summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSalvatore Benedetto <salvatore.benedetto@intel.com>2016-06-22 12:49:15 -0400
committerHerbert Xu <herbert@gondor.apana.org.au>2016-06-23 06:29:57 -0400
commit3c4b23901a0c766879dff680cd6bdab47bcdbbd2 (patch)
tree3bcc903dce759f69193f4b9fa638f1383d7323d3
parent802c7f1c84e4b5a6ac78635878041023fc5831b1 (diff)
crypto: ecdh - Add ECDH software support
* Implement ECDH under kpp API * Provide ECC software support for curve P-192 and P-256. * Add kpp test for ECDH with data generated by OpenSSL Signed-off-by: Salvatore Benedetto <salvatore.benedetto@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r--crypto/Kconfig5
-rw-r--r--crypto/Makefile4
-rw-r--r--crypto/ecc.c1018
-rw-r--r--crypto/ecc.h83
-rw-r--r--crypto/ecc_curve_defs.h57
-rw-r--r--crypto/ecdh.c151
-rw-r--r--crypto/ecdh_helper.c86
-rw-r--r--crypto/testmgr.c10
-rw-r--r--crypto/testmgr.h93
-rw-r--r--include/crypto/ecdh.h30
-rw-r--r--include/crypto/kpp.h1
11 files changed, 1538 insertions, 0 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 162d2f9aa242..5baaa9d87574 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -118,6 +118,11 @@ config CRYPTO_DH
118 help 118 help
119 Generic implementation of the Diffie-Hellman algorithm. 119 Generic implementation of the Diffie-Hellman algorithm.
120 120
121config CRYPTO_ECDH
122 tristate "ECDH algorithm"
123 select CRYTPO_KPP
124 help
125 Generic implementation of the ECDH algorithm
121 126
122config CRYPTO_MANAGER 127config CRYPTO_MANAGER
123 tristate "Cryptographic algorithm manager" 128 tristate "Cryptographic algorithm manager"
diff --git a/crypto/Makefile b/crypto/Makefile
index 82897208e8e0..df1bcfb090d2 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -35,6 +35,10 @@ obj-$(CONFIG_CRYPTO_KPP2) += kpp.o
35dh_generic-y := dh.o 35dh_generic-y := dh.o
36dh_generic-y += dh_helper.o 36dh_generic-y += dh_helper.o
37obj-$(CONFIG_CRYPTO_DH) += dh_generic.o 37obj-$(CONFIG_CRYPTO_DH) += dh_generic.o
38ecdh_generic-y := ecc.o
39ecdh_generic-y += ecdh.o
40ecdh_generic-y += ecdh_helper.o
41obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o
38 42
39$(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h 43$(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
40$(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h 44$(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
diff --git a/crypto/ecc.c b/crypto/ecc.c
new file mode 100644
index 000000000000..9aedec6bbe72
--- /dev/null
+++ b/crypto/ecc.c
@@ -0,0 +1,1018 @@
1/*
2 * Copyright (c) 2013, Kenneth MacKay
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are
7 * met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
16 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
17 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
18 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
20 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include <linux/random.h>
28#include <linux/slab.h>
29#include <linux/swab.h>
30#include <linux/fips.h>
31#include <crypto/ecdh.h>
32
33#include "ecc.h"
34#include "ecc_curve_defs.h"
35
36typedef struct {
37 u64 m_low;
38 u64 m_high;
39} uint128_t;
40
41static inline const struct ecc_curve *ecc_get_curve(unsigned int curve_id)
42{
43 switch (curve_id) {
44 /* In FIPS mode only allow P256 and higher */
45 case ECC_CURVE_NIST_P192:
46 return fips_enabled ? NULL : &nist_p192;
47 case ECC_CURVE_NIST_P256:
48 return &nist_p256;
49 default:
50 return NULL;
51 }
52}
53
54static u64 *ecc_alloc_digits_space(unsigned int ndigits)
55{
56 size_t len = ndigits * sizeof(u64);
57
58 if (!len)
59 return NULL;
60
61 return kmalloc(len, GFP_KERNEL);
62}
63
64static void ecc_free_digits_space(u64 *space)
65{
66 kzfree(space);
67}
68
69static struct ecc_point *ecc_alloc_point(unsigned int ndigits)
70{
71 struct ecc_point *p = kmalloc(sizeof(*p), GFP_KERNEL);
72
73 if (!p)
74 return NULL;
75
76 p->x = ecc_alloc_digits_space(ndigits);
77 if (!p->x)
78 goto err_alloc_x;
79
80 p->y = ecc_alloc_digits_space(ndigits);
81 if (!p->y)
82 goto err_alloc_y;
83
84 p->ndigits = ndigits;
85
86 return p;
87
88err_alloc_y:
89 ecc_free_digits_space(p->x);
90err_alloc_x:
91 kfree(p);
92 return NULL;
93}
94
95static void ecc_free_point(struct ecc_point *p)
96{
97 if (!p)
98 return;
99
100 kzfree(p->x);
101 kzfree(p->y);
102 kzfree(p);
103}
104
105static void vli_clear(u64 *vli, unsigned int ndigits)
106{
107 int i;
108
109 for (i = 0; i < ndigits; i++)
110 vli[i] = 0;
111}
112
113/* Returns true if vli == 0, false otherwise. */
114static bool vli_is_zero(const u64 *vli, unsigned int ndigits)
115{
116 int i;
117
118 for (i = 0; i < ndigits; i++) {
119 if (vli[i])
120 return false;
121 }
122
123 return true;
124}
125
126/* Returns nonzero if bit bit of vli is set. */
127static u64 vli_test_bit(const u64 *vli, unsigned int bit)
128{
129 return (vli[bit / 64] & ((u64)1 << (bit % 64)));
130}
131
132/* Counts the number of 64-bit "digits" in vli. */
133static unsigned int vli_num_digits(const u64 *vli, unsigned int ndigits)
134{
135 int i;
136
137 /* Search from the end until we find a non-zero digit.
138 * We do it in reverse because we expect that most digits will
139 * be nonzero.
140 */
141 for (i = ndigits - 1; i >= 0 && vli[i] == 0; i--);
142
143 return (i + 1);
144}
145
146/* Counts the number of bits required for vli. */
147static unsigned int vli_num_bits(const u64 *vli, unsigned int ndigits)
148{
149 unsigned int i, num_digits;
150 u64 digit;
151
152 num_digits = vli_num_digits(vli, ndigits);
153 if (num_digits == 0)
154 return 0;
155
156 digit = vli[num_digits - 1];
157 for (i = 0; digit; i++)
158 digit >>= 1;
159
160 return ((num_digits - 1) * 64 + i);
161}
162
163/* Sets dest = src. */
164static void vli_set(u64 *dest, const u64 *src, unsigned int ndigits)
165{
166 int i;
167
168 for (i = 0; i < ndigits; i++)
169 dest[i] = src[i];
170}
171
172/* Returns sign of left - right. */
173static int vli_cmp(const u64 *left, const u64 *right, unsigned int ndigits)
174{
175 int i;
176
177 for (i = ndigits - 1; i >= 0; i--) {
178 if (left[i] > right[i])
179 return 1;
180 else if (left[i] < right[i])
181 return -1;
182 }
183
184 return 0;
185}
186
187/* Computes result = in << c, returning carry. Can modify in place
188 * (if result == in). 0 < shift < 64.
