xref: /freebsd/sys/crypto/sha2/sha256c.c (revision e9e8876a4d6afc1ad5315faaa191b25121a813d7)
1 /*-
2  * Copyright 2005 Colin Percival
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include <sys/endian.h>
31 #include <sys/types.h>
32 
33 #ifdef _KERNEL
34 #include <sys/systm.h>
35 #else
36 #include <string.h>
37 #endif
38 
39 #include "sha224.h"
40 #include "sha256.h"
41 #include "sha256c_impl.h"
42 
43 #if defined(ARM64_SHA2)
44 #include <sys/auxv.h>
45 #include <machine/ifunc.h>
46 #endif
47 
48 #if BYTE_ORDER == BIG_ENDIAN
49 
50 /* Copy a vector of big-endian uint32_t into a vector of bytes */
51 #define be32enc_vect(dst, src, len)	\
52 	memcpy((void *)dst, (const void *)src, (size_t)len)
53 
54 /* Copy a vector of bytes into a vector of big-endian uint32_t */
55 #define be32dec_vect(dst, src, len)	\
56 	memcpy((void *)dst, (const void *)src, (size_t)len)
57 
58 #else /* BYTE_ORDER != BIG_ENDIAN */
59 
60 /*
61  * Encode a length len/4 vector of (uint32_t) into a length len vector of
62  * (unsigned char) in big-endian form.  Assumes len is a multiple of 4.
63  */
64 static void
65 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len)
66 {
67 	size_t i;
68 
69 	for (i = 0; i < len / 4; i++)
70 		be32enc(dst + i * 4, src[i]);
71 }
72 
73 /*
74  * Decode a big-endian length len vector of (unsigned char) into a length
75  * len/4 vector of (uint32_t).  Assumes len is a multiple of 4.
76  */
77 static void
78 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len)
79 {
80 	size_t i;
81 
82 	for (i = 0; i < len / 4; i++)
83 		dst[i] = be32dec(src + i * 4);
84 }
85 
86 #endif /* BYTE_ORDER != BIG_ENDIAN */
87 
88 /* SHA256 round constants. */
89 static const uint32_t K[64] = {
90 	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
91 	0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
92 	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
93 	0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
94 	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
95 	0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
96 	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
97 	0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
98 	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
99 	0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
100 	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
101 	0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
102 	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
103 	0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
104 	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
105 	0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
106 };
107 
108 /* Elementary functions used by SHA256 */
109 #define Ch(x, y, z)	((x & (y ^ z)) ^ z)
110 #define Maj(x, y, z)	((x & (y | z)) | (y & z))
111 #define SHR(x, n)	(x >> n)
112 #define ROTR(x, n)	((x >> n) | (x << (32 - n)))
113 #define S0(x)		(ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
114 #define S1(x)		(ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
115 #define s0(x)		(ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3))
116 #define s1(x)		(ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10))
117 
118 /* SHA256 round function */
119 #define RND(a, b, c, d, e, f, g, h, k)			\
120 	h += S1(e) + Ch(e, f, g) + k;			\
121 	d += h;						\
122 	h += S0(a) + Maj(a, b, c);
123 
124 /* Adjusted round function for rotating state */
125 #define RNDr(S, W, i, ii)			\
126 	RND(S[(64 - i) % 8], S[(65 - i) % 8],	\
127 	    S[(66 - i) % 8], S[(67 - i) % 8],	\
128 	    S[(68 - i) % 8], S[(69 - i) % 8],	\
129 	    S[(70 - i) % 8], S[(71 - i) % 8],	\
130 	    W[i + ii] + K[i + ii])
131 
132 /* Message schedule computation */
133 #define MSCH(W, ii, i)				\
134 	W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
135 
136 /*
137  * SHA256 block compression function.  The 256-bit state is transformed via
138  * the 512-bit input block to produce a new state.
