~mdw / secnet / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ec-field-test.c: Make the field-element type use internal format.
[secnet] / sha512.c
CommitLineData
b4a26b17
IJ		 1/* sha512.c - Functions to compute SHA512 and SHA384 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005, 2006, 2008, 2009, 2010 Free Software Foundation, Inc.
5
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>. */
18
19/* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
21*/
22
23#include <config.h>
24
757aecff
MW		 25#include "secnet.h"
26
b4a26b17
IJ		 27#include "sha512.h"
28
29#include <stddef.h>
30#include <stdlib.h>
31#include <string.h>
32
33#if USE_UNLOCKED_IO
34# include "unlocked-io.h"
35#endif
36
37#ifdef WORDS_BIGENDIAN
38# define SWAP(n) (n)
39#else
40# define SWAP(n) \
41 u64or (u64or (u64or (u64shl (n, 56), \
42 u64shl (u64and (n, u64lo (0x0000ff00)), 40)), \
43 u64or (u64shl (u64and (n, u64lo (0x00ff0000)), 24), \
44 u64shl (u64and (n, u64lo (0xff000000)), 8))), \
45 u64or (u64or (u64and (u64shr (n, 8), u64lo (0xff000000)), \
46 u64and (u64shr (n, 24), u64lo (0x00ff0000))), \
47 u64or (u64and (u64shr (n, 40), u64lo (0x0000ff00)), \
48 u64shr (n, 56))))
49#endif
50
51#define BLOCKSIZE 32768
52#if BLOCKSIZE % 128 != 0
53# error "invalid BLOCKSIZE"
54#endif
55
56/* This array contains the bytes used to pad the buffer to the next
57 128-byte boundary. */
58static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
59
60
61/*
62 Takes a pointer to a 512 bit block of data (eight 64 bit ints) and
63 intializes it to the start constants of the SHA512 algorithm. This
64 must be called before using hash in the call to sha512_hash
65*/
66void
67sha512_init_ctx (struct sha512_ctx *ctx)
68{
69 ctx->state[0] = u64hilo (0x6a09e667, 0xf3bcc908);
70 ctx->state[1] = u64hilo (0xbb67ae85, 0x84caa73b);
71 ctx->state[2] = u64hilo (0x3c6ef372, 0xfe94f82b);
72 ctx->state[3] = u64hilo (0xa54ff53a, 0x5f1d36f1);
73 ctx->state[4] = u64hilo (0x510e527f, 0xade682d1);
74 ctx->state[5] = u64hilo (0x9b05688c, 0x2b3e6c1f);
75 ctx->state[6] = u64hilo (0x1f83d9ab, 0xfb41bd6b);
76 ctx->state[7] = u64hilo (0x5be0cd19, 0x137e2179);
77
78 ctx->total[0] = ctx->total[1] = u64lo (0);
79 ctx->buflen = 0;
80}
81
82void
83sha384_init_ctx (struct sha512_ctx *ctx)
84{
85 ctx->state[0] = u64hilo (0xcbbb9d5d, 0xc1059ed8);
86 ctx->state[1] = u64hilo (0x629a292a, 0x367cd507);
87 ctx->state[2] = u64hilo (0x9159015a, 0x3070dd17);
88 ctx->state[3] = u64hilo (0x152fecd8, 0xf70e5939);
89 ctx->state[4] = u64hilo (0x67332667, 0xffc00b31);
90 ctx->state[5] = u64hilo (0x8eb44a87, 0x68581511);
91 ctx->state[6] = u64hilo (0xdb0c2e0d, 0x64f98fa7);
92 ctx->state[7] = u64hilo (0x47b5481d, 0xbefa4fa4);
93
94 ctx->total[0] = ctx->total[1] = u64lo (0);
95 ctx->buflen = 0;
96}
97
98/* Copy the value from V into the memory location pointed to by *CP,
99 If your architecture allows unaligned access, this is equivalent to
100 * (__typeof__ (v) *) cp = v */
101static inline void
102set_uint64 (char *cp, u64 v)
103{
104 memcpy (cp, &v, sizeof v);
105}
106
107/* Put result from CTX in first 64 bytes following RESBUF.
