[linux-block.git] / crypto / blake2b_generic.c

// SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0)
/*
 * BLAKE2b reference source code package - reference C implementations
 *
 * Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.  You may use this under the
 * terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
 * your option.  The terms of these licenses can be found at:
 *
 * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
 * - OpenSSL license   : https://www.openssl.org/source/license.html
 * - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
 *
 * More information about the BLAKE2 hash function can be found at
 * https://blake2.net.
 *
 * Note: the original sources have been modified for inclusion in linux kernel
 * in terms of coding style, using generic helpers and simplifications of error
 * handling.
 */

#include <asm/unaligned.h>
#include <linux/module.h>
#include <linux/string.h>
#include <linux/kernel.h>
#include <linux/bitops.h>
#include <crypto/internal/hash.h>

#define BLAKE2B_160_DIGEST_SIZE		(160 / 8)
#define BLAKE2B_256_DIGEST_SIZE		(256 / 8)
#define BLAKE2B_384_DIGEST_SIZE		(384 / 8)
#define BLAKE2B_512_DIGEST_SIZE		(512 / 8)

enum blake2b_constant {
	BLAKE2B_BLOCKBYTES    = 128,
	BLAKE2B_OUTBYTES      = 64,
	BLAKE2B_KEYBYTES      = 64,
	BLAKE2B_SALTBYTES     = 16,
	BLAKE2B_PERSONALBYTES = 16
};

struct blake2b_state {
	u64      h[8];
	u64      t[2];
	u64      f[2];
	u8       buf[BLAKE2B_BLOCKBYTES];
	size_t   buflen;
	size_t   outlen;
	u8       last_node;
};

struct blake2b_param {
	u8 digest_length;			/* 1 */
	u8 key_length;				/* 2 */
	u8 fanout;				/* 3 */
	u8 depth;				/* 4 */
	__le32 leaf_length;			/* 8 */
	__le32 node_offset;			/* 12 */
	__le32 xof_length;			/* 16 */
	u8 node_depth;				/* 17 */
	u8 inner_length;			/* 18 */
	u8 reserved[14];			/* 32 */
	u8 salt[BLAKE2B_SALTBYTES];		/* 48 */
	u8 personal[BLAKE2B_PERSONALBYTES];	/* 64 */
} __packed;

static const u64 blake2b_IV[8] = {
	0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
	0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
	0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
	0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
};

static const u8 blake2b_sigma[12][16] = {
	{  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 },
	{ 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 },
	{ 11,  8, 12,  0,  5,  2, 15, 13, 10, 14,  3,  6,  7,  1,  9,  4 },
	{  7,  9,  3,  1, 13, 12, 11, 14,  2,  6,  5, 10,  4,  0, 15,  8 },
	{  9,  0,  5,  7,  2,  4, 10, 15, 14,  1, 11, 12,  6,  8,  3, 13 },
	{  2, 12,  6, 10,  0, 11,  8,  3,  4, 13,  7,  5, 15, 14,  1,  9 },
	{ 12,  5,  1, 15, 14, 13,  4, 10,  0,  7,  6,  3,  9,  2,  8, 11 },
	{ 13, 11,  7, 14, 12,  1,  3,  9,  5,  0, 15,  4,  8,  6,  2, 10 },
	{  6, 15, 14,  9, 11,  3,  0,  8, 12,  2, 13,  7,  1,  4, 10,  5 },
	{ 10,  2,  8,  4,  7,  6,  1,  5, 15, 11,  9, 14,  3, 12, 13,  0 },
	{  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 },
	{ 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 }
};

static void blake2b_update(struct blake2b_state *S, const void *pin, size_t inlen);

static void blake2b_set_lastnode(struct blake2b_state *S)
{
	S->f[1] = (u64)-1;
}

static void blake2b_set_lastblock(struct blake2b_state *S)
{
	if (S->last_node)
		blake2b_set_lastnode(S);

	S->f[0] = (u64)-1;
}

static void blake2b_increment_counter(struct blake2b_state *S, const u64 inc)
{
	S->t[0] += inc;
	S->t[1] += (S->t[0] < inc);
}

