1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Crypto API support for SHA-384, SHA-512, HMAC-SHA384, and HMAC-SHA512
4 *
5 * Copyright (c) Jean-Luc Cooke <jlcooke@certainkey.com>
6 * Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
7 * Copyright (c) 2003 Kyle McMartin <kyle@debian.org>
8 * Copyright 2025 Google LLC
9 */
10 #include <crypto/internal/hash.h>
11 #include <crypto/sha2.h>
12 #include <linux/kernel.h>
13 #include <linux/module.h>
14
15 /*
16 * Export and import functions. crypto_shash wants a particular format that
17 * matches that used by some legacy drivers. It currently is the same as the
18 * library SHA context, except the value in bytecount_lo must be block-aligned
19 * and the remainder must be stored in an extra u8 appended to the struct.
20 */
21
22 #define SHA512_SHASH_STATE_SIZE 209
23 static_assert(offsetof(struct __sha512_ctx, state) == 0);
24 static_assert(offsetof(struct __sha512_ctx, bytecount_lo) == 64);
25 static_assert(offsetof(struct __sha512_ctx, bytecount_hi) == 72);
26 static_assert(offsetof(struct __sha512_ctx, buf) == 80);
27 static_assert(sizeof(struct __sha512_ctx) + 1 == SHA512_SHASH_STATE_SIZE);
28
__crypto_sha512_export(const struct __sha512_ctx * ctx0,void * out)29 static int __crypto_sha512_export(const struct __sha512_ctx *ctx0, void *out)
30 {
31 struct __sha512_ctx ctx = *ctx0;
32 unsigned int partial;
33 u8 *p = out;
34
35 partial = ctx.bytecount_lo % SHA512_BLOCK_SIZE;
36 ctx.bytecount_lo -= partial;
37 memcpy(p, &ctx, sizeof(ctx));
38 p += sizeof(ctx);
39 *p = partial;
40 return 0;
41 }
42
__crypto_sha512_import(struct __sha512_ctx * ctx,const void * in)43 static int __crypto_sha512_import(struct __sha512_ctx *ctx, const void *in)
44 {
45 const u8 *p = in;
46
47 memcpy(ctx, p, sizeof(*ctx));
48 p += sizeof(*ctx);
49 ctx->bytecount_lo += *p;
50 return 0;
51 }
52
__crypto_sha512_export_core(const struct __sha512_ctx * ctx,void * out)53 static int __crypto_sha512_export_core(const struct __sha512_ctx *ctx,
54 void *out)
55 {
56 memcpy(out, ctx, offsetof(struct __sha512_ctx, buf));
57 return 0;
58 }
59
__crypto_sha512_import_core(struct __sha512_ctx * ctx,const void * in)60 static int __crypto_sha512_import_core(struct __sha512_ctx *ctx, const void *in)
61 {
62 memcpy(ctx, in, offsetof(struct __sha512_ctx, buf));
63 return 0;
64 }
65
66 /* SHA-384 */
67
68 const u8 sha384_zero_message_hash[SHA384_DIGEST_SIZE] = {
69 0x38, 0xb0, 0x60, 0xa7, 0x51, 0xac, 0x96, 0x38,
70 0x4c, 0xd9, 0x32, 0x7e, 0xb1, 0xb1, 0xe3, 0x6a,
71 0x21, 0xfd, 0xb7, 0x11, 0x14, 0xbe, 0x07, 0x43,
72 0x4c, 0x0c, 0xc7, 0xbf, 0x63, 0xf6, 0xe1, 0xda,
73 0x27, 0x4e, 0xde, 0xbf, 0xe7, 0x6f, 0x65, 0xfb,
74 0xd5, 0x1a, 0xd2, 0xf1, 0x48, 0x98, 0xb9, 0x5b
75 };
76 EXPORT_SYMBOL_GPL(sha384_zero_message_hash);
77
78 #define SHA384_CTX(desc) ((struct sha384_ctx *)shash_desc_ctx(desc))
79
crypto_sha384_init(struct shash_desc * desc)80 static int crypto_sha384_init(struct shash_desc *desc)
81 {
82 sha384_init(SHA384_CTX(desc));
83 return 0;
84 }
85
crypto_sha384_update(struct shash_desc * desc,const u8 * data,unsigned int len)86 static int crypto_sha384_update(struct shash_desc *desc,
87 const u8 *data, unsigned int len)
88 {
