Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / mmc-utils / refs/heads/int/n/fp2 / . / 3rdparty / hmac_sha / sha2.c
blob: 337b414a04c2d53052efbcdde881644bbdf3a6a4 [file] [log] [blame]
Roman Peniaev35c31fe2014-07-21 21:53:44 +0900[diff] [blame]1/*
2 * FIPS 180-2 SHA-224/256/384/512 implementation
3 * Last update: 02/02/2007
4 * Issue date: 04/30/2005
5 *
6 * Since this code has been incorporated into a GPLv2 project, it is
7 * distributed under GPLv2 inside mmc-utils. The original BSD license
8 * that the code was released under is included below for clarity.
9 *
10 * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
11 * All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. Neither the name of the project nor the names of its contributors
22 * may be used to endorse or promote products derived from this software
23 * without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 */
37
38#if 0
39#define UNROLL_LOOPS /* Enable loops unrolling */
40#endif
41
42#include <string.h>
43
44#include "sha2.h"
45
46#define SHFR(x, n) (x >> n)
47#define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n)))
48#define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n)))
49#define CH(x, y, z) ((x & y) ^ (~x & z))
50#define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
51
52#define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
53#define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
54#define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3))
55#define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
56
57#define SHA512_F1(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
58#define SHA512_F2(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
59#define SHA512_F3(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHFR(x, 7))
60#define SHA512_F4(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHFR(x, 6))
61
62#define UNPACK32(x, str) \
63{ \
64 *((str) + 3) = (uint8) ((x) ); \
65 *((str) + 2) = (uint8) ((x) >> 8); \
66 *((str) + 1) = (uint8) ((x) >> 16); \
67 *((str) + 0) = (uint8) ((x) >> 24); \
68}
69
70#define PACK32(str, x) \
71{ \
72 *(x) = ((uint32) *((str) + 3) ) \
73 | ((uint32) *((str) + 2) << 8) \
74 | ((uint32) *((str) + 1) << 16) \
75 | ((uint32) *((str) + 0) << 24); \
76}
77
78#define UNPACK64(x, str) \
79{ \
80 *((str) + 7) = (uint8) ((x) ); \
81 *((str) + 6) = (uint8) ((x) >> 8); \
82 *((str) + 5) = (uint8) ((x) >> 16); \
83 *((str) + 4) = (uint8) ((x) >> 24); \
84 *((str) + 3) = (uint8) ((x) >> 32); \
85 *((str) + 2) = (uint8) ((x) >> 40); \
86 *((str) + 1) = (uint8) ((x) >> 48); \
87 *((str) + 0) = (uint8) ((x) >> 56); \
88}
89
90#define PACK64(str, x) \
91{ \
92 *(x) = ((uint64) *((str) + 7) ) \
93 | ((uint64) *((str) + 6) << 8) \
94 | ((uint64) *((str) + 5) << 16) \
95 | ((uint64) *((str) + 4) << 24) \
96 | ((uint64) *((str) + 3) << 32) \
97 | ((uint64) *((str) + 2) << 40) \
98 | ((uint64) *((str) + 1) << 48) \
99 | ((uint64) *((str) + 0) << 56); \
100}
101
102/* Macros used for loops unrolling */
103
104#define SHA256_SCR(i) \
105{ \
106 w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \
107 + SHA256_F3(w[i - 15]) + w[i - 16]; \
108}
109
110#define SHA512_SCR(i) \
111{ \
112 w[i] = SHA512_F4(w[i - 2]) + w[i - 7] \
113 + SHA512_F3(w[i - 15]) + w[i - 16]; \
114}
115
116#define SHA256_EXP(a, b, c, d, e, f, g, h, j) \
117{ \
118 t1 = wv[h] + SHA256_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
119 + sha256_k[j] + w[j]; \
120 t2 = SHA256_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
121 wv[d] += t1; \
122 wv[h] = t1 + t2; \
123}
124
125#define SHA512_EXP(a, b, c, d, e, f, g ,h, j) \
126{ \
127 t1 = wv[h] + SHA512_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
128 + sha512_k[j] + w[j]; \
129 t2 = SHA512_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
130 wv[d] += t1; \
131 wv[h] = t1 + t2; \
132}
133
