1 /*-------------------------------------------------------------------------
4 * SHA functions for SHA-224, SHA-256, SHA-384 and SHA-512.
6 * This includes the fallback implementation for SHA2 cryptographic
9 * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
10 * Portions Copyright (c) 1994, Regents of the University of California
15 *-------------------------------------------------------------------------
18 /* $OpenBSD: sha2.c,v 1.6 2004/05/03 02:57:36 millert Exp $ */
21 * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
23 * Copyright (c) 2000-2001, Aaron D. Gifford
24 * All rights reserved.
26 * Redistribution and use in source and binary forms, with or without
27 * modification, are permitted provided that the following conditions
29 * 1. Redistributions of source code must retain the above copyright
30 * notice, this list of conditions and the following disclaimer.
31 * 2. Redistributions in binary form must reproduce the above copyright
32 * notice, this list of conditions and the following disclaimer in the
33 * documentation and/or other materials provided with the distribution.
34 * 3. Neither the name of the copyright holder nor the names of contributors
35 * may be used to endorse or promote products derived from this software
36 * without specific prior written permission.
38 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
39 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
41 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
42 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
43 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
44 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
46 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
47 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
57 #include "postgres_fe.h"
63 * In backend, use palloc/pfree to ease the error handling. In frontend,
64 * use malloc to be able to return a failure status back to the caller.
67 #define ALLOC(size) palloc(size)
68 #define FREE(ptr) pfree(ptr)
70 #define ALLOC(size) malloc(size)
71 #define FREE(ptr) free(ptr)
75 * UNROLLED TRANSFORM LOOP NOTE:
76 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
77 * loop version for the hash transform rounds (defined using macros
78 * later in this file). Either define on the command line, for example:
80 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
84 * #define SHA2_UNROLL_TRANSFORM
88 /*** SHA-256/384/512 Various Length Definitions ***********************/
89 #define PG_SHA256_SHORT_BLOCK_LENGTH (PG_SHA256_BLOCK_LENGTH - 8)
90 #define PG_SHA384_SHORT_BLOCK_LENGTH (PG_SHA384_BLOCK_LENGTH - 16)
91 #define PG_SHA512_SHORT_BLOCK_LENGTH (PG_SHA512_BLOCK_LENGTH - 16)
93 /*** ENDIAN REVERSAL MACROS *******************************************/
94 #ifndef WORDS_BIGENDIAN
95 #define REVERSE32(w,x) { \
97 tmp = (tmp >> 16) | (tmp << 16); \
98 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
100 #define REVERSE64(w,x) { \
102 tmp = (tmp >> 32) | (tmp << 32); \
103 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
104 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
105 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
106 ((tmp & 0x0000ffff0000ffffULL) << 16); \
108 #endif /* not bigendian */
111 * Macro for incrementally adding the unsigned 64-bit integer n to the
112 * unsigned 128-bit integer (represented using a two-element array of
115 #define ADDINC128(w,n) { \
116 (w)[0] += (uint64)(n); \
117 if ((w)[0] < (n)) { \
122 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
124 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
126 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
127 * S is a ROTATION) because the SHA-256/384/512 description document
128 * (see http://www.iwar.org.uk/comsec/resources/cipher/sha256-384-512.pdf)
129 * uses this same "backwards" definition.
