1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Crypto API support for SHA-384, SHA-512, HMAC-SHA384, and HMAC-SHA512
4 *
5 * Copyright (c) Jean-Luc Cooke <jlcooke@certainkey.com>
6 * Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
7 * Copyright (c) 2003 Kyle McMartin <kyle@debian.org>
8 * Copyright 2025 Google LLC
9 */
10 #include <crypto/internal/hash.h>
11 #include <crypto/sha2.h>
12 #include <linux/kernel.h>
13 #include <linux/module.h>
14
15 /*
16 * Export and import functions. crypto_shash wants a particular format that
17 * matches that used by some legacy drivers. It currently is the same as the
18 * library SHA context, except the value in bytecount_lo must be block-aligned
19 * and the remainder must be stored in an extra u8 appended to the struct.
20 */
21
22 #define SHA512_SHASH_STATE_SIZE 209
23 static_assert(offsetof(struct __sha512_ctx, state) == 0);
24 static_assert(offsetof(struct __sha512_ctx, bytecount_lo) == 64);
25 static_assert(offsetof(struct __sha512_ctx, bytecount_hi) == 72);
26 static_assert(offsetof(struct __sha512_ctx, buf) == 80);
27 static_assert(sizeof(struct __sha512_ctx) + 1 == SHA512_SHASH_STATE_SIZE);
28
__crypto_sha512_export(const struct __sha512_ctx * ctx0,void * out)29 static int __crypto_sha512_export(const struct __sha512_ctx *ctx0, void *out)
30 {
31 struct __sha512_ctx ctx = *ctx0;
32 unsigned int partial;
33 u8 *p = out;
34
35 partial = ctx.bytecount_lo % SHA512_BLOCK_SIZE;
36 ctx.bytecount_lo -= partial;
37 memcpy(p, &ctx, sizeof(ctx));
38 p += sizeof(ctx);
39 *p = partial;
40 return 0;
41 }
42
__crypto_sha512_import(struct __sha512_ctx * ctx,const void * in)43 static int __crypto_sha512_import(struct __sha512_ctx *ctx, const void *in)
44 {
45 const u8 *p = in;
46
47 memcpy(ctx, p, sizeof(*ctx));
48 p += sizeof(*ctx);
49 ctx->bytecount_lo += *p;
50 return 0;
51 }
52
53 /* SHA-384 */
54
55 const u8 sha384_zero_message_hash[SHA384_DIGEST_SIZE] = {
56 0x38, 0xb0, 0x60, 0xa7, 0x51, 0xac, 0x96, 0x38,
57 0x4c, 0xd9, 0x32, 0x7e, 0xb1, 0xb1, 0xe3, 0x6a,
58 0x21, 0xfd, 0xb7, 0x11, 0x14, 0xbe, 0x07, 0x43,
59 0x4c, 0x0c, 0xc7, 0xbf, 0x63, 0xf6, 0xe1, 0xda,
60 0x27, 0x4e, 0xde, 0xbf, 0xe7, 0x6f, 0x65, 0xfb,
61 0xd5, 0x1a, 0xd2, 0xf1, 0x48, 0x98, 0xb9, 0x5b
62 };
63 EXPORT_SYMBOL_GPL(sha384_zero_message_hash);
64
65 #define SHA384_CTX(desc) ((struct sha384_ctx *)shash_desc_ctx(desc))
66
crypto_sha384_init(struct shash_desc * desc)67 static int crypto_sha384_init(struct shash_desc *desc)
68 {
69 sha384_init(SHA384_CTX(desc));
70 return 0;
71 }
72
crypto_sha384_update(struct shash_desc * desc,const u8 * data,unsigned int len)73 static int crypto_sha384_update(struct shash_desc *desc,
74 const u8 *data, unsigned int len)
75 {
76 sha384_update(SHA384_CTX(desc), data, len);
77 return 0;
78 }
79
crypto_sha384_final(struct shash_desc * desc,u8 * out)80 static int crypto_sha384_final(struct shash_desc *desc, u8 *out)
81 {
82 sha384_final(SHA384_CTX(desc), out);
83 return 0;
84 }
85
crypto_sha384_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)86 static int crypto_sha384_digest(struct shash_desc *desc,
87 const u8 *data, unsigned int len, u8 *out)
88 {
89 sha384(data, len, out);
90 return 0;
91 }
92
