tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
crypto: lib/chacha - strongly type the ChaCha state
The ChaCha state matrix is 16 32-bit words. Currently it is represented
in the code as a raw u32 array, or even just a pointer to u32. This
weak typing is error-prone. Instead, introduce struct chacha_state:
struct chacha_state {
u32 x[16];
};
Convert all ChaCha and HChaCha functions to use struct chacha_state.
No functional changes.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Kent Overstreet <kent.overstreet@linux.dev>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
authored by
Eric Biggers
and committed by
Herbert Xu
98066f2f
97855e7f
+228
-190
+17
-13
arch/arm/lib/crypto/chacha-glue.c
+17
-13
arch/arm/lib/crypto/chacha-glue.c
···
17
17
#include <asm/neon.h>
18
18
#include <asm/simd.h>
19
19
20
-
asmlinkage void chacha_block_xor_neon(const u32 *state, u8 *dst, const u8 *src,
21
-
int nrounds);
22
-
asmlinkage void chacha_4block_xor_neon(const u32 *state, u8 *dst, const u8 *src,
20
+
asmlinkage void chacha_block_xor_neon(const struct chacha_state *state,
21
+
u8 *dst, const u8 *src, int nrounds);
22
+
asmlinkage void chacha_4block_xor_neon(const struct chacha_state *state,
23
+
u8 *dst, const u8 *src,
23
24
int nrounds, unsigned int nbytes);
24
-
asmlinkage void hchacha_block_arm(const u32 *state, u32 *out, int nrounds);
25
-
asmlinkage void hchacha_block_neon(const u32 *state, u32 *out, int nrounds);
25
+
asmlinkage void hchacha_block_arm(const struct chacha_state *state,
26
+
u32 *out, int nrounds);
27
+
asmlinkage void hchacha_block_neon(const struct chacha_state *state,
28
+
u32 *out, int nrounds);
26
29
27
30
asmlinkage void chacha_doarm(u8 *dst, const u8 *src, unsigned int bytes,
28
-
const u32 *state, int nrounds);
31
+
const struct chacha_state *state, int nrounds);
29
32
30
33
static __ro_after_init DEFINE_STATIC_KEY_FALSE(use_neon);
31
34
···
37
34
return static_branch_likely(&use_neon) && crypto_simd_usable();
38
35
}
39
36
40
-
static void chacha_doneon(u32 *state, u8 *dst, const u8 *src,
37
+
static void chacha_doneon(struct chacha_state *state, u8 *dst, const u8 *src,
41
38
unsigned int bytes, int nrounds)
42
39
{
43
40
u8 buf[CHACHA_BLOCK_SIZE];
···
49
46
bytes -= l;
50
47
src += l;
51
48
dst += l;
52
-
state[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE);
49
+
state->x[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE);
53
50
}
54
51
if (bytes) {
55
52
const u8 *s = src;
···
60
57
chacha_block_xor_neon(state, d, s, nrounds);
61
58
if (d != dst)
62
59
memcpy(dst, buf, bytes);
63
-
state[12]++;
60
+
state->x[12]++;
64
61
}
65
62
}
66
63
67
-
void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds)
64
+
void hchacha_block_arch(const struct chacha_state *state, u32 *stream,
65
+
int nrounds)
68
66
{
69
67
if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon_usable()) {
70
68
hchacha_block_arm(state, stream, nrounds);
···
77
73
}
78
74
EXPORT_SYMBOL(hchacha_block_arch);
79
75
80
-
void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
81
-
int nrounds)
76
+
void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
77
+
unsigned int bytes, int nrounds)
82
78
{
83
79
if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon_usable() ||
84
80
bytes <= CHACHA_BLOCK_SIZE) {
85
81
chacha_doarm(dst, src, bytes, state, nrounds);
86
-
state[12] += DIV_ROUND_UP(bytes, CHACHA_BLOCK_SIZE);
82
+
state->x[12] += DIV_ROUND_UP(bytes, CHACHA_BLOCK_SIZE);
87
83
return;
88
84
}
89
85
+3
-2
arch/arm/lib/crypto/chacha-scalar-core.S
+3
-2
arch/arm/lib/crypto/chacha-scalar-core.S
···
367
367
368
368
/*
369
369
* void chacha_doarm(u8 *dst, const u8 *src, unsigned int bytes,
370
-
* const u32 *state, int nrounds);
370
+
* const struct chacha_state *state, int nrounds);
371
371
*/
372
372
ENTRY(chacha_doarm)
373
373
cmp r2, #0 // len == 0?
···
407
407
ENDPROC(chacha_doarm)
408
408
409
409
/*
410
-
* void hchacha_block_arm(const u32 state[16], u32 out[8], int nrounds);
410
+
* void hchacha_block_arm(const struct chacha_state *state,
411
+
* u32 out[8], int nrounds);
411
412
*/
412
413
ENTRY(hchacha_block_arm)
413
414
push {r1,r4-r11,lr}
+13
-10
arch/arm64/lib/crypto/chacha-neon-glue.c
+13
-10
arch/arm64/lib/crypto/chacha-neon-glue.c
···
28
28
#include <asm/neon.h>
29
29
#include <asm/simd.h>
30
30
31
-
asmlinkage void chacha_block_xor_neon(u32 *state, u8 *dst, const u8 *src,
32
-
int nrounds);
33
-
asmlinkage void chacha_4block_xor_neon(u32 *state, u8 *dst, const u8 *src,
31
+
asmlinkage void chacha_block_xor_neon(const struct chacha_state *state,
32
+
u8 *dst, const u8 *src, int nrounds);
33
+
asmlinkage void chacha_4block_xor_neon(const struct chacha_state *state,
34
+
u8 *dst, const u8 *src,
34
35
int nrounds, int bytes);
35
-
asmlinkage void hchacha_block_neon(const u32 *state, u32 *out, int nrounds);
36
+
asmlinkage void hchacha_block_neon(const struct chacha_state *state,
37
+
u32 *out, int nrounds);
36
38
37
39
static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
38
40
39
-
static void chacha_doneon(u32 *state, u8 *dst, const u8 *src,
41
+
static void chacha_doneon(struct chacha_state *state, u8 *dst, const u8 *src,
40
42
int bytes, int nrounds)
41
43
{
42
44
while (bytes > 0) {
···
50
48
memcpy(buf, src, l);
51
49
chacha_block_xor_neon(state, buf, buf, nrounds);
52
50
memcpy(dst, buf, l);
53
-
state[12] += 1;
51
+
state->x[12] += 1;
54
52
break;
55
53
