2 * FIPS 180-2 SHA-224/256/384/512 implementation
3 * Last update: 02/02/2007
4 * Issue date: 04/30/2005
6 * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch>
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #define UNROLL_LOOPS /* Enable loops unrolling */
42 #define SHFR(x, n) (x >> n)
43 #define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n)))
44 #define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n)))
45 #define CH(x, y, z) ((x & y) ^ (~x & z))
46 #define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z))
48 #define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
49 #define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
50 #define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3))
51 #define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10))
53 #define SHA512_F1(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39))
54 #define SHA512_F2(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41))
55 #define SHA512_F3(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHFR(x, 7))
56 #define SHA512_F4(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHFR(x, 6))
58 #define UNPACK32(x, str) \
60 *((str) + 3) = (uint8_t) ((x) ); \
61 *((str) + 2) = (uint8_t) ((x) >> 8); \
62 *((str) + 1) = (uint8_t) ((x) >> 16); \
63 *((str) + 0) = (uint8_t) ((x) >> 24); \
66 #define PACK32(str, x) \
68 *(x) = ((uint32_t) *((str) + 3) ) \
69 | ((uint32_t) *((str) + 2) << 8) \
70 | ((uint32_t) *((str) + 1) << 16) \
71 | ((uint32_t) *((str) + 0) << 24); \
74 #define UNPACK64(x, str) \
76 *((str) + 7) = (uint8_t) ((x) ); \
77 *((str) + 6) = (uint8_t) ((x) >> 8); \
78 *((str) + 5) = (uint8_t) ((x) >> 16); \
79 *((str) + 4) = (uint8_t) ((x) >> 24); \
80 *((str) + 3) = (uint8_t) ((x) >> 32); \
81 *((str) + 2) = (uint8_t) ((x) >> 40); \
82 *((str) + 1) = (uint8_t) ((x) >> 48); \
83 *((str) + 0) = (uint8_t) ((x) >> 56); \
86 #define PACK64(str, x) \
88 *(x) = ((uint64_t) *((str) + 7) ) \
89 | ((uint64_t) *((str) + 6) << 8) \
90 | ((uint64_t) *((str) + 5) << 16) \
91 | ((uint64_t) *((str) + 4) << 24) \
92 | ((uint64_t) *((str) + 3) << 32) \
93 | ((uint64_t) *((str) + 2) << 40) \
94 | ((uint64_t) *((str) + 1) << 48) \
95 | ((uint64_t) *((str) + 0) << 56); \
98 /* Macros used for loops unrolling */
100 #define SHA256_SCR(i) \
102 w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \
103 + SHA256_F3(w[i - 15]) + w[i - 16]; \
106 #define SHA512_SCR(i) \
108 w[i] = SHA512_F4(w[i - 2]) + w[i - 7] \
109 + SHA512_F3(w[i - 15]) + w[i - 16]; \
112 #define SHA256_EXP(a, b, c, d, e, f, g, h, j) \
114 t1 = wv[h] + SHA256_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
115 + sha256_k[j] + w[j]; \
116 t2 = SHA256_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
121 #define SHA512_EXP(a, b, c, d, e, f, g ,h, j) \
123 t1 = wv[h] + SHA512_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \
124 + sha512_k[j] + w[j]; \
125 t2 = SHA512_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \
130 uint32_t sha224_h0[8] =
131 {0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
132 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4};
134 uint32_t sha256_h0[8] =
135 {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
136 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
138 uint64_t sha384_h0[8] =
139 {0xcbbb9d5dc1059ed8ULL, 0x629a292a367cd507ULL,
