1 /*
2 * FIPS 180-2 SHA-224/256/384/512 implementation
3 * Last update: 02/02/2007
4 * Issue date: 04/30/2005
5 *
6 * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #if 0
35 #define UNROLL_LOOPS /* Enable loops unrolling */
36 #endif
37
38 #include <string.h>
39
40 #include "sha2.h"
41
42 #define SHFR(x, n) (x >> n)
43 #define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n)))
44 #define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n)))
45 #define CH(x, y, z) ((x & y) ^ (~x & z))
46 #define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
47
48 #define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
49 #define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
50 #define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3))
51 #define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
52
53 #define SHA512_F1(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
54 #define SHA512_F2(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
55 #define SHA512_F3(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHFR(x, 7))
56 #define SHA512_F4(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHFR(x, 6))
57
58 #define UNPACK32(x, str) \
59 { \
60 *((str) + 3) = (uint8) ((x) ); \
61 *((str) + 2) = (uint8) ((x) >> 8); \
62 *((str) + 1) = (uint8) ((x) >> 16); \
63 *((str) + 0) = (uint8) ((x) >> 24); \
64 }
65
66 #define PACK32(str, x) \
67 { \
68 *(x) = ((uint32) *((str) + 3) ) \
69 | ((uint32) *((str) + 2) << 8) \
70 | ((uint32) *((str) + 1) << 16) \
71 | ((uint32) *((str) + 0) << 24); \
72 }
73
74 #define UNPACK64(x, str) \
75 { \
76 *((str) + 7) = (uint8) ((x) ); \
77 *((str) + 6) = (uint8) ((x) >> 8); \
78 *((str) + 5) = (uint8) ((x) >> 16); \
79 *((str) + 4) = (uint8) ((x) >> 24); \
80 *((str) + 3) = (uint8) ((x) >> 32); \
81 *((str) + 2) = (uint8) ((x) >> 40); \
82 *((str) + 1) = (uint8) ((x) >> 48); \
83 *((str) + 0) = (uint8) ((x) >> 56); \
84 }
85
86 #define PACK64(str, x) \
87 { \
88 *(x) = ((uint64) *((str) + 7) ) \
89 | ((uint64) *((str) + 6) << 8) \
90 | ((uint64) *((str) + 5) << 16) \
91 | ((uint64) *((str) + 4) << 24) \
92 | ((uint64) *((str) + 3) << 32) \
93 | ((uint64) *((str) + 2) << 40) \
94 | ((uint64) *((str) + 1) << 48) \
95 | ((uint64) *((str) + 0) << 56); \
96 }
97
98 /* Macros used for loops unrolling */
99
100 #define SHA256_SCR(i) \
101 { \
102 w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \
103 + SHA256_F3(w[i - 15]) + w[i - 16]; \
104 }
105
106 #define SHA512_SCR(i) \
107 { \
108 w[i] = SHA512_F4(w[i - 2]) + w[i - 7] \
109 + SHA512_F3(w[i - 15]) + w[i - 16]; \
110 }
111
112 #define SHA256_EXP(a, b, c, d, e, f, g, h, j) \
113 { \
114 t1 = wv[h] + SHA256_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
115 + sha256_k[j] + w[j]; \
116 t2 = SHA256_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
117 wv[d] += t1; \
118 wv[h] = t1 + t2; \
119 }
120
121 #define SHA512_EXP(a, b, c, d, e, f, g ,h, j) \
122 { \
123 t1 = wv[h] + SHA512_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
124 + sha512_k[j] + w[j]; \
125 t2 = SHA512_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
126 wv[d] += t1; \
127 wv[h] = t1 + t2; \
128 }
129
130 uint32 sha224_h0[8] =
131 {0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
132 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4};
133
134 uint32 sha256_h0[8] =
135 {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
136 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
137
138 uint64 sha384_h0[8] =
139 {li_64(cbbb9d5dc1059ed8), li_64(629a292a367cd507),
140 li_64(9159015a3070dd17), li_64(152fecd8f70e5939),
141 li_64(67332667ffc00b31), li_64(8eb44a8768581511),
142 li_64(db0c2e0d64f98fa7), li_64(47b5481dbefa4fa4)};
143
144 uint64 sha512_h0[8] =
145 {li_64(6a09e667f3bcc908), li_64(bb67ae8584caa73b),
146 li_64(3c6ef372fe94f82b), li_64(a54ff53a5f1d36f1),
147 li_64(510e527fade682d1), li_64(9b05688c2b3e6c1f),
148 li_64(1f83d9abfb41bd6b), li_64(5be0cd19137e2179)};
