1 /* sha512.c - Functions to compute SHA512 and SHA384 message digest of files or
2 memory blocks according to the NIST specification FIPS-180-2.
3
4 Copyright (C) 2005-2006, 2008-2023 Free Software Foundation, Inc.
5
6 This file is free software: you can redistribute it and/or modify
7 it under the terms of the GNU Lesser General Public License as
8 published by the Free Software Foundation; either version 2.1 of the
9 License, or (at your option) any later version.
10
11 This file is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with this program. If not, see <https://www.gnu.org/licenses/>. */
18
19 /* Written by David Madore, considerably copypasting from
20 Scott G. Miller's sha1.c
21 */
22
23 #include <config.h>
24
25 /* Specification. */
26 #if HAVE_OPENSSL_SHA512
27 # define GL_OPENSSL_INLINE _GL_EXTERN_INLINE
28 #endif
29 #include "sha512.h"
30
31 #include <stdint.h>
32 #include <string.h>
33
34 #include <byteswap.h>
35 #ifdef WORDS_BIGENDIAN
36 # define SWAP(n) (n)
37 #else
38 # define SWAP(n) bswap_64 (n)
39 #endif
40
41 #if ! HAVE_OPENSSL_SHA512
42
43 /* This array contains the bytes used to pad the buffer to the next
44 128-byte boundary. */
45 static const unsigned char fillbuf[128] = { 0x80, 0 /* , 0, 0, ... */ };
46
47
48 /*
49 Takes a pointer to a 512 bit block of data (eight 64 bit ints) and
50 initializes it to the start constants of the SHA512 algorithm. This
51 must be called before using hash in the call to sha512_hash
52 */
53 void
54 sha512_init_ctx (struct sha512_ctx *ctx)
55 {
56 ctx->state[0] = u64hilo (0x6a09e667, 0xf3bcc908);
57 ctx->state[1] = u64hilo (0xbb67ae85, 0x84caa73b);
58 ctx->state[2] = u64hilo (0x3c6ef372, 0xfe94f82b);
59 ctx->state[3] = u64hilo (0xa54ff53a, 0x5f1d36f1);
60 ctx->state[4] = u64hilo (0x510e527f, 0xade682d1);
61 ctx->state[5] = u64hilo (0x9b05688c, 0x2b3e6c1f);
62 ctx->state[6] = u64hilo (0x1f83d9ab, 0xfb41bd6b);
63 ctx->state[7] = u64hilo (0x5be0cd19, 0x137e2179);
64
65 ctx->total[0] = ctx->total[1] = u64lo (0);
66 ctx->buflen = 0;
67 }
68
69 void
70 sha384_init_ctx (struct sha512_ctx *ctx)
71 {
72 ctx->state[0] = u64hilo (0xcbbb9d5d, 0xc1059ed8);
73 ctx->state[1] = u64hilo (0x629a292a, 0x367cd507);
74 ctx->state[2] = u64hilo (0x9159015a, 0x3070dd17);
75 ctx->state[3] = u64hilo (0x152fecd8, 0xf70e5939);
76 ctx->state[4] = u64hilo (0x67332667, 0xffc00b31);
77 ctx->state[5] = u64hilo (0x8eb44a87, 0x68581511);
78 ctx->state[6] = u64hilo (0xdb0c2e0d, 0x64f98fa7);
79 ctx->state[7] = u64hilo (0x47b5481d, 0xbefa4fa4);
80
81 ctx->total[0] = ctx->total[1] = u64lo (0);
82 ctx->buflen = 0;
83 }
84
85 /* Copy the value from V into the memory location pointed to by *CP,
86 If your architecture allows unaligned access, this is equivalent to
87 * (__typeof__ (v) *) cp = v */
88 static void
89 set_uint64 (char *cp, u64 v)
90 {
91 memcpy (cp, &v, sizeof v);
92 }
93
94 /* Put result from CTX in first 64 bytes following RESBUF.