140 0x9159015a3070dd17ULL, 0x152fecd8f70e5939ULL,
141 0x67332667ffc00b31ULL, 0x8eb44a8768581511ULL,
142 0xdb0c2e0d64f98fa7ULL, 0x47b5481dbefa4fa4ULL};
144 uint64_t sha512_h0[8] =
145 {0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
146 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
147 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
148 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL};
150 uint32_t sha256_k[64] =
151 {0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
152 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
153 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
154 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
155 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
156 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
157 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
158 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
159 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
160 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
161 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
162 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
163 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
164 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
165 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
166 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2};
168 uint64_t sha512_k[80] =
169 {0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
170 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
171 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
172 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
173 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
174 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
175 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
176 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
177 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
178 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
179 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
180 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
181 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
182 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
183 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
184 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
185 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
186 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
187 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
188 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
189 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
190 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
191 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
192 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
193 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
194 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
195 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
196 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
197 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
198 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
199 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
200 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
201 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
202 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
203 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
204 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
205 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
206 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
207 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
208 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL};
210 /* SHA-256 functions */
212 void sha256_transf(sha256_ctx *ctx, const unsigned char *message,
213 unsigned int block_nb)
218 const unsigned char *sub_block;
225 for (i = 0; i < (int) block_nb; i++) {
226 sub_block = message + (i << 6);
229 for (j = 0; j < 16; j++) {
230 PACK32(&sub_block[j << 2], &w[j]);
233 for (j = 16; j < 64; j++) {
237 for (j = 0; j < 8; j++) {
241 for (j = 0; j < 64; j++) {
242 t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
243 + sha256_k[j] + w[j];
244 t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
255 for (j = 0; j < 8; j++) {
259 PACK32(&sub_block[ 0], &w[ 0]); PACK32(&sub_block[ 4], &w[ 1]);
260 PACK32(&sub_block[ 8], &w[ 2]); PACK32(&sub_block[12], &w[ 3]);
261 PACK32(&sub_block[16], &w[ 4]); PACK32(&sub_block[20], &w[ 5]);
262 PACK32(&sub_block[24], &w[ 6]); PACK32(&sub_block[28], &w[ 7]);
263 PACK32(&sub_block[32], &w[ 8]); PACK32(&sub_block[36], &w[ 9]);
264 PACK32(&sub_block[40], &w[10]); PACK32(&sub_block[44], &w[11]);
265 PACK32(&sub_block[48], &w[12]); PACK32(&sub_block[52], &w[13]);
266 PACK32(&sub_block[56], &w[14]); PACK32(&sub_block[60], &w[15]);
268 SHA256_SCR(16); SHA256_SCR(17); SHA256_SCR(18); SHA256_SCR(19);
269 SHA256_SCR(20); SHA256_SCR(21); SHA256_SCR(22); SHA256_SCR(23);
270 SHA256_SCR(24); SHA256_SCR(25); SHA256_SCR(26); SHA256_SCR(27);
271 SHA256_SCR(28); SHA256_SCR(29); SHA256_SCR(30); SHA256_SCR(31);
272 SHA256_SCR(32); SHA256_SCR(33); SHA256_SCR(34); SHA256_SCR(35);
273 SHA256_SCR(36); SHA256_SCR(37); SHA256_SCR(38); SHA256_SCR(39);
274 SHA256_SCR(40); SHA256_SCR(41); SHA256_SCR(42); SHA256_SCR(43);
275 SHA256_SCR(44); SHA256_SCR(45); SHA256_SCR(46); SHA256_SCR(47);
276 SHA256_SCR(48); SHA256_SCR(49); SHA256_SCR(50); SHA256_SCR(51);
277 SHA256_SCR(52); SHA256_SCR(53); SHA256_SCR(54); SHA256_SCR(55);
278 SHA256_SCR(56); SHA256_SCR(57); SHA256_SCR(58); SHA256_SCR(59);
279 SHA256_SCR(60); SHA256_SCR(61); SHA256_SCR(62); SHA256_SCR(63);
281 wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
282 wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
283 wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
284 wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
286 SHA256_EXP(0,1,2,3,4,5,6,7, 0); SHA256_EXP(7,0,1,2,3,4,5,6, 1);
287 SHA256_EXP(6,7,0,1,2,3,4,5, 2); SHA256_EXP(5,6,7,0,1,2,3,4, 3);
288 SHA256_EXP(4,5,6,7,0,1,2,3, 4); SHA256_EXP(3,4,5,6,7,0,1,2, 5);
289 SHA256_EXP(2,3,4,5,6,7,0,1, 6); SHA256_EXP(1,2,3,4,5,6,7,0, 7);
290 SHA256_EXP(0,1,2,3,4,5,6,7, 8); SHA256_EXP(7,0,1,2,3,4,5,6, 9);
291 SHA256_EXP(6,7,0,1,2,3,4,5,10); SHA256_EXP(5,6,7,0,1,2,3,4,11);
292 SHA256_EXP(4,5,6,7,0,1,2,3,12); SHA256_EXP(3,4,5,6,7,0,1,2,13);
293 SHA256_EXP(2,3,4,5,6,7,0,1,14); SHA256_EXP(1,2,3,4,5,6,7,0,15);
294 SHA256_EXP(0,1,2,3,4,5,6,7,16); SHA256_EXP(7,0,1,2,3,4,5,6,17);
295 SHA256_EXP(6,7,0,1,2,3,4,5,18); SHA256_EXP(5,6,7,0,1,2,3,4,19);
296 SHA256_EXP(4,5,6,7,0,1,2,3,20); SHA256_EXP(3,4,5,6,7,0,1,2,21);
