1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * Common values for SHA-2 algorithms
4 */
5
6 #ifndef _CRYPTO_SHA2_H
7 #define _CRYPTO_SHA2_H
8
9 #include <linux/types.h>
10
11 #define SHA224_DIGEST_SIZE 28
12 #define SHA224_BLOCK_SIZE 64
13
14 #define SHA256_DIGEST_SIZE 32
15 #define SHA256_BLOCK_SIZE 64
16 #define SHA256_STATE_WORDS 8
17
18 #define SHA384_DIGEST_SIZE 48
19 #define SHA384_BLOCK_SIZE 128
20
21 #define SHA512_DIGEST_SIZE 64
22 #define SHA512_BLOCK_SIZE 128
23 #define SHA512_STATE_SIZE 80
24
25 #define SHA224_H0 0xc1059ed8UL
26 #define SHA224_H1 0x367cd507UL
27 #define SHA224_H2 0x3070dd17UL
28 #define SHA224_H3 0xf70e5939UL
29 #define SHA224_H4 0xffc00b31UL
30 #define SHA224_H5 0x68581511UL
31 #define SHA224_H6 0x64f98fa7UL
32 #define SHA224_H7 0xbefa4fa4UL
33
34 #define SHA256_H0 0x6a09e667UL
35 #define SHA256_H1 0xbb67ae85UL
36 #define SHA256_H2 0x3c6ef372UL
37 #define SHA256_H3 0xa54ff53aUL
38 #define SHA256_H4 0x510e527fUL
39 #define SHA256_H5 0x9b05688cUL
40 #define SHA256_H6 0x1f83d9abUL
41 #define SHA256_H7 0x5be0cd19UL
42
43 #define SHA384_H0 0xcbbb9d5dc1059ed8ULL
44 #define SHA384_H1 0x629a292a367cd507ULL
45 #define SHA384_H2 0x9159015a3070dd17ULL
46 #define SHA384_H3 0x152fecd8f70e5939ULL
47 #define SHA384_H4 0x67332667ffc00b31ULL
48 #define SHA384_H5 0x8eb44a8768581511ULL
49 #define SHA384_H6 0xdb0c2e0d64f98fa7ULL
50 #define SHA384_H7 0x47b5481dbefa4fa4ULL
51
52 #define SHA512_H0 0x6a09e667f3bcc908ULL
53 #define SHA512_H1 0xbb67ae8584caa73bULL
54 #define SHA512_H2 0x3c6ef372fe94f82bULL
55 #define SHA512_H3 0xa54ff53a5f1d36f1ULL
56 #define SHA512_H4 0x510e527fade682d1ULL
57 #define SHA512_H5 0x9b05688c2b3e6c1fULL
58 #define SHA512_H6 0x1f83d9abfb41bd6bULL
59 #define SHA512_H7 0x5be0cd19137e2179ULL
60
61 extern const u8 sha224_zero_message_hash[SHA224_DIGEST_SIZE];
62
63 extern const u8 sha256_zero_message_hash[SHA256_DIGEST_SIZE];
64
65 extern const u8 sha384_zero_message_hash[SHA384_DIGEST_SIZE];
66
67 extern const u8 sha512_zero_message_hash[SHA512_DIGEST_SIZE];
68
69 struct crypto_sha256_state {
70 u32 state[SHA256_STATE_WORDS];
71 u64 count;
72 };
73
sha224_block_init(struct crypto_sha256_state * sctx)74 static inline void sha224_block_init(struct crypto_sha256_state *sctx)
75 {
76 sctx->state[0] = SHA224_H0;
77 sctx->state[1] = SHA224_H1;
78 sctx->state[2] = SHA224_H2;
79 sctx->state[3] = SHA224_H3;
80 sctx->state[4] = SHA224_H4;
81 sctx->state[5] = SHA224_H5;
82 sctx->state[6] = SHA224_H6;
83 sctx->state[7] = SHA224_H7;
84 sctx->count = 0;
85 }
86
sha256_block_init(struct crypto_sha256_state * sctx)87 static inline void sha256_block_init(struct crypto_sha256_state *sctx)
88 {
89 sctx->state[0] = SHA256_H0;
90 sctx->state[1] = SHA256_H1;
91 sctx->state[2] = SHA256_H2;
92 sctx->state[3] = SHA256_H3;
93 sctx->state[4] = SHA256_H4;
94 sctx->state[5] = SHA256_H5;
95 sctx->state[6] = SHA256_H6;
96 sctx->state[7] = SHA256_H7;
97 sctx->count = 0;
98 }
99
100 struct sha256_state {
101 union {
102 struct crypto_sha256_state ctx;
103 struct {
104 u32 state[SHA256_STATE_WORDS];
105 u64 count;
106 };
107 };
108 u8 buf[SHA256_BLOCK_SIZE];
109 };
110
111 struct sha512_state {
112 u64 state[SHA512_DIGEST_SIZE / 8];
113 u64 count[2];
114 u8 buf[SHA512_BLOCK_SIZE];
115 };
116
117 /* State for the SHA-256 (and SHA-224) compression function */
118 struct sha256_block_state {
119 u32 h[SHA256_STATE_WORDS];
120 };
121
122 /*
123 * Context structure, shared by SHA-224 and SHA-256. The sha224_ctx and
124 * sha256_ctx structs wrap this one so that the API has proper typing and
125 * doesn't allow mixing the SHA-224 and SHA-256 functions arbitrarily.
