PostgreSQL Source Code  git master
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros
sha2.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * sha2.c
4  * Set of SHA functions for SHA-224, SHA-256, SHA-384 and SHA-512.
5  *
6  * This is the set of in-core functions used when there are no other
7  * alternative options like OpenSSL.
8  *
9  * Portions Copyright (c) 2016-2017, PostgreSQL Global Development Group
10  *
11  * IDENTIFICATION
12  * src/common/sha2.c
13  *
14  *-------------------------------------------------------------------------
15  */
16 
17 /* $OpenBSD: sha2.c,v 1.6 2004/05/03 02:57:36 millert Exp $ */
18 /*
19  * FILE: sha2.c
20  * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
21  *
22  * Copyright (c) 2000-2001, Aaron D. Gifford
23  * All rights reserved.
24  *
25  * Redistribution and use in source and binary forms, with or without
26  * modification, are permitted provided that the following conditions
27  * are met:
28  * 1. Redistributions of source code must retain the above copyright
29  * notice, this list of conditions and the following disclaimer.
30  * 2. Redistributions in binary form must reproduce the above copyright
31  * notice, this list of conditions and the following disclaimer in the
32  * documentation and/or other materials provided with the distribution.
33  * 3. Neither the name of the copyright holder nor the names of contributors
34  * may be used to endorse or promote products derived from this software
35  * without specific prior written permission.
36  *
37  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
38  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
39  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
40  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
41  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
42  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
43  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
45  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
46  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
47  * SUCH DAMAGE.
48  *
49  * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
50  */
51 
52 
53 #ifndef FRONTEND
54 #include "postgres.h"
55 #else
56 #include "postgres_fe.h"
57 #endif
58 
59 #include <sys/param.h>
60 
61 #include "common/sha2.h"
62 
63 /*
64  * UNROLLED TRANSFORM LOOP NOTE:
65  * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
66  * loop version for the hash transform rounds (defined using macros
67  * later in this file). Either define on the command line, for example:
68  *
69  * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
70  *
71  * or define below:
72  *
73  * #define SHA2_UNROLL_TRANSFORM
74  *
75  */
76 
77 /*** SHA-256/384/512 Various Length Definitions ***********************/
78 #define PG_SHA256_SHORT_BLOCK_LENGTH (PG_SHA256_BLOCK_LENGTH - 8)
79 #define PG_SHA384_SHORT_BLOCK_LENGTH (PG_SHA384_BLOCK_LENGTH - 16)
80 #define PG_SHA512_SHORT_BLOCK_LENGTH (PG_SHA512_BLOCK_LENGTH - 16)
81 
82 /*** ENDIAN REVERSAL MACROS *******************************************/
83 #ifndef WORDS_BIGENDIAN
84 #define REVERSE32(w,x) { \
85  uint32 tmp = (w); \
86  tmp = (tmp >> 16) | (tmp << 16); \
87  (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
88 }
89 #define REVERSE64(w,x) { \
90  uint64 tmp = (w); \
91  tmp = (tmp >> 32) | (tmp << 32); \
92  tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
93  ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
94  (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
95  ((tmp & 0x0000ffff0000ffffULL) << 16); \
96 }
97 #endif /* not bigendian */
98 
99 /*
100  * Macro for incrementally adding the unsigned 64-bit integer n to the
101  * unsigned 128-bit integer (represented using a two-element array of
102  * 64-bit words):
103  */
104 #define ADDINC128(w,n) { \
105  (w)[0] += (uint64)(n); \
106  if ((w)[0] < (n)) { \
107  (w)[1]++; \
108  } \
109 }
110 
111 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
112 /*
113  * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
114  *
115  * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
116  * S is a ROTATION) because the SHA-256/384/512 description document
117  * (see http://www.iwar.org.uk/comsec/resources/cipher/sha256-384-512.pdf)
118  * uses this same "backwards" definition.
119  */
120 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
121 #define R(b,x) ((x) >> (b))
122 /* 32-bit Rotate-right (used in SHA-256): */
123 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
124 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
125 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
126 
127 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
128 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
129 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
130 
131 /* Four of six logical functions used in SHA-256: */
132 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
133 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
134 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
135 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
136 
137 /* Four of six logical functions used in SHA-384 and SHA-512: */
138 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
139 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
140 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
141 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
142 
143 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
144 /* NOTE: These should not be accessed directly from outside this
145  * library -- they are intended for private internal visibility/use
146  * only.