crypto_sha384_export(struct shash_desc * desc,void * out)93 static int crypto_sha384_export(struct shash_desc *desc, void *out)
94 {
95 return __crypto_sha512_export(&SHA384_CTX(desc)->ctx, out);
96 }
97
crypto_sha384_import(struct shash_desc * desc,const void * in)98 static int crypto_sha384_import(struct shash_desc *desc, const void *in)
99 {
100 return __crypto_sha512_import(&SHA384_CTX(desc)->ctx, in);
101 }
102
103 /* SHA-512 */
104
105 const u8 sha512_zero_message_hash[SHA512_DIGEST_SIZE] = {
106 0xcf, 0x83, 0xe1, 0x35, 0x7e, 0xef, 0xb8, 0xbd,
107 0xf1, 0x54, 0x28, 0x50, 0xd6, 0x6d, 0x80, 0x07,
108 0xd6, 0x20, 0xe4, 0x05, 0x0b, 0x57, 0x15, 0xdc,
109 0x83, 0xf4, 0xa9, 0x21, 0xd3, 0x6c, 0xe9, 0xce,
110 0x47, 0xd0, 0xd1, 0x3c, 0x5d, 0x85, 0xf2, 0xb0,
111 0xff, 0x83, 0x18, 0xd2, 0x87, 0x7e, 0xec, 0x2f,
112 0x63, 0xb9, 0x31, 0xbd, 0x47, 0x41, 0x7a, 0x81,
113 0xa5, 0x38, 0x32, 0x7a, 0xf9, 0x27, 0xda, 0x3e
114 };
115 EXPORT_SYMBOL_GPL(sha512_zero_message_hash);
116
117 #define SHA512_CTX(desc) ((struct sha512_ctx *)shash_desc_ctx(desc))
118
crypto_sha512_init(struct shash_desc * desc)119 static int crypto_sha512_init(struct shash_desc *desc)
120 {
121 sha512_init(SHA512_CTX(desc));
122 return 0;
123 }
124
crypto_sha512_update(struct shash_desc * desc,const u8 * data,unsigned int len)125 static int crypto_sha512_update(struct shash_desc *desc,
126 const u8 *data, unsigned int len)
127 {
128 sha512_update(SHA512_CTX(desc), data, len);
129 return 0;
130 }
131
crypto_sha512_final(struct shash_desc * desc,u8 * out)132 static int crypto_sha512_final(struct shash_desc *desc, u8 *out)
133 {
134 sha512_final(SHA512_CTX(desc), out);
135 return 0;
136 }
137
crypto_sha512_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)138 static int crypto_sha512_digest(struct shash_desc *desc,
139 const u8 *data, unsigned int len, u8 *out)
140 {
141 sha512(data, len, out);
142 return 0;
143 }
144
crypto_sha512_export(struct shash_desc * desc,void * out)145 static int crypto_sha512_export(struct shash_desc *desc, void *out)
146 {
147 return __crypto_sha512_export(&SHA512_CTX(desc)->ctx, out);
148 }
149
crypto_sha512_import(struct shash_desc * desc,const void * in)150 static int crypto_sha512_import(struct shash_desc *desc, const void *in)
151 {
152 return __crypto_sha512_import(&SHA512_CTX(desc)->ctx, in);
153 }
154
155 /* HMAC-SHA384 */
156
157 #define HMAC_SHA384_KEY(tfm) ((struct hmac_sha384_key *)crypto_shash_ctx(tfm))
158 #define HMAC_SHA384_CTX(desc) ((struct hmac_sha384_ctx *)shash_desc_ctx(desc))
159
crypto_hmac_sha384_setkey(struct crypto_shash * tfm,const u8 * raw_key,unsigned int keylen)160 static int crypto_hmac_sha384_setkey(struct crypto_shash *tfm,
161 const u8 *raw_key, unsigned int keylen)
162 {
163 hmac_sha384_preparekey(HMAC_SHA384_KEY(tfm), raw_key, keylen);
164 return 0;
165 }
166
crypto_hmac_sha384_init(struct shash_desc * desc)167 static int crypto_hmac_sha384_init(struct shash_desc *desc)
168 {
169 hmac_sha384_init(HMAC_SHA384_CTX(desc), HMAC_SHA384_KEY(desc->tfm));
170 return 0;
171 }
172
crypto_hmac_sha384_update(struct shash_desc * desc,const u8 * data,unsigned int len)173 static int crypto_hmac_sha384_update(struct shash_desc *desc,
174 const u8 *data, unsigned int len)
175 {
176 hmac_sha384_update(HMAC_SHA384_CTX(desc), data, len);
