[1/9] Convert padlock sha to shash

[1/9] Convert padlock sha to shash

[Herbert Xu]

Hi:

This series of patches converts the padlock-sha implementation to
shash.  This is also the last legacy hash algorithm to be converted,
apart from hmac which I had to revert as it would break padlock-sha
unless the latter is converted.

As I don't have the hardware supporting padlock-sha, could someone
with access to it please test this for me? In particular, I'd like
to see this tested with an actual IPsec connection.

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[PATCH 2/10] crypto: shash - Export/import hash state only

[Herbert Xu]

crypto: shash - Export/import hash state only

This patch replaces the full descriptor export with an export of
the partial hash state.  This allows the use of a consistent export
format across all implementations of a given algorithm.

This is useful because a number of cases require the use of the
partial hash state, e.g., PadLock can use the SHA1 hash state
to get around the fact that it can only hash contiguous data
chunks.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/shash.c        |   25 ++++++++++++++-----------
 include/crypto/hash.h |   18 ++++++++++++++----
 2 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/crypto/shash.c b/crypto/shash.c
index 23e05a1..14a3b70 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -172,19 +172,15 @@ int crypto_shash_digest(struct shash_desc *desc, const u8 *data,
 }
 EXPORT_SYMBOL_GPL(crypto_shash_digest);
 
-int crypto_shash_import(struct shash_desc *desc, const u8 *in)
+static int shash_no_export(struct shash_desc *desc, void *out)
 {
-	struct crypto_shash *tfm = desc->tfm;
-	struct shash_alg *alg = crypto_shash_alg(tfm);
-
-	memcpy(shash_desc_ctx(desc), in, crypto_shash_descsize(tfm));
-
-	if (alg->reinit)
-		return alg->reinit(desc);
+	return -ENOSYS;
+}
 
-	return 0;
+static int shash_no_import(struct shash_desc *desc, const void *in)
+{
+	return -ENOSYS;
 }
-EXPORT_SYMBOL_GPL(crypto_shash_import);
 
 static int shash_async_setkey(struct crypto_ahash *tfm, const u8 *key,
 			      unsigned int keylen)
@@ -484,12 +480,19 @@ static int shash_prepare_alg(struct shash_alg *alg)
 	struct crypto_alg *base = &alg->base;
 
 	if (alg->digestsize > PAGE_SIZE / 8 ||
-	    alg->descsize > PAGE_SIZE / 8)
+	    alg->descsize > PAGE_SIZE / 8 ||
+	    alg->statesize > PAGE_SIZE / 8)
 		return -EINVAL;
 
 	base->cra_type = &crypto_shash_type;
 	base->cra_flags &= ~CRYPTO_ALG_TYPE_MASK;
 	base->cra_flags |= CRYPTO_ALG_TYPE_SHASH;
+
+	if (!alg->import)
+		alg->import = shash_no_import;
+	if (!alg->export)
+		alg->export = shash_no_export;
+
 	return 0;
 }
 
diff --git a/include/crypto/hash.h b/include/crypto/hash.h
index d56bb71..3c4cce6 100644
--- a/include/crypto/hash.h
+++ b/include/crypto/hash.h
@@ -24,7 +24,6 @@ struct shash_desc {
 
 struct shash_alg {
 	int (*init)(struct shash_desc *desc);
-	int (*reinit)(struct shash_desc *desc);
 	int (*update)(struct shash_desc *desc, const u8 *data,
 		      unsigned int len);
 	int (*final)(struct shash_desc *desc, u8 *out);
@@ -32,11 +31,14 @@ struct shash_alg {
 		     unsigned int len, u8 *out);
 	int (*digest)(struct shash_desc *desc, const u8 *data,
 		      unsigned int len, u8 *out);
+	int (*export)(struct shash_desc *desc, void *out);
+	int (*import)(struct shash_desc *desc, const void *in);
 	int (*setkey)(struct crypto_shash *tfm, const u8 *key,
 		      unsigned int keylen);
 
 	unsigned int descsize;
 	unsigned int digestsize;
+	unsigned int statesize;
 
 	struct crypto_alg base;
 };
@@ -251,6 +253,11 @@ static inline unsigned int crypto_shash_digestsize(struct crypto_shash *tfm)
 	return crypto_shash_alg(tfm)->digestsize;
 }
 
+static inline unsigned int crypto_shash_statesize(struct crypto_shash *tfm)
+{
+	return crypto_shash_alg(tfm)->statesize;
+}
+
 static inline u32 crypto_shash_get_flags(struct crypto_shash *tfm)
 {
 	return crypto_tfm_get_flags(crypto_shash_tfm(tfm));
@@ -281,12 +288,15 @@ int crypto_shash_setkey(struct crypto_shash *tfm, const u8 *key,
 int crypto_shash_digest(struct shash_desc *desc, const u8 *data,
 			unsigned int len, u8 *out);
 
-static inline void crypto_shash_export(struct shash_desc *desc, u8 *out)
+static inline int crypto_shash_export(struct shash_desc *desc, void *out)
 {
-	memcpy(out, shash_desc_ctx(desc), crypto_shash_descsize(desc->tfm));
+	return crypto_shash_alg(desc->tfm)->export(desc, out);
 }
 
-int crypto_shash_import(struct shash_desc *desc, const u8 *in);
+static inline int crypto_shash_import(struct shash_desc *desc, const void *in)
+{
+	return crypto_shash_alg(desc->tfm)->import(desc, in);
+}
 
 static inline int crypto_shash_init(struct shash_desc *desc)
 {

[PATCH 3/10] crypto: shash - Move finup/digest null checks to registration time

[Herbert Xu]

crypto: shash - Move finup/digest null checks to registration time

This patch moves the run-time null finup/digest checks to the
shash_prepare_alg function which is run at registration time.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/shash.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/crypto/shash.c b/crypto/shash.c
index 14a3b70..f7fcc65 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -142,8 +142,7 @@ int crypto_shash_finup(struct shash_desc *desc, const u8 *data,
 	struct shash_alg *shash = crypto_shash_alg(tfm);
 	unsigned long alignmask = crypto_shash_alignmask(tfm);
 
-	if (((unsigned long)data | (unsigned long)out) & alignmask ||
-	    !shash->finup)
+	if (((unsigned long)data | (unsigned long)out) & alignmask)
 		return shash_finup_unaligned(desc, data, len, out);
 
 	return shash->finup(desc, data, len, out);
@@ -164,8 +163,7 @@ int crypto_shash_digest(struct shash_desc *desc, const u8 *data,
 	struct shash_alg *shash = crypto_shash_alg(tfm);
 	unsigned long alignmask = crypto_shash_alignmask(tfm);
 
-	if (((unsigned long)data | (unsigned long)out) & alignmask ||
-	    !shash->digest)
+	if (((unsigned long)data | (unsigned long)out) & alignmask)
 		return shash_digest_unaligned(desc, data, len, out);
 
 	return shash->digest(desc, data, len, out);
@@ -488,6 +486,10 @@ static int shash_prepare_alg(struct shash_alg *alg)
 	base->cra_flags &= ~CRYPTO_ALG_TYPE_MASK;
 	base->cra_flags |= CRYPTO_ALG_TYPE_SHASH;
 
+	if (!alg->finup)
+		alg->finup = shash_finup_unaligned;
+	if (!alg->digest)
+		alg->digest = shash_digest_unaligned;
 	if (!alg->import)
 		alg->import = shash_no_import;
 	if (!alg->export)

