1/************************* sha384-512.c ************************/
2/***************** See RFC 6234 for details. *******************/
3/* Copyright (c) 2011 IETF Trust and the persons identified as */
4/* authors of the code. All rights reserved. */
5/* See sha.h for terms of use and redistribution. */
6
7/*
8 * Description:
9 * This file implements the Secure Hash Algorithms SHA-384 and
10 * SHA-512 as defined in the U.S. National Institute of Standards
11 * and Technology Federal Information Processing Standards
12 * Publication (FIPS PUB) 180-3 published in October 2008
13 * and formerly defined in its predecessors, FIPS PUB 180-1
14 * and FIP PUB 180-2.
15 *
16 * A combined document showing all algorithms is available at
17 * http://csrc.nist.gov/publications/fips/
18 * fips180-3/fips180-3_final.pdf
19 *
20 * The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit
21 * message digests for a given data stream. It should take about
22 * 2**n steps to find a message with the same digest as a given
23 * message and 2**(n/2) to find any two messages with the same
24 * digest, when n is the digest size in bits. Therefore, this
25 * algorithm can serve as a means of providing a
26 * "fingerprint" for a message.
27 *
28 * Portability Issues:
29 * SHA-384 and SHA-512 are defined in terms of 64-bit "words",
30 * but if USE_32BIT_ONLY is #defined, this code is implemented in
31 * terms of 32-bit "words". This code uses <stdint.h> (included
32 * via "sha.h") to define the 64-, 32- and 8-bit unsigned integer
33 * types. If your C compiler does not support 64-bit unsigned
34 * integers and you do not #define USE_32BIT_ONLY, this code is
35 * not appropriate.
36 *
37 * Caveats:
38 * SHA-384 and SHA-512 are designed to work with messages less
39 * than 2^128 bits long. This implementation uses SHA384/512Input()
40 * to hash the bits that are a multiple of the size of an 8-bit
41 * octet, and then optionally uses SHA384/256FinalBits()
42 * to hash the final few bits of the input.
43 *
44 */
45
46#include "sha.h"
47
48#ifdef USE_32BIT_ONLY
49/*
50 * Define 64-bit arithmetic in terms of 32-bit arithmetic.
51 * Each 64-bit number is represented in a 2-word array.
52 * All macros are defined such that the result is the last parameter.
53 */
54
55/*
56 * Define shift, rotate left, and rotate right functions
57 */
58#define SHA512_SHR(bits, word, ret) ( \
59 /* (((uint64_t)((word))) >> (bits)) */ \
60 (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \
61 ((word)[0] >> (bits)) : 0, \
62 (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \
63 ((bits) == 32) ? (word)[0] : \
64 ((bits) >= 0) ? \
65 (((word)[0] << (32 - (bits))) | \
66 ((word)[1] >> (bits))) : 0 )
67
68#define SHA512_SHL(bits, word, ret) ( \
69 /* (((uint64_t)(word)) << (bits)) */ \
70 (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \
71 ((bits) == 32) ? (word)[1] : \
72 ((bits) >= 0) ? \
73 (((word)[0] << (bits)) | \
74 ((word)[1] >> (32 - (bits)))) : \
75 0, \
76 (ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \
77 ((word)[1] << (bits)) : 0 )
78
79/*
80 * Define 64-bit OR
81 */
82#define SHA512_OR(word1, word2, ret) ( \
83 (ret)[0] = (word1)[0] | (word2)[0], \
84 (ret)[1] = (word1)[1] | (word2)[1] )
85
86/*
87 * Define 64-bit XOR
88 */
89#define SHA512_XOR(word1, word2, ret) ( \
90 (ret)[0] = (word1)[0] ^ (word2)[0], \
91 (ret)[1] = (word1)[1] ^ (word2)[1] )
92
93/*
94 * Define 64-bit AND
95 */
96#define SHA512_AND(word1, word2, ret) ( \
97 (ret)[0] = (word1)[0] & (word2)[0], \
98 (ret)[1] = (word1)[1] & (word2)[1] )
99
100/*
101 * Define 64-bit TILDA
102 */
103#define SHA512_TILDA(word, ret) \
104 ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] )
105
106/*
107 * Define 64-bit ADD
108 */
109#define SHA512_ADD(word1, word2, ret) ( \
110 (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \
111 (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) )
112
113/*
114 * Add the 4word value in word2 to word1.
115 */
116static uint32_t ADDTO4_temp, ADDTO4_temp2;
117#define SHA512_ADDTO4(word1, word2) ( \
118 ADDTO4_temp = (word1)[3], \
119 (word1)[3] += (word2)[3], \
120 ADDTO4_temp2 = (word1)[2], \
121 (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \
122 ADDTO4_temp = (word1)[1], \
123 (word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \
124 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp) )
125
126/*
127 * Add the 2word value in word2 to word1.
