1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Crypto API support for SHA-224, SHA-256, HMAC-SHA224, and HMAC-SHA256
4 *
5 * Copyright (c) Jean-Luc Cooke <jlcooke@certainkey.com>
6 * Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
7 * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
8 * SHA224 Support Copyright 2007 Intel Corporation <jonathan.lynch@intel.com>
9 * Copyright 2025 Google LLC
10 */
11 #include <crypto/internal/hash.h>
12 #include <crypto/sha2.h>
13 #include <linux/kernel.h>
14 #include <linux/module.h>
15
16 /*
17 * Export and import functions. crypto_shash wants a particular format that
18 * matches that used by some legacy drivers. It currently is the same as the
19 * library SHA context, except the value in bytecount must be block-aligned and
20 * the remainder must be stored in an extra u8 appended to the struct.
21 */
22
23 #define SHA256_SHASH_STATE_SIZE 105
24 static_assert(offsetof(struct __sha256_ctx, state) == 0);
25 static_assert(offsetof(struct __sha256_ctx, bytecount) == 32);
26 static_assert(offsetof(struct __sha256_ctx, buf) == 40);
27 static_assert(sizeof(struct __sha256_ctx) + 1 == SHA256_SHASH_STATE_SIZE);
28
__crypto_sha256_export(const struct __sha256_ctx * ctx0,void * out)29 static int __crypto_sha256_export(const struct __sha256_ctx *ctx0, void *out)
30 {
31 struct __sha256_ctx ctx = *ctx0;
32 unsigned int partial;
33 u8 *p = out;
34
35 partial = ctx.bytecount % SHA256_BLOCK_SIZE;
36 ctx.bytecount -= partial;
37 memcpy(p, &ctx, sizeof(ctx));
38 p += sizeof(ctx);
39 *p = partial;
40 return 0;
41 }
42
__crypto_sha256_import(struct __sha256_ctx * ctx,const void * in)43 static int __crypto_sha256_import(struct __sha256_ctx *ctx, const void *in)
44 {
45 const u8 *p = in;
46
47 memcpy(ctx, p, sizeof(*ctx));
48 p += sizeof(*ctx);
49 ctx->bytecount += *p;
50 return 0;
51 }
52
53 /* SHA-224 */
54
55 const u8 sha224_zero_message_hash[SHA224_DIGEST_SIZE] = {
56 0xd1, 0x4a, 0x02, 0x8c, 0x2a, 0x3a, 0x2b, 0xc9, 0x47,
57 0x61, 0x02, 0xbb, 0x28, 0x82, 0x34, 0xc4, 0x15, 0xa2,
58 0xb0, 0x1f, 0x82, 0x8e, 0xa6, 0x2a, 0xc5, 0xb3, 0xe4,
59 0x2f
60 };
61 EXPORT_SYMBOL_GPL(sha224_zero_message_hash);
62
63 #define SHA224_CTX(desc) ((struct sha224_ctx *)shash_desc_ctx(desc))
64
crypto_sha224_init(struct shash_desc * desc)65 static int crypto_sha224_init(struct shash_desc *desc)
66 {
67 sha224_init(SHA224_CTX(desc));
68 return 0;
69 }
70
crypto_sha224_update(struct shash_desc * desc,const u8 * data,unsigned int len)71 static int crypto_sha224_update(struct shash_desc *desc,
72 const u8 *data, unsigned int len)
73 {
74 sha224_update(SHA224_CTX(desc), data, len);
75 return 0;
76 }
77
crypto_sha224_final(struct shash_desc * desc,u8 * out)78 static int crypto_sha224_final(struct shash_desc *desc, u8 *out)
79 {
80 sha224_final(SHA224_CTX(desc), out);
81 return 0;
82 }
83
crypto_sha224_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)84 static int crypto_sha224_digest(struct shash_desc *desc,
85 const u8 *data, unsigned int len, u8 *out)
86 {
87 sha224(data, len, out);
88 return 0;
89 }
90
crypto_sha224_export(struct shash_desc * desc,void * out)91 static int crypto_sha224_export(struct shash_desc *desc, void *out)