134uint32 sha224_h0[8] =
135 {0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
136 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4};
137
138uint32 sha256_h0[8] =
139 {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
140 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
141
142uint64 sha384_h0[8] =
143 {0xcbbb9d5dc1059ed8ULL, 0x629a292a367cd507ULL,
144 0x9159015a3070dd17ULL, 0x152fecd8f70e5939ULL,
145 0x67332667ffc00b31ULL, 0x8eb44a8768581511ULL,
146 0xdb0c2e0d64f98fa7ULL, 0x47b5481dbefa4fa4ULL};
147
148uint64 sha512_h0[8] =
149 {0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
150 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
151 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
152 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL};
153
154uint32 sha256_k[64] =
155 {0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
156 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
157 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
158 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
159 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
160 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
161 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
162 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
163 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
164 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
165 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
166 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
167 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
168 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
169 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
170 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
171
172uint64 sha512_k[80] =
173 {0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
174 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
175 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
176 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
177 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
178 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
179 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
180 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
181 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
182 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
183 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
184 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
185 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
186 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
187 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
188 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
189 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
190 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
191 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
192 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
193 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
194 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
195 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
196 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
197 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
198 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
199 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
200 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
201 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
202 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
203 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
204 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
205 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
206 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
207 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
208 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
209 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
210 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
211 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
212 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL};
213
214/* SHA-256 functions */
215
216void sha256_transf(sha256_ctx *ctx, const unsigned char *message,
217 unsigned int block_nb)
218{
219 uint32 w[64];
220 uint32 wv[8];
221 uint32 t1, t2;
222 const unsigned char *sub_block;
223 int i;
224
225#ifndef UNROLL_LOOPS
226 int j;
227#endif
228
229 for (i = 0; i < (int) block_nb; i++) {
230 sub_block = message + (i << 6);
231
232#ifndef UNROLL_LOOPS
233 for (j = 0; j < 16; j++) {
234 PACK32(&sub_block[j << 2], &w[j]);
235 }
236
237 for (j = 16; j < 64; j++) {
238 SHA256_SCR(j);
239 }
240
241 for (j = 0; j < 8; j++) {
242 wv[j] = ctx->h[j];
243 }
244
245 for (j = 0; j < 64; j++) {
246 t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
247 + sha256_k[j] + w[j];
248 t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
249 wv[7] = wv[6];
250 wv[6] = wv[5];
251 wv[5] = wv[4];
252 wv[4] = wv[3] + t1;
253 wv[3] = wv[2];
254 wv[2] = wv[1];
255 wv[1] = wv[0];
256 wv[0] = t1 + t2;
257 }
258
259 for (j = 0; j < 8; j++) {
260 ctx->h[j] += wv[j];
261 }
262#else
263 PACK32(&sub_block[ 0], &w[ 0]); PACK32(&sub_block[ 4], &w[ 1]);
264 PACK32(&sub_block[ 8], &w[ 2]); PACK32(&sub_block[12], &w[ 3]);
265 PACK32(&sub_block[16], &w[ 4]); PACK32(&sub_block[20], &w[ 5]);
266 PACK32(&sub_block[24], &w[ 6]); PACK32(&sub_block[28], &w[ 7]);
267 PACK32(&sub_block[32], &w[ 8]); PACK32(&sub_block[36], &w[ 9]);
268 PACK32(&sub_block[40], &w[10]); PACK32(&sub_block[44], &w[11]);
269 PACK32(&sub_block[48], &w[12]); PACK32(&sub_block[52], &w[13]);
270 PACK32(&sub_block[56], &w[14]); PACK32(&sub_block[60], &w[15]);
271
272 SHA256_SCR(16); SHA256_SCR(17); SHA256_SCR(18); SHA256_SCR(19);
273 SHA256_SCR(20); SHA256_SCR(21); SHA256_SCR(22); SHA256_SCR(23);
274 SHA256_SCR(24); SHA256_SCR(25); SHA256_SCR(26); SHA256_SCR(27);
275 SHA256_SCR(28); SHA256_SCR(29); SHA256_SCR(30); SHA256_SCR(31);
276 SHA256_SCR(32); SHA256_SCR(33); SHA256_SCR(34); SHA256_SCR(35);
277 SHA256_SCR(36); SHA256_SCR(37); SHA256_SCR(38); SHA256_SCR(39);
278 SHA256_SCR(40); SHA256_SCR(41); SHA256_SCR(42); SHA256_SCR(43);
279 SHA256_SCR(44); SHA256_SCR(45); SHA256_SCR(46); SHA256_SCR(47);
280 SHA256_SCR(48); SHA256_SCR(49); SHA256_SCR(50); SHA256_SCR(51);
281 SHA256_SCR(52); SHA256_SCR(53); SHA256_SCR(54); SHA256_SCR(55);
282 SHA256_SCR(56); SHA256_SCR(57); SHA256_SCR(58); SHA256_SCR(59);
283 SHA256_SCR(60); SHA256_SCR(61); SHA256_SCR(62); SHA256_SCR(63);
284
285 wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
286 wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
287 wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
288 wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
289
290 SHA256_EXP(0,1,2,3,4,5,6,7, 0); SHA256_EXP(7,0,1,2,3,4,5,6, 1);
291 SHA256_EXP(6,7,0,1,2,3,4,5, 2); SHA256_EXP(5,6,7,0,1,2,3,4, 3);
292 SHA256_EXP(4,5,6,7,0,1,2,3, 4); SHA256_EXP(3,4,5,6,7,0,1,2, 5);
293 SHA256_EXP(2,3,4,5,6,7,0,1, 6); SHA256_EXP(1,2,3,4,5,6,7,0, 7);
294 SHA256_EXP(0,1,2,3,4,5,6,7, 8); SHA256_EXP(7,0,1,2,3,4,5,6, 9);
295 SHA256_EXP(6,7,0,1,2,3,4,5,10); SHA256_EXP(5,6,7,0,1,2,3,4,11);
296 SHA256_EXP(4,5,6,7,0,1,2,3,12); SHA256_EXP(3,4,5,6,7,0,1,2,13);
297 SHA256_EXP(2,3,4,5,6,7,0,1,14); SHA256_EXP(1,2,3,4,5,6,7,0,15);
298 SHA256_EXP(0,1,2,3,4,5,6,7,16); SHA256_EXP(7,0,1,2,3,4,5,6,17);
299 SHA256_EXP(6,7,0,1,2,3,4,5,18); SHA256_EXP(5,6,7,0,1,2,3,4,19);
300 SHA256_EXP(4,5,6,7,0,1,2,3,20); SHA256_EXP(3,4,5,6,7,0,1,2,21);
301 SHA256_EXP(2,3,4,5,6,7,0,1,22); SHA256_EXP(1,2,3,4,5,6,7,0,23);
302 SHA256_EXP(0,1,2,3,4,5,6,7,24); SHA256_EXP(7,0,1,2,3,4,5,6,25);
303 SHA256_EXP(6,7,0,1,2,3,4,5,26); SHA256_EXP(5,6,7,0,1,2,3,4,27);
304 SHA256_EXP(4,5,6,7,0,1,2,3,28); SHA256_EXP(3,4,5,6,7,0,1,2,29);
