1/*-------------------------------------------------------------------------
2 *
3 * sha2.c
4 * Set of SHA functions for SHA-224, SHA-256, SHA-384 and SHA-512.
5 *
6 * This is the set of in-core functions used when there are no other
7 * alternative options like OpenSSL.
8 *
9 * Portions Copyright (c) 2016-2019, PostgreSQL Global Development Group
10 *
11 * IDENTIFICATION
12 * src/common/sha2.c
13 *
14 *-------------------------------------------------------------------------
15 */
16
17/* $OpenBSD: sha2.c,v 1.6 2004/05/03 02:57:36 millert Exp $ */
18/*
19 * FILE: sha2.c
20 * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
21 *
22 * Copyright (c) 2000-2001, Aaron D. Gifford
23 * All rights reserved.
24 *
25 * Redistribution and use in source and binary forms, with or without
26 * modification, are permitted provided that the following conditions
27 * are met:
28 * 1. Redistributions of source code must retain the above copyright
29 * notice, this list of conditions and the following disclaimer.
30 * 2. Redistributions in binary form must reproduce the above copyright
31 * notice, this list of conditions and the following disclaimer in the
32 * documentation and/or other materials provided with the distribution.
33 * 3. Neither the name of the copyright holder nor the names of contributors
34 * may be used to endorse or promote products derived from this software
35 * without specific prior written permission.
36 *
37 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
38 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
39 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
40 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
41 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
42 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
43 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
45 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
46 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
47 * SUCH DAMAGE.
48 *
49 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
50 */
51
52
53#ifndef FRONTEND
54#include "postgres.h"
55#else
56#include "postgres_fe.h"
57#endif
58
59#include <sys/param.h>
60
61#include "common/sha2.h"
62
63/*
64 * UNROLLED TRANSFORM LOOP NOTE:
65 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
66 * loop version for the hash transform rounds (defined using macros
67 * later in this file). Either define on the command line, for example:
68 *
69 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
70 *
71 * or define below:
72 *
73 * #define SHA2_UNROLL_TRANSFORM
74 *
75 */
76
77/*** SHA-256/384/512 Various Length Definitions ***********************/
78#define PG_SHA256_SHORT_BLOCK_LENGTH (PG_SHA256_BLOCK_LENGTH - 8)
79#define PG_SHA384_SHORT_BLOCK_LENGTH (PG_SHA384_BLOCK_LENGTH - 16)
80#define PG_SHA512_SHORT_BLOCK_LENGTH (PG_SHA512_BLOCK_LENGTH - 16)
81
82/*** ENDIAN REVERSAL MACROS *******************************************/
83#ifndef WORDS_BIGENDIAN
84#define REVERSE32(w,x) { \
85 uint32 tmp = (w); \
86 tmp = (tmp >> 16) | (tmp << 16); \
87 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
88}
89#define REVERSE64(w,x) { \
90 uint64 tmp = (w); \
91 tmp = (tmp >> 32) | (tmp << 32); \
92 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
93 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
94 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
95 ((tmp & 0x0000ffff0000ffffULL) << 16); \
96}
97#endif /* not bigendian */
98
99/*
100 * Macro for incrementally adding the unsigned 64-bit integer n to the
101 * unsigned 128-bit integer (represented using a two-element array of
102 * 64-bit words):
103 */
104#define ADDINC128(w,n) { \
105 (w)[0] += (uint64)(n); \
106 if ((w)[0] < (n)) { \
107 (w)[1]++; \
108 } \
109}
110
111/*** THE SIX LOGICAL FUNCTIONS ****************************************/
112/*
113 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
114 *
115 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
116 * S is a ROTATION) because the SHA-256/384/512 description document
117 * (see http://www.iwar.org.uk/comsec/resources/cipher/sha256-384-512.pdf)
118 * uses this same "backwards" definition.
119 */
120/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
121#define R(b,x) ((x) >> (b))
122/* 32-bit Rotate-right (used in SHA-256): */
123#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
124/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
125#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
126
127/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
128#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
129#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
130
131/* Four of six logical functions used in SHA-256: */
132#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
133#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
134#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
135#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
136
137/* Four of six logical functions used in SHA-384 and SHA-512: */
138#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
139#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
140#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
141#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
142
143/*** INTERNAL FUNCTION PROTOTYPES *************************************/
144/* NOTE: These should not be accessed directly from outside this
145 * library -- they are intended for private internal visibility/use
146 * only.
