2 * Copyright 2005 Colin Percival
3 * Copyright (c) 2015 Allan Jude <allanjude@FreeBSD.org>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
31 #include <sys/endian.h>
32 #include <sys/types.h>
35 #include <sys/systm.h>
43 #include "sha512c_impl.h"
45 #if defined(ARM64_SHA512)
47 #include <machine/ifunc.h>
50 #if BYTE_ORDER == BIG_ENDIAN
52 /* Copy a vector of big-endian uint64_t into a vector of bytes */
53 #define be64enc_vect(dst, src, len) \
54 memcpy((void *)dst, (const void *)src, (size_t)len)
56 /* Copy a vector of bytes into a vector of big-endian uint64_t */
57 #define be64dec_vect(dst, src, len) \
58 memcpy((void *)dst, (const void *)src, (size_t)len)
60 #else /* BYTE_ORDER != BIG_ENDIAN */
63 * Encode a length (len + 7) / 8 vector of (uint64_t) into a length len
64 * vector of (unsigned char) in big-endian form. Assumes len is a
68 be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len)
72 for (i = 0; i < len / 8; i++)
73 be64enc(dst + i * 8, src[i]);
75 be32enc(dst + i * 8, src[i] >> 32);
79 * Decode a big-endian length len vector of (unsigned char) into a length
80 * len/8 vector of (uint64_t). Assumes len is a multiple of 8.
83 be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len)
87 for (i = 0; i < len / 8; i++)
88 dst[i] = be64dec(src + i * 8);
91 #endif /* BYTE_ORDER != BIG_ENDIAN */
93 /* SHA512 round constants. */
94 static const uint64_t K[80] = {
95 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
96 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
97 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
98 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
99 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
100 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
101 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
102 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
103 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
104 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
105 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
106 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
107 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
108 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
109 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
110 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
111 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
112 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
113 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
114 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
115 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
116 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
117 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
118 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
119 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
120 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
121 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
122 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
123 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
124 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
125 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
126 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
127 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
128 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
129 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
130 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
131 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
132 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
133 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
134 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
137 /* Elementary functions used by SHA512 */
138 #define Ch(x, y, z) ((x & (y ^ z)) ^ z)
139 #define Maj(x, y, z) ((x & (y | z)) | (y & z))
140 #define SHR(x, n) (x >> n)
141 #define ROTR(x, n) ((x >> n) | (x << (64 - n)))
142 #define S0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
143 #define S1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
144 #define s0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
145 #define s1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6))
147 /* SHA512 round function */
148 #define RND(a, b, c, d, e, f, g, h, k) \
149 h += S1(e) + Ch(e, f, g) + k; \
151 h += S0(a) + Maj(a, b, c);
153 /* Adjusted round function for rotating state */
154 #define RNDr(S, W, i, ii) \
155 RND(S[(80 - i) % 8], S[(81 - i) % 8], \
156 S[(82 - i) % 8], S[(83 - i) % 8], \
157 S[(84 - i) % 8], S[(85 - i) % 8], \
158 S[(86 - i) % 8], S[(87 - i) % 8], \
159 W[i + ii] + K[i + ii])
161 /* Message schedule computation */
162 #define MSCH(W, ii, i) \
163 W[i + ii + 16] = s1(W[i + ii + 14]) + W[i + ii + 9] + s0(W[i + ii + 1]) + W[i + ii]
166 * SHA512 block compression function. The 512-bit state is transformed via
167 * the 512-bit input block to produce a new state.
170 #if defined(ARM64_SHA512)
171 SHA512_Transform_c(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH])
173 SHA512_Transform(uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH])
180 /* 1. Prepare the first part of the message schedule W. */
181 be64dec_vect(W, block, SHA512_BLOCK_LENGTH);
183 /* 2. Initialize working variables. */
184 memcpy(S, state, SHA512_DIGEST_LENGTH);
187 for (i = 0; i < 80; i += 16) {
225 /* 4. Mix local working variables into global state */
226 for (i = 0; i < 8; i++)
230 #if defined(ARM64_SHA512)
232 SHA512_Transform_arm64(uint64_t * state,
233 const unsigned char block[SHA512_BLOCK_LENGTH])
235 SHA512_Transform_arm64_impl(state, block, K);
238 DEFINE_UIFUNC(static, void, SHA512_Transform,
239 (uint64_t * state, const unsigned char block[SHA512_BLOCK_LENGTH]))
243 if (elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)) == 0) {
244 if ((hwcap & HWCAP_SHA512) != 0) {
245 return (SHA512_Transform_arm64);
249 return (SHA512_Transform_c);
253 static unsigned char PAD[SHA512_BLOCK_LENGTH] = {
254 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
255 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
256 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
257 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
258 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
259 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
260 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
261 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
264 /* Add padding and terminating bit-count. */
266 SHA512_Pad(SHA512_CTX * ctx)
270 /* Figure out how many bytes we have buffered. */
271 r = (ctx->count[1] >> 3) & 0x7f;
273 /* Pad to 112 mod 128, transforming if we finish a block en route. */
275 /* Pad to 112 mod 128. */
276 memcpy(&ctx->buf[r], PAD, 112 - r);
278 /* Finish the current block and mix. */
279 memcpy(&ctx->buf[r], PAD, 128 - r);
280 SHA512_Transform(ctx->state, ctx->buf);
282 /* The start of the final block is all zeroes. */
283 memset(&ctx->buf[0], 0, 112);
286 /* Add the terminating bit-count. */
287 be64enc_vect(&ctx->buf[112], ctx->count, 16);
289 /* Mix in the final block. */
290 SHA512_Transform(ctx->state, ctx->buf);
293 /* SHA-512 initialization. Begins a SHA-512 operation. */
295 SHA512_Init(SHA512_CTX * ctx)
298 /* Zero bits processed so far */
299 ctx->count[0] = ctx->count[1] = 0;
301 /* Magic initialization constants */
302 ctx->state[0] = 0x6a09e667f3bcc908ULL;
303 ctx->state[1] = 0xbb67ae8584caa73bULL;
304 ctx->state[2] = 0x3c6ef372fe94f82bULL;
305 ctx->state[3] = 0xa54ff53a5f1d36f1ULL;
306 ctx->state[4] = 0x510e527fade682d1ULL;
307 ctx->state[5] = 0x9b05688c2b3e6c1fULL;
308 ctx->state[6] = 0x1f83d9abfb41bd6bULL;
309 ctx->state[7] = 0x5be0cd19137e2179ULL;
312 /* Add bytes into the hash */
314 SHA512_Update(SHA512_CTX * ctx, const void *in, size_t len)
318 const unsigned char *src = in;
320 /* Number of bytes left in the buffer from previous updates */
321 r = (ctx->count[1] >> 3) & 0x7f;
323 /* Convert the length into a number of bits */
324 bitlen[1] = ((uint64_t)len) << 3;
325 bitlen[0] = ((uint64_t)len) >> 61;
327 /* Update number of bits */
328 if ((ctx->count[1] += bitlen[1]) < bitlen[1])
330 ctx->count[0] += bitlen[0];
332 /* Handle the case where we don't need to perform any transforms */
333 if (len < SHA512_BLOCK_LENGTH - r) {
334 memcpy(&ctx->buf[r], src, len);
338 /* Finish the current block */
339 memcpy(&ctx->buf[r], src, SHA512_BLOCK_LENGTH - r);
340 SHA512_Transform(ctx->state, ctx->buf);
341 src += SHA512_BLOCK_LENGTH - r;
342 len -= SHA512_BLOCK_LENGTH - r;
344 /* Perform complete blocks */
345 while (len >= SHA512_BLOCK_LENGTH) {
346 SHA512_Transform(ctx->state, src);
347 src += SHA512_BLOCK_LENGTH;
348 len -= SHA512_BLOCK_LENGTH;
351 /* Copy left over data into buffer */
352 memcpy(ctx->buf, src, len);
356 * SHA-512 finalization. Pads the input data, exports the hash value,
357 * and clears the context state.
