CoCalc -- sha256.c

GitHub Repository: torvalds/linux
Path: blob/master/lib/crypto/sha256.c
²⁶²⁸² views
1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/*
3
 * SHA-224, SHA-256, HMAC-SHA224, and HMAC-SHA256 library functions
4
 *
5
 * Copyright (c) Jean-Luc Cooke <[email protected]>
6
 * Copyright (c) Andrew McDonald <[email protected]>
7
 * Copyright (c) 2002 James Morris <[email protected]>
8
 * Copyright (c) 2014 Red Hat Inc.
9
 * Copyright 2025 Google LLC
10
 */
11

12
#include <crypto/hmac.h>
13
#include <crypto/sha2.h>
14
#include <linux/export.h>
15
#include <linux/kernel.h>
16
#include <linux/module.h>
17
#include <linux/string.h>
18
#include <linux/unaligned.h>
19
#include <linux/wordpart.h>
20

21
static const struct sha256_block_state sha224_iv = {
22
	.h = {
23
		SHA224_H0, SHA224_H1, SHA224_H2, SHA224_H3,
24
		SHA224_H4, SHA224_H5, SHA224_H6, SHA224_H7,
25
	},
26
};
27

28
static const struct sha256_block_state sha256_iv = {
29
	.h = {
30
		SHA256_H0, SHA256_H1, SHA256_H2, SHA256_H3,
31
		SHA256_H4, SHA256_H5, SHA256_H6, SHA256_H7,
32
	},
33
};
34

35
static const u32 sha256_K[64] = {
36
	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
37
	0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
38
	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
39
	0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
40
	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
41
	0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
42
	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
43
	0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
44
	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
45
	0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
46
	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
47
};
48

49
#define Ch(x, y, z) ((z) ^ ((x) & ((y) ^ (z))))
50
#define Maj(x, y, z) (((x) & (y)) | ((z) & ((x) | (y))))
51
#define e0(x) (ror32((x), 2) ^ ror32((x), 13) ^ ror32((x), 22))
52
#define e1(x) (ror32((x), 6) ^ ror32((x), 11) ^ ror32((x), 25))
53
#define s0(x) (ror32((x), 7) ^ ror32((x), 18) ^ ((x) >> 3))
54
#define s1(x) (ror32((x), 17) ^ ror32((x), 19) ^ ((x) >> 10))
55

56
static inline void LOAD_OP(int I, u32 *W, const u8 *input)
57
{
58
	W[I] = get_unaligned_be32((__u32 *)input + I);
59
}
60

61
static inline void BLEND_OP(int I, u32 *W)
62
{
63
	W[I] = s1(W[I - 2]) + W[I - 7] + s0(W[I - 15]) + W[I - 16];
64
}
65

66
#define SHA256_ROUND(i, a, b, c, d, e, f, g, h)                    \
67
	do {                                                       \
68
		u32 t1, t2;                                        \
69
		t1 = h + e1(e) + Ch(e, f, g) + sha256_K[i] + W[i]; \
70
		t2 = e0(a) + Maj(a, b, c);                         \
71
		d += t1;                                           \
72
		h = t1 + t2;                                       \
73
	} while (0)
74

75
static void sha256_block_generic(struct sha256_block_state *state,
76
				 const u8 *input, u32 W[64])
77
{
78
	u32 a, b, c, d, e, f, g, h;
79
	int i;
80

81
	/* load the input */
82
	for (i = 0; i < 16; i += 8) {
83
		LOAD_OP(i + 0, W, input);
84
		LOAD_OP(i + 1, W, input);
85
		LOAD_OP(i + 2, W, input);
86
		LOAD_OP(i + 3, W, input);
87
		LOAD_OP(i + 4, W, input);
88
		LOAD_OP(i + 5, W, input);
89
		LOAD_OP(i + 6, W, input);
90
		LOAD_OP(i + 7, W, input);
91
	}
92

