From: Darrick J. Wong <djwong@xxxxxxxxxx> Add a generic implementation of this hash algorithm. Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx> --- include/libxfs.h | 1 io/crc32cselftest.c | 22 ++++ libfrog/Makefile | 10 +- libfrog/sha512.c | 249 ++++++++++++++++++++++++++++++++++++++++++++++ libfrog/sha512.h | 33 ++++++ libfrog/sha512selftest.h | 86 ++++++++++++++++ man/man8/xfs_io.8 | 4 + mkfs/xfs_mkfs.c | 8 + repair/init.c | 5 + 9 files changed, 416 insertions(+), 2 deletions(-) create mode 100644 libfrog/sha512.c create mode 100644 libfrog/sha512.h create mode 100644 libfrog/sha512selftest.h diff --git a/include/libxfs.h b/include/libxfs.h index a38d78a1..23756f27 100644 --- a/include/libxfs.h +++ b/include/libxfs.h @@ -38,6 +38,7 @@ extern uint32_t crc32c_le(uint32_t crc, unsigned char const *p, size_t len); /* fake up kernel's iomap, (not) used in xfs_bmap.[ch] */ struct iomap; #include "xfs_cksum.h" +#include "libfrog/sha512.h" #define __round_mask(x, y) ((__typeof__(x))((y)-1)) #define round_up(x, y) ((((x)-1) | __round_mask(x, y))+1) diff --git a/io/crc32cselftest.c b/io/crc32cselftest.c index 49eb5b6d..ebef6fe0 100644 --- a/io/crc32cselftest.c +++ b/io/crc32cselftest.c @@ -10,6 +10,8 @@ #include "io.h" #include "libfrog/crc32c.h" #include "libfrog/crc32cselftest.h" +#include "libfrog/sha512.h" +#include "libfrog/sha512selftest.h" static int crc32cselftest_f( @@ -30,8 +32,28 @@ static const cmdinfo_t crc32cselftest_cmd = { .oneline = N_("self test of crc32c implementation"), }; +static int +sha512selftest_f( + int argc, + char **argv) +{ + return sha512_test(0) != 0; +} + +static const cmdinfo_t sha512selftest_cmd = { + .name = "sha512selftest", + .cfunc = sha512selftest_f, + .argmin = 0, + .argmax = 0, + .canpush = 0, + .flags = CMD_FLAG_ONESHOT | CMD_FLAG_FOREIGN_OK | + CMD_NOFILE_OK | CMD_NOMAP_OK, + .oneline = N_("self test of sha512 implementation"), +}; + void crc32cselftest_init(void) { add_command(&crc32cselftest_cmd); + add_command(&sha512selftest_cmd); } diff --git a/libfrog/Makefile b/libfrog/Makefile index 5622ab9b..752fb9c7 100644 --- a/libfrog/Makefile +++ b/libfrog/Makefile @@ -28,6 +28,7 @@ projects.c \ ptvar.c \ radix-tree.c \ scrub.c \ +sha512.c \ util.c \ workqueue.c @@ -48,6 +49,7 @@ projects.h \ ptvar.h \ radix-tree.h \ scrub.h \ +sha512.h \ workqueue.h LSRCFILES += gen_crc32table.c @@ -56,9 +58,9 @@ ifeq ($(HAVE_GETMNTENT),yes) LCFLAGS += -DHAVE_GETMNTENT endif -LDIRT = gen_crc32table crc32table.h crc32selftest +LDIRT = gen_crc32table crc32table.h crc32selftest sha512selftest -default: crc32selftest ltdepend $(LTLIBRARY) +default: crc32selftest sha512selftest ltdepend $(LTLIBRARY) crc32table.h: gen_crc32table.c crc32defs.h @echo " [CC] gen_crc32table" @@ -75,6 +77,10 @@ crc32selftest: gen_crc32table.c crc32table.h crc32.c crc32defs.h @echo " [TEST] CRC32" $(Q) $(BUILD_CC) $(BUILD_CFLAGS) -D