[PATCH 4/10] crypto: sha1_generic - Add export/import support

[Herbert Xu]

crypto: sha1_generic - Add export/import support

This patch adds export/import support to sha1_generic.  The exported
type is defined by struct sha1_state, which is basically the entire
descriptor state of sha1_generic.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/sha1_generic.c |   41 +++++++++++++++++++++++++----------------
 include/crypto/sha.h  |    8 ++++++++
 2 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/crypto/sha1_generic.c b/crypto/sha1_generic.c
index 9efef20..0416091 100644
--- a/crypto/sha1_generic.c
+++ b/crypto/sha1_generic.c
@@ -25,31 +25,21 @@
 #include <crypto/sha.h>
 #include <asm/byteorder.h>
 
-struct sha1_ctx {
-        u64 count;
-        u32 state[5];
-        u8 buffer[64];
-};
-
 static int sha1_init(struct shash_desc *desc)
 {
-	struct sha1_ctx *sctx = shash_desc_ctx(desc);
+	struct sha1_state *sctx = shash_desc_ctx(desc);
 
-	static const struct sha1_ctx initstate = {
-	  0,
-	  { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
-	  { 0, }
+	*sctx = (struct sha1_state){
+		.state = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
 	};
 
-	*sctx = initstate;
-
 	return 0;
 }
 
 static int sha1_update(struct shash_desc *desc, const u8 *data,
 			unsigned int len)
 {
-	struct sha1_ctx *sctx = shash_desc_ctx(desc);
+	struct sha1_state *sctx = shash_desc_ctx(desc);
 	unsigned int partial, done;
 	const u8 *src;
 
@@ -85,7 +75,7 @@ static int sha1_update(struct shash_desc *desc, const u8 *data,
 /* Add padding and return the message digest. */
 static int sha1_final(struct shash_desc *desc, u8 *out)
 {
-	struct sha1_ctx *sctx = shash_desc_ctx(desc);
+	struct sha1_state *sctx = shash_desc_ctx(desc);
 	__be32 *dst = (__be32 *)out;
 	u32 i, index, padlen;
 	__be64 bits;
@@ -111,12 +101,31 @@ static int sha1_final(struct shash_desc *desc, u8 *out)
 	return 0;
 }
 
+static int sha1_export(struct shash_desc *desc, void *out)
+{
+	struct sha1_state *sctx = shash_desc_ctx(desc);
+
+	memcpy(out, sctx, sizeof(*sctx));
+	return 0;
+}
+
+static int sha1_import(struct shash_desc *desc, const void *in)
+{
+	struct sha1_state *sctx = shash_desc_ctx(desc);
+
+	memcpy(sctx, in, sizeof(*sctx));
+	return 0;
+}
+
 static struct shash_alg alg = {
 	.digestsize	=	SHA1_DIGEST_SIZE,
 	.init		=	sha1_init,
 	.update		=	sha1_update,
 	.final		=	sha1_final,
-	.descsize	=	sizeof(struct sha1_ctx),
+	.export		=	sha1_export,
+	.import		=	sha1_import,
+	.descsize	=	sizeof(struct sha1_state),
+	.statesize	=	sizeof(struct sha1_state),
 	.base		=	{
 		.cra_name	=	"sha1",
 		.cra_driver_name=	"sha1-generic",
diff --git a/include/crypto/sha.h b/include/crypto/sha.h
index c0ccc2b..922a248 100644
--- a/include/crypto/sha.h
+++ b/include/crypto/sha.h
@@ -5,6 +5,8 @@
 #ifndef _CRYPTO_SHA_H
 #define _CRYPTO_SHA_H
 
+#include <linux/types.h>
+
 #define SHA1_DIGEST_SIZE        20
 #define SHA1_BLOCK_SIZE         64
 
@@ -62,4 +64,10 @@
 #define SHA512_H6	0x1f83d9abfb41bd6bULL
 #define SHA512_H7	0x5be0cd19137e2179ULL
 
+struct sha1_state {
+	u64 count;
+	u32 state[SHA1_DIGEST_SIZE / 4];
+	u8 buffer[SHA1_BLOCK_SIZE];
+};
+
 #endif

[PATCH 5/10] crypto: sha256_generic - Use 64-bit counter like sha1

[Herbert Xu]

crypto: sha256_generic - Use 64-bit counter like sha1

This patch replaces the two 32-bit counter code in sha256_generic
with the simpler 64-bit counter code from sha1.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/sha256_generic.c |   65 ++++++++++++++++++++++--------------------------
 1 file changed, 30 insertions(+), 35 deletions(-)

diff --git a/crypto/sha256_generic.c b/crypto/sha256_generic.c
index 6349d83..e58c71b 100644
--- a/crypto/sha256_generic.c
+++ b/crypto/sha256_generic.c
@@ -26,7 +26,7 @@
 #include <asm/byteorder.h>
 
 struct sha256_ctx {
-	u32 count[2];
+	u64 count;
 	u32 state[8];
 	u8 buf[128];
 };
@@ -231,8 +231,7 @@ static int sha224_init(struct shash_desc *desc)
 	sctx->state[5] = SHA224_H5;
 	sctx->state[6] = SHA224_H6;
 	sctx->state[7] = SHA224_H7;
-	sctx->count[0] = 0;
-	sctx->count[1] = 0;
+	sctx->count = 0;
 
 	return 0;
 }
@@ -248,7 +247,7 @@ static int sha256_init(struct shash_desc *desc)
 	sctx->state[5] = SHA256_H5;
 	sctx->state[6] = SHA256_H6;
 	sctx->state[7] = SHA256_H7;
-	sctx->count[0] = sctx->count[1] = 0;
+	sctx->count = 0;
 
 	return 0;
 }
@@ -257,33 +256,30 @@ static int sha256_update(struct shash_desc *desc, const u8 *data,
 			  unsigned int len)
 {
 	struct sha256_ctx *sctx = shash_desc_ctx(desc);
-	unsigned int i, index, part_len;
-
-	/* Compute number of bytes mod 128 */
-	index = (unsigned int)((sctx->count[0] >> 3) & 0x3f);
-
-	/* Update number of bits */
-	if ((sctx->count[0] += (len << 3)) < (len << 3)) {
-		sctx->count[1]++;
-		sctx->count[1] += (len >> 29);
+	unsigned int partial, done;
+	const u8 *src;
+
+	partial = sctx->count & 0x3f;
+	sctx->count += len;
+	done = 0;
+	src = data;
+
+	if ((partial + len) > 63) {
+		if (partial) {
+			done = -partial;
+			memcpy(sctx->buf + partial, data, done + 64);
+			src = sctx->buf;
+		}
+
+		do {
+			sha256_transform(sctx->state, src);
+			done += 64;
+			src = data + done;
+		} while (done + 63 < len);
+
+		partial = 0;
 	}
-
-	part_len = 64 - index;
-
-	/* Transform as many times as possible. */
-	if (len >= part_len) {
-		memcpy(&sctx->buf[index], data, part_len);
-		sha256_transform(sctx->state, sctx->buf);
-
-		for (i = part_len; i + 63 < len; i += 64)
-			sha256_transform(sctx->state, &data[i]);
-		index = 0;
-	} else {
-		i = 0;
-	}
-
-	/* Buffer remaining input */
-	memcpy(&sctx->buf[index], &data[i], len-i);
+	memcpy(sctx->buf + partial, src, len - done);
 
 	return 0;
 }
@@ -292,22 +288,21 @@ static int sha256_final(struct shash_desc *desc, u8 *out)
 {
 	struct sha256_ctx *sctx = shash_desc_ctx(desc);
 	__be32 *dst = (__be32 *)out;
-	__be32 bits[2];
+	__be64 bits;
 	unsigned int index, pad_len;
 	int i;
 	static const u8 padding[64] = { 0x80, };
 
