PostgreSQL Source Code git master
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
sha2.c
Go to the documentation of this file.
1/*-------------------------------------------------------------------------
2 *
3 * sha2.c
4 * SHA functions for SHA-224, SHA-256, SHA-384 and SHA-512.
5 *
6 * This includes the fallback implementation for SHA2 cryptographic
7 * hashes.
8 *
9 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
10 * Portions Copyright (c) 1994, Regents of the University of California
11 *
12 * IDENTIFICATION
13 * src/common/sha2.c
14 *
15 *-------------------------------------------------------------------------
16 */
17
18/* $OpenBSD: sha2.c,v 1.6 2004/05/03 02:57:36 millert Exp $ */
19/*
20 * FILE: sha2.c
21 * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
22 *
23 * Copyright (c) 2000-2001, Aaron D. Gifford
24 * All rights reserved.
25 *
26 * Redistribution and use in source and binary forms, with or without
27 * modification, are permitted provided that the following conditions
28 * are met:
29 * 1. Redistributions of source code must retain the above copyright
30 * notice, this list of conditions and the following disclaimer.
31 * 2. Redistributions in binary form must reproduce the above copyright
32 * notice, this list of conditions and the following disclaimer in the
33 * documentation and/or other materials provided with the distribution.
34 * 3. Neither the name of the copyright holder nor the names of contributors
35 * may be used to endorse or promote products derived from this software
36 * without specific prior written permission.
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
39 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
41 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
42 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
43 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
44 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
46 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
47 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
48 * SUCH DAMAGE.
49 *
50 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
51 */
52
53
54#ifndef FRONTEND
55#include "postgres.h"
56#else
57#include "postgres_fe.h"
58#endif
59
60#include "sha2_int.h"
61
62/*
63 * In backend, use palloc/pfree to ease the error handling. In frontend,
64 * use malloc to be able to return a failure status back to the caller.
65 */
66#ifndef FRONTEND
67#define ALLOC(size) palloc(size)
68#define FREE(ptr) pfree(ptr)
69#else
70#define ALLOC(size) malloc(size)
71#define FREE(ptr) free(ptr)
72#endif
73
74/*
75 * UNROLLED TRANSFORM LOOP NOTE:
76 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
77 * loop version for the hash transform rounds (defined using macros
78 * later in this file). Either define on the command line, for example:
79 *
80 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
81 *
82 * or define below:
83 *
84 * #define SHA2_UNROLL_TRANSFORM
85 *
86 */
87
88/*** SHA-256/384/512 Various Length Definitions ***********************/
89#define PG_SHA256_SHORT_BLOCK_LENGTH (PG_SHA256_BLOCK_LENGTH - 8)
90#define PG_SHA384_SHORT_BLOCK_LENGTH (PG_SHA384_BLOCK_LENGTH - 16)
91#define PG_SHA512_SHORT_BLOCK_LENGTH (PG_SHA512_BLOCK_LENGTH - 16)
92
93/*** ENDIAN REVERSAL MACROS *******************************************/
94#ifndef WORDS_BIGENDIAN
95#define REVERSE32(w,x) { \
96 uint32 tmp = (w); \
97 tmp = (tmp >> 16) | (tmp << 16); \
98 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
99}
100#define REVERSE64(w,x) { \
101 uint64 tmp = (w); \
102 tmp = (tmp >> 32) | (tmp << 32); \
103 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
104 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
105 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
106 ((tmp & 0x0000ffff0000ffffULL) << 16); \
107}
108#endif /* not bigendian */
109
110/*
111 * Macro for incrementally adding the unsigned 64-bit integer n to the
112 * unsigned 128-bit integer (represented using a two-element array of
113 * 64-bit words):
114 */
115#define ADDINC128(w,n) { \
116 (w)[0] += (uint64)(n); \
117 if ((w)[0] < (n)) { \
118 (w)[1]++; \
119 } \
120}
121
122/*** THE SIX LOGICAL FUNCTIONS ****************************************/
123/*
124 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
125 *
126 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
127 * S is a ROTATION) because the SHA-256/384/512 description document
128 * (see http://www.iwar.org.uk/comsec/resources/cipher/sha256-384-512.pdf)
129 * uses this same "backwards" definition.
130 */
131/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
132#define R(b,x) ((x) >> (b))
133/* 32-bit Rotate-right (used in SHA-256): */
134#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
135/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
136#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
137
138/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
139#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
140#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
141
142/* Four of six logical functions used in SHA-256: */
143#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
144#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
145#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
146#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
147
148/* Four of six logical functions used in SHA-384 and SHA-512: */
149#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
150#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
151#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
152#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
153
154/*** INTERNAL FUNCTION PROTOTYPES *************************************/
155/* NOTE: These should not be accessed directly from outside this
156 * library -- they are intended for private internal visibility/use
157 * only.
