5
* FIPS 180-2 SHA-224/256/384/512 implementation
6
* Last update: 02/02/2007
7
* Issue date: 04/30/2005
9
* Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
10
* All rights reserved.
12
* Redistribution and use in source and binary forms, with or without
13
* modification, are permitted provided that the following conditions
15
* 1. Redistributions of source code must retain the above copyright
16
* notice, this list of conditions and the following disclaimer.
17
* 2. Redistributions in binary form must reproduce the above copyright
18
* notice, this list of conditions and the following disclaimer in the
19
* documentation and/or other materials provided with the distribution.
20
* 3. Neither the name of the project nor the names of its contributors
21
* may be used to endorse or promote products derived from this software
22
* without specific prior written permission.
24
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
25
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
28
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40
#define UNROLL_LOOPS /* Enable loops unrolling */
46
#define SHFR(x, n) (x >> n)
47
#define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n)))
48
#define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n)))
49
#define CH(x, y, z) ((x & y) ^ (~x & z))
50
#define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
52
#define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
53
#define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
54
#define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3))
55
#define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
57
#define SHA512_F1(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
58
#define SHA512_F2(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
59
#define SHA512_F3(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHFR(x, 7))
60
#define SHA512_F4(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHFR(x, 6))
62
#define UNPACK32(x, str) \
64
*((str) + 3) = (uint8) ((x) ); \
65
*((str) + 2) = (uint8) ((x) >> 8); \
66
*((str) + 1) = (uint8) ((x) >> 16); \
67
*((str) + 0) = (uint8) ((x) >> 24); \
70
#define PACK32(str, x) \
72
*(x) = ((uint32) *((str) + 3) ) \
73
| ((uint32) *((str) + 2) << 8) \
74
| ((uint32) *((str) + 1) << 16) \
75
| ((uint32) *((str) + 0) << 24); \
78
#define UNPACK64(x, str) \
80
*((str) + 7) = (uint8) ((x) ); \
81
*((str) + 6) = (uint8) ((x) >> 8); \
82
*((str) + 5) = (uint8) ((x) >> 16); \
83
*((str) + 4) = (uint8) ((x) >> 24); \
84
*((str) + 3) = (uint8) ((x) >> 32); \
85
*((str) + 2) = (uint8) ((x) >> 40); \
86
*((str) + 1) = (uint8) ((x) >> 48); \
87
*((str) + 0) = (uint8) ((x) >> 56); \
90
#define PACK64(str, x) \
92
*(x) = ((uint64) *((str) + 7) ) \
93
| ((uint64) *((str) + 6) << 8) \
94
| ((uint64) *((str) + 5) << 16) \
95
| ((uint64) *((str) + 4) << 24) \
96
| ((uint64) *((str) + 3) << 32) \
97
| ((uint64) *((str) + 2) << 40) \
98
| ((uint64) *((str) + 1) << 48) \
99
| ((uint64) *((str) + 0) << 56); \
102
/* Macros used for loops unrolling */
104
#define SHA256_SCR(i) \
106
w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \
107
+ SHA256_F3(w[i - 15]) + w[i - 16]; \
110
#define SHA512_SCR(i) \
112
w[i] = SHA512_F4(w[i - 2]) + w[i - 7] \
113
+ SHA512_F3(w[i - 15]) + w[i - 16]; \
116
#define SHA256_EXP(a, b, c, d, e, f, g, h, j) \
118
t1 = wv[h] + SHA256_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
119
+ sha256_k[j] + w[j]; \
120
