[linux-2.6-block.git] / crypto / hmac.c

// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Cryptographic API.
 *
 * HMAC: Keyed-Hashing for Message Authentication (RFC2104).
 *
 * Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
 * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
 *
 * The HMAC implementation is derived from USAGI.
 * Copyright (c) 2002 Kazunori Miyazawa <miyazawa@linux-ipv6.org> / USAGI
 */

#include <crypto/hmac.h>
#include <crypto/internal/hash.h>
#include <crypto/scatterwalk.h>
#include <linux/err.h>
#include <linux/fips.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/scatterlist.h>
#include <linux/string.h>

struct hmac_ctx {
	struct crypto_shash *hash;
	/* Contains 'u8 ipad[statesize];', then 'u8 opad[statesize];' */
	u8 pads[];
};

static int hmac_setkey(struct crypto_shash *parent,
		       const u8 *inkey, unsigned int keylen)
{
	int bs = crypto_shash_blocksize(parent);
	int ds = crypto_shash_digestsize(parent);
	int ss = crypto_shash_statesize(parent);
	struct hmac_ctx *tctx = crypto_shash_ctx(parent);
	struct crypto_shash *hash = tctx->hash;
	u8 *ipad = &tctx->pads[0];
	u8 *opad = &tctx->pads[ss];
	SHASH_DESC_ON_STACK(shash, hash);
	unsigned int i;

	if (fips_enabled && (keylen < 112 / 8))
		return -EINVAL;

	shash->tfm = hash;

	if (keylen > bs) {
		int err;

		err = crypto_shash_digest(shash, inkey, keylen, ipad);
		if (err)
			return err;

		keylen = ds;
	} else
		memcpy(ipad, inkey, keylen);

	memset(ipad + keylen, 0, bs - keylen);
	memcpy(opad, ipad, bs);

	for (i = 0; i < bs; i++) {
		ipad[i] ^= HMAC_IPAD_VALUE;
		opad[i] ^= HMAC_OPAD_VALUE;
	}

	return crypto_shash_init(shash) ?:
	       crypto_shash_update(shash, ipad, bs) ?:
	       crypto_shash_export(shash, ipad) ?:
	       crypto_shash_init(shash) ?:
	       crypto_shash_update(shash, opad, bs) ?:
	       crypto_shash_export(shash, opad);
}

static int hmac_export(struct shash_desc *pdesc, void *out)
{
	struct shash_desc *desc = shash_desc_ctx(pdesc);

	return crypto_shash_export(desc, out);
}

static int hmac_import(struct shash_desc *pdesc, const void *in)
{
	struct shash_desc *desc = shash_desc_ctx(pdesc);
	const struct hmac_ctx *tctx = crypto_shash_ctx(pdesc->tfm);

	desc->tfm = tctx->hash;

	return crypto_shash_import(desc, in);
}

static int hmac_init(struct shash_desc *pdesc)
{
	const struct hmac_ctx *tctx = crypto_shash_ctx(pdesc->tfm);

	return hmac_import(pdesc, &tctx->pads[0]);
}

static int hmac_update(struct shash_desc *pdesc,
		       const u8 *data, unsigned int nbytes)
{
	struct shash_desc *desc = shash_desc_ctx(pdesc);

	return crypto_shash_update(desc, data, nbytes);
}

static int hmac_final(struct shash_desc *pdesc, u8 *out)
{
	struct crypto_shash *parent = pdesc->tfm;
	int ds = crypto_shash_digestsize(parent);
	int ss = crypto_shash_statesize(parent);
	const struct hmac_ctx *tctx = crypto_shash_ctx(parent);
	const u8 *opad = &tctx->pads[ss];
	struct shash_desc *desc = shash_desc_ctx(pdesc);

	return crypto_shash_final(desc, out) ?:
	       crypto_shash_import(desc, opad) ?:
	       crypto_shash_finup(desc, out, ds, out);
}

static int hmac_finup(struct shash_desc *pdesc, const u8 *data,
		      unsigned int nbytes, u8 *out)
{

	struct crypto_shash *parent = pdesc->tfm;
	int ds = crypto_shash_digestsize(parent);
	int ss = crypto_shash_statesize(parent);
	const struct hmac_ctx *tctx = crypto_shash_ctx(parent);
	const u8 *opad = &tctx->pads[ss];
	struct shash_desc *desc = shash_desc_ctx(pdesc);

