/src/nettle/sha512.c

Source (jump to first uncovered line)
/* sha512.c

   The sha512 hash function.
   See http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf

   Copyright (C) 2001, 2010 Niels Möller
   Copyright (C) 2014 Joachim Strömbergson

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

/* Modelled after the sha1.c code by Peter Gutmann. */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>
#include <stdlib.h>
#include <string.h>

#include "sha2.h"
#include "sha2-internal.h"

#include "macros.h"

/* Generated by the gp script

     {
       print("obase=16");
       for (i = 1,80,
         root = prime(i)^(1/3);
         fraction = root - floor(root);
         print(floor(2^64 * fraction));
       );
       quit();
     }

   piped through

     |grep -v '^[' | bc \
       |awk '{printf("0x%sULL,%s", $1, NR%3 == 0 ? "\n" : "");}'

   to convert it to hex.
*/

static const uint64_t
K[80] =
{
  0x428A2F98D728AE22ULL,0x7137449123EF65CDULL,
  0xB5C0FBCFEC4D3B2FULL,0xE9B5DBA58189DBBCULL,
  0x3956C25BF348B538ULL,0x59F111F1B605D019ULL,
  0x923F82A4AF194F9BULL,0xAB1C5ED5DA6D8118ULL,
  0xD807AA98A3030242ULL,0x12835B0145706FBEULL,
  0x243185BE4EE4B28CULL,0x550C7DC3D5FFB4E2ULL,
  0x72BE5D74F27B896FULL,0x80DEB1FE3B1696B1ULL,
  0x9BDC06A725C71235ULL,0xC19BF174CF692694ULL,
  0xE49B69C19EF14AD2ULL,0xEFBE4786384F25E3ULL,
  0x0FC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL,
  0x2DE92C6F592B0275ULL,0x4A7484AA6EA6E483ULL,
  0x5CB0A9DCBD41FBD4ULL,0x76F988DA831153B5ULL,
  0x983E5152EE66DFABULL,0xA831C66D2DB43210ULL,
  0xB00327C898FB213FULL,0xBF597FC7BEEF0EE4ULL,
  0xC6E00BF33DA88FC2ULL,0xD5A79147930AA725ULL,
  0x06CA6351E003826FULL,0x142929670A0E6E70ULL,
  0x27B70A8546D22FFCULL,0x2E1B21385C26C926ULL,
  0x4D2C6DFC5AC42AEDULL,0x53380D139D95B3DFULL,
  0x650A73548BAF63DEULL,0x766A0ABB3C77B2A8ULL,
  0x81C2C92E47EDAEE6ULL,0x92722C851482353BULL,
  0xA2BFE8A14CF10364ULL,0xA81A664BBC423001ULL,
  0xC24B8B70D0F89791ULL,0xC76C51A30654BE30ULL,
  0xD192E819D6EF5218ULL,0xD69906245565A910ULL,
  0xF40E35855771202AULL,0x106AA07032BBD1B8ULL,
  0x19A4C116B8D2D0C8ULL,0x1E376C085141AB53ULL,
  0x2748774CDF8EEB99ULL,0x34B0BCB5E19B48A8ULL,
  0x391C0CB3C5C95A63ULL,0x4ED8AA4AE3418ACBULL,
  0x5B9CCA4F7763E373ULL,0x682E6FF3D6B2B8A3ULL,
  0x748F82EE5DEFB2FCULL,0x78A5636F43172F60ULL,
  0x84C87814A1F0AB72ULL,0x8CC702081A6439ECULL,
  0x90BEFFFA23631E28ULL,0xA4506CEBDE82BDE9ULL,
  0xBEF9A3F7B2C67915ULL,0xC67178F2E372532BULL,
  0xCA273ECEEA26619CULL,0xD186B8C721C0C207ULL,
  0xEADA7DD6CDE0EB1EULL,0xF57D4F7FEE6ED178ULL,
  0x06F067AA72176FBAULL,0x0A637DC5A2C898A6ULL,
  0x113F9804BEF90DAEULL,0x1B710B35131C471BULL,
  0x28DB77F523047D84ULL,0x32CAAB7B40C72493ULL,
  0x3C9EBE0A15C9BEBCULL,0x431D67C49C100D4CULL,
  0x4CC5D4BECB3E42B6ULL,0x597F299CFC657E2AULL,
  0x5FCB6FAB3AD6FAECULL,0x6C44198C4A475817ULL,
};

