1 /* 2 * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <sys/cdefs.h> 11 #include <sys/libkern.h> 12 #include <sys/malloc.h> 13 14 #include <opencrypto/cryptodev.h> 15 #include <opencrypto/xform_auth.h> 16 17 #include <crypto/openssl/ossl.h> 18 #include <crypto/openssl/ossl_sha.h> 19 20 /* sha512-x86_64.S */ 21 void sha512_block_data_order(SHA512_CTX *c, const void *in, size_t num); 22 23 /* From crypto/sha/sha512.c */ 24 25 #if defined(__i386__) || defined(__amd64__) || defined(__aarch64__) 26 # define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA 27 #endif 28 29 static void 30 ossl_sha384_init(void *c_) 31 { 32 SHA512_CTX *c = c_; 33 c->h[0] = U64(0xcbbb9d5dc1059ed8); 34 c->h[1] = U64(0x629a292a367cd507); 35 c->h[2] = U64(0x9159015a3070dd17); 36 c->h[3] = U64(0x152fecd8f70e5939); 37 c->h[4] = U64(0x67332667ffc00b31); 38 c->h[5] = U64(0x8eb44a8768581511); 39 c->h[6] = U64(0xdb0c2e0d64f98fa7); 40 c->h[7] = U64(0x47b5481dbefa4fa4); 41 42 c->Nl = 0; 43 c->Nh = 0; 44 c->num = 0; 45 c->md_len = SHA384_DIGEST_LENGTH; 46 } 47 48 static void 49 ossl_sha512_init(void *c_) 50 { 51 SHA512_CTX *c = c_; 52 c->h[0] = U64(0x6a09e667f3bcc908); 53 c->h[1] = U64(0xbb67ae8584caa73b); 54 c->h[2] = U64(0x3c6ef372fe94f82b); 55 c->h[3] = U64(0xa54ff53a5f1d36f1); 56 c->h[4] = U64(0x510e527fade682d1); 57 c->h[5] = U64(0x9b05688c2b3e6c1f); 58 c->h[6] = U64(0x1f83d9abfb41bd6b); 59 c->h[7] = U64(0x5be0cd19137e2179); 60 61 c->Nl = 0; 62 c->Nh = 0; 63 c->num = 0; 64 c->md_len = SHA512_DIGEST_LENGTH; 65 } 66 67 static void 68 ossl_sha512_final(uint8_t *md, void *c_) 69 { 70 SHA512_CTX *c = c_; 71 unsigned char *p = (unsigned char *)c->u.p; 72 size_t n = c->num; 73 74 p[n] = 0x80; /* There always is a room for one */ 75 n++; 76 if (n > (sizeof(c->u) - 16)) { 77 memset(p + n, 0, sizeof(c->u) - n); 78 n = 0; 79 sha512_block_data_order(c, p, 1); 80 } 81 82 memset(p + n, 0, sizeof(c->u) - 16 - n); 83 #if _BYTE_ORDER == _BIG_ENDIAN 84 c->u.d[SHA_LBLOCK - 2] = c->Nh; 85 c->u.d[SHA_LBLOCK - 1] = c->Nl; 86 #else 87 p[sizeof(c->u) - 1] = (unsigned char)(c->Nl); 88 p[sizeof(c->u) - 2] = (unsigned char)(c->Nl >> 8); 89 p[sizeof(c->u) - 3] = (unsigned char)(c->Nl >> 16); 90 p[sizeof(c->u) - 4] = (unsigned char)(c->Nl >> 24); 91 p[sizeof(c->u) - 5] = (unsigned char)(c->Nl >> 32); 92 p[sizeof(c->u) - 6] = (unsigned char)(c->Nl >> 40); 93 p[sizeof(c->u) - 7] = (unsigned char)(c->Nl >> 48); 94 p[sizeof(c->u) - 8] = (unsigned char)(c->Nl >> 56); 95 p[sizeof(c->u) - 9] = (unsigned char)(c->Nh); 96 p[sizeof(c->u) - 10] = (unsigned char)(c->Nh >> 8); 97 p[sizeof(c->u) - 11] = (unsigned char)(c->Nh >> 16); 98 p[sizeof(c->u) - 12] = (unsigned char)(c->Nh >> 24); 99 p[sizeof(c->u) - 13] = (unsigned char)(c->Nh >> 32); 100 p[sizeof(c->u) - 14] = (unsigned char)(c->Nh >> 40); 101 p[sizeof(c->u) - 15] = (unsigned char)(c->Nh >> 48); 102 p[sizeof(c->u) - 16] = (unsigned char)(c->Nh >> 56); 103 #endif 104 105 sha512_block_data_order(c, p, 1); 106 107 switch (c->md_len) { 108 /* Let compiler decide if it's appropriate to unroll... */ 109 case SHA224_DIGEST_LENGTH: 110 for (n = 0; n < SHA224_DIGEST_LENGTH / 8; n++) { 111 SHA_LONG64 t = c->h[n]; 112 113 *(md++) = (unsigned char)(t >> 56); 114 *(md++) = (unsigned char)(t >> 48); 115 *(md++) = (unsigned char)(t >> 40); 116 *(md++) = (unsigned char)(t >> 32); 117 *(md++) = (unsigned char)(t >> 24); 118 *(md++) = (unsigned char)(t >> 16); 119 *(md++) = (unsigned char)(t >> 8); 120 *(md++) = (unsigned char)(t); 121 } 122 /* 123 * For 224 bits, there are four bytes left over that have to be 124 * processed separately. 