#define G(r,i,a,b,c,d)                                  \
	do {                                            \
		a = a + b + m[blake2b_sigma[r][2*i+0]]; \
		d = ror64(d ^ a, 32);                   \
		c = c + d;                              \
		b = ror64(b ^ c, 24);                   \
		a = a + b + m[blake2b_sigma[r][2*i+1]]; \
		d = ror64(d ^ a, 16);                   \
		c = c + d;                              \
		b = ror64(b ^ c, 63);                   \
	} while (0)

#define ROUND(r)                                \
	do {                                    \
		G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
		G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
		G(r,2,v[ 2],v[ 6],v[10],v[14]); \
		G(r,3,v[ 3],v[ 7],v[11],v[15]); \
		G(r,4,v[ 0],v[ 5],v[10],v[15]); \
		G(r,5,v[ 1],v[ 6],v[11],v[12]); \
		G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
		G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
	} while (0)

static void blake2b_compress(struct blake2b_state *S,
			     const u8 block[BLAKE2B_BLOCKBYTES])
{
	u64 m[16];
	u64 v[16];
	size_t i;

	for (i = 0; i < 16; ++i)
		m[i] = get_unaligned_le64(block + i * sizeof(m[i]));

	for (i = 0; i < 8; ++i)
		v[i] = S->h[i];

	v[ 8] = blake2b_IV[0];
	v[ 9] = blake2b_IV[1];
	v[10] = blake2b_IV[2];
	v[11] = blake2b_IV[3];
	v[12] = blake2b_IV[4] ^ S->t[0];
	v[13] = blake2b_IV[5] ^ S->t[1];
	v[14] = blake2b_IV[6] ^ S->f[0];
	v[15] = blake2b_IV[7] ^ S->f[1];

	ROUND(0);
	ROUND(1);
	ROUND(2);
	ROUND(3);
	ROUND(4);
	ROUND(5);
	ROUND(6);
	ROUND(7);
	ROUND(8);
	ROUND(9);
	ROUND(10);
	ROUND(11);

	for (i = 0; i < 8; ++i)
		S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
}

#undef G
#undef ROUND

static void blake2b_update(struct blake2b_state *S, const void *pin, size_t inlen)
{
	const u8 *in = (const u8 *)pin;

	if (inlen > 0) {
		size_t left = S->buflen;
		size_t fill = BLAKE2B_BLOCKBYTES - left;

		if (inlen > fill) {
			S->buflen = 0;
			/* Fill buffer */
			memcpy(S->buf + left, in, fill);
			blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES);
			/* Compress */
			blake2b_compress(S, S->buf);
			in += fill;
			inlen -= fill;
			while (inlen > BLAKE2B_BLOCKBYTES) {
				blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES);
				blake2b_compress(S, in);
				in += BLAKE2B_BLOCKBYTES;
				inlen -= BLAKE2B_BLOCKBYTES;
			}
		}
		memcpy(S->buf + S->buflen, in, inlen);
		S->buflen += inlen;
	}
}

struct digest_tfm_ctx {
	u8 key[BLAKE2B_KEYBYTES];
	unsigned int keylen;
};

static int digest_setkey(struct crypto_shash *tfm, const u8 *key,
			 unsigned int keylen)
{
	struct digest_tfm_ctx *mctx = crypto_shash_ctx(tfm);

	if (keylen == 0 || keylen > BLAKE2B_KEYBYTES) {
		crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
		return -EINVAL;
	}

	memcpy(mctx->key, key, keylen);
	mctx->keylen = keylen;

	return 0;
}

static int blake2b_init(struct shash_desc *desc)
{
	struct digest_tfm_ctx *mctx = crypto_shash_ctx(desc->tfm);
	struct blake2b_state *state = shash_desc_ctx(desc);
	const int digestsize = crypto_shash_digestsize(desc->tfm);

	memset(state, 0, sizeof(*state));
	memcpy(state->h, blake2b_IV, sizeof(state->h));

