diff options
author | Salvatore Benedetto <salvatore.benedetto@intel.com> | 2016-06-22 12:49:15 -0400 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2016-06-23 06:29:57 -0400 |
commit | 3c4b23901a0c766879dff680cd6bdab47bcdbbd2 (patch) | |
tree | 3bcc903dce759f69193f4b9fa638f1383d7323d3 | |
parent | 802c7f1c84e4b5a6ac78635878041023fc5831b1 (diff) |
crypto: ecdh - Add ECDH software support
* Implement ECDH under kpp API
* Provide ECC software support for curve P-192 and
P-256.
* Add kpp test for ECDH with data generated by OpenSSL
Signed-off-by: Salvatore Benedetto <salvatore.benedetto@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r-- | crypto/Kconfig | 5 | ||||
-rw-r--r-- | crypto/Makefile | 4 | ||||
-rw-r--r-- | crypto/ecc.c | 1018 | ||||
-rw-r--r-- | crypto/ecc.h | 83 | ||||
-rw-r--r-- | crypto/ecc_curve_defs.h | 57 | ||||
-rw-r--r-- | crypto/ecdh.c | 151 | ||||
-rw-r--r-- | crypto/ecdh_helper.c | 86 | ||||
-rw-r--r-- | crypto/testmgr.c | 10 | ||||
-rw-r--r-- | crypto/testmgr.h | 93 | ||||
-rw-r--r-- | include/crypto/ecdh.h | 30 | ||||
-rw-r--r-- | include/crypto/kpp.h | 1 |
11 files changed, 1538 insertions, 0 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig index 162d2f9aa242..5baaa9d87574 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig | |||
@@ -118,6 +118,11 @@ config CRYPTO_DH | |||
118 | help | 118 | help |
119 | Generic implementation of the Diffie-Hellman algorithm. | 119 | Generic implementation of the Diffie-Hellman algorithm. |
120 | 120 | ||
121 | config CRYPTO_ECDH | ||
122 | tristate "ECDH algorithm" | ||
123 | select CRYTPO_KPP | ||
124 | help | ||
125 | Generic implementation of the ECDH algorithm | ||
121 | 126 | ||
122 | config CRYPTO_MANAGER | 127 | config CRYPTO_MANAGER |
123 | tristate "Cryptographic algorithm manager" | 128 | tristate "Cryptographic algorithm manager" |
diff --git a/crypto/Makefile b/crypto/Makefile index 82897208e8e0..df1bcfb090d2 100644 --- a/crypto/Makefile +++ b/crypto/Makefile | |||
@@ -35,6 +35,10 @@ obj-$(CONFIG_CRYPTO_KPP2) += kpp.o | |||
35 | dh_generic-y := dh.o | 35 | dh_generic-y := dh.o |
36 | dh_generic-y += dh_helper.o | 36 | dh_generic-y += dh_helper.o |
37 | obj-$(CONFIG_CRYPTO_DH) += dh_generic.o | 37 | obj-$(CONFIG_CRYPTO_DH) += dh_generic.o |
38 | ecdh_generic-y := ecc.o | ||
39 | ecdh_generic-y += ecdh.o | ||
40 | ecdh_generic-y += ecdh_helper.o | ||
41 | obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o | ||
38 | 42 | ||
39 | $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h | 43 | $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h |
40 | $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h | 44 | $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h |
diff --git a/crypto/ecc.c b/crypto/ecc.c new file mode 100644 index 000000000000..9aedec6bbe72 --- /dev/null +++ b/crypto/ecc.c | |||
@@ -0,0 +1,1018 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2013, Kenneth MacKay | ||
3 | * All rights reserved. | ||
4 | * | ||
5 | * Redistribution and use in source and binary forms, with or without | ||
6 | * modification, are permitted provided that the following conditions are | ||
7 | * met: | ||
8 | * * Redistributions of source code must retain the above copyright | ||
9 | * notice, this list of conditions and the following disclaimer. | ||
10 | * * Redistributions in binary form must reproduce the above copyright | ||
11 | * notice, this list of conditions and the following disclaimer in the | ||
12 | * documentation and/or other materials provided with the distribution. | ||
13 | * | ||
14 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
15 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
16 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | ||
17 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | ||
18 | * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
19 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | ||
20 | * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
21 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
22 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | ||
24 | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
25 | */ | ||
26 | |||
27 | #include <linux/random.h> | ||
28 | #include <linux/slab.h> | ||
29 | #include <linux/swab.h> | ||
30 | #include <linux/fips.h> | ||
31 | #include <crypto/ecdh.h> | ||
32 | |||
33 | #include "ecc.h" | ||
34 | #include "ecc_curve_defs.h" | ||
35 | |||
36 | typedef struct { | ||
37 | u64 m_low; | ||
38 | u64 m_high; | ||
39 | } uint128_t; | ||
40 | |||
41 | static inline const struct ecc_curve *ecc_get_curve(unsigned int curve_id) | ||
42 | { | ||
43 | switch (curve_id) { | ||
44 | /* In FIPS mode only allow P256 and higher */ | ||
45 | case ECC_CURVE_NIST_P192: | ||
46 | return fips_enabled ? NULL : &nist_p192; | ||
47 | case ECC_CURVE_NIST_P256: | ||
48 | return &nist_p256; | ||
49 | default: | ||
50 | return NULL; | ||
51 | } | ||
52 | } | ||
53 | |||
54 | static u64 *ecc_alloc_digits_space(unsigned int ndigits) | ||
55 | { | ||
56 | size_t len = ndigits * sizeof(u64); | ||
57 | |||
58 | if (!len) | ||
59 | return NULL; | ||
60 | |||
61 | return kmalloc(len, GFP_KERNEL); | ||
62 | } | ||
63 | |||
64 | static void ecc_free_digits_space(u64 *space) | ||
65 | { | ||
66 | kzfree(space); | ||
67 | } | ||
68 | |||
69 | static struct ecc_point *ecc_alloc_point(unsigned int ndigits) | ||
70 | { | ||
71 | struct ecc_point *p = kmalloc(sizeof(*p), GFP_KERNEL); | ||
72 | |||
73 | if (!p) | ||
74 | return NULL; | ||
75 | |||
76 | p->x = ecc_alloc_digits_space(ndigits); | ||
77 | if (!p->x) | ||
78 | goto err_alloc_x; | ||
79 | |||
80 | p->y = ecc_alloc_digits_space(ndigits); | ||
81 | if (!p->y) | ||
82 | goto err_alloc_y; | ||
83 | |||
84 | p->ndigits = ndigits; | ||
85 | |||
86 | return p; | ||
87 | |||
88 | err_alloc_y: | ||
89 | ecc_free_digits_space(p->x); | ||
90 | err_alloc_x: | ||
91 | kfree(p); | ||
92 | return NULL; | ||
93 | } | ||
94 | |||
95 | static void ecc_free_point(struct ecc_point *p) | ||
96 | { | ||
97 | if (!p) | ||
98 | return; | ||
99 | |||
100 | kzfree(p->x); | ||
101 | kzfree(p->y); | ||
102 | kzfree(p); | ||
103 | } | ||
104 | |||
105 | static void vli_clear(u64 *vli, unsigned int ndigits) | ||
106 | { | ||
107 | int i; | ||
108 | |||
109 | for (i = 0; i < ndigits; i++) | ||
110 | vli[i] = 0; | ||
111 | } | ||
112 | |||
113 | /* Returns true if vli == 0, false otherwise. */ | ||
114 | static bool vli_is_zero(const u64 *vli, unsigned int ndigits) | ||
115 | { | ||
116 | int i; | ||
117 | |||
118 | for (i = 0; i < ndigits; i++) { | ||
119 | if (vli[i]) | ||
120 | return false; | ||
121 | } | ||
122 | |||
123 | return true; | ||
124 | } | ||
125 | |||
126 | /* Returns nonzero if bit bit of vli is set. */ | ||
127 | static u64 vli_test_bit(const u64 *vli, unsigned int bit) | ||
128 | { | ||
129 | return (vli[bit / 64] & ((u64)1 << (bit % 64))); | ||
130 | } | ||
131 | |||
132 | /* Counts the number of 64-bit "digits" in vli. */ | ||
133 | static unsigned int vli_num_digits(const u64 *vli, unsigned int ndigits) | ||
134 | { | ||
135 | int i; | ||
136 | |||
137 | /* Search from the end until we find a non-zero digit. | ||
138 | * We do it in reverse because we expect that most digits will | ||
139 | * be nonzero. | ||
140 | */ | ||
