crypto: ghash - add comment and improve help text

To help avoid confusion, add a comment to ghash-generic.c which explains the convention that the kernel's implementation of GHASH uses. Also update the Kconfig help text and module descriptions to call GHASH a "hash function" rather than a "message digest", since the latter normally means a real cryptographic hash function, which GHASH is not. Cc: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Acked-by: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: Eric Biggers <ebiggers@google.com> 2019-07-20 02:09:18 -0400
committer: Herbert Xu <herbert@gondor.apana.org.au> 2019-07-27 07:08:38 -0400
commit: 8dfa20fcfbeb245642dfe3a43f8a3735d9aed42a (patch)
tree: 887e9ffb1793ff6f754ab839a528a170177f219d
parent: 065cf577135a4977931c7a1e1edf442bfd9773dd (diff)
7 files changed, 41 insertions, 16 deletions
diff --git a/arch/arm/crypto/ghash-ce-glue.c b/arch/arm/crypto/ghash-ce-glue.c
index bb906b5f1eb3..c691077679a6 100644
--- a/arch/arm/crypto/ghash-ce-glue.c
+++ b/arch/arm/crypto/ghash-ce-glue.c
@@ -18,7 +18,7 @@
 #include <linux/crypto.h>
 #include <linux/module.h>
-MODULE_DESCRIPTION("GHASH secure hash using ARMv8 Crypto Extensions");
+MODULE_DESCRIPTION("GHASH hash function using ARMv8 Crypto Extensions");
 MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
 MODULE_LICENSE("GPL v2");
 MODULE_ALIAS_CRYPTO("ghash");
diff --git a/arch/s390/crypto/ghash_s390.c b/arch/s390/crypto/ghash_s390.c
index eeeb6a7737a4..a3e7400e031c 100644
--- a/arch/s390/crypto/ghash_s390.c
+++ b/arch/s390/crypto/ghash_s390.c
@@ -153,4 +153,4 @@ module_exit(ghash_mod_exit);
 MODULE_ALIAS_CRYPTO("ghash");
 MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("GHASH Message Digest Algorithm, s390 implementation");
+MODULE_DESCRIPTION("GHASH hash function, s390 implementation");
diff --git a/arch/x86/crypto/ghash-clmulni-intel_glue.c b/arch/x86/crypto/ghash-clmulni-intel_glue.c
index ac76fe88ac4f..04d72a5a8ce9 100644
--- a/arch/x86/crypto/ghash-clmulni-intel_glue.c
+++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c
@@ -357,6 +357,5 @@ module_init(ghash_pclmulqdqni_mod_init);
 module_exit(ghash_pclmulqdqni_mod_exit);
 MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("GHASH Message Digest Algorithm, "
+MODULE_DESCRIPTION("GHASH hash function, accelerated by PCLMULQDQ-NI");
-                   "accelerated by PCLMULQDQ-NI");
 MODULE_ALIAS_CRYPTO("ghash");
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 2e7f08ba0675..455a3354e291 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -647,11 +647,12 @@ config CRYPTO_VPMSUM_TESTER
          Unless you are testing these algorithms, you don't need this.
 config CRYPTO_GHASH
-        tristate "GHASH digest algorithm"
+        tristate "GHASH hash function"
        select CRYPTO_GF128MUL
        select CRYPTO_HASH
        help
-          GHASH is message digest algorithm for GCM (Galois/Counter Mode).
+          GHASH is the hash function used in GCM (Galois/Counter Mode).
+          It is not a general-purpose cryptographic hash function.
 config CRYPTO_POLY1305
        tristate "Poly1305 authenticator algorithm"
@@ -976,12 +977,12 @@ config CRYPTO_WP512
          <http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html>
 config CRYPTO_GHASH_CLMUL_NI_INTEL
-        tristate "GHASH digest algorithm (CLMUL-NI accelerated)"
+        tristate "GHASH hash function (CLMUL-NI accelerated)"
        depends on X86 && 64BIT
        select CRYPTO_CRYPTD
        help
-          GHASH is message digest algorithm for GCM (Galois/Counter Mode).
+          This is the x86_64 CLMUL-NI accelerated implementation of
-          The implementation is accelerated by CLMUL-NI of Intel.
