jsonpath scanner: reentrant scanner
[pgsql.git] / src / common / sha2.c
blob736634b24be5dc2083754512fb450ca5036a4417
1 /*-------------------------------------------------------------------------
3 * sha2.c
4 * SHA functions for SHA-224, SHA-256, SHA-384 and SHA-512.
6 * This includes the fallback implementation for SHA2 cryptographic
7 * hashes.
9 * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
10 * Portions Copyright (c) 1994, Regents of the University of California
12 * IDENTIFICATION
13 * src/common/sha2.c
15 *-------------------------------------------------------------------------
18 /* $OpenBSD: sha2.c,v 1.6 2004/05/03 02:57:36 millert Exp $ */
20 * FILE: sha2.c
21 * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
23 * Copyright (c) 2000-2001, Aaron D. Gifford
24 * All rights reserved.
26 * Redistribution and use in source and binary forms, with or without
27 * modification, are permitted provided that the following conditions
28 * are met:
29 * 1. Redistributions of source code must retain the above copyright
30 * notice, this list of conditions and the following disclaimer.
31 * 2. Redistributions in binary form must reproduce the above copyright
32 * notice, this list of conditions and the following disclaimer in the
33 * documentation and/or other materials provided with the distribution.
34 * 3. Neither the name of the copyright holder nor the names of contributors
35 * may be used to endorse or promote products derived from this software
36 * without specific prior written permission.
38 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
39 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
41 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
42 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
43 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
44 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
46 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
47 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
48 * SUCH DAMAGE.
50 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
54 #ifndef FRONTEND
55 #include "postgres.h"
56 #else
57 #include "postgres_fe.h"
58 #endif
60 #include "sha2_int.h"
63 * In backend, use palloc/pfree to ease the error handling. In frontend,
64 * use malloc to be able to return a failure status back to the caller.
66 #ifndef FRONTEND
67 #define ALLOC(size) palloc(size)
68 #define FREE(ptr) pfree(ptr)
69 #else
70 #define ALLOC(size) malloc(size)
71 #define FREE(ptr) free(ptr)
72 #endif
75 * UNROLLED TRANSFORM LOOP NOTE:
76 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
77 * loop version for the hash transform rounds (defined using macros
78 * later in this file). Either define on the command line, for example:
80 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
82 * or define below:
84 * #define SHA2_UNROLL_TRANSFORM
88 /*** SHA-256/384/512 Various Length Definitions ***********************/
89 #define PG_SHA256_SHORT_BLOCK_LENGTH (PG_SHA256_BLOCK_LENGTH - 8)
90 #define PG_SHA384_SHORT_BLOCK_LENGTH (PG_SHA384_BLOCK_LENGTH - 16)
91 #define PG_SHA512_SHORT_BLOCK_LENGTH (PG_SHA512_BLOCK_LENGTH - 16)
93 /*** ENDIAN REVERSAL MACROS *******************************************/
94 #ifndef WORDS_BIGENDIAN
95 #define REVERSE32(w,x) { \
96 uint32 tmp = (w); \
97 tmp = (tmp >> 16) | (tmp << 16); \
98 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
100 #define REVERSE64(w,x) { \
101 uint64 tmp = (w); \
102 tmp = (tmp >> 32) | (tmp << 32); \
103 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
104 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
105 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
106 ((tmp & 0x0000ffff0000ffffULL) << 16); \
108 #endif /* not bigendian */
111 * Macro for incrementally adding the unsigned 64-bit integer n to the
112 * unsigned 128-bit integer (represented using a two-element array of
113 * 64-bit words):
115 #define ADDINC128(w,n) { \
116 (w)[0] += (uint64)(n); \
117 if ((w)[0] < (n)) { \
118 (w)[1]++; \
122 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
124 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
126 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
127 * S is a ROTATION) because the SHA-256/384/512 description document
128 * (see http://www.iwar.org.uk/comsec/resources/cipher/sha256-384-512.pdf)
129 * uses this same "backwards" definition.
