PostgreSQL Source Code  git master
sha2.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * sha2.c
4  * SHA functions for SHA-224, SHA-256, SHA-384 and SHA-512.
5  *
6  * This includes the fallback implementation for SHA2 cryptographic
7  * hashes.
8  *
9  * Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
10  * Portions Copyright (c) 1994, Regents of the University of California
11  *
12  * IDENTIFICATION
13  * src/common/sha2.c
14  *
15  *-------------------------------------------------------------------------
16  */
17 
18 /* $OpenBSD: sha2.c,v 1.6 2004/05/03 02:57:36 millert Exp $ */
19 /*
20  * FILE: sha2.c
21  * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
22  *
23  * Copyright (c) 2000-2001, Aaron D. Gifford
24  * All rights reserved.
25  *
26  * Redistribution and use in source and binary forms, with or without
27  * modification, are permitted provided that the following conditions
28  * are met:
29  * 1. Redistributions of source code must retain the above copyright
30  * notice, this list of conditions and the following disclaimer.
31  * 2. Redistributions in binary form must reproduce the above copyright
32  * notice, this list of conditions and the following disclaimer in the
33  * documentation and/or other materials provided with the distribution.
34  * 3. Neither the name of the copyright holder nor the names of contributors
35  * may be used to endorse or promote products derived from this software
36  * without specific prior written permission.
37  *
38  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
39  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
41  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
42  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
43  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
44  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
46  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
47  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
48  * SUCH DAMAGE.
49  *
50  * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
51  */
52 
53 
54 #ifndef FRONTEND
55 #include "postgres.h"
56 #else
57 #include "postgres_fe.h"
58 #endif
59 
60 #include "sha2_int.h"
61 
62 /*
63  * In backend, use palloc/pfree to ease the error handling. In frontend,
64  * use malloc to be able to return a failure status back to the caller.
65  */
66 #ifndef FRONTEND
67 #define ALLOC(size) palloc(size)
68 #define FREE(ptr) pfree(ptr)
69 #else
70 #define ALLOC(size) malloc(size)
71 #define FREE(ptr) free(ptr)
72 #endif
73 
74 /*
75  * UNROLLED TRANSFORM LOOP NOTE:
76  * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
77  * loop version for the hash transform rounds (defined using macros
78  * later in this file). Either define on the command line, for example:
79  *
80  * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
81  *
82  * or define below:
83  *
84  * #define SHA2_UNROLL_TRANSFORM
85  *
86  */
87 
88 /*** SHA-256/384/512 Various Length Definitions ***********************/
89 #define PG_SHA256_SHORT_BLOCK_LENGTH (PG_SHA256_BLOCK_LENGTH - 8)
90 #define PG_SHA384_SHORT_BLOCK_LENGTH (PG_SHA384_BLOCK_LENGTH - 16)
91 #define PG_SHA512_SHORT_BLOCK_LENGTH (PG_SHA512_BLOCK_LENGTH - 16)
92 
93 /*** ENDIAN REVERSAL MACROS *******************************************/
94 #ifndef WORDS_BIGENDIAN
95 #define REVERSE32(w,x) { \
96  uint32 tmp = (w); \
97  tmp = (tmp >> 16) | (tmp << 16); \
98  (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
99 }
100 #define REVERSE64(w,x) { \
101  uint64 tmp = (w); \
102  tmp = (tmp >> 32) | (tmp << 32); \
103  tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
104  ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
105  (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
106  ((tmp & 0x0000ffff0000ffffULL) << 16); \
107 }
108 #endif /* not bigendian */
109 
110 /*
111  * Macro for incrementally adding the unsigned 64-bit integer n to the
112  * unsigned 128-bit integer (represented using a two-element array of
113  * 64-bit words):
114  */
115 #define ADDINC128(w,n) { \
116  (w)[0] += (uint64)(n); \
117  if ((w)[0] < (n)) { \
118  (w)[1]++; \
119  } \
120 }
121 
122 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
123 /*
124  * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
125  *
126  * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
127  * S is a ROTATION) because the SHA-256/384/512 description document
128  * (see http://www.iwar.org.uk/comsec/resources/cipher/sha256-384-512.pdf)
129  * uses this same "backwards" definition.