305 SHA256_EXP(2,3,4,5,6,7,0,1,30); SHA256_EXP(1,2,3,4,5,6,7,0,31);
306 SHA256_EXP(0,1,2,3,4,5,6,7,32); SHA256_EXP(7,0,1,2,3,4,5,6,33);
307 SHA256_EXP(6,7,0,1,2,3,4,5,34); SHA256_EXP(5,6,7,0,1,2,3,4,35);
308 SHA256_EXP(4,5,6,7,0,1,2,3,36); SHA256_EXP(3,4,5,6,7,0,1,2,37);
309 SHA256_EXP(2,3,4,5,6,7,0,1,38); SHA256_EXP(1,2,3,4,5,6,7,0,39);
310 SHA256_EXP(0,1,2,3,4,5,6,7,40); SHA256_EXP(7,0,1,2,3,4,5,6,41);
311 SHA256_EXP(6,7,0,1,2,3,4,5,42); SHA256_EXP(5,6,7,0,1,2,3,4,43);
312 SHA256_EXP(4,5,6,7,0,1,2,3,44); SHA256_EXP(3,4,5,6,7,0,1,2,45);
313 SHA256_EXP(2,3,4,5,6,7,0,1,46); SHA256_EXP(1,2,3,4,5,6,7,0,47);
314 SHA256_EXP(0,1,2,3,4,5,6,7,48); SHA256_EXP(7,0,1,2,3,4,5,6,49);
315 SHA256_EXP(6,7,0,1,2,3,4,5,50); SHA256_EXP(5,6,7,0,1,2,3,4,51);
316 SHA256_EXP(4,5,6,7,0,1,2,3,52); SHA256_EXP(3,4,5,6,7,0,1,2,53);
317 SHA256_EXP(2,3,4,5,6,7,0,1,54); SHA256_EXP(1,2,3,4,5,6,7,0,55);
318 SHA256_EXP(0,1,2,3,4,5,6,7,56); SHA256_EXP(7,0,1,2,3,4,5,6,57);
319 SHA256_EXP(6,7,0,1,2,3,4,5,58); SHA256_EXP(5,6,7,0,1,2,3,4,59);
320 SHA256_EXP(4,5,6,7,0,1,2,3,60); SHA256_EXP(3,4,5,6,7,0,1,2,61);
321 SHA256_EXP(2,3,4,5,6,7,0,1,62); SHA256_EXP(1,2,3,4,5,6,7,0,63);
322
323 ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
324 ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
325 ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
326 ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
327#endif /* !UNROLL_LOOPS */
328 }
329}
330
331void sha256(const unsigned char *message, unsigned int len, unsigned char *digest)
332{
333 sha256_ctx ctx;
334
335 sha256_init(&ctx);
336 sha256_update(&ctx, message, len);
337 sha256_final(&ctx, digest);
338}
339
340void sha256_init(sha256_ctx *ctx)
341{
342#ifndef UNROLL_LOOPS
343 int i;
344 for (i = 0; i < 8; i++) {
345 ctx->h[i] = sha256_h0[i];
346 }
347#else
348 ctx->h[0] = sha256_h0[0]; ctx->h[1] = sha256_h0[1];
349 ctx->h[2] = sha256_h0[2]; ctx->h[3] = sha256_h0[3];
350 ctx->h[4] = sha256_h0[4]; ctx->h[5] = sha256_h0[5];
351 ctx->h[6] = sha256_h0[6]; ctx->h[7] = sha256_h0[7];
352#endif /* !UNROLL_LOOPS */
353
354 ctx->len = 0;
355 ctx->tot_len = 0;
356}
357
358void sha256_update(sha256_ctx *ctx, const unsigned char *message,
359 unsigned int len)
360{
361 unsigned int block_nb;
362 unsigned int new_len, rem_len, tmp_len;
363 const unsigned char *shifted_message;
364
365 tmp_len = SHA256_BLOCK_SIZE - ctx->len;
366 rem_len = len < tmp_len ? len : tmp_len;
367
368 memcpy(&ctx->block[ctx->len], message, rem_len);
369
370 if (ctx->len + len < SHA256_BLOCK_SIZE) {
371 ctx->len += len;
372 return;
373 }
374
375 new_len = len - rem_len;
376 block_nb = new_len / SHA256_BLOCK_SIZE;
377
378 shifted_message = message + rem_len;
379
380 sha256_transf(ctx, ctx->block, 1);
381 sha256_transf(ctx, shifted_message, block_nb);
382
383 rem_len = new_len % SHA256_BLOCK_SIZE;
384
385 memcpy(ctx->block, &shifted_message[block_nb << 6],
386 rem_len);
387
388 ctx->len = rem_len;
389 ctx->tot_len += (block_nb + 1) << 6;
390}
391
392void sha256_final(sha256_ctx *ctx, unsigned char *digest)
393{
394 unsigned int block_nb;
395 unsigned int pm_len;
396 unsigned int len_b;
397
398#ifndef UNROLL_LOOPS
399 int i;
400#endif
401
402 block_nb = (1 + ((SHA256_BLOCK_SIZE - 9)
403 < (ctx->len % SHA256_BLOCK_SIZE)));
404
405 len_b = (ctx->tot_len + ctx->len) << 3;
406 pm_len = block_nb << 6;
407
408 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
409 ctx->block[ctx->len] = 0x80;
410 UNPACK32(len_b, ctx->block + pm_len - 4);
411
412 sha256_transf(ctx, ctx->block, block_nb);
413
414#ifndef UNROLL_LOOPS
415 for (i = 0 ; i < 8; i++) {
416 UNPACK32(ctx->h[i], &digest[i << 2]);
417 }
418#else
419 UNPACK32(ctx->h[0], &digest[ 0]);
420 UNPACK32(ctx->h[1], &digest[ 4]);
421 UNPACK32(ctx->h[2], &digest[ 8]);
422 UNPACK32(ctx->h[3], &digest[12]);
423 UNPACK32(ctx->h[4], &digest[16]);
424 UNPACK32(ctx->h[5], &digest[20]);