147  */
148 static void SHA512_Last(pg_sha512_ctx *context);
149 static void SHA256_Transform(pg_sha256_ctx *context, const uint8 *data);
150 static void SHA512_Transform(pg_sha512_ctx *context, const uint8 *data);
151 
152 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
153 /* Hash constant words K for SHA-256: */
154 static const uint32 K256[64] = {
155  0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
156  0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
157  0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
158  0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
159  0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
160  0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
161  0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
162  0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
163  0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
164  0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
165  0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
166  0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
167  0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
168  0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
169  0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
170  0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
171 };
172 
173 /* Initial hash value H for SHA-224: */
175  0xc1059ed8UL,
176  0x367cd507UL,
177  0x3070dd17UL,
178  0xf70e5939UL,
179  0xffc00b31UL,
180  0x68581511UL,
181  0x64f98fa7UL,
182  0xbefa4fa4UL
183 };
184 
185 /* Initial hash value H for SHA-256: */
187  0x6a09e667UL,
188  0xbb67ae85UL,
189  0x3c6ef372UL,
190  0xa54ff53aUL,
191  0x510e527fUL,
192  0x9b05688cUL,
193  0x1f83d9abUL,
194  0x5be0cd19UL
195 };
196 
197 /* Hash constant words K for SHA-384 and SHA-512: */
198 static const uint64 K512[80] = {
199  0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
200  0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
201  0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
202  0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
203  0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
204  0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
205  0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
206  0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
207  0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
208  0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
209  0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
210  0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
211  0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
212  0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
213  0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
214  0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
215  0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
216  0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
217  0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
218  0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
219  0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
220  0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
221  0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
222  0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
223  0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
224  0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
225  0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
226  0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
227  0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
228  0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
229  0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
230  0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
231  0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