139  */
140 static void
141 #if defined(ARM64_SHA2)
142 SHA256_Transform_c(uint32_t * state, const unsigned char block[64])
143 #else
144 SHA256_Transform(uint32_t * state, const unsigned char block[64])
145 #endif
146 {
147 	uint32_t W[64];
148 	uint32_t S[8];
149 	int i;
150 
151 	/* 1. Prepare the first part of the message schedule W. */
152 	be32dec_vect(W, block, 64);
153 
154 	/* 2. Initialize working variables. */
155 	memcpy(S, state, 32);
156 
157 	/* 3. Mix. */
158 	for (i = 0; i < 64; i += 16) {
159 		RNDr(S, W, 0, i);
160 		RNDr(S, W, 1, i);
161 		RNDr(S, W, 2, i);
162 		RNDr(S, W, 3, i);
163 		RNDr(S, W, 4, i);
164 		RNDr(S, W, 5, i);
165 		RNDr(S, W, 6, i);
166 		RNDr(S, W, 7, i);
167 		RNDr(S, W, 8, i);
168 		RNDr(S, W, 9, i);
169 		RNDr(S, W, 10, i);
170 		RNDr(S, W, 11, i);
171 		RNDr(S, W, 12, i);
172 		RNDr(S, W, 13, i);
173 		RNDr(S, W, 14, i);
174 		RNDr(S, W, 15, i);
175 
176 		if (i == 48)
177 			break;
178 		MSCH(W, 0, i);
179 		MSCH(W, 1, i);
180 		MSCH(W, 2, i);
181 		MSCH(W, 3, i);
182 		MSCH(W, 4, i);
183 		MSCH(W, 5, i);
184 		MSCH(W, 6, i);
185 		MSCH(W, 7, i);
186 		MSCH(W, 8, i);
187 		MSCH(W, 9, i);
188 		MSCH(W, 10, i);
189 		MSCH(W, 11, i);
190 		MSCH(W, 12, i);
191 		MSCH(W, 13, i);
192 		MSCH(W, 14, i);
193 		MSCH(W, 15, i);
194 	}
195 
196 	/* 4. Mix local working variables into global state */
197 	for (i = 0; i < 8; i++)
198 		state[i] += S[i];
199 }
200 
201 #if defined(ARM64_SHA2)
202 static void
203 SHA256_Transform_arm64(uint32_t * state, const unsigned char block[64])
204 {
205 	SHA256_Transform_arm64_impl(state, block, K);
206 }
207 
208 DEFINE_UIFUNC(static, void, SHA256_Transform,
209     (uint32_t * state, const unsigned char block[64]))
210 {
211 	u_long hwcap;
212 
213 	if (elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)) == 0) {
214 		if ((hwcap & HWCAP_SHA2) != 0)
215 			return (SHA256_Transform_arm64);
216 	}
217 
218 	return (SHA256_Transform_c);
219 }
220 #endif
221 
222 static unsigned char PAD[64] = {
223 	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
224 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
225 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
226 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
227 };
228 
229 /* Add padding and terminating bit-count. */
230 static void
231 SHA256_Pad(SHA256_CTX * ctx)
232 {
233 	size_t r;
234 
235 	/* Figure out how many bytes we have buffered. */
236 	r = (ctx->count >> 3) & 0x3f;
237 
238 	/* Pad to 56 mod 64, transforming if we finish a block en route. */
239 	if (r < 56) {
240 		/* Pad to 56 mod 64. */
241 		memcpy(&ctx->buf[r], PAD, 56 - r);
242 	} else {
243 		/* Finish the current block and mix. */
244 		memcpy(&ctx->buf[r], PAD, 64 - r);
245 		SHA256_Transform(ctx->state, ctx->buf);
246 
247 		/* The start of the final block is all zeroes. */
248 		memset(&ctx->buf[0], 0, 56);
249 	}
250 
251 	/* Add the terminating bit-count. */
252 	be64enc(&ctx->buf[56], ctx->count);
253 
254 	/* Mix in the final block. */
255 	SHA256_Transform(ctx->state, ctx->buf);
256 }
257 
258 /* SHA-256 initialization.  Begins a SHA-256 operation. */
259 void
260 SHA256_Init(SHA256_CTX * ctx)
261 {
262 
263 	/* Zero bits processed so far */
264 	ctx->count = 0;
265 
266 	/* Magic initialization constants */
267 	ctx->state[0] = 0x6A09E667;
268 	ctx->state[1] = 0xBB67AE85;
269 	ctx->state[2] = 0x3C6EF372;
270 	ctx->state[3] = 0xA54FF53A;
271 	ctx->state[4] = 0x510E527F;
272 	ctx->state[5] = 0x9B05688C;
273 	ctx->state[6] = 0x1F83D9AB;
274 	ctx->state[7] = 0x5BE0CD19;
275 }
276 
277 /* Add bytes into the hash */
278 void
279 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len)
280 {
281 	uint64_t bitlen;
282 	uint32_t r;
283 	const unsigned char *src = in;
284 
285 	/* Number of bytes left in the buffer from previous updates */
286 	r = (ctx->count >> 3) & 0x3f;
287 
288 	/* Convert the length into a number of bits */
289 	bitlen = len << 3;
290 
291 	/* Update number of bits */
292 	ctx->count += bitlen;
293 
294 	/* Handle the case where we don't need to perform any transforms */
295 	if (len < 64 - r) {
296 		memcpy(&ctx->buf[r], src, len);
297 		return;
298 	}
299 
300 	/* Finish the current block */
301 	memcpy(&ctx->buf[r], src, 64 - r);
302 	SHA256_Transform(ctx->state, ctx->buf);
303 	src += 64 - r;
304 	len -= 64 - r;
305 
306 	/* Perform complete blocks */
307 	while (len >= 64) {
308 		SHA256_Transform(ctx->state, src);
309 		src += 64;
310 		len -= 64;
311 	}
312 
313 	/* Copy left over data into buffer */
314 	memcpy(ctx->buf, src, len);
315 }
316 
317 /*
318  * SHA-256 finalization.  Pads the input data, exports the hash value,
319  * and clears the context state.