#define COMPRESS(ctx, data) (sha512_compress((ctx)->state, (data)))

void
sha512_init(struct sha512_ctx *ctx)
{
  /* Initial values, generated by the gp script
       {
         for (i = 1,8,
     root = prime(i)^(1/2);
     fraction = root - floor(root);
     print(floor(2^64 * fraction));
   );
       }
. */
  static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
  {
    0x6A09E667F3BCC908ULL,0xBB67AE8584CAA73BULL,
    0x3C6EF372FE94F82BULL,0xA54FF53A5F1D36F1ULL,
    0x510E527FADE682D1ULL,0x9B05688C2B3E6C1FULL,
    0x1F83D9ABFB41BD6BULL,0x5BE0CD19137E2179ULL,
  };

  memcpy(ctx->state, H0, sizeof(H0));

  /* Initialize bit count */
  ctx->count_low = ctx->count_high = 0;
  
  /* Initialize buffer */
  ctx->index = 0;
}

void
sha512_update(struct sha512_ctx *ctx,
        size_t length, const uint8_t *data)
{
  MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx));
}

static void
sha512_write_digest(struct sha512_ctx *ctx,
        size_t length,
        uint8_t *digest)
{
  uint64_t high, low;

  unsigned i;
  unsigned words;
  unsigned leftover;

  assert(length <= SHA512_DIGEST_SIZE);

  MD_PAD(ctx, 16, COMPRESS);

  /* There are 1024 = 2^10 bits in one block */  
  high = (ctx->count_high << 10) | (ctx->count_low >> 54);
  low = (ctx->count_low << 10) | (ctx->index << 3);

  /* This is slightly inefficient, as the numbers are converted to
     big-endian format, and will be converted back by the compression
     function. It's probably not worth the effort to fix this. */
  WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 16), high);
  WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 8), low);
  sha512_compress(ctx->state, ctx->block);

  words = length / 8;
  leftover = length % 8;

  for (i = 0; i < words; i++, digest += 8)
    WRITE_UINT64(digest, ctx->state[i]);

  if (leftover)
    {
      /* Truncate to the right size */
      uint64_t word = ctx->state[i] >> (8*(8 - leftover));

      do {
  digest[--leftover] = word & 0xff;
  word >>= 8;
      } while (leftover);
    }
}

void
sha512_digest(struct sha512_ctx *ctx,
        size_t length,
        uint8_t *digest)
{
  assert(length <= SHA512_DIGEST_SIZE);

  sha512_write_digest(ctx, length, digest);
  sha512_init(ctx);
}

/* sha384 variant. */
void
sha384_init(struct sha512_ctx *ctx)
{
  /* Initial values, generated by the gp script
       {
         for (i = 9,16,
     root = prime(i)^(1/2);
     fraction = root - floor(root);
     print(floor(2^64 * fraction));
   );
       }
. */
  static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
  {
    0xCBBB9D5DC1059ED8ULL, 0x629A292A367CD507ULL,
    0x9159015A3070DD17ULL, 0x152FECD8F70E5939ULL,
    0x67332667FFC00B31ULL, 0x8EB44A8768581511ULL,
    0xDB0C2E0D64F98FA7ULL, 0x47B5481DBEFA4FA4ULL,
  };

  memcpy(ctx->state, H0, sizeof(H0));

  /* Initialize bit count */
  ctx->count_low = ctx->count_high = 0;
  
  /* Initialize buffer */
  ctx->index = 0;
}

void
sha384_digest(struct sha512_ctx *ctx,
        size_t length,
        uint8_t *digest)
{
  assert(length <= SHA384_DIGEST_SIZE);

  sha512_write_digest(ctx, length, digest);
  sha384_init(ctx);
}


/* sha-512/224 variant. */
void
sha512_224_init(struct sha512_224_ctx *ctx)
{
  static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
  {
    0x8c3d37c819544da2ULL, 0x73e1996689dcd4d6ULL,
    0x1dfab7ae32ff9c82ULL, 0x679dd514582f9fcfULL,
    0x0f6d2b697bd44da8ULL, 0x77e36f7304c48942ULL,
    0x3f9d85a86a1d36c8ULL, 0x1112e6ad91d692a1ULL,
  };

  memcpy(ctx->state, H0, sizeof(H0));

  /* Initialize bit count */
  ctx->count_low = ctx->count_high = 0;
  
  /* Initialize buffer */
  ctx->index = 0;
}

void
sha512_224_digest(struct sha512_224_ctx *ctx,
        size_t length,
        uint8_t *digest)
{
  assert(length <= SHA224_DIGEST_SIZE);

  sha512_write_digest(ctx, length, digest);
  sha512_224_init(ctx);
}


/* sha-512/256 variant. */
void
sha512_256_init(struct sha512_256_ctx *ctx)
{
  static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
    {
      0x22312194fc2bf72cULL, 0x9f555fa3c84c64c2ULL, 
      0x2393b86b6f53b151ULL, 0x963877195940eabdULL, 
      0x96283ee2a88effe3ULL, 0xbe5e1e2553863992ULL, 
      0x2b0199fc2c85b8aaULL, 0x0eb72ddc81c52ca2ULL,
    };

  memcpy(ctx->state, H0, sizeof(H0));

