Message ID | e7f46def436c2c705c0b2cac3324f817efa4717d.1570715842.git.dsterba@suse.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Herbert Xu |
Headers | show |
Series | [v3] crypto: add blake2b generic implementation | expand |
On Thu, 10 Oct 2019 at 16:09, David Sterba <dsterba@suse.com> wrote: > > The patch brings support of several BLAKE2 variants (2b with various > digest lengths). The keyed digest is supported, using tfm->setkey call. > The in-tree user will be btrfs (for checksumming), we're going to use > the BLAKE2b-256 variant. > > The code is reference implementation taken from the official sources and > modified only in terms of kernel coding style (whitespace, comments, > uintXX_t -> uXX types, removed unused prototypes and #ifdefs, removed > testing code, changed secure_zero_memory -> memzero_explicit, used own > helpers for unaligned reads/writes and rotations). > > Signed-off-by: David Sterba <dsterba@suse.com> > --- > > V3: > > - added 'static' to blake2b_* and removed .h declarations > - updated Kconfig help text > - replaced custom build bug check with BUILD_BUG_ON > > - added .setkey to TFM, optional key, the length validation is same as > what blake2b_init_key accepts, ie. 1..BLAKE2B_KEYBYTES > > - fixed a serious bug: digestsize in all callbacks must be obtained from > TFM, as the same functions are used for all variants but the default > output size was used (in digest_init, digest_final, digest_finup), > > I'm going to do the selftests next so the above can't happen again. > Yes, please. If possible, run the tests on big-endian as well (or I can do it for you if you want) > crypto/Kconfig | 18 ++ > crypto/Makefile | 1 + > crypto/blake2b_generic.c | 504 +++++++++++++++++++++++++++++++++++++++ > include/crypto/blake2b.h | 48 ++++ > 4 files changed, 571 insertions(+) > create mode 100644 crypto/blake2b_generic.c > create mode 100644 include/crypto/blake2b.h > > diff --git a/crypto/Kconfig b/crypto/Kconfig > index e801450bcb1c..2b76752608ae 100644 > --- a/crypto/Kconfig > +++ b/crypto/Kconfig > @@ -691,6 +691,24 @@ config CRYPTO_XXHASH > xxHash non-cryptographic hash algorithm. Extremely fast, working at > speeds close to RAM limits. 
> > +config CRYPTO_BLAKE2B > + tristate "BLAKE2b digest algorithm" > + select CRYPTO_HASH > + help > + Implementation of cryptographic hash function BLAKE2b (or just BLAKE2), > + optimized for 64bit platforms and can produce digests of any size > + between 1 to 64. The keyed hash is also implemented. > + > + This module provides the following algorithms: > + > + - blake2b - the default 512b digest > + - blake2b-160 > + - blake2b-256 > + - blake2b-384 > + - blake2b-512 > + > + See https://blake2.net for further information. > + > config CRYPTO_CRCT10DIF > tristate "CRCT10DIF algorithm" > select CRYPTO_HASH > diff --git a/crypto/Makefile b/crypto/Makefile > index 9479e1a45d8c..2318420d3e71 100644 > --- a/crypto/Makefile > +++ b/crypto/Makefile > @@ -74,6 +74,7 @@ obj-$(CONFIG_CRYPTO_STREEBOG) += streebog_generic.o > obj-$(CONFIG_CRYPTO_WP512) += wp512.o > CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 > obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o > +obj-$(CONFIG_CRYPTO_BLAKE2B) += blake2b_generic.o > obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o > obj-$(CONFIG_CRYPTO_ECB) += ecb.o > obj-$(CONFIG_CRYPTO_CBC) += cbc.o > diff --git a/crypto/blake2b_generic.c b/crypto/blake2b_generic.c > new file mode 100644 > index 000000000000..588f2c5daa2d > --- /dev/null > +++ b/crypto/blake2b_generic.c > @@ -0,0 +1,504 @@ > +// SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0) > +/* > + * BLAKE2b reference source code package - reference C implementations > + * > + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the > + * terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at > + * your option. 
The terms of these licenses can be found at: > + * > + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 > + * - OpenSSL license : https://www.openssl.org/source/license.html > + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 > + * > + * More information about the BLAKE2 hash function can be found at > + * https://blake2.net. > + */ > + > +#include <asm/unaligned.h> > +#include <linux/module.h> > +#include <linux/string.h> > +#include <linux/kernel.h> > +#include <linux/bitops.h> > +#include <crypto/internal/hash.h> > +#include <crypto/blake2b.h> > + > +struct blake2b_param > +{ > + u8 digest_length; /* 1 */ > + u8 key_length; /* 2 */ > + u8 fanout; /* 3 */ > + u8 depth; /* 4 */ > + u32 leaf_length; /* 8 */ > + u32 node_offset; /* 12 */ > + u32 xof_length; /* 16 */ > + u8 node_depth; /* 17 */ > + u8 inner_length; /* 18 */ > + u8 reserved[14]; /* 32 */ > + u8 salt[BLAKE2B_SALTBYTES]; /* 48 */ > + u8 personal[BLAKE2B_PERSONALBYTES]; /* 64 */ > +} __packed; > + > +static const u64 blake2b_IV[8] = > +{ > + 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, > + 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, > + 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, > + 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL > +}; > + > +static const u8 blake2b_sigma[12][16] = > +{ > + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, > + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, > + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, > + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, > + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, > + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, > + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, > + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, > + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, > + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 }, > + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, > + { 14, 
10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } > +}; > + > +static int blake2b_update(struct blake2b_state *S, const void *pin, size_t inlen); > + > +static void blake2b_set_lastnode(struct blake2b_state *S) > +{ > + S->f[1] = (u64)-1; > +} > + > +static int blake2b_is_lastblock(const struct blake2b_state *S) > +{ > + return S->f[0] != 0; > +} > + > +static void blake2b_set_lastblock(struct blake2b_state *S) > +{ > + if (S->last_node) > + blake2b_set_lastnode(S); > + > + S->f[0] = (u64)-1; > +} > + > +static void blake2b_increment_counter(struct blake2b_state *S, const u64 inc) > +{ > + S->t[0] += inc; > + S->t[1] += (S->t[0] < inc); > +} > + > +static void blake2b_init0(struct blake2b_state *S) > +{ > + size_t i; > + > + memset(S, 0, sizeof(struct blake2b_state)); > + > + for (i = 0; i < 8; ++i) > + S->h[i] = blake2b_IV[i]; > +} > + > +/* init xors IV with input parameter block */ > +static int blake2b_init_param(struct blake2b_state *S, > + const struct blake2b_param *P) > +{ > + const u8 *p = (const u8 *)(P); > + size_t i; > + > + blake2b_init0(S); > + > + /* IV XOR ParamBlock */ > + for (i = 0; i < 8; ++i) > + S->h[i] ^= get_unaligned_le64(p + sizeof(S->h[i]) * i); > + > + S->outlen = P->digest_length; > + return 0; > +} > + > +static int blake2b_init(struct blake2b_state *S, size_t outlen) > +{ > + struct blake2b_param P[1]; > + > + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) > + return -1; > + > + P->digest_length = (u8)outlen; > + P->key_length = 0; > + P->fanout = 1; > + P->depth = 1; > + put_unaligned_le32(0, &P->leaf_length); > + put_unaligned_le32(0, &P->node_offset); > + put_unaligned_le32(0, &P->xof_length); > + P->node_depth = 0; > + P->inner_length = 0; > + memset(P->reserved, 0, sizeof(P->reserved)); > + memset(P->salt, 0, sizeof(P->salt)); > + memset(P->personal, 0, sizeof(P->personal)); > + return blake2b_init_param(S, P); > +} > + > +static int blake2b_init_key(struct blake2b_state *S, size_t outlen, > + const void *key, size_t keylen) > +{ 