297 SHA256_EXP(2,3,4,5,6,7,0,1,22); SHA256_EXP(1,2,3,4,5,6,7,0,23);
298 SHA256_EXP(0,1,2,3,4,5,6,7,24); SHA256_EXP(7,0,1,2,3,4,5,6,25);
299 SHA256_EXP(6,7,0,1,2,3,4,5,26); SHA256_EXP(5,6,7,0,1,2,3,4,27);
300 SHA256_EXP(4,5,6,7,0,1,2,3,28); SHA256_EXP(3,4,5,6,7,0,1,2,29);
301 SHA256_EXP(2,3,4,5,6,7,0,1,30); SHA256_EXP(1,2,3,4,5,6,7,0,31);
302 SHA256_EXP(0,1,2,3,4,5,6,7,32); SHA256_EXP(7,0,1,2,3,4,5,6,33);
303 SHA256_EXP(6,7,0,1,2,3,4,5,34); SHA256_EXP(5,6,7,0,1,2,3,4,35);
304 SHA256_EXP(4,5,6,7,0,1,2,3,36); SHA256_EXP(3,4,5,6,7,0,1,2,37);
305 SHA256_EXP(2,3,4,5,6,7,0,1,38); SHA256_EXP(1,2,3,4,5,6,7,0,39);
306 SHA256_EXP(0,1,2,3,4,5,6,7,40); SHA256_EXP(7,0,1,2,3,4,5,6,41);
307 SHA256_EXP(6,7,0,1,2,3,4,5,42); SHA256_EXP(5,6,7,0,1,2,3,4,43);
308 SHA256_EXP(4,5,6,7,0,1,2,3,44); SHA256_EXP(3,4,5,6,7,0,1,2,45);
309 SHA256_EXP(2,3,4,5,6,7,0,1,46); SHA256_EXP(1,2,3,4,5,6,7,0,47);
310 SHA256_EXP(0,1,2,3,4,5,6,7,48); SHA256_EXP(7,0,1,2,3,4,5,6,49);
311 SHA256_EXP(6,7,0,1,2,3,4,5,50); SHA256_EXP(5,6,7,0,1,2,3,4,51);
312 SHA256_EXP(4,5,6,7,0,1,2,3,52); SHA256_EXP(3,4,5,6,7,0,1,2,53);
313 SHA256_EXP(2,3,4,5,6,7,0,1,54); SHA256_EXP(1,2,3,4,5,6,7,0,55);
314 SHA256_EXP(0,1,2,3,4,5,6,7,56); SHA256_EXP(7,0,1,2,3,4,5,6,57);
315 SHA256_EXP(6,7,0,1,2,3,4,5,58); SHA256_EXP(5,6,7,0,1,2,3,4,59);
316 SHA256_EXP(4,5,6,7,0,1,2,3,60); SHA256_EXP(3,4,5,6,7,0,1,2,61);
317 SHA256_EXP(2,3,4,5,6,7,0,1,62); SHA256_EXP(1,2,3,4,5,6,7,0,63);
319 ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
320 ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
321 ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
322 ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
323 #endif /* !UNROLL_LOOPS */
327 void sha256(const unsigned char *message, unsigned int len, unsigned char *digest)
332 sha256_update(&ctx, message, len);
333 sha256_final(&ctx, digest);
336 void sha256_init(sha256_ctx *ctx)
340 for (i = 0; i < 8; i++) {
341 ctx->h[i] = sha256_h0[i];
344 ctx->h[0] = sha256_h0[0]; ctx->h[1] = sha256_h0[1];
345 ctx->h[2] = sha256_h0[2]; ctx->h[3] = sha256_h0[3];
346 ctx->h[4] = sha256_h0[4]; ctx->h[5] = sha256_h0[5];
347 ctx->h[6] = sha256_h0[6]; ctx->h[7] = sha256_h0[7];
348 #endif /* !UNROLL_LOOPS */
354 void sha256_update(sha256_ctx *ctx, const unsigned char *message,
357 unsigned int block_nb;
358 unsigned int new_len, rem_len, tmp_len;
359 const unsigned char *shifted_message;
361 tmp_len = SHA256_BLOCK_SIZE - ctx->len;
362 rem_len = len < tmp_len ? len : tmp_len;
364 memcpy(&ctx->block[ctx->len], message, rem_len);
366 if (ctx->len + len < SHA256_BLOCK_SIZE) {
371 new_len = len - rem_len;
372 block_nb = new_len / SHA256_BLOCK_SIZE;
374 shifted_message = message + rem_len;
376 sha256_transf(ctx, ctx->block, 1);
377 sha256_transf(ctx, shifted_message, block_nb);
379 rem_len = new_len % SHA256_BLOCK_SIZE;
381 memcpy(ctx->block, &shifted_message[block_nb << 6],
385 ctx->tot_len += (block_nb + 1) << 6;
388 void sha256_final(sha256_ctx *ctx, unsigned char *digest)
390 unsigned int block_nb;
398 block_nb = (1 + ((SHA256_BLOCK_SIZE - 9)
399 < (ctx->len % SHA256_BLOCK_SIZE)));
401 len_b = (ctx->tot_len + ctx->len) << 3;
402 pm_len = block_nb << 6;
404 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
405 ctx->block[ctx->len] = 0x80;
406 UNPACK32(len_b, ctx->block + pm_len - 4);
408 sha256_transf(ctx, ctx->block, block_nb);
