xref: /linux/lib/crypto/sha256.c (revision 300a0cfe9f375b2843bcb331bcfa7503475ef5dd)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * SHA-224, SHA-256, HMAC-SHA224, and HMAC-SHA256 library functions
4  *
5  * Copyright (c) Jean-Luc Cooke <jlcooke@certainkey.com>
6  * Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
7  * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
8  * Copyright (c) 2014 Red Hat Inc.
9  * Copyright 2025 Google LLC
10  */
11 
12 #include <crypto/hmac.h>
13 #include <crypto/sha2.h>
14 #include <linux/export.h>
15 #include <linux/kernel.h>
16 #include <linux/module.h>
17 #include <linux/string.h>
18 #include <linux/unaligned.h>
19 #include <linux/wordpart.h>
20 
21 static const struct sha256_block_state sha224_iv = {
22 	.h = {
23 		SHA224_H0, SHA224_H1, SHA224_H2, SHA224_H3,
24 		SHA224_H4, SHA224_H5, SHA224_H6, SHA224_H7,
25 	},
26 };
27 
28 static const struct sha256_block_state sha256_iv = {
29 	.h = {
30 		SHA256_H0, SHA256_H1, SHA256_H2, SHA256_H3,
31 		SHA256_H4, SHA256_H5, SHA256_H6, SHA256_H7,
32 	},
33 };
34 
35 static const u32 sha256_K[64] = {
36 	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
37 	0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
38 	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
39 	0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
40 	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
41 	0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
42 	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
43 	0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
44 	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
45 	0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
46 	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
47 };
48 
49 #define Ch(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
50 #define Maj(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
51 #define e0(x) (ror32((x), 2) ^ ror32((x), 13) ^ ror32((x), 22))
52 #define e1(x) (ror32((x), 6) ^ ror32((x), 11) ^ ror32((x), 25))
53 #define s0(x) (ror32((x), 7) ^ ror32((x), 18) ^ ((x) >> 3))
54 #define s1(x) (ror32((x), 17) ^ ror32((x), 19) ^ ((x) >> 10))
55 
56 static inline void LOAD_OP(int I, u32 *W, const u8 *input)
57 {
58 	W[I] = get_unaligned_be32((__u32 *)input + I);
59 }
60 
61 static inline void BLEND_OP(int I, u32 *W)
62 {
63 	W[I] = s1(W[I - 2]) + W[I - 7] + s0(W[I - 15]) + W[I - 16];
64 }
65 
66 #define SHA256_ROUND(i, a, b, c, d, e, f, g, h)                    \
67 	do {                                                       \
68 		u32 t1, t2;                                        \
69 		t1 = h + e1(e) + Ch(e, f, g) + sha256_K[i] + W[i]; \
70 		t2 = e0(a) + Maj(a, b, c);                         \
71 		d += t1;                                           \
72 		h = t1 + t2;                                       \
73 	} while (0)
74 
75 static void sha256_block_generic(struct sha256_block_state *state,
76 				 const u8 *input, u32 W[64])
77 {
78 	u32 a, b, c, d, e, f, g, h;
79 	int i;
80 
81 	/* load the input */
82 	for (i = 0; i < 16; i += 8) {
83 		LOAD_OP(i + 0, W, input);
84 		LOAD_OP(i + 1, W, input);
85 		LOAD_OP(i + 2, W, input);
86 		LOAD_OP(i + 3, W, input);
87 		LOAD_OP(i + 4, W, input);
88 		LOAD_OP(i + 5, W, input);
89 		LOAD_OP(i + 6, W, input);
90 		LOAD_OP(i + 7, W, input);
91 	}
92 
93 	/* now blend */
94 	for (i = 16; i < 64; i += 8) {
95 		BLEND_OP(i + 0, W);
96 		BLEND_OP(i + 1, W);
97 		BLEND_OP(i + 2, W);
98 		BLEND_OP(i + 3, W);