149
150 uint32 sha256_k[64] =
151 {0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
152 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
153 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
154 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
155 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
156 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
157 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
158 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
159 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
160 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
161 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
162 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
163 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
164 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
165 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
166 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
167
168 uint64 sha512_k[80] =
169 {li_64(428a2f98d728ae22), li_64(7137449123ef65cd),
170 li_64(b5c0fbcfec4d3b2f), li_64(e9b5dba58189dbbc),
171 li_64(3956c25bf348b538), li_64(59f111f1b605d019),
172 li_64(923f82a4af194f9b), li_64(ab1c5ed5da6d8118),
173 li_64(d807aa98a3030242), li_64(12835b0145706fbe),
174 li_64(243185be4ee4b28c), li_64(550c7dc3d5ffb4e2),
175 li_64(72be5d74f27b896f), li_64(80deb1fe3b1696b1),
176 li_64(9bdc06a725c71235), li_64(c19bf174cf692694),
177 li_64(e49b69c19ef14ad2), li_64(efbe4786384f25e3),
178 li_64(0fc19dc68b8cd5b5), li_64(240ca1cc77ac9c65),
179 li_64(2de92c6f592b0275), li_64(4a7484aa6ea6e483),
180 li_64(5cb0a9dcbd41fbd4), li_64(76f988da831153b5),
181 li_64(983e5152ee66dfab), li_64(a831c66d2db43210),
182 li_64(b00327c898fb213f), li_64(bf597fc7beef0ee4),
183 li_64(c6e00bf33da88fc2), li_64(d5a79147930aa725),
184 li_64(06ca6351e003826f), li_64(142929670a0e6e70),
185 li_64(27b70a8546d22ffc), li_64(2e1b21385c26c926),
186 li_64(4d2c6dfc5ac42aed), li_64(53380d139d95b3df),
187 li_64(650a73548baf63de), li_64(766a0abb3c77b2a8),
188 li_64(81c2c92e47edaee6), li_64(92722c851482353b),
189 li_64(a2bfe8a14cf10364), li_64(a81a664bbc423001),
190 li_64(c24b8b70d0f89791), li_64(c76c51a30654be30),
191 li_64(d192e819d6ef5218), li_64(d69906245565a910),
192 li_64(f40e35855771202a), li_64(106aa07032bbd1b8),
193 li_64(19a4c116b8d2d0c8), li_64(1e376c085141ab53),
194 li_64(2748774cdf8eeb99), li_64(34b0bcb5e19b48a8),
195 li_64(391c0cb3c5c95a63), li_64(4ed8aa4ae3418acb),
196 li_64(5b9cca4f7763e373), li_64(682e6ff3d6b2b8a3),
197 li_64(748f82ee5defb2fc), li_64(78a5636f43172f60),
198 li_64(84c87814a1f0ab72), li_64(8cc702081a6439ec),
199 li_64(90befffa23631e28), li_64(a4506cebde82bde9),
200 li_64(bef9a3f7b2c67915), li_64(c67178f2e372532b),
201 li_64(ca273eceea26619c), li_64(d186b8c721c0c207),
202 li_64(eada7dd6cde0eb1e), li_64(f57d4f7fee6ed178),
203 li_64(06f067aa72176fba), li_64(0a637dc5a2c898a6),
204 li_64(113f9804bef90dae), li_64(1b710b35131c471b),
205 li_64(28db77f523047d84), li_64(32caab7b40c72493),
206 li_64(3c9ebe0a15c9bebc), li_64(431d67c49c100d4c),
207 li_64(4cc5d4becb3e42b6), li_64(597f299cfc657e2a),
208 li_64(5fcb6fab3ad6faec), li_64(6c44198c4a475817)};
209
210 /* SHA-256 functions */
211
sha256_transf(sha256_ctx * ctx,const unsigned char * message,unsigned int block_nb)212 void sha256_transf(sha256_ctx *ctx, const unsigned char *message,
213 unsigned int block_nb)
214 {
215 uint32 w[64];
216 uint32 wv[8];
217 uint32 t1, t2;
218 const unsigned char *sub_block;
219 int i;
220
221 #ifndef UNROLL_LOOPS
222 int j;
223 #endif
224
225 for (i = 0; i < (int) block_nb; i++) {
226 sub_block = message + (i << 6);
227
228 #ifndef UNROLL_LOOPS
229 for (j = 0; j < 16; j++) {
230 PACK32(&sub_block[j << 2], &w[j]);
231 }
232
233 for (j = 16; j < 64; j++) {
234 SHA256_SCR(j);
235 }
236
237 for (j = 0; j < 8; j++) {
238 wv[j] = ctx->h[j];
239 }
240
241 for (j = 0; j < 64; j++) {
