search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Follow upstream changes -- Bytestring updates
[git-darcs-import.git] / src / Crypt / sha2.c
bloba32427ed9603720b8f892efa21a3e6578ab68645
1 /*
2 * FIPS 180-2 SHA-224/256/384/512 implementation
3 * Last update: 02/02/2007
4 * Issue date: 04/30/2005
5 *
6 * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #if 0
35 #define UNROLL_LOOPS /* Enable loops unrolling */
36 #endif
37
38 #include <string.h>
39
40 #include "sha2.h"
41
42 #define SHFR(x, n) (x >> n)
43 #define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n)))
44 #define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n)))
45 #define CH(x, y, z) ((x & y) ^ (~x & z))
46 #define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
47
48 #define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
49 #define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
50 #define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3))
51 #define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
52
53 #define SHA512_F1(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
54 #define SHA512_F2(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
55 #define SHA512_F3(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHFR(x, 7))
56 #define SHA512_F4(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHFR(x, 6))
57
58 #define UNPACK32(x, str) \
59 { \
60 *((str) + 3) = (uint8) ((x) ); \
61 *((str) + 2) = (uint8) ((x) >> 8); \
62 *((str) + 1) = (uint8) ((x) >> 16); \
63 *((str) + 0) = (uint8) ((x) >> 24); \
64 }
65
66 #define PACK32(str, x) \
67 { \
68 *(x) = ((uint32) *((str) + 3) ) \
69 | ((uint32) *((str) + 2) << 8) \
70 | ((uint32) *((str) + 1) << 16) \
71 | ((uint32) *((str) + 0) << 24); \
72 }
73
74 #define UNPACK64(x, str) \
75 { \
76 *((str) + 7) = (uint8) ((x) ); \
77 *((str) + 6) = (uint8) ((x) >> 8); \
78 *((str) + 5) = (uint8) ((x) >> 16); \
79 *((str) + 4) = (uint8) ((x) >> 24); \
80 *((str) + 3) = (uint8) ((x) >> 32); \
81 *((str) + 2) = (uint8) ((x) >> 40); \
82 *((str) + 1) = (uint8) ((x) >> 48); \
83 *((str) + 0) = (uint8) ((x) >> 56); \
84 }
85
86 #define PACK64(str, x) \
87 { \
88 *(x) = ((uint64) *((str) + 7) ) \
89 | ((uint64) *((str) + 6) << 8) \
90 | ((uint64) *((str) + 5) << 16) \
91 | ((uint64) *((str) + 4) << 24) \
92 | ((uint64) *((str) + 3) << 32) \
93 | ((uint64) *((str) + 2) << 40) \
94 | ((uint64) *((str) + 1) << 48) \
95 | ((uint64) *((str) + 0) << 56); \
96 }
97
98 /* Macros used for loops unrolling */
99
100 #define SHA256_SCR(i) \
101 { \
102 w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \
103 + SHA256_F3(w[i - 15]) + w[i - 16]; \
104 }
105
106 #define SHA512_SCR(i) \
107 { \
108 w[i] = SHA512_F4(w[i - 2]) + w[i - 7] \
109 + SHA512_F3(w[i - 15]) + w[i - 16]; \
110 }
111
112 #define SHA256_EXP(a, b, c, d, e, f, g, h, j) \
113 { \
114 t1 = wv[h] + SHA256_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
115 + sha256_k[j] + w[j]; \
116 t2 = SHA256_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
117 wv[d] += t1; \
118 wv[h] = t1 + t2; \
119 }
120
121 #define SHA512_EXP(a, b, c, d, e, f, g ,h, j) \
122 { \
123 t1 = wv[h] + SHA512_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
124 + sha512_k[j] + w[j]; \
125 t2 = SHA512_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
126 wv[d] += t1; \
127 wv[h] = t1 + t2; \
128 }
129
130 uint32 sha224_h0[8] =
131 {0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
132 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4};
133
134 uint32 sha256_h0[8] =
135 {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
136 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
137
138 uint64 sha384_h0[8] =
139 {0xcbbb9d5dc1059ed8ULL, 0x629a292a367cd507ULL,
140 0x9159015a3070dd17ULL, 0x152fecd8f70e5939ULL,
141 0x67332667ffc00b31ULL, 0x8eb44a8768581511ULL,
