1 /*- 2 * Copyright 2005 Colin Percival 3 * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include <sys/endian.h> 32 #include <sys/types.h> 33 34 #ifdef _KERNEL 35 #include <sys/systm.h> 36 #else 37 #include <string.h> 38 #endif 39 40 #include "sha512.h" 41 #include "sha512t.h" 42 #include "sha384.h" 43 44 #if BYTE_ORDER == BIG_ENDIAN 45 46 /* Copy a vector of big-endian uint64_t into a vector of bytes */ 47 #define be64enc_vect(dst, src, len) \ 48 memcpy((void *)dst, (const void *)src, (size_t)len) 49 50 /* Copy a vector of bytes into a vector of big-endian uint64_t */ 51 #define be64dec_vect(dst, src, len) \ 52 memcpy((void *)dst, (const void *)src, (size_t)len) 53 54 #else /* BYTE_ORDER != BIG_ENDIAN */ 55 56 /* 57 * Encode a length len/4 vector of (uint64_t) into a length len vector of 58 * (unsigned char) in big-endian form. Assumes len is a multiple of 8. 59 */ 60 static void 61 be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len) 62 { 63 size_t i; 64 65 for (i = 0; i < len / 8; i++) 66 be64enc(dst + i * 8, src[i]); 67 } 68 69 /* 70 * Decode a big-endian length len vector of (unsigned char) into a length 71 * len/4 vector of (uint64_t). Assumes len is a multiple of 8. 72 */ 73 static void 74 be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len) 75 { 76 size_t i; 77 78 for (i = 0; i < len / 8; i++) 79 dst[i] = be64dec(src + i * 8); 80 } 81 82 #endif /* BYTE_ORDER != BIG_ENDIAN */ 83 84 /* Elementary functions used by SHA512 */ 85 #define Ch(x, y, z) ((x & (y ^ z)) ^ z) 86 #define Maj(x, y, z) ((x & (y | z)) | (y & z)) 87 #define SHR(x, n) (x >> n) 88 #define ROTR(x, n) ((x >> n) | (x << (64 - n))) 89 #define S0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39)) 90 #define S1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41)) 91 #define s0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7)) 92 #define s1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6)) 93 94 /* SHA512 round function */ 95 #define RND(a, b, c, d, e, f, g, h, k) \ 96 t0 = h + S1(e) + Ch(e, f, g) + k; \ 97 t1 = S0(a) + Maj(a, b, c); \ 98 d += t0; \ 99 h = t0 + t1; 100 101 /* Adjusted round function for rotating state */ 102 #define RNDr(S, W, i, k) \ 103 RND(S[(80 - i) % 8], S[(81 - i) % 8], \ 104 S[(82 - i) % 8], S[(83 - i) % 8], \ 105 S[(84 - i) % 8], S[(85 - i) % 8], \ 106 S[(86 - i) % 8], S[(87 - i) % 8], \ 107 W[i] + k) 108 109 /* 110 * SHA512 block compression function. The 512-bit state is transformed via 111 * the 512-bit input block to produce a new state. 112 */ 113 static void 114 SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH]) 115 { 116 uint64_t W[80]; 117 uint64_t S[8]; 118 uint64_t t0, t1; 119 int i; 120 121 /* 1. Prepare message schedule W. */ 122 be64dec_vect(W, block, SHA512_BLOCK_LENGTH); 123 for (i = 16; i < 80; i++) 124 W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; 125 126 /* 2. Initialize working variables. */ 127 memcpy(S, state, SHA512_DIGEST_LENGTH); 128 129 /* 