xref: /freebsd/sys/crypto/sha2/sha512c.c (revision 7815283df299be63807225a9fe9b6e54406eae28)
1 /*-
2  * Copyright 2005 Colin Percival
3  * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org>
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  */
27 
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
30 
31 #include <sys/endian.h>
32 #include <sys/types.h>
33 
34 #ifdef _KERNEL
35 #include <sys/systm.h>
36 #else
37 #include <string.h>
38 #endif
39 
40 #include "sha512.h"
41 #include "sha512t.h"
42 #include "sha384.h"
43 
44 #if BYTE_ORDER == BIG_ENDIAN
45 
46 /* Copy a vector of big-endian uint64_t into a vector of bytes */
47 #define be64enc_vect(dst, src, len)	\
48 	memcpy((void *)dst, (const void *)src, (size_t)len)
49 
50 /* Copy a vector of bytes into a vector of big-endian uint64_t */
51 #define be64dec_vect(dst, src, len)	\
52 	memcpy((void *)dst, (const void *)src, (size_t)len)
53 
54 #else /* BYTE_ORDER != BIG_ENDIAN */
55 
56 /*
57  * Encode a length len/4 vector of (uint64_t) into a length len vector of
58  * (unsigned char) in big-endian form.  Assumes len is a multiple of 8.
59  */
60 static void
61 be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len)
62 {
63 	size_t i;
64 
65 	for (i = 0; i < len / 8; i++)
66 		be64enc(dst + i * 8, src[i]);
67 }
68 
69 /*
70  * Decode a big-endian length len vector of (unsigned char) into a length
71  * len/4 vector of (uint64_t).  Assumes len is a multiple of 8.
72  */
73 static void
74 be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len)
75 {
76 	size_t i;
77 
78 	for (i = 0; i < len / 8; i++)
79 		dst[i] = be64dec(src + i * 8);
80 }
81 
82 #endif /* BYTE_ORDER != BIG_ENDIAN */
83 
84 /* SHA512 round constants. */
85 static const uint64_t K[80] = {
86 	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
87 	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
88 	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
89 	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
90 	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
91 	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
92 	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
93 	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
94 	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
95 	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
96 	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
97 	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
98 	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
99 	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
100 	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
101 	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
102 	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
103 	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
104 	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
105 	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
106 	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
107 	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
108 	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
109 	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
110 	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
111 	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
112 	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
113 	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
114 	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
115 	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
116 	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
117 	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
118 	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
119 	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
120 	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
121 	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
122 	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
123 	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
124 	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
125 	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
126 };
127 
128 /* Elementary functions used by SHA512 */
129 #define Ch(x, y, z)	((x & (y ^ z)) ^ z)
130 #define Maj(x, y, z)	((x & (y | z)) | (y & z))
131 #define SHR(x, n)	(x >> n)
132 #define ROTR(x, n)	((x >> n) | (x << (64 - n)))
133 #define S0(x)		(ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
134 #define S1(x)		(ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
135 #define s0(x)		(ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
136 #define s1(x)		(ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
137 
138 /* SHA512 round function */
139 #define RND(a, b, c, d, e, f, g, h, k)			\
140 	h += S1(e) + Ch(e, f, g) + k;			\
141 	d += h;						\
142 	h += S0(a) + Maj(a, b, c);
143 
144 /* Adjusted round function for rotating state */
145 #define RNDr(S, W, i, ii)			\
146 	RND(S[(80 - i) % 8], S[(81 - i) % 8],	\
147 	    S[(82 - i) % 8], S[(83 - i) % 8],	\
148 	    S[(84 - i) % 8], S[(85 - i) % 8],	\
149 	    S[(86 - i) % 8], S[(87 - i) % 8],	\
150 	    W[i + ii] + K[i + ii])
151 
152 /* Message schedule computation */
153 #define MSCH(W, ii, i)				\
154 	W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
155 
156 /*
157  * SHA512 block compression function.  The 512-bit state is transformed via
158  * the 512-bit input block to produce a new state.