147 */
148static void SHA512_Last(pg_sha512_ctx *context);
149static void SHA256_Transform(pg_sha256_ctx *context, const uint8 *data);
150static void SHA512_Transform(pg_sha512_ctx *context, const uint8 *data);
151
152/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
153/* Hash constant words K for SHA-256: */
154static const uint32 K256[64] = {
155 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
156 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
157 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
158 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
159 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
160 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
161 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
162 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
163 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
164 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
165 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
166 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
167 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
168 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
169 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
170 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
171};
172
173/* Initial hash value H for SHA-224: */
174static const uint32 sha224_initial_hash_value[8] = {
175 0xc1059ed8UL,
176 0x367cd507UL,
177 0x3070dd17UL,
178 0xf70e5939UL,
179 0xffc00b31UL,
180 0x68581511UL,
181 0x64f98fa7UL,
182 0xbefa4fa4UL
183};
184
185/* Initial hash value H for SHA-256: */
186static const uint32 sha256_initial_hash_value[8] = {
187 0x6a09e667UL,
188 0xbb67ae85UL,
189 0x3c6ef372UL,
190 0xa54ff53aUL,
191 0x510e527fUL,
192 0x9b05688cUL,
193 0x1f83d9abUL,
194 0x5be0cd19UL
195};
196
197/* Hash constant words K for SHA-384 and SHA-512: */
198static const uint64 K512[80] = {
199 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
200 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
201 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
202 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
203 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
204 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
205 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
206 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
207 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
208 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
209 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
210 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
211 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
212 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
213 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
214 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
215 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
216 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
217 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
218 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
219 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
220 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
221 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
222 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
223 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
224 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
225 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
226 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
227 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
228 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
229 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
230 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
231 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
232 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
233 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
234 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
