xref: /freebsd/sys/crypto/sha2/sha256c.c (revision ae7e8a02e6e93455e026036132c4d053b2c12ad9)
1 /*-
2  * Copyright 2005 Colin Percival
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include <sys/endian.h>
31 #include <sys/types.h>
32 
33 #ifdef _KERNEL
34 #include <sys/systm.h>
35 #else
36 #include <string.h>
37 #endif
38 
39 #include "sha224.h"
40 #include "sha256.h"
41 #include "sha256c_impl.h"
42 
43 #if defined(ARM64_SHA2)
44 #include <sys/auxv.h>
45 #include <machine/ifunc.h>
46 #endif
47 
48 #if BYTE_ORDER == BIG_ENDIAN
49 
50 /* Copy a vector of big-endian uint32_t into a vector of bytes */
51 #define be32enc_vect(dst, src, len)	\
52 	memcpy((void *)dst, (const void *)src, (size_t)len)
53 
54 /* Copy a vector of bytes into a vector of big-endian uint32_t */
55 #define be32dec_vect(dst, src, len)	\
56 	memcpy((void *)dst, (const void *)src, (size_t)len)
57 
58 #else /* BYTE_ORDER != BIG_ENDIAN */
59 
60 /*
61  * Encode a length len/4 vector of (uint32_t) into a length len vector of
62  * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
63  */
64 static void
65 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
66 {
67 	size_t i;
68 
69 	for (i = 0; i < len / 4; i++)
70 		be32enc(dst + i * 4, src[i]);
71 }
72 
73 /*
74  * Decode a big-endian length len vector of (unsigned char) into a length
75  * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
76  */
77 static void
78 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
79 {
80 	size_t i;
81 
82 	for (i = 0; i < len / 4; i++)
83 		dst[i] = be32dec(src + i * 4);
84 }
85 
86 #endif /* BYTE_ORDER != BIG_ENDIAN */
87 
88 /* SHA256 round constants. */
89 static const uint32_t K[64] = {
90 	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
91 	0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
92 	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
93 	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
94 	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
95 	0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
96 	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
97 	0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
98 	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
99 	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
100 	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
101 	0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
102 	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
103 	0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
104 	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
105 	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
106 };
107 
108 /* Elementary functions used by SHA256 */
109 #define Ch(x, y, z)	((x & (y ^ z)) ^ z)
110 #define Maj(x, y, z)	((x & (y | z)) | (y & z))
111 #define SHR(x, n)	(x >> n)
112 #define ROTR(x, n)	((x >> n) | (x << (32 - n)))
113 #define S0(x)		(ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
114 #define S1(x)		(ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
115 #define s0(x)		(ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
116 #define s1(x)		(ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
117 
118 /* SHA256 round function */
119 #define RND(a, b, c, d, e, f, g, h, k)			\
120 	h += S1(e) + Ch(e, f, g) + k;			\
121 	d += h;						\
122 	h += S0(a) + Maj(a, b, c);
123 
124 /* Adjusted round function for rotating state */
125 #define RNDr(S, W, i, ii)			\
126 	RND(S[(64 - i) % 8], S[(65 - i) % 8],	\
127 	    S[(66 - i) % 8], S[(67 - i) % 8],	\
128 	    S[(68 - i) % 8], S[(69 - i) % 8],	\
129 	    S[(70 - i) % 8], S[(71 - i) % 8],	\
130 	    W[i + ii] + K[i + ii])
131 
132 /* Message schedule computation */
133 #define MSCH(W, ii, i)				\
134 	W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
135 
136 /*
137  * SHA256 block compression function.  The 256-bit state is transformed via
138  * the 512-bit input block to produce a new state.