159  */
160 static void
161 SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH])
162 {
163 	uint64_t W[80];
164 	uint64_t S[8];
165 	int i;
166 
167 	/* 1. Prepare the first part of the message schedule W. */
168 	be64dec_vect(W, block, SHA512_BLOCK_LENGTH);
169 
170 	/* 2. Initialize working variables. */
171 	memcpy(S, state, SHA512_DIGEST_LENGTH);
172 
173 	/* 3. Mix. */
174 	for (i = 0; i < 80; i += 16) {
175 		RNDr(S, W, 0, i);
176 		RNDr(S, W, 1, i);
177 		RNDr(S, W, 2, i);
178 		RNDr(S, W, 3, i);
179 		RNDr(S, W, 4, i);
180 		RNDr(S, W, 5, i);
181 		RNDr(S, W, 6, i);
182 		RNDr(S, W, 7, i);
183 		RNDr(S, W, 8, i);
184 		RNDr(S, W, 9, i);
185 		RNDr(S, W, 10, i);
186 		RNDr(S, W, 11, i);
187 		RNDr(S, W, 12, i);
188 		RNDr(S, W, 13, i);
189 		RNDr(S, W, 14, i);
190 		RNDr(S, W, 15, i);
191 
192 		if (i == 64)
193 			break;
194 		MSCH(W, 0, i);
195 		MSCH(W, 1, i);
196 		MSCH(W, 2, i);
197 		MSCH(W, 3, i);
198 		MSCH(W, 4, i);
199 		MSCH(W, 5, i);
200 		MSCH(W, 6, i);
201 		MSCH(W, 7, i);
202 		MSCH(W, 8, i);
203 		MSCH(W, 9, i);
204 		MSCH(W, 10, i);
205 		MSCH(W, 11, i);
206 		MSCH(W, 12, i);
207 		MSCH(W, 13, i);
208 		MSCH(W, 14, i);
209 		MSCH(W, 15, i);
210 	}
211 
212 	/* 4. Mix local working variables into global state */
213 	for (i = 0; i < 8; i++)
214 		state[i] += S[i];
215 }
216 
217 static unsigned char PAD[SHA512_BLOCK_LENGTH] = {
218 	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
219 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
220 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
221 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
222 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
223 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
224 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
225 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
226 };
227 
228 /* Add padding and terminating bit-count. */
229 static void
230 SHA512_Pad(SHA512_CTX * ctx)
231 {
232 	size_t r;
233 
234 	/* Figure out how many bytes we have buffered. */
235 	r = (ctx->count[1] >> 3) & 0x7f;
236 
237 	/* Pad to 112 mod 128, transforming if we finish a block en route. */
238 	if (r < 112) {
239 		/* Pad to 112 mod 128. */
240 		memcpy(&ctx->buf[r], PAD, 112 - r);
241 	} else {
242 		/* Finish the current block and mix. */
243 		memcpy(&ctx->buf[r], PAD, 128 - r);
244 		SHA512_Transform(ctx->state, ctx->buf);
245 
246 		/* The start of the final block is all zeroes. */
247 		memset(&ctx->buf[0], 0, 112);
248 	}
249 
250 	/* Add the terminating bit-count. */
251 	be64enc_vect(&ctx->buf[112], ctx->count, 16);
252 
253 	/* Mix in the final block. */
254 	SHA512_Transform(ctx->state, ctx->buf);
255 }
256 
257 /* SHA-512 initialization.  Begins a SHA-512 operation. */
258 void
259 SHA512_Init(SHA512_CTX * ctx)
260 {
261 
262 	/* Zero bits processed so far */
263 	ctx->count[0] = ctx->count[1] = 0;
264 
265 	/* Magic initialization constants */
266 	ctx->state[0] = 0x6a09e667f3bcc908ULL;
267 	ctx->state[1] = 0xbb67ae8584caa73bULL;
268 	ctx->state[2] = 0x3c6ef372fe94f82bULL;
269 	ctx->state[3] = 0xa54ff53a5f1d36f1ULL;
270 	ctx->state[4] = 0x510e527fade682d1ULL;
271 	ctx->state[5] = 0x9b05688c2b3e6c1fULL;
272 	ctx->state[6] = 0x1f83d9abfb41bd6bULL;
273 	ctx->state[7] = 0x5be0cd19137e2179ULL;
274 }
275 
276 /* Add bytes into the hash */
277 void
