sha512.c

   1 /* sha512.c
   2
   3    The sha512 hash function.
   4    See http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
   5
   6    Copyright (C) 2001, 2010 Niels Möller
   7    Copyright (C) 2014 Joachim Strömbergson
   8
   9    This file is part of GNU Nettle.
  10
  11    GNU Nettle is free software: you can redistribute it and/or
  12    modify it under the terms of either:
  13
  14      * the GNU Lesser General Public License as published by the Free
  15        Software Foundation; either version 3 of the License, or (at your
  16        option) any later version.
  17
  18    or
  19
  20      * the GNU General Public License as published by the Free
  21        Software Foundation; either version 2 of the License, or (at your
  22        option) any later version.
  23
  24    or both in parallel, as here.
  25
  26    GNU Nettle is distributed in the hope that it will be useful,
  27    but WITHOUT ANY WARRANTY; without even the implied warranty of
  28    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  29    General Public License for more details.
  30
  31    You should have received copies of the GNU General Public License and
  32    the GNU Lesser General Public License along with this program.  If
  33    not, see http://www.gnu.org/licenses/.
  34 */
  35
  36 /* Modelled after the sha1.c code by Peter Gutmann. */
  37
  38 #if HAVE_CONFIG_H
  39 # include "config.h"
  40 #endif
  41
  42 #include <assert.h>
  43 #include <stdlib.h>
  44 #include <string.h>
  45
  46 #include "sha2.h"
  47
  48 #include "macros.h"
  49
  50 /* Generated by the gp script
  51
  52      {
  53        print("obase=16");
  54        for (i = 1,80,
  55          root = prime(i)^(1/3);
  56          fraction = root - floor(root);
  57          print(floor(2^64 * fraction));
  58        );
  59        quit();
  60      }
  61
  62    piped through
  63
  64      |grep -v '^[' | bc \
  65        |awk '{printf("0x%sULL,%s", $1, NR%3 == 0 ? "\n" : "");}'
  66
  67    to convert it to hex.
  68 */
  69
  70 static const uint64_t
  71 K[80] =
  72 {
  73   0x428A2F98D728AE22ULL,0x7137449123EF65CDULL,
  74   0xB5C0FBCFEC4D3B2FULL,0xE9B5DBA58189DBBCULL,
  75   0x3956C25BF348B538ULL,0x59F111F1B605D019ULL,
  76   0x923F82A4AF194F9BULL,0xAB1C5ED5DA6D8118ULL,
  77   0xD807AA98A3030242ULL,0x12835B0145706FBEULL,
  78   0x243185BE4EE4B28CULL,0x550C7DC3D5FFB4E2ULL,
  79   0x72BE5D74F27B896FULL,0x80DEB1FE3B1696B1ULL,
  80   0x9BDC06A725C71235ULL,0xC19BF174CF692694ULL,
  81   0xE49B69C19EF14AD2ULL,0xEFBE4786384F25E3ULL,
  82   0x0FC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL,
  83   0x2DE92C6F592B0275ULL,0x4A7484AA6EA6E483ULL,
  84   0x5CB0A9DCBD41FBD4ULL,0x76F988DA831153B5ULL,
  85   0x983E5152EE66DFABULL,0xA831C66D2DB43210ULL,
  86   0xB00327C898FB213FULL,0xBF597FC7BEEF0EE4ULL,
  87   0xC6E00BF33DA88FC2ULL,0xD5A79147930AA725ULL,
  88   0x06CA6351E003826FULL,0x142929670A0E6E70ULL,
  89   0x27B70A8546D22FFCULL,0x2E1B21385C26C926ULL,
  90   0x4D2C6DFC5AC42AEDULL,0x53380D139D95B3DFULL,
  91   0x650A73548BAF63DEULL,0x766A0ABB3C77B2A8ULL,
  92   0x81C2C92E47EDAEE6ULL,0x92722C851482353BULL,
  93   0xA2BFE8A14CF10364ULL,0xA81A664BBC423001ULL,
  94   0xC24B8B70D0F89791ULL,0xC76C51A30654BE30ULL,
  95   0xD192E819D6EF5218ULL,0xD69906245565A910ULL,
