1 /* sha512.c - Functions to compute SHA512 and SHA384 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
4 Copyright (C) 2005, 2006 Free Software Foundation, Inc.
6 This program is free software; you can redistribute it and/or modify it
7 under the terms of the GNU General Public License as published by the
8 Free Software Foundation; either version 2, or (at your option) any
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software Foundation,
18 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
20 /* Written by David Madore, considerably copypasting from
21 Scott G. Miller's sha1.c
34 # include "unlocked-io.h"
37 #ifdef WORDS_BIGENDIAN
41 (((n) << 56) | (((n) & 0xff00) << 40) | (((n) & 0xff0000UL) << 24) \
42 | (((n) & 0xff000000UL) << 8) | (((n) >> 8) & 0xff000000UL) \
43 | (((n) >> 24) & 0xff0000UL) | (((n) >> 40) & 0xff00UL) | ((n) >> 56))
46 #define BLOCKSIZE 4096
47 #if BLOCKSIZE % 128 != 0
48 # error "invalid BLOCKSIZE"
51 /* This array contains the bytes used to pad the buffer to the next
53 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
57 Takes a pointer to a 512 bit block of data (eight 64 bit ints) and
58 intializes it to the start constants of the SHA512 algorithm. This
59 must be called before using hash in the call to sha512_hash
62 sha512_init_ctx (struct sha512_ctx *ctx)
64 ctx->state[0] = 0x6a09e667f3bcc908ULL;
65 ctx->state[1] = 0xbb67ae8584caa73bULL;
66 ctx->state[2] = 0x3c6ef372fe94f82bULL;
67 ctx->state[3] = 0xa54ff53a5f1d36f1ULL;
68 ctx->state[4] = 0x510e527fade682d1ULL;
69 ctx->state[5] = 0x9b05688c2b3e6c1fULL;
70 ctx->state[6] = 0x1f83d9abfb41bd6bULL;
71 ctx->state[7] = 0x5be0cd19137e2179ULL;
73 ctx->total[0] = ctx->total[1] = 0;
78 sha384_init_ctx (struct sha512_ctx *ctx)
80 ctx->state[0] = 0xcbbb9d5dc1059ed8ULL;
81 ctx->state[1] = 0x629a292a367cd507ULL;
82 ctx->state[2] = 0x9159015a3070dd17ULL;
83 ctx->state[3] = 0x152fecd8f70e5939ULL;
84 ctx->state[4] = 0x67332667ffc00b31ULL;
85 ctx->state[5] = 0x8eb44a8768581511ULL;
86 ctx->state[6] = 0xdb0c2e0d64f98fa7ULL;
87 ctx->state[7] = 0x47b5481dbefa4fa4ULL;
89 ctx->total[0] = ctx->total[1] = 0;
93 /* Put result from CTX in first 64 bytes following RESBUF. The result
94 must be in little endian byte order.
96 IMPORTANT: On some systems it is required that RESBUF is correctly
97 aligned for a 64-bit value. */
99 sha512_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
103 for (i = 0; i < 8; i++)
104 ((uint64_t *) resbuf)[i] = SWAP (ctx->state[i]);
110 sha384_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
114 for (i = 0; i < 6; i++)
115 ((uint64_t *) resbuf)[i] = SWAP (ctx->state[i]);
120 /* Process the remaining bytes in the internal buffer and the usual
121 prolog according to the standard and write the result to RESBUF.
