1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Diffie-Hellman Key Agreement Method [RFC2631]
4 * Copyright (c) 2016, Intel Corporation
5 * Authors: Salvatore Benedetto <salvatore.benedetto@intel.com>
8 #include <linux/fips.h>
9 #include <linux/module.h>
10 #include <crypto/internal/kpp.h>
11 #include <crypto/kpp.h>
12 #include <crypto/dh.h>
13 #include <crypto/rng.h>
14 #include <linux/mpi.h>
17 MPI p
; /* Value is guaranteed to be set. */
18 MPI g
; /* Value is guaranteed to be set. */
19 MPI xa
; /* Value is guaranteed to be set. */
22 static void dh_clear_ctx(struct dh_ctx
*ctx
)
27 memset(ctx
, 0, sizeof(*ctx
));
31 * If base is g we compute the public key
32 * ya = g^xa mod p; [RFC2631 sec 2.1.1]
33 * else if base if the counterpart public key we compute the shared secret
34 * ZZ = yb^xa mod p; [RFC2631 sec 2.1.1]
36 static int _compute_val(const struct dh_ctx
*ctx
, MPI base
, MPI val
)
38 /* val = base^xa mod p */
39 return mpi_powm(val
, base
, ctx
->xa
, ctx
->p
);
42 static inline struct dh_ctx
*dh_get_ctx(struct crypto_kpp
*tfm
)
44 return kpp_tfm_ctx(tfm
);
47 static int dh_check_params_length(unsigned int p_len
)
50 return (p_len
< 2048) ? -EINVAL
: 0;
52 return (p_len
< 1536) ? -EINVAL
: 0;
55 static int dh_set_params(struct dh_ctx
*ctx
, struct dh
*params
)
57 if (dh_check_params_length(params
->p_size
<< 3))
60 ctx
->p
= mpi_read_raw_data(params
->p
, params
->p_size
);
64 ctx
->g
= mpi_read_raw_data(params
->g
, params
->g_size
);
71 static int dh_set_secret(struct crypto_kpp
*tfm
, const void *buf
,
74 struct dh_ctx
*ctx
= dh_get_ctx(tfm
);
77 /* Free the old MPI key if any */
80 if (crypto_dh_decode_key(buf
, len
, ¶ms
) < 0)
83 if (dh_set_params(ctx
, ¶ms
) < 0)
86 ctx
->xa
= mpi_read_raw_data(params
.key
, params
.key_size
);
98 * SP800-56A public key verification:
100 * * For the safe-prime groups in FIPS mode, Q can be computed
101 * trivially from P and a full validation according to SP800-56A
102 * section 5.6.2.3.1 is performed.
104 * * For all other sets of group parameters, only a partial validation
105 * according to SP800-56A section 5.6.2.3.2 is performed.
107 static int dh_is_pubkey_valid(struct dh_ctx
*ctx
, MPI y
)
115 if (unlikely(!ctx
->p
))
119 * Step 1: Verify that 2 <= y <= p - 2.
121 * The upper limit check is actually y < p instead of y < p - 1
122 * in order to save one mpi_sub_ui() invocation here. Note that
123 * p - 1 is the non-trivial element of the subgroup of order 2 and
124 * thus, the check on y^q below would fail if y == p - 1.
126 if (mpi_cmp_ui(y
, 1) < 1 || mpi_cmp(y
, ctx
->p
) >= 0)
130 * Step 2: Verify that 1 = y^q mod p
132 * For the safe-prime groups q = (p - 1)/2.
138 q
= mpi_alloc(mpi_get_nlimbs(ctx
->p
));
145 * ->p is odd, so no need to explicitly subtract one
146 * from it before shifting to the right.
