sha3_generic.c source code [Linux/crypto/sha3_generic.c]

1	// SPDX-License-Identifier: GPL-2.0-or-later
2	/*
3	* Cryptographic API.
4	*
5	* SHA-3, as specified in
6	* https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
7	*
8	* SHA-3 code by Jeff Garzik <jeff@garzik.org>
9	* Ard Biesheuvel <ard.biesheuvel@linaro.org>
10	*/
11	#include <crypto/internal/hash.h>
12	#include <crypto/sha3.h>
13	#include <linux/kernel.h>
14	#include <linux/module.h>
15	#include <linux/string.h>
16	#include <linux/unaligned.h>
17
18	/*
19	* On some 32-bit architectures (h8300), GCC ends up using
20	* over 1 KB of stack if we inline the round calculation into the loop
21	* in keccakf(). On the other hand, on 64-bit architectures with plenty
22	* of [64-bit wide] general purpose registers, not inlining it severely
23	* hurts performance. So let's use 64-bitness as a heuristic to decide
24	* whether to inline or not.
25	*/
26	#ifdef CONFIG_64BIT
27	#define SHA3_INLINE inline
28	#else
29	#define SHA3_INLINE noinline
30	#endif
31
32	#define KECCAK_ROUNDS 24
33
34	static const u64 keccakf_rndc[`24`] = {
35	`0x0000000000000001ULL`, `0x0000000000008082ULL`, `0x800000000000808aULL`,
36	`0x8000000080008000ULL`, `0x000000000000808bULL`, `0x0000000080000001ULL`,
37	`0x8000000080008081ULL`, `0x8000000000008009ULL`, `0x000000000000008aULL`,
38	`0x0000000000000088ULL`, `0x0000000080008009ULL`, `0x000000008000000aULL`,
39	`0x000000008000808bULL`, `0x800000000000008bULL`, `0x8000000000008089ULL`,
40	`0x8000000000008003ULL`, `0x8000000000008002ULL`, `0x8000000000000080ULL`,
41	`0x000000000000800aULL`, `0x800000008000000aULL`, `0x8000000080008081ULL`,
42	`0x8000000000008080ULL`, `0x0000000080000001ULL`, `0x8000000080008008ULL`
43	};
44
45	/ update the state with given number of rounds /
46
47	static SHA3_INLINE void keccakf_round(u64 st[`25`])
48	{
49	u64 t[`5`], tt, bc[`5`];
50
51	/ Theta /
52	bc[`0`] = st[`0`] ^ st[`5`] ^ st[`10`] ^ st[`15`] ^ st[`20`];
53	bc[`1`] = st[`1`] ^ st[`6`] ^ st[`11`] ^ st[`16`] ^ st[`21`];
54	bc[`2`] = st[`2`] ^ st[`7`] ^ st[`12`] ^ st[`17`] ^ st[`22`];
55	bc[`3`] = st[`3`] ^ st[`8`] ^ st[`13`] ^ st[`18`] ^ st[`23`];
56	bc[`4`] = st[`4`] ^ st[`9`] ^ st[`14`] ^ st[`19`] ^ st[`24`];
57
58	t[`0`] = bc[`4`] ^ rol64(word: bc[`1`], shift: `1`);
59	t[`1`] = bc[`0`] ^ rol64(word: bc[`2`], shift: `1`);
60	t[`2`] = bc[`1`] ^ rol64(word: bc[`3`], shift: `1`);
61	t[`3`] = bc[`2`] ^ rol64(word: bc[`4`], shift: `1`);
62	t[`4`] = bc[`3`] ^ rol64(word: bc[`0`], shift: `1`);
63
64	st[`0`] ^= t[`0`];
65
66	/ Rho Pi /
67	tt = st[`1`];
68	st[ `1`] = rol64(word: st[ `6`] ^ t[`1`], shift: `44`);
69	st[ `6`] = rol64(word: st[ `9`] ^ t[`4`], shift: `20`);
70	st[ `9`] = rol64(word: st[`22`] ^ t[`2`], shift: `61`);
71	st[`22`] = rol64(word: st[`14`] ^ t[`4`], shift: `39`);
72	st[`14`] = rol64(word: st[`20`] ^ t[`0`], shift: `18`);
73	st[`20`] = rol64(word: st[ `2`] ^ t[`2`], shift: `62`);
74	st[ `2`] = rol64(word: st[`12`] ^ t[`2`], shift: `43`);
75	st[`12`] = rol64(word: st[`13`] ^ t[`3`], shift: `25`);
76	st[`13`] = rol64(word: st[`19`] ^ t[`4`], shift: `8`);
77	st[`19`] = rol64(word: st[`23`] ^ t[`3`], shift: `56`);
78	st[`23`] = rol64(word: st[`15`] ^ t[`0`], shift: `41`);
79	st[`15`] = rol64(word: st[ `4`] ^ t[`4`], shift: `27`);
80	st[ `4`] = rol64(word: st[`24`] ^ t[`4`], shift: `14`);