	return crypto_shash_finup(desc, data, nbytes, out) ?:
	       crypto_shash_import(desc, opad) ?:
	       crypto_shash_finup(desc, out, ds, out);
}

static int hmac_init_tfm(struct crypto_shash *parent)
{
	struct crypto_shash *hash;
	struct shash_instance *inst = shash_alg_instance(parent);
	struct crypto_shash_spawn *spawn = shash_instance_ctx(inst);
	struct hmac_ctx *tctx = crypto_shash_ctx(parent);

	hash = crypto_spawn_shash(spawn);
	if (IS_ERR(hash))
		return PTR_ERR(hash);

	parent->descsize = sizeof(struct shash_desc) +
			   crypto_shash_descsize(hash);

	tctx->hash = hash;
	return 0;
}

static int hmac_clone_tfm(struct crypto_shash *dst, struct crypto_shash *src)
{
	struct hmac_ctx *sctx = crypto_shash_ctx(src);
	struct hmac_ctx *dctx = crypto_shash_ctx(dst);
	struct crypto_shash *hash;

	hash = crypto_clone_shash(sctx->hash);
	if (IS_ERR(hash))
		return PTR_ERR(hash);

	dctx->hash = hash;
	return 0;
}

static void hmac_exit_tfm(struct crypto_shash *parent)
{
	struct hmac_ctx *tctx = crypto_shash_ctx(parent);

	crypto_free_shash(tctx->hash);
}

static int hmac_create(struct crypto_template *tmpl, struct rtattr **tb)
{
	struct shash_instance *inst;
	struct crypto_shash_spawn *spawn;
	struct crypto_alg *alg;
	struct shash_alg *salg;
	u32 mask;
	int err;
	int ds;
	int ss;

	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH, &mask);
	if (err)
		return err;

	inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
	if (!inst)
		return -ENOMEM;
	spawn = shash_instance_ctx(inst);

	err = crypto_grab_shash(spawn, shash_crypto_instance(inst),
				crypto_attr_alg_name(tb[1]), 0, mask);
	if (err)
		goto err_free_inst;
	salg = crypto_spawn_shash_alg(spawn);
	alg = &salg->base;

	/* The underlying hash algorithm must not require a key */
	err = -EINVAL;
	if (crypto_shash_alg_needs_key(salg))
		goto err_free_inst;

	ds = salg->digestsize;
	ss = salg->statesize;
	if (ds > alg->cra_blocksize ||
	    ss < alg->cra_blocksize)
		goto err_free_inst;

	err = crypto_inst_setname(shash_crypto_instance(inst), tmpl->name, alg);
	if (err)
		goto err_free_inst;

	inst->alg.base.cra_priority = alg->cra_priority;
	inst->alg.base.cra_blocksize = alg->cra_blocksize;
	inst->alg.base.cra_ctxsize = sizeof(struct hmac_ctx) + (ss * 2);

	inst->alg.digestsize = ds;
	inst->alg.statesize = ss;
	inst->alg.init = hmac_init;
	inst->alg.update = hmac_update;
	inst->alg.final = hmac_final;
	inst->alg.finup = hmac_finup;
	inst->alg.export = hmac_export;
	inst->alg.import = hmac_import;
	inst->alg.setkey = hmac_setkey;
	inst->alg.init_tfm = hmac_init_tfm;
	inst->alg.clone_tfm = hmac_clone_tfm;
	inst->alg.exit_tfm = hmac_exit_tfm;

	inst->free = shash_free_singlespawn_instance;

	err = shash_register_instance(tmpl, inst);
	if (err) {
err_free_inst:
		shash_free_singlespawn_instance(inst);
	}
	return err;
}

static struct crypto_template hmac_tmpl = {
	.name = "hmac",
	.create = hmac_create,
	.module = THIS_MODULE,
};

static int __init hmac_module_init(void)
{
	return crypto_register_template(&hmac_tmpl);
}

static void __exit hmac_module_exit(void)
{
	crypto_unregister_template(&hmac_tmpl);
}

