1/* 2 * Copyright 2005 Colin Percival 3 * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org> 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28#include <sys/cdefs.h> 29__FBSDID("$FreeBSD$"); 30 31#include <sys/endian.h> 32#include <sys/types.h> 33 34#ifdef _KERNEL 35#include <sys/systm.h> 36#else 37#include <string.h> 38#endif 39 40#include "sha512.h" 41#include "sha512t.h" 42#include "sha384.h" 43 44#if BYTE_ORDER == BIG_ENDIAN 45 46/* Copy a vector of big-endian uint64_t into a vector of bytes */ 47#define be64enc_vect(dst, src, len) \ 48 memcpy((void *)dst, (const void *)src, (size_t)len) 49 50/* Copy a vector of bytes into a vector of big-endian uint64_t */ 51#define be64dec_vect(dst, src, len) \ 52 memcpy((void *)dst, (const void *)src, (size_t)len) 53 54#else /* BYTE_ORDER != BIG_ENDIAN */ 55 56/* 57 * Encode a length len/4 vector of (uint64_t) into a length len vector of 58 * (unsigned char) in big-endian form. Assumes len is a multiple of 8. 59 */ 60static void 61be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len) 62{ 63 size_t i; 64 65 for (i = 0; i < len / 8; i++) 66 be64enc(dst + i * 8, src[i]); 67} 68 69/* 70 * Decode a big-endian length len vector of (unsigned char) into a length 71 * len/4 vector of (uint64_t). Assumes len is a multiple of 8. 72 */ 73static void 74be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len) 75{ 76 size_t i; 77 78 for (i = 0; i < len / 8; i++) 79 dst[i] = be64dec(src + i * 8); 80} 81 82#endif /* BYTE_ORDER != BIG_ENDIAN */ 83 84/* SHA512 round constants. */ 85static const uint64_t K[80] = { 86 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 87 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 88 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 89 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 90 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 91 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 92 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 93 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 94 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 95 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 96 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 97 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 98 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 99 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 100 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 101 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 102 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 103 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 104 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 105 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 106 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 107 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 108 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 109 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 110 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 111 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 112 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 113 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 114 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 115 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 116 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 117 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 118 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 119 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 120 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 121 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 122 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 