411 for (i = 0 ; i < 8; i++) {
412 UNPACK32(ctx->h[i], &digest[i << 2]);
415 UNPACK32(ctx->h[0], &digest[ 0]);
416 UNPACK32(ctx->h[1], &digest[ 4]);
417 UNPACK32(ctx->h[2], &digest[ 8]);
418 UNPACK32(ctx->h[3], &digest[12]);
419 UNPACK32(ctx->h[4], &digest[16]);
420 UNPACK32(ctx->h[5], &digest[20]);
421 UNPACK32(ctx->h[6], &digest[24]);
422 UNPACK32(ctx->h[7], &digest[28]);
423 #endif /* !UNROLL_LOOPS */
426 /* SHA-512 functions */
428 void sha512_transf(sha512_ctx *ctx, const unsigned char *message,
429 unsigned int block_nb)
434 const unsigned char *sub_block;
437 for (i = 0; i < (int) block_nb; i++) {
438 sub_block = message + (i << 7);
441 for (j = 0; j < 16; j++) {
442 PACK64(&sub_block[j << 3], &w[j]);
445 for (j = 16; j < 80; j++) {
449 for (j = 0; j < 8; j++) {
453 for (j = 0; j < 80; j++) {
454 t1 = wv[7] + SHA512_F2(wv[4]) + CH(wv[4], wv[5], wv[6])
455 + sha512_k[j] + w[j];
456 t2 = SHA512_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]);
467 for (j = 0; j < 8; j++) {
471 PACK64(&sub_block[ 0], &w[ 0]); PACK64(&sub_block[ 8], &w[ 1]);
472 PACK64(&sub_block[ 16], &w[ 2]); PACK64(&sub_block[ 24], &w[ 3]);
473 PACK64(&sub_block[ 32], &w[ 4]); PACK64(&sub_block[ 40], &w[ 5]);
474 PACK64(&sub_block[ 48], &w[ 6]); PACK64(&sub_block[ 56], &w[ 7]);
475 PACK64(&sub_block[ 64], &w[ 8]); PACK64(&sub_block[ 72], &w[ 9]);
476 PACK64(&sub_block[ 80], &w[10]); PACK64(&sub_block[ 88], &w[11]);
477 PACK64(&sub_block[ 96], &w[12]); PACK64(&sub_block[104], &w[13]);
478 PACK64(&sub_block[112], &w[14]); PACK64(&sub_block[120], &w[15]);
480 SHA512_SCR(16); SHA512_SCR(17); SHA512_SCR(18); SHA512_SCR(19);
481 SHA512_SCR(20); SHA512_SCR(21); SHA512_SCR(22); SHA512_SCR(23);
482 SHA512_SCR(24); SHA512_SCR(25); SHA512_SCR(26); SHA512_SCR(27);
483 SHA512_SCR(28); SHA512_SCR(29); SHA512_SCR(30); SHA512_SCR(31);
484 SHA512_SCR(32); SHA512_SCR(33); SHA512_SCR(34); SHA512_SCR(35);
485 SHA512_SCR(36); SHA512_SCR(37); SHA512_SCR(38); SHA512_SCR(39);
486 SHA512_SCR(40); SHA512_SCR(41); SHA512_SCR(42); SHA512_SCR(43);
487 SHA512_SCR(44); SHA512_SCR(45); SHA512_SCR(46); SHA512_SCR(47);
488 SHA512_SCR(48); SHA512_SCR(49); SHA512_SCR(50); SHA512_SCR(51);
489 SHA512_SCR(52); SHA512_SCR(53); SHA512_SCR(54); SHA512_SCR(55);
490 SHA512_SCR(56); SHA512_SCR(57); SHA512_SCR(58); SHA512_SCR(59);
491 SHA512_SCR(60); SHA512_SCR(61); SHA512_SCR(62); SHA512_SCR(63);
492 SHA512_SCR(64); SHA512_SCR(65); SHA512_SCR(66); SHA512_SCR(67);
493 SHA512_SCR(68); SHA512_SCR(69); SHA512_SCR(70); SHA512_SCR(71);
494 SHA512_SCR(72); SHA512_SCR(73); SHA512_SCR(74); SHA512_SCR(75);
495 SHA512_SCR(76); SHA512_SCR(77); SHA512_SCR(78); SHA512_SCR(79);
497 wv[0] = ctx->h[0]; wv[1] = ctx->h[1];
498 wv[2] = ctx->h[2]; wv[3] = ctx->h[3];
499 wv[4] = ctx->h[4]; wv[5] = ctx->h[5];
500 wv[6] = ctx->h[6]; wv[7] = ctx->h[7];
505 SHA512_EXP(0,1,2,3,4,5,6,7,j); j++;
506 SHA512_EXP(7,0,1,2,3,4,5,6,j); j++;
507 SHA512_EXP(6,7,0,1,2,3,4,5,j); j++;
508 SHA512_EXP(5,6,7,0,1,2,3,4,j); j++;
509 SHA512_EXP(4,5,6,7,0,1,2,3,j); j++;
510 SHA512_EXP(3,4,5,6,7,0,1,2,j); j++;
511 SHA512_EXP(2,3,4,5,6,7,0,1,j); j++;
512 SHA512_EXP(1,2,3,4,5,6,7,0,j); j++;
515 ctx->h[0] += wv[0]; ctx->h[1] += wv[1];
516 ctx->h[2] += wv[2]; ctx->h[3] += wv[3];
517 ctx->h[4] += wv[4]; ctx->h[5] += wv[5];
518 ctx->h[6] += wv[6]; ctx->h[7] += wv[7];
