xref: /freebsd/sys/crypto/sha2/sha512c.c (revision fafb1ee7bdc5d8a7d07cd03b2fb0bbb76f7a9d7c)
1 /*-
2  * Copyright 2005 Colin Percival
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24  * SUCH DAMAGE.
25  */
26 
27 #include <sys/cdefs.h>
28 __FBSDID("$FreeBSD$");
29 
30 #include <sys/endian.h>
31 #include <sys/types.h>
32 
33 #ifdef _KERNEL
34 #include <sys/systm.h>
35 #else
36 #include <string.h>
37 #endif
38 
39 #include "sha512.h"
40 #include "sha384.h"
41 
42 #if BYTE_ORDER == BIG_ENDIAN
43 
44 /* Copy a vector of big-endian uint64_t into a vector of bytes */
45 #define be64enc_vect(dst, src, len)	\
46 	memcpy((void *)dst, (const void *)src, (size_t)len)
47 
48 /* Copy a vector of bytes into a vector of big-endian uint64_t */
49 #define be64dec_vect(dst, src, len)	\
50 	memcpy((void *)dst, (const void *)src, (size_t)len)
51 
52 #else /* BYTE_ORDER != BIG_ENDIAN */
53 
54 /*
55  * Encode a length len/4 vector of (uint64_t) into a length len vector of
56  * (unsigned char) in big-endian form.  Assumes len is a multiple of 8.
57  */
58 static void
59 be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len)
60 {
61 	size_t i;
62 
63 	for (i = 0; i < len / 8; i++)
64 		be64enc(dst + i * 8, src[i]);
65 }
66 
67 /*
68  * Decode a big-endian length len vector of (unsigned char) into a length
69  * len/4 vector of (uint64_t).  Assumes len is a multiple of 8.
70  */
71 static void
72 be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len)
73 {
74 	size_t i;
75 
76 	for (i = 0; i < len / 8; i++)
77 		dst[i] = be64dec(src + i * 8);
78 }
79 
80 #endif /* BYTE_ORDER != BIG_ENDIAN */
81 
82 /* Elementary functions used by SHA512 */
83 #define Ch(x, y, z)	((x & (y ^ z)) ^ z)
84 #define Maj(x, y, z)	((x & (y | z)) | (y & z))
85 #define SHR(x, n)	(x >> n)
86 #define ROTR(x, n)	((x >> n) | (x << (64 - n)))
87 #define S0(x)		(ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
88 #define S1(x)		(ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
89 #define s0(x)		(ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
90 #define s1(x)		(ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
91 
92 /* SHA512 round function */
93 #define RND(a, b, c, d, e, f, g, h, k)			\
94 	t0 = h + S1(e) + Ch(e, f, g) + k;		\
95 	t1 = S0(a) + Maj(a, b, c);			\
96 	d += t0;					\
97 	h  = t0 + t1;
98 
99 /* Adjusted round function for rotating state */
100 #define RNDr(S, W, i, k)			\
101 	RND(S[(80 - i) % 8], S[(81 - i) % 8],	\
102 	    S[(82 - i) % 8], S[(83 - i) % 8],	\
103 	    S[(84 - i) % 8], S[(85 - i) % 8],	\
104 	    S[(86 - i) % 8], S[(87 - i) % 8],	\
105 	    W[i] + k)
106 
107 /*
108  * SHA512 block compression function.  The 512-bit state is transformed via
109  * the 512-bit input block to produce a new state.
