This is a followup to RFC 'crypto: wireguard with crypto API library interface'
[0]. Since no objections were raised to my approach, I've proceeded to fix up
some minor issues, and incorporate [most of] the missing MIPS code.

Changes since RFC/v1:
- dropped the WireGuard patch itself, and the followup patches - since the
  purpose was to illustrate the extent of the required changes, there is no
  reason to keep including them.
- import the MIPS 32r2 versions of ChaCha and Poly1305, but expose both the
  crypto API and library interfaces so that not only WireGuard but also IPsec
  and Adiantum can benefit immediately. (The latter required adding support for
  the reduced round version of ChaCha to the MIPS asm code)
- fix up various minor kconfig/build issues found in randconfig testing
  (thanks Arnd!)

In the future, I would like to extend these interfaces to use static calls,
so that the accelerated implementations can be [un]plugged at runtime. For
the time being, we rely on weak aliases and conditional exports so that the
users of the library interfaces link directly to the accelerated versions,
but without the ability to unplug them.

Patches can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=wireguard-crypto-library-api-v2

Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Cc: David Miller <davem@xxxxxxxxxxxxx>
Cc: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Cc: Jason A. Donenfeld <Jason@xxxxxxxxx>
Cc: Samuel Neves <sneves@xxxxxxxxx>
Cc: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Cc: Arnd Bergmann <arnd@xxxxxxxx>
Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
Cc: Andy Lutomirski <luto@xxxxxxxxxx>
Cc: Will Deacon <will@xxxxxxxxxx>
Cc: Marc Zyngier <maz@xxxxxxxxxx>
Cc: Catalin Marinas <catalin.marinas@xxxxxxx>
Cc: Martin Willi <martin@xxxxxxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>

[0] https://lore.kernel.org/linux-crypto/20190929173850.26055-1-ard.biesheuvel@xxxxxxxxxx/

Ard Biesheuvel (14):
  crypto: chacha - move existing library code into lib/crypto
  crypto: x86/chacha - expose SIMD ChaCha routine as library function
  crypto: arm64/chacha - expose arm64 ChaCha routine as library function
  crypto: arm/chacha - expose ARM ChaCha routine as library function
  crypto: mips/chacha - import accelerated 32r2 code from Zinc
  crypto: poly1305 - move into lib/crypto and refactor into library
  crypto: x86/poly1305 - expose existing driver as poly1305 library
  crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation
  crypto: arm/poly1305 - incorporate OpenSSL/CRYPTOGAMS NEON implementation
  crypto: mips/poly1305 - import accelerated 32r2 code from Zinc
  int128: move __uint128_t compiler test to Kconfig
  crypto: lib/curve25519 - work around Clang stack spilling issue
  crypto: chacha20poly1305 - import construction and selftest from Zinc
  crypto: lib/chacha20poly1305 - reimplement crypt_from_sg() routine

Jason A. Donenfeld (6):
  crypto: BLAKE2s - generic C library implementation and selftest
  crypto: BLAKE2s - x86_64 library implementation
  crypto: Curve25519 - generic C library implementations and selftest
  crypto: Curve25519 - x86_64 library implementation
  crypto: arm - import Bernstein and Schwabe's Curve25519 ARM implementation
  crypto: arm/Curve25519 - wire up NEON implementation