	/* Parameter block is all zeros except index 0, no xor for 1..7 */
	state->h[0] ^= 0x01010000 | mctx->keylen << 8 | digestsize;

	if (mctx->keylen) {
		u8 block[BLAKE2B_BLOCKBYTES];

		memset(block, 0, BLAKE2B_BLOCKBYTES);
		memcpy(block, mctx->key, mctx->keylen);
		blake2b_update(state, block, BLAKE2B_BLOCKBYTES);
		memzero_explicit(block, BLAKE2B_BLOCKBYTES);
	}
	return 0;
}

static int digest_update(struct shash_desc *desc, const u8 *data,
			 unsigned int length)
{
	struct blake2b_state *state = shash_desc_ctx(desc);

	blake2b_update(state, data, length);
	return 0;
}

static int blake2b_final(struct shash_desc *desc, u8 *out)
{
	struct blake2b_state *state = shash_desc_ctx(desc);
	const int digestsize = crypto_shash_digestsize(desc->tfm);
	size_t i;

	blake2b_increment_counter(state, state->buflen);
	blake2b_set_lastblock(state);
	/* Padding */
	memset(state->buf + state->buflen, 0, BLAKE2B_BLOCKBYTES - state->buflen);
	blake2b_compress(state, state->buf);

	/* Avoid temporary buffer and switch the internal output to LE order */
	for (i = 0; i < ARRAY_SIZE(state->h); i++)
		__cpu_to_le64s(&state->h[i]);

	memcpy(out, state->h, digestsize);
	return 0;
}

static struct shash_alg blake2b_algs[] = {
	{
		.base.cra_name		= "blake2b-160",
		.base.cra_driver_name	= "blake2b-160-generic",
		.base.cra_priority	= 100,
		.base.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,
		.base.cra_blocksize	= BLAKE2B_BLOCKBYTES,
		.base.cra_ctxsize	= sizeof(struct digest_tfm_ctx),
		.base.cra_module	= THIS_MODULE,
		.digestsize		= BLAKE2B_160_DIGEST_SIZE,
		.setkey			= digest_setkey,
		.init			= blake2b_init,
		.update			= digest_update,
		.final			= blake2b_final,
		.descsize		= sizeof(struct blake2b_state),
	}, {
		.base.cra_name		= "blake2b-256",
		.base.cra_driver_name	= "blake2b-256-generic",
		.base.cra_priority	= 100,
		.base.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,
		.base.cra_blocksize	= BLAKE2B_BLOCKBYTES,
		.base.cra_ctxsize	= sizeof(struct digest_tfm_ctx),
		.base.cra_module	= THIS_MODULE,
		.digestsize		= BLAKE2B_256_DIGEST_SIZE,
		.setkey			= digest_setkey,
		.init			= blake2b_init,
		.update			= digest_update,
		.final			= blake2b_final,
		.descsize		= sizeof(struct blake2b_state),
	}, {
		.base.cra_name		= "blake2b-384",
		.base.cra_driver_name	= "blake2b-384-generic",
		.base.cra_priority	= 100,
		.base.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,
		.base.cra_blocksize	= BLAKE2B_BLOCKBYTES,
		.base.cra_ctxsize	= sizeof(struct digest_tfm_ctx),
		.base.cra_module	= THIS_MODULE,
		.digestsize		= BLAKE2B_384_DIGEST_SIZE,
		.setkey			= digest_setkey,
		.init			= blake2b_init,
		.update			= digest_update,
		.final			= blake2b_final,
		.descsize		= sizeof(struct blake2b_state),
	}, {
		.base.cra_name		= "blake2b-512",
		.base.cra_driver_name	= "blake2b-512-generic",
		.base.cra_priority	= 100,
		.base.cra_flags		= CRYPTO_ALG_OPTIONAL_KEY,
		.base.cra_blocksize	= BLAKE2B_BLOCKBYTES,
		.base.cra_ctxsize	= sizeof(struct digest_tfm_ctx),
		.base.cra_module	= THIS_MODULE,
		.digestsize		= BLAKE2B_512_DIGEST_SIZE,
		.setkey			= digest_setkey,
		.init			= blake2b_init,
		.update			= digest_update,
		.final			= blake2b_final,
		.descsize		= sizeof(struct blake2b_state),
	}
};