126 */
127 struct __sha256_ctx {
128 struct sha256_block_state state;
129 u64 bytecount;
130 u8 buf[SHA256_BLOCK_SIZE] __aligned(__alignof__(__be64));
131 };
132 void __sha256_update(struct __sha256_ctx *ctx, const u8 *data, size_t len);
133
134 /*
135 * HMAC key and message context structs, shared by HMAC-SHA224 and HMAC-SHA256.
136 * The hmac_sha224_* and hmac_sha256_* structs wrap this one so that the API has
137 * proper typing and doesn't allow mixing the functions arbitrarily.
138 */
139 struct __hmac_sha256_key {
140 struct sha256_block_state istate;
141 struct sha256_block_state ostate;
142 };
143 struct __hmac_sha256_ctx {
144 struct __sha256_ctx sha_ctx;
145 struct sha256_block_state ostate;
146 };
147 void __hmac_sha256_init(struct __hmac_sha256_ctx *ctx,
148 const struct __hmac_sha256_key *key);
149
150 /**
151 * struct sha224_ctx - Context for hashing a message with SHA-224
152 * @ctx: private
153 */
154 struct sha224_ctx {
155 struct __sha256_ctx ctx;
156 };
157
158 /**
159 * sha224_init() - Initialize a SHA-224 context for a new message
160 * @ctx: the context to initialize
161 *
162 * If you don't need incremental computation, consider sha224() instead.
163 *
164 * Context: Any context.
165 */
166 void sha224_init(struct sha224_ctx *ctx);
167
168 /**
169 * sha224_update() - Update a SHA-224 context with message data
170 * @ctx: the context to update; must have been initialized
171 * @data: the message data
172 * @len: the data length in bytes
173 *
174 * This can be called any number of times.
175 *
176 * Context: Any context.
177 */
sha224_update(struct sha224_ctx * ctx,const u8 * data,size_t len)178 static inline void sha224_update(struct sha224_ctx *ctx,
179 const u8 *data, size_t len)
180 {
181 __sha256_update(&ctx->ctx, data, len);
182 }
183
184 /**
185 * sha224_final() - Finish computing a SHA-224 message digest
186 * @ctx: the context to finalize; must have been initialized
187 * @out: (output) the resulting SHA-224 message digest
188 *
189 * After finishing, this zeroizes @ctx. So the caller does not need to do it.
190 *
191 * Context: Any context.
192 */
193 void sha224_final(struct sha224_ctx *ctx, u8 out[at_least SHA224_DIGEST_SIZE]);
194
195 /**
196 * sha224() - Compute SHA-224 message digest in one shot
197 * @data: the message data
198 * @len: the data length in bytes
199 * @out: (output) the resulting SHA-224 message digest
200 *
201 * Context: Any context.
202 */
203 void sha224(const u8 *data, size_t len, u8 out[at_least SHA224_DIGEST_SIZE]);
204
205 /**
206 * struct hmac_sha224_key - Prepared key for HMAC-SHA224
207 * @key: private
208 */
209 struct hmac_sha224_key {
210 struct __hmac_sha256_key key;
211 };
212
213 /**
214 * struct hmac_sha224_ctx - Context for computing HMAC-SHA224 of a message
215 * @ctx: private
216 */
217 struct hmac_sha224_ctx {
218 struct __hmac_sha256_ctx ctx;
219 };
220
221 /**
222 * hmac_sha224_preparekey() - Prepare a key for HMAC-SHA224
223 * @key: (output) the key structure to initialize
224 * @raw_key: the raw HMAC-SHA224 key
225 * @raw_key_len: the key length in bytes. All key lengths are supported.
