PostgreSQL Source Code  git master
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros
sha2.c
Go to the documentation of this file.
1 /* $OpenBSD: sha2.c,v 1.6 2004/05/03 02:57:36 millert Exp $ */
2 
3 /*
4  * FILE: sha2.c
5  * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
6  *
7  * Copyright (c) 2000-2001, Aaron D. Gifford
8  * All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  * notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  * notice, this list of conditions and the following disclaimer in the
17  * documentation and/or other materials provided with the distribution.
18  * 3. Neither the name of the copyright holder nor the names of contributors
19  * may be used to endorse or promote products derived from this software
20  * without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  *
34  * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
35  *
36  * contrib/pgcrypto/sha2.c
37  */
38 
39 #include "postgres.h"
40 
41 #include <sys/param.h>
42 
43 #include "px.h"
44 #include "sha2.h"
45 
46 /*
47  * UNROLLED TRANSFORM LOOP NOTE:
48  * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
49  * loop version for the hash transform rounds (defined using macros
50  * later in this file). Either define on the command line, for example:
51  *
52  * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
53  *
54  * or define below:
55  *
56  * #define SHA2_UNROLL_TRANSFORM
57  *
58  */
59 
60 /*** SHA-256/384/512 Various Length Definitions ***********************/
61 /* NOTE: Most of these are in sha2.h */
62 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
63 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
64 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
65 
66 
67 /*** ENDIAN REVERSAL MACROS *******************************************/
68 #ifndef WORDS_BIGENDIAN
69 #define REVERSE32(w,x) { \
70  uint32 tmp = (w); \
71  tmp = (tmp >> 16) | (tmp << 16); \
72  (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
73 }
74 #define REVERSE64(w,x) { \
75  uint64 tmp = (w); \
76  tmp = (tmp >> 32) | (tmp << 32); \
77  tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
78  ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
79  (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
80  ((tmp & 0x0000ffff0000ffffULL) << 16); \
81 }
82 #endif /* not bigendian */
83 
84 /*
85  * Macro for incrementally adding the unsigned 64-bit integer n to the
86  * unsigned 128-bit integer (represented using a two-element array of
87  * 64-bit words):
88  */
89 #define ADDINC128(w,n) { \
90  (w)[0] += (uint64)(n); \
91  if ((w)[0] < (n)) { \
92  (w)[1]++; \
93  } \
94 }
95 
96 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
97 /*
98  * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
99  *
100  * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
101  * S is a ROTATION) because the SHA-256/384/512 description document
102  * (see http://www.iwar.org.uk/comsec/resources/cipher/sha256-384-512.pdf)
103  * uses this same "backwards" definition.
104  */
105 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
106 #define R(b,x) ((x) >> (b))
107 /* 32-bit Rotate-right (used in SHA-256): */
108 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
109 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
110 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
111 
112 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
113 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
114 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
115 
116 /* Four of six logical functions used in SHA-256: */
117 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
118 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
119 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
120 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
121 
122 /* Four of six logical functions used in SHA-384 and SHA-512: */
123 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
124 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
125 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
126 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
127 
128 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
129 /* NOTE: These should not be accessed directly from outside this
130  * library -- they are intended for private internal visibility/use
131  * only.