131 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
132 #define R(b,x) ((x) >> (b))
133 /* 32-bit Rotate-right (used in SHA-256): */
134 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
135 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
136 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
138 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
139 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
140 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
142 /* Four of six logical functions used in SHA-256: */
143 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
144 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
145 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
146 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
148 /* Four of six logical functions used in SHA-384 and SHA-512: */
149 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
150 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
151 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
152 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
154 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
155 /* NOTE: These should not be accessed directly from outside this
156 * library -- they are intended for private internal visibility/use
157 * only.
159 static void SHA512_Last(pg_sha512_ctx *context);
160 static void SHA256_Transform(pg_sha256_ctx *context, const uint8 *data);
161 static void SHA512_Transform(pg_sha512_ctx *context, const uint8 *data);
163 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
164 /* Hash constant words K for SHA-256: */
165 static const uint32 K256[64] = {
166 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
167 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
168 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
169 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
170 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
171 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
172 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
173 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
174 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
175 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
176 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
177 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
178 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
179 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
180 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
181 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
184 /* Initial hash value H for SHA-224: */
185 static const uint32 sha224_initial_hash_value[8] = {
186 0xc1059ed8UL,
187 0x367cd507UL,
188 0x3070dd17UL,
189 0xf70e5939UL,
190 0xffc00b31UL,
191 0x68581511UL,
192 0x64f98fa7UL,
193 0xbefa4fa4UL
196 /* Initial hash value H for SHA-256: */
197 static const uint32 sha256_initial_hash_value[8] = {
198 0x6a09e667UL,
199 0xbb67ae85UL,
200 0x3c6ef372UL,
201 0xa54ff53aUL,
202 0x510e527fUL,
203 0x9b05688cUL,
204 0x1f83d9abUL,
205 0x5be0cd19UL
208 /* Hash constant words K for SHA-384 and SHA-512: */
209 static const uint64 K512[80] = {
210 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
211 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
212 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
213 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
214 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
215 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
216 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
217 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
218 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
219 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
220 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
221 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
222 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
223 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
