xref: /freebsd/sys/contrib/openzfs/module/icp/algs/sha2/sha2_generic.c (revision ae8d58814089308028046ac80aeeb9cbb784bd0a)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or https://opensource.org/licenses/CDDL-1.0.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Based on public domain code in cppcrypto 0.10.
24  * Copyright (c) 2022 Tino Reichardt <milky-zfs@mcmilk.de>
25  */
26 
27 #include <sys/zfs_context.h>
28 #include <sys/zfs_impl.h>
29 #include <sys/sha2.h>
30 
31 #include <sha2/sha2_impl.h>
32 
33 /*
34  * On i386, gcc brings this for sha512_generic():
35  * error: the frame size of 1040 bytes is larger than 1024
36  */
37 #if defined(__GNUC__) && defined(_ILP32)
38 #pragma GCC diagnostic ignored "-Wframe-larger-than="
39 #endif
40 
41 /* SHA256 */
42 static const uint32_t SHA256_K[64] = {
43 	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
44 	0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
45 	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
46 	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
47 	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
48 	0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
49 	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
50 	0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
51 	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
52 	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
53 	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
54 	0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
55 	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
56 	0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
57 	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
58 	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
59 };
60 
61 #define	Ch(x, y, z)	((z) ^ ((x) & ((y) ^ (z))))
62 #define	Maj(x, y, z)	(((y) & (z)) | (((y) | (z)) & (x)))
63 
64 #define	rotr32(x, n)	(((x) >> n) | ((x) << (32 - n)))
65 #define	sum0(x)		(rotr32((x),  2) ^ rotr32((x), 13) ^ rotr32((x), 22))
66 #define	sum1(x)		(rotr32((x),  6) ^ rotr32((x), 11) ^ rotr32((x), 25))
67 #define	sigma0(x)	(rotr32((x),  7) ^ rotr32((x), 18) ^ ((x) >> 3))
68 #define	sigma1(x)	(rotr32((x), 17) ^ rotr32((x), 19) ^ ((x) >> 10))
69 
70 #define	WU(j) (W[j & 15] += sigma1(W[(j + 14) & 15]) \
71 	+ W[(j + 9) & 15] + sigma0(W[(j + 1) & 15]))
72 
73 #define	COMPRESS(i, j, K) \
74 	T1 = h + sum1(e) + Ch(e, f, g) + K[i + j] + (i? WU(j): W[j]); \
75 	T2 = sum0(a) + Maj(a, b, c); \
76 	h = g, g = f, f = e, e = d + T1; \
77 	d = c, c = b, b = a, a = T1 + T2;
78 
79 static void sha256_generic(uint32_t state[8], const void *data, size_t num_blks)
80 {
81 	uint64_t blk;
82 
83 	for (blk = 0; blk < num_blks; blk++) {
84 		uint32_t W[16];
85 		uint32_t a, b, c, d, e, f, g, h;
86 		uint32_t T1, T2;
87 		int i;
88 
89 		for (i = 0; i < 16; i++) {
90 			W[i] = BE_32( \
91 			    (((const uint32_t *)(data))[blk * 16 + i]));
92 		}
93 
94 		a = state[0];
95 		b = state[1];
96 		c = state[2];
97 		d = state[3];
98 		e = state[4];
99 		f = state[5];
100 		g = state[6];
