Am Mittwoch, 15. Juni 2016, 15:11:58 schrieb Raveendra Padasalagi: Hi Raveendra, > From: Jeff Garzik <jeff@xxxxxxxxxx> > > This patch adds the implementation of SHA3 algorithm > in software and it's based on original implementation > pushed in patch https://lwn.net/Articles/518415/ with > additional changes to match the padding rules specified > in SHA-3 specification. > > Signed-off-by: Jeff Garzik <jgarzik@xxxxxxxxxx> > Signed-off-by: Raveendra Padasalagi <raveendra.padasalagi@xxxxxxxxxxxx> > --- > crypto/Kconfig | 10 ++ > crypto/Makefile | 1 + > crypto/sha3_generic.c | 296 > ++++++++++++++++++++++++++++++++++++++++++++++++++ include/crypto/sha3.h | > 29 +++++ > 4 files changed, 336 insertions(+) > create mode 100644 crypto/sha3_generic.c > create mode 100644 include/crypto/sha3.h > > diff --git a/crypto/Kconfig b/crypto/Kconfig > index 1d33beb..83ee8cb 100644 > --- a/crypto/Kconfig > +++ b/crypto/Kconfig > @@ -750,6 +750,16 @@ config CRYPTO_SHA512_SPARC64 > SHA-512 secure hash standard (DFIPS 180-2) implemented > using sparc64 crypto instructions, when available. > > +config CRYPTO_SHA3 > + tristate "SHA3 digest algorithm" > + select CRYPTO_HASH > + help > + SHA-3 secure hash standard (DFIPS 202). It's based on Typo DFIPS? > + cryptographic sponge function family called Keccak. > + > + References: > + http://keccak.noekeon.org/ > + > config CRYPTO_TGR192 > tristate "Tiger digest algorithms" > select CRYPTO_HASH > diff --git a/crypto/Makefile b/crypto/Makefile > index 4f4ef7e..0b82c47 100644 > --- a/crypto/Makefile > +++ b/crypto/Makefile > @@ -61,6 +61,7 @@ obj-$(CONFIG_CRYPTO_RMD320) += rmd320.o > obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o > obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o > obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o > +obj-$(CONFIG_CRYPTO_SHA3) += sha3_generic.o > obj-$(CONFIG_CRYPTO_WP512) += wp512.o > obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o > obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o > diff --git a/crypto/sha3_generic.c b/crypto/sha3_generic.c > new file mode 100644 > index 0000000..162dfc3 > --- /dev/null > +++ b/crypto/sha3_generic.c > @@ -0,0 +1,296 @@ > +/* > + * Cryptographic API. > + * > + * SHA-3, as specified in > + * http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf > + * > + * SHA-3 code by Jeff Garzik <jeff@xxxxxxxxxx> > + * > + * This program is free software; you can redistribute it and/or modify it > + * under the terms of the GNU General Public License as published by the > Free + * Software Foundation; either version 2 of the License, or (at your > option)• + * any later version. > + * > + */ > +#include <crypto/internal/hash.h> > +#include <linux/init.h> > +#include <linux/module.h> > +#include <linux/types.h> > +#include <crypto/sha3.h> > +#include <asm/byteorder.h> > + > +#define KECCAK_ROUNDS 24 > + > +#define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y)))) > + > +static const u64 keccakf_rndc[24] = { > + 0x0000000000000001, 0x0000000000008082, 0x800000000000808a, > + 0x8000000080008000, 0x000000000000808b, 0x0000000080000001, > + 0x8000000080008081, 0x8000000000008009, 0x000000000000008a, > + 0x0000000000000088, 0x0000000080008009, 0x000000008000000a, > + 0x000000008000808b, 0x800000000000008b, 0x8000000000008089, > + 0x8000000000008003, 0x8000000000008002, 0x8000000000000080, > + 0x000000000000800a, 0x800000008000000a, 0x8000000080008081, > + 0x8000000000008080, 0x0000000080000001, 0x8000000080008008 > +}; > + > +static const int keccakf_rotc[24] = { > + 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14, > + 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44 > +}; > + > +static const int keccakf_piln[24] = { > + 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4, > + 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1 > +}; > + > +/* update the state with given number of rounds */ > + > +static void keccakf(u64 st[25]) > +{ > + int i, j, round; > + u64 t, bc[5]; > + > + for (round = 0; round < KECCAK_ROUNDS; round++) { > + > + /* Theta */ > + for (i = 0; i < 5; i++) > + bc[i] = st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] > + ^ st[i + 20]; > + > + for (i = 0; i < 5; i++) { > + t = bc[(i + 4) % 5] ^ ROTL64(bc[(i + 1) % 5], 1); > + for (j = 0; j < 25; j += 5) > + st[j + i] ^= t; > + } > + > + /* Rho Pi */ > + t = st[1]; > + for (i = 0; i < 24; i++) { > + j = keccakf_piln[i]; > + bc[0] = st[j]; > + st[j] = ROTL64(t, keccakf_rotc[i]); > + t = bc[0]; > + } > + > + /* Chi */ > + for (j = 0; j < 25; j += 5) { > + for (i = 0; i < 5; i++) > + bc[i] = st[j + i]; > + for (i = 0; i < 5; i++) > + st[j + i] ^= (~bc[(i + 1) % 5]) & > + bc[(i + 2) % 5]; > + } > + > + /* Iota */ > + st[0] ^= keccakf_rndc[round]; > + } > +} > + > +static void sha3_init(struct sha3_state *sctx, unsigned int digest_sz) > +{ > + memset(sctx, 0, sizeof(*sctx)); > + sctx->md_len = digest_sz; > + sctx->rsiz = 200 - 2 * digest_sz; > + sctx->rsizw = sctx->rsiz / 8; > +} > + > +static int sha3_224_init(struct shash_desc *desc) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + > + sha3_init(sctx, SHA3_224_DIGEST_SIZE); > + return 0; > +} > + > +static int sha3_256_init(struct shash_desc *desc) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + > + sha3_init(sctx, SHA3_256_DIGEST_SIZE); > + return 0; > +} > + > +static int sha3_384_init(struct shash_desc *desc) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + > + sha3_init(sctx, SHA3_384_DIGEST_SIZE); > + return 0; > +} > + > +static int sha3_512_init(struct shash_desc *desc) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + > + sha3_init(sctx, SHA3_512_DIGEST_SIZE); > + return 0; > +} > + > +static int sha3_update(struct shash_desc *desc, const u8 *data, > + unsigned int len) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + unsigned int done; > + const u8 *src; > + > + done = 0; > + src = data; > + > + if ((sctx->partial + len) > (sctx->rsiz - 1)) { > + if (sctx->partial) { > + done = -sctx->partial; > + memcpy(sctx->buf + sctx->partial, data, > + done + sctx->rsiz); > + src = sctx->buf; > + } > + > + do { > + unsigned int i; > + > + for (i = 0; i < sctx->rsizw; i++) > + sctx->st[i] ^= ((u64 *) src)[i]; > + keccakf(sctx->st); > + > + done += sctx->rsiz; > + src = data + done; > + } while (done + (sctx->rsiz - 1) < len); > + > + sctx->partial = 0; > + } > + memcpy(sctx->buf + sctx->partial, src, len - done); > + sctx->partial += (len - done); > + > + return 0; > +} > + > +static int sha3_final(struct shash_desc *desc, u8 *out) > +{ > + struct sha3_state *sctx = shash_desc_ctx(desc); > + unsigned int i, inlen = sctx->partial; > + > + sctx->buf[inlen++] = 0x06; > + memset(sctx->buf + inlen, 0, sctx->rsiz - inlen); > + sctx->buf[sctx->rsiz - 1] |= 0x80; > + > + for (i = 0; i < sctx->rsizw; i++) > + sctx->st[i] ^= ((u64 *) sctx->buf)[i]; > + > + keccakf(sctx->st); > + > + for (i = 0; i < sctx->rsizw; i++) > + sctx->st[i] = cpu_to_le64(sctx->st[i]); > + > + memcpy(out, sctx->st, sctx->md_len); > + > + memset(sctx, 0, sizeof(*sctx)); > + return 0; > +} > + > +static struct shash_alg sha3_224 = { > + .digestsize = SHA3_224_DIGEST_SIZE, > + .init = sha3_224_init, > + .update = sha3_update, > + .final = sha3_final, > + .descsize = sizeof(struct sha3_state), > + .base = { > + .cra_name = "sha3-224", > + .cra_driver_name = "sha3-224-generic", > + .cra_flags = CRYPTO_ALG_TYPE_SHASH, > + .cra_blocksize = SHA3_224_BLOCK_SIZE, > + .cra_module = THIS_MODULE, > + } > +}; > + > +static struct shash_alg sha3_256 = { > + .digestsize = SHA3_256_DIGEST_SIZE, > + .init = sha3_256_init, > + .update = sha3_update, > + .final = sha3_final, > + .descsize = sizeof(struct sha3_state), > + .base = { > + .cra_name = "sha3-256", > + .cra_driver_name = "sha3-256-generic", > + .cra_flags = CRYPTO_ALG_TYPE_SHASH, > + .cra_blocksize = SHA3_256_BLOCK_SIZE, > + .cra_module = THIS_MODULE, > + } > +}; > + > +static struct shash_alg sha3_384 = { > + .digestsize = SHA3_384_DIGEST_SIZE, > + .init = sha3_384_init, > + .update = sha3_update, > + .final = sha3_final, > + .descsize = sizeof(struct sha3_state), > + .base = { > + .cra_name = "sha3-384", > + .cra_driver_name = "sha3-384-generic", > + .cra_flags = CRYPTO_ALG_TYPE_SHASH, > + .cra_blocksize = SHA3_384_BLOCK_SIZE, > + .cra_module = THIS_MODULE, > + } > +}; > + > +static struct shash_alg sha3_512 = { > + .digestsize = SHA3_512_DIGEST_SIZE, > + .init = sha3_512_init, > + .update = sha3_update, > + .final = sha3_final, > + .descsize = sizeof(struct sha3_state), > + .base = { > + .cra_name = "sha3-512", > + .cra_driver_name = "sha3-512-generic", > + .cra_flags = CRYPTO_ALG_TYPE_SHASH, > + .cra_blocksize = SHA3_512_BLOCK_SIZE, > + .cra_module = THIS_MODULE, > + } > +}; Shouldn't there be a priority here? > + > +static int __init sha3_generic_mod_init(void) > +{ > + int ret; > + > + ret = crypto_register_shash(&sha3_224); > + if (ret < 0) > + goto err_out; > + ret = crypto_register_shash(&sha3_256); > + if (ret < 0) > + goto err_out_224; > + ret = crypto_register_shash(&sha3_384); > + if (ret < 0) > + goto err_out_256; > + ret = crypto_register_shash(&sha3_512); > + if (ret < 0) > + goto err_out_384; > + > + return 0; > + > +err_out_384: > + crypto_unregister_shash(&sha3_384); > +err_out_256: > + crypto_unregister_shash(&sha3_256); > +err_out_224: > + crypto_unregister_shash(&sha3_224); > +err_out: > + return ret; > +} > + > +static void __exit sha3_generic_mod_fini(void) > +{ > + crypto_unregister_shash(&sha3_224); > + crypto_unregister_shash(&sha3_256); > + crypto_unregister_shash(&sha3_384); > + crypto_unregister_shash(&sha3_512); > +} > + > +module_init(sha3_generic_mod_init); > +module_exit(sha3_generic_mod_fini); > + > +MODULE_LICENSE("GPL"); > +MODULE_DESCRIPTION("SHA-3 Secure Hash Algorithm"); > + > +MODULE_ALIAS("sha3-224"); > +MODULE_ALIAS("sha3-256"); > +MODULE_ALIAS("sha3-384"); > +MODULE_ALIAS("sha3-512"); MODULE_ALIAS_CRYPTO? What about the aliases for cra_driver_name? > diff --git a/include/crypto/sha3.h b/include/crypto/sha3.h > new file mode 100644 > index 0000000..f4c9f68 > --- /dev/null > +++ b/include/crypto/sha3.h > @@ -0,0 +1,29 @@ > +/* > + * Common values for SHA-3 algorithms > + */ > +#ifndef __CRYPTO_SHA3_H__ > +#define __CRYPTO_SHA3_H__ > + > +#define SHA3_224_DIGEST_SIZE (224 / 8) > +#define SHA3_224_BLOCK_SIZE (200 - 2 * SHA3_224_DIGEST_SIZE) > + > +#define SHA3_256_DIGEST_SIZE (256 / 8) > +#define SHA3_256_BLOCK_SIZE (200 - 2 * SHA3_256_DIGEST_SIZE) > + > +#define SHA3_384_DIGEST_SIZE (384 / 8) > +#define SHA3_384_BLOCK_SIZE (200 - 2 * SHA3_384_DIGEST_SIZE) > + > +#define SHA3_512_DIGEST_SIZE (512 / 8) > +#define SHA3_512_BLOCK_SIZE (200 - 2 * SHA3_512_DIGEST_SIZE) > + > +struct sha3_state { > + u64 st[25]; > + unsigned int md_len; > + unsigned int rsiz; > + unsigned int rsizw; > + > + unsigned int partial; > + u8 buf[SHA3_224_BLOCK_SIZE]; > +}; > + > +#endif Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html