1 /*-
2 * Copyright 2005 Colin Percival
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27 #include <sys/cdefs.h>
28 #include <sys/endian.h>
29 #include <sys/types.h>
30
31 #ifdef _KERNEL
32 #include <sys/systm.h>
33 #else
34 #include <string.h>
35 #endif
36
37 #include "sha224.h"
38 #include "sha256.h"
39 #include "sha256c_impl.h"
40
41 #if defined(ARM64_SHA2)
42 #include <sys/auxv.h>
43 #include <machine/ifunc.h>
44 #endif
45
46 #if BYTE_ORDER == BIG_ENDIAN
47
48 /* Copy a vector of big-endian uint32_t into a vector of bytes */
49 #define be32enc_vect(dst, src, len) \
50 memcpy((void *)dst, (const void *)src, (size_t)len)
51
52 /* Copy a vector of bytes into a vector of big-endian uint32_t */
53 #define be32dec_vect(dst, src, len) \
54 memcpy((void *)dst, (const void *)src, (size_t)len)
55
56 #else /* BYTE_ORDER != BIG_ENDIAN */
57
58 /*
59 * Encode a length len/4 vector of (uint32_t) into a length len vector of
60 * (unsigned char) in big-endian form. Assumes len is a multiple of 4.
61 */
62 static void
be32enc_vect(unsigned char * dst,const uint32_t * src,size_t len)63 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
64 {
65 size_t i;
66
67 for (i = 0; i < len / 4; i++)
68 be32enc(dst + i * 4, src[i]);
69 }
70
71 /*
72 * Decode a big-endian length len vector of (unsigned char) into a length
73 * len/4 vector of (uint32_t). Assumes len is a multiple of 4.
74 */
75 static void
be32dec_vect(uint32_t * dst,const unsigned char * src,size_t len)76 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
77 {
78 size_t i;
79
80 for (i = 0; i < len / 4; i++)
81 dst[i] = be32dec(src + i * 4);
82 }
83
84 #endif /* BYTE_ORDER != BIG_ENDIAN */
85
86 /* SHA256 round constants. */
87 static const uint32_t K[64] = {
88 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
89 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
90 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
91 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
92 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
93 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
94 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
95 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
96 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
97 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
98 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
99 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
100 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
101 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
102 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
103 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
104 };
105
106 /* Elementary functions used by SHA256 */
107 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
108 #define Maj(x, y, z) ((x & (y | z)) | (y & z))
109 #define SHR(x, n) (x >> n)
110 #define ROTR(x, n) ((x >> n) | (x << (32 - n)))
111 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
112 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
113 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
114 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
115
116 /* SHA256 round function */
117 #define RND(a, b, c, d, e, f, g, h, k) \
118 h += S1(e) + Ch(e, f, g) + k; \
119 d += h; \
120 h += S0(a) + Maj(a, b, c);
121
122 /* Adjusted round function for rotating state */
123 #define RNDr(S, W, i, ii) \
124 RND(S[(64 - i) % 8], S[(65 - i) % 8], \
125 S[(66 - i) % 8], S[(67 - i) % 8], \
126 S[(68 - i) % 8], S[(69 - i) % 8], \
127 S[(70 - i) % 8], S[(71 - i) % 8], \
128 W[i + ii] + K[i + ii])
129
130 /* Message schedule computation */
131 #define MSCH(W, ii, i) \
132 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
133
134 /*
135 * SHA256 block compression function. The 256-bit state is transformed via
136 * the 512-bit input block to produce a new state.
