1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * SHA-224, SHA-256, HMAC-SHA224, and HMAC-SHA256 library functions
4 *
5 * Copyright (c) Jean-Luc Cooke <jlcooke@certainkey.com>
6 * Copyright (c) Andrew McDonald <andrew@mcdonald.org.uk>
7 * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
8 * Copyright (c) 2014 Red Hat Inc.
9 * Copyright 2025 Google LLC
10 */
11
12#include <crypto/hmac.h>
13#include <crypto/sha2.h>
14#include <linux/export.h>
15#include <linux/kernel.h>
16#include <linux/module.h>
17#include <linux/string.h>
18#include <linux/unaligned.h>
19#include <linux/wordpart.h>
20
21static const struct sha256_block_state sha224_iv = {
22 .h = {
23 SHA224_H0, SHA224_H1, SHA224_H2, SHA224_H3,
24 SHA224_H4, SHA224_H5, SHA224_H6, SHA224_H7,
25 },
26};
27
28static const struct sha256_ctx initial_sha256_ctx = {
29 .ctx = {
30 .state = {
31 .h = {
32 SHA256_H0, SHA256_H1, SHA256_H2, SHA256_H3,
33 SHA256_H4, SHA256_H5, SHA256_H6, SHA256_H7,
34 },
35 },
36 .bytecount = 0,
37 },
38};
39
40#define sha256_iv (initial_sha256_ctx.ctx.state)
41
42static const u32 sha256_K[64] = {
43 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
44 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
45 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
46 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
47 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
48 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
49 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
50 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
51 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
52 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
53 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
54};
55
56#define Ch(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
57#define Maj(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
58#define e0(x) (ror32((x), 2) ^ ror32((x), 13) ^ ror32((x), 22))
59#define e1(x) (ror32((x), 6) ^ ror32((x), 11) ^ ror32((x), 25))
60#define s0(x) (ror32((x), 7) ^ ror32((x), 18) ^ ((x) >> 3))
61#define s1(x) (ror32((x), 17) ^ ror32((x), 19) ^ ((x) >> 10))
62
63static inline void LOAD_OP(int I, u32 *W, const u8 *input)
64{
65 W[I] = get_unaligned_be32(p: (__u32 *)input + I);
66}
67
68static inline void BLEND_OP(int I, u32 *W)
69{
70 W[I] = s1(W[I - 2]) + W[I - 7] + s0(W[I - 15]) + W[I - 16];
71}
72
73#define SHA256_ROUND(i, a, b, c, d, e, f, g, h) \
74 do { \
75 u32 t1, t2; \
76 t1 = h + e1(e) + Ch(e, f, g) + sha256_K[i] + W[i]; \
77 t2 = e0(a) + Maj(a, b, c); \
78 d += t1; \
79 h = t1 + t2; \
80 } while (0)
81
82static void sha256_block_generic(struct sha256_block_state *state,
83 const u8 *input, u32 W[64])
84{
85 u32 a, b, c, d, e, f, g, h;
86 int i;
87
88 /* load the input */
89 for (i = 0; i < 16; i += 8) {
90 LOAD_OP(I: i + 0, W, input);
91 LOAD_OP(I: i + 1, W, input);
92 LOAD_OP(I: i + 2, W, input);
93 LOAD_OP(I: i + 3, W, input);
94 LOAD_OP(I: i + 4, W, input);
95 LOAD_OP(I: i + 5, W, input);
96 LOAD_OP(I: i + 6, W, input);
97 LOAD_OP(I: i + 7, W, input);
