| Message ID | 1465983719-8313-2-git-send-email-raveendra.padasalagi@broadcom.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Herbert Xu |
| Headers | show |
Am Mittwoch, 15. Juni 2016, 15:11:58 schrieb Raveendra Padasalagi: Hi Raveendra, > From: Jeff Garzik <jeff@garzik.org> > > This patch adds the implementation of SHA3 algorithm > in software and it's based on original implementation > pushed in patch https://lwn.net/Articles/518415/ with > additional changes to match the padding rules specified > in SHA-3 specification. > > Signed-off-by: Jeff Garzik <jgarzik@redhat.com> > Signed-off-by: Raveendra Padasalagi <raveendra.padasalagi@broadcom.com> > --- > crypto/Kconfig | 10 ++ > crypto/Makefile | 1 + > crypto/sha3_generic.c | 296 > ++++++++++++++++++++++++++++++++++++++++++++++++++ include/crypto/sha3.h | > 29 +++++ > 4 files changed, 336 insertions(+) > create mode 100644 crypto/sha3_generic.c > create mode 100644 include/crypto/sha3.h > > diff --git a/crypto/Kconfig b/crypto/Kconfig > index 1d33beb..83ee8cb 100644 > --- a/crypto/Kconfig > +++ b/crypto/Kconfig > @@ -750,6 +750,16 @@ config CRYPTO_SHA512_SPARC64 > SHA-512 secure hash standard (DFIPS 180-2) implemented > using sparc64 crypto instructions, when available. > > +config CRYPTO_SHA3 > + tristate "SHA3 digest algorithm" > + select CRYPTO_HASH > + help > + SHA-3 secure hash standard (DFIPS 202). It's based on Typo DFIPS? > + cryptographic sponge function family called Keccak. > + > + References: > + http://keccak.noekeon.org/ > + > config CRYPTO_TGR192 > tristate "Tiger digest algorithms" > select CRYPTO_HASH > diff --git a/crypto/Makefile b/crypto/Makefile > index 4f4ef7e..0b82c47 100644 > --- a/crypto/Makefile > +++ b/crypto/Makefile > @@ -61,6 +61,7 @@ obj-$(CONFIG_CRYPTO_RMD320) += rmd320.o > obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o > obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o > obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o > +obj-$(CONFIG_CRYPTO_SHA3) += sha3_generic.o > obj-$(CONFIG_CRYPTO_WP512) += wp512.o > obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o > obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o > diff --git a/crypto/sha3_generic.c b/crypto/sha3_generic.c > new file mode 100644 > index 0000000..162dfc3 > --- /dev/null > +++ b/crypto/sha3_generic.c > @@ -0,0 +1,296 @@ > +/* > + * Cryptographic API. > + * > + * SHA-3, as specified in > + * http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf > + * > + * SHA-3 code by Jeff Garzik <jeff@garzik.org> > + * > + * This program is free software; you can redistribute it and/or modify it > + * under the terms of the GNU General Public License as published by the > Free + * Software Foundation; either version 2 of the License, or (at your > option)• + * any later version. > + * > + */ > +#include <crypto/internal/hash.h> > +#include <linux/init.h> > +#include <linux/module.h> > +#include <linux/types.h> > +#include <crypto/sha3.h> > +#include <asm/byteorder.h> > + > +#define KECCAK_ROUNDS 24 > + > +#define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y)))) > + > +static const u64 keccakf_rndc[24] = { > + 0x0000000000000001, 0x0000000000008082, 0x800000000000808a, > + 0x8000000080008000, 0x000000000000808b, 0x0000000080000001, > + 0x8000000080008081, 0x8000000000008009, 0x000000000000008a, > + 0x0000000000000088, 0x0000000080008009, 0x000000008000000a, > + 0x000000008000808b, 0x800000000000008b, 0x8000000000008089, > + 0x8000000000008003, 0x8000000000008002, 0x8000000000000080, > + 0x000000000000800a, 0x800000008000000a, 0x8000000080008081, > + 0x8000000000008080, 0x0000000080000001, 0x8000000080008008 > +}; > + > +static const int keccakf_rotc[24] = { > + 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, > + 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44 > +}; > + > +static const int keccakf_piln[24] = { > + 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, > + 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 > +}; > + > +/* update the state with given number of rounds */ > + > +static void keccakf(u64 st[25]) > +{ > + int i, j, round; > + u64 t, bc[5]; > + > + for (round = 0; round < KECCAK_ROUNDS; round++) { > + > + /* Theta */ > + for (i = 0; i < 5; i++) > + bc[i] = st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] > + ^ st[i + 20]; > + > + for (i = 0; i < 5; i++) { > + t = bc[(i + 4) % 5] ^ ROTL64(bc[(i + 1) % 