mirror of
https://github.com/torvalds/linux.git
synced 2024-11-22 04:38:03 +00:00
992b706680
Since commit "s390/sha3: Support sha3 performance enhancements"
the selftests of the sha3_256_s390 and sha3_512_s390 kernel digests
sometimes fail with:
alg: shash: sha3-256-s390 test failed (wrong result) on test vector 3,
cfg="import/export"
alg: self-tests for sha3-256 using sha3-256-s390 failed (rc=-22)
or with
alg: ahash: sha3-256-s390 test failed (wrong result) on test vector 3,
cfg="digest misaligned splits crossing pages"
alg: self-tests for sha3-256 using sha3-256-s390 failed (rc=-22)
The first failure is because the newly introduced context field
'first_message_part' is not copied during export and import operations.
Because of that the value of 'first_message_part' is more or less random
after an import into a newly allocated context and may or may not fit to
the state of the imported SHA3 operation, causing an invalid hash when it
does not fit.
Save the 'first_message_part' field in the currently unused field 'partial'
of struct sha3_state, even though the meaning of 'partial' is not exactly
the same as 'first_message_part'. For the caller the returned state blob
is opaque and it must only be ensured that the state can be imported later
on by the module that exported it.
The second failure is when on entry of s390_sha_update() the flag
'first_message_part' is on, and kimd is called in the first 'if (index)'
block as well as in the second 'if (len >= bsize)' block. In this case,
the 'first_message_part' is turned off after the first kimd, but the
function code incorrectly retains the NIP flag. Reset the NIP flag after
the first kimd unconditionally besides turning 'first_message_part' off.
Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Fixes: 88c02b3f79 ("s390/sha3: Support sha3 performance enhancements")
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
162 lines
3.8 KiB
C
162 lines
3.8 KiB
C
// SPDX-License-Identifier: GPL-2.0+
|
|
/*
|
|
* Cryptographic API.
|
|
*
|
|
* s390 implementation of the SHA512 and SHA384 Secure Hash Algorithm.
|
|
*
|
|
* Copyright IBM Corp. 2019
|
|
* Author(s): Joerg Schmidbauer (jschmidb@de.ibm.com)
|
|
*/
|
|
#include <crypto/internal/hash.h>
|
|
#include <linux/init.h>
|
|
#include <linux/module.h>
|
|
#include <linux/cpufeature.h>
|
|
#include <crypto/sha3.h>
|
|
#include <asm/cpacf.h>
|
|
|
|
#include "sha.h"
|
|
|
|
static int sha3_512_init(struct shash_desc *desc)
|
|
{
|
|
struct s390_sha_ctx *sctx = shash_desc_ctx(desc);
|
|
|
|
if (!test_facility(86)) /* msa 12 */
|
|
memset(sctx->state, 0, sizeof(sctx->state));
|
|
sctx->count = 0;
|
|
sctx->func = CPACF_KIMD_SHA3_512;
|
|
sctx->first_message_part = 1;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int sha3_512_export(struct shash_desc *desc, void *out)
|
|
{
|
|
struct s390_sha_ctx *sctx = shash_desc_ctx(desc);
|
|
struct sha3_state *octx = out;
|
|
|
|
octx->rsiz = sctx->count;
|
|
octx->rsizw = sctx->count >> 32;
|
|
|
|
memcpy(octx->st, sctx->state, sizeof(octx->st));
|
|
memcpy(octx->buf, sctx->buf, sizeof(octx->buf));
|
|
octx->partial = sctx->first_message_part;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int sha3_512_import(struct shash_desc *desc, const void *in)