98 }
99
100 /* now blend */
101 for (i = 16; i < 64; i += 8) {
102 BLEND_OP(I: i + 0, W);
103 BLEND_OP(I: i + 1, W);
104 BLEND_OP(I: i + 2, W);
105 BLEND_OP(I: i + 3, W);
106 BLEND_OP(I: i + 4, W);
107 BLEND_OP(I: i + 5, W);
108 BLEND_OP(I: i + 6, W);
109 BLEND_OP(I: i + 7, W);
110 }
111
112 /* load the state into our registers */
113 a = state->h[0];
114 b = state->h[1];
115 c = state->h[2];
116 d = state->h[3];
117 e = state->h[4];
118 f = state->h[5];
119 g = state->h[6];
120 h = state->h[7];
121
122 /* now iterate */
123 for (i = 0; i < 64; i += 8) {
124 SHA256_ROUND(i + 0, a, b, c, d, e, f, g, h);
125 SHA256_ROUND(i + 1, h, a, b, c, d, e, f, g);
126 SHA256_ROUND(i + 2, g, h, a, b, c, d, e, f);
127 SHA256_ROUND(i + 3, f, g, h, a, b, c, d, e);
128 SHA256_ROUND(i + 4, e, f, g, h, a, b, c, d);
129 SHA256_ROUND(i + 5, d, e, f, g, h, a, b, c);
130 SHA256_ROUND(i + 6, c, d, e, f, g, h, a, b);
131 SHA256_ROUND(i + 7, b, c, d, e, f, g, h, a);
132 }
133
134 state->h[0] += a;
135 state->h[1] += b;
136 state->h[2] += c;
137 state->h[3] += d;
138 state->h[4] += e;
139 state->h[5] += f;
140 state->h[6] += g;
141 state->h[7] += h;
142}
143
144static void __maybe_unused
145sha256_blocks_generic(struct sha256_block_state *state,
146 const u8 *data, size_t nblocks)
147{
148 u32 W[64];
149
150 do {
151 sha256_block_generic(state, input: data, W);
152 data += SHA256_BLOCK_SIZE;
153 } while (--nblocks);
154
155 memzero_explicit(s: W, count: sizeof(W));
156}
157
158#if defined(CONFIG_CRYPTO_LIB_SHA256_ARCH) && !defined(__DISABLE_EXPORTS)
159#include "sha256.h" /* $(SRCARCH)/sha256.h */
160#else
161#define sha256_blocks sha256_blocks_generic
162#endif
163
164static void __sha256_init(struct __sha256_ctx *ctx,
165 const struct sha256_block_state *iv,
166 u64 initial_bytecount)
167{
168 ctx->state = *iv;
169 ctx->bytecount = initial_bytecount;
170}
171
172void sha224_init(struct sha224_ctx *ctx)
173{
174 __sha256_init(ctx: &ctx->ctx, iv: &sha224_iv, initial_bytecount: 0);
175}
176EXPORT_SYMBOL_GPL(sha224_init);
177
178void sha256_init(struct sha256_ctx *ctx)
179{
180 __sha256_init(ctx: &ctx->ctx, iv: &sha256_iv, initial_bytecount: 0);
181}
182EXPORT_SYMBOL_GPL(sha256_init);
183
184void __sha256_update(struct __sha256_ctx *ctx, const u8 *data, size_t len)
185{
186 size_t partial = ctx->bytecount % SHA256_BLOCK_SIZE;
187
188 ctx->bytecount += len;
189
190 if (partial + len >= SHA256_BLOCK_SIZE) {
191 size_t nblocks;
192
193 if (partial) {
194 size_t l = SHA256_BLOCK_SIZE - partial;
195
196 memcpy(to: &ctx->buf[partial], from: data, len: l);
197 data += l;
198 len -= l;
199
200 sha256_blocks(state: &ctx->state, data: ctx->buf, nblocks: 1);
201 }
202
203 nblocks = len / SHA256_BLOCK_SIZE;
204 len %= SHA256_BLOCK_SIZE;
205
206 if (nblocks) {
207 sha256_blocks(state: &ctx->state, data, nblocks);
208 data += nblocks * SHA256_BLOCK_SIZE;
209 }
210 partial = 0;
211 }
212 if (len)
213 memcpy(to: &ctx->buf[partial], from: data, len);
214}
215EXPORT_SYMBOL(__sha256_update);
216
217static void __sha256_final(struct __sha256_ctx *ctx,
