release/src/router/nettle/sha512.c

   1 /* sha512.c
   2  *
   3  * The sha512 hash function.
   4  *
   5  * See http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
   6  */
   7
   8 /* nettle, low-level cryptographics library
   9  *
  10  * Copyright (C) 2001, 2010 Niels Möller
  11  *
  12  * The nettle library is free software; you can redistribute it and/or modify
  13  * it under the terms of the GNU Lesser General Public License as published by
  14  * the Free Software Foundation; either version 2.1 of the License, or (at your
  15  * option) any later version.
  16  *
  17  * The nettle library is distributed in the hope that it will be useful, but
  18  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  19  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
  20  * License for more details.
  21  *
  22  * You should have received a copy of the GNU Lesser General Public License
  23  * along with the nettle library; see the file COPYING.LIB.  If not, write to
  24  * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  25  * MA 02111-1301, USA.
  26  */
  27
  28 /* Modelled after the sha1.c code by Peter Gutmann. */
  29
  30 #if HAVE_CONFIG_H
  31 # include "config.h"
  32 #endif
  33
  34 #include <assert.h>
  35 #include <stdlib.h>
  36 #include <string.h>
  37
  38 #include "sha2.h"
  39
  40 #include "macros.h"
  41
  42 /* Generated by the gp script
  43
  44      {
  45        print("obase=16");
  46        for (i = 1,80,
  47          root = prime(i)^(1/3);
  48          fraction = root - floor(root);
  49          print(floor(2^64 * fraction));
  50        );
  51        quit();
  52      }
  53
  54    piped through
  55
  56      |grep -v '^[' | bc \
  57        |awk '{printf("0x%sULL,%s", $1, NR%3 == 0 ? "\n" : "");}'
  58
  59    to convert it to hex.
  60 */
  61
  62 static const uint64_t
  63 K[80] =
  64 {
  65   0x428A2F98D728AE22ULL,0x7137449123EF65CDULL,
  66   0xB5C0FBCFEC4D3B2FULL,0xE9B5DBA58189DBBCULL,
  67   0x3956C25BF348B538ULL,0x59F111F1B605D019ULL,
  68   0x923F82A4AF194F9BULL,0xAB1C5ED5DA6D8118ULL,
  69   0xD807AA98A3030242ULL,0x12835B0145706FBEULL,
  70   0x243185BE4EE4B28CULL,0x550C7DC3D5FFB4E2ULL,
  71   0x72BE5D74F27B896FULL,0x80DEB1FE3B1696B1ULL,
  72   0x9BDC06A725C71235ULL,0xC19BF174CF692694ULL,
  73   0xE49B69C19EF14AD2ULL,0xEFBE4786384F25E3ULL,
  74   0xFC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL,
  75   0x2DE92C6F592B0275ULL,0x4A7484AA6EA6E483ULL,
  76   0x5CB0A9DCBD41FBD4ULL,0x76F988DA831153B5ULL,
  77   0x983E5152EE66DFABULL,0xA831C66D2DB43210ULL,
  78   0xB00327C898FB213FULL,0xBF597FC7BEEF0EE4ULL,
  79   0xC6E00BF33DA88FC2ULL,0xD5A79147930AA725ULL,
  80   0x6CA6351E003826FULL,0x142929670A0E6E70ULL,
  81   0x27B70A8546D22FFCULL,0x2E1B21385C26C926ULL,
  82   0x4D2C6DFC5AC42AEDULL,0x53380D139D95B3DFULL,
  83   0x650A73548BAF63DEULL,0x766A0ABB3C77B2A8ULL,
  84   0x81C2C92E47EDAEE6ULL,0x92722C851482353BULL,
  85   0xA2BFE8A14CF10364ULL,0xA81A664BBC423001ULL,
  86   0xC24B8B70D0F89791ULL,0xC76C51A30654BE30ULL,
  87   0xD192E819D6EF5218ULL,0xD69906245565A910ULL,
  88   0xF40E35855771202AULL,0x106AA07032BBD1B8ULL,
  89   0x19A4C116B8D2D0C8ULL,0x1E376C085141AB53ULL,
  90   0x2748774CDF8EEB99ULL,0x34B0BCB5E19B48A8ULL,
  91   0x391C0CB3C5C95A63ULL,0x4ED8AA4AE3418ACBULL,
  92   0x5B9CCA4F7763E373ULL,0x682E6FF3D6B2B8A3ULL,
  93   0x748F82EE5DEFB2FCULL,0x78A5636F43172F60ULL,
  94   0x84C87814A1F0AB72ULL,0x8CC702081A6439ECULL,
  95   0x90BEFFFA23631E28ULL,0xA4506CEBDE82BDE9ULL,
  96   0xBEF9A3F7B2C67915ULL,0xC67178F2E372532BULL,
  97   0xCA273ECEEA26619CULL,0xD186B8C721C0C207ULL,
  98   0xEADA7DD6CDE0EB1EULL,0xF57D4F7FEE6ED178ULL,
  99   0x6F067AA72176FBAULL,0xA637DC5A2C898A6ULL,
 100   0x113F9804BEF90DAEULL,0x1B710B35131C471BULL,
 101   0x28DB77F523047D84ULL,0x32CAAB7B40C72493ULL,
 102   0x3C9EBE0A15C9BEBCULL,0x431D67C49C100D4CULL,
 103   0x4CC5D4BECB3E42B6ULL,0x597F299CFC657E2AULL,
