Herbert Xu wrote:
> Marc St-Jean <Marc_St-Jean@pmc-sierra.com> wrote:
>  >
>  > I'm porting a security engine driver from 2.6.18 to 2.6.21/22. I've 
> found
>  > that although 'cit_mode' is still in struct cipher_tfm, the definitions
>  > for CRYPTO_TFM_MODE_ECB and CRYPTO_TFM_MODE_CBC are gone!
> 
> Thanks for noticing it, I'll make sure that cit_mode disappears :)

No problem :) Looking at your patch I see that you've also dropped
cit_encrypt_iv/cit_decrypt_iv. That is likely related to my next question
regarding crypto_tfm_alg_ivsize().

In CBC mode we had a line of code copying cipher_desc.info to get the
initialization vector. Such as:
		/* Copy in IV */
		memcpy((u8*)(sa->crypt_iv), desc->info,
			crypto_tfm_alg_ivsize(tfm));

Now the only reference to the function I can find is in an IPsec comment
from include/net/esp.h. Any tips on getting the size?


>  > Our HW needs to know what mode to set up some SA flags. Any advice on
>  > how to best find this mode from a common cipher function which can 
> handle
>  > AES, DES and 3DES?
> 
> The block algorithm is now part of the name just like the cipher
> algorithm itself.  So if you're providing a block cipher you should
> register it as "cbc(aes)" (for example) instead of "aes" as you would've
> done previously.

And if we can support both I assume we must register multiple times?

> Check out drivers/crypto/padlock* for a good example.

Thanks, I have been looking at that code but unfortunately it supports
fewer cryptos/hashes so does not answer all my questions.

Marc

Re: Where has CRYPTO_TFM_MODE_nnn gone?

[Herbert Xu]

On Fri, Jun 08, 2007 at 12:13:17PM -0700, Marc St-Jean wrote:
> 
> In CBC mode we had a line of code copying cipher_desc.info to get the
> initialization vector. Such as:
> 		/* Copy in IV */
> 		memcpy((u8*)(sa->crypt_iv), desc->info,
> 			crypto_tfm_alg_ivsize(tfm));
> 
> Now the only reference to the function I can find is in an IPsec comment
> from include/net/esp.h. Any tips on getting the size?

We now have two types of ciphers, simple ciphers and block ciphers.  The
former only ever ecnrypts one block at a time, and therefore needs no IV.
Only block ciphers have IVs.

The other change is that instead of having everything as crypto_tfm they
all have their own types now.  So ciphers are crypto_cipher while block
ciphers are crypto_blkcipher.

In your case your tfm should be of type crypto_blkcipher.  Then you simply
call crypto_blkcipher_ivsize(tfm) to get the size.
 
> Thanks, I have been looking at that code but unfortunately it supports
> fewer cryptos/hashes so does not answer all my questions.

The same concept still applies regardless of the actual number of modes.

Oh and yes you do register it multiple times, once for each combination
of the blocking mode and the cipher.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: Where has CRYPTO_TFM_MODE_nnn gone?

[Marc St-Jean]

Herbert Xu wrote:
> On Fri, Jun 08, 2007 at 12:13:17PM -0700, Marc St-Jean wrote:
>  >
>  > In CBC mode we had a line of code copying cipher_desc.info to get the
>  > initialization vector. Such as:
>  >               /* Copy in IV */
>  >               memcpy((u8*)(sa->crypt_iv), desc->info,
>  >                       crypto_tfm_alg_ivsize(tfm));
>  >
>  > Now the only reference to the function I can find is in an IPsec comment
>  > from include/net/esp.h. Any tips on getting the size?
> 
> We now have two types of ciphers, simple ciphers and block ciphers.  The
> former only ever ecnrypts one block at a time, and therefore needs no IV.
> Only block ciphers have IVs.
> 
> The other change is that instead of having everything as crypto_tfm they
> all have their own types now.  So ciphers are crypto_cipher while block
> ciphers are crypto_blkcipher.
> 
> In your case your tfm should be of type crypto_blkcipher.  Then you simply
> call crypto_blkcipher_ivsize(tfm) to get the size.
>  
>  > Thanks, I have been looking at that code but unfortunately it supports
>  > fewer cryptos/hashes so does not answer all my questions.
> 
> The same concept still applies regardless of the actual number of modes.
> 
> Oh and yes you do register it multiple times, once for each combination
> of the blocking mode and the cipher.