224 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
225 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
226 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
227 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
228 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
229 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
230 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
231 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
232 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
233 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
234 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
235 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
236 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
237 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
238 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
239 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
240 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
241 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
242 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
243 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
244 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
245 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
246 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
247 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
248 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
249 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
252 /* Initial hash value H for SHA-384 */
253 static const uint64 sha384_initial_hash_value[8] = {
254 0xcbbb9d5dc1059ed8ULL,
255 0x629a292a367cd507ULL,
256 0x9159015a3070dd17ULL,
257 0x152fecd8f70e5939ULL,
258 0x67332667ffc00b31ULL,
259 0x8eb44a8768581511ULL,
260 0xdb0c2e0d64f98fa7ULL,
261 0x47b5481dbefa4fa4ULL
264 /* Initial hash value H for SHA-512 */
265 static const uint64 sha512_initial_hash_value[8] = {
266 0x6a09e667f3bcc908ULL,
267 0xbb67ae8584caa73bULL,
268 0x3c6ef372fe94f82bULL,
269 0xa54ff53a5f1d36f1ULL,
270 0x510e527fade682d1ULL,
271 0x9b05688c2b3e6c1fULL,
272 0x1f83d9abfb41bd6bULL,
273 0x5be0cd19137e2179ULL
277 /*** SHA-256: *********************************************************/
278 void
279 pg_sha256_init(pg_sha256_ctx *context)
281 if (context == NULL)
282 return;
283 memcpy(context->state, sha256_initial_hash_value, PG_SHA256_DIGEST_LENGTH);
284 memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH);
285 context->bitcount = 0;
288 #ifdef SHA2_UNROLL_TRANSFORM
290 /* Unrolled SHA-256 round macros: */
292 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
293 W256[j] = (uint32)data[3] | ((uint32)data[2] << 8) | \
294 ((uint32)data[1] << 16) | ((uint32)data[0] << 24); \
295 data += 4; \
296 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
297 (d) += T1; \
298 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
299 j++; \
300 } while(0)
302 #define ROUND256(a,b,c,d,e,f,g,h) do { \
303 s0 = W256[(j+1)&0x0f]; \
304 s0 = sigma0_256(s0); \
305 s1 = W256[(j+14)&0x0f]; \
306 s1 = sigma1_256(s1); \
307 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
308 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
309 (d) += T1; \
310 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
311 j++; \
312 } while(0)
314 static void
315 SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
317 uint32 a,
327 uint32 T1,
328 *W256;
329 int j;
331 W256 = (uint32 *) context->buffer;
333 /* Initialize registers with the prev. intermediate value */
334 a = context->state[0];
335 b = context->state[1];
336 c = context->state[2];
337 d = context->state[3];
338 e = context->state[4];
339 f = context->state[5];
340 g = context->state[6];
341 h = context->state[7];
343 j = 0;
346 /* Rounds 0 to 15 (unrolled): */
347 ROUND256_0_TO_15(a, b, c, d, e, f, g, h);
348 ROUND256_0_TO_15(h, a, b, c, d, e, f, g);
349 ROUND256_0_TO_15(g, h, a, b, c, d, e, f);
350 ROUND256_0_TO_15(f, g, h, a, b, c, d, e);