3. Mix. */ 130 RNDr(S, W, 0, 0x428a2f98d728ae22ULL); 131 RNDr(S, W, 1, 0x7137449123ef65cdULL); 132 RNDr(S, W, 2, 0xb5c0fbcfec4d3b2fULL); 133 RNDr(S, W, 3, 0xe9b5dba58189dbbcULL); 134 RNDr(S, W, 4, 0x3956c25bf348b538ULL); 135 RNDr(S, W, 5, 0x59f111f1b605d019ULL); 136 RNDr(S, W, 6, 0x923f82a4af194f9bULL); 137 RNDr(S, W, 7, 0xab1c5ed5da6d8118ULL); 138 RNDr(S, W, 8, 0xd807aa98a3030242ULL); 139 RNDr(S, W, 9, 0x12835b0145706fbeULL); 140 RNDr(S, W, 10, 0x243185be4ee4b28cULL); 141 RNDr(S, W, 11, 0x550c7dc3d5ffb4e2ULL); 142 RNDr(S, W, 12, 0x72be5d74f27b896fULL); 143 RNDr(S, W, 13, 0x80deb1fe3b1696b1ULL); 144 RNDr(S, W, 14, 0x9bdc06a725c71235ULL); 145 RNDr(S, W, 15, 0xc19bf174cf692694ULL); 146 RNDr(S, W, 16, 0xe49b69c19ef14ad2ULL); 147 RNDr(S, W, 17, 0xefbe4786384f25e3ULL); 148 RNDr(S, W, 18, 0x0fc19dc68b8cd5b5ULL); 149 RNDr(S, W, 19, 0x240ca1cc77ac9c65ULL); 150 RNDr(S, W, 20, 0x2de92c6f592b0275ULL); 151 RNDr(S, W, 21, 0x4a7484aa6ea6e483ULL); 152 RNDr(S, W, 22, 0x5cb0a9dcbd41fbd4ULL); 153 RNDr(S, W, 23, 0x76f988da831153b5ULL); 154 RNDr(S, W, 24, 0x983e5152ee66dfabULL); 155 RNDr(S, W, 25, 0xa831c66d2db43210ULL); 156 RNDr(S, W, 26, 0xb00327c898fb213fULL); 157 RNDr(S, W, 27, 0xbf597fc7beef0ee4ULL); 158 RNDr(S, W, 28, 0xc6e00bf33da88fc2ULL); 159 RNDr(S, W, 29, 0xd5a79147930aa725ULL); 160 RNDr(S, W, 30, 0x06ca6351e003826fULL); 161 RNDr(S, W, 31, 0x142929670a0e6e70ULL); 162 RNDr(S, W, 32, 0x27b70a8546d22ffcULL); 163 RNDr(S, W, 33, 0x2e1b21385c26c926ULL); 164 RNDr(S, W, 34, 0x4d2c6dfc5ac42aedULL); 165 RNDr(S, W, 35, 0x53380d139d95b3dfULL); 166 RNDr(S, W, 36, 0x650a73548baf63deULL); 167 RNDr(S, W, 37, 0x766a0abb3c77b2a8ULL); 168 RNDr(S, W, 38, 0x81c2c92e47edaee6ULL); 169 RNDr(S, W, 39, 0x92722c851482353bULL); 170 RNDr(S, W, 40, 0xa2bfe8a14cf10364ULL); 171 RNDr(S, W, 41, 0xa81a664bbc423001ULL); 172 RNDr(S, W, 42, 0xc24b8b70d0f89791ULL); 173 RNDr(S, W, 43, 0xc76c51a30654be30ULL); 174 RNDr(S, W, 44, 0xd192e819d6ef5218ULL); 175 RNDr(S, W, 45, 0xd69906245565a910ULL); 176 RNDr(S, W, 46, 0xf40e35855771202aULL); 177 RNDr(S, W, 47, 0x106aa07032bbd1b8ULL); 178 RNDr(S, W, 48, 0x19a4c116b8d2d0c8ULL); 179 RNDr(S, W, 49, 0x1e376c085141ab53ULL); 180 RNDr(S, W, 50, 0x2748774cdf8eeb99ULL); 181 RNDr(S, W, 51, 0x34b0bcb5e19b48a8ULL); 182 RNDr(S, W, 52, 0x391c0cb3c5c95a63ULL); 183 RNDr(S, W, 53, 0x4ed8aa4ae3418acbULL); 184 RNDr(S, W, 54, 0x5b9cca4f7763e373ULL); 185 RNDr(S, W, 55, 0x682e6ff3d6b2b8a3ULL); 186 RNDr(S, W, 56, 0x748f82ee5defb2fcULL); 187 RNDr(S, W, 57, 0x78a5636f43172f60ULL); 188 RNDr(S, W, 58, 0x84c87814a1f0ab72ULL); 189 RNDr(S, W, 59, 0x8cc702081a6439ecULL); 190 RNDr(S, W, 60, 0x90befffa23631e28ULL); 191 RNDr(S, W, 61, 0xa4506cebde82bde9ULL); 192 RNDr(S, W, 62, 0xbef9a3f7b2c67915ULL); 193 RNDr(S, W, 63, 0xc67178f2e372532bULL); 194 RNDr(S, W, 64, 0xca273eceea26619cULL); 195 RNDr(S, W, 65, 0xd186b8c721c0c207ULL); 196 RNDr(S, W, 66, 0xeada7dd6cde0eb1eULL); 197 RNDr(S, W, 67, 0xf57d4f7fee6ed178ULL); 198 RNDr(S, W, 68, 0x06f067aa72176fbaULL); 