110  */
111 static void
112 SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH])
113 {
114 	uint64_t W[80];
115 	uint64_t S[8];
116 	uint64_t t0, t1;
117 	int i;
118 
119 	/* 1. Prepare message schedule W. */
120 	be64dec_vect(W, block, SHA512_BLOCK_LENGTH);
121 	for (i = 16; i < 80; i++)
122 		W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
123 
124 	/* 2. Initialize working variables. */
125 	memcpy(S, state, SHA512_DIGEST_LENGTH);
126 
127 	/* 3. Mix. */
128 	RNDr(S, W, 0, 0x428a2f98d728ae22ULL);
129 	RNDr(S, W, 1, 0x7137449123ef65cdULL);
130 	RNDr(S, W, 2, 0xb5c0fbcfec4d3b2fULL);
131 	RNDr(S, W, 3, 0xe9b5dba58189dbbcULL);
132 	RNDr(S, W, 4, 0x3956c25bf348b538ULL);
133 	RNDr(S, W, 5, 0x59f111f1b605d019ULL);
134 	RNDr(S, W, 6, 0x923f82a4af194f9bULL);
135 	RNDr(S, W, 7, 0xab1c5ed5da6d8118ULL);
136 	RNDr(S, W, 8, 0xd807aa98a3030242ULL);
137 	RNDr(S, W, 9, 0x12835b0145706fbeULL);
138 	RNDr(S, W, 10, 0x243185be4ee4b28cULL);
139 	RNDr(S, W, 11, 0x550c7dc3d5ffb4e2ULL);
140 	RNDr(S, W, 12, 0x72be5d74f27b896fULL);
141 	RNDr(S, W, 13, 0x80deb1fe3b1696b1ULL);
142 	RNDr(S, W, 14, 0x9bdc06a725c71235ULL);
143 	RNDr(S, W, 15, 0xc19bf174cf692694ULL);
144 	RNDr(S, W, 16, 0xe49b69c19ef14ad2ULL);
145 	RNDr(S, W, 17, 0xefbe4786384f25e3ULL);
146 	RNDr(S, W, 18, 0x0fc19dc68b8cd5b5ULL);
147 	RNDr(S, W, 19, 0x240ca1cc77ac9c65ULL);
148 	RNDr(S, W, 20, 0x2de92c6f592b0275ULL);
149 	RNDr(S, W, 21, 0x4a7484aa6ea6e483ULL);
150 	RNDr(S, W, 22, 0x5cb0a9dcbd41fbd4ULL);
151 	RNDr(S, W, 23, 0x76f988da831153b5ULL);
152 	RNDr(S, W, 24, 0x983e5152ee66dfabULL);
153 	RNDr(S, W, 25, 0xa831c66d2db43210ULL);
154 	RNDr(S, W, 26, 0xb00327c898fb213fULL);
155 	RNDr(S, W, 27, 0xbf597fc7beef0ee4ULL);
156 	RNDr(S, W, 28, 0xc6e00bf33da88fc2ULL);
157 	RNDr(S, W, 29, 0xd5a79147930aa725ULL);
158 	RNDr(S, W, 30, 0x06ca6351e003826fULL);
159 	RNDr(S, W, 31, 0x142929670a0e6e70ULL);
160 	RNDr(S, W, 32, 0x27b70a8546d22ffcULL);
161 	RNDr(S, W, 33, 0x2e1b21385c26c926ULL);
162 	RNDr(S, W, 34, 0x4d2c6dfc5ac42aedULL);
163 	RNDr(S, W, 35, 0x53380d139d95b3dfULL);
164 	RNDr(S, W, 36, 0x650a73548baf63deULL);
165 	RNDr(S, W, 37, 0x766a0abb3c77b2a8ULL);
166 	RNDr(S, W, 38, 0x81c2c92e47edaee6ULL);
167 	RNDr(S, W, 39, 0x92722c851482353bULL);
168 	RNDr(S, W, 40, 0xa2bfe8a14cf10364ULL);
169 	RNDr(S, W, 41, 0xa81a664bbc423001ULL);
170 	RNDr(S, W, 42, 0xc24b8b70d0f89791ULL);
171 	RNDr(S, W, 43, 0xc76c51a30654be30ULL);
172 	RNDr(S, W, 44, 0xd192e819d6ef5218ULL);
173 	RNDr(S, W, 45, 0xd69906245565a910ULL);
174 	RNDr(S, W, 46, 0xf40e35855771202aULL);
175 	RNDr(S, W, 47, 0x106aa07032bbd1b8ULL);
176 	RNDr(S, W, 48, 0x19a4c116b8d2d0c8ULL);
177 	RNDr(S, W, 49, 0x1e376c085141ab53ULL);
178 	RNDr(S, W, 50, 0x2748774cdf8eeb99ULL);
179 	RNDr(S, W, 51, 0x34b0bcb5e19b48a8ULL);
180 	RNDr(S, W, 52, 0x391c0cb3c5c95a63ULL);
181 	RNDr(S, W, 53, 0x4ed8aa4ae3418acbULL);
182 	RNDr(S, W, 54, 0x5b9cca4f7763e373ULL);
183 	RNDr(S, W, 55, 0x682e6ff3d6b2b8a3ULL);
184 	RNDr(S, W, 56, 0x748f82ee5defb2fcULL);
185 	RNDr(S, W, 57, 0x78a5636f43172f60ULL);
186 	RNDr(S, W, 58, 0x84c87814a1f0ab72ULL);
187 	RNDr(S, W, 59, 0x8cc702081a6439ecULL);
188 	RNDr(S, W, 60, 0x90befffa23631e28ULL);
189 	RNDr(S, W, 61, 0xa4506cebde82bde9ULL);
190 	RNDr(S, W, 62, 0xbef9a3f7b2c67915ULL);
191 	RNDr(S, W, 63, 0xc67178f2e372532bULL);
192 	RNDr(S, W, 64, 0xca273eceea26619cULL);
193 	RNDr(S, W, 65, 0xd186b8c721c0c207ULL);
194 	RNDr(S, W, 66, 0xeada7dd6cde0eb1eULL);
195 	RNDr(S, W, 67, 0xf57d4f7fee6ed178ULL);
196 	RNDr(S, W, 68, 0x06f067aa72176fbaULL);
197 	RNDr(S, W, 69, 0x0a637dc5a2c898a6ULL);
198 	RNDr(S, W, 70, 0x113f9804bef90daeULL);
199 	RNDr(S, W, 71, 0x1b710b35131c471bULL);