> + struct blake2b_param P[1]; > + > + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) > + return -1; > + > + if (!key || !keylen || keylen > BLAKE2B_KEYBYTES) > + return -1; > + > + P->digest_length = (u8)outlen; > + P->key_length = (u8)keylen; > + P->fanout = 1; > + P->depth = 1; > + put_unaligned_le32(0, &P->leaf_length); > + put_unaligned_le32(0, &P->node_offset); > + put_unaligned_le32(0, &P->xof_length); > + P->node_depth = 0; > + P->inner_length = 0; > + memset(P->reserved, 0, sizeof(P->reserved)); > + memset(P->salt, 0, sizeof(P->salt)); > + memset(P->personal, 0, sizeof(P->personal)); > + > + if (blake2b_init_param(S, P) < 0) > + return -1; > + > + { > + u8 block[BLAKE2B_BLOCKBYTES]; > + > + memset(block, 0, BLAKE2B_BLOCKBYTES); > + memcpy(block, key, keylen); > + blake2b_update(S, block, BLAKE2B_BLOCKBYTES); > + memzero_explicit(block, BLAKE2B_BLOCKBYTES); > + } > + return 0; > +} > + > +#define G(r,i,a,b,c,d) \ > + do { \ > + a = a + b + m[blake2b_sigma[r][2*i+0]]; \ > + d = ror64(d ^ a, 32); \ > + c = c + d; \ > + b = ror64(b ^ c, 24); \ > + a = a + b + m[blake2b_sigma[r][2*i+1]]; \ > + d = ror64(d ^ a, 16); \ > + c = c + d; \ > + b = ror64(b ^ c, 63); \ > + } while(0) > + > +#define ROUND(r) \ > + do { \ > + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ > + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ > + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ > + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ > + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ > + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ > + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ > + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ > + } while(0) > + > +static void blake2b_compress(struct blake2b_state *S, > + const u8 block[BLAKE2B_BLOCKBYTES]) > +{ > + u64 m[16]; > + u64 v[16]; > + size_t i; > + > + for (i = 0; i < 16; ++i) > + m[i] = get_unaligned_le64(block + i * sizeof(m[i])); > + > + for (i = 0; i < 8; ++i) > + v[i] = S->h[i]; > + > + v[ 8] = blake2b_IV[0]; > + v[ 9] = blake2b_IV[1]; > + v[10] = blake2b_IV[2]; > + v[11] = blake2b_IV[3]; > + v[12] = blake2b_IV[4] ^ S->t[0]; > + 
v[13] = blake2b_IV[5] ^ S->t[1]; > + v[14] = blake2b_IV[6] ^ S->f[0]; > + v[15] = blake2b_IV[7] ^ S->f[1]; > + > + ROUND(0); > + ROUND(1); > + ROUND(2); > + ROUND(3); > + ROUND(4); > + ROUND(5); > + ROUND(6); > + ROUND(7); > + ROUND(8); > + ROUND(9); > + ROUND(10); > + ROUND(11); > + > + for (i = 0; i < 8; ++i) > + S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; > +} > + > +#undef G > +#undef ROUND > + > +static int blake2b_update(struct blake2b_state *S, const void *pin, size_t inlen) > +{ > + const unsigned char *in = (const unsigned char *)pin; > + > + if (inlen > 0) { > + size_t left = S->buflen; > + size_t fill = BLAKE2B_BLOCKBYTES - left; > + > + if (inlen > fill) { > + S->buflen = 0; > + /* Fill buffer */ > + memcpy(S->buf + left, in, fill); > + blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); > + /* Compress */ > + blake2b_compress(S, S->buf); > + in += fill; > + inlen -= fill; > + while (inlen > BLAKE2B_BLOCKBYTES) { > + blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); > + blake2b_compress(S, in); > + in += BLAKE2B_BLOCKBYTES; > + inlen -= BLAKE2B_BLOCKBYTES; > + } > + } > + memcpy(S->buf + S->buflen, in, inlen); > + S->buflen += inlen; > + } > + return 0; > +} > + > +static int blake2b_final(struct blake2b_state *S, void *out, size_t outlen) > +{ > + u8 buffer[BLAKE2B_OUTBYTES] = {0}; > + size_t i; > + > + if (out == NULL || outlen < S->outlen) > + return -1; > + > + if (blake2b_is_lastblock(S)) > + return -1; > + > + blake2b_increment_counter(S, S->buflen); > + blake2b_set_lastblock(S); > + /* Padding */ > + memset(S->buf + S->buflen, 0, BLAKE2B_BLOCKBYTES - S->buflen); > + blake2b_compress(S, S->buf); > + > + /* Output full hash to temp buffer */ > + for (i = 0; i < 8; ++i) > + put_unaligned_le64(S->h[i], buffer + sizeof(S->h[i]) * i); > + > + memcpy(out, buffer, S->outlen); > + memzero_explicit(buffer, sizeof(buffer)); > + return 0; > +} > + > +struct digest_tfm_ctx { > + u8 key[BLAKE2B_KEYBYTES]; > + unsigned int keylen; > +}; > + > +struct digest_desc_ctx { > 
+ struct blake2b_state S[1]; > +}; > + > +static int digest_setkey(struct crypto_shash *tfm, const u8 *key, > + unsigned int keylen) > +{ > + struct digest_tfm_ctx *mctx = crypto_shash_ctx(tfm); > + > + if (keylen == 0 || keylen > BLAKE2B_KEYBYTES) { > + crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); > + return -EINVAL; > + } > + > + memcpy(mctx->key, key, BLAKE2B_KEYBYTES); > + mctx->keylen = keylen; > + > + return 0; > +} > + > +static int digest_init(struct shash_desc *desc) > +{ > + struct digest_tfm_ctx *mctx = crypto_shash_ctx(desc->tfm); > + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); > + const int digestsize = crypto_shash_digestsize(desc->tfm); > + int ret; > + > + if (mctx->keylen == 0) > + ret = blake2b_init(ctx->S, digestsize); > + else > + ret = blake2b_init_key(ctx->S, digestsize, mctx->key, > + mctx->keylen); > + if (ret) > + return -EINVAL; > + return 0; > +} > + > +static int digest_update(struct shash_desc *desc, const u8 *data, > + unsigned int length) > +{ > + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); > + int ret; > + > + ret = blake2b_update(ctx->S, data, length); > + if (ret) > + return -EINVAL; > + return 0; > +} > + > +static int digest_final(struct shash_desc *desc, u8 *out) > +{ > + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); > + const int digestsize = crypto_shash_digestsize(desc->tfm); > + int ret; > + > + ret = blake2b_final(ctx->S, out, digestsize); > + if (ret) > + return -EINVAL; > + return 0; > +} > + > +static int digest_finup(struct shash_desc *desc, const u8 *data, > + unsigned int len, u8 *out) > +{ > + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); > + const int digestsize = crypto_shash_digestsize(desc->tfm); > + int ret; > + > + ret = blake2b_update(ctx->S, data, len); > + if (ret) > + return -EINVAL; > + ret = blake2b_final(ctx->S, out, digestsize); > + if (ret) > + return -EINVAL; > + return 0; > +} > + > +static int blake2b_cra_init(struct crypto_tfm *tfm) > +{ > + struct 