177 return 0;
178 }
179
crypto_hmac_sha384_final(struct shash_desc * desc,u8 * out)180 static int crypto_hmac_sha384_final(struct shash_desc *desc, u8 *out)
181 {
182 hmac_sha384_final(HMAC_SHA384_CTX(desc), out);
183 return 0;
184 }
185
crypto_hmac_sha384_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)186 static int crypto_hmac_sha384_digest(struct shash_desc *desc,
187 const u8 *data, unsigned int len,
188 u8 *out)
189 {
190 hmac_sha384(HMAC_SHA384_KEY(desc->tfm), data, len, out);
191 return 0;
192 }
193
crypto_hmac_sha384_export(struct shash_desc * desc,void * out)194 static int crypto_hmac_sha384_export(struct shash_desc *desc, void *out)
195 {
196 return __crypto_sha512_export(&HMAC_SHA384_CTX(desc)->ctx.sha_ctx, out);
197 }
198
crypto_hmac_sha384_import(struct shash_desc * desc,const void * in)199 static int crypto_hmac_sha384_import(struct shash_desc *desc, const void *in)
200 {
201 struct hmac_sha384_ctx *ctx = HMAC_SHA384_CTX(desc);
202
203 ctx->ctx.ostate = HMAC_SHA384_KEY(desc->tfm)->key.ostate;
204 return __crypto_sha512_import(&ctx->ctx.sha_ctx, in);
205 }
206
207 /* HMAC-SHA512 */
208
209 #define HMAC_SHA512_KEY(tfm) ((struct hmac_sha512_key *)crypto_shash_ctx(tfm))
210 #define HMAC_SHA512_CTX(desc) ((struct hmac_sha512_ctx *)shash_desc_ctx(desc))
211
crypto_hmac_sha512_setkey(struct crypto_shash * tfm,const u8 * raw_key,unsigned int keylen)212 static int crypto_hmac_sha512_setkey(struct crypto_shash *tfm,
213 const u8 *raw_key, unsigned int keylen)
214 {
215 hmac_sha512_preparekey(HMAC_SHA512_KEY(tfm), raw_key, keylen);
216 return 0;
217 }
218
crypto_hmac_sha512_init(struct shash_desc * desc)219 static int crypto_hmac_sha512_init(struct shash_desc *desc)
220 {
221 hmac_sha512_init(HMAC_SHA512_CTX(desc), HMAC_SHA512_KEY(desc->tfm));
222 return 0;
223 }
224
crypto_hmac_sha512_update(struct shash_desc * desc,const u8 * data,unsigned int len)225 static int crypto_hmac_sha512_update(struct shash_desc *desc,
226 const u8 *data, unsigned int len)
227 {
228 hmac_sha512_update(HMAC_SHA512_CTX(desc), data, len);
229 return 0;
230 }
231
crypto_hmac_sha512_final(struct shash_desc * desc,u8 * out)232 static int crypto_hmac_sha512_final(struct shash_desc *desc, u8 *out)
233 {
234 hmac_sha512_final(HMAC_SHA512_CTX(desc), out);
235 return 0;
236 }
237
crypto_hmac_sha512_digest(struct shash_desc * desc,const u8 * data,unsigned int len,u8 * out)238 static int crypto_hmac_sha512_digest(struct shash_desc *desc,
239 const u8 *data, unsigned int len,
240 u8 *out)
241 {
242 hmac_sha512(HMAC_SHA512_KEY(desc->tfm), data, len, out);
243 return 0;
244 }
245
crypto_hmac_sha512_export(struct shash_desc * desc,void * out)246 static int crypto_hmac_sha512_export(struct shash_desc *desc, void *out)
247 {
248 return __crypto_sha512_export(&HMAC_SHA512_CTX(desc)->ctx.sha_ctx, out);
249 }
250
crypto_hmac_sha512_import(struct shash_desc * desc,const void * in)251 static int crypto_hmac_sha512_import(struct shash_desc *desc, const void *in)
252 {
253 struct hmac_sha512_ctx *ctx = HMAC_SHA512_CTX(desc);
254
255 ctx->ctx.ostate = HMAC_SHA512_KEY(desc->tfm)->key.ostate;
256 return __crypto_sha512_import(&ctx->ctx.sha_ctx, in);
257 }
258
259 /* Algorithm definitions */
260
261 static struct shash_alg algs[] = {
262 {