141 | for (i = ndigits - 1; i >= 0 && vli[i] == 0; i--); | ||
142 | |||
143 | return (i + 1); | ||
144 | } | ||
145 | |||
146 | /* Counts the number of bits required for vli. */ | ||
147 | static unsigned int vli_num_bits(const u64 *vli, unsigned int ndigits) | ||
148 | { | ||
149 | unsigned int i, num_digits; | ||
150 | u64 digit; | ||
151 | |||
152 | num_digits = vli_num_digits(vli, ndigits); | ||
153 | if (num_digits == 0) | ||
154 | return 0; | ||
155 | |||
156 | digit = vli[num_digits - 1]; | ||
157 | for (i = 0; digit; i++) | ||
158 | digit >>= 1; | ||
159 | |||
160 | return ((num_digits - 1) * 64 + i); | ||
161 | } | ||
162 | |||
163 | /* Sets dest = src. */ | ||
164 | static void vli_set(u64 *dest, const u64 *src, unsigned int ndigits) | ||
165 | { | ||
166 | int i; | ||
167 | |||
168 | for (i = 0; i < ndigits; i++) | ||
169 | dest[i] = src[i]; | ||
170 | } | ||
171 | |||
172 | /* Returns sign of left - right. */ | ||
173 | static int vli_cmp(const u64 *left, const u64 *right, unsigned int ndigits) | ||
174 | { | ||
175 | int i; | ||
176 | |||
177 | for (i = ndigits - 1; i >= 0; i--) { | ||
178 | if (left[i] > right[i]) | ||
179 | return 1; | ||
180 | else if (left[i] < right[i]) | ||
181 | return -1; | ||
182 | } | ||
183 | |||
184 | return 0; | ||
185 | } | ||
186 | |||
187 | /* Computes result = in << c, returning carry. Can modify in place | ||
188 | * (if result == in). 0 < shift < 64. | ||
189 | */ | ||
190 | static u64 vli_lshift(u64 *result, const u64 *in, unsigned int shift, | ||
191 | unsigned int ndigits) | ||
192 | { | ||
193 | u64 carry = 0; | ||
194 | int i; | ||
195 | |||
196 | for (i = 0; i < ndigits; i++) { | ||
197 | u64 temp = in[i]; | ||
198 | |||
199 | result[i] = (temp << shift) | carry; | ||
200 | carry = temp >> (64 - shift); | ||
201 | } | ||
202 | |||
203 | return carry; | ||
204 | } | ||
205 | |||
206 | /* Computes vli = vli >> 1. */ | ||
207 | static void vli_rshift1(u64 *vli, unsigned int ndigits) | ||
208 | { | ||
209 | u64 *end = vli; | ||
210 | u64 carry = 0; | ||
211 | |||
212 | vli += ndigits; | ||
213 | |||
214 | while (vli-- > end) { | ||
215 | u64 temp = *vli; | ||
216 | *vli = (temp >> 1) | carry; | ||
217 | carry = temp << 63; | ||
218 | } | ||
219 | } | ||
220 | |||
221 | /* Computes result = left + right, returning carry. Can modify in place. */ | ||
222 | static u64 vli_add(u64 *result, const u64 *left, const u64 *right, | ||
223 | unsigned int ndigits) | ||
224 | { | ||
225 | u64 carry = 0; | ||
226 | int i; | ||
227 | |||
228 | for (i = 0; i < ndigits; i++) { | ||
229 | u64 sum; | ||
230 | |||
231 | sum = left[i] + right[i] + carry; | ||
232 | if (sum != left[i]) | ||
233 | carry = (sum < left[i]); | ||
234 | |||
235 | result[i] = sum; | ||
236 | } | ||
237 | |||
238 | return carry; | ||
239 | } | ||
240 | |||
241 | /* Computes result = left - right, returning borrow. Can modify in place. */ | ||
242 | static u64 vli_sub(u64 *result, const u64 *left, const u64 *right, | ||
243 | unsigned int ndigits) | ||
244 | { | ||
245 | u64 borrow = 0; | ||
246 | int i; | ||
247 | |||
248 | for (i = 0; i < ndigits; i++) { | ||
249 | u64 diff; | ||
250 | |||
251 | diff = left[i] - right[i] - borrow; | ||
252 | if (diff != left[i]) | ||
253 | borrow = (diff > left[i]); | ||
254 | |||
255 | result[i] = diff; | ||
256 | } | ||
257 | |||
258 | return borrow; | ||
259 | } | ||
260 | |||
261 | static uint128_t mul_64_64(u64 left, u64 right) | ||
262 | { | ||
263 | u64 a0 = left & 0xffffffffull; | ||
264 | u64 a1 = left >> 32; | ||
265 | u64 b0 = right & 0xffffffffull; | ||
266 | u64 b1 = right >> 32; | ||
267 | u64 m0 = a0 * b0; | ||
268 | u64 m1 = a0 * b1; | ||
269 | u64 m2 = a1 * b0; | ||
270 | u64 m3 = a1 * b1; | ||
271 | uint128_t result; | ||
272 | |||
273 | m2 += (m0 >> 32); | ||
274 | m2 += m1; | ||
275 | |||
276 | /* Overflow */ | ||
277 | if (m2 < m1) | ||
278 | m3 += 0x100000000ull; | ||
279 | |||
280 | result.m_low = (m0 & 0xffffffffull) | (m2 << 32); | ||
281 | result.m_high = m3 + (m2 >> 32); | ||
282 | |||
283 | return result; | ||
284 | } | ||
285 | |||
286 | static uint128_t add_128_128(uint128_t a, uint128_t b) | ||
287 | { | ||
288 | uint128_t result; | ||
289 | |||
290 | result.m_low = a.m_low + b.m_low; | ||
291 | result.m_high = a.m_high + b.m_high + (result.m_low < a.m_low); | ||
292 | |||
293 | return result; | ||
294 | } | ||
295 | |||
296 | static void vli_mult(u64 *result, const u64 *left, const u64 *right, | ||
297 | unsigned int ndigits) | ||
298 | { | ||
299 | uint128_t r01 = { 0, 0 }; | ||
300 | u64 r2 = 0; | ||
301 | unsigned int i, k; | ||
302 | |||
303 | /* Compute each digit of result in sequence, maintaining the | ||
304 | * carries. | ||
305 | */ | ||
306 | for (k = 0; k < ndigits * 2 - 1; k++) { | ||
307 | unsigned int min; | ||
308 | |||
309 | if (k < ndigits) | ||
310 | min = 0; | ||
311 | else | ||
312 | min = (k + 1) - ndigits; | ||
313 | |||
314 | for (i = min; i <= k && i < ndigits; i++) { | ||
315 | uint128_t product; | ||
316 | |||
317 | product = mul_64_64(left[i], right[k - i]); | ||
318 | |||
319 | r01 = add_128_128(r01, product); | ||
320 | r2 += (r01.m_high < product.m_high); | ||
321 | } | ||
322 | |||
323 | result[k] = r01.m_low; | ||
324 | r01.m_low = r01.m_high; | ||
325 | r01.m_high = r2; | ||
326 | r2 = 0; | ||
327 | } | ||
328 | |||
329 | result[ndigits * 2 - 1] = r01.m_low; | ||
330 | } | ||
331 | |||
332 | static void vli_square(u64 *result, const u64 *left, unsigned int ndigits) | ||
333 | { | ||
334 | uint128_t r01 = { 0, 0 }; | ||
335 | u64 r2 = 0; | ||
336 | int i, k; | ||
337 | |||
338 | for (k = 0; k < ndigits * 2 - 1; k++) { | ||
339 | unsigned int min; | ||
340 | |||
341 | if (k < ndigits) | ||
342 | min = 0; | ||
343 | else | ||
344 | min = (k + 1) - ndigits; | ||
345 | |||
346 | for (i = min; i <= k && i <= k - i; i++) { | ||
347 | uint128_t product; | ||
348 | |||
349 | product = mul_64_64(left[i], left[k - i]); | ||
350 | |||
351 | if (i < k - i) { | ||
352 | r2 += product.m_high >> 63; | ||
353 | product.m_high = (product.m_high << 1) | | ||
354 | (product.m_low >> 63); | ||
355 | product.m_low <<= 1; | ||
356 | } | ||
357 | |||
358 | r01 = add_128_128(r01, product); | ||
359 | r2 += (r01.m_high < product.m_high); | ||
360 | } | ||
361 | |||
362 | result[k] = r01.m_low; | ||
363 | r01.m_low = r01.m_high; | ||
364 | r01.m_high = r2; | ||
365 | r2 = 0; | ||
366 | } | ||
367 | |||
368 | result[ndigits * 2 - 1] = r01.m_low; | ||
369 | } | ||
370 | |||
371 | /* Computes result = (left + right) % mod. | ||
372 | * Assumes that left < mod and right < mod, result != mod. | ||
373 | */ | ||
374 | static void vli_mod_add(u64 *result, const u64 *left, const u64 *right, | ||
375 | const u64 *mod, unsigned int ndigits) | ||
376 | { | ||
377 | u64 carry; | ||
378 | |||
379 | carry = vli_add(result, left, right, ndigits); | ||
380 | |||
381 | /* result > mod (result = mod + remainder), so subtract mod to | ||
382 | * get remainder. | ||
383 | */ | ||
384 | if (carry || vli_cmp(result, mod, ndigits) >= 0) | ||
385 | vli_sub(result, result, mod, ndigits); | ||
386 | } | ||
387 | |||
388 | /* Computes result = (left - right) % mod. | ||
389 | * Assumes that left < mod and right < mod, result != mod. | ||
390 | */ | ||