digest_tfm_ctx *mctx = crypto_tfm_ctx(tfm); > + > + /* Use the unkeyed version by default */ > + memset(mctx->key, 0, BLAKE2B_KEYBYTES); > + mctx->keylen = 0; > + > + return 0; > +} > + > +static struct shash_alg blake2b_algs[] = { > + { > + .digestsize = BLAKE2B_512_DIGEST_SIZE, > + .setkey = digest_setkey, > + .init = digest_init, > + .update = digest_update, > + .final = digest_final, > + .finup = digest_finup, > + .descsize = sizeof(struct digest_desc_ctx), > + .base.cra_name = "blake2b", > + .base.cra_driver_name = "blake2b-generic", > + .base.cra_priority = 100, > + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, > + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, > + .base.cra_ctxsize = 0, > + .base.cra_module = THIS_MODULE, > + .base.cra_init = blake2b_cra_init, > + }, { > + .digestsize = BLAKE2B_160_DIGEST_SIZE, > + .setkey = digest_setkey, > + .init = digest_init, > + .update = digest_update, > + .final = digest_final, > + .finup = digest_finup, > + .descsize = sizeof(struct digest_desc_ctx), > + .base.cra_name = "blake2b-160", > + .base.cra_driver_name = "blake2b-160-generic", > + .base.cra_priority = 100, > + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, > + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, > + .base.cra_ctxsize = 0, > + .base.cra_module = THIS_MODULE, > + .base.cra_init = blake2b_cra_init, > + }, { > + .digestsize = BLAKE2B_256_DIGEST_SIZE, > + .setkey = digest_setkey, > + .init = digest_init, > + .update = digest_update, > + .final = digest_final, > + .finup = digest_finup, > + .descsize = sizeof(struct digest_desc_ctx), > + .base.cra_name = "blake2b-256", > + .base.cra_driver_name = "blake2b-256-generic", > + .base.cra_priority = 100, > + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, > + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, > + .base.cra_ctxsize = 0, > + .base.cra_module = THIS_MODULE, > + .base.cra_init = blake2b_cra_init, > + }, { > + .digestsize = BLAKE2B_384_DIGEST_SIZE, > + .setkey = digest_setkey, > + .init = digest_init, > + .update = 
digest_update, > + .final = digest_final, > + .finup = digest_finup, > + .descsize = sizeof(struct digest_desc_ctx), > + .base.cra_name = "blake2b-384", > + .base.cra_driver_name = "blake2b-384-generic", > + .base.cra_priority = 100, > + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, > + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, > + .base.cra_ctxsize = 0, > + .base.cra_module = THIS_MODULE, > + .base.cra_init = blake2b_cra_init, > + }, { > + .digestsize = BLAKE2B_512_DIGEST_SIZE, > + .setkey = digest_setkey, > + .init = digest_init, > + .update = digest_update, > + .final = digest_final, > + .finup = digest_finup, > + .descsize = sizeof(struct digest_desc_ctx), > + .base.cra_name = "blake2b-512", > + .base.cra_driver_name = "blake2b-512-generic", > + .base.cra_priority = 100, > + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, > + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, > + .base.cra_ctxsize = 0, > + .base.cra_module = THIS_MODULE, > + .base.cra_init = blake2b_cra_init, > + } > +}; > + > +static int __init blake2b_mod_init(void) > +{ > + BUILD_BUG_ON(sizeof(struct blake2b_param) != BLAKE2B_OUTBYTES); > + > + return crypto_register_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); > +} > + > +static void __exit blake2b_mod_fini(void) > +{ > + crypto_unregister_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); > +} > + > +subsys_initcall(blake2b_mod_init); > +module_exit(blake2b_mod_fini); > + > +MODULE_AUTHOR("David Sterba <kdave@kernel.org>"); > +MODULE_DESCRIPTION("BLAKE2b generic implementation"); > +MODULE_LICENSE("GPL"); > +MODULE_ALIAS_CRYPTO("blake2b"); > +MODULE_ALIAS_CRYPTO("blake2b-generic"); > +MODULE_ALIAS_CRYPTO("blake2b-160"); > +MODULE_ALIAS_CRYPTO("blake2b-160-generic"); > +MODULE_ALIAS_CRYPTO("blake2b-256"); > +MODULE_ALIAS_CRYPTO("blake2b-256-generic"); > +MODULE_ALIAS_CRYPTO("blake2b-384"); > +MODULE_ALIAS_CRYPTO("blake2b-384-generic"); > +MODULE_ALIAS_CRYPTO("blake2b-512"); > +MODULE_ALIAS_CRYPTO("blake2b-512-generic"); > diff --git 
a/include/crypto/blake2b.h b/include/crypto/blake2b.h > new file mode 100644 > index 000000000000..197cf6f680bf > --- /dev/null > +++ b/include/crypto/blake2b.h > @@ -0,0 +1,48 @@ > +/* SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0) */ > +/* > + * BLAKE2 reference source code package - reference C implementations > + * > + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the > + * terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at > + * your option. The terms of these licenses can be found at: > + * > + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 > + * - OpenSSL license : https://www.openssl.org/source/license.html > + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 > + * > + * More information about the BLAKE2 hash function can be found at > + * https://blake2.net. > +*/ > + > +#ifndef _CRYPTO_BLAKE2B_H > +#define _CRYPTO_BLAKE2B_H > + > +#include <linux/compiler.h> > +#include <stddef.h> > + > +#define BLAKE2B_160_DIGEST_SIZE (160 / 8) > +#define BLAKE2B_256_DIGEST_SIZE (256 / 8) > +#define BLAKE2B_384_DIGEST_SIZE (384 / 8) > +#define BLAKE2B_512_DIGEST_SIZE (512 / 8) > + > +enum blake2b_constant > +{ > + BLAKE2B_BLOCKBYTES = 128, > + BLAKE2B_OUTBYTES = 64, > + BLAKE2B_KEYBYTES = 64, > + BLAKE2B_SALTBYTES = 16, > + BLAKE2B_PERSONALBYTES = 16 > +}; > + > +struct blake2b_state > +{ > + u64 h[8]; > + u64 t[2]; > + u64 f[2]; > + u8 buf[BLAKE2B_BLOCKBYTES]; > + size_t buflen; > + size_t outlen; > + u8 last_node; > +}; > + > +#endif > -- > 2.23.0 >
Hi David, thanks for working on this. Comments below. On Thu, Oct 10, 2019 at 04:10:05PM +0200, David Sterba wrote: > The patch brings support of several BLAKE2 variants (2b with various > digest lengths). The keyed digest is supported, using tfm->setkey call. > The in-tree user will be btrfs (for checksumming), we're going to use > the BLAKE2b-256 variant. > > The code is reference implementation taken from the official sources and > modified only in terms of kernel coding style (whitespace, comments, > uintXX_t -> uXX types, removed unused prototypes and #ifdefs, removed > testing code, changed secure_zero_memory -> memzero_explicit, used own > helpers for unaligned reads/writes and rotations). > > Signed-off-by: David Sterba <dsterba@suse.com> > --- > > V3: > > - added 'static' to blake2b_* and removed .h declarations > - updated Kconfig help text > - replaced custom build bug check with BUILD_BUG_ON > > - added .setkey to TFM, optional key, the length validation is same as > what blake2b_init_key accepts, ie. 1..BLAKE2B_KEYBYTES > > - fixed a serious bug: digestsize in all callbacks must be obtained from > TFM, as the same functions are used for all variants but the default > output size was used (in digest_init, digest_final, digest_finup), > > I'm going to do the selftests next so the above can't happen again. The test vectors should be included in this patch. > + > + - blake2b - the default 512b digest > + - blake2b-160 > + - blake2b-256 > + - blake2b-384 > + - blake2b-512 > + Why have the "blake2b" algorithm at all, when it's already available under the name "blake2b-512"? It's confusing to have two different names for the same algorithm because then people will need to decide which one to use, and both will need to be tested. 
