1 /*------------------------------------------------------------------------- 2 * 3 * sha2.c 4 * Set of SHA functions for SHA-224, SHA-256, SHA-384 and SHA-512. 5 * 6 * This is the set of in-core functions used when there are no other 7 * alternative options like OpenSSL. 8 * 9 * Portions Copyright (c) 2016-2020, PostgreSQL Global Development Group 10 * 11 * IDENTIFICATION 12 * src/common/sha2.c 13 * 14 *------------------------------------------------------------------------- 15 */ 16 17 /* $OpenBSD: sha2.c,v 1.6 2004/05/03 02:57:36 millert Exp $ */ 18 /* 19 * FILE: sha2.c 20 * AUTHOR: Aaron D. Gifford <me@aarongifford.com> 21 * 22 * Copyright (c) 2000-2001, Aaron D. Gifford 23 * All rights reserved. 24 * 25 * Redistribution and use in source and binary forms, with or without 26 * modification, are permitted provided that the following conditions 27 * are met: 28 * 1. Redistributions of source code must retain the above copyright 29 * notice, this list of conditions and the following disclaimer. 30 * 2. Redistributions in binary form must reproduce the above copyright 31 * notice, this list of conditions and the following disclaimer in the 32 * documentation and/or other materials provided with the distribution. 33 * 3. Neither the name of the copyright holder nor the names of contributors 34 * may be used to endorse or promote products derived from this software 35 * without specific prior written permission. 36 * 37 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND 38 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 39 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 40 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE 41 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 42 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 43 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 45 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 46 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 47 * SUCH DAMAGE. 48 * 49 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ 50 */ 51 52 53 #ifndef FRONTEND 54 #include "postgres.h" 55 #else 56 #include "postgres_fe.h" 57 #endif 58 59 #include <sys/param.h> 60 61 #include "common/sha2.h" 62 63 /* 64 * UNROLLED TRANSFORM LOOP NOTE: 65 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform 66 * loop version for the hash transform rounds (defined using macros 67 * later in this file). Either define on the command line, for example: 68 * 69 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c 70 * 71 * or define below: 72 * 73 * #define SHA2_UNROLL_TRANSFORM 74 * 75 */ 76 77 /*** SHA-256/384/512 Various Length Definitions ***********************/ 78 #define PG_SHA256_SHORT_BLOCK_LENGTH (PG_SHA256_BLOCK_LENGTH - 8) 79 #define PG_SHA384_SHORT_BLOCK_LENGTH (PG_SHA384_BLOCK_LENGTH - 16) 80 #define PG_SHA512_SHORT_BLOCK_LENGTH (PG_SHA512_BLOCK_LENGTH - 16) 81 82 /*** ENDIAN REVERSAL MACROS *******************************************/ 83 #ifndef WORDS_BIGENDIAN 84 #define REVERSE32(w,x) { \ 85 uint32 tmp = (w); \ 86 tmp = (tmp >> 16) | (tmp << 16); \ 87 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \ 88 } 89 #define REVERSE64(w,x) { \ 90 uint64 tmp = (w); \ 91 tmp = (tmp >> 32) | (tmp << 32); \ 92 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \ 93 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \ 94 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \ 95 ((tmp & 0x0000ffff0000ffffULL) << 16); \ 96 } 97 #endif /* not bigendian */ 98 99 /* 100 * Macro for incrementally adding the unsigned 64-bit integer n to the 101 * unsigned 128-bit integer (represented using a two-element array of 102 * 64-bit words): 103 */ 104 #define ADDINC128(w,n) { \ 105 (w)[0] += (uint64)(n); \ 106 if ((w)[0] < (n)) { \ 107 (w)[1]++; \ 108 } \ 109 } 110 111 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 112 /* 113 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 114 * 115 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 116 * S is a ROTATION) because the SHA-256/384/512 description document 117 * (see http://www.iwar.org.uk/comsec/resources/cipher/sha256-384-512.pdf) 118 * uses this same "backwards" definition. 