cpukit/libmd/sha512c.c

0001 /*-
0002  * Copyright 2005 Colin Percival
0003  * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org>
0004  * All rights reserved.
0005  *
0006  * Redistribution and use in source and binary forms, with or without
0007  * modification, are permitted provided that the following conditions
0008  * are met:
0009  * 1. Redistributions of source code must retain the above copyright
0010  *    notice, this list of conditions and the following disclaimer.
0011  * 2. Redistributions in binary form must reproduce the above copyright
0012  *    notice, this list of conditions and the following disclaimer in the
0013  *    documentation and/or other materials provided with the distribution.
0014  *
0015  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
0016  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
0017  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
0018  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
0019  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
0020  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
0021  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
0022  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
0023  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
0024  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
0025  * SUCH DAMAGE.
0026  */
0027
0028 #include <sys/cdefs.h>
0029 __FBSDID("$FreeBSD$");
0030
0031 #include <sys/endian.h>
0032 #include <sys/types.h>
0033
0034 #include <string.h>
0035
0036 #include "sha512.h"
0037 #include "sha512t.h"
0038 #include "sha384.h"
0039
0040 #if BYTE_ORDER == BIG_ENDIAN
0041
0042 /* Copy a vector of big-endian uint64_t into a vector of bytes */
0043 #define be64enc_vect(dst, src, len) \
0044     memcpy((void *)dst, (const void *)src, (size_t)len)
0045
0046 /* Copy a vector of bytes into a vector of big-endian uint64_t */
0047 #define be64dec_vect(dst, src, len) \
0048     memcpy((void *)dst, (const void *)src, (size_t)len)
0049
0050 #else /* BYTE_ORDER != BIG_ENDIAN */
0051
0052 /*
0053  * Encode a length (len + 7) / 8 vector of (uint64_t) into a length len
0054  * vector of (unsigned char) in big-endian form.  Assumes len is a
0055  * multiple of 4.
0056  */
0057 static inline void
0058 be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len)
0059 {
0060     size_t i;
0061
0062     for (i = 0; i < len / 8; i++)
0063         be64enc(dst + i * 8, src[i]);
0064     if (len % 8 == 4)
0065         be32enc(dst + i * 8, src[i] >> 32);
0066 }
0067
0068 /*
0069  * Decode a big-endian length len vector of (unsigned char) into a length
0070  * len/8 vector of (uint64_t).  Assumes len is a multiple of 8.
0071  */
0072 static inline void
0073 be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len)
0074 {
0075     size_t i;
0076
0077     for (i = 0; i < len / 8; i++)
0078         dst[i] = be64dec(src + i * 8);
0079 }
0080
0081 #endif /* BYTE_ORDER != BIG_ENDIAN */
0082
0083 /* SHA512 round constants. */
0084 static const uint64_t K[80] = {
0085     0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
0086     0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
0087     0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
0088     0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
0089     0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
0090     0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
0091     0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
0092     0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
0093     0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
0094     0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
0095     0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
0096     0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
0097     0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
0098     0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
0099     0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
0100     0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
0101     0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
0102     0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
0103     0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
0104     0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
0105     0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
0106     0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
0107     0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
0108     0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
0109     0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
0110     0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
0111     0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
0112     0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
0113     0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
0114     0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
0115     0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
0116     0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
0117     0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
0118     0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
0119     0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
0120     0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
0121     0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
0122     0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
0123     0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
0124     0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
0125 };
0126
0127 /* Elementary functions used by SHA512 */
0128 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
0129 #define Maj(x, y, z)    ((x & (y | z)) | (y & z))
0130 #define SHR(x, n)   (x >> n)
0131 #define ROTR(x, n)  ((x >> n) | (x << (64 - n)))
0132 #define S0(x)       (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
0133 #define S1(x)       (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
0134 #define s0(x)       (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
0135 #define s1(x)       (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
0136
0137 /* SHA512 round function */
0138 #define RND(a, b, c, d, e, f, g, h, k)          \
0139     h += S1(e) + Ch(e, f, g) + k;           \
0140     d += h;                     \
0141     h += S0(a) + Maj(a, b, c);
0142
0143 /* Adjusted round function for rotating state */
0144 #define RNDr(S, W, i, ii)           \
0145     RND(S[(80 - i) % 8], S[(81 - i) % 8],   \
0146         S[(82 - i) % 8], S[(83 - i) % 8],   \
0147         S[(84 - i) % 8], S[(85 - i) % 8],   \
0148         S[(86 - i) % 8], S[(87 - i) % 8],   \
0149         W[i + ii] + K[i + ii])
0150
0151 /* Message schedule computation */
0152 #define MSCH(W, ii, i)              \
0153     W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
0154
0155 /*
0156  * SHA512 block compression function.  The 512-bit state is transformed via
0157  * the 512-bit input block to produce a new state.