> diff --git a/crypto/blake2b_generic.c b/crypto/blake2b_generic.c > new file mode 100644 > index 000000000000..588f2c5daa2d > --- /dev/null > +++ b/crypto/blake2b_generic.c > @@ -0,0 +1,504 @@ > +// SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0) > +/* > + * BLAKE2b reference source code package - reference C implementations > + * > + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the > + * terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at > + * your option. The terms of these licenses can be found at: > + * > + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 > + * - OpenSSL license : https://www.openssl.org/source/license.html > + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 > + * > + * More information about the BLAKE2 hash function can be found at > + * https://blake2.net. > + */ > + > +#include <asm/unaligned.h> > +#include <linux/module.h> > +#include <linux/string.h> > +#include <linux/kernel.h> > +#include <linux/bitops.h> > +#include <crypto/internal/hash.h> > +#include <crypto/blake2b.h> > + > +struct blake2b_param > +{ > + u8 digest_length; /* 1 */ > + u8 key_length; /* 2 */ > + u8 fanout; /* 3 */ > + u8 depth; /* 4 */ > + u32 leaf_length; /* 8 */ > + u32 node_offset; /* 12 */ > + u32 xof_length; /* 16 */ The u32 fields need to be __le32, since this struct is interpreted as an array of bytes. > +static int blake2b_init(struct blake2b_state *S, size_t outlen) > +{ > + struct blake2b_param P[1]; This shouldn't be an array. > + > + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) > + return -1; No need for these checks, since this patch doesn't provide any way for the user to set an arbitrary outlen. They should either be removed, or replaced with a WARN_ON(). As-is, it looks like a valid error, which is bad because some callers of the crypto_shash API don't handle errors. 
> + > + P->digest_length = (u8)outlen; > + P->key_length = 0; > + P->fanout = 1; > + P->depth = 1; > + put_unaligned_le32(0, &P->leaf_length); > + put_unaligned_le32(0, &P->node_offset); > + put_unaligned_le32(0, &P->xof_length); struct blake2b_param is already a packed structure, so these should be direct assignments. No need for put_unaligned_le32(). > + P->node_depth = 0; > + P->inner_length = 0; > + memset(P->reserved, 0, sizeof(P->reserved)); > + memset(P->salt, 0, sizeof(P->salt)); > + memset(P->personal, 0, sizeof(P->personal)); > + return blake2b_init_param(S, P); > +} > + > +static int blake2b_init_key(struct blake2b_state *S, size_t outlen, > + const void *key, size_t keylen) > +{ > + struct blake2b_param P[1]; > + > + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) > + return -1; > + > + if (!key || !keylen || keylen > BLAKE2B_KEYBYTES) > + return -1; More unclear error checks here. Which are actually valid reachable errors, and which are assertions that should never trigger? See comment above. > + > + P->digest_length = (u8)outlen; > + P->key_length = (u8)keylen; > + P->fanout = 1; > + P->depth = 1; > + put_unaligned_le32(0, &P->leaf_length); > + put_unaligned_le32(0, &P->node_offset); > + put_unaligned_le32(0, &P->xof_length); Same problem with the unnecessary put_unaligned_le32(). > +static int blake2b_final(struct blake2b_state *S, void *out, size_t outlen) > +{ > + u8 buffer[BLAKE2B_OUTBYTES] = {0}; > + size_t i; > + > + if (out == NULL || outlen < S->outlen) > + return -1; More unnecessary error checks. None of the other hash algorithms check for a NULL output buffer, and some users don't check for errors. So returning -1 instead of just crashing could hide bugs. > + > + if (blake2b_is_lastblock(S)) > + return -1; This can't be the case because lastblock is only set by final(). 
> +static int digest_setkey(struct crypto_shash *tfm, const u8 *key, > + unsigned int keylen) > +{ > + struct digest_tfm_ctx *mctx = crypto_shash_ctx(tfm); > + > + if (keylen == 0 || keylen > BLAKE2B_KEYBYTES) { > + crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); > + return -EINVAL; > + } > + > + memcpy(mctx->key, key, BLAKE2B_KEYBYTES); > + mctx->keylen = keylen; > + > + return 0; > +} This reads past the end of the key buffer if keylen < BLAKE2B_KEYBYTES. Please add tests and run with CONFIG_KASAN=y. > +static int digest_update(struct shash_desc *desc, const u8 *data, > + unsigned int length) > +{ > + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); > + int ret; > + > + ret = blake2b_update(ctx->S, data, length); > + if (ret) > + return -EINVAL; > + return 0; > +} Why does update() need to fail? Not all shash API users check for errors. > + > +static int digest_final(struct shash_desc *desc, u8 *out) > +{ > + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); > + const int digestsize = crypto_shash_digestsize(desc->tfm); > + int ret; > + > + ret = blake2b_final(ctx->S, out, digestsize); > + if (ret) > + return -EINVAL; > + return 0; > +} Likewise. Why does final() need to fail? > + > +static int digest_finup(struct shash_desc *desc, const u8 *data, > + unsigned int len, u8 *out) > +{ > + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); > + const int digestsize = crypto_shash_digestsize(desc->tfm); > + int ret; > + > + ret = blake2b_update(ctx->S, data, len); > + if (ret) > + return -EINVAL; > + ret = blake2b_final(ctx->S, out, digestsize); > + if (ret) > + return -EINVAL; > + return 0; > +} finup() shouldn't be implemented if it can't be made more efficient than update() and final() separately. 
