1 /*- 2 * Copyright 2005 Colin Percival 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 __FBSDID("$FreeBSD$"); 29 30 #include <sys/endian.h> 31 #include <sys/types.h> 32 33 #ifdef _KERNEL 34 #include <sys/systm.h> 35 #else 36 #include <string.h> 37 #endif 38 39 #include "sha224.h" 40 #include "sha256.h" 41 #include "sha256c_impl.h" 42 43 #if defined(ARM64_SHA2) 44 #include <sys/auxv.h> 45 #include <machine/ifunc.h> 46 #endif 47 48 #if BYTE_ORDER == BIG_ENDIAN 49 50 /* Copy a vector of big-endian uint32_t into a vector of bytes */ 51 #define be32enc_vect(dst, src, len) \ 52 memcpy((void *)dst, (const void *)src, (size_t)len) 53 54 /* Copy a vector of bytes into a vector of big-endian uint32_t */ 55 #define be32dec_vect(dst, src, len) \ 56 memcpy((void *)dst, (const void *)src, (size_t)len) 57 58 #else /* BYTE_ORDER != BIG_ENDIAN */ 59 60 /* 61 * Encode a length len/4 vector of (uint32_t) into a length len vector of 62 * (unsigned char) in big-endian form. Assumes len is a multiple of 4. 63 */ 64 static void 65 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) 66 { 67 size_t i; 68 69 for (i = 0; i < len / 4; i++) 70 be32enc(dst + i * 4, src[i]); 71 } 72 73 /* 74 * Decode a big-endian length len vector of (unsigned char) into a length 75 * len/4 vector of (uint32_t). Assumes len is a multiple of 4. 76 */ 77 static void 78 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) 79 { 80 size_t i; 81 82 for (i = 0; i < len / 4; i++) 83 dst[i] = be32dec(src + i * 4); 84 } 85 86 #endif /* BYTE_ORDER != BIG_ENDIAN */ 87 88 /* SHA256 round constants. */ 89 static const uint32_t K[64] = { 90 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 91 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 92 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 93 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 94 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 95 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 96 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 97 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 98 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 99 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 100 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 101 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 102 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 103 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 104 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 105 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 106 }; 107 108 /* Elementary functions used by SHA256 */ 109 #define Ch(x, y, z) ((x & (y ^ z)) ^ z) 110 #define Maj(x, y, z) ((x & (y | z)) | (y & z)) 111 #define SHR(x, n) (x >> n) 112 #define ROTR(x, n) ((x >> n) | (x << (32 - n))) 113 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) 114 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) 115 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) 116 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) 117 118 /* SHA256 round function */ 119 #define RND(a, b, c, d, e, f, g, h, k) \ 120 h += S1(e) + Ch(e, f, g) + k; \ 121 d += h; \ 122 h += S0(a) + Maj(a, b, c); 123 124 /* Adjusted round function for rotating state */ 125 #define RNDr(S, W, i, ii) \ 126 RND(S[(64 - i) % 8], S[(65 - i) % 8], \ 127 S[(66 - i) % 8], S[(67 - i) % 8], \ 128 S[(68 - i) % 8], S[(69 - i) % 8], \ 129 S[(70 - i) % 8], S[(71 - i) % 8], \ 130 W[i + ii] + K[i + ii]) 131 132 /* Message schedule computation */ 133 #define MSCH(W, ii, i) \ 134 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii] 135 136 /* 137 * SHA256 block compression function. The 256-bit state is transformed via 138 * the 512-bit input block to produce a new state. 