131 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
132 #define R(b,x) ((x) >> (b))
133 /* 32-bit Rotate-right (used in SHA-256): */
134 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
135 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
136 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
138 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
139 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
140 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
142 /* Four of six logical functions used in SHA-256: */
143 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
144 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
145 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
146 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
148 /* Four of six logical functions used in SHA-384 and SHA-512: */
149 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
150 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
151 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
152 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
154 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
155 /* NOTE: These should not be accessed directly from outside this
156 * library -- they are intended for private internal visibility/use
159 static void SHA512_Last(pg_sha512_ctx
*context
);
160 static void SHA256_Transform(pg_sha256_ctx
*context
, const uint8
*data
);
161 static void SHA512_Transform(pg_sha512_ctx
*context
, const uint8
*data
);
163 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
164 /* Hash constant words K for SHA-256: */
165 static const uint32 K256
[64] = {
166 0x428a2f98UL
, 0x71374491UL
, 0xb5c0fbcfUL
, 0xe9b5dba5UL
,
167 0x3956c25bUL
, 0x59f111f1UL
, 0x923f82a4UL
, 0xab1c5ed5UL
,
168 0xd807aa98UL
, 0x12835b01UL
, 0x243185beUL
, 0x550c7dc3UL
,
169 0x72be5d74UL
, 0x80deb1feUL
, 0x9bdc06a7UL
, 0xc19bf174UL
,
170 0xe49b69c1UL
, 0xefbe4786UL
, 0x0fc19dc6UL
, 0x240ca1ccUL
,
171 0x2de92c6fUL
, 0x4a7484aaUL
, 0x5cb0a9dcUL
, 0x76f988daUL
,
172 0x983e5152UL
, 0xa831c66dUL
, 0xb00327c8UL
, 0xbf597fc7UL
,
173 0xc6e00bf3UL
, 0xd5a79147UL
, 0x06ca6351UL
, 0x14292967UL
,
174 0x27b70a85UL
, 0x2e1b2138UL
, 0x4d2c6dfcUL
, 0x53380d13UL
,
175 0x650a7354UL
, 0x766a0abbUL
, 0x81c2c92eUL
, 0x92722c85UL
,
176 0xa2bfe8a1UL
, 0xa81a664bUL
, 0xc24b8b70UL
, 0xc76c51a3UL
,
177 0xd192e819UL
, 0xd6990624UL
, 0xf40e3585UL
, 0x106aa070UL
,
178 0x19a4c116UL
, 0x1e376c08UL
, 0x2748774cUL
, 0x34b0bcb5UL
,
179 0x391c0cb3UL
, 0x4ed8aa4aUL
, 0x5b9cca4fUL
, 0x682e6ff3UL
,
180 0x748f82eeUL
, 0x78a5636fUL
, 0x84c87814UL
, 0x8cc70208UL
,
181 0x90befffaUL
, 0xa4506cebUL
, 0xbef9a3f7UL
, 0xc67178f2UL
184 /* Initial hash value H for SHA-224: */
185 static const uint32 sha224_initial_hash_value
[8] = {
196 /* Initial hash value H for SHA-256: */
197 static const uint32 sha256_initial_hash_value
[8] = {
208 /* Hash constant words K for SHA-384 and SHA-512: */
209 static const uint64 K512
[80] = {
210 0x428a2f98d728ae22ULL
, 0x7137449123ef65cdULL
,
211 0xb5c0fbcfec4d3b2fULL
, 0xe9b5dba58189dbbcULL
,
212 0x3956c25bf348b538ULL
, 0x59f111f1b605d019ULL
,
213 0x923f82a4af194f9bULL