189 */
190static u64 vli_lshift(u64 *result, const u64 *in, unsigned int shift,
191 unsigned int ndigits)
192{
193 u64 carry = 0;
194 int i;
195
196 for (i = 0; i < ndigits; i++) {
197 u64 temp = in[i];
198
199 result[i] = (temp << shift) | carry;
200 carry = temp >> (64 - shift);
201 }
202
203 return carry;
204}
205
206/* Computes vli = vli >> 1. */
207static void vli_rshift1(u64 *vli, unsigned int ndigits)
208{
209 u64 *end = vli;
210 u64 carry = 0;
211
212 vli += ndigits;
213
214 while (vli-- > end) {
215 u64 temp = *vli;
216 *vli = (temp >> 1) | carry;
217 carry = temp << 63;
218 }
219}
220
221/* Computes result = left + right, returning carry. Can modify in place. */
222static u64 vli_add(u64 *result, const u64 *left, const u64 *right,
223 unsigned int ndigits)
224{
225 u64 carry = 0;
226 int i;
227
228 for (i = 0; i < ndigits; i++) {
229 u64 sum;
230
231 sum = left[i] + right[i] + carry;
232 if (sum != left[i])
233 carry = (sum < left[i]);
234
235 result[i] = sum;
236 }
237
238 return carry;
239}
240
241/* Computes result = left - right, returning borrow. Can modify in place. */
242static u64 vli_sub(u64 *result, const u64 *left, const u64 *right,
243 unsigned int ndigits)
244{
245 u64 borrow = 0;
246 int i;
247
248 for (i = 0; i < ndigits; i++) {
249 u64 diff;
250
251 diff = left[i] - right[i] - borrow;
252 if (diff != left[i])
253 borrow = (diff > left[i]);
254
255 result[i] = diff;
256 }
257
258 return borrow;
259}
260
261static uint128_t mul_64_64(u64 left, u64 right)
262{
263 u64 a0 = left & 0xffffffffull;
264 u64 a1 = left >> 32;
265 u64 b0 = right & 0xffffffffull;
266 u64 b1 = right >> 32;
267 u64 m0 = a0 * b0;
268 u64 m1 = a0 * b1;
269 u64 m2 = a1 * b0;
270 u64 m3 = a1 * b1;
271 uint128_t result;
272
273 m2 += (m0 >> 32);
274 m2 += m1;
275
276 /* Overflow */
277 if (m2 < m1)
278 m3 += 0x100000000ull;
279
280 result.m_low = (m0 & 0xffffffffull) | (m2 << 32);
281 result.m_high = m3 + (m2 >> 32);
282
283 return result;
284}
285
286static uint128_t add_128_128(uint128_t a, uint128_t b)
287{
288 uint128_t result;
289
290 result.m_low = a.m_low + b.m_low;
291 result.m_high = a.m_high + b.m_high + (result.m_low < a.m_low);
292
293 return result;
294}
295
296static void vli_mult(u64 *result, const u64 *left, const u64 *right,
297 unsigned int ndigits)
298{
299 uint128_t r01 = { 0, 0 };
300 u64 r2 = 0;
301 unsigned int i, k;
302
303 /* Compute each digit of result in sequence, maintaining the
304 * carries.
305 */
306 for (k = 0; k < ndigits * 2 - 1; k++) {
307 unsigned int min;
308
309 if (k < ndigits)
310 min = 0;
311 else
312 min = (k + 1) - ndigits;
313
314 for (i = min; i <= k && i < ndigits; i++) {
315 uint128_t product;
316
317 product = mul_64_64(left[i], right[k - i]);
318
319 r01 = add_128_128(r01, product);
320 r2 += (r01.m_high < product.m_high);
321 }
322
323 result[k] = r01.m_low;
324 r01.m_low = r01.m_high;
325 r01.m_high = r2;
326 r2 = 0;
327 }
328
329 result[ndigits * 2 - 1] = r01.m_low;
330}
331
332static void vli_square(u64 *result, const u64 *left, unsigned int ndigits)
333{
334 uint128_t r01 = { 0, 0 };
335 u64 r2 = 0;
336 int i, k;
337
338 for (k = 0; k < ndigits * 2 - 1; k++) {
339 unsigned int min;
340
341 if (k < ndigits)
342 min = 0;
343 else
344 min = (k + 1) - ndigits;
345
346 for (i = min; i <= k && i <= k - i; i++) {
347 uint128_t product;
348
349 product = mul_64_64(left[i], left[k - i]);
350
351 if (i < k - i) {
352 r2 += product.m_high >> 63;
353 product.m_high = (product.m_high << 1) |
354 (product.m_low >> 63);
355 product.m_low <<= 1;
356 }
357
358 r01 = add_128_128(r01, product);
359 r2 += (r01.m_high < product.m_high);
360 }
361
362 result[k] = r01.m_low;
363 r01.m_low = r01.m_high;
364 r01.m_high = r2;
365 r2 = 0;
366 }
367
368 result[ndigits * 2 - 1] = r01.m_low;
369}
370
371/* Computes result = (left + right) % mod.
372 * Assumes that left < mod and right < mod, result != mod.
373 */
374static void vli_mod_add(u64 *result, const u64 *left, const u64 *right,
375 const u64 *mod, unsigned int ndigits)
376{
377 u64 carry;
378
379 carry = vli_add(result, left, right, ndigits);
380
381 /* result > mod (result = mod + remainder), so subtract mod to
382 * get remainder.
383 */
384 if (carry || vli_cmp(result, mod, ndigits) >= 0)
385 vli_sub(result, result, mod, ndigits);
386}
387
388/* Computes result = (left - right) % mod.
389 * Assumes that left < mod and right < mod, result != mod.
390 */
391static void vli_mod_sub(u64 *result, const u64 *left, const u64 *right,
392 const u64 *mod, unsigned int ndigits)
393{
394 u64 borrow = vli_sub(result, left, right, ndigits);
395
396 /* In this case, p_result == -diff == (max int) - diff.
397 * Since -x % d == d - x, we can get the correct result from
398 * result + mod (with overflow).
399 */
400 if (borrow)
401 vli_add(result, result, mod, ndigits);
402}
403
404/* Computes p_result = p_product % curve_p.
