2 * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/opensslconf.h>
12 * IMPLEMENTATION NOTES.
14 * As you might have noticed 32-bit hash algorithms:
16 * - permit SHA_LONG to be wider than 32-bit
17 * - optimized versions implement two transform functions: one operating
18 * on [aligned] data in host byte order and one - on data in input
20 * - share common byte-order neutral collector and padding function
21 * implementations, ../md32_common.h;
23 * Neither of the above applies to this SHA-512 implementations. Reasons
24 * [in reverse order] are:
26 * - it's the only 64-bit hash algorithm for the moment of this writing,
27 * there is no need for common collector/padding implementation [yet];
28 * - by supporting only one transform function [which operates on
29 * *aligned* data in input stream byte order, big-endian in this case]
30 * we minimize burden of maintenance in two ways: a) collector/padding
31 * function is simpler; b) only one transform function to stare at;
32 * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
33 * apply a number of optimizations to mitigate potential performance
34 * penalties caused by previous design decision;
38 * Implementation relies on the fact that "long long" is 64-bit on
39 * both 32- and 64-bit platforms. If some compiler vendor comes up
40 * with 128-bit long long, adjustment to sha.h would be required.
41 * As this implementation relies on 64-bit integer type, it's totally
42 * inappropriate for platforms which don't support it, most notably
48 #include <openssl/crypto.h>
49 #include <openssl/sha.h>
50 #include <openssl/opensslv.h>
52 #include "internal/cryptlib.h"
54 #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
55 defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) || \
56 defined(__s390__) || defined(__s390x__) || \
57 defined(__aarch64__) || \
59 # define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
62 int SHA384_Init(SHA512_CTX *c)
64 c->h[0] = U64(0xcbbb9d5dc1059ed8);
65 c->h[1] = U64(0x629a292a367cd507);
66 c->h[2] = U64(0x9159015a3070dd17);
67 c->h[3] = U64(0x152fecd8f70e5939);
68 c->h[4] = U64(0x67332667ffc00b31);
69 c->h[5] = U64(0x8eb44a8768581511);
70 c->h[6] = U64(0xdb0c2e0d64f98fa7);
71 c->h[7] = U64(0x47b5481dbefa4fa4);
76 c->md_len = SHA384_DIGEST_LENGTH;
80 int SHA512_Init(SHA512_CTX *c)
82 c->h[0] = U64(0x6a09e667f3bcc908);
83 c->h[1] = U64(0xbb67ae8584caa73b);
84 c->h[2] = U64(0x3c6ef372fe94f82b);
85 c->h[3] = U64(0xa54ff53a5f1d36f1);
86 c->h[4] = U64(0x510e527fade682d1);
87 c->h[5] = U64(0x9b05688c2b3e6c1f);
88 c->h[6] = U64(0x1f83d9abfb41bd6b);
89 c->h[7] = U64(0x5be0cd19137e2179);
94 c->md_len = SHA512_DIGEST_LENGTH;
101 void sha512_block_data_order(SHA512_CTX *ctx, const void *in, size_t num);
103 int SHA512_Final(unsigned char *md, SHA512_CTX *c)
105 unsigned char *p = (unsigned char *)c->u.p;
108 p[n] = 0x80; /* There always is a room for one */
110 if (n > (sizeof(c->u) - 16)) {
111 memset(p + n, 0, sizeof(c->u) - n);
113 sha512_block_data_order(c, p, 1);
116 memset(p + n, 0, sizeof(c->u) - 16 - n);
118 c->u.d[SHA_LBLOCK - 2] = c->Nh;
119 c->u.d[SHA_LBLOCK - 1] = c->Nl;
121 p[sizeof(c->u) - 1] = (unsigned char)(c->Nl);
122 p[sizeof(c->u) - 2] = (unsigned char)(c->Nl >> 8);