+          GHASH, the hash function used in GCM (Galois/Counter mode).
 comment "Ciphers"
diff --git a/crypto/ghash-generic.c b/crypto/ghash-generic.c
index dad9e1f91a78..5027b3461c92 100644
--- a/crypto/ghash-generic.c
+++ b/crypto/ghash-generic.c
@@ -1,12 +1,37 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * GHASH: digest algorithm for GCM (Galois/Counter Mode).
+ * GHASH: hash function for GCM (Galois/Counter Mode).
 *
 * Copyright (c) 2007 Nokia Siemens Networks - Mikko Herranen <mh1@iki.fi>
 * Copyright (c) 2009 Intel Corp.
 *   Author: Huang Ying <ying.huang@intel.com>
+ */
+/*
+ * GHASH is a keyed hash function used in GCM authentication tag generation.
+ *
+ * The original GCM paper [1] presents GHASH as a function GHASH(H, A, C) which
+ * takes a 16-byte hash key H, additional authenticated data A, and a ciphertext
+ * C.  It formats A and C into a single byte string X, interprets X as a
+ * polynomial over GF(2^128), and evaluates this polynomial at the point H.
+ *
+ * However, the NIST standard for GCM [2] presents GHASH as GHASH(H, X) where X
+ * is the already-formatted byte string containing both A and C.
+ *
+ * "ghash" in the Linux crypto API uses the 'X' (pre-formatted) convention,
+ * since the API supports only a single data stream per hash.  Thus, the
+ * formatting of 'A' and 'C' is done in the "gcm" template, not in "ghash".
+ *
+ * The reason "ghash" is separate from "gcm" is to allow "gcm" to use an
+ * accelerated "ghash" when a standalone accelerated "gcm(aes)" is unavailable.
+ * It is generally inappropriate to use "ghash" for other purposes, since it is
+ * an "ε-almost-XOR-universal hash function", not a cryptographic hash function.
+ * It can only be used securely in crypto modes specially designed to use it.
 *
- * The algorithm implementation is copied from gcm.c.
+ * [1] The Galois/Counter Mode of Operation (GCM)
+ *     (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.694.695&rep=rep1&type=pdf)
+ * [2] Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
+ *     (https://csrc.nist.gov/publications/detail/sp/800-38d/final)
 */
 #include <crypto/algapi.h>
@@ -156,6 +181,6 @@ subsys_initcall(ghash_mod_init);
 module_exit(ghash_mod_exit);
 MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("GHASH Message Digest Algorithm");
+MODULE_DESCRIPTION("GHASH hash function");
 MODULE_ALIAS_CRYPTO("ghash");
 MODULE_ALIAS_CRYPTO("ghash-generic");
diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
index 69d1bbd5d9bf..b8c50871f11b 100644
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -189,12 +189,12 @@ config S390_PRNG
          It is available as of z9.
 config CRYPTO_GHASH_S390
-        tristate "GHASH digest algorithm"
+        tristate "GHASH hash function"
        depends on S390
        select CRYPTO_HASH
        help
-          This is the s390 hardware accelerated implementation of the
+          This is the s390 hardware accelerated implementation of GHASH,
-          GHASH message digest algorithm for GCM (Galois/Counter Mode).
+          the hash function used in GCM (Galois/Counter mode).
          It is available as of z196.
diff --git a/include/crypto/ghash.h b/include/crypto/ghash.h
index 9136301062a5..f832c9f2aca3 100644
--- a/include/crypto/ghash.h
+++ b/include/crypto/ghash.h
@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 /*
- * Common values for GHASH algorithms
+ * Common values for the GHASH hash function
 */
 #ifndef __CRYPTO_GHASH_H__
author	Eric Biggers <ebiggers@google.com>	2019-07-20 02:09:18 -0400
committer	Herbert Xu <herbert@gondor.apana.org.au>	2019-07-27 07:08:38 -0400
commit	8dfa20fcfbeb245642dfe3a43f8a3735d9aed42a (patch)
tree	887e9ffb1793ff6f754ab839a528a170177f219d
parent	065cf577135a4977931c7a1e1edf442bfd9773dd (diff)