218 u8 *out, size_t digest_size)
219{
220 u64 bitcount = ctx->bytecount << 3;
221 size_t partial = ctx->bytecount % SHA256_BLOCK_SIZE;
222
223 ctx->buf[partial++] = 0x80;
224 if (partial > SHA256_BLOCK_SIZE - 8) {
225 memset(s: &ctx->buf[partial], c: 0, SHA256_BLOCK_SIZE - partial);
226 sha256_blocks(state: &ctx->state, data: ctx->buf, nblocks: 1);
227 partial = 0;
228 }
229 memset(s: &ctx->buf[partial], c: 0, SHA256_BLOCK_SIZE - 8 - partial);
230 *(__be64 *)&ctx->buf[SHA256_BLOCK_SIZE - 8] = cpu_to_be64(bitcount);
231 sha256_blocks(state: &ctx->state, data: ctx->buf, nblocks: 1);
232
233 for (size_t i = 0; i < digest_size; i += 4)
234 put_unaligned_be32(val: ctx->state.h[i / 4], p: out + i);
235}
236
237void sha224_final(struct sha224_ctx *ctx, u8 out[SHA224_DIGEST_SIZE])
238{
239 __sha256_final(ctx: &ctx->ctx, out, SHA224_DIGEST_SIZE);
240 memzero_explicit(s: ctx, count: sizeof(*ctx));
241}
242EXPORT_SYMBOL(sha224_final);
243
244void sha256_final(struct sha256_ctx *ctx, u8 out[SHA256_DIGEST_SIZE])
245{
246 __sha256_final(ctx: &ctx->ctx, out, SHA256_DIGEST_SIZE);
247 memzero_explicit(s: ctx, count: sizeof(*ctx));
248}
249EXPORT_SYMBOL(sha256_final);
250
251void sha224(const u8 *data, size_t len, u8 out[SHA224_DIGEST_SIZE])
252{
253 struct sha224_ctx ctx;
254
255 sha224_init(&ctx);
256 sha224_update(ctx: &ctx, data, len);
257 sha224_final(&ctx, out);
258}
259EXPORT_SYMBOL(sha224);
260
261void sha256(const u8 *data, size_t len, u8 out[SHA256_DIGEST_SIZE])
262{
263 struct sha256_ctx ctx;
264
265 sha256_init(&ctx);
266 sha256_update(ctx: &ctx, data, len);
267 sha256_final(&ctx, out);
268}
269EXPORT_SYMBOL(sha256);
270
271/*
272 * Pre-boot environment (as indicated by __DISABLE_EXPORTS being defined)
273 * doesn't need either HMAC support or interleaved hashing support
274 */
275#ifndef __DISABLE_EXPORTS
276
277#ifndef sha256_finup_2x_arch
278static bool sha256_finup_2x_arch(const struct __sha256_ctx *ctx,
279 const u8 *data1, const u8 *data2, size_t len,
280 u8 out1[SHA256_DIGEST_SIZE],
281 u8 out2[SHA256_DIGEST_SIZE])
282{
283 return false;
284}
285static bool sha256_finup_2x_is_optimized_arch(void)
286{
287 return false;
288}
289#endif
290
291/* Sequential fallback implementation of sha256_finup_2x() */
292static noinline_for_stack void sha256_finup_2x_sequential(
293 const struct __sha256_ctx *ctx, const u8 *data1, const u8 *data2,
294 size_t len, u8 out1[SHA256_DIGEST_SIZE], u8 out2[SHA256_DIGEST_SIZE])
295{
296 struct __sha256_ctx mut_ctx;
297
298 mut_ctx = *ctx;
299 __sha256_update(&mut_ctx, data1, len);
300 __sha256_final(ctx: &mut_ctx, out: out1, SHA256_DIGEST_SIZE);
301
302 mut_ctx = *ctx;
303 __sha256_update(&mut_ctx, data2, len);
304 __sha256_final(ctx: &mut_ctx, out: out2, SHA256_DIGEST_SIZE);
305}
306
307void sha256_finup_2x(const struct sha256_ctx *ctx, const u8 *data1,
308 const u8 *data2, size_t len, u8 out1[SHA256_DIGEST_SIZE],
309 u8 out2[SHA256_DIGEST_SIZE])
310{
311 if (ctx == NULL)
312 ctx = &initial_sha256_ctx;
313
314 if (likely(sha256_finup_2x_arch(&ctx->ctx, data1, data2, len, out1,