148 ret
= mpi_rshift(q
, ctx
->p
, 1) ?:
149 mpi_powm(val
, y
, q
, ctx
->p
);
157 ret
= mpi_cmp_ui(val
, 1);
167 static int dh_compute_value(struct kpp_request
*req
)
169 struct crypto_kpp
*tfm
= crypto_kpp_reqtfm(req
);
170 struct dh_ctx
*ctx
= dh_get_ctx(tfm
);
171 MPI base
, val
= mpi_alloc(0);
178 if (unlikely(!ctx
->xa
)) {
184 base
= mpi_read_raw_from_sgl(req
->src
, req
->src_len
);
189 ret
= dh_is_pubkey_valid(ctx
, base
);
196 ret
= _compute_val(ctx
, base
, val
);
201 /* SP800-56A rev3 5.7.1.1 check: Validation of shared secret */
206 if (mpi_cmp_ui(val
, 1) < 1) {
219 ret
= mpi_sub_ui(pone
, ctx
->p
, 1);
220 if (!ret
&& !mpi_cmp(pone
, val
))
228 /* SP800-56A rev 3 5.6.2.1.3 key check */
230 if (dh_is_pubkey_valid(ctx
, val
)) {
237 ret
= mpi_write_to_sgl(val
, req
->dst
, req
->dst_len
, &sign
);
251 static unsigned int dh_max_size(struct crypto_kpp
*tfm
)
253 struct dh_ctx
*ctx
= dh_get_ctx(tfm
);
255 return mpi_get_size(ctx
->p
);
258 static void dh_exit_tfm(struct crypto_kpp
*tfm
)
260 struct dh_ctx
*ctx
= dh_get_ctx(tfm
);
265 static struct kpp_alg dh
= {
266 .set_secret
= dh_set_secret
,
267 .generate_public_key
= dh_compute_value
,
268 .compute_shared_secret
= dh_compute_value
,
269 .max_size
= dh_max_size
,
273 .cra_driver_name
= "dh-generic",
275 .cra_module
= THIS_MODULE
,
276 .cra_ctxsize
= sizeof(struct dh_ctx
),
281 struct dh_safe_prime
{
282 unsigned int max_strength
;
287 static const char safe_prime_g
[] = { 2 };
289 struct dh_safe_prime_instance_ctx
{
290 struct crypto_kpp_spawn dh_spawn
;
291 const struct dh_safe_prime
*safe_prime
;
294 struct dh_safe_prime_tfm_ctx
{
295 struct crypto_kpp
*dh_tfm
;
298 static void dh_safe_prime_free_instance(struct kpp_instance
*inst
)
300 struct dh_safe_prime_instance_ctx
*ctx
= kpp_instance_ctx(inst
);
302 crypto_drop_kpp(&ctx
->dh_spawn
);
306 static inline struct dh_safe_prime_instance_ctx
*dh_safe_prime_instance_ctx(
307 struct crypto_kpp
*tfm
)
309 return kpp_instance_ctx(kpp_alg_instance(tfm
));
312 static int dh_safe_prime_init_tfm(struct crypto_kpp
*tfm
)
314 struct dh_safe_prime_instance_ctx
*inst_ctx
=
315 dh_safe_prime_instance_ctx(tfm
);
316 struct dh_safe_prime_tfm_ctx
*tfm_ctx
= kpp_tfm_ctx(tfm
);
318 tfm_ctx
->dh_tfm
= crypto_spawn_kpp(&inst_ctx
->dh_spawn
);
319 if (IS_ERR(tfm_ctx
->dh_tfm
))
320 return PTR_ERR(tfm_ctx
->dh_tfm
);
322 kpp_set_reqsize(tfm
, sizeof(struct kpp_request
) +
323 crypto_kpp_reqsize(tfm_ctx
->dh_tfm
));
328 static void dh_safe_prime_exit_tfm(struct crypto_kpp
*tfm
)
330 struct dh_safe_prime_tfm_ctx
*tfm_ctx
= kpp_tfm_ctx(tfm
);
332 crypto_free_kpp(tfm_ctx
->dh_tfm
);
335 static u64
__add_u64_to_be(__be64
*dst
, unsigned int n
, u64 val
)
339 for (i
= n
; val
&& i
> 0; --i
) {
340 u64 tmp
= be64_to_cpu(dst
[i
- 1]);
343 val
= tmp
>= val
? 0 : 1;
344 dst
[i
- 1] = cpu_to_be64(tmp
);
350 static void *dh_safe_prime_gen_privkey(const struct dh_safe_prime
*safe_prime
,
351 unsigned int *key_size
)
353 unsigned int n
, oversampling_size
;
359 * Generate a private key following NIST SP800-56Ar3,
360 * sec. 5.6.1.1.1 and 5.6.1.1.3 resp..
362 * 5.6.1.1.1: choose key length N such that
363 * 2 * ->max_strength <= N <= log2(q) + 1 = ->p_size * 8 - 1
364 * with q = (p - 1) / 2 for the safe-prime groups.