278 SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len)
279 {
280 	uint64_t bitlen[2];
281 	uint64_t r;
282 	const unsigned char *src = in;
283 
284 	/* Number of bytes left in the buffer from previous updates */
285 	r = (ctx->count[1] >> 3) & 0x7f;
286 
287 	/* Convert the length into a number of bits */
288 	bitlen[1] = ((uint64_t)len) << 3;
289 	bitlen[0] = ((uint64_t)len) >> 61;
290 
291 	/* Update number of bits */
292 	if ((ctx->count[1] += bitlen[1]) < bitlen[1])
293 		ctx->count[0]++;
294 	ctx->count[0] += bitlen[0];
295 
296 	/* Handle the case where we don't need to perform any transforms */
297 	if (len < SHA512_BLOCK_LENGTH - r) {
298 		memcpy(&ctx->buf[r], src, len);
299 		return;
300 	}
301 
302 	/* Finish the current block */
303 	memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r);
304 	SHA512_Transform(ctx->state, ctx->buf);
305 	src += SHA512_BLOCK_LENGTH - r;
306 	len -= SHA512_BLOCK_LENGTH - r;
307 
308 	/* Perform complete blocks */
309 	while (len >= SHA512_BLOCK_LENGTH) {
310 		SHA512_Transform(ctx->state, src);
311 		src += SHA512_BLOCK_LENGTH;
312 		len -= SHA512_BLOCK_LENGTH;
313 	}
314 
315 	/* Copy left over data into buffer */
316 	memcpy(ctx->buf, src, len);
317 }
318 
319 /*
320  * SHA-512 finalization.  Pads the input data, exports the hash value,
321  * and clears the context state.
322  */
323 void
324 SHA512_Final(unsigned char digest[static SHA512_DIGEST_LENGTH], SHA512_CTX *ctx)
325 {
326 
327 	/* Add padding */
328 	SHA512_Pad(ctx);
329 
330 	/* Write the hash */
331 	be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH);
332 
333 	/* Clear the context state */
334 	explicit_bzero(ctx, sizeof(*ctx));
335 }
336 
337 /*** SHA-512t: *********************************************************/
338 /*
339  * the SHA512t transforms are identical to SHA512 so reuse the existing function
340  */
341 void
342 SHA512_224_Init(SHA512_CTX * ctx)
343 {
344 
345 	/* Zero bits processed so far */
346 	ctx->count[0] = ctx->count[1] = 0;
347 
348 	/* Magic initialization constants */
349 	ctx->state[0] = 0x8c3d37c819544da2ULL;
350 	ctx->state[1] = 0x73e1996689dcd4d6ULL;
351 	ctx->state[2] = 0x1dfab7ae32ff9c82ULL;
352 	ctx->state[3] = 0x679dd514582f9fcfULL;
353 	ctx->state[4] = 0x0f6d2b697bd44da8ULL;
354 	ctx->state[5] = 0x77e36f7304c48942ULL;
355 	ctx->state[6] = 0x3f9d85a86a1d36c8ULL;
356 	ctx->state[7] = 0x1112e6ad91d692a1ULL;
357 }
358 
359 void
360 SHA512_224_Update(SHA512_CTX * ctx, const void *in, size_t len)
361 {
362 
363 	SHA512_Update(ctx, in, len);
364 }
365 
366 void
367 SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], SHA512_CTX * ctx)
368 {
369 
370 	/* Add padding */
371 	SHA512_Pad(ctx);
372 
373 	/* Write the hash */
374 	be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH);
375 
376 	/* Clear the context state */
377 	explicit_bzero(ctx, sizeof(*ctx));
378 }
379 
380 void
381 SHA512_256_Init(SHA512_CTX * ctx)
382 {
383 
384 	/* Zero bits processed so far */
385 	ctx->count[0] = ctx->count[1] = 0;
386 
387 	/* Magic initialization constants */
388 	ctx->state[0] = 0x22312194fc2bf72cULL;
389 	ctx->state[1] = 0x9f555fa3c84c64c2ULL;
390 	ctx->state[2] = 0x2393b86b6f53b151ULL;
391 	ctx->state[3] = 0x963877195940eabdULL;
392 	ctx->state[4] = 0x96283ee2a88effe3ULL;
393 	ctx->state[5] = 0xbe5e1e2553863992ULL;