89 sha384_update(SHA384_CTX(desc), data, len);
90 return 0;
91 }
92
crypto_sha384_final(struct shash_desc * desc,u8 * out)93 static int crypto_sha384_final(struct shash_desc *desc, u8 *out)
94 {
95 sha384_final(SHA384_CTX(desc), out);
96 return 0;
97 }
98
crypto_sha384_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)99 static int crypto_sha384_digest(struct shash_desc *desc,
100 const u8 *data, unsigned int len, u8 *out)
101 {
102 sha384(data, len, out);
103 return 0;
104 }
105
crypto_sha384_export(struct shash_desc * desc,void * out)106 static int crypto_sha384_export(struct shash_desc *desc, void *out)
107 {
108 return __crypto_sha512_export(&SHA384_CTX(desc)->ctx, out);
109 }
110
crypto_sha384_import(struct shash_desc * desc,const void * in)111 static int crypto_sha384_import(struct shash_desc *desc, const void *in)
112 {
113 return __crypto_sha512_import(&SHA384_CTX(desc)->ctx, in);
114 }
115
crypto_sha384_export_core(struct shash_desc * desc,void * out)116 static int crypto_sha384_export_core(struct shash_desc *desc, void *out)
117 {
118 return __crypto_sha512_export_core(&SHA384_CTX(desc)->ctx, out);
119 }
120
crypto_sha384_import_core(struct shash_desc * desc,const void * in)121 static int crypto_sha384_import_core(struct shash_desc *desc, const void *in)
122 {
123 return __crypto_sha512_import_core(&SHA384_CTX(desc)->ctx, in);
124 }
125
126 /* SHA-512 */
127
128 const u8 sha512_zero_message_hash[SHA512_DIGEST_SIZE] = {
129 0xcf, 0x83, 0xe1, 0x35, 0x7e, 0xef, 0xb8, 0xbd,
130 0xf1, 0x54, 0x28, 0x50, 0xd6, 0x6d, 0x80, 0x07,
131 0xd6, 0x20, 0xe4, 0x05, 0x0b, 0x57, 0x15, 0xdc,
132 0x83, 0xf4, 0xa9, 0x21, 0xd3, 0x6c, 0xe9, 0xce,
133 0x47, 0xd0, 0xd1, 0x3c, 0x5d, 0x85, 0xf2, 0xb0,
134 0xff, 0x83, 0x18, 0xd2, 0x87, 0x7e, 0xec, 0x2f,
135 0x63, 0xb9, 0x31, 0xbd, 0x47, 0x41, 0x7a, 0x81,
136 0xa5, 0x38, 0x32, 0x7a, 0xf9, 0x27, 0xda, 0x3e
137 };
138 EXPORT_SYMBOL_GPL(sha512_zero_message_hash);
139
140 #define SHA512_CTX(desc) ((struct sha512_ctx *)shash_desc_ctx(desc))
141
crypto_sha512_init(struct shash_desc * desc)142 static int crypto_sha512_init(struct shash_desc *desc)
143 {
144 sha512_init(SHA512_CTX(desc));
145 return 0;
146 }
147
crypto_sha512_update(struct shash_desc * desc,const u8 * data,unsigned int len)148 static int crypto_sha512_update(struct shash_desc *desc,
149 const u8 *data, unsigned int len)
150 {
151 sha512_update(SHA512_CTX(desc), data, len);
152 return 0;
153 }
154
crypto_sha512_final(struct shash_desc * desc,u8 * out)155 static int crypto_sha512_final(struct shash_desc *desc, u8 *out)
156 {
157 sha512_final(SHA512_CTX(desc), out);
158 return 0;
159 }
160
crypto_sha512_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)161 static int crypto_sha512_digest(struct shash_desc *desc,
162 const u8 *data, unsigned int len, u8 *out)
163 {
164 sha512(data, len, out);
165 return 0;
166 }
167
crypto_sha512_export(struct shash_desc * desc,void * out)168 static int crypto_sha512_export(struct shash_desc *desc, void *out)
169 {
170 return __crypto_sha512_export(&SHA512_CTX(desc)->ctx, out);
171 }
172
crypto_sha512_import(struct shash_desc * desc,const void * in)173 static int crypto_sha512_import(struct shash_desc *desc, const void *in)
