CoCalc -- sha1.c

GitHub Repository: torvalds/linux
Path: blob/master/lib/crypto/sha1.c
⁴⁹¹⁰⁸ views
1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * SHA-1 and HMAC-SHA1 library functions
4
 */
5

6
#include <crypto/hmac.h>
7
#include <crypto/sha1.h>
8
#include <linux/bitops.h>
9
#include <linux/export.h>
10
#include <linux/kernel.h>
11
#include <linux/module.h>
12
#include <linux/string.h>
13
#include <linux/unaligned.h>
14
#include <linux/wordpart.h>
15
#include "fips.h"
16

17
static const struct sha1_block_state sha1_iv = {
18
	.h = { SHA1_H0, SHA1_H1, SHA1_H2, SHA1_H3, SHA1_H4 },
19
};
20

21
/*
22
 * If you have 32 registers or more, the compiler can (and should)
23
 * try to change the array[] accesses into registers. However, on
24
 * machines with less than ~25 registers, that won't really work,
25
 * and at least gcc will make an unholy mess of it.
26
 *
27
 * So to avoid that mess which just slows things down, we force
28
 * the stores to memory to actually happen (we might be better off
29
 * with a 'W(t)=(val);asm("":"+m" (W(t))' there instead, as
30
 * suggested by Artur Skawina - that will also make gcc unable to
31
 * try to do the silly "optimize away loads" part because it won't
32
 * see what the value will be).
33
 *
34
 * Ben Herrenschmidt reports that on PPC, the C version comes close
35
 * to the optimized asm with this (ie on PPC you don't want that
36
 * 'volatile', since there are lots of registers).
37
 *
38
 * On ARM we get the best code generation by forcing a full memory barrier
39
 * between each SHA_ROUND, otherwise gcc happily get wild with spilling and
40
 * the stack frame size simply explode and performance goes down the drain.
41
 */
42

43
#ifdef CONFIG_X86
44
  #define setW(x, val) (*(volatile __u32 *)&W(x) = (val))
45
#elif defined(CONFIG_ARM)
46
  #define setW(x, val) do { W(x) = (val); __asm__("":::"memory"); } while (0)
47
#else
48
  #define setW(x, val) (W(x) = (val))
49
#endif
50

51
/* This "rolls" over the 512-bit array */
52
#define W(x) (array[(x)&15])
53

54
/*
55
 * Where do we get the source from? The first 16 iterations get it from
56
 * the input data, the next mix it from the 512-bit array.
57
 */
58
#define SHA_SRC(t) get_unaligned_be32((__u32 *)data + t)
59
#define SHA_MIX(t) rol32(W(t+13) ^ W(t+8) ^ W(t+2) ^ W(t), 1)
60

61
#define SHA_ROUND(t, input, fn, constant, A, B, C, D, E) do { \
62
	__u32 TEMP = input(t); setW(t, TEMP); \
63
	E += TEMP + rol32(A,5) + (fn) + (constant); \
64
	B = ror32(B, 2); \
65
	TEMP = E; E = D; D = C; C = B; B = A; A = TEMP; } while (0)
66

67
#define T_0_15(t, A, B, C, D, E)  SHA_ROUND(t, SHA_SRC, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
68
#define T_16_19(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (((C^D)&B)^D) , 0x5a827999, A, B, C, D, E )
69
#define T_20_39(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) , 0x6ed9eba1, A, B, C, D, E )
70
#define T_40_59(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, ((B&C)+(D&(B^C))) , 0x8f1bbcdc, A, B, C, D, E )
71
#define T_60_79(t, A, B, C, D, E) SHA_ROUND(t, SHA_MIX, (B^C^D) ,  0xca62c1d6, A, B, C, D, E )
72

