1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * Common values for SHA-2 algorithms 4 */ 5 6 #ifndef _CRYPTO_SHA2_H 7 #define _CRYPTO_SHA2_H 8 9 #include <linux/types.h> 10 11 #define SHA224_DIGEST_SIZE 28 12 #define SHA224_BLOCK_SIZE 64 13 14 #define SHA256_DIGEST_SIZE 32 15 #define SHA256_BLOCK_SIZE 64 16 #define SHA256_STATE_WORDS 8 17 18 #define SHA384_DIGEST_SIZE 48 19 #define SHA384_BLOCK_SIZE 128 20 21 #define SHA512_DIGEST_SIZE 64 22 #define SHA512_BLOCK_SIZE 128 23 #define SHA512_STATE_SIZE 80 24 25 #define SHA224_H0 0xc1059ed8UL 26 #define SHA224_H1 0x367cd507UL 27 #define SHA224_H2 0x3070dd17UL 28 #define SHA224_H3 0xf70e5939UL 29 #define SHA224_H4 0xffc00b31UL 30 #define SHA224_H5 0x68581511UL 31 #define SHA224_H6 0x64f98fa7UL 32 #define SHA224_H7 0xbefa4fa4UL 33 34 #define SHA256_H0 0x6a09e667UL 35 #define SHA256_H1 0xbb67ae85UL 36 #define SHA256_H2 0x3c6ef372UL 37 #define SHA256_H3 0xa54ff53aUL 38 #define SHA256_H4 0x510e527fUL 39 #define SHA256_H5 0x9b05688cUL 40 #define SHA256_H6 0x1f83d9abUL 41 #define SHA256_H7 0x5be0cd19UL 42 43 #define SHA384_H0 0xcbbb9d5dc1059ed8ULL 44 #define SHA384_H1 0x629a292a367cd507ULL 45 #define SHA384_H2 0x9159015a3070dd17ULL 46 #define SHA384_H3 0x152fecd8f70e5939ULL 47 #define SHA384_H4 0x67332667ffc00b31ULL 48 #define SHA384_H5 0x8eb44a8768581511ULL 49 #define SHA384_H6 0xdb0c2e0d64f98fa7ULL 50 #define SHA384_H7 0x47b5481dbefa4fa4ULL 51 52 #define SHA512_H0 0x6a09e667f3bcc908ULL 53 #define SHA512_H1 0xbb67ae8584caa73bULL 54 #define SHA512_H2 0x3c6ef372fe94f82bULL 55 #define SHA512_H3 0xa54ff53a5f1d36f1ULL 56 #define SHA512_H4 0x510e527fade682d1ULL 57 #define SHA512_H5 0x9b05688c2b3e6c1fULL 58 #define SHA512_H6 0x1f83d9abfb41bd6bULL 59 #define SHA512_H7 0x5be0cd19137e2179ULL 60 61 extern const u8 sha224_zero_message_hash[SHA224_DIGEST_SIZE]; 62 63 extern const u8 sha256_zero_message_hash[SHA256_DIGEST_SIZE]; 64 65 extern const u8 sha384_zero_message_hash[SHA384_DIGEST_SIZE]; 66 67 extern const u8 sha512_zero_message_hash[SHA512_DIGEST_SIZE]; 68 69 struct crypto_sha256_state { 70 u32 state[SHA256_STATE_WORDS]; 71 u64 count; 72 }; 73 74 static inline void sha224_block_init(struct crypto_sha256_state *sctx) 75 { 76 sctx->state[0] = SHA224_H0; 77 sctx->state[1] = SHA224_H1; 78 sctx->state[2] = SHA224_H2; 79 sctx->state[3] = SHA224_H3; 80 sctx->state[4] = SHA224_H4; 81 sctx->state[5] = SHA224_H5; 82 sctx->state[6] = SHA224_H6; 83 sctx->state[7] = SHA224_H7; 84 sctx->count = 0; 85 } 86 87 static inline void sha256_block_init(struct crypto_sha256_state *sctx) 88 { 89 sctx->state[0] = SHA256_H0; 90 sctx->state[1] = SHA256_H1; 91 sctx->state[2] = SHA256_H2; 92 sctx->state[3] = SHA256_H3; 93 sctx->state[4] = SHA256_H4; 94 sctx->state[5] = SHA256_H5; 95 sctx->state[6] = SHA256_H6; 96 sctx->state[7] = SHA256_H7; 97 sctx->count = 0; 98 } 99 100 struct sha256_state { 101 union { 102 struct crypto_sha256_state ctx; 103 struct { 104 u32 state[SHA256_STATE_WORDS]; 105 u64 count; 106 }; 107 }; 108 u8 buf[SHA256_BLOCK_SIZE]; 109 }; 110 111 struct sha512_state { 112 u64 state[SHA512_DIGEST_SIZE / 8]; 113 u64 count[2]; 114 u8 buf[SHA512_BLOCK_SIZE]; 115 }; 116 117 static inline void sha224_init(struct sha256_state *sctx) 118 { 119 sha224_block_init(&sctx->ctx); 120 } 121 /* Simply use sha256_update as it is equivalent to sha224_update. */ 122 void sha224_final(struct sha256_state *sctx, u8 out[SHA224_DIGEST_SIZE]); 123 124 static inline void sha256_init(struct sha256_state *sctx) 125 { 126 sha256_block_init(&sctx->ctx); 127 } 128 void sha256_update(struct sha256_state *sctx, const u8 *data, size_t len); 129 void sha256_final(struct sha256_state *sctx, u8 out[SHA256_DIGEST_SIZE]); 130 void sha256(const u8 *data, size_t len, u8 out[SHA256_DIGEST_SIZE]); 131 132 /* State for the SHA-512 (and SHA-384) compression function */ 133 struct sha512_block_state { 134 u64 h[8]; 135 }; 136 137 /* 138 * Context structure, shared by SHA-384 and SHA-512. The sha384_ctx and 139 * sha512_ctx structs wrap this one so that the API has proper typing and 140 * doesn't allow mixing the SHA-384 and SHA-512 functions arbitrarily. 