132  */
133 static void SHA512_Last(SHA512_CTX *);
134 static void SHA256_Transform(SHA256_CTX *, const uint8 *);
135 static void SHA512_Transform(SHA512_CTX *, const uint8 *);
136 
137 
138 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
139 /* Hash constant words K for SHA-256: */
140 static const uint32 K256[64] = {
141  0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
142  0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
143  0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
144  0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
145  0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
146  0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
147  0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
148  0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
149  0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
150  0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
151  0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
152  0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
153  0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
154  0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
155  0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
156  0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
157 };
158 
159 /* Initial hash value H for SHA-224: */
161  0xc1059ed8UL,
162  0x367cd507UL,
163  0x3070dd17UL,
164  0xf70e5939UL,
165  0xffc00b31UL,
166  0x68581511UL,
167  0x64f98fa7UL,
168  0xbefa4fa4UL
169 };
170 
171 /* Initial hash value H for SHA-256: */
173  0x6a09e667UL,
174  0xbb67ae85UL,
175  0x3c6ef372UL,
176  0xa54ff53aUL,
177  0x510e527fUL,
178  0x9b05688cUL,
179  0x1f83d9abUL,
180  0x5be0cd19UL
181 };
182 
183 /* Hash constant words K for SHA-384 and SHA-512: */
184 static const uint64 K512[80] = {
185  0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
186  0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
187  0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
188  0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
189  0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
190  0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
191  0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
192  0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
193  0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
194  0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
195  0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
196  0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
197  0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
198  0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
199  0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
200  0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
201  0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
202  0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
203  0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
204  0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
205  0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
206  0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
207  0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
208  0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
209  0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
210  0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
211  0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
212  0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
213  0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
214  0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
215  0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
216  0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
217  0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
218  0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