394 	ctx->state[6] = 0x2b0199fc2c85b8aaULL;
395 	ctx->state[7] = 0x0eb72ddc81c52ca2ULL;
396 }
397 
398 void
399 SHA512_256_Update(SHA512_CTX * ctx, const void *in, size_t len)
400 {
401 
402 	SHA512_Update(ctx, in, len);
403 }
404 
405 void
406 SHA512_256_Final(unsigned char digest[static SHA512_256_DIGEST_LENGTH], SHA512_CTX * ctx)
407 {
408 
409 	/* Add padding */
410 	SHA512_Pad(ctx);
411 
412 	/* Write the hash */
413 	be64enc_vect(digest, ctx->state, SHA512_256_DIGEST_LENGTH);
414 
415 	/* Clear the context state */
416 	explicit_bzero(ctx, sizeof(*ctx));
417 }
418 
419 /*** SHA-384: *********************************************************/
420 /*
421  * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped
422  */
423 
424 /* SHA-384 initialization.  Begins a SHA-384 operation. */
425 void
426 SHA384_Init(SHA384_CTX * ctx)
427 {
428 
429 	/* Zero bits processed so far */
430 	ctx->count[0] = ctx->count[1] = 0;
431 
432 	/* Magic initialization constants */
433 	ctx->state[0] = 0xcbbb9d5dc1059ed8ULL;
434 	ctx->state[1] = 0x629a292a367cd507ULL;
435 	ctx->state[2] = 0x9159015a3070dd17ULL;
436 	ctx->state[3] = 0x152fecd8f70e5939ULL;
437 	ctx->state[4] = 0x67332667ffc00b31ULL;
438 	ctx->state[5] = 0x8eb44a8768581511ULL;
439 	ctx->state[6] = 0xdb0c2e0d64f98fa7ULL;
440 	ctx->state[7] = 0x47b5481dbefa4fa4ULL;
441 }
442 
443 /* Add bytes into the SHA-384 hash */
444 void
445 SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len)
446 {
447 
448 	SHA512_Update((SHA512_CTX *)ctx, in, len);
449 }
450 
451 /*
452  * SHA-384 finalization.  Pads the input data, exports the hash value,
453  * and clears the context state.
454  */
455 void
456 SHA384_Final(unsigned char digest[static SHA384_DIGEST_LENGTH], SHA384_CTX *ctx)
457 {
458 
459 	/* Add padding */
460 	SHA512_Pad((SHA512_CTX *)ctx);
461 
462 	/* Write the hash */
463 	be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH);
464 
465 	/* Clear the context state */
466 	explicit_bzero(ctx, sizeof(*ctx));
467 }
468 
469 #ifdef WEAK_REFS
470 /* When building libmd, provide weak references. Note: this is not
471    activated in the context of compiling these sources for internal
472    use in libcrypt.
473  */
474 #undef SHA512_Init
475 __weak_reference(_libmd_SHA512_Init, SHA512_Init);
476 #undef SHA512_Update
477 __weak_reference(_libmd_SHA512_Update, SHA512_Update);
478 #undef SHA512_Final
479 __weak_reference(_libmd_SHA512_Final, SHA512_Final);
480 #undef SHA512_Transform
481 __weak_reference(_libmd_SHA512_Transform, SHA512_Transform);
482 
483 #undef SHA512_224_Init
484 __weak_reference(_libmd_SHA512_224_Init, SHA512_224_Init);
485 #undef SHA512_224_Update
486 __weak_reference(_libmd_SHA512_224_Update, SHA512_224_Update);
487 #undef SHA512_224_Final
488 __weak_reference(_libmd_SHA512_224_Final, SHA512_224_Final);
489 
490 #undef SHA512_256_Init
491 __weak_reference(_libmd_SHA512_256_Init, SHA512_256_Init);
492 #undef SHA512_256_Update
493 __weak_reference(_libmd_SHA512_256_Update, SHA512_256_Update);
494 #undef SHA512_256_Final
495 __weak_reference(_libmd_SHA512_256_Final, SHA512_256_Final);
496 
497 #undef SHA384_Init
498 __weak_reference(_libmd_SHA384_Init, SHA384_Init);
499 #undef SHA384_Update
500 __weak_reference(_libmd_SHA384_Update, SHA384_Update);
501 #undef SHA384_Final
502 __weak_reference(_libmd_SHA384_Final, SHA384_Final);
503 #endif
504