226 *
227 * Note: the caller is responsible for zeroizing both the struct hmac_sha224_key
228 * and the raw key once they are no longer needed.
229 *
230 * Context: Any context.
231 */
232 void hmac_sha224_preparekey(struct hmac_sha224_key *key,
233 const u8 *raw_key, size_t raw_key_len);
234
235 /**
236 * hmac_sha224_init() - Initialize an HMAC-SHA224 context for a new message
237 * @ctx: (output) the HMAC context to initialize
238 * @key: the prepared HMAC key
239 *
240 * If you don't need incremental computation, consider hmac_sha224() instead.
241 *
242 * Context: Any context.
243 */
hmac_sha224_init(struct hmac_sha224_ctx * ctx,const struct hmac_sha224_key * key)244 static inline void hmac_sha224_init(struct hmac_sha224_ctx *ctx,
245 const struct hmac_sha224_key *key)
246 {
247 __hmac_sha256_init(&ctx->ctx, &key->key);
248 }
249
250 /**
251 * hmac_sha224_init_usingrawkey() - Initialize an HMAC-SHA224 context for a new
252 * message, using a raw key
253 * @ctx: (output) the HMAC context to initialize
254 * @raw_key: the raw HMAC-SHA224 key
255 * @raw_key_len: the key length in bytes. All key lengths are supported.
256 *
257 * If you don't need incremental computation, consider hmac_sha224_usingrawkey()
258 * instead.
259 *
260 * Context: Any context.
261 */
262 void hmac_sha224_init_usingrawkey(struct hmac_sha224_ctx *ctx,
263 const u8 *raw_key, size_t raw_key_len);
264
265 /**
266 * hmac_sha224_update() - Update an HMAC-SHA224 context with message data
267 * @ctx: the HMAC context to update; must have been initialized
268 * @data: the message data
269 * @data_len: the data length in bytes
270 *
271 * This can be called any number of times.
272 *
273 * Context: Any context.
274 */
hmac_sha224_update(struct hmac_sha224_ctx * ctx,const u8 * data,size_t data_len)275 static inline void hmac_sha224_update(struct hmac_sha224_ctx *ctx,
276 const u8 *data, size_t data_len)
277 {
278 __sha256_update(&ctx->ctx.sha_ctx, data, data_len);
279 }
280
281 /**
282 * hmac_sha224_final() - Finish computing an HMAC-SHA224 value
283 * @ctx: the HMAC context to finalize; must have been initialized
284 * @out: (output) the resulting HMAC-SHA224 value
285 *
286 * After finishing, this zeroizes @ctx. So the caller does not need to do it.
287 *
288 * Context: Any context.
289 */
290 void hmac_sha224_final(struct hmac_sha224_ctx *ctx,
291 u8 out[at_least SHA224_DIGEST_SIZE]);
292
293 /**
294 * hmac_sha224() - Compute HMAC-SHA224 in one shot, using a prepared key
295 * @key: the prepared HMAC key
296 * @data: the message data
297 * @data_len: the data length in bytes
298 * @out: (output) the resulting HMAC-SHA224 value
299 *
300 * If you're using the key only once, consider using hmac_sha224_usingrawkey().
301 *
302 * Context: Any context.
303 */
304 void hmac_sha224(const struct hmac_sha224_key *key,
305 const u8 *data, size_t data_len,
306 u8 out[at_least SHA224_DIGEST_SIZE]);
307
308 /**
309 * hmac_sha224_usingrawkey() - Compute HMAC-SHA224 in one shot, using a raw key
310 * @raw_key: the raw HMAC-SHA224 key
311 * @raw_key_len: the key length in bytes. All key lengths are supported.
312 * @data: the message data
313 * @data_len: the data length in bytes
314 * @out: (output) the resulting HMAC-SHA224 value
315 *
316 * If you're using the key multiple times, prefer to use
317 * hmac_sha224_preparekey() followed by multiple calls to hmac_sha224() instead.
318 *
319 * Context: Any context.
320 */
321 void hmac_sha224_usingrawkey(const u8 *raw_key, size_t raw_key_len,
322 const u8 *data, size_t data_len,
323 u8 out[at_least SHA224_DIGEST_SIZE]);
324
325 /**
326 * struct sha256_ctx - Context for hashing a message with SHA-256
327 * @ctx: private
328 */
329 struct sha256_ctx {
330 struct __sha256_ctx ctx;
331 };
332
333 /**
334 * sha256_init() - Initialize a SHA-256 context for a new message
335 * @ctx: the context to initialize
336 *
337 * If you don't need incremental computation, consider sha256() instead.