219  0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
220  0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
221  0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
222  0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
223  0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
224  0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
225 };
226 
227 /* Initial hash value H for SHA-384 */
228 static const uint64 sha384_initial_hash_value[8] = {
229  0xcbbb9d5dc1059ed8ULL,
230  0x629a292a367cd507ULL,
231  0x9159015a3070dd17ULL,
232  0x152fecd8f70e5939ULL,
233  0x67332667ffc00b31ULL,
234  0x8eb44a8768581511ULL,
235  0xdb0c2e0d64f98fa7ULL,
236  0x47b5481dbefa4fa4ULL
237 };
238 
239 /* Initial hash value H for SHA-512 */
240 static const uint64 sha512_initial_hash_value[8] = {
241  0x6a09e667f3bcc908ULL,
242  0xbb67ae8584caa73bULL,
243  0x3c6ef372fe94f82bULL,
244  0xa54ff53a5f1d36f1ULL,
245  0x510e527fade682d1ULL,
246  0x9b05688c2b3e6c1fULL,
247  0x1f83d9abfb41bd6bULL,
248  0x5be0cd19137e2179ULL
249 };
250 
251 
252 /*** SHA-256: *********************************************************/
253 void
255 {
256  if (context == NULL)
257  return;
259  memset(context->buffer, 0, SHA256_BLOCK_LENGTH);
260  context->bitcount = 0;
261 }
262 
263 #ifdef SHA2_UNROLL_TRANSFORM
264 
265 /* Unrolled SHA-256 round macros: */
266 
267 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
268  W256[j] = (uint32)data[3] | ((uint32)data[2] << 8) | \
269  ((uint32)data[1] << 16) | ((uint32)data[0] << 24); \
270  data += 4; \
271  T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
272  (d) += T1; \
273  (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
274  j++; \
275 } while(0)
276 
277 #define ROUND256(a,b,c,d,e,f,g,h) do { \
278  s0 = W256[(j+1)&0x0f]; \
279  s0 = sigma0_256(s0); \
280  s1 = W256[(j+14)&0x0f]; \
281  s1 = sigma1_256(s1); \
282  T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
283  (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
284  (d) += T1; \
285  (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
286  j++; \
287 } while(0)
288 
289 static void
290 SHA256_Transform(SHA256_CTX *context, const uint8 *data)
291 {
292  uint32 a,
293  b,
294  c,
295  d,
296  e,
297  f,
298  g,
299  h,
300  s0,
301  s1;
302  uint32 T1,
303  *W256;
304  int j;
305 
306  W256 = (uint32 *) context->buffer;
307 
308  /* Initialize registers with the prev. intermediate value */
309  a = context->state[0];
310  b = context->state[1];
311  c = context->state[2];
312  d = context->state[3];
313  e = context->state[4];
314  f = context->state[5];
315  g = context->state[6];
316  h = context->state[7];
317 
318  j = 0;
319  do
320  {
321  /* Rounds 0 to 15 (unrolled): */
322  ROUND256_0_TO_15(a, b, c, d, e, f, g, h);
323  ROUND256_0_TO_15(h, a, b, c, d, e, f, g);
324  ROUND256_0_TO_15(g, h, a, b, c, d, e, f);
325  ROUND256_0_TO_15(f, g, h, a, b, c, d, e);
326  ROUND256_0_TO_15(e, f, g, h, a, b, c, d);
327  ROUND256_0_TO_15(d, e, f, g, h, a, b, c);
328  ROUND256_0_TO_15(c, d, e, f, g, h, a, b);
329  ROUND256_0_TO_15(b, c, d, e, f, g, h, a);
330  } while (j < 16);
331 
332  /* Now for the remaining rounds to 64: */
333  do
334  {
335  ROUND256(a, b, c, d, e, f, g, h);
336  ROUND256(h, a, b, c, d, e, f, g);
337  ROUND256(g, h, a, b, c, d, e, f);
338  ROUND256(f, g, h, a, b, c, d, e);
339  ROUND256(e, f, g, h, a, b, c, d);
340  ROUND256(d, e, f, g, h, a, b, c);
341  ROUND256(c, d, e, f, g, h, a, b);
342  ROUND256(b, c, d, e, f, g, h, a);
343  } while (j < 64);
344 
345  /* Compute the current intermediate hash value */
346  context->state[0] += a;
347  context->state[1] += b;
348  context->state[2] += c;
349  context->state[3] += d;
350  context->state[4] += e;
351  context->state[5] += f;
352  context->state[6] += g;
353  context->state[7] += h;
354 
355  /* Clean up */
