162306a36Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-or-later 262306a36Sopenharmony_ci/* 362306a36Sopenharmony_ci * Cryptographic API. 462306a36Sopenharmony_ci * 562306a36Sopenharmony_ci * HMAC: Keyed-Hashing for Message Authentication (RFC2104). 662306a36Sopenharmony_ci * 762306a36Sopenharmony_ci * Copyright (c) 2002 James Morris <jmorris@intercode.com.au> 862306a36Sopenharmony_ci * Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au> 962306a36Sopenharmony_ci * 1062306a36Sopenharmony_ci * The HMAC implementation is derived from USAGI. 1162306a36Sopenharmony_ci * Copyright (c) 2002 Kazunori Miyazawa <miyazawa@linux-ipv6.org> / USAGI 1262306a36Sopenharmony_ci */ 1362306a36Sopenharmony_ci 1462306a36Sopenharmony_ci#include <crypto/hmac.h> 1562306a36Sopenharmony_ci#include <crypto/internal/hash.h> 1662306a36Sopenharmony_ci#include <crypto/scatterwalk.h> 1762306a36Sopenharmony_ci#include <linux/err.h> 1862306a36Sopenharmony_ci#include <linux/fips.h> 1962306a36Sopenharmony_ci#include <linux/init.h> 2062306a36Sopenharmony_ci#include <linux/kernel.h> 2162306a36Sopenharmony_ci#include <linux/module.h> 2262306a36Sopenharmony_ci#include <linux/scatterlist.h> 2362306a36Sopenharmony_ci#include <linux/string.h> 2462306a36Sopenharmony_ci 2562306a36Sopenharmony_cistruct hmac_ctx { 2662306a36Sopenharmony_ci struct crypto_shash *hash; 2762306a36Sopenharmony_ci}; 2862306a36Sopenharmony_ci 2962306a36Sopenharmony_cistatic inline void *align_ptr(void *p, unsigned int align) 3062306a36Sopenharmony_ci{ 3162306a36Sopenharmony_ci return (void *)ALIGN((unsigned long)p, align); 3262306a36Sopenharmony_ci} 3362306a36Sopenharmony_ci 3462306a36Sopenharmony_cistatic inline struct hmac_ctx *hmac_ctx(struct crypto_shash *tfm) 3562306a36Sopenharmony_ci{ 3662306a36Sopenharmony_ci return align_ptr(crypto_shash_ctx_aligned(tfm) + 3762306a36Sopenharmony_ci crypto_shash_statesize(tfm) * 2, 3862306a36Sopenharmony_ci crypto_tfm_ctx_alignment()); 3962306a36Sopenharmony_ci} 4062306a36Sopenharmony_ci 4162306a36Sopenharmony_cistatic int hmac_setkey(struct crypto_shash *parent, 4262306a36Sopenharmony_ci const u8 *inkey, unsigned int keylen) 4362306a36Sopenharmony_ci{ 4462306a36Sopenharmony_ci int bs = crypto_shash_blocksize(parent); 4562306a36Sopenharmony_ci int ds = crypto_shash_digestsize(parent); 4662306a36Sopenharmony_ci int ss = crypto_shash_statesize(parent); 4762306a36Sopenharmony_ci char *ipad = crypto_shash_ctx_aligned(parent); 4862306a36Sopenharmony_ci char *opad = ipad + ss; 4962306a36Sopenharmony_ci struct hmac_ctx *ctx = align_ptr(opad + ss, 5062306a36Sopenharmony_ci crypto_tfm_ctx_alignment()); 5162306a36Sopenharmony_ci struct crypto_shash *hash = ctx->hash; 5262306a36Sopenharmony_ci SHASH_DESC_ON_STACK(shash, hash); 5362306a36Sopenharmony_ci unsigned int i; 5462306a36Sopenharmony_ci 