t2 = SHA256_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
125
#define SHA512_EXP(a, b, c, d, e, f, g ,h, j) \
127
t1 = wv[h] + SHA512_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
128
+ sha512_k[j] + w[j]; \
129
t2 = SHA512_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
134
uint32 sha224_h0[8] =
135
{0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
136
0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4};
138
uint32 sha256_h0[8] =
139
{0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
140
0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
142
uint64 sha384_h0[8] =
143
{0xcbbb9d5dc1059ed8ULL, 0x629a292a367cd507ULL,
144
0x9159015a3070dd17ULL, 0x152fecd8f70e5939ULL,
145
0x67332667ffc00b31ULL, 0x8eb44a8768581511ULL,
146
0xdb0c2e0d64f98fa7ULL, 0x47b5481dbefa4fa4ULL};
148
uint64 sha512_h0[8] =
149
{0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
150
0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
151
0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
152
0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL};
154
uint32 sha256_k[64] =
155
{0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
156
0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
157
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
158
0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
159
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
160
0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
161
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
162
0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
163
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
164
0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
165
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
166
0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
167
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
168
0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
169
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
170
0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
172
uint64 sha512_k[80] =
173
{0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
174
0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
175
0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
176
0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
177
0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
178
0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
179
0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
180
0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
181
0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
182
0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
183
0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
184
0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
185
0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
186
0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
187
0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
188
0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
189
0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
190
0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
191
0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
192
0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
193
0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
194
0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
195
0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
196
0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
197