, 0xab1c5ed5da6d8118ULL
,
214 0xd807aa98a3030242ULL
, 0x12835b0145706fbeULL
,
215 0x243185be4ee4b28cULL
, 0x550c7dc3d5ffb4e2ULL
,
216 0x72be5d74f27b896fULL
, 0x80deb1fe3b1696b1ULL
,
217 0x9bdc06a725c71235ULL
, 0xc19bf174cf692694ULL
,
218 0xe49b69c19ef14ad2ULL
, 0xefbe4786384f25e3ULL
,
219 0x0fc19dc68b8cd5b5ULL
, 0x240ca1cc77ac9c65ULL
,
220 0x2de92c6f592b0275ULL
, 0x4a7484aa6ea6e483ULL
,
221 0x5cb0a9dcbd41fbd4ULL
, 0x76f988da831153b5ULL
,
222 0x983e5152ee66dfabULL
, 0xa831c66d2db43210ULL
,
223 0xb00327c898fb213fULL
, 0xbf597fc7beef0ee4ULL
,
224 0xc6e00bf33da88fc2ULL
, 0xd5a79147930aa725ULL
,
225 0x06ca6351e003826fULL
, 0x142929670a0e6e70ULL
,
226 0x27b70a8546d22ffcULL
, 0x2e1b21385c26c926ULL
,
227 0x4d2c6dfc5ac42aedULL
, 0x53380d139d95b3dfULL
,
228 0x650a73548baf63deULL
, 0x766a0abb3c77b2a8ULL
,
229 0x81c2c92e47edaee6ULL
, 0x92722c851482353bULL
,
230 0xa2bfe8a14cf10364ULL
, 0xa81a664bbc423001ULL
,
231 0xc24b8b70d0f89791ULL
, 0xc76c51a30654be30ULL
,
232 0xd192e819d6ef5218ULL
, 0xd69906245565a910ULL
,
233 0xf40e35855771202aULL
, 0x106aa07032bbd1b8ULL
,
234 0x19a4c116b8d2d0c8ULL
, 0x1e376c085141ab53ULL
,
235 0x2748774cdf8eeb99ULL
, 0x34b0bcb5e19b48a8ULL
,
236 0x391c0cb3c5c95a63ULL
, 0x4ed8aa4ae3418acbULL
,
237 0x5b9cca4f7763e373ULL
, 0x682e6ff3d6b2b8a3ULL
,
238 0x748f82ee5defb2fcULL
, 0x78a5636f43172f60ULL
,
239 0x84c87814a1f0ab72ULL
, 0x8cc702081a6439ecULL
,
240 0x90befffa23631e28ULL
, 0xa4506cebde82bde9ULL
,
241 0xbef9a3f7b2c67915ULL
, 0xc67178f2e372532bULL
,
242 0xca273eceea26619cULL
, 0xd186b8c721c0c207ULL
,
243 0xeada7dd6cde0eb1eULL
, 0xf57d4f7fee6ed178ULL
,
244 0x06f067aa72176fbaULL
, 0x0a637dc5a2c898a6ULL
,
245 0x113f9804bef90daeULL
, 0x1b710b35131c471bULL
,
246 0x28db77f523047d84ULL
, 0x32caab7b40c72493ULL
,
247 0x3c9ebe0a15c9bebcULL
, 0x431d67c49c100d4cULL
,
248 0x4cc5d4becb3e42b6ULL
, 0x597f299cfc657e2aULL
,
249 0x5fcb6fab3ad6faecULL
, 0x6c44198c4a475817ULL
252 /* Initial hash value H for SHA-384 */
253 static const uint64 sha384_initial_hash_value
[8] = {
254 0xcbbb9d5dc1059ed8ULL
,
255 0x629a292a367cd507ULL
,
256 0x9159015a3070dd17ULL
,
257 0x152fecd8f70e5939ULL
,
258 0x67332667ffc00b31ULL
,
259 0x8eb44a8768581511ULL
,
260 0xdb0c2e0d64f98fa7ULL
,
261 0x47b5481dbefa4fa4ULL
264 /* Initial hash value H for SHA-512 */
265 static const uint64 sha512_initial_hash_value
[8] = {
266 0x6a09e667f3bcc908ULL
,
267 0xbb67ae8584caa73bULL
,
268 0x3c6ef372fe94f82bULL
,
269 0xa54ff53a5f1d36f1ULL
,
270 0x510e527fade682d1ULL
,
271 0x9b05688c2b3e6c1fULL
,
272 0x1f83d9abfb41bd6bULL
,
273 0x5be0cd19137e2179ULL
277 /*** SHA-256: *********************************************************/
279 pg_sha256_init(pg_sha256_ctx
*context
)
283 memcpy(context
->state
, sha256_initial_hash_value
, PG_SHA256_DIGEST_LENGTH
);
284 memset(context
->buffer
, 0, PG_SHA256_BLOCK_LENGTH
);
285 context
->bitcount
= 0;
288 #ifdef SHA2_UNROLL_TRANSFORM
290 /* Unrolled SHA-256 round macros: */
292 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
293 W256[j] = (uint32)data[3] | ((uint32)data[2] << 8) | \
294 ((uint32)data[1] << 16) | ((uint32)data[0] << 24); \
296 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
