1/*- 2 * Copyright 2005 Colin Percival 3 * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28#include <sys/cdefs.h> 29__FBSDID("$FreeBSD$"); 30 31#include <sys/endian.h> 32#include <sys/types.h> 33 34#ifdef _KERNEL 35#include <sys/systm.h> 36#else 37#include <string.h> 38#endif 39 40#include "sha512.h" 41#include "sha512t.h" 42#include "sha384.h" 43 44#if BYTE_ORDER == BIG_ENDIAN 45 46/* Copy a vector of big-endian uint64_t into a vector of bytes */ 47#define be64enc_vect(dst, src, len) \ 48 memcpy((void *)dst, (const void *)src, (size_t)len) 49 50/* Copy a vector of bytes into a vector of big-endian uint64_t */ 51#define be64dec_vect(dst, src, len) \ 52 memcpy((void *)dst, (const void *)src, (size_t)len) 53 54#else /* BYTE_ORDER != BIG_ENDIAN */ 55 56/* 57 * Encode a length len/4 vector of (uint64_t) into a length len vector of 58 * (unsigned char) in big-endian form. Assumes len is a multiple of 8. 59 */ 60static void 61be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len) 62{ 63 size_t i; 64 65 for (i = 0; i < len / 8; i++) 66 be64enc(dst + i * 8, src[i]); 67} 68 69/* 70 * Decode a big-endian length len vector of (unsigned char) into a length 71 * len/4 vector of (uint64_t). Assumes len is a multiple of 8. 72 */ 73static void 74be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len) 75{ 76 size_t i; 77 78 for (i = 0; i < len / 8; i++) 79 dst[i] = be64dec(src + i * 8); 80} 81 82#endif /* BYTE_ORDER != BIG_ENDIAN */ 83 84/* SHA512 round constants. */ 85static const uint64_t K[80] = { 86 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 87 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 88 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 89 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 90 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 91 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 92 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 93 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 94 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 95 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 96 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 97 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 98 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 99 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 100 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 101 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 102 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 103 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 104 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 105 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 106 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 107 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 108 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 109 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 110 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 111 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 112 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 113 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 114 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 115 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 116 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 117 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 118 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 119 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 120 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 121 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 122 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 123 