0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
198
0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
199
0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
200
0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
201
0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
202
0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
203
0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
204
0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
205
0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
206
0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
207
0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
208
0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
209
0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
210
0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
211
0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
212
0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL};
214
/* SHA-256 functions */
216
void sha256_transf(sha256_ctx *ctx, const unsigned char *message,
217
unsigned int block_nb)
222
const unsigned char *sub_block;
229
for (i = 0; i < (int) block_nb; i++) {
230
sub_block = message + (i << 6);
233
for (j = 0; j < 16; j++) {
234
PACK32(&sub_block[j << 2], &w[j]);
237
for (j = 16; j < 64; j++) {
241
for (j = 0; j < 8; j++) {
245
for (j = 0; j < 64; j++) {
246
t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
247
+ sha256_k[j] + w[j];
248
t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
259
for (j = 0; j < 8; j++) {
263
PACK32(&sub_block[ 0], &w[ 0]); PACK32(&sub_block[ 4], &w[ 1]);
264
PACK32(&sub_block[ 8], &w[ 2]); PACK32(&sub_block[12], &w[ 3]);
265
PACK32(&sub_block[16], &w[ 4]); PACK32(&sub_block[20], &w[ 5]);
266
PACK32(&sub_block[24], &w[ 6]); PACK32(&sub_block[28], &w[ 7]);
267
PACK32(&sub_block[32], &w[ 8]); PACK32(&sub_block[36], &w[ 9]);
268
PACK32(&sub_block[40], &w[10]); PACK32(&sub_block[44], &w[11]);
269
PACK32(&sub_block[48], &w[12]); PACK32(&sub_block[52], &w[13]);
270
PACK32(&sub_block[56], &w[14]); PACK32(&sub_block[60], &w[15]);
272
SHA256_SCR(16); SHA256_SCR(17); SHA256_SCR(18); SHA256_SCR(19);
273
SHA256_SCR(20); SHA256_SCR(21); SHA256_SCR(22); SHA256_SCR(23);
274
SHA256_SCR(24); SHA256_SCR(25); SHA256_SCR(26); SHA256_SCR(27);
275
SHA256_SCR(28); SHA256_SCR(29); SHA256_SCR(30); SHA256_SCR(31);
276
SHA256_SCR(32); SHA256_SCR(33); SHA256_SCR(34); SHA256_SCR(35);
277
SHA256_SCR(36); SHA256_SCR(37); SHA256_SCR(38); SHA256_SCR(39);
278
SHA256_SCR(40); SHA256_SCR(41); SHA256_SCR(42); SHA256_SCR(43);
279
SHA256_SCR(44); SHA256_SCR(45); SHA256_SCR(46); SHA256_SCR(47);
280
SHA256_SCR(48); SHA256_SCR(49); SHA256_SCR(50); SHA256_SCR(51);
281
SHA256_SCR(52); SHA256_SCR(53); SHA256_SCR(54); SHA256_SCR(55);
282
SHA256_SCR(56); SHA256_SCR(57); SHA256_SCR(58); SHA256_SCR(59);
283
SHA256_SCR(60); SHA256_SCR(61); SHA256_SCR(62); SHA256_SCR(63);
285
wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
286
wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
287
wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
288
wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
290
SHA256_EXP(0,1,2,3,4,5,6,7, 0); SHA256_EXP(7,0,1,2,3,4,5,6, 1);
291
SHA256_EXP(6,7,0,1,2,3,4,5, 2); SHA256_EXP(5,6,7,0,1,2,3,4, 3);
292
SHA256_EXP(4,5,6,7,0,1,2,3, 4); SHA256_EXP(3,4,5,6,7,0,1,2, 5);
293
SHA256_EXP(2,3,4,5,6,7,0,1, 6); SHA256_EXP(1,2,3,4,5,6,7,0, 7);
294
SHA256_EXP(0,1,2,3,4,5,6,7, 8); SHA256_EXP(7,0,1,2,3,4,5,6, 9);
295
SHA256_EXP(6,7,0,1,2,3,4,5,10); SHA256_EXP(5,6,7,0,1,2,3,4,11);