351 ROUND256_0_TO_15(e, f, g, h, a, b, c, d);
352 ROUND256_0_TO_15(d, e, f, g, h, a, b, c);
353 ROUND256_0_TO_15(c, d, e, f, g, h, a, b);
354 ROUND256_0_TO_15(b, c, d, e, f, g, h, a);
355 } while (j < 16);
357 /* Now for the remaining rounds to 64: */
360 ROUND256(a, b, c, d, e, f, g, h);
361 ROUND256(h, a, b, c, d, e, f, g);
362 ROUND256(g, h, a, b, c, d, e, f);
363 ROUND256(f, g, h, a, b, c, d, e);
364 ROUND256(e, f, g, h, a, b, c, d);
365 ROUND256(d, e, f, g, h, a, b, c);
366 ROUND256(c, d, e, f, g, h, a, b);
367 ROUND256(b, c, d, e, f, g, h, a);
368 } while (j < 64);
370 /* Compute the current intermediate hash value */
371 context->state[0] += a;
372 context->state[1] += b;
373 context->state[2] += c;
374 context->state[3] += d;
375 context->state[4] += e;
376 context->state[5] += f;
377 context->state[6] += g;
378 context->state[7] += h;
380 /* Clean up */
381 a = b = c = d = e = f = g = h = T1 = 0;
383 #else /* SHA2_UNROLL_TRANSFORM */
385 static void
386 SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
388 uint32 a,
398 uint32 T1,
400 *W256;
401 int j;
403 W256 = (uint32 *) context->buffer;
405 /* Initialize registers with the prev. intermediate value */
406 a = context->state[0];
407 b = context->state[1];
408 c = context->state[2];
409 d = context->state[3];
410 e = context->state[4];
411 f = context->state[5];
412 g = context->state[6];
413 h = context->state[7];
415 j = 0;
418 W256[j] = (uint32) data[3] | ((uint32) data[2] << 8) |
419 ((uint32) data[1] << 16) | ((uint32) data[0] << 24);
420 data += 4;
421 /* Apply the SHA-256 compression function to update a..h */
422 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
423 T2 = Sigma0_256(a) + Maj(a, b, c);
424 h = g;
425 g = f;
426 f = e;
427 e = d + T1;
428 d = c;
429 c = b;
430 b = a;
431 a = T1 + T2;
433 j++;
434 } while (j < 16);
438 /* Part of the message block expansion: */
439 s0 = W256[(j + 1) & 0x0f];
440 s0 = sigma0_256(s0);
441 s1 = W256[(j + 14) & 0x0f];
442 s1 = sigma1_256(s1);
444 /* Apply the SHA-256 compression function to update a..h */
445 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
446 (W256[j & 0x0f] += s1 + W256[(j + 9) & 0x0f] + s0);
447 T2 = Sigma0_256(a) + Maj(a, b, c);
448 h = g;
449 g = f;
450 f = e;
451 e = d + T1;
452 d = c;
453 c = b;
454 b = a;
455 a = T1 + T2;
457 j++;
458 } while (j < 64);
460 /* Compute the current intermediate hash value */
461 context->state[0] += a;
462 context->state[1] += b;
463 context->state[2] += c;
464 context->state[3] += d;
465 context->state[4] += e;
466 context->state[5] += f;
467 context->state[6] += g;
468 context->state[7] += h;
470 /* Clean up */
471 a = b = c = d = e = f = g = h = T1 = T2 = 0;
473 #endif /* SHA2_UNROLL_TRANSFORM */
475 void
476 pg_sha256_update(pg_sha256_ctx *context, const uint8 *data, size_t len)
478 size_t freespace,
479 usedspace;
481 /* Calling with no data is valid (we do nothing) */
482 if (len == 0)
483 return;
485 usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH;
486 if (usedspace > 0)
488 /* Calculate how much free space is available in the buffer */
489 freespace = PG_SHA256_BLOCK_LENGTH - usedspace;
491 if (len >= freespace)
493 /* Fill the buffer completely and process it */
494 memcpy(&context->buffer[usedspace], data, freespace);
495 context->bitcount += freespace << 3;
496 len -= freespace;
497 data += freespace;
498 SHA256_Transform(context, context->buffer);
500 else
502 /* The buffer is not yet full */
503 memcpy(&context->buffer[usedspace], data, len);
504 context->bitcount += len << 3;
505 /* Clean up: */
506 usedspace = freespace = 0;
507 return;
510 while (len >= PG_SHA256_BLOCK_LENGTH)
512 /* Process as many complete blocks as we can */
513 SHA256_Transform(context, data);
514 context->bitcount += PG_SHA256_BLOCK_LENGTH << 3;
515 len -= PG_SHA256_BLOCK_LENGTH;
516 data += PG_SHA256_BLOCK_LENGTH;
518 if (len > 0)
520 /* There's left-overs, so save 'em */
521 memcpy(context->buffer, data, len);
522 context->bitcount += len << 3;
