From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org,
linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org,
sparclinux@vger.kernel.org, x86@kernel.org,
Ard Biesheuvel <ardb@kernel.org>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH v3 06/16] crypto: sha512 - Use same state format as legacy drivers
Date: Mon, 30 Jun 2025 09:03:10 -0700 [thread overview]
Message-ID: <20250630160320.2888-7-ebiggers@kernel.org> (raw)
In-Reply-To: <20250630160320.2888-1-ebiggers@kernel.org>
Make the export and import functions for the sha384, sha512,
hmac(sha384), and hmac(sha512) shash algorithms use the same format as
the padlock-sha and nx-sha512 drivers, as required by Herbert.
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
crypto/sha512.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 96 insertions(+)
diff --git a/crypto/sha512.c b/crypto/sha512.c
index d1e5400fe5906..fb1c520978ef3 100644
--- a/crypto/sha512.c
+++ b/crypto/sha512.c
@@ -10,10 +10,48 @@
#include <crypto/internal/hash.h>
#include <crypto/sha2.h>
#include <linux/kernel.h>
#include <linux/module.h>
+/*
+ * Export and import functions. crypto_shash wants a particular format that
+ * matches that used by some legacy drivers. It currently is the same as the
+ * library SHA context, except the value in bytecount_lo must be block-aligned
+ * and the remainder must be stored in an extra u8 appended to the struct.
+ */
+
+#define SHA512_SHASH_STATE_SIZE 209
+static_assert(offsetof(struct __sha512_ctx, state) == 0);
+static_assert(offsetof(struct __sha512_ctx, bytecount_lo) == 64);
+static_assert(offsetof(struct __sha512_ctx, bytecount_hi) == 72);
+static_assert(offsetof(struct __sha512_ctx, buf) == 80);
+static_assert(sizeof(struct __sha512_ctx) + 1 == SHA512_SHASH_STATE_SIZE);
+
+static int __crypto_sha512_export(const struct __sha512_ctx *ctx0, void *out)
+{
+ struct __sha512_ctx ctx = *ctx0;
+ unsigned int partial;
+ u8 *p = out;
+
+ partial = ctx.bytecount_lo % SHA512_BLOCK_SIZE;
+ ctx.bytecount_lo -= partial;
+ memcpy(p, &ctx, sizeof(ctx));
+ p += sizeof(ctx);
+ *p = partial;
+ return 0;
+}
+
+static int __crypto_sha512_import(struct __sha512_ctx *ctx, const void *in)
+{
+ const u8 *p = in;
+
+ memcpy(ctx, p, sizeof(*ctx));
+ p += sizeof(*ctx);
+ ctx->bytecount_lo += *p;
+ return 0;
+}
+
/* SHA-384 */
const u8 sha384_zero_message_hash[SHA384_DIGEST_SIZE] = {
0x38, 0xb0, 0x60, 0xa7, 0x51, 0xac, 0x96, 0x38,
0x4c, 0xd9, 0x32, 0x7e, 0xb1, 0xb1, 0xe3, 0x6a,
@@ -50,10 +88,20 @@ static int crypto_sha384_digest(struct shash_desc *desc,
{
sha384(data, len, out);
return 0;
}
+static int crypto_sha384_export(struct shash_desc *desc, void *out)
+{
+ return __crypto_sha512_export(&SHA384_CTX(desc)->ctx, out);
+}
+
+static int crypto_sha384_import(struct shash_desc *desc, const void *in)
+{
+ return __crypto_sha512_import(&SHA384_CTX(desc)->ctx, in);
+}
+
/* SHA-512 */
const u8 sha512_zero_message_hash[SHA512_DIGEST_SIZE] = {
0xcf, 0x83, 0xe1, 0x35, 0x7e, 0xef, 0xb8, 0xbd,
0xf1, 0x54, 0x28, 0x50, 0xd6, 0x6d, 0x80, 0x07,
@@ -92,10 +140,20 @@ static int crypto_sha512_digest(struct shash_desc *desc,
{
sha512(data, len, out);
return 0;
}
+static int crypto_sha512_export(struct shash_desc *desc, void *out)