356  a = b = c = d = e = f = g = h = T1 = 0;
357 }
358 #else /* SHA2_UNROLL_TRANSFORM */
359 
360 static void
361 SHA256_Transform(SHA256_CTX *context, const uint8 *data)
362 {
363  uint32 a,
364  b,
365  c,
366  d,
367  e,
368  f,
369  g,
370  h,
371  s0,
372  s1;
373  uint32 T1,
374  T2,
375  *W256;
376  int j;
377 
378  W256 = (uint32 *) context->buffer;
379 
380  /* Initialize registers with the prev. intermediate value */
381  a = context->state[0];
382  b = context->state[1];
383  c = context->state[2];
384  d = context->state[3];
385  e = context->state[4];
386  f = context->state[5];
387  g = context->state[6];
388  h = context->state[7];
389 
390  j = 0;
391  do
392  {
393  W256[j] = (uint32) data[3] | ((uint32) data[2] << 8) |
394  ((uint32) data[1] << 16) | ((uint32) data[0] << 24);
395  data += 4;
396  /* Apply the SHA-256 compression function to update a..h */
397  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
398  T2 = Sigma0_256(a) + Maj(a, b, c);
399  h = g;
400  g = f;
401  f = e;
402  e = d + T1;
403  d = c;
404  c = b;
405  b = a;
406  a = T1 + T2;
407 
408  j++;
409  } while (j < 16);
410 
411  do
412  {
413  /* Part of the message block expansion: */
414  s0 = W256[(j + 1) & 0x0f];
415  s0 = sigma0_256(s0);
416  s1 = W256[(j + 14) & 0x0f];
417  s1 = sigma1_256(s1);
418 
419  /* Apply the SHA-256 compression function to update a..h */
420  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
421  (W256[j & 0x0f] += s1 + W256[(j + 9) & 0x0f] + s0);
422  T2 = Sigma0_256(a) + Maj(a, b, c);
423  h = g;
424  g = f;
425  f = e;
426  e = d + T1;
427  d = c;
428  c = b;
429  b = a;
430  a = T1 + T2;
431 
432  j++;
433  } while (j < 64);
434 
435  /* Compute the current intermediate hash value */
436  context->state[0] += a;
437  context->state[1] += b;
438  context->state[2] += c;
439  context->state[3] += d;
440  context->state[4] += e;
441  context->state[5] += f;
442  context->state[6] += g;
443  context->state[7] += h;
444 
445  /* Clean up */
446  a = b = c = d = e = f = g = h = T1 = T2 = 0;
447 }
448 #endif /* SHA2_UNROLL_TRANSFORM */
449 
450 void
451 SHA256_Update(SHA256_CTX *context, const uint8 *data, size_t len)
452 {
453  size_t freespace,
454  usedspace;
455 
456  /* Calling with no data is valid (we do nothing) */
457  if (len == 0)
458  return;
459 
460  usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
461  if (usedspace > 0)
462  {
463  /* Calculate how much free space is available in the buffer */
464  freespace = SHA256_BLOCK_LENGTH - usedspace;
465 
466  if (len >= freespace)
467  {
468  /* Fill the buffer completely and process it */
469  memcpy(&context->buffer[usedspace], data, freespace);
470  context->bitcount += freespace << 3;
471  len -= freespace;
472  data += freespace;
473  SHA256_Transform(context, context->buffer);
474  }
475  else
476  {
477  /* The buffer is not yet full */
478  memcpy(&context->buffer[usedspace], data, len);
479  context->bitcount += len << 3;
480  /* Clean up: */
481  usedspace = freespace = 0;
482  return;
483  }
484  }
485  while (len >= SHA256_BLOCK_LENGTH)
486  {
487  /* Process as many complete blocks as we can */
488  SHA256_Transform(context, data);
489  context->bitcount += SHA256_BLOCK_LENGTH << 3;
490  len -= SHA256_BLOCK_LENGTH;
491  data += SHA256_BLOCK_LENGTH;
492  }
493  if (len > 0)
494  {
495  /* There's left-overs, so save 'em */
496  memcpy(context->buffer, data, len);
497  context->bitcount += len << 3;
498  }
499  /* Clean up: */
500  usedspace = freespace = 0;
501 }
502 
503 static void
505 {
506  unsigned int usedspace;
507 
508  usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
509 #ifndef WORDS_BIGENDIAN
510  /* Convert FROM host byte order */
511  REVERSE64(context->bitcount, context->bitcount);
512 #endif
513  if (usedspace > 0)
514  {
515  /* Begin padding with a 1 bit: */