174 {
175 return __crypto_sha512_import(&SHA512_CTX(desc)->ctx, in);
176 }
177
crypto_sha512_export_core(struct shash_desc * desc,void * out)178 static int crypto_sha512_export_core(struct shash_desc *desc, void *out)
179 {
180 return __crypto_sha512_export_core(&SHA512_CTX(desc)->ctx, out);
181 }
182
crypto_sha512_import_core(struct shash_desc * desc,const void * in)183 static int crypto_sha512_import_core(struct shash_desc *desc, const void *in)
184 {
185 return __crypto_sha512_import_core(&SHA512_CTX(desc)->ctx, in);
186 }
187
188 /* HMAC-SHA384 */
189
190 #define HMAC_SHA384_KEY(tfm) ((struct hmac_sha384_key *)crypto_shash_ctx(tfm))
191 #define HMAC_SHA384_CTX(desc) ((struct hmac_sha384_ctx *)shash_desc_ctx(desc))
192
crypto_hmac_sha384_setkey(struct crypto_shash * tfm,const u8 * raw_key,unsigned int keylen)193 static int crypto_hmac_sha384_setkey(struct crypto_shash *tfm,
194 const u8 *raw_key, unsigned int keylen)
195 {
196 hmac_sha384_preparekey(HMAC_SHA384_KEY(tfm), raw_key, keylen);
197 return 0;
198 }
199
crypto_hmac_sha384_init(struct shash_desc * desc)200 static int crypto_hmac_sha384_init(struct shash_desc *desc)
201 {
202 hmac_sha384_init(HMAC_SHA384_CTX(desc), HMAC_SHA384_KEY(desc->tfm));
203 return 0;
204 }
205
crypto_hmac_sha384_update(struct shash_desc * desc,const u8 * data,unsigned int len)206 static int crypto_hmac_sha384_update(struct shash_desc *desc,
207 const u8 *data, unsigned int len)
208 {
209 hmac_sha384_update(HMAC_SHA384_CTX(desc), data, len);
210 return 0;
211 }
212
crypto_hmac_sha384_final(struct shash_desc * desc,u8 * out)213 static int crypto_hmac_sha384_final(struct shash_desc *desc, u8 *out)
214 {
215 hmac_sha384_final(HMAC_SHA384_CTX(desc), out);
216 return 0;
217 }
218
crypto_hmac_sha384_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)219 static int crypto_hmac_sha384_digest(struct shash_desc *desc,
220 const u8 *data, unsigned int len,
221 u8 *out)
222 {
223 hmac_sha384(HMAC_SHA384_KEY(desc->tfm), data, len, out);
224 return 0;
225 }
226
crypto_hmac_sha384_export(struct shash_desc * desc,void * out)227 static int crypto_hmac_sha384_export(struct shash_desc *desc, void *out)
228 {
229 return __crypto_sha512_export(&HMAC_SHA384_CTX(desc)->ctx.sha_ctx, out);
230 }
231
crypto_hmac_sha384_import(struct shash_desc * desc,const void * in)232 static int crypto_hmac_sha384_import(struct shash_desc *desc, const void *in)
233 {
234 struct hmac_sha384_ctx *ctx = HMAC_SHA384_CTX(desc);
235
236 ctx->ctx.ostate = HMAC_SHA384_KEY(desc->tfm)->key.ostate;
237 return __crypto_sha512_import(&ctx->ctx.sha_ctx, in);
238 }
239
crypto_hmac_sha384_export_core(struct shash_desc * desc,void * out)240 static int crypto_hmac_sha384_export_core(struct shash_desc *desc, void *out)
241 {
242 return __crypto_sha512_export_core(&HMAC_SHA384_CTX(desc)->ctx.sha_ctx,
243 out);
244 }
245
crypto_hmac_sha384_import_core(struct shash_desc * desc,const void * in)246 static int crypto_hmac_sha384_import_core(struct shash_desc *desc,
247 const void *in)
248 {
249 struct hmac_sha384_ctx *ctx = HMAC_SHA384_CTX(desc);
250
251 ctx->ctx.ostate = HMAC_SHA384_KEY(desc->tfm)->key.ostate;
252 return __crypto_sha512_import_core(&ctx->ctx.sha_ctx, in);
