Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / avb / 1614f552a53d9dcd85ff404156422d935ebdb1a4 / . / libavb / avb_sha512.c
blob: 8df63193c97792a558690ebe75d44a13e29995fa [file] [log] [blame]
David Zeuthen21e95262016-07-27 17:58:40 -0400[diff] [blame]1/* SHA-256 and SHA-512 implementation based on code by Oliver Gay
2 * <olivier.gay@a3.epfl.ch> under a BSD-style license. See below.
3 */
4
5/*
6 * FIPS 180-2 SHA-224/256/384/512 implementation
7 * Last update: 02/02/2007
8 * Issue date: 04/30/2005
9 *
10 * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
11 * All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. Neither the name of the project nor the names of its contributors
22 * may be used to endorse or promote products derived from this software
23 * without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 */
37
38#include "avb_sha.h"
39
40#define SHFR(x, n) (x >> n)
41#define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n)))
42#define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n)))
43#define CH(x, y, z) ((x & y) ^ (~x & z))
44#define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
45
46#define SHA512_F1(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
47#define SHA512_F2(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
48#define SHA512_F3(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHFR(x, 7))
49#define SHA512_F4(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHFR(x, 6))
50
51#define UNPACK32(x, str) \
52 { \
53 *((str) + 3) = (uint8_t)((x)); \
54 *((str) + 2) = (uint8_t)((x) >> 8); \
55 *((str) + 1) = (uint8_t)((x) >> 16); \
56 *((str) + 0) = (uint8_t)((x) >> 24); \
57 }
58
59#define UNPACK64(x, str) \
60 { \
61 *((str) + 7) = (uint8_t)x; \
62 *((str) + 6) = (uint8_t)((uint64_t)x >> 8); \
63 *((str) + 5) = (uint8_t)((uint64_t)x >> 16); \
64 *((str) + 4) = (uint8_t)((uint64_t)x >> 24); \
65 *((str) + 3) = (uint8_t)((uint64_t)x >> 32); \
66 *((str) + 2) = (uint8_t)((uint64_t)x >> 40); \
67 *((str) + 1) = (uint8_t)((uint64_t)x >> 48); \
68 *((str) + 0) = (uint8_t)((uint64_t)x >> 56); \
69 }
70
71#define PACK64(str, x) \
72 { \
73 *(x) = \
74 ((uint64_t) * ((str) + 7)) | ((uint64_t) * ((str) + 6) << 8) | \
75 ((uint64_t) * ((str) + 5) << 16) | ((uint64_t) * ((str) + 4) << 24) | \
76 ((uint64_t) * ((str) + 3) << 32) | ((uint64_t) * ((str) + 2) << 40) | \
77 ((uint64_t) * ((str) + 1) << 48) | ((uint64_t) * ((str) + 0) << 56); \
78 }
79
80/* Macros used for loops unrolling */
81
82#define SHA512_SCR(i) \
83 { w[i] = SHA512_F4(w[i - 2]) + w[i - 7] + SHA512_F3(w[i - 15]) + w[i - 16]; }
84
85#define SHA512_EXP(a, b, c, d, e, f, g, h, j) \
86 { \
87 t1 = wv[h] + SHA512_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) + sha512_k[j] + \
88 w[j]; \
89 t2 = SHA512_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
90 wv[d] += t1; \
91 wv[h] = t1 + t2; \
92 }
93
David Zeuthen4b6a6342017-01-03 15:19:56 -0500[diff] [blame]94static const uint64_t sha512_h0[8] = {0x6a09e667f3bcc908ULL,
95 0xbb67ae8584caa73bULL,
96 0x3c6ef372fe94f82bULL,
97 0xa54ff53a5f1d36f1ULL,
98 0x510e527fade682d1ULL,
99 0x9b05688c2b3e6c1fULL,
100 0x1f83d9abfb41bd6bULL,
101 0x5be0cd19137e2179ULL};
David Zeuthen21e95262016-07-27 17:58:40 -0400[diff] [blame]102
103static const uint64_t sha512_k[80] = {
104 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL,
105 0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
106 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL,
107 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
108 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL,
109 0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
110 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL,
111 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
112 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL,