 	/* Save number of bits */
-	bits[1] = cpu_to_be32(sctx->count[0]);
-	bits[0] = cpu_to_be32(sctx->count[1]);
+	bits = cpu_to_be64(sctx->count << 3);
 
 	/* Pad out to 56 mod 64. */
-	index = (sctx->count[0] >> 3) & 0x3f;
+	index = sctx->count & 0x3f;
 	pad_len = (index < 56) ? (56 - index) : ((64+56) - index);
 	sha256_update(desc, padding, pad_len);
 
 	/* Append length (before padding) */
-	sha256_update(desc, (const u8 *)bits, sizeof(bits));
+	sha256_update(desc, (const u8 *)&bits, sizeof(bits));
 
 	/* Store state in digest */
 	for (i = 0; i < 8; i++)

[PATCH 6/10] crypto: sha256_generic - Add export/import support

[Herbert Xu]

crypto: sha256_generic - Add export/import support

This patch adds export/import support to sha256_generic.  The exported
type is defined by struct sha256_state, which is basically the entire
descriptor state of sha256_generic.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/sha256_generic.c |   37 +++++++++++++++++++++++++------------
 include/crypto/sha.h    |    6 ++++++
 2 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/crypto/sha256_generic.c b/crypto/sha256_generic.c
index e58c71b..c48459e 100644
--- a/crypto/sha256_generic.c
+++ b/crypto/sha256_generic.c
@@ -25,12 +25,6 @@
 #include <crypto/sha.h>
 #include <asm/byteorder.h>
 
-struct sha256_ctx {
-	u64 count;
-	u32 state[8];
-	u8 buf[128];
-};
-
 static inline u32 Ch(u32 x, u32 y, u32 z)
 {
 	return z ^ (x & (y ^ z));
@@ -222,7 +216,7 @@ static void sha256_transform(u32 *state, const u8 *input)
 
 static int sha224_init(struct shash_desc *desc)
 {
-	struct sha256_ctx *sctx = shash_desc_ctx(desc);
+	struct sha256_state *sctx = shash_desc_ctx(desc);
 	sctx->state[0] = SHA224_H0;
 	sctx->state[1] = SHA224_H1;
 	sctx->state[2] = SHA224_H2;
@@ -238,7 +232,7 @@ static int sha224_init(struct shash_desc *desc)
 
 static int sha256_init(struct shash_desc *desc)
 {
-	struct sha256_ctx *sctx = shash_desc_ctx(desc);
+	struct sha256_state *sctx = shash_desc_ctx(desc);
 	sctx->state[0] = SHA256_H0;
 	sctx->state[1] = SHA256_H1;
 	sctx->state[2] = SHA256_H2;
@@ -255,7 +249,7 @@ static int sha256_init(struct shash_desc *desc)
 static int sha256_update(struct shash_desc *desc, const u8 *data,
 			  unsigned int len)
 {
-	struct sha256_ctx *sctx = shash_desc_ctx(desc);
+	struct sha256_state *sctx = shash_desc_ctx(desc);
 	unsigned int partial, done;
 	const u8 *src;
 
@@ -286,7 +280,7 @@ static int sha256_update(struct shash_desc *desc, const u8 *data,
 
 static int sha256_final(struct shash_desc *desc, u8 *out)
 {
-	struct sha256_ctx *sctx = shash_desc_ctx(desc);
+	struct sha256_state *sctx = shash_desc_ctx(desc);
 	__be32 *dst = (__be32 *)out;
 	__be64 bits;
 	unsigned int index, pad_len;
@@ -326,12 +320,31 @@ static int sha224_final(struct shash_desc *desc, u8 *hash)
 	return 0;
 }
 
+static int sha256_export(struct shash_desc *desc, void *out)
+{
+	struct sha256_state *sctx = shash_desc_ctx(desc);
+
+	memcpy(out, sctx, sizeof(*sctx));
+	return 0;
+}
+
+static int sha256_import(struct shash_desc *desc, const void *in)
+{
+	struct sha256_state *sctx = shash_desc_ctx(desc);
+
+	memcpy(sctx, in, sizeof(*sctx));
+	return 0;
+}
+
 static struct shash_alg sha256 = {
 	.digestsize	=	SHA256_DIGEST_SIZE,
 	.init		=	sha256_init,
 	.update		=	sha256_update,
 	.final		=	sha256_final,
-	.descsize	=	sizeof(struct sha256_ctx),
+	.export		=	sha256_export,
+	.import		=	sha256_import,
+	.descsize	=	sizeof(struct sha256_state),
+	.statesize	=	sizeof(struct sha256_state),
 	.base		=	{
 		.cra_name	=	"sha256",
 		.cra_driver_name=	"sha256-generic",
@@ -346,7 +359,7 @@ static struct shash_alg sha224 = {
 	.init		=	sha224_init,
 	.update		=	sha256_update,
 	.final		=	sha224_final,
-	.descsize	=	sizeof(struct sha256_ctx),
+	.descsize	=	sizeof(struct sha256_state),
 	.base		=	{
 		.cra_name	=	"sha224",
 		.cra_driver_name=	"sha224-generic",
diff --git a/include/crypto/sha.h b/include/crypto/sha.h
index 922a248..88ef5eb 100644
--- a/include/crypto/sha.h
+++ b/include/crypto/sha.h
@@ -70,4 +70,10 @@ struct sha1_state {
 	u8 buffer[SHA1_BLOCK_SIZE];
 };
 
+struct sha256_state {
+	u64 count;
+	u32 state[SHA256_DIGEST_SIZE / 4];
+	u8 buf[SHA256_BLOCK_SIZE];
+};
+
 #endif

[PATCH 7/10] crypto: sha1-s390 - Add export/import support

[Herbert Xu]

crypto: sha1-s390 - Add export/import support

This patch adds export/import support to sha1-s390.  The exported
type is defined by struct sha1_state, which is basically the entire
descriptor state of sha1_generic.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 arch/s390/crypto/sha1_s390.c |   26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/arch/s390/crypto/sha1_s390.c b/arch/s390/crypto/sha1_s390.c
index e85ba34..2c5ec79 100644
--- a/arch/s390/crypto/sha1_s390.c
+++ b/arch/s390/crypto/sha1_s390.c
@@ -46,12 +46,38 @@ static int sha1_init(struct shash_desc *desc)
 	return 0;
 }
 
+static int sha1_export(struct shash_desc *desc, void *out)
+{
+	struct s390_sha_ctx *sctx = shash_desc_ctx(desc);
+	struct sha1_state *octx = out;
+
+	octx->count = sctx->count;
+	memcpy(octx->state, sctx->state, sizeof(octx->state));
+	memcpy(octx->buffer, sctx->buf, sizeof(octx->buffer));
+	return 0;
+}
+
+static int sha1_import(struct shash_desc *desc, const u8 *in)
+{
+	struct sha1_state *sctx = shash_desc_ctx(desc);
+	struct sha1_state *ictx = in;
+
+	sctx->count = ictx->count;
+	memcpy(sctx->state, ictx->state, sizeof(ictx->state));
+	memcpy(sctx->buf, ictx->buffer, sizeof(ictx->buffer));
+	sctx->func = KIMD_SHA_1;
+	return 0;
+}
+
 static struct shash_alg alg = {
 	.digestsize	=	SHA1_DIGEST_SIZE,
 	.init		=	sha1_init,
 	.update		=	s390_sha_update,
 	.final		=	s390_sha_final,
+	.export		=	sha1_export,
+	.import		=	sha1_import,
 	.descsize	=	sizeof(struct s390_sha_ctx),
+	.statesize	=	sizeof(struct sha1_state),
 	.base		=	{
 		.cra_name	=	"sha1",
 		.cra_driver_name=	"sha1-s390",

