From: Raveendra Padasalagi Subject: Re: [PATCH 1/2] Crypto: Add SHA-3 hash algorithm Date: Thu, 16 Jun 2016 14:44:57 +0530 Message-ID: References: <1465983719-8313-1-git-send-email-raveendra.padasalagi@broadcom.com> <1465983719-8313-2-git-send-email-raveendra.padasalagi@broadcom.com> <8163378.RZGaC46RvE@tauon.atsec.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: QUOTED-PRINTABLE Cc: Herbert Xu , "David S. Miller" , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Jon Mason , Florian Fainelli , Anup Patel , Ray Jui , Scott Branden , Pramod Kumar , bcm-kernel-feedback-list , Jeff Garzik , Jeff Garzik To: Stephan Mueller Return-path: In-Reply-To: <8163378.RZGaC46RvE@tauon.atsec.com> Sender: linux-kernel-owner@vger.kernel.org List-Id: linux-crypto.vger.kernel.org Hi Stephan, Thanks for the review comments. I will address it in the next patch. Please look at my reply below against each comment. Regards, Raveendra On Wed, Jun 15, 2016 at 5:12 PM, Stephan Mueller = wrote: > Am Mittwoch, 15. Juni 2016, 15:11:58 schrieb Raveendra Padasalagi: > > Hi Raveendra, > >> From: Jeff Garzik >> >> This patch adds the implementation of SHA3 algorithm >> in software and it's based on original implementation >> pushed in patch https://lwn.net/Articles/518415/ with >> additional changes to match the padding rules specified >> in SHA-3 specification. >> >> Signed-off-by: Jeff Garzik >> Signed-off-by: Raveendra Padasalagi >> --- >> crypto/Kconfig | 10 ++ >> crypto/Makefile | 1 + >> crypto/sha3_generic.c | 296 >> ++++++++++++++++++++++++++++++++++++++++++++++++++ include/crypto/sh= a3.h | >> 29 +++++ >> 4 files changed, 336 insertions(+) >> create mode 100644 crypto/sha3_generic.c >> create mode 100644 include/crypto/sha3.h >> >> diff --git a/crypto/Kconfig b/crypto/Kconfig >> index 1d33beb..83ee8cb 100644 >> --- a/crypto/Kconfig >> +++ b/crypto/Kconfig >> @@ -750,6 +750,16 @@ config CRYPTO_SHA512_SPARC64 >> SHA-512 secure hash standard (DFIPS 180-2) implemented >> using sparc64 crypto instructions, when available. >> >> +config CRYPTO_SHA3 >> + tristate "SHA3 digest algorithm" >> + select CRYPTO_HASH >> + help >> + SHA-3 secure hash standard (DFIPS 202). It's based on > > Typo DFIPS? It's not typo, DFIPS mean here Draft FIPS 202. Do you want me to put it in another way ? >> + cryptographic sponge function family called Keccak. >> + >> + References: >> + http://keccak.noekeon.org/ >> + >> config CRYPTO_TGR192 >> tristate "Tiger digest algorithms" >> select CRYPTO_HASH >> diff --git a/crypto/Makefile b/crypto/Makefile >> index 4f4ef7e..0b82c47 100644 >> --- a/crypto/Makefile >> +++ b/crypto/Makefile >> @@ -61,6 +61,7 @@ obj-$(CONFIG_CRYPTO_RMD320) +=3D rmd320.o >> obj-$(CONFIG_CRYPTO_SHA1) +=3D sha1_generic.o >> obj-$(CONFIG_CRYPTO_SHA256) +=3D sha256_generic.o >> obj-$(CONFIG_CRYPTO_SHA512) +=3D sha512_generic.o >> +obj-$(CONFIG_CRYPTO_SHA3) +=3D sha3_generic.o >> obj-$(CONFIG_CRYPTO_WP512) +=3D wp512.o >> obj-$(CONFIG_CRYPTO_TGR192) +=3D tgr192.o >> obj-$(CONFIG_CRYPTO_GF128MUL) +=3D gf128mul.o >> diff --git a/crypto/sha3_generic.c b/crypto/sha3_generic.c >> new file