Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / kernel / shift / mainline / 83dee2ce1ae791c3dc0c9d4d3a8d42cb109613f6 / . / crypto / sha3_generic.c
blob: 5fecb609e3be4cfd381a925e3f5408f6485dccc1 [file] [log] [blame]
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]1/*
2 * Cryptographic API.
3 *
4 * SHA-3, as specified in
5 * http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
6 *
7 * SHA-3 code by Jeff Garzik <jeff@garzik.org>
Ard Biesheuvel83dee2c2018-01-19 12:04:34 +0000[diff] [blame^]8 * Ard Biesheuvel <ard.biesheuvel@linaro.org>
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]9 *
10 * This program is free software; you can redistribute it and/or modify it
11 * under the terms of the GNU General Public License as published by the Free
12 * Software Foundation; either version 2 of the License, or (at your option)•
13 * any later version.
14 *
15 */
16#include <crypto/internal/hash.h>
17#include <linux/init.h>
18#include <linux/module.h>
19#include <linux/types.h>
20#include <crypto/sha3.h>
21#include <asm/byteorder.h>
Ard Biesheuvelc013cee2018-01-19 12:04:33 +0000[diff] [blame]22#include <asm/unaligned.h>
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]23
24#define KECCAK_ROUNDS 24
25
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]26static const u64 keccakf_rndc[24] = {
Geert Uytterhoevenf743e702016-08-03 19:37:03 +0200[diff] [blame]27 0x0000000000000001ULL, 0x0000000000008082ULL, 0x800000000000808aULL,
28 0x8000000080008000ULL, 0x000000000000808bULL, 0x0000000080000001ULL,
29 0x8000000080008081ULL, 0x8000000000008009ULL, 0x000000000000008aULL,
30 0x0000000000000088ULL, 0x0000000080008009ULL, 0x000000008000000aULL,
31 0x000000008000808bULL, 0x800000000000008bULL, 0x8000000000008089ULL,
32 0x8000000000008003ULL, 0x8000000000008002ULL, 0x8000000000000080ULL,
33 0x000000000000800aULL, 0x800000008000000aULL, 0x8000000080008081ULL,
34 0x8000000000008080ULL, 0x0000000080000001ULL, 0x8000000080008008ULL
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]35};
36
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]37/* update the state with given number of rounds */
38
Ard Biesheuvel83dee2c2018-01-19 12:04:34 +0000[diff] [blame^]39static void __attribute__((__optimize__("O3"))) keccakf(u64 st[25])
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]40{
Ard Biesheuvel83dee2c2018-01-19 12:04:34 +0000[diff] [blame^]41 u64 t[5], tt, bc[5];
42 int round;
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]43
44 for (round = 0; round < KECCAK_ROUNDS; round++) {
45
46 /* Theta */
Ard Biesheuvel83dee2c2018-01-19 12:04:34 +0000[diff] [blame^]47 bc[0] = st[0] ^ st[5] ^ st[10] ^ st[15] ^ st[20];
48 bc[1] = st[1] ^ st[6] ^ st[11] ^ st[16] ^ st[21];
49 bc[2] = st[2] ^ st[7] ^ st[12] ^ st[17] ^ st[22];
50 bc[3] = st[3] ^ st[8] ^ st[13] ^ st[18] ^ st[23];
51 bc[4] = st[4] ^ st[9] ^ st[14] ^ st[19] ^ st[24];