232  0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
233  0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
234  0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
235  0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
236  0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
237  0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
238  0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
239 };
240 
241 /* Initial hash value H for SHA-384 */
242 static const uint64 sha384_initial_hash_value[8] = {
243  0xcbbb9d5dc1059ed8ULL,
244  0x629a292a367cd507ULL,
245  0x9159015a3070dd17ULL,
246  0x152fecd8f70e5939ULL,
247  0x67332667ffc00b31ULL,
248  0x8eb44a8768581511ULL,
249  0xdb0c2e0d64f98fa7ULL,
250  0x47b5481dbefa4fa4ULL
251 };
252 
253 /* Initial hash value H for SHA-512 */
254 static const uint64 sha512_initial_hash_value[8] = {
255  0x6a09e667f3bcc908ULL,
256  0xbb67ae8584caa73bULL,
257  0x3c6ef372fe94f82bULL,
258  0xa54ff53a5f1d36f1ULL,
259  0x510e527fade682d1ULL,
260  0x9b05688c2b3e6c1fULL,
261  0x1f83d9abfb41bd6bULL,
262  0x5be0cd19137e2179ULL
263 };
264 
265 
266 /*** SHA-256: *********************************************************/
267 void
269 {
270  if (context == NULL)
271  return;
273  memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH);
274  context->bitcount = 0;
275 }
276 
277 #ifdef SHA2_UNROLL_TRANSFORM
278 
279 /* Unrolled SHA-256 round macros: */
280 
281 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
282  W256[j] = (uint32)data[3] | ((uint32)data[2] << 8) | \
283  ((uint32)data[1] << 16) | ((uint32)data[0] << 24); \
284  data += 4; \
285  T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
286  (d) += T1; \
287  (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
288  j++; \
289 } while(0)
290 
291 #define ROUND256(a,b,c,d,e,f,g,h) do { \
292  s0 = W256[(j+1)&0x0f]; \
293  s0 = sigma0_256(s0); \
294  s1 = W256[(j+14)&0x0f]; \
295  s1 = sigma1_256(s1); \
296  T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
297  (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
298  (d) += T1; \
299  (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
300  j++; \
301 } while(0)
302 
303 static void
304 SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
305 {
306  uint32 a,
307  b,
308  c,
309  d,
310  e,
311  f,
312  g,
313  h,
314  s0,
315  s1;
316  uint32 T1,
317  *W256;
318  int j;
319 
320  W256 = (uint32 *) context->buffer;
321 
322  /* Initialize registers with the prev. intermediate value */
323  a = context->state[0];
324  b = context->state[1];
325  c = context->state[2];
326  d = context->state[3];
327  e = context->state[4];
328  f = context->state[5];
329  g = context->state[6];
330  h = context->state[7];
331 
332  j = 0;
333  do
334  {
335  /* Rounds 0 to 15 (unrolled): */
336  ROUND256_0_TO_15(a, b, c, d, e, f, g, h);
337  ROUND256_0_TO_15(h, a, b, c, d, e, f, g);
338  ROUND256_0_TO_15(g, h, a, b, c, d, e, f);
339  ROUND256_0_TO_15(f, g, h, a, b, c, d, e);
340  ROUND256_0_TO_15(e, f, g, h, a, b, c, d);
341  ROUND256_0_TO_15(d, e, f, g, h, a, b, c);
342  ROUND256_0_TO_15(c, d, e, f, g, h, a, b);
343  ROUND256_0_TO_15(b, c, d, e, f, g, h, a);
344  } while (j < 16);
345 
346  /* Now for the remaining rounds to 64: */
347  do
348  {
349  ROUND256(a, b, c, d, e, f, g, h);
350  ROUND256(h, a, b, c, d, e, f, g);
351  ROUND256(g, h, a, b, c, d, e, f);
352  ROUND256(f, g, h, a, b, c, d, e);
353  ROUND256(e, f, g, h, a, b, c, d);
354  ROUND256(d, e, f, g, h, a, b, c);
355  ROUND256(c, d, e, f, g, h, a, b);
356  ROUND256(b, c, d, e, f, g, h, a);
357  } while (j < 64);
358 
359  /* Compute the current intermediate hash value */
360  context->state[0] += a;
361  context->state[1] += b;
362  context->state[2] += c;
363  context->state[3] += d;
364  context->state[4] += e;
365  context->state[5] += f;
366  context->state[6] += g;