142 0xdb0c2e0d64f98fa7ULL, 0x47b5481dbefa4fa4ULL};
143
144 uint64 sha512_h0[8] =
145 {0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
146 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
147 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
148 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL};
149
150 uint32 sha256_k[64] =
151 {0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
152 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
153 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
154 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
155 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
156 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
157 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
158 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
159 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
160 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
161 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
162 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
163 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
164 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
165 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
166 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
167
168 uint64 sha512_k[80] =
169 {0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
170 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
171 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
172 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
173 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
174 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
175 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
176 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
177 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
178 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
179 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
180 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
181 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
182 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
183 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
184 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
185 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
186 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
187 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
188 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
189 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
190 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
191 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
192 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
193 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
194 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
195 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
196 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
197 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
198 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
199 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
200 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
201 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
202 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
203 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
204 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
205 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
206 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
207 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
208 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL};
209
210 /* SHA-256 functions */
211
212 void sha256_transf(sha256_ctx *ctx, const unsigned char *message,
213 unsigned int block_nb)
214 {
215 uint32 w[64];
216 uint32 wv[8];
217 uint32 t1, t2;
218 const unsigned char *sub_block;
219 int i;
220
221 #ifndef UNROLL_LOOPS
222 int j;
223 #endif
224
225 for (i = 0; i < (int) block_nb; i++) {
226 sub_block = message + (i << 6);
227
228 #ifndef UNROLL_LOOPS
229 for (j = 0; j < 16; j++) {
230 PACK32(&sub_block[j << 2], &w[j]);
231 }
232
233 for (j = 16; j < 64; j++) {
234 SHA256_SCR(j);
235 }
236
237 for (j = 0; j < 8; j++) {
238 wv[j] = ctx->h[j];
239 }
240
241 for (j = 0; j < 64; j++) {
242 t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
243 + sha256_k[j] + w[j];
244 t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
245 wv[7] = wv[6];
246 wv[6] = wv[5];
247 wv[5] = wv[4];
248 wv[4] = wv[3] + t1;
249 wv[3] = wv[2];
250 wv[2] = wv[1];
251 wv[1] = wv[0];
252 wv[0] = t1 + t2;
253 }
254
255 for (j = 0; j < 8; j++) {
256 ctx->h[j] += wv[j];
257 }
258 #else
259 PACK32(&sub_block[ 0], &w[ 0]); PACK32(&sub_block[ 4], &w[ 1]);
260 PACK32(&sub_block[ 8], &w[ 2]); PACK32(&sub_block[12], &w[ 3]);
261 PACK32(&sub_block[16], &w[ 4]); PACK32(&sub_block[20], &w[ 5]);
262 PACK32(&sub_block[24], &w[ 6]); PACK32(&sub_block[28], &w[ 7]);
263 PACK32(&sub_block[32], &w[ 8]); PACK32(&sub_block[36], &w[ 9]);
264 PACK32(&sub_block[40], &w[10]); PACK32(&sub_block[44], &w[11]);
265 PACK32(&sub_block[48], &w[12]); PACK32(&sub_block[52], &w[13]);
266 PACK32(&sub_block[56], &w[14]); PACK32(&sub_block[60], &w[15]);
267
268 SHA256_SCR(16); SHA256_SCR(17); SHA256_SCR(18); SHA256_SCR(19);
269 SHA256_SCR(20); SHA256_SCR(21); SHA256_SCR(22); SHA256_SCR(23);
270 SHA256_SCR(24); SHA256_SCR(25); SHA256_SCR(26); SHA256_SCR(27);
271 SHA256_SCR(28); SHA256_SCR(29); SHA256_SCR(30); SHA256_SCR(31);
272 SHA256_SCR(32); SHA256_SCR(33); SHA256_SCR(34); SHA256_SCR(35);
273 SHA256_SCR(36); SHA256_SCR(37); SHA256_SCR(38); SHA256_SCR(39);
274 SHA256_SCR(40); SHA256_SCR(41); SHA256_SCR(42); SHA256_SCR(43);
275 SHA256_SCR(44); SHA256_SCR(45); SHA256_SCR(46); SHA256_SCR(47);
276 SHA256_SCR(48); SHA256_SCR(49); SHA256_SCR(50); SHA256_SCR(51);
277 SHA256_SCR(52); SHA256_SCR(53); SHA256_SCR(54); SHA256_SCR(55);
278 SHA256_SCR(56); SHA256_SCR(57); SHA256_SCR(58); SHA256_SCR(59);
279 SHA256_SCR(60); SHA256_SCR(61); SHA256_SCR(62); SHA256_SCR(63);
280
281 wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
282 wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
283 wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
284 wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
285
286 SHA256_EXP(0,1,2,3,4,5,6,7, 0); SHA256_EXP(7,0,1,2,3,4,5,6, 1);
287 SHA256_EXP(6,7,0,1,2,3,4,5, 2); SHA256_EXP(5,6,7,0,1,2,3,4, 3);
288 SHA256_EXP(4,5,6,7,0,1,2,3, 4); SHA256_EXP(3,4,5,6,7,0,1,2, 5);
289 SHA256_EXP(2,3,4,5,6,7,0,1, 6); SHA256_EXP(1,2,3,4,5,6,7,0, 7);
290 SHA256_EXP(0,1,2,3,4,5,6,7, 8); SHA256_EXP(7,0,1,2,3,4,5,6, 9);
291 SHA256_EXP(6,7,0,1,2,3,4,5,10); SHA256_EXP(5,6,7,0,1,2,3,4,11);
292 SHA256_EXP(4,5,6,7,0,1,2,3,12); SHA256_EXP(3,4,5,6,7,0,1,2,13);
293 SHA256_EXP(2,3,4,5,6,7,0,1,14); SHA256_EXP(1,2,3,4,5,6,7,0,15);
294 SHA256_EXP(0,1,2,3,4,5,6,7,16); SHA256_EXP(7,0,1,2,3,4,5,6,17);
295 SHA256_EXP(6,7,0,1,2,3,4,5,18); SHA256_EXP(5,6,7,0,1,2,3,4,19);
296 SHA256_EXP(4,5,6,7,0,1,2,3,20); SHA256_EXP(3,4,5,6,7,0,1,2,21);
297 SHA256_EXP(2,3,4,5,6,7,0,1,22); SHA256_EXP(1,2,3,4,5,6,7,0,23);
298 SHA256_EXP(0,1,2,3,4,5,6,7,24); SHA256_EXP(7,0,1,2,3,4,5,6,25);
299 SHA256_EXP(6,7,0,1,2,3,4,5,26); SHA256_EXP(5,6,7,0,1,2,3,4,27);
300 SHA256_EXP(4,5,6,7,0,1,2,3,28); SHA256_EXP(3,4,5,6,7,0,1,2,29);
301 SHA256_EXP(2,3,4,5,6,7,0,1,30); SHA256_EXP(1,2,3,4,5,6,7,0,31);
302 SHA256_EXP(0,1,2,3,4,5,6,7,32); SHA256_EXP(7,0,1,2,3,4,5,6,33);
303 SHA256_EXP(6,7,0,1,2,3,4,5,34); SHA256_EXP(5,6,7,0,1,2,3,4,35);
304 SHA256_EXP(4,5,6,7,0,1,2,3,36); SHA256_EXP(3,4,5,6,7,0,1,2,37);
305 SHA256_EXP(2,3,4,5,6,7,0,1,38); SHA256_EXP(1,2,3,4,5,6,7,0,39);