95 The result must be in little endian byte order. */
96 void *
97 sha512_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
98 {
99 int i;
100 char *r = resbuf;
101
102 for (i = 0; i < 8; i++)
103 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
104
105 return resbuf;
106 }
107
108 void *
109 sha384_read_ctx (const struct sha512_ctx *ctx, void *resbuf)
110 {
111 int i;
112 char *r = resbuf;
113
114 for (i = 0; i < 6; i++)
115 set_uint64 (r + i * sizeof ctx->state[0], SWAP (ctx->state[i]));
116
117 return resbuf;
118 }
119
120 /* Process the remaining bytes in the internal buffer and the usual
121 prolog according to the standard and write the result to RESBUF. */
122 static void
123 sha512_conclude_ctx (struct sha512_ctx *ctx)
124 {
125 /* Take yet unprocessed bytes into account. */
126 size_t bytes = ctx->buflen;
127 size_t size = (bytes < 112) ? 128 / 8 : 128 * 2 / 8;
128
129 /* Now count remaining bytes. */
130 ctx->total[0] = u64plus (ctx->total[0], u64lo (bytes));
131 if (u64lt (ctx->total[0], u64lo (bytes)))
132 ctx->total[1] = u64plus (ctx->total[1], u64lo (1));
133
134 /* Put the 128-bit file length in *bits* at the end of the buffer.
135 Use set_uint64 rather than a simple assignment, to avoid risk of
136 unaligned access. */
137 set_uint64 ((char *) &ctx->buffer[size - 2],
138 SWAP (u64or (u64shl (ctx->total[1], 3),
139 u64shr (ctx->total[0], 61))));
140 set_uint64 ((char *) &ctx->buffer[size - 1],
141 SWAP (u64shl (ctx->total[0], 3)));
142
143 memcpy (&((char *) ctx->buffer)[bytes], fillbuf, (size - 2) * 8 - bytes);
144
145 /* Process last bytes. */
146 sha512_process_block (ctx->buffer, size * 8, ctx);
147 }
148
149 void *
150 sha512_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
151 {
152 sha512_conclude_ctx (ctx);
153 return sha512_read_ctx (ctx, resbuf);
154 }
155
156 void *
157 sha384_finish_ctx (struct sha512_ctx *ctx, void *resbuf)
158 {
159 sha512_conclude_ctx (ctx);
160 return sha384_read_ctx (ctx, resbuf);
161 }
162
163 /* Compute SHA512 message digest for LEN bytes beginning at BUFFER. The
164 result is always in little endian byte order, so that a byte-wise
165 output yields to the wanted ASCII representation of the message
166 digest. */
167 void *
168 sha512_buffer (const char *buffer, size_t len, void *resblock)
169 {
170 struct sha512_ctx ctx;
171
172 /* Initialize the computation context. */
173 sha512_init_ctx (&ctx);
174
175 /* Process whole buffer but last len % 128 bytes. */
176 sha512_process_bytes (buffer, len, &ctx);
177
178 /* Put result in desired memory area. */
179 return sha512_finish_ctx (&ctx, resblock);
180 }
181
182 void *
183 sha384_buffer (const char *buffer, size_t len, void *resblock)
184 {
185 struct sha512_ctx ctx;
186
187 /* Initialize the computation context. */
188 sha384_init_ctx (&ctx);
189
190 /* Process whole buffer but last len % 128 bytes. */
191 sha512_process_bytes (buffer, len, &ctx);
