1 /*- 2 * Copyright 2005 Colin Percival 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 #include <sys/endian.h> 31 #include <sys/types.h> 32 33 #ifdef _KERNEL 34 #include <sys/systm.h> 35 #else 36 #include <string.h> 37 #endif 38 39 #include "sha224.h" 40 #include "sha256.h" 41 #include "sha256c_impl.h" 42 43 #if defined(ARM64_SHA2) 44 #include <sys/auxv.h> 45 #include <machine/ifunc.h> 46 #endif 47 48 #if BYTE_ORDER == BIG_ENDIAN 49 50 /* Copy a vector of big-endian uint32_t into a vector of bytes */ 51 #define be32enc_vect(dst, src, len) \ 52 memcpy((void *)dst, (const void *)src, (size_t)len) 53 54 /* Copy a vector of bytes into a vector of big-endian uint32_t */ 55 #define be32dec_vect(dst, src, len) \ 56 memcpy((void *)dst, (const void *)src, (size_t)len) 57 58 #else /* BYTE_ORDER != BIG_ENDIAN */ 59 60 /* 61 * Encode a length len/4 vector of (uint32_t) into a length len vector of 62 * (unsigned char) in big-endian form. Assumes len is a multiple of 4. 63 */ 64 static void 65 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) 66 { 67 size_t i; 68 69 for (i = 0; i < len / 4; i++) 70 be32enc(dst + i * 4, src[i]); 71 } 72 73 /* 74 * Decode a big-endian length len vector of (unsigned char) into a length 75 * len/4 vector of (uint32_t). Assumes len is a multiple of 4. 76 */ 77 static void 78 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) 79 { 80 size_t i; 81 82 for (i = 0; i < len / 4; i++) 83 dst[i] = be32dec(src + i * 4); 84 } 85 86 #endif /* BYTE_ORDER != BIG_ENDIAN */ 87 88 /* SHA256 round constants. */ 89 static const uint32_t K[64] = { 90 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 91 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 92 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 93 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 94 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 95 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 96 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 97 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 98 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 99 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 100 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 101 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 102 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 103 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 104 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 105 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 106 }; 107 108 /* Elementary functions used by SHA256 */ 109 #define Ch(x, y, z) ((x & (y ^ z)) ^ z) 110 #define Maj(x, y, z) ((x & (y | z)) | (y & z)) 111 #define SHR(x, n) (x >> n) 112 #define ROTR(x, n) ((x >> n) | (x << (32 - n))) 113 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) 114 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) 115 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) 116 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) 117 118 /* SHA256 round function */ 119 #define RND(a, b, c, d, e, f, g, h, k) \ 120 h += S1(e) + Ch(e, f, g) + k; \ 121 d += h; \ 122 h += S0(a) + Maj(a, b, c); 123 124 /* Adjusted round function for rotating state */ 125 #define RNDr(S, W, i, ii) \ 126 RND(S[(64 - i) % 8], S[(65 - i) % 8], \ 127 S[(66 - i) % 8], S[(67 - i) % 8], \ 128 S[(68 - i) % 8], S[(69 - i) % 8], \ 129 S[(70 - i) % 8], S[(71 - i) % 8], \ 130 W[i + ii] + K[i + ii]) 131 132 /* Message schedule computation */ 133 #define MSCH(W, ii, i) \ 134 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii] 135 136 /* 137 * SHA256 block compression function. The 256-bit state is transformed via 138 * the 512-bit input block to produce a new state. 