113 0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
114 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL,
115 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
116 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL,
117 0x92722c851482353bULL, 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
118 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL,
119 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
120 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL,
121 0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
122 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL,
123 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
124 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL,
125 0xc67178f2e372532bULL, 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
126 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL,
127 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
128 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL,
129 0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
130 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL};
131
132/* SHA-512 implementation */
133
134void avb_sha512_init(AvbSHA512Ctx* ctx) {
135#ifdef UNROLL_LOOPS_SHA512
136 ctx->h[0] = sha512_h0[0];
137 ctx->h[1] = sha512_h0[1];
138 ctx->h[2] = sha512_h0[2];
139 ctx->h[3] = sha512_h0[3];
140 ctx->h[4] = sha512_h0[4];
141 ctx->h[5] = sha512_h0[5];
142 ctx->h[6] = sha512_h0[6];
143 ctx->h[7] = sha512_h0[7];
144#else
145 int i;
146
David Zeuthen4b6a6342017-01-03 15:19:56 -0500[diff] [blame]147 for (i = 0; i < 8; i++)
148 ctx->h[i] = sha512_h0[i];
David Zeuthen21e95262016-07-27 17:58:40 -0400[diff] [blame]149#endif /* UNROLL_LOOPS_SHA512 */
150
151 ctx->len = 0;
152 ctx->tot_len = 0;
153}
154
David Zeuthen4b6a6342017-01-03 15:19:56 -0500[diff] [blame]155static void SHA512_transform(AvbSHA512Ctx* ctx,
156 const uint8_t* message,
David Zeuthen21e95262016-07-27 17:58:40 -0400[diff] [blame]157 unsigned int block_nb) {
158 uint64_t w[80];
159 uint64_t wv[8];
160 uint64_t t1, t2;
161 const uint8_t* sub_block;
162 int i, j;
163
164 for (i = 0; i < (int)block_nb; i++) {
165 sub_block = message + (i << 7);
166
167#ifdef UNROLL_LOOPS_SHA512
168 PACK64(&sub_block[0], &w[0]);
169 PACK64(&sub_block[8], &w[1]);
170 PACK64(&sub_block[16], &w[2]);
171 PACK64(&sub_block[24], &w[3]);
172 PACK64(&sub_block[32], &w[4]);
173 PACK64(&sub_block[40], &w[5]);
174 PACK64(&sub_block[48], &w[6]);
175 PACK64(&sub_block[56], &w[7]);
176 PACK64(&sub_block[64], &w[8]);
177 PACK64(&sub_block[72], &w[9]);
178 PACK64(&sub_block[80], &w[10]);
179 PACK64(&sub_block[88], &w[11]);
180 PACK64(&sub_block[96], &w[12]);
181 PACK64(&sub_block[104], &w[13]);
182 PACK64(&sub_block[112], &w[14]);
183 PACK64(&sub_block[120], &w[15]);
184
185 SHA512_SCR(16);
186 SHA512_SCR(17);
187 SHA512_SCR(18);
188 SHA512_SCR(19);
189 SHA512_SCR(20);
190 SHA512_SCR(21);
191 SHA512_SCR(22);
192 SHA512_SCR(23);
193 SHA512_SCR(24);
194 SHA512_SCR(25);
195 SHA512_SCR(26);
196 SHA512_SCR(27);
197 SHA512_SCR(28);
198 SHA512_SCR(29);
199 SHA512_SCR(30);
200 SHA512_SCR(31);
201 SHA512_SCR(32);
202 SHA512_SCR(33);
203 SHA512_SCR(34);
204 SHA512_SCR(35);
205 SHA512_SCR(36);
206 SHA512_SCR(37);
207 SHA512_SCR(38);
208 SHA512_SCR(39);
209 SHA512_SCR(40);
210 SHA512_SCR(41);
211 SHA512_SCR(42);
212 SHA512_SCR(43);
213 SHA512_SCR(44);
214 SHA512_SCR(45);
215 SHA512_SCR(46);
216 SHA512_SCR(47);
217 SHA512_SCR(48);
218 SHA512_SCR(49);
219 SHA512_SCR(50);
220 SHA512_SCR(51);
221 SHA512_SCR(52);
222 SHA512_SCR(53);
223 SHA512_SCR(54);
224 SHA512_SCR(55);
225 SHA512_SCR(56);
226 SHA512_SCR(57);
227 SHA512_SCR(58);
228 SHA512_SCR(59);
229 SHA512_SCR(60);
230 SHA512_SCR(61);
231 SHA512_SCR(62);
232 SHA512_SCR(63);
233 SHA512_SCR(64);
234 SHA512_SCR(65);
235 SHA512_SCR(66);
236 SHA512_SCR(67);
237 SHA512_SCR(68);
238 SHA512_SCR(69);
239 SHA512_SCR(70);