315 out2)))
316 return;
317 sha256_finup_2x_sequential(ctx: &ctx->ctx, data1, data2, len, out1, out2);
318}
319EXPORT_SYMBOL_GPL(sha256_finup_2x);
320
321bool sha256_finup_2x_is_optimized(void)
322{
323 return sha256_finup_2x_is_optimized_arch();
324}
325EXPORT_SYMBOL_GPL(sha256_finup_2x_is_optimized);
326
327static void __hmac_sha256_preparekey(struct sha256_block_state *istate,
328 struct sha256_block_state *ostate,
329 const u8 *raw_key, size_t raw_key_len,
330 const struct sha256_block_state *iv)
331{
332 union {
333 u8 b[SHA256_BLOCK_SIZE];
334 unsigned long w[SHA256_BLOCK_SIZE / sizeof(unsigned long)];
335 } derived_key = { 0 };
336
337 if (unlikely(raw_key_len > SHA256_BLOCK_SIZE)) {
338 if (iv == &sha224_iv)
339 sha224(raw_key, raw_key_len, derived_key.b);
340 else
341 sha256(raw_key, raw_key_len, derived_key.b);
342 } else {
343 memcpy(to: derived_key.b, from: raw_key, len: raw_key_len);
344 }
345
346 for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
347 derived_key.w[i] ^= REPEAT_BYTE(HMAC_IPAD_VALUE);
348 *istate = *iv;
349 sha256_blocks(state: istate, data: derived_key.b, nblocks: 1);
350
351 for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
352 derived_key.w[i] ^= REPEAT_BYTE(HMAC_OPAD_VALUE ^
353 HMAC_IPAD_VALUE);
354 *ostate = *iv;
355 sha256_blocks(state: ostate, data: derived_key.b, nblocks: 1);
356
357 memzero_explicit(s: &derived_key, count: sizeof(derived_key));
358}
359
360void hmac_sha224_preparekey(struct hmac_sha224_key *key,
361 const u8 *raw_key, size_t raw_key_len)
362{
363 __hmac_sha256_preparekey(istate: &key->key.istate, ostate: &key->key.ostate,
364 raw_key, raw_key_len, iv: &sha224_iv);
365}
366EXPORT_SYMBOL_GPL(hmac_sha224_preparekey);
367
368void hmac_sha256_preparekey(struct hmac_sha256_key *key,
369 const u8 *raw_key, size_t raw_key_len)
370{
371 __hmac_sha256_preparekey(istate: &key->key.istate, ostate: &key->key.ostate,
372 raw_key, raw_key_len, iv: &sha256_iv);
373}
374EXPORT_SYMBOL_GPL(hmac_sha256_preparekey);
375
376void __hmac_sha256_init(struct __hmac_sha256_ctx *ctx,
377 const struct __hmac_sha256_key *key)
378{
379 __sha256_init(ctx: &ctx->sha_ctx, iv: &key->istate, SHA256_BLOCK_SIZE);
380 ctx->ostate = key->ostate;
381}
382EXPORT_SYMBOL_GPL(__hmac_sha256_init);
383
384void hmac_sha224_init_usingrawkey(struct hmac_sha224_ctx *ctx,
385 const u8 *raw_key, size_t raw_key_len)
386{
387 __hmac_sha256_preparekey(istate: &ctx->ctx.sha_ctx.state, ostate: &ctx->ctx.ostate,
388 raw_key, raw_key_len, iv: &sha224_iv);
389 ctx->ctx.sha_ctx.bytecount = SHA256_BLOCK_SIZE;
390}
391EXPORT_SYMBOL_GPL(hmac_sha224_init_usingrawkey);
392
393void hmac_sha256_init_usingrawkey(struct hmac_sha256_ctx *ctx,
394 const u8 *raw_key, size_t raw_key_len)
395{
396 __hmac_sha256_preparekey(istate: &ctx->ctx.sha_ctx.state, ostate: &ctx->ctx.ostate,
397 raw_key, raw_key_len, iv: &sha256_iv);
398 ctx->ctx.sha_ctx.bytecount = SHA256_BLOCK_SIZE;
399}
400EXPORT_SYMBOL_GPL(hmac_sha256_init_usingrawkey);
401
402static void __hmac_sha256_final(struct __hmac_sha256_ctx *ctx,