298 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
302 #define ROUND256(a,b,c,d,e,f,g,h) do { \
303 s0 = W256[(j+1)&0x0f]; \
304 s0 = sigma0_256(s0); \
305 s1 = W256[(j+14)&0x0f]; \
306 s1 = sigma1_256(s1); \
307 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
308 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
310 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
315 SHA256_Transform(pg_sha256_ctx
*context
, const uint8
*data
)
331 W256
= (uint32
*) context
->buffer
;
333 /* Initialize registers with the prev. intermediate value */
334 a
= context
->state
[0];
335 b
= context
->state
[1];
336 c
= context
->state
[2];
337 d
= context
->state
[3];
338 e
= context
->state
[4];
339 f
= context
->state
[5];
340 g
= context
->state
[6];
341 h
= context
->state
[7];
346 /* Rounds 0 to 15 (unrolled): */
347 ROUND256_0_TO_15(a
, b
, c
, d
, e
, f
, g
, h
);
348 ROUND256_0_TO_15(h
, a
, b
, c
, d
, e
, f
, g
);
349 ROUND256_0_TO_15(g
, h
, a
, b
, c
, d
, e
, f
);
350 ROUND256_0_TO_15(f
, g
, h
, a
, b
, c
, d
, e
);
351 ROUND256_0_TO_15(e
, f
, g
, h
, a
, b
, c
, d
);
352 ROUND256_0_TO_15(d
, e
, f
, g
, h
, a
, b
, c
);
353 ROUND256_0_TO_15(c
, d
, e
, f
, g
, h
, a
, b
);
354 ROUND256_0_TO_15(b
, c
, d
, e
, f
, g
, h
, a
);
357 /* Now for the remaining rounds to 64: */
360 ROUND256(a
, b
, c
, d
, e
, f
, g
, h
);
361 ROUND256(h
, a
, b
, c
, d
, e
, f
, g
);
362 ROUND256(g
, h
, a
, b
, c
, d
, e
, f
);
363 ROUND256(f
, g
, h
, a
, b
, c
, d
, e
);
364 ROUND256(e
, f
, g
, h
, a
, b
, c
, d
);
365 ROUND256(d
, e
, f
, g
, h
, a
, b
, c
);
366 ROUND256(c
, d
, e
, f
, g
, h
, a
, b
);
367 ROUND256(b
, c
, d
, e
, f
, g
, h
, a
);
370 /* Compute the current intermediate hash value */
371 context
->state
[0] += a
;
372 context
->state
[1] += b
;
373 context
->state
[2] += c
;
374 context
->state
[3] += d
;
375 context
->state
[4] += e
;
376 context
->state
[5] += f
;
377 context
->state
[6] += g
;
378 context
->state
[7] += h
;
381 a
= b
= c
= d
= e
= f
= g
= h
= T1
= 0;
383 #else /* SHA2_UNROLL_TRANSFORM */
386 SHA256_Transform(pg_sha256_ctx
*context
, const uint8
*data
)
403 W256
= (uint32
*) context
->buffer
;
405 /* Initialize registers with the prev. intermediate value */
406 a
= context
->state
[0];
407 b
= context
->state
[1];
408 c
= context
->state
[2];
409 d
= context
->state
[3];
410 e
= context
->state
[4];
411 f
= context
->state
[5];
412 g
= context
->state
[6];
413 h
= context
->state
[7];
418 W256
[j
] = (uint32
) data
[3] | ((uint32
) data
[2] << 8) |
419 ((uint32
) data
[1] << 16) | ((uint32
) data
[0] << 24);
421 /* Apply the SHA-256 compression function to update a..h */
422 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] + W256
[j
];
423 T2
= Sigma0_256(a
) + Maj(a
, b
, c
);
438 /* Part of the message block expansion: */
439 s0
= W256
[(j
+ 1) & 0x0f];
441 s1
= W256
[(j
+ 14) & 0x0f];
444 /* Apply the SHA-256 compression function to update a..h */
445 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] +
446 (W256
[j
& 0x0f] += s1
+ W256
[(j
+ 9) & 0x0f] + s0
);
447 T2
= Sigma0_256(a
) + Maj(a
, b
, c
);
