1 <?xml version=
"1.0" encoding=
"UTF-8"?>
2 <!DOCTYPE book PUBLIC
"-//OASIS//DTD DocBook XML V4.1.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" []
>
5 <book id=
"KernelCryptoAPI">
7 <title>Linux Kernel Crypto API
</title>
11 <firstname>Stephan
</firstname>
12 <surname>Mueller
</surname>
15 <email>smueller@chronox.de
</email>
20 <firstname>Marek
</firstname>
21 <surname>Vasut
</surname>
24 <email>marek@denx.de
</email>
32 <holder>Stephan Mueller
</holder>
38 This documentation is free software; you can redistribute
39 it and/or modify it under the terms of the GNU General Public
40 License as published by the Free Software Foundation; either
41 version
2 of the License, or (at your option) any later
46 This program is distributed in the hope that it will be
47 useful, but WITHOUT ANY WARRANTY; without even the implied
48 warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
49 See the GNU General Public License for more details.
53 You should have received a copy of the GNU General Public
54 License along with this program; if not, write to the Free
55 Software Foundation, Inc.,
59 Temple Place, Suite
330, Boston,
60 For more details see the file COPYING in the source
61 distribution of Linux.
69 <title>Kernel Crypto API Interface Specification
</title>
71 <sect1><title>Introduction
</title>
74 The kernel crypto API offers a rich set of cryptographic ciphers as
75 well as other data transformation mechanisms and methods to invoke
76 these. This document contains a description of the API and provides
81 To understand and properly use the kernel crypto API a brief
82 explanation of its structure is given. Based on the architecture,
83 the API can be separated into different components. Following the
84 architecture specification, hints to developers of ciphers are
85 provided. Pointers to the API function call documentation are
90 The kernel crypto API refers to all algorithms as
"transformations".
91 Therefore, a cipher handle variable usually has the name
"tfm".
92 Besides cryptographic operations, the kernel crypto API also knows
93 compression transformations and handles them the same way as ciphers.
97 The kernel crypto API serves the following entity types:
101 <para>consumers requesting cryptographic services
</para>
104 <para>data transformation implementations (typically ciphers)
105 that can be called by consumers using the kernel crypto
112 This specification is intended for consumers of the kernel crypto
113 API as well as for developers implementing ciphers. This API
114 specification, however, does not discusses all API calls available
115 to data transformation implementations (i.e. implementations of
116 ciphers and other transformations (such as CRC or even compression
117 algorithms) that can register with the kernel crypto API).
121 Note: The terms
"transformation" and cipher algorithm are used
126 <sect1><title>Terminology
</title>
128 The transformation implementation is an actual code or interface
129 to hardware which implements a certain transformation with precisely
134 The transformation object (TFM) is an instance of a transformation
135 implementation. There can be multiple transformation objects
136 associated with a single transformation implementation. Each of
137 those transformation objects is held by a crypto API consumer or
138 another transformation. Transformation object is allocated when a
139 crypto API consumer requests a transformation implementation.
140 The consumer is then provided with a structure, which contains
141 a transformation object (TFM).
145 The structure that contains transformation objects may also be
146 referred to as a
"cipher handle". Such a cipher handle is always
147 subject to the following phases that are reflected in the API calls
148 applicable to such a cipher handle:
153 <para>Initialization of a cipher handle.
</para>
156 <para>Execution of all intended cipher operations applicable
157 for the handle where the cipher handle must be furnished to
158 every API call.
</para>
161 <para>Destruction of a cipher handle.
</para>
166 When using the initialization API calls, a cipher handle is
167 created and returned to the consumer. Therefore, please refer
168 to all initialization API calls that refer to the data
169 structure type a consumer is expected to receive and subsequently
170 to use. The initialization API calls have all the same naming
171 conventions of crypto_alloc_*.
175 The transformation context is private data associated with
176 the transformation object.
181 <chapter id=
"Architecture"><title>Kernel Crypto API Architecture
</title>
182 <sect1><title>Cipher algorithm types
</title>
184 The kernel crypto API provides different API calls for the
185 following cipher types:
188 <listitem><para>Symmetric ciphers
</para></listitem>
189 <listitem><para>AEAD ciphers
</para></listitem>
190 <listitem><para>Message digest, including keyed message digest
</para></listitem>
191 <listitem><para>Random number generation
</para></listitem>
192 <listitem><para>User space interface
</para></listitem>
197 <sect1><title>Ciphers And Templates
</title>
199 The kernel crypto API provides implementations of single block
200 ciphers and message digests. In addition, the kernel crypto API
201 provides numerous
"templates" that can be used in conjunction
202 with the single block ciphers and message digests. Templates
203 include all types of block chaining mode, the HMAC mechanism, etc.