391 | static void vli_mod_sub(u64 *result, const u64 *left, const u64 *right, | ||
392 | const u64 *mod, unsigned int ndigits) | ||
393 | { | ||
394 | u64 borrow = vli_sub(result, left, right, ndigits); | ||
395 | |||
396 | /* In this case, p_result == -diff == (max int) - diff. | ||
397 | * Since -x % d == d - x, we can get the correct result from | ||
398 | * result + mod (with overflow). | ||
399 | */ | ||
400 | if (borrow) | ||
401 | vli_add(result, result, mod, ndigits); | ||
402 | } | ||
403 | |||
404 | /* Computes p_result = p_product % curve_p. | ||
405 | * See algorithm 5 and 6 from | ||
406 | * http://www.isys.uni-klu.ac.at/PDF/2001-0126-MT.pdf | ||
407 | */ | ||
408 | static void vli_mmod_fast_192(u64 *result, const u64 *product, | ||
409 | const u64 *curve_prime, u64 *tmp) | ||
410 | { | ||
411 | const unsigned int ndigits = 3; | ||
412 | int carry; | ||
413 | |||
414 | vli_set(result, product, ndigits); | ||
415 | |||
416 | vli_set(tmp, &product[3], ndigits); | ||
417 | carry = vli_add(result, result, tmp, ndigits); | ||
418 | |||
419 | tmp[0] = 0; | ||
420 | tmp[1] = product[3]; | ||
421 | tmp[2] = product[4]; | ||
422 | carry += vli_add(result, result, tmp, ndigits); | ||
423 | |||
424 | tmp[0] = tmp[1] = product[5]; | ||
425 | tmp[2] = 0; | ||
426 | carry += vli_add(result, result, tmp, ndigits); | ||
427 | |||
428 | while (carry || vli_cmp(curve_prime, result, ndigits) != 1) | ||
429 | carry -= vli_sub(result, result, curve_prime, ndigits); | ||
430 | } | ||
431 | |||
432 | /* Computes result = product % curve_prime | ||
433 | * from http://www.nsa.gov/ia/_files/nist-routines.pdf | ||
434 | */ | ||
435 | static void vli_mmod_fast_256(u64 *result, const u64 *product, | ||
436 | const u64 *curve_prime, u64 *tmp) | ||
437 | { | ||
438 | int carry; | ||
439 | const unsigned int ndigits = 4; | ||
440 | |||
441 | /* t */ | ||
442 | vli_set(result, product, ndigits); | ||
443 | |||
444 | /* s1 */ | ||
445 | tmp[0] = 0; | ||
446 | tmp[1] = product[5] & 0xffffffff00000000ull; | ||
447 | tmp[2] = product[6]; | ||
448 | tmp[3] = product[7]; | ||
449 | carry = vli_lshift(tmp, tmp, 1, ndigits); | ||
450 | carry += vli_add(result, result, tmp, ndigits); | ||
451 | |||
452 | /* s2 */ | ||
453 | tmp[1] = product[6] << 32; | ||
454 | tmp[2] = (product[6] >> 32) | (product[7] << 32); | ||
455 | tmp[3] = product[7] >> 32; | ||
456 | carry += vli_lshift(tmp, tmp, 1, ndigits); | ||
457 | carry += vli_add(result, result, tmp, ndigits); | ||
458 | |||
459 | /* s3 */ | ||
460 | tmp[0] = product[4]; | ||
461 | tmp[1] = product[5] & 0xffffffff; | ||
462 | tmp[2] = 0; | ||
463 | tmp[3] = product[7]; | ||
464 | carry += vli_add(result, result, tmp, ndigits); | ||
465 | |||
466 | /* s4 */ | ||
467 | tmp[0] = (product[4] >> 32) | (product[5] << 32); | ||
468 | tmp[1] = (product[5] >> 32) | (product[6] & 0xffffffff00000000ull); | ||
469 | tmp[2] = product[7]; | ||
470 | tmp[3] = (product[6] >> 32) | (product[4] << 32); | ||
471 | carry += vli_add(result, result, tmp, ndigits); | ||
472 | |||
473 | /* d1 */ | ||
474 | tmp[0] = (product[5] >> 32) | (product[6] << 32); | ||
475 | tmp[1] = (product[6] >> 32); | ||
476 | tmp[2] = 0; | ||
477 | tmp[3] = (product[4] & 0xffffffff) | (product[5] << 32); | ||
478 | carry -= vli_sub(result, result, tmp, ndigits); | ||
479 | |||
480 | /* d2 */ | ||
481 | tmp[0] = product[6]; | ||
482 | tmp[1] = product[7]; | ||
483 | tmp[2] = 0; | ||
484 | tmp[3] = (product[4] >> 32) | (product[5] & 0xffffffff00000000ull); | ||
485 | carry -= vli_sub(result, result, tmp, ndigits); | ||
486 | |||
487 | /* d3 */ | ||
488 | tmp[0] = (product[6] >> 32) | (product[7] << 32); | ||
489 | tmp[1] = (product[7] >> 32) | (product[4] << 32); | ||
490 | tmp[2] = (product[4] >> 32) | (product[5] << 32); | ||
491 | tmp[3] = (product[6] << 32); | ||
492 | carry -= vli_sub(result, result, tmp, ndigits); | ||
493 | |||
494 | /* d4 */ | ||
495 | tmp[0] = product[7]; | ||
496 | tmp[1] = product[4] & 0xffffffff00000000ull; | ||
497 | tmp[2] = product[5]; | ||
498 | tmp[3] = product[6] & 0xffffffff00000000ull; | ||
499 | carry -= vli_sub(result, result, tmp, ndigits); | ||
500 | |||
501 | if (carry < 0) { | ||
502 | do { | ||
503 | carry += vli_add(result, result, curve_prime, ndigits); | ||
504 | } while (carry < 0); | ||
505 | } else { | ||
506 | while (carry || vli_cmp(curve_prime, result, ndigits) != 1) | ||
507 | carry -= vli_sub(result, result, curve_prime, ndigits); | ||
508 | } | ||
509 | } | ||
510 | |||
511 | /* Computes result = product % curve_prime | ||
512 | * from http://www.nsa.gov/ia/_files/nist-routines.pdf | ||
513 | */ | ||
514 | static bool vli_mmod_fast(u64 *result, u64 *product, | ||
515 | const u64 *curve_prime, unsigned int ndigits) | ||
516 | { | ||
517 | u64 tmp[2 * ndigits]; | ||
518 | |||
519 | switch (ndigits) { | ||
520 | case 3: | ||
521 | vli_mmod_fast_192(result, product, curve_prime, tmp); | ||
522 | break; | ||
523 | case 4: | ||
524 | vli_mmod_fast_256(result, product, curve_prime, tmp); | ||
525 | break; | ||
526 | default: | ||
527 | pr_err("unsupports digits size!\n"); | ||
528 | return false; | ||
529 | } | ||
530 | |||
531 | return true; | ||
532 | } | ||
533 | |||
534 | /* Computes result = (left * right) % curve_prime. */ | ||
535 | static void vli_mod_mult_fast(u64 *result, const u64 *left, const u64 *right, | ||
536 | const u64 *curve_prime, unsigned int ndigits) | ||
537 | { | ||
538 | u64 product[2 * ndigits]; | ||
539 | |||
540 | vli_mult(product, left, right, ndigits); | ||
541 | vli_mmod_fast(result, product, curve_prime, ndigits); | ||
542 | } | ||
543 | |||
544 | /* Computes result = left^2 % curve_prime. */ | ||
545 | static void vli_mod_square_fast(u64 *result, const u64 *left, | ||
546 | const u64 *curve_prime, unsigned int ndigits) | ||
547 | { | ||
548 | u64 product[2 * ndigits]; | ||
549 | |||
550 | vli_square(product, left, ndigits); | ||
551 | vli_mmod_fast(result, product, curve_prime, ndigits); | ||
552 | } | ||
553 | |||
554 | #define EVEN(vli) (!(vli[0] & 1)) | ||
555 | /* Computes result = (1 / p_input) % mod. All VLIs are the same size. | ||
556 | * See "From Euclid's GCD to Montgomery Multiplication to the Great Divide" | ||
557 | * https://labs.oracle.com/techrep/2001/smli_tr-2001-95.pdf | ||
558 | */ | ||
559 | static void vli_mod_inv(u64 *result, const u64 *input, const u64 *mod, | ||
560 | unsigned int ndigits) | ||
561 | { | ||
562 | u64 a[ndigits], b[ndigits]; | ||
563 | u64 u[ndigits], v[ndigits]; | ||
564 | u64 carry; | ||
565 | int cmp_result; | ||
566 | |||
567 | if (vli_is_zero(input, ndigits)) { | ||
568 | vli_clear(result, ndigits); | ||
569 | return; | ||
570 | } | ||
571 | |||
572 | vli_set(a, input, ndigits); | ||
573 | vli_set(b, mod, ndigits); | ||
574 | vli_clear(u, ndigits); | ||
575 | u[0] = 1; | ||
576 | vli_clear(v, ndigits); | ||
577 | |||
578 | while ((cmp_result = vli_cmp(a, b, ndigits)) != 0) { | ||
579 | carry = 0; | ||
580 | |||
581 | if (EVEN(a)) { | ||
582 | vli_rshift1(a, ndigits); | ||
583 | |||
584 | if (!EVEN(u)) | ||
585 | carry = vli_add(u, u, mod, ndigits); | ||
586 | |||
587 | vli_rshift1(u, ndigits); | ||
588 | if (carry) | ||
589 | u[ndigits - 1] |= 0x8000000000000000ull; | ||
590 | } else if (EVEN(b)) { | ||
591 | vli_rshift1(b, ndigits); | ||
592 | |||
593 | if (!EVEN(v)) | ||
