1 /*- 2 * Copyright 2005 Colin Percival 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 */ 26 27 #include <sys/cdefs.h> 28 #include <sys/endian.h> 29 #include <sys/types.h> 30 31 #ifdef _KERNEL 32 #include <sys/systm.h> 33 #else 34 #include <string.h> 35 #endif 36 37 #include "sha224.h" 38 #include "sha256.h" 39 #include "sha256c_impl.h" 40 41 #if defined(ARM64_SHA2) 42 #include <sys/auxv.h> 43 #include <machine/ifunc.h> 44 #endif 45 46 #if BYTE_ORDER == BIG_ENDIAN 47 48 /* Copy a vector of big-endian uint32_t into a vector of bytes */ 49 #define be32enc_vect(dst, src, len) \ 50 memcpy((void *)dst, (const void *)src, (size_t)len) 51 52 /* Copy a vector of bytes into a vector of big-endian uint32_t */ 53 #define be32dec_vect(dst, src, len) \ 54 memcpy((void *)dst, (const void *)src, (size_t)len) 55 56 #else /* BYTE_ORDER != BIG_ENDIAN */ 57 58 /* 59 * Encode a length len/4 vector of (uint32_t) into a length len vector of 60 * (unsigned char) in big-endian form. Assumes len is a multiple of 4. 61 */ 62 static void 63 be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) 64 { 65 size_t i; 66 67 for (i = 0; i < len / 4; i++) 68 be32enc(dst + i * 4, src[i]); 69 } 70 71 /* 72 * Decode a big-endian length len vector of (unsigned char) into a length 73 * len/4 vector of (uint32_t). Assumes len is a multiple of 4. 74 */ 75 static void 76 be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) 77 { 78 size_t i; 79 80 for (i = 0; i < len / 4; i++) 81 dst[i] = be32dec(src + i * 4); 82 } 83 84 #endif /* BYTE_ORDER != BIG_ENDIAN */ 85 86 /* SHA256 round constants. */ 87 static const uint32_t K[64] = { 88 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 89 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 90 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 91 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 92 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 93 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 94 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 95 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 96 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 97 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 98 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 99 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 100 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 101 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 102 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 103 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 104 }; 105 106 /* Elementary functions used by SHA256 */ 107 #define Ch(x, y, z) ((x & (y ^ z)) ^ z) 108 #define Maj(x, y, z) ((x & (y | z)) | (y & z)) 109 #define SHR(x, n) (x >> n) 110 #define ROTR(x, n) ((x >> n) | (x << (32 - n))) 111 #define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) 112 #define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) 113 #define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) 114 #define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) 115 116 /* SHA256 round function */ 117 #define RND(a, b, c, d, e, f, g, h, k) \ 118 h += S1(e) + Ch(e, f, g) + k; \ 119 d += h; \ 120 h += S0(a) + Maj(a, b, c); 121 122 /* Adjusted round function for rotating state */ 123 #define RNDr(S, W, i, ii) \ 124 RND(S[(64 - i) % 8], S[(65 - i) % 8], \ 125 S[(66 - i) % 8], S[(67 - i) % 8], \ 126 S[(68 - i) % 8], S[(69 - i) % 8], \ 127 S[(70 - i) % 8], S[(71 - i) % 8], \ 128 W[i + ii] + K[i + ii]) 129 130 /* Message schedule computation */ 131 #define MSCH(W, ii, i) \ 132 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii] 133 134 /* 135 * SHA256 block compression function. The 256-bit state is transformed via 136 * the 512-bit input block to produce a new state. 137 */ 138 static void 139 #if defined(ARM64_SHA2) 140 SHA256_Transform_c(uint32_t * state, const unsigned char block[64]) 141 #else 142 SHA256_Transform(uint32_t * state, const unsigned char block[64]) 143 #endif 144 { 145 uint32_t W[64]; 146 uint32_t S[8]; 147 int i; 148 149 /* 1. Prepare the first part of the message schedule W. */ 150 be32dec_vect(W, block, 64); 151 152 /* 2. Initialize working variables. */ 153 memcpy(S, state, 32); 154 155 /* 3. Mix. */ 156 for (i = 0; i < 64; i += 16) { 157 RNDr(S, W, 0, i); 158 RNDr(S, W, 1, i); 159 RNDr(S, W, 2, i); 160 RNDr(S, W, 3, i); 161 RNDr(S, W, 4, i); 162 RNDr(S, W, 5, i); 163 RNDr(S, W, 6, i); 164 RNDr(S, W, 7, i); 165 RNDr(S, W, 8, i); 166 RNDr(S, W, 9, i); 167 RNDr(S, W, 10, i); 168 RNDr(S, W, 11, i); 169 RNDr(S, W, 12, i); 170 RNDr(S, W, 13, i); 171 RNDr(S, W, 14, i); 172 RNDr(S, W, 15, i); 173 174 if (i == 48) 175 break; 176 MSCH(W, 0, i); 177 MSCH(W, 1, i); 178 MSCH(W, 2, i); 179 MSCH(W, 3, i); 180 MSCH(W, 4, i); 181 MSCH(W, 5, i); 182 MSCH(W, 6, i); 183 MSCH(W, 7, i); 184 MSCH(W, 8, i); 185 MSCH(W, 9, i); 186 MSCH(W, 10, i); 187 MSCH(W, 11, i); 188 MSCH(W, 12, i); 189 MSCH(W, 13, i); 190 MSCH(W, 14, i); 191 MSCH(W, 15, i); 192 } 193 194 /* 4. Mix local working variables into global state */ 195 for (i = 0; i < 8; i++) 196 state[i] += S[i]; 197 } 198 199 #if defined(ARM64_SHA2) 200 static void 201 SHA256_Transform_arm64(uint32_t * state, const unsigned char block[64]) 202 { 203 SHA256_Transform_arm64_impl(state, block, K); 204 } 205 206 DEFINE_UIFUNC(static, void, SHA256_Transform, 207 (uint32_t * state, const unsigned char block[64])) 208 { 209 u_long hwcap; 210 211 if (elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)) == 0) { 212 if ((hwcap & HWCAP_SHA2) != 0) 213 return (SHA256_Transform_arm64); 214 } 215 216 return (SHA256_Transform_c); 217 } 218 #endif 219 220 static unsigned char PAD[64] = { 221 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 222 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 223 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 224 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 225 }; 226 227 /* Add padding and terminating bit-count. */ 228 static void 229 SHA256_Pad(SHA256_CTX * ctx) 230 { 231 size_t r; 232 233 /* Figure out how many bytes we have buffered. */ 234 r = (ctx->count >> 3) & 0x3f; 235 236 /* Pad to 56 mod 64, transforming if we finish a block en route. */ 237 if (r < 56) { 238 /* Pad to 56 mod 64. */ 239 memcpy(&ctx->buf[r], PAD, 56 - r); 240 } else { 241 /* Finish the current block and mix. */ 242 memcpy(&ctx->buf[r], PAD, 64 - r); 243 SHA256_Transform(ctx->state, ctx->buf); 244 245 /* The start of the final block is all zeroes. */ 246 memset(&ctx->buf[0], 0, 56); 247 } 248 249 /* Add the terminating bit-count. */ 250 be64enc(&ctx->buf[56], ctx->count); 251 252 /* Mix in the final block. */ 253 SHA256_Transform(ctx->state, ctx->buf); 254 } 255 256 /* SHA-256 initialization. Begins a SHA-256 operation. */ 257 void 258 SHA256_Init(SHA256_CTX * ctx) 259 { 260 261 /* Zero bits processed so far */ 262 ctx->count = 0; 263 264 /* Magic initialization constants */ 265 ctx->state[0] = 0x6A09E667; 266 ctx->state[1] = 0xBB67AE85; 267 ctx->state[2] = 0x3C6EF372; 268 ctx->state[3] = 0xA54FF53A; 269 ctx->state[4] = 0x510E527F; 270 ctx->state[5] = 0x9B05688C; 