1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * SHA-1 and HMAC-SHA1 library functions 4 */ 5 6 #include <crypto/hmac.h> 7 #include <crypto/sha1.h> 8 #include <linux/bitops.h> 9 #include <linux/export.h> 10 #include <linux/kernel.h> 11 #include <linux/module.h> 12 #include <linux/string.h> 13 #include <linux/unaligned.h> 14 #include <linux/wordpart.h> 15 #include "fips.h" 16 17 static const struct sha1_block_state sha1_iv = { 18 .h = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 }, 19 }; 20 21 /* 22 * If you have 32 registers or more, the compiler can (and should) 23 * try to change the array[] accesses into registers. However, on 24 * machines with less than ~25 registers, that won't really work, 25 * and at least gcc will make an unholy mess of it. 26 * 27 * So to avoid that mess which just slows things down, we force 28 * the stores to memory to actually happen (we might be better off 29 * with a 'W(t)=(val);asm("":"+m" (W(t))' there instead, as 30 * suggested by Artur Skawina - that will also make gcc unable to 31 * try to do the silly "optimize away loads" part because it won't 32 * see what the value will be). 33 * 34 * Ben Herrenschmidt reports that on PPC, the C version comes close 35 * to the optimized asm with this (ie on PPC you don't want that 36 * 'volatile', since there are lots of registers). 37 * 38 * On ARM we get the best code generation by forcing a full memory barrier 39 * between each SHA_ROUND, otherwise gcc happily get wild with spilling and 40 * the stack frame size simply explode and performance goes down the drain. 41 */ 42 43 #ifdef CONFIG_X86 44 #define setW(x, val) (*(volatile __u32 *)&W(x) = (val)) 45 #elif defined(CONFIG_ARM) 46 #define setW(x, val) do { W(x) = (val); __asm__("":::"memory"); } while (0) 47 #else 48 #define setW(x, val) (W(x) = (val)) 49 #endif 50 51 /* This "rolls" over the 512-bit array */ 52 #define W(x) (workspace[(x)&15]) 53 54 /* 55 * Where do we get the source from? The first 16 iterations get it from 56 * the input data, the next mix it from the 512-bit array. 57 */ 58 #define SHA_SRC(t) get_unaligned_be32((__u32 *)data + t) 59 #define SHA_MIX(t) rol32(W(t+13) ^ W(t+8) ^ W(t+2) ^ W(t), 1) 60 61 #define SHA_ROUND(t, input, fn, constant, A, B, C, D, E) do { \ 62 __u32 TEMP = input(t); setW(t, TEMP); \ 63 E += TEMP + rol32(A,5) + (fn) + (constant); \ 64 B = ror32(B, 2); \ 65 TEMP = E; E = D; D = C; C = B; B = A; A = TEMP; } while (0) 66 67 #define T_0_15(t, A, B, C, D, E) SHA_ROUND(t, SHA_SRC, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E ) 68 #define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E ) 69 #define T_20_39(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0x6ed9eba1, A, B, C, D, E ) 70 #define T_40_59(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, ((B&C)+(D&(B^C))) , 0x8f1bbcdc, A, B, C, D, E ) 71 #define T_60_79(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0xca62c1d6, A, B, C, D, E ) 72 73 #define SHA1_WORKSPACE_WORDS 16 74 75 static void sha1_block_generic(struct sha1_block_state *state, 76 const u8 data[SHA1_BLOCK_SIZE], 77 u32 workspace[SHA1_WORKSPACE_WORDS]) 78 { 79 __u32 A, B, C, D, E; 80 unsigned int i = 0; 81 82 A = state->h[0]; 83 B = state->h[1]; 84 C = state->h[2]; 85 D = state->h[3]; 86 E = state->h[4]; 87 88 /* Round 1 - iterations 0-16 take their input from 'data' */ 89 for (; i < 16; ++i) 90 T_0_15(i, A, B, C, D, E); 91 92 /* Round 1 - tail. Input from 512-bit mixing array */ 93 for (; i < 