207 Single block ciphers and message digests can either be directly
208 used by a caller or invoked together with a template to form
209 multi-block ciphers or keyed message digests.
213 A single block cipher may even be called with multiple templates.
214 However, templates cannot be used without a single cipher.
218 See /proc/crypto and search for
"name". For example:
221 <listitem><para>aes
</para></listitem>
222 <listitem><para>ecb(aes)
</para></listitem>
223 <listitem><para>cmac(aes)
</para></listitem>
224 <listitem><para>ccm(aes)
</para></listitem>
225 <listitem><para>rfc4106(gcm(aes))
</para></listitem>
226 <listitem><para>sha1
</para></listitem>
227 <listitem><para>hmac(sha1)
</para></listitem>
228 <listitem><para>authenc(hmac(sha1),cbc(aes))
</para></listitem>
233 In these examples,
"aes" and
"sha1" are the ciphers and all
234 others are the templates.
238 <sect1><title>Synchronous And Asynchronous Operation
</title>
240 The kernel crypto API provides synchronous and asynchronous
245 When using the synchronous API operation, the caller invokes
246 a cipher operation which is performed synchronously by the
247 kernel crypto API. That means, the caller waits until the
248 cipher operation completes. Therefore, the kernel crypto API
249 calls work like regular function calls. For synchronous
250 operation, the set of API calls is small and conceptually
251 similar to any other crypto library.
255 Asynchronous operation is provided by the kernel crypto API
256 which implies that the invocation of a cipher operation will
257 complete almost instantly. That invocation triggers the
258 cipher operation but it does not signal its completion. Before
259 invoking a cipher operation, the caller must provide a callback
260 function the kernel crypto API can invoke to signal the
261 completion of the cipher operation. Furthermore, the caller
262 must ensure it can handle such asynchronous events by applying
263 appropriate locking around its data. The kernel crypto API
264 does not perform any special serialization operation to protect
265 the caller's data integrity.
269 <sect1><title>Crypto API Cipher References And Priority
</title>
271 A cipher is referenced by the caller with a string. That string
272 has the following semantics:
275 template(single block cipher)
278 where
"template" and
"single block cipher" is the aforementioned
279 template and single block cipher, respectively. If applicable,
280 additional templates may enclose other templates, such as
283 template1(template2(single block cipher)))
288 The kernel crypto API may provide multiple implementations of a
289 template or a single block cipher. For example, AES on newer
290 Intel hardware has the following implementations: AES-NI,
291 assembler implementation, or straight C. Now, when using the
292 string
"aes" with the kernel crypto API, which cipher
293 implementation is used? The answer to that question is the
294 priority number assigned to each cipher implementation by the
295 kernel crypto API. When a caller uses the string to refer to a
296 cipher during initialization of a cipher handle, the kernel
297 crypto API looks up all implementations providing an
298 implementation with that name and selects the implementation
299 with the highest priority.
303 Now, a caller may have the need to refer to a specific cipher
304 implementation and thus does not want to rely on the
305 priority-based selection. To accommodate this scenario, the
306 kernel crypto API allows the cipher implementation to register
307 a unique name in addition to common names. When using that
308 unique name, a caller is therefore always sure to refer to
309 the intended cipher implementation.
313 The list of available ciphers is given in /proc/crypto. However,
314 that list does not specify all possible permutations of
315 templates and ciphers. Each block listed in /proc/crypto may
316 contain the following information -- if one of the components
317 listed as follows are not applicable to a cipher, it is not
323 <para>name: the generic name of the cipher that is subject
324 to the priority-based selection -- this name can be used by
325 the cipher allocation API calls (all names listed above are
326 examples for such generic names)
</para>
329 <para>driver: the unique name of the cipher -- this name can
330 be used by the cipher allocation API calls
</para>
333 <para>module: the kernel module providing the cipher
334 implementation (or
"kernel" for statically linked ciphers)
</para>
337 <para>priority: the priority value of the cipher implementation
</para>
340 <para>refcnt: the reference count of the respective cipher
341 (i.e. the number of current consumers of this cipher)
</para>
344 <para>selftest: specification whether the self test for the
351 <para>blkcipher for synchronous block ciphers
</para>
354 <para>ablkcipher for asynchronous block ciphers
</para>
357 <para>cipher for single block ciphers that may be used with
358 an additional template
</para>
361 <para>shash for synchronous message digest
</para>
364 <para>ahash for asynchronous message digest
</para>
367 <para>aead for AEAD cipher type
</para>
370 <para>compression for compression type transformations
</para>
373 <para>rng for random number generator
</para>
376 <para>givcipher for cipher with associated IV generator
377 (see the geniv entry below for the specification of the
378 IV generator type used by the cipher implementation)
</para>
384 <para>blocksize: blocksize of cipher in bytes
</para>
387 <para>keysize: key size in bytes
</para>
390 <para>ivsize: IV size in bytes
</para>
393 <para>seedsize: required size of seed data for random number
397 <para>digestsize: output size of the message digest
</para>
400 <para>geniv: IV generation type:
403 <para>eseqiv for encrypted sequence number based IV
407 <para>seqiv for sequence number based IV generation
</para>
410 <para>chainiv for chain iv generation
</para>
413 <para><builtin
> is a marker that the cipher implements
414 IV generation and handling as it is specific to the given
423 <sect1><title>Key Sizes
</title>
425 When allocating a cipher handle, the caller only specifies the
426 cipher type. Symmetric ciphers, however, typically support
427 multiple key sizes (e.g. AES-
128 vs. AES-
192 vs. AES-
256).