5562306a36Sopenharmony_ci if (fips_enabled && (keylen < 112 / 8)) 5662306a36Sopenharmony_ci return -EINVAL; 5762306a36Sopenharmony_ci 5862306a36Sopenharmony_ci shash->tfm = hash; 5962306a36Sopenharmony_ci 6062306a36Sopenharmony_ci if (keylen > bs) { 6162306a36Sopenharmony_ci int err; 6262306a36Sopenharmony_ci 6362306a36Sopenharmony_ci err = crypto_shash_digest(shash, inkey, keylen, ipad); 6462306a36Sopenharmony_ci if (err) 6562306a36Sopenharmony_ci return err; 6662306a36Sopenharmony_ci 6762306a36Sopenharmony_ci keylen = ds; 6862306a36Sopenharmony_ci } else 6962306a36Sopenharmony_ci memcpy(ipad, inkey, keylen); 7062306a36Sopenharmony_ci 7162306a36Sopenharmony_ci memset(ipad + keylen, 0, bs - keylen); 7262306a36Sopenharmony_ci memcpy(opad, ipad, bs); 7362306a36Sopenharmony_ci 7462306a36Sopenharmony_ci for (i = 0; i < bs; i++) { 7562306a36Sopenharmony_ci ipad[i] ^= HMAC_IPAD_VALUE; 7662306a36Sopenharmony_ci opad[i] ^= HMAC_OPAD_VALUE; 7762306a36Sopenharmony_ci } 7862306a36Sopenharmony_ci 7962306a36Sopenharmony_ci return crypto_shash_init(shash) ?: 8062306a36Sopenharmony_ci crypto_shash_update(shash, ipad, bs) ?: 8162306a36Sopenharmony_ci crypto_shash_export(shash, ipad) ?: 8262306a36Sopenharmony_ci crypto_shash_init(shash) ?: 8362306a36Sopenharmony_ci crypto_shash_update(shash, opad, bs) ?: 8462306a36Sopenharmony_ci crypto_shash_export(shash, opad); 8562306a36Sopenharmony_ci} 8662306a36Sopenharmony_ci 8762306a36Sopenharmony_cistatic int hmac_export(struct shash_desc *pdesc, void *out) 8862306a36Sopenharmony_ci{ 8962306a36Sopenharmony_ci struct shash_desc *desc = shash_desc_ctx(pdesc); 9062306a36Sopenharmony_ci 9162306a36Sopenharmony_ci return crypto_shash_export(desc, out); 9262306a36Sopenharmony_ci} 9362306a36Sopenharmony_ci 9462306a36Sopenharmony_cistatic int hmac_import(struct shash_desc *pdesc, const void *in) 9562306a36Sopenharmony_ci{ 9662306a36Sopenharmony_ci struct shash_desc *desc = shash_desc_ctx(pdesc); 9762306a36Sopenharmony_ci struct hmac_ctx *ctx = hmac_ctx(pdesc->tfm); 9862306a36Sopenharmony_ci 9962306a36Sopenharmony_ci desc->tfm = ctx->hash; 10062306a36Sopenharmony_ci 10162306a36Sopenharmony_ci return crypto_shash_import(desc, in); 10262306a36Sopenharmony_ci} 10362306a36Sopenharmony_ci 10462306a36Sopenharmony_cistatic int hmac_init(struct shash_desc *pdesc) 10562306a36Sopenharmony_ci{ 10662306a36Sopenharmony_ci return hmac_import(pdesc, crypto_shash_ctx_aligned(pdesc->tfm)); 10762306a36Sopenharmony_ci} 10862306a36Sopenharmony_ci 10962306a36Sopenharmony_cistatic int hmac_update(struct shash_desc *pdesc, 11062306a36Sopenharmony_ci const u8 *data, unsigned int nbytes) 11162306a36Sopenharmony_ci{ 11262306a36Sopenharmony_ci struct shash_desc *desc = shash_desc_ctx(pdesc); 11362306a36Sopenharmony_ci 11462306a36Sopenharmony_ci return