242 t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
243 + sha256_k[j] + w[j];
244 t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
245 wv[7] = wv[6];
246 wv[6] = wv[5];
247 wv[5] = wv[4];
248 wv[4] = wv[3] + t1;
249 wv[3] = wv[2];
250 wv[2] = wv[1];
251 wv[1] = wv[0];
252 wv[0] = t1 + t2;
253 }
254
255 for (j = 0; j < 8; j++) {
256 ctx->h[j] += wv[j];
257 }
258 #else
259 PACK32(&sub_block[ 0], &w[ 0]); PACK32(&sub_block[ 4], &w[ 1]);
260 PACK32(&sub_block[ 8], &w[ 2]); PACK32(&sub_block[12], &w[ 3]);
261 PACK32(&sub_block[16], &w[ 4]); PACK32(&sub_block[20], &w[ 5]);
262 PACK32(&sub_block[24], &w[ 6]); PACK32(&sub_block[28], &w[ 7]);
263 PACK32(&sub_block[32], &w[ 8]); PACK32(&sub_block[36], &w[ 9]);
264 PACK32(&sub_block[40], &w[10]); PACK32(&sub_block[44], &w[11]);
265 PACK32(&sub_block[48], &w[12]); PACK32(&sub_block[52], &w[13]);
266 PACK32(&sub_block[56], &w[14]); PACK32(&sub_block[60], &w[15]);
267
268 SHA256_SCR(16); SHA256_SCR(17); SHA256_SCR(18); SHA256_SCR(19);
269 SHA256_SCR(20); SHA256_SCR(21); SHA256_SCR(22); SHA256_SCR(23);
270 SHA256_SCR(24); SHA256_SCR(25); SHA256_SCR(26); SHA256_SCR(27);
271 SHA256_SCR(28); SHA256_SCR(29); SHA256_SCR(30); SHA256_SCR(31);
272 SHA256_SCR(32); SHA256_SCR(33); SHA256_SCR(34); SHA256_SCR(35);
273 SHA256_SCR(36); SHA256_SCR(37); SHA256_SCR(38); SHA256_SCR(39);
274 SHA256_SCR(40); SHA256_SCR(41); SHA256_SCR(42); SHA256_SCR(43);
275 SHA256_SCR(44); SHA256_SCR(45); SHA256_SCR(46); SHA256_SCR(47);
276 SHA256_SCR(48); SHA256_SCR(49); SHA256_SCR(50); SHA256_SCR(51);
277 SHA256_SCR(52); SHA256_SCR(53); SHA256_SCR(54); SHA256_SCR(55);
278 SHA256_SCR(56); SHA256_SCR(57); SHA256_SCR(58); SHA256_SCR(59);
279 SHA256_SCR(60); SHA256_SCR(61); SHA256_SCR(62); SHA256_SCR(63);
280
281 wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
282 wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
283 wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
284 wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
285
286 SHA256_EXP(0,1,2,3,4,5,6,7, 0); SHA256_EXP(7,0,1,2,3,4,5,6, 1);
287 SHA256_EXP(6,7,0,1,2,3,4,5, 2); SHA256_EXP(5,6,7,0,1,2,3,4, 3);
288 SHA256_EXP(4,5,6,7,0,1,2,3, 4); SHA256_EXP(3,4,5,6,7,0,1,2, 5);
289 SHA256_EXP(2,3,4,5,6,7,0,1, 6); SHA256_EXP(1,2,3,4,5,6,7,0, 7);
290 SHA256_EXP(0,1,2,3,4,5,6,7, 8); SHA256_EXP(7,0,1,2,3,4,5,6, 9);
291 SHA256_EXP(6,7,0,1,2,3,4,5,10); SHA256_EXP(5,6,7,0,1,2,3,4,11);
292 SHA256_EXP(4,5,6,7,0,1,2,3,12); SHA256_EXP(3,4,5,6,7,0,1,2,13);
293 SHA256_EXP(2,3,4,5,6,7,0,1,14); SHA256_EXP(1,2,3,4,5,6,7,0,15);
294 SHA256_EXP(0,1,2,3,4,5,6,7,16); SHA256_EXP(7,0,1,2,3,4,5,6,17);
295 SHA256_EXP(6,7,0,1,2,3,4,5,18); SHA256_EXP(5,6,7,0,1,2,3,4,19);
296 SHA256_EXP(4,5,6,7,0,1,2,3,20); SHA256_EXP(3,4,5,6,7,0,1,2,21);
297 SHA256_EXP(2,3,4,5,6,7,0,1,22); SHA256_EXP(1,2,3,4,5,6,7,0,23);
298 SHA256_EXP(0,1,2,3,4,5,6,7,24); SHA256_EXP(7,0,1,2,3,4,5,6,25);
299 SHA256_EXP(6,7,0,1,2,3,4,5,26); SHA256_EXP(5,6,7,0,1,2,3,4,27);
300 SHA256_EXP(4,5,6,7,0,1,2,3,28); SHA256_EXP(3,4,5,6,7,0,1,2,29);
301 SHA256_EXP(2,3,4,5,6,7,0,1,30); SHA256_EXP(1,2,3,4,5,6,7,0,31);
302 SHA256_EXP(0,1,2,3,4,5,6,7,32); SHA256_EXP(7,0,1,2,3,4,5,6,33);
303 SHA256_EXP(6,7,0,1,2,3,4,5,34); SHA256_EXP(5,6,7,0,1,2,3,4,35);
304 SHA256_EXP(4,5,6,7,0,1,2,3,36); SHA256_EXP(3,4,5,6,7,0,1,2,37);
305 SHA256_EXP(2,3,4,5,6,7,0,1,38); SHA256_EXP(1,2,3,4,5,6,7,0,39);
306 SHA256_EXP(0,1,2,3,4,5,6,7,40); SHA256_EXP(7,0,1,2,3,4,5,6,41);
307 SHA256_EXP(6,7,0,1,2,3,4,5,42); SHA256_EXP(5,6,7,0,1,2,3,4,43);
308 SHA256_EXP(4,5,6,7,0,1,2,3,44); SHA256_EXP(3,4,5,6,7,0,1,2,45);
309 SHA256_EXP(2,3,4,5,6,7,0,1,46); SHA256_EXP(1,2,3,4,5,6,7,0,47);
310 SHA256_EXP(0,1,2,3,4,5,6,7,48); SHA256_EXP(7,0,1,2,3,4,5,6,49);
311 SHA256_EXP(6,7,0,1,2,3,4,5,50); SHA256_EXP(5,6,7,0,1,2,3,4,51);
312 SHA256_EXP(4,5,6,7,0,1,2,3,52); SHA256_EXP(3,4,5,6,7,0,1,2,53);
313 SHA256_EXP(2,3,4,5,6,7,0,1,54); SHA256_EXP(1,2,3,4,5,6,7,0,55);
314 SHA256_EXP(0,1,2,3,4,5,6,7,56); SHA256_EXP(7,0,1,2,3,4,5,6,57);
