1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Crypto API support for SHA-384, SHA-512, HMAC-SHA384, and HMAC-SHA512 4 * 5 * Copyright (c) Jean-Luc Cooke <jlcooke@certainkey.com> 6 * Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk> 7 * Copyright (c) 2003 Kyle McMartin <kyle@debian.org> 8 * Copyright 2025 Google LLC 9 */ 10 #include <crypto/internal/hash.h> 11 #include <crypto/sha2.h> 12 #include <linux/kernel.h> 13 #include <linux/module.h> 14 15 /* 16 * Export and import functions. crypto_shash wants a particular format that 17 * matches that used by some legacy drivers. It currently is the same as the 18 * library SHA context, except the value in bytecount_lo must be block-aligned 19 * and the remainder must be stored in an extra u8 appended to the struct. 20 */ 21 22 #define SHA512_SHASH_STATE_SIZE 209 23 static_assert(offsetof(struct __sha512_ctx, state) == 0); 24 static_assert(offsetof(struct __sha512_ctx, bytecount_lo) == 64); 25 static_assert(offsetof(struct __sha512_ctx, bytecount_hi) == 72); 26 static_assert(offsetof(struct __sha512_ctx, buf) == 80); 27 static_assert(sizeof(struct __sha512_ctx) + 1 == SHA512_SHASH_STATE_SIZE); 28 29 static int __crypto_sha512_export(const struct __sha512_ctx *ctx0, void *out) 30 { 31 struct __sha512_ctx ctx = *ctx0; 32 unsigned int partial; 33 u8 *p = out; 34 35 partial = ctx.bytecount_lo % SHA512_BLOCK_SIZE; 36 ctx.bytecount_lo -= partial; 37 memcpy(p, &ctx, sizeof(ctx)); 38 p += sizeof(ctx); 39 *p = partial; 40 return 0; 41 } 42 43 static int __crypto_sha512_import(struct __sha512_ctx *ctx, const void *in) 44 { 45 const u8 *p = in; 46 47 memcpy(ctx, p, sizeof(*ctx)); 48 p += sizeof(*ctx); 49 ctx->bytecount_lo += *p; 50 return 0; 51 } 52 53 static int __crypto_sha512_export_core(const struct __sha512_ctx *ctx, 54 void *out) 55 { 56 memcpy(out, ctx, offsetof(struct __sha512_ctx, buf)); 57 return 0; 58 } 59 60 static int __crypto_sha512_import_core(struct __sha512_ctx *ctx, const void *in) 61 { 62 memcpy(ctx, in, offsetof(struct __sha512_ctx, buf)); 63 return 0; 64 } 65 66 /* SHA-384 */ 67 68 const u8 sha384_zero_message_hash[SHA384_DIGEST_SIZE] = { 69 0x38, 0xb0, 0x60, 0xa7, 0x51, 0xac, 0x96, 0x38, 70 0x4c, 0xd9, 0x32, 0x7e, 0xb1, 0xb1, 0xe3, 0x6a, 71 0x21, 0xfd, 0xb7, 0x11, 0x14, 0xbe, 0x07, 0x43, 72 0x4c, 0x0c, 0xc7, 0xbf, 0x63, 0xf6, 0xe1, 0xda, 73 0x27, 0x4e, 0xde, 0xbf, 0xe7, 0x6f, 0x65, 0xfb, 74 0xd5, 0x1a, 0xd2, 0xf1, 0x48, 0x98, 0xb9, 0x5b 75 }; 76 EXPORT_SYMBOL_GPL(sha384_zero_message_hash); 77 78 #define SHA384_CTX(desc) ((struct sha384_ctx *)shash_desc_ctx(desc)) 79 80 static int crypto_sha384_init(struct shash_desc *desc) 81 { 82 sha384_init(SHA384_CTX(desc)); 83 return 0; 84 } 85 86 static int crypto_sha384_update(struct shash_desc *desc, 87 const u8 *data, unsigned int len) 88 { 89 sha384_update(SHA384_CTX(desc), data, len); 90 return 0; 91 } 92 93 static int crypto_sha384_final(struct shash_desc *desc, u8 *out) 94 { 95 sha384_final(SHA384_CTX(desc), out); 96 return 0; 97 } 98 99 static int crypto_sha384_digest(struct shash_desc *desc, 100 const u8 *data, unsigned int len, u8 *out) 101 { 102 sha384(data, len, out); 103 return 0; 104 } 105 106 static int crypto_sha384_export(struct shash_desc *desc, void *out) 107 { 108 return __crypto_sha512_export(&SHA384_CTX(desc)->ctx, out); 109 } 110 111 static int crypto_sha384_import(struct