sha512c.c revision 314327 
1/*-
2 * Copyright 2005 Colin Percival
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
28__FBSDID("$FreeBSD: stable/10/sys/crypto/sha2/sha512c.c 314327 2017-02-27 08:27:38Z avg $");
29
30#include <sys/endian.h>
31#include <sys/types.h>
32
33#ifdef _KERNEL
34#include <sys/systm.h>
35#else
36#include <string.h>
37#endif
38
39#include "sha512.h"
40#include "sha384.h"
41
42#if BYTE_ORDER == BIG_ENDIAN
43
44/* Copy a vector of big-endian uint64_t into a vector of bytes */
45#define be64enc_vect(dst, src, len)	\
46	memcpy((void *)dst, (const void *)src, (size_t)len)
47
48/* Copy a vector of bytes into a vector of big-endian uint64_t */
49#define be64dec_vect(dst, src, len)	\
50	memcpy((void *)dst, (const void *)src, (size_t)len)
51
52#else /* BYTE_ORDER != BIG_ENDIAN */
53
54/*
55 * Encode a length len/4 vector of (uint64_t) into a length len vector of
56 * (unsigned char) in big-endian form.  Assumes len is a multiple of 8.
57 */
58static void
59be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len)
60{
61	size_t i;
62
63	for (i = 0; i < len / 8; i++)
64		be64enc(dst + i * 8, src[i]);
65}
66
67/*
68 * Decode a big-endian length len vector of (unsigned char) into a length
69 * len/4 vector of (uint64_t).  Assumes len is a multiple of 8.
70 */
71static void
72be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len)
73{
74	size_t i;
75
76	for (i = 0; i < len / 8; i++)
77		dst[i] = be64dec(src + i * 8);
78}
79
80#endif /* BYTE_ORDER != BIG_ENDIAN */
81
82/* Elementary functions used by SHA512 */
83#define Ch(x, y, z)	((x & (y ^ z)) ^ z)
84#define Maj(x, y, z)	((x & (y | z)) | (y & z))
85#define SHR(x, n)	(x >> n)
86#define ROTR(x, n)	((x >> n) | (x << (64 - n)))
87#define S0(x)		(ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
88#define S1(x)		(ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
89#define s0(x)		(ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
90#define s1(x)		(ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
91
92/* SHA512 round function */
93#define RND(a, b, c, d, e, f, g, h, k)			\
94	t0 = h + S1(e) + Ch(e, f, g) + k;		\
95	t1 = S0(a) + Maj(a, b, c);			\
96	d += t0;					\
97	h  = t0 + t1;
98
99/* Adjusted round function for rotating state */
100#define RNDr(S, W, i, k)			\
101	RND(S[(80 - i) % 8], S[(81 - i) % 8],	\
102	    S[(82 - i) % 8], S[(83 - i) % 8],	\
103	    S[(84 - i) % 8], S[(85 - i) % 8],	\
104	    S[(86 - i) % 8], S[(87 - i) % 8],	\
105	    W[i] + k)
106
107/*
108 * SHA512 block compression function.  The 512-bit state is transformed via
109 * the 512-bit input block to produce a new state.