CRC32_SELFTEST=1 crc32.c -o $@ $(Q) ./$@ +sha512selftest: sha512.h sha512selftest.h sha512.c + @echo " [TEST] SHA512" + $(Q) $(BUILD_CC) $(BUILD_CFLAGS) -D SHA512_SELFTEST=1 sha512.c -o $@ + $(Q) ./$@ include $(BUILDRULES) diff --git a/libfrog/sha512.c b/libfrog/sha512.c new file mode 100644 index 00000000..741e03be --- /dev/null +++ b/libfrog/sha512.c @@ -0,0 +1,249 @@ +/* + * sha512.c --- The sha512 algorithm + * + * Copyright (C) 2004 Sam Hocevar <sam@xxxxxxxxxxx> + * (copied from libtomcrypt and then relicensed under GPLv2) + * (and later copied from e2fsprogs) + * + * %Begin-Header% + * This file may be redistributed under the terms of the GNU Library + * General Public License, version 2. + * %End-Header% + */ +#include <string.h> +#include "xfs.h" +#include "libfrog/sha512.h" + +/* the K array */ +#define CONST64(n) n +static const __u64 K[80] = { + CONST64(0x428a2f98d728ae22), CONST64(0x7137449123ef65cd), + CONST64(0xb5c0fbcfec4d3b2f), CONST64(0xe9b5dba58189dbbc), + CONST64(0x3956c25bf348b538), CONST64(0x59f111f1b605d019), + CONST64(0x923f82a4af194f9b), CONST64(0xab1c5ed5da6d8118), + CONST64(0xd807aa98a3030242), CONST64(0x12835b0145706fbe), + CONST64(0x243185be4ee4b28c), CONST64(0x550c7dc3d5ffb4e2), + CONST64(0x72be5d74f27b896f), CONST64(0x80deb1fe3b1696b1), + CONST64(0x9bdc06a725c71235), CONST64(0xc19bf174cf692694), + CONST64(0xe49b69c19ef14ad2), CONST64(0xefbe4786384f25e3), + CONST64(0x0fc19dc68b8cd5b5), CONST64(0x240ca1cc77ac9c65), + CONST64(0x2de92c6f592b0275), CONST64(0x4a7484aa6ea6e483), + CONST64(0x5cb0a9dcbd41fbd4), CONST64(0x76f988da831153b5), + CONST64(0x983e5152ee66dfab), CONST64(0xa831c66d2db43210), + CONST64(0xb00327c898fb213f), CONST64(0xbf597fc7beef0ee4), + CONST64(0xc6e00bf33da88fc2), CONST64(0xd5a79147930aa725), + CONST64(0x06ca6351e003826f), CONST64(0x142929670a0e6e70), + CONST64(0x27b70a8546d22ffc), CONST64(0x2e1b21385c26c926), + CONST64(0x4d2c6dfc5ac42aed), CONST64(0x53380d139d95b3df), + CONST64(0x650a73548baf63de), CONST64(0x766a0abb3c77b2a8), + CONST64(0x81c2c92e47edaee6), CONST64(0x92722c851482353b), + CONST64(0xa2bfe8a14cf10364), CONST64(0xa81a664bbc423001), + CONST64(0xc24b8b70d0f89791), CONST64(0xc76c51a30654be30), + CONST64(0xd192e819d6ef5218), CONST64(0xd69906245565a910), + CONST64(0xf40e35855771202a), CONST64(0x106aa07032bbd1b8), + CONST64(0x19a4c116b8d2d0c8), CONST64(0x1e376c085141ab53), + CONST64(0x2748774cdf8eeb99), CONST64(0x34b0bcb5e19b48a8), + CONST64(0x391c0cb3c5c95a63), CONST64(0x4ed8aa4ae3418acb), + CONST64(0x5b9cca4f7763e373), CONST64(0x682e6ff3d6b2b8a3), + CONST64(0x748f82ee5defb2fc), CONST64(0x78a5636f43172f60), + CONST64(0x84c87814a1f0ab72), CONST64(0x8cc702081a6439ec), + CONST64(0x90befffa23631e28), CONST64(0xa4506cebde82bde9), + CONST64(0xbef9a3f7b2c67915), CONST64(0xc67178f2e372532b), + CONST64(0xca273eceea26619c), CONST64(0xd186