130  */
131 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
132 #define R(b,x) ((x) >> (b))
133 /* 32-bit Rotate-right (used in SHA-256): */
134 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
135 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
136 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
137 
138 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
139 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
140 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
141 
142 /* Four of six logical functions used in SHA-256: */
143 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
144 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
145 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
146 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
147 
148 /* Four of six logical functions used in SHA-384 and SHA-512: */
149 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
150 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
151 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
152 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
153 
154 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
155 /* NOTE: These should not be accessed directly from outside this
156  * library -- they are intended for private internal visibility/use
157  * only.
158  */
159 static void SHA512_Last(pg_sha512_ctx *context);
160 static void SHA256_Transform(pg_sha256_ctx *context, const uint8 *data);
161 static void SHA512_Transform(pg_sha512_ctx *context, const uint8 *data);
162 
163 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
164 /* Hash constant words K for SHA-256: */
165 static const uint32 K256[64] = {
166  0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
167  0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
168  0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
169  0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
170  0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
171  0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
172  0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
173  0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
174  0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
175  0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
176  0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
177  0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
178  0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
179  0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
180  0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
181  0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
182 };
183 
184 /* Initial hash value H for SHA-224: */
186  0xc1059ed8UL,
187  0x367cd507UL,
188  0x3070dd17UL,
189  0xf70e5939UL,
190  0xffc00b31UL,
191  0x68581511UL,
192  0x64f98fa7UL,
193  0xbefa4fa4UL
194 };
195 
196 /* Initial hash value H for SHA-256: */
198  0x6a09e667UL,
199  0xbb67ae85UL,
200  0x3c6ef372UL,
201  0xa54ff53aUL,
202  0x510e527fUL,
203  0x9b05688cUL,
204  0x1f83d9abUL,
205  0x5be0cd19UL
206 };
207 
208 /* Hash constant words K for SHA-384 and SHA-512: */
209 static const uint64 K512[80] = {
210  0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
211  0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
212  0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
213  0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
214  0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
215  0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
216  0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
217  0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
218  0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
219  0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
220  0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
221  0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
222  0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
223  0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