306 SHA256_EXP(0,1,2,3,4,5,6,7,40); SHA256_EXP(7,0,1,2,3,4,5,6,41);
307 SHA256_EXP(6,7,0,1,2,3,4,5,42); SHA256_EXP(5,6,7,0,1,2,3,4,43);
308 SHA256_EXP(4,5,6,7,0,1,2,3,44); SHA256_EXP(3,4,5,6,7,0,1,2,45);
309 SHA256_EXP(2,3,4,5,6,7,0,1,46); SHA256_EXP(1,2,3,4,5,6,7,0,47);
310 SHA256_EXP(0,1,2,3,4,5,6,7,48); SHA256_EXP(7,0,1,2,3,4,5,6,49);
311 SHA256_EXP(6,7,0,1,2,3,4,5,50); SHA256_EXP(5,6,7,0,1,2,3,4,51);
312 SHA256_EXP(4,5,6,7,0,1,2,3,52); SHA256_EXP(3,4,5,6,7,0,1,2,53);
313 SHA256_EXP(2,3,4,5,6,7,0,1,54); SHA256_EXP(1,2,3,4,5,6,7,0,55);
314 SHA256_EXP(0,1,2,3,4,5,6,7,56); SHA256_EXP(7,0,1,2,3,4,5,6,57);
315 SHA256_EXP(6,7,0,1,2,3,4,5,58); SHA256_EXP(5,6,7,0,1,2,3,4,59);
316 SHA256_EXP(4,5,6,7,0,1,2,3,60); SHA256_EXP(3,4,5,6,7,0,1,2,61);
317 SHA256_EXP(2,3,4,5,6,7,0,1,62); SHA256_EXP(1,2,3,4,5,6,7,0,63);
318
319 ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
320 ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
321 ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
322 ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
323 #endif /* !UNROLL_LOOPS */
324 }
325 }
326
327 void sha256(const unsigned char *message, unsigned int len, unsigned char *digest)
328 {
329 sha256_ctx ctx;
330
331 sha256_init(&ctx);
332 sha256_update(&ctx, message, len);
333 sha256_final(&ctx, digest);
334 }
335
336 void sha256_init(sha256_ctx *ctx)
337 {
338 #ifndef UNROLL_LOOPS
339 int i;
340 for (i = 0; i < 8; i++) {
341 ctx->h[i] = sha256_h0[i];
342 }
343 #else
344 ctx->h[0] = sha256_h0[0]; ctx->h[1] = sha256_h0[1];
345 ctx->h[2] = sha256_h0[2]; ctx->h[3] = sha256_h0[3];
346 ctx->h[4] = sha256_h0[4]; ctx->h[5] = sha256_h0[5];
347 ctx->h[6] = sha256_h0[6]; ctx->h[7] = sha256_h0[7];
348 #endif /* !UNROLL_LOOPS */
349
350 ctx->len = 0;
351 ctx->tot_len = 0;
352 }
353
354 void sha256_update(sha256_ctx *ctx, const unsigned char *message,
355 unsigned int len)
356 {
357 unsigned int block_nb;
358 unsigned int new_len, rem_len, tmp_len;
359 const unsigned char *shifted_message;
360
361 tmp_len = SHA256_BLOCK_SIZE - ctx->len;
362 rem_len = len < tmp_len ? len : tmp_len;
363
364 memcpy(&ctx->block[ctx->len], message, rem_len);
365
366 if (ctx->len + len < SHA256_BLOCK_SIZE) {
367 ctx->len += len;
368 return;
369 }
370
371 new_len = len - rem_len;
372 block_nb = new_len / SHA256_BLOCK_SIZE;
373
374 shifted_message = message + rem_len;
375
376 sha256_transf(ctx, ctx->block, 1);
377 sha256_transf(ctx, shifted_message, block_nb);
378
379 rem_len = new_len % SHA256_BLOCK_SIZE;
380
381 memcpy(ctx->block, &shifted_message[block_nb << 6],
382 rem_len);
383
384 ctx->len = rem_len;
385 ctx->tot_len += (block_nb + 1) << 6;
386 }
387
388 void sha256_final(sha256_ctx *ctx, unsigned char *digest)
389 {
390 unsigned int block_nb;
391 unsigned int pm_len;
392 unsigned int len_b;
393
394 #ifndef UNROLL_LOOPS
395 int i;
396 #endif
397
398 block_nb = (1 + ((SHA256_BLOCK_SIZE - 9)
399 < (ctx->len % SHA256_BLOCK_SIZE)));
400
401 len_b = (ctx->tot_len + ctx->len) << 3;
402 pm_len = block_nb << 6;
403
404 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
405 ctx->block[ctx->len] = 0x80;
406 UNPACK32(len_b, ctx->block + pm_len - 4);
407
408 sha256_transf(ctx, ctx->block, block_nb);
409
410 #ifndef UNROLL_LOOPS
411 for (i = 0 ; i < 8; i++) {
412 UNPACK32(ctx->h[i], &digest[i << 2]);
413 }
414 #else
415 UNPACK32(ctx->h[0], &digest[ 0]);
416 UNPACK32(ctx->h[1], &digest[ 4]);
417 UNPACK32(ctx->h[2], &digest[ 8]);
418 UNPACK32(ctx->h[3], &digest[12]);
419 UNPACK32(ctx->h[4], &digest[16]);
420 UNPACK32(ctx->h[5], &digest[20]);
421 UNPACK32(ctx->h[6], &digest[24]);
422 UNPACK32(ctx->h[7], &digest[28]);
423 #endif /* !UNROLL_LOOPS */
424 }
425
426 /* SHA-512 functions */
427
428 void sha512_transf(sha512_ctx *ctx, const unsigned char *message,
429 unsigned int block_nb)
430 {
431 uint64 w[80];
432 uint64 wv[8];