20; ++i) 94 T_16_19(i, A, B, C, D, E); 95 96 /* Round 2 */ 97 for (; i < 40; ++i) 98 T_20_39(i, A, B, C, D, E); 99 100 /* Round 3 */ 101 for (; i < 60; ++i) 102 T_40_59(i, A, B, C, D, E); 103 104 /* Round 4 */ 105 for (; i < 80; ++i) 106 T_60_79(i, A, B, C, D, E); 107 108 state->h[0] += A; 109 state->h[1] += B; 110 state->h[2] += C; 111 state->h[3] += D; 112 state->h[4] += E; 113 } 114 115 static void __maybe_unused sha1_blocks_generic(struct sha1_block_state *state, 116 const u8 *data, size_t nblocks) 117 { 118 u32 workspace[SHA1_WORKSPACE_WORDS]; 119 120 do { 121 sha1_block_generic(state, data, workspace); 122 data += SHA1_BLOCK_SIZE; 123 } while (--nblocks); 124 125 memzero_explicit(workspace, sizeof(workspace)); 126 } 127 128 #ifdef CONFIG_CRYPTO_LIB_SHA1_ARCH 129 #include "sha1.h" /* $(SRCARCH)/sha1.h */ 130 #else 131 #define sha1_blocks sha1_blocks_generic 132 #endif 133 134 void sha1_init(struct sha1_ctx *ctx) 135 { 136 ctx->state = sha1_iv; 137 ctx->bytecount = 0; 138 } 139 EXPORT_SYMBOL_GPL(sha1_init); 140 141 void sha1_update(struct sha1_ctx *ctx, const u8 *data, size_t len) 142 { 143 size_t partial = ctx->bytecount % SHA1_BLOCK_SIZE; 144 145 ctx->bytecount += len; 146 147 if (partial + len >= SHA1_BLOCK_SIZE) { 148 size_t nblocks; 149 150 if (partial) { 151 size_t l = SHA1_BLOCK_SIZE - partial; 152 153 memcpy(&ctx->buf[partial], data, l); 154 data += l; 155 len -= l; 156 157 sha1_blocks(&ctx->state, ctx->buf, 1); 158 } 159 160 nblocks = len / SHA1_BLOCK_SIZE; 161 len %= SHA1_BLOCK_SIZE; 162 163 if (nblocks) { 164 sha1_blocks(&ctx->state, data, nblocks); 165 data += nblocks * SHA1_BLOCK_SIZE; 166 } 167 partial = 0; 168 } 169 if (len) 170 memcpy(&ctx->buf[partial], data, len); 171 } 172 EXPORT_SYMBOL_GPL(sha1_update); 173 174 static void __sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]) 175 { 176 u64 bitcount = ctx->bytecount << 3; 177 size_t partial = ctx->bytecount % SHA1_BLOCK_SIZE; 178 179 ctx->buf[partial++] = 0x80; 180 if (partial > SHA1_BLOCK_SIZE - 8) { 181 memset(&ctx->buf[partial], 0, SHA1_BLOCK_SIZE - partial); 182 sha1_blocks(&ctx->state, ctx->buf, 1); 183 partial = 0; 184 } 185 memset(&ctx->buf[partial], 0, SHA1_BLOCK_SIZE - 8 - partial); 186 *(__be64 *)&ctx->buf[SHA1_BLOCK_SIZE - 8] = cpu_to_be64(bitcount); 187 sha1_blocks(&ctx->state, ctx->buf, 1); 188 189 for (size_t i = 0; i < SHA1_DIGEST_SIZE; i += 4) 190 put_unaligned_be32(ctx->state.h[i / 4], out + i); 191 } 192 193 void sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]) 194 { 195 __sha1_final(ctx, out); 196 memzero_explicit(ctx, sizeof(*ctx)); 197 } 198 EXPORT_SYMBOL_GPL(sha1_final); 199 200 void sha1(const u8 *data, size_t len, u8 out[SHA1_DIGEST_SIZE]) 201 { 202 struct sha1_ctx ctx; 203 204 sha1_init(&ctx); 205 sha1_update(&ctx, data, len); 206 sha1_final(&ctx, out); 207 } 208 EXPORT_SYMBOL_GPL(sha1); 209 210 static void __hmac_sha1_preparekey(struct sha1_block_state *istate, 211 struct sha1_block_state *ostate, 212 const u8 *raw_key, size_t raw_key_len) 213 { 214 union { 215 u8 b[SHA1_BLOCK_SIZE]; 216 unsigned long w[SHA1_BLOCK_SIZE / sizeof(unsigned long)]; 217 } derived_key = { 0 }; 218 219 if (unlikely(raw_key_len > SHA1_BLOCK_SIZE)) 220 sha1(raw_key, raw_key_len, derived_key.b); 221 else 222 memcpy(derived_key.b, raw_key, raw_key_len); 223 224 for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++) 225 derived_key.w[i] ^= REPEAT_BYTE(HMAC_IPAD_VALUE); 226 *istate = sha1_iv; 227 sha1_blocks(istate, derived_key.b, 