405 * See algorithm 5 and 6 from
406 * http://www.isys.uni-klu.ac.at/PDF/2001-0126-MT.pdf
407 */
408static void vli_mmod_fast_192(u64 *result, const u64 *product,
409 const u64 *curve_prime, u64 *tmp)
410{
411 const unsigned int ndigits = 3;
412 int carry;
413
414 vli_set(result, product, ndigits);
415
416 vli_set(tmp, &product[3], ndigits);
417 carry = vli_add(result, result, tmp, ndigits);
418
419 tmp[0] = 0;
420 tmp[1] = product[3];
421 tmp[2] = product[4];
422 carry += vli_add(result, result, tmp, ndigits);
423
424 tmp[0] = tmp[1] = product[5];
425 tmp[2] = 0;
426 carry += vli_add(result, result, tmp, ndigits);
427
428 while (carry || vli_cmp(curve_prime, result, ndigits) != 1)
429 carry -= vli_sub(result, result, curve_prime, ndigits);
430}
431
432/* Computes result = product % curve_prime
433 * from http://www.nsa.gov/ia/_files/nist-routines.pdf
434 */
435static void vli_mmod_fast_256(u64 *result, const u64 *product,
436 const u64 *curve_prime, u64 *tmp)
437{
438 int carry;
439 const unsigned int ndigits = 4;
440
441 /* t */
442 vli_set(result, product, ndigits);
443
444 /* s1 */
445 tmp[0] = 0;
446 tmp[1] = product[5] & 0xffffffff00000000ull;
447 tmp[2] = product[6];
448 tmp[3] = product[7];
449 carry = vli_lshift(tmp, tmp, 1, ndigits);
450 carry += vli_add(result, result, tmp, ndigits);
451
452 /* s2 */
453 tmp[1] = product[6] << 32;
454 tmp[2] = (product[6] >> 32) | (product[7] << 32);
455 tmp[3] = product[7] >> 32;
456 carry += vli_lshift(tmp, tmp, 1, ndigits);
457 carry += vli_add(result, result, tmp, ndigits);
458
459 /* s3 */
460 tmp[0] = product[4];
461 tmp[1] = product[5] & 0xffffffff;
462 tmp[2] = 0;
463 tmp[3] = product[7];
464 carry += vli_add(result, result, tmp, ndigits);
465
466 /* s4 */
467 tmp[0] = (product[4] >> 32) | (product[5] << 32);
468 tmp[1] = (product[5] >> 32) | (product[6] & 0xffffffff00000000ull);
469 tmp[2] = product[7];
470 tmp[3] = (product[6] >> 32) | (product[4] << 32);
471 carry += vli_add(result, result, tmp, ndigits);
472
473 /* d1 */
474 tmp[0] = (product[5] >> 32) | (product[6] << 32);
475 tmp[1] = (product[6] >> 32);
476 tmp[2] = 0;
477 tmp[3] = (product[4] & 0xffffffff) | (product[5] << 32);
478 carry -= vli_sub(result, result, tmp, ndigits);
479
480 /* d2 */
481 tmp[0] = product[6];
482 tmp[1] = product[7];
483 tmp[2] = 0;
484 tmp[3] = (product[4] >> 32) | (product[5] & 0xffffffff00000000ull);
485 carry -= vli_sub(result, result, tmp, ndigits);
486
487 /* d3 */
488 tmp[0] = (product[6] >> 32) | (product[7] << 32);
489 tmp[1] = (product[7] >> 32) | (product[4] << 32);
490 tmp[2] = (product[4] >> 32) | (product[5] << 32);
491 tmp[3] = (product[6] << 32);
492 carry -= vli_sub(result, result, tmp, ndigits);
493
494 /* d4 */
495 tmp[0] = product[7];
496 tmp[1] = product[4] & 0xffffffff00000000ull;
497 tmp[2] = product[5];
498 tmp[3] = product[6] & 0xffffffff00000000ull;
499 carry -= vli_sub(result, result, tmp, ndigits);
500
501 if (carry < 0) {
502 do {
503 carry += vli_add(result, result, curve_prime, ndigits);
504 } while (carry < 0);
505 } else {
506 while (carry || vli_cmp(curve_prime, result, ndigits) != 1)
507 carry -= vli_sub(result, result, curve_prime, ndigits);
508 }
509}
510
511/* Computes result = product % curve_prime
512 * from http://www.nsa.gov/ia/_files/nist-routines.pdf
513*/
514static bool vli_mmod_fast(u64 *result, u64 *product,
515 const u64 *curve_prime, unsigned int ndigits)
516{
517 u64 tmp[2 * ndigits];
518
519 switch (ndigits) {
520 case 3:
521 vli_mmod_fast_192(result, product, curve_prime, tmp);
522 break;
523 case 4:
524 vli_mmod_fast_256(result, product, curve_prime, tmp);
525 break;
526 default:
527 pr_err("unsupports digits size!\n");
528 return false;
529 }
530
531 return true;
532}
533
534/* Computes result = (left * right) % curve_prime. */
535static void vli_mod_mult_fast(u64 *result, const u64 *left, const u64 *right,
536 const u64 *curve_prime, unsigned int ndigits)
537{
538 u64 product[2 * ndigits];
539
540 vli_mult(product, left, right, ndigits);
541 vli_mmod_fast(result, product, curve_prime, ndigits);
542}
543
544/* Computes result = left^2 % curve_prime. */
545static void vli_mod_square_fast(u64 *result, const u64 *left,
546 const u64 *curve_prime, unsigned int ndigits)
547{
548 u64 product[2 * ndigits];
549
550 vli_square(product, left, ndigits);
551 vli_mmod_fast(result, product, curve_prime, ndigits);
552}
553
554#define EVEN(vli) (!(vli[0] & 1))
555/* Computes result = (1 / p_input) % mod. All VLIs are the same size.
556 * See "From Euclid's GCD to Montgomery Multiplication to the Great Divide"
557 * https://labs.oracle.com/techrep/2001/smli_tr-2001-95.pdf
558 */
559static void vli_mod_inv(u64 *result, const u64 *input, const u64 *mod,
560 unsigned int ndigits)
561{
562 u64 a[ndigits], b[ndigits];
563 u64 u[ndigits], v[ndigits];
564 u64 carry;
565 int cmp_result;
566
567 if (vli_is_zero(input, ndigits)) {
568 vli_clear(result, ndigits);
569 return;
570 }
571
572 vli_set(a, input, ndigits);
573 vli_set(b, mod, ndigits);
574 vli_clear(u, ndigits);
575 u[0] = 1;
576 vli_clear(v, ndigits);
577
578 while ((cmp_result = vli_cmp(a, b, ndigits)) != 0) {
579 carry = 0;
580
581 if (EVEN(a)) {
582 vli_rshift1(a, ndigits);
583
584 if (!EVEN(u))
585 carry = vli_add(u, u, mod, ndigits);
586
587 vli_rshift1(u, ndigits);
588 if (carry)
589 u[ndigits - 1] |= 0x8000000000000000ull;
590 } else if (EVEN(b)) {
591 vli_rshift1(b, ndigits);
592
593 if (!EVEN(v))
594 carry = vli_add(v, v, mod, ndigits);
595
596 vli_rshift1(v, ndigits);
597 if (carry)
598 v[ndigits - 1] |= 0x8000000000000000ull;
599 } else if (cmp_result > 0) {
600 vli_sub(a, a, b, ndigits);
601 vli_rshift1(a, ndigits);
602
603 if (vli_cmp(u, v, ndigits) < 0)
604 vli_add(u, u, mod, ndigits);
605
606 vli_sub(u, u, v, ndigits);
607 if (!EVEN(u))
608 carry = vli_add(u, u, mod, ndigits);
609
610 vli_rshift1(u, ndigits);
611 if (carry)
612 u[ndigits - 1] |= 0x8000000000000000ull;
613 } else {
614 vli_sub(b, b, a, ndigits);
615 vli_rshift1(b, ndigits);
616
617 if (vli_cmp(v, u, ndigits) < 0)
618 vli_add(v, v, mod, ndigits);
619
620 vli_sub(v, v, u, ndigits);
621 if (!EVEN(v))
622 carry = vli_add(v, v, mod, ndigits);
623
624 vli_rshift1(v, ndigits);
625 if (carry)
626 v[ndigits - 1] |= 0x8000000000000000ull;
627 }
628 }
629
630 vli_set(result, u, ndigits);
631}
632
633/* ------ Point operations ------ */
634
635/* Returns true if p_point is the point at infinity, false otherwise. */
636static bool ecc_point_is_zero(const struct ecc_point *point)
637{
638 return (vli_is_zero(point->x, point->ndigits) &&
