dh.c - OpenGrok cross reference for /linux/crypto/dh.c

Deleted Added

sdiffudifftextold (7dce5981..)new (1e207964..)

dh.c (7dce59819750d78513c70bf4a9024e265af88b23)	dh.c (1e207964566738b49b003e80063fd712af75b82c)
1// SPDX-License-Identifier: GPL-2.0-or-later 2/* Diffie-Hellman Key Agreement Method [RFC2631] 3 * 4 * Copyright (c) 2016, Intel Corporation 5 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com> 6 */ 7 8#include <linux/fips.h> 9#include <linux/module.h> 10#include <crypto/internal/kpp.h> 11#include <crypto/kpp.h> 12#include <crypto/dh.h>	1// SPDX-License-Identifier: GPL-2.0-or-later 2/* Diffie-Hellman Key Agreement Method [RFC2631] 3 * 4 * Copyright (c) 2016, Intel Corporation 5 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com> 6 */ 7 8#include <linux/fips.h> 9#include <linux/module.h> 10#include <crypto/internal/kpp.h> 11#include <crypto/kpp.h> 12#include <crypto/dh.h>
	13#include <crypto/rng.h>
13#include <linux/mpi.h> 14 15struct dh_ctx { 16 MPI p; /* Value is guaranteed to be set. / 17 MPI q; / Value is optional. / 18 MPI g; / Value is guaranteed to be set. / 19 MPI xa; / Value is guaranteed to be set. / 20}; --- 289 unchanged lines hidden* (view full) --- 310 311static void dh_safe_prime_exit_tfm(struct crypto_kpp tfm) 312{ 313 struct dh_safe_prime_tfm_ctx tfm_ctx = kpp_tfm_ctx(tfm); 314 315 crypto_free_kpp(tfm_ctx->dh_tfm); 316} 317	14#include <linux/mpi.h> 15 16struct dh_ctx { 17 MPI p; /* Value is guaranteed to be set. / 18 MPI q; / Value is optional. / 19 MPI g; / Value is guaranteed to be set. / 20 MPI xa; / Value is guaranteed to be set. / 21}; --- 289 unchanged lines hidden* (view full) --- 311 312static void dh_safe_prime_exit_tfm(struct crypto_kpp tfm) 313{ 314 struct dh_safe_prime_tfm_ctx tfm_ctx = kpp_tfm_ctx(tfm); 315 316 crypto_free_kpp(tfm_ctx->dh_tfm); 317} 318
	319static u64 __add_u64_to_be(__be64 dst, unsigned int n, u64 val) 320{ 321 unsigned int i; 322 323 for (i = n; val && i > 0; --i) { 324 u64 tmp = be64_to_cpu(dst[i - 1]); 325 326 tmp += val; 327 val = tmp >= val ? 0 : 1; 328 dst[i - 1] = cpu_to_be64(tmp); 329 } 330 331 return val; 332} 333 334static void dh_safe_prime_gen_privkey(const struct dh_safe_prime safe_prime, 335 unsigned int key_size) 336{ 337 unsigned int n, oversampling_size; 338 __be64 key; 339 int err; 340 u64 h, o; 341 342 / 343 * Generate a private key following NIST SP800-56Ar3, 344 * sec. 5.6.1.1.1 and 5.6.1.1.3 resp.. 345 * 346 * 5.6.1.1.1: choose key length N such that 347 * 2 * ->max_strength <= N <= log2(q) + 1 = ->p_size * 8 - 1 348 * with q = (p - 1) / 2 for the safe-prime groups. 349 * Choose the lower bound's next power of two for N in order to 350 * avoid excessively large private keys while still 351 * maintaining some extra reserve beyond the bare minimum in 352 * most cases. Note that for each entry in safe_prime_groups[], 353 * the following holds for such N: 354 * - N >= 256, in particular it is a multiple of 2^6 = 64 355 * bits and 356 * - N < log2(q) + 1, i.e. N respects the upper bound. 357 / 358 n = roundup_pow_of_two(2 safe_prime->max_strength); 359 WARN_ON_ONCE(n & ((1u << 6) - 1)); 360 n >>= 6; /* Convert N into units of u64. / 361 362 / 363 * Reserve one extra u64 to hold the extra random bits 364 * required as per 5.6.1.1.3. 365 / 366 oversampling_size = (n + 1) sizeof(__be64); 367 key = kmalloc(oversampling_size, GFP_KERNEL); 368 if (!key) 369 return ERR_PTR(-ENOMEM); 370 371 /* 372 * 5.6.1.1.3, step 3 (and implicitly step 4): obtain N + 64 373 * random bits and interpret them as a big endian integer. 374 / 375 err = -EFAULT; 376 if (crypto_get_default_rng()) 377 goto out_err; 378 379 err = crypto_rng_get_bytes(crypto_default_rng, (u8 )key, 380 oversampling_size); 381 crypto_put_default_rng(); 382 if (err) 383 goto out_err; 384 385 /* 386 * 5.6.1.1.3, step 5 is implicit: 2^N < q and thus, 387 * M = min(2^N, q) = 2^N. 388 * 389 * For step 6, calculate 390 * key = (key[] mod (M - 1)) + 1 = (key[] mod (2^N - 1)) + 1. 391 * 392 * In order to avoid expensive divisions, note that 393 * 2^N mod (2^N - 1) = 1 and thus, for any integer h, 394 * 2^N * h mod (2^N - 1) = h mod (2^N - 1) always holds. 