~mdw / secnet / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
sha512.[ch]: Remove a bunch of unused code.
[secnet] / sha512.c
1 /* sha512.c - Functions to compute SHA512 and SHA384 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005, 2006, 2008, 2009, 2010 Free Software Foundation, Inc.
5
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>. */
18
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
21 */
22
23 #include <config.h>
24
25 #include "sha512.h"
26
27 #include <stddef.h>
28 #include <stdlib.h>
29 #include <string.h>
30
31 #if USE_UNLOCKED_IO
32 # include "unlocked-io.h"
33 #endif
34
35 #ifdef WORDS_BIGENDIAN
36 # define SWAP(n) (n)
37 #else
38 # define SWAP(n) \
39 u64or (u64or (u64or (u64shl (n, 56), \
40 u64shl (u64and (n, u64lo (0x0000ff00)), 40)), \
41 u64or (u64shl (u64and (n, u64lo (0x00ff0000)), 24), \
42 u64shl (u64and (n, u64lo (0xff000000)), 8))), \
43 u64or (u64or (u64and (u64shr (n, 8), u64lo (0xff000000)), \
44 u64and (u64shr (n, 24), u64lo (0x00ff0000))), \
45 u64or (u64and (u64shr (n, 40), u64lo (0x0000ff00)), \
46 u64shr (n, 56))))
47 #endif
48
49 #define BLOCKSIZE 32768
50 #if BLOCKSIZE % 128 != 0
51 # error "invalid BLOCKSIZE"
52 #endif
53
54 /* This array contains the bytes used to pad the buffer to the next
55 128-byte boundary. */
56 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
57
58
59 /*
60 Takes a pointer to a 512 bit block of data (eight 64 bit ints) and
61 intializes it to the start constants of the SHA512 algorithm. This
62 must be called before using hash in the call to sha512_hash
63 */
64 void
65 sha512_init_ctx (struct sha512_ctx *ctx)
66 {
67 ctx->state[0] = u64hilo (0x6a09e667, 0xf3bcc908);
68 ctx->state[1] = u64hilo (0xbb67ae85, 0x84caa73b);
69 ctx->state[2] = u64hilo (0x3c6ef372, 0xfe94f82b);
70 ctx->state[3] = u64hilo (0xa54ff53a, 0x5f1d36f1);
71 ctx->state[4] = u64hilo (0x510e527f, 0xade682d1);
72 ctx->state[5] = u64hilo (0x9b05688c, 0x2b3e6c1f);
73 ctx->state[6] = u64hilo (0x1f83d9ab, 0xfb41bd6b);
74 ctx->state[7] = u64hilo (0x5be0cd19, 0x137e2179);
75
76 ctx->total[0] = ctx->total[1] = u64lo (0);
77 ctx->buflen = 0;
78 }
79
80 void
81 sha384_init_ctx (struct sha512_ctx *ctx)
82 {
83 ctx->state[0] = u64hilo (0xcbbb9d5d, 0xc1059ed8);
84 ctx->state[1] = u64hilo (0x629a292a, 0x367cd507);
85 ctx->state[2] = u64hilo (0x9159015a, 0x3070dd17);
86 ctx->state[3] = u64hilo (0x152fecd8, 0xf70e5939);
87 ctx->state[4] = u64hilo (0x67332667, 0xffc00b31);
88 ctx->state[5] = u64hilo (0x8eb44a87, 0x68581511);
89 ctx->state[6] = u64hilo (0xdb0c2e0d, 0x64f98fa7);
90 ctx->state[7] = u64hilo (0x47b5481d, 0xbefa4fa4);
91
92 ctx->total[0] = ctx->total[1] = u64lo (0);
93 ctx->buflen = 0;
94 }
95
96 /* Copy the value from V into the memory location pointed to by *CP,
97 If your architecture allows unaligned access, this is equivalent to
98 * (__typeof__ (v) *) cp = v */
99 static inline void
100 set_uint64 (char *cp, u64 v)
101 {
102 memcpy (cp, &v, sizeof v);
103 }
104
105 /* Put result from CTX in first 64 bytes following RESBUF.