338 *
339 * Context: Any context.
340 */
341 void sha256_init(struct sha256_ctx *ctx);
342
343 /**
344 * sha256_update() - Update a SHA-256 context with message data
345 * @ctx: the context to update; must have been initialized
346 * @data: the message data
347 * @len: the data length in bytes
348 *
349 * This can be called any number of times.
350 *
351 * Context: Any context.
352 */
sha256_update(struct sha256_ctx * ctx,const u8 * data,size_t len)353 static inline void sha256_update(struct sha256_ctx *ctx,
354 const u8 *data, size_t len)
355 {
356 __sha256_update(&ctx->ctx, data, len);
357 }
358
359 /**
360 * sha256_final() - Finish computing a SHA-256 message digest
361 * @ctx: the context to finalize; must have been initialized
362 * @out: (output) the resulting SHA-256 message digest
363 *
364 * After finishing, this zeroizes @ctx. So the caller does not need to do it.
365 *
366 * Context: Any context.
367 */
368 void sha256_final(struct sha256_ctx *ctx, u8 out[at_least SHA256_DIGEST_SIZE]);
369
370 /**
371 * sha256() - Compute SHA-256 message digest in one shot
372 * @data: the message data
373 * @len: the data length in bytes
374 * @out: (output) the resulting SHA-256 message digest
375 *
376 * Context: Any context.
377 */
378 void sha256(const u8 *data, size_t len, u8 out[at_least SHA256_DIGEST_SIZE]);
379
380 /**
381 * sha256_finup_2x() - Compute two SHA-256 digests from a common initial
382 * context. On some CPUs, this is faster than sequentially
383 * computing each digest.
384 * @ctx: an optional initial context, which may have already processed data. If
385 * NULL, a default initial context is used (equivalent to sha256_init()).
386 * @data1: data for the first message
387 * @data2: data for the second message
388 * @len: the length of each of @data1 and @data2, in bytes
389 * @out1: (output) the first SHA-256 message digest
390 * @out2: (output) the second SHA-256 message digest
391 *
392 * Context: Any context.
393 */
394 void sha256_finup_2x(const struct sha256_ctx *ctx, const u8 *data1,
395 const u8 *data2, size_t len,
396 u8 out1[at_least SHA256_DIGEST_SIZE],
397 u8 out2[at_least SHA256_DIGEST_SIZE]);
398
399 /**
400 * sha256_finup_2x_is_optimized() - Check if sha256_finup_2x() is using a real
401 * interleaved implementation, as opposed to a
402 * sequential fallback
403 * @return: true if optimized
404 *
405 * Context: Any context.
406 */
407 bool sha256_finup_2x_is_optimized(void);
408
409 /**
410 * struct hmac_sha256_key - Prepared key for HMAC-SHA256
411 * @key: private
412 */
413 struct hmac_sha256_key {
414 struct __hmac_sha256_key key;
415 };
416
417 /**
418 * struct hmac_sha256_ctx - Context for computing HMAC-SHA256 of a message
419 * @ctx: private
420 */
421 struct hmac_sha256_ctx {
422 struct __hmac_sha256_ctx ctx;
423 };
424
425 /**
426 * hmac_sha256_preparekey() - Prepare a key for HMAC-SHA256
427 * @key: (output) the key structure to initialize
428 * @raw_key: the raw HMAC-SHA256 key
429 * @raw_key_len: the key length in bytes. All key lengths are supported.
430 *
431 * Note: the caller is responsible for zeroizing both the struct hmac_sha256_key
432 * and the raw key once they are no longer needed.
433 *
434 * Context: Any context.
435 */
436 void hmac_sha256_preparekey(struct hmac_sha256_key *key,
437 const u8 *raw_key, size_t raw_key_len);
438
439 /**
440 * hmac_sha256_init() - Initialize an HMAC-SHA256 context for a new message
441 * @ctx: (output) the HMAC context to initialize
442 * @key: the prepared HMAC key
443 *
444 * If you don't need incremental computation, consider hmac_sha256() instead.
445 *
446 * Context: Any context.
447 */
hmac_sha256_init(struct hmac_sha256_ctx * ctx,const struct hmac_sha256_key * key)448 static inline void hmac_sha256_init(struct hmac_sha256_ctx *ctx,
449 const struct hmac_sha256_key *key)
450 {
451 __hmac_sha256_init(&ctx->ctx, &key->key);
452 }
453
454 /**
455 * hmac_sha256_init_usingrawkey() - Initialize an HMAC-SHA256 context for a new
456 * message, using a raw key
457 * @ctx: (output) the HMAC context to initialize
458 * @raw_key: the raw HMAC-SHA256 key
459 * @raw_key_len: the key length in bytes. All key lengths are supported.