128 */
129static uint32_t ADDTO2_temp;
130#define SHA512_ADDTO2(word1, word2) ( \
131 ADDTO2_temp = (word1)[1], \
132 (word1)[1] += (word2)[1], \
133 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) )
134
135/*
136 * SHA rotate ((word >> bits) | (word << (64-bits)))
137 */
138static uint32_t ROTR_temp1[2], ROTR_temp2[2];
139#define SHA512_ROTR(bits, word, ret) ( \
140 SHA512_SHR((bits), (word), ROTR_temp1), \
141 SHA512_SHL(64-(bits), (word), ROTR_temp2), \
142 SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) )
143
144/*
145 * Define the SHA SIGMA and sigma macros
146 *
147 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
148 */
149static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2],
150 SIGMA0_temp3[2], SIGMA0_temp4[2];
151#define SHA512_SIGMA0(word, ret) ( \
152 SHA512_ROTR(28, (word), SIGMA0_temp1), \
153 SHA512_ROTR(34, (word), SIGMA0_temp2), \
154 SHA512_ROTR(39, (word), SIGMA0_temp3), \
155 SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \
156 SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) )
157
158/*
159 * SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)
160 */
161static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2],
162 SIGMA1_temp3[2], SIGMA1_temp4[2];
163#define SHA512_SIGMA1(word, ret) ( \
164 SHA512_ROTR(14, (word), SIGMA1_temp1), \
165 SHA512_ROTR(18, (word), SIGMA1_temp2), \
166 SHA512_ROTR(41, (word), SIGMA1_temp3), \
167 SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \
168 SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) )
169
170/*
171 * (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
172 */
173static uint32_t sigma0_temp1[2], sigma0_temp2[2],
174 sigma0_temp3[2], sigma0_temp4[2];
175#define SHA512_sigma0(word, ret) ( \
176 SHA512_ROTR( 1, (word), sigma0_temp1), \
177 SHA512_ROTR( 8, (word), sigma0_temp2), \
178 SHA512_SHR( 7, (word), sigma0_temp3), \
179 SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \
180 SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) )
181
182/*
183 * (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
184 */
185static uint32_t sigma1_temp1[2], sigma1_temp2[2],
186 sigma1_temp3[2], sigma1_temp4[2];
187#define SHA512_sigma1(word, ret) ( \
188 SHA512_ROTR(19, (word), sigma1_temp1), \
189 SHA512_ROTR(61, (word), sigma1_temp2), \
190 SHA512_SHR( 6, (word), sigma1_temp3), \
191 SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \
192 SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) )
193
194#ifndef USE_MODIFIED_MACROS
195/*
196 * These definitions are the ones used in FIPS 180-3, section 4.1.3
197 * Ch(x,y,z) ((x & y) ^ (~x & z))
198 */
199static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2];
200#define SHA_Ch(x, y, z, ret) ( \
201 SHA512_AND(x, y, Ch_temp1), \
202 SHA512_TILDA(x, Ch_temp2), \
203 SHA512_AND(Ch_temp2, z, Ch_temp3), \
204 SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) )
205
206/*
207 * Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z)))
208 */
209static uint32_t Maj_temp1[2], Maj_temp2[2],
210 Maj_temp3[2], Maj_temp4[2];
211#define SHA_Maj(x, y, z, ret) ( \
212 SHA512_AND(x, y, Maj_temp1), \
213 SHA512_AND(x, z, Maj_temp2), \
214 SHA512_AND(y, z, Maj_temp3), \
215 SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \
216 SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) )
217#else /* !USE_MODIFIED_MACROS */
218/*
219 * These definitions are potentially faster equivalents for the ones
220 * used in FIPS 180-3, section 4.1.3.
221 * ((x & y) ^ (~x & z)) becomes
222 * ((x & (y ^ z)) ^ z)
223 */
224#define SHA_Ch(x, y, z, ret) ( \
225 (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \
226 (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) )
227
228/*
229 * ((x & y) ^ (x & z) ^ (y & z)) becomes
230 * ((x & (y | z)) | (y & z))
231 */
232#define SHA_Maj(x, y, z, ret) ( \
233 ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \
234 ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) )
235#endif /* USE_MODIFIED_MACROS */
236
237/*
238 * Add "length" to the length.
239 * Set Corrupted when overflow has occurred.
