xref: /freebsd/sys/crypto/openssl/ossl_sha512.c (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1 /*
2  * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <sys/cdefs.h>
11 #include <sys/libkern.h>
12 #include <sys/malloc.h>
13 
14 #include <opencrypto/cryptodev.h>
15 #include <opencrypto/xform_auth.h>
16 
17 #include <crypto/openssl/ossl.h>
18 #include <crypto/openssl/ossl_sha.h>
19 
20 /* sha512-x86_64.S */
21 void sha512_block_data_order(SHA512_CTX *c, const void *in, size_t num);
22 
23 /* From crypto/sha/sha512.c */
24 
25 #if defined(__i386__) || defined(__amd64__) || defined(__aarch64__)
26 # define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
27 #endif
28 
29 static void
30 ossl_sha384_init(void *c_)
31 {
32     SHA512_CTX *c = c_;
33     c->h[0] = U64(0xcbbb9d5dc1059ed8);
34     c->h[1] = U64(0x629a292a367cd507);
35     c->h[2] = U64(0x9159015a3070dd17);
36     c->h[3] = U64(0x152fecd8f70e5939);
37     c->h[4] = U64(0x67332667ffc00b31);
38     c->h[5] = U64(0x8eb44a8768581511);
39     c->h[6] = U64(0xdb0c2e0d64f98fa7);
40     c->h[7] = U64(0x47b5481dbefa4fa4);
41 
42     c->Nl = 0;
43     c->Nh = 0;
44     c->num = 0;
45     c->md_len = SHA384_DIGEST_LENGTH;
46 }
47 
48 static void
49 ossl_sha512_init(void *c_)
50 {
51     SHA512_CTX *c = c_;
52     c->h[0] = U64(0x6a09e667f3bcc908);
53     c->h[1] = U64(0xbb67ae8584caa73b);
54     c->h[2] = U64(0x3c6ef372fe94f82b);
55     c->h[3] = U64(0xa54ff53a5f1d36f1);
56     c->h[4] = U64(0x510e527fade682d1);
57     c->h[5] = U64(0x9b05688c2b3e6c1f);
58     c->h[6] = U64(0x1f83d9abfb41bd6b);
59     c->h[7] = U64(0x5be0cd19137e2179);
60 
61     c->Nl = 0;
62     c->Nh = 0;
63     c->num = 0;
64     c->md_len = SHA512_DIGEST_LENGTH;
65 }
66 
67 static void
68 ossl_sha512_final(uint8_t *md, void *c_)
69 {
70     SHA512_CTX *c = c_;
71     unsigned char *p = (unsigned char *)c->u.p;
72     size_t n = c->num;
73 
74     p[n] = 0x80;                /* There always is a room for one */
75     n++;
76     if (n > (sizeof(c->u) - 16)) {
77         memset(p + n, 0, sizeof(c->u) - n);
78         n = 0;
79         sha512_block_data_order(c, p, 1);
80     }
81 
82     memset(p + n, 0, sizeof(c->u) - 16 - n);
83 #if _BYTE_ORDER == _BIG_ENDIAN
84     c->u.d[SHA_LBLOCK - 2] = c->Nh;
85     c->u.d[SHA_LBLOCK - 1] = c->Nl;
86 #else
87     p[sizeof(c->u) - 1] = (unsigned char)(c->Nl);
88     p[sizeof(c->u) - 2] = (unsigned char)(c->Nl >> 8);
89     p[sizeof(c->u) - 3] = (unsigned char)(c->Nl >> 16);
90     p[sizeof(c->u) - 4] = (unsigned char)(c->Nl >> 24);
91     p[sizeof(c->u) - 5] = (unsigned char)(c->Nl >> 32);
92     p[sizeof(c->u) - 6] = (unsigned char)(c->Nl >> 40);
93     p[sizeof(c->u) - 7] = (unsigned char)(c->Nl >> 48);
94     p[sizeof(c->u) - 8] = (unsigned char)(c->Nl >> 56);
95     p[sizeof(c->u) - 9] = (unsigned char)(c->Nh);
96     p[sizeof(c->u) - 10] = (unsigned char)(c->Nh >> 8);
97     p[sizeof(c->u) - 11] = (unsigned char)(c->Nh >> 16);
98     p[sizeof(c->u) - 12] = (unsigned char)(c->Nh >> 24);
99     p[sizeof(c->u) - 13] = (unsigned char)(c->Nh >> 32);
100     p[sizeof(c->u) - 14] = (unsigned char)(c->Nh >> 40);
101     p[sizeof(c->u) - 15] = (unsigned char)(c->Nh >> 48);
102     p[sizeof(c->u) - 16] = (unsigned char)(c->Nh >> 56);
103 #endif
104 
105     sha512_block_data_order(c, p, 1);
106 
107     switch (c->md_len) {
108     /* Let compiler decide if it's appropriate to unroll... */
109     case SHA224_DIGEST_LENGTH:
110         for (n = 0; n < SHA224_DIGEST_LENGTH / 8; n++) {
111             SHA_LONG64 t = c->h[n];
112 
113             *(md++) = (unsigned char)(t >> 56);
114             *(md++) = (unsigned char)(t >> 48);
115             *(md++) = (unsigned char)(t >> 40);
116             *(md++) = (unsigned char)(t >> 32);
117             *(md++) = (unsigned char)(t >> 24);
118             *(md++) = (unsigned char)(t >> 16);
119             *(md++) = (unsigned char)(t >> 8);
120             *(md++) = (unsigned char)(t);
121         }
122         /*
123          * For 224 bits, there are four bytes left over that have to be
124          * processed separately.