460 *
461 * If you don't need incremental computation, consider hmac_sha256_usingrawkey()
462 * instead.
463 *
464 * Context: Any context.
465 */
466 void hmac_sha256_init_usingrawkey(struct hmac_sha256_ctx *ctx,
467 const u8 *raw_key, size_t raw_key_len);
468
469 /**
470 * hmac_sha256_update() - Update an HMAC-SHA256 context with message data
471 * @ctx: the HMAC context to update; must have been initialized
472 * @data: the message data
473 * @data_len: the data length in bytes
474 *
475 * This can be called any number of times.
476 *
477 * Context: Any context.
478 */
hmac_sha256_update(struct hmac_sha256_ctx * ctx,const u8 * data,size_t data_len)479 static inline void hmac_sha256_update(struct hmac_sha256_ctx *ctx,
480 const u8 *data, size_t data_len)
481 {
482 __sha256_update(&ctx->ctx.sha_ctx, data, data_len);
483 }
484
485 /**
486 * hmac_sha256_final() - Finish computing an HMAC-SHA256 value
487 * @ctx: the HMAC context to finalize; must have been initialized
488 * @out: (output) the resulting HMAC-SHA256 value
489 *
490 * After finishing, this zeroizes @ctx. So the caller does not need to do it.
491 *
492 * Context: Any context.
493 */
494 void hmac_sha256_final(struct hmac_sha256_ctx *ctx,
495 u8 out[at_least SHA256_DIGEST_SIZE]);
496
497 /**
498 * hmac_sha256() - Compute HMAC-SHA256 in one shot, using a prepared key
499 * @key: the prepared HMAC key
500 * @data: the message data
501 * @data_len: the data length in bytes
502 * @out: (output) the resulting HMAC-SHA256 value
503 *
504 * If you're using the key only once, consider using hmac_sha256_usingrawkey().
505 *
506 * Context: Any context.
507 */
508 void hmac_sha256(const struct hmac_sha256_key *key,
509 const u8 *data, size_t data_len,
510 u8 out[at_least SHA256_DIGEST_SIZE]);
511
512 /**
513 * hmac_sha256_usingrawkey() - Compute HMAC-SHA256 in one shot, using a raw key
514 * @raw_key: the raw HMAC-SHA256 key
515 * @raw_key_len: the key length in bytes. All key lengths are supported.
516 * @data: the message data
517 * @data_len: the data length in bytes
518 * @out: (output) the resulting HMAC-SHA256 value
519 *
520 * If you're using the key multiple times, prefer to use
521 * hmac_sha256_preparekey() followed by multiple calls to hmac_sha256() instead.
522 *
523 * Context: Any context.
524 */
525 void hmac_sha256_usingrawkey(const u8 *raw_key, size_t raw_key_len,
526 const u8 *data, size_t data_len,
527 u8 out[at_least SHA256_DIGEST_SIZE]);
528
529 /* State for the SHA-512 (and SHA-384) compression function */
530 struct sha512_block_state {
531 u64 h[8];
532 };
533
534 /*
535 * Context structure, shared by SHA-384 and SHA-512. The sha384_ctx and
536 * sha512_ctx structs wrap this one so that the API has proper typing and
537 * doesn't allow mixing the SHA-384 and SHA-512 functions arbitrarily.
538 */
539 struct __sha512_ctx {
540 struct sha512_block_state state;
541 u64 bytecount_lo;
542 u64 bytecount_hi;
543 u8 buf[SHA512_BLOCK_SIZE] __aligned(__alignof__(__be64));
544 };
545 void __sha512_update(struct __sha512_ctx *ctx, const u8 *data, size_t len);
546
547 /*
548 * HMAC key and message context structs, shared by HMAC-SHA384 and HMAC-SHA512.
549 * The hmac_sha384_* and hmac_sha512_* structs wrap this one so that the API has
550 * proper typing and doesn't allow mixing the functions arbitrarily.
551 */
552 struct __hmac_sha512_key {
553 struct sha512_block_state istate;
554 struct sha512_block_state ostate;
555 };
556 struct __hmac_sha512_ctx {
557 struct __sha512_ctx sha_ctx;
558 struct sha512_block_state ostate;
559 };
560 void __hmac_sha512_init(struct __hmac_sha512_ctx *ctx,
561 const struct __hmac_sha512_key *key);
562
563 /**
564 * struct sha384_ctx - Context for hashing a message with SHA-384
565 * @ctx: private
566 */
567 struct sha384_ctx {
568 struct __sha512_ctx ctx;
569 };
570
571 /**
572 * sha384_init() - Initialize a SHA-384 context for a new message
573 * @ctx: the context to initialize
574 *
575 * If you don't need incremental computation, consider sha384() instead.