139 */ 140 static void 141 SHA256_Transform_c(uint32_t * state, const unsigned char block[64]) 142 { 143 uint32_t W[64]; 144 uint32_t S[8]; 145 int i; 146 147 /* 1. Prepare the first part of the message schedule W. */ 148 be32dec_vect(W, block, 64); 149 150 /* 2. Initialize working variables. */ 151 memcpy(S, state, 32); 152 153 /* 3. Mix. */ 154 for (i = 0; i < 64; i += 16) { 155 RNDr(S, W, 0, i); 156 RNDr(S, W, 1, i); 157 RNDr(S, W, 2, i); 158 RNDr(S, W, 3, i); 159 RNDr(S, W, 4, i); 160 RNDr(S, W, 5, i); 161 RNDr(S, W, 6, i); 162 RNDr(S, W, 7, i); 163 RNDr(S, W, 8, i); 164 RNDr(S, W, 9, i); 165 RNDr(S, W, 10, i); 166 RNDr(S, W, 11, i); 167 RNDr(S, W, 12, i); 168 RNDr(S, W, 13, i); 169 RNDr(S, W, 14, i); 170 RNDr(S, W, 15, i); 171 172 if (i == 48) 173 break; 174 MSCH(W, 0, i); 175 MSCH(W, 1, i); 176 MSCH(W, 2, i); 177 MSCH(W, 3, i); 178 MSCH(W, 4, i); 179 MSCH(W, 5, i); 180 MSCH(W, 6, i); 181 MSCH(W, 7, i); 182 MSCH(W, 8, i); 183 MSCH(W, 9, i); 184 MSCH(W, 10, i); 185 MSCH(W, 11, i); 186 MSCH(W, 12, i); 187 MSCH(W, 13, i); 188 MSCH(W, 14, i); 189 MSCH(W, 15, i); 190 } 191 192 /* 4. Mix local working variables into global state */ 193 for (i = 0; i < 8; i++) 194 state[i] += S[i]; 195 } 196 197 #if defined(ARM64_SHA2) 198 static void 199 SHA256_Transform_arm64(uint32_t * state, const unsigned char block[64]) 200 { 201 SHA256_Transform_arm64_impl(state, block, K); 202 } 203 204 DEFINE_UIFUNC(static, void, SHA256_Transform, 205 (uint32_t * state, const unsigned char block[64])) 206 { 207 u_long hwcap; 208 209 if (elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)) == 0) { 210 if ((hwcap & HWCAP_SHA2) != 0) 211 return (SHA256_Transform_arm64); 212 } 213 214 return (SHA256_Transform_c); 215 } 216 #else 217 static void 218 SHA256_Transform(uint32_t * state, const unsigned char block[64]) 219 { 220 SHA256_Transform_c(state, block); 221 } 222 #endif 223 224 static unsigned char PAD[64] = { 225 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 226 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 227 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 228 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 229 }; 230 231 /* Add padding and terminating bit-count. */ 232 static void 233 SHA256_Pad(SHA256_CTX * ctx) 234 { 235 size_t r; 236 237 /* Figure out how many bytes we have buffered. */ 238 r = (ctx->count >> 3) & 0x3f; 239 240 /* Pad to 56 mod 64, transforming if we finish a block en route. */ 241 if (r < 56) { 242 /* Pad to 56 mod 64. */ 243 memcpy(&ctx->buf[r], PAD, 56 - r); 244 } else { 245 /* Finish the current block and mix. */ 246 memcpy(&ctx->buf[r], PAD, 64 - r); 247 SHA256_Transform(ctx->state, ctx->buf); 248 249 /* The start of the final block is all zeroes. */ 250 memset(&ctx->buf[0], 0, 56); 251 } 252 253 /* Add the terminating bit-count. */ 254 be64enc(&ctx->buf[56], ctx->count); 255 256 /* Mix in the final block. */ 257 SHA256_Transform(ctx->state, ctx->buf); 258 } 259 260 /* SHA-256 initialization. Begins a SHA-256 operation. */ 261 void 262 SHA256_Init(SHA256_CTX * ctx) 263 { 264 265 /* Zero bits processed so far */ 266 ctx->count = 0; 267 268 /* Magic initialization constants */ 269 ctx->state[0] = 0x6A09E667; 270 ctx->state[1] = 0xBB67AE85; 271 ctx->state[2] = 0x3C6EF372; 272 ctx->state[3] = 0xA54FF53A; 273 ctx->state[4] = 0x510E527F; 274 ctx->state[5] = 