1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * SHA-1 and HMAC-SHA1 library functions
4 */
5
6 #include <crypto/hmac.h>
7 #include <crypto/sha1.h>
8 #include <linux/bitops.h>
9 #include <linux/export.h>
10 #include <linux/kernel.h>
11 #include <linux/module.h>
12 #include <linux/string.h>
13 #include <linux/unaligned.h>
14 #include <linux/wordpart.h>
15 #include "fips.h"
16
17 static const struct sha1_block_state sha1_iv = {
18 .h = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
19 };
20
21 /*
22 * If you have 32 registers or more, the compiler can (and should)
23 * try to change the array[] accesses into registers. However, on
24 * machines with less than ~25 registers, that won't really work,
25 * and at least gcc will make an unholy mess of it.
26 *
27 * So to avoid that mess which just slows things down, we force
28 * the stores to memory to actually happen (we might be better off
29 * with a 'W(t)=(val);asm("":"+m" (W(t))' there instead, as
30 * suggested by Artur Skawina - that will also make gcc unable to
31 * try to do the silly "optimize away loads" part because it won't
32 * see what the value will be).
33 *
34 * Ben Herrenschmidt reports that on PPC, the C version comes close
35 * to the optimized asm with this (ie on PPC you don't want that
36 * 'volatile', since there are lots of registers).
37 *
38 * On ARM we get the best code generation by forcing a full memory barrier
39 * between each SHA_ROUND, otherwise gcc happily get wild with spilling and
40 * the stack frame size simply explode and performance goes down the drain.
41 */
42
43 #ifdef CONFIG_X86
44 #define setW(x, val) (*(volatile __u32 *)&W(x) = (val))
45 #elif defined(CONFIG_ARM)
46 #define setW(x, val) do { W(x) = (val); __asm__("":::"memory"); } while (0)
47 #else
48 #define setW(x, val) (W(x) = (val))
49 #endif
50
51 /* This "rolls" over the 512-bit array */
52 #define W(x) (array[(x)&15])
53
54 /*
55 * Where do we get the source from? The first 16 iterations get it from
56 * the input data, the next mix it from the 512-bit array.
57 */
58 #define SHA_SRC(t) get_unaligned_be32((__u32 *)data + t)
59 #define SHA_MIX(t) rol32(W(t+13) ^ W(t+8) ^ W(t+2) ^ W(t), 1)
60
61 #define SHA_ROUND(t, input, fn, constant, A, B, C, D, E) do { \
62 __u32 TEMP = input(t); setW(t, TEMP); \
63 E += TEMP + rol32(A,5) + (fn) + (constant); \
64 B = ror32(B, 2); \
65 TEMP = E; E = D; D = C; C = B; B = A; A = TEMP; } while (0)
66
67 #define T_0_15(t, A, B, C, D, E) SHA_ROUND(t, SHA_SRC, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
68 #define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
69 #define T_20_39(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0x6ed9eba1, A, B, C, D, E )
70 #define T_40_59(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, ((B&C)+(D&(B^C))) , 0x8f1bbcdc, A, B, C, D, E )
71 #define T_60_79(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0xca62c1d6, A, B, C, D, E )
72
73 /**
74 * sha1_transform - single block SHA1 transform (deprecated)
75 *
76 * @digest: 160 bit digest to update
77 * @data: 512 bits of data to hash
78 * @array: 16 words of workspace (see note)
79 *
80 * This function executes SHA-1's internal compression function. It updates the
81 * 160-bit internal state (@digest) with a single 512-bit data block (@data).
82 *
83 * Don't use this function. SHA-1 is no longer considered secure. And even if
84 * you do have to use SHA-1, this isn't the correct way to hash something with
85 * SHA-1 as this doesn't handle padding and finalization.
86 *
87 * Note: If the hash is security sensitive, the caller should be sure
88 * to clear the workspace. This is left to the caller to avoid
89 * unnecessary clears between chained hashing operations.