101 		h = state[7];
102 
103 		for (i = 0; i <= 63; i += 16) {
104 			COMPRESS(i, 0, SHA256_K);
105 			COMPRESS(i, 1, SHA256_K);
106 			COMPRESS(i, 2, SHA256_K);
107 			COMPRESS(i, 3, SHA256_K);
108 			COMPRESS(i, 4, SHA256_K);
109 			COMPRESS(i, 5, SHA256_K);
110 			COMPRESS(i, 6, SHA256_K);
111 			COMPRESS(i, 7, SHA256_K);
112 			COMPRESS(i, 8, SHA256_K);
113 			COMPRESS(i, 9, SHA256_K);
114 			COMPRESS(i, 10, SHA256_K);
115 			COMPRESS(i, 11, SHA256_K);
116 			COMPRESS(i, 12, SHA256_K);
117 			COMPRESS(i, 13, SHA256_K);
118 			COMPRESS(i, 14, SHA256_K);
119 			COMPRESS(i, 15, SHA256_K);
120 		}
121 
122 		state[0] += a;
123 		state[1] += b;
124 		state[2] += c;
125 		state[3] += d;
126 		state[4] += e;
127 		state[5] += f;
128 		state[6] += g;
129 		state[7] += h;
130 	}
131 }
132 
133 #undef sum0
134 #undef sum1
135 #undef sigma0
136 #undef sigma1
137 
138 #define	rotr64(x, n)	(((x) >> n) | ((x) << (64 - n)))
139 #define	sum0(x)		(rotr64((x), 28) ^ rotr64((x), 34) ^ rotr64((x), 39))
140 #define	sum1(x)		(rotr64((x), 14) ^ rotr64((x), 18) ^ rotr64((x), 41))
141 #define	sigma0(x)	(rotr64((x),  1) ^ rotr64((x),  8) ^ ((x) >> 7))
142 #define	sigma1(x)	(rotr64((x), 19) ^ rotr64((x), 61) ^ ((x) >> 6))
143 
144 /* SHA512 */
145 static const uint64_t SHA512_K[80] = {
146 	0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f,
147 	0xe9b5dba58189dbbc, 0x3956c25bf348b538, 0x59f111f1b605d019,
148 	0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242,
149 	0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
150 	0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235,
151 	0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3,
152 	0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 0x2de92c6f592b0275,
153 	0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
154 	0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f,
155 	0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725,
156 	0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc,
157 	0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
158 	0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6,
159 	0x92722c851482353b, 0xa2bfe8a14cf10364, 0xa81a664bbc423001,
160 	0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218,
161 	0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
162 	0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99,
163 	0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb,
164 	0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc,
165 	0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
166 	0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915,
167 	0xc67178f2e372532b, 0xca273eceea26619c, 0xd186b8c721c0c207,
168 	0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba,
169 	0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
170 	0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc,
171 	0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a,
172 	0x5fcb6fab3ad6faec, 0x6c44198c4a475817
173 };
174 
175 static void sha512_generic(uint64_t state[8], const void *data, size_t num_blks)
176 {
177 	uint64_t blk;
178 
179 	for (blk = 0; blk < num_blks; blk++) {
180 		uint64_t W[16];
181 		uint64_t a, b, c, d, e, f, g, h;
182 		uint64_t T1, T2;
183 		int i;
184 
185 		for (i = 0; i < 16; i++) {
186 			W[i] = BE_64( \
187 			    (((const uint64_t *)(data))[blk * 16 + i]));
188 		}
189 
190 		a = state[0];
191 		b = state[1];
192 		c = state[2];
193 		d = state[3];
194 		e = state[4];
195 		f = state[5];
196 		g = state[6];
197 		h = state[7];
198 
199 		for (i = 0; i <= 79; i += 16) {
200 			COMPRESS(i, 0, SHA512_K);
201 			COMPRESS(i, 1, SHA512_K);
202 			COMPRESS(i, 2, SHA512_K);
203 			COMPRESS(i, 3, SHA512_K);
204 			COMPRESS(i, 4, SHA512_K);
205 			COMPRESS(i, 5, SHA512_K);
206 			COMPRESS(i, 6, SHA512_K);
207 			COMPRESS(i, 7, SHA512_K);
208 			COMPRESS(i, 8, SHA512_K);
209 			COMPRESS(i, 9, SHA512_K);
210 			COMPRESS(i, 10, SHA512_K);
211 			COMPRESS(i, 11, SHA512_K);
212 			COMPRESS(i, 12, SHA512_K);
213 			COMPRESS(i, 13, SHA512_K);
214 			COMPRESS(i, 14, SHA512_K);
215 			COMPRESS(i, 15, SHA512_K);
216 		}
217 		state[0] += a;
218 		state[1] += b;
219 		state[2] += c;
220 		state[3] += d;
221 		state[4] += e;
222 		state[5] += f;
223 		state[6] += g;
224 		state[7] += h;
225 	}
226 }
227 
228 static void sha256_update(sha256_ctx *ctx, const uint8_t *data, size_t len)
229 {
230 	uint64_t pos = ctx->count[0];
231 	uint64_t total = ctx->count[1];
232 	uint8_t *m = ctx->wbuf;
233 	const sha256_ops_t *ops = ctx->ops;
234 
235 	if (pos && pos + len >= 64) {
236 		memcpy(m + pos, data, 64 - pos);
237 		ops->transform(ctx->state, m, 1);
238 		len -= 64 - pos;
239 		total += (64 - pos) * 8;
240 		data += 64 - pos;
241 		pos = 0;
242 	}
243 
244 	if (len >= 64) {
245 		uint32_t blocks = len / 64;
246 		uint32_t bytes = blocks * 64;
247 		ops->transform(ctx->state, data, blocks);
248 		len -= bytes;
249 		total += (bytes) * 8;
250 		data += bytes;
251 	}
252 	memcpy(m + pos, data, len);
253 
254 	pos += len;
255 	total += len * 8;
256 	ctx->count[0] = pos;
257 	ctx->count[1] = total;
258 }
259 
260 static void sha512_update(sha512_ctx *ctx, const uint8_t *data, size_t len)
261 {
262 	uint64_t pos = ctx->count[0];
263 	uint64_t total = ctx->count[1];
264 	uint8_t *m = ctx->wbuf;
265 	const sha512_ops_t *ops = ctx->ops;
266 
267 	if (pos && pos + len >= 128) {
268 		memcpy(m + pos, data, 128 - pos);
269 		ops->transform(ctx->state, m, 1);
270 		len -= 128 - pos;
271 		total += (128 - pos) * 8;
272 		data += 128 - pos;
273 		pos = 0;
274 	}
275 
276 	if (len >= 128) {
277 		uint64_t blocks = len / 128;
278 		uint64_t bytes = blocks * 128;
279 		ops->transform(ctx->state, data, blocks);
280 		len -= bytes;
281 		total += (bytes) * 8;
282 		data += bytes;
283 	}
284 	memcpy(m + pos, data, len);
285 
286 	pos += len;
287 	total += len * 8;
288 	ctx->count[0] = pos;
289 	ctx->count[1] = total;
290 }
291 
292 static void sha256_final(sha256_ctx *ctx, uint8_t *result, int bits)
293 {
294 	uint64_t mlen, pos = ctx->count[0];
295 	uint8_t *m = ctx->wbuf;
296 	uint32_t *R = (uint32_t *)result;
297 	const sha256_ops_t *ops = ctx->ops;
298 
299 	m[pos++] = 0x80;
300 	if (pos > 56) {
301 		memset(m + pos, 0, 64 - pos);
302 		ops->transform(ctx->state, m, 1);
303 		pos = 0;
304 	}
305 
306 	memset(m + pos, 0, 64 - pos);
307 	mlen = BE_64(ctx->count[1]);
308 	memcpy(m + (64 - 8), &mlen, 64 / 8);
309 	ops->transform(ctx->state, m, 1);
310 
311 	switch (bits) {
312 	case 224: /* 28 - unused currently /TR */
313 		R[0] = BE_32(ctx->state[0]);
314 		R[1] = BE_32(ctx->state[1]);
315 		R[2] = BE_32(ctx->state[2]);
316 		R[3] = BE_32(ctx->state[3]);
317 		R[4] = BE_32(ctx->state[4]);
318 		R[5] = BE_32(ctx->state[5]);
319 		R[6] = BE_32(ctx->state[6]);
320 		break;
321 	case 256: /* 32 */
322 		R[0] = BE_32(ctx->state[0]);
323 		R[1] = BE_32(ctx->state[1]);
324 		R[2] = BE_32(ctx->state[2]);
325 		R[3] = BE_32(ctx->state[3]);
326 		R[4] = BE_32(ctx->state[4]);
327 		R[5] = BE_32(ctx->state[5]);
328 		R[6] = BE_32(ctx->state[6]);
329 		R[7] = BE_32(ctx->state[7]);
330 		break;
331 	}
332 
333 	memset(ctx, 0, sizeof (*ctx));
334 }
335 
336 static void sha512_final(sha512_ctx *ctx, uint8_t *result, int bits)
337 {
338 	uint64_t mlen, pos = ctx->count[0];
339 	uint8_t *m = ctx->wbuf, *r;
340 	uint64_t *R = (uint64_t *)result;
341 	const sha512_ops_t *ops = ctx->ops;
342 
343 	m[pos++] = 0x80;
344 	if (pos > 112) {
345 		memset(m + pos, 0, 128 - pos);
346 		ops->transform(ctx->state, m, 1);
347 		pos = 0;
348 	}
349 
350 	memset(m + pos, 0, 128 - pos);
351 	mlen = BE_64(ctx->count[1]);
352 	memcpy(m + (128 - 8), &mlen, 64 / 8);
353 	ops->transform(ctx->state, m, 1);
354 
355 	switch (bits) {
356 	case 224: /* 28 => 3,5 x 8 */
357 		r = result + 24;
358 		R[0] = BE_64(ctx->state[0]);
359 		R[1] = BE_64(ctx->state[1]);
360 		R[2] = BE_64(ctx->state[2]);
361 		/* last 4 bytes are special here */
362 		*r++ = (uint8_t)(ctx->state[3] >> 56);
363 		*r++ = (uint8_t)(ctx->state[3] >> 48);
364 		*r++ = (uint8_t)(ctx->state[3] >> 40);
365 		*r++ = (uint8_t)(ctx->state[3] >> 32);
366 		break;
367 	case 256: /* 32 */
368 		R[0] = BE_64(ctx->state[0]);
369 		R[1] = BE_64(ctx->state[1]);
370 		R[2] = BE_64(ctx->state[2]);
371 		R[3] = BE_64(ctx->state[3]);
372 		break;
373 	case 384: /* 48 */
374 		R[0] = BE_64(ctx->state[0]);
375 		R[1] = BE_64(ctx->state[1]);
376 		R[2] = BE_64(ctx->state[2]);
377 		R[3] = BE_64(ctx->state[3]);
378 		R[4] = BE_64(ctx->state[4]);
379 		R[5] = BE_64(ctx->state[5]);
380 		break;
381 	case 512: /* 64 */
382 		R[0] = BE_64(ctx->state[0]);
383 		R[1] = BE_64(ctx->state[1]);
384 		R[2] = BE_64(ctx->state[2]);
385 		R[3] = BE_64(ctx->state[3]);
386 		R[4] = BE_64(ctx->state[4]);
387 		R[5] = BE_64(ctx->state[5]);
388 		R[6] = BE_64(ctx->state[6]);
389 		R[7] = BE_64(ctx->state[7]);
390 		break;
391 	}
392 
393 	memset(ctx, 0, sizeof (*ctx));
394 }
395 
396 /* SHA2 Init function */
397 void
398 SHA2Init(int algotype, SHA2_CTX *ctx)
399 {
400 	sha256_ctx *ctx256 = &ctx->sha256;
401 	sha512_ctx *ctx512 = &ctx->sha512;
402 
403 	ASSERT3S(algotype, >=, SHA512_HMAC_MECH_INFO_TYPE);
