1 /* 2 * FIPS 180-2 SHA-224/256/384/512 implementation 3 * Last update: 02/02/2007 4 * Issue date: 04/30/2005 5 * 6 * Since this code has been incorporated into a GPLv2 project, it is 7 * distributed under GPLv2 inside mmc-utils. The original BSD license 8 * that the code was released under is included below for clarity. 9 * 10 * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay (at) a3.epfl.ch> 11 * All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of the project nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 */ 37 38 #if 0 39 #define UNROLL_LOOPS /* Enable loops unrolling */ 40 #endif 41 42 #include <string.h> 43 44 #include "sha2.h" 45 46 #define SHFR(x, n) (x >> n) 47 #define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n))) 48 #define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n))) 49 #define CH(x, y, z) ((x & y) ^ (~x & z)) 50 #define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) 51 52 #define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) 53 #define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) 54 #define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3)) 55 #define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10)) 56 57 #define SHA512_F1(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39)) 58 #define SHA512_F2(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41)) 59 #define SHA512_F3(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHFR(x, 7)) 60 #define SHA512_F4(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHFR(x, 6)) 61 62 #define UNPACK32(x, str) \ 63 { \ 64 *((str) + 3) = (uint8) ((x) ); \ 65 *((str) + 2) = (uint8) ((x) >> 8); \ 66 *((str) + 1) = (uint8) ((x) >> 16); \ 67 *((str) + 0) = (uint8) ((x) >> 24); \ 68 } 69 70 #define PACK32(str, x) \ 71 { \ 72 *(x) = ((uint32) *((str) + 3) ) \ 73 | ((uint32) *((str) + 2) << 8) \ 74 | ((uint32) *((str) + 1) << 16) \ 75 | ((uint32) *((str) + 0) << 24); \ 76 } 77 78 #define UNPACK64(x, str) \ 79 { \ 80 *((str) + 7) = (uint8) ((x) ); \ 81 *((str) + 6) = (uint8) ((x) >> 8); \ 82 *((str) + 5) = (uint8) ((x) >> 16); \ 83 *((str) + 4) = (uint8) ((x) >> 24); \ 84 *((str) + 3) = (uint8) ((x) >> 32); \ 85 *((str) + 2) = (uint8) ((x) >> 40); \ 86 *((str) + 1) = (uint8) ((x) >> 48); \ 87 *((str) + 0) = (uint8) ((x) >> 56); \ 88 } 89 90 #define PACK64(str, x) \ 91 { \ 92 *(x) = ((uint64) *((str) + 7) ) \ 93 | ((uint64) *((str) + 6) << 8) \ 94 | ((uint64) *((str) + 5) << 16) \ 95 | ((uint64) *((str) + 4) << 24) \ 96 | ((uint64) *((str) + 3) << 32) \ 97 | ((uint64) *((str) + 2) << 40) \ 98 | ((uint64) *((str) + 1) << 48) \ 99 | ((uint64) *((str) + 0) << 56); \ 100 } 101 102 /* Macros used for loops unrolling */ 103 104 #define SHA256_SCR(i) \ 105 { \ 106 w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \ 107 + SHA256_F3(w[i - 15]) + w[i - 16]; \ 108 } 109 110 #define SHA512_SCR(i) \ 111 { \ 112 w[i] = SHA512_F4(w[i - 2]) + w[i - 7] \ 113 + SHA512_F3(w[i - 15]) + w[i - 16]; \ 114 } 115 116 #define SHA256_EXP(a, b, c, d, e, f, g, h, j) \ 117 { \ 118 t1 = wv[h] + SHA256_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \ 119 + sha256_k[j] + w[j]; \ 120 t2 = SHA256_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \ 121 wv[d] += t1; \ 122 wv[h] = t1 + t2; \ 123 } 124 125 #define SHA512_EXP(a, b, c, d, e, f, g ,h, j) \ 126 { \ 127 t1 = wv[h] + SHA512_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \ 128 + sha512_k[j] + w[j]; \ 129 t2 = SHA512_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \ 130 wv[d] += t1; \ 131 wv[h] = t1 + t2; \ 132 } 133 134 uint32 sha224_h0[8] = 135 {0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 136 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4}; 137 138 uint32 sha256_h0[8] = 139 {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 140 