 104   0x5FCB6FAB3AD6FAECULL,0x6C44198C4A475817ULL,
 105 };
 106
 107 #define COMPRESS(ctx, data) (_nettle_sha512_compress((ctx)->state, (data), K))
 108
 109 void
 110 sha512_init(struct sha512_ctx *ctx)
 111 {
 112   /* Initial values, generated by the gp script
 113        {
 114          for (i = 1,8,
 115            root = prime(i)^(1/2);
 116            fraction = root - floor(root);
 117            print(floor(2^64 * fraction));
 118          );
 119        }
 120 . */
 121   static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
 122   {
 123     0x6A09E667F3BCC908ULL,0xBB67AE8584CAA73BULL,
 124     0x3C6EF372FE94F82BULL,0xA54FF53A5F1D36F1ULL,
 125     0x510E527FADE682D1ULL,0x9B05688C2B3E6C1FULL,
 126     0x1F83D9ABFB41BD6BULL,0x5BE0CD19137E2179ULL,
 127   };
 128
 129   memcpy(ctx->state, H0, sizeof(H0));
 130
 131   /* Initialize bit count */
 132   ctx->count_low = ctx->count_high = 0;
 133
 134   /* Initialize buffer */
 135   ctx->index = 0;
 136 }
 137
 138 void
 139 sha512_update(struct sha512_ctx *ctx,
 140               unsigned length, const uint8_t *data)
 141 {
 142   MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx));
 143 }
 144
 145 static void
 146 sha512_write_digest(struct sha512_ctx *ctx,
 147                     unsigned length,
 148                     uint8_t *digest)
 149 {
 150   uint64_t high, low;
 151
 152   unsigned i;
 153   unsigned words;
 154   unsigned leftover;
 155
 156   assert(length <= SHA512_DIGEST_SIZE);
 157
 158   MD_PAD(ctx, 16, COMPRESS);
 159
 160   /* There are 1024 = 2^10 bits in one block */
 161   high = (ctx->count_high << 10) | (ctx->count_low >> 54);
 162   low = (ctx->count_low << 10) | (ctx->index << 3);
 163
 164   /* This is slightly inefficient, as the numbers are converted to
 165      big-endian format, and will be converted back by the compression
 166      function. It's probably not worth the effort to fix this. */
 167   WRITE_UINT64(ctx->block + (SHA512_DATA_SIZE - 16), high);
 168   WRITE_UINT64(ctx->block + (SHA512_DATA_SIZE - 8), low);
 169   COMPRESS(ctx, ctx->block);
 170
 171   words = length / 8;
 172   leftover = length % 8;
 173
 174   for (i = 0; i < words; i++, digest += 8)
 175     WRITE_UINT64(digest, ctx->state[i]);
 176
 177   if (leftover)
 178     {
 179       /* Truncate to the right size */
 180       uint64_t word = ctx->state[i] >> (8*(8 - leftover));
 181
 182       do {
 183         digest[--leftover] = word & 0xff;
 184         word >>= 8;
 185       } while (leftover);
 186     }
 187 }
 188
 189 void
 190 sha512_digest(struct sha512_ctx *ctx,
 191               unsigned length,
 192               uint8_t *digest)
 193 {
 194   assert(length <= SHA512_DIGEST_SIZE);
 195
 196   sha512_write_digest(ctx, length, digest);
 197   sha512_init(ctx);
 198 }
 199
 200 /* sha384 variant. FIXME: Move to separate file? */
 201 void
 202 sha384_init(struct sha512_ctx *ctx)
 203 {
 204   /* Initial values, generated by the gp script
 205        {
 206          for (i = 9,16,
 207            root = prime(i)^(1/2);
 208            fraction = root - floor(root);
 209            print(floor(2^64 * fraction));
 210          );
 211        }
 212 . */
 213   static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
 214   {
 215     0xCBBB9D5DC1059ED8ULL, 0x629A292A367CD507ULL,
 216     0x9159015A3070DD17ULL, 0x152FECD8F70E5939ULL,
 217     0x67332667FFC00B31ULL, 0x8EB44A8768581511ULL,
 218     0xDB0C2E0D64F98FA7ULL, 0x47B5481DBEFA4FA4ULL,
 219   };
 220
 221   memcpy(ctx->state, H0, sizeof(H0));
 222
 223   /* Initialize bit count */
 224   ctx->count_low = ctx->count_high = 0;
 225
 226   /* Initialize buffer */
 227   ctx->index = 0;
 228 }
 229
 230 void
 231 sha384_digest(struct sha512_ctx *ctx,
 232               unsigned length,
 233               uint8_t *digest)
 234 {
 235   assert(length <= SHA384_DIGEST_SIZE);
 236
 237   sha512_write_digest(ctx, length, digest);
 238   sha384_init(ctx);
 239 }