123 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 124 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 125 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 126}; 127 128/* Elementary functions used by SHA512 */ 129#define Ch(x, y, z) ((x & (y ^ z)) ^ z) 130#define Maj(x, y, z) ((x & (y | z)) | (y & z)) 131#define SHR(x, n) (x >> n) 132#define ROTR(x, n) ((x >> n) | (x << (64 - n))) 133#define S0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39)) 134#define S1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41)) 135#define s0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7)) 136#define s1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6)) 137 138/* SHA512 round function */ 139#define RND(a, b, c, d, e, f, g, h, k) \ 140 h += S1(e) + Ch(e, f, g) + k; \ 141 d += h; \ 142 h += S0(a) + Maj(a, b, c); 143 144/* Adjusted round function for rotating state */ 145#define RNDr(S, W, i, ii) \ 146 RND(S[(80 - i) % 8], S[(81 - i) % 8], \ 147 S[(82 - i) % 8], S[(83 - i) % 8], \ 148 S[(84 - i) % 8], S[(85 - i) % 8], \ 149 S[(86 - i) % 8], S[(87 - i) % 8], \ 150 W[i + ii] + K[i + ii]) 151 152/* Message schedule computation */ 153#define MSCH(W, ii, i) \ 154 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + \ 155 s0(W[i + ii + 1]) + W[i + ii] 156 157/* 158 * SHA512 block compression function. The 512-bit state is transformed via 159 * the 512-bit input block to produce a new state. 160 */ 161static void 162SHA512_Transform(uint64_t *state, 163 const unsigned char block[SHA512_BLOCK_LENGTH]) 164{ 165 uint64_t W[80]; 166 uint64_t S[8]; 167 int i; 168 169 /* 1. Prepare the first part of the message schedule W. */ 170 be64dec_vect(W, block, SHA512_BLOCK_LENGTH); 171 172 /* 2. Initialize working variables. */ 173 memcpy(S, state, SHA512_DIGEST_LENGTH); 174 175 /* 3. Mix. */ 176 for (i = 0; i < 80; i += 16) { 177 RNDr(S, W, 0, i); 178 RNDr(S, W, 1, i); 179 RNDr(S, W, 2, i); 180 RNDr(S, W, 3, i); 181 RNDr(S, W, 4, i); 182 RNDr(S, W, 5, i); 183 RNDr(S, W, 6, i); 184 RNDr(S, W, 7, i); 185 RNDr(S, W, 8, i); 186 RNDr(S, W, 9, i); 187 RNDr(S, W, 10, i); 188 RNDr(S, W, 11, i); 189 RNDr(S, W, 12, i); 190 RNDr(S, W, 13, i); 191 RNDr(S, W, 14, i); 192 RNDr(S, W, 15, i); 193 194 if (i == 64) 195 break; 196 MSCH(W, 0, i); 197 MSCH(W, 1, i); 198 MSCH(W, 2, i); 199 MSCH(W, 3, i); 200 MSCH(W, 4, i); 201 MSCH(W, 5, i); 202 MSCH(W, 6, i); 203 MSCH(W, 7, i); 204 MSCH(W, 8, i); 205 MSCH(W, 9, i); 206 MSCH(W, 10, i); 207 MSCH(W, 11, i); 208 MSCH(W, 12, i); 209 MSCH(W, 13, i); 210 MSCH(W, 14, i); 211 MSCH(W, 15, i); 212 } 213 214 /* 4. Mix local working variables into global state */ 215 for (i = 0; i < 8; i++) 216 state[i] += S[i]; 217} 218 219static unsigned char PAD[SHA512_BLOCK_LENGTH] = { 220 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 221 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 222 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 223 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 224 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 225 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 226 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 227 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 228}; 229 230/* Add padding and terminating bit-count. */ 231static void 232SHA512_Pad(SHA512_CTX * ctx) 233{ 234 size_t r; 235 236 /* Figure out how many bytes we have buffered. */ 237 r = (ctx->count[1] >> 3) & 0x7f; 238 239 /* Pad to 112 mod 128, transforming if we finish a block en route. */ 240 if (r < 112) { 241 /* Pad to 112 mod 128. */ 242 memcpy(&ctx->buf[r], PAD, 112 - r); 243 } else { 244 /* Finish the current block and mix. */ 245 memcpy(&ctx->buf[r], PAD, 128 - r); 246 