516  context->buffer[usedspace++] = 0x80;
517 
518  if (usedspace <= SHA256_SHORT_BLOCK_LENGTH)
519  {
520  /* Set-up for the last transform: */
521  memset(&context->buffer[usedspace], 0, SHA256_SHORT_BLOCK_LENGTH - usedspace);
522  }
523  else
524  {
525  if (usedspace < SHA256_BLOCK_LENGTH)
526  {
527  memset(&context->buffer[usedspace], 0, SHA256_BLOCK_LENGTH - usedspace);
528  }
529  /* Do second-to-last transform: */
530  SHA256_Transform(context, context->buffer);
531 
532  /* And set-up for the last transform: */
533  memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
534  }
535  }
536  else
537  {
538  /* Set-up for the last transform: */
539  memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
540 
541  /* Begin padding with a 1 bit: */
542  *context->buffer = 0x80;
543  }
544  /* Set the bit count: */
545  *(uint64 *) &context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
546 
547  /* Final transform: */
548  SHA256_Transform(context, context->buffer);
549 }
550 
551 void
552 SHA256_Final(uint8 digest[], SHA256_CTX *context)
553 {
554  /* If no digest buffer is passed, we don't bother doing this: */
555  if (digest != NULL)
556  {
557  SHA256_Last(context);
558 
559 #ifndef WORDS_BIGENDIAN
560  {
561  /* Convert TO host byte order */
562  int j;
563 
564  for (j = 0; j < 8; j++)
565  {
566  REVERSE32(context->state[j], context->state[j]);
567  }
568  }
569 #endif
570  memcpy(digest, context->state, SHA256_DIGEST_LENGTH);
571  }
572 
573  /* Clean up state data: */
574  px_memset(context, 0, sizeof(*context));
575 }
576 
577 
578 /*** SHA-512: *********************************************************/
579 void
581 {
582  if (context == NULL)
583  return;
585  memset(context->buffer, 0, SHA512_BLOCK_LENGTH);
586  context->bitcount[0] = context->bitcount[1] = 0;
587 }
588 
589 #ifdef SHA2_UNROLL_TRANSFORM
590 
591 /* Unrolled SHA-512 round macros: */
592 
593 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
594  W512[j] = (uint64)data[7] | ((uint64)data[6] << 8) | \
595  ((uint64)data[5] << 16) | ((uint64)data[4] << 24) | \
596  ((uint64)data[3] << 32) | ((uint64)data[2] << 40) | \
597  ((uint64)data[1] << 48) | ((uint64)data[0] << 56); \
598  data += 8; \
599  T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
600  (d) += T1; \
601  (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
602  j++; \
603 } while(0)
604 
605 
606 #define ROUND512(a,b,c,d,e,f,g,h) do { \
607  s0 = W512[(j+1)&0x0f]; \
608  s0 = sigma0_512(s0); \
609  s1 = W512[(j+14)&0x0f]; \
610  s1 = sigma1_512(s1); \
611  T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
612  (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
613  (d) += T1; \
614  (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
615  j++; \
616 } while(0)
617 
618 static void
619 SHA512_Transform(SHA512_CTX *context, const uint8 *data)
620 {
621  uint64 a,
622  b,
623  c,
624  d,
625  e,
626  f,
627  g,
628  h,
629  s0,
630  s1;
631  uint64 T1,
632  *W512 = (uint64 *) context->buffer;
633  int j;
634 
635  /* Initialize registers with the prev. intermediate value */
636  a = context->state[0];
637  b = context->state[1];
638  c = context->state[2];
639  d = context->state[3];
640  e = context->state[4];
641  f = context->state[5];
642  g = context->state[6];
643  h = context->state[7];
644 
645  j = 0;
646  do
647  {
648  ROUND512_0_TO_15(a, b, c, d, e, f, g, h);
649  ROUND512_0_TO_15(h, a, b, c, d, e, f, g);
650  ROUND512_0_TO_15(g, h, a, b, c, d, e, f);
651  ROUND512_0_TO_15(f, g, h, a, b, c, d, e);
652  ROUND512_0_TO_15(e, f, g, h, a, b, c, d);
653  ROUND512_0_TO_15(d, e, f, g, h, a, b, c);
654  ROUND512_0_TO_15(c, d, e, f, g, h, a, b);
655  ROUND512_0_TO_15(b, c, d, e, f, g, h, a);
656  } while (j < 16);
657 
658  /* Now for the remaining rounds up to 79: */
659  do
660  {
661  ROUND512(a, b, c, d, e, f, g, h);