|
|
{
|
|
struct s390_sha_ctx *sctx = shash_desc_ctx(desc);
|
|
const struct sha3_state *ictx = in;
|
|
|
|
if (unlikely(ictx->rsizw))
|
|
return -ERANGE;
|
|
sctx->count = ictx->rsiz;
|
|
|
|
memcpy(sctx->state, ictx->st, sizeof(ictx->st));
|
|
memcpy(sctx->buf, ictx->buf, sizeof(ictx->buf));
|
|
sctx->first_message_part = ictx->partial;
|
|
sctx->func = CPACF_KIMD_SHA3_512;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int sha3_384_import(struct shash_desc *desc, const void *in)
|
|
{
|
|
struct s390_sha_ctx *sctx = shash_desc_ctx(desc);
|
|
const struct sha3_state *ictx = in;
|
|
|
|
if (unlikely(ictx->rsizw))
|
|
return -ERANGE;
|
|
sctx->count = ictx->rsiz;
|
|
|
|
memcpy(sctx->state, ictx->st, sizeof(ictx->st));
|
|
memcpy(sctx->buf, ictx->buf, sizeof(ictx->buf));
|
|
sctx->first_message_part = ictx->partial;
|
|
sctx->func = CPACF_KIMD_SHA3_384;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static struct shash_alg sha3_512_alg = {
|
|
.digestsize = SHA3_512_DIGEST_SIZE,
|
|
.init = sha3_512_init,
|
|
.update = s390_sha_update,
|
|
.final = s390_sha_final,
|
|
.export = sha3_512_export,
|
|
.import = sha3_512_import,
|
|
.descsize = sizeof(struct s390_sha_ctx),
|
|
.statesize = sizeof(struct sha3_state),
|
|
.base = {
|
|
.cra_name = "sha3-512",
|
|
.cra_driver_name = "sha3-512-s390",
|
|
.cra_priority = 300,
|
|
.cra_blocksize = SHA3_512_BLOCK_SIZE,
|
|
.cra_module = THIS_MODULE,
|
|
}
|
|
};
|
|
|
|
MODULE_ALIAS_CRYPTO("sha3-512");
|
|
|
|
static int sha3_384_init(struct shash_desc *desc)
|
|
{
|
|
struct s390_sha_ctx *sctx = shash_desc_ctx(desc);
|
|
|
|
if (!test_facility(86)) /* msa 12 */
|
|
memset(sctx->state, 0, sizeof(sctx->state));
|
|
sctx->count = 0;
|
|
sctx->func = CPACF_KIMD_SHA3_384;
|
|
sctx->first_message_part = 1;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static struct shash_alg sha3_384_alg = {
|
|
.digestsize = SHA3_384_DIGEST_SIZE,
|
|
.init = sha3_384_init,
|
|
.update = s390_sha_update,
|
|
.final = s390_sha_final,
|
|
.export = sha3_512_export, /* same as for 512 */
|
|
.import = sha3_384_import, /* function code different! */
|
|
.descsize = sizeof(struct s390_sha_ctx),
|
|
.statesize = sizeof(struct sha3_state),
|
|
.base = {
|
|
.cra_name = "sha3-384",
|
|
.cra_driver_name = "sha3-384-s390",
|
|
.cra_priority = 300,
|
|
.cra_blocksize = SHA3_384_BLOCK_SIZE,
|
|
.cra_ctxsize = sizeof(struct s390_sha_ctx),
|
|
.cra_module = THIS_MODULE,
|
|
}
|
|
};
|
|
|
|
MODULE_ALIAS_CRYPTO("sha3-384");
|
|
|
|
static int __init init(void)
|
|
{
|
|
int ret;
|
|
|
|
if (!cpacf_query_func(CPACF_KIMD, CPACF_KIMD_SHA3_512))
|
|
return -ENODEV;
|
|
ret = crypto_register_shash(&sha3_512_alg);
|
|
if (ret < 0)
|
|
goto out;
|
|
ret = crypto_register_shash(&sha3_384_alg);
|
|
if (ret < 0)
|
|
crypto_unregister_shash(&sha3_512_alg);
|
|
out:
|
|
return ret;
|
|
}
|
|
|
|
static void __exit fini(void)
|
|
{
|
|
crypto_unregister_shash(&sha3_512_alg);
|
|
crypto_unregister_shash(&sha3_384_alg);
|
|
}
|
|
|
|
module_cpu_feature_match(S390_CPU_FEATURE_MSA, init);
|
|
module_exit(fini);
|
|
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_DESCRIPTION("SHA3-512 and SHA3-384 Secure Hash Algorithm");
|