[PATCH 8/10] crypto: sha256-s390 - Add export/import support

[Herbert Xu]

crypto: sha256-s390 - Add export/import support

This patch adds export/import support to sha256-s390.  The exported
type is defined by struct sha256_state, which is basically the entire
descriptor state of sha256_generic.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 arch/s390/crypto/sha256_s390.c |   26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/arch/s390/crypto/sha256_s390.c b/arch/s390/crypto/sha256_s390.c
index f9fefc5..943a669 100644
--- a/arch/s390/crypto/sha256_s390.c
+++ b/arch/s390/crypto/sha256_s390.c
@@ -42,12 +42,38 @@ static int sha256_init(struct shash_desc *desc)
 	return 0;
 }
 
+static int sha256_export(struct shash_desc *desc, void *out)
+{
+	struct s390_sha_ctx *sctx = shash_desc_ctx(desc);
+	struct sha256_state *octx = out;
+
+	octx->count = sctx->count;
+	memcpy(octx->state, sctx->state, sizeof(octx->state));
+	memcpy(octx->buf, sctx->buf, sizeof(octx->buf));
+	return 0;
+}
+
+static int sha256_import(struct shash_desc *desc, const u8 *in)
+{
+	struct sha256_state *sctx = shash_desc_ctx(desc);
+	struct sha256_state *ictx = in;
+
+	sctx->count = ictx->count;
+	memcpy(sctx->state, ictx->state, sizeof(ictx->state));
+	memcpy(sctx->buf, ictx->buf, sizeof(ictx->buf));
+	sctx->func = KIMD_SHA_256;
+	return 0;
+}
+
 static struct shash_alg alg = {
 	.digestsize	=	SHA256_DIGEST_SIZE,
 	.init		=	sha256_init,
 	.update		=	s390_sha_update,
 	.final		=	s390_sha_final,
+	.export		=	sha256_export,
+	.import		=	sha256_import,
 	.descsize	=	sizeof(struct s390_sha_ctx),
+	.statesize	=	sizeof(struct sha256_state),
 	.base		=	{
 		.cra_name	=	"sha256",
 		.cra_driver_name=	"sha256-s390",

[PATCH 9/10] crypto: padlock - Use shash fallback for sha

[Herbert Xu]

crypto: padlock - Use shash fallback for sha

This patch changes padlock sha fallback to shash instead of hash.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 drivers/crypto/padlock-sha.c |   82 +++++++++++++++++++++++++++----------------
 1 file changed, 52 insertions(+), 30 deletions(-)

diff --git a/drivers/crypto/padlock-sha.c b/drivers/crypto/padlock-sha.c
index a2c8e85..868da54 100644
--- a/drivers/crypto/padlock-sha.c
+++ b/drivers/crypto/padlock-sha.c
@@ -12,28 +12,24 @@
  *
  */
 
-#include <crypto/algapi.h>
+#include <crypto/internal/hash.h>
 #include <crypto/sha.h>
 #include <linux/err.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/errno.h>
-#include <linux/cryptohash.h>
 #include <linux/interrupt.h>
 #include <linux/kernel.h>
 #include <linux/scatterlist.h>
 #include <asm/i387.h>
 #include "padlock.h"
 
-#define SHA1_DEFAULT_FALLBACK	"sha1-generic"
-#define SHA256_DEFAULT_FALLBACK "sha256-generic"
-
 struct padlock_sha_ctx {
 	char		*data;
 	size_t		used;
 	int		bypass;
 	void (*f_sha_padlock)(const char *in, char *out, int count);
-	struct hash_desc fallback;
+	struct shash_desc *fallback;
 };
 
 static inline struct padlock_sha_ctx *ctx(struct crypto_tfm *tfm)
@@ -47,21 +43,26 @@ static inline struct padlock_sha_ctx *ctx(struct crypto_tfm *tfm)
 
 static struct crypto_alg sha1_alg, sha256_alg;
 
-static void padlock_sha_bypass(struct crypto_tfm *tfm)
+static int padlock_sha_bypass(struct crypto_tfm *tfm)
 {
+	int err = 0;
+
 	if (ctx(tfm)->bypass)
-		return;
+		goto out;
 
-	crypto_hash_init(&ctx(tfm)->fallback);
-	if (ctx(tfm)->data && ctx(tfm)->used) {
-		struct scatterlist sg;
+	err = crypto_shash_init(ctx(tfm)->fallback);
+	if (err)
+		goto out;
 
-		sg_init_one(&sg, ctx(tfm)->data, ctx(tfm)->used);
-		crypto_hash_update(&ctx(tfm)->fallback, &sg, sg.length);
-	}
+	if (ctx(tfm)->data && ctx(tfm)->used)
+		err = crypto_shash_update(ctx(tfm)->fallback, ctx(tfm)->data,
+					  ctx(tfm)->used);
 
 	ctx(tfm)->used = 0;
 	ctx(tfm)->bypass = 1;
+
+out:
+	return err;
 }
 
 static void padlock_sha_init(struct crypto_tfm *tfm)
@@ -73,15 +74,18 @@ static void padlock_sha_init(struct crypto_tfm *tfm)
 static void padlock_sha_update(struct crypto_tfm *tfm,
 			const uint8_t *data, unsigned int length)
 {
+	int err;
+
 	/* Our buffer is always one page. */
 	if (unlikely(!ctx(tfm)->bypass &&
-		     (ctx(tfm)->used + length > PAGE_SIZE)))
-		padlock_sha_bypass(tfm);
+		     (ctx(tfm)->used + length > PAGE_SIZE))) {
+		err = padlock_sha_bypass(tfm);
+		BUG_ON(err);
+	}
 
 	if (unlikely(ctx(tfm)->bypass)) {
-		struct scatterlist sg;
-		sg_init_one(&sg, (uint8_t *)data, length);
-		crypto_hash_update(&ctx(tfm)->fallback, &sg, length);
+		err = crypto_shash_update(ctx(tfm)->fallback, data, length);
+		BUG_ON(err);
 		return;
 	}
 
@@ -151,8 +155,11 @@ static void padlock_do_sha256(const char *in, char *out, int count)
 
 static void padlock_sha_final(struct crypto_tfm *tfm, uint8_t *out)
 {
+	int err;
+
 	if (unlikely(ctx(tfm)->bypass)) {
-		crypto_hash_final(&ctx(tfm)->fallback, out);
+		err = crypto_shash_final(ctx(tfm)->fallback, out);
+		BUG_ON(err);
 		ctx(tfm)->bypass = 0;
 		return;
 	}
@@ -166,27 +173,41 @@ static void padlock_sha_final(struct crypto_tfm *tfm, uint8_t *out)
 static int padlock_cra_init(struct crypto_tfm *tfm)
 {
 	const char *fallback_driver_name = tfm->__crt_alg->cra_name;
-	struct crypto_hash *fallback_tfm;
+	struct crypto_shash *fallback_tfm;
+	int err = -ENOMEM;
 
 	/* For now we'll allocate one page. This
 	 * could eventually be configurable one day. */
 	ctx(tfm)->data = (char *)__get_free_page(GFP_KERNEL);
 	if (!ctx(tfm)->data)
-		return -ENOMEM;
+		goto out;
 