433 uint64 t1, t2;
434 const unsigned char *sub_block;
435 int i, j;
436
437 for (i = 0; i < (int) block_nb; i++) {
438 sub_block = message + (i << 7);
439
440 #ifndef UNROLL_LOOPS
441 for (j = 0; j < 16; j++) {
442 PACK64(&sub_block[j << 3], &w[j]);
443 }
444
445 for (j = 16; j < 80; j++) {
446 SHA512_SCR(j);
447 }
448
449 for (j = 0; j < 8; j++) {
450 wv[j] = ctx->h[j];
451 }
452
453 for (j = 0; j < 80; j++) {
454 t1 = wv[7] + SHA512_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
455 + sha512_k[j] + w[j];
456 t2 = SHA512_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
457 wv[7] = wv[6];
458 wv[6] = wv[5];
459 wv[5] = wv[4];
460 wv[4] = wv[3] + t1;
461 wv[3] = wv[2];
462 wv[2] = wv[1];
463 wv[1] = wv[0];
464 wv[0] = t1 + t2;
465 }
466
467 for (j = 0; j < 8; j++) {
468 ctx->h[j] += wv[j];
469 }
470 #else
471 PACK64(&sub_block[ 0], &w[ 0]); PACK64(&sub_block[ 8], &w[ 1]);
472 PACK64(&sub_block[ 16], &w[ 2]); PACK64(&sub_block[ 24], &w[ 3]);
473 PACK64(&sub_block[ 32], &w[ 4]); PACK64(&sub_block[ 40], &w[ 5]);
474 PACK64(&sub_block[ 48], &w[ 6]); PACK64(&sub_block[ 56], &w[ 7]);
475 PACK64(&sub_block[ 64], &w[ 8]); PACK64(&sub_block[ 72], &w[ 9]);
476 PACK64(&sub_block[ 80], &w[10]); PACK64(&sub_block[ 88], &w[11]);
477 PACK64(&sub_block[ 96], &w[12]); PACK64(&sub_block[104], &w[13]);
478 PACK64(&sub_block[112], &w[14]); PACK64(&sub_block[120], &w[15]);
479
480 SHA512_SCR(16); SHA512_SCR(17); SHA512_SCR(18); SHA512_SCR(19);
481 SHA512_SCR(20); SHA512_SCR(21); SHA512_SCR(22); SHA512_SCR(23);
482 SHA512_SCR(24); SHA512_SCR(25); SHA512_SCR(26); SHA512_SCR(27);
483 SHA512_SCR(28); SHA512_SCR(29); SHA512_SCR(30); SHA512_SCR(31);
484 SHA512_SCR(32); SHA512_SCR(33); SHA512_SCR(34); SHA512_SCR(35);
485 SHA512_SCR(36); SHA512_SCR(37); SHA512_SCR(38); SHA512_SCR(39);
486 SHA512_SCR(40); SHA512_SCR(41); SHA512_SCR(42); SHA512_SCR(43);
487 SHA512_SCR(44); SHA512_SCR(45); SHA512_SCR(46); SHA512_SCR(47);
488 SHA512_SCR(48); SHA512_SCR(49); SHA512_SCR(50); SHA512_SCR(51);
489 SHA512_SCR(52); SHA512_SCR(53); SHA512_SCR(54); SHA512_SCR(55);
490 SHA512_SCR(56); SHA512_SCR(57); SHA512_SCR(58); SHA512_SCR(59);
491 SHA512_SCR(60); SHA512_SCR(61); SHA512_SCR(62); SHA512_SCR(63);
492 SHA512_SCR(64); SHA512_SCR(65); SHA512_SCR(66); SHA512_SCR(67);
493 SHA512_SCR(68); SHA512_SCR(69); SHA512_SCR(70); SHA512_SCR(71);
494 SHA512_SCR(72); SHA512_SCR(73); SHA512_SCR(74); SHA512_SCR(75);
495 SHA512_SCR(76); SHA512_SCR(77); SHA512_SCR(78); SHA512_SCR(79);
496
497 wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
498 wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
499 wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
500 wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
501
502 j = 0;
503
504 do {
505 SHA512_EXP(0,1,2,3,4,5,6,7,j); j++;
506 SHA512_EXP(7,0,1,2,3,4,5,6,j); j++;
507 SHA512_EXP(6,7,0,1,2,3,4,5,j); j++;
508 SHA512_EXP(5,6,7,0,1,2,3,4,j); j++;
509 SHA512_EXP(4,5,6,7,0,1,2,3,j); j++;
510 SHA512_EXP(3,4,5,6,7,0,1,2,j); j++;
511 SHA512_EXP(2,3,4,5,6,7,0,1,j); j++;
512 SHA512_EXP(1,2,3,4,5,6,7,0,j); j++;
513 } while (j < 80);
514
515 ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
516 ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
517 ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
518 ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
519 #endif /* !UNROLL_LOOPS */
520 }
521 }
522
523 void sha512(const unsigned char *message, unsigned int len,
524 unsigned char *digest)
525 {
526 sha512_ctx ctx;
527
528 sha512_init(&ctx);
529 sha512_update(&ctx, message, len);
530 sha512_final(&ctx, digest);
531 }
532
533 void sha512_init(sha512_ctx *ctx)
534 {
535 #ifndef UNROLL_LOOPS
536 int i;
537 for (i = 0; i < 8; i++) {
538 ctx->h[i] = sha512_h0[i];
539 }
540 #else
541 ctx->h[0] = sha512_h0[0]; ctx->h[1] = sha512_h0[1];