}
56
54
chacha_4block_xor_neon(state, dst, src, nrounds, l);
57
55
bytes -= l;
58
56
src += l;
59
57
dst += l;
60
-
state[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE);
58
+
state->x[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE);
61
59
}
62
60
}
63
61
64
-
void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds)
62
+
void hchacha_block_arch(const struct chacha_state *state, u32 *stream,
63
+
int nrounds)
65
64
{
66
65
if (!static_branch_likely(&have_neon) || !crypto_simd_usable()) {
67
66
hchacha_block_generic(state, stream, nrounds);
···
74
71
}
75
72
EXPORT_SYMBOL(hchacha_block_arch);
76
73
77
-
void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
78
-
int nrounds)
74
+
void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
75
+
unsigned int bytes, int nrounds)
79
76
{
80
77
if (!static_branch_likely(&have_neon) || bytes <= CHACHA_BLOCK_SIZE ||
81
78
!crypto_simd_usable())
+4
-2
arch/mips/lib/crypto/chacha-glue.c
+4
-2
arch/mips/lib/crypto/chacha-glue.c
···
9
9
#include <linux/kernel.h>
10
10
#include <linux/module.h>
11
11
12
-
asmlinkage void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src,
12
+
asmlinkage void chacha_crypt_arch(struct chacha_state *state,
13
+
u8 *dst, const u8 *src,
13
14
unsigned int bytes, int nrounds);
14
15
EXPORT_SYMBOL(chacha_crypt_arch);
15
16
16
-
asmlinkage void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds);
17
+
asmlinkage void hchacha_block_arch(const struct chacha_state *state,
18
+
u32 *stream, int nrounds);
17
19
EXPORT_SYMBOL(hchacha_block_arch);
18
20
19
21
bool chacha_is_arch_optimized(void)
+8
-7
arch/powerpc/lib/crypto/chacha-p10-glue.c
+8
-7
arch/powerpc/lib/crypto/chacha-p10-glue.c
···
14
14
#include <asm/simd.h>
15
15
#include <asm/switch_to.h>
16
16
17
-
asmlinkage void chacha_p10le_8x(u32 *state, u8 *dst, const u8 *src,
18
-
unsigned int len, int nrounds);
17
+
asmlinkage void chacha_p10le_8x(const struct chacha_state *state, u8 *dst,
18
+
const u8 *src, unsigned int len, int nrounds);
19
19
20
20
static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_p10);
21
21
···
31
31
preempt_enable();
32
32
}
33
33
34
-
static void chacha_p10_do_8x(u32 *state, u8 *dst, const u8 *src,
34
+
static void chacha_p10_do_8x(struct chacha_state *state, u8 *dst, const u8 *src,
35
35
unsigned int bytes, int nrounds)
36
36
{
37
37
unsigned int l = bytes & ~0x0FF;
···
41
41
bytes -= l;
42
42
src += l;
43
43
dst += l;
44
-
state[12] += l / CHACHA_BLOCK_SIZE;
44
+
state->x[12] += l / CHACHA_BLOCK_SIZE;
45
45
}
46
46
47
47
if (bytes > 0)
48
48
chacha_crypt_generic(state, dst, src, bytes, nrounds);
49
49
}
50
50
51
-
void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds)
51
+
void hchacha_block_arch(const struct chacha_state *state,
52
+
u32 *stream, int nrounds)
52
53
{
53
54
hchacha_block_generic(state, stream, nrounds);
54
55
}
55
56
EXPORT_SYMBOL(hchacha_block_arch);
56
57
57
-
void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
58
-
int nrounds)
58
+
void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
59
+
unsigned int bytes, int nrounds)
59
60
{
60
61
if (!static_branch_likely(&have_p10) || bytes <= CHACHA_BLOCK_SIZE ||
61
62
!crypto_simd_usable())
+2
-4
arch/powerpc/lib/crypto/chacha-p10le-8x.S
+2
-4
arch/powerpc/lib/crypto/chacha-p10le-8x.S
···
7
7
#===================================================================================
8
8
# Written by Danny Tsen <dtsen@us.ibm.com>
9
9
#
10
-
# chacha_p10le_8x(u32 *state, byte *dst, const byte *src,
11
-
# size_t len, int nrounds);
12
-
#
13
10
# do rounds, 8 quarter rounds
14
11
# 1. a += b; d ^= a; d <<<= 16;
15
12
# 2. c += d; b ^= c; b <<<= 12;
···
572
575
.endm
573
576
574
577
#
575
-
# chacha20_p10le_8x(u32 *state, byte *dst, const byte *src, size_t len, int nrounds);
578
+
# void chacha_p10le_8x(const struct chacha_state *state, u8 *dst, const u8 *src,
579
+
# unsigned int len, int nrounds);
576
580
#
577
581
SYM_FUNC_START(chacha_p10le_8x)
578
582
.align 5
+4
-4
arch/riscv/lib/crypto/chacha-riscv64-glue.c
+4
-4
arch/riscv/lib/crypto/chacha-riscv64-glue.c
···
15
15
16
16
static __ro_after_init DEFINE_STATIC_KEY_FALSE(use_zvkb);
17
17
18
-
asmlinkage void chacha_zvkb(u32 state[16], const u8 *in, u8 *out,
18
+
asmlinkage void chacha_zvkb(struct chacha_state *state, const u8 *in, u8 *out,
19
19
size_t nblocks, int nrounds);
20
20
21
-
void hchacha_block_arch(const u32 *state, u32 *out, int nrounds)
21
+
void hchacha_block_arch(const struct chacha_state *state, u32 *out, int nrounds)
22
22
{
23
23
hchacha_block_generic(state, out, nrounds);
24
24
}
25
25
EXPORT_SYMBOL(hchacha_block_arch);
26
26
27
-
void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
28
-
int nrounds)
27
+
void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
28
+
unsigned int bytes, int nrounds)
29
29
{
30
30
u8 block_buffer[CHACHA_BLOCK_SIZE];
31
31
unsigned int full_blocks = bytes / CHACHA_BLOCK_SIZE;
+5
-5
arch/riscv/lib/crypto/chacha-riscv64-zvkb.S
+5
-5
arch/riscv/lib/crypto/chacha-riscv64-zvkb.S
···
132
132
vror.vi \b3, \b3, 32 - 7
133
133
.endm
134
134
135
-
// void chacha_zvkb(u32 state[16], const u8 *in, u8 *out, size_t nblocks,
136
-
// int nrounds);
135
+
// void chacha_zvkb(struct chacha_state *state, const u8 *in, u8 *out,
136
+
// size_t nblocks, int nrounds);
137
137
//
138
138
// |nblocks| is the number of 64-byte blocks to process, and must be nonzero.
