162306a36Sopenharmony_ci.. SPDX-License-Identifier: GPL-2.0 262306a36Sopenharmony_ci 362306a36Sopenharmony_ci============================= 462306a36Sopenharmony_ciScatterlist Cryptographic API 562306a36Sopenharmony_ci============================= 662306a36Sopenharmony_ci 762306a36Sopenharmony_ciIntroduction 862306a36Sopenharmony_ci============ 962306a36Sopenharmony_ci 1062306a36Sopenharmony_ciThe Scatterlist Crypto API takes page vectors (scatterlists) as 1162306a36Sopenharmony_ciarguments, and works directly on pages. In some cases (e.g. ECB 1262306a36Sopenharmony_cimode ciphers), this will allow for pages to be encrypted in-place 1362306a36Sopenharmony_ciwith no copying. 1462306a36Sopenharmony_ci 1562306a36Sopenharmony_ciOne of the initial goals of this design was to readily support IPsec, 1662306a36Sopenharmony_ciso that processing can be applied to paged skb's without the need 1762306a36Sopenharmony_cifor linearization. 1862306a36Sopenharmony_ci 1962306a36Sopenharmony_ci 2062306a36Sopenharmony_ciDetails 2162306a36Sopenharmony_ci======= 2262306a36Sopenharmony_ci 2362306a36Sopenharmony_ciAt the lowest level are algorithms, which register dynamically with the 2462306a36Sopenharmony_ciAPI. 2562306a36Sopenharmony_ci 2662306a36Sopenharmony_ci'Transforms' are user-instantiated objects, which maintain state, handle all 2762306a36Sopenharmony_ciof the implementation logic (e.g. manipulating page vectors) and provide an 2862306a36Sopenharmony_ciabstraction to the underlying algorithms. However, at the user 2962306a36Sopenharmony_cilevel they are very simple. 3062306a36Sopenharmony_ci 3162306a36Sopenharmony_ciConceptually, the API layering looks like this:: 3262306a36Sopenharmony_ci 3362306a36Sopenharmony_ci [transform api] (user interface) 3462306a36Sopenharmony_ci [transform ops] (per-type logic glue e.g. cipher.c, compress.c) 3562306a36Sopenharmony_ci [algorithm api] (for registering algorithms) 3662306a36Sopenharmony_ci 3762306a36Sopenharmony_ciThe idea is to make the user interface and algorithm registration API 3862306a36Sopenharmony_civery simple, while hiding the core logic from both. Many good ideas 3962306a36Sopenharmony_cifrom existing APIs such as Cryptoapi and Nettle have been adapted for this. 4062306a36Sopenharmony_ci 4162306a36Sopenharmony_ciThe API currently supports five main types of transforms: AEAD (Authenticated 4262306a36Sopenharmony_ciEncryption with Associated Data), Block Ciphers, Ciphers, Compressors and 4362306a36Sopenharmony_ciHashes. 4462306a36Sopenharmony_ci 4562306a36Sopenharmony_ciPlease note that Block Ciphers is somewhat of a misnomer. It is in fact 4662306a36Sopenharmony_cimeant to support all ciphers including stream ciphers. The difference 4762306a36Sopenharmony_cibetween Block Ciphers and Ciphers is that the latter operates on exactly 4862306a36Sopenharmony_cione block while the former can operate on an arbitrary amount of data, 4962306a36Sopenharmony_cisubject to block size requirements (i.e., non-stream ciphers can only 5062306a36Sopenharmony_ciprocess multiples of blocks). 