425 UNPACK32(ctx->h[6], &digest[24]);
426 UNPACK32(ctx->h[7], &digest[28]);
427#endif /* !UNROLL_LOOPS */
428}
429
430/* SHA-512 functions */
431
432void sha512_transf(sha512_ctx *ctx, const unsigned char *message,
433 unsigned int block_nb)
434{
435 uint64 w[80];
436 uint64 wv[8];
437 uint64 t1, t2;
438 const unsigned char *sub_block;
439 int i, j;
440
441 for (i = 0; i < (int) block_nb; i++) {
442 sub_block = message + (i << 7);
443
444#ifndef UNROLL_LOOPS
445 for (j = 0; j < 16; j++) {
446 PACK64(&sub_block[j << 3], &w[j]);
447 }
448
449 for (j = 16; j < 80; j++) {
450 SHA512_SCR(j);
451 }
452
453 for (j = 0; j < 8; j++) {
454 wv[j] = ctx->h[j];
455 }
456
457 for (j = 0; j < 80; j++) {
458 t1 = wv[7] + SHA512_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
459 + sha512_k[j] + w[j];
460 t2 = SHA512_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
461 wv[7] = wv[6];
462 wv[6] = wv[5];
463 wv[5] = wv[4];
464 wv[4] = wv[3] + t1;
465 wv[3] = wv[2];
466 wv[2] = wv[1];
467 wv[1] = wv[0];
468 wv[0] = t1 + t2;
469 }
470
471 for (j = 0; j < 8; j++) {
472 ctx->h[j] += wv[j];
473 }
474#else
475 PACK64(&sub_block[ 0], &w[ 0]); PACK64(&sub_block[ 8], &w[ 1]);
476 PACK64(&sub_block[ 16], &w[ 2]); PACK64(&sub_block[ 24], &w[ 3]);
477 PACK64(&sub_block[ 32], &w[ 4]); PACK64(&sub_block[ 40], &w[ 5]);
478 PACK64(&sub_block[ 48], &w[ 6]); PACK64(&sub_block[ 56], &w[ 7]);
479 PACK64(&sub_block[ 64], &w[ 8]); PACK64(&sub_block[ 72], &w[ 9]);
480 PACK64(&sub_block[ 80], &w[10]); PACK64(&sub_block[ 88], &w[11]);
481 PACK64(&sub_block[ 96], &w[12]); PACK64(&sub_block[104], &w[13]);
482 PACK64(&sub_block[112], &w[14]); PACK64(&sub_block[120], &w[15]);
483
484 SHA512_SCR(16); SHA512_SCR(17); SHA512_SCR(18); SHA512_SCR(19);
485 SHA512_SCR(20); SHA512_SCR(21); SHA512_SCR(22); SHA512_SCR(23);
486 SHA512_SCR(24); SHA512_SCR(25); SHA512_SCR(26); SHA512_SCR(27);
487 SHA512_SCR(28); SHA512_SCR(29); SHA512_SCR(30); SHA512_SCR(31);
488 SHA512_SCR(32); SHA512_SCR(33); SHA512_SCR(34); SHA512_SCR(35);
489 SHA512_SCR(36); SHA512_SCR(37); SHA512_SCR(38); SHA512_SCR(39);
490 SHA512_SCR(40); SHA512_SCR(41); SHA512_SCR(42); SHA512_SCR(43);
491 SHA512_SCR(44); SHA512_SCR(45); SHA512_SCR(46); SHA512_SCR(47);
492 SHA512_SCR(48); SHA512_SCR(49); SHA512_SCR(50); SHA512_SCR(51);
493 SHA512_SCR(52); SHA512_SCR(53); SHA512_SCR(54); SHA512_SCR(55);
494 SHA512_SCR(56); SHA512_SCR(57); SHA512_SCR(58); SHA512_SCR(59);
495 SHA512_SCR(60); SHA512_SCR(61); SHA512_SCR(62); SHA512_SCR(63);
496 SHA512_SCR(64); SHA512_SCR(65); SHA512_SCR(66); SHA512_SCR(67);
497 SHA512_SCR(68); SHA512_SCR(69); SHA512_SCR(70); SHA512_SCR(71);
498 SHA512_SCR(72); SHA512_SCR(73); SHA512_SCR(74); SHA512_SCR(75);
499 SHA512_SCR(76); SHA512_SCR(77); SHA512_SCR(78); SHA512_SCR(79);
500
501 wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
502 wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
503 wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
504 wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
505
506 j = 0;
507
508 do {
509 SHA512_EXP(0,1,2,3,4,5,6,7,j); j++;
510 SHA512_EXP(7,0,1,2,3,4,5,6,j); j++;
511 SHA512_EXP(6,7,0,1,2,3,4,5,j); j++;
512 SHA512_EXP(5,6,7,0,1,2,3,4,j); j++;
513 SHA512_EXP(4,5,6,7,0,1,2,3,j); j++;
514 SHA512_EXP(3,4,5,6,7,0,1,2,j); j++;
515 SHA512_EXP(2,3,4,5,6,7,0,1,j); j++;
516 SHA512_EXP(1,2,3,4,5,6,7,0,j); j++;
517 } while (j < 80);
518
519 ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
520 ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
521 ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
522 ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
523#endif /* !UNROLL_LOOPS */
524 }
525}
526
527void sha512(const unsigned char *message, unsigned int len,
528 unsigned char *digest)
529{
530 sha512_ctx ctx;
531
532 sha512_init(&ctx);
533 sha512_update(&ctx, message, len);
534 sha512_final(&ctx, digest);
535}
536