639 vli_is_zero(point->y, point->ndigits));
640}
641
642/* Point multiplication algorithm using Montgomery's ladder with co-Z
643 * coordinates. From http://eprint.iacr.org/2011/338.pdf
644 */
645
646/* Double in place */
647static void ecc_point_double_jacobian(u64 *x1, u64 *y1, u64 *z1,
648 u64 *curve_prime, unsigned int ndigits)
649{
650 /* t1 = x, t2 = y, t3 = z */
651 u64 t4[ndigits];
652 u64 t5[ndigits];
653
654 if (vli_is_zero(z1, ndigits))
655 return;
656
657 /* t4 = y1^2 */
658 vli_mod_square_fast(t4, y1, curve_prime, ndigits);
659 /* t5 = x1*y1^2 = A */
660 vli_mod_mult_fast(t5, x1, t4, curve_prime, ndigits);
661 /* t4 = y1^4 */
662 vli_mod_square_fast(t4, t4, curve_prime, ndigits);
663 /* t2 = y1*z1 = z3 */
664 vli_mod_mult_fast(y1, y1, z1, curve_prime, ndigits);
665 /* t3 = z1^2 */
666 vli_mod_square_fast(z1, z1, curve_prime, ndigits);
667
668 /* t1 = x1 + z1^2 */
669 vli_mod_add(x1, x1, z1, curve_prime, ndigits);
670 /* t3 = 2*z1^2 */
671 vli_mod_add(z1, z1, z1, curve_prime, ndigits);
672 /* t3 = x1 - z1^2 */
673 vli_mod_sub(z1, x1, z1, curve_prime, ndigits);
674 /* t1 = x1^2 - z1^4 */
675 vli_mod_mult_fast(x1, x1, z1, curve_prime, ndigits);
676
677 /* t3 = 2*(x1^2 - z1^4) */
678 vli_mod_add(z1, x1, x1, curve_prime, ndigits);
679 /* t1 = 3*(x1^2 - z1^4) */
680 vli_mod_add(x1, x1, z1, curve_prime, ndigits);
681 if (vli_test_bit(x1, 0)) {
682 u64 carry = vli_add(x1, x1, curve_prime, ndigits);
683
684 vli_rshift1(x1, ndigits);
685 x1[ndigits - 1] |= carry << 63;
686 } else {
687 vli_rshift1(x1, ndigits);
688 }
689 /* t1 = 3/2*(x1^2 - z1^4) = B */
690
691 /* t3 = B^2 */
692 vli_mod_square_fast(z1, x1, curve_prime, ndigits);
693 /* t3 = B^2 - A */
694 vli_mod_sub(z1, z1, t5, curve_prime, ndigits);
695 /* t3 = B^2 - 2A = x3 */
696 vli_mod_sub(z1, z1, t5, curve_prime, ndigits);
697 /* t5 = A - x3 */
698 vli_mod_sub(t5, t5, z1, curve_prime, ndigits);
699 /* t1 = B * (A - x3) */
700 vli_mod_mult_fast(x1, x1, t5, curve_prime, ndigits);
701 /* t4 = B * (A - x3) - y1^4 = y3 */
702 vli_mod_sub(t4, x1, t4, curve_prime, ndigits);
703
704 vli_set(x1, z1, ndigits);
705 vli_set(z1, y1, ndigits);
706 vli_set(y1, t4, ndigits);
707}
708
709/* Modify (x1, y1) => (x1 * z^2, y1 * z^3) */
710static void apply_z(u64 *x1, u64 *y1, u64 *z, u64 *curve_prime,
711 unsigned int ndigits)
712{
713 u64 t1[ndigits];
714
715 vli_mod_square_fast(t1, z, curve_prime, ndigits); /* z^2 */
716 vli_mod_mult_fast(x1, x1, t1, curve_prime, ndigits); /* x1 * z^2 */
717 vli_mod_mult_fast(t1, t1, z, curve_prime, ndigits); /* z^3 */
718 vli_mod_mult_fast(y1, y1, t1, curve_prime, ndigits); /* y1 * z^3 */
719}
720
721/* P = (x1, y1) => 2P, (x2, y2) => P' */
722static void xycz_initial_double(u64 *x1, u64 *y1, u64 *x2, u64 *y2,
723 u64 *p_initial_z, u64 *curve_prime,
724 unsigned int ndigits)
725{
726 u64 z[ndigits];
727
728 vli_set(x2, x1, ndigits);
729 vli_set(y2, y1, ndigits);
730
731 vli_clear(z, ndigits);
732 z[0] = 1;
733
734 if (p_initial_z)
735 vli_set(z, p_initial_z, ndigits);
736
737 apply_z(x1, y1, z, curve_prime, ndigits);
738
739 ecc_point_double_jacobian(x1, y1, z, curve_prime, ndigits);
740
741 apply_z(x2, y2, z, curve_prime, ndigits);
742}
743
744/* Input P = (x1, y1, Z), Q = (x2, y2, Z)
745 * Output P' = (x1', y1', Z3), P + Q = (x3, y3, Z3)
746 * or P => P', Q => P + Q
747 */
748static void xycz_add(u64 *x1, u64 *y1, u64 *x2, u64 *y2, u64 *curve_prime,
749 unsigned int ndigits)
750{
751 /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */
752 u64 t5[ndigits];
753
754 /* t5 = x2 - x1 */
755 vli_mod_sub(t5, x2, x1, curve_prime, ndigits);
756 /* t5 = (x2 - x1)^2 = A */
757 vli_mod_square_fast(t5, t5, curve_prime, ndigits);
758 /* t1 = x1*A = B */
759 vli_mod_mult_fast(x1, x1, t5, curve_prime, ndigits);
760 /* t3 = x2*A = C */
761 vli_mod_mult_fast(x2, x2, t5, curve_prime, ndigits);
762 /* t4 = y2 - y1 */
763 vli_mod_sub(y2, y2, y1, curve_prime, ndigits);
764 /* t5 = (y2 - y1)^2 = D */
765 vli_mod_square_fast(t5, y2, curve_prime, ndigits);
766
767 /* t5 = D - B */
768 vli_mod_sub(t5, t5, x1, curve_prime, ndigits);
769 /* t5 = D - B - C = x3 */
770 vli_mod_sub(t5, t5, x2, curve_prime, ndigits);
771 /* t3 = C - B */
772 vli_mod_sub(x2, x2, x1, curve_prime, ndigits);
773 /* t2 = y1*(C - B) */
774 vli_mod_mult_fast(y1, y1, x2, curve_prime, ndigits);
775 /* t3 = B - x3 */
776 vli_mod_sub(x2, x1, t5, curve_prime, ndigits);
777 /* t4 = (y2 - y1)*(B - x3) */
778 vli_mod_mult_fast(y2, y2, x2, curve_prime, ndigits);
779 /* t4 = y3 */
780 vli_mod_sub(y2, y2, y1, curve_prime, ndigits);
781
782 vli_set(x2, t5, ndigits);
783}
784
785/* Input P = (x1, y1, Z), Q = (x2, y2, Z)
786 * Output P + Q = (x3, y3, Z3), P - Q = (x3', y3', Z3)
787 * or P => P - Q, Q => P + Q
788 */
789static void xycz_add_c(u64 *x1, u64 *y1, u64 *x2, u64 *y2, u64 *curve_prime,
790 unsigned int ndigits)
791{
792 /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */
793 u64 t5[ndigits];
794 u64 t6[ndigits];
795 u64 t7[ndigits];
796
797 /* t5 = x2 - x1 */
798 vli_mod_sub(t5, x2, x1, curve_prime, ndigits);
799 /* t5 = (x2 - x1)^2 = A */
800 vli_mod_square_fast(t5, t5, curve_prime, ndigits);
801 /* t1 = x1*A = B */
802 vli_mod_mult_fast(x1, x1, t5, curve_prime, ndigits);
803 /* t3 = x2*A = C */
804 vli_mod_mult_fast(x2, x2, t5, curve_prime, ndigits);
805 /* t4 = y2 + y1 */
806 vli_mod_add(t5, y2, y1, curve_prime, ndigits);
807 /* t4 = y2 - y1 */
808 vli_mod_sub(y2, y2, y1, curve_prime, ndigits);
809
810 /* t6 = C - B */
811 vli_mod_sub(t6, x2, x1, curve_prime, ndigits);
812 /* t2 = y1 * (C - B) */
813 vli_mod_mult_fast(y1, y1, t6, curve_prime, ndigits);
814 /* t6 = B + C */
815 vli_mod_add(t6, x1, x2, curve_prime, ndigits);
816 /* t3 = (y2 - y1)^2 */
817 vli_mod_square_fast(x2, y2, curve_prime, ndigits);
818 /* t3 = x3 */
819 vli_mod_sub(x2, x2, t6, curve_prime, ndigits);
820
821 /* t7 = B - x3 */
822 vli_mod_sub(t7, x1, x2, curve_prime, ndigits);
823 /* t4 = (y2 - y1)*(B - x3) */
824 vli_mod_mult_fast(y2, y2, t7, curve_prime, ndigits);
825 /* t4 = y3 */
826 vli_mod_sub(y2, y2, y1, curve_prime, ndigits);
827
828 /* t7 = (y2 + y1)^2 = F */
829 vli_mod_square_fast(t7, t5, curve_prime, ndigits);
830 /* t7 = x3' */
831 vli_mod_sub(t7, t7, t6, curve_prime, ndigits);
832 /* t6 = x3' - B */
833 vli_mod_sub(t6, t7, x1, curve_prime, ndigits);
834 /* t6 = (y2 + y1)*(x3' - B) */
835 vli_mod_mult_fast(t6, t6, t5, curve_prime, ndigits);
836 /* t2 = y3' */
837 vli_mod_sub(y1, t6, y1, curve_prime, ndigits);
838
839 vli_set(x1, t7, ndigits);
840}
841