253 }
254
255 /* HMAC-SHA512 */
256
257 #define HMAC_SHA512_KEY(tfm) ((struct hmac_sha512_key *)crypto_shash_ctx(tfm))
258 #define HMAC_SHA512_CTX(desc) ((struct hmac_sha512_ctx *)shash_desc_ctx(desc))
259
crypto_hmac_sha512_setkey(struct crypto_shash * tfm,const u8 * raw_key,unsigned int keylen)260 static int crypto_hmac_sha512_setkey(struct crypto_shash *tfm,
261 const u8 *raw_key, unsigned int keylen)
262 {
263 hmac_sha512_preparekey(HMAC_SHA512_KEY(tfm), raw_key, keylen);
264 return 0;
265 }
266
crypto_hmac_sha512_init(struct shash_desc * desc)267 static int crypto_hmac_sha512_init(struct shash_desc *desc)
268 {
269 hmac_sha512_init(HMAC_SHA512_CTX(desc), HMAC_SHA512_KEY(desc->tfm));
270 return 0;
271 }
272
crypto_hmac_sha512_update(struct shash_desc * desc,const u8 * data,unsigned int len)273 static int crypto_hmac_sha512_update(struct shash_desc *desc,
274 const u8 *data, unsigned int len)
275 {
276 hmac_sha512_update(HMAC_SHA512_CTX(desc), data, len);
277 return 0;
278 }
279
crypto_hmac_sha512_final(struct shash_desc * desc,u8 * out)280 static int crypto_hmac_sha512_final(struct shash_desc *desc, u8 *out)
281 {
282 hmac_sha512_final(HMAC_SHA512_CTX(desc), out);
283 return 0;
284 }
285
crypto_hmac_sha512_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)286 static int crypto_hmac_sha512_digest(struct shash_desc *desc,
287 const u8 *data, unsigned int len,
288 u8 *out)
289 {
290 hmac_sha512(HMAC_SHA512_KEY(desc->tfm), data, len, out);
291 return 0;
292 }
293
crypto_hmac_sha512_export(struct shash_desc * desc,void * out)294 static int crypto_hmac_sha512_export(struct shash_desc *desc, void *out)
295 {
296 return __crypto_sha512_export(&HMAC_SHA512_CTX(desc)->ctx.sha_ctx, out);
297 }
298
crypto_hmac_sha512_import(struct shash_desc * desc,const void * in)299 static int crypto_hmac_sha512_import(struct shash_desc *desc, const void *in)
300 {
301 struct hmac_sha512_ctx *ctx = HMAC_SHA512_CTX(desc);
302
303 ctx->ctx.ostate = HMAC_SHA512_KEY(desc->tfm)->key.ostate;
304 return __crypto_sha512_import(&ctx->ctx.sha_ctx, in);
305 }
306
crypto_hmac_sha512_export_core(struct shash_desc * desc,void * out)307 static int crypto_hmac_sha512_export_core(struct shash_desc *desc, void *out)
308 {
309 return __crypto_sha512_export_core(&HMAC_SHA512_CTX(desc)->ctx.sha_ctx,
310 out);
311 }
312
crypto_hmac_sha512_import_core(struct shash_desc * desc,const void * in)313 static int crypto_hmac_sha512_import_core(struct shash_desc *desc,
314 const void *in)
315 {
316 struct hmac_sha512_ctx *ctx = HMAC_SHA512_CTX(desc);
317
318 ctx->ctx.ostate = HMAC_SHA512_KEY(desc->tfm)->key.ostate;
319 return __crypto_sha512_import_core(&ctx->ctx.sha_ctx, in);
320 }
321
322 /* Algorithm definitions */
323
324 static struct shash_alg algs[] = {
325 {
326 .base.cra_name = "sha384",
327 .base.cra_driver_name = "sha384-lib",
328 .base.cra_priority = 300,
329 .base.cra_blocksize = SHA384_BLOCK_SIZE,
330 .base.cra_module = THIS_MODULE,
331 .digestsize = SHA384_DIGEST_SIZE,
332 .init = crypto_sha384_init,
333 .update = crypto_sha384_update,
334 .final = crypto_sha384_final,
335 .digest = crypto_sha384_digest,
336 .export = crypto_sha384_export,
337 .import = crypto_sha384_import,
