2 * Copyright 2005 Colin Percival
3 * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
31 #include <sys/endian.h>
32 #include <sys/types.h>
35 #include <sys/systm.h>
44 #if BYTE_ORDER == BIG_ENDIAN
46 /* Copy a vector of big-endian uint64_t into a vector of bytes */
47 #define be64enc_vect(dst, src, len) \
48 memcpy((void *)dst, (const void *)src, (size_t)len)
50 /* Copy a vector of bytes into a vector of big-endian uint64_t */
51 #define be64dec_vect(dst, src, len) \
52 memcpy((void *)dst, (const void *)src, (size_t)len)
54 #else /* BYTE_ORDER != BIG_ENDIAN */
57 * Encode a length len/4 vector of (uint64_t) into a length len vector of
58 * (unsigned char) in big-endian form. Assumes len is a multiple of 8.
61 be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len)
65 for (i = 0; i < len / 8; i++)
66 be64enc(dst + i * 8, src[i]);
70 * Decode a big-endian length len vector of (unsigned char) into a length
71 * len/4 vector of (uint64_t). Assumes len is a multiple of 8.
74 be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len)
78 for (i = 0; i < len / 8; i++)
79 dst[i] = be64dec(src + i * 8);
82 #endif /* BYTE_ORDER != BIG_ENDIAN */
84 /* SHA512 round constants. */
85 static const uint64_t K[80] = {
86 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
87 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
88 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
89 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
90 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
91 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
92 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
93 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
94 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
95 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
96 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
97 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
98 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
99 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
100 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
101 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
102 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
103 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
104 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
105 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
106 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
107 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
108 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
109 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
110 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
111 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
112 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
113 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
114 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
115 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
116 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
117 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
118 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
119 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
120 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
121 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
122 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
123 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
124 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
125 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
128 /* Elementary functions used by SHA512 */
129 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
130 #define Maj(x, y, z) ((x & (y | z)) | (y & z))
131 #define SHR(x, n) (x >> n)
132 #define ROTR(x, n) ((x >> n) | (x << (64 - n)))
133 #define S0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
134 #define S1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
135 #define s0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
136 #define s1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
138 /* SHA512 round function */
139 #define RND(a, b, c, d, e, f, g, h, k) \
140 h += S1(e) + Ch(e, f, g) + k; \
142 h += S0(a) + Maj(a, b, c);
144 /* Adjusted round function for rotating state */
145 #define RNDr(S, W, i, ii) \
146 RND(S[(80 - i) % 8], S[(81 - i) % 8], \
147 S[(82 - i) % 8], S[(83 - i) % 8], \
148 S[(84 - i) % 8], S[(85 - i) % 8], \
149 S[(86 - i) % 8], S[(87 - i) % 8], \
150 W[i + ii] + K[i + ii])
152 /* Message schedule computation */
153 #define MSCH(W, ii, i) \
154 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
157 * SHA512 block compression function. The 512-bit state is transformed via
158 * the 512-bit input block to produce a new state.
161 SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH])
167 /* 1. Prepare the first part of the message schedule W. */
168 be64dec_vect(W, block, SHA512_BLOCK_LENGTH);
170 /* 2. Initialize working variables. */
171 memcpy(S, state, SHA512_DIGEST_LENGTH);
174 for (i = 0; i < 80; i += 16) {
212 /* 4. Mix local working variables into global state */
213 for (i = 0; i < 8; i++)
217 static unsigned char PAD[SHA512_BLOCK_LENGTH] = {
218 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
219 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
220 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
221 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
222 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
223 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
224 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
225 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
228 /* Add padding and terminating bit-count. */
230 SHA512_Pad(SHA512_CTX * ctx)
234 /* Figure out how many bytes we have buffered. */
235 r = (ctx->count[1] >> 3) & 0x7f;
237 /* Pad to 112 mod 128, transforming if we finish a block en route. */
239 /* Pad to 112 mod 128. */
240 memcpy(&ctx->buf[r], PAD, 112 - r);
242 /* Finish the current block and mix. */
243 memcpy(&ctx->buf[r], PAD, 128 - r);
244 SHA512_Transform(ctx->state, ctx->buf);
246 /* The start of the final block is all zeroes. */
247 memset(&ctx->buf[0], 0, 112);
250 /* Add the terminating bit-count. */
251 be64enc_vect(&ctx->buf[112], ctx->count, 16);
253 /* Mix in the final block. */
254 SHA512_Transform(ctx->state, ctx->buf);
257 /* SHA-512 initialization. Begins a SHA-512 operation. */
259 SHA512_Init(SHA512_CTX * ctx)
262 /* Zero bits processed so far */
263 ctx->count[0] = ctx->count[1] = 0;
265 /* Magic initialization constants */
266 ctx->state[0] = 0x6a09e667f3bcc908ULL;
267 ctx->state[1] = 0xbb67ae8584caa73bULL;
268 ctx->state[2] = 0x3c6ef372fe94f82bULL;
269 ctx->state[3] = 0xa54ff53a5f1d36f1ULL;
270 ctx->state[4] = 0x510e527fade682d1ULL;
271 ctx->state[5] = 0x9b05688c2b3e6c1fULL;
272 ctx->state[6] = 0x1f83d9abfb41bd6bULL;
273 ctx->state[7] = 0x5be0cd19137e2179ULL;
276 /* Add bytes into the hash */
278 SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len)
282 const unsigned char *src = in;
284 /* Number of bytes left in the buffer from previous updates */
285 r = (ctx->count[1] >> 3) & 0x7f;
287 /* Convert the length into a number of bits */
288 bitlen[1] = ((uint64_t)len) << 3;
289 bitlen[0] = ((uint64_t)len) >> 61;
291 /* Update number of bits */
292 if ((ctx->count[1] += bitlen[1]) < bitlen[1])
294 ctx->count[0] += bitlen[0];
296 /* Handle the case where we don't need to perform any transforms */
297 if (len < SHA512_BLOCK_LENGTH - r) {
298 memcpy(&ctx->buf[r], src, len);
302 /* Finish the current block */
303 memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r);
304 SHA512_Transform(ctx->state, ctx->buf);
305 src += SHA512_BLOCK_LENGTH - r;
306 len -= SHA512_BLOCK_LENGTH - r;
308 /* Perform complete blocks */
309 while (len >= SHA512_BLOCK_LENGTH) {
310 SHA512_Transform(ctx->state, src);
311 src += SHA512_BLOCK_LENGTH;
312 len -= SHA512_BLOCK_LENGTH;
315 /* Copy left over data into buffer */
316 memcpy(ctx->buf, src, len);
320 * SHA-512 finalization. Pads the input data, exports the hash value,
321 * and clears the context state.
324 SHA512_Final(unsigned char digest[static SHA512_DIGEST_LENGTH], SHA512_CTX *ctx)
331 be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH);
333 /* Clear the context state */
334 memset(ctx, 0, sizeof(*ctx));
337 /*** SHA-512t: *********************************************************/
339 * the SHA512t transforms are identical to SHA512 so reuse the existing function
342 SHA512_224_Init(SHA512_CTX * ctx)
345 /* Zero bits processed so far */
346 ctx->count[0] = ctx->count[1] = 0;
