Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/sys/crypto/sha2/sha512c.c
104396 views
1
/*-

2
 * Copyright 2005 Colin Percival

3
 * Copyright (c) 2015 Allan Jude <[email protected]>

4
 * All rights reserved.

5
 *

6
 * Redistribution and use in source and binary forms, with or without

7
 * modification, are permitted provided that the following conditions

8
 * are met:

9
 * 1. Redistributions of source code must retain the above copyright

10
 *    notice, this list of conditions and the following disclaimer.

11
 * 2. Redistributions in binary form must reproduce the above copyright

12
 *    notice, this list of conditions and the following disclaimer in the

13
 *    documentation and/or other materials provided with the distribution.

14
 *

15
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

16
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

17
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

18
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

19
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

20
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

21
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

22
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

23
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

24
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

25
 * SUCH DAMAGE.

26
 */

27


28
#include <sys/cdefs.h>

29
#include <sys/endian.h>

30
#include <sys/types.h>

31


32
#ifdef _KERNEL

33
#include <sys/systm.h>

34
#else

35
#include <string.h>

36
#endif

37


38
#include "sha512.h"

39
#include "sha512t.h"

40
#include "sha384.h"

41
#include "sha512c_impl.h"

42


43
#if defined(ARM64_SHA512)

44
#include <sys/auxv.h>

45
#include <machine/ifunc.h>

46
#endif

47


48
#if BYTE_ORDER == BIG_ENDIAN

49


50
/* Copy a vector of big-endian uint64_t into a vector of bytes */

51
#define be64enc_vect(dst, src, len)	\

52
	memcpy((void *)dst, (const void *)src, (size_t)len)

53


54
/* Copy a vector of bytes into a vector of big-endian uint64_t */

55
#define be64dec_vect(dst, src, len)	\

56
	memcpy((void *)dst, (const void *)src, (size_t)len)

57


58
#else /* BYTE_ORDER != BIG_ENDIAN */

59


60
/*

61
 * Encode a length (len + 7) / 8 vector of (uint64_t) into a length len

62
 * vector of (unsigned char) in big-endian form.  Assumes len is a

63
 * multiple of 4.

64
 */

65
static inline void

66
be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len)

67
{

68
	size_t i;

69


70
	for (i = 0; i < len / 8; i++)

71
		be64enc(dst + i * 8, src[i]);

72
	if (len % 8 == 4)

73
		be32enc(dst + i * 8, src[i] >> 32);

74
}

75


76
/*

77
 * Decode a big-endian length len vector of (unsigned char) into a length

78
 * len/8 vector of (uint64_t).  Assumes len is a multiple of 8.

79
 */

80
static inline void

81
be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len)

82
{

83
	size_t i;

84


85
	for (i = 0; i < len / 8; i++)

86
		dst[i] = be64dec(src + i * 8);

87
}

88


89
#endif /* BYTE_ORDER != BIG_ENDIAN */

90


91
/* SHA512 round constants. */

92
static const uint64_t K[80] = {

93
	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,

94
	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,

95
	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,

96
	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,

97
	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,

98
	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,

99
	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,

100
	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,

101
	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,

102
	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,

103
	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,

104
	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,

105
	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,

106
	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,

107
	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,

108
	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,

109
	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,

110
	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,

111
	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,

112
	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,

113
	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,

114
	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,

115
	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,

116
	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,

117
	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,

118
	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,

119
	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,

120
	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,

121
	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,

122
	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,

123
	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,

124
	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,

125
	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,

126
	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,

127
	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,

128
	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,

129
	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,

130
	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,

131
	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,

132
	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL

133
};

134


135
/* Elementary functions used by SHA512 */

136
#define Ch(x, y, z)	((x & (y ^ z)) ^ z)

137
#define Maj(x, y, z)	((x & (y | z)) | (y & z))

138
#define SHR(x, n)	(x >> n)

139
#define ROTR(x, n)	((x >> n) | (x << (64 - n)))

140
#define S0(x)		(ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))

141
#define S1(x)		(ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))

142
#define s0(x)		(ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))

143
#define s1(x)		(ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))

144


145
/* SHA512 round function */

146
#define RND(a, b, c, d, e, f, g, h, k)			\

147
	h += S1(e) + Ch(e, f, g) + k;			\

148
	d += h;						\

149
	h += S0(a) + Maj(a, b, c);

150


151
/* Adjusted round function for rotating state */

152
#define RNDr(S, W, i, ii)			\

153
	RND(S[(80 - i) % 8], S[(81 - i) % 8],	\

154
	    S[(82 - i) % 8], S[(83 - i) % 8],	\

155
	    S[(84 - i) % 8], S[(85 - i) % 8],	\

156
	    S[(86 - i) % 8], S[(87 - i) % 8],	\

157
	    W[i + ii] + K[i + ii])

158


159
/* Message schedule computation */

160
#define MSCH(W, ii, i)				\

161
	W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]

162


163
/*

164
 * SHA512 block compression function.  The 512-bit state is transformed via

165
 * the 512-bit input block to produce a new state.