shash_desc *desc, const void *in) 112 { 113 return __crypto_sha512_import(&SHA384_CTX(desc)->ctx, in); 114 } 115 116 static int crypto_sha384_export_core(struct shash_desc *desc, void *out) 117 { 118 return __crypto_sha512_export_core(&SHA384_CTX(desc)->ctx, out); 119 } 120 121 static int crypto_sha384_import_core(struct shash_desc *desc, const void *in) 122 { 123 return __crypto_sha512_import_core(&SHA384_CTX(desc)->ctx, in); 124 } 125 126 /* SHA-512 */ 127 128 const u8 sha512_zero_message_hash[SHA512_DIGEST_SIZE] = { 129 0xcf, 0x83, 0xe1, 0x35, 0x7e, 0xef, 0xb8, 0xbd, 130 0xf1, 0x54, 0x28, 0x50, 0xd6, 0x6d, 0x80, 0x07, 131 0xd6, 0x20, 0xe4, 0x05, 0x0b, 0x57, 0x15, 0xdc, 132 0x83, 0xf4, 0xa9, 0x21, 0xd3, 0x6c, 0xe9, 0xce, 133 0x47, 0xd0, 0xd1, 0x3c, 0x5d, 0x85, 0xf2, 0xb0, 134 0xff, 0x83, 0x18, 0xd2, 0x87, 0x7e, 0xec, 0x2f, 135 0x63, 0xb9, 0x31, 0xbd, 0x47, 0x41, 0x7a, 0x81, 136 0xa5, 0x38, 0x32, 0x7a, 0xf9, 0x27, 0xda, 0x3e 137 }; 138 EXPORT_SYMBOL_GPL(sha512_zero_message_hash); 139 140 #define SHA512_CTX(desc) ((struct sha512_ctx *)shash_desc_ctx(desc)) 141 142 static int crypto_sha512_init(struct shash_desc *desc) 143 { 144 sha512_init(SHA512_CTX(desc)); 145 return 0; 146 } 147 148 static int crypto_sha512_update(struct shash_desc *desc, 149 const u8 *data, unsigned int len) 150 { 151 sha512_update(SHA512_CTX(desc), data, len); 152 return 0; 153 } 154 155 static int crypto_sha512_final(struct shash_desc *desc, u8 *out) 156 { 157 sha512_final(SHA512_CTX(desc), out); 158 return 0; 159 } 160 161 static int crypto_sha512_digest(struct shash_desc *desc, 162 const u8 *data, unsigned int len, u8 *out) 163 { 164 sha512(data, len, out); 165 return 0; 166 } 167 168 static int crypto_sha512_export(struct shash_desc *desc, void *out) 169 { 170 return __crypto_sha512_export(&SHA512_CTX(desc)->ctx, out); 171 } 172 173 static int crypto_sha512_import(struct shash_desc *desc, const void *in) 174 { 175 return __crypto_sha512_import(&SHA512_CTX(desc)->ctx, in); 176 } 177 178 static int crypto_sha512_export_core(struct shash_desc *desc, void *out) 179 { 180 return __crypto_sha512_export_core(&SHA512_CTX(desc)->ctx, out); 181 } 182 183 static int crypto_sha512_import_core(struct shash_desc *desc, const void *in) 184 { 185 return __crypto_sha512_import_core(&SHA512_CTX(desc)->ctx, in); 186 } 187 188 /* HMAC-SHA384 */ 189 190 #define HMAC_SHA384_KEY(tfm) ((struct hmac_sha384_key *)crypto_shash_ctx(tfm)) 191 #define HMAC_SHA384_CTX(desc) ((struct hmac_sha384_ctx *)shash_desc_ctx(desc)) 192 193 static int crypto_hmac_sha384_setkey(struct crypto_shash *tfm, 194 const u8 *raw_key, unsigned int keylen) 195 { 196 hmac_sha384_preparekey(HMAC_SHA384_KEY(tfm), raw_key, keylen); 197 return 0; 198 } 199 200 static int crypto_hmac_sha384_init(struct shash_desc *desc) 201 { 202 hmac_sha384_init(HMAC_SHA384_CTX(desc), HMAC_SHA384_KEY(desc->tfm)); 203 return 0; 204 } 205 206 static int crypto_hmac_sha384_update(struct shash_desc *desc, 207 const u8 *data, unsigned int len) 208 { 209 hmac_sha384_update(HMAC_SHA384_CTX(desc), data, len); 210 return 0; 211 } 212 213 static int crypto_hmac_sha384_final(struct shash_desc *desc, u8 *out) 214 { 215 hmac_sha384_final(HMAC_SHA384_CTX(desc), out); 216 return 0; 217 } 218 219 static int crypto_hmac_sha384_digest(struct shash_desc *desc, 220 const u8 *data, unsigned int len, 221 u8 *out) 222 { 