1 /* SHA-256 and SHA-512 implementation based on code by Oliver Gay 2 * <olivier.gay (at) a3.epfl.ch> under a BSD-style license. See below. 3 */ 4 5 /* 6 * FIPS 180-2 SHA-224/256/384/512 implementation 7 * Last update: 02/02/2007 8 * Issue date: 04/30/2005 9 * 10 * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay (at) a3.epfl.ch> 11 * All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of the project nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 */ 37 38 #include "avb_sha.h" 39 40 #define SHFR(x, n) (x >> n) 41 #define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n))) 42 #define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n))) 43 #define CH(x, y, z) ((x & y) ^ (~x & z)) 44 #define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) 45 46 #define SHA512_F1(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39)) 47 #define SHA512_F2(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41)) 48 #define SHA512_F3(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHFR(x, 7)) 49 #define SHA512_F4(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHFR(x, 6)) 50 51 #define UNPACK32(x, str) \ 52 { \ 53 *((str) + 3) = (uint8_t)((x)); \ 54 *((str) + 2) = (uint8_t)((x) >> 8); \ 55 *((str) + 1) = (uint8_t)((x) >> 16); \ 56 *((str) + 0) = (uint8_t)((x) >> 24); \ 57 } 58 59 #define UNPACK64(x, str) \ 60 { \ 61 *((str) + 7) = (uint8_t)x; \ 62 *((str) + 6) = (uint8_t)((uint64_t)x >> 8); \ 63 *((str) + 5) = (uint8_t)((uint64_t)x >> 16); \ 64 *((str) + 4) = (uint8_t)((uint64_t)x >> 24); \ 65 *((str) + 3) = (uint8_t)((uint64_t)x >> 32); \ 66 *((str) + 2) = (uint8_t)((uint64_t)x >> 40); \ 67 *((str) + 1) = (uint8_t)((uint64_t)x >> 48); \ 68 *((str) + 0) = (uint8_t)((uint64_t)x >> 56); \ 69 } 70 71 #define PACK64(str, x) \ 72 { \ 73 *(x) = \ 74 ((uint64_t) * ((str) + 7)) | ((uint64_t) * ((str) + 6) << 8) | \ 75 ((uint64_t) * ((str) + 5) << 16) | ((uint64_t) * ((str) + 4) << 24) | \ 76 ((uint64_t) * ((str) + 3) << 32) | ((uint64_t) * ((str) + 2) << 40) | \ 77 ((uint64_t) * ((str) + 1) << 48) | ((uint64_t) * ((str) + 0) << 56); \ 78 } 79 80 /* Macros used for loops unrolling */ 81 82 #define SHA512_SCR(i) \ 83 { w[i] = SHA512_F4(w[i - 2]) + w[i - 7] + SHA512_F3(w[i - 15]) + w[i - 16]; } 84 85 #define SHA512_EXP(a, b, c, d, e, f, g, h, j) \ 86 { \ 87 t1 = wv[h] + SHA512_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) + sha512_k[j] + \ 88 w[j]; \ 89 t2 = SHA512_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \ 90 wv[d] += t1; \ 91 wv[h] = t1 + t2; \ 92 } 93 94 static const uint64_t sha512_h0[8] = {0x6a09e667f3bcc908ULL, 95 0xbb67ae8584caa73bULL, 96 0x3c6ef372fe94f82bULL, 97 0xa54ff53a5f1d36f1ULL, 98 0x510e527fade682d1ULL, 99 0x9b05688c2b3e6c1fULL, 100 0x1f83d9abfb41bd6bULL, 101 0x5be0cd19137e2179ULL}; 102 103 static const uint64_t sha512_k[80] = { 104 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 105 0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 106 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL, 107 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 108 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, 109 0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 110 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL, 111 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 112 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 113 0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 114 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL, 115 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 116 