> +static int blake2b_cra_init(struct crypto_tfm *tfm) > +{ > + struct digest_tfm_ctx *mctx = crypto_tfm_ctx(tfm); > + > + /* Use the unkeyed version by default */ > + memset(mctx->key, 0, BLAKE2B_KEYBYTES); > + mctx->keylen = 0; > + > + return 0; > +} No need for this function, since the tfm_ctx starts out zeroed by default. > +static struct shash_alg blake2b_algs[] = { > + { > + .digestsize = BLAKE2B_512_DIGEST_SIZE, > + .setkey = digest_setkey, > + .init = digest_init, > + .update = digest_update, > + .final = digest_final, > + .finup = digest_finup, > + .descsize = sizeof(struct digest_desc_ctx), > + .base.cra_name = "blake2b", > + .base.cra_driver_name = "blake2b-generic", > + .base.cra_priority = 100, > + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, > + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, > + .base.cra_ctxsize = 0, Need to set cra_ctxsize to sizeof(struct digest_tfm_ctx), otherwise the code is using an area beyond the end of the buffer for the tfm_ctx. This would have been caught if there were self tests and they were run with CONFIG_KASAN=y. Thanks! - Eric
A couple more comments: On Thu, Oct 10, 2019 at 04:10:05PM +0200, David Sterba wrote: > +static void blake2b_set_lastnode(struct blake2b_state *S) > +{ > + S->f[1] = (u64)-1; > +} > + [...] > +static void blake2b_set_lastblock(struct blake2b_state *S) > +{ > + if (S->last_node) > + blake2b_set_lastnode(S); > + last_node is never true, so this is dead code. > +struct digest_desc_ctx { > + struct blake2b_state S[1]; > +}; This indirection isn't needed. Just use struct blake2b_state directly as the shash_desc_ctx. - Eric
On Thu, Oct 10, 2019 at 03:12:02PM -0700, Eric Biggers wrote: > > I'm going to do the selftests next so the above can't happen again. > > The test vectors should be included in this patch. > > > + > > + - blake2b - the default 512b digest > > + - blake2b-160 > > + - blake2b-256 > > + - blake2b-384 > > + - blake2b-512 > > + > > Why have the "blake2b" algorithm at all, when it's already available under the > name "blake2b-512"? It's confusing to have two different names for the same > algorithm because then people will need to decide which one to use, and both > will need to be tested. The idea is that 'blake2b' is a convenience alias for the default digest size, as it is commonly referred to. But I agree it can cause some confusion, so I'll remove it. > > +struct blake2b_param > > +{ > > + u8 digest_length; /* 1 */ > > + u8 key_length; /* 2 */ > > + u8 fanout; /* 3 */ > > + u8 depth; /* 4 */ > > + u32 leaf_length; /* 8 */ > > + u32 node_offset; /* 12 */ > > + u32 xof_length; /* 16 */ > > The u32 fields need to be __le32, since this struct is interpreted as an array > of bytes. For this and several other comments: I tried to minimize changes to the reference implementation, not to introduce bugs or remove code that should be there, unless requested by a reviewer. I hope you understand that and don't mind. > > +static int blake2b_init(struct blake2b_state *S, size_t outlen) > > +{ > > + struct blake2b_param P[1]; > > This shouldn't be an array. Copied from the original, will switch to a simple variable. > > + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) > > + return -1; > > No need for these checks, since this patch doesn't provide any way for the user > to set an arbitrary outlen. They should either be removed, or replaced with a > WARN_ON(). As-is, it looks like a valid error, which is bad because some > callers of the crypto_shash API don't handle errors. I see and will remove it. 
> > + P->digest_length = (u8)outlen; > > + P->key_length = 0; > > + P->fanout = 1; > > + P->depth = 1; > > + put_unaligned_le32(0, &P->leaf_length); > > + put_unaligned_le32(0, &P->node_offset); > > + put_unaligned_le32(0, &P->xof_length); > > struct blake2b_param is already a packed structure, so these should be direct > assignments. No need for put_unaligned_le32(). > > > + P->node_depth = 0; > > + P->inner_length = 0; > > + memset(P->reserved, 0, sizeof(P->reserved)); > > + memset(P->salt, 0, sizeof(P->salt)); > > + memset(P->personal, 0, sizeof(P->personal)); > > + return blake2b_init_param(S, P); > > +} > > + > > +static int blake2b_init_key(struct blake2b_state *S, size_t outlen, > > + const void *key, size_t keylen) > > +{ > > + struct blake2b_param P[1]; > > + > > + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) > > + return -1; > > + > > + if (!key || !keylen || keylen > BLAKE2B_KEYBYTES) > > + return -1; > > More unclear error checks here. Which are actually valid reachable errors, and > which are assertions that should never trigger? See comment above. > > > + > > + P->digest_length = (u8)outlen; > > + P->key_length = (u8)keylen; > > + P->fanout = 1; > > + P->depth = 1; > > + put_unaligned_le32(0, &P->leaf_length); > > + put_unaligned_le32(0, &P->node_offset); > > + put_unaligned_le32(0, &P->xof_length); > > Same problem with the unnecessary put_unaligned_le32(). > > > +static int blake2b_final(struct blake2b_state *S, void *out, size_t outlen) > > +{ > > + u8 buffer[BLAKE2B_OUTBYTES] = {0}; > > + size_t i; > > + > > + if (out == NULL || outlen < S->outlen) > > + return -1; > > More unnecessary error checks. None of the other hash algorithms check for a > NULL output buffer, and some users don't check for errors. So returning -1 > instead of just crashing could hide bugs. Yeah, removing the checks will allow to remove return values. > > + if (blake2b_is_lastblock(S)) > > + return -1; > > This can't be the case because lastblock is only set by final(). 
> > > +static int digest_setkey(struct crypto_shash *tfm, const u8 *key, > > + unsigned int keylen) > > +{ > > + struct digest_tfm_ctx *mctx = crypto_shash_ctx(tfm); > > + > > + if (keylen == 0 || keylen > BLAKE2B_KEYBYTES) { > > + crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); > > + return -EINVAL; > > + } > > + > > + memcpy(mctx->key, key, BLAKE2B_KEYBYTES); > > + mctx->keylen = keylen; > > + > > + return 0; > > +} > > This reads past the end of the key buffer if keylen < BLAKE2B_KEYBYTES. > > Please add tests and run with CONFIG_KASAN=y. Right, I'll fix it. The selftests did not catch this because all of them used the maximum key length. > > +static int digest_update(struct shash_desc *desc, const u8 *data, > > + unsigned int length) > > +{ > > + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); > > + int ret; > > + > > + ret = blake2b_update(ctx->S, data, length); > > + if (ret) > > + return -EINVAL; > > + return 0; > > +} > > Why does update() need to fail? Not all shash API users check for errors. > > > + > > +static int digest_final(struct shash_desc *desc, u8 *out) > > +{ > > + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); > > + const int digestsize = crypto_shash_digestsize(desc->tfm); > > + int ret; > > + > > + ret = blake2b_final(ctx->S, out, digestsize); > > + if (ret) > > + return -EINVAL; > > + return 0; > > +} > > Likewise. Why does final() need to fail? > > > + > > +static int digest_finup(struct shash_desc *desc, const u8 *data, > > + unsigned int len, u8 *out) > > +{ > > + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); > > + const int digestsize = crypto_shash_digestsize(desc->tfm); > > + int ret; > > + > > + ret = blake2b_update(ctx->S, data, len); > > + if (ret) > > + return -EINVAL; > > + ret = blake2b_final(ctx->S, out, digestsize); > > + if (ret) > > + return -EINVAL; > > + return 0; > > +} > > finup() shouldn't be implemented if it can't be made more efficient than > update() and final() separately. 