263 .base.cra_name = "sha384",
264 .base.cra_driver_name = "sha384-lib",
265 .base.cra_priority = 300,
266 .base.cra_blocksize = SHA384_BLOCK_SIZE,
267 .base.cra_module = THIS_MODULE,
268 .digestsize = SHA384_DIGEST_SIZE,
269 .init = crypto_sha384_init,
270 .update = crypto_sha384_update,
271 .final = crypto_sha384_final,
272 .digest = crypto_sha384_digest,
273 .export = crypto_sha384_export,
274 .import = crypto_sha384_import,
275 .descsize = sizeof(struct sha384_ctx),
276 .statesize = SHA512_SHASH_STATE_SIZE,
277 },
278 {
279 .base.cra_name = "sha512",
280 .base.cra_driver_name = "sha512-lib",
281 .base.cra_priority = 300,
282 .base.cra_blocksize = SHA512_BLOCK_SIZE,
283 .base.cra_module = THIS_MODULE,
284 .digestsize = SHA512_DIGEST_SIZE,
285 .init = crypto_sha512_init,
286 .update = crypto_sha512_update,
287 .final = crypto_sha512_final,
288 .digest = crypto_sha512_digest,
289 .export = crypto_sha512_export,
290 .import = crypto_sha512_import,
291 .descsize = sizeof(struct sha512_ctx),
292 .statesize = SHA512_SHASH_STATE_SIZE,
293 },
294 {
295 .base.cra_name = "hmac(sha384)",
296 .base.cra_driver_name = "hmac-sha384-lib",
297 .base.cra_priority = 300,
298 .base.cra_blocksize = SHA384_BLOCK_SIZE,
299 .base.cra_ctxsize = sizeof(struct hmac_sha384_key),
300 .base.cra_module = THIS_MODULE,
301 .digestsize = SHA384_DIGEST_SIZE,
302 .setkey = crypto_hmac_sha384_setkey,
303 .init = crypto_hmac_sha384_init,
304 .update = crypto_hmac_sha384_update,
305 .final = crypto_hmac_sha384_final,
306 .digest = crypto_hmac_sha384_digest,
307 .export = crypto_hmac_sha384_export,
308 .import = crypto_hmac_sha384_import,
309 .descsize = sizeof(struct hmac_sha384_ctx),
310 .statesize = SHA512_SHASH_STATE_SIZE,
311 },
312 {
313 .base.cra_name = "hmac(sha512)",
314 .base.cra_driver_name = "hmac-sha512-lib",
315 .base.cra_priority = 300,
316 .base.cra_blocksize = SHA512_BLOCK_SIZE,
317 .base.cra_ctxsize = sizeof(struct hmac_sha512_key),
318 .base.cra_module = THIS_MODULE,
319 .digestsize = SHA512_DIGEST_SIZE,
320 .setkey = crypto_hmac_sha512_setkey,
321 .init = crypto_hmac_sha512_init,
322 .update = crypto_hmac_sha512_update,
323 .final = crypto_hmac_sha512_final,
324 .digest = crypto_hmac_sha512_digest,
325 .export = crypto_hmac_sha512_export,
326 .import = crypto_hmac_sha512_import,
327 .descsize = sizeof(struct hmac_sha512_ctx),
328 .statesize = SHA512_SHASH_STATE_SIZE,
329 },
330 };
331
crypto_sha512_mod_init(void)332 static int __init crypto_sha512_mod_init(void)
333 {
334 return crypto_register_shashes(algs, ARRAY_SIZE(algs));
335 }
336 module_init(crypto_sha512_mod_init);
337
crypto_sha512_mod_exit(void)338 static void __exit crypto_sha512_mod_exit(void)
339 {
340 crypto_unregister_shashes(algs, ARRAY_SIZE(algs));
341 }
342 module_exit(crypto_sha512_mod_exit);
343
344 MODULE_LICENSE("GPL");
345 MODULE_DESCRIPTION("Crypto API support for SHA-384, SHA-512, HMAC-SHA384, and HMAC-SHA512");
346
347 MODULE_ALIAS_CRYPTO("sha384");
348 MODULE_ALIAS_CRYPTO("sha384-lib");
349 MODULE_ALIAS_CRYPTO("sha512");
350 MODULE_ALIAS_CRYPTO("sha512-lib");
351 MODULE_ALIAS_CRYPTO("hmac(sha384)");
352 MODULE_ALIAS_CRYPTO("hmac-sha384-lib");
353 MODULE_ALIAS_CRYPTO("hmac(sha512)");
354 MODULE_ALIAS_CRYPTO("hmac-sha512-lib");
355