1); 228 229 for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++) 230 derived_key.w[i] ^= REPEAT_BYTE(HMAC_OPAD_VALUE ^ 231 HMAC_IPAD_VALUE); 232 *ostate = sha1_iv; 233 sha1_blocks(ostate, derived_key.b, 1); 234 235 memzero_explicit(&derived_key, sizeof(derived_key)); 236 } 237 238 void hmac_sha1_preparekey(struct hmac_sha1_key *key, 239 const u8 *raw_key, size_t raw_key_len) 240 { 241 __hmac_sha1_preparekey(&key->istate, &key->ostate, 242 raw_key, raw_key_len); 243 } 244 EXPORT_SYMBOL_GPL(hmac_sha1_preparekey); 245 246 void hmac_sha1_init(struct hmac_sha1_ctx *ctx, const struct hmac_sha1_key *key) 247 { 248 ctx->sha_ctx.state = key->istate; 249 ctx->sha_ctx.bytecount = SHA1_BLOCK_SIZE; 250 ctx->ostate = key->ostate; 251 } 252 EXPORT_SYMBOL_GPL(hmac_sha1_init); 253 254 void hmac_sha1_init_usingrawkey(struct hmac_sha1_ctx *ctx, 255 const u8 *raw_key, size_t raw_key_len) 256 { 257 __hmac_sha1_preparekey(&ctx->sha_ctx.state, &ctx->ostate, 258 raw_key, raw_key_len); 259 ctx->sha_ctx.bytecount = SHA1_BLOCK_SIZE; 260 } 261 EXPORT_SYMBOL_GPL(hmac_sha1_init_usingrawkey); 262 263 void hmac_sha1_final(struct hmac_sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE]) 264 { 265 /* Generate the padded input for the outer hash in ctx->sha_ctx.buf. */ 266 __sha1_final(&ctx->sha_ctx, ctx->sha_ctx.buf); 267 memset(&ctx->sha_ctx.buf[SHA1_DIGEST_SIZE], 0, 268 SHA1_BLOCK_SIZE - SHA1_DIGEST_SIZE); 269 ctx->sha_ctx.buf[SHA1_DIGEST_SIZE] = 0x80; 270 *(__be32 *)&ctx->sha_ctx.buf[SHA1_BLOCK_SIZE - 4] = 271 cpu_to_be32(8 * (SHA1_BLOCK_SIZE + SHA1_DIGEST_SIZE)); 272 273 /* Compute the outer hash, which gives the HMAC value. */ 274 sha1_blocks(&ctx->ostate, ctx->sha_ctx.buf, 1); 275 for (size_t i = 0; i < SHA1_DIGEST_SIZE; i += 4) 276 put_unaligned_be32(ctx->ostate.h[i / 4], out + i); 277 278 memzero_explicit(ctx, sizeof(*ctx)); 279 } 280 EXPORT_SYMBOL_GPL(hmac_sha1_final); 281 282 void hmac_sha1(const struct hmac_sha1_key *key, 283 const u8 *data, size_t data_len, u8 out[SHA1_DIGEST_SIZE]) 284 { 285 struct hmac_sha1_ctx ctx; 286 287 hmac_sha1_init(&ctx, key); 288 hmac_sha1_update(&ctx, data, data_len); 289 hmac_sha1_final(&ctx, out); 290 } 291 EXPORT_SYMBOL_GPL(hmac_sha1); 292 293 void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len, 294 const u8 *data, size_t data_len, 295 u8 out[SHA1_DIGEST_SIZE]) 296 { 297 struct hmac_sha1_ctx ctx; 298 299 hmac_sha1_init_usingrawkey(&ctx, raw_key, raw_key_len); 300 hmac_sha1_update(&ctx, data, data_len); 301 hmac_sha1_final(&ctx, out); 302 } 303 EXPORT_SYMBOL_GPL(hmac_sha1_usingrawkey); 304 305 #if defined(sha1_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS) 306 static int __init sha1_mod_init(void) 307 { 308 #ifdef sha1_mod_init_arch 309 sha1_mod_init_arch(); 310 #endif 311 if (fips_enabled) { 312 /* 313 * FIPS cryptographic algorithm self-test. As per the FIPS 314 * Implementation Guidance, testing HMAC-SHA1 satisfies the test 315 * requirement for SHA-1 too. 316 */ 317 u8 mac[SHA1_DIGEST_SIZE]; 318 319 hmac_sha1_usingrawkey(fips_test_key, sizeof(fips_test_key), 320 fips_test_data, sizeof(fips_test_data), 321 mac); 322 if (memcmp(fips_test_hmac_sha1_value, mac, sizeof(mac)) != 0) 323 panic("sha1: FIPS self-test failed\n"); 324 } 325 return 0; 326 } 327 subsys_initcall(sha1_mod_init); 328 329 static void __exit sha1_mod_exit(void) 330 { 331 } 332 module_exit(sha1_mod_exit); 333 #endif 334 335 MODULE_DESCRIPTION("SHA-1 and HMAC-SHA1 library functions"); 336 MODULE_LICENSE("GPL"); 337