mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-23 04:48:22 +00:00
f8bac9cc82
Without this patch, the chacha block counter is not incremented on neon rounds, resulting in incorrect calculations and corrupt packets. This also switches to using `--no-numbered --zero-commit` so that future diffs are smaller. Reported-by: Hans Geiblinger <cybrnook2002@yahoo.com> Reviewed-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com> Cc: David Bauer <mail@david-bauer.net> Cc: Petr Štetiar <ynezz@true.cz> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: maurerr <mariusd84@gmail.com>
246 lines
7.5 KiB
Diff
246 lines
7.5 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Ard Biesheuvel <ardb@kernel.org>
|
|
Date: Fri, 8 Nov 2019 13:22:30 +0100
|
|
Subject: [PATCH] crypto: blake2s - implement generic shash driver
|
|
|
|
commit 7f9b0880925f1f9d7d59504ea0892d2ae9cfc233 upstream.
|
|
|
|
Wire up our newly added Blake2s implementation via the shash API.
|
|
|
|
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
|
|
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
|
---
|
|
crypto/Kconfig | 18 ++++
|
|
crypto/Makefile | 1 +
|
|
crypto/blake2s_generic.c | 171 ++++++++++++++++++++++++++++++
|
|
include/crypto/internal/blake2s.h | 5 +
|
|
4 files changed, 195 insertions(+)
|
|
create mode 100644 crypto/blake2s_generic.c
|
|
|
|
--- a/crypto/Kconfig
|
|
+++ b/crypto/Kconfig
|
|
@@ -639,6 +639,24 @@ config CRYPTO_XXHASH
|
|
xxHash non-cryptographic hash algorithm. Extremely fast, working at
|
|
speeds close to RAM limits.
|
|
|
|
+config CRYPTO_BLAKE2S
|
|
+ tristate "BLAKE2s digest algorithm"
|
|
+ select CRYPTO_LIB_BLAKE2S_GENERIC
|
|
+ select CRYPTO_HASH
|
|
+ help
|
|
+ Implementation of cryptographic hash function BLAKE2s
|
|
+ optimized for 8-32bit platforms and can produce digests of any size
|
|
+ between 1 to 32. The keyed hash is also implemented.
|
|
+
|
|
+ This module provides the following algorithms:
|
|
+
|
|
+ - blake2s-128
|
|
+ - blake2s-160
|
|
+ - blake2s-224
|
|
+ - blake2s-256
|
|
+
|
|
+ See https://blake2.net for further information.
|
|
+
|
|
config CRYPTO_CRCT10DIF
|
|
tristate "CRCT10DIF algorithm"
|
|
select CRYPTO_HASH
|
|
--- a/crypto/Makefile
|
|
+++ b/crypto/Makefile
|
|
@@ -74,6 +74,7 @@ obj-$(CONFIG_CRYPTO_STREEBOG) += streebo
|
|
obj-$(CONFIG_CRYPTO_WP512) += wp512.o
|
|
CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
|
|
obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o
|
|
+obj-$(CONFIG_CRYPTO_BLAKE2S) += blake2s_generic.o
|
|
obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o
|
|
obj-$(CONFIG_CRYPTO_ECB) += ecb.o
|
|
obj-$(CONFIG_CRYPTO_CBC) += cbc.o
|
|
--- /dev/null
|
|
+++ b/crypto/blake2s_generic.c
|
|
@@ -0,0 +1,171 @@
|
|
+// SPDX-License-Identifier: GPL-2.0 OR MIT
|
|
+/*
|
|
+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
|
|
+ */
|
|
+
|
|
+#include <crypto/internal/blake2s.h>
|
|
+#include <crypto/internal/simd.h>
|
|
+#include <crypto/internal/hash.h>
|
|
+
|
|
+#include <linux/types.h>
|
|
+#include <linux/jump_label.h>
|
|
+#include <linux/kernel.h>
|
|
+#include <linux/module.h>
|
|
+
|
|
+static int crypto_blake2s_setkey(struct crypto_shash *tfm, const u8 *key,
|
|
+ unsigned int keylen)
|
|
+{
|
|
+ struct blake2s_tfm_ctx *tctx = crypto_shash_ctx(tfm);
|
|
+
|
|
+ if (keylen == 0 || keylen > BLAKE2S_KEY_SIZE) {
|
|
+ crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
|
|
+ return -EINVAL;
|
|
+ }
|
|
+
|
|
+ memcpy(tctx->key, key, keylen);
|
|
+ tctx->keylen = keylen;
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int crypto_blake2s_init(struct shash_desc *desc)
|
|
+{
|
|
+ struct blake2s_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
|
|
+ struct blake2s_state *state = shash_desc_ctx(desc);
|
|
+ const int outlen = crypto_shash_digestsize(desc->tfm);
|
|
+
|
|
+ if (tctx->keylen)
|
|
+ blake2s_init_key(state, outlen, tctx->key, tctx->keylen);
|
|
+ else
|
|
+ blake2s_init(state, outlen);
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int crypto_blake2s_update(struct shash_desc *desc, const u8 *in,
|
|
+ unsigned int inlen)
|
|
+{
|
|
+ struct blake2s_state *state = shash_desc_ctx(desc);
|
|
+ const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
|
|
+
|
|
+ if (unlikely(!inlen))
|
|
+ return 0;
|
|
+ if (inlen > fill) {
|
|
+ memcpy(state->buf + state->buflen, in, fill);
|
|
+ blake2s_compress_generic(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
|
|
+ state->buflen = 0;
|
|
+ in += fill;
|
|
+ inlen -= fill;
|
|
+ }
|
|
+ if (inlen > BLAKE2S_BLOCK_SIZE) {
|
|
+ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
|
|
+ /* Hash one less (full) block than strictly possible */
|
|
+ blake2s_compress_generic(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
|
|
+ in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
|
|
+ inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
|
|
+ }
|
|
+ memcpy(state->buf + state->buflen, in, inlen);
|
|
+ state->buflen += inlen;
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int crypto_blake2s_final(struct shash_desc *desc, u8 *out)
|
|
+{
|
|
+ struct blake2s_state *state = shash_desc_ctx(desc);
|
|
+
|
|
+ blake2s_set_lastblock(state);
|
|
+ memset(state->buf + state->buflen, 0,
|
|
+ BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
|
|
+ blake2s_compress_generic(state, state->buf, 1, state->buflen);
|
|
+ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
|
|
+ memcpy(out, state->h, state->outlen);
|
|
+ memzero_explicit(state, sizeof(*state));
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static struct shash_alg blake2s_algs[] = {{
|
|
+ .base.cra_name = "blake2s-128",
|
|
+ .base.cra_driver_name = "blake2s-128-generic",
|
|
+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
|
|
+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
|
|
+ .base.cra_priority = 200,
|
|
+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
|
|
+ .base.cra_module = THIS_MODULE,
|
|
+
|
|
+ .digestsize = BLAKE2S_128_HASH_SIZE,
|
|
+ .setkey = crypto_blake2s_setkey,
|
|
+ .init = crypto_blake2s_init,
|
|
+ .update = crypto_blake2s_update,
|
|
+ .final = crypto_blake2s_final,
|
|
+ .descsize = sizeof(struct blake2s_state),
|
|
+}, {
|
|
+ .base.cra_name = "blake2s-160",
|
|
+ .base.cra_driver_name = "blake2s-160-generic",
|
|
+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
|
|
+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
|
|
+ .base.cra_priority = 200,
|
|
+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
|
|
+ .base.cra_module = THIS_MODULE,
|
|
+
|
|
+ .digestsize = BLAKE2S_160_HASH_SIZE,
|
|
+ .setkey = crypto_blake2s_setkey,
|
|
+ .init = crypto_blake2s_init,
|
|
+ .update = crypto_blake2s_update,
|
|
+ .final = crypto_blake2s_final,
|
|
+ .descsize = sizeof(struct blake2s_state),
|
|
+}, {
|
|
+ .base.cra_name = "blake2s-224",
|
|
+ .base.cra_driver_name = "blake2s-224-generic",
|
|
+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
|
|
+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
|
|
+ .base.cra_priority = 200,
|
|
+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
|
|
+ .base.cra_module = THIS_MODULE,
|
|
+
|
|
+ .digestsize = BLAKE2S_224_HASH_SIZE,
|
|
+ .setkey = crypto_blake2s_setkey,
|
|
+ .init = crypto_blake2s_init,
|
|
+ .update = crypto_blake2s_update,
|
|
+ .final = crypto_blake2s_final,
|
|
+ .descsize = sizeof(struct blake2s_state),
|
|
+}, {
|
|
+ .base.cra_name = "blake2s-256",
|
|
+ .base.cra_driver_name = "blake2s-256-generic",
|
|
+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
|
|
+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
|
|
+ .base.cra_priority = 200,
|
|
+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
|
|
+ .base.cra_module = THIS_MODULE,
|
|
+
|
|
+ .digestsize = BLAKE2S_256_HASH_SIZE,
|
|
+ .setkey = crypto_blake2s_setkey,
|
|
+ .init = crypto_blake2s_init,
|
|
+ .update = crypto_blake2s_update,
|
|
+ .final = crypto_blake2s_final,
|
|
+ .descsize = sizeof(struct blake2s_state),
|
|
+}};
|
|
+
|
|
+static int __init blake2s_mod_init(void)
|
|
+{
|
|
+ return crypto_register_shashes(blake2s_algs, ARRAY_SIZE(blake2s_algs));
|
|
+}
|
|
+
|
|
+static void __exit blake2s_mod_exit(void)
|
|
+{
|
|
+ crypto_unregister_shashes(blake2s_algs, ARRAY_SIZE(blake2s_algs));
|
|
+}
|
|
+
|
|
+subsys_initcall(blake2s_mod_init);
|
|
+module_exit(blake2s_mod_exit);
|
|
+
|
|
+MODULE_ALIAS_CRYPTO("blake2s-128");
|
|
+MODULE_ALIAS_CRYPTO("blake2s-128-generic");
|
|
+MODULE_ALIAS_CRYPTO("blake2s-160");
|
|
+MODULE_ALIAS_CRYPTO("blake2s-160-generic");
|
|
+MODULE_ALIAS_CRYPTO("blake2s-224");
|
|
+MODULE_ALIAS_CRYPTO("blake2s-224-generic");
|
|
+MODULE_ALIAS_CRYPTO("blake2s-256");
|
|
+MODULE_ALIAS_CRYPTO("blake2s-256-generic");
|
|
+MODULE_LICENSE("GPL v2");
|
|
--- a/include/crypto/internal/blake2s.h
|
|
+++ b/include/crypto/internal/blake2s.h
|
|
@@ -5,6 +5,11 @@
|
|
|
|
#include <crypto/blake2s.h>
|
|
|
|
+struct blake2s_tfm_ctx {
|
|
+ u8 key[BLAKE2S_KEY_SIZE];
|
|
+ unsigned int keylen;
|
|
+};
|
|
+
|
|
void blake2s_compress_generic(struct blake2s_state *state,const u8 *block,
|
|
size_t nblocks, const u32 inc);
|
|
|