842static void ecc_point_mult(struct ecc_point *result,
843 const struct ecc_point *point, const u64 *scalar,
844 u64 *initial_z, u64 *curve_prime,
845 unsigned int ndigits)
846{
847 /* R0 and R1 */
848 u64 rx[2][ndigits];
849 u64 ry[2][ndigits];
850 u64 z[ndigits];
851 int i, nb;
852 int num_bits = vli_num_bits(scalar, ndigits);
853
854 vli_set(rx[1], point->x, ndigits);
855 vli_set(ry[1], point->y, ndigits);
856
857 xycz_initial_double(rx[1], ry[1], rx[0], ry[0], initial_z, curve_prime,
858 ndigits);
859
860 for (i = num_bits - 2; i > 0; i--) {
861 nb = !vli_test_bit(scalar, i);
862 xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb], curve_prime,
863 ndigits);
864 xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb], curve_prime,
865 ndigits);
866 }
867
868 nb = !vli_test_bit(scalar, 0);
869 xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb], curve_prime,
870 ndigits);
871
872 /* Find final 1/Z value. */
873 /* X1 - X0 */
874 vli_mod_sub(z, rx[1], rx[0], curve_prime, ndigits);
875 /* Yb * (X1 - X0) */
876 vli_mod_mult_fast(z, z, ry[1 - nb], curve_prime, ndigits);
877 /* xP * Yb * (X1 - X0) */
878 vli_mod_mult_fast(z, z, point->x, curve_prime, ndigits);
879
880 /* 1 / (xP * Yb * (X1 - X0)) */
881 vli_mod_inv(z, z, curve_prime, point->ndigits);
882
883 /* yP / (xP * Yb * (X1 - X0)) */
884 vli_mod_mult_fast(z, z, point->y, curve_prime, ndigits);
885 /* Xb * yP / (xP * Yb * (X1 - X0)) */
886 vli_mod_mult_fast(z, z, rx[1 - nb], curve_prime, ndigits);
887 /* End 1/Z calculation */
888
889 xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb], curve_prime, ndigits);
890
891 apply_z(rx[0], ry[0], z, curve_prime, ndigits);
892
893 vli_set(result->x, rx[0], ndigits);
894 vli_set(result->y, ry[0], ndigits);
895}
896
897static inline void ecc_swap_digits(const u64 *in, u64 *out,
898 unsigned int ndigits)
899{
900 int i;
901
902 for (i = 0; i < ndigits; i++)
903 out[i] = __swab64(in[ndigits - 1 - i]);
904}
905
906int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
907 const u8 *private_key, unsigned int private_key_len)
908{
909 int nbytes;
910 const struct ecc_curve *curve = ecc_get_curve(curve_id);
911
912 if (!private_key)
913 return -EINVAL;
914
915 nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
916
917 if (private_key_len != nbytes)
918 return -EINVAL;
919
920 if (vli_is_zero((const u64 *)&private_key[0], ndigits))
921 return -EINVAL;
922
923 /* Make sure the private key is in the range [1, n-1]. */
924 if (vli_cmp(curve->n, (const u64 *)&private_key[0], ndigits) != 1)
925 return -EINVAL;
926
927 return 0;
928}
929
930int ecdh_make_pub_key(unsigned int curve_id, unsigned int ndigits,
931 const u8 *private_key, unsigned int private_key_len,
932 u8 *public_key, unsigned int public_key_len)
933{
934 int ret = 0;
935 struct ecc_point *pk;
936 u64 priv[ndigits];
937 unsigned int nbytes;
938 const struct ecc_curve *curve = ecc_get_curve(curve_id);
939
940 if (!private_key || !curve) {
941 ret = -EINVAL;
942 goto out;
943 }
944
945 ecc_swap_digits((const u64 *)private_key, priv, ndigits);
946
947 pk = ecc_alloc_point(ndigits);
948 if (!pk) {
949 ret = -ENOMEM;
950 goto out;
951 }
952
953 ecc_point_mult(pk, &curve->g, priv, NULL, curve->p, ndigits);
954 if (ecc_point_is_zero(pk)) {
955 ret = -EAGAIN;
956 goto err_free_point;
957 }
958
959 nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
960 ecc_swap_digits(pk->x, (u64 *)public_key, ndigits);
961 ecc_swap_digits(pk->y, (u64 *)&public_key[nbytes], ndigits);
962
963err_free_point:
964 ecc_free_point(pk);
965out:
966 return ret;
967}
968
969int ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
970 const u8 *private_key, unsigned int private_key_len,
971 const u8 *public_key, unsigned int public_key_len,
972 u8 *secret, unsigned int secret_len)
973{
974 int ret = 0;
975 struct ecc_point *product, *pk;
976 u64 priv[ndigits];
977 u64 rand_z[ndigits];
978 unsigned int nbytes;
979 const struct ecc_curve *curve = ecc_get_curve(curve_id);
980
981 if (!private_key || !public_key || !curve) {
982 ret = -EINVAL;
983 goto out;
984 }
985
986 nbytes = ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
987
988 get_random_bytes(rand_z, nbytes);
989
990 pk = ecc_alloc_point(ndigits);
991 if (!pk) {
992 ret = -ENOMEM;
993 goto out;
994 }
995
996 product = ecc_alloc_point(ndigits);
997 if (!product) {
998 ret = -ENOMEM;
999 goto err_alloc_product;
1000 }
1001
1002 ecc_swap_digits((const u64 *)public_key, pk->x, ndigits);
1003 ecc_swap_digits((const u64 *)&public_key[nbytes], pk->y, ndigits);
1004 ecc_swap_digits((const u64 *)private_key, priv, ndigits);
1005
1006 ecc_point_mult(product, pk, priv, rand_z, curve->p, ndigits);
1007
1008 ecc_swap_digits(product->x, (u64 *)secret, ndigits);
1009
1010 if (ecc_point_is_zero(product))
1011 ret = -EFAULT;
1012
1013 ecc_free_point(product);
1014err_alloc_product:
1015 ecc_free_point(pk);
1016out:
1017 return ret;
1018}
diff --git a/crypto/ecc.h b/crypto/ecc.h
new file mode 100644
index 000000000000..b5db4b989f3c
--- /dev/null
+++ b/crypto/ecc.h
@@ -0,0 +1,83 @@
1/*
2 * Copyright (c) 2013, Kenneth MacKay
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are
7 * met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
16 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
17 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
18 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
19 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
20 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26#ifndef _CRYPTO_ECC_H
27#define _CRYPTO_ECC_H
28
29#define ECC_MAX_DIGITS 4 /* 256 */
30
31#define ECC_DIGITS_TO_BYTES_SHIFT 3
32
33/**
34 * ecc_is_key_valid() - Validate a given ECDH private key
35 *
36 * @curve_id: id representing the curve to use
37 * @ndigits: curve number of digits
38 * @private_key: private key to be used for the given curve
39 * @private_key_len: private key len
40 *
41 * Returns 0 if the key is acceptable, a negative value otherwise
42 */
43int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits,
44 const u8 *private_key, unsigned int private_key_len);
45
46/**
47 * ecdh_make_pub_key() - Compute an ECC public key
48 *
49 * @curve_id: id representing the curve to use
50 * @private_key: pregenerated private key for the given curve
51 * @private_key_len: length of private_key
52 * @public_key: buffer for storing the public key generated
53 * @public_key_len: length of the public_key buffer
54 *
55 * Returns 0 if the public key was generated successfully, a negative value
56 * if an error occurred.
