Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge branch 'remove-low-level-sha-1-functions'

Eric Biggers says:

====================
Remove low-level SHA-1 functions

This series updates net/ipv6/addrconf.c to use the regular SHA-1
functions, then removes sha1_init_raw() and sha1_transform().

(These were originally patches 25-26 of the series
https://lore.kernel.org/linux-crypto/20250712232329.818226-1-ebiggers@kernel.org/ )
====================

Link: https://patch.msgid.link/20260123051656.396371-1-ebiggers@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+30 -64
-10
include/crypto/sha1.h
··· 26 26 u8 buffer[SHA1_BLOCK_SIZE]; 27 27 }; 28 28 29 - /* 30 - * An implementation of SHA-1's compression function. Don't use in new code! 31 - * You shouldn't be using SHA-1, and even if you *have* to use SHA-1, this isn't 32 - * the correct way to hash something with SHA-1 (use crypto_shash instead). 33 - */ 34 - #define SHA1_DIGEST_WORDS (SHA1_DIGEST_SIZE / 4) 35 - #define SHA1_WORKSPACE_WORDS 16 36 - void sha1_init_raw(__u32 *buf); 37 - void sha1_transform(__u32 *digest, const char *data, __u32 *W); 38 - 39 29 /* State for the SHA-1 compression function */ 40 30 struct sha1_block_state { 41 31 u32 h[SHA1_DIGEST_SIZE / 4];
+17 -46
lib/crypto/sha1.c
··· 49 49 #endif 50 50 51 51 /* This "rolls" over the 512-bit array */ 52 - #define W(x) (array[(x)&15]) 52 + #define W(x) (workspace[(x)&15]) 53 53 54 54 /* 55 55 * Where do we get the source from? The first 16 iterations get it from ··· 70 70 #define T_40_59(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, ((B&C)+(D&(B^C))) , 0x8f1bbcdc, A, B, C, D, E ) 71 71 #define T_60_79(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0xca62c1d6, A, B, C, D, E ) 72 72 73 - /** 74 - * sha1_transform - single block SHA1 transform (deprecated) 75 - * 76 - * @digest: 160 bit digest to update 77 - * @data: 512 bits of data to hash 78 - * @array: 16 words of workspace (see note) 79 - * 80 - * This function executes SHA-1's internal compression function. It updates the 81 - * 160-bit internal state (@digest) with a single 512-bit data block (@data). 82 - * 83 - * Don't use this function. SHA-1 is no longer considered secure. And even if 84 - * you do have to use SHA-1, this isn't the correct way to hash something with 85 - * SHA-1 as this doesn't handle padding and finalization. 86 - * 87 - * Note: If the hash is security sensitive, the caller should be sure 88 - * to clear the workspace. This is left to the caller to avoid 89 - * unnecessary clears between chained hashing operations. 90 - */ 91 - void sha1_transform(__u32 *digest, const char *data, __u32 *array) 73 + #define SHA1_WORKSPACE_WORDS 16 74 + 75 + static void sha1_block_generic(struct sha1_block_state *state, 76 + const u8 data[SHA1_BLOCK_SIZE], 77 + u32 workspace[SHA1_WORKSPACE_WORDS]) 92 78 { 93 79 __u32 A, B, C, D, E; 94 80 unsigned int i = 0; 95 81 96 - A = digest[0]; 97 - B = digest[1]; 98 - C = digest[2]; 99 - D = digest[3]; 100 - E = digest[4]; 82 + A = state->h[0]; 83 + B = state->h[1]; 84 + C = state->h[2]; 85 + D = state->h[3]; 86 + E = state->h[4]; 101 87 102 88 /* Round 1 - iterations 0-16 take their input from 'data' */ 103 89 for (; i < 16; ++i) ··· 105 119 for (; i < 80; ++i) 106 120 T_60_79(i, A, B, C, D, E); 107 121 108 - digest[0] += A; 109 - digest[1] += B; 110 - digest[2] += C; 111 - digest[3] += D; 112 - digest[4] += E; 122 + state->h[0] += A; 123 + state->h[1] += B; 124 + state->h[2] += C; 125 + state->h[3] += D; 126 + state->h[4] += E; 113 127 } 114 - EXPORT_SYMBOL(sha1_transform); 115 - 116 - /** 117 - * sha1_init_raw - initialize the vectors for a SHA1 digest 118 - * @buf: vector to initialize 119 - */ 120 - void sha1_init_raw(__u32 *buf) 121 - { 122 - buf[0] = 0x67452301; 123 - buf[1] = 0xefcdab89; 124 - buf[2] = 0x98badcfe; 125 - buf[3] = 0x10325476; 126 - buf[4] = 0xc3d2e1f0; 127 - } 128 - EXPORT_SYMBOL(sha1_init_raw); 129 128 130 129 static void __maybe_unused sha1_blocks_generic(struct sha1_block_state *state, 131 130 const u8 *data, size_t nblocks) ··· 118 147 u32 workspace[SHA1_WORKSPACE_WORDS]; 119 148 120 149 do { 121 - sha1_transform(state->h, data, workspace); 150 + sha1_block_generic(state, data, workspace); 122 151 data += SHA1_BLOCK_SIZE; 123 152 } while (--nblocks); 124 153
+13 -8
net/ipv6/addrconf.c
··· 3339 3339 const struct inet6_dev *idev) 3340 3340 { 3341 3341 static DEFINE_SPINLOCK(lock); 3342 - static __u32 digest[SHA1_DIGEST_WORDS]; 3343 - static __u32 workspace[SHA1_WORKSPACE_WORDS]; 3342 + static struct sha1_ctx sha_ctx; 3344 3343 3345 3344 static union { 3346 - char __data[SHA1_BLOCK_SIZE]; 3345 + u8 __data[SHA1_BLOCK_SIZE]; 3347 3346 struct { 3348 3347 struct in6_addr secret; 3349 3348 __be32 prefix[2]; ··· 3367 3368 retry: 3368 3369 spin_lock_bh(&lock); 3369 3370 3370 - sha1_init_raw(digest); 3371 + sha1_init(&sha_ctx); 3372 + 3371 3373 memset(&data, 0, sizeof(data)); 3372 - memset(workspace, 0, sizeof(workspace)); 3373 3374 memcpy(data.hwaddr, idev->dev->perm_addr, idev->dev->addr_len); 3374 3375 data.prefix[0] = address->s6_addr32[0]; 3375 3376 data.prefix[1] = address->s6_addr32[1]; 3376 3377 data.secret = secret; 3377 3378 data.dad_count = dad_count; 3378 3379 3379 - sha1_transform(digest, data.__data, workspace); 3380 + sha1_update(&sha_ctx, data.__data, sizeof(data)); 3380 3381 3382 + /* 3383 + * Note that the SHA-1 finalization is omitted here, and the digest is 3384 + * pulled directly from the internal SHA-1 state (making it incompatible 3385 + * with standard SHA-1). Unusual, but technically okay since the data 3386 + * length is fixed and is a multiple of the SHA-1 block size. 3387 + */ 3381 3388 temp = *address; 3382 - temp.s6_addr32[2] = (__force __be32)digest[0]; 3383 - temp.s6_addr32[3] = (__force __be32)digest[1]; 3389 + temp.s6_addr32[2] = (__force __be32)sha_ctx.state.h[0]; 3390 + temp.s6_addr32[3] = (__force __be32)sha_ctx.state.h[1]; 3384 3391 3385 3392 spin_unlock_bh(&lock); 3386 3393