108 The result must be in little endian byte order. */
109void *
110sha512_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
111{
112 int i;
113 char *r = resbuf;
114
115 for (i = 0; i < 8; i++)
116 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
117
118 return resbuf;
119}
120
121void *
122sha384_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
123{
124 int i;
125 char *r = resbuf;
126
127 for (i = 0; i < 6; i++)
128 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
129
130 return resbuf;
131}
132
133/* Process the remaining bytes in the internal buffer and the usual
134 prolog according to the standard and write the result to RESBUF. */
135static void
136sha512_conclude_ctx (struct sha512_ctx *ctx)
137{
138 /* Take yet unprocessed bytes into account. */
139 size_t bytes = ctx->buflen;
140 size_t size = (bytes < 112) ? 128 / 8 : 128 * 2 / 8;
141
142 /* Now count remaining bytes. */
143 ctx->total[0] = u64plus (ctx->total[0], u64lo (bytes));
144 if (u64lt (ctx->total[0], u64lo (bytes)))
145 ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
146
147 /* Put the 128-bit file length in *bits* at the end of the buffer.
148 Use set_uint64 rather than a simple assignment, to avoid risk of
149 unaligned access. */
150 set_uint64 ((char *) &ctx->buffer[size - 2],
151 SWAP (u64or (u64shl (ctx->total[1], 3),
152 u64shr (ctx->total[0], 61))));
153 set_uint64 ((char *) &ctx->buffer[size - 1],
154 SWAP (u64shl (ctx->total[0], 3)));
155
156 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 8 - bytes);
157
158 /* Process last bytes. */
159 sha512_process_block (ctx->buffer, size * 8, ctx);
160}
161
162void *
163sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
164{
165 sha512_conclude_ctx (ctx);
166 return sha512_read_ctx (ctx, resbuf);
167}
168
169void *
170sha384_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
171{
172 sha512_conclude_ctx (ctx);
173 return sha384_read_ctx (ctx, resbuf);
174}
175
b4a26b17
IJ		 176void
177sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
178{
179 /* When we already have some bits in our internal buffer concatenate
180 both inputs first. */
181 if (ctx->buflen != 0)
182 {
183 size_t left_over = ctx->buflen;
184 size_t add = 256 - left_over > len ? len : 256 - left_over;
185
186 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
187 ctx->buflen += add;
188
189 if (ctx->buflen > 128)
190 {
191 sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
192
193 ctx->buflen &= 127;
194 /* The regions in the following copy operation cannot overlap. */
195 memcpy (ctx->buffer,
196 &((char *) ctx->buffer)[(left_over + add) & ~127],
197 ctx->buflen);
198 }
199
200 buffer = (const char *) buffer + add;
201 len -= add;
202 }
203
204 /* Process available complete blocks. */
205 if (len >= 128)
206 {
207#if !_STRING_ARCH_unaligned
208# define alignof(type) offsetof (struct { char c; type x; }, x)
209# define UNALIGNED_P(p) (((size_t) p) % alignof (u64) != 0)
210 if (UNALIGNED_P (buffer))
211 while (len > 128)
212 {
213 sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128, ctx);
214 buffer = (const char *) buffer + 128;
215 len -= 128;
216 }
217 else
218#endif
219 {
220 sha512_process_block (buffer, len & ~127, ctx);
221 buffer = (const char *) buffer + (len & ~127);
222 len &= 127;
223 }
224 }
225
226 /* Move remaining bytes in internal buffer. */
227 if (len > 0)
228 {
229 size_t left_over = ctx->buflen;
230
231 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
232 left_over += len;
233 if (left_over >= 128)