576 *
577 * Context: Any context.
578 */
579 void sha384_init(struct sha384_ctx *ctx);
580
581 /**
582 * sha384_update() - Update a SHA-384 context with message data
583 * @ctx: the context to update; must have been initialized
584 * @data: the message data
585 * @len: the data length in bytes
586 *
587 * This can be called any number of times.
588 *
589 * Context: Any context.
590 */
sha384_update(struct sha384_ctx * ctx,const u8 * data,size_t len)591 static inline void sha384_update(struct sha384_ctx *ctx,
592 const u8 *data, size_t len)
593 {
594 __sha512_update(&ctx->ctx, data, len);
595 }
596
597 /**
598 * sha384_final() - Finish computing a SHA-384 message digest
599 * @ctx: the context to finalize; must have been initialized
600 * @out: (output) the resulting SHA-384 message digest
601 *
602 * After finishing, this zeroizes @ctx. So the caller does not need to do it.
603 *
604 * Context: Any context.
605 */
606 void sha384_final(struct sha384_ctx *ctx, u8 out[at_least SHA384_DIGEST_SIZE]);
607
608 /**
609 * sha384() - Compute SHA-384 message digest in one shot
610 * @data: the message data
611 * @len: the data length in bytes
612 * @out: (output) the resulting SHA-384 message digest
613 *
614 * Context: Any context.
615 */
616 void sha384(const u8 *data, size_t len, u8 out[at_least SHA384_DIGEST_SIZE]);
617
618 /**
619 * struct hmac_sha384_key - Prepared key for HMAC-SHA384
620 * @key: private
621 */
622 struct hmac_sha384_key {
623 struct __hmac_sha512_key key;
624 };
625
626 /**
627 * struct hmac_sha384_ctx - Context for computing HMAC-SHA384 of a message
628 * @ctx: private
629 */
630 struct hmac_sha384_ctx {
631 struct __hmac_sha512_ctx ctx;
632 };
633
634 /**
635 * hmac_sha384_preparekey() - Prepare a key for HMAC-SHA384
636 * @key: (output) the key structure to initialize
637 * @raw_key: the raw HMAC-SHA384 key
638 * @raw_key_len: the key length in bytes. All key lengths are supported.
639 *
640 * Note: the caller is responsible for zeroizing both the struct hmac_sha384_key
641 * and the raw key once they are no longer needed.
642 *
643 * Context: Any context.
644 */
645 void hmac_sha384_preparekey(struct hmac_sha384_key *key,
646 const u8 *raw_key, size_t raw_key_len);
647
648 /**
649 * hmac_sha384_init() - Initialize an HMAC-SHA384 context for a new message
650 * @ctx: (output) the HMAC context to initialize
651 * @key: the prepared HMAC key
652 *
653 * If you don't need incremental computation, consider hmac_sha384() instead.
654 *
655 * Context: Any context.
656 */
hmac_sha384_init(struct hmac_sha384_ctx * ctx,const struct hmac_sha384_key * key)657 static inline void hmac_sha384_init(struct hmac_sha384_ctx *ctx,
658 const struct hmac_sha384_key *key)
659 {
660 __hmac_sha512_init(&ctx->ctx, &key->key);
661 }
662
663 /**
664 * hmac_sha384_init_usingrawkey() - Initialize an HMAC-SHA384 context for a new
665 * message, using a raw key
666 * @ctx: (output) the HMAC context to initialize
667 * @raw_key: the raw HMAC-SHA384 key
668 * @raw_key_len: the key length in bytes. All key lengths are supported.
669 *
670 * If you don't need incremental computation, consider hmac_sha384_usingrawkey()
671 * instead.
672 *
673 * Context: Any context.
674 */
675 void hmac_sha384_init_usingrawkey(struct hmac_sha384_ctx *ctx,
676 const u8 *raw_key, size_t raw_key_len);
677
678 /**
679 * hmac_sha384_update() - Update an HMAC-SHA384 context with message data
680 * @ctx: the HMAC context to update; must have been initialized
681 * @data: the message data
682 * @data_len: the data length in bytes
683 *
684 * This can be called any number of times.
685 *
686 * Context: Any context.