99 		BLEND_OP(i + 4, W);
100 		BLEND_OP(i + 5, W);
101 		BLEND_OP(i + 6, W);
102 		BLEND_OP(i + 7, W);
103 	}
104 
105 	/* load the state into our registers */
106 	a = state->h[0];
107 	b = state->h[1];
108 	c = state->h[2];
109 	d = state->h[3];
110 	e = state->h[4];
111 	f = state->h[5];
112 	g = state->h[6];
113 	h = state->h[7];
114 
115 	/* now iterate */
116 	for (i = 0; i < 64; i += 8) {
117 		SHA256_ROUND(i + 0, a, b, c, d, e, f, g, h);
118 		SHA256_ROUND(i + 1, h, a, b, c, d, e, f, g);
119 		SHA256_ROUND(i + 2, g, h, a, b, c, d, e, f);
120 		SHA256_ROUND(i + 3, f, g, h, a, b, c, d, e);
121 		SHA256_ROUND(i + 4, e, f, g, h, a, b, c, d);
122 		SHA256_ROUND(i + 5, d, e, f, g, h, a, b, c);
123 		SHA256_ROUND(i + 6, c, d, e, f, g, h, a, b);
124 		SHA256_ROUND(i + 7, b, c, d, e, f, g, h, a);
125 	}
126 
127 	state->h[0] += a;
128 	state->h[1] += b;
129 	state->h[2] += c;
130 	state->h[3] += d;
131 	state->h[4] += e;
132 	state->h[5] += f;
133 	state->h[6] += g;
134 	state->h[7] += h;
135 }
136 
137 static void __maybe_unused
138 sha256_blocks_generic(struct sha256_block_state *state,
139 		      const u8 *data, size_t nblocks)
140 {
141 	u32 W[64];
142 
143 	do {
144 		sha256_block_generic(state, data, W);
145 		data += SHA256_BLOCK_SIZE;
146 	} while (--nblocks);
147 
148 	memzero_explicit(W, sizeof(W));
149 }
150 
151 #if defined(CONFIG_CRYPTO_LIB_SHA256_ARCH) && !defined(__DISABLE_EXPORTS)
152 #include "sha256.h" /* $(SRCARCH)/sha256.h */
153 #else
154 #define sha256_blocks sha256_blocks_generic
155 #endif
156 
157 static void __sha256_init(struct __sha256_ctx *ctx,
158 			  const struct sha256_block_state *iv,
159 			  u64 initial_bytecount)
160 {
161 	ctx->state = *iv;
162 	ctx->bytecount = initial_bytecount;
163 }
164 
165 void sha224_init(struct sha224_ctx *ctx)
166 {
167 	__sha256_init(&ctx->ctx, &sha224_iv, 0);
168 }
169 EXPORT_SYMBOL_GPL(sha224_init);
170 
171 void sha256_init(struct sha256_ctx *ctx)
172 {
173 	__sha256_init(&ctx->ctx, &sha256_iv, 0);
174 }
175 EXPORT_SYMBOL_GPL(sha256_init);
176 
177 void __sha256_update(struct __sha256_ctx *ctx, const u8 *data, size_t len)
178 {
179 	size_t partial = ctx->bytecount % SHA256_BLOCK_SIZE;
180 
181 	ctx->bytecount += len;
182 
183 	if (partial + len >= SHA256_BLOCK_SIZE) {
184 		size_t nblocks;
185 
186 		if (partial) {
187 			size_t l = SHA256_BLOCK_SIZE - partial;
188 
189 			memcpy(&ctx->buf[partial], data, l);
190 			data += l;
191 			len -= l;
192 
193 			sha256_blocks(&ctx->state, ctx->buf, 1);
194 		}
195 
196 		nblocks = len / SHA256_BLOCK_SIZE;
197 		len %= SHA256_BLOCK_SIZE;
198 
199 		if (nblocks) {
200 			sha256_blocks(&ctx->state, data, nblocks);
201 			data += nblocks * SHA256_BLOCK_SIZE;
202 		}
203 		partial = 0;
204 	}
205 	if (len)
206 		memcpy(&ctx->buf[partial], data, len);
207 }
208 EXPORT_SYMBOL(__sha256_update);
209 
210 static void __sha256_final(struct __sha256_ctx *ctx,
211 			   u8 *out, size_t digest_size)
212 {
213 	u64 bitcount = ctx->bytecount << 3;
214 	size_t partial = ctx->bytecount % SHA256_BLOCK_SIZE;
215 
216 	ctx->buf[partial++] = 0x80;
217 	if (partial > SHA256_BLOCK_SIZE - 8) {
218 		memset(&ctx->buf[partial], 0, SHA256_BLOCK_SIZE - partial);
219 		sha256_blocks(&ctx->state, ctx->buf, 1);
220 		partial = 0;
221 	}
222 	memset(&ctx->buf[partial], 0, SHA256_BLOCK_SIZE - 8 - partial);
223 	*(__be64 *)&ctx->buf[SHA256_BLOCK_SIZE - 8] = cpu_to_be64(bitcount);
224 	sha256_blocks(&ctx->state, ctx->buf, 1);
225 