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 124 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 125 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 126}; 127 128/* Elementary functions used by SHA512 */ 129#define Ch(x, y, z) ((x & (y ^ z)) ^ z) 130#define Maj(x, y, z) ((x & (y | z)) | (y & z)) 131#define SHR(x, n) (x >> n) 132#define ROTR(x, n) ((x >> n) | (x << (64 - n))) 133#define S0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39)) 134#define S1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41)) 135#define s0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7)) 136#define s1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6)) 137 138/* SHA512 round function */ 139#define RND(a, b, c, d, e, f, g, h, k) \ 140 h += S1(e) + Ch(e, f, g) + k; \ 141 d += h; \ 142 h += S0(a) + Maj(a, b, c); 143 144/* Adjusted round function for rotating state */ 145#define RNDr(S, W, i, ii) \ 146 RND(S[(80 - i) % 8], S[(81 - i) % 8], \ 147 S[(82 - i) % 8], S[(83 - i) % 8], \ 148 S[(84 - i) % 8], S[(85 - i) % 8], \ 149 S[(86 - i) % 8], S[(87 - i) % 8], \ 150 W[i + ii] + K[i + ii]) 151 152/* Message schedule computation */ 153#define MSCH(W, ii, i) \ 154 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii] 155 156/* 157 * SHA512 block compression function. The 512-bit state is transformed via 158 * the 512-bit input block to produce a new state. 159 */ 160static void 161SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH]) 162{ 163 uint64_t W[80]; 164 uint64_t S[8]; 165 int i; 166 167 /* 1. Prepare the first part of the message schedule W. */ 168 be64dec_vect(W, block, SHA512_BLOCK_LENGTH); 169 170 /* 2. Initialize working variables. */ 171 memcpy(S, state, SHA512_DIGEST_LENGTH); 172 173 /* 3. Mix. */ 174 for (i = 0; i < 80; i += 16) { 175 RNDr(S, W, 0, i); 176 RNDr(S, W, 1, i); 177 RNDr(S, W, 2, i); 178 RNDr(S, W, 3, i); 179 RNDr(S, W, 4, i); 180 RNDr(S, W, 5, i); 181 RNDr(S, W, 6, i); 182 RNDr(S, W, 7, i); 183 RNDr(S, W, 8, i); 184 RNDr(S, W, 9, i); 185 RNDr(S, W, 10, i); 186 RNDr(S, W, 11, i); 187 RNDr(S, W, 12, i); 188 RNDr(S, W, 13, i); 189 RNDr(S, W, 14, i); 190 RNDr(S, W, 15, i); 191 192 if (i == 64) 193 break; 194 MSCH(W, 0, i); 195 MSCH(W, 1, i); 196 MSCH(W, 2, i); 197 MSCH(W, 3, i); 198 MSCH(W, 4, i); 199 MSCH(W, 5, i); 200 MSCH(W, 6, i); 201 MSCH(W, 7, i); 202 MSCH(W, 8, i); 203 MSCH(W, 9, i); 204 MSCH(W, 10, i); 205 MSCH(W, 11, i); 206 MSCH(W, 12, i); 207 MSCH(W, 13, i); 208 MSCH(W, 14, i); 209 MSCH(W, 15, i); 210 } 211 212 /* 4. Mix local working variables into global state */ 213 for (i = 0; i < 8; i++) 214 state[i] += S[i]; 215} 216 217static unsigned char PAD[SHA512_BLOCK_LENGTH] = { 218 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 219 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 220 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 221 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 222 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 223 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 224 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 225 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 226}; 227 228/* Add padding and terminating bit-count. */ 229static void 230SHA512_Pad(SHA512_CTX * ctx) 231{ 232 size_t r; 233 234 /* Figure out how many bytes we have buffered. */ 235 r = (ctx->count[1] >> 3) & 0x7f; 236 237 /* Pad to 112 mod 128, transforming if we finish a block en route. */ 238 if (r < 112) { 239 /* Pad to 112 mod 128. */ 240 memcpy(&ctx->buf[r], PAD, 112 - r); 241 } else { 242 /* Finish the current block and mix. */ 243 memcpy(&ctx->buf[r], PAD, 128 - r); 244 SHA512_Transform(ctx->state, ctx->buf); 245 246 /* The start of the final block is all zeroes. */ 247 memset(&ctx->buf[0], 0, 112); 248 } 249 250 /* Add the terminating bit-count. */ 251 be64enc_vect(&ctx->buf[112], ctx->count, 16); 252 253 /* Mix in the final block. */ 254 SHA512_Transform(ctx->state, ctx->buf); 255} 256 257/* SHA-512 initialization. Begins a SHA-512 operation. */ 258void 259SHA512_Init(SHA512_CTX * ctx) 260{ 261 262 /* Zero bits processed so far */ 263 ctx->count[0] = ctx->count[1] = 0; 264 265 /* Magic initialization constants */ 266 ctx->state[0] = 0x6a09e667f3bcc908ULL; 267 ctx->state[1] = 0xbb67ae8584caa73bULL; 268 ctx->state[2] = 0x3c6ef372fe94f82bULL; 269 ctx->state[3] = 0xa54ff53a5f1d36f1ULL; 270 ctx->state[4] = 0x510e527fade682d1ULL; 271 ctx->state[5] = 0x9b05688c2b3e6c1fULL; 272 ctx->state[6] = 0x1f83d9abfb41bd6bULL; 273 ctx->state[7] = 0x5be0cd19137e2179ULL; 274} 275 276/* Add bytes into the hash */ 277void 278SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len) 279{ 280 uint64_t bitlen[2]; 281 uint64_t r; 282 const unsigned char *src = in; 283 284 /* Number of bytes left in the buffer from previous updates */ 285 r = (ctx->count[1] >> 3) & 0x7f; 286 287 /* Convert the length into a number of bits */ 288 bitlen[1] = ((uint64_t)len) << 3; 289 bitlen[0] = ((uint64_t)len) >> 61; 290 291 /* Update number of bits */ 292 if ((ctx->count[1] += bitlen[1]) < bitlen[1]) 293 ctx->count[0]++; 294 ctx->count[0] += bitlen[0]; 295 296 /* Handle the case where we don't need to perform any transforms */ 297 if (len < SHA512_BLOCK_LENGTH - r) { 298 memcpy(&ctx->buf[r], src, len); 299 return; 300 } 301 302 /* Finish the current block */ 303 memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r); 304 SHA512_Transform(ctx->state, ctx->buf); 305 src += SHA512_BLOCK_LENGTH - r; 306 len -= SHA512_BLOCK_LENGTH - r; 307 308 /* Perform complete blocks */ 309 while (len >= SHA512_BLOCK_LENGTH) { 310 SHA512_Transform(ctx->state, src); 311 src += SHA512_BLOCK_LENGTH; 312 len -= SHA512_BLOCK_LENGTH; 313 } 314 315 /* Copy left over data into buffer */ 316 memcpy(ctx->buf, src, len); 317} 318 319/* 320 * SHA-512 finalization. Pads the input data, exports the hash value, 321 * and clears the context state. 322 */ 323void 324SHA512_Final(unsigned char digest[static SHA512_DIGEST_LENGTH], SHA512_CTX *ctx) 325{ 326 327 /* Add padding */ 328 SHA512_Pad(ctx); 329 330 /* Write the hash */ 331 be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH); 332 333 /* Clear the context state */ 334 memset(ctx, 0, sizeof(*ctx)); 335} 336 337/*** SHA-512t: *********************************************************/ 338/* 339 * the SHA512t transforms are identical to SHA512 so reuse the existing function 340 */ 341void 342SHA512_224_Init(SHA512_CTX * ctx) 343{ 344 345 /* Zero bits processed so far */ 346 ctx->count[0] = ctx->count[1] = 0; 347 348 /* Magic initialization constants */ 349 ctx->state[0] = 0x8c3d37c819544da2ULL; 350 ctx->state[1] = 0x73e1996689dcd4d6ULL; 351 ctx->state[2] = 0x1dfab7ae32ff9c82ULL; 352 ctx->state[3] = 0x679dd514582f9fcfULL; 353 ctx->state[4] = 0x0f6d2b697bd44da8ULL; 354 ctx->state[5] = 0x77e36f7304c48942ULL; 355 ctx->state[6] = 0x3f9d85a86a1d36c8ULL; 356 ctx->state[7] = 0x1112e6ad91d692a1ULL; 357} 358 359void 360SHA512_224_Update(SHA512_CTX * ctx, const void *in, size_t len) 361{ 362 363 SHA512_Update(ctx, in, len); 364} 365 366void 367SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], SHA512_CTX * ctx) 368{ 369 370 /* Add padding */ 371 SHA512_Pad(ctx); 372 373 /* Write the hash */ 374 be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH); 375 376 /* Clear the context state */ 377 memset(ctx, 0, sizeof(*ctx)); 378} 379 380void 