  96   0xF40E35855771202AULL,0x106AA07032BBD1B8ULL,
  97   0x19A4C116B8D2D0C8ULL,0x1E376C085141AB53ULL,
  98   0x2748774CDF8EEB99ULL,0x34B0BCB5E19B48A8ULL,
  99   0x391C0CB3C5C95A63ULL,0x4ED8AA4AE3418ACBULL,
 100   0x5B9CCA4F7763E373ULL,0x682E6FF3D6B2B8A3ULL,
 101   0x748F82EE5DEFB2FCULL,0x78A5636F43172F60ULL,
 102   0x84C87814A1F0AB72ULL,0x8CC702081A6439ECULL,
 103   0x90BEFFFA23631E28ULL,0xA4506CEBDE82BDE9ULL,
 104   0xBEF9A3F7B2C67915ULL,0xC67178F2E372532BULL,
 105   0xCA273ECEEA26619CULL,0xD186B8C721C0C207ULL,
 106   0xEADA7DD6CDE0EB1EULL,0xF57D4F7FEE6ED178ULL,
 107   0x06F067AA72176FBAULL,0x0A637DC5A2C898A6ULL,
 108   0x113F9804BEF90DAEULL,0x1B710B35131C471BULL,
 109   0x28DB77F523047D84ULL,0x32CAAB7B40C72493ULL,
 110   0x3C9EBE0A15C9BEBCULL,0x431D67C49C100D4CULL,
 111   0x4CC5D4BECB3E42B6ULL,0x597F299CFC657E2AULL,
 112   0x5FCB6FAB3AD6FAECULL,0x6C44198C4A475817ULL,
 113 };
 114
 115 #define COMPRESS(ctx, data) (_nettle_sha512_compress((ctx)->state, (data), K))
 116
 117 void
 118 sha512_init(struct sha512_ctx *ctx)
 119 {
 120   /* Initial values, generated by the gp script
 121        {
 122          for (i = 1,8,
 123            root = prime(i)^(1/2);
 124            fraction = root - floor(root);
 125            print(floor(2^64 * fraction));
 126          );
 127        }
 128 . */
 129   static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
 130   {
 131     0x6A09E667F3BCC908ULL,0xBB67AE8584CAA73BULL,
 132     0x3C6EF372FE94F82BULL,0xA54FF53A5F1D36F1ULL,
 133     0x510E527FADE682D1ULL,0x9B05688C2B3E6C1FULL,
 134     0x1F83D9ABFB41BD6BULL,0x5BE0CD19137E2179ULL,
 135   };
 136
 137   memcpy(ctx->state, H0, sizeof(H0));
 138
 139   /* Initialize bit count */
 140   ctx->count_low = ctx->count_high = 0;
 141
 142   /* Initialize buffer */
 143   ctx->index = 0;
 144 }
 145
 146 void
 147 sha512_update(struct sha512_ctx *ctx,
 148               size_t length, const uint8_t *data)
 149 {
 150   MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx));
 151 }
 152
 153 static void
 154 sha512_write_digest(struct sha512_ctx *ctx,
 155                     size_t length,
 156                     uint8_t *digest)
 157 {
 158   uint64_t high, low;
 159
 160   unsigned i;
 161   unsigned words;
 162   unsigned leftover;
 163
 164   assert(length <= SHA512_DIGEST_SIZE);
 165
 166   MD_PAD(ctx, 16, COMPRESS);
 167
 168   /* There are 1024 = 2^10 bits in one block */
 169   high = (ctx->count_high << 10) | (ctx->count_low >> 54);
 170   low = (ctx->count_low << 10) | (ctx->index << 3);
 171
 172   /* This is slightly inefficient, as the numbers are converted to
 173      big-endian format, and will be converted back by the compression
 174      function. It's probably not worth the effort to fix this. */
 175   WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 16), high);
 176   WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 8), low);
 177   COMPRESS(ctx, ctx->block);
 178
 179   words = length / 8;
 180   leftover = length % 8;
 181
 182   for (i = 0; i < words; i++, digest += 8)
 183     WRITE_UINT64(digest, ctx->state[i]);
 184
 185   if (leftover)
 186     {
 187       /* Truncate to the right size */
 188       uint64_t word = ctx->state[i] >> (8*(8 - leftover));
 189
 190       do {