73
/**
74
 * sha1_transform - single block SHA1 transform (deprecated)
75
 *
76
 * @digest: 160 bit digest to update
77
 * @data:   512 bits of data to hash
78
 * @array:  16 words of workspace (see note)
79
 *
80
 * This function executes SHA-1's internal compression function.  It updates the
81
 * 160-bit internal state (@digest) with a single 512-bit data block (@data).
82
 *
83
 * Don't use this function.  SHA-1 is no longer considered secure.  And even if
84
 * you do have to use SHA-1, this isn't the correct way to hash something with
85
 * SHA-1 as this doesn't handle padding and finalization.
86
 *
87
 * Note: If the hash is security sensitive, the caller should be sure
88
 * to clear the workspace. This is left to the caller to avoid
89
 * unnecessary clears between chained hashing operations.
90
 */
91
void sha1_transform(__u32 *digest, const char *data, __u32 *array)
92
{
93
	__u32 A, B, C, D, E;
94
	unsigned int i = 0;
95

96
	A = digest[0];
97
	B = digest[1];
98
	C = digest[2];
99
	D = digest[3];
100
	E = digest[4];
101

102
	/* Round 1 - iterations 0-16 take their input from 'data' */
103
	for (; i < 16; ++i)
104
		T_0_15(i, A, B, C, D, E);
105

106
	/* Round 1 - tail. Input from 512-bit mixing array */
107
	for (; i < 20; ++i)
108
		T_16_19(i, A, B, C, D, E);
109

110
	/* Round 2 */
111
	for (; i < 40; ++i)
112
		T_20_39(i, A, B, C, D, E);
113

114
	/* Round 3 */
115
	for (; i < 60; ++i)
116
		T_40_59(i, A, B, C, D, E);
117

118
	/* Round 4 */
119
	for (; i < 80; ++i)
120
		T_60_79(i, A, B, C, D, E);
121

122
	digest[0] += A;
123
	digest[1] += B;
124
	digest[2] += C;
125
	digest[3] += D;
126
	digest[4] += E;
127
}
128
EXPORT_SYMBOL(sha1_transform);
129

130
/**
131
 * sha1_init_raw - initialize the vectors for a SHA1 digest
132
 * @buf: vector to initialize
133
 */
134
void sha1_init_raw(__u32 *buf)
135
{
136
	buf[0] = 0x67452301;
137
	buf[1] = 0xefcdab89;
138
	buf[2] = 0x98badcfe;
139
	buf[3] = 0x10325476;
140
	buf[4] = 0xc3d2e1f0;
141
}
142
EXPORT_SYMBOL(sha1_init_raw);
143

144
static void __maybe_unused sha1_blocks_generic(struct sha1_block_state *state,
145
					       const u8 *data, size_t nblocks)
146
{
147
	u32 workspace[SHA1_WORKSPACE_WORDS];
148

149
	do {
150
		sha1_transform(state->h, data, workspace);
151
		data += SHA1_BLOCK_SIZE;
152
	} while (--nblocks);
153

154
	memzero_explicit(workspace, sizeof(workspace));
155
}
156

157
#ifdef CONFIG_CRYPTO_LIB_SHA1_ARCH
158
#include "sha1.h" /* $(SRCARCH)/sha1.h */
159
#else
160
#define sha1_blocks sha1_blocks_generic
161
#endif
162

163
void sha1_init(struct sha1_ctx *ctx)
164
{
165
	ctx->state = sha1_iv;
166
	ctx->bytecount = 0;
167
}
168
EXPORT_SYMBOL_GPL(sha1_init);
169

170
void sha1_update(struct sha1_ctx *ctx, const u8 *data, size_t len)
171
{
172
	size_t partial = ctx->bytecount % SHA1_BLOCK_SIZE;
173

174
	ctx->bytecount += len;
175

176
	if (partial + len >= SHA1_BLOCK_SIZE) {
177
		size_t nblocks;
178

179
		if (partial) {
180
			size_t l = SHA1_BLOCK_SIZE - partial;
181

182
			memcpy(&ctx->buf[partial], data, l);
183
			data += l;
184
			len -= l;
185

186
			sha1_blocks(&ctx->state, ctx->buf, 1);
187
		}
188

189
		nblocks = len / SHA1_BLOCK_SIZE;
190
		len %= SHA1_BLOCK_SIZE;
191

192
		if (nblocks) {
193
			sha1_blocks(&ctx->state, data, nblocks);
194
			data += nblocks * SHA1_BLOCK_SIZE;
195
		}
196
		partial = 0;
197
	}
198
	if (len)
199
		memcpy(&ctx->buf[partial], data, len);
200
}
201
EXPORT_SYMBOL_GPL(sha1_update);
202