542 ctx->h[2] = sha512_h0[2]; ctx->h[3] = sha512_h0[3];
543 ctx->h[4] = sha512_h0[4]; ctx->h[5] = sha512_h0[5];
544 ctx->h[6] = sha512_h0[6]; ctx->h[7] = sha512_h0[7];
545 #endif /* !UNROLL_LOOPS */
546
547 ctx->len = 0;
548 ctx->tot_len = 0;
549 }
550
551 void sha512_update(sha512_ctx *ctx, const unsigned char *message,
552 unsigned int len)
553 {
554 unsigned int block_nb;
555 unsigned int new_len, rem_len, tmp_len;
556 const unsigned char *shifted_message;
557
558 tmp_len = SHA512_BLOCK_SIZE - ctx->len;
559 rem_len = len < tmp_len ? len : tmp_len;
560
561 memcpy(&ctx->block[ctx->len], message, rem_len);
562
563 if (ctx->len + len < SHA512_BLOCK_SIZE) {
564 ctx->len += len;
565 return;
566 }
567
568 new_len = len - rem_len;
569 block_nb = new_len / SHA512_BLOCK_SIZE;
570
571 shifted_message = message + rem_len;
572
573 sha512_transf(ctx, ctx->block, 1);
574 sha512_transf(ctx, shifted_message, block_nb);
575
576 rem_len = new_len % SHA512_BLOCK_SIZE;
577
578 memcpy(ctx->block, &shifted_message[block_nb << 7],
579 rem_len);
580
581 ctx->len = rem_len;
582 ctx->tot_len += (block_nb + 1) << 7;
583 }
584
585 void sha512_final(sha512_ctx *ctx, unsigned char *digest)
586 {
587 unsigned int block_nb;
588 unsigned int pm_len;
589 unsigned int len_b;
590
591 #ifndef UNROLL_LOOPS
592 int i;
593 #endif
594
595 block_nb = 1 + ((SHA512_BLOCK_SIZE - 17)
596 < (ctx->len % SHA512_BLOCK_SIZE));
597
598 len_b = (ctx->tot_len + ctx->len) << 3;
599 pm_len = block_nb << 7;
600
601 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
602 ctx->block[ctx->len] = 0x80;
603 UNPACK32(len_b, ctx->block + pm_len - 4);
604
605 sha512_transf(ctx, ctx->block, block_nb);
606
607 #ifndef UNROLL_LOOPS
608 for (i = 0 ; i < 8; i++) {
609 UNPACK64(ctx->h[i], &digest[i << 3]);
610 }
611 #else
612 UNPACK64(ctx->h[0], &digest[ 0]);
613 UNPACK64(ctx->h[1], &digest[ 8]);
614 UNPACK64(ctx->h[2], &digest[16]);
615 UNPACK64(ctx->h[3], &digest[24]);
616 UNPACK64(ctx->h[4], &digest[32]);
617 UNPACK64(ctx->h[5], &digest[40]);
618 UNPACK64(ctx->h[6], &digest[48]);
619 UNPACK64(ctx->h[7], &digest[56]);
620 #endif /* !UNROLL_LOOPS */
621 }
622
623 /* SHA-384 functions */
624
625 void sha384(const unsigned char *message, unsigned int len,
626 unsigned char *digest)
627 {
628 sha384_ctx ctx;
629
630 sha384_init(&ctx);
631 sha384_update(&ctx, message, len);
632 sha384_final(&ctx, digest);
633 }
634
635 void sha384_init(sha384_ctx *ctx)
636 {
637 #ifndef UNROLL_LOOPS
638 int i;
639 for (i = 0; i < 8; i++) {
640 ctx->h[i] = sha384_h0[i];
641 }
642 #else
643 ctx->h[0] = sha384_h0[0]; ctx->h[1] = sha384_h0[1];
644 ctx->h[2] = sha384_h0[2]; ctx->h[3] = sha384_h0[3];
645 ctx->h[4] = sha384_h0[4]; ctx->h[5] = sha384_h0[5];
646 ctx->h[6] = sha384_h0[6]; ctx->h[7] = sha384_h0[7];
647 #endif /* !UNROLL_LOOPS */
648
649 ctx->len = 0;
650 ctx->tot_len = 0;
651 }
652
653 void sha384_update(sha384_ctx *ctx, const unsigned char *message,
654 unsigned int len)
655 {
656 unsigned int block_nb;
657 unsigned int new_len, rem_len, tmp_len;
658 const unsigned char *shifted_message;
659
660 tmp_len = SHA384_BLOCK_SIZE - ctx->len;
661 rem_len = len < tmp_len ? len : tmp_len;
662
663 memcpy(&ctx->block[ctx->len], message, rem_len);
664
665 if (ctx->len + len < SHA384_BLOCK_SIZE) {
666 ctx->len += len;
667 return;
668 }
669
670 new_len = len - rem_len;
671 block_nb = new_len / SHA384_BLOCK_SIZE;
672
673 shifted_message = message + rem_len;
674
675 sha512_transf(ctx, ctx->block, 1);
676 sha512_transf(ctx, shifted_message, block_nb);
677
678 rem_len = new_len % SHA384_BLOCK_SIZE;
679
680 memcpy(ctx->block, &shifted_message[block_nb << 7],
681 rem_len);
682
683 ctx->len = rem_len;
684 ctx->tot_len += (block_nb + 1) << 7;
685 }
686
687 void sha384_final(sha384_ctx *ctx, unsigned char *digest)
688 {
689 unsigned int block_nb;
690 unsigned int pm_len;