125          */
126         {
127             SHA_LONG64 t = c->h[SHA224_DIGEST_LENGTH / 8];
128 
129             *(md++) = (unsigned char)(t >> 56);
130             *(md++) = (unsigned char)(t >> 48);
131             *(md++) = (unsigned char)(t >> 40);
132             *(md++) = (unsigned char)(t >> 32);
133         }
134         break;
135     case SHA256_DIGEST_LENGTH:
136         for (n = 0; n < SHA256_DIGEST_LENGTH / 8; n++) {
137             SHA_LONG64 t = c->h[n];
138 
139             *(md++) = (unsigned char)(t >> 56);
140             *(md++) = (unsigned char)(t >> 48);
141             *(md++) = (unsigned char)(t >> 40);
142             *(md++) = (unsigned char)(t >> 32);
143             *(md++) = (unsigned char)(t >> 24);
144             *(md++) = (unsigned char)(t >> 16);
145             *(md++) = (unsigned char)(t >> 8);
146             *(md++) = (unsigned char)(t);
147         }
148         break;
149     case SHA384_DIGEST_LENGTH:
150         for (n = 0; n < SHA384_DIGEST_LENGTH / 8; n++) {
151             SHA_LONG64 t = c->h[n];
152 
153             *(md++) = (unsigned char)(t >> 56);
154             *(md++) = (unsigned char)(t >> 48);
155             *(md++) = (unsigned char)(t >> 40);
156             *(md++) = (unsigned char)(t >> 32);
157             *(md++) = (unsigned char)(t >> 24);
158             *(md++) = (unsigned char)(t >> 16);
159             *(md++) = (unsigned char)(t >> 8);
160             *(md++) = (unsigned char)(t);
161         }
162         break;
163     case SHA512_DIGEST_LENGTH:
164         for (n = 0; n < SHA512_DIGEST_LENGTH / 8; n++) {
165             SHA_LONG64 t = c->h[n];
166 
167             *(md++) = (unsigned char)(t >> 56);
168             *(md++) = (unsigned char)(t >> 48);
169             *(md++) = (unsigned char)(t >> 40);
170             *(md++) = (unsigned char)(t >> 32);
171             *(md++) = (unsigned char)(t >> 24);
172             *(md++) = (unsigned char)(t >> 16);
173             *(md++) = (unsigned char)(t >> 8);
174             *(md++) = (unsigned char)(t);
175         }
176         break;
177     /* ... as well as make sure md_len is not abused. */
178     default:
179         __assert_unreachable();
180     }
181 }
182 
183 static int
184 ossl_sha512_update(void *c_, const void *_data, unsigned int len)
185 {
186     SHA512_CTX *c = c_;
187     SHA_LONG64 l;
188     unsigned char *p = c->u.p;
189     const unsigned char *data = (const unsigned char *)_data;
190 
191     if (len == 0)
192         return 0;
193 
194     l = (c->Nl + (((SHA_LONG64) len) << 3)) & U64(0xffffffffffffffff);
195     if (l < c->Nl)
196         c->Nh++;
197     if (sizeof(len) >= 8)
198         c->Nh += (((SHA_LONG64) len) >> 61);
199     c->Nl = l;
200 
201     if (c->num != 0) {
202         size_t n = sizeof(c->u) - c->num;
203 
204         if (len < n) {
205             memcpy(p + c->num, data, len), c->num += (unsigned int)len;
206             return 0;
207         } else {
208             memcpy(p + c->num, data, n), c->num = 0;
209             len -= n, data += n;
210             sha512_block_data_order(c, p, 1);
211         }
212     }
213 
214     if (len >= sizeof(c->u)) {
215 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
216         if ((size_t)data % sizeof(c->u.d[0]) != 0)
217             while (len >= sizeof(c->u))
218                 memcpy(p, data, sizeof(c->u)),
219                 sha512_block_data_order(c, p, 1),
220                 len -= sizeof(c->u), data += sizeof(c->u);
221         else
222 #endif
223             sha512_block_data_order(c, data, len / sizeof(c->u)),
224             data += len, len %= sizeof(c->u), data -= len;
225     }
226 
227     if (len != 0)
228         memcpy(p, data, len), c->num = (int)len;
229 
230     return 0;
231 }
232 
233 struct auth_hash ossl_hash_sha384 = {
234 	.type = CRYPTO_SHA2_384,
235 	.name = "OpenSSL-SHA2-384",
236 	.hashsize = SHA2_384_HASH_LEN,
237 	.ctxsize = sizeof(SHA512_CTX),
238 	.blocksize = SHA2_384_BLOCK_LEN,
239 	.Init = ossl_sha384_init,
240 	.Update = ossl_sha512_update,
241 	.Final = ossl_sha512_final,
242 };
243 
244 struct auth_hash ossl_hash_sha512 = {
245 	.type = CRYPTO_SHA2_512,
246 	.name = "OpenSSL-SHA2-512",
247 	.hashsize = SHA2_512_HASH_LEN,
248 	.ctxsize = sizeof(SHA512_CTX),
249 	.blocksize = SHA2_512_BLOCK_LEN,
250 	.Init = ossl_sha512_init,
251 	.Update = ossl_sha512_update,
252 	.Final = ossl_sha512_final,
253 };
254 
255 _Static_assert(sizeof(SHA512_CTX) <= sizeof(struct ossl_hash_context),
256     "ossl_hash_context too small");
257