linux-crypto.vger.kernel.org archive mirror
* [PATCH 0/6] crypto: sha256 - Merge 2 separate C implementations into 1, put into separate library
@ 2019-08-16 21:16 Hans de Goede
  2019-08-16 21:16 ` [PATCH 1/6] crypto: sha256 - Fix some coding style issues Hans de Goede
                   ` (5 more replies)
  0 siblings, 6 replies; 15+ messages in thread
From: Hans de Goede @ 2019-08-16 21:16 UTC (permalink / raw)
  To: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger
  Cc: Hans de Goede, Ard Biesheuvel, linux-crypto, x86, linux-s390,
	linux-kernel

Hi All,

Here is a patch series refactoring the current 2 separate SHA256
C implementations into 1 and putting it into a separate library.

There are 2 reasons for this:

1) Remove the code duplication of having 2 separate implementations

2) Offer a separate library SHA256 implementation which can be used
without having to call crypto_alloc_shash first. This is especially
useful for use during early boot when crypto_alloc_shash does not
work yet.

This has been tested on x86, including checking that kexec still works.

This has NOT been tested on s390; if someone with access to s390 can
test that things still build with this series applied and that
kexec still works, that would be great.

Regards,

Hans


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [PATCH 1/6] crypto: sha256 - Fix some coding style issues
From: Hans de Goede @ 2019-08-16 21:16 UTC (permalink / raw)
  To: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger
  Cc: Hans de Goede, Ard Biesheuvel, linux-crypto, x86, linux-s390,
	linux-kernel

For some reason after the first 15 steps the last statement of each
step ends with "t1+t2", missing spaces around the "+". This commit
fixes this. This was done with a 's/= t1+t2/= t1 + t2/' to make sure
no functional changes are introduced.

Note the main goal of this is to make lib/sha256.c's sha256_transform
and its helpers identical in formatting to the duplicate implementation
in crypto/sha256_generic.c so that "diff -u" can be used to compare them
to prove that no functional changes are made when further patches in
this series consolidate the 2 implementations into 1.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 lib/sha256.c | 98 ++++++++++++++++++++++++++--------------------------
 1 file changed, 49 insertions(+), 49 deletions(-)

diff --git a/lib/sha256.c b/lib/sha256.c
index d9af148d4349..ba4dce0b3711 100644
--- a/lib/sha256.c
+++ b/lib/sha256.c
@@ -92,109 +92,109 @@ static void sha256_transform(u32 *state, const u8 *input)
 	t1 = b + e1(g) + Ch(g, h, a) + 0x9bdc06a7 + W[14];
 	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
 	t1 = a + e1(f) + Ch(f, g, h) + 0xc19bf174 + W[15];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
 	t1 = h + e1(e) + Ch(e, f, g) + 0xe49b69c1 + W[16];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
 	t1 = g + e1(d) + Ch(d, e, f) + 0xefbe4786 + W[17];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
 	t1 = f + e1(c) + Ch(c, d, e) + 0x0fc19dc6 + W[18];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
 	t1 = e + e1(b) + Ch(b, c, d) + 0x240ca1cc + W[19];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
 	t1 = d + e1(a) + Ch(a, b, c) + 0x2de92c6f + W[20];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
 	t1 = c + e1(h) + Ch(h, a, b) + 0x4a7484aa + W[21];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
 	t1 = b + e1(g) + Ch(g, h, a) + 0x5cb0a9dc + W[22];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
 	t1 = a + e1(f) + Ch(f, g, h) + 0x76f988da + W[23];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
 	t1 = h + e1(e) + Ch(e, f, g) + 0x983e5152 + W[24];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
 	t1 = g + e1(d) + Ch(d, e, f) + 0xa831c66d + W[25];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
 	t1 = f + e1(c) + Ch(c, d, e) + 0xb00327c8 + W[26];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
 	t1 = e + e1(b) + Ch(b, c, d) + 0xbf597fc7 + W[27];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
 	t1 = d + e1(a) + Ch(a, b, c) + 0xc6e00bf3 + W[28];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
 	t1 = c + e1(h) + Ch(h, a, b) + 0xd5a79147 + W[29];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
 	t1 = b + e1(g) + Ch(g, h, a) + 0x06ca6351 + W[30];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
 	t1 = a + e1(f) + Ch(f, g, h) + 0x14292967 + W[31];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
 	t1 = h + e1(e) + Ch(e, f, g) + 0x27b70a85 + W[32];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
 	t1 = g + e1(d) + Ch(d, e, f) + 0x2e1b2138 + W[33];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
 	t1 = f + e1(c) + Ch(c, d, e) + 0x4d2c6dfc + W[34];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
 	t1 = e + e1(b) + Ch(b, c, d) + 0x53380d13 + W[35];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
 	t1 = d + e1(a) + Ch(a, b, c) + 0x650a7354 + W[36];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
 	t1 = c + e1(h) + Ch(h, a, b) + 0x766a0abb + W[37];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
 	t1 = b + e1(g) + Ch(g, h, a) + 0x81c2c92e + W[38];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
 	t1 = a + e1(f) + Ch(f, g, h) + 0x92722c85 + W[39];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
 	t1 = h + e1(e) + Ch(e, f, g) + 0xa2bfe8a1 + W[40];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
 	t1 = g + e1(d) + Ch(d, e, f) + 0xa81a664b + W[41];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
 	t1 = f + e1(c) + Ch(c, d, e) + 0xc24b8b70 + W[42];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
 	t1 = e + e1(b) + Ch(b, c, d) + 0xc76c51a3 + W[43];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
 	t1 = d + e1(a) + Ch(a, b, c) + 0xd192e819 + W[44];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
 	t1 = c + e1(h) + Ch(h, a, b) + 0xd6990624 + W[45];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
 	t1 = b + e1(g) + Ch(g, h, a) + 0xf40e3585 + W[46];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
 	t1 = a + e1(f) + Ch(f, g, h) + 0x106aa070 + W[47];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
 	t1 = h + e1(e) + Ch(e, f, g) + 0x19a4c116 + W[48];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
 	t1 = g + e1(d) + Ch(d, e, f) + 0x1e376c08 + W[49];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
 	t1 = f + e1(c) + Ch(c, d, e) + 0x2748774c + W[50];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
 	t1 = e + e1(b) + Ch(b, c, d) + 0x34b0bcb5 + W[51];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
 	t1 = d + e1(a) + Ch(a, b, c) + 0x391c0cb3 + W[52];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
 	t1 = c + e1(h) + Ch(h, a, b) + 0x4ed8aa4a + W[53];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
 	t1 = b + e1(g) + Ch(g, h, a) + 0x5b9cca4f + W[54];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
 	t1 = a + e1(f) + Ch(f, g, h) + 0x682e6ff3 + W[55];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
 	t1 = h + e1(e) + Ch(e, f, g) + 0x748f82ee + W[56];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1+t2;
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
 	t1 = g + e1(d) + Ch(d, e, f) + 0x78a5636f + W[57];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1+t2;
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
 	t1 = f + e1(c) + Ch(c, d, e) + 0x84c87814 + W[58];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1+t2;
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
 	t1 = e + e1(b) + Ch(b, c, d) + 0x8cc70208 + W[59];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1+t2;
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
 	t1 = d + e1(a) + Ch(a, b, c) + 0x90befffa + W[60];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1+t2;
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
 	t1 = c + e1(h) + Ch(h, a, b) + 0xa4506ceb + W[61];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1+t2;
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
 	t1 = b + e1(g) + Ch(g, h, a) + 0xbef9a3f7 + W[62];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1+t2;
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
 	t1 = a + e1(f) + Ch(f, g, h) + 0xc67178f2 + W[63];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1+t2;
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
 	state[0] += a; state[1] += b; state[2] += c; state[3] += d;
 	state[4] += e; state[5] += f; state[6] += g; state[7] += h;
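Review bot: this hunk is whitespace-only, so `git show -w` (or `git diff -w` against the parent) should come back empty for it; mentioning that check in the commit message next to the sed expression would let reviewers confirm the "no functional changes" claim without reading all 49 line pairs. The unchanged context at the top of the hunk already uses `t1 + t2`, consistent with the message's note that only the steps after the first 15 were affected.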
-- 
2.22.0



* [PATCH 2/6] crypto: sha256_generic - Fix some coding style issues
From: Hans de Goede @ 2019-08-16 21:16 UTC (permalink / raw)
  To: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger
  Cc: Hans de Goede, Ard Biesheuvel, linux-crypto, x86, linux-s390,
	linux-kernel

Add a bunch of missing spaces after commas and around operators.

Note the main goal of this is to make sha256_transform and its helpers
identical in formatting to the duplicate implementation in lib/sha256.c,
so that "diff -u" can be used to compare them to prove that no functional
changes are made when further patches in this series consolidate the 2
implementations into 1.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 crypto/sha256_generic.c | 268 ++++++++++++++++++++--------------------
 1 file changed, 134 insertions(+), 134 deletions(-)

diff --git a/crypto/sha256_generic.c b/crypto/sha256_generic.c
index b7502a96a0d4..dac930ca827d 100644
--- a/crypto/sha256_generic.c
+++ b/crypto/sha256_generic.c
@@ -48,10 +48,10 @@ static inline u32 Maj(u32 x, u32 y, u32 z)
 	return (x & y) | (z & (x | y));
 }
 
-#define e0(x)       (ror32(x, 2) ^ ror32(x,13) ^ ror32(x,22))
-#define e1(x)       (ror32(x, 6) ^ ror32(x,11) ^ ror32(x,25))
-#define s0(x)       (ror32(x, 7) ^ ror32(x,18) ^ (x >> 3))
-#define s1(x)       (ror32(x,17) ^ ror32(x,19) ^ (x >> 10))
+#define e0(x)       (ror32(x, 2) ^ ror32(x, 13) ^ ror32(x, 22))
+#define e1(x)       (ror32(x, 6) ^ ror32(x, 11) ^ ror32(x, 25))
+#define s0(x)       (ror32(x, 7) ^ ror32(x, 18) ^ (x >> 3))
+#define s1(x)       (ror32(x, 17) ^ ror32(x, 19) ^ (x >> 10))
 
 static inline void LOAD_OP(int I, u32 *W, const u8 *input)
 {
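Review bot: the `s0`/`s1` bodies in this hunk use the bare macro parameter in `(x >> 3)` and `(x >> 10)`; since later patches in the series make this the single shared implementation, a follow-up (not this formatting-only patch) writing them as `((x) >> 3)` and `((x) >> 10)` would keep them correct for non-trivial arguments. The `ror32(x, ...)` uses are function calls and need no change.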
@@ -78,145 +78,145 @@ static void sha256_transform(u32 *state, const u8 *input)
 		BLEND_OP(i, W);
 
 	/* load the state into our registers */
-	a=state[0];  b=state[1];  c=state[2];  d=state[3];
-	e=state[4];  f=state[5];  g=state[6];  h=state[7];
+	a = state[0];  b = state[1];  c = state[2];  d = state[3];
+	e = state[4];  f = state[5];  g = state[6];  h = state[7];
 
 	/* now iterate */
-	t1 = h + e1(e) + Ch(e,f,g) + 0x428a2f98 + W[ 0];
-	t2 = e0(a) + Maj(a,b,c);    d+=t1;    h=t1+t2;
-	t1 = g + e1(d) + Ch(d,e,f) + 0x71374491 + W[ 1];
-	t2 = e0(h) + Maj(h,a,b);    c+=t1;    g=t1+t2;
-	t1 = f + e1(c) + Ch(c,d,e) + 0xb5c0fbcf + W[ 2];
-	t2 = e0(g) + Maj(g,h,a);    b+=t1;    f=t1+t2;
-	t1 = e + e1(b) + Ch(b,c,d) + 0xe9b5dba5 + W[ 3];
-	t2 = e0(f) + Maj(f,g,h);    a+=t1;    e=t1+t2;
-	t1 = d + e1(a) + Ch(a,b,c) + 0x3956c25b + W[ 4];
-	t2 = e0(e) + Maj(e,f,g);    h+=t1;    d=t1+t2;
-	t1 = c + e1(h) + Ch(h,a,b) + 0x59f111f1 + W[ 5];
-	t2 = e0(d) + Maj(d,e,f);    g+=t1;    c=t1+t2;
-	t1 = b + e1(g) + Ch(g,h,a) + 0x923f82a4 + W[ 6];
-	t2 = e0(c) + Maj(c,d,e);    f+=t1;    b=t1+t2;
-	t1 = a + e1(f) + Ch(f,g,h) + 0xab1c5ed5 + W[ 7];
-	t2 = e0(b) + Maj(b,c,d);    e+=t1;    a=t1+t2;
+	t1 = h + e1(e) + Ch(e, f, g) + 0x428a2f98 + W[0];
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
+	t1 = g + e1(d) + Ch(d, e, f) + 0x71374491 + W[1];
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
+	t1 = f + e1(c) + Ch(c, d, e) + 0xb5c0fbcf + W[2];
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
+	t1 = e + e1(b) + Ch(b, c, d) + 0xe9b5dba5 + W[3];
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
+	t1 = d + e1(a) + Ch(a, b, c) + 0x3956c25b + W[4];
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
+	t1 = c + e1(h) + Ch(h, a, b) + 0x59f111f1 + W[5];
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
+	t1 = b + e1(g) + Ch(g, h, a) + 0x923f82a4 + W[6];
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
+	t1 = a + e1(f) + Ch(f, g, h) + 0xab1c5ed5 + W[7];
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
-	t1 = h + e1(e) + Ch(e,f,g) + 0xd807aa98 + W[ 8];
-	t2 = e0(a) + Maj(a,b,c);    d+=t1;    h=t1+t2;
-	t1 = g + e1(d) + Ch(d,e,f) + 0x12835b01 + W[ 9];
-	t2 = e0(h) + Maj(h,a,b);    c+=t1;    g=t1+t2;
-	t1 = f + e1(c) + Ch(c,d,e) + 0x243185be + W[10];
-	t2 = e0(g) + Maj(g,h,a);    b+=t1;    f=t1+t2;
-	t1 = e + e1(b) + Ch(b,c,d) + 0x550c7dc3 + W[11];
-	t2 = e0(f) + Maj(f,g,h);    a+=t1;    e=t1+t2;
-	t1 = d + e1(a) + Ch(a,b,c) + 0x72be5d74 + W[12];
-	t2 = e0(e) + Maj(e,f,g);    h+=t1;    d=t1+t2;
-	t1 = c + e1(h) + Ch(h,a,b) + 0x80deb1fe + W[13];
-	t2 = e0(d) + Maj(d,e,f);    g+=t1;    c=t1+t2;
-	t1 = b + e1(g) + Ch(g,h,a) + 0x9bdc06a7 + W[14];
-	t2 = e0(c) + Maj(c,d,e);    f+=t1;    b=t1+t2;
-	t1 = a + e1(f) + Ch(f,g,h) + 0xc19bf174 + W[15];
-	t2 = e0(b) + Maj(b,c,d);    e+=t1;    a=t1+t2;
+	t1 = h + e1(e) + Ch(e, f, g) + 0xd807aa98 + W[8];
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
+	t1 = g + e1(d) + Ch(d, e, f) + 0x12835b01 + W[9];
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
+	t1 = f + e1(c) + Ch(c, d, e) + 0x243185be + W[10];
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
+	t1 = e + e1(b) + Ch(b, c, d) + 0x550c7dc3 + W[11];
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
+	t1 = d + e1(a) + Ch(a, b, c) + 0x72be5d74 + W[12];
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
+	t1 = c + e1(h) + Ch(h, a, b) + 0x80deb1fe + W[13];
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
+	t1 = b + e1(g) + Ch(g, h, a) + 0x9bdc06a7 + W[14];
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
+	t1 = a + e1(f) + Ch(f, g, h) + 0xc19bf174 + W[15];
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
-	t1 = h + e1(e) + Ch(e,f,g) + 0xe49b69c1 + W[16];
-	t2 = e0(a) + Maj(a,b,c);    d+=t1;    h=t1+t2;
-	t1 = g + e1(d) + Ch(d,e,f) + 0xefbe4786 + W[17];
-	t2 = e0(h) + Maj(h,a,b);    c+=t1;    g=t1+t2;
-	t1 = f + e1(c) + Ch(c,d,e) + 0x0fc19dc6 + W[18];
-	t2 = e0(g) + Maj(g,h,a);    b+=t1;    f=t1+t2;
-	t1 = e + e1(b) + Ch(b,c,d) + 0x240ca1cc + W[19];
-	t2 = e0(f) + Maj(f,g,h);    a+=t1;    e=t1+t2;
-	t1 = d + e1(a) + Ch(a,b,c) + 0x2de92c6f + W[20];
-	t2 = e0(e) + Maj(e,f,g);    h+=t1;    d=t1+t2;
-	t1 = c + e1(h) + Ch(h,a,b) + 0x4a7484aa + W[21];
-	t2 = e0(d) + Maj(d,e,f);    g+=t1;    c=t1+t2;
-	t1 = b + e1(g) + Ch(g,h,a) + 0x5cb0a9dc + W[22];
-	t2 = e0(c) + Maj(c,d,e);    f+=t1;    b=t1+t2;
-	t1 = a + e1(f) + Ch(f,g,h) + 0x76f988da + W[23];
-	t2 = e0(b) + Maj(b,c,d);    e+=t1;    a=t1+t2;
+	t1 = h + e1(e) + Ch(e, f, g) + 0xe49b69c1 + W[16];
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
+	t1 = g + e1(d) + Ch(d, e, f) + 0xefbe4786 + W[17];
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
+	t1 = f + e1(c) + Ch(c, d, e) + 0x0fc19dc6 + W[18];
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
+	t1 = e + e1(b) + Ch(b, c, d) + 0x240ca1cc + W[19];
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
+	t1 = d + e1(a) + Ch(a, b, c) + 0x2de92c6f + W[20];
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
+	t1 = c + e1(h) + Ch(h, a, b) + 0x4a7484aa + W[21];
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
+	t1 = b + e1(g) + Ch(g, h, a) + 0x5cb0a9dc + W[22];
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
+	t1 = a + e1(f) + Ch(f, g, h) + 0x76f988da + W[23];
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
-	t1 = h + e1(e) + Ch(e,f,g) + 0x983e5152 + W[24];
-	t2 = e0(a) + Maj(a,b,c);    d+=t1;    h=t1+t2;
-	t1 = g + e1(d) + Ch(d,e,f) + 0xa831c66d + W[25];
-	t2 = e0(h) + Maj(h,a,b);    c+=t1;    g=t1+t2;
-	t1 = f + e1(c) + Ch(c,d,e) + 0xb00327c8 + W[26];
-	t2 = e0(g) + Maj(g,h,a);    b+=t1;    f=t1+t2;
-	t1 = e + e1(b) + Ch(b,c,d) + 0xbf597fc7 + W[27];
-	t2 = e0(f) + Maj(f,g,h);    a+=t1;    e=t1+t2;
-	t1 = d + e1(a) + Ch(a,b,c) + 0xc6e00bf3 + W[28];
-	t2 = e0(e) + Maj(e,f,g);    h+=t1;    d=t1+t2;
-	t1 = c + e1(h) + Ch(h,a,b) + 0xd5a79147 + W[29];
-	t2 = e0(d) + Maj(d,e,f);    g+=t1;    c=t1+t2;
-	t1 = b + e1(g) + Ch(g,h,a) + 0x06ca6351 + W[30];
-	t2 = e0(c) + Maj(c,d,e);    f+=t1;    b=t1+t2;
-	t1 = a + e1(f) + Ch(f,g,h) + 0x14292967 + W[31];
-	t2 = e0(b) + Maj(b,c,d);    e+=t1;    a=t1+t2;
+	t1 = h + e1(e) + Ch(e, f, g) + 0x983e5152 + W[24];
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
+	t1 = g + e1(d) + Ch(d, e, f) + 0xa831c66d + W[25];
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
+	t1 = f + e1(c) + Ch(c, d, e) + 0xb00327c8 + W[26];
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
+	t1 = e + e1(b) + Ch(b, c, d) + 0xbf597fc7 + W[27];
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
+	t1 = d + e1(a) + Ch(a, b, c) + 0xc6e00bf3 + W[28];
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
+	t1 = c + e1(h) + Ch(h, a, b) + 0xd5a79147 + W[29];
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
+	t1 = b + e1(g) + Ch(g, h, a) + 0x06ca6351 + W[30];
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
+	t1 = a + e1(f) + Ch(f, g, h) + 0x14292967 + W[31];
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
-	t1 = h + e1(e) + Ch(e,f,g) + 0x27b70a85 + W[32];
-	t2 = e0(a) + Maj(a,b,c);    d+=t1;    h=t1+t2;
-	t1 = g + e1(d) + Ch(d,e,f) + 0x2e1b2138 + W[33];
-	t2 = e0(h) + Maj(h,a,b);    c+=t1;    g=t1+t2;
-	t1 = f + e1(c) + Ch(c,d,e) + 0x4d2c6dfc + W[34];
-	t2 = e0(g) + Maj(g,h,a);    b+=t1;    f=t1+t2;
-	t1 = e + e1(b) + Ch(b,c,d) + 0x53380d13 + W[35];
-	t2 = e0(f) + Maj(f,g,h);    a+=t1;    e=t1+t2;
-	t1 = d + e1(a) + Ch(a,b,c) + 0x650a7354 + W[36];
-	t2 = e0(e) + Maj(e,f,g);    h+=t1;    d=t1+t2;
-	t1 = c + e1(h) + Ch(h,a,b) + 0x766a0abb + W[37];
-	t2 = e0(d) + Maj(d,e,f);    g+=t1;    c=t1+t2;
-	t1 = b + e1(g) + Ch(g,h,a) + 0x81c2c92e + W[38];
-	t2 = e0(c) + Maj(c,d,e);    f+=t1;    b=t1+t2;
-	t1 = a + e1(f) + Ch(f,g,h) + 0x92722c85 + W[39];
-	t2 = e0(b) + Maj(b,c,d);    e+=t1;    a=t1+t2;
+	t1 = h + e1(e) + Ch(e, f, g) + 0x27b70a85 + W[32];
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
+	t1 = g + e1(d) + Ch(d, e, f) + 0x2e1b2138 + W[33];
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
+	t1 = f + e1(c) + Ch(c, d, e) + 0x4d2c6dfc + W[34];
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
+	t1 = e + e1(b) + Ch(b, c, d) + 0x53380d13 + W[35];
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
+	t1 = d + e1(a) + Ch(a, b, c) + 0x650a7354 + W[36];
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
+	t1 = c + e1(h) + Ch(h, a, b) + 0x766a0abb + W[37];
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
+	t1 = b + e1(g) + Ch(g, h, a) + 0x81c2c92e + W[38];
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
+	t1 = a + e1(f) + Ch(f, g, h) + 0x92722c85 + W[39];
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
-	t1 = h + e1(e) + Ch(e,f,g) + 0xa2bfe8a1 + W[40];
-	t2 = e0(a) + Maj(a,b,c);    d+=t1;    h=t1+t2;
-	t1 = g + e1(d) + Ch(d,e,f) + 0xa81a664b + W[41];
-	t2 = e0(h) + Maj(h,a,b);    c+=t1;    g=t1+t2;
-	t1 = f + e1(c) + Ch(c,d,e) + 0xc24b8b70 + W[42];
-	t2 = e0(g) + Maj(g,h,a);    b+=t1;    f=t1+t2;
-	t1 = e + e1(b) + Ch(b,c,d) + 0xc76c51a3 + W[43];
-	t2 = e0(f) + Maj(f,g,h);    a+=t1;    e=t1+t2;
-	t1 = d + e1(a) + Ch(a,b,c) + 0xd192e819 + W[44];
-	t2 = e0(e) + Maj(e,f,g);    h+=t1;    d=t1+t2;
-	t1 = c + e1(h) + Ch(h,a,b) + 0xd6990624 + W[45];
-	t2 = e0(d) + Maj(d,e,f);    g+=t1;    c=t1+t2;
-	t1 = b + e1(g) + Ch(g,h,a) + 0xf40e3585 + W[46];
-	t2 = e0(c) + Maj(c,d,e);    f+=t1;    b=t1+t2;
-	t1 = a + e1(f) + Ch(f,g,h) + 0x106aa070 + W[47];
-	t2 = e0(b) + Maj(b,c,d);    e+=t1;    a=t1+t2;
+	t1 = h + e1(e) + Ch(e, f, g) + 0xa2bfe8a1 + W[40];
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
+	t1 = g + e1(d) + Ch(d, e, f) + 0xa81a664b + W[41];
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
+	t1 = f + e1(c) + Ch(c, d, e) + 0xc24b8b70 + W[42];
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
+	t1 = e + e1(b) + Ch(b, c, d) + 0xc76c51a3 + W[43];
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
+	t1 = d + e1(a) + Ch(a, b, c) + 0xd192e819 + W[44];
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
+	t1 = c + e1(h) + Ch(h, a, b) + 0xd6990624 + W[45];
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
+	t1 = b + e1(g) + Ch(g, h, a) + 0xf40e3585 + W[46];
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
+	t1 = a + e1(f) + Ch(f, g, h) + 0x106aa070 + W[47];
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
-	t1 = h + e1(e) + Ch(e,f,g) + 0x19a4c116 + W[48];
-	t2 = e0(a) + Maj(a,b,c);    d+=t1;    h=t1+t2;
-	t1 = g + e1(d) + Ch(d,e,f) + 0x1e376c08 + W[49];
-	t2 = e0(h) + Maj(h,a,b);    c+=t1;    g=t1+t2;
-	t1 = f + e1(c) + Ch(c,d,e) + 0x2748774c + W[50];
-	t2 = e0(g) + Maj(g,h,a);    b+=t1;    f=t1+t2;
-	t1 = e + e1(b) + Ch(b,c,d) + 0x34b0bcb5 + W[51];
-	t2 = e0(f) + Maj(f,g,h);    a+=t1;    e=t1+t2;
-	t1 = d + e1(a) + Ch(a,b,c) + 0x391c0cb3 + W[52];
-	t2 = e0(e) + Maj(e,f,g);    h+=t1;    d=t1+t2;
-	t1 = c + e1(h) + Ch(h,a,b) + 0x4ed8aa4a + W[53];
-	t2 = e0(d) + Maj(d,e,f);    g+=t1;    c=t1+t2;
-	t1 = b + e1(g) + Ch(g,h,a) + 0x5b9cca4f + W[54];
-	t2 = e0(c) + Maj(c,d,e);    f+=t1;    b=t1+t2;
-	t1 = a + e1(f) + Ch(f,g,h) + 0x682e6ff3 + W[55];
-	t2 = e0(b) + Maj(b,c,d);    e+=t1;    a=t1+t2;
+	t1 = h + e1(e) + Ch(e, f, g) + 0x19a4c116 + W[48];
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
+	t1 = g + e1(d) + Ch(d, e, f) + 0x1e376c08 + W[49];
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
+	t1 = f + e1(c) + Ch(c, d, e) + 0x2748774c + W[50];
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
+	t1 = e + e1(b) + Ch(b, c, d) + 0x34b0bcb5 + W[51];
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
+	t1 = d + e1(a) + Ch(a, b, c) + 0x391c0cb3 + W[52];
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
+	t1 = c + e1(h) + Ch(h, a, b) + 0x4ed8aa4a + W[53];
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
+	t1 = b + e1(g) + Ch(g, h, a) + 0x5b9cca4f + W[54];
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
+	t1 = a + e1(f) + Ch(f, g, h) + 0x682e6ff3 + W[55];
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
-	t1 = h + e1(e) + Ch(e,f,g) + 0x748f82ee + W[56];
-	t2 = e0(a) + Maj(a,b,c);    d+=t1;    h=t1+t2;
-	t1 = g + e1(d) + Ch(d,e,f) + 0x78a5636f + W[57];
-	t2 = e0(h) + Maj(h,a,b);    c+=t1;    g=t1+t2;
-	t1 = f + e1(c) + Ch(c,d,e) + 0x84c87814 + W[58];
-	t2 = e0(g) + Maj(g,h,a);    b+=t1;    f=t1+t2;
-	t1 = e + e1(b) + Ch(b,c,d) + 0x8cc70208 + W[59];
-	t2 = e0(f) + Maj(f,g,h);    a+=t1;    e=t1+t2;
-	t1 = d + e1(a) + Ch(a,b,c) + 0x90befffa + W[60];
-	t2 = e0(e) + Maj(e,f,g);    h+=t1;    d=t1+t2;
-	t1 = c + e1(h) + Ch(h,a,b) + 0xa4506ceb + W[61];
-	t2 = e0(d) + Maj(d,e,f);    g+=t1;    c=t1+t2;
-	t1 = b + e1(g) + Ch(g,h,a) + 0xbef9a3f7 + W[62];
-	t2 = e0(c) + Maj(c,d,e);    f+=t1;    b=t1+t2;
-	t1 = a + e1(f) + Ch(f,g,h) + 0xc67178f2 + W[63];
-	t2 = e0(b) + Maj(b,c,d);    e+=t1;    a=t1+t2;
+	t1 = h + e1(e) + Ch(e, f, g) + 0x748f82ee + W[56];
+	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
+	t1 = g + e1(d) + Ch(d, e, f) + 0x78a5636f + W[57];
+	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
+	t1 = f + e1(c) + Ch(c, d, e) + 0x84c87814 + W[58];
+	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
+	t1 = e + e1(b) + Ch(b, c, d) + 0x8cc70208 + W[59];
+	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
+	t1 = d + e1(a) + Ch(a, b, c) + 0x90befffa + W[60];
+	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
+	t1 = c + e1(h) + Ch(h, a, b) + 0xa4506ceb + W[61];
+	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
+	t1 = b + e1(g) + Ch(g, h, a) + 0xbef9a3f7 + W[62];
+	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
+	t1 = a + e1(f) + Ch(f, g, h) + 0xc67178f2 + W[63];
+	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
 
 	state[0] += a; state[1] += b; state[2] += c; state[3] += d;
 	state[4] += e; state[5] += f; state[6] += g; state[7] += h;
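Review bot: besides adding spaces, this hunk drops the alignment padding in the single-digit indices (`W[ 0]` ... `W[ 9]` become `W[0]` ... `W[9]`); the commit message only mentions spaces after commas and around operators, so one sentence noting the index reformatting would make the "diff -u against lib/sha256.c" argument complete. `git show -w` still verifies the hunk as whitespace-only, since whitespace removed inside the brackets is ignored too.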
-- 
2.22.0



* [PATCH 3/6] crypto: sha256 - Move lib/sha256.c to lib/crypto
From: Hans de Goede @ 2019-08-16 21:16 UTC (permalink / raw)
  To: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger
  Cc: Hans de Goede, Ard Biesheuvel, linux-crypto, x86, linux-s390,
	linux-kernel

Generic crypto implementations belong under lib/crypto, not directly in
lib; likewise, the header should be in include/crypto, not include/linux.

Note that the code in lib/crypto/sha256.c is not yet available for
generic use after this commit; it is still only used by the s390 and x86
purgatory code. Making it suitable for generic use is done in further
patches in this series.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 arch/s390/purgatory/Makefile       | 2 +-
 arch/s390/purgatory/purgatory.c    | 2 +-
 arch/x86/purgatory/Makefile        | 2 +-
 arch/x86/purgatory/purgatory.c     | 2 +-
 include/{linux => crypto}/sha256.h | 0
 lib/{ => crypto}/sha256.c          | 2 +-
 6 files changed, 5 insertions(+), 5 deletions(-)
 rename include/{linux => crypto}/sha256.h (100%)
 rename lib/{ => crypto}/sha256.c (99%)

diff --git a/arch/s390/purgatory/Makefile b/arch/s390/purgatory/Makefile
index dc1ae4ff79d7..85b05c9e40f5 100644
--- a/arch/s390/purgatory/Makefile
+++ b/arch/s390/purgatory/Makefile
@@ -7,7 +7,7 @@ purgatory-y := head.o purgatory.o string.o sha256.o mem.o
 targets += $(purgatory-y) purgatory.lds purgatory purgatory.ro
 PURGATORY_OBJS = $(addprefix $(obj)/,$(purgatory-y))
 
-$(obj)/sha256.o: $(srctree)/lib/sha256.c FORCE
+$(obj)/sha256.o: $(srctree)/lib/crypto/sha256.c FORCE
 	$(call if_changed_rule,cc_o_c)
 
 $(obj)/mem.o: $(srctree)/arch/s390/lib/mem.S FORCE
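Review bot: only the source path in the explicit `$(obj)/sha256.o` rule changes here, while `purgatory-y` keeps `sha256.o` and lib/crypto/Makefile is not touched, which matches the commit message's statement that lib/crypto/sha256.c is not yet built for generic use; the x86 purgatory rule below gets the identical treatment.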
diff --git a/arch/s390/purgatory/purgatory.c b/arch/s390/purgatory/purgatory.c
index 3528e6da4e87..a80c78da9985 100644
--- a/arch/s390/purgatory/purgatory.c
+++ b/arch/s390/purgatory/purgatory.c
@@ -8,8 +8,8 @@
  */
 
 #include <linux/kexec.h>
-#include <linux/sha256.h>
 #include <linux/string.h>
+#include <crypto/sha256.h>
 #include <asm/purgatory.h>
 
 int verify_sha256_digest(void)
diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile
index 8901a1f89cf5..6ebd0739106e 100644
--- a/arch/x86/purgatory/Makefile
+++ b/arch/x86/purgatory/Makefile
@@ -9,7 +9,7 @@ PURGATORY_OBJS = $(addprefix $(obj)/,$(purgatory-y))
 $(obj)/string.o: $(srctree)/arch/x86/boot/compressed/string.c FORCE
 	$(call if_changed_rule,cc_o_c)
 
-$(obj)/sha256.o: $(srctree)/lib/sha256.c FORCE
+$(obj)/sha256.o: $(srctree)/lib/crypto/sha256.c FORCE
 	$(call if_changed_rule,cc_o_c)
 
 LDFLAGS_purgatory.ro := -e purgatory_start -r --no-undefined -nostdlib -z nodefaultlib
diff --git a/arch/x86/purgatory/purgatory.c b/arch/x86/purgatory/purgatory.c
index b607bda786f6..7f90a86eff49 100644
--- a/arch/x86/purgatory/purgatory.c
+++ b/arch/x86/purgatory/purgatory.c
@@ -9,7 +9,7 @@
  */
 
 #include <linux/bug.h>
-#include <linux/sha256.h>
+#include <crypto/sha256.h>
 #include <asm/purgatory.h>
 
 #include "../boot/string.h"
diff --git a/include/linux/sha256.h b/include/crypto/sha256.h
similarity index 100%
rename from include/linux/sha256.h
rename to include/crypto/sha256.h
diff --git a/lib/sha256.c b/lib/crypto/sha256.c
similarity index 99%
rename from lib/sha256.c
rename to lib/crypto/sha256.c
index ba4dce0b3711..b8114028d06f 100644
--- a/lib/sha256.c
+++ b/lib/crypto/sha256.c
@@ -12,8 +12,8 @@
  */
 
 #include <linux/bitops.h>
-#include <linux/sha256.h>
 #include <linux/string.h>
+#include <crypto/sha256.h>
 #include <asm/byteorder.h>
 
 static inline u32 Ch(u32 x, u32 y, u32 z)
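Review bot: the rename is reported as 99% similar with only this include hunk changed; please also check the file header comment that ends just above this hunk (lines 1-12, not shown) and update it in the same move if it still names the old lib/sha256.c location or describes the file as purgatory-only.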
-- 
2.22.0



* [PATCH 4/6] crypto: sha256 - Use get_unaligned_be32 to get input, memzero_explicit
  2019-08-16 21:16 [PATCH 0/6] crypto: sha256 - Merge 2 separate C implementations into 1, put into separate library Hans de Goede
                   ` (2 preceding siblings ...)
  2019-08-16 21:16 ` [PATCH 3/6] crypto: sha256 - Move lib/sha256.c to lib/crypto Hans de Goede
@ 2019-08-16 21:16 ` Hans de Goede
  2019-08-17  5:37   ` Eric Biggers
  2019-08-16 21:16 ` [PATCH 5/6] crypto: sha256 - Make lib/crypto/sha256.c suitable for generic use Hans de Goede
  2019-08-16 21:16 ` [PATCH 6/6] crypto: sha256_generic - Use sha256_transform from generic sha256 lib Hans de Goede
  5 siblings, 1 reply; 15+ messages in thread
From: Hans de Goede @ 2019-08-16 21:16 UTC (permalink / raw)
  To: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger
  Cc: Hans de Goede, Ard Biesheuvel, linux-crypto, x86, linux-s390,
	linux-kernel

Use get_unaligned_be32 in the lib/crypto/sha256.c sha256_transform()
implementation so that it can be used with unaligned buffers too,
making it more generic.

And use memzero_explicit for better clearing of sensitive data.

Note that, unlike the other patches in this series, this commit actually makes
functional changes to the sha256 code as used by the purgatory code.

This fully aligns the lib/crypto/sha256.c sha256_transform()
implementation with the one from crypto/sha256_generic.c allowing us
to remove the latter in further patches in this series.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 lib/crypto/sha256.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
index b8114028d06f..09a435d845fc 100644
--- a/lib/crypto/sha256.c
+++ b/lib/crypto/sha256.c
@@ -14,7 +14,7 @@
 #include <linux/bitops.h>
 #include <linux/string.h>
 #include <crypto/sha256.h>
-#include <asm/byteorder.h>
+#include <asm/unaligned.h>
 
 static inline u32 Ch(u32 x, u32 y, u32 z)
 {
@@ -33,7 +33,7 @@ static inline u32 Maj(u32 x, u32 y, u32 z)
 
 static inline void LOAD_OP(int I, u32 *W, const u8 *input)
 {
-	W[I] = __be32_to_cpu(((__be32 *)(input))[I]);
+	W[I] = get_unaligned_be32((__u32 *)input + I);
 }
 
 static inline void BLEND_OP(int I, u32 *W)
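Review bot: the cast in `get_unaligned_be32((__u32 *)input + I)` only serves the pointer arithmetic; `get_unaligned_be32(input + 4 * I)` says the same without turning a u8 buffer into a u32 pointer. Note also that this hunk only makes the input load alignment-safe: the digest store in sha256_final() still goes through `__be32 *dst = (__be32 *)out` and `dst[i] = cpu_to_be32(...)` (visible in the reply patch later in this thread), so the function is not yet safe with an unaligned output buffer; a put_unaligned_be32() there would complete the change.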
@@ -201,7 +201,7 @@ static void sha256_transform(u32 *state, const u8 *input)
 
 	/* clear any sensitive info... */
 	a = b = c = d = e = f = g = h = t1 = t2 = 0;
-	memset(W, 0, 64 * sizeof(u32));
+	memzero_explicit(W, 64 * sizeof(u32));
 }
 
 int sha256_init(struct sha256_state *sctx)
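Review bot: memzero_explicit() is the right call for W, but the preceding `a = b = c = d = e = f = g = h = t1 = t2 = 0;` is a row of dead stores to locals that the compiler is free to drop, so the comment "clear any sensitive info" promises more than the code guarantees; either accept that the working variables cannot be scrubbed this way or qualify the comment.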
-- 
2.22.0



* [PATCH 5/6] crypto: sha256 - Make lib/crypto/sha256.c suitable for generic use
  2019-08-16 21:16 [PATCH 0/6] crypto: sha256 - Merge 2 separate C implementations into 1, put into separate library Hans de Goede
                   ` (3 preceding siblings ...)
  2019-08-16 21:16 ` [PATCH 4/6] crypto: sha256 - Use get_unaligned_be32 to get input, memzero_explicit Hans de Goede
@ 2019-08-16 21:16 ` Hans de Goede
  2019-08-16 21:16 ` [PATCH 6/6] crypto: sha256_generic - Use sha256_transform from generic sha256 lib Hans de Goede
  5 siblings, 0 replies; 15+ messages in thread
From: Hans de Goede @ 2019-08-16 21:16 UTC (permalink / raw)
  To: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger
  Cc: Hans de Goede, Ard Biesheuvel, linux-crypto, x86, linux-s390,
	linux-kernel

Before this commit lib/crypto/sha256.c has only been used in the s390 and
x86 purgatory code. Make it suitable for generic use:

* Export interesting symbols
* Add -D__DISABLE_EXPORTS to CFLAGS_sha256.o for purgatory builds to
  avoid the exports for the purgatory builds
* Add to lib/crypto/Makefile and crypto/Kconfig

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 arch/s390/purgatory/Makefile | 2 ++
 arch/x86/purgatory/Makefile  | 2 ++
 crypto/Kconfig               | 3 +++
 include/crypto/sha256.h      | 1 +
 lib/crypto/Makefile          | 3 +++
 lib/crypto/sha256.c          | 7 ++++++-
 6 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/arch/s390/purgatory/Makefile b/arch/s390/purgatory/Makefile
index 85b05c9e40f5..bc0d7a0d0394 100644
--- a/arch/s390/purgatory/Makefile
+++ b/arch/s390/purgatory/Makefile
@@ -10,6 +10,8 @@ PURGATORY_OBJS = $(addprefix $(obj)/,$(purgatory-y))
 $(obj)/sha256.o: $(srctree)/lib/crypto/sha256.c FORCE
 	$(call if_changed_rule,cc_o_c)
 
+CFLAGS_sha256.o := -D__DISABLE_EXPORTS
+
 $(obj)/mem.o: $(srctree)/arch/s390/lib/mem.S FORCE
 	$(call if_changed_rule,as_o_S)
 
diff --git a/arch/x86/purgatory/Makefile b/arch/x86/purgatory/Makefile
index 6ebd0739106e..a455083512c1 100644
--- a/arch/x86/purgatory/Makefile
+++ b/arch/x86/purgatory/Makefile
@@ -12,6 +12,8 @@ $(obj)/string.o: $(srctree)/arch/x86/boot/compressed/string.c FORCE
 $(obj)/sha256.o: $(srctree)/lib/crypto/sha256.c FORCE
 	$(call if_changed_rule,cc_o_c)
 
+CFLAGS_sha256.o := -D__DISABLE_EXPORTS
+
 LDFLAGS_purgatory.ro := -e purgatory_start -r --no-undefined -nostdlib -z nodefaultlib
 targets += purgatory.ro
 
diff --git a/crypto/Kconfig b/crypto/Kconfig
index df6f0be66574..3ac665dac35f 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -929,6 +929,9 @@ config CRYPTO_SHA1_PPC_SPE
 	  SHA-1 secure hash standard (DFIPS 180-4) implemented
 	  using powerpc SPE SIMD instruction set.
 
+config CRYPTO_LIB_SHA256
+	tristate
+
 config CRYPTO_SHA256
 	tristate "SHA224 and SHA256 digest algorithm"
 	select CRYPTO_HASH
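Review bot: CRYPTO_LIB_SHA256 is a hidden tristate without help text, which matches the CRYPTO_LIB_AES/CRYPTO_LIB_ARC4 style used in the lib/crypto/Makefile hunk, but it is placed among the CRYPTO_SHA* algorithm entries; keeping it next to the other CRYPTO_LIB_* symbols would make the library options easier to find.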
diff --git a/include/crypto/sha256.h b/include/crypto/sha256.h
index 26972b9e92db..f596202ad85f 100644
--- a/include/crypto/sha256.h
+++ b/include/crypto/sha256.h
@@ -21,6 +21,7 @@
  */
 
 extern int sha256_init(struct sha256_state *sctx);
+extern void sha256_transform(u32 *state, const u8 *input);
 extern int sha256_update(struct sha256_state *sctx, const u8 *input,
 			 unsigned int length);
 extern int sha256_final(struct sha256_state *sctx, u8 *hash);
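Review bot: this prototype exposes the raw compression function (`u32 *state, const u8 *input`, no padding or length handling) as library API, which is easy to misuse from anywhere other than a hash implementation. If the only intended external user is crypto/sha256_generic.c, consider keeping sha256_transform() static and having callers go through sha256_init()/sha256_update()/sha256_final() instead.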
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 42a91c62d96d..5423482c1efd 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -5,3 +5,6 @@ libaes-y := aes.o
 
 obj-$(CONFIG_CRYPTO_LIB_ARC4) += libarc4.o
 libarc4-y := arc4.o
+
+obj-$(CONFIG_CRYPTO_LIB_SHA256) += libsha256.o
+libsha256-y := sha256.o
diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
index 09a435d845fc..3e9cc54f7e1c 100644
--- a/lib/crypto/sha256.c
+++ b/lib/crypto/sha256.c
@@ -12,6 +12,7 @@
  */
 
 #include <linux/bitops.h>
+#include <linux/export.h>
 #include <linux/string.h>
 #include <crypto/sha256.h>
 #include <asm/unaligned.h>
@@ -41,7 +42,7 @@ static inline void BLEND_OP(int I, u32 *W)
 	W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16];
 }
 
-static void sha256_transform(u32 *state, const u8 *input)
+void sha256_transform(u32 *state, const u8 *input)
 {
 	u32 a, b, c, d, e, f, g, h, t1, t2;
 	u32 W[64];
@@ -203,6 +204,7 @@ static void sha256_transform(u32 *state, const u8 *input)
 	a = b = c = d = e = f = g = h = t1 = t2 = 0;
 	memzero_explicit(W, 64 * sizeof(u32));
 }
+EXPORT_SYMBOL(sha256_transform);
 
 int sha256_init(struct sha256_state *sctx)
 {
@@ -218,6 +220,7 @@ int sha256_init(struct sha256_state *sctx)
 
 	return 0;
 }
+EXPORT_SYMBOL(sha256_init);
 
 int sha256_update(struct sha256_state *sctx, const u8 *data, unsigned int len)
 {
@@ -248,6 +251,7 @@ int sha256_update(struct sha256_state *sctx, const u8 *data, unsigned int len)
 
 	return 0;
 }
+EXPORT_SYMBOL(sha256_update);
 
 int sha256_final(struct sha256_state *sctx, u8 *out)
 {
@@ -277,3 +281,4 @@ int sha256_final(struct sha256_state *sctx, u8 *out)
 
 	return 0;
 }
+EXPORT_SYMBOL(sha256_final);
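Review bot: the four new exports use EXPORT_SYMBOL() while crypto/sha256_generic.c exports sha256_zero_message_hash with EXPORT_SYMBOL_GPL() (visible in the 6/6 context lines); make the choice between EXPORT_SYMBOL and EXPORT_SYMBOL_GPL deliberate and consistent for the library, and say which in the commit message.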
-- 
2.22.0



* [PATCH 6/6] crypto: sha256_generic - Use sha256_transform from generic sha256 lib
  2019-08-16 21:16 [PATCH 0/6] crypto: sha256 - Merge 2 separate C implementations into 1, put into separate library Hans de Goede
                   ` (4 preceding siblings ...)
  2019-08-16 21:16 ` [PATCH 5/6] crypto: sha256 - Make lib/crypto/sha256.c suitable for generic use Hans de Goede
@ 2019-08-16 21:16 ` Hans de Goede
  2019-08-17  5:13   ` Eric Biggers
  5 siblings, 1 reply; 15+ messages in thread
From: Hans de Goede @ 2019-08-16 21:16 UTC (permalink / raw)
  To: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger
  Cc: Hans de Goede, Ard Biesheuvel, linux-crypto, x86, linux-s390,
	linux-kernel

Drop the duplicate sha256_transform function from crypto/sha256_generic.c
and use the implementation from lib/crypto/sha256.c instead.
"diff -u lib/crypto/sha256.c sha256_generic.c"
shows that both implementations are identical.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 crypto/Kconfig          |   1 +
 crypto/sha256_generic.c | 197 +---------------------------------------
 2 files changed, 6 insertions(+), 192 deletions(-)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 3ac665dac35f..05ab624dcca7 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -935,6 +935,7 @@ config CRYPTO_LIB_SHA256
 config CRYPTO_SHA256
 	tristate "SHA224 and SHA256 digest algorithm"
 	select CRYPTO_HASH
+	select CRYPTO_LIB_SHA256
 	help
 	  SHA256 secure hash standard (DFIPS 180-2).
 
diff --git a/crypto/sha256_generic.c b/crypto/sha256_generic.c
index dac930ca827d..51b3afcb5407 100644
--- a/crypto/sha256_generic.c
+++ b/crypto/sha256_generic.c
@@ -18,6 +18,7 @@
 #include <linux/mm.h>
 #include <linux/types.h>
 #include <crypto/sha.h>
+#include <crypto/sha256.h>
 #include <crypto/sha256_base.h>
 #include <asm/byteorder.h>
 #include <asm/unaligned.h>
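Review bot: with the file-local LOAD_OP removed in the next hunk (it was this file's only caller of get_unaligned_be32()), `#include <asm/unaligned.h>` at the end of this hunk looks unused; check whether <asm/byteorder.h> is still needed too once the transform is gone, and drop whichever no longer has a user.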
@@ -38,194 +39,6 @@ const u8 sha256_zero_message_hash[SHA256_DIGEST_SIZE] = {
 };
 EXPORT_SYMBOL_GPL(sha256_zero_message_hash);
 
-static inline u32 Ch(u32 x, u32 y, u32 z)
-{
-	return z ^ (x & (y ^ z));
-}
-
-static inline u32 Maj(u32 x, u32 y, u32 z)
-{
-	return (x & y) | (z & (x | y));
-}
-
-#define e0(x)       (ror32(x, 2) ^ ror32(x, 13) ^ ror32(x, 22))
-#define e1(x)       (ror32(x, 6) ^ ror32(x, 11) ^ ror32(x, 25))
-#define s0(x)       (ror32(x, 7) ^ ror32(x, 18) ^ (x >> 3))
-#define s1(x)       (ror32(x, 17) ^ ror32(x, 19) ^ (x >> 10))
-
-static inline void LOAD_OP(int I, u32 *W, const u8 *input)
-{
-	W[I] = get_unaligned_be32((__u32 *)input + I);
-}
-
-static inline void BLEND_OP(int I, u32 *W)
-{
-	W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16];
-}
-
-static void sha256_transform(u32 *state, const u8 *input)
-{
-	u32 a, b, c, d, e, f, g, h, t1, t2;
-	u32 W[64];
-	int i;
-
-	/* load the input */
-	for (i = 0; i < 16; i++)
-		LOAD_OP(i, W, input);
-
-	/* now blend */
-	for (i = 16; i < 64; i++)
-		BLEND_OP(i, W);
-
-	/* load the state into our registers */
-	a = state[0];  b = state[1];  c = state[2];  d = state[3];
-	e = state[4];  f = state[5];  g = state[6];  h = state[7];
-
-	/* now iterate */
-	t1 = h + e1(e) + Ch(e, f, g) + 0x428a2f98 + W[0];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
-	t1 = g + e1(d) + Ch(d, e, f) + 0x71374491 + W[1];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
-	t1 = f + e1(c) + Ch(c, d, e) + 0xb5c0fbcf + W[2];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
-	t1 = e + e1(b) + Ch(b, c, d) + 0xe9b5dba5 + W[3];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
-	t1 = d + e1(a) + Ch(a, b, c) + 0x3956c25b + W[4];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
-	t1 = c + e1(h) + Ch(h, a, b) + 0x59f111f1 + W[5];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
-	t1 = b + e1(g) + Ch(g, h, a) + 0x923f82a4 + W[6];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
-	t1 = a + e1(f) + Ch(f, g, h) + 0xab1c5ed5 + W[7];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
-
-	t1 = h + e1(e) + Ch(e, f, g) + 0xd807aa98 + W[8];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
-	t1 = g + e1(d) + Ch(d, e, f) + 0x12835b01 + W[9];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
-	t1 = f + e1(c) + Ch(c, d, e) + 0x243185be + W[10];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
-	t1 = e + e1(b) + Ch(b, c, d) + 0x550c7dc3 + W[11];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
-	t1 = d + e1(a) + Ch(a, b, c) + 0x72be5d74 + W[12];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
-	t1 = c + e1(h) + Ch(h, a, b) + 0x80deb1fe + W[13];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
-	t1 = b + e1(g) + Ch(g, h, a) + 0x9bdc06a7 + W[14];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
-	t1 = a + e1(f) + Ch(f, g, h) + 0xc19bf174 + W[15];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
-
-	t1 = h + e1(e) + Ch(e, f, g) + 0xe49b69c1 + W[16];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
-	t1 = g + e1(d) + Ch(d, e, f) + 0xefbe4786 + W[17];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
-	t1 = f + e1(c) + Ch(c, d, e) + 0x0fc19dc6 + W[18];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
-	t1 = e + e1(b) + Ch(b, c, d) + 0x240ca1cc + W[19];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
-	t1 = d + e1(a) + Ch(a, b, c) + 0x2de92c6f + W[20];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
-	t1 = c + e1(h) + Ch(h, a, b) + 0x4a7484aa + W[21];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
-	t1 = b + e1(g) + Ch(g, h, a) + 0x5cb0a9dc + W[22];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
-	t1 = a + e1(f) + Ch(f, g, h) + 0x76f988da + W[23];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
-
-	t1 = h + e1(e) + Ch(e, f, g) + 0x983e5152 + W[24];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
-	t1 = g + e1(d) + Ch(d, e, f) + 0xa831c66d + W[25];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
-	t1 = f + e1(c) + Ch(c, d, e) + 0xb00327c8 + W[26];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
-	t1 = e + e1(b) + Ch(b, c, d) + 0xbf597fc7 + W[27];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
-	t1 = d + e1(a) + Ch(a, b, c) + 0xc6e00bf3 + W[28];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
-	t1 = c + e1(h) + Ch(h, a, b) + 0xd5a79147 + W[29];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
-	t1 = b + e1(g) + Ch(g, h, a) + 0x06ca6351 + W[30];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
-	t1 = a + e1(f) + Ch(f, g, h) + 0x14292967 + W[31];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
-
-	t1 = h + e1(e) + Ch(e, f, g) + 0x27b70a85 + W[32];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
-	t1 = g + e1(d) + Ch(d, e, f) + 0x2e1b2138 + W[33];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
-	t1 = f + e1(c) + Ch(c, d, e) + 0x4d2c6dfc + W[34];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
-	t1 = e + e1(b) + Ch(b, c, d) + 0x53380d13 + W[35];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
-	t1 = d + e1(a) + Ch(a, b, c) + 0x650a7354 + W[36];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
-	t1 = c + e1(h) + Ch(h, a, b) + 0x766a0abb + W[37];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
-	t1 = b + e1(g) + Ch(g, h, a) + 0x81c2c92e + W[38];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
-	t1 = a + e1(f) + Ch(f, g, h) + 0x92722c85 + W[39];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
-
-	t1 = h + e1(e) + Ch(e, f, g) + 0xa2bfe8a1 + W[40];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
-	t1 = g + e1(d) + Ch(d, e, f) + 0xa81a664b + W[41];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
-	t1 = f + e1(c) + Ch(c, d, e) + 0xc24b8b70 + W[42];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
-	t1 = e + e1(b) + Ch(b, c, d) + 0xc76c51a3 + W[43];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
-	t1 = d + e1(a) + Ch(a, b, c) + 0xd192e819 + W[44];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
-	t1 = c + e1(h) + Ch(h, a, b) + 0xd6990624 + W[45];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
-	t1 = b + e1(g) + Ch(g, h, a) + 0xf40e3585 + W[46];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
-	t1 = a + e1(f) + Ch(f, g, h) + 0x106aa070 + W[47];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
-
-	t1 = h + e1(e) + Ch(e, f, g) + 0x19a4c116 + W[48];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
-	t1 = g + e1(d) + Ch(d, e, f) + 0x1e376c08 + W[49];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
-	t1 = f + e1(c) + Ch(c, d, e) + 0x2748774c + W[50];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
-	t1 = e + e1(b) + Ch(b, c, d) + 0x34b0bcb5 + W[51];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
-	t1 = d + e1(a) + Ch(a, b, c) + 0x391c0cb3 + W[52];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
-	t1 = c + e1(h) + Ch(h, a, b) + 0x4ed8aa4a + W[53];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
-	t1 = b + e1(g) + Ch(g, h, a) + 0x5b9cca4f + W[54];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
-	t1 = a + e1(f) + Ch(f, g, h) + 0x682e6ff3 + W[55];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
-
-	t1 = h + e1(e) + Ch(e, f, g) + 0x748f82ee + W[56];
-	t2 = e0(a) + Maj(a, b, c);    d += t1;    h = t1 + t2;
-	t1 = g + e1(d) + Ch(d, e, f) + 0x78a5636f + W[57];
-	t2 = e0(h) + Maj(h, a, b);    c += t1;    g = t1 + t2;
-	t1 = f + e1(c) + Ch(c, d, e) + 0x84c87814 + W[58];
-	t2 = e0(g) + Maj(g, h, a);    b += t1;    f = t1 + t2;
-	t1 = e + e1(b) + Ch(b, c, d) + 0x8cc70208 + W[59];
-	t2 = e0(f) + Maj(f, g, h);    a += t1;    e = t1 + t2;
-	t1 = d + e1(a) + Ch(a, b, c) + 0x90befffa + W[60];
-	t2 = e0(e) + Maj(e, f, g);    h += t1;    d = t1 + t2;
-	t1 = c + e1(h) + Ch(h, a, b) + 0xa4506ceb + W[61];
-	t2 = e0(d) + Maj(d, e, f);    g += t1;    c = t1 + t2;
-	t1 = b + e1(g) + Ch(g, h, a) + 0xbef9a3f7 + W[62];
-	t2 = e0(c) + Maj(c, d, e);    f += t1;    b = t1 + t2;
-	t1 = a + e1(f) + Ch(f, g, h) + 0xc67178f2 + W[63];
-	t2 = e0(b) + Maj(b, c, d);    e += t1;    a = t1 + t2;
-
-	state[0] += a; state[1] += b; state[2] += c; state[3] += d;
-	state[4] += e; state[5] += f; state[6] += g; state[7] += h;
-
-	/* clear any sensitive info... */
-	a = b = c = d = e = f = g = h = t1 = t2 = 0;
-	memzero_explicit(W, 64 * sizeof(u32));
-}
-
 static void sha256_generic_block_fn(struct sha256_state *sst, u8 const *src,
 				    int blocks)
 {
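Review bot: after this removal sha256_generic_block_fn() is the only path from the shash code into the lib, and it calls sha256_transform() alone; sha256_init(), sha256_update() and sha256_final() are then reached by nothing the crypto self-tests exercise. Wiring the shash ops to the lib's init/update/final (plus sha224 variants) instead of sha256_base.h would give those functions coverage, which is what the reply later in the thread proposes.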
@@ -242,7 +55,7 @@ int crypto_sha256_update(struct shash_desc *desc, const u8 *data,
 }
 EXPORT_SYMBOL(crypto_sha256_update);
 
-static int sha256_final(struct shash_desc *desc, u8 *out)
+static int crypto_sha256_final(struct shash_desc *desc, u8 *out)
 {
 	sha256_base_do_finalize(desc, sha256_generic_block_fn);
 	return sha256_base_finish(desc, out);
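Review bot: the rename to crypto_sha256_final is required, not cosmetic: the newly included <crypto/sha256.h> now declares the lib's `int sha256_final(struct sha256_state *sctx, u8 *hash)`, which the file-local `static int sha256_final(struct shash_desc *desc, u8 *out)` would conflict with. The commit message only says the two transforms are identical; add a sentence explaining this rename.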
@@ -252,7 +65,7 @@ int crypto_sha256_finup(struct shash_desc *desc, const u8 *data,
 			unsigned int len, u8 *hash)
 {
 	sha256_base_do_update(desc, data, len, sha256_generic_block_fn);
-	return sha256_final(desc, hash);
+	return crypto_sha256_final(desc, hash);
 }
 EXPORT_SYMBOL(crypto_sha256_finup);
 
@@ -260,7 +73,7 @@ static struct shash_alg sha256_algs[2] = { {
 	.digestsize	=	SHA256_DIGEST_SIZE,
 	.init		=	sha256_base_init,
 	.update		=	crypto_sha256_update,
-	.final		=	sha256_final,
+	.final		=	crypto_sha256_final,
 	.finup		=	crypto_sha256_finup,
 	.descsize	=	sizeof(struct sha256_state),
 	.base		=	{
@@ -274,7 +87,7 @@ static struct shash_alg sha256_algs[2] = { {
 	.digestsize	=	SHA224_DIGEST_SIZE,
 	.init		=	sha224_base_init,
 	.update		=	crypto_sha256_update,
-	.final		=	sha256_final,
+	.final		=	crypto_sha256_final,
 	.finup		=	crypto_sha256_finup,
 	.descsize	=	sizeof(struct sha256_state),
 	.base		=	{
-- 
2.22.0



* Re: [PATCH 6/6] crypto: sha256_generic - Use sha256_transform from generic sha256 lib
  2019-08-16 21:16 ` [PATCH 6/6] crypto: sha256_generic - Use sha256_transform from generic sha256 lib Hans de Goede
@ 2019-08-17  5:13   ` Eric Biggers
  2019-08-17  5:35     ` Eric Biggers
  0 siblings, 1 reply; 15+ messages in thread
From: Eric Biggers @ 2019-08-17  5:13 UTC (permalink / raw)
  To: Hans de Goede
  Cc: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger, Ard Biesheuvel, linux-crypto, x86,
	linux-s390, linux-kernel

On Fri, Aug 16, 2019 at 11:16:11PM +0200, Hans de Goede wrote:
> Drop the duplicate sha256_transform function from crypto/sha256_generic.c
> and use the implementation from lib/crypto/sha256.c instead.
> "diff -u lib/crypto/sha256.c sha256_generic.c"
> shows that both implementations are identical.
> 
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>

Hi Hans, thanks for doing this!

I'm a little concerned that the only sha256 lib function which sha256_generic.c
calls is sha256_transform().  This means that sha256_init(), sha256_update(),
and sha256_final() are not tested by the crypto self-tests.  They could be
broken and we wouldn't know.

IMO, it would be better to make sha256_generic.c use sha256_init(),
sha256_update(), and sha256_final() rather than using sha256_base.h.
Then we'd get test coverage of both the sha256 lib, and of sha256_base.h
via the architecture-specific implementations.

To do this you'll also need to add sha224_init(), sha224_update(), and
sha224_final().  But that's straightforward.

- Eric


* Re: [PATCH 3/6] crypto: sha256 - Move lib/sha256.c to lib/crypto
  2019-08-16 21:16 ` [PATCH 3/6] crypto: sha256 - Move lib/sha256.c to lib/crypto Hans de Goede
@ 2019-08-17  5:19   ` Eric Biggers
  2019-08-17  8:28     ` Hans de Goede
  0 siblings, 1 reply; 15+ messages in thread
From: Eric Biggers @ 2019-08-17  5:19 UTC (permalink / raw)
  To: Hans de Goede
  Cc: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger, Ard Biesheuvel, linux-crypto, x86,
	linux-s390, linux-kernel

On Fri, Aug 16, 2019 at 11:16:08PM +0200, Hans de Goede wrote:
> diff --git a/include/linux/sha256.h b/include/crypto/sha256.h
> similarity index 100%
> rename from include/linux/sha256.h
> rename to include/crypto/sha256.h

<crypto/sha.h> already has the declarations for both SHA-1 and SHA-2, including
SHA-256.  So I'm not sure a separate sha256.h is appropriate.  How about putting
these declarations in <crypto/sha.h>?

- Eric


* Re: [PATCH 6/6] crypto: sha256_generic - Use sha256_transform from generic sha256 lib
  2019-08-17  5:13   ` Eric Biggers
@ 2019-08-17  5:35     ` Eric Biggers
  2019-08-17 12:18       ` Hans de Goede
  0 siblings, 1 reply; 15+ messages in thread
From: Eric Biggers @ 2019-08-17  5:35 UTC (permalink / raw)
  To: Hans de Goede, Herbert Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger, Ard Biesheuvel, linux-crypto, x86,
	linux-s390, linux-kernel

On Fri, Aug 16, 2019 at 10:13:18PM -0700, Eric Biggers wrote:
> On Fri, Aug 16, 2019 at 11:16:11PM +0200, Hans de Goede wrote:
> > Drop the duplicate sha256_transform function from crypto/sha256_generic.c
> > and use the implementation from lib/crypto/sha256.c instead.
> > "diff -u lib/crypto/sha256.c sha256_generic.c"
> > shows that both implementations are identical.
> > 
> > Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> 
> Hi Hans, thanks for doing this!
> 
> I'm a little concerned that the only sha256 lib function which sha256_generic.c
> calls is sha256_transform().  This means that sha256_init(), sha256_update(),
> and sha256_final() are not tested by the crypto self-tests.  They could be
> broken and we wouldn't know.
> 
> IMO, it would be better to make sha256_generic.c use sha256_init(),
> sha256_update(), and sha256_final() rather than using sha256_base.h.
> Then we'd get test coverage of both the sha256 lib, and of sha256_base.h
> via the architecture-specific implementations.
> 
> To do this you'll also need to add sha224_init(), sha224_update(), and
> sha224_final().  But that's straightforward.
> 

This is basically what I'm suggesting:

diff --git a/crypto/sha256_generic.c b/crypto/sha256_generic.c
index 51b3afcb5407..94bb23e33804 100644
--- a/crypto/sha256_generic.c
+++ b/crypto/sha256_generic.c
@@ -39,39 +39,42 @@ const u8 sha256_zero_message_hash[SHA256_DIGEST_SIZE] = {
 };
 EXPORT_SYMBOL_GPL(sha256_zero_message_hash);
 
-static void sha256_generic_block_fn(struct sha256_state *sst, u8 const *src,
-				    int blocks)
+static int crypto_sha256_init(struct shash_desc *desc)
 {
-	while (blocks--) {
-		sha256_transform(sst->state, src);
-		src += SHA256_BLOCK_SIZE;
-	}
+	return sha256_init(shash_desc_ctx(desc));
+}
+
+static int crypto_sha224_init(struct shash_desc *desc)
+{
+	return sha224_init(shash_desc_ctx(desc));
 }
 
 int crypto_sha256_update(struct shash_desc *desc, const u8 *data,
 			  unsigned int len)
 {
-	return sha256_base_do_update(desc, data, len, sha256_generic_block_fn);
+	return sha256_update(shash_desc_ctx(desc), data, len);
 }
 EXPORT_SYMBOL(crypto_sha256_update);
 
 static int crypto_sha256_final(struct shash_desc *desc, u8 *out)
 {
-	sha256_base_do_finalize(desc, sha256_generic_block_fn);
-	return sha256_base_finish(desc, out);
+	if (crypto_shash_digestsize(desc->tfm) == SHA224_DIGEST_SIZE)
+		return sha224_final(shash_desc_ctx(desc), out);
+	else
+		return sha256_final(shash_desc_ctx(desc), out);
 }
 
 int crypto_sha256_finup(struct shash_desc *desc, const u8 *data,
 			unsigned int len, u8 *hash)
 {
-	sha256_base_do_update(desc, data, len, sha256_generic_block_fn);
+	sha256_update(shash_desc_ctx(desc), data, len);
 	return crypto_sha256_final(desc, hash);
 }
 EXPORT_SYMBOL(crypto_sha256_finup);
 
 static struct shash_alg sha256_algs[2] = { {
 	.digestsize	=	SHA256_DIGEST_SIZE,
-	.init		=	sha256_base_init,
+	.init		=	crypto_sha256_init,
 	.update		=	crypto_sha256_update,
 	.final		=	crypto_sha256_final,
 	.finup		=	crypto_sha256_finup,
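Review bot: in crypto_sha256_finup() the return value of `sha256_update(shash_desc_ctx(desc), data, len);` is discarded, while crypto_sha256_update() returns it; both are 0 today, but propagating it (or making the lib's update() void) keeps the two paths consistent. Selecting the SHA-224 finalizer via crypto_shash_digestsize(desc->tfm) works, but a crypto_sha224_final mirroring crypto_sha224_init would avoid the runtime branch and keep the two algorithms' ops symmetric.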
@@ -85,7 +88,7 @@ static struct shash_alg sha256_algs[2] = { {
 	}
 }, {
 	.digestsize	=	SHA224_DIGEST_SIZE,
-	.init		=	sha224_base_init,
+	.init		=	crypto_sha224_init,
 	.update		=	crypto_sha256_update,
 	.final		=	crypto_sha256_final,
 	.finup		=	crypto_sha256_finup,
diff --git a/include/crypto/sha256.h b/include/crypto/sha256.h
index f596202ad85f..44e207fb13ad 100644
--- a/include/crypto/sha256.h
+++ b/include/crypto/sha256.h
@@ -21,9 +21,13 @@
  */
 
 extern int sha256_init(struct sha256_state *sctx);
-extern void sha256_transform(u32 *state, const u8 *input);
 extern int sha256_update(struct sha256_state *sctx, const u8 *input,
 			 unsigned int length);
 extern int sha256_final(struct sha256_state *sctx, u8 *hash);
 
+extern int sha224_init(struct sha256_state *sctx);
+extern int sha224_update(struct sha256_state *sctx, const u8 *input,
+			 unsigned int length);
+extern int sha224_final(struct sha256_state *sctx, u8 *hash);
+
 #endif /* SHA256_H */
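Review bot: sha224_update() only forwards to sha256_update() (see the lib hunk below), so declaring it as a static inline wrapper here would avoid an extra exported symbol for a one-line call; the same holds for any caller that already has to know it is dealing with the shared sha256_state.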
diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
index 3e9cc54f7e1c..d808543b3784 100644
--- a/lib/crypto/sha256.c
+++ b/lib/crypto/sha256.c
@@ -42,7 +42,7 @@ static inline void BLEND_OP(int I, u32 *W)
 	W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16];
 }
 
-void sha256_transform(u32 *state, const u8 *input)
+static void sha256_transform(u32 *state, const u8 *input)
 {
 	u32 a, b, c, d, e, f, g, h, t1, t2;
 	u32 W[64];
@@ -204,7 +204,6 @@ void sha256_transform(u32 *state, const u8 *input)
 	a = b = c = d = e = f = g = h = t1 = t2 = 0;
 	memzero_explicit(W, 64 * sizeof(u32));
 }
-EXPORT_SYMBOL(sha256_transform);
 
 int sha256_init(struct sha256_state *sctx)
 {
@@ -222,6 +221,22 @@ int sha256_init(struct sha256_state *sctx)
 }
 EXPORT_SYMBOL(sha256_init);
 
+int sha224_init(struct sha256_state *sctx)
+{
+	sctx->state[0] = SHA224_H0;
+	sctx->state[1] = SHA224_H1;
+	sctx->state[2] = SHA224_H2;
+	sctx->state[3] = SHA224_H3;
+	sctx->state[4] = SHA224_H4;
+	sctx->state[5] = SHA224_H5;
+	sctx->state[6] = SHA224_H6;
+	sctx->state[7] = SHA224_H7;
+	sctx->count = 0;
+
+	return 0;
+}
+EXPORT_SYMBOL(sha224_init);
+
 int sha256_update(struct sha256_state *sctx, const u8 *data, unsigned int len)
 {
 	unsigned int partial, done;
@@ -253,7 +268,13 @@ int sha256_update(struct sha256_state *sctx, const u8 *data, unsigned int len)
 }
 EXPORT_SYMBOL(sha256_update);
 
-int sha256_final(struct sha256_state *sctx, u8 *out)
+int sha224_update(struct sha256_state *sctx, const u8 *data, unsigned int len)
+{
+	return sha256_update(sctx, data, len);
+}
+EXPORT_SYMBOL(sha224_update);
+
+static int __sha256_final(struct sha256_state *sctx, u8 *out, int digest_words)
 {
 	__be32 *dst = (__be32 *)out;
 	__be64 bits;
@@ -273,7 +294,7 @@ int sha256_final(struct sha256_state *sctx, u8 *out)
 	sha256_update(sctx, (const u8 *)&bits, sizeof(bits));
 
 	/* Store state in digest */
-	for (i = 0; i < 8; i++)
+	for (i = 0; i < digest_words; i++)
 		dst[i] = cpu_to_be32(sctx->state[i]);
 
 	/* Zeroize sensitive information. */
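Review bot: `dst[i] = cpu_to_be32(sctx->state[i]);` through `__be32 *dst = (__be32 *)out;` is the unaligned access in sha256_final() flagged elsewhere in this thread; since this hunk already touches that loop, it is the natural place to switch to `put_unaligned_be32(sctx->state[i], out + 4 * i);`, after which the __be32 cast of `out` can go.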
@@ -281,4 +302,15 @@ int sha256_final(struct sha256_state *sctx, u8 *out)
 
 	return 0;
 }
+
+int sha256_final(struct sha256_state *sctx, u8 *out)
+{
+	return __sha256_final(sctx, out, 8);
+}
 EXPORT_SYMBOL(sha256_final);
+
+int sha224_final(struct sha256_state *sctx, u8 *out)
+{
+	return __sha256_final(sctx, out, 7);
+}
+EXPORT_SYMBOL(sha224_final);
-- 
2.22.0



* Re: [PATCH 4/6] crypto: sha256 - Use get_unaligned_be32 to get input, memzero_explicit
  2019-08-16 21:16 ` [PATCH 4/6] crypto: sha256 - Use get_unaligned_be32 to get input, memzero_explicit Hans de Goede
@ 2019-08-17  5:37   ` Eric Biggers
  0 siblings, 0 replies; 15+ messages in thread
From: Eric Biggers @ 2019-08-17  5:37 UTC (permalink / raw)
  To: Hans de Goede
  Cc: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger, Ard Biesheuvel, linux-crypto, x86,
	linux-s390, linux-kernel

On Fri, Aug 16, 2019 at 11:16:09PM +0200, Hans de Goede wrote:
> Use get_unaligned_be32 in the lib/crypto/sha256.c sha256_transform()
> implementation so that it can be used with unaligned buffers too,
> making it more generic.
> 
> And use memzero_explicit for better clearing of sensitive data.
> 
> Note unlike other patches in this series this commit actually makes
> functional changes to the sha256 code as used by the purgatory code.
> 
> This fully aligns the lib/crypto/sha256.c sha256_transform()
> implementation with the one from crypto/sha256_generic.c allowing us
> to remove the latter in further patches in this series.
> 
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> ---
>  lib/crypto/sha256.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
> index b8114028d06f..09a435d845fc 100644
> --- a/lib/crypto/sha256.c
> +++ b/lib/crypto/sha256.c
> @@ -14,7 +14,7 @@
>  #include <linux/bitops.h>
>  #include <linux/string.h>
>  #include <crypto/sha256.h>
> -#include <asm/byteorder.h>
> +#include <asm/unaligned.h>
>  
>  static inline u32 Ch(u32 x, u32 y, u32 z)
>  {
> @@ -33,7 +33,7 @@ static inline u32 Maj(u32 x, u32 y, u32 z)
>  
>  static inline void LOAD_OP(int I, u32 *W, const u8 *input)
>  {
> -	W[I] = __be32_to_cpu(((__be32 *)(input))[I]);
> +	W[I] = get_unaligned_be32((__u32 *)input + I);
>  }
>  
>  static inline void BLEND_OP(int I, u32 *W)
> @@ -201,7 +201,7 @@ static void sha256_transform(u32 *state, const u8 *input)
>  
>  	/* clear any sensitive info... */
>  	a = b = c = d = e = f = g = h = t1 = t2 = 0;
> -	memset(W, 0, 64 * sizeof(u32));
> +	memzero_explicit(W, 64 * sizeof(u32));
>  }
>  

There's also an unaligned access in sha256_final() which needs to be fixed.

- Eric

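An added example, not code from this thread or from the kernel, that carries the two alignment points raised here (the LOAD_OP change in 4/6 and the remaining unaligned store in sha256_final()) through a complete SHA-256/SHA-224 digest in portable C: byte-wise big-endian helpers stand in for get_unaligned_be32()/put_unaligned_be32(), a rolled-up loop replaces the kernel's unrolled transform, and the finalizer takes a digest_words count like the __sha256_final() proposed above. All ex_* names, ex_memzero() standing in for memzero_explicit(), and the one-shot API are this example's own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Byte-wise stand-ins for the kernel's get_unaligned_be32()/put_unaligned_be32():
 * no pointer cast, so neither the input block nor the digest buffer needs alignment. */
static uint32_t ex_get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void ex_put_be32(uint8_t *p, uint32_t v)
{
	p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Userspace stand-in for memzero_explicit(): volatile stores survive dead-store elimination. */
static void ex_memzero(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }

static uint32_t ror32(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }
#define Ch(x, y, z)  ((z) ^ ((x) & ((y) ^ (z))))
#define Maj(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
#define e0(x) (ror32(x, 2) ^ ror32(x, 13) ^ ror32(x, 22))
#define e1(x) (ror32(x, 6) ^ ror32(x, 11) ^ ror32(x, 25))
#define s0(x) (ror32(x, 7) ^ ror32(x, 18) ^ ((x) >> 3))
#define s1(x) (ror32(x, 17) ^ ror32(x, 19) ^ ((x) >> 10))

/* Round constants K[0..63]; the kernel's unrolled transform inlines these as literals. */
static const uint32_t K[64] = {
	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
};
/* FIPS 180-4 initial hash values for SHA-256 and SHA-224. */
static const uint32_t H256[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
				  0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
static const uint32_t H224[8] = { 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
				  0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4 };

/* Compression function: a rolled-up equivalent of the kernel's sha256_transform(). */
static void ex_transform(uint32_t *st, const uint8_t *in)
{
	uint32_t W[64], a, b, c, d, e, f, g, h, t1, t2;
	int i;

	for (i = 0; i < 16; i++)	/* LOAD_OP: big-endian load that tolerates any alignment */
		W[i] = ex_get_be32(in + 4 * i);
	for (i = 16; i < 64; i++)	/* BLEND_OP */
		W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];

	a = st[0]; b = st[1]; c = st[2]; d = st[3];
	e = st[4]; f = st[5]; g = st[6]; h = st[7];
	for (i = 0; i < 64; i++) {
		t1 = h + e1(e) + Ch(e, f, g) + K[i] + W[i];
		t2 = e0(a) + Maj(a, b, c);
		h = g; g = f; f = e; e = d + t1;
		d = c; c = b; b = a; a = t1 + t2;
	}
	st[0] += a; st[1] += b; st[2] += c; st[3] += d;
	st[4] += e; st[5] += f; st[6] += g; st[7] += h;
	ex_memzero(W, sizeof(W));	/* the expanded message schedule is sensitive */
}

/* One-shot digest. digest_words is 8 for SHA-256 and 7 for SHA-224, as in the
 * __sha256_final() proposed in this thread; returns the digest length in bytes.
 * Neither msg nor out needs to be 4-byte aligned. */
static size_t ex_digest(const uint8_t *msg, size_t len, uint8_t *out, int digest_words)
{
	uint32_t st[8];
	uint8_t last[128];	/* final block, plus one more when the length field does not fit */
	size_t i, rem = len % 64, padlen = rem < 56 ? 64 : 128;

	memcpy(st, digest_words == 7 ? H224 : H256, sizeof(st));
	for (i = 0; i + 64 <= len; i += 64)
		ex_transform(st, msg + i);
	/* padding: 0x80, zeros, then the 64-bit big-endian bit length of the message */
	memset(last, 0, sizeof(last));
	memcpy(last, msg + i, rem);
	last[rem] = 0x80;
	for (i = 0; i < 8; i++)
		last[padlen - 8 + i] = (uint8_t)(((uint64_t)len * 8) >> (56 - 8 * i));
	ex_transform(st, last);
	if (padlen == 128)
		ex_transform(st, last + 64);
	for (i = 0; i < (size_t)digest_words; i++)	/* store without a __be32 cast of out */
		ex_put_be32(out + 4 * i, st[i]);
	ex_memzero(st, sizeof(st));
	ex_memzero(last, sizeof(last));
	return 4 * (size_t)digest_words;
}
```

Hashing into `out + 1` and from an odd-offset input buffer exercises exactly the unaligned cases the kernel's `(__be32 *)` casts would trip on.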

* Re: [PATCH 3/6] crypto: sha256 - Move lib/sha256.c to lib/crypto
  2019-08-17  5:19   ` Eric Biggers
@ 2019-08-17  8:28     ` Hans de Goede
  2019-08-18 15:54       ` Eric Biggers
  0 siblings, 1 reply; 15+ messages in thread
From: Hans de Goede @ 2019-08-17  8:28 UTC (permalink / raw)
  To: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger, Ard Biesheuvel, linux-crypto, x86,
	linux-s390, linux-kernel

Hi,

On 17-08-19 07:19, Eric Biggers wrote:
> On Fri, Aug 16, 2019 at 11:16:08PM +0200, Hans de Goede wrote:
>> diff --git a/include/linux/sha256.h b/include/crypto/sha256.h
>> similarity index 100%
>> rename from include/linux/sha256.h
>> rename to include/crypto/sha256.h
> 
> <crypto/sha.h> already has the declarations for both SHA-1 and SHA-2, including
> SHA-256.  So I'm not sure a separate sha256.h is appropriate.  How about putting
> these declarations in <crypto/sha.h>?

The problem with that is that the sha256_init, etc. names are quite generic
and they have not been reserved before, so a lot of the crypto hw-accel
drivers use them, for private file-local (static) code, e.g.:

[hans@shalem linux]$ ack -l sha256_init
include/crypto/sha256.h
drivers/crypto/marvell/hash.c
drivers/crypto/ccp/ccp-ops.c
drivers/crypto/nx/nx-sha256.c
drivers/crypto/ux500/hash/hash_core.c
drivers/crypto/inside-secure/safexcel_hash.c
drivers/crypto/chelsio/chcr_algo.h
drivers/crypto/stm32/stm32-hash.c
drivers/crypto/omap-sham.c
drivers/crypto/padlock-sha.c
drivers/crypto/n2_core.c
drivers/crypto/atmel-aes.c
drivers/crypto/axis/artpec6_crypto.c
drivers/crypto/mediatek/mtk-sha.c
drivers/crypto/qat/qat_common/qat_algs.c
drivers/crypto/img-hash.c
drivers/crypto/ccree/cc_hash.c
lib/crypto/sha256.c
arch/powerpc/crypto/sha256-spe-glue.c
arch/mips/cavium-octeon/crypto/octeon-sha256.c
arch/x86/purgatory/purgatory.c
arch/s390/crypto/sha256_s390.c
arch/s390/purgatory/purgatory.c

(in case you do not know, ack is a smarter grep, which skips .o files, etc.)

All these do include crypto/sha.h and putting the stuff which is in what
was linux/sha256.h into crypto/sha.h leads to name collisions which cause
more churn than I would like this series to cause.

I guess we could do a cleanup afterwards, with one patch per file above
to fix the name collision issue, and then merge the 2 headers. I do not
want to do that for this series, as I want to keep this series as KISS
as possible since it is messing with somewhat sensitive stuff.

And TBH I even wonder if a follow-up series is worth the churn...

Regards,

Hans



* Re: [PATCH 6/6] crypto: sha256_generic - Use sha256_transform from generic sha256 lib
  2019-08-17  5:35     ` Eric Biggers
@ 2019-08-17 12:18       ` Hans de Goede
  0 siblings, 0 replies; 15+ messages in thread
From: Hans de Goede @ 2019-08-17 12:18 UTC (permalink / raw)
  To: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger, Ard Biesheuvel, linux-crypto, x86,
	linux-s390, linux-kernel

Hi Eric,

Thank you for the review and for the quick turnaround time on the review.

On 17-08-19 07:35, Eric Biggers wrote:
> On Fri, Aug 16, 2019 at 10:13:18PM -0700, Eric Biggers wrote:
>> On Fri, Aug 16, 2019 at 11:16:11PM +0200, Hans de Goede wrote:
>>> Drop the duplicate sha256_transform function from crypto/sha256_generic.c
>>> and use the implementation from lib/crypto/sha256.c instead.
>>> "diff -u lib/crypto/sha256.c sha256_generic.c"
>>> shows that both implementations are identical.
>>>
>>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>>
>> Hi Hans, thanks for doing this!
>>
>> I'm a little concerned that the only sha256 lib function which sha256_generic.c
>> calls is sha256_transform().  This means that sha256_init(), sha256_update(),
>> and sha256_final() are not tested by the crypto self-tests.  They could be
>> broken and we wouldn't know.
>>
>> IMO, it would be better to make sha256_generic.c use sha256_init(),
>> sha256_update(), and sha256_final() rather than using sha256_base.h.
>> Then we'd get test coverage of both the sha256 lib, and of sha256_base.h
>> via the architecture-specific implementations.
>>
>> To do this you'll also need to add sha224_init(), sha224_update(), and
>> sha224_final().  But that's straightforward.
>>
> 
> This is basically what I'm suggesting:
> 
> diff --git a/crypto/sha256_generic.c b/crypto/sha256_generic.c
> index 51b3afcb5407..94bb23e33804 100644
> --- a/crypto/sha256_generic.c
> +++ b/crypto/sha256_generic.c
> @@ -39,39 +39,42 @@ const u8 sha256_zero_message_hash[SHA256_DIGEST_SIZE] = {
>   };
>   EXPORT_SYMBOL_GPL(sha256_zero_message_hash);
>   
> -static void sha256_generic_block_fn(struct sha256_state *sst, u8 const *src,
> -				    int blocks)
> +static int crypto_sha256_init(struct shash_desc *desc)
>   {
> -	while (blocks--) {
> -		sha256_transform(sst->state, src);
> -		src += SHA256_BLOCK_SIZE;
> -	}
> +	return sha256_init(shash_desc_ctx(desc));
> +}
> +
> +static int crypto_sha224_init(struct shash_desc *desc)
> +{
> +	return sha224_init(shash_desc_ctx(desc));
>   }
>   
>   int crypto_sha256_update(struct shash_desc *desc, const u8 *data,
>   			  unsigned int len)
>   {
> -	return sha256_base_do_update(desc, data, len, sha256_generic_block_fn);
> +	return sha256_update(shash_desc_ctx(desc), data, len);
>   }
>   EXPORT_SYMBOL(crypto_sha256_update);
>   
>   static int crypto_sha256_final(struct shash_desc *desc, u8 *out)
>   {
> -	sha256_base_do_finalize(desc, sha256_generic_block_fn);
> -	return sha256_base_finish(desc, out);
> +	if (crypto_shash_digestsize(desc->tfm) == SHA224_DIGEST_SIZE)
> +		return sha224_final(shash_desc_ctx(desc), out);
> +	else
> +		return sha256_final(shash_desc_ctx(desc), out);
>   }
>   
>   int crypto_sha256_finup(struct shash_desc *desc, const u8 *data,
>   			unsigned int len, u8 *hash)
>   {
> -	sha256_base_do_update(desc, data, len, sha256_generic_block_fn);
> +	sha256_update(shash_desc_ctx(desc), data, len);
>   	return crypto_sha256_final(desc, hash);
>   }
>   EXPORT_SYMBOL(crypto_sha256_finup);
>   
>   static struct shash_alg sha256_algs[2] = { {
>   	.digestsize	=	SHA256_DIGEST_SIZE,
> -	.init		=	sha256_base_init,
> +	.init		=	crypto_sha256_init,
>   	.update		=	crypto_sha256_update,
>   	.final		=	crypto_sha256_final,
>   	.finup		=	crypto_sha256_finup,
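
Review bot: crypto_sha256_finup() discards the return value of sha256_update() while crypto_sha256_update() returns it; that is only harmless because the lib functions unconditionally `return 0;`. Either propagate it (`int ret = sha256_update(...); if (ret) return ret;`) or, since no error path exists, make the lib's init/update/final return void so the shash wrappers need no return-value plumbing at all.
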
> @@ -85,7 +88,7 @@ static struct shash_alg sha256_algs[2] = { {
>   	}
>   }, {
>   	.digestsize	=	SHA224_DIGEST_SIZE,
> -	.init		=	sha224_base_init,
> +	.init		=	crypto_sha224_init,
>   	.update		=	crypto_sha256_update,
>   	.final		=	crypto_sha256_final,
>   	.finup		=	crypto_sha256_finup,
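
Review bot: the SHA-224 entry keeps `.final = crypto_sha256_final` and depends on the `crypto_shash_digestsize(desc->tfm) == SHA224_DIGEST_SIZE` check inside it to reach sha224_final(); a dedicated `crypto_sha224_final()` wrapper (and a matching finup), mirroring what this patch already does with `.init = crypto_sha224_init`, removes the runtime branch and lets each shash_alg entry state its own finalisation.
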
> diff --git a/include/crypto/sha256.h b/include/crypto/sha256.h
> index f596202ad85f..44e207fb13ad 100644
> --- a/include/crypto/sha256.h
> +++ b/include/crypto/sha256.h
> @@ -21,9 +21,13 @@
>    */
>   
>   extern int sha256_init(struct sha256_state *sctx);
> -extern void sha256_transform(u32 *state, const u8 *input);
>   extern int sha256_update(struct sha256_state *sctx, const u8 *input,
>   			 unsigned int length);
>   extern int sha256_final(struct sha256_state *sctx, u8 *hash);
>   
> +extern int sha224_init(struct sha256_state *sctx);
> +extern int sha224_update(struct sha256_state *sctx, const u8 *input,
> +			 unsigned int length);
> +extern int sha224_final(struct sha256_state *sctx, u8 *hash);
> +
>   #endif /* SHA256_H */
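
Review bot: removing `extern void sha256_transform(u32 *state, const u8 *input);` from the public header is safe only if no caller outside lib/crypto remains; the one visible in this thread is crypto/sha256_generic.c, which this same patch converts, so say in the commit message that the symbol is deliberately made static and un-exported rather than leaving the next reader to grep for it.
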
> diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c
> index 3e9cc54f7e1c..d808543b3784 100644
> --- a/lib/crypto/sha256.c
> +++ b/lib/crypto/sha256.c
> @@ -42,7 +42,7 @@ static inline void BLEND_OP(int I, u32 *W)
>   	W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16];
>   }
>   
> -void sha256_transform(u32 *state, const u8 *input)
> +static void sha256_transform(u32 *state, const u8 *input)
>   {
>   	u32 a, b, c, d, e, f, g, h, t1, t2;
>   	u32 W[64];
> @@ -204,7 +204,6 @@ void sha256_transform(u32 *state, const u8 *input)
>   	a = b = c = d = e = f = g = h = t1 = t2 = 0;
>   	memzero_explicit(W, 64 * sizeof(u32));
>   }
> -EXPORT_SYMBOL(sha256_transform);
>   
>   int sha256_init(struct sha256_state *sctx)
>   {
> @@ -222,6 +221,22 @@ int sha256_init(struct sha256_state *sctx)
>   }
>   EXPORT_SYMBOL(sha256_init);
>   
> +int sha224_init(struct sha256_state *sctx)
> +{
> +	sctx->state[0] = SHA224_H0;
> +	sctx->state[1] = SHA224_H1;
> +	sctx->state[2] = SHA224_H2;
> +	sctx->state[3] = SHA224_H3;
> +	sctx->state[4] = SHA224_H4;
> +	sctx->state[5] = SHA224_H5;
> +	sctx->state[6] = SHA224_H6;
> +	sctx->state[7] = SHA224_H7;
> +	sctx->count = 0;
> +
> +	return 0;
> +}
> +EXPORT_SYMBOL(sha224_init);
> +
>   int sha256_update(struct sha256_state *sctx, const u8 *data, unsigned int len)
>   {
>   	unsigned int partial, done;
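
Review bot: sha224_init() duplicates sha256_init() line for line with the SHA224_H0..H7 constants swapped in; a shared `static int __sha256_init(struct sha256_state *sctx, const u32 *iv)` (or a memcpy from a const u32[8] table) keeps the two initialisers in lockstep and matches the `__sha256_final(..., digest_words)` pattern used further down in this patch.
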
> @@ -253,7 +268,13 @@ int sha256_update(struct sha256_state *sctx, const u8 *data, unsigned int len)
>   }
>   EXPORT_SYMBOL(sha256_update);
>   
> -int sha256_final(struct sha256_state *sctx, u8 *out)
> +int sha224_update(struct sha256_state *sctx, const u8 *data, unsigned int len)
> +{
> +	return sha256_update(sctx, data, len);
> +}
> +EXPORT_SYMBOL(sha224_update);
> +
> +static int __sha256_final(struct sha256_state *sctx, u8 *out, int digest_words)
>   {
>   	__be32 *dst = (__be32 *)out;
>   	__be64 bits;
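
Review bot: sha224_update() is a pure passthrough to sha256_update() yet gets its own EXPORT_SYMBOL; a `static inline int sha224_update(...) { return sha256_update(sctx, data, len); }` in <crypto/sha256.h> gives callers the same name without an extra exported symbol and an out-of-line call.
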
> @@ -273,7 +294,7 @@ int sha256_final(struct sha256_state *sctx, u8 *out)
>   	sha256_update(sctx, (const u8 *)&bits, sizeof(bits));
>   
>   	/* Store state in digest */
> -	for (i = 0; i < 8; i++)
> +	for (i = 0; i < digest_words; i++)
>   		dst[i] = cpu_to_be32(sctx->state[i]);
>   
>   	/* Zeroize sensitive information. */
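
Review bot: `dst[i] = cpu_to_be32(sctx->state[i]);` writes through the `__be32 *dst = (__be32 *)out;` cast, which is the unaligned access in sha256_final() raised in the PATCH 4/6 review; since this hunk is already reworking the loop, change it to `put_unaligned_be32(sctx->state[i], out + i * 4);` so both the SHA-256 and the SHA-224 callers may pass an arbitrarily aligned output buffer.
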
> @@ -281,4 +302,15 @@ int sha256_final(struct sha256_state *sctx, u8 *out)
>   
>   	return 0;
>   }
> +
> +int sha256_final(struct sha256_state *sctx, u8 *out)
> +{
> +	return __sha256_final(sctx, out, 8);
> +}
>   EXPORT_SYMBOL(sha256_final);
> +
> +int sha224_final(struct sha256_state *sctx, u8 *out)
> +{
> +	return __sha256_final(sctx, out, 7);
> +}
> +EXPORT_SYMBOL(sha224_final);
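
Review bot: sha224_final() stores 7 words, so `out` must hold at least SHA224_DIGEST_SIZE bytes while sha256_final() needs SHA256_DIGEST_SIZE; neither requirement is written down next to the prototypes in <crypto/sha256.h>, and the callers pass no length to check against, so document the required buffer sizes there.
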

Thank you for the patch, I agree with what you are suggesting, I'm
preparing a new version of the patch series with this added.

I'm adding a:

Suggested-by: Eric Biggers <ebiggers@kernel.org>

to credit you for your input on this.

Regards,

Hans


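Two points from this thread fit together in one small userspace model: Eric's remark in his PATCH 4/6 review that sha256_final() still stores the digest through an unaligned `__be32 *` cast, and his PATCH 6/6 suggestion above that sha224_init()/sha224_final() share a `__sha256_final(..., digest_words)` with sha256 and that init/update/final should finally get known-answer coverage. The code below is an added example written for this page, not code from Hans's series, Eric's patch or the kernel tree. It keeps the lib/crypto names and shape (struct sha256_state, sha256_init/update/final, sha224_*), but get_unaligned_be32(), put_unaligned_be32() and memzero_explicit() are local stand-ins with the same semantics as the kernel helpers, and sha2_kat() is a hypothetical self-test helper that feeds a message in odd-sized chunks and writes the digest into a deliberately misaligned buffer.

```c
/* Added example, not the kernel's code: userspace SHA-256/SHA-224 in the shape of the lib/crypto API
 * from the thread; get_unaligned_be32(), put_unaligned_be32() and memzero_explicit() are local stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SHA256_BLOCK_SIZE 64
struct sha256_state { uint32_t state[8]; uint64_t count; uint8_t buf[SHA256_BLOCK_SIZE]; };
/* Byte-wise big-endian accessors: correct at any alignment, on any host endianness. */
static uint32_t get_unaligned_be32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void put_unaligned_be32(uint32_t v, uint8_t *p)
{ p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
/* Stores through a volatile pointer survive dead-store elimination; a trailing memset() may not. */
static void memzero_explicit(void *s, size_t n)
{ for (volatile uint8_t *p = s; n; n--) *p++ = 0; }
static const uint32_t K[64] = {
	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };
static const uint32_t sha256_iv[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
				       0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
static const uint32_t sha224_iv[8] = { 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
				       0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4 };
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
#define Ch(x, y, z) (((x) & (y)) ^ (~(x) & (z)))
#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#define e0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
#define e1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ ((x) >> 3))
#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ ((x) >> 10))
/* Compress one 64-byte block; the input is read byte-wise, so it may be unaligned. */
static void sha256_transform(uint32_t *state, const uint8_t *input)
{
	uint32_t W[64], a, b, c, d, e, f, g, h, t1, t2; int i;
	for (i = 0; i < 16; i++) W[i] = get_unaligned_be32(input + 4 * i);
	for (; i < 64; i++) W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
	a = state[0]; b = state[1]; c = state[2]; d = state[3]; e = state[4]; f = state[5]; g = state[6]; h = state[7];
	for (i = 0; i < 64; i++) {
		t1 = h + e1(e) + Ch(e, f, g) + K[i] + W[i];
		t2 = e0(a) + Maj(a, b, c);
		h = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
	}
	state[0] += a; state[1] += b; state[2] += c; state[3] += d;
	state[4] += e; state[5] += f; state[6] += g; state[7] += h;
	memzero_explicit(W, sizeof(W)); /* wipe the expanded message schedule */
}
/* SHA-224 is SHA-256 with a different IV, emitting 7 of the 8 state words. */
static int __sha256_init(struct sha256_state *sctx, const uint32_t *iv)
{ memcpy(sctx->state, iv, sizeof(sctx->state)); sctx->count = 0; return 0; }
int sha256_init(struct sha256_state *sctx) { return __sha256_init(sctx, sha256_iv); }
int sha224_init(struct sha256_state *sctx) { return __sha256_init(sctx, sha224_iv); }
int sha256_update(struct sha256_state *sctx, const uint8_t *data, size_t len)
{
	size_t partial = sctx->count % SHA256_BLOCK_SIZE, fill = SHA256_BLOCK_SIZE - partial;
	sctx->count += len;
	if (len < fill) { memcpy(sctx->buf + partial, data, len); return 0; }
	if (partial) { /* complete the pending block first */
		memcpy(sctx->buf + partial, data, fill); sha256_transform(sctx->state, sctx->buf);
		data += fill; len -= fill;
	}
	for (; len >= SHA256_BLOCK_SIZE; data += SHA256_BLOCK_SIZE, len -= SHA256_BLOCK_SIZE)
		sha256_transform(sctx->state, data); /* straight from the caller's buffer */
	memcpy(sctx->buf, data, len);
	return 0;
}
static int __sha256_final(struct sha256_state *sctx, uint8_t *out, int digest_words)
{
	static const uint8_t pad[SHA256_BLOCK_SIZE] = { 0x80 };
	size_t partial = sctx->count % SHA256_BLOCK_SIZE;
	uint8_t len_be[8]; int i;
	put_unaligned_be32(sctx->count >> 29, len_be); /* message length in bits, big-endian */
	put_unaligned_be32(sctx->count << 3, len_be + 4);
	sha256_update(sctx, pad, partial < 56 ? 56 - partial : 120 - partial);
	sha256_update(sctx, len_be, sizeof(len_be));
	for (i = 0; i < digest_words; i++) /* byte-wise store: out may be unaligned */
		put_unaligned_be32(sctx->state[i], out + 4 * i);
	memzero_explicit(sctx, sizeof(*sctx));
	return 0;
}
int sha256_final(struct sha256_state *sctx, uint8_t *out) { return __sha256_final(sctx, out, 8); }
int sha224_final(struct sha256_state *sctx, uint8_t *out) { return __sha256_final(sctx, out, 7); }
/* Known-answer check: msg fed `chunk` bytes per update() into a misaligned buffer; words is 8 or 7. */
int sha2_kat(int words, const char *msg, size_t chunk, const char *hex)
{
	struct sha256_state sctx; char got[2 * 32 + 1];
	uint8_t out[1 + 32], *dst = out + 1; /* dst is misaligned on purpose */
	size_t i, len = strlen(msg);
	if (words == 7) sha224_init(&sctx); else sha256_init(&sctx);
	for (i = 0; i < len; i += chunk)
		sha256_update(&sctx, (const uint8_t *)msg + i, len - i < chunk ? len - i : chunk);
	if (words == 7) sha224_final(&sctx, dst); else sha256_final(&sctx, dst);
	for (i = 0; i < 4 * (size_t)words; i++) sprintf(got + 2 * i, "%02x", dst[i]);
	return !strcmp(got, hex);
}
```

With the FIPS 180-4 vectors, sha2_kat(8, "abc", 64, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad") and sha2_kat(7, "abc", 1, "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7") both return 1. The byte-wise put_unaligned_be32() in __sha256_final() is what lets the `out + 1` buffer in sha2_kat() work on strict-alignment hardware, which the `(__be32 *)out` cast in the quoted patch would not; and memzero_explicit() writes through a volatile pointer because a plain memset() of a buffer that is never read again may be removed by the compiler, which is the reason the series switched the W[] wipe to memzero_explicit().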

* Re: [PATCH 3/6] crypto: sha256 - Move lib/sha256.c to lib/crypto
  2019-08-17  8:28     ` Hans de Goede
@ 2019-08-18 15:54       ` Eric Biggers
  2019-08-18 16:08         ` Hans de Goede
  0 siblings, 1 reply; 15+ messages in thread
From: Eric Biggers @ 2019-08-18 15:54 UTC (permalink / raw)
  To: Hans de Goede
  Cc: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger, Ard Biesheuvel, linux-crypto, x86,
	linux-s390, linux-kernel

On Sat, Aug 17, 2019 at 10:28:04AM +0200, Hans de Goede wrote:
> Hi,
> 
> On 17-08-19 07:19, Eric Biggers wrote:
> > On Fri, Aug 16, 2019 at 11:16:08PM +0200, Hans de Goede wrote:
> > > diff --git a/include/linux/sha256.h b/include/crypto/sha256.h
> > > similarity index 100%
> > > rename from include/linux/sha256.h
> > > rename to include/crypto/sha256.h
> > 
> > <crypto/sha.h> already has the declarations for both SHA-1 and SHA-2, including
> > SHA-256.  So I'm not sure a separate sha256.h is appropriate.  How about putting
> > these declarations in <crypto/sha.h>?
> 
> The problem with that is that the sha256_init, etc. names are quite generic
> and they have not been reserved before, so a lot of the crypto hw-accel
> drivers use them, for private file-local (static) code, e.g.:
> 
> [hans@shalem linux]$ ack -l sha256_init
> include/crypto/sha256.h
> drivers/crypto/marvell/hash.c
> drivers/crypto/ccp/ccp-ops.c
> drivers/crypto/nx/nx-sha256.c
> drivers/crypto/ux500/hash/hash_core.c
> drivers/crypto/inside-secure/safexcel_hash.c
> drivers/crypto/chelsio/chcr_algo.h
> drivers/crypto/stm32/stm32-hash.c
> drivers/crypto/omap-sham.c
> drivers/crypto/padlock-sha.c
> drivers/crypto/n2_core.c
> drivers/crypto/atmel-aes.c
> drivers/crypto/axis/artpec6_crypto.c
> drivers/crypto/mediatek/mtk-sha.c
> drivers/crypto/qat/qat_common/qat_algs.c
> drivers/crypto/img-hash.c
> drivers/crypto/ccree/cc_hash.c
> lib/crypto/sha256.c
> arch/powerpc/crypto/sha256-spe-glue.c
> arch/mips/cavium-octeon/crypto/octeon-sha256.c
> arch/x86/purgatory/purgatory.c
> arch/s390/crypto/sha256_s390.c
> arch/s390/purgatory/purgatory.c
> 
> (in case you do not know, ack is a smarter grep, which skips .o files, etc.)

You need to match at word boundaries to avoid matching on ${foo}_sha256_init().
So it's actually a somewhat shorter list:

$ git grep -l -E '\<sha(224|256)_(init|update|final)\>'
arch/arm/crypto/sha256_glue.c
arch/arm/crypto/sha256_neon_glue.c
arch/arm64/crypto/sha256-glue.c
arch/s390/crypto/sha256_s390.c
arch/s390/purgatory/purgatory.c
arch/x86/crypto/sha256_ssse3_glue.c
arch/x86/purgatory/purgatory.c
crypto/sha256_generic.c
drivers/crypto/ccree/cc_hash.c
drivers/crypto/chelsio/chcr_algo.h
drivers/crypto/n2_core.c
include/linux/sha256.h
lib/sha256.c

5 of these are already edited by this patchset, so that leaves only 8 files.

> 
> All these do include crypto/sha.h and putting the stuff which is in what
> was linux/sha256.h into crypto/sha.h leads to name collisions which cause
> more churn than I would like this series to cause.
> 
> I guess we could do a cleanup afterwards, with one patch per file above
> to fix the name collision issue, and then merge the 2 headers. I do not
> want to do that for this series, as I want to keep this series as KISS
> as possible since it is messing with somewhat sensitive stuff.
> 
> And TBH I even wonder if a follow-up series is worth the churn...
> 

I think it should be done; the same was done when introducing the AES library.
But I'm okay with it being done later, if you want to keep this patchset
shorter.

- Eric


* Re: [PATCH 3/6] crypto: sha256 - Move lib/sha256.c to lib/crypto
  2019-08-18 15:54       ` Eric Biggers
@ 2019-08-18 16:08         ` Hans de Goede
  0 siblings, 0 replies; 15+ messages in thread
From: Hans de Goede @ 2019-08-18 16:08 UTC (permalink / raw)
  To: Herbert Xu, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
	H . Peter Anvin, Heiko Carstens, Vasily Gorbik,
	Christian Borntraeger, Ard Biesheuvel, linux-crypto, x86,
	linux-s390, linux-kernel

Hi,

On 18-08-19 17:54, Eric Biggers wrote:
> On Sat, Aug 17, 2019 at 10:28:04AM +0200, Hans de Goede wrote:
>> Hi,
>>
>> On 17-08-19 07:19, Eric Biggers wrote:
>>> On Fri, Aug 16, 2019 at 11:16:08PM +0200, Hans de Goede wrote:
>>>> diff --git a/include/linux/sha256.h b/include/crypto/sha256.h
>>>> similarity index 100%
>>>> rename from include/linux/sha256.h
>>>> rename to include/crypto/sha256.h
>>>
>>> <crypto/sha.h> already has the declarations for both SHA-1 and SHA-2, including
>>> SHA-256.  So I'm not sure a separate sha256.h is appropriate.  How about putting
>>> these declarations in <crypto/sha.h>?
>>
>> The problem with that is that the sha256_init, etc. names are quite generic
>> and they have not been reserved before, so a lot of the crypto hw-accel
>> drivers use them, for private file-local (static) code, e.g.:
>>
>> [hans@shalem linux]$ ack -l sha256_init
>> include/crypto/sha256.h
>> drivers/crypto/marvell/hash.c
>> drivers/crypto/ccp/ccp-ops.c
>> drivers/crypto/nx/nx-sha256.c
>> drivers/crypto/ux500/hash/hash_core.c
>> drivers/crypto/inside-secure/safexcel_hash.c
>> drivers/crypto/chelsio/chcr_algo.h
>> drivers/crypto/stm32/stm32-hash.c
>> drivers/crypto/omap-sham.c
>> drivers/crypto/padlock-sha.c
>> drivers/crypto/n2_core.c
>> drivers/crypto/atmel-aes.c
>> drivers/crypto/axis/artpec6_crypto.c
>> drivers/crypto/mediatek/mtk-sha.c
>> drivers/crypto/qat/qat_common/qat_algs.c
>> drivers/crypto/img-hash.c
>> drivers/crypto/ccree/cc_hash.c
>> lib/crypto/sha256.c
>> arch/powerpc/crypto/sha256-spe-glue.c
>> arch/mips/cavium-octeon/crypto/octeon-sha256.c
>> arch/x86/purgatory/purgatory.c
>> arch/s390/crypto/sha256_s390.c
>> arch/s390/purgatory/purgatory.c
>>
>> (in case you do not know, ack is a smarter grep, which skips .o files, etc.)
> 
> You need to match at word boundaries to avoid matching on ${foo}_sha256_init().
> So it's actually a somewhat shorter list:
> 
> $ git grep -l -E '\<sha(224|256)_(init|update|final)\>'
> arch/arm/crypto/sha256_glue.c
> arch/arm/crypto/sha256_neon_glue.c
> arch/arm64/crypto/sha256-glue.c
> arch/s390/crypto/sha256_s390.c
> arch/s390/purgatory/purgatory.c
> arch/x86/crypto/sha256_ssse3_glue.c
> arch/x86/purgatory/purgatory.c
> crypto/sha256_generic.c
> drivers/crypto/ccree/cc_hash.c
> drivers/crypto/chelsio/chcr_algo.h
> drivers/crypto/n2_core.c
> include/linux/sha256.h
> lib/sha256.c
> 
> 5 of these are already edited by this patchset, so that leaves only 8 files.

Good point.

>> All these do include crypto/sha.h and putting the stuff which is in what
>> was linux/sha256.h into crypto/sha.h leads to name collisions which cause
>> more churn than I would like this series to cause.
>>
>> I guess we could do a cleanup afterwards, with one patch per file above
>> to fix the name collision issue, and then merge the 2 headers. I do not
>> want to do that for this series, as I want to keep this series as KISS
>> as possible since it is messing with somewhat sensitive stuff.
>>
>> And TBH I even wonder if a follow-up series is worth the churn...
>>
> 
> I think it should be done; the same was done when introducing the AES library.
> But I'm okay with it being done later, if you want to keep this patchset
> shorter.

I would prefer to do this later, so that we can focus on the basis
of merging the 2 implementations now.

I'm willing to commit to doing the cleanup once the base series has been merged.

Regards,

Hans


end of thread

Thread overview: 15+ messages
2019-08-16 21:16 [PATCH 0/6] crypto: sha256 - Merge 2 separate C implementations into 1, put into separate library Hans de Goede
2019-08-16 21:16 ` [PATCH 1/6] crypto: sha256 - Fix some coding style issues Hans de Goede
2019-08-16 21:16 ` [PATCH 2/6] crypto: sha256_generic " Hans de Goede
2019-08-16 21:16 ` [PATCH 3/6] crypto: sha256 - Move lib/sha256.c to lib/crypto Hans de Goede
2019-08-17  5:19   ` Eric Biggers
2019-08-17  8:28     ` Hans de Goede
2019-08-18 15:54       ` Eric Biggers
2019-08-18 16:08         ` Hans de Goede
2019-08-16 21:16 ` [PATCH 4/6] crypto: sha256 - Use get_unaligned_be32 to get input, memzero_explicit Hans de Goede
2019-08-17  5:37   ` Eric Biggers
2019-08-16 21:16 ` [PATCH 5/6] crypto: sha256 - Make lib/crypto/sha256.c suitable for generic use Hans de Goede
2019-08-16 21:16 ` [PATCH 6/6] crypto: sha256_generic - Use sha256_transform from generic sha256 lib Hans de Goede
2019-08-17  5:13   ` Eric Biggers
2019-08-17  5:35     ` Eric Biggers
2019-08-17 12:18       ` Hans de Goede
