1 /*- 2 * Copyright 2005 Colin Percival 3 * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 #include <sys/endian.h> 30 #include <sys/types.h> 31 32 #ifdef _KERNEL 33 #include <sys/systm.h> 34 #else 35 #include <string.h> 36 #endif 37 38 #include "sha512.h" 39 #include "sha512t.h" 40 #include "sha384.h" 41 #include "sha512c_impl.h" 42 43 #if defined(ARM64_SHA512) 44 #include <sys/auxv.h> 45 #include <machine/ifunc.h> 46 #endif 47 48 #if BYTE_ORDER == BIG_ENDIAN 49 50 /* Copy a vector of big-endian uint64_t into a vector of bytes */ 51 #define be64enc_vect(dst, src, len) \ 52 memcpy((void *)dst, (const void *)src, (size_t)len) 53 54 /* Copy a vector of bytes into a vector of big-endian uint64_t */ 55 #define be64dec_vect(dst, src, len) \ 56 memcpy((void *)dst, (const void *)src, (size_t)len) 57 58 #else /* BYTE_ORDER != BIG_ENDIAN */ 59 60 /* 61 * Encode a length (len + 7) / 8 vector of (uint64_t) into a length len 62 * vector of (unsigned char) in big-endian form. Assumes len is a 63 * multiple of 4. 64 */ 65 static inline void 66 be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len) 67 { 68 size_t i; 69 70 for (i = 0; i < len / 8; i++) 71 be64enc(dst + i * 8, src[i]); 72 if (len % 8 == 4) 73 be32enc(dst + i * 8, src[i] >> 32); 74 } 75 76 /* 77 * Decode a big-endian length len vector of (unsigned char) into a length 78 * len/8 vector of (uint64_t). Assumes len is a multiple of 8. 79 */ 80 static inline void 81 be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len) 82 { 83 size_t i; 84 85 for (i = 0; i < len / 8; i++) 86 dst[i] = be64dec(src + i * 8); 87 } 88 89 #endif /* BYTE_ORDER != BIG_ENDIAN */ 90 91 /* SHA512 round constants. */ 92 static const uint64_t K[80] = { 93 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 94 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 95 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 96 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 97 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 98 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 99 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 100 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 101 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 102 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 103 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 104 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 105 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 106 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 107 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 108 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 109 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 110 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 111 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 112 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 113 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 114 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 115 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 116 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 117 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 118 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 119 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 120 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 121 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 122 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 123 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 124 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 125 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 126 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 127 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 128 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 129 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 130 