Thanks for the info Herbert.

Marc

Where has CRYPTO_TFM_MODE_nnn gone?

[Marc St-Jean]

Hi all,

I'm porting a security engine driver from 2.6.18 to 2.6.21/22. I've found
that although 'cit_mode' is still in struct cipher_tfm, the definitions
for CRYPTO_TFM_MODE_ECB and CRYPTO_TFM_MODE_CBC are gone!

Our HW needs to know what mode to set up some SA flags. Any advice on
how to best find this mode from a common cipher function which can handle
AES, DES and 3DES?

Advance thanks,
Marc

Re: Where has CRYPTO_TFM_MODE_nnn gone?

[Herbert Xu]

Marc St-Jean <Marc_St-Jean@pmc-sierra.com> wrote:
> 
> I'm porting a security engine driver from 2.6.18 to 2.6.21/22. I've found
> that although 'cit_mode' is still in struct cipher_tfm, the definitions
> for CRYPTO_TFM_MODE_ECB and CRYPTO_TFM_MODE_CBC are gone!

Thanks for noticing it, I'll make sure that cit_mode disappears :)

> Our HW needs to know what mode to set up some SA flags. Any advice on
> how to best find this mode from a common cipher function which can handle
> AES, DES and 3DES?

The block algorithm is now part of the name just like the cipher
algorithm itself.  So if you're providing a block cipher you should
register it as "cbc(aes)" (for example) instead of "aes" as you would've
done previously.

Check out drivers/crypto/padlock* for a good example.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: Where has CRYPTO_TFM_MODE_nnn gone?

[Herbert Xu]

On Fri, Jun 08, 2007 at 04:17:48PM +1000, Herbert Xu wrote:
> Marc St-Jean <Marc_St-Jean@pmc-sierra.com> wrote:
> > 
> > I'm porting a security engine driver from 2.6.18 to 2.6.21/22. I've found
> > that although 'cit_mode' is still in struct cipher_tfm, the definitions
> > for CRYPTO_TFM_MODE_ECB and CRYPTO_TFM_MODE_CBC are gone!
> 
> Thanks for noticing it, I'll make sure that cit_mode disappears :)

Here is the patch.

[CRYPTO] cipher: Remove obsolete fields from cipher_tfm

This removes all the unused block cipher fields from cipher_tfm.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff --git a/include/linux/crypto.h b/include/linux/crypto.h
index 0de7e2a..357e8cf 100644
--- a/include/linux/crypto.h
+++ b/include/linux/crypto.h
@@ -295,28 +295,8 @@ struct blkcipher_tfm {
 };
 
 struct cipher_tfm {
-	void *cit_iv;
-	unsigned int cit_ivsize;
-	u32 cit_mode;
 	int (*cit_setkey)(struct crypto_tfm *tfm,
 	                  const u8 *key, unsigned int keylen);
-	int (*cit_encrypt)(struct crypto_tfm *tfm,
-			   struct scatterlist *dst,
-			   struct scatterlist *src,
-			   unsigned int nbytes);
-	int (*cit_encrypt_iv)(struct crypto_tfm *tfm,
-	                      struct scatterlist *dst,
-	                      struct scatterlist *src,
-	                      unsigned int nbytes, u8 *iv);
-	int (*cit_decrypt)(struct crypto_tfm *tfm,
-			   struct scatterlist *dst,
-			   struct scatterlist *src,
-			   unsigned int nbytes);
-	int (*cit_decrypt_iv)(struct crypto_tfm *tfm,
-			   struct scatterlist *dst,
-			   struct scatterlist *src,
-			   unsigned int nbytes, u8 *iv);
-	void (*cit_xor_block)(u8 *dst, const u8 *src);
 	void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
 	void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
 };