158 */
159static void SHA512_Last(pg_sha512_ctx *context);
160static void SHA256_Transform(pg_sha256_ctx *context, const uint8 *data);
161static void SHA512_Transform(pg_sha512_ctx *context, const uint8 *data);
162
163/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
164/* Hash constant words K for SHA-256: */
165static const uint32 K256[64] = {
166 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
167 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
168 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
169 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
170 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
171 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
172 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
173 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
174 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
175 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
176 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
177 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
178 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
179 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
180 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
181 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
182};
183
184/* Initial hash value H for SHA-224: */
185static const uint32 sha224_initial_hash_value[8] = {
186 0xc1059ed8UL,
187 0x367cd507UL,
188 0x3070dd17UL,
189 0xf70e5939UL,
190 0xffc00b31UL,
191 0x68581511UL,
192 0x64f98fa7UL,
193 0xbefa4fa4UL
194};
195
196/* Initial hash value H for SHA-256: */
197static const uint32 sha256_initial_hash_value[8] = {
198 0x6a09e667UL,
199 0xbb67ae85UL,
200 0x3c6ef372UL,
201 0xa54ff53aUL,
202 0x510e527fUL,
203 0x9b05688cUL,
204 0x1f83d9abUL,
205 0x5be0cd19UL
206};
207
208/* Hash constant words K for SHA-384 and SHA-512: */
209static const uint64 K512[80] = {
210 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
211 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
212 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
213 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
214 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
215 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
216 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
217 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
218 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
219 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
220 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
221 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
222 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
223 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
224 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
225 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
226 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
227 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
228 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
229 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
230 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
231 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
232 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
233 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
234 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
235 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
236 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
237 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
238 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
239 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
240 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
241 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
242 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
243 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
244 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
245 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
246 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