315 SHA256_EXP(6,7,0,1,2,3,4,5,58); SHA256_EXP(5,6,7,0,1,2,3,4,59);
316 SHA256_EXP(4,5,6,7,0,1,2,3,60); SHA256_EXP(3,4,5,6,7,0,1,2,61);
317 SHA256_EXP(2,3,4,5,6,7,0,1,62); SHA256_EXP(1,2,3,4,5,6,7,0,63);
318
319 ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
320 ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
321 ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
322 ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
323 #endif /* !UNROLL_LOOPS */
324 }
325 }
326
sha256(const unsigned char * message,unsigned int len,unsigned char * digest)327 void sha256(const unsigned char *message, unsigned int len, unsigned char *digest)
328 {
329 sha256_ctx ctx;
330
331 sha256_init(&ctx);
332 sha256_update(&ctx, message, len);
333 sha256_final(&ctx, digest);
334 }
335
sha256_init(sha256_ctx * ctx)336 void sha256_init(sha256_ctx *ctx)
337 {
338 #ifndef UNROLL_LOOPS
339 int i;
340 for (i = 0; i < 8; i++) {
341 ctx->h[i] = sha256_h0[i];
342 }
343 #else
344 ctx->h[0] = sha256_h0[0]; ctx->h[1] = sha256_h0[1];
345 ctx->h[2] = sha256_h0[2]; ctx->h[3] = sha256_h0[3];
346 ctx->h[4] = sha256_h0[4]; ctx->h[5] = sha256_h0[5];
347 ctx->h[6] = sha256_h0[6]; ctx->h[7] = sha256_h0[7];
348 #endif /* !UNROLL_LOOPS */
349
350 ctx->len = 0;
351 ctx->tot_len = 0;
352 }
353
sha256_update(sha256_ctx * ctx,const unsigned char * message,unsigned int len)354 void sha256_update(sha256_ctx *ctx, const unsigned char *message,
355 unsigned int len)
356 {
357 unsigned int block_nb;
358 unsigned int new_len, rem_len, tmp_len;
359 const unsigned char *shifted_message;
360
361 tmp_len = SHA256_BLOCK_SIZE - ctx->len;
362 rem_len = len < tmp_len ? len : tmp_len;
363
364 memcpy(&ctx->block[ctx->len], message, rem_len);
365
366 if (ctx->len + len < SHA256_BLOCK_SIZE) {
367 ctx->len += len;
368 return;
369 }
370
371 new_len = len - rem_len;
372 block_nb = new_len / SHA256_BLOCK_SIZE;
373
374 shifted_message = message + rem_len;
375
376 sha256_transf(ctx, ctx->block, 1);
377 sha256_transf(ctx, shifted_message, block_nb);
378
379 rem_len = new_len % SHA256_BLOCK_SIZE;
380
381 memcpy(ctx->block, &shifted_message[block_nb << 6],
382 rem_len);
383
384 ctx->len = rem_len;
385 ctx->tot_len += (block_nb + 1) << 6;
386 }
387
sha256_final(sha256_ctx * ctx,unsigned char * digest)388 void sha256_final(sha256_ctx *ctx, unsigned char *digest)
389 {
390 unsigned int block_nb;
391 unsigned int pm_len;
392 unsigned int len_b;
393
394 #ifndef UNROLL_LOOPS
395 int i;
396 #endif
397
398 block_nb = (1 + ((SHA256_BLOCK_SIZE - 9)
399 < (ctx->len % SHA256_BLOCK_SIZE)));
400
401 len_b = (ctx->tot_len + ctx->len) << 3;
402 pm_len = block_nb << 6;
403
404 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
405 ctx->block[ctx->len] = 0x80;
406 UNPACK32(len_b, ctx->block + pm_len - 4);
407
408 sha256_transf(ctx, ctx->block, block_nb);
409
410 #ifndef UNROLL_LOOPS
411 for (i = 0 ; i < 8; i++) {
412 UNPACK32(ctx->h[i], &digest[i << 2]);
413 }
414 #else
415 UNPACK32(ctx->h[0], &digest[ 0]);
416 UNPACK32(ctx->h[1], &digest[ 4]);
417 UNPACK32(ctx->h[2], &digest[ 8]);
418 UNPACK32(ctx->h[3], &digest[12]);
419 UNPACK32(ctx->h[4], &digest[16]);
420 UNPACK32(ctx->h[5], &digest[20]);
421 UNPACK32(ctx->h[6], &digest[24]);
422 UNPACK32(ctx->h[7], &digest[28]);
423 #endif /* !UNROLL_LOOPS */
424 }
425
426 /* SHA-512 functions */
427
sha512_transf(sha512_ctx * ctx,const unsigned char * message,unsigned int block_nb)428 void sha512_transf(sha512_ctx *ctx, const unsigned char *message,
429 unsigned int block_nb)
430 {
431 uint64 w[80];
432 uint64 wv[8];
433 uint64 t1, t2;
434 const unsigned char *sub_block;
435 int i, j;
436
437 for (i = 0; i < (int) block_nb; i++) {
438 sub_block = message + (i << 7);
439
440 #ifndef UNROLL_LOOPS
441 for (j = 0; j < 16; j++) {
442 PACK64(&sub_block[j << 3], &w[j]);
443 }
444
445 for (j = 16; j < 80; j++) {
446 SHA512_SCR(j);
447 }
448
449 for (j = 0; j < 8; j++) {
450 wv[j] = ctx->h[j];