365 * Choose the lower bound's next power of two for N in order to
366 * avoid excessively large private keys while still
367 * maintaining some extra reserve beyond the bare minimum in
368 * most cases. Note that for each entry in safe_prime_groups[],
369 * the following holds for such N:
370 * - N >= 256, in particular it is a multiple of 2^6 = 64
372 * - N < log2(q) + 1, i.e. N respects the upper bound.
374 n
= roundup_pow_of_two(2 * safe_prime
->max_strength
);
375 WARN_ON_ONCE(n
& ((1u << 6) - 1));
376 n
>>= 6; /* Convert N into units of u64. */
379 * Reserve one extra u64 to hold the extra random bits
380 * required as per 5.6.1.1.3.
382 oversampling_size
= (n
+ 1) * sizeof(__be64
);
383 key
= kmalloc(oversampling_size
, GFP_KERNEL
);
385 return ERR_PTR(-ENOMEM
);
388 * 5.6.1.1.3, step 3 (and implicitly step 4): obtain N + 64
389 * random bits and interpret them as a big endian integer.
392 if (crypto_get_default_rng())
395 err
= crypto_rng_get_bytes(crypto_default_rng
, (u8
*)key
,
397 crypto_put_default_rng();
402 * 5.6.1.1.3, step 5 is implicit: 2^N < q and thus,
403 * M = min(2^N, q) = 2^N.
405 * For step 6, calculate
406 * key = (key[] mod (M - 1)) + 1 = (key[] mod (2^N - 1)) + 1.
408 * In order to avoid expensive divisions, note that
409 * 2^N mod (2^N - 1) = 1 and thus, for any integer h,
410 * 2^N * h mod (2^N - 1) = h mod (2^N - 1) always holds.
411 * The big endian integer key[] composed of n + 1 64bit words
412 * may be written as key[] = h * 2^N + l, with h = key[0]
413 * representing the 64 most significant bits and l
414 * corresponding to the remaining 2^N bits. With the remark
416 * h * 2^N + l mod (2^N - 1) = l + h mod (2^N - 1).
417 * As both, l and h are less than 2^N, their sum after
418 * this first reduction is guaranteed to be <= 2^(N + 1) - 2.
419 * Or equivalently, that their sum can again be written as
420 * h' * 2^N + l' with h' now either zero or one and if one,
421 * then l' <= 2^N - 2. Thus, all bits at positions >= N will
422 * be zero after a second reduction:
423 * h' * 2^N + l' mod (2^N - 1) = l' + h' mod (2^N - 1).
424 * At this point, it is still possible that
425 * l' + h' = 2^N - 1, i.e. that l' + h' mod (2^N - 1)
426 * is zero. This condition will be detected below by means of
427 * the final increment overflowing in this case.
429 h
= be64_to_cpu(key
[0]);
430 h
= __add_u64_to_be(key
+ 1, n
, h
);
431 h
= __add_u64_to_be(key
+ 1, n
, h
);
434 /* Increment to obtain the final result. */
435 o
= __add_u64_to_be(key
+ 1, n
, 1);
437 * The overflow bit o from the increment is either zero or
438 * one. If zero, key[1:n] holds the final result in big-endian
439 * order. If one, key[1:n] is zero now, but needs to be set to
443 key
[n
] = cpu_to_be64(1);
445 /* n is in units of u64, convert to bytes. */
447 /* Strip the leading extra __be64, which is (virtually) zero by now. */
448 memmove(key
, &key
[1], *key_size
);
453 kfree_sensitive(key
);
457 static int dh_safe_prime_set_secret(struct crypto_kpp
*tfm
, const void *buffer
,
460 struct dh_safe_prime_instance_ctx
*inst_ctx
=
461 dh_safe_prime_instance_ctx(tfm
);
462 struct dh_safe_prime_tfm_ctx
*tfm_ctx
= kpp_tfm_ctx(tfm
);
463 struct dh params
= {};
464 void *buf
= NULL
, *key
= NULL
;
465 unsigned int buf_size
;
469 err
= __crypto_dh_decode_key(buffer
, len
, ¶ms
);
472 if (params
.p_size
|| params
.g_size
)
476 params
.p
= inst_ctx
->safe_prime
->p
;
477 params
