iPXE
sha512.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2015 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  *
19  * You can also choose to distribute this program under the terms of
20  * the Unmodified Binary Distribution Licence (as given in the file
21  * COPYING.UBDL), provided that you have satisfied its requirements.
22  */
23 
24 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25 
26 /** @file
27  *
28  * SHA-512 algorithm
29  *
30  */
31 
32 #include <stdint.h>
33 #include <string.h>
34 #include <byteswap.h>
35 #include <assert.h>
36 #include <ipxe/rotate.h>
37 #include <ipxe/crypto.h>
38 #include <ipxe/asn1.h>
39 #include <ipxe/sha512.h>
40 
41 /** SHA-512 variables */
43  /* This layout matches that of struct sha512_digest_data,
44  * allowing for efficient endianness-conversion,
45  */
55 } __attribute__ (( packed ));
56 
57 /** SHA-512 constants */
58 static const uint64_t k[SHA512_ROUNDS] = {
59  0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL,
60  0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
61  0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL,
62  0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
63  0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL,
64  0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
65  0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL,
66  0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
67  0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL,
68  0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
69  0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL,
70  0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
71  0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL,
72  0x92722c851482353bULL, 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
73  0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL,
74  0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
75  0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL,
76  0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
77  0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL,
78  0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
79  0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL,
80  0xc67178f2e372532bULL, 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
81  0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL,
82  0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
83  0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL,
84  0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
85  0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
86 };
87 
88 /** SHA-512 initial digest values */
89 static const struct sha512_digest sha512_init_digest = {
90  .h = {
91  cpu_to_be64 ( 0x6a09e667f3bcc908ULL ),
92  cpu_to_be64 ( 0xbb67ae8584caa73bULL ),
93  cpu_to_be64 ( 0x3c6ef372fe94f82bULL ),
94  cpu_to_be64 ( 0xa54ff53a5f1d36f1ULL ),
95  cpu_to_be64 ( 0x510e527fade682d1ULL ),
96  cpu_to_be64 ( 0x9b05688c2b3e6c1fULL ),
97  cpu_to_be64 ( 0x1f83d9abfb41bd6bULL ),
98  cpu_to_be64 ( 0x5be0cd19137e2179ULL ),
99  },
100 };
101 
102 /**
103  * Initialise SHA-512 family algorithm
104  *
105  * @v context SHA-512 context
106  * @v init Initial digest values
107  * @v digestsize Digest size
108  */
109 void sha512_family_init ( struct sha512_context *context,
110  const struct sha512_digest *init,
111  size_t digestsize ) {
112 
113  context->len = 0;
114  context->digestsize = digestsize;