b8c721c0c207), + CONST64(0xeada7dd6cde0eb1e), CONST64(0xf57d4f7fee6ed178), + CONST64(0x06f067aa72176fba), CONST64(0x0a637dc5a2c898a6), + CONST64(0x113f9804bef90dae), CONST64(0x1b710b35131c471b), + CONST64(0x28db77f523047d84), CONST64(0x32caab7b40c72493), + CONST64(0x3c9ebe0a15c9bebc), CONST64(0x431d67c49c100d4c), + CONST64(0x4cc5d4becb3e42b6), CONST64(0x597f299cfc657e2a), + CONST64(0x5fcb6fab3ad6faec), CONST64(0x6c44198c4a475817) +}; +#define Ch(x,y,z) (z ^ (x & (y ^ z))) +#define Maj(x,y,z) (((x | y) & z) | (x & y)) +#define S(x, n) ROR64c(x, n) +#define R(x, n) (((x)&CONST64(0xFFFFFFFFFFFFFFFF))>>((__u64)n)) +#define Sigma0(x) (S(x, 28) ^ S(x, 34) ^ S(x, 39)) +#define Sigma1(x) (S(x, 14) ^ S(x, 18) ^ S(x, 41)) +#define Gamma0(x) (S(x, 1) ^ S(x, 8) ^ R(x, 7)) +#define Gamma1(x) (S(x, 19) ^ S(x, 61) ^ R(x, 6)) +#define RND(a,b,c,d,e,f,g,h,i)\ + t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];\ + t1 = Sigma0(a) + Maj(a, b, c);\ + d += t0;\ + h = t0 + t1; +#define STORE64H(x, y) \ + do { \ + (y)[0] = (unsigned char)(((x)>>56)&255);\ + (y)[1] = (unsigned char)(((x)>>48)&255);\ + (y)[2] = (unsigned char)(((x)>>40)&255);\ + (y)[3] = (unsigned char)(((x)>>32)&255);\ + (y)[4] = (unsigned char)(((x)>>24)&255);\ + (y)[5] = (unsigned char)(((x)>>16)&255);\ + (y)[6] = (unsigned char)(((x)>>8)&255);\ + (y)[7] = (unsigned char)((x)&255); } while(0) + +#define LOAD64H(x, y)\ + do {x = \ + (((__u64)((y)[0] & 255)) << 56) |\ + (((__u64)((y)[1] & 255)) << 48) |\ + (((__u64)((y)[2] & 255)) << 40) |\ + (((__u64)((y)[3] & 255)) << 32) |\ + (((__u64)((y)[4] & 255)) << 24) |\ + (((__u64)((y)[5] & 255)) << 16) |\ + (((__u64)((y)[6] & 255)) << 8) |\ + (((__u64)((y)[7] & 255)));\ + } while(0) + +#define ROR64c(x, y) \ + ( ((((x)&CONST64(0xFFFFFFFFFFFFFFFF))>>((__u64)(y)&CONST64(63))) | \ + ((x)<<((__u64)(64-((y)&CONST64(63)))))) & CONST64(0xFFFFFFFFFFFFFFFF)) + +static void sha512_compress(struct sha512_state * md, const unsigned char *buf) +{ + __u64 S[8], W[80], t0, t1; + int i; + + /* copy state into S */ + for (i = 0; i < 8; i++) { + S[i] = md->state[i]; + } + + /* copy the state into 1024-bits into W[0..15] */ + for (i = 0; i < 16; i++) { + LOAD64H(W[i], buf + (8*i)); + } + + /* fill W[16..79] */ + for (i = 16; i < 80; i++) { + W[i] = Gamma1(W[i - 2]) + W[i - 7] + + Gamma0(W[i - 15]) + W[i - 16]; + } + + for (i = 0; i < 80; i += 8) { + RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],i+0); + RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],i+1); + RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],i+2); + RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],i+3); + RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],i+4); + RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],i+5); + RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],i+6); + RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],i+7); + } + + /* feedback */ + for (i = 0; i < 8; i++) { + md->state[i] = md->state[i] + S[i]; + } +} + +int sha512_init(struct sha512_state * md) +{ + md->curlen = 0; + md->length = 0; + md->state[0] = CONST64(0x6a09e667f3bcc908); + md->state[1] = CONST64(0xbb67ae8584caa73b); + md->state[2] = CONST64(0x3c6ef372fe94f82b); + md->state[3] = CONST64(0xa54ff53a5f1d36f1); + md->state[4] = CONST64(0x510e527fade682d1); + md->state[5] = CONST64(0x9b05688c2b3e6c1f); + md->state[6] = CONST64(0x1f83d9abfb41bd6b); + md->state[7] = CONST64(0x5be0cd19137e2179); + return 0; +} + +int sha512_done(struct sha512_state * md, unsigned char *out) +{ + int i; + + /* increase the length of the message */ + md->length += md->curlen * CONST64(8); + + /* append the '1' bit */ + md->buf[md->curlen++] = (unsigned char)0x80; + + /* if the length is currently above 112 bytes we append zeros then + * compress. Then we can fall back to padding zeros and length encoding + * like normal. */ + if (md->curlen > 112) { + while (md->curlen < 128) { + md->buf[md->curlen++] = (unsigned char)0; + } + sha512_compress(md, md->buf); + md->curlen = 0; + } + + /* pad up to 120 bytes of zeroes note: that from 112 to 120 is the 64 MSB + * of the length. We assume that you won't hash > 2^64 bits of data. */ + while (md->curlen < 120) { + md->buf[md->curlen++] = (unsigned char)0; + } + + /* store length */ + STORE64H(md->length, md->buf + 120); + sha512_compress(md, md->buf); + + /* copy output */ + for (i = 0; i < 8; i++) { + STORE64H(md->state[i], out+(8 * i)); + } + + return 0; +} + +#define SHA512_BLOCKSIZE 128 +int sha512_process(struct sha512_state * md, + const unsigned char *in, + unsigned long inlen) +{ + unsigned long n; + + while (inlen > 0) { + if (md->curlen == 0 && inlen >= SHA512_BLOCKSIZE) { + sha512_compress(md, in); + md->length += SHA512_BLOCKSIZE * 8; + in += SHA512_BLOCKSIZE; + inlen -= SHA512_BLOCKSIZE; + } else { + n = MIN(inlen, (SHA512_BLOCKSIZE - md->curlen)); + memcpy(md->buf + md->curlen, + in, (size_t)n); + md->curlen += n; + in += n; + inlen -= n; + if (md->curlen == SHA512_BLOCKSIZE) { + sha512_compress(md, md->buf); + md->length += SHA512_BLOCKSIZE * 8; + md->curlen = 0; + } + } + } + + return 0; +} + +void sha512(const unsigned char *in, unsigned long in_size, unsigned char *out) +{ + struct sha512_state md; + + sha512_init(&md); + sha512_process(&md, in, in_size); + sha512_done(&md, out); +} + +#ifdef SHA512_SELFTEST +# include "sha512selftest.h" + +/* + * make sure we always return 0 for a successful test run, and non-zero for a + * failed run. The build infrastructure is looking for this information to + * determine whether to allow the build to proceed. + */ +int main(int argc, char **argv) +{ + int errors; + + errors = sha512_test(0); + + return errors != 0; +} +#endif /* SHA512_SELFTEST */ diff --git a/libfrog/sha512.h b/libfrog/sha512.h new file mode 100644 index 00000000..28ff5284 --- /dev/null +++ b/libfrog/sha512.h @@ -0,0 +1,33 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (c) 2023 Oracle, Inc. + * All Rights Reserved. + */ +#ifndef __LIBFROG_SHA512_H__ +#define __LIBFROG_SHA512_H__ + +struct sha512_state { + __u64 length; + __u64 state[8]; + unsigned long curlen; + unsigned char buf[128]; +}; + +#define SHA512_DESC_ON_STACK(mp, name) \ + struct sha512_state name + +#define SHA512_DIGEST_SIZE 64 + +void sha512(const unsigned char *in, unsigned long in_size, unsigned char *out); + +int sha512_init(struct sha512_state *md); +int sha512_done(struct sha512_state *md, unsigned char *out); +int sha512_process(struct sha512_state *md, const unsigned char *in, + unsigned long inlen); + +static inline void sha512_erase(struct sha512_state *md) +{ + memset(md, 0, sizeof(*md)); +} + +#endif /* __LIBFROG_SHA512_H__ */ diff --git a/libfrog/sha512selftest.h b/libfrog/sha512selftest.h new file mode 100644 index 00000000..9f4edeb0 --- /dev/null +++ b/libfrog/sha512selftest.h @@ -0,0 +1,86 @@ +/* + * sha512.c --- The sha512 algorithm self tests + * + * Copyright (C) 2004 Sam Hocevar <sam@xxxxxxxxxxx> + * (copied from libtomcrypt and then relicensed under GPLv2) + * (and later copied from e2fsprogs) + * + * %Begin-Header% + * This file may be redistributed under the terms of the GNU Library + * General Public License, version 2. + * %End-Header% + */ +#ifndef __LIBFROG_SHA512SELFTEST_H__ +#define __LIBFROG_SHA512SELFTEST_H__ + +static const struct { + char *msg; + unsigned char hash[64]; +} sha512_tests[] = { + { "", + { 0xcf, 0x83, 0xe1, 0x35, 0x7e, 0xef, 0xb8, 0xbd, + 0xf1, 0x54, 0x28, 0x50, 0xd6, 0x6d, 0x80, 0x07, + 0xd6, 0x20, 0xe4, 0x05, 0x0b, 0x57, 0x15, 0xdc, + 0x83, 0xf4, 0xa9, 0x21, 0xd3, 0x6c, 0xe9, 0xce, + 0x47, 0xd0, 0xd1, 0x3c, 0x5d, 0x85, 0xf2, 0xb0, + 0xff, 0x83, 0x18, 0xd2, 0x87, 0x7e, 0xec, 0x2f, + 0x63, 0xb9, 0x31, 0xbd, 0x47, 0x41, 0x7a, 0x81, + 0xa5, 0x38, 0x32, 0x7a, 0xf9, 0x27, 0xda, 0x3e } + }, + { "abc", + { 0xdd, 0xaf, 0x35, 0xa1, 0x93, 0x61, 0x7a, 0xba, + 0xcc, 0x41, 0x73, 0x49, 0xae, 0x20, 0x41, 0x31, + 0x12, 0xe6, 0xfa, 0x4e, 0x89, 0xa9, 0x7e, 0xa2, + 0x0a, 0x9e, 0xee, 0xe6, 0x4b, 0x55, 0xd3, 0x9a, + 0x21, 0x92, 0x99, 0x2a, 0x27, 0x4f, 0xc1, 0xa8, + 0x36, 0xba, 0x3c, 0x23, 0xa3, 0xfe, 0xeb, 0xbd, + 0x45, 0x4d, 0x44, 0x23, 0x64, 0x3c, 0xe8, 0x0e, + 0x2a, 0x9a, 0xc9, 0x4f, 0xa5, 0x4c, 0xa4, 0x9f } + }, + { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", + { 0x8e, 0x95, 0x9b, 0x75, 0xda, 0xe3, 0x13, 0xda, + 0x8c, 0xf4, 0xf7, 0x28, 0x14, 0xfc, 0x14, 0x3f, + 0x8f, 0x77, 0x79, 0xc6, 0xeb, 0x9f, 0x7f, 0xa1, + 0x72, 0x99, 0xae, 0xad, 0xb6, 0x88, 0x90, 0x18, + 0x50, 0x1d, 0x28, 0x9e, 0x49, 0x00, 0xf7, 0xe4, + 0x33, 0x1b, 0x99, 0xde, 0xc4, 0xb5, 0x43, 0x3a, + 0xc7, 0xd3, 0x29, 0xee, 0xb6, 0xdd, 0x26, 0x54, + 0x5e, 0x96, 0xe5, 0x5b, 0x87, 0x4b, 0xe9, 0x09 } + }, + { "The quick brown fox jumps over the lazy dog.