139  */
140 static void
141 SHA256_Transform_c(uint32_t * state, const unsigned char block[64])
142 {
143 	uint32_t W[64];
144 	uint32_t S[8];
145 	int i;
146 
147 	/* 1. Prepare the first part of the message schedule W. */
148 	be32dec_vect(W, block, 64);
149 
150 	/* 2. Initialize working variables. */
151 	memcpy(S, state, 32);
152 
153 	/* 3. Mix. */
154 	for (i = 0; i < 64; i += 16) {
155 		RNDr(S, W, 0, i);
156 		RNDr(S, W, 1, i);
157 		RNDr(S, W, 2, i);
158 		RNDr(S, W, 3, i);
159 		RNDr(S, W, 4, i);
160 		RNDr(S, W, 5, i);
161 		RNDr(S, W, 6, i);
162 		RNDr(S, W, 7, i);
163 		RNDr(S, W, 8, i);
164 		RNDr(S, W, 9, i);
165 		RNDr(S, W, 10, i);
166 		RNDr(S, W, 11, i);
167 		RNDr(S, W, 12, i);
168 		RNDr(S, W, 13, i);
169 		RNDr(S, W, 14, i);
170 		RNDr(S, W, 15, i);
171 
172 		if (i == 48)
173 			break;
174 		MSCH(W, 0, i);
175 		MSCH(W, 1, i);
176 		MSCH(W, 2, i);
177 		MSCH(W, 3, i);
178 		MSCH(W, 4, i);
179 		MSCH(W, 5, i);
180 		MSCH(W, 6, i);
181 		MSCH(W, 7, i);
182 		MSCH(W, 8, i);
183 		MSCH(W, 9, i);
184 		MSCH(W, 10, i);
185 		MSCH(W, 11, i);
186 		MSCH(W, 12, i);
187 		MSCH(W, 13, i);
188 		MSCH(W, 14, i);
189 		MSCH(W, 15, i);
190 	}
191 
192 	/* 4. Mix local working variables into global state */
193 	for (i = 0; i < 8; i++)
194 		state[i] += S[i];
195 }
196 
197 #if defined(ARM64_SHA2)
198 static void
199 SHA256_Transform_arm64(uint32_t * state, const unsigned char block[64])
200 {
201 	SHA256_Transform_arm64_impl(state, block, K);
202 }
203 
204 DEFINE_UIFUNC(static, void, SHA256_Transform,
205     (uint32_t * state, const unsigned char block[64]))
206 {
207 	u_long hwcap;
208 
209 	if (elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)) == 0) {
210 		if ((hwcap & HWCAP_SHA2) != 0)
211 			return (SHA256_Transform_arm64);
212 	}
213 
214 	return (SHA256_Transform_c);
215 }
216 #else
217 static void
218 SHA256_Transform(uint32_t * state, const unsigned char block[64])
219 {
220 	SHA256_Transform_c(state, block);
221 }
222 #endif
223 
224 static unsigned char PAD[64] = {
225 	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
226 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
227 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
228 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
229 };
230 
231 /* Add padding and terminating bit-count. */
232 static void
233 SHA256_Pad(SHA256_CTX * ctx)
234 {
235 	size_t r;
236 
237 	/* Figure out how many bytes we have buffered. */
238 	r = (ctx->count >> 3) & 0x3f;
239 
240 	/* Pad to 56 mod 64, transforming if we finish a block en route. */
241 	if (r < 56) {
242 		/* Pad to 56 mod 64. */
243 		memcpy(&ctx->buf[r], PAD, 56 - r);
244 	} else {
245 		/* Finish the current block and mix. */
246 		memcpy(&ctx->buf[r], PAD, 64 - r);
247 		SHA256_Transform(ctx->state, ctx->buf);
248 
249 		/* The start of the final block is all zeroes. */
250 		memset(&ctx->buf[0], 0, 56);
251 	}
252 
253 	/* Add the terminating bit-count. */
254 	be64enc(&ctx->buf[56], ctx->count);
255 
256 	/* Mix in the final block. */
257 	SHA256_Transform(ctx->state, ctx->buf);
258 }
259 
260 /* SHA-256 initialization.  Begins a SHA-256 operation. */
261 void
262 SHA256_Init(SHA256_CTX * ctx)
263 {
264 
265 	/* Zero bits processed so far */
266 	ctx->count = 0;
267 
268 	/* Magic initialization constants */
269 	ctx->state[0] = 0x6A09E667;
270 	ctx->state[1] = 0xBB67AE85;
271 	ctx->state[2] = 0x3C6EF372;
272 	ctx->state[3] = 0xA54FF53A;
273 	ctx->state[4] = 0x510E527F;
274 	ctx->state[5] = 0x9B05688C;
275 	ctx->state[6] = 0x1F83D9AB;
276 	ctx->state[7] = 0x5BE0CD19;
277 }
278 
279 /* Add bytes into the hash */
280 void
281 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
282 {
283 	uint64_t bitlen;
284 	uint32_t r;
285 	const unsigned char *src = in;
286 
287 	/* Number of bytes left in the buffer from previous updates */
288 	r = (ctx->count >> 3) & 0x3f;
289 
290 	/* Convert the length into a number of bits */
291 	bitlen = len << 3;
292 
293 	/* Update number of bits */
294 	ctx->count += bitlen;
295 
296 	/* Handle the case where we don't need to perform any transforms */
297 	if (len < 64 - r) {
298 		memcpy(&ctx->buf[r], src, len);
299 		return;
300 	}
301 
302 	/* Finish the current block */
303 	memcpy(&ctx->buf[r], src, 64 - r);
304 	SHA256_Transform(ctx->state, ctx->buf);
305 	src += 64 - r;
306 	len -= 64 - r;
307 
308 	/* Perform complete blocks */
309 	while (len >= 64) {
310 		SHA256_Transform(ctx->state, src);
311 		src += 64;
312 		len -= 64;
313 	}
314 
315 	/* Copy left over data into buffer */
316 	memcpy(ctx->buf, src, len);
317 }
318 
319 /*
320  * SHA-256 finalization.  Pads the input data, exports the hash value,
321  * and clears the context state.