240 SHA512_SCR(71);
241 SHA512_SCR(72);
242 SHA512_SCR(73);
243 SHA512_SCR(74);
244 SHA512_SCR(75);
245 SHA512_SCR(76);
246 SHA512_SCR(77);
247 SHA512_SCR(78);
248 SHA512_SCR(79);
249
250 wv[0] = ctx->h[0];
251 wv[1] = ctx->h[1];
252 wv[2] = ctx->h[2];
253 wv[3] = ctx->h[3];
254 wv[4] = ctx->h[4];
255 wv[5] = ctx->h[5];
256 wv[6] = ctx->h[6];
257 wv[7] = ctx->h[7];
258
259 j = 0;
260
261 do {
262 SHA512_EXP(0, 1, 2, 3, 4, 5, 6, 7, j);
263 j++;
264 SHA512_EXP(7, 0, 1, 2, 3, 4, 5, 6, j);
265 j++;
266 SHA512_EXP(6, 7, 0, 1, 2, 3, 4, 5, j);
267 j++;
268 SHA512_EXP(5, 6, 7, 0, 1, 2, 3, 4, j);
269 j++;
270 SHA512_EXP(4, 5, 6, 7, 0, 1, 2, 3, j);
271 j++;
272 SHA512_EXP(3, 4, 5, 6, 7, 0, 1, 2, j);
273 j++;
274 SHA512_EXP(2, 3, 4, 5, 6, 7, 0, 1, j);
275 j++;
276 SHA512_EXP(1, 2, 3, 4, 5, 6, 7, 0, j);
277 j++;
278 } while (j < 80);
279
280 ctx->h[0] += wv[0];
281 ctx->h[1] += wv[1];
282 ctx->h[2] += wv[2];
283 ctx->h[3] += wv[3];
284 ctx->h[4] += wv[4];
285 ctx->h[5] += wv[5];
286 ctx->h[6] += wv[6];
287 ctx->h[7] += wv[7];
288#else
289 for (j = 0; j < 16; j++) {
290 PACK64(&sub_block[j << 3], &w[j]);
291 }
292
293 for (j = 16; j < 80; j++) {
294 SHA512_SCR(j);
295 }
296
297 for (j = 0; j < 8; j++) {
298 wv[j] = ctx->h[j];
299 }
300
301 for (j = 0; j < 80; j++) {
302 t1 = wv[7] + SHA512_F2(wv[4]) + CH(wv[4], wv[5], wv[6]) + sha512_k[j] +
303 w[j];
304 t2 = SHA512_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
305 wv[7] = wv[6];
306 wv[6] = wv[5];
307 wv[5] = wv[4];
308 wv[4] = wv[3] + t1;
309 wv[3] = wv[2];
310 wv[2] = wv[1];
311 wv[1] = wv[0];
312 wv[0] = t1 + t2;
313 }
314
David Zeuthen4b6a6342017-01-03 15:19:56 -0500[diff] [blame]315 for (j = 0; j < 8; j++)
316 ctx->h[j] += wv[j];
David Zeuthen21e95262016-07-27 17:58:40 -0400[diff] [blame]317#endif /* UNROLL_LOOPS_SHA512 */
318 }
319}
320
321void avb_sha512_update(AvbSHA512Ctx* ctx, const uint8_t* data, uint32_t len) {
322 unsigned int block_nb;
323 unsigned int new_len, rem_len, tmp_len;
324 const uint8_t* shifted_data;
325
326 tmp_len = AVB_SHA512_BLOCK_SIZE - ctx->len;
327 rem_len = len < tmp_len ? len : tmp_len;
328
329 avb_memcpy(&ctx->block[ctx->len], data, rem_len);
330
331 if (ctx->len + len < AVB_SHA512_BLOCK_SIZE) {
332 ctx->len += len;
333 return;
334 }
335
336 new_len = len - rem_len;
337 block_nb = new_len / AVB_SHA512_BLOCK_SIZE;
338
339 shifted_data = data + rem_len;
340
341 SHA512_transform(ctx, ctx->block, 1);
342 SHA512_transform(ctx, shifted_data, block_nb);
343
344 rem_len = new_len % AVB_SHA512_BLOCK_SIZE;
345
346 avb_memcpy(ctx->block, &shifted_data[block_nb << 7], rem_len);
347
348 ctx->len = rem_len;
349 ctx->tot_len += (block_nb + 1) << 7;
350}
351
352uint8_t* avb_sha512_final(AvbSHA512Ctx* ctx) {
353 unsigned int block_nb;
354 unsigned int pm_len;
355 unsigned int len_b;
356
357#ifndef UNROLL_LOOPS_SHA512
358 int i;
359#endif
360
361 block_nb =
362 1 + ((AVB_SHA512_BLOCK_SIZE - 17) < (ctx->len % AVB_SHA512_BLOCK_SIZE));
363
364 len_b = (ctx->tot_len + ctx->len) << 3;
365 pm_len = block_nb << 7;
366
367 avb_memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
368 ctx->block[ctx->len] = 0x80;
369 UNPACK32(len_b, ctx->block + pm_len - 4);
370
371 SHA512_transform(ctx, ctx->block, block_nb);
372
373#ifdef UNROLL_LOOPS_SHA512
374 UNPACK64(ctx->h[0], &ctx->buf[0]);
375 UNPACK64(ctx->h[1], &ctx->buf[8]);
376 UNPACK64(ctx->h[2], &ctx->buf[16]);
377 UNPACK64(ctx->h[3], &ctx->buf[24]);
378 UNPACK64(ctx->h[4], &ctx->buf[32]);
379 UNPACK64(ctx->h[5], &ctx->buf[40]);
380 UNPACK64(ctx->h[6], &ctx->buf[48]);
381 UNPACK64(ctx->h[7], &ctx->buf[56]);
382#else
David Zeuthen4b6a6342017-01-03 15:19:56 -0500[diff] [blame]383 for (i = 0; i < 8; i++)
384 UNPACK64(ctx->h[i], &ctx->buf[i << 3]);
David Zeuthen21e95262016-07-27 17:58:40 -0400[diff] [blame]385#endif /* UNROLL_LOOPS_SHA512 */
386
387 return ctx->buf;
388}