226 	for (size_t i = 0; i < digest_size; i += 4)
227 		put_unaligned_be32(ctx->state.h[i / 4], out + i);
228 }
229 
230 void sha224_final(struct sha224_ctx *ctx, u8 out[SHA224_DIGEST_SIZE])
231 {
232 	__sha256_final(&ctx->ctx, out, SHA224_DIGEST_SIZE);
233 	memzero_explicit(ctx, sizeof(*ctx));
234 }
235 EXPORT_SYMBOL(sha224_final);
236 
237 void sha256_final(struct sha256_ctx *ctx, u8 out[SHA256_DIGEST_SIZE])
238 {
239 	__sha256_final(&ctx->ctx, out, SHA256_DIGEST_SIZE);
240 	memzero_explicit(ctx, sizeof(*ctx));
241 }
242 EXPORT_SYMBOL(sha256_final);
243 
244 void sha224(const u8 *data, size_t len, u8 out[SHA224_DIGEST_SIZE])
245 {
246 	struct sha224_ctx ctx;
247 
248 	sha224_init(&ctx);
249 	sha224_update(&ctx, data, len);
250 	sha224_final(&ctx, out);
251 }
252 EXPORT_SYMBOL(sha224);
253 
254 void sha256(const u8 *data, size_t len, u8 out[SHA256_DIGEST_SIZE])
255 {
256 	struct sha256_ctx ctx;
257 
258 	sha256_init(&ctx);
259 	sha256_update(&ctx, data, len);
260 	sha256_final(&ctx, out);
261 }
262 EXPORT_SYMBOL(sha256);
263 
264 /* pre-boot environment (as indicated by __DISABLE_EXPORTS) doesn't need HMAC */
265 #ifndef __DISABLE_EXPORTS
266 static void __hmac_sha256_preparekey(struct sha256_block_state *istate,
267 				     struct sha256_block_state *ostate,
268 				     const u8 *raw_key, size_t raw_key_len,
269 				     const struct sha256_block_state *iv)
270 {
271 	union {
272 		u8 b[SHA256_BLOCK_SIZE];
273 		unsigned long w[SHA256_BLOCK_SIZE / sizeof(unsigned long)];
274 	} derived_key = { 0 };
275 
276 	if (unlikely(raw_key_len > SHA256_BLOCK_SIZE)) {
277 		if (iv == &sha224_iv)
278 			sha224(raw_key, raw_key_len, derived_key.b);
279 		else
280 			sha256(raw_key, raw_key_len, derived_key.b);
281 	} else {
282 		memcpy(derived_key.b, raw_key, raw_key_len);
283 	}
284 
285 	for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
286 		derived_key.w[i] ^= REPEAT_BYTE(HMAC_IPAD_VALUE);
287 	*istate = *iv;
288 	sha256_blocks(istate, derived_key.b, 1);
289 
290 	for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
291 		derived_key.w[i] ^= REPEAT_BYTE(HMAC_OPAD_VALUE ^
292 						HMAC_IPAD_VALUE);
293 	*ostate = *iv;
294 	sha256_blocks(ostate, derived_key.b, 1);
295 
296 	memzero_explicit(&derived_key, sizeof(derived_key));
297 }
298 
299 void hmac_sha224_preparekey(struct hmac_sha224_key *key,
300 			    const u8 *raw_key, size_t raw_key_len)
301 {
302 	__hmac_sha256_preparekey(&key->key.istate, &key->key.ostate,
303 				 raw_key, raw_key_len, &sha224_iv);
304 }
305 EXPORT_SYMBOL_GPL(hmac_sha224_preparekey);
306 
307 void hmac_sha256_preparekey(struct hmac_sha256_key *key,
308 			    const u8 *raw_key, size_t raw_key_len)
309 {
310 	__hmac_sha256_preparekey(&key->key.istate, &key->key.ostate,
311 				 raw_key, raw_key_len, &sha256_iv);
312 }
313 EXPORT_SYMBOL_GPL(hmac_sha256_preparekey);
314 
315 void __hmac_sha256_init(struct __hmac_sha256_ctx *ctx,
316 			const struct __hmac_sha256_key *key)
317 {
318 	__sha256_init(&ctx->sha_ctx, &key->istate, SHA256_BLOCK_SIZE);
319 	ctx->ostate = key->ostate;
320 }
321 EXPORT_SYMBOL_GPL(__hmac_sha256_init);
322 
323 void hmac_sha224_init_usingrawkey(struct hmac_sha224_ctx *ctx,
324 				  const u8 *raw_key, size_t raw_key_len)
325 {
326 	__hmac_sha256_preparekey(&ctx->ctx.sha_ctx.state, &ctx->ctx.ostate,
327 				 raw_key, raw_key_len, &sha224_iv);
328 	ctx->ctx.sha_ctx.bytecount = SHA256_BLOCK_SIZE;
329 }
330 EXPORT_SYMBOL_GPL(hmac_sha224_init_usingrawkey);
331 