594 | carry = vli_add(v, v, mod, ndigits); | ||
595 | |||
596 | vli_rshift1(v, ndigits); | ||
597 | if (carry) | ||
598 | v[ndigits - 1] |= 0x8000000000000000ull; | ||
599 | } else if (cmp_result > 0) { | ||
600 | vli_sub(a, a, b, ndigits); | ||
601 | vli_rshift1(a, ndigits); | ||
602 | |||
603 | if (vli_cmp(u, v, ndigits) < 0) | ||
604 | vli_add(u, u, mod, ndigits); | ||
605 | |||
606 | vli_sub(u, u, v, ndigits); | ||
607 | if (!EVEN(u)) | ||
608 | carry = vli_add(u, u, mod, ndigits); | ||
609 | |||
610 | vli_rshift1(u, ndigits); | ||
611 | if (carry) | ||
612 | u[ndigits - 1] |= 0x8000000000000000ull; | ||
613 | } else { | ||
614 | vli_sub(b, b, a, ndigits); | ||
615 | vli_rshift1(b, ndigits); | ||
616 | |||
617 | if (vli_cmp(v, u, ndigits) < 0) | ||
618 | vli_add(v, v, mod, ndigits); | ||
619 | |||
620 | vli_sub(v, v, u, ndigits); | ||
621 | if (!EVEN(v)) | ||
622 | carry = vli_add(v, v, mod, ndigits); | ||
623 | |||
624 | vli_rshift1(v, ndigits); | ||
625 | if (carry) | ||
626 | v[ndigits - 1] |= 0x8000000000000000ull; | ||
627 | } | ||
628 | } | ||
629 | |||
630 | vli_set(result, u, ndigits); | ||
631 | } | ||
632 | |||
633 | /* ------ Point operations ------ */ | ||
634 | |||
635 | /* Returns true if p_point is the point at infinity, false otherwise. */ | ||
636 | static bool ecc_point_is_zero(const struct ecc_point *point) | ||
637 | { | ||
638 | return (vli_is_zero(point->x, point->ndigits) && | ||
639 | vli_is_zero(point->y, point->ndigits)); | ||
640 | } | ||
641 | |||
642 | /* Point multiplication algorithm using Montgomery's ladder with co-Z | ||
643 | * coordinates. From http://eprint.iacr.org/2011/338.pdf | ||
644 | */ | ||
645 | |||
646 | /* Double in place */ | ||
647 | static void ecc_point_double_jacobian(u64 *x1, u64 *y1, u64 *z1, | ||
648 | u64 *curve_prime, unsigned int ndigits) | ||
649 | { | ||
650 | /* t1 = x, t2 = y, t3 = z */ | ||
651 | u64 t4[ndigits]; | ||
652 | u64 t5[ndigits]; | ||
653 | |||
654 | if (vli_is_zero(z1, ndigits)) | ||
655 | return; | ||
656 | |||
657 | /* t4 = y1^2 */ | ||
658 | vli_mod_square_fast(t4, y1, curve_prime, ndigits); | ||
659 | /* t5 = x1*y1^2 = A */ | ||
660 | vli_mod_mult_fast(t5, x1, t4, curve_prime, ndigits); | ||
661 | /* t4 = y1^4 */ | ||
662 | vli_mod_square_fast(t4, t4, curve_prime, ndigits); | ||
663 | /* t2 = y1*z1 = z3 */ | ||
664 | vli_mod_mult_fast(y1, y1, z1, curve_prime, ndigits); | ||
665 | /* t3 = z1^2 */ | ||
666 | vli_mod_square_fast(z1, z1, curve_prime, ndigits); | ||
667 | |||
668 | /* t1 = x1 + z1^2 */ | ||
669 | vli_mod_add(x1, x1, z1, curve_prime, ndigits); | ||
670 | /* t3 = 2*z1^2 */ | ||
671 | vli_mod_add(z1, z1, z1, curve_prime, ndigits); | ||
672 | /* t3 = x1 - z1^2 */ | ||
673 | vli_mod_sub(z1, x1, z1, curve_prime, ndigits); | ||
674 | /* t1 = x1^2 - z1^4 */ | ||
675 | vli_mod_mult_fast(x1, x1, z1, curve_prime, ndigits); | ||
676 | |||
677 | /* t3 = 2*(x1^2 - z1^4) */ | ||
678 | vli_mod_add(z1, x1, x1, curve_prime, ndigits); | ||
679 | /* t1 = 3*(x1^2 - z1^4) */ | ||
680 | vli_mod_add(x1, x1, z1, curve_prime, ndigits); | ||
681 | if (vli_test_bit(x1, 0)) { | ||
682 | u64 carry = vli_add(x1, x1, curve_prime, ndigits); | ||
683 | |||
684 | vli_rshift1(x1, ndigits); | ||
685 | x1[ndigits - 1] |= carry << 63; | ||
686 | } else { | ||
687 | vli_rshift1(x1, ndigits); | ||
688 | } | ||
689 | /* t1 = 3/2*(x1^2 - z1^4) = B */ | ||
690 | |||
691 | /* t3 = B^2 */ | ||
692 | vli_mod_square_fast(z1, x1, curve_prime, ndigits); | ||
693 | /* t3 = B^2 - A */ | ||
694 | vli_mod_sub(z1, z1, t5, curve_prime, ndigits); | ||
695 | /* t3 = B^2 - 2A = x3 */ | ||
696 | vli_mod_sub(z1, z1, t5, curve_prime, ndigits); | ||
697 | /* t5 = A - x3 */ | ||
698 | vli_mod_sub(t5, t5, z1, curve_prime, ndigits); | ||
699 | /* t1 = B * (A - x3) */ | ||
700 | vli_mod_mult_fast(x1, x1, t5, curve_prime, ndigits); | ||
701 | /* t4 = B * (A - x3) - y1^4 = y3 */ | ||
702 | vli_mod_sub(t4, x1, t4, curve_prime, ndigits); | ||
703 | |||
704 | vli_set(x1, z1, ndigits); | ||
705 | vli_set(z1, y1, ndigits); | ||
706 | vli_set(y1, t4, ndigits); | ||
707 | } | ||
708 | |||
709 | /* Modify (x1, y1) => (x1 * z^2, y1 * z^3) */ | ||
710 | static void apply_z(u64 *x1, u64 *y1, u64 *z, u64 *curve_prime, | ||
711 | unsigned int ndigits) | ||
712 | { | ||
713 | u64 t1[ndigits]; | ||
714 | |||
715 | vli_mod_square_fast(t1, z, curve_prime, ndigits); /* z^2 */ | ||
716 | vli_mod_mult_fast(x1, x1, t1, curve_prime, ndigits); /* x1 * z^2 */ | ||
717 | vli_mod_mult_fast(t1, t1, z, curve_prime, ndigits); /* z^3 */ | ||
718 | vli_mod_mult_fast(y1, y1, t1, curve_prime, ndigits); /* y1 * z^3 */ | ||
719 | } | ||
720 | |||
721 | /* P = (x1, y1) => 2P, (x2, y2) => P' */ | ||
722 | static void xycz_initial_double(u64 *x1, u64 *y1, u64 *x2, u64 *y2, | ||
723 | u64 *p_initial_z, u64 *curve_prime, | ||
724 | unsigned int ndigits) | ||
725 | { | ||
726 | u64 z[ndigits]; | ||
727 | |||
728 | vli_set(x2, x1, ndigits); | ||
729 | vli_set(y2, y1, ndigits); | ||
730 | |||
731 | vli_clear(z, ndigits); | ||
732 | z[0] = 1; | ||
733 | |||
734 | if (p_initial_z) | ||
735 | vli_set(z, p_initial_z, ndigits); | ||
736 | |||
737 | apply_z(x1, y1, z, curve_prime, ndigits); | ||
738 | |||
739 | ecc_point_double_jacobian(x1, y1, z, curve_prime, ndigits); | ||
740 | |||
741 | apply_z(x2, y2, z, curve_prime, ndigits); | ||
742 | } | ||
743 | |||
744 | /* Input P = (x1, y1, Z), Q = (x2, y2, Z) | ||
745 | * Output P' = (x1', y1', Z3), P + Q = (x3, y3, Z3) | ||
746 | * or P => P', Q => P + Q | ||
747 | */ | ||
748 | static void xycz_add(u64 *x1, u64 *y1, u64 *x2, u64 *y2, u64 *curve_prime, | ||
749 | unsigned int ndigits) | ||
750 | { | ||
751 | /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */ | ||
752 | u64 t5[ndigits]; | ||
753 | |||
754 | /* t5 = x2 - x1 */ | ||
755 | vli_mod_sub(t5, x2, x1, curve_prime, ndigits); | ||
756 | /* t5 = (x2 - x1)^2 = A */ | ||
757 | vli_mod_square_fast(t5, t5, curve_prime, ndigits); | ||
758 | /* t1 = x1*A = B */ | ||
759 | vli_mod_mult_fast(x1, x1, t5, curve_prime, ndigits); | ||
760 | /* t3 = x2*A = C */ | ||
761 | vli_mod_mult_fast(x2, x2, t5, curve_prime, ndigits); | ||
762 | /* t4 = y2 - y1 */ | ||
763 | vli_mod_sub(y2, y2, y1, curve_prime, ndigits); | ||
764 | /* t5 = (y2 - y1)^2 = D */ | ||
765 | vli_mod_square_fast(t5, y2, curve_prime, ndigits); | ||
766 | |||
767 | /* t5 = D - B */ | ||
768 | vli_mod_sub(t5, t5, x1, curve_prime, ndigits); | ||
769 | /* t5 = D - B - C = x3 */ | ||
770 | vli_mod_sub(t5, t5, x2, curve_prime, ndigits); | ||
771 | /* t3 = C - B */ | ||
772 | vli_mod_sub(x2, x2, x1, curve_prime, ndigits); | ||
773 | /* t2 = y1*(C - B) */ | ||
774 | vli_mod_mult_fast(y1, y1, x2, curve_prime, ndigits); | ||
775 | /* t3 = B - x3 */ | ||
776 | vli_mod_sub(x2, x1, t5, curve_prime, ndigits); | ||
777 | /* t4 = (y2 - y1)*(B - x3) */ | ||
778 | vli_mod_mult_fast(y2, y2, x2, curve_prime, ndigits); | ||
779 | /* t4 = y3 */ | ||
780 | vli_mod_sub(y2, y2, y1, curve_prime, ndigits); | ||
781 | |||
782 | vli_set(x2, t5, ndigits); | ||
783 | } | ||
784 | |||
785 | /* Input P = (x1, y1, Z), Q = (x2, y2, Z) | ||
786 | * Output P + Q = (x3, y3, Z3), P - Q = (x3', y3', Z3) | ||
787 | * or P => P - Q, Q => P + Q | ||
788 | */ | ||
789 | static void xycz_add_c(u64 *x1, u64 *y1, u64 *x2, u64 *y2, u64 *curve_prime, | ||