92 {
93 return __crypto_sha256_export(&SHA224_CTX(desc)->ctx, out);
94 }
95
crypto_sha224_import(struct shash_desc * desc,const void * in)96 static int crypto_sha224_import(struct shash_desc *desc, const void *in)
97 {
98 return __crypto_sha256_import(&SHA224_CTX(desc)->ctx, in);
99 }
100
101 /* SHA-256 */
102
103 const u8 sha256_zero_message_hash[SHA256_DIGEST_SIZE] = {
104 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14,
105 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24,
106 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
107 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
108 };
109 EXPORT_SYMBOL_GPL(sha256_zero_message_hash);
110
111 #define SHA256_CTX(desc) ((struct sha256_ctx *)shash_desc_ctx(desc))
112
crypto_sha256_init(struct shash_desc * desc)113 static int crypto_sha256_init(struct shash_desc *desc)
114 {
115 sha256_init(SHA256_CTX(desc));
116 return 0;
117 }
118
crypto_sha256_update(struct shash_desc * desc,const u8 * data,unsigned int len)119 static int crypto_sha256_update(struct shash_desc *desc,
120 const u8 *data, unsigned int len)
121 {
122 sha256_update(SHA256_CTX(desc), data, len);
123 return 0;
124 }
125
crypto_sha256_final(struct shash_desc * desc,u8 * out)126 static int crypto_sha256_final(struct shash_desc *desc, u8 *out)
127 {
128 sha256_final(SHA256_CTX(desc), out);
129 return 0;
130 }
131
crypto_sha256_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)132 static int crypto_sha256_digest(struct shash_desc *desc,
133 const u8 *data, unsigned int len, u8 *out)
134 {
135 sha256(data, len, out);
136 return 0;
137 }
138
crypto_sha256_export(struct shash_desc * desc,void * out)139 static int crypto_sha256_export(struct shash_desc *desc, void *out)
140 {
141 return __crypto_sha256_export(&SHA256_CTX(desc)->ctx, out);
142 }
143
crypto_sha256_import(struct shash_desc * desc,const void * in)144 static int crypto_sha256_import(struct shash_desc *desc, const void *in)
145 {
146 return __crypto_sha256_import(&SHA256_CTX(desc)->ctx, in);
147 }
148
149 /* HMAC-SHA224 */
150
151 #define HMAC_SHA224_KEY(tfm) ((struct hmac_sha224_key *)crypto_shash_ctx(tfm))
152 #define HMAC_SHA224_CTX(desc) ((struct hmac_sha224_ctx *)shash_desc_ctx(desc))
153
crypto_hmac_sha224_setkey(struct crypto_shash * tfm,const u8 * raw_key,unsigned int keylen)154 static int crypto_hmac_sha224_setkey(struct crypto_shash *tfm,
155 const u8 *raw_key, unsigned int keylen)
156 {
157 hmac_sha224_preparekey(HMAC_SHA224_KEY(tfm), raw_key, keylen);
158 return 0;
159 }
160
crypto_hmac_sha224_init(struct shash_desc * desc)161 static int crypto_hmac_sha224_init(struct shash_desc *desc)
162 {
163 hmac_sha224_init(HMAC_SHA224_CTX(desc), HMAC_SHA224_KEY(desc->tfm));
164 return 0;
165 }
166
crypto_hmac_sha224_update(struct shash_desc * desc,const u8 * data,unsigned int len)167 static int crypto_hmac_sha224_update(struct shash_desc *desc,
168 const u8 *data, unsigned int len)
169 {
170 hmac_sha224_update(HMAC_SHA224_CTX(desc), data, len);
171 return 0;
172 }
173
crypto_hmac_sha224_final(struct shash_desc * desc,u8 * out)174 static int crypto_hmac_sha224_final(struct shash_desc *desc, u8 *out)