519 #endif /* !UNROLL_LOOPS */
523 void sha512(const unsigned char *message, unsigned int len,
524 unsigned char *digest)
529 sha512_update(&ctx, message, len);
530 sha512_final(&ctx, digest);
533 void sha512_init(sha512_ctx *ctx)
537 for (i = 0; i < 8; i++) {
538 ctx->h[i] = sha512_h0[i];
541 ctx->h[0] = sha512_h0[0]; ctx->h[1] = sha512_h0[1];
542 ctx->h[2] = sha512_h0[2]; ctx->h[3] = sha512_h0[3];
543 ctx->h[4] = sha512_h0[4]; ctx->h[5] = sha512_h0[5];
544 ctx->h[6] = sha512_h0[6]; ctx->h[7] = sha512_h0[7];
545 #endif /* !UNROLL_LOOPS */
551 void sha512_update(sha512_ctx *ctx, const unsigned char *message,
554 unsigned int block_nb;
555 unsigned int new_len, rem_len, tmp_len;
556 const unsigned char *shifted_message;
558 tmp_len = SHA512_BLOCK_SIZE - ctx->len;
559 rem_len = len < tmp_len ? len : tmp_len;
561 memcpy(&ctx->block[ctx->len], message, rem_len);
563 if (ctx->len + len < SHA512_BLOCK_SIZE) {
568 new_len = len - rem_len;
569 block_nb = new_len / SHA512_BLOCK_SIZE;
571 shifted_message = message + rem_len;
573 sha512_transf(ctx, ctx->block, 1);
574 sha512_transf(ctx, shifted_message, block_nb);
576 rem_len = new_len % SHA512_BLOCK_SIZE;
578 memcpy(ctx->block, &shifted_message[block_nb << 7],
582 ctx->tot_len += (block_nb + 1) << 7;
585 void sha512_final(sha512_ctx *ctx, unsigned char *digest)
587 unsigned int block_nb;
595 block_nb = 1 + ((SHA512_BLOCK_SIZE - 17)
596 < (ctx->len % SHA512_BLOCK_SIZE));
598 len_b = (ctx->tot_len + ctx->len) << 3;
599 pm_len = block_nb << 7;
601 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
602 ctx->block[ctx->len] = 0x80;
603 UNPACK32(len_b, ctx->block + pm_len - 4);
605 sha512_transf(ctx, ctx->block, block_nb);
608 for (i = 0 ; i < 8; i++) {
609 UNPACK64(ctx->h[i], &digest[i << 3]);
612 UNPACK64(ctx->h[0], &digest[ 0]);
613 UNPACK64(ctx->h[1], &digest[ 8]);
614 UNPACK64(ctx->h[2], &digest[16]);
615 UNPACK64(ctx->h[3], &digest[24]);
616 UNPACK64(ctx->h[4], &digest[32]);
617 UNPACK64(ctx->h[5], &digest[40]);
618 UNPACK64(ctx->h[6], &digest[48]);
619 UNPACK64(ctx->h[7], &digest[56]);
620 #endif /* !UNROLL_LOOPS */
623 /* SHA-384 functions */
625 void sha384(const unsigned char *message, unsigned int len,
626 unsigned char *digest)
631 sha384_update(&ctx, message, len);
632 sha384_final(&ctx, digest);
635 void sha384_init(sha384_ctx *ctx)
639 for (i = 0; i < 8; i++) {
640 ctx->h[i] = sha384_h0[i];
643 ctx->h[0] = sha384_h0[0]; ctx->h[1] = sha384_h0[1];
644 ctx->h[2] = sha384_h0[2]; ctx->h[3] = sha384_h0[3];
645 ctx->h[4] = sha384_h0[4]; ctx->h[5] = sha384_h0[5];
646 ctx->h[6] = sha384_h0[6]; ctx->h[7] = sha384_h0[7];
647 #endif /* !UNROLL_LOOPS */
653 void sha384_update(sha384_ctx *ctx, const unsigned char *message,
656 unsigned int block_nb;
657 unsigned int new_len, rem_len, tmp_len;
658 const unsigned char *shifted_message;
660 tmp_len = SHA384_BLOCK_SIZE - ctx->len;
661 rem_len = len < tmp_len ? len : tmp_len;
663 memcpy(&ctx->block[ctx->len], message, rem_len);
665 if (ctx->len + len < SHA384_BLOCK_SIZE) {
670 new_len = len - rem_len;
671 block_nb = new_len / SHA384_BLOCK_SIZE;
673 shifted_message = message + rem_len;
675 sha512_transf(ctx, ctx->block, 1);
676 sha512_transf(ctx, shifted_message, block_nb);
678 rem_len = new_len % SHA384_BLOCK_SIZE;
680 memcpy(ctx->block, &shifted_message[block_nb << 7],
684 ctx->tot_len += (block_nb + 1) << 7;