235 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
236 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
237 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
238 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
239};
240
241/* Initial hash value H for SHA-384 */
242static const uint64 sha384_initial_hash_value[8] = {
243 0xcbbb9d5dc1059ed8ULL,
244 0x629a292a367cd507ULL,
245 0x9159015a3070dd17ULL,
246 0x152fecd8f70e5939ULL,
247 0x67332667ffc00b31ULL,
248 0x8eb44a8768581511ULL,
249 0xdb0c2e0d64f98fa7ULL,
250 0x47b5481dbefa4fa4ULL
251};
252
253/* Initial hash value H for SHA-512 */
254static const uint64 sha512_initial_hash_value[8] = {
255 0x6a09e667f3bcc908ULL,
256 0xbb67ae8584caa73bULL,
257 0x3c6ef372fe94f82bULL,
258 0xa54ff53a5f1d36f1ULL,
259 0x510e527fade682d1ULL,
260 0x9b05688c2b3e6c1fULL,
261 0x1f83d9abfb41bd6bULL,
262 0x5be0cd19137e2179ULL
263};
264
265
266/*** SHA-256: *********************************************************/
267void
268pg_sha256_init(pg_sha256_ctx *context)
269{
270 if (context == NULL)
271 return;
272 memcpy(context->state, sha256_initial_hash_value, PG_SHA256_DIGEST_LENGTH);
273 memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH);
274 context->bitcount = 0;
275}
276
277#ifdef SHA2_UNROLL_TRANSFORM
278
279/* Unrolled SHA-256 round macros: */
280
281#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
282 W256[j] = (uint32)data[3] | ((uint32)data[2] << 8) | \
283 ((uint32)data[1] << 16) | ((uint32)data[0] << 24); \
284 data += 4; \
285 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
286 (d) += T1; \
287 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
288 j++; \
289} while(0)
290
291#define ROUND256(a,b,c,d,e,f,g,h) do { \
292 s0 = W256[(j+1)&0x0f]; \
293 s0 = sigma0_256(s0); \
294 s1 = W256[(j+14)&0x0f]; \
295 s1 = sigma1_256(s1); \
296 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
297 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
298 (d) += T1; \
299 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
300 j++; \
301} while(0)
302
303static void
304SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
305{
306 uint32 a,
307 b,
308 c,
309 d,
310 e,
311 f,
312 g,
313 h,
314 s0,
315 s1;
316 uint32 T1,
317 *W256;
318 int j;
319
320 W256 = (uint32 *) context->buffer;
321
322 /* Initialize registers with the prev. intermediate value */
323 a = context->state[0];
324 b = context->state[1];
325 c = context->state[2];
326 d = context->state[3];
327 e = context->state[4];
328 f = context->state[5];
329 g = context->state[6];
330 h = context->state[7];
331
332 j = 0;
333 do
334 {
335 /* Rounds 0 to 15 (unrolled): */
336 ROUND256_0_TO_15(a, b, c, d, e, f, g, h);
337 ROUND256_0_TO_15(h, a, b, c, d, e, f, g);
338 ROUND256_0_TO_15(g, h, a, b, c, d, e, f);
339 ROUND256_0_TO_15(f, g, h, a, b, c, d, e);
340 ROUND256_0_TO_15(e, f, g, h, a, b, c, d);
341 ROUND256_0_TO_15(d, e, f, g, h, a, b, c);
342 ROUND256_0_TO_15(c, d, e, f, g, h, a, b);
343 ROUND256_0_TO_15(b, c, d, e, f, g, h, a);
344 } while (j < 16);
345
346 /* Now for the remaining rounds to 64: */
347 do
348 {
349 ROUND256(a, b, c, d, e, f, g, h);
350 ROUND256(h, a, b, c, d, e, f, g);
351 ROUND256(g, h, a, b, c, d, e, f);
352 ROUND256(f, g, h, a, b, c, d, e);
353 ROUND256(e, f, g, h, a, b, c, d);
354 ROUND256(d, e, f, g, h, a, b, c);
355 ROUND256(c, d, e, f, g, h, a, b);
356 ROUND256(b, c, d, e, f, g, h, a);
357 } while (j < 64);
358
359 /* Compute the current intermediate hash value */
360 context->state[0] += a;
361 context->state[1] += b;
362 context->state[2] += c;
363 context->state[3] += d;
364 context->state[4] += e;
365 context->state[5] += f;
366 context->state[6] += g;
367 context->state[7] += h;
368
369 /* Clean up */
370 a = b = c = d = e = f = g = h = T1 = 0;
371}
372#else /* SHA2_UNROLL_TRANSFORM */
373
374static void
375SHA256_Transform(pg_sha256_ctx *context, const uint8 *data)
376{
377 uint32 a,
378 b,
379 c,
380 d,
381 e,
382 f,
383 g,