460 /* Compute the current intermediate hash value */
461 context
->state
[0] += a
;
462 context
->state
[1] += b
;
463 context
->state
[2] += c
;
464 context
->state
[3] += d
;
465 context
->state
[4] += e
;
466 context
->state
[5] += f
;
467 context
->state
[6] += g
;
468 context
->state
[7] += h
;
471 a
= b
= c
= d
= e
= f
= g
= h
= T1
= T2
= 0;
473 #endif /* SHA2_UNROLL_TRANSFORM */
476 pg_sha256_update(pg_sha256_ctx
*context
, const uint8
*data
, size_t len
)
481 /* Calling with no data is valid (we do nothing) */
485 usedspace
= (context
->bitcount
>> 3) % PG_SHA256_BLOCK_LENGTH
;
488 /* Calculate how much free space is available in the buffer */
489 freespace
= PG_SHA256_BLOCK_LENGTH
- usedspace
;
491 if (len
>= freespace
)
493 /* Fill the buffer completely and process it */
494 memcpy(&context
->buffer
[usedspace
], data
, freespace
);
495 context
->bitcount
+= freespace
<< 3;
498 SHA256_Transform(context
, context
->buffer
);
502 /* The buffer is not yet full */
503 memcpy(&context
->buffer
[usedspace
], data
, len
);
504 context
->bitcount
+= len
<< 3;
506 usedspace
= freespace
= 0;
510 while (len
>= PG_SHA256_BLOCK_LENGTH
)
512 /* Process as many complete blocks as we can */
513 SHA256_Transform(context
, data
);
514 context
->bitcount
+= PG_SHA256_BLOCK_LENGTH
<< 3;
515 len
-= PG_SHA256_BLOCK_LENGTH
;
516 data
+= PG_SHA256_BLOCK_LENGTH
;
520 /* There's left-overs, so save 'em */
521 memcpy(context
->buffer
, data
, len
);
522 context
->bitcount
+= len
<< 3;
525 usedspace
= freespace
= 0;
529 SHA256_Last(pg_sha256_ctx
*context
)
531 unsigned int usedspace
;
533 usedspace
= (context
->bitcount
>> 3) % PG_SHA256_BLOCK_LENGTH
;
534 #ifndef WORDS_BIGENDIAN
535 /* Convert FROM host byte order */
536 REVERSE64(context
->bitcount
, context
->bitcount
);
540 /* Begin padding with a 1 bit: */
541 context
->buffer
[usedspace
++] = 0x80;
543 if (usedspace
<= PG_SHA256_SHORT_BLOCK_LENGTH
)
545 /* Set-up for the last transform: */
546 memset(&context
->buffer
[usedspace
], 0, PG_SHA256_SHORT_BLOCK_LENGTH
- usedspace
);
550 if (usedspace
< PG_SHA256_BLOCK_LENGTH
)
552 memset(&context
->buffer
[usedspace
], 0, PG_SHA256_BLOCK_LENGTH
- usedspace
);
554 /* Do second-to-last transform: */
555 SHA256_Transform(context
, context
->buffer
);
557 /* And set-up for the last transform: */
558 memset(context
->buffer
, 0, PG_SHA256_SHORT_BLOCK_LENGTH
);
563 /* Set-up for the last transform: */
564 memset(context
->buffer
, 0, PG_SHA256_SHORT_BLOCK_LENGTH
);
566 /* Begin padding with a 1 bit: */
567 *context
->buffer
= 0x80;
569 /* Set the bit count: */
570 *(uint64
*) &context
->buffer
[PG_SHA256_SHORT_BLOCK_LENGTH
] = context
->bitcount
;
572 /* Final transform: */
573 SHA256_Transform(context
, context
->buffer
);
577 pg_sha256_final(pg_sha256_ctx
*context
, uint8
*digest
)
579 /* If no digest buffer is passed, we don't bother doing this: */
582 SHA256_Last(context
);
584 #ifndef WORDS_BIGENDIAN
586 /* Convert TO host byte order */
589 for (j
= 0; j
< 8; j
++)
591 REVERSE32(context
->state
[j
], context
->state
[j
]);
595 memcpy(digest
, context
->state
, PG_SHA256_DIGEST_LENGTH
);
