Commit 5abe8d8e authored by Linus Torvalds

Merge tag 'libcrypto-updates-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux

Pull crypto library updates from Eric Biggers:
 "This is the main crypto library pull request for 6.19. It includes:

   - Add SHA-3 support to lib/crypto/, including support for both the
     hash functions and the extendable-output functions. Reimplement the
     existing SHA-3 crypto_shash support on top of the library.

     This is motivated mainly by the upcoming support for the ML-DSA
     signature algorithm, which needs the SHAKE128 and SHAKE256
     functions. But even on its own it's a useful cleanup.

     This also fixes the longstanding issue where the
     architecture-optimized SHA-3 code was disabled by default.

   - Add BLAKE2b support to lib/crypto/, and reimplement the existing
     BLAKE2b crypto_shash support on top of the library.

     This is motivated mainly by btrfs, which supports BLAKE2b
     checksums. With this change, all btrfs checksum algorithms now have
     library APIs. btrfs is planned to start just using the library
     directly.

     This refactor also improves consistency between the BLAKE2b code
     and BLAKE2s code. And as usual, it also fixes the issue where the
     architecture-optimized BLAKE2b code was disabled by default.

   - Add POLYVAL support to lib/crypto/, replacing the existing POLYVAL
     support in crypto_shash. Reimplement HCTR2 on top of the library.

     This simplifies the code and improves HCTR2 performance. As usual,
     it also makes the architecture-optimized code be enabled by
     default. The generic implementation of POLYVAL is greatly improved
     as well.

   - Clean up the BLAKE2s code

   - Add FIPS self-tests for SHA-1, SHA-2, and SHA-3"

* tag 'libcrypto-updates-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux: (37 commits)
  fscrypt: Drop obsolete recommendation to enable optimized POLYVAL
  crypto: polyval - Remove the polyval crypto_shash
  crypto: hctr2 - Convert to use POLYVAL library
  lib/crypto: x86/polyval: Migrate optimized code into library
  lib/crypto: arm64/polyval: Migrate optimized code into library
  lib/crypto: polyval: Add POLYVAL library
  crypto: polyval - Rename conflicting functions
  lib/crypto: x86/blake2s: Use vpternlogd for 3-input XORs
  lib/crypto: x86/blake2s: Avoid writing back unchanged 'f' value
  lib/crypto: x86/blake2s: Improve readability
  lib/crypto: x86/blake2s: Use local labels for data
  lib/crypto: x86/blake2s: Drop check for nblocks == 0
  lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit
  lib/crypto: arm, arm64: Drop filenames from file comments
  lib/crypto: arm/blake2s: Fix some comments
  crypto: s390/sha3 - Remove superseded SHA-3 code
  crypto: sha3 - Reimplement using library API
  crypto: jitterentropy - Use default sha3 implementation
  lib/crypto: s390/sha3: Add optimized one-shot SHA-3 digest functions
  lib/crypto: sha3: Support arch overrides of one-shot digest functions
  ...
parents 619f4edc 2dbb6f4a
+1 −0
@@ -27,3 +27,4 @@ for cryptographic use cases, as well as programming examples.
   descore-readme
   device_drivers/index
   krb5
   sha3
+119 −0
.. SPDX-License-Identifier: GPL-2.0-or-later

==========================
SHA-3 Algorithm Collection
==========================

.. contents::

Overview
========

The SHA-3 family of algorithms, as specified in NIST FIPS-202 [1]_, contains six
algorithms based on the Keccak sponge function.  The differences between them
are: the "rate" (how much of the state buffer gets updated with new data between
invocations of the Keccak function and analogous to the "block size"), what
domain separation suffix gets appended to the input data, and how much output
data is extracted at the end.  The Keccak sponge function is designed such that
arbitrary amounts of output can be obtained for certain algorithms.

Four digest algorithms are provided:

 - SHA3-224
 - SHA3-256
 - SHA3-384
 - SHA3-512

Additionally, two Extendable-Output Functions (XOFs) are provided:

 - SHAKE128
 - SHAKE256

The SHA-3 library API supports all six of these algorithms.  The four digest
algorithms are also supported by the crypto_shash and crypto_ahash APIs.

This document describes the SHA-3 library API.


Digests
=======

The following functions compute SHA-3 digests::

	void sha3_224(const u8 *in, size_t in_len, u8 out[SHA3_224_DIGEST_SIZE]);
	void sha3_256(const u8 *in, size_t in_len, u8 out[SHA3_256_DIGEST_SIZE]);
	void sha3_384(const u8 *in, size_t in_len, u8 out[SHA3_384_DIGEST_SIZE]);
	void sha3_512(const u8 *in, size_t in_len, u8 out[SHA3_512_DIGEST_SIZE]);

For users that need to pass in data incrementally, an incremental API is also
provided.  The incremental API uses the following struct::

	struct sha3_ctx { ... };

Initialization is done with one of::

	void sha3_224_init(struct sha3_ctx *ctx);
	void sha3_256_init(struct sha3_ctx *ctx);
	void sha3_384_init(struct sha3_ctx *ctx);
	void sha3_512_init(struct sha3_ctx *ctx);

Input data is then added with any number of calls to::

	void sha3_update(struct sha3_ctx *ctx, const u8 *in, size_t in_len);

Finally, the digest is generated using::

	void sha3_final(struct sha3_ctx *ctx, u8 *out);

which also zeroizes the context.  The length of the digest is determined by the
initialization function that was called.


Extendable-Output Functions
===========================

The following functions compute the SHA-3 extendable-output functions (XOFs)::

	void shake128(const u8 *in, size_t in_len, u8 *out, size_t out_len);
	void shake256(const u8 *in, size_t in_len, u8 *out, size_t out_len);

For users that need to provide the input data incrementally and/or receive the
output data incrementally, an incremental API is also provided.  The incremental
API uses the following struct::

	struct shake_ctx { ... };

Initialization is done with one of::

	void shake128_init(struct shake_ctx *ctx);
	void shake256_init(struct shake_ctx *ctx);

Input data is then added with any number of calls to::

	void shake_update(struct shake_ctx *ctx, const u8 *in, size_t in_len);

Finally, the output data is extracted with any number of calls to::

	void shake_squeeze(struct shake_ctx *ctx, u8 *out, size_t out_len);

and telling it how much data should be extracted.  Note that performing multiple
squeezes, with the output laid consecutively in a buffer, gets exactly the same
output as doing a single squeeze for the combined amount over the same buffer.

More input data cannot be added after squeezing has started.

Once all the desired output has been extracted, zeroize the context::

	void shake_zeroize_ctx(struct shake_ctx *ctx);


References
==========

.. [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf


API Function Reference
======================

.. kernel-doc:: include/crypto/sha3.h
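Review bot: the zeroization contract differs between the two incremental APIs and the document should say so explicitly: sha3_final() "also zeroizes the context", while a SHAKE user who stops squeezing has to call shake_zeroize_ctx() themselves, so a caller porting from the digest API to the XOF API can easily leave a secret-derived sponge state in memory. A second documentation gap: the one-shot digest functions encode the output size in their prototypes (`u8 out[SHA3_256_DIGEST_SIZE]` and so on), but sha3_final() takes a bare `u8 *out` and the text only says the length "is determined by the initialization function that was called"; state the required minimum buffer size per init function so callers sizing `out` do not under-allocate. Finally, in the XOF section the fragment "and telling it how much data should be extracted." dangles after the shake_squeeze() prototype; "Each call specifies how much output to extract." reads cleanly, and "More input data cannot be added after squeezing has started." would be more useful if it said what the API does when shake_update() is called anyway.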
+0 −2
@@ -450,9 +450,7 @@ API, but the filenames mode still does.
        - CONFIG_CRYPTO_HCTR2
    - Recommended:
        - arm64: CONFIG_CRYPTO_AES_ARM64_CE_BLK
        - arm64: CONFIG_CRYPTO_POLYVAL_ARM64_CE
        - x86: CONFIG_CRYPTO_AES_NI_INTEL
        - x86: CONFIG_CRYPTO_POLYVAL_CLMUL_NI

- Adiantum
    - Mandatory:
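Review bot: dropping the two POLYVAL entries from the Recommended list leaves a reader of this section with no hint of why the options disappeared; since the cover letter says the architecture-optimized POLYVAL code is now enabled by default through the library, a one-line remark to that effect next to the remaining AES recommendations would stop people from hunting for CONFIG_CRYPTO_POLYVAL_ARM64_CE or CONFIG_CRYPTO_POLYVAL_CLMUL_NI in their .config.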
+0 −16
@@ -33,22 +33,6 @@ config CRYPTO_NHPOLY1305_NEON
	  Architecture: arm using:
	  - NEON (Advanced SIMD) extensions

config CRYPTO_BLAKE2B_NEON
	tristate "Hash functions: BLAKE2b (NEON)"
	depends on KERNEL_MODE_NEON
	select CRYPTO_BLAKE2B
	help
	  BLAKE2b cryptographic hash function (RFC 7693)

	  Architecture: arm using
	  - NEON (Advanced SIMD) extensions

	  BLAKE2b digest algorithm optimized with ARM NEON instructions.
	  On ARM processors that have NEON support but not the ARMv8
	  Crypto Extensions, typically this BLAKE2b implementation is
	  much faster than the SHA-2 family and slightly faster than
	  SHA-1.

config CRYPTO_AES_ARM
	tristate "Ciphers: AES"
	select CRYPTO_ALGAPI
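Review bot: removing CRYPTO_BLAKE2B_NEON outright means any existing .config or defconfig that sets CONFIG_CRYPTO_BLAKE2B_NEON=y will have the symbol silently dropped at olddefconfig time, and the removed help text was also the only place telling ARM users without the ARMv8 Crypto Extensions that BLAKE2b is typically much faster than SHA-2 there; the cover letter says the optimized BLAKE2b code is now on by default via lib/crypto, so the commit message (or the replacement lib/crypto Kconfig help) should say so and name the new symbol, otherwise this reads as a performance regression to anyone diffing configs.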
+0 −2
@@ -5,7 +5,6 @@

obj-$(CONFIG_CRYPTO_AES_ARM) += aes-arm.o
obj-$(CONFIG_CRYPTO_AES_ARM_BS) += aes-arm-bs.o
obj-$(CONFIG_CRYPTO_BLAKE2B_NEON) += blake2b-neon.o
obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) += nhpoly1305-neon.o

obj-$(CONFIG_CRYPTO_AES_ARM_CE) += aes-arm-ce.o
@@ -13,7 +12,6 @@ obj-$(CONFIG_CRYPTO_GHASH_ARM_CE) += ghash-arm-ce.o

aes-arm-y	:= aes-cipher-core.o aes-cipher-glue.o
aes-arm-bs-y	:= aes-neonbs-core.o aes-neonbs-glue.o
blake2b-neon-y  := blake2b-neon-core.o blake2b-neon-glue.o
aes-arm-ce-y	:= aes-ce-core.o aes-ce-glue.o
ghash-arm-ce-y	:= ghash-ce-core.o ghash-ce-glue.o
nhpoly1305-neon-y := nh-neon-core.o nhpoly1305-neon-glue.o
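Review bot: both halves of the blake2b-neon build rule go away together, the obj-$(CONFIG_CRYPTO_BLAKE2B_NEON) line in the previous hunk and the blake2b-neon-y composition here, so no dangling target remains; the two object names imply blake2b-neon-core and blake2b-neon-glue sources alongside this Makefile that must be deleted or moved in the same series, otherwise they become unreferenced files. Worth confirming the rest of the pull does that.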