367  context->state[7] += h;
368 
369  /* Clean up */
370  a = b = c = d = e = f = g = h = T1 = 0;
371 }
372 #else /* SHA2_UNROLL_TRANSFORM */
373 
374 static void
375 SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
376 {
377  uint32 a,
378  b,
379  c,
380  d,
381  e,
382  f,
383  g,
384  h,
385  s0,
386  s1;
387  uint32 T1,
388  T2,
389  *W256;
390  int j;
391 
392  W256 = (uint32 *) context->buffer;
393 
394  /* Initialize registers with the prev. intermediate value */
395  a = context->state[0];
396  b = context->state[1];
397  c = context->state[2];
398  d = context->state[3];
399  e = context->state[4];
400  f = context->state[5];
401  g = context->state[6];
402  h = context->state[7];
403 
404  j = 0;
405  do
406  {
407  W256[j] = (uint32) data[3] | ((uint32) data[2] << 8) |
408  ((uint32) data[1] << 16) | ((uint32) data[0] << 24);
409  data += 4;
410  /* Apply the SHA-256 compression function to update a..h */
411  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
412  T2 = Sigma0_256(a) + Maj(a, b, c);
413  h = g;
414  g = f;
415  f = e;
416  e = d + T1;
417  d = c;
418  c = b;
419  b = a;
420  a = T1 + T2;
421 
422  j++;
423  } while (j < 16);
424 
425  do
426  {
427  /* Part of the message block expansion: */
428  s0 = W256[(j + 1) & 0x0f];
429  s0 = sigma0_256(s0);
430  s1 = W256[(j + 14) & 0x0f];
431  s1 = sigma1_256(s1);
432 
433  /* Apply the SHA-256 compression function to update a..h */
434  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
435  (W256[j & 0x0f] += s1 + W256[(j + 9) & 0x0f] + s0);
436  T2 = Sigma0_256(a) + Maj(a, b, c);
437  h = g;
438  g = f;
439  f = e;
440  e = d + T1;
441  d = c;
442  c = b;
443  b = a;
444  a = T1 + T2;
445 
446  j++;
447  } while (j < 64);
448 
449  /* Compute the current intermediate hash value */
450  context->state[0] += a;
451  context->state[1] += b;
452  context->state[2] += c;
453  context->state[3] += d;
454  context->state[4] += e;
455  context->state[5] += f;
456  context->state[6] += g;
457  context->state[7] += h;
458 
459  /* Clean up */
460  a = b = c = d = e = f = g = h = T1 = T2 = 0;
461 }
462 #endif /* SHA2_UNROLL_TRANSFORM */
463 
464 void
465 pg_sha256_update(pg_sha256_ctx *context, const uint8 *data, size_t len)
466 {
467  size_t freespace,
468  usedspace;
469 
470  /* Calling with no data is valid (we do nothing) */
471  if (len == 0)
472  return;
473 
474  usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH;
475  if (usedspace > 0)
476  {
477  /* Calculate how much free space is available in the buffer */
478  freespace = PG_SHA256_BLOCK_LENGTH - usedspace;
479 
480  if (len >= freespace)
481  {
482  /* Fill the buffer completely and process it */
483  memcpy(&context->buffer[usedspace], data, freespace);
484  context->bitcount += freespace << 3;
485  len -= freespace;
486  data += freespace;
487  SHA256_Transform(context, context->buffer);
488  }
489  else
490  {
491  /* The buffer is not yet full */
492  memcpy(&context->buffer[usedspace], data, len);
493  context->bitcount += len << 3;
494  /* Clean up: */
495  usedspace = freespace = 0;
496  return;
497  }
498  }
499  while (len >= PG_SHA256_BLOCK_LENGTH)
500  {
501  /* Process as many complete blocks as we can */
502  SHA256_Transform(context, data);
503  context->bitcount += PG_SHA256_BLOCK_LENGTH << 3;
504  len -= PG_SHA256_BLOCK_LENGTH;
505  data += PG_SHA256_BLOCK_LENGTH;
506  }
507  if (len > 0)
508  {
509  /* There's left-overs, so save 'em */
510  memcpy(context->buffer, data, len);
511  context->bitcount += len << 3;
512  }
513  /* Clean up: */
514  usedspace = freespace = 0;
515 }
516 
517 static void
519 {
520  unsigned int usedspace;
521 
522  usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH;
523 #ifndef WORDS_BIGENDIAN
524  /* Convert FROM host byte order */
525  REVERSE64(context->bitcount, context->bitcount);
