crypto: lib/sha1 - rename "sha" to "sha1"

The library implementation of the SHA-1 compression function is
confusingly called just "sha_transform()".  Alongside it are some "SHA_"
constants and "sha_init()".  Presumably these are left over from a time
when SHA just meant SHA-1.  But now there are also SHA-2 and SHA-3, and
moreover SHA-1 is now considered insecure and thus shouldn't be used.

Therefore, rename these functions and constants to make it very clear
that they are for SHA-1.  Also add a comment to make it clear that these
shouldn't be used.

For the extra-misleadingly named "SHA_MESSAGE_BYTES", rename it to
SHA1_BLOCK_SIZE and define it to just '64' rather than '(512/8)' so that
it matches the same definition in <crypto/sha.h>.  This prepares for
merging <linux/cryptohash.h> into <crypto/sha.h>.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This commit is contained in:
Eric Biggers 2020-05-02 11:24:25 -07:00 committed by Herbert Xu
parent 4d21e59450
commit 6b0b0fa2bc
8 changed files with 43 additions and 37 deletions

View File

@ -7,7 +7,7 @@ SipHash - a short input PRF
SipHash is a cryptographically secure PRF -- a keyed hash function -- that SipHash is a cryptographically secure PRF -- a keyed hash function -- that
performs very well for short inputs, hence the name. It was designed by performs very well for short inputs, hence the name. It was designed by
cryptographers Daniel J. Bernstein and Jean-Philippe Aumasson. It is intended cryptographers Daniel J. Bernstein and Jean-Philippe Aumasson. It is intended
as a replacement for some uses of: `jhash`, `md5_transform`, `sha_transform`, as a replacement for some uses of: `jhash`, `md5_transform`, `sha1_transform`,
and so forth. and so forth.
SipHash takes a secret key filled with randomly generated numbers and either SipHash takes a secret key filled with randomly generated numbers and either

View File

@ -31,10 +31,10 @@ EXPORT_SYMBOL_GPL(sha1_zero_message_hash);
static void sha1_generic_block_fn(struct sha1_state *sst, u8 const *src, static void sha1_generic_block_fn(struct sha1_state *sst, u8 const *src,
int blocks) int blocks)
{ {
u32 temp[SHA_WORKSPACE_WORDS]; u32 temp[SHA1_WORKSPACE_WORDS];
while (blocks--) { while (blocks--) {
sha_transform(sst->state, src, temp); sha1_transform(sst->state, src, temp);
src += SHA1_BLOCK_SIZE; src += SHA1_BLOCK_SIZE;
} }
memzero_explicit(temp, sizeof(temp)); memzero_explicit(temp, sizeof(temp));

View File

@ -1397,14 +1397,14 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
__u32 w[5]; __u32 w[5];
unsigned long l[LONGS(20)]; unsigned long l[LONGS(20)];
} hash; } hash;
__u32 workspace[SHA_WORKSPACE_WORDS]; __u32 workspace[SHA1_WORKSPACE_WORDS];
unsigned long flags; unsigned long flags;
/* /*
* If we have an architectural hardware random number * If we have an architectural hardware random number
* generator, use it for SHA's initial vector * generator, use it for SHA's initial vector
*/ */
sha_init(hash.w); sha1_init(hash.w);
for (i = 0; i < LONGS(20); i++) { for (i = 0; i < LONGS(20); i++) {
unsigned long v; unsigned long v;
if (!arch_get_random_long(&v)) if (!arch_get_random_long(&v))
@ -1415,7 +1415,7 @@ static void extract_buf(struct entropy_store *r, __u8 *out)
/* Generate a hash across the pool, 16 words (512 bits) at a time */ /* Generate a hash across the pool, 16 words (512 bits) at a time */
spin_lock_irqsave(&r->lock, flags); spin_lock_irqsave(&r->lock, flags);
for (i = 0; i < r->poolinfo->poolwords; i += 16) for (i = 0; i < r->poolinfo->poolwords; i += 16)
sha_transform(hash.w, (__u8 *)(r->pool + i), workspace); sha1_transform(hash.w, (__u8 *)(r->pool + i), workspace);
/* /*
* We mix the hash back into the pool to prevent backtracking * We mix the hash back into the pool to prevent backtracking