static int __init blake2b_mod_init(void)
{
	BUILD_BUG_ON(sizeof(struct blake2b_param) != BLAKE2B_OUTBYTES);

	return crypto_register_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs));
}

static void __exit blake2b_mod_fini(void)
{
	crypto_unregister_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs));
}

subsys_initcall(blake2b_mod_init);
module_exit(blake2b_mod_fini);

MODULE_AUTHOR("David Sterba <kdave@kernel.org>");
MODULE_DESCRIPTION("BLAKE2b generic implementation");
MODULE_LICENSE("GPL");
MODULE_ALIAS_CRYPTO("blake2b-160");
MODULE_ALIAS_CRYPTO("blake2b-160-generic");
MODULE_ALIAS_CRYPTO("blake2b-256");
MODULE_ALIAS_CRYPTO("blake2b-256-generic");
MODULE_ALIAS_CRYPTO("blake2b-384");
MODULE_ALIAS_CRYPTO("blake2b-384-generic");
MODULE_ALIAS_CRYPTO("blake2b-512");
MODULE_ALIAS_CRYPTO("blake2b-512-generic");
Commit	Line	Data
91d68933 DS	1	// SPDX-License-Identifier: (GPL-2.0-only OR Apache-2.0)
	2	/*
	3	* BLAKE2b reference source code package - reference C implementations
	4	*
	5	* Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the
	6	* terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
	7	* your option. The terms of these licenses can be found at:
	8	*
	9	* - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
	10	* - OpenSSL license : https://www.openssl.org/source/license.html
	11	* - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
	12	*
	13	* More information about the BLAKE2 hash function can be found at
	14	* https://blake2.net.
	15	*
	16	* Note: the original sources have been modified for inclusion in linux kernel
	17	* in terms of coding style, using generic helpers and simplifications of error
	18	* handling.
	19	*/
	20
	21	#include <asm/unaligned.h>
	22	#include <linux/module.h>
	23	#include <linux/string.h>
	24	#include <linux/kernel.h>
	25	#include <linux/bitops.h>
	26	#include <crypto/internal/hash.h>
	27
	28	#define BLAKE2B_160_DIGEST_SIZE (160 / 8)
	29	#define BLAKE2B_256_DIGEST_SIZE (256 / 8)
	30	#define BLAKE2B_384_DIGEST_SIZE (384 / 8)
	31	#define BLAKE2B_512_DIGEST_SIZE (512 / 8)
	32
	33	enum blake2b_constant {
	34	BLAKE2B_BLOCKBYTES = 128,
	35	BLAKE2B_OUTBYTES = 64,
	36	BLAKE2B_KEYBYTES = 64,
	37	BLAKE2B_SALTBYTES = 16,
	38	BLAKE2B_PERSONALBYTES = 16
	39	};
	40
	41	struct blake2b_state {
	42	u64 h[8];
	43	u64 t[2];
	44	u64 f[2];
	45	u8 buf[BLAKE2B_BLOCKBYTES];
	46	size_t buflen;
	47	size_t outlen;
	48	u8 last_node;
	49	};
	50
	51	struct blake2b_param {
	52	u8 digest_length; /* 1 */
	53	u8 key_length; /* 2 */
	54	u8 fanout; /* 3 */
	55	u8 depth; /* 4 */
	56	__le32 leaf_length; /* 8 */
	57	__le32 node_offset; /* 12 */
	58	__le32 xof_length; /* 16 */
	59	u8 node_depth; /* 17 */
	60	u8 inner_length; /* 18 */
	61	u8 reserved[14]; /* 32 */
	62	u8 salt[BLAKE2B_SALTBYTES]; /* 48 */
	63	u8 personal[BLAKE2B_PERSONALBYTES]; /* 64 */
	64	} __packed;
65
66	static const u64 blake2b_IV[8] = {
67	0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
68	0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
69	0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
70	0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