451 }
452
453 for (j = 0; j < 80; j++) {
454 t1 = wv[7] + SHA512_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
455 + sha512_k[j] + w[j];
456 t2 = SHA512_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
457 wv[7] = wv[6];
458 wv[6] = wv[5];
459 wv[5] = wv[4];
460 wv[4] = wv[3] + t1;
461 wv[3] = wv[2];
462 wv[2] = wv[1];
463 wv[1] = wv[0];
464 wv[0] = t1 + t2;
465 }
466
467 for (j = 0; j < 8; j++) {
468 ctx->h[j] += wv[j];
469 }
470 #else
471 PACK64(&sub_block[ 0], &w[ 0]); PACK64(&sub_block[ 8], &w[ 1]);
472 PACK64(&sub_block[ 16], &w[ 2]); PACK64(&sub_block[ 24], &w[ 3]);
473 PACK64(&sub_block[ 32], &w[ 4]); PACK64(&sub_block[ 40], &w[ 5]);
474 PACK64(&sub_block[ 48], &w[ 6]); PACK64(&sub_block[ 56], &w[ 7]);
475 PACK64(&sub_block[ 64], &w[ 8]); PACK64(&sub_block[ 72], &w[ 9]);
476 PACK64(&sub_block[ 80], &w[10]); PACK64(&sub_block[ 88], &w[11]);
477 PACK64(&sub_block[ 96], &w[12]); PACK64(&sub_block[104], &w[13]);
478 PACK64(&sub_block[112], &w[14]); PACK64(&sub_block[120], &w[15]);
479
480 SHA512_SCR(16); SHA512_SCR(17); SHA512_SCR(18); SHA512_SCR(19);
481 SHA512_SCR(20); SHA512_SCR(21); SHA512_SCR(22); SHA512_SCR(23);
482 SHA512_SCR(24); SHA512_SCR(25); SHA512_SCR(26); SHA512_SCR(27);
483 SHA512_SCR(28); SHA512_SCR(29); SHA512_SCR(30); SHA512_SCR(31);
484 SHA512_SCR(32); SHA512_SCR(33); SHA512_SCR(34); SHA512_SCR(35);
485 SHA512_SCR(36); SHA512_SCR(37); SHA512_SCR(38); SHA512_SCR(39);
486 SHA512_SCR(40); SHA512_SCR(41); SHA512_SCR(42); SHA512_SCR(43);
487 SHA512_SCR(44); SHA512_SCR(45); SHA512_SCR(46); SHA512_SCR(47);
488 SHA512_SCR(48); SHA512_SCR(49); SHA512_SCR(50); SHA512_SCR(51);
489 SHA512_SCR(52); SHA512_SCR(53); SHA512_SCR(54); SHA512_SCR(55);
490 SHA512_SCR(56); SHA512_SCR(57); SHA512_SCR(58); SHA512_SCR(59);
491 SHA512_SCR(60); SHA512_SCR(61); SHA512_SCR(62); SHA512_SCR(63);
492 SHA512_SCR(64); SHA512_SCR(65); SHA512_SCR(66); SHA512_SCR(67);
493 SHA512_SCR(68); SHA512_SCR(69); SHA512_SCR(70); SHA512_SCR(71);
494 SHA512_SCR(72); SHA512_SCR(73); SHA512_SCR(74); SHA512_SCR(75);
495 SHA512_SCR(76); SHA512_SCR(77); SHA512_SCR(78); SHA512_SCR(79);
496
497 wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
498 wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
499 wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
500 wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
501
502 j = 0;
503
504 do {
505 SHA512_EXP(0,1,2,3,4,5,6,7,j); j++;
506 SHA512_EXP(7,0,1,2,3,4,5,6,j); j++;
507 SHA512_EXP(6,7,0,1,2,3,4,5,j); j++;
508 SHA512_EXP(5,6,7,0,1,2,3,4,j); j++;
509 SHA512_EXP(4,5,6,7,0,1,2,3,j); j++;
510 SHA512_EXP(3,4,5,6,7,0,1,2,j); j++;
511 SHA512_EXP(2,3,4,5,6,7,0,1,j); j++;
512 SHA512_EXP(1,2,3,4,5,6,7,0,j); j++;
513 } while (j < 80);
514
515 ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
516 ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
517 ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
518 ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
519 #endif /* !UNROLL_LOOPS */
520 }
521 }
522
sha512(const unsigned char * message,unsigned int len,unsigned char * digest)523 void sha512(const unsigned char *message, unsigned int len,
524 unsigned char *digest)
525 {
526 sha512_ctx ctx;
527
528 sha512_init(&ctx);
529 sha512_update(&ctx, message, len);
530 sha512_final(&ctx, digest);
531 }
532
sha512_init(sha512_ctx * ctx)533 void sha512_init(sha512_ctx *ctx)
534 {
535 #ifndef UNROLL_LOOPS
536 int i;
537 for (i = 0; i < 8; i++) {
538 ctx->h[i] = sha512_h0[i];
539 }
540 #else
541 ctx->h[0] = sha512_h0[0]; ctx->h[1] = sha512_h0[1];
542 ctx->h[2] = sha512_h0[2]; ctx->h[3] = sha512_h0[3];
543 ctx->h[4] = sha512_h0[4]; ctx->h[5] = sha512_h0[5];
544 ctx->h[6] = sha512_h0[6]; ctx->h[7] = sha512_h0[7];
545 #endif /* !UNROLL_LOOPS */
546
547 ctx->len = 0;
548 ctx->tot_len = 0;
549 }
550
sha512_update(sha512_ctx * ctx,const unsigned char * message,unsigned int len)551 void sha512_update(sha512_ctx *ctx, const unsigned char *message,