Ok, will be removed. > > +static int blake2b_cra_init(struct crypto_tfm *tfm) > > +{ > > + struct digest_tfm_ctx *mctx = crypto_tfm_ctx(tfm); > > + > > + /* Use the unkeyed version by default */ > > + memset(mctx->key, 0, BLAKE2B_KEYBYTES); > > + mctx->keylen = 0; > > + > > + return 0; > > +} > > No need for this function, since the tfm_ctx starts out zeroed by default. Ok, will be removed. > > +static struct shash_alg blake2b_algs[] = { > > + { > > + .digestsize = BLAKE2B_512_DIGEST_SIZE, > > + .setkey = digest_setkey, > > + .init = digest_init, > > + .update = digest_update, > > + .final = digest_final, > > + .finup = digest_finup, > > + .descsize = sizeof(struct digest_desc_ctx), > > + .base.cra_name = "blake2b", > > + .base.cra_driver_name = "blake2b-generic", > > + .base.cra_priority = 100, > > + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, > > + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, > > + .base.cra_ctxsize = 0, > > Need to set cra_ctxsize to sizeof(struct digest_tfm_ctx), otherwise the code is > using an area beyond the end of the buffer for the tfm_ctx. This would have > been caught if there were self tests and they were run with CONFIG_KASAN=y. I found it out the hard way, the selftests caused a memory overwrite, caught by SLUB_DEBUG, but I did the KASAN pass as well, no further problems found. I'll spin v4, adding the test vectors. It'll probably be a series because the single patch I have now is over 400K in size, so we'd need one more feedback round to decide what test values to include. Thanks for the comments.
diff --git a/crypto/Kconfig b/crypto/Kconfig index e801450bcb1c..2b76752608ae 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -691,6 +691,24 @@ config CRYPTO_XXHASH xxHash non-cryptographic hash algorithm. Extremely fast, working at speeds close to RAM limits. +config CRYPTO_BLAKE2B + tristate "BLAKE2b digest algorithm" + select CRYPTO_HASH + help + Implementation of cryptographic hash function BLAKE2b (or just BLAKE2), + optimized for 64bit platforms and can produce digests of any size + between 1 to 64. The keyed hash is also implemented. + + This module provides the following algorithms: + + - blake2b - the default 512b digest + - blake2b-160 + - blake2b-256 + - blake2b-384 + - blake2b-512 + + See https://blake2.net for further information. + config CRYPTO_CRCT10DIF tristate "CRCT10DIF algorithm" select CRYPTO_HASH diff --git a/crypto/Makefile b/crypto/Makefile index 9479e1a45d8c..2318420d3e71 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -74,6 +74,7 @@ obj-$(CONFIG_CRYPTO_STREEBOG) += streebog_generic.o obj-$(CONFIG_CRYPTO_WP512) += wp512.o CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149 obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o +obj-$(CONFIG_CRYPTO_BLAKE2B) += blake2b_generic.o obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o obj-$(CONFIG_CRYPTO_ECB) += ecb.o obj-$(CONFIG_CRYPTO_CBC) += cbc.o diff --git a/crypto/blake2b_generic.c b/crypto/blake2b_generic.c new file mode 100644 index 000000000000..588f2c5daa2d --- /dev/null +++ b/crypto/blake2b_generic.c @@ -0,0 +1,504 @@ +// SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0) +/* + * BLAKE2b reference source code package - reference C implementations + * + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the + * terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at + * your option. 
The terms of these licenses can be found at: + * + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + * - OpenSSL license : https://www.openssl.org/source/license.html + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + * + * More information about the BLAKE2 hash function can be found at + * https://blake2.net. + */ + +#include <asm/unaligned.h> +#include <linux/module.h> +#include <linux/string.h> +#include <linux/kernel.h> +#include <linux/bitops.h> +#include <crypto/internal/hash.h> +#include <crypto/blake2b.h> + +struct blake2b_param +{ + u8 digest_length; /* 1 */ + u8 key_length; /* 2 */ + u8 fanout; /* 3 */ + u8 depth; /* 4 */ + u32 leaf_length; /* 8 */ + u32 node_offset; /* 12 */ + u32 xof_length; /* 16 */ + u8 node_depth; /* 17 */ + u8 inner_length; /* 18 */ + u8 reserved[14]; /* 32 */ + u8 salt[BLAKE2B_SALTBYTES]; /* 48 */ + u8 personal[BLAKE2B_PERSONALBYTES]; /* 64 */ +} __packed; + +static const u64 blake2b_IV[8] = +{ + 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, + 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, + 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, + 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL +}; + +static const u8 blake2b_sigma[12][16] = +{ + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 }, + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } +}; + +static int blake2b_update(struct blake2b_state *S, 
const void *pin, size_t inlen); + +static void blake2b_set_lastnode(struct blake2b_state *S) +{ + S->f[1] = (u64)-1; +} + +static int blake2b_is_lastblock(const struct blake2b_state *S) +{ + return S->f[0] != 0; +} + +static void blake2b_set_lastblock(struct blake2b_state *S) +{ + if (S->last_node) + blake2b_set_lastnode(S); + + S->f[0] = (u64)-1; +} + +static void blake2b_increment_counter(struct blake2b_state *S, const u64 inc) +{ + S->t[0] += inc; + S->t[1] += (S->t[0] < inc); +} + +static void blake2b_init0(struct blake2b_state *S) +{ + size_t i; + + memset(S, 0, sizeof(struct blake2b_state)); + + for (i = 0; i < 8; ++i) + S->h[i] = blake2b_IV[i]; +} + +/* init xors IV with input parameter block */ +static int blake2b_init_param(struct blake2b_state *S, + const struct blake2b_param *P) +{ + const u8 *p = (const u8 *)(P); + size_t i; + + blake2b_init0(S); + + /* IV XOR ParamBlock */ + for (i = 0; i < 8; ++i) + S->h[i] ^= get_unaligned_le64(p + sizeof(S->h[i]) * i); + + S->outlen = P->digest_length; + return 0; +} + +static int blake2b_init(struct blake2b_state *S, size_t outlen) +{ + struct blake2b_param P[1]; + + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) + return -1; + + P->digest_length = (u8)outlen; + P->key_length = 0; + P->fanout = 1; + P->depth = 1; + put_unaligned_le32(0, &P->leaf_length); + put_unaligned_le32(0, &P->node_offset); + put_unaligned_le32(0, &P->xof_length); + P->node_depth = 0; + P->inner_length = 0; + memset(P->reserved, 0, sizeof(P->reserved)); + memset(P->salt, 0, sizeof(P->salt)); + memset(P->personal, 0, sizeof(P->personal)); + return blake2b_init_param(S, P); +} + +static int blake2b_init_key(struct blake2b_state *S, size_t outlen, + const void *key, size_t keylen) +{ + struct blake2b_param P[1]; + + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) + return -1; + + if (!key || !keylen || keylen > BLAKE2B_KEYBYTES) + return -1; + + P->digest_length = (u8)outlen; + P->key_length = (u8)keylen; + P->fanout = 1; + P->depth = 1; + 