247 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
248 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
249 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
250};
251
252/* Initial hash value H for SHA-384 */
253static const uint64 sha384_initial_hash_value[8] = {
254 0xcbbb9d5dc1059ed8ULL,
255 0x629a292a367cd507ULL,
256 0x9159015a3070dd17ULL,
257 0x152fecd8f70e5939ULL,
258 0x67332667ffc00b31ULL,
259 0x8eb44a8768581511ULL,
260 0xdb0c2e0d64f98fa7ULL,
261 0x47b5481dbefa4fa4ULL
262};
263
264/* Initial hash value H for SHA-512 */
265static const uint64 sha512_initial_hash_value[8] = {
266 0x6a09e667f3bcc908ULL,
267 0xbb67ae8584caa73bULL,
268 0x3c6ef372fe94f82bULL,
269 0xa54ff53a5f1d36f1ULL,
270 0x510e527fade682d1ULL,
271 0x9b05688c2b3e6c1fULL,
272 0x1f83d9abfb41bd6bULL,
273 0x5be0cd19137e2179ULL
274};
275
276
277/*** SHA-256: *********************************************************/
278void
279pg_sha256_init(pg_sha256_ctx *context)
280{
281 if (context == NULL)
282 return;
283 memcpy(context->state, sha256_initial_hash_value, PG_SHA256_DIGEST_LENGTH);
284 memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH);
285 context->bitcount = 0;
286}
287
288#ifdef SHA2_UNROLL_TRANSFORM
289
290/* Unrolled SHA-256 round macros: */
291
292#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
293 W256[j] = (uint32)data[3] | ((uint32)data[2] << 8) | \
294 ((uint32)data[1] << 16) | ((uint32)data[0] << 24); \
295 data += 4; \
296 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
297 (d) += T1; \
298 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
299 j++; \
300} while(0)
301
302#define ROUND256(a,b,c,d,e,f,g,h) do { \
303 s0 = W256[(j+1)&0x0f]; \
304 s0 = sigma0_256(s0); \
305 s1 = W256[(j+14)&0x0f]; \
306 s1 = sigma1_256(s1); \
307 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
308 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
309 (d) += T1; \
310 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
311 j++; \
312} while(0)
313
314static void
315SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
316{
317 uint32 a,
318 b,
319 c,
320 d,
321 e,
322 f,
323 g,
324 h,
325 s0,
326 s1;
327 uint32 T1,
328 *W256;
329 int j;
330
331 W256 = (uint32 *) context->buffer;
332
333 /* Initialize registers with the prev. intermediate value */
334 a = context->state[0];
335 b = context->state[1];
336 c = context->state[2];
337 d = context->state[3];
338 e = context->state[4];
339 f = context->state[5];
340 g = context->state[6];
341 h = context->state[7];
342
343 j = 0;
344 do
345 {
346 /* Rounds 0 to 15 (unrolled): */
347 ROUND256_0_TO_15(a, b, c, d, e, f, g, h);
348 ROUND256_0_TO_15(h, a, b, c, d, e, f, g);
349 ROUND256_0_TO_15(g, h, a, b, c, d, e, f);
350 ROUND256_0_TO_15(f, g, h, a, b, c, d, e);
351 ROUND256_0_TO_15(e, f, g, h, a, b, c, d);
352 ROUND256_0_TO_15(d, e, f, g, h, a, b, c);
353 ROUND256_0_TO_15(c, d, e, f, g, h, a, b);
354 ROUND256_0_TO_15(b, c, d, e, f, g, h, a);
355 } while (j < 16);
356
357 /* Now for the remaining rounds to 64: */
358 do
359 {
360 ROUND256(a, b, c, d, e, f, g, h);
361 ROUND256(h, a, b, c, d, e, f, g);
362 ROUND256(g, h, a, b, c, d, e, f);
363 ROUND256(f, g, h, a, b, c, d, e);
364 ROUND256(e, f, g, h, a, b, c, d);
365 ROUND256(d, e, f, g, h, a, b, c);
366 ROUND256(c, d, e, f, g, h, a, b);
367 ROUND256(b, c, d, e, f, g, h, a);
368 } while (j < 64);
369
370 /* Compute the current intermediate hash value */
371 context->state[0] += a;
372 context->state[1] += b;
373 context->state[2] += c;
374 context->state[3] += d;
375 context->state[4] += e;
376 context->state[5] += f;
377 context->state[6] += g;
378 context->state[7] += h;
379
380 /* Clean up */
381 a = b = c = d = e = f = g = h = T1 = 0;
382}
383#else /* SHA2_UNROLL_TRANSFORM */
384
385static void
386SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
387{
388 uint32 a,
389 b,
390 c,
391 d,
392 e,
393 f,
394 g,
395 h,
396 s0,
397 s1;
398 uint32 T1,
399 T2,
400 *W256;
401 int j;
402
403 W256 = (uint32 *) context->buffer;
404
405 /* Initialize registers with the prev. intermediate value */