199 RNDr(S, W, 69, 0x0a637dc5a2c898a6ULL); 200 RNDr(S, W, 70, 0x113f9804bef90daeULL); 201 RNDr(S, W, 71, 0x1b710b35131c471bULL); 202 RNDr(S, W, 72, 0x28db77f523047d84ULL); 203 RNDr(S, W, 73, 0x32caab7b40c72493ULL); 204 RNDr(S, W, 74, 0x3c9ebe0a15c9bebcULL); 205 RNDr(S, W, 75, 0x431d67c49c100d4cULL); 206 RNDr(S, W, 76, 0x4cc5d4becb3e42b6ULL); 207 RNDr(S, W, 77, 0x597f299cfc657e2aULL); 208 RNDr(S, W, 78, 0x5fcb6fab3ad6faecULL); 209 RNDr(S, W, 79, 0x6c44198c4a475817ULL); 210 211 /* 4. Mix local working variables into global state */ 212 for (i = 0; i < 8; i++) 213 state[i] += S[i]; 214 } 215 216 static unsigned char PAD[SHA512_BLOCK_LENGTH] = { 217 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 218 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 219 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 220 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 221 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 222 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 223 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 224 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 225 }; 226 227 /* Add padding and terminating bit-count. */ 228 static void 229 SHA512_Pad(SHA512_CTX * ctx) 230 { 231 unsigned char len[16]; 232 uint64_t r, plen; 233 234 /* 235 * Convert length to a vector of bytes -- we do this now rather 236 * than later because the length will change after we pad. 237 */ 238 be64enc_vect(len, ctx->count, 16); 239 240 /* Add 1--128 bytes so that the resulting length is 112 mod 128 */ 241 r = (ctx->count[1] >> 3) & 0x7f; 242 plen = (r < 112) ? (112 - r) : (240 - r); 243 SHA512_Update(ctx, PAD, (size_t)plen); 244 245 /* Add the terminating bit-count */ 246 SHA512_Update(ctx, len, 16); 247 } 248 249 /* SHA-512 initialization. Begins a SHA-512 operation. */ 250 void 251 SHA512_Init(SHA512_CTX * ctx) 252 { 253 254 /* Zero bits processed so far */ 255 ctx->count[0] = ctx->count[1] = 0; 256 257 /* Magic initialization constants */ 258 ctx->state[0] = 0x6a09e667f3bcc908ULL; 259 ctx->state[1] = 0xbb67ae8584caa73bULL; 260 ctx->state[2] = 0x3c6ef372fe94f82bULL; 261 ctx->state[3] = 0xa54ff53a5f1d36f1ULL; 262 ctx->state[4] = 0x510e527fade682d1ULL; 263 ctx->state[5] = 0x9b05688c2b3e6c1fULL; 264 ctx->state[6] = 0x1f83d9abfb41bd6bULL; 265 ctx->state[7] = 0x5be0cd19137e2179ULL; 266 } 267 268 /* Add bytes into the hash */ 269 void 270 SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len) 271 { 272 uint64_t bitlen[2]; 273 uint64_t r; 274 const unsigned char *src = in; 275 276 /* Number of bytes left in the buffer from previous updates */ 277 r = (ctx->count[1] >> 3) & 0x7f; 278 279 /* Convert the length into a number of bits */ 280 bitlen[1] = ((uint64_t)len) << 3; 281 bitlen[0] = ((uint64_t)len) >> 61; 282 283 /* Update number of bits */ 284 if ((ctx->count[1] += bitlen[1]) < bitlen[1]) 285 ctx->count[0]++; 286 ctx->count[0] += bitlen[0]; 287 288 /* Handle the case where we don't need to perform