384 h,
385 s0,
386 s1;
387 uint32 T1,
388 T2,
389 *W256;
390 int j;
391
392 W256 = (uint32 *) context->buffer;
393
394 /* Initialize registers with the prev. intermediate value */
395 a = context->state[0];
396 b = context->state[1];
397 c = context->state[2];
398 d = context->state[3];
399 e = context->state[4];
400 f = context->state[5];
401 g = context->state[6];
402 h = context->state[7];
403
404 j = 0;
405 do
406 {
407 W256[j] = (uint32) data[3] | ((uint32) data[2] << 8) |
408 ((uint32) data[1] << 16) | ((uint32) data[0] << 24);
409 data += 4;
410 /* Apply the SHA-256 compression function to update a..h */
411 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
412 T2 = Sigma0_256(a) + Maj(a, b, c);
413 h = g;
414 g = f;
415 f = e;
416 e = d + T1;
417 d = c;
418 c = b;
419 b = a;
420 a = T1 + T2;
421
422 j++;
423 } while (j < 16);
424
425 do
426 {
427 /* Part of the message block expansion: */
428 s0 = W256[(j + 1) & 0x0f];
429 s0 = sigma0_256(s0);
430 s1 = W256[(j + 14) & 0x0f];
431 s1 = sigma1_256(s1);
432
433 /* Apply the SHA-256 compression function to update a..h */
434 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
435 (W256[j & 0x0f] += s1 + W256[(j + 9) & 0x0f] + s0);
436 T2 = Sigma0_256(a) + Maj(a, b, c);
437 h = g;
438 g = f;
439 f = e;
440 e = d + T1;
441 d = c;
442 c = b;
443 b = a;
444 a = T1 + T2;
445
446 j++;
447 } while (j < 64);
448
449 /* Compute the current intermediate hash value */
450 context->state[0] += a;
451 context->state[1] += b;
452 context->state[2] += c;
453 context->state[3] += d;
454 context->state[4] += e;
455 context->state[5] += f;
456 context->state[6] += g;
457 context->state[7] += h;
458
459 /* Clean up */
460 a = b = c = d = e = f = g = h = T1 = T2 = 0;
461}
462#endif /* SHA2_UNROLL_TRANSFORM */
463
464void
465pg_sha256_update(pg_sha256_ctx *context, const uint8 *data, size_t len)
466{
467 size_t freespace,
468 usedspace;
469
470 /* Calling with no data is valid (we do nothing) */
471 if (len == 0)
472 return;
473
474 usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH;
475 if (usedspace > 0)
476 {
477 /* Calculate how much free space is available in the buffer */
478 freespace = PG_SHA256_BLOCK_LENGTH - usedspace;
479
480 if (len >= freespace)
481 {
482 /* Fill the buffer completely and process it */
483 memcpy(&context->buffer[usedspace], data, freespace);
484 context->bitcount += freespace << 3;
485 len -= freespace;
486 data += freespace;
487 SHA256_Transform(context, context->buffer);
488 }
489 else
490 {
491 /* The buffer is not yet full */
492 memcpy(&context->buffer[usedspace], data, len);
493 context->bitcount += len << 3;
494 /* Clean up: */
495 usedspace = freespace = 0;
496 return;
497 }
498 }
499 while (len >= PG_SHA256_BLOCK_LENGTH)
500 {
501 /* Process as many complete blocks as we can */
502 SHA256_Transform(context, data);
503 context->bitcount += PG_SHA256_BLOCK_LENGTH << 3;
504 len -= PG_SHA256_BLOCK_LENGTH;
505 data += PG_SHA256_BLOCK_LENGTH;
506 }
507 if (len > 0)
508 {
509 /* There's left-overs, so save 'em */
510 memcpy(context->buffer, data, len);
511 context->bitcount += len << 3;
512 }
513 /* Clean up: */
514 usedspace = freespace = 0;
515}
516
517static void
518SHA256_Last(pg_sha256_ctx *context)
519{
520 unsigned int usedspace;
521
522 usedspace = (context->bitcount >> 3) % PG_SHA256_BLOCK_LENGTH;
523#ifndef WORDS_BIGENDIAN
524 /* Convert FROM host byte order */
525 REVERSE64(context->bitcount, context->bitcount);
526#endif
527 if (usedspace > 0)
528 {
529 /* Begin padding with a 1 bit: */
530 context->buffer[usedspace++] = 0x80;
531
532 if (usedspace <= PG_SHA256_SHORT_BLOCK_LENGTH)
533 {
534 /* Set-up for the last transform: */
535 memset(&context->buffer[usedspace], 0, PG_SHA256_SHORT_BLOCK_LENGTH - usedspace);
536 }
537 else
538 {
539 if (usedspace < PG_SHA256_BLOCK_LENGTH)
540 {
541 memset(&context->buffer[usedspace], 0, PG_SHA256_BLOCK_LENGTH - usedspace);
542 }
543 /* Do second-to-last transform: */