71	};
72
73	static const u8 blake2b_sigma[12][16] = {
74	{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
75	{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
76	{ 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
77	{ 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
78	{ 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
79	{ 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
80	{ 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
81	{ 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
82	{ 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
83	{ 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
84	{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
85	{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
86	};
87
88	static void blake2b_update(struct blake2b_state S, const void pin, size_t inlen);
89
90	static void blake2b_set_lastnode(struct blake2b_state *S)
91	{
92	S->f[1] = (u64)-1;
93	}
94
95	static void blake2b_set_lastblock(struct blake2b_state *S)
96	{
97	if (S->last_node)
98	blake2b_set_lastnode(S);
99
100	S->f[0] = (u64)-1;
101	}
102
103	static void blake2b_increment_counter(struct blake2b_state *S, const u64 inc)
104	{
105	S->t[0] += inc;
106	S->t[1] += (S->t[0] < inc);
107	}
108
91d68933 DS	109	#define G(r,i,a,b,c,d) \
	110	do { \
	111	a = a + b + m[blake2b_sigma[r][2*i+0]]; \
	112	d = ror64(d ^ a, 32); \
	113	c = c + d; \
	114	b = ror64(b ^ c, 24); \
	115	a = a + b + m[blake2b_sigma[r][2*i+1]]; \
	116	d = ror64(d ^ a, 16); \
	117	c = c + d; \
	118	b = ror64(b ^ c, 63); \
	119	} while (0)
	120
	121	#define ROUND(r) \
	122	do { \
	123	G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
	124	G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
	125	G(r,2,v[ 2],v[ 6],v[10],v[14]); \
	126	G(r,3,v[ 3],v[ 7],v[11],v[15]); \
	127	G(r,4,v[ 0],v[ 5],v[10],v[15]); \
	128	G(r,5,v[ 1],v[ 6],v[11],v[12]); \
	129	G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
	130	G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
	131	} while (0)
	132
	133	static void blake2b_compress(struct blake2b_state *S,
	134	const u8 block[BLAKE2B_BLOCKBYTES])
	135	{
	136	u64 m[16];
	137	u64 v[16];
	138	size_t i;
	139
	140	for (i = 0; i < 16; ++i)
	141	m[i] = get_unaligned_le64(block + i * sizeof(m[i]));
	142
	143	for (i = 0; i < 8; ++i)
	144	v[i] = S->h[i];
	145
	146	v[ 8] = blake2b_IV[0];
	147	v[ 9] = blake2b_IV[1];
	148	v[10] = blake2b_IV[2];
	149	v[11] = blake2b_IV[3];
	150	v[12] = blake2b_IV[4] ^ S->t[0];
	151	v[13] = blake2b_IV[5] ^ S->t[1];
	152	v[14] = blake2b_IV[6] ^ S->f[0];
	153	v[15] = blake2b_IV[7] ^ S->f[1];
	154
	155	ROUND(0);
	156	ROUND(1);
	157	ROUND(2);
	158	ROUND(3);
	159	ROUND(4);
	160	ROUND(5);
	161	ROUND(6);
	162	ROUND(7);
	163	ROUND(8);
	164	ROUND(9);
	165	ROUND(10);
	166	ROUND(11);
	167
	168	for (i = 0; i < 8; ++i)
	169	S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
	170	}
	171
	172	#undef G
173	#undef ROUND
174
175	static void blake2b_update(struct blake2b_state S, const void pin, size_t inlen)
176	{
177	const u8 in = (const u8 )pin;
178
179	if (inlen > 0) {
180	size_t left = S->buflen;