141 */ 142 struct __sha512_ctx { 143 struct sha512_block_state state; 144 u64 bytecount_lo; 145 u64 bytecount_hi; 146 u8 buf[SHA512_BLOCK_SIZE] __aligned(__alignof__(__be64)); 147 }; 148 void __sha512_update(struct __sha512_ctx *ctx, const u8 *data, size_t len); 149 150 /* 151 * HMAC key and message context structs, shared by HMAC-SHA384 and HMAC-SHA512. 152 * The hmac_sha384_* and hmac_sha512_* structs wrap this one so that the API has 153 * proper typing and doesn't allow mixing the functions arbitrarily. 154 */ 155 struct __hmac_sha512_key { 156 struct sha512_block_state istate; 157 struct sha512_block_state ostate; 158 }; 159 struct __hmac_sha512_ctx { 160 struct __sha512_ctx sha_ctx; 161 struct sha512_block_state ostate; 162 }; 163 void __hmac_sha512_init(struct __hmac_sha512_ctx *ctx, 164 const struct __hmac_sha512_key *key); 165 166 /** 167 * struct sha384_ctx - Context for hashing a message with SHA-384 168 * @ctx: private 169 */ 170 struct sha384_ctx { 171 struct __sha512_ctx ctx; 172 }; 173 174 /** 175 * sha384_init() - Initialize a SHA-384 context for a new message 176 * @ctx: the context to initialize 177 * 178 * If you don't need incremental computation, consider sha384() instead. 179 * 180 * Context: Any context. 181 */ 182 void sha384_init(struct sha384_ctx *ctx); 183 184 /** 185 * sha384_update() - Update a SHA-384 context with message data 186 * @ctx: the context to update; must have been initialized 187 * @data: the message data 188 * @len: the data length in bytes 189 * 190 * This can be called any number of times. 191 * 192 * Context: Any context. 193 */ 194 static inline void sha384_update(struct sha384_ctx *ctx, 195 const u8 *data, size_t len) 196 { 197 __sha512_update(&ctx->ctx, data, len); 198 } 199 200 /** 201 * sha384_final() - Finish computing a SHA-384 message digest 202 * @ctx: the context to finalize; must have been initialized 203 * @out: (output) the resulting SHA-384 message digest 204 * 205 * After finishing, this zeroizes @ctx. So the caller does not need to do it. 206 * 207 * Context: Any context. 208 */ 209 void sha384_final(struct sha384_ctx *ctx, u8 out[SHA384_DIGEST_SIZE]); 210 211 /** 212 * sha384() - Compute SHA-384 message digest in one shot 213 * @data: the message data 214 * @len: the data length in bytes 215 * @out: (output) the resulting SHA-384 message digest 216 * 217 * Context: Any context. 218 */ 219 void sha384(const u8 *data, size_t len, u8 out[SHA384_DIGEST_SIZE]); 220 221 /** 222 * struct hmac_sha384_key - Prepared key for HMAC-SHA384 223 * @key: private 224 */ 225 struct hmac_sha384_key { 226 struct __hmac_sha512_key key; 227 }; 228 229 /** 230 * struct hmac_sha384_ctx - Context for computing HMAC-SHA384 of a message 231 * @ctx: private 232 */ 233 struct hmac_sha384_ctx { 234 struct __hmac_sha512_ctx ctx; 235 }; 236 237 /** 238 * hmac_sha384_preparekey() - Prepare a key for HMAC-SHA384 239 * @key: (output) the key structure to initialize 240 * @raw_key: the raw HMAC-SHA384 key 241 * @raw_key_len: the key length in bytes. All key lengths are supported. 242 * 243 * Note: the caller is responsible for zeroizing both the struct hmac_sha384_key 244 * and the raw key once they are no longer needed. 245 * 246 * Context: Any context. 247 */ 248 void hmac_sha384_preparekey(struct hmac_sha384_key *key, 249 const u8 *raw_key, size_t raw_key_len); 250 251 /** 252 * hmac_sha384_init() - Initialize an HMAC-SHA384 context for a new message 253 * @ctx: (output) the HMAC context to initialize 254 * @key: the prepared HMAC key 255 * 256 * If you don't need incremental computation, consider hmac_sha384() instead. 