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 131 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 132 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 133 }; 134 135 /* Elementary functions used by SHA512 */ 136 #define Ch(x, y, z) ((x & (y ^ z)) ^ z) 137 #define Maj(x, y, z) ((x & (y | z)) | (y & z)) 138 #define SHR(x, n) (x >> n) 139 #define ROTR(x, n) ((x >> n) | (x << (64 - n))) 140 #define S0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39)) 141 #define S1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41)) 142 #define s0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7)) 143 #define s1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6)) 144 145 /* SHA512 round function */ 146 #define RND(a, b, c, d, e, f, g, h, k) \ 147 h += S1(e) + Ch(e, f, g) + k; \ 148 d += h; \ 149 h += S0(a) + Maj(a, b, c); 150 151 /* Adjusted round function for rotating state */ 152 #define RNDr(S, W, i, ii) \ 153 RND(S[(80 - i) % 8], S[(81 - i) % 8], \ 154 S[(82 - i) % 8], S[(83 - i) % 8], \ 155 S[(84 - i) % 8], S[(85 - i) % 8], \ 156 S[(86 - i) % 8], S[(87 - i) % 8], \ 157 W[i + ii] + K[i + ii]) 158 159 /* Message schedule computation */ 160 #define MSCH(W, ii, i) \ 161 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii] 162 163 /* 164 * SHA512 block compression function. The 512-bit state is transformed via 165 * the 512-bit input block to produce a new state. 166 */ 167 static void 168 #if defined(ARM64_SHA512) 169 SHA512_Transform_c(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH]) 170 #else 171 SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH]) 172 #endif 173 { 174 uint64_t W[80]; 175 uint64_t S[8]; 176 int i; 177 178 /* 1. Prepare the first part of the message schedule W. */ 179 be64dec_vect(W, block, SHA512_BLOCK_LENGTH); 180 181 /* 2. Initialize working variables. */ 182 memcpy(S, state, SHA512_DIGEST_LENGTH); 183 184 /* 3. Mix. */ 185 for (i = 0; i < 80; i += 16) { 186 RNDr(S, W, 0, i); 187 RNDr(S, W, 1, i); 188 RNDr(S, W, 2, i); 189 RNDr(S, W, 3, i); 190 RNDr(S, W, 4, i); 191 RNDr(S, W, 5, i); 192 RNDr(S, W, 6, i); 193 RNDr(S, W, 7, i); 194 RNDr(S, W, 8, i); 195 RNDr(S, W, 9, i); 196 RNDr(S, W, 10, i); 197 RNDr(S, W, 11, i); 198 RNDr(S, W, 12, i); 199 RNDr(S, W, 13, i); 200 RNDr(S, W, 14, i); 201 RNDr(S, W, 15, i); 202 203 if (i == 64) 204 break; 205 MSCH(W, 0, i); 206 MSCH(W, 1, i); 207 MSCH(W, 2, i); 208 MSCH(W, 3, i); 209 MSCH(W, 4, i); 210 MSCH(W, 5, i); 211 MSCH(W, 6, i); 212 MSCH(W, 7, i); 213 MSCH(W, 8, i); 214 MSCH(W, 9, i); 215 MSCH(W, 10, i); 216 MSCH(W, 11, i); 217 MSCH(W, 12, i); 218 MSCH(W, 13, i); 219 MSCH(W, 14, i); 220 MSCH(W, 15, i); 221 } 222 223 /* 4. Mix local working variables into global state */ 224 for (i = 0; i < 8; i++) 225 state[i] += S[i]; 226 } 227 228 #if defined(ARM64_SHA512) 229 static void 230 SHA512_Transform_arm64(uint64_t * state, 231 const unsigned char block[SHA512_BLOCK_LENGTH]) 232 { 233 SHA512_Transform_arm64_impl(state, block, K); 234 } 235 236 DEFINE_UIFUNC(static, void, SHA512_Transform, 237 (uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH])) 238 { 239 if ((at_hwcap & HWCAP_SHA512) != 0) 240 return (SHA512_Transform_arm64); 241 242 return (SHA512_Transform_c); 243 } 244 #endif 245 246 static unsigned char PAD[SHA512_BLOCK_LENGTH] = { 247 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 248 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 249 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 250 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 251 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 252 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 253 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 254 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 255 }; 256 257 /* Add padding and terminating bit-count. */ 258 static void 259 SHA512_Pad(SHA512_CTX * ctx) 260 { 261 size_t r; 262 263 /* Figure out how many bytes we have buffered. */ 264 r = (ctx->count[1] >> 3) & 0x7f; 265 266 /* Pad to 112 mod 128, transforming if we finish a block en route. */ 267 if (r < 112) { 268 /* Pad to 112 mod 128. */ 269 memcpy(&ctx->buf[r], PAD, 112 - r); 270 } else { 271 /* Finish the current block and mix. */ 272 memcpy(&ctx->buf[r], PAD, 128 - r); 273 SHA512_Transform(ctx->state, ctx->buf); 274 275 /* The start of the final block is all zeroes. */ 276 memset(&ctx->buf[0], 0, 112); 277 } 278 279 /* Add the terminating bit-count. */ 280 be64enc_vect(&ctx->buf[112], ctx->count, 16); 281 282 /* Mix in the final block. */ 283 SHA512_Transform(ctx->state, ctx->buf); 284 } 285 286 /* SHA-512 initialization. Begins a SHA-512 operation. */ 287 void 288 SHA512_Init(SHA512_CTX * ctx) 289 { 290 291 /* Zero bits processed so far */ 292 ctx->count[0] = ctx->count[1] = 0; 293 294 /* Magic initialization constants */ 295 ctx->state[0] = 0x6a09e667f3bcc908ULL; 296 ctx->state[1] = 0xbb67ae8584caa73bULL; 297 ctx->state[2] = 0x3c6ef372fe94f82bULL; 298 ctx->state[3] = 0xa54ff53a5f1d36f1ULL; 299 ctx->state[4] = 0x510e527fade682d1ULL; 300 ctx->state[5] = 0x9b05688c2b3e6c1fULL; 301 ctx->state[6] = 0x1f83d9abfb41bd6bULL; 302 ctx->state[7] = 0x5be0cd19137e2179ULL; 303 } 304 305 /* Add bytes into the hash */ 306 void 307 SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len) 308 { 309 uint64_t bitlen[2]; 310 uint64_t r; 311 const unsigned char *src = in; 312 313 /* Number of bytes left in the buffer from previous updates */ 314 r = (ctx->count[1] >> 3) & 0x7f; 315 316 /* Convert the length into a number of bits */ 317 bitlen[1] = ((uint64_t)len) << 3; 318 bitlen[0] = ((uint64_t)len) >> 61; 319 320 /* Update number of bits */ 321 if ((ctx->count[1] += bitlen[1]) < bitlen[1]) 322 ctx->count[0]++; 323 ctx->count[0] += bitlen[0]; 324 325 /* Handle the case where we don't need to perform any transforms */ 326 if (len < SHA512_BLOCK_LENGTH - r) { 327 memcpy(&ctx->buf[r], src, len); 328 return; 329 } 330 331 /* Finish the current block */ 332 memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r); 333 SHA512_Transform(ctx->state, ctx->buf); 334 src += SHA512_BLOCK_LENGTH - r; 335 len -= SHA512_BLOCK_LENGTH - r; 336 337 /* Perform complete blocks */ 338 while (len >= SHA512_BLOCK_LENGTH) { 339 SHA512_Transform(ctx->state, src); 340 src += SHA512_BLOCK_LENGTH; 341 len -= SHA512_BLOCK_LENGTH; 342 } 343 344 /* Copy left over data into buffer */ 345 memcpy(ctx->buf, src, len); 346 } 347 348 /* 349 * SHA-512 finalization. Pads the input data, exports the hash value, 350 * and clears the context state. 351 */ 352 void 353 SHA512_Final(unsigned char digest[static SHA512_DIGEST_LENGTH], SHA512_CTX *ctx) 354 { 355 356 /* Add padding */ 357 SHA512_Pad(ctx); 358 359 /* Write the hash */ 360 be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH); 361 362 /* Clear the context state */ 363 explicit_bzero(ctx, sizeof(*ctx)); 364 } 365 366 /*** SHA-512t: *********************************************************/ 367 /* 368 * the SHA512t transforms are identical to SHA512 so reuse the existing function 369 */ 370 void 371 SHA512_224_Init(SHA512_CTX * ctx) 372 { 373 374 /* Zero bits processed so far */ 375 ctx->count[0] = ctx->count[1] = 0; 376 377 /* Magic initialization constants */ 378 ctx->state[0] = 0x8c3d37c819544da2ULL; 379 ctx->state[1] = 0x73e1996689dcd4d6ULL; 380 ctx->state[2] = 0x1dfab7ae32ff9c82ULL; 381 ctx->state[3] = 0x679dd514582f9fcfULL; 382 ctx->state[4] = 0x0f6d2b697bd44da8ULL; 383 ctx->state[5] = 0x77e36f7304c48942ULL; 384 ctx->state[6] = 0x3f9d85a86a1d36c8ULL; 385 ctx->state[7] = 0x1112e6ad91d692a1ULL; 386 } 387 388 void 389 SHA512_224_Update(SHA512_CTX * ctx, const void *in, size_t len) 390 { 391 392 SHA512_Update(ctx, in, len); 393 } 394 395 void 396 SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], SHA512_CTX * ctx) 397 { 398 399 /* Add padding */ 400 SHA512_Pad(ctx); 401 402 /* Write the hash */ 403 be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH); 404 405 /* Clear the context state */ 406 explicit_bzero(ctx, sizeof(*ctx)); 407 } 408 409 void 410 SHA512_256_Init(SHA512_CTX * ctx) 411 { 412 413 /* Zero bits processed so far */ 414 ctx->count[0] = ctx->count[1] = 0; 415 416 /* Magic initialization constants */ 417 ctx->state[0] = 0x22312194fc2bf72cULL; 418 ctx->state[1] = 0x9f555fa3c84c64c2ULL; 419 ctx->state[2] = 0x2393b86b6f53b151ULL; 420 ctx->state[3] = 0x963877195940eabdULL; 421 ctx->state[4] = 0x96283ee2a88effe3ULL; 422 ctx->state[5] = 0xbe5e1e2553863992ULL; 423 ctx->state[6] = 0x2b0199fc2c85b8aaULL; 424 ctx->state[7] = 0x0eb72ddc81c52ca2ULL; 425 } 426 427 void 428 SHA512_256_Update(SHA512_CTX * ctx, const void *in, size_t len) 429 { 430 431 SHA512_Update(ctx, in, len); 432 } 433 434 void 435 SHA512_256_Final(unsigned char digest[static SHA512_256_DIGEST_LENGTH], SHA512_CTX * ctx) 436 { 437 438 /* Add padding */ 439 SHA512_Pad(ctx); 440 441 /* Write the hash */ 442 be64enc_vect(digest, ctx->state, SHA512_256_DIGEST_LENGTH); 443 444 /* Clear the context state */ 445 explicit_bzero(ctx, sizeof(*ctx)); 446 } 447 448 /*** SHA-384: *********************************************************/ 449 /* 450 * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped 451 */ 452 453 /* SHA-384 initialization. Begins a SHA-384 operation. */ 454 void 455 SHA384_Init(SHA384_CTX * ctx) 456 { 457 458 /* Zero bits processed so far */ 459 ctx->count[0] = ctx->count[1] = 0; 460 461 /* Magic initialization constants */ 462 ctx->state[0] = 0xcbbb9d5dc1059ed8ULL; 463 ctx->state[1] = 0x629a292a367cd507ULL; 464 ctx->state[2] = 0x9159015a3070dd17ULL; 465 ctx->state[3] = 0x152fecd8f70e5939ULL; 466 ctx->state[4] = 0x67332667ffc00b31ULL; 467 ctx->state[5] = 0x8eb44a8768581511ULL; 468 ctx->state[6] = 0xdb0c2e0d64f98fa7ULL; 469 ctx->state[7] = 0x47b5481dbefa4fa4ULL; 470 } 471 472 /* Add bytes into the SHA-384 hash */ 473 void 474 SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len) 475 { 476 477 SHA512_Update((SHA512_CTX *)ctx, in, len); 478 } 479 480 /* 481 * SHA-384 finalization. Pads the input data, exports the hash value, 482 * and clears the context state. 483 */ 484 void 485 SHA384_Final(unsigned char digest[static SHA384_DIGEST_LENGTH], SHA384_CTX *ctx) 486 { 487 488 /* Add padding */ 489 SHA512_Pad((SHA512_CTX *)ctx); 490 491 /* Write the hash */ 492 be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH); 493 494 /* Clear the context state */ 495 explicit_bzero(ctx, sizeof(*ctx)); 496 } 497 498 #ifdef WEAK_REFS 499 /* When building libmd, provide weak references. Note: this is not 500 activated in the context of compiling these sources for internal 501 use in libcrypt. 502 */ 503 #undef SHA512_Init 504 __weak_reference(_libmd_SHA512_Init, SHA512_Init); 505 #undef SHA512_Update 506 __weak_reference(_libmd_SHA512_Update, SHA512_Update); 507 #undef SHA512_Final 508 __weak_reference(_libmd_SHA512_Final, SHA512_Final); 509 510 #undef SHA512_224_Init 511 __weak_reference(_libmd_SHA512_224_Init, SHA512_224_Init); 512 #undef SHA512_224_Update 513 __weak_reference(_libmd_SHA512_224_Update, SHA512_224_Update); 514 #undef SHA512_224_Final 515 __weak_reference(_libmd_SHA512_224_Final, SHA512_224_Final); 516 517 #undef SHA512_256_Init 518 __weak_reference(_libmd_SHA512_256_Init, SHA512_256_Init); 519 #undef SHA512_256_Update 520 __weak_reference(_libmd_SHA512_256_Update, SHA512_256_Update); 521 #undef SHA512_256_Final 522 __weak_reference(_libmd_SHA512_256_Final, SHA512_256_Final); 523 524 #undef SHA384_Init 525 __weak_reference(_libmd_SHA384_Init, SHA384_Init); 526 #undef SHA384_Update 527 __weak_reference(_libmd_SHA384_Update, SHA384_Update); 528 #undef SHA384_Final 529 __weak_reference(_libmd_SHA384_Final, SHA384_Final); 530 #endif 531