175 {
176 hmac_sha224_final(HMAC_SHA224_CTX(desc), out);
177 return 0;
178 }
179
crypto_hmac_sha224_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)180 static int crypto_hmac_sha224_digest(struct shash_desc *desc,
181 const u8 *data, unsigned int len,
182 u8 *out)
183 {
184 hmac_sha224(HMAC_SHA224_KEY(desc->tfm), data, len, out);
185 return 0;
186 }
187
crypto_hmac_sha224_export(struct shash_desc * desc,void * out)188 static int crypto_hmac_sha224_export(struct shash_desc *desc, void *out)
189 {
190 return __crypto_sha256_export(&HMAC_SHA224_CTX(desc)->ctx.sha_ctx, out);
191 }
192
crypto_hmac_sha224_import(struct shash_desc * desc,const void * in)193 static int crypto_hmac_sha224_import(struct shash_desc *desc, const void *in)
194 {
195 struct hmac_sha224_ctx *ctx = HMAC_SHA224_CTX(desc);
196
197 ctx->ctx.ostate = HMAC_SHA224_KEY(desc->tfm)->key.ostate;
198 return __crypto_sha256_import(&ctx->ctx.sha_ctx, in);
199 }
200
201 /* HMAC-SHA256 */
202
203 #define HMAC_SHA256_KEY(tfm) ((struct hmac_sha256_key *)crypto_shash_ctx(tfm))
204 #define HMAC_SHA256_CTX(desc) ((struct hmac_sha256_ctx *)shash_desc_ctx(desc))
205
crypto_hmac_sha256_setkey(struct crypto_shash * tfm,const u8 * raw_key,unsigned int keylen)206 static int crypto_hmac_sha256_setkey(struct crypto_shash *tfm,
207 const u8 *raw_key, unsigned int keylen)
208 {
209 hmac_sha256_preparekey(HMAC_SHA256_KEY(tfm), raw_key, keylen);
210 return 0;
211 }
212
crypto_hmac_sha256_init(struct shash_desc * desc)213 static int crypto_hmac_sha256_init(struct shash_desc *desc)
214 {
215 hmac_sha256_init(HMAC_SHA256_CTX(desc), HMAC_SHA256_KEY(desc->tfm));
216 return 0;
217 }
218
crypto_hmac_sha256_update(struct shash_desc * desc,const u8 * data,unsigned int len)219 static int crypto_hmac_sha256_update(struct shash_desc *desc,
220 const u8 *data, unsigned int len)
221 {
222 hmac_sha256_update(HMAC_SHA256_CTX(desc), data, len);
223 return 0;
224 }
225
crypto_hmac_sha256_final(struct shash_desc * desc,u8 * out)226 static int crypto_hmac_sha256_final(struct shash_desc *desc, u8 *out)
227 {
228 hmac_sha256_final(HMAC_SHA256_CTX(desc), out);
229 return 0;
230 }
231
crypto_hmac_sha256_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)232 static int crypto_hmac_sha256_digest(struct shash_desc *desc,
233 const u8 *data, unsigned int len,
234 u8 *out)
235 {
236 hmac_sha256(HMAC_SHA256_KEY(desc->tfm), data, len, out);
237 return 0;
238 }
239
crypto_hmac_sha256_export(struct shash_desc * desc,void * out)240 static int crypto_hmac_sha256_export(struct shash_desc *desc, void *out)
241 {
242 return __crypto_sha256_export(&HMAC_SHA256_CTX(desc)->ctx.sha_ctx, out);
243 }
244
crypto_hmac_sha256_import(struct shash_desc * desc,const void * in)245 static int crypto_hmac_sha256_import(struct shash_desc *desc, const void *in)
246 {
247 struct hmac_sha256_ctx *ctx = HMAC_SHA256_CTX(desc);
248
249 ctx->ctx.ostate = HMAC_SHA256_KEY(desc->tfm)->key.ostate;
250 return __crypto_sha256_import(&ctx->ctx.sha_ctx, in);
251 }
252
253 /* Algorithm definitions */
254
255 static struct shash_alg algs[] = {
256 {
257 .base.cra_name = "sha224",
258 .base.cra_driver_name = "sha224-lib",