406 a = context->state[0];
407 b = context->state[1];
408 c = context->state[2];
409 d = context->state[3];
410 e = context->state[4];
411 f = context->state[5];
412 g = context->state[6];
413 h = context->state[7];
414
415 j = 0;
416 do
417 {
418 W256[j] = (uint32) data[3] | ((uint32) data[2] << 8) |
419 ((uint32) data[1] << 16) | ((uint32) data[0] << 24);
420 data += 4;
421 /* Apply the SHA-256 compression function to update a..h */
422 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
423 T2 = Sigma0_256(a) + Maj(a, b, c);
424 h = g;
425 g = f;
426 f = e;
427 e = d + T1;
428 d = c;
429 c = b;
430 b = a;
431 a = T1 + T2;
432
433 j++;
434 } while (j < 16);
435
436 do
437 {
438 /* Part of the message block expansion: */
439 s0 = W256[(j + 1) & 0x0f];
440 s0 = sigma0_256(s0);
441 s1 = W256[(j + 14) & 0x0f];
442 s1 = sigma1_256(s1);
443
444 /* Apply the SHA-256 compression function to update a..h */
445 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
446 (W256[j & 0x0f] += s1 + W256[(j + 9) & 0x0f] + s0);
447 T2 = Sigma0_256(a) + Maj(a, b, c);
448 h = g;
449 g = f;
450 f = e;
451 e = d + T1;
452 d = c;
453 c = b;
454 b = a;
455 a = T1 + T2;
456
457 j++;
458 } while (j < 64);
459
460 /* Compute the current intermediate hash value */
461 context->state[0] += a;
462 context->state[1] += b;
463 context->state[2] += c;
464 context->state[3] += d;
465 context->state[4] += e;
466 context->state[5] += f;
467 context->state[6] += g;
468 context->state[7] += h;
469
470 /* Clean up */
471 a = b = c = d = e = f = g = h = T1 = T2 = 0;
472}
473#endif /* SHA2_UNROLL_TRANSFORM */
474
475void
476pg_sha256_update(pg_sha256_ctx *context, const uint8 *data, size_t len)
477{
478 size_t freespace,
479 usedspace;
480
481 /* Calling with no data is valid (we do nothing) */
482 if (len == 0)
483 return;
484
485 usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH;
486 if (usedspace > 0)
487 {
488 /* Calculate how much free space is available in the buffer */
489 freespace = PG_SHA256_BLOCK_LENGTH - usedspace;
490
491 if (len >= freespace)
492 {
493 /* Fill the buffer completely and process it */
494 memcpy(&context->buffer[usedspace], data, freespace);
495 context->bitcount += freespace << 3;
496 len -= freespace;
497 data += freespace;
498 SHA256_Transform(context, context->buffer);
499 }
500 else
501 {
502 /* The buffer is not yet full */
503 memcpy(&context->buffer[usedspace], data, len);
504 context->bitcount += len << 3;
505 /* Clean up: */
506 usedspace = freespace = 0;
507 return;
508 }
509 }
510 while (len >= PG_SHA256_BLOCK_LENGTH)
511 {
512 /* Process as many complete blocks as we can */
513 SHA256_Transform(context, data);
514 context->bitcount += PG_SHA256_BLOCK_LENGTH << 3;
515 len -= PG_SHA256_BLOCK_LENGTH;
516 data += PG_SHA256_BLOCK_LENGTH;
517 }
518 if (len > 0)
519 {
520 /* There's left-overs, so save 'em */
521 memcpy(context->buffer, data, len);
522 context->bitcount += len << 3;
523 }
524 /* Clean up: */
525 usedspace = freespace = 0;
526}
527
528static void
529SHA256_Last(pg_sha256_ctx *context)
530{
531 unsigned int usedspace;
532
533 usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH;
534#ifndef WORDS_BIGENDIAN
535 /* Convert FROM host byte order */
536 REVERSE64(context->bitcount, context->bitcount);
537#endif
538 if (usedspace > 0)
539 {
540 /* Begin padding with a 1 bit: */
541 context->buffer[usedspace++] = 0x80;
542
543 if (usedspace <= PG_SHA256_SHORT_BLOCK_LENGTH)
544 {
545 /* Set-up for the last transform: */
546 memset(&context->buffer[usedspace], 0, PG_SHA256_SHORT_BLOCK_LENGTH - usedspace);
547 }
548 else
549 {
550 if (usedspace < PG_SHA256_BLOCK_LENGTH)
551 {
552 memset(&context->buffer[usedspace], 0, PG_SHA256_BLOCK_LENGTH - usedspace);
553 }
554 /* Do second-to-last transform: */
555 SHA256_Transform(context, context->buffer);
556
557 /* And set-up for the last transform: */
558 memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH);
559 }
560 }
561 else
562 {
563 /* Set-up for the last transform: */