552 unsigned int len)
553 {
554 unsigned int block_nb;
555 unsigned int new_len, rem_len, tmp_len;
556 const unsigned char *shifted_message;
557
558 tmp_len = SHA512_BLOCK_SIZE - ctx->len;
559 rem_len = len < tmp_len ? len : tmp_len;
560
561 memcpy(&ctx->block[ctx->len], message, rem_len);
562
563 if (ctx->len + len < SHA512_BLOCK_SIZE) {
564 ctx->len += len;
565 return;
566 }
567
568 new_len = len - rem_len;
569 block_nb = new_len / SHA512_BLOCK_SIZE;
570
571 shifted_message = message + rem_len;
572
573 sha512_transf(ctx, ctx->block, 1);
574 sha512_transf(ctx, shifted_message, block_nb);
575
576 rem_len = new_len % SHA512_BLOCK_SIZE;
577
578 memcpy(ctx->block, &shifted_message[block_nb << 7],
579 rem_len);
580
581 ctx->len = rem_len;
582 ctx->tot_len += (block_nb + 1) << 7;
583 }
584
sha512_final(sha512_ctx * ctx,unsigned char * digest)585 void sha512_final(sha512_ctx *ctx, unsigned char *digest)
586 {
587 unsigned int block_nb;
588 unsigned int pm_len;
589 unsigned int len_b;
590
591 #ifndef UNROLL_LOOPS
592 int i;
593 #endif
594
595 block_nb = 1 + ((SHA512_BLOCK_SIZE - 17)
596 < (ctx->len % SHA512_BLOCK_SIZE));
597
598 len_b = (ctx->tot_len + ctx->len) << 3;
599 pm_len = block_nb << 7;
600
601 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
602 ctx->block[ctx->len] = 0x80;
603 UNPACK32(len_b, ctx->block + pm_len - 4);
604
605 sha512_transf(ctx, ctx->block, block_nb);
606
607 #ifndef UNROLL_LOOPS
608 for (i = 0 ; i < 8; i++) {
609 UNPACK64(ctx->h[i], &digest[i << 3]);
610 }
611 #else
612 UNPACK64(ctx->h[0], &digest[ 0]);
613 UNPACK64(ctx->h[1], &digest[ 8]);
614 UNPACK64(ctx->h[2], &digest[16]);
615 UNPACK64(ctx->h[3], &digest[24]);
616 UNPACK64(ctx->h[4], &digest[32]);
617 UNPACK64(ctx->h[5], &digest[40]);
618 UNPACK64(ctx->h[6], &digest[48]);
619 UNPACK64(ctx->h[7], &digest[56]);
620 #endif /* !UNROLL_LOOPS */
621 }
622
623 /* SHA-384 functions */
624
sha384(const unsigned char * message,unsigned int len,unsigned char * digest)625 void sha384(const unsigned char *message, unsigned int len,
626 unsigned char *digest)
627 {
628 sha384_ctx ctx;
629
630 sha384_init(&ctx);
631 sha384_update(&ctx, message, len);
632 sha384_final(&ctx, digest);
633 }
634
sha384_init(sha384_ctx * ctx)635 void sha384_init(sha384_ctx *ctx)
636 {
637 #ifndef UNROLL_LOOPS
638 int i;
639 for (i = 0; i < 8; i++) {
640 ctx->h[i] = sha384_h0[i];
641 }
642 #else
643 ctx->h[0] = sha384_h0[0]; ctx->h[1] = sha384_h0[1];
644 ctx->h[2] = sha384_h0[2]; ctx->h[3] = sha384_h0[3];
645 ctx->h[4] = sha384_h0[4]; ctx->h[5] = sha384_h0[5];
646 ctx->h[6] = sha384_h0[6]; ctx->h[7] = sha384_h0[7];
647 #endif /* !UNROLL_LOOPS */
648
649 ctx->len = 0;
650 ctx->tot_len = 0;
651 }
652
sha384_update(sha384_ctx * ctx,const unsigned char * message,unsigned int len)653 void sha384_update(sha384_ctx *ctx, const unsigned char *message,
654 unsigned int len)
655 {
656 unsigned int block_nb;
657 unsigned int new_len, rem_len, tmp_len;
658 const unsigned char *shifted_message;
659
660 tmp_len = SHA384_BLOCK_SIZE - ctx->len;
661 rem_len = len < tmp_len ? len : tmp_len;
662
663 memcpy(&ctx->block[ctx->len], message, rem_len);
664
665 if (ctx->len + len < SHA384_BLOCK_SIZE) {
666 ctx->len += len;
667 return;
668 }
669
670 new_len = len - rem_len;
671 block_nb = new_len / SHA384_BLOCK_SIZE;
672
673 shifted_message = message + rem_len;
674
675 sha512_transf(ctx, ctx->block, 1);
676 sha512_transf(ctx, shifted_message, block_nb);
677
678 rem_len = new_len % SHA384_BLOCK_SIZE;
679
680 memcpy(ctx->block, &shifted_message[block_nb << 7],
681 rem_len);
682
683 ctx->len = rem_len;
684 ctx->tot_len += (block_nb + 1) << 7;
685 }
686
sha384_final(sha384_ctx * ctx,unsigned char * digest)687 void sha384_final(sha384_ctx *ctx, unsigned char *digest)
688 {
689 unsigned int block_nb;
690 unsigned int pm_len;
691 unsigned int len_b;
692
693 #ifndef UNROLL_LOOPS
694 int i;
695 #endif
696