0x9B05688C; 275 ctx->state[6] = 0x1F83D9AB; 276 ctx->state[7] = 0x5BE0CD19; 277 } 278 279 /* Add bytes into the hash */ 280 void 281 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) 282 { 283 uint64_t bitlen; 284 uint32_t r; 285 const unsigned char *src = in; 286 287 /* Number of bytes left in the buffer from previous updates */ 288 r = (ctx->count >> 3) & 0x3f; 289 290 /* Convert the length into a number of bits */ 291 bitlen = len << 3; 292 293 /* Update number of bits */ 294 ctx->count += bitlen; 295 296 /* Handle the case where we don't need to perform any transforms */ 297 if (len < 64 - r) { 298 memcpy(&ctx->buf[r], src, len); 299 return; 300 } 301 302 /* Finish the current block */ 303 memcpy(&ctx->buf[r], src, 64 - r); 304 SHA256_Transform(ctx->state, ctx->buf); 305 src += 64 - r; 306 len -= 64 - r; 307 308 /* Perform complete blocks */ 309 while (len >= 64) { 310 SHA256_Transform(ctx->state, src); 311 src += 64; 312 len -= 64; 313 } 314 315 /* Copy left over data into buffer */ 316 memcpy(ctx->buf, src, len); 317 } 318 319 /* 320 * SHA-256 finalization. Pads the input data, exports the hash value, 321 * and clears the context state. 322 */ 323 void 324 SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx) 325 { 326 327 /* Add padding */ 328 SHA256_Pad(ctx); 329 330 /* Write the hash */ 331 be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH); 332 333 /* Clear the context state */ 334 explicit_bzero(ctx, sizeof(*ctx)); 335 } 336 337 /*** SHA-224: *********************************************************/ 338 /* 339 * the SHA224 and SHA256 transforms are identical 340 */ 341 342 /* SHA-224 initialization. Begins a SHA-224 operation. */ 343 void 344 SHA224_Init(SHA224_CTX * ctx) 345 { 346 347 /* Zero bits processed so far */ 348 ctx->count = 0; 349 350 /* Magic initialization constants */ 351 ctx->state[0] = 0xC1059ED8; 352 ctx->state[1] = 0x367CD507; 353 ctx->state[2] = 0x3070DD17; 354 ctx->state[3] = 0xF70E5939; 355 ctx->state[4] = 0xFFC00B31; 356 ctx->state[5] = 0x68581511; 357 ctx->state[6] = 0x64f98FA7; 358 ctx->state[7] = 0xBEFA4FA4; 359 } 360 361 /* Add bytes into the SHA-224 hash */ 362 void 363 SHA224_Update(SHA224_CTX * ctx, const void *in, size_t len) 364 { 365 366 SHA256_Update((SHA256_CTX *)ctx, in, len); 367 } 368 369 /* 370 * SHA-224 finalization. Pads the input data, exports the hash value, 371 * and clears the context state. 372 */ 373 void 374 SHA224_Final(unsigned char digest[static SHA224_DIGEST_LENGTH], SHA224_CTX *ctx) 375 { 376 377 /* Add padding */ 378 SHA256_Pad((SHA256_CTX *)ctx); 379 380 /* Write the hash */ 381 be32enc_vect(digest, ctx->state, SHA224_DIGEST_LENGTH); 382 383 /* Clear the context state */ 384 explicit_bzero(ctx, sizeof(*ctx)); 385 } 386 387 #ifdef WEAK_REFS 388 /* When building libmd, provide weak references. Note: this is not 389 activated in the context of compiling these sources for internal 390 use in libcrypt. 391 */ 392 #undef SHA256_Init 393 __weak_reference(_libmd_SHA256_Init, SHA256_Init); 394 #undef SHA256_Update 395 __weak_reference(_libmd_SHA256_Update, SHA256_Update); 396 #undef SHA256_Final 397 __weak_reference(_libmd_SHA256_Final, SHA256_Final); 398 #undef SHA256_Transform 399 __weak_reference(_libmd_SHA256_Transform, SHA256_Transform); 400 401 #undef SHA224_Init 402 __weak_reference(_libmd_SHA224_Init, SHA224_Init); 403 #undef SHA224_Update 404 __weak_reference(_libmd_SHA224_Update, SHA224_Update); 405 #undef SHA224_Final 406 __weak_reference(_libmd_SHA224_Final, SHA224_Final); 407 #endif 408