5162306a36Sopenharmony_ci 5262306a36Sopenharmony_ciHere's an example of how to use the API:: 5362306a36Sopenharmony_ci 5462306a36Sopenharmony_ci #include <crypto/hash.h> 5562306a36Sopenharmony_ci #include <linux/err.h> 5662306a36Sopenharmony_ci #include <linux/scatterlist.h> 5762306a36Sopenharmony_ci 5862306a36Sopenharmony_ci struct scatterlist sg[2]; 5962306a36Sopenharmony_ci char result[128]; 6062306a36Sopenharmony_ci struct crypto_ahash *tfm; 6162306a36Sopenharmony_ci struct ahash_request *req; 6262306a36Sopenharmony_ci 6362306a36Sopenharmony_ci tfm = crypto_alloc_ahash("md5", 0, CRYPTO_ALG_ASYNC); 6462306a36Sopenharmony_ci if (IS_ERR(tfm)) 6562306a36Sopenharmony_ci fail(); 6662306a36Sopenharmony_ci 6762306a36Sopenharmony_ci /* ... set up the scatterlists ... */ 6862306a36Sopenharmony_ci 6962306a36Sopenharmony_ci req = ahash_request_alloc(tfm, GFP_ATOMIC); 7062306a36Sopenharmony_ci if (!req) 7162306a36Sopenharmony_ci fail(); 7262306a36Sopenharmony_ci 7362306a36Sopenharmony_ci ahash_request_set_callback(req, 0, NULL, NULL); 7462306a36Sopenharmony_ci ahash_request_set_crypt(req, sg, result, 2); 7562306a36Sopenharmony_ci 7662306a36Sopenharmony_ci if (crypto_ahash_digest(req)) 7762306a36Sopenharmony_ci fail(); 7862306a36Sopenharmony_ci 7962306a36Sopenharmony_ci ahash_request_free(req); 8062306a36Sopenharmony_ci crypto_free_ahash(tfm); 8162306a36Sopenharmony_ci 8262306a36Sopenharmony_ci 8362306a36Sopenharmony_ciMany real examples are available in the regression test module (tcrypt.c). 8462306a36Sopenharmony_ci 8562306a36Sopenharmony_ci 8662306a36Sopenharmony_ciDeveloper Notes 8762306a36Sopenharmony_ci=============== 8862306a36Sopenharmony_ci 8962306a36Sopenharmony_ciTransforms may only be allocated in user context, and cryptographic 9062306a36Sopenharmony_cimethods may only be called from softirq and user contexts. For 9162306a36Sopenharmony_citransforms with a setkey method it too should only be called from 9262306a36Sopenharmony_ciuser context. 9362306a36Sopenharmony_ci 9462306a36Sopenharmony_ciWhen using the API for ciphers, performance will be optimal if each 9562306a36Sopenharmony_ciscatterlist contains data which is a multiple of the cipher's block 9662306a36Sopenharmony_cisize (typically 8 bytes). This prevents having to do any copying 9762306a36Sopenharmony_ciacross non-aligned page fragment boundaries. 9862306a36Sopenharmony_ci 9962306a36Sopenharmony_ci 10062306a36Sopenharmony_ciAdding New Algorithms 10162306a36Sopenharmony_ci===================== 10262306a36Sopenharmony_ci 10362306a36Sopenharmony_ciWhen submitting a new algorithm for inclusion, a mandatory requirement 10462306a36Sopenharmony_ciis that at least a few test vectors from known sources (preferably 10562306a36Sopenharmony_cistandards) be included. 10662306a36Sopenharmony_ci 10762306a36Sopenharmony_ciConverting existing well known code is preferred, as it is more likely 10862306a36Sopenharmony_cito have been reviewed and widely tested. If submitting code from LGPL 10962306a36Sopenharmony_cisources, please consider changing the license to GPL (see section 3 of 11062306a36Sopenharmony_cithe LGPL). 11162306a36Sopenharmony_ci 11262306a36Sopenharmony_ciAlgorithms submitted must also be generally patent-free (e.g. IDEA 11362306a36Sopenharmony_ciwill not be included in the mainline until around 2011), and be based 11462306a36Sopenharmony_cion a recognized standard and/or have been subjected to appropriate 11562306a36Sopenharmony_cipeer review. 11662306a36Sopenharmony_ci 11762306a36Sopenharmony_ciAlso check for any RFCs which may relate to the use of specific algorithms, 11862306a36Sopenharmony_cias well as general application notes such as RFC2451 ("The ESP CBC-Mode 11962306a36Sopenharmony_ciCipher Algorithms"). 