223 hmac_sha384(HMAC_SHA384_KEY(desc->tfm), data, len, out); 224 return 0; 225 } 226 227 static int crypto_hmac_sha384_export(struct shash_desc *desc, void *out) 228 { 229 return __crypto_sha512_export(&HMAC_SHA384_CTX(desc)->ctx.sha_ctx, out); 230 } 231 232 static int crypto_hmac_sha384_import(struct shash_desc *desc, const void *in) 233 { 234 struct hmac_sha384_ctx *ctx = HMAC_SHA384_CTX(desc); 235 236 ctx->ctx.ostate = HMAC_SHA384_KEY(desc->tfm)->key.ostate; 237 return __crypto_sha512_import(&ctx->ctx.sha_ctx, in); 238 } 239 240 static int crypto_hmac_sha384_export_core(struct shash_desc *desc, void *out) 241 { 242 return __crypto_sha512_export_core(&HMAC_SHA384_CTX(desc)->ctx.sha_ctx, 243 out); 244 } 245 246 static int crypto_hmac_sha384_import_core(struct shash_desc *desc, 247 const void *in) 248 { 249 struct hmac_sha384_ctx *ctx = HMAC_SHA384_CTX(desc); 250 251 ctx->ctx.ostate = HMAC_SHA384_KEY(desc->tfm)->key.ostate; 252 return __crypto_sha512_import_core(&ctx->ctx.sha_ctx, in); 253 } 254 255 /* HMAC-SHA512 */ 256 257 #define HMAC_SHA512_KEY(tfm) ((struct hmac_sha512_key *)crypto_shash_ctx(tfm)) 258 #define HMAC_SHA512_CTX(desc) ((struct hmac_sha512_ctx *)shash_desc_ctx(desc)) 259 260 static int crypto_hmac_sha512_setkey(struct crypto_shash *tfm, 261 const u8 *raw_key, unsigned int keylen) 262 { 263 hmac_sha512_preparekey(HMAC_SHA512_KEY(tfm), raw_key, keylen); 264 return 0; 265 } 266 267 static int crypto_hmac_sha512_init(struct shash_desc *desc) 268 { 269 hmac_sha512_init(HMAC_SHA512_CTX(desc), HMAC_SHA512_KEY(desc->tfm)); 270 return 0; 271 } 272 273 static int crypto_hmac_sha512_update(struct shash_desc *desc, 274 const u8 *data, unsigned int len) 275 { 276 hmac_sha512_update(HMAC_SHA512_CTX(desc), data, len); 277 return 0; 278 } 279 280 static int crypto_hmac_sha512_final(struct shash_desc *desc, u8 *out) 281 { 282 hmac_sha512_final(HMAC_SHA512_CTX(desc), out); 283 return 0; 284 } 285 286 static int crypto_hmac_sha512_digest(struct shash_desc *desc, 287 const u8 *data, unsigned int len, 288 u8 *out) 289 { 290 hmac_sha512(HMAC_SHA512_KEY(desc->tfm), data, len, out); 291 return 0; 292 } 293 294 static int crypto_hmac_sha512_export(struct shash_desc *desc, void *out) 295 { 296 return __crypto_sha512_export(&HMAC_SHA512_CTX(desc)->ctx.sha_ctx, out); 297 } 298 299 static int crypto_hmac_sha512_import(struct shash_desc *desc, const void *in) 300 { 301 struct hmac_sha512_ctx *ctx = HMAC_SHA512_CTX(desc); 302 303 ctx->ctx.ostate = HMAC_SHA512_KEY(desc->tfm)->key.ostate; 304 return __crypto_sha512_import(&ctx->ctx.sha_ctx, in); 305 } 306 307 static int crypto_hmac_sha512_export_core(struct shash_desc *desc, void *out) 308 { 309 return __crypto_sha512_export_core(&HMAC_SHA512_CTX(desc)->ctx.sha_ctx, 310 out); 311 } 312 313 static int crypto_hmac_sha512_import_core(struct shash_desc *desc, 314 const void *in) 315 { 316 struct hmac_sha512_ctx *ctx = HMAC_SHA512_CTX(desc); 317 318 ctx->ctx.ostate = HMAC_SHA512_KEY(desc->tfm)->key.ostate; 319 return __crypto_sha512_import_core(&ctx->ctx.sha_ctx, in); 320 } 321 322 /* Algorithm definitions */ 323 324 static struct shash_alg algs[] = { 325 { 326 .base.cra_name = "sha384", 327 .base.cra_driver_name = "sha384-lib", 328 .base.cra_priority = 300, 329 .base.cra_blocksize = SHA384_BLOCK_SIZE, 330 .base.cra_module = THIS_MODULE, 331 .digestsize = SHA384_DIGEST_SIZE, 