544 SHA256_Transform(context, context->buffer);
545
546 /* And set-up for the last transform: */
547 memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH);
548 }
549 }
550 else
551 {
552 /* Set-up for the last transform: */
553 memset(context->buffer, 0, PG_SHA256_SHORT_BLOCK_LENGTH);
554
555 /* Begin padding with a 1 bit: */
556 *context->buffer = 0x80;
557 }
558 /* Set the bit count: */
559 *(uint64 *) &context->buffer[PG_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
560
561 /* Final transform: */
562 SHA256_Transform(context, context->buffer);
563}
564
565void
566pg_sha256_final(pg_sha256_ctx *context, uint8 *digest)
567{
568 /* If no digest buffer is passed, we don't bother doing this: */
569 if (digest != NULL)
570 {
571 SHA256_Last(context);
572
573#ifndef WORDS_BIGENDIAN
574 {
575 /* Convert TO host byte order */
576 int j;
577
578 for (j = 0; j < 8; j++)
579 {
580 REVERSE32(context->state[j], context->state[j]);
581 }
582 }
583#endif
584 memcpy(digest, context->state, PG_SHA256_DIGEST_LENGTH);
585 }
586
587 /* Clean up state data: */
588 memset(context, 0, sizeof(pg_sha256_ctx));
589}
590
591
592/*** SHA-512: *********************************************************/
593void
594pg_sha512_init(pg_sha512_ctx *context)
595{
596 if (context == NULL)
597 return;
598 memcpy(context->state, sha512_initial_hash_value, PG_SHA512_DIGEST_LENGTH);
599 memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH);
600 context->bitcount[0] = context->bitcount[1] = 0;
601}
602
603#ifdef SHA2_UNROLL_TRANSFORM
604
605/* Unrolled SHA-512 round macros: */
606
607#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
608 W512[j] = (uint64)data[7] | ((uint64)data[6] << 8) | \
609 ((uint64)data[5] << 16) | ((uint64)data[4] << 24) | \
610 ((uint64)data[3] << 32) | ((uint64)data[2] << 40) | \
611 ((uint64)data[1] << 48) | ((uint64)data[0] << 56); \
612 data += 8; \
613 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
614 (d) += T1; \
615 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
616 j++; \
617} while(0)
618
619
620#define ROUND512(a,b,c,d,e,f,g,h) do { \
621 s0 = W512[(j+1)&0x0f]; \
622 s0 = sigma0_512(s0); \
623 s1 = W512[(j+14)&0x0f]; \
624 s1 = sigma1_512(s1); \
625 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
626 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
627 (d) += T1; \
628 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
629 j++; \
630} while(0)
631
632static void
633SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
634{
635 uint64 a,
636 b,
637 c,
638 d,
639 e,
640 f,
641 g,
642 h,
643 s0,
644 s1;
645 uint64 T1,
646 *W512 = (uint64 *) context->buffer;
647 int j;
648
649 /* Initialize registers with the prev. intermediate value */
650 a = context->state[0];
651 b = context->state[1];
652 c = context->state[2];
653 d = context->state[3];
654 e = context->state[4];
655 f = context->state[5];
656 g = context->state[6];
657 h = context->state[7];
658
659 j = 0;
660 do
661 {
662 ROUND512_0_TO_15(a, b, c, d, e, f, g, h);
663 ROUND512_0_TO_15(h, a, b, c, d, e, f, g);
664 ROUND512_0_TO_15(g, h, a, b, c, d, e, f);
665 ROUND512_0_TO_15(f, g, h, a, b, c, d, e);
666 ROUND512_0_TO_15(e, f, g, h, a, b, c, d);
667 ROUND512_0_TO_15(d, e, f, g, h, a, b, c);
668 ROUND512_0_TO_15(c, d, e, f, g, h, a, b);
669 ROUND512_0_TO_15(b, c, d, e, f, g, h, a);
670 } while (j < 16);
671
672 /* Now for the remaining rounds up to 79: */
673 do
674 {
675 ROUND512(a, b, c, d, e, f, g, h);
676 ROUND512(h, a, b, c, d, e, f, g);
677 ROUND512(g, h, a, b, c, d, e, f);
678 ROUND512(f, g, h, a, b, c, d, e);
679 ROUND512(e, f, g, h, a, b, c, d);
680 ROUND512(d, e, f, g, h, a, b, c);
681 ROUND512(c, d, e, f, g, h, a, b);
682 ROUND512(b, c, d, e, f, g, h, a);
683 } while (j < 80);
684
685 /* Compute the current intermediate hash value */
686 context->state[0] += a;
687 context->state[1] += b;
688 context->state[2] += c;
689 context->state[3] += d;
690 context->state[4] += e;
691 context->state[5] += f;