240 */
241static uint32_t addTemp[4] = { 0, 0, 0, 0 };
242#define SHA384_512AddLength(context, length) ( \
243 addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \
244 (context)->Corrupted = (((context)->Length[3] < (length)) && \
245 ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \
246 ((context)->Length[0] == 0)) ? shaInputTooLong : \
247 (context)->Corrupted )
248
249/* Local Function Prototypes */
250static int SHA384_512Reset(SHA512Context *context,
251 uint32_t H0[SHA512HashSize/4]);
252static void SHA384_512ProcessMessageBlock(SHA512Context *context);
253static void SHA384_512Finalize(SHA512Context *context,
254 uint8_t Pad_Byte);
255static void SHA384_512PadMessage(SHA512Context *context,
256 uint8_t Pad_Byte);
257static int SHA384_512ResultN( SHA512Context *context,
258 uint8_t Message_Digest[ ], int HashSize);
259
260/* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */
261static uint32_t SHA384_H0[SHA512HashSize/4] = {
262 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A,
263 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31,
264 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D,
265 0xBEFA4FA4
266};
267static uint32_t SHA512_H0[SHA512HashSize/4] = {
268 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372,
269 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1,
270 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19,
271 0x137E2179
272};
273
274#else /* !USE_32BIT_ONLY */
275
276#include "sha-private.h"
277
278/* Define the SHA shift, rotate left and rotate right macros */
279#define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits))
280#define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \
281 (((uint64_t)(word)) << (64-(bits))))
282
283/*
284 * Define the SHA SIGMA and sigma macros
285 *
286 * SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
287 */
288#define SHA512_SIGMA0(word) \
289 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word))
290#define SHA512_SIGMA1(word) \
291 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word))
292#define SHA512_sigma0(word) \
293 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
294#define SHA512_sigma1(word) \
295 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
296
297/*
298 * Add "length" to the length.
299 * Set Corrupted when overflow has occurred.
300 */
301/* addTemp commented out by Nokia, static variables are not thread-safe */
302/* static uint64_t addTemp; */
303/* 'M' appended to Macro name by Nokia */
304#define SHA384_512AddLengthM(context, length) \
305 (addTemp = context->Length_Low, context->Corrupted = \
306 ((context->Length_Low += length) < addTemp) && \
307 (++context->Length_High == 0) ? shaInputTooLong : \
308 (context)->Corrupted)
309
310/* Local Function Prototypes */
311static int SHA384_512Reset(SHA512Context *context,
312 uint64_t H0[SHA512HashSize/8]);
313static void SHA384_512ProcessMessageBlock(SHA512Context *context);
314static void SHA384_512Finalize(SHA512Context *context,
315 uint8_t Pad_Byte);
316static void SHA384_512PadMessage(SHA512Context *context,
317 uint8_t Pad_Byte);
318static int SHA384_512ResultN(SHA512Context *context,
319 uint8_t Message_Digest[ ], int HashSize);
320
321/* Initial Hash Values: FIPS 180-3 sections 5.3.4 and 5.3.5 */
322static uint64_t SHA384_H0[ ] = {
323 0xCBBB9D5DC1059ED8ull, 0x629A292A367CD507ull, 0x9159015A3070DD17ull,
324 0x152FECD8F70E5939ull, 0x67332667FFC00B31ull, 0x8EB44A8768581511ull,
325 0xDB0C2E0D64F98FA7ull, 0x47B5481DBEFA4FA4ull
326};
327static uint64_t SHA512_H0[ ] = {
328 0x6A09E667F3BCC908ull, 0xBB67AE8584CAA73Bull, 0x3C6EF372FE94F82Bull,
329 0xA54FF53A5F1D36F1ull, 0x510E527FADE682D1ull, 0x9B05688C2B3E6C1Full,
330 0x1F83D9ABFB41BD6Bull, 0x5BE0CD19137E2179ull
331};
332
333#endif /* USE_32BIT_ONLY */
334
335/*
336 * SHA384Reset
337 *
338 * Description:
339 * This function will initialize the SHA384Context in preparation
340 * for computing a new SHA384 message digest.
341 *
342 * Parameters:
343 * context: [in/out]
344 * The context to reset.
345 *
346 * Returns:
347 * sha Error Code.
348 *
349 */
350int SHA384Reset(SHA384Context *context)
351{
352 return SHA384_512Reset(context, H0: SHA384_H0);
353}
354
355/*
356 * SHA384Input
357 *
358 * Description:
359 * This function accepts an array of octets as the next portion
360 * of the message.
361 *
362 * Parameters:
363 * context: [in/out]
364 * The SHA context to update.
365 * message_array[ ]: [in]
366 * An array of octets representing the next portion of
367 * the message.
368 * length: [in]
369 * The length of the message in message_array.
370 *
371 * Returns:
372 * sha Error Code.
373 *
374 */
375int SHA384Input(SHA384Context *context,
376 const uint8_t *message_array, unsigned int length)
377{
378 return SHA512Input(context, bytes: message_array, bytecount: length);
379}
380
381/*
382 * SHA384FinalBits
383 *
384 * Description:
385 * This function will add in any final bits of the message.
386 *
387 * Parameters:
388 * context: [in/out]
389 * The SHA context to update.
390 * message_bits: [in]
391 * The final bits of the message, in the upper portion of the
392 * byte. (Use 0b###00000 instead of 0b00000### to input the
393 * three bits ###.)
394 * length: [in]
395 * The number of bits in message_bits, between 1 and 7.
396 *
397 * Returns:
398 * sha Error Code.
