1 /*
2 * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <sys/cdefs.h>
11 #include <sys/libkern.h>
12 #include <sys/malloc.h>
13
14 #include <opencrypto/cryptodev.h>
15 #include <opencrypto/xform_auth.h>
16
17 #include <crypto/openssl/ossl.h>
18 #include <crypto/openssl/ossl_sha.h>
19
20 /* sha512-x86_64.S */
21 void sha512_block_data_order(SHA512_CTX *c, const void *in, size_t num);
22
23 /* From crypto/sha/sha512.c */
24
25 #if defined(__i386__) || defined(__amd64__) || defined(__aarch64__)
26 # define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
27 #endif
28
29 static void
ossl_sha384_init(void * c_)30 ossl_sha384_init(void *c_)
31 {
32 SHA512_CTX *c = c_;
33 c->h[0] = U64(0xcbbb9d5dc1059ed8);
34 c->h[1] = U64(0x629a292a367cd507);
35 c->h[2] = U64(0x9159015a3070dd17);
36 c->h[3] = U64(0x152fecd8f70e5939);
37 c->h[4] = U64(0x67332667ffc00b31);
38 c->h[5] = U64(0x8eb44a8768581511);
39 c->h[6] = U64(0xdb0c2e0d64f98fa7);
40 c->h[7] = U64(0x47b5481dbefa4fa4);
41
42 c->Nl = 0;
43 c->Nh = 0;
44 c->num = 0;
45 c->md_len = SHA384_DIGEST_LENGTH;
46 }
47
48 static void
ossl_sha512_init(void * c_)49 ossl_sha512_init(void *c_)
50 {
51 SHA512_CTX *c = c_;
52 c->h[0] = U64(0x6a09e667f3bcc908);
53 c->h[1] = U64(0xbb67ae8584caa73b);
54 c->h[2] = U64(0x3c6ef372fe94f82b);
55 c->h[3] = U64(0xa54ff53a5f1d36f1);
56 c->h[4] = U64(0x510e527fade682d1);
57 c->h[5] = U64(0x9b05688c2b3e6c1f);
58 c->h[6] = U64(0x1f83d9abfb41bd6b);
59 c->h[7] = U64(0x5be0cd19137e2179);
60
61 c->Nl = 0;
62 c->Nh = 0;
63 c->num = 0;
64 c->md_len = SHA512_DIGEST_LENGTH;
65 }
66
67 static void
ossl_sha512_final(uint8_t * md,void * c_)68 ossl_sha512_final(uint8_t *md, void *c_)
69 {
70 SHA512_CTX *c = c_;
71 unsigned char *p = (unsigned char *)c->u.p;
72 size_t n = c->num;
73
74 p[n] = 0x80; /* There always is a room for one */
75 n++;
76 if (n > (sizeof(c->u) - 16)) {
77 memset(p + n, 0, sizeof(c->u) - n);
78 n = 0;
79 sha512_block_data_order(c, p, 1);
80 }
81
82 memset(p + n, 0, sizeof(c->u) - 16 - n);
83 #if _BYTE_ORDER == _BIG_ENDIAN
84 c->u.d[SHA_LBLOCK - 2] = c->Nh;
85 c->u.d[SHA_LBLOCK - 1] = c->Nl;
86 #else
87 p[sizeof(c->u) - 1] = (unsigned char)(c->Nl);
88 p[sizeof(c->u) - 2] = (unsigned char)(c->Nl >> 8);
89 p[sizeof(c->u) - 3] = (unsigned char)(c->Nl >> 16);
90 p[sizeof(c->u) - 4] = (unsigned char)(c->Nl >> 24);
91 p[sizeof(c->u) - 5] = (unsigned char)(c->Nl >> 32);
92 p[sizeof(c->u) - 6] = (unsigned char)(c->Nl >> 40);
93 p[sizeof(c->u) - 7] = (unsigned char)(c->Nl >> 48);
94 p[sizeof(c->u) - 8] = (unsigned char)(c->Nl >> 56);
95 p[sizeof(c->u) - 9] = (unsigned char)(c->Nh);
96 p[sizeof(c->u) - 10] = (unsigned char)(c->Nh >> 8);
97 p[sizeof(c->u) - 11] = (unsigned char)(c->Nh >> 16);
98 p[sizeof(c->u) - 12] = (unsigned char)(c->Nh >> 24);
99 p[sizeof(c->u) - 13] = (unsigned char)(c->Nh >> 32);
100 p[sizeof(c->u) - 14] = (unsigned char)(c->Nh >> 40);
101 p[sizeof(c->u) - 15] = (unsigned char)(c->Nh >> 48);
102 p[sizeof(c->u) - 16] = (unsigned char)(c->Nh >> 56);
103 #endif
104
105 sha512_block_data_order(c, p, 1);
106
107 switch (c->md_len) {
108 /* Let compiler decide if it's appropriate to unroll... */
109 case SHA224_DIGEST_LENGTH:
110 for (n = 0; n < SHA224_DIGEST_LENGTH / 8; n++) {
111 SHA_LONG64 t = c->h[n];
112
113 *(md++) = (unsigned char)(t >> 56);
114 *(md++) = (unsigned char)(t >> 48);
115 *(md++) = (unsigned char)(t >> 40);
116 *(md++) = (unsigned char)(t >> 32);
117 *(md++) = (unsigned char)(t >> 24);
118 *(md++) = (unsigned char)(t >> 16);
119 *(md++) = (unsigned char)(t >> 8);
120 *(md++) = (unsigned char)(t);
121 }
122 /*
123 * For 224 bits, there are four bytes left over that have to be
124 * processed separately.