115  memcpy ( &context->ddq.dd.digest, init,
116  sizeof ( context->ddq.dd.digest ) );
117 }
118 
119 /**
120  * Initialise SHA-512 algorithm
121  *
122  * @v ctx SHA-512 context
123  */
124 static void sha512_init ( void *ctx ) {
125  struct sha512_context *context = ctx;
126 
128  sizeof ( struct sha512_digest ) );
129 }
130 
131 /**
132  * Calculate SHA-512 digest of accumulated data
133  *
134  * @v context SHA-512 context
135  */
136 static void sha512_digest ( struct sha512_context *context ) {
137  union {
139  struct sha512_variables v;
140  } u;
141  uint64_t *a = &u.v.a;
142  uint64_t *b = &u.v.b;
143  uint64_t *c = &u.v.c;
144  uint64_t *d = &u.v.d;
145  uint64_t *e = &u.v.e;
146  uint64_t *f = &u.v.f;
147  uint64_t *g = &u.v.g;
148  uint64_t *h = &u.v.h;
149  uint64_t *w = u.v.w;
150  uint64_t s0;
151  uint64_t s1;
152  uint64_t maj;
153  uint64_t t1;
154  uint64_t t2;
155  uint64_t ch;
156  unsigned int i;
157 
158  /* Sanity checks */
159  assert ( ( context->len % sizeof ( context->ddq.dd.data ) ) == 0 );
160  linker_assert ( &u.ddq.dd.digest.h[0] == a, sha512_bad_layout );
161  linker_assert ( &u.ddq.dd.digest.h[1] == b, sha512_bad_layout );
162  linker_assert ( &u.ddq.dd.digest.h[2] == c, sha512_bad_layout );
163  linker_assert ( &u.ddq.dd.digest.h[3] == d, sha512_bad_layout );
164  linker_assert ( &u.ddq.dd.digest.h[4] == e, sha512_bad_layout );
165  linker_assert ( &u.ddq.dd.digest.h[5] == f, sha512_bad_layout );
166  linker_assert ( &u.ddq.dd.digest.h[6] == g, sha512_bad_layout );
167  linker_assert ( &u.ddq.dd.digest.h[7] == h, sha512_bad_layout );
168  linker_assert ( &u.ddq.dd.data.qword[0] == w, sha512_bad_layout );
169 
170  DBGC ( context, "SHA512 digesting:\n" );
171  DBGC_HDA ( context, 0, &context->ddq.dd.digest,
172  sizeof ( context->ddq.dd.digest ) );
173  DBGC_HDA ( context, context->len, &context->ddq.dd.data,
174  sizeof ( context->ddq.dd.data ) );
175 
176  /* Convert h[0..7] to host-endian, and initialise a, b, c, d,
177  * e, f, g, h, and w[0..15]
178  */
179  for ( i = 0 ; i < ( sizeof ( u.ddq.qword ) /
180  sizeof ( u.ddq.qword[0] ) ) ; i++ ) {
181  be64_to_cpus ( &context->ddq.qword[i] );
182  u.ddq.qword[i] = context->ddq.qword[i];
183  }
184 
185  /* Initialise w[16..79] */
186  for ( i = 16 ; i < SHA512_ROUNDS ; i++ ) {
187  s0 = ( ror64 ( w[i-15], 1 ) ^ ror64 ( w[i-15], 8 ) ^
188  ( w[i-15] >> 7 ) );
189  s1 = ( ror64 ( w[i-2], 19 ) ^ ror64 ( w[i-2], 61 ) ^
190  ( w[i-2] >> 6 ) );
191  w[i] = ( w[i-16] + s0 + w[i-7] + s1 );
192  }
193 
194  /* Main loop */
195  for ( i = 0 ; i < SHA512_ROUNDS ; i++ ) {
196  s0 = ( ror64 ( *a, 28 ) ^ ror64 ( *a, 34 ) ^ ror64 ( *a, 39 ) );
197  maj = ( ( *a & *b ) ^ ( *a & *c ) ^ ( *b & *c ) );
198  t2 = ( s0 + maj );
199  s1 = ( ror64 ( *e, 14 ) ^ ror64 ( *e, 18 ) ^ ror64 ( *e, 41 ) );
200  ch = ( ( *e & *f ) ^ ( (~*e) & *g ) );
201  t1 = ( *h + s1 + ch + k[i] + w[i] );
202  *h = *g;
203  *g = *f;
204  *f = *e;
205  *e = ( *d + t1 );
206  *d = *c;
207  *c = *b;
208  *b = *a;
209  *a = ( t1 + t2 );
210  DBGC2 ( context, "%2d : %016llx %016llx %016llx %016llx "
211  "%016llx %016llx %016llx %016llx\n",
212  i, *a, *b, *c, *d, *e, *f, *g, *h );
213  }
214 
215  /* Add chunk to hash and convert back to big-endian */
216  for ( i = 0 ; i < 8 ; i++ ) {
217  context->ddq.dd.digest.h[i] =
218  cpu_to_be64 ( context->ddq.dd.digest.h[i] +
219  u.ddq.dd.digest.h[i] );
220  }
221 
222  DBGC ( context, "SHA512 digested:\n" );