139
139
//
140
140
// |state| gives the ChaCha state matrix, including the 32-bit counter in
141
-
// state[12] following the RFC7539 convention; note that this differs from the
142
-
// original Salsa20 paper which uses a 64-bit counter in state[12..13]. The
143
-
// updated 32-bit counter is written back to state[12] before returning.
141
+
// state->x[12] following the RFC7539 convention; note that this differs from
142
+
// the original Salsa20 paper which uses a 64-bit counter in state->x[12..13].
143
+
// The updated 32-bit counter is written back to state->x[12] before returning.
144
144
SYM_FUNC_START(chacha_zvkb)
145
145
addi sp, sp, -96
146
146
sd s0, 0(sp)
+6
-5
arch/s390/lib/crypto/chacha-glue.c
+6
-5
arch/s390/lib/crypto/chacha-glue.c
···
16
16
#include <asm/fpu.h>
17
17
#include "chacha-s390.h"
18
18
19
-
void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds)
19
+
void hchacha_block_arch(const struct chacha_state *state,
20
+
u32 *stream, int nrounds)
20
21
{
21
22
/* TODO: implement hchacha_block_arch() in assembly */
22
23
hchacha_block_generic(state, stream, nrounds);
23
24
}
24
25
EXPORT_SYMBOL(hchacha_block_arch);
25
26
26
-
void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src,
27
+
void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
27
28
unsigned int bytes, int nrounds)
28
29
{
29
30
/* s390 chacha20 implementation has 20 rounds hard-coded,
···
37
36
DECLARE_KERNEL_FPU_ONSTACK32(vxstate);
38
37
39
38
kernel_fpu_begin(&vxstate, KERNEL_VXR);
40
-
chacha20_vx(dst, src, bytes, &state[4], &state[12]);
39
+
chacha20_vx(dst, src, bytes, &state->x[4], &state->x[12]);
41
40
kernel_fpu_end(&vxstate, KERNEL_VXR);
42
41
43
-
state[12] += round_up(bytes, CHACHA_BLOCK_SIZE) /
44
-
CHACHA_BLOCK_SIZE;
42
+
state->x[12] += round_up(bytes, CHACHA_BLOCK_SIZE) /
43
+
CHACHA_BLOCK_SIZE;
45
44
}
46
45
}
47
46
EXPORT_SYMBOL(chacha_crypt_arch);
+34
-24
arch/x86/lib/crypto/chacha_glue.c
+34
-24
arch/x86/lib/crypto/chacha_glue.c
···
12
12
#include <linux/module.h>
13
13
#include <linux/sizes.h>
14
14
15
-
asmlinkage void chacha_block_xor_ssse3(u32 *state, u8 *dst, const u8 *src,
15
+
asmlinkage void chacha_block_xor_ssse3(const struct chacha_state *state,
16
+
u8 *dst, const u8 *src,
16
17
unsigned int len, int nrounds);
17
-
asmlinkage void chacha_4block_xor_ssse3(u32 *state, u8 *dst, const u8 *src,
18
+
asmlinkage void chacha_4block_xor_ssse3(const struct chacha_state *state,
19
+
u8 *dst, const u8 *src,
18
20
unsigned int len, int nrounds);
19
-
asmlinkage void hchacha_block_ssse3(const u32 *state, u32 *out, int nrounds);
21
+
asmlinkage void hchacha_block_ssse3(const struct chacha_state *state,
22
+
u32 *out, int nrounds);
20
23
21
-
asmlinkage void chacha_2block_xor_avx2(u32 *state, u8 *dst, const u8 *src,
24
+
asmlinkage void chacha_2block_xor_avx2(const struct chacha_state *state,
25
+
u8 *dst, const u8 *src,
22
26
unsigned int len, int nrounds);
23
-
asmlinkage void chacha_4block_xor_avx2(u32 *state, u8 *dst, const u8 *src,
27
+
asmlinkage void chacha_4block_xor_avx2(const struct chacha_state *state,
28
+
u8 *dst, const u8 *src,
24
29
unsigned int len, int nrounds);
25
-
asmlinkage void chacha_8block_xor_avx2(u32 *state, u8 *dst, const u8 *src,
30
+
asmlinkage void chacha_8block_xor_avx2(const struct chacha_state *state,
31
+
u8 *dst, const u8 *src,
26
32
unsigned int len, int nrounds);
27
33
28
-
asmlinkage void chacha_2block_xor_avx512vl(u32 *state, u8 *dst, const u8 *src,
34
+
asmlinkage void chacha_2block_xor_avx512vl(const struct chacha_state *state,
35
+
u8 *dst, const u8 *src,
29
36
unsigned int len, int nrounds);
30
-
asmlinkage void chacha_4block_xor_avx512vl(u32 *state, u8 *dst, const u8 *src,
37
+
asmlinkage void chacha_4block_xor_avx512vl(const struct chacha_state *state,
38
+
u8 *dst, const u8 *src,
31
39
unsigned int len, int nrounds);
32
-
asmlinkage void chacha_8block_xor_avx512vl(u32 *state, u8 *dst, const u8 *src,
40
+
asmlinkage void chacha_8block_xor_avx512vl(const struct chacha_state *state,
41
+
u8 *dst, const u8 *src,
33
42
unsigned int len, int nrounds);
34
43
35
44
static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_simd);
···
51
42
return round_up(len, CHACHA_BLOCK_SIZE) / CHACHA_BLOCK_SIZE;
52
43
}
53
44
54
-
static void chacha_dosimd(u32 *state, u8 *dst, const u8 *src,
45
+
static void chacha_dosimd(struct chacha_state *state, u8 *dst, const u8 *src,
55
46
unsigned int bytes, int nrounds)
56
47
{
57
48
if (static_branch_likely(&chacha_use_avx512vl)) {
···
61
52
bytes -= CHACHA_BLOCK_SIZE * 8;
62
53
src += CHACHA_BLOCK_SIZE * 8;
63
54
dst += CHACHA_BLOCK_SIZE * 8;
64
-
state[12] += 8;
55
+
state->x[12] += 8;
65
56
}
66
57
if (bytes > CHACHA_BLOCK_SIZE * 4) {
67
58
chacha_8block_xor_avx512vl(state, dst, src, bytes,