399 *
400 */
401int SHA384FinalBits(SHA384Context *context,
402 uint8_t message_bits, unsigned int length)
403{
404 return SHA512FinalBits(context, bits: message_bits, bit_count: length);
405}
406
407/*
408 * SHA384Result
409 *
410 * Description:
411 * This function will return the 384-bit message digest
412 * into the Message_Digest array provided by the caller.
413 * NOTE:
414 * The first octet of hash is stored in the element with index 0,
415 * the last octet of hash in the element with index 47.
416 *
417 * Parameters:
418 * context: [in/out]
419 * The context to use to calculate the SHA hash.
420 * Message_Digest[ ]: [out]
421 * Where the digest is returned.
422 *
423 * Returns:
424 * sha Error Code.
425 *
426 */
427int SHA384Result(SHA384Context *context,
428 uint8_t Message_Digest[SHA384HashSize])
429{
430 return SHA384_512ResultN(context, Message_Digest, HashSize: SHA384HashSize);
431}
432
433/*
434 * SHA512Reset
435 *
436 * Description:
437 * This function will initialize the SHA512Context in preparation
438 * for computing a new SHA512 message digest.
439 *
440 * Parameters:
441 * context: [in/out]
442 * The context to reset.
443 *
444 * Returns:
445 * sha Error Code.
446 *
447 */
448int SHA512Reset(SHA512Context *context)
449{
450 return SHA384_512Reset(context, H0: SHA512_H0);
451}
452
453/*
454 * SHA512Input
455 *
456 * Description:
457 * This function accepts an array of octets as the next portion
458 * of the message.
459 *
460 * Parameters:
461 * context: [in/out]
462 * The SHA context to update.
463 * message_array[ ]: [in]
464 * An array of octets representing the next portion of
465 * the message.
466 * length: [in]
467 * The length of the message in message_array.
468 *
469 * Returns:
470 * sha Error Code.
471 *
472 */
473int SHA512Input(SHA512Context *context,
474 const uint8_t *message_array,
475 unsigned int length)
476{
477 if (!context) return shaNull;
478 if (!length) return shaSuccess;
479 if (!message_array) return shaNull;
480 if (context->Computed) return context->Corrupted = shaStateError;
481 if (context->Corrupted) return context->Corrupted;
482
483 while (length--) {
484 context->Message_Block[context->Message_Block_Index++] =
485 *message_array;
486
487 if ((SHA384_512AddLength(context, length: 8) == shaSuccess) &&
488 (context->Message_Block_Index == SHA512_Message_Block_Size))
489 SHA384_512ProcessMessageBlock(context);
490
491 message_array++;
492 }
493
494 return context->Corrupted;
495}
496
497/*
498 * SHA512FinalBits
499 *
500 * Description:
501 * This function will add in any final bits of the message.
502 *
503 * Parameters:
504 * context: [in/out]
505 * The SHA context to update.
506 * message_bits: [in]
507 * The final bits of the message, in the upper portion of the
508 * byte. (Use 0b###00000 instead of 0b00000### to input the
509 * three bits ###.)
510 * length: [in]
511 * The number of bits in message_bits, between 1 and 7.
512 *
513 * Returns:
514 * sha Error Code.
515 *
516 */
517int SHA512FinalBits(SHA512Context *context,
518 uint8_t message_bits, unsigned int length)
519{
520 static uint8_t masks[8] = {
521 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
522 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
523 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
524 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
525 };
526 static uint8_t markbit[8] = {
527 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
528 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
529 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
530 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
531 };
532
533 if (!context) return shaNull;
534 if (!length) return shaSuccess;
535 if (context->Corrupted) return context->Corrupted;
536 if (context->Computed) return context->Corrupted = shaStateError;
537 if (length >= 8) return context->Corrupted = shaBadParam;
538
539 SHA384_512AddLength(context, length);
540 SHA384_512Finalize(context, Pad_Byte: (uint8_t)
541 ((message_bits & masks[length]) | markbit[length]));
542
543 return context->Corrupted;
544}
545
546/*
547 * SHA512Result
548 *
549 * Description:
550 * This function will return the 512-bit message digest
551 * into the Message_Digest array provided by the caller.
552 * NOTE:
553 * The first octet of hash is stored in the element with index 0,
554 * the last octet of hash in the element with index 63.
555 *
556 * Parameters:
557 * context: [in/out]
558 * The context to use to calculate the SHA hash.
559 * Message_Digest[ ]: [out]
560 * Where the digest is returned.
561 *
562 * Returns:
563 * sha Error Code.
564 *
565 */
566int SHA512Result(SHA512Context *context,
567 uint8_t Message_Digest[SHA512HashSize])
568{
569 return SHA384_512ResultN(context, Message_Digest, HashSize: SHA512HashSize);
570}
571
572/*
573 * SHA384_512Reset
574 *
575 * Description:
576 * This helper function will initialize the SHA512Context in
577 * preparation for computing a new SHA384 or SHA512 message
578 * digest.