224  0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
225  0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
226  0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
227  0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
228  0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
229  0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
230  0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
231  0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
232  0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
233  0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
234  0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
235  0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
236  0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
237  0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
238  0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
239  0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
240  0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
241  0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
242  0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
243  0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
244  0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
245  0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
246  0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
247  0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
248  0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
249  0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
250 };
251 
252 /* Initial hash value H for SHA-384 */
253 static const uint64 sha384_initial_hash_value[8] = {
254  0xcbbb9d5dc1059ed8ULL,
255  0x629a292a367cd507ULL,
256  0x9159015a3070dd17ULL,
257  0x152fecd8f70e5939ULL,
258  0x67332667ffc00b31ULL,
259  0x8eb44a8768581511ULL,
260  0xdb0c2e0d64f98fa7ULL,
261  0x47b5481dbefa4fa4ULL
262 };
263 
264 /* Initial hash value H for SHA-512 */
265 static const uint64 sha512_initial_hash_value[8] = {
266  0x6a09e667f3bcc908ULL,
267  0xbb67ae8584caa73bULL,
268  0x3c6ef372fe94f82bULL,
269  0xa54ff53a5f1d36f1ULL,
270  0x510e527fade682d1ULL,
271  0x9b05688c2b3e6c1fULL,
272  0x1f83d9abfb41bd6bULL,
273  0x5be0cd19137e2179ULL
274 };
275 
276 
277 /*** SHA-256: *********************************************************/
278 void
280 {
281  if (context == NULL)
282  return;
284  memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH);
285  context->bitcount = 0;
286 }
287 
288 #ifdef SHA2_UNROLL_TRANSFORM
289 
290 /* Unrolled SHA-256 round macros: */
291 
292 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
293  W256[j] = (uint32)data[3] | ((uint32)data[2] << 8) | \
294  ((uint32)data[1] << 16) | ((uint32)data[0] << 24); \
295  data += 4; \
296  T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
297  (d) += T1; \
298  (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
299  j++; \
300 } while(0)
301 
302 #define ROUND256(a,b,c,d,e,f,g,h) do { \
303  s0 = W256[(j+1)&0x0f]; \
304  s0 = sigma0_256(s0); \
305  s1 = W256[(j+14)&0x0f]; \
306  s1 = sigma1_256(s1); \
307  T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
308  (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
309  (d) += T1; \
310  (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
311  j++; \
312 } while(0)
313 
314 static void
315 SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
316 {
317  uint32 a,
318  b,
319  c,
320  d,
321  e,
322  f,
323  g,
324  h,
325  s0,
326  s1;
327  uint32 T1,
328  *W256;
329  int j;
330 
331  W256 = (uint32 *) context->buffer;
332 
333  /* Initialize registers with the prev. intermediate value */
334  a = context->state[0];
335  b = context->state[1];
336  c = context->state[2];
337  d = context->state[3];
338  e = context->state[4];
339  f = context->state[5];
340  g = context->state[6];
341  h = context->state[7];
342 
343  j = 0;
344  do
345  {
346  /* Rounds 0 to 15 (unrolled): */
347  ROUND256_0_TO_15(a, b, c, d, e, f, g, h);
348  ROUND256_0_TO_15(h, a, b, c, d, e, f, g);