428 These key sizes are determined with the length of the provided
429 key. Thus, the kernel crypto API does not provide a separate
430 way to select the particular symmetric cipher key size.
434 <sect1><title>Cipher Allocation Type And Masks
</title>
436 The different cipher handle allocation functions allow the
437 specification of a type and mask flag. Both parameters have
438 the following meaning (and are therefore not covered in the
439 subsequent sections).
443 The type flag specifies the type of the cipher algorithm.
444 The caller usually provides a
0 when the caller wants the
445 default handling. Otherwise, the caller may provide the
446 following selections which match the the aforementioned
452 <para>CRYPTO_ALG_TYPE_CIPHER Single block cipher
</para>
455 <para>CRYPTO_ALG_TYPE_COMPRESS Compression
</para>
458 <para>CRYPTO_ALG_TYPE_AEAD Authenticated Encryption with
459 Associated Data (MAC)
</para>
462 <para>CRYPTO_ALG_TYPE_BLKCIPHER Synchronous multi-block cipher
</para>
465 <para>CRYPTO_ALG_TYPE_ABLKCIPHER Asynchronous multi-block cipher
</para>
468 <para>CRYPTO_ALG_TYPE_GIVCIPHER Asynchronous multi-block
469 cipher packed together with an IV generator (see geniv field
470 in the /proc/crypto listing for the known IV generators)
</para>
473 <para>CRYPTO_ALG_TYPE_DIGEST Raw message digest
</para>
476 <para>CRYPTO_ALG_TYPE_HASH Alias for CRYPTO_ALG_TYPE_DIGEST
</para>
479 <para>CRYPTO_ALG_TYPE_SHASH Synchronous multi-block hash
</para>
482 <para>CRYPTO_ALG_TYPE_AHASH Asynchronous multi-block hash
</para>
485 <para>CRYPTO_ALG_TYPE_RNG Random Number Generation
</para>
488 <para>CRYPTO_ALG_TYPE_PCOMPRESS Enhanced version of
489 CRYPTO_ALG_TYPE_COMPRESS allowing for segmented compression /
490 decompression instead of performing the operation on one
491 segment only. CRYPTO_ALG_TYPE_PCOMPRESS is intended to replace
492 CRYPTO_ALG_TYPE_COMPRESS once existing consumers are converted.
</para>
497 The mask flag restricts the type of cipher. The only allowed
498 flag is CRYPTO_ALG_ASYNC to restrict the cipher lookup function
499 to asynchronous ciphers. Usually, a caller provides a
0 for the
504 When the caller provides a mask and type specification, the
505 caller limits the search the kernel crypto API can perform for
506 a suitable cipher implementation for the given cipher name.
507 That means, even when a caller uses a cipher name that exists
508 during its initialization call, the kernel crypto API may not
509 select it due to the used type and mask field.
514 <chapter id=
"Development"><title>Developing Cipher Algorithms
</title>
515 <sect1><title>Registering And Unregistering Transformation
</title>
517 There are three distinct types of registration functions in
518 the Crypto API. One is used to register a generic cryptographic
519 transformation, while the other two are specific to HASH
520 transformations and COMPRESSion. We will discuss the latter
521 two in a separate chapter, here we will only look at the
526 Before discussing the register functions, the data structure
527 to be filled with each, struct crypto_alg, must be considered
528 -- see below for a description of this data structure.
532 The generic registration functions can be found in
533 include/linux/crypto.h and their definition can be seen below.
534 The former function registers a single transformation, while
535 the latter works on an array of transformation descriptions.
536 The latter is useful when registering transformations in bulk.
540 int crypto_register_alg(struct crypto_alg *alg);
541 int crypto_register_algs(struct crypto_alg *algs, int count);
545 The counterparts to those functions are listed below.
549 int crypto_unregister_alg(struct crypto_alg *alg);
550 int crypto_unregister_algs(struct crypto_alg *algs, int count);
554 Notice that both registration and unregistration functions
555 do return a value, so make sure to handle errors. A return
556 code of zero implies success. Any return code
< 0 implies
561 The bulk registration / unregistration functions require
562 that struct crypto_alg is an array of count size. These
563 functions simply loop over that array and register /
564 unregister each individual algorithm. If an error occurs,
565 the loop is terminated at the offending algorithm definition.
