From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3E76C230BC5; Sat, 12 Jul 2025 23:26:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362781; cv=none; b=T5XCjrEY9BwXLpSGBrRO9TAjaRc7ygDdKbpXWT4Yfsi817QLEXbuhxbsJrMFXodKLsFQQ82uCJfh/F6yiuqBKBnKSyBpKCF9gJTRcXx9VpFoqPGXEqNTa/cgcYyKcZnzwWlQnwGg7neKZ92AmW5U7dg7fIC+SDmZNB7drZosgyA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362781; c=relaxed/simple; bh=8Vb27gWyZe63wNRoxap9QiheYDb0OlWgd9TqwRTjPok=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=diUDn8Jhs7twJelNSQspg2y1gPvNYXJhjMrHWIODuDnJdHNbzZH332rQfzdO00XOAutRfUVahbLmSOGJXK4c6bo1+IKNTZG3xI/yMTbTLhBzGdpRQO6CJ6FsS2+xMXZnSaXO41OyrtOKwhuUz6otEoLrTCQDddjWEK5dVqjn0kA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=FLdhoQ9O; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="FLdhoQ9O" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6F89CC4CEF1; Sat, 12 Jul 2025 23:26:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362780; bh=8Vb27gWyZe63wNRoxap9QiheYDb0OlWgd9TqwRTjPok=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FLdhoQ9O/rEdQQwDfB++qTeJwUvBRaf0giyFlD0IE9HPCHMIxwRbbPZX6O9u0CZjm 1S7td9m5IXWuVpnSg/lTQZoSA8mLrhcxCEDqQskG1J2oHW5dy7RINPivna14fk/R8B gWAVbX+5VllXd3iKDgmQQHr9MQexHmWBc6Z7aOQc4C9Fwh4fK6K91WkCXRGU1rSLYk 6jWE5tjg5pnd6IcAkotb4VGlAL+H2SxWbnMZRfBajfIAsz67vR45SAVVWMThixpDBx g4AqUUXLUdKDs0Wb0sr/Mv7RDTWACPNNTvEudIe/btKC3CDRVi5U5opkfD1yPWVEvt DswyfbkvbZOAg== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 01/26] crypto: x86/sha1 - Rename conflicting symbol Date: Sat, 12 Jul 2025 16:22:52 -0700 Message-ID: <20250712232329.818226-2-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Rename x86's sha1_update() to sha1_update_x86(), since it conflicts with the upcoming sha1_update() library function. Note: the affected code will be superseded by later commits that migrate the arch-optimized SHA-1 code into the library. This commit simply keeps the kernel building for the initial introduction of the library. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- arch/x86/crypto/sha1_ssse3_glue.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/arch/x86/crypto/sha1_ssse3_glue.c b/arch/x86/crypto/sha1_ssse3= _glue.c index 0a912bfc86c51..826579a7473c4 100644 --- a/arch/x86/crypto/sha1_ssse3_glue.c +++ b/arch/x86/crypto/sha1_ssse3_glue.c @@ -32,11 +32,11 @@ static const struct x86_cpu_id module_cpu_ids[] =3D { X86_MATCH_FEATURE(X86_FEATURE_SSSE3, NULL), {} }; MODULE_DEVICE_TABLE(x86cpu, module_cpu_ids); =20 -static inline int sha1_update(struct shash_desc *desc, const u8 *data, +static inline int sha1_update_x86(struct shash_desc *desc, const u8 *data, unsigned int len, sha1_block_fn *sha1_xform) { int remain; =20 /* @@ -67,11 +67,11 @@ asmlinkage void sha1_transform_ssse3(struct sha1_state = *state, const u8 *data, int blocks); =20 static int sha1_ssse3_update(struct shash_desc *desc, const u8 *data, unsigned int len) { - return sha1_update(desc, data, len, sha1_transform_ssse3); + return sha1_update_x86(desc, data, len, sha1_transform_ssse3); } =20 static int sha1_ssse3_finup(struct shash_desc *desc, const u8 *data, unsigned int len, u8 *out) { @@ -111,11 +111,11 @@ asmlinkage void sha1_transform_avx(struct sha1_state = *state, const u8 *data, int blocks); =20 static int sha1_avx_update(struct shash_desc *desc, const u8 *data, unsigned int len) { - return sha1_update(desc, data, len, sha1_transform_avx); + return sha1_update_x86(desc, data, len, sha1_transform_avx); } =20 static int sha1_avx_finup(struct shash_desc *desc, const u8 *data, unsigned int len, u8 *out) { @@ -188,11 +188,11 @@ static inline void sha1_apply_transform_avx2(struct s= ha1_state *state, } =20 static int sha1_avx2_update(struct shash_desc *desc, const u8 *data, unsigned int len) { - return sha1_update(desc, data, len, sha1_apply_transform_avx2); + return sha1_update_x86(desc, data, len, sha1_apply_transform_avx2); } =20 static int sha1_avx2_finup(struct shash_desc *desc, const u8 *data, unsigned int len, u8 *out) { @@ -232,11 +232,11 @@ asmlinkage void sha1_ni_transform(struct sha1_state *= digest, const u8 *data, int rounds); =20 static int sha1_ni_update(struct shash_desc *desc, const u8 *data, unsigned int len) { - return sha1_update(desc, data, len, sha1_ni_transform); + return sha1_update_x86(desc, data, len, sha1_ni_transform); } =20 static int sha1_ni_finup(struct shash_desc *desc, const u8 *data, unsigned int len, u8 *out) { --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A1FB7231840; Sat, 12 Jul 2025 23:26:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362781; cv=none; b=neO53Ow9EfwcwfLIZ7R40SERHeg2rGo4IAiRX/UU2XkyDVbhrjP6xucEOz7B+qcSqy7SBMCLisse5cgaQIYgV46+C42Aa/DD8YHbgQxOGdy9u5rKPILlgsdXTiG1q/C5VplsEKNO+5kUfh5D9m4ZuNiCRTcHwEl/N6GRy7bG+kE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362781; c=relaxed/simple; bh=E22JI/nh2KoyIuwx+c+Le9v+4pE3ucXhZL4d/YBdz7g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NI7a5C73oqMM3Mnhw7fuVV4OD5sJRGXmqzMJgnAA7hDrqYHp2WgPfl+uW550C0O2WMi7CimEz01xQgD2DqZJp8E+mgV4KWz1ECJSGo0mr77+xRHwGLIWFW2WRpCIaO78+ic79TXV+GG/jOtvSmF3Ibh+K5bQbpvAzzk4YMgwy8g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=cmmwf+fA; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="cmmwf+fA" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E19DEC4CEF8; Sat, 12 Jul 2025 23:26:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362781; bh=E22JI/nh2KoyIuwx+c+Le9v+4pE3ucXhZL4d/YBdz7g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cmmwf+fAlxfZeUlUdvV1RStLqLkPiW2zfJ2zBPrVlnr7L04CcfPF3I/ZY61mhxqzF UmqYAUQ4svnDAjD64/qd2nbDs5VfdmZ+Wdl6axs+Pp2dBobCdfzKvfiUfyjWyV0Emu bnFJy4JMfW/NLQp1h1EAuLTEdvJJVjXcMFnzNKc2usi851QxfTu1Eem5KjkNwGll5f lgQrbXzEIq4c4ZedmXzCDpa9WeJNZgMl9S3h/6kVtOWN5EVdkv3MDG/a3Oum868UU6 SfJiyW/fELObXrfYbVzrJFLlz3eNbYdmWQXsdfzTPEmjVRv+y4B1yYLAvoaYPKAIou 1xYQp8kEh20rg== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 02/26] lib/crypto: sha1: Rename sha1_init() to sha1_init_raw() Date: Sat, 12 Jul 2025 16:22:53 -0700 Message-ID: <20250712232329.818226-3-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Rename the existing sha1_init() to sha1_init_raw(), since it conflicts with the upcoming library function. This will later be removed, but this keeps the kernel building for the introduction of the library. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- include/crypto/sha1.h | 2 +- kernel/bpf/core.c | 2 +- lib/crypto/sha1.c | 6 +++--- net/ipv6/addrconf.c | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/crypto/sha1.h b/include/crypto/sha1.h index f48230b1413c3..d853d3b931699 100644 --- a/include/crypto/sha1.h +++ b/include/crypto/sha1.h @@ -31,9 +31,9 @@ struct sha1_state { * You shouldn't be using SHA-1, and even if you *have* to use SHA-1, this= isn't * the correct way to hash something with SHA-1 (use crypto_shash instead). */ #define SHA1_DIGEST_WORDS (SHA1_DIGEST_SIZE / 4) #define SHA1_WORKSPACE_WORDS 16 -void sha1_init(__u32 *buf); +void sha1_init_raw(__u32 *buf); void sha1_transform(__u32 *digest, const char *data, __u32 *W); =20 #endif /* _CRYPTO_SHA1_H */ diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index c20babbf998f4..dae281a1286d5 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -302,11 +302,11 @@ int bpf_prog_calc_tag(struct bpf_prog *fp) =20 raw =3D vmalloc(raw_size); if (!raw) return -ENOMEM; =20 - sha1_init(digest); + sha1_init_raw(digest); memset(ws, 0, sizeof(ws)); =20 /* We need to take out the map fd for the digest calculation * since they are unstable from user space side. */ diff --git a/lib/crypto/sha1.c b/lib/crypto/sha1.c index 6d809c3088be3..813ad96daa25a 100644 --- a/lib/crypto/sha1.c +++ b/lib/crypto/sha1.c @@ -122,20 +122,20 @@ void sha1_transform(__u32 *digest, const char *data, = __u32 *array) digest[4] +=3D E; } EXPORT_SYMBOL(sha1_transform); =20 /** - * sha1_init - initialize the vectors for a SHA1 digest + * sha1_init_raw - initialize the vectors for a SHA1 digest * @buf: vector to initialize */ -void sha1_init(__u32 *buf) +void sha1_init_raw(__u32 *buf) { buf[0] =3D 0x67452301; buf[1] =3D 0xefcdab89; buf[2] =3D 0x98badcfe; buf[3] =3D 0x10325476; buf[4] =3D 0xc3d2e1f0; } -EXPORT_SYMBOL(sha1_init); +EXPORT_SYMBOL(sha1_init_raw); =20 MODULE_DESCRIPTION("SHA-1 Algorithm"); MODULE_LICENSE("GPL"); diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index ba2ec7c870ccb..d0e5b94c10af4 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -3365,11 +3365,11 @@ static int ipv6_generate_stable_address(struct in6_= addr *address, return -1; =20 retry: spin_lock_bh(&lock); =20 - sha1_init(digest); + sha1_init_raw(digest); memset(&data, 0, sizeof(data)); memset(workspace, 0, sizeof(workspace)); memcpy(data.hwaddr, idev->dev->perm_addr, idev->dev->addr_len); data.prefix[0] =3D address->s6_addr32[0]; data.prefix[1] =3D address->s6_addr32[1]; --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 14E5B23236D; Sat, 12 Jul 2025 23:26:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362782; cv=none; b=lLFWo/f7+RyxFyGfabY/CHgxuquXp2S4tVGTGMVdM9X2tjGvWxDWj7L/bZiqt70+0s+ibSs2F1n7pg+3nZXN8r/PvH1ob6PfzsQIzKFDJ0mLotmEn2ff/nzh+Bgff4uLBf/dPU1VrevoYBpULNqyYnI+sdGXHTfjmP9dZL1SpZY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362782; c=relaxed/simple; bh=7FCBsAJrrnnuA4T7D71YIVEm2XZIVKTGyQn5RJhvcdk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fwSoxuKKH35qodtlGafv3wHZFAP32rUydwO43DNyEY+CkLdQ7EN8oC77Yzfh3aZLawJvgBO9Y8QmqPZJz9jLamFJ/UpTe0FSthEP3wJ4Ctbn8znWVhJt78QMk3wYJ6UKnAuS1GFQQcNyxyUUArAeWSFnTxY8BuibKPgub21+aB0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=AESXCqC0; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="AESXCqC0" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5F0C1C4CEEF; Sat, 12 Jul 2025 23:26:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362781; bh=7FCBsAJrrnnuA4T7D71YIVEm2XZIVKTGyQn5RJhvcdk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AESXCqC0z6pOQ9CUMUWhaUwDe7++NcZw3AkLl0Yfi0I7+dpBw5r3npCKV7bLhWYBP xaqjcxQ18FNqMMPZ78UZNtsR7pL7zZSAClydv+Nd7OeiLFyi7h8wZnzEfyiTvREzLE s6GzQO7R7wVH1ysDJveWRNmIZqa5oCW0DT8MDtQ08U1ghX0K8+Yg+PpsnHcoCMJSSs g8dmb32IhNUuXJnbhoiSiYajsRhlpebCwJAzut4xyIcwp5IJL2MaPCyiPxDOBxPRKO uVX2GN4FX8bPqJ16M4wrOL2SlllBXxZBhyhIMx2Aej4zsc7M7X8Kc5ExmIKzuG99gj RwTgzg1CKVUAA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 03/26] lib/crypto: sha1: Add SHA-1 library functions Date: Sat, 12 Jul 2025 16:22:54 -0700 Message-ID: <20250712232329.818226-4-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add a library interface for SHA-1, following the SHA-2 one. As was the case with SHA-2, this will be useful for various in-kernel users. The crypto_shash interface will be reimplemented on top of it as well. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- include/crypto/sha1.h | 60 +++++++++++++++++++++++ lib/crypto/Kconfig | 7 +++ lib/crypto/Makefile | 9 +++- lib/crypto/sha1.c | 110 +++++++++++++++++++++++++++++++++++++++++- 4 files changed, 183 insertions(+), 3 deletions(-) diff --git a/include/crypto/sha1.h b/include/crypto/sha1.h index d853d3b931699..387f6123a05e8 100644 --- a/include/crypto/sha1.h +++ b/include/crypto/sha1.h @@ -34,6 +34,66 @@ struct sha1_state { #define SHA1_DIGEST_WORDS (SHA1_DIGEST_SIZE / 4) #define SHA1_WORKSPACE_WORDS 16 void sha1_init_raw(__u32 *buf); void sha1_transform(__u32 *digest, const char *data, __u32 *W); =20 +/* State for the SHA-1 compression function */ +struct sha1_block_state { + u32 h[SHA1_DIGEST_SIZE / 4]; +}; + +/** + * struct sha1_ctx - Context for hashing a message with SHA-1 + * @state: the compression function state + * @bytecount: number of bytes processed so far + * @buf: partial block buffer; bytecount % SHA1_BLOCK_SIZE bytes are valid + */ +struct sha1_ctx { + struct sha1_block_state state; + u64 bytecount; + u8 buf[SHA1_BLOCK_SIZE]; +}; + +/** + * sha1_init() - Initialize a SHA-1 context for a new message + * @ctx: the context to initialize + * + * If you don't need incremental computation, consider sha1() instead. + * + * Context: Any context. + */ +void sha1_init(struct sha1_ctx *ctx); + +/** + * sha1_update() - Update a SHA-1 context with message data + * @ctx: the context to update; must have been initialized + * @data: the message data + * @len: the data length in bytes + * + * This can be called any number of times. + * + * Context: Any context. + */ +void sha1_update(struct sha1_ctx *ctx, const u8 *data, size_t len); + +/** + * sha1_final() - Finish computing a SHA-1 message digest + * @ctx: the context to finalize; must have been initialized + * @out: (output) the resulting SHA-1 message digest + * + * After finishing, this zeroizes @ctx. So the caller does not need to do= it. + * + * Context: Any context. + */ +void sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]); + +/** + * sha1() - Compute SHA-1 message digest in one shot + * @data: the message data + * @len: the data length in bytes + * @out: (output) the resulting SHA-1 message digest + * + * Context: Any context. + */ +void sha1(const u8 *data, size_t len, u8 out[SHA1_DIGEST_SIZE]); + #endif /* _CRYPTO_SHA1_H */ diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index c2a28a50ac576..ff54c9a631f86 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -137,10 +137,17 @@ config CRYPTO_LIB_CHACHA20POLY1305 select CRYPTO_LIB_POLY1305 select CRYPTO_LIB_UTILS =20 config CRYPTO_LIB_SHA1 tristate + help + The SHA-1 library functions. Select this if your module uses any of + the functions from . + +config CRYPTO_LIB_SHA1_ARCH + bool + depends on CRYPTO_LIB_SHA1 && !UML =20 config CRYPTO_LIB_SHA256 tristate help Enable the SHA-256 library interface. This interface may be fulfilled diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 8aaec39b85608..c96abfc4b9d3b 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -65,12 +65,17 @@ libpoly1305-y +=3D poly1305.o obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC) +=3D libpoly1305-generic.o libpoly1305-generic-y :=3D poly1305-donna32.o libpoly1305-generic-$(CONFIG_ARCH_SUPPORTS_INT128) :=3D poly1305-donna64.o libpoly1305-generic-y +=3D poly1305-generic.o =20 -obj-$(CONFIG_CRYPTO_LIB_SHA1) +=3D libsha1.o -libsha1-y :=3D sha1.o +##########################################################################= ###### + +obj-$(CONFIG_CRYPTO_LIB_SHA1) +=3D libsha1.o +libsha1-y :=3D sha1.o +ifeq ($(CONFIG_CRYPTO_LIB_SHA1_ARCH),y) +CFLAGS_sha1.o +=3D -I$(src)/$(SRCARCH) +endif # CONFIG_CRYPTO_LIB_SHA1_ARCH =20 ##########################################################################= ###### =20 obj-$(CONFIG_CRYPTO_LIB_SHA256) +=3D libsha256.o libsha256-y :=3D sha256.o diff --git a/lib/crypto/sha1.c b/lib/crypto/sha1.c index 813ad96daa25a..7c0763cbf9f1e 100644 --- a/lib/crypto/sha1.c +++ b/lib/crypto/sha1.c @@ -12,10 +12,14 @@ #include #include #include #include =20 +static const struct sha1_block_state sha1_iv =3D { + .h =3D { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 }, +}; + /* * If you have 32 registers or more, the compiler can (and should) * try to change the array[] accesses into registers. However, on * machines with less than ~25 registers, that won't really work, * and at least gcc will make an unholy mess of it. @@ -135,7 +139,111 @@ void sha1_init_raw(__u32 *buf) buf[3] =3D 0x10325476; buf[4] =3D 0xc3d2e1f0; } EXPORT_SYMBOL(sha1_init_raw); =20 -MODULE_DESCRIPTION("SHA-1 Algorithm"); +static void __maybe_unused sha1_blocks_generic(struct sha1_block_state *st= ate, + const u8 *data, size_t nblocks) +{ + u32 workspace[SHA1_WORKSPACE_WORDS]; + + do { + sha1_transform(state->h, data, workspace); + data +=3D SHA1_BLOCK_SIZE; + } while (--nblocks); + + memzero_explicit(workspace, sizeof(workspace)); +} + +#ifdef CONFIG_CRYPTO_LIB_SHA1_ARCH +#include "sha1.h" /* $(SRCARCH)/sha1.h */ +#else +#define sha1_blocks sha1_blocks_generic +#endif + +void sha1_init(struct sha1_ctx *ctx) +{ + ctx->state =3D sha1_iv; + ctx->bytecount =3D 0; +} +EXPORT_SYMBOL_GPL(sha1_init); + +void sha1_update(struct sha1_ctx *ctx, const u8 *data, size_t len) +{ + size_t partial =3D ctx->bytecount % SHA1_BLOCK_SIZE; + + ctx->bytecount +=3D len; + + if (partial + len >=3D SHA1_BLOCK_SIZE) { + size_t nblocks; + + if (partial) { + size_t l =3D SHA1_BLOCK_SIZE - partial; + + memcpy(&ctx->buf[partial], data, l); + data +=3D l; + len -=3D l; + + sha1_blocks(&ctx->state, ctx->buf, 1); + } + + nblocks =3D len / SHA1_BLOCK_SIZE; + len %=3D SHA1_BLOCK_SIZE; + + if (nblocks) { + sha1_blocks(&ctx->state, data, nblocks); + data +=3D nblocks * SHA1_BLOCK_SIZE; + } + partial =3D 0; + } + if (len) + memcpy(&ctx->buf[partial], data, len); +} +EXPORT_SYMBOL_GPL(sha1_update); + +void sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]) +{ + u64 bitcount =3D ctx->bytecount << 3; + size_t partial =3D ctx->bytecount % SHA1_BLOCK_SIZE; + + ctx->buf[partial++] =3D 0x80; + if (partial > SHA1_BLOCK_SIZE - 8) { + memset(&ctx->buf[partial], 0, SHA1_BLOCK_SIZE - partial); + sha1_blocks(&ctx->state, ctx->buf, 1); + partial =3D 0; + } + memset(&ctx->buf[partial], 0, SHA1_BLOCK_SIZE - 8 - partial); + *(__be64 *)&ctx->buf[SHA1_BLOCK_SIZE - 8] =3D cpu_to_be64(bitcount); + sha1_blocks(&ctx->state, ctx->buf, 1); + + for (size_t i =3D 0; i < SHA1_DIGEST_SIZE; i +=3D 4) + put_unaligned_be32(ctx->state.h[i / 4], out + i); + memzero_explicit(ctx, sizeof(*ctx)); +} +EXPORT_SYMBOL_GPL(sha1_final); + +void sha1(const u8 *data, size_t len, u8 out[SHA1_DIGEST_SIZE]) +{ + struct sha1_ctx ctx; + + sha1_init(&ctx); + sha1_update(&ctx, data, len); + sha1_final(&ctx, out); +} +EXPORT_SYMBOL_GPL(sha1); + +#ifdef sha1_mod_init_arch +static int __init sha1_mod_init(void) +{ + sha1_mod_init_arch(); + return 0; +} +subsys_initcall(sha1_mod_init); + +static void __exit sha1_mod_exit(void) +{ +} +module_exit(sha1_mod_exit); +#endif + +MODULE_DESCRIPTION("SHA-1 library functions"); MODULE_LICENSE("GPL"); --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 476BE233155; Sat, 12 Jul 2025 23:26:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362782; cv=none; b=Frmwa9OVu/r9qMy5iVWWq+42TUqexu3zflpuhxQjs6v/03lN21Ky3hviT76624qdtYje5LoXWumCuqIc3DYRs4PDSzfLX5OcFNoYbSi9J/EJvdG8AbPU5r4RJ0ZTkPQ/R0KnOq7sSQ7NbhMyll/VD5W9uvOsamSwBXOUnLKaf0Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362782; c=relaxed/simple; bh=p3kE84TCz0VQuyy8H041drVH/O+OxCoctuuVLXqPVR4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lFVRBMlbifJkvRGErKpUBqOmA2BNYWjp5bKS0IQLCiUhARVyOKcHNrSpBy5yC63ceAq+AJd8chcALBnrIHOworePBEk0SIY74Wf5UNFtuWeJtipGn2JqU7slEGgfFSCtuahF41RRfCz5e9hKYQfh/0KeczhyDPbqhvOZseFA0qs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ePEcZTid; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ePEcZTid" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D0E75C4CEF8; Sat, 12 Jul 2025 23:26:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362782; bh=p3kE84TCz0VQuyy8H041drVH/O+OxCoctuuVLXqPVR4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ePEcZTid0NAvCm5AHIwLUw51pnGSlOVO3QO2ZZZKukCAL0jPAivjBViMyqd0cL+hG PneEbJdkasyj4e93lFgzizFcnxdnYEpdgvoAmia9YkahWKua7t+qOKdzZU5XwRsWbT 0fMYEfl53qEmj9L+Qnjj9HKk2E77XueRCs2gv3cOpk+PS31Ipuv5WiqArGmWFoMY6e K09W2ZJOvtzDwv3BOyhSwP8L5q3NVmdi/8Dtl0CcbqNC8lkNOPjHXpxG1QCulGsKVi OtbtsNJ9Jcot1qoCCfys5OcHVXjhKc4elRBw329mjauV/R9FhqeK5KM052hbqr2du0 2X8QRQDnj4fXw== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 04/26] lib/crypto: sha1: Add HMAC support Date: Sat, 12 Jul 2025 16:22:55 -0700 Message-ID: <20250712232329.818226-5-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add HMAC support to the SHA-1 library, again following what was done for SHA-2. Besides providing the basis for a more streamlined "hmac(sha1)" shash, this will also be useful for multiple in-kernel users such as net/sctp/auth.c, net/ipv6/seg6_hmac.c, and security/keys/trusted-keys/trusted_tpm1.c. Those are currently using crypto_shash, but using the library functions would be much simpler. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- include/crypto/sha1.h | 118 ++++++++++++++++++++++++++++++++++++++++++ lib/crypto/sha1.c | 106 ++++++++++++++++++++++++++++++++++++- 2 files changed, 222 insertions(+), 2 deletions(-) diff --git a/include/crypto/sha1.h b/include/crypto/sha1.h index 387f6123a05e8..162a529ec8413 100644 --- a/include/crypto/sha1.h +++ b/include/crypto/sha1.h @@ -94,6 +94,124 @@ void sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGES= T_SIZE]); * * Context: Any context. */ void sha1(const u8 *data, size_t len, u8 out[SHA1_DIGEST_SIZE]); =20 +/** + * struct hmac_sha1_key - Prepared key for HMAC-SHA1 + * @istate: private + * @ostate: private + */ +struct hmac_sha1_key { + struct sha1_block_state istate; + struct sha1_block_state ostate; +}; + +/** + * struct hmac_sha1_ctx - Context for computing HMAC-SHA1 of a message + * @sha_ctx: private + * @ostate: private + */ +struct hmac_sha1_ctx { + struct sha1_ctx sha_ctx; + struct sha1_block_state ostate; +}; + +/** + * hmac_sha1_preparekey() - Prepare a key for HMAC-SHA1 + * @key: (output) the key structure to initialize + * @raw_key: the raw HMAC-SHA1 key + * @raw_key_len: the key length in bytes. All key lengths are supported. + * + * Note: the caller is responsible for zeroizing both the struct hmac_sha1= _key + * and the raw key once they are no longer needed. + * + * Context: Any context. + */ +void hmac_sha1_preparekey(struct hmac_sha1_key *key, + const u8 *raw_key, size_t raw_key_len); + +/** + * hmac_sha1_init() - Initialize an HMAC-SHA1 context for a new message + * @ctx: (output) the HMAC context to initialize + * @key: the prepared HMAC key + * + * If you don't need incremental computation, consider hmac_sha1() instead. + * + * Context: Any context. + */ +void hmac_sha1_init(struct hmac_sha1_ctx *ctx, const struct hmac_sha1_key = *key); + +/** + * hmac_sha1_init_usingrawkey() - Initialize an HMAC-SHA1 context for a new + * message, using a raw key + * @ctx: (output) the HMAC context to initialize + * @raw_key: the raw HMAC-SHA1 key + * @raw_key_len: the key length in bytes. All key lengths are supported. + * + * If you don't need incremental computation, consider hmac_sha1_usingrawk= ey() + * instead. + * + * Context: Any context. + */ +void hmac_sha1_init_usingrawkey(struct hmac_sha1_ctx *ctx, + const u8 *raw_key, size_t raw_key_len); + +/** + * hmac_sha1_update() - Update an HMAC-SHA1 context with message data + * @ctx: the HMAC context to update; must have been initialized + * @data: the message data + * @data_len: the data length in bytes + * + * This can be called any number of times. + * + * Context: Any context. + */ +static inline void hmac_sha1_update(struct hmac_sha1_ctx *ctx, + const u8 *data, size_t data_len) +{ + sha1_update(&ctx->sha_ctx, data, data_len); +} + +/** + * hmac_sha1_final() - Finish computing an HMAC-SHA1 value + * @ctx: the HMAC context to finalize; must have been initialized + * @out: (output) the resulting HMAC-SHA1 value + * + * After finishing, this zeroizes @ctx. So the caller does not need to do= it. + * + * Context: Any context. + */ +void hmac_sha1_final(struct hmac_sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]); + +/** + * hmac_sha1() - Compute HMAC-SHA1 in one shot, using a prepared key + * @key: the prepared HMAC key + * @data: the message data + * @data_len: the data length in bytes + * @out: (output) the resulting HMAC-SHA1 value + * + * If you're using the key only once, consider using hmac_sha1_usingrawkey= (). + * + * Context: Any context. + */ +void hmac_sha1(const struct hmac_sha1_key *key, + const u8 *data, size_t data_len, u8 out[SHA1_DIGEST_SIZE]); + +/** + * hmac_sha1_usingrawkey() - Compute HMAC-SHA1 in one shot, using a raw key + * @raw_key: the raw HMAC-SHA1 key + * @raw_key_len: the key length in bytes. All key lengths are supported. + * @data: the message data + * @data_len: the data length in bytes + * @out: (output) the resulting HMAC-SHA1 value + * + * If you're using the key multiple times, prefer to use hmac_sha1_prepare= key() + * followed by multiple calls to hmac_sha1() instead. + * + * Context: Any context. + */ +void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len, + const u8 *data, size_t data_len, + u8 out[SHA1_DIGEST_SIZE]); + #endif /* _CRYPTO_SHA1_H */ diff --git a/lib/crypto/sha1.c b/lib/crypto/sha1.c index 7c0763cbf9f1e..89831f7f27793 100644 --- a/lib/crypto/sha1.c +++ b/lib/crypto/sha1.c @@ -4,17 +4,19 @@ * and to avoid unnecessary copies into the context array. * * This was based on the git SHA1 implementation. */ =20 +#include #include #include #include #include #include #include #include +#include =20 static const struct sha1_block_state sha1_iv =3D { .h =3D { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 }, }; =20 @@ -198,11 +200,11 @@ void sha1_update(struct sha1_ctx *ctx, const u8 *data= , size_t len) if (len) memcpy(&ctx->buf[partial], data, len); } EXPORT_SYMBOL_GPL(sha1_update); =20 -void sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]) +static void __sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]) { u64 bitcount =3D ctx->bytecount << 3; size_t partial =3D ctx->bytecount % SHA1_BLOCK_SIZE; =20 ctx->buf[partial++] =3D 0x80; @@ -215,10 +217,15 @@ void sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIG= EST_SIZE]) *(__be64 *)&ctx->buf[SHA1_BLOCK_SIZE - 8] =3D cpu_to_be64(bitcount); sha1_blocks(&ctx->state, ctx->buf, 1); =20 for (size_t i =3D 0; i < SHA1_DIGEST_SIZE; i +=3D 4) put_unaligned_be32(ctx->state.h[i / 4], out + i); +} + +void sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]) +{ + __sha1_final(ctx, out); memzero_explicit(ctx, sizeof(*ctx)); } EXPORT_SYMBOL_GPL(sha1_final); =20 void sha1(const u8 *data, size_t len, u8 out[SHA1_DIGEST_SIZE]) @@ -229,10 +236,105 @@ void sha1(const u8 *data, size_t len, u8 out[SHA1_DI= GEST_SIZE]) sha1_update(&ctx, data, len); sha1_final(&ctx, out); } EXPORT_SYMBOL_GPL(sha1); =20 +static void __hmac_sha1_preparekey(struct sha1_block_state *istate, + struct sha1_block_state *ostate, + const u8 *raw_key, size_t raw_key_len) +{ + union { + u8 b[SHA1_BLOCK_SIZE]; + unsigned long w[SHA1_BLOCK_SIZE / sizeof(unsigned long)]; + } derived_key =3D { 0 }; + + if (unlikely(raw_key_len > SHA1_BLOCK_SIZE)) + sha1(raw_key, raw_key_len, derived_key.b); + else + memcpy(derived_key.b, raw_key, raw_key_len); + + for (size_t i =3D 0; i < ARRAY_SIZE(derived_key.w); i++) + derived_key.w[i] ^=3D REPEAT_BYTE(HMAC_IPAD_VALUE); + *istate =3D sha1_iv; + sha1_blocks(istate, derived_key.b, 1); + + for (size_t i =3D 0; i < ARRAY_SIZE(derived_key.w); i++) + derived_key.w[i] ^=3D REPEAT_BYTE(HMAC_OPAD_VALUE ^ + HMAC_IPAD_VALUE); + *ostate =3D sha1_iv; + sha1_blocks(ostate, derived_key.b, 1); + + memzero_explicit(&derived_key, sizeof(derived_key)); +} + +void hmac_sha1_preparekey(struct hmac_sha1_key *key, + const u8 *raw_key, size_t raw_key_len) +{ + __hmac_sha1_preparekey(&key->istate, &key->ostate, + raw_key, raw_key_len); +} +EXPORT_SYMBOL_GPL(hmac_sha1_preparekey); + +void hmac_sha1_init(struct hmac_sha1_ctx *ctx, const struct hmac_sha1_key = *key) +{ + ctx->sha_ctx.state =3D key->istate; + ctx->sha_ctx.bytecount =3D SHA1_BLOCK_SIZE; + ctx->ostate =3D key->ostate; +} +EXPORT_SYMBOL_GPL(hmac_sha1_init); + +void hmac_sha1_init_usingrawkey(struct hmac_sha1_ctx *ctx, + const u8 *raw_key, size_t raw_key_len) +{ + __hmac_sha1_preparekey(&ctx->sha_ctx.state, &ctx->ostate, + raw_key, raw_key_len); + ctx->sha_ctx.bytecount =3D SHA1_BLOCK_SIZE; +} +EXPORT_SYMBOL_GPL(hmac_sha1_init_usingrawkey); + +void hmac_sha1_final(struct hmac_sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]) +{ + /* Generate the padded input for the outer hash in ctx->sha_ctx.buf. */ + __sha1_final(&ctx->sha_ctx, ctx->sha_ctx.buf); + memset(&ctx->sha_ctx.buf[SHA1_DIGEST_SIZE], 0, + SHA1_BLOCK_SIZE - SHA1_DIGEST_SIZE); + ctx->sha_ctx.buf[SHA1_DIGEST_SIZE] =3D 0x80; + *(__be32 *)&ctx->sha_ctx.buf[SHA1_BLOCK_SIZE - 4] =3D + cpu_to_be32(8 * (SHA1_BLOCK_SIZE + SHA1_DIGEST_SIZE)); + + /* Compute the outer hash, which gives the HMAC value. */ + sha1_blocks(&ctx->ostate, ctx->sha_ctx.buf, 1); + for (size_t i =3D 0; i < SHA1_DIGEST_SIZE; i +=3D 4) + put_unaligned_be32(ctx->ostate.h[i / 4], out + i); + + memzero_explicit(ctx, sizeof(*ctx)); +} +EXPORT_SYMBOL_GPL(hmac_sha1_final); + +void hmac_sha1(const struct hmac_sha1_key *key, + const u8 *data, size_t data_len, u8 out[SHA1_DIGEST_SIZE]) +{ + struct hmac_sha1_ctx ctx; + + hmac_sha1_init(&ctx, key); + hmac_sha1_update(&ctx, data, data_len); + hmac_sha1_final(&ctx, out); +} +EXPORT_SYMBOL_GPL(hmac_sha1); + +void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len, + const u8 *data, size_t data_len, + u8 out[SHA1_DIGEST_SIZE]) +{ + struct hmac_sha1_ctx ctx; + + hmac_sha1_init_usingrawkey(&ctx, raw_key, raw_key_len); + hmac_sha1_update(&ctx, data, data_len); + hmac_sha1_final(&ctx, out); +} +EXPORT_SYMBOL_GPL(hmac_sha1_usingrawkey); + #ifdef sha1_mod_init_arch static int __init sha1_mod_init(void) { sha1_mod_init_arch(); return 0; @@ -243,7 +345,7 @@ static void __exit sha1_mod_exit(void) { } module_exit(sha1_mod_exit); #endif =20 -MODULE_DESCRIPTION("SHA-1 library functions"); +MODULE_DESCRIPTION("SHA-1 and HMAC-SHA1 library functions"); MODULE_LICENSE("GPL"); --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1287E23535C; Sat, 12 Jul 2025 23:26:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362783; cv=none; b=HVJ5ggIsGg0RtuSH8BSVv5xFLqfUVu9EjvOBOBN8dWQr4SrwLeVXrxhrwgIFnejV7jEK6dI//QcD4pfydXReyB8cYzKAIhawUc8kU3RkJnnhgZ/r2F1ZY7GngC0qYrjTPCvNCfhP1tygZf3/v6BJHcJcF0XuOu+nPQrsivW25x0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362783; c=relaxed/simple; bh=AlEfsWshuJVJoEqIWDUHgVA6EIWkvwPPCzh+qlha/7Y=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=nBqqXzS6/JjokraQr/SvBgE6A5FzDtzFzxbRwp3j62grbXl13Rx8knoBfyeo3wrc3ToYtVc59x1qGhvoCeKVBV8OgMh2cAB8wF0JSWjOrtZ9+YrDC6N00GX31i3KzMykFfD5WuT9CmUb4P5XRUTaYAAucgczUq0JTAnTQXyzkA0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=a45xcfmJ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="a45xcfmJ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4E7B8C4CEEF; Sat, 12 Jul 2025 23:26:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362782; bh=AlEfsWshuJVJoEqIWDUHgVA6EIWkvwPPCzh+qlha/7Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=a45xcfmJxSdS2gmP8Arke0HTOR8xVfTQZ3wbcilteIj4ntdMDu9slJhe//M/jB8bX fKSvKhuDxUW7NqL2XbNdHzN125wzKynYOGdG7BPCKKw+vyIsz+ymx2YzA/BeKz3sft Kg67dJX9xNYEJIECVlK3C7vtWISPqdOsa2nbQu1D6IcLd/C2oEYpgxz7WotH+AM2/0 TIQcPsKlVtGLtiEfS0tLHKIGXa/p3BruwzUS3sV5IYNsOKCMTQI58R7TnA/cLSc79q SNX6M/G5iSJPQJdI0WgB5L6O/2ybDntJkcoDTKsI3N7QRZ1adU2k96AJvsUDUfxHsg thxXtYqtTspLA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 05/26] crypto: sha1 - Wrap library and add HMAC support Date: Sat, 12 Jul 2025 16:22:56 -0700 Message-ID: <20250712232329.818226-6-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Like I did for crypto/sha512.c, rework crypto/sha1_generic.c (renamed to crypto/sha1.c) to simply wrap the normal library functions instead of accessing the low-level block function directly. Also add support for HMAC-SHA1, again just wrapping the library functions. Since the replacement crypto_shash algorithms are implemented using the (potentially arch-optimized) library functions, give them driver names ending with "-lib" rather than "-generic". Update crypto/testmgr.c and an odd driver to take this change in driver name into account. Note: to see the diff from crypto/sha1_generic.c to crypto/sha1.c, view this commit with 'git show -M10'. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- crypto/Makefile | 2 +- crypto/sha1.c | 135 ++++++++++++++++++++++++++++++++++++++ crypto/sha1_generic.c | 87 ------------------------ crypto/testmgr.c | 6 ++ drivers/crypto/img-hash.c | 2 +- 5 files changed, 143 insertions(+), 89 deletions(-) create mode 100644 crypto/sha1.c delete mode 100644 crypto/sha1_generic.c diff --git a/crypto/Makefile b/crypto/Makefile index 816607e0e78ce..9110f708e5a9f 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -73,11 +73,11 @@ obj-$(CONFIG_CRYPTO_HMAC) +=3D hmac.o obj-$(CONFIG_CRYPTO_XCBC) +=3D xcbc.o obj-$(CONFIG_CRYPTO_NULL) +=3D crypto_null.o obj-$(CONFIG_CRYPTO_MD4) +=3D md4.o obj-$(CONFIG_CRYPTO_MD5) +=3D md5.o obj-$(CONFIG_CRYPTO_RMD160) +=3D rmd160.o -obj-$(CONFIG_CRYPTO_SHA1) +=3D sha1_generic.o +obj-$(CONFIG_CRYPTO_SHA1) +=3D sha1.o obj-$(CONFIG_CRYPTO_SHA256) +=3D sha256.o obj-$(CONFIG_CRYPTO_SHA512) +=3D sha512.o obj-$(CONFIG_CRYPTO_SHA3) +=3D sha3_generic.o obj-$(CONFIG_CRYPTO_SM3_GENERIC) +=3D sm3_generic.o obj-$(CONFIG_CRYPTO_STREEBOG) +=3D streebog_generic.o diff --git a/crypto/sha1.c b/crypto/sha1.c new file mode 100644 index 0000000000000..00e273b0401db --- /dev/null +++ b/crypto/sha1.c @@ -0,0 +1,135 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Crypto API support for SHA-1 and HMAC-SHA1 + * + * Copyright (c) Alan Smithee. + * Copyright (c) Andrew McDonald + * Copyright (c) Jean-Francois Dive + * Copyright 2025 Google LLC + */ +#include +#include +#include +#include + +const u8 sha1_zero_message_hash[SHA1_DIGEST_SIZE] =3D { + 0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, + 0x32, 0x55, 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, + 0xaf, 0xd8, 0x07, 0x09 +}; +EXPORT_SYMBOL_GPL(sha1_zero_message_hash); + +#define SHA1_CTX(desc) ((struct sha1_ctx *)shash_desc_ctx(desc)) + +static int crypto_sha1_init(struct shash_desc *desc) +{ + sha1_init(SHA1_CTX(desc)); + return 0; +} + +static int crypto_sha1_update(struct shash_desc *desc, + const u8 *data, unsigned int len) +{ + sha1_update(SHA1_CTX(desc), data, len); + return 0; +} + +static int crypto_sha1_final(struct shash_desc *desc, u8 *out) +{ + sha1_final(SHA1_CTX(desc), out); + return 0; +} + +static int crypto_sha1_digest(struct shash_desc *desc, + const u8 *data, unsigned int len, u8 *out) +{ + sha1(data, len, out); + return 0; +} + +#define HMAC_SHA1_KEY(tfm) ((struct hmac_sha1_key *)crypto_shash_ctx(tfm)) +#define HMAC_SHA1_CTX(desc) ((struct hmac_sha1_ctx *)shash_desc_ctx(desc)) + +static int crypto_hmac_sha1_setkey(struct crypto_shash *tfm, + const u8 *raw_key, unsigned int keylen) +{ + hmac_sha1_preparekey(HMAC_SHA1_KEY(tfm), raw_key, keylen); + return 0; +} + +static int crypto_hmac_sha1_init(struct shash_desc *desc) +{ + hmac_sha1_init(HMAC_SHA1_CTX(desc), HMAC_SHA1_KEY(desc->tfm)); + return 0; +} + +static int crypto_hmac_sha1_update(struct shash_desc *desc, + const u8 *data, unsigned int len) +{ + hmac_sha1_update(HMAC_SHA1_CTX(desc), data, len); + return 0; +} + +static int crypto_hmac_sha1_final(struct shash_desc *desc, u8 *out) +{ + hmac_sha1_final(HMAC_SHA1_CTX(desc), out); + return 0; +} + +static int crypto_hmac_sha1_digest(struct shash_desc *desc, + const u8 *data, unsigned int len, u8 *out) +{ + hmac_sha1(HMAC_SHA1_KEY(desc->tfm), data, len, out); + return 0; +} + +static struct shash_alg algs[] =3D { + { + .base.cra_name =3D "sha1", + .base.cra_driver_name =3D "sha1-lib", + .base.cra_priority =3D 300, + .base.cra_blocksize =3D SHA1_BLOCK_SIZE, + .base.cra_module =3D THIS_MODULE, + .digestsize =3D SHA1_DIGEST_SIZE, + .init =3D crypto_sha1_init, + .update =3D crypto_sha1_update, + .final =3D crypto_sha1_final, + .digest =3D crypto_sha1_digest, + .descsize =3D sizeof(struct sha1_ctx), + }, + { + .base.cra_name =3D "hmac(sha1)", + .base.cra_driver_name =3D "hmac-sha1-lib", + .base.cra_priority =3D 300, + .base.cra_blocksize =3D SHA1_BLOCK_SIZE, + .base.cra_ctxsize =3D sizeof(struct hmac_sha1_key), + .base.cra_module =3D THIS_MODULE, + .digestsize =3D SHA1_DIGEST_SIZE, + .setkey =3D crypto_hmac_sha1_setkey, + .init =3D crypto_hmac_sha1_init, + .update =3D crypto_hmac_sha1_update, + .final =3D crypto_hmac_sha1_final, + .digest =3D crypto_hmac_sha1_digest, + .descsize =3D sizeof(struct hmac_sha1_ctx), + }, +}; + +static int __init crypto_sha1_mod_init(void) +{ + return crypto_register_shashes(algs, ARRAY_SIZE(algs)); +} +module_init(crypto_sha1_mod_init); + +static void __exit crypto_sha1_mod_exit(void) +{ + crypto_unregister_shashes(algs, ARRAY_SIZE(algs)); +} +module_exit(crypto_sha1_mod_exit); + +MODULE_LICENSE("GPL"); +MODULE_DESCRIPTION("Crypto API support for SHA-1 and HMAC-SHA1"); + +MODULE_ALIAS_CRYPTO("sha1"); +MODULE_ALIAS_CRYPTO("sha1-lib"); +MODULE_ALIAS_CRYPTO("hmac(sha1)"); +MODULE_ALIAS_CRYPTO("hmac-sha1-lib"); diff --git a/crypto/sha1_generic.c b/crypto/sha1_generic.c deleted file mode 100644 index 024e8043bab02..0000000000000 --- a/crypto/sha1_generic.c +++ /dev/null @@ -1,87 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Cryptographic API. - * - * SHA1 Secure Hash Algorithm. - * - * Derived from cryptoapi implementation, adapted for in-place - * scatterlist interface. - * - * Copyright (c) Alan Smithee. - * Copyright (c) Andrew McDonald - * Copyright (c) Jean-Francois Dive - */ -#include -#include -#include -#include -#include -#include - -const u8 sha1_zero_message_hash[SHA1_DIGEST_SIZE] =3D { - 0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, - 0x32, 0x55, 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, - 0xaf, 0xd8, 0x07, 0x09 -}; -EXPORT_SYMBOL_GPL(sha1_zero_message_hash); - -static void sha1_generic_block_fn(struct sha1_state *sst, u8 const *src, - int blocks) -{ - u32 temp[SHA1_WORKSPACE_WORDS]; - - while (blocks--) { - sha1_transform(sst->state, src, temp); - src +=3D SHA1_BLOCK_SIZE; - } - memzero_explicit(temp, sizeof(temp)); -} - -static int crypto_sha1_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - return sha1_base_do_update_blocks(desc, data, len, - sha1_generic_block_fn); -} - -static int crypto_sha1_finup(struct shash_desc *desc, const u8 *data, - unsigned int len, u8 *out) -{ - sha1_base_do_finup(desc, data, len, sha1_generic_block_fn); - return sha1_base_finish(desc, out); -} - -static struct shash_alg alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D sha1_base_init, - .update =3D crypto_sha1_update, - .finup =3D crypto_sha1_finup, - .descsize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name=3D "sha1-generic", - .cra_priority =3D 100, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static int __init sha1_generic_mod_init(void) -{ - return crypto_register_shash(&alg); -} - -static void __exit sha1_generic_mod_fini(void) -{ - crypto_unregister_shash(&alg); -} - -module_init(sha1_generic_mod_init); -module_exit(sha1_generic_mod_fini); - -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm"); - -MODULE_ALIAS_CRYPTO("sha1"); -MODULE_ALIAS_CRYPTO("sha1-generic"); diff --git a/crypto/testmgr.c b/crypto/testmgr.c index 4e95567f7ed17..be78e39307692 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -4235,33 +4235,37 @@ static const struct alg_test_desc alg_test_descs[] = =3D { .suite =3D { .aead =3D __VECS(hmac_md5_ecb_cipher_null_tv_template) } }, { .alg =3D "authenc(hmac(sha1),cbc(aes))", + .generic_driver =3D "authenc(hmac-sha1-lib,cbc(aes-generic))", .test =3D alg_test_aead, .fips_allowed =3D 1, .suite =3D { .aead =3D __VECS(hmac_sha1_aes_cbc_tv_temp) } }, { .alg =3D "authenc(hmac(sha1),cbc(des))", + .generic_driver =3D "authenc(hmac-sha1-lib,cbc(des-generic))", .test =3D alg_test_aead, .suite =3D { .aead =3D __VECS(hmac_sha1_des_cbc_tv_temp) } }, { .alg =3D "authenc(hmac(sha1),cbc(des3_ede))", + .generic_driver =3D "authenc(hmac-sha1-lib,cbc(des3_ede-generic))", .test =3D alg_test_aead, .suite =3D { .aead =3D __VECS(hmac_sha1_des3_ede_cbc_tv_temp) } }, { .alg =3D "authenc(hmac(sha1),ctr(aes))", .test =3D alg_test_null, .fips_allowed =3D 1, }, { .alg =3D "authenc(hmac(sha1),ecb(cipher_null))", + .generic_driver =3D "authenc(hmac-sha1-lib,ecb-cipher_null)", .test =3D alg_test_aead, .suite =3D { .aead =3D __VECS(hmac_sha1_ecb_cipher_null_tv_temp) } }, { @@ -5120,10 +5124,11 @@ static const struct alg_test_desc alg_test_descs[] = =3D { .suite =3D { .hash =3D __VECS(hmac_rmd160_tv_template) } }, { .alg =3D "hmac(sha1)", + .generic_driver =3D "hmac-sha1-lib", .test =3D alg_test_hash, .fips_allowed =3D 1, .suite =3D { .hash =3D __VECS(hmac_sha1_tv_template) } @@ -5460,10 +5465,11 @@ static const struct alg_test_desc alg_test_descs[] = =3D { .suite =3D { .akcipher =3D __VECS(rsa_tv_template) } }, { .alg =3D "sha1", + .generic_driver =3D "sha1-lib", .test =3D alg_test_hash, .fips_allowed =3D 1, .suite =3D { .hash =3D __VECS(sha1_tv_template) } diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c index f312eb075feca..a8f735390f0dd 100644 --- a/drivers/crypto/img-hash.c +++ b/drivers/crypto/img-hash.c @@ -703,11 +703,11 @@ static int img_hash_cra_md5_init(struct crypto_tfm *t= fm) return img_hash_cra_init(tfm, "md5-generic"); } =20 static int img_hash_cra_sha1_init(struct crypto_tfm *tfm) { - return img_hash_cra_init(tfm, "sha1-generic"); + return img_hash_cra_init(tfm, "sha1-lib"); } =20 static int img_hash_cra_sha224_init(struct crypto_tfm *tfm) { return img_hash_cra_init(tfm, "sha224-lib"); --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 74A9A236437; Sat, 12 Jul 2025 23:26:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362783; cv=none; b=KFZGf1DZhKCT3iYxfpOdDY4bT9btMFOUZULcQU716rdC83UlEVAsbZBboTPz5+hoZAfKHMHtFLZSv6PQJeVVX5QhrwTKUB1N0r/rFW4GsoywQX6/CkY1rlt10hGBYjPp3wH5QReTpKLCQ8w2v+8jUoJE3qCHZ8ToYjiedJDvyX0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362783; c=relaxed/simple; bh=n359i41djwWU+CGbW44dWKxffZV+egIZKibwbQ46oIQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fv2lZV8aUWG0DzAyqTYkigxrYAOiOvcxVsE2ThBGPguMLwk46yHb19vrjY9siiRjTehfhJfuHcQEvpENNuZTF09QdBEOiTJGhreO58Ezy7grDXhOVmfRIUsWx01eTjKMAhm7HakxTAHsjto/mDWKSMsaBIZVfMtZtJFoJFGZy48= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=K8YbndeO; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="K8YbndeO" Received: by smtp.kernel.org (Postfix) with ESMTPSA id BFA18C4CEF5; Sat, 12 Jul 2025 23:26:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362783; bh=n359i41djwWU+CGbW44dWKxffZV+egIZKibwbQ46oIQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=K8YbndeO+dMZGy3v3A29yW4ag3kUQJAE3I0HlAMkkp1SkG9D5Q8ojJFLySi0YHm/Q DRNs3LUUmZe7vOScPcD8GdnNrJN4Iynsvd5PuxN51Ri5Zz/OD9JnoVqZDgBIspgBZJ uLEJF8hZ5RNCal9KNkWNmPI/OT8wlhEAjp4pxLD5WSJQEWvDhJKpiwtoPs7t2CPqZl fxjRCRMHRBzbHPJ4jp1LbQppuQU8wI8Wq3MjL2iMdrvaTQU8yofE9FK0aqLGCan2iw ufT012XOOlulVEJ5QKifmXRld5x5wGSlbRCejtvEMqX6JadX77XNhU3+YbvUfUuJlB CLnVb3YUz8dmA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 06/26] crypto: sha1 - Use same state format as legacy drivers Date: Sat, 12 Jul 2025 16:22:57 -0700 Message-ID: <20250712232329.818226-7-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Same as sha256 and sha512: Use the state format that the generic partial block handling code produces, as requested by Herbert, even though this is applicable only to legacy drivers. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- crypto/sha1.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/crypto/sha1.c b/crypto/sha1.c index 00e273b0401db..ecef4bf2d9c00 100644 --- a/crypto/sha1.c +++ b/crypto/sha1.c @@ -10,10 +10,47 @@ #include #include #include #include =20 +/* + * Export and import functions. crypto_shash wants a particular format th= at + * matches that used by some legacy drivers. It currently is the same as = the + * library SHA context, except the value in bytecount must be block-aligne= d and + * the remainder must be stored in an extra u8 appended to the struct. + */ + +#define SHA1_SHASH_STATE_SIZE (sizeof(struct sha1_ctx) + 1) +static_assert(sizeof(struct sha1_ctx) =3D=3D sizeof(struct sha1_state)); +static_assert(offsetof(struct sha1_ctx, state) =3D=3D offsetof(struct sha1= _state, state)); +static_assert(offsetof(struct sha1_ctx, bytecount) =3D=3D offsetof(struct = sha1_state, count)); +static_assert(offsetof(struct sha1_ctx, buf) =3D=3D offsetof(struct sha1_s= tate, buffer)); + +static int __crypto_sha1_export(const struct sha1_ctx *ctx0, void *out) +{ + struct sha1_ctx ctx =3D *ctx0; + unsigned int partial; + u8 *p =3D out; + + partial =3D ctx.bytecount % SHA1_BLOCK_SIZE; + ctx.bytecount -=3D partial; + memcpy(p, &ctx, sizeof(ctx)); + p +=3D sizeof(ctx); + *p =3D partial; + return 0; +} + +static int __crypto_sha1_import(struct sha1_ctx *ctx, const void *in) +{ + const u8 *p =3D in; + + memcpy(ctx, p, sizeof(*ctx)); + p +=3D sizeof(*ctx); + ctx->bytecount +=3D *p; + return 0; +} + const u8 sha1_zero_message_hash[SHA1_DIGEST_SIZE] =3D { 0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09 }; @@ -45,10 +82,20 @@ static int crypto_sha1_digest(struct shash_desc *desc, { sha1(data, len, out); return 0; } =20 +static int crypto_sha1_export(struct shash_desc *desc, void *out) +{ + return __crypto_sha1_export(SHA1_CTX(desc), out); +} + +static int crypto_sha1_import(struct shash_desc *desc, const void *in) +{ + return __crypto_sha1_import(SHA1_CTX(desc), in); +} + #define HMAC_SHA1_KEY(tfm) ((struct hmac_sha1_key *)crypto_shash_ctx(tfm)) #define HMAC_SHA1_CTX(desc) ((struct hmac_sha1_ctx *)shash_desc_ctx(desc)) =20 static int crypto_hmac_sha1_setkey(struct crypto_shash *tfm, const u8 *raw_key, unsigned int keylen) @@ -81,10 +128,23 @@ static int crypto_hmac_sha1_digest(struct shash_desc *= desc, { hmac_sha1(HMAC_SHA1_KEY(desc->tfm), data, len, out); return 0; } =20 +static int crypto_hmac_sha1_export(struct shash_desc *desc, void *out) +{ + return __crypto_sha1_export(&HMAC_SHA1_CTX(desc)->sha_ctx, out); +} + +static int crypto_hmac_sha1_import(struct shash_desc *desc, const void *in) +{ + struct hmac_sha1_ctx *ctx =3D HMAC_SHA1_CTX(desc); + + ctx->ostate =3D HMAC_SHA1_KEY(desc->tfm)->ostate; + return __crypto_sha1_import(&ctx->sha_ctx, in); +} + static struct shash_alg algs[] =3D { { .base.cra_name =3D "sha1", .base.cra_driver_name =3D "sha1-lib", .base.cra_priority =3D 300, @@ -93,11 +153,14 @@ static struct shash_alg algs[] =3D { .digestsize =3D SHA1_DIGEST_SIZE, .init =3D crypto_sha1_init, .update =3D crypto_sha1_update, .final =3D crypto_sha1_final, .digest =3D crypto_sha1_digest, + .export =3D crypto_sha1_export, + .import =3D crypto_sha1_import, .descsize =3D sizeof(struct sha1_ctx), + .statesize =3D SHA1_SHASH_STATE_SIZE, }, { .base.cra_name =3D "hmac(sha1)", .base.cra_driver_name =3D "hmac-sha1-lib", .base.cra_priority =3D 300, @@ -108,11 +171,14 @@ static struct shash_alg algs[] =3D { .setkey =3D crypto_hmac_sha1_setkey, .init =3D crypto_hmac_sha1_init, .update =3D crypto_hmac_sha1_update, .final =3D crypto_hmac_sha1_final, .digest =3D crypto_hmac_sha1_digest, + .export =3D crypto_hmac_sha1_export, + .import =3D crypto_hmac_sha1_import, .descsize =3D sizeof(struct hmac_sha1_ctx), + .statesize =3D SHA1_SHASH_STATE_SIZE, }, }; =20 static int __init crypto_sha1_mod_init(void) { --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AA36D2367C0; Sat, 12 Jul 2025 23:26:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362783; cv=none; b=nA7gM04uNrWaYzxfnVZuL1f+tN1IpvaSz1DYfo/+7oM3RWLrb5CakwX2e99Ya6QbJ3cRBa8scw8cKtr1jOB4vJzASuwi9f4JiNg9I6B3U82FkpKs0UKvIrX8MFk8IzwSEqRVy0RLuLaQYTmR4GVAGRW8YZJqLc9nA7q1SuBHDQw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362783; c=relaxed/simple; bh=bpokzlR5aRrtAf8xhNRcFoywovQO/qQZG9FKuitvbCw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=FLmuHzcb1LOw9f2tAHTiUxtmp7LBNMusIoNj2kY0I03jZUpvbEXrkYUyahBGEhIe+svGEzsiW8y02K/NlM8N3cnpmr3AWtxO0f/yw9ozFGDFVr+Z5DgUmdMVHXZAqQnQatzUcA9BQGxoiU3aokKNKXkuD/VbICsUw8X/0EjjM5A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=VHp+oJL4; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="VHp+oJL4" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3C9FBC4CEF7; Sat, 12 Jul 2025 23:26:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362783; bh=bpokzlR5aRrtAf8xhNRcFoywovQO/qQZG9FKuitvbCw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VHp+oJL4lww+HdUgf7FStuudDaEDe4dNiT/XClKNlG+hNGTx3nTDtMRzMd79RvUAd HwebO+Scx1RN0yl+EavxREVlCgi0yunL5T+KDzGRcaBzPJucUQ61pK3nZp3k4bcrHo B4T01D1397+RVSmZY9cGBfKhOkR65hNiE6gHEukV5u2yIw/VQTHffDnqfIAJSYpaa9 LCnzRFnURojiEODMeMQr8Ai/7CAYsKOnDnHKmX0gmrUQ3YtrvZd/Bwm2hym+38atew qKMOlBrFqCv1I5eL+wfRHpQSNTYlpRLNtjr9dEQZs22Dw8Xfke2XInPk55SYESOx/I 0V9QcqcOg8o5A== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 07/26] lib/crypto: arm/sha1: Migrate optimized code into library Date: Sat, 12 Jul 2025 16:22:58 -0700 Message-ID: <20250712232329.818226-8-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Instead of exposing the arm-optimized SHA-1 code via arm-specific crypto_shash algorithms, instead just implement the sha1_blocks() library function. This is much simpler, it makes the SHA-1 library functions be arm-optimized, and it fixes the longstanding issue where the arm-optimized SHA-1 code was disabled by default. SHA-1 still remains available through crypto_shash, but individual architectures no longer need to handle it. To match sha1_blocks(), change the type of the nblocks parameter of the assembly functions from int to size_t. The assembly functions actually already treated it as size_t. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- arch/arm/configs/exynos_defconfig | 1 - arch/arm/configs/milbeaut_m10v_defconfig | 2 - arch/arm/configs/multi_v7_defconfig | 2 - arch/arm/configs/omap2plus_defconfig | 1 - arch/arm/configs/pxa_defconfig | 1 - arch/arm/crypto/Kconfig | 31 ------- arch/arm/crypto/Makefile | 6 -- arch/arm/crypto/sha1-ce-glue.c | 72 ---------------- arch/arm/crypto/sha1_glue.c | 75 ----------------- arch/arm/crypto/sha1_neon_glue.c | 83 ------------------- lib/crypto/Kconfig | 1 + lib/crypto/Makefile | 5 ++ .../crypto/arm}/sha1-armv4-large.S | 0 .../crypto/arm}/sha1-armv7-neon.S | 13 ++- .../crypto =3D> lib/crypto/arm}/sha1-ce-core.S | 4 +- lib/crypto/arm/sha1.h | 46 ++++++++++ 16 files changed, 60 insertions(+), 283 deletions(-) delete mode 100644 arch/arm/crypto/sha1-ce-glue.c delete mode 100644 arch/arm/crypto/sha1_glue.c delete mode 100644 arch/arm/crypto/sha1_neon_glue.c rename {arch/arm/crypto =3D> lib/crypto/arm}/sha1-armv4-large.S (100%) rename {arch/arm/crypto =3D> lib/crypto/arm}/sha1-armv7-neon.S (98%) rename {arch/arm/crypto =3D> lib/crypto/arm}/sha1-ce-core.S (96%) create mode 100644 lib/crypto/arm/sha1.h diff --git a/arch/arm/configs/exynos_defconfig b/arch/arm/configs/exynos_de= fconfig index d58e300693045..6915c766923a2 100644 --- a/arch/arm/configs/exynos_defconfig +++ b/arch/arm/configs/exynos_defconfig @@ -361,11 +361,10 @@ CONFIG_CRYPTO_LZO=3Dm CONFIG_CRYPTO_LZ4=3Dm CONFIG_CRYPTO_USER_API_HASH=3Dm CONFIG_CRYPTO_USER_API_SKCIPHER=3Dm CONFIG_CRYPTO_USER_API_RNG=3Dm CONFIG_CRYPTO_USER_API_AEAD=3Dm -CONFIG_CRYPTO_SHA1_ARM_NEON=3Dm CONFIG_CRYPTO_AES_ARM_BS=3Dm CONFIG_CRYPTO_CHACHA20_NEON=3Dm CONFIG_CRYPTO_DEV_EXYNOS_RNG=3Dy CONFIG_CRYPTO_DEV_S5P=3Dy CONFIG_DMA_CMA=3Dy diff --git a/arch/arm/configs/milbeaut_m10v_defconfig b/arch/arm/configs/mi= lbeaut_m10v_defconfig index 8ebf8bd872fe8..a3be0b2ede09c 100644 --- a/arch/arm/configs/milbeaut_m10v_defconfig +++ b/arch/arm/configs/milbeaut_m10v_defconfig @@ -96,12 +96,10 @@ CONFIG_KEYS=3Dy CONFIG_CRYPTO_SELFTESTS=3Dy # CONFIG_CRYPTO_ECHAINIV is not set CONFIG_CRYPTO_AES=3Dy CONFIG_CRYPTO_SEQIV=3Dm CONFIG_CRYPTO_GHASH_ARM_CE=3Dm -CONFIG_CRYPTO_SHA1_ARM_NEON=3Dm -CONFIG_CRYPTO_SHA1_ARM_CE=3Dm CONFIG_CRYPTO_AES_ARM=3Dm CONFIG_CRYPTO_AES_ARM_BS=3Dm CONFIG_CRYPTO_AES_ARM_CE=3Dm CONFIG_CRYPTO_CHACHA20_NEON=3Dm # CONFIG_CRYPTO_HW is not set diff --git a/arch/arm/configs/multi_v7_defconfig b/arch/arm/configs/multi_v= 7_defconfig index 3fd07e864ca85..fb63f487a6232 100644 --- a/arch/arm/configs/multi_v7_defconfig +++ b/arch/arm/configs/multi_v7_defconfig @@ -1278,12 +1278,10 @@ CONFIG_CRYPTO_USER=3Dm CONFIG_CRYPTO_USER_API_HASH=3Dm CONFIG_CRYPTO_USER_API_SKCIPHER=3Dm CONFIG_CRYPTO_USER_API_RNG=3Dm CONFIG_CRYPTO_USER_API_AEAD=3Dm CONFIG_CRYPTO_GHASH_ARM_CE=3Dm -CONFIG_CRYPTO_SHA1_ARM_NEON=3Dm -CONFIG_CRYPTO_SHA1_ARM_CE=3Dm CONFIG_CRYPTO_AES_ARM=3Dm CONFIG_CRYPTO_AES_ARM_BS=3Dm CONFIG_CRYPTO_AES_ARM_CE=3Dm CONFIG_CRYPTO_CHACHA20_NEON=3Dm CONFIG_CRYPTO_DEV_SUN4I_SS=3Dm diff --git a/arch/arm/configs/omap2plus_defconfig b/arch/arm/configs/omap2p= lus_defconfig index 530dfb8338c98..0464676379013 100644 --- a/arch/arm/configs/omap2plus_defconfig +++ b/arch/arm/configs/omap2plus_defconfig @@ -702,11 +702,10 @@ CONFIG_ROOT_NFS=3Dy CONFIG_NLS_CODEPAGE_437=3Dy CONFIG_NLS_ISO8859_1=3Dy CONFIG_SECURITY=3Dy CONFIG_CRYPTO_MICHAEL_MIC=3Dy CONFIG_CRYPTO_GHASH_ARM_CE=3Dm -CONFIG_CRYPTO_SHA1_ARM_NEON=3Dm CONFIG_CRYPTO_AES_ARM=3Dm CONFIG_CRYPTO_AES_ARM_BS=3Dm CONFIG_CRYPTO_CHACHA20_NEON=3Dm CONFIG_CRYPTO_DEV_OMAP=3Dm CONFIG_CRYPTO_DEV_OMAP_SHAM=3Dm diff --git a/arch/arm/configs/pxa_defconfig b/arch/arm/configs/pxa_defconfig index eaa44574d4a64..1a80602c12845 100644 --- a/arch/arm/configs/pxa_defconfig +++ b/arch/arm/configs/pxa_defconfig @@ -656,11 +656,10 @@ CONFIG_CRYPTO_TGR192=3Dm CONFIG_CRYPTO_WP512=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_XCBC=3Dm CONFIG_CRYPTO_DEFLATE=3Dy CONFIG_CRYPTO_LZO=3Dy -CONFIG_CRYPTO_SHA1_ARM=3Dm CONFIG_CRYPTO_AES_ARM=3Dm CONFIG_FONTS=3Dy CONFIG_FONT_8x8=3Dy CONFIG_FONT_8x16=3Dy CONFIG_FONT_6x11=3Dy diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig index a18f97f1597cb..1e5f3cdf691c4 100644 --- a/arch/arm/crypto/Kconfig +++ b/arch/arm/crypto/Kconfig @@ -60,41 +60,10 @@ config CRYPTO_BLAKE2B_NEON On ARM processors that have NEON support but not the ARMv8 Crypto Extensions, typically this BLAKE2b implementation is much faster than the SHA-2 family and slightly faster than SHA-1. =20 -config CRYPTO_SHA1_ARM - tristate "Hash functions: SHA-1" - select CRYPTO_SHA1 - select CRYPTO_HASH - help - SHA-1 secure hash algorithm (FIPS 180) - - Architecture: arm - -config CRYPTO_SHA1_ARM_NEON - tristate "Hash functions: SHA-1 (NEON)" - depends on KERNEL_MODE_NEON - select CRYPTO_SHA1_ARM - select CRYPTO_SHA1 - select CRYPTO_HASH - help - SHA-1 secure hash algorithm (FIPS 180) - - Architecture: arm using - - NEON (Advanced SIMD) extensions - -config CRYPTO_SHA1_ARM_CE - tristate "Hash functions: SHA-1 (ARMv8 Crypto Extensions)" - depends on KERNEL_MODE_NEON - select CRYPTO_SHA1_ARM - select CRYPTO_HASH - help - SHA-1 secure hash algorithm (FIPS 180) - - Architecture: arm using ARMv8 Crypto Extensions - config CRYPTO_AES_ARM tristate "Ciphers: AES" select CRYPTO_ALGAPI select CRYPTO_AES help diff --git a/arch/arm/crypto/Makefile b/arch/arm/crypto/Makefile index 78a4042d8761c..4f23999ae17df 100644 --- a/arch/arm/crypto/Makefile +++ b/arch/arm/crypto/Makefile @@ -3,25 +3,19 @@ # Arch-specific CryptoAPI modules. # =20 obj-$(CONFIG_CRYPTO_AES_ARM) +=3D aes-arm.o obj-$(CONFIG_CRYPTO_AES_ARM_BS) +=3D aes-arm-bs.o -obj-$(CONFIG_CRYPTO_SHA1_ARM) +=3D sha1-arm.o -obj-$(CONFIG_CRYPTO_SHA1_ARM_NEON) +=3D sha1-arm-neon.o obj-$(CONFIG_CRYPTO_BLAKE2B_NEON) +=3D blake2b-neon.o obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) +=3D nhpoly1305-neon.o obj-$(CONFIG_CRYPTO_CURVE25519_NEON) +=3D curve25519-neon.o =20 obj-$(CONFIG_CRYPTO_AES_ARM_CE) +=3D aes-arm-ce.o -obj-$(CONFIG_CRYPTO_SHA1_ARM_CE) +=3D sha1-arm-ce.o obj-$(CONFIG_CRYPTO_GHASH_ARM_CE) +=3D ghash-arm-ce.o =20 aes-arm-y :=3D aes-cipher-core.o aes-cipher-glue.o aes-arm-bs-y :=3D aes-neonbs-core.o aes-neonbs-glue.o -sha1-arm-y :=3D sha1-armv4-large.o sha1_glue.o -sha1-arm-neon-y :=3D sha1-armv7-neon.o sha1_neon_glue.o blake2b-neon-y :=3D blake2b-neon-core.o blake2b-neon-glue.o -sha1-arm-ce-y :=3D sha1-ce-core.o sha1-ce-glue.o aes-arm-ce-y :=3D aes-ce-core.o aes-ce-glue.o ghash-arm-ce-y :=3D ghash-ce-core.o ghash-ce-glue.o nhpoly1305-neon-y :=3D nh-neon-core.o nhpoly1305-neon-glue.o curve25519-neon-y :=3D curve25519-core.o curve25519-glue.o diff --git a/arch/arm/crypto/sha1-ce-glue.c b/arch/arm/crypto/sha1-ce-glue.c deleted file mode 100644 index fac07a4799de6..0000000000000 --- a/arch/arm/crypto/sha1-ce-glue.c +++ /dev/null @@ -1,72 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* - * sha1-ce-glue.c - SHA-1 secure hash using ARMv8 Crypto Extensions - * - * Copyright (C) 2015 Linaro Ltd - */ - -#include -#include -#include -#include -#include -#include -#include - -MODULE_DESCRIPTION("SHA1 secure hash using ARMv8 Crypto Extensions"); -MODULE_AUTHOR("Ard Biesheuvel "); -MODULE_LICENSE("GPL v2"); - -asmlinkage void sha1_ce_transform(struct sha1_state *sst, u8 const *src, - int blocks); - -static int sha1_ce_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - int remain; - - kernel_neon_begin(); - remain =3D sha1_base_do_update_blocks(desc, data, len, sha1_ce_transform); - kernel_neon_end(); - - return remain; -} - -static int sha1_ce_finup(struct shash_desc *desc, const u8 *data, - unsigned int len, u8 *out) -{ - kernel_neon_begin(); - sha1_base_do_finup(desc, data, len, sha1_ce_transform); - kernel_neon_end(); - - return sha1_base_finish(desc, out); -} - -static struct shash_alg alg =3D { - .init =3D sha1_base_init, - .update =3D sha1_ce_update, - .finup =3D sha1_ce_finup, - .descsize =3D SHA1_STATE_SIZE, - .digestsize =3D SHA1_DIGEST_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name =3D "sha1-ce", - .cra_priority =3D 200, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static int __init sha1_ce_mod_init(void) -{ - return crypto_register_shash(&alg); -} - -static void __exit sha1_ce_mod_fini(void) -{ - crypto_unregister_shash(&alg); -} - -module_cpu_feature_match(SHA1, sha1_ce_mod_init); -module_exit(sha1_ce_mod_fini); diff --git a/arch/arm/crypto/sha1_glue.c b/arch/arm/crypto/sha1_glue.c deleted file mode 100644 index 255da00c7d98a..0000000000000 --- a/arch/arm/crypto/sha1_glue.c +++ /dev/null @@ -1,75 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Cryptographic API. - * Glue code for the SHA1 Secure Hash Algorithm assembler implementation - * - * This file is based on sha1_generic.c and sha1_ssse3_glue.c - * - * Copyright (c) Alan Smithee. - * Copyright (c) Andrew McDonald - * Copyright (c) Jean-Francois Dive - * Copyright (c) Mathias Krause - */ - -#include -#include -#include -#include -#include - -asmlinkage void sha1_block_data_order(struct sha1_state *digest, - const u8 *data, int rounds); - -static int sha1_update_arm(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - /* make sure signature matches sha1_block_fn() */ - BUILD_BUG_ON(offsetof(struct sha1_state, state) !