110 */
111static void
112SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH])
113{
114	uint64_t W[80];
115	uint64_t S[8];
116	uint64_t t0, t1;
117	int i;
118
119	/* 1. Prepare message schedule W. */
120	be64dec_vect(W, block, SHA512_BLOCK_LENGTH);
121	for (i = 16; i < 80; i++)
122		W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16];
123
124	/* 2. Initialize working variables. */
125	memcpy(S, state, SHA512_DIGEST_LENGTH);
126
127	/* 3. Mix. */
128	RNDr(S, W, 0, 0x428a2f98d728ae22ULL);
129	RNDr(S, W, 1, 0x7137449123ef65cdULL);
130	RNDr(S, W, 2, 0xb5c0fbcfec4d3b2fULL);
131	RNDr(S, W, 3, 0xe9b5dba58189dbbcULL);
132	RNDr(S, W, 4, 0x3956c25bf348b538ULL);
133	RNDr(S, W, 5, 0x59f111f1b605d019ULL);
134	RNDr(S, W, 6, 0x923f82a4af194f9bULL);
135	RNDr(S, W, 7, 0xab1c5ed5da6d8118ULL);
136	RNDr(S, W, 8, 0xd807aa98a3030242ULL);
137	RNDr(S, W, 9, 0x12835b0145706fbeULL);
138	RNDr(S, W, 10, 0x243185be4ee4b28cULL);
139	RNDr(S, W, 11, 0x550c7dc3d5ffb4e2ULL);
140	RNDr(S, W, 12, 0x72be5d74f27b896fULL);
141	RNDr(S, W, 13, 0x80deb1fe3b1696b1ULL);
142	RNDr(S, W, 14, 0x9bdc06a725c71235ULL);
143	RNDr(S, W, 15, 0xc19bf174cf692694ULL);
144	RNDr(S, W, 16, 0xe49b69c19ef14ad2ULL);
145	RNDr(S, W, 17, 0xefbe4786384f25e3ULL);
146	RNDr(S, W, 18, 0x0fc19dc68b8cd5b5ULL);
147	RNDr(S, W, 19, 0x240ca1cc77ac9c65ULL);
148	RNDr(S, W, 20, 0x2de92c6f592b0275ULL);
149	RNDr(S, W, 21, 0x4a7484aa6ea6e483ULL);
150	RNDr(S, W, 22, 0x5cb0a9dcbd41fbd4ULL);
151	RNDr(S, W, 23, 0x76f988da831153b5ULL);
152	RNDr(S, W, 24, 0x983e5152ee66dfabULL);
153	RNDr(S, W, 25, 0xa831c66d2db43210ULL);
154	RNDr(S, W, 26, 0xb00327c898fb213fULL);
155	RNDr(S, W, 27, 0xbf597fc7beef0ee4ULL);
156	RNDr(S, W, 28, 0xc6e00bf33da88fc2ULL);
157	RNDr(S, W, 29, 0xd5a79147930aa725ULL);
158	RNDr(S, W, 30, 0x06ca6351e003826fULL);
159	RNDr(S, W, 31, 0x142929670a0e6e70ULL);
160	RNDr(S, W, 32, 0x27b70a8546d22ffcULL);
161	RNDr(S, W, 33, 0x2e1b21385c26c926ULL);
162	RNDr(S, W, 34, 0x4d2c6dfc5ac42aedULL);
163	RNDr(S, W, 35, 0x53380d139d95b3dfULL);
164	RNDr(S, W, 36, 0x650a73548baf63deULL);
165	RNDr(S, W, 37, 0x766a0abb3c77b2a8ULL);
166	RNDr(S, W, 38, 0x81c2c92e47edaee6ULL);
167	RNDr(S, W, 39, 0x92722c851482353bULL);
168	RNDr(S, W, 40, 0xa2bfe8a14cf10364ULL);
169	RNDr(S, W, 41, 0xa81a664bbc423001ULL);
170	RNDr(S, W, 42, 0xc24b8b70d0f89791ULL);
171	RNDr(S, W, 43, 0xc76c51a30654be30ULL);
172	RNDr(S, W, 44, 0xd192e819d6ef5218ULL);
173	RNDr(S, W, 45, 0xd69906245565a910ULL);
174	RNDr(S, W, 46, 0xf40e35855771202aULL);
175	RNDr(S, W, 47, 0x106aa07032bbd1b8ULL);
176	RNDr(S, W, 48, 0x19a4c116b8d2d0c8ULL);
177	RNDr(S, W, 49, 0x1e376c085141ab53ULL);
178	RNDr(S, W, 50, 0x2748774cdf8eeb99ULL);
179	RNDr(S, W, 51, 0x34b0bcb5e19b48a8ULL);
180	RNDr(S, W, 52, 0x391c0cb3c5c95a63ULL);
181	RNDr(S, W, 53, 0x4ed8aa4ae3418acbULL);
182	RNDr(S, W, 54, 0x5b9cca4f7763e373ULL);
183	RNDr(S, W, 55, 0x682e6ff3d6b2b8a3ULL);
184	RNDr(S, W, 56, 0x748f82ee5defb2fcULL);
185	RNDr(S, W, 57, 0x78a5636f43172f60ULL);
186	RNDr(S, W, 58, 0x84c87814a1f0ab72ULL);
187	RNDr(S, W, 59, 0x8cc702081a6439ecULL);
188	RNDr(S, W, 60, 0x90befffa23631e28ULL);
189	RNDr(S, W, 61, 0xa4506cebde82bde9ULL);
190	RNDr(S, W, 62, 0xbef9a3f7b2c67915ULL);
191	RNDr(S, W, 63, 0xc67178f2e372532bULL);
192	RNDr(S, W, 64, 0xca273eceea26619cULL);
193	RNDr(S, W, 65, 0xd186b8c721c0c207ULL);
194	RNDr(S, W, 66, 0xeada7dd6cde0eb1eULL);
195	RNDr(S, W, 67, 0xf57d4f7fee6ed178ULL);
196	RNDr(S, W, 68, 0x06f067aa72176fbaULL);
197	RNDr(S, W, 69, 0x0a637dc5a2c898a6ULL);
198	RNDr(S, W, 70, 0x113f9804bef90daeULL);
199	RNDr(S, W, 71, 0x1b710b35131c471bULL);