524 /* Clean up: */
525 usedspace = freespace = 0;
528 static void
529 SHA256_Last(pg_sha256_ctx *context)
531 unsigned int usedspace;
533 usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH;
534 #ifndef WORDS_BIGENDIAN
535 /* Convert FROM host byte order */
536 REVERSE64(context->bitcount, context->bitcount);
537 #endif
538 if (usedspace > 0)
540 /* Begin padding with a 1 bit: */
541 context->buffer[usedspace++] = 0x80;
543 if (usedspace <= PG_SHA256_SHORT_BLOCK_LENGTH)
545 /* Set-up for the last transform: */
546 memset(&context->buffer[usedspace], 0, PG_SHA256_SHORT_BLOCK_LENGTH - usedspace);
548 else
550 if (usedspace < PG_SHA256_BLOCK_LENGTH)
552 memset(&context->buffer[usedspace], 0, PG_SHA256_BLOCK_LENGTH - usedspace);
554 /* Do second-to-last transform: */
555 SHA256_Transform(context, context->buffer);
557 /* And set-up for the last transform: */
558 memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH);
561 else
563 /* Set-up for the last transform: */
564 memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH);
566 /* Begin padding with a 1 bit: */
567 *context->buffer = 0x80;
569 /* Set the bit count: */
570 *(uint64 *) &context->buffer[PG_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
572 /* Final transform: */
573 SHA256_Transform(context, context->buffer);
576 void
577 pg_sha256_final(pg_sha256_ctx *context, uint8 *digest)
579 /* If no digest buffer is passed, we don't bother doing this: */
580 if (digest != NULL)
582 SHA256_Last(context);
584 #ifndef WORDS_BIGENDIAN
586 /* Convert TO host byte order */
587 int j;
589 for (j = 0; j < 8; j++)
591 REVERSE32(context->state[j], context->state[j]);
594 #endif
595 memcpy(digest, context->state, PG_SHA256_DIGEST_LENGTH);
598 /* Clean up state data: */
599 memset(context, 0, sizeof(pg_sha256_ctx));
603 /*** SHA-512: *********************************************************/
604 void
605 pg_sha512_init(pg_sha512_ctx *context)
607 if (context == NULL)
608 return;
609 memcpy(context->state, sha512_initial_hash_value, PG_SHA512_DIGEST_LENGTH);
610 memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH);
611 context->bitcount[0] = context->bitcount[1] = 0;
614 #ifdef SHA2_UNROLL_TRANSFORM
616 /* Unrolled SHA-512 round macros: */
618 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
619 W512[j] = (uint64)data[7] | ((uint64)data[6] << 8) | \
620 ((uint64)data[5] << 16) | ((uint64)data[4] << 24) | \
621 ((uint64)data[3] << 32) | ((uint64)data[2] << 40) | \
622 ((uint64)data[1] << 48) | ((uint64)data[0] << 56); \
623 data += 8; \
624 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
625 (d) += T1; \
626 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
627 j++; \
628 } while(0)
631 #define ROUND512(a,b,c,d,e,f,g,h) do { \
632 s0 = W512[(j+1)&0x0f]; \
633 s0 = sigma0_512(s0); \
634 s1 = W512[(j+14)&0x0f]; \
635 s1 = sigma1_512(s1); \
636 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
637 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
638 (d) += T1; \
639 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
640 j++; \
641 } while(0)
643 static void
644 SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
646 uint64 a,
656 uint64 T1,
657 *W512 = (uint64 *) context->buffer;
658 int j;
660 /* Initialize registers with the prev. intermediate value */
661 a = context->state[0];
662 b = context->state[1];
663 c = context->state[2];
664 d = context->state[3];
665 e = context->state[4];
666 f = context->state[5];
667 g = context->state[6];
668 h = context->state[7];
670 j = 0;
673 ROUND512_0_TO_15(a, b, c, d, e, f, g, h);
674 ROUND512_0_TO_15(h, a, b, c, d, e, f, g);
675 ROUND512_0_TO_15(g, h, a, b, c, d, e, f);
676 ROUND512_0_TO_15(f, g, h, a, b, c, d, e);
677 ROUND512_0_TO_15(e, f, g, h, a, b, c, d);
678 ROUND512_0_TO_15(d, e, f, g, h, a, b, c);
679 ROUND512_0_TO_15(c, d, e, f, g, h, a, b);
680 ROUND512_0_TO_15(b, c, d, e, f, g, h, a);
681 } while (j < 16);
683 /* Now for the remaining rounds up to 79: */