360 SHA512_Final(unsigned char digest[static SHA512_DIGEST_LENGTH], SHA512_CTX *ctx)
367 be64enc_vect(digest, ctx->state, SHA512_DIGEST_LENGTH);
369 /* Clear the context state */
370 explicit_bzero(ctx, sizeof(*ctx));
373 /*** SHA-512t: *********************************************************/
375 * the SHA512t transforms are identical to SHA512 so reuse the existing function
378 SHA512_224_Init(SHA512_CTX * ctx)
381 /* Zero bits processed so far */
382 ctx->count[0] = ctx->count[1] = 0;
384 /* Magic initialization constants */
385 ctx->state[0] = 0x8c3d37c819544da2ULL;
386 ctx->state[1] = 0x73e1996689dcd4d6ULL;
387 ctx->state[2] = 0x1dfab7ae32ff9c82ULL;
388 ctx->state[3] = 0x679dd514582f9fcfULL;
389 ctx->state[4] = 0x0f6d2b697bd44da8ULL;
390 ctx->state[5] = 0x77e36f7304c48942ULL;
391 ctx->state[6] = 0x3f9d85a86a1d36c8ULL;
392 ctx->state[7] = 0x1112e6ad91d692a1ULL;
396 SHA512_224_Update(SHA512_CTX * ctx, const void *in, size_t len)
399 SHA512_Update(ctx, in, len);
403 SHA512_224_Final(unsigned char digest[static SHA512_224_DIGEST_LENGTH], SHA512_CTX * ctx)
410 be64enc_vect(digest, ctx->state, SHA512_224_DIGEST_LENGTH);
412 /* Clear the context state */
413 explicit_bzero(ctx, sizeof(*ctx));
417 SHA512_256_Init(SHA512_CTX * ctx)
420 /* Zero bits processed so far */
421 ctx->count[0] = ctx->count[1] = 0;
423 /* Magic initialization constants */
424 ctx->state[0] = 0x22312194fc2bf72cULL;
425 ctx->state[1] = 0x9f555fa3c84c64c2ULL;
426 ctx->state[2] = 0x2393b86b6f53b151ULL;
427 ctx->state[3] = 0x963877195940eabdULL;
428 ctx->state[4] = 0x96283ee2a88effe3ULL;
429 ctx->state[5] = 0xbe5e1e2553863992ULL;
430 ctx->state[6] = 0x2b0199fc2c85b8aaULL;
431 ctx->state[7] = 0x0eb72ddc81c52ca2ULL;
435 SHA512_256_Update(SHA512_CTX * ctx, const void *in, size_t len)
438 SHA512_Update(ctx, in, len);
442 SHA512_256_Final(unsigned char digest[static SHA512_256_DIGEST_LENGTH], SHA512_CTX * ctx)
449 be64enc_vect(digest, ctx->state, SHA512_256_DIGEST_LENGTH);
451 /* Clear the context state */
452 explicit_bzero(ctx, sizeof(*ctx));
455 /*** SHA-384: *********************************************************/
457 * the SHA384 and SHA512 transforms are identical, so SHA384 is skipped
460 /* SHA-384 initialization. Begins a SHA-384 operation. */
462 SHA384_Init(SHA384_CTX * ctx)
465 /* Zero bits processed so far */
466 ctx->count[0] = ctx->count[1] = 0;
468 /* Magic initialization constants */
469 ctx->state[0] = 0xcbbb9d5dc1059ed8ULL;
470 ctx->state[1] = 0x629a292a367cd507ULL;
471 ctx->state[2] = 0x9159015a3070dd17ULL;
472 ctx->state[3] = 0x152fecd8f70e5939ULL;
473 ctx->state[4] = 0x67332667ffc00b31ULL;
474 ctx->state[5] = 0x8eb44a8768581511ULL;
475 ctx->state[6] = 0xdb0c2e0d64f98fa7ULL;
476 ctx->state[7] = 0x47b5481dbefa4fa4ULL;
479 /* Add bytes into the SHA-384 hash */
481 SHA384_Update(SHA384_CTX * ctx, const void *in, size_t len)
484 SHA512_Update((SHA512_CTX *)ctx, in, len);
488 * SHA-384 finalization. Pads the input data, exports the hash value,
489 * and clears the context state.
492 SHA384_Final(unsigned char digest[static SHA384_DIGEST_LENGTH], SHA384_CTX *ctx)
496 SHA512_Pad((SHA512_CTX *)ctx);
499 be64enc_vect(digest, ctx->state, SHA384_DIGEST_LENGTH);
501 /* Clear the context state */
502 explicit_bzero(ctx, sizeof(*ctx));
506 /* When building libmd, provide weak references. Note: this is not
507 activated in the context of compiling these sources for internal
511 __weak_reference(_libmd_SHA512_Init, SHA512_Init);
513 __weak_reference(_libmd_SHA512_Update, SHA512_Update);
515 __weak_reference(_libmd_SHA512_Final, SHA512_Final);
516 #undef SHA512_Transform
517 __weak_reference(_libmd_SHA512_Transform, SHA512_Transform);
519 #undef SHA512_224_Init
520 __weak_reference(_libmd_SHA512_224_Init, SHA512_224_Init);
521 #undef SHA512_224_Update
522 __weak_reference(_libmd_SHA512_224_Update, SHA512_224_Update);
523 #undef SHA512_224_Final
524 __weak_reference(_libmd_SHA512_224_Final, SHA512_224_Final);
526 #undef SHA512_256_Init
527 __weak_reference(_libmd_SHA512_256_Init, SHA512_256_Init);
528 #undef SHA512_256_Update
529 __weak_reference(_libmd_SHA512_256_Update, SHA512_256_Update);
530 #undef SHA512_256_Final
531 __weak_reference(_libmd_SHA512_256_Final, SHA512_256_Final);
534 __weak_reference(_libmd_SHA384_Init, SHA384_Init);
536 __weak_reference(_libmd_SHA384_Update, SHA384_Update);
538 __weak_reference(_libmd_SHA384_Final, SHA384_Final);