564 memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH);
565
566 /* Begin padding with a 1 bit: */
567 *context->buffer = 0x80;
568 }
569 /* Set the bit count: */
570 *(uint64 *) &context->buffer[PG_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
571
572 /* Final transform: */
573 SHA256_Transform(context, context->buffer);
574}
575
576void
577pg_sha256_final(pg_sha256_ctx *context, uint8 *digest)
578{
579 /* If no digest buffer is passed, we don't bother doing this: */
580 if (digest != NULL)
581 {
582 SHA256_Last(context);
583
584#ifndef WORDS_BIGENDIAN
585 {
586 /* Convert TO host byte order */
587 int j;
588
589 for (j = 0; j < 8; j++)
590 {
591 REVERSE32(context->state[j], context->state[j]);
592 }
593 }
594#endif
595 memcpy(digest, context->state, PG_SHA256_DIGEST_LENGTH);
596 }
597
598 /* Clean up state data: */
599 memset(context, 0, sizeof(pg_sha256_ctx));
600}
601
602
603/*** SHA-512: *********************************************************/
604void
605pg_sha512_init(pg_sha512_ctx *context)
606{
607 if (context == NULL)
608 return;
609 memcpy(context->state, sha512_initial_hash_value, PG_SHA512_DIGEST_LENGTH);
610 memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH);
611 context->bitcount[0] = context->bitcount[1] = 0;
612}
613
614#ifdef SHA2_UNROLL_TRANSFORM
615
616/* Unrolled SHA-512 round macros: */
617
618#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
619 W512[j] = (uint64)data[7] | ((uint64)data[6] << 8) | \
620 ((uint64)data[5] << 16) | ((uint64)data[4] << 24) | \
621 ((uint64)data[3] << 32) | ((uint64)data[2] << 40) | \
622 ((uint64)data[1] << 48) | ((uint64)data[0] << 56); \
623 data += 8; \
624 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
625 (d) += T1; \
626 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
627 j++; \
628} while(0)
629
630
631#define ROUND512(a,b,c,d,e,f,g,h) do { \
632 s0 = W512[(j+1)&0x0f]; \
633 s0 = sigma0_512(s0); \
634 s1 = W512[(j+14)&0x0f]; \
635 s1 = sigma1_512(s1); \
636 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
637 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
638 (d) += T1; \
639 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
640 j++; \
641} while(0)
642
643static void
644SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
645{
646 uint64 a,
647 b,
648 c,
649 d,
650 e,
651 f,
652 g,
653 h,
654 s0,
655 s1;
656 uint64 T1,
657 *W512 = (uint64 *) context->buffer;
658 int j;
659
660 /* Initialize registers with the prev. intermediate value */
661 a = context->state[0];
662 b = context->state[1];
663 c = context->state[2];
664 d = context->state[3];
665 e = context->state[4];
666 f = context->state[5];
667 g = context->state[6];
668 h = context->state[7];
669
670 j = 0;
671 do
672 {
673 ROUND512_0_TO_15(a, b, c, d, e, f, g, h);
674 ROUND512_0_TO_15(h, a, b, c, d, e, f, g);
675 ROUND512_0_TO_15(g, h, a, b, c, d, e, f);
676 ROUND512_0_TO_15(f, g, h, a, b, c, d, e);
677 ROUND512_0_TO_15(e, f, g, h, a, b, c, d);
678 ROUND512_0_TO_15(d, e, f, g, h, a, b, c);
679 ROUND512_0_TO_15(c, d, e, f, g, h, a, b);
680 ROUND512_0_TO_15(b, c, d, e, f, g, h, a);
681 } while (j < 16);
682
683 /* Now for the remaining rounds up to 79: */
684 do
685 {
686 ROUND512(a, b, c, d, e, f, g, h);
687 ROUND512(h, a, b, c, d, e, f, g);
688 ROUND512(g, h, a, b, c, d, e, f);
689 ROUND512(f, g, h, a, b, c, d, e);
690 ROUND512(e, f, g, h, a, b, c, d);
691 ROUND512(d, e, f, g, h, a, b, c);
692 ROUND512(c, d, e, f, g, h, a, b);
693 ROUND512(b, c, d, e, f, g, h, a);
694 } while (j < 80);
695
696 /* Compute the current intermediate hash value */
697 context->state[0] += a;
698 context->state[1] += b;
699 context->state[2] += c;
700 context->state[3] += d;
701 context->state[4] += e;
702 context->state[5] += f;
703 context->state[6] += g;
704 context->state[7] += h;
705
706 /* Clean up */
707 a = b = c = d = e = f = g = h = T1 = 0;
708}
709#else /* SHA2_UNROLL_TRANSFORM */
710
711static void
712SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
713{
714 uint64 a,
715 b,
716 c,
717 d,
