28 May, 2013
1 commit
-
'sha512_generic' should set driver name now that there is alternative sha512
provider (sha512_ssse3).
Signed-off-by: Jussi Kivilinna
Signed-off-by: Herbert Xu
25 Apr, 2013
1 commit
-
Other SHA512 routines may need to use the generic routine when
FPU is not available.
Signed-off-by: Tim Chen
Signed-off-by: Herbert Xu
01 Aug, 2012
1 commit
-
Combine all shash algs to be registered and use new crypto_[un]register_shashes
functions. This simplifies init/exit code.
Signed-off-by: Jussi Kivilinna
Signed-off-by: Herbert Xu
05 Apr, 2012
1 commit
-
The current code only increments the upper 64 bits of the SHA-512 byte
counter when the number of bytes hashed happens to hit 2^64 exactly.
This patch increments the upper 64 bits whenever the lower 64 bits
overflows.
Signed-off-by: Kent Yoder
Cc: stable@kernel.org
Signed-off-by: Herbert Xu
16 Feb, 2012
1 commit
-
Use standard ror64() instead of hand-written.
There is no standard ror64, so create it.
The difference is shift value being "unsigned int" instead of uint64_t
(for which there is no reason). gcc starts to emit native ROR instructions
which it doesn't do for some reason currently. This should make the code
faster.
Patch survives in-tree crypto test and ping flood with hmac(sha512) on.
Signed-off-by: Alexey Dobriyan
Signed-off-by: Herbert Xu
05 Feb, 2012
1 commit
-
Unfortunately in reducing W from 80 to 16 we ended up unrolling
the loop twice. As gcc has issues dealing with 64-bit ops on
i386 this means that we end up using even more stack space (>1K).
This patch solves the W reduction by moving LOAD_OP/BLEND_OP
into the loop itself, thus avoiding the need to duplicate it.
While the stack space still isn't great (>0.5K) it is at least
in the same ball park as the amount of stack used for our C sha1
implementation.
Note that this patch basically reverts to the original code so
the diff looks bigger than it really is.
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu
26 Jan, 2012
1 commit
-
The previous patch used the modulus operator over a power of 2
unnecessarily which may produce suboptimal binary code. This
patch changes them to binary ands instead.
Signed-off-by: Herbert Xu
15 Jan, 2012
2 commits
-
For rounds 16--79, W[i] only depends on W[i - 2], W[i - 7], W[i - 15] and W[i - 16].
Consequently, keeping the whole W[80] array on the stack is unnecessary,
only 16 values are really needed.
Using W[16] instead of W[80] greatly reduces stack usage
(~750 bytes to ~340 bytes on x86_64).
Line by line explanation:
* BLEND_OP
array is "circular" now, all indexes have to be modulo 16.
Round number is positive, so remainder operation should be
without surprises.
* initial full message scheduling is trimmed to first 16 values which
come from data block, the rest is calculated before it's needed.
* original loop body is unrolled version of new SHA512_0_15 and
SHA512_16_79 macros, unrolling was done to not do explicit variable
renaming. Otherwise it's the very same code after preprocessing.
See sha1_transform() code which does the same trick.
Patch survives in-tree crypto test and original bugreport test
(ping flood with hmac(sha512)).
See FIPS 180-2 for SHA-512 definition
http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf
Signed-off-by: Alexey Dobriyan
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu
-
commit f9e2bca6c22d75a289a349f869701214d63b5060
aka "crypto: sha512 - Move message schedule W[80] to static percpu area"
created global message schedule area.
If sha512_update will ever be entered twice, hash will be silently
calculated incorrectly.
Probably the easiest way to notice incorrect hashes being calculated is
to run 2 ping floods over AH with hmac(sha512):

    #!/usr/sbin/setkey -f
    flush;
    spdflush;
    add IP1 IP2 ah 25 -A hmac-sha512 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000025;
    add IP2 IP1 ah 52 -A hmac-sha512 0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000052;
    spdadd IP1 IP2 any -P out ipsec ah/transport//require;
    spdadd IP2 IP1 any -P in ipsec ah/transport//require;

XfrmInStateProtoError will start ticking with -EBADMSG being returned
from ah_input(). This never happens with, say, hmac(sha1).
With patch applied (on BOTH sides), XfrmInStateProtoError does not tick
with multiple bidirectional ping flood streams like it doesn't tick
with SHA-1.
After this patch sha512_transform() will start using ~750 bytes of stack on x86_64.
This is OK for simple loads, for something more heavy, stack reduction will be done
separately.
Signed-off-by: Alexey Dobriyan
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu
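Three of the commits above describe mechanics that are easier to check in a standalone program than in the kernel tree: the 128-bit byte counter whose upper word must be carried into whenever the lower word wraps (April 2012), the W[80] to W[16] circular message schedule indexed with a binary AND (January 2012), and the per-CPU schedule area that produced silently wrong hashes when sha512_update was entered twice. The program below is an added example written for this page; it is not crypto/sha512_generic.c and not code from any of the commit authors. It mirrors that file's shape (a context with a two-word byte count, a transform whose 16-entry W lives in its own stack frame so concurrent callers never share it, a ror64 taking an unsigned int shift count), but the function names sha512_add_count, sha512_hex, load_be64 and store_be64, the ctx layout and the one-shot hex wrapper are this example's own assumptions. The constants and the "abc" result it prints are the FIPS 180-2 ones.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
typedef uint64_t u64;

/* Round constants and initial hash value from FIPS 180-2. */
static const u64 K[80] = {
    0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL,
    0x59f111f1b605d019ULL, 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
    0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL,
    0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
    0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 0x983e5152ee66dfabULL,
    0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
    0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL,
    0x53380d139d95b3dfULL, 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
    0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL,
    0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
    0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 0x5b9cca4f7763e373ULL,
    0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
    0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 0xca273eceea26619cULL,
    0xd186b8c721c0c207ULL, 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
    0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL,
    0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL };
static const u64 IV[8] = { 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
                           0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL };

/* Rotate right; the shift count is a plain unsigned int, as in the Feb 2012 ror64 commit. */
static inline u64 ror64(u64 w, unsigned int s) { return (w >> s) | (w << (64 - s)); }
#define Ch(x, y, z)  ((z) ^ ((x) & ((y) ^ (z))))
#define Maj(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
#define e0(x) (ror64(x, 28) ^ ror64(x, 34) ^ ror64(x, 39))
#define e1(x) (ror64(x, 14) ^ ror64(x, 18) ^ ror64(x, 41))
#define s0(x) (ror64(x, 1) ^ ror64(x, 8) ^ ((x) >> 7))
#define s1(x) (ror64(x, 19) ^ ror64(x, 61) ^ ((x) >> 6))

struct sha512_ctx { u64 state[8]; u64 count[2]; uint8_t buf[128]; }; /* count: bytes hashed, [0] low, [1] high */
static u64 load_be64(const uint8_t *p) { u64 v = 0; for (int i = 0; i < 8; i++) v = (v << 8) | p[i]; return v; }
static void store_be64(uint8_t *p, u64 v) { for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; } }

/* Carry into count[1] whenever count[0] wraps, not only when it lands exactly
 * on 0 (the April 2012 fix). Returns 1 when a carry happened. */
static int sha512_add_count(u64 count[2], u64 n)
{
    count[0] += n;
    if (count[0] < n) { count[1]++; return 1; }
    return 0;
}

/* Compress one 128-byte block. W is a 16-entry ring in this function's own stack
 * frame (no shared per-CPU buffer): for t >= 16, W[t] needs only W[t-2], W[t-7],
 * W[t-15], W[t-16], all still live modulo 16, and W[t & 15] holds W[t-16]. */
static void sha512_transform(u64 *state, const uint8_t *block)
{
    u64 W[16], t1, t2;
    u64 a = state[0], b = state[1], c = state[2], d = state[3];
    u64 e = state[4], f = state[5], g = state[6], h = state[7];
    for (int t = 0; t < 80; t++) {
        if (t < 16)
            W[t] = load_be64(block + 8 * t);
        else
            W[t & 15] += s1(W[(t - 2) & 15]) + W[(t - 7) & 15] + s0(W[(t - 15) & 15]);
        t1 = h + e1(e) + Ch(e, f, g) + K[t] + W[t & 15];
        t2 = e0(a) + Maj(a, b, c);
        h = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
    }
    state[0] += a; state[1] += b; state[2] += c; state[3] += d;
    state[4] += e; state[5] += f; state[6] += g; state[7] += h;
}

static void sha512_init(struct sha512_ctx *c) { memcpy(c->state, IV, sizeof IV); c->count[0] = c->count[1] = 0; }

static void sha512_update(struct sha512_ctx *c, const uint8_t *data, size_t len)
{
    unsigned int idx = c->count[0] & 0x7f, part = 128 - idx; /* idx: bytes already waiting in buf */
    sha512_add_count(c->count, len);
    if (len < part) { memcpy(c->buf + idx, data, len); return; }
    if (idx) { memcpy(c->buf + idx, data, part); sha512_transform(c->state, c->buf); data += part; len -= part; }
    for (; len >= 128; data += 128, len -= 128) sha512_transform(c->state, data);
    memcpy(c->buf, data, len);
}

static void sha512_final(struct sha512_ctx *c, uint8_t out[64])
{
    static const uint8_t padding[128] = { 0x80 };
    uint8_t lenbuf[16];
    unsigned int idx = c->count[0] & 0x7f;
    /* Length in bits as a 128-bit big-endian value: the *8 pushes the top three
     * bits of count[0] into the high word. Taken before padding bumps the counter. */
    store_be64(lenbuf, (c->count[1] << 3) | (c->count[0] >> 61));
    store_be64(lenbuf + 8, c->count[0] << 3);
    sha512_update(c, padding, idx < 112 ? 112 - idx : 240 - idx);
    sha512_update(c, lenbuf, 16);
    for (int i = 0; i < 8; i++) store_be64(out + 8 * i, c->state[i]);
}

/* One-shot helper: 128 lowercase hex digits plus NUL into out. */
static void sha512_hex(const void *msg, size_t len, char out[129])
{
    struct sha512_ctx c; uint8_t dig[64];
    sha512_init(&c); sha512_update(&c, msg, len); sha512_final(&c, dig);
    for (int i = 0; i < 64; i++) sprintf(out + 2 * i, "%02x", dig[i]);
}

int main(void) { char h[129]; sha512_hex("abc", 3, h); printf("sha512(\"abc\") = %s\n", h); return 0; }
```

Build with something like `cc -std=c99 -O2 sha512_ring.c && ./a.out` (the file name is assumed). The returned carry flag from sha512_add_count is what distinguishes the fixed counter from the pre-April-2012 one: with `if (!(count[0] += len)) count[1]++;` a lower word at 2^64 - 2 plus 5 bytes wraps to 3 and the upper word stays 0, so the padded bit length is wrong for any message that crosses 2^64 bytes without landing on it exactly.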
22 Jul, 2009
2 commits
-
This patch replaces the 32-bit counters in sha512_generic with
64-bit counters. It also switches the bit count to the simpler
byte count.
Signed-off-by: Herbert Xu
-
This patch renames struct sha512_ctx and exports it as struct
sha512_state so that other sha512 implementations can use it
as the reference structure for exporting their state.
Signed-off-by: Herbert Xu
25 Dec, 2008
2 commits
-
This patch changes sha512 and sha384 to the new shash interface.
Signed-off-by: Adrian-Ken Rueegsegger
Signed-off-by: Herbert Xu
-
The message schedule W (u64[80]) is too big for the stack. In order
for this algorithm to be used with shash it is moved to a static
percpu area.
Signed-off-by: Adrian-Ken Rueegsegger
Signed-off-by: Herbert Xu
21 Apr, 2008
2 commits
-
On Thu, Mar 27, 2008 at 03:40:36PM +0100, Bodo Eggert wrote:
> Kamalesh Babulal wrote:
>
> > This patch cleanups the crypto code, replaces the init() and fini()
> > with the _init/_fini
>
> This part is OK.
>
> > or init/fini_ (if the
> > _init/_fini exist)
>
> Having init_foo and foo_init won't be a good thing, will it? I'd start
> confusing them.
>
> What about foo_modinit instead?

Thanks for the suggestion, the init() is replaced with
_mod_init ()
and fini () is replaced with _mod_fini.
Signed-off-by: Kamalesh Babulal
Signed-off-by: Herbert Xu
-
Rename sha512 to sha512_generic and add a MODULE_ALIAS for sha512
so all sha512 implementations can be loaded automatically.
Keep the broken tabs so git recognizes this as a rename.
Signed-off-by: Jan Glauber
Signed-off-by: Herbert Xu