526 #endif
527  if (usedspace > 0)
528  {
529  /* Begin padding with a 1 bit: */
530  context->buffer[usedspace++] = 0x80;
531 
532  if (usedspace <= PG_SHA256_SHORT_BLOCK_LENGTH)
533  {
534  /* Set-up for the last transform: */
535  memset(&context->buffer[usedspace], 0, PG_SHA256_SHORT_BLOCK_LENGTH - usedspace);
536  }
537  else
538  {
539  if (usedspace < PG_SHA256_BLOCK_LENGTH)
540  {
541  memset(&context->buffer[usedspace], 0, PG_SHA256_BLOCK_LENGTH - usedspace);
542  }
543  /* Do second-to-last transform: */
544  SHA256_Transform(context, context->buffer);
545 
546  /* And set-up for the last transform: */
547  memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH);
548  }
549  }
550  else
551  {
552  /* Set-up for the last transform: */
553  memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH);
554 
555  /* Begin padding with a 1 bit: */
556  *context->buffer = 0x80;
557  }
558  /* Set the bit count: */
559  *(uint64 *) &context->buffer[PG_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
560 
561  /* Final transform: */
562  SHA256_Transform(context, context->buffer);
563 }
564 
565 void
567 {
568  /* If no digest buffer is passed, we don't bother doing this: */
569  if (digest != NULL)
570  {
571  SHA256_Last(context);
572 
573 #ifndef WORDS_BIGENDIAN
574  {
575  /* Convert TO host byte order */
576  int j;
577 
578  for (j = 0; j < 8; j++)
579  {
580  REVERSE32(context->state[j], context->state[j]);
581  }
582  }
583 #endif
584  memcpy(digest, context->state, PG_SHA256_DIGEST_LENGTH);
585  }
586 
587  /* Clean up state data: */
588  memset(context, 0, sizeof(pg_sha256_ctx));
589 }
590 
591 
592 /*** SHA-512: *********************************************************/
593 void
595 {
596  if (context == NULL)
597  return;
599  memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH);
600  context->bitcount[0] = context->bitcount[1] = 0;
601 }
602 
603 #ifdef SHA2_UNROLL_TRANSFORM
604 
605 /* Unrolled SHA-512 round macros: */
606 
607 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
608  W512[j] = (uint64)data[7] | ((uint64)data[6] << 8) | \
609  ((uint64)data[5] << 16) | ((uint64)data[4] << 24) | \
610  ((uint64)data[3] << 32) | ((uint64)data[2] << 40) | \
611  ((uint64)data[1] << 48) | ((uint64)data[0] << 56); \
612  data += 8; \
613  T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
614  (d) += T1; \
615  (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
616  j++; \
617 } while(0)
618 
619 
620 #define ROUND512(a,b,c,d,e,f,g,h) do { \
621  s0 = W512[(j+1)&0x0f]; \
622  s0 = sigma0_512(s0); \
623  s1 = W512[(j+14)&0x0f]; \
624  s1 = sigma1_512(s1); \
625  T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
626  (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
627  (d) += T1; \
628  (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
629  j++; \
630 } while(0)
631 
632 static void
633 SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
634 {
635  uint64 a,
636  b,
637  c,
638  d,
639  e,
640  f,
641  g,
642  h,
643  s0,
644  s1;
645  uint64 T1,
646  *W512 = (uint64 *) context->buffer;
647  int j;
648 
649  /* Initialize registers with the prev. intermediate value */
650  a = context->state[0];
651  b = context->state[1];
652  c = context->state[2];
653  d = context->state[3];
654  e = context->state[4];
655  f = context->state[5];
656  g = context->state[6];
657  h = context->state[7];
658 
659  j = 0;
660  do
661  {
662  ROUND512_0_TO_15(a, b, c, d, e, f, g, h);
663  ROUND512_0_TO_15(h, a, b, c, d, e, f, g);
664  ROUND512_0_TO_15(g, h, a, b, c, d, e, f);
665  ROUND512_0_TO_15(f, g, h, a, b, c, d, e);
666  ROUND512_0_TO_15(e, f, g, h, a, b, c, d);
667  ROUND512_0_TO_15(d, e, f, g, h, a, b, c);
668  ROUND512_0_TO_15(c, d, e, f, g, h, a, b);
669  ROUND512_0_TO_15(b, c, d, e, f, g, h, a);
670  } while (j < 16);
671 
