mirror of
https://github.com/torvalds/linux.git
synced 2026-03-07 23:04:33 +01:00
b2c15db74a
Switch from the old AES library functions (which use struct crypto_aes_ctx) to the new ones (which use struct aes_enckey). This eliminates the unnecessary computation and caching of the decryption round keys. The new AES en/decryption functions are also much faster and use AES instructions when supported by the CPU. Note that in addition to the change in the key preparation function and the key struct type itself, the change in the type of the key struct results in aes_encrypt() (which is temporarily a type-generic macro) calling the new encryption function rather than the old one. Acked-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20260112192035.10427-30-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org>
222 lines
6.6 KiB
C
222 lines
6.6 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
/*
|
|
* NIST SP800-90A DRBG derivation function
|
|
*
|
|
* Copyright (C) 2014, Stephan Mueller <smueller@chronox.de>
|
|
*/
|
|
|
|
#include <linux/errno.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/module.h>
|
|
#include <linux/string.h>
|
|
#include <crypto/aes.h>
|
|
#include <crypto/df_sp80090a.h>
|
|
#include <crypto/internal/drbg.h>
|
|
|
|
static void drbg_kcapi_sym(struct aes_enckey *aeskey, unsigned char *outval,
|
|
const struct drbg_string *in, u8 blocklen_bytes)
|
|
{
|
|
/* there is only component in *in */
|
|
BUG_ON(in->len < blocklen_bytes);
|
|
aes_encrypt(aeskey, outval, in->buf);
|
|
}
|
|
|
|
/* BCC function for CTR DRBG as defined in 10.4.3 */
|
|
|
|
static void drbg_ctr_bcc(struct aes_enckey *aeskey,
|
|
unsigned char *out, const unsigned char *key,
|
|
struct list_head *in,
|
|
u8 blocklen_bytes,
|
|
u8 keylen)
|
|
{
|
|
struct drbg_string *curr = NULL;
|
|
struct drbg_string data;
|
|
short cnt = 0;
|
|
|
|
drbg_string_fill(&data, out, blocklen_bytes);
|
|
|
|
/* 10.4.3 step 2 / 4 */
|
|
aes_prepareenckey(aeskey, key, keylen);
|
|
list_for_each_entry(curr, in, list) {
|
|
const unsigned char *pos = curr->buf;
|
|
size_t len = curr->len;
|
|
/* 10.4.3 step 4.1 */
|
|
while (len) {
|
|
/* 10.4.3 step 4.2 */
|
|
if (blocklen_bytes == cnt) {
|
|
cnt = 0;
|
|
drbg_kcapi_sym(aeskey, out, &data, blocklen_bytes);
|
|
}
|
|
out[cnt] ^= *pos;
|
|
pos++;
|
|
cnt++;
|
|
len--;
|
|
}
|
|
}
|
|
/* 10.4.3 step 4.2 for last block */
|
|
if (cnt)
|
|
drbg_kcapi_sym(aeskey, out, &data, blocklen_bytes);
|
|
}
|
|
|
|
/*
|
|
* scratchpad usage: drbg_ctr_update is interlinked with crypto_drbg_ctr_df
|
|
* (and drbg_ctr_bcc, but this function does not need any temporary buffers),
|
|
* the scratchpad is used as follows:
|
|
* drbg_ctr_update:
|
|
* temp
|
|
* start: drbg->scratchpad
|
|
* length: drbg_statelen(drbg) + drbg_blocklen(drbg)
|
|
* note: the cipher writing into this variable works
|
|
* blocklen-wise. Now, when the statelen is not a multiple
|
|
* of blocklen, the generateion loop below "spills over"
|
|
* by at most blocklen. Thus, we need to give sufficient
|
|
* memory.
|
|
* df_data
|
|
* start: drbg->scratchpad +
|
|
* drbg_statelen(drbg) + drbg_blocklen(drbg)
|
|
* length: drbg_statelen(drbg)
|
|
*
|
|
* crypto_drbg_ctr_df:
|
|
* pad
|
|
* start: df_data + drbg_statelen(drbg)
|
|
* length: drbg_blocklen(drbg)
|
|
* iv
|
|
* start: pad + drbg_blocklen(drbg)
|
|
* length: drbg_blocklen(drbg)
|
|
* temp
|
|
* start: iv + drbg_blocklen(drbg)
|
|
* length: drbg_satelen(drbg) + drbg_blocklen(drbg)
|
|
* note: temp is the buffer that the BCC function operates
|
|
* on. BCC operates blockwise. drbg_statelen(drbg)
|
|
* is sufficient when the DRBG state length is a multiple
|
|
* of the block size. For AES192 (and maybe other ciphers)
|
|
* this is not correct and the length for temp is
|
|
* insufficient (yes, that also means for such ciphers,
|
|
* the final output of all BCC rounds are truncated).
|
|
* Therefore, add drbg_blocklen(drbg) to cover all
|
|
* possibilities.