mode 100644 >> index 0000000..162dfc3 >> --- /dev/null >> +++ b/crypto/sha3_generic.c >> @@ -0,0 +1,296 @@ >> +/* >> + * Cryptographic API. >> + * >> + * SHA-3, as specified in >> + * http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf >> + * >> + * SHA-3 code by Jeff Garzik >> + * >> + * This program is free software; you can redistribute it and/or mo= dify it >> + * under the terms of the GNU General Public License as published b= y the >> Free + * Software Foundation; either version 2 of the License, or (a= t your >> option)=E2=80=A2 + * any later version. >> + * >> + */ >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +#define KECCAK_ROUNDS 24 >> + >> +#define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y)))) >> + >> +static const u64 keccakf_rndc[24] =3D { >> + 0x0000000000000001, 0x0000000000008082, 0x800000000000808a, >> + 0x8000000080008000, 0x000000000000808b, 0x0000000080000001, >> + 0x8000000080008081, 0x8000000000008009, 0x000000000000008a, >> + 0x0000000000000088, 0x0000000080008009, 0x000000008000000a, >> + 0x000000008000808b, 0x800000000000008b, 0x8000000000008089, >> + 0x8000000000008003, 0x8000000000008002, 0x8000000000000080, >> + 0x000000000000800a, 0x800000008000000a, 0x8000000080008081, >> + 0x8000000000008080, 0x0000000080000001, 0x8000000080008008 >> +}; >> + >> +static const int keccakf_rotc[24] =3D { >> + 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, >> + 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44 >> +}; >> + >> +static const int keccakf_piln[24] =3D { >> + 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, >> + 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 >> +}; >> + >> +/* update the state with given number of rounds */ >> + >> +static void keccakf(u64 st[25]) >> +{ >> + int i, j, round; >> + u64 t, bc[5]; >> + >> + for (round =3D 0; round < KECCAK_ROUNDS; round++) { >> + >> + /* Theta */ >> + for (i =3D 0; i < 5; i++) >> + bc[i] =3D st[i] ^ st[i + 5] ^ st[i + 10] ^ st[= i + 15] >> + ^ st[i + 20]; >> + >> + for (i =3D 0; i < 5; i++) { >> + t =3D bc[(i + 4) % 5] ^ ROTL64(bc[(i + 1) % 5]= , 1); >> + for (j =3D 0; j < 25; j +=3D 5) >> + st[j + i] ^=3D t; >> + } >> + >> + /* Rho Pi */ >> + t =3D st[1]; >> + for (i =3D 0; i < 24; i++) { >> + j =3D keccakf_piln[i]; >> + bc[0] =3D st[j]; >> + st[j] =3D ROTL64(t, keccakf_rotc[i]); >> + t =3D bc[0]; >> + } >> + >> + /* Chi */ >> + for (j =3D 0; j < 25; j +=3D 5) { >> + for (i =3D 0; i < 5; i++) >> + bc[i] =3D st[j + i]; >> + for (i =3D 0; i < 5; i++) >> + st[j + i] ^=3D (~bc[(i + 1) % 5]) & >> + bc[(i + 2) % 5]; >> + } >> + >> + /* Iota */ >> + st[0] ^=3D keccakf_rndc[round]; >> + } >> +} >> + >> +static void sha3_init(struct sha3_state *sctx, unsigned int digest_= sz) >> +{ >> + memset(sctx, 0, sizeof(*sctx)); >> + sctx->md_len =3D digest_sz; >> + sctx->rsiz =3D 200 - 2 * digest_sz; >> + sctx->rsizw =3D sctx->rsiz / 8; >> +} >> + >> +static int sha3_224_init(struct shash_desc *desc) >> +{ >> + struct sha3_state *sctx =3D shash_desc_ctx(desc); >> + >> + sha3_init(sctx, SHA3_224_DIGEST_SIZE); >> + return 0; >> +} >> + >> +static int