234 {
235 sha512_process_block (ctx->buffer, 128, ctx);
236 left_over -= 128;
237 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
238 }
239 ctx->buflen = left_over;
240 }
241}
242
243/* --- Code below is the primary difference between sha1.c and sha512.c --- */
244
245/* SHA512 round constants */
246#define K(I) sha512_round_constants[I]
247static u64 const sha512_round_constants[80] = {
248 u64init (0x428a2f98, 0xd728ae22), u64init (0x71374491, 0x23ef65cd),
249 u64init (0xb5c0fbcf, 0xec4d3b2f), u64init (0xe9b5dba5, 0x8189dbbc),
250 u64init (0x3956c25b, 0xf348b538), u64init (0x59f111f1, 0xb605d019),
251 u64init (0x923f82a4, 0xaf194f9b), u64init (0xab1c5ed5, 0xda6d8118),
252 u64init (0xd807aa98, 0xa3030242), u64init (0x12835b01, 0x45706fbe),
253 u64init (0x243185be, 0x4ee4b28c), u64init (0x550c7dc3, 0xd5ffb4e2),
254 u64init (0x72be5d74, 0xf27b896f), u64init (0x80deb1fe, 0x3b1696b1),
255 u64init (0x9bdc06a7, 0x25c71235), u64init (0xc19bf174, 0xcf692694),
256 u64init (0xe49b69c1, 0x9ef14ad2), u64init (0xefbe4786, 0x384f25e3),
257 u64init (0x0fc19dc6, 0x8b8cd5b5), u64init (0x240ca1cc, 0x77ac9c65),
258 u64init (0x2de92c6f, 0x592b0275), u64init (0x4a7484aa, 0x6ea6e483),
259 u64init (0x5cb0a9dc, 0xbd41fbd4), u64init (0x76f988da, 0x831153b5),
260 u64init (0x983e5152, 0xee66dfab), u64init (0xa831c66d, 0x2db43210),
261 u64init (0xb00327c8, 0x98fb213f), u64init (0xbf597fc7, 0xbeef0ee4),
262 u64init (0xc6e00bf3, 0x3da88fc2), u64init (0xd5a79147, 0x930aa725),
263 u64init (0x06ca6351, 0xe003826f), u64init (0x14292967, 0x0a0e6e70),
264 u64init (0x27b70a85, 0x46d22ffc), u64init (0x2e1b2138, 0x5c26c926),
265 u64init (0x4d2c6dfc, 0x5ac42aed), u64init (0x53380d13, 0x9d95b3df),
266 u64init (0x650a7354, 0x8baf63de), u64init (0x766a0abb, 0x3c77b2a8),
267 u64init (0x81c2c92e, 0x47edaee6), u64init (0x92722c85, 0x1482353b),
268 u64init (0xa2bfe8a1, 0x4cf10364), u64init (0xa81a664b, 0xbc423001),
269 u64init (0xc24b8b70, 0xd0f89791), u64init (0xc76c51a3, 0x0654be30),
270 u64init (0xd192e819, 0xd6ef5218), u64init (0xd6990624, 0x5565a910),
271 u64init (0xf40e3585, 0x5771202a), u64init (0x106aa070, 0x32bbd1b8),
272 u64init (0x19a4c116, 0xb8d2d0c8), u64init (0x1e376c08, 0x5141ab53),
273 u64init (0x2748774c, 0xdf8eeb99), u64init (0x34b0bcb5, 0xe19b48a8),
274 u64init (0x391c0cb3, 0xc5c95a63), u64init (0x4ed8aa4a, 0xe3418acb),
275 u64init (0x5b9cca4f, 0x7763e373), u64init (0x682e6ff3, 0xd6b2b8a3),
276 u64init (0x748f82ee, 0x5defb2fc), u64init (0x78a5636f, 0x43172f60),
277 u64init (0x84c87814, 0xa1f0ab72), u64init (0x8cc70208, 0x1a6439ec),
278 u64init (0x90befffa, 0x23631e28), u64init (0xa4506ceb, 0xde82bde9),
279 u64init (0xbef9a3f7, 0xb2c67915), u64init (0xc67178f2, 0xe372532b),
280 u64init (0xca273ece, 0xea26619c), u64init (0xd186b8c7, 0x21c0c207),
281 u64init (0xeada7dd6, 0xcde0eb1e), u64init (0xf57d4f7f, 0xee6ed178),
282 u64init (0x06f067aa, 0x72176fba), u64init (0x0a637dc5, 0xa2c898a6),
283 u64init (0x113f9804, 0xbef90dae), u64init (0x1b710b35, 0x131c471b),
284 u64init (0x28db77f5, 0x23047d84), u64init (0x32caab7b, 0x40c72493),
285 u64init (0x3c9ebe0a, 0x15c9bebc), u64init (0x431d67c4, 0x9c100d4c),
286 u64init (0x4cc5d4be, 0xcb3e42b6), u64init (0x597f299c, 0xfc657e2a),
287 u64init (0x5fcb6fab, 0x3ad6faec), u64init (0x6c44198c, 0x4a475817),
288};
289
290/* Round functions. */
291#define F2(A, B, C) u64or (u64and (A, B), u64and (C, u64or (A, B)))
292#define F1(E, F, G) u64xor (G, u64and (E, u64xor (F, G)))
293
294/* Process LEN bytes of BUFFER, accumulating context into CTX.