223  DBGC_HDA ( context, 0, &context->ddq.dd.digest,
224  sizeof ( context->ddq.dd.digest ) );
225 }
226 
227 /**
228  * Accumulate data with SHA-512 algorithm
229  *
230  * @v ctx SHA-512 context
231  * @v data Data
232  * @v len Length of data
233  */
234 void sha512_update ( void *ctx, const void *data, size_t len ) {
235  struct sha512_context *context = ctx;
236  const uint8_t *byte = data;
237  size_t offset;
238 
239  /* Accumulate data a byte at a time, performing the digest
240  * whenever we fill the data buffer
241  */
242  while ( len-- ) {
243  offset = ( context->len % sizeof ( context->ddq.dd.data ) );
244  context->ddq.dd.data.byte[offset] = *(byte++);
245  context->len++;
246  if ( ( context->len % sizeof ( context->ddq.dd.data ) ) == 0 )
247  sha512_digest ( context );
248  }
249 }
250 
251 /**
252  * Generate SHA-512 digest
253  *
254  * @v ctx SHA-512 context
255  * @v out Output buffer
256  */
257 void sha512_final ( void *ctx, void *out ) {
258  struct sha512_context *context = ctx;
259  uint64_t len_bits_hi;
260  uint64_t len_bits_lo;
261  uint8_t pad;
262 
263  /* Record length before pre-processing */
264  len_bits_hi = 0;
265  len_bits_lo = cpu_to_be64 ( ( ( uint64_t ) context->len ) * 8 );
266 
267  /* Pad with a single "1" bit followed by as many "0" bits as required */
268  pad = 0x80;
269  do {
270  sha512_update ( ctx, &pad, sizeof ( pad ) );
271  pad = 0x00;
272  } while ( ( context->len % sizeof ( context->ddq.dd.data ) ) !=
273  offsetof ( typeof ( context->ddq.dd.data ), final.len_hi ) );
274 
275  /* Append length (in bits) */
276  sha512_update ( ctx, &len_bits_hi, sizeof ( len_bits_hi ) );
277  sha512_update ( ctx, &len_bits_lo, sizeof ( len_bits_lo ) );
278  assert ( ( context->len % sizeof ( context->ddq.dd.data ) ) == 0 );
279 
280  /* Copy out final digest */
281  memcpy ( out, &context->ddq.dd.digest, context->digestsize );
282 }
283 
284 /** SHA-512 algorithm */
286  .name = "sha512",
287  .ctxsize = sizeof ( struct sha512_context ),
288  .blocksize = sizeof ( union sha512_block ),
289  .digestsize = sizeof ( struct sha512_digest ),
290  .init = sha512_init,
291  .update = sha512_update,
292  .final = sha512_final,
293 };
294 
295 /** "sha512" object identifier */
297 
298 /** "sha512" OID-identified algorithm */
299 struct asn1_algorithm oid_sha512_algorithm __asn1_algorithm = {
300  .name = "sha512",
301  .digest = &sha512_algorithm,
302  .oid = ASN1_OID_CURSOR ( oid_sha512 ),
303 };
void sha512_update(void *ctx, const void *data, size_t len)
Accumulate data with SHA-512 algorithm.
Definition: sha512.c:234
#define __attribute__(x)
Definition: compiler.h:10
void sha512_final(void *ctx, void *out)
Generate SHA-512 digest.
Definition: sha512.c:257
An ASN.1 OID-identified algorithm.
Definition: asn1.h:298
struct sha512_digest digest
Digest of data already processed.
Definition: sha512.h:48
uint64_t w[SHA512_ROUNDS]
Definition: sha512.c:54
SHA-512 digest and data block.
Definition: sha512.h:54
SHA-512 variables.
Definition: sha512.c:42
struct digest_algorithm sha512_algorithm
SHA-512 algorithm.
Definition: sha512.c:285
uint64_t h
Definition: sha512.c:53
#define DBGC(...)
Definition: compiler.h:505
unsigned long long uint64_t
Definition: stdint.h:13
Cryptographic API.
static __always_inline void off_t int c
Definition: efi_uaccess.h:87
uint64_t c
Definition: sha512.c:48
#define offsetof(type, field)
Get offset of a field within a structure.