any transforms */ 289 if (len < SHA512_BLOCK_LENGTH - r) { 290 memcpy(&ctx->buf[r], src, len); 291 return; 292 } 293 294 /* Finish the current block */ 295 memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r); 296 SHA512_Transform(ctx->state, ctx->buf); 297 src += SHA512_BLOCK_LENGTH - r; 298 len -= SHA512_BLOCK_LENGTH - r; 299 300 /* Perform complete blocks */ 301 while (len >= SHA512_BLOCK_LENGTH) { 302 SHA512_Transform(ctx->state, src); 303 src += SHA512_BLOCK_LENGTH; 304 len -= SHA512_BLOCK_LENGTH; 305 } 306 307 /* Copy left over data into buffer */ 308 memcpy(ctx->buf, src, len); 309 } 310 311 /* 312 * SHA-512 finalization. Pads the input data, exports the hash value, 313 * and clears the context state. 314 */ 315 void 316 SHA512_Final(unsigned char digest[static SHA512_DIGEST_LENGTH], SHA512_CTX *ctx) 317 { 318 319 /* Add padding */ 320 SHA512_Pad(ctx); 321 322 /* Write the hash */ 323 be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH); 324 325 /* Clear the context state */ 326 memset(ctx, 0, sizeof(*ctx)); 327 } 328 329 /*** SHA-512t: *********************************************************/ 330 /* 331 * the SHA512t transforms are identical to SHA512 so reuse the existing function 332 */ 333 void 334 SHA512_224_Init(SHA512_CTX * ctx) 335 { 336 337 /* Zero bits processed so far */ 338 ctx->count[0] = ctx->count[1] = 0; 339 340 /* Magic initialization constants */ 341 ctx->state[0] = 0x8c3d37c819544da2ULL; 342 ctx->state[1] = 0x73e1996689dcd4d6ULL; 343 ctx->state[2] = 0x1dfab7ae32ff9c82ULL; 344 ctx->state[3] = 0x679dd514582f9fcfULL; 345 ctx->state[4] = 0x0f6d2b697bd44da8ULL; 346 ctx->state[5] = 0x77e36f7304c48942ULL; 347 ctx->state[6] = 0x3f9d85a86a1d36c8ULL; 348 ctx->state[7] = 0x1112e6ad91d692a1ULL; 349 } 350 351 void 352 SHA512_224_Update(SHA512_CTX * ctx, const void *in, size_t len) 353 { 354 355 SHA512_Update(ctx, in, len); 356 } 357 358 void 359 SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], SHA512_CTX * ctx) 360 { 361 362 /* Add padding */ 363 SHA512_Pad(ctx); 364 365 /* Write the hash */ 366 be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH); 367 368 /* Clear the context state */ 369 memset(ctx, 0, sizeof(*ctx)); 370 } 371 372 void 373 SHA512_256_Init(SHA512_CTX * ctx) 374 { 375 376 /* Zero bits processed so far */ 377 ctx->count[0] = ctx->count[1] = 0; 378 379 /* Magic initialization constants */ 380 ctx->state[0] = 0x22312194fc2bf72cULL; 381 ctx->state[1] = 0x9f555fa3c84c64c2ULL; 382 ctx->state[2] = 0x2393b86b6f53b151ULL; 383 ctx->state[3] = 0x963877195940eabdULL; 384 ctx->state[4] = 0x96283ee2a88effe3ULL; 385 ctx->state[5] = 0xbe5e1e2553863992ULL; 386 ctx->state[6] = 0x2b0199fc2c85b8aaULL; 387 ctx->state[7] = 0x0eb72ddc81c52ca2ULL; 388 } 389 390 void 391 SHA512_256_Update(SHA512_CTX * ctx, const void *in, size_t len) 392 { 393 394 SHA512_Update(ctx, in, len); 395 } 396 397 void 398 SHA512_256_Final(unsigned char digest[static SHA512_256_DIGEST_LENGTH], SHA512_CTX * ctx) 