662  ROUND512(h, a, b, c, d, e, f, g);
663  ROUND512(g, h, a, b, c, d, e, f);
664  ROUND512(f, g, h, a, b, c, d, e);
665  ROUND512(e, f, g, h, a, b, c, d);
666  ROUND512(d, e, f, g, h, a, b, c);
667  ROUND512(c, d, e, f, g, h, a, b);
668  ROUND512(b, c, d, e, f, g, h, a);
669  } while (j < 80);
670 
671  /* Compute the current intermediate hash value */
672  context->state[0] += a;
673  context->state[1] += b;
674  context->state[2] += c;
675  context->state[3] += d;
676  context->state[4] += e;
677  context->state[5] += f;
678  context->state[6] += g;
679  context->state[7] += h;
680 
681  /* Clean up */
682  a = b = c = d = e = f = g = h = T1 = 0;
683 }
684 #else /* SHA2_UNROLL_TRANSFORM */
685 
686 static void
687 SHA512_Transform(SHA512_CTX *context, const uint8 *data)
688 {
689  uint64 a,
690  b,
691  c,
692  d,
693  e,
694  f,
695  g,
696  h,
697  s0,
698  s1;
699  uint64 T1,
700  T2,
701  *W512 = (uint64 *) context->buffer;
702  int j;
703 
704  /* Initialize registers with the prev. intermediate value */
705  a = context->state[0];
706  b = context->state[1];
707  c = context->state[2];
708  d = context->state[3];
709  e = context->state[4];
710  f = context->state[5];
711  g = context->state[6];
712  h = context->state[7];
713 
714  j = 0;
715  do
716  {
717  W512[j] = (uint64) data[7] | ((uint64) data[6] << 8) |
718  ((uint64) data[5] << 16) | ((uint64) data[4] << 24) |
719  ((uint64) data[3] << 32) | ((uint64) data[2] << 40) |
720  ((uint64) data[1] << 48) | ((uint64) data[0] << 56);
721  data += 8;
722  /* Apply the SHA-512 compression function to update a..h */
723  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
724  T2 = Sigma0_512(a) + Maj(a, b, c);
725  h = g;
726  g = f;
727  f = e;
728  e = d + T1;
729  d = c;
730  c = b;
731  b = a;
732  a = T1 + T2;
733 
734  j++;
735  } while (j < 16);
736 
737  do
738  {
739  /* Part of the message block expansion: */
740  s0 = W512[(j + 1) & 0x0f];
741  s0 = sigma0_512(s0);
742  s1 = W512[(j + 14) & 0x0f];
743  s1 = sigma1_512(s1);
744 
745  /* Apply the SHA-512 compression function to update a..h */
746  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
747  (W512[j & 0x0f] += s1 + W512[(j + 9) & 0x0f] + s0);
748  T2 = Sigma0_512(a) + Maj(a, b, c);
749  h = g;
750  g = f;
751  f = e;
752  e = d + T1;
753  d = c;
754  c = b;
755  b = a;
756  a = T1 + T2;
757 
758  j++;
759  } while (j < 80);
760 
761  /* Compute the current intermediate hash value */
762  context->state[0] += a;
763  context->state[1] += b;
764  context->state[2] += c;
765  context->state[3] += d;
766  context->state[4] += e;
767  context->state[5] += f;
768  context->state[6] += g;
769  context->state[7] += h;
770 
771  /* Clean up */
772  a = b = c = d = e = f = g = h = T1 = T2 = 0;
773 }
774 #endif /* SHA2_UNROLL_TRANSFORM */
775 
776 void
777 SHA512_Update(SHA512_CTX *context, const uint8 *data, size_t len)
778 {
779  size_t freespace,
780  usedspace;
781 
782  /* Calling with no data is valid (we do nothing) */
783  if (len == 0)
784  return;
785 
786  usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
787  if (usedspace > 0)
788  {
789  /* Calculate how much free space is available in the buffer */
790  freespace = SHA512_BLOCK_LENGTH - usedspace;
791 
792  if (len >= freespace)
793  {
794  /* Fill the buffer completely and process it */
795  memcpy(&context->buffer[usedspace], data, freespace);
796  ADDINC128(context->bitcount, freespace << 3);
797  len -= freespace;
798  data += freespace;
799  SHA512_Transform(context, context->buffer);
800  }
801  else
802  {
803  /* The buffer is not yet full */
804  memcpy(&context->buffer[usedspace], data, len);
805  ADDINC128(context->bitcount, len << 3);
806  /* Clean up: */
807  usedspace = freespace = 0;
808  return;
809  }
810  }
811  while (len >= SHA512_BLOCK_LENGTH)
812  {