166
 */

167
static void

168
#if defined(ARM64_SHA512)

169
SHA512_Transform_c(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH])

170
#else

171
SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH])

172
#endif

173
{

174
	uint64_t W[80];

175
	uint64_t S[8];

176
	int i;

177


178
	/* 1. Prepare the first part of the message schedule W. */

179
	be64dec_vect(W, block, SHA512_BLOCK_LENGTH);

180


181
	/* 2. Initialize working variables. */

182
	memcpy(S, state, SHA512_DIGEST_LENGTH);

183


184
	/* 3. Mix. */

185
	for (i = 0; i < 80; i += 16) {

186
		RNDr(S, W, 0, i);

187
		RNDr(S, W, 1, i);

188
		RNDr(S, W, 2, i);

189
		RNDr(S, W, 3, i);

190
		RNDr(S, W, 4, i);

191
		RNDr(S, W, 5, i);

192
		RNDr(S, W, 6, i);

193
		RNDr(S, W, 7, i);

194
		RNDr(S, W, 8, i);

195
		RNDr(S, W, 9, i);

196
		RNDr(S, W, 10, i);

197
		RNDr(S, W, 11, i);

198
		RNDr(S, W, 12, i);

199
		RNDr(S, W, 13, i);

200
		RNDr(S, W, 14, i);

201
		RNDr(S, W, 15, i);

202


203
		if (i == 64)

204
			break;

205
		MSCH(W, 0, i);

206
		MSCH(W, 1, i);

207
		MSCH(W, 2, i);

208
		MSCH(W, 3, i);

209
		MSCH(W, 4, i);

210
		MSCH(W, 5, i);

211
		MSCH(W, 6, i);

212
		MSCH(W, 7, i);

213
		MSCH(W, 8, i);

214
		MSCH(W, 9, i);

215
		MSCH(W, 10, i);

216
		MSCH(W, 11, i);

217
		MSCH(W, 12, i);

218
		MSCH(W, 13, i);

219
		MSCH(W, 14, i);

220
		MSCH(W, 15, i);

221
	}

222


223
	/* 4. Mix local working variables into global state */

224
	for (i = 0; i < 8; i++)

225
		state[i] += S[i];

226
}

227


228
#if defined(ARM64_SHA512)

229
static void

230
SHA512_Transform_arm64(uint64_t * state,

231
    const unsigned char block[SHA512_BLOCK_LENGTH])

232
{

233
	SHA512_Transform_arm64_impl(state, block, K);

234
}

235


236
DEFINE_UIFUNC(static, void, SHA512_Transform,

237
    (uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH]))

238
{

239
	if ((at_hwcap & HWCAP_SHA512) != 0)

240
		return (SHA512_Transform_arm64);

241


242
	return (SHA512_Transform_c);

243
}

244
#endif

245


246
static unsigned char PAD[SHA512_BLOCK_LENGTH] = {

247
	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,

248
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,

249
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,

250
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,

251
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,

252
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,

253
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,

254
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0

255
};

256


257
/* Add padding and terminating bit-count. */

258
static void

259
SHA512_Pad(SHA512_CTX * ctx)

260
{

261
	size_t r;

262


263
	/* Figure out how many bytes we have buffered. */

264
	r = (ctx->count[1] >> 3) & 0x7f;

265


266
	/* Pad to 112 mod 128, transforming if we finish a block en route. */

267
	if (r < 112) {

268
		/* Pad to 112 mod 128. */

269
		memcpy(&ctx->buf[r], PAD, 112 - r);

270
	} else {

271
		/* Finish the current block and mix. */

272
		memcpy(&ctx->buf[r], PAD, 128 - r);

273
		SHA512_Transform(ctx->state, ctx->buf);

274


275
		/* The start of the final block is all zeroes. */

276
		memset(&ctx->buf[0], 0, 112);

277
	}

278


279
	/* Add the terminating bit-count. */

280
	be64enc_vect(&ctx->buf[112], ctx->count, 16);

281


282
	/* Mix in the final block. */

283
	SHA512_Transform(ctx->state, ctx->buf);

284
}

285


286
/* SHA-512 initialization.  Begins a SHA-512 operation. */

287
void

288
SHA512_Init(SHA512_CTX * ctx)

289
{

290


291
	/* Zero bits processed so far */

292
	ctx->count[0] = ctx->count[1] = 0;