 arch/arm/crypto/Kconfig                   |   11 +
 arch/arm/crypto/Makefile                  |   13 +-
 arch/arm/crypto/chacha-neon-glue.c        |   42 +-
 arch/arm/crypto/curve25519-core.S         | 2062 ++++++
 arch/arm/crypto/curve25519-glue.c         |   45 +
 arch/arm/crypto/poly1305-armv4.pl         | 1236 ++++
 arch/arm/crypto/poly1305-core.S_shipped   | 1158 +++
 arch/arm/crypto/poly1305-glue.c           |  274 +
 arch/arm64/Kconfig                        |    2 +-
 arch/arm64/crypto/Kconfig                 |    6 +
 arch/arm64/crypto/Makefile                |   10 +-
 arch/arm64/crypto/chacha-neon-glue.c      |   32 +-
 arch/arm64/crypto/poly1305-armv8.pl       |  913 +++
 arch/arm64/crypto/poly1305-core.S_shipped |  835 +++
 arch/arm64/crypto/poly1305-glue.c         |  229 +
 arch/mips/Makefile                        |    2 +-
 arch/mips/crypto/Makefile                 |    6 +
 arch/mips/crypto/chacha-core.S            |  424 ++
 arch/mips/crypto/chacha-glue.c            |  161 +
 arch/mips/crypto/poly1305-core.S          |  407 ++
 arch/mips/crypto/poly1305-glue.c          |  203 +
 arch/riscv/Kconfig                        |    2 +-
 arch/x86/Kconfig                          |    2 +-
 arch/x86/crypto/Makefile                  |    3 +
 arch/x86/crypto/blake2s-core.S            |  685 ++
 arch/x86/crypto/blake2s-glue.c            |   76 +
 arch/x86/crypto/chacha_glue.c             |   38 +-
 arch/x86/crypto/curve25519-x86_64.c       | 2381 +++++++
 arch/x86/crypto/poly1305_glue.c           |  145 +-
 crypto/Kconfig                            |   70 +
 crypto/adiantum.c                         |    5 +-
 crypto/chacha_generic.c                   |   44 +-
 crypto/ecc.c                              |    2 +-
 crypto/nhpoly1305.c                       |    3 +-
 crypto/poly1305_generic.c                 |  196 +-
 include/crypto/blake2s.h                  |   56 +
 include/crypto/chacha.h                   |   36 +-
 include/crypto/chacha20poly1305.h         |   48 +
 include/crypto/curve25519.h               |   28 +
 include/crypto/internal/chacha.h          |   25 +
 include/crypto/internal/poly1305.h        |   45 +
 include/crypto/poly1305.h                 |   43 +-
 init/Kconfig                              |    4 +
 lib/Makefile                              |    3 +-
 lib/crypto/Makefile                       |   40 +-
 lib/crypto/blake2s-selftest.c             | 2093 ++++++
 lib/crypto/blake2s.c                      |  281 +
 lib/{ => crypto}/chacha.c                 |   25 +-
 lib/crypto/chacha20poly1305-selftest.c    | 7394 ++++++++++++++++++++
 lib/crypto/chacha20poly1305.c             |  369 +
 lib/crypto/curve25519-fiat32.c            |  864 +++
 lib/crypto/curve25519-hacl64.c            |  788 +++
 lib/crypto/curve25519-selftest.c          | 1321 ++++
 lib/crypto/curve25519.c                   |   86 +
 lib/crypto/libchacha.c                    |   67 +
 lib/crypto/poly1305.c                     |  248 +
 lib/ubsan.c                               |    2 +-
 lib/ubsan.h                               |    2 +-
 58 files changed, 25213 insertions(+), 378 deletions(-)
 create mode 100644 arch/arm/crypto/curve25519-core.S
 create mode 100644 arch/arm/crypto/curve25519-glue.c
 create mode 100644 arch/arm/crypto/poly1305-armv4.pl
 create mode 100644 arch/arm/crypto/poly1305-core.S_shipped
 create mode 100644 arch/arm/crypto/poly1305-glue.c
 create mode 100644 arch/arm64/crypto/poly1305-armv8.pl
 create mode 100644 arch/arm64/crypto/poly1305-core.S_shipped
 create mode 100644 arch/arm64/crypto/poly1305-glue.c
 create mode 100644 arch/mips/crypto/chacha-core.S
 create mode 100644 arch/mips/crypto/chacha-glue.c
 create mode 100644 arch/mips/crypto/poly1305-core.S
 create mode 100644 arch/mips/crypto/poly1305-glue.c
 create mode 100644 arch/x86/crypto/blake2s-core.S
 create mode 100644 arch/x86/crypto/blake2s-glue.c
 create mode 100644 arch/x86/crypto/curve25519-x86_64.c
 create mode 100644 include/crypto/blake2s.h
 create mode 100644 include/crypto/chacha20poly1305.h
 create mode 100644 include/crypto/curve25519.h
 create mode 100644 include/crypto/internal/chacha.h
 create mode 100644 include/crypto/internal/poly1305.h
 create mode 100644 lib/crypto/blake2s-selftest.c
 create mode 100644 lib/crypto/blake2s.c
 rename lib/{ => crypto}/chacha.c (84%)
 create mode 100644 lib/crypto/chacha20poly1305-selftest.c
 create mode 100644 lib/crypto/chacha20poly1305.c
 create mode 100644 lib/crypto/curve25519-fiat32.c
 create mode 100644 lib/crypto/curve25519-hacl64.c
 create mode 100644 lib/crypto/curve25519-selftest.c
 create mode 100644 lib/crypto/curve25519.c
 create mode 100644 lib/crypto/libchacha.c
 create mode 100644 lib/crypto/poly1305.c

--
2.20.1