crypto_shash_update(desc, data, nbytes); 11562306a36Sopenharmony_ci} 11662306a36Sopenharmony_ci 11762306a36Sopenharmony_cistatic int hmac_final(struct shash_desc *pdesc, u8 *out) 11862306a36Sopenharmony_ci{ 11962306a36Sopenharmony_ci struct crypto_shash *parent = pdesc->tfm; 12062306a36Sopenharmony_ci int ds = crypto_shash_digestsize(parent); 12162306a36Sopenharmony_ci int ss = crypto_shash_statesize(parent); 12262306a36Sopenharmony_ci char *opad = crypto_shash_ctx_aligned(parent) + ss; 12362306a36Sopenharmony_ci struct shash_desc *desc = shash_desc_ctx(pdesc); 12462306a36Sopenharmony_ci 12562306a36Sopenharmony_ci return crypto_shash_final(desc, out) ?: 12662306a36Sopenharmony_ci crypto_shash_import(desc, opad) ?: 12762306a36Sopenharmony_ci crypto_shash_finup(desc, out, ds, out); 12862306a36Sopenharmony_ci} 12962306a36Sopenharmony_ci 13062306a36Sopenharmony_cistatic int hmac_finup(struct shash_desc *pdesc, const u8 *data, 13162306a36Sopenharmony_ci unsigned int nbytes, u8 *out) 13262306a36Sopenharmony_ci{ 13362306a36Sopenharmony_ci 13462306a36Sopenharmony_ci struct crypto_shash *parent = pdesc->tfm; 13562306a36Sopenharmony_ci int ds = crypto_shash_digestsize(parent); 13662306a36Sopenharmony_ci int ss = crypto_shash_statesize(parent); 13762306a36Sopenharmony_ci char *opad = crypto_shash_ctx_aligned(parent) + ss; 13862306a36Sopenharmony_ci struct shash_desc *desc = shash_desc_ctx(pdesc); 13962306a36Sopenharmony_ci 14062306a36Sopenharmony_ci return crypto_shash_finup(desc, data, nbytes, out) ?: 14162306a36Sopenharmony_ci crypto_shash_import(desc, opad) ?: 14262306a36Sopenharmony_ci crypto_shash_finup(desc, out, ds, out); 14362306a36Sopenharmony_ci} 14462306a36Sopenharmony_ci 14562306a36Sopenharmony_cistatic int hmac_init_tfm(struct crypto_shash *parent) 14662306a36Sopenharmony_ci{ 14762306a36Sopenharmony_ci struct crypto_shash *hash; 14862306a36Sopenharmony_ci struct shash_instance *inst = shash_alg_instance(parent); 14962306a36Sopenharmony_ci struct crypto_shash_spawn *spawn = shash_instance_ctx(inst); 15062306a36Sopenharmony_ci struct hmac_ctx *ctx = hmac_ctx(parent); 15162306a36Sopenharmony_ci 15262306a36Sopenharmony_ci hash = crypto_spawn_shash(spawn); 15362306a36Sopenharmony_ci if (IS_ERR(hash)) 15462306a36Sopenharmony_ci return PTR_ERR(hash); 15562306a36Sopenharmony_ci 15662306a36Sopenharmony_ci parent->descsize = sizeof(struct shash_desc) + 15762306a36Sopenharmony_ci crypto_shash_descsize(hash); 15862306a36Sopenharmony_ci 15962306a36Sopenharmony_ci ctx->hash = hash; 16062306a36Sopenharmony_ci return 0; 16162306a36Sopenharmony_ci} 16262306a36Sopenharmony_ci 16362306a36Sopenharmony_cistatic int hmac_clone_tfm(struct crypto_shash *dst, struct crypto_shash *src) 16462306a36Sopenharmony_ci{ 16562306a36Sopenharmony_ci struct hmac_ctx *sctx = hmac_ctx(src); 