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19}; 141 142 uint64 sha384_h0[8] = 143 {0xcbbb9d5dc1059ed8ULL, 0x629a292a367cd507ULL, 144 0x9159015a3070dd17ULL, 0x152fecd8f70e5939ULL, 145 0x67332667ffc00b31ULL, 0x8eb44a8768581511ULL, 146 0xdb0c2e0d64f98fa7ULL, 0x47b5481dbefa4fa4ULL}; 147 148 uint64 sha512_h0[8] = 149 {0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, 150 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, 151 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, 152 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL}; 153 154 uint32 sha256_k[64] = 155 {0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 156 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 157 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 158 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 159 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 160 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 161 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 162 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 163 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 164 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 165 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 166 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 167 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 168 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 169 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 170 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2}; 171 172 uint64 sha512_k[80] = 173 {0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 174 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 175 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 176 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 177 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 178 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 179 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 180 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 181 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 182 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 183 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 184 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 185 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 186 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 187 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 188 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 189 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 190 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 191 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 192 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 193 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 194 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 195 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 196 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 197 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 198 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 199 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 200 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 201 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 202 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 203 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 204 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 205 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 206 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 207 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 208 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 209 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 210 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 211 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 212 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL}; 213 214 /* SHA-256 functions */ 215 216 void sha256_transf(sha256_ctx *ctx, const unsigned char *message, 217 unsigned int block_nb) 218 { 219 uint32 w[64]; 220 uint32 wv[8]; 221 uint32 t1, t2; 222 const unsigned char *sub_block; 223 int i; 224 225 #ifndef UNROLL_LOOPS 226 int j; 227 #endif 228 229 for (i = 0; i < (int) block_nb; i++) { 230 sub_block = message + (i << 6); 231 232 #ifndef UNROLL_LOOPS 233 for (j = 0; j < 16; j++) { 234 PACK32(&sub_block[j << 2], &w[j]); 235 } 236 237 for (j = 16; j < 64; j++) { 238 SHA256_SCR(j); 239 } 240 241 for (j = 0; j < 8; j++) { 242 wv[j] = ctx->h[j]; 243 } 244 245 for (j = 0; j < 64; j++) { 246 t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6]) 247 + sha256_k[j] + w[j]; 248 t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]); 249 wv[7] = wv[6]; 250 wv[6] = wv[5]; 251 wv[5] = wv[4]; 252 wv[4] = wv[3] + t1; 253 wv[3] = wv[2]; 254 wv[2] = wv[1]; 255 wv[1] = wv[0]; 256 wv[0] = t1 + t2; 257 } 258 259 for (j = 0; j < 8; j++) { 260 ctx->h[j] += wv[j]; 261 } 262 #else 263 PACK32(&sub_block[ 0], &w[ 0]); PACK32(&sub_block[ 4], &w[ 1]); 264 PACK32(&sub_block[ 8], &w[ 2]); PACK32(&sub_block[12], &w[ 3]); 265 PACK32(&sub_block[16], &w[ 4]); PACK32(&sub_block[20], &w[ 5]); 266 PACK32(&sub_block[24], &w[ 6]); PACK32(&sub_block[28], &w[ 7]); 267 PACK32(&sub_block[32], &w[ 8]); PACK32(&sub_block[36], &w[ 9]); 268 PACK32(&sub_block[40], &w[10]); PACK32(&sub_block[44], &w[11]); 269 PACK32(&sub_block[48], &w[12]); PACK32(&sub_block[52], &w[13]); 270 PACK32(&sub_block[56], &w[14]); PACK32(&sub_block[60], &w[15]); 271 272 SHA256_SCR(16); SHA256_SCR(17); SHA256_SCR(18); SHA256_SCR(19); 273 SHA256_SCR(20); SHA256_SCR(21); SHA256_SCR(22); SHA256_SCR(23); 274 SHA256_SCR(24); SHA256_SCR(25); SHA256_SCR(26); SHA256_SCR(27); 275 SHA256_SCR(28); SHA256_SCR(29); SHA256_SCR(30); SHA256_SCR(31); 276 SHA256_SCR(32); SHA256_SCR(33); SHA256_SCR(34); SHA256_SCR(35); 277 SHA256_SCR(36); SHA256_SCR(37); SHA256_SCR(38); SHA256_SCR(39); 278 SHA256_SCR(40); SHA256_SCR(41); SHA256_SCR(42); SHA256_SCR(43); 279 SHA256_SCR(44); SHA256_SCR(45); SHA256_SCR(46); SHA256_SCR(47); 280 SHA256_SCR(48); SHA256_SCR(49); SHA256_SCR(50); SHA256_SCR(51); 281 SHA256_SCR(52); SHA256_SCR(53); SHA256_SCR(54); SHA256_SCR(55); 282 SHA256_SCR(56); SHA256_SCR(57); SHA256_SCR(58); SHA256_SCR(59); 283 SHA256_SCR(60); SHA256_SCR(61); SHA256_SCR(62); SHA256_SCR(63); 284 285 wv[0] = ctx->h[0]; wv[1] = ctx->h[1]; 286 wv[2] = ctx->h[2]; wv[3] = ctx->h[3]; 287 wv[4] = ctx->h[4]; wv[5] = ctx->h[5]; 288 wv[6] = ctx->h[6]; wv[7] = ctx->h[7]; 289 290 SHA256_EXP(0,1,2,3,4,5,6,7, 0); SHA256_EXP(7,0,1,2,3,4,5,6, 1); 291 SHA256_EXP(6,7,0,1,2,3,4,5, 2); SHA256_EXP(5,6,7,0,1,2,3,4, 3); 292 SHA256_EXP(4,5,6,7,0,1,2,3, 4); SHA256_EXP(3,4,5,6,7,0,1,2, 5); 293 SHA256_EXP(2,3,4,5,6,7,0,1, 6); SHA256_EXP(1,2,3,4,5,6,7,0, 7); 294 SHA256_EXP(0,1,2,3,4,5,6,7, 8); SHA256_EXP(7,0,1,2,3,4,5,6, 9); 295 SHA256_EXP(6,7,0,1,2,3,4,5,10); SHA256_EXP(5,6,7,0,1,2,3,4,11); 296 SHA256_EXP(4,5,6,7,0,1,2,3,12); SHA256_EXP(3,4,5,6,7,0,1,2,13); 297 SHA256_EXP(2,3,4,5,6,7,0,1,14); SHA256_EXP(1,2,3,4,5,6,7,0,15); 298 SHA256_EXP(0,1,2,3,4,5,6,7,16); SHA256_EXP(7,0,1,2,3,4,5,6,17); 299 SHA256_EXP(6,7,0,1,2,3,4,5,18); SHA256_EXP(5,6,7,0,1,2,3,4,19); 300 SHA256_EXP(4,5,6,7,0,1,2,3,20); SHA256_EXP(3,4,5,6,7,0,1,2,21); 301 SHA256_EXP(2,3,4,5,6,7,0,1,22); SHA256_EXP(1,2,3,4,5,6,7,0,23); 302 SHA256_EXP(0,1,2,3,4,5,6,7,24); SHA256_EXP(7,0,1,2,3,4,5,6,25); 303 SHA256_EXP(6,7,0,1,2,3,4,5,26); SHA256_EXP(5,6,7,0,1,2,3,4,27); 304 SHA256_EXP(4,5,6,7,0,1,2,3,28); SHA256_EXP(3,4,5,6,7,0,1,2,29); 305 SHA256_EXP(2,3,4,5,6,7,0,1,30); SHA256_EXP(1,2,3,4,5,6,7,0,31); 306 SHA256_EXP(0,1,2,3,4,5,6,7,32); SHA256_EXP(7,0,1,2,3,4,5,6,33); 307 SHA256_EXP(6,7,0,1,2,3,4,5,34); SHA256_EXP(5,6,7,0,1,2,3,4,35); 