93
	/* now blend */
94
	for (i = 16; i < 64; i += 8) {
95
		BLEND_OP(i + 0, W);
96
		BLEND_OP(i + 1, W);
97
		BLEND_OP(i + 2, W);
98
		BLEND_OP(i + 3, W);
99
		BLEND_OP(i + 4, W);
100
		BLEND_OP(i + 5, W);
101
		BLEND_OP(i + 6, W);
102
		BLEND_OP(i + 7, W);
103
	}
104

105
	/* load the state into our registers */
106
	a = state->h[0];
107
	b = state->h[1];
108
	c = state->h[2];
109
	d = state->h[3];
110
	e = state->h[4];
111
	f = state->h[5];
112
	g = state->h[6];
113
	h = state->h[7];
114

115
	/* now iterate */
116
	for (i = 0; i < 64; i += 8) {
117
		SHA256_ROUND(i + 0, a, b, c, d, e, f, g, h);
118
		SHA256_ROUND(i + 1, h, a, b, c, d, e, f, g);
119
		SHA256_ROUND(i + 2, g, h, a, b, c, d, e, f);
120
		SHA256_ROUND(i + 3, f, g, h, a, b, c, d, e);
121
		SHA256_ROUND(i + 4, e, f, g, h, a, b, c, d);
122
		SHA256_ROUND(i + 5, d, e, f, g, h, a, b, c);
123
		SHA256_ROUND(i + 6, c, d, e, f, g, h, a, b);
124
		SHA256_ROUND(i + 7, b, c, d, e, f, g, h, a);
125
	}
126

127
	state->h[0] += a;
128
	state->h[1] += b;
129
	state->h[2] += c;
130
	state->h[3] += d;
131
	state->h[4] += e;
132
	state->h[5] += f;
133
	state->h[6] += g;
134
	state->h[7] += h;
135
}
136

137
static void __maybe_unused
138
sha256_blocks_generic(struct sha256_block_state *state,
139
		      const u8 *data, size_t nblocks)
140
{
141
	u32 W[64];
142

143
	do {
144
		sha256_block_generic(state, data, W);
145
		data += SHA256_BLOCK_SIZE;
146
	} while (--nblocks);
147

148
	memzero_explicit(W, sizeof(W));
149
}
150

151
#if defined(CONFIG_CRYPTO_LIB_SHA256_ARCH) && !defined(__DISABLE_EXPORTS)
152
#include "sha256.h" /* $(SRCARCH)/sha256.h */
153
#else
154
#define sha256_blocks sha256_blocks_generic
155
#endif
156

157
static void __sha256_init(struct __sha256_ctx *ctx,
158
			  const struct sha256_block_state *iv,
159
			  u64 initial_bytecount)
160
{
161
	ctx->state = *iv;
162
	ctx->bytecount = initial_bytecount;
163
}
164

165
void sha224_init(struct sha224_ctx *ctx)
166
{
167
	__sha256_init(&ctx->ctx, &sha224_iv, 0);
168
}
169
EXPORT_SYMBOL_GPL(sha224_init);
170

171
void sha256_init(struct sha256_ctx *ctx)
172
{
173
	__sha256_init(&ctx->ctx, &sha256_iv, 0);
174
}
175
EXPORT_SYMBOL_GPL(sha256_init);
176

177
void __sha256_update(struct __sha256_ctx *ctx, const u8 *data, size_t len)
178
{
179
	size_t partial = ctx->bytecount % SHA256_BLOCK_SIZE;
180

181
	ctx->bytecount += len;
182

183
	if (partial + len >= SHA256_BLOCK_SIZE) {
184
		size_t nblocks;
185

186
		if (partial) {
187
			size_t l = SHA256_BLOCK_SIZE - partial;
188

189
			memcpy(&ctx->buf[partial], data, l);
190
			data += l;
191
			len -= l;
192