598 /* Clean up state data: */
599 memset(context
, 0, sizeof(pg_sha256_ctx
));
603 /*** SHA-512: *********************************************************/
605 pg_sha512_init(pg_sha512_ctx
*context
)
609 memcpy(context
->state
, sha512_initial_hash_value
, PG_SHA512_DIGEST_LENGTH
);
610 memset(context
->buffer
, 0, PG_SHA512_BLOCK_LENGTH
);
611 context
->bitcount
[0] = context
->bitcount
[1] = 0;
614 #ifdef SHA2_UNROLL_TRANSFORM
616 /* Unrolled SHA-512 round macros: */
618 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
619 W512[j] = (uint64)data[7] | ((uint64)data[6] << 8) | \
620 ((uint64)data[5] << 16) | ((uint64)data[4] << 24) | \
621 ((uint64)data[3] << 32) | ((uint64)data[2] << 40) | \
622 ((uint64)data[1] << 48) | ((uint64)data[0] << 56); \
624 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
626 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
631 #define ROUND512(a,b,c,d,e,f,g,h) do { \
632 s0 = W512[(j+1)&0x0f]; \
633 s0 = sigma0_512(s0); \
634 s1 = W512[(j+14)&0x0f]; \
635 s1 = sigma1_512(s1); \
636 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
637 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
639 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
644 SHA512_Transform(pg_sha512_ctx
*context
, const uint8
*data
)
657 *W512
= (uint64
*) context
->buffer
;
660 /* Initialize registers with the prev. intermediate value */
661 a
= context
->state
[0];
662 b
= context
->state
[1];
663 c
= context
->state
[2];
664 d
= context
->state
[3];
665 e
= context
->state
[4];
666 f
= context
->state
[5];
667 g
= context
->state
[6];
668 h
= context
->state
[7];
673 ROUND512_0_TO_15(a
, b
, c
, d
, e
, f
, g
, h
);
674 ROUND512_0_TO_15(h
, a
, b
, c
, d
, e
, f
, g
);
675 ROUND512_0_TO_15(g
, h
, a
, b
, c
, d
, e
, f
);
676 ROUND512_0_TO_15(f
, g
, h
, a
, b
, c
, d
, e
);
677 ROUND512_0_TO_15(e
, f
, g
, h
, a
, b
, c
, d
);
678 ROUND512_0_TO_15(d
, e
, f
, g
, h
, a
, b
, c
);
679 ROUND512_0_TO_15(c
, d
, e
, f
, g
, h
, a
, b
);
680 ROUND512_0_TO_15(b
, c
, d
, e
, f
, g
, h
, a
);
683 /* Now for the remaining rounds up to 79: */
686 ROUND512(a
, b
, c
, d
, e
, f
, g
, h
);
687 ROUND512(h
, a
, b
, c
, d
, e
, f
, g
);
688 ROUND512(g
, h
, a
, b
, c
, d
, e
, f
);
689 ROUND512(f
, g
, h
, a
, b
, c
, d
, e
);
690 ROUND512(e
, f
, g
, h
, a
, b
, c
, d
);
691 ROUND512(d
, e
, f
, g
, h
, a
, b
, c
);
692 ROUND512(c
, d
, e
, f
, g
, h
, a
, b
);
693 ROUND512(b
, c
, d
, e
, f
, g
, h
, a
);
696 /* Compute the current intermediate hash value */
697 context
->state
[0] += a
;
698 context
->state
[1] += b
;
699 context
->state
[2] += c
;
700 context
->state
[3] += d
;
701 context
->state
[4] += e
;
702 context
->state
[5] += f
;
703 context
->state
[6] += g
;
704 context
->state
[7] += h
;
707 a
= b
= c
= d
= e
= f
= g
= h
= T1
= 0;
709 #else /* SHA2_UNROLL_TRANSFORM */
712 SHA512_Transform(pg_sha512_ctx
*context
, const uint8
*data
)
726 *W512
= (uint64
*) context
->buffer
;
729 /* Initialize registers with the prev. intermediate value */
730 a
= context
->state
[0];
731 b
= context
->state
[1];
732 c
= context
->state
[2];
733 d
= context
->state
[3];
734 e