+{
+ return __crypto_sha512_export(&SHA512_CTX(desc)->ctx, out);
+}
+
+static int crypto_sha512_import(struct shash_desc *desc, const void *in)
+{
+ return __crypto_sha512_import(&SHA512_CTX(desc)->ctx, in);
+}
+
/* HMAC-SHA384 */
#define HMAC_SHA384_KEY(tfm) ((struct hmac_sha384_key *)crypto_shash_ctx(tfm))
#define HMAC_SHA384_CTX(desc) ((struct hmac_sha384_ctx *)shash_desc_ctx(desc))
@@ -131,10 +189,23 @@ static int crypto_hmac_sha384_digest(struct shash_desc *desc,
{
hmac_sha384(HMAC_SHA384_KEY(desc->tfm), data, len, out);
return 0;
}
+static int crypto_hmac_sha384_export(struct shash_desc *desc, void *out)
+{
+ return __crypto_sha512_export(&HMAC_SHA384_CTX(desc)->ctx.sha_ctx, out);
+}
+
+static int crypto_hmac_sha384_import(struct shash_desc *desc, const void *in)
+{
+ struct hmac_sha384_ctx *ctx = HMAC_SHA384_CTX(desc);
+
+ ctx->ctx.ostate = HMAC_SHA384_KEY(desc->tfm)->key.ostate;
+ return __crypto_sha512_import(&ctx->ctx.sha_ctx, in);
+}
+
/* HMAC-SHA512 */
#define HMAC_SHA512_KEY(tfm) ((struct hmac_sha512_key *)crypto_shash_ctx(tfm))
#define HMAC_SHA512_CTX(desc) ((struct hmac_sha512_ctx *)shash_desc_ctx(desc))
@@ -170,10 +241,23 @@ static int crypto_hmac_sha512_digest(struct shash_desc *desc,
{
hmac_sha512(HMAC_SHA512_KEY(desc->tfm), data, len, out);
return 0;
}
+static int crypto_hmac_sha512_export(struct shash_desc *desc, void *out)
+{
+ return __crypto_sha512_export(&HMAC_SHA512_CTX(desc)->ctx.sha_ctx, out);
+}
+
+static int crypto_hmac_sha512_import(struct shash_desc *desc, const void *in)
+{
+ struct hmac_sha512_ctx *ctx = HMAC_SHA512_CTX(desc);
+
+ ctx->ctx.ostate = HMAC_SHA512_KEY(desc->tfm)->key.ostate;
+ return __crypto_sha512_import(&ctx->ctx.sha_ctx, in);
+}
+
/* Algorithm definitions */
static struct shash_alg algs[] = {
{
.base.cra_name = "sha384",
@@ -184,11 +268,14 @@ static struct shash_alg algs[] = {
.digestsize = SHA384_DIGEST_SIZE,
.init = crypto_sha384_init,
.update = crypto_sha384_update,
.final = crypto_sha384_final,
.digest = crypto_sha384_digest,
+ .export = crypto_sha384_export,
+ .import = crypto_sha384_import,
.descsize = sizeof(struct sha384_ctx),
+ .statesize = SHA512_SHASH_STATE_SIZE,
},
{
.base.cra_name = "sha512",
.base.cra_driver_name = "sha512-lib",
.base.cra_priority = 300,
@@ -197,11 +284,14 @@ static struct shash_alg algs[] = {
.digestsize = SHA512_DIGEST_SIZE,
.init = crypto_sha512_init,
.update = crypto_sha512_update,
.final = crypto_sha512_final,
.digest = crypto_sha512_digest,
+ .export = crypto_sha512_export,
+ .import = crypto_sha512_import,
.descsize = sizeof(struct sha512_ctx),
+ .statesize = SHA512_SHASH_STATE_SIZE,
},
{
.base.cra_name = "hmac(sha384)",
.base.cra_driver_name = "hmac-sha384-lib",
.base.cra_priority = 300,
@@ -212,11 +302,14 @@ static struct shash_alg algs[] = {
.setkey = crypto_hmac_sha384_setkey,
.init = crypto_hmac_sha384_init,
.update = crypto_hmac_sha384_update,
.final = crypto_hmac_sha384_final,
.digest = crypto_hmac_sha384_digest,
+ .export = crypto_hmac_sha384_export,
+ .import = crypto_hmac_sha384_import,
.descsize = sizeof(struct hmac_sha384_ctx),
+ .statesize = SHA512_SHASH_STATE_SIZE,
},
{
.base.cra_name = "hmac(sha512)",
.base.cra_driver_name = "hmac-sha512-lib",
