Hi:
This series of patches converts the padlock-sha implementation to
shash. This is also the last legacy hash algorithm to be converted,
apart from hmac which I had to revert as it would break padlock-sha
unless the latter is converted.
As I don't have the hardware supporting padlock-sha, could someone
with access to it please test this for me? In particular, I'd like
to see this tested with an actual IPsec connection.
Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Sat, Jul 11, 2009 at 06:19:58PM +0800, Herbert Xu wrote:
> Hi:
>
> This series of patches converts the padlock-sha implementation to
> shash. This is also the last legacy hash algorithm to be converted,
> apart from hmac which I had to revert as it would break padlock-sha
> unless the latter is converted.
>
> As I don't have the hardware supporting padlock-sha, could someone
> with access to it please test this for me? In particular, I'd like
> to see this tested with an actual IPsec connection.
BTW, I got the numbering wrong so it started from 2 instead of
1. For the record there is no 1/10.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
* Herbert Xu | 2009-07-11 18:19:58 [+0800]:
>As I don't have the hardware supporting padlock-sha, could someone
>with access to it please test this for me? In particular, I'd like
>to see this tested with an actual IPsec connection.
I have here a via nano so I should be able to test it.
Do you have a particular test case in mind or should I just grab
ipsec-tools, setup a tunnel and send a few packets?
>Thanks,
Sebastian
On Tue, Jul 14, 2009 at 10:26:15PM +0200, Sebastian Andrzej Siewior wrote:
>
> I have here a via nano so I should be able to test it.
> Do you have a particular test case in mind or should I just grab
> ipsec-tools, setup a tunnel and send a few packets?
Yes, that should be enough. You don't even ipsec-tools, just
a manual SA setup with ip xfrm should be good enough.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
* Herbert Xu | 2009-07-15 08:48:47 [+0800]:
>Yes, that should be enough. You don't even ipsec-tools, just
>a manual SA setup with ip xfrm should be good enough.
I did not get that far:
|alg: hash: Chunking test 1 failed for sha1-padlock
|00000000: e9 95 22 0c 1b d1 0f 5f f1 fa ee 74 7d 27 cd b2
|00000010: 99 f2 ad 73
|alg: hash: Chunking test 1 failed for sha256-padlock
|00000000: 9e 49 25 fa b3 a8 45 de 53 e9 9f d0 e8 7d 2c 33
|00000010: 09 51 6b 33 15 cb e0 4e 22 c0 04 1b 1e 25 ad c9
|padlock: Using VIA PadLock ACE for SHA1/SHA256 algorithms.
Do you think that it is something obvious or should I dig into it?
>Cheers,
Sebastian
On Thu, Jul 16, 2009 at 12:06:06AM +0200, Sebastian Andrzej Siewior wrote:
> * Herbert Xu | 2009-07-15 08:48:47 [+0800]:
>
> >Yes, that should be enough. You don't even ipsec-tools, just
> >a manual SA setup with ip xfrm should be good enough.
>
> I did not get that far:
>
> |alg: hash: Chunking test 1 failed for sha1-padlock
> |00000000: e9 95 22 0c 1b d1 0f 5f f1 fa ee 74 7d 27 cd b2
> |00000010: 99 f2 ad 73
> |alg: hash: Chunking test 1 failed for sha256-padlock
> |00000000: 9e 49 25 fa b3 a8 45 de 53 e9 9f d0 e8 7d 2c 33
> |00000010: 09 51 6b 33 15 cb e0 4e 22 c0 04 1b 1e 25 ad c9
> |padlock: Using VIA PadLock ACE for SHA1/SHA256 algorithms.
>
> Do you think that it is something obvious or should I dig into it?
Can you please pull my tree again? There were quite a few bugs
that I fixed last night.
Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Thu, Jul 16, 2009 at 10:16:01AM +0800, Herbert Xu wrote:
>
> Can you please pull my tree again? There were quite a few bugs
> that I fixed last night.
Oh and please make sure you have this patch applied too:
commit e9b25f16cda88b33fe15b30c009912e6c471edda
Author: Herbert Xu <[email protected]>
Date: Thu Jul 16 10:33:27 2009 +0800
crypto: padlock - Fix hashing of partial blocks
When we encounter partial blocks in finup, we'll invoke the xsha
instruction with a bogus count that is not a multiple of the block
size. This patch fixes it.
Signed-off-by: Herbert Xu <[email protected]>
diff --git a/drivers/crypto/padlock-sha.c b/drivers/crypto/padlock-sha.c
index a936ba4..76cb6b3 100644
--- a/drivers/crypto/padlock-sha.c
+++ b/drivers/crypto/padlock-sha.c
@@ -94,6 +94,7 @@ static int padlock_sha1_finup(struct shash_desc *desc, const u8 *in,
memcpy(state.buffer + leftover, in, count);
in = state.buffer;
count += leftover;
+ state.count &= ~(SHA1_BLOCK_SIZE - 1);
}
}
@@ -157,6 +158,7 @@ static int padlock_sha256_finup(struct shash_desc *desc, const u8 *in,
memcpy(state.buf + leftover, in, count);
in = state.buf;
count += leftover;
+ state.count &= ~(SHA1_BLOCK_SIZE - 1);
}
}
Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
* Herbert Xu | 2009-07-16 10:34:13 [+0800]:
>On Thu, Jul 16, 2009 at 10:16:01AM +0800, Herbert Xu wrote:
>>
>> Can you please pull my tree again? There were quite a few bugs
>> that I fixed last night.
>
>Oh and please make sure you have this patch applied too:
It passes the testmgr with that patch on top. I try that ip xfrm thing
later today.
Sebastian
* Sebastian Andrzej Siewior | 2009-07-16 09:36:30 [+0200]:
>* Herbert Xu | 2009-07-16 10:34:13 [+0800]:
>
>>On Thu, Jul 16, 2009 at 10:16:01AM +0800, Herbert Xu wrote:
>>>
>>> Can you please pull my tree again? There were quite a few bugs
>>> that I fixed last night.
>>
>>Oh and please make sure you have this patch applied too:
>
>It passes the testmgr with that patch on top. I try that ip xfrm thing
>later today.
Okay, Herbert it is working. I've setup a tunnel between two boxes and
was able to ping and copy stuff from /dev/zero on one box to /dev/null
on the other.
Sebastian
On Fri, Jul 17, 2009 at 12:23:45AM +0200, Sebastian Andrzej Siewior wrote:
>
> Okay, Herbert it is working. I've setup a tunnel between two boxes and
> was able to ping and copy stuff from /dev/zero on one box to /dev/null
> on the other.
Awesome, thanks a lot for verifying this Sebastian!
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt