1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or https://opensource.org/licenses/CDDL-1.0. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Based on public domain code in cppcrypto 0.10. 24 * Copyright (c) 2022 Tino Reichardt <milky-zfs@mcmilk.de> 25 */ 26 27 #include <sys/zfs_context.h> 28 #include <sys/zfs_impl.h> 29 #include <sys/sha2.h> 30 31 #include <sha2/sha2_impl.h> 32 33 /* 34 * On i386, gcc brings this for sha512_generic(): 35 * error: the frame size of 1040 bytes is larger than 1024 36 */ 37 #if defined(__GNUC__) && defined(_ILP32) 38 #pragma GCC diagnostic ignored "-Wframe-larger-than=" 39 #endif 40 41 /* SHA256 */ 42 static const uint32_t SHA256_K[64] = { 43 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 44 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 45 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 46 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 47 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 48 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 49 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 50 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 51 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 52 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 53 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 54 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 55 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 56 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 57 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 58 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 59 }; 60 61 #define Ch(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) 62 #define Maj(x, y, z) (((y) & (z)) | (((y) | (z)) & (x))) 63 64 #define rotr32(x, n) (((x) >> n) | ((x) << (32 - n))) 65 #define sum0(x) (rotr32((x), 2) ^ rotr32((x), 13) ^ rotr32((x), 22)) 66 #define sum1(x) (rotr32((x), 6) ^ rotr32((x), 11) ^ rotr32((x), 25)) 67 #define sigma0(x) (rotr32((x), 7) ^ rotr32((x), 18) ^ ((x) >> 3)) 68 #define sigma1(x) (rotr32((x), 17) ^ rotr32((x), 19) ^ ((x) >> 10)) 69 70 #define WU(j) (W[j & 15] += sigma1(W[(j + 14) & 15]) \ 71 + W[(j + 9) & 15] + sigma0(W[(j + 1) & 15])) 72 73 #define COMPRESS(i, j, K) \ 74 T1 = h + sum1(e) + Ch(e, f, g) + K[i + j] + (i? WU(j): W[j]); \ 75 T2 = sum0(a) + Maj(a, b, c); \ 76 h = g, g = f, f = e, e = d + T1; \ 77 d = c, c = b, b = a, a = T1 + T2; 78 79 static void sha256_generic(uint32_t state[8], const void *data, size_t num_blks) 80 { 81 uint64_t blk; 82 83 for (blk = 0; blk < num_blks; blk++) { 84 uint32_t W[16]; 85 uint32_t a, b, c, d, e, f, g, h; 86 uint32_t T1, T2; 87 int i; 88 89 for (i = 0; i < 16; i++) { 90 W[i] = BE_32( \ 91 (((const uint32_t *)(data))[blk * 16 + i])); 92 } 93 94 a = state[0]; 95 b = state[1]; 96 c = state[2]; 97 d = state[3]; 98 e = state[4]; 99 f = state[5]; 100 g = state[6]; 101 h = state[7]; 102 103 for (i = 0; i <= 63; i += 16) { 104 COMPRESS(i, 0, SHA256_K); 105 COMPRESS(i, 1, SHA256_K); 106 COMPRESS(i, 2, SHA256_K); 107 COMPRESS(i, 3, SHA256_K); 108 COMPRESS(i, 4, SHA256_K); 109 COMPRESS(i, 5, SHA256_K); 110 COMPRESS(i, 6, SHA256_K); 111 COMPRESS(i, 7, SHA256_K); 112 COMPRESS(i, 8, SHA256_K); 113 COMPRESS(i, 9, SHA256_K); 114 COMPRESS(i, 10, SHA256_K); 115 COMPRESS(i, 11, SHA256_K); 116 COMPRESS(i, 12, SHA256_K); 117 COMPRESS(i, 13, SHA256_K); 118 COMPRESS(i, 14, SHA256_K); 119 COMPRESS(i, 15, SHA256_K); 120 } 121 122 state[0] += a; 123 state[1] += b; 124 state[2] += c; 125 state[3] += d; 126 state[4] += e; 127 state[5] += f; 128 state[6] += g; 129 state[7] += h; 130 } 131 } 132 133 #undef sum0 134 #undef sum1 135 #undef sigma0 136 #undef sigma1 137 138 #define rotr64(x, n) (((x) >> n) | ((x) << (64 - n))) 139 #define sum0(x) (rotr64((x), 28) ^ rotr64((x), 34) ^ rotr64((x), 39)) 140 #define sum1(x) (rotr64((x), 14) ^ rotr64((x), 18) ^ rotr64((x), 41)) 141 #define sigma0(x) (rotr64((x), 1) ^ rotr64((x), 8) ^ ((x) >> 7)) 142 #define sigma1(x) (rotr64((x), 19) ^ rotr64((x), 61) ^ ((x) >> 6)) 143 144 /* SHA512 */ 145 static const uint64_t SHA512_K[80] = { 146 0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 147 0xe9b5dba58189dbbc, 0x3956c25bf348b538, 0x59f111f1b605d019, 148 0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242, 149 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2, 150 0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, 151 0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 152 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 0x2de92c6f592b0275, 153 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5, 154 0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f, 155 0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725, 156 0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc, 157 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df, 158 0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 159 0x92722c851482353b, 0xa2bfe8a14cf10364, 0xa81a664bbc423001, 160 0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218, 161 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8, 162 0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99, 163 0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 164 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc, 165 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec, 166 0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 167 0xc67178f2e372532b, 0xca273eceea26619c, 0xd186b8c721c0c207, 168 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba, 169 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b, 170 0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, 171 0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 172 0x5fcb6fab3ad6faec, 0x6c44198c4a475817 173 }; 174 175 static void sha512_generic(uint64_t state[8], const void *data, size_t num_blks) 176 { 177 uint64_t blk; 178 179 for (blk = 0; blk < num_blks; blk++) { 180 uint64_t W[16]; 181 uint64_t a, b, c, d, e, f, g, h; 182 uint64_t T1, T2; 183 int i; 184 185 for (i = 0; i < 16; i++) { 186 W[i] = BE_64( \ 187 (((const uint64_t *)(data))[blk * 16 + i])); 188 } 189 190 a = state[0]; 191 b = state[1]; 192 c = state[2]; 193 d = state[3]; 194 e = state[4]; 195 f = state[5]; 196 g = state[6]; 197 h = state[7]; 198 199 for (i = 0; i <= 79; i += 16) { 200 COMPRESS(i, 0, SHA512_K); 201 COMPRESS(i, 1, SHA512_K); 202 COMPRESS(i, 2, SHA512_K); 203 COMPRESS(i, 3, SHA512_K); 204 COMPRESS(i, 4, SHA512_K); 205 COMPRESS(i, 5, SHA512_K); 206 COMPRESS(i, 6, SHA512_K); 207 COMPRESS(i, 7, SHA512_K); 208 COMPRESS(i, 8, SHA512_K); 209 COMPRESS(i, 9, SHA512_K); 210 COMPRESS(i, 10, SHA512_K); 211 COMPRESS(i, 11, SHA512_K); 212 COMPRESS(i, 12, SHA512_K); 213 COMPRESS(i, 13, SHA512_K); 214 COMPRESS(i, 14, SHA512_K); 215 COMPRESS(i, 15, SHA512_K); 216 } 217 state[0] += a; 218 state[1] += b; 219 state[2] += c; 220 state[3] += d; 221 state[4] += e; 222 state[5] += f; 223 state[6] += g; 224 state[7] += h; 225 } 226 } 227 228 static void sha256_update(sha256_ctx *ctx, const uint8_t *data, size_t len) 229 { 230 uint64_t pos = ctx->count[0]; 231 uint64_t total = ctx->count[1]; 232 uint8_t *m = ctx->wbuf; 233 const sha256_ops_t *ops = ctx->ops; 234 235 if (pos && pos + len >= 64) { 236 memcpy(m + pos, data, 64 - pos); 237 ops->transform(ctx->state, m, 1); 238 len -= 64 - pos; 239 total += (64 - pos) * 8; 240 data += 64 - pos; 241 pos = 0; 242 } 243 244 if (len >= 64) { 245 uint32_t blocks = len / 64; 246 uint32_t bytes = blocks * 64; 247 ops->transform(ctx->state, data, blocks); 248 len -= bytes; 249 total += (bytes) * 8; 250 data += bytes; 251 } 252 memcpy(m + pos, data, len); 253 254 pos += len; 255 total += len * 8; 256 ctx->count[0] = pos; 257 ctx->count[1] = total; 258 } 259 260 static void sha512_update(sha512_ctx *ctx, const uint8_t *data, size_t len) 261 { 262 uint64_t pos = ctx->count[0]; 263 uint64_t total = ctx->count[1]; 264 uint8_t *m = ctx->wbuf; 265 const sha512_ops_t *ops = ctx->ops; 266 267 if (pos && pos + len >= 128) { 268 memcpy(m + pos, data, 128 - pos); 269 ops->transform(ctx->state, m, 1); 270 len -= 128 - pos; 271 total += (128 - pos) * 8; 272 data += 128 - pos; 273 pos = 0; 274 } 275 276 if (len >= 128) { 277 uint64_t blocks = len / 128; 278 uint64_t bytes = blocks * 128; 279 ops->transform(ctx->state, data, blocks); 280 len -= bytes; 281 total += (bytes) * 8; 282 data += bytes; 283 } 284 memcpy(m + pos, data, len); 285 286 pos += len; 287 total += len * 8; 288 ctx->count[0] = pos; 289 ctx->count[1] = total; 290 } 291 292 static void sha256_final(sha256_ctx *ctx, uint8_t *result, int bits) 293 { 294 uint64_t mlen, pos = ctx->count[0]; 295 uint8_t *m = ctx->wbuf; 296 uint32_t *R = (uint32_t *)result; 297 const sha256_ops_t *ops = ctx->ops; 298 299 m[pos++] = 0x80; 300 if (pos > 56) { 301 memset(m + pos, 0, 64 - pos); 302 ops->transform(ctx->state, m, 1); 303 pos = 0; 304 } 305 306 memset(m + pos, 0, 64 - pos); 307 mlen = BE_64(ctx->count[1]); 308 memcpy(m + (64 - 8), &mlen, 64 / 8); 309 ops->transform(ctx->state, m, 1); 310 311 switch (bits) { 312 case 224: /* 28 - unused currently /TR */ 313 R[0] = BE_32(ctx->state[0]); 314 R[1] = BE_32(ctx->state[1]); 315 R[2] = BE_32(ctx->state[2]); 316 R[3] = BE_32(ctx->state[3]); 317 R[4] = BE_32(ctx->state[4]); 318 R[5] = BE_32(ctx->state[5]); 319 R[6] = BE_32(ctx->state[6]); 320 break; 321 case 256: /* 32 */ 322 R[0] = BE_32(ctx->state[0]); 323 R[1] = BE_32(ctx->state[1]); 324 R[2] = BE_32(ctx->state[2]); 325 R[3] = BE_32(ctx->state[3]); 326 R[4] = BE_32(ctx->state[4]); 327 R[5] = BE_32(ctx->state[5]); 328 R[6] = BE_32(ctx->state[6]); 329 R[7] = BE_32(ctx->state[7]); 330 break; 331 } 332 333 memset(ctx, 0, sizeof (*ctx)); 334 } 335 336 static void sha512_final(sha512_ctx *ctx, uint8_t *result, int bits) 337 { 338 uint64_t mlen, pos = ctx->count[0]; 339 uint8_t *m = ctx->wbuf, *r; 340 uint64_t *R = (uint64_t *)result; 341 const sha512_ops_t *ops = ctx->ops; 342 343 m[pos++] = 0x80; 344 if (pos > 112) { 345 memset(m + pos, 0, 128 - pos); 346 ops->transform(ctx->state, m, 1); 347 pos = 0; 348 } 349 350 memset(m + pos, 0, 128 - pos); 351 mlen = BE_64(ctx->count[1]); 352 memcpy(m + (128 - 8), &mlen, 64 / 8); 353 ops->transform(ctx->state, m, 1); 354 355 switch (bits) { 356 case 224: /* 28 => 3,5 x 8 */ 357 r = result + 24; 358 R[0] = BE_64(ctx->state[0]); 359 R[1] = BE_64(ctx->state[1]); 360 R[2] = BE_64(ctx->state[2]); 361 /* last 4 bytes are special here */ 362 *r++ = (uint8_t)(ctx->state[3] >> 56); 363 *r++ = (uint8_t)(ctx->state[3] >> 48); 364 *r++ = (uint8_t)(ctx->state[3] >> 40); 365 *r++ = (uint8_t)(ctx->state[3] >> 32); 366 break; 367 case 256: /* 32 */ 368 R[0] = BE_64(ctx->state[0]); 369 R[1] = BE_64(ctx->state[1]); 370 R[2] = BE_64(ctx->state[2]); 371 R[3] = BE_64(ctx->state[3]); 372 break; 373 case 384: /* 48 */ 374 R[0] = BE_64(ctx->state[0]); 375 R[1] = BE_64(ctx->state[1]); 376 R[2] = BE_64(ctx->state[2]); 377 R[3] = BE_64(ctx->state[3]); 378 R[4] = BE_64(ctx->state[4]); 379 R[5] = BE_64(ctx->state[5]); 380 break; 381 case 512: /* 64 */ 382 R[0] = BE_64(ctx->state[0]); 383 R[1] = BE_64(ctx->state[1]); 384 R[2] = BE_64(ctx->state[2]); 385 R[3] = BE_64(ctx->state[3]); 386 R[4] = BE_64(ctx->state[4]); 387 R[5] = BE_64(ctx->state[5]); 388 R[6] = BE_64(ctx->state[6]); 389 R[7] = BE_64(ctx->state[7]); 390 break; 391 } 392 393 memset(ctx, 0, sizeof (*ctx)); 394 } 395 396 /* SHA2 Init function */ 397 void 398 SHA2Init(int algotype, SHA2_CTX *ctx) 399 { 400 sha256_ctx *ctx256 = &ctx->sha256; 401 sha512_ctx *ctx512 = &ctx->sha512; 402 403 ASSERT3S(algotype, >=, SHA512_HMAC_MECH_INFO_TYPE); 404 ASSERT3S(algotype, <=, SHA512_256); 405 406 memset(ctx, 0, sizeof (*ctx)); 407 ctx->algotype = algotype; 408 switch (ctx->algotype) { 409 case SHA256: 410 ctx256->state[0] = 0x6a09e667; 411 ctx256->state[1] = 0xbb67ae85; 412 ctx256->state[2] = 0x3c6ef372; 413 ctx256->state[3] = 0xa54ff53a; 414 ctx256->state[4] = 0x510e527f; 415 ctx256->state[5] = 0x9b05688c; 416 ctx256->state[6] = 0x1f83d9ab; 417 ctx256->state[7] = 0x5be0cd19; 418 ctx256->count[0] = 0; 419 ctx256->ops = sha256_get_ops(); 420 break; 421 case SHA512: 422 case SHA512_HMAC_MECH_INFO_TYPE: 423 ctx512->state[0] = 0x6a09e667f3bcc908ULL; 424 ctx512->state[1] = 0xbb67ae8584caa73bULL; 425 ctx512->state[2] = 0x3c6ef372fe94f82bULL; 426 ctx512->state[3] = 0xa54ff53a5f1d36f1ULL; 427 ctx512->state[4] = 0x510e527fade682d1ULL; 428 ctx512->state[5] = 0x9b05688c2b3e6c1fULL; 429 ctx512->state[6] = 0x1f83d9abfb41bd6bULL; 430 ctx512->state[7] = 0x5be0cd19137e2179ULL; 431 ctx512->count[0] = 0; 432 ctx512->count[1] = 0; 433 ctx512->ops = sha512_get_ops(); 434 break; 435 case SHA512_256: 436 ctx512->state[0] = 0x22312194fc2bf72cULL; 437 ctx512->state[1] = 0x9f555fa3c84c64c2ULL; 438 ctx512->state[2] = 0x2393b86b6f53b151ULL; 439 ctx512->state[3] = 0x963877195940eabdULL; 440 ctx512->state[4] = 0x96283ee2a88effe3ULL; 441 ctx512->state[5] = 0xbe5e1e2553863992ULL; 442 ctx512->state[6] = 0x2b0199fc2c85b8aaULL; 443 ctx512->state[7] = 0x0eb72ddc81c52ca2ULL; 444 ctx512->count[0] = 0; 445 ctx512->count[1] = 0; 446 ctx512->ops = sha512_get_ops(); 447 break; 448 } 449 } 450 451 /* SHA2 Update function */ 452 void 453 SHA2Update(SHA2_CTX *ctx, const void *data, size_t len) 454 { 455 /* check for zero input length */ 456 if (len == 0) 457 return; 458 459 ASSERT3P(data, !=, NULL); 460 461 switch (ctx->algotype) { 462 case SHA256: 463 sha256_update(&ctx->sha256, data, len); 464 break; 465 case SHA512: 466 case SHA512_HMAC_MECH_INFO_TYPE: 467 sha512_update(&ctx->sha512, data, len); 468 break; 469 case SHA512_256: 470 sha512_update(&ctx->sha512, data, len); 471 break; 472 } 473 } 474 475 /* SHA2Final function */ 476 void 477 SHA2Final(void *digest, SHA2_CTX *ctx) 478 { 479 switch (ctx->algotype) { 480 case SHA256: 481 sha256_final(&ctx->sha256, digest, 256); 482 break; 483 case SHA512: 484 case SHA512_HMAC_MECH_INFO_TYPE: 485 sha512_final(&ctx->sha512, digest, 512); 486 break; 487 case SHA512_256: 488 sha512_final(&ctx->sha512, digest, 256); 489 break; 490 } 491 } 492 493 /* the generic implementation is always okay */ 494 static boolean_t sha2_is_supported(void) 495 { 496 return (B_TRUE); 497 } 498 499 const sha256_ops_t sha256_generic_impl = { 500 .name = "generic", 501 .transform = sha256_generic, 502 .is_supported = sha2_is_supported 503 }; 504 505 const sha512_ops_t sha512_generic_impl = { 506 .name = "generic", 507 .transform = sha512_generic, 508 .is_supported = sha2_is_supported 509 }; 510