579 *
580 * Parameters:
581 * context: [in/out]
582 * The context to reset.
583 * H0[ ]: [in]
584 * The initial hash value array to use.
585 *
586 * Returns:
587 * sha Error Code.
588 *
589 */
590#ifdef USE_32BIT_ONLY
591static int SHA384_512Reset(SHA512Context *context,
592 uint32_t H0[SHA512HashSize/4])
593#else /* !USE_32BIT_ONLY */
594static int SHA384_512Reset(SHA512Context *context,
595 uint64_t H0[SHA512HashSize/8])
596#endif /* USE_32BIT_ONLY */
597{
598 int i;
599 if (!context) return shaNull;
600
601 context->Message_Block_Index = 0;
602
603#ifdef USE_32BIT_ONLY
604 context->Length[0] = context->Length[1] =
605 context->Length[2] = context->Length[3] = 0;
606
607 for (i = 0; i < SHA512HashSize/4; i++)
608 context->Intermediate_Hash[i] = H0[i];
609#else /* !USE_32BIT_ONLY */
610 context->Length_High = context->Length_Low = 0;
611
612 for (i = 0; i < SHA512HashSize/8; i++)
613 context->Intermediate_Hash[i] = H0[i];
614#endif /* USE_32BIT_ONLY */
615
616 context->Computed = 0;
617 context->Corrupted = shaSuccess;
618
619 return shaSuccess;
620}
621
622/*
623 * SHA384_512ProcessMessageBlock
624 *
625 * Description:
626 * This helper function will process the next 1024 bits of the
627 * message stored in the Message_Block array.
628 *
629 * Parameters:
630 * context: [in/out]
631 * The SHA context to update.
632 *
633 * Returns:
634 * Nothing.
635 *
636 * Comments:
637 * Many of the variable names in this code, especially the
638 * single character names, were used because those were the
639 * names used in the Secure Hash Standard.
640 *
641 *
642 */
643static void SHA384_512ProcessMessageBlock(SHA512Context *context)
644{
645#ifdef USE_32BIT_ONLY
646 /* Constants defined in FIPS 180-3, section 4.2.3 */
647 static const uint32_t K[80*2] = {
648 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF,
649 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538,
650 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5,
651 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE,
652 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74,
653 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235,
654 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786,
655 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65,
656 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC,
657 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB,
658 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7,
659 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725,
660 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85,
661 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED,
662 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB,
663 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B,
664 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70,
665 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218,
666 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070,
667 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53,
668 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3,
669 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373,
670 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F,
671 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC,
672 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7,
673 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C,
674 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F,
675 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6,
676 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5,
677 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC,
678 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C,
679 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817
680 };
681 int t, t2, t8; /* Loop counter */
682 uint32_t temp1[2], temp2[2], /* Temporary word values */
683 temp3[2], temp4[2], temp5[2];
684 uint32_t W[2*80]; /* Word sequence */
685 uint32_t A[2], B[2], C[2], D[2], /* Word buffers */
686 E[2], F[2], G[2], H[2];
687
688 /* Initialize the first 16 words in the array W */
689 for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) {
690 W[t2++] = ((((uint32_t)context->Message_Block[t8 ])) << 24) |