692 context->state[6] += g;
693 context->state[7] += h;
694
695 /* Clean up */
696 a = b = c = d = e = f = g = h = T1 = 0;
697}
698#else /* SHA2_UNROLL_TRANSFORM */
699
700static void
701SHA512_Transform(pg_sha512_ctx *context, const uint8 *data)
702{
703 uint64 a,
704 b,
705 c,
706 d,
707 e,
708 f,
709 g,
710 h,
711 s0,
712 s1;
713 uint64 T1,
714 T2,
715 *W512 = (uint64 *) context->buffer;
716 int j;
717
718 /* Initialize registers with the prev. intermediate value */
719 a = context->state[0];
720 b = context->state[1];
721 c = context->state[2];
722 d = context->state[3];
723 e = context->state[4];
724 f = context->state[5];
725 g = context->state[6];
726 h = context->state[7];
727
728 j = 0;
729 do
730 {
731 W512[j] = (uint64) data[7] | ((uint64) data[6] << 8) |
732 ((uint64) data[5] << 16) | ((uint64) data[4] << 24) |
733 ((uint64) data[3] << 32) | ((uint64) data[2] << 40) |
734 ((uint64) data[1] << 48) | ((uint64) data[0] << 56);
735 data += 8;
736 /* Apply the SHA-512 compression function to update a..h */
737 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
738 T2 = Sigma0_512(a) + Maj(a, b, c);
739 h = g;
740 g = f;
741 f = e;
742 e = d + T1;
743 d = c;
744 c = b;
745 b = a;
746 a = T1 + T2;
747
748 j++;
749 } while (j < 16);
750
751 do
752 {
753 /* Part of the message block expansion: */
754 s0 = W512[(j + 1) & 0x0f];
755 s0 = sigma0_512(s0);
756 s1 = W512[(j + 14) & 0x0f];
757 s1 = sigma1_512(s1);
758
759 /* Apply the SHA-512 compression function to update a..h */
760 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
761 (W512[j & 0x0f] += s1 + W512[(j + 9) & 0x0f] + s0);
762 T2 = Sigma0_512(a) + Maj(a, b, c);
763 h = g;
764 g = f;
765 f = e;
766 e = d + T1;
767 d = c;
768 c = b;
769 b = a;
770 a = T1 + T2;
771
772 j++;
773 } while (j < 80);
774
775 /* Compute the current intermediate hash value */
776 context->state[0] += a;
777 context->state[1] += b;
778 context->state[2] += c;
779 context->state[3] += d;
780 context->state[4] += e;
781 context->state[5] += f;
782 context->state[6] += g;
783 context->state[7] += h;
784
785 /* Clean up */
786 a = b = c = d = e = f = g = h = T1 = T2 = 0;
787}
788#endif /* SHA2_UNROLL_TRANSFORM */
789
790void
791pg_sha512_update(pg_sha512_ctx *context, const uint8 *data, size_t len)
792{
793 size_t freespace,
794 usedspace;
795
796 /* Calling with no data is valid (we do nothing) */
797 if (len == 0)
798 return;
799
800 usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH;
801 if (usedspace > 0)
802 {
803 /* Calculate how much free space is available in the buffer */
804 freespace = PG_SHA512_BLOCK_LENGTH - usedspace;
805
806 if (len >= freespace)
807 {
808 /* Fill the buffer completely and process it */
809 memcpy(&context->buffer[usedspace], data, freespace);
810 ADDINC128(context->bitcount, freespace << 3);
811 len -= freespace;
812 data += freespace;
813 SHA512_Transform(context, context->buffer);
814 }
815 else
816 {
817 /* The buffer is not yet full */
818 memcpy(&context->buffer[usedspace], data, len);
819 ADDINC128(context->bitcount, len << 3);
820 /* Clean up: */
821 usedspace = freespace = 0;
822 return;
823 }
824 }
825 while (len >= PG_SHA512_BLOCK_LENGTH)
826 {
827 /* Process as many complete blocks as we can */
828 SHA512_Transform(context, data);
829 ADDINC128(context->bitcount, PG_SHA512_BLOCK_LENGTH << 3);
830 len -= PG_SHA512_BLOCK_LENGTH;
831 data += PG_SHA512_BLOCK_LENGTH;
832 }
833 if (len > 0)
834 {
835 /* There's left-overs, so save 'em */
836 memcpy(context->buffer, data, len);
837 ADDINC128(context->bitcount, len << 3);
838 }
839 /* Clean up: */
840 usedspace = freespace = 0;
841}
842
843static void
844SHA512_Last(pg_sha512_ctx *context)
845{
846 unsigned int usedspace;
847
848 usedspace = (context->bitcount[0] >> 3) % PG_SHA512_BLOCK_LENGTH;
849#ifndef WORDS_BIGENDIAN
850 /* Convert FROM host byte order */
851 REVERSE64(context->bitcount[0], context->bitcount[0]);
852 REVERSE64(context->bitcount[1], context->bitcount[1]);