395 * The big endian integer key[] composed of n + 1 64bit words 396 * may be written as key[] = h * 2^N + l, with h = key[0] 397 * representing the 64 most significant bits and l 398 * corresponding to the remaining 2^N bits. With the remark 399 * from above, 400 * h * 2^N + l mod (2^N - 1) = l + h mod (2^N - 1). 401 * As both, l and h are less than 2^N, their sum after 402 * this first reduction is guaranteed to be <= 2^(N + 1) - 2. 403 * Or equivalently, that their sum can again be written as 404 * h' * 2^N + l' with h' now either zero or one and if one, 405 * then l' <= 2^N - 2. Thus, all bits at positions >= N will 406 * be zero after a second reduction: 407 * h' * 2^N + l' mod (2^N - 1) = l' + h' mod (2^N - 1). 408 * At this point, it is still possible that 409 * l' + h' = 2^N - 1, i.e. that l' + h' mod (2^N - 1) 410 * is zero. This condition will be detected below by means of 411 * the final increment overflowing in this case. 412 / 413 h = be64_to_cpu(key[0]); 414 h = __add_u64_to_be(key + 1, n, h); 415 h = __add_u64_to_be(key + 1, n, h); 416 WARN_ON_ONCE(h); 417 418 / Increment to obtain the final result. / 419 o = __add_u64_to_be(key + 1, n, 1); 420 / 421 * The overflow bit o from the increment is either zero or 422 * one. If zero, key[1:n] holds the final result in big-endian 423 * order. If one, key[1:n] is zero now, but needs to be set to 424 * one, c.f. above. 425 / 426 if (o) 427 key[n] = cpu_to_be64(1); 428 429 / n is in units of u64, convert to bytes. / 430 key_size = n << 3; 431 /* Strip the leading extra __be64, which is (virtually) zero by now. / 432 memmove(key, &key[1], key_size); 433 434 return key; 435 436out_err: 437 kfree_sensitive(key); 438 return ERR_PTR(err); 439} 440
318static int dh_safe_prime_set_secret(struct crypto_kpp tfm, const void buffer, 319 unsigned int len) 320{ 321 struct dh_safe_prime_instance_ctx inst_ctx = 322 dh_safe_prime_instance_ctx(tfm); 323 struct dh_safe_prime_tfm_ctx tfm_ctx = kpp_tfm_ctx(tfm); 324 struct dh params;	441static int dh_safe_prime_set_secret(struct crypto_kpp tfm, const void buffer, 442 unsigned int len) 443{ 444 struct dh_safe_prime_instance_ctx inst_ctx = 445 dh_safe_prime_instance_ctx(tfm); 446 struct dh_safe_prime_tfm_ctx tfm_ctx = kpp_tfm_ctx(tfm); 447 struct dh params;
325 void *buf;	448 void buf = NULL, key = NULL;
326 unsigned int buf_size; 327 int err; 328 329 err = __crypto_dh_decode_key(buffer, len, &params); 330 if (err) 331 return err; 332 333 if (params.p_size \|\| params.g_size) 334 return -EINVAL; 335 336 params.p = inst_ctx->safe_prime->p; 337 params.p_size = inst_ctx->safe_prime->p_size; 338 params.g = safe_prime_g; 339 params.g_size = sizeof(safe_prime_g); 340	449 unsigned int buf_size; 450 int err; 451 452 err = __crypto_dh_decode_key(buffer, len, &params); 453 if (err) 454 return err; 455 456 if (params.p_size \|\| params.g_size) 457 return -EINVAL; 458 459 params.p = inst_ctx->safe_prime->p; 460 params.p_size = inst_ctx->safe_prime->p_size; 461 params.g = safe_prime_g; 462 params.g_size = sizeof(safe_prime_g); 463
	464 if (!params.key_size) { 465 key = dh_safe_prime_gen_privkey(inst_ctx->safe_prime, 466 &params.key_size); 467 if (IS_ERR(key)) 468 return PTR_ERR(key); 469 params.key = key; 470 } 471
341 buf_size = crypto_dh_key_len(&params); 342 buf = kmalloc(buf_size, GFP_KERNEL);	472 buf_size = crypto_dh_key_len(&params); 473 buf = kmalloc(buf_size, GFP_KERNEL);
343 if (!buf) 344 return -ENOMEM;	474 if (!buf) { 475 err = -ENOMEM; 476 goto out; 477 }
345 346 err = crypto_dh_encode_key(buf, buf_size, &params); 347 if (err) 348 goto out; 349 350 err = crypto_kpp_set_secret(tfm_ctx->dh_tfm, buf, buf_size); 351out: 352 kfree_sensitive(buf);	478 479 err = crypto_dh_encode_key(buf, buf_size, &params); 480 if (err) 481 goto out; 482 483 err = crypto_kpp_set_secret(tfm_ctx->dh_tfm, buf, buf_size); 484out: 485 kfree_sensitive(buf);
	486 kfree_sensitive(key);
353 return err; 354} 355 356static void dh_safe_prime_complete_req(struct crypto_async_request dh_req, 357 int err) 358{ 359 struct kpp_request req = dh_req->data; 360 --- 418 unchanged lines hidden ---	487 return err; 488} 489 490static void dh_safe_prime_complete_req(struct crypto_async_request dh_req, 491 int err) 492{ 493 struct kpp_request req = dh_req->data; 494 --- 418 unchanged lines hidden ---