16df3ef80SGreg Tucker /**********************************************************************
26df3ef80SGreg Tucker Copyright(c) 2011-2016 Intel Corporation All rights reserved.
36df3ef80SGreg Tucker
46df3ef80SGreg Tucker Redistribution and use in source and binary forms, with or without
56df3ef80SGreg Tucker modification, are permitted provided that the following conditions
66df3ef80SGreg Tucker are met:
76df3ef80SGreg Tucker * Redistributions of source code must retain the above copyright
86df3ef80SGreg Tucker notice, this list of conditions and the following disclaimer.
96df3ef80SGreg Tucker * Redistributions in binary form must reproduce the above copyright
106df3ef80SGreg Tucker notice, this list of conditions and the following disclaimer in
116df3ef80SGreg Tucker the documentation and/or other materials provided with the
126df3ef80SGreg Tucker distribution.
136df3ef80SGreg Tucker * Neither the name of Intel Corporation nor the names of its
146df3ef80SGreg Tucker contributors may be used to endorse or promote products derived
156df3ef80SGreg Tucker from this software without specific prior written permission.
166df3ef80SGreg Tucker
176df3ef80SGreg Tucker THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
186df3ef80SGreg Tucker "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
196df3ef80SGreg Tucker LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
206df3ef80SGreg Tucker A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
216df3ef80SGreg Tucker OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
226df3ef80SGreg Tucker SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
236df3ef80SGreg Tucker LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
246df3ef80SGreg Tucker DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
256df3ef80SGreg Tucker THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
266df3ef80SGreg Tucker (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
276df3ef80SGreg Tucker OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
286df3ef80SGreg Tucker **********************************************************************/
296df3ef80SGreg Tucker
306df3ef80SGreg Tucker #include <string.h>
316df3ef80SGreg Tucker #include "sha512_mb.h"
3292aa5aa4SGreg Tucker #include "endian_helper.h"
336df3ef80SGreg Tucker
346df3ef80SGreg Tucker ////////////////////////////////////////////////////////////////////////
356df3ef80SGreg Tucker ////////////////////////////////////////////////////////////////////////
366df3ef80SGreg Tucker // Reference SHA512 Functions
376df3ef80SGreg Tucker ////////////////////////////////////////////////////////////////////////
386df3ef80SGreg Tucker ////////////////////////////////////////////////////////////////////////
396df3ef80SGreg Tucker
406df3ef80SGreg Tucker #define H0 0x6a09e667f3bcc908
416df3ef80SGreg Tucker #define H1 0xbb67ae8584caa73b
426df3ef80SGreg Tucker #define H2 0x3c6ef372fe94f82b
436df3ef80SGreg Tucker #define H3 0xa54ff53a5f1d36f1
446df3ef80SGreg Tucker #define H4 0x510e527fade682d1
456df3ef80SGreg Tucker #define H5 0x9b05688c2b3e6c1f
466df3ef80SGreg Tucker #define H6 0x1f83d9abfb41bd6b
476df3ef80SGreg Tucker #define H7 0x5be0cd19137e2179
486df3ef80SGreg Tucker
493fb7b5f1SMarcel Cornu void
503fb7b5f1SMarcel Cornu sha512_single(const uint8_t *data, uint64_t digest[]);
516df3ef80SGreg Tucker
523fb7b5f1SMarcel Cornu void
sha512_ref(uint8_t * input_data,uint64_t * digest,uint32_t len)533fb7b5f1SMarcel Cornu sha512_ref(uint8_t *input_data, uint64_t *digest, uint32_t len)
546df3ef80SGreg Tucker {
556df3ef80SGreg Tucker uint32_t i, j;
56*592e639eSPablo de Lara uint8_t buf[2 * ISAL_SHA512_BLOCK_SIZE];
576df3ef80SGreg Tucker
586df3ef80SGreg Tucker /* 128 bit lengths not needed as len is uint32_t, so use 64 bit length
596df3ef80SGreg Tucker * and pad the first 64 bits with zeros. */
606df3ef80SGreg Tucker
616df3ef80SGreg Tucker digest[0] = H0;
626df3ef80SGreg Tucker digest[1] = H1;
636df3ef80SGreg Tucker digest[2] = H2;
646df3ef80SGreg Tucker digest[3] = H3;
656df3ef80SGreg Tucker digest[4] = H4;
666df3ef80SGreg Tucker digest[5] = H5;
676df3ef80SGreg Tucker digest[6] = H6;
686df3ef80SGreg Tucker digest[7] = H7;
696df3ef80SGreg Tucker
706df3ef80SGreg Tucker i = len;
716df3ef80SGreg Tucker /* Hash the complete blocks */
72*592e639eSPablo de Lara while (i >= ISAL_SHA512_BLOCK_SIZE) {
736df3ef80SGreg Tucker sha512_single(input_data, digest);
74*592e639eSPablo de Lara input_data += ISAL_SHA512_BLOCK_SIZE;
75*592e639eSPablo de Lara i -= ISAL_SHA512_BLOCK_SIZE;
766df3ef80SGreg Tucker }
776df3ef80SGreg Tucker
786df3ef80SGreg Tucker /* Copy remainder to a buffer to be padded */
796df3ef80SGreg Tucker memcpy(buf, input_data, i);
806df3ef80SGreg Tucker buf[i++] = 0x80;
816df3ef80SGreg Tucker
826df3ef80SGreg Tucker // Pad more than required here and overwrite with length
83*592e639eSPablo de Lara for (j = i; j < (2 * ISAL_SHA512_BLOCK_SIZE); j++)
846df3ef80SGreg Tucker buf[j] = 0;
856df3ef80SGreg Tucker
86*592e639eSPablo de Lara if (i > ISAL_SHA512_BLOCK_SIZE - ISAL_SHA512_PADLENGTHFIELD_SIZE)
87*592e639eSPablo de Lara i = 2 * ISAL_SHA512_BLOCK_SIZE;
886df3ef80SGreg Tucker else
89*592e639eSPablo de Lara i = ISAL_SHA512_BLOCK_SIZE;
906df3ef80SGreg Tucker
91e3f7d4fbSUlrich Weigand *(uint64_t *) (buf + i - 8) = to_be64((uint64_t) len * 8);
926df3ef80SGreg Tucker
936df3ef80SGreg Tucker /* Hash the padded last block */
946df3ef80SGreg Tucker sha512_single(buf, digest);
956df3ef80SGreg Tucker if (i == 256)
966df3ef80SGreg Tucker sha512_single(buf + 128, digest);
976df3ef80SGreg Tucker }
986df3ef80SGreg Tucker
996df3ef80SGreg Tucker /* From the FIPS, these are the same as for SHA256, but operating on 64 bit words
1006df3ef80SGreg Tucker * instead of 32 bit.
1016df3ef80SGreg Tucker */
1026df3ef80SGreg Tucker #define ch(e, f, g) ((e & f) ^ (g & ~e))
1036df3ef80SGreg Tucker #define maj(a, b, c) ((a & b) ^ (a & c) ^ (b & c))
1046df3ef80SGreg Tucker
1056df3ef80SGreg Tucker /* Sigma functions have same form as SHA256 but
1066df3ef80SGreg Tucker * - change the word size to 64bit
1076df3ef80SGreg Tucker * - change the amount to rotate
1086df3ef80SGreg Tucker */
1096df3ef80SGreg Tucker #define ror64(x, r) (((x) >> (r)) ^ ((x) << (64 - (r))))
1106df3ef80SGreg Tucker
1116df3ef80SGreg Tucker /* Technically, s0 should be S0 as these are "capital sigma" functions, and likewise the case
1126df3ef80SGreg Tucker * of the S0 should be s0, but keep as-is to avoid confusion with the other reference functions.
1136df3ef80SGreg Tucker */
1146df3ef80SGreg Tucker #define s0(a) (ror64(a, 28) ^ ror64(a, 34) ^ ror64(a, 39))
1156df3ef80SGreg Tucker #define s1(e) (ror64(e, 14) ^ ror64(e, 18) ^ ror64(e, 41))
1166df3ef80SGreg Tucker
1176df3ef80SGreg Tucker #define S0(w) (ror64(w, 1) ^ ror64(w, 8) ^ (w >> 7))
1186df3ef80SGreg Tucker #define S1(w) (ror64(w, 19) ^ ror64(w, 61) ^ (w >> 6))
1196df3ef80SGreg Tucker
1206df3ef80SGreg Tucker #define W(x) w[(x) & 15]
1216df3ef80SGreg Tucker
1226df3ef80SGreg Tucker #define step(i, a, b, c, d, e, f, g, h, k) \
1233fb7b5f1SMarcel Cornu if (i < 16) \
1243fb7b5f1SMarcel Cornu W(i) = to_be64(ww[i]); \
1256df3ef80SGreg Tucker else \
1266df3ef80SGreg Tucker W(i) = W(i - 16) + S0(W(i - 15)) + W(i - 7) + S1(W(i - 2)); \
1276df3ef80SGreg Tucker t2 = s0(a) + maj(a, b, c); \
1286df3ef80SGreg Tucker t1 = h + s1(e) + ch(e, f, g) + k + W(i); \
1296df3ef80SGreg Tucker d += t1; \
1306df3ef80SGreg Tucker h = t1 + t2;
1316df3ef80SGreg Tucker
1323fb7b5f1SMarcel Cornu void
sha512_single(const uint8_t * data,uint64_t digest[])1333fb7b5f1SMarcel Cornu sha512_single(const uint8_t *data, uint64_t digest[])
1346df3ef80SGreg Tucker {
1356df3ef80SGreg Tucker /* Check these are all uint64_t */
1366df3ef80SGreg Tucker uint64_t a, b, c, d, e, f, g, h, t1, t2;
1376df3ef80SGreg Tucker uint64_t w[16];
1386df3ef80SGreg Tucker uint64_t *ww = (uint64_t *) data;
1396df3ef80SGreg Tucker
1406df3ef80SGreg Tucker a = digest[0];
1416df3ef80SGreg Tucker b = digest[1];
1426df3ef80SGreg Tucker c = digest[2];
1436df3ef80SGreg Tucker d = digest[3];
1446df3ef80SGreg Tucker e = digest[4];
1456df3ef80SGreg Tucker f = digest[5];
1466df3ef80SGreg Tucker g = digest[6];
1476df3ef80SGreg Tucker h = digest[7];
1486df3ef80SGreg Tucker
1496df3ef80SGreg Tucker step(0, a, b, c, d, e, f, g, h, 0x428a2f98d728ae22);
1506df3ef80SGreg Tucker step(1, h, a, b, c, d, e, f, g, 0x7137449123ef65cd);
1516df3ef80SGreg Tucker step(2, g, h, a, b, c, d, e, f, 0xb5c0fbcfec4d3b2f);
1526df3ef80SGreg Tucker step(3, f, g, h, a, b, c, d, e, 0xe9b5dba58189dbbc);
1536df3ef80SGreg Tucker step(4, e, f, g, h, a, b, c, d, 0x3956c25bf348b538);
1546df3ef80SGreg Tucker step(5, d, e, f, g, h, a, b, c, 0x59f111f1b605d019);
1556df3ef80SGreg Tucker step(6, c, d, e, f, g, h, a, b, 0x923f82a4af194f9b);
1566df3ef80SGreg Tucker step(7, b, c, d, e, f, g, h, a, 0xab1c5ed5da6d8118);
1576df3ef80SGreg Tucker step(8, a, b, c, d, e, f, g, h, 0xd807aa98a3030242);
1586df3ef80SGreg Tucker step(9, h, a, b, c, d, e, f, g, 0x12835b0145706fbe);
1596df3ef80SGreg Tucker step(10, g, h, a, b, c, d, e, f, 0x243185be4ee4b28c);
1606df3ef80SGreg Tucker step(11, f, g, h, a, b, c, d, e, 0x550c7dc3d5ffb4e2);
1616df3ef80SGreg Tucker step(12, e, f, g, h, a, b, c, d, 0x72be5d74f27b896f);
1626df3ef80SGreg Tucker step(13, d, e, f, g, h, a, b, c, 0x80deb1fe3b1696b1);
1636df3ef80SGreg Tucker step(14, c, d, e, f, g, h, a, b, 0x9bdc06a725c71235);
1646df3ef80SGreg Tucker step(15, b, c, d, e, f, g, h, a, 0xc19bf174cf692694);
1656df3ef80SGreg Tucker step(16, a, b, c, d, e, f, g, h, 0xe49b69c19ef14ad2);
1666df3ef80SGreg Tucker step(17, h, a, b, c, d, e, f, g, 0xefbe4786384f25e3);
1676df3ef80SGreg Tucker step(18, g, h, a, b, c, d, e, f, 0x0fc19dc68b8cd5b5);
1686df3ef80SGreg Tucker step(19, f, g, h, a, b, c, d, e, 0x240ca1cc77ac9c65);
1696df3ef80SGreg Tucker step(20, e, f, g, h, a, b, c, d, 0x2de92c6f592b0275);
1706df3ef80SGreg Tucker step(21, d, e, f, g, h, a, b, c, 0x4a7484aa6ea6e483);
1716df3ef80SGreg Tucker step(22, c, d, e, f, g, h, a, b, 0x5cb0a9dcbd41fbd4);
1726df3ef80SGreg Tucker step(23, b, c, d, e, f, g, h, a, 0x76f988da831153b5);
1736df3ef80SGreg Tucker step(24, a, b, c, d, e, f, g, h, 0x983e5152ee66dfab);
1746df3ef80SGreg Tucker step(25, h, a, b, c, d, e, f, g, 0xa831c66d2db43210);
1756df3ef80SGreg Tucker step(26, g, h, a, b, c, d, e, f, 0xb00327c898fb213f);
1766df3ef80SGreg Tucker step(27, f, g, h, a, b, c, d, e, 0xbf597fc7beef0ee4);
1776df3ef80SGreg Tucker step(28, e, f, g, h, a, b, c, d, 0xc6e00bf33da88fc2);
1786df3ef80SGreg Tucker step(29, d, e, f, g, h, a, b, c, 0xd5a79147930aa725);
1796df3ef80SGreg Tucker step(30, c, d, e, f, g, h, a, b, 0x06ca6351e003826f);
1806df3ef80SGreg Tucker step(31, b, c, d, e, f, g, h, a, 0x142929670a0e6e70);
1816df3ef80SGreg Tucker step(32, a, b, c, d, e, f, g, h, 0x27b70a8546d22ffc);
1826df3ef80SGreg Tucker step(33, h, a, b, c, d, e, f, g, 0x2e1b21385c26c926);
1836df3ef80SGreg Tucker step(34, g, h, a, b, c, d, e, f, 0x4d2c6dfc5ac42aed);
1846df3ef80SGreg Tucker step(35, f, g, h, a, b, c, d, e, 0x53380d139d95b3df);
1856df3ef80SGreg Tucker step(36, e, f, g, h, a, b, c, d, 0x650a73548baf63de);
1866df3ef80SGreg Tucker step(37, d, e, f, g, h, a, b, c, 0x766a0abb3c77b2a8);
1876df3ef80SGreg Tucker step(38, c, d, e, f, g, h, a, b, 0x81c2c92e47edaee6);
1886df3ef80SGreg Tucker step(39, b, c, d, e, f, g, h, a, 0x92722c851482353b);
1896df3ef80SGreg Tucker step(40, a, b, c, d, e, f, g, h, 0xa2bfe8a14cf10364);
1906df3ef80SGreg Tucker step(41, h, a, b, c, d, e, f, g, 0xa81a664bbc423001);
1916df3ef80SGreg Tucker step(42, g, h, a, b, c, d, e, f, 0xc24b8b70d0f89791);
1926df3ef80SGreg Tucker step(43, f, g, h, a, b, c, d, e, 0xc76c51a30654be30);
1936df3ef80SGreg Tucker step(44, e, f, g, h, a, b, c, d, 0xd192e819d6ef5218);
1946df3ef80SGreg Tucker step(45, d, e, f, g, h, a, b, c, 0xd69906245565a910);
1956df3ef80SGreg Tucker step(46, c, d, e, f, g, h, a, b, 0xf40e35855771202a);
1966df3ef80SGreg Tucker step(47, b, c, d, e, f, g, h, a, 0x106aa07032bbd1b8);
1976df3ef80SGreg Tucker step(48, a, b, c, d, e, f, g, h, 0x19a4c116b8d2d0c8);