790 | unsigned int ndigits) | ||
791 | { | ||
792 | /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */ | ||
793 | u64 t5[ndigits]; | ||
794 | u64 t6[ndigits]; | ||
795 | u64 t7[ndigits]; | ||
796 | |||
797 | /* t5 = x2 - x1 */ | ||
798 | vli_mod_sub(t5, x2, x1, curve_prime, ndigits); | ||
799 | /* t5 = (x2 - x1)^2 = A */ | ||
800 | vli_mod_square_fast(t5, t5, curve_prime, ndigits); | ||
801 | /* t1 = x1*A = B */ | ||
802 | vli_mod_mult_fast(x1, x1, t5, curve_prime, ndigits); | ||
803 | /* t3 = x2*A = C */ | ||
804 | vli_mod_mult_fast(x2, x2, t5, curve_prime, ndigits); | ||
805 | /* t4 = y2 + y1 */ | ||
806 | vli_mod_add(t5, y2, y1, curve_prime, ndigits); | ||
807 | /* t4 = y2 - y1 */ | ||
808 | vli_mod_sub(y2, y2, y1, curve_prime, ndigits); | ||
809 | |||
810 | /* t6 = C - B */ | ||
811 | vli_mod_sub(t6, x2, x1, curve_prime, ndigits); | ||
812 | /* t2 = y1 * (C - B) */ | ||
813 | vli_mod_mult_fast(y1, y1, t6, curve_prime, ndigits); | ||
814 | /* t6 = B + C */ | ||
815 | vli_mod_add(t6, x1, x2, curve_prime, ndigits); | ||
816 | /* t3 = (y2 - y1)^2 */ | ||
817 | vli_mod_square_fast(x2, y2, curve_prime, ndigits); | ||
818 | /* t3 = x3 */ | ||
819 | vli_mod_sub(x2, x2, t6, curve_prime, ndigits); | ||
820 | |||
821 | /* t7 = B - x3 */ | ||
822 | vli_mod_sub(t7, x1, x2, curve_prime, ndigits); | ||
823 | /* t4 = (y2 - y1)*(B - x3) */ | ||
824 | vli_mod_mult_fast(y2, y2, t7, curve_prime, ndigits); | ||
825 | /* t4 = y3 */ | ||
826 | vli_mod_sub(y2, y2, y1, curve_prime, ndigits); | ||
827 | |||
828 | /* t7 = (y2 + y1)^2 = F */ | ||
829 | vli_mod_square_fast(t7, t5, curve_prime, ndigits); | ||
830 | /* t7 = x3' */ | ||
831 | vli_mod_sub(t7, t7, t6, curve_prime, ndigits); | ||
832 | /* t6 = x3' - B */ | ||
833 | vli_mod_sub(t6, t7, x1, curve_prime, ndigits); | ||
834 | /* t6 = (y2 + y1)*(x3' - B) */ | ||
835 | vli_mod_mult_fast(t6, t6, t5, curve_prime, ndigits); | ||
836 | /* t2 = y3' */ | ||
837 | vli_mod_sub(y1, t6, y1, curve_prime, ndigits); | ||
838 | |||
839 | vli_set(x1, t7, ndigits); | ||
840 | } | ||
841 | |||
842 | static void ecc_point_mult(struct ecc_point *result, | ||
843 | const struct ecc_point *point, const u64 *scalar, | ||
844 | u64 *initial_z, u64 *curve_prime, | ||
845 | unsigned int ndigits) | ||
846 | { | ||
847 | /* R0 and R1 */ | ||
848 | u64 rx[2][ndigits]; | ||
849 | u64 ry[2][ndigits]; | ||
850 | u64 z[ndigits]; | ||
851 | int i, nb; | ||
852 | int num_bits = vli_num_bits(scalar, ndigits); | ||
853 | |||
854 | vli_set(rx[1], point->x, ndigits); | ||
855 | vli_set(ry[1], point->y, ndigits); | ||
856 | |||
857 | xycz_initial_double(rx[1], ry[1], rx[0], ry[0], initial_z, curve_prime, | ||
858 | ndigits); | ||
859 | |||
860 | for (i = num_bits - 2; i > 0; i--) { | ||
861 | nb = !vli_test_bit(scalar, i); | ||
862 | xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb], curve_prime, | ||
863 | ndigits); | ||
864 | xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb], curve_prime, | ||
865 | ndigits); | ||
866 | } | ||
867 | |||
868 | nb = !vli_test_bit(scalar, 0); | ||
869 | xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb], curve_prime, | ||
870 | ndigits); | ||
871 | |||
872 | /* Find final 1/Z value. */ | ||
873 | /* X1 - X0 */ | ||
874 | vli_mod_sub(z, rx[1], rx[0], curve_prime, ndigits); | ||
875 | /* Yb * (X1 - X0) */ | ||
876 | vli_mod_mult_fast(z, z, ry[1 - nb], curve_prime, ndigits); | ||
877 | /* xP * Yb * (X1 - X0) */ | ||
878 | vli_mod_mult_fast(z, z, point->x, curve_prime, ndigits); | ||
879 | |||
880 | /* 1 / (xP * Yb * (X1 - X0)) */ | ||
881 | vli_mod_inv(z, z, curve_prime, point->ndigits); | ||
882 | |||
883 | /* yP / (xP * Yb * (X1 - X0)) */ | ||
884 | vli_mod_mult_fast(z, z, point->y, curve_prime, ndigits); | ||
885 | /* Xb * yP / (xP * Yb * (X1 - X0)) */ | ||
886 | vli_mod_mult_fast(z, z, rx[1 - nb], curve_prime, ndigits); | ||
887 | /* End 1/Z calculation */ | ||
888 | |||
889 | xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb], curve_prime, ndigits); | ||
890 | |||
891 | apply_z(rx[0], ry[0], z, curve_prime, ndigits); | ||
892 | |||
893 | vli_set(result->x, rx[0], ndigits); | ||
894 | vli_set(result->y, ry[0], ndigits); | ||
895 | } | ||
896 | |||
897 | static inline void ecc_swap_digits(const u64 *in, u64 *out, | ||
898 | unsigned int ndigits) | ||
899 | { | ||
900 | int i; | ||
901 | |||
902 | for (i = 0; i < ndigits; i++) | ||
903 | out[i] = __swab64(in[ndigits - 1 - i]); | ||
904 | } | ||
905 | |||
906 | int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits, | ||
907 | const u8 *private_key, unsigned int private_key_len) | ||
908 | { | ||
909 | int nbytes; | ||
910 | const struct ecc_curve *curve = ecc_get_curve(curve_id); | ||
911 | |||
912 | if (!private_key) | ||
913 | return -EINVAL; | ||
914 | |||
915 | nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT; | ||
916 | |||
917 | if (private_key_len != nbytes) | ||
918 | return -EINVAL; | ||
919 | |||
920 | if (vli_is_zero((const u64 *)&private_key[0], ndigits)) | ||
921 | return -EINVAL; | ||
922 | |||
923 | /* Make sure the private key is in the range [1, n-1]. */ | ||
924 | if (vli_cmp(curve->n, (const u64 *)&private_key[0], ndigits) != 1) | ||
925 | return -EINVAL; | ||
926 | |||
927 | return 0; | ||
928 | } | ||
929 | |||
930 | int ecdh_make_pub_key(unsigned int curve_id, unsigned int ndigits, | ||
931 | const u8 *private_key, unsigned int private_key_len, | ||
932 | u8 *public_key, unsigned int public_key_len) | ||
933 | { | ||
934 | int ret = 0; | ||
935 | struct ecc_point *pk; | ||
936 | u64 priv[ndigits]; | ||
937 | unsigned int nbytes; | ||
938 | const struct ecc_curve *curve = ecc_get_curve(curve_id); | ||
939 | |||
940 | if (!private_key || !curve) { | ||
941 | ret = -EINVAL; | ||
942 | goto out; | ||
943 | } | ||
944 | |||
945 | ecc_swap_digits((const u64 *)private_key, priv, ndigits); | ||
946 | |||
947 | pk = ecc_alloc_point(ndigits); | ||
948 | if (!pk) { | ||
949 | ret = -ENOMEM; | ||
950 | goto out; | ||
951 | } | ||
952 | |||
953 | ecc_point_mult(pk, &curve->g, priv, NULL, curve->p, ndigits); | ||
954 | if (ecc_point_is_zero(pk)) { | ||
955 | ret = -EAGAIN; | ||
956 | goto err_free_point; | ||
957 | } | ||
958 | |||
959 | nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT; | ||
960 | ecc_swap_digits(pk->x, (u64 *)public_key, ndigits); | ||
961 | ecc_swap_digits(pk->y, (u64 *)&public_key[nbytes], ndigits); | ||
962 | |||
963 | err_free_point: | ||
964 | ecc_free_point(pk); | ||
965 | out: | ||
966 | return ret; | ||
967 | } | ||
968 | |||
969 | int ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, | ||
970 | const u8 *private_key, unsigned int private_key_len, | ||
971 | const u8 *public_key, unsigned int public_key_len, | ||
972 | u8 *secret, unsigned int secret_len) | ||
973 | { | ||
974 | int ret = 0; | ||
975 | struct ecc_point *product, *pk; | ||
976 | u64 priv[ndigits]; | ||
977 | u64 rand_z[ndigits]; | ||
978 | unsigned int nbytes; | ||
979 | const struct ecc_curve *curve = ecc_get_curve(curve_id); | ||
980 | |||
981 | if (!private_key || !public_key || !curve) { | ||
982 | ret = -EINVAL; | ||
983 | goto out; | ||
984 | } | ||
985 | |||
986 | nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT; | ||
987 | |||
988 | get_random_bytes(rand_z, nbytes); | ||
989 | |||