57 */
58int ecdh_make_pub_key(const unsigned int curve_id, unsigned int ndigits,
59 const u8 *private_key, unsigned int private_key_len,
60 u8 *public_key, unsigned int public_key_len);
61
62/**
63 * ecdh_shared_secret() - Compute a shared secret
64 *
65 * @curve_id: id representing the curve to use
66 * @private_key: private key of part A
67 * @private_key_len: length of private_key
68 * @public_key: public key of counterpart B
69 * @public_key_len: length of public_key
70 * @secret: buffer for storing the calculated shared secret
71 * @secret_len: length of the secret buffer
72 *
73 * Note: It is recommended that you hash the result of ecdh_shared_secret
74 * before using it for symmetric encryption or HMAC.
75 *
76 * Returns 0 if the shared secret was generated successfully, a negative value
77 * if an error occurred.
78 */
79int ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits,
80 const u8 *private_key, unsigned int private_key_len,
81 const u8 *public_key, unsigned int public_key_len,
82 u8 *secret, unsigned int secret_len);
83#endif
diff --git a/crypto/ecc_curve_defs.h b/crypto/ecc_curve_defs.h
new file mode 100644
index 000000000000..03ae5f714028
--- /dev/null
+++ b/crypto/ecc_curve_defs.h
@@ -0,0 +1,57 @@
1#ifndef _CRYTO_ECC_CURVE_DEFS_H
2#define _CRYTO_ECC_CURVE_DEFS_H
3
4struct ecc_point {
5 u64 *x;
6 u64 *y;
7 u8 ndigits;
8};
9
10struct ecc_curve {
11 char *name;
12 struct ecc_point g;
13 u64 *p;
14 u64 *n;
15};
16
17/* NIST P-192 */
18static u64 nist_p192_g_x[] = { 0xF4FF0AFD82FF1012ull, 0x7CBF20EB43A18800ull,
19 0x188DA80EB03090F6ull };
20static u64 nist_p192_g_y[] = { 0x73F977A11E794811ull, 0x631011ED6B24CDD5ull,
21 0x07192B95FFC8DA78ull };
22static u64 nist_p192_p[] = { 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFFFFFFFFFEull,
23 0xFFFFFFFFFFFFFFFFull };
24static u64 nist_p192_n[] = { 0x146BC9B1B4D22831ull, 0xFFFFFFFF99DEF836ull,
25 0xFFFFFFFFFFFFFFFFull };
26static struct ecc_curve nist_p192 = {
27 .name = "nist_192",
28 .g = {
29 .x = nist_p192_g_x,
30 .y = nist_p192_g_y,
31 .ndigits = 3,
32 },
33 .p = nist_p192_p,
34 .n = nist_p192_n
35};
36
37/* NIST P-256 */
38static u64 nist_p256_g_x[] = { 0xF4A13945D898C296ull, 0x77037D812DEB33A0ull,
39 0xF8BCE6E563A440F2ull, 0x6B17D1F2E12C4247ull };
40static u64 nist_p256_g_y[] = { 0xCBB6406837BF51F5ull, 0x2BCE33576B315ECEull,
41 0x8EE7EB4A7C0F9E16ull, 0x4FE342E2FE1A7F9Bull };
42static u64 nist_p256_p[] = { 0xFFFFFFFFFFFFFFFFull, 0x00000000FFFFFFFFull,
43 0x0000000000000000ull, 0xFFFFFFFF00000001ull };
44static u64 nist_p256_n[] = { 0xF3B9CAC2FC632551ull, 0xBCE6FAADA7179E84ull,
45 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFF00000000ull };
46static struct ecc_curve nist_p256 = {
47 .name = "nist_256",
48 .g = {
49 .x = nist_p256_g_x,
50 .y = nist_p256_g_y,
51 .ndigits = 4,
52 },
53 .p = nist_p256_p,
54 .n = nist_p256_n
55};
56
57#endif
diff --git a/crypto/ecdh.c b/crypto/ecdh.c
new file mode 100644
index 000000000000..d3a9eeca4b32
--- /dev/null
+++ b/crypto/ecdh.c
@@ -0,0 +1,151 @@
1/* ECDH key-agreement protocol
2 *
3 * Copyright (c) 2016, Intel Corporation
4 * Authors: Salvator Benedetto <salvatore.benedetto@intel.com>
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#include <linux/module.h>
13#include <crypto/internal/kpp.h>
14#include <crypto/kpp.h>
15#include <crypto/ecdh.h>
16#include <linux/scatterlist.h>
17#include "ecc.h"
18
19struct ecdh_ctx {
20 unsigned int curve_id;
21 unsigned int ndigits;
22 u64 private_key[ECC_MAX_DIGITS];
23 u64 public_key[2 * ECC_MAX_DIGITS];
24 u64 shared_secret[ECC_MAX_DIGITS];
25};
26
27static inline struct ecdh_ctx *ecdh_get_ctx(struct crypto_kpp *tfm)
28{
29 return kpp_tfm_ctx(tfm);
30}
31
32static unsigned int ecdh_supported_curve(unsigned int curve_id)
33{
34 switch (curve_id) {
35 case ECC_CURVE_NIST_P192: return 3;
36 case ECC_CURVE_NIST_P256: return 4;
37 default: return 0;
38 }
39}
40
41static int ecdh_set_secret(struct crypto_kpp *tfm, void *buf, unsigned int len)
42{
43 struct ecdh_ctx *ctx = ecdh_get_ctx(tfm);
44 struct ecdh params;
45 unsigned int ndigits;
46
47 if (crypto_ecdh_decode_key(buf, len, &params) < 0)
48 return -EINVAL;
49
50 ndigits = ecdh_supported_curve(params.curve_id);
51 if (!ndigits)
52 return -EINVAL;
53
54 ctx->curve_id = params.curve_id;
55 ctx->ndigits = ndigits;
56
57 if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits,
58 (const u8 *)params.key, params.key_size) < 0)
59 return -EINVAL;
60
61 memcpy(ctx->private_key, params.key, params.key_size);
62
63 return 0;
64}
65
66static int ecdh_compute_value(struct kpp_request *req)
67{
68 int ret = 0;
69 struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
70 struct ecdh_ctx *ctx = ecdh_get_ctx(tfm);
71 size_t copied, nbytes;
72 void *buf;
73