349  ROUND256_0_TO_15(g, h, a, b, c, d, e, f);
350  ROUND256_0_TO_15(f, g, h, a, b, c, d, e);
351  ROUND256_0_TO_15(e, f, g, h, a, b, c, d);
352  ROUND256_0_TO_15(d, e, f, g, h, a, b, c);
353  ROUND256_0_TO_15(c, d, e, f, g, h, a, b);
354  ROUND256_0_TO_15(b, c, d, e, f, g, h, a);
355  } while (j < 16);
356 
357  /* Now for the remaining rounds to 64: */
358  do
359  {
360  ROUND256(a, b, c, d, e, f, g, h);
361  ROUND256(h, a, b, c, d, e, f, g);
362  ROUND256(g, h, a, b, c, d, e, f);
363  ROUND256(f, g, h, a, b, c, d, e);
364  ROUND256(e, f, g, h, a, b, c, d);
365  ROUND256(d, e, f, g, h, a, b, c);
366  ROUND256(c, d, e, f, g, h, a, b);
367  ROUND256(b, c, d, e, f, g, h, a);
368  } while (j < 64);
369 
370  /* Compute the current intermediate hash value */
371  context->state[0] += a;
372  context->state[1] += b;
373  context->state[2] += c;
374  context->state[3] += d;
375  context->state[4] += e;
376  context->state[5] += f;
377  context->state[6] += g;
378  context->state[7] += h;
379 
380  /* Clean up */
381  a = b = c = d = e = f = g = h = T1 = 0;
382 }
383 #else /* SHA2_UNROLL_TRANSFORM */
384 
385 static void
387 {
388  uint32 a,
389  b,
390  c,
391  d,
392  e,
393  f,
394  g,
395  h,
396  s0,
397  s1;
398  uint32 T1,
399  T2,
400  *W256;
401  int j;
402 
403  W256 = (uint32 *) context->buffer;
404 
405  /* Initialize registers with the prev. intermediate value */
406  a = context->state[0];
407  b = context->state[1];
408  c = context->state[2];
409  d = context->state[3];
410  e = context->state[4];
411  f = context->state[5];
412  g = context->state[6];
413  h = context->state[7];
414 
415  j = 0;
416  do
417  {
418  W256[j] = (uint32) data[3] | ((uint32) data[2] << 8) |
419  ((uint32) data[1] << 16) | ((uint32) data[0] << 24);
420  data += 4;
421  /* Apply the SHA-256 compression function to update a..h */
422  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
423  T2 = Sigma0_256(a) + Maj(a, b, c);
424  h = g;
425  g = f;
426  f = e;
427  e = d + T1;
428  d = c;
429  c = b;
430  b = a;
431  a = T1 + T2;
432 
433  j++;
434  } while (j < 16);
435 
436  do
437  {
438  /* Part of the message block expansion: */
439  s0 = W256[(j + 1) & 0x0f];
440  s0 = sigma0_256(s0);
441  s1 = W256[(j + 14) & 0x0f];
442  s1 = sigma1_256(s1);
443 
444  /* Apply the SHA-256 compression function to update a..h */
445  T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
446  (W256[j & 0x0f] += s1 + W256[(j + 9) & 0x0f] + s0);
447  T2 = Sigma0_256(a) + Maj(a, b, c);
448  h = g;
449  g = f;
450  f = e;
451  e = d + T1;
452  d = c;
453  c = b;
454  b = a;
455  a = T1 + T2;
456 
457  j++;
458  } while (j < 64);
459 
460  /* Compute the current intermediate hash value */
461  context->state[0] += a;
462  context->state[1] += b;
463  context->state[2] += c;
464  context->state[3] += d;
465  context->state[4] += e;
466  context->state[5] += f;
467  context->state[6] += g;
468  context->state[7] += h;
469 
470  /* Clean up */
471  a = b = c = d = e = f = g = h = T1 = T2 = 0;
472 }
473 #endif /* SHA2_UNROLL_TRANSFORM */
474 
475 void
476 pg_sha256_update(pg_sha256_ctx *context, const uint8 *data, size_t len)
477 {
478  size_t freespace,
479  usedspace;
480 
481  /* Calling with no data is valid (we do nothing) */
482  if (len == 0)
483  return;
484 
485  usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH;
486  if (usedspace > 0)
487  {
488  /* Calculate how much free space is available in the buffer */
489  freespace = PG_SHA256_BLOCK_LENGTH - usedspace;
490 
491  if (len >= freespace)
492  {
493  /* Fill the buffer completely and process it */
494  memcpy(&context->buffer[usedspace], data, freespace);
495  context->bitcount += freespace << 3;
496  len -= freespace;
497  data += freespace;
498  SHA256_Transform(context, context->buffer);
499  }
500  else
501  {
502  /* The buffer is not yet full */
503  memcpy(&context->buffer[usedspace], data, len);
504  context->bitcount += len << 3;
505  /* Clean up: */
506  usedspace = freespace = 0;
507  return;
508  }
