Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.11 2025-09-03T02:02:37+00:00 2025-09-03T02:02:37+00:00 Eric Biggers ebiggers@kernel.org 2025-09-01T16:50:12+00:00 urn:sha1:30b2a8c4f2f3833f4f813d3e0d003f7c50cdf275 Since commit 9d7a0ab1c753 ("crypto: ahash - Handle partial blocks in API"), the recently-added export_core() and import_core() methods in struct shash_alg have effectively become mandatory (even though it is not tested or enforced), since legacy drivers that need a fallback depend on them. Make crypto/sha256.c compatible with these legacy drivers by adding export_core() and import_core() methods to it. Reported-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Reported-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com> Closes: https://lore.kernel.org/r/aLSnCc9Ws5L9y+8X@gcabiddu-mobl.ger.corp.intel.com Fixes: 07f090959bba ("crypto: sha256 - Use same state format as legacy drivers") Tested-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Tested-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com> Link: https://lore.kernel.org/r/20250901165013.48649-3-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-07-04T17:23:11+00:00 Eric Biggers ebiggers@kernel.org 2025-06-30T16:06:41+00:00 urn:sha1:07f090959bba437dd531bd2e08440ec6bf588878 Make the export and import functions for the sha224, sha256, hmac(sha224), and hmac(sha256) shash algorithms use the same format as the padlock-sha and nx-sha256 drivers, as required by Herbert. Acked-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20250630160645.3198-11-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-07-04T17:23:11+00:00 Eric Biggers ebiggers@kernel.org 2025-06-30T16:06:40+00:00 urn:sha1:e0cd3716910385ba1ccbd433c860516cf806fc71 Like I did for crypto/sha512.c, rework crypto/sha256.c to simply wrap the normal library functions instead of accessing the low-level arch- optimized and generic block functions directly. Also add support for HMAC-SHA224 and HMAC-SHA256, again just wrapping the library functions. Since the replacement crypto_shash algorithms are implemented using the (potentially arch-optimized) library functions, give them driver names ending with "-lib" rather than "-generic". Update crypto/testmgr.c and a couple odd drivers to take this change in driver name into account. Besides the above cases which are accounted for, there are no known cases where the driver names were being depended on. There is potential for confusion for people manually checking /proc/crypto (e.g. https://lore.kernel.org/r/9e33c893-2466-4d4e-afb1-966334e451a2@linux.ibm.com/), but really people just need to get used to the driver name not being meaningful for the software algorithms. Historically, the optimized code was disabled by default, so there was some purpose to checking whether it was enabled or not. However, this is now fixed for all SHA-2 algorithms, and the library code just always does the right thing. E.g. if the CPU supports SHA-256 instructions, they are used. This change does also mean that the generic partial block handling code in crypto/shash.c, which got added in 6.16, no longer gets used. But that's fine; the library has to implement the partial block handling anyway, and it's better to do it in the library since the block size and other properties of the algorithm are all fixed at compile time there, resulting in more streamlined code. Acked-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20250630160645.3198-10-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-07-04T17:18:53+00:00 Eric Biggers ebiggers@kernel.org 2025-06-30T16:06:37+00:00 urn:sha1:b86ced882b8e667758afddffd8d6354197842110 Currently the SHA-224 and SHA-256 library functions can be mixed arbitrarily, even in ways that are incorrect, for example using sha224_init() and sha256_final(). This is because they operate on the same structure, sha256_state. Introduce stronger typing, as I did for SHA-384 and SHA-512. Also as I did for SHA-384 and SHA-512, use the names *_ctx instead of *_state. The *_ctx names have the following small benefits: - They're shorter. - They avoid an ambiguity with the compression function state. - They're consistent with the well-known OpenSSL API. - Users usually name the variable 'sctx' anyway, which suggests that *_ctx would be the more natural name for the actual struct. Therefore: update the SHA-224 and SHA-256 APIs, implementation, and calling code accordingly. In the new structs, also strongly-type the compression function state. Acked-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20250630160645.3198-7-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-05-05T10:20:45+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-05-02T05:31:12+00:00 urn:sha1:3bf5337879101166dfacfbc2a780d1a379c288ba Use the shash partial block API by default. Add a separate set of lib shash algorithms to preserve testing coverage until lib/sha256 has its own tests. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-05-05T10:20:45+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-05-02T05:30:56+00:00 urn:sha1:ff8f037d394f0900597ba527388a6eb95cd02695 The shash interface already handles partial blocks, use it for sha224-generic and sha256-generic instead of going through the lib/sha256 interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-05-05T10:20:44+00:00 Herbert Xu herbert@gondor.apana.org.au 2025-04-30T08:17:02+00:00 urn:sha1:ef93f1562803cd7bb8159e3abedaf7f47dce4e35 This reverts commit c4741b23059794bd99beef0f700103b0d983b3fd. Crypto API self-tests no longer run at registration time and now occur either at late_initcall or upon the first use. Therefore the premise of the above commit no longer exists. Revert it and subsequent additions of subsys_initcall and arch_initcall. Note that lib/crypto calls will stay at subsys_initcall (or rather downgraded from arch_initcall) because they may need to occur before Crypto API registration. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2025-05-05T05:38:12+00:00 Eric Biggers ebiggers@google.com 2025-04-28T17:00:26+00:00 urn:sha1:950e5c84118c9e5b06bb9a9b64edf989ee4034df As has been done for various other algorithms, rework the design of the SHA-256 library to support arch-optimized implementations, and make crypto/sha256.c expose both generic and arch-optimized shash algorithms that wrap the library functions. This allows users of the SHA-256 library functions to take advantage of the arch-optimized code, and this makes it much simpler to integrate SHA-256 for each architecture. Note that sha256_base.h is not used in the new design. It will be removed once all the architecture-specific code has been updated. Move the generic block function into its own module to avoid a circular dependency from libsha256.ko => sha256-$ARCH.ko => libsha256.ko. Signed-off-by: Eric Biggers <ebiggers@google.com> Add export and import functions to maintain existing export format. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2007-10-10T23:55:50+00:00 Sebastian Siewior sebastian@breakpoint.cc 2007-10-08T03:45:10+00:00 urn:sha1:ad5d27899fdbe7a66e57fdf1af883dbd7ff88dac Loading the crypto algorithm by the alias instead of by module directly has the advantage that all possible implementations of this algorithm are loaded automatically and the crypto API can choose the best one depending on its priority. Additionally it ensures that the generic implementation as well as the HW driver (if available) is loaded in case the HW driver needs the generic version as fallback in corner cases. Also remove the probe for sha1 in padlock's init code. Quote from Herbert: The probe is actually pointless since we can always probe when the algorithm is actually used which does not lead to dead-locks like this. Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2006-09-21T01:40:20+00:00 Michal Ludvig michal@logix.cz 2006-07-08T22:59:38+00:00 urn:sha1:b3be9a6d9a78bb820f5242f43b98f38b0ca610a6 Crypto modules should be loadable by their .cra_driver_name, so we should make MODULE_ALIAS()es with these names. This patch adds aliases for SHA1 and SHA256 only as that's what we need for PadLock-SHA driver. Signed-off-by: Michal Ludvig <michal@logix.cz> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>