296
SHA256_EXP(4,5,6,7,0,1,2,3,12); SHA256_EXP(3,4,5,6,7,0,1,2,13);
297
SHA256_EXP(2,3,4,5,6,7,0,1,14); SHA256_EXP(1,2,3,4,5,6,7,0,15);
298
SHA256_EXP(0,1,2,3,4,5,6,7,16); SHA256_EXP(7,0,1,2,3,4,5,6,17);
299
SHA256_EXP(6,7,0,1,2,3,4,5,18); SHA256_EXP(5,6,7,0,1,2,3,4,19);
300
SHA256_EXP(4,5,6,7,0,1,2,3,20); SHA256_EXP(3,4,5,6,7,0,1,2,21);
301
SHA256_EXP(2,3,4,5,6,7,0,1,22); SHA256_EXP(1,2,3,4,5,6,7,0,23);
302
SHA256_EXP(0,1,2,3,4,5,6,7,24); SHA256_EXP(7,0,1,2,3,4,5,6,25);
303
SHA256_EXP(6,7,0,1,2,3,4,5,26); SHA256_EXP(5,6,7,0,1,2,3,4,27);
304
SHA256_EXP(4,5,6,7,0,1,2,3,28); SHA256_EXP(3,4,5,6,7,0,1,2,29);
305
SHA256_EXP(2,3,4,5,6,7,0,1,30); SHA256_EXP(1,2,3,4,5,6,7,0,31);
306
SHA256_EXP(0,1,2,3,4,5,6,7,32); SHA256_EXP(7,0,1,2,3,4,5,6,33);
307
SHA256_EXP(6,7,0,1,2,3,4,5,34); SHA256_EXP(5,6,7,0,1,2,3,4,35);
308
SHA256_EXP(4,5,6,7,0,1,2,3,36); SHA256_EXP(3,4,5,6,7,0,1,2,37);
309
SHA256_EXP(2,3,4,5,6,7,0,1,38); SHA256_EXP(1,2,3,4,5,6,7,0,39);
310
SHA256_EXP(0,1,2,3,4,5,6,7,40); SHA256_EXP(7,0,1,2,3,4,5,6,41);
311
SHA256_EXP(6,7,0,1,2,3,4,5,42); SHA256_EXP(5,6,7,0,1,2,3,4,43);
312
SHA256_EXP(4,5,6,7,0,1,2,3,44); SHA256_EXP(3,4,5,6,7,0,1,2,45);
313
SHA256_EXP(2,3,4,5,6,7,0,1,46); SHA256_EXP(1,2,3,4,5,6,7,0,47);
314
SHA256_EXP(0,1,2,3,4,5,6,7,48); SHA256_EXP(7,0,1,2,3,4,5,6,49);
315
SHA256_EXP(6,7,0,1,2,3,4,5,50); SHA256_EXP(5,6,7,0,1,2,3,4,51);
316
SHA256_EXP(4,5,6,7,0,1,2,3,52); SHA256_EXP(3,4,5,6,7,0,1,2,53);
317
SHA256_EXP(2,3,4,5,6,7,0,1,54); SHA256_EXP(1,2,3,4,5,6,7,0,55);
318
SHA256_EXP(0,1,2,3,4,5,6,7,56); SHA256_EXP(7,0,1,2,3,4,5,6,57);
319
SHA256_EXP(6,7,0,1,2,3,4,5,58); SHA256_EXP(5,6,7,0,1,2,3,4,59);
320
SHA256_EXP(4,5,6,7,0,1,2,3,60); SHA256_EXP(3,4,5,6,7,0,1,2,61);
321
SHA256_EXP(2,3,4,5,6,7,0,1,62); SHA256_EXP(1,2,3,4,5,6,7,0,63);
323
ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
324
ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
325
ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
326
ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
327
#endif /* !UNROLL_LOOPS */
331
void sha256(const unsigned char *message, unsigned int len, unsigned char *digest)
336
sha256_update(&ctx, message, len);
337
sha256_final(&ctx, digest);
340
void sha256_init(sha256_ctx *ctx)
344
for (i = 0; i < 8; i++) {
345
ctx->h[i] = sha256_h0[i];
348
ctx->h[0] = sha256_h0[0]; ctx->h[1] = sha256_h0[1];
349
ctx->h[2] = sha256_h0[2]; ctx->h[3] = sha256_h0[3];
350
ctx->h[4] = sha256_h0[4]; ctx->h[5] = sha256_h0[5];
351
ctx->h[6] = sha256_h0[6]; ctx->h[7] = sha256_h0[7];
352
#endif /* !UNROLL_LOOPS */
358
void sha256_update(sha256_ctx *ctx, const unsigned char *message,
361
unsigned int block_nb;
362
unsigned int new_len, rem_len, tmp_len;
363
const unsigned char *shifted_message;
365
tmp_len = SHA256_BLOCK_SIZE - ctx->len;
366
rem_len = len < tmp_len ? len : tmp_len;
368
memcpy(&ctx->block[ctx->len], message, rem_len);
370
if (ctx->len + len < SHA256_BLOCK_SIZE) {
375
new_len = len - rem_len;
376
block_nb = new_len / SHA256_BLOCK_SIZE;
378
shifted_message = message + rem_len;
380
sha256_transf(ctx, ctx->block, 1);
381
sha256_transf(ctx, shifted_message, block_nb);
383
rem_len = new_len % SHA256_BLOCK_SIZE;
385
memcpy(ctx->block, &shifted_message[block_nb << 6],
389
ctx->tot_len += (block_nb + 1) << 6;
392
void sha256_final(sha256_ctx *ctx, unsigned char *digest)
394
unsigned int block_nb;
402
block_nb = (1 + ((SHA256_BLOCK_SIZE - 9)
403
< (ctx->len % SHA256_BLOCK_SIZE)));
405
len_b = (ctx->tot_len + ctx->len) << 3;