123 p[sizeof(c->u) - 3] = (unsigned char)(c->Nl >> 16);
124 p[sizeof(c->u) - 4] = (unsigned char)(c->Nl >> 24);
125 p[sizeof(c->u) - 5] = (unsigned char)(c->Nl >> 32);
126 p[sizeof(c->u) - 6] = (unsigned char)(c->Nl >> 40);
127 p[sizeof(c->u) - 7] = (unsigned char)(c->Nl >> 48);
128 p[sizeof(c->u) - 8] = (unsigned char)(c->Nl >> 56);
129 p[sizeof(c->u) - 9] = (unsigned char)(c->Nh);
130 p[sizeof(c->u) - 10] = (unsigned char)(c->Nh >> 8);
131 p[sizeof(c->u) - 11] = (unsigned char)(c->Nh >> 16);
132 p[sizeof(c->u) - 12] = (unsigned char)(c->Nh >> 24);
133 p[sizeof(c->u) - 13] = (unsigned char)(c->Nh >> 32);
134 p[sizeof(c->u) - 14] = (unsigned char)(c->Nh >> 40);
135 p[sizeof(c->u) - 15] = (unsigned char)(c->Nh >> 48);
136 p[sizeof(c->u) - 16] = (unsigned char)(c->Nh >> 56);
139 sha512_block_data_order(c, p, 1);
145 /* Let compiler decide if it's appropriate to unroll... */
146 case SHA384_DIGEST_LENGTH:
147 for (n = 0; n < SHA384_DIGEST_LENGTH / 8; n++) {
148 SHA_LONG64 t = c->h[n];
150 *(md++) = (unsigned char)(t >> 56);
151 *(md++) = (unsigned char)(t >> 48);
152 *(md++) = (unsigned char)(t >> 40);
153 *(md++) = (unsigned char)(t >> 32);
154 *(md++) = (unsigned char)(t >> 24);
155 *(md++) = (unsigned char)(t >> 16);
156 *(md++) = (unsigned char)(t >> 8);
157 *(md++) = (unsigned char)(t);
160 case SHA512_DIGEST_LENGTH:
161 for (n = 0; n < SHA512_DIGEST_LENGTH / 8; n++) {
162 SHA_LONG64 t = c->h[n];
164 *(md++) = (unsigned char)(t >> 56);
165 *(md++) = (unsigned char)(t >> 48);
166 *(md++) = (unsigned char)(t >> 40);
167 *(md++) = (unsigned char)(t >> 32);
168 *(md++) = (unsigned char)(t >> 24);
169 *(md++) = (unsigned char)(t >> 16);
170 *(md++) = (unsigned char)(t >> 8);
171 *(md++) = (unsigned char)(t);
174 /* ... as well as make sure md_len is not abused. */
182 int SHA384_Final(unsigned char *md, SHA512_CTX *c)
184 return SHA512_Final(md, c);
187 int SHA512_Update(SHA512_CTX *c, const void *_data, size_t len)
190 unsigned char *p = c->u.p;
191 const unsigned char *data = (const unsigned char *)_data;
196 l = (c->Nl + (((SHA_LONG64) len) << 3)) & U64(0xffffffffffffffff);
199 if (sizeof(len) >= 8)
200 c->Nh += (((SHA_LONG64) len) >> 61);
204 size_t n = sizeof(c->u) - c->num;
207 memcpy(p + c->num, data, len), c->num += (unsigned int)len;
210 memcpy(p + c->num, data, n), c->num = 0;
212 sha512_block_data_order(c, p, 1);
216 if (len >= sizeof(c->u)) {
217 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
218 if ((size_t)data % sizeof(c->u.d[0]) != 0)
219 while (len >= sizeof(c->u))
220 memcpy(p, data, sizeof(c->u)),
221 sha512_block_data_order(c, p, 1),
222 len -= sizeof(c->u), data += sizeof(c->u);
225 sha512_block_data_order(c, data, len / sizeof(c->u)),
226 data += len, len %= sizeof(c->u), data -= len;
230 memcpy(p, data, len), c->num = (int)len;
235 int SHA384_Update(SHA512_CTX *c, const void *data, size_t len)
237 return SHA512_Update(c, data, len);
240 void SHA512_Transform(SHA512_CTX *c, const unsigned char *data)
242 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
243 if ((size_t)data % sizeof(c->u.d[0]) != 0)
244 memcpy(c->u.p, data, sizeof(c->u.p)), data = c->u.p;
246 sha512_block_data_order(c, data, 1);
249 unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
252 static unsigned char m[SHA384_DIGEST_LENGTH];