697 block_nb = (1 + ((SHA384_BLOCK_SIZE - 17)
698 < (ctx->len % SHA384_BLOCK_SIZE)));
699
700 len_b = (ctx->tot_len + ctx->len) << 3;
701 pm_len = block_nb << 7;
702
703 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
704 ctx->block[ctx->len] = 0x80;
705 UNPACK32(len_b, ctx->block + pm_len - 4);
706
707 sha512_transf(ctx, ctx->block, block_nb);
708
709 #ifndef UNROLL_LOOPS
710 for (i = 0 ; i < 6; i++) {
711 UNPACK64(ctx->h[i], &digest[i << 3]);
712 }
713 #else
714 UNPACK64(ctx->h[0], &digest[ 0]);
715 UNPACK64(ctx->h[1], &digest[ 8]);
716 UNPACK64(ctx->h[2], &digest[16]);
717 UNPACK64(ctx->h[3], &digest[24]);
718 UNPACK64(ctx->h[4], &digest[32]);
719 UNPACK64(ctx->h[5], &digest[40]);
720 #endif /* !UNROLL_LOOPS */
721 }
722
723 /* SHA-224 functions */
724
sha224(const unsigned char * message,unsigned int len,unsigned char * digest)725 void sha224(const unsigned char *message, unsigned int len,
726 unsigned char *digest)
727 {
728 sha224_ctx ctx;
729
730 sha224_init(&ctx);
731 sha224_update(&ctx, message, len);
732 sha224_final(&ctx, digest);
733 }
734
sha224_init(sha224_ctx * ctx)735 void sha224_init(sha224_ctx *ctx)
736 {
737 #ifndef UNROLL_LOOPS
738 int i;
739 for (i = 0; i < 8; i++) {
740 ctx->h[i] = sha224_h0[i];
741 }
742 #else
743 ctx->h[0] = sha224_h0[0]; ctx->h[1] = sha224_h0[1];
744 ctx->h[2] = sha224_h0[2]; ctx->h[3] = sha224_h0[3];
745 ctx->h[4] = sha224_h0[4]; ctx->h[5] = sha224_h0[5];
746 ctx->h[6] = sha224_h0[6]; ctx->h[7] = sha224_h0[7];
747 #endif /* !UNROLL_LOOPS */
748
749 ctx->len = 0;
750 ctx->tot_len = 0;
751 }
752
sha224_update(sha224_ctx * ctx,const unsigned char * message,unsigned int len)753 void sha224_update(sha224_ctx *ctx, const unsigned char *message,
754 unsigned int len)
755 {
756 unsigned int block_nb;
757 unsigned int new_len, rem_len, tmp_len;
758 const unsigned char *shifted_message;
759
760 tmp_len = SHA224_BLOCK_SIZE - ctx->len;
761 rem_len = len < tmp_len ? len : tmp_len;
762
763 memcpy(&ctx->block[ctx->len], message, rem_len);
764
765 if (ctx->len + len < SHA224_BLOCK_SIZE) {
766 ctx->len += len;
767 return;
768 }
769
770 new_len = len - rem_len;
771 block_nb = new_len / SHA224_BLOCK_SIZE;
772
773 shifted_message = message + rem_len;
774
775 sha256_transf(ctx, ctx->block, 1);
776 sha256_transf(ctx, shifted_message, block_nb);
777
778 rem_len = new_len % SHA224_BLOCK_SIZE;
779
780 memcpy(ctx->block, &shifted_message[block_nb << 6],
781 rem_len);
782
783 ctx->len = rem_len;
784 ctx->tot_len += (block_nb + 1) << 6;
785 }
786
sha224_final(sha224_ctx * ctx,unsigned char * digest)787 void sha224_final(sha224_ctx *ctx, unsigned char *digest)
788 {
789 unsigned int block_nb;
790 unsigned int pm_len;
791 unsigned int len_b;
792
793 #ifndef UNROLL_LOOPS
794 int i;
795 #endif
796
797 block_nb = (1 + ((SHA224_BLOCK_SIZE - 9)
798 < (ctx->len % SHA224_BLOCK_SIZE)));
799
800 len_b = (ctx->tot_len + ctx->len) << 3;
801 pm_len = block_nb << 6;
802
803 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
804 ctx->block[ctx->len] = 0x80;
805 UNPACK32(len_b, ctx->block + pm_len - 4);
806
807 sha256_transf(ctx, ctx->block, block_nb);
808
809 #ifndef UNROLL_LOOPS
810 for (i = 0 ; i < 7; i++) {
811 UNPACK32(ctx->h[i], &digest[i << 2]);
812 }
813 #else
814 UNPACK32(ctx->h[0], &digest[ 0]);
815 UNPACK32(ctx->h[1], &digest[ 4]);
816 UNPACK32(ctx->h[2], &digest[ 8]);
817 UNPACK32(ctx->h[3], &digest[12]);
818 UNPACK32(ctx->h[4], &digest[16]);
819 UNPACK32(ctx->h[5], &digest[20]);
820 UNPACK32(ctx->h[6], &digest[24]);
821 #endif /* !UNROLL_LOOPS */
822 }
823
824 #ifdef TEST_VECTORS
825
826 /* FIPS 180-2 Validation tests */
827
828 #include <stdio.h>
829 #include <stdlib.h>
830
test(const unsigned char * vector,unsigned char * digest,unsigned int digest_size)831 void test(const unsigned char *vector, unsigned char *digest,
832 unsigned int digest_size)
833 {
834 unsigned char output[2 * SHA512_DIGEST_SIZE + 1];
835 int i;
836
837 output[2 * digest_size] = '\0';
838
839 for (i = 0; i < (int) digest_size ; i++) {
840 sprintf((char *) output + 2 * i, "%02x", digest[i]);
841 }
842
843 printf("H: %s\n", output);
844 if (strcmp((char *) vector, (char *) output)) {
845 fprintf(stderr, "Test failed.\n");
846 exit(EXIT_FAILURE);
847 }
848 }
849
main()850 int main()
851 {
852 static const unsigned char *vectors[4][3] =
853 { /* SHA-224 */
854 {
855 "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7",
856 "75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525",
857 "20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67",
858 },
859 /* SHA-256 */
860 {
861 "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
862 "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1",
863 "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0",
864 },
865 /* SHA-384 */
866 {
867 "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
868 "8086072ba1e7cc2358baeca134c825a7",
869 "09330c33f71147e83d192fc782cd1b4753111b173b3b05d22fa08086e3b0f712"
870 "fcc7c71a557e2db966c3e9fa91746039",
871 "9d0e1809716474cb086e834e310a4a1ced149e9c00f248527972cec5704c2a5b"
872 "07b8b3dc38ecc4ebae97ddd87f3d8985",
873 },
874 /* SHA-512 */
875 {
876 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
877 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
878 "8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018"
879 "501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909",
880 "e718483d0ce769644e2e42c7bc15b4638e1f98b13b2044285632a803afa973eb"
881 "de0ff244877ea60a4cb0432ce577c31beb009c5c2c49aa2e4eadb217ad8cc09b"
882 }
883 };
884
885 static const unsigned char message1[] = "abc";
886 static const unsigned char message2a[] = "abcdbcdecdefdefgefghfghighijhi"
887 "jkijkljklmklmnlmnomnopnopq";
888 static const unsigned char message2b[] =
889 "abcdefghbcdefghicdefghijdefghijkefghij"
890 "klfghijklmghijklmnhijklmnoijklmnopjklm"
891 "nopqklmnopqrlmnopqrsmnopqrstnopqrstu";
892 unsigned char *message3;
893 unsigned int message3_len = 1000000;
894 unsigned char digest[SHA512_DIGEST_SIZE];
895
896 message3 = malloc(message3_len);
897 if (message3 == NULL) {
898 fprintf(stderr, "Can't allocate memory\n");
899 return -1;
900 }
901 memset(message3, 'a', message3_len);
902
903 printf("SHA-2 FIPS 180-2 Validation tests\n\n");
904 printf("SHA-224 Test vectors\n");
905
906 sha224(message1, strlen((char *) message1), digest);
907 test(vectors[0][0], digest, SHA224_DIGEST_SIZE);
908 sha224(message2a, strlen((char *) message2a), digest);
909 test(vectors[0][1], digest, SHA224_DIGEST_SIZE);
910 sha224(message3, message3_len, digest);
911 test(vectors[0][2], digest, SHA224_DIGEST_SIZE);
912 printf("\n");
913
914 printf("SHA-256 Test vectors\n");
915
916 sha256(message1, strlen((char *) message1), digest);
917 test(vectors[1][0], digest, SHA256_DIGEST_SIZE);
918 sha256(message2a, strlen((char *) message2a), digest);
919 test(vectors[1][1], digest, SHA256_DIGEST_SIZE);
920 sha256(message3, message3_len, digest);
921 test(vectors[1][2], digest, SHA256_DIGEST_SIZE);
922 printf("\n");
923
924 printf("SHA-384 Test vectors\n");
925
926 sha384(message1, strlen((char *) message1), digest);
927 test(vectors[2][0], digest, SHA384_DIGEST_SIZE);
928 sha384(message2b, strlen((char *) message2b), digest);
929 test(vectors[2][1], digest, SHA384_DIGEST_SIZE);
930 sha384(message3, message3_len, digest);
931 test(vectors[2][2], digest, SHA384_DIGEST_SIZE);
932 printf("\n");
933
934 printf("SHA-512 Test vectors\n");
935
936 sha512(message1, strlen((char *) message1), digest);
937 test(vectors[3][0], digest, SHA512_DIGEST_SIZE);
938 sha512(message2b, strlen((char *) message2b), digest);
939 test(vectors[3][1], digest, SHA512_DIGEST_SIZE);
940 sha512(message3, message3_len, digest);
941 test(vectors[3][2], digest, SHA512_DIGEST_SIZE);
942 printf("\n");
943
944 printf("All tests passed.\n");
945
946 return 0;
947 }
948
949 #endif /* TEST_VECTORS */
950
951