.base.cra_priority = 300,
@@ -227,11 +320,14 @@ static struct shash_alg algs[] = {
.setkey = crypto_hmac_sha512_setkey,
.init = crypto_hmac_sha512_init,
.update = crypto_hmac_sha512_update,
.final = crypto_hmac_sha512_final,
.digest = crypto_hmac_sha512_digest,
+ .export = crypto_hmac_sha512_export,
+ .import = crypto_hmac_sha512_import,
.descsize = sizeof(struct hmac_sha512_ctx),
+ .statesize = SHA512_SHASH_STATE_SIZE,
},
};
static int __init crypto_sha512_mod_init(void)
{
--
2.50.0
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org,
linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org,
sparclinux@vger.kernel.org, x86@kernel.org,
Ard Biesheuvel <ardb@kernel.org>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH v3 06/16] crypto: sha512 - Use same state format as legacy drivers
Date: Mon, 30 Jun 2025 09:03:10 -0700 [thread overview]
Message-ID: <20250630160320.2888-7-ebiggers@kernel.org> (raw)
In-Reply-To: <20250630160320.2888-1-ebiggers@kernel.org>
Make the export and import functions for the sha384, sha512,
hmac(sha384), and hmac(sha512) shash algorithms use the same format as
the padlock-sha and nx-sha512 drivers, as required by Herbert.
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
crypto/sha512.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 96 insertions(+)
diff --git a/crypto/sha512.c b/crypto/sha512.c
index d1e5400fe5906..fb1c520978ef3 100644
--- a/crypto/sha512.c
+++ b/crypto/sha512.c
@@ -10,10 +10,48 @@
#include <crypto/internal/hash.h>
#include <crypto/sha2.h>
#include <linux/kernel.h>
#include <linux/module.h>
+/*
+ * Export and import functions. crypto_shash wants a particular format that
+ * matches that used by some legacy drivers. It currently is the same as the
+ * library SHA context, except the value in bytecount_lo must be block-aligned
+ * and the remainder must be stored in an extra u8 appended to the struct.
+ */
+
+#define SHA512_SHASH_STATE_SIZE 209
+static_assert(offsetof(struct __sha512_ctx, state) == 0);
+static_assert(offsetof(struct __sha512_ctx, bytecount_lo) == 64);
+static_assert(offsetof(struct __sha512_ctx, bytecount_hi) == 72);
+static_assert(offsetof(struct __sha512_ctx, buf) == 80);
+static_assert(sizeof(struct __sha512_ctx) + 1 == SHA512_SHASH_STATE_SIZE);
+
+static int __crypto_sha512_export(const struct __sha512_ctx *ctx0, void *out)
+{
+ struct __sha512_ctx ctx = *ctx0;
+ unsigned int partial;
+ u8 *p = out;
+
+ partial = ctx.bytecount_lo % SHA512_BLOCK_SIZE;
+ ctx.bytecount_lo -= partial;
+ memcpy(p, &ctx, sizeof(ctx));
+ p += sizeof(ctx);
+ *p = partial;
+ return 0;
+}
+
+static int __crypto_sha512_import(struct __sha512_ctx *ctx, const void *in)
+{
+ const u8 *p = in;
+
+ memcpy(ctx, p, sizeof(*ctx));
+ p += sizeof(*ctx);
+ ctx->bytecount_lo += *p;
+ return 0;
+}
+
/* SHA-384 */
const u8 sha384_zero_message_hash[SHA384_DIGEST_SIZE] = {
0x38, 0xb0, 0x60, 0xa7, 0x51, 0xac, 0x96, 0x38,
0x4c, 0xd9, 0x32, 0x7e, 0xb1, 0xb1, 0xe3, 0x6a,
@@ -50,10 +88,20 @@ static int crypto_sha384_digest(struct shash_desc *desc,
{
sha384(data, len, out);
return 0;
}
+static int crypto_sha384_export(struct shash_desc *desc, void *out)
+{
+ return __crypto_sha512_export(&SHA384_CTX(desc)->ctx, out);