687 void sha384_final(sha384_ctx *ctx, unsigned char *digest)
689 unsigned int block_nb;
697 block_nb = (1 + ((SHA384_BLOCK_SIZE - 17)
698 < (ctx->len % SHA384_BLOCK_SIZE)));
700 len_b = (ctx->tot_len + ctx->len) << 3;
701 pm_len = block_nb << 7;
703 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
704 ctx->block[ctx->len] = 0x80;
705 UNPACK32(len_b, ctx->block + pm_len - 4);
707 sha512_transf(ctx, ctx->block, block_nb);
710 for (i = 0 ; i < 6; i++) {
711 UNPACK64(ctx->h[i], &digest[i << 3]);
714 UNPACK64(ctx->h[0], &digest[ 0]);
715 UNPACK64(ctx->h[1], &digest[ 8]);
716 UNPACK64(ctx->h[2], &digest[16]);
717 UNPACK64(ctx->h[3], &digest[24]);
718 UNPACK64(ctx->h[4], &digest[32]);
719 UNPACK64(ctx->h[5], &digest[40]);
720 #endif /* !UNROLL_LOOPS */
723 /* SHA-224 functions */
725 void sha224(const unsigned char *message, unsigned int len,
726 unsigned char *digest)
731 sha224_update(&ctx, message, len);
732 sha224_final(&ctx, digest);
735 void sha224_init(sha224_ctx *ctx)
739 for (i = 0; i < 8; i++) {
740 ctx->h[i] = sha224_h0[i];
743 ctx->h[0] = sha224_h0[0]; ctx->h[1] = sha224_h0[1];
744 ctx->h[2] = sha224_h0[2]; ctx->h[3] = sha224_h0[3];
745 ctx->h[4] = sha224_h0[4]; ctx->h[5] = sha224_h0[5];
746 ctx->h[6] = sha224_h0[6]; ctx->h[7] = sha224_h0[7];
747 #endif /* !UNROLL_LOOPS */
753 void sha224_update(sha224_ctx *ctx, const unsigned char *message,
756 unsigned int block_nb;
757 unsigned int new_len, rem_len, tmp_len;
758 const unsigned char *shifted_message;
760 tmp_len = SHA224_BLOCK_SIZE - ctx->len;
761 rem_len = len < tmp_len ? len : tmp_len;
763 memcpy(&ctx->block[ctx->len], message, rem_len);
765 if (ctx->len + len < SHA224_BLOCK_SIZE) {
770 new_len = len - rem_len;
771 block_nb = new_len / SHA224_BLOCK_SIZE;
773 shifted_message = message + rem_len;
775 sha256_transf(ctx, ctx->block, 1);
776 sha256_transf(ctx, shifted_message, block_nb);
778 rem_len = new_len % SHA224_BLOCK_SIZE;
780 memcpy(ctx->block, &shifted_message[block_nb << 6],
784 ctx->tot_len += (block_nb + 1) << 6;
787 void sha224_final(sha224_ctx *ctx, unsigned char *digest)
789 unsigned int block_nb;
797 block_nb = (1 + ((SHA224_BLOCK_SIZE - 9)
798 < (ctx->len % SHA224_BLOCK_SIZE)));
800 len_b = (ctx->tot_len + ctx->len) << 3;
801 pm_len = block_nb << 6;
803 memset(ctx->block + ctx->len, 0, pm_len - ctx->len);
804 ctx->block[ctx->len] = 0x80;
805 UNPACK32(len_b, ctx->block + pm_len - 4);
807 sha256_transf(ctx, ctx->block, block_nb);
810 for (i = 0 ; i < 7; i++) {
811 UNPACK32(ctx->h[i], &digest[i << 2]);
814 UNPACK32(ctx->h[0], &digest[ 0]);
815 UNPACK32(ctx->h[1], &digest[ 4]);
816 UNPACK32(ctx->h[2], &digest[ 8]);
817 UNPACK32(ctx->h[3], &digest[12]);
818 UNPACK32(ctx->h[4], &digest[16]);
819 UNPACK32(ctx->h[5], &digest[20]);
820 UNPACK32(ctx->h[6], &digest[24]);
821 #endif /* !UNROLL_LOOPS */
823 #endif /* HAVE_SHA2 */
827 /* FIPS 180-2 Validation tests */
832 void test(const char *vector, unsigned char *digest,
833 unsigned int digest_size)
835 char output[2 * SHA512_DIGEST_SIZE + 1];
838 output[2 * digest_size] = '\0';
840 for (i = 0; i < (int) digest_size ; i++) {
841 sprintf(output + 2 * i, "%02x", digest[i]);
844 printf("H: %s\n", output);
845 if (strcmp(vector, output)) {
846 fprintf(stderr, "Test failed.\n");
853 static const char *vectors[4][3] =
856 "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7",