137 */
138 static void
139 #if defined(ARM64_SHA2)
SHA256_Transform_c(uint32_t * state,const unsigned char block[64])140 SHA256_Transform_c(uint32_t * state, const unsigned char block[64])
141 #else
142 SHA256_Transform(uint32_t * state, const unsigned char block[64])
143 #endif
144 {
145 uint32_t W[64];
146 uint32_t S[8];
147 int i;
148
149 /* 1. Prepare the first part of the message schedule W. */
150 be32dec_vect(W, block, 64);
151
152 /* 2. Initialize working variables. */
153 memcpy(S, state, 32);
154
155 /* 3. Mix. */
156 for (i = 0; i < 64; i += 16) {
157 RNDr(S, W, 0, i);
158 RNDr(S, W, 1, i);
159 RNDr(S, W, 2, i);
160 RNDr(S, W, 3, i);
161 RNDr(S, W, 4, i);
162 RNDr(S, W, 5, i);
163 RNDr(S, W, 6, i);
164 RNDr(S, W, 7, i);
165 RNDr(S, W, 8, i);
166 RNDr(S, W, 9, i);
167 RNDr(S, W, 10, i);
168 RNDr(S, W, 11, i);
169 RNDr(S, W, 12, i);
170 RNDr(S, W, 13, i);
171 RNDr(S, W, 14, i);
172 RNDr(S, W, 15, i);
173
174 if (i == 48)
175 break;
176 MSCH(W, 0, i);
177 MSCH(W, 1, i);
178 MSCH(W, 2, i);
179 MSCH(W, 3, i);
180 MSCH(W, 4, i);
181 MSCH(W, 5, i);
182 MSCH(W, 6, i);
183 MSCH(W, 7, i);
184 MSCH(W, 8, i);
185 MSCH(W, 9, i);
186 MSCH(W, 10, i);
187 MSCH(W, 11, i);
188 MSCH(W, 12, i);
189 MSCH(W, 13, i);
190 MSCH(W, 14, i);
191 MSCH(W, 15, i);
192 }
193
194 /* 4. Mix local working variables into global state */
195 for (i = 0; i < 8; i++)
196 state[i] += S[i];
197 }
198
199 #if defined(ARM64_SHA2)
200 static void
SHA256_Transform_arm64(uint32_t * state,const unsigned char block[64])201 SHA256_Transform_arm64(uint32_t * state, const unsigned char block[64])
202 {
203 SHA256_Transform_arm64_impl(state, block, K);
204 }
205
206 DEFINE_UIFUNC(static, void, SHA256_Transform,
207 (uint32_t * state, const unsigned char block[64]))
208 {
209 if ((at_hwcap & HWCAP_SHA2) != 0)
210 return (SHA256_Transform_arm64);
211
212 return (SHA256_Transform_c);
213 }
214 #endif
215
216 static unsigned char PAD[64] = {
217 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
218 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
219 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
220 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
221 };
222
223 /* Add padding and terminating bit-count. */
224 static void
SHA256_Pad(SHA256_CTX * ctx)225 SHA256_Pad(SHA256_CTX * ctx)
226 {
227 size_t r;
228
229 /* Figure out how many bytes we have buffered. */
230 r = (ctx->count >> 3) & 0x3f;
231
232 /* Pad to 56 mod 64, transforming if we finish a block en route. */
233 if (r < 56) {
234 /* Pad to 56 mod 64. */
235 memcpy(&ctx->buf[r], PAD, 56 - r);
236 } else {
237 /* Finish the current block and mix. */
238 memcpy(&ctx->buf[r], PAD, 64 - r);
239 SHA256_Transform(ctx->state, ctx->buf);
240
241 /* The start of the final block is all zeroes. */
242 memset(&ctx->buf[0], 0, 56);
243 }
244
245 /* Add the terminating bit-count. */
246 be64enc(&ctx->buf[56], ctx->count);
247
248 /* Mix in the final block. */
249 SHA256_Transform(ctx->state, ctx->buf);
250 }
251
252 /* SHA-256 initialization. Begins a SHA-256 operation. */
253 void
SHA256_Init(SHA256_CTX * ctx)254 SHA256_Init(SHA256_CTX * ctx)
255 {
256
257 /* Zero bits processed so far */
258 ctx->count = 0;
259
260 /* Magic initialization constants */
261 ctx->state[0] = 0x6A09E667;
262 ctx->state[1] = 0xBB67AE85;
263 ctx->state[2] = 0x3C6EF372;
264 ctx->state[3] = 0xA54FF53A;
265 ctx->state[4] = 0x510E527F;
266 ctx->state[5] = 0x9B05688C;
267 ctx->state[6] = 0x1F83D9AB;
268 ctx->state[7] = 0x5BE0CD19;
269 }
270
271 /* Add bytes into the hash */
272 void
SHA256_Update(SHA256_CTX * ctx,const void * in,size_t len)273 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
274 {
275 uint64_t bitlen;
276 uint32_t r;
277 const unsigned char *src = in;
278
279 /* Number of bytes left in the buffer from previous updates */
280 r = (ctx->count >> 3) & 0x3f;
281
282 /* Convert the length into a number of bits */
283 bitlen = len << 3;
284
285 /* Update number of bits */
286 ctx->count += bitlen;
287
288 /* Handle the case where we don't need to perform any transforms */
289 if (len < 64 - r) {
290 memcpy(&ctx->buf[r], src, len);
291 return;
292 }
293
294 /* Finish the current block */
295 memcpy(&ctx->buf[r], src, 64 - r);
296 SHA256_Transform(ctx->state, ctx->buf);
297 src += 64 - r;
298 len -= 64 - r;
299
300 /* Perform complete blocks */
301 while (len >= 64) {
302 SHA256_Transform(ctx->state, src);
303 src += 64;
304 len -= 64;
305 }
306
307 /* Copy left over data into buffer */
308 memcpy(ctx->buf, src, len);
309 }
310
311 /*
312 * SHA-256 finalization. Pads the input data, exports the hash value,
313 * and clears the context state.