0158  */
0159 static void
0160 SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH])
0161 {
0162     uint64_t W[80];
0163     uint64_t S[8];
0164     int i;
0165
0166     /* 1. Prepare the first part of the message schedule W. */
0167     be64dec_vect(W, block, SHA512_BLOCK_LENGTH);
0168
0169     /* 2. Initialize working variables. */
0170     memcpy(S, state, SHA512_DIGEST_LENGTH);
0171
0172     /* 3. Mix. */
0173     for (i = 0; i < 80; i += 16) {
0174         RNDr(S, W, 0, i);
0175         RNDr(S, W, 1, i);
0176         RNDr(S, W, 2, i);
0177         RNDr(S, W, 3, i);
0178         RNDr(S, W, 4, i);
0179         RNDr(S, W, 5, i);
0180         RNDr(S, W, 6, i);
0181         RNDr(S, W, 7, i);
0182         RNDr(S, W, 8, i);
0183         RNDr(S, W, 9, i);
0184         RNDr(S, W, 10, i);
0185         RNDr(S, W, 11, i);
0186         RNDr(S, W, 12, i);
0187         RNDr(S, W, 13, i);
0188         RNDr(S, W, 14, i);
0189         RNDr(S, W, 15, i);
0190
0191         if (i == 64)
0192             break;
0193         MSCH(W, 0, i);
0194         MSCH(W, 1, i);
0195         MSCH(W, 2, i);
0196         MSCH(W, 3, i);
0197         MSCH(W, 4, i);
0198         MSCH(W, 5, i);
0199         MSCH(W, 6, i);
0200         MSCH(W, 7, i);
0201         MSCH(W, 8, i);
0202         MSCH(W, 9, i);
0203         MSCH(W, 10, i);
0204         MSCH(W, 11, i);
0205         MSCH(W, 12, i);
0206         MSCH(W, 13, i);
0207         MSCH(W, 14, i);
0208         MSCH(W, 15, i);
0209     }
0210
0211     /* 4. Mix local working variables into global state */
0212     for (i = 0; i < 8; i++)
0213         state[i] += S[i];
0214 }
0215
0216 static const unsigned char PAD[SHA512_BLOCK_LENGTH] = {
0217     0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0218     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0219     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0220     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0221     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0222     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0223     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0224     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
0225 };
0226
0227 /* Add padding and terminating bit-count. */
0228 static void
0229 SHA512_Pad(SHA512_CTX * ctx)
0230 {
0231     size_t r;
0232
0233     /* Figure out how many bytes we have buffered. */
0234     r = (ctx->count[1] >> 3) & 0x7f;
0235
0236     /* Pad to 112 mod 128, transforming if we finish a block en route. */
0237     if (r < 112) {
0238         /* Pad to 112 mod 128. */
0239         memcpy(&ctx->buf[r], PAD, 112 - r);
0240     } else {
0241         /* Finish the current block and mix. */
0242         memcpy(&ctx->buf[r], PAD, 128 - r);
0243         SHA512_Transform(ctx->state, ctx->buf);
0244
0245         /* The start of the final block is all zeroes. */
0246         memset(&ctx->buf[0], 0, 112);
0247     }
0248
0249     /* Add the terminating bit-count. */
0250     be64enc_vect(&ctx->buf[112], ctx->count, 16);
0251
0252     /* Mix in the final block. */
0253     SHA512_Transform(ctx->state, ctx->buf);
0254 }
0255
0256 /* SHA-512 initialization.  Begins a SHA-512 operation. */