200	RNDr(S, W, 72, 0x28db77f523047d84ULL);
201	RNDr(S, W, 73, 0x32caab7b40c72493ULL);
202	RNDr(S, W, 74, 0x3c9ebe0a15c9bebcULL);
203	RNDr(S, W, 75, 0x431d67c49c100d4cULL);
204	RNDr(S, W, 76, 0x4cc5d4becb3e42b6ULL);
205	RNDr(S, W, 77, 0x597f299cfc657e2aULL);
206	RNDr(S, W, 78, 0x5fcb6fab3ad6faecULL);
207	RNDr(S, W, 79, 0x6c44198c4a475817ULL);
208
209	/* 4. Mix local working variables into global state */
210	for (i = 0; i < 8; i++)
211		state[i] += S[i];
212}
213
214static unsigned char PAD[SHA512_BLOCK_LENGTH] = {
215	0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
216	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
217	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
218	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
219	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
220	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
221	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
222	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
223};
224
225/* Add padding and terminating bit-count. */
226static void
227SHA512_Pad(SHA512_CTX * ctx)
228{
229	unsigned char len[16];
230	uint64_t r, plen;
231
232	/*
233	 * Convert length to a vector of bytes -- we do this now rather
234	 * than later because the length will change after we pad.
235	 */
236	be64enc_vect(len, ctx->count, 16);
237
238	/* Add 1--128 bytes so that the resulting length is 112 mod 128 */
239	r = (ctx->count[1] >> 3) & 0x7f;
240	plen = (r < 112) ? (112 - r) : (240 - r);
241	SHA512_Update(ctx, PAD, (size_t)plen);
242
243	/* Add the terminating bit-count */
244	SHA512_Update(ctx, len, 16);
245}
246
247/* SHA-512 initialization.  Begins a SHA-512 operation. */
248void
249SHA512_Init(SHA512_CTX * ctx)
250{
251
252	/* Zero bits processed so far */
253	ctx->count[0] = ctx->count[1] = 0;
254
255	/* Magic initialization constants */
256	ctx->state[0] = 0x6a09e667f3bcc908ULL;
257	ctx->state[1] = 0xbb67ae8584caa73bULL;
258	ctx->state[2] = 0x3c6ef372fe94f82bULL;
259	ctx->state[3] = 0xa54ff53a5f1d36f1ULL;
260	ctx->state[4] = 0x510e527fade682d1ULL;
261	ctx->state[5] = 0x9b05688c2b3e6c1fULL;
262	ctx->state[6] = 0x1f83d9abfb41bd6bULL;
263	ctx->state[7] = 0x5be0cd19137e2179ULL;
264}
265
266/* Add bytes into the hash */
267void
268SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len)
269{
270	uint64_t bitlen[2];
271	uint64_t r;
272	const unsigned char *src = in;
273
274	/* Number of bytes left in the buffer from previous updates */
275	r = (ctx->count[1] >> 3) & 0x7f;
276
277	/* Convert the length into a number of bits */
278	bitlen[1] = ((uint64_t)len) << 3;
279	bitlen[0] = ((uint64_t)len) >> 61;
280
281	/* Update number of bits */
282	if ((ctx->count[1] += bitlen[1]) < bitlen[1])
283		ctx->count[0]++;
284	ctx->count[0] += bitlen[0];
285
286	/* Handle the case where we don't need to perform any transforms */
287	if (len < SHA512_BLOCK_LENGTH - r) {
288		memcpy(&ctx->buf[r], src, len);
289		return;
290	}
291
292	/* Finish the current block */
293	memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r);
294	SHA512_Transform(ctx->state, ctx->buf);
295	src += SHA512_BLOCK_LENGTH - r;
296	len -= SHA512_BLOCK_LENGTH - r;
297
298	/* Perform complete blocks */
299	while (len >= SHA512_BLOCK_LENGTH) {
300		SHA512_Transform(ctx->state, src);
301		src += SHA512_BLOCK_LENGTH;
302		len -= SHA512_BLOCK_LENGTH;
303	}
304
305	/* Copy left over data into buffer */
306	memcpy(ctx->buf, src, len);
307}
308
309/*
310 * SHA-512 finalization.  Pads the input data, exports the hash value,
311 * and clears the context state.