192
193 /* Put result in desired memory area. */
194 return sha384_finish_ctx (&ctx, resblock);
195 }
196
197 void
198 sha512_process_bytes (const void *buffer, size_t len, struct sha512_ctx *ctx)
199 {
200 /* When we already have some bits in our internal buffer concatenate
201 both inputs first. */
202 if (ctx->buflen != 0)
203 {
204 size_t left_over = ctx->buflen;
205 size_t add = 256 - left_over > len ? len : 256 - left_over;
206
207 memcpy (&((char *) ctx->buffer)[left_over], buffer, add);
208 ctx->buflen += add;
209
210 if (ctx->buflen > 128)
211 {
212 sha512_process_block (ctx->buffer, ctx->buflen & ~127, ctx);
213
214 ctx->buflen &= 127;
215 /* The regions in the following copy operation cannot overlap,
216 because ctx->buflen < 128 ≤ (left_over + add) & ~127. */
217 memcpy (ctx->buffer,
218 &((char *) ctx->buffer)[(left_over + add) & ~127],
219 ctx->buflen);
220 }
221
222 buffer = (const char *) buffer + add;
223 len -= add;
224 }
225
226 /* Process available complete blocks. */
227 if (len >= 128)
228 {
229 #if !(_STRING_ARCH_unaligned || _STRING_INLINE_unaligned)
230 # define UNALIGNED_P(p) ((uintptr_t) (p) % alignof (u64) != 0)
231 if (UNALIGNED_P (buffer))
232 while (len > 128)
233 {
234 sha512_process_block (memcpy (ctx->buffer, buffer, 128), 128, ctx);
235 buffer = (const char *) buffer + 128;
236 len -= 128;
237 }
238 else
239 #endif
240 {
241 sha512_process_block (buffer, len & ~127, ctx);
242 buffer = (const char *) buffer + (len & ~127);
243 len &= 127;
244 }
245 }
246
247 /* Move remaining bytes in internal buffer. */
248 if (len > 0)
249 {
250 size_t left_over = ctx->buflen;
251
252 memcpy (&((char *) ctx->buffer)[left_over], buffer, len);
253 left_over += len;
254 if (left_over >= 128)
255 {
256 sha512_process_block (ctx->buffer, 128, ctx);
257 left_over -= 128;
258 /* The regions in the following copy operation cannot overlap,
259 because left_over ≤ 128. */
260 memcpy (ctx->buffer, &ctx->buffer[16], left_over);
261 }
262 ctx->buflen = left_over;
263 }
264 }
265
266 /* --- Code below is the primary difference between sha1.c and sha512.c --- */
267
268 /* SHA512 round constants */
269 #define K(I) sha512_round_constants[I]
270 static u64 const sha512_round_constants[80] = {
271 u64init (0x428a2f98, 0xd728ae22), u64init (0x71374491, 0x23ef65cd),
272 u64init (0xb5c0fbcf, 0xec4d3b2f), u64init (0xe9b5dba5, 0x8189dbbc),
273 u64init (0x3956c25b, 0xf348b538), u64init (0x59f111f1, 0xb605d019),
274 u64init (0x923f82a4, 0xaf194f9b), u64init (0xab1c5ed5, 0xda6d8118),
275 u64init (0xd807aa98, 0xa3030242), u64init (0x12835b01, 0x45706fbe),
276 u64init (0x243185be, 0x4ee4b28c), u64init (0x550c7dc3, 0xd5ffb4e2),
277 u64init (0x72be5d74, 0xf27b896f), u64init (0x80deb1fe, 0x3b1696b1),
278 u64init (0x9bdc06a7, 0x25c71235), u64init (0xc19bf174, 0xcf692694),
279 u64init (0xe49b69c1, 0x9ef14ad2), u64init (0xefbe4786, 0x384f25e3),
