The file comment for blake2b_generic.c makes it sound like it's the
reference implementation of BLAKE2b with only minor changes. But it's
actually been changed a lot. Update the comment to make this clearer.
Reviewed-by: David Sterba <dsterba@suse.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 0cdc438e6e13436b0190910ef7da49ce4f5a44f4)
Conflicts:
crypto/blake2b_generic.c
(trivial conflict due to upstream commit 9332a9e73918,
"crypto: Replace HTTP links with HTTPS ones")
Bug: 178411248
Change-Id: I8b58cd0e2892a873866ead52fa4dba3edabdeeb3
Signed-off-by: Eric Biggers <ebiggers@google.com>
Sync the BLAKE2b code with the BLAKE2s code as much as possible:
- Move a lot of code into new headers <crypto/blake2b.h> and
<crypto/internal/blake2b.h>, and adjust it to be like the
corresponding BLAKE2s code, i.e. like <crypto/blake2s.h> and
<crypto/internal/blake2s.h>.
- Rename constants, e.g. BLAKE2B_*_DIGEST_SIZE => BLAKE2B_*_HASH_SIZE.
- Use a macro BLAKE2B_ALG() to define the shash_alg structs.
- Export blake2b_compress_generic() for use as a fallback.
This makes it much easier to add optimized implementations of BLAKE2b,
as optimized implementations can use the helper functions
crypto_blake2b_{setkey,init,update,final}() and
blake2b_compress_generic(). The ARM implementation will use these.
But this change is also helpful because it eliminates unnecessary
differences between the BLAKE2b and BLAKE2s code, so that the same
improvements can easily be made to both. (The two algorithms are
basically identical, except for the word size and constants.) It also
makes it straightforward to add a library API for BLAKE2b in the future
if/when it's needed.
This change does make the BLAKE2b code slightly more complicated than it
needs to be, as it doesn't actually provide a library API yet. For
example, __blake2b_update() doesn't really need to exist yet; it could
just be inlined into crypto_blake2b_update(). But I believe this is
outweighed by the benefits of keeping the code in sync.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 28dcca4cc0c01e2467549a36b1b0eacfdb01236c)
Conflicts:
crypto/blake2b_generic.c
(conflict due to this branch not having commit 674f368a952c,
"crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN")
Bug: 178411248
Change-Id: I755c64fefe1209b54d1417d91e8a4c207382a620
Signed-off-by: Eric Biggers <ebiggers@google.com>
When building for ARMv7-M, clang-9 or higher tries to unroll some loops,
which ends up confusing the register allocator to the point of generating
rather bad code and using more than the warning limit for stack frames:
warning: stack frame size of 1200 bytes in function 'blake2b_compress' [-Wframe-larger-than=]
Forcing it to not unroll the final loop avoids this problem.
Fixes: 91d689337fe8 ("crypto: blake2b - add blake2b generic implementation")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 0c0408e86dbe8f44d4b27bf42130e8ac905361d6)
Bug: 178411248
Change-Id: I71ee6df844bdbace9f06342a61322c7494533564
Signed-off-by: Eric Biggers <ebiggers@google.com>
The TFM context can be renamed to a more appropriate name and the local
varaibles as well, using 'tctx' which seems to be more common than
'mctx'.
The _setkey callback was the last one without the blake2b_ prefix,
rename that too.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit c433a1a8572eceb7c45dd85d93fec6946b71bb72)
Bug: 178411248
Change-Id: I8b7dfa5779ee6f76bb7e21572d29df1310705485
Signed-off-by: Eric Biggers <ebiggers@google.com>
Now that there's only one call to blake2b_update, we can merge it to the
callback and simplify. The empty input check is split and the rest of
code un-indented.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 0b4b5f10ac1ffb7f51db1832d189c33955c0d4c1)
Bug: 178411248
Change-Id: Ic260edcee45116ac1a9f03f2792fe577a2c629c6
Signed-off-by: Eric Biggers <ebiggers@google.com>
The helper is trival and called once, inlining makes things simpler.
There's a comment to tie it back to the idea behind the code.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit a2e4bdce0f6e69c6cf9e460c4fe158bcc0db351f)
Bug: 178411248
Change-Id: Iba1276dfcdb29240206f66bf98902d0e587a590f
Signed-off-by: Eric Biggers <ebiggers@google.com>
All the code for param block has been inlined, last_node and outlen from
the state are not used or have become redundant due to other code.
Remove it.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit d063d6327e7de18e16e4742579a0ff759c3889fb)
Bug: 178411248
Change-Id: Ia7090fe3162495abae29b86f37e53ebf02414fe2
Signed-off-by: Eric Biggers <ebiggers@google.com>
The keyed init writes the key bytes to the input buffer and does an
update. We can do that in two ways: fill the buffer and update
immediatelly. This is what current blake2b_init_key does. Any other
following _update or _final will continue from the updated state.
The other way is to write the key and set the number of bytes to process
at the next _update or _final, lazy evaluation. Which leads to the the
simplified code in this patch.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit e87e484d60b0da8302b45f27fe32af1cea02c8d2)
Bug: 178411248
Change-Id: I90652bb41d252af9503d5976ce32b93e2610debf
Signed-off-by: Eric Biggers <ebiggers@google.com>
The call chain from blake2b_init can be simplified because the param
block is effectively zeros, besides the key.
- blake2b_init0 zeroes state and sets IV
- blake2b_init sets up param block with defaults (key and some 1s)
- init with key, write it to the input buffer and recalculate state
So the compact way is to zero out the state and initialize index 0 of
the state directly with the non-zero values and the key.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit e374969565472824eba4669dea4a23ad2edb414f)
Bug: 178411248
Change-Id: I797e941bf90262f6cf334c100a91e5b90dc00a2c
Signed-off-by: Eric Biggers <ebiggers@google.com>
blake2b_final is called only once, merge it to the crypto API callback
and simplify. This avoids the temporary buffer and swaps the bytes of
internal buffer.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 086db43b5a2281f7ce7d8a67a171b91e1e8fe0ec)
Bug: 178411248
Change-Id: I7c5e2d9d931d463ada7573e66268f7b93a2d40a4
Signed-off-by: Eric Biggers <ebiggers@google.com>
The patch brings support of several BLAKE2 variants (2b with various
digest lengths). The keyed digest is supported, using tfm->setkey call.
The in-tree user will be btrfs (for checksumming), we're going to use
the BLAKE2b-256 variant.
The code is reference implementation taken from the official sources and
modified in terms of kernel coding style (whitespace, comments, uintXX_t
-> uXX types, removed unused prototypes and #ifdefs, removed testing
code, changed secure_zero_memory -> memzero_explicit, used own helpers
for unaligned reads/writes and rotations).
Further changes removed sanity checks of key length or output size,
these values are verified in the crypto API callbacks or hardcoded in
shash_alg and not exposed to users.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 91d689337fe8b7703608a2ec39aae700b99f3933)
Conflicts:
crypto/Kconfig
crypto/Makefile
(trivial conflicts due to blake2s having been backported already)
Bug: 178411248
Change-Id: Ic4c2314b146434a5842facf56e58d3602bacc7d5
Signed-off-by: Eric Biggers <ebiggers@google.com>