=3D 0); - - return sha1_base_do_update_blocks(desc, data, len, - sha1_block_data_order); -} - -static int sha1_finup_arm(struct shash_desc *desc, const u8 *data, - unsigned int len, u8 *out) -{ - sha1_base_do_finup(desc, data, len, sha1_block_data_order); - return sha1_base_finish(desc, out); -} - -static struct shash_alg alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D sha1_base_init, - .update =3D sha1_update_arm, - .finup =3D sha1_finup_arm, - .descsize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name=3D "sha1-asm", - .cra_priority =3D 150, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - - -static int __init sha1_mod_init(void) -{ - return crypto_register_shash(&alg); -} - - -static void __exit sha1_mod_fini(void) -{ - crypto_unregister_shash(&alg); -} - - -module_init(sha1_mod_init); -module_exit(sha1_mod_fini); - -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm (ARM)"); -MODULE_ALIAS_CRYPTO("sha1"); -MODULE_AUTHOR("David McCullough "); diff --git a/arch/arm/crypto/sha1_neon_glue.c b/arch/arm/crypto/sha1_neon_g= lue.c deleted file mode 100644 index d321850f22a6d..0000000000000 --- a/arch/arm/crypto/sha1_neon_glue.c +++ /dev/null @@ -1,83 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Glue code for the SHA1 Secure Hash Algorithm assembler implementation u= sing - * ARM NEON instructions. - * - * Copyright =C2=A9 2014 Jussi Kivilinna - * - * This file is based on sha1_generic.c and sha1_ssse3_glue.c: - * Copyright (c) Alan Smithee. - * Copyright (c) Andrew McDonald - * Copyright (c) Jean-Francois Dive - * Copyright (c) Mathias Krause - * Copyright (c) Chandramouli Narayanan - */ - -#include -#include -#include -#include -#include -#include - -asmlinkage void sha1_transform_neon(struct sha1_state *state_h, - const u8 *data, int rounds); - -static int sha1_neon_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - int remain; - - kernel_neon_begin(); - remain =3D sha1_base_do_update_blocks(desc, data, len, - sha1_transform_neon); - kernel_neon_end(); - - return remain; -} - -static int sha1_neon_finup(struct shash_desc *desc, const u8 *data, - unsigned int len, u8 *out) -{ - kernel_neon_begin(); - sha1_base_do_finup(desc, data, len, sha1_transform_neon); - kernel_neon_end(); - - return sha1_base_finish(desc, out); -} - -static struct shash_alg alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D sha1_base_init, - .update =3D sha1_neon_update, - .finup =3D sha1_neon_finup, - .descsize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name =3D "sha1-neon", - .cra_priority =3D 250, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static int __init sha1_neon_mod_init(void) -{ - if (!cpu_has_neon()) - return -ENODEV; - - return crypto_register_shash(&alg); -} - -static void __exit sha1_neon_mod_fini(void) -{ - crypto_unregister_shash(&alg); -} - -module_init(sha1_neon_mod_init); -module_exit(sha1_neon_mod_fini); - -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm, NEON accelerated"); -MODULE_ALIAS_CRYPTO("sha1"); diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index ff54c9a631f86..5c1bfa02fa349 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -144,10 +144,11 @@ config CRYPTO_LIB_SHA1 the functions from . =20 config CRYPTO_LIB_SHA1_ARCH bool depends on CRYPTO_LIB_SHA1 && !UML + default y if ARM =20 config CRYPTO_LIB_SHA256 tristate help Enable the SHA-256 library interface. This interface may be fulfilled diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index c96abfc4b9d3b..e10a84a6dda6a 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -71,10 +71,15 @@ libpoly1305-generic-y +=3D poly1305-generic.o =20 obj-$(CONFIG_CRYPTO_LIB_SHA1) +=3D libsha1.o libsha1-y :=3D sha1.o ifeq ($(CONFIG_CRYPTO_LIB_SHA1_ARCH),y) CFLAGS_sha1.o +=3D -I$(src)/$(SRCARCH) +ifeq ($(CONFIG_ARM),y) +libsha1-y +=3D arm/sha1-armv4-large.o +libsha1-$(CONFIG_KERNEL_MODE_NEON) +=3D arm/sha1-armv7-neon.o \ + arm/sha1-ce-core.o +endif endif # CONFIG_CRYPTO_LIB_SHA1_ARCH =20 ##########################################################################= ###### =20 obj-$(CONFIG_CRYPTO_LIB_SHA256) +=3D libsha256.o diff --git a/arch/arm/crypto/sha1-armv4-large.S b/lib/crypto/arm/sha1-armv4= -large.S similarity index 100% rename from arch/arm/crypto/sha1-armv4-large.S rename to lib/crypto/arm/sha1-armv4-large.S diff --git a/arch/arm/crypto/sha1-armv7-neon.S b/lib/crypto/arm/sha1-armv7-= neon.S similarity index 98% rename from arch/arm/crypto/sha1-armv7-neon.S rename to lib/crypto/arm/sha1-armv7-neon.S index 28d816a6a5307..6edba3ab62e8b 100644 --- a/arch/arm/crypto/sha1-armv7-neon.S +++ b/lib/crypto/arm/sha1-armv7-neon.S @@ -280,22 +280,21 @@ #define WPRECALC_32_79_9(i,W,W_m04,W_m08,W_m12,W_m16,W_m20,W_m24,W_m28) \ vst1.32 {tmp0}, [RWK]; =20 =20 /* - * Transform nblks*64 bytes (nblks*16 32-bit words) at DATA. + * Transform nblocks*64 bytes (nblocks*16 32-bit words) at DATA. * - * unsigned int - * sha1_transform_neon (void *ctx, const unsigned char *data, - * unsigned int nblks) + * void sha1_transform_neon(struct sha1_block_state *state, + * const u8 *data, size_t nblocks); */ .align 3 ENTRY(sha1_transform_neon) /* input: - * r0: ctx, CTX - * r1: data (64*nblks bytes) - * r2: nblks + * r0: state + * r1: data (64*nblocks bytes) + * r2: nblocks */ =20 cmp RNBLKS, #0; beq .Ldo_nothing; =20 diff --git a/arch/arm/crypto/sha1-ce-core.S b/lib/crypto/arm/sha1-ce-core.S similarity index 96% rename from arch/arm/crypto/sha1-ce-core.S rename to lib/crypto/arm/sha1-ce-core.S index 8a702e051738a..2de40dd25e47e 100644 --- a/arch/arm/crypto/sha1-ce-core.S +++ b/lib/crypto/arm/sha1-ce-core.S @@ -57,12 +57,12 @@ .word 0x6ed9eba1, 0x6ed9eba1, 0x6ed9eba1, 0x6ed9eba1 .word 0x8f1bbcdc, 0x8f1bbcdc, 0x8f1bbcdc, 0x8f1bbcdc .word 0xca62c1d6, 0xca62c1d6, 0xca62c1d6, 0xca62c1d6 =20 /* - * void sha1_ce_transform(struct sha1_state *sst, u8 const *src, - * int blocks); + * void sha1_ce_transform(struct sha1_block_state *state, + * const u8 *data, size_t nblocks); */ ENTRY(sha1_ce_transform) /* load round constants */ adr ip, .Lsha1_rcon vld1.32 {k0-k1}, [ip, :128]! diff --git a/lib/crypto/arm/sha1.h b/lib/crypto/arm/sha1.h new file mode 100644 index 0000000000000..b177b71f5530a --- /dev/null +++ b/lib/crypto/arm/sha1.h @@ -0,0 +1,46 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * SHA-1 optimized for ARM + * + * Copyright 2025 Google LLC + */ +#include +#include + +static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon); +static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_ce); + +asmlinkage void sha1_block_data_order(struct sha1_block_state *state, + const u8 *data, size_t nblocks); +asmlinkage void sha1_transform_neon(struct sha1_block_state *state, + const u8 *data, size_t nblocks); +asmlinkage void sha1_ce_transform(struct sha1_block_state *state, + const u8 *data, size_t nblocks); + +static void sha1_blocks(struct sha1_block_state *state, + const u8 *data, size_t nblocks) +{ + if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && + static_branch_likely(&have_neon) && may_use_simd()) { + kernel_neon_begin(); + if (static_branch_likely(&have_ce)) + sha1_ce_transform(state, data, nblocks); + else + sha1_transform_neon(state, data, nblocks); + kernel_neon_end(); + } else { + sha1_block_data_order(state, data, nblocks); + } +} + +#ifdef CONFIG_KERNEL_MODE_NEON +#define sha1_mod_init_arch sha1_mod_init_arch +static inline void sha1_mod_init_arch(void) +{ + if (elf_hwcap & HWCAP_NEON) { + static_branch_enable(&have_neon); + if (elf_hwcap2 & HWCAP2_SHA1) + static_branch_enable(&have_ce); + } +} +#endif /* CONFIG_KERNEL_MODE_NEON */ --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6BCCE238173; Sat, 12 Jul 2025 23:26:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362784; cv=none; b=RpHSmEl3SqrsJUGI47C0drmmsdoihWrjbxVMCW3hlMhmbEyyisUHkyq5bQHrT2xWw9hOqLjcwaL588Vnqbf8JeoTMQS6EwmaVagLrUQB8Dvhr0vMdGquLWLXWK84Ql8yjtJirXAP5xjbEW1BsE9JwdbEPpKsiIwl2e2PNnNqM0U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362784; c=relaxed/simple; bh=T1G5rz22TZVVTnJT6izv9vwaaifRR1MqdehL7gIh2Eo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lyeQnyeA6Owesie1UyYvWecQio3o4Kih00oktoHx5aVpsS0DPH/4l/48p7Y8TSPGXsCIgIC6HEuwbtQvmsmTWfICMAmIVFfuhNQB6mXoNl+fcEvYdg4iH6aEjm0iYXHwwHBkXL4MMR0OSnm5cXbXIAHNhMB4eK5kw+Q4B+9hcKY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=SnIQC8iL; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="SnIQC8iL" Received: by smtp.kernel.org (Postfix) with ESMTPSA id AE99EC4CEF5; Sat, 12 Jul 2025 23:26:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362784; bh=T1G5rz22TZVVTnJT6izv9vwaaifRR1MqdehL7gIh2Eo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SnIQC8iLtvGuNtkaE6lzbpaOul2vAVIBXsCxe2sAJmAxdJGNTb8jlLL4ldCrGEviX RSkgJ1PtxdfYfGUH+QXqiqc4fryCCmjdVWOu4yDKj+pSJM3QB0aeEnzax75qyg24jI S9MLHc2/WFXkah2i94Lz8hyRrsOzTlPuAwvxmJbbdGELqv119ec0F9o0FjJOZAl4ia ehs9pO5xGnmwsn5Q2ctjrGamWWrBKK4dawMnSmkxNHZO2HneXum6/Eo4V8eg6tiqF9 Te4vk4maW5fj1MTVA+aFN+uznHrJyKfMwtMDkUlHMlu1QFNBuI0fVCTqRmxNIPDjpg pBdfCEVBhNRpg== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 08/26] lib/crypto: arm64/sha1: Migrate optimized code into library Date: Sat, 12 Jul 2025 16:22:59 -0700 Message-ID: <20250712232329.818226-9-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Instead of exposing the arm64-optimized SHA-1 code via arm64-specific crypto_shash algorithms, instead just implement the sha1_blocks() library function. This is much simpler, it makes the SHA-1 library functions be arm64-optimized, and it fixes the longstanding issue where the arm64-optimized SHA-1 code was disabled by default. SHA-1 still remains available through crypto_shash, but individual architectures no longer need to handle it. Remove support for SHA-1 finalization from assembly code, since the library does not yet support architecture-specific overrides of the finalization. (Support for that has been omitted for now, for simplicity and because usually it isn't performance-critical.) To match sha1_blocks(), change the type of the nblocks parameter and the return value of __sha1_ce_transform() from int to size_t. Update the assembly code accordingly. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- arch/arm64/configs/defconfig | 1 - arch/arm64/crypto/Kconfig | 11 -- arch/arm64/crypto/Makefile | 3 - arch/arm64/crypto/sha1-ce-glue.c | 118 ------------------ lib/crypto/Kconfig | 1 + lib/crypto/Makefile | 1 + .../crypto/arm64}/sha1-ce-core.S | 40 ++---- lib/crypto/arm64/sha1.h | 39 ++++++ 8 files changed, 51 insertions(+), 163 deletions(-) delete mode 100644 arch/arm64/crypto/sha1-ce-glue.c rename {arch/arm64/crypto =3D> lib/crypto/arm64}/sha1-ce-core.S (76%) create mode 100644 lib/crypto/arm64/sha1.h diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig index b612b78b3b091..31681206b49cf 100644 --- a/arch/arm64/configs/defconfig +++ b/arch/arm64/configs/defconfig @@ -1741,11 +1741,10 @@ CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_ECHAINIV=3Dy CONFIG_CRYPTO_MICHAEL_MIC=3Dm CONFIG_CRYPTO_ANSI_CPRNG=3Dy CONFIG_CRYPTO_USER_API_RNG=3Dm CONFIG_CRYPTO_GHASH_ARM64_CE=3Dy -CONFIG_CRYPTO_SHA1_ARM64_CE=3Dy CONFIG_CRYPTO_SHA3_ARM64=3Dm CONFIG_CRYPTO_SM3_ARM64_CE=3Dm CONFIG_CRYPTO_AES_ARM64_CE_BLK=3Dy CONFIG_CRYPTO_AES_ARM64_BS=3Dm CONFIG_CRYPTO_AES_ARM64_CE_CCM=3Dy diff --git a/arch/arm64/crypto/Kconfig b/arch/arm64/crypto/Kconfig index a9ead99f72c28..3bb5b513d5ae2 100644 --- a/arch/arm64/crypto/Kconfig +++ b/arch/arm64/crypto/Kconfig @@ -23,21 +23,10 @@ config CRYPTO_NHPOLY1305_NEON NHPoly1305 hash function (Adiantum) =20 Architecture: arm64 using: - NEON (Advanced SIMD) extensions =20 -config CRYPTO_SHA1_ARM64_CE - tristate "Hash functions: SHA-1 (ARMv8 Crypto Extensions)" - depends on KERNEL_MODE_NEON - select CRYPTO_HASH - select CRYPTO_SHA1 - help - SHA-1 secure hash algorithm (FIPS 180) - - Architecture: arm64 using: - - ARMv8 Crypto Extensions - config CRYPTO_SHA3_ARM64 tristate "Hash functions: SHA-3 (ARMv8.2 Crypto Extensions)" depends on KERNEL_MODE_NEON select CRYPTO_HASH select CRYPTO_SHA3 diff --git a/arch/arm64/crypto/Makefile b/arch/arm64/crypto/Makefile index 228101f125d50..a8b2cdbe202c1 100644 --- a/arch/arm64/crypto/Makefile +++ b/arch/arm64/crypto/Makefile @@ -3,13 +3,10 @@ # linux/arch/arm64/crypto/Makefile # # Copyright (C) 2014 Linaro Ltd # =20 -obj-$(CONFIG_CRYPTO_SHA1_ARM64_CE) +=3D sha1-ce.o -sha1-ce-y :=3D sha1-ce-glue.o sha1-ce-core.o - obj-$(CONFIG_CRYPTO_SHA3_ARM64) +=3D sha3-ce.o sha3-ce-y :=3D sha3-ce-glue.o sha3-ce-core.o =20 obj-$(CONFIG_CRYPTO_SM3_NEON) +=3D sm3-neon.o sm3-neon-y :=3D sm3-neon-glue.o sm3-neon-core.o diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1-ce-g= lue.c deleted file mode 100644 index 65b6980817e5b..0000000000000 --- a/arch/arm64/crypto/sha1-ce-glue.c +++ /dev/null @@ -1,118 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* - * sha1-ce-glue.c - SHA-1 secure hash using ARMv8 Crypto Extensions - * - * Copyright (C) 2014 - 2017 Linaro Ltd - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -MODULE_DESCRIPTION("SHA1 secure hash using ARMv8 Crypto Extensions"); -MODULE_AUTHOR("Ard Biesheuvel "); -MODULE_LICENSE("GPL v2"); -MODULE_ALIAS_CRYPTO("sha1"); - -struct sha1_ce_state { - struct sha1_state sst; - u32 finalize; -}; - -extern const u32 sha1_ce_offsetof_count; -extern const u32 sha1_ce_offsetof_finalize; - -asmlinkage int __sha1_ce_transform(struct sha1_ce_state *sst, u8 const *sr= c, - int blocks); - -static void sha1_ce_transform(struct sha1_state *sst, u8 const *src, - int blocks) -{ - while (blocks) { - int rem; - - kernel_neon_begin(); - rem =3D __sha1_ce_transform(container_of(sst, - struct sha1_ce_state, - sst), src, blocks); - kernel_neon_end(); - src +=3D (blocks - rem) * SHA1_BLOCK_SIZE; - blocks =3D rem; - } -} - -const u32 sha1_ce_offsetof_count =3D offsetof(struct sha1_ce_state, sst.co= unt); -const u32 sha1_ce_offsetof_finalize =3D offsetof(struct sha1_ce_state, fin= alize); - -static int sha1_ce_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - struct sha1_ce_state *sctx =3D shash_desc_ctx(desc); - - sctx->finalize =3D 0; - return sha1_base_do_update_blocks(desc, data, len, sha1_ce_transform); -} - -static int sha1_ce_finup(struct shash_desc *desc, const u8 *data, - unsigned int len, u8 *out) -{ - struct sha1_ce_state *sctx =3D shash_desc_ctx(desc); - bool finalized =3D false; - - /* - * Allow the asm code to perform the finalization if there is no - * partial data and the input is a round multiple of the block size. - */ - if (len >=3D SHA1_BLOCK_SIZE) { - unsigned int remain =3D len - round_down(len, SHA1_BLOCK_SIZE); - - finalized =3D !remain; - sctx->finalize =3D finalized; - sha1_base_do_update_blocks(desc, data, len, sha1_ce_transform); - data +=3D len - remain; - len =3D remain; - } - if (!finalized) { - sctx->finalize =3D 0; - sha1_base_do_finup(desc, data, len, sha1_ce_transform); - } - return sha1_base_finish(desc, out); -} - -static struct shash_alg alg =3D { - .init =3D sha1_base_init, - .update =3D sha1_ce_update, - .finup =3D sha1_ce_finup, - .descsize =3D sizeof(struct sha1_ce_state), - .statesize =3D SHA1_STATE_SIZE, - .digestsize =3D SHA1_DIGEST_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name =3D "sha1-ce", - .cra_priority =3D 200, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY | - CRYPTO_AHASH_ALG_FINUP_MAX, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static int __init sha1_ce_mod_init(void) -{ - return crypto_register_shash(&alg); -} - -static void __exit sha1_ce_mod_fini(void) -{ - crypto_unregister_shash(&alg); -} - -module_cpu_feature_match(SHA1, sha1_ce_mod_init); -module_exit(sha1_ce_mod_fini); diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index 5c1bfa02fa349..189bdae58c812 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -145,10 +145,11 @@ config CRYPTO_LIB_SHA1 =20 config CRYPTO_LIB_SHA1_ARCH bool depends on CRYPTO_LIB_SHA1 && !UML default y if ARM + default y if ARM64 && KERNEL_MODE_NEON =20 config CRYPTO_LIB_SHA256 tristate help Enable the SHA-256 library interface. This interface may be fulfilled diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index e10a84a6dda6a..11c8ac54bf7d1 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -76,10 +76,11 @@ CFLAGS_sha1.o +=3D -I$(src)/$(SRCARCH) ifeq ($(CONFIG_ARM),y) libsha1-y +=3D arm/sha1-armv4-large.o libsha1-$(CONFIG_KERNEL_MODE_NEON) +=3D arm/sha1-armv7-neon.o \ arm/sha1-ce-core.o endif +libsha1-$(CONFIG_ARM64) +=3D arm64/sha1-ce-core.o endif # CONFIG_CRYPTO_LIB_SHA1_ARCH =20 ##########################################################################= ###### =20 obj-$(CONFIG_CRYPTO_LIB_SHA256) +=3D libsha256.o diff --git a/arch/arm64/crypto/sha1-ce-core.S b/lib/crypto/arm64/sha1-ce-co= re.S similarity index 76% rename from arch/arm64/crypto/sha1-ce-core.S rename to lib/crypto/arm64/sha1-ce-core.S index 9b1f2d82a6fea..21efbbafd7d62 100644 --- a/arch/arm64/crypto/sha1-ce-core.S +++ b/lib/crypto/arm64/sha1-ce-core.S @@ -60,12 +60,12 @@ movk \tmp, :abs_g1:\val dup \k, \tmp .endm =20 /* - * int __sha1_ce_transform(struct sha1_ce_state *sst, u8 const *src, - * int blocks) + * size_t __sha1_ce_transform(struct sha1_block_state *state, + * const u8 *data, size_t nblocks); */ SYM_FUNC_START(__sha1_ce_transform) /* load round constants */ loadrc k0.4s, 0x5a827999, w6 loadrc k1.4s, 0x6ed9eba1, w6 @@ -74,24 +74,20 @@ SYM_FUNC_START(__sha1_ce_transform) =20 /* load state */ ld1 {dgav.4s}, [x0] ldr dgb, [x0, #16] =20 - /* load sha1_ce_state::finalize */ - ldr_l w4, sha1_ce_offsetof_finalize, x4 - ldr w4, [x0, x4] - /* load input */ 0: ld1 {v8.4s-v11.4s}, [x1], #64 - sub w2, w2, #1 + sub x2, x2, #1 =20 CPU_LE( rev32 v8.16b, v8.16b ) CPU_LE( rev32 v9.16b, v9.16b ) CPU_LE( rev32 v10.16b, v10.16b ) CPU_LE( rev32 v11.16b, v11.16b ) =20 -1: add t0.4s, v8.4s, k0.4s + add t0.4s, v8.4s, k0.4s mov dg0v.16b, dgav.16b =20 add_update c, ev, k0, 8, 9, 10, 11, dgb add_update c, od, k0, 9, 10, 11, 8 add_update c, ev, k0, 10, 11, 8, 9 @@ -118,33 +114,17 @@ CPU_LE( rev32 v11.16b, v11.16b ) =20 /* update state */ add dgbv.2s, dgbv.2s, dg1v.2s add dgav.4s, dgav.4s, dg0v.4s =20 - cbz w2, 2f - cond_yield 3f, x5, x6 - b 0b + /* return early if voluntary preemption is needed */ + cond_yield 1f, x5, x6 =20 - /* - * Final block: add padding and total bit count. - * Skip if the input size was not a round multiple of the block size, - * the padding is handled by the C code in that case. - */ -2: cbz x4, 3f - ldr_l w4, sha1_ce_offsetof_count, x4 - ldr x4, [x0, x4] - movi v9.2d, #0 - mov x8, #0x80000000 - movi v10.2d, #0 - ror x7, x4, #29 // ror(lsl(x4, 3), 32) - fmov d8, x8 - mov x4, #0 - mov v11.d[0], xzr - mov v11.d[1], x7 - b 1b + /* handled all input blocks? */ + cbnz x2, 0b =20 /* store new state */ -3: st1 {dgav.4s}, [x0] +1: st1 {dgav.4s}, [x0] str dgb, [x0, #16] - mov w0, w2 + mov x0, x2 ret SYM_FUNC_END(__sha1_ce_transform) diff --git a/lib/crypto/arm64/sha1.h b/lib/crypto/arm64/sha1.h new file mode 100644 index 0000000000000..0a166f968f63e --- /dev/null +++ b/lib/crypto/arm64/sha1.h @@ -0,0 +1,39 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * SHA-1 optimized for ARM64 + * + * Copyright 2025 Google LLC + */ +#include +#include +#include + +static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_ce); + +asmlinkage size_t __sha1_ce_transform(struct sha1_block_state *state, + const u8 *data, size_t nblocks); + +static void sha1_blocks(struct sha1_block_state *state, + const u8 *data, size_t nblocks) +{ + if (static_branch_likely(&have_ce) && may_use_simd()) { + do { + size_t rem; + + kernel_neon_begin(); + rem =3D __sha1_ce_transform(state, data, nblocks); + kernel_neon_end(); + data +=3D (nblocks - rem) * SHA1_BLOCK_SIZE; + nblocks =3D rem; + } while (nblocks); + } else { + sha1_blocks_generic(state, data, nblocks); + } +} + +#define sha1_mod_init_arch sha1_mod_init_arch +static inline void sha1_mod_init_arch(void) +{ + if (cpu_have_named_feature(SHA1)) + static_branch_enable(&have_ce); +} --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ACCB8238C1D; Sat, 12 Jul 2025 23:26:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362784; cv=none; b=K+iuFHqt6icSdNkoUCV9t3iHHu0h3KsP6CbIwdiAwh68l4ZUsDiuYV3UkG0pBoZ1Is6rxXObxhD4u/dWYkQKBbsM/t/VDjXtLM6xrlhR2L47T7jHd4M08Alq509ZvLt98yeW+jL1dHaxxp5Fh5PwcpYB0kXQbrl+pk5dyznO61s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362784; c=relaxed/simple; bh=7ZRIBZU5x4vLuGnKLqYWd5FSpgoUhoGAtMZsYPpXQZI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HaJ1E5zOmp4p5tXcPRnDQKZy4tjaiWXjimHQuApWFPKZ4reRggUdJJTXfW0dRfjprUPcue0zpTnameFUvnncIQUgVZ9iqpVtrdnDbm5x9es8d7w5xX3sNCZSnIfv7RCQ5dV6R7RGUZM7cUMEDFf87LgIE2lcLVoQRgnxhw86XBI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ql03WPlf; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ql03WPlf" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2C1C4C4CEF7; Sat, 12 Jul 2025 23:26:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362784; bh=7ZRIBZU5x4vLuGnKLqYWd5FSpgoUhoGAtMZsYPpXQZI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ql03WPlfahGzZKJvzjVHpg0MVKVv87jg4wSl6hXWxAStNBs0vKSuNhJLBZoY8lT3v 5JD9s4EBAGSslO44R/DSdr8IZL8xST5Ov/Il60WNomC/QH7OXf8WuVlBc+t9f3BDxH XTkmyQqqa2O5DpZXC+IYi1ApggxeJ08yYBDPXzLwps7Q/oOaCWGAenJcMFlX9THEDe cUQ3jYmhk4MotHHTrip9lxdL8x8P2VSXwC7Z6t1cTYdsfsUtvcd6ug3fLIi7HmkOOu gUP6YVxLUNYdVrCjjpvTNpSDXnMmeq42Rp8KpVFpi17210zsJAX5MfRw4j+HAeS/iL wi+5ogv9RDvMA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 09/26] lib/crypto: mips/sha1: Migrate optimized code into library Date: Sat, 12 Jul 2025 16:23:00 -0700 Message-ID: <20250712232329.818226-10-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Instead of exposing the mips-optimized SHA-1 code via mips-specific crypto_shash algorithms, instead just implement the sha1_blocks() library function. This is much simpler, it makes the SHA-1 library functions be mips-optimized, and it fixes the longstanding issue where the mips-optimized SHA-1 code was disabled by default. SHA-1 still remains available through crypto_shash, but individual architectures no longer need to handle it. Note: to see the diff from arch/mips/cavium-octeon/crypto/octeon-sha1.c to lib/crypto/mips/sha1.h, view this commit with 'git show -M10'. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- arch/mips/cavium-octeon/crypto/Makefile | 1 - arch/mips/cavium-octeon/crypto/octeon-sha1.c | 146 ------------------- arch/mips/configs/cavium_octeon_defconfig | 1 - arch/mips/crypto/Kconfig | 10 -- lib/crypto/Kconfig | 1 + lib/crypto/mips/sha1.h | 81 ++++++++++ 6 files changed, 82 insertions(+), 158 deletions(-) delete mode 100644 arch/mips/cavium-octeon/crypto/octeon-sha1.c create mode 100644 lib/crypto/mips/sha1.h diff --git a/arch/mips/cavium-octeon/crypto/Makefile b/arch/mips/cavium-oct= eon/crypto/Makefile index db428e4b30bce..83f2f5dd93ccc 100644 --- a/arch/mips/cavium-octeon/crypto/Makefile +++ b/arch/mips/cavium-octeon/crypto/Makefile @@ -4,6 +4,5 @@ # =20 obj-y +=3D octeon-crypto.o =20 obj-$(CONFIG_CRYPTO_MD5_OCTEON) +=3D octeon-md5.o -obj-$(CONFIG_CRYPTO_SHA1_OCTEON) +=3D octeon-sha1.o diff --git a/arch/mips/cavium-octeon/crypto/octeon-sha1.c b/arch/mips/caviu= m-octeon/crypto/octeon-sha1.c deleted file mode 100644 index e4a369a7764fb..0000000000000 --- a/arch/mips/cavium-octeon/crypto/octeon-sha1.c +++ /dev/null @@ -1,146 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Cryptographic API. - * - * SHA1 Secure Hash Algorithm. - * - * Adapted for OCTEON by Aaro Koskinen . - * - * Based on crypto/sha1_generic.c, which is: - * - * Copyright (c) Alan Smithee. - * Copyright (c) Andrew McDonald - * Copyright (c) Jean-Francois Dive - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -/* - * We pass everything as 64-bit. OCTEON can handle misaligned data. - */ - -static void octeon_sha1_store_hash(struct sha1_state *sctx) -{ - u64 *hash =3D (u64 *)sctx->state; - union { - u32 word[2]; - u64 dword; - } hash_tail =3D { { sctx->state[4], } }; - - write_octeon_64bit_hash_dword(hash[0], 0); - write_octeon_64bit_hash_dword(hash[1], 1); - write_octeon_64bit_hash_dword(hash_tail.dword, 2); - memzero_explicit(&hash_tail.word[0], sizeof(hash_tail.word[0])); -} - -static void octeon_sha1_read_hash(struct sha1_state *sctx) -{ - u64 *hash =3D (u64 *)sctx->state; - union { - u32 word[2]; - u64 dword; - } hash_tail; - - hash[0] =3D read_octeon_64bit_hash_dword(0); - hash[1] =3D read_octeon_64bit_hash_dword(1); - hash_tail.dword =3D read_octeon_64bit_hash_dword(2); - sctx->state[4] =3D hash_tail.word[0]; - memzero_explicit(&hash_tail.dword, sizeof(hash_tail.dword)); -} - -static void octeon_sha1_transform(struct sha1_state *sctx, const u8 *src, - int blocks) -{ - do { - const u64 *block =3D (const u64 *)src; - - write_octeon_64bit_block_dword(block[0], 0); - write_octeon_64bit_block_dword(block[1], 1); - write_octeon_64bit_block_dword(block[2], 2); - write_octeon_64bit_block_dword(block[3], 3); - write_octeon_64bit_block_dword(block[4], 4); - write_octeon_64bit_block_dword(block[5], 5); - write_octeon_64bit_block_dword(block[6], 6); - octeon_sha1_start(block[7]); - - src +=3D SHA1_BLOCK_SIZE; - } while (--blocks); -} - -static int octeon_sha1_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - struct sha1_state *sctx =3D shash_desc_ctx(desc); - struct octeon_cop2_state state; - unsigned long flags; - int remain; - - flags =3D octeon_crypto_enable(&state); - octeon_sha1_store_hash(sctx); - - remain =3D sha1_base_do_update_blocks(desc, data, len, - octeon_sha1_transform); - - octeon_sha1_read_hash(sctx); - octeon_crypto_disable(&state, flags); - return remain; -} - -static int octeon_sha1_finup(struct shash_desc *desc, const u8 *src, - unsigned int len, u8 *out) -{ - struct sha1_state *sctx =3D shash_desc_ctx(desc); - struct octeon_cop2_state state; - unsigned long flags; - - flags =3D octeon_crypto_enable(&state); - octeon_sha1_store_hash(sctx); - - sha1_base_do_finup(desc, src, len, octeon_sha1_transform); - - octeon_sha1_read_hash(sctx); - octeon_crypto_disable(&state, flags); - return sha1_base_finish(desc, out); -} - -static struct shash_alg octeon_sha1_alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D sha1_base_init, - .update =3D octeon_sha1_update, - .finup =3D octeon_sha1_finup, - .descsize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name=3D "octeon-sha1", - .cra_priority =3D OCTEON_CR_OPCODE_PRIORITY, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static int __init octeon_sha1_mod_init(void) -{ - if (!octeon_has_crypto()) - return -ENOTSUPP; - return crypto_register_shash(&octeon_sha1_alg); -} - -static void __exit octeon_sha1_mod_fini(void) -{ - crypto_unregister_shash(&octeon_sha1_alg); -} - -module_init(octeon_sha1_mod_init); -module_exit(octeon_sha1_mod_fini); - -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm (OCTEON)"); -MODULE_AUTHOR("Aaro Koskinen "); diff --git a/arch/mips/configs/cavium_octeon_defconfig b/arch/mips/configs/= cavium_octeon_defconfig index effdfb2bb738b..3f50e1d78894a 100644 --- a/arch/mips/configs/cavium_octeon_defconfig +++ b/arch/mips/configs/cavium_octeon_defconfig @@ -154,11 +154,10 @@ CONFIG_NLS_UTF8=3Dy CONFIG_SECURITY=3Dy CONFIG_SECURITY_NETWORK=3Dy CONFIG_CRYPTO_CBC=3Dy CONFIG_CRYPTO_HMAC=3Dy CONFIG_CRYPTO_MD5_OCTEON=3Dy -CONFIG_CRYPTO_SHA1_OCTEON=3Dm CONFIG_CRYPTO_DES=3Dy CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=3Dy CONFIG_DEBUG_FS=3Dy CONFIG_MAGIC_SYSRQ=3Dy # CONFIG_SCHED_DEBUG is not set diff --git a/arch/mips/crypto/Kconfig b/arch/mips/crypto/Kconfig index 51a76a5ee3b16..7b91f4ec65bff 100644 --- a/arch/mips/crypto/Kconfig +++ b/arch/mips/crypto/Kconfig @@ -10,16 +10,6 @@ config CRYPTO_MD5_OCTEON help MD5 message digest algorithm (RFC1321) =20 Architecture: mips OCTEON using crypto instructions, when available =20 -config CRYPTO_SHA1_OCTEON - tristate "Hash functions: SHA-1 (OCTEON)" - depends on CPU_CAVIUM_OCTEON - select CRYPTO_SHA1 - select CRYPTO_HASH - help - SHA-1 secure hash algorithm (FIPS 180) - - Architecture: mips OCTEON - endmenu diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index 189bdae58c812..278ac6a7eca97 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -146,10 +146,11 @@ config CRYPTO_LIB_SHA1 config CRYPTO_LIB_SHA1_ARCH bool depends on CRYPTO_LIB_SHA1 && !UML default y if ARM default y if ARM64 && KERNEL_MODE_NEON + default y if MIPS && CPU_CAVIUM_OCTEON =20 config CRYPTO_LIB_SHA256 tristate help Enable the SHA-256 library interface. This interface may be fulfilled diff --git a/lib/crypto/mips/sha1.h b/lib/crypto/mips/sha1.h new file mode 100644 index 0000000000000..ba1965002e4a3 --- /dev/null +++ b/lib/crypto/mips/sha1.h @@ -0,0 +1,81 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Cryptographic API. + * + * SHA1 Secure Hash Algorithm. + * + * Adapted for OCTEON by Aaro Koskinen . + * + * Based on crypto/sha1_generic.c, which is: + * + * Copyright (c) Alan Smithee. + * Copyright (c) Andrew McDonald + * Copyright (c) Jean-Francois Dive + */ + +#include +#include + +/* + * We pass everything as 64-bit. OCTEON can handle misaligned data. + */ + +static void octeon_sha1_store_hash(struct sha1_block_state *state) +{ + u64 *hash =3D (u64 *)&state->h[0]; + union { + u32 word[2]; + u64 dword; + } hash_tail =3D { { state->h[4], } }; + + write_octeon_64bit_hash_dword(hash[0], 0); + write_octeon_64bit_hash_dword(hash[1], 1); + write_octeon_64bit_hash_dword(hash_tail.dword, 2); + memzero_explicit(&hash_tail.word[0], sizeof(hash_tail.word[0])); +} + +static void octeon_sha1_read_hash(struct sha1_block_state *state) +{ + u64 *hash =3D (u64 *)&state->h[0]; + union { + u32 word[2]; + u64 dword; + } hash_tail; + + hash[0] =3D read_octeon_64bit_hash_dword(0); + hash[1] =3D read_octeon_64bit_hash_dword(1); + hash_tail.dword =3D read_octeon_64bit_hash_dword(2); + state->h[4] =3D hash_tail.word[0]; + memzero_explicit(&hash_tail.dword, sizeof(hash_tail.dword)); +} + +static void sha1_blocks(struct sha1_block_state *state, + const u8 *data, size_t nblocks) +{ + struct octeon_cop2_state cop2_state; + unsigned long flags; + + if (!octeon_has_crypto()) + return sha1_blocks_generic(state, data, nblocks); + + flags =3D octeon_crypto_enable(&cop2_state); + octeon_sha1_store_hash(state); + + do { + const u64 *block =3D (const u64 *)data; + + write_octeon_64bit_block_dword(block[0], 0); + write_octeon_64bit_block_dword(block[1], 1); + write_octeon_64bit_block_dword(block[2], 2); + write_octeon_64bit_block_dword(block[3], 3); + write_octeon_64bit_block_dword(block[4], 4); + write_octeon_64bit_block_dword(block[5], 5); + write_octeon_64bit_block_dword(block[6], 6); + octeon_sha1_start(block[7]); + + data +=3D SHA1_BLOCK_SIZE; + } while (--nblocks); + + octeon_sha1_read_hash(state); + octeon_crypto_disable(&cop2_state, flags); +} --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 16371239581; Sat, 12 Jul 2025 23:26:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362785; cv=none; b=etSc1eG0fPmfYq6rP2xxRaeX+wpafJy+sbXrNJOf8kRvG+6fHlgkz8jPyeSKqzJiCHgm/rd1nrC+BSfIddJ2YUJvBAB4ItSYRiSDJJgJ/cr3AdpySBobc6QIbDRLzbsuaGFFaRc8lMmfcwrUK21M/sPTChZSdbANbyrs5QMO654= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362785; c=relaxed/simple; bh=+8vC3G9AEhz9GDqIivLu8sIg+zlvL2n5kSxCFBEHZMw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lOZur2G4o1ELh2cyCYQo4QF0vsPvym6dintkWawXKsP12HIuaKxyELPtyQ2egW9NLiunxVG69CoIuUmKXuR/StJtKqeVWHg28/9IVjxQbFJbWpUjJ78gNLJuwobrsQ8NDQRsRoPa2pBgfWFW0fK9ByFLj27pAppJYVu0zIsl3gI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=lthbmvWL; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="lthbmvWL" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9DF62C4CEFC; Sat, 12 Jul 2025 23:26:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362785; bh=+8vC3G9AEhz9GDqIivLu8sIg+zlvL2n5kSxCFBEHZMw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lthbmvWLFBZkamzkq8eewPrB6hxUeGFP3EWU1TNaUceuzv22JG1U/ehFGlSQkpWzu DzydsCXzUVxfLwawFmojHbWMQStwkoX84VMjBL8v/xrjNIueNbMQtYw368aEjXkUs9 Kvx036/YNOsyCLXOFLczY0gss8kOZBCmHHhtrjl3ZohnG11dD4z3wPl9sCVTDl948i k1RZAnEG/bFGoFwPRsErxiJ41wHc9+SUMwDMCpkU9YZbvrLVGojY4whVzVmaqjTacY YhMs6KhPWS/C38aKivzy1VNf4aqICRdskNqNvw3YXULYYJQlucBeCqFXO/wuE1OZty 2X8nVMgRTzmFQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 10/26] lib/crypto: powerpc/sha1: Migrate optimized code into library Date: Sat, 12 Jul 2025 16:23:01 -0700 Message-ID: <20250712232329.818226-11-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Instead of exposing the powerpc-optimized SHA-1 code via powerpc-specific crypto_shash algorithms, instead just implement the sha1_blocks() library function. This is much simpler, it makes the SHA-1 library functions be powerpc-optimized, and it fixes the longstanding issue where the powerpc-optimized SHA-1 code was disabled by default. SHA-1 still remains available through crypto_shash, but individual architectures no longer need to handle it. Note: to see the diff from arch/powerpc/crypto/sha1-spe-glue.c to lib/crypto/powerpc/sha1.h, view this commit with 'git show -M10'. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- arch/powerpc/configs/44x/akebono_defconfig | 1 - arch/powerpc/configs/powernv_defconfig | 1 - arch/powerpc/configs/ppc64_defconfig | 1 - arch/powerpc/crypto/Kconfig | 16 --- arch/powerpc/crypto/Makefile | 4 - arch/powerpc/crypto/sha1-spe-glue.c | 107 ------------------ arch/powerpc/crypto/sha1.c | 78 ------------- lib/crypto/Kconfig | 1 + lib/crypto/Makefile | 4 + .../crypto/powerpc}/sha1-powerpc-asm.S | 0 .../crypto/powerpc}/sha1-spe-asm.S | 0 lib/crypto/powerpc/sha1.h | 67 +++++++++++ 12 files changed, 72 insertions(+), 208 deletions(-) delete mode 100644 arch/powerpc/crypto/sha1-spe-glue.c delete mode 100644 arch/powerpc/crypto/sha1.c rename {arch/powerpc/crypto =3D> lib/crypto/powerpc}/sha1-powerpc-asm.S (1= 00%) rename {arch/powerpc/crypto =3D> lib/crypto/powerpc}/sha1-spe-asm.S (100%) create mode 100644 lib/crypto/powerpc/sha1.h diff --git a/arch/powerpc/configs/44x/akebono_defconfig b/arch/powerpc/conf= igs/44x/akebono_defconfig index fde4824f235ef..1882eb2da354a 100644 --- a/arch/powerpc/configs/44x/akebono_defconfig +++ b/arch/powerpc/configs/44x/akebono_defconfig @@ -126,8 +126,7 @@ CONFIG_XMON_DEFAULT=3Dy CONFIG_PPC_EARLY_DEBUG=3Dy CONFIG_PPC_EARLY_DEBUG_44x_PHYSLOW=3D0x00010000 CONFIG_PPC_EARLY_DEBUG_44x_PHYSHIGH=3D0x33f CONFIG_CRYPTO_PCBC=3Dy CONFIG_CRYPTO_MD5=3Dy -CONFIG_CRYPTO_SHA1_PPC=3Dy CONFIG_CRYPTO_DES=3Dy # CONFIG_CRYPTO_HW is not set diff --git a/arch/powerpc/configs/powernv_defconfig b/arch/powerpc/configs/= powernv_defconfig index 379229c982a49..98f56e63ad21c 100644 --- a/arch/powerpc/configs/powernv_defconfig +++ b/arch/powerpc/configs/powernv_defconfig @@ -320,11 +320,10 @@ CONFIG_XMON=3Dy CONFIG_CRYPTO_BENCHMARK=3Dm CONFIG_CRYPTO_PCBC=3Dm CONFIG_CRYPTO_HMAC=3Dy CONFIG_CRYPTO_MD5_PPC=3Dm CONFIG_CRYPTO_MICHAEL_MIC=3Dm -CONFIG_CRYPTO_SHA1_PPC=3Dm CONFIG_CRYPTO_SHA256=3Dy CONFIG_CRYPTO_WP512=3Dm CONFIG_CRYPTO_ANUBIS=3Dm CONFIG_CRYPTO_BLOWFISH=3Dm CONFIG_CRYPTO_CAST6=3Dm diff --git a/arch/powerpc/configs/ppc64_defconfig b/arch/powerpc/configs/pp= c64_defconfig index 3423c405cad4b..dca67aae5da3c 100644 --- a/arch/powerpc/configs/ppc64_defconfig +++ b/arch/powerpc/configs/ppc64_defconfig @@ -386,11 +386,10 @@ CONFIG_CRYPTO_PCBC=3Dm CONFIG_CRYPTO_MICHAEL_MIC=3Dm CONFIG_CRYPTO_SHA256=3Dy CONFIG_CRYPTO_WP512=3Dm CONFIG_CRYPTO_LZO=3Dm CONFIG_CRYPTO_MD5_PPC=3Dm -CONFIG_CRYPTO_SHA1_PPC=3Dm CONFIG_CRYPTO_AES_GCM_P10=3Dm CONFIG_CRYPTO_DEV_NX=3Dy CONFIG_CRYPTO_DEV_NX_ENCRYPT=3Dm CONFIG_CRYPTO_DEV_VMX=3Dy CONFIG_SYSTEM_TRUSTED_KEYRING=3Dy diff --git a/arch/powerpc/crypto/Kconfig b/arch/powerpc/crypto/Kconfig index caaa359f47420..cfe39fc221cf8 100644 --- a/arch/powerpc/crypto/Kconfig +++ b/arch/powerpc/crypto/Kconfig @@ -21,26 +21,10 @@ config CRYPTO_MD5_PPC help MD5 message digest algorithm (RFC1321) =20 Architecture: powerpc =20 -config CRYPTO_SHA1_PPC - tristate "Hash functions: SHA-1" - help - SHA-1 secure hash algorithm (FIPS 180) - - Architecture: powerpc - -config CRYPTO_SHA1_PPC_SPE - tristate "Hash functions: SHA-1 (SPE)" - depends on SPE - help - SHA-1 secure hash algorithm (FIPS 180) - - Architecture: powerpc using - - SPE (Signal Processing Engine) extensions - config CRYPTO_AES_PPC_SPE tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (SPE)" depends on SPE select CRYPTO_SKCIPHER help diff --git a/arch/powerpc/crypto/Makefile b/arch/powerpc/crypto/Makefile index 8c2936ae466fc..bc8fd27344b8b 100644 --- a/arch/powerpc/crypto/Makefile +++ b/arch/powerpc/crypto/Makefile @@ -5,20 +5,16 @@ # Arch-specific CryptoAPI modules. # =20 obj-$(CONFIG_CRYPTO_AES_PPC_SPE) +=3D aes-ppc-spe.o obj-$(CONFIG_CRYPTO_MD5_PPC) +=3D md5-ppc.o -obj-$(CONFIG_CRYPTO_SHA1_PPC) +=3D sha1-powerpc.o -obj-$(CONFIG_CRYPTO_SHA1_PPC_SPE) +=3D sha1-ppc-spe.o obj-$(CONFIG_CRYPTO_AES_GCM_P10) +=3D aes-gcm-p10-crypto.o obj-$(CONFIG_CRYPTO_DEV_VMX_ENCRYPT) +=3D vmx-crypto.o obj-$(CONFIG_CRYPTO_CURVE25519_PPC64) +=3D curve25519-ppc64le.o =20 aes-ppc-spe-y :=3D aes-spe-core.o aes-spe-keys.o aes-tab-4k.o aes-spe-mode= s.o aes-spe-glue.o md5-ppc-y :=3D md5-asm.o md5-glue.o -sha1-powerpc-y :=3D sha1-powerpc-asm.o sha1.o -sha1-ppc-spe-y :=3D sha1-spe-asm.o sha1-spe-glue.o aes-gcm-p10-crypto-y :=3D aes-gcm-p10-glue.o aes-gcm-p10.o ghashp10-ppc.o = aesp10-ppc.o vmx-crypto-objs :=3D vmx.o aesp8-ppc.o ghashp8-ppc.o aes.o aes_cbc.o aes_c= tr.o aes_xts.o ghash.o curve25519-ppc64le-y :=3D curve25519-ppc64le-core.o curve25519-ppc64le_asm= .o =20 ifeq ($(CONFIG_CPU_LITTLE_ENDIAN),y) diff --git a/arch/powerpc/crypto/sha1-spe-glue.c b/arch/powerpc/crypto/sha1= -spe-glue.c deleted file mode 100644 index 04c88e173ce15..0000000000000 --- a/arch/powerpc/crypto/sha1-spe-glue.c +++ /dev/null @@ -1,107 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Glue code for SHA-1 implementation for SPE instructions (PPC) - * - * Based on generic implementation. - * - * Copyright (c) 2015 Markus Stockhausen - */ - -#include -#include -#include -#include -#include -#include -#include - -/* - * MAX_BYTES defines the number of bytes that are allowed to be processed - * between preempt_disable() and preempt_enable(). SHA1 takes ~1000 - * operations per 64 bytes. e500 cores can issue two arithmetic instructio= ns - * per clock cycle using one 32/64 bit unit (SU1) and one 32 bit unit (SU2= ). - * Thus 2KB of input data will need an estimated maximum of 18,000 cycles. - * Headroom for cache misses included. Even with the low end model clocked - * at 667 MHz this equals to a critical time window of less than 27us. - * - */ -#define MAX_BYTES 2048 - -asmlinkage void ppc_spe_sha1_transform(u32 *state, const u8 *src, u32 bloc= ks); - -static void spe_begin(void) -{ - /* We just start SPE operations and will save SPE registers later. */ - preempt_disable(); - enable_kernel_spe(); -} - -static void spe_end(void) -{ - disable_kernel_spe(); - /* reenable preemption */ - preempt_enable(); -} - -static void ppc_spe_sha1_block(struct sha1_state *sctx, const u8 *src, - int blocks) -{ - do { - int unit =3D min(blocks, MAX_BYTES / SHA1_BLOCK_SIZE); - - spe_begin(); - ppc_spe_sha1_transform(sctx->state, src, unit); - spe_end(); - - src +=3D unit * SHA1_BLOCK_SIZE; - blocks -=3D unit; - } while (blocks); -} - -static int ppc_spe_sha1_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - return sha1_base_do_update_blocks(desc, data, len, ppc_spe_sha1_block); -} - -static int ppc_spe_sha1_finup(struct shash_desc *desc, const u8 *src, - unsigned int len, u8 *out) -{ - sha1_base_do_finup(desc, src, len, ppc_spe_sha1_block); - return sha1_base_finish(desc, out); -} - -static struct shash_alg alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D sha1_base_init, - .update =3D ppc_spe_sha1_update, - .finup =3D ppc_spe_sha1_finup, - .descsize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name=3D "sha1-ppc-spe", - .cra_priority =3D 300, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static int __init ppc_spe_sha1_mod_init(void) -{ - return crypto_register_shash(&alg); -} - -static void __exit ppc_spe_sha1_mod_fini(void) -{ - crypto_unregister_shash(&alg); -} - -module_init(ppc_spe_sha1_mod_init); -module_exit(ppc_spe_sha1_mod_fini); - -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm, SPE optimized"); - -MODULE_ALIAS_CRYPTO("sha1"); -MODULE_ALIAS_CRYPTO("sha1-ppc-spe"); diff --git a/arch/powerpc/crypto/sha1.c b/arch/powerpc/crypto/sha1.c deleted file mode 100644 index 4593946aa9b33..0000000000000 --- a/arch/powerpc/crypto/sha1.c +++ /dev/null @@ -1,78 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Cryptographic API. - * - * powerpc implementation of the SHA1 Secure Hash Algorithm. - * - * Derived from cryptoapi implementation, adapted for in-place - * scatterlist interface. - * - * Derived from "crypto/sha1.c" - * Copyright (c) Alan Smithee. - * Copyright (c) Andrew McDonald - * Copyright (c) Jean-Francois Dive - */ -#include -#include -#include -#include -#include - -asmlinkage void powerpc_sha_transform(u32 *state, const u8 *src); - -static void powerpc_sha_block(struct sha1_state *sctx, const u8 *data, - int blocks) -{ - do { - powerpc_sha_transform(sctx->state, data); - data +=3D 64; - } while (--blocks); -} - -static int powerpc_sha1_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - return sha1_base_do_update_blocks(desc, data, len, powerpc_sha_block); -} - -/* Add padding and return the message digest. */ -static int powerpc_sha1_finup(struct shash_desc *desc, const u8 *src, - unsigned int len, u8 *out) -{ - sha1_base_do_finup(desc, src, len, powerpc_sha_block); - return sha1_base_finish(desc, out); -} - -static struct shash_alg alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D sha1_base_init, - .update =3D powerpc_sha1_update, - .finup =3D powerpc_sha1_finup, - .descsize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name=3D "sha1-powerpc", - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static int __init sha1_powerpc_mod_init(void) -{ - return crypto_register_shash(&alg); -} - -static void __exit sha1_powerpc_mod_fini(void) -{ - crypto_unregister_shash(&alg); -} - -module_init(sha1_powerpc_mod_init); -module_exit(sha1_powerpc_mod_fini); - -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm"); - -MODULE_ALIAS_CRYPTO("sha1"); -MODULE_ALIAS_CRYPTO("sha1-powerpc"); diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index 278ac6a7eca97..e842f173cadec 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -147,10 +147,11 @@ config CRYPTO_LIB_SHA1_ARCH bool depends on CRYPTO_LIB_SHA1 && !UML default y if ARM default y if ARM64 && KERNEL_MODE_NEON default y if MIPS && CPU_CAVIUM_OCTEON + default y if PPC =20 config CRYPTO_LIB_SHA256 tristate help Enable the SHA-256 library interface. This interface may be fulfilled diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 11c8ac54bf7d1..3f4199c079307 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -77,10 +77,14 @@ ifeq ($(CONFIG_ARM),y) libsha1-y +=3D arm/sha1-armv4-large.o libsha1-$(CONFIG_KERNEL_MODE_NEON) +=3D arm/sha1-armv7-neon.o \ arm/sha1-ce-core.o endif libsha1-$(CONFIG_ARM64) +=3D arm64/sha1-ce-core.o +ifeq ($(CONFIG_PPC),y) +libsha1-y +=3D powerpc/sha1-powerpc-asm.o +libsha1-$(CONFIG_SPE) +=3D powerpc/sha1-spe-asm.o +endif endif # CONFIG_CRYPTO_LIB_SHA1_ARCH =20 ##########################################################################= ###### =20 obj-$(CONFIG_CRYPTO_LIB_SHA256) +=3D libsha256.o diff --git a/arch/powerpc/crypto/sha1-powerpc-asm.S b/lib/crypto/powerpc/sh= a1-powerpc-asm.S similarity index 100% rename from arch/powerpc/crypto/sha1-powerpc-asm.S rename to lib/crypto/powerpc/sha1-powerpc-asm.S diff --git a/arch/powerpc/crypto/sha1-spe-asm.S b/lib/crypto/powerpc/sha1-s= pe-asm.S similarity index 100% rename from arch/powerpc/crypto/sha1-spe-asm.S rename to lib/crypto/powerpc/sha1-spe-asm.S diff --git a/lib/crypto/powerpc/sha1.h b/lib/crypto/powerpc/sha1.h new file mode 100644 index 0000000000000..e2c010f0370bd --- /dev/null +++ b/lib/crypto/powerpc/sha1.h @@ -0,0 +1,67 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * SHA-1 optimized for PowerPC + * + * Copyright (c) 2015 Markus Stockhausen + */ + +#include +#include + +#ifdef CONFIG_SPE +/* + * MAX_BYTES defines the number of bytes that are allowed to be processed + * between preempt_disable() and preempt_enable(). SHA1 takes ~1000 + * operations per 64 bytes. e500 cores can issue two arithmetic instructio= ns + * per clock cycle using one 32/64 bit unit (SU1) and one 32 bit unit (SU2= ). + * Thus 2KB of input data will need an estimated maximum of 18,000 cycles. + * Headroom for cache misses included. Even with the low end model clocked + * at 667 MHz this equals to a critical time window of less than 27us. + * + */ +#define MAX_BYTES 2048 + +asmlinkage void ppc_spe_sha1_transform(struct sha1_block_state *state, + const u8 *data, u32 nblocks); + +static void spe_begin(void) +{ + /* We just start SPE operations and will save SPE registers later. */ + preempt_disable(); + enable_kernel_spe(); +} + +static void spe_end(void) +{ + disable_kernel_spe(); + /* reenable preemption */ + preempt_enable(); +} + +static void sha1_blocks(struct sha1_block_state *state, + const u8 *data, size_t nblocks) +{ + do { + u32 unit =3D min_t(size_t, nblocks, MAX_BYTES / SHA1_BLOCK_SIZE); + + spe_begin(); + ppc_spe_sha1_transform(state, data, unit); + spe_end(); + + data +=3D unit * SHA1_BLOCK_SIZE; + nblocks -=3D unit; + } while (nblocks); +} +#else /* CONFIG_SPE */ +asmlinkage void powerpc_sha_transform(struct sha1_block_state *state, + const u8 data[SHA1_BLOCK_SIZE]); + +static void sha1_blocks(struct sha1_block_state *state, + const u8 *data, size_t nblocks) +{ + do { + powerpc_sha_transform(state, data); + data +=3D SHA1_BLOCK_SIZE; + } while (--nblocks); +} +#endif /* !CONFIG_SPE */ --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DA8A523A9BE; Sat, 12 Jul 2025 23:26:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362786; cv=none; b=TDqSqX5Rn17ZWKu5LybSRwz6GuF3yB9IScOGCAZNRCkEzorj+yxL24igNx3tdHdfG+gaqPp/1svojSLqrLP+Hyy3s9F8jGyjS8KoLPCRBm+upu+yEzBZT1EzdUY8beVVufMSTd0sS+Gjp6QYZB8aZVtc80eZhPjsKZAY4ImYpDE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362786; c=relaxed/simple; bh=O3ROQxfRSPV6vROVkg/oM0s+Z5uZgY7MSN9jjvnzA2U=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UDbigUL75KwwJIIMuKiAfMEuaBRj7o70V4FjRLZELg9E65+YffjSa+jvvYCaCcqgGcX1xZXCQjxvZSir43kM29f6VtIuzqaL9twlhrvsgA0Bl88m590xHMrFSiiie58BKd1MzTK8szJT/GiXZgfUZHsbI4pm9DdHjOPRESGX5tw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=bzEoJhD4; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="bzEoJhD4" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1B7C7C4CEF6; Sat, 12 Jul 2025 23:26:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362785; bh=O3ROQxfRSPV6vROVkg/oM0s+Z5uZgY7MSN9jjvnzA2U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bzEoJhD4SjhvA2rhiEnzCrfcXUKKMCRILhg7dooVVVs3zW0Un0rieindqGFsF0BGG Q7EgYr4QMQHnXsYSPB0/fe/MyUFf6RBM9HvkAuswTjJpZ7mtlGfEN9PJeamWLebZiV w3VzZAiOb7F1CWIGbfwO14/sIx+7loNZPfvir7i7BvosIqnQXqhxS2pu2qRVPblogj bZHFTeyyhZs0HL9fwJjGGlX2G/920Ix2PxX/2OPsBxefdLBGYCJV5vx5Yld6Iz6hmE 2BmnLXXKszmrZirlLqoQU2R35mAYNHpcdz5h27AGqZEJM/4Q4jjzDXKH1vDrh8+uLk haaU+vmIEj5VQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 11/26] lib/crypto: s390/sha1: Migrate optimized code into library Date: Sat, 12 Jul 2025 16:23:02 -0700 Message-ID: <20250712232329.818226-12-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Instead of exposing the s390-optimized SHA-1 code via s390-specific crypto_shash algorithms, instead just implement the sha1_blocks() library function. This is much simpler, it makes the SHA-1 library functions be s390-optimized, and it fixes the longstanding issue where the s390-optimized SHA-1 code was disabled by default. SHA-1 still remains available through crypto_shash, but individual architectures no longer need to handle it. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- arch/s390/configs/debug_defconfig | 1 - arch/s390/configs/defconfig | 1 - arch/s390/crypto/Kconfig | 10 --- arch/s390/crypto/Makefile | 1 - arch/s390/crypto/sha1_s390.c | 103 ------------------------------ lib/crypto/Kconfig | 1 + lib/crypto/s390/sha1.h | 28 ++++++++ 7 files changed, 29 insertions(+), 116 deletions(-) delete mode 100644 arch/s390/crypto/sha1_s390.c create mode 100644 lib/crypto/s390/sha1.h diff --git a/arch/s390/configs/debug_defconfig b/arch/s390/configs/debug_de= fconfig index ef313c30b375c..a7db7ed287205 100644 --- a/arch/s390/configs/debug_defconfig +++ b/arch/s390/configs/debug_defconfig @@ -802,11 +802,10 @@ CONFIG_CRYPTO_ZSTD=3Dm CONFIG_CRYPTO_ANSI_CPRNG=3Dm CONFIG_CRYPTO_USER_API_HASH=3Dm CONFIG_CRYPTO_USER_API_SKCIPHER=3Dm CONFIG_CRYPTO_USER_API_RNG=3Dm CONFIG_CRYPTO_USER_API_AEAD=3Dm -CONFIG_CRYPTO_SHA1_S390=3Dm CONFIG_CRYPTO_SHA3_256_S390=3Dm CONFIG_CRYPTO_SHA3_512_S390=3Dm CONFIG_CRYPTO_GHASH_S390=3Dm CONFIG_CRYPTO_AES_S390=3Dm CONFIG_CRYPTO_DES_S390=3Dm diff --git a/arch/s390/configs/defconfig b/arch/s390/configs/defconfig index b6fa341bb03b6..0217ed5616bf4 100644 --- a/arch/s390/configs/defconfig +++ b/arch/s390/configs/defconfig @@ -789,11 +789,10 @@ CONFIG_CRYPTO_ANSI_CPRNG=3Dm CONFIG_CRYPTO_JITTERENTROPY_OSR=3D1 CONFIG_CRYPTO_USER_API_HASH=3Dm CONFIG_CRYPTO_USER_API_SKCIPHER=3Dm CONFIG_CRYPTO_USER_API_RNG=3Dm CONFIG_CRYPTO_USER_API_AEAD=3Dm -CONFIG_CRYPTO_SHA1_S390=3Dm CONFIG_CRYPTO_SHA3_256_S390=3Dm CONFIG_CRYPTO_SHA3_512_S390=3Dm CONFIG_CRYPTO_GHASH_S390=3Dm CONFIG_CRYPTO_AES_S390=3Dm CONFIG_CRYPTO_DES_S390=3Dm diff --git a/arch/s390/crypto/Kconfig b/arch/s390/crypto/Kconfig index 4557514fbac35..03f73fbd38b62 100644 --- a/arch/s390/crypto/Kconfig +++ b/arch/s390/crypto/Kconfig @@ -1,19 +1,9 @@ # SPDX-License-Identifier: GPL-2.0 =20 menu "Accelerated Cryptographic Algorithms for CPU (s390)" =20 -config CRYPTO_SHA1_S390 - tristate "Hash functions: SHA-1" - select CRYPTO_HASH - help - SHA-1 secure hash algorithm (FIPS 180) - - Architecture: s390 - - It is available as of z990. - config CRYPTO_SHA3_256_S390 tristate "Hash functions: SHA3-224 and SHA3-256" select CRYPTO_HASH help SHA3-224 and SHA3-256 secure hash algorithms (FIPS 202) diff --git a/arch/s390/crypto/Makefile b/arch/s390/crypto/Makefile index 473d64c0982af..1e5a1038d4914 100644 --- a/arch/s390/crypto/Makefile +++ b/arch/s390/crypto/Makefile @@ -1,11 +1,10 @@ # SPDX-License-Identifier: GPL-2.0 # # Cryptographic API # =20 -obj-$(CONFIG_CRYPTO_SHA1_S390) +=3D sha1_s390.o sha_common.o obj-$(CONFIG_CRYPTO_SHA3_256_S390) +=3D sha3_256_s390.o sha_common.o obj-$(CONFIG_CRYPTO_SHA3_512_S390) +=3D sha3_512_s390.o sha_common.o obj-$(CONFIG_CRYPTO_DES_S390) +=3D des_s390.o obj-$(CONFIG_CRYPTO_AES_S390) +=3D aes_s390.o obj-$(CONFIG_CRYPTO_PAES_S390) +=3D paes_s390.o diff --git a/arch/s390/crypto/sha1_s390.c b/arch/s390/crypto/sha1_s390.c deleted file mode 100644 index d229cbd2ba229..0000000000000 --- a/arch/s390/crypto/sha1_s390.c +++ /dev/null @@ -1,103 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0+ -/* - * Cryptographic API. - * - * s390 implementation of the SHA1 Secure Hash Algorithm. - * - * Derived from cryptoapi implementation, adapted for in-place - * scatterlist interface. Originally based on the public domain - * implementation written by Steve Reid. - * - * s390 Version: - * Copyright IBM Corp. 2003, 2007 - * Author(s): Thomas Spatzier - * Jan Glauber (jan.glauber@de.ibm.com) - * - * Derived from "crypto/sha1_generic.c" - * Copyright (c) Alan Smithee. - * Copyright (c) Andrew McDonald - * Copyright (c) Jean-Francois Dive - */ -#include -#include -#include -#include -#include -#include - -#include "sha.h" - -static int s390_sha1_init(struct shash_desc *desc) -{ - struct s390_sha_ctx *sctx =3D shash_desc_ctx(desc); - - sctx->state[0] =3D SHA1_H0; - sctx->state[1] =3D SHA1_H1; - sctx->state[2] =3D SHA1_H2; - sctx->state[3] =3D SHA1_H3; - sctx->state[4] =3D SHA1_H4; - sctx->count =3D 0; - sctx->func =3D CPACF_KIMD_SHA_1; - - return 0; -} - -static int s390_sha1_export(struct shash_desc *desc, void *out) -{ - struct s390_sha_ctx *sctx =3D shash_desc_ctx(desc); - struct sha1_state *octx =3D out; - - octx->count =3D sctx->count; - memcpy(octx->state, sctx->state, sizeof(octx->state)); - return 0; -} - -static int s390_sha1_import(struct shash_desc *desc, const void *in) -{ - struct s390_sha_ctx *sctx =3D shash_desc_ctx(desc); - const struct sha1_state *ictx =3D in; - - sctx->count =3D ictx->count; - memcpy(sctx->state, ictx->state, sizeof(ictx->state)); - sctx->func =3D CPACF_KIMD_SHA_1; - return 0; -} - -static struct shash_alg alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D s390_sha1_init, - .update =3D s390_sha_update_blocks, - .finup =3D s390_sha_finup, - .export =3D s390_sha1_export, - .import =3D s390_sha1_import, - .descsize =3D S390_SHA_CTX_SIZE, - .statesize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name=3D "sha1-s390", - .cra_priority =3D 300, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY | - CRYPTO_AHASH_ALG_FINUP_MAX, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static int __init sha1_s390_init(void) -{ - if (!cpacf_query_func(CPACF_KIMD, CPACF_KIMD_SHA_1)) - return -ENODEV; - return crypto_register_shash(&alg); -} - -static void __exit sha1_s390_fini(void) -{ - crypto_unregister_shash(&alg); -} - -module_cpu_feature_match(S390_CPU_FEATURE_MSA, sha1_s390_init); -module_exit(sha1_s390_fini); - -MODULE_ALIAS_CRYPTO("sha1"); -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm"); diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index e842f173cadec..2c55b75cea525 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -148,10 +148,11 @@ config CRYPTO_LIB_SHA1_ARCH depends on CRYPTO_LIB_SHA1 && !UML default y if ARM default y if ARM64 && KERNEL_MODE_NEON default y if MIPS && CPU_CAVIUM_OCTEON default y if PPC + default y if S390 =20 config CRYPTO_LIB_SHA256 tristate help Enable the SHA-256 library interface. This interface may be fulfilled diff --git a/lib/crypto/s390/sha1.h b/lib/crypto/s390/sha1.h new file mode 100644 index 0000000000000..08bd138e881cc --- /dev/null +++ b/lib/crypto/s390/sha1.h @@ -0,0 +1,28 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * SHA-1 optimized using the CP Assist for Cryptographic Functions (CPACF) + * + * Copyright 2025 Google LLC + */ +#include +#include + +static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_cpacf_sha1); + +static void sha1_blocks(struct sha1_block_state *state, + const u8 *data, size_t nblocks) +{ + if (static_branch_likely(&have_cpacf_sha1)) + cpacf_kimd(CPACF_KIMD_SHA_1, state, data, + nblocks * SHA1_BLOCK_SIZE); + else + sha1_blocks_generic(state, data, nblocks); +} + +#define sha1_mod_init_arch sha1_mod_init_arch +static inline void sha1_mod_init_arch(void) +{ + if (cpu_have_feature(S390_CPU_FEATURE_MSA) && + cpacf_query_func(CPACF_KIMD, CPACF_KIMD_SHA_1)) + static_branch_enable(&have_cpacf_sha1); +} --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 53E8B23ABBB; Sat, 12 Jul 2025 23:26:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362786; cv=none; b=XFRnGpw6HvrvTiEzmXWyyGKR0mSvB8kXaq1wTtKCgEOAW+iJOkydhN29wsh+MppOvAhi5pZTHe529N+MVKUe/xoqSFMA1ne9lklsiuT/V26hO05u/zh3OsVs7qBuaF+SKVeUyZJKfbN1z0252q57uJRrJak9m8J5c4SHRQ77re0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362786; c=relaxed/simple; bh=LruJqtF+TwmkPV/aEz/JpTzpQv42VX6b1q36sAkdMHQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=O8iJHzvWiD18Hhn/q49I/dldczgUYvVvvhxib+fI93+bOFQEJSTlhZRbQfLYrIg0cbp3T3UztOXP/wD2EFO866yYM17MwbAHEowUh9kbHmyJfU6c+u1i+DBCoIA0wcjcidepeTBvPoQ69xGYtP3U8tbI/W7Ebn/PGF8vjoTpvds= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=NHeLA/KH; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="NHeLA/KH" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8D961C4CEF7; Sat, 12 Jul 2025 23:26:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362785; bh=LruJqtF+TwmkPV/aEz/JpTzpQv42VX6b1q36sAkdMHQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=NHeLA/KHLKl2QWc9TBszQnASmUzxeJUh4BNHOt6A3lNhYy9I4pp3sYrQKd72LR60z KGyJEWc1AzAAFX0ofjFZOaBPDWGm3LabMi5tr448sdAoMQAjXowUc2H82oe4Urk6qV GosEozTuBSz9eu2210F9B6S64TfigAzo5I5P25QUBsw50TxOqjpT+KMGWe/IcoB1AZ 7gDqTHuRg1Ry3yGHTSm37EYcGLJFyh4cXIHMKu1j7fuB5ltEkmNCkhf0jYwsA2L88E y/V+h9TEba4VUQqRGtSmZ0vKvRQv3S8nFvJSvdRakRfQNE6hSFJyOT0BR021XuPglF jGIUNOMddbOZA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 12/26] lib/crypto: sparc/sha1: Migrate optimized code into library Date: Sat, 12 Jul 2025 16:23:03 -0700 Message-ID: <20250712232329.818226-13-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Instead of exposing the sparc-optimized SHA-1 code via sparc-specific crypto_shash algorithms, instead just implement the sha1_blocks() library function. This is much simpler, it makes the SHA-1 library functions be sparc-optimized, and it fixes the longstanding issue where the sparc-optimized SHA-1 code was disabled by default. SHA-1 still remains available through crypto_shash, but individual architectures no longer need to handle it. Note: to see the diff from arch/sparc/crypto/sha1_glue.c to lib/crypto/sparc/sha1.h, view this commit with 'git show -M10'. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- arch/sparc/crypto/Kconfig | 10 -- arch/sparc/crypto/Makefile | 2 - arch/sparc/crypto/sha1_glue.c | 94 ------------------- lib/crypto/Kconfig | 1 + lib/crypto/Makefile | 1 + lib/crypto/sparc/sha1.h | 43 +++++++++ .../crypto =3D> lib/crypto/sparc}/sha1_asm.S | 0 7 files changed, 45 insertions(+), 106 deletions(-) delete mode 100644 arch/sparc/crypto/sha1_glue.c create mode 100644 lib/crypto/sparc/sha1.h rename {arch/sparc/crypto =3D> lib/crypto/sparc}/sha1_asm.S (100%) diff --git a/arch/sparc/crypto/Kconfig b/arch/sparc/crypto/Kconfig index 9d8da9aef3a41..f5b2e720fec3c 100644 --- a/arch/sparc/crypto/Kconfig +++ b/arch/sparc/crypto/Kconfig @@ -24,20 +24,10 @@ config CRYPTO_MD5_SPARC64 help MD5 message digest algorithm (RFC1321) =20 Architecture: sparc64 using crypto instructions, when available =20 -config CRYPTO_SHA1_SPARC64 - tristate "Hash functions: SHA-1" - depends on SPARC64 - select CRYPTO_SHA1 - select CRYPTO_HASH - help - SHA-1 secure hash algorithm (FIPS 180) - - Architecture: sparc64 - config CRYPTO_AES_SPARC64 tristate "Ciphers: AES, modes: ECB, CBC, CTR" depends on SPARC64 select CRYPTO_SKCIPHER help diff --git a/arch/sparc/crypto/Makefile b/arch/sparc/crypto/Makefile index 99a7e8fd13bc9..0d05a17988c4c 100644 --- a/arch/sparc/crypto/Makefile +++ b/arch/sparc/crypto/Makefile @@ -1,18 +1,16 @@ # SPDX-License-Identifier: GPL-2.0 # # Arch-specific CryptoAPI modules. # =20 -obj-$(CONFIG_CRYPTO_SHA1_SPARC64) +=3D sha1-sparc64.o obj-$(CONFIG_CRYPTO_MD5_SPARC64) +=3D md5-sparc64.o =20 obj-$(CONFIG_CRYPTO_AES_SPARC64) +=3D aes-sparc64.o obj-$(CONFIG_CRYPTO_DES_SPARC64) +=3D des-sparc64.o obj-$(CONFIG_CRYPTO_CAMELLIA_SPARC64) +=3D camellia-sparc64.o =20 -sha1-sparc64-y :=3D sha1_asm.o sha1_glue.o md5-sparc64-y :=3D md5_asm.o md5_glue.o =20 aes-sparc64-y :=3D aes_asm.o aes_glue.o des-sparc64-y :=3D des_asm.o des_glue.o camellia-sparc64-y :=3D camellia_asm.o camellia_glue.o diff --git a/arch/sparc/crypto/sha1_glue.c b/arch/sparc/crypto/sha1_glue.c deleted file mode 100644 index ef19d5023b1bc..0000000000000 --- a/arch/sparc/crypto/sha1_glue.c +++ /dev/null @@ -1,94 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* Glue code for SHA1 hashing optimized for sparc64 crypto opcodes. - * - * This is based largely upon arch/x86/crypto/sha1_ssse3_glue.c - * - * Copyright (c) Alan Smithee. - * Copyright (c) Andrew McDonald - * Copyright (c) Jean-Francois Dive - * Copyright (c) Mathias Krause - */ - -#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt - -#include -#include -#include -#include -#include -#include -#include -#include - -asmlinkage void sha1_sparc64_transform(struct sha1_state *digest, - const u8 *data, int rounds); - -static int sha1_sparc64_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - return sha1_base_do_update_blocks(desc, data, len, - sha1_sparc64_transform); -} - -/* Add padding and return the message digest. */ -static int sha1_sparc64_finup(struct shash_desc *desc, const u8 *src, - unsigned int len, u8 *out) -{ - sha1_base_do_finup(desc, src, len, sha1_sparc64_transform); - return sha1_base_finish(desc, out); -} - -static struct shash_alg alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D sha1_base_init, - .update =3D sha1_sparc64_update, - .finup =3D sha1_sparc64_finup, - .descsize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name=3D "sha1-sparc64", - .cra_priority =3D SPARC_CR_OPCODE_PRIORITY, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static bool __init sparc64_has_sha1_opcode(void) -{ - unsigned long cfr; - - if (!(sparc64_elf_hwcap & HWCAP_SPARC_CRYPTO)) - return false; - - __asm__ __volatile__("rd %%asr26, %0" : "=3Dr" (cfr)); - if (!(cfr & CFR_SHA1)) - return false; - - return true; -} - -static int __init sha1_sparc64_mod_init(void) -{ - if (sparc64_has_sha1_opcode()) { - pr_info("Using sparc64 sha1 opcode optimized SHA-1 implementation\n"); - return crypto_register_shash(&alg); - } - pr_info("sparc64 sha1 opcode not available.