271 ctx->state[6] = 0x1F83D9AB; 272 ctx->state[7] = 0x5BE0CD19; 273 } 274 275 /* Add bytes into the hash */ 276 void 277 SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) 278 { 279 uint64_t bitlen; 280 uint32_t r; 281 const unsigned char *src = in; 282 283 /* Number of bytes left in the buffer from previous updates */ 284 r = (ctx->count >> 3) & 0x3f; 285 286 /* Convert the length into a number of bits */ 287 bitlen = len << 3; 288 289 /* Update number of bits */ 290 ctx->count += bitlen; 291 292 /* Handle the case where we don't need to perform any transforms */ 293 if (len < 64 - r) { 294 memcpy(&ctx->buf[r], src, len); 295 return; 296 } 297 298 /* Finish the current block */ 299 memcpy(&ctx->buf[r], src, 64 - r); 300 SHA256_Transform(ctx->state, ctx->buf); 301 src += 64 - r; 302 len -= 64 - r; 303 304 /* Perform complete blocks */ 305 while (len >= 64) { 306 SHA256_Transform(ctx->state, src); 307 src += 64; 308 len -= 64; 309 } 310 311 /* Copy left over data into buffer */ 312 memcpy(ctx->buf, src, len); 313 } 314 315 /* 316 * SHA-256 finalization. Pads the input data, exports the hash value, 317 * and clears the context state. 318 */ 319 void 320 SHA256_Final(unsigned char digest[static SHA256_DIGEST_LENGTH], SHA256_CTX *ctx) 321 { 322 323 /* Add padding */ 324 SHA256_Pad(ctx); 325 326 /* Write the hash */ 327 be32enc_vect(digest, ctx->state, SHA256_DIGEST_LENGTH); 328 329 /* Clear the context state */ 330 explicit_bzero(ctx, sizeof(*ctx)); 331 } 332 333 /*** SHA-224: *********************************************************/ 334 /* 335 * the SHA224 and SHA256 transforms are identical 336 */ 337 338 /* SHA-224 initialization. Begins a SHA-224 operation. */ 339 void 340 SHA224_Init(SHA224_CTX * ctx) 341 { 342 343 /* Zero bits processed so far */ 344 ctx->count = 0; 345 346 /* Magic initialization constants */ 347 ctx->state[0] = 0xC1059ED8; 348 ctx->state[1] = 0x367CD507; 349 ctx->state[2] = 0x3070DD17; 350 ctx->state[3] = 0xF70E5939; 351 ctx->state[4] = 0xFFC00B31; 352 ctx->state[5] = 0x68581511; 353 ctx->state[6] = 0x64f98FA7; 354 ctx->state[7] = 0xBEFA4FA4; 355 } 356 357 /* Add bytes into the SHA-224 hash */ 358 void 359 SHA224_Update(SHA224_CTX * ctx, const void *in, size_t len) 360 { 361 362 SHA256_Update((SHA256_CTX *)ctx, in, len); 363 } 364 365 /* 366 * SHA-224 finalization. Pads the input data, exports the hash value, 367 * and clears the context state. 368 */ 369 void 370 SHA224_Final(unsigned char digest[static SHA224_DIGEST_LENGTH], SHA224_CTX *ctx) 371 { 372 373 /* Add padding */ 374 SHA256_Pad((SHA256_CTX *)ctx); 375 376 /* Write the hash */ 377 be32enc_vect(digest, ctx->state, SHA224_DIGEST_LENGTH); 378 379 /* Clear the context state */ 380 explicit_bzero(ctx, sizeof(*ctx)); 381 } 382 383 #ifdef WEAK_REFS 384 /* When building libmd, provide weak references. Note: this is not 385 activated in the context of compiling these sources for internal 386 use in libcrypt. 387 */ 388 #undef SHA256_Init 389 __weak_reference(_libmd_SHA256_Init, SHA256_Init); 390 #undef SHA256_Update 391 __weak_reference(_libmd_SHA256_Update, SHA256_Update); 392 #undef SHA256_Final 393 __weak_reference(_libmd_SHA256_Final, SHA256_Final); 394 #undef SHA256_Transform 395 __weak_reference(_libmd_SHA256_Transform, SHA256_Transform); 396 397 #undef SHA224_Init 398 __weak_reference(_libmd_SHA224_Init, SHA224_Init); 399 #undef SHA224_Update 400 __weak_reference(_libmd_SHA224_Update, SHA224_Update); 401 #undef SHA224_Final 402 __weak_reference(_libmd_SHA224_Final, SHA224_Final); 403 #endif 404