181	size_t fill = BLAKE2B_BLOCKBYTES - left;
182
183	if (inlen > fill) {
184	S->buflen = 0;
185	/* Fill buffer */
186	memcpy(S->buf + left, in, fill);
187	blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES);
188	/* Compress */
189	blake2b_compress(S, S->buf);
190	in += fill;
191	inlen -= fill;
192	while (inlen > BLAKE2B_BLOCKBYTES) {
193	blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES);
194	blake2b_compress(S, in);
195	in += BLAKE2B_BLOCKBYTES;
196	inlen -= BLAKE2B_BLOCKBYTES;
197	}
198	}
199	memcpy(S->buf + S->buflen, in, inlen);
200	S->buflen += inlen;
201	}
202	}
203
91d68933 DS	204	struct digest_tfm_ctx {
	205	u8 key[BLAKE2B_KEYBYTES];
	206	unsigned int keylen;
	207	};
	208
	209	static int digest_setkey(struct crypto_shash tfm, const u8 key,
	210	unsigned int keylen)
	211	{
	212	struct digest_tfm_ctx *mctx = crypto_shash_ctx(tfm);
	213
	214	if (keylen == 0 \|\| keylen > BLAKE2B_KEYBYTES) {
	215	crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
	216	return -EINVAL;
	217	}
	218
	219	memcpy(mctx->key, key, keylen);
	220	mctx->keylen = keylen;
	221
	222	return 0;
	223	}
	224
e3749695	225	static int blake2b_init(struct shash_desc *desc)
91d68933 DS	226	{
	227	struct digest_tfm_ctx *mctx = crypto_shash_ctx(desc->tfm);
	228	struct blake2b_state *state = shash_desc_ctx(desc);
	229	const int digestsize = crypto_shash_digestsize(desc->tfm);
	230
e3749695 DS	231	memset(state, 0, sizeof(*state));
	232	memcpy(state->h, blake2b_IV, sizeof(state->h));
	233
	234	/* Parameter block is all zeros except index 0, no xor for 1..7 */
	235	state->h[0] ^= 0x01010000 \| mctx->keylen << 8 \| digestsize;
	236
	237	if (mctx->keylen) {
	238	u8 block[BLAKE2B_BLOCKBYTES];
	239
	240	memset(block, 0, BLAKE2B_BLOCKBYTES);
	241	memcpy(block, mctx->key, mctx->keylen);
	242	blake2b_update(state, block, BLAKE2B_BLOCKBYTES);
	243	memzero_explicit(block, BLAKE2B_BLOCKBYTES);
	244	}
91d68933 DS	245	return 0;
	246	}
	247
	248	static int digest_update(struct shash_desc desc, const u8 data,
	249	unsigned int length)
	250	{
	251	struct blake2b_state *state = shash_desc_ctx(desc);
	252
	253	blake2b_update(state, data, length);
	254	return 0;
	255	}
	256
086db43b	257	static int blake2b_final(struct shash_desc desc, u8 out)
91d68933 DS	258	{
	259	struct blake2b_state *state = shash_desc_ctx(desc);
	260	const int digestsize = crypto_shash_digestsize(desc->tfm);
086db43b DS	261	size_t i;
	262
	263	blake2b_increment_counter(state, state->buflen);
	264	blake2b_set_lastblock(state);
	265	/* Padding */
	266	memset(state->buf + state->buflen, 0, BLAKE2B_BLOCKBYTES - state->buflen);
	267	blake2b_compress(state, state->buf);
	268
	269	/* Avoid temporary buffer and switch the internal output to LE order */
	270	for (i = 0; i < ARRAY_SIZE(state->h); i++)
	271	__cpu_to_le64s(&state->h[i]);
91d68933	272
086db43b	273	memcpy(out, state->h, digestsize);
91d68933 DS	274	return 0;
	275	}
	276
	277	static struct shash_alg blake2b_algs[] = {
	278	{
	279	.base.cra_name = "blake2b-160",
	280	.base.cra_driver_name = "blake2b-160-generic",
	281	.base.cra_priority = 100,