537void sha512_init(sha512_ctx *ctx)
538{
539#ifndef UNROLL_LOOPS
540 int i;
541 for (i = 0; i < 8; i++) {
542 ctx->h[i] = sha512_h0[i];
543 }
544#else
545 ctx->h[0] = sha512_h0[0]; ctx->h[1] = sha512_h0[1];
546 ctx->h[2] = sha512_h0[2]; ctx->h[3] = sha512_h0[3];
547 ctx->h[4] = sha512_h0[4]; ctx->h[5] = sha512_h0[5];
548 ctx->h[6] = sha512_h0[6]; ctx->h[7] = sha512_h0[7];
549#endif /* !UNROLL_LOOPS */
550
551 ctx->len = 0;
552 ctx->tot_len = 0;
553}
554
555void sha512_update(sha512_ctx *ctx, const unsigned char *message,
556 unsigned int len)
557{
558 unsigned int block_nb;
559 unsigned int new_len, rem_len, tmp_len;
560 const unsigned char *shifted_message;
561
562 tmp_len = SHA512_BLOCK_SIZE - ctx->len;
563 rem_len = len < tmp_len ? len : tmp_len;
564
565 memcpy(&ctx->block[ctx->len], message, rem_len);
566
567 if (ctx->len + len < SHA512_BLOCK_SIZE) {
568 ctx->len += len;
569 return;
570 }
571
572 new_len = len - rem_len;
573 block_nb = new_len / SHA512_BLOCK_SIZE;
574
575 shifted_message = message + rem_len;
576
577 sha512_transf(ctx, ctx->block, 1);
578 sha512_transf(ctx, shifted_message, block_nb);
579
580 rem_len = new_len % SHA512_BLOCK_SIZE;
581
582 memcpy(ctx->block, &shifted_message[block_nb << 7],
583 rem_len);
584
585 ctx->len = rem_len;
586 ctx->tot_len += (block_nb + 1) << 7;
587}
588
589void sha512_final(sha512_ctx *ctx, unsigned char *digest)
590{
591 unsigned int block_nb;
592 unsigned int pm_len;
593 unsigned int len_b;
594
595#ifndef UNROLL_LOOPS
596 int i;
597#endif
598
599 block_nb = 1 + ((SHA512_BLOCK_SIZE - 17)
600 < (ctx->len % SHA512_BLOCK_SIZE));
601
602 len_b = (ctx->tot_len + ctx->len) << 3;
603 pm_len = block_nb << 7;
604
605 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
606 ctx->block[ctx->len] = 0x80;
607 UNPACK32(len_b, ctx->block + pm_len - 4);
608
609 sha512_transf(ctx, ctx->block, block_nb);
610
611#ifndef UNROLL_LOOPS
612 for (i = 0 ; i < 8; i++) {
613 UNPACK64(ctx->h[i], &digest[i << 3]);
614 }
615#else
616 UNPACK64(ctx->h[0], &digest[ 0]);
617 UNPACK64(ctx->h[1], &digest[ 8]);
618 UNPACK64(ctx->h[2], &digest[16]);
619 UNPACK64(ctx->h[3], &digest[24]);
620 UNPACK64(ctx->h[4], &digest[32]);
621 UNPACK64(ctx->h[5], &digest[40]);
622 UNPACK64(ctx->h[6], &digest[48]);
623 UNPACK64(ctx->h[7], &digest[56]);
624#endif /* !UNROLL_LOOPS */
625}
626
627/* SHA-384 functions */
628
629void sha384(const unsigned char *message, unsigned int len,
630 unsigned char *digest)
631{
632 sha384_ctx ctx;
633
634 sha384_init(&ctx);
635 sha384_update(&ctx, message, len);
636 sha384_final(&ctx, digest);
637}
638
639void sha384_init(sha384_ctx *ctx)
640{
641#ifndef UNROLL_LOOPS
642 int i;
643 for (i = 0; i < 8; i++) {
644 ctx->h[i] = sha384_h0[i];
645 }
646#else
647 ctx->h[0] = sha384_h0[0]; ctx->h[1] = sha384_h0[1];
648 ctx->h[2] = sha384_h0[2]; ctx->h[3] = sha384_h0[3];
649 ctx->h[4] = sha384_h0[4]; ctx->h[5] = sha384_h0[5];
650 ctx->h[6] = sha384_h0[6]; ctx->h[7] = sha384_h0[7];
651#endif /* !UNROLL_LOOPS */
652
653 ctx->len = 0;
654 ctx->tot_len = 0;
655}
656
657void sha384_update(sha384_ctx *ctx, const unsigned char *message,
658 unsigned int len)
659{
660 unsigned int block_nb;
661 unsigned int new_len, rem_len, tmp_len;
662 const unsigned char *shifted_message;
663
664 tmp_len = SHA384_BLOCK_SIZE - ctx->len;
665 rem_len = len < tmp_len ? len : tmp_len;
666
667 memcpy(&ctx->block[ctx->len], message, rem_len);
668
669 if (ctx->len + len < SHA384_BLOCK_SIZE) {
670 ctx->len += len;
671 return;
672 }
673
674 new_len = len - rem_len;
675 block_nb = new_len / SHA384_BLOCK_SIZE;
676
677 shifted_message = message + rem_len;
678
679 sha512_transf(ctx, ctx->block, 1);
680 sha512_transf(ctx, shifted_message, block_nb);
681
682 rem_len = new_len % SHA384_BLOCK_SIZE;
683
684 memcpy(ctx->block, &shifted_message[block_nb << 7],
685 rem_len);
686
687 ctx->len = rem_len;
688 ctx->tot_len += (block_nb + 1) << 7;