 	/* Allocate a fallback and abort if it failed. */
-	fallback_tfm = crypto_alloc_hash(fallback_driver_name, 0,
-					 CRYPTO_ALG_ASYNC |
-					 CRYPTO_ALG_NEED_FALLBACK);
+	fallback_tfm = crypto_alloc_shash(fallback_driver_name, 0,
+					  CRYPTO_ALG_NEED_FALLBACK);
 	if (IS_ERR(fallback_tfm)) {
 		printk(KERN_WARNING PFX "Fallback driver '%s' could not be loaded!\n",
 		       fallback_driver_name);
-		free_page((unsigned long)(ctx(tfm)->data));
-		return PTR_ERR(fallback_tfm);
+		err = PTR_ERR(fallback_tfm);
+		goto out_free_page;
 	}
 
-	ctx(tfm)->fallback.tfm = fallback_tfm;
+	ctx(tfm)->fallback = kmalloc(sizeof(struct shash_desc) +
+				     crypto_shash_descsize(fallback_tfm),
+				     GFP_KERNEL);
+	if (!ctx(tfm)->fallback)
+		goto out_free_tfm;
+
+	ctx(tfm)->fallback->tfm = fallback_tfm;
+	ctx(tfm)->fallback->flags = 0;
 	return 0;
+
+out_free_tfm:
+	crypto_free_shash(fallback_tfm);
+out_free_page:
+	free_page((unsigned long)(ctx(tfm)->data));
+out:
+	return err;
 }
 
 static int padlock_sha1_cra_init(struct crypto_tfm *tfm)
@@ -210,8 +231,9 @@ static void padlock_cra_exit(struct crypto_tfm *tfm)
 		ctx(tfm)->data = NULL;
 	}
 
-	crypto_free_hash(ctx(tfm)->fallback.tfm);
-	ctx(tfm)->fallback.tfm = NULL;
+	crypto_free_shash(ctx(tfm)->fallback->tfm);
+
+	kzfree(ctx(tfm)->fallback);
 }
 
 static struct crypto_alg sha1_alg = {

[PATCH 10/10] crypto: padlock - Switch sha to shash

[Herbert Xu]

crypto: padlock - Switch sha to shash

This patch converts the padlock-sha implementation to shash.
In doing so the existing mechanism of storing the data until
final is no longer viable as we do not have a way of allocating
data in crypto_shash_init and then reliably freeing it.

This is just as well because a better way of handling the problem
is to hash everything but the last chunk using normal sha code
and then provide the intermediate result to the padlock device.

This is good enough because the primary application of padlock-sha
is IPsec and there the data is laid out in the form of an hmac
header followed by the rest of the packet.  In essence we can
provide all the data to the padlock as the hmac header only needs
to be hashed once.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---

 crypto/shash.c                 |    3 
 drivers/crypto/Kconfig         |    2 
 drivers/crypto/padlock-sha.c   |  333 +++++++++++++++++++----------------------
 include/crypto/hash.h          |    3 
 include/crypto/internal/hash.h |    2 
 5 files changed, 162 insertions(+), 181 deletions(-)

diff --git a/crypto/shash.c b/crypto/shash.c
index f7fcc65..cf388d5 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -431,6 +431,9 @@ static unsigned int crypto_shash_ctxsize(struct crypto_alg *alg, u32 type,
 static int crypto_shash_init_tfm(struct crypto_tfm *tfm,
 				 const struct crypto_type *frontend)
 {
+	struct crypto_shash *hash = __crypto_shash_cast(tfm);
+
+	hash->descsize = crypto_shash_alg(hash)->descsize;
 	return 0;
 }
 
diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
index 5b27692..1bb4b7f 100644
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -13,7 +13,6 @@ if CRYPTO_HW
 config CRYPTO_DEV_PADLOCK
 	tristate "Support for VIA PadLock ACE"
 	depends on X86 && !UML
-	select CRYPTO_ALGAPI
 	help
 	  Some VIA processors come with an integrated crypto engine
 	  (so called VIA PadLock ACE, Advanced Cryptography Engine)
@@ -39,6 +38,7 @@ config CRYPTO_DEV_PADLOCK_AES
 config CRYPTO_DEV_PADLOCK_SHA
 	tristate "PadLock driver for SHA1 and SHA256 algorithms"
 	depends on CRYPTO_DEV_PADLOCK
+	select CRYPTO_HASH
 	select CRYPTO_SHA1
 	select CRYPTO_SHA256
 	help
diff --git a/drivers/crypto/padlock-sha.c b/drivers/crypto/padlock-sha.c
index 868da54..fb6e6c3 100644
--- a/drivers/crypto/padlock-sha.c
+++ b/drivers/crypto/padlock-sha.c
@@ -24,73 +24,31 @@
 #include <asm/i387.h>
 #include "padlock.h"
 
-struct padlock_sha_ctx {
-	char		*data;
-	size_t		used;
-	int		bypass;
-	void (*f_sha_padlock)(const char *in, char *out, int count);
-	struct shash_desc *fallback;
+struct padlock_sha_desc {
+	struct shash_desc fallback;
 };
 
-static inline struct padlock_sha_ctx *ctx(struct crypto_tfm *tfm)
-{
-	return crypto_tfm_ctx(tfm);
-}
-
-/* We'll need aligned address on the stack */
-#define NEAREST_ALIGNED(ptr) \
-	((void *)ALIGN((size_t)(ptr), PADLOCK_ALIGNMENT))
-
-static struct crypto_alg sha1_alg, sha256_alg;
+struct padlock_sha_ctx {
+	struct crypto_shash *fallback;
+};
 
-static int padlock_sha_bypass(struct crypto_tfm *tfm)
+static int padlock_sha_init(struct shash_desc *desc)
 {
-	int err = 0;
-
-	if (ctx(tfm)->bypass)
-		goto out;
+	struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
+	struct padlock_sha_ctx *ctx = crypto_shash_ctx(desc->tfm);
 
-	err = crypto_shash_init(ctx(tfm)->fallback);
-	if (err)
-		goto out;
-
-	if (ctx(tfm)->data && ctx(tfm)->used)
-		err = crypto_shash_update(ctx(tfm)->fallback, ctx(tfm)->data,
-					  ctx(tfm)->used);
-
-	ctx(tfm)->used = 0;
-	ctx(tfm)->bypass = 1;
-
-out:
-	return err;
+	dctx->fallback.tfm = ctx->fallback;
+	dctx->fallback.flags = desc->flags & CRYPTO_TFM_REQ_MAY_SLEEP;
+	return crypto_shash_init(&dctx->fallback);
 }
 
-static void padlock_sha_init(struct crypto_tfm *tfm)
+static int padlock_sha_update(struct shash_desc *desc,
+			      const u8 *data, unsigned int length)
 {
-	ctx(tfm)->used = 0;
-	ctx(tfm)->bypass = 0;
-}
+	struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
 
-static void padlock_sha_update(struct crypto_tfm *tfm,
-			const uint8_t *data, unsigned int length)
-{
-	int err;
-
-	/* Our buffer is always one page. */
-	if (unlikely(!ctx(tfm)->bypass &&
-		     (ctx(tfm)->used + length > PAGE_SIZE))) {
-		err = padlock_sha_bypass(tfm);
-		BUG_ON(err);
-	}
-
-	if (unlikely(ctx(tfm)->bypass)) {
-		err = crypto_shash_update(ctx(tfm)->fallback, data, length);
-		BUG_ON(err);
-		return;
-	}
-
-	memcpy(ctx(tfm)->data + ctx(tfm)->used, data, length);
-	ctx(tfm)->used += length;
+	dctx->fallback.flags = desc->flags & CRYPTO_TFM_REQ_MAY_SLEEP;
+	return crypto_shash_update(&dctx->fallback, data, length);
 }
 
 static inline void padlock_output_block(uint32_t *src,
@@ -100,88 +58,138 @@ static inline void padlock_output_block(uint32_t *src,
 		*dst++ = swab32(*src++);
 }
 
