Skip to content
Snippets Groups Projects
Select Git revision
  • ae15d22ab59c8d01b7934d49d7cd40c7f76ca86a
  • master default
  • chacha-poly1305-test
  • rsa-crt-hardening
  • chacha96
  • fat-library
  • versioned-symbols
  • curve25519
  • dsa-reorg
  • aead-api
  • set_key-changes
  • poly1305
  • aes-reorg
  • nettle-2.7-fixes
  • size_t-changes
  • ecc-support
  • experimental-20050201
  • lsh-1.4.2
  • nettle_3.1.1_release_20150424
  • nettle_3.1_release_20150407
  • nettle_3.1rc3
  • nettle_3.1rc2
  • nettle_3.1rc1
  • nettle_3.0_release_20140607
  • nettle_2.7.1_release_20130528
  • nettle_2.7_release_20130424
  • nettle_2.6_release_20130116
  • nettle_2.5_release_20120707
  • converted-master-branch-to-git
  • nettle_2.4_release_20110903
  • nettle_2.3_release_20110902
  • nettle_2.2_release_20110711
  • nettle_2.1_release_20100725
  • camellia_32bit_20100720
  • nettle_2.0_release_20090608
  • nettle_1.15_release_20061128
  • after_experimental_merge_20060516
  • head_before_experimental_merge_20060516
38 results

pgp.h

Blame
    • Forked from Nettle / nettle
    Source project has a limited visibility.
    sha512.c 7.27 KiB 
    /* sha512.c
 *
 * The sha512 hash function FIXME: Add the SHA384 variant.
 *
 * See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
 */

/* nettle, low-level cryptographics library
 *
 * Copyright (C) 2001, 2010 Niels Mller
 *  
 * The nettle library is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or (at your
 * option) any later version.
 *
 * The nettle library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
 * License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with the nettle library; see the file COPYING.LIB.  If not, write to
 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/* Modelled after the sha1.c code by Peter Gutmann. */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>
#include <stdlib.h>
#include <string.h>

#include "sha.h"

#include "macros.h"

/* Generated by the gp script

     {
       print("obase=16");
       for (i = 1,80,
         root = prime(i)^(1/3);
         fraction = root - floor(root);
         print(floor(2^64 * fraction));
       );
       quit();
     }

   piped through

     |grep -v '^[' | bc \
       |awk '{printf("0x%sULL,%s", $1, NR%3 == 0 ? "\n" : "");}'

   to convert it to hex.
*/

static const uint64_t
K[80] =
{
  0x428A2F98D728AE22ULL,0x7137449123EF65CDULL,
  0xB5C0FBCFEC4D3B2FULL,0xE9B5DBA58189DBBCULL,
  0x3956C25BF348B538ULL,0x59F111F1B605D019ULL,
  0x923F82A4AF194F9BULL,0xAB1C5ED5DA6D8118ULL,
  0xD807AA98A3030242ULL,0x12835B0145706FBEULL,
  0x243185BE4EE4B28CULL,0x550C7DC3D5FFB4E2ULL,
      0x72BE5D74F27B896FULL,0x80DEB1FE3B1696B1ULL,
  0x9BDC06A725C71235ULL,0xC19BF174CF692694ULL,
  0xE49B69C19EF14AD2ULL,0xEFBE4786384F25E3ULL,
  0xFC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL,
  0x2DE92C6F592B0275ULL,0x4A7484AA6EA6E483ULL,
  0x5CB0A9DCBD41FBD4ULL,0x76F988DA831153B5ULL,
  0x983E5152EE66DFABULL,0xA831C66D2DB43210ULL,
  0xB00327C898FB213FULL,0xBF597FC7BEEF0EE4ULL,
  0xC6E00BF33DA88FC2ULL,0xD5A79147930AA725ULL,
  0x6CA6351E003826FULL,0x142929670A0E6E70ULL,
  0x27B70A8546D22FFCULL,0x2E1B21385C26C926ULL,
  0x4D2C6DFC5AC42AEDULL,0x53380D139D95B3DFULL,
  0x650A73548BAF63DEULL,0x766A0ABB3C77B2A8ULL,
  0x81C2C92E47EDAEE6ULL,0x92722C851482353BULL,
  0xA2BFE8A14CF10364ULL,0xA81A664BBC423001ULL,
  0xC24B8B70D0F89791ULL,0xC76C51A30654BE30ULL,
  0xD192E819D6EF5218ULL,0xD69906245565A910ULL,
  0xF40E35855771202AULL,0x106AA07032BBD1B8ULL,
  0x19A4C116B8D2D0C8ULL,0x1E376C085141AB53ULL,
  0x2748774CDF8EEB99ULL,0x34B0BCB5E19B48A8ULL,
  0x391C0CB3C5C95A63ULL,0x4ED8AA4AE3418ACBULL,
  0x5B9CCA4F7763E373ULL,0x682E6FF3D6B2B8A3ULL,
  0x748F82EE5DEFB2FCULL,0x78A5636F43172F60ULL,
  0x84C87814A1F0AB72ULL,0x8CC702081A6439ECULL,
  0x90BEFFFA23631E28ULL,0xA4506CEBDE82BDE9ULL,
  0xBEF9A3F7B2C67915ULL,0xC67178F2E372532BULL,
  0xCA273ECEEA26619CULL,0xD186B8C721C0C207ULL,
  0xEADA7DD6CDE0EB1EULL,0xF57D4F7FEE6ED178ULL,
  0x6F067AA72176FBAULL,0xA637DC5A2C898A6ULL,
  0x113F9804BEF90DAEULL,0x1B710B35131C471BULL,
  0x28DB77F523047D84ULL,0x32CAAB7B40C72493ULL,
  0x3C9EBE0A15C9BEBCULL,0x431D67C49C100D4CULL,
  0x4CC5D4BECB3E42B6ULL,0x597F299CFC657E2AULL,
  0x5FCB6FAB3AD6FAECULL,0x6C44198C4A475817ULL,
};