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]52
Ard Biesheuvel83dee2c2018-01-19 12:04:34 +0000[diff] [blame^]53 t[0] = bc[4] ^ rol64(bc[1], 1);
54 t[1] = bc[0] ^ rol64(bc[2], 1);
55 t[2] = bc[1] ^ rol64(bc[3], 1);
56 t[3] = bc[2] ^ rol64(bc[4], 1);
57 t[4] = bc[3] ^ rol64(bc[0], 1);
58
59 st[0] ^= t[0];
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]60
61 /* Rho Pi */
Ard Biesheuvel83dee2c2018-01-19 12:04:34 +0000[diff] [blame^]62 tt = st[1];
63 st[ 1] = rol64(st[ 6] ^ t[1], 44);
64 st[ 6] = rol64(st[ 9] ^ t[4], 20);
65 st[ 9] = rol64(st[22] ^ t[2], 61);
66 st[22] = rol64(st[14] ^ t[4], 39);
67 st[14] = rol64(st[20] ^ t[0], 18);
68 st[20] = rol64(st[ 2] ^ t[2], 62);
69 st[ 2] = rol64(st[12] ^ t[2], 43);
70 st[12] = rol64(st[13] ^ t[3], 25);
71 st[13] = rol64(st[19] ^ t[4], 8);
72 st[19] = rol64(st[23] ^ t[3], 56);
73 st[23] = rol64(st[15] ^ t[0], 41);
74 st[15] = rol64(st[ 4] ^ t[4], 27);
75 st[ 4] = rol64(st[24] ^ t[4], 14);
76 st[24] = rol64(st[21] ^ t[1], 2);
77 st[21] = rol64(st[ 8] ^ t[3], 55);
78 st[ 8] = rol64(st[16] ^ t[1], 45);
79 st[16] = rol64(st[ 5] ^ t[0], 36);
80 st[ 5] = rol64(st[ 3] ^ t[3], 28);
81 st[ 3] = rol64(st[18] ^ t[3], 21);
82 st[18] = rol64(st[17] ^ t[2], 15);
83 st[17] = rol64(st[11] ^ t[1], 10);
84 st[11] = rol64(st[ 7] ^ t[2], 6);
85 st[ 7] = rol64(st[10] ^ t[0], 3);
86 st[10] = rol64( tt ^ t[1], 1);
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]87
88 /* Chi */
Ard Biesheuvel83dee2c2018-01-19 12:04:34 +0000[diff] [blame^]89 bc[ 0] = ~st[ 1] & st[ 2];
90 bc[ 1] = ~st[ 2] & st[ 3];
91 bc[ 2] = ~st[ 3] & st[ 4];
92 bc[ 3] = ~st[ 4] & st[ 0];
93 bc[ 4] = ~st[ 0] & st[ 1];
94 st[ 0] ^= bc[ 0];
95 st[ 1] ^= bc[ 1];
96 st[ 2] ^= bc[ 2];
97 st[ 3] ^= bc[ 3];
98 st[ 4] ^= bc[ 4];
99
100 bc[ 0] = ~st[ 6] & st[ 7];
101 bc[ 1] = ~st[ 7] & st[ 8];
102 bc[ 2] = ~st[ 8] & st[ 9];
103 bc[ 3] = ~st[ 9] & st[ 5];
104 bc[ 4] = ~st[ 5] & st[ 6];
105 st[ 5] ^= bc[ 0];
106 st[ 6] ^= bc[ 1];
107 st[ 7] ^= bc[ 2];
108 st[ 8] ^= bc[ 3];
109 st[ 9] ^= bc[ 4];
110
111 bc[ 0] = ~st[11] & st[12];
112 bc[ 1] = ~st[12] & st[13];
113 bc[ 2] = ~st[13] & st[14];
114 bc[ 3] = ~st[14] & st[10];
115 bc[ 4] = ~st[10] & st[11];
116 st[10] ^= bc[ 0];
117 st[11] ^= bc[ 1];
118 st[12] ^= bc[ 2];
119 st[13] ^= bc[ 3];
120 st[14] ^= bc[ 4];
121
122 bc[ 0] = ~st[16] & st[17];
123 bc[ 1] = ~st[17] & st[18];
124 bc[ 2] = ~st[18] & st[19];
125 bc[ 3] = ~st[19] & st[15];
126 bc[ 4] = ~st[15] & st[16];
127 st[15] ^= bc[ 0];
128 st[16] ^= bc[ 1];
129 st[17] ^= bc[ 2];
130 st[18] ^= bc[ 3];
131 st[19] ^= bc[ 4];
132
133 bc[ 0] = ~st[21] & st[22];
134 bc[ 1] = ~st[22] & st[23];
135 bc[ 2] = ~st[23] & st[24];
136 bc[ 3] = ~st[24] & st[20];
137 bc[ 4] = ~st[20] & st[21];
138 st[20] ^= bc[ 0];
139 st[21] ^= bc[ 1];
140 st[22] ^= bc[ 2];
141 st[23] ^= bc[ 3];
142 st[24] ^= bc[ 4];