sha3_256_init(struct shash_desc *desc) >> +{ >> + struct sha3_state *sctx =3D shash_desc_ctx(desc); >> + >> + sha3_init(sctx, SHA3_256_DIGEST_SIZE); >> + return 0; >> +} >> + >> +static int sha3_384_init(struct shash_desc *desc) >> +{ >> + struct sha3_state *sctx =3D shash_desc_ctx(desc); >> + >> + sha3_init(sctx, SHA3_384_DIGEST_SIZE); >> + return 0; >> +} >> + >> +static int sha3_512_init(struct shash_desc *desc) >> +{ >> + struct sha3_state *sctx =3D shash_desc_ctx(desc); >> + >> + sha3_init(sctx, SHA3_512_DIGEST_SIZE); >> + return 0; >> +} >> + >> +static int sha3_update(struct shash_desc *desc, const u8 *data, >> + unsigned int len) >> +{ >> + struct sha3_state *sctx =3D shash_desc_ctx(desc); >> + unsigned int done; >> + const u8 *src; >> + >> + done =3D 0; >> + src =3D data; >> + >> + if ((sctx->partial + len) > (sctx->rsiz - 1)) { >> + if (sctx->partial) { >> + done =3D -sctx->partial; >> + memcpy(sctx->buf + sctx->partial, data, >> + done + sctx->rsiz); >> + src =3D sctx->buf; >> + } >> + >> + do { >> + unsigned int i; >> + >> + for (i =3D 0; i < sctx->rsizw; i++) >> + sctx->st[i] ^=3D ((u64 *) src)[i]; >> + keccakf(sctx->st); >> + >> + done +=3D sctx->rsiz; >> + src =3D data + done; >> + } while (done + (sctx->rsiz - 1) < len); >> + >> + sctx->partial =3D 0; >> + } >> + memcpy(sctx->buf + sctx->partial, src, len - done); >> + sctx->partial +=3D (len - done); >> + >> + return 0; >> +} >> + >> +static int sha3_final(struct shash_desc *desc, u8 *out) >> +{ >> + struct sha3_state *sctx =3D shash_desc_ctx(desc); >> + unsigned int i, inlen =3D sctx->partial; >> + >> + sctx->buf[inlen++] =3D 0x06; >> + memset(sctx->buf + inlen, 0, sctx->rsiz - inlen); >> + sctx->buf[sctx->rsiz - 1] |=3D 0x80; >> + >> + for (i =3D 0; i < sctx->rsizw; i++) >> + sctx->st[i] ^=3D ((u64 *) sctx->buf)[i]; >> + >> + keccakf(sctx->st); >> + >> + for (i =3D 0; i < sctx->rsizw; i++) >> + sctx->st[i] =3D cpu_to_le64(sctx->st[i]); >> + >> + memcpy(out, sctx->st, sctx->md_len); >> + >> + memset(sctx, 0, sizeof(*sctx)); >> + return 0; >> +} >> + >> +static struct shash_alg sha3_224 =3D { >> + .digestsize =3D SHA3_224_DIGEST_SIZE, >> + .init =3D sha3_224_init, >> + .update =3D sha3_update, >> + .final =3D sha3_final, >> + .descsize =3D sizeof(struct sha3_state), >> + .base =3D { >> + .cra_name =3D "sha3-224", >> + .cra_driver_name =3D "sha3-224-generic", >> + .cra_flags =3D CRYPTO_ALG_TYPE_SHASH, >> + .cra_blocksize =3D SHA3_224_BLOCK_SIZE, >> + .cra_module =3D THIS_MODULE, >> + } >> +}; >> + >> +static struct shash_alg sha3_256 =3D { >> + .digestsize =3D SHA3_256_DIGEST_SIZE, >> + .init =3D sha3_256_init, >> + .update =3D sha3_update, >> + .final =3D sha3_final, >> + .descsize =3D sizeof(struct sha3_state), >> + .base =3D { >> + .cra_name =3D "sha3-256", >> + .cra_driver_name =3D "sha3-256-generic", >> + .cra_flags =3D CRYPTO_ALG_TYPE_SHASH, >> + .cra_blocksize =3D SHA3_256_BLOCK_SIZE, >> + .cra_module =3D THIS_MODULE, >> + } >> +}; >> + >> +static struct shash_alg sha3_384 =3D { >> + .digestsize =3D SHA3_384_DIGEST_SIZE, >> + .init =3D sha3_384_init, >> + .update =3D sha3_update, >> + .final =3D sha3_final, >> + .descsize =3D sizeof(struct sha3_state), >> + .base =3D { >> + .cra_name =3D "sha3-384", >> + .cra_driver_name =3D "sha3-384-generic", >> + .cra_flags =3D CRYPTO_ALG_TYPE_SHASH, >> + .cra_blocksize =3D SHA3_384_BLOCK_SIZE, >> + .cra_module =3D THIS_MODULE, >> + } >> +}; >> + >> +static struct shash_alg sha3_512 =3D { >> + .digestsize =3D SHA3_512_DIGEST_SIZE, >> + .init =3D sha3_512_init, >> + .update =3D sha3_update, >> + .final =3D sha3_final, >> + .descsize =3D sizeof(struct sha3_state), >> + .base =3D { >> + .cra_name =3D "sha3-512", >> + .cra_driver_name =3D "sha3-512-generic", >> + .cra_flags =3D CRYPTO_ALG_TYPE_SHASH, >> + .cra_blocksize =3D SHA3_512_BLOCK_SIZE, >> + .cra_module =3D THIS_MODULE, >> + } >> +}; > > Shouldn't there be a priority here? Yes, I will fix it in next patch. >> + >> +static int __init sha3_generic_mod_init(void) >> +{ >> + int ret; >> + >> + ret =3D crypto_register_shash(&sha3_224); >> + if (ret < 0) >> + goto err_out; >> + ret =3D crypto_register_shash(&sha3_256); >> + if (ret < 0) >> + goto err_out_224; >> + ret =3D crypto_register_shash(&sha3_384); >> + if (ret < 0) >> + goto err_out_256; >> + ret =3D crypto_register_shash(&sha3_512); >> + if (ret < 0) >> + goto err_out_384; >> + >> + return 0; >> + >> +err_out_384: >> + crypto_unregister_shash(&sha3_384); >> +err_out_256: >> + crypto_unregister_shash(&sha3_256); >> +err_out_224: >> + crypto_unregister_shash(&sha3_224); >> +err_out: >> + return ret; >> +} >> + >> +static void __exit sha3_generic_mod_fini(void) >> +{ >> + crypto_unregister_shash(&sha3_224); >> + crypto_unregister_shash(&sha3_256); >> + crypto_unregister_shash(&sha3_384); >> + crypto_unregister_shash(&sha3_512); >> +} >> + >> +module_init(sha3_generic_mod_init); >> +module_exit(sha3_generic_mod_fini); >> + >> +MODULE_LICENSE("GPL"); >> +MODULE_DESCRIPTION("SHA-3 Secure Hash Algorithm"); >> + >> +MODULE_ALIAS("sha3-224"); >> +MODULE_ALIAS("sha3-256"); >> +MODULE_ALIAS("sha3-384"); >> +MODULE_ALIAS("sha3-512"); > > MODULE_ALIAS_CRYPTO? > > What about the aliases for cra_driver_name? Yes, I will fix it in next patch. >> diff --git a/include/crypto/sha3.h b/include/crypto/sha3.h >> new file mode 100644 >> index 0000000..f4c9f68 >> --- /dev/null >> +++ b/include/crypto/sha3.h >> @@ -0,0 +1,29 @@ >> +/* >> + * Common values for SHA-3 algorithms >> + */ >> +#ifndef __CRYPTO_SHA3_H__ >> +#define __CRYPTO_SHA3_H__ >> + >> +#define SHA3_224_DIGEST_SIZE (224 / 8) >> +#define SHA3_224_BLOCK_SIZE (200 - 2 * SHA3_224_DIGEST_SIZE) >> + >> +#define SHA3_256_DIGEST_SIZE (256 / 8) >> +#define SHA3_256_BLOCK_SIZE (200 - 2 * SHA3_256_DIGEST_SIZE) >> + >> +#define SHA3_384_DIGEST_SIZE (384 / 8) >> +#define SHA3_384_BLOCK_SIZE (200 - 2 * SHA3_384_DIGEST_SIZE) >> + >> +#define SHA3_512_DIGEST_SIZE (512 / 8) >> +#define SHA3_512_BLOCK_SIZE (200 - 2 * SHA3_512_DIGEST_SIZE) >> + >> +struct sha3_state { >> + u64 st[25]; >> + unsigned int md_len; >> + unsigned int rsiz; >> + unsigned int rsizw; >> + >> + unsigned int partial; >> + u8 buf[SHA3_224_BLOCK_SIZE]; >> +}; >> + >> +#endif > > > Ciao > Stephan