139 */ 140 static void 141 #if defined(ARM64_SHA2) 142 SHA256_Transform_c(uint32_t * state, const unsigned char block[64]) 143 #else 144 SHA256_Transform(uint32_t * state, const unsigned char block[64]) 145 #endif 146 { 147 uint32_t W[64]; 148 uint32_t S[8]; 149 int i; 150 151 /* 1. Prepare the first part of the message schedule W. */ 152 be32dec_vect(W, block, 64); 153 154 /* 2. Initialize working variables. */ 155 memcpy(S, state, 32); 156 157 /* 3. Mix. */ 158 for (i = 0; i < 64; i += 16) { 159 RNDr(S, W, 0, i); 160 RNDr(S, W, 1, i); 161 RNDr(S, W, 2, i); 162 RNDr(S, W, 3, i); 163 RNDr(S, W, 4, i); 164 RNDr(S, W, 5, i); 165 RNDr(S, W, 6, i); 166 RNDr(S, W, 7, i); 167 RNDr(S, W, 8, i); 168 RNDr(S, W, 9, i); 169 RNDr(S, W, 10, i); 170 RNDr(S, W, 11, i); 171 RNDr(S, W, 12, i); 172 RNDr(S, W, 13, i); 173 RNDr(S, W, 14, i); 174 RNDr(S, W, 15, i); 175 176 if (i == 48) 177 break; 178 MSCH(W, 0, i); 179 MSCH(W, 1, i); 180 MSCH(W, 2, i); 181 MSCH(W, 3, i); 182 MSCH(W, 4, i); 183 MSCH(W, 5, i); 184 MSCH(W, 6, i); 185 MSCH(W, 7, i); 186 MSCH(W, 8, i); 187 MSCH(W, 9, i); 188 MSCH(W, 10, i); 189 MSCH(W, 11, i); 190 MSCH(W, 12, i); 191 MSCH(W, 13, i); 192 MSCH(W, 14, i); 193 MSCH(W, 15, i); 194 } 195 196 /* 4. Mix local working variables into global state */ 197 for (i = 0; i < 8; i++) 198 state[i] += S[i]; 199 } 200 201 #if defined(ARM64_SHA2) 202 static void 203 SHA256_Transform_arm64(uint32_t * state, const unsigned char block[64]) 204 { 205 SHA256_Transform_arm64_impl(state, block, K); 206 } 207 208 DEFINE_UIFUNC(static, void, SHA256_Transform, 209 (uint32_t * state, const unsigned char block[64])) 210 { 211 u_long hwcap; 212 213 if (elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)) == 0) { 214 if ((hwcap & HWCAP_SHA2) != 0) 215 return (SHA256_Transform_arm64); 216 } 217 218 return (SHA256_Transform_c); 219 } 220 #endif 221 222 static unsigned char PAD[64] = { 223 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 224 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 225 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 226 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 227 }; 228 229 /* Add padding and terminating bit-count. */ 230 static void 231 SHA256_Pad(SHA256_CTX * ctx) 232 { 233 size_t r; 234 235 /* Figure out how many bytes we have buffered. */ 236 r = (ctx->count >> 3) & 0x3f; 237 238 /* Pad to 56 mod 64, transforming if we finish a block en route. */ 239 if (r < 56) { 240 /* Pad to 56 mod 64. */ 241 memcpy(&ctx->buf[r], PAD, 56 - r); 242 } else { 243 /* Finish the current block and mix. */ 244 memcpy(&ctx->buf[r], PAD, 64 - r); 245 SHA256_Transform(ctx->state, ctx->buf); 246 247 /* The start of the final block is all zeroes. */ 248 memset(&ctx->buf[0], 0, 56); 249 } 250 251 /* Add the terminating bit-count. */ 252 be64enc(&ctx->buf[56], ctx->count); 253 254 /* Mix in the final block. */ 255 SHA256_Transform(ctx->state, ctx->buf); 256 } 257 258 /* SHA-256 initialization. Begins a SHA-256 operation. */ 259 void 260 SHA256_Init(SHA256_CTX * ctx) 261 { 262 263 /* Zero bits processed so far */ 264 ctx->count = 0; 265 266 /* Magic initialization constants */ 267 ctx->state[0] = 0x6A09E667; 268 ctx->state[1] = 0xBB67AE85; 269 ctx->state[2] = 0x3C6EF372; 270 ctx->state[3] = 0xA54FF53A; 271 ctx->state[4] = 0x510E527F; 272 ctx->state[5] = 0x9B05688C; 273 