718 e,
719 f,
720 g,
721 h,
722 s0,
723 s1;
724 uint64 T1,
725 T2,
726 *W512 = (uint64 *) context->buffer;
727 int j;
728
729 /* Initialize registers with the prev. intermediate value */
730 a = context->state[0];
731 b = context->state[1];
732 c = context->state[2];
733 d = context->state[3];
734 e = context->state[4];
735 f = context->state[5];
736 g = context->state[6];
737 h = context->state[7];
738
739 j = 0;
740 do
741 {
742 W512[j] = (uint64) data[7] | ((uint64) data[6] << 8) |
743 ((uint64) data[5] << 16) | ((uint64) data[4] << 24) |
744 ((uint64) data[3] << 32) | ((uint64) data[2] << 40) |
745 ((uint64) data[1] << 48) | ((uint64) data[0] << 56);
746 data += 8;
747 /* Apply the SHA-512 compression function to update a..h */
748 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
749 T2 = Sigma0_512(a) + Maj(a, b, c);
750 h = g;
751 g = f;
752 f = e;
753 e = d + T1;
754 d = c;
755 c = b;
756 b = a;
757 a = T1 + T2;
758
759 j++;
760 } while (j < 16);
761
762 do
763 {
764 /* Part of the message block expansion: */
765 s0 = W512[(j + 1) & 0x0f];
766 s0 = sigma0_512(s0);
767 s1 = W512[(j + 14) & 0x0f];
768 s1 = sigma1_512(s1);
769
770 /* Apply the SHA-512 compression function to update a..h */
771 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
772 (W512[j & 0x0f] += s1 + W512[(j + 9) & 0x0f] + s0);
773 T2 = Sigma0_512(a) + Maj(a, b, c);
774 h = g;
775 g = f;
776 f = e;
777 e = d + T1;
778 d = c;
779 c = b;
780 b = a;
781 a = T1 + T2;
782
783 j++;
784 } while (j < 80);
785
786 /* Compute the current intermediate hash value */
787 context->state[0] += a;
788 context->state[1] += b;
789 context->state[2] += c;
790 context->state[3] += d;
791 context->state[4] += e;
792 context->state[5] += f;
793 context->state[6] += g;
794 context->state[7] += h;
795
796 /* Clean up */
797 a = b = c = d = e = f = g = h = T1 = T2 = 0;
798}
799#endif /* SHA2_UNROLL_TRANSFORM */
800
801void
802pg_sha512_update(pg_sha512_ctx *context, const uint8 *data, size_t len)
803{
804 size_t freespace,
805 usedspace;
806
807 /* Calling with no data is valid (we do nothing) */
808 if (len == 0)
809 return;
810
811 usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH;
812 if (usedspace > 0)
813 {
814 /* Calculate how much free space is available in the buffer */
815 freespace = PG_SHA512_BLOCK_LENGTH - usedspace;
816
817 if (len >= freespace)
818 {
819 /* Fill the buffer completely and process it */
820 memcpy(&context->buffer[usedspace], data, freespace);
821 ADDINC128(context->bitcount, freespace << 3);
822 len -= freespace;
823 data += freespace;
824 SHA512_Transform(context, context->buffer);
825 }
826 else
827 {
828 /* The buffer is not yet full */
829 memcpy(&context->buffer[usedspace], data, len);
830 ADDINC128(context->bitcount, len << 3);
831 /* Clean up: */
832 usedspace = freespace = 0;
833 return;
834 }
835 }
836 while (len >= PG_SHA512_BLOCK_LENGTH)
837 {
838 /* Process as many complete blocks as we can */
839 SHA512_Transform(context, data);
840 ADDINC128(context->bitcount, PG_SHA512_BLOCK_LENGTH << 3);
841 len -= PG_SHA512_BLOCK_LENGTH;
842 data += PG_SHA512_BLOCK_LENGTH;
843 }
844 if (len > 0)
845 {
846 /* There's left-overs, so save 'em */
847 memcpy(context->buffer, data, len);
848 ADDINC128(context->bitcount, len << 3);
849 }
850 /* Clean up: */
851 usedspace = freespace = 0;
852}
853
854static void
855SHA512_Last(pg_sha512_ctx *context)
856{
857 unsigned int usedspace;
858
859 usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH;
860#ifndef WORDS_BIGENDIAN
861 /* Convert FROM host byte order */
862 REVERSE64(context->bitcount[0], context->bitcount[0]);
863 REVERSE64(context->bitcount[1], context->bitcount[1]);
864#endif
865 if (usedspace > 0)
866 {
867 /* Begin padding with a 1 bit: */
868 context->buffer[usedspace++] = 0x80;
869
870 if (usedspace <= PG_SHA512_SHORT_BLOCK_LENGTH)
871 {
872 /* Set-up for the last transform: */
873 memset(&context->buffer[usedspace], 0, PG_SHA512_SHORT_BLOCK_LENGTH - usedspace);
874 }
875 else
876 {
877 if (usedspace < PG_SHA512_BLOCK_LENGTH)