990 | pk = ecc_alloc_point(ndigits); | ||
991 | if (!pk) { | ||
992 | ret = -ENOMEM; | ||
993 | goto out; | ||
994 | } | ||
995 | |||
996 | product = ecc_alloc_point(ndigits); | ||
997 | if (!product) { | ||
998 | ret = -ENOMEM; | ||
999 | goto err_alloc_product; | ||
1000 | } | ||
1001 | |||
1002 | ecc_swap_digits((const u64 *)public_key, pk->x, ndigits); | ||
1003 | ecc_swap_digits((const u64 *)&public_key[nbytes], pk->y, ndigits); | ||
1004 | ecc_swap_digits((const u64 *)private_key, priv, ndigits); | ||
1005 | |||
1006 | ecc_point_mult(product, pk, priv, rand_z, curve->p, ndigits); | ||
1007 | |||
1008 | ecc_swap_digits(product->x, (u64 *)secret, ndigits); | ||
1009 | |||
1010 | if (ecc_point_is_zero(product)) | ||
1011 | ret = -EFAULT; | ||
1012 | |||
1013 | ecc_free_point(product); | ||
1014 | err_alloc_product: | ||
1015 | ecc_free_point(pk); | ||
1016 | out: | ||
1017 | return ret; | ||
1018 | } | ||
diff --git a/crypto/ecc.h b/crypto/ecc.h new file mode 100644 index 000000000000..b5db4b989f3c --- /dev/null +++ b/crypto/ecc.h | |||
@@ -0,0 +1,83 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2013, Kenneth MacKay | ||
3 | * All rights reserved. | ||
4 | * | ||
5 | * Redistribution and use in source and binary forms, with or without | ||
6 | * modification, are permitted provided that the following conditions are | ||
7 | * met: | ||
8 | * * Redistributions of source code must retain the above copyright | ||
9 | * notice, this list of conditions and the following disclaimer. | ||
10 | * * Redistributions in binary form must reproduce the above copyright | ||
11 | * notice, this list of conditions and the following disclaimer in the | ||
12 | * documentation and/or other materials provided with the distribution. | ||
13 | * | ||
14 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
15 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
16 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | ||
17 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | ||
18 | * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
19 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | ||
20 | * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
21 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
22 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | ||
24 | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
25 | */ | ||
26 | #ifndef _CRYPTO_ECC_H | ||
27 | #define _CRYPTO_ECC_H | ||
28 | |||
29 | #define ECC_MAX_DIGITS 4 /* 256 */ | ||
30 | |||
31 | #define ECC_DIGITS_TO_BYTES_SHIFT 3 | ||
32 | |||
33 | /** | ||
34 | * ecc_is_key_valid() - Validate a given ECDH private key | ||
35 | * | ||
36 | * @curve_id: id representing the curve to use | ||
37 | * @ndigits: curve number of digits | ||
38 | * @private_key: private key to be used for the given curve | ||
39 | * @private_key_len: private key len | ||
40 | * | ||
41 | * Returns 0 if the key is acceptable, a negative value otherwise | ||
42 | */ | ||
43 | int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits, | ||
44 | const u8 *private_key, unsigned int private_key_len); | ||
45 | |||
46 | /** | ||
47 | * ecdh_make_pub_key() - Compute an ECC public key | ||
48 | * | ||
49 | * @curve_id: id representing the curve to use | ||
50 | * @private_key: pregenerated private key for the given curve | ||
51 | * @private_key_len: length of private_key | ||
52 | * @public_key: buffer for storing the public key generated | ||
53 | * @public_key_len: length of the public_key buffer | ||
54 | * | ||
55 | * Returns 0 if the public key was generated successfully, a negative value | ||
56 | * if an error occurred. | ||
57 | */ | ||
58 | int ecdh_make_pub_key(const unsigned int curve_id, unsigned int ndigits, | ||
59 | const u8 *private_key, unsigned int private_key_len, | ||
60 | u8 *public_key, unsigned int public_key_len); | ||
61 | |||
62 | /** | ||
63 | * ecdh_shared_secret() - Compute a shared secret | ||
64 | * | ||
65 | * @curve_id: id representing the curve to use | ||
66 | * @private_key: private key of part A | ||
67 | * @private_key_len: length of private_key | ||
68 | * @public_key: public key of counterpart B | ||
69 | * @public_key_len: length of public_key | ||
70 | * @secret: buffer for storing the calculated shared secret | ||
71 | * @secret_len: length of the secret buffer | ||
72 | * | ||
73 | * Note: It is recommended that you hash the result of ecdh_shared_secret | ||
74 | * before using it for symmetric encryption or HMAC. | ||
75 | * | ||
76 | * Returns 0 if the shared secret was generated successfully, a negative value | ||
77 | * if an error occurred. | ||
78 | */ | ||
79 | int ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, | ||
80 | const u8 *private_key, unsigned int private_key_len, | ||
81 | const u8 *public_key, unsigned int public_key_len, | ||
82 | u8 *secret, unsigned int secret_len); | ||
83 | #endif | ||
diff --git a/crypto/ecc_curve_defs.h b/crypto/ecc_curve_defs.h new file mode 100644 index 000000000000..03ae5f714028 --- /dev/null +++ b/crypto/ecc_curve_defs.h | |||
@@ -0,0 +1,57 @@ | |||
1 | #ifndef _CRYTO_ECC_CURVE_DEFS_H | ||
2 | #define _CRYTO_ECC_CURVE_DEFS_H | ||
3 | |||
4 | struct ecc_point { | ||
5 | u64 *x; | ||
6 | u64 *y; | ||
7 | u8 ndigits; | ||
8 | }; | ||
9 | |||
10 | struct ecc_curve { | ||
11 | char *name; | ||
12 | struct ecc_point g; | ||
13 | u64 *p; | ||
14 | u64 *n; | ||
15 | }; | ||
16 | |||
17 | /* NIST P-192 */ | ||
18 | static u64 nist_p192_g_x[] = { 0xF4FF0AFD82FF1012ull, 0x7CBF20EB43A18800ull, | ||
19 | 0x188DA80EB03090F6ull }; | ||
20 | static u64 nist_p192_g_y[] = { 0x73F977A11E794811ull, 0x631011ED6B24CDD5ull, | ||
21 | 0x07192B95FFC8DA78ull }; | ||
22 | static u64 nist_p192_p[] = { 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFFFFFFFFFEull, | ||
23 | 0xFFFFFFFFFFFFFFFFull }; | ||
24 | static u64 nist_p192_n[] = { 0x146BC9B1B4D22831ull, 0xFFFFFFFF99DEF836ull, | ||
25 | 0xFFFFFFFFFFFFFFFFull }; | ||
26 | static struct ecc_curve nist_p192 = { | ||
27 | .name = "nist_192", | ||
28 | .g = { | ||
29 | .x = nist_p192_g_x, | ||
30 | .y = nist_p192_g_y, | ||
31 | .ndigits = 3, | ||
32 | }, | ||
33 | .p = nist_p192_p, | ||
34 | .n = nist_p192_n | ||
35 | }; | ||
36 | |||
37 | /* NIST P-256 */ | ||
38 | static u64 nist_p256_g_x[] = { 0xF4A13945D898C296ull, 0x77037D812DEB33A0ull, | ||
39 | 0xF8BCE6E563A440F2ull, 0x6B17D1F2E12C4247ull }; | ||
40 | static u64 nist_p256_g_y[] = { 0xCBB6406837BF51F5ull, 0x2BCE33576B315ECEull, | ||
41 | 0x8EE7EB4A7C0F9E16ull, 0x4FE342E2FE1A7F9Bull }; | ||
42 | static u64 nist_p256_p[] = { 0xFFFFFFFFFFFFFFFFull, 0x00000000FFFFFFFFull, | ||
43 | 0x0000000000000000ull, 0xFFFFFFFF00000001ull }; | ||
44 | static u64 nist_p256_n[] = { 0xF3B9CAC2FC632551ull, 0xBCE6FAADA7179E84ull, | ||
45 | 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFF00000000ull }; | ||
46 | static struct ecc_curve nist_p256 = { | ||
47 | .name = "nist_256", | ||
48 | .g = { | ||
49 | .x = nist_p256_g_x, | ||
50 | .y = nist_p256_g_y, | ||
51 | .ndigits = 4, | ||
52 | }, | ||
53 | .p = nist_p256_p, | ||
54 | .n = nist_p256_n | ||
55 | }; | ||
56 | |||
57 | #endif | ||
diff --git a/crypto/ecdh.c b/crypto/ecdh.c new file mode 100644 index 000000000000..d3a9eeca4b32 --- /dev/null +++ b/crypto/ecdh.c | |||
@@ -0,0 +1,151 @@ | |||