View File

@ -4,11 +4,15 @@
#include <uapi/linux/types.h> #include <uapi/linux/types.h>
#define SHA_DIGEST_WORDS 5 /*
#define SHA_MESSAGE_BYTES (512 /*bits*/ / 8) * An implementation of SHA-1's compression function. Don't use in new code!
#define SHA_WORKSPACE_WORDS 16 * You shouldn't be using SHA-1, and even if you *have* to use SHA-1, this isn't
* the correct way to hash something with SHA-1 (use crypto_shash instead).
void sha_init(__u32 *buf); */
void sha_transform(__u32 *digest, const char *data, __u32 *W); #define SHA1_DIGEST_WORDS 5
#define SHA1_BLOCK_SIZE 64
#define SHA1_WORKSPACE_WORDS 16
void sha1_init(__u32 *buf);
void sha1_transform(__u32 *digest, const char *data, __u32 *W);
#endif #endif

View File

@ -746,7 +746,7 @@ static inline u32 bpf_prog_insn_size(const struct bpf_prog *prog)
static inline u32 bpf_prog_tag_scratch_size(const struct bpf_prog *prog) static inline u32 bpf_prog_tag_scratch_size(const struct bpf_prog *prog)
{ {
return round_up(bpf_prog_insn_size(prog) + return round_up(bpf_prog_insn_size(prog) +
sizeof(__be64) + 1, SHA_MESSAGE_BYTES); sizeof(__be64) + 1, SHA1_BLOCK_SIZE);
} }
static inline unsigned int bpf_prog_size(unsigned int proglen) static inline unsigned int bpf_prog_size(unsigned int proglen)

View File

@ -262,10 +262,10 @@ void __bpf_prog_free(struct bpf_prog *fp)
int bpf_prog_calc_tag(struct bpf_prog *fp) int bpf_prog_calc_tag(struct bpf_prog *fp)
{ {
const u32 bits_offset = SHA_MESSAGE_BYTES - sizeof(__be64); const u32 bits_offset = SHA1_BLOCK_SIZE - sizeof(__be64);
u32 raw_size = bpf_prog_tag_scratch_size(fp); u32 raw_size = bpf_prog_tag_scratch_size(fp);
u32 digest[SHA_DIGEST_WORDS]; u32 digest[SHA1_DIGEST_WORDS];
u32 ws[SHA_WORKSPACE_WORDS]; u32 ws[SHA1_WORKSPACE_WORDS];
u32 i, bsize, psize, blocks; u32 i, bsize, psize, blocks;
struct bpf_insn *dst; struct bpf_insn *dst;
bool was_ld_map; bool was_ld_map;
@ -277,7 +277,7 @@ int bpf_prog_calc_tag(struct bpf_prog *fp)
if (!raw) if (!raw)
return -ENOMEM; return -ENOMEM;
sha_init(digest); sha1_init(digest);
memset(ws, 0, sizeof(ws)); memset(ws, 0, sizeof(ws));
/* We need to take out the map fd for the digest calculation /* We need to take out the map fd for the digest calculation
@ -308,8 +308,8 @@ int bpf_prog_calc_tag(struct bpf_prog *fp)
memset(&raw[psize], 0, raw_size - psize); memset(&raw[psize], 0, raw_size - psize);
raw[psize++] = 0x80; raw[psize++] = 0x80;
bsize = round_up(psize, SHA_MESSAGE_BYTES); bsize = round_up(psize, SHA1_BLOCK_SIZE);
blocks = bsize / SHA_MESSAGE_BYTES; blocks = bsize / SHA1_BLOCK_SIZE;
todo = raw; todo = raw;
if (bsize - psize >= sizeof(__be64)) { if (bsize - psize >= sizeof(__be64)) {
bits = (__be64 *)(todo + bsize - sizeof(__be64)); bits = (__be64 *)(todo + bsize - sizeof(__be64));
@ -320,12 +320,12 @@ int bpf_prog_calc_tag(struct bpf_prog *fp)
*bits = cpu_to_be64((psize - 1) << 3); *bits = cpu_to_be64((psize - 1) << 3);
while (blocks--) { while (blocks--) {
sha_transform(digest, todo, ws); sha1_transform(digest, todo, ws);
todo += SHA_MESSAGE_BYTES; todo += SHA1_BLOCK_SIZE;
} }
result = (__force __be32 *)digest; result = (__force __be32 *)digest;
for (i = 0; i < SHA_DIGEST_WORDS; i++) for (i = 0; i < SHA1_DIGEST_WORDS; i++)
result[i] = cpu_to_be32(digest[i]); result[i] = cpu_to_be32(digest[i]);
memcpy(fp->tag, result, sizeof(fp->tag)); memcpy(fp->tag, result, sizeof(fp->tag));