-static void padlock_do_sha1(const char *in, char *out, int count)
+static int padlock_sha1_finup(struct shash_desc *desc, const u8 *in,
+			      unsigned int count, u8 *out)
 {
 	/* We can't store directly to *out as it may be unaligned. */
 	/* BTW Don't reduce the buffer size below 128 Bytes!
 	 *     PadLock microcode needs it that big. */
-	char buf[128+16];
-	char *result = NEAREST_ALIGNED(buf);
+	char result[128] __attribute__ ((aligned(PADLOCK_ALIGNMENT)));
+	struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
+	struct sha1_state state;
+	unsigned int space;
+	unsigned int leftover;
 	int ts_state;
+	int err;
+
+	dctx->fallback.flags = desc->flags & CRYPTO_TFM_REQ_MAY_SLEEP;
+	err = crypto_shash_export(&dctx->fallback, &state);
+	if (err)
+		goto out;
+
+	if (state.count + count > ULONG_MAX)
+		return crypto_shash_finup(&dctx->fallback, in, count, out);
+
+	leftover = ((state.count - 1) & (SHA1_BLOCK_SIZE - 1)) + 1;
+	space =  SHA1_BLOCK_SIZE - leftover;
+	if (space) {
+		if (count > space) {
+			err = crypto_shash_update(&dctx->fallback, in, space) ?:
+			      crypto_shash_export(&dctx->fallback, &state);
+			if (err)
+				goto out;
+			count -= space;
+			in += space;
+		} else {
+			memcpy(state.buffer + leftover, in, count);
+			in = state.buffer;
+			count += leftover;
+		}
+	}
+
+	memcpy(result, &state.state, SHA1_DIGEST_SIZE);
 
-	((uint32_t *)result)[0] = SHA1_H0;
-	((uint32_t *)result)[1] = SHA1_H1;
-	((uint32_t *)result)[2] = SHA1_H2;
-	((uint32_t *)result)[3] = SHA1_H3;
-	((uint32_t *)result)[4] = SHA1_H4;
- 
 	/* prevent taking the spurious DNA fault with padlock. */
 	ts_state = irq_ts_save();
 	asm volatile (".byte 0xf3,0x0f,0xa6,0xc8" /* rep xsha1 */
-		      : "+S"(in), "+D"(result)
-		      : "c"(count), "a"(0));
+		      : \
+		      : "c"(state.count + count), "a"(state.count), \
+			"S"(in), "D"(result));
 	irq_ts_restore(ts_state);
 
 	padlock_output_block((uint32_t *)result, (uint32_t *)out, 5);
+
+out:
+	return err;
 }
 
-static void padlock_do_sha256(const char *in, char *out, int count)
+static int padlock_sha1_final(struct shash_desc *desc, u8 *out)
+{
+	u8 buf[4];
+
+	return padlock_sha1_finup(desc, buf, 0, out);
+}
+
+static int padlock_sha256_finup(struct shash_desc *desc, const u8 *in,
+				unsigned int count, u8 *out)
 {
 	/* We can't store directly to *out as it may be unaligned. */
 	/* BTW Don't reduce the buffer size below 128 Bytes!
 	 *     PadLock microcode needs it that big. */
-	char buf[128+16];
-	char *result = NEAREST_ALIGNED(buf);
+	char result[128] __attribute__ ((aligned(PADLOCK_ALIGNMENT)));
+	struct padlock_sha_desc *dctx = shash_desc_ctx(desc);
+	struct sha256_state state;
+	unsigned int space;
+	unsigned int leftover;
 	int ts_state;
+	int err;
 
-	((uint32_t *)result)[0] = SHA256_H0;
-	((uint32_t *)result)[1] = SHA256_H1;
-	((uint32_t *)result)[2] = SHA256_H2;
-	((uint32_t *)result)[3] = SHA256_H3;
-	((uint32_t *)result)[4] = SHA256_H4;
-	((uint32_t *)result)[5] = SHA256_H5;
-	((uint32_t *)result)[6] = SHA256_H6;
-	((uint32_t *)result)[7] = SHA256_H7;
+	dctx->fallback.flags = desc->flags & CRYPTO_TFM_REQ_MAY_SLEEP;
+	err = crypto_shash_export(&dctx->fallback, &state);
+	if (err)
+		goto out;
+
+	if (state.count + count > ULONG_MAX)
+		return crypto_shash_finup(&dctx->fallback, in, count, out);
+
+	leftover = ((state.count - 1) & (SHA256_BLOCK_SIZE - 1)) + 1;
+	space =  SHA256_BLOCK_SIZE - leftover;
+	if (space) {
+		if (count > space) {
+			err = crypto_shash_update(&dctx->fallback, in, space) ?:
+			      crypto_shash_export(&dctx->fallback, &state);
+			if (err)
+				goto out;
+			count -= space;
+			in += space;
+		} else {
+			memcpy(state.buf + leftover, in, count);
+			in = state.buf;
+			count += leftover;
+		}
+	}
+
+	memcpy(result, &state.state, SHA256_DIGEST_SIZE);
 
 	/* prevent taking the spurious DNA fault with padlock. */
 	ts_state = irq_ts_save();
 	asm volatile (".byte 0xf3,0x0f,0xa6,0xd0" /* rep xsha256 */
-		      : "+S"(in), "+D"(result)
-		      : "c"(count), "a"(0));
+		      : \
+		      : "c"(state.count + count), "a"(state.count), \
+			"S"(in), "D"(result));
 	irq_ts_restore(ts_state);
 
 	padlock_output_block((uint32_t *)result, (uint32_t *)out, 8);
+
+out:
+	return err;
 }
 
-static void padlock_sha_final(struct crypto_tfm *tfm, uint8_t *out)
+static int padlock_sha256_final(struct shash_desc *desc, u8 *out)
 {
-	int err;
-
-	if (unlikely(ctx(tfm)->bypass)) {
-		err = crypto_shash_final(ctx(tfm)->fallback, out);
-		BUG_ON(err);
-		ctx(tfm)->bypass = 0;
-		return;
-	}
+	u8 buf[4];
 
-	/* Pass the input buffer to PadLock microcode... */
-	ctx(tfm)->f_sha_padlock(ctx(tfm)->data, out, ctx(tfm)->used);
-
-	ctx(tfm)->used = 0;
+	return padlock_sha256_finup(desc, buf, 0, out);
 }
 
 static int padlock_cra_init(struct crypto_tfm *tfm)
 {
+	struct crypto_shash *hash = __crypto_shash_cast(tfm);
 	const char *fallback_driver_name = tfm->__crt_alg->cra_name;
+	struct padlock_sha_ctx *ctx = crypto_tfm_ctx(tfm);
 	struct crypto_shash *fallback_tfm;
 	int err = -ENOMEM;
 
-	/* For now we'll allocate one page. This
-	 * could eventually be configurable one day. */
-	ctx(tfm)->data = (char *)__get_free_page(GFP_KERNEL);
-	if (!ctx(tfm)->data)
-		goto out;
-
 	/* Allocate a fallback and abort if it failed. */
 	fallback_tfm = crypto_alloc_shash(fallback_driver_name, 0,
 					  CRYPTO_ALG_NEED_FALLBACK);
@@ -189,94 +197,63 @@ static int padlock_cra_init(struct crypto_tfm *tfm)
 		printk(KERN_WARNING PFX "Fallback driver '%s' could not be loaded!\n",
 		       fallback_driver_name);
 		err = PTR_ERR(fallback_tfm);
-		goto out_free_page;
+		goto out;
 	}
 