691 unsigned int len_b;
692
693 #ifndef UNROLL_LOOPS
694 int i;
695 #endif
696
697 block_nb = (1 + ((SHA384_BLOCK_SIZE - 17)
698 < (ctx->len % SHA384_BLOCK_SIZE)));
699
700 len_b = (ctx->tot_len + ctx->len) << 3;
701 pm_len = block_nb << 7;
702
703 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
704 ctx->block[ctx->len] = 0x80;
705 UNPACK32(len_b, ctx->block + pm_len - 4);
706
707 sha512_transf(ctx, ctx->block, block_nb);
708
709 #ifndef UNROLL_LOOPS
710 for (i = 0 ; i < 6; i++) {
711 UNPACK64(ctx->h[i], &digest[i << 3]);
712 }
713 #else
714 UNPACK64(ctx->h[0], &digest[ 0]);
715 UNPACK64(ctx->h[1], &digest[ 8]);
716 UNPACK64(ctx->h[2], &digest[16]);
717 UNPACK64(ctx->h[3], &digest[24]);
718 UNPACK64(ctx->h[4], &digest[32]);
719 UNPACK64(ctx->h[5], &digest[40]);
720 #endif /* !UNROLL_LOOPS */
721 }
722
723 /* SHA-224 functions */
724
725 void sha224(const unsigned char *message, unsigned int len,
726 unsigned char *digest)
727 {
728 sha224_ctx ctx;
729
730 sha224_init(&ctx);
731 sha224_update(&ctx, message, len);
732 sha224_final(&ctx, digest);
733 }
734
735 void sha224_init(sha224_ctx *ctx)
736 {
737 #ifndef UNROLL_LOOPS
738 int i;
739 for (i = 0; i < 8; i++) {
740 ctx->h[i] = sha224_h0[i];
741 }
742 #else
743 ctx->h[0] = sha224_h0[0]; ctx->h[1] = sha224_h0[1];
744 ctx->h[2] = sha224_h0[2]; ctx->h[3] = sha224_h0[3];
745 ctx->h[4] = sha224_h0[4]; ctx->h[5] = sha224_h0[5];
746 ctx->h[6] = sha224_h0[6]; ctx->h[7] = sha224_h0[7];
747 #endif /* !UNROLL_LOOPS */
748
749 ctx->len = 0;
750 ctx->tot_len = 0;
751 }
752
753 void sha224_update(sha224_ctx *ctx, const unsigned char *message,
754 unsigned int len)
755 {
756 unsigned int block_nb;
757 unsigned int new_len, rem_len, tmp_len;
758 const unsigned char *shifted_message;
759
760 tmp_len = SHA224_BLOCK_SIZE - ctx->len;
761 rem_len = len < tmp_len ? len : tmp_len;
762
763 memcpy(&ctx->block[ctx->len], message, rem_len);
764
765 if (ctx->len + len < SHA224_BLOCK_SIZE) {
766 ctx->len += len;
767 return;
768 }
769
770 new_len = len - rem_len;
771 block_nb = new_len / SHA224_BLOCK_SIZE;
772
773 shifted_message = message + rem_len;
774
775 sha256_transf(ctx, ctx->block, 1);
776 sha256_transf(ctx, shifted_message, block_nb);
777
778 rem_len = new_len % SHA224_BLOCK_SIZE;
779
780 memcpy(ctx->block, &shifted_message[block_nb << 6],
781 rem_len);
782
783 ctx->len = rem_len;
784 ctx->tot_len += (block_nb + 1) << 6;
785 }
786
787 void sha224_final(sha224_ctx *ctx, unsigned char *digest)
788 {
789 unsigned int block_nb;
790 unsigned int pm_len;
791 unsigned int len_b;
792
793 #ifndef UNROLL_LOOPS
794 int i;
795 #endif
796
797 block_nb = (1 + ((SHA224_BLOCK_SIZE - 9)
798 < (ctx->len % SHA224_BLOCK_SIZE)));
799
800 len_b = (ctx->tot_len + ctx->len) << 3;
801 pm_len = block_nb << 6;
802
803 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
804 ctx->block[ctx->len] = 0x80;
805 UNPACK32(len_b, ctx->block + pm_len - 4);
806
807 sha256_transf(ctx, ctx->block, block_nb);
808
809 #ifndef UNROLL_LOOPS
810 for (i = 0 ; i < 7; i++) {
811 UNPACK32(ctx->h[i], &digest[i << 2]);
812 }
813 #else
814 UNPACK32(ctx->h[0], &digest[ 0]);
815 UNPACK32(ctx->h[1], &digest[ 4]);
816 UNPACK32(ctx->h[2], &digest[ 8]);
817 UNPACK32(ctx->h[3], &digest[12]);
818 UNPACK32(ctx->h[4], &digest[16]);
819 UNPACK32(ctx->h[5], &digest[20]);
820 UNPACK32(ctx->h[6], &digest[24]);
821 #endif /* !UNROLL_LOOPS */
822 }
823
824 #ifdef TEST_VECTORS
825
826 /* FIPS 180-2 Validation tests */
827
828 #include <stdio.h>
829 #include <stdlib.h>
830
831 void test(const unsigned char *vector, unsigned char *digest,
832 unsigned int digest_size)
833 {
834 unsigned char output[2 * SHA512_DIGEST_SIZE + 1];
835 int i;
836
837 output[2 * digest_size] = '\0';
838
839 for (i = 0; i < (int) digest_size ; i++) {
840 sprintf((char *) output + 2 * i, "%02x", digest[i]);