566 That means, the algorithms prior to the offending algorithm
567 are successfully registered. Note, the caller has no way of
568 knowing which cipher implementations have successfully
569 registered. If this is important to know, the caller should
570 loop through the different implementations using the single
571 instance *_alg functions for each individual implementation.
575 <sect1><title>Single-Block Symmetric Ciphers [CIPHER]
</title>
577 Example of transformations: aes, arc4, ...
581 This section describes the simplest of all transformation
582 implementations, that being the CIPHER type used for symmetric
583 ciphers. The CIPHER type is used for transformations which
584 operate on exactly one block at a time and there are no
585 dependencies between blocks at all.
588 <sect2><title>Registration specifics
</title>
590 The registration of [CIPHER] algorithm is specific in that
591 struct crypto_alg field .cra_type is empty. The .cra_u.cipher
592 has to be filled in with proper callbacks to implement this
597 See struct cipher_alg below.
601 <sect2><title>Cipher Definition With struct cipher_alg
</title>
603 Struct cipher_alg defines a single block cipher.
607 Here are schematics of how these functions are called when
608 operated from other part of the kernel. Note that the
609 .cia_setkey() call might happen before or after any of these
610 schematics happen, but must not happen during any of these
616 KEY ---. PLAINTEXT ---.
618 .cia_setkey() -
> .cia_encrypt()
620 '-----
> CIPHERTEXT
625 Please note that a pattern where .cia_setkey() is called
626 multiple times is also valid:
632 KEY1 --. PLAINTEXT1 --. KEY2 --. PLAINTEXT2 --.
634 .cia_setkey() -
> .cia_encrypt() -
> .cia_setkey() -
> .cia_encrypt()
636 '---
> CIPHERTEXT1 '---
> CIPHERTEXT2
643 <sect1><title>Multi-Block Ciphers [BLKCIPHER] [ABLKCIPHER]
</title>
645 Example of transformations: cbc(aes), ecb(arc4), ...
649 This section describes the multi-block cipher transformation
650 implementations for both synchronous [BLKCIPHER] and
651 asynchronous [ABLKCIPHER] case. The multi-block ciphers are
652 used for transformations which operate on scatterlists of
653 data supplied to the transformation functions. They output
654 the result into a scatterlist of data as well.
657 <sect2><title>Registration Specifics
</title>
660 The registration of [BLKCIPHER] or [ABLKCIPHER] algorithms
661 is one of the most standard procedures throughout the crypto API.
665 Note, if a cipher implementation requires a proper alignment
666 of data, the caller should use the functions of
667 crypto_blkcipher_alignmask() or crypto_ablkcipher_alignmask()
668 respectively to identify a memory alignment mask. The kernel
669 crypto API is able to process requests that are unaligned.
670 This implies, however, additional overhead as the kernel
671 crypto API needs to perform the realignment of the data which
672 may imply moving of data.
676 <sect2><title>Cipher Definition With struct blkcipher_alg and ablkcipher_alg
</title>
678 Struct blkcipher_alg defines a synchronous block cipher whereas
679 struct ablkcipher_alg defines an asynchronous block cipher.
683 Please refer to the single block cipher description for schematics
684 of the block cipher usage. The usage patterns are exactly the same
685 for [ABLKCIPHER] and [BLKCIPHER] as they are for plain [CIPHER].
689 <sect2><title>Specifics Of Asynchronous Multi-Block Cipher
</title>
691 There are a couple of specifics to the [ABLKCIPHER] interface.
695 First of all, some of the drivers will want to use the
696 Generic ScatterWalk in case the hardware needs to be fed
697 separate chunks of the scatterlist which contains the
698 plaintext and will contain the ciphertext. Please refer
699 to the ScatterWalk interface offered by the Linux kernel
700 scatter / gather list implementation.
705 <sect1><title>Hashing [HASH]
</title>
708 Example of transformations: crc32, md5, sha1, sha256,...
711 <sect2><title>Registering And Unregistering The Transformation
</title>
714 There are multiple ways to register a HASH transformation,
715 depending on whether the transformation is synchronous [SHASH]
716 or asynchronous [AHASH] and the amount of HASH transformations
717 we are registering. You can find the prototypes defined in
718 include/crypto/internal/hash.h:
722 int crypto_register_ahash(struct ahash_alg *alg);
724 int crypto_register_shash(struct shash_alg *alg);
725 int crypto_register_shashes(struct shash_alg *algs, int count);
729 The respective counterparts for unregistering the HASH
730 transformation are as follows:
734 int crypto_unregister_ahash(struct ahash_alg *alg);
736 int crypto_unregister_shash(struct shash_alg *alg);
737 int crypto_unregister_shashes(struct shash_alg *algs, int count);
741 <sect2><title>Cipher Definition With struct shash_alg and ahash_alg
</title>
743 Here are schematics of how these functions are called when
744 operated from other part of the kernel. Note that the .setkey()
745 call might happen before or after any of these schematics happen,
746 but must not happen during any of these are in-flight. Please note
747 that calling .init() followed immediately by .finish() is also a
748 perfectly valid transformation.