5], 1); > + for (j = 0; j < 25; j += 5) > + st[j + i] ^= t; > + } > + > + /* Rho Pi */ > + t = st[1]; > + for (i = 0; i < 24; i++) { > + j = keccakf_piln[i]; > + bc[0] = st[j]; > + st[j] = ROTL64(t, keccakf_rotc[i]); > + t = bc[0]; > + } > + > + /* Chi */ > + for (j = 0; j < 25; j += 5) { > + for (i = 0; i < 5; i++) > + bc[i] = st[j + i]; > + for (i = 0; i < 5; i++) > + st[j + i] ^= (~bc[(i + 1) % 5]) & > + bc[(i + 2) % 5]; > + } > + > + /* Iota */ > + st[0] ^= keccakf_rndc[round]; > + } > +} > + > +static void sha3_init(struct sha3_state *sctx, unsigned int digest_sz) > +{ > + memset(sctx, 0, sizeof(*sctx)); > + sctx->md_len = digest_sz; > + sctx->rsiz = 200 - 2 * digest_sz; > + sctx->rsizw = sctx->rsiz / 8; > +} > + > +static int sha3_224_init(struct shash_desc *desc) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + > + sha3_init(sctx, SHA3_224_DIGEST_SIZE); > + return 0; > +} > + > +static int sha3_256_init(struct shash_desc *desc) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + > + sha3_init(sctx, SHA3_256_DIGEST_SIZE); > + return 0; > +} > + > +static int sha3_384_init(struct shash_desc *desc) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + > + sha3_init(sctx, SHA3_384_DIGEST_SIZE); > + return 0; > +} > + > +static int sha3_512_init(struct shash_desc *desc) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + > + sha3_init(sctx, SHA3_512_DIGEST_SIZE); > + return 0; > +} > + > +static int sha3_update(struct shash_desc *desc, const u8 *data, > + unsigned int len) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + unsigned int done; > + const u8 *src; > + > + done = 0; > + src = data; > + > + if ((sctx->partial + len) > (sctx->rsiz - 1)) { > + if (sctx->partial) { > + done = -sctx->partial; > + memcpy(sctx->buf + sctx->partial, data, > + done + sctx->rsiz); > + src = sctx->buf; > + } > + > + do { > + unsigned int i; > + > + for (i = 0; i < sctx->rsizw; i++) > + sctx->st[i] ^= ((u64 *) src)[i]; > + keccakf(sctx->st); > + > + done += sctx->rsiz; > + src = data + done; > + } while (done + (sctx->rsiz - 1) < len); > + > + sctx->partial = 0; > + } > + memcpy(sctx->buf + sctx->partial, src, len - done); > + sctx->partial += (len - done); > + > + return 0; > +} > + > +static int sha3_final(struct shash_desc *desc, u8 *out) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + unsigned int i, inlen = sctx->partial; > + > + sctx->buf[inlen++] = 0x06; > + memset(sctx->buf + inlen, 0, sctx->rsiz - inlen); > + sctx->buf[sctx->rsiz - 1] |= 0x80; > + > + for (i = 0; i < sctx->rsizw; i++) > + sctx->st[i] ^= ((u64 *) sctx->buf)[i]; > + > + keccakf(sctx->st); > + > + for (i = 0; i < sctx->rsizw; i++) > + sctx->st[i] = cpu_to_le64(sctx->st[i]); > + > + memcpy(out, sctx->st, sctx->md_len); > + > + memset(sctx, 0, sizeof(*sctx)); > + return 0; > +} > + > +static struct shash_alg sha3_224 = { > + .digestsize = SHA3_224_DIGEST_SIZE, > + .init = sha3_224_init, > + .update = sha3_update, > + .final = sha3_final, > + .descsize = sizeof(struct sha3_state), > + .base = { > + .cra_name = "sha3-224", > + .cra_driver_name = "sha3-224-generic", > + .cra_flags = CRYPTO_ALG_TYPE_SHASH, > + .cra_blocksize = SHA3_224_BLOCK_SIZE, > + .cra_module = THIS_MODULE, > + } > +}; > + > +static struct shash_alg sha3_256 = { > + .digestsize = SHA3_256_DIGEST_SIZE, > + .init = sha3_256_init, > + .update = sha3_update, > + .final = sha3_final, > + .descsize = sizeof(struct sha3_state), > + .base = { > + .cra_name = "sha3-256", > + .cra_driver_name = "sha3-256-generic", > + .cra_flags = CRYPTO_ALG_TYPE_SHASH, > + .cra_blocksize = SHA3_256_BLOCK_SIZE, > + .cra_module = THIS_MODULE, > + } > +}; > + > +static struct shash_alg sha3_384 = { > + .digestsize = SHA3_384_DIGEST_SIZE, > + .init = sha3_384_init, > + .update = sha3_update, > + .final = sha3_final, > + .descsize = sizeof(struct sha3_state), > + .base = { > + .cra_name = "sha3-384", > + .cra_driver_name = "sha3-384-generic", > + .cra_flags = CRYPTO_ALG_TYPE_SHASH, > + .cra_blocksize = SHA3_384_BLOCK_SIZE, > + .cra_module = THIS_MODULE, > + } > +}; > + > +static struct shash_alg sha3_512 = { > + .digestsize = SHA3_512_DIGEST_SIZE, > + .init = sha3_512_init, > + .update = sha3_update, > + .final = sha3_final, > + .descsize = sizeof(struct sha3_state), > + .base = { > + .cra_name = "sha3-512", > + .cra_driver_name = "sha3-512-generic", > + .cra_flags = CRYPTO_ALG_TYPE_SHASH, > + .cra_blocksize = SHA3_512_BLOCK_SIZE, > + .cra_module = THIS_MODULE, > + } > +}; Shouldn't there be a priority here? > + > +static int __init sha3_generic_mod_init(void) > +{ > + int ret; > + > + ret = crypto_register_shash(&sha3_224); > + if (ret < 0) > + goto err_out; > + ret = crypto_register_shash(&sha3_256); > + if (ret < 0) > + goto err_out_224; > + ret = crypto_register_shash(&sha3_384); > + if (ret < 0) > + goto err_out_256; > + ret = crypto_register_shash(&sha3_512); > + if (ret < 0) > + goto err_out_384; > + > + return 0; > + > +err_out_384: > + crypto_unregister_shash(&sha3_384); > +err_out_256: > + crypto_unregister_shash(&sha3_256); > +err_out_224: > + crypto_unregister_shash(&sha3_224); > +err_out: > + return ret; > +} > + > +static void __exit sha3_generic_mod_fini(void) > +{ > + crypto_unregister_shash(&sha3_224); > + crypto_unregister_shash(&sha3_256); > + crypto_unregister_shash(&sha3_384); > + crypto_unregister_shash(&sha3_512); > +} > + > +module_init(sha3_generic_mod_init); > +module_exit(sha3_generic_mod_fini); > + > +MODULE_LICENSE("GPL"); > +MODULE_DESCRIPTION("SHA-3 Secure Hash Algorithm"); > + > +MODULE_ALIAS("sha3-224"); > +MODULE_ALIAS("sha3-256"); > +MODULE_ALIAS("sha3-384"); > +MODULE_ALIAS("sha3-512"); MODULE_ALIAS_CRYPTO? What about the aliases for cra_driver_name? > diff --git a/include/crypto/sha3.h b/include/crypto/sha3.h > new file mode 100644 > index 0000000..f4c9f68 > --- /dev/null > +++ b/include/crypto/sha3.h > @@ -0,0 +1,29 @@ > +/* > + * Common values for SHA-3 algorithms > + */ > +#ifndef __CRYPTO_SHA3_H__ > +#define __CRYPTO_SHA3_H__ > + > +#define SHA3_224_DIGEST_SIZE (224 / 8) > +#define SHA3_224_BLOCK_SIZE (200 - 2 * SHA3_224_DIGEST_SIZE) > + > +#define SHA3_256_DIGEST_SIZE (256 / 8) > +#define SHA3_256_BLOCK_SIZE (200 - 2 * SHA3_256_DIGEST_SIZE) > + > +#define SHA3_384_DIGEST_SIZE (384 / 8) > +#define SHA3_384_BLOCK_SIZE (200 - 2 * SHA3_384_DIGEST_SIZE) > + > +#define SHA3_512_DIGEST_SIZE (512 / 8) > +#define SHA3_512_BLOCK_SIZE (200 - 2 * SHA3_512_DIGEST_SIZE) > + > +struct sha3_state { > + u64 st[25]; > + unsigned int md_len; > + unsigned int rsiz; > + unsigned int rsizw; > + > + unsigned int partial; > + u8 buf[SHA3_224_BLOCK_SIZE]; > +}; > + > +#endif Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Stephan, Thanks for the review comments. I will address it in the next patch. Please look at my reply below against each comment. Regards, Raveendra On Wed, Jun 15, 2016 at 5:12 PM, Stephan Mueller <smueller@chronox.de> wrote: > Am Mittwoch, 15. Juni 2016, 15:11:58 schrieb Raveendra Padasalagi: > > Hi Raveendra, > >> From: Jeff Garzik <jeff@garzik.org> >> >> This patch adds the implementation of SHA3 algorithm >> in software and it's based on original implementation >> pushed in patch https://lwn.net/Articles/518415/ with >> additional changes to match the padding rules specified >> in SHA-3 specification. >> >> Signed-off-by: Jeff Garzik <jgarzik@redhat.com> >> Signed-off-by: Raveendra Padasalagi <raveendra.padasalagi@broadcom.com> >> --- >> crypto/Kconfig | 10 ++ >> crypto/Makefile | 1 + >> crypto/sha3_generic.c | 296 >> ++++++++++++++++++++++++++++++++++++++++++++++++++ include/crypto/sha3.h | >> 29 +++++ >> 4 files changed, 336 insertions(+) >> create mode 100644 crypto/sha3_generic.c >> create mode 100644 include/crypto/sha3.h >> >> diff --git a/crypto/Kconfig b/crypto/Kconfig >> index 1d33beb..83ee8cb 100644 >> --- a/crypto/Kconfig >> +++ b/crypto/Kconfig >> @@ -750,6 +750,16 @@ config CRYPTO_SHA512_SPARC64 >> SHA-512 secure hash standard (DFIPS 180-2) implemented >> using sparc64 crypto instructions, when available. >> >> +config CRYPTO_SHA3 >> + tristate "SHA3 digest algorithm" >> + select CRYPTO_HASH >> + help >> + SHA-3 secure hash standard (DFIPS 202). It's based on > > Typo DFIPS? It's not typo, DFIPS mean here Draft FIPS 202. Do you want me to put it in another way ? >> + cryptographic sponge function family called Keccak. >> + >> + References: >> + http://keccak.noekeon.org/ >> + >> config CRYPTO_TGR192 >> tristate "Tiger digest algorithms" >> select CRYPTO_HASH >> diff --git a/crypto/Makefile b/crypto/Makefile >> index 4f4ef7e..0b82c47 100644 >> --- a/crypto/Makefile >> +++ b/crypto/Makefile >> @@ -61,6 +61,7 @@ obj-$(CONFIG_CRYPTO_RMD320) += rmd320.o >> obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o >> obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o >> obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o >> +obj-$(CONFIG_CRYPTO_SHA3) += sha3_generic.o >> obj-$(CONFIG_CRYPTO_WP512) += wp512.o >> obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o >> obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o >> diff --git a/crypto/sha3_generic.c b/crypto/sha3_generic.c >> new file mode 100644 >> index 0000000..162dfc3 >> --- /dev/null >> +++ b/crypto/sha3_generic.c >> @@ -0,0 +1,296 @@ >> +/* >> + * Cryptographic API. >> + * >> + * SHA-3, as specified in >> + * http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf >> + * >> + * SHA-3 code by Jeff Garzik <jeff@garzik.org> >> + * >> + * This program is free software; you can redistribute it and/or modify it >> + * under the terms of the GNU General Public License as published by the >> Free + * Software Foundation; either version 2 of the License, or (at your >> option)• + * any later version. >> + * >> + */ >> +#include <crypto/internal/hash.h> >> +#include <linux/init.h> >> +#include <linux/module.h> >> +#include <linux/types.h> >> +#include <crypto/sha3.h> >> +#include <asm/byteorder.h> >> + >> +#define KECCAK_ROUNDS 24 >> + >> +#define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y)))) >> + >> +static const u64 keccakf_rndc[24] = { >> + 0x0000000000000001, 0x0000000000008082, 0x800000000000808a, >> + 0x8000000080008000, 0x000000000000808b, 0x0000000080000001, >> + 0x8000000080008081, 0x8000000000008009, 0x000000000000008a, >> + 0x0000000000000088, 0x0000000080008009, 0x000000008000000a, >> + 0x000000008000808b, 0x800000000000008b, 0x8000000000008089, >> + 0x8000000000008003, 0x8000000000008002, 0x8000000000000080, >> + 0x000000000000800a, 0x800000008000000a, 0x8000000080008081, >> + 0x8000000000008080, 0x0000000080000001, 0x8000000080008008 >> +}; >> + >> +static const int keccakf_rotc[24] = { >> + 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, >> + 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44 >> +}; >> + >> +static const int keccakf_piln[24] = { >> + 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, >> + 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 >> +}; >> + >> +/* update the state with given number of rounds */ >> + >> +static void keccakf(u64 st[25]) >> +{ >> + int i, j, round; >> + u64 t, bc[5]; >> + >> + for (round = 0; round < KECCAK_ROUNDS; round++) { >> + >> + /* Theta */ >> + for (i = 0; i < 5; i++) >> + bc[i] = st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] >> + ^ st[i + 20]; >> + >> + for (i = 0; i < 5; i++) { >> + t = bc[(i + 4) % 5] ^ ROTL64(bc[(i + 1) % 5], 1); >> + for (j = 0; j < 25; j += 5) >> + st[j + i] ^= t; >> + } >> + >> + /* Rho Pi */ >> + t = st[1]; >> + for (i = 0; i < 24; i++) { >> + j = keccakf_piln[i]; >> + bc[0] = st[j]; >> + st[j] = ROTL64(t, keccakf_rotc[i]); >> + t = bc[0]; >> + } >> + >> + /* Chi */ >> + for (j = 0; j < 25; j += 5) { >> + for (i = 0; i < 5; i++) >> + bc[i] = st[j + i]; >> + for (i = 0; i < 5; i++) >> + st[j + i] ^= (~bc[(i + 1) % 5]) & >> + bc[(i + 2) % 5]; >> + } >> + >> + /* Iota */ >> + st[0] ^= keccakf_rndc[round]; >> + } >> +} >> + >> +static void sha3_init(struct sha3_state *sctx, unsigned int digest_sz) >> +{ >> + memset(sctx, 0, sizeof(*sctx)); >> + sctx->md_len = digest_sz; >> + sctx->rsiz = 200 - 2 * digest_sz; >> + sctx->rsizw = sctx->rsiz / 8; >> +} >> + >> +static int sha3_224_init(struct shash_desc *desc) >> +{ >> + struct sha3_state *sctx = shash_desc_ctx(desc); >> + >> + sha3_init(sctx, SHA3_224_DIGEST_SIZE); >> + return 0; >> +} >> + >> +static int sha3_256_init(struct shash_desc *desc) >> +{ >> + struct sha3_state *sctx = shash_desc_ctx(desc); >> + >> + sha3_init(sctx, SHA3_256_DIGEST_SIZE); >> + return 0; >> +} >> + >> +static int sha3_384_init(struct shash_desc *desc) >> +{ >> + struct sha3_state *sctx = shash_desc_ctx(desc); >> + >> + sha3_init(sctx, SHA3_384_DIGEST_SIZE); >> + return 0; >> +} >> + >> +static int sha3_512_init(struct shash_desc *desc) >> +{ >> + struct sha3_state *sctx = shash_desc_ctx(desc); >> + >> + sha3_init(sctx, SHA3_512_DIGEST_SIZE); >> + return 0; >> +} >> + >> +static int sha3_update(struct shash_desc *desc, const u8 *data, >> + unsigned int len) >> +{ >> + struct sha3_state *sctx = shash_desc_ctx(desc); >> + unsigned int done; >> + const u8 *src; >> + >> + done = 0; >> + src = data; >> + >> + if ((sctx->partial + len) > (sctx->rsiz - 1)) { >> + if (sctx->partial) { >> + done = -sctx->partial; >> + memcpy(sctx->buf + sctx->partial, data, >> + done + sctx->rsiz); >> + src = sctx->buf; >> + } >> + >> + do { >> + unsigned int i; >> + >> + for (i = 0; i < sctx->rsizw; i++) >> + sctx->st[i] ^= ((u64 *) src)[i]; >> + keccakf(sctx->st); >> + >> + done += sctx->rsiz; >> + src = data + done; >> + } while (done + (sctx->rsiz - 1) < len); >> + >> + sctx->partial = 0; >> + } >> + memcpy(sctx->buf + sctx->partial, src, len - done); >> + sctx->partial += (len - done); >> + >> + return 0; >> +} >> + >> +static int sha3_final(struct shash_desc *desc, u8 *out) >> +{ >> + struct sha3_state *sctx = shash_desc_ctx(desc); >> + unsigned int i, inlen = sctx->partial; >> + >> + sctx->buf[inlen++] = 0x06; >> + memset(sctx->buf + inlen, 0, sctx->rsiz - inlen); >> + sctx->buf[sctx->rsiz - 1] |= 0x80; >> + >> + for (i = 0; i < sctx->rsizw; i++) >> + sctx->st[i] ^= ((u64 *) sctx->buf)[i]; >> + >> + keccakf(sctx->st); >> + >> + for (i = 0; i < sctx->rsizw; i++) >> + sctx->st[i] = cpu_to_le64(sctx->st[i]); >> + >> + memcpy(out, sctx->st, sctx->md_len); >> + >> + memset(sctx, 0, sizeof(*sctx)); >> + return 0; >> +} >> + >> +static struct shash_alg sha3_224 = { >> + .digestsize = SHA3_224_DIGEST_SIZE, >> + .init = sha3_224_init, >> + .update = sha3_update, >> + .final = sha3_final, >> + .descsize = sizeof(struct sha3_state), >> + .base = { >> + .cra_name = "sha3-224", >> + .cra_driver_name = "sha3-224-generic", >> + .cra_flags = CRYPTO_ALG_TYPE_SHASH, >> + .cra_blocksize = SHA3_224_BLOCK_SIZE, >> + .cra_module = THIS_MODULE, >> + } >> +}; >> + >> +static struct shash_alg sha3_256 = { >> + .digestsize = SHA3_256_DIGEST_SIZE, >> + .init = sha3_256_init, >> + .update = sha3_update, >> + .final = sha3_final, >> + .descsize = sizeof(struct sha3_state), >> + .base = { >> + .cra_name = "sha3-256", >> + .cra_driver_name = "sha3-256-generic", >> + .cra_flags = CRYPTO_ALG_TYPE_SHASH, >> + .cra_blocksize = SHA3_256_BLOCK_SIZE, >> + .cra_module = THIS_MODULE, >> + } >> +}; >> + >> +static struct shash_alg sha3_384 = { >> + .digestsize = SHA3_384_DIGEST_SIZE, >> + .init = sha3_384_init, >> + .update = sha3_update, >> + .final = sha3_final, >> + .descsize = sizeof(struct sha3_state), >> + .base = { >> + .cra_name = "sha3-384", >> + .cra_driver_name = "sha3-384-generic", >> + .cra_flags = CRYPTO_ALG_TYPE_SHASH, >> + .cra_blocksize = SHA3_384_BLOCK_SIZE, >> + .cra_module = THIS_MODULE, >> + } >> +}; >> + >> +static struct shash_alg sha3_512 = { >> + .digestsize = SHA3_512_DIGEST_SIZE, >> + .init = sha3_512_init, >> + .update = sha3_update, >> + .final = sha3_final, >> + .descsize = sizeof(struct sha3_state), >> + .base = { >> + .cra_name = "sha3-512", >> + .cra_driver_name = "sha3-512-generic", >> + .cra_flags = CRYPTO_ALG_TYPE_SHASH, >> + .cra_blocksize = SHA3_512_BLOCK_SIZE, >> + .cra_module = THIS_MODULE, >> + } >> +}; > > Shouldn't there be a priority here? Yes, I will fix it in next patch. >> + >> +static int __init sha3_generic_mod_init(void) >> +{ >> + int ret; >> + >> + ret = crypto_register_shash(&sha3_224); >> + if (ret < 0) >> + goto err_out; >> + ret = crypto_register_shash(&sha3_256); >> + if (ret < 0) >> + goto err_out_224; >> + ret = crypto_register_shash(&sha3_384); >> + if (ret < 0) >> + goto err_out_256; >> + ret = crypto_register_shash(&sha3_512); >> + if (ret < 0) >> + goto err_out_384; >> + >> + return 0; >> + >> +err_out_384: >> + crypto_unregister_shash(&sha3_384); >> +err_out_256: >> + crypto_unregister_shash(&sha3_256); >> +err_out_224: >> + crypto_unregister_shash(&sha3_224); >> +err_out: >> + return ret; >> +} >> + >> +static void __exit sha3_generic_mod_fini(void) >> +{ >> + crypto_unregister_shash(&sha3_224); >> + crypto_unregister_shash(&sha3_256); >> + crypto_unregister_shash(&sha3_384); >> + crypto_unregister_shash(&sha3_512); >> +} >> + >> +module_init(sha3_generic_mod_init); >> +module_exit(sha3_generic_mod_fini); >> + >> +MODULE_LICENSE("GPL"); >> +MODULE_DESCRIPTION("SHA-3 Secure Hash Algorithm"); >> + >> +MODULE_ALIAS("sha3-224"); >> +MODULE_ALIAS("sha3-256"); >> +MODULE_ALIAS("sha3-384"); >> +MODULE_ALIAS("sha3-512"); > > MODULE_ALIAS_CRYPTO? > > What about the aliases for cra_driver_name? Yes, I will fix it in next patch. >> diff --git a/include/crypto/sha3.h b/include/crypto/sha3.h >> new file mode 100644 >> index 0000000..f4c9f68 >> --- /dev/null >> +++ b/include/crypto/sha3.h >> @@ -0,0 +1,29 @@ >> +/* >> + * Common values for SHA-3 algorithms >> + */ >> +#ifndef __CRYPTO_SHA3_H__ >> +#define __CRYPTO_SHA3_H__ >> + >> +#define SHA3_224_DIGEST_SIZE (224 / 8) >> +#define SHA3_224_BLOCK_SIZE (200 - 2 * SHA3_224_DIGEST_SIZE) >> + >> +#define SHA3_256_DIGEST_SIZE (256 / 8) >> +#define SHA3_256_BLOCK_SIZE (200 - 2 * SHA3_256_DIGEST_SIZE) >> + >> +#define SHA3_384_DIGEST_SIZE (384 / 8) >> +#define SHA3_384_BLOCK_SIZE (200 - 2 * SHA3_384_DIGEST_SIZE) >> + >> +#define SHA3_512_DIGEST_SIZE (512 / 8) >> +#define SHA3_512_BLOCK_SIZE (200 - 2 * SHA3_512_DIGEST_SIZE) >> + >> +struct sha3_state { >> + u64 st[25]; >> + unsigned int md_len; >> + unsigned int rsiz; >> + unsigned int rsizw; >> + >> + unsigned int partial; >> + u8 buf[SHA3_224_BLOCK_SIZE]; >> +}; >> + >> +#endif > > > Ciao > Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Am Donnerstag, 16. Juni 2016, 14:44:57 schrieb Raveendra Padasalagi: Hi Raveendra, > > Typo DFIPS? > > It's not typo, DFIPS mean here Draft FIPS 202. > Do you want me to put it in another way ? I have never seen DFIPS. Besides, most FIPS standards are drafts (including of FIPS 140-2 :-) ), because it would require a signature from some ministry big- wig in the US govt to "release" it. Hence, I expect that it would retain its draft state for a long time :-) But if DFIPS is what you think is right, leave it :-) Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Stephan, Yes, I was initially thinking of to put it as FIPS but looked at the existing "crypto/Kconfig" for other algorithms and found it to be using DFIPS. So kept this also the same :) I need some clarification to address your comment "Shouldn't there be a priority here?" What I know regarding priority value for an algorithm is higher the priority value it will be get selected for execution. For example, let's say for software implementation of the algorithm if priority value is specified as 100 and hardware driver implementation of the same algorithm uses the priority value of 300 then hardware algo is what selected for execution. I just had a look at priority value specified for other hash algorithm's and none of the software implementation specify any value, So it will be 0. I think it's okay to not to specify any priority value for software implementation, as hardware implementation can use non zero value if it needs higher priority. What's your opinion ? Regards, Raveendra On Thu, Jun 16, 2016 at 9:10 PM, Stephan Mueller <smueller@chronox.de> wrote: > Am Donnerstag, 16. Juni 2016, 14:44:57 schrieb Raveendra Padasalagi: > > Hi Raveendra, > >> > Typo DFIPS? >> >> It's not typo, DFIPS mean here Draft FIPS 202. >> Do you want me to put it in another way ? > > I have never seen DFIPS. Besides, most FIPS standards are drafts (including of > FIPS 140-2 :-) ), because it would require a signature from some ministry big- > wig in the US govt to "release" it. Hence, I expect that it would retain its > draft state for a long time :-) > > But if DFIPS is what you think is right, leave it :-) > > Ciao > Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Am Donnerstag, 16. Juni 2016, 21:39:17 schrieb Raveendra Padasalagi: Hi Raveendra, > I need some clarification to address your comment > > "Shouldn't there be a priority here?" > > What I know regarding priority value for an algorithm > is higher the priority value it will be get selected for execution. > > For example, let's say for software implementation of the algorithm if > priority value > is specified as 100 and hardware driver implementation of the same > algorithm uses > the priority value of 300 then hardware algo is what selected for execution. > > I just had a look at priority value specified for other hash > algorithm's and none of the > software implementation specify any value, So it will be 0. > > I think it's okay to not to specify any priority value for software > implementation, > as hardware implementation can use non zero value if it needs higher > priority. > > What's your opinion ? You are fully correct. To be in line with the other hashes, maybe let us leave it at 0. I was thinking about "backend" ciphers that should never ever be selected (like the Intel AES-NI examples) which should have a lower prio than any other cipher. But then, they have unique cra_names, so it does not really matter :-) Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/crypto/Kconfig b/crypto/Kconfig index 1d33beb..83ee8cb 