16662306a36Sopenharmony_ci struct hmac_ctx *dctx = hmac_ctx(dst); 16762306a36Sopenharmony_ci struct crypto_shash *hash; 16862306a36Sopenharmony_ci 16962306a36Sopenharmony_ci hash = crypto_clone_shash(sctx->hash); 17062306a36Sopenharmony_ci if (IS_ERR(hash)) 17162306a36Sopenharmony_ci return PTR_ERR(hash); 17262306a36Sopenharmony_ci 17362306a36Sopenharmony_ci dctx->hash = hash; 17462306a36Sopenharmony_ci return 0; 17562306a36Sopenharmony_ci} 17662306a36Sopenharmony_ci 17762306a36Sopenharmony_cistatic void hmac_exit_tfm(struct crypto_shash *parent) 17862306a36Sopenharmony_ci{ 17962306a36Sopenharmony_ci struct hmac_ctx *ctx = hmac_ctx(parent); 18062306a36Sopenharmony_ci 18162306a36Sopenharmony_ci crypto_free_shash(ctx->hash); 18262306a36Sopenharmony_ci} 18362306a36Sopenharmony_ci 18462306a36Sopenharmony_cistatic int hmac_create(struct crypto_template *tmpl, struct rtattr **tb) 18562306a36Sopenharmony_ci{ 18662306a36Sopenharmony_ci struct shash_instance *inst; 18762306a36Sopenharmony_ci struct crypto_shash_spawn *spawn; 18862306a36Sopenharmony_ci struct crypto_alg *alg; 18962306a36Sopenharmony_ci struct shash_alg *salg; 19062306a36Sopenharmony_ci u32 mask; 19162306a36Sopenharmony_ci int err; 19262306a36Sopenharmony_ci int ds; 19362306a36Sopenharmony_ci int ss; 19462306a36Sopenharmony_ci 19562306a36Sopenharmony_ci err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_SHASH, &mask); 19662306a36Sopenharmony_ci if (err) 19762306a36Sopenharmony_ci return err; 19862306a36Sopenharmony_ci 19962306a36Sopenharmony_ci inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL); 20062306a36Sopenharmony_ci if (!inst) 20162306a36Sopenharmony_ci return -ENOMEM; 20262306a36Sopenharmony_ci spawn = shash_instance_ctx(inst); 20362306a36Sopenharmony_ci 20462306a36Sopenharmony_ci err = crypto_grab_shash(spawn, shash_crypto_instance(inst), 20562306a36Sopenharmony_ci crypto_attr_alg_name(tb[1]), 0, mask); 20662306a36Sopenharmony_ci if (err) 20762306a36Sopenharmony_ci goto err_free_inst; 20862306a36Sopenharmony_ci salg = crypto_spawn_shash_alg(spawn); 20962306a36Sopenharmony_ci alg = &salg->base; 21062306a36Sopenharmony_ci 21162306a36Sopenharmony_ci /* The underlying hash algorithm must not require a key */ 21262306a36Sopenharmony_ci err = -EINVAL; 21362306a36Sopenharmony_ci if (crypto_shash_alg_needs_key(salg)) 21462306a36Sopenharmony_ci goto err_free_inst; 21562306a36Sopenharmony_ci 21662306a36Sopenharmony_ci ds = salg->digestsize; 21762306a36Sopenharmony_ci ss = salg->statesize; 21862306a36Sopenharmony_ci if (ds > alg->cra_blocksize || 21962306a36Sopenharmony_ci ss < alg->cra_blocksize) 22062306a36Sopenharmony_ci goto err_free_inst; 22162306a36Sopenharmony_ci 22262306a36Sopenharmony_ci err = crypto_inst_setname(shash_crypto_instance(inst), tmpl->name, alg); 22362306a36Sopenharmony_ci if (err) 