348 /* Magic initialization constants */
349 ctx->state[0] = 0x8c3d37c819544da2ULL;
350 ctx->state[1] = 0x73e1996689dcd4d6ULL;
351 ctx->state[2] = 0x1dfab7ae32ff9c82ULL;
352 ctx->state[3] = 0x679dd514582f9fcfULL;
353 ctx->state[4] = 0x0f6d2b697bd44da8ULL;
354 ctx->state[5] = 0x77e36f7304c48942ULL;
355 ctx->state[6] = 0x3f9d85a86a1d36c8ULL;
356 ctx->state[7] = 0x1112e6ad91d692a1ULL;
360 SHA512_224_Update(SHA512_CTX * ctx, const void *in, size_t len)
363 SHA512_Update(ctx, in, len);
367 SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], SHA512_CTX * ctx)
374 be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH);
376 /* Clear the context state */
377 memset(ctx, 0, sizeof(*ctx));
381 SHA512_256_Init(SHA512_CTX * ctx)
384 /* Zero bits processed so far */
385 ctx->count[0] = ctx->count[1] = 0;
387 /* Magic initialization constants */
388 ctx->state[0] = 0x22312194fc2bf72cULL;
389 ctx->state[1] = 0x9f555fa3c84c64c2ULL;
390 ctx->state[2] = 0x2393b86b6f53b151ULL;
391 ctx->state[3] = 0x963877195940eabdULL;
392 ctx->state[4] = 0x96283ee2a88effe3ULL;
393 ctx->state[5] = 0xbe5e1e2553863992ULL;
394 ctx->state[6] = 0x2b0199fc2c85b8aaULL;
395 ctx->state[7] = 0x0eb72ddc81c52ca2ULL;
399 SHA512_256_Update(SHA512_CTX * ctx, const void *in, size_t len)
402 SHA512_Update(ctx, in, len);
406 SHA512_256_Final(unsigned char digest[static SHA512_256_DIGEST_LENGTH], SHA512_CTX * ctx)
413 be64enc_vect(digest, ctx->state, SHA512_256_DIGEST_LENGTH);
415 /* Clear the context state */
416 memset(ctx, 0, sizeof(*ctx));
419 /*** SHA-384: *********************************************************/
421 * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped
424 /* SHA-384 initialization. Begins a SHA-384 operation. */
426 SHA384_Init(SHA384_CTX * ctx)
429 /* Zero bits processed so far */
430 ctx->count[0] = ctx->count[1] = 0;
432 /* Magic initialization constants */
433 ctx->state[0] = 0xcbbb9d5dc1059ed8ULL;
434 ctx->state[1] = 0x629a292a367cd507ULL;
435 ctx->state[2] = 0x9159015a3070dd17ULL;
436 ctx->state[3] = 0x152fecd8f70e5939ULL;
437 ctx->state[4] = 0x67332667ffc00b31ULL;
438 ctx->state[5] = 0x8eb44a8768581511ULL;
439 ctx->state[6] = 0xdb0c2e0d64f98fa7ULL;
440 ctx->state[7] = 0x47b5481dbefa4fa4ULL;
443 /* Add bytes into the SHA-384 hash */
445 SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len)
448 SHA512_Update((SHA512_CTX *)ctx, in, len);
452 * SHA-384 finalization. Pads the input data, exports the hash value,
453 * and clears the context state.
456 SHA384_Final(unsigned char digest[static SHA384_DIGEST_LENGTH], SHA384_CTX *ctx)
460 SHA512_Pad((SHA512_CTX *)ctx);
463 be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH);
465 /* Clear the context state */
466 memset(ctx, 0, sizeof(*ctx));
470 /* When building libmd, provide weak references. Note: this is not
471 activated in the context of compiling these sources for internal
475 __weak_reference(_libmd_SHA512_Init, SHA512_Init);
477 __weak_reference(_libmd_SHA512_Update, SHA512_Update);
479 __weak_reference(_libmd_SHA512_Final, SHA512_Final);
480 #undef SHA512_Transform
481 __weak_reference(_libmd_SHA512_Transform, SHA512_Transform);
483 #undef SHA512_224_Init
484 __weak_reference(_libmd_SHA512_224_Init, SHA512_224_Init);
485 #undef SHA512_224_Update
486 __weak_reference(_libmd_SHA512_224_Update, SHA512_224_Update);
487 #undef SHA512_224_Final
488 __weak_reference(_libmd_SHA512_224_Final, SHA512_224_Final);
490 #undef SHA512_256_Init
491 __weak_reference(_libmd_SHA512_256_Init, SHA512_256_Init);
492 #undef SHA512_256_Update
493 __weak_reference(_libmd_SHA512_256_Update, SHA512_256_Update);
494 #undef SHA512_256_Final
495 __weak_reference(_libmd_SHA512_256_Final, SHA512_256_Final);
498 __weak_reference(_libmd_SHA384_Init, SHA384_Init);
500 __weak_reference(_libmd_SHA384_Update, SHA384_Update);
502 __weak_reference(_libmd_SHA384_Final, SHA384_Final);