687 */
hmac_sha384_update(struct hmac_sha384_ctx * ctx,const u8 * data,size_t data_len)688 static inline void hmac_sha384_update(struct hmac_sha384_ctx *ctx,
689 const u8 *data, size_t data_len)
690 {
691 __sha512_update(&ctx->ctx.sha_ctx, data, data_len);
692 }
693
694 /**
695 * hmac_sha384_final() - Finish computing an HMAC-SHA384 value
696 * @ctx: the HMAC context to finalize; must have been initialized
697 * @out: (output) the resulting HMAC-SHA384 value
698 *
699 * After finishing, this zeroizes @ctx. So the caller does not need to do it.
700 *
701 * Context: Any context.
702 */
703 void hmac_sha384_final(struct hmac_sha384_ctx *ctx,
704 u8 out[at_least SHA384_DIGEST_SIZE]);
705
706 /**
707 * hmac_sha384() - Compute HMAC-SHA384 in one shot, using a prepared key
708 * @key: the prepared HMAC key
709 * @data: the message data
710 * @data_len: the data length in bytes
711 * @out: (output) the resulting HMAC-SHA384 value
712 *
713 * If you're using the key only once, consider using hmac_sha384_usingrawkey().
714 *
715 * Context: Any context.
716 */
717 void hmac_sha384(const struct hmac_sha384_key *key,
718 const u8 *data, size_t data_len,
719 u8 out[at_least SHA384_DIGEST_SIZE]);
720
721 /**
722 * hmac_sha384_usingrawkey() - Compute HMAC-SHA384 in one shot, using a raw key
723 * @raw_key: the raw HMAC-SHA384 key
724 * @raw_key_len: the key length in bytes. All key lengths are supported.
725 * @data: the message data
726 * @data_len: the data length in bytes
727 * @out: (output) the resulting HMAC-SHA384 value
728 *
729 * If you're using the key multiple times, prefer to use
730 * hmac_sha384_preparekey() followed by multiple calls to hmac_sha384() instead.
731 *
732 * Context: Any context.
733 */
734 void hmac_sha384_usingrawkey(const u8 *raw_key, size_t raw_key_len,
735 const u8 *data, size_t data_len,
736 u8 out[at_least SHA384_DIGEST_SIZE]);
737
738 /**
739 * struct sha512_ctx - Context for hashing a message with SHA-512
740 * @ctx: private
741 */
742 struct sha512_ctx {
743 struct __sha512_ctx ctx;
744 };
745
746 /**
747 * sha512_init() - Initialize a SHA-512 context for a new message
748 * @ctx: the context to initialize
749 *
750 * If you don't need incremental computation, consider sha512() instead.
751 *
752 * Context: Any context.
753 */
754 void sha512_init(struct sha512_ctx *ctx);
755
756 /**
757 * sha512_update() - Update a SHA-512 context with message data
758 * @ctx: the context to update; must have been initialized
759 * @data: the message data
760 * @len: the data length in bytes
761 *
762 * This can be called any number of times.
763 *
764 * Context: Any context.
765 */
sha512_update(struct sha512_ctx * ctx,const u8 * data,size_t len)766 static inline void sha512_update(struct sha512_ctx *ctx,
767 const u8 *data, size_t len)
768 {
769 __sha512_update(&ctx->ctx, data, len);
770 }
771
772 /**
773 * sha512_final() - Finish computing a SHA-512 message digest
774 * @ctx: the context to finalize; must have been initialized
775 * @out: (output) the resulting SHA-512 message digest
776 *
777 * After finishing, this zeroizes @ctx. So the caller does not need to do it.
778 *
779 * Context: Any context.
780 */
781 void sha512_final(struct sha512_ctx *ctx, u8 out[at_least SHA512_DIGEST_SIZE]);
782
783 /**
784 * sha512() - Compute SHA-512 message digest in one shot
785 * @data: the message data
786 * @len: the data length in bytes
787 * @out: (output) the resulting SHA-512 message digest
788 *
789 * Context: Any context.
790 */
791 void sha512(const u8 *data, size_t len, u8 out[at_least SHA512_DIGEST_SIZE]);
792
793 /**
794 * struct hmac_sha512_key - Prepared key for HMAC-SHA512
795 * @key: private
796 */
797 struct hmac_sha512_key {
798 struct __hmac_sha512_key key;
799 };
800
801 /**
802 * struct hmac_sha512_ctx - Context for computing HMAC-SHA512 of a message
803 * @ctx: private
804 */
805 struct hmac_sha512_ctx {
806 struct __hmac_sha512_ctx ctx;
807 };
808
809 /**
810 * hmac_sha512_preparekey() - Prepare a key for HMAC-SHA512
811 * @key: (output) the key structure to initialize
812 * @raw_key: the raw HMAC-SHA512 key
813 * @raw_key_len: the key length in bytes. All key lengths are supported.