106 The result must be in little endian byte order. */
107 void *
108 sha512_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
109 {
110 int i;
111 char *r = resbuf;
112
113 for (i = 0; i < 8; i++)
114 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
115
116 return resbuf;
117 }
118
119 void *
120 sha384_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
121 {
122 int i;
123 char *r = resbuf;
124
125 for (i = 0; i < 6; i++)
126 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
127
128 return resbuf;
129 }
130
131 /* Process the remaining bytes in the internal buffer and the usual
132 prolog according to the standard and write the result to RESBUF. */
133 static void
134 sha512_conclude_ctx (struct sha512_ctx *ctx)
135 {
136 /* Take yet unprocessed bytes into account. */
137 size_t bytes = ctx->buflen;
138 size_t size = (bytes < 112) ? 128 / 8 : 128 * 2 / 8;
139
140 /* Now count remaining bytes. */
141 ctx->total[0] = u64plus (ctx->total[0], u64lo (bytes));
142 if (u64lt (ctx->total[0], u64lo (bytes)))
143 ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
144
145 /* Put the 128-bit file length in *bits* at the end of the buffer.
146 Use set_uint64 rather than a simple assignment, to avoid risk of
147 unaligned access. */
148 set_uint64 ((char *) &ctx->buffer[size - 2],
149 SWAP (u64or (u64shl (ctx->total[1], 3),
150 u64shr (ctx->total[0], 61))));
151 set_uint64 ((char *) &ctx->buffer[size - 1],
152 SWAP (u64shl (ctx->total[0], 3)));
153
154 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 8 - bytes);
155
156 /* Process last bytes. */
157 sha512_process_block (ctx->buffer, size * 8, ctx);
158 }
159
160 void *
161 sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
162 {
163 sha512_conclude_ctx (ctx);
164 return sha512_read_ctx (ctx, resbuf);
165 }
166
167 void *
168 sha384_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
169 {
170 sha512_conclude_ctx (ctx);
171 return sha384_read_ctx (ctx, resbuf);
172 }
173
174 void
175 sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
176 {
177 /* When we already have some bits in our internal buffer concatenate
178 both inputs first. */
179 if (ctx->buflen != 0)
180 {
181 size_t left_over = ctx->buflen;
182 size_t add = 256 - left_over > len ? len : 256 - left_over;
183
184 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
185 ctx->buflen += add;
186
187 if (ctx->buflen > 128)
188 {
189 sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
190
191 ctx->buflen &= 127;
192 /* The regions in the following copy operation cannot overlap. */
193 memcpy (ctx->buffer,
194 &((char *) ctx->buffer)[(left_over + add) & ~127],
195 ctx->buflen);
196 }
197
198 buffer = (const char *) buffer + add;
199 len -= add;
200 }
201
202 /* Process available complete blocks. */
203 if (len >= 128)
204 {
205 #if !_STRING_ARCH_unaligned
206 # define alignof(type) offsetof (struct { char c; type x; }, x)
207 # define UNALIGNED_P(p) (((size_t) p) % alignof (u64) != 0)
208 if (UNALIGNED_P (buffer))
209 while (len > 128)
210 {
211 sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128, ctx);
212 buffer = (const char *) buffer + 128;
213 len -= 128;
214 }
215 else
216 #endif
217 {
218 sha512_process_block (buffer, len & ~127, ctx);
219 buffer = (const char *) buffer + (len & ~127);
220 len &= 127;
221 }
222 }
223
224 /* Move remaining bytes in internal buffer. */
225 if (len > 0)
226 {
227 size_t left_over = ctx->buflen;
228
229 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
230 left_over += len;
231 if (left_over >= 128)