200 	RNDr(S, W, 72, 0x28db77f523047d84ULL);
201 	RNDr(S, W, 73, 0x32caab7b40c72493ULL);
202 	RNDr(S, W, 74, 0x3c9ebe0a15c9bebcULL);
203 	RNDr(S, W, 75, 0x431d67c49c100d4cULL);
204 	RNDr(S, W, 76, 0x4cc5d4becb3e42b6ULL);
205 	RNDr(S, W, 77, 0x597f299cfc657e2aULL);
206 	RNDr(S, W, 78, 0x5fcb6fab3ad6faecULL);
207 	RNDr(S, W, 79, 0x6c44198c4a475817ULL);
208 
209 	/* 4. Mix local working variables into global state */
210 	for (i = 0; i < 8; i++)
211 		state[i] += S[i];
212 }
213 
214 static unsigned char PAD[SHA512_BLOCK_LENGTH] = {
215 	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
216 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
217 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
218 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
219 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
220 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
221 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
222 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
223 };
224 
225 /* Add padding and terminating bit-count. */
226 static void
227 SHA512_Pad(SHA512_CTX * ctx)
228 {
229 	unsigned char len[16];
230 	uint64_t r, plen;
231 
232 	/*
233 	 * Convert length to a vector of bytes -- we do this now rather
234 	 * than later because the length will change after we pad.
235 	 */
236 	be64enc_vect(len, ctx->count, 16);
237 
238 	/* Add 1--128 bytes so that the resulting length is 112 mod 128 */
239 	r = (ctx->count[1] >> 3) & 0x7f;
240 	plen = (r < 112) ? (112 - r) : (240 - r);
241 	SHA512_Update(ctx, PAD, (size_t)plen);
242 
243 	/* Add the terminating bit-count */
244 	SHA512_Update(ctx, len, 16);
245 }
246 
247 /* SHA-512 initialization.  Begins a SHA-512 operation. */
248 void
249 SHA512_Init(SHA512_CTX * ctx)
250 {
251 
252 	/* Zero bits processed so far */
253 	ctx->count[0] = ctx->count[1] = 0;
254 
255 	/* Magic initialization constants */
256 	ctx->state[0] = 0x6a09e667f3bcc908ULL;
257 	ctx->state[1] = 0xbb67ae8584caa73bULL;
258 	ctx->state[2] = 0x3c6ef372fe94f82bULL;
259 	ctx->state[3] = 0xa54ff53a5f1d36f1ULL;
260 	ctx->state[4] = 0x510e527fade682d1ULL;
261 	ctx->state[5] = 0x9b05688c2b3e6c1fULL;
262 	ctx->state[6] = 0x1f83d9abfb41bd6bULL;
263 	ctx->state[7] = 0x5be0cd19137e2179ULL;
264 }
265 
266 /* Add bytes into the hash */
267 void
268 SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len)
269 {
270 	uint64_t bitlen[2];
271 	uint64_t r;
272 	const unsigned char *src = in;
273 
274 	/* Number of bytes left in the buffer from previous updates */
275 	r = (ctx->count[1] >> 3) & 0x7f;
276 
277 	/* Convert the length into a number of bits */
278 	bitlen[1] = ((uint64_t)len) << 3;
279 	bitlen[0] = ((uint64_t)len) >> 61;
280 
281 	/* Update number of bits */
282 	if ((ctx->count[1] += bitlen[1]) < bitlen[1])
283 		ctx->count[0]++;
284 	ctx->count[0] += bitlen[0];
285 
286 	/* Handle the case where we don't need to perform any transforms */
287 	if (len < SHA512_BLOCK_LENGTH - r) {
288 		memcpy(&ctx->buf[r], src, len);
289 		return;
290 	}
291 
292 	/* Finish the current block */
293 	memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r);
294 	SHA512_Transform(ctx->state, ctx->buf);
295 	src += SHA512_BLOCK_LENGTH - r;
296 	len -= SHA512_BLOCK_LENGTH - r;
297 
298 	/* Perform complete blocks */
299 	while (len >= SHA512_BLOCK_LENGTH) {
300 		SHA512_Transform(ctx->state, src);
301 		src += SHA512_BLOCK_LENGTH;
302 		len -= SHA512_BLOCK_LENGTH;
303 	}
304 
305 	/* Copy left over data into buffer */
306 	memcpy(ctx->buf, src, len);
307 }
308 
309 /*
310  * SHA-512 finalization.  Pads the input data, exports the hash value,
311  * and clears the context state.