689}
690
691void sha384_final(sha384_ctx *ctx, unsigned char *digest)
692{
693 unsigned int block_nb;
694 unsigned int pm_len;
695 unsigned int len_b;
696
697#ifndef UNROLL_LOOPS
698 int i;
699#endif
700
701 block_nb = (1 + ((SHA384_BLOCK_SIZE - 17)
702 < (ctx->len % SHA384_BLOCK_SIZE)));
703
704 len_b = (ctx->tot_len + ctx->len) << 3;
705 pm_len = block_nb << 7;
706
707 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
708 ctx->block[ctx->len] = 0x80;
709 UNPACK32(len_b, ctx->block + pm_len - 4);
710
711 sha512_transf(ctx, ctx->block, block_nb);
712
713#ifndef UNROLL_LOOPS
714 for (i = 0 ; i < 6; i++) {
715 UNPACK64(ctx->h[i], &digest[i << 3]);
716 }
717#else
718 UNPACK64(ctx->h[0], &digest[ 0]);
719 UNPACK64(ctx->h[1], &digest[ 8]);
720 UNPACK64(ctx->h[2], &digest[16]);
721 UNPACK64(ctx->h[3], &digest[24]);
722 UNPACK64(ctx->h[4], &digest[32]);
723 UNPACK64(ctx->h[5], &digest[40]);
724#endif /* !UNROLL_LOOPS */
725}
726
727/* SHA-224 functions */
728
729void sha224(const unsigned char *message, unsigned int len,
730 unsigned char *digest)
731{
732 sha224_ctx ctx;
733
734 sha224_init(&ctx);
735 sha224_update(&ctx, message, len);
736 sha224_final(&ctx, digest);
737}
738
739void sha224_init(sha224_ctx *ctx)
740{
741#ifndef UNROLL_LOOPS
742 int i;
743 for (i = 0; i < 8; i++) {
744 ctx->h[i] = sha224_h0[i];
745 }
746#else
747 ctx->h[0] = sha224_h0[0]; ctx->h[1] = sha224_h0[1];
748 ctx->h[2] = sha224_h0[2]; ctx->h[3] = sha224_h0[3];
749 ctx->h[4] = sha224_h0[4]; ctx->h[5] = sha224_h0[5];
750 ctx->h[6] = sha224_h0[6]; ctx->h[7] = sha224_h0[7];
751#endif /* !UNROLL_LOOPS */
752
753 ctx->len = 0;
754 ctx->tot_len = 0;
755}
756
757void sha224_update(sha224_ctx *ctx, const unsigned char *message,
758 unsigned int len)
759{
760 unsigned int block_nb;
761 unsigned int new_len, rem_len, tmp_len;
762 const unsigned char *shifted_message;
763
764 tmp_len = SHA224_BLOCK_SIZE - ctx->len;
765 rem_len = len < tmp_len ? len : tmp_len;
766
767 memcpy(&ctx->block[ctx->len], message, rem_len);
768
769 if (ctx->len + len < SHA224_BLOCK_SIZE) {
770 ctx->len += len;
771 return;
772 }
773
774 new_len = len - rem_len;
775 block_nb = new_len / SHA224_BLOCK_SIZE;
776
777 shifted_message = message + rem_len;
778
779 sha256_transf(ctx, ctx->block, 1);
780 sha256_transf(ctx, shifted_message, block_nb);
781
782 rem_len = new_len % SHA224_BLOCK_SIZE;
783
784 memcpy(ctx->block, &shifted_message[block_nb << 6],
785 rem_len);
786
787 ctx->len = rem_len;
788 ctx->tot_len += (block_nb + 1) << 6;
789}
790
791void sha224_final(sha224_ctx *ctx, unsigned char *digest)
792{
793 unsigned int block_nb;
794 unsigned int pm_len;
795 unsigned int len_b;
796
797#ifndef UNROLL_LOOPS
798 int i;
799#endif
800
801 block_nb = (1 + ((SHA224_BLOCK_SIZE - 9)
802 < (ctx->len % SHA224_BLOCK_SIZE)));
803
804 len_b = (ctx->tot_len + ctx->len) << 3;
805 pm_len = block_nb << 6;
806
807 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
808 ctx->block[ctx->len] = 0x80;
809 UNPACK32(len_b, ctx->block + pm_len - 4);
810
811 sha256_transf(ctx, ctx->block, block_nb);
812
813#ifndef UNROLL_LOOPS
814 for (i = 0 ; i < 7; i++) {
815 UNPACK32(ctx->h[i], &digest[i << 2]);
816 }
817#else
818 UNPACK32(ctx->h[0], &digest[ 0]);
819 UNPACK32(ctx->h[1], &digest[ 4]);
820 UNPACK32(ctx->h[2], &digest[ 8]);
821 UNPACK32(ctx->h[3], &digest[12]);
822 UNPACK32(ctx->h[4], &digest[16]);
823 UNPACK32(ctx->h[5], &digest[20]);
824 UNPACK32(ctx->h[6], &digest[24]);
825#endif /* !UNROLL_LOOPS */
826}
827
828#ifdef TEST_VECTORS
829
830/* FIPS 180-2 Validation tests */
831
832#include <stdio.h>
833#include <stdlib.h>
834
835void test(const char *vector, unsigned char *digest,
836 unsigned int digest_size)
837{
838 char output[2 * SHA512_DIGEST_SIZE + 1];
839 int i;
840
841 output[2 * digest_size] = '\0';
842
843 for (i = 0; i < (int) digest_size ; i++) {