74 nbytes = ctx->ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
75
76 if (req->src) {
77 copied = sg_copy_to_buffer(req->src, 1, ctx->public_key,
78 2 * nbytes);
79 if (copied != 2 * nbytes)
80 return -EINVAL;
81
82 ret = ecdh_shared_secret(ctx->curve_id, ctx->ndigits,
83 (const u8 *)ctx->private_key, nbytes,
84 (const u8 *)ctx->public_key, 2 * nbytes,
85 (u8 *)ctx->shared_secret, nbytes);
86
87 buf = ctx->shared_secret;
88 } else {
89 ret = ecdh_make_pub_key(ctx->curve_id, ctx->ndigits,
90 (const u8 *)ctx->private_key, nbytes,
91 (u8 *)ctx->public_key,
92 sizeof(ctx->public_key));
93 buf = ctx->public_key;
94 /* Public part is a point thus it has both coordinates */
95 nbytes *= 2;
96 }
97
98 if (ret < 0)
99 return ret;
100
101 copied = sg_copy_from_buffer(req->dst, 1, buf, nbytes);
102 if (copied != nbytes)
103 return -EINVAL;
104
105 return ret;
106}
107
108static int ecdh_max_size(struct crypto_kpp *tfm)
109{
110 struct ecdh_ctx *ctx = ecdh_get_ctx(tfm);
111 int nbytes = ctx->ndigits << ECC_DIGITS_TO_BYTES_SHIFT;
112
113 /* Public key is made of two coordinates */
114 return 2 * nbytes;
115}
116
117static void no_exit_tfm(struct crypto_kpp *tfm)
118{
119 return;
120}
121
122static struct kpp_alg ecdh = {
123 .set_secret = ecdh_set_secret,
124 .generate_public_key = ecdh_compute_value,
125 .compute_shared_secret = ecdh_compute_value,
126 .max_size = ecdh_max_size,
127 .exit = no_exit_tfm,
128 .base = {
129 .cra_name = "ecdh",
130 .cra_driver_name = "ecdh-generic",
131 .cra_priority = 100,
132 .cra_module = THIS_MODULE,
133 .cra_ctxsize = sizeof(struct ecdh_ctx),
134 },
135};
136
137static int ecdh_init(void)
138{
139 return crypto_register_kpp(&ecdh);
140}
141
142static void ecdh_exit(void)
143{
144 crypto_unregister_kpp(&ecdh);
145}
146
147module_init(ecdh_init);
148module_exit(ecdh_exit);
149MODULE_ALIAS_CRYPTO("ecdh");
150MODULE_LICENSE("GPL");
151MODULE_DESCRIPTION("ECDH generic algorithm");
diff --git a/crypto/ecdh_helper.c b/crypto/ecdh_helper.c
new file mode 100644
index 000000000000..3cd8a2414e60
--- /dev/null
+++ b/crypto/ecdh_helper.c
@@ -0,0 +1,86 @@
1/*
2 * Copyright (c) 2016, Intel Corporation
3 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public Licence
7 * as published by the Free Software Foundation; either version
8 * 2 of the Licence, or (at your option) any later version.
9 */
10#include <linux/kernel.h>
11#include <linux/export.h>
12#include <linux/err.h>
13#include <linux/string.h>
14#include <crypto/ecdh.h>
15#include <crypto/kpp.h>
16
17#define ECDH_KPP_SECRET_MIN_SIZE (sizeof(struct kpp_secret) + 2 * sizeof(short))
18
19static inline u8 *ecdh_pack_data(void *dst, const void *src, size_t sz)
20{
21 memcpy(dst, src, sz);
22 return dst + sz;
23}
24
25static inline const u8 *ecdh_unpack_data(void *dst, const void *src, size_t sz)
26{
27 memcpy(dst, src, sz);
28 return src + sz;
29}
30
31int crypto_ecdh_key_len(const struct ecdh *params)
32{
33 return ECDH_KPP_SECRET_MIN_SIZE + params->key_size;
34}
35EXPORT_SYMBOL_GPL(crypto_ecdh_key_len);
36
37int crypto_ecdh_encode_key(char *buf, unsigned int len,
38 const struct ecdh *params)
39{
40 u8 *ptr = buf;
41 struct kpp_secret secret = {
42 .type = CRYPTO_KPP_SECRET_TYPE_ECDH,
43 .len = len
44 };
45
46 if (unlikely(!buf))
47 return -EINVAL;
48
49 if (len != crypto_ecdh_key_len(params))
50 return -EINVAL;
51
52 ptr = ecdh_pack_data(ptr, &secret, sizeof(secret));
53 ptr = ecdh_pack_data(ptr, &params->curve_id, sizeof(params->curve_id));
54 ptr = ecdh_pack_data(ptr, &params->key_size, sizeof(params->key_size));
55 ecdh_pack_data(ptr, params->key, params->key_size);
56
57 return 0;
58}
59EXPORT_SYMBOL_GPL(crypto_ecdh_encode_key);
60
61int crypto_ecdh_decode_key(const char *buf, unsigned int len,
62 struct ecdh *params)
63{
64 const u8 *ptr = buf;
65 struct kpp_secret secret;
66
67 if (unlikely(!buf || len < ECDH_KPP_SECRET_MIN_SIZE))
68 return -EINVAL;
69
70 ptr = ecdh_unpack_data(&secret, ptr, sizeof(secret));
71 if (secret.type != CRYPTO_KPP_SECRET_TYPE_ECDH)
72 return -EINVAL;
73
74 ptr = ecdh_unpack_data(&params->curve_id, ptr, sizeof(params->curve_id));
75 ptr = ecdh_unpack_data(&params->key_size, ptr, sizeof(params->key_size));
76 if (secret.len != crypto_ecdh_key_len(params))
77 return -EINVAL;
78
79 /* Don't allocate memory. Set pointer to data
80 * within the given buffer
81 */
82 params->key = (void *)ptr;
83
84 return 0;
85}
86EXPORT_SYMBOL_GPL(crypto_ecdh_decode_key);
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index ff79eb887fd0..537fdc380a7b 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -3301,6 +3301,16 @@ static const struct alg_test_desc alg_test_descs[] = {
3301 } 3301 }
3302 } 3302 }
3303 }, { 3303 }, {
3304 .alg = "ecdh",
3305 .test = alg_test_kpp,