= context
->state
[4];
735 f
= context
->state
[5];
736 g
= context
->state
[6];
737 h
= context
->state
[7];
742 W512
[j
] = (uint64
) data
[7] | ((uint64
) data
[6] << 8) |
743 ((uint64
) data
[5] << 16) | ((uint64
) data
[4] << 24) |
744 ((uint64
) data
[3] << 32) | ((uint64
) data
[2] << 40) |
745 ((uint64
) data
[1] << 48) | ((uint64
) data
[0] << 56);
747 /* Apply the SHA-512 compression function to update a..h */
748 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] + W512
[j
];
749 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
764 /* Part of the message block expansion: */
765 s0
= W512
[(j
+ 1) & 0x0f];
767 s1
= W512
[(j
+ 14) & 0x0f];
770 /* Apply the SHA-512 compression function to update a..h */
771 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] +
772 (W512
[j
& 0x0f] += s1
+ W512
[(j
+ 9) & 0x0f] + s0
);
773 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
786 /* Compute the current intermediate hash value */
787 context
->state
[0] += a
;
788 context
->state
[1] += b
;
789 context
->state
[2] += c
;
790 context
->state
[3] += d
;
791 context
->state
[4] += e
;
792 context
->state
[5] += f
;
793 context
->state
[6] += g
;
794 context
->state
[7] += h
;
797 a
= b
= c
= d
= e
= f
= g
= h
= T1
= T2
= 0;
799 #endif /* SHA2_UNROLL_TRANSFORM */
802 pg_sha512_update(pg_sha512_ctx
*context
, const uint8
*data
, size_t len
)
807 /* Calling with no data is valid (we do nothing) */
811 usedspace
= (context
->bitcount
[0] >> 3) % PG_SHA512_BLOCK_LENGTH
;
814 /* Calculate how much free space is available in the buffer */
815 freespace
= PG_SHA512_BLOCK_LENGTH
- usedspace
;
817 if (len
>= freespace
)
819 /* Fill the buffer completely and process it */
820 memcpy(&context
->buffer
[usedspace
], data
, freespace
);
821 ADDINC128(context
->bitcount
, freespace
<< 3);
824 SHA512_Transform(context
, context
->buffer
);
828 /* The buffer is not yet full */
829 memcpy(&context
->buffer
[usedspace
], data
, len
);
830 ADDINC128(context
->bitcount
, len
<< 3);
832 usedspace
= freespace
= 0;
836 while (len
>= PG_SHA512_BLOCK_LENGTH
)
838 /* Process as many complete blocks as we can */
839 SHA512_Transform(context
, data
);
840 ADDINC128(context
->bitcount
, PG_SHA512_BLOCK_LENGTH
<< 3);
841 len
-= PG_SHA512_BLOCK_LENGTH
;
842 data
+= PG_SHA512_BLOCK_LENGTH
;
846 /* There's left-overs, so save 'em */
847 memcpy(context
->buffer
, data
, len
);
848 ADDINC128(context
->bitcount
, len
<< 3);
851 usedspace
= freespace
= 0;
855 SHA512_Last(pg_sha512_ctx
*context
)
857 unsigned int usedspace
;
859 usedspace
= (context
->bitcount
[0] >> 3) % PG_SHA512_BLOCK_LENGTH
;
860 #ifndef WORDS_BIGENDIAN
861 /* Convert FROM host byte order */
862 REVERSE64(context
->bitcount
[0], context
->bitcount
[0]);
863 REVERSE64(context
->bitcount
[1], context
->bitcount
[1]);
867 /* Begin padding with a 1 bit: */
868 context
->buffer
[usedspace
++] = 0x80;
870 if (usedspace
<= PG_SHA512_SHORT_BLOCK_LENGTH
)
872 /* Set-up for the last transform: */
873 memset(&context
->buffer
[usedspace
], 0, PG_SHA512_SHORT_BLOCK_LENGTH
- usedspace
);
877 if (usedspace
< PG_SHA512_BLOCK_LENGTH
)