308 SHA256_EXP(4,5,6,7,0,1,2,3,36); SHA256_EXP(3,4,5,6,7,0,1,2,37); 309 SHA256_EXP(2,3,4,5,6,7,0,1,38); SHA256_EXP(1,2,3,4,5,6,7,0,39); 310 SHA256_EXP(0,1,2,3,4,5,6,7,40); SHA256_EXP(7,0,1,2,3,4,5,6,41); 311 SHA256_EXP(6,7,0,1,2,3,4,5,42); SHA256_EXP(5,6,7,0,1,2,3,4,43); 312 SHA256_EXP(4,5,6,7,0,1,2,3,44); SHA256_EXP(3,4,5,6,7,0,1,2,45); 313 SHA256_EXP(2,3,4,5,6,7,0,1,46); SHA256_EXP(1,2,3,4,5,6,7,0,47); 314 SHA256_EXP(0,1,2,3,4,5,6,7,48); SHA256_EXP(7,0,1,2,3,4,5,6,49); 315 SHA256_EXP(6,7,0,1,2,3,4,5,50); SHA256_EXP(5,6,7,0,1,2,3,4,51); 316 SHA256_EXP(4,5,6,7,0,1,2,3,52); SHA256_EXP(3,4,5,6,7,0,1,2,53); 317 SHA256_EXP(2,3,4,5,6,7,0,1,54); SHA256_EXP(1,2,3,4,5,6,7,0,55); 318 SHA256_EXP(0,1,2,3,4,5,6,7,56); SHA256_EXP(7,0,1,2,3,4,5,6,57); 319 SHA256_EXP(6,7,0,1,2,3,4,5,58); SHA256_EXP(5,6,7,0,1,2,3,4,59); 320 SHA256_EXP(4,5,6,7,0,1,2,3,60); SHA256_EXP(3,4,5,6,7,0,1,2,61); 321 SHA256_EXP(2,3,4,5,6,7,0,1,62); SHA256_EXP(1,2,3,4,5,6,7,0,63); 322 323 ctx->h[0] += wv[0]; ctx->h[1] += wv[1]; 324 ctx->h[2] += wv[2]; ctx->h[3] += wv[3]; 325 ctx->h[4] += wv[4]; ctx->h[5] += wv[5]; 326 ctx->h[6] += wv[6]; ctx->h[7] += wv[7]; 327 #endif /* !UNROLL_LOOPS */ 328 } 329 } 330 331 void sha256(const unsigned char *message, unsigned int len, unsigned char *digest) 332 { 333 sha256_ctx ctx; 334 335 sha256_init(&ctx); 336 sha256_update(&ctx, message, len); 337 sha256_final(&ctx, digest); 338 } 339 340 void sha256_init(sha256_ctx *ctx) 341 { 342 #ifndef UNROLL_LOOPS 343 int i; 344 for (i = 0; i < 8; i++) { 345 ctx->h[i] = sha256_h0[i]; 346 } 347 #else 348 ctx->h[0] = sha256_h0[0]; ctx->h[1] = sha256_h0[1]; 349 ctx->h[2] = sha256_h0[2]; ctx->h[3] = sha256_h0[3]; 350 ctx->h[4] = sha256_h0[4]; ctx->h[5] = sha256_h0[5]; 351 ctx->h[6] = sha256_h0[6]; ctx->h[7] = sha256_h0[7]; 352 #endif /* !UNROLL_LOOPS */ 353 354 ctx->len = 0; 355 ctx->tot_len = 0; 356 } 357 358 void sha256_update(sha256_ctx *ctx, const unsigned char *message, 359 unsigned int len) 360 { 361 unsigned int block_nb; 362 unsigned int new_len, rem_len, tmp_len; 363 const unsigned char *shifted_message; 364 365 tmp_len = SHA256_BLOCK_SIZE - ctx->len; 366 rem_len = len < tmp_len ? len : tmp_len; 367 368 memcpy(&ctx->block[ctx->len], message, rem_len); 369 370 if (ctx->len + len < SHA256_BLOCK_SIZE) { 371 ctx->len += len; 372 return; 373 } 374 375 new_len = len - rem_len; 376 block_nb = new_len / SHA256_BLOCK_SIZE; 377 378 shifted_message = message + rem_len; 379 380 sha256_transf(ctx, ctx->block, 1); 381 sha256_transf(ctx, shifted_message, block_nb); 382 383 rem_len = new_len % SHA256_BLOCK_SIZE; 384 385 memcpy(ctx->block, &shifted_message[block_nb << 6], 386 rem_len); 387 388 ctx->len = rem_len; 389 ctx->tot_len += (block_nb + 1) << 6; 390 } 391 392 void sha256_final(sha256_ctx *ctx, unsigned char *digest) 393 { 394 unsigned int block_nb; 395 unsigned int pm_len; 396 unsigned int len_b; 397 398 #ifndef UNROLL_LOOPS 399 int i; 400 #endif 401 402 block_nb = (1 + ((SHA256_BLOCK_SIZE - 9) 403 < (ctx->len % SHA256_BLOCK_SIZE))); 404 405 len_b = (ctx->tot_len + ctx->len) << 3; 406 pm_len = block_nb << 6; 407 408 memset(ctx->block + ctx->len, 0, pm_len - ctx->len); 409 ctx->block[ctx->len] = 0x80; 410 UNPACK32(len_b, ctx->block + pm_len - 4); 411 412 sha256_transf(ctx, ctx->block, block_nb); 413 414 #ifndef UNROLL_LOOPS 415 for (i = 0 ; i < 8; i++) { 416 UNPACK32(ctx->h[i], &digest[i << 2]); 417 } 418 #else 419 UNPACK32(ctx->h[0], &digest[ 0]); 420 UNPACK32(ctx->h[1], &digest[ 4]); 421 UNPACK32(ctx->h[2], &digest[ 8]); 422 UNPACK32(ctx->h[3], &digest[12]); 423 UNPACK32(ctx->h[4], &digest[16]); 424 UNPACK32(ctx->h[5], &digest[20]); 425 UNPACK32(ctx->h[6], &digest[24]); 426 UNPACK32(ctx->h[7], &digest[28]); 427 #endif /* !UNROLL_LOOPS */ 428 } 429 430 /* SHA-512 functions */ 431 432 void sha512_transf(sha512_ctx *ctx, const unsigned char *message, 433 unsigned int block_nb) 434 { 435 uint64 w[80]; 436 uint64 wv[8]; 437 uint64 t1, t2; 438 const unsigned char *sub_block; 439 int i, j; 440 441 for (i = 0; i < (int) block_nb; i++) { 442 sub_block = message + (i << 7); 443 444 #ifndef UNROLL_LOOPS 445 for (j = 0; j < 16; j++) { 446 PACK64(&sub_block[j << 3], &w[j]); 447 } 448 449 for (j = 16; j < 80; j++) { 450 SHA512_SCR(j); 451 } 452 453 for (j = 0; j < 8; j++) { 454 wv[j] = ctx->h[j]; 455 } 456 457 for (j = 0; j < 80; j++) { 458 t1 = wv[7] + SHA512_F2(wv[4]) + CH(wv[4], wv[5], wv[6]) 459 + sha512_k[j] + w[j]; 460 t2 = SHA512_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]); 461 wv[7] = wv[6]; 462 wv[6] = wv[5]; 463 wv[5] = wv[4]; 464 wv[4] = wv[3] + t1; 465 wv[3] = wv[2]; 466 wv[2] = wv[1]; 467 wv[1] = wv[0]; 468 wv[0] = t1 + t2; 469 } 470 471 for (j = 0; j < 8; j++) { 472 ctx->h[j] += wv[j]; 473 } 474 #else 475 PACK64(&sub_block[ 0], &w[ 0]); PACK64(&sub_block[ 8], &w[ 1]); 476 PACK64(&sub_block[ 16], &w[ 2]); PACK64(&sub_block[ 24], &w[ 3]); 477 PACK64(&sub_block[ 32], &w[ 4]); PACK64(&sub_block[ 40], &w[ 5]); 478 PACK64(&sub_block[ 48], &w[ 6]); PACK64(&sub_block[ 56], &w[ 7]); 479 PACK64(&sub_block[ 64], &w[ 8]); PACK64(&sub_block[ 72], &w[ 9]); 480 PACK64(&sub_block[ 80], &w[10]); PACK64(&sub_block[ 88], &w[11]); 481 PACK64(&sub_block[ 96], &w[12]); PACK64(&sub_block[104], &w[13]); 482 PACK64(&sub_block[112], &w[14]); PACK64(&sub_block[120], &w[15]); 483 484 SHA512_SCR(16); SHA512_SCR(17); SHA512_SCR(18); SHA512_SCR(19); 485 SHA512_SCR(20); SHA512_SCR(21); SHA512_SCR(22); SHA512_SCR(23); 486 SHA512_SCR(24); SHA512_SCR(25); SHA512_SCR(26); SHA512_SCR(27); 487 SHA512_SCR(28); SHA512_SCR(29); SHA512_SCR(30); SHA512_SCR(31); 488 SHA512_SCR(32); SHA512_SCR(33); SHA512_SCR(34); SHA512_SCR(35); 489 SHA512_SCR(36); SHA512_SCR(37); SHA512_SCR(38); SHA512_SCR(39); 490 SHA512_SCR(40); SHA512_SCR(41); SHA512_SCR(42); SHA512_SCR(43); 491 SHA512_SCR(44); SHA512_SCR(45); SHA512_SCR(46); SHA512_SCR(47); 492 SHA512_SCR(48); SHA512_SCR(49); SHA512_SCR(50); SHA512_SCR(51); 493 SHA512_SCR(52); SHA512_SCR(53); SHA512_SCR(54); SHA512_SCR(55); 494 SHA512_SCR(56); SHA512_SCR(57); SHA512_SCR(58); SHA512_SCR(59); 495 SHA512_SCR(60); SHA512_SCR(61); SHA512_SCR(62); SHA512_SCR(63); 496 SHA512_SCR(64); SHA512_SCR(65); SHA512_SCR(66); SHA512_SCR(67); 497 SHA512_SCR(68); SHA512_SCR(69); SHA512_SCR(70); SHA512_SCR(71); 498 SHA512_SCR(72); SHA512_SCR(73); SHA512_SCR(74); SHA512_SCR(75); 499 SHA512_SCR(76); SHA512_SCR(77); SHA512_SCR(78); SHA512_SCR(79); 500 501 wv[0] = ctx->h[0]; wv[1] = ctx->h[1]; 502 wv[2] = ctx->h[2]; wv[3] = ctx->h[3]; 503 wv[4] = ctx->h[4]; wv[5] = ctx->h[5]; 504 wv[6] = ctx->h[6]; wv[7] = ctx->h[7]; 505 506 j = 0; 507 508 do { 509 SHA512_EXP(0,1,2,3,4,5,6,7,j); j++; 510 SHA512_EXP(7,0,1,2,3,4,5,6,j); j++; 511 SHA512_EXP(6,7,0,1,2,3,4,5,j); j++; 512 SHA512_EXP(5,6,7,0,1,2,3,4,j); j++; 513 SHA512_EXP(4,5,6,7,0,1,2,3,j); j++; 514 SHA512_EXP(3,4,5,6,7,0,1,2,j); j++; 515 SHA512_EXP(2,3,4,5,6,7,0,1,j); j++; 516 SHA512_EXP(1,2,3,4,5,6,7,0,j); j++; 517 } while (j < 80); 518 519 ctx->h[0] += wv[0]; ctx->h[1] += wv[1]; 520 ctx->h[2] += wv[2]; ctx->h[3] += wv[3]; 521 ctx->h[4] += wv[4]; ctx->h[5] += wv[5]; 522 ctx->h[6] += wv[6]; ctx->h[7] += wv[7]; 523 #endif /* !UNROLL_LOOPS */ 524 } 525 } 526 527 void sha512(const unsigned char *message, unsigned int len, 528 unsigned char *digest) 529 { 530 sha512_ctx ctx; 531 532 sha512_init(&ctx); 533 sha512_update(&ctx, message, len); 534 sha512_final(&ctx, digest); 535 } 536 537 void sha512_init(sha512_ctx *ctx) 538 { 539 #ifndef UNROLL_LOOPS 540 int i; 541 for (i = 0; i < 8; i++) { 542 ctx->h[i] = sha512_h0[i]; 543 } 544 #else 545 ctx->h[0] = sha512_h0[0]; ctx->h[1] = sha512_h0[1]; 546 ctx->h[2] = sha512_h0[2]; ctx->h[3] = sha512_h0[3]; 