  /* Initialize bit count */
  ctx->count_low = ctx->count_high = 0;
  
  /* Initialize buffer */
  ctx->index = 0;
}

void
sha512_256_digest(struct sha512_256_ctx *ctx,
        size_t length,
        uint8_t *digest)
{
  assert(length <= SHA256_DIGEST_SIZE);

  sha512_write_digest(ctx, length, digest);
  sha512_256_init(ctx);
}

void
sha512_compress(uint64_t *state, const uint8_t *input)
{
  _nettle_sha512_compress(state, input, K);
}

Coverage Report

Created: 2024-11-25 06:27

Line	Count	Source (jump to first uncovered line)
1		/* sha512.c
2
3		The sha512 hash function.
4		See http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
5
6		Copyright (C) 2001, 2010 Niels Möller
7		Copyright (C) 2014 Joachim Strömbergson
8
9		This file is part of GNU Nettle.
10
11		GNU Nettle is free software: you can redistribute it and/or
12		modify it under the terms of either:
13
14		* the GNU Lesser General Public License as published by the Free
15		Software Foundation; either version 3 of the License, or (at your
16		option) any later version.
17
18		or
19
20		* the GNU General Public License as published by the Free
21		Software Foundation; either version 2 of the License, or (at your
22		option) any later version.
23
24		or both in parallel, as here.
25
26		GNU Nettle is distributed in the hope that it will be useful,
27		but WITHOUT ANY WARRANTY; without even the implied warranty of
28		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
29		General Public License for more details.
30
31		You should have received copies of the GNU General Public License and
32		the GNU Lesser General Public License along with this program. If
33		not, see http://www.gnu.org/licenses/.
34		*/
35
36		/* Modelled after the sha1.c code by Peter Gutmann. */
37
38		#if HAVE_CONFIG_H
39		# include "config.h"
40		#endif
41
42		#include <assert.h>
43		#include <stdlib.h>
44		#include <string.h>
45
46		#include "sha2.h"
47		#include "sha2-internal.h"
48
49		#include "macros.h"
50
51		/* Generated by the gp script
52
53		{
54		print("obase=16");
55		for (i = 1,80,
56		root = prime(i)^(1/3);
57		fraction = root - floor(root);
58		print(floor(2^64 * fraction));
59		);
60		quit();
61		}
62
63		piped through
64
65		\|grep -v '^[' \| bc \
66		\|awk '{printf("0x%sULL,%s", $1, NR%3 == 0 ? "\n" : "");}'
67
68		to convert it to hex.
69		*/
70
71		static const uint64_t
72		K[80] =
73		{
74		0x428A2F98D728AE22ULL,0x7137449123EF65CDULL,
75		0xB5C0FBCFEC4D3B2FULL,0xE9B5DBA58189DBBCULL,
76		0x3956C25BF348B538ULL,0x59F111F1B605D019ULL,
77		0x923F82A4AF194F9BULL,0xAB1C5ED5DA6D8118ULL,
78		0xD807AA98A3030242ULL,0x12835B0145706FBEULL,
79		0x243185BE4EE4B28CULL,0x550C7DC3D5FFB4E2ULL,
80		0x72BE5D74F27B896FULL,0x80DEB1FE3B1696B1ULL,
81		0x9BDC06A725C71235ULL,0xC19BF174CF692694ULL,
82		0xE49B69C19EF14AD2ULL,0xEFBE4786384F25E3ULL,
83		0x0FC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL,
84		0x2DE92C6F592B0275ULL,0x4A7484AA6EA6E483ULL,
85		0x5CB0A9DCBD41FBD4ULL,0x76F988DA831153B5ULL,
86		0x983E5152EE66DFABULL,0xA831C66D2DB43210ULL,
87		0xB00327C898FB213FULL,0xBF597FC7BEEF0EE4ULL,
88		0xC6E00BF33DA88FC2ULL,0xD5A79147930AA725ULL,
89		0x06CA6351E003826FULL,0x142929670A0E6E70ULL,
90		0x27B70A8546D22FFCULL,0x2E1B21385C26C926ULL,
91		0x4D2C6DFC5AC42AEDULL,0x53380D139D95B3DFULL,
92		0x650A73548BAF63DEULL,0x766A0ABB3C77B2A8ULL,