672  /* Now for the remaining rounds up to 79: */
673  do
674  {
675  ROUND512(a, b, c, d, e, f, g, h);
676  ROUND512(h, a, b, c, d, e, f, g);
677  ROUND512(g, h, a, b, c, d, e, f);
678  ROUND512(f, g, h, a, b, c, d, e);
679  ROUND512(e, f, g, h, a, b, c, d);
680  ROUND512(d, e, f, g, h, a, b, c);
681  ROUND512(c, d, e, f, g, h, a, b);
682  ROUND512(b, c, d, e, f, g, h, a);
683  } while (j < 80);
684 
685  /* Compute the current intermediate hash value */
686  context->state[0] += a;
687  context->state[1] += b;
688  context->state[2] += c;
689  context->state[3] += d;
690  context->state[4] += e;
691  context->state[5] += f;
692  context->state[6] += g;
693  context->state[7] += h;
694 
695  /* Clean up */
696  a = b = c = d = e = f = g = h = T1 = 0;
697 }
698 #else /* SHA2_UNROLL_TRANSFORM */
699 
700 static void
701 SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
702 {
703  uint64 a,
704  b,
705  c,
706  d,
707  e,
708  f,
709  g,
710  h,
711  s0,
712  s1;
713  uint64 T1,
714  T2,
715  *W512 = (uint64 *) context->buffer;
716  int j;
717 
718  /* Initialize registers with the prev. intermediate value */
719  a = context->state[0];
720  b = context->state[1];
721  c = context->state[2];
722  d = context->state[3];
723  e = context->state[4];
724  f = context->state[5];
725  g = context->state[6];
726  h = context->state[7];
727 
728  j = 0;
729  do
730  {
731  W512[j] = (uint64) data[7] | ((uint64) data[6] << 8) |
732  ((uint64) data[5] << 16) | ((uint64) data[4] << 24) |
733  ((uint64) data[3] << 32) | ((uint64) data[2] << 40) |
734  ((uint64) data[1] << 48) | ((uint64) data[0] << 56);
735  data += 8;
736  /* Apply the SHA-512 compression function to update a..h */
737  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
738  T2 = Sigma0_512(a) + Maj(a, b, c);
739  h = g;
740  g = f;
741  f = e;
742  e = d + T1;
743  d = c;
744  c = b;
745  b = a;
746  a = T1 + T2;
747 
748  j++;
749  } while (j < 16);
750 
751  do
752  {
753  /* Part of the message block expansion: */
754  s0 = W512[(j + 1) & 0x0f];
755  s0 = sigma0_512(s0);
756  s1 = W512[(j + 14) & 0x0f];
757  s1 = sigma1_512(s1);
758 
759  /* Apply the SHA-512 compression function to update a..h */
760  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
761  (W512[j & 0x0f] += s1 + W512[(j + 9) & 0x0f] + s0);
762  T2 = Sigma0_512(a) + Maj(a, b, c);
763  h = g;
764  g = f;
765  f = e;
766  e = d + T1;
767  d = c;
768  c = b;
769  b = a;
770  a = T1 + T2;
771 
772  j++;
773  } while (j < 80);
774 
775  /* Compute the current intermediate hash value */
776  context->state[0] += a;
777  context->state[1] += b;
778  context->state[2] += c;
779  context->state[3] += d;
780  context->state[4] += e;
781  context->state[5] += f;
782  context->state[6] += g;
783  context->state[7] += h;
784 
785  /* Clean up */
786  a = b = c = d = e = f = g = h = T1 = T2 = 0;
787 }
788 #endif /* SHA2_UNROLL_TRANSFORM */
789 
790 void
791 pg_sha512_update(pg_sha512_ctx *context, const uint8 *data, size_t len)
792 {
793  size_t freespace,
794  usedspace;
795 
796  /* Calling with no data is valid (we do nothing) */
797  if (len == 0)
798  return;
799 
800  usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH;
801  if (usedspace > 0)
802  {
803  /* Calculate how much free space is available in the buffer */
804  freespace = PG_SHA512_BLOCK_LENGTH - usedspace;
805 
806  if (len >= freespace)
807  {
808  /* Fill the buffer completely and process it */
809  memcpy(&context->buffer[usedspace], data, freespace);
810  ADDINC128(context->bitcount, freespace << 3);
811  len -= freespace;
812  data += freespace;
813  SHA512_Transform(context, context->buffer);
814  }
815  else
816  {
817  /* The buffer is not yet full */
818  memcpy(&context->buffer[usedspace], data, len);
819  ADDINC128(context->bitcount, len << 3);
820  /* Clean up: */
821  usedspace = freespace = 0;