90 */
sha1_transform(__u32 * digest,const char * data,__u32 * array)91 void sha1_transform(__u32 *digest, const char *data, __u32 *array)
92 {
93 __u32 A, B, C, D, E;
94 unsigned int i = 0;
95
96 A = digest[0];
97 B = digest[1];
98 C = digest[2];
99 D = digest[3];
100 E = digest[4];
101
102 /* Round 1 - iterations 0-16 take their input from 'data' */
103 for (; i < 16; ++i)
104 T_0_15(i, A, B, C, D, E);
105
106 /* Round 1 - tail. Input from 512-bit mixing array */
107 for (; i < 20; ++i)
108 T_16_19(i, A, B, C, D, E);
109
110 /* Round 2 */
111 for (; i < 40; ++i)
112 T_20_39(i, A, B, C, D, E);
113
114 /* Round 3 */
115 for (; i < 60; ++i)
116 T_40_59(i, A, B, C, D, E);
117
118 /* Round 4 */
119 for (; i < 80; ++i)
120 T_60_79(i, A, B, C, D, E);
121
122 digest[0] += A;
123 digest[1] += B;
124 digest[2] += C;
125 digest[3] += D;
126 digest[4] += E;
127 }
128 EXPORT_SYMBOL(sha1_transform);
129
130 /**
131 * sha1_init_raw - initialize the vectors for a SHA1 digest
132 * @buf: vector to initialize
133 */
sha1_init_raw(__u32 * buf)134 void sha1_init_raw(__u32 *buf)
135 {
136 buf[0] = 0x67452301;
137 buf[1] = 0xefcdab89;
138 buf[2] = 0x98badcfe;
139 buf[3] = 0x10325476;
140 buf[4] = 0xc3d2e1f0;
141 }
142 EXPORT_SYMBOL(sha1_init_raw);
143
sha1_blocks_generic(struct sha1_block_state * state,const u8 * data,size_t nblocks)144 static void __maybe_unused sha1_blocks_generic(struct sha1_block_state *state,
145 const u8 *data, size_t nblocks)
146 {
147 u32 workspace[SHA1_WORKSPACE_WORDS];
148
149 do {
150 sha1_transform(state->h, data, workspace);
151 data += SHA1_BLOCK_SIZE;
152 } while (--nblocks);
153
154 memzero_explicit(workspace, sizeof(workspace));
155 }
156
157 #ifdef CONFIG_CRYPTO_LIB_SHA1_ARCH
158 #include "sha1.h" /* $(SRCARCH)/sha1.h */
159 #else
160 #define sha1_blocks sha1_blocks_generic
161 #endif
162
sha1_init(struct sha1_ctx * ctx)163 void sha1_init(struct sha1_ctx *ctx)
164 {
165 ctx->state = sha1_iv;
166 ctx->bytecount = 0;
167 }
168 EXPORT_SYMBOL_GPL(sha1_init);
169
sha1_update(struct sha1_ctx * ctx,const u8 * data,size_t len)170 void sha1_update(struct sha1_ctx *ctx, const u8 *data, size_t len)
171 {
172 size_t partial = ctx->bytecount % SHA1_BLOCK_SIZE;
173
174 ctx->bytecount += len;
175
176 if (partial + len >= SHA1_BLOCK_SIZE) {
177 size_t nblocks;
178
179 if (partial) {
180 size_t l = SHA1_BLOCK_SIZE - partial;
181
182 memcpy(&ctx->buf[partial], data, l);
183 data += l;
184 len -= l;
185
186 sha1_blocks(&ctx->state, ctx->buf, 1);
187 }
188
189 nblocks = len / SHA1_BLOCK_SIZE;
190 len %= SHA1_BLOCK_SIZE;
191
192 if (nblocks) {
193 sha1_blocks(&ctx->state, data, nblocks);
194 data += nblocks * SHA1_BLOCK_SIZE;
195 }
196 partial = 0;
197 }
198 if (len)
199 memcpy(&ctx->buf[partial], data, len);
200 }
201 EXPORT_SYMBOL_GPL(sha1_update);
202
__sha1_final(struct sha1_ctx * ctx,u8 out[SHA1_DIGEST_SIZE])203 static void __sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE])
204 {