686 ROUND512(a, b, c, d, e, f, g, h);
687 ROUND512(h, a, b, c, d, e, f, g);
688 ROUND512(g, h, a, b, c, d, e, f);
689 ROUND512(f, g, h, a, b, c, d, e);
690 ROUND512(e, f, g, h, a, b, c, d);
691 ROUND512(d, e, f, g, h, a, b, c);
692 ROUND512(c, d, e, f, g, h, a, b);
693 ROUND512(b, c, d, e, f, g, h, a);
694 } while (j < 80);
696 /* Compute the current intermediate hash value */
697 context->state[0] += a;
698 context->state[1] += b;
699 context->state[2] += c;
700 context->state[3] += d;
701 context->state[4] += e;
702 context->state[5] += f;
703 context->state[6] += g;
704 context->state[7] += h;
706 /* Clean up */
707 a = b = c = d = e = f = g = h = T1 = 0;
709 #else /* SHA2_UNROLL_TRANSFORM */
711 static void
712 SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
714 uint64 a,
724 uint64 T1,
726 *W512 = (uint64 *) context->buffer;
727 int j;
729 /* Initialize registers with the prev. intermediate value */
730 a = context->state[0];
731 b = context->state[1];
732 c = context->state[2];
733 d = context->state[3];
734 e = context->state[4];
735 f = context->state[5];
736 g = context->state[6];
737 h = context->state[7];
739 j = 0;
742 W512[j] = (uint64) data[7] | ((uint64) data[6] << 8) |
743 ((uint64) data[5] << 16) | ((uint64) data[4] << 24) |
744 ((uint64) data[3] << 32) | ((uint64) data[2] << 40) |
745 ((uint64) data[1] << 48) | ((uint64) data[0] << 56);
746 data += 8;
747 /* Apply the SHA-512 compression function to update a..h */
748 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
749 T2 = Sigma0_512(a) + Maj(a, b, c);
750 h = g;
751 g = f;
752 f = e;
753 e = d + T1;
754 d = c;
755 c = b;
756 b = a;
757 a = T1 + T2;
759 j++;
760 } while (j < 16);
764 /* Part of the message block expansion: */
765 s0 = W512[(j + 1) & 0x0f];
766 s0 = sigma0_512(s0);
767 s1 = W512[(j + 14) & 0x0f];
768 s1 = sigma1_512(s1);
770 /* Apply the SHA-512 compression function to update a..h */
771 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
772 (W512[j & 0x0f] += s1 + W512[(j + 9) & 0x0f] + s0);
773 T2 = Sigma0_512(a) + Maj(a, b, c);
774 h = g;
775 g = f;
776 f = e;
777 e = d + T1;
778 d = c;
779 c = b;
780 b = a;
781 a = T1 + T2;
783 j++;
784 } while (j < 80);
786 /* Compute the current intermediate hash value */
787 context->state[0] += a;
788 context->state[1] += b;
789 context->state[2] += c;
790 context->state[3] += d;
791 context->state[4] += e;
792 context->state[5] += f;
793 context->state[6] += g;
794 context->state[7] += h;
796 /* Clean up */
797 a = b = c = d = e = f = g = h = T1 = T2 = 0;
799 #endif /* SHA2_UNROLL_TRANSFORM */
801 void
802 pg_sha512_update(pg_sha512_ctx *context, const uint8 *data, size_t len)
804 size_t freespace,
805 usedspace;
807 /* Calling with no data is valid (we do nothing) */
808 if (len == 0)
809 return;
811 usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH;
812 if (usedspace > 0)
814 /* Calculate how much free space is available in the buffer */
815 freespace = PG_SHA512_BLOCK_LENGTH - usedspace;
817 if (len >= freespace)
819 /* Fill the buffer completely and process it */
820 memcpy(&context->buffer[usedspace], data, freespace);
821 ADDINC128(context->bitcount, freespace << 3);
822 len -= freespace;
823 data += freespace;
824 SHA512_Transform(context, context->buffer);
826 else
828 /* The buffer is not yet full */
829 memcpy(&context->buffer[usedspace], data, len);
830 ADDINC128(context->bitcount, len << 3);
831 /* Clean up: */
832 usedspace = freespace = 0;
833 return;
836 while (len >= PG_SHA512_BLOCK_LENGTH)
838 /* Process as many complete blocks as we can */
839 SHA512_Transform(context, data);
840 ADDINC128(context->bitcount, PG_SHA512_BLOCK_LENGTH << 3);
841 len -= PG_SHA512_BLOCK_LENGTH;
842 data += PG_SHA512_BLOCK_LENGTH;
844 if (len > 0)
846 /* There's left-overs, so save 'em */
847 memcpy(context->buffer, data, len);
848 ADDINC128(context->bitcount, len << 3);
850 /* Clean up: */
851 usedspace = freespace = 0;
854 static void