822  return;
823  }
824  }
825  while (len >= PG_SHA512_BLOCK_LENGTH)
826  {
827  /* Process as many complete blocks as we can */
828  SHA512_Transform(context, data);
829  ADDINC128(context->bitcount, PG_SHA512_BLOCK_LENGTH << 3);
830  len -= PG_SHA512_BLOCK_LENGTH;
831  data += PG_SHA512_BLOCK_LENGTH;
832  }
833  if (len > 0)
834  {
835  /* There's left-overs, so save 'em */
836  memcpy(context->buffer, data, len);
837  ADDINC128(context->bitcount, len << 3);
838  }
839  /* Clean up: */
840  usedspace = freespace = 0;
841 }
842 
843 static void
845 {
846  unsigned int usedspace;
847 
848  usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH;
849 #ifndef WORDS_BIGENDIAN
850  /* Convert FROM host byte order */
851  REVERSE64(context->bitcount[0], context->bitcount[0]);
852  REVERSE64(context->bitcount[1], context->bitcount[1]);
853 #endif
854  if (usedspace > 0)
855  {
856  /* Begin padding with a 1 bit: */
857  context->buffer[usedspace++] = 0x80;
858 
859  if (usedspace <= PG_SHA512_SHORT_BLOCK_LENGTH)
860  {
861  /* Set-up for the last transform: */
862  memset(&context->buffer[usedspace], 0, PG_SHA512_SHORT_BLOCK_LENGTH - usedspace);
863  }
864  else
865  {
866  if (usedspace < PG_SHA512_BLOCK_LENGTH)
867  {
868  memset(&context->buffer[usedspace], 0, PG_SHA512_BLOCK_LENGTH - usedspace);
869  }
870  /* Do second-to-last transform: */
871  SHA512_Transform(context, context->buffer);
872 
873  /* And set-up for the last transform: */
874  memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH - 2);
875  }
876  }
877  else
878  {
879  /* Prepare for final transform: */
880  memset(context->buffer, 0, PG_SHA512_SHORT_BLOCK_LENGTH);
881 
882  /* Begin padding with a 1 bit: */
883  *context->buffer = 0x80;
884  }
885  /* Store the length of input data (in bits): */
886  *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
887  *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH + 8] = context->bitcount[0];
888 
889  /* Final transform: */
890  SHA512_Transform(context, context->buffer);
891 }
892 
893 void
895 {
896  /* If no digest buffer is passed, we don't bother doing this: */
897  if (digest != NULL)
898  {
899  SHA512_Last(context);
900 
901  /* Save the hash data for output: */
902 #ifndef WORDS_BIGENDIAN
903  {
904  /* Convert TO host byte order */
905  int j;
906 
907  for (j = 0; j < 8; j++)
908  {
909  REVERSE64(context->state[j], context->state[j]);
910  }
911  }
912 #endif
913  memcpy(digest, context->state, PG_SHA512_DIGEST_LENGTH);
914  }
915 
916  /* Zero out state data */
917  memset(context, 0, sizeof(pg_sha512_ctx));
918 }
919 
920 
921 /*** SHA-384: *********************************************************/
922 void
924 {
925  if (context == NULL)
926  return;
928  memset(context->buffer, 0, PG_SHA384_BLOCK_LENGTH);
929  context->bitcount[0] = context->bitcount[1] = 0;
930 }
931 
932 void
933 pg_sha384_update(pg_sha384_ctx *context, const uint8 *data, size_t len)
934 {
935  pg_sha512_update((pg_sha512_ctx *) context, data, len);
936 }
937 
938 void
940 {
941  /* If no digest buffer is passed, we don't bother doing this: */
942  if (digest != NULL)
943  {
944  SHA512_Last((pg_sha512_ctx *) context);
945 
946  /* Save the hash data for output: */
947 #ifndef WORDS_BIGENDIAN
948  {
949  /* Convert TO host byte order */
950  int j;
951 
952  for (j = 0; j < 6; j++)
953  {
954  REVERSE64(context->state[j], context->state[j]);
955  }
956  }
957 #endif
958  memcpy(digest, context->state, PG_SHA384_DIGEST_LENGTH);
959  }
960 
961  /* Zero out state data */
962  memset(context, 0, sizeof(pg_sha384_ctx));
963 }
964 
965 /*** SHA-224: *********************************************************/
966 void
968 {
969  if (context == NULL)
970  return;
972  memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH);
973  context->bitcount = 0;
974 }