-	ctx(tfm)->fallback = kmalloc(sizeof(struct shash_desc) +
-				     crypto_shash_descsize(fallback_tfm),
-				     GFP_KERNEL);
-	if (!ctx(tfm)->fallback)
-		goto out_free_tfm;
-
-	ctx(tfm)->fallback->tfm = fallback_tfm;
-	ctx(tfm)->fallback->flags = 0;
+	ctx->fallback = fallback_tfm;
+	hash->descsize += crypto_shash_descsize(fallback_tfm);
 	return 0;
 
-out_free_tfm:
-	crypto_free_shash(fallback_tfm);
-out_free_page:
-	free_page((unsigned long)(ctx(tfm)->data));
 out:
 	return err;
 }
 
-static int padlock_sha1_cra_init(struct crypto_tfm *tfm)
-{
-	ctx(tfm)->f_sha_padlock = padlock_do_sha1;
-
-	return padlock_cra_init(tfm);
-}
-
-static int padlock_sha256_cra_init(struct crypto_tfm *tfm)
-{
-	ctx(tfm)->f_sha_padlock = padlock_do_sha256;
-
-	return padlock_cra_init(tfm);
-}
-
 static void padlock_cra_exit(struct crypto_tfm *tfm)
 {
-	if (ctx(tfm)->data) {
-		free_page((unsigned long)(ctx(tfm)->data));
-		ctx(tfm)->data = NULL;
-	}
-
-	crypto_free_shash(ctx(tfm)->fallback->tfm);
+	struct padlock_sha_ctx *ctx = crypto_tfm_ctx(tfm);
 
-	kzfree(ctx(tfm)->fallback);
+	crypto_free_shash(ctx->fallback);
 }
 
-static struct crypto_alg sha1_alg = {
-	.cra_name		=	"sha1",
-	.cra_driver_name	=	"sha1-padlock",
-	.cra_priority		=	PADLOCK_CRA_PRIORITY,
-	.cra_flags		=	CRYPTO_ALG_TYPE_DIGEST |
-					CRYPTO_ALG_NEED_FALLBACK,
-	.cra_blocksize		=	SHA1_BLOCK_SIZE,
-	.cra_ctxsize		=	sizeof(struct padlock_sha_ctx),
-	.cra_module		=	THIS_MODULE,
-	.cra_list		=	LIST_HEAD_INIT(sha1_alg.cra_list),
-	.cra_init		=	padlock_sha1_cra_init,
-	.cra_exit		=	padlock_cra_exit,
-	.cra_u			=	{
-		.digest = {
-			.dia_digestsize	=	SHA1_DIGEST_SIZE,
-			.dia_init   	= 	padlock_sha_init,
-			.dia_update 	=	padlock_sha_update,
-			.dia_final  	=	padlock_sha_final,
-		}
+static struct shash_alg sha1_alg = {
+	.digestsize	=	SHA1_DIGEST_SIZE,
+	.init   	= 	padlock_sha_init,
+	.update 	=	padlock_sha_update,
+	.finup  	=	padlock_sha1_finup,
+	.final  	=	padlock_sha1_final,
+	.descsize	=	sizeof(struct padlock_sha_desc),
+	.base		=	{
+		.cra_name		=	"sha1",
+		.cra_driver_name	=	"sha1-padlock",
+		.cra_priority		=	PADLOCK_CRA_PRIORITY,
+		.cra_flags		=	CRYPTO_ALG_TYPE_SHASH |
+						CRYPTO_ALG_NEED_FALLBACK,
+		.cra_blocksize		=	SHA1_BLOCK_SIZE,
+		.cra_ctxsize		=	sizeof(struct padlock_sha_ctx),
+		.cra_module		=	THIS_MODULE,
+		.cra_init		=	padlock_cra_init,
+		.cra_exit		=	padlock_cra_exit,
 	}
 };
 
-static struct crypto_alg sha256_alg = {
-	.cra_name		=	"sha256",
-	.cra_driver_name	=	"sha256-padlock",
-	.cra_priority		=	PADLOCK_CRA_PRIORITY,
-	.cra_flags		=	CRYPTO_ALG_TYPE_DIGEST |
-					CRYPTO_ALG_NEED_FALLBACK,
-	.cra_blocksize		=	SHA256_BLOCK_SIZE,
-	.cra_ctxsize		=	sizeof(struct padlock_sha_ctx),
-	.cra_module		=	THIS_MODULE,
-	.cra_list		=	LIST_HEAD_INIT(sha256_alg.cra_list),
-	.cra_init		=	padlock_sha256_cra_init,
-	.cra_exit		=	padlock_cra_exit,
-	.cra_u			=	{
-		.digest = {
-			.dia_digestsize	=	SHA256_DIGEST_SIZE,
-			.dia_init   	= 	padlock_sha_init,
-			.dia_update 	=	padlock_sha_update,
-			.dia_final  	=	padlock_sha_final,
-		}
+static struct shash_alg sha256_alg = {
+	.digestsize	=	SHA256_DIGEST_SIZE,
+	.init   	= 	padlock_sha_init,
+	.update 	=	padlock_sha_update,
+	.finup  	=	padlock_sha256_finup,
+	.final  	=	padlock_sha256_final,
+	.descsize	=	sizeof(struct padlock_sha_desc),
+	.base		=	{
+		.cra_name		=	"sha256",
+		.cra_driver_name	=	"sha256-padlock",
+		.cra_priority		=	PADLOCK_CRA_PRIORITY,
+		.cra_flags		=	CRYPTO_ALG_TYPE_SHASH |
+						CRYPTO_ALG_NEED_FALLBACK,
+		.cra_blocksize		=	SHA256_BLOCK_SIZE,
+		.cra_ctxsize		=	sizeof(struct padlock_sha_ctx),
+		.cra_module		=	THIS_MODULE,
+		.cra_init		=	padlock_cra_init,
+		.cra_exit		=	padlock_cra_exit,
 	}
 };
 
@@ -294,11 +271,11 @@ static int __init padlock_init(void)
 		return -ENODEV;
 	}
 
-	rc = crypto_register_alg(&sha1_alg);
+	rc = crypto_register_shash(&sha1_alg);
 	if (rc)
 		goto out;
 
-	rc = crypto_register_alg(&sha256_alg);
+	rc = crypto_register_shash(&sha256_alg);
 	if (rc)
 		goto out_unreg1;
 
@@ -307,7 +284,7 @@ static int __init padlock_init(void)
 	return 0;
 
 out_unreg1:
-	crypto_unregister_alg(&sha1_alg);
+	crypto_unregister_shash(&sha1_alg);
 out:
 	printk(KERN_ERR PFX "VIA PadLock SHA1/SHA256 initialization failed.\n");
 	return rc;
@@ -315,8 +292,8 @@ out:
 
 static void __exit padlock_fini(void)
 {
-	crypto_unregister_alg(&sha1_alg);
-	crypto_unregister_alg(&sha256_alg);
+	crypto_unregister_shash(&sha1_alg);
+	crypto_unregister_shash(&sha256_alg);
 }
 
 module_init(padlock_init);
diff --git a/include/crypto/hash.h b/include/crypto/hash.h
index 3c4cce6..ad941f1 100644
--- a/include/crypto/hash.h
+++ b/include/crypto/hash.h
@@ -48,6 +48,7 @@ struct crypto_ahash {
 };
 
 struct crypto_shash {
+	unsigned int descsize;
 	struct crypto_tfm base;
 };
 