381SHA512_256_Init(SHA512_CTX * ctx) 382{ 383 384 /* Zero bits processed so far */ 385 ctx->count[0] = ctx->count[1] = 0; 386 387 /* Magic initialization constants */ 388 ctx->state[0] = 0x22312194fc2bf72cULL; 389 ctx->state[1] = 0x9f555fa3c84c64c2ULL; 390 ctx->state[2] = 0x2393b86b6f53b151ULL; 391 ctx->state[3] = 0x963877195940eabdULL; 392 ctx->state[4] = 0x96283ee2a88effe3ULL; 393 ctx->state[5] = 0xbe5e1e2553863992ULL; 394 ctx->state[6] = 0x2b0199fc2c85b8aaULL; 395 ctx->state[7] = 0x0eb72ddc81c52ca2ULL; 396} 397 398void 399SHA512_256_Update(SHA512_CTX * ctx, const void *in, size_t len) 400{ 401 402 SHA512_Update(ctx, in, len); 403} 404 405void 406SHA512_256_Final(unsigned char digest[static SHA512_256_DIGEST_LENGTH], SHA512_CTX * ctx) 407{ 408 409 /* Add padding */ 410 SHA512_Pad(ctx); 411 412 /* Write the hash */ 413 be64enc_vect(digest, ctx->state, SHA512_256_DIGEST_LENGTH); 414 415 /* Clear the context state */ 416 memset(ctx, 0, sizeof(*ctx)); 417} 418 419/*** SHA-384: *********************************************************/ 420/* 421 * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped 422 */ 423 424/* SHA-384 initialization. Begins a SHA-384 operation. */ 425void 426SHA384_Init(SHA384_CTX * ctx) 427{ 428 429 /* Zero bits processed so far */ 430 ctx->count[0] = ctx->count[1] = 0; 431 432 /* Magic initialization constants */ 433 ctx->state[0] = 0xcbbb9d5dc1059ed8ULL; 434 ctx->state[1] = 0x629a292a367cd507ULL; 435 ctx->state[2] = 0x9159015a3070dd17ULL; 436 ctx->state[3] = 0x152fecd8f70e5939ULL; 437 ctx->state[4] = 0x67332667ffc00b31ULL; 438 ctx->state[5] = 0x8eb44a8768581511ULL; 439 ctx->state[6] = 0xdb0c2e0d64f98fa7ULL; 440 ctx->state[7] = 0x47b5481dbefa4fa4ULL; 441} 442 443/* Add bytes into the SHA-384 hash */ 444void 445SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len) 446{ 447 448 SHA512_Update((SHA512_CTX *)ctx, in, len); 449} 450 451/* 452 * SHA-384 finalization. Pads the input data, exports the hash value, 453 * and clears the context state. 454 */ 455void 456SHA384_Final(unsigned char digest[static SHA384_DIGEST_LENGTH], SHA384_CTX *ctx) 457{ 458 459 /* Add padding */ 460 SHA512_Pad((SHA512_CTX *)ctx); 461 462 /* Write the hash */ 463 be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH); 464 465 /* Clear the context state */ 466 memset(ctx, 0, sizeof(*ctx)); 467} 468 469#ifdef WEAK_REFS 470/* When building libmd, provide weak references. Note: this is not 471 activated in the context of compiling these sources for internal 472 use in libcrypt. 473 */ 474#undef SHA512_Init 475__weak_reference(_libmd_SHA512_Init, SHA512_Init); 476#undef SHA512_Update 477__weak_reference(_libmd_SHA512_Update, SHA512_Update); 478#undef SHA512_Final 479__weak_reference(_libmd_SHA512_Final, SHA512_Final); 480#undef SHA512_Transform 481__weak_reference(_libmd_SHA512_Transform, SHA512_Transform); 482 483#undef SHA512_224_Init 484__weak_reference(_libmd_SHA512_224_Init, SHA512_224_Init); 485#undef SHA512_224_Update 486__weak_reference(_libmd_SHA512_224_Update, SHA512_224_Update); 487#undef SHA512_224_Final 488__weak_reference(_libmd_SHA512_224_Final, SHA512_224_Final); 489 490#undef SHA512_256_Init 491__weak_reference(_libmd_SHA512_256_Init, SHA512_256_Init); 492#undef SHA512_256_Update 493__weak_reference(_libmd_SHA512_256_Update, SHA512_256_Update); 494#undef SHA512_256_Final 495__weak_reference(_libmd_SHA512_256_Final, SHA512_256_Final); 496 497#undef SHA384_Init 498__weak_reference(_libmd_SHA384_Init, SHA384_Init); 499#undef SHA384_Update 500__weak_reference(_libmd_SHA384_Update, SHA384_Update); 501#undef SHA384_Final 502__weak_reference(_libmd_SHA384_Final, SHA384_Final); 503#endif 504