SHA512_Transform(ctx->state, ctx->buf); 247 248 /* The start of the final block is all zeroes. */ 249 memset(&ctx->buf[0], 0, 112); 250 } 251 252 /* Add the terminating bit-count. */ 253 be64enc_vect(&ctx->buf[112], ctx->count, 16); 254 255 /* Mix in the final block. */ 256 SHA512_Transform(ctx->state, ctx->buf); 257} 258 259/* SHA-512 initialization. Begins a SHA-512 operation. */ 260void 261SHA512_Init(SHA512_CTX * ctx) 262{ 263 264 /* Zero bits processed so far */ 265 ctx->count[0] = ctx->count[1] = 0; 266 267 /* Magic initialization constants */ 268 ctx->state[0] = 0x6a09e667f3bcc908ULL; 269 ctx->state[1] = 0xbb67ae8584caa73bULL; 270 ctx->state[2] = 0x3c6ef372fe94f82bULL; 271 ctx->state[3] = 0xa54ff53a5f1d36f1ULL; 272 ctx->state[4] = 0x510e527fade682d1ULL; 273 ctx->state[5] = 0x9b05688c2b3e6c1fULL; 274 ctx->state[6] = 0x1f83d9abfb41bd6bULL; 275 ctx->state[7] = 0x5be0cd19137e2179ULL; 276} 277 278/* Add bytes into the hash */ 279void 280SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len) 281{ 282 uint64_t bitlen[2]; 283 uint64_t r; 284 const unsigned char *src = in; 285 286 /* Number of bytes left in the buffer from previous updates */ 287 r = (ctx->count[1] >> 3) & 0x7f; 288 289 /* Convert the length into a number of bits */ 290 bitlen[1] = ((uint64_t)len) << 3; 291 bitlen[0] = ((uint64_t)len) >> 61; 292 293 /* Update number of bits */ 294 if ((ctx->count[1] += bitlen[1]) < bitlen[1]) 295 ctx->count[0]++; 296 ctx->count[0] += bitlen[0]; 297 298 /* Handle the case where we don't need to perform any transforms */ 299 if (len < SHA512_BLOCK_LENGTH - r) { 300 memcpy(&ctx->buf[r], src, len); 301 return; 302 } 303 304 /* Finish the current block */ 305 memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r); 306 SHA512_Transform(ctx->state, ctx->buf); 307 src += SHA512_BLOCK_LENGTH - r; 308 len -= SHA512_BLOCK_LENGTH - r; 309 310 /* Perform complete blocks */ 311 while (len >= SHA512_BLOCK_LENGTH) { 312 SHA512_Transform(ctx->state, src); 313 src += SHA512_BLOCK_LENGTH; 314 len -= SHA512_BLOCK_LENGTH; 315 } 316 317 /* Copy left over data into buffer */ 318 memcpy(ctx->buf, src, len); 319} 320 321/* 322 * SHA-512 finalization. Pads the input data, exports the hash value, 323 * and clears the context state. 324 */ 325void 326SHA512_Final(unsigned char digest[static SHA512_DIGEST_LENGTH], SHA512_CTX *ctx) 327{ 328 329 /* Add padding */ 330 SHA512_Pad(ctx); 331 332 /* Write the hash */ 333 be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH); 334 335 /* Clear the context state */ 336 explicit_bzero(ctx, sizeof (*ctx)); 337} 338 339/* SHA-512t: ******************************************************** */ 340/* 341 * the SHA512t transforms are identical to SHA512 so reuse the existing function 342 */ 343void 344SHA512_224_Init(SHA512_CTX * ctx) 345{ 346 347 /* Zero bits processed so far */ 348 ctx->count[0] = ctx->count[1] = 0; 349 350 /* Magic initialization constants */ 351 ctx->state[0] = 0x8c3d37c819544da2ULL; 352 ctx->state[1] = 0x73e1996689dcd4d6ULL; 353 ctx->state[2] = 0x1dfab7ae32ff9c82ULL; 354 ctx->state[3] = 0x679dd514582f9fcfULL; 355 ctx->state[4] = 0x0f6d2b697bd44da8ULL; 356 ctx->state[5] = 0x77e36f7304c48942ULL; 357 ctx->state[6] = 0x3f9d85a86a1d36c8ULL; 358 ctx->state[7] = 0x1112e6ad91d692a1ULL; 359} 360 361void 362SHA512_224_Update(SHA512_CTX * ctx, const void *in, size_t len) 363{ 364 365 SHA512_Update(ctx, in, len); 366} 367 368void 369SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], 370 SHA512_CTX *ctx) 371{ 372 373 /* Add padding */ 374 SHA512_Pad(ctx); 375 376 /* Write the hash */ 377 be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH); 378 379 /* Clear the context state */ 380 explicit_bzero(ctx, sizeof (*ctx)); 381} 382 383void 384SHA512_256_Init(SHA512_CTX * ctx) 385{ 386 387 /* Zero bits processed so far */ 388 ctx->count[0] = ctx->count[1] = 0; 389 390 /* Magic initialization constants */ 391 ctx->state[0] = 0x22312194fc2bf72cULL; 392 ctx->state[1] = 0x9f555fa3c84c64c2ULL; 393 ctx->state[2] = 0x2393b86b6f53b151ULL; 394 ctx->state[3] = 0x963877195940eabdULL; 395 ctx->state[4] = 0x96283ee2a88effe3ULL; 396 ctx->state[5] = 0xbe5e1e2553863992ULL; 397 ctx->state[6] = 0x2b0199fc2c85b8aaULL; 398 ctx->state[7] = 0x0eb72ddc81c52ca2ULL; 399} 400 401void 402SHA512_256_Update(SHA512_CTX * ctx, const void *in, size_t len) 403{ 404 405 SHA512_Update(ctx, in, len); 406} 407 408void 409SHA512_256_Final(unsigned char digest[static SHA512_256_DIGEST_LENGTH], 410 SHA512_CTX * ctx) 411{ 412 413 /* Add padding */ 414 SHA512_Pad(ctx); 415 416 /* Write the hash */ 417 be64enc_vect(digest, ctx->state, SHA512_256_DIGEST_LENGTH); 418 419 /* Clear the context state */ 420 explicit_bzero(ctx, sizeof (*ctx)); 421} 422 423/* ** SHA-384: ******************************************************** */ 424/* 425 * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped 426 */ 427 428/* SHA-384 initialization. Begins a SHA-384 operation. */ 429void 430SHA384_Init(SHA384_CTX * ctx) 431{ 432 433 /* Zero bits processed so far */ 434 ctx->count[0] = ctx->count[1] = 0; 435 436 /* Magic initialization constants */ 437 ctx->state[0] = 0xcbbb9d5dc1059ed8ULL; 438 ctx->state[1] = 0x629a292a367cd507ULL; 439 ctx->state[2] = 0x9159015a3070dd17ULL; 440 ctx->state[3] = 0x152fecd8f70e5939ULL; 441 ctx->state[4] = 0x67332667ffc00b31ULL; 442 ctx->state[5] = 0x8eb44a8768581511ULL; 443 ctx->state[6] = 0xdb0c2e0d64f98fa7ULL; 444 ctx->state[7] = 0x47b5481dbefa4fa4ULL; 445} 446 447/* Add bytes into the SHA-384 hash */ 448void 449SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len) 450{ 451 452 SHA512_Update((SHA512_CTX *)ctx, in, len); 453} 454 455/* 456 * SHA-384 finalization. Pads the input data, exports the hash value, 457 * and clears the context state. 458 */ 459void 460SHA384_Final(unsigned char digest[static SHA384_DIGEST_LENGTH], SHA384_CTX *ctx) 461{ 462 463 /* Add padding */ 464 SHA512_Pad((SHA512_CTX *)ctx); 465 466 /* Write the hash */ 467 be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH); 468 469 /* Clear the context state */ 470 explicit_bzero(ctx, sizeof (*ctx)); 471} 472 473#if 0 474/* 475 * When building libmd, provide weak references. Note: this is not 476 * activated in the context of compiling these sources for internal 477 * use in libcrypt. 478 */ 479#undef SHA512_Init 480__weak_reference(_libmd_SHA512_Init, SHA512_Init); 481#undef SHA512_Update 482__weak_reference(_libmd_SHA512_Update, SHA512_Update); 483#undef SHA512_Final 484__weak_reference(_libmd_SHA512_Final, SHA512_Final); 485#undef SHA512_Transform 486__weak_reference(_libmd_SHA512_Transform, SHA512_Transform); 487 488#undef SHA512_224_Init 489__weak_reference(_libmd_SHA512_224_Init, SHA512_224_Init); 490#undef SHA512_224_Update 491__weak_reference(_libmd_SHA512_224_Update, SHA512_224_Update); 492#undef SHA512_224_Final 493__weak_reference(_libmd_SHA512_224_Final, SHA512_224_Final); 494 495#undef SHA512_256_Init 496__weak_reference(_libmd_SHA512_256_Init, SHA512_256_Init); 497#undef SHA512_256_Update 498__weak_reference(_libmd_SHA512_256_Update, SHA512_256_Update); 499#undef SHA512_256_Final 500__weak_reference(_libmd_SHA512_256_Final, SHA512_256_Final); 501 502#undef SHA384_Init 503__weak_reference(_libmd_SHA384_Init, SHA384_Init); 504#undef SHA384_Update 505__weak_reference(_libmd_SHA384_Update, SHA384_Update); 506#undef SHA384_Final 507__weak_reference(_libmd_SHA384_Final, SHA384_Final); 508#endif 509