878 {
879 memset(&context->buffer[usedspace], 0, PG_SHA512_BLOCK_LENGTH - usedspace);
880 }
881 /* Do second-to-last transform: */
882 SHA512_Transform(context, context->buffer);
883
884 /* And set-up for the last transform: */
885 memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH - 2);
886 }
887 }
888 else
889 {
890 /* Prepare for final transform: */
891 memset(context->buffer, 0, PG_SHA512_SHORT_BLOCK_LENGTH);
892
893 /* Begin padding with a 1 bit: */
894 *context->buffer = 0x80;
895 }
896 /* Store the length of input data (in bits): */
897 *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
898 *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH + 8] = context->bitcount[0];
899
900 /* Final transform: */
901 SHA512_Transform(context, context->buffer);
902}
903
904void
905pg_sha512_final(pg_sha512_ctx *context, uint8 *digest)
906{
907 /* If no digest buffer is passed, we don't bother doing this: */
908 if (digest != NULL)
909 {
910 SHA512_Last(context);
911
912 /* Save the hash data for output: */
913#ifndef WORDS_BIGENDIAN
914 {
915 /* Convert TO host byte order */
916 int j;
917
918 for (j = 0; j < 8; j++)
919 {
920 REVERSE64(context->state[j], context->state[j]);
921 }
922 }
923#endif
924 memcpy(digest, context->state, PG_SHA512_DIGEST_LENGTH);
925 }
926
927 /* Zero out state data */
928 memset(context, 0, sizeof(pg_sha512_ctx));
929}
930
931
932/*** SHA-384: *********************************************************/
933void
934pg_sha384_init(pg_sha384_ctx *context)
935{
936 if (context == NULL)
937 return;
938 memcpy(context->state, sha384_initial_hash_value, PG_SHA512_DIGEST_LENGTH);
939 memset(context->buffer, 0, PG_SHA384_BLOCK_LENGTH);
940 context->bitcount[0] = context->bitcount[1] = 0;
941}
942
943void
944pg_sha384_update(pg_sha384_ctx *context, const uint8 *data, size_t len)
945{
946 pg_sha512_update((pg_sha512_ctx *) context, data, len);
947}
948
949void
950pg_sha384_final(pg_sha384_ctx *context, uint8 *digest)
951{
952 /* If no digest buffer is passed, we don't bother doing this: */
953 if (digest != NULL)
954 {
955 SHA512_Last((pg_sha512_ctx *) context);
956
957 /* Save the hash data for output: */
958#ifndef WORDS_BIGENDIAN
959 {
960 /* Convert TO host byte order */
961 int j;
962
963 for (j = 0; j < 6; j++)
964 {
965 REVERSE64(context->state[j], context->state[j]);
966 }
967 }
968#endif
969 memcpy(digest, context->state, PG_SHA384_DIGEST_LENGTH);
970 }
971
972 /* Zero out state data */
973 memset(context, 0, sizeof(pg_sha384_ctx));
974}
975
976/*** SHA-224: *********************************************************/
977void
978pg_sha224_init(pg_sha224_ctx *context)
979{
980 if (context == NULL)
981 return;
982 memcpy(context->state, sha224_initial_hash_value, PG_SHA256_DIGEST_LENGTH);
983 memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH);
984 context->bitcount = 0;
985}
986
987void
988pg_sha224_update(pg_sha224_ctx *context, const uint8 *data, size_t len)
989{
990 pg_sha256_update((pg_sha256_ctx *) context, data, len);
991}
992
993void
994pg_sha224_final(pg_sha224_ctx *context, uint8 *digest)
995{
996 /* If no digest buffer is passed, we don't bother doing this: */
997 if (digest != NULL)
998 {
999 SHA256_Last(context);
1000
1001#ifndef WORDS_BIGENDIAN
1002 {
1003 /* Convert TO host byte order */
1004 int j;
1005
1006 for (j = 0; j < 8; j++)
1007 {
1008 REVERSE32(context->state[j], context->state[j]);
1009 }
1010 }
1011#endif
1012 memcpy(digest, context->state, PG_SHA224_DIGEST_LENGTH);
1013 }
1014
1015 /* Clean up state data: */
1016 memset(context, 0, sizeof(pg_sha224_ctx));
1017}
uint8
uint8_t uint8
Definition: c.h:500
uint64
uint64_t uint64
Definition: c.h:503
uint32
uint32_t uint32
Definition: c.h:502
b
int b
Definition: isn.c:69
a
int a
Definition: isn.c:68
j
int j
Definition: isn.c:73
len
const void size_t len
Definition: pg_crc32c_sse42.c:25
data
const void * data
Definition: pg_crc32c_sse42.c:24
postgres_fe.h
c
char * c
Definition: preproc-cursor.c:31
e
e
Definition: preproc-init.c:82
s1