232 {
233 sha512_process_block (ctx->buffer, 128, ctx);
234 left_over -= 128;
235 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
236 }
237 ctx->buflen = left_over;
238 }
239 }
240
241 /* --- Code below is the primary difference between sha1.c and sha512.c --- */
242
243 /* SHA512 round constants */
244 #define K(I) sha512_round_constants[I]
245 static u64 const sha512_round_constants[80] = {
246 u64init (0x428a2f98, 0xd728ae22), u64init (0x71374491, 0x23ef65cd),
247 u64init (0xb5c0fbcf, 0xec4d3b2f), u64init (0xe9b5dba5, 0x8189dbbc),
248 u64init (0x3956c25b, 0xf348b538), u64init (0x59f111f1, 0xb605d019),
249 u64init (0x923f82a4, 0xaf194f9b), u64init (0xab1c5ed5, 0xda6d8118),
250 u64init (0xd807aa98, 0xa3030242), u64init (0x12835b01, 0x45706fbe),
251 u64init (0x243185be, 0x4ee4b28c), u64init (0x550c7dc3, 0xd5ffb4e2),
252 u64init (0x72be5d74, 0xf27b896f), u64init (0x80deb1fe, 0x3b1696b1),
253 u64init (0x9bdc06a7, 0x25c71235), u64init (0xc19bf174, 0xcf692694),
254 u64init (0xe49b69c1, 0x9ef14ad2), u64init (0xefbe4786, 0x384f25e3),
255 u64init (0x0fc19dc6, 0x8b8cd5b5), u64init (0x240ca1cc, 0x77ac9c65),
256 u64init (0x2de92c6f, 0x592b0275), u64init (0x4a7484aa, 0x6ea6e483),
257 u64init (0x5cb0a9dc, 0xbd41fbd4), u64init (0x76f988da, 0x831153b5),
258 u64init (0x983e5152, 0xee66dfab), u64init (0xa831c66d, 0x2db43210),
259 u64init (0xb00327c8, 0x98fb213f), u64init (0xbf597fc7, 0xbeef0ee4),
260 u64init (0xc6e00bf3, 0x3da88fc2), u64init (0xd5a79147, 0x930aa725),
261 u64init (0x06ca6351, 0xe003826f), u64init (0x14292967, 0x0a0e6e70),
262 u64init (0x27b70a85, 0x46d22ffc), u64init (0x2e1b2138, 0x5c26c926),
263 u64init (0x4d2c6dfc, 0x5ac42aed), u64init (0x53380d13, 0x9d95b3df),
264 u64init (0x650a7354, 0x8baf63de), u64init (0x766a0abb, 0x3c77b2a8),
265 u64init (0x81c2c92e, 0x47edaee6), u64init (0x92722c85, 0x1482353b),
266 u64init (0xa2bfe8a1, 0x4cf10364), u64init (0xa81a664b, 0xbc423001),
267 u64init (0xc24b8b70, 0xd0f89791), u64init (0xc76c51a3, 0x0654be30),
268 u64init (0xd192e819, 0xd6ef5218), u64init (0xd6990624, 0x5565a910),
269 u64init (0xf40e3585, 0x5771202a), u64init (0x106aa070, 0x32bbd1b8),
270 u64init (0x19a4c116, 0xb8d2d0c8), u64init (0x1e376c08, 0x5141ab53),
271 u64init (0x2748774c, 0xdf8eeb99), u64init (0x34b0bcb5, 0xe19b48a8),
272 u64init (0x391c0cb3, 0xc5c95a63), u64init (0x4ed8aa4a, 0xe3418acb),
273 u64init (0x5b9cca4f, 0x7763e373), u64init (0x682e6ff3, 0xd6b2b8a3),
274 u64init (0x748f82ee, 0x5defb2fc), u64init (0x78a5636f, 0x43172f60),
275 u64init (0x84c87814, 0xa1f0ab72), u64init (0x8cc70208, 0x1a6439ec),
276 u64init (0x90befffa, 0x23631e28), u64init (0xa4506ceb, 0xde82bde9),
277 u64init (0xbef9a3f7, 0xb2c67915), u64init (0xc67178f2, 0xe372532b),
278 u64init (0xca273ece, 0xea26619c), u64init (0xd186b8c7, 0x21c0c207),
279 u64init (0xeada7dd6, 0xcde0eb1e), u64init (0xf57d4f7f, 0xee6ed178),
280 u64init (0x06f067aa, 0x72176fba), u64init (0x0a637dc5, 0xa2c898a6),
281 u64init (0x113f9804, 0xbef90dae), u64init (0x1b710b35, 0x131c471b),
282 u64init (0x28db77f5, 0x23047d84), u64init (0x32caab7b, 0x40c72493),
283 u64init (0x3c9ebe0a, 0x15c9bebc), u64init (0x431d67c4, 0x9c100d4c),
284 u64init (0x4cc5d4be, 0xcb3e42b6), u64init (0x597f299c, 0xfc657e2a),
285 u64init (0x5fcb6fab, 0x3ad6faec), u64init (0x6c44198c, 0x4a475817),
286 };
287
288 /* Round functions. */
289 #define F2(A, B, C) u64or (u64and (A, B), u64and (C, u64or (A, B)))
290 #define F1(E, F, G) u64xor (G, u64and (E, u64xor (F, G)))
291
292 /* Process LEN bytes of BUFFER, accumulating context into CTX.
