Software APIs
sha512.h
1 // Copyright lowRISC contributors (OpenTitan project).
2 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
3 // SPDX-License-Identifier: Apache-2.0
4 
5 #ifndef OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_SHA2_SHA512_H_
6 #define OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_SHA2_SHA512_H_
7 
8 #include "sw/device/lib/base/hardened.h"
9 #include "sw/device/lib/crypto/drivers/otbn.h"
10 
11 #ifdef __cplusplus
12 extern "C" {
13 #endif // __cplusplus
14 
15 enum {
16  /**
17  * SHA-384 digest size in bits.
18  */
19  kSha384DigestBits = 384,
20  /**
21  * SHA-384 digest size in bytes.
22  */
23  kSha384DigestBytes = kSha384DigestBits / 8,
24  /**
25  * SHA-384 digest size in words.
26  */
27  kSha384DigestWords = kSha384DigestBytes / sizeof(uint32_t),
28  /**
29  * SHA-512 message block size in bits.
30  */
31  kSha512MessageBlockBits = 1024,
32  /**
33  * SHA-512 message block size in bytes.
34  */
35  kSha512MessageBlockBytes = kSha512MessageBlockBits / 8,
36  /**
37  * SHA-512 message block size in words.
38  */
39  kSha512MessageBlockWords = kSha512MessageBlockBytes / sizeof(uint32_t),
40  /**
41  * SHA-512 state buffer size in bits.
42  */
43  kSha512StateBits = 512,
44  /**
45  * SHA-512 state buffer size in bytes.
46  */
47  kSha512StateBytes = kSha512StateBits / 8,
48  /**
49  * SHA-512 state buffer size in words.
50  */
51  kSha512StateWords = kSha512StateBytes / sizeof(uint32_t),
52  /**
53  * SHA-512 digest size in bits.
54  */
55  kSha512DigestBits = 512,
56  /**
57  * SHA-512 digest size in bytes.
58  */
59  kSha512DigestBytes = kSha512DigestBits / 8,
60  /**
61  * SHA-512 digest size in words.
62  */
63  kSha512DigestWords = kSha512DigestBytes / sizeof(uint32_t),
64 };
65 
66 /**
67  * A type that holds the SHA-512 message length.
68  *
69  * The length may be up to 128 bits.
70  *
71  * IMPORTANT: Every member of this struct should be a word-aligned type and
72  * have a size divisible by `sizeof(uint32_t)`; otherwise `sha512_state_t` will
73  * not be suitable for `hardened_memcpy()`.
74  */
75 typedef struct sha512_message_length {
76  /**
77  * Lower 64 bits of the message bit-length.
78  */
79  uint64_t lower;
80  /**
81  * Upper 64 bits of the message bit-length.
82  */
83  uint64_t upper;
84 } sha512_message_length_t;
85 
86 /**
87  * A type that holds the context for an ongoing SHA-512 operation.
88  *
89  * IMPORTANT: Every member of this struct should be a word-aligned type and
90  * have a size divisible by `sizeof(uint32_t)`; otherwise `sha512_state_t` will
91  * not be suitable for `hardened_memcpy()`.
92  */
93 typedef struct sha512_state {
94  /**
95  * Working state for a SHA-512 or SHA-384 computation.
96  */
97  uint32_t H[kSha512StateWords];
98  /**
99  * Partial block, if any.
100  *
101  * If we get an update() with a message that isn't an even number of blocks,
102  * there's no way to know if we should pad it or not until we get the next
103  * update() or final(). The length of actual data in this block is always
104  * (total_len % kSha512MessageBlockBytes) bytes.
105  */
106  uint32_t partial_block[kSha512MessageBlockWords];
107  /**
108  * Total message length so far, in bits.
109  */
110  sha512_message_length_t total_len;
111 } sha512_state_t;
112 
113 /**
114  * A type that holds the context for an ongoing SHA-384 operation.
115  *
116  * Since SHA-384 uses the same internal process as SHA-512, just with a
117  * different initial value, the context structs are the same.
118  */
119 typedef sha512_state_t sha384_state_t;
120 
121 /**
122  * One-shot SHA-384 hash computation.
123  *
124  * Returns OTCRYPTO_ASYNC_INCOMPLETE if OTBN is busy.
125  *
126  * @param msg Input message
127  * @param msg_len Input message length in bytes
128  * @param[out] digest Output buffer for digest.
129  * @return Result of the operation (OK or error).