|
|
* refer to crypto_drbg_ctr_df_datalen() to get required length
|
|
*/
|
|
|
|
/* Derivation Function for CTR DRBG as defined in 10.4.2 */
|
|
int crypto_drbg_ctr_df(struct aes_enckey *aeskey,
|
|
unsigned char *df_data, size_t bytes_to_return,
|
|
struct list_head *seedlist,
|
|
u8 blocklen_bytes,
|
|
u8 statelen)
|
|
{
|
|
unsigned char L_N[8];
|
|
/* S3 is input */
|
|
struct drbg_string S1, S2, S4, cipherin;
|
|
LIST_HEAD(bcc_list);
|
|
unsigned char *pad = df_data + statelen;
|
|
unsigned char *iv = pad + blocklen_bytes;
|
|
unsigned char *temp = iv + blocklen_bytes;
|
|
size_t padlen = 0;
|
|
unsigned int templen = 0;
|
|
/* 10.4.2 step 7 */
|
|
unsigned int i = 0;
|
|
/* 10.4.2 step 8 */
|
|
const unsigned char *K = (unsigned char *)
|
|
"\x00\x01\x02\x03\x04\x05\x06\x07"
|
|
"\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
|
|
"\x10\x11\x12\x13\x14\x15\x16\x17"
|
|
"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f";
|
|
unsigned char *X;
|
|
size_t generated_len = 0;
|
|
size_t inputlen = 0;
|
|
struct drbg_string *seed = NULL;
|
|
u8 keylen;
|
|
|
|
memset(pad, 0, blocklen_bytes);
|
|
memset(iv, 0, blocklen_bytes);
|
|
keylen = statelen - blocklen_bytes;
|
|
/* 10.4.2 step 1 is implicit as we work byte-wise */
|
|
|
|
/* 10.4.2 step 2 */
|
|
if ((512 / 8) < bytes_to_return)
|
|
return -EINVAL;
|
|
|
|
/* 10.4.2 step 2 -- calculate the entire length of all input data */
|
|
list_for_each_entry(seed, seedlist, list)
|
|
inputlen += seed->len;
|
|
drbg_cpu_to_be32(inputlen, &L_N[0]);
|
|
|
|
/* 10.4.2 step 3 */
|
|
drbg_cpu_to_be32(bytes_to_return, &L_N[4]);
|
|
|
|
/* 10.4.2 step 5: length is L_N, input_string, one byte, padding */
|
|
padlen = (inputlen + sizeof(L_N) + 1) % (blocklen_bytes);
|
|
/* wrap the padlen appropriately */
|
|
if (padlen)
|
|
padlen = blocklen_bytes - padlen;
|
|
/*
|
|
* pad / padlen contains the 0x80 byte and the following zero bytes.
|
|
* As the calculated padlen value only covers the number of zero
|
|
* bytes, this value has to be incremented by one for the 0x80 byte.
|
|
*/
|
|
padlen++;
|
|
pad[0] = 0x80;
|
|
|
|
/* 10.4.2 step 4 -- first fill the linked list and then order it */
|
|
drbg_string_fill(&S1, iv, blocklen_bytes);
|
|
list_add_tail(&S1.list, &bcc_list);
|
|
drbg_string_fill(&S2, L_N, sizeof(L_N));
|
|
list_add_tail(&S2.list, &bcc_list);
|
|
list_splice_tail(seedlist, &bcc_list);
|
|
drbg_string_fill(&S4, pad, padlen);
|
|
list_add_tail(&S4.list, &bcc_list);
|
|
|
|
/* 10.4.2 step 9 */
|
|
while (templen < (keylen + (blocklen_bytes))) {
|
|
/*
|
|
* 10.4.2 step 9.1 - the padding is implicit as the buffer
|
|
* holds zeros after allocation -- even the increment of i
|
|
* is irrelevant as the increment remains within length of i
|
|
*/
|
|
drbg_cpu_to_be32(i, iv);
|
|
/* 10.4.2 step 9.2 -- BCC and concatenation with temp */
|
|
drbg_ctr_bcc(aeskey, temp + templen, K, &bcc_list,
|
|
blocklen_bytes, keylen);
|
|
/* 10.4.2 step 9.3 */
|
|
i++;
|
|
templen += blocklen_bytes;
|
|
}
|
|
|
|
/* 10.4.2 step 11 */
|
|
X = temp + (keylen);
|
|
drbg_string_fill(&cipherin, X, blocklen_bytes);
|
|
|
|
/* 10.4.2 step 12: overwriting of outval is implemented in next step */
|
|
|
|
/* 10.4.2 step 13 */
|
|
aes_prepareenckey(aeskey, temp, keylen);
|
|
while (generated_len < bytes_to_return) {
|
|
short blocklen = 0;
|
|
/*
|
|
* 10.4.2 step 13.1: the truncation of the key length is
|
|
* implicit as the key is only drbg_blocklen in size based on
|
|
* the implementation of the cipher function callback
|
|
*/
|
|
drbg_kcapi_sym(aeskey, X, &cipherin, blocklen_bytes);
|
|
blocklen = (blocklen_bytes <
|
|
(bytes_to_return - generated_len)) ?
|
|
blocklen_bytes :
|
|
(bytes_to_return - generated_len);
|
|
/* 10.4.2 step 13.2 and 14 */
|
|
memcpy(df_data + generated_len, X, blocklen);
|
|
generated_len += blocklen;
|
|
}
|
|
|
|
memset(iv, 0, blocklen_bytes);
|
|
memset(temp, 0, statelen + blocklen_bytes);
|
|
memset(pad, 0, blocklen_bytes);
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(crypto_drbg_ctr_df);
|
|
|
|
MODULE_IMPORT_NS("CRYPTO_INTERNAL");
|
|
MODULE_LICENSE("GPL v2");
|
|
MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
|
|
MODULE_DESCRIPTION("Derivation Function conformant to SP800-90A");
|