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -750,6 +750,16 @@ config CRYPTO_SHA512_SPARC64 SHA-512 secure hash standard (DFIPS 180-2) implemented using sparc64 crypto instructions, when available. +config CRYPTO_SHA3 + tristate "SHA3 digest algorithm" + select CRYPTO_HASH + help + SHA-3 secure hash standard (DFIPS 202). It's based on + cryptographic sponge function family called Keccak. + + References: + http://keccak.noekeon.org/ + config CRYPTO_TGR192 tristate "Tiger digest algorithms" select CRYPTO_HASH diff --git a/crypto/Makefile b/crypto/Makefile index 4f4ef7e..0b82c47 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -61,6 +61,7 @@ obj-$(CONFIG_CRYPTO_RMD320) += rmd320.o obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o +obj-$(CONFIG_CRYPTO_SHA3) += sha3_generic.o obj-$(CONFIG_CRYPTO_WP512) += wp512.o obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o diff --git a/crypto/sha3_generic.c b/crypto/sha3_generic.c new file mode 100644 index 0000000..162dfc3 --- /dev/null +++ b/crypto/sha3_generic.c @@ -0,0 +1,296 @@ +/* + * Cryptographic API. + * + * SHA-3, as specified in + * http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf + * + * SHA-3 code by Jeff Garzik <jeff@garzik.org> + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option)• + * any later version. + * + */ +#include <crypto/internal/hash.h> +#include <linux/init.h> +#include <linux/module.h> +#include <linux/types.h> +#include <crypto/sha3.h> +#include <asm/byteorder.h> + +#define KECCAK_ROUNDS 24 + +#define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y)))) + +static const u64 keccakf_rndc[24] = { + 0x0000000000000001, 0x0000000000008082, 0x800000000000808a, + 0x8000000080008000, 0x000000000000808b, 0x0000000080000001, + 0x8000000080008081, 0x8000000000008009, 0x000000000000008a, + 0x0000000000000088, 0x0000000080008009, 0x000000008000000a, + 0x000000008000808b, 0x800000000000008b, 0x8000000000008089, + 0x8000000000008003, 0x8000000000008002, 0x8000000000000080, + 0x000000000000800a, 0x800000008000000a, 0x8000000080008081, + 0x8000000000008080, 0x0000000080000001, 0x8000000080008008 +}; + +static const int keccakf_rotc[24] = { + 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, + 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44 +}; + +static const int keccakf_piln[24] = { + 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, + 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 +}; + +/* update the state with given number of rounds */ + +static void keccakf(u64 st[25]) +{ + int i, j, round; + u64 t, bc[5]; + + for (round = 0; round < KECCAK_ROUNDS; round++) { + + /* Theta */ + for (i = 0; i < 5; i++) + bc[i] = st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] + ^ st[i + 20]; + + for (i = 0; i < 5; i++) { + t = bc[(i + 4) % 5] ^ ROTL64(bc[(i + 1) % 5], 1); + for (j = 0; j < 25; j += 5) + st[j + i] ^= t; + } + + /* Rho Pi */ + t = st[1]; + for (i = 0; i < 24; i++) { + j = keccakf_piln[i]; + bc[0] = st[j]; + st[j] = ROTL64(t, keccakf_rotc[i]); + t = bc[0]; + } + + /* Chi */ + for (j = 0; j < 25; j += 5) { + for (i = 0; i < 5; i++) + bc[i] = st[j + i]; + for (i = 0; i < 5; i++) + st[j + i] ^= (~bc[(i + 1) % 5]) & + bc[(i + 2) % 5]; + } + + /* Iota */ + st[0] ^= keccakf_rndc[round]; + } +} + +static void sha3_init(struct sha3_state *sctx, unsigned int digest_sz) +{ + memset(sctx, 0, sizeof(*sctx)); + sctx->md_len = digest_sz; + sctx->rsiz = 200 - 2 * digest_sz; + sctx->rsizw = sctx->rsiz / 8; +} + +static int sha3_224_init(struct shash_desc *desc) +{ + struct sha3_state *sctx = shash_desc_ctx(desc); + + sha3_init(sctx, SHA3_224_DIGEST_SIZE); + return 0; +} + +static int sha3_256_init(struct shash_desc *desc) +{ + struct sha3_state *sctx = shash_desc_ctx(desc); + + sha3_init(sctx, SHA3_256_DIGEST_SIZE); + return 0; +} + +static int sha3_384_init(struct shash_desc *desc) +{ + struct sha3_state *sctx = shash_desc_ctx(desc); + + sha3_init(sctx, SHA3_384_DIGEST_SIZE); + return 0; +} + +static int sha3_512_init(struct shash_desc *desc) +{ + struct sha3_state *sctx = shash_desc_ctx(desc); + + sha3_init(sctx, SHA3_512_DIGEST_SIZE); + return 0; +} + +static int sha3_update(struct shash_desc *desc, const u8 *data, + unsigned int len) +{ + struct sha3_state *sctx = shash_desc_ctx(desc); + unsigned int done; + const u8 *src; + + done = 0; + src = data; + + if ((sctx->partial + len) > (sctx->rsiz - 1)) { + if (sctx->partial) { + done = -sctx->partial; + memcpy(sctx->buf + sctx->partial, data, + done + sctx->rsiz); + src = sctx->buf; + } + + do { + unsigned int i; + + for (i = 0; i < sctx->rsizw; i++) + sctx->st[i] ^= ((u64 *) src)[i]; + keccakf(sctx->st); + + done += sctx->rsiz; + src = data + done; + } while (done + (sctx->rsiz - 1) < len); + + sctx->partial = 0; + } + memcpy(sctx->buf + sctx->partial, src, len - done); + sctx->partial += (len - done); + + return 0; +} + +static int sha3_final(struct shash_desc *desc, u8 *out) +{ + struct sha3_state *sctx = shash_desc_ctx(desc); + unsigned int i, inlen = sctx->partial; + + sctx->buf[inlen++] = 0x06; + memset(sctx->buf + inlen, 0, sctx->rsiz - inlen); + sctx->buf[sctx->rsiz - 1] |= 0x80; + + for (i = 0; i < sctx->rsizw; i++) + sctx->st[i] ^= ((u64 *) sctx->buf)[i]; + + keccakf(sctx->st); + + for (i = 0; i < sctx->rsizw; i++) + sctx->st[i] = cpu_to_le64(sctx->st[i]); + + memcpy(out, sctx->st, sctx->md_len); + + memset(sctx, 0, sizeof(*sctx)); + return 0; +} + +static struct shash_alg sha3_224 = { + .digestsize = SHA3_224_DIGEST_SIZE, + .init = sha3_224_init, + .update = sha3_update, + .final = sha3_final, + .descsize = sizeof(struct sha3_state), + .base = { + .cra_name = "sha3-224", + .cra_driver_name = "sha3-224-generic", + .cra_flags = CRYPTO_ALG_TYPE_SHASH, + .cra_blocksize = SHA3_224_BLOCK_SIZE, + .cra_module = THIS_MODULE, + } +}; + +static struct shash_alg sha3_256 = { + .digestsize = SHA3_256_DIGEST_SIZE, + .init = sha3_256_init, + .update = sha3_update, + .final = sha3_final, + .descsize = sizeof(struct sha3_state), + .base = { + .cra_name = "sha3-256", + .cra_driver_name = "sha3-256-generic", + .cra_flags = CRYPTO_ALG_TYPE_SHASH, + .cra_blocksize = SHA3_256_BLOCK_SIZE, + .cra_module = THIS_MODULE, + } +}; + +static struct shash_alg sha3_384 = { + .digestsize = SHA3_384_DIGEST_SIZE, + .init = sha3_384_init, + .update = sha3_update, + .final = sha3_final, + .descsize = sizeof(struct sha3_state), + .base = { + .cra_name = "sha3-384", + .cra_driver_name = "sha3-384-generic", + .cra_flags = CRYPTO_ALG_TYPE_SHASH, + .cra_blocksize = SHA3_384_BLOCK_SIZE, + .cra_module = THIS_MODULE, + } +}; + +static struct shash_alg sha3_512 = { + .digestsize = SHA3_512_DIGEST_SIZE, + .init = sha3_512_init, + .update = sha3_update, + .final = sha3_final, + .descsize = sizeof(struct sha3_state), + .base = { + .cra_name = "sha3-512", + .cra_driver_name = "sha3-512-generic", + .cra_flags = CRYPTO_ALG_TYPE_SHASH, + .cra_blocksize = SHA3_512_BLOCK_SIZE, + .cra_module = THIS_MODULE, + } +}; + +static int __init sha3_generic_mod_init(void) +{ + int ret; + + ret = crypto_register_shash(&sha3_224); + if (ret < 0) + goto err_out; + ret = crypto_register_shash(&sha3_256); + if (ret < 0) + goto err_out_224; + ret = crypto_register_shash(&sha3_384); + if (ret < 0) + goto err_out_256; + ret = crypto_register_shash(&sha3_512); + if (ret < 0) + goto err_out_384; + + return 0; + +err_out_384: + crypto_unregister_shash(&sha3_384); +err_out_256: + crypto_unregister_shash(&sha3_256); +err_out_224: + crypto_unregister_shash(&sha3_224); +err_out: + return ret; +} + +static void __exit sha3_generic_mod_fini(void) +{ + crypto_unregister_shash(&sha3_224); + crypto_unregister_shash(&sha3_256); + crypto_unregister_shash(&sha3_384); + crypto_unregister_shash(&sha3_512); +} + +module_init(sha3_generic_mod_init); +module_exit(sha3_generic_mod_fini); + +MODULE_LICENSE("GPL"); +MODULE_DESCRIPTION("SHA-3 Secure Hash Algorithm"); + +MODULE_ALIAS("sha3-224"); +MODULE_ALIAS("sha3-256"); +MODULE_ALIAS("sha3-384"); +MODULE_ALIAS("sha3-512"); diff --git a/include/crypto/sha3.h b/include/crypto/sha3.h new file mode 100644 index 0000000..f4c9f68 --- /dev/null +++ b/include/crypto/sha3.h @@ -0,0 +1,29 @@ +/* + * Common values for SHA-3 algorithms + */ +#ifndef __CRYPTO_SHA3_H__ +#define __CRYPTO_SHA3_H__ + +#define SHA3_224_DIGEST_SIZE (224 / 8) +#define SHA3_224_BLOCK_SIZE (200 - 2 * SHA3_224_DIGEST_SIZE) + +#define SHA3_256_DIGEST_SIZE (256 / 8) +#define SHA3_256_BLOCK_SIZE (200 - 2 * SHA3_256_DIGEST_SIZE) + +#define SHA3_384_DIGEST_SIZE (384 / 8) +#define SHA3_384_BLOCK_SIZE (200 - 2 * SHA3_384_DIGEST_SIZE) + +#define SHA3_512_DIGEST_SIZE (512 / 8) +#define SHA3_512_BLOCK_SIZE (200 - 2 * SHA3_512_DIGEST_SIZE) + +struct sha3_state { + u64 st[25]; + unsigned int md_len; + unsigned int rsiz; + unsigned int rsizw; + + unsigned int partial; + u8 buf[SHA3_224_BLOCK_SIZE]; +}; + +#endif