691 ((((uint32_t)context->Message_Block[t8 + 1])) << 16) |
692 ((((uint32_t)context->Message_Block[t8 + 2])) << 8) |
693 ((((uint32_t)context->Message_Block[t8 + 3])));
694 W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) |
695 ((((uint32_t)context->Message_Block[t8 + 5])) << 16) |
696 ((((uint32_t)context->Message_Block[t8 + 6])) << 8) |
697 ((((uint32_t)context->Message_Block[t8 + 7])));
698 }
699
700 for (t = 16; t < 80; t++, t2 += 2) {
701 /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
702 SHA512_sigma0(W[t-15]) + W[t-16]; */
703 uint32_t *Wt2 = &W[t2-2*2];
704 uint32_t *Wt7 = &W[t2-7*2];
705 uint32_t *Wt15 = &W[t2-15*2];
706 uint32_t *Wt16 = &W[t2-16*2];
707 SHA512_sigma1(Wt2, temp1);
708 SHA512_ADD(temp1, Wt7, temp2);
709 SHA512_sigma0(Wt15, temp1);
710 SHA512_ADD(temp1, Wt16, temp3);
711 SHA512_ADD(temp2, temp3, &W[t2]);
712 }
713
714 A[0] = context->Intermediate_Hash[0];
715 A[1] = context->Intermediate_Hash[1];
716 B[0] = context->Intermediate_Hash[2];
717 B[1] = context->Intermediate_Hash[3];
718 C[0] = context->Intermediate_Hash[4];
719 C[1] = context->Intermediate_Hash[5];
720 D[0] = context->Intermediate_Hash[6];
721 D[1] = context->Intermediate_Hash[7];
722 E[0] = context->Intermediate_Hash[8];
723 E[1] = context->Intermediate_Hash[9];
724 F[0] = context->Intermediate_Hash[10];
725 F[1] = context->Intermediate_Hash[11];
726 G[0] = context->Intermediate_Hash[12];
727 G[1] = context->Intermediate_Hash[13];
728 H[0] = context->Intermediate_Hash[14];
729 H[1] = context->Intermediate_Hash[15];
730
731 for (t = t2 = 0; t < 80; t++, t2 += 2) {
732 /*
733 * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
734 */
735 SHA512_SIGMA1(E,temp1);
736 SHA512_ADD(H, temp1, temp2);
737 SHA_Ch(E,F,G,temp3);
738 SHA512_ADD(temp2, temp3, temp4);
739 SHA512_ADD(&K[t2], &W[t2], temp5);
740 SHA512_ADD(temp4, temp5, temp1);
741 /*
742 * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
743 */
744 SHA512_SIGMA0(A,temp3);
745 SHA_Maj(A,B,C,temp4);
746 SHA512_ADD(temp3, temp4, temp2);
747 H[0] = G[0]; H[1] = G[1];
748 G[0] = F[0]; G[1] = F[1];
749 F[0] = E[0]; F[1] = E[1];
750 SHA512_ADD(D, temp1, E);
751 D[0] = C[0]; D[1] = C[1];
752 C[0] = B[0]; C[1] = B[1];
753 B[0] = A[0]; B[1] = A[1];
754 SHA512_ADD(temp1, temp2, A);
755 }
756
757 SHA512_ADDTO2(&context->Intermediate_Hash[0], A);
758 SHA512_ADDTO2(&context->Intermediate_Hash[2], B);
759 SHA512_ADDTO2(&context->Intermediate_Hash[4], C);
760 SHA512_ADDTO2(&context->Intermediate_Hash[6], D);
761 SHA512_ADDTO2(&context->Intermediate_Hash[8], E);
762 SHA512_ADDTO2(&context->Intermediate_Hash[10], F);
763 SHA512_ADDTO2(&context->Intermediate_Hash[12], G);
764 SHA512_ADDTO2(&context->Intermediate_Hash[14], H);
765
766#else /* !USE_32BIT_ONLY */
767 /* Constants defined in FIPS 180-3, section 4.2.3 */
768 static const uint64_t K[80] = {
769 0x428A2F98D728AE22ull, 0x7137449123EF65CDull, 0xB5C0FBCFEC4D3B2Full,
770 0xE9B5DBA58189DBBCull, 0x3956C25BF348B538ull, 0x59F111F1B605D019ull,
771 0x923F82A4AF194F9Bull, 0xAB1C5ED5DA6D8118ull, 0xD807AA98A3030242ull,
772 0x12835B0145706FBEull, 0x243185BE4EE4B28Cull, 0x550C7DC3D5FFB4E2ull,
773 0x72BE5D74F27B896Full, 0x80DEB1FE3B1696B1ull, 0x9BDC06A725C71235ull,
774 0xC19BF174CF692694ull, 0xE49B69C19EF14AD2ull, 0xEFBE4786384F25E3ull,
775 0x0FC19DC68B8CD5B5ull, 0x240CA1CC77AC9C65ull, 0x2DE92C6F592B0275ull,
776 0x4A7484AA6EA6E483ull, 0x5CB0A9DCBD41FBD4ull, 0x76F988DA831153B5ull,
777 0x983E5152EE66DFABull, 0xA831C66D2DB43210ull, 0xB00327C898FB213Full,
778 0xBF597FC7BEEF0EE4ull, 0xC6E00BF33DA88FC2ull, 0xD5A79147930AA725ull,
779 0x06CA6351E003826Full, 0x142929670A0E6E70ull, 0x27B70A8546D22FFCull,
780 0x2E1B21385C26C926ull, 0x4D2C6DFC5AC42AEDull, 0x53380D139D95B3DFull,
781 0x650A73548BAF63DEull, 0x766A0ABB3C77B2A8ull, 0x81C2C92E47EDAEE6ull,
782 0x92722C851482353Bull, 0xA2BFE8A14CF10364ull, 0xA81A664BBC423001ull,
783 0xC24B8B70D0F89791ull, 0xC76C51A30654BE30ull, 0xD192E819D6EF5218ull,
784 0xD69906245565A910ull, 0xF40E35855771202Aull, 0x106AA07032BBD1B8ull,
785 0x19A4C116B8D2D0C8ull, 0x1E376C085141AB53ull, 0x2748774CDF8EEB99ull,
786 0x34B0BCB5E19B48A8ull, 0x391C0CB3C5C95A63ull, 0x4ED8AA4AE3418ACBull,