853#endif
854 if (usedspace > 0)
855 {
856 /* Begin padding with a 1 bit: */
857 context->buffer[usedspace++] = 0x80;
858
859 if (usedspace <= PG_SHA512_SHORT_BLOCK_LENGTH)
860 {
861 /* Set-up for the last transform: */
862 memset(&context->buffer[usedspace], 0, PG_SHA512_SHORT_BLOCK_LENGTH - usedspace);
863 }
864 else
865 {
866 if (usedspace < PG_SHA512_BLOCK_LENGTH)
867 {
868 memset(&context->buffer[usedspace], 0, PG_SHA512_BLOCK_LENGTH - usedspace);
869 }
870 /* Do second-to-last transform: */
871 SHA512_Transform(context, context->buffer);
872
873 /* And set-up for the last transform: */
874 memset(context->buffer, 0, PG_SHA512_BLOCK_LENGTH - 2);
875 }
876 }
877 else
878 {
879 /* Prepare for final transform: */
880 memset(context->buffer, 0, PG_SHA512_SHORT_BLOCK_LENGTH);
881
882 /* Begin padding with a 1 bit: */
883 *context->buffer = 0x80;
884 }
885 /* Store the length of input data (in bits): */
886 *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
887 *(uint64 *) &context->buffer[PG_SHA512_SHORT_BLOCK_LENGTH + 8] = context->bitcount[0];
888
889 /* Final transform: */
890 SHA512_Transform(context, context->buffer);
891}
892
893void
894pg_sha512_final(pg_sha512_ctx *context, uint8 *digest)
895{
896 /* If no digest buffer is passed, we don't bother doing this: */
897 if (digest != NULL)
898 {
899 SHA512_Last(context);
900
901 /* Save the hash data for output: */
902#ifndef WORDS_BIGENDIAN
903 {
904 /* Convert TO host byte order */
905 int j;
906
907 for (j = 0; j < 8; j++)
908 {
909 REVERSE64(context->state[j], context->state[j]);
910 }
911 }
912#endif
913 memcpy(digest, context->state, PG_SHA512_DIGEST_LENGTH);
914 }
915
916 /* Zero out state data */
917 memset(context, 0, sizeof(pg_sha512_ctx));
918}
919
920
921/*** SHA-384: *********************************************************/
922void
923pg_sha384_init(pg_sha384_ctx *context)
924{
925 if (context == NULL)
926 return;
927 memcpy(context->state, sha384_initial_hash_value, PG_SHA512_DIGEST_LENGTH);
928 memset(context->buffer, 0, PG_SHA384_BLOCK_LENGTH);
929 context->bitcount[0] = context->bitcount[1] = 0;
930}
931
932void
933pg_sha384_update(pg_sha384_ctx *context, const uint8 *data, size_t len)
934{
935 pg_sha512_update((pg_sha512_ctx *) context, data, len);
936}
937
938void
939pg_sha384_final(pg_sha384_ctx *context, uint8 *digest)
940{
941 /* If no digest buffer is passed, we don't bother doing this: */
942 if (digest != NULL)
943 {
944 SHA512_Last((pg_sha512_ctx *) context);
945
946 /* Save the hash data for output: */
947#ifndef WORDS_BIGENDIAN
948 {
949 /* Convert TO host byte order */
950 int j;
951
952 for (j = 0; j < 6; j++)
953 {
954 REVERSE64(context->state[j], context->state[j]);
955 }
956 }
957#endif
958 memcpy(digest, context->state, PG_SHA384_DIGEST_LENGTH);
959 }
960
961 /* Zero out state data */
962 memset(context, 0, sizeof(pg_sha384_ctx));
963}
964
965/*** SHA-224: *********************************************************/
966void
967pg_sha224_init(pg_sha224_ctx *context)
968{
969 if (context == NULL)
970 return;
971 memcpy(context->state, sha224_initial_hash_value, PG_SHA256_DIGEST_LENGTH);
972 memset(context->buffer, 0, PG_SHA256_BLOCK_LENGTH);
973 context->bitcount = 0;
974}
975
976void
977pg_sha224_update(pg_sha224_ctx *context, const uint8 *data, size_t len)
978{
979 pg_sha256_update((pg_sha256_ctx *) context, data, len);
980}
981
982void
983pg_sha224_final(pg_sha224_ctx *context, uint8 *digest)
984{
985 /* If no digest buffer is passed, we don't bother doing this: */
986 if (digest != NULL)
987 {
988 SHA256_Last(context);
989
990#ifndef WORDS_BIGENDIAN
991 {
992 /* Convert TO host byte order */
993 int j;
994
995 for (j = 0; j < 8; j++)
996 {
997 REVERSE32(context->state[j], context->state[j]);
998 }
999 }
1000#endif
1001 memcpy(digest, context->state, PG_SHA224_DIGEST_LENGTH);
1002 }
1003
1004 /* Clean up state data: */
1005 memset(context, 0, sizeof(pg_sha224_ctx));
1006}
1007