12062306a36Sopenharmony_ci 12162306a36Sopenharmony_ciIt's a good idea to avoid using lots of macros and use inlined functions 12262306a36Sopenharmony_ciinstead, as gcc does a good job with inlining, while excessive use of 12362306a36Sopenharmony_cimacros can cause compilation problems on some platforms. 12462306a36Sopenharmony_ci 12562306a36Sopenharmony_ciAlso check the TODO list at the web site listed below to see what people 12662306a36Sopenharmony_cimight already be working on. 12762306a36Sopenharmony_ci 12862306a36Sopenharmony_ci 12962306a36Sopenharmony_ciBugs 13062306a36Sopenharmony_ci==== 13162306a36Sopenharmony_ci 13262306a36Sopenharmony_ciSend bug reports to: 13362306a36Sopenharmony_ci linux-crypto@vger.kernel.org 13462306a36Sopenharmony_ci 13562306a36Sopenharmony_ciCc: 13662306a36Sopenharmony_ci Herbert Xu <herbert@gondor.apana.org.au>, 13762306a36Sopenharmony_ci David S. Miller <davem@redhat.com> 13862306a36Sopenharmony_ci 13962306a36Sopenharmony_ci 14062306a36Sopenharmony_ciFurther Information 14162306a36Sopenharmony_ci=================== 14262306a36Sopenharmony_ci 14362306a36Sopenharmony_ciFor further patches and various updates, including the current TODO 14462306a36Sopenharmony_cilist, see: 14562306a36Sopenharmony_cihttp://gondor.apana.org.au/~herbert/crypto/ 14662306a36Sopenharmony_ci 14762306a36Sopenharmony_ci 14862306a36Sopenharmony_ciAuthors 14962306a36Sopenharmony_ci======= 15062306a36Sopenharmony_ci 15162306a36Sopenharmony_ci- James Morris 15262306a36Sopenharmony_ci- David S. Miller 15362306a36Sopenharmony_ci- Herbert Xu 15462306a36Sopenharmony_ci 15562306a36Sopenharmony_ci 15662306a36Sopenharmony_ciCredits 15762306a36Sopenharmony_ci======= 15862306a36Sopenharmony_ci 15962306a36Sopenharmony_ciThe following people provided invaluable feedback during the development 16062306a36Sopenharmony_ciof the API: 16162306a36Sopenharmony_ci 16262306a36Sopenharmony_ci - Alexey Kuznetzov 16362306a36Sopenharmony_ci - Rusty Russell 16462306a36Sopenharmony_ci - Herbert Valerio Riedel 16562306a36Sopenharmony_ci - Jeff Garzik 16662306a36Sopenharmony_ci - Michael Richardson 16762306a36Sopenharmony_ci - Andrew Morton 16862306a36Sopenharmony_ci - Ingo Oeser 16962306a36Sopenharmony_ci - Christoph Hellwig 17062306a36Sopenharmony_ci 17162306a36Sopenharmony_ciPortions of this API were derived from the following projects: 17262306a36Sopenharmony_ci 17362306a36Sopenharmony_ci Kerneli Cryptoapi (http://www.kerneli.org/) 17462306a36Sopenharmony_ci - Alexander Kjeldaas 17562306a36Sopenharmony_ci - Herbert Valerio Riedel 17662306a36Sopenharmony_ci - Kyle McMartin 17762306a36Sopenharmony_ci - Jean-Luc Cooke 17862306a36Sopenharmony_ci - David Bryson 17962306a36Sopenharmony_ci - Clemens Fruhwirth 18062306a36Sopenharmony_ci - Tobias Ringstrom 18162306a36Sopenharmony_ci - Harald Welte 18262306a36Sopenharmony_ci 18362306a36Sopenharmony_ciand; 18462306a36Sopenharmony_ci 18562306a36Sopenharmony_ci Nettle (https://www.lysator.liu.se/~nisse/nettle/) 18662306a36Sopenharmony_ci - Niels Möller 18762306a36Sopenharmony_ci 18862306a36Sopenharmony_ciOriginal developers of the crypto algorithms: 18962306a36Sopenharmony_ci 19062306a36Sopenharmony_ci - Dana L. How (DES) 19162306a36Sopenharmony_ci - Andrew Tridgell and Steve French (MD4) 19262306a36Sopenharmony_ci - Colin Plumb (MD5) 