857 "75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525",
858 "20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67",
862 "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
863 "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1",
864 "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0",
868 "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
869 "8086072ba1e7cc2358baeca134c825a7",
870 "09330c33f71147e83d192fc782cd1b4753111b173b3b05d22fa08086e3b0f712"
871 "fcc7c71a557e2db966c3e9fa91746039",
872 "9d0e1809716474cb086e834e310a4a1ced149e9c00f248527972cec5704c2a5b"
873 "07b8b3dc38ecc4ebae97ddd87f3d8985",
877 "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
878 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
879 "8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018"
880 "501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909",
881 "e718483d0ce769644e2e42c7bc15b4638e1f98b13b2044285632a803afa973eb"
882 "de0ff244877ea60a4cb0432ce577c31beb009c5c2c49aa2e4eadb217ad8cc09b"
886 static const char message1[] = "abc";
887 static const char message2a[] = "abcdbcdecdefdefgefghfghighijhi"
888 "jkijkljklmklmnlmnomnopnopq";
889 static const char message2b[] = "abcdefghbcdefghicdefghijdefghijkefghij"
890 "klfghijklmghijklmnhijklmnoijklmnopjklm"
891 "nopqklmnopqrlmnopqrsmnopqrstnopqrstu";
892 unsigned char *message3;
893 unsigned int message3_len = 1000000;
894 unsigned char digest[SHA512_DIGEST_SIZE];
896 message3 = malloc(message3_len);
897 if (message3 == NULL) {
898 fprintf(stderr, "Can't allocate memory\n");
901 memset(message3, 'a', message3_len);
903 printf("SHA-2 FIPS 180-2 Validation tests\n\n");
904 printf("SHA-224 Test vectors\n");
906 sha224((const unsigned char *) message1, strlen(message1), digest);
907 test(vectors[0][0], digest, SHA224_DIGEST_SIZE);
908 sha224((const unsigned char *) message2a, strlen(message2a), digest);
909 test(vectors[0][1], digest, SHA224_DIGEST_SIZE);
910 sha224(message3, message3_len, digest);
911 test(vectors[0][2], digest, SHA224_DIGEST_SIZE);
914 printf("SHA-256 Test vectors\n");
916 sha256((const unsigned char *) message1, strlen(message1), digest);
917 test(vectors[1][0], digest, SHA256_DIGEST_SIZE);
918 sha256((const unsigned char *) message2a, strlen(message2a), digest);
919 test(vectors[1][1], digest, SHA256_DIGEST_SIZE);
920 sha256(message3, message3_len, digest);
921 test(vectors[1][2], digest, SHA256_DIGEST_SIZE);
924 printf("SHA-384 Test vectors\n");
926 sha384((const unsigned char *) message1, strlen(message1), digest);
927 test(vectors[2][0], digest, SHA384_DIGEST_SIZE);
928 sha384((const unsigned char *)message2b, strlen(message2b), digest);
929 test(vectors[2][1], digest, SHA384_DIGEST_SIZE);
930 sha384(message3, message3_len, digest);
931 test(vectors[2][2], digest, SHA384_DIGEST_SIZE);
934 printf("SHA-512 Test vectors\n");
936 sha512((const unsigned char *) message1, strlen(message1), digest);
937 test(vectors[3][0], digest, SHA512_DIGEST_SIZE);
938 sha512((const unsigned char *) message2b, strlen(message2b), digest);
939 test(vectors[3][1], digest, SHA512_DIGEST_SIZE);
940 sha512(message3, message3_len, digest);
941 test(vectors[3][2], digest, SHA512_DIGEST_SIZE);
944 printf("All tests passed.\n");
949 #endif /* TEST_VECTORS */
projects / bacula / bacula / blob