125 */ 126 { 127 SHA_LONG64 t = c->h[SHA224_DIGEST_LENGTH / 8]; 128 129 *(md++) = (unsigned char)(t >> 56); 130 *(md++) = (unsigned char)(t >> 48); 131 *(md++) = (unsigned char)(t >> 40); 132 *(md++) = (unsigned char)(t >> 32); 133 } 134 break; 135 case SHA256_DIGEST_LENGTH: 136 for (n = 0; n < SHA256_DIGEST_LENGTH / 8; n++) { 137 SHA_LONG64 t = c->h[n]; 138 139 *(md++) = (unsigned char)(t >> 56); 140 *(md++) = (unsigned char)(t >> 48); 141 *(md++) = (unsigned char)(t >> 40); 142 *(md++) = (unsigned char)(t >> 32); 143 *(md++) = (unsigned char)(t >> 24); 144 *(md++) = (unsigned char)(t >> 16); 145 *(md++) = (unsigned char)(t >> 8); 146 *(md++) = (unsigned char)(t); 147 } 148 break; 149 case SHA384_DIGEST_LENGTH: 150 for (n = 0; n < SHA384_DIGEST_LENGTH / 8; n++) { 151 SHA_LONG64 t = c->h[n]; 152 153 *(md++) = (unsigned char)(t >> 56); 154 *(md++) = (unsigned char)(t >> 48); 155 *(md++) = (unsigned char)(t >> 40); 156 *(md++) = (unsigned char)(t >> 32); 157 *(md++) = (unsigned char)(t >> 24); 158 *(md++) = (unsigned char)(t >> 16); 159 *(md++) = (unsigned char)(t >> 8); 160 *(md++) = (unsigned char)(t); 161 } 162 break; 163 case SHA512_DIGEST_LENGTH: 164 for (n = 0; n < SHA512_DIGEST_LENGTH / 8; n++) { 165 SHA_LONG64 t = c->h[n]; 166 167 *(md++) = (unsigned char)(t >> 56); 168 *(md++) = (unsigned char)(t >> 48); 169 *(md++) = (unsigned char)(t >> 40); 170 *(md++) = (unsigned char)(t >> 32); 171 *(md++) = (unsigned char)(t >> 24); 172 *(md++) = (unsigned char)(t >> 16); 173 *(md++) = (unsigned char)(t >> 8); 174 *(md++) = (unsigned char)(t); 175 } 176 break; 177 /* ... as well as make sure md_len is not abused. */ 178 default: 179 __assert_unreachable(); 180 } 181 } 182 183 static int 184 ossl_sha512_update(void *c_, const void *_data, unsigned int len) 185 { 186 SHA512_CTX *c = c_; 187 SHA_LONG64 l; 188 unsigned char *p = c->u.p; 189 const unsigned char *data = (const unsigned char *)_data; 190 191 if (len == 0) 192 return 0; 193 194 l = (c->Nl + (((SHA_LONG64) len) << 3)) & U64(0xffffffffffffffff); 195 if (l < c->Nl) 196 c->Nh++; 197 if (sizeof(len) >= 8) 198 c->Nh += (((SHA_LONG64) len) >> 61); 199 c->Nl = l; 200 201 if (c->num != 0) { 202 size_t n = sizeof(c->u) - c->num; 203 204 if (len < n) { 205 memcpy(p + c->num, data, len), c->num += (unsigned int)len; 206 return 0; 207 } else { 208 memcpy(p + c->num, data, n), c->num = 0; 209 len -= n, data += n; 210 sha512_block_data_order(c, p, 1); 211 } 212 } 213 214 if (len >= sizeof(c->u)) { 215 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA 216 if ((size_t)data % sizeof(c->u.d[0]) != 0) 217 while (len >= sizeof(c->u)) 218 memcpy(p, data, sizeof(c->u)), 219 sha512_block_data_order(c, p, 1), 220 len -= sizeof(c->u), data += sizeof(c->u); 221 else 222 #endif 223 sha512_block_data_order(c, data, len / sizeof(c->u)), 224 data += len, len %= sizeof(c->u), data -= len; 225 } 226 227 if (len != 0) 228 memcpy(p, data, len), c->num = (int)len; 229 230 return 0; 231 } 232 233 struct auth_hash ossl_hash_sha384 = { 234 .type = CRYPTO_SHA2_384, 235 .name = "OpenSSL-SHA2-384", 236 .hashsize = SHA2_384_HASH_LEN, 237 .ctxsize = sizeof(SHA512_CTX), 238 .blocksize = SHA2_384_BLOCK_LEN, 239 .Init = ossl_sha384_init, 240 .Update = ossl_sha512_update, 241 .Final = ossl_sha512_final, 242 }; 243 244 struct auth_hash ossl_hash_sha512 = { 245 .type = CRYPTO_SHA2_512, 246 .name = "OpenSSL-SHA2-512", 247 .hashsize = SHA2_512_HASH_LEN, 248 .ctxsize = sizeof(SHA512_CTX), 249 .blocksize = SHA2_512_BLOCK_LEN, 250 .Init = ossl_sha512_init, 251 .Update = ossl_sha512_update, 252 .Final = ossl_sha512_final, 253 }; 254 255 _Static_assert(sizeof(SHA512_CTX) <= sizeof(struct ossl_hash_context), 256 "ossl_hash_context too small"); 257