203
static void __sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE])
204
{
205
	u64 bitcount = ctx->bytecount << 3;
206
	size_t partial = ctx->bytecount % SHA1_BLOCK_SIZE;
207

208
	ctx->buf[partial++] = 0x80;
209
	if (partial > SHA1_BLOCK_SIZE - 8) {
210
		memset(&ctx->buf[partial], 0, SHA1_BLOCK_SIZE - partial);
211
		sha1_blocks(&ctx->state, ctx->buf, 1);
212
		partial = 0;
213
	}
214
	memset(&ctx->buf[partial], 0, SHA1_BLOCK_SIZE - 8 - partial);
215
	*(__be64 *)&ctx->buf[SHA1_BLOCK_SIZE - 8] = cpu_to_be64(bitcount);
216
	sha1_blocks(&ctx->state, ctx->buf, 1);
217

218
	for (size_t i = 0; i < SHA1_DIGEST_SIZE; i += 4)
219
		put_unaligned_be32(ctx->state.h[i / 4], out + i);
220
}
221

222
void sha1_final(struct sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE])
223
{
224
	__sha1_final(ctx, out);
225
	memzero_explicit(ctx, sizeof(*ctx));
226
}
227
EXPORT_SYMBOL_GPL(sha1_final);
228

229
void sha1(const u8 *data, size_t len, u8 out[SHA1_DIGEST_SIZE])
230
{
231
	struct sha1_ctx ctx;
232

233
	sha1_init(&ctx);
234
	sha1_update(&ctx, data, len);
235
	sha1_final(&ctx, out);
236
}
237
EXPORT_SYMBOL_GPL(sha1);
238

239
static void __hmac_sha1_preparekey(struct sha1_block_state *istate,
240
				   struct sha1_block_state *ostate,
241
				   const u8 *raw_key, size_t raw_key_len)
242
{
243
	union {
244
		u8 b[SHA1_BLOCK_SIZE];
245
		unsigned long w[SHA1_BLOCK_SIZE / sizeof(unsigned long)];
246
	} derived_key = { 0 };
247

248
	if (unlikely(raw_key_len > SHA1_BLOCK_SIZE))
249
		sha1(raw_key, raw_key_len, derived_key.b);
250
	else
251
		memcpy(derived_key.b, raw_key, raw_key_len);
252

253
	for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
254
		derived_key.w[i] ^= REPEAT_BYTE(HMAC_IPAD_VALUE);
255
	*istate = sha1_iv;
256
	sha1_blocks(istate, derived_key.b, 1);
257

258
	for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
259
		derived_key.w[i] ^= REPEAT_BYTE(HMAC_OPAD_VALUE ^
260
						HMAC_IPAD_VALUE);
261
	*ostate = sha1_iv;
262
	sha1_blocks(ostate, derived_key.b, 1);
263

264
	memzero_explicit(&derived_key, sizeof(derived_key));
265
}
266

267
void hmac_sha1_preparekey(struct hmac_sha1_key *key,
268
			  const u8 *raw_key, size_t raw_key_len)
269
{
270
	__hmac_sha1_preparekey(&key->istate, &key->ostate,
271
			       raw_key, raw_key_len);
272
}
273
EXPORT_SYMBOL_GPL(hmac_sha1_preparekey);
274

275
void hmac_sha1_init(struct hmac_sha1_ctx *ctx, const struct hmac_sha1_key *key)
276
{
277
	ctx->sha_ctx.state = key->istate;
278
	ctx->sha_ctx.bytecount = SHA1_BLOCK_SIZE;
279
	ctx->ostate = key->ostate;
280
}
281
EXPORT_SYMBOL_GPL(hmac_sha1_init);
282