855 SHA512_Last(pg_sha512_ctx *context)
857 unsigned int usedspace;
859 usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH;
860 #ifndef WORDS_BIGENDIAN
861 /* Convert FROM host byte order */
862 REVERSE64(context->bitcount[0], context->bitcount[0]);
863 REVERSE64(context->bitcount[1], context->bitcount[1]);
864 #endif
865 if (usedspace > 0)
867 /* Begin padding with a 1 bit: */
868 context->buffer[usedspace++] = 0x80;
870 if (usedspace <= PG_SHA512_SHORT_BLOCK_LENGTH)
872 /* Set-up for the last transform: */
873 memset(&context->buffer[usedspace], 0, PG_SHA512_SHORT_BLOCK_LENGTH - usedspace);
875 else
877 if (usedspace < PG_SHA512_BLOCK_LENGTH)
879 memset(&context->buffer[usedspace], 0, PG_SHA512_BLOCK_LENGTH - usedspace);
881 /* Do second-to-last transform: */
882 SHA512_Transform(context, context->buffer);
884 /* And set-up for the last transform: */
885 memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH - 2);
888 else
890 /* Prepare for final transform: */
891 memset(context->buffer, 0, PG_SHA512_SHORT_BLOCK_LENGTH);
893 /* Begin padding with a 1 bit: */
894 *context->buffer = 0x80;
896 /* Store the length of input data (in bits): */
897 *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
898 *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH + 8] = context->bitcount[0];
900 /* Final transform: */
901 SHA512_Transform(context, context->buffer);
904 void
905 pg_sha512_final(pg_sha512_ctx *context, uint8 *digest)
907 /* If no digest buffer is passed, we don't bother doing this: */
908 if (digest != NULL)
910 SHA512_Last(context);
912 /* Save the hash data for output: */
913 #ifndef WORDS_BIGENDIAN
915 /* Convert TO host byte order */
916 int j;
918 for (j = 0; j < 8; j++)
920 REVERSE64(context->state[j], context->state[j]);
923 #endif
924 memcpy(digest, context->state, PG_SHA512_DIGEST_LENGTH);
927 /* Zero out state data */
928 memset(context, 0, sizeof(pg_sha512_ctx));
932 /*** SHA-384: *********************************************************/
933 void
934 pg_sha384_init(pg_sha384_ctx *context)
936 if (context == NULL)
937 return;
938 memcpy(context->state, sha384_initial_hash_value, PG_SHA512_DIGEST_LENGTH);
939 memset(context->buffer, 0, PG_SHA384_BLOCK_LENGTH);
940 context->bitcount[0] = context->bitcount[1] = 0;
943 void
944 pg_sha384_update(pg_sha384_ctx *context, const uint8 *data, size_t len)
946 pg_sha512_update((pg_sha512_ctx *) context, data, len);
949 void
950 pg_sha384_final(pg_sha384_ctx *context, uint8 *digest)
952 /* If no digest buffer is passed, we don't bother doing this: */
953 if (digest != NULL)
955 SHA512_Last((pg_sha512_ctx *) context);
957 /* Save the hash data for output: */
958 #ifndef WORDS_BIGENDIAN
960 /* Convert TO host byte order */
961 int j;
963 for (j = 0; j < 6; j++)
965 REVERSE64(context->state[j], context->state[j]);
968 #endif
969 memcpy(digest, context->state, PG_SHA384_DIGEST_LENGTH);
972 /* Zero out state data */
973 memset(context, 0, sizeof(pg_sha384_ctx));
976 /*** SHA-224: *********************************************************/
977 void
978 pg_sha224_init(pg_sha224_ctx *context)
980 if (context == NULL)
981 return;
982 memcpy(context->state, sha224_initial_hash_value, PG_SHA256_DIGEST_LENGTH);
983 memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH);
984 context->bitcount = 0;
987 void
988 pg_sha224_update(pg_sha224_ctx *context, const uint8 *data, size_t len)
990 pg_sha256_update((pg_sha256_ctx *) context, data, len);
993 void
994 pg_sha224_final(pg_sha224_ctx *context, uint8 *digest)
996 /* If no digest buffer is passed, we don't bother doing this: */
997 if (digest != NULL)
999 SHA256_Last(context);
1001 #ifndef WORDS_BIGENDIAN
1003 /* Convert TO host byte order */
1004 int j;
1006 for (j = 0; j < 8; j++)
1008 REVERSE32(context->state[j], context->state[j]);
1011 #endif
1012 memcpy(digest, context->state, PG_SHA224_DIGEST_LENGTH);
1015 /* Clean up state data: */
1016 memset(context, 0, sizeof(pg_sha224_ctx));