119 */ 120 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 121 #define R(b,x) ((x) >> (b)) 122 /* 32-bit Rotate-right (used in SHA-256): */ 123 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 124 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 125 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 126 127 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 128 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 129 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 130 131 /* Four of six logical functions used in SHA-256: */ 132 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 133 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 134 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 135 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 136 137 /* Four of six logical functions used in SHA-384 and SHA-512: */ 138 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 139 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 140 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 141 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 142 143 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 144 /* NOTE: These should not be accessed directly from outside this 145 * library -- they are intended for private internal visibility/use 146 * only. 147 */ 148 static void SHA512_Last(pg_sha512_ctx *context); 149 static void SHA256_Transform(pg_sha256_ctx *context, const uint8 *data); 150 static void SHA512_Transform(pg_sha512_ctx *context, const uint8 *data); 151 152 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 153 /* Hash constant words K for SHA-256: */ 154 static const uint32 K256[64] = { 155 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 156 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 157 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 158 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 159 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 160 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 161 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 162 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 163 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 164 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 165 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 166 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 167 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 168 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 169 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 170 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 171 }; 172 173 /* Initial hash value H for SHA-224: */ 174 static const uint32 sha224_initial_hash_value[8] = { 175 0xc1059ed8UL, 176 0x367cd507UL, 177 0x3070dd17UL, 178 0xf70e5939UL, 179 0xffc00b31UL, 180 0x68581511UL, 181 0x64f98fa7UL, 182 0xbefa4fa4UL 183 }; 184 185 /* Initial hash value H for SHA-256: */ 186 static const uint32 sha256_initial_hash_value[8] = { 187 0x6a09e667UL, 188 0xbb67ae85UL, 189 0x3c6ef372UL, 190 0xa54ff53aUL, 191 0x510e527fUL, 192 0x9b05688cUL, 193 0x1f83d9abUL, 194 0x5be0cd19UL 195 }; 196 197 /* Hash constant words K for SHA-384 and SHA-512: */ 198 static