put_unaligned_le32(0, &P->leaf_length); + put_unaligned_le32(0, &P->node_offset); + put_unaligned_le32(0, &P->xof_length); + P->node_depth = 0; + P->inner_length = 0; + memset(P->reserved, 0, sizeof(P->reserved)); + memset(P->salt, 0, sizeof(P->salt)); + memset(P->personal, 0, sizeof(P->personal)); + + if (blake2b_init_param(S, P) < 0) + return -1; + + { + u8 block[BLAKE2B_BLOCKBYTES]; + + memset(block, 0, BLAKE2B_BLOCKBYTES); + memcpy(block, key, keylen); + blake2b_update(S, block, BLAKE2B_BLOCKBYTES); + memzero_explicit(block, BLAKE2B_BLOCKBYTES); + } + return 0; +} + +#define G(r,i,a,b,c,d) \ + do { \ + a = a + b + m[blake2b_sigma[r][2*i+0]]; \ + d = ror64(d ^ a, 32); \ + c = c + d; \ + b = ror64(b ^ c, 24); \ + a = a + b + m[blake2b_sigma[r][2*i+1]]; \ + d = ror64(d ^ a, 16); \ + c = c + d; \ + b = ror64(b ^ c, 63); \ + } while(0) + +#define ROUND(r) \ + do { \ + G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ + G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ + G(r,2,v[ 2],v[ 6],v[10],v[14]); \ + G(r,3,v[ 3],v[ 7],v[11],v[15]); \ + G(r,4,v[ 0],v[ 5],v[10],v[15]); \ + G(r,5,v[ 1],v[ 6],v[11],v[12]); \ + G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ + G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ + } while(0) + +static void blake2b_compress(struct blake2b_state *S, + const u8 block[BLAKE2B_BLOCKBYTES]) +{ + u64 m[16]; + u64 v[16]; + size_t i; + + for (i = 0; i < 16; ++i) + m[i] = get_unaligned_le64(block + i * sizeof(m[i])); + + for (i = 0; i < 8; ++i) + v[i] = S->h[i]; + + v[ 8] = blake2b_IV[0]; + v[ 9] = blake2b_IV[1]; + v[10] = blake2b_IV[2]; + v[11] = blake2b_IV[3]; + v[12] = blake2b_IV[4] ^ S->t[0]; + v[13] = blake2b_IV[5] ^ S->t[1]; + v[14] = blake2b_IV[6] ^ S->f[0]; + v[15] = blake2b_IV[7] ^ S->f[1]; + + ROUND(0); + ROUND(1); + ROUND(2); + ROUND(3); + ROUND(4); + ROUND(5); + ROUND(6); + ROUND(7); + ROUND(8); + ROUND(9); + ROUND(10); + ROUND(11); + + for (i = 0; i < 8; ++i) + S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; +} + +#undef G +#undef ROUND + +static int blake2b_update(struct blake2b_state *S, const void 
*pin, size_t inlen) +{ + const unsigned char *in = (const unsigned char *)pin; + + if (inlen > 0) { + size_t left = S->buflen; + size_t fill = BLAKE2B_BLOCKBYTES - left; + + if (inlen > fill) { + S->buflen = 0; + /* Fill buffer */ + memcpy(S->buf + left, in, fill); + blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); + /* Compress */ + blake2b_compress(S, S->buf); + in += fill; + inlen -= fill; + while (inlen > BLAKE2B_BLOCKBYTES) { + blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); + blake2b_compress(S, in); + in += BLAKE2B_BLOCKBYTES; + inlen -= BLAKE2B_BLOCKBYTES; + } + } + memcpy(S->buf + S->buflen, in, inlen); + S->buflen += inlen; + } + return 0; +} + +static int blake2b_final(struct blake2b_state *S, void *out, size_t outlen) +{ + u8 buffer[BLAKE2B_OUTBYTES] = {0}; + size_t i; + + if (out == NULL || outlen < S->outlen) + return -1; + + if (blake2b_is_lastblock(S)) + return -1; + + blake2b_increment_counter(S, S->buflen); + blake2b_set_lastblock(S); + /* Padding */ + memset(S->buf + S->buflen, 0, BLAKE2B_BLOCKBYTES - S->buflen); + blake2b_compress(S, S->buf); + + /* Output full hash to temp buffer */ + for (i = 0; i < 8; ++i) + put_unaligned_le64(S->h[i], buffer + sizeof(S->h[i]) * i); + + memcpy(out, buffer, S->outlen); + memzero_explicit(buffer, sizeof(buffer)); + return 0; +} + +struct digest_tfm_ctx { + u8 key[BLAKE2B_KEYBYTES]; + unsigned int keylen; +}; + +struct digest_desc_ctx { + struct blake2b_state S[1]; +}; + +static int digest_setkey(struct crypto_shash *tfm, const u8 *key, + unsigned int keylen) +{ + struct digest_tfm_ctx *mctx = crypto_shash_ctx(tfm); + + if (keylen == 0 || keylen > BLAKE2B_KEYBYTES) { + crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); + return -EINVAL; + } + + memcpy(mctx->key, key, BLAKE2B_KEYBYTES); + mctx->keylen = keylen; + + return 0; +} + +static int digest_init(struct shash_desc *desc) +{ + struct digest_tfm_ctx *mctx = crypto_shash_ctx(desc->tfm); + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); + const 
int digestsize = crypto_shash_digestsize(desc->tfm); + int ret; + + if (mctx->keylen == 0) + ret = blake2b_init(ctx->S, digestsize); + else + ret = blake2b_init_key(ctx->S, digestsize, mctx->key, + mctx->keylen); + if (ret) + return -EINVAL; + return 0; +} + +static int digest_update(struct shash_desc *desc, const u8 *data, + unsigned int length) +{ + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); + int ret; + + ret = blake2b_update(ctx->S, data, length); + if (ret) + return -EINVAL; + return 0; +} + +static int digest_final(struct shash_desc *desc, u8 *out) +{ + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); + const int digestsize = crypto_shash_digestsize(desc->tfm); + int ret; + + ret = blake2b_final(ctx->S, out, digestsize); + if (ret) + return -EINVAL; + return 0; +} + +static int digest_finup(struct shash_desc *desc, const u8 *data, + unsigned int len, u8 *out) +{ + struct digest_desc_ctx *ctx = shash_desc_ctx(desc); + const int digestsize = crypto_shash_digestsize(desc->tfm); + int ret; + + ret = blake2b_update(ctx->S, data, len); + if (ret) + return -EINVAL; + ret = blake2b_final(ctx->S, out, digestsize); + if (ret) + return -EINVAL; + return 0; +} + +static int blake2b_cra_init(struct crypto_tfm *tfm) +{ + struct digest_tfm_ctx *mctx = crypto_tfm_ctx(tfm); + + /* Use the unkeyed version by default */ + memset(mctx->key, 0, BLAKE2B_KEYBYTES); + mctx->keylen = 0; + + return 0; +} + +static struct shash_alg blake2b_algs[] = { + { + .digestsize = BLAKE2B_512_DIGEST_SIZE, + .setkey = digest_setkey, + .init = digest_init, + .update = digest_update, + .final = digest_final, + .finup = digest_finup, + .descsize = sizeof(struct digest_desc_ctx), + .base.cra_name = "blake2b", + .base.cra_driver_name = "blake2b-generic", + .base.cra_priority = 100, + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, + .base.cra_ctxsize = 0, + .base.cra_module = THIS_MODULE, + .base.cra_init = blake2b_cra_init, + }, { + .digestsize = 