406
pm_len = block_nb << 6;
408
memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
409
ctx->block[ctx->len] = 0x80;
410
UNPACK32(len_b, ctx->block + pm_len - 4);
412
sha256_transf(ctx, ctx->block, block_nb);
415
for (i = 0 ; i < 8; i++) {
416
UNPACK32(ctx->h[i], &digest[i << 2]);
419
UNPACK32(ctx->h[0], &digest[ 0]);
420
UNPACK32(ctx->h[1], &digest[ 4]);
421
UNPACK32(ctx->h[2], &digest[ 8]);
422
UNPACK32(ctx->h[3], &digest[12]);
423
UNPACK32(ctx->h[4], &digest[16]);
424
UNPACK32(ctx->h[5], &digest[20]);
425
UNPACK32(ctx->h[6], &digest[24]);
426
UNPACK32(ctx->h[7], &digest[28]);
427
#endif /* !UNROLL_LOOPS */
430
/* SHA-512 functions */
432
void sha512_transf(sha512_ctx *ctx, const unsigned char *message,
433
unsigned int block_nb)
438
const unsigned char *sub_block;
441
for (i = 0; i < (int) block_nb; i++) {
442
sub_block = message + (i << 7);
445
for (j = 0; j < 16; j++) {
446
PACK64(&sub_block[j << 3], &w[j]);
449
for (j = 16; j < 80; j++) {
453
for (j = 0; j < 8; j++) {
457
for (j = 0; j < 80; j++) {
458
t1 = wv[7] + SHA512_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
459
+ sha512_k[j] + w[j];
460
t2 = SHA512_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
471
for (j = 0; j < 8; j++) {
475
PACK64(&sub_block[ 0], &w[ 0]); PACK64(&sub_block[ 8], &w[ 1]);
476
PACK64(&sub_block[ 16], &w[ 2]); PACK64(&sub_block[ 24], &w[ 3]);
477
PACK64(&sub_block[ 32], &w[ 4]); PACK64(&sub_block[ 40], &w[ 5]);
478
PACK64(&sub_block[ 48], &w[ 6]); PACK64(&sub_block[ 56], &w[ 7]);
479
PACK64(&sub_block[ 64], &w[ 8]); PACK64(&sub_block[ 72], &w[ 9]);
480
PACK64(&sub_block[ 80], &w[10]); PACK64(&sub_block[ 88], &w[11]);
481
PACK64(&sub_block[ 96], &w[12]); PACK64(&sub_block[104], &w[13]);
482
PACK64(&sub_block[112], &w[14]); PACK64(&sub_block[120], &w[15]);
484
SHA512_SCR(16); SHA512_SCR(17); SHA512_SCR(18); SHA512_SCR(19);
485
SHA512_SCR(20); SHA512_SCR(21); SHA512_SCR(22); SHA512_SCR(23);
486
SHA512_SCR(24); SHA512_SCR(25); SHA512_SCR(26); SHA512_SCR(27);
487
SHA512_SCR(28); SHA512_SCR(29); SHA512_SCR(30); SHA512_SCR(31);
488
SHA512_SCR(32); SHA512_SCR(33); SHA512_SCR(34); SHA512_SCR(35);
489
SHA512_SCR(36); SHA512_SCR(37); SHA512_SCR(38); SHA512_SCR(39);
490
SHA512_SCR(40); SHA512_SCR(41); SHA512_SCR(42); SHA512_SCR(43);
491
SHA512_SCR(44); SHA512_SCR(45); SHA512_SCR(46); SHA512_SCR(47);
492
SHA512_SCR(48); SHA512_SCR(49); SHA512_SCR(50); SHA512_SCR(51);
493
SHA512_SCR(52); SHA512_SCR(53); SHA512_SCR(54); SHA512_SCR(55);
494
SHA512_SCR(56); SHA512_SCR(57); SHA512_SCR(58); SHA512_SCR(59);
495
SHA512_SCR(60); SHA512_SCR(61); SHA512_SCR(62); SHA512_SCR(63);
496
SHA512_SCR(64); SHA512_SCR(65); SHA512_SCR(66); SHA512_SCR(67);
497
SHA512_SCR(68); SHA512_SCR(69); SHA512_SCR(70); SHA512_SCR(71);
498
SHA512_SCR(72); SHA512_SCR(73); SHA512_SCR(74); SHA512_SCR(75);
499
SHA512_SCR(76); SHA512_SCR(77); SHA512_SCR(78); SHA512_SCR(79);
501
wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
502
wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
503
wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
504
wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
509
SHA512_EXP(0,1,2,3,4,5,6,7,j); j++;
510
SHA512_EXP(7,0,1,2,3,4,5,6,j); j++;
511
SHA512_EXP(6,7,0,1,2,3,4,5,j); j++;
512
SHA512_EXP(5,6,7,0,1,2,3,4,j); j++;
513
SHA512_EXP(4,5,6,7,0,1,2,3,j); j++;
514
SHA512_EXP(3,4,5,6,7,0,1,2,j); j++;
515
SHA512_EXP(2,3,4,5,6,7,0,1,j); j++;
516
SHA512_EXP(1,2,3,4,5,6,7,0,j); j++;
519
ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