subsys_initcall(hmac_module_init);
module_exit(hmac_module_exit);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("HMAC hash algorithm");
MODULE_ALIAS_CRYPTO("hmac");
Commit	Line	Data
2874c5fd	1	// SPDX-License-Identifier: GPL-2.0-or-later
1da177e4 LT	2	/*
	3	* Cryptographic API.
	4	*
	5	* HMAC: Keyed-Hashing for Message Authentication (RFC2104).
	6	*
	7	* Copyright (c) 2002 James Morris <jmorris@intercode.com.au>
0796ae06	8	* Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
1da177e4 LT	9	*
	10	* The HMAC implementation is derived from USAGI.
	11	* Copyright (c) 2002 Kazunori Miyazawa <miyazawa@linux-ipv6.org> / USAGI
1da177e4	12	*/
0796ae06	13
03d7db56	14	#include <crypto/hmac.h>
5f7082ed	15	#include <crypto/internal/hash.h>
b2ab4a57	16	#include <crypto/scatterwalk.h>
0796ae06	17	#include <linux/err.h>
37f36e57	18	#include <linux/fips.h>
0796ae06 HX	19	#include <linux/init.h>
	20	#include <linux/kernel.h>
	21	#include <linux/module.h>
378f058c	22	#include <linux/scatterlist.h>
0796ae06 HX	23	#include <linux/string.h>
	24
	25	struct hmac_ctx {
0b767b4d	26	struct crypto_shash *hash;
25c74a39 EB	27	/* Contains 'u8 ipad[statesize];', then 'u8 opad[statesize];' */
25c74a39 EB	28	u8 pads[];
0796ae06	29	};
1da177e4	30
8bd1209c	31	static int hmac_setkey(struct crypto_shash *parent,
0796ae06 HX	32	const u8 *inkey, unsigned int keylen)
0796ae06 HX	33	{
8bd1209c HX	34	int bs = crypto_shash_blocksize(parent);
8bd1209c HX	35	int ds = crypto_shash_digestsize(parent);
0b767b4d	36	int ss = crypto_shash_statesize(parent);
25c74a39 EB	37	struct hmac_ctx *tctx = crypto_shash_ctx(parent);
	38	struct crypto_shash *hash = tctx->hash;
	39	u8 *ipad = &tctx->pads[0];
	40	u8 *opad = &tctx->pads[ss];
ffb32e97	41	SHASH_DESC_ON_STACK(shash, hash);
0796ae06 HX	42	unsigned int i;
0796ae06 HX	43
37f36e57 SM	44	if (fips_enabled && (keylen < 112 / 8))
	45	return -EINVAL;
	46
ffb32e97	47	shash->tfm = hash;
0b767b4d	48
0796ae06	49	if (keylen > bs) {
0796ae06 HX	50	int err;
0796ae06 HX	51
ffb32e97	52	err = crypto_shash_digest(shash, inkey, keylen, ipad);
0796ae06 HX	53	if (err)
	54	return err;
	55
0796ae06	56	keylen = ds;
0b767b4d HX	57	} else
0b767b4d HX	58	memcpy(ipad, inkey, keylen);
0796ae06	59
0796ae06 HX	60	memset(ipad + keylen, 0, bs - keylen);
	61	memcpy(opad, ipad, bs);
	62
	63	for (i = 0; i < bs; i++) {
03d7db56 CL	64	ipad[i] ^= HMAC_IPAD_VALUE;
03d7db56 CL	65	opad[i] ^= HMAC_OPAD_VALUE;
0796ae06 HX	66	}
0796ae06 HX	67
ffb32e97 JSM	68	return crypto_shash_init(shash) ?:
	69	crypto_shash_update(shash, ipad, bs) ?:
	70	crypto_shash_export(shash, ipad) ?:
	71	crypto_shash_init(shash) ?:
	72	crypto_shash_update(shash, opad, bs) ?:
	73	crypto_shash_export(shash, opad);
0796ae06 HX	74	}
0796ae06 HX	75
0b767b4d HX	76	static int hmac_export(struct shash_desc pdesc, void out)
	77	{
	78	struct shash_desc *desc = shash_desc_ctx(pdesc);
	79
0b767b4d HX	80	return crypto_shash_export(desc, out);
	81	}
	82
	83	static int hmac_import(struct shash_desc pdesc, const void in)
0796ae06	84	{
8bd1209c	85	struct shash_desc *desc = shash_desc_ctx(pdesc);
25c74a39	86	const struct hmac_ctx *tctx = crypto_shash_ctx(pdesc->tfm);
8bd1209c	87
25c74a39	88	desc->tfm = tctx->hash;