813  /* Process as many complete blocks as we can */
814  SHA512_Transform(context, data);
815  ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
816  len -= SHA512_BLOCK_LENGTH;
817  data += SHA512_BLOCK_LENGTH;
818  }
819  if (len > 0)
820  {
821  /* There's left-overs, so save 'em */
822  memcpy(context->buffer, data, len);
823  ADDINC128(context->bitcount, len << 3);
824  }
825  /* Clean up: */
826  usedspace = freespace = 0;
827 }
828 
829 static void
831 {
832  unsigned int usedspace;
833 
834  usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
835 #ifndef WORDS_BIGENDIAN
836  /* Convert FROM host byte order */
837  REVERSE64(context->bitcount[0], context->bitcount[0]);
838  REVERSE64(context->bitcount[1], context->bitcount[1]);
839 #endif
840  if (usedspace > 0)
841  {
842  /* Begin padding with a 1 bit: */
843  context->buffer[usedspace++] = 0x80;
844 
845  if (usedspace <= SHA512_SHORT_BLOCK_LENGTH)
846  {
847  /* Set-up for the last transform: */
848  memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace);
849  }
850  else
851  {
852  if (usedspace < SHA512_BLOCK_LENGTH)
853  {
854  memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace);
855  }
856  /* Do second-to-last transform: */
857  SHA512_Transform(context, context->buffer);
858 
859  /* And set-up for the last transform: */
860  memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
861  }
862  }
863  else
864  {
865  /* Prepare for final transform: */
866  memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
867 
868  /* Begin padding with a 1 bit: */
869  *context->buffer = 0x80;
870  }
871  /* Store the length of input data (in bits): */
872  *(uint64 *) &context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
873  *(uint64 *) &context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8] = context->bitcount[0];
874 
875  /* Final transform: */
876  SHA512_Transform(context, context->buffer);
877 }
878 
879 void
880 SHA512_Final(uint8 digest[], SHA512_CTX *context)
881 {
882  /* If no digest buffer is passed, we don't bother doing this: */
883  if (digest != NULL)
884  {
885  SHA512_Last(context);
886 
887  /* Save the hash data for output: */
888 #ifndef WORDS_BIGENDIAN
889  {
890  /* Convert TO host byte order */
891  int j;
892 
893  for (j = 0; j < 8; j++)
894  {
895  REVERSE64(context->state[j], context->state[j]);
896  }
897  }
898 #endif
899  memcpy(digest, context->state, SHA512_DIGEST_LENGTH);
900  }
901 
902  /* Zero out state data */
903  px_memset(context, 0, sizeof(*context));
904 }
905 
906 
907 /*** SHA-384: *********************************************************/
908 void
910 {
911  if (context == NULL)
912  return;
914  memset(context->buffer, 0, SHA384_BLOCK_LENGTH);
915  context->bitcount[0] = context->bitcount[1] = 0;
916 }
917 
918 void
919 SHA384_Update(SHA384_CTX *context, const uint8 *data, size_t len)
920 {
921  SHA512_Update((SHA512_CTX *) context, data, len);
922 }
923 
924 void
925 SHA384_Final(uint8 digest[], SHA384_CTX *context)
926 {
927  /* If no digest buffer is passed, we don't bother doing this: */
928  if (digest != NULL)
929  {
930  SHA512_Last((SHA512_CTX *) context);
931 
932  /* Save the hash data for output: */
933 #ifndef WORDS_BIGENDIAN
934  {
935  /* Convert TO host byte order */
936  int j;
937 
938  for (j = 0; j < 6; j++)
939  {
940  REVERSE64(context->state[j], context->state[j]);
941  }
942  }
943 #endif
944  memcpy(digest, context->state, SHA384_DIGEST_LENGTH);
945  }
946 
947  /* Zero out state data */
948  px_memset(context, 0, sizeof(*context));
949 }
950 
951 /*** SHA-224: *********************************************************/
952 void
954 {
955  if (context == NULL)
956  return;
958  memset(context->buffer, 0, SHA256_BLOCK_LENGTH);
959  context->bitcount = 0;
960 }
961 
962 void
963 SHA224_Update(SHA224_CTX *context, const uint8 *data, size_t len)