520
ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
521
ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
522
ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
523
#endif /* !UNROLL_LOOPS */
527
void sha512(const unsigned char *message, unsigned int len,
528
unsigned char *digest)
533
sha512_update(&ctx, message, len);
534
sha512_final(&ctx, digest);
537
void sha512_init(sha512_ctx *ctx)
541
for (i = 0; i < 8; i++) {
542
ctx->h[i] = sha512_h0[i];
545
ctx->h[0] = sha512_h0[0]; ctx->h[1] = sha512_h0[1];
546
ctx->h[2] = sha512_h0[2]; ctx->h[3] = sha512_h0[3];
547
ctx->h[4] = sha512_h0[4]; ctx->h[5] = sha512_h0[5];
548
ctx->h[6] = sha512_h0[6]; ctx->h[7] = sha512_h0[7];
549
#endif /* !UNROLL_LOOPS */
555
void sha512_update(sha512_ctx *ctx, const unsigned char *message,
558
unsigned int block_nb;
559
unsigned int new_len, rem_len, tmp_len;
560
const unsigned char *shifted_message;
562
tmp_len = SHA512_BLOCK_SIZE - ctx->len;
563
rem_len = len < tmp_len ? len : tmp_len;
565
memcpy(&ctx->block[ctx->len], message, rem_len);
567
if (ctx->len + len < SHA512_BLOCK_SIZE) {
572
new_len = len - rem_len;
573
block_nb = new_len / SHA512_BLOCK_SIZE;
575
shifted_message = message + rem_len;
577
sha512_transf(ctx, ctx->block, 1);
578
sha512_transf(ctx, shifted_message, block_nb);
580
rem_len = new_len % SHA512_BLOCK_SIZE;
582
memcpy(ctx->block, &shifted_message[block_nb << 7],
586
ctx->tot_len += (block_nb + 1) << 7;
589
void sha512_final(sha512_ctx *ctx, unsigned char *digest)
591
unsigned int block_nb;
599
block_nb = 1 + ((SHA512_BLOCK_SIZE - 17)
600
< (ctx->len % SHA512_BLOCK_SIZE));
602
len_b = (ctx->tot_len + ctx->len) << 3;
603
pm_len = block_nb << 7;
605
memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
606
ctx->block[ctx->len] = 0x80;
607
UNPACK32(len_b, ctx->block + pm_len - 4);
609
sha512_transf(ctx, ctx->block, block_nb);
612
for (i = 0 ; i < 8; i++) {
613
UNPACK64(ctx->h[i], &digest[i << 3]);
616
UNPACK64(ctx->h[0], &digest[ 0]);
617
UNPACK64(ctx->h[1], &digest[ 8]);
618
UNPACK64(ctx->h[2], &digest[16]);
619
UNPACK64(ctx->h[3], &digest[24]);
620
UNPACK64(ctx->h[4], &digest[32]);
621
UNPACK64(ctx->h[5], &digest[40]);
622
UNPACK64(ctx->h[6], &digest[48]);
623
UNPACK64(ctx->h[7], &digest[56]);
624
#endif /* !UNROLL_LOOPS */
627
/* SHA-384 functions */
629
void sha384(const unsigned char *message, unsigned int len,
630
unsigned char *digest)
635
sha384_update(&ctx, message, len);
636
sha384_final(&ctx, digest);
639
void sha384_init(sha384_ctx *ctx)
643
for (i = 0; i < 8; i++) {
644
ctx->h[i] = sha384_h0[i];
647
ctx->h[0] = sha384_h0[0]; ctx->h[1] = sha384_h0[1];
648
ctx->h[2] = sha384_h0[2]; ctx->h[3] = sha384_h0[3];
649
ctx->h[4] = sha384_h0[4]; ctx->h[5] = sha384_h0[5];
650
ctx->h[6] = sha384_h0[6]; ctx->h[7] = sha384_h0[7];
651
#endif /* !UNROLL_LOOPS */
657
void sha384_update(sha384_ctx *ctx, const unsigned char *message,
660
unsigned int block_nb;
661
unsigned int new_len, rem_len, tmp_len;
662
const unsigned char *shifted_message;
664
tmp_len = SHA384_BLOCK_SIZE - ctx->len;
665
rem_len = len < tmp_len ? len : tmp_len;
667
memcpy(&ctx->block[ctx->len], message, rem_len);
669
if (ctx->len + len < SHA384_BLOCK_SIZE) {
674
new_len = len - rem_len;
675
block_nb = new_len / SHA384_BLOCK_SIZE;
677
shifted_message = message + rem_len;
679
sha512_transf(ctx, ctx->block, 1);
680
sha512_transf(ctx, shifted_message, block_nb);
682
rem_len = new_len % SHA384_BLOCK_SIZE;
684