280 u64init (0x0fc19dc6, 0x8b8cd5b5), u64init (0x240ca1cc, 0x77ac9c65),
281 u64init (0x2de92c6f, 0x592b0275), u64init (0x4a7484aa, 0x6ea6e483),
282 u64init (0x5cb0a9dc, 0xbd41fbd4), u64init (0x76f988da, 0x831153b5),
283 u64init (0x983e5152, 0xee66dfab), u64init (0xa831c66d, 0x2db43210),
284 u64init (0xb00327c8, 0x98fb213f), u64init (0xbf597fc7, 0xbeef0ee4),
285 u64init (0xc6e00bf3, 0x3da88fc2), u64init (0xd5a79147, 0x930aa725),
286 u64init (0x06ca6351, 0xe003826f), u64init (0x14292967, 0x0a0e6e70),
287 u64init (0x27b70a85, 0x46d22ffc), u64init (0x2e1b2138, 0x5c26c926),
288 u64init (0x4d2c6dfc, 0x5ac42aed), u64init (0x53380d13, 0x9d95b3df),
289 u64init (0x650a7354, 0x8baf63de), u64init (0x766a0abb, 0x3c77b2a8),
290 u64init (0x81c2c92e, 0x47edaee6), u64init (0x92722c85, 0x1482353b),
291 u64init (0xa2bfe8a1, 0x4cf10364), u64init (0xa81a664b, 0xbc423001),
292 u64init (0xc24b8b70, 0xd0f89791), u64init (0xc76c51a3, 0x0654be30),
293 u64init (0xd192e819, 0xd6ef5218), u64init (0xd6990624, 0x5565a910),
294 u64init (0xf40e3585, 0x5771202a), u64init (0x106aa070, 0x32bbd1b8),
295 u64init (0x19a4c116, 0xb8d2d0c8), u64init (0x1e376c08, 0x5141ab53),
296 u64init (0x2748774c, 0xdf8eeb99), u64init (0x34b0bcb5, 0xe19b48a8),
297 u64init (0x391c0cb3, 0xc5c95a63), u64init (0x4ed8aa4a, 0xe3418acb),
298 u64init (0x5b9cca4f, 0x7763e373), u64init (0x682e6ff3, 0xd6b2b8a3),
299 u64init (0x748f82ee, 0x5defb2fc), u64init (0x78a5636f, 0x43172f60),
300 u64init (0x84c87814, 0xa1f0ab72), u64init (0x8cc70208, 0x1a6439ec),
301 u64init (0x90befffa, 0x23631e28), u64init (0xa4506ceb, 0xde82bde9),
302 u64init (0xbef9a3f7, 0xb2c67915), u64init (0xc67178f2, 0xe372532b),
303 u64init (0xca273ece, 0xea26619c), u64init (0xd186b8c7, 0x21c0c207),
304 u64init (0xeada7dd6, 0xcde0eb1e), u64init (0xf57d4f7f, 0xee6ed178),
305 u64init (0x06f067aa, 0x72176fba), u64init (0x0a637dc5, 0xa2c898a6),
306 u64init (0x113f9804, 0xbef90dae), u64init (0x1b710b35, 0x131c471b),
307 u64init (0x28db77f5, 0x23047d84), u64init (0x32caab7b, 0x40c72493),
308 u64init (0x3c9ebe0a, 0x15c9bebc), u64init (0x431d67c4, 0x9c100d4c),
309 u64init (0x4cc5d4be, 0xcb3e42b6), u64init (0x597f299c, 0xfc657e2a),
310 u64init (0x5fcb6fab, 0x3ad6faec), u64init (0x6c44198c, 0x4a475817),
311 };
312
313 /* Round functions. */
314 #define F2(A, B, C) u64or (u64and (A, B), u64and (C, u64or (A, B)))
315 #define F1(E, F, G) u64xor (G, u64and (E, u64xor (F, G)))
316
317 /* Process LEN bytes of BUFFER, accumulating context into CTX.
318 It is assumed that LEN % 128 == 0.
319 Most of this code comes from GnuPG's cipher/sha1.c. */
320
321 void
322 sha512_process_block (const void *buffer, size_t len, struct sha512_ctx *ctx)
323 {
324 u64 const *words = buffer;
325 u64 const *endp = words + len / sizeof (u64);
326 u64 x[16];
327 u64 a = ctx->state[0];
328 u64 b = ctx->state[1];
329 u64 c = ctx->state[2];
330 u64 d = ctx->state[3];