void
sha512_init(struct sha512_ctx *ctx)
{
  /* Initial values, generated by the gp script
       {
         for (i = 1,8,
	   root = prime(i)^(1/2);
	   fraction = root - floor(root);
	   print(floor(2^64 * fraction));
	 );
       }
. */
  static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
  {
    0x6A09E667F3BCC908ULL,0xBB67AE8584CAA73BULL,
    0x3C6EF372FE94F82BULL,0xA54FF53A5F1D36F1ULL,
    0x510E527FADE682D1ULL,0x9B05688C2B3E6C1FULL,
    0x1F83D9ABFB41BD6BULL,0x5BE0CD19137E2179ULL,
  };

  memcpy(ctx->state, H0, sizeof(H0));

  /* Initialize bit count */
  ctx->count_low = ctx->count_high = 0;
  
  /* Initialize buffer */
  ctx->index = 0;
}

#define SHA512_INCR(ctx) ((ctx)->count_high += !++(ctx)->count_low)

void
sha512_update(struct sha512_ctx *ctx,
	      unsigned length, const uint8_t *buffer)
    {
  if (ctx->index)
    { /* Try to fill partial block */
      unsigned left = SHA512_DATA_SIZE - ctx->index;
      if (length < left)
	{
	  memcpy(ctx->block + ctx->index, buffer, length);
	  ctx->index += length;
	  return; /* Finished */
	}
      else
	{
	  memcpy(ctx->block + ctx->index, buffer, left);

	  _nettle_sha512_compress(ctx->state, ctx->block, K);
	  SHA512_INCR(ctx);

	  buffer += left;
	  length -= left;
	}
    }
  while (length >= SHA512_DATA_SIZE)
    {
      _nettle_sha512_compress(ctx->state, buffer, K);
      SHA512_INCR(ctx);

      buffer += SHA512_DATA_SIZE;
      length -= SHA512_DATA_SIZE;
    }

  /* Buffer leftovers */
  memcpy(ctx->block, buffer, length);
  ctx->index = length;
}

/* Final wrapup - pad to SHA1_DATA_SIZE-byte boundary with the bit pattern
   1 0* (64-bit count of bits processed, MSB-first) */

static void
sha512_final(struct sha512_ctx *ctx)
{
  uint64_t bitcount_high;
  uint64_t bitcount_low;
  int i;

  i = ctx->index;
  
  /* Set the first char of padding to 0x80.  This is safe since there is
     always at least one byte free */

  assert(i < SHA512_DATA_SIZE);
  ctx->block[i++] = 0x80;

  if (i > (SHA512_DATA_SIZE-16))
    { /* No room for length in this block. Process it and
       * pad with another one */
      memset(ctx->block + i, 0, SHA512_DATA_SIZE - i);
      _nettle_sha512_compress(ctx->state, ctx->block, K);

      i = 0;
    }

  if (i < (SHA512_DATA_SIZE - 16))
    memset(ctx->block + i, 0, (SHA512_DATA_SIZE - 16) - i);

  /* There are 1024 = 2^10 bits in one block */
  bitcount_high = (ctx->count_high << 10) | (ctx->count_low >> 54);
  bitcount_low = (ctx->count_low << 10) | (ctx->index << 3);

  /* This is slightly inefficient, as the numbers are converted to
         big-endian format, and will be converted back by the compression
     function. It's probably not worth the effort to fix this. */
  WRITE_UINT64(ctx->block + (SHA512_DATA_SIZE - 16), bitcount_high);
  WRITE_UINT64(ctx->block + (SHA512_DATA_SIZE - 8), bitcount_low);

  _nettle_sha512_compress(ctx->state, ctx->block, K);
}

void
sha512_digest(struct sha512_ctx *ctx,
	      unsigned length,
	      uint8_t *digest)
{
  unsigned i;
  unsigned words;
  unsigned leftover;
  
  assert(length <= SHA512_DIGEST_SIZE);

  sha512_final(ctx);
  
  words = length / 8;
  leftover = length % 8;

  for (i = 0; i < words; i++, digest += 8)
    WRITE_UINT64(digest, ctx->state[i]);

  if (leftover)
    {
      uint64_t word;
      unsigned j = leftover;
      
      assert(i < _SHA512_DIGEST_LENGTH);
      
      word = ctx->state[i];
      
      switch (leftover)
	{
	default:
	  abort();
	case 7:
	  digest[--j] = (word >> 8) & 0xff;
	  /* Fall through */
	case 6:
	  digest[--j] = (word >> 16) & 0xff;
	  /* Fall through */
	case 5:
	  digest[--j] = (word >> 24) & 0xff;
	  /* Fall through */
	case 4:
	  digest[--j] = (word >> 32) & 0xff;
	case 3:
	  digest[--j] = (word >> 40) & 0xff;
	  /* Fall through */
	case 2:
	  digest[--j] = (word >> 48) & 0xff;
	  /* Fall through */
	case 1:
	  digest[--j] = (word >> 56) & 0xff;
	}
    }
  sha512_init(ctx);
}