403 u8 *out, size_t digest_size)
404{
405 /* Generate the padded input for the outer hash in ctx->sha_ctx.buf. */
406 __sha256_final(ctx: &ctx->sha_ctx, out: ctx->sha_ctx.buf, digest_size);
407 memset(s: &ctx->sha_ctx.buf[digest_size], c: 0,
408 SHA256_BLOCK_SIZE - digest_size);
409 ctx->sha_ctx.buf[digest_size] = 0x80;
410 *(__be32 *)&ctx->sha_ctx.buf[SHA256_BLOCK_SIZE - 4] =
411 cpu_to_be32(8 * (SHA256_BLOCK_SIZE + digest_size));
412
413 /* Compute the outer hash, which gives the HMAC value. */
414 sha256_blocks(state: &ctx->ostate, data: ctx->sha_ctx.buf, nblocks: 1);
415 for (size_t i = 0; i < digest_size; i += 4)
416 put_unaligned_be32(val: ctx->ostate.h[i / 4], p: out + i);
417
418 memzero_explicit(s: ctx, count: sizeof(*ctx));
419}
420
421void hmac_sha224_final(struct hmac_sha224_ctx *ctx,
422 u8 out[SHA224_DIGEST_SIZE])
423{
424 __hmac_sha256_final(ctx: &ctx->ctx, out, SHA224_DIGEST_SIZE);
425}
426EXPORT_SYMBOL_GPL(hmac_sha224_final);
427
428void hmac_sha256_final(struct hmac_sha256_ctx *ctx,
429 u8 out[SHA256_DIGEST_SIZE])
430{
431 __hmac_sha256_final(ctx: &ctx->ctx, out, SHA256_DIGEST_SIZE);
432}
433EXPORT_SYMBOL_GPL(hmac_sha256_final);
434
435void hmac_sha224(const struct hmac_sha224_key *key,
436 const u8 *data, size_t data_len, u8 out[SHA224_DIGEST_SIZE])
437{
438 struct hmac_sha224_ctx ctx;
439
440 hmac_sha224_init(ctx: &ctx, key);
441 hmac_sha224_update(ctx: &ctx, data, data_len);
442 hmac_sha224_final(&ctx, out);
443}
444EXPORT_SYMBOL_GPL(hmac_sha224);
445
446void hmac_sha256(const struct hmac_sha256_key *key,
447 const u8 *data, size_t data_len, u8 out[SHA256_DIGEST_SIZE])
448{
449 struct hmac_sha256_ctx ctx;
450
451 hmac_sha256_init(ctx: &ctx, key);
452 hmac_sha256_update(ctx: &ctx, data, data_len);
453 hmac_sha256_final(&ctx, out);
454}
455EXPORT_SYMBOL_GPL(hmac_sha256);
456
457void hmac_sha224_usingrawkey(const u8 *raw_key, size_t raw_key_len,
458 const u8 *data, size_t data_len,
459 u8 out[SHA224_DIGEST_SIZE])
460{
461 struct hmac_sha224_ctx ctx;
462
463 hmac_sha224_init_usingrawkey(&ctx, raw_key, raw_key_len);
464 hmac_sha224_update(ctx: &ctx, data, data_len);
465 hmac_sha224_final(&ctx, out);
466}
467EXPORT_SYMBOL_GPL(hmac_sha224_usingrawkey);
468
469void hmac_sha256_usingrawkey(const u8 *raw_key, size_t raw_key_len,
470 const u8 *data, size_t data_len,
471 u8 out[SHA256_DIGEST_SIZE])
472{
473 struct hmac_sha256_ctx ctx;
474
475 hmac_sha256_init_usingrawkey(&ctx, raw_key, raw_key_len);
476 hmac_sha256_update(ctx: &ctx, data, data_len);
477 hmac_sha256_final(&ctx, out);
478}
479EXPORT_SYMBOL_GPL(hmac_sha256_usingrawkey);
480#endif /* !__DISABLE_EXPORTS */
481
482#ifdef sha256_mod_init_arch
483static int __init sha256_mod_init(void)
484{
485 sha256_mod_init_arch();
486 return 0;
487}
488subsys_initcall(sha256_mod_init);
489
490static void __exit sha256_mod_exit(void)
491{
492}
493module_exit(sha256_mod_exit);
494#endif
495
496MODULE_DESCRIPTION("SHA-224, SHA-256, HMAC-SHA224, and HMAC-SHA256 library functions");
497MODULE_LICENSE("GPL");
498