509  }
510  while (len >= PG_SHA256_BLOCK_LENGTH)
511  {
512  /* Process as many complete blocks as we can */
513  SHA256_Transform(context, data);
514  context->bitcount += PG_SHA256_BLOCK_LENGTH << 3;
517  }
518  if (len > 0)
519  {
520  /* There's left-overs, so save 'em */
521  memcpy(context->buffer, data, len);
522  context->bitcount += len << 3;
523  }
524  /* Clean up: */
525  usedspace = freespace = 0;
526 }
527 
528 static void
530 {
531  unsigned int usedspace;
532 
533  usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH;
534 #ifndef WORDS_BIGENDIAN
535  /* Convert FROM host byte order */
536  REVERSE64(context->bitcount, context->bitcount);
537 #endif
538  if (usedspace > 0)
539  {
540  /* Begin padding with a 1 bit: */
541  context->buffer[usedspace++] = 0x80;
542 
543  if (usedspace <= PG_SHA256_SHORT_BLOCK_LENGTH)
544  {
545  /* Set-up for the last transform: */
546  memset(&context->buffer[usedspace], 0, PG_SHA256_SHORT_BLOCK_LENGTH - usedspace);
547  }
548  else
549  {
550  if (usedspace < PG_SHA256_BLOCK_LENGTH)
551  {
552  memset(&context->buffer[usedspace], 0, PG_SHA256_BLOCK_LENGTH - usedspace);
553  }
554  /* Do second-to-last transform: */
555  SHA256_Transform(context, context->buffer);
556 
557  /* And set-up for the last transform: */
558  memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH);
559  }
560  }
561  else
562  {
563  /* Set-up for the last transform: */
564  memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH);
565 
566  /* Begin padding with a 1 bit: */
567  *context->buffer = 0x80;
568  }
569  /* Set the bit count: */
570  *(uint64 *) &context->buffer[PG_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
571 
572  /* Final transform: */
573  SHA256_Transform(context, context->buffer);
574 }
575 
576 void
578 {
579  /* If no digest buffer is passed, we don't bother doing this: */
580  if (digest != NULL)
581  {
582  SHA256_Last(context);
583 
584 #ifndef WORDS_BIGENDIAN
585  {
586  /* Convert TO host byte order */
587  int j;
588 
589  for (j = 0; j < 8; j++)
590  {
591  REVERSE32(context->state[j], context->state[j]);
592  }
593  }
594 #endif
595  memcpy(digest, context->state, PG_SHA256_DIGEST_LENGTH);
596  }
597 
598  /* Clean up state data: */
599  memset(context, 0, sizeof(pg_sha256_ctx));
600 }
601 
602 
603 /*** SHA-512: *********************************************************/
604 void
606 {
607  if (context == NULL)
608  return;
610  memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH);
611  context->bitcount[0] = context->bitcount[1] = 0;
612 }
613 
614 #ifdef SHA2_UNROLL_TRANSFORM
615 
616 /* Unrolled SHA-512 round macros: */
617 
618 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
619  W512[j] = (uint64)data[7] | ((uint64)data[6] << 8) | \
620  ((uint64)data[5] << 16) | ((uint64)data[4] << 24) | \
621  ((uint64)data[3] << 32) | ((uint64)data[2] << 40) | \
622  ((uint64)data[1] << 48) | ((uint64)data[0] << 56); \
623  data += 8; \
624  T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
625  (d) += T1; \
626  (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
627  j++; \
628 } while(0)
629 
630 
631 #define ROUND512(a,b,c,d,e,f,g,h) do { \
632  s0 = W512[(j+1)&0x0f]; \
633  s0 = sigma0_512(s0); \
634  s1 = W512[(j+14)&0x0f]; \
635  s1 = sigma1_512(s1); \
636  T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
637  (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
638  (d) += T1; \
639  (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
640  j++; \
641 } while(0)
642 
643 static void
644 SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
645 {
646  uint64 a,
647  b,
648  c,
649  d,
650  e,
651  f,
652  g,
653  h,
654  s0,
655  s1;
656  uint64 T1,
657  *W512 = (uint64 *) context->buffer;
658  int j;
659 
660  /* Initialize registers with the prev. intermediate value */
661  a = context->state[0];
662  b = context->state[1];
663  c = context->state[2];
664  d = context->state[3];
665  e = context->state[4];
666  f = context->state[5];