68
59
nrounds);
69
-
state[12] += chacha_advance(bytes, 8);
60
+
state->x[12] += chacha_advance(bytes, 8);
70
61
return;
71
62
}
72
63
if (bytes > CHACHA_BLOCK_SIZE * 2) {
73
64
chacha_4block_xor_avx512vl(state, dst, src, bytes,
74
65
nrounds);
75
-
state[12] += chacha_advance(bytes, 4);
66
+
state->x[12] += chacha_advance(bytes, 4);
76
67
return;
77
68
}
78
69
if (bytes) {
79
70
chacha_2block_xor_avx512vl(state, dst, src, bytes,
80
71
nrounds);
81
-
state[12] += chacha_advance(bytes, 2);
72
+
state->x[12] += chacha_advance(bytes, 2);
82
73
return;
83
74
}
84
75
}
···
89
80
bytes -= CHACHA_BLOCK_SIZE * 8;
90
81
src += CHACHA_BLOCK_SIZE * 8;
91
82
dst += CHACHA_BLOCK_SIZE * 8;
92
-
state[12] += 8;
83
+
state->x[12] += 8;
93
84
}
94
85
if (bytes > CHACHA_BLOCK_SIZE * 4) {
95
86
chacha_8block_xor_avx2(state, dst, src, bytes, nrounds);
96
-
state[12] += chacha_advance(bytes, 8);
87
+
state->x[12] += chacha_advance(bytes, 8);
97
88
return;
98
89
}
99
90
if (bytes > CHACHA_BLOCK_SIZE * 2) {
100
91
chacha_4block_xor_avx2(state, dst, src, bytes, nrounds);
101
-
state[12] += chacha_advance(bytes, 4);
92
+
state->x[12] += chacha_advance(bytes, 4);
102
93
return;
103
94
}
104
95
if (bytes > CHACHA_BLOCK_SIZE) {
105
96
chacha_2block_xor_avx2(state, dst, src, bytes, nrounds);
106
-
state[12] += chacha_advance(bytes, 2);
97
+
state->x[12] += chacha_advance(bytes, 2);
107
98
return;
108
99
}
109
100
}
···
113
104
bytes -= CHACHA_BLOCK_SIZE * 4;
114
105
src += CHACHA_BLOCK_SIZE * 4;
115
106
dst += CHACHA_BLOCK_SIZE * 4;
116
-
state[12] += 4;
107
+
state->x[12] += 4;
117
108
}
118
109
if (bytes > CHACHA_BLOCK_SIZE) {
119
110
chacha_4block_xor_ssse3(state, dst, src, bytes, nrounds);
120
-
state[12] += chacha_advance(bytes, 4);
111
+
state->x[12] += chacha_advance(bytes, 4);
121
112
return;
122
113
}
123
114
if (bytes) {
124
115
chacha_block_xor_ssse3(state, dst, src, bytes, nrounds);
125
-
state[12]++;
116
+
state->x[12]++;
126
117
}
127
118
}
128
119
129
-
void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds)
120
+
void hchacha_block_arch(const struct chacha_state *state,
121
+
u32 *stream, int nrounds)
130
122
{
131
123
if (!static_branch_likely(&chacha_use_simd)) {
132
124
hchacha_block_generic(state, stream, nrounds);
···
139
129
}
140
130
EXPORT_SYMBOL(hchacha_block_arch);
141
131
142
-
void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
143
-
int nrounds)
132
+
void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
133
+
unsigned int bytes, int nrounds)
144
134
{
145
135
if (!static_branch_likely(&chacha_use_simd) ||
146
136
bytes <= CHACHA_BLOCK_SIZE)
+8
-8
crypto/chacha.c
+8
-8
crypto/chacha.c
···
50
50
bool arch)
51
51
{
52
52
struct skcipher_walk walk;
53
-
u32 state[16];
53
+
struct chacha_state state;
54
54
int err;
55
55
56
56
err = skcipher_walk_virt(&walk, req, false);
57
57
58
-
chacha_init(state, ctx->key, iv);
58
+
chacha_init(&state, ctx->key, iv);
59
59
60
60
while (walk.nbytes > 0) {
61
61
unsigned int nbytes = walk.nbytes;
···
64
64
nbytes = round_down(nbytes, CHACHA_BLOCK_SIZE);
65
65
66
66
if (arch)
67
-
chacha_crypt(state, walk.dst.virt.addr,
67
+
chacha_crypt(&state, walk.dst.virt.addr,
68
68
walk.src.virt.addr, nbytes, ctx->nrounds);
69
69
else
70
-
chacha_crypt_generic(state, walk.dst.virt.addr,
70
+
chacha_crypt_generic(&state, walk.dst.virt.addr,
71
71
walk.src.virt.addr, nbytes,
72
72
ctx->nrounds);
73
73
err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
···
97
97
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
98
98
const struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
99
99
struct chacha_ctx subctx;
100
-
u32 state[16];
100
+
struct chacha_state state;
101
101
u8 real_iv[16];
102
102
103
103
/* Compute the subkey given the original key and first 128 nonce bits */
104
-
chacha_init(state, ctx->key, req->iv);
104
+
chacha_init(&state, ctx->key, req->iv);
105
105
if (arch)
106
-
hchacha_block(state, subctx.key, ctx->nrounds);
106
+
hchacha_block(&state, subctx.key, ctx->nrounds);
107
107
else
108
-
hchacha_block_generic(state, subctx.key, ctx->nrounds);
108
+
hchacha_block_generic(&state, subctx.key, ctx->nrounds);
109
109
subctx.nrounds = ctx->nrounds;
110
110
111
111
/* Build the real IV */
+21
-20
drivers/char/random.c
+21
-20
drivers/char/random.c
···
309
309
* key value, at index 4, so the state should always be zeroed out
310
310
* immediately after using in order to maintain forward secrecy.
311
311
* If the state cannot be erased in a timely manner, then it is
312
-
* safer to set the random_data parameter to &chacha_state[4] so
313
-
* that this function overwrites it before returning.
312
+
* safer to set the random_data parameter to &chacha_state->x[4]
313
+
* so that this function overwrites it before returning.