844 sprintf(output + 2 * i, "%02x", digest[i]);
845 }
846
847 printf("H: %s\n", output);
848 if (strcmp(vector, output)) {
849 fprintf(stderr, "Test failed.\n");
850 exit(EXIT_FAILURE);
851 }
852}
853
854int main(void)
855{
856 static const char *vectors[4][3] =
857 { /* SHA-224 */
858 {
859 "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7",
860 "75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525",
861 "20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67",
862 },
863 /* SHA-256 */
864 {
865 "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
866 "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1",
867 "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0",
868 },
869 /* SHA-384 */
870 {
871 "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
872 "8086072ba1e7cc2358baeca134c825a7",
873 "09330c33f71147e83d192fc782cd1b4753111b173b3b05d22fa08086e3b0f712"
874 "fcc7c71a557e2db966c3e9fa91746039",
875 "9d0e1809716474cb086e834e310a4a1ced149e9c00f248527972cec5704c2a5b"
876 "07b8b3dc38ecc4ebae97ddd87f3d8985",
877 },
878 /* SHA-512 */
879 {
880 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
881 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
882 "8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018"
883 "501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909",
884 "e718483d0ce769644e2e42c7bc15b4638e1f98b13b2044285632a803afa973eb"
885 "de0ff244877ea60a4cb0432ce577c31beb009c5c2c49aa2e4eadb217ad8cc09b"
886 }
887 };
888
889 static const char message1[] = "abc";
890 static const char message2a[] = "abcdbcdecdefdefgefghfghighijhi"
891 "jkijkljklmklmnlmnomnopnopq";
892 static const char message2b[] = "abcdefghbcdefghicdefghijdefghijkefghij"
893 "klfghijklmghijklmnhijklmnoijklmnopjklm"
894 "nopqklmnopqrlmnopqrsmnopqrstnopqrstu";
895 unsigned char *message3;
896 unsigned int message3_len = 1000000;
897 unsigned char digest[SHA512_DIGEST_SIZE];
898
899 message3 = malloc(message3_len);
900 if (message3 == NULL) {
901 fprintf(stderr, "Can't allocate memory\n");
902 return -1;
903 }
904 memset(message3, 'a', message3_len);
905
906 printf("SHA-2 FIPS 180-2 Validation tests\n\n");
907 printf("SHA-224 Test vectors\n");
908
909 sha224((const unsigned char *) message1, strlen(message1), digest);
910 test(vectors[0][0], digest, SHA224_DIGEST_SIZE);
911 sha224((const unsigned char *) message2a, strlen(message2a), digest);
912 test(vectors[0][1], digest, SHA224_DIGEST_SIZE);
913 sha224(message3, message3_len, digest);
914 test(vectors[0][2], digest, SHA224_DIGEST_SIZE);
915 printf("\n");
916
917 printf("SHA-256 Test vectors\n");
918
919 sha256((const unsigned char *) message1, strlen(message1), digest);
920 test(vectors[1][0], digest, SHA256_DIGEST_SIZE);
921 sha256((const unsigned char *) message2a, strlen(message2a), digest);
922 test(vectors[1][1], digest, SHA256_DIGEST_SIZE);
923 sha256(message3, message3_len, digest);
924 test(vectors[1][2], digest, SHA256_DIGEST_SIZE);
925 printf("\n");
926
927 printf("SHA-384 Test vectors\n");
928
929 sha384((const unsigned char *) message1, strlen(message1), digest);
930 test(vectors[2][0], digest, SHA384_DIGEST_SIZE);
931 sha384((const unsigned char *)message2b, strlen(message2b), digest);
932 test(vectors[2][1], digest, SHA384_DIGEST_SIZE);
933 sha384(message3, message3_len, digest);
934 test(vectors[2][2], digest, SHA384_DIGEST_SIZE);
935 printf("\n");
936
937 printf("SHA-512 Test vectors\n");
938
939 sha512((const unsigned char *) message1, strlen(message1), digest);
940 test(vectors[3][0], digest, SHA512_DIGEST_SIZE);
941 sha512((const unsigned char *) message2b, strlen(message2b), digest);
942 test(vectors[3][1], digest, SHA512_DIGEST_SIZE);
943 sha512(message3, message3_len, digest);
944 test(vectors[3][2], digest, SHA512_DIGEST_SIZE);
945 printf("\n");
946
947 printf("All tests passed.\n");
948
949 return 0;
950}
951
952#endif /* TEST_VECTORS */
953