.p_size
= inst_ctx
->safe_prime
->p_size
;
478 params
.g
= safe_prime_g
;
479 params
.g_size
= sizeof(safe_prime_g
);
481 if (!params
.key_size
) {
482 key
= dh_safe_prime_gen_privkey(inst_ctx
->safe_prime
,
489 buf_size
= crypto_dh_key_len(¶ms
);
490 buf
= kmalloc(buf_size
, GFP_KERNEL
);
496 err
= crypto_dh_encode_key(buf
, buf_size
, ¶ms
);
500 err
= crypto_kpp_set_secret(tfm_ctx
->dh_tfm
, buf
, buf_size
);
502 kfree_sensitive(buf
);
503 kfree_sensitive(key
);
507 static void dh_safe_prime_complete_req(void *data
, int err
)
509 struct kpp_request
*req
= data
;
511 kpp_request_complete(req
, err
);
514 static struct kpp_request
*dh_safe_prime_prepare_dh_req(struct kpp_request
*req
)
516 struct dh_safe_prime_tfm_ctx
*tfm_ctx
=
517 kpp_tfm_ctx(crypto_kpp_reqtfm(req
));
518 struct kpp_request
*dh_req
= kpp_request_ctx(req
);
520 kpp_request_set_tfm(dh_req
, tfm_ctx
->dh_tfm
);
521 kpp_request_set_callback(dh_req
, req
->base
.flags
,
522 dh_safe_prime_complete_req
, req
);
524 kpp_request_set_input(dh_req
, req
->src
, req
->src_len
);
525 kpp_request_set_output(dh_req
, req
->dst
, req
->dst_len
);
530 static int dh_safe_prime_generate_public_key(struct kpp_request
*req
)
532 struct kpp_request
*dh_req
= dh_safe_prime_prepare_dh_req(req
);
534 return crypto_kpp_generate_public_key(dh_req
);
537 static int dh_safe_prime_compute_shared_secret(struct kpp_request
*req
)
539 struct kpp_request
*dh_req
= dh_safe_prime_prepare_dh_req(req
);
541 return crypto_kpp_compute_shared_secret(dh_req
);
544 static unsigned int dh_safe_prime_max_size(struct crypto_kpp
*tfm
)
546 struct dh_safe_prime_tfm_ctx
*tfm_ctx
= kpp_tfm_ctx(tfm
);
548 return crypto_kpp_maxsize(tfm_ctx
->dh_tfm
);
551 static int __maybe_unused
__dh_safe_prime_create(
552 struct crypto_template
*tmpl
, struct rtattr
**tb
,
553 const struct dh_safe_prime
*safe_prime
)
555 struct kpp_instance
*inst
;
556 struct dh_safe_prime_instance_ctx
*ctx
;
558 struct kpp_alg
*dh_alg
;
562 err
= crypto_check_attr_type(tb
, CRYPTO_ALG_TYPE_KPP
, &mask
);
566 dh_name
= crypto_attr_alg_name(tb
[1]);
568 return PTR_ERR(dh_name
);
570 inst
= kzalloc(sizeof(*inst
) + sizeof(*ctx
), GFP_KERNEL
);
574 ctx
= kpp_instance_ctx(inst
);
576 err
= crypto_grab_kpp(&ctx
->dh_spawn
, kpp_crypto_instance(inst
),
582 dh_alg
= crypto_spawn_kpp_alg(&ctx
->dh_spawn
);
583 if (strcmp(dh_alg
->base
.cra_name
, "dh"))
586 ctx
->safe_prime
= safe_prime
;
588 err
= crypto_inst_setname(kpp_crypto_instance(inst
),
589 tmpl
->name
, &dh_alg
->base
);
593 inst
->alg
.set_secret
= dh_safe_prime_set_secret
;
594 inst
->alg
.generate_public_key
= dh_safe_prime_generate_public_key
;
595 inst
->alg
.compute_shared_secret
= dh_safe_prime_compute_shared_secret
;
596 inst
->alg
.max_size
= dh_safe_prime_max_size
;
597 inst
->alg
.init
= dh_safe_prime_init_tfm
;
598 inst
->alg
.exit
= dh_safe_prime_exit_tfm
;
599 inst
->alg
.base
.cra_priority
= dh_alg
->base
.cra_priority
;
600 inst
->alg
.base
.cra_module
= THIS_MODULE
;
601 inst
->alg
.base
.cra_ctxsize
= sizeof(struct dh_safe_prime_tfm_ctx
);
603 inst
->free
= dh_safe_prime_free_instance
;
605 err
= kpp_register_instance(tmpl
, inst
);
612 dh_safe_prime_free_instance(inst
);
617 #ifdef CONFIG_CRYPTO_DH_RFC7919_GROUPS
619 static const struct dh_safe_prime ffdhe2048_prime
= {
623 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
624 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