332 .init = crypto_sha384_init, 333 .update = crypto_sha384_update, 334 .final = crypto_sha384_final, 335 .digest = crypto_sha384_digest, 336 .export = crypto_sha384_export, 337 .import = crypto_sha384_import, 338 .export_core = crypto_sha384_export_core, 339 .import_core = crypto_sha384_import_core, 340 .descsize = sizeof(struct sha384_ctx), 341 .statesize = SHA512_SHASH_STATE_SIZE, 342 }, 343 { 344 .base.cra_name = "sha512", 345 .base.cra_driver_name = "sha512-lib", 346 .base.cra_priority = 300, 347 .base.cra_blocksize = SHA512_BLOCK_SIZE, 348 .base.cra_module = THIS_MODULE, 349 .digestsize = SHA512_DIGEST_SIZE, 350 .init = crypto_sha512_init, 351 .update = crypto_sha512_update, 352 .final = crypto_sha512_final, 353 .digest = crypto_sha512_digest, 354 .export = crypto_sha512_export, 355 .import = crypto_sha512_import, 356 .export_core = crypto_sha512_export_core, 357 .import_core = crypto_sha512_import_core, 358 .descsize = sizeof(struct sha512_ctx), 359 .statesize = SHA512_SHASH_STATE_SIZE, 360 }, 361 { 362 .base.cra_name = "hmac(sha384)", 363 .base.cra_driver_name = "hmac-sha384-lib", 364 .base.cra_priority = 300, 365 .base.cra_blocksize = SHA384_BLOCK_SIZE, 366 .base.cra_ctxsize = sizeof(struct hmac_sha384_key), 367 .base.cra_module = THIS_MODULE, 368 .digestsize = SHA384_DIGEST_SIZE, 369 .setkey = crypto_hmac_sha384_setkey, 370 .init = crypto_hmac_sha384_init, 371 .update = crypto_hmac_sha384_update, 372 .final = crypto_hmac_sha384_final, 373 .digest = crypto_hmac_sha384_digest, 374 .export = crypto_hmac_sha384_export, 375 .import = crypto_hmac_sha384_import, 376 .export_core = crypto_hmac_sha384_export_core, 377 .import_core = crypto_hmac_sha384_import_core, 378 .descsize = sizeof(struct hmac_sha384_ctx), 379 .statesize = SHA512_SHASH_STATE_SIZE, 380 }, 381 { 382 .base.cra_name = "hmac(sha512)", 383 .base.cra_driver_name = "hmac-sha512-lib", 384 .base.cra_priority = 300, 385 .base.cra_blocksize = SHA512_BLOCK_SIZE, 386 .base.cra_ctxsize = sizeof(struct hmac_sha512_key), 387 .base.cra_module = THIS_MODULE, 388 .digestsize = SHA512_DIGEST_SIZE, 389 .setkey = crypto_hmac_sha512_setkey, 390 .init = crypto_hmac_sha512_init, 391 .update = crypto_hmac_sha512_update, 392 .final = crypto_hmac_sha512_final, 393 .digest = crypto_hmac_sha512_digest, 394 .export = crypto_hmac_sha512_export, 395 .import = crypto_hmac_sha512_import, 396 .export_core = crypto_hmac_sha512_export_core, 397 .import_core = crypto_hmac_sha512_import_core, 398 .descsize = sizeof(struct hmac_sha512_ctx), 399 .statesize = SHA512_SHASH_STATE_SIZE, 400 }, 401 }; 402 403 static int __init crypto_sha512_mod_init(void) 404 { 405 return crypto_register_shashes(algs, ARRAY_SIZE(algs)); 406 } 407 module_init(crypto_sha512_mod_init); 408 409 static void __exit crypto_sha512_mod_exit(void) 410 { 411 crypto_unregister_shashes(algs, ARRAY_SIZE(algs)); 412 } 413 module_exit(crypto_sha512_mod_exit); 414 415 MODULE_LICENSE("GPL"); 416 MODULE_DESCRIPTION("Crypto API support for SHA-384, SHA-512, HMAC-SHA384, and HMAC-SHA512"); 417 418 MODULE_ALIAS_CRYPTO("sha384"); 419 MODULE_ALIAS_CRYPTO("sha384-lib"); 420 MODULE_ALIAS_CRYPTO("sha512"); 421 MODULE_ALIAS_CRYPTO("sha512-lib"); 422 MODULE_ALIAS_CRYPTO("hmac(sha384)"); 423 MODULE_ALIAS_CRYPTO("hmac-sha384-lib"); 424 MODULE_ALIAS_CRYPTO("hmac(sha512)"); 425 MODULE_ALIAS_CRYPTO("hmac-sha512-lib"); 426