547 ctx->h[4] = sha512_h0[4]; ctx->h[5] = sha512_h0[5]; 548 ctx->h[6] = sha512_h0[6]; ctx->h[7] = sha512_h0[7]; 549 #endif /* !UNROLL_LOOPS */ 550 551 ctx->len = 0; 552 ctx->tot_len = 0; 553 } 554 555 void sha512_update(sha512_ctx *ctx, const unsigned char *message, 556 unsigned int len) 557 { 558 unsigned int block_nb; 559 unsigned int new_len, rem_len, tmp_len; 560 const unsigned char *shifted_message; 561 562 tmp_len = SHA512_BLOCK_SIZE - ctx->len; 563 rem_len = len < tmp_len ? len : tmp_len; 564 565 memcpy(&ctx->block[ctx->len], message, rem_len); 566 567 if (ctx->len + len < SHA512_BLOCK_SIZE) { 568 ctx->len += len; 569 return; 570 } 571 572 new_len = len - rem_len; 573 block_nb = new_len / SHA512_BLOCK_SIZE; 574 575 shifted_message = message + rem_len; 576 577 sha512_transf(ctx, ctx->block, 1); 578 sha512_transf(ctx, shifted_message, block_nb); 579 580 rem_len = new_len % SHA512_BLOCK_SIZE; 581 582 memcpy(ctx->block, &shifted_message[block_nb << 7], 583 rem_len); 584 585 ctx->len = rem_len; 586 ctx->tot_len += (block_nb + 1) << 7; 587 } 588 589 void sha512_final(sha512_ctx *ctx, unsigned char *digest) 590 { 591 unsigned int block_nb; 592 unsigned int pm_len; 593 unsigned int len_b; 594 595 #ifndef UNROLL_LOOPS 596 int i; 597 #endif 598 599 block_nb = 1 + ((SHA512_BLOCK_SIZE - 17) 600 < (ctx->len % SHA512_BLOCK_SIZE)); 601 602 len_b = (ctx->tot_len + ctx->len) << 3; 603 pm_len = block_nb << 7; 604 605 memset(ctx->block + ctx->len, 0, pm_len - ctx->len); 606 ctx->block[ctx->len] = 0x80; 607 UNPACK32(len_b, ctx->block + pm_len - 4); 608 609 sha512_transf(ctx, ctx->block, block_nb); 610 611 #ifndef UNROLL_LOOPS 612 for (i = 0 ; i < 8; i++) { 613 UNPACK64(ctx->h[i], &digest[i << 3]); 614 } 615 #else 616 UNPACK64(ctx->h[0], &digest[ 0]); 617 UNPACK64(ctx->h[1], &digest[ 8]); 618 UNPACK64(ctx->h[2], &digest[16]); 619 UNPACK64(ctx->h[3], &digest[24]); 620 UNPACK64(ctx->h[4], &digest[32]); 621 UNPACK64(ctx->h[5], &digest[40]); 622 UNPACK64(ctx->h[6], &digest[48]); 623 UNPACK64(ctx->h[7], &digest[56]); 624 #endif /* !UNROLL_LOOPS */ 625 } 626 627 /* SHA-384 functions */ 628 629 void sha384(const unsigned char *message, unsigned int len, 630 unsigned char *digest) 631 { 632 sha384_ctx ctx; 633 634 sha384_init(&ctx); 635 sha384_update(&ctx, message, len); 636 sha384_final(&ctx, digest); 637 } 638 639 void sha384_init(sha384_ctx *ctx) 640 { 641 #ifndef UNROLL_LOOPS 642 int i; 643 for (i = 0; i < 8; i++) { 644 ctx->h[i] = sha384_h0[i]; 645 } 646 #else 647 ctx->h[0] = sha384_h0[0]; ctx->h[1] = sha384_h0[1]; 648 ctx->h[2] = sha384_h0[2]; ctx->h[3] = sha384_h0[3]; 649 ctx->h[4] = sha384_h0[4]; ctx->h[5] = sha384_h0[5]; 650 ctx->h[6] = sha384_h0[6]; ctx->h[7] = sha384_h0[7]; 651 #endif /* !UNROLL_LOOPS */ 652 653 ctx->len = 0; 654 ctx->tot_len = 0; 655 } 656 657 void sha384_update(sha384_ctx *ctx, const unsigned char *message, 658 unsigned int len) 659 { 660 unsigned int block_nb; 661 unsigned int new_len, rem_len, tmp_len; 662 const unsigned char *shifted_message; 663 664 tmp_len = SHA384_BLOCK_SIZE - ctx->len; 665 rem_len = len < tmp_len ? len : tmp_len; 666 667 memcpy(&ctx->block[ctx->len], message, rem_len); 668 669 if (ctx->len + len < SHA384_BLOCK_SIZE) { 670 ctx->len += len; 671 return; 672 } 673 674 new_len = len - rem_len; 675 block_nb = new_len / SHA384_BLOCK_SIZE; 676 677 shifted_message = message + rem_len; 678 679 sha512_transf(ctx, ctx->block, 1); 680 sha512_transf(ctx, shifted_message, block_nb); 681 682 rem_len = new_len % SHA384_BLOCK_SIZE; 683 684 memcpy(ctx->block, &shifted_message[block_nb << 7], 685 rem_len); 686 687 ctx->len = rem_len; 688 ctx->tot_len += (block_nb + 1) << 7; 689 } 690 691 void sha384_final(sha384_ctx *ctx, unsigned char *digest) 692 { 693 unsigned int block_nb; 694 unsigned int pm_len; 695 unsigned int len_b; 