322  */
323 void
324 SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx)
325 {
326 
327 	/* Add padding */
328 	SHA256_Pad(ctx);
329 
330 	/* Write the hash */
331 	be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH);
332 
333 	/* Clear the context state */
334 	explicit_bzero(ctx, sizeof(*ctx));
335 }
336 
337 /*** SHA-224: *********************************************************/
338 /*
339  * the SHA224 and SHA256 transforms are identical
340  */
341 
342 /* SHA-224 initialization.  Begins a SHA-224 operation. */
343 void
344 SHA224_Init(SHA224_CTX * ctx)
345 {
346 
347 	/* Zero bits processed so far */
348 	ctx->count = 0;
349 
350 	/* Magic initialization constants */
351 	ctx->state[0] = 0xC1059ED8;
352 	ctx->state[1] = 0x367CD507;
353 	ctx->state[2] = 0x3070DD17;
354 	ctx->state[3] = 0xF70E5939;
355 	ctx->state[4] = 0xFFC00B31;
356 	ctx->state[5] = 0x68581511;
357 	ctx->state[6] = 0x64f98FA7;
358 	ctx->state[7] = 0xBEFA4FA4;
359 }
360 
361 /* Add bytes into the SHA-224 hash */
362 void
363 SHA224_Update(SHA224_CTX * ctx, const void *in, size_t len)
364 {
365 
366 	SHA256_Update((SHA256_CTX *)ctx, in, len);
367 }
368 
369 /*
370  * SHA-224 finalization.  Pads the input data, exports the hash value,
371  * and clears the context state.
372  */
373 void
374 SHA224_Final(unsigned char digest[static SHA224_DIGEST_LENGTH], SHA224_CTX *ctx)
375 {
376 
377 	/* Add padding */
378 	SHA256_Pad((SHA256_CTX *)ctx);
379 
380 	/* Write the hash */
381 	be32enc_vect(digest, ctx->state, SHA224_DIGEST_LENGTH);
382 
383 	/* Clear the context state */
384 	explicit_bzero(ctx, sizeof(*ctx));
385 }
386 
387 #ifdef WEAK_REFS
388 /* When building libmd, provide weak references. Note: this is not
389    activated in the context of compiling these sources for internal
390    use in libcrypt.
391  */
392 #undef SHA256_Init
393 __weak_reference(_libmd_SHA256_Init, SHA256_Init);
394 #undef SHA256_Update
395 __weak_reference(_libmd_SHA256_Update, SHA256_Update);
396 #undef SHA256_Final
397 __weak_reference(_libmd_SHA256_Final, SHA256_Final);
398 #undef SHA256_Transform
399 __weak_reference(_libmd_SHA256_Transform, SHA256_Transform);
400 
401 #undef SHA224_Init
402 __weak_reference(_libmd_SHA224_Init, SHA224_Init);
403 #undef SHA224_Update
404 __weak_reference(_libmd_SHA224_Update, SHA224_Update);
405 #undef SHA224_Final
406 __weak_reference(_libmd_SHA224_Final, SHA224_Final);
407 #endif
408