1 | /* ECDH key-agreement protocol | ||
2 | * | ||
3 | * Copyright (c) 2016, Intel Corporation | ||
4 | * Authors: Salvator Benedetto <salvatore.benedetto@intel.com> | ||
5 | * | ||
6 | * This program is free software; you can redistribute it and/or | ||
7 | * modify it under the terms of the GNU General Public Licence | ||
8 | * as published by the Free Software Foundation; either version | ||
9 | * 2 of the Licence, or (at your option) any later version. | ||
10 | */ | ||
11 | |||
12 | #include <linux/module.h> | ||
13 | #include <crypto/internal/kpp.h> | ||
14 | #include <crypto/kpp.h> | ||
15 | #include <crypto/ecdh.h> | ||
16 | #include <linux/scatterlist.h> | ||
17 | #include "ecc.h" | ||
18 | |||
19 | struct ecdh_ctx { | ||
20 | unsigned int curve_id; | ||
21 | unsigned int ndigits; | ||
22 | u64 private_key[ECC_MAX_DIGITS]; | ||
23 | u64 public_key[2 * ECC_MAX_DIGITS]; | ||
24 | u64 shared_secret[ECC_MAX_DIGITS]; | ||
25 | }; | ||
26 | |||
27 | static inline struct ecdh_ctx *ecdh_get_ctx(struct crypto_kpp *tfm) | ||
28 | { | ||
29 | return kpp_tfm_ctx(tfm); | ||
30 | } | ||
31 | |||
32 | static unsigned int ecdh_supported_curve(unsigned int curve_id) | ||
33 | { | ||
34 | switch (curve_id) { | ||
35 | case ECC_CURVE_NIST_P192: return 3; | ||
36 | case ECC_CURVE_NIST_P256: return 4; | ||
37 | default: return 0; | ||
38 | } | ||
39 | } | ||
40 | |||
41 | static int ecdh_set_secret(struct crypto_kpp *tfm, void *buf, unsigned int len) | ||
42 | { | ||
43 | struct ecdh_ctx *ctx = ecdh_get_ctx(tfm); | ||
44 | struct ecdh params; | ||
45 | unsigned int ndigits; | ||
46 | |||
47 | if (crypto_ecdh_decode_key(buf, len, ¶ms) < 0) | ||
48 | return -EINVAL; | ||
49 | |||
50 | ndigits = ecdh_supported_curve(params.curve_id); | ||
51 | if (!ndigits) | ||
52 | return -EINVAL; | ||
53 | |||
54 | ctx->curve_id = params.curve_id; | ||
55 | ctx->ndigits = ndigits; | ||
56 | |||
57 | if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits, | ||
58 | (const u8 *)params.key, params.key_size) < 0) | ||
59 | return -EINVAL; | ||
60 | |||
61 | memcpy(ctx->private_key, params.key, params.key_size); | ||
62 | |||
63 | return 0; | ||
64 | } | ||
65 | |||
66 | static int ecdh_compute_value(struct kpp_request *req) | ||
67 | { | ||
68 | int ret = 0; | ||
69 | struct crypto_kpp *tfm = crypto_kpp_reqtfm(req); | ||
70 | struct ecdh_ctx *ctx = ecdh_get_ctx(tfm); | ||
71 | size_t copied, nbytes; | ||
72 | void *buf; | ||
73 | |||
74 | nbytes = ctx->ndigits << ECC_DIGITS_TO_BYTES_SHIFT; | ||
75 | |||
76 | if (req->src) { | ||
77 | copied = sg_copy_to_buffer(req->src, 1, ctx->public_key, | ||
78 | 2 * nbytes); | ||
79 | if (copied != 2 * nbytes) | ||
80 | return -EINVAL; | ||
81 | |||
82 | ret = ecdh_shared_secret(ctx->curve_id, ctx->ndigits, | ||
83 | (const u8 *)ctx->private_key, nbytes, | ||
84 | (const u8 *)ctx->public_key, 2 * nbytes, | ||
85 | (u8 *)ctx->shared_secret, nbytes); | ||
86 | |||
87 | buf = ctx->shared_secret; | ||
88 | } else { | ||
89 | ret = ecdh_make_pub_key(ctx->curve_id, ctx->ndigits, | ||
90 | (const u8 *)ctx->private_key, nbytes, | ||
91 | (u8 *)ctx->public_key, | ||
92 | sizeof(ctx->public_key)); | ||
93 | buf = ctx->public_key; | ||
94 | /* Public part is a point thus it has both coordinates */ | ||
95 | nbytes *= 2; | ||
96 | } | ||
97 | |||
98 | if (ret < 0) | ||
99 | return ret; | ||
100 | |||
101 | copied = sg_copy_from_buffer(req->dst, 1, buf, nbytes); | ||
102 | if (copied != nbytes) | ||
103 | return -EINVAL; | ||
104 | |||
105 | return ret; | ||
106 | } | ||
107 | |||
108 | static int ecdh_max_size(struct crypto_kpp *tfm) | ||
109 | { | ||
110 | struct ecdh_ctx *ctx = ecdh_get_ctx(tfm); | ||
111 | int nbytes = ctx->ndigits << ECC_DIGITS_TO_BYTES_SHIFT; | ||
112 | |||
113 | /* Public key is made of two coordinates */ | ||
114 | return 2 * nbytes; | ||
115 | } | ||
116 | |||
117 | static void no_exit_tfm(struct crypto_kpp *tfm) | ||
118 | { | ||
119 | return; | ||
120 | } | ||
121 | |||
122 | static struct kpp_alg ecdh = { | ||
123 | .set_secret = ecdh_set_secret, | ||
124 | .generate_public_key = ecdh_compute_value, | ||
125 | .compute_shared_secret = ecdh_compute_value, | ||
126 | .max_size = ecdh_max_size, | ||
127 | .exit = no_exit_tfm, | ||
128 | .base = { | ||
129 | .cra_name = "ecdh", | ||
130 | .cra_driver_name = "ecdh-generic", | ||
131 | .cra_priority = 100, | ||
132 | .cra_module = THIS_MODULE, | ||
133 | .cra_ctxsize = sizeof(struct ecdh_ctx), | ||
134 | }, | ||
135 | }; | ||
136 | |||
137 | static int ecdh_init(void) | ||
138 | { | ||
139 | return crypto_register_kpp(&ecdh); | ||
140 | } | ||
141 | |||
142 | static void ecdh_exit(void) | ||
143 | { | ||
144 | crypto_unregister_kpp(&ecdh); | ||
145 | } | ||
146 | |||
147 | module_init(ecdh_init); | ||
148 | module_exit(ecdh_exit); | ||
149 | MODULE_ALIAS_CRYPTO("ecdh"); | ||
150 | MODULE_LICENSE("GPL"); | ||
151 | MODULE_DESCRIPTION("ECDH generic algorithm"); | ||
diff --git a/crypto/ecdh_helper.c b/crypto/ecdh_helper.c new file mode 100644 index 000000000000..3cd8a2414e60 --- /dev/null +++ b/crypto/ecdh_helper.c | |||
@@ -0,0 +1,86 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2016, Intel Corporation | ||
3 | * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com> | ||
4 | * | ||
5 | * This program is free software; you can redistribute it and/or | ||
6 | * modify it under the terms of the GNU General Public Licence | ||
7 | * as published by the Free Software Foundation; either version | ||
8 | * 2 of the Licence, or (at your option) any later version. | ||
9 | */ | ||
10 | #include <linux/kernel.h> | ||
11 | #include <linux/export.h> | ||
12 | #include <linux/err.h> | ||
13 | #include <linux/string.h> | ||
14 | #include <crypto/ecdh.h> | ||
15 | #include <crypto/kpp.h> | ||
16 | |||
17 | #define ECDH_KPP_SECRET_MIN_SIZE (sizeof(struct kpp_secret) + 2 * sizeof(short)) | ||
18 | |||
19 | static inline u8 *ecdh_pack_data(void *dst, const void *src, size_t sz) | ||
20 | { | ||
21 | memcpy(dst, src, sz); | ||
22 | return dst + sz; | ||
23 | } | ||
24 | |||
25 | static inline const u8 *ecdh_unpack_data(void *dst, const void *src, size_t sz) | ||
26 | { | ||
27 | memcpy(dst, src, sz); | ||
28 | return src + sz; | ||
29 | } | ||
30 | |||
31 | int crypto_ecdh_key_len(const struct ecdh *params) | ||
32 | { | ||
33 | return ECDH_KPP_SECRET_MIN_SIZE + params->key_size; | ||
34 | } | ||
35 | EXPORT_SYMBOL_GPL(crypto_ecdh_key_len); | ||
36 | |||
37 | int crypto_ecdh_encode_key(char *buf, unsigned int len, | ||
38 | const struct ecdh *params) | ||
39 | { | ||
40 | u8 *ptr = buf; | ||
41 | struct kpp_secret secret = { | ||
42 | .type = CRYPTO_KPP_SECRET_TYPE_ECDH, | ||
43 | .len = len | ||
44 | }; | ||
45 | |||
46 | if (unlikely(!buf)) | ||
47 | return -EINVAL; | ||
48 | |||
49 | if (len != crypto_ecdh_key_len(params)) | ||
50 | return -EINVAL; | ||
51 | |||
52 | ptr = ecdh_pack_data(ptr, &secret, sizeof(secret)); | ||
53 | ptr = ecdh_pack_data(ptr, ¶ms->curve_id, sizeof(params->curve_id)); | ||
54 | ptr = ecdh_pack_data(ptr, ¶ms->key_size, sizeof(params->key_size)); | ||
55 | ecdh_pack_data(ptr, params->key, params->key_size); | ||
56 | |||
57 | return 0; | ||
58 | } | ||
59 | EXPORT_SYMBOL_GPL(crypto_ecdh_encode_key); | ||
60 | |||
61 | int crypto_ecdh_decode_key(const char *buf, unsigned int len, | ||