259 .base.cra_priority = 300,
260 .base.cra_blocksize = SHA224_BLOCK_SIZE,
261 .base.cra_module = THIS_MODULE,
262 .digestsize = SHA224_DIGEST_SIZE,
263 .init = crypto_sha224_init,
264 .update = crypto_sha224_update,
265 .final = crypto_sha224_final,
266 .digest = crypto_sha224_digest,
267 .export = crypto_sha224_export,
268 .import = crypto_sha224_import,
269 .descsize = sizeof(struct sha224_ctx),
270 .statesize = SHA256_SHASH_STATE_SIZE,
271 },
272 {
273 .base.cra_name = "sha256",
274 .base.cra_driver_name = "sha256-lib",
275 .base.cra_priority = 300,
276 .base.cra_blocksize = SHA256_BLOCK_SIZE,
277 .base.cra_module = THIS_MODULE,
278 .digestsize = SHA256_DIGEST_SIZE,
279 .init = crypto_sha256_init,
280 .update = crypto_sha256_update,
281 .final = crypto_sha256_final,
282 .digest = crypto_sha256_digest,
283 .export = crypto_sha256_export,
284 .import = crypto_sha256_import,
285 .descsize = sizeof(struct sha256_ctx),
286 .statesize = SHA256_SHASH_STATE_SIZE,
287 },
288 {
289 .base.cra_name = "hmac(sha224)",
290 .base.cra_driver_name = "hmac-sha224-lib",
291 .base.cra_priority = 300,
292 .base.cra_blocksize = SHA224_BLOCK_SIZE,
293 .base.cra_ctxsize = sizeof(struct hmac_sha224_key),
294 .base.cra_module = THIS_MODULE,
295 .digestsize = SHA224_DIGEST_SIZE,
296 .setkey = crypto_hmac_sha224_setkey,
297 .init = crypto_hmac_sha224_init,
298 .update = crypto_hmac_sha224_update,
299 .final = crypto_hmac_sha224_final,
300 .digest = crypto_hmac_sha224_digest,
301 .export = crypto_hmac_sha224_export,
302 .import = crypto_hmac_sha224_import,
303 .descsize = sizeof(struct hmac_sha224_ctx),
304 .statesize = SHA256_SHASH_STATE_SIZE,
305 },
306 {
307 .base.cra_name = "hmac(sha256)",
308 .base.cra_driver_name = "hmac-sha256-lib",
309 .base.cra_priority = 300,
310 .base.cra_blocksize = SHA256_BLOCK_SIZE,
311 .base.cra_ctxsize = sizeof(struct hmac_sha256_key),
312 .base.cra_module = THIS_MODULE,
313 .digestsize = SHA256_DIGEST_SIZE,
314 .setkey = crypto_hmac_sha256_setkey,
315 .init = crypto_hmac_sha256_init,
316 .update = crypto_hmac_sha256_update,
317 .final = crypto_hmac_sha256_final,
318 .digest = crypto_hmac_sha256_digest,
319 .export = crypto_hmac_sha256_export,
320 .import = crypto_hmac_sha256_import,
321 .descsize = sizeof(struct hmac_sha256_ctx),
322 .statesize = SHA256_SHASH_STATE_SIZE,
323 },
324 };
325
crypto_sha256_mod_init(void)326 static int __init crypto_sha256_mod_init(void)
327 {
328 return crypto_register_shashes(algs, ARRAY_SIZE(algs));
329 }
330 module_init(crypto_sha256_mod_init);
331
crypto_sha256_mod_exit(void)332 static void __exit crypto_sha256_mod_exit(void)
333 {
334 crypto_unregister_shashes(algs, ARRAY_SIZE(algs));
335 }
336 module_exit(crypto_sha256_mod_exit);
337
338 MODULE_LICENSE("GPL");
339 MODULE_DESCRIPTION("Crypto API support for SHA-224, SHA-256, HMAC-SHA224, and HMAC-SHA256");
340
341 MODULE_ALIAS_CRYPTO("sha224");
342 MODULE_ALIAS_CRYPTO("sha224-lib");
343 MODULE_ALIAS_CRYPTO("sha256");
344 MODULE_ALIAS_CRYPTO("sha256-lib");
345 MODULE_ALIAS_CRYPTO("hmac(sha224)");
346 MODULE_ALIAS_CRYPTO("hmac-sha224-lib");
347 MODULE_ALIAS_CRYPTO("hmac(sha256)");
348 MODULE_ALIAS_CRYPTO("hmac-sha256-lib");
349