293


294
	/* Magic initialization constants */

295
	ctx->state[0] = 0x6a09e667f3bcc908ULL;

296
	ctx->state[1] = 0xbb67ae8584caa73bULL;

297
	ctx->state[2] = 0x3c6ef372fe94f82bULL;

298
	ctx->state[3] = 0xa54ff53a5f1d36f1ULL;

299
	ctx->state[4] = 0x510e527fade682d1ULL;

300
	ctx->state[5] = 0x9b05688c2b3e6c1fULL;

301
	ctx->state[6] = 0x1f83d9abfb41bd6bULL;

302
	ctx->state[7] = 0x5be0cd19137e2179ULL;

303
}

304


305
/* Add bytes into the hash */

306
void

307
SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len)

308
{

309
	uint64_t bitlen[2];

310
	uint64_t r;

311
	const unsigned char *src = in;

312


313
	/* Number of bytes left in the buffer from previous updates */

314
	r = (ctx->count[1] >> 3) & 0x7f;

315


316
	/* Convert the length into a number of bits */

317
	bitlen[1] = ((uint64_t)len) << 3;

318
	bitlen[0] = ((uint64_t)len) >> 61;

319


320
	/* Update number of bits */

321
	if ((ctx->count[1] += bitlen[1]) < bitlen[1])

322
		ctx->count[0]++;

323
	ctx->count[0] += bitlen[0];

324


325
	/* Handle the case where we don't need to perform any transforms */

326
	if (len < SHA512_BLOCK_LENGTH - r) {

327
		memcpy(&ctx->buf[r], src, len);

328
		return;

329
	}

330


331
	/* Finish the current block */

332
	memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r);

333
	SHA512_Transform(ctx->state, ctx->buf);

334
	src += SHA512_BLOCK_LENGTH - r;

335
	len -= SHA512_BLOCK_LENGTH - r;

336


337
	/* Perform complete blocks */

338
	while (len >= SHA512_BLOCK_LENGTH) {

339
		SHA512_Transform(ctx->state, src);

340
		src += SHA512_BLOCK_LENGTH;

341
		len -= SHA512_BLOCK_LENGTH;

342
	}

343


344
	/* Copy left over data into buffer */

345
	memcpy(ctx->buf, src, len);

346
}

347


348
/*

349
 * SHA-512 finalization.  Pads the input data, exports the hash value,

350
 * and clears the context state.

351
 */

352
void

353
SHA512_Final(unsigned char digest[static SHA512_DIGEST_LENGTH], SHA512_CTX *ctx)

354
{

355


356
	/* Add padding */

357
	SHA512_Pad(ctx);

358


359
	/* Write the hash */

360
	be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH);

361


362
	/* Clear the context state */

363
	explicit_bzero(ctx, sizeof(*ctx));

364
}

365


366
/*** SHA-512t: *********************************************************/

367
/*

368
 * the SHA512t transforms are identical to SHA512 so reuse the existing function

369
 */

370
void

371
SHA512_224_Init(SHA512_CTX * ctx)

372
{

373


374
	/* Zero bits processed so far */

375
	ctx->count[0] = ctx->count[1] = 0;

376


377
	/* Magic initialization constants */

378
	ctx->state[0] = 0x8c3d37c819544da2ULL;

379
	ctx->state[1] = 0x73e1996689dcd4d6ULL;

380
	ctx->state[2] = 0x1dfab7ae32ff9c82ULL;

381
	ctx->state[3] = 0x679dd514582f9fcfULL;

382
	ctx->state[4] = 0x0f6d2b697bd44da8ULL;

383
	ctx->state[5] = 0x77e36f7304c48942ULL;

384
	ctx->state[6] = 0x3f9d85a86a1d36c8ULL;

385
	ctx->state[7] = 0x1112e6ad91d692a1ULL;

386
}

387


388
void

389
SHA512_224_Update(SHA512_CTX * ctx, const void *in, size_t len)

390
{

391


392
	SHA512_Update(ctx, in, len);

393
}

394


395
void

396
SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], SHA512_CTX * ctx)

397
{

398


399
	/* Add padding */

400
	SHA512_Pad(ctx);

401


402
	/* Write the hash */

403
	be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH);

404


405
	/* Clear the context state */

406
	explicit_bzero(ctx, sizeof(*ctx));

407
}

408


409
void

410
SHA512_256_Init(SHA512_CTX * ctx)

411
{

412


413
	/* Zero bits processed so far */

414
	ctx->count[0] = ctx->count[1] = 0;

415


416
	/* Magic initialization constants */

417
	ctx->state[0] = 0x22312194fc2bf72cULL;