257 SHA512_Update(&c, d, n);
258 SHA512_Final(md, &c);
259 OPENSSL_cleanse(&c, sizeof(c));
263 unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
266 static unsigned char m[SHA512_DIGEST_LENGTH];
271 SHA512_Update(&c, d, n);
272 SHA512_Final(md, &c);
273 OPENSSL_cleanse(&c, sizeof(c));
278 static const SHA_LONG64 K512[80] = {
279 U64(0x428a2f98d728ae22), U64(0x7137449123ef65cd),
280 U64(0xb5c0fbcfec4d3b2f), U64(0xe9b5dba58189dbbc),
281 U64(0x3956c25bf348b538), U64(0x59f111f1b605d019),
282 U64(0x923f82a4af194f9b), U64(0xab1c5ed5da6d8118),
283 U64(0xd807aa98a3030242), U64(0x12835b0145706fbe),
284 U64(0x243185be4ee4b28c), U64(0x550c7dc3d5ffb4e2),
285 U64(0x72be5d74f27b896f), U64(0x80deb1fe3b1696b1),
286 U64(0x9bdc06a725c71235), U64(0xc19bf174cf692694),
287 U64(0xe49b69c19ef14ad2), U64(0xefbe4786384f25e3),
288 U64(0x0fc19dc68b8cd5b5), U64(0x240ca1cc77ac9c65),
289 U64(0x2de92c6f592b0275), U64(0x4a7484aa6ea6e483),
290 U64(0x5cb0a9dcbd41fbd4), U64(0x76f988da831153b5),
291 U64(0x983e5152ee66dfab), U64(0xa831c66d2db43210),
292 U64(0xb00327c898fb213f), U64(0xbf597fc7beef0ee4),
293 U64(0xc6e00bf33da88fc2), U64(0xd5a79147930aa725),
294 U64(0x06ca6351e003826f), U64(0x142929670a0e6e70),
295 U64(0x27b70a8546d22ffc), U64(0x2e1b21385c26c926),
296 U64(0x4d2c6dfc5ac42aed), U64(0x53380d139d95b3df),
297 U64(0x650a73548baf63de), U64(0x766a0abb3c77b2a8),
298 U64(0x81c2c92e47edaee6), U64(0x92722c851482353b),
299 U64(0xa2bfe8a14cf10364), U64(0xa81a664bbc423001),
300 U64(0xc24b8b70d0f89791), U64(0xc76c51a30654be30),
301 U64(0xd192e819d6ef5218), U64(0xd69906245565a910),
302 U64(0xf40e35855771202a), U64(0x106aa07032bbd1b8),
303 U64(0x19a4c116b8d2d0c8), U64(0x1e376c085141ab53),
304 U64(0x2748774cdf8eeb99), U64(0x34b0bcb5e19b48a8),
305 U64(0x391c0cb3c5c95a63), U64(0x4ed8aa4ae3418acb),
306 U64(0x5b9cca4f7763e373), U64(0x682e6ff3d6b2b8a3),
307 U64(0x748f82ee5defb2fc), U64(0x78a5636f43172f60),
308 U64(0x84c87814a1f0ab72), U64(0x8cc702081a6439ec),
309 U64(0x90befffa23631e28), U64(0xa4506cebde82bde9),
310 U64(0xbef9a3f7b2c67915), U64(0xc67178f2e372532b),
311 U64(0xca273eceea26619c), U64(0xd186b8c721c0c207),
312 U64(0xeada7dd6cde0eb1e), U64(0xf57d4f7fee6ed178),
313 U64(0x06f067aa72176fba), U64(0x0a637dc5a2c898a6),
314 U64(0x113f9804bef90dae), U64(0x1b710b35131c471b),
315 U64(0x28db77f523047d84), U64(0x32caab7b40c72493),
316 U64(0x3c9ebe0a15c9bebc), U64(0x431d67c49c100d4c),
317 U64(0x4cc5d4becb3e42b6), U64(0x597f299cfc657e2a),
318 U64(0x5fcb6fab3ad6faec), U64(0x6c44198c4a475817)
322 # if defined(__GNUC__) && __GNUC__>=2 && \
323 !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
324 # if defined(__x86_64) || defined(__x86_64__)
325 # define ROTR(a,n) ({ SHA_LONG64 ret; \
330 # if !defined(B_ENDIAN)
331 # define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x))); \
336 # elif (defined(__i386) || defined(__i386__)) && !defined(B_ENDIAN)
337 # if defined(I386_ONLY)
338 # define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
339 unsigned int hi=p[0],lo=p[1]; \
340 asm("xchgb %%ah,%%al;xchgb %%dh,%%dl;"\
341 "roll $16,%%eax; roll $16,%%edx; "\
342 "xchgb %%ah,%%al;xchgb %%dh,%%dl;"\
343 : "=a"(lo),"=d"(hi) \
344 : "0"(lo),"1"(hi) : "cc"); \
345 ((SHA_LONG64)hi)<<32|lo; })