@@ -275,7 +276,7 @@ static inline void crypto_shash_clear_flags(struct crypto_shash *tfm, u32 flags)
 
 static inline unsigned int crypto_shash_descsize(struct crypto_shash *tfm)
 {
-	return crypto_shash_alg(tfm)->descsize;
+	return tfm->descsize;
 }
 
 static inline void *shash_desc_ctx(struct shash_desc *desc)
diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
index 069b93e..2d1b10f 100644
--- a/include/crypto/internal/hash.h
+++ b/include/crypto/internal/hash.h
@@ -135,7 +135,7 @@ static inline void *crypto_shash_ctx_aligned(struct crypto_shash *tfm)
 
 static inline struct crypto_shash *__crypto_shash_cast(struct crypto_tfm *tfm)
 {
-	return (struct crypto_shash *)tfm;
+	return container_of(tfm, struct crypto_shash, base);
 }
 
 #endif	/* _CRYPTO_INTERNAL_HASH_H */

Re: [1/9] Convert padlock sha to shash

[Herbert Xu]

On Sat, Jul 11, 2009 at 06:19:58PM +0800, Herbert Xu wrote:
> Hi:
> 
> This series of patches converts the padlock-sha implementation to
> shash.  This is also the last legacy hash algorithm to be converted,
> apart from hmac which I had to revert as it would break padlock-sha
> unless the latter is converted.
> 
> As I don't have the hardware supporting padlock-sha, could someone
> with access to it please test this for me? In particular, I'd like
> to see this tested with an actual IPsec connection.

BTW, I got the numbering wrong so it started from 2 instead of
1.  For the record there is no 1/10.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [1/9] Convert padlock sha to shash

[Sebastian Andrzej Siewior]

* Herbert Xu | 2009-07-11 18:19:58 [+0800]:

>As I don't have the hardware supporting padlock-sha, could someone
>with access to it please test this for me? In particular, I'd like
>to see this tested with an actual IPsec connection.

I have here a via nano so I should be able to test it.
Do you have a particular test case in mind or should I just grab
ipsec-tools, setup a tunnel and send a few packets?

>Thanks,

Sebastian

Re: [1/9] Convert padlock sha to shash

[Herbert Xu]

On Tue, Jul 14, 2009 at 10:26:15PM +0200, Sebastian Andrzej Siewior wrote:
> 
> I have here a via nano so I should be able to test it.
> Do you have a particular test case in mind or should I just grab
> ipsec-tools, setup a tunnel and send a few packets?

Yes, that should be enough.  You don't even ipsec-tools, just
a manual SA setup with ip xfrm should be good enough.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [1/9] Convert padlock sha to shash

[Sebastian Andrzej Siewior]

* Herbert Xu | 2009-07-15 08:48:47 [+0800]:

>Yes, that should be enough.  You don't even ipsec-tools, just
>a manual SA setup with ip xfrm should be good enough.

I did not get that far:

|alg: hash: Chunking test 1 failed for sha1-padlock
|00000000: e9 95 22 0c 1b d1 0f 5f f1 fa ee 74 7d 27 cd b2
|00000010: 99 f2 ad 73
|alg: hash: Chunking test 1 failed for sha256-padlock
|00000000: 9e 49 25 fa b3 a8 45 de 53 e9 9f d0 e8 7d 2c 33
|00000010: 09 51 6b 33 15 cb e0 4e 22 c0 04 1b 1e 25 ad c9
|padlock: Using VIA PadLock ACE for SHA1/SHA256 algorithms.

Do you think that it is something obvious or should I dig into it?

>Cheers,

Sebastian

Re: [1/9] Convert padlock sha to shash

[Herbert Xu]

On Thu, Jul 16, 2009 at 12:06:06AM +0200, Sebastian Andrzej Siewior wrote:
> * Herbert Xu | 2009-07-15 08:48:47 [+0800]:
> 
> >Yes, that should be enough.  You don't even ipsec-tools, just
> >a manual SA setup with ip xfrm should be good enough.
> 
> I did not get that far:
> 
> |alg: hash: Chunking test 1 failed for sha1-padlock
> |00000000: e9 95 22 0c 1b d1 0f 5f f1 fa ee 74 7d 27 cd b2
> |00000010: 99 f2 ad 73
> |alg: hash: Chunking test 1 failed for sha256-padlock
> |00000000: 9e 49 25 fa b3 a8 45 de 53 e9 9f d0 e8 7d 2c 33
> |00000010: 09 51 6b 33 15 cb e0 4e 22 c0 04 1b 1e 25 ad c9
> |padlock: Using VIA PadLock ACE for SHA1/SHA256 algorithms.
> 
> Do you think that it is something obvious or should I dig into it?

Can you please pull my tree again? There were quite a few bugs
that I fixed last night.

Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [1/9] Convert padlock sha to shash

[Herbert Xu]

On Thu, Jul 16, 2009 at 10:16:01AM +0800, Herbert Xu wrote:
>
> Can you please pull my tree again? There were quite a few bugs
> that I fixed last night.

Oh and please make sure you have this patch applied too:

commit e9b25f16cda88b33fe15b30c009912e6c471edda
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Thu Jul 16 10:33:27 2009 +0800

    crypto: padlock - Fix hashing of partial blocks
    
    When we encounter partial blocks in finup, we'll invoke the xsha
    instruction with a bogus count that is not a multiple of the block
    size.  This patch fixes it.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/drivers/crypto/padlock-sha.c b/drivers/crypto/padlock-sha.c
index a936ba4..76cb6b3 100644
--- a/drivers/crypto/padlock-sha.c
+++ b/drivers/crypto/padlock-sha.c
@@ -94,6 +94,7 @@ static int padlock_sha1_finup(struct shash_desc *desc, const u8 *in,
 			memcpy(state.buffer + leftover, in, count);
 			in = state.buffer;
 			count += leftover;
+			state.count &= ~(SHA1_BLOCK_SIZE - 1);
 		}
 	}
 
@@ -157,6 +158,7 @@ static int padlock_sha256_finup(struct shash_desc *desc, const u8 *in,
 			memcpy(state.buf + leftover, in, count);
 			in = state.buf;
 			count += leftover;
+			state.count &= ~(SHA1_BLOCK_SIZE - 1);
 		}
 	}
 
Thanks,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [1/9] Convert padlock sha to shash

[Sebastian Andrzej Siewior]

* Herbert Xu | 2009-07-16 10:34:13 [+0800]:

>On Thu, Jul 16, 2009 at 10:16:01AM +0800, Herbert Xu wrote:
>>
>> Can you please pull my tree again? There were quite a few bugs
>> that I fixed last night.
>
>Oh and please make sure you have this patch applied too:

It passes the testmgr with that patch on top. I try that ip xfrm thing
later today.

Sebastian

Re: [1/9] Convert padlock sha to shash

[Sebastian Andrzej Siewior]

* Sebastian Andrzej Siewior | 2009-07-16 09:36:30 [+0200]:

>* Herbert Xu | 2009-07-16 10:34:13 [+0800]:
>
>>On Thu, Jul 16, 2009 at 10:16:01AM +0800, Herbert Xu wrote:
>>>
>>> Can you please pull my tree again? There were quite a few bugs
>>> that I fixed last night.
>>
>>Oh and please make sure you have this patch applied too:
>
>It passes the testmgr with that patch on top. I try that ip xfrm thing
>later today.

Okay, Herbert it is working. I've setup a tunnel between two boxes and
was able to ping and copy stuff from /dev/zero on one box to /dev/null
on the other. 

Sebastian

Re: [1/9] Convert padlock sha to shash

[Herbert Xu]

On Fri, Jul 17, 2009 at 12:23:45AM +0200, Sebastian Andrzej Siewior wrote:
>
> Okay, Herbert it is working. I've setup a tunnel between two boxes and
> was able to ping and copy stuff from /dev/zero on one box to /dev/null
> on the other. 

Awesome, thanks a lot for verifying this Sebastian!
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt