1 /* $OpenBSD: sha512.c,v 1.38 2023/05/19 00:54:28 deraadt Exp $ */ 2 /* ==================================================================== 3 * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the 15 * distribution. 16 * 17 * 3. All advertising materials mentioning features or use of this 18 * software must display the following acknowledgment: 19 * "This product includes software developed by the OpenSSL Project 20 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 21 * 22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 23 * endorse or promote products derived from this software without 24 * prior written permission. For written permission, please contact 25 * openssl-core@openssl.org. 26 * 27 * 5. Products derived from this software may not be called "OpenSSL" 28 * nor may "OpenSSL" appear in their names without prior written 29 * permission of the OpenSSL Project. 30 * 31 * 6. Redistributions of any form whatsoever must retain the following 32 * acknowledgment: 33 * "This product includes software developed by the OpenSSL Project 34 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 35 * 36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 47 * OF THE POSSIBILITY OF SUCH DAMAGE. 48 * ==================================================================== 49 * 50 * This product includes cryptographic software written by Eric Young 51 * (eay@cryptsoft.com). This product includes software written by Tim 52 * Hudson (tjh@cryptsoft.com). 53 */ 54 55 #include <endian.h> 56 #include <stdlib.h> 57 #include <string.h> 58 59 #include <openssl/opensslconf.h> 60 61 #include <openssl/crypto.h> 62 #include <openssl/sha.h> 63 64 #include "crypto_internal.h" 65 #include "sha_internal.h" 66 67 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512) 68 69 #if !defined(__STRICT_ALIGNMENT) || defined(SHA512_ASM) 70 #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA 71 #endif 72 73 #ifdef SHA512_ASM 74 void sha512_block_data_order(SHA512_CTX *ctx, const void *in, size_t num); 75 #endif 76 77 #ifndef SHA512_ASM 78 static const SHA_LONG64 K512[80] = { 79 U64(0x428a2f98d728ae22), U64(0x7137449123ef65cd), 80 U64(0xb5c0fbcfec4d3b2f), U64(0xe9b5dba58189dbbc), 81 U64(0x3956c25bf348b538), U64(0x59f111f1b605d019), 82 U64(0x923f82a4af194f9b), U64(0xab1c5ed5da6d8118), 83 U64(0xd807aa98a3030242), U64(0x12835b0145706fbe), 84 U64(0x243185be4ee4b28c), U64(0x550c7dc3d5ffb4e2), 85 U64(0x72be5d74f27b896f), U64(0x80deb1fe3b1696b1), 86 U64(0x9bdc06a725c71235), U64(0xc19bf174cf692694), 87 U64(0xe49b69c19ef14ad2), U64(0xefbe4786384f25e3), 88 U64(0x0fc19dc68b8cd5b5), U64(0x240ca1cc77ac9c65), 89 U64(0x2de92c6f592b0275), U64(0x4a7484aa6ea6e483), 90 U64(0x5cb0a9dcbd41fbd4), U64(0x76f988da831153b5), 91 U64(0x983e5152ee66dfab), U64(0xa831c66d2db43210), 92 U64(0xb00327c898fb213f), U64(0xbf597fc7beef0ee4), 93 U64(0xc6e00bf33da88fc2), U64(0xd5a79147930aa725), 94 U64(0x06ca6351e003826f), U64(0x142929670a0e6e70), 95 U64(0x27b70a8546d22ffc), U64(0x2e1b21385c26c926), 96 U64(0x4d2c6dfc5ac42aed), U64(0x53380d139d95b3df), 97 U64(0x650a73548baf63de), U64(0x766a0abb3c77b2a8), 98 U64(0x81c2c92e47edaee6), U64(0x92722c851482353b), 99 U64(0xa2bfe8a14cf10364), U64(0xa81a664bbc423001), 100 U64(0xc24b8b70d0f89791), U64(0xc76c51a30654be30), 101 U64(0xd192e819d6ef5218), U64(0xd69906245565a910), 102 U64(0xf40e35855771202a), U64(0x106aa07032bbd1b8), 103 U64(0x19a4c116b8d2d0c8), U64(0x1e376c085141ab53), 104 U64(0x2748774cdf8eeb99), U64(0x34b0bcb5e19b48a8), 105 U64(0x391c0cb3c5c95a63), U64(0x4ed8aa4ae3418acb), 106 U64(0x5b9cca4f7763e373), U64(0x682e6ff3d6b2b8a3), 107 U64(0x748f82ee5defb2fc), U64(0x78a5636f43172f60), 108 U64(0x84c87814a1f0ab72), U64(0x8cc702081a6439ec), 109 U64(0x90befffa23631e28), U64(0xa4506cebde82bde9), 110 U64(0xbef9a3f7b2c67915), U64(0xc67178f2e372532b), 111 U64(0xca273eceea26619c), U64(0xd186b8c721c0c207), 112 U64(0xeada7dd6cde0eb1e), U64(0xf57d4f7fee6ed178), 113 U64(0x06f067aa72176fba), U64(0x0a637dc5a2c898a6), 114 U64(0x113f9804bef90dae), U64(0x1b710b35131c471b), 115 U64(0x28db77f523047d84), U64(0x32caab7b40c72493), 116 U64(0x3c9ebe0a15c9bebc), U64(0x431d67c49c100d4c), 117 U64(0x4cc5d4becb3e42b6), U64(0x597f299cfc657e2a), 118 U64(0x5fcb6fab3ad6faec), U64(0x6c44198c4a475817), 119 }; 120 121 #if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) 122 # if defined(__x86_64) || defined(__x86_64__) 123 # define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x))); \ 124 asm ("bswapq %0" \ 125 : "=r"(ret) \ 126 : "0"(ret)); ret; }) 127 # elif (defined(__i386) || defined(__i386__)) 128 # define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\ 129 unsigned int hi=p[0],lo=p[1]; \ 130 asm ("bswapl %0; bswapl %1;" \ 131 : "=r"(lo),"=r"(hi) \ 132 : "0"(lo),"1"(hi)); \ 133 ((SHA_LONG64)hi)<<32|lo; }) 134 # endif 135 #endif 136 137 #ifndef PULL64 138 #if BYTE_ORDER == BIG_ENDIAN 139 #define PULL64(x) (x) 140 #else 141 #define B(x, j) (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8)) 142 #define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7)) 143 #endif 144 #endif 145 146 #define ROTR(x, s) crypto_ror_u64(x, s) 147 148 #define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) 149 #define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) 150 #define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7)) 151 #define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6)) 152 153 #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z))) 154 #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 155 156 #define ROUND_00_15(i, a, b, c, d, e, f, g, h, Wt) do { \ 157 T1 = h + Sigma1(e) + Ch(e, f, g) + K512[i] + Wt; \ 158 T2 = Sigma0(a) + Maj(a, b, c); \ 159 d += T1; \ 160 h = T1 + T2; \ 161 } while (0) 162 163 #define ROUND_16_80(i, j, a, b, c, d, e, f, g, h, X) do { \ 164 s0 = sigma0(X[(j + 1) & 0x0f]); \ 165 s1 = sigma1(X[(j + 14) & 0x0f]); \ 166 X[(j) & 0x0f] += s0 + s1 + X[(j + 9) & 0x0f]; \ 167 ROUND_00_15(i + j, a, b, c, d, e, f, g, h, X[(j) & 0x0f]); \ 168 } while (0) 169 170 static void 171 sha512_block_data_order(SHA512_CTX *ctx, const void *_in, size_t num) 172 { 173 const SHA_LONG64 *in = _in; 174 SHA_LONG64 a, b, c, d, e, f, g, h, s0, s1, T1, T2; 175 SHA_LONG64 X[16]; 176 int i; 177 178 while (num--) { 179 a = ctx->h[0]; 180 b = ctx->h[1]; 181 c = ctx->h[2]; 182 d = ctx->h[3]; 183 e = ctx->h[4]; 184 f = ctx->h[5]; 185 g = ctx->h[6]; 186 h = ctx->h[7]; 187 188 X[0] = PULL64(in[0]); 189 ROUND_00_15(0, a, b, c, d, e, f, g, h, X[0]); 190 X[1] = PULL64(in[1]); 191 ROUND_00_15(1, h, a, b, c, d, e, f, g, X[1]); 192 X[2] = PULL64(in[2]); 193 ROUND_00_15(2, g, h, a, b, c, d, e, f, X[2]); 194 X[3] = PULL64(in[3]); 195 ROUND_00_15(3, f, g, h, a, b, c, d, e, X[3]); 196 X[4] = PULL64(in[4]); 197 ROUND_00_15(4, e, f, g, h, a, b, c, d, X[4]); 198 X[5] = PULL64(in[5]); 199 ROUND_00_15(5, d, e, f, g, h, a, b, c, X[5]); 200 X[6] = PULL64(in[6]); 201 ROUND_00_15(6, c, d, e, f, g, h, a, b, X[6]); 202 X[7] = PULL64(in[7]); 203 ROUND_00_15(7, b, c, d, e, f, g, h, a, X[7]); 204 X[8] = PULL64(in[8]); 205 ROUND_00_15(8, a, b, c, d, e, f, g, h, X[8]); 206 X[9] = PULL64(in[9]); 207 ROUND_00_15(9, h, a, b, c, d, e, f, g, X[9]); 208 X[10] = PULL64(in[10]); 209 ROUND_00_15(10, g, h, a, b, c, d, e, f, X[10]); 210 X[11] = PULL64(in[11]); 211 ROUND_00_15(11, f, g, h, a, b, c, d, e, X[11]); 212 X[12] = PULL64(in[12]); 213 ROUND_00_15(12, e, f, g, h, a, b, c, d, X[12]); 214 X[13] = PULL64(in[13]); 215 ROUND_00_15(13, d, e, f, g, h, a, b, c, X[13]); 216 X[14] = PULL64(in[14]); 217 ROUND_00_15(14, c, d, e, f, g, h, a, b, X[14]); 218 X[15] = PULL64(in[15]); 219 ROUND_00_15(15, b, c, d, e, f, g, h, a, X[15]); 220 221 for (i = 16; i < 80; i += 16) { 222 ROUND_16_80(i, 0, a, b, c, d, e, f, g, h, X); 223 ROUND_16_80(i, 1, h, a, b, c, d, e, f, g, X); 224 ROUND_16_80(i, 2, g, h, a, b, c, d, e, f, X); 225 ROUND_16_80(i, 3, f, g, h, a, b, c, d, e, X); 226 ROUND_16_80(i, 4, e, f, g, h, a, b, c, d, X); 227 ROUND_16_80(i, 5, d, e, f, g, h, a, b, c, X); 228 ROUND_16_80(i, 6, c, d, e, f, g, h, a, b, X); 229 ROUND_16_80(i, 7, b, c, d, e, f, g, h, a, X); 230 ROUND_16_80(i, 8, a, b, c, d, e, f, g, h, X); 231 ROUND_16_80(i, 9, h, a, b, c, d, e, f, g, X); 232 ROUND_16_80(i, 10, g, h, a, b, c, d, e, f, X); 233 ROUND_16_80(i, 11, f, g, h, a, b, c, d, e, X); 234 ROUND_16_80(i, 12, e, f, g, h, a, b, c, d, X); 235 ROUND_16_80(i, 13, d, e, f, g, h, a, b, c, X); 236 ROUND_16_80(i, 14, c, d, e, f, g, h, a, b, X); 237 ROUND_16_80(i, 15, b, c, d, e, f, g, h, a, X); 238 } 239 240 ctx->h[0] += a; 241 ctx->h[1] += b; 242 ctx->h[2] += c; 243 ctx->h[3] += d; 244 ctx->h[4] += e; 245 ctx->h[5] += f; 246 ctx->h[6] += g; 247 ctx->h[7] += h; 248 249 in += SHA_LBLOCK; 250 } 251 } 252 253 #endif /* SHA512_ASM */ 254 255 int 256 SHA384_Init(SHA512_CTX *c) 257 { 258 memset(c, 0, sizeof(*c)); 259 260 c->h[0] = U64(0xcbbb9d5dc1059ed8); 261 c->h[1] = U64(0x629a292a367cd507); 262 c->h[2] = U64(0x9159015a3070dd17); 263 c->h[3] = U64(0x152fecd8f70e5939); 264 c->h[4] = U64(0x67332667ffc00b31); 265 c->h[5] = U64(0x8eb44a8768581511); 266 c->h[6] = U64(0xdb0c2e0d64f98fa7); 267 c->h[7] = U64(0x47b5481dbefa4fa4); 268 269 c->md_len = SHA384_DIGEST_LENGTH; 270 271 return 1; 272 } 273 274 int 275 SHA384_Update(SHA512_CTX *c, const void *data, size_t len) 276 { 277 return SHA512_Update(c, data, len); 278 } 279 280 int 281 SHA384_Final(unsigned char *md, SHA512_CTX *c) 282 { 283 return SHA512_Final(md, c); 284 } 285 286 unsigned char * 287 SHA384(const unsigned char *d, size_t n, unsigned char *md) 288 { 289 SHA512_CTX c; 290 static unsigned char m[SHA384_DIGEST_LENGTH]; 291 292 if (md == NULL) 293 md = m; 294 295 SHA384_Init(&c); 296 SHA512_Update(&c, d, n); 297 SHA512_Final(md, &c); 298 299 explicit_bzero(&c, sizeof(c)); 300 301 return (md); 302 } 303 304 int 305 SHA512_Init(SHA512_CTX *c) 306 { 307 memset(c, 0, sizeof(*c)); 308 309 c->h[0] = U64(0x6a09e667f3bcc908); 310 c->h[1] = U64(0xbb67ae8584caa73b); 311 c->h[2] = U64(0x3c6ef372fe94f82b); 312 c->h[3] = U64(0xa54ff53a5f1d36f1); 313 c->h[4] = U64(0x510e527fade682d1); 314 c->h[5] = U64(0x9b05688c2b3e6c1f); 315 c->h[6] = U64(0x1f83d9abfb41bd6b); 316 c->h[7] = U64(0x5be0cd19137e2179); 317 318 c->md_len = SHA512_DIGEST_LENGTH; 319 320 return 1; 321 } 322 323 void 324 SHA512_Transform(SHA512_CTX *c, const unsigned char *data) 325 { 326 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA 327 if ((size_t)data % sizeof(c->u.d[0]) != 0) { 328 memcpy(c->u.p, data, sizeof(c->u.p)); 329 data = c->u.p; 330 } 331 #endif 332 sha512_block_data_order(c, data, 1); 333 } 334 335 int 336 SHA512_Update(SHA512_CTX *c, const void *_data, size_t len) 337 { 338 SHA_LONG64 l; 339 unsigned char *p = c->u.p; 340 const unsigned char *data = (const unsigned char *)_data; 341 342 if (len == 0) 343 return 1; 344 345 l = (c->Nl + (((SHA_LONG64)len) << 3))&U64(0xffffffffffffffff); 346 if (l < c->Nl) 347 c->Nh++; 348 if (sizeof(len) >= 8) 349 c->Nh += (((SHA_LONG64)len) >> 61); 350 c->Nl = l; 351 352 if (c->num != 0) { 353 size_t n = sizeof(c->u) - c->num; 354 355 if (len < n) { 356 memcpy(p + c->num, data, len); 357 c->num += (unsigned int)len; 358 return 1; 359 } else{ 360 memcpy(p + c->num, data, n); 361 c->num = 0; 362 len -= n; 363 data += n; 364 sha512_block_data_order(c, p, 1); 365 } 366 } 367 368 if (len >= sizeof(c->u)) { 369 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA 370 if ((size_t)data % sizeof(c->u.d[0]) != 0) { 371 while (len >= sizeof(c->u)) { 372 memcpy(p, data, sizeof(c->u)); 373 sha512_block_data_order(c, p, 1); 374 len -= sizeof(c->u); 375 data += sizeof(c->u); 376 } 377 } else 378 #endif 379 { 380 sha512_block_data_order(c, data, len/sizeof(c->u)); 381 data += len; 382 len %= sizeof(c->u); 383 data -= len; 384 } 385 } 386 387 if (len != 0) { 388 memcpy(p, data, len); 389 c->num = (int)len; 390 } 391 392 return 1; 393 } 394 395 int 396 SHA512_Final(unsigned char *md, SHA512_CTX *c) 397 { 398 unsigned char *p = (unsigned char *)c->u.p; 399 size_t n = c->num; 400 401 p[n]=0x80; /* There always is a room for one */ 402 n++; 403 if (n > (sizeof(c->u) - 16)) { 404 memset(p + n, 0, sizeof(c->u) - n); 405 n = 0; 406 sha512_block_data_order(c, p, 1); 407 } 408 409 memset(p + n, 0, sizeof(c->u) - 16 - n); 410 c->u.d[SHA_LBLOCK - 2] = htobe64(c->Nh); 411 c->u.d[SHA_LBLOCK - 1] = htobe64(c->Nl); 412 413 sha512_block_data_order(c, p, 1); 414 415 if (md == NULL) 416 return 0; 417 418 /* Let compiler decide if it's appropriate to unroll... */ 419 switch (c->md_len) { 420 case SHA512_224_DIGEST_LENGTH: 421 for (n = 0; n < SHA512_224_DIGEST_LENGTH/8; n++) { 422 crypto_store_htobe64(md, c->h[n]); 423 md += 8; 424 } 425 crypto_store_htobe32(md, c->h[n] >> 32); 426 break; 427 case SHA512_256_DIGEST_LENGTH: 428 for (n = 0; n < SHA512_256_DIGEST_LENGTH/8; n++) { 429 crypto_store_htobe64(md, c->h[n]); 430 md += 8; 431 } 432 break; 433 case SHA384_DIGEST_LENGTH: 434 for (n = 0; n < SHA384_DIGEST_LENGTH/8; n++) { 435 crypto_store_htobe64(md, c->h[n]); 436 md += 8; 437 } 438 break; 439 case SHA512_DIGEST_LENGTH: 440 for (n = 0; n < SHA512_DIGEST_LENGTH/8; n++) { 441 crypto_store_htobe64(md, c->h[n]); 442 md += 8; 443 } 444 break; 445 default: 446 return 0; 447 } 448 449 return 1; 450 } 451 452 unsigned char * 453 SHA512(const unsigned char *d, size_t n, unsigned char *md) 454 { 455 SHA512_CTX c; 456 static unsigned char m[SHA512_DIGEST_LENGTH]; 457 458 if (md == NULL) 459 md = m; 460 461 SHA512_Init(&c); 462 SHA512_Update(&c, d, n); 463 SHA512_Final(md, &c); 464 465 explicit_bzero(&c, sizeof(c)); 466 467 return (md); 468 } 469 470 int 471 SHA512_224_Init(SHA512_CTX *c) 472 { 473 memset(c, 0, sizeof(*c)); 474 475 /* FIPS 180-4 section 5.3.6.1. */ 476 c->h[0] = U64(0x8c3d37c819544da2); 477 c->h[1] = U64(0x73e1996689dcd4d6); 478 c->h[2] = U64(0x1dfab7ae32ff9c82); 479 c->h[3] = U64(0x679dd514582f9fcf); 480 c->h[4] = U64(0x0f6d2b697bd44da8); 481 c->h[5] = U64(0x77e36f7304c48942); 482 c->h[6] = U64(0x3f9d85a86a1d36c8); 483 c->h[7] = U64(0x1112e6ad91d692a1); 484 485 c->md_len = SHA512_224_DIGEST_LENGTH; 486 487 return 1; 488 } 489 490 int 491 SHA512_224_Update(SHA512_CTX *c, const void *data, size_t len) 492 { 493 return SHA512_Update(c, data, len); 494 } 495 496 int 497 SHA512_224_Final(unsigned char *md, SHA512_CTX *c) 498 { 499 return SHA512_Final(md, c); 500 } 501 502 int 503 SHA512_256_Init(SHA512_CTX *c) 504 { 505 memset(c, 0, sizeof(*c)); 506 507 /* FIPS 180-4 section 5.3.6.2. */ 508 c->h[0] = U64(0x22312194fc2bf72c); 509 c->h[1] = U64(0x9f555fa3c84c64c2); 510 c->h[2] = U64(0x2393b86b6f53b151); 511 c->h[3] = U64(0x963877195940eabd); 512 c->h[4] = U64(0x96283ee2a88effe3); 513 c->h[5] = U64(0xbe5e1e2553863992); 514 c->h[6] = U64(0x2b0199fc2c85b8aa); 515 c->h[7] = U64(0x0eb72ddc81c52ca2); 516 517 c->md_len = SHA512_256_DIGEST_LENGTH; 518 519 return 1; 520 } 521 522 int 523 SHA512_256_Update(SHA512_CTX *c, const void *data, size_t len) 524 { 525 return SHA512_Update(c, data, len); 526 } 527 528 int 529 SHA512_256_Final(unsigned char *md, SHA512_CTX *c) 530 { 531 return SHA512_Final(md, c); 532 } 533 534 #endif /* !OPENSSL_NO_SHA512 */ 535