293 It is assumed that LEN % 128 == 0.
294 Most of this code comes from GnuPG's cipher/sha1.c. */
295
296 void
297 sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
298 {
299 u64 const *words = buffer;
300 u64 const *endp = words + len / sizeof (u64);
301 u64 x[16];
302 u64 a = ctx->state[0];
303 u64 b = ctx->state[1];
304 u64 c = ctx->state[2];
305 u64 d = ctx->state[3];
306 u64 e = ctx->state[4];
307 u64 f = ctx->state[5];
308 u64 g = ctx->state[6];
309 u64 h = ctx->state[7];
310
311 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
312 length of the file up to 2^128 bits. Here we only compute the
313 number of bytes. Do a double word increment. */
314 ctx->total[0] = u64plus (ctx->total[0], u64lo (len));
315 if (u64lt (ctx->total[0], u64lo (len)))
316 ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
317
318 #define S0(x) u64xor (u64rol(x, 63), u64xor (u64rol (x, 56), u64shr (x, 7)))
319 #define S1(x) u64xor (u64rol (x, 45), u64xor (u64rol (x, 3), u64shr (x, 6)))
320 #define SS0(x) u64xor (u64rol (x, 36), u64xor (u64rol (x, 30), u64rol (x, 25)))
321 #define SS1(x) u64xor (u64rol(x, 50), u64xor (u64rol (x, 46), u64rol (x, 23)))
322
323 #define M(I) (x[(I) & 15] \
324 = u64plus (x[(I) & 15], \
325 u64plus (S1 (x[((I) - 2) & 15]), \
326 u64plus (x[((I) - 7) & 15], \
327 S0 (x[((I) - 15) & 15])))))
328
329 #define R(A, B, C, D, E, F, G, H, K, M) \
330 do \
331 { \
332 u64 t0 = u64plus (SS0 (A), F2 (A, B, C)); \
333 u64 t1 = \
334 u64plus (H, u64plus (SS1 (E), \
335 u64plus (F1 (E, F, G), u64plus (K, M)))); \
336 D = u64plus (D, t1); \
337 H = u64plus (t0, t1); \
338 } \
339 while (0)
340
341 while (words < endp)
342 {
343 int t;
344 /* FIXME: see sha1.c for a better implementation. */
345 for (t = 0; t < 16; t++)
346 {
347 x[t] = SWAP (*words);
348 words++;
349 }
350
351 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
352 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
353 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
354 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
355 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
356 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
357 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
358 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
359 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
360 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
361 R( g, h, a, b, c, d, e, f, K(10), x[10] );
362 R( f, g, h, a, b, c, d, e, K(11), x[11] );
363 R( e, f, g, h, a, b, c, d, K(12), x[12] );
364 R( d, e, f, g, h, a, b, c, K(13), x[13] );
365 R( c, d, e, f, g, h, a, b, K(14), x[14] );
366 R( b, c, d, e, f, g, h, a, K(15), x[15] );
367 R( a, b, c, d, e, f, g, h, K(16), M(16) );
368 R( h, a, b, c, d, e, f, g, K(17), M(17) );
369 R( g, h, a, b, c, d, e, f, K(18), M(18) );
370 R( f, g, h, a, b, c, d, e, K(19), M(19) );
371 R( e, f, g, h, a, b, c, d, K(20), M(20) );
372 R( d, e, f, g, h, a, b, c, K(21), M(21) );
373 R( c, d, e, f, g, h, a, b, K(22), M(22) );
374 R( b, c, d, e, f, g, h, a, K(23), M(23) );
375 R( a, b, c, d, e, f, g, h, K(24), M(24) );