399 { 400 401 /* Add padding */ 402 SHA512_Pad(ctx); 403 404 /* Write the hash */ 405 be64enc_vect(digest, ctx->state, SHA512_256_DIGEST_LENGTH); 406 407 /* Clear the context state */ 408 memset(ctx, 0, sizeof(*ctx)); 409 } 410 411 /*** SHA-384: *********************************************************/ 412 /* 413 * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped 414 */ 415 416 /* SHA-384 initialization. Begins a SHA-384 operation. */ 417 void 418 SHA384_Init(SHA384_CTX * ctx) 419 { 420 421 /* Zero bits processed so far */ 422 ctx->count[0] = ctx->count[1] = 0; 423 424 /* Magic initialization constants */ 425 ctx->state[0] = 0xcbbb9d5dc1059ed8ULL; 426 ctx->state[1] = 0x629a292a367cd507ULL; 427 ctx->state[2] = 0x9159015a3070dd17ULL; 428 ctx->state[3] = 0x152fecd8f70e5939ULL; 429 ctx->state[4] = 0x67332667ffc00b31ULL; 430 ctx->state[5] = 0x8eb44a8768581511ULL; 431 ctx->state[6] = 0xdb0c2e0d64f98fa7ULL; 432 ctx->state[7] = 0x47b5481dbefa4fa4ULL; 433 } 434 435 /* Add bytes into the SHA-384 hash */ 436 void 437 SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len) 438 { 439 440 SHA512_Update((SHA512_CTX *)ctx, in, len); 441 } 442 443 /* 444 * SHA-384 finalization. Pads the input data, exports the hash value, 445 * and clears the context state. 446 */ 447 void 448 SHA384_Final(unsigned char digest[static SHA384_DIGEST_LENGTH], SHA384_CTX *ctx) 449 { 450 451 /* Add padding */ 452 SHA512_Pad((SHA512_CTX *)ctx); 453 454 /* Write the hash */ 455 be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH); 456 457 /* Clear the context state */ 458 memset(ctx, 0, sizeof(*ctx)); 459 } 460 461 #ifdef WEAK_REFS 462 /* When building libmd, provide weak references. Note: this is not 463 activated in the context of compiling these sources for internal 464 use in libcrypt. 465 */ 466 #undef SHA512_Init 467 __weak_reference(_libmd_SHA512_Init, SHA512_Init); 468 #undef SHA512_Update 469 __weak_reference(_libmd_SHA512_Update, SHA512_Update); 470 #undef SHA512_Final 471 __weak_reference(_libmd_SHA512_Final, SHA512_Final); 472 #undef SHA512_Transform 473 __weak_reference(_libmd_SHA512_Transform, SHA512_Transform); 474 475 #undef SHA512_224_Init 476 __weak_reference(_libmd_SHA512_224_Init, SHA512_224_Init); 477 #undef SHA512_224_Update 478 __weak_reference(_libmd_SHA512_224_Update, SHA512_224_Update); 479 #undef SHA512_224_Final 480 __weak_reference(_libmd_SHA512_224_Final, SHA512_224_Final); 481 482 #undef SHA512_256_Init 483 __weak_reference(_libmd_SHA512_256_Init, SHA512_256_Init); 484 #undef SHA512_256_Update 485 __weak_reference(_libmd_SHA512_256_Update, SHA512_256_Update); 486 #undef SHA512_256_Final 487 __weak_reference(_libmd_SHA512_256_Final, SHA512_256_Final); 488 489 #undef SHA384_Init 490 __weak_reference(_libmd_SHA384_Init, SHA384_Init); 491 #undef SHA384_Update 492 __weak_reference(_libmd_SHA384_Update, SHA384_Update); 493 #undef SHA384_Final 494 __weak_reference(_libmd_SHA384_Final, SHA384_Final); 495 #endif 496