312 */
313void
314SHA512_Final(unsigned char digest[SHA512_DIGEST_LENGTH], SHA512_CTX * ctx)
315{
316
317	/* Add padding */
318	SHA512_Pad(ctx);
319
320	/* Write the hash */
321	be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH);
322
323	/* Clear the context state */
324	memset((void *)ctx, 0, sizeof(*ctx));
325}
326
327/*** SHA-384: *********************************************************/
328/*
329 * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped
330 */
331
332/* SHA-384 initialization.  Begins a SHA-384 operation. */
333void
334SHA384_Init(SHA384_CTX * ctx)
335{
336
337	/* Zero bits processed so far */
338	ctx->count[0] = ctx->count[1] = 0;
339
340	/* Magic initialization constants */
341	ctx->state[0] = 0xcbbb9d5dc1059ed8ULL;
342	ctx->state[1] = 0x629a292a367cd507ULL;
343	ctx->state[2] = 0x9159015a3070dd17ULL;
344	ctx->state[3] = 0x152fecd8f70e5939ULL;
345	ctx->state[4] = 0x67332667ffc00b31ULL;
346	ctx->state[5] = 0x8eb44a8768581511ULL;
347	ctx->state[6] = 0xdb0c2e0d64f98fa7ULL;
348	ctx->state[7] = 0x47b5481dbefa4fa4ULL;
349}
350
351/* Add bytes into the SHA-384 hash */
352void
353SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len)
354{
355
356	SHA512_Update((SHA512_CTX *)ctx, in, len);
357}
358
359/*
360 * SHA-384 finalization.  Pads the input data, exports the hash value,
361 * and clears the context state.
362 */
363void
364SHA384_Final(unsigned char digest[SHA384_DIGEST_LENGTH], SHA384_CTX * ctx)
365{
366
367	/* Add padding */
368	SHA512_Pad((SHA512_CTX *)ctx);
369
370	/* Write the hash */
371	be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH);
372
373	/* Clear the context state */
374	memset((void *)ctx, 0, sizeof(*ctx));
375}
376
377#ifdef WEAK_REFS
378/* When building libmd, provide weak references. Note: this is not
379   activated in the context of compiling these sources for internal
380   use in libcrypt.
381 */
382#undef SHA512_Init
383__weak_reference(_libmd_SHA512_Init, SHA512_Init);
384#undef SHA512_Update
385__weak_reference(_libmd_SHA512_Update, SHA512_Update);
386#undef SHA512_Final
387__weak_reference(_libmd_SHA512_Final, SHA512_Final);
388#undef SHA512_Transform
389__weak_reference(_libmd_SHA512_Transform, SHA512_Transform);
390
391#undef SHA384_Init
392__weak_reference(_libmd_SHA384_Init, SHA384_Init);
393#undef SHA384_Update
394__weak_reference(_libmd_SHA384_Update, SHA384_Update);
395#undef SHA384_Final
396__weak_reference(_libmd_SHA384_Final, SHA384_Final);
397#endif
398