331 u64 e = ctx->state[4];
332 u64 f = ctx->state[5];
333 u64 g = ctx->state[6];
334 u64 h = ctx->state[7];
335 u64 lolen = u64size (len);
336
337 /* First increment the byte count. FIPS PUB 180-2 specifies the possible
338 length of the file up to 2^128 bits. Here we only compute the
339 number of bytes. Do a double word increment. */
340 ctx->total[0] = u64plus (ctx->total[0], lolen);
341 ctx->total[1] = u64plus (ctx->total[1],
342 u64plus (u64size (len >> 31 >> 31 >> 2),
343 u64lo (u64lt (ctx->total[0], lolen))));
344
345 #define S0(x) u64xor (u64rol(x, 63), u64xor (u64rol (x, 56), u64shr (x, 7)))
346 #define S1(x) u64xor (u64rol (x, 45), u64xor (u64rol (x, 3), u64shr (x, 6)))
347 #define SS0(x) u64xor (u64rol (x, 36), u64xor (u64rol (x, 30), u64rol (x, 25)))
348 #define SS1(x) u64xor (u64rol(x, 50), u64xor (u64rol (x, 46), u64rol (x, 23)))
349
350 #define M(I) (x[(I) & 15] \
351 = u64plus (x[(I) & 15], \
352 u64plus (S1 (x[((I) - 2) & 15]), \
353 u64plus (x[((I) - 7) & 15], \
354 S0 (x[((I) - 15) & 15])))))
355
356 #define R(A, B, C, D, E, F, G, H, K, M) \
357 do \
358 { \
359 u64 t0 = u64plus (SS0 (A), F2 (A, B, C)); \
360 u64 t1 = \
361 u64plus (H, u64plus (SS1 (E), \
362 u64plus (F1 (E, F, G), u64plus (K, M)))); \
363 D = u64plus (D, t1); \
364 H = u64plus (t0, t1); \
365 } \
366 while (0)
367
368 while (words < endp)
369 {
370 int t;
371 /* FIXME: see sha1.c for a better implementation. */
372 for (t = 0; t < 16; t++)
373 {
374 x[t] = SWAP (*words);
375 words++;
376 }
377
378 R( a, b, c, d, e, f, g, h, K( 0), x[ 0] );
379 R( h, a, b, c, d, e, f, g, K( 1), x[ 1] );
380 R( g, h, a, b, c, d, e, f, K( 2), x[ 2] );
381 R( f, g, h, a, b, c, d, e, K( 3), x[ 3] );
382 R( e, f, g, h, a, b, c, d, K( 4), x[ 4] );
383 R( d, e, f, g, h, a, b, c, K( 5), x[ 5] );
384 R( c, d, e, f, g, h, a, b, K( 6), x[ 6] );
385 R( b, c, d, e, f, g, h, a, K( 7), x[ 7] );
386 R( a, b, c, d, e, f, g, h, K( 8), x[ 8] );
387 R( h, a, b, c, d, e, f, g, K( 9), x[ 9] );
388 R( g, h, a, b, c, d, e, f, K(10), x[10] );
389 R( f, g, h, a, b, c, d, e, K(11), x[11] );
390 R( e, f, g, h, a, b, c, d, K(12), x[12] );
391 R( d, e, f, g, h, a, b, c, K(13), x[13] );
392 R( c, d, e, f, g, h, a, b, K(14), x[14] );
393 R( b, c, d, e, f, g, h, a, K(15), x[15] );
394 R( a, b, c, d, e, f, g, h, K(16), M(16) );
395 R( h, a, b, c, d, e, f, g, K(17), M(17) );
396 R( g, h, a, b, c, d, e, f, K(18), M(18) );
397 R( f, g, h, a, b, c, d, e, K(19), M(19) );
398 R( e, f, g, h, a, b, c, d, K(20), M(20) );
399 R( d, e, f, g, h, a, b, c, K(21), M(21) );
400 R( c, d, e, f, g, h, a, b, K(22), M(22) );
401 R( b, c, d, e, f, g, h, a, K(23), M(23) );
402 R( a, b, c, d, e, f, g, h, K(24), M(24) );
403 R( h, a, b, c, d, e, f, g, K(25), M(25) );
404 R( g, h, a, b, c, d, e, f, K(26), M(26) );
405 R( f, g, h, a, b, c, d, e, K(27), M(27) );
406 R( e, f, g, h, a, b, c, d, K(28), M(28) );
407 R( d, e, f, g, h, a, b, c, K(29), M(29) );