130  */
131 OT_WARN_UNUSED_RESULT
132 status_t sha384(const uint8_t *msg, const size_t msg_len, uint32_t *digest);
133 
134 /**
135  * Set up a SHA-384 hash computation.
136  *
137  * Initializes the hash state; doesn't process anything.
138  *
139  * This interface expects the following sequence of calls:
140  * - one call to sha384_init()
141  * - zero or more calls to sha384_update()
142  * - one call to sha384_final()
143  *
144  * @param[out] state Hash context object to initialize.
145  * @return Result of the operation (OK or error).
146  */
147 void sha384_init(sha384_state_t *state);
148 
149 /**
150  * Process new message data for a SHA-384 hash computation.
151  *
152  * Incorporates the new message data into the hash context.
153  *
154  * Returns OTCRYPTO_ASYNC_INCOMPLETE if OTBN is busy.
155  *
156  * @param state Hash context object; updated in-place.
157  * @param msg Input message.
158  * @param msg_len Input message length in bytes.
159  * @return Result of the operation (OK or error).
160  */
161 OT_WARN_UNUSED_RESULT
162 status_t sha384_update(sha384_state_t *state, const uint8_t *msg,
163  const size_t msg_len);
164 
165 /**
166  * Finish a SHA-384 hash computation.
167  *
168  * Incorporates the new message data into the hash context, constructs the
169  * message padding and performs the final hash computation.
170  *
171  * The caller must ensure that at least `kSha384DigestBytes` bytes of space are
172  * available at the location pointed to by `digest`.
173  *
174  * Returns OTCRYPTO_ASYNC_INCOMPLETE if OTBN is busy.
175  *
176  * @param state Hash context object.
177  * @param msg Input message
178  * @param msg_len Input message length in bytes
179  * @param[out] digest Output buffer for digest.
180  * @return Result of the operation (OK or error).
181  */
182 OT_WARN_UNUSED_RESULT
183 status_t sha384_final(sha384_state_t *state, uint32_t *digest);
184 
185 /**
186  * One-shot SHA-512 hash computation.
187  *
188  * Returns OTCRYPTO_ASYNC_INCOMPLETE if OTBN is busy.
189  *
190  * @param msg Input message
191  * @param msg_len Input message length in bytes
192  * @param[out] digest Output buffer for digest.
193  * @return Result of the operation (OK or error).
194  */
195 OT_WARN_UNUSED_RESULT
196 status_t sha512(const uint8_t *msg, const size_t msg_len, uint32_t *digest);
197 
198 /**
199  * Set up a SHA-512 hash computation.
200  *
201  * Initializes the hash state; doesn't process anything.
202  *
203  * This interface expects the following sequence of calls:
204  * - one call to sha512_init()
205  * - zero or more calls to sha512_update()
206  * - one call to sha512_final()
207  *
208  * @param[out] state Hash context object to initialize.
209  * @return Result of the operation (OK or error).
210  */
211 void sha512_init(sha512_state_t *state);
212 
213 /**
214  * Process new message data for a SHA-512 hash computation.
215  *
216  * Incorporates the new message data into the hash context.
217  *
218  * Returns OTCRYPTO_ASYNC_INCOMPLETE if OTBN is busy.
219  *
220  * @param state Hash context object; updated in-place.
221  * @param msg Input message.
222  * @param msg_len Input message length in bytes.
223  * @return Result of the operation (OK or error).
224  */
225 OT_WARN_UNUSED_RESULT
226 status_t sha512_update(sha512_state_t *state, const uint8_t *msg,
227  const size_t msg_len);
228 
229 /**
230  * Finish a SHA-512 hash computation.
231  *
232  * Incorporates the new message data into the hash context, constructs the
233  * message padding and performs the final hash computation.
234  *
235  * The caller must ensure that at least `kSha512DigestBytes` bytes of space are
236  * available at the location pointed to by `digest`.
237  *
238  * Returns OTCRYPTO_ASYNC_INCOMPLETE if OTBN is busy.
239  *
240  * @param state Hash context object.
241  * @param msg Input message
242  * @param msg_len Input message length in bytes
243  * @param[out] digest Output buffer for digest.
244  * @return Result of the operation (OK or error).
245  */
246 OT_WARN_UNUSED_RESULT
247 status_t sha512_final(sha512_state_t *state, uint32_t *digest);
248 
249 #ifdef __cplusplus
250 } // extern "C"
251 #endif // __cplusplus
252 
253 #endif // OPENTITAN_SW_DEVICE_LIB_CRYPTO_IMPL_SHA2_SHA512_H_
Return to OpenTitan Documentation