314
314
*/
315
315
static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE],
316
-
u32 chacha_state[CHACHA_STATE_WORDS],
316
+
struct chacha_state *chacha_state,
317
317
u8 *random_data, size_t random_data_len)
318
318
{
319
319
u8 first_block[CHACHA_BLOCK_SIZE];
···
321
321
BUG_ON(random_data_len > 32);
322
322
323
323
chacha_init_consts(chacha_state);
324
-
memcpy(&chacha_state[4], key, CHACHA_KEY_SIZE);
325
-
memset(&chacha_state[12], 0, sizeof(u32) * 4);
324
+
memcpy(&chacha_state->x[4], key, CHACHA_KEY_SIZE);
325
+
memset(&chacha_state->x[12], 0, sizeof(u32) * 4);
326
326
chacha20_block(chacha_state, first_block);
327
327
328
328
memcpy(key, first_block, CHACHA_KEY_SIZE);
···
335
335
* random data. It also returns up to 32 bytes on its own of random data
336
336
* that may be used; random_data_len may not be greater than 32.
337
337
*/
338
-
static void crng_make_state(u32 chacha_state[CHACHA_STATE_WORDS],
338
+
static void crng_make_state(struct chacha_state *chacha_state,
339
339
u8 *random_data, size_t random_data_len)
340
340
{
341
341
unsigned long flags;
···
395
395
396
396
static void _get_random_bytes(void *buf, size_t len)
397
397
{
398
-
u32 chacha_state[CHACHA_STATE_WORDS];
398
+
struct chacha_state chacha_state;
399
399
u8 tmp[CHACHA_BLOCK_SIZE];
400
400
size_t first_block_len;
401
401
···
403
403
return;
404
404
405
405
first_block_len = min_t(size_t, 32, len);
406
-
crng_make_state(chacha_state, buf, first_block_len);
406
+
crng_make_state(&chacha_state, buf, first_block_len);
407
407
len -= first_block_len;
408
408
buf += first_block_len;
409
409
410
410
while (len) {
411
411
if (len < CHACHA_BLOCK_SIZE) {
412
-
chacha20_block(chacha_state, tmp);
412
+
chacha20_block(&chacha_state, tmp);
413
413
memcpy(buf, tmp, len);
414
414
memzero_explicit(tmp, sizeof(tmp));
415
415
break;
416
416
}
417
417
418
-
chacha20_block(chacha_state, buf);
419
-
if (unlikely(chacha_state[12] == 0))
420
-
++chacha_state[13];
418
+
chacha20_block(&chacha_state, buf);
419
+
if (unlikely(chacha_state.x[12] == 0))
420
+
++chacha_state.x[13];
421
421
len -= CHACHA_BLOCK_SIZE;
422
422
buf += CHACHA_BLOCK_SIZE;
423
423
}
424
424
425
-
memzero_explicit(chacha_state, sizeof(chacha_state));
425
+
memzero_explicit(&chacha_state, sizeof(chacha_state));
426
426
}
427
427
428
428
/*
···
441
441
442
442
static ssize_t get_random_bytes_user(struct iov_iter *iter)
443
443
{
444
-
u32 chacha_state[CHACHA_STATE_WORDS];
444
+
struct chacha_state chacha_state;
445
445
u8 block[CHACHA_BLOCK_SIZE];
446
446
size_t ret = 0, copied;
447
447
···
453
453
* bytes, in case userspace causes copy_to_iter() below to sleep
454
454
* forever, so that we still retain forward secrecy in that case.
455
455
*/
456
-
crng_make_state(chacha_state, (u8 *)&chacha_state[4], CHACHA_KEY_SIZE);
456
+
crng_make_state(&chacha_state, (u8 *)&chacha_state.x[4],
457
+
CHACHA_KEY_SIZE);
457
458
/*
458
459
* However, if we're doing a read of len <= 32, we don't need to
459
460
* use chacha_state after, so we can simply return those bytes to
460
461
* the user directly.
461
462
*/
462
463
if (iov_iter_count(iter) <= CHACHA_KEY_SIZE) {
463
-
ret = copy_to_iter(&chacha_state[4], CHACHA_KEY_SIZE, iter);
464
+
ret = copy_to_iter(&chacha_state.x[4], CHACHA_KEY_SIZE, iter);
464
465
goto out_zero_chacha;
465
466
}
466
467
467
468
for (;;) {
468
-
chacha20_block(chacha_state, block);
469
-
if (unlikely(chacha_state[12] == 0))
470
-
++chacha_state[13];
469
+
chacha20_block(&chacha_state, block);
470
+
if (unlikely(chacha_state.x[12] == 0))
471
+
++chacha_state.x[13];
471
472
472
473
copied = copy_to_iter(block, sizeof(block), iter);
473
474
ret += copied;
···
485
484
486
485
memzero_explicit(block, sizeof(block));
487
486
out_zero_chacha:
488
-
memzero_explicit(chacha_state, sizeof(chacha_state));
487
+
memzero_explicit(&chacha_state, sizeof(chacha_state));
489
488
return ret ? ret : -EFAULT;
490
489
}
491
490
+9
-9
fs/bcachefs/checksum.c
+9
-9
fs/bcachefs/checksum.c
···
91
91
}
92
92
}
93
93
94
-
static void bch2_chacha20_init(u32 state[CHACHA_STATE_WORDS],
94
+
static void bch2_chacha20_init(struct chacha_state *state,
95
95
const struct bch_key *key, struct nonce nonce)
96
96
{
97
97
u32 key_words[CHACHA_KEY_SIZE / sizeof(u32)];
···
109
109
static void bch2_chacha20(const struct bch_key *key, struct nonce nonce,
110
110
void *data, size_t len)
111
111
{
112
-
u32 state[CHACHA_STATE_WORDS];
112
+
struct chacha_state state;
113
113
114
-
bch2_chacha20_init(state, key, nonce);
115
-
chacha20_crypt(state, data, data, len);
116
-
memzero_explicit(state, sizeof(state));
114
+
bch2_chacha20_init(&state, key, nonce);
115
+
chacha20_crypt(&state, data, data, len);
116
+
memzero_explicit(&state, sizeof(state));
117
117
}
118
118
119
119
static void bch2_poly1305_init(struct poly1305_desc_ctx *desc,
···
257
257
{
258
258
struct bio_vec bv;
259
259
struct bvec_iter iter;
260
-
u32 chacha_state[CHACHA_STATE_WORDS];
260
+
struct chacha_state chacha_state;
261
261
int ret = 0;
262
262
263
263
if (bch2_fs_inconsistent_on(!c->chacha20_key_set,
264
264
c, "attempting to encrypt without encryption key"))
265
265
return -BCH_ERR_no_encryption_key;
266
266
267
-