19362306a36Sopenharmony_ci - Steve Reid (SHA1) 19462306a36Sopenharmony_ci - Jean-Luc Cooke (SHA256, SHA384, SHA512) 19562306a36Sopenharmony_ci - Kazunori Miyazawa / USAGI (HMAC) 19662306a36Sopenharmony_ci - Matthew Skala (Twofish) 19762306a36Sopenharmony_ci - Dag Arne Osvik (Serpent) 19862306a36Sopenharmony_ci - Brian Gladman (AES) 19962306a36Sopenharmony_ci - Kartikey Mahendra Bhatt (CAST6) 20062306a36Sopenharmony_ci - Jon Oberheide (ARC4) 20162306a36Sopenharmony_ci - Jouni Malinen (Michael MIC) 20262306a36Sopenharmony_ci - NTT(Nippon Telegraph and Telephone Corporation) (Camellia) 20362306a36Sopenharmony_ci 20462306a36Sopenharmony_ciSHA1 algorithm contributors: 20562306a36Sopenharmony_ci - Jean-Francois Dive 20662306a36Sopenharmony_ci 20762306a36Sopenharmony_ciDES algorithm contributors: 20862306a36Sopenharmony_ci - Raimar Falke 20962306a36Sopenharmony_ci - Gisle Sælensminde 21062306a36Sopenharmony_ci - Niels Möller 21162306a36Sopenharmony_ci 21262306a36Sopenharmony_ciBlowfish algorithm contributors: 21362306a36Sopenharmony_ci - Herbert Valerio Riedel 21462306a36Sopenharmony_ci - Kyle McMartin 21562306a36Sopenharmony_ci 21662306a36Sopenharmony_ciTwofish algorithm contributors: 21762306a36Sopenharmony_ci - Werner Koch 21862306a36Sopenharmony_ci - Marc Mutz 21962306a36Sopenharmony_ci 22062306a36Sopenharmony_ciSHA256/384/512 algorithm contributors: 22162306a36Sopenharmony_ci - Andrew McDonald 22262306a36Sopenharmony_ci - Kyle McMartin 22362306a36Sopenharmony_ci - Herbert Valerio Riedel 22462306a36Sopenharmony_ci 22562306a36Sopenharmony_ciAES algorithm contributors: 22662306a36Sopenharmony_ci - Alexander Kjeldaas 22762306a36Sopenharmony_ci - Herbert Valerio Riedel 22862306a36Sopenharmony_ci - Kyle McMartin 22962306a36Sopenharmony_ci - Adam J. Richter 23062306a36Sopenharmony_ci - Fruhwirth Clemens (i586) 23162306a36Sopenharmony_ci - Linus Torvalds (i586) 23262306a36Sopenharmony_ci 23362306a36Sopenharmony_ciCAST5 algorithm contributors: 23462306a36Sopenharmony_ci - Kartikey Mahendra Bhatt (original developers unknown, FSF copyright). 23562306a36Sopenharmony_ci 23662306a36Sopenharmony_ciTEA/XTEA algorithm contributors: 23762306a36Sopenharmony_ci - Aaron Grothe 23862306a36Sopenharmony_ci - Michael Ringe 23962306a36Sopenharmony_ci 24062306a36Sopenharmony_ciKhazad algorithm contributors: 24162306a36Sopenharmony_ci - Aaron Grothe 24262306a36Sopenharmony_ci 24362306a36Sopenharmony_ciWhirlpool algorithm contributors: 24462306a36Sopenharmony_ci - Aaron Grothe 24562306a36Sopenharmony_ci - Jean-Luc Cooke 24662306a36Sopenharmony_ci 24762306a36Sopenharmony_ciAnubis algorithm contributors: 24862306a36Sopenharmony_ci - Aaron Grothe 24962306a36Sopenharmony_ci 25062306a36Sopenharmony_ciTiger algorithm contributors: 25162306a36Sopenharmony_ci - Aaron Grothe 25262306a36Sopenharmony_ci 25362306a36Sopenharmony_ciVIA PadLock contributors: 25462306a36Sopenharmony_ci - Michal Ludvig 25562306a36Sopenharmony_ci 25662306a36Sopenharmony_ciCamellia algorithm contributors: 25762306a36Sopenharmony_ci - NTT(Nippon Telegraph and Telephone Corporation) (Camellia) 25862306a36Sopenharmony_ci 25962306a36Sopenharmony_ciGeneric scatterwalk code by Adam J. Richter <adam@yggdrasil.com> 26062306a36Sopenharmony_ci 26162306a36Sopenharmony_ciPlease send any credits updates or corrections to: 26262306a36Sopenharmony_ciHerbert Xu <herbert@gondor.apana.org.au> 263