	282	.base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
	283	.base.cra_blocksize = BLAKE2B_BLOCKBYTES,
	284	.base.cra_ctxsize = sizeof(struct digest_tfm_ctx),
	285	.base.cra_module = THIS_MODULE,
	286	.digestsize = BLAKE2B_160_DIGEST_SIZE,
	287	.setkey = digest_setkey,
e3749695	288	.init = blake2b_init,
91d68933	289	.update = digest_update,
086db43b	290	.final = blake2b_final,
91d68933 DS	291	.descsize = sizeof(struct blake2b_state),
	292	}, {
	293	.base.cra_name = "blake2b-256",
	294	.base.cra_driver_name = "blake2b-256-generic",
	295	.base.cra_priority = 100,
	296	.base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
	297	.base.cra_blocksize = BLAKE2B_BLOCKBYTES,
	298	.base.cra_ctxsize = sizeof(struct digest_tfm_ctx),
	299	.base.cra_module = THIS_MODULE,
	300	.digestsize = BLAKE2B_256_DIGEST_SIZE,
	301	.setkey = digest_setkey,
e3749695	302	.init = blake2b_init,
91d68933	303	.update = digest_update,
086db43b	304	.final = blake2b_final,
91d68933 DS	305	.descsize = sizeof(struct blake2b_state),
	306	}, {
	307	.base.cra_name = "blake2b-384",
	308	.base.cra_driver_name = "blake2b-384-generic",
	309	.base.cra_priority = 100,
	310	.base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
	311	.base.cra_blocksize = BLAKE2B_BLOCKBYTES,
	312	.base.cra_ctxsize = sizeof(struct digest_tfm_ctx),
	313	.base.cra_module = THIS_MODULE,
	314	.digestsize = BLAKE2B_384_DIGEST_SIZE,
	315	.setkey = digest_setkey,
e3749695	316	.init = blake2b_init,
91d68933	317	.update = digest_update,
086db43b	318	.final = blake2b_final,
91d68933 DS	319	.descsize = sizeof(struct blake2b_state),
	320	}, {
	321	.base.cra_name = "blake2b-512",
	322	.base.cra_driver_name = "blake2b-512-generic",
	323	.base.cra_priority = 100,
	324	.base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
	325	.base.cra_blocksize = BLAKE2B_BLOCKBYTES,
	326	.base.cra_ctxsize = sizeof(struct digest_tfm_ctx),
	327	.base.cra_module = THIS_MODULE,
	328	.digestsize = BLAKE2B_512_DIGEST_SIZE,
	329	.setkey = digest_setkey,
e3749695	330	.init = blake2b_init,
91d68933	331	.update = digest_update,
086db43b	332	.final = blake2b_final,
91d68933 DS	333	.descsize = sizeof(struct blake2b_state),
	334	}
	335	};
	336
	337	static int __init blake2b_mod_init(void)
	338	{
	339	BUILD_BUG_ON(sizeof(struct blake2b_param) != BLAKE2B_OUTBYTES);
	340
	341	return crypto_register_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs));
	342	}
	343
	344	static void __exit blake2b_mod_fini(void)
	345	{
	346	crypto_unregister_shashes(blake2b_algs, ARRAY_SIZE(blake2b_algs));
	347	}
	348
	349	subsys_initcall(blake2b_mod_init);
	350	module_exit(blake2b_mod_fini);
	351
	352	MODULE_AUTHOR("David Sterba <kdave@kernel.org>");
	353	MODULE_DESCRIPTION("BLAKE2b generic implementation");
	354	MODULE_LICENSE("GPL");
	355	MODULE_ALIAS_CRYPTO("blake2b-160");
	356	MODULE_ALIAS_CRYPTO("blake2b-160-generic");
	357	MODULE_ALIAS_CRYPTO("blake2b-256");
	358	MODULE_ALIAS_CRYPTO("blake2b-256-generic");
	359	MODULE_ALIAS_CRYPTO("blake2b-384");
	360	MODULE_ALIAS_CRYPTO("blake2b-384-generic");
	361	MODULE_ALIAS_CRYPTO("blake2b-512");
	362	MODULE_ALIAS_CRYPTO("blake2b-512-generic");