Definition: stddef.h:24
u32 pad[9]
Padding.
Definition: ar9003_mac.h:90
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
uint64_t a
Definition: sha512.c:46
uint8_t ch
Definition: registers.h:83
void * memcpy(void *dest, const void *src, size_t len) __nonnull
struct sha512_digest_data dd
Digest and data block.
Definition: sha512.h:56
Assertions.
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
ASN.1 encoding.
#define DBGC_HDA(...)
Definition: compiler.h:506
static userptr_t size_t offset
Offset of the first segment within the content.
Definition: deflate.h:259
uint8_t h
Definition: registers.h:18
#define ASN1_OID_CURSOR(oid_value)
Define an ASN.1 cursor containing an OID.
Definition: asn1.h:292
__be32 out[4]
Definition: CIB_PRM.h:36
uint64_t qword[sizeof(struct sha512_digest_data)/sizeof(uint64_t)]
Raw qwords.
Definition: sha512.h:59
An SHA-512 context.
Definition: sha512.h:63
An SHA-512 digest.
Definition: sha512.h:19
struct asn1_algorithm oid_sha512_algorithm __asn1_algorithm
"sha512" OID-identified algorithm
Definition: sha512.c:299
#define ASN1_OID_SHA512
ASN.1 OID for id-sha512 (2.16.840.1.101.3.4.2.3)
Definition: asn1.h:197
unsigned char uint8_t
Definition: stdint.h:10
An SHA-512 data block.
Definition: sha512.h:25
union sha512_digest_data_qwords ddq
Digest and accumulated data.
Definition: sha512.h:69
uint64_t d
Definition: sha512.c:49
static const struct sha512_digest sha512_init_digest
SHA-512 initial digest values.
Definition: sha512.c:89
uint64_t h[8]
Hash output.
Definition: sha512.h:21
size_t len
Amount of accumulated data.
Definition: sha512.h:65
const char * name
Name.
Definition: asn1.h:300
union sha512_block data
Accumulated data.
Definition: sha512.h:50
uint32_t len
Length.
Definition: ena.h:14
#define DBGC2(...)
Definition: compiler.h:522
static void sha512_init(void *ctx)
Initialise SHA-512 algorithm.
Definition: sha512.c:124
const char * name
Algorithm name.
Definition: crypto.h:18
uint64_t f
Definition: sha512.c:51
SHA-512 algorithm.
A message digest algorithm.
Definition: crypto.h:16
#define cpu_to_be64(value)
Definition: byteswap.h:111
static void sha512_digest(struct sha512_context *context)
Calculate SHA-512 digest of accumulated data.
Definition: sha512.c:136
static uint8_t oid_sha512[]
"sha512" object identifier
Definition: sha512.c:296
static const uint64_t k[SHA512_ROUNDS]
SHA-512 constants.
Definition: sha512.c:58
#define SHA512_ROUNDS
SHA-512 number of rounds.
Definition: sha512.h:16
uint32_t digestsize
Digest size (i.e.
Definition: pccrr.h:14
uint64_t g
Definition: sha512.c:52
struct arbelprm_port_state_change_st data
Message.
Definition: arbel.h:12
union @16 u
FILE_LICENCE(GPL2_OR_LATER_OR_UBDL)
#define linker_assert(condition, error_symbol)
Assert a condition at link-time.
Definition: assert.h:68
uint64_t e
Definition: sha512.c:50
String functions.
uint8_t byte[128]
Raw bytes.
Definition: sha512.h:27
size_t digestsize
Digest size.
Definition: sha512.h:67
void sha512_family_init(struct sha512_context *context, const struct sha512_digest *init, size_t digestsize)
Initialise SHA-512 family algorithm.
Definition: sha512.c:109
#define be64_to_cpus(ptr)
Definition: byteswap.h:129
Bit operations.
uint64_t b
Definition: sha512.c:47