1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Cryptographic API.
4  *
5  * RIPEMD-160 - RACE Integrity Primitives Evaluation Message Digest.
6  *
7  * Based on the reference implementation by Antoon Bosselaers, ESAT-COSIC
8  *
9  * Copyright (c) 2008 Adrian-Ken Rueegsegger <ken@codelabs.ch>
10  */
11 #include <crypto/internal/hash.h>
12 #include <linux/kernel.h>
13 #include <linux/module.h>
14 #include <linux/string.h>
15 #include "ripemd.h"
16 
/*
 * Per-request hashing state, stored in the shash descriptor context
 * (the algorithm's descsize is sizeof(struct rmd160_ctx)).
 */
struct rmd160_ctx {
	/* Message bytes absorbed so far; finup encodes it, times 8, as the bit length. */
	u64 byte_count;
	/* Five 32-bit chaining words, seeded from RMD_H0..RMD_H4 by rmd160_init(). */
	u32 state[5];
};
21 
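/*
 * Short local names for the additive round constants declared in "ripemd.h".
 * rmd160_transform() uses K1..K5 in the left lane and KK1..KK5 in the right
 * lane; KK5 is the same constant as K1.
 */
#define K1  RMD_K1
#define K2  RMD_K2
#define K3  RMD_K3
#define K4  RMD_K4
#define K5  RMD_K5
#define KK1 RMD_K6
#define KK2 RMD_K7
#define KK3 RMD_K8
#define KK4 RMD_K9
#define KK5 RMD_K1

/*
 * Bitwise round functions. Every argument is parenthesised so that an
 * expression argument (e.g. "a + b") cannot re-associate with the operators
 * inside the macro. Each argument may be evaluated more than once, so
 * callers must not pass expressions with side effects.
 */
#define F1(x, y, z) ((x) ^ (y) ^ (z))		/* XOR */
#define F2(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))	/* x ? y : z */
#define F3(x, y, z) (((x) | ~(y)) ^ (z))
#define F4(x, y, z) ((y) ^ ((z) & ((x) ^ (y))))	/* z ? x : y */
#define F5(x, y, z) ((x) ^ ((y) | ~(z)))

/*
 * One step of a lane: mix message word x and constant k into a through
 * round function f, rotate a left by s and add e, then rotate c left by 10.
 * x must be an lvalue holding a little-endian 32-bit word (its address is
 * passed to le32_to_cpup()). Wrapped in do { } while (0) so that
 * "ROUND(...);" is a single statement in every context.
 */
#define ROUND(a, b, c, d, e, f, k, x, s)  do { \
	(a) += f((b), (c), (d)) + le32_to_cpup(&(x)) + (k); \
	(a) = rol32((a), (s)) + (e); \
	(c) = rol32((c), 10); \
} while (0)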
44 
/*
 * rmd160_transform - run the compression function over one message block.
 * @state: five 32-bit chaining words, read at entry and updated in place.
 * @in:    sixteen little-endian 32-bit message words (in[0]..in[15] are read).
 *
 * Two independent lanes are both seeded from @state. The left lane applies
 * F1..F5 with K1..K5, the right lane applies F5..F1 with KK1..KK5; each lane
 * runs five rounds of sixteen ROUND steps, and the lanes are then folded back
 * into @state.
 *
 * Every in[] index and rotate count below is a compile-time constant and the
 * body contains no branches, so control flow and message-word indexing do not
 * depend on the data being hashed.
 *
 * NOTE(review): the ten working variables are not explicitly cleared before
 * return; the callers in this file wipe only their own block buffers.
 */
static void rmd160_transform(u32 *state, const __le32 *in)
{
	u32 aa, bb, cc, dd, ee, aaa, bbb, ccc, ddd, eee;

	/* Initialize left lane */
	aa = state[0];
	bb = state[1];
	cc = state[2];
	dd = state[3];
	ee = state[4];

	/* Initialize right lane */
	aaa = state[0];
	bbb = state[1];
	ccc = state[2];
	ddd = state[3];
	eee = state[4];

	/* round 1: left lane */
	ROUND(aa, bb, cc, dd, ee, F1, K1, in[0],  11);
	ROUND(ee, aa, bb, cc, dd, F1, K1, in[1],  14);
	ROUND(dd, ee, aa, bb, cc, F1, K1, in[2],  15);
	ROUND(cc, dd, ee, aa, bb, F1, K1, in[3],  12);
	ROUND(bb, cc, dd, ee, aa, F1, K1, in[4],   5);
	ROUND(aa, bb, cc, dd, ee, F1, K1, in[5],   8);
	ROUND(ee, aa, bb, cc, dd, F1, K1, in[6],   7);
	ROUND(dd, ee, aa, bb, cc, F1, K1, in[7],   9);
	ROUND(cc, dd, ee, aa, bb, F1, K1, in[8],  11);
	ROUND(bb, cc, dd, ee, aa, F1, K1, in[9],  13);
	ROUND(aa, bb, cc, dd, ee, F1, K1, in[10], 14);
	ROUND(ee, aa, bb, cc, dd, F1, K1, in[11], 15);
	ROUND(dd, ee, aa, bb, cc, F1, K1, in[12],  6);
	ROUND(cc, dd, ee, aa, bb, F1, K1, in[13],  7);
	ROUND(bb, cc, dd, ee, aa, F1, K1, in[14],  9);
	ROUND(aa, bb, cc, dd, ee, F1, K1, in[15],  8);

	/* round 2: left lane */
	ROUND(ee, aa, bb, cc, dd, F2, K2, in[7],   7);
	ROUND(dd, ee, aa, bb, cc, F2, K2, in[4],   6);
	ROUND(cc, dd, ee, aa, bb, F2, K2, in[13],  8);
	ROUND(bb, cc, dd, ee, aa, F2, K2, in[1],  13);
	ROUND(aa, bb, cc, dd, ee, F2, K2, in[10], 11);
	ROUND(ee, aa, bb, cc, dd, F2, K2, in[6],   9);
	ROUND(dd, ee, aa, bb, cc, F2, K2, in[15],  7);
	ROUND(cc, dd, ee, aa, bb, F2, K2, in[3],  15);
	ROUND(bb, cc, dd, ee, aa, F2, K2, in[12],  7);
	ROUND(aa, bb, cc, dd, ee, F2, K2, in[0],  12);
	ROUND(ee, aa, bb, cc, dd, F2, K2, in[9],  15);
	ROUND(dd, ee, aa, bb, cc, F2, K2, in[5],   9);
	ROUND(cc, dd, ee, aa, bb, F2, K2, in[2],  11);
	ROUND(bb, cc, dd, ee, aa, F2, K2, in[14],  7);
	ROUND(aa, bb, cc, dd, ee, F2, K2, in[11], 13);
	ROUND(ee, aa, bb, cc, dd, F2, K2, in[8],  12);

	/* round 3: left lane */
	ROUND(dd, ee, aa, bb, cc, F3, K3, in[3],  11);
	ROUND(cc, dd, ee, aa, bb, F3, K3, in[10], 13);
	ROUND(bb, cc, dd, ee, aa, F3, K3, in[14],  6);
	ROUND(aa, bb, cc, dd, ee, F3, K3, in[4],   7);
	ROUND(ee, aa, bb, cc, dd, F3, K3, in[9],  14);
	ROUND(dd, ee, aa, bb, cc, F3, K3, in[15],  9);
	ROUND(cc, dd, ee, aa, bb, F3, K3, in[8],  13);
	ROUND(bb, cc, dd, ee, aa, F3, K3, in[1],  15);
	ROUND(aa, bb, cc, dd, ee, F3, K3, in[2],  14);
	ROUND(ee, aa, bb, cc, dd, F3, K3, in[7],   8);
	ROUND(dd, ee, aa, bb, cc, F3, K3, in[0],  13);
	ROUND(cc, dd, ee, aa, bb, F3, K3, in[6],   6);
	ROUND(bb, cc, dd, ee, aa, F3, K3, in[13],  5);
	ROUND(aa, bb, cc, dd, ee, F3, K3, in[11], 12);
	ROUND(ee, aa, bb, cc, dd, F3, K3, in[5],   7);
	ROUND(dd, ee, aa, bb, cc, F3, K3, in[12],  5);

	/* round 4: left lane */
	ROUND(cc, dd, ee, aa, bb, F4, K4, in[1],  11);
	ROUND(bb, cc, dd, ee, aa, F4, K4, in[9],  12);
	ROUND(aa, bb, cc, dd, ee, F4, K4, in[11], 14);
	ROUND(ee, aa, bb, cc, dd, F4, K4, in[10], 15);
	ROUND(dd, ee, aa, bb, cc, F4, K4, in[0],  14);
	ROUND(cc, dd, ee, aa, bb, F4, K4, in[8],  15);
	ROUND(bb, cc, dd, ee, aa, F4, K4, in[12],  9);
	ROUND(aa, bb, cc, dd, ee, F4, K4, in[4],   8);
	ROUND(ee, aa, bb, cc, dd, F4, K4, in[13],  9);
	ROUND(dd, ee, aa, bb, cc, F4, K4, in[3],  14);
	ROUND(cc, dd, ee, aa, bb, F4, K4, in[7],   5);
	ROUND(bb, cc, dd, ee, aa, F4, K4, in[15],  6);
	ROUND(aa, bb, cc, dd, ee, F4, K4, in[14],  8);
	ROUND(ee, aa, bb, cc, dd, F4, K4, in[5],   6);
	ROUND(dd, ee, aa, bb, cc, F4, K4, in[6],   5);
	ROUND(cc, dd, ee, aa, bb, F4, K4, in[2],  12);

	/* round 5: left lane */
	ROUND(bb, cc, dd, ee, aa, F5, K5, in[4],   9);
	ROUND(aa, bb, cc, dd, ee, F5, K5, in[0],  15);
	ROUND(ee, aa, bb, cc, dd, F5, K5, in[5],   5);
	ROUND(dd, ee, aa, bb, cc, F5, K5, in[9],  11);
	ROUND(cc, dd, ee, aa, bb, F5, K5, in[7],   6);
	ROUND(bb, cc, dd, ee, aa, F5, K5, in[12],  8);
	ROUND(aa, bb, cc, dd, ee, F5, K5, in[2],  13);
	ROUND(ee, aa, bb, cc, dd, F5, K5, in[10], 12);
	ROUND(dd, ee, aa, bb, cc, F5, K5, in[14],  5);
	ROUND(cc, dd, ee, aa, bb, F5, K5, in[1],  12);
	ROUND(bb, cc, dd, ee, aa, F5, K5, in[3],  13);
	ROUND(aa, bb, cc, dd, ee, F5, K5, in[8],  14);
	ROUND(ee, aa, bb, cc, dd, F5, K5, in[11], 11);
	ROUND(dd, ee, aa, bb, cc, F5, K5, in[6],   8);
	ROUND(cc, dd, ee, aa, bb, F5, K5, in[15],  5);
	ROUND(bb, cc, dd, ee, aa, F5, K5, in[13],  6);

	/* round 1: right lane */
	ROUND(aaa, bbb, ccc, ddd, eee, F5, KK1, in[5],   8);
	ROUND(eee, aaa, bbb, ccc, ddd, F5, KK1, in[14],  9);
	ROUND(ddd, eee, aaa, bbb, ccc, F5, KK1, in[7],   9);
	ROUND(ccc, ddd, eee, aaa, bbb, F5, KK1, in[0],  11);
	ROUND(bbb, ccc, ddd, eee, aaa, F5, KK1, in[9],  13);
	ROUND(aaa, bbb, ccc, ddd, eee, F5, KK1, in[2],  15);
	ROUND(eee, aaa, bbb, ccc, ddd, F5, KK1, in[11], 15);
	ROUND(ddd, eee, aaa, bbb, ccc, F5, KK1, in[4],   5);
	ROUND(ccc, ddd, eee, aaa, bbb, F5, KK1, in[13],  7);
	ROUND(bbb, ccc, ddd, eee, aaa, F5, KK1, in[6],   7);
	ROUND(aaa, bbb, ccc, ddd, eee, F5, KK1, in[15],  8);
	ROUND(eee, aaa, bbb, ccc, ddd, F5, KK1, in[8],  11);
	ROUND(ddd, eee, aaa, bbb, ccc, F5, KK1, in[1],  14);
	ROUND(ccc, ddd, eee, aaa, bbb, F5, KK1, in[10], 14);
	ROUND(bbb, ccc, ddd, eee, aaa, F5, KK1, in[3],  12);
	ROUND(aaa, bbb, ccc, ddd, eee, F5, KK1, in[12],  6);

	/* round 2: right lane */
	ROUND(eee, aaa, bbb, ccc, ddd, F4, KK2, in[6],   9);
	ROUND(ddd, eee, aaa, bbb, ccc, F4, KK2, in[11], 13);
	ROUND(ccc, ddd, eee, aaa, bbb, F4, KK2, in[3],  15);
	ROUND(bbb, ccc, ddd, eee, aaa, F4, KK2, in[7],   7);
	ROUND(aaa, bbb, ccc, ddd, eee, F4, KK2, in[0],  12);
	ROUND(eee, aaa, bbb, ccc, ddd, F4, KK2, in[13],  8);
	ROUND(ddd, eee, aaa, bbb, ccc, F4, KK2, in[5],   9);
	ROUND(ccc, ddd, eee, aaa, bbb, F4, KK2, in[10], 11);
	ROUND(bbb, ccc, ddd, eee, aaa, F4, KK2, in[14],  7);
	ROUND(aaa, bbb, ccc, ddd, eee, F4, KK2, in[15],  7);
	ROUND(eee, aaa, bbb, ccc, ddd, F4, KK2, in[8],  12);
	ROUND(ddd, eee, aaa, bbb, ccc, F4, KK2, in[12],  7);
	ROUND(ccc, ddd, eee, aaa, bbb, F4, KK2, in[4],   6);
	ROUND(bbb, ccc, ddd, eee, aaa, F4, KK2, in[9],  15);
	ROUND(aaa, bbb, ccc, ddd, eee, F4, KK2, in[1],  13);
	ROUND(eee, aaa, bbb, ccc, ddd, F4, KK2, in[2],  11);

	/* round 3: right lane */
	ROUND(ddd, eee, aaa, bbb, ccc, F3, KK3, in[15],  9);
	ROUND(ccc, ddd, eee, aaa, bbb, F3, KK3, in[5],   7);
	ROUND(bbb, ccc, ddd, eee, aaa, F3, KK3, in[1],  15);
	ROUND(aaa, bbb, ccc, ddd, eee, F3, KK3, in[3],  11);
	ROUND(eee, aaa, bbb, ccc, ddd, F3, KK3, in[7],   8);
	ROUND(ddd, eee, aaa, bbb, ccc, F3, KK3, in[14],  6);
	ROUND(ccc, ddd, eee, aaa, bbb, F3, KK3, in[6],   6);
	ROUND(bbb, ccc, ddd, eee, aaa, F3, KK3, in[9],  14);
	ROUND(aaa, bbb, ccc, ddd, eee, F3, KK3, in[11], 12);
	ROUND(eee, aaa, bbb, ccc, ddd, F3, KK3, in[8],  13);
	ROUND(ddd, eee, aaa, bbb, ccc, F3, KK3, in[12],  5);
	ROUND(ccc, ddd, eee, aaa, bbb, F3, KK3, in[2],  14);
	ROUND(bbb, ccc, ddd, eee, aaa, F3, KK3, in[10], 13);
	ROUND(aaa, bbb, ccc, ddd, eee, F3, KK3, in[0],  13);
	ROUND(eee, aaa, bbb, ccc, ddd, F3, KK3, in[4],   7);
	ROUND(ddd, eee, aaa, bbb, ccc, F3, KK3, in[13],  5);

	/* round 4: right lane */
	ROUND(ccc, ddd, eee, aaa, bbb, F2, KK4, in[8],  15);
	ROUND(bbb, ccc, ddd, eee, aaa, F2, KK4, in[6],   5);
	ROUND(aaa, bbb, ccc, ddd, eee, F2, KK4, in[4],   8);
	ROUND(eee, aaa, bbb, ccc, ddd, F2, KK4, in[1],  11);
	ROUND(ddd, eee, aaa, bbb, ccc, F2, KK4, in[3],  14);
	ROUND(ccc, ddd, eee, aaa, bbb, F2, KK4, in[11], 14);
	ROUND(bbb, ccc, ddd, eee, aaa, F2, KK4, in[15],  6);
	ROUND(aaa, bbb, ccc, ddd, eee, F2, KK4, in[0],  14);
	ROUND(eee, aaa, bbb, ccc, ddd, F2, KK4, in[5],   6);
	ROUND(ddd, eee, aaa, bbb, ccc, F2, KK4, in[12],  9);
	ROUND(ccc, ddd, eee, aaa, bbb, F2, KK4, in[2],  12);
	ROUND(bbb, ccc, ddd, eee, aaa, F2, KK4, in[13],  9);
	ROUND(aaa, bbb, ccc, ddd, eee, F2, KK4, in[9],  12);
	ROUND(eee, aaa, bbb, ccc, ddd, F2, KK4, in[7],   5);
	ROUND(ddd, eee, aaa, bbb, ccc, F2, KK4, in[10], 15);
	ROUND(ccc, ddd, eee, aaa, bbb, F2, KK4, in[14],  8);

	/* round 5: right lane */
	ROUND(bbb, ccc, ddd, eee, aaa, F1, KK5, in[12],  8);
	ROUND(aaa, bbb, ccc, ddd, eee, F1, KK5, in[15],  5);
	ROUND(eee, aaa, bbb, ccc, ddd, F1, KK5, in[10], 12);
	ROUND(ddd, eee, aaa, bbb, ccc, F1, KK5, in[4],   9);
	ROUND(ccc, ddd, eee, aaa, bbb, F1, KK5, in[1],  12);
	ROUND(bbb, ccc, ddd, eee, aaa, F1, KK5, in[5],   5);
	ROUND(aaa, bbb, ccc, ddd, eee, F1, KK5, in[8],  14);
	ROUND(eee, aaa, bbb, ccc, ddd, F1, KK5, in[7],   6);
	ROUND(ddd, eee, aaa, bbb, ccc, F1, KK5, in[6],   8);
	ROUND(ccc, ddd, eee, aaa, bbb, F1, KK5, in[2],  13);
	ROUND(bbb, ccc, ddd, eee, aaa, F1, KK5, in[13],  6);
	ROUND(aaa, bbb, ccc, ddd, eee, F1, KK5, in[14],  5);
	ROUND(eee, aaa, bbb, ccc, ddd, F1, KK5, in[0],  15);
	ROUND(ddd, eee, aaa, bbb, ccc, F1, KK5, in[3],  13);
	ROUND(ccc, ddd, eee, aaa, bbb, F1, KK5, in[9],  11);
	ROUND(bbb, ccc, ddd, eee, aaa, F1, KK5, in[11], 11);

	/*
	 * combine results: each new state word is a rotated old state word
	 * plus one word from each lane. The value destined for state[0] is
	 * parked in ddd because the old state[0] is still needed for state[4].
	 */
	ddd += cc + state[1];		/* final result for state[0] */
	state[1] = state[2] + dd + eee;
	state[2] = state[3] + ee + aaa;
	state[3] = state[4] + aa + bbb;
	state[4] = state[0] + bb + ccc;
	state[0] = ddd;
}
251 
/*
 * rmd160_init - reset a descriptor to the start-of-message state.
 * @desc: shash descriptor whose context holds a struct rmd160_ctx.
 *
 * Clears the byte counter and loads the five initial chaining values
 * RMD_H0..RMD_H4. Always returns 0.
 */
static int rmd160_init(struct shash_desc *desc)
{
	static const u32 initial_state[5] = {
		RMD_H0, RMD_H1, RMD_H2, RMD_H3, RMD_H4,
	};
	struct rmd160_ctx *ctx = shash_desc_ctx(desc);

	memcpy(ctx->state, initial_state, sizeof(ctx->state));
	ctx->byte_count = 0;

	return 0;
}
266 
/*
 * rmd160_update - absorb whole blocks of message data.
 * @desc: shash descriptor whose context holds a struct rmd160_ctx.
 * @data: input bytes.
 * @len:  number of input bytes.
 *
 * Processes the input one RMD160_BLOCK_SIZE block at a time and returns the
 * number of trailing bytes (len modulo the block size) that were NOT
 * consumed; only the consumed bytes are added to byte_count.
 *
 * The do/while runs the first transform unconditionally, so this function
 * reads a full block from @data even if @len is smaller. It therefore relies
 * on the caller never passing less than one block.
 * NOTE(review): presumably guaranteed by the shash core because the
 * algorithm is registered with CRYPTO_AHASH_ALG_BLOCK_ONLY - confirm before
 * calling this from anywhere else.
 */
static int rmd160_update(struct shash_desc *desc, const u8 *data,
			 unsigned int len)
{
	struct rmd160_ctx *ctx = shash_desc_ctx(desc);
	__le32 words[RMD160_BLOCK_SIZE / 4];
	int tail = len - round_down(len, RMD160_BLOCK_SIZE);

	ctx->byte_count += len - tail;

	do {
		/* Stage the block in a local __le32 array for the transform. */
		memcpy(words, data, sizeof(words));
		data += sizeof(words);
		len -= sizeof(words);
		rmd160_transform(ctx->state, words);
	} while (len >= sizeof(words));

	/* Do not leave message data behind on the stack. */
	memzero_explicit(words, sizeof(words));
	return tail;
}
286 
/*
 * rmd160_finup - absorb the final partial block, pad, and emit the digest.
 * @desc: shash descriptor whose context holds a struct rmd160_ctx.
 * @src:  remaining message bytes.
 * @len:  number of remaining bytes.
 * @out:  receives the five state words as little-endian 32-bit values.
 *
 * The tail is copied into a zeroed scratch area two blocks long, followed by
 * the 0x80 marker byte; the message length in bits is stored as a
 * little-endian 64-bit value in the last 8 bytes of the first block, or of
 * the second block when the tail is too long to leave room for it.
 *
 * Nothing here bounds @len: the copy and the marker write stay inside the
 * scratch area only while @len is smaller than its size.
 * NOTE(review): presumably the shash core passes len < RMD160_BLOCK_SIZE for
 * a CRYPTO_AHASH_ALG_BLOCK_ONLY algorithm - confirm.
 * NOTE(review): @out is written through a __le32 pointer; assumes the caller
 * supplies a suitably aligned buffer - confirm.
 *
 * Always returns 0.
 */
static int rmd160_finup(struct shash_desc *desc, const u8 *src,
			unsigned int len, u8 *out)
{
	struct rmd160_ctx *ctx = shash_desc_ctx(desc);
	/* Index, in 64-bit words, of the length field: last word of block one. */
	unsigned int len_idx = RMD160_BLOCK_SIZE / 8 - 1;
	union {
		__le64 l64[RMD160_BLOCK_SIZE / 4];
		__le32 l32[RMD160_BLOCK_SIZE / 2];
		u8 u8[RMD160_BLOCK_SIZE * 2];
	} pad = {};
	__le32 *digest = (__le32 *)out;
	u32 word;

	ctx->byte_count += len;

	/* Tail reaches into the length field: move it to the second block. */
	if (len >= len_idx * 8)
		len_idx += RMD160_BLOCK_SIZE / 8;

	memcpy(&pad, src, len);
	pad.u8[len] = 0x80;
	pad.l64[len_idx] = cpu_to_le64(ctx->byte_count << 3);

	rmd160_transform(ctx->state, pad.l32);
	if (len_idx > RMD160_BLOCK_SIZE / 8)
		rmd160_transform(ctx->state,
				 pad.l32 + RMD160_BLOCK_SIZE / 4);

	/* The scratch area held message bytes; wipe it before returning. */
	memzero_explicit(&pad, sizeof(pad));

	/* Store state in digest */
	for (word = 0; word < 5; word++)
		digest[word] = cpu_to_le32p(&ctx->state[word]);

	return 0;
}
319 
/*
 * Synchronous-hash algorithm descriptor registered by rmd160_mod_init().
 * It wires the init/update/finup callbacks defined in this file to the
 * algorithm name "rmd160" and sizes the per-request context.
 */
static struct shash_alg alg = {
	.digestsize	=	RMD160_DIGEST_SIZE,
	.init		=	rmd160_init,
	.update		=	rmd160_update,
	.finup		=	rmd160_finup,
	/* Per-descriptor context: byte counter plus five state words. */
	.descsize	=	sizeof(struct rmd160_ctx),
	.base		=	{
		.cra_name	 =	"rmd160",
		.cra_driver_name =	"rmd160-generic",
		/*
		 * NOTE(review): rmd160_update() and rmd160_finup() are written
		 * against this flag - update consumes only whole blocks and
		 * returns the leftover count, finup receives the tail.
		 * Presumably the core buffers partial blocks; confirm before
		 * changing it.
		 */
		.cra_flags	 =	CRYPTO_AHASH_ALG_BLOCK_ONLY,
		.cra_blocksize	 =	RMD160_BLOCK_SIZE,
		.cra_module	 =	THIS_MODULE,
	}
};
334 
/*
 * Module load hook: register the RIPEMD-160 descriptor with the crypto API
 * and hand the result of crypto_register_shash() back to the module loader.
 */
static int __init rmd160_mod_init(void)
{
	int err = crypto_register_shash(&alg);

	return err;
}
339 
/* Module unload hook: withdraw the descriptor registered by rmd160_mod_init(). */
static void __exit rmd160_mod_fini(void)
{
	crypto_unregister_shash(&alg);
}
344 
/* Hook the register/unregister functions into module load and unload. */
module_init(rmd160_mod_init);
module_exit(rmd160_mod_fini);

/* Module metadata. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Adrian-Ken Rueegsegger <ken@codelabs.ch>");
MODULE_DESCRIPTION("RIPEMD-160 Message Digest");
/* Crypto alias for the algorithm name "rmd160" (matches .cra_name). */
MODULE_ALIAS_CRYPTO("rmd160");
352