205 u64 bitcount = ctx->bytecount << 3;
206 size_t partial = ctx->bytecount % SHA1_BLOCK_SIZE;
207
208 ctx->buf[partial++] = 0x80;
209 if (partial > SHA1_BLOCK_SIZE - 8) {
210 memset(&ctx->buf[partial], 0, SHA1_BLOCK_SIZE - partial);
211 sha1_blocks(&ctx->state, ctx->buf, 1);
212 partial = 0;
213 }
214 memset(&ctx->buf[partial], 0, SHA1_BLOCK_SIZE - 8 - partial);
215 *(__be64 *)&ctx->buf[SHA1_BLOCK_SIZE - 8] = cpu_to_be64(bitcount);
216 sha1_blocks(&ctx->state, ctx->buf, 1);
217
218 for (size_t i = 0; i < SHA1_DIGEST_SIZE; i += 4)
219 put_unaligned_be32(ctx->state.h[i / 4], out + i);
220 }
221
sha1_final(struct sha1_ctx * ctx,u8 out[SHA1_DIGEST_SIZE])222 void sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE])
223 {
224 __sha1_final(ctx, out);
225 memzero_explicit(ctx, sizeof(*ctx));
226 }
227 EXPORT_SYMBOL_GPL(sha1_final);
228
sha1(const u8 * data,size_t len,u8 out[SHA1_DIGEST_SIZE])229 void sha1(const u8 *data, size_t len, u8 out[SHA1_DIGEST_SIZE])
230 {
231 struct sha1_ctx ctx;
232
233 sha1_init(&ctx);
234 sha1_update(&ctx, data, len);
235 sha1_final(&ctx, out);
236 }
237 EXPORT_SYMBOL_GPL(sha1);
238
__hmac_sha1_preparekey(struct sha1_block_state * istate,struct sha1_block_state * ostate,const u8 * raw_key,size_t raw_key_len)239 static void __hmac_sha1_preparekey(struct sha1_block_state *istate,
240 struct sha1_block_state *ostate,
241 const u8 *raw_key, size_t raw_key_len)
242 {
243 union {
244 u8 b[SHA1_BLOCK_SIZE];
245 unsigned long w[SHA1_BLOCK_SIZE / sizeof(unsigned long)];
246 } derived_key = { 0 };
247
248 if (unlikely(raw_key_len > SHA1_BLOCK_SIZE))
249 sha1(raw_key, raw_key_len, derived_key.b);
250 else
251 memcpy(derived_key.b, raw_key, raw_key_len);
252
253 for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
254 derived_key.w[i] ^= REPEAT_BYTE(HMAC_IPAD_VALUE);
255 *istate = sha1_iv;
256 sha1_blocks(istate, derived_key.b, 1);
257
258 for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
259 derived_key.w[i] ^= REPEAT_BYTE(HMAC_OPAD_VALUE ^
260 HMAC_IPAD_VALUE);
261 *ostate = sha1_iv;
262 sha1_blocks(ostate, derived_key.b, 1);
263
264 memzero_explicit(&derived_key, sizeof(derived_key));
265 }
266
hmac_sha1_preparekey(struct hmac_sha1_key * key,const u8 * raw_key,size_t raw_key_len)267 void hmac_sha1_preparekey(struct hmac_sha1_key *key,
268 const u8 *raw_key, size_t raw_key_len)
269 {
270 __hmac_sha1_preparekey(&key->istate, &key->ostate,
271 raw_key, raw_key_len);
272 }
273 EXPORT_SYMBOL_GPL(hmac_sha1_preparekey);
274
hmac_sha1_init(struct hmac_sha1_ctx * ctx,const struct hmac_sha1_key * key)275 void hmac_sha1_init(struct hmac_sha1_ctx *ctx, const struct hmac_sha1_key *key)
276 {
277 ctx->sha_ctx.state = key->istate;
278 ctx->sha_ctx.bytecount = SHA1_BLOCK_SIZE;
279 ctx->ostate = key->ostate;
280 }
281 EXPORT_SYMBOL_GPL(hmac_sha1_init);
282
hmac_sha1_init_usingrawkey(struct hmac_sha1_ctx * ctx,const u8 * raw_key,size_t raw_key_len)283 void hmac_sha1_init_usingrawkey(struct hmac_sha1_ctx *ctx,