667  g = context->state[6];
668  h = context->state[7];
669 
670  j = 0;
671  do
672  {
673  ROUND512_0_TO_15(a, b, c, d, e, f, g, h);
674  ROUND512_0_TO_15(h, a, b, c, d, e, f, g);
675  ROUND512_0_TO_15(g, h, a, b, c, d, e, f);
676  ROUND512_0_TO_15(f, g, h, a, b, c, d, e);
677  ROUND512_0_TO_15(e, f, g, h, a, b, c, d);
678  ROUND512_0_TO_15(d, e, f, g, h, a, b, c);
679  ROUND512_0_TO_15(c, d, e, f, g, h, a, b);
680  ROUND512_0_TO_15(b, c, d, e, f, g, h, a);
681  } while (j < 16);
682 
683  /* Now for the remaining rounds up to 79: */
684  do
685  {
686  ROUND512(a, b, c, d, e, f, g, h);
687  ROUND512(h, a, b, c, d, e, f, g);
688  ROUND512(g, h, a, b, c, d, e, f);
689  ROUND512(f, g, h, a, b, c, d, e);
690  ROUND512(e, f, g, h, a, b, c, d);
691  ROUND512(d, e, f, g, h, a, b, c);
692  ROUND512(c, d, e, f, g, h, a, b);
693  ROUND512(b, c, d, e, f, g, h, a);
694  } while (j < 80);
695 
696  /* Compute the current intermediate hash value */
697  context->state[0] += a;
698  context->state[1] += b;
699  context->state[2] += c;
700  context->state[3] += d;
701  context->state[4] += e;
702  context->state[5] += f;
703  context->state[6] += g;
704  context->state[7] += h;
705 
706  /* Clean up */
707  a = b = c = d = e = f = g = h = T1 = 0;
708 }
709 #else /* SHA2_UNROLL_TRANSFORM */
710 
711 static void
713 {
714  uint64 a,
715  b,
716  c,
717  d,
718  e,
719  f,
720  g,
721  h,
722  s0,
723  s1;
724  uint64 T1,
725  T2,
726  *W512 = (uint64 *) context->buffer;
727  int j;
728 
729  /* Initialize registers with the prev. intermediate value */
730  a = context->state[0];
731  b = context->state[1];
732  c = context->state[2];
733  d = context->state[3];
734  e = context->state[4];
735  f = context->state[5];
736  g = context->state[6];
737  h = context->state[7];
738 
739  j = 0;
740  do
741  {
742  W512[j] = (uint64) data[7] | ((uint64) data[6] << 8) |
743  ((uint64) data[5] << 16) | ((uint64) data[4] << 24) |
744  ((uint64) data[3] << 32) | ((uint64) data[2] << 40) |
745  ((uint64) data[1] << 48) | ((uint64) data[0] << 56);
746  data += 8;
747  /* Apply the SHA-512 compression function to update a..h */
748  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
749  T2 = Sigma0_512(a) + Maj(a, b, c);
750  h = g;
751  g = f;
752  f = e;
753  e = d + T1;
754  d = c;
755  c = b;
756  b = a;
757  a = T1 + T2;
758 
759  j++;
760  } while (j < 16);
761 
762  do
763  {
764  /* Part of the message block expansion: */
765  s0 = W512[(j + 1) & 0x0f];
766  s0 = sigma0_512(s0);
767  s1 = W512[(j + 14) & 0x0f];
768  s1 = sigma1_512(s1);
769 
770  /* Apply the SHA-512 compression function to update a..h */
771  T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
772  (W512[j & 0x0f] += s1 + W512[(j + 9) & 0x0f] + s0);
773  T2 = Sigma0_512(a) + Maj(a, b, c);
774  h = g;
775  g = f;
776  f = e;
777  e = d + T1;
778  d = c;
779  c = b;
780  b = a;
781  a = T1 + T2;
782 
783  j++;
784  } while (j < 80);
785 
786  /* Compute the current intermediate hash value */
787  context->state[0] += a;
788  context->state[1] += b;
789  context->state[2] += c;
790  context->state[3] += d;
791  context->state[4] += e;
792  context->state[5] += f;
793  context->state[6] += g;
794  context->state[7] += h;
795 
796  /* Clean up */
797  a = b = c = d = e = f = g = h = T1 = T2 = 0;
798 }
799 #endif /* SHA2_UNROLL_TRANSFORM */
800 
801 void
802 pg_sha512_update(pg_sha512_ctx *context, const uint8 *data, size_t len)
803 {
804  size_t freespace,
805  usedspace;
806 
807  /* Calling with no data is valid (we do nothing) */
808  if (len == 0)
809  return;
810 
811  usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH;
812  if (usedspace > 0)
813  {
814  /* Calculate how much free space is available in the buffer */
815  freespace = PG_SHA512_BLOCK_LENGTH - usedspace;
816 
817  if (len >= freespace)
818  {
819  /* Fill the buffer completely and process it */
820  memcpy(&context->buffer[usedspace], data, freespace);
821  ADDINC128(context->bitcount, freespace << 3);
822  len -= freespace;