418
	ctx->state[1] = 0x9f555fa3c84c64c2ULL;

419
	ctx->state[2] = 0x2393b86b6f53b151ULL;

420
	ctx->state[3] = 0x963877195940eabdULL;

421
	ctx->state[4] = 0x96283ee2a88effe3ULL;

422
	ctx->state[5] = 0xbe5e1e2553863992ULL;

423
	ctx->state[6] = 0x2b0199fc2c85b8aaULL;

424
	ctx->state[7] = 0x0eb72ddc81c52ca2ULL;

425
}

426


427
void

428
SHA512_256_Update(SHA512_CTX * ctx, const void *in, size_t len)

429
{

430


431
	SHA512_Update(ctx, in, len);

432
}

433


434
void

435
SHA512_256_Final(unsigned char digest[static SHA512_256_DIGEST_LENGTH], SHA512_CTX * ctx)

436
{

437


438
	/* Add padding */

439
	SHA512_Pad(ctx);

440


441
	/* Write the hash */

442
	be64enc_vect(digest, ctx->state, SHA512_256_DIGEST_LENGTH);

443


444
	/* Clear the context state */

445
	explicit_bzero(ctx, sizeof(*ctx));

446
}

447


448
/*** SHA-384: *********************************************************/

449
/*

450
 * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped

451
 */

452


453
/* SHA-384 initialization.  Begins a SHA-384 operation. */

454
void

455
SHA384_Init(SHA384_CTX * ctx)

456
{

457


458
	/* Zero bits processed so far */

459
	ctx->count[0] = ctx->count[1] = 0;

460


461
	/* Magic initialization constants */

462
	ctx->state[0] = 0xcbbb9d5dc1059ed8ULL;

463
	ctx->state[1] = 0x629a292a367cd507ULL;

464
	ctx->state[2] = 0x9159015a3070dd17ULL;

465
	ctx->state[3] = 0x152fecd8f70e5939ULL;

466
	ctx->state[4] = 0x67332667ffc00b31ULL;

467
	ctx->state[5] = 0x8eb44a8768581511ULL;

468
	ctx->state[6] = 0xdb0c2e0d64f98fa7ULL;

469
	ctx->state[7] = 0x47b5481dbefa4fa4ULL;

470
}

471


472
/* Add bytes into the SHA-384 hash */

473
void

474
SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len)

475
{

476


477
	SHA512_Update((SHA512_CTX *)ctx, in, len);

478
}

479


480
/*

481
 * SHA-384 finalization.  Pads the input data, exports the hash value,

482
 * and clears the context state.

483
 */

484
void

485
SHA384_Final(unsigned char digest[static SHA384_DIGEST_LENGTH], SHA384_CTX *ctx)

486
{

487


488
	/* Add padding */

489
	SHA512_Pad((SHA512_CTX *)ctx);

490


491
	/* Write the hash */

492
	be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH);

493


494
	/* Clear the context state */

495
	explicit_bzero(ctx, sizeof(*ctx));

496
}

497


498
#ifdef WEAK_REFS

499
/* When building libmd, provide weak references. Note: this is not

500
   activated in the context of compiling these sources for internal

501
   use in libcrypt.

502
 */

503
#undef SHA512_Init

504
__weak_reference(_libmd_SHA512_Init, SHA512_Init);

505
#undef SHA512_Update

506
__weak_reference(_libmd_SHA512_Update, SHA512_Update);

507
#undef SHA512_Final

508
__weak_reference(_libmd_SHA512_Final, SHA512_Final);

509


510
#undef SHA512_224_Init

511
__weak_reference(_libmd_SHA512_224_Init, SHA512_224_Init);

512
#undef SHA512_224_Update

513
__weak_reference(_libmd_SHA512_224_Update, SHA512_224_Update);

514
#undef SHA512_224_Final

515
__weak_reference(_libmd_SHA512_224_Final, SHA512_224_Final);

516


517
#undef SHA512_256_Init

518
__weak_reference(_libmd_SHA512_256_Init, SHA512_256_Init);

519
#undef SHA512_256_Update

520
__weak_reference(_libmd_SHA512_256_Update, SHA512_256_Update);

521
#undef SHA512_256_Final

522
__weak_reference(_libmd_SHA512_256_Final, SHA512_256_Final);

523


524
#undef SHA384_Init

525
__weak_reference(_libmd_SHA384_Init, SHA384_Init);

526
#undef SHA384_Update

527
__weak_reference(_libmd_SHA384_Update, SHA384_Update);

528
#undef SHA384_Final

529
__weak_reference(_libmd_SHA384_Final, SHA384_Final);

530
#endif

531


532