312  */
313 void
314 SHA512_Final(unsigned char digest[SHA512_DIGEST_LENGTH], SHA512_CTX * ctx)
315 {
316 
317 	/* Add padding */
318 	SHA512_Pad(ctx);
319 
320 	/* Write the hash */
321 	be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH);
322 
323 	/* Clear the context state */
324 	memset((void *)ctx, 0, sizeof(*ctx));
325 }
326 
327 /*** SHA-384: *********************************************************/
328 /*
329  * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped
330  */
331 
332 /* SHA-384 initialization.  Begins a SHA-384 operation. */
333 void
334 SHA384_Init(SHA384_CTX * ctx)
335 {
336 
337 	/* Zero bits processed so far */
338 	ctx->count[0] = ctx->count[1] = 0;
339 
340 	/* Magic initialization constants */
341 	ctx->state[0] = 0xcbbb9d5dc1059ed8ULL;
342 	ctx->state[1] = 0x629a292a367cd507ULL;
343 	ctx->state[2] = 0x9159015a3070dd17ULL;
344 	ctx->state[3] = 0x152fecd8f70e5939ULL;
345 	ctx->state[4] = 0x67332667ffc00b31ULL;
346 	ctx->state[5] = 0x8eb44a8768581511ULL;
347 	ctx->state[6] = 0xdb0c2e0d64f98fa7ULL;
348 	ctx->state[7] = 0x47b5481dbefa4fa4ULL;
349 }
350 
351 /* Add bytes into the SHA-384 hash */
352 void
353 SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len)
354 {
355 
356 	SHA512_Update((SHA512_CTX *)ctx, in, len);
357 }
358 
359 /*
360  * SHA-384 finalization.  Pads the input data, exports the hash value,
361  * and clears the context state.
362  */
363 void
364 SHA384_Final(unsigned char digest[SHA384_DIGEST_LENGTH], SHA384_CTX * ctx)
365 {
366 
367 	/* Add padding */
368 	SHA512_Pad((SHA512_CTX *)ctx);
369 
370 	/* Write the hash */
371 	be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH);
372 
373 	/* Clear the context state */
374 	memset((void *)ctx, 0, sizeof(*ctx));
375 }
376 
377 #ifdef WEAK_REFS
378 /* When building libmd, provide weak references. Note: this is not
379    activated in the context of compiling these sources for internal
380    use in libcrypt.
381  */
382 #undef SHA512_Init
383 __weak_reference(_libmd_SHA512_Init, SHA512_Init);
384 #undef SHA512_Update
385 __weak_reference(_libmd_SHA512_Update, SHA512_Update);
386 #undef SHA512_Final
387 __weak_reference(_libmd_SHA512_Final, SHA512_Final);
388 #undef SHA512_Transform
389 __weak_reference(_libmd_SHA512_Transform, SHA512_Transform);
390 
391 #undef SHA384_Init
392 __weak_reference(_libmd_SHA384_Init, SHA384_Init);
393 #undef SHA384_Update
394 __weak_reference(_libmd_SHA384_Update, SHA384_Update);
395 #undef SHA384_Final
396 __weak_reference(_libmd_SHA384_Final, SHA384_Final);
397 #endif
398