+}
+
+static int crypto_sha384_import(struct shash_desc *desc, const void *in)
+{
+ return __crypto_sha512_import(&SHA384_CTX(desc)->ctx, in);
+}
+
/* SHA-512 */
const u8 sha512_zero_message_hash[SHA512_DIGEST_SIZE] = {
0xcf, 0x83, 0xe1, 0x35, 0x7e, 0xef, 0xb8, 0xbd,
0xf1, 0x54, 0x28, 0x50, 0xd6, 0x6d, 0x80, 0x07,
@@ -92,10 +140,20 @@ static int crypto_sha512_digest(struct shash_desc *desc,
{
sha512(data, len, out);
return 0;
}
+static int crypto_sha512_export(struct shash_desc *desc, void *out)
+{
+ return __crypto_sha512_export(&SHA512_CTX(desc)->ctx, out);
+}
+
+static int crypto_sha512_import(struct shash_desc *desc, const void *in)
+{
+ return __crypto_sha512_import(&SHA512_CTX(desc)->ctx, in);
+}
+
/* HMAC-SHA384 */
#define HMAC_SHA384_KEY(tfm) ((struct hmac_sha384_key *)crypto_shash_ctx(tfm))
#define HMAC_SHA384_CTX(desc) ((struct hmac_sha384_ctx *)shash_desc_ctx(desc))
@@ -131,10 +189,23 @@ static int crypto_hmac_sha384_digest(struct shash_desc *desc,
{
hmac_sha384(HMAC_SHA384_KEY(desc->tfm), data, len, out);
return 0;
}
+static int crypto_hmac_sha384_export(struct shash_desc *desc, void *out)
+{
+ return __crypto_sha512_export(&HMAC_SHA384_CTX(desc)->ctx.sha_ctx, out);
+}
+
+static int crypto_hmac_sha384_import(struct shash_desc *desc, const void *in)
+{
+ struct hmac_sha384_ctx *ctx = HMAC_SHA384_CTX(desc);
+
+ ctx->ctx.ostate = HMAC_SHA384_KEY(desc->tfm)->key.ostate;
+ return __crypto_sha512_import(&ctx->ctx.sha_ctx, in);
+}
+
/* HMAC-SHA512 */
#define HMAC_SHA512_KEY(tfm) ((struct hmac_sha512_key *)crypto_shash_ctx(tfm))
#define HMAC_SHA512_CTX(desc) ((struct hmac_sha512_ctx *)shash_desc_ctx(desc))
@@ -170,10 +241,23 @@ static int crypto_hmac_sha512_digest(struct shash_desc *desc,
{
hmac_sha512(HMAC_SHA512_KEY(desc->tfm), data, len, out);
return 0;
}
+static int crypto_hmac_sha512_export(struct shash_desc *desc, void *out)
+{
+ return __crypto_sha512_export(&HMAC_SHA512_CTX(desc)->ctx.sha_ctx, out);
+}
+
+static int crypto_hmac_sha512_import(struct shash_desc *desc, const void *in)
+{
+ struct hmac_sha512_ctx *ctx = HMAC_SHA512_CTX(desc);
+
+ ctx->ctx.ostate = HMAC_SHA512_KEY(desc->tfm)->key.ostate;
+ return __crypto_sha512_import(&ctx->ctx.sha_ctx, in);
+}
+
/* Algorithm definitions */
static struct shash_alg algs[] = {
{
.base.cra_name = "sha384",
@@ -184,11 +268,14 @@ static struct shash_alg algs[] = {
.digestsize = SHA384_DIGEST_SIZE,
.init = crypto_sha384_init,
.update = crypto_sha384_update,
.final = crypto_sha384_final,
.digest = crypto_sha384_digest,
+ .export = crypto_sha384_export,
+ .import = crypto_sha384_import,
.descsize = sizeof(struct sha384_ctx),
+ .statesize = SHA512_SHASH_STATE_SIZE,
},
{
.base.cra_name = "sha512",
.base.cra_driver_name = "sha512-lib",
.base.cra_priority = 300,
@@ -197,11 +284,14 @@ static struct shash_alg algs[] = {
.digestsize = SHA512_DIGEST_SIZE,
.init = crypto_sha512_init,
.update = crypto_sha512_update,
.final = crypto_sha512_final,
.digest = crypto_sha512_digest,
+ .export = crypto_sha512_export,
+ .import = crypto_sha512_import,
.descsize = sizeof(struct sha512_ctx),
+ .statesize = SHA512_SHASH_STATE_SIZE,
},
{
.base.cra_name = "hmac(sha384)",
.base.cra_driver_name = "hmac-sha384-lib",