193
			sha256_blocks(&ctx->state, ctx->buf, 1);
194
		}
195

196
		nblocks = len / SHA256_BLOCK_SIZE;
197
		len %= SHA256_BLOCK_SIZE;
198

199
		if (nblocks) {
200
			sha256_blocks(&ctx->state, data, nblocks);
201
			data += nblocks * SHA256_BLOCK_SIZE;
202
		}
203
		partial = 0;
204
	}
205
	if (len)
206
		memcpy(&ctx->buf[partial], data, len);
207
}
208
EXPORT_SYMBOL(__sha256_update);
209

210
static void __sha256_final(struct __sha256_ctx *ctx,
211
			   u8 *out, size_t digest_size)
212
{
213
	u64 bitcount = ctx->bytecount << 3;
214
	size_t partial = ctx->bytecount % SHA256_BLOCK_SIZE;
215

216
	ctx->buf[partial++] = 0x80;
217
	if (partial > SHA256_BLOCK_SIZE - 8) {
218
		memset(&ctx->buf[partial], 0, SHA256_BLOCK_SIZE - partial);
219
		sha256_blocks(&ctx->state, ctx->buf, 1);
220
		partial = 0;
221
	}
222
	memset(&ctx->buf[partial], 0, SHA256_BLOCK_SIZE - 8 - partial);
223
	*(__be64 *)&ctx->buf[SHA256_BLOCK_SIZE - 8] = cpu_to_be64(bitcount);
224
	sha256_blocks(&ctx->state, ctx->buf, 1);
225

226
	for (size_t i = 0; i < digest_size; i += 4)
227
		put_unaligned_be32(ctx->state.h[i / 4], out + i);
228
}
229

230
void sha224_final(struct sha224_ctx *ctx, u8 out[SHA224_DIGEST_SIZE])
231
{
232
	__sha256_final(&ctx->ctx, out, SHA224_DIGEST_SIZE);
233
	memzero_explicit(ctx, sizeof(*ctx));
234
}
235
EXPORT_SYMBOL(sha224_final);
236

237
void sha256_final(struct sha256_ctx *ctx, u8 out[SHA256_DIGEST_SIZE])
238
{
239
	__sha256_final(&ctx->ctx, out, SHA256_DIGEST_SIZE);
240
	memzero_explicit(ctx, sizeof(*ctx));
241
}
242
EXPORT_SYMBOL(sha256_final);
243

244
void sha224(const u8 *data, size_t len, u8 out[SHA224_DIGEST_SIZE])
245
{
246
	struct sha224_ctx ctx;
247

248
	sha224_init(&ctx);
249
	sha224_update(&ctx, data, len);
250
	sha224_final(&ctx, out);
251
}
252
EXPORT_SYMBOL(sha224);
253

254
void sha256(const u8 *data, size_t len, u8 out[SHA256_DIGEST_SIZE])
255
{
256
	struct sha256_ctx ctx;
257

258
	sha256_init(&ctx);
259
	sha256_update(&ctx, data, len);
260
	sha256_final(&ctx, out);
261
}
262
EXPORT_SYMBOL(sha256);
263

264
/* pre-boot environment (as indicated by __DISABLE_EXPORTS) doesn't need HMAC */
265
#ifndef __DISABLE_EXPORTS
266
static void __hmac_sha256_preparekey(struct sha256_block_state *istate,
267
				     struct sha256_block_state *ostate,
268
				     const u8 *raw_key, size_t raw_key_len,
269
				     const struct sha256_block_state *iv)
270
{
271
	union {
272
		u8 b[SHA256_BLOCK_SIZE];
273
		unsigned long w[SHA256_BLOCK_SIZE / sizeof(unsigned long)];
274
	} derived_key = { 0 };
275

276
	if (unlikely(raw_key_len > SHA256_BLOCK_SIZE)) {
277
		if (iv == &sha224_iv)
278
			sha224(raw_key, raw_key_len, derived_key.b);
279
		else
280
			sha256(raw_key, raw_key_len, derived_key.b);
281
	} else {
282
		memcpy(derived_key.b, raw_key, raw_key_len);
283
	}
284