View File

@ -64,22 +64,24 @@
#define T_60_79(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0xca62c1d6, A, B, C, D, E ) #define T_60_79(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0xca62c1d6, A, B, C, D, E )
/** /**
* sha_transform - single block SHA1 transform * sha1_transform - single block SHA1 transform (deprecated)
* *
* @digest: 160 bit digest to update * @digest: 160 bit digest to update
* @data: 512 bits of data to hash * @data: 512 bits of data to hash
* @array: 16 words of workspace (see note) * @array: 16 words of workspace (see note)
* *
* This function generates a SHA1 digest for a single 512-bit block. * This function executes SHA-1's internal compression function. It updates the
* Be warned, it does not handle padding and message digest, do not * 160-bit internal state (@digest) with a single 512-bit data block (@data).
* confuse it with the full FIPS 180-1 digest algorithm for variable *
* length messages. * Don't use this function. SHA-1 is no longer considered secure. And even if
* you do have to use SHA-1, this isn't the correct way to hash something with
* SHA-1 as this doesn't handle padding and finalization.
* *
* Note: If the hash is security sensitive, the caller should be sure * Note: If the hash is security sensitive, the caller should be sure
* to clear the workspace. This is left to the caller to avoid * to clear the workspace. This is left to the caller to avoid
* unnecessary clears between chained hashing operations. * unnecessary clears between chained hashing operations.
*/ */
void sha_transform(__u32 *digest, const char *data, __u32 *array) void sha1_transform(__u32 *digest, const char *data, __u32 *array)
{ {
__u32 A, B, C, D, E; __u32 A, B, C, D, E;
@ -185,13 +187,13 @@ void sha_transform(__u32 *digest, const char *data, __u32 *array)
digest[3] += D; digest[3] += D;
digest[4] += E; digest[4] += E;
} }
EXPORT_SYMBOL(sha_transform); EXPORT_SYMBOL(sha1_transform);
/** /**
* sha_init - initialize the vectors for a SHA1 digest * sha1_init - initialize the vectors for a SHA1 digest
* @buf: vector to initialize * @buf: vector to initialize
*/ */
void sha_init(__u32 *buf) void sha1_init(__u32 *buf)
{ {
buf[0] = 0x67452301; buf[0] = 0x67452301;
buf[1] = 0xefcdab89; buf[1] = 0xefcdab89;
@ -199,4 +201,4 @@ void sha_init(__u32 *buf)
buf[3] = 0x10325476; buf[3] = 0x10325476;
buf[4] = 0xc3d2e1f0; buf[4] = 0xc3d2e1f0;
} }
EXPORT_SYMBOL(sha_init); EXPORT_SYMBOL(sha1_init);

View File

@ -3222,11 +3222,11 @@ static int ipv6_generate_stable_address(struct in6_addr *address,
const struct inet6_dev *idev) const struct inet6_dev *idev)
{ {
static DEFINE_SPINLOCK(lock); static DEFINE_SPINLOCK(lock);
static __u32 digest[SHA_DIGEST_WORDS]; static __u32 digest[SHA1_DIGEST_WORDS];
static __u32 workspace[SHA_WORKSPACE_WORDS]; static __u32 workspace[SHA1_WORKSPACE_WORDS];
static union { static union {
char __data[SHA_MESSAGE_BYTES]; char __data[SHA1_BLOCK_SIZE];
struct { struct {
struct in6_addr secret; struct in6_addr secret;
__be32 prefix[2]; __be32 prefix[2];
@ -3251,7 +3251,7 @@ static int ipv6_generate_stable_address(struct in6_addr *address,
retry: retry:
spin_lock_bh(&lock); spin_lock_bh(&lock);
sha_init(digest); sha1_init(digest);
memset(&data, 0, sizeof(data)); memset(&data, 0, sizeof(data));
memset(workspace, 0, sizeof(workspace)); memset(workspace, 0, sizeof(workspace));
memcpy(data.hwaddr, idev->dev->perm_addr, idev->dev->addr_len); memcpy(data.hwaddr, idev->dev->perm_addr, idev->dev->addr_len);
@ -3260,7 +3260,7 @@ retry:
data.secret = secret; data.secret = secret;
data.dad_count = dad_count; data.dad_count = dad_count;
sha_transform(digest, data.__data, workspace); sha1_transform(digest, data.__data, workspace);
temp = *address; temp = *address;
temp.s6_addr32[2] = (__force __be32)digest[0]; temp.s6_addr32[2] = (__force __be32)digest[0];