.base.cra_priority = 300,
@@ -212,11 +302,14 @@ static struct shash_alg algs[] = {
.setkey = crypto_hmac_sha384_setkey,
.init = crypto_hmac_sha384_init,
.update = crypto_hmac_sha384_update,
.final = crypto_hmac_sha384_final,
.digest = crypto_hmac_sha384_digest,
+ .export = crypto_hmac_sha384_export,
+ .import = crypto_hmac_sha384_import,
.descsize = sizeof(struct hmac_sha384_ctx),
+ .statesize = SHA512_SHASH_STATE_SIZE,
},
{
.base.cra_name = "hmac(sha512)",
.base.cra_driver_name = "hmac-sha512-lib",
.base.cra_priority = 300,
@@ -227,11 +320,14 @@ static struct shash_alg algs[] = {
.setkey = crypto_hmac_sha512_setkey,
.init = crypto_hmac_sha512_init,
.update = crypto_hmac_sha512_update,
.final = crypto_hmac_sha512_final,
.digest = crypto_hmac_sha512_digest,
+ .export = crypto_hmac_sha512_export,
+ .import = crypto_hmac_sha512_import,
.descsize = sizeof(struct hmac_sha512_ctx),
+ .statesize = SHA512_SHASH_STATE_SIZE,
},
};
static int __init crypto_sha512_mod_init(void)
{
--
2.50.0
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2025-06-30 16:34 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-30 16:03 [PATCH v3 00/16] SHA-512 library functions Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 01/16] crypto: sha512 - Rename conflicting symbols Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 02/16] lib/crypto: sha512: Add support for SHA-384 and SHA-512 Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 03/16] lib/crypto: sha512: Add HMAC-SHA384 and HMAC-SHA512 support Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 04/16] crypto: riscv/sha512 - Stop depending on sha512_generic_block_fn Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 05/16] crypto: sha512 - Replace sha512_generic with wrapper around SHA-512 library Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` Eric Biggers [this message]
2025-06-30 16:03 ` [PATCH v3 06/16] crypto: sha512 - Use same state format as legacy drivers Eric Biggers
2025-06-30 16:03 ` [PATCH v3 07/16] lib/crypto: arm/sha512: Migrate optimized SHA-512 code to library Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 08/16] lib/crypto: arm64/sha512: " Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 09/16] mips: cavium-octeon: Move octeon-crypto.h into asm directory Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 10/16] lib/crypto: mips/sha512: Migrate optimized SHA-512 code to library Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 11/16] lib/crypto: riscv/sha512: " Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 12/16] lib/crypto: s390/sha512: " Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 13/16] lib/crypto: sparc/sha512: " Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 14/16] lib/crypto: x86/sha512: " Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 15/16] lib/crypto: x86/sha512: Remove unnecessary checks for nblocks==0 Eric Biggers
2025-06-30 16:03 ` Eric Biggers
2025-06-30 16:03 ` [PATCH v3 16/16] crypto: sha512 - Remove sha512_base.h Eric Biggers
2025-06-30 16:03 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250630160320.2888-7-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=sparclinux@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.