linux-crypto.vger.kernel.org archive mirror
* Regression: hmac(sha3-224) is missing in newer kernels on s390?
@ 2025-07-30  8:11 Ingo Franzki
  2025-07-30 11:29 ` Ingo Franzki
  2025-07-30 16:11 ` Eric Biggers
  0 siblings, 2 replies; 4+ messages in thread
From: Ingo Franzki @ 2025-07-30  8:11 UTC (permalink / raw)
  To: Eric Biggers, Herbert Xu, linux-crypto
  Cc: Harald Freudenberger, Holger Dengler, linux-s390

Hi Eric, Herbert,

I just noticed that the algorithm 'hmac(sha3-224)' is not supported anymore.
This is at least on yesterday's 6.17 as well as on linux-next.
On earlier kernels 'hmac(sha3-224)' was available. I don't exactly know when it started to be missing. 
I can't tell if the same is true on other archs. 

'sha3-224' as digest is there, but 'hmac(sha3-224)' is not. All the other sha3 and all sha2 variants are there as well (digest and hmac).

# grep "sha3-" /proc/crypto
name         : hmac(sha3-512)
driver       : hmac(sha3-512-s390)
name         : hmac(sha3-384)
driver       : hmac(sha3-384-s390)
name         : hmac(sha3-256)
driver       : hmac(sha3-256-s390)
name         : sha3-384
driver       : sha3-384-s390
name         : sha3-512
driver       : sha3-512-s390
name         : sha3-224
driver       : sha3-224-s390   
name         : sha3-256
driver       : sha3-256-s390
name         : sha3-512
driver       : sha3-512-generic
name         : sha3-384
driver       : sha3-384-generic
name         : sha3-256
driver       : sha3-256-generic
name         : sha3-224
driver       : sha3-224-generic

On a 6.11 kernel:

# grep "sha3-" /proc/crypto
name         : sha3-384
driver       : sha3-384-s390
name         : sha3-512
driver       : sha3-512-s390
name         : sha3-224           <---- it's there
driver       : sha3-224-s390
name         : sha3-256
driver       : sha3-256-s390
name         : sha3-512
driver       : sha3-512-generic
name         : sha3-384
driver       : sha3-384-generic
name         : sha3-256
driver       : sha3-256-generic
name         : sha3-224
driver       : sha3-224-generic

-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/



* Re: Regression: hmac(sha3-224) is missing in newer kernels on s390?
  2025-07-30  8:11 Regression: hmac(sha3-224) is missing in newer kernels on s390? Ingo Franzki
@ 2025-07-30 11:29 ` Ingo Franzki
  2025-07-30 16:11 ` Eric Biggers
  1 sibling, 0 replies; 4+ messages in thread
From: Ingo Franzki @ 2025-07-30 11:29 UTC (permalink / raw)
  To: Eric Biggers, Herbert Xu, linux-crypto
  Cc: Harald Freudenberger, Holger Dengler, linux-s390

On 30.07.2025 10:11, Ingo Franzki wrote:

> On a 6.11 kernel:

This must of course be:

On a 6.11 kernel:

# grep sha3- /proc/crypto
name         : hmac(sha3-512)
driver       : hmac(sha3-512-s390)
name         : hmac(sha3-384)
driver       : hmac(sha3-384-s390)
name         : hmac(sha3-224)        <--- it's here
driver       : hmac(sha3-224-s390)
name         : hmac(sha3-256)
driver       : hmac(sha3-256-s390)
name         : sha3-384
driver       : sha3-384-s390
name         : sha3-512
driver       : sha3-512-s390
name         : sha3-224
driver       : sha3-224-s390
name         : sha3-256
driver       : sha3-256-s390
name         : sha3-512
driver       : sha3-512-generic
name         : sha3-384
driver       : sha3-384-generic
name         : sha3-256
driver       : sha3-256-generic
name         : sha3-224
driver       : sha3-224-generic


-- 
Ingo Franzki
eMail: ifranzki@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
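
The comparison made by hand in the two messages above can be automated. The following is an added example, not part of the original thread or of any kernel tooling: it parses /proc/crypto-style text, lists algorithms that disappeared between two kernels, and flags digests that have no hmac() entry. The listings are constructed to mirror the grep output quoted above, the function names are hypothetical, and it assumes the hmac() instances have already been instantiated on the system being checked, as they were in the listings in this thread.

```python
"""Added example: spot hash algorithms that lost their hmac() instance."""

def parse_proc_crypto(text):
    """Map each algorithm name to the set of drivers registered for it."""
    algs, name = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            name = None            # blank line ends a record
            continue
        key, value = key.strip(), value.strip()
        if key == "name":
            name = value
            algs.setdefault(name, set())
        elif key == "driver" and name is not None:
            algs[name].add(value)
    return algs

def digests_without_hmac(algs, prefix="sha3-"):
    """Digests under `prefix` that have no hmac(<digest>) entry."""
    return sorted(n for n in algs
                  if n.startswith(prefix) and f"hmac({n})" not in algs)

def lost_algorithms(old, new):
    """Names registered in the old listing but absent from the new one."""
    return sorted(set(old) - set(new))

def sample(hmac_sizes):
    """Constructed listing shaped like the grep output in the thread."""
    out = []
    for size in hmac_sizes:
        out += [f"name         : hmac(sha3-{size})",
                f"driver       : hmac(sha3-{size}-s390)"]
    for drv in ("s390", "generic"):
        for size in (384, 512, 224, 256):
            out += [f"name         : sha3-{size}",
                    f"driver       : sha3-{size}-{drv}"]
    return "\n".join(out)

# Constructed inputs: 6.11 has all four hmac instances, the newer kernel
# is missing hmac(sha3-224), as reported above.
KERNEL_6_11 = parse_proc_crypto(sample((512, 384, 224, 256)))
KERNEL_NEW = parse_proc_crypto(sample((512, 384, 256)))

if __name__ == "__main__":
    print("lost since 6.11:", lost_algorithms(KERNEL_6_11, KERNEL_NEW))
    print("digests without hmac:", digests_without_hmac(KERNEL_NEW))
```

On a live system the same functions can be fed the contents of /proc/crypto read from disk instead of the constructed samples.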


* Re: Regression: hmac(sha3-224) is missing in newer kernels on s390?
  2025-07-30  8:11 Regression: hmac(sha3-224) is missing in newer kernels on s390? Ingo Franzki
  2025-07-30 11:29 ` Ingo Franzki
@ 2025-07-30 16:11 ` Eric Biggers
  2025-07-31  1:41   ` [PATCH] crypto: hash - Increase HASH_MAX_DESCSIZE for hmac(sha3-224-s390) Herbert Xu
  1 sibling, 1 reply; 4+ messages in thread
From: Eric Biggers @ 2025-07-30 16:11 UTC (permalink / raw)
  To: Ingo Franzki
  Cc: Herbert Xu, linux-crypto, Harald Freudenberger, Holger Dengler,
	linux-s390

On Wed, Jul 30, 2025 at 10:11:47AM +0200, Ingo Franzki wrote:
> Hi Eric, Herbert,
> 
> I just noticed that the algorithm 'hmac(sha3-224)' is not supported anymore.
> This is at least on yesterday's 6.17 as well as on linux-next.
> On earlier kernels 'hmac(sha3-224)' was available. I don't exactly know when it started to be missing. 
> I can't tell if the same is true on other archs. 
> 
> 'sha3-224' as digest is there, but 'hmac(sha3-224)' is not. All the other sha3 and all sha2 variants are there as well (digest and hmac).
> 
> # grep "sha3-" /proc/crypto
> name         : hmac(sha3-512)
> driver       : hmac(sha3-512-s390)
> name         : hmac(sha3-384)
> driver       : hmac(sha3-384-s390)
> name         : hmac(sha3-256)
> driver       : hmac(sha3-256-s390)
> name         : sha3-384
> driver       : sha3-384-s390
> name         : sha3-512
> driver       : sha3-512-s390
> name         : sha3-224
> driver       : sha3-224-s390   
> name         : sha3-256
> driver       : sha3-256-s390
> name         : sha3-512
> driver       : sha3-512-generic
> name         : sha3-384
> driver       : sha3-384-generic
> name         : sha3-256
> driver       : sha3-256-generic
> name         : sha3-224
> driver       : sha3-224-generic
> 
> On a 6.11 kernel:
> 
> # grep "sha3-" /proc/crypto
> name         : sha3-384
> driver       : sha3-384-s390
> name         : sha3-512
> driver       : sha3-512-s390
> name         : sha3-224           <---- it's there
> driver       : sha3-224-s390
> name         : sha3-256
> driver       : sha3-256-s390
> name         : sha3-512
> driver       : sha3-512-generic
> name         : sha3-384
> driver       : sha3-384-generic
> name         : sha3-256
> driver       : sha3-256-generic
> name         : sha3-224
> driver       : sha3-224-generic

I haven't touched SHA-3 yet.  This is a bug from the following commit:

    commit 6f90ba7065515d69b24729cf85c45b2add99e638
    Author: Herbert Xu <herbert@gondor.apana.org.au>
    Date:   Fri Apr 18 11:00:13 2025 +0800

        crypto: s390/sha3 - Use API partial block handling

        Use the Crypto API partial block handling.

        Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

That increased the descsize of hmac(sha3-224-s390) from 368 to 369,
which made it exceed HASH_MAX_DESCSIZE, causing it to fail to register.

- Eric


* [PATCH] crypto: hash - Increase HASH_MAX_DESCSIZE for hmac(sha3-224-s390)
  2025-07-30 16:11 ` Eric Biggers
@ 2025-07-31  1:41   ` Herbert Xu
  0 siblings, 0 replies; 4+ messages in thread
From: Herbert Xu @ 2025-07-31  1:41 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Ingo Franzki, linux-crypto, Harald Freudenberger, Holger Dengler,
	linux-s390

On Wed, Jul 30, 2025 at 09:11:49AM -0700, Eric Biggers wrote:
>
> I haven't touched SHA-3 yet.  This is a bug from the following commit:
> 
>     commit 6f90ba7065515d69b24729cf85c45b2add99e638
>     Author: Herbert Xu <herbert@gondor.apana.org.au>
>     Date:   Fri Apr 18 11:00:13 2025 +0800
> 
>         crypto: s390/sha3 - Use API partial block handling
> 
>         Use the Crypto API partial block handling.
> 
>         Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 
> That increased the descsize of hmac(sha3-224-s390) from 368 to 369,
> which made it exceed HASH_MAX_DESCSIZE, causing it to fail to register.

Thanks for diagnosing the problem.

---8<---
The value of HASH_MAX_DESCSIZE is off by one for hmac(sha3-224-s390).
Fix this so that hmac(sha3-224-s390) can be registered.

Reported-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reported-by: Eric Biggers <ebiggers@kernel.org>
Fixes: 6f90ba706551 ("crypto: s390/sha3 - Use API partial block handling")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/include/crypto/hash.h b/include/crypto/hash.h
index db294d452e8c..bbaeae705ef0 100644
--- a/include/crypto/hash.h
+++ b/include/crypto/hash.h
@@ -184,7 +184,7 @@ struct shash_desc {
  * Worst case is hmac(sha3-224-s390).  Its context is a nested 'shash_desc'
  * containing a 'struct s390_sha_ctx'.
  */
-#define HASH_MAX_DESCSIZE	(sizeof(struct shash_desc) + 360)
+#define HASH_MAX_DESCSIZE	(sizeof(struct shash_desc) + 361)
 #define MAX_SYNC_HASH_REQSIZE	(sizeof(struct ahash_request) + \
 				 HASH_MAX_DESCSIZE)
 
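Review bot: The new limit on the `+#define HASH_MAX_DESCSIZE` line is still a hand-maintained literal (360 becomes 361), and the comment above it names hmac(sha3-224-s390) as the worst case without showing how the number is derived, so the next change to that context can push descsize past the limit again with the only symptom being an algorithm that fails to register. Consider spelling out the arithmetic in the comment and adding a build-time assertion next to the s390 SHA-3 context definition that its hmac descsize fits within HASH_MAX_DESCSIZE, so that a one-byte growth breaks the build rather than registration.
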
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