125 */
126 {
127 SHA_LONG64 t = c->h[SHA224_DIGEST_LENGTH / 8];
128
129 *(md++) = (unsigned char)(t >> 56);
130 *(md++) = (unsigned char)(t >> 48);
131 *(md++) = (unsigned char)(t >> 40);
132 *(md++) = (unsigned char)(t >> 32);
133 }
134 break;
135 case SHA256_DIGEST_LENGTH:
136 for (n = 0; n < SHA256_DIGEST_LENGTH / 8; n++) {
137 SHA_LONG64 t = c->h[n];
138
139 *(md++) = (unsigned char)(t >> 56);
140 *(md++) = (unsigned char)(t >> 48);
141 *(md++) = (unsigned char)(t >> 40);
142 *(md++) = (unsigned char)(t >> 32);
143 *(md++) = (unsigned char)(t >> 24);
144 *(md++) = (unsigned char)(t >> 16);
145 *(md++) = (unsigned char)(t >> 8);
146 *(md++) = (unsigned char)(t);
147 }
148 break;
149 case SHA384_DIGEST_LENGTH:
150 for (n = 0; n < SHA384_DIGEST_LENGTH / 8; n++) {
151 SHA_LONG64 t = c->h[n];
152
153 *(md++) = (unsigned char)(t >> 56);
154 *(md++) = (unsigned char)(t >> 48);
155 *(md++) = (unsigned char)(t >> 40);
156 *(md++) = (unsigned char)(t >> 32);
157 *(md++) = (unsigned char)(t >> 24);
158 *(md++) = (unsigned char)(t >> 16);
159 *(md++) = (unsigned char)(t >> 8);
160 *(md++) = (unsigned char)(t);
161 }
162 break;
163 case SHA512_DIGEST_LENGTH:
164 for (n = 0; n < SHA512_DIGEST_LENGTH / 8; n++) {
165 SHA_LONG64 t = c->h[n];
166
167 *(md++) = (unsigned char)(t >> 56);
168 *(md++) = (unsigned char)(t >> 48);
169 *(md++) = (unsigned char)(t >> 40);
170 *(md++) = (unsigned char)(t >> 32);
171 *(md++) = (unsigned char)(t >> 24);
172 *(md++) = (unsigned char)(t >> 16);
173 *(md++) = (unsigned char)(t >> 8);
174 *(md++) = (unsigned char)(t);
175 }
176 break;
177 /* ... as well as make sure md_len is not abused. */
178 default:
179 __assert_unreachable();
180 }
181 }
182
183 static int
ossl_sha512_update(void * c_,const void * _data,unsigned int len)184 ossl_sha512_update(void *c_, const void *_data, unsigned int len)
185 {
186 SHA512_CTX *c = c_;
187 SHA_LONG64 l;
188 unsigned char *p = c->u.p;
189 const unsigned char *data = (const unsigned char *)_data;
190
191 if (len == 0)
192 return 0;
193
194 l = (c->Nl + (((SHA_LONG64) len) << 3)) & U64(0xffffffffffffffff);
195 if (l < c->Nl)
196 c->Nh++;
197 if (sizeof(len) >= 8)
198 c->Nh += (((SHA_LONG64) len) >> 61);
199 c->Nl = l;
200
201 if (c->num != 0) {
202 size_t n = sizeof(c->u) - c->num;
203
204 if (len < n) {
205 memcpy(p + c->num, data, len), c->num += (unsigned int)len;
206 return 0;
207 } else {
208 memcpy(p + c->num, data, n), c->num = 0;
209 len -= n, data += n;
210 sha512_block_data_order(c, p, 1);
211 }
212 }
213
214 if (len >= sizeof(c->u)) {
215 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
216 if ((size_t)data % sizeof(c->u.d[0]) != 0)
217 while (len >= sizeof(c->u))
218 memcpy(p, data, sizeof(c->u)),
219 sha512_block_data_order(c, p, 1),
220 len -= sizeof(c->u), data += sizeof(c->u);
221 else
222 #endif
223 sha512_block_data_order(c, data, len / sizeof(c->u)),
224 data += len, len %= sizeof(c->u), data -= len;
225 }
226
227 if (len != 0)
228 memcpy(p, data, len), c->num = (int)len;
229
230 return 0;
231 }
232
233 struct auth_hash ossl_hash_sha384 = {
234 .type = CRYPTO_SHA2_384,
235 .name = "OpenSSL-SHA2-384",
236 .hashsize = SHA2_384_HASH_LEN,
237 .ctxsize = sizeof(SHA512_CTX),
238 .blocksize = SHA2_384_BLOCK_LEN,
239 .Init = ossl_sha384_init,
240 .Update = ossl_sha512_update,
241 .Final = ossl_sha512_final,
242 };
243
244 struct auth_hash ossl_hash_sha512 = {
245 .type = CRYPTO_SHA2_512,
246 .name = "OpenSSL-SHA2-512",
247 .hashsize = SHA2_512_HASH_LEN,
248 .ctxsize = sizeof(SHA512_CTX),
249 .blocksize = SHA2_512_BLOCK_LEN,
250 .Init = ossl_sha512_init,
251 .Update = ossl_sha512_update,
252 .Final = ossl_sha512_final,
253 };
254
255 _Static_assert(sizeof(SHA512_CTX) <= sizeof(struct ossl_hash_context),
256 "ossl_hash_context too small");
257