123 IMPORTANT: On some systems it is required that RESBUF is correctly
124 aligned for a 64-bit value. */
126 sha512_conclude_ctx (struct sha512_ctx *ctx)
128 /* Take yet unprocessed bytes into account. */
129 uint64_t bytes = ctx->buflen;
130 size_t size = (bytes < 112) ? 128 / 8 : 128 * 2 / 8;
132 /* Now count remaining bytes. */
133 ctx->total[0] += bytes;
134 if (ctx->total[0] < bytes)
137 /* Put the 64-bit file length in *bits* at the end of the buffer. */
138 ctx->buffer[size - 2] = SWAP ((ctx->total[1] << 3) | (ctx->total[0] >> 61));
139 ctx->buffer[size - 1] = SWAP (ctx->total[0] << 3);
141 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 8 - bytes);
143 /* Process last bytes. */
144 sha512_process_block (ctx->buffer, size * 8, ctx);
148 sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
150 sha512_conclude_ctx (ctx);
151 return sha512_read_ctx (ctx, resbuf);
155 sha384_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
157 sha512_conclude_ctx (ctx);
158 return sha384_read_ctx (ctx, resbuf);
161 /* Compute SHA512 message digest for bytes read from STREAM. The
162 resulting message digest number will be written into the 64 bytes
163 beginning at RESBLOCK. */
165 sha512_stream (FILE *stream, void *resblock)
167 struct sha512_ctx ctx;
168 char buffer[BLOCKSIZE + 72];
171 /* Initialize the computation context. */
172 sha512_init_ctx (&ctx);
174 /* Iterate over full file contents. */
177 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
178 computation function processes the whole buffer so that with the
179 next round of the loop another block can be read. */
183 /* Read block. Take care for partial reads. */
186 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
190 if (sum == BLOCKSIZE)
195 /* Check for the error flag IFF N == 0, so that we don't
196 exit the loop after a partial read due to e.g., EAGAIN
200 goto process_partial_block;
203 /* We've read at least one byte, so ignore errors. But always
204 check for EOF, since feof may be true even though N > 0.
205 Otherwise, we could end up calling fread after EOF. */
207 goto process_partial_block;
210 /* Process buffer with BLOCKSIZE bytes. Note that
213 sha512_process_block (buffer, BLOCKSIZE, &ctx);
216 process_partial_block:;
218 /* Process any remaining bytes. */
220 sha512_process_bytes (buffer, sum, &ctx);
222 /* Construct result in desired memory. */
223 sha512_finish_ctx (&ctx, resblock);
227 /* FIXME: Avoid code duplication */
229 sha384_stream (FILE *stream, void *resblock)
231 struct sha512_ctx ctx;
232 char buffer[BLOCKSIZE + 72];
235 /* Initialize the computation context. */
236 sha384_init_ctx (&ctx);
238 /* Iterate over full file contents. */
241 /* We read the file in blocks of BLOCKSIZE bytes. One call of the
242 computation function processes the whole buffer so that with the
243 next round of the loop another block can be read. */
247 /* Read block. Take care for partial reads. */
250 n = fread (buffer + sum, 1, BLOCKSIZE - sum, stream);
254 if (sum == BLOCKSIZE)
259 /* Check for the error flag IFF N == 0, so that we don't
260 exit the loop after a partial read due to e.g., EAGAIN
264 goto process_partial_block;
267 /* We've read at least one byte, so ignore errors. But always
268 check for EOF, since feof may be true even though N > 0.
269 Otherwise, we could end up calling fread after EOF. */
271 goto process_partial_block;
274 /* Process buffer with BLOCKSIZE bytes. Note that
277 sha512_process_block (buffer, BLOCKSIZE, &ctx);
280 process_partial_block:;
282 /* Process any remaining bytes. */
284 sha512_process_bytes (buffer, sum, &ctx);
286 /* Construct result in desired memory. */
287 sha384_finish_ctx (&ctx, resblock);
291 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
292 result is always in little endian byte order, so that a byte-wise
293 output yields to the wanted ASCII representation of the message
296 sha512_buffer (const char *buffer, size_t len, void *resblock)
298 struct sha512_ctx ctx;
300 /* Initialize the computation context. */
301 sha512_init_ctx (&ctx);
303 /* Process whole buffer but last len % 128 bytes. */