754 .init() -
> .update() -
> .final() ! .update() might not be called
755 ^ | | at all in this scenario.
758 II) DATA -----------.-----------.
760 .init() -
> .update() -
> .finup() ! .update() may not be called
761 ^ | | at all in this scenario.
764 III) DATA -----------.
766 .digest() ! The entire process is handled
767 | by the .digest() call.
768 '---------------
> HASH
772 Here is a schematic of how the .export()/.import() functions are
773 called when used from another part of the kernel.
778 v v ! .update() may not be called
779 .setkey() -
> .init() -
> .update() -
> .export() at all in this scenario.
781 '-----' '--
> PARTIAL_HASH
783 ----------- other transformations happen here -----------
785 PARTIAL_HASH--. DATA1--.
787 .import -
> .update() -
> .final() ! .update() may not be called
788 ^ | | at all in this scenario.
791 PARTIAL_HASH--. DATA2-.
793 .import -
> .finup()
795 '---------------
> HASH2
799 <sect2><title>Specifics Of Asynchronous HASH Transformation
</title>
801 Some of the drivers will want to use the Generic ScatterWalk
802 in case the implementation needs to be fed separate chunks of the
803 scatterlist which contains the input data. The buffer containing
804 the resulting hash will always be properly aligned to
805 .cra_alignmask so there is no need to worry about this.
811 <chapter id=
"API"><title>Programming Interface
</title>
812 <sect1><title>Block Cipher Context Data Structures
</title>
813 !Pinclude/linux/crypto.h Block Cipher Context Data Structures
814 !Finclude/linux/crypto.h aead_request
816 <sect1><title>Block Cipher Algorithm Definitions
</title>
817 !Pinclude/linux/crypto.h Block Cipher Algorithm Definitions
818 !Finclude/linux/crypto.h crypto_alg
819 !Finclude/linux/crypto.h ablkcipher_alg
820 !Finclude/linux/crypto.h aead_alg
821 !Finclude/linux/crypto.h blkcipher_alg
822 !Finclude/linux/crypto.h cipher_alg
823 !Finclude/linux/crypto.h rng_alg
825 <sect1><title>Asynchronous Block Cipher API
</title>
826 !Pinclude/linux/crypto.h Asynchronous Block Cipher API
827 !Finclude/linux/crypto.h crypto_alloc_ablkcipher
828 !Finclude/linux/crypto.h crypto_free_ablkcipher
829 !Finclude/linux/crypto.h crypto_has_ablkcipher
830 !Finclude/linux/crypto.h crypto_ablkcipher_ivsize
831 !Finclude/linux/crypto.h crypto_ablkcipher_blocksize
832 !Finclude/linux/crypto.h crypto_ablkcipher_setkey
833 !Finclude/linux/crypto.h crypto_ablkcipher_reqtfm
834 !Finclude/linux/crypto.h crypto_ablkcipher_encrypt
835 !Finclude/linux/crypto.h crypto_ablkcipher_decrypt
837 <sect1><title>Asynchronous Cipher Request Handle
</title>
838 !Pinclude/linux/crypto.h Asynchronous Cipher Request Handle
839 !Finclude/linux/crypto.h crypto_ablkcipher_reqsize
840 !Finclude/linux/crypto.h ablkcipher_request_set_tfm
841 !Finclude/linux/crypto.h ablkcipher_request_alloc
842 !Finclude/linux/crypto.h ablkcipher_request_free
843 !Finclude/linux/crypto.h ablkcipher_request_set_callback
844 !Finclude/linux/crypto.h ablkcipher_request_set_crypt
846 <sect1><title>Authenticated Encryption With Associated Data (AEAD) Cipher API
</title>
847 !Pinclude/linux/crypto.h Authenticated Encryption With Associated Data (AEAD) Cipher API
848 !Finclude/linux/crypto.h crypto_alloc_aead
849 !Finclude/linux/crypto.h crypto_free_aead
850 !Finclude/linux/crypto.h crypto_aead_ivsize
851 !Finclude/linux/crypto.h crypto_aead_authsize
852 !Finclude/linux/crypto.h crypto_aead_blocksize
853 !Finclude/linux/crypto.h crypto_aead_setkey
854 !Finclude/linux/crypto.h crypto_aead_setauthsize
855 !Finclude/linux/crypto.h crypto_aead_encrypt