memcpy(ctx->block, &shifted_message[block_nb << 7],
688
ctx->tot_len += (block_nb + 1) << 7;
691
void sha384_final(sha384_ctx *ctx, unsigned char *digest)
693
unsigned int block_nb;
701
block_nb = (1 + ((SHA384_BLOCK_SIZE - 17)
702
< (ctx->len % SHA384_BLOCK_SIZE)));
704
len_b = (ctx->tot_len + ctx->len) << 3;
705
pm_len = block_nb << 7;
707
memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
708
ctx->block[ctx->len] = 0x80;
709
UNPACK32(len_b, ctx->block + pm_len - 4);
711
sha512_transf(ctx, ctx->block, block_nb);
714
for (i = 0 ; i < 6; i++) {
715
UNPACK64(ctx->h[i], &digest[i << 3]);
718
UNPACK64(ctx->h[0], &digest[ 0]);
719
UNPACK64(ctx->h[1], &digest[ 8]);
720
UNPACK64(ctx->h[2], &digest[16]);
721
UNPACK64(ctx->h[3], &digest[24]);
722
UNPACK64(ctx->h[4], &digest[32]);
723
UNPACK64(ctx->h[5], &digest[40]);
724
#endif /* !UNROLL_LOOPS */
727
/* SHA-224 functions */
729
void sha224(const unsigned char *message, unsigned int len,
730
unsigned char *digest)
735
sha224_update(&ctx, message, len);
736
sha224_final(&ctx, digest);
739
void sha224_init(sha224_ctx *ctx)
743
for (i = 0; i < 8; i++) {
744
ctx->h[i] = sha224_h0[i];
747
ctx->h[0] = sha224_h0[0]; ctx->h[1] = sha224_h0[1];
748
ctx->h[2] = sha224_h0[2]; ctx->h[3] = sha224_h0[3];
749
ctx->h[4] = sha224_h0[4]; ctx->h[5] = sha224_h0[5];
750
ctx->h[6] = sha224_h0[6]; ctx->h[7] = sha224_h0[7];
751
#endif /* !UNROLL_LOOPS */
757
void sha224_update(sha224_ctx *ctx, const unsigned char *message,
760
unsigned int block_nb;
761
unsigned int new_len, rem_len, tmp_len;
762
const unsigned char *shifted_message;
764
tmp_len = SHA224_BLOCK_SIZE - ctx->len;
765
rem_len = len < tmp_len ? len : tmp_len;
767
memcpy(&ctx->block[ctx->len], message, rem_len);
769
if (ctx->len + len < SHA224_BLOCK_SIZE) {
774
new_len = len - rem_len;
775
block_nb = new_len / SHA224_BLOCK_SIZE;
777
shifted_message = message + rem_len;
779
sha256_transf(ctx, ctx->block, 1);
780
sha256_transf(ctx, shifted_message, block_nb);
782
rem_len = new_len % SHA224_BLOCK_SIZE;
784
memcpy(ctx->block, &shifted_message[block_nb << 6],
788
ctx->tot_len += (block_nb + 1) << 6;
791
void sha224_final(sha224_ctx *ctx, unsigned char *digest)
793
unsigned int block_nb;
801
block_nb = (1 + ((SHA224_BLOCK_SIZE - 9)
802
< (ctx->len % SHA224_BLOCK_SIZE)));
804
len_b = (ctx->tot_len + ctx->len) << 3;
805
pm_len = block_nb << 6;
807
memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
808
ctx->block[ctx->len] = 0x80;
809
UNPACK32(len_b, ctx->block + pm_len - 4);
811
sha256_transf(ctx, ctx->block, block_nb);
814
for (i = 0 ; i < 7; i++) {
815
UNPACK32(ctx->h[i], &digest[i << 2]);
818
UNPACK32(ctx->h[0], &digest[ 0]);
819
UNPACK32(ctx->h[1], &digest[ 4]);
820
UNPACK32(ctx->h[2], &digest[ 8]);
821
UNPACK32(ctx->h[3], &digest[12]);
822
UNPACK32(ctx->h[4], &digest[16]);
823
UNPACK32(ctx->h[5], &digest[20]);
824
UNPACK32(ctx->h[6], &digest[24]);
825
#endif /* !UNROLL_LOOPS */
830
// #ifdef TEST_VECTORS
832
// /* FIPS 180-2 Validation tests */
834
// #include <stdio.h>
835
// #include <stdlib.h>
837
// void test(const unsigned char *vector, unsigned char *digest,
838
// unsigned int digest_size)
840
// unsigned char output[2 * SHA512_DIGEST_SIZE + 1];
843
// output[2 * digest_size] = '\0';
845
// for (i = 0; i < (int) digest_size ; i++) {
846
// sprintf((char *) output + 2 * i, "%02x", digest[i]);
849
// printf("H: %s\n", output);
850
// if (strcmp((char *) vector, (char *) output)) {
851
// fprintf(stderr, "Test failed.\n");
852
// exit(EXIT_FAILURE);
858