964 {
965  SHA256_Update((SHA256_CTX *) context, data, len);
966 }
967 
968 void
969 SHA224_Final(uint8 digest[], SHA224_CTX *context)
970 {
971  /* If no digest buffer is passed, we don't bother doing this: */
972  if (digest != NULL)
973  {
974  SHA256_Last(context);
975 
976 #ifndef WORDS_BIGENDIAN
977  {
978  /* Convert TO host byte order */
979  int j;
980 
981  for (j = 0; j < 8; j++)
982  {
983  REVERSE32(context->state[j], context->state[j]);
984  }
985  }
986 #endif
987  memcpy(digest, context->state, SHA224_DIGEST_LENGTH);
988  }
989 
990  /* Clean up state data: */
991  px_memset(context, 0, sizeof(*context));
992 }
union sha1_ctxt::@15 h
#define Sigma0_512(x)
Definition: sha2.c:123
void SHA256_Init(SHA256_CTX *context)
Definition: sha2.c:254
static const uint64 sha512_initial_hash_value[8]
Definition: sha2.c:240
static const uint32 K256[64]
Definition: sha2.c:140
#define SHA384_BLOCK_LENGTH
Definition: sha2.h:59
void SHA256_Final(uint8 digest[], SHA256_CTX *context)
Definition: sha2.c:552
unsigned char uint8
Definition: c.h:263
#define SHA256_BLOCK_LENGTH
Definition: sha2.h:56
#define Ch(x, y, z)
Definition: sha2.c:113
uint64 state[8]
Definition: sha2.h:76
void SHA224_Final(uint8 digest[], SHA224_CTX *context)
Definition: sha2.c:969
#define sigma1_512(x)
Definition: sha2.c:126
uint8 buffer[SHA512_BLOCK_LENGTH]
Definition: sha2.h:78
static const uint32 sha256_initial_hash_value[8]
Definition: sha2.c:172
#define Sigma1_256(x)
Definition: sha2.c:118
#define sigma1_256(x)
Definition: sha2.c:120
char * s1
static void SHA256_Transform(SHA256_CTX *, const uint8 *)
Definition: sha2.c:361
uint8 buffer[SHA256_BLOCK_LENGTH]
Definition: sha2.h:72
char * c
void SHA384_Init(SHA384_CTX *context)
Definition: sha2.c:909
static const uint64 K512[80]
Definition: sha2.c:184
#define REVERSE64(w, x)
Definition: sha2.c:74
#define SHA384_DIGEST_LENGTH
Definition: sha2.h:60
unsigned int uint32
Definition: c.h:265
static const uint64 sha384_initial_hash_value[8]
Definition: sha2.c:228
#define sigma0_256(x)
Definition: sha2.c:119
void SHA224_Init(SHA224_CTX *context)
Definition: sha2.c:953
void SHA512_Update(SHA512_CTX *context, const uint8 *data, size_t len)
Definition: sha2.c:777
#define ADDINC128(w, n)
Definition: sha2.c:89
void SHA512_Init(SHA512_CTX *context)
Definition: sha2.c:580
uint64 bitcount[2]
Definition: sha2.h:77
#define Sigma0_256(x)
Definition: sha2.c:117
#define NULL
Definition: c.h:226
#define SHA256_DIGEST_LENGTH
Definition: sha2.h:57
#define SHA512_SHORT_BLOCK_LENGTH
Definition: sha2.c:64
#define sigma0_512(x)
Definition: sha2.c:125
void SHA256_Update(SHA256_CTX *context, const uint8 *data, size_t len)
Definition: sha2.c:451
uint32 state[8]
Definition: sha2.h:70
static void SHA512_Last(SHA512_CTX *)
Definition: sha2.c:830
#define Maj(x, y, z)
Definition: sha2.c:114
void SHA224_Update(SHA224_CTX *context, const uint8 *data, size_t len)
Definition: sha2.c:963
static void SHA512_Transform(SHA512_CTX *, const uint8 *)
Definition: sha2.c:687
e
Definition: preproc-init.c:82
static void SHA256_Last(SHA256_CTX *context)
Definition: sha2.c:504
uint64 bitcount
Definition: sha2.h:71
#define Sigma1_512(x)
Definition: sha2.c:124
void SHA512_Final(uint8 digest[], SHA512_CTX *context)
Definition: sha2.c:880
void SHA384_Update(SHA384_CTX *context, const uint8 *data, size_t len)
Definition: sha2.c:919
#define SHA512_DIGEST_LENGTH
Definition: sha2.h:63
#define SHA512_BLOCK_LENGTH
Definition: sha2.h:62
#define SHA256_SHORT_BLOCK_LENGTH
Definition: sha2.c:62
void px_memset(void *ptr, int c, size_t len)
Definition: px.c:134
#define SHA224_DIGEST_LENGTH
Definition: sha2.h:54
static const uint32 sha224_initial_hash_value[8]
Definition: sha2.c:160
#define REVERSE32(w, x)
Definition: sha2.c:69
void SHA384_Final(uint8 digest[], SHA384_CTX *context)
Definition: sha2.c:925