283
void hmac_sha1_init_usingrawkey(struct hmac_sha1_ctx *ctx,
284
				const u8 *raw_key, size_t raw_key_len)
285
{
286
	__hmac_sha1_preparekey(&ctx->sha_ctx.state, &ctx->ostate,
287
			       raw_key, raw_key_len);
288
	ctx->sha_ctx.bytecount = SHA1_BLOCK_SIZE;
289
}
290
EXPORT_SYMBOL_GPL(hmac_sha1_init_usingrawkey);
291

292
void hmac_sha1_final(struct hmac_sha1_ctx *ctx, u8 out[SHA1_DIGEST_SIZE])
293
{
294
	/* Generate the padded input for the outer hash in ctx->sha_ctx.buf. */
295
	__sha1_final(&ctx->sha_ctx, ctx->sha_ctx.buf);
296
	memset(&ctx->sha_ctx.buf[SHA1_DIGEST_SIZE], 0,
297
	       SHA1_BLOCK_SIZE - SHA1_DIGEST_SIZE);
298
	ctx->sha_ctx.buf[SHA1_DIGEST_SIZE] = 0x80;
299
	*(__be32 *)&ctx->sha_ctx.buf[SHA1_BLOCK_SIZE - 4] =
300
		cpu_to_be32(8 * (SHA1_BLOCK_SIZE + SHA1_DIGEST_SIZE));
301

302
	/* Compute the outer hash, which gives the HMAC value. */
303
	sha1_blocks(&ctx->ostate, ctx->sha_ctx.buf, 1);
304
	for (size_t i = 0; i < SHA1_DIGEST_SIZE; i += 4)
305
		put_unaligned_be32(ctx->ostate.h[i / 4], out + i);
306

307
	memzero_explicit(ctx, sizeof(*ctx));
308
}
309
EXPORT_SYMBOL_GPL(hmac_sha1_final);
310

311
void hmac_sha1(const struct hmac_sha1_key *key,
312
	       const u8 *data, size_t data_len, u8 out[SHA1_DIGEST_SIZE])
313
{
314
	struct hmac_sha1_ctx ctx;
315

316
	hmac_sha1_init(&ctx, key);
317
	hmac_sha1_update(&ctx, data, data_len);
318
	hmac_sha1_final(&ctx, out);
319
}
320
EXPORT_SYMBOL_GPL(hmac_sha1);
321

322
void hmac_sha1_usingrawkey(const u8 *raw_key, size_t raw_key_len,
323
			   const u8 *data, size_t data_len,
324
			   u8 out[SHA1_DIGEST_SIZE])
325
{
326
	struct hmac_sha1_ctx ctx;
327

328
	hmac_sha1_init_usingrawkey(&ctx, raw_key, raw_key_len);
329
	hmac_sha1_update(&ctx, data, data_len);
330
	hmac_sha1_final(&ctx, out);
331
}
332
EXPORT_SYMBOL_GPL(hmac_sha1_usingrawkey);
333

334
#if defined(sha1_mod_init_arch) || defined(CONFIG_CRYPTO_FIPS)
335
static int __init sha1_mod_init(void)
336
{
337
#ifdef sha1_mod_init_arch
338
	sha1_mod_init_arch();
339
#endif
340
	if (fips_enabled) {
341
		/*
342
		 * FIPS cryptographic algorithm self-test.  As per the FIPS
343
		 * Implementation Guidance, testing HMAC-SHA1 satisfies the test
344
		 * requirement for SHA-1 too.
345
		 */
346
		u8 mac[SHA1_DIGEST_SIZE];
347

348
		hmac_sha1_usingrawkey(fips_test_key, sizeof(fips_test_key),
349
				      fips_test_data, sizeof(fips_test_data),
350
				      mac);
351
		if (memcmp(fips_test_hmac_sha1_value, mac, sizeof(mac)) != 0)
352
			panic("sha1: FIPS self-test failed\n");
353
	}
354
	return 0;
355
}
356
subsys_initcall(sha1_mod_init);
357

358
static void __exit sha1_mod_exit(void)
359
{
360
}
361
module_exit(sha1_mod_exit);
362
#endif
363

364
MODULE_DESCRIPTION("SHA-1 and HMAC-SHA1 library functions");
365
MODULE_LICENSE("GPL");
366

367
Product

Resources

Company