 191         digest[--leftover] = word & 0xff;
 192         word >>= 8;
 193       } while (leftover);
 194     }
 195 }
 196
 197 void
 198 sha512_digest(struct sha512_ctx *ctx,
 199               size_t length,
 200               uint8_t *digest)
 201 {
 202   assert(length <= SHA512_DIGEST_SIZE);
 203
 204   sha512_write_digest(ctx, length, digest);
 205   sha512_init(ctx);
 206 }
 207
 208 /* sha384 variant. */
 209 void
 210 sha384_init(struct sha512_ctx *ctx)
 211 {
 212   /* Initial values, generated by the gp script
 213        {
 214          for (i = 9,16,
 215            root = prime(i)^(1/2);
 216            fraction = root - floor(root);
 217            print(floor(2^64 * fraction));
 218          );
 219        }
 220 . */
 221   static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
 222   {
 223     0xCBBB9D5DC1059ED8ULL, 0x629A292A367CD507ULL,
 224     0x9159015A3070DD17ULL, 0x152FECD8F70E5939ULL,
 225     0x67332667FFC00B31ULL, 0x8EB44A8768581511ULL,
 226     0xDB0C2E0D64F98FA7ULL, 0x47B5481DBEFA4FA4ULL,
 227   };
 228
 229   memcpy(ctx->state, H0, sizeof(H0));
 230
 231   /* Initialize bit count */
 232   ctx->count_low = ctx->count_high = 0;
 233
 234   /* Initialize buffer */
 235   ctx->index = 0;
 236 }
 237
 238 void
 239 sha384_digest(struct sha512_ctx *ctx,
 240               size_t length,
 241               uint8_t *digest)
 242 {
 243   assert(length <= SHA384_DIGEST_SIZE);
 244
 245   sha512_write_digest(ctx, length, digest);
 246   sha384_init(ctx);
 247 }
 248
 249
 250 /* sha-512/224 variant. */
 251 void
 252 sha512_224_init(struct sha512_224_ctx *ctx)
 253 {
 254   static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
 255   {
 256     0x8c3d37c819544da2ULL, 0x73e1996689dcd4d6ULL,
 257     0x1dfab7ae32ff9c82ULL, 0x679dd514582f9fcfULL,
 258     0x0f6d2b697bd44da8ULL, 0x77e36f7304c48942ULL,
 259     0x3f9d85a86a1d36c8ULL, 0x1112e6ad91d692a1ULL,
 260   };
 261
 262   memcpy(ctx->state, H0, sizeof(H0));
 263
 264   /* Initialize bit count */
 265   ctx->count_low = ctx->count_high = 0;
 266
 267   /* Initialize buffer */
 268   ctx->index = 0;
 269 }
 270
 271 void
 272 sha512_224_digest(struct sha512_224_ctx *ctx,
 273               size_t length,
 274               uint8_t *digest)
 275 {
 276   assert(length <= SHA224_DIGEST_SIZE);
 277
 278   sha512_write_digest(ctx, length, digest);
 279   sha512_224_init(ctx);
 280 }
 281
 282
 283 /* sha-512/256 variant. */
 284 void
 285 sha512_256_init(struct sha512_256_ctx *ctx)
 286 {
 287   static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
 288     {
 289       0x22312194fc2bf72cULL, 0x9f555fa3c84c64c2ULL,
 290       0x2393b86b6f53b151ULL, 0x963877195940eabdULL,
 291       0x96283ee2a88effe3ULL, 0xbe5e1e2553863992ULL,
 292       0x2b0199fc2c85b8aaULL, 0x0eb72ddc81c52ca2ULL,
 293     };
 294
 295   memcpy(ctx->state, H0, sizeof(H0));
 296
 297   /* Initialize bit count */
 298   ctx->count_low = ctx->count_high = 0;
 299
 300   /* Initialize buffer */
 301   ctx->index = 0;
 302 }
 303
 304 void
 305 sha512_256_digest(struct sha512_256_ctx *ctx,
 306               size_t length,
 307               uint8_t *digest)
 308 {
 309   assert(length <= SHA256_DIGEST_SIZE);
 310
 311   sha512_write_digest(ctx, length, digest);
 312   sha512_256_init(ctx);
 313 }