879 memset(&context
->buffer
[usedspace
], 0, PG_SHA512_BLOCK_LENGTH
- usedspace
);
881 /* Do second-to-last transform: */
882 SHA512_Transform(context
, context
->buffer
);
884 /* And set-up for the last transform: */
885 memset(context
->buffer
, 0, PG_SHA512_BLOCK_LENGTH
- 2);
890 /* Prepare for final transform: */
891 memset(context
->buffer
, 0, PG_SHA512_SHORT_BLOCK_LENGTH
);
893 /* Begin padding with a 1 bit: */
894 *context
->buffer
= 0x80;
896 /* Store the length of input data (in bits): */
897 *(uint64
*) &context
->buffer
[PG_SHA512_SHORT_BLOCK_LENGTH
] = context
->bitcount
[1];
898 *(uint64
*) &context
->buffer
[PG_SHA512_SHORT_BLOCK_LENGTH
+ 8] = context
->bitcount
[0];
900 /* Final transform: */
901 SHA512_Transform(context
, context
->buffer
);
905 pg_sha512_final(pg_sha512_ctx
*context
, uint8
*digest
)
907 /* If no digest buffer is passed, we don't bother doing this: */
910 SHA512_Last(context
);
912 /* Save the hash data for output: */
913 #ifndef WORDS_BIGENDIAN
915 /* Convert TO host byte order */
918 for (j
= 0; j
< 8; j
++)
920 REVERSE64(context
->state
[j
], context
->state
[j
]);
924 memcpy(digest
, context
->state
, PG_SHA512_DIGEST_LENGTH
);
927 /* Zero out state data */
928 memset(context
, 0, sizeof(pg_sha512_ctx
));
932 /*** SHA-384: *********************************************************/
934 pg_sha384_init(pg_sha384_ctx
*context
)
938 memcpy(context
->state
, sha384_initial_hash_value
, PG_SHA512_DIGEST_LENGTH
);
939 memset(context
->buffer
, 0, PG_SHA384_BLOCK_LENGTH
);
940 context
->bitcount
[0] = context
->bitcount
[1] = 0;
944 pg_sha384_update(pg_sha384_ctx
*context
, const uint8
*data
, size_t len
)
946 pg_sha512_update((pg_sha512_ctx
*) context
, data
, len
);
950 pg_sha384_final(pg_sha384_ctx
*context
, uint8
*digest
)
952 /* If no digest buffer is passed, we don't bother doing this: */
955 SHA512_Last((pg_sha512_ctx
*) context
);
957 /* Save the hash data for output: */
958 #ifndef WORDS_BIGENDIAN
960 /* Convert TO host byte order */
963 for (j
= 0; j
< 6; j
++)
965 REVERSE64(context
->state
[j
], context
->state
[j
]);
969 memcpy(digest
, context
->state
, PG_SHA384_DIGEST_LENGTH
);
972 /* Zero out state data */
973 memset(context
, 0, sizeof(pg_sha384_ctx
));
976 /*** SHA-224: *********************************************************/
978 pg_sha224_init(pg_sha224_ctx
*context
)
982 memcpy(context
->state
, sha224_initial_hash_value
, PG_SHA256_DIGEST_LENGTH
);
983 memset(context
->buffer
, 0, PG_SHA256_BLOCK_LENGTH
);
984 context
->bitcount
= 0;
988 pg_sha224_update(pg_sha224_ctx
*context
, const uint8
*data
, size_t len
)
990 pg_sha256_update((pg_sha256_ctx
*) context
, data
, len
);
994 pg_sha224_final(pg_sha224_ctx
*context
, uint8
*digest
)
996 /* If no digest buffer is passed, we don't bother doing this: */
999 SHA256_Last(context
);
1001 #ifndef WORDS_BIGENDIAN
1003 /* Convert TO host byte order */
1006 for (j
= 0; j
< 8; j
++)
1008 REVERSE32(context
->state
[j
], context
->state
[j
]);
1012 memcpy(digest
, context
->state
, PG_SHA224_DIGEST_LENGTH
);
1015 /* Clean up state data: */
1016 memset(context
, 0, sizeof(pg_sha224_ctx
));