332 void hmac_sha256_init_usingrawkey(struct hmac_sha256_ctx *ctx,
333 				  const u8 *raw_key, size_t raw_key_len)
334 {
335 	__hmac_sha256_preparekey(&ctx->ctx.sha_ctx.state, &ctx->ctx.ostate,
336 				 raw_key, raw_key_len, &sha256_iv);
337 	ctx->ctx.sha_ctx.bytecount = SHA256_BLOCK_SIZE;
338 }
339 EXPORT_SYMBOL_GPL(hmac_sha256_init_usingrawkey);
340 
341 static void __hmac_sha256_final(struct __hmac_sha256_ctx *ctx,
342 				u8 *out, size_t digest_size)
343 {
344 	/* Generate the padded input for the outer hash in ctx->sha_ctx.buf. */
345 	__sha256_final(&ctx->sha_ctx, ctx->sha_ctx.buf, digest_size);
346 	memset(&ctx->sha_ctx.buf[digest_size], 0,
347 	       SHA256_BLOCK_SIZE - digest_size);
348 	ctx->sha_ctx.buf[digest_size] = 0x80;
349 	*(__be32 *)&ctx->sha_ctx.buf[SHA256_BLOCK_SIZE - 4] =
350 		cpu_to_be32(8 * (SHA256_BLOCK_SIZE + digest_size));
351 
352 	/* Compute the outer hash, which gives the HMAC value. */
353 	sha256_blocks(&ctx->ostate, ctx->sha_ctx.buf, 1);
354 	for (size_t i = 0; i < digest_size; i += 4)
355 		put_unaligned_be32(ctx->ostate.h[i / 4], out + i);
356 
357 	memzero_explicit(ctx, sizeof(*ctx));
358 }
359 
360 void hmac_sha224_final(struct hmac_sha224_ctx *ctx,
361 		       u8 out[SHA224_DIGEST_SIZE])
362 {
363 	__hmac_sha256_final(&ctx->ctx, out, SHA224_DIGEST_SIZE);
364 }
365 EXPORT_SYMBOL_GPL(hmac_sha224_final);
366 
367 void hmac_sha256_final(struct hmac_sha256_ctx *ctx,
368 		       u8 out[SHA256_DIGEST_SIZE])
369 {
370 	__hmac_sha256_final(&ctx->ctx, out, SHA256_DIGEST_SIZE);
371 }
372 EXPORT_SYMBOL_GPL(hmac_sha256_final);
373 
374 void hmac_sha224(const struct hmac_sha224_key *key,
375 		 const u8 *data, size_t data_len, u8 out[SHA224_DIGEST_SIZE])
376 {
377 	struct hmac_sha224_ctx ctx;
378 
379 	hmac_sha224_init(&ctx, key);
380 	hmac_sha224_update(&ctx, data, data_len);
381 	hmac_sha224_final(&ctx, out);
382 }
383 EXPORT_SYMBOL_GPL(hmac_sha224);
384 
385 void hmac_sha256(const struct hmac_sha256_key *key,
386 		 const u8 *data, size_t data_len, u8 out[SHA256_DIGEST_SIZE])
387 {
388 	struct hmac_sha256_ctx ctx;
389 
390 	hmac_sha256_init(&ctx, key);
391 	hmac_sha256_update(&ctx, data, data_len);
392 	hmac_sha256_final(&ctx, out);
393 }
394 EXPORT_SYMBOL_GPL(hmac_sha256);
395 
396 void hmac_sha224_usingrawkey(const u8 *raw_key, size_t raw_key_len,
397 			     const u8 *data, size_t data_len,
398 			     u8 out[SHA224_DIGEST_SIZE])
399 {
400 	struct hmac_sha224_ctx ctx;
401 
402 	hmac_sha224_init_usingrawkey(&ctx, raw_key, raw_key_len);
403 	hmac_sha224_update(&ctx, data, data_len);
404 	hmac_sha224_final(&ctx, out);
405 }
406 EXPORT_SYMBOL_GPL(hmac_sha224_usingrawkey);
407 
408 void hmac_sha256_usingrawkey(const u8 *raw_key, size_t raw_key_len,
409 			     const u8 *data, size_t data_len,
410 			     u8 out[SHA256_DIGEST_SIZE])
411 {
412 	struct hmac_sha256_ctx ctx;
413 
414 	hmac_sha256_init_usingrawkey(&ctx, raw_key, raw_key_len);
415 	hmac_sha256_update(&ctx, data, data_len);
416 	hmac_sha256_final(&ctx, out);
417 }
418 EXPORT_SYMBOL_GPL(hmac_sha256_usingrawkey);
419 #endif /* !__DISABLE_EXPORTS */
420 
421 #ifdef sha256_mod_init_arch
422 static int __init sha256_mod_init(void)
423 {
424 	sha256_mod_init_arch();
425 	return 0;
426 }
427 subsys_initcall(sha256_mod_init);
428 
429 static void __exit sha256_mod_exit(void)
430 {
431 }
432 module_exit(sha256_mod_exit);
433 #endif
434 
435 MODULE_DESCRIPTION("SHA-224, SHA-256, HMAC-SHA224, and HMAC-SHA256 library functions");
436 MODULE_LICENSE("GPL");
437