mirror of https://github.com/Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
184 lines
4.8 KiB
184 lines
4.8 KiB
// SPDX-License-Identifier: GPL-2.0-only |
|
/* |
|
* GHASH: hash function for GCM (Galois/Counter Mode). |
|
* |
|
* Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <[email protected]> |
|
* Copyright (c) 2009 Intel Corp. |
|
* Author: Huang Ying <[email protected]> |
|
*/ |
|
|
|
/* |
|
* GHASH is a keyed hash function used in GCM authentication tag generation. |
|
* |
|
* The original GCM paper [1] presents GHASH as a function GHASH(H, A, C) which |
|
* takes a 16-byte hash key H, additional authenticated data A, and a ciphertext |
|
* C. It formats A and C into a single byte string X, interprets X as a |
|
* polynomial over GF(2^128), and evaluates this polynomial at the point H. |
|
* |
|
* However, the NIST standard for GCM [2] presents GHASH as GHASH(H, X) where X |
|
* is the already-formatted byte string containing both A and C. |
|
* |
|
* "ghash" in the Linux crypto API uses the 'X' (pre-formatted) convention, |
|
* since the API supports only a single data stream per hash. Thus, the |
|
* formatting of 'A' and 'C' is done in the "gcm" template, not in "ghash". |
|
* |
|
* The reason "ghash" is separate from "gcm" is to allow "gcm" to use an |
|
* accelerated "ghash" when a standalone accelerated "gcm(aes)" is unavailable. |
|
* It is generally inappropriate to use "ghash" for other purposes, since it is |
|
* an "ε-almost-XOR-universal hash function", not a cryptographic hash function. |
|
* It can only be used securely in crypto modes specially designed to use it. |
|
* |
|
* [1] The Galois/Counter Mode of Operation (GCM) |
|
* (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.694.695&rep=rep1&type=pdf) |
|
* [2] Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC |
|
* (https://csrc.nist.gov/publications/detail/sp/800-38d/final) |
|
*/ |
|
|
|
#include <crypto/algapi.h> |
|
#include <crypto/gf128mul.h> |
|
#include <crypto/ghash.h> |
|
#include <crypto/internal/hash.h> |
|
#include <linux/crypto.h> |
|
#include <linux/init.h> |
|
#include <linux/kernel.h> |
|
#include <linux/module.h> |
|
|
|
static int ghash_init(struct shash_desc *desc) |
|
{ |
|
struct ghash_desc_ctx *dctx = shash_desc_ctx(desc); |
|
|
|
memset(dctx, 0, sizeof(*dctx)); |
|
|
|
return 0; |
|
} |
|
|
|
static int ghash_setkey(struct crypto_shash *tfm, |
|
const u8 *key, unsigned int keylen) |
|
{ |
|
struct ghash_ctx *ctx = crypto_shash_ctx(tfm); |
|
be128 k; |
|
|
|
if (keylen != GHASH_BLOCK_SIZE) |
|
return -EINVAL; |
|
|
|
if (ctx->gf128) |
|
gf128mul_free_4k(ctx->gf128); |
|
|
|
BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE); |
|
memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */ |
|
ctx->gf128 = gf128mul_init_4k_lle(&k); |
|
memzero_explicit(&k, GHASH_BLOCK_SIZE); |
|
|
|
if (!ctx->gf128) |
|
return -ENOMEM; |
|
|
|
return 0; |
|
} |
|
|
|
static int ghash_update(struct shash_desc *desc, |
|
const u8 *src, unsigned int srclen) |
|
{ |
|
struct ghash_desc_ctx *dctx = shash_desc_ctx(desc); |
|
struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm); |
|
u8 *dst = dctx->buffer; |
|
|
|
if (dctx->bytes) { |
|
int n = min(srclen, dctx->bytes); |
|
u8 *pos = dst + (GHASH_BLOCK_SIZE - dctx->bytes); |
|
|
|
dctx->bytes -= n; |
|
srclen -= n; |
|
|
|
while (n--) |
|
*pos++ ^= *src++; |
|
|
|
if (!dctx->bytes) |
|
gf128mul_4k_lle((be128 *)dst, ctx->gf128); |
|
} |
|
|
|
while (srclen >= GHASH_BLOCK_SIZE) { |
|
crypto_xor(dst, src, GHASH_BLOCK_SIZE); |
|
gf128mul_4k_lle((be128 *)dst, ctx->gf128); |
|
src += GHASH_BLOCK_SIZE; |
|
srclen -= GHASH_BLOCK_SIZE; |
|
} |
|
|
|
if (srclen) { |
|
dctx->bytes = GHASH_BLOCK_SIZE - srclen; |
|
while (srclen--) |
|
*dst++ ^= *src++; |
|
} |
|
|
|
return 0; |
|
} |
|
|
|
static void ghash_flush(struct ghash_ctx *ctx, struct ghash_desc_ctx *dctx) |
|
{ |
|
u8 *dst = dctx->buffer; |
|
|
|
if (dctx->bytes) { |
|
u8 *tmp = dst + (GHASH_BLOCK_SIZE - dctx->bytes); |
|
|
|
while (dctx->bytes--) |
|
*tmp++ ^= 0; |
|
|
|
gf128mul_4k_lle((be128 *)dst, ctx->gf128); |
|
} |
|
|
|
dctx->bytes = 0; |
|
} |
|
|
|
static int ghash_final(struct shash_desc *desc, u8 *dst) |
|
{ |
|
struct ghash_desc_ctx *dctx = shash_desc_ctx(desc); |
|
struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm); |
|
u8 *buf = dctx->buffer; |
|
|
|
ghash_flush(ctx, dctx); |
|
memcpy(dst, buf, GHASH_BLOCK_SIZE); |
|
|
|
return 0; |
|
} |
|
|
|
static void ghash_exit_tfm(struct crypto_tfm *tfm) |
|
{ |
|
struct ghash_ctx *ctx = crypto_tfm_ctx(tfm); |
|
if (ctx->gf128) |
|
gf128mul_free_4k(ctx->gf128); |
|
} |
|
|
|
static struct shash_alg ghash_alg = { |
|
.digestsize = GHASH_DIGEST_SIZE, |
|
.init = ghash_init, |
|
.update = ghash_update, |
|
.final = ghash_final, |
|
.setkey = ghash_setkey, |
|
.descsize = sizeof(struct ghash_desc_ctx), |
|
.base = { |
|
.cra_name = "ghash", |
|
.cra_driver_name = "ghash-generic", |
|
.cra_priority = 100, |
|
.cra_blocksize = GHASH_BLOCK_SIZE, |
|
.cra_ctxsize = sizeof(struct ghash_ctx), |
|
.cra_module = THIS_MODULE, |
|
.cra_exit = ghash_exit_tfm, |
|
}, |
|
}; |
|
|
|
static int __init ghash_mod_init(void) |
|
{ |
|
return crypto_register_shash(&ghash_alg); |
|
} |
|
|
|
static void __exit ghash_mod_exit(void) |
|
{ |
|
crypto_unregister_shash(&ghash_alg); |
|
} |
|
|
|
subsys_initcall(ghash_mod_init); |
|
module_exit(ghash_mod_exit); |
|
|
|
MODULE_LICENSE("GPL"); |
|
MODULE_DESCRIPTION("GHASH hash function"); |
|
MODULE_ALIAS_CRYPTO("ghash"); |
|
MODULE_ALIAS_CRYPTO("ghash-generic");
|
|
|