0257 void
0258 SHA512_Init(SHA512_CTX * ctx)
0259 {
0260
0261     /* Zero bits processed so far */
0262     ctx->count[0] = ctx->count[1] = 0;
0263
0264     /* Magic initialization constants */
0265     ctx->state[0] = 0x6a09e667f3bcc908ULL;
0266     ctx->state[1] = 0xbb67ae8584caa73bULL;
0267     ctx->state[2] = 0x3c6ef372fe94f82bULL;
0268     ctx->state[3] = 0xa54ff53a5f1d36f1ULL;
0269     ctx->state[4] = 0x510e527fade682d1ULL;
0270     ctx->state[5] = 0x9b05688c2b3e6c1fULL;
0271     ctx->state[6] = 0x1f83d9abfb41bd6bULL;
0272     ctx->state[7] = 0x5be0cd19137e2179ULL;
0273 }
0274
0275 /* Add bytes into the hash */
0276 void
0277 SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len)
0278 {
0279     uint64_t bitlen[2];
0280     uint64_t r;
0281     const unsigned char *src = in;
0282
0283     /* Number of bytes left in the buffer from previous updates */
0284     r = (ctx->count[1] >> 3) & 0x7f;
0285
0286     /* Convert the length into a number of bits */
0287     bitlen[1] = ((uint64_t)len) << 3;
0288     bitlen[0] = ((uint64_t)len) >> 61;
0289
0290     /* Update number of bits */
0291     if ((ctx->count[1] += bitlen[1]) < bitlen[1])
0292         ctx->count[0]++;
0293     ctx->count[0] += bitlen[0];
0294
0295     /* Handle the case where we don't need to perform any transforms */
0296     if (len < SHA512_BLOCK_LENGTH - r) {
0297         memcpy(&ctx->buf[r], src, len);
0298         return;
0299     }
0300
0301     /* Finish the current block */
0302     memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r);
0303     SHA512_Transform(ctx->state, ctx->buf);
0304     src += SHA512_BLOCK_LENGTH - r;
0305     len -= SHA512_BLOCK_LENGTH - r;
0306
0307     /* Perform complete blocks */
0308     while (len >= SHA512_BLOCK_LENGTH) {
0309         SHA512_Transform(ctx->state, src);
0310         src += SHA512_BLOCK_LENGTH;
0311         len -= SHA512_BLOCK_LENGTH;
0312     }
0313
0314     /* Copy left over data into buffer */
0315     memcpy(ctx->buf, src, len);
0316 }
0317
0318 /*
0319  * SHA-512 finalization.  Pads the input data, exports the hash value,
0320  * and clears the context state.
0321  */
0322 void
0323 SHA512_Final(unsigned char digest[static SHA512_DIGEST_LENGTH], SHA512_CTX *ctx)
0324 {
0325
0326     /* Add padding */
0327     SHA512_Pad(ctx);
0328
0329     /* Write the hash */
0330     be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH);
0331
0332     /* Clear the context state */
0333     explicit_bzero(ctx, sizeof(*ctx));
0334 }
0335
0336 /*** SHA-512t: *********************************************************/
0337 /*
0338  * the SHA512t transforms are identical to SHA512 so reuse the existing function
0339  */
0340 void
0341 SHA512_224_Init(SHA512_CTX * ctx)
0342 {
0343
0344     /* Zero bits processed so far */
0345     ctx->count[0] = ctx->count[1] = 0;
0346
0347     /* Magic initialization constants */
0348     ctx->state[0] = 0x8c3d37c819544da2ULL;
0349     ctx->state[1] = 0x73e1996689dcd4d6ULL;
0350     ctx->state[2] = 0x1dfab7ae32ff9c82ULL;
0351     ctx->state[3] = 0x679dd514582f9fcfULL;
0352     ctx->state[4] = 0x0f6d2b697bd44da8ULL;
0353     ctx->state[5] = 0x77e36f7304c48942ULL;
0354     ctx->state[6] = 0x3f9d85a86a1d36c8ULL;