// static const unsigned char *vectors[4][3] =
861
// "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7",
862
// "75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525",
863
// "20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67",
867
// "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
868
// "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1",
869
// "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0",
873
// "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
874
// "8086072ba1e7cc2358baeca134c825a7",
875
// "09330c33f71147e83d192fc782cd1b4753111b173b3b05d22fa08086e3b0f712"
876
// "fcc7c71a557e2db966c3e9fa91746039",
877
// "9d0e1809716474cb086e834e310a4a1ced149e9c00f248527972cec5704c2a5b"
878
// "07b8b3dc38ecc4ebae97ddd87f3d8985",
882
// "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
883
// "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
884
// "8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018"
885
// "501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909",
886
// "e718483d0ce769644e2e42c7bc15b4638e1f98b13b2044285632a803afa973eb"
887
// "de0ff244877ea60a4cb0432ce577c31beb009c5c2c49aa2e4eadb217ad8cc09b"
891
// static const unsigned char message1[] = "abc";
892
// static const unsigned char message2a[] = "abcdbcdecdefdefgefghfghighijhi"
893
// "jkijkljklmklmnlmnomnopnopq";
894
// static const unsigned char message2b[] =
895
// "abcdefghbcdefghicdefghijdefghijkefghij"
896
// "klfghijklmghijklmnhijklmnoijklmnopjklm"
897
// "nopqklmnopqrlmnopqrsmnopqrstnopqrstu";
898
// unsigned char *message3;
899
// unsigned int message3_len = 1000000;
900
// unsigned char digest[SHA512_DIGEST_SIZE];
902
// message3 = malloc(message3_len);
903
// if (message3 == NULL) {
904
// fprintf(stderr, "Can't allocate memory\n");
907
// memset(message3, 'a', message3_len);
909
// printf("SHA-2 FIPS 180-2 Validation tests\n\n");
910
// printf("SHA-224 Test vectors\n");
912
// sha224(message1, strlen((char *) message1), digest);
913
// test(vectors[0][0], digest, SHA224_DIGEST_SIZE);
914
// sha224(message2a, strlen((char *) message2a), digest);
915
// test(vectors[0][1], digest, SHA224_DIGEST_SIZE);
916
// sha224(message3, message3_len, digest);
917
// test(vectors[0][2], digest, SHA224_DIGEST_SIZE);
920
// printf("SHA-256 Test vectors\n");
922
// sha256(message1, strlen((char *) message1), digest);
923
// test(vectors[1][0], digest, SHA256_DIGEST_SIZE);
924
// sha256(message2a, strlen((char *) message2a), digest);
925
// test(vectors[1][1], digest, SHA256_DIGEST_SIZE);
926
// sha256(message3, message3_len, digest);
927
// test(vectors[1][2], digest, SHA256_DIGEST_SIZE);
930
// printf("SHA-384 Test vectors\n");
932
// sha384(message1, strlen((char *) message1), digest);
933
// test(vectors[2][0], digest, SHA384_DIGEST_SIZE);
934
// sha384(message2b, strlen((char *) message2b), digest);
935
// test(vectors[2][1], digest, SHA384_DIGEST_SIZE);
936
// sha384(message3, message3_len, digest);
937
// test(vectors[2][2], digest, SHA384_DIGEST_SIZE);
940
// printf("SHA-512 Test vectors\n");
942
// sha512(message1, strlen((char *) message1), digest);
943
// test(vectors[3][0], digest, SHA512_DIGEST_SIZE);
944
// sha512(message2b, strlen((char *) message2b), digest);
945
// test(vectors[3][1], digest, SHA512_DIGEST_SIZE);
946
// sha512(message3, message3_len, digest);
947
// test(vectors[3][2], digest, SHA512_DIGEST_SIZE);
950
// printf("All tests passed.\n");
955
// #endif /* TEST_VECTORS */