
crypto: ghash - Remove ghash from crypto_shash API

Now that there are no users of the "ghash" crypto_shash algorithm,
remove it. GHASH remains supported via the library API.

Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260319061723.1140720-17-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>

-294
-7
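--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -888,13 +888,6 @@
 	  CMAC (Cipher-based Message Authentication Code) authentication
 	  mode (NIST SP800-38B and IETF RFC4493)
 
-config CRYPTO_GHASH
-	tristate "GHASH"
-	select CRYPTO_HASH
-	select CRYPTO_LIB_GF128MUL
-	help
-	  GCM GHASH function (NIST SP800-38D)
-
 config CRYPTO_HMAC
 	tristate "HMAC (Keyed-Hash MAC)"
 	select CRYPTO_HASH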
-1
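--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -171,7 +171,6 @@
 jitterentropy_rng-y := jitterentropy.o jitterentropy-kcapi.o
 obj-$(CONFIG_CRYPTO_JITTERENTROPY_TESTINTERFACE) += jitterentropy-testing.o
 obj-$(CONFIG_CRYPTO_BENCHMARK) += tcrypt.o
-obj-$(CONFIG_CRYPTO_GHASH) += ghash-generic.o
 obj-$(CONFIG_CRYPTO_USER_API) += af_alg.o
 obj-$(CONFIG_CRYPTO_USER_API_HASH) += algif_hash.o
 obj-$(CONFIG_CRYPTO_USER_API_SKCIPHER) += algif_skcipher.o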
-162
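--- a/crypto/ghash-generic.c
+++ /dev/null
@@ -1,162 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only
-/*
- * GHASH: hash function for GCM (Galois/Counter Mode).
- *
- * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
- * Copyright (c) 2009 Intel Corp.
- * Author: Huang Ying <ying.huang@intel.com>
- */
-
-/*
- * GHASH is a keyed hash function used in GCM authentication tag generation.
- *
- * The original GCM paper [1] presents GHASH as a function GHASH(H, A, C) which
- * takes a 16-byte hash key H, additional authenticated data A, and a ciphertext
- * C. It formats A and C into a single byte string X, interprets X as a
- * polynomial over GF(2^128), and evaluates this polynomial at the point H.
- *
- * However, the NIST standard for GCM [2] presents GHASH as GHASH(H, X) where X
- * is the already-formatted byte string containing both A and C.
- *
- * "ghash" in the Linux crypto API uses the 'X' (pre-formatted) convention,
- * since the API supports only a single data stream per hash. Thus, the
- * formatting of 'A' and 'C' is done in the "gcm" template, not in "ghash".
- *
- * The reason "ghash" is separate from "gcm" is to allow "gcm" to use an
- * accelerated "ghash" when a standalone accelerated "gcm(aes)" is unavailable.
- * It is generally inappropriate to use "ghash" for other purposes, since it is
- * an "ε-almost-XOR-universal hash function", not a cryptographic hash function.
- * It can only be used securely in crypto modes specially designed to use it.
- *
- * [1] The Galois/Counter Mode of Operation (GCM)
- * (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.694.695&rep=rep1&type=pdf)
- * [2] Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
- * (https://csrc.nist.gov/publications/detail/sp/800-38d/final)
- */
-
-#include <crypto/gf128mul.h>
-#include <crypto/ghash.h>
-#include <crypto/internal/hash.h>
-#include <crypto/utils.h>
-#include <linux/err.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/string.h>
-
-static int ghash_init(struct shash_desc *desc)
-{
-	struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
-
-	memset(dctx, 0, sizeof(*dctx));
-
-	return 0;
-}
-
-static int ghash_setkey(struct crypto_shash *tfm,
-			const u8 *key, unsigned int keylen)
-{
-	struct ghash_ctx *ctx = crypto_shash_ctx(tfm);
-	be128 k;
-
-	if (keylen != GHASH_BLOCK_SIZE)
-		return -EINVAL;
-
-	if (ctx->gf128)
-		gf128mul_free_4k(ctx->gf128);
-
-	BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE);
-	memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */
-	ctx->gf128 = gf128mul_init_4k_lle(&k);
-	memzero_explicit(&k, GHASH_BLOCK_SIZE);
-
-	if (!ctx->gf128)
-		return -ENOMEM;
-
-	return 0;
-}
-
-static int ghash_update(struct shash_desc *desc,
-			const u8 *src, unsigned int srclen)
-{
-	struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
-	struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
-	u8 *dst = dctx->buffer;
-
-	do {
-		crypto_xor(dst, src, GHASH_BLOCK_SIZE);
-		gf128mul_4k_lle((be128 *)dst, ctx->gf128);
-		src += GHASH_BLOCK_SIZE;
-		srclen -= GHASH_BLOCK_SIZE;
-	} while (srclen >= GHASH_BLOCK_SIZE);
-
-	return srclen;
-}
-
-static void ghash_flush(struct shash_desc *desc, const u8 *src,
-			unsigned int len)
-{
-	struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
-	struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
-	u8 *dst = dctx->buffer;
-
-	if (len) {
-		crypto_xor(dst, src, len);
-		gf128mul_4k_lle((be128 *)dst, ctx->gf128);
-	}
-}
-
-static int ghash_finup(struct shash_desc *desc, const u8 *src,
-		       unsigned int len, u8 *dst)
-{
-	struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
-	u8 *buf = dctx->buffer;
-
-	ghash_flush(desc, src, len);
-	memcpy(dst, buf, GHASH_BLOCK_SIZE);
-
-	return 0;
-}
-
-static void ghash_exit_tfm(struct crypto_tfm *tfm)
-{
-	struct ghash_ctx *ctx = crypto_tfm_ctx(tfm);
-	if (ctx->gf128)
-		gf128mul_free_4k(ctx->gf128);
-}
-
-static struct shash_alg ghash_alg = {
-	.digestsize = GHASH_DIGEST_SIZE,
-	.init = ghash_init,
-	.update = ghash_update,
-	.finup = ghash_finup,
-	.setkey = ghash_setkey,
-	.descsize = sizeof(struct ghash_desc_ctx),
-	.base = {
-		.cra_name = "ghash",
-		.cra_driver_name = "ghash-generic",
-		.cra_priority = 100,
-		.cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY,
-		.cra_blocksize = GHASH_BLOCK_SIZE,
-		.cra_ctxsize = sizeof(struct ghash_ctx),
-		.cra_module = THIS_MODULE,
-		.cra_exit = ghash_exit_tfm,
-	},
-};
-
-static int __init ghash_mod_init(void)
-{
-	return crypto_register_shash(&ghash_alg);
-}
-
-static void __exit ghash_mod_exit(void)
-{
-	crypto_unregister_shash(&ghash_alg);
-}
-
-module_init(ghash_mod_init);
-module_exit(ghash_mod_exit);
-
-MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("GHASH hash function");
-MODULE_ALIAS_CRYPTO("ghash");
-MODULE_ALIAS_CRYPTO("ghash-generic");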
-9
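--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -1650,10 +1650,6 @@
 		ret = min(ret, tcrypt_test("rfc4309(ccm(aes))"));
 		break;
 
-	case 46:
-		ret = min(ret, tcrypt_test("ghash"));
-		break;
-
 	case 48:
 		ret = min(ret, tcrypt_test("sha3-224"));
 		break;
@@ -2245,11 +2249,6 @@
 		fallthrough;
 	case 317:
 		test_hash_speed("blake2b-512", sec, generic_hash_speed_template);
-		if (mode > 300 && mode < 400) break;
-		fallthrough;
-	case 318:
-		klen = 16;
-		test_hash_speed("ghash", sec, generic_hash_speed_template);
 		if (mode > 300 && mode < 400) break;
 		fallthrough;
 	case 319: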
-6
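--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -4986,12 +4986,6 @@
 			.aead = __VECS(sm4_gcm_tv_template)
 		}
 	}, {
-		.alg = "ghash",
-		.test = alg_test_hash,
-		.suite = {
-			.hash = __VECS(ghash_tv_template)
-		}
-	}, {
 		.alg = "hctr2(aes)",
 		.generic_driver = "hctr2_base(xctr(aes-lib),polyval-lib)",
 		.test = alg_test_skcipher,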
-109
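--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -6183,115 +6183,6 @@
 	},
 };
 
-static const struct hash_testvec ghash_tv_template[] =
-{
-	{
-		.key = "\xdf\xa6\xbf\x4d\xed\x81\xdb\x03"
-		       "\xff\xca\xff\x95\xf8\x30\xf0\x61",
-		.ksize = 16,
-		.plaintext = "\x95\x2b\x2a\x56\xa5\x60\x04a\xc0"
-			     "\xb3\x2b\x66\x56\xa0\x5b\x40\xb6",
-		.psize = 16,
-		.digest = "\xda\x53\xeb\x0a\xd2\xc5\x5b\xb6"
-			  "\x4f\xc4\x80\x2c\xc3\xfe\xda\x60",
-	}, {
-		.key = "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
-		       "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
-		.ksize = 16,
-		.plaintext = "what do ya want for nothing?",
-		.psize = 28,
-		.digest = "\x3e\x1f\x5c\x4d\x65\xf0\xef\xce"
-			  "\x0d\x61\x06\x27\x66\x51\xd5\xe2",
-	}, {
-		.key = "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
-		       "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
-		.ksize = 16,
-		.plaintext = "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
-			     "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
-			     "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd"
-			     "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
-		.psize = 50,
-		.digest = "\xfb\x49\x8a\x36\xe1\x96\xe1\x96"
-			  "\xe1\x96\xe1\x96\xe1\x96\xe1\x96",
-	}, {
-		.key = "\xda\x53\xeb\x0a\xd2\xc5\x5b\xb6"
-		       "\x4f\xc4\x80\x2c\xc3\xfe\xda\x60",
-		.ksize = 16,
-		.plaintext = "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
-			     "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
-			     "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
-			     "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
-		.psize = 50,
-		.digest = "\x2b\x5c\x0c\x7f\x52\xd1\x60\xc2"
-			  "\x49\xed\x6e\x32\x7a\xa9\xbe\x08",
-	}, {
-		.key = "\x95\x2b\x2a\x56\xa5\x60\x04a\xc0"
-		       "\xb3\x2b\x66\x56\xa0\x5b\x40\xb6",
-		.ksize = 16,
-		.plaintext = "Test With Truncation",
-		.psize = 20,
-		.digest = "\xf8\x94\x87\x2a\x4b\x63\x99\x28"
-			  "\x23\xf7\x93\xf7\x19\xf5\x96\xd9",
-	}, {
-		.key = "\x0a\x1b\x2c\x3d\x4e\x5f\x64\x71"
-		       "\x82\x93\xa4\xb5\xc6\xd7\xe8\xf9",
-		.ksize = 16,
-		.plaintext = "\x56\x6f\x72\x20\x6c\x61\x75\x74"
-			     "\x65\x72\x20\x4c\x61\x75\x73\x63"
-			     "\x68\x65\x6e\x20\x75\x6e\x64\x20"
-			     "\x53\x74\x61\x75\x6e\x65\x6e\x20"
-			     "\x73\x65\x69\x20\x73\x74\x69\x6c"
-			     "\x6c\x2c\x0a\x64\x75\x20\x6d\x65"
-			     "\x69\x6e\x20\x74\x69\x65\x66\x74"
-			     "\x69\x65\x66\x65\x73\x20\x4c\x65"
-			     "\x62\x65\x6e\x3b\x0a\x64\x61\x73"
-			     "\x73\x20\x64\x75\x20\x77\x65\x69"
-			     "\xc3\x9f\x74\x20\x77\x61\x73\x20"
-			     "\x64\x65\x72\x20\x57\x69\x6e\x64"
-			     "\x20\x64\x69\x72\x20\x77\x69\x6c"
-			     "\x6c\x2c\x0a\x65\x68\x20\x6e\x6f"
-			     "\x63\x68\x20\x64\x69\x65\x20\x42"
-			     "\x69\x72\x6b\x65\x6e\x20\x62\x65"
-			     "\x62\x65\x6e\x2e\x0a\x0a\x55\x6e"
-			     "\x64\x20\x77\x65\x6e\x6e\x20\x64"
-			     "\x69\x72\x20\x65\x69\x6e\x6d\x61"
-			     "\x6c\x20\x64\x61\x73\x20\x53\x63"
-			     "\x68\x77\x65\x69\x67\x65\x6e\x20"
-			     "\x73\x70\x72\x61\x63\x68\x2c\x0a"
-			     "\x6c\x61\x73\x73\x20\x64\x65\x69"
-			     "\x6e\x65\x20\x53\x69\x6e\x6e\x65"
-			     "\x20\x62\x65\x73\x69\x65\x67\x65"
-			     "\x6e\x2e\x0a\x4a\x65\x64\x65\x6d"
-			     "\x20\x48\x61\x75\x63\x68\x65\x20"
-			     "\x67\x69\x62\x74\x20\x64\x69\x63"
-			     "\x68\x2c\x20\x67\x69\x62\x20\x6e"
-			     "\x61\x63\x68\x2c\x0a\x65\x72\x20"
-			     "\x77\x69\x72\x64\x20\x64\x69\x63"
-			     "\x68\x20\x6c\x69\x65\x62\x65\x6e"
-			     "\x20\x75\x6e\x64\x20\x77\x69\x65"
-			     "\x67\x65\x6e\x2e\x0a\x0a\x55\x6e"
-			     "\x64\x20\x64\x61\x6e\x6e\x20\x6d"
-			     "\x65\x69\x6e\x65\x20\x53\x65\x65"
-			     "\x6c\x65\x20\x73\x65\x69\x74\x20"
-			     "\x77\x65\x69\x74\x2c\x20\x73\x65"
-			     "\x69\x20\x77\x65\x69\x74\x2c\x0a"
-			     "\x64\x61\x73\x73\x20\x64\x69\x72"
-			     "\x20\x64\x61\x73\x20\x4c\x65\x62"
-			     "\x65\x6e\x20\x67\x65\x6c\x69\x6e"
-			     "\x67\x65\x2c\x0a\x62\x72\x65\x69"
-			     "\x74\x65\x20\x64\x69\x63\x68\x20"
-			     "\x77\x69\x65\x20\x65\x69\x6e\x20"
-			     "\x46\x65\x69\x65\x72\x6b\x6c\x65"
-			     "\x69\x64\x0a\xc3\xbc\x62\x65\x72"
-			     "\x20\x64\x69\x65\x20\x73\x69\x6e"
-			     "\x6e\x65\x6e\x64\x65\x6e\x20\x44"
-			     "\x69\x6e\x67\x65\x2e\x2e\x2e\x0a",
-		.psize = 400,
-		.digest = "\xad\xb1\xc1\xe9\x56\x70\x31\x1d"
-			  "\xbb\x5b\xdf\x5e\x70\x72\x1a\x57",
-	},
-};
-
 /*
  * HMAC-MD5 test vectors from RFC2202
  * (These need to be fixed to not use strlen).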