22462306a36Sopenharmony_ci goto err_free_inst; 22562306a36Sopenharmony_ci 22662306a36Sopenharmony_ci inst->alg.base.cra_priority = alg->cra_priority; 22762306a36Sopenharmony_ci inst->alg.base.cra_blocksize = alg->cra_blocksize; 22862306a36Sopenharmony_ci inst->alg.base.cra_alignmask = alg->cra_alignmask; 22962306a36Sopenharmony_ci 23062306a36Sopenharmony_ci ss = ALIGN(ss, alg->cra_alignmask + 1); 23162306a36Sopenharmony_ci inst->alg.digestsize = ds; 23262306a36Sopenharmony_ci inst->alg.statesize = ss; 23362306a36Sopenharmony_ci 23462306a36Sopenharmony_ci inst->alg.base.cra_ctxsize = sizeof(struct hmac_ctx) + 23562306a36Sopenharmony_ci ALIGN(ss * 2, crypto_tfm_ctx_alignment()); 23662306a36Sopenharmony_ci 23762306a36Sopenharmony_ci inst->alg.init = hmac_init; 23862306a36Sopenharmony_ci inst->alg.update = hmac_update; 23962306a36Sopenharmony_ci inst->alg.final = hmac_final; 24062306a36Sopenharmony_ci inst->alg.finup = hmac_finup; 24162306a36Sopenharmony_ci inst->alg.export = hmac_export; 24262306a36Sopenharmony_ci inst->alg.import = hmac_import; 24362306a36Sopenharmony_ci inst->alg.setkey = hmac_setkey; 24462306a36Sopenharmony_ci inst->alg.init_tfm = hmac_init_tfm; 24562306a36Sopenharmony_ci inst->alg.clone_tfm = hmac_clone_tfm; 24662306a36Sopenharmony_ci inst->alg.exit_tfm = hmac_exit_tfm; 24762306a36Sopenharmony_ci 24862306a36Sopenharmony_ci inst->free = shash_free_singlespawn_instance; 24962306a36Sopenharmony_ci 25062306a36Sopenharmony_ci err = shash_register_instance(tmpl, inst); 25162306a36Sopenharmony_ci if (err) { 25262306a36Sopenharmony_cierr_free_inst: 25362306a36Sopenharmony_ci shash_free_singlespawn_instance(inst); 25462306a36Sopenharmony_ci } 25562306a36Sopenharmony_ci return err; 25662306a36Sopenharmony_ci} 25762306a36Sopenharmony_ci 25862306a36Sopenharmony_cistatic struct crypto_template hmac_tmpl = { 25962306a36Sopenharmony_ci .name = "hmac", 26062306a36Sopenharmony_ci .create = hmac_create, 26162306a36Sopenharmony_ci .module = THIS_MODULE, 26262306a36Sopenharmony_ci}; 26362306a36Sopenharmony_ci 26462306a36Sopenharmony_cistatic int __init hmac_module_init(void) 26562306a36Sopenharmony_ci{ 26662306a36Sopenharmony_ci return crypto_register_template(&hmac_tmpl); 26762306a36Sopenharmony_ci} 26862306a36Sopenharmony_ci 26962306a36Sopenharmony_cistatic void __exit hmac_module_exit(void) 27062306a36Sopenharmony_ci{ 27162306a36Sopenharmony_ci crypto_unregister_template(&hmac_tmpl); 27262306a36Sopenharmony_ci} 27362306a36Sopenharmony_ci 27462306a36Sopenharmony_cisubsys_initcall(hmac_module_init); 27562306a36Sopenharmony_cimodule_exit(hmac_module_exit); 27662306a36Sopenharmony_ci 27762306a36Sopenharmony_ciMODULE_LICENSE("GPL"); 27862306a36Sopenharmony_ciMODULE_DESCRIPTION("HMAC hash algorithm"); 27962306a36Sopenharmony_ciMODULE_ALIAS_CRYPTO("hmac"); 280