376 R( h, a, b, c, d, e, f, g, K(25), M(25) );
377 R( g, h, a, b, c, d, e, f, K(26), M(26) );
378 R( f, g, h, a, b, c, d, e, K(27), M(27) );
379 R( e, f, g, h, a, b, c, d, K(28), M(28) );
380 R( d, e, f, g, h, a, b, c, K(29), M(29) );
381 R( c, d, e, f, g, h, a, b, K(30), M(30) );
382 R( b, c, d, e, f, g, h, a, K(31), M(31) );
383 R( a, b, c, d, e, f, g, h, K(32), M(32) );
384 R( h, a, b, c, d, e, f, g, K(33), M(33) );
385 R( g, h, a, b, c, d, e, f, K(34), M(34) );
386 R( f, g, h, a, b, c, d, e, K(35), M(35) );
387 R( e, f, g, h, a, b, c, d, K(36), M(36) );
388 R( d, e, f, g, h, a, b, c, K(37), M(37) );
389 R( c, d, e, f, g, h, a, b, K(38), M(38) );
390 R( b, c, d, e, f, g, h, a, K(39), M(39) );
391 R( a, b, c, d, e, f, g, h, K(40), M(40) );
392 R( h, a, b, c, d, e, f, g, K(41), M(41) );
393 R( g, h, a, b, c, d, e, f, K(42), M(42) );
394 R( f, g, h, a, b, c, d, e, K(43), M(43) );
395 R( e, f, g, h, a, b, c, d, K(44), M(44) );
396 R( d, e, f, g, h, a, b, c, K(45), M(45) );
397 R( c, d, e, f, g, h, a, b, K(46), M(46) );
398 R( b, c, d, e, f, g, h, a, K(47), M(47) );
399 R( a, b, c, d, e, f, g, h, K(48), M(48) );
400 R( h, a, b, c, d, e, f, g, K(49), M(49) );
401 R( g, h, a, b, c, d, e, f, K(50), M(50) );
402 R( f, g, h, a, b, c, d, e, K(51), M(51) );
403 R( e, f, g, h, a, b, c, d, K(52), M(52) );
404 R( d, e, f, g, h, a, b, c, K(53), M(53) );
405 R( c, d, e, f, g, h, a, b, K(54), M(54) );
406 R( b, c, d, e, f, g, h, a, K(55), M(55) );
407 R( a, b, c, d, e, f, g, h, K(56), M(56) );
408 R( h, a, b, c, d, e, f, g, K(57), M(57) );
409 R( g, h, a, b, c, d, e, f, K(58), M(58) );
410 R( f, g, h, a, b, c, d, e, K(59), M(59) );
411 R( e, f, g, h, a, b, c, d, K(60), M(60) );
412 R( d, e, f, g, h, a, b, c, K(61), M(61) );
413 R( c, d, e, f, g, h, a, b, K(62), M(62) );
414 R( b, c, d, e, f, g, h, a, K(63), M(63) );
415 R( a, b, c, d, e, f, g, h, K(64), M(64) );
416 R( h, a, b, c, d, e, f, g, K(65), M(65) );
417 R( g, h, a, b, c, d, e, f, K(66), M(66) );
418 R( f, g, h, a, b, c, d, e, K(67), M(67) );
419 R( e, f, g, h, a, b, c, d, K(68), M(68) );
420 R( d, e, f, g, h, a, b, c, K(69), M(69) );
421 R( c, d, e, f, g, h, a, b, K(70), M(70) );
422 R( b, c, d, e, f, g, h, a, K(71), M(71) );
423 R( a, b, c, d, e, f, g, h, K(72), M(72) );
424 R( h, a, b, c, d, e, f, g, K(73), M(73) );
425 R( g, h, a, b, c, d, e, f, K(74), M(74) );
426 R( f, g, h, a, b, c, d, e, K(75), M(75) );
427 R( e, f, g, h, a, b, c, d, K(76), M(76) );
428 R( d, e, f, g, h, a, b, c, K(77), M(77) );
429 R( c, d, e, f, g, h, a, b, K(78), M(78) );
430 R( b, c, d, e, f, g, h, a, K(79), M(79) );
431
432 a = ctx->state[0] = u64plus (ctx->state[0], a);
433 b = ctx->state[1] = u64plus (ctx->state[1], b);
434 c = ctx->state[2] = u64plus (ctx->state[2], c);
435 d = ctx->state[3] = u64plus (ctx->state[3], d);
436 e = ctx->state[4] = u64plus (ctx->state[4], e);
437 f = ctx->state[5] = u64plus (ctx->state[5], f);
438 g = ctx->state[6] = u64plus (ctx->state[6], g);
439 h = ctx->state[7] = u64plus (ctx->state[7], h);
440 }
441 }
Secnet virtual private network: clone of http://www.chiark.greenend.org.uk/ucgi/~ian/git/secnet.git/