975 
976 void
977 pg_sha224_update(pg_sha224_ctx *context, const uint8 *data, size_t len)
978 {
979  pg_sha256_update((pg_sha256_ctx *) context, data, len);
980 }
981 
982 void
984 {
985  /* If no digest buffer is passed, we don't bother doing this: */
986  if (digest != NULL)
987  {
988  SHA256_Last(context);
989 
990 #ifndef WORDS_BIGENDIAN
991  {
992  /* Convert TO host byte order */
993  int j;
994 
995  for (j = 0; j < 8; j++)
996  {
997  REVERSE32(context->state[j], context->state[j]);
998  }
999  }
1000 #endif
1001  memcpy(digest, context->state, PG_SHA224_DIGEST_LENGTH);
1002  }
1003 
1004  /* Clean up state data: */
1005  memset(context, 0, sizeof(pg_sha224_ctx));
1006 }
#define Sigma0_512(x)
Definition: sha2.c:138
static void SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
Definition: sha2.c:375
uint64 bitcount
Definition: sha2.h:81
static const uint64 sha512_initial_hash_value[8]
Definition: sha2.c:254
uint8 buffer[PG_SHA512_BLOCK_LENGTH]
Definition: sha2.h:88
static const uint32 K256[64]
Definition: sha2.c:154
#define PG_SHA384_BLOCK_LENGTH
Definition: sha2.h:64
uint8 buffer[PG_SHA256_BLOCK_LENGTH]
Definition: sha2.h:82
#define PG_SHA256_DIGEST_LENGTH
Definition: sha2.h:62
unsigned char uint8
Definition: c.h:256
static void SHA512_Last(pg_sha512_ctx *context)
Definition: sha2.c:844
#define Ch(x, y, z)
Definition: sha2.c:128
#define PG_SHA512_DIGEST_LENGTH
Definition: sha2.h:68
void pg_sha256_init(pg_sha256_ctx *context)
Definition: sha2.c:268
#define sigma1_512(x)
Definition: sha2.c:141
static const uint32 sha256_initial_hash_value[8]
Definition: sha2.c:186
void pg_sha384_update(pg_sha384_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:933
#define Sigma1_256(x)
Definition: sha2.c:133
#define sigma1_256(x)
Definition: sha2.c:135
char * s1
#define PG_SHA256_BLOCK_LENGTH
Definition: sha2.h:61
#define PG_SHA256_SHORT_BLOCK_LENGTH
Definition: sha2.c:78
void pg_sha512_final(pg_sha512_ctx *context, uint8 *digest)
Definition: sha2.c:894
uint64 bitcount[2]
Definition: sha2.h:87
char * c
#define PG_SHA512_BLOCK_LENGTH
Definition: sha2.h:67
void pg_sha224_final(pg_sha224_ctx *context, uint8 *digest)
Definition: sha2.c:983
void pg_sha512_update(pg_sha512_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:791
static const uint64 K512[80]
Definition: sha2.c:198
static void SHA256_Last(pg_sha256_ctx *context)
Definition: sha2.c:518
#define REVERSE64(w, x)
Definition: sha2.c:89
unsigned int uint32
Definition: c.h:258
static const uint64 sha384_initial_hash_value[8]
Definition: sha2.c:242
#define sigma0_256(x)
Definition: sha2.c:134
void pg_sha224_init(pg_sha224_ctx *context)
Definition: sha2.c:967
#define ADDINC128(w, n)
Definition: sha2.c:104
void pg_sha256_update(pg_sha256_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:465
uint32 state[8]
Definition: sha2.h:80
void pg_sha224_update(pg_sha224_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:977
#define Sigma0_256(x)
Definition: sha2.c:132
void pg_sha384_final(pg_sha384_ctx *context, uint8 *digest)
Definition: sha2.c:939
#define sigma0_512(x)
Definition: sha2.c:140
uint64 state[8]
Definition: sha2.h:86
void pg_sha384_init(pg_sha384_ctx *context)
Definition: sha2.c:923
#define Maj(x, y, z)
Definition: sha2.c:129
void pg_sha512_init(pg_sha512_ctx *context)
Definition: sha2.c:594
e
Definition: preproc-init.c:82
void pg_sha256_final(pg_sha256_ctx *context, uint8 *digest)
Definition: sha2.c:566
static void SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
Definition: sha2.c:701
#define Sigma1_512(x)
Definition: sha2.c:139
#define PG_SHA512_SHORT_BLOCK_LENGTH
Definition: sha2.c:80
#define PG_SHA224_DIGEST_LENGTH
Definition: sha2.h:59
#define PG_SHA384_DIGEST_LENGTH
Definition: sha2.h:65
static const uint32 sha224_initial_hash_value[8]
Definition: sha2.c:174
#define REVERSE32(w, x)
Definition: sha2.c:84