BLAKE2B_160_DIGEST_SIZE, + .setkey = digest_setkey, + .init = digest_init, + .update = digest_update, + .final = digest_final, + .finup = digest_finup, + .descsize = sizeof(struct digest_desc_ctx), + .base.cra_name = "blake2b-160", + .base.cra_driver_name = "blake2b-160-generic", + .base.cra_priority = 100, + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, + .base.cra_ctxsize = 0, + .base.cra_module = THIS_MODULE, + .base.cra_init = blake2b_cra_init, + }, { + .digestsize = BLAKE2B_256_DIGEST_SIZE, + .setkey = digest_setkey, + .init = digest_init, + .update = digest_update, + .final = digest_final, + .finup = digest_finup, + .descsize = sizeof(struct digest_desc_ctx), + .base.cra_name = "blake2b-256", + .base.cra_driver_name = "blake2b-256-generic", + .base.cra_priority = 100, + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, + .base.cra_ctxsize = 0, + .base.cra_module = THIS_MODULE, + .base.cra_init = blake2b_cra_init, + }, { + .digestsize = BLAKE2B_384_DIGEST_SIZE, + .setkey = digest_setkey, + .init = digest_init, + .update = digest_update, + .final = digest_final, + .finup = digest_finup, + .descsize = sizeof(struct digest_desc_ctx), + .base.cra_name = "blake2b-384", + .base.cra_driver_name = "blake2b-384-generic", + .base.cra_priority = 100, + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, + .base.cra_ctxsize = 0, + .base.cra_module = THIS_MODULE, + .base.cra_init = blake2b_cra_init, + }, { + .digestsize = BLAKE2B_512_DIGEST_SIZE, + .setkey = digest_setkey, + .init = digest_init, + .update = digest_update, + .final = digest_final, + .finup = digest_finup, + .descsize = sizeof(struct digest_desc_ctx), + .base.cra_name = "blake2b-512", + .base.cra_driver_name = "blake2b-512-generic", + .base.cra_priority = 100, + .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY, + .base.cra_blocksize = BLAKE2B_BLOCKBYTES, + .base.cra_ctxsize = 0, + .base.cra_module = 
THIS_MODULE, + .base.cra_init = blake2b_cra_init, + } +}; + +static int __init blake2b_mod_init(void) +{ + BUILD_BUG_ON(sizeof(struct blake2b_param) != BLAKE2B_OUTBYTES); + + return crypto_register_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); +} + +static void __exit blake2b_mod_fini(void) +{ + crypto_unregister_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs)); +} + +subsys_initcall(blake2b_mod_init); +module_exit(blake2b_mod_fini); + +MODULE_AUTHOR("David Sterba <kdave@kernel.org>"); +MODULE_DESCRIPTION("BLAKE2b generic implementation"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS_CRYPTO("blake2b"); +MODULE_ALIAS_CRYPTO("blake2b-generic"); +MODULE_ALIAS_CRYPTO("blake2b-160"); +MODULE_ALIAS_CRYPTO("blake2b-160-generic"); +MODULE_ALIAS_CRYPTO("blake2b-256"); +MODULE_ALIAS_CRYPTO("blake2b-256-generic"); +MODULE_ALIAS_CRYPTO("blake2b-384"); +MODULE_ALIAS_CRYPTO("blake2b-384-generic"); +MODULE_ALIAS_CRYPTO("blake2b-512"); +MODULE_ALIAS_CRYPTO("blake2b-512-generic"); diff --git a/include/crypto/blake2b.h b/include/crypto/blake2b.h new file mode 100644 index 000000000000..197cf6f680bf --- /dev/null +++ b/include/crypto/blake2b.h @@ -0,0 +1,48 @@ +/* SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0) */ +/* + * BLAKE2 reference source code package - reference C implementations + * + * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the + * terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at + * your option. The terms of these licenses can be found at: + * + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + * - OpenSSL license : https://www.openssl.org/source/license.html + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + * + * More information about the BLAKE2 hash function can be found at + * https://blake2.net. 
+*/ + +#ifndef _CRYPTO_BLAKE2B_H +#define _CRYPTO_BLAKE2B_H + +#include <linux/compiler.h> +#include <stddef.h> + +#define BLAKE2B_160_DIGEST_SIZE (160 / 8) +#define BLAKE2B_256_DIGEST_SIZE (256 / 8) +#define BLAKE2B_384_DIGEST_SIZE (384 / 8) +#define BLAKE2B_512_DIGEST_SIZE (512 / 8) + +enum blake2b_constant +{ + BLAKE2B_BLOCKBYTES = 128, + BLAKE2B_OUTBYTES = 64, + BLAKE2B_KEYBYTES = 64, + BLAKE2B_SALTBYTES = 16, + BLAKE2B_PERSONALBYTES = 16 +}; + +struct blake2b_state +{ + u64 h[8]; + u64 t[2]; + u64 f[2]; + u8 buf[BLAKE2B_BLOCKBYTES]; + size_t buflen; + size_t outlen; + u8 last_node; +}; + +#endif
The patch brings support of several BLAKE2 variants (2b with various digest lengths). The keyed digest is supported, using tfm->setkey call. The in-tree user will be btrfs (for checksumming), we're going to use the BLAKE2b-256 variant. The code is reference implementation taken from the official sources and modified only in terms of kernel coding style (whitespace, comments, uintXX_t -> uXX types, removed unused prototypes and #ifdefs, removed testing code, changed secure_zero_memory -> memzero_explicit, used own helpers for unaligned reads/writes and rotations). Signed-off-by: David Sterba <dsterba@suse.com> --- V3: - added 'static' to blake2b_* and removed .h declarations - updated Kconfig help text - replaced custom build bug check with BUILD_BUG_ON - added .setkey to TFM, optional key, the length validation is same as what blake2b_init_key accepts, ie. 1..BLAKE2B_KEYBYTES - fixed a serious bug: digestsize in all callbacks must be obtained from TFM, as the same functions are used for all variants but the default output size was used (in digest_init, digest_final, digest_finup), I'm going to do the selftests next so the above can't happen again. crypto/Kconfig | 18 ++ crypto/Makefile | 1 + crypto/blake2b_generic.c | 504 +++++++++++++++++++++++++++++++++++++++ include/crypto/blake2b.h | 48 ++++ 4 files changed, 571 insertions(+) create mode 100644 crypto/blake2b_generic.c create mode 100644 include/crypto/blake2b.h