841 }
842
843 printf("H: %s\n", output);
844 if (strcmp((char *) vector, (char *) output)) {
845 fprintf(stderr, "Test failed.\n");
846 exit(EXIT_FAILURE);
847 }
848 }
849
850 int main()
851 {
852 static const unsigned char *vectors[4][3] =
853 { /* SHA-224 */
854 {
855 "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7",
856 "75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525",
857 "20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67",
858 },
859 /* SHA-256 */
860 {
861 "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
862 "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1",
863 "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0",
864 },
865 /* SHA-384 */
866 {
867 "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
868 "8086072ba1e7cc2358baeca134c825a7",
869 "09330c33f71147e83d192fc782cd1b4753111b173b3b05d22fa08086e3b0f712"
870 "fcc7c71a557e2db966c3e9fa91746039",
871 "9d0e1809716474cb086e834e310a4a1ced149e9c00f248527972cec5704c2a5b"
872 "07b8b3dc38ecc4ebae97ddd87f3d8985",
873 },
874 /* SHA-512 */
875 {
876 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
877 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
878 "8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018"
879 "501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909",
880 "e718483d0ce769644e2e42c7bc15b4638e1f98b13b2044285632a803afa973eb"
881 "de0ff244877ea60a4cb0432ce577c31beb009c5c2c49aa2e4eadb217ad8cc09b"
882 }
883 };
884
885 static const unsigned char message1[] = "abc";
886 static const unsigned char message2a[] = "abcdbcdecdefdefgefghfghighijhi"
887 "jkijkljklmklmnlmnomnopnopq";
888 static const unsigned char message2b[] =
889 "abcdefghbcdefghicdefghijdefghijkefghij"
890 "klfghijklmghijklmnhijklmnoijklmnopjklm"
891 "nopqklmnopqrlmnopqrsmnopqrstnopqrstu";
892 unsigned char *message3;
893 unsigned int message3_len = 1000000;
894 unsigned char digest[SHA512_DIGEST_SIZE];
895
896 message3 = malloc(message3_len);
897 if (message3 == NULL) {
898 fprintf(stderr, "Can't allocate memory\n");
899 return -1;
900 }
901 memset(message3, 'a', message3_len);
902
903 printf("SHA-2 FIPS 180-2 Validation tests\n\n");
904 printf("SHA-224 Test vectors\n");
905
906 sha224(message1, strlen((char *) message1), digest);
907 test(vectors[0][0], digest, SHA224_DIGEST_SIZE);
908 sha224(message2a, strlen((char *) message2a), digest);
909 test(vectors[0][1], digest, SHA224_DIGEST_SIZE);
910 sha224(message3, message3_len, digest);
911 test(vectors[0][2], digest, SHA224_DIGEST_SIZE);
912 printf("\n");
913
914 printf("SHA-256 Test vectors\n");
915
916 sha256(message1, strlen((char *) message1), digest);
917 test(vectors[1][0], digest, SHA256_DIGEST_SIZE);
918 sha256(message2a, strlen((char *) message2a), digest);
919 test(vectors[1][1], digest, SHA256_DIGEST_SIZE);
920 sha256(message3, message3_len, digest);
921 test(vectors[1][2], digest, SHA256_DIGEST_SIZE);
922 printf("\n");
923
924 printf("SHA-384 Test vectors\n");
925
926 sha384(message1, strlen((char *) message1), digest);
927 test(vectors[2][0], digest, SHA384_DIGEST_SIZE);
928 sha384(message2b, strlen((char *) message2b), digest);
929 test(vectors[2][1], digest, SHA384_DIGEST_SIZE);
930 sha384(message3, message3_len, digest);
931 test(vectors[2][2], digest, SHA384_DIGEST_SIZE);
932 printf("\n");
933
934 printf("SHA-512 Test vectors\n");
935
936 sha512(message1, strlen((char *) message1), digest);
937 test(vectors[3][0], digest, SHA512_DIGEST_SIZE);
938 sha512(message2b, strlen((char *) message2b), digest);
939 test(vectors[3][1], digest, SHA512_DIGEST_SIZE);
940 sha512(message3, message3_len, digest);
941 test(vectors[3][2], digest, SHA512_DIGEST_SIZE);
942 printf("\n");
943
944 printf("All tests passed.\n");
945
946 return 0;
947 }
948
949 #endif /* TEST_VECTORS */
950
Yet another darcs to git importer