284 const u8 *raw_key, size_t raw_key_len)
285 {
286 __hmac_sha1_preparekey(&ctx->sha_ctx.state, &ctx->ostate,
287 raw_key, raw_key_len);
288 ctx->sha_ctx.bytecount = SHA1_BLOCK_SIZE;
289 }
290 EXPORT_SYMBOL_GPL(hmac_sha1_init_usingrawkey);
291
hmac_sha1_final(struct hmac_sha1_ctx * ctx,u8 out[SHA1_DIGEST_SIZE])292 void hmac_sha1_final(struct hmac_sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE])
293 {
294 /* Generate the padded input for the outer hash in ctx->sha_ctx.buf. */
295 __sha1_final(&ctx->sha_ctx, ctx->sha_ctx.buf);
296 memset(&ctx->sha_ctx.buf[SHA1_DIGEST_SIZE], 0,
297 SHA1_BLOCK_SIZE - SHA1_DIGEST_SIZE);
298 ctx->sha_ctx.buf[SHA1_DIGEST_SIZE] = 0x80;
299 *(__be32 *)&ctx->sha_ctx.buf[SHA1_BLOCK_SIZE - 4] =
300 cpu_to_be32(8 * (SHA1_BLOCK_SIZE + SHA1_DIGEST_SIZE));
301
302 /* Compute the outer hash, which gives the HMAC value. */
303 sha1_blocks(&ctx->ostate, ctx->sha_ctx.buf, 1);
304 for (size_t i = 0; i < SHA1_DIGEST_SIZE; i += 4)
305 put_unaligned_be32(ctx->ostate.h[i / 4], out + i);
306
307 memzero_explicit(ctx, sizeof(*ctx));
308 }
309 EXPORT_SYMBOL_GPL(hmac_sha1_final);
310
hmac_sha1(const struct hmac_sha1_key * key,const u8 * data,size_t data_len,u8 out[SHA1_DIGEST_SIZE])311 void hmac_sha1(const struct hmac_sha1_key *key,
312 const u8 *data, size_t data_len, u8 out[SHA1_DIGEST_SIZE])
313 {
314 struct hmac_sha1_ctx ctx;
315
316 hmac_sha1_init(&ctx, key);
317 hmac_sha1_update(&ctx, data, data_len);
318 hmac_sha1_final(&ctx, out);
319 }
320 EXPORT_SYMBOL_GPL(hmac_sha1);
321
hmac_sha1_usingrawkey(const u8 * raw_key,size_t raw_key_len,const u8 * data,size_t data_len,u8 out[SHA1_DIGEST_SIZE])322 void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len,
323 const u8 *data, size_t data_len,
324 u8 out[SHA1_DIGEST_SIZE])
325 {
326 struct hmac_sha1_ctx ctx;
327
328 hmac_sha1_init_usingrawkey(&ctx, raw_key, raw_key_len);
329 hmac_sha1_update(&ctx, data, data_len);
330 hmac_sha1_final(&ctx, out);
331 }
332 EXPORT_SYMBOL_GPL(hmac_sha1_usingrawkey);
333
334 #if defined(sha1_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
sha1_mod_init(void)335 static int __init sha1_mod_init(void)
336 {
337 #ifdef sha1_mod_init_arch
338 sha1_mod_init_arch();
339 #endif
340 if (fips_enabled) {
341 /*
342 * FIPS cryptographic algorithm self-test. As per the FIPS
343 * Implementation Guidance, testing HMAC-SHA1 satisfies the test
344 * requirement for SHA-1 too.
345 */
346 u8 mac[SHA1_DIGEST_SIZE];
347
348 hmac_sha1_usingrawkey(fips_test_key, sizeof(fips_test_key),
349 fips_test_data, sizeof(fips_test_data),
350 mac);
351 if (memcmp(fips_test_hmac_sha1_value, mac, sizeof(mac)) != 0)
352 panic("sha1: FIPS self-test failed\n");
353 }
354 return 0;
355 }
356 subsys_initcall(sha1_mod_init);
357
sha1_mod_exit(void)358 static void __exit sha1_mod_exit(void)
359 {
360 }
361 module_exit(sha1_mod_exit);
362 #endif
363
364 MODULE_DESCRIPTION("SHA-1 and HMAC-SHA1 library functions");
365 MODULE_LICENSE("GPL");
366