314 */
315 void
SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH],SHA256_CTX * ctx)316 SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx)
317 {
318
319 /* Add padding */
320 SHA256_Pad(ctx);
321
322 /* Write the hash */
323 be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH);
324
325 /* Clear the context state */
326 explicit_bzero(ctx, sizeof(*ctx));
327 }
328
329 /*** SHA-224: *********************************************************/
330 /*
331 * the SHA224 and SHA256 transforms are identical
332 */
333
334 /* SHA-224 initialization. Begins a SHA-224 operation. */
335 void
SHA224_Init(SHA224_CTX * ctx)336 SHA224_Init(SHA224_CTX * ctx)
337 {
338
339 /* Zero bits processed so far */
340 ctx->count = 0;
341
342 /* Magic initialization constants */
343 ctx->state[0] = 0xC1059ED8;
344 ctx->state[1] = 0x367CD507;
345 ctx->state[2] = 0x3070DD17;
346 ctx->state[3] = 0xF70E5939;
347 ctx->state[4] = 0xFFC00B31;
348 ctx->state[5] = 0x68581511;
349 ctx->state[6] = 0x64f98FA7;
350 ctx->state[7] = 0xBEFA4FA4;
351 }
352
353 /* Add bytes into the SHA-224 hash */
354 void
SHA224_Update(SHA224_CTX * ctx,const void * in,size_t len)355 SHA224_Update(SHA224_CTX * ctx, const void *in, size_t len)
356 {
357
358 SHA256_Update((SHA256_CTX *)ctx, in, len);
359 }
360
361 /*
362 * SHA-224 finalization. Pads the input data, exports the hash value,
363 * and clears the context state.
364 */
365 void
SHA224_Final(unsigned char digest[static SHA224_DIGEST_LENGTH],SHA224_CTX * ctx)366 SHA224_Final(unsigned char digest[static SHA224_DIGEST_LENGTH], SHA224_CTX *ctx)
367 {
368
369 /* Add padding */
370 SHA256_Pad((SHA256_CTX *)ctx);
371
372 /* Write the hash */
373 be32enc_vect(digest, ctx->state, SHA224_DIGEST_LENGTH);
374
375 /* Clear the context state */
376 explicit_bzero(ctx, sizeof(*ctx));
377 }
378
379 #ifdef WEAK_REFS
380 /* When building libmd, provide weak references. Note: this is not
381 activated in the context of compiling these sources for internal
382 use in libcrypt.
383 */
384 #undef SHA256_Init
385 __weak_reference(_libmd_SHA256_Init, SHA256_Init);
386 #undef SHA256_Update
387 __weak_reference(_libmd_SHA256_Update, SHA256_Update);
388 #undef SHA256_Final
389 __weak_reference(_libmd_SHA256_Final, SHA256_Final);
390
391 #undef SHA224_Init
392 __weak_reference(_libmd_SHA224_Init, SHA224_Init);
393 #undef SHA224_Update
394 __weak_reference(_libmd_SHA224_Update, SHA224_Update);
395 #undef SHA224_Final
396 __weak_reference(_libmd_SHA224_Final, SHA224_Final);
397 #endif
398