856 !Finclude/linux/crypto.h crypto_aead_decrypt
858 <sect1><title>Asynchronous AEAD Request Handle
</title>
859 !Pinclude/linux/crypto.h Asynchronous AEAD Request Handle
860 !Finclude/linux/crypto.h crypto_aead_reqsize
861 !Finclude/linux/crypto.h aead_request_set_tfm
862 !Finclude/linux/crypto.h aead_request_alloc
863 !Finclude/linux/crypto.h aead_request_free
864 !Finclude/linux/crypto.h aead_request_set_callback
865 !Finclude/linux/crypto.h aead_request_set_crypt
866 !Finclude/linux/crypto.h aead_request_set_assoc
868 <sect1><title>Synchronous Block Cipher API
</title>
869 !Pinclude/linux/crypto.h Synchronous Block Cipher API
870 !Finclude/linux/crypto.h crypto_alloc_blkcipher
871 !Finclude/linux/crypto.h crypto_free_blkcipher
872 !Finclude/linux/crypto.h crypto_has_blkcipher
873 !Finclude/linux/crypto.h crypto_blkcipher_name
874 !Finclude/linux/crypto.h crypto_blkcipher_ivsize
875 !Finclude/linux/crypto.h crypto_blkcipher_blocksize
876 !Finclude/linux/crypto.h crypto_blkcipher_setkey
877 !Finclude/linux/crypto.h crypto_blkcipher_encrypt
878 !Finclude/linux/crypto.h crypto_blkcipher_encrypt_iv
879 !Finclude/linux/crypto.h crypto_blkcipher_decrypt
880 !Finclude/linux/crypto.h crypto_blkcipher_decrypt_iv
881 !Finclude/linux/crypto.h crypto_blkcipher_set_iv
882 !Finclude/linux/crypto.h crypto_blkcipher_get_iv
884 <sect1><title>Single Block Cipher API
</title>
885 !Pinclude/linux/crypto.h Single Block Cipher API
886 !Finclude/linux/crypto.h crypto_alloc_cipher
887 !Finclude/linux/crypto.h crypto_free_cipher
888 !Finclude/linux/crypto.h crypto_has_cipher
889 !Finclude/linux/crypto.h crypto_cipher_blocksize
890 !Finclude/linux/crypto.h crypto_cipher_setkey
891 !Finclude/linux/crypto.h crypto_cipher_encrypt_one
892 !Finclude/linux/crypto.h crypto_cipher_decrypt_one
894 <sect1><title>Synchronous Message Digest API
</title>
895 !Pinclude/linux/crypto.h Synchronous Message Digest API
896 !Finclude/linux/crypto.h crypto_alloc_hash
897 !Finclude/linux/crypto.h crypto_free_hash
898 !Finclude/linux/crypto.h crypto_has_hash
899 !Finclude/linux/crypto.h crypto_hash_blocksize
900 !Finclude/linux/crypto.h crypto_hash_digestsize
901 !Finclude/linux/crypto.h crypto_hash_init
902 !Finclude/linux/crypto.h crypto_hash_update
903 !Finclude/linux/crypto.h crypto_hash_final
904 !Finclude/linux/crypto.h crypto_hash_digest
905 !Finclude/linux/crypto.h crypto_hash_setkey
907 <sect1><title>Message Digest Algorithm Definitions
</title>
908 !Pinclude/crypto/hash.h Message Digest Algorithm Definitions
909 !Finclude/crypto/hash.h hash_alg_common
910 !Finclude/crypto/hash.h ahash_alg
911 !Finclude/crypto/hash.h shash_alg
913 <sect1><title>Asynchronous Message Digest API
</title>
914 !Pinclude/crypto/hash.h Asynchronous Message Digest API
915 !Finclude/crypto/hash.h crypto_alloc_ahash
916 !Finclude/crypto/hash.h crypto_free_ahash
917 !Finclude/crypto/hash.h crypto_ahash_init
918 !Finclude/crypto/hash.h crypto_ahash_digestsize
919 !Finclude/crypto/hash.h crypto_ahash_reqtfm
920 !Finclude/crypto/hash.h crypto_ahash_reqsize
921 !Finclude/crypto/hash.h crypto_ahash_setkey
922 !Finclude/crypto/hash.h crypto_ahash_finup
923 !Finclude/crypto/hash.h crypto_ahash_final
924 !Finclude/crypto/hash.h crypto_ahash_digest
925 !Finclude/crypto/hash.h crypto_ahash_export
926 !Finclude/crypto/hash.h crypto_ahash_import
928 <sect1><title>Asynchronous Hash Request Handle
</title>
929 !Pinclude/crypto/hash.h Asynchronous Hash Request Handle
930 !Finclude/crypto/hash.h ahash_request_set_tfm
931 !Finclude/crypto/hash.h ahash_request_alloc