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 117 0x92722c851482353bULL, 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 118 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL, 119 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 120 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, 121 0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 122 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL, 123 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 124 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 125 0xc67178f2e372532bULL, 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 126 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL, 127 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 128 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, 129 0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 130 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL}; 131 132 /* SHA-512 implementation */ 133 134 void avb_sha512_init(AvbSHA512Ctx* ctx) { 135 #ifdef UNROLL_LOOPS_SHA512 136 ctx->h[0] = sha512_h0[0]; 137 ctx->h[1] = sha512_h0[1]; 138 ctx->h[2] = sha512_h0[2]; 139 ctx->h[3] = sha512_h0[3]; 140 ctx->h[4] = sha512_h0[4]; 141 ctx->h[5] = sha512_h0[5]; 142 ctx->h[6] = sha512_h0[6]; 143 ctx->h[7] = sha512_h0[7]; 144 #else 145 int i; 146 147 for (i = 0; i < 8; i++) 148 ctx->h[i] = sha512_h0[i]; 149 #endif /* UNROLL_LOOPS_SHA512 */ 150 151 ctx->len = 0; 152 ctx->tot_len = 0; 153 } 154 155 static void SHA512_transform(AvbSHA512Ctx* ctx, 156 const uint8_t* message, 157 unsigned int block_nb) { 158 uint64_t w[80]; 159 uint64_t wv[8]; 160 uint64_t t1, t2; 161 const uint8_t* sub_block; 162 int i, j; 163 164 for (i = 0; i < (int)block_nb; i++) { 165 sub_block = message + (i << 7); 166 167 #ifdef UNROLL_LOOPS_SHA512 168 PACK64(&sub_block[0], &w[0]); 169 PACK64(&sub_block[8], &w[1]); 170 PACK64(&sub_block[16], &w[2]); 171 PACK64(&sub_block[24], &w[3]); 172 PACK64(&sub_block[32], &w[4]); 173 PACK64(&sub_block[40], &w[5]); 174 PACK64(&sub_block[48], &w[6]); 175 PACK64(&sub_block[56], &w[7]); 176 PACK64(&sub_block[64], &w[8]); 177 PACK64(&sub_block[72], &w[9]); 178 PACK64(&sub_block[80], &w[10]); 179 PACK64(&sub_block[88], &w[11]); 180 PACK64(&sub_block[96], &w[12]); 181 PACK64(&sub_block[104], &w[13]); 182 PACK64(&sub_block[112], &w[14]); 183 PACK64(&sub_block[120], &w[15]); 184 185 SHA512_SCR(16); 186 SHA512_SCR(17); 187 SHA512_SCR(18); 188 SHA512_SCR(19); 189 SHA512_SCR(20); 190 SHA512_SCR(21); 191 SHA512_SCR(22); 192 SHA512_SCR(23); 193 SHA512_SCR(24); 194 SHA512_SCR(25); 195 SHA512_SCR(26); 196 SHA512_SCR(27); 197 SHA512_SCR(28); 198 SHA512_SCR(29); 199 SHA512_SCR(30); 200 SHA512_SCR(31); 201 SHA512_SCR(32); 202 SHA512_SCR(33); 203 SHA512_SCR(34); 204 SHA512_SCR(35); 205 SHA512_SCR(36); 206 SHA512_SCR(37); 207 SHA512_SCR(38); 208 SHA512_SCR(39); 209 SHA512_SCR(40); 210 SHA512_SCR(41); 211 SHA512_SCR(42); 212 SHA512_SCR(43); 213 SHA512_SCR(44); 214 SHA512_SCR(45); 215 SHA512_SCR(46); 216 SHA512_SCR(47); 217 SHA512_SCR(48); 218 SHA512_SCR(49); 219 SHA512_SCR(50); 220 SHA512_SCR(51); 221 SHA512_SCR(52); 222 SHA512_SCR(53); 223 SHA512_SCR(54); 224 SHA512_SCR(55); 225 SHA512_SCR(56); 226 SHA512_SCR(57); 227 SHA512_SCR(58); 228 SHA512_SCR(59); 229 SHA512_SCR(60); 230 SHA512_SCR(61); 231 SHA512_SCR(62); 232 SHA512_SCR(63); 233 SHA512_SCR(64); 234 SHA512_SCR(65); 235 SHA512_SCR(66); 236 SHA512_SCR(67); 237 SHA512_SCR(68); 238 SHA512_SCR(69); 239 SHA512_SCR(70); 240 SHA512_SCR(71); 241 SHA512_SCR(72); 242 SHA512_SCR(73); 243 SHA512_SCR(74); 244 