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]143
144 /* Iota */
145 st[0] ^= keccakf_rndc[round];
146 }
147}
148
149static void sha3_init(struct sha3_state *sctx, unsigned int digest_sz)
150{
151 memset(sctx, 0, sizeof(*sctx));
152 sctx->md_len = digest_sz;
153 sctx->rsiz = 200 - 2 * digest_sz;
154 sctx->rsizw = sctx->rsiz / 8;
155}
156
157static int sha3_224_init(struct shash_desc *desc)
158{
159 struct sha3_state *sctx = shash_desc_ctx(desc);
160
161 sha3_init(sctx, SHA3_224_DIGEST_SIZE);
162 return 0;
163}
164
165static int sha3_256_init(struct shash_desc *desc)
166{
167 struct sha3_state *sctx = shash_desc_ctx(desc);
168
169 sha3_init(sctx, SHA3_256_DIGEST_SIZE);
170 return 0;
171}
172
173static int sha3_384_init(struct shash_desc *desc)
174{
175 struct sha3_state *sctx = shash_desc_ctx(desc);
176
177 sha3_init(sctx, SHA3_384_DIGEST_SIZE);
178 return 0;
179}
180
181static int sha3_512_init(struct shash_desc *desc)
182{
183 struct sha3_state *sctx = shash_desc_ctx(desc);
184
185 sha3_init(sctx, SHA3_512_DIGEST_SIZE);
186 return 0;
187}
188
189static int sha3_update(struct shash_desc *desc, const u8 *data,
190 unsigned int len)
191{
192 struct sha3_state *sctx = shash_desc_ctx(desc);
193 unsigned int done;
194 const u8 *src;
195
196 done = 0;
197 src = data;
198
199 if ((sctx->partial + len) > (sctx->rsiz - 1)) {
200 if (sctx->partial) {
201 done = -sctx->partial;
202 memcpy(sctx->buf + sctx->partial, data,
203 done + sctx->rsiz);
204 src = sctx->buf;
205 }
206
207 do {
208 unsigned int i;
209
210 for (i = 0; i < sctx->rsizw; i++)
Ard Biesheuvelc013cee2018-01-19 12:04:33 +0000[diff] [blame]211 sctx->st[i] ^= get_unaligned_le64(src + 8 * i);
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]212 keccakf(sctx->st);
213
214 done += sctx->rsiz;
215 src = data + done;
216 } while (done + (sctx->rsiz - 1) < len);
217
218 sctx->partial = 0;
219 }
220 memcpy(sctx->buf + sctx->partial, src, len - done);
221 sctx->partial += (len - done);
222
223 return 0;
224}
225
226static int sha3_final(struct shash_desc *desc, u8 *out)
227{
228 struct sha3_state *sctx = shash_desc_ctx(desc);
229 unsigned int i, inlen = sctx->partial;
230
231 sctx->buf[inlen++] = 0x06;
232 memset(sctx->buf + inlen, 0, sctx->rsiz - inlen);
233 sctx->buf[sctx->rsiz - 1] |= 0x80;
234
235 for (i = 0; i < sctx->rsizw; i++)
Ard Biesheuvelc013cee2018-01-19 12:04:33 +0000[diff] [blame]236 sctx->st[i] ^= get_unaligned_le64(sctx->buf + 8 * i);
Jeff Garzik53964b92016-06-17 10:30:35 +0530[diff] [blame]237
238 keccakf(sctx->st);
239
240 for (i = 0; i < sctx->rsizw; i++)
241 sctx->st[i] = cpu_to_le64(sctx->st[i]);
242
243 memcpy(out, sctx->st, sctx->md_len);
244
245 memset(sctx, 0, sizeof(*sctx));
246 return 0;
247}
248
249static struct shash_alg sha3_224 = {
250 .digestsize = SHA3_224_DIGEST_SIZE,
251 .init = sha3_224_init,
252 .update = sha3_update,