295 It is assumed that LEN % 128 == 0.
296 Most of this code comes from GnuPG's cipher/sha1.c. */
297
298void
299sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
300{
301 u64 const *words = buffer;
302 u64 const *endp = words + len / sizeof (u64);
303 u64 x[16];
304 u64 a = ctx->state[0];
305 u64 b = ctx->state[1];
306 u64 c = ctx->state[2];
307 u64 d = ctx->state[3];
308 u64 e = ctx->state[4];
309 u64 f = ctx->state[5];
310 u64 g = ctx->state[6];
311 u64 h = ctx->state[7];
312
313 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
314 length of the file up to 2^128 bits. Here we only compute the
315 number of bytes. Do a double word increment. */
316 ctx->total[0] = u64plus (ctx->total[0], u64lo (len));
317 if (u64lt (ctx->total[0], u64lo (len)))
318 ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
319
320#define S0(x) u64xor (u64rol(x, 63), u64xor (u64rol (x, 56), u64shr (x, 7)))
321#define S1(x) u64xor (u64rol (x, 45), u64xor (u64rol (x, 3), u64shr (x, 6)))
322#define SS0(x) u64xor (u64rol (x, 36), u64xor (u64rol (x, 30), u64rol (x, 25)))
323#define SS1(x) u64xor (u64rol(x, 50), u64xor (u64rol (x, 46), u64rol (x, 23)))
324
325#define M(I) (x[(I) & 15] \
326 = u64plus (x[(I) & 15], \
327 u64plus (S1 (x[((I) - 2) & 15]), \
328 u64plus (x[((I) - 7) & 15], \
329 S0 (x[((I) - 15) & 15])))))
330
331#define R(A, B, C, D, E, F, G, H, K, M) \
332 do \
333 { \
334 u64 t0 = u64plus (SS0 (A), F2 (A, B, C)); \
335 u64 t1 = \
336 u64plus (H, u64plus (SS1 (E), \
337 u64plus (F1 (E, F, G), u64plus (K, M)))); \
338 D = u64plus (D, t1); \
339 H = u64plus (t0, t1); \
340 } \
341 while (0)
342
343 while (words < endp)
344 {
345 int t;
346 /* FIXME: see sha1.c for a better implementation. */
347 for (t = 0; t < 16; t++)
348 {
349 x[t] = SWAP (*words);
350 words++;
351 }
352
353 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
354 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
355 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
356 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
357 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
358 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
359 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
360 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
361 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
362 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
363 R( g, h, a, b, c, d, e, f, K(10), x[10] );
364 R( f, g, h, a, b, c, d, e, K(11), x[11] );
365 R( e, f, g, h, a, b, c, d, K(12), x[12] );
366 R( d, e, f, g, h, a, b, c, K(13), x[13] );
367 R( c, d, e, f, g, h, a, b, K(14), x[14] );
368 R( b, c, d, e, f, g, h, a, K(15), x[15] );
369 R( a, b, c, d, e, f, g, h, K(16), M(16) );
370 R( h, a, b, c, d, e, f, g, K(17), M(17) );
371 R( g, h, a, b, c, d, e, f, K(18), M(18) );
372 R( f, g, h, a, b, c, d, e, K(19), M(19) );
373 R( e, f, g, h, a, b, c, d, K(20), M(20) );
374 R( d, e, f, g, h, a, b, c, K(21), M(21) );
375 R( c, d, e, f, g, h, a, b, K(22), M(22) );
376 R( b, c, d, e, f, g, h, a, K(23), M(23) );
377 R( a, b, c, d, e, f, g, h, K(24), M(24) );
378 R( h, a, b, c, d, e, f, g, K(25), M(25) );
379 R( g, h, a, b, c, d, e, f, K(26), M(26) );
380 R( f, g, h, a, b, c, d, e, K(27), M(27) );
381 R( e, f, g, h, a, b, c, d, K(28), M(28) );
382 R( d, e, f, g, h, a, b, c, K(29), M(29) );
383 R( c, d, e, f, g, h, a, b, K(30), M(30) );
384 R( b, c, d, e, f, g, h, a, K(31), M(31) );
385 R( a, b, c, d, e, f, g, h, K(32), M(32) );
386 R( h, a, b, c, d, e, f, g, K(33), M(33) );