338 .export_core = crypto_sha384_export_core,
339 .import_core = crypto_sha384_import_core,
340 .descsize = sizeof(struct sha384_ctx),
341 .statesize = SHA512_SHASH_STATE_SIZE,
342 },
343 {
344 .base.cra_name = "sha512",
345 .base.cra_driver_name = "sha512-lib",
346 .base.cra_priority = 300,
347 .base.cra_blocksize = SHA512_BLOCK_SIZE,
348 .base.cra_module = THIS_MODULE,
349 .digestsize = SHA512_DIGEST_SIZE,
350 .init = crypto_sha512_init,
351 .update = crypto_sha512_update,
352 .final = crypto_sha512_final,
353 .digest = crypto_sha512_digest,
354 .export = crypto_sha512_export,
355 .import = crypto_sha512_import,
356 .export_core = crypto_sha512_export_core,
357 .import_core = crypto_sha512_import_core,
358 .descsize = sizeof(struct sha512_ctx),
359 .statesize = SHA512_SHASH_STATE_SIZE,
360 },
361 {
362 .base.cra_name = "hmac(sha384)",
363 .base.cra_driver_name = "hmac-sha384-lib",
364 .base.cra_priority = 300,
365 .base.cra_blocksize = SHA384_BLOCK_SIZE,
366 .base.cra_ctxsize = sizeof(struct hmac_sha384_key),
367 .base.cra_module = THIS_MODULE,
368 .digestsize = SHA384_DIGEST_SIZE,
369 .setkey = crypto_hmac_sha384_setkey,
370 .init = crypto_hmac_sha384_init,
371 .update = crypto_hmac_sha384_update,
372 .final = crypto_hmac_sha384_final,
373 .digest = crypto_hmac_sha384_digest,
374 .export = crypto_hmac_sha384_export,
375 .import = crypto_hmac_sha384_import,
376 .export_core = crypto_hmac_sha384_export_core,
377 .import_core = crypto_hmac_sha384_import_core,
378 .descsize = sizeof(struct hmac_sha384_ctx),
379 .statesize = SHA512_SHASH_STATE_SIZE,
380 },
381 {
382 .base.cra_name = "hmac(sha512)",
383 .base.cra_driver_name = "hmac-sha512-lib",
384 .base.cra_priority = 300,
385 .base.cra_blocksize = SHA512_BLOCK_SIZE,
386 .base.cra_ctxsize = sizeof(struct hmac_sha512_key),
387 .base.cra_module = THIS_MODULE,
388 .digestsize = SHA512_DIGEST_SIZE,
389 .setkey = crypto_hmac_sha512_setkey,
390 .init = crypto_hmac_sha512_init,
391 .update = crypto_hmac_sha512_update,
392 .final = crypto_hmac_sha512_final,
393 .digest = crypto_hmac_sha512_digest,
394 .export = crypto_hmac_sha512_export,
395 .import = crypto_hmac_sha512_import,
396 .export_core = crypto_hmac_sha512_export_core,
397 .import_core = crypto_hmac_sha512_import_core,
398 .descsize = sizeof(struct hmac_sha512_ctx),
399 .statesize = SHA512_SHASH_STATE_SIZE,
400 },
401 };
402
crypto_sha512_mod_init(void)403 static int __init crypto_sha512_mod_init(void)
404 {
405 return crypto_register_shashes(algs, ARRAY_SIZE(algs));
406 }
407 module_init(crypto_sha512_mod_init);
408
crypto_sha512_mod_exit(void)409 static void __exit crypto_sha512_mod_exit(void)
410 {
411 crypto_unregister_shashes(algs, ARRAY_SIZE(algs));
412 }
413 module_exit(crypto_sha512_mod_exit);
414
415 MODULE_LICENSE("GPL");
416 MODULE_DESCRIPTION("Crypto API support for SHA-384, SHA-512, HMAC-SHA384, and HMAC-SHA512");
417
418 MODULE_ALIAS_CRYPTO("sha384");
419 MODULE_ALIAS_CRYPTO("sha384-lib");
420 MODULE_ALIAS_CRYPTO("sha512");
421 MODULE_ALIAS_CRYPTO("sha512-lib");
422 MODULE_ALIAS_CRYPTO("hmac(sha384)");
423 MODULE_ALIAS_CRYPTO("hmac-sha384-lib");
424 MODULE_ALIAS_CRYPTO("hmac(sha512)");
425 MODULE_ALIAS_CRYPTO("hmac-sha512-lib");
426