404 	ASSERT3S(algotype, <=, SHA512_256);
405 
406 	memset(ctx, 0, sizeof (*ctx));
407 	ctx->algotype = algotype;
408 	switch (ctx->algotype) {
409 		case SHA256:
410 			ctx256->state[0] = 0x6a09e667;
411 			ctx256->state[1] = 0xbb67ae85;
412 			ctx256->state[2] = 0x3c6ef372;
413 			ctx256->state[3] = 0xa54ff53a;
414 			ctx256->state[4] = 0x510e527f;
415 			ctx256->state[5] = 0x9b05688c;
416 			ctx256->state[6] = 0x1f83d9ab;
417 			ctx256->state[7] = 0x5be0cd19;
418 			ctx256->count[0] = 0;
419 			ctx256->ops = sha256_get_ops();
420 			break;
421 		case SHA512:
422 		case SHA512_HMAC_MECH_INFO_TYPE:
423 			ctx512->state[0] = 0x6a09e667f3bcc908ULL;
424 			ctx512->state[1] = 0xbb67ae8584caa73bULL;
425 			ctx512->state[2] = 0x3c6ef372fe94f82bULL;
426 			ctx512->state[3] = 0xa54ff53a5f1d36f1ULL;
427 			ctx512->state[4] = 0x510e527fade682d1ULL;
428 			ctx512->state[5] = 0x9b05688c2b3e6c1fULL;
429 			ctx512->state[6] = 0x1f83d9abfb41bd6bULL;
430 			ctx512->state[7] = 0x5be0cd19137e2179ULL;
431 			ctx512->count[0] = 0;
432 			ctx512->count[1] = 0;
433 			ctx512->ops = sha512_get_ops();
434 			break;
435 		case SHA512_256:
436 			ctx512->state[0] = 0x22312194fc2bf72cULL;
437 			ctx512->state[1] = 0x9f555fa3c84c64c2ULL;
438 			ctx512->state[2] = 0x2393b86b6f53b151ULL;
439 			ctx512->state[3] = 0x963877195940eabdULL;
440 			ctx512->state[4] = 0x96283ee2a88effe3ULL;
441 			ctx512->state[5] = 0xbe5e1e2553863992ULL;
442 			ctx512->state[6] = 0x2b0199fc2c85b8aaULL;
443 			ctx512->state[7] = 0x0eb72ddc81c52ca2ULL;
444 			ctx512->count[0] = 0;
445 			ctx512->count[1] = 0;
446 			ctx512->ops = sha512_get_ops();
447 			break;
448 	}
449 }
450 
451 /* SHA2 Update function */
452 void
453 SHA2Update(SHA2_CTX *ctx, const void *data, size_t len)
454 {
455 	/* check for zero input length */
456 	if (len == 0)
457 		return;
458 
459 	ASSERT3P(data, !=, NULL);
460 
461 	switch (ctx->algotype) {
462 		case SHA256:
463 			sha256_update(&ctx->sha256, data, len);
464 			break;
465 		case SHA512:
466 		case SHA512_HMAC_MECH_INFO_TYPE:
467 			sha512_update(&ctx->sha512, data, len);
468 			break;
469 		case SHA512_256:
470 			sha512_update(&ctx->sha512, data, len);
471 			break;
472 	}
473 }
474 
475 /* SHA2Final function */
476 void
477 SHA2Final(void *digest, SHA2_CTX *ctx)
478 {
479 	switch (ctx->algotype) {
480 		case SHA256:
481 			sha256_final(&ctx->sha256, digest, 256);
482 			break;
483 		case SHA512:
484 		case SHA512_HMAC_MECH_INFO_TYPE:
485 			sha512_final(&ctx->sha512, digest, 512);
486 			break;
487 		case SHA512_256:
488 			sha512_final(&ctx->sha512, digest, 256);
489 			break;
490 	}
491 }
492 
493 /* the generic implementation is always okay */
494 static boolean_t sha2_is_supported(void)
495 {
496 	return (B_TRUE);
497 }
498 
499 const sha256_ops_t sha256_generic_impl = {
500 	.name = "generic",
501 	.transform = sha256_generic,
502 	.is_supported = sha2_is_supported
503 };
504 
505 const sha512_ops_t sha512_generic_impl = {
506 	.name = "generic",
507 	.transform = sha512_generic,
508 	.is_supported = sha2_is_supported
509 };
510