81	st[`24`] = rol64(word: st[`21`] ^ t[`1`], shift: `2`);
82	st[`21`] = rol64(word: st[ `8`] ^ t[`3`], shift: `55`);
83	st[ `8`] = rol64(word: st[`16`] ^ t[`1`], shift: `45`);
84	st[`16`] = rol64(word: st[ `5`] ^ t[`0`], shift: `36`);
85	st[ `5`] = rol64(word: st[ `3`] ^ t[`3`], shift: `28`);
86	st[ `3`] = rol64(word: st[`18`] ^ t[`3`], shift: `21`);
87	st[`18`] = rol64(word: st[`17`] ^ t[`2`], shift: `15`);
88	st[`17`] = rol64(word: st[`11`] ^ t[`1`], shift: `10`);
89	st[`11`] = rol64(word: st[ `7`] ^ t[`2`], shift: `6`);
90	st[ `7`] = rol64(word: st[`10`] ^ t[`0`], shift: `3`);
91	st[`10`] = rol64( word: tt ^ t[`1`], shift: `1`);
92
93	/ Chi /
94	bc[ `0`] = ~st[ `1`] & st[ `2`];
95	bc[ `1`] = ~st[ `2`] & st[ `3`];
96	bc[ `2`] = ~st[ `3`] & st[ `4`];
97	bc[ `3`] = ~st[ `4`] & st[ `0`];
98	bc[ `4`] = ~st[ `0`] & st[ `1`];
99	st[ `0`] ^= bc[ `0`];
100	st[ `1`] ^= bc[ `1`];
101	st[ `2`] ^= bc[ `2`];
102	st[ `3`] ^= bc[ `3`];
103	st[ `4`] ^= bc[ `4`];
104
105	bc[ `0`] = ~st[ `6`] & st[ `7`];
106	bc[ `1`] = ~st[ `7`] & st[ `8`];
107	bc[ `2`] = ~st[ `8`] & st[ `9`];
108	bc[ `3`] = ~st[ `9`] & st[ `5`];
109	bc[ `4`] = ~st[ `5`] & st[ `6`];
110	st[ `5`] ^= bc[ `0`];
111	st[ `6`] ^= bc[ `1`];
112	st[ `7`] ^= bc[ `2`];
113	st[ `8`] ^= bc[ `3`];
114	st[ `9`] ^= bc[ `4`];
115
116	bc[ `0`] = ~st[`11`] & st[`12`];
117	bc[ `1`] = ~st[`12`] & st[`13`];
118	bc[ `2`] = ~st[`13`] & st[`14`];
119	bc[ `3`] = ~st[`14`] & st[`10`];
120	bc[ `4`] = ~st[`10`] & st[`11`];
121	st[`10`] ^= bc[ `0`];
122	st[`11`] ^= bc[ `1`];
123	st[`12`] ^= bc[ `2`];
124	st[`13`] ^= bc[ `3`];
125	st[`14`] ^= bc[ `4`];
126
127	bc[ `0`] = ~st[`16`] & st[`17`];
128	bc[ `1`] = ~st[`17`] & st[`18`];
129	bc[ `2`] = ~st[`18`] & st[`19`];
130	bc[ `3`] = ~st[`19`] & st[`15`];
131	bc[ `4`] = ~st[`15`] & st[`16`];
132	st[`15`] ^= bc[ `0`];
133	st[`16`] ^= bc[ `1`];
134	st[`17`] ^= bc[ `2`];
135	st[`18`] ^= bc[ `3`];
136	st[`19`] ^= bc[ `4`];
137
138	bc[ `0`] = ~st[`21`] & st[`22`];
139	bc[ `1`] = ~st[`22`] & st[`23`];
140	bc[ `2`] = ~st[`23`] & st[`24`];
141	bc[ `3`] = ~st[`24`] & st[`20`];
142	bc[ `4`] = ~st[`20`] & st[`21`];
143	st[`20`] ^= bc[ `0`];
144	st[`21`] ^= bc[ `1`];
145	st[`22`] ^= bc[ `2`];
146	st[`23`] ^= bc[ `3`];
147	st[`24`] ^= bc[ `4`];
148	}
149
150	static void keccakf(u64 st[`25`])
151	{
152	int round;
153
154	for (round = `0`; round < KECCAK_ROUNDS; round++) {
155	keccakf_round(st);
156	/ Iota /
157	st[`0`] ^= keccakf_rndc[round];
158	}
159	}
160
161	int crypto_sha3_init(struct shash_desc *desc)
162	{
163	struct sha3_state *sctx = shash_desc_ctx(desc);
164
165	memset(s: sctx->st, c: `0`, n: sizeof(sctx->st));
166	return `0`;
167	}
168	EXPORT_SYMBOL(crypto_sha3_init);
169
170	static int crypto_sha3_update(struct shash_desc desc, const* u8 *data,
171	unsigned int len)
172	{
173	unsigned int rsiz = crypto_shash_blocksize(tfm: desc->tfm);
174	struct sha3_state *sctx = shash_desc_ctx(desc);
175	unsigned int rsizw = rsiz / `8`;
176
177	do {
178	int i;
179
180	for (i = `0`; i < rsizw; i++)
181	sctx->st[i] ^= get_unaligned_le64(p: data + `8` * i);
182	keccakf(st: sctx->st);
183
184	data += rsiz;
185	len -= rsiz;
186	} while (len >= rsiz);
187	return len;
188	}
189
190	static int crypto_sha3_finup(struct shash_desc desc, const* u8 *src,
191	unsigned int len, u8 *out)