304 sha512_process_bytes (buffer, len, &ctx);
306 /* Put result in desired memory area. */
307 return sha512_finish_ctx (&ctx, resblock);
311 sha384_buffer (const char *buffer, size_t len, void *resblock)
313 struct sha512_ctx ctx;
315 /* Initialize the computation context. */
316 sha384_init_ctx (&ctx);
318 /* Process whole buffer but last len % 128 bytes. */
319 sha512_process_bytes (buffer, len, &ctx);
321 /* Put result in desired memory area. */
322 return sha384_finish_ctx (&ctx, resblock);
326 sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
328 /* When we already have some bits in our internal buffer concatenate
329 both inputs first. */
330 if (ctx->buflen != 0)
332 size_t left_over = ctx->buflen;
333 size_t add = 256 - left_over > len ? len : 256 - left_over;
335 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
338 if (ctx->buflen > 128)
340 sha512_process_block (ctx->buffer, ctx->buflen & ~63, ctx);
343 /* The regions in the following copy operation cannot overlap. */
345 &((char *) ctx->buffer)[(left_over + add) & ~127],
349 buffer = (const char *) buffer + add;
353 /* Process available complete blocks. */
356 #if !_STRING_ARCH_unaligned
357 # define alignof(type) offsetof (struct { char c; type x; }, x)
358 # define UNALIGNED_P(p) (((size_t) p) % alignof (uint64_t) != 0)
359 if (UNALIGNED_P (buffer))
362 sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128, ctx);
363 buffer = (const char *) buffer + 128;
369 sha512_process_block (buffer, len & ~127, ctx);
370 buffer = (const char *) buffer + (len & ~127);
375 /* Move remaining bytes in internal buffer. */
378 size_t left_over = ctx->buflen;
380 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
382 if (left_over >= 128)
384 sha512_process_block (ctx->buffer, 128, ctx);
386 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
388 ctx->buflen = left_over;
392 /* --- Code below is the primary difference between sha1.c and sha512.c --- */
394 /* SHA512 round constants */
395 #define K(I) sha512_round_constants[I]
396 static const uint64_t sha512_round_constants[80] = {
397 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
398 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
399 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
400 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
401 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
402 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
403 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
404 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
405 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
406 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL,
409 /* Round functions. */
410 #define F2(A,B,C) ( ( A & B ) | ( C & ( A | B ) ) )
411 #define F1(E,F,G) ( G ^ ( E & ( F ^ G ) ) )
413 /* Process LEN bytes of BUFFER, accumulating context into CTX.
414 It is assumed that LEN % 128 == 0.
415 Most of this code comes from GnuPG's cipher/sha1.c. */
418 sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
420 const uint64_t *words = buffer;
421 size_t nwords = len / sizeof (uint64_t);
422 const uint64_t *endp = words + nwords;
424 uint64_t a = ctx->state[0];
425 uint64_t b = ctx->state[1];
426 uint64_t c = ctx->state[2];
427 uint64_t d = ctx->state[3];
428 uint64_t e = ctx->state[4];
429 uint64_t f = ctx->state[5];
430 uint64_t g = ctx->state[6];
431 uint64_t h = ctx->state[7];
433 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
434 length of the file up to 2^128 bits. Here we only compute the
435 number of bytes. Do a double word increment. */
436 ctx->total[0] += len;
437 if (ctx->total[0] < len)
440 #define S0(x) (rol64(x,63)^rol64(x,56)^(x>>7))
441 #define S1(x) (rol64(x,45)^rol64(x,3)^(x>>6))
442 #define SS0(x) (rol64(x,36)^rol64(x,30)^rol64(x,25))
443 #define SS1(x) (rol64(x,50)^rol64(x,46)^rol64(x,23))
445 #define M(I) ( tm = S1(x[(I-2)&0x0f]) + x[(I-7)&0x0f] \
446 + S0(x[(I-15)&0x0f]) + x[I&0x0f] \
449 #define R(A,B,C,D,E,F,G,H,K,M) do { t0 = SS0(A) + F2(A,B,C); \
454 D += t1; H = t0 + t1; \
462 /* FIXME: see sha1.c for a better implementation. */
463 for (t = 0; t < 16; t++)