787 0x5B9CCA4F7763E373ull, 0x682E6FF3D6B2B8A3ull, 0x748F82EE5DEFB2FCull,
788 0x78A5636F43172F60ull, 0x84C87814A1F0AB72ull, 0x8CC702081A6439ECull,
789 0x90BEFFFA23631E28ull, 0xA4506CEBDE82BDE9ull, 0xBEF9A3F7B2C67915ull,
790 0xC67178F2E372532Bull, 0xCA273ECEEA26619Cull, 0xD186B8C721C0C207ull,
791 0xEADA7DD6CDE0EB1Eull, 0xF57D4F7FEE6ED178ull, 0x06F067AA72176FBAull,
792 0x0A637DC5A2C898A6ull, 0x113F9804BEF90DAEull, 0x1B710B35131C471Bull,
793 0x28DB77F523047D84ull, 0x32CAAB7B40C72493ull, 0x3C9EBE0A15C9BEBCull,
794 0x431D67C49C100D4Cull, 0x4CC5D4BECB3E42B6ull, 0x597F299CFC657E2Aull,
795 0x5FCB6FAB3AD6FAECull, 0x6C44198C4A475817ull
796 };
797 int t, t8; /* Loop counter */
798 uint64_t temp1, temp2; /* Temporary word value */
799 uint64_t W[80]; /* Word sequence */
800 uint64_t A, B, C, D, E, F, G, H; /* Word buffers */
801
802 /*
803 * Initialize the first 16 words in the array W
804 */
805 for (t = t8 = 0; t < 16; t++, t8 += 8)
806 W[t] = ((uint64_t)(context->Message_Block[t8 ]) << 56) |
807 ((uint64_t)(context->Message_Block[t8 + 1]) << 48) |
808 ((uint64_t)(context->Message_Block[t8 + 2]) << 40) |
809 ((uint64_t)(context->Message_Block[t8 + 3]) << 32) |
810 ((uint64_t)(context->Message_Block[t8 + 4]) << 24) |
811 ((uint64_t)(context->Message_Block[t8 + 5]) << 16) |
812 ((uint64_t)(context->Message_Block[t8 + 6]) << 8) |
813 ((uint64_t)(context->Message_Block[t8 + 7]));
814
815 for (t = 16; t < 80; t++)
816 W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
817 SHA512_sigma0(W[t-15]) + W[t-16];
818 A = context->Intermediate_Hash[0];
819 B = context->Intermediate_Hash[1];
820 C = context->Intermediate_Hash[2];
821 D = context->Intermediate_Hash[3];
822 E = context->Intermediate_Hash[4];
823 F = context->Intermediate_Hash[5];
824 G = context->Intermediate_Hash[6];
825 H = context->Intermediate_Hash[7];
826
827 for (t = 0; t < 80; t++) {
828 temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
829 temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
830 H = G;
831 G = F;
832 F = E;
833 E = D + temp1;
834 D = C;
835 C = B;
836 B = A;
837 A = temp1 + temp2;
838 }
839
840 context->Intermediate_Hash[0] += A;
841 context->Intermediate_Hash[1] += B;
842 context->Intermediate_Hash[2] += C;
843 context->Intermediate_Hash[3] += D;
844 context->Intermediate_Hash[4] += E;
845 context->Intermediate_Hash[5] += F;
846 context->Intermediate_Hash[6] += G;
847 context->Intermediate_Hash[7] += H;
848#endif /* USE_32BIT_ONLY */
849
850 context->Message_Block_Index = 0;
851}
852
853/*
854 * SHA384_512Finalize
855 *
856 * Description:
857 * This helper function finishes off the digest calculations.
858 *
859 * Parameters:
860 * context: [in/out]
861 * The SHA context to update.
862 * Pad_Byte: [in]
863 * The last byte to add to the message block before the 0-padding
864 * and length. This will contain the last bits of the message
865 * followed by another single bit. If the message was an
866 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
867 *
868 * Returns:
869 * sha Error Code.
870 *
871 */
872static void SHA384_512Finalize(SHA512Context *context,
873 uint8_t Pad_Byte)
874{
875 int_least16_t i;
876 SHA384_512PadMessage(context, Pad_Byte);
877 /* message may be sensitive, clear it out */
878 for (i = 0; i < SHA512_Message_Block_Size; ++i)
879 context->Message_Block[i] = 0;
880#ifdef USE_32BIT_ONLY /* and clear length */
881 context->Length[0] = context->Length[1] = 0;
882 context->Length[2] = context->Length[3] = 0;
883#else /* !USE_32BIT_ONLY */
884 context->Length_High = context->Length_Low = 0;
885#endif /* USE_32BIT_ONLY */
886 context->Computed = 1;
887}
888
889/*
890 * SHA384_512PadMessage
891 *
892 * Description:
893 * According to the standard, the message must be padded to the next
894 * even multiple of 1024 bits. The first padding bit must be a '1'.
895 * The last 128 bits represent the length of the original message.
896 * All bits in between should be 0. This helper function will
897 * pad the message according to those rules by filling the
898 * Message_Block array accordingly. When it returns, it can be
899 * assumed that the message digest has been computed.