625 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
626 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
627 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
628 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
629 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
630 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
631 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
632 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
633 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
634 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
635 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
636 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
637 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
638 "\x88\x6b\x42\x38\x61\x28\x5c\x97\xff\xff\xff\xff\xff\xff\xff\xff",
641 static const struct dh_safe_prime ffdhe3072_prime
= {
645 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
646 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
647 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
648 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
649 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
650 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
651 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
652 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
653 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
654 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
655 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
656 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
657 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
658 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
659 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
660 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
661 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
662 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
663 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
664 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
665 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
666 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
667 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
668 "\x25\xe4\x1d\x2b\x66\xc6\x2e\x37\xff\xff\xff\xff\xff\xff\xff\xff",
671 static const struct dh_safe_prime ffdhe4096_prime
= {
675 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
676 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
677 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
678 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
679 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
680 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
681 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
682 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
683 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
684 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
685 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
686 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
687 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
688 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
689 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
690 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
691 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
692 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
693 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
694 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
695 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
696 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
697 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
698 "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
699 "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
700 "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
701 "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
702 "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
703 "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
704 "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
705 "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
706 "\xc6\x8a\x00\x7e\x5e\x65\x5f\x6a\xff\xff\xff\xff\xff\xff\xff\xff",
709 static const struct dh_safe_prime ffdhe6144_prime
= {
713 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
714 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
715 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
716 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
717 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
718 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
719 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
720 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
721 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
722 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
723 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
724 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
725 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
726 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
727 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
728 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
729 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
730 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
731 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
732 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
733 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
734 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
735 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
736 "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
737 "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
738 "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
739 "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
740 "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
741 "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
742 "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
743 "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
744 "\xc6\x8a\x00\x7e\x5e\x0d\xd9\x02\x0b\xfd\x64\xb6\x45\x03\x6c\x7a"
745 "\x4e\x67\x7d\x2c\x38\x53\x2a\x3a\x23\xba\x44\x42\xca\xf5\x3e\xa6"
746 "\x3b\xb4\x54\x32\x9b\x76\x24\xc8\x91\x7b\xdd\x64\xb1\xc0\xfd\x4c"
747 "\xb3\x8e\x8c\x33\x4c\x70\x1c\x3a\xcd\xad\x06\x57\xfc\xcf\xec\x71"
748 "\x9b\x1f\x5c\x3e\x4e\x46\x04\x1f\x38\x81\x47\xfb\x4c\xfd\xb4\x77"
749 "\xa5\x24\x71\xf7\xa9\xa9\x69\x10\xb8\x55\x32\x2e\xdb\x63\x40\xd8"
750 "\xa0\x0e\xf0\x92\x35\x05\x11\xe3\x0a\xbe\xc1\xff\xf9\xe3\xa2\x6e"
751 "\x7f\xb2\x9f\x8c\x18\x30\x23\xc3\x58\x7e\x38\xda\x00\x77\xd9\xb4"
752 "\x76\x3e\x4e\x4b\x94\xb2\xbb\xc1\x94\xc6\x65\x1e\x77\xca\xf9\x92"
753 "\xee\xaa\xc0\x23\x2a\x28\x1b\xf6\xb3\xa7\x39\xc1\x22\x61\x16\x82"