62 | struct ecdh *params) | ||
63 | { | ||
64 | const u8 *ptr = buf; | ||
65 | struct kpp_secret secret; | ||
66 | |||
67 | if (unlikely(!buf || len < ECDH_KPP_SECRET_MIN_SIZE)) | ||
68 | return -EINVAL; | ||
69 | |||
70 | ptr = ecdh_unpack_data(&secret, ptr, sizeof(secret)); | ||
71 | if (secret.type != CRYPTO_KPP_SECRET_TYPE_ECDH) | ||
72 | return -EINVAL; | ||
73 | |||
74 | ptr = ecdh_unpack_data(¶ms->curve_id, ptr, sizeof(params->curve_id)); | ||
75 | ptr = ecdh_unpack_data(¶ms->key_size, ptr, sizeof(params->key_size)); | ||
76 | if (secret.len != crypto_ecdh_key_len(params)) | ||
77 | return -EINVAL; | ||
78 | |||
79 | /* Don't allocate memory. Set pointer to data | ||
80 | * within the given buffer | ||
81 | */ | ||
82 | params->key = (void *)ptr; | ||
83 | |||
84 | return 0; | ||
85 | } | ||
86 | EXPORT_SYMBOL_GPL(crypto_ecdh_decode_key); | ||
diff --git a/crypto/testmgr.c b/crypto/testmgr.c index ff79eb887fd0..537fdc380a7b 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c | |||
@@ -3301,6 +3301,16 @@ static const struct alg_test_desc alg_test_descs[] = { | |||
3301 | } | 3301 | } |
3302 | } | 3302 | } |
3303 | }, { | 3303 | }, { |
3304 | .alg = "ecdh", | ||
3305 | .test = alg_test_kpp, | ||
3306 | .fips_allowed = 1, | ||
3307 | .suite = { | ||
3308 | .kpp = { | ||
3309 | .vecs = ecdh_tv_template, | ||
3310 | .count = ECDH_TEST_VECTORS | ||
3311 | } | ||
3312 | } | ||
3313 | }, { | ||
3304 | .alg = "gcm(aes)", | 3314 | .alg = "gcm(aes)", |
3305 | .test = alg_test_aead, | 3315 | .test = alg_test_aead, |
3306 | .fips_allowed = 1, | 3316 | .fips_allowed = 1, |
diff --git a/crypto/testmgr.h b/crypto/testmgr.h index 78e874eca031..7358931b3082 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h | |||
@@ -560,6 +560,99 @@ struct kpp_testvec dh_tv_template[] = { | |||
560 | } | 560 | } |
561 | }; | 561 | }; |
562 | 562 | ||
563 | #ifdef CONFIG_CRYPTO_FIPS | ||
564 | #define ECDH_TEST_VECTORS 1 | ||
565 | #else | ||
566 | #define ECDH_TEST_VECTORS 2 | ||
567 | #endif | ||
568 | struct kpp_testvec ecdh_tv_template[] = { | ||
569 | { | ||
570 | #ifndef CONFIG_CRYPTO_FIPS | ||
571 | .secret = | ||
572 | #ifdef __LITTLE_ENDIAN | ||
573 | "\x02\x00" /* type */ | ||
574 | "\x20\x00" /* len */ | ||
575 | "\x01\x00" /* curve_id */ | ||
576 | "\x18\x00" /* key_size */ | ||
577 | #else | ||
578 | "\x00\x02" /* type */ | ||
579 | "\x00\x20" /* len */ | ||
580 | "\x00\x01" /* curve_id */ | ||
581 | "\x00\x18" /* key_size */ | ||
582 | #endif | ||
583 | "\xb5\x05\xb1\x71\x1e\xbf\x8c\xda" | ||
584 | "\x4e\x19\x1e\x62\x1f\x23\x23\x31" | ||
585 | "\x36\x1e\xd3\x84\x2f\xcc\x21\x72", | ||
586 | .b_public = | ||
587 | "\xc3\xba\x67\x4b\x71\xec\xd0\x76" | ||
588 | "\x7a\x99\x75\x64\x36\x13\x9a\x94" | ||
589 | "\x5d\x8b\xdc\x60\x90\x91\xfd\x3f" | ||
590 | "\xb0\x1f\x8a\x0a\x68\xc6\x88\x6e" | ||
591 | "\x83\x87\xdd\x67\x09\xf8\x8d\x96" | ||
592 | "\x07\xd6\xbd\x1c\xe6\x8d\x9d\x67", | ||
593 | .expected_a_public = | ||
594 | "\x1a\x04\xdb\xa5\xe1\xdd\x4e\x79" | ||
595 | "\xa3\xe6\xef\x0e\x5c\x80\x49\x85" | ||
596 | "\xfa\x78\xb4\xef\x49\xbd\x4c\x7c" | ||
597 | "\x22\x90\x21\x02\xf9\x1b\x81\x5d" | ||
598 | "\x0c\x8a\xa8\x98\xd6\x27\x69\x88" | ||
599 | "\x5e\xbc\x94\xd8\x15\x9e\x21\xce", | ||
600 | .expected_ss = | ||
601 | "\xf4\x57\xcc\x4f\x1f\x4e\x31\xcc" | ||
602 | "\xe3\x40\x60\xc8\x06\x93\xc6\x2e" | ||
603 | "\x99\x80\x81\x28\xaf\xc5\x51\x74", | ||
604 | .secret_size = 32, | ||
605 | .b_public_size = 48, | ||
606 | .expected_a_public_size = 48, | ||
607 | .expected_ss_size = 24 | ||
608 | }, { | ||
609 | #endif | ||
610 | .secret = | ||
611 | #ifdef __LITTLE_ENDIAN | ||
612 | "\x02\x00" /* type */ | ||
613 | "\x28\x00" /* len */ | ||
614 | "\x02\x00" /* curve_id */ | ||
615 | "\x20\x00" /* key_size */ | ||
616 | #else | ||
617 | "\x00\x02" /* type */ | ||
618 | "\x00\x28" /* len */ | ||
619 | "\x00\x02" /* curve_id */ | ||
620 | "\x00\x20" /* key_size */ | ||
621 | #endif | ||
622 | "\x24\xd1\x21\xeb\xe5\xcf\x2d\x83" | ||
623 | "\xf6\x62\x1b\x6e\x43\x84\x3a\xa3" | ||
624 | "\x8b\xe0\x86\xc3\x20\x19\xda\x92" | ||
625 | "\x50\x53\x03\xe1\xc0\xea\xb8\x82", | ||
626 | .expected_a_public = | ||
627 | "\x1a\x7f\xeb\x52\x00\xbd\x3c\x31" | ||
628 | "\x7d\xb6\x70\xc1\x86\xa6\xc7\xc4" | ||
629 | "\x3b\xc5\x5f\x6c\x6f\x58\x3c\xf5" | ||
630 | "\xb6\x63\x82\x77\x33\x24\xa1\x5f" | ||
631 | "\x6a\xca\x43\x6f\xf7\x7e\xff\x02" | ||
632 | "\x37\x08\xcc\x40\x5e\x7a\xfd\x6a" | ||
633 | "\x6a\x02\x6e\x41\x87\x68\x38\x77" | ||
634 | "\xfa\xa9\x44\x43\x2d\xef\x09\xdf", | ||
635 | .expected_ss = | ||
636 | "\xea\x17\x6f\x7e\x6e\x57\x26\x38" | ||
637 | "\x8b\xfb\x41\xeb\xba\xc8\x6d\xa5" | ||
638 | "\xa8\x72\xd1\xff\xc9\x47\x3d\xaa" | ||
639 | "\x58\x43\x9f\x34\x0f\x8c\xf3\xc9", | ||
640 | .b_public = | ||
641 | "\xcc\xb4\xda\x74\xb1\x47\x3f\xea" | ||
642 | "\x6c\x70\x9e\x38\x2d\xc7\xaa\xb7" | ||
643 | "\x29\xb2\x47\x03\x19\xab\xdd\x34" | ||
644 | "\xbd\xa8\x2c\x93\xe1\xa4\x74\xd9" | ||
645 | "\x64\x63\xf7\x70\x20\x2f\xa4\xe6" | ||
646 | "\x9f\x4a\x38\xcc\xc0\x2c\x49\x2f" | ||
647 | "\xb1\x32\xbb\xaf\x22\x61\xda\xcb" | ||
648 | "\x6f\xdb\xa9\xaa\xfc\x77\x81\xf3", | ||
649 | .secret_size = 40, | ||
650 | .b_public_size = 64, | ||
651 | .expected_a_public_size = 64, | ||
652 | .expected_ss_size = 32 | ||
653 | } | ||
654 | }; | ||
655 | |||
563 | /* | 656 | /* |
564 | * MD4 test vectors from RFC1320 | 657 | * MD4 test vectors from RFC1320 |
565 | */ | 658 | */ |
diff --git a/include/crypto/ecdh.h b/include/crypto/ecdh.h new file mode 100644 index 000000000000..84bad548d194 --- /dev/null +++ b/include/crypto/ecdh.h | |||
@@ -0,0 +1,30 @@ | |||
1 | /* | ||
2 | * ECDH params to be used with kpp API | ||
3 | * | ||
4 | * Copyright (c) 2016, Intel Corporation | ||
5 | * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com> | ||
6 | * | ||
7 | * This program is free software; you can redistribute it and/or modify it | ||
8 | * under the terms of the GNU General Public License as published by the Free | ||
9 | * Software Foundation; either version 2 of the License, or (at your option) | ||
10 | * any later version. | ||
11 | * | ||
12 | */ | ||
13 | #ifndef _CRYPTO_ECDH_ | ||
14 | #define _CRYPTO_ECDH_ | ||
15 | |||
16 | /* Curves IDs */ | ||
17 | #define ECC_CURVE_NIST_P192 0x0001 | ||
18 | #define ECC_CURVE_NIST_P256 0x0002 | ||
19 | |||
20 | struct ecdh { | ||
21 | unsigned short curve_id; | ||
22 | char *key; | ||
23 | unsigned short key_size; | ||
24 | }; | ||
25 | |||
26 | int crypto_ecdh_key_len(const struct ecdh *params); | ||
27 | int crypto_ecdh_encode_key(char *buf, unsigned int len, const struct ecdh *p); | ||
28 | int crypto_ecdh_decode_key(const char *buf, unsigned int len, struct ecdh *p); | ||
29 | |||
30 | #endif | ||
diff --git a/include/crypto/kpp.h b/include/crypto/kpp.h index 937ac122354a..30791f75c180 100644 --- a/include/crypto/kpp.h +++ b/include/crypto/kpp.h | |||
@@ -243,6 +243,7 @@ static inline void kpp_request_set_output(struct kpp_request *req, | |||
243 | enum { | 243 | enum { |
244 | CRYPTO_KPP_SECRET_TYPE_UNKNOWN, | 244 | CRYPTO_KPP_SECRET_TYPE_UNKNOWN, |
245 | CRYPTO_KPP_SECRET_TYPE_DH, | 245 | CRYPTO_KPP_SECRET_TYPE_DH, |
246 | CRYPTO_KPP_SECRET_TYPE_ECDH, | ||
246 | }; | 247 | }; |
247 | 248 | ||
248 | /** | 249 | /** |