387 R( g, h, a, b, c, d, e, f, K(34), M(34) );
388 R( f, g, h, a, b, c, d, e, K(35), M(35) );
389 R( e, f, g, h, a, b, c, d, K(36), M(36) );
390 R( d, e, f, g, h, a, b, c, K(37), M(37) );
391 R( c, d, e, f, g, h, a, b, K(38), M(38) );
392 R( b, c, d, e, f, g, h, a, K(39), M(39) );
393 R( a, b, c, d, e, f, g, h, K(40), M(40) );
394 R( h, a, b, c, d, e, f, g, K(41), M(41) );
395 R( g, h, a, b, c, d, e, f, K(42), M(42) );
396 R( f, g, h, a, b, c, d, e, K(43), M(43) );
397 R( e, f, g, h, a, b, c, d, K(44), M(44) );
398 R( d, e, f, g, h, a, b, c, K(45), M(45) );
399 R( c, d, e, f, g, h, a, b, K(46), M(46) );
400 R( b, c, d, e, f, g, h, a, K(47), M(47) );
401 R( a, b, c, d, e, f, g, h, K(48), M(48) );
402 R( h, a, b, c, d, e, f, g, K(49), M(49) );
403 R( g, h, a, b, c, d, e, f, K(50), M(50) );
404 R( f, g, h, a, b, c, d, e, K(51), M(51) );
405 R( e, f, g, h, a, b, c, d, K(52), M(52) );
406 R( d, e, f, g, h, a, b, c, K(53), M(53) );
407 R( c, d, e, f, g, h, a, b, K(54), M(54) );
408 R( b, c, d, e, f, g, h, a, K(55), M(55) );
409 R( a, b, c, d, e, f, g, h, K(56), M(56) );
410 R( h, a, b, c, d, e, f, g, K(57), M(57) );
411 R( g, h, a, b, c, d, e, f, K(58), M(58) );
412 R( f, g, h, a, b, c, d, e, K(59), M(59) );
413 R( e, f, g, h, a, b, c, d, K(60), M(60) );
414 R( d, e, f, g, h, a, b, c, K(61), M(61) );
415 R( c, d, e, f, g, h, a, b, K(62), M(62) );
416 R( b, c, d, e, f, g, h, a, K(63), M(63) );
417 R( a, b, c, d, e, f, g, h, K(64), M(64) );
418 R( h, a, b, c, d, e, f, g, K(65), M(65) );
419 R( g, h, a, b, c, d, e, f, K(66), M(66) );
420 R( f, g, h, a, b, c, d, e, K(67), M(67) );
421 R( e, f, g, h, a, b, c, d, K(68), M(68) );
422 R( d, e, f, g, h, a, b, c, K(69), M(69) );
423 R( c, d, e, f, g, h, a, b, K(70), M(70) );
424 R( b, c, d, e, f, g, h, a, K(71), M(71) );
425 R( a, b, c, d, e, f, g, h, K(72), M(72) );
426 R( h, a, b, c, d, e, f, g, K(73), M(73) );
427 R( g, h, a, b, c, d, e, f, K(74), M(74) );
428 R( f, g, h, a, b, c, d, e, K(75), M(75) );
429 R( e, f, g, h, a, b, c, d, K(76), M(76) );
430 R( d, e, f, g, h, a, b, c, K(77), M(77) );
431 R( c, d, e, f, g, h, a, b, K(78), M(78) );
432 R( b, c, d, e, f, g, h, a, K(79), M(79) );
433
434 a = ctx->state[0] = u64plus (ctx->state[0], a);
435 b = ctx->state[1] = u64plus (ctx->state[1], b);
436 c = ctx->state[2] = u64plus (ctx->state[2], c);
437 d = ctx->state[3] = u64plus (ctx->state[3], d);
438 e = ctx->state[4] = u64plus (ctx->state[4], e);
439 f = ctx->state[5] = u64plus (ctx->state[5], f);
440 g = ctx->state[6] = u64plus (ctx->state[6], g);
441 h = ctx->state[7] = u64plus (ctx->state[7], h);
442 }
443}
757aecff
MW		 444
445struct sha512 {
446 closure_t cl;
447 struct hash_if ops;
448};
449
450static void *sha512_init(void)
451 { struct sha512_ctx *ctx; NEW(ctx); sha512_init_ctx(ctx); return ctx; }
452
453static void sha512_update(void *st, const void *buf, int32_t len)
454 { struct sha512_ctx *ctx = st; sha512_process_bytes(buf, len, ctx); }
455
456static void sha512_final(void *st, uint8_t *digest)
457 { struct sha512_ctx *ctx = st; sha512_finish_ctx(ctx, digest); free(ctx); }
458
459void sha512_module(dict_t *dict)
460{
461 struct sha512 *st;
462
463 NEW(st);
464 st->cl.description="sha512";
465 st->cl.type=CL_HASH;
466 st->cl.apply=NULL;
467 st->cl.interface=&st->ops;
468 st->ops.len=64;
469 st->ops.init=sha512_init;
470 st->ops.update=sha512_update;
471 st->ops.final=sha512_final;
472
473 dict_add(dict,"sha512",new_closure(&st->cl));
474}
Secnet virtual private network: clone of http://www.chiark.greenend.org.uk/ucgi/~ian/git/secnet.git/