bch2_chacha20_init(chacha_state, &c->chacha20_key, nonce);
267
+
bch2_chacha20_init(&chacha_state, &c->chacha20_key, nonce);
268
268
269
269
bio_for_each_segment(bv, bio, iter) {
270
270
void *p;
···
280
280
}
281
281
282
282
p = bvec_kmap_local(&bv);
283
-
chacha20_crypt(chacha_state, p, p, bv.bv_len);
283
+
chacha20_crypt(&chacha_state, p, p, bv.bv_len);
284
284
kunmap_local(p);
285
285
}
286
-
memzero_explicit(chacha_state, sizeof(chacha_state));
286
+
memzero_explicit(&chacha_state, sizeof(chacha_state));
287
287
return ret;
288
288
}
289
289
+37
-28
include/crypto/chacha.h
+37
-28
include/crypto/chacha.h
···
30
30
/* 192-bit nonce, then 64-bit stream position */
31
31
#define XCHACHA_IV_SIZE 32
32
32
33
-
void chacha_block_generic(u32 *state, u8 *stream, int nrounds);
34
-
static inline void chacha20_block(u32 *state, u8 *stream)
33
+
struct chacha_state {
34
+
u32 x[CHACHA_STATE_WORDS];
35
+
};
36
+
37
+
void chacha_block_generic(struct chacha_state *state, u8 *stream, int nrounds);
38
+
static inline void chacha20_block(struct chacha_state *state, u8 *stream)
35
39
{
36
40
chacha_block_generic(state, stream, 20);
37
41
}
38
42
39
-
void hchacha_block_arch(const u32 *state, u32 *out, int nrounds);
40
-
void hchacha_block_generic(const u32 *state, u32 *out, int nrounds);
43
+
void hchacha_block_arch(const struct chacha_state *state, u32 *out,
44
+
int nrounds);
45
+
void hchacha_block_generic(const struct chacha_state *state, u32 *out,
46
+
int nrounds);
41
47
42
-
static inline void hchacha_block(const u32 *state, u32 *out, int nrounds)
48
+
static inline void hchacha_block(const struct chacha_state *state, u32 *out,
49
+
int nrounds)
43
50
{
44
51
if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
45
52
hchacha_block_arch(state, out, nrounds);
···
61
54
CHACHA_CONSTANT_TE_K = 0x6b206574U
62
55
};
63
56
64
-
static inline void chacha_init_consts(u32 *state)
57
+
static inline void chacha_init_consts(struct chacha_state *state)
65
58
{
66
-
state[0] = CHACHA_CONSTANT_EXPA;
67
-
state[1] = CHACHA_CONSTANT_ND_3;
68
-
state[2] = CHACHA_CONSTANT_2_BY;
69
-
state[3] = CHACHA_CONSTANT_TE_K;
59
+
state->x[0] = CHACHA_CONSTANT_EXPA;
60
+
state->x[1] = CHACHA_CONSTANT_ND_3;
61
+
state->x[2] = CHACHA_CONSTANT_2_BY;
62
+
state->x[3] = CHACHA_CONSTANT_TE_K;
70
63
}
71
64
72
-
static inline void chacha_init(u32 *state, const u32 *key, const u8 *iv)
65
+
static inline void chacha_init(struct chacha_state *state,
66
+
const u32 *key, const u8 *iv)
73
67
{
74
68
chacha_init_consts(state);
75
-
state[4] = key[0];
76
-
state[5] = key[1];
77
-
state[6] = key[2];
78
-
state[7] = key[3];
79
-
state[8] = key[4];
80
-
state[9] = key[5];
81
-
state[10] = key[6];
82
-
state[11] = key[7];
83
-
state[12] = get_unaligned_le32(iv + 0);
84
-
state[13] = get_unaligned_le32(iv + 4);
85
-
state[14] = get_unaligned_le32(iv + 8);
86
-
state[15] = get_unaligned_le32(iv + 12);
69
+
state->x[4] = key[0];
70
+
state->x[5] = key[1];
71
+
state->x[6] = key[2];
72
+
state->x[7] = key[3];
73
+
state->x[8] = key[4];
74
+
state->x[9] = key[5];
75
+
state->x[10] = key[6];
76
+
state->x[11] = key[7];
77
+
state->x[12] = get_unaligned_le32(iv + 0);
78
+
state->x[13] = get_unaligned_le32(iv + 4);
79
+
state->x[14] = get_unaligned_le32(iv + 8);
80
+
state->x[15] = get_unaligned_le32(iv + 12);
87
81
}
88
82
89
-
void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src,
83
+
void chacha_crypt_arch(struct chacha_state *state, u8 *dst, const u8 *src,
90
84
unsigned int bytes, int nrounds);
91
-
void chacha_crypt_generic(u32 *state, u8 *dst, const u8 *src,
85
+
void chacha_crypt_generic(struct chacha_state *state, u8 *dst, const u8 *src,
92
86
unsigned int bytes, int nrounds);
93
87
94
-
static inline void chacha_crypt(u32 *state, u8 *dst, const u8 *src,
88
+
static inline void chacha_crypt(struct chacha_state *state,
89
+
u8 *dst, const u8 *src,
95
90
unsigned int bytes, int nrounds)
96
91
{
97
92
if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
···
102
93
chacha_crypt_generic(state, dst, src, bytes, nrounds);
103
94
}
104
95
105
-
static inline void chacha20_crypt(u32 *state, u8 *dst, const u8 *src,
106
-
unsigned int bytes)
96
+
static inline void chacha20_crypt(struct chacha_state *state,
97
+
u8 *dst, const u8 *src, unsigned int bytes)
107
98
{
108
99
chacha_crypt(state, dst, src, bytes, 20);
109
100
}
+19
-16
lib/crypto/chacha.c
+19
-16
lib/crypto/chacha.c
···
13
13
#include <linux/unaligned.h>
14
14
#include <crypto/chacha.h>
15
15
16
-
static void chacha_permute(u32 *x, int nrounds)
16
+
static void chacha_permute(struct chacha_state *state, int nrounds)
17
17
{
18
+
u32 *x = state->x;
18
19
int i;
19
20
20
21
/* whitelist the allowed round counts */
···
66
65
67
66
/**
68
67
* chacha_block_generic - generate one keystream block and increment block counter
69
-
* @state: input state matrix (16 32-bit words)
68
+
* @state: input state matrix
70
69
* @stream: output keystream block (64 bytes)
71
70
* @nrounds: number of rounds (20 or 12; 20 is recommended)
72
71
*
···
74
73
* The caller has already converted the endianness of the input. This function
75
74
* also handles incrementing the block counter in the input matrix.