SHA512_SCR(75); 245 SHA512_SCR(76); 246 SHA512_SCR(77); 247 SHA512_SCR(78); 248 SHA512_SCR(79); 249 250 wv[0] = ctx->h[0]; 251 wv[1] = ctx->h[1]; 252 wv[2] = ctx->h[2]; 253 wv[3] = ctx->h[3]; 254 wv[4] = ctx->h[4]; 255 wv[5] = ctx->h[5]; 256 wv[6] = ctx->h[6]; 257 wv[7] = ctx->h[7]; 258 259 j = 0; 260 261 do { 262 SHA512_EXP(0, 1, 2, 3, 4, 5, 6, 7, j); 263 j++; 264 SHA512_EXP(7, 0, 1, 2, 3, 4, 5, 6, j); 265 j++; 266 SHA512_EXP(6, 7, 0, 1, 2, 3, 4, 5, j); 267 j++; 268 SHA512_EXP(5, 6, 7, 0, 1, 2, 3, 4, j); 269 j++; 270 SHA512_EXP(4, 5, 6, 7, 0, 1, 2, 3, j); 271 j++; 272 SHA512_EXP(3, 4, 5, 6, 7, 0, 1, 2, j); 273 j++; 274 SHA512_EXP(2, 3, 4, 5, 6, 7, 0, 1, j); 275 j++; 276 SHA512_EXP(1, 2, 3, 4, 5, 6, 7, 0, j); 277 j++; 278 } while (j < 80); 279 280 ctx->h[0] += wv[0]; 281 ctx->h[1] += wv[1]; 282 ctx->h[2] += wv[2]; 283 ctx->h[3] += wv[3]; 284 ctx->h[4] += wv[4]; 285 ctx->h[5] += wv[5]; 286 ctx->h[6] += wv[6]; 287 ctx->h[7] += wv[7]; 288 #else 289 for (j = 0; j < 16; j++) { 290 PACK64(&sub_block[j << 3], &w[j]); 291 } 292 293 for (j = 16; j < 80; j++) { 294 SHA512_SCR(j); 295 } 296 297 for (j = 0; j < 8; j++) { 298 wv[j] = ctx->h[j]; 299 } 300 301 for (j = 0; j < 80; j++) { 302 t1 = wv[7] + SHA512_F2(wv[4]) + CH(wv[4], wv[5], wv[6]) + sha512_k[j] + 303 w[j]; 304 t2 = SHA512_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]); 305 wv[7] = wv[6]; 306 wv[6] = wv[5]; 307 wv[5] = wv[4]; 308 wv[4] = wv[3] + t1; 309 wv[3] = wv[2]; 310 wv[2] = wv[1]; 311 wv[1] = wv[0]; 312 wv[0] = t1 + t2; 313 } 314 315 for (j = 0; j < 8; j++) 316 ctx->h[j] += wv[j]; 317 #endif /* UNROLL_LOOPS_SHA512 */ 318 } 319 } 320 321 void avb_sha512_update(AvbSHA512Ctx* ctx, const uint8_t* data, uint32_t len) { 322 unsigned int block_nb; 323 unsigned int new_len, rem_len, tmp_len; 324 const uint8_t* shifted_data; 325 326 tmp_len = AVB_SHA512_BLOCK_SIZE - ctx->len; 327 rem_len = len < tmp_len ? len : tmp_len; 328 329 avb_memcpy(&ctx->block[ctx->len], data, rem_len); 330 331 if (ctx->len + len < AVB_SHA512_BLOCK_SIZE) { 332 ctx->len += len; 333 return; 334 } 335 336 new_len = len - rem_len; 337 block_nb = new_len / AVB_SHA512_BLOCK_SIZE; 338 339 shifted_data = data + rem_len; 340 341 SHA512_transform(ctx, ctx->block, 1); 342 SHA512_transform(ctx, shifted_data, block_nb); 343 344 rem_len = new_len % AVB_SHA512_BLOCK_SIZE; 345 346 avb_memcpy(ctx->block, &shifted_data[block_nb << 7], rem_len); 347 348 ctx->len = rem_len; 349 ctx->tot_len += (block_nb + 1) << 7; 350 } 351 352 uint8_t* avb_sha512_final(AvbSHA512Ctx* ctx) { 353 unsigned int block_nb; 354 unsigned int pm_len; 355 unsigned int len_b; 356 357 #ifndef UNROLL_LOOPS_SHA512 358 int i; 359 #endif 360 361 block_nb = 362 1 + ((AVB_SHA512_BLOCK_SIZE - 17) < (ctx->len % AVB_SHA512_BLOCK_SIZE)); 363 364 len_b = (ctx->tot_len + ctx->len) << 3; 365 pm_len = block_nb << 7; 366 367 avb_memset(ctx->block + ctx->len, 0, pm_len - ctx->len); 368 ctx->block[ctx->len] = 0x80; 369 UNPACK32(len_b, ctx->block + pm_len - 4); 370 371 SHA512_transform(ctx, ctx->block, block_nb); 372 373 #ifdef UNROLL_LOOPS_SHA512 374 UNPACK64(ctx->h[0], &ctx->buf[0]); 375 UNPACK64(ctx->h[1], &ctx->buf[8]); 376 UNPACK64(ctx->h[2], &ctx->buf[16]); 377 UNPACK64(ctx->h[3], &ctx->buf[24]); 378 UNPACK64(ctx->h[4], &ctx->buf[32]); 379 UNPACK64(ctx->h[5], &ctx->buf[40]); 380 UNPACK64(ctx->h[6], &ctx->buf[48]); 381 UNPACK64(ctx->h[7], &ctx->buf[56]); 382 #else 383 for (i = 0; i < 8; i++) 384 UNPACK64(ctx->h[i], &ctx->buf[i << 3]); 385 #endif /* UNROLL_LOOPS_SHA512 */ 386 387 return ctx->buf; 388 } 389