932 !Finclude/crypto/hash.h ahash_request_free
933 !Finclude/crypto/hash.h ahash_request_set_callback
934 !Finclude/crypto/hash.h ahash_request_set_crypt
936 <sect1><title>Synchronous Message Digest API
</title>
937 !Pinclude/crypto/hash.h Synchronous Message Digest API
938 !Finclude/crypto/hash.h crypto_alloc_shash
939 !Finclude/crypto/hash.h crypto_free_shash
940 !Finclude/crypto/hash.h crypto_shash_blocksize
941 !Finclude/crypto/hash.h crypto_shash_digestsize
942 !Finclude/crypto/hash.h crypto_shash_descsize
943 !Finclude/crypto/hash.h crypto_shash_setkey
944 !Finclude/crypto/hash.h crypto_shash_digest
945 !Finclude/crypto/hash.h crypto_shash_export
946 !Finclude/crypto/hash.h crypto_shash_import
947 !Finclude/crypto/hash.h crypto_shash_init
948 !Finclude/crypto/hash.h crypto_shash_update
949 !Finclude/crypto/hash.h crypto_shash_final
950 !Finclude/crypto/hash.h crypto_shash_finup
952 <sect1><title>Crypto API Random Number API
</title>
953 !Pinclude/crypto/rng.h Random number generator API
954 !Finclude/crypto/rng.h crypto_alloc_rng
955 !Finclude/crypto/rng.h crypto_rng_alg
956 !Finclude/crypto/rng.h crypto_free_rng
957 !Finclude/crypto/rng.h crypto_rng_get_bytes
958 !Finclude/crypto/rng.h crypto_rng_reset
959 !Finclude/crypto/rng.h crypto_rng_seedsize
960 !Cinclude/crypto/rng.h
964 <chapter id=
"Code"><title>Code Examples
</title>
965 <sect1><title>Code Example For Asynchronous Block Cipher Operation
</title>
968 struct tcrypt_result {
969 struct completion completion;
973 /* tie all data structures together */
974 struct ablkcipher_def {
975 struct scatterlist sg;
976 struct crypto_ablkcipher *tfm;
977 struct ablkcipher_request *req;
978 struct tcrypt_result result;
981 /* Callback function */
982 static void test_ablkcipher_cb(struct crypto_async_request *req, int error)
984 struct tcrypt_result *result = req-
>data;
986 if (error == -EINPROGRESS)
988 result-
>err = error;
989 complete(
&result-
>completion);
990 pr_info(
"Encryption finished successfully\n");
993 /* Perform cipher operation */
994 static unsigned int test_ablkcipher_encdec(struct ablkcipher_def *ablk,
1000 rc = crypto_ablkcipher_encrypt(ablk-
>req);
1002 rc = crypto_ablkcipher_decrypt(ablk-
>req);
1009 rc = wait_for_completion_interruptible(
1010 &ablk-
>result.completion);
1011 if (!rc
&& !ablk-
>result.err) {
1012 reinit_completion(
&ablk-
>result.completion);
1016 pr_info(
"ablkcipher encrypt returned with %d result %d\n",
1017 rc, ablk-
>result.err);
1020 init_completion(
&ablk-
>result.completion);
1025 /* Initialize and trigger cipher operation */
1026 static int test_ablkcipher(void)
1028 struct ablkcipher_def ablk;
1029 struct crypto_ablkcipher *ablkcipher = NULL;
1030 struct ablkcipher_request *req = NULL;
1031 char *scratchpad = NULL;
1032 char *ivdata = NULL;
1033 unsigned char key[
32];
1036 ablkcipher = crypto_alloc_ablkcipher(
"cbc-aes-aesni",
0,
0);
1037 if (IS_ERR(ablkcipher)) {
1038 pr_info(
"could not allocate ablkcipher handle\n");
1039 return PTR_ERR(ablkcipher);
1042 req = ablkcipher_request_alloc(ablkcipher, GFP_KERNEL);
1044 pr_info(
"could not allocate request queue\n");
1049 ablkcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
1053 /* AES
256 with random key */
1054 get_random_bytes(
&key,
32);
1055 if (crypto_ablkcipher_setkey(ablkcipher, key,
32)) {
1056 pr_info(
"key could not be set\n");
1061 /* IV will be random */
1062 ivdata = kmalloc(
16, GFP_KERNEL);
1064 pr_info(
"could not allocate ivdata\n");
1067 get_random_bytes(ivdata,
16);
1069 /* Input data will be random */
1070 scratchpad = kmalloc(