320  */
321 void
322 SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx)
323 {
324 
325 	/* Add padding */
326 	SHA256_Pad(ctx);
327 
328 	/* Write the hash */
329 	be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH);
330 
331 	/* Clear the context state */
332 	explicit_bzero(ctx, sizeof(*ctx));
333 }
334 
335 /*** SHA-224: *********************************************************/
336 /*
337  * the SHA224 and SHA256 transforms are identical
338  */
339 
340 /* SHA-224 initialization.  Begins a SHA-224 operation. */
341 void
342 SHA224_Init(SHA224_CTX * ctx)
343 {
344 
345 	/* Zero bits processed so far */
346 	ctx->count = 0;
347 
348 	/* Magic initialization constants */
349 	ctx->state[0] = 0xC1059ED8;
350 	ctx->state[1] = 0x367CD507;
351 	ctx->state[2] = 0x3070DD17;
352 	ctx->state[3] = 0xF70E5939;
353 	ctx->state[4] = 0xFFC00B31;
354 	ctx->state[5] = 0x68581511;
355 	ctx->state[6] = 0x64f98FA7;
356 	ctx->state[7] = 0xBEFA4FA4;
357 }
358 
359 /* Add bytes into the SHA-224 hash */
360 void
361 SHA224_Update(SHA224_CTX * ctx, const void *in, size_t len)
362 {
363 
364 	SHA256_Update((SHA256_CTX *)ctx, in, len);
365 }
366 
367 /*
368  * SHA-224 finalization.  Pads the input data, exports the hash value,
369  * and clears the context state.
370  */
371 void
372 SHA224_Final(unsigned char digest[static SHA224_DIGEST_LENGTH], SHA224_CTX *ctx)
373 {
374 
375 	/* Add padding */
376 	SHA256_Pad((SHA256_CTX *)ctx);
377 
378 	/* Write the hash */
379 	be32enc_vect(digest, ctx->state, SHA224_DIGEST_LENGTH);
380 
381 	/* Clear the context state */
382 	explicit_bzero(ctx, sizeof(*ctx));
383 }
384 
385 #ifdef WEAK_REFS
386 /* When building libmd, provide weak references. Note: this is not
387    activated in the context of compiling these sources for internal
388    use in libcrypt.
389  */
390 #undef SHA256_Init
391 __weak_reference(_libmd_SHA256_Init, SHA256_Init);
392 #undef SHA256_Update
393 __weak_reference(_libmd_SHA256_Update, SHA256_Update);
394 #undef SHA256_Final
395 __weak_reference(_libmd_SHA256_Final, SHA256_Final);
396 #undef SHA256_Transform
397 __weak_reference(_libmd_SHA256_Transform, SHA256_Transform);
398 
399 #undef SHA224_Init
400 __weak_reference(_libmd_SHA224_Init, SHA224_Init);
401 #undef SHA224_Update
402 __weak_reference(_libmd_SHA224_Update, SHA224_Update);
403 #undef SHA224_Final
404 __weak_reference(_libmd_SHA224_Final, SHA224_Final);
405 #endif
406