sha256.c 14 KB

  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /*
  3. * SHA-224, SHA-256, HMAC-SHA224, and HMAC-SHA256 library functions
  4. *
  5. * Copyright (c) Jean-Luc Cooke <jlcooke@certainkey.com>
  6. * Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
  7. * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
  8. * Copyright (c) 2014 Red Hat Inc.
  9. * Copyright 2025 Google LLC
  10. */
  11. #include <crypto/hmac.h>
  12. #include <crypto/sha2.h>
  13. #include <linux/export.h>
  14. #include <linux/kernel.h>
  15. #include <linux/module.h>
  16. #include <linux/string.h>
  17. #include <linux/unaligned.h>
  18. #include <linux/wordpart.h>
  19. #include "fips.h"
/* Initial chaining value for SHA-224. */
static const struct sha256_block_state sha224_iv = {
	.h = {
		[0] = SHA224_H0, [1] = SHA224_H1,
		[2] = SHA224_H2, [3] = SHA224_H3,
		[4] = SHA224_H4, [5] = SHA224_H5,
		[6] = SHA224_H6, [7] = SHA224_H7,
	},
};

/*
 * A complete SHA-256 context in its freshly initialized form (SHA-256 initial
 * chaining value, zero bytes hashed).  sha256_finup_2x() substitutes it when
 * the caller passes a NULL context.
 */
static const struct sha256_ctx initial_sha256_ctx = {
	.ctx = {
		.state = {
			.h = {
				[0] = SHA256_H0, [1] = SHA256_H1,
				[2] = SHA256_H2, [3] = SHA256_H3,
				[4] = SHA256_H4, [5] = SHA256_H5,
				[6] = SHA256_H6, [7] = SHA256_H7,
			},
		},
		.bytecount = 0,
	},
};

/* The SHA-256 initial value is the state embedded in initial_sha256_ctx. */
#define sha256_iv (initial_sha256_ctx.ctx.state)
/*
 * Round constants: SHA256_ROUND adds sha256_K[i] in round i.  The table is
 * only ever indexed by the round counter, never by message data.
 */
static const u32 sha256_K[64] = {
	/*  0 */ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
	/*  4 */ 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
	/*  8 */ 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
	/* 12 */ 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
	/* 16 */ 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
	/* 20 */ 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
	/* 24 */ 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
	/* 28 */ 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
	/* 32 */ 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
	/* 36 */ 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
	/* 40 */ 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
	/* 44 */ 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
	/* 48 */ 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
	/* 52 */ 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
	/* 56 */ 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
	/* 60 */ 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
};
/*
 * SHA-256 logical functions on 32-bit words.  Every macro evaluates its
 * argument(s) more than once, so only pass side-effect-free expressions.
 *
 * Ch:    per bit, sel picks on (sel bit 1) or off (sel bit 0).
 * Maj:   per-bit majority vote of the three inputs.
 * e0/e1: rotation mixes applied to a and e by SHA256_ROUND.
 * s0/s1: rotation/shift mixes applied by BLEND_OP to expand the schedule.
 */
#define Ch(sel, on, off)	((off) ^ ((sel) & ((on) ^ (off))))
#define Maj(p, q, r)		(((p) & (q)) | ((r) & ((p) | (q))))
#define e0(v)	(ror32((v), 2) ^ ror32((v), 13) ^ ror32((v), 22))
#define e1(v)	(ror32((v), 6) ^ ror32((v), 11) ^ ror32((v), 25))
#define s0(v)	(ror32((v), 7) ^ ror32((v), 18) ^ ((v) >> 3))
#define s1(v)	(ror32((v), 17) ^ ror32((v), 19) ^ ((v) >> 10))
/*
 * Read big-endian 32-bit word number I of the block at @input into W[I].
 * The read goes through get_unaligned_be32(), so @input needs no alignment.
 */
static inline void LOAD_OP(int I, u32 *W, const u8 *input)
{
	/* Word I starts 4 * I bytes into the block. */
	const u8 *word = input + 4 * I;

	W[I] = get_unaligned_be32(word);
}
/*
 * Message-schedule expansion: derive W[I] from four earlier schedule words.
 * Reads W[I - 16], so the callers in this file only use it for I >= 16.
 */
static inline void BLEND_OP(int I, u32 *W)
{
	const u32 recent = s1(W[I - 2]);
	const u32 older = s0(W[I - 15]);

	W[I] = recent + W[I - 7] + older + W[I - 16];
}
/*
 * One SHA-256 round.  Updates only d and h; the caller rotates the argument
 * order from round to round instead of shuffling all eight variables.
 * Expands to references to W[] and sha256_K[], which must be in scope at the
 * point of use.
 */
#define SHA256_ROUND(i, a, b, c, d, e, f, g, h)				\
	do {								\
		u32 sum1, sum2;						\
									\
		sum1 = h + e1(e) + Ch(e, f, g) + sha256_K[i] + W[i];	\
		sum2 = e0(a) + Maj(a, b, c);				\
		d += sum1;						\
		h = sum1 + sum2;					\
	} while (0)
/*
 * Compress one 64-byte block at @input into @state.
 *
 * @state: chaining value, updated in place.
 * @input: the block; read with unaligned big-endian loads (see LOAD_OP).
 * @W:     caller-provided scratch for the 64-word message schedule.
 *
 * Loop bounds are constants and sha256_K[]/W[] are indexed only by the round
 * counter, so neither control flow nor table indices depend on the message
 * bytes.  W[] is left holding message-derived words on return; wiping it is
 * the caller's job (sha256_blocks_generic() does so with memzero_explicit()).
 */
static void sha256_block_generic(struct sha256_block_state *state,
				 const u8 *input, u32 W[64])
{
	u32 a, b, c, d, e, f, g, h;
	int i;

	/* load the input: 16 big-endian words into W[0..15] */
	for (i = 0; i < 16; i += 8) {
		LOAD_OP(i + 0, W, input);
		LOAD_OP(i + 1, W, input);
		LOAD_OP(i + 2, W, input);
		LOAD_OP(i + 3, W, input);
		LOAD_OP(i + 4, W, input);
		LOAD_OP(i + 5, W, input);
		LOAD_OP(i + 6, W, input);
		LOAD_OP(i + 7, W, input);
	}

	/* now blend: expand the schedule to W[16..63] */
	for (i = 16; i < 64; i += 8) {
		BLEND_OP(i + 0, W);
		BLEND_OP(i + 1, W);
		BLEND_OP(i + 2, W);
		BLEND_OP(i + 3, W);
		BLEND_OP(i + 4, W);
		BLEND_OP(i + 5, W);
		BLEND_OP(i + 6, W);
		BLEND_OP(i + 7, W);
	}

	/* load the state into our registers */
	a = state->h[0];
	b = state->h[1];
	c = state->h[2];
	d = state->h[3];
	e = state->h[4];
	f = state->h[5];
	g = state->h[6];
	h = state->h[7];

	/*
	 * now iterate: 64 rounds, eight per pass.  The argument list shifts by
	 * one position each round, so after eight rounds the variables are back
	 * in their starting roles.
	 */
	for (i = 0; i < 64; i += 8) {
		SHA256_ROUND(i + 0, a, b, c, d, e, f, g, h);
		SHA256_ROUND(i + 1, h, a, b, c, d, e, f, g);
		SHA256_ROUND(i + 2, g, h, a, b, c, d, e, f);
		SHA256_ROUND(i + 3, f, g, h, a, b, c, d, e);
		SHA256_ROUND(i + 4, e, f, g, h, a, b, c, d);
		SHA256_ROUND(i + 5, d, e, f, g, h, a, b, c);
		SHA256_ROUND(i + 6, c, d, e, f, g, h, a, b);
		SHA256_ROUND(i + 7, b, c, d, e, f, g, h, a);
	}

	/* feed the working variables forward into the chaining value */
	state->h[0] += a;
	state->h[1] += b;
	state->h[2] += c;
	state->h[3] += d;
	state->h[4] += e;
	state->h[5] += f;
	state->h[6] += g;
	state->h[7] += h;
}
/*
 * Portable multi-block compression: feed @nblocks consecutive
 * SHA256_BLOCK_SIZE-byte blocks starting at @data into @state.
 *
 * @nblocks must be at least 1.  The count is only tested after a block has
 * been processed, so passing 0 would wrap the counter and read far past the
 * end of @data.  Every call in this file passes 1 or a count already checked
 * to be nonzero.
 *
 * The message schedule is wiped before returning so that message-derived
 * words do not stay behind on the stack.
 */
static void __maybe_unused
sha256_blocks_generic(struct sha256_block_state *state,
		      const u8 *data, size_t nblocks)
{
	u32 W[64];
	const u8 *block = data;

	for (;;) {
		sha256_block_generic(state, block, W);
		block += SHA256_BLOCK_SIZE;
		if (--nblocks == 0)
			break;
	}
	memzero_explicit(W, sizeof(W));
}
/*
 * Choose the block function used by everything below.  With
 * CONFIG_CRYPTO_LIB_SHA256_ARCH set (and not in a pre-boot build, i.e.
 * __DISABLE_EXPORTS undefined) the architecture's sha256.h is pulled in,
 * which presumably supplies sha256_blocks() itself -- confirm against the
 * arch header.  Otherwise sha256_blocks is simply the generic code above.
 */
#if defined(CONFIG_CRYPTO_LIB_SHA256_ARCH) && !defined(__DISABLE_EXPORTS)
#include "sha256.h" /* $(SRCARCH)/sha256.h */
#else
#define sha256_blocks sha256_blocks_generic
#endif
/*
 * Start a hash from chaining value @iv with @initial_bytecount bytes counted
 * as already hashed.  The HMAC code passes a precomputed state and
 * SHA256_BLOCK_SIZE here to account for the key block it absorbed earlier.
 * ctx->buf is not touched.
 */
static void __sha256_init(struct __sha256_ctx *ctx,
			  const struct sha256_block_state *iv,
			  u64 initial_bytecount)
{
	ctx->bytecount = initial_bytecount;
	ctx->state = *iv;
}
/* Prepare @ctx for a new SHA-224 computation (SHA-224 IV, zero bytes hashed). */
void sha224_init(struct sha224_ctx *ctx)
{
	struct __sha256_ctx *inner = &ctx->ctx;

	__sha256_init(inner, &sha224_iv, 0);
}
EXPORT_SYMBOL_GPL(sha224_init);
/* Prepare @ctx for a new SHA-256 computation (SHA-256 IV, zero bytes hashed). */
void sha256_init(struct sha256_ctx *ctx)
{
	struct __sha256_ctx *inner = &ctx->ctx;

	__sha256_init(inner, &sha256_iv, 0);
}
EXPORT_SYMBOL_GPL(sha256_init);
/*
 * Absorb @len bytes from @data into @ctx.
 *
 * Bytes that do not yet complete a block wait in ctx->buf.  Once a block can
 * be completed, the buffered part is topped up and compressed, any further
 * whole blocks are compressed straight from @data without copying, and the
 * remainder (fewer than SHA256_BLOCK_SIZE bytes) is buffered for next time.
 * @data is not read when @len is 0.
 */
void __sha256_update(struct __sha256_ctx *ctx, const u8 *data, size_t len)
{
	size_t buffered = ctx->bytecount % SHA256_BLOCK_SIZE;
	size_t nblocks;

	ctx->bytecount += len;

	if (buffered + len < SHA256_BLOCK_SIZE) {
		/* Still short of a full block: just extend the buffer. */
		if (len)
			memcpy(&ctx->buf[buffered], data, len);
		return;
	}

	if (buffered) {
		/* Complete the pending block and compress it. */
		size_t fill = SHA256_BLOCK_SIZE - buffered;

		memcpy(&ctx->buf[buffered], data, fill);
		data += fill;
		len -= fill;
		sha256_blocks(&ctx->state, ctx->buf, 1);
	}

	nblocks = len / SHA256_BLOCK_SIZE;
	len %= SHA256_BLOCK_SIZE;
	if (nblocks) {
		sha256_blocks(&ctx->state, data, nblocks);
		data += nblocks * SHA256_BLOCK_SIZE;
	}

	/* Whatever is left starts a new partial block at offset 0. */
	if (len)
		memcpy(&ctx->buf[0], data, len);
}
EXPORT_SYMBOL(__sha256_update);
/*
 * Apply the final padding (0x80, zeros, 64-bit big-endian bit length), run the
 * last compression(s) and store the first @digest_size bytes of the state in
 * @out as big-endian words.
 *
 * The output loop writes whole 32-bit words, so @digest_size is expected to
 * be a multiple of 4 that fits the eight state words; this file only passes
 * SHA224_DIGEST_SIZE and SHA256_DIGEST_SIZE.
 *
 * @ctx is not wiped here.  sha224_final(), sha256_final() and
 * __hmac_sha256_final() clear their context after calling this.
 */
static void __sha256_final(struct __sha256_ctx *ctx,
			   u8 *out, size_t digest_size)
{
	const size_t length_offset = SHA256_BLOCK_SIZE - 8;
	u64 bitcount = ctx->bytecount << 3;
	size_t pos = ctx->bytecount % SHA256_BLOCK_SIZE;

	ctx->buf[pos++] = 0x80;
	if (pos > length_offset) {
		/* No room left for the length field: pad out an extra block. */
		memset(&ctx->buf[pos], 0, SHA256_BLOCK_SIZE - pos);
		sha256_blocks(&ctx->state, ctx->buf, 1);
		pos = 0;
	}
	memset(&ctx->buf[pos], 0, length_offset - pos);
	*(__be64 *)&ctx->buf[length_offset] = cpu_to_be64(bitcount);
	sha256_blocks(&ctx->state, ctx->buf, 1);

	for (size_t off = 0; off < digest_size; off += 4)
		put_unaligned_be32(ctx->state.h[off / 4], out + off);
}
/*
 * Finish a SHA-224 computation and write the digest to @out.  The whole
 * context is wiped afterwards, so @ctx must be re-initialized before reuse.
 */
void sha224_final(struct sha224_ctx *ctx, u8 out[SHA224_DIGEST_SIZE])
{
	struct __sha256_ctx *inner = &ctx->ctx;

	__sha256_final(inner, out, SHA224_DIGEST_SIZE);
	memzero_explicit(ctx, sizeof(*ctx));
}
EXPORT_SYMBOL(sha224_final);
/*
 * Finish a SHA-256 computation and write the digest to @out.  The whole
 * context is wiped afterwards, so @ctx must be re-initialized before reuse.
 */
void sha256_final(struct sha256_ctx *ctx, u8 out[SHA256_DIGEST_SIZE])
{
	struct __sha256_ctx *inner = &ctx->ctx;

	__sha256_final(inner, out, SHA256_DIGEST_SIZE);
	memzero_explicit(ctx, sizeof(*ctx));
}
EXPORT_SYMBOL(sha256_final);
/*
 * One-shot SHA-224 of @len bytes at @data.  The temporary context lives on
 * the stack and is wiped by sha224_final().
 */
void sha224(const u8 *data, size_t len, u8 out[SHA224_DIGEST_SIZE])
{
	struct sha224_ctx hash_ctx;

	sha224_init(&hash_ctx);
	sha224_update(&hash_ctx, data, len);
	sha224_final(&hash_ctx, out);
}
EXPORT_SYMBOL(sha224);
/*
 * One-shot SHA-256 of @len bytes at @data.  The temporary context lives on
 * the stack and is wiped by sha256_final().
 */
void sha256(const u8 *data, size_t len, u8 out[SHA256_DIGEST_SIZE])
{
	struct sha256_ctx hash_ctx;

	sha256_init(&hash_ctx);
	sha256_update(&hash_ctx, data, len);
	sha256_final(&hash_ctx, out);
}
EXPORT_SYMBOL(sha256);
  232. /*
  233. * Pre-boot environments (as indicated by __DISABLE_EXPORTS being defined) just
  234. * need the generic SHA-256 code. Omit all other features from them.
  235. */
  236. #ifndef __DISABLE_EXPORTS
#ifndef sha256_finup_2x_arch
/*
 * Stand-ins used when no sha256_finup_2x_arch macro has been defined
 * (presumably by the architecture header included above -- confirm there).
 * Returning false makes sha256_finup_2x() take the sequential path.
 */
static bool sha256_finup_2x_arch(const struct __sha256_ctx *ctx,
				 const u8 *data1, const u8 *data2, size_t len,
				 u8 out1[SHA256_DIGEST_SIZE],
				 u8 out2[SHA256_DIGEST_SIZE])
{
	/* Nothing was computed; neither output buffer has been written. */
	return false;
}

/* No optimized two-message implementation is available in this build. */
static bool sha256_finup_2x_is_optimized_arch(void)
{
	return false;
}
#endif
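/*
 * Sequential fallback implementation of sha256_finup_2x().
 *
 * Finishes two hashes that share the starting state @ctx: one over @data1 and
 * one over @data2, both @len bytes long.  @ctx is const, so the work is done
 * on a stack copy that is reset from @ctx before the second message.
 */
static noinline_for_stack void sha256_finup_2x_sequential(
	const struct __sha256_ctx *ctx, const u8 *data1, const u8 *data2,
	size_t len, u8 out1[SHA256_DIGEST_SIZE], u8 out2[SHA256_DIGEST_SIZE])
{
	struct __sha256_ctx mut_ctx;

	mut_ctx = *ctx;
	__sha256_update(&mut_ctx, data1, len);
	__sha256_final(&mut_ctx, out1, SHA256_DIGEST_SIZE);

	mut_ctx = *ctx;
	__sha256_update(&mut_ctx, data2, len);
	__sha256_final(&mut_ctx, out2, SHA256_DIGEST_SIZE);

	/*
	 * __sha256_final() does not clear its context.  Wipe the copy, as
	 * sha256_final() does, so the hash state and the buffered tail of the
	 * message do not linger on the stack.
	 */
	memzero_explicit(&mut_ctx, sizeof(mut_ctx));
}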
/*
 * Finish two SHA-256 hashes that continue from the same context: @out1 gets
 * the digest for @data1 and @out2 the digest for @data2.  Both messages are
 * @len bytes long.
 *
 * @ctx may be NULL, meaning a freshly initialized SHA-256 context.  @ctx is
 * const: it is neither modified nor wiped by this call.
 */
void sha256_finup_2x(const struct sha256_ctx *ctx, const u8 *data1,
		     const u8 *data2, size_t len, u8 out1[SHA256_DIGEST_SIZE],
		     u8 out2[SHA256_DIGEST_SIZE])
{
	const struct sha256_ctx *base = ctx;

	if (base == NULL)
		base = &initial_sha256_ctx;

	/* Use the sequential code only if the arch hook declined the job. */
	if (unlikely(!sha256_finup_2x_arch(&base->ctx, data1, data2, len,
					   out1, out2)))
		sha256_finup_2x_sequential(&base->ctx, data1, data2, len,
					   out1, out2);
}
EXPORT_SYMBOL_GPL(sha256_finup_2x);
/*
 * Report whether sha256_finup_2x() is backed by an optimized implementation,
 * as answered by the arch hook (always false for the generic stub).
 */
bool sha256_finup_2x_is_optimized(void)
{
	bool optimized = sha256_finup_2x_is_optimized_arch();

	return optimized;
}
EXPORT_SYMBOL_GPL(sha256_finup_2x_is_optimized);
/*
 * Precompute the two HMAC starting states for a key.
 *
 * The key is zero-padded to one block; a key longer than a block is first
 * replaced by its own hash (SHA-224 when @iv is the SHA-224 IV, SHA-256
 * otherwise).  @istate is @iv after compressing (key ^ ipad) and @ostate is
 * @iv after compressing (key ^ opad).
 *
 * Both states are derived from the key and are all that __hmac_sha256_init()
 * and __hmac_sha256_final() need to produce MACs, so handle them as key
 * material.  The padded key itself is wiped before returning.
 */
static void __hmac_sha256_preparekey(struct sha256_block_state *istate,
				     struct sha256_block_state *ostate,
				     const u8 *raw_key, size_t raw_key_len,
				     const struct sha256_block_state *iv)
{
	const unsigned long ipad_mask = REPEAT_BYTE(HMAC_IPAD_VALUE);
	/* XORing this onto (key ^ ipad) yields (key ^ opad) in one pass. */
	const unsigned long ipad_to_opad_mask =
		REPEAT_BYTE(HMAC_OPAD_VALUE ^ HMAC_IPAD_VALUE);
	union {
		u8 b[SHA256_BLOCK_SIZE];
		unsigned long w[SHA256_BLOCK_SIZE / sizeof(unsigned long)];
	} derived_key = { 0 };
	size_t i;

	if (likely(raw_key_len <= SHA256_BLOCK_SIZE))
		memcpy(derived_key.b, raw_key, raw_key_len);
	else if (iv == &sha224_iv)
		sha224(raw_key, raw_key_len, derived_key.b);
	else
		sha256(raw_key, raw_key_len, derived_key.b);

	for (i = 0; i < ARRAY_SIZE(derived_key.w); i++)
		derived_key.w[i] ^= ipad_mask;
	*istate = *iv;
	sha256_blocks(istate, derived_key.b, 1);

	for (i = 0; i < ARRAY_SIZE(derived_key.w); i++)
		derived_key.w[i] ^= ipad_to_opad_mask;
	*ostate = *iv;
	sha256_blocks(ostate, derived_key.b, 1);

	memzero_explicit(&derived_key, sizeof(derived_key));
}
/*
 * Turn a raw HMAC-SHA224 key into its prepared form in @key.  The prepared
 * key is sufficient to compute MACs, so it deserves the same care as the raw
 * key (e.g. memzero_explicit() once it is no longer needed).
 */
void hmac_sha224_preparekey(struct hmac_sha224_key *key,
			    const u8 *raw_key, size_t raw_key_len)
{
	struct sha256_block_state *inner = &key->key.istate;
	struct sha256_block_state *outer = &key->key.ostate;

	__hmac_sha256_preparekey(inner, outer, raw_key, raw_key_len,
				 &sha224_iv);
}
EXPORT_SYMBOL_GPL(hmac_sha224_preparekey);
/*
 * Turn a raw HMAC-SHA256 key into its prepared form in @key.  The prepared
 * key is sufficient to compute MACs, so it deserves the same care as the raw
 * key (e.g. memzero_explicit() once it is no longer needed).
 */
void hmac_sha256_preparekey(struct hmac_sha256_key *key,
			    const u8 *raw_key, size_t raw_key_len)
{
	struct sha256_block_state *inner = &key->key.istate;
	struct sha256_block_state *outer = &key->key.ostate;

	__hmac_sha256_preparekey(inner, outer, raw_key, raw_key_len,
				 &sha256_iv);
}
EXPORT_SYMBOL_GPL(hmac_sha256_preparekey);
/*
 * Start an HMAC computation from a prepared key.  The inner hash resumes from
 * key->istate with one block already counted (the ipad-masked key block that
 * preparekey absorbed); key->ostate is copied for use at finalization.
 */
void __hmac_sha256_init(struct __hmac_sha256_ctx *ctx,
			const struct __hmac_sha256_key *key)
{
	ctx->ostate = key->ostate;
	__sha256_init(&ctx->sha_ctx, &key->istate, SHA256_BLOCK_SIZE);
}
EXPORT_SYMBOL_GPL(__hmac_sha256_init);
/*
 * Start an HMAC-SHA224 computation directly from a raw key: the inner and
 * outer states are derived straight into @ctx, without an intermediate
 * prepared-key object.
 */
void hmac_sha224_init_usingrawkey(struct hmac_sha224_ctx *ctx,
				  const u8 *raw_key, size_t raw_key_len)
{
	struct __hmac_sha256_ctx *hmac = &ctx->ctx;

	__hmac_sha256_preparekey(&hmac->sha_ctx.state, &hmac->ostate,
				 raw_key, raw_key_len, &sha224_iv);
	/* The inner state has already absorbed the ipad-masked key block. */
	hmac->sha_ctx.bytecount = SHA256_BLOCK_SIZE;
}
EXPORT_SYMBOL_GPL(hmac_sha224_init_usingrawkey);
/*
 * Start an HMAC-SHA256 computation directly from a raw key: the inner and
 * outer states are derived straight into @ctx, without an intermediate
 * prepared-key object.
 */
void hmac_sha256_init_usingrawkey(struct hmac_sha256_ctx *ctx,
				  const u8 *raw_key, size_t raw_key_len)
{
	struct __hmac_sha256_ctx *hmac = &ctx->ctx;

	__hmac_sha256_preparekey(&hmac->sha_ctx.state, &hmac->ostate,
				 raw_key, raw_key_len, &sha256_iv);
	/* The inner state has already absorbed the ipad-masked key block. */
	hmac->sha_ctx.bytecount = SHA256_BLOCK_SIZE;
}
EXPORT_SYMBOL_GPL(hmac_sha256_init_usingrawkey);
/*
 * Finish an HMAC computation and write @digest_size bytes of MAC to @out.
 *
 * The inner digest is written into the context's own block buffer and padded
 * there into the single block the outer hash still has to process, so one
 * compression from ctx->ostate produces the result.  The context, which
 * holds key-derived state, is wiped before returning.
 */
static void __hmac_sha256_final(struct __hmac_sha256_ctx *ctx,
				u8 *out, size_t digest_size)
{
	u8 *block = ctx->sha_ctx.buf;

	/* Generate the padded input for the outer hash in ctx->sha_ctx.buf. */
	__sha256_final(&ctx->sha_ctx, block, digest_size);
	memset(&block[digest_size], 0, SHA256_BLOCK_SIZE - digest_size);
	block[digest_size] = 0x80;
	/* Outer message = one key block + the inner digest, length in bits. */
	*(__be32 *)&block[SHA256_BLOCK_SIZE - 4] =
		cpu_to_be32(8 * (SHA256_BLOCK_SIZE + digest_size));

	/* Compute the outer hash, which gives the HMAC value. */
	sha256_blocks(&ctx->ostate, block, 1);
	for (size_t off = 0; off < digest_size; off += 4)
		put_unaligned_be32(ctx->ostate.h[off / 4], out + off);

	memzero_explicit(ctx, sizeof(*ctx));
}
/*
 * Finish an HMAC-SHA224 computation and write the MAC to @out.  @ctx is
 * wiped by __hmac_sha256_final() and must be re-initialized before reuse.
 */
void hmac_sha224_final(struct hmac_sha224_ctx *ctx,
		       u8 out[SHA224_DIGEST_SIZE])
{
	struct __hmac_sha256_ctx *hmac = &ctx->ctx;

	__hmac_sha256_final(hmac, out, SHA224_DIGEST_SIZE);
}
EXPORT_SYMBOL_GPL(hmac_sha224_final);
/*
 * Finish an HMAC-SHA256 computation and write the MAC to @out.  @ctx is
 * wiped by __hmac_sha256_final() and must be re-initialized before reuse.
 */
void hmac_sha256_final(struct hmac_sha256_ctx *ctx,
		       u8 out[SHA256_DIGEST_SIZE])
{
	struct __hmac_sha256_ctx *hmac = &ctx->ctx;

	__hmac_sha256_final(hmac, out, SHA256_DIGEST_SIZE);
}
EXPORT_SYMBOL_GPL(hmac_sha256_final);
/*
 * One-shot HMAC-SHA224 of @data_len bytes at @data using a prepared key.
 * The stack context is wiped on the way out by the final step.
 *
 * When the result is checked against a MAC received from elsewhere, compare
 * with a constant-time helper such as crypto_memneq(), not memcmp().
 */
void hmac_sha224(const struct hmac_sha224_key *key,
		 const u8 *data, size_t data_len, u8 out[SHA224_DIGEST_SIZE])
{
	struct hmac_sha224_ctx mac_ctx;

	hmac_sha224_init(&mac_ctx, key);
	hmac_sha224_update(&mac_ctx, data, data_len);
	hmac_sha224_final(&mac_ctx, out);
}
EXPORT_SYMBOL_GPL(hmac_sha224);
/*
 * One-shot HMAC-SHA256 of @data_len bytes at @data using a prepared key.
 * The stack context is wiped on the way out by the final step.
 *
 * When the result is checked against a MAC received from elsewhere, compare
 * with a constant-time helper such as crypto_memneq(), not memcmp().
 */
void hmac_sha256(const struct hmac_sha256_key *key,
		 const u8 *data, size_t data_len, u8 out[SHA256_DIGEST_SIZE])
{
	struct hmac_sha256_ctx mac_ctx;

	hmac_sha256_init(&mac_ctx, key);
	hmac_sha256_update(&mac_ctx, data, data_len);
	hmac_sha256_final(&mac_ctx, out);
}
EXPORT_SYMBOL_GPL(hmac_sha256);
/*
 * One-shot HMAC-SHA224 from a raw key.  The key is processed again on every
 * call; a caller reusing one key can run hmac_sha224_preparekey() once and
 * then call hmac_sha224().  The stack context is wiped by the final step.
 */
void hmac_sha224_usingrawkey(const u8 *raw_key, size_t raw_key_len,
			     const u8 *data, size_t data_len,
			     u8 out[SHA224_DIGEST_SIZE])
{
	struct hmac_sha224_ctx mac_ctx;

	hmac_sha224_init_usingrawkey(&mac_ctx, raw_key, raw_key_len);
	hmac_sha224_update(&mac_ctx, data, data_len);
	hmac_sha224_final(&mac_ctx, out);
}
EXPORT_SYMBOL_GPL(hmac_sha224_usingrawkey);
/*
 * One-shot HMAC-SHA256 from a raw key.  The key is processed again on every
 * call; a caller reusing one key can run hmac_sha256_preparekey() once and
 * then call hmac_sha256().  The stack context is wiped by the final step.
 */
void hmac_sha256_usingrawkey(const u8 *raw_key, size_t raw_key_len,
			     const u8 *data, size_t data_len,
			     u8 out[SHA256_DIGEST_SIZE])
{
	struct hmac_sha256_ctx mac_ctx;

	hmac_sha256_init_usingrawkey(&mac_ctx, raw_key, raw_key_len);
	hmac_sha256_update(&mac_ctx, data, data_len);
	hmac_sha256_final(&mac_ctx, out);
}
EXPORT_SYMBOL_GPL(hmac_sha256_usingrawkey);
  411. #if defined(sha256_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
/*
 * Init hook: run the arch-specific setup if one is defined, then, in FIPS
 * mode, a known-answer self-test.  A mismatch panics, so a broken
 * implementation is never put to use.
 */
static int __init sha256_mod_init(void)
{
	u8 mac[SHA256_DIGEST_SIZE];

#ifdef sha256_mod_init_arch
	sha256_mod_init_arch();
#endif
	if (!fips_enabled)
		return 0;

	/*
	 * FIPS cryptographic algorithm self-test.  As per the FIPS
	 * Implementation Guidance, testing HMAC-SHA256 satisfies the
	 * test requirement for SHA-224, SHA-256, and HMAC-SHA224 too.
	 *
	 * Key, data and expected value are fixed test vectors (presumably
	 * from fips.h), so a plain memcmp() is adequate for this check.
	 */
	hmac_sha256_usingrawkey(fips_test_key, sizeof(fips_test_key),
				fips_test_data, sizeof(fips_test_data),
				mac);
	if (memcmp(fips_test_hmac_sha256_value, mac, sizeof(mac)) != 0)
		panic("sha256: FIPS self-test failed\n");

	return 0;
}
subsys_initcall(sha256_mod_init);
/* Exit hook paired with sha256_mod_init(); there is nothing to tear down. */
static void __exit sha256_mod_exit(void)
{
	/* intentionally empty */
}
module_exit(sha256_mod_exit);
  437. #endif
  438. #endif /* !__DISABLE_EXPORTS */
  439. MODULE_DESCRIPTION("SHA-224, SHA-256, HMAC-SHA224, and HMAC-SHA256 library functions");
  440. MODULE_LICENSE("GPL");