257 * 258 * Context: Any context. 259 */ 260 static inline void hmac_sha384_init(struct hmac_sha384_ctx *ctx, 261 const struct hmac_sha384_key *key) 262 { 263 __hmac_sha512_init(&ctx->ctx, &key->key); 264 } 265 266 /** 267 * hmac_sha384_update() - Update an HMAC-SHA384 context with message data 268 * @ctx: the HMAC context to update; must have been initialized 269 * @data: the message data 270 * @data_len: the data length in bytes 271 * 272 * This can be called any number of times. 273 * 274 * Context: Any context. 275 */ 276 static inline void hmac_sha384_update(struct hmac_sha384_ctx *ctx, 277 const u8 *data, size_t data_len) 278 { 279 __sha512_update(&ctx->ctx.sha_ctx, data, data_len); 280 } 281 282 /** 283 * hmac_sha384_final() - Finish computing an HMAC-SHA384 value 284 * @ctx: the HMAC context to finalize; must have been initialized 285 * @out: (output) the resulting HMAC-SHA384 value 286 * 287 * After finishing, this zeroizes @ctx. So the caller does not need to do it. 288 * 289 * Context: Any context. 290 */ 291 void hmac_sha384_final(struct hmac_sha384_ctx *ctx, u8 out[SHA384_DIGEST_SIZE]); 292 293 /** 294 * hmac_sha384() - Compute HMAC-SHA384 in one shot, using a prepared key 295 * @key: the prepared HMAC key 296 * @data: the message data 297 * @data_len: the data length in bytes 298 * @out: (output) the resulting HMAC-SHA384 value 299 * 300 * If you're using the key only once, consider using hmac_sha384_usingrawkey(). 301 * 302 * Context: Any context. 303 */ 304 void hmac_sha384(const struct hmac_sha384_key *key, 305 const u8 *data, size_t data_len, u8 out[SHA384_DIGEST_SIZE]); 306 307 /** 308 * hmac_sha384_usingrawkey() - Compute HMAC-SHA384 in one shot, using a raw key 309 * @raw_key: the raw HMAC-SHA384 key 310 * @raw_key_len: the key length in bytes. All key lengths are supported. 311 * @data: the message data 312 * @data_len: the data length in bytes 313 * @out: (output) the resulting HMAC-SHA384 value 314 * 315 * If you're using the key multiple times, prefer to use 316 * hmac_sha384_preparekey() followed by multiple calls to hmac_sha384() instead. 317 * 318 * Context: Any context. 319 */ 320 void hmac_sha384_usingrawkey(const u8 *raw_key, size_t raw_key_len, 321 const u8 *data, size_t data_len, 322 u8 out[SHA384_DIGEST_SIZE]); 323 324 /** 325 * struct sha512_ctx - Context for hashing a message with SHA-512 326 * @ctx: private 327 */ 328 struct sha512_ctx { 329 struct __sha512_ctx ctx; 330 }; 331 332 /** 333 * sha512_init() - Initialize a SHA-512 context for a new message 334 * @ctx: the context to initialize 335 * 336 * If you don't need incremental computation, consider sha512() instead. 337 * 338 * Context: Any context. 339 */ 340 void sha512_init(struct sha512_ctx *ctx); 341 342 /** 343 * sha512_update() - Update a SHA-512 context with message data 344 * @ctx: the context to update; must have been initialized 345 * @data: the message data 346 * @len: the data length in bytes 347 * 348 * This can be called any number of times. 349 * 350 * Context: Any context. 351 */ 352 static inline void sha512_update(struct sha512_ctx *ctx, 353 const u8 *data, size_t len) 354 { 355 __sha512_update(&ctx->ctx, data, len); 356 } 357 358 /** 359 * sha512_final() - Finish computing a SHA-512 message digest 360 * @ctx: the context to finalize; must have been initialized 361 * @out: (output) the resulting SHA-512 message digest 362 * 363 * After finishing, this zeroizes @ctx. So the caller does not need to do it. 364 * 365 * Context: Any context. 