192	{
193	unsigned int digest_size = crypto_shash_digestsize(tfm: desc->tfm);
194	unsigned int rsiz = crypto_shash_blocksize(tfm: desc->tfm);
195	struct sha3_state *sctx = shash_desc_ctx(desc);
196	__le64 block[SHA3_224_BLOCK_SIZE / `8`] = {};
197	__le64 digest = (__le64 )out;
198	unsigned int rsizw = rsiz / `8`;
199	u8 *p;
200	int i;
201
202	p = memcpy(to: block, from: src, len);
203	p[len++] = `0x06`;
204	p[rsiz - `1`] \|= `0x80`;
205
206	for (i = `0`; i < rsizw; i++)
207	sctx->st[i] ^= le64_to_cpu(block[i]);
208	memzero_explicit(s: block, count: sizeof(block));
209
210	keccakf(st: sctx->st);
211
212	for (i = `0`; i < digest_size / `8`; i++)
213	put_unaligned_le64(val: sctx->st[i], p: digest++);
214
215	if (digest_size & `4`)
216	put_unaligned_le32(val: sctx->st[i], p: (__le32 *)digest);
217
218	return `0`;
219	}
220
221	static struct shash_alg algs[] = { {
222	.digestsize = SHA3_224_DIGEST_SIZE,
223	.init = crypto_sha3_init,
224	.update = crypto_sha3_update,
225	.finup = crypto_sha3_finup,
226	.descsize = SHA3_STATE_SIZE,
227	.base.cra_name = "sha3-224",
228	.base.cra_driver_name = "sha3-224-generic",
229	.base.cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY,
230	.base.cra_blocksize = SHA3_224_BLOCK_SIZE,
231	.base.cra_module = THIS_MODULE,
232	}, {
233	.digestsize = SHA3_256_DIGEST_SIZE,
234	.init = crypto_sha3_init,
235	.update = crypto_sha3_update,
236	.finup = crypto_sha3_finup,
237	.descsize = SHA3_STATE_SIZE,
238	.base.cra_name = "sha3-256",
239	.base.cra_driver_name = "sha3-256-generic",
240	.base.cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY,
241	.base.cra_blocksize = SHA3_256_BLOCK_SIZE,
242	.base.cra_module = THIS_MODULE,
243	}, {
244	.digestsize = SHA3_384_DIGEST_SIZE,
245	.init = crypto_sha3_init,
246	.update = crypto_sha3_update,
247	.finup = crypto_sha3_finup,
248	.descsize = SHA3_STATE_SIZE,
249	.base.cra_name = "sha3-384",
250	.base.cra_driver_name = "sha3-384-generic",
251	.base.cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY,
252	.base.cra_blocksize = SHA3_384_BLOCK_SIZE,
253	.base.cra_module = THIS_MODULE,
254	}, {
255	.digestsize = SHA3_512_DIGEST_SIZE,
256	.init = crypto_sha3_init,
257	.update = crypto_sha3_update,
258	.finup = crypto_sha3_finup,
259	.descsize = SHA3_STATE_SIZE,
260	.base.cra_name = "sha3-512",
261	.base.cra_driver_name = "sha3-512-generic",
262	.base.cra_flags = CRYPTO_AHASH_ALG_BLOCK_ONLY,
263	.base.cra_blocksize = SHA3_512_BLOCK_SIZE,
264	.base.cra_module = THIS_MODULE,
265	} };
266
267	static int __init sha3_generic_mod_init(void)
268	{
269	return crypto_register_shashes(algs, ARRAY_SIZE(algs));
270	}
271
272	static void __exit sha3_generic_mod_fini(void)
273	{
274	crypto_unregister_shashes(algs, ARRAY_SIZE(algs));
275	}
276
277	module_init(sha3_generic_mod_init);
278	module_exit(sha3_generic_mod_fini);
279
280	MODULE_LICENSE("GPL");
281	MODULE_DESCRIPTION("SHA-3 Secure Hash Algorithm");
282
283	MODULE_ALIAS_CRYPTO("sha3-224");
284	MODULE_ALIAS_CRYPTO("sha3-224-generic");
285	MODULE_ALIAS_CRYPTO("sha3-256");
286	MODULE_ALIAS_CRYPTO("sha3-256-generic");
287	MODULE_ALIAS_CRYPTO("sha3-384");
288	MODULE_ALIAS_CRYPTO("sha3-384-generic");
289	MODULE_ALIAS_CRYPTO("sha3-512");
290	MODULE_ALIAS_CRYPTO("sha3-512-generic");
291

Browse the source code of Linux/crypto/sha3_generic.c