1986df3ef80SGreg Tucker step(49, h, a, b, c, d, e, f, g, 0x1e376c085141ab53);
1996df3ef80SGreg Tucker step(50, g, h, a, b, c, d, e, f, 0x2748774cdf8eeb99);
2006df3ef80SGreg Tucker step(51, f, g, h, a, b, c, d, e, 0x34b0bcb5e19b48a8);
2016df3ef80SGreg Tucker step(52, e, f, g, h, a, b, c, d, 0x391c0cb3c5c95a63);
2026df3ef80SGreg Tucker step(53, d, e, f, g, h, a, b, c, 0x4ed8aa4ae3418acb);
2036df3ef80SGreg Tucker step(54, c, d, e, f, g, h, a, b, 0x5b9cca4f7763e373);
2046df3ef80SGreg Tucker step(55, b, c, d, e, f, g, h, a, 0x682e6ff3d6b2b8a3);
2056df3ef80SGreg Tucker step(56, a, b, c, d, e, f, g, h, 0x748f82ee5defb2fc);
2066df3ef80SGreg Tucker step(57, h, a, b, c, d, e, f, g, 0x78a5636f43172f60);
2076df3ef80SGreg Tucker step(58, g, h, a, b, c, d, e, f, 0x84c87814a1f0ab72);
2086df3ef80SGreg Tucker step(59, f, g, h, a, b, c, d, e, 0x8cc702081a6439ec);
2096df3ef80SGreg Tucker step(60, e, f, g, h, a, b, c, d, 0x90befffa23631e28);
2106df3ef80SGreg Tucker step(61, d, e, f, g, h, a, b, c, 0xa4506cebde82bde9);
2116df3ef80SGreg Tucker step(62, c, d, e, f, g, h, a, b, 0xbef9a3f7b2c67915);
2126df3ef80SGreg Tucker step(63, b, c, d, e, f, g, h, a, 0xc67178f2e372532b); // step 63
2136df3ef80SGreg Tucker step(64, a, b, c, d, e, f, g, h, 0xca273eceea26619c);
2146df3ef80SGreg Tucker step(65, h, a, b, c, d, e, f, g, 0xd186b8c721c0c207);
2156df3ef80SGreg Tucker step(66, g, h, a, b, c, d, e, f, 0xeada7dd6cde0eb1e);
2166df3ef80SGreg Tucker step(67, f, g, h, a, b, c, d, e, 0xf57d4f7fee6ed178);
2176df3ef80SGreg Tucker step(68, e, f, g, h, a, b, c, d, 0x06f067aa72176fba);
2186df3ef80SGreg Tucker step(69, d, e, f, g, h, a, b, c, 0x0a637dc5a2c898a6);
2196df3ef80SGreg Tucker step(70, c, d, e, f, g, h, a, b, 0x113f9804bef90dae);
2206df3ef80SGreg Tucker step(71, b, c, d, e, f, g, h, a, 0x1b710b35131c471b);
2216df3ef80SGreg Tucker step(72, a, b, c, d, e, f, g, h, 0x28db77f523047d84);
2226df3ef80SGreg Tucker step(73, h, a, b, c, d, e, f, g, 0x32caab7b40c72493);
2236df3ef80SGreg Tucker step(74, g, h, a, b, c, d, e, f, 0x3c9ebe0a15c9bebc);
2246df3ef80SGreg Tucker step(75, f, g, h, a, b, c, d, e, 0x431d67c49c100d4c);
2256df3ef80SGreg Tucker step(76, e, f, g, h, a, b, c, d, 0x4cc5d4becb3e42b6);
2266df3ef80SGreg Tucker step(77, d, e, f, g, h, a, b, c, 0x597f299cfc657e2a);
2276df3ef80SGreg Tucker step(78, c, d, e, f, g, h, a, b, 0x5fcb6fab3ad6faec);
2286df3ef80SGreg Tucker step(79, b, c, d, e, f, g, h, a, 0x6c44198c4a475817); // step 79
2296df3ef80SGreg Tucker
2306df3ef80SGreg Tucker digest[0] += a;
2316df3ef80SGreg Tucker digest[1] += b;
2326df3ef80SGreg Tucker digest[2] += c;
2336df3ef80SGreg Tucker digest[3] += d;
2346df3ef80SGreg Tucker digest[4] += e;
2356df3ef80SGreg Tucker digest[5] += f;
2366df3ef80SGreg Tucker digest[6] += g;
2376df3ef80SGreg Tucker digest[7] += h;
2386df3ef80SGreg Tucker }
239