823  data += freespace;
824  SHA512_Transform(context, context->buffer);
825  }
826  else
827  {
828  /* The buffer is not yet full */
829  memcpy(&context->buffer[usedspace], data, len);
830  ADDINC128(context->bitcount, len << 3);
831  /* Clean up: */
832  usedspace = freespace = 0;
833  return;
834  }
835  }
836  while (len >= PG_SHA512_BLOCK_LENGTH)
837  {
838  /* Process as many complete blocks as we can */
839  SHA512_Transform(context, data);
840  ADDINC128(context->bitcount, PG_SHA512_BLOCK_LENGTH << 3);
843  }
844  if (len > 0)
845  {
846  /* There's left-overs, so save 'em */
847  memcpy(context->buffer, data, len);
848  ADDINC128(context->bitcount, len << 3);
849  }
850  /* Clean up: */
851  usedspace = freespace = 0;
852 }
853 
854 static void
856 {
857  unsigned int usedspace;
858 
859  usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH;
860 #ifndef WORDS_BIGENDIAN
861  /* Convert FROM host byte order */
862  REVERSE64(context->bitcount[0], context->bitcount[0]);
863  REVERSE64(context->bitcount[1], context->bitcount[1]);
864 #endif
865  if (usedspace > 0)
866  {
867  /* Begin padding with a 1 bit: */
868  context->buffer[usedspace++] = 0x80;
869 
870  if (usedspace <= PG_SHA512_SHORT_BLOCK_LENGTH)
871  {
872  /* Set-up for the last transform: */
873  memset(&context->buffer[usedspace], 0, PG_SHA512_SHORT_BLOCK_LENGTH - usedspace);
874  }
875  else
876  {
877  if (usedspace < PG_SHA512_BLOCK_LENGTH)
878  {
879  memset(&context->buffer[usedspace], 0, PG_SHA512_BLOCK_LENGTH - usedspace);
880  }
881  /* Do second-to-last transform: */
882  SHA512_Transform(context, context->buffer);
883 
884  /* And set-up for the last transform: */
885  memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH - 2);
886  }
887  }
888  else
889  {
890  /* Prepare for final transform: */
891  memset(context->buffer, 0, PG_SHA512_SHORT_BLOCK_LENGTH);
892 
893  /* Begin padding with a 1 bit: */
894  *context->buffer = 0x80;
895  }
896  /* Store the length of input data (in bits): */
897  *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
898  *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH + 8] = context->bitcount[0];
899 
900  /* Final transform: */
901  SHA512_Transform(context, context->buffer);
902 }
903 
904 void
906 {
907  /* If no digest buffer is passed, we don't bother doing this: */
908  if (digest != NULL)
909  {
910  SHA512_Last(context);
911 
912  /* Save the hash data for output: */
913 #ifndef WORDS_BIGENDIAN
914  {
915  /* Convert TO host byte order */
916  int j;
917 
918  for (j = 0; j < 8; j++)
919  {
920  REVERSE64(context->state[j], context->state[j]);
921  }
922  }
923 #endif
924  memcpy(digest, context->state, PG_SHA512_DIGEST_LENGTH);
925  }
926 
927  /* Zero out state data */
928  memset(context, 0, sizeof(pg_sha512_ctx));
929 }
930 
931 
932 /*** SHA-384: *********************************************************/
933 void
935 {
936  if (context == NULL)
937  return;
939  memset(context->buffer, 0, PG_SHA384_BLOCK_LENGTH);
940  context->bitcount[0] = context->bitcount[1] = 0;
941 }
942 
943 void
944 pg_sha384_update(pg_sha384_ctx *context, const uint8 *data, size_t len)
945 {
946  pg_sha512_update((pg_sha512_ctx *) context, data, len);
947 }
948 
949 void
951 {
952  /* If no digest buffer is passed, we don't bother doing this: */
953  if (digest != NULL)
954  {
955  SHA512_Last((pg_sha512_ctx *) context);
956 
957  /* Save the hash data for output: */
958 #ifndef WORDS_BIGENDIAN
959  {
960  /* Convert TO host byte order */
961  int j;
962 
963  for (j = 0; j < 6; j++)
964  {
965  REVERSE64(context->state[j], context->state[j]);
966  }
967  }
968 #endif
969  memcpy(digest, context->state, PG_SHA384_DIGEST_LENGTH);
970  }
971 
972  /* Zero out state data */
973  memset(context, 0, sizeof(pg_sha384_ctx));
974 }
975 
976 /*** SHA-224: *********************************************************/
977 void
979 {
980  if (context == NULL)
981  return;
983  memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH);
984  context->bitcount = 0;