754 "\x0a\xe8\xdb\x58\x47\xa6\x7c\xbe\xf9\xc9\x09\x1b\x46\x2d\x53\x8c"
755 "\xd7\x2b\x03\x74\x6a\xe7\x7f\x5e\x62\x29\x2c\x31\x15\x62\xa8\x46"
756 "\x50\x5d\xc8\x2d\xb8\x54\x33\x8a\xe4\x9f\x52\x35\xc9\x5b\x91\x17"
757 "\x8c\xcf\x2d\xd5\xca\xce\xf4\x03\xec\x9d\x18\x10\xc6\x27\x2b\x04"
758 "\x5b\x3b\x71\xf9\xdc\x6b\x80\xd6\x3f\xdd\x4a\x8e\x9a\xdb\x1e\x69"
759 "\x62\xa6\x95\x26\xd4\x31\x61\xc1\xa4\x1d\x57\x0d\x79\x38\xda\xd4"
760 "\xa4\x0e\x32\x9c\xd0\xe4\x0e\x65\xff\xff\xff\xff\xff\xff\xff\xff",
763 static const struct dh_safe_prime ffdhe8192_prime
= {
767 "\xff\xff\xff\xff\xff\xff\xff\xff\xad\xf8\x54\x58\xa2\xbb\x4a\x9a"
768 "\xaf\xdc\x56\x20\x27\x3d\x3c\xf1\xd8\xb9\xc5\x83\xce\x2d\x36\x95"
769 "\xa9\xe1\x36\x41\x14\x64\x33\xfb\xcc\x93\x9d\xce\x24\x9b\x3e\xf9"
770 "\x7d\x2f\xe3\x63\x63\x0c\x75\xd8\xf6\x81\xb2\x02\xae\xc4\x61\x7a"
771 "\xd3\xdf\x1e\xd5\xd5\xfd\x65\x61\x24\x33\xf5\x1f\x5f\x06\x6e\xd0"
772 "\x85\x63\x65\x55\x3d\xed\x1a\xf3\xb5\x57\x13\x5e\x7f\x57\xc9\x35"
773 "\x98\x4f\x0c\x70\xe0\xe6\x8b\x77\xe2\xa6\x89\xda\xf3\xef\xe8\x72"
774 "\x1d\xf1\x58\xa1\x36\xad\xe7\x35\x30\xac\xca\x4f\x48\x3a\x79\x7a"
775 "\xbc\x0a\xb1\x82\xb3\x24\xfb\x61\xd1\x08\xa9\x4b\xb2\xc8\xe3\xfb"
776 "\xb9\x6a\xda\xb7\x60\xd7\xf4\x68\x1d\x4f\x42\xa3\xde\x39\x4d\xf4"
777 "\xae\x56\xed\xe7\x63\x72\xbb\x19\x0b\x07\xa7\xc8\xee\x0a\x6d\x70"
778 "\x9e\x02\xfc\xe1\xcd\xf7\xe2\xec\xc0\x34\x04\xcd\x28\x34\x2f\x61"
779 "\x91\x72\xfe\x9c\xe9\x85\x83\xff\x8e\x4f\x12\x32\xee\xf2\x81\x83"
780 "\xc3\xfe\x3b\x1b\x4c\x6f\xad\x73\x3b\xb5\xfc\xbc\x2e\xc2\x20\x05"
781 "\xc5\x8e\xf1\x83\x7d\x16\x83\xb2\xc6\xf3\x4a\x26\xc1\xb2\xef\xfa"
782 "\x88\x6b\x42\x38\x61\x1f\xcf\xdc\xde\x35\x5b\x3b\x65\x19\x03\x5b"
783 "\xbc\x34\xf4\xde\xf9\x9c\x02\x38\x61\xb4\x6f\xc9\xd6\xe6\xc9\x07"
784 "\x7a\xd9\x1d\x26\x91\xf7\xf7\xee\x59\x8c\xb0\xfa\xc1\x86\xd9\x1c"
785 "\xae\xfe\x13\x09\x85\x13\x92\x70\xb4\x13\x0c\x93\xbc\x43\x79\x44"
786 "\xf4\xfd\x44\x52\xe2\xd7\x4d\xd3\x64\xf2\xe2\x1e\x71\xf5\x4b\xff"
787 "\x5c\xae\x82\xab\x9c\x9d\xf6\x9e\xe8\x6d\x2b\xc5\x22\x36\x3a\x0d"
788 "\xab\xc5\x21\x97\x9b\x0d\xea\xda\x1d\xbf\x9a\x42\xd5\xc4\x48\x4e"
789 "\x0a\xbc\xd0\x6b\xfa\x53\xdd\xef\x3c\x1b\x20\xee\x3f\xd5\x9d\x7c"
790 "\x25\xe4\x1d\x2b\x66\x9e\x1e\xf1\x6e\x6f\x52\xc3\x16\x4d\xf4\xfb"
791 "\x79\x30\xe9\xe4\xe5\x88\x57\xb6\xac\x7d\x5f\x42\xd6\x9f\x6d\x18"
792 "\x77\x63\xcf\x1d\x55\x03\x40\x04\x87\xf5\x5b\xa5\x7e\x31\xcc\x7a"
793 "\x71\x35\xc8\x86\xef\xb4\x31\x8a\xed\x6a\x1e\x01\x2d\x9e\x68\x32"
794 "\xa9\x07\x60\x0a\x91\x81\x30\xc4\x6d\xc7\x78\xf9\x71\xad\x00\x38"
795 "\x09\x29\x99\xa3\x33\xcb\x8b\x7a\x1a\x1d\xb9\x3d\x71\x40\x00\x3c"
796 "\x2a\x4e\xce\xa9\xf9\x8d\x0a\xcc\x0a\x82\x91\xcd\xce\xc9\x7d\xcf"
797 "\x8e\xc9\xb5\x5a\x7f\x88\xa4\x6b\x4d\xb5\xa8\x51\xf4\x41\x82\xe1"
798 "\xc6\x8a\x00\x7e\x5e\x0d\xd9\x02\x0b\xfd\x64\xb6\x45\x03\x6c\x7a"
799 "\x4e\x67\x7d\x2c\x38\x53\x2a\x3a\x23\xba\x44\x42\xca\xf5\x3e\xa6"
800 "\x3b\xb4\x54\x32\x9b\x76\x24\xc8\x91\x7b\xdd\x64\xb1\xc0\xfd\x4c"
801 "\xb3\x8e\x8c\x33\x4c\x70\x1c\x3a\xcd\xad\x06\x57\xfc\xcf\xec\x71"
802 "\x9b\x1f\x5c\x3e\x4e\x46\x04\x1f\x38\x81\x47\xfb\x4c\xfd\xb4\x77"
803 "\xa5\x24\x71\xf7\xa9\xa9\x69\x10\xb8\x55\x32\x2e\xdb\x63\x40\xd8"
804 "\xa0\x0e\xf0\x92\x35\x05\x11\xe3\x0a\xbe\xc1\xff\xf9\xe3\xa2\x6e"
805 "\x7f\xb2\x9f\x8c\x18\x30\x23\xc3\x58\x7e\x38\xda\x00\x77\xd9\xb4"
806 "\x76\x3e\x4e\x4b\x94\xb2\xbb\xc1\x94\xc6\x65\x1e\x77\xca\xf9\x92"
807 "\xee\xaa\xc0\x23\x2a\x28\x1b\xf6\xb3\xa7\x39\xc1\x22\x61\x16\x82"