const uint64 K512[80] = { 199 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 200 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 201 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 202 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 203 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 204 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 205 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 206 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 207 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 208 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 209 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 210 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 211 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 212 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 213 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 214 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 215 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 216 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 217 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 218 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 219 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 220 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 221 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 222 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 223 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 224 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 225 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 226 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 227 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 228 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 229 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 230 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 231 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 232 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 233 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 234 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 235 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 236 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 237 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 238 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 239 }; 240 241 /* Initial hash value H for SHA-384 */ 242 static const uint64 sha384_initial_hash_value[8] = { 243 0xcbbb9d5dc1059ed8ULL, 244 0x629a292a367cd507ULL, 245 0x9159015a3070dd17ULL, 246 0x152fecd8f70e5939ULL, 247 0x67332667ffc00b31ULL, 248 0x8eb44a8768581511ULL, 249 0xdb0c2e0d64f98fa7ULL, 250 0x47b5481dbefa4fa4ULL 251 }; 252 253 /* Initial hash value H for SHA-512 */ 254 static const uint64 sha512_initial_hash_value[8] = { 255 0x6a09e667f3bcc908ULL, 256 0xbb67ae8584caa73bULL, 257 0x3c6ef372fe94f82bULL, 258 0xa54ff53a5f1d36f1ULL, 259 0x510e527fade682d1ULL, 260 0x9b05688c2b3e6c1fULL, 261 0x1f83d9abfb41bd6bULL, 262 0x5be0cd19137e2179ULL 263 }; 264 265 266 /*** SHA-256: *********************************************************/ 267 void 268 pg_sha256_init(pg_sha256_ctx *context) 269 { 270 if (context == NULL) 271 return; 272 memcpy(context->state, sha256_initial_hash_value, PG_SHA256_DIGEST_LENGTH); 273 memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH); 274 context->bitcount = 0; 275 } 276 277 #ifdef SHA2_UNROLL_TRANSFORM 278 279 /* Unrolled SHA-256 round macros: */ 280 281 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \ 282 W256[j] = (uint32)data[3] | ((uint32)data[2] << 8) | \ 283 ((uint32)data[1] << 16) | ((uint32)data[0] << 24); \ 284 data += 4; \ 285 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \ 286 (d) += T1; \ 287 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ 288 j++; \ 289 } while(0) 290 291 #define ROUND256(a,b,c,d,e,f,g,h) do { \ 292 s0 = W256[(j+1)&0x0f]; \ 293 s0 = sigma0_256(s0); \ 294 s1 = W256[(j+14)&0x0f]; \ 295 s1 = sigma1_256(s1); \ 296 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \ 297 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 298 (d) += T1; \ 299 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ 300 j++; \ 301 } while(0) 302 303 static void 304 SHA256_Transform(pg_sha256_ctx *context, const uint8 *data) 305 { 306 uint32 a, 307 b, 308 c, 309 d, 310 e, 311 f, 312 g, 313 h, 314 s0, 315 s1; 316 uint32 T1, 317 *W256; 318 int j; 319 320 W256 = (uint32 *) context->buffer; 321 322 /* Initialize registers with the prev. intermediate value */ 323 a = context->state[0]; 324 b = context->state[1]; 325 c = context->state[2]; 326 d = context->state[3]; 327 e = context->state[4]; 328 f = context->state[5]; 329 g = context->state[6]; 330 h = context->state[7]; 331 332 j = 0; 333 do 334 { 335 /* Rounds 0 to 15 (unrolled): */ 336 ROUND256_0_TO_15(a, b, c, d, e, f, g, h); 337 ROUND256_0_TO_15(h, a, b, c, d, e, f, g); 338 ROUND256_0_TO_15(g, h, a, b, c, d, e, f); 339 ROUND256_0_TO_15(f, g, h, a, b, c, d, e); 340 ROUND256_0_TO_15(e, f, g, h, a, b, c, d); 341 ROUND256_0_TO_15(d, e, f, g, h, a, b, c); 342 ROUND256_0_TO_15(c, d, e, f, g, h, a, b); 343 ROUND256_0_TO_15(b, c, d, e, f, g, h, a); 344 } while (j < 16); 345 346 /* Now for the remaining rounds to 64: */ 347 do 348 { 349 ROUND256(a, b, c, d, e, f, g, h); 350 ROUND256(h, a, b, c, d, e, f, g); 351 ROUND256(g, h, a, b, c, d, e, f); 352 ROUND256(f, g, h, a, b, c, d, e); 353 ROUND256(e, f, g, h, a, b, c, d); 354 ROUND256(d, e, f, g, h, a, b, c); 355 ROUND256(c, d, e, f, g, h, a, b); 356 ROUND256(b, c, d, e, f, g, h, a); 357 } while (j < 64); 358 359 /* Compute the current intermediate hash value */ 360 context->state[0] += a; 361 context->state[1] += b; 362 context->state[2] += c; 363 context->state[3] += d; 364 context->state[4] += e; 365 context->state[5] += f; 366 context->state[6] += g; 367 context->state[7] += h; 368 369 /* Clean up */ 370 a = b = c = d = e = f = g = h = T1 = 0; 371 } 372 #else /* SHA2_UNROLL_TRANSFORM */ 373 374 static void 375 SHA256_Transform(pg_sha256_ctx *context, const uint8 *data) 376 { 377 uint32 a, 378 b, 379 c, 380 d, 381 e, 382 f, 383 g, 384 h, 385 s0, 386 s1; 387 uint32 T1, 388 T2, 389 *W256; 390 int j; 391 392 W256 = (uint32 *) context->buffer; 393 394 /* Initialize registers with the prev. intermediate value */ 395 a = context->state[0]; 396 b = context->state[1]; 397 c = context->state[2]; 398 d = context->state[3]; 399 e = context->state[4]; 400 f = context->state[5]; 401 g = context->state[6]; 402 h = context->state[7]; 403 404 j = 0; 405 do 406 { 407 W256[j] = (uint32) data[3] | ((uint32) data[2] << 8) | 408 ((uint32) data[1] << 16) | ((uint32) data[0] << 24); 409 data += 4; 410 /* Apply the SHA-256 compression function to update a..h */ 411 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 412 T2 = Sigma0_256(a) + Maj(a, b, c); 413 h = g; 414 g = f; 415 f = e; 416 e = d + T1; 417 d = c; 418 c = b; 419 b = a; 420 a = T1 + T2; 421 422 j++; 423 } while (j < 16); 424 425 do 426 { 427 /* Part of the message block expansion: */ 428 s0 = W256[(j + 1) & 0x0f]; 429 s0 = sigma0_256(s0); 430 s1 = W256[(j + 14) & 0x0f]; 431 s1 = sigma1_256(s1); 432 433 /* Apply the SHA-256 compression function to update a..h */ 434 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 435 (W256[j & 0x0f] += s1 + W256[(j + 9) & 0x0f] + s0); 436 T2 = Sigma0_256(a) + Maj(a, b, c); 437 h = g; 438 g = f; 439 f = e; 440 e = d + T1; 441 d = c; 442 c = b; 443 b = a; 444 a = T1 + T2; 445 446 j++; 447 } while (j < 64); 448 449 /* Compute the current intermediate hash value */ 450 context->state[0] += a; 451 context->state[1] += b; 452 context->state[2] += c; 453 context->state[3] += d; 454 context->state[4] += e; 455 context->state[5] += f; 456 context->state[6] += g; 457 context->state[7] += h; 458 459 /* Clean up */ 460 a = b = c = d = e = f = g = h = T1 = T2 = 0; 461 } 462 #endif /* SHA2_UNROLL_TRANSFORM */ 463 464 void 465 pg_sha256_update(pg_sha256_ctx *context, const uint8 *data, size_t len) 466 { 467 size_t freespace, 468 usedspace; 469 470 /* Calling with no data is valid (we do nothing) */ 471 if (len == 0) 472 return; 473 474 usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH; 475 if (usedspace > 0) 476 { 477 /* Calculate how much free space is available in the buffer */ 478 freespace = PG_SHA256_BLOCK_LENGTH - usedspace; 479 480 if (len >= freespace) 481 { 482 /* Fill the buffer completely and process it */ 483 memcpy(&context->buffer[usedspace], data, freespace); 484 context->bitcount += freespace << 3; 485 len -= freespace; 486 data += freespace; 487 SHA256_Transform(context, context->buffer); 488 } 489 else 490 { 491 /* The buffer is not yet full */ 492 memcpy(&context->buffer[usedspace], data, len); 493 context->bitcount += len << 3; 494 /* Clean up: */ 495 usedspace = freespace = 0; 496 return; 497 } 498 } 499 while (len >= PG_SHA256_BLOCK_LENGTH) 500 { 501 /* Process as many complete blocks as we can */ 502 SHA256_Transform(context, data); 503 context->bitcount += PG_SHA256_BLOCK_LENGTH << 3; 504 len -= PG_SHA256_BLOCK_LENGTH; 505 data += PG_SHA256_BLOCK_LENGTH; 506 } 507 if (len > 0) 508 { 509 /* There's left-overs, so save 'em */ 510 memcpy(context->buffer, data, len); 511 context->bitcount += len << 3; 512 } 513 /* Clean up: */ 514 usedspace = freespace = 0; 515 } 516 517 static void 518 SHA256_Last(pg_sha256_ctx *context) 519 { 520 unsigned int usedspace; 521 522 usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH; 523 #ifndef WORDS_BIGENDIAN 524 /* Convert FROM host byte order */ 525 REVERSE64(context->bitcount, context->bitcount); 526 #endif 527 if (usedspace > 0) 528 { 529 /* Begin padding with a 1 bit: */ 530 context->buffer[usedspace++] = 0x80; 531 532 if (usedspace <= PG_SHA256_SHORT_BLOCK_LENGTH) 533 { 534 /* Set-up for the last transform: */ 535 memset(&context->buffer[usedspace], 0, PG_SHA256_SHORT_BLOCK_LENGTH - usedspace); 536 } 537 else 538 { 539 if (usedspace < PG_SHA256_BLOCK_LENGTH) 540 { 541 memset(&context->buffer[usedspace], 0, PG_SHA256_BLOCK_LENGTH - usedspace); 542 } 543 /* Do second-to-last transform: */ 544 SHA256_Transform(context, context->buffer); 545 546 /* And set-up for the last transform: */ 547 memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH); 548 } 549 } 550 else 551 { 552 /* Set-up for the last transform: */ 553 memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH); 554 555 /* Begin padding with a 1 bit: */ 556 *context->buffer = 0x80; 557 } 558 /* Set the bit count: */ 559 *(uint64 *) &context->buffer[PG_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount; 560 561 /* Final transform: */ 562 SHA256_Transform(context, context->buffer); 563 } 564 565 void 566 pg_sha256_final(pg_sha256_ctx *context, uint8 *digest) 567 { 568 /* If no digest buffer is passed, we don't bother doing this: */ 569 if (digest != NULL) 570 { 571 SHA256_Last(context); 572 573 #ifndef WORDS_BIGENDIAN 574 { 575 /* Convert TO host byte order */ 576 int j; 577 578 for (j = 0; j < 8; j++) 579 { 580 REVERSE32(context->state[j], context->state[j]); 581 } 582 } 583 #endif 584 memcpy(digest, context->state, PG_SHA256_DIGEST_LENGTH); 585 } 586 587 /* Clean up state data: */ 588 memset(context, 0, sizeof(pg_sha256_ctx)); 589 } 590 591 592 /*** SHA-512: *********************************************************/ 593 void 594 pg_sha512_init(pg_sha512_ctx *context) 595 { 596 if (context == NULL) 597 return; 598 memcpy(context->state, sha512_initial_hash_value, PG_SHA512_DIGEST_LENGTH); 599 memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH); 600 context->bitcount[0] = context->bitcount[1] = 0; 601 } 602 603 #ifdef SHA2_UNROLL_TRANSFORM 604 605 /* Unrolled SHA-512 round macros: */ 606 607 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \ 608 W512[j] = (uint64)data[7] | ((uint64)data[6] << 8) | \ 609 ((uint64)data[5] << 16) | ((uint64)data[4] << 24) | \ 610 ((uint64)data[3] << 32) | ((uint64)data[2] << 40) | \ 611 ((uint64)data[1] << 48) | ((uint64)data[0] << 56); \ 612 data += 8; \ 613 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \ 614 (d) += T1; \ 615 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ 616 j++; \ 617 } while(0) 618 619 620 #define ROUND512(a,b,c,d,e,f,g,h) do { \ 621 s0 = W512[(j+1)&0x0f]; \ 622 s0 = sigma0_512(s0); \ 623 s1 = W512[(j+14)&0x0f]; \ 624 s1 = sigma1_512(s1); \ 625 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \ 626 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 627 (d) += T1; \ 628 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ 629 j++; \ 630 } while(0) 631 632 static void 633 SHA512_Transform(pg_sha512_ctx *context, const uint8 *data) 634 { 635 uint64 a, 636 b, 637 c, 638 d, 639 e, 640 f, 641 g, 642 h, 643 s0, 644 s1; 645 uint64 T1, 646 *W512 = (uint64 *) context->buffer; 647 int j; 648 649 /* Initialize registers with the prev. intermediate value */ 650 a = context->state[0]; 651 b = context->state[1]; 652 c = context->state[2]; 653 d = context->state[3]; 654 e = context->state[4]; 655 f = context->state[5]; 656 g = context->state[6]; 657 h = context->state[7]; 658 659 j = 0; 660 do 661 { 662 ROUND512_0_TO_15(a, b, c, d, e, f, g, h); 663 ROUND512_0_TO_15(h, a, b, c, d, e, f, g); 664 ROUND512_0_TO_15(g, h, a, b, c, d, e, f); 665 ROUND512_0_TO_15(f, g, h, a, b, c, d, e); 666 ROUND512_0_TO_15(e, f, g, h, a, b, c, d); 667 ROUND512_0_TO_15(d, e, f, g, h, a, b, c); 668 ROUND512_0_TO_15(c, d, e, f, g, h, a, b); 669 ROUND512_0_TO_15(b, c, d, e, f, g, h, a); 670 } while (j < 16); 671 672 /* Now for the remaining rounds up to 79: */ 673 do 674 { 675 ROUND512(a, b, c, d, e, f, g, h); 676 ROUND512(h, a, b, c, d, e, f, g); 677 ROUND512(g, h, a, b, c, d, e, f); 678 ROUND512(f, g, h, a, b, c, d, e); 679 ROUND512(e, f, g, h, a, b, c, d); 680 ROUND512(d, e, f, g, h, a, b, c); 681 ROUND512(c, d, e, f, g, h, a, b); 682 ROUND512(b, c, d, e, f, g, h, a); 683 } while (j < 80); 684 685 /* Compute the current intermediate hash value */ 686 context->state[0] += a; 687 context->state[1] += b; 688 context->state[2] += c; 689 context->state[3] += d; 690 context->state[4] += e; 691 context->state[5] += f; 692 context->state[6] += g; 693 context->state[7] += h; 694 695 /* Clean up */ 696 a = b = c = d = e = f = g = h = T1 = 0; 697 } 698 #else /* SHA2_UNROLL_TRANSFORM */ 699 700 static void 701 SHA512_Transform(pg_sha512_ctx *context, const uint8 *data) 702 { 703 uint64 a, 704 b, 705 c, 706 d, 707 e, 708 f, 709 g, 710 h, 711 s0, 712 s1; 713 uint64 T1, 714 T2, 715 *W512 = (uint64 *) context->buffer; 716 int j; 717 718 /* Initialize registers with the prev. intermediate value */ 719 a = context->state[0]; 720 b = context->state[1]; 721 c = context->state[2]; 722 d = context->state[3]; 723 e = context->state[4]; 724 f = context->state[5]; 725 g = context->state[6]; 726 h = context->state[7]; 727 728 j = 0; 729 do 730 { 731 W512[j] = (uint64) data[7] | ((uint64) data[6] << 8) | 732 ((uint64) data[5] << 16) | ((uint64) data[4] << 24) | 733 ((uint64) data[3] << 32) | ((uint64) data[2] << 40) | 734 ((uint64) data[1] << 48) | ((uint64) data[0] << 56); 735 data += 8; 736 /* Apply the SHA-512 compression function to update a..h */ 737 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 738 T2 = Sigma0_512(a) + Maj(a, b, c); 739 h = g; 740 g = f; 741 f = e; 742 e = d + T1; 743 d = c; 744 c = b; 745 b = a; 746 a = T1 + T2; 747 748 j++; 749 } while (j < 16); 750 751 do 752 { 753 /* Part of the message block expansion: */ 754 s0 = W512[(j + 1) & 0x0f]; 755 s0 = sigma0_512(s0); 756 s1 = W512[(j + 14) & 0x0f]; 757 s1 = sigma1_512(s1); 758 759 /* Apply the SHA-512 compression function to update a..h */ 760 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 761 (W512[j & 0x0f] += s1 + W512[(j + 9) & 0x0f] + s0); 762 T2 = Sigma0_512(a) + Maj(a, b, c); 763 h = g; 764 g = f; 765 f = e; 766 e = d + T1; 767 d = c; 768 c = b; 769 b = a; 770 a = T1 + T2; 771 772 j++; 773 } while (j < 80); 774 775 /* Compute the current intermediate hash value */ 776 context->state[0] += a; 777 context->state[1] += b; 778 context->state[2] += c; 779 context->state[3] += d; 780 context->state[4] += e; 781 context->state[5] += f; 782 context->state[6] += g; 783 context->state[7] += h; 784 785 /* Clean up */ 786 a = b = c = d = e = f = g = h = T1 = T2 = 0; 787 } 788 #endif /* SHA2_UNROLL_TRANSFORM */ 789 790 void 791 pg_sha512_update(pg_sha512_ctx *context, const uint8 *data, size_t len) 792 { 793 size_t freespace, 794 usedspace; 795 796 /* Calling with no data is valid (we do nothing) */ 797 if (len == 0) 798 return; 799 800 usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH; 801 if (usedspace > 0) 802 { 803 /* Calculate how much free space is available in the buffer */ 804 freespace = PG_SHA512_BLOCK_LENGTH - usedspace; 805 806 if (len >= freespace) 807 { 808 /* Fill the buffer completely and process it */ 809 memcpy(&context->buffer[usedspace], data, freespace); 810 ADDINC128(context->bitcount, freespace << 3); 811 len -= freespace; 812 data += freespace; 813 SHA512_Transform(context, context->buffer); 814 } 815 else 816 { 817 /* The buffer is not yet full */ 818 memcpy(&context->buffer[usedspace], data, len); 819 ADDINC128(context->bitcount, len << 3); 820 /* Clean up: */ 821 usedspace = freespace = 0; 822 return; 823 } 824 } 825 while (len >= PG_SHA512_BLOCK_LENGTH) 826 { 827 /* Process as many complete blocks as we can */ 828 SHA512_Transform(context, data); 829 ADDINC128(context->bitcount, PG_SHA512_BLOCK_LENGTH << 3); 830 len -= PG_SHA512_BLOCK_LENGTH; 831 data += PG_SHA512_BLOCK_LENGTH; 832 } 833 if (len > 0) 834 { 835 /* There's left-overs, so save 'em */ 836 memcpy(context->buffer, data, len); 837 ADDINC128(context->bitcount, len << 3); 838 } 839 /* Clean up: */ 840 usedspace = freespace = 0; 841 } 842 843 static void 844 SHA512_Last(pg_sha512_ctx *context) 845 { 846 unsigned int usedspace; 847 848 usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH; 849 #ifndef WORDS_BIGENDIAN 850 /* Convert FROM host byte order */ 851 REVERSE64(context->bitcount[0], context->bitcount[0]); 852 REVERSE64(context->bitcount[1], context->bitcount[1]); 853 #endif 854 if (usedspace > 0) 855 { 856 /* Begin padding with a 1 bit: */ 857 context->buffer[usedspace++] = 0x80; 858 859 if (usedspace <= PG_SHA512_SHORT_BLOCK_LENGTH) 860 { 861 /* Set-up for the last transform: */ 862 memset(&context->buffer[usedspace], 0, PG_SHA512_SHORT_BLOCK_LENGTH - usedspace); 863 } 864 