ctx->state[6] = 0x1F83D9AB; 274 ctx->state[7] = 0x5BE0CD19; 275 } 276 277 /* Add bytes into the hash */ 278 void 279 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) 280 { 281 uint64_t bitlen; 282 uint32_t r; 283 const unsigned char *src = in; 284 285 /* Number of bytes left in the buffer from previous updates */ 286 r = (ctx->count >> 3) & 0x3f; 287 288 /* Convert the length into a number of bits */ 289 bitlen = len << 3; 290 291 /* Update number of bits */ 292 ctx->count += bitlen; 293 294 /* Handle the case where we don't need to perform any transforms */ 295 if (len < 64 - r) { 296 memcpy(&ctx->buf[r], src, len); 297 return; 298 } 299 300 /* Finish the current block */ 301 memcpy(&ctx->buf[r], src, 64 - r); 302 SHA256_Transform(ctx->state, ctx->buf); 303 src += 64 - r; 304 len -= 64 - r; 305 306 /* Perform complete blocks */ 307 while (len >= 64) { 308 SHA256_Transform(ctx->state, src); 309 src += 64; 310 len -= 64; 311 } 312 313 /* Copy left over data into buffer */ 314 memcpy(ctx->buf, src, len); 315 } 316 317 /* 318 * SHA-256 finalization. Pads the input data, exports the hash value, 319 * and clears the context state. 320 */ 321 void 322 SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx) 323 { 324 325 /* Add padding */ 326 SHA256_Pad(ctx); 327 328 /* Write the hash */ 329 be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH); 330 331 /* Clear the context state */ 332 explicit_bzero(ctx, sizeof(*ctx)); 333 } 334 335 /*** SHA-224: *********************************************************/ 336 /* 337 * the SHA224 and SHA256 transforms are identical 338 */ 339 340 /* SHA-224 initialization. Begins a SHA-224 operation. */ 341 void 342 SHA224_Init(SHA224_CTX * ctx) 343 { 344 345 /* Zero bits processed so far */ 346 ctx->count = 0; 347 348 /* Magic initialization constants */ 349 ctx->state[0] = 0xC1059ED8; 350 ctx->state[1] = 0x367CD507; 351 ctx->state[2] = 0x3070DD17; 352 ctx->state[3] = 0xF70E5939; 353 ctx->state[4] = 0xFFC00B31; 354 ctx->state[5] = 0x68581511; 355 ctx->state[6] = 0x64f98FA7; 356 ctx->state[7] = 0xBEFA4FA4; 357 } 358 359 /* Add bytes into the SHA-224 hash */ 360 void 361 SHA224_Update(SHA224_CTX * ctx, const void *in, size_t len) 362 { 363 364 SHA256_Update((SHA256_CTX *)ctx, in, len); 365 } 366 367 /* 368 * SHA-224 finalization. Pads the input data, exports the hash value, 369 * and clears the context state. 370 */ 371 void 372 SHA224_Final(unsigned char digest[static SHA224_DIGEST_LENGTH], SHA224_CTX *ctx) 373 { 374 375 /* Add padding */ 376 SHA256_Pad((SHA256_CTX *)ctx); 377 378 /* Write the hash */ 379 be32enc_vect(digest, ctx->state, SHA224_DIGEST_LENGTH); 380 381 /* Clear the context state */ 382 explicit_bzero(ctx, sizeof(*ctx)); 383 } 384 385 #ifdef WEAK_REFS 386 /* When building libmd, provide weak references. Note: this is not 387 activated in the context of compiling these sources for internal 388 use in libcrypt. 389 */ 390 #undef SHA256_Init 391 __weak_reference(_libmd_SHA256_Init, SHA256_Init); 392 #undef SHA256_Update 393 __weak_reference(_libmd_SHA256_Update, SHA256_Update); 394 #undef SHA256_Final 395 __weak_reference(_libmd_SHA256_Final, SHA256_Final); 396 #undef SHA256_Transform 397 __weak_reference(_libmd_SHA256_Transform, SHA256_Transform); 398 399 #undef SHA224_Init 400 __weak_reference(_libmd_SHA224_Init, SHA224_Init); 401 #undef SHA224_Update 402 __weak_reference(_libmd_SHA224_Update, SHA224_Update); 403 #undef SHA224_Final 404 __weak_reference(_libmd_SHA224_Final, SHA224_Final); 405 #endif 406