465 x[t] = SWAP (*words);
469 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
470 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
471 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
472 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
473 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
474 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
475 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
476 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
477 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
478 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
479 R( g, h, a, b, c, d, e, f, K(10), x[10] );
480 R( f, g, h, a, b, c, d, e, K(11), x[11] );
481 R( e, f, g, h, a, b, c, d, K(12), x[12] );
482 R( d, e, f, g, h, a, b, c, K(13), x[13] );
483 R( c, d, e, f, g, h, a, b, K(14), x[14] );
484 R( b, c, d, e, f, g, h, a, K(15), x[15] );
485 R( a, b, c, d, e, f, g, h, K(16), M(16) );
486 R( h, a, b, c, d, e, f, g, K(17), M(17) );
487 R( g, h, a, b, c, d, e, f, K(18), M(18) );
488 R( f, g, h, a, b, c, d, e, K(19), M(19) );
489 R( e, f, g, h, a, b, c, d, K(20), M(20) );
490 R( d, e, f, g, h, a, b, c, K(21), M(21) );
491 R( c, d, e, f, g, h, a, b, K(22), M(22) );
492 R( b, c, d, e, f, g, h, a, K(23), M(23) );
493 R( a, b, c, d, e, f, g, h, K(24), M(24) );
494 R( h, a, b, c, d, e, f, g, K(25), M(25) );
495 R( g, h, a, b, c, d, e, f, K(26), M(26) );
496 R( f, g, h, a, b, c, d, e, K(27), M(27) );
497 R( e, f, g, h, a, b, c, d, K(28), M(28) );
498 R( d, e, f, g, h, a, b, c, K(29), M(29) );
499 R( c, d, e, f, g, h, a, b, K(30), M(30) );
500 R( b, c, d, e, f, g, h, a, K(31), M(31) );
501 R( a, b, c, d, e, f, g, h, K(32), M(32) );
502 R( h, a, b, c, d, e, f, g, K(33), M(33) );
503 R( g, h, a, b, c, d, e, f, K(34), M(34) );
504 R( f, g, h, a, b, c, d, e, K(35), M(35) );
505 R( e, f, g, h, a, b, c, d, K(36), M(36) );
506 R( d, e, f, g, h, a, b, c, K(37), M(37) );
507 R( c, d, e, f, g, h, a, b, K(38), M(38) );
508 R( b, c, d, e, f, g, h, a, K(39), M(39) );
509 R( a, b, c, d, e, f, g, h, K(40), M(40) );
510 R( h, a, b, c, d, e, f, g, K(41), M(41) );
511 R( g, h, a, b, c, d, e, f, K(42), M(42) );
512 R( f, g, h, a, b, c, d, e, K(43), M(43) );
513 R( e, f, g, h, a, b, c, d, K(44), M(44) );
514 R( d, e, f, g, h, a, b, c, K(45), M(45) );
515 R( c, d, e, f, g, h, a, b, K(46), M(46) );
516 R( b, c, d, e, f, g, h, a, K(47), M(47) );
517 R( a, b, c, d, e, f, g, h, K(48), M(48) );
518 R( h, a, b, c, d, e, f, g, K(49), M(49) );
519 R( g, h, a, b, c, d, e, f, K(50), M(50) );
520 R( f, g, h, a, b, c, d, e, K(51), M(51) );
521 R( e, f, g, h, a, b, c, d, K(52), M(52) );
522 R( d, e, f, g, h, a, b, c, K(53), M(53) );
523 R( c, d, e, f, g, h, a, b, K(54), M(54) );
524 R( b, c, d, e, f, g, h, a, K(55), M(55) );
525 R( a, b, c, d, e, f, g, h, K(56), M(56) );
526 R( h, a, b, c, d, e, f, g, K(57), M(57) );
527 R( g, h, a, b, c, d, e, f, K(58), M(58) );
528 R( f, g, h, a, b, c, d, e, K(59), M(59) );
529 R( e, f, g, h, a, b, c, d, K(60), M(60) );
530 R( d, e, f, g, h, a, b, c, K(61), M(61) );
531 R( c, d, e, f, g, h, a, b, K(62), M(62) );
532 R( b, c, d, e, f, g, h, a, K(63), M(63) );
533 R( a, b, c, d, e, f, g, h, K(64), M(64) );
534 R( h, a, b, c, d, e, f, g, K(65), M(65) );
535 R( g, h, a, b, c, d, e, f, K(66), M(66) );
536 R( f, g, h, a, b, c, d, e, K(67), M(67) );
537 R( e, f, g, h, a, b, c, d, K(68), M(68) );
538 R( d, e, f, g, h, a, b, c, K(69), M(69) );
539 R( c, d, e, f, g, h, a, b, K(70), M(70) );
540 R( b, c, d, e, f, g, h, a, K(71), M(71) );
541 R( a, b, c, d, e, f, g, h, K(72), M(72) );
542 R( h, a, b, c, d, e, f, g, K(73), M(73) );
543 R( g, h, a, b, c, d, e, f, K(74), M(74) );
544 R( f, g, h, a, b, c, d, e, K(75), M(75) );
545 R( e, f, g, h, a, b, c, d, K(76), M(76) );
546 R( d, e, f, g, h, a, b, c, K(77), M(77) );
547 R( c, d, e, f, g, h, a, b, K(78), M(78) );
548 R( b, c, d, e, f, g, h, a, K(79), M(79) );
550 a = ctx->state[0] += a;
551 b = ctx->state[1] += b;
552 c = ctx->state[2] += c;
553 d = ctx->state[3] += d;
554 e = ctx->state[4] += e;
555 f = ctx->state[5] += f;
556 g = ctx->state[6] += g;
557 h = ctx->state[7] += h;