347 # define PULL64(x) ({ const unsigned int *p=(const unsigned int *)(&(x));\
348 unsigned int hi=p[0],lo=p[1]; \
349 asm ("bswapl %0; bswapl %1;" \
350 : "=r"(lo),"=r"(hi) \
351 : "0"(lo),"1"(hi)); \
352 ((SHA_LONG64)hi)<<32|lo; })
354 # elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64)
355 # define ROTR(a,n) ({ SHA_LONG64 ret; \
356 asm ("rotrdi %0,%1,%2" \
358 : "r"(a),"K"(n)); ret; })
359 # elif defined(__aarch64__)
360 # define ROTR(a,n) ({ SHA_LONG64 ret; \
361 asm ("ror %0,%1,%2" \
363 : "r"(a),"I"(n)); ret; })
364 # if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
365 __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
366 # define PULL64(x) ({ SHA_LONG64 ret; \
369 : "r"(*((const SHA_LONG64 *)(&(x))))); ret; })
372 # elif defined(_MSC_VER)
373 # if defined(_WIN64) /* applies to both IA-64 and AMD64 */
374 # pragma intrinsic(_rotr64)
375 # define ROTR(a,n) _rotr64((a),n)
377 # if defined(_M_IX86) && !defined(OPENSSL_NO_ASM) && \
378 !defined(OPENSSL_NO_INLINE_ASM)
379 # if defined(I386_ONLY)
380 static SHA_LONG64 __fastcall __pull64be(const void *x)
382 _asm mov edx,[ecx + 0]
383 _asm mov eax,[ecx + 4]
392 static SHA_LONG64 __fastcall __pull64be(const void *x)
394 _asm mov edx,[ecx + 0]
395 _asm mov eax,[ecx + 4]
400 # define PULL64(x) __pull64be(&(x))
405 # define B(x,j) (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8))
406 # define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7))
409 # define ROTR(x,s) (((x)>>s) | (x)<<(64-s))
411 # define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
412 # define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
413 # define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7))
414 # define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
415 # define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
416 # define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
418 # if defined(__i386) || defined(__i386__) || defined(_M_IX86)
420 * This code should give better results on 32-bit CPU with less than
421 * ~24 registers, both size and performance wise...
424 static void sha512_block_data_order(SHA512_CTX *ctx, const void *in,
427 const SHA_LONG64 *W = in;
429 SHA_LONG64 X[9 + 80], *F;
444 for (i = 0; i < 16; i++, F--) {
453 T += F[7] + Sigma1(E) + Ch(E, F[5], F[6]) + K512[i];
455 A = T + Sigma0(A) + Maj(A, F[1], F[2]);
458 for (; i < 80; i++, F--) {
459 T = sigma0(F[8 + 16 - 1]);
460 T += sigma1(F[8 + 16 - 14]);
461 T += F[8 + 16] + F[8 + 16 - 9];
466 T += F[7] + Sigma1(E) + Ch(E, F[5], F[6]) + K512[i];
468 A = T + Sigma0(A) + Maj(A, F[1], F[2]);
484 # elif defined(OPENSSL_SMALL_FOOTPRINT)
486 static void sha512_block_data_order(SHA512_CTX *ctx, const void *in,
489 const SHA_LONG64 *W = in;
490 SHA_LONG64 a, b, c, d, e, f, g, h, s0, s1, T1, T2;
505 for (i = 0; i < 16; i++) {
509 T1 = X[i] = PULL64(W[i]);
511 T1 += h + Sigma1(e) + Ch(e, f, g) + K512[i];
512 T2 = Sigma0(a) + Maj(a, b, c);
523 for (; i < 80; i++) {
524 s0 = X[(i + 1) & 0x0f];
526 s1 = X[(i + 14) & 0x0f];
529 T1 = X[i & 0xf] += s0 + s1 + X[(i + 9) & 0xf];
530 T1 += h + Sigma1(e) + Ch(e, f, g) + K512[i];
531 T2 = Sigma0(a) + Maj(a, b, c);
556 # define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \
557 T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i]; \