\n", + { 0x02, 0x0d, 0xa0, 0xf4, 0xd8, 0xa4, 0xc8, 0xbf, + 0xbc, 0x98, 0x27, 0x40, 0x27, 0x74, 0x00, 0x61, + 0xd7, 0xdf, 0x52, 0xee, 0x07, 0x09, 0x1e, 0xd6, + 0x59, 0x5a, 0x08, 0x3e, 0x0f, 0x45, 0x32, 0x7b, + 0xbe, 0x59, 0x42, 0x43, 0x12, 0xd8, 0x6f, 0x21, + 0x8b, 0x74, 0xed, 0x2e, 0x25, 0x50, 0x7a, 0xba, + 0xf5, 0xc7, 0xa5, 0xfc, 0xf4, 0xca, 0xfc, 0xf9, + 0x53, 0x8b, 0x70, 0x58, 0x08, 0xfd, 0x55, 0xec } + }, +}; + +/* Don't print anything to stdout. */ +#define SHA512TEST_QUIET (1U << 0) + +static int sha512_test(unsigned int flags) +{ + int i; + int errors = 0; + unsigned char tmp[64]; + + for (i = 0; i < (int)(sizeof(sha512_tests) / sizeof(sha512_tests[0])); i++) { + unsigned char *msg = (unsigned char *) sha512_tests[i].msg; + int len = strlen(sha512_tests[i].msg); + + sha512(msg, len, tmp); + if (memcmp(tmp, sha512_tests[i].hash, 64) != 0) + errors++; + } + + if (!(flags & SHA512TEST_QUIET) && errors) + printf("sha512: %d self tests failed\n", errors); + + return errors; +} + +#endif /* __LIBFROG_SHA512SELFTEST_H__ */ diff --git a/man/man8/xfs_io.8 b/man/man8/xfs_io.8 index ef7087b3..dc10c8f6 100644 --- a/man/man8/xfs_io.8 +++ b/man/man8/xfs_io.8 @@ -1506,6 +1506,10 @@ command. .B crc32cselftest Test the internal crc32c implementation to make sure that it computes results correctly. +.TP +.B sha512selftest +Test the internal sha512 implementation to make sure that it computes results +correctly. .SH SEE ALSO .BR mkfs.xfs (8), .BR xfsctl (3), diff --git a/mkfs/xfs_mkfs.c b/mkfs/xfs_mkfs.c index dffee9e2..d3f34ef8 100644 --- a/mkfs/xfs_mkfs.c +++ b/mkfs/xfs_mkfs.c @@ -11,6 +11,7 @@ #include "libfrog/fsgeom.h" #include "libfrog/convert.h" #include "libfrog/crc32cselftest.h" +#include "libfrog/sha512selftest.h" #include "proto.h" #include <ini.h> @@ -4287,6 +4288,13 @@ main( return 1; } + /* Make sure our checksum algorithm really works. */ + if (sha512_test(SHA512TEST_QUIET) != 0) { + fprintf(stderr, + _("sha512 self-test failed, will not create a filesystem here.\n")); + return 1; + } + /* * All values have been validated, discard the old device layout. */ diff --git a/repair/init.c b/repair/init.c index 3a320b4f..46b4dbef 100644 --- a/repair/init.c +++ b/repair/init.c @@ -15,6 +15,7 @@ #include "incore.h" #include "prefetch.h" #include "libfrog/crc32cselftest.h" +#include "libfrog/sha512selftest.h" #include <sys/resource.h> static void @@ -105,4 +106,8 @@ _("Unmount or use the dangerous (-d) option to repair a read-only mounted filesy if (crc32c_test(CRC32CTEST_QUIET) != 0) do_error( _("crc32c self-test failed, will not examine filesystem.\n")); + + if (sha512_test(SHA512TEST_QUIET) != 0) + do_error( + _("sha512 self-test failed, will not examine filesystem.\n")); }