76
75
*/
77
-
void chacha_block_generic(u32 *state, u8 *stream, int nrounds)
76
+
void chacha_block_generic(struct chacha_state *state, u8 *stream, int nrounds)
78
77
{
79
-
u32 x[16];
78
+
struct chacha_state permuted_state;
80
79
int i;
81
80
82
-
memcpy(x, state, 64);
81
+
memcpy(permuted_state.x, state->x, 64);
83
82
84
-
chacha_permute(x, nrounds);
83
+
chacha_permute(&permuted_state, nrounds);
85
84
86
-
for (i = 0; i < ARRAY_SIZE(x); i++)
87
-
put_unaligned_le32(x[i] + state[i], &stream[i * sizeof(u32)]);
85
+
for (i = 0; i < ARRAY_SIZE(state->x); i++)
86
+
put_unaligned_le32(permuted_state.x[i] + state->x[i],
87
+
&stream[i * sizeof(u32)]);
88
88
89
-
state[12]++;
89
+
state->x[12]++;
90
90
}
91
91
EXPORT_SYMBOL(chacha_block_generic);
92
92
93
93
/**
94
94
* hchacha_block_generic - abbreviated ChaCha core, for XChaCha
95
-
* @state: input state matrix (16 32-bit words)
95
+
* @state: input state matrix
96
96
* @stream: output (8 32-bit words)
97
97
* @nrounds: number of rounds (20 or 12; 20 is recommended)
98
98
*
···
102
100
* skips the final addition of the initial state, and outputs only certain words
103
101
* of the state. It should not be used for streaming directly.
104
102
*/
105
-
void hchacha_block_generic(const u32 *state, u32 *stream, int nrounds)
103
+
void hchacha_block_generic(const struct chacha_state *state,
104
+
u32 *stream, int nrounds)
106
105
{
107
-
u32 x[16];
106
+
struct chacha_state permuted_state;
108
107
109
-
memcpy(x, state, 64);
108
+
memcpy(permuted_state.x, state->x, 64);
110
109
111
-
chacha_permute(x, nrounds);
110
+
chacha_permute(&permuted_state, nrounds);
112
111
113
-
memcpy(&stream[0], &x[0], 16);
114
-
memcpy(&stream[4], &x[12], 16);
112
+
memcpy(&stream[0], &permuted_state.x[0], 16);
113
+
memcpy(&stream[4], &permuted_state.x[12], 16);
115
114
}
116
115
EXPORT_SYMBOL(hchacha_block_generic);
+4
-4
lib/crypto/chacha20poly1305-selftest.c
+4
-4
lib/crypto/chacha20poly1305-selftest.c
···
8832
8832
{
8833
8833
const u8 *pad0 = page_address(ZERO_PAGE(0));
8834
8834
struct poly1305_desc_ctx poly1305_state;
8835
-
u32 chacha20_state[CHACHA_STATE_WORDS];
8835
+
struct chacha_state chacha20_state;
8836
8836
union {
8837
8837
u8 block0[POLY1305_KEY_SIZE];
8838
8838
__le64 lens[2];
···
8844
8844
memcpy(&bottom_row[4], nonce, 12);
8845
8845
for (i = 0; i < 8; ++i)
8846
8846
le_key[i] = get_unaligned_le32(key + sizeof(le_key[i]) * i);
8847
-
chacha_init(chacha20_state, le_key, bottom_row);
8848
-
chacha20_crypt(chacha20_state, b.block0, b.block0, sizeof(b.block0));
8847
+
chacha_init(&chacha20_state, le_key, bottom_row);
8848
+
chacha20_crypt(&chacha20_state, b.block0, b.block0, sizeof(b.block0));
8849
8849
poly1305_init(&poly1305_state, b.block0);
8850
8850
poly1305_update(&poly1305_state, ad, ad_len);
8851
8851
poly1305_update(&poly1305_state, pad0, (0x10 - ad_len) & 0xf);
8852
-
chacha20_crypt(chacha20_state, dst, src, src_len);
8852
+
chacha20_crypt(&chacha20_state, dst, src, src_len);
8853
8853
poly1305_update(&poly1305_state, dst, src_len);
8854
8854
poly1305_update(&poly1305_state, pad0, (0x10 - src_len) & 0xf);
8855
8855
b.lens[0] = cpu_to_le64(ad_len);
+28
-23
lib/crypto/chacha20poly1305.c
+28
-23
lib/crypto/chacha20poly1305.c
···
32
32
k[7] = get_unaligned_le32(in + 28);
33
33
}
34
34
35
-
static void xchacha_init(u32 *chacha_state, const u8 *key, const u8 *nonce)
35
+
static void xchacha_init(struct chacha_state *chacha_state,
36
+
const u8 *key, const u8 *nonce)
36
37
{
37
38
u32 k[CHACHA_KEY_WORDS];
38
39
u8 iv[CHACHA_IV_SIZE];
···
55
54
56
55
static void
57
56
__chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
58
-
const u8 *ad, const size_t ad_len, u32 *chacha_state)
57
+
const u8 *ad, const size_t ad_len,
58
+
struct chacha_state *chacha_state)
59
59
{
60
60
const u8 *pad0 = page_address(ZERO_PAGE(0));
61
61
struct poly1305_desc_ctx poly1305_state;
···
84
82
85
83
poly1305_final(&poly1305_state, dst + src_len);
86
84
87
-
memzero_explicit(chacha_state, CHACHA_STATE_WORDS * sizeof(u32));
85
+
memzero_explicit(chacha_state, sizeof(*chacha_state));
88
86
memzero_explicit(&b, sizeof(b));
89
87
}
90
88
···
93
91
const u64 nonce,
94
92
const u8 key[CHACHA20POLY1305_KEY_SIZE])
95
93
{
96
-
u32 chacha_state[CHACHA_STATE_WORDS];
94
+
struct chacha_state chacha_state;
97
95
u32 k[CHACHA_KEY_WORDS];
98
96
__le64 iv[2];
99
97
···
102
100
iv[0] = 0;
103
101
iv[1] = cpu_to_le64(nonce);
104
102
105
-
chacha_init(chacha_state, k, (u8 *)iv);
106
-
__chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len, chacha_state);
103
+
chacha_init(&chacha_state, k, (u8 *)iv);
104
+
__chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len,
105
+
&chacha_state);
107
106
108
107
memzero_explicit(iv, sizeof(iv));
109
108
memzero_explicit(k, sizeof(k));
···
116
113
const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
117
114
const u8 key[CHACHA20POLY1305_KEY_SIZE])
118
115
{
119
-
u32 chacha_state[CHACHA_STATE_WORDS];
116
+
struct chacha_state chacha_state;