285
	for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
286
		derived_key.w[i] ^= REPEAT_BYTE(HMAC_IPAD_VALUE);
287
	*istate = *iv;
288
	sha256_blocks(istate, derived_key.b, 1);
289

290
	for (size_t i = 0; i < ARRAY_SIZE(derived_key.w); i++)
291
		derived_key.w[i] ^= REPEAT_BYTE(HMAC_OPAD_VALUE ^
292
						HMAC_IPAD_VALUE);
293
	*ostate = *iv;
294
	sha256_blocks(ostate, derived_key.b, 1);
295

296
	memzero_explicit(&derived_key, sizeof(derived_key));
297
}
298

299
void hmac_sha224_preparekey(struct hmac_sha224_key *key,
300
			    const u8 *raw_key, size_t raw_key_len)
301
{
302
	__hmac_sha256_preparekey(&key->key.istate, &key->key.ostate,
303
				 raw_key, raw_key_len, &sha224_iv);
304
}
305
EXPORT_SYMBOL_GPL(hmac_sha224_preparekey);
306

307
void hmac_sha256_preparekey(struct hmac_sha256_key *key,
308
			    const u8 *raw_key, size_t raw_key_len)
309
{
310
	__hmac_sha256_preparekey(&key->key.istate, &key->key.ostate,
311
				 raw_key, raw_key_len, &sha256_iv);
312
}
313
EXPORT_SYMBOL_GPL(hmac_sha256_preparekey);
314

315
void __hmac_sha256_init(struct __hmac_sha256_ctx *ctx,
316
			const struct __hmac_sha256_key *key)
317
{
318
	__sha256_init(&ctx->sha_ctx, &key->istate, SHA256_BLOCK_SIZE);
319
	ctx->ostate = key->ostate;
320
}
321
EXPORT_SYMBOL_GPL(__hmac_sha256_init);
322

323
void hmac_sha224_init_usingrawkey(struct hmac_sha224_ctx *ctx,
324
				  const u8 *raw_key, size_t raw_key_len)
325
{
326
	__hmac_sha256_preparekey(&ctx->ctx.sha_ctx.state, &ctx->ctx.ostate,
327
				 raw_key, raw_key_len, &sha224_iv);
328
	ctx->ctx.sha_ctx.bytecount = SHA256_BLOCK_SIZE;
329
}
330
EXPORT_SYMBOL_GPL(hmac_sha224_init_usingrawkey);
331

332
void hmac_sha256_init_usingrawkey(struct hmac_sha256_ctx *ctx,
333
				  const u8 *raw_key, size_t raw_key_len)
334
{
335
	__hmac_sha256_preparekey(&ctx->ctx.sha_ctx.state, &ctx->ctx.ostate,
336
				 raw_key, raw_key_len, &sha256_iv);
337
	ctx->ctx.sha_ctx.bytecount = SHA256_BLOCK_SIZE;
338
}
339
EXPORT_SYMBOL_GPL(hmac_sha256_init_usingrawkey);
340

341
static void __hmac_sha256_final(struct __hmac_sha256_ctx *ctx,
342
				u8 *out, size_t digest_size)
343
{
344
	/* Generate the padded input for the outer hash in ctx->sha_ctx.buf. */
345
	__sha256_final(&ctx->sha_ctx, ctx->sha_ctx.buf, digest_size);
346
	memset(&ctx->sha_ctx.buf[digest_size], 0,
347
	       SHA256_BLOCK_SIZE - digest_size);
348
	ctx->sha_ctx.buf[digest_size] = 0x80;
349
	*(__be32 *)&ctx->sha_ctx.buf[SHA256_BLOCK_SIZE - 4] =
350
		cpu_to_be32(8 * (SHA256_BLOCK_SIZE + digest_size));
351