814 *
815 * Note: the caller is responsible for zeroizing both the struct hmac_sha512_key
816 * and the raw key once they are no longer needed.
817 *
818 * Context: Any context.
819 */
820 void hmac_sha512_preparekey(struct hmac_sha512_key *key,
821 const u8 *raw_key, size_t raw_key_len);
822
823 /**
824 * hmac_sha512_init() - Initialize an HMAC-SHA512 context for a new message
825 * @ctx: (output) the HMAC context to initialize
826 * @key: the prepared HMAC key
827 *
828 * If you don't need incremental computation, consider hmac_sha512() instead.
829 *
830 * Context: Any context.
831 */
hmac_sha512_init(struct hmac_sha512_ctx * ctx,const struct hmac_sha512_key * key)832 static inline void hmac_sha512_init(struct hmac_sha512_ctx *ctx,
833 const struct hmac_sha512_key *key)
834 {
835 __hmac_sha512_init(&ctx->ctx, &key->key);
836 }
837
838 /**
839 * hmac_sha512_init_usingrawkey() - Initialize an HMAC-SHA512 context for a new
840 * message, using a raw key
841 * @ctx: (output) the HMAC context to initialize
842 * @raw_key: the raw HMAC-SHA512 key
843 * @raw_key_len: the key length in bytes. All key lengths are supported.
844 *
845 * If you don't need incremental computation, consider hmac_sha512_usingrawkey()
846 * instead.
847 *
848 * Context: Any context.
849 */
850 void hmac_sha512_init_usingrawkey(struct hmac_sha512_ctx *ctx,
851 const u8 *raw_key, size_t raw_key_len);
852
853 /**
854 * hmac_sha512_update() - Update an HMAC-SHA512 context with message data
855 * @ctx: the HMAC context to update; must have been initialized
856 * @data: the message data
857 * @data_len: the data length in bytes
858 *
859 * This can be called any number of times.
860 *
861 * Context: Any context.
862 */
hmac_sha512_update(struct hmac_sha512_ctx * ctx,const u8 * data,size_t data_len)863 static inline void hmac_sha512_update(struct hmac_sha512_ctx *ctx,
864 const u8 *data, size_t data_len)
865 {
866 __sha512_update(&ctx->ctx.sha_ctx, data, data_len);
867 }
868
869 /**
870 * hmac_sha512_final() - Finish computing an HMAC-SHA512 value
871 * @ctx: the HMAC context to finalize; must have been initialized
872 * @out: (output) the resulting HMAC-SHA512 value
873 *
874 * After finishing, this zeroizes @ctx. So the caller does not need to do it.
875 *
876 * Context: Any context.
877 */
878 void hmac_sha512_final(struct hmac_sha512_ctx *ctx,
879 u8 out[at_least SHA512_DIGEST_SIZE]);
880
881 /**
882 * hmac_sha512() - Compute HMAC-SHA512 in one shot, using a prepared key
883 * @key: the prepared HMAC key
884 * @data: the message data
885 * @data_len: the data length in bytes
886 * @out: (output) the resulting HMAC-SHA512 value
887 *
888 * If you're using the key only once, consider using hmac_sha512_usingrawkey().
889 *
890 * Context: Any context.
891 */
892 void hmac_sha512(const struct hmac_sha512_key *key,
893 const u8 *data, size_t data_len,
894 u8 out[at_least SHA512_DIGEST_SIZE]);
895
896 /**
897 * hmac_sha512_usingrawkey() - Compute HMAC-SHA512 in one shot, using a raw key
898 * @raw_key: the raw HMAC-SHA512 key
899 * @raw_key_len: the key length in bytes. All key lengths are supported.
900 * @data: the message data
901 * @data_len: the data length in bytes
902 * @out: (output) the resulting HMAC-SHA512 value
903 *
904 * If you're using the key multiple times, prefer to use
905 * hmac_sha512_preparekey() followed by multiple calls to hmac_sha512() instead.
906 *
907 * Context: Any context.
908 */
909 void hmac_sha512_usingrawkey(const u8 *raw_key, size_t raw_key_len,
910 const u8 *data, size_t data_len,
911 u8 out[at_least SHA512_DIGEST_SIZE]);
912
913 #endif /* _CRYPTO_SHA2_H */
914