696 697 #ifndef UNROLL_LOOPS 698 int i; 699 #endif 700 701 block_nb = (1 + ((SHA384_BLOCK_SIZE - 17) 702 < (ctx->len % SHA384_BLOCK_SIZE))); 703 704 len_b = (ctx->tot_len + ctx->len) << 3; 705 pm_len = block_nb << 7; 706 707 memset(ctx->block + ctx->len, 0, pm_len - ctx->len); 708 ctx->block[ctx->len] = 0x80; 709 UNPACK32(len_b, ctx->block + pm_len - 4); 710 711 sha512_transf(ctx, ctx->block, block_nb); 712 713 #ifndef UNROLL_LOOPS 714 for (i = 0 ; i < 6; i++) { 715 UNPACK64(ctx->h[i], &digest[i << 3]); 716 } 717 #else 718 UNPACK64(ctx->h[0], &digest[ 0]); 719 UNPACK64(ctx->h[1], &digest[ 8]); 720 UNPACK64(ctx->h[2], &digest[16]); 721 UNPACK64(ctx->h[3], &digest[24]); 722 UNPACK64(ctx->h[4], &digest[32]); 723 UNPACK64(ctx->h[5], &digest[40]); 724 #endif /* !UNROLL_LOOPS */ 725 } 726 727 /* SHA-224 functions */ 728 729 void sha224(const unsigned char *message, unsigned int len, 730 unsigned char *digest) 731 { 732 sha224_ctx ctx; 733 734 sha224_init(&ctx); 735 sha224_update(&ctx, message, len); 736 sha224_final(&ctx, digest); 737 } 738 739 void sha224_init(sha224_ctx *ctx) 740 { 741 #ifndef UNROLL_LOOPS 742 int i; 743 for (i = 0; i < 8; i++) { 744 ctx->h[i] = sha224_h0[i]; 745 } 746 #else 747 ctx->h[0] = sha224_h0[0]; ctx->h[1] = sha224_h0[1]; 748 ctx->h[2] = sha224_h0[2]; ctx->h[3] = sha224_h0[3]; 749 ctx->h[4] = sha224_h0[4]; ctx->h[5] = sha224_h0[5]; 750 ctx->h[6] = sha224_h0[6]; ctx->h[7] = sha224_h0[7]; 751 #endif /* !UNROLL_LOOPS */ 752 753 ctx->len = 0; 754 ctx->tot_len = 0; 755 } 756 757 void sha224_update(sha224_ctx *ctx, const unsigned char *message, 758 unsigned int len) 759 { 760 unsigned int block_nb; 761 unsigned int new_len, rem_len, tmp_len; 762 const unsigned char *shifted_message; 763 764 tmp_len = SHA224_BLOCK_SIZE - ctx->len; 765 rem_len = len < tmp_len ? len : tmp_len; 766 767 memcpy(&ctx->block[ctx->len], message, rem_len); 768 769 if (ctx->len + len < SHA224_BLOCK_SIZE) { 770 ctx->len += len; 771 return; 772 } 773 774 new_len = len - rem_len; 775 block_nb = new_len / SHA224_BLOCK_SIZE; 776 777 shifted_message = message + rem_len; 778 779 sha256_transf(ctx, ctx->block, 1); 780 sha256_transf(ctx, shifted_message, block_nb); 781 782 rem_len = new_len % SHA224_BLOCK_SIZE; 783 784 memcpy(ctx->block, &shifted_message[block_nb << 6], 785 rem_len); 786 787 ctx->len = rem_len; 788 ctx->tot_len += (block_nb + 1) << 6; 789 } 790 791 void sha224_final(sha224_ctx *ctx, unsigned char *digest) 792 { 793 unsigned int block_nb; 794 unsigned int pm_len; 795 unsigned int len_b; 796 797 #ifndef UNROLL_LOOPS 798 int i; 799 #endif 800 801 block_nb = (1 + ((SHA224_BLOCK_SIZE - 9) 802 < (ctx->len % SHA224_BLOCK_SIZE))); 803 804 len_b = (ctx->tot_len + ctx->len) << 3; 805 pm_len = block_nb << 6; 806 807 memset(ctx->block + ctx->len, 0, pm_len - ctx->len); 808 ctx->block[ctx->len] = 0x80; 809 UNPACK32(len_b, ctx->block + pm_len - 4); 810 811 sha256_transf(ctx, ctx->block, block_nb); 812 813 #ifndef UNROLL_LOOPS 814 for (i = 0 ; i < 7; i++) { 815 UNPACK32(ctx->h[i], &digest[i << 2]); 816 } 817 #else 818 UNPACK32(ctx->h[0], &digest[ 0]); 819 UNPACK32(ctx->h[1], &digest[ 4]); 820 UNPACK32(ctx->h[2], &digest[ 8]); 821 UNPACK32(ctx->h[3], &digest[12]); 822 UNPACK32(ctx->h[4], &digest[16]); 823 UNPACK32(ctx->h[5], &digest[20]); 824 UNPACK32(ctx->h[6], &digest[24]); 825 #endif /* !UNROLL_LOOPS */ 826 } 827 828 #ifdef TEST_VECTORS 829 830 /* FIPS 180-2 Validation tests */ 831 832 #include <stdio.h> 833 #include <stdlib.h> 834 835 void test(const char *vector, unsigned char *digest, 836 unsigned int digest_size) 837 { 838 char output[2 * SHA512_DIGEST_SIZE + 1]; 839 int i; 840 841 output[2 * digest_size] = '\0'; 842 843 for (i = 0; i < (int) digest_size ; i++) { 844 sprintf(output + 2 * i, "%02x", digest[i]); 845 } 846 847 printf("H: %s\n", output); 848 if (strcmp(vector, output)) { 849 fprintf(stderr, "Test failed.