408 R( c, d, e, f, g, h, a, b, K(30), M(30) );
409 R( b, c, d, e, f, g, h, a, K(31), M(31) );
410 R( a, b, c, d, e, f, g, h, K(32), M(32) );
411 R( h, a, b, c, d, e, f, g, K(33), M(33) );
412 R( g, h, a, b, c, d, e, f, K(34), M(34) );
413 R( f, g, h, a, b, c, d, e, K(35), M(35) );
414 R( e, f, g, h, a, b, c, d, K(36), M(36) );
415 R( d, e, f, g, h, a, b, c, K(37), M(37) );
416 R( c, d, e, f, g, h, a, b, K(38), M(38) );
417 R( b, c, d, e, f, g, h, a, K(39), M(39) );
418 R( a, b, c, d, e, f, g, h, K(40), M(40) );
419 R( h, a, b, c, d, e, f, g, K(41), M(41) );
420 R( g, h, a, b, c, d, e, f, K(42), M(42) );
421 R( f, g, h, a, b, c, d, e, K(43), M(43) );
422 R( e, f, g, h, a, b, c, d, K(44), M(44) );
423 R( d, e, f, g, h, a, b, c, K(45), M(45) );
424 R( c, d, e, f, g, h, a, b, K(46), M(46) );
425 R( b, c, d, e, f, g, h, a, K(47), M(47) );
426 R( a, b, c, d, e, f, g, h, K(48), M(48) );
427 R( h, a, b, c, d, e, f, g, K(49), M(49) );
428 R( g, h, a, b, c, d, e, f, K(50), M(50) );
429 R( f, g, h, a, b, c, d, e, K(51), M(51) );
430 R( e, f, g, h, a, b, c, d, K(52), M(52) );
431 R( d, e, f, g, h, a, b, c, K(53), M(53) );
432 R( c, d, e, f, g, h, a, b, K(54), M(54) );
433 R( b, c, d, e, f, g, h, a, K(55), M(55) );
434 R( a, b, c, d, e, f, g, h, K(56), M(56) );
435 R( h, a, b, c, d, e, f, g, K(57), M(57) );
436 R( g, h, a, b, c, d, e, f, K(58), M(58) );
437 R( f, g, h, a, b, c, d, e, K(59), M(59) );
438 R( e, f, g, h, a, b, c, d, K(60), M(60) );
439 R( d, e, f, g, h, a, b, c, K(61), M(61) );
440 R( c, d, e, f, g, h, a, b, K(62), M(62) );
441 R( b, c, d, e, f, g, h, a, K(63), M(63) );
442 R( a, b, c, d, e, f, g, h, K(64), M(64) );
443 R( h, a, b, c, d, e, f, g, K(65), M(65) );
444 R( g, h, a, b, c, d, e, f, K(66), M(66) );
445 R( f, g, h, a, b, c, d, e, K(67), M(67) );
446 R( e, f, g, h, a, b, c, d, K(68), M(68) );
447 R( d, e, f, g, h, a, b, c, K(69), M(69) );
448 R( c, d, e, f, g, h, a, b, K(70), M(70) );
449 R( b, c, d, e, f, g, h, a, K(71), M(71) );
450 R( a, b, c, d, e, f, g, h, K(72), M(72) );
451 R( h, a, b, c, d, e, f, g, K(73), M(73) );
452 R( g, h, a, b, c, d, e, f, K(74), M(74) );
453 R( f, g, h, a, b, c, d, e, K(75), M(75) );
454 R( e, f, g, h, a, b, c, d, K(76), M(76) );
455 R( d, e, f, g, h, a, b, c, K(77), M(77) );
456 R( c, d, e, f, g, h, a, b, K(78), M(78) );
457 R( b, c, d, e, f, g, h, a, K(79), M(79) );
458
459 a = ctx->state[0] = u64plus (ctx->state[0], a);
460 b = ctx->state[1] = u64plus (ctx->state[1], b);
461 c = ctx->state[2] = u64plus (ctx->state[2], c);
462 d = ctx->state[3] = u64plus (ctx->state[3], d);
463 e = ctx->state[4] = u64plus (ctx->state[4], e);
464 f = ctx->state[5] = u64plus (ctx->state[5], f);
465 g = ctx->state[6] = u64plus (ctx->state[6], g);
466 h = ctx->state[7] = u64plus (ctx->state[7], h);
467 }
468 }
469
470 #endif
471
472 /*
473 * Hey Emacs!
474 * Local Variables:
475 * coding: utf-8
476 * End:
477 */