366 */ 367 void sha512_final(struct sha512_ctx *ctx, u8 out[SHA512_DIGEST_SIZE]); 368 369 /** 370 * sha512() - Compute SHA-512 message digest in one shot 371 * @data: the message data 372 * @len: the data length in bytes 373 * @out: (output) the resulting SHA-512 message digest 374 * 375 * Context: Any context. 376 */ 377 void sha512(const u8 *data, size_t len, u8 out[SHA512_DIGEST_SIZE]); 378 379 /** 380 * struct hmac_sha512_key - Prepared key for HMAC-SHA512 381 * @key: private 382 */ 383 struct hmac_sha512_key { 384 struct __hmac_sha512_key key; 385 }; 386 387 /** 388 * struct hmac_sha512_ctx - Context for computing HMAC-SHA512 of a message 389 * @ctx: private 390 */ 391 struct hmac_sha512_ctx { 392 struct __hmac_sha512_ctx ctx; 393 }; 394 395 /** 396 * hmac_sha512_preparekey() - Prepare a key for HMAC-SHA512 397 * @key: (output) the key structure to initialize 398 * @raw_key: the raw HMAC-SHA512 key 399 * @raw_key_len: the key length in bytes. All key lengths are supported. 400 * 401 * Note: the caller is responsible for zeroizing both the struct hmac_sha512_key 402 * and the raw key once they are no longer needed. 403 * 404 * Context: Any context. 405 */ 406 void hmac_sha512_preparekey(struct hmac_sha512_key *key, 407 const u8 *raw_key, size_t raw_key_len); 408 409 /** 410 * hmac_sha512_init() - Initialize an HMAC-SHA512 context for a new message 411 * @ctx: (output) the HMAC context to initialize 412 * @key: the prepared HMAC key 413 * 414 * If you don't need incremental computation, consider hmac_sha512() instead. 415 * 416 * Context: Any context. 417 */ 418 static inline void hmac_sha512_init(struct hmac_sha512_ctx *ctx, 419 const struct hmac_sha512_key *key) 420 { 421 __hmac_sha512_init(&ctx->ctx, &key->key); 422 } 423 424 /** 425 * hmac_sha512_update() - Update an HMAC-SHA512 context with message data 426 * @ctx: the HMAC context to update; must have been initialized 427 * @data: the message data 428 * @data_len: the data length in bytes 429 * 430 * This can be called any number of times. 431 * 432 * Context: Any context. 433 */ 434 static inline void hmac_sha512_update(struct hmac_sha512_ctx *ctx, 435 const u8 *data, size_t data_len) 436 { 437 __sha512_update(&ctx->ctx.sha_ctx, data, data_len); 438 } 439 440 /** 441 * hmac_sha512_final() - Finish computing an HMAC-SHA512 value 442 * @ctx: the HMAC context to finalize; must have been initialized 443 * @out: (output) the resulting HMAC-SHA512 value 444 * 445 * After finishing, this zeroizes @ctx. So the caller does not need to do it. 446 * 447 * Context: Any context. 448 */ 449 void hmac_sha512_final(struct hmac_sha512_ctx *ctx, u8 out[SHA512_DIGEST_SIZE]); 450 451 /** 452 * hmac_sha512() - Compute HMAC-SHA512 in one shot, using a prepared key 453 * @key: the prepared HMAC key 454 * @data: the message data 455 * @data_len: the data length in bytes 456 * @out: (output) the resulting HMAC-SHA512 value 457 * 458 * If you're using the key only once, consider using hmac_sha512_usingrawkey(). 459 * 460 * Context: Any context. 461 */ 462 void hmac_sha512(const struct hmac_sha512_key *key, 463 const u8 *data, size_t data_len, u8 out[SHA512_DIGEST_SIZE]); 464 465 /** 466 * hmac_sha512_usingrawkey() - Compute HMAC-SHA512 in one shot, using a raw key 467 * @raw_key: the raw HMAC-SHA512 key 468 * @raw_key_len: the key length in bytes. All key lengths are supported. 469 * @data: the message data 470 * @data_len: the data length in bytes 471 * @out: (output) the resulting HMAC-SHA512 value 472 * 473 * If you're using the key multiple times, prefer to use 474 * hmac_sha512_preparekey() followed by multiple calls to hmac_sha512() instead. 475 * 476 * Context: Any context. 477 */ 478 void hmac_sha512_usingrawkey(const u8 *raw_key, size_t raw_key_len, 479 const u8 *data, size_t data_len, 480 u8 out[SHA512_DIGEST_SIZE]); 481 482 #endif /* _CRYPTO_SHA2_H */ 483