808 "\x0a\xe8\xdb\x58\x47\xa6\x7c\xbe\xf9\xc9\x09\x1b\x46\x2d\x53\x8c"
809 "\xd7\x2b\x03\x74\x6a\xe7\x7f\x5e\x62\x29\x2c\x31\x15\x62\xa8\x46"
810 "\x50\x5d\xc8\x2d\xb8\x54\x33\x8a\xe4\x9f\x52\x35\xc9\x5b\x91\x17"
811 "\x8c\xcf\x2d\xd5\xca\xce\xf4\x03\xec\x9d\x18\x10\xc6\x27\x2b\x04"
812 "\x5b\x3b\x71\xf9\xdc\x6b\x80\xd6\x3f\xdd\x4a\x8e\x9a\xdb\x1e\x69"
813 "\x62\xa6\x95\x26\xd4\x31\x61\xc1\xa4\x1d\x57\x0d\x79\x38\xda\xd4"
814 "\xa4\x0e\x32\x9c\xcf\xf4\x6a\xaa\x36\xad\x00\x4c\xf6\x00\xc8\x38"
815 "\x1e\x42\x5a\x31\xd9\x51\xae\x64\xfd\xb2\x3f\xce\xc9\x50\x9d\x43"
816 "\x68\x7f\xeb\x69\xed\xd1\xcc\x5e\x0b\x8c\xc3\xbd\xf6\x4b\x10\xef"
817 "\x86\xb6\x31\x42\xa3\xab\x88\x29\x55\x5b\x2f\x74\x7c\x93\x26\x65"
818 "\xcb\x2c\x0f\x1c\xc0\x1b\xd7\x02\x29\x38\x88\x39\xd2\xaf\x05\xe4"
819 "\x54\x50\x4a\xc7\x8b\x75\x82\x82\x28\x46\xc0\xba\x35\xc3\x5f\x5c"
820 "\x59\x16\x0c\xc0\x46\xfd\x82\x51\x54\x1f\xc6\x8c\x9c\x86\xb0\x22"
821 "\xbb\x70\x99\x87\x6a\x46\x0e\x74\x51\xa8\xa9\x31\x09\x70\x3f\xee"
822 "\x1c\x21\x7e\x6c\x38\x26\xe5\x2c\x51\xaa\x69\x1e\x0e\x42\x3c\xfc"
823 "\x99\xe9\xe3\x16\x50\xc1\x21\x7b\x62\x48\x16\xcd\xad\x9a\x95\xf9"
824 "\xd5\xb8\x01\x94\x88\xd9\xc0\xa0\xa1\xfe\x30\x75\xa5\x77\xe2\x31"
825 "\x83\xf8\x1d\x4a\x3f\x2f\xa4\x57\x1e\xfc\x8c\xe0\xba\x8a\x4f\xe8"
826 "\xb6\x85\x5d\xfe\x72\xb0\xa6\x6e\xde\xd2\xfb\xab\xfb\xe5\x8a\x30"
827 "\xfa\xfa\xbe\x1c\x5d\x71\xa8\x7e\x2f\x74\x1e\xf8\xc1\xfe\x86\xfe"
828 "\xa6\xbb\xfd\xe5\x30\x67\x7f\x0d\x97\xd1\x1d\x49\xf7\xa8\x44\x3d"
829 "\x08\x22\xe5\x06\xa9\xf4\x61\x4e\x01\x1e\x2a\x94\x83\x8f\xf8\x8c"
830 "\xd6\x8c\x8b\xb7\xc5\xc6\x42\x4c\xff\xff\xff\xff\xff\xff\xff\xff",
833 static int dh_ffdhe2048_create(struct crypto_template
*tmpl
,
836 return __dh_safe_prime_create(tmpl
, tb
, &ffdhe2048_prime
);
839 static int dh_ffdhe3072_create(struct crypto_template
*tmpl
,
842 return __dh_safe_prime_create(tmpl
, tb
, &ffdhe3072_prime
);
845 static int dh_ffdhe4096_create(struct crypto_template
*tmpl
,
848 return __dh_safe_prime_create(tmpl
, tb
, &ffdhe4096_prime
);
851 static int dh_ffdhe6144_create(struct crypto_template
*tmpl
,
854 return __dh_safe_prime_create(tmpl
, tb
, &ffdhe6144_prime
);
857 static int dh_ffdhe8192_create(struct crypto_template
*tmpl
,
860 return __dh_safe_prime_create(tmpl
, tb
, &ffdhe8192_prime
);
863 static struct crypto_template crypto_ffdhe_templates
[] = {
866 .create
= dh_ffdhe2048_create
,
867 .module
= THIS_MODULE
,
871 .create
= dh_ffdhe3072_create
,
872 .module
= THIS_MODULE
,
876 .create
= dh_ffdhe4096_create
,
877 .module
= THIS_MODULE
,
881 .create
= dh_ffdhe6144_create
,
882 .module
= THIS_MODULE
,
886 .create
= dh_ffdhe8192_create
,
887 .module
= THIS_MODULE
,
891 #else /* ! CONFIG_CRYPTO_DH_RFC7919_GROUPS */
893 static struct crypto_template crypto_ffdhe_templates
[] = {};
895 #endif /* CONFIG_CRYPTO_DH_RFC7919_GROUPS */
898 static int __init
dh_init(void)
902 err
= crypto_register_kpp(&dh
);
906 err
= crypto_register_templates(crypto_ffdhe_templates
,
907 ARRAY_SIZE(crypto_ffdhe_templates
));
909 crypto_unregister_kpp(&dh
);
916 static void __exit
dh_exit(void)
918 crypto_unregister_templates(crypto_ffdhe_templates
,
919 ARRAY_SIZE(crypto_ffdhe_templates
));
920 crypto_unregister_kpp(&dh
);
923 subsys_initcall(dh_init
);
924 module_exit(dh_exit
);
925 MODULE_ALIAS_CRYPTO("dh");
926 MODULE_LICENSE("GPL");
927 MODULE_DESCRIPTION("DH generic algorithm");