else 865 { 866 if (usedspace < PG_SHA512_BLOCK_LENGTH) 867 { 868 memset(&context->buffer[usedspace], 0, PG_SHA512_BLOCK_LENGTH - usedspace); 869 } 870 /* Do second-to-last transform: */ 871 SHA512_Transform(context, context->buffer); 872 873 /* And set-up for the last transform: */ 874 memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH - 2); 875 } 876 } 877 else 878 { 879 /* Prepare for final transform: */ 880 memset(context->buffer, 0, PG_SHA512_SHORT_BLOCK_LENGTH); 881 882 /* Begin padding with a 1 bit: */ 883 *context->buffer = 0x80; 884 } 885 /* Store the length of input data (in bits): */ 886 *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1]; 887 *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH + 8] = context->bitcount[0]; 888 889 /* Final transform: */ 890 SHA512_Transform(context, context->buffer); 891 } 892 893 void 894 pg_sha512_final(pg_sha512_ctx *context, uint8 *digest) 895 { 896 /* If no digest buffer is passed, we don't bother doing this: */ 897 if (digest != NULL) 898 { 899 SHA512_Last(context); 900 901 /* Save the hash data for output: */ 902 #ifndef WORDS_BIGENDIAN 903 { 904 /* Convert TO host byte order */ 905 int j; 906 907 for (j = 0; j < 8; j++) 908 { 909 REVERSE64(context->state[j], context->state[j]); 910 } 911 } 912 #endif 913 memcpy(digest, context->state, PG_SHA512_DIGEST_LENGTH); 914 } 915 916 /* Zero out state data */ 917 memset(context, 0, sizeof(pg_sha512_ctx)); 918 } 919 920 921 /*** SHA-384: *********************************************************/ 922 void 923 pg_sha384_init(pg_sha384_ctx *context) 924 { 925 if (context == NULL) 926 return; 927 memcpy(context->state, sha384_initial_hash_value, PG_SHA512_DIGEST_LENGTH); 928 memset(context->buffer, 0, PG_SHA384_BLOCK_LENGTH); 929 context->bitcount[0] = context->bitcount[1] = 0; 930 } 931 932 void 933 pg_sha384_update(pg_sha384_ctx *context, const uint8 *data, size_t len) 934 { 935 pg_sha512_update((pg_sha512_ctx *) context, data, len); 936 } 937 938 void 939 pg_sha384_final(pg_sha384_ctx *context, uint8 *digest) 940 { 941 /* If no digest buffer is passed, we don't bother doing this: */ 942 if (digest != NULL) 943 { 944 SHA512_Last((pg_sha512_ctx *) context); 945 946 /* Save the hash data for output: */ 947 #ifndef WORDS_BIGENDIAN 948 { 949 /* Convert TO host byte order */ 950 int j; 951 952 for (j = 0; j < 6; j++) 953 { 954 REVERSE64(context->state[j], context->state[j]); 955 } 956 } 957 #endif 958 memcpy(digest, context->state, PG_SHA384_DIGEST_LENGTH); 959 } 960 961 /* Zero out state data */ 962 memset(context, 0, sizeof(pg_sha384_ctx)); 963 } 964 965 /*** SHA-224: *********************************************************/ 966 void 967 pg_sha224_init(pg_sha224_ctx *context) 968 { 969 if (context == NULL) 970 return; 971 memcpy(context->state, sha224_initial_hash_value, PG_SHA256_DIGEST_LENGTH); 972 memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH); 973 context->bitcount = 0; 974 } 975 976 void 977 pg_sha224_update(pg_sha224_ctx *context, const uint8 *data, size_t len) 978 { 979 pg_sha256_update((pg_sha256_ctx *) context, data, len); 980 } 981 982 void 983 pg_sha224_final(pg_sha224_ctx *context, uint8 *digest) 984 { 985 /* If no digest buffer is passed, we don't bother doing this: */ 986 if (digest != NULL) 987 { 988 SHA256_Last(context); 989 990 #ifndef WORDS_BIGENDIAN 991 { 992 /* Convert TO host byte order */ 993 int j; 994 995 for (j = 0; j < 8; j++) 996 { 997 REVERSE32(context->state[j], context->state[j]); 998 } 999 } 1000 #endif 1001 memcpy(digest, context->state, PG_SHA224_DIGEST_LENGTH); 1002 } 1003 1004 /* Clean up state data: */ 1005 memset(context, 0, sizeof(pg_sha224_ctx)); 1006 } 1007