\n"); 850 exit(EXIT_FAILURE); 851 } 852 } 853 854 int main(void) 855 { 856 static const char *vectors[4][3] = 857 { /* SHA-224 */ 858 { 859 "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7", 860 "75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525", 861 "20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67", 862 }, 863 /* SHA-256 */ 864 { 865 "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad", 866 "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1", 867 "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0", 868 }, 869 /* SHA-384 */ 870 { 871 "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed" 872 "8086072ba1e7cc2358baeca134c825a7", 873 "09330c33f71147e83d192fc782cd1b4753111b173b3b05d22fa08086e3b0f712" 874 "fcc7c71a557e2db966c3e9fa91746039", 875 "9d0e1809716474cb086e834e310a4a1ced149e9c00f248527972cec5704c2a5b" 876 "07b8b3dc38ecc4ebae97ddd87f3d8985", 877 }, 878 /* SHA-512 */ 879 { 880 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a" 881 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f", 882 "8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018" 883 "501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909", 884 "e718483d0ce769644e2e42c7bc15b4638e1f98b13b2044285632a803afa973eb" 885 "de0ff244877ea60a4cb0432ce577c31beb009c5c2c49aa2e4eadb217ad8cc09b" 886 } 887 }; 888 889 static const char message1[] = "abc"; 890 static const char message2a[] = "abcdbcdecdefdefgefghfghighijhi" 891 "jkijkljklmklmnlmnomnopnopq"; 892 static const char message2b[] = "abcdefghbcdefghicdefghijdefghijkefghij" 893 "klfghijklmghijklmnhijklmnoijklmnopjklm" 894 "nopqklmnopqrlmnopqrsmnopqrstnopqrstu"; 895 unsigned char *message3; 896 unsigned int message3_len = 1000000; 897 unsigned char digest[SHA512_DIGEST_SIZE]; 898 899 message3 = malloc(message3_len); 900 if (message3 == NULL) { 901 fprintf(stderr, "Can't allocate memory\n"); 902 return -1; 903 } 904 memset(message3, 'a', message3_len); 905 906 printf("SHA-2 FIPS 180-2 Validation tests\n\n"); 907 printf("SHA-224 Test vectors\n"); 908 909 sha224((const unsigned char *) message1, strlen(message1), digest); 910 test(vectors[0][0], digest, SHA224_DIGEST_SIZE); 911 sha224((const unsigned char *) message2a, strlen(message2a), digest); 912 test(vectors[0][1], digest, SHA224_DIGEST_SIZE); 913 sha224(message3, message3_len, digest); 914 test(vectors[0][2], digest, SHA224_DIGEST_SIZE); 915 printf("\n"); 916 917 printf("SHA-256 Test vectors\n"); 918 919 sha256((const unsigned char *) message1, strlen(message1), digest); 920 test(vectors[1][0], digest, SHA256_DIGEST_SIZE); 921 sha256((const unsigned char *) message2a, strlen(message2a), digest); 922 test(vectors[1][1], digest, SHA256_DIGEST_SIZE); 923 sha256(message3, message3_len, digest); 924 test(vectors[1][2], digest, SHA256_DIGEST_SIZE); 925 printf("\n"); 926 927 printf("SHA-384 Test vectors\n"); 928 929 sha384((const unsigned char *) message1, strlen(message1), digest); 930 test(vectors[2][0], digest, SHA384_DIGEST_SIZE); 931 sha384((const unsigned char *)message2b, strlen(message2b), digest); 932 test(vectors[2][1], digest, SHA384_DIGEST_SIZE); 933 sha384(message3, message3_len, digest); 934 test(vectors[2][2], digest, SHA384_DIGEST_SIZE); 935 printf("\n"); 936 937 printf("SHA-512 Test vectors\n"); 938 939 sha512((const unsigned char *) message1, strlen(message1), digest); 940 test(vectors[3][0], digest, SHA512_DIGEST_SIZE); 941 sha512((const unsigned char *) message2b, strlen(message2b), digest); 942 test(vectors[3][1], digest, SHA512_DIGEST_SIZE); 943 sha512(message3, message3_len, digest); 944 test(vectors[3][2], digest, SHA512_DIGEST_SIZE); 945 printf("\n"); 946 947 printf("All tests passed.\n"); 948 949 return 0; 950 } 951 952 #endif /* TEST_VECTORS */ 953 954