900 *
901 * Parameters:
902 * context: [in/out]
903 * The context to pad.
904 * Pad_Byte: [in]
905 * The last byte to add to the message block before the 0-padding
906 * and length. This will contain the last bits of the message
907 * followed by another single bit. If the message was an
908 * exact multiple of 8-bits long, Pad_Byte will be 0x80.
909 *
910 * Returns:
911 * Nothing.
912 *
913 */
914static void SHA384_512PadMessage(SHA512Context *context,
915 uint8_t Pad_Byte)
916{
917 /*
918 * Check to see if the current message block is too small to hold
919 * the initial padding bits and length. If so, we will pad the
920 * block, process it, and then continue padding into a second
921 * block.
922 */
923 if (context->Message_Block_Index >= (SHA512_Message_Block_Size-16)) {
924 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
925 while (context->Message_Block_Index < SHA512_Message_Block_Size)
926 context->Message_Block[context->Message_Block_Index++] = 0;
927
928 SHA384_512ProcessMessageBlock(context);
929 } else
930 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
931
932 while (context->Message_Block_Index < (SHA512_Message_Block_Size-16))
933 context->Message_Block[context->Message_Block_Index++] = 0;
934
935 /*
936 * Store the message length as the last 16 octets
937 */
938#ifdef USE_32BIT_ONLY
939 context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24);
940 context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16);
941 context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8);
942 context->Message_Block[115] = (uint8_t)(context->Length[0]);
943 context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24);
944 context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16);
945 context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8);
946 context->Message_Block[119] = (uint8_t)(context->Length[1]);
947
948 context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24);
949 context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16);
950 context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8);
951 context->Message_Block[123] = (uint8_t)(context->Length[2]);
952 context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24);
953 context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16);
954 context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8);
955 context->Message_Block[127] = (uint8_t)(context->Length[3]);
956#else /* !USE_32BIT_ONLY */
957 context->Message_Block[112] = (uint8_t)(context->Length_High >> 56);
958 context->Message_Block[113] = (uint8_t)(context->Length_High >> 48);
959 context->Message_Block[114] = (uint8_t)(context->Length_High >> 40);
960 context->Message_Block[115] = (uint8_t)(context->Length_High >> 32);
961 context->Message_Block[116] = (uint8_t)(context->Length_High >> 24);
962 context->Message_Block[117] = (uint8_t)(context->Length_High >> 16);
963 context->Message_Block[118] = (uint8_t)(context->Length_High >> 8);
964 context->Message_Block[119] = (uint8_t)(context->Length_High);
965
966 context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56);
967 context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48);
968 context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40);
969 context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32);
970 context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24);
971 context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16);
972 context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8);
973 context->Message_Block[127] = (uint8_t)(context->Length_Low);
974#endif /* USE_32BIT_ONLY */
975
976 SHA384_512ProcessMessageBlock(context);
977}
978
979/*
980 * SHA384_512ResultN
981 *
982 * Description:
983 * This helper function will return the 384-bit or 512-bit message
984 * digest into the Message_Digest array provided by the caller.
985 * NOTE:
986 * The first octet of hash is stored in the element with index 0,
987 * the last octet of hash in the element with index 47/63.
988 *
989 * Parameters:
990 * context: [in/out]
991 * The context to use to calculate the SHA hash.
992 * Message_Digest[ ]: [out]
993 * Where the digest is returned.
994 * HashSize: [in]
995 * The size of the hash, either 48 or 64.
996 *
997 * Returns:
998 * sha Error Code.
999 *
1000 */
1001static int SHA384_512ResultN(SHA512Context *context,
1002 uint8_t Message_Digest[ ], int HashSize)
1003{
1004 int i;
1005#ifdef USE_32BIT_ONLY
1006 int i2;
1007#endif /* USE_32BIT_ONLY */
1008
1009 if (!context) return shaNull;
1010 if (!Message_Digest) return shaNull;
1011 if (context->Corrupted) return context->Corrupted;
1012
1013 if (!context->Computed)
1014 SHA384_512Finalize(context, Pad_Byte: 0x80);
1015
1016#ifdef USE_32BIT_ONLY
1017 for (i = i2 = 0; i < HashSize; ) {
1018 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24);
1019 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16);
1020 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8);
1021 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
1022 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>24);
1023 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>16);
1024 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2]>>8);
1025 Message_Digest[i++]=(uint8_t)(context->Intermediate_Hash[i2++]);
1026 }
1027#else /* !USE_32BIT_ONLY */
1028 for (i = 0; i < HashSize; ++i)
1029 Message_Digest[i] = (uint8_t)
1030 (context->Intermediate_Hash[i>>3] >> 8 * ( 7 - ( i % 8 ) ));
1031#endif /* USE_32BIT_ONLY */
1032
1033 return shaSuccess;
1034}
1035

source code of qtbase/src/3rdparty/rfc6234/sha384-512.c