8bd1209c	89
0b767b4d HX	90	return crypto_shash_import(desc, in);
	91	}
	92
	93	static int hmac_init(struct shash_desc *pdesc)
	94	{
25c74a39 EB	95	const struct hmac_ctx *tctx = crypto_shash_ctx(pdesc->tfm);
	96
	97	return hmac_import(pdesc, &tctx->pads[0]);
0796ae06 HX	98	}
0796ae06 HX	99
8bd1209c HX	100	static int hmac_update(struct shash_desc *pdesc,
8bd1209c HX	101	const u8 *data, unsigned int nbytes)
0796ae06	102	{
8bd1209c	103	struct shash_desc *desc = shash_desc_ctx(pdesc);
0796ae06	104
8bd1209c	105	return crypto_shash_update(desc, data, nbytes);
0796ae06 HX	106	}
0796ae06 HX	107
8bd1209c	108	static int hmac_final(struct shash_desc pdesc, u8 out)
0796ae06	109	{
8bd1209c	110	struct crypto_shash *parent = pdesc->tfm;
8bd1209c	111	int ds = crypto_shash_digestsize(parent);
0b767b4d	112	int ss = crypto_shash_statesize(parent);
25c74a39 EB	113	const struct hmac_ctx *tctx = crypto_shash_ctx(parent);
25c74a39 EB	114	const u8 *opad = &tctx->pads[ss];
8bd1209c	115	struct shash_desc *desc = shash_desc_ctx(pdesc);
0796ae06	116
0b767b4d HX	117	return crypto_shash_final(desc, out) ?:
	118	crypto_shash_import(desc, opad) ?:
	119	crypto_shash_finup(desc, out, ds, out);
0796ae06 HX	120	}
0796ae06 HX	121
8bd1209c HX	122	static int hmac_finup(struct shash_desc pdesc, const u8 data,
8bd1209c HX	123	unsigned int nbytes, u8 *out)
0796ae06	124	{
0796ae06	125
8bd1209c	126	struct crypto_shash *parent = pdesc->tfm;
8bd1209c	127	int ds = crypto_shash_digestsize(parent);
0b767b4d	128	int ss = crypto_shash_statesize(parent);
25c74a39 EB	129	const struct hmac_ctx *tctx = crypto_shash_ctx(parent);
25c74a39 EB	130	const u8 *opad = &tctx->pads[ss];
8bd1209c	131	struct shash_desc *desc = shash_desc_ctx(pdesc);
78c2f0b8	132
0b767b4d HX	133	return crypto_shash_finup(desc, data, nbytes, out) ?:
	134	crypto_shash_import(desc, opad) ?:
	135	crypto_shash_finup(desc, out, ds, out);
0796ae06 HX	136	}
0796ae06 HX	137
d9e1670b	138	static int hmac_init_tfm(struct crypto_shash *parent)
0796ae06	139	{
8bd1209c	140	struct crypto_shash *hash;
d9e1670b HX	141	struct shash_instance *inst = shash_alg_instance(parent);
d9e1670b HX	142	struct crypto_shash_spawn *spawn = shash_instance_ctx(inst);
25c74a39	143	struct hmac_ctx *tctx = crypto_shash_ctx(parent);
0796ae06	144
8bd1209c	145	hash = crypto_spawn_shash(spawn);
2e306ee0 HX	146	if (IS_ERR(hash))
2e306ee0 HX	147	return PTR_ERR(hash);
0796ae06	148
8bd1209c HX	149	parent->descsize = sizeof(struct shash_desc) +
	150	crypto_shash_descsize(hash);
	151
25c74a39	152	tctx->hash = hash;
0796ae06 HX	153	return 0;
	154	}
	155
8538e60d HX	156	static int hmac_clone_tfm(struct crypto_shash dst, struct crypto_shash src)
8538e60d HX	157	{
25c74a39 EB	158	struct hmac_ctx *sctx = crypto_shash_ctx(src);
25c74a39 EB	159	struct hmac_ctx *dctx = crypto_shash_ctx(dst);
8538e60d HX	160	struct crypto_shash *hash;
	161
	162	hash = crypto_clone_shash(sctx->hash);
	163	if (IS_ERR(hash))
	164	return PTR_ERR(hash);
	165
	166	dctx->hash = hash;
	167	return 0;
	168	}
	169
d9e1670b	170	static void hmac_exit_tfm(struct crypto_shash *parent)
0796ae06	171	{
25c74a39	172	struct hmac_ctx *tctx = crypto_shash_ctx(parent);
f75bd28b	173