3306 .fips_allowed = 1,
3307 .suite = {
3308 .kpp = {
3309 .vecs = ecdh_tv_template,
3310 .count = ECDH_TEST_VECTORS
3311 }
3312 }
3313 }, {
3304 .alg = "gcm(aes)", 3314 .alg = "gcm(aes)",
3305 .test = alg_test_aead, 3315 .test = alg_test_aead,
3306 .fips_allowed = 1, 3316 .fips_allowed = 1,
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index 78e874eca031..7358931b3082 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -560,6 +560,99 @@ struct kpp_testvec dh_tv_template[] = {
560 } 560 }
561}; 561};
562 562
563#ifdef CONFIG_CRYPTO_FIPS
564#define ECDH_TEST_VECTORS 1
565#else
566#define ECDH_TEST_VECTORS 2
567#endif
568struct kpp_testvec ecdh_tv_template[] = {
569 {
570#ifndef CONFIG_CRYPTO_FIPS
571 .secret =
572#ifdef __LITTLE_ENDIAN
573 "\x02\x00" /* type */
574 "\x20\x00" /* len */
575 "\x01\x00" /* curve_id */
576 "\x18\x00" /* key_size */
577#else
578 "\x00\x02" /* type */
579 "\x00\x20" /* len */
580 "\x00\x01" /* curve_id */
581 "\x00\x18" /* key_size */
582#endif
583 "\xb5\x05\xb1\x71\x1e\xbf\x8c\xda"
584 "\x4e\x19\x1e\x62\x1f\x23\x23\x31"
585 "\x36\x1e\xd3\x84\x2f\xcc\x21\x72",
586 .b_public =
587 "\xc3\xba\x67\x4b\x71\xec\xd0\x76"
588 "\x7a\x99\x75\x64\x36\x13\x9a\x94"
589 "\x5d\x8b\xdc\x60\x90\x91\xfd\x3f"
590 "\xb0\x1f\x8a\x0a\x68\xc6\x88\x6e"
591 "\x83\x87\xdd\x67\x09\xf8\x8d\x96"
592 "\x07\xd6\xbd\x1c\xe6\x8d\x9d\x67",
593 .expected_a_public =
594 "\x1a\x04\xdb\xa5\xe1\xdd\x4e\x79"
595 "\xa3\xe6\xef\x0e\x5c\x80\x49\x85"
596 "\xfa\x78\xb4\xef\x49\xbd\x4c\x7c"
597 "\x22\x90\x21\x02\xf9\x1b\x81\x5d"
598 "\x0c\x8a\xa8\x98\xd6\x27\x69\x88"
599 "\x5e\xbc\x94\xd8\x15\x9e\x21\xce",
600 .expected_ss =
601 "\xf4\x57\xcc\x4f\x1f\x4e\x31\xcc"
602 "\xe3\x40\x60\xc8\x06\x93\xc6\x2e"
603 "\x99\x80\x81\x28\xaf\xc5\x51\x74",
604 .secret_size = 32,
605 .b_public_size = 48,
606 .expected_a_public_size = 48,
607 .expected_ss_size = 24
608 }, {
609#endif
610 .secret =
611#ifdef __LITTLE_ENDIAN
612 "\x02\x00" /* type */
613 "\x28\x00" /* len */
614 "\x02\x00" /* curve_id */
615 "\x20\x00" /* key_size */
616#else
617 "\x00\x02" /* type */
618 "\x00\x28" /* len */
619 "\x00\x02" /* curve_id */
620 "\x00\x20" /* key_size */
621#endif
622 "\x24\xd1\x21\xeb\xe5\xcf\x2d\x83"
623 "\xf6\x62\x1b\x6e\x43\x84\x3a\xa3"
624 "\x8b\xe0\x86\xc3\x20\x19\xda\x92"
625 "\x50\x53\x03\xe1\xc0\xea\xb8\x82",
626 .expected_a_public =
627 "\x1a\x7f\xeb\x52\x00\xbd\x3c\x31"
628 "\x7d\xb6\x70\xc1\x86\xa6\xc7\xc4"
629 "\x3b\xc5\x5f\x6c\x6f\x58\x3c\xf5"
630 "\xb6\x63\x82\x77\x33\x24\xa1\x5f"
631 "\x6a\xca\x43\x6f\xf7\x7e\xff\x02"
632 "\x37\x08\xcc\x40\x5e\x7a\xfd\x6a"
633 "\x6a\x02\x6e\x41\x87\x68\x38\x77"
634 "\xfa\xa9\x44\x43\x2d\xef\x09\xdf",
635 .expected_ss =
636 "\xea\x17\x6f\x7e\x6e\x57\x26\x38"
637 "\x8b\xfb\x41\xeb\xba\xc8\x6d\xa5"
638 "\xa8\x72\xd1\xff\xc9\x47\x3d\xaa"
639 "\x58\x43\x9f\x34\x0f\x8c\xf3\xc9",
640 .b_public =
641 "\xcc\xb4\xda\x74\xb1\x47\x3f\xea"
642 "\x6c\x70\x9e\x38\x2d\xc7\xaa\xb7"
643 "\x29\xb2\x47\x03\x19\xab\xdd\x34"
644 "\xbd\xa8\x2c\x93\xe1\xa4\x74\xd9"
645 "\x64\x63\xf7\x70\x20\x2f\xa4\xe6"
646 "\x9f\x4a\x38\xcc\xc0\x2c\x49\x2f"
647 "\xb1\x32\xbb\xaf\x22\x61\xda\xcb"
648 "\x6f\xdb\xa9\xaa\xfc\x77\x81\xf3",
649 .secret_size = 40,
650 .b_public_size = 64,
651 .expected_a_public_size = 64,
652 .expected_ss_size = 32
653 }
654};
655
563/* 656/*
564 * MD4 test vectors from RFC1320 657 * MD4 test vectors from RFC1320
565 */ 658 */
diff --git a/include/crypto/ecdh.h b/include/crypto/ecdh.h
new file mode 100644
index 000000000000..84bad548d194
--- /dev/null
+++ b/include/crypto/ecdh.h
@@ -0,0 +1,30 @@
1/*
2 * ECDH params to be used with kpp API
3 *
4 * Copyright (c) 2016, Intel Corporation
5 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the Free
9 * Software Foundation; either version 2 of the License, or (at your option)
10 * any later version.
11 *
12 */
13#ifndef _CRYPTO_ECDH_
14#define _CRYPTO_ECDH_
15
16/* Curves IDs */
17#define ECC_CURVE_NIST_P192 0x0001
18#define ECC_CURVE_NIST_P256 0x0002
19
20struct ecdh {
21 unsigned short curve_id;
22 char *key;
23 unsigned short key_size;
24};
25
26int crypto_ecdh_key_len(const struct ecdh *params);
27int crypto_ecdh_encode_key(char *buf, unsigned int len, const struct ecdh *p);
28int crypto_ecdh_decode_key(const char *buf, unsigned int len, struct ecdh *p);
29
30#endif
diff --git a/include/crypto/kpp.h b/include/crypto/kpp.h
index 937ac122354a..30791f75c180 100644
--- a/include/crypto/kpp.h
+++ b/include/crypto/kpp.h
@@ -243,6 +243,7 @@ static inline void kpp_request_set_output(struct kpp_request *req,
243enum { 243enum {
244 CRYPTO_KPP_SECRET_TYPE_UNKNOWN, 244 CRYPTO_KPP_SECRET_TYPE_UNKNOWN,
245 CRYPTO_KPP_SECRET_TYPE_DH, 245 CRYPTO_KPP_SECRET_TYPE_DH,
246 CRYPTO_KPP_SECRET_TYPE_ECDH,
246}; 247};
247 248
248/** 249/**