985 }
986 
987 void
988 pg_sha224_update(pg_sha224_ctx *context, const uint8 *data, size_t len)
989 {
990  pg_sha256_update((pg_sha256_ctx *) context, data, len);
991 }
992 
993 void
995 {
996  /* If no digest buffer is passed, we don't bother doing this: */
997  if (digest != NULL)
998  {
999  SHA256_Last(context);
1000 
1001 #ifndef WORDS_BIGENDIAN
1002  {
1003  /* Convert TO host byte order */
1004  int j;
1005 
1006  for (j = 0; j < 8; j++)
1007  {
1008  REVERSE32(context->state[j], context->state[j]);
1009  }
1010  }
1011 #endif
1012  memcpy(digest, context->state, PG_SHA224_DIGEST_LENGTH);
1013  }
1014 
1015  /* Clean up state data: */
1016  memset(context, 0, sizeof(pg_sha224_ctx));
1017 }
unsigned int uint32
Definition: c.h:441
unsigned char uint8
Definition: c.h:439
int b
Definition: isn.c:70
int a
Definition: isn.c:69
int j
Definition: isn.c:74
const void size_t len
const void * data
char * c
e
Definition: preproc-init.c:82
char * s1
void pg_sha512_final(pg_sha512_ctx *context, uint8 *digest)
Definition: sha2.c:905
#define Sigma0_512(x)
Definition: sha2.c:149
static const uint32 sha224_initial_hash_value[8]
Definition: sha2.c:185
static const uint32 sha256_initial_hash_value[8]
Definition: sha2.c:197
static const uint64 sha384_initial_hash_value[8]
Definition: sha2.c:253
void pg_sha384_init(pg_sha384_ctx *context)
Definition: sha2.c:934
#define Sigma0_256(x)
Definition: sha2.c:143
#define PG_SHA512_SHORT_BLOCK_LENGTH
Definition: sha2.c:91
void pg_sha256_init(pg_sha256_ctx *context)
Definition: sha2.c:279
static const uint64 K512[80]
Definition: sha2.c:209
static const uint32 K256[64]
Definition: sha2.c:165
#define ADDINC128(w, n)
Definition: sha2.c:115
#define Maj(x, y, z)
Definition: sha2.c:140
#define sigma0_512(x)
Definition: sha2.c:151
void pg_sha512_update(pg_sha512_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:802
void pg_sha224_update(pg_sha224_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:988
#define REVERSE64(w, x)
Definition: sha2.c:100
void pg_sha512_init(pg_sha512_ctx *context)
Definition: sha2.c:605
#define Sigma1_512(x)
Definition: sha2.c:150
#define sigma1_256(x)
Definition: sha2.c:146
#define REVERSE32(w, x)
Definition: sha2.c:95
static void SHA512_Last(pg_sha512_ctx *context)
Definition: sha2.c:855
void pg_sha224_init(pg_sha224_ctx *context)
Definition: sha2.c:978
void pg_sha256_final(pg_sha256_ctx *context, uint8 *digest)
Definition: sha2.c:577
static void SHA256_Last(pg_sha256_ctx *context)
Definition: sha2.c:529
void pg_sha224_final(pg_sha224_ctx *context, uint8 *digest)
Definition: sha2.c:994
#define Sigma1_256(x)
Definition: sha2.c:144
void pg_sha384_final(pg_sha384_ctx *context, uint8 *digest)
Definition: sha2.c:950
#define Ch(x, y, z)
Definition: sha2.c:139
void pg_sha384_update(pg_sha384_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:944
#define sigma1_512(x)
Definition: sha2.c:152
static const uint64 sha512_initial_hash_value[8]
Definition: sha2.c:265
void pg_sha256_update(pg_sha256_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:476
static void SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
Definition: sha2.c:712
static void SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
Definition: sha2.c:386
#define PG_SHA256_SHORT_BLOCK_LENGTH
Definition: sha2.c:89
#define sigma0_256(x)
Definition: sha2.c:145
#define PG_SHA256_DIGEST_LENGTH
Definition: sha2.h:23
#define PG_SHA384_BLOCK_LENGTH
Definition: sha2.h:25
#define PG_SHA384_DIGEST_LENGTH
Definition: sha2.h:26
#define PG_SHA512_DIGEST_LENGTH
Definition: sha2.h:29
#define PG_SHA256_BLOCK_LENGTH
Definition: sha2.h:22
#define PG_SHA512_BLOCK_LENGTH
Definition: sha2.h:28
#define PG_SHA224_DIGEST_LENGTH
Definition: sha2.h:20
uint8 buffer[PG_SHA256_BLOCK_LENGTH]
Definition: sha2_int.h:59
uint32 state[8]
Definition: sha2_int.h:57
uint64 bitcount
Definition: sha2_int.h:58
uint64 state[8]
Definition: sha2_int.h:63
uint8 buffer[PG_SHA512_BLOCK_LENGTH]
Definition: sha2_int.h:65
uint64 bitcount[2]
Definition: sha2_int.h:64