558 h = Sigma0(a) + Maj(a,b,c); \
559 d += T1; h += T1; } while (0)
561 # define ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X) do { \
562 s0 = X[(j+1)&0x0f]; s0 = sigma0(s0); \
563 s1 = X[(j+14)&0x0f]; s1 = sigma1(s1); \
564 T1 = X[(j)&0x0f] += s0 + s1 + X[(j+9)&0x0f]; \
565 ROUND_00_15(i+j,a,b,c,d,e,f,g,h); } while (0)
567 static void sha512_block_data_order(SHA512_CTX *ctx, const void *in,
570 const SHA_LONG64 *W = in;
571 SHA_LONG64 a, b, c, d, e, f, g, h, s0, s1, T1;
588 ROUND_00_15(0, a, b, c, d, e, f, g, h);
590 ROUND_00_15(1, h, a, b, c, d, e, f, g);
592 ROUND_00_15(2, g, h, a, b, c, d, e, f);
594 ROUND_00_15(3, f, g, h, a, b, c, d, e);
596 ROUND_00_15(4, e, f, g, h, a, b, c, d);
598 ROUND_00_15(5, d, e, f, g, h, a, b, c);
600 ROUND_00_15(6, c, d, e, f, g, h, a, b);
602 ROUND_00_15(7, b, c, d, e, f, g, h, a);
604 ROUND_00_15(8, a, b, c, d, e, f, g, h);
606 ROUND_00_15(9, h, a, b, c, d, e, f, g);
608 ROUND_00_15(10, g, h, a, b, c, d, e, f);
610 ROUND_00_15(11, f, g, h, a, b, c, d, e);
612 ROUND_00_15(12, e, f, g, h, a, b, c, d);
614 ROUND_00_15(13, d, e, f, g, h, a, b, c);
616 ROUND_00_15(14, c, d, e, f, g, h, a, b);
618 ROUND_00_15(15, b, c, d, e, f, g, h, a);
620 T1 = X[0] = PULL64(W[0]);
621 ROUND_00_15(0, a, b, c, d, e, f, g, h);
622 T1 = X[1] = PULL64(W[1]);
623 ROUND_00_15(1, h, a, b, c, d, e, f, g);
624 T1 = X[2] = PULL64(W[2]);
625 ROUND_00_15(2, g, h, a, b, c, d, e, f);
626 T1 = X[3] = PULL64(W[3]);
627 ROUND_00_15(3, f, g, h, a, b, c, d, e);
628 T1 = X[4] = PULL64(W[4]);
629 ROUND_00_15(4, e, f, g, h, a, b, c, d);
630 T1 = X[5] = PULL64(W[5]);
631 ROUND_00_15(5, d, e, f, g, h, a, b, c);
632 T1 = X[6] = PULL64(W[6]);
633 ROUND_00_15(6, c, d, e, f, g, h, a, b);
634 T1 = X[7] = PULL64(W[7]);
635 ROUND_00_15(7, b, c, d, e, f, g, h, a);
636 T1 = X[8] = PULL64(W[8]);
637 ROUND_00_15(8, a, b, c, d, e, f, g, h);
638 T1 = X[9] = PULL64(W[9]);
639 ROUND_00_15(9, h, a, b, c, d, e, f, g);
640 T1 = X[10] = PULL64(W[10]);
641 ROUND_00_15(10, g, h, a, b, c, d, e, f);
642 T1 = X[11] = PULL64(W[11]);
643 ROUND_00_15(11, f, g, h, a, b, c, d, e);
644 T1 = X[12] = PULL64(W[12]);
645 ROUND_00_15(12, e, f, g, h, a, b, c, d);
646 T1 = X[13] = PULL64(W[13]);
647 ROUND_00_15(13, d, e, f, g, h, a, b, c);
648 T1 = X[14] = PULL64(W[14]);
649 ROUND_00_15(14, c, d, e, f, g, h, a, b);
650 T1 = X[15] = PULL64(W[15]);
651 ROUND_00_15(15, b, c, d, e, f, g, h, a);
654 for (i = 16; i < 80; i += 16) {
655 ROUND_16_80(i, 0, a, b, c, d, e, f, g, h, X);
656 ROUND_16_80(i, 1, h, a, b, c, d, e, f, g, X);
657 ROUND_16_80(i, 2, g, h, a, b, c, d, e, f, X);
658 ROUND_16_80(i, 3, f, g, h, a, b, c, d, e, X);
659 ROUND_16_80(i, 4, e, f, g, h, a, b, c, d, X);
660 ROUND_16_80(i, 5, d, e, f, g, h, a, b, c, X);
661 ROUND_16_80(i, 6, c, d, e, f, g, h, a, b, X);
662 ROUND_16_80(i, 7, b, c, d, e, f, g, h, a, X);
663 ROUND_16_80(i, 8, a, b, c, d, e, f, g, h, X);
664 ROUND_16_80(i, 9, h, a, b, c, d, e, f, g, X);
665 ROUND_16_80(i, 10, g, h, a, b, c, d, e, f, X);
666 ROUND_16_80(i, 11, f, g, h, a, b, c, d, e, X);
667 ROUND_16_80(i, 12, e, f, g, h, a, b, c, d, X);
668 ROUND_16_80(i, 13, d, e, f, g, h, a, b, c, X);
669 ROUND_16_80(i, 14, c, d, e, f, g, h, a, b, X);
670 ROUND_16_80(i, 15, b, c, d, e, f, g, h, a, X);
688 #endif /* SHA512_ASM */