25c74a39	174	crypto_free_shash(tctx->hash);
0796ae06 HX	175	}
0796ae06 HX	176
8bd1209c	177	static int hmac_create(struct crypto_template tmpl, struct rtattr *tb)
0796ae06	178	{
8bd1209c	179	struct shash_instance *inst;
39e7a283	180	struct crypto_shash_spawn *spawn;
0796ae06	181	struct crypto_alg *alg;
8bd1209c	182	struct shash_alg *salg;
7bcb2c99	183	u32 mask;
ebc610e5	184	int err;
ca786dc7	185	int ds;
0b767b4d	186	int ss;
ebc610e5	187
7bcb2c99	188	err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH, &mask);
ebc610e5	189	if (err)
8bd1209c HX	190	return err;
8bd1209c HX	191
39e7a283 EB	192	inst = kzalloc(sizeof(inst) + sizeof(spawn), GFP_KERNEL);
	193	if (!inst)
	194	return -ENOMEM;
	195	spawn = shash_instance_ctx(inst);
	196
	197	err = crypto_grab_shash(spawn, shash_crypto_instance(inst),
7bcb2c99	198	crypto_attr_alg_name(tb[1]), 0, mask);
39e7a283 EB	199	if (err)
	200	goto err_free_inst;
	201	salg = crypto_spawn_shash_alg(spawn);
af3ff804	202	alg = &salg->base;
8bd1209c	203
c2881789	204	/* The underlying hash algorithm must not require a key */
8bd1209c	205	err = -EINVAL;
c2881789	206	if (crypto_shash_alg_needs_key(salg))
39e7a283	207	goto err_free_inst;
af3ff804	208
8bd1209c	209	ds = salg->digestsize;
0b767b4d	210	ss = salg->statesize;
0b767b4d HX	211	if (ds > alg->cra_blocksize \|\|
0b767b4d HX	212	ss < alg->cra_blocksize)
39e7a283	213	goto err_free_inst;
ca786dc7	214
39e7a283	215	err = crypto_inst_setname(shash_crypto_instance(inst), tmpl->name, alg);
8bd1209c	216	if (err)
39e7a283	217	goto err_free_inst;
8bd1209c HX	218
	219	inst->alg.base.cra_priority = alg->cra_priority;
	220	inst->alg.base.cra_blocksize = alg->cra_blocksize;
25c74a39	221	inst->alg.base.cra_ctxsize = sizeof(struct hmac_ctx) + (ss * 2);
0796ae06	222
8bd1209c	223	inst->alg.digestsize = ds;
0b767b4d	224	inst->alg.statesize = ss;
8bd1209c HX	225	inst->alg.init = hmac_init;
	226	inst->alg.update = hmac_update;
	227	inst->alg.final = hmac_final;
	228	inst->alg.finup = hmac_finup;
0b767b4d HX	229	inst->alg.export = hmac_export;
0b767b4d HX	230	inst->alg.import = hmac_import;
8bd1209c	231	inst->alg.setkey = hmac_setkey;
d9e1670b	232	inst->alg.init_tfm = hmac_init_tfm;
8538e60d	233	inst->alg.clone_tfm = hmac_clone_tfm;
d9e1670b	234	inst->alg.exit_tfm = hmac_exit_tfm;
8bd1209c	235
a39c66cc EB	236	inst->free = shash_free_singlespawn_instance;
a39c66cc EB	237
8bd1209c HX	238	err = shash_register_instance(tmpl, inst);
8bd1209c HX	239	if (err) {
39e7a283	240	err_free_inst:
a39c66cc	241	shash_free_singlespawn_instance(inst);
8bd1209c	242	}
8bd1209c	243	return err;
0796ae06 HX	244	}
	245
	246	static struct crypto_template hmac_tmpl = {
	247	.name = "hmac",
8bd1209c	248	.create = hmac_create,
0796ae06 HX	249	.module = THIS_MODULE,
	250	};
	251
	252	static int __init hmac_module_init(void)
	253	{
	254	return crypto_register_template(&hmac_tmpl);
	255	}
	256
	257	static void __exit hmac_module_exit(void)
	258	{
	259	crypto_unregister_template(&hmac_tmpl);
	260	}
	261
c4741b23	262	subsys_initcall(hmac_module_init);
0796ae06 HX	263	module_exit(hmac_module_exit);
	264
	265	MODULE_LICENSE("GPL");
	266	MODULE_DESCRIPTION("HMAC hash algorithm");
4943ba16	267	MODULE_ALIAS_CRYPTO("hmac");