\n"); - return -ENODEV; -} - -static void __exit sha1_sparc64_mod_fini(void) -{ - crypto_unregister_shash(&alg); -} - -module_init(sha1_sparc64_mod_init); -module_exit(sha1_sparc64_mod_fini); - -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm, sparc64 sha1 opcode accele= rated"); - -MODULE_ALIAS_CRYPTO("sha1"); - -#include "crop_devid.c" diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index 2c55b75cea525..3405789bebbe6 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -149,10 +149,11 @@ config CRYPTO_LIB_SHA1_ARCH default y if ARM default y if ARM64 && KERNEL_MODE_NEON default y if MIPS && CPU_CAVIUM_OCTEON default y if PPC default y if S390 + default y if SPARC64 =20 config CRYPTO_LIB_SHA256 tristate help Enable the SHA-256 library interface. This interface may be fulfilled diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 3f4199c079307..6e49e00b4a0a2 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -81,10 +81,11 @@ endif libsha1-$(CONFIG_ARM64) +=3D arm64/sha1-ce-core.o ifeq ($(CONFIG_PPC),y) libsha1-y +=3D powerpc/sha1-powerpc-asm.o libsha1-$(CONFIG_SPE) +=3D powerpc/sha1-spe-asm.o endif +libsha1-$(CONFIG_SPARC) +=3D sparc/sha1_asm.o endif # CONFIG_CRYPTO_LIB_SHA1_ARCH =20 ##########################################################################= ###### =20 obj-$(CONFIG_CRYPTO_LIB_SHA256) +=3D libsha256.o diff --git a/lib/crypto/sparc/sha1.h b/lib/crypto/sparc/sha1.h new file mode 100644 index 0000000000000..5015f93584b7e --- /dev/null +++ b/lib/crypto/sparc/sha1.h @@ -0,0 +1,43 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * SHA-1 accelerated using the sparc64 crypto opcodes + * + * Copyright (c) Alan Smithee. + * Copyright (c) Andrew McDonald + * Copyright (c) Jean-Francois Dive + * Copyright (c) Mathias Krause + */ + +#include +#include +#include + +static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_sha1_opcodes); + +asmlinkage void sha1_sparc64_transform(struct sha1_block_state *state, + const u8 *data, size_t nblocks); + +static void sha1_blocks(struct sha1_block_state *state, + const u8 *data, size_t nblocks) +{ + if (static_branch_likely(&have_sha1_opcodes)) + sha1_sparc64_transform(state, data, nblocks); + else + sha1_blocks_generic(state, data, nblocks); +} + +#define sha1_mod_init_arch sha1_mod_init_arch +static inline void sha1_mod_init_arch(void) +{ + unsigned long cfr; + + if (!(sparc64_elf_hwcap & HWCAP_SPARC_CRYPTO)) + return; + + __asm__ __volatile__("rd %%asr26, %0" : "=3Dr" (cfr)); + if (!(cfr & CFR_SHA1)) + return; + + static_branch_enable(&have_sha1_opcodes); + pr_info("Using sparc64 sha1 opcode optimized SHA-1 implementation\n"); +} diff --git a/arch/sparc/crypto/sha1_asm.S b/lib/crypto/sparc/sha1_asm.S similarity index 100% rename from arch/sparc/crypto/sha1_asm.S rename to lib/crypto/sparc/sha1_asm.S --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F0B5623BD02; Sat, 12 Jul 2025 23:26:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362787; cv=none; b=OZ0eDgUhegycAq5hIeys8fSKq8gZlBFLheDkcjE7EEMbGW/h3G3E6saVkjoCw/tcrKoCm6dfyMBNbNqHQnzQX/+cne8PEHWS1XRD7zbkPKJ4Tpz5ktGsUIHuORr/y6uIUWJsZyGGy2mflvd6c34OfsZehq8miQ4+yBR83q9Y/fg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362787; c=relaxed/simple; bh=SPZChn54e0x1BPD7Cx0ngiSiHMegWn4xMaHKEKQ8lCU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=I5PYT+CbAqF629emK3FYjfUNLplLmYImjGzNGg/I9E1a3mSHkIAXLocEGaqMBrBE+eBISvlBsUnL7MHylVApB58CdFDvIvKfjeo2xMJV5zScG4GIvOY1m2WRSR1ogm1rjlSJe+Q4iQUOCaA42AtM5geel3Mb2T4LouWBtSs+jLk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=CbF5yfXh; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="CbF5yfXh" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0B235C4CEF5; Sat, 12 Jul 2025 23:26:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362786; bh=SPZChn54e0x1BPD7Cx0ngiSiHMegWn4xMaHKEKQ8lCU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CbF5yfXhHCPwFCl1Aj5K7Wgk2SBbDM2WfVLW1eTPqq2c9DntFa1SRnHJa8Z+quOlm sjhK1lqAmAHpZAdWXsWuMkjhL73vs0bmGY+OMblmG81Eo4Ynm/sEKhTRN5t7hwcokm 2EtWV+/wbfnGQWQouMQy459/x2nXoGmXARst9VxMwJLrUcYUUIebI5KlvmxcVAwIVB 1j3joqn+++kkM9FIQWqfg2bPtu3B+jdWA9BRyWgjFIkYPSjxX2i+6LCf25lzJulBfK ypHjOXv64A1uKvIsnVEc8E4n4z8XmdpDhrHdOQVENmrQcTe5hJJZD2mqR2eogiRIXb sqeaCAY05kiqA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 13/26] lib/crypto: x86/sha1: Migrate optimized code into library Date: Sat, 12 Jul 2025 16:23:04 -0700 Message-ID: <20250712232329.818226-14-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Instead of exposing the x86-optimized SHA-1 code via x86-specific crypto_shash algorithms, instead just implement the sha1_blocks() library function. This is much simpler, it makes the SHA-1 library functions be x86-optimized, and it fixes the longstanding issue where the x86-optimized SHA-1 code was disabled by default. SHA-1 still remains available through crypto_shash, but individual architectures no longer need to handle it. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- arch/x86/crypto/Kconfig | 14 - arch/x86/crypto/Makefile | 3 - arch/x86/crypto/sha1_ssse3_glue.c | 324 ------------------ lib/crypto/Kconfig | 1 + lib/crypto/Makefile | 3 + .../crypto/x86/sha1-avx2-asm.S | 7 +- .../crypto/x86/sha1-ni-asm.S | 23 +- .../crypto/x86/sha1-ssse3-and-avx.S | 13 +- lib/crypto/x86/sha1.h | 75 ++++ 9 files changed, 95 insertions(+), 368 deletions(-) delete mode 100644 arch/x86/crypto/sha1_ssse3_glue.c rename arch/x86/crypto/sha1_avx2_x86_64_asm.S =3D> lib/crypto/x86/sha1-avx= 2-asm.S (98%) rename arch/x86/crypto/sha1_ni_asm.S =3D> lib/crypto/x86/sha1-ni-asm.S (90= %) rename arch/x86/crypto/sha1_ssse3_asm.S =3D> lib/crypto/x86/sha1-ssse3-and= -avx.S (97%) create mode 100644 lib/crypto/x86/sha1.h diff --git a/arch/x86/crypto/Kconfig b/arch/x86/crypto/Kconfig index eb641a300154e..94016c60561e2 100644 --- a/arch/x86/crypto/Kconfig +++ b/arch/x86/crypto/Kconfig @@ -374,24 +374,10 @@ config CRYPTO_POLYVAL_CLMUL_NI POLYVAL hash function for HCTR2 =20 Architecture: x86_64 using: - CLMUL-NI (carry-less multiplication new instructions) =20 -config CRYPTO_SHA1_SSSE3 - tristate "Hash functions: SHA-1 (SSSE3/AVX/AVX2/SHA-NI)" - depends on 64BIT - select CRYPTO_SHA1 - select CRYPTO_HASH - help - SHA-1 secure hash algorithm (FIPS 180) - - Architecture: x86_64 using: - - SSSE3 (Supplemental SSE3) - - AVX (Advanced Vector Extensions) - - AVX2 (Advanced Vector Extensions 2) - - SHA-NI (SHA Extensions New Instructions) - config CRYPTO_SM3_AVX_X86_64 tristate "Hash functions: SM3 (AVX)" depends on 64BIT select CRYPTO_HASH select CRYPTO_LIB_SM3 diff --git a/arch/x86/crypto/Makefile b/arch/x86/crypto/Makefile index d31348be83704..d402963d6b579 100644 --- a/arch/x86/crypto/Makefile +++ b/arch/x86/crypto/Makefile @@ -49,13 +49,10 @@ aesni-intel-$(CONFIG_64BIT) +=3D aes-ctr-avx-x86_64.o \ aes-xts-avx-x86_64.o ifeq ($(CONFIG_AS_VAES)$(CONFIG_AS_VPCLMULQDQ),yy) aesni-intel-$(CONFIG_64BIT) +=3D aes-gcm-avx10-x86_64.o endif =20 -obj-$(CONFIG_CRYPTO_SHA1_SSSE3) +=3D sha1-ssse3.o -sha1-ssse3-y :=3D sha1_avx2_x86_64_asm.o sha1_ssse3_asm.o sha1_ni_asm.o sh= a1_ssse3_glue.o - obj-$(CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL) +=3D ghash-clmulni-intel.o ghash-clmulni-intel-y :=3D ghash-clmulni-intel_asm.o ghash-clmulni-intel_g= lue.o =20 obj-$(CONFIG_CRYPTO_POLYVAL_CLMUL_NI) +=3D polyval-clmulni.o polyval-clmulni-y :=3D polyval-clmulni_asm.o polyval-clmulni_glue.o diff --git a/arch/x86/crypto/sha1_ssse3_glue.c b/arch/x86/crypto/sha1_ssse3= _glue.c deleted file mode 100644 index 826579a7473c4..0000000000000 --- a/arch/x86/crypto/sha1_ssse3_glue.c +++ /dev/null @@ -1,324 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-or-later -/* - * Cryptographic API. - * - * Glue code for the SHA1 Secure Hash Algorithm assembler implementations - * using SSSE3, AVX, AVX2, and SHA-NI instructions. - * - * This file is based on sha1_generic.c - * - * Copyright (c) Alan Smithee. - * Copyright (c) Andrew McDonald - * Copyright (c) Jean-Francois Dive - * Copyright (c) Mathias Krause - * Copyright (c) Chandramouli Narayanan - */ - -#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt - -#include -#include -#include -#include -#include -#include -#include -#include - -static const struct x86_cpu_id module_cpu_ids[] =3D { - X86_MATCH_FEATURE(X86_FEATURE_SHA_NI, NULL), - X86_MATCH_FEATURE(X86_FEATURE_AVX2, NULL), - X86_MATCH_FEATURE(X86_FEATURE_AVX, NULL), - X86_MATCH_FEATURE(X86_FEATURE_SSSE3, NULL), - {} -}; -MODULE_DEVICE_TABLE(x86cpu, module_cpu_ids); - -static inline int sha1_update_x86(struct shash_desc *desc, const u8 *data, - unsigned int len, sha1_block_fn *sha1_xform) -{ - int remain; - - /* - * Make sure struct sha1_state begins directly with the SHA1 - * 160-bit internal state, as this is what the asm functions expect. - */ - BUILD_BUG_ON(offsetof(struct sha1_state, state) !=3D 0); - - kernel_fpu_begin(); - remain =3D sha1_base_do_update_blocks(desc, data, len, sha1_xform); - kernel_fpu_end(); - - return remain; -} - -static inline int sha1_finup(struct shash_desc *desc, const u8 *data, - unsigned int len, u8 *out, - sha1_block_fn *sha1_xform) -{ - kernel_fpu_begin(); - sha1_base_do_finup(desc, data, len, sha1_xform); - kernel_fpu_end(); - - return sha1_base_finish(desc, out); -} - -asmlinkage void sha1_transform_ssse3(struct sha1_state *state, - const u8 *data, int blocks); - -static int sha1_ssse3_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - return sha1_update_x86(desc, data, len, sha1_transform_ssse3); -} - -static int sha1_ssse3_finup(struct shash_desc *desc, const u8 *data, - unsigned int len, u8 *out) -{ - return sha1_finup(desc, data, len, out, sha1_transform_ssse3); -} - -static struct shash_alg sha1_ssse3_alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D sha1_base_init, - .update =3D sha1_ssse3_update, - .finup =3D sha1_ssse3_finup, - .descsize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name =3D "sha1-ssse3", - .cra_priority =3D 150, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static int register_sha1_ssse3(void) -{ - if (boot_cpu_has(X86_FEATURE_SSSE3)) - return crypto_register_shash(&sha1_ssse3_alg); - return 0; -} - -static void unregister_sha1_ssse3(void) -{ - if (boot_cpu_has(X86_FEATURE_SSSE3)) - crypto_unregister_shash(&sha1_ssse3_alg); -} - -asmlinkage void sha1_transform_avx(struct sha1_state *state, - const u8 *data, int blocks); - -static int sha1_avx_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - return sha1_update_x86(desc, data, len, sha1_transform_avx); -} - -static int sha1_avx_finup(struct shash_desc *desc, const u8 *data, - unsigned int len, u8 *out) -{ - return sha1_finup(desc, data, len, out, sha1_transform_avx); -} - -static struct shash_alg sha1_avx_alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D sha1_base_init, - .update =3D sha1_avx_update, - .finup =3D sha1_avx_finup, - .descsize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name =3D "sha1-avx", - .cra_priority =3D 160, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static bool avx_usable(void) -{ - if (!cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL)) { - if (boot_cpu_has(X86_FEATURE_AVX)) - pr_info("AVX detected but unusable.\n"); - return false; - } - - return true; -} - -static int register_sha1_avx(void) -{ - if (avx_usable()) - return crypto_register_shash(&sha1_avx_alg); - return 0; -} - -static void unregister_sha1_avx(void) -{ - if (avx_usable()) - crypto_unregister_shash(&sha1_avx_alg); -} - -#define SHA1_AVX2_BLOCK_OPTSIZE 4 /* optimal 4*64 bytes of SHA1 blocks */ - -asmlinkage void sha1_transform_avx2(struct sha1_state *state, - const u8 *data, int blocks); - -static bool avx2_usable(void) -{ - if (avx_usable() && boot_cpu_has(X86_FEATURE_AVX2) - && boot_cpu_has(X86_FEATURE_BMI1) - && boot_cpu_has(X86_FEATURE_BMI2)) - return true; - - return false; -} - -static inline void sha1_apply_transform_avx2(struct sha1_state *state, - const u8 *data, int blocks) -{ - /* Select the optimal transform based on data block size */ - if (blocks >=3D SHA1_AVX2_BLOCK_OPTSIZE) - sha1_transform_avx2(state, data, blocks); - else - sha1_transform_avx(state, data, blocks); -} - -static int sha1_avx2_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - return sha1_update_x86(desc, data, len, sha1_apply_transform_avx2); -} - -static int sha1_avx2_finup(struct shash_desc *desc, const u8 *data, - unsigned int len, u8 *out) -{ - return sha1_finup(desc, data, len, out, sha1_apply_transform_avx2); -} - -static struct shash_alg sha1_avx2_alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D sha1_base_init, - .update =3D sha1_avx2_update, - .finup =3D sha1_avx2_finup, - .descsize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name =3D "sha1-avx2", - .cra_priority =3D 170, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static int register_sha1_avx2(void) -{ - if (avx2_usable()) - return crypto_register_shash(&sha1_avx2_alg); - return 0; -} - -static void unregister_sha1_avx2(void) -{ - if (avx2_usable()) - crypto_unregister_shash(&sha1_avx2_alg); -} - -asmlinkage void sha1_ni_transform(struct sha1_state *digest, const u8 *dat= a, - int rounds); - -static int sha1_ni_update(struct shash_desc *desc, const u8 *data, - unsigned int len) -{ - return sha1_update_x86(desc, data, len, sha1_ni_transform); -} - -static int sha1_ni_finup(struct shash_desc *desc, const u8 *data, - unsigned int len, u8 *out) -{ - return sha1_finup(desc, data, len, out, sha1_ni_transform); -} - -static struct shash_alg sha1_ni_alg =3D { - .digestsize =3D SHA1_DIGEST_SIZE, - .init =3D sha1_base_init, - .update =3D sha1_ni_update, - .finup =3D sha1_ni_finup, - .descsize =3D SHA1_STATE_SIZE, - .base =3D { - .cra_name =3D "sha1", - .cra_driver_name =3D "sha1-ni", - .cra_priority =3D 250, - .cra_flags =3D CRYPTO_AHASH_ALG_BLOCK_ONLY, - .cra_blocksize =3D SHA1_BLOCK_SIZE, - .cra_module =3D THIS_MODULE, - } -}; - -static int register_sha1_ni(void) -{ - if (boot_cpu_has(X86_FEATURE_SHA_NI)) - return crypto_register_shash(&sha1_ni_alg); - return 0; -} - -static void unregister_sha1_ni(void) -{ - if (boot_cpu_has(X86_FEATURE_SHA_NI)) - crypto_unregister_shash(&sha1_ni_alg); -} - -static int __init sha1_ssse3_mod_init(void) -{ - if (!x86_match_cpu(module_cpu_ids)) - return -ENODEV; - - if (register_sha1_ssse3()) - goto fail; - - if (register_sha1_avx()) { - unregister_sha1_ssse3(); - goto fail; - } - - if (register_sha1_avx2()) { - unregister_sha1_avx(); - unregister_sha1_ssse3(); - goto fail; - } - - if (register_sha1_ni()) { - unregister_sha1_avx2(); - unregister_sha1_avx(); - unregister_sha1_ssse3(); - goto fail; - } - - return 0; -fail: - return -ENODEV; -} - -static void __exit sha1_ssse3_mod_fini(void) -{ - unregister_sha1_ni(); - unregister_sha1_avx2(); - unregister_sha1_avx(); - unregister_sha1_ssse3(); -} - -module_init(sha1_ssse3_mod_init); -module_exit(sha1_ssse3_mod_fini); - -MODULE_LICENSE("GPL"); -MODULE_DESCRIPTION("SHA1 Secure Hash Algorithm, Supplemental SSE3 accelera= ted"); - -MODULE_ALIAS_CRYPTO("sha1"); -MODULE_ALIAS_CRYPTO("sha1-ssse3"); -MODULE_ALIAS_CRYPTO("sha1-avx"); -MODULE_ALIAS_CRYPTO("sha1-avx2"); -MODULE_ALIAS_CRYPTO("sha1-ni"); diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index 3405789bebbe6..c2b65b6a9bb6f 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -150,10 +150,11 @@ config CRYPTO_LIB_SHA1_ARCH default y if ARM64 && KERNEL_MODE_NEON default y if MIPS && CPU_CAVIUM_OCTEON default y if PPC default y if S390 default y if SPARC64 + default y if X86_64 =20 config CRYPTO_LIB_SHA256 tristate help Enable the SHA-256 library interface. This interface may be fulfilled diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 6e49e00b4a0a2..e4151be2ebd44 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -82,10 +82,13 @@ libsha1-$(CONFIG_ARM64) +=3D arm64/sha1-ce-core.o ifeq ($(CONFIG_PPC),y) libsha1-y +=3D powerpc/sha1-powerpc-asm.o libsha1-$(CONFIG_SPE) +=3D powerpc/sha1-spe-asm.o endif libsha1-$(CONFIG_SPARC) +=3D sparc/sha1_asm.o +libsha1-$(CONFIG_X86) +=3D x86/sha1-ssse3-and-avx.o \ + x86/sha1-avx2-asm.o \ + x86/sha1-ni-asm.o endif # CONFIG_CRYPTO_LIB_SHA1_ARCH =20 ##########################################################################= ###### =20 obj-$(CONFIG_CRYPTO_LIB_SHA256) +=3D libsha256.o diff --git a/arch/x86/crypto/sha1_avx2_x86_64_asm.S b/lib/crypto/x86/sha1-a= vx2-asm.S similarity index 98% rename from arch/x86/crypto/sha1_avx2_x86_64_asm.S rename to lib/crypto/x86/sha1-avx2-asm.S index 4b49bdc952658..91b2dc6db179f 100644 --- a/arch/x86/crypto/sha1_avx2_x86_64_asm.S +++ b/lib/crypto/x86/sha1-avx2-asm.S @@ -60,15 +60,12 @@ * *This implementation is based on the previous SSSE3 release: *Visit http://software.intel.com/en-us/articles/ *and refer to improving-the-performance-of-the-secure-hash-algorithm-1/ * - *Updates 20-byte SHA-1 record at start of 'state', from 'input', for - *even number of 'blocks' consecutive 64-byte blocks. - * - *extern "C" void sha1_transform_avx2( - * struct sha1_state *state, const u8* input, int blocks ); + * void sha1_transform_avx2(struct sha1_block_state *state, + * const u8 *data, size_t nblocks); */ =20 #include =20 #define CTX %rdi /* arg1 */ diff --git a/arch/x86/crypto/sha1_ni_asm.S b/lib/crypto/x86/sha1-ni-asm.S similarity index 90% rename from arch/x86/crypto/sha1_ni_asm.S rename to lib/crypto/x86/sha1-ni-asm.S index cade913d48822..3989b0642ff5f 100644 --- a/arch/x86/crypto/sha1_ni_asm.S +++ b/lib/crypto/x86/sha1-ni-asm.S @@ -52,11 +52,10 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ =20 #include -#include =20 #define DIGEST_PTR %rdi /* 1st arg */ #define DATA_PTR %rsi /* 2nd arg */ #define NUM_BLKS %rdx /* 3rd arg */ =20 @@ -72,30 +71,26 @@ #define MSG3 %xmm6 #define SHUF_MASK %xmm7 =20 =20 /* - * Intel SHA Extensions optimized implementation of a SHA-1 update function + * Intel SHA Extensions optimized implementation of a SHA-1 block function * - * The function takes a pointer to the current hash values, a pointer to t= he - * input data, and a number of 64 byte blocks to process. Once all blocks= have - * been processed, the digest pointer is updated with the resulting hash = value. - * The function only processes complete blocks, there is no functionality = to - * store partial blocks. All message padding and hash value initialization= must - * be done outside the update function. + * This function takes a pointer to the current SHA-1 state, a pointer to = the + * input data, and the number of 64-byte blocks to process. Once all bloc= ks + * have been processed, the state is updated with the new state. This fun= ction + * only processes complete blocks. State initialization, buffering of par= tial + * blocks, and digest finalization are expected to be handled elsewhere. * * The indented lines in the loop are instructions related to rounds proce= ssing. * The non-indented lines are instructions related to the message schedule. * - * void sha1_ni_transform(uint32_t *digest, const void *data, - uint32_t numBlocks) - * digest : pointer to digest - * data: pointer to input data - * numBlocks: Number of blocks to process + * void sha1_ni_transform(struct sha1_block_state *state, + * const u8 *data, size_t nblocks) */ .text -SYM_TYPED_FUNC_START(sha1_ni_transform) +SYM_FUNC_START(sha1_ni_transform) push %rbp mov %rsp, %rbp sub $FRAME_SIZE, %rsp and $~0xF, %rsp =20 diff --git a/arch/x86/crypto/sha1_ssse3_asm.S b/lib/crypto/x86/sha1-ssse3-a= nd-avx.S similarity index 97% rename from arch/x86/crypto/sha1_ssse3_asm.S rename to lib/crypto/x86/sha1-ssse3-and-avx.S index f54988c80eb40..78b48cb09c5b9 100644 --- a/arch/x86/crypto/sha1_ssse3_asm.S +++ b/lib/crypto/x86/sha1-ssse3-and-avx.S @@ -23,11 +23,10 @@ * Converted to AT&T syntax and adapted for inclusion in the Linux kernel: * Author: Mathias Krause */ =20 #include -#include =20 #define CTX %rdi // arg1 #define BUF %rsi // arg2 #define CNT %rdx // arg3 =20 @@ -66,11 +65,11 @@ /* * This macro implements the SHA-1 function's body for single 64-byte block * param: function's name */ .macro SHA1_VECTOR_ASM name - SYM_TYPED_FUNC_START(\name) + SYM_FUNC_START(\name) =20 push %rbx push %r12 push %rbp mov %rsp, %rbp @@ -459,14 +458,12 @@ W_PRECALC_SSSE3 .endm =20 /* * SSSE3 optimized implementation: * - * extern "C" void sha1_transform_ssse3(struct sha1_state *state, - * const u8 *data, int blocks); - * - * Note that struct sha1_state is assumed to begin with u32 state[5]. + * void sha1_transform_ssse3(struct sha1_block_state *state, + * const u8 *data, size_t nblocks); */ SHA1_VECTOR_ASM sha1_transform_ssse3 =20 .macro W_PRECALC_AVX =20 @@ -546,9 +543,9 @@ W_PRECALC_AVX vmovdqu \a,\b .endm =20 =20 /* AVX optimized implementation: - * extern "C" void sha1_transform_avx(struct sha1_state *state, - * const u8 *data, int blocks); + * void sha1_transform_avx(struct sha1_block_state *state, + * const u8 *data, size_t nblocks); */ SHA1_VECTOR_ASM sha1_transform_avx diff --git a/lib/crypto/x86/sha1.h b/lib/crypto/x86/sha1.h new file mode 100644 index 0000000000000..a26b85950003e --- /dev/null +++ b/lib/crypto/x86/sha1.h @@ -0,0 +1,75 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * SHA-1 optimized for x86_64 + * + * Copyright 2025 Google LLC + */ +#include +#include +#include + +DEFINE_STATIC_CALL(sha1_blocks_x86, sha1_blocks_generic); + +#define DEFINE_X86_SHA1_FN(c_fn, asm_fn) \ + asmlinkage void asm_fn(struct sha1_block_state *state, \ + const u8 *data, size_t nblocks); \ + static void c_fn(struct sha1_block_state *state, \ + const u8 *data, size_t nblocks) \ + { \ + if (likely(irq_fpu_usable())) { \ + kernel_fpu_begin(); \ + asm_fn(state, data, nblocks); \ + kernel_fpu_end(); \ + } else { \ + sha1_blocks_generic(state, data, nblocks); \ + } \ + } + +DEFINE_X86_SHA1_FN(sha1_blocks_ssse3, sha1_transform_ssse3); +DEFINE_X86_SHA1_FN(sha1_blocks_avx, sha1_transform_avx); +DEFINE_X86_SHA1_FN(sha1_blocks_ni, sha1_ni_transform); + +#define SHA1_AVX2_BLOCK_OPTSIZE 4 /* optimal 4*64 bytes of SHA1 blocks */ + +asmlinkage void sha1_transform_avx2(struct sha1_block_state *state, + const u8 *data, size_t nblocks); +static void sha1_blocks_avx2(struct sha1_block_state *state, + const u8 *data, size_t nblocks) +{ + if (likely(irq_fpu_usable())) { + kernel_fpu_begin(); + /* Select the optimal transform based on the number of blocks */ + if (nblocks >=3D SHA1_AVX2_BLOCK_OPTSIZE) + sha1_transform_avx2(state, data, nblocks); + else + sha1_transform_avx(state, data, nblocks); + kernel_fpu_end(); + } else { + sha1_blocks_generic(state, data, nblocks); + } +} + +static void sha1_blocks(struct sha1_block_state *state, + const u8 *data, size_t nblocks) +{ + static_call(sha1_blocks_x86)(state, data, nblocks); +} + +#define sha1_mod_init_arch sha1_mod_init_arch +static inline void sha1_mod_init_arch(void) +{ + if (boot_cpu_has(X86_FEATURE_SHA_NI)) { + static_call_update(sha1_blocks_x86, sha1_blocks_ni); + } else if (cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, + NULL) && + boot_cpu_has(X86_FEATURE_AVX)) { + if (boot_cpu_has(X86_FEATURE_AVX2) && + boot_cpu_has(X86_FEATURE_BMI1) && + boot_cpu_has(X86_FEATURE_BMI2)) + static_call_update(sha1_blocks_x86, sha1_blocks_avx2); + else + static_call_update(sha1_blocks_x86, sha1_blocks_avx); + } else if (boot_cpu_has(X86_FEATURE_SSSE3)) { + static_call_update(sha1_blocks_x86, sha1_blocks_ssse3); + } +} --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 033B523BD05; Sat, 12 Jul 2025 23:26:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362787; cv=none; b=tyDoMSqTK3nvw4UoYgu44dDivDI7KjDRGc5sXNBsOkwQxrWqOSi/TGOzARykff0lVx1EHSmWz8NswrTmlbILVSz7ztA8ilG8wdW8nLJCafBoPOUyaDGAX1mH+1mR/Z6DBmP9NtuBi0DEliTC9w6DK3jQ1Ca3wtqD67p6y9t5bEI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362787; c=relaxed/simple; bh=GJ7nKp2NVjns7Vn/yd3vh/j/wSpE2hgTFf8rr99laVc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=A/1UQL5oMF2ThLRNR7LSX3jk8wVAHacJgx3zbgUnbpY884tOuBsSGzC8gwZ/n0McOtsyPFxgTAYrgquSDYabWtQlmwUu6B/K6Dons5yyp5MztbStLUCocbliy83IQwKq8rBnpx/FHr/F2c5Wc+XCdaz5R0mJovycPXHcx+Gy2gI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=rz40jc33; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="rz40jc33" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 89025C4CEF7; Sat, 12 Jul 2025 23:26:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362786; bh=GJ7nKp2NVjns7Vn/yd3vh/j/wSpE2hgTFf8rr99laVc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=rz40jc33/xphGqSYpQPco+3iJDZjL56YDYjR8lxUDvHZC9qTvA05p/dSIALTZNGLa yXvMs5aBqkFHImLl8aUETc28cZI9qr1/dmBFyRLyOgDtANWvrLelg0XRsRp+H1fo49 2DXRpbcKWE/DMscKaQTB1MFDsjuADixByyVL5OJsS9GQAlJAw6f+QBrnQF+UwZ7wEq b+hYHp4Q85Y8NjEOgve5GU4izy0luLiGraER+1MUi9nok4+Y53XmfRQ4/acQ0DDxuF YuAIzEJHyD9PML6iIifGmew7AXaHbdsozX5EIyYP5MW3xQ6bkeFEF23ba0B568EVUx Tvva3Jqe3BFgg== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 14/26] crypto: sha1 - Remove sha1_base.h Date: Sat, 12 Jul 2025 16:23:05 -0700 Message-ID: <20250712232329.818226-15-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" sha1_base.h is no longer used, so remove it. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- include/crypto/sha1_base.h | 82 -------------------------------------- 1 file changed, 82 deletions(-) delete mode 100644 include/crypto/sha1_base.h diff --git a/include/crypto/sha1_base.h b/include/crypto/sha1_base.h deleted file mode 100644 index 62701d136c793..0000000000000 --- a/include/crypto/sha1_base.h +++ /dev/null @@ -1,82 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -/* - * sha1_base.h - core logic for SHA-1 implementations - * - * Copyright (C) 2015 Linaro Ltd - */ - -#ifndef _CRYPTO_SHA1_BASE_H -#define _CRYPTO_SHA1_BASE_H - -#include -#include -#include -#include -#include -#include - -typedef void (sha1_block_fn)(struct sha1_state *sst, u8 const *src, int bl= ocks); - -static inline int sha1_base_init(struct shash_desc *desc) -{ - struct sha1_state *sctx =3D shash_desc_ctx(desc); - - sctx->state[0] =3D SHA1_H0; - sctx->state[1] =3D SHA1_H1; - sctx->state[2] =3D SHA1_H2; - sctx->state[3] =3D SHA1_H3; - sctx->state[4] =3D SHA1_H4; - sctx->count =3D 0; - - return 0; -} - -static inline int sha1_base_do_update_blocks(struct shash_desc *desc, - const u8 *data, - unsigned int len, - sha1_block_fn *block_fn) -{ - unsigned int remain =3D len - round_down(len, SHA1_BLOCK_SIZE); - struct sha1_state *sctx =3D shash_desc_ctx(desc); - - sctx->count +=3D len - remain; - block_fn(sctx, data, len / SHA1_BLOCK_SIZE); - return remain; -} - -static inline int sha1_base_do_finup(struct shash_desc *desc, - const u8 *src, unsigned int len, - sha1_block_fn *block_fn) -{ - unsigned int bit_offset =3D SHA1_BLOCK_SIZE / 8 - 1; - struct sha1_state *sctx =3D shash_desc_ctx(desc); - union { - __be64 b64[SHA1_BLOCK_SIZE / 4]; - u8 u8[SHA1_BLOCK_SIZE * 2]; - } block =3D {}; - - if (len >=3D bit_offset * 8) - bit_offset +=3D SHA1_BLOCK_SIZE / 8; - memcpy(&block, src, len); - block.u8[len] =3D 0x80; - sctx->count +=3D len; - block.b64[bit_offset] =3D cpu_to_be64(sctx->count << 3); - block_fn(sctx, block.u8, (bit_offset + 1) * 8 / SHA1_BLOCK_SIZE); - memzero_explicit(&block, sizeof(block)); - - return 0; -} - -static inline int sha1_base_finish(struct shash_desc *desc, u8 *out) -{ - struct sha1_state *sctx =3D shash_desc_ctx(desc); - __be32 *digest =3D (__be32 *)out; - int i; - - for (i =3D 0; i < SHA1_DIGEST_SIZE / sizeof(__be32); i++) - put_unaligned_be32(sctx->state[i], digest++); - - return 0; -} - -#endif /* _CRYPTO_SHA1_BASE_H */ --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B2E3223C8CD; Sat, 12 Jul 2025 23:26:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362787; cv=none; b=YhbRztDB58Q+xbPIg5cmBAUPFZSxSKpuoUx8FzzgcMQR7Cv6pxqmmaxoxkirYcM8APHAH4FmZgOmMa84+e560+B+OuszjeFJH+Fn5o+jvqIggLAinwrpvUmN9bv0pILtpOVeOqibEwQ+/1PkMIYlhEh4usaAkJuuhNVPoTfMRD4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362787; c=relaxed/simple; bh=SgVXlLx3zUAsItbZlZ/zxXFpPKAtVke822Qe2qamSSM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lFiGjFVK4kd1k5rvd32AA7CjWWErtQiHjJ40DAzh6Y2szcdmhorcSt4sSeDdfxVBTLjhcuJYC2yPM84zBNKHSBGyxylptJFytYJ8HaJBm73QK08D2UxXU1dz+tiwQt+6OW6b+7hed6ASUt2jPKR2mJOZTPAbpYZomzTCKRPlwfI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Yxndy/Iv; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Yxndy/Iv" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 06D6EC4CEF8; Sat, 12 Jul 2025 23:26:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362787; bh=SgVXlLx3zUAsItbZlZ/zxXFpPKAtVke822Qe2qamSSM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Yxndy/IvzWQWbnUBanLC+u/ucTDuAYy1aNSJJAU+8jT6By1Yjj55SBXvhvlCNFg8f SSB/HGy8c08shz70GBPTJUmHm2K1xOOz9Edp95QUJXtDsDU/DSP6yr/Pqi+XhzTm8m RJ74HNLpE5gvL0EEE5JEPfAkiODQR5wBJREtlYGT4tpkkL70Pp5sSHZ0c3Uu+GT3xH i9G0dQntawA946l/N9LEsyjdsG9KqnL/rqHTgoaZkNL/MA4nt1D0UmRo2H/0xvfe1I 6LpPC7PxtGTQj3VyBwGC1FCxsI/m3zd6UmUb4iFaliNUr3VAEWgoMUHBM29ibV1OeH bIRg/MvNWEtFw== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 15/26] lib/crypto: tests: Add KUnit tests for SHA-1 and HMAC-SHA1 Date: Sat, 12 Jul 2025 16:23:06 -0700 Message-ID: <20250712232329.818226-16-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add a KUnit test suite for the SHA-1 library functions, including the corresponding HMAC support. The core test logic is in the previously-added hash-test-template.h. This commit just adds the actual KUnit suite, and it adds the generated test vectors to the tree so that gen-hash-testvecs.py won't have to be run at build time. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- lib/crypto/tests/Kconfig | 10 ++ lib/crypto/tests/Makefile | 1 + lib/crypto/tests/sha1-testvecs.h | 212 +++++++++++++++++++++++++++++++ lib/crypto/tests/sha1_kunit.c | 39 ++++++ 4 files changed, 262 insertions(+) create mode 100644 lib/crypto/tests/sha1-testvecs.h create mode 100644 lib/crypto/tests/sha1_kunit.c diff --git a/lib/crypto/tests/Kconfig b/lib/crypto/tests/Kconfig index 65f462754419d..de7e8babb6afc 100644 --- a/lib/crypto/tests/Kconfig +++ b/lib/crypto/tests/Kconfig @@ -7,10 +7,20 @@ config CRYPTO_LIB_POLY1305_KUNIT_TEST select CRYPTO_LIB_BENCHMARK_VISIBLE select CRYPTO_LIB_POLY1305 help KUnit tests for the Poly1305 library functions. =20 +config CRYPTO_LIB_SHA1_KUNIT_TEST + tristate "KUnit tests for SHA-1" if !KUNIT_ALL_TESTS + depends on KUNIT + default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS + select CRYPTO_LIB_BENCHMARK_VISIBLE + select CRYPTO_LIB_SHA1 + help + KUnit tests for the SHA-1 cryptographic hash function and its + corresponding HMAC. + # Option is named *_SHA256_KUNIT_TEST, though both SHA-224 and SHA-256 tes= ts are # included, for consistency with the naming used elsewhere (e.g. CRYPTO_SH= A256). config CRYPTO_LIB_SHA256_KUNIT_TEST tristate "KUnit tests for SHA-224 and SHA-256" if !KUNIT_ALL_TESTS depends on KUNIT diff --git a/lib/crypto/tests/Makefile b/lib/crypto/tests/Makefile index d33f6d85ecaa8..8601dccd6fdda 100644 --- a/lib/crypto/tests/Makefile +++ b/lib/crypto/tests/Makefile @@ -1,5 +1,6 @@ # SPDX-License-Identifier: GPL-2.0-or-later =20 obj-$(CONFIG_CRYPTO_LIB_POLY1305_KUNIT_TEST) +=3D poly1305_kunit.o +obj-$(CONFIG_CRYPTO_LIB_SHA1_KUNIT_TEST) +=3D sha1_kunit.o obj-$(CONFIG_CRYPTO_LIB_SHA256_KUNIT_TEST) +=3D sha224_kunit.o sha256_kuni= t.o obj-$(CONFIG_CRYPTO_LIB_SHA512_KUNIT_TEST) +=3D sha384_kunit.o sha512_kuni= t.o diff --git a/lib/crypto/tests/sha1-testvecs.h b/lib/crypto/tests/sha1-testv= ecs.h new file mode 100644 index 0000000000000..f5d050122e84f --- /dev/null +++ b/lib/crypto/tests/sha1-testvecs.h @@ -0,0 +1,212 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* This file was generated by: ./scripts/crypto/gen-hash-testvecs.py sha1 = */ + +static const struct { + size_t data_len; + u8 digest[SHA1_DIGEST_SIZE]; +} hash_testvecs[] =3D { + { + .data_len =3D 0, + .digest =3D { + 0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, + 0x32, 0x55, 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, + 0xaf, 0xd8, 0x07, 0x09, + }, + }, + { + .data_len =3D 1, + .digest =3D { + 0x0a, 0xd0, 0x52, 0xdd, 0x9f, 0x32, 0x40, 0x55, + 0x21, 0xe4, 0x3c, 0x6e, 0xbd, 0xc5, 0x2f, 0x5a, + 0x02, 0x54, 0x93, 0xb2, + }, + }, + { + .data_len =3D 2, + .digest =3D { + 0x13, 0x83, 0x82, 0x03, 0x23, 0xff, 0x46, 0xd6, + 0x12, 0x7f, 0xad, 0x05, 0x2b, 0xc3, 0x4a, 0x42, + 0x49, 0x6a, 0xf8, 0x84, + }, + }, + { + .data_len =3D 3, + .digest =3D { + 0xe4, 0xdf, 0x7b, 0xdc, 0xe8, 0x6e, 0x81, 0x97, + 0x1e, 0x0f, 0xe8, 0x8b, 0x76, 0xa8, 0x59, 0x04, + 0xae, 0x92, 0x1a, 0x7c, + }, + }, + { + .data_len =3D 16, + .digest =3D { + 0x8c, 0x1c, 0x30, 0xd8, 0xbc, 0xc4, 0xc3, 0xf5, + 0xf8, 0x83, 0x0d, 0x1e, 0x04, 0x5d, 0x29, 0xb5, + 0x68, 0x89, 0xc1, 0xe9, + }, + }, + { + .data_len =3D 32, + .digest =3D { + 0x6c, 0x1d, 0x72, 0x31, 0xa5, 0x03, 0x4f, 0xdc, + 0xff, 0x2d, 0x06, 0x3e, 0x24, 0x26, 0x34, 0x8d, + 0x60, 0xa4, 0x67, 0x16, + }, + }, + { + .data_len =3D 48, + .digest =3D { + 0x37, 0x53, 0x33, 0xfa, 0xd0, 0x21, 0xad, 0xe7, + 0xa5, 0x43, 0xf1, 0x94, 0x64, 0x11, 0x47, 0x9c, + 0x72, 0xb5, 0x78, 0xb4, + }, + }, + { + .data_len =3D 49, + .digest =3D { + 0x51, 0x5c, 0xd8, 0x5a, 0xa9, 0xde, 0x7b, 0x2a, + 0xa2, 0xff, 0x70, 0x09, 0x56, 0x88, 0x40, 0x2b, + 0x50, 0x93, 0x82, 0x47, + }, + }, + { + .data_len =3D 63, + .digest =3D { + 0xbc, 0x9c, 0xab, 0x93, 0x06, 0xd5, 0xdb, 0xac, + 0x2c, 0x33, 0x15, 0x83, 0x56, 0xf6, 0x91, 0x20, + 0x09, 0xc7, 0xb2, 0x6b, + }, + }, + { + .data_len =3D 64, + .digest =3D { + 0x26, 0x90, 0x3b, 0x47, 0xe1, 0x92, 0x42, 0xd0, + 0x85, 0x63, 0x2e, 0x6b, 0x68, 0xa4, 0xc4, 0x4c, + 0xe6, 0xf4, 0xb0, 0x52, + }, + }, + { + .data_len =3D 65, + .digest =3D { + 0x55, 0x6f, 0x87, 0xdc, 0x34, 0x3d, 0xe2, 0x4f, + 0xc3, 0x81, 0xa4, 0x82, 0x79, 0x84, 0x64, 0x01, + 0x55, 0xa0, 0x1e, 0x36, + }, + }, + { + .data_len =3D 127, + .digest =3D { + 0xb7, 0xd5, 0x5f, 0xa4, 0xef, 0xbf, 0x4f, 0x96, + 0x01, 0xc1, 0x06, 0xe3, 0x75, 0xa8, 0x90, 0x92, + 0x4c, 0x5f, 0xf1, 0x21, + }, + }, + { + .data_len =3D 128, + .digest =3D { + 0x70, 0x0c, 0xea, 0xa4, 0x93, 0xd0, 0x56, 0xf0, + 0x6f, 0xbb, 0x53, 0x42, 0x5b, 0xe3, 0xf2, 0xb0, + 0x30, 0x66, 0x8e, 0x75, + }, + }, + { + .data_len =3D 129, + .digest =3D { + 0x15, 0x01, 0xbc, 0xb0, 0xee, 0xd8, 0xeb, 0xa8, + 0x7d, 0xd9, 0x4d, 0x50, 0x2e, 0x41, 0x30, 0xba, + 0x41, 0xaa, 0x7b, 0x02, + }, + }, + { + .data_len =3D 256, + .digest =3D { + 0x98, 0x05, 0x52, 0xf5, 0x0f, 0xf0, 0xd3, 0x97, + 0x15, 0x8c, 0xa3, 0x9a, 0x2b, 0x4d, 0x67, 0x57, + 0x29, 0xa0, 0xac, 0x61, + }, + }, + { + .data_len =3D 511, + .digest =3D { + 0x1f, 0x47, 0xf0, 0xcc, 0xd7, 0xda, 0xa5, 0x3b, + 0x39, 0xb4, 0x5b, 0xa8, 0x33, 0xd4, 0xca, 0x2f, + 0xdd, 0xf2, 0x39, 0x89, + }, + }, + { + .data_len =3D 513, + .digest =3D { + 0xb9, 0x75, 0xe6, 0x57, 0x42, 0x7f, 0x8b, 0x0a, + 0xcc, 0x53, 0x10, 0x69, 0x45, 0xac, 0xfd, 0x11, + 0xf7, 0x1f, 0x4e, 0x6f, + }, + }, + { + .data_len =3D 1000, + .digest =3D { + 0x63, 0x66, 0xcb, 0x44, 0xc1, 0x2c, 0xa2, 0x06, + 0x5d, 0xb9, 0x8e, 0x31, 0xcb, 0x4f, 0x4e, 0x49, + 0xe0, 0xfb, 0x3c, 0x4e, + }, + }, + { + .data_len =3D 3333, + .digest =3D { + 0x35, 0xbc, 0x74, 0xfb, 0x31, 0x9c, 0xd4, 0xdd, + 0xe8, 0x87, 0xa7, 0x56, 0x3b, 0x08, 0xe5, 0x49, + 0xe1, 0xe9, 0xc9, 0xa8, + }, + }, + { + .data_len =3D 4096, + .digest =3D { + 0x43, 0x00, 0xea, 0xcd, 0x4e, 0x7c, 0xe9, 0xe4, + 0x32, 0xce, 0x25, 0xa8, 0xcd, 0x20, 0xa8, 0xaa, + 0x7b, 0x63, 0x2c, 0x3c, + }, + }, + { + .data_len =3D 4128, + .digest =3D { + 0xd0, 0x67, 0x26, 0x0e, 0x22, 0x72, 0xaa, 0x63, + 0xfc, 0x34, 0x55, 0x07, 0xab, 0xc8, 0x64, 0xb6, + 0xc4, 0xea, 0xd5, 0x7c, + }, + }, + { + .data_len =3D 4160, + .digest =3D { + 0x6b, 0xc9, 0x5e, 0xb9, 0x41, 0x19, 0x50, 0x35, + 0xf1, 0x39, 0xfe, 0xd9, 0x72, 0x6d, 0xd0, 0x55, + 0xb8, 0x1f, 0x1a, 0x95, + }, + }, + { + .data_len =3D 4224, + .digest =3D { + 0x70, 0x5d, 0x10, 0x2e, 0x4e, 0x44, 0xc9, 0x80, + 0x8f, 0xba, 0x13, 0xbc, 0xd0, 0x77, 0x78, 0xc7, + 0x84, 0xe3, 0x24, 0x43, + }, + }, + { + .data_len =3D 16384, + .digest =3D { + 0xa8, 0x82, 0xca, 0x08, 0xb4, 0x84, 0x09, 0x13, + 0xc0, 0x9c, 0x26, 0x18, 0xcf, 0x0f, 0xf3, 0x08, + 0xff, 0xa1, 0xe4, 0x5d, + }, + }, +}; + +static const u8 hash_testvec_consolidated[SHA1_DIGEST_SIZE] =3D { + 0xe1, 0x72, 0xa5, 0x3c, 0xda, 0xf2, 0xe5, 0x56, + 0xb8, 0xb5, 0x35, 0x6e, 0xce, 0xc8, 0x37, 0x57, + 0x31, 0xb4, 0x05, 0xdd, +}; + +static const u8 hmac_testvec_consolidated[SHA1_DIGEST_SIZE] =3D { + 0x9d, 0xe5, 0xb1, 0x43, 0x97, 0x95, 0x16, 0x52, + 0xa0, 0x7a, 0xc0, 0xe2, 0xc1, 0x60, 0x64, 0x7c, + 0x24, 0xf9, 0x34, 0xd7, +}; diff --git a/lib/crypto/tests/sha1_kunit.c b/lib/crypto/tests/sha1_kunit.c new file mode 100644 index 0000000000000..24ba8d5669c8f --- /dev/null +++ b/lib/crypto/tests/sha1_kunit.c @@ -0,0 +1,39 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright 2025 Google LLC + */ +#include +#include "sha1-testvecs.h" + +#define HASH sha1 +#define HASH_CTX sha1_ctx +#define HASH_SIZE SHA1_DIGEST_SIZE +#define HASH_INIT sha1_init +#define HASH_UPDATE sha1_update +#define HASH_FINAL sha1_final +#define HMAC_KEY hmac_sha1_key +#define HMAC_CTX hmac_sha1_ctx +#define HMAC_PREPAREKEY hmac_sha1_preparekey +#define HMAC_INIT hmac_sha1_init +#define HMAC_UPDATE hmac_sha1_update +#define HMAC_FINAL hmac_sha1_final +#define HMAC hmac_sha1 +#define HMAC_USINGRAWKEY hmac_sha1_usingrawkey +#include "hash-test-template.h" + +static struct kunit_case hash_test_cases[] =3D { + HASH_KUNIT_CASES, + KUNIT_CASE(benchmark_hash), + {}, +}; + +static struct kunit_suite hash_test_suite =3D { + .name =3D "sha1", + .test_cases =3D hash_test_cases, + .suite_init =3D hash_suite_init, + .suite_exit =3D hash_suite_exit, +}; +kunit_test_suite(hash_test_suite); + +MODULE_DESCRIPTION("KUnit tests and benchmark for SHA-1 and HMAC-SHA1"); +MODULE_LICENSE("GPL"); --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2799623D2B7; Sat, 12 Jul 2025 23:26:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362788; cv=none; b=lrjsjj8a1lHku7AfUe4QfSG8UGizX/V7sPPitXtClG6tPs6sZ5/vhRhJKJPfCbqKMpI1EkfxYdTozVck45C2djwrS++Q8IWHK9SlOc7579UT99N8AMaEhrIpO7y++GN5vNC8y6ANztoB+1ymW1pTpf9Iu+hmMkl7DqorDYbevcI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362788; c=relaxed/simple; bh=0uuH9SjZ8K8+ACPJuo2m4qDOTTccNZS9uJItjIz8lEA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lsh2SHb/fzYtMJHpExQ6/rHZKSJT5AZDe8o5wI0O6TX582+vYj9AW1TYIBc8axpUmYkt08Apy4K+cV+0UjgiLkSiDof+IsrAnZw9fJXjv7LxN4jUNYyD+XYrJeaABCi29As4pun5juF9W2cnIwbb5+2HiaFKoCLITo14q7qifyA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=dH9DsS2X; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="dH9DsS2X" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 791B6C4CEEF; Sat, 12 Jul 2025 23:26:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362787; bh=0uuH9SjZ8K8+ACPJuo2m4qDOTTccNZS9uJItjIz8lEA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dH9DsS2Xw3covYFWQE+Ugk+mBSxQ6BXP2pO4QGhLwVyEe44kLlMwoYGDWYEj3LbYU gNdRwNL79zti3WDAQqGT1htMpRbssnwYwxtC6lzR2Z7iMnN/nb5/eKFRmZfAYAyb7V n+j/QkLGWP4ObgYdRFiUCOqHz+h6ker+Ij6lHGSukFAD+bse5ep9FHfZvIUfPLxf24 EWrvdOPariUuQs9pPs+WP2TbaKFCh/iYI+jCyHvElw1B3YGPSTjJIys9WkZcYN0Qv9 x4K/cOgDkQB3FhwoiAqugSoucfjpSWvoeIMRrzhIV5GFjQ7fRsJv6EFguXNtbqYWBp h+kGyp8qif+ZQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 16/26] bpf: Use sha1() instead of sha1_transform() in bpf_prog_calc_tag() Date: Sat, 12 Jul 2025 16:23:07 -0700 Message-ID: <20250712232329.818226-17-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Now that there's a proper SHA-1 library API, just use that instead of the low-level SHA-1 compression function. This eliminates the need for bpf_prog_calc_tag() to implement the SHA-1 padding itself. No functional change. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- include/linux/filter.h | 6 ------ kernel/bpf/core.c | 49 +++++++----------------------------------- 2 files changed, 8 insertions(+), 47 deletions(-) diff --git a/include/linux/filter.h b/include/linux/filter.h index f5cf4d35d83e9..3aa33e904a4ed 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -995,16 +995,10 @@ void bpf_prog_change_xdp(struct bpf_prog *prev_prog, = struct bpf_prog *prog); static inline u32 bpf_prog_insn_size(const struct bpf_prog *prog) { return prog->len * sizeof(struct bpf_insn); } =20 -static inline u32 bpf_prog_tag_scratch_size(const struct bpf_prog *prog) -{ - return round_up(bpf_prog_insn_size(prog) + - sizeof(__be64) + 1, SHA1_BLOCK_SIZE); -} - static inline unsigned int bpf_prog_size(unsigned int proglen) { return max(sizeof(struct bpf_prog), offsetof(struct bpf_prog, insns[proglen])); } diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index dae281a1286d5..a1b727ffa4548 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -287,32 +287,23 @@ void __bpf_prog_free(struct bpf_prog *fp) vfree(fp); } =20 int bpf_prog_calc_tag(struct bpf_prog *fp) { - const u32 bits_offset =3D SHA1_BLOCK_SIZE - sizeof(__be64); - u32 raw_size =3D bpf_prog_tag_scratch_size(fp); - u32 digest[SHA1_DIGEST_WORDS]; - u32 ws[SHA1_WORKSPACE_WORDS]; - u32 i, bsize, psize, blocks; + size_t size =3D bpf_prog_insn_size(fp); + u8 digest[SHA1_DIGEST_SIZE]; struct bpf_insn *dst; bool was_ld_map; - u8 *raw, *todo; - __be32 *result; - __be64 *bits; + u32 i; =20 - raw =3D vmalloc(raw_size); - if (!raw) + dst =3D vmalloc(size); + if (!dst) return -ENOMEM; =20 - sha1_init_raw(digest); - memset(ws, 0, sizeof(ws)); - /* We need to take out the map fd for the digest calculation * since they are unstable from user space side. */ - dst =3D (void *)raw; for (i =3D 0, was_ld_map =3D false; i < fp->len; i++) { dst[i] =3D fp->insnsi[i]; if (!was_ld_map && dst[i].code =3D=3D (BPF_LD | BPF_IMM | BPF_DW) && (dst[i].src_reg =3D=3D BPF_PSEUDO_MAP_FD || @@ -328,37 +319,13 @@ int bpf_prog_calc_tag(struct bpf_prog *fp) dst[i].imm =3D 0; } else { was_ld_map =3D false; } } - - psize =3D bpf_prog_insn_size(fp); - memset(&raw[psize], 0, raw_size - psize); - raw[psize++] =3D 0x80; - - bsize =3D round_up(psize, SHA1_BLOCK_SIZE); - blocks =3D bsize / SHA1_BLOCK_SIZE; - todo =3D raw; - if (bsize - psize >=3D sizeof(__be64)) { - bits =3D (__be64 *)(todo + bsize - sizeof(__be64)); - } else { - bits =3D (__be64 *)(todo + bsize + bits_offset); - blocks++; - } - *bits =3D cpu_to_be64((psize - 1) << 3); - - while (blocks--) { - sha1_transform(digest, todo, ws); - todo +=3D SHA1_BLOCK_SIZE; - } - - result =3D (__force __be32 *)digest; - for (i =3D 0; i < SHA1_DIGEST_WORDS; i++) - result[i] =3D cpu_to_be32(digest[i]); - memcpy(fp->tag, result, sizeof(fp->tag)); - - vfree(raw); + sha1((const u8 *)dst, size, digest); + memcpy(fp->tag, digest, sizeof(fp->tag)); + vfree(dst); return 0; } =20 static int bpf_adj_delta_to_imm(struct bpf_insn *insn, u32 pos, s32 end_ol= d, s32 end_new, s32 curr, const bool probe_pass) --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 65B4F23E355; Sat, 12 Jul 2025 23:26:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362788; cv=none; b=jsx62hOSHqrX9w3n6IOiMqWudGerXHSPy49TOwaB/ppBPSuR87uHFgmDGwtVhXyhi7g/zQ2QP5gAh+/gFDF7Ep7p3aG5zg1NP96CjsRs5vccQQHRxHzoDu+8/9CT27yNOkFYPVB8Mc1rjq9JoHAFqaSXQQRbhBgf47X6iIwuKSw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362788; c=relaxed/simple; bh=KTb/kHlWd3wQdhu+ilLCvMKl6qovl3HZh1pimsnVPTg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=BcbUj0110HX/JWSRIFmb4kfvSp0GZ4Y6BDvXbkQH6IUs4uUTq7eN9yabLnqJqmpP/NmUyBcqHqbbY2odmLiNaxPT9VOSj709O700BesOsTx9bENC3Zk+ldWqcnlLDxkKLxIkpgEjLMUO7YIIi8+hiDzLmfm9AI0KlA22hxizoyk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=mxUS8aLD; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="mxUS8aLD" Received: by smtp.kernel.org (Postfix) with ESMTPSA id EAF27C4CEF8; Sat, 12 Jul 2025 23:26:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362788; bh=KTb/kHlWd3wQdhu+ilLCvMKl6qovl3HZh1pimsnVPTg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mxUS8aLDzLz2lxZ7FY8YXhwan3picqBL4U0OESweinppoghCLFI2054GFQg+jkmnY DdhCc8Q8jLcHHO7wsDr62KIh0C1HowwzStV/jMEpViJ+KMHH/y/G0DrdDEB0Rw5anz DpqBniSkST9kWPQ8P997D4snILzkc1TorIdOr5tMqAoNKwi64MfNv59v41EkLBo9FT xjZ+qOZTB3FscgyvkMngJyaQ93UKpSLhzCx7R3Dp+bPpl4MAdT5Vrptt7okpvbn13M V7Jor9AXxyEcCNR6okV8WW/b6NR2rQzclvSIfn63GAwGHo5jykU+2Fx6C76eJZtcIN vMk5dzFz9MGtw== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 17/26] sctp: Use HMAC-SHA1 and HMAC-SHA256 library functions Date: Sat, 12 Jul 2025 16:23:08 -0700 Message-ID: <20250712232329.818226-18-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" For SCTP authenticated chunks, use the HMAC-SHA1 and HMAC-SHA256 library functions instead of crypto_shash. This is simpler and faster. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- include/net/sctp/auth.h | 12 +-- include/net/sctp/constants.h | 2 - include/net/sctp/structs.h | 5 -- net/sctp/Kconfig | 15 ++-- net/sctp/auth.c | 153 +++++------------------------------ net/sctp/socket.c | 10 --- 6 files changed, 32 insertions(+), 165 deletions(-) diff --git a/include/net/sctp/auth.h b/include/net/sctp/auth.h index d4b3b2dcd15b7..02e13e126ceb7 100644 --- a/include/net/sctp/auth.h +++ b/include/net/sctp/auth.h @@ -20,20 +20,15 @@ =20 struct sctp_endpoint; struct sctp_association; struct sctp_authkey; struct sctp_hmacalgo; -struct crypto_shash; =20 -/* - * Define a generic struct that will hold all the info - * necessary for an HMAC transform - */ +/* Defines an HMAC algorithm supported by SCTP-AUTH */ struct sctp_hmac { - __u16 hmac_id; /* one of the above ids */ - char *hmac_name; /* name for loading */ - __u16 hmac_len; /* length of the signature */ + __u16 hmac_id; /* one of SCTP_AUTH_HMAC_ID_* */ + __u16 hmac_len; /* length of the HMAC signature in bytes */ }; =20 /* This is generic structure that containst authentication bytes used * as keying material. It's a what is referred to as byte-vector all * over SCTP-AUTH @@ -76,11 +71,10 @@ struct sctp_shared_key *sctp_auth_get_shkey( __u16 key_id); int sctp_auth_asoc_copy_shkeys(const struct sctp_endpoint *ep, struct sctp_association *asoc, gfp_t gfp); int sctp_auth_init_hmacs(struct sctp_endpoint *ep, gfp_t gfp); -void sctp_auth_destroy_hmacs(struct crypto_shash *auth_hmacs[]); struct sctp_hmac *sctp_auth_get_hmac(__u16 hmac_id); struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *a= soc); void sctp_auth_asoc_set_default_hmac(struct sctp_association *asoc, struct sctp_hmac_algo_param *hmacs); int sctp_auth_asoc_verify_hmac_id(const struct sctp_association *asoc, diff --git a/include/net/sctp/constants.h b/include/net/sctp/constants.h index 5859e0a16a584..81dde3c3e6a58 100644 --- a/include/net/sctp/constants.h +++ b/include/net/sctp/constants.h @@ -415,13 +415,11 @@ enum sctp_lower_cwnd { */ enum { SCTP_AUTH_HMAC_ID_RESERVED_0, SCTP_AUTH_HMAC_ID_SHA1, SCTP_AUTH_HMAC_ID_RESERVED_2, -#if defined (CONFIG_CRYPTO_SHA256) || defined (CONFIG_CRYPTO_SHA256_MODULE) SCTP_AUTH_HMAC_ID_SHA256, -#endif __SCTP_AUTH_HMAC_MAX }; =20 #define SCTP_AUTH_HMAC_ID_MAX __SCTP_AUTH_HMAC_MAX - 1 #define SCTP_AUTH_NUM_HMACS __SCTP_AUTH_HMAC_MAX diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index 1ad7ce71d0a78..1de69a236754f 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -1327,15 +1327,10 @@ struct sctp_endpoint { __u32 sndbuf_policy; =20 /* rcvbuf acct. policy. */ __u32 rcvbuf_policy; =20 - /* SCTP AUTH: array of the HMACs that will be allocated - * we need this per association so that we don't serialize - */ - struct crypto_shash **auth_hmacs; - /* SCTP-AUTH: hmacs for the endpoint encoded into parameter */ struct sctp_hmac_algo_param *auth_hmacs_list; =20 /* SCTP-AUTH: chunks to authenticate encoded into parameter */ struct sctp_chunks_param *auth_chunk_list; diff --git a/net/sctp/Kconfig b/net/sctp/Kconfig index 24d5a35ce894a..192027555b4d8 100644 --- a/net/sctp/Kconfig +++ b/net/sctp/Kconfig @@ -5,13 +5,12 @@ =20 menuconfig IP_SCTP tristate "The SCTP Protocol" depends on INET depends on IPV6 || IPV6=3Dn - select CRYPTO - select CRYPTO_HMAC - select CRYPTO_SHA1 + select CRYPTO_LIB_SHA1 + select CRYPTO_LIB_SHA256 select NET_CRC32C select NET_UDP_TUNNEL help Stream Control Transmission Protocol =20 @@ -77,19 +76,21 @@ endchoice =20 config SCTP_COOKIE_HMAC_MD5 bool "Enable optional MD5 hmac cookie generation" help Enable optional MD5 hmac based SCTP cookie generation - select CRYPTO_HMAC if SCTP_COOKIE_HMAC_MD5 - select CRYPTO_MD5 if SCTP_COOKIE_HMAC_MD5 + select CRYPTO + select CRYPTO_HMAC + select CRYPTO_MD5 =20 config SCTP_COOKIE_HMAC_SHA1 bool "Enable optional SHA1 hmac cookie generation" help Enable optional SHA1 hmac based SCTP cookie generation - select CRYPTO_HMAC if SCTP_COOKIE_HMAC_SHA1 - select CRYPTO_SHA1 if SCTP_COOKIE_HMAC_SHA1 + select CRYPTO + select CRYPTO_HMAC + select CRYPTO_SHA1 =20 config INET_SCTP_DIAG depends on INET_DIAG def_tristate INET_DIAG =20 diff --git a/net/sctp/auth.c b/net/sctp/auth.c index c58fffc86a0c2..21d679a2ffb60 100644 --- a/net/sctp/auth.c +++ b/net/sctp/auth.c @@ -10,40 +10,41 @@ * * Written or modified by: * Vlad Yasevich */ =20 -#include +#include +#include #include #include -#include #include #include =20 static struct sctp_hmac sctp_hmac_list[SCTP_AUTH_NUM_HMACS] =3D { { /* id 0 is reserved. as all 0 */ .hmac_id =3D SCTP_AUTH_HMAC_ID_RESERVED_0, }, { .hmac_id =3D SCTP_AUTH_HMAC_ID_SHA1, - .hmac_name =3D "hmac(sha1)", .hmac_len =3D SCTP_SHA1_SIG_SIZE, }, { /* id 2 is reserved as well */ .hmac_id =3D SCTP_AUTH_HMAC_ID_RESERVED_2, }, -#if IS_ENABLED(CONFIG_CRYPTO_SHA256) { .hmac_id =3D SCTP_AUTH_HMAC_ID_SHA256, - .hmac_name =3D "hmac(sha256)", .hmac_len =3D SCTP_SHA256_SIG_SIZE, } -#endif }; =20 +static bool sctp_hmac_supported(__u16 hmac_id) +{ + return hmac_id < ARRAY_SIZE(sctp_hmac_list) && + sctp_hmac_list[hmac_id].hmac_len !=3D 0; +} =20 void sctp_auth_key_put(struct sctp_auth_bytes *key) { if (!key) return; @@ -442,79 +443,10 @@ struct sctp_shared_key *sctp_auth_get_shkey( } =20 return NULL; } =20 -/* - * Initialize all the possible digest transforms that we can use. Right - * now, the supported digests are SHA1 and SHA256. We do this here once - * because of the restrictiong that transforms may only be allocated in - * user context. This forces us to pre-allocated all possible transforms - * at the endpoint init time. - */ -int sctp_auth_init_hmacs(struct sctp_endpoint *ep, gfp_t gfp) -{ - struct crypto_shash *tfm =3D NULL; - __u16 id; - - /* If the transforms are already allocated, we are done */ - if (ep->auth_hmacs) - return 0; - - /* Allocated the array of pointers to transorms */ - ep->auth_hmacs =3D kcalloc(SCTP_AUTH_NUM_HMACS, - sizeof(struct crypto_shash *), - gfp); - if (!ep->auth_hmacs) - return -ENOMEM; - - for (id =3D 0; id < SCTP_AUTH_NUM_HMACS; id++) { - - /* See is we support the id. Supported IDs have name and - * length fields set, so that we can allocated and use - * them. We can safely just check for name, for without the - * name, we can't allocate the TFM. - */ - if (!sctp_hmac_list[id].hmac_name) - continue; - - /* If this TFM has been allocated, we are all set */ - if (ep->auth_hmacs[id]) - continue; - - /* Allocate the ID */ - tfm =3D crypto_alloc_shash(sctp_hmac_list[id].hmac_name, 0, 0); - if (IS_ERR(tfm)) - goto out_err; - - ep->auth_hmacs[id] =3D tfm; - } - - return 0; - -out_err: - /* Clean up any successful allocations */ - sctp_auth_destroy_hmacs(ep->auth_hmacs); - ep->auth_hmacs =3D NULL; - return -ENOMEM; -} - -/* Destroy the hmac tfm array */ -void sctp_auth_destroy_hmacs(struct crypto_shash *auth_hmacs[]) -{ - int i; - - if (!auth_hmacs) - return; - - for (i =3D 0; i < SCTP_AUTH_NUM_HMACS; i++) { - crypto_free_shash(auth_hmacs[i]); - } - kfree(auth_hmacs); -} - - struct sctp_hmac *sctp_auth_get_hmac(__u16 hmac_id) { return &sctp_hmac_list[hmac_id]; } =20 @@ -541,30 +473,14 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struc= t sctp_association *asoc) =20 n_elt =3D (ntohs(hmacs->param_hdr.length) - sizeof(struct sctp_paramhdr)) >> 1; for (i =3D 0; i < n_elt; i++) { id =3D ntohs(hmacs->hmac_ids[i]); - - /* Check the id is in the supported range. And - * see if we support the id. Supported IDs have name and - * length fields set, so that we can allocate and use - * them. We can safely just check for name, for without the - * name, we can't allocate the TFM. - */ - if (id > SCTP_AUTH_HMAC_ID_MAX || - !sctp_hmac_list[id].hmac_name) { - id =3D 0; - continue; - } - - break; + if (sctp_hmac_supported(id)) + return &sctp_hmac_list[id]; } - - if (id =3D=3D 0) - return NULL; - - return &sctp_hmac_list[id]; + return NULL; } =20 static int __sctp_auth_find_hmacid(__be16 *hmacs, int n_elts, __be16 hmac_= id) { int found =3D 0; @@ -604,31 +520,23 @@ int sctp_auth_asoc_verify_hmac_id(const struct sctp_a= ssociation *asoc, * algorithm it supports. */ void sctp_auth_asoc_set_default_hmac(struct sctp_association *asoc, struct sctp_hmac_algo_param *hmacs) { - struct sctp_endpoint *ep; __u16 id; int i; int n_params; =20 /* if the default id is already set, use it */ if (asoc->default_hmac_id) return; =20 n_params =3D (ntohs(hmacs->param_hdr.length) - sizeof(struct sctp_paramhdr)) >> 1; - ep =3D asoc->ep; for (i =3D 0; i < n_params; i++) { id =3D ntohs(hmacs->hmac_ids[i]); - - /* Check the id is in the supported range */ - if (id > SCTP_AUTH_HMAC_ID_MAX) - continue; - - /* If this TFM has been allocated, use this id */ - if (ep->auth_hmacs[id]) { + if (sctp_hmac_supported(id)) { asoc->default_hmac_id =3D id; break; } } } @@ -707,13 +615,12 @@ int sctp_auth_recv_cid(enum sctp_cid chunk, const str= uct sctp_association *asoc) void sctp_auth_calculate_hmac(const struct sctp_association *asoc, struct sk_buff *skb, struct sctp_auth_chunk *auth, struct sctp_shared_key *ep_key, gfp_t gfp) { struct sctp_auth_bytes *asoc_key; - struct crypto_shash *tfm; __u16 key_id, hmac_id; - unsigned char *end; + size_t data_len; int free_key =3D 0; __u8 *digest; =20 /* Extract the info we need: * - hmac id @@ -731,23 +638,19 @@ void sctp_auth_calculate_hmac(const struct sctp_assoc= iation *asoc, return; =20 free_key =3D 1; } =20 - /* set up scatter list */ - end =3D skb_tail_pointer(skb); - - tfm =3D asoc->ep->auth_hmacs[hmac_id]; - + data_len =3D skb_tail_pointer(skb) - (u8 *)auth; digest =3D (u8 *)(&auth->auth_hdr + 1); - if (crypto_shash_setkey(tfm, &asoc_key->data[0], asoc_key->len)) - goto free; - - crypto_shash_tfm_digest(tfm, (u8 *)auth, end - (unsigned char *)auth, - digest); + if (hmac_id =3D=3D SCTP_AUTH_HMAC_ID_SHA1) + hmac_sha1_usingrawkey(asoc_key->data, asoc_key->len, + (u8 *)auth, data_len, digest); + else + hmac_sha256_usingrawkey(asoc_key->data, asoc_key->len, + (u8 *)auth, data_len, digest); =20 -free: if (free_key) sctp_auth_key_put(asoc_key); } =20 /* API Helpers */ @@ -786,18 +689,15 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep, * SHA1 is specified. */ for (i =3D 0; i < hmacs->shmac_num_idents; i++) { id =3D hmacs->shmac_idents[i]; =20 - if (id > SCTP_AUTH_HMAC_ID_MAX) + if (!sctp_hmac_supported(id)) return -EOPNOTSUPP; =20 if (SCTP_AUTH_HMAC_ID_SHA1 =3D=3D id) has_sha1 =3D 1; - - if (!sctp_hmac_list[id].hmac_name) - return -EOPNOTSUPP; } =20 if (!has_sha1) return -EINVAL; =20 @@ -1019,12 +919,10 @@ int sctp_auth_deact_key_id(struct sctp_endpoint *ep, return 0; } =20 int sctp_auth_init(struct sctp_endpoint *ep, gfp_t gfp) { - int err =3D -ENOMEM; - /* Allocate space for HMACS and CHUNKS authentication * variables. There are arrays that we encode directly * into parameters to make the rest of the operations easier. */ if (!ep->auth_hmacs_list) { @@ -1058,32 +956,23 @@ int sctp_auth_init(struct sctp_endpoint *ep, gfp_t g= fp) auth_chunks->param_hdr.length =3D htons(sizeof(struct sctp_paramhdr)); ep->auth_chunk_list =3D auth_chunks; } =20 - /* Allocate and initialize transorms arrays for supported - * HMACs. - */ - err =3D sctp_auth_init_hmacs(ep, gfp); - if (err) - goto nomem; - return 0; =20 nomem: /* Free all allocations */ kfree(ep->auth_hmacs_list); kfree(ep->auth_chunk_list); ep->auth_hmacs_list =3D NULL; ep->auth_chunk_list =3D NULL; - return err; + return -ENOMEM; } =20 void sctp_auth_free(struct sctp_endpoint *ep) { kfree(ep->auth_hmacs_list); kfree(ep->auth_chunk_list); ep->auth_hmacs_list =3D NULL; ep->auth_chunk_list =3D NULL; - sctp_auth_destroy_hmacs(ep->auth_hmacs); - ep->auth_hmacs =3D NULL; } diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 1e5739858c206..1f3f1e7e1793b 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -9579,20 +9579,10 @@ static int sctp_sock_migrate(struct sock *oldsk, st= ruct sock *newsk, err =3D sctp_bind_addr_dup(&newsp->ep->base.bind_addr, &oldsp->ep->base.bind_addr, GFP_KERNEL); if (err) return err; =20 - /* New ep's auth_hmacs should be set if old ep's is set, in case - * that net->sctp.auth_enable has been changed to 0 by users and - * new ep's auth_hmacs couldn't be set in sctp_endpoint_init(). - */ - if (oldsp->ep->auth_hmacs) { - err =3D sctp_auth_init_hmacs(newsp->ep, GFP_KERNEL); - if (err) - return err; - } - sctp_auto_asconf_init(newsp); =20 /* Move any messages in the old socket's receive queue that are for the * peeled off association to the new socket's receive queue. */ --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D60572405ED; Sat, 12 Jul 2025 23:26:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362789; cv=none; b=J15SdpDmXoiyH0TtTxu172BXDoGBtLqXyqzzVDoxhkoRS1dmlzOWl6Y7l/7KmN+y3P0Jq/ivke3xdIRs5jWfOIXsIhMocLfi5aIh7bhYAcviPR2a7w6HXc3kaa16IXWGNW0fq/bQQB0oA8+rkYYKCqEny/3TA4nVqCc9+NdUtiE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362789; c=relaxed/simple; bh=upgrbJIyKUJoRun4h/w8rzDBpBYiF16g2cfEnbcJkVg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=rtVAXM6WRBMuVbKyfsiEAR7UM4YlZnRQp2tNhelflf67pDg3sUDDq2O3lLPoN4nMTiYpZu0XOUf+/CRGDkG4oLk+wnVCn/L5/ovzM4kHPh2bqW2cmLAqSvZZv3QAPFNOY0b/SCvtR7vM4c6jd0UbHYTfdsNoQ20JqXUfFIb45Yk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ROFWht91; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ROFWht91" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 68845C4CEF5; Sat, 12 Jul 2025 23:26:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362788; bh=upgrbJIyKUJoRun4h/w8rzDBpBYiF16g2cfEnbcJkVg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ROFWht91DC5XpPUdH8iXRlXvtmJOeGAoILEueEXRbxTAPmypO9d9+eWkmEkY7OfkC EznYlgw770sM+2hauKHQe9ZXD1pmPfGnLAWBZEKvJ68wP2iozUUeXCcATDci9H+nql 53wI7ihD56fb/OKj38J+495wElTRth1QNz9lquAmwXhzHyShTkHCCg1y7/9DV5nE7E DU6aJPNVq/OYfOPBT9oIPAopTGITq//h/vgYLJmpT7RxnkrmoKv6FuCRonUZesj0o0 SKmYw0xcwLeiizFPDxQqieqRzqlDu+cKh4N4/Cjwnsv1xm5C8P4t3ULqlN0Wr+zUrc BRmisBhki99bw== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 18/26] ipv6: sr: Use HMAC-SHA1 and HMAC-SHA256 library functions Date: Sat, 12 Jul 2025 16:23:09 -0700 Message-ID: <20250712232329.818226-19-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Use the HMAC-SHA1 and HMAC-SHA256 library functions instead of crypto_shash. This is simpler and faster. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- include/net/seg6_hmac.h | 12 --- net/ipv6/Kconfig | 6 +- net/ipv6/seg6.c | 7 -- net/ipv6/seg6_hmac.c | 199 ++++------------------------------------ 4 files changed, 22 insertions(+), 202 deletions(-) diff --git a/include/net/seg6_hmac.h b/include/net/seg6_hmac.h index 24f733b3e3fe9..3fe4123dbbf0a 100644 --- a/include/net/seg6_hmac.h +++ b/include/net/seg6_hmac.h @@ -17,11 +17,10 @@ #include #include #include #include =20 -#define SEG6_HMAC_MAX_DIGESTSIZE 160 #define SEG6_HMAC_RING_SIZE 256 =20 struct seg6_hmac_info { struct rhash_head node; struct rcu_head rcu; @@ -30,17 +29,10 @@ struct seg6_hmac_info { char secret[SEG6_HMAC_SECRET_LEN]; u8 slen; u8 alg_id; }; =20 -struct seg6_hmac_algo { - u8 alg_id; - char name[64]; - struct crypto_shash * __percpu *tfms; - struct shash_desc * __percpu *shashs; -}; - extern int seg6_hmac_compute(struct seg6_hmac_info *hinfo, struct ipv6_sr_hdr *hdr, struct in6_addr *saddr, u8 *output); extern struct seg6_hmac_info *seg6_hmac_info_lookup(struct net *net, u32 k= ey); extern int seg6_hmac_info_add(struct net *net, u32 key, @@ -48,17 +40,13 @@ extern int seg6_hmac_info_add(struct net *net, u32 key, extern int seg6_hmac_info_del(struct net *net, u32 key); extern int seg6_push_hmac(struct net *net, struct in6_addr *saddr, struct ipv6_sr_hdr *srh); extern bool seg6_hmac_validate_skb(struct sk_buff *skb); #ifdef CONFIG_IPV6_SEG6_HMAC -extern int seg6_hmac_init(void); -extern void seg6_hmac_exit(void); extern int seg6_hmac_net_init(struct net *net); extern void seg6_hmac_net_exit(struct net *net); #else -static inline int seg6_hmac_init(void) { return 0; } -static inline void seg6_hmac_exit(void) {} static inline int seg6_hmac_net_init(struct net *net) { return 0; } static inline void seg6_hmac_net_exit(struct net *net) {} #endif =20 #endif diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig index 1c9c686d9522f..76eb48e766382 100644 --- a/net/ipv6/Kconfig +++ b/net/ipv6/Kconfig @@ -302,14 +302,12 @@ config IPV6_SEG6_LWTUNNEL If unsure, say N. =20 config IPV6_SEG6_HMAC bool "IPv6: Segment Routing HMAC support" depends on IPV6 - select CRYPTO - select CRYPTO_HMAC - select CRYPTO_SHA1 - select CRYPTO_SHA256 + select CRYPTO_LIB_SHA1 + select CRYPTO_LIB_SHA256 help Support for HMAC signature generation and verification of SR-enabled packets. =20 If unsure, say N. diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c index 180da19c148c1..a5c4c629b788c 100644 --- a/net/ipv6/seg6.c +++ b/net/ipv6/seg6.c @@ -520,20 +520,14 @@ int __init seg6_init(void) =20 err =3D seg6_local_init(); if (err) goto out_unregister_iptun; =20 - err =3D seg6_hmac_init(); - if (err) - goto out_unregister_seg6; - pr_info("Segment Routing with IPv6\n"); =20 out: return err; -out_unregister_seg6: - seg6_local_exit(); out_unregister_iptun: seg6_iptunnel_exit(); out_unregister_genl: genl_unregister_family(&seg6_genl_family); out_unregister_pernet: @@ -541,11 +535,10 @@ int __init seg6_init(void) goto out; } =20 void seg6_exit(void) { - seg6_hmac_exit(); seg6_local_exit(); seg6_iptunnel_exit(); genl_unregister_family(&seg6_genl_family); unregister_pernet_subsys(&ip6_segments_ops); } diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c index f78ecb6ad8383..17e57da813012 100644 --- a/net/ipv6/seg6_hmac.c +++ b/net/ipv6/seg6_hmac.c @@ -14,11 +14,10 @@ #include #include #include #include #include -#include #include =20 #include #include =20 @@ -32,11 +31,12 @@ #include #include #include #include =20 -#include +#include +#include #include #include #include #include =20 @@ -75,21 +75,10 @@ static const struct rhashtable_params rht_params =3D { .key_len =3D sizeof(u32), .automatic_shrinking =3D true, .obj_cmpfn =3D seg6_hmac_cmpfn, }; =20 -static struct seg6_hmac_algo hmac_algos[] =3D { - { - .alg_id =3D SEG6_HMAC_ALGO_SHA1, - .name =3D "hmac(sha1)", - }, - { - .alg_id =3D SEG6_HMAC_ALGO_SHA256, - .name =3D "hmac(sha256)", - }, -}; - static struct sr6_tlv_hmac *seg6_get_tlv_hmac(struct ipv6_sr_hdr *srh) { struct sr6_tlv_hmac *tlv; =20 if (srh->hdrlen < (srh->first_segment + 1) * 2 + 5) @@ -105,79 +94,17 @@ static struct sr6_tlv_hmac *seg6_get_tlv_hmac(struct i= pv6_sr_hdr *srh) return NULL; =20 return tlv; } =20 -static struct seg6_hmac_algo *__hmac_get_algo(u8 alg_id) -{ - struct seg6_hmac_algo *algo; - int i, alg_count; - - alg_count =3D ARRAY_SIZE(hmac_algos); - for (i =3D 0; i < alg_count; i++) { - algo =3D &hmac_algos[i]; - if (algo->alg_id =3D=3D alg_id) - return algo; - } - - return NULL; -} - -static int __do_hmac(struct seg6_hmac_info *hinfo, const char *text, u8 ps= ize, - u8 *output, int outlen) -{ - struct seg6_hmac_algo *algo; - struct crypto_shash *tfm; - struct shash_desc *shash; - int ret, dgsize; - - algo =3D __hmac_get_algo(hinfo->alg_id); - if (!algo) - return -ENOENT; - - tfm =3D *this_cpu_ptr(algo->tfms); - - dgsize =3D crypto_shash_digestsize(tfm); - if (dgsize > outlen) { - pr_debug("sr-ipv6: __do_hmac: digest size too big (%d / %d)\n", - dgsize, outlen); - return -ENOMEM; - } - - ret =3D crypto_shash_setkey(tfm, hinfo->secret, hinfo->slen); - if (ret < 0) { - pr_debug("sr-ipv6: crypto_shash_setkey failed: err %d\n", ret); - goto failed; - } - - shash =3D *this_cpu_ptr(algo->shashs); - shash->tfm =3D tfm; - - ret =3D crypto_shash_digest(shash, text, psize, output); - if (ret < 0) { - pr_debug("sr-ipv6: crypto_shash_digest failed: err %d\n", ret); - goto failed; - } - - return dgsize; - -failed: - return ret; -} - int seg6_hmac_compute(struct seg6_hmac_info *hinfo, struct ipv6_sr_hdr *hd= r, struct in6_addr *saddr, u8 *output) { __be32 hmackeyid =3D cpu_to_be32(hinfo->hmackeyid); - u8 tmp_out[SEG6_HMAC_MAX_DIGESTSIZE]; - int plen, i, dgsize, wrsize; + int plen, i, ret =3D 0; char *ring, *off; =20 - /* a 160-byte buffer for digest output allows to store highest known - * hash function (RadioGatun) with up to 1216 bits - */ - /* saddr(16) + first_seg(1) + flags(1) + keyid(4) + seglist(16n) */ plen =3D 16 + 1 + 1 + 4 + (hdr->first_segment + 1) * 16; =20 /* this limit allows for 14 segments */ if (plen >=3D SEG6_HMAC_RING_SIZE) @@ -216,26 +143,29 @@ int seg6_hmac_compute(struct seg6_hmac_info *hinfo, s= truct ipv6_sr_hdr *hdr, for (i =3D 0; i < hdr->first_segment + 1; i++) { memcpy(off, hdr->segments + i, 16); off +=3D 16; } =20 - dgsize =3D __do_hmac(hinfo, ring, plen, tmp_out, - SEG6_HMAC_MAX_DIGESTSIZE); + memset(output, 0, SEG6_HMAC_FIELD_LEN); + switch (hinfo->alg_id) { + case SEG6_HMAC_ALGO_SHA1: + hmac_sha1_usingrawkey(hinfo->secret, hinfo->slen, ring, plen, + output); + static_assert(SHA1_DIGEST_SIZE <=3D SEG6_HMAC_FIELD_LEN); + break; + case SEG6_HMAC_ALGO_SHA256: + hmac_sha256_usingrawkey(hinfo->secret, hinfo->slen, ring, plen, + output); + static_assert(SHA256_DIGEST_SIZE <=3D SEG6_HMAC_FIELD_LEN); + break; + default: + ret =3D -ENOENT; + break; + } local_unlock_nested_bh(&hmac_storage.bh_lock); local_bh_enable(); - - if (dgsize < 0) - return dgsize; - - wrsize =3D SEG6_HMAC_FIELD_LEN; - if (wrsize > dgsize) - wrsize =3D dgsize; - - memset(output, 0, SEG6_HMAC_FIELD_LEN); - memcpy(output, tmp_out, wrsize); - - return 0; + return ret; } EXPORT_SYMBOL(seg6_hmac_compute); =20 /* checks if an incoming SR-enabled packet's HMAC status matches * the incoming policy. @@ -357,106 +287,17 @@ int seg6_push_hmac(struct net *net, struct in6_addr = *saddr, rcu_read_unlock(); return err; } EXPORT_SYMBOL(seg6_push_hmac); =20 -static int seg6_hmac_init_algo(void) -{ - struct seg6_hmac_algo *algo; - struct crypto_shash *tfm; - struct shash_desc *shash; - int i, alg_count, cpu; - int ret =3D -ENOMEM; - - alg_count =3D ARRAY_SIZE(hmac_algos); - - for (i =3D 0; i < alg_count; i++) { - struct crypto_shash **p_tfm; - int shsize; - - algo =3D &hmac_algos[i]; - algo->tfms =3D alloc_percpu(struct crypto_shash *); - if (!algo->tfms) - goto error_out; - - for_each_possible_cpu(cpu) { - tfm =3D crypto_alloc_shash(algo->name, 0, 0); - if (IS_ERR(tfm)) { - ret =3D PTR_ERR(tfm); - goto error_out; - } - p_tfm =3D per_cpu_ptr(algo->tfms, cpu); - *p_tfm =3D tfm; - } - - p_tfm =3D raw_cpu_ptr(algo->tfms); - tfm =3D *p_tfm; - - shsize =3D sizeof(*shash) + crypto_shash_descsize(tfm); - - algo->shashs =3D alloc_percpu(struct shash_desc *); - if (!algo->shashs) - goto error_out; - - for_each_possible_cpu(cpu) { - shash =3D kzalloc_node(shsize, GFP_KERNEL, - cpu_to_node(cpu)); - if (!shash) - goto error_out; - *per_cpu_ptr(algo->shashs, cpu) =3D shash; - } - } - - return 0; - -error_out: - seg6_hmac_exit(); - return ret; -} - -int __init seg6_hmac_init(void) -{ - return seg6_hmac_init_algo(); -} - int __net_init seg6_hmac_net_init(struct net *net) { struct seg6_pernet_data *sdata =3D seg6_pernet(net); =20 return rhashtable_init(&sdata->hmac_infos, &rht_params); } =20 -void seg6_hmac_exit(void) -{ - struct seg6_hmac_algo *algo =3D NULL; - struct crypto_shash *tfm; - struct shash_desc *shash; - int i, alg_count, cpu; - - alg_count =3D ARRAY_SIZE(hmac_algos); - for (i =3D 0; i < alg_count; i++) { - algo =3D &hmac_algos[i]; - - if (algo->shashs) { - for_each_possible_cpu(cpu) { - shash =3D *per_cpu_ptr(algo->shashs, cpu); - kfree(shash); - } - free_percpu(algo->shashs); - } - - if (algo->tfms) { - for_each_possible_cpu(cpu) { - tfm =3D *per_cpu_ptr(algo->tfms, cpu); - crypto_free_shash(tfm); - } - free_percpu(algo->tfms); - } - } -} -EXPORT_SYMBOL(seg6_hmac_exit); - void __net_exit seg6_hmac_net_exit(struct net *net) { struct seg6_pernet_data *sdata =3D seg6_pernet(net); =20 rhashtable_free_and_destroy(&sdata->hmac_infos, seg6_free_hi, NULL); --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A5170242D6D; Sat, 12 Jul 2025 23:26:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362789; cv=none; b=Nmi1LOg+bK4t7Nl65wUCbXg+V6AzyMp5U9DUG6sV5YjJ+O7LBhaGL4ngBcCo2D3X7dCkeGmAIsVcSCLhEcRSxqEdsPlDjmFlrsSY8Nf5IpTVHl6UAdTLGPS0sPEX9EF21QW3qBKJhvXqlRIE5vQkDspsavQoLrOiOKPshdBoi4w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362789; c=relaxed/simple; bh=RedRxFFHKVy5vtVyY+MZJNiBk1oOHQ1I/68b2H+lbA4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=scySWXBw4KFxUmEMkh7pJ0lSFVZwWKsINRe31jyknr8Jgf/bB6j9U4rvp+DEUCG33+yqSRfO0tjhCsTBYHRCUB+K/THtUrEX9M2llrSsmyJsu/bBEYd+jFF2wQV3kCpJQ1vTfjnZdpSyzx+S4qd7z32/hzd9DKAnDC+WwiFhZII= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=TruHvLVH; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="TruHvLVH" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D9DD0C4CEEF; Sat, 12 Jul 2025 23:26:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362789; bh=RedRxFFHKVy5vtVyY+MZJNiBk1oOHQ1I/68b2H+lbA4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TruHvLVHxzmKSDlYw1X7RzNkw2reqbswxSziZxBysLXETgCfeJYJssRnoaL1nzchi mi9LuEPvy1/hCsL7g5ruwnoqxWESCQwA0R6D++X5zLp+a1AP/SYpw+WEAZjvmFQX6i m5sZe95u3ReCd2zA9v1HzPEzPx2HWU3ceCbr7feHlOPjPGB1S+Avh8UHhOh6Qd9t+q 9f4qhYO4xgQ30f+8sg3fvb3SJc4mvuEfy5lY9MGKg3uEMndll+YQh3+Gn88Rkq4xXy 9QbE4KXhY4FA2wx4Y5mO4lq71JIx2mLl3fKyCGcWwCY0X/KHwZI+dqmIh49OgDsD95 5DEcBVAIH3xUw== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 19/26] tee: Use SHA-1 library instead of crypto_shash Date: Sat, 12 Jul 2025 16:23:10 -0700 Message-ID: <20250712232329.818226-20-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Use the SHA-1 library functions instead of crypto_shash. This is simpler and faster. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- drivers/tee/Kconfig | 3 +-- drivers/tee/tee_core.c | 55 +++++++----------------------------------- 2 files changed, 10 insertions(+), 48 deletions(-) diff --git a/drivers/tee/Kconfig b/drivers/tee/Kconfig index 61b507c187801..a84767940fbfc 100644 --- a/drivers/tee/Kconfig +++ b/drivers/tee/Kconfig @@ -1,12 +1,11 @@ # SPDX-License-Identifier: GPL-2.0-only # Generic Trusted Execution Environment Configuration menuconfig TEE tristate "Trusted Execution Environment support" depends on HAVE_ARM_SMCCC || COMPILE_TEST || CPU_SUP_AMD - select CRYPTO - select CRYPTO_SHA1 + select CRYPTO_LIB_SHA1 select DMA_SHARED_BUFFER select GENERIC_ALLOCATOR help This implements a generic interface towards a Trusted Execution Environment (TEE). diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c index acc7998758ad8..4c82a171bff20 100644 --- a/drivers/tee/tee_core.c +++ b/drivers/tee/tee_core.c @@ -12,11 +12,10 @@ #include #include #include #include #include -#include #include #include "tee_private.h" =20 #define TEE_NUM_DEVICES 32 =20 @@ -140,72 +139,36 @@ static int tee_release(struct inode *inode, struct fi= le *filp) * UUIDv5 is specific in RFC 4122. * * This implements section (for SHA-1): * 4.3. Algorithm for Creating a Name-Based UUID */ -static int uuid_v5(uuid_t *uuid, const uuid_t *ns, const void *name, - size_t size) +static void uuid_v5(uuid_t *uuid, const uuid_t *ns, const void *name, + size_t size) { + struct sha1_ctx ctx; unsigned char hash[SHA1_DIGEST_SIZE]; - struct crypto_shash *shash =3D NULL; - struct shash_desc *desc =3D NULL; - int rc; - - shash =3D crypto_alloc_shash("sha1", 0, 0); - if (IS_ERR(shash)) { - rc =3D PTR_ERR(shash); - pr_err("shash(sha1) allocation failed\n"); - return rc; - } - - desc =3D kzalloc(sizeof(*desc) + crypto_shash_descsize(shash), - GFP_KERNEL); - if (!desc) { - rc =3D -ENOMEM; - goto out_free_shash; - } - - desc->tfm =3D shash; =20 - rc =3D crypto_shash_init(desc); - if (rc < 0) - goto out_free_desc; - - rc =3D crypto_shash_update(desc, (const u8 *)ns, sizeof(*ns)); - if (rc < 0) - goto out_free_desc; - - rc =3D crypto_shash_update(desc, (const u8 *)name, size); - if (rc < 0) - goto out_free_desc; - - rc =3D crypto_shash_final(desc, hash); - if (rc < 0) - goto out_free_desc; + sha1_init(&ctx); + sha1_update(&ctx, (const u8 *)ns, sizeof(*ns)); + sha1_update(&ctx, (const u8 *)name, size); + sha1_final(&ctx, hash); =20 memcpy(uuid->b, hash, UUID_SIZE); =20 /* Tag for version 5 */ uuid->b[6] =3D (hash[6] & 0x0F) | 0x50; uuid->b[8] =3D (hash[8] & 0x3F) | 0x80; - -out_free_desc: - kfree(desc); - -out_free_shash: - crypto_free_shash(shash); - return rc; } =20 int tee_session_calc_client_uuid(uuid_t *uuid, u32 connection_method, const u8 connection_data[TEE_IOCTL_UUID_LEN]) { gid_t ns_grp =3D (gid_t)-1; kgid_t grp =3D INVALID_GID; char *name =3D NULL; int name_len; - int rc; + int rc =3D 0; =20 if (connection_method =3D=3D TEE_IOCTL_LOGIN_PUBLIC || connection_method =3D=3D TEE_IOCTL_LOGIN_REE_KERNEL) { /* Nil UUID to be passed to TEE environment */ uuid_copy(uuid, &uuid_null); @@ -258,11 +221,11 @@ int tee_session_calc_client_uuid(uuid_t *uuid, u32 co= nnection_method, default: rc =3D -EINVAL; goto out_free_name; } =20 - rc =3D uuid_v5(uuid, &tee_client_uuid_ns, name, name_len); + uuid_v5(uuid, &tee_client_uuid_ns, name, name_len); out_free_name: kfree(name); =20 return rc; } --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1D21F24337B; Sat, 12 Jul 2025 23:26:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362790; cv=none; b=EmNIdsP1IaAhozmZylkRp30z7Nco6lP9SdPjij5EV9Zc55/n1j+MN1vKd5hGN7TtOxk5lID7/9lWTJA683BUMJWyH9tbD2QgubFlCxpKHu+iY2ZoVb0NFyUaj36dyoH6UdiryhkI/JZnf4VVJ5T3EoC8XirIu/07d/VAgQw7yvc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362790; c=relaxed/simple; bh=KDQk7Ir1m956D0f1p9m7xAyJlDKZMG/Uv5S3nHotAXE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=J2aOQXUXuzYjmjIXmX1pIyCczaZ0q97+PCIwLt6yxmuGmoOPf0kxnob5eYKIweI5i85eUa11oE4Z5z6R5UwgmYS98w5sYij0Qiwey7AVpoWHw2Xlx+aN9nsIQUiG+Lr/l5wlNed1IC2tET6RWfDGVk1E7X7mA4x0s9canP0cQl4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=WtGAriuO; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="WtGAriuO" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 5734BC4CEF5; Sat, 12 Jul 2025 23:26:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362789; bh=KDQk7Ir1m956D0f1p9m7xAyJlDKZMG/Uv5S3nHotAXE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WtGAriuOY7k91SmjWU1Jatz3UxR2BoHMvt2+41ewmLk75abevvy+rjaJDEKA9dayT 4HnruTxiMdXn9C2lbXUTYijPl6AGxeUiVHGzv2Mci1g3kf1n8j8iqK/Gw4UhDfA1OM LEGQqPAvwRxD68ZByGUo/zfUhFtcAtZjF5EdvVBpUtFrWQZfMdAZzLC+bqW3uQZhM0 78Q9KCitYCnlEFnRK/ju2eh+jLK5DHwcHu4G++4VwfzzEeTmEfmKN7aI+ajzvGYgYp L16hAYEY2uFqQu6UpZuTAuo837yuo7jq8gjxWFDQqb9fzhSIEx19EAKXI/j3/CqaeY kvMR31cHKCF7g== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 20/26] lib/digsig: Use SHA-1 library instead of crypto_shash Date: Sat, 12 Jul 2025 16:23:11 -0700 Message-ID: <20250712232329.818226-21-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Use the SHA-1 library functions instead of crypto_shash. This is simpler and faster. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- lib/Kconfig | 3 +-- lib/digsig.c | 46 ++++++---------------------------------------- 2 files changed, 7 insertions(+), 42 deletions(-) diff --git a/lib/Kconfig b/lib/Kconfig index 37db228f70a99..670c19800c26c 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -561,12 +561,11 @@ config MPILIB which is used by IMA/EVM digital signature extension. =20 config SIGNATURE tristate depends on KEYS - select CRYPTO - select CRYPTO_SHA1 + select CRYPTO_LIB_SHA1 select MPILIB help Digital signature verification. Currently only RSA is supported. Implementation is done using GnuPG MPI library =20 diff --git a/lib/digsig.c b/lib/digsig.c index 04b5e55ed95f5..5ddcc52f76863 100644 --- a/lib/digsig.c +++ b/lib/digsig.c @@ -16,19 +16,15 @@ =20 #include #include #include #include -#include -#include #include #include #include #include =20 -static struct crypto_shash *shash; - static const char *pkcs_1_v1_5_decode_emsa(const unsigned char *msg, unsigned long msglen, unsigned long modulus_bitlen, unsigned long *outlen) { @@ -197,16 +193,16 @@ static int digsig_verify_rsa(struct key *key, * */ int digsig_verify(struct key *keyring, const char *sig, int siglen, const char *data, int datalen) { - int err =3D -ENOMEM; struct signature_hdr *sh =3D (struct signature_hdr *)sig; - struct shash_desc *desc =3D NULL; + struct sha1_ctx ctx; unsigned char hash[SHA1_DIGEST_SIZE]; struct key *key; char name[20]; + int err; =20 if (siglen < sizeof(*sh) + 2) return -EINVAL; =20 if (sh->algo !=3D PUBKEY_ALGO_RSA) @@ -229,51 +225,21 @@ int digsig_verify(struct key *keyring, const char *si= g, int siglen, if (IS_ERR(key)) { pr_err("key not found, id: %s\n", name); return PTR_ERR(key); } =20 - desc =3D kzalloc(sizeof(*desc) + crypto_shash_descsize(shash), - GFP_KERNEL); - if (!desc) - goto err; - - desc->tfm =3D shash; - - crypto_shash_init(desc); - crypto_shash_update(desc, data, datalen); - crypto_shash_update(desc, sig, sizeof(*sh)); - crypto_shash_final(desc, hash); - - kfree(desc); + sha1_init(&ctx); + sha1_update(&ctx, data, datalen); + sha1_update(&ctx, sig, sizeof(*sh)); + sha1_final(&ctx, hash); =20 /* pass signature mpis address */ err =3D digsig_verify_rsa(key, sig + sizeof(*sh), siglen - sizeof(*sh), hash, sizeof(hash)); =20 -err: key_put(key); =20 return err ? -EINVAL : 0; } EXPORT_SYMBOL_GPL(digsig_verify); =20 -static int __init digsig_init(void) -{ - shash =3D crypto_alloc_shash("sha1", 0, 0); - if (IS_ERR(shash)) { - pr_err("shash allocation failed\n"); - return PTR_ERR(shash); - } - - return 0; - -} - -static void __exit digsig_cleanup(void) -{ - crypto_free_shash(shash); -} - -module_init(digsig_init); -module_exit(digsig_cleanup); - MODULE_LICENSE("GPL"); --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 842D6244681; Sat, 12 Jul 2025 23:26:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362790; cv=none; b=Se+SaTcFitBS0aJoEquPcUoTQXowYxum9lRCApNoSerT9x97beFkoRoTR0ZtIcptPxbmLR0Z56jZTA1kehRKSTgB4HojetAe5y4gPMLVn218wllzGwnPxws4IJ7X8rZzzeakpuAgVNq7YXPJStbjnhaSCHiXiivNaa6UsM2IicM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362790; c=relaxed/simple; bh=xZzl/xlzSt8gsN4p0nytxwCdAqxySD8jh31PuuGyOBQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=s82OCNVuJaTGHATlqfeApi6qm7DDsCKYHWXa+WU0e6UV9DI2w4/7YQ8IpP/RFekSfysl17WvAX8wt/Jmk1Z4tlSRTF11ahoA5M/CjvPuHbb6Afdv2Qnh2xuyAiZz5jYkkdcth7gveiJmz6zIU49l6ZPXiFd2CU7wIF9yTV6dEqM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=jHOgR8/e; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="jHOgR8/e" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C9477C4CEF8; Sat, 12 Jul 2025 23:26:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362790; bh=xZzl/xlzSt8gsN4p0nytxwCdAqxySD8jh31PuuGyOBQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jHOgR8/eAUWb+TKPF25TOK6Sliz7m1aUYz+j/MLYKMsxt4rKWRZJGo5hPIHSV64zn 7of82OAPvifGLUpuHuFDsjdQA92aH7ZkFpmPXS8OiM9eZNvip/CMvh2gfWUfpsJ3l4 CkTk+rCEkdibLqaQH8fh3UiGr6mwjUtiZs07/Qkt+YZg1C0SccjXKZMsmT6RS+7pet /YF/SspJy/r11r/BVbRD6U5wKlFEU4eWNfug2GDWZgxrSSqch+PUOQAWyZXRrUKu2z Vu/ThPYn8ewEdUblbxsMvgsAY7zmfj03U8oqUd9gKkQTaGl7/Z/+oEZXpbIf/sMfr8 r38CY8t/o97kQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 21/26] drm/bridge: it6505: Use SHA-1 library instead of crypto_shash Date: Sat, 12 Jul 2025 16:23:12 -0700 Message-ID: <20250712232329.818226-22-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Use the SHA-1 library instead of crypto_shash. This is simpler and faster. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- drivers/gpu/drm/bridge/Kconfig | 3 +-- drivers/gpu/drm/bridge/ite-it6505.c | 33 ++--------------------------- 2 files changed, 3 insertions(+), 33 deletions(-) diff --git a/drivers/gpu/drm/bridge/Kconfig b/drivers/gpu/drm/bridge/Kconfig index b9e0ca85226a6..89ac820a13e1e 100644 --- a/drivers/gpu/drm/bridge/Kconfig +++ b/drivers/gpu/drm/bridge/Kconfig @@ -118,12 +118,11 @@ config DRM_ITE_IT6505 select DRM_DISPLAY_HDCP_HELPER select DRM_DISPLAY_HELPER select DRM_DISPLAY_DP_AUX_BUS select DRM_KMS_HELPER select EXTCON - select CRYPTO - select CRYPTO_HASH + select CRYPTO_LIB_SHA1 help ITE IT6505 DisplayPort bridge chip driver. =20 config DRM_LONTIUM_LT8912B tristate "Lontium LT8912B DSI/HDMI bridge" diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/i= te-it6505.c index 1383d1e21afea..319d956c0a28c 100644 --- a/drivers/gpu/drm/bridge/ite-it6505.c +++ b/drivers/gpu/drm/bridge/ite-it6505.c @@ -19,11 +19,11 @@ #include #include #include #include =20 -#include +#include =20 #include #include #include #include @@ -2105,39 +2105,10 @@ static void it6505_hdcp_part1_auth(struct it6505 *i= t6505) HDCP_TRIGGER_START); =20 it6505->hdcp_status =3D HDCP_AUTH_GOING; } =20 -static int it6505_sha1_digest(struct it6505 *it6505, u8 *sha1_input, - unsigned int size, u8 *output_av) -{ - struct shash_desc *desc; - struct crypto_shash *tfm; - int err; - struct device *dev =3D it6505->dev; - - tfm =3D crypto_alloc_shash("sha1", 0, 0); - if (IS_ERR(tfm)) { - dev_err(dev, "crypto_alloc_shash sha1 failed"); - return PTR_ERR(tfm); - } - desc =3D kzalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); - if (!desc) { - crypto_free_shash(tfm); - return -ENOMEM; - } - - desc->tfm =3D tfm; - err =3D crypto_shash_digest(desc, sha1_input, size, output_av); - if (err) - dev_err(dev, "crypto_shash_digest sha1 failed"); - - crypto_free_shash(tfm); - kfree(desc); - return err; -} - static int it6505_setup_sha1_input(struct it6505 *it6505, u8 *sha1_input) { struct device *dev =3D it6505->dev; u8 binfo[2]; int down_stream_count, err, msg_count =3D 0; @@ -2203,11 +2174,11 @@ static bool it6505_hdcp_part2_ksvlist_check(struct = it6505 *it6505) if (i <=3D 0) { dev_err(dev, "SHA-1 Input length error %d", i); return false; } =20 - it6505_sha1_digest(it6505, it6505->sha1_input, i, (u8 *)av); + sha1(it6505->sha1_input, i, (u8 *)av); /*1B-05 V' must retry 3 times */ for (retry =3D 0; retry < 3; retry++) { err =3D it6505_get_dpcd(it6505, DP_AUX_HDCP_V_PRIME(0), (u8 *)bv, sizeof(bv)); =20 --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EBB4224503C; Sat, 12 Jul 2025 23:26:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362791; cv=none; b=mrowQucoLmHAEOM7ktcpgolEnLcuFdIOGGJz6y26B94PkuGNkInqIbRAgcV7TAfNTI6VEnMJtLEbYqOJRVPRsUnUMUHLNLPM/pb2HH0nbeco1NiU3xNLHcdds6dh1GTX1KYMO4FXo/EDueT6whfPSNrBOXsHSrcydJUO3cFqlP8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362791; c=relaxed/simple; bh=CDCYvw9FzfgzLkUqSoVUscxv3AohvreIQRjFCF8Awe8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=YrPhFByhvVClfoGCIXe8S+f9rmel8bfwxmNEJ9KIViEyMLazAbUN0+1cAxxysxrrv5lYmOM4eWixBHmU0Cyw0BIRh9MWtzPQXoXUWJ2Di/0nK+2WMP7YbsnVZR9mGvtcLb/56gxzo8/ueUPF090jeRcCieijVodeM2ehRwEhTKg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=IPqiN3o3; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="IPqiN3o3" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 46D7EC4CEF7; Sat, 12 Jul 2025 23:26:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362790; bh=CDCYvw9FzfgzLkUqSoVUscxv3AohvreIQRjFCF8Awe8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IPqiN3o3F2CcnU/lSiSEcezOvpLqcfESj5gdIyQXIgp9TcpJNc4+SEOkjA/C+spGj Zfst73HKBkJ3RTDUfFDKvQl7Mmw5pFdQYEglIXAhZC+EODLHKRSiXTX9qIZsb0r+6+ 1IfmLcXJraIBl0WHAvq6RVh9qLNWkjfrS6B3lhzdE9bVdL3PclsJIcFWKGGHADQexc oT0UaUvZGa0iS8nC0/6k8yEYGLRNGqkkHiXlesa3+yHAYn4wA3zfIhdu47yh0jD44S 7YhcfQhrICpQD72yjxbbQ4I94wj4xoa+kWSTHNjoYKh6ovpvEJkyWDNQRcS909kSeF 7YLhXtd85zZdA== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 22/26] nfc: s3fwrn5: Use SHA-1 library instead of crypto_shash Date: Sat, 12 Jul 2025 16:23:13 -0700 Message-ID: <20250712232329.818226-23-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Use the SHA-1 library instead of crypto_shash. This is simpler and faster. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- drivers/nfc/s3fwrn5/Kconfig | 3 +-- drivers/nfc/s3fwrn5/firmware.c | 17 +---------------- 2 files changed, 2 insertions(+), 18 deletions(-) diff --git a/drivers/nfc/s3fwrn5/Kconfig b/drivers/nfc/s3fwrn5/Kconfig index 8a6b1a79de253..96386b73fa2b6 100644 --- a/drivers/nfc/s3fwrn5/Kconfig +++ b/drivers/nfc/s3fwrn5/Kconfig @@ -1,10 +1,9 @@ # SPDX-License-Identifier: GPL-2.0-only config NFC_S3FWRN5 tristate - select CRYPTO - select CRYPTO_HASH + select CRYPTO_LIB_SHA1 help Core driver for Samsung S3FWRN5 NFC chip. Contains core utilities of chip. It's intended to be used by PHYs to avoid duplicating lots of common code. =20 diff --git a/drivers/nfc/s3fwrn5/firmware.c b/drivers/nfc/s3fwrn5/firmware.c index 781cdbcac104c..64d61b2a715ae 100644 --- a/drivers/nfc/s3fwrn5/firmware.c +++ b/drivers/nfc/s3fwrn5/firmware.c @@ -6,11 +6,10 @@ * Robert Baldyga */ =20 #include #include -#include #include =20 #include "s3fwrn5.h" #include "firmware.h" =20 @@ -409,31 +408,17 @@ bool s3fwrn5_fw_check_version(const struct s3fwrn5_fw= _info *fw_info, u32 version int s3fwrn5_fw_download(struct s3fwrn5_fw_info *fw_info) { struct device *dev =3D &fw_info->ndev->nfc_dev->dev; struct s3fwrn5_fw_image *fw =3D &fw_info->fw; u8 hash_data[SHA1_DIGEST_SIZE]; - struct crypto_shash *tfm; u32 image_size, off; int ret; =20 image_size =3D fw_info->sector_size * fw->image_sectors; =20 /* Compute SHA of firmware data */ - - tfm =3D crypto_alloc_shash("sha1", 0, 0); - if (IS_ERR(tfm)) { - dev_err(dev, "Cannot allocate shash (code=3D%pe)\n", tfm); - return PTR_ERR(tfm); - } - - ret =3D crypto_shash_tfm_digest(tfm, fw->image, image_size, hash_data); - - crypto_free_shash(tfm); - if (ret) { - dev_err(dev, "Cannot compute hash (code=3D%d)\n", ret); - return ret; - } + sha1(fw->image, image_size, hash_data); =20 /* Firmware update process */ =20 dev_info(dev, "Firmware update: %s\n", fw_info->fw_name); =20 --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 81940246779; Sat, 12 Jul 2025 23:26:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362791; cv=none; b=WtsF84dboeO6lIg6W8Do8kBhL2CWBX16u2vH8vYV5LFlMSUgGr6ki/AixT5hgXCtXneyoBOGv47C8b2gxvKqzEuHkyble6NWJf3mJ2VZQDkMm4ffIsVQsw8p3ZbaeHWVSVJ+U0nklHl42rFIDf2sWCzCatS2tlxFVpK7x8Z4l00= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362791; c=relaxed/simple; bh=rfJ72uWvvK+whDF9VjkI5SYPfCKh27VtzjmWTwXhIJA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=u4vbGcAfESRxVll2CPv20ijpr7N0tIXjLvLgIKZ/9kBlIC676eZ32fGqrr6qkOydMwyfmUjpWqib+TR1+do2aPG4hY93g1oQvj0MG0lhQZqX64PZze2hoKQon59x/4K777lfdtrQADJdOAf0SFWByny5pKmIXnnw67VBgixHk30= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=adPuDNFT; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="adPuDNFT" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B87F5C4CEF8; Sat, 12 Jul 2025 23:26:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362791; bh=rfJ72uWvvK+whDF9VjkI5SYPfCKh27VtzjmWTwXhIJA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=adPuDNFTOjCINdd++ewChJOGNbvpvPCdKMgJfTgRQVWFOLKuAr3v2d13HC1FITvPY gL08rEFOe6I2qF2+ngmp0urjV0YUz6HmCSL1V8p3M1gV9CyYQMgLkCJS+O+7bq/Pd/ ELxAGoNm19hqjcz2MxC3qh2PLrusWwnTLczFTZqnDSGLkcEJvnUS8MeuaBWVioD+9M Ek1NkQVcy8IFlqynbsqyE5FOtX0PqYijraDbs8A7GLcrL32Zrb9sK1oM6D6Bhe1T2G AEDIb2+J1IXfEmKx8lL4J44Lyw1N73Qnd6JzBQB9Ltysfp/U2VnrpBGKTh7PN2Vof2 BtNUAszxW2+rQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 23/26] ppp: mppe: Use SHA-1 library instead of crypto_shash Date: Sat, 12 Jul 2025 16:23:14 -0700 Message-ID: <20250712232329.818226-24-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Use the SHA-1 library instead of crypto_shash. This is simpler and faster. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- drivers/net/ppp/Kconfig | 3 +- drivers/net/ppp/ppp_mppe.c | 109 +++++++------------------------------ 2 files changed, 20 insertions(+), 92 deletions(-) diff --git a/drivers/net/ppp/Kconfig b/drivers/net/ppp/Kconfig index 8c9ed1889d1af..a1806b4b84beb 100644 --- a/drivers/net/ppp/Kconfig +++ b/drivers/net/ppp/Kconfig @@ -83,13 +83,12 @@ config PPP_FILTER If unsure, say N. =20 config PPP_MPPE tristate "PPP MPPE compression (encryption)" depends on PPP - select CRYPTO - select CRYPTO_SHA1 select CRYPTO_LIB_ARC4 + select CRYPTO_LIB_SHA1 help Support for the MPPE Encryption protocol, as employed by the Microsoft Point-to-Point Tunneling Protocol. =20 See http://pptpclient.sourceforge.net/ for information on diff --git a/drivers/net/ppp/ppp_mppe.c b/drivers/net/ppp/ppp_mppe.c index bcc1eaedf58fb..126908549f9c7 100644 --- a/drivers/net/ppp/ppp_mppe.c +++ b/drivers/net/ppp/ppp_mppe.c @@ -41,11 +41,11 @@ * MOD_DEC_USAGE_COUNT/MOD_INC_USAGE_COUNT which are * deprecated in 2.6 */ =20 #include -#include +#include #include #include #include #include #include @@ -53,11 +53,10 @@ #include #include #include #include #include -#include #include =20 #include "ppp_mppe.h" =20 MODULE_AUTHOR("Frank Cusack "); @@ -65,35 +64,19 @@ MODULE_DESCRIPTION("Point-to-Point Protocol Microsoft P= oint-to-Point Encryption MODULE_LICENSE("Dual BSD/GPL"); MODULE_ALIAS("ppp-compress-" __stringify(CI_MPPE)); MODULE_VERSION("1.0.2"); =20 #define SHA1_PAD_SIZE 40 - -/* - * kernel crypto API needs its arguments to be in kmalloc'd memory, not in= the module - * static data area. That means sha_pad needs to be kmalloc'd. - */ - -struct sha_pad { - unsigned char sha_pad1[SHA1_PAD_SIZE]; - unsigned char sha_pad2[SHA1_PAD_SIZE]; -}; -static struct sha_pad *sha_pad; - -static inline void sha_pad_init(struct sha_pad *shapad) -{ - memset(shapad->sha_pad1, 0x00, sizeof(shapad->sha_pad1)); - memset(shapad->sha_pad2, 0xF2, sizeof(shapad->sha_pad2)); -} +static const u8 sha_pad1[SHA1_PAD_SIZE] =3D { 0 }; +static const u8 sha_pad2[SHA1_PAD_SIZE] =3D { [0 ... SHA1_PAD_SIZE - 1] = =3D 0xF2 }; =20 /* * State for an MPPE (de)compressor. */ struct ppp_mppe_state { struct arc4_ctx arc4; - struct shash_desc *sha1; - unsigned char *sha1_digest; + unsigned char sha1_digest[SHA1_DIGEST_SIZE]; unsigned char master_key[MPPE_MAX_KEY_LEN]; unsigned char session_key[MPPE_MAX_KEY_LEN]; unsigned keylen; /* key length in bytes */ /* NB: 128-bit =3D=3D 16, 40-bit =3D=3D 8! */ /* If we want to support 56-bit, */ @@ -128,28 +111,27 @@ struct ppp_mppe_state { * Key Derivation, from RFC 3078, RFC 3079. * Equivalent to Get_Key() for MS-CHAP as described in RFC 3079. */ static void get_new_key_from_sha(struct ppp_mppe_state * state) { - crypto_shash_init(state->sha1); - crypto_shash_update(state->sha1, state->master_key, - state->keylen); - crypto_shash_update(state->sha1, sha_pad->sha_pad1, - sizeof(sha_pad->sha_pad1)); - crypto_shash_update(state->sha1, state->session_key, - state->keylen); - crypto_shash_update(state->sha1, sha_pad->sha_pad2, - sizeof(sha_pad->sha_pad2)); - crypto_shash_final(state->sha1, state->sha1_digest); + struct sha1_ctx ctx; + + sha1_init(&ctx); + sha1_update(&ctx, state->master_key, state->keylen); + sha1_update(&ctx, sha_pad1, sizeof(sha_pad1)); + sha1_update(&ctx, state->session_key, state->keylen); + sha1_update(&ctx, sha_pad2, sizeof(sha_pad2)); + sha1_final(&ctx, state->sha1_digest); } =20 /* * Perform the MPPE rekey algorithm, from RFC 3078, sec. 7.3. * Well, not what's written there, but rather what they meant. */ static void mppe_rekey(struct ppp_mppe_state * state, int initial_key) { + static_assert(SHA1_DIGEST_SIZE >=3D MPPE_MAX_KEY_LEN); get_new_key_from_sha(state); if (!initial_key) { arc4_setkey(&state->arc4, state->sha1_digest, state->keylen); arc4_crypt(&state->arc4, state->session_key, state->sha1_digest, state->keylen); @@ -169,43 +151,19 @@ static void mppe_rekey(struct ppp_mppe_state * state,= int initial_key) * Allocate space for a (de)compressor. */ static void *mppe_alloc(unsigned char *options, int optlen) { struct ppp_mppe_state *state; - struct crypto_shash *shash; - unsigned int digestsize; =20 if (optlen !=3D CILEN_MPPE + sizeof(state->master_key) || options[0] !=3D CI_MPPE || options[1] !=3D CILEN_MPPE || fips_enabled) - goto out; + return NULL; =20 state =3D kzalloc(sizeof(*state), GFP_KERNEL); if (state =3D=3D NULL) - goto out; - - - shash =3D crypto_alloc_shash("sha1", 0, 0); - if (IS_ERR(shash)) - goto out_free; - - state->sha1 =3D kmalloc(sizeof(*state->sha1) + - crypto_shash_descsize(shash), - GFP_KERNEL); - if (!state->sha1) { - crypto_free_shash(shash); - goto out_free; - } - state->sha1->tfm =3D shash; - - digestsize =3D crypto_shash_digestsize(shash); - if (digestsize < MPPE_MAX_KEY_LEN) - goto out_free; - - state->sha1_digest =3D kmalloc(digestsize, GFP_KERNEL); - if (!state->sha1_digest) - goto out_free; + return NULL; =20 /* Save keys. */ memcpy(state->master_key, &options[CILEN_MPPE], sizeof(state->master_key)); memcpy(state->session_key, state->master_key, @@ -215,34 +173,20 @@ static void *mppe_alloc(unsigned char *options, int o= ptlen) * We defer initial key generation until mppe_init(), as mppe_alloc() * is called frequently during negotiation. */ =20 return (void *)state; - -out_free: - kfree(state->sha1_digest); - if (state->sha1) { - crypto_free_shash(state->sha1->tfm); - kfree_sensitive(state->sha1); - } - kfree(state); -out: - return NULL; } =20 /* * Deallocate space for a (de)compressor. */ static void mppe_free(void *arg) { struct ppp_mppe_state *state =3D (struct ppp_mppe_state *) arg; - if (state) { - kfree(state->sha1_digest); - crypto_free_shash(state->sha1->tfm); - kfree_sensitive(state->sha1); - kfree_sensitive(state); - } + + kfree_sensitive(state); } =20 /* * Initialize (de)compressor state. */ @@ -647,42 +591,27 @@ static struct compressor ppp_mppe =3D { .decomp_stat =3D mppe_comp_stats, .owner =3D THIS_MODULE, .comp_extra =3D MPPE_PAD, }; =20 -/* - * ppp_mppe_init() - * - * Prior to allowing load, try to load the arc4 and sha1 crypto - * libraries. The actual use will be allocated later, but - * this way the module will fail to insmod if they aren't available. - */ - static int __init ppp_mppe_init(void) { int answer; - if (fips_enabled || !crypto_has_ahash("sha1", 0, CRYPTO_ALG_ASYNC)) - return -ENODEV; =20 - sha_pad =3D kmalloc(sizeof(struct sha_pad), GFP_KERNEL); - if (!sha_pad) - return -ENOMEM; - sha_pad_init(sha_pad); + if (fips_enabled) + return -ENODEV; =20 answer =3D ppp_register_compressor(&ppp_mppe); =20 if (answer =3D=3D 0) printk(KERN_INFO "PPP MPPE Compression module registered\n"); - else - kfree(sha_pad); =20 return answer; } =20 static void __exit ppp_mppe_cleanup(void) { ppp_unregister_compressor(&ppp_mppe); - kfree(sha_pad); } =20 module_init(ppp_mppe_init); module_exit(ppp_mppe_cleanup); --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B45CA246797; Sat, 12 Jul 2025 23:26:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362791; cv=none; b=Vp5zaykUQsaFiwqZ92JMSY2wDFV1npdUcoluUoiT8d93AWGgUv2jUmTjIY9HPhE9EaFVjed6IWXmKS/E3HjLF7B7E1O+XoJDBXp3b0wxKsgK3mMja0nnt9nfjW/t/E4htWKDiOBGYGH9LnqfLllOU1Enf/zVesgSZeshQHN+Dfk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362791; c=relaxed/simple; bh=yMm/MFGISASr8eQF+DRkJnRm7ToRkQJ87GfJAV9pLPk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=bCRKfRY82MYFYmbw3P75gEzKhFUlZfmPu9o3iEx/oW/yypCDrvuFoMd7HAabpPPaWwPiHQbXv/4/yPPNESL+ns/x39bHBpexM1Z1t6ZmhB3F5ap9t2E648q45GGlpmLcoVDBmd8yorIXvZzCk49zBkyGwJuK3tO0rNBgg3ojDgI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=hxrat3AU; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="hxrat3AU" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 361B2C4CEEF; Sat, 12 Jul 2025 23:26:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362791; bh=yMm/MFGISASr8eQF+DRkJnRm7ToRkQJ87GfJAV9pLPk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hxrat3AU+uS8Fsd4qkVKddMNU8Tvc6x8NYEaAuXu8iD1taJ26o/23h0SEKxM2HTKf 2nI3g2MTjZGgaxKozBsz4uRO5d/vI9SGUFWCmBK1huSIe2uqH2AzBPXn2CMzMhnxBJ hxlZD6R7vbUYdNO1ilkGUBHg5WqFsIokkTqHUZF9XcKVtI/P3F8zoDfuP9xwd49NiO Q5mN5IcR++bmWT7or0aSekU3BR+hT8npj5SuOrN0osGgeCRMieMqkJ64lXgzpfhgC5 Clid2oofX3CNXKkXeL5ybQfy/veXWedNDrvyGhzQsOX4AunEdT7dDYAXT63Vj/3vCC tu0Wng+DxQbKQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 24/26] KEYS: trusted_tpm1: Use SHA-1 library instead of crypto_shash Date: Sat, 12 Jul 2025 16:23:15 -0700 Message-ID: <20250712232329.818226-25-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Use the SHA-1 library functions instead of crypto_shash. This is simpler and faster. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- security/keys/trusted-keys/Kconfig | 4 +- security/keys/trusted-keys/trusted_tpm1.c | 221 ++++------------------ 2 files changed, 35 insertions(+), 190 deletions(-) diff --git a/security/keys/trusted-keys/Kconfig b/security/keys/trusted-key= s/Kconfig index 1fb8aa0019953..7685457ffcb41 100644 --- a/security/keys/trusted-keys/Kconfig +++ b/security/keys/trusted-keys/Kconfig @@ -3,13 +3,11 @@ config HAVE_TRUSTED_KEYS =20 config TRUSTED_KEYS_TPM bool "TPM-based trusted keys" depends on TCG_TPM >=3D TRUSTED_KEYS default y - select CRYPTO - select CRYPTO_HMAC - select CRYPTO_SHA1 + select CRYPTO_LIB_SHA1 select CRYPTO_HASH_INFO select ASN1_ENCODER select OID_REGISTRY select ASN1 select HAVE_TRUSTED_KEYS diff --git a/security/keys/trusted-keys/trusted_tpm1.c b/security/keys/trus= ted-keys/trusted_tpm1.c index 89c9798d18007..d1a66a0287fa5 100644 --- a/security/keys/trusted-keys/trusted_tpm1.c +++ b/security/keys/trusted-keys/trusted_tpm1.c @@ -5,89 +5,36 @@ * * See Documentation/security/keys/trusted-encrypted.rst */ =20 #include +#include #include #include #include #include #include #include #include -#include -#include -#include #include #include =20 #include =20 -static const char hmac_alg[] =3D "hmac(sha1)"; -static const char hash_alg[] =3D "sha1"; static struct tpm_chip *chip; static struct tpm_digest *digests; =20 -struct sdesc { - struct shash_desc shash; - char ctx[]; -}; - -static struct crypto_shash *hashalg; -static struct crypto_shash *hmacalg; - -static struct sdesc *init_sdesc(struct crypto_shash *alg) -{ - struct sdesc *sdesc; - int size; - - size =3D sizeof(struct shash_desc) + crypto_shash_descsize(alg); - sdesc =3D kmalloc(size, GFP_KERNEL); - if (!sdesc) - return ERR_PTR(-ENOMEM); - sdesc->shash.tfm =3D alg; - return sdesc; -} - -static int TSS_sha1(const unsigned char *data, unsigned int datalen, - unsigned char *digest) -{ - struct sdesc *sdesc; - int ret; - - sdesc =3D init_sdesc(hashalg); - if (IS_ERR(sdesc)) { - pr_info("can't alloc %s\n", hash_alg); - return PTR_ERR(sdesc); - } - - ret =3D crypto_shash_digest(&sdesc->shash, data, datalen, digest); - kfree_sensitive(sdesc); - return ret; -} - static int TSS_rawhmac(unsigned char *digest, const unsigned char *key, unsigned int keylen, ...) { - struct sdesc *sdesc; + struct hmac_sha1_ctx hmac_ctx; va_list argp; unsigned int dlen; unsigned char *data; - int ret; - - sdesc =3D init_sdesc(hmacalg); - if (IS_ERR(sdesc)) { - pr_info("can't alloc %s\n", hmac_alg); - return PTR_ERR(sdesc); - } + int ret =3D 0; =20 - ret =3D crypto_shash_setkey(hmacalg, key, keylen); - if (ret < 0) - goto out; - ret =3D crypto_shash_init(&sdesc->shash); - if (ret < 0) - goto out; + hmac_sha1_init_usingrawkey(&hmac_ctx, key, keylen); =20 va_start(argp, keylen); for (;;) { dlen =3D va_arg(argp, unsigned int); if (dlen =3D=3D 0) @@ -95,19 +42,15 @@ static int TSS_rawhmac(unsigned char *digest, const uns= igned char *key, data =3D va_arg(argp, unsigned char *); if (data =3D=3D NULL) { ret =3D -EINVAL; break; } - ret =3D crypto_shash_update(&sdesc->shash, data, dlen); - if (ret < 0) - break; + hmac_sha1_update(&hmac_ctx, data, dlen); } va_end(argp); if (!ret) - ret =3D crypto_shash_final(&sdesc->shash, digest); -out: - kfree_sensitive(sdesc); + hmac_sha1_final(&hmac_ctx, digest); return ret; } =20 /* * calculate authorization info fields to send to TPM @@ -115,53 +58,41 @@ static int TSS_rawhmac(unsigned char *digest, const un= signed char *key, int TSS_authhmac(unsigned char *digest, const unsigned char *key, unsigned int keylen, unsigned char *h1, unsigned char *h2, unsigned int h3, ...) { unsigned char paramdigest[SHA1_DIGEST_SIZE]; - struct sdesc *sdesc; + struct sha1_ctx sha_ctx; unsigned int dlen; unsigned char *data; unsigned char c; - int ret; + int ret =3D 0; va_list argp; =20 if (!chip) return -ENODEV; =20 - sdesc =3D init_sdesc(hashalg); - if (IS_ERR(sdesc)) { - pr_info("can't alloc %s\n", hash_alg); - return PTR_ERR(sdesc); - } - c =3D !!h3; - ret =3D crypto_shash_init(&sdesc->shash); - if (ret < 0) - goto out; + sha1_init(&sha_ctx); va_start(argp, h3); for (;;) { dlen =3D va_arg(argp, unsigned int); if (dlen =3D=3D 0) break; data =3D va_arg(argp, unsigned char *); if (!data) { ret =3D -EINVAL; break; } - ret =3D crypto_shash_update(&sdesc->shash, data, dlen); - if (ret < 0) - break; + sha1_update(&sha_ctx, data, dlen); } va_end(argp); if (!ret) - ret =3D crypto_shash_final(&sdesc->shash, paramdigest); + sha1_final(&sha_ctx, paramdigest); if (!ret) ret =3D TSS_rawhmac(digest, key, keylen, SHA1_DIGEST_SIZE, paramdigest, TPM_NONCE_SIZE, h1, TPM_NONCE_SIZE, h2, 1, &c, 0, 0); -out: - kfree_sensitive(sdesc); return ret; } EXPORT_SYMBOL_GPL(TSS_authhmac); =20 /* @@ -180,11 +111,11 @@ int TSS_checkhmac1(unsigned char *buffer, unsigned char *enonce; unsigned char *continueflag; unsigned char *authdata; unsigned char testhmac[SHA1_DIGEST_SIZE]; unsigned char paramdigest[SHA1_DIGEST_SIZE]; - struct sdesc *sdesc; + struct sha1_ctx sha_ctx; unsigned int dlen; unsigned int dpos; va_list argp; int ret; =20 @@ -201,53 +132,33 @@ int TSS_checkhmac1(unsigned char *buffer, return -EINVAL; authdata =3D buffer + bufsize - SHA1_DIGEST_SIZE; continueflag =3D authdata - 1; enonce =3D continueflag - TPM_NONCE_SIZE; =20 - sdesc =3D init_sdesc(hashalg); - if (IS_ERR(sdesc)) { - pr_info("can't alloc %s\n", hash_alg); - return PTR_ERR(sdesc); - } - ret =3D crypto_shash_init(&sdesc->shash); - if (ret < 0) - goto out; - ret =3D crypto_shash_update(&sdesc->shash, (const u8 *)&result, - sizeof result); - if (ret < 0) - goto out; - ret =3D crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, - sizeof ordinal); - if (ret < 0) - goto out; + sha1_init(&sha_ctx); + sha1_update(&sha_ctx, (const u8 *)&result, sizeof(result)); + sha1_update(&sha_ctx, (const u8 *)&ordinal, sizeof(ordinal)); va_start(argp, keylen); for (;;) { dlen =3D va_arg(argp, unsigned int); if (dlen =3D=3D 0) break; dpos =3D va_arg(argp, unsigned int); - ret =3D crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); - if (ret < 0) - break; + sha1_update(&sha_ctx, buffer + dpos, dlen); } va_end(argp); - if (!ret) - ret =3D crypto_shash_final(&sdesc->shash, paramdigest); - if (ret < 0) - goto out; + sha1_final(&sha_ctx, paramdigest); =20 ret =3D TSS_rawhmac(testhmac, key, keylen, SHA1_DIGEST_SIZE, paramdigest, TPM_NONCE_SIZE, enonce, TPM_NONCE_SIZE, ononce, 1, continueflag, 0, 0); if (ret < 0) - goto out; + return ret; =20 if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE)) - ret =3D -EINVAL; -out: - kfree_sensitive(sdesc); - return ret; + return -EINVAL; + return 0; } EXPORT_SYMBOL_GPL(TSS_checkhmac1); =20 /* * verify the AUTH2_COMMAND (unseal) result from TPM @@ -271,11 +182,11 @@ static int TSS_checkhmac2(unsigned char *buffer, unsigned char *continueflag2; unsigned char *authdata2; unsigned char testhmac1[SHA1_DIGEST_SIZE]; unsigned char testhmac2[SHA1_DIGEST_SIZE]; unsigned char paramdigest[SHA1_DIGEST_SIZE]; - struct sdesc *sdesc; + struct sha1_ctx sha_ctx; unsigned int dlen; unsigned int dpos; va_list argp; int ret; =20 @@ -294,62 +205,40 @@ static int TSS_checkhmac2(unsigned char *buffer, continueflag1 =3D authdata1 - 1; continueflag2 =3D authdata2 - 1; enonce1 =3D continueflag1 - TPM_NONCE_SIZE; enonce2 =3D continueflag2 - TPM_NONCE_SIZE; =20 - sdesc =3D init_sdesc(hashalg); - if (IS_ERR(sdesc)) { - pr_info("can't alloc %s\n", hash_alg); - return PTR_ERR(sdesc); - } - ret =3D crypto_shash_init(&sdesc->shash); - if (ret < 0) - goto out; - ret =3D crypto_shash_update(&sdesc->shash, (const u8 *)&result, - sizeof result); - if (ret < 0) - goto out; - ret =3D crypto_shash_update(&sdesc->shash, (const u8 *)&ordinal, - sizeof ordinal); - if (ret < 0) - goto out; + sha1_init(&sha_ctx); + sha1_update(&sha_ctx, (const u8 *)&result, sizeof(result)); + sha1_update(&sha_ctx, (const u8 *)&ordinal, sizeof(ordinal)); =20 va_start(argp, keylen2); for (;;) { dlen =3D va_arg(argp, unsigned int); if (dlen =3D=3D 0) break; dpos =3D va_arg(argp, unsigned int); - ret =3D crypto_shash_update(&sdesc->shash, buffer + dpos, dlen); - if (ret < 0) - break; + sha1_update(&sha_ctx, buffer + dpos, dlen); } va_end(argp); - if (!ret) - ret =3D crypto_shash_final(&sdesc->shash, paramdigest); - if (ret < 0) - goto out; + sha1_final(&sha_ctx, paramdigest); =20 ret =3D TSS_rawhmac(testhmac1, key1, keylen1, SHA1_DIGEST_SIZE, paramdigest, TPM_NONCE_SIZE, enonce1, TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0); if (ret < 0) - goto out; - if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) { - ret =3D -EINVAL; - goto out; - } + return ret; + if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) + return -EINVAL; ret =3D TSS_rawhmac(testhmac2, key2, keylen2, SHA1_DIGEST_SIZE, paramdigest, TPM_NONCE_SIZE, enonce2, TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0); if (ret < 0) - goto out; + return ret; if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE)) - ret =3D -EINVAL; -out: - kfree_sensitive(sdesc); - return ret; + return -EINVAL; + return 0; } =20 /* * For key specific tpm requests, we will generate and send our * own TPM command packets using the drivers send function. @@ -496,13 +385,11 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keyt= ype, dump_sess(&sess); =20 /* calculate encrypted authorization value */ memcpy(td->xorwork, sess.secret, SHA1_DIGEST_SIZE); memcpy(td->xorwork + SHA1_DIGEST_SIZE, sess.enonce, SHA1_DIGEST_SIZE); - ret =3D TSS_sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash); - if (ret < 0) - goto out; + sha1(td->xorwork, SHA1_DIGEST_SIZE * 2, td->xorhash); =20 ret =3D tpm_get_random(chip, td->nonceodd, TPM_NONCE_SIZE); if (ret < 0) goto out; =20 @@ -987,44 +874,10 @@ static int trusted_tpm_unseal(struct trusted_key_payl= oad *p, char *datablob) static int trusted_tpm_get_random(unsigned char *key, size_t key_len) { return tpm_get_random(chip, key, key_len); } =20 -static void trusted_shash_release(void) -{ - if (hashalg) - crypto_free_shash(hashalg); - if (hmacalg) - crypto_free_shash(hmacalg); -} - -static int __init trusted_shash_alloc(void) -{ - int ret; - - hmacalg =3D crypto_alloc_shash(hmac_alg, 0, 0); - if (IS_ERR(hmacalg)) { - pr_info("could not allocate crypto %s\n", - hmac_alg); - return PTR_ERR(hmacalg); - } - - hashalg =3D crypto_alloc_shash(hash_alg, 0, 0); - if (IS_ERR(hashalg)) { - pr_info("could not allocate crypto %s\n", - hash_alg); - ret =3D PTR_ERR(hashalg); - goto hashalg_fail; - } - - return 0; - -hashalg_fail: - crypto_free_shash(hmacalg); - return ret; -} - static int __init init_digests(void) { int i; =20 digests =3D kcalloc(chip->nr_allocated_banks, sizeof(*digests), @@ -1047,19 +900,14 @@ static int __init trusted_tpm_init(void) return -ENODEV; =20 ret =3D init_digests(); if (ret < 0) goto err_put; - ret =3D trusted_shash_alloc(); - if (ret < 0) - goto err_free; ret =3D register_key_type(&key_type_trusted); if (ret < 0) - goto err_release; + goto err_free; return 0; -err_release: - trusted_shash_release(); err_free: kfree(digests); err_put: put_device(&chip->dev); return ret; @@ -1068,11 +916,10 @@ static int __init trusted_tpm_init(void) static void trusted_tpm_exit(void) { if (chip) { put_device(&chip->dev); kfree(digests); - trusted_shash_release(); unregister_key_type(&key_type_trusted); } } =20 struct trusted_key_ops trusted_key_tpm_ops =3D { --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1FF0B246BD8; Sat, 12 Jul 2025 23:26:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362792; cv=none; b=azQL5B0/g9yL9SFbG8bl2K1foA11KmDZKoVyJL4+DlWOS31TjaIlhd+9lgQm0FSK7ho6xZelKZ0g4/JS5eix/OIOCzQUwvsCMYr2JBQi3kIqNjfvyP+XXkjKpWnAtmhPcAvRBZ0e6m0q2/ubrtjrkj7Lx3sPKJqy4wKBpnjvksE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362792; c=relaxed/simple; bh=oVRGZdE8JlbqTZ+/Vc8lJfxP7t8h25c1QhOzJeVqedA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=TeyOlQXCoNygyOauO/XqWO2fqQmIhZqavYKvUxzQCOaa7D6on2qI3Gc7gKatfYdTyMAvjeAj2J1u8eTk8vhnKFp2cPD0hvQiq9zh1H/7wuua7+Kwb1ocX2ZNE8dsdWFVKEzxZXGP4QM6d810SLb/Koy5c4v/vqOA4m9JakXFH0I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=Zj8p+TOd; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="Zj8p+TOd" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A7C7AC4CEF1; Sat, 12 Jul 2025 23:26:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362792; bh=oVRGZdE8JlbqTZ+/Vc8lJfxP7t8h25c1QhOzJeVqedA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Zj8p+TOdVPu5lLHwjDdEJchVLZkO8F/qQjiyuD+eFQGiCyDQXvpReA3aDYR+mQdXN KP5SpOK4fB3lqKTD1miviKDDEE0Rh1/t2wj68FTUNFC3sg/5fiECZziA+PJrcihbcg EO2THy+IhzDgyjilv+vvjzNXCOgoFE/oeN39RE/9xR7cJuXS8JgPpnNegYYtrAHJn/ BP8LivY5YkQlIiBVMIrbibin415AHX10jV1s3KUYIvwDc/U1pvHnZVHEgqZskmXPls 60wYxMyihVBMQ31CfcCFnnUSBzCLxCm2+RHUrC7Fd2ORRkenalB5pgZEw3rJ9WKA4R jV4MTcMcL6DBQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 25/26] ipv6: Switch to higher-level SHA-1 functions Date: Sat, 12 Jul 2025 16:23:16 -0700 Message-ID: <20250712232329.818226-26-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" There's now a proper SHA-1 API that follows the usual conventions for hash function APIs: sha1_init(), sha1_update(), sha1_final(), sha1(). The only remaining user of the older low-level SHA-1 API, sha1_init_raw() and sha1_transform(), is ipv6_generate_stable_address(). I'd like to remove this older API, which is too low-level. Unfortunately, ipv6_generate_stable_address() does in fact skip the SHA-1 finalization for some reason. So the values it computes are not standard SHA-1 values, and it sort of does want the low-level API. Still, it's still possible to use the higher-level functions sha1_init() and sha1_update() to get the same result, provided that the resulting state is used directly, skipping sha1_final(). So, let's do that instead. This will allow removing the low-level API. Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- net/ipv6/addrconf.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index d0e5b94c10af4..a4d47044f4557 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -3336,12 +3336,11 @@ static bool ipv6_reserved_interfaceid(struct in6_ad= dr address) static int ipv6_generate_stable_address(struct in6_addr *address, u8 dad_count, const struct inet6_dev *idev) { static DEFINE_SPINLOCK(lock); - static __u32 digest[SHA1_DIGEST_WORDS]; - static __u32 workspace[SHA1_WORKSPACE_WORDS]; + static struct sha1_ctx sha_ctx; =20 static union { char __data[SHA1_BLOCK_SIZE]; struct { struct in6_addr secret; @@ -3353,36 +3352,40 @@ static int ipv6_generate_stable_address(struct in6_= addr *address, =20 struct in6_addr secret; struct in6_addr temp; struct net *net =3D dev_net(idev->dev); =20 - BUILD_BUG_ON(sizeof(data.__data) !=3D sizeof(data)); - if (idev->cnf.stable_secret.initialized) secret =3D idev->cnf.stable_secret.secret; else if (net->ipv6.devconf_dflt->stable_secret.initialized) secret =3D net->ipv6.devconf_dflt->stable_secret.secret; else return -1; =20 retry: spin_lock_bh(&lock); =20 - sha1_init_raw(digest); + sha1_init(&sha_ctx); + memset(&data, 0, sizeof(data)); - memset(workspace, 0, sizeof(workspace)); memcpy(data.hwaddr, idev->dev->perm_addr, idev->dev->addr_len); data.prefix[0] =3D address->s6_addr32[0]; data.prefix[1] =3D address->s6_addr32[1]; data.secret =3D secret; data.dad_count =3D dad_count; + sha1_update(&sha_ctx, (const u8 *)&data, sizeof(data)); =20 - sha1_transform(digest, data.__data, workspace); - + /* + * Note that the SHA-1 finalization is omitted here, and the digest is + * pulled directly from the internal SHA-1 state (making it incompatible + * with standard SHA-1). Unusual, but technically okay since the data + * length is fixed and is a multiple of the SHA-1 block size. + */ + static_assert(sizeof(data) % SHA1_BLOCK_SIZE =3D=3D 0); temp =3D *address; - temp.s6_addr32[2] =3D (__force __be32)digest[0]; - temp.s6_addr32[3] =3D (__force __be32)digest[1]; + temp.s6_addr32[2] =3D (__force __be32)sha_ctx.state.h[0]; + temp.s6_addr32[3] =3D (__force __be32)sha_ctx.state.h[1]; =20 spin_unlock_bh(&lock); =20 if (ipv6_reserved_interfaceid(temp)) { dad_count++; --=20 2.50.1 From nobody Tue Oct 7 07:01:23 2025 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 947D72472BD; Sat, 12 Jul 2025 23:26:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362792; cv=none; b=dTG9KHaMSPBQwqewle2OdrqmHDr6JMZrQ9BFvMz++1AG8OdNrdlRiYZIT/aHbIn6z3Dz1P4cby3QuaE5y5Ta4nLM0bx1xRz7oFfF/F5TKcsaUV0OQP1fAjPXkkzSCMaUU72xn0dipp4pFIMfgskC9+C/MbWnrPPmjyDDkMSPVx0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752362792; c=relaxed/simple; bh=yc9nP0AyrYTSdnZBDBrGS14R619T+8Od6p+X/EDi6Wk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=tBKYwSFpu/k+c9UO0XOukIk0aPvr77iaumcFLjJqcY7OmikQby4zD8FQKOZHzili86uYlU0RFgvGqP4ilY56GLsDDPpBN79DZ6XNkH5tVBY+dAR7YOmV0gfynoHTBy08ibQozu5JCoP2kb+WfT/QlYHQqf4fLnjOL+p8phkSnDo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=fX0E8o1k; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="fX0E8o1k" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 25260C4CEF7; Sat, 12 Jul 2025 23:26:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1752362792; bh=yc9nP0AyrYTSdnZBDBrGS14R619T+8Od6p+X/EDi6Wk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fX0E8o1k57ipPAfx4Uzk0gPIv9zXrwOi7EklV1MTTwN4CCofX0j1AgCETrLo46xpR Fb/HAiIDk0Q2P043QlgVPWAz6ctV/JLTH2RJwvNw1pAU/2HI7xBrHJ7zDBInTtl6pG mzEoqG3qquK7rGUpI1L2ysFaTLshgPnAeVAFNEt+PnuRxP2jzd7FmS0aJqJE6xV0G4 UAiLiC0Y1UK5bxhY8SxwNggognGdbLAPtfPBg71+lwZI1/NRIuLrUi/bGrX7oCfzlo jkJE8G03Pxs0HpkZAiPARUZk5aGWGElD8l3JOFy2Vc19sZYmnKIZ8d0fCNYAFiC01z WBJQa9HaiH7NQ== From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel , "Jason A . Donenfeld" , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, sparclinux@vger.kernel.org, x86@kernel.org, Eric Biggers Subject: [PATCH 26/26] lib/crypto: sha1: Remove low-level functions from API Date: Sat, 12 Jul 2025 16:23:17 -0700 Message-ID: <20250712232329.818226-27-ebiggers@kernel.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250712232329.818226-1-ebiggers@kernel.org> References: <20250712232329.818226-1-ebiggers@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Now that there are no users of the low-level SHA-1 interface, remove it. Specifically: - Remove SHA1_DIGEST_WORDS (no longer used) - Remove sha1_init_raw() (no longer used) - Rename sha1_transform() to sha1_block_generic() and make it static - Move SHA1_WORKSPACE_WORDS into lib/crypto/sha1.c Signed-off-by: Eric Biggers Reviewed-by: Ard Biesheuvel --- include/crypto/sha1.h | 10 ------- lib/crypto/sha1.c | 63 ++++++++++++------------------------------- 2 files changed, 17 insertions(+), 56 deletions(-) diff --git a/include/crypto/sha1.h b/include/crypto/sha1.h index 162a529ec8413..34658f4d76e3b 100644 --- a/include/crypto/sha1.h +++ b/include/crypto/sha1.h @@ -24,20 +24,10 @@ struct sha1_state { u32 state[SHA1_DIGEST_SIZE / 4]; u64 count; u8 buffer[SHA1_BLOCK_SIZE]; }; =20 -/* - * An implementation of SHA-1's compression function. Don't use in new co= de! - * You shouldn't be using SHA-1, and even if you *have* to use SHA-1, this= isn't - * the correct way to hash something with SHA-1 (use crypto_shash instead). - */ -#define SHA1_DIGEST_WORDS (SHA1_DIGEST_SIZE / 4) -#define SHA1_WORKSPACE_WORDS 16 -void sha1_init_raw(__u32 *buf); -void sha1_transform(__u32 *digest, const char *data, __u32 *W); - /* State for the SHA-1 compression function */ struct sha1_block_state { u32 h[SHA1_DIGEST_SIZE / 4]; }; =20 diff --git a/lib/crypto/sha1.c b/lib/crypto/sha1.c index 89831f7f27793..87a76bf97f445 100644 --- a/lib/crypto/sha1.c +++ b/lib/crypto/sha1.c @@ -49,11 +49,11 @@ static const struct sha1_block_state sha1_iv =3D { #else #define setW(x, val) (W(x) =3D (val)) #endif =20 /* This "rolls" over the 512-bit array */ -#define W(x) (array[(x)&15]) +#define W(x) (workspace[(x)&15]) =20 /* * Where do we get the source from? The first 16 iterations get it from * the input data, the next mix it from the 512-bit array. */ @@ -70,38 +70,24 @@ static const struct sha1_block_state sha1_iv =3D { #define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x= 5a827999, A, B, C, D, E ) #define T_20_39(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0x6ed9eb= a1, A, B, C, D, E ) #define T_40_59(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, ((B&C)+(D&(B^C))) = , 0x8f1bbcdc, A, B, C, D, E ) #define T_60_79(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0xca62c= 1d6, A, B, C, D, E ) =20 -/** - * sha1_transform - single block SHA1 transform (deprecated) - * - * @digest: 160 bit digest to update - * @data: 512 bits of data to hash - * @array: 16 words of workspace (see note) - * - * This function executes SHA-1's internal compression function. It updat= es the - * 160-bit internal state (@digest) with a single 512-bit data block (@dat= a). - * - * Don't use this function. SHA-1 is no longer considered secure. And ev= en if - * you do have to use SHA-1, this isn't the correct way to hash something = with - * SHA-1 as this doesn't handle padding and finalization. - * - * Note: If the hash is security sensitive, the caller should be sure - * to clear the workspace. This is left to the caller to avoid - * unnecessary clears between chained hashing operations. - */ -void sha1_transform(__u32 *digest, const char *data, __u32 *array) +#define SHA1_WORKSPACE_WORDS 16 + +static void sha1_block_generic(struct sha1_block_state *state, + const u8 data[SHA1_BLOCK_SIZE], + u32 workspace[SHA1_WORKSPACE_WORDS]) { __u32 A, B, C, D, E; unsigned int i =3D 0; =20 - A =3D digest[0]; - B =3D digest[1]; - C =3D digest[2]; - D =3D digest[3]; - E =3D digest[4]; + A =3D state->h[0]; + B =3D state->h[1]; + C =3D state->h[2]; + D =3D state->h[3]; + E =3D state->h[4]; =20 /* Round 1 - iterations 0-16 take their input from 'data' */ for (; i < 16; ++i) T_0_15(i, A, B, C, D, E); =20 @@ -119,39 +105,24 @@ void sha1_transform(__u32 *digest, const char *data, = __u32 *array) =20 /* Round 4 */ for (; i < 80; ++i) T_60_79(i, A, B, C, D, E); =20 - digest[0] +=3D A; - digest[1] +=3D B; - digest[2] +=3D C; - digest[3] +=3D D; - digest[4] +=3D E; -} -EXPORT_SYMBOL(sha1_transform); - -/** - * sha1_init_raw - initialize the vectors for a SHA1 digest - * @buf: vector to initialize - */ -void sha1_init_raw(__u32 *buf) -{ - buf[0] =3D 0x67452301; - buf[1] =3D 0xefcdab89; - buf[2] =3D 0x98badcfe; - buf[3] =3D 0x10325476; - buf[4] =3D 0xc3d2e1f0; + state->h[0] +=3D A; + state->h[1] +=3D B; + state->h[2] +=3D C; + state->h[3] +=3D D; + state->h[4] +=3D E; } -EXPORT_SYMBOL(sha1_init_raw); =20 static void __maybe_unused sha1_blocks_generic(struct sha1_block_state *st= ate, const u8 *data, size_t nblocks) { u32 workspace[SHA1_WORKSPACE_WORDS]; =20 do { - sha1_transform(state->h, data, workspace); + sha1_block_generic(state, data, workspace); data +=3D SHA1_BLOCK_SIZE; } while (--nblocks); =20 memzero_explicit(workspace, sizeof(workspace)); } --=20 2.50.1