253 .final = sha3_final,
254 .descsize = sizeof(struct sha3_state),
255 .base = {
256 .cra_name = "sha3-224",
257 .cra_driver_name = "sha3-224-generic",
258 .cra_flags = CRYPTO_ALG_TYPE_SHASH,
259 .cra_blocksize = SHA3_224_BLOCK_SIZE,
260 .cra_module = THIS_MODULE,
261 }
262};
263
264static struct shash_alg sha3_256 = {
265 .digestsize = SHA3_256_DIGEST_SIZE,
266 .init = sha3_256_init,
267 .update = sha3_update,
268 .final = sha3_final,
269 .descsize = sizeof(struct sha3_state),
270 .base = {
271 .cra_name = "sha3-256",
272 .cra_driver_name = "sha3-256-generic",
273 .cra_flags = CRYPTO_ALG_TYPE_SHASH,
274 .cra_blocksize = SHA3_256_BLOCK_SIZE,
275 .cra_module = THIS_MODULE,
276 }
277};
278
279static struct shash_alg sha3_384 = {
280 .digestsize = SHA3_384_DIGEST_SIZE,
281 .init = sha3_384_init,
282 .update = sha3_update,
283 .final = sha3_final,
284 .descsize = sizeof(struct sha3_state),
285 .base = {
286 .cra_name = "sha3-384",
287 .cra_driver_name = "sha3-384-generic",
288 .cra_flags = CRYPTO_ALG_TYPE_SHASH,
289 .cra_blocksize = SHA3_384_BLOCK_SIZE,
290 .cra_module = THIS_MODULE,
291 }
292};
293
294static struct shash_alg sha3_512 = {
295 .digestsize = SHA3_512_DIGEST_SIZE,
296 .init = sha3_512_init,
297 .update = sha3_update,
298 .final = sha3_final,
299 .descsize = sizeof(struct sha3_state),
300 .base = {
301 .cra_name = "sha3-512",
302 .cra_driver_name = "sha3-512-generic",
303 .cra_flags = CRYPTO_ALG_TYPE_SHASH,
304 .cra_blocksize = SHA3_512_BLOCK_SIZE,
305 .cra_module = THIS_MODULE,
306 }
307};
308
309static int __init sha3_generic_mod_init(void)
310{
311 int ret;
312
313 ret = crypto_register_shash(&sha3_224);
314 if (ret < 0)
315 goto err_out;
316 ret = crypto_register_shash(&sha3_256);
317 if (ret < 0)
318 goto err_out_224;
319 ret = crypto_register_shash(&sha3_384);
320 if (ret < 0)
321 goto err_out_256;
322 ret = crypto_register_shash(&sha3_512);
323 if (ret < 0)
324 goto err_out_384;
325
326 return 0;
327
328err_out_384:
329 crypto_unregister_shash(&sha3_384);
330err_out_256:
331 crypto_unregister_shash(&sha3_256);
332err_out_224:
333 crypto_unregister_shash(&sha3_224);
334err_out:
335 return ret;
336}
337
338static void __exit sha3_generic_mod_fini(void)
339{
340 crypto_unregister_shash(&sha3_224);
341 crypto_unregister_shash(&sha3_256);
342 crypto_unregister_shash(&sha3_384);
343 crypto_unregister_shash(&sha3_512);
344}
345
346module_init(sha3_generic_mod_init);
347module_exit(sha3_generic_mod_fini);
348
349MODULE_LICENSE("GPL");
350MODULE_DESCRIPTION("SHA-3 Secure Hash Algorithm");
351
352MODULE_ALIAS_CRYPTO("sha3-224");
353MODULE_ALIAS_CRYPTO("sha3-224-generic");
354MODULE_ALIAS_CRYPTO("sha3-256");
355MODULE_ALIAS_CRYPTO("sha3-256-generic");
356MODULE_ALIAS_CRYPTO("sha3-384");
357MODULE_ALIAS_CRYPTO("sha3-384-generic");
358MODULE_ALIAS_CRYPTO("sha3-512");
359MODULE_ALIAS_CRYPTO("sha3-512-generic");