120
117
121
-
xchacha_init(chacha_state, key, nonce);
122
-
__chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len, chacha_state);
118
+
xchacha_init(&chacha_state, key, nonce);
119
+
__chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len,
120
+
&chacha_state);
123
121
}
124
122
EXPORT_SYMBOL(xchacha20poly1305_encrypt);
125
123
126
124
static bool
127
125
__chacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
128
-
const u8 *ad, const size_t ad_len, u32 *chacha_state)
126
+
const u8 *ad, const size_t ad_len,
127
+
struct chacha_state *chacha_state)
129
128
{
130
129
const u8 *pad0 = page_address(ZERO_PAGE(0));
131
130
struct poly1305_desc_ctx poly1305_state;
···
174
169
const u64 nonce,
175
170
const u8 key[CHACHA20POLY1305_KEY_SIZE])
176
171
{
177
-
u32 chacha_state[CHACHA_STATE_WORDS];
172
+
struct chacha_state chacha_state;
178
173
u32 k[CHACHA_KEY_WORDS];
179
174
__le64 iv[2];
180
175
bool ret;
···
184
179
iv[0] = 0;
185
180
iv[1] = cpu_to_le64(nonce);
186
181
187
-
chacha_init(chacha_state, k, (u8 *)iv);
182
+
chacha_init(&chacha_state, k, (u8 *)iv);
188
183
ret = __chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len,
189
-
chacha_state);
184
+
&chacha_state);
190
185
191
-
memzero_explicit(chacha_state, sizeof(chacha_state));
186
+
memzero_explicit(&chacha_state, sizeof(chacha_state));
192
187
memzero_explicit(iv, sizeof(iv));
193
188
memzero_explicit(k, sizeof(k));
194
189
return ret;
···
200
195
const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
201
196
const u8 key[CHACHA20POLY1305_KEY_SIZE])
202
197
{
203
-
u32 chacha_state[CHACHA_STATE_WORDS];
198
+
struct chacha_state chacha_state;
204
199
205
-
xchacha_init(chacha_state, key, nonce);
200
+
xchacha_init(&chacha_state, key, nonce);
206
201
return __chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len,
207
-
chacha_state);
202
+
&chacha_state);
208
203
}
209
204
EXPORT_SYMBOL(xchacha20poly1305_decrypt);
210
205
···
218
213
{
219
214
const u8 *pad0 = page_address(ZERO_PAGE(0));
220
215
struct poly1305_desc_ctx poly1305_state;
221
-
u32 chacha_state[CHACHA_STATE_WORDS];
216
+
struct chacha_state chacha_state;
222
217
struct sg_mapping_iter miter;
223
218
size_t partial = 0;
224
219
unsigned int flags;
···
245
240
b.iv[0] = 0;
246
241
b.iv[1] = cpu_to_le64(nonce);
247
242
248
-
chacha_init(chacha_state, b.k, (u8 *)b.iv);
249
-
chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
243
+
chacha_init(&chacha_state, b.k, (u8 *)b.iv);
244
+
chacha20_crypt(&chacha_state, b.block0, pad0, sizeof(b.block0));
250
245
poly1305_init(&poly1305_state, b.block0);
251
246
252
247
if (unlikely(ad_len)) {
···
281
276
282
277
if (unlikely(length < sl))
283
278
l &= ~(CHACHA_BLOCK_SIZE - 1);
284
-
chacha20_crypt(chacha_state, addr, addr, l);
279
+
chacha20_crypt(&chacha_state, addr, addr, l);
285
280
addr += l;
286
281
length -= l;
287
282
}
288
283
289
284
if (unlikely(length > 0)) {
290
-
chacha20_crypt(chacha_state, b.chacha_stream, pad0,
285
+
chacha20_crypt(&chacha_state, b.chacha_stream, pad0,
291
286
CHACHA_BLOCK_SIZE);
292
287
crypto_xor(addr, b.chacha_stream, length);
293
288
partial = length;
···
328
323
!crypto_memneq(b.mac[0], b.mac[1], POLY1305_DIGEST_SIZE);
329
324
}
330
325
331
-
memzero_explicit(chacha_state, sizeof(chacha_state));
326
+
memzero_explicit(&chacha_state, sizeof(chacha_state));
332
327
memzero_explicit(&b, sizeof(b));
333
328
334
329
return ret;
+1
-1
lib/crypto/libchacha.c
+1
-1
lib/crypto/libchacha.c
···
12
12
#include <crypto/algapi.h> // for crypto_xor_cpy
13
13
#include <crypto/chacha.h>
14
14
15
-
void chacha_crypt_generic(u32 *state, u8 *dst, const u8 *src,
15
+
void chacha_crypt_generic(struct chacha_state *state, u8 *dst, const u8 *src,
16
16
unsigned int bytes, int nrounds)
17
17
{
18
18
/* aligned to potentially speed up crypto_xor() */
+5
-5
tools/testing/crypto/chacha20-s390/test-cipher.c
+5
-5
tools/testing/crypto/chacha20-s390/test-cipher.c
···
50
50
/* Perform cipher operations with the chacha lib */
51
51
static int test_lib_chacha(u8 *revert, u8 *cipher, u8 *plain)
52
52
{
53
-
u32 chacha_state[CHACHA_STATE_WORDS];
53
+
struct chacha_state chacha_state;
54
54
u8 iv[16], key[32];
55
55
u64 start, end;
56
56
···
66
66
}
67
67
68
68
/* Encrypt */
69
-
chacha_init(chacha_state, (u32 *)key, iv);
69
+
chacha_init(&chacha_state, (u32 *)key, iv);
70
70
71
71
start = ktime_get_ns();
72
-
chacha_crypt_arch(chacha_state, cipher, plain, data_size, 20);
72
+
chacha_crypt_arch(&chacha_state, cipher, plain, data_size, 20);
73
73
end = ktime_get_ns();
74
74
75
75
···
81
81
pr_info("lib encryption took: %lld nsec", end - start);
82
82
83
83
/* Decrypt */
84
-
chacha_init(chacha_state, (u32 *)key, iv);
84
+
chacha_init(&chacha_state, (u32 *)key, iv);
85
85
86
86
start = ktime_get_ns();
87
-
chacha_crypt_arch(chacha_state, revert, cipher, data_size, 20);
87
+
chacha_crypt_arch(&chacha_state, revert, cipher, data_size, 20);
88
88
end = ktime_get_ns();
89
89
90
90
if (debug)