16, GFP_KERNEL);
1072 pr_info(
"could not allocate scratchpad\n");
1075 get_random_bytes(scratchpad,
16);
1077 ablk.tfm = ablkcipher;
1080 /* We encrypt one block */
1081 sg_init_one(
&ablk.sg, scratchpad,
16);
1082 ablkcipher_request_set_crypt(req,
&ablk.sg,
&ablk.sg,
16, ivdata);
1083 init_completion(
&ablk.result.completion);
1086 ret = test_ablkcipher_encdec(
&ablk,
1);
1090 pr_info(
"Encryption triggered successfully\n");
1094 crypto_free_ablkcipher(ablkcipher);
1096 ablkcipher_request_free(req);
1106 <sect1><title>Code Example For Synchronous Block Cipher Operation
</title>
1109 static int test_blkcipher(void)
1111 struct crypto_blkcipher *blkcipher = NULL;
1112 char *cipher =
"cbc(aes)";
1115 "\x12\x34\x56\x78\x90\xab\xcd\xef\x12\x34\x56\x78\x90\xab\xcd\xef";
1117 "\x12\x34\x56\x78\x90\xab\xcd\xef\x12\x34\x56\x78\x90\xab\xcd\xef";
1118 unsigned int ivsize =
0;
1119 char *scratchpad = NULL; // holds plaintext and ciphertext
1120 struct scatterlist sg;
1121 struct blkcipher_desc desc;
1124 blkcipher = crypto_alloc_blkcipher(cipher,
0,
0);
1125 if (IS_ERR(blkcipher)) {
1126 printk(
"could not allocate blkcipher handle for %s\n", cipher);
1127 return -PTR_ERR(blkcipher);
1130 if (crypto_blkcipher_setkey(blkcipher, key, strlen(key))) {
1131 printk(
"key could not be set\n");
1136 ivsize = crypto_blkcipher_ivsize(blkcipher);
1138 if (ivsize != strlen(iv))
1139 printk(
"IV length differs from expected length\n");
1140 crypto_blkcipher_set_iv(blkcipher, iv, ivsize);
1143 scratchpad = kmalloc(crypto_blkcipher_blocksize(blkcipher), GFP_KERNEL);
1145 printk(
"could not allocate scratchpad for %s\n", cipher);
1148 /* get some random data that we want to encrypt */
1149 get_random_bytes(scratchpad, crypto_blkcipher_blocksize(blkcipher));
1152 desc.tfm = blkcipher;
1153 sg_init_one(
&sg, scratchpad, crypto_blkcipher_blocksize(blkcipher));
1155 /* encrypt data in place */
1156 crypto_blkcipher_encrypt(
&desc,
&sg,
&sg,
1157 crypto_blkcipher_blocksize(blkcipher));
1159 /* decrypt data in place
1160 * crypto_blkcipher_decrypt(
&desc,
&sg,
&sg,
1161 */ crypto_blkcipher_blocksize(blkcipher));
1164 printk(
"Cipher operation completed\n");
1169 crypto_free_blkcipher(blkcipher);
1177 <sect1><title>Code Example For Use of Operational State Memory With SHASH
</title>
1181 struct shash_desc shash;
1185 static struct sdescinit_sdesc(struct crypto_shash *alg)
1190 size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
1191 sdesc = kmalloc(size, GFP_KERNEL);
1193 return ERR_PTR(-ENOMEM);
1194 sdesc-
>shash.tfm = alg;
1195 sdesc-
>shash.flags =
0x0;
1199 static int calc_hash(struct crypto_shashalg,
1200 const unsigned chardata, unsigned int datalen,
1201 unsigned chardigest) {
1205 sdesc = init_sdesc(alg);
1206 if (IS_ERR(sdesc)) {
1207 pr_info(
"trusted_key: can't alloc %s\n", hash_alg);
1208 return PTR_ERR(sdesc);
1211 ret = crypto_shash_digest(
&sdesc-
>shash, data, datalen, digest);
1218 <sect1><title>Code Example For Random Number Generator Usage
</title>
1221 static int get_random_numbers(u8 *buf, unsigned int len)
1223 struct crypto_rngrng = NULL;
1224 chardrbg =
"drbg_nopr_sha256"; /* Hash DRBG with SHA-
256, no PR */
1228 pr_debug(
"No output buffer provided\n");
1232 rng = crypto_alloc_rng(drbg,
0,
0);
1234 pr_debug(
"could not allocate RNG handle for %s\n", drbg);
1235 return -PTR_ERR(rng);
1238 ret = crypto_rng_get_bytes(rng, buf, len);
1240 pr_debug(
"generation of random numbers failed\n");
1242 pr_debug(
"RNG returned no data");
1244 pr_debug(
"RNG returned %d bytes of data\n", ret);
1247 crypto_free_rng(rng);