352
	/* Compute the outer hash, which gives the HMAC value. */
353
	sha256_blocks(&ctx->ostate, ctx->sha_ctx.buf, 1);
354
	for (size_t i = 0; i < digest_size; i += 4)
355
		put_unaligned_be32(ctx->ostate.h[i / 4], out + i);
356

357
	memzero_explicit(ctx, sizeof(*ctx));
358
}
359

360
void hmac_sha224_final(struct hmac_sha224_ctx *ctx,
361
		       u8 out[SHA224_DIGEST_SIZE])
362
{
363
	__hmac_sha256_final(&ctx->ctx, out, SHA224_DIGEST_SIZE);
364
}
365
EXPORT_SYMBOL_GPL(hmac_sha224_final);
366

367
void hmac_sha256_final(struct hmac_sha256_ctx *ctx,
368
		       u8 out[SHA256_DIGEST_SIZE])
369
{
370
	__hmac_sha256_final(&ctx->ctx, out, SHA256_DIGEST_SIZE);
371
}
372
EXPORT_SYMBOL_GPL(hmac_sha256_final);
373

374
void hmac_sha224(const struct hmac_sha224_key *key,
375
		 const u8 *data, size_t data_len, u8 out[SHA224_DIGEST_SIZE])
376
{
377
	struct hmac_sha224_ctx ctx;
378

379
	hmac_sha224_init(&ctx, key);
380
	hmac_sha224_update(&ctx, data, data_len);
381
	hmac_sha224_final(&ctx, out);
382
}
383
EXPORT_SYMBOL_GPL(hmac_sha224);
384

385
void hmac_sha256(const struct hmac_sha256_key *key,
386
		 const u8 *data, size_t data_len, u8 out[SHA256_DIGEST_SIZE])
387
{
388
	struct hmac_sha256_ctx ctx;
389

390
	hmac_sha256_init(&ctx, key);
391
	hmac_sha256_update(&ctx, data, data_len);
392
	hmac_sha256_final(&ctx, out);
393
}
394
EXPORT_SYMBOL_GPL(hmac_sha256);
395

396
void hmac_sha224_usingrawkey(const u8 *raw_key, size_t raw_key_len,
397
			     const u8 *data, size_t data_len,
398
			     u8 out[SHA224_DIGEST_SIZE])
399
{
400
	struct hmac_sha224_ctx ctx;
401

402
	hmac_sha224_init_usingrawkey(&ctx, raw_key, raw_key_len);
403
	hmac_sha224_update(&ctx, data, data_len);
404
	hmac_sha224_final(&ctx, out);
405
}
406
EXPORT_SYMBOL_GPL(hmac_sha224_usingrawkey);
407

408
void hmac_sha256_usingrawkey(const u8 *raw_key, size_t raw_key_len,
409
			     const u8 *data, size_t data_len,
410
			     u8 out[SHA256_DIGEST_SIZE])
411
{
412
	struct hmac_sha256_ctx ctx;
413

414
	hmac_sha256_init_usingrawkey(&ctx, raw_key, raw_key_len);
415
	hmac_sha256_update(&ctx, data, data_len);
416
	hmac_sha256_final(&ctx, out);
417
}
418
EXPORT_SYMBOL_GPL(hmac_sha256_usingrawkey);
419
#endif /* !__DISABLE_EXPORTS */
420

421
#ifdef sha256_mod_init_arch
422
static int __init sha256_mod_init(void)
423
{
424
	sha256_mod_init_arch();
425
	return 0;
426
}
427
subsys_initcall(sha256_mod_init);
428

429
static void __exit sha256_mod_exit(void)
430
{
431
}
432
module_exit(sha256_mod_exit);
433
#endif
434

435
MODULE_DESCRIPTION("SHA-224, SHA-256, HMAC-SHA224, and HMAC-SHA256 library functions");
436
MODULE_LICENSE("GPL");
437

438
Product

Resources

Company