0355     ctx->state[7] = 0x1112e6ad91d692a1ULL;
0356 }
0357
0358 void
0359 SHA512_224_Update(SHA512_CTX * ctx, const void *in, size_t len)
0360 {
0361
0362     SHA512_Update(ctx, in, len);
0363 }
0364
0365 void
0366 SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], SHA512_CTX * ctx)
0367 {
0368
0369     /* Add padding */
0370     SHA512_Pad(ctx);
0371
0372     /* Write the hash */
0373     be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH);
0374
0375     /* Clear the context state */
0376     explicit_bzero(ctx, sizeof(*ctx));
0377 }
0378
0379 void
0380 SHA512_256_Init(SHA512_CTX * ctx)
0381 {
0382
0383     /* Zero bits processed so far */
0384     ctx->count[0] = ctx->count[1] = 0;
0385
0386     /* Magic initialization constants */
0387     ctx->state[0] = 0x22312194fc2bf72cULL;
0388     ctx->state[1] = 0x9f555fa3c84c64c2ULL;
0389     ctx->state[2] = 0x2393b86b6f53b151ULL;
0390     ctx->state[3] = 0x963877195940eabdULL;
0391     ctx->state[4] = 0x96283ee2a88effe3ULL;
0392     ctx->state[5] = 0xbe5e1e2553863992ULL;
0393     ctx->state[6] = 0x2b0199fc2c85b8aaULL;
0394     ctx->state[7] = 0x0eb72ddc81c52ca2ULL;
0395 }
0396
0397 void
0398 SHA512_256_Update(SHA512_CTX * ctx, const void *in, size_t len)
0399 {
0400
0401     SHA512_Update(ctx, in, len);
0402 }
0403
0404 void
0405 SHA512_256_Final(unsigned char digest[static SHA512_256_DIGEST_LENGTH], SHA512_CTX * ctx)
0406 {
0407
0408     /* Add padding */
0409     SHA512_Pad(ctx);
0410
0411     /* Write the hash */
0412     be64enc_vect(digest, ctx->state, SHA512_256_DIGEST_LENGTH);
0413
0414     /* Clear the context state */
0415     explicit_bzero(ctx, sizeof(*ctx));
0416 }
0417
0418 /*** SHA-384: *********************************************************/
0419 /*
0420  * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped
0421  */
0422
0423 /* SHA-384 initialization.  Begins a SHA-384 operation. */
0424 void
0425 SHA384_Init(SHA384_CTX * ctx)
0426 {
0427
0428     /* Zero bits processed so far */
0429     ctx->count[0] = ctx->count[1] = 0;
0430
0431     /* Magic initialization constants */
0432     ctx->state[0] = 0xcbbb9d5dc1059ed8ULL;
0433     ctx->state[1] = 0x629a292a367cd507ULL;
0434     ctx->state[2] = 0x9159015a3070dd17ULL;
0435     ctx->state[3] = 0x152fecd8f70e5939ULL;
0436     ctx->state[4] = 0x67332667ffc00b31ULL;
0437     ctx->state[5] = 0x8eb44a8768581511ULL;
0438     ctx->state[6] = 0xdb0c2e0d64f98fa7ULL;
0439     ctx->state[7] = 0x47b5481dbefa4fa4ULL;
0440 }
0441
0442 /* Add bytes into the SHA-384 hash */
0443 void
0444 SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len)
0445 {
0446
0447     SHA512_Update((SHA512_CTX *)ctx, in, len);
0448 }
0449
0450 /*
0451  * SHA-384 finalization.  Pads the input data, exports the hash value,
0452  * and clears the context state.
0453  */
0454 void
0455 SHA384_Final(unsigned char digest[static SHA384_DIGEST_LENGTH], SHA384_CTX *ctx)
0456 {
0457
0458     /* Add padding */
0459     SHA512_Pad((SHA512_CTX *)ctx);
0460
0461     /* Write the hash */
0462     be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH);
0463
0464     /* Clear the context state */
0465     explicit_bzero(ctx, sizeof(*ctx));
0466 }