char * s1
Definition: preproc-strings.c:33
pg_sha512_final
void pg_sha512_final(pg_sha512_ctx *context, uint8 *digest)
Definition: sha2.c:905
Sigma0_512
#define Sigma0_512(x)
Definition: sha2.c:149
sha224_initial_hash_value
static const uint32 sha224_initial_hash_value[8]
Definition: sha2.c:185
sha256_initial_hash_value
static const uint32 sha256_initial_hash_value[8]
Definition: sha2.c:197
sha384_initial_hash_value
static const uint64 sha384_initial_hash_value[8]
Definition: sha2.c:253
pg_sha384_init
void pg_sha384_init(pg_sha384_ctx *context)
Definition: sha2.c:934
Sigma0_256
#define Sigma0_256(x)
Definition: sha2.c:143
PG_SHA512_SHORT_BLOCK_LENGTH
#define PG_SHA512_SHORT_BLOCK_LENGTH
Definition: sha2.c:91
pg_sha256_init
void pg_sha256_init(pg_sha256_ctx *context)
Definition: sha2.c:279
K512
static const uint64 K512[80]
Definition: sha2.c:209
K256
static const uint32 K256[64]
Definition: sha2.c:165
ADDINC128
#define ADDINC128(w, n)
Definition: sha2.c:115
Maj
#define Maj(x, y, z)
Definition: sha2.c:140
sigma0_512
#define sigma0_512(x)
Definition: sha2.c:151
pg_sha512_update
void pg_sha512_update(pg_sha512_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:802
pg_sha224_update
void pg_sha224_update(pg_sha224_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:988
REVERSE64
#define REVERSE64(w, x)
Definition: sha2.c:100
pg_sha512_init
void pg_sha512_init(pg_sha512_ctx *context)
Definition: sha2.c:605
Sigma1_512
#define Sigma1_512(x)
Definition: sha2.c:150
sigma1_256
#define sigma1_256(x)
Definition: sha2.c:146
REVERSE32
#define REVERSE32(w, x)
Definition: sha2.c:95
SHA512_Last
static void SHA512_Last(pg_sha512_ctx *context)
Definition: sha2.c:855
pg_sha224_init
void pg_sha224_init(pg_sha224_ctx *context)
Definition: sha2.c:978
pg_sha256_final
void pg_sha256_final(pg_sha256_ctx *context, uint8 *digest)
Definition: sha2.c:577
SHA256_Last
static void SHA256_Last(pg_sha256_ctx *context)
Definition: sha2.c:529
pg_sha224_final
void pg_sha224_final(pg_sha224_ctx *context, uint8 *digest)
Definition: sha2.c:994
Sigma1_256
#define Sigma1_256(x)
Definition: sha2.c:144
pg_sha384_final
void pg_sha384_final(pg_sha384_ctx *context, uint8 *digest)
Definition: sha2.c:950
Ch
#define Ch(x, y, z)
Definition: sha2.c:139
pg_sha384_update
void pg_sha384_update(pg_sha384_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:944
sigma1_512
#define sigma1_512(x)
Definition: sha2.c:152
sha512_initial_hash_value
static const uint64 sha512_initial_hash_value[8]
Definition: sha2.c:265
pg_sha256_update
void pg_sha256_update(pg_sha256_ctx *context, const uint8 *data, size_t len)
Definition: sha2.c:476
SHA512_Transform
static void SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
Definition: sha2.c:712
SHA256_Transform
static void SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
Definition: sha2.c:386
PG_SHA256_SHORT_BLOCK_LENGTH
#define PG_SHA256_SHORT_BLOCK_LENGTH
Definition: sha2.c:89
sigma0_256
#define sigma0_256(x)
Definition: sha2.c:145
PG_SHA256_DIGEST_LENGTH
#define PG_SHA256_DIGEST_LENGTH
Definition: sha2.h:23
PG_SHA384_BLOCK_LENGTH
#define PG_SHA384_BLOCK_LENGTH
Definition: sha2.h:25
PG_SHA384_DIGEST_LENGTH
#define PG_SHA384_DIGEST_LENGTH
Definition: sha2.h:26
PG_SHA512_DIGEST_LENGTH
#define PG_SHA512_DIGEST_LENGTH
Definition: sha2.h:29
PG_SHA256_BLOCK_LENGTH
#define PG_SHA256_BLOCK_LENGTH
Definition: sha2.h:22
PG_SHA512_BLOCK_LENGTH
#define PG_SHA512_BLOCK_LENGTH
Definition: sha2.h:28
PG_SHA224_DIGEST_LENGTH
#define PG_SHA224_DIGEST_LENGTH
Definition: sha2.h:20
sha2_int.h
pg_sha256_ctx
Definition: sha2_int.h:56
pg_sha256_ctx::buffer
uint8 buffer[PG_SHA256_BLOCK_LENGTH]
Definition: sha2_int.h:59
pg_sha256_ctx::state
uint32 state[8]
Definition: sha2_int.h:57
pg_sha256_ctx::bitcount
uint64 bitcount
Definition: sha2_int.h:58
pg_sha512_ctx
Definition: sha2_int.h:62
pg_sha512_ctx::state
uint64 state[8]
Definition: sha2_int.h:63
pg_sha512_ctx::buffer
uint8 buffer[PG_SHA512_BLOCK_LENGTH]
Definition: sha2_int.h:65
pg_sha512_ctx::bitcount
uint64 bitcount[2]
Definition: sha2_int.h:64