93		0x81C2C92E47EDAEE6ULL,0x92722C851482353BULL,
94		0xA2BFE8A14CF10364ULL,0xA81A664BBC423001ULL,
95		0xC24B8B70D0F89791ULL,0xC76C51A30654BE30ULL,
96		0xD192E819D6EF5218ULL,0xD69906245565A910ULL,
97		0xF40E35855771202AULL,0x106AA07032BBD1B8ULL,
98		0x19A4C116B8D2D0C8ULL,0x1E376C085141AB53ULL,
99		0x2748774CDF8EEB99ULL,0x34B0BCB5E19B48A8ULL,
100		0x391C0CB3C5C95A63ULL,0x4ED8AA4AE3418ACBULL,
101		0x5B9CCA4F7763E373ULL,0x682E6FF3D6B2B8A3ULL,
102		0x748F82EE5DEFB2FCULL,0x78A5636F43172F60ULL,
103		0x84C87814A1F0AB72ULL,0x8CC702081A6439ECULL,
104		0x90BEFFFA23631E28ULL,0xA4506CEBDE82BDE9ULL,
105		0xBEF9A3F7B2C67915ULL,0xC67178F2E372532BULL,
106		0xCA273ECEEA26619CULL,0xD186B8C721C0C207ULL,
107		0xEADA7DD6CDE0EB1EULL,0xF57D4F7FEE6ED178ULL,
108		0x06F067AA72176FBAULL,0x0A637DC5A2C898A6ULL,
109		0x113F9804BEF90DAEULL,0x1B710B35131C471BULL,
110		0x28DB77F523047D84ULL,0x32CAAB7B40C72493ULL,
111		0x3C9EBE0A15C9BEBCULL,0x431D67C49C100D4CULL,
112		0x4CC5D4BECB3E42B6ULL,0x597F299CFC657E2AULL,
113		0x5FCB6FAB3AD6FAECULL,0x6C44198C4A475817ULL,
114		};
115
116	5.18k	#define COMPRESS(ctx, data) (sha512_compress((ctx)->state, (data)))
117
118		void
119		sha512_init(struct sha512_ctx *ctx)
120	9.11k	{
121		/* Initial values, generated by the gp script
122		{
123		for (i = 1,8,
124		root = prime(i)^(1/2);
125		fraction = root - floor(root);
126		print(floor(2^64 * fraction));
127		);
128		}
129		. */
130	9.11k	static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
131	9.11k	{
132	9.11k	0x6A09E667F3BCC908ULL,0xBB67AE8584CAA73BULL,
133	9.11k	0x3C6EF372FE94F82BULL,0xA54FF53A5F1D36F1ULL,
134	9.11k	0x510E527FADE682D1ULL,0x9B05688C2B3E6C1FULL,
135	9.11k	0x1F83D9ABFB41BD6BULL,0x5BE0CD19137E2179ULL,
136	9.11k	};
137
138	9.11k	memcpy(ctx->state, H0, sizeof(H0));
139
140		/* Initialize bit count */
141	9.11k	ctx->count_low = ctx->count_high = 0;
142
143		/* Initialize buffer */
144	9.11k	ctx->index = 0;
145	9.11k	}
146
147		void
148		sha512_update(struct sha512_ctx *ctx,
149		size_t length, const uint8_t *data)
150	18.5k	{
151	18.5k	MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx));
152	18.5k	}
153
154		static void
155		sha512_write_digest(struct sha512_ctx *ctx,
156		size_t length,
157		uint8_t *digest)
158	11.8k	{
159	11.8k	uint64_t high, low;
160
161	11.8k	unsigned i;
162	11.8k	unsigned words;
163	11.8k	unsigned leftover;
164
165	11.8k	assert(length <= SHA512_DIGEST_SIZE);
166
167	11.8k	MD_PAD(ctx, 16, COMPRESS);
168
169		/* There are 1024 = 2^10 bits in one block */
170	11.8k	high = (ctx->count_high << 10) \| (ctx->count_low >> 54);
171	11.8k	low = (ctx->count_low << 10) \| (ctx->index << 3);
172
173		/* This is slightly inefficient, as the numbers are converted to
174		big-endian format, and will be converted back by the compression
175		function. It's probably not worth the effort to fix this. */
176	11.8k	WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 16), high);
177	11.8k	WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 8), low);
178	11.8k	sha512_compress(ctx->state, ctx->block);
179
180	11.8k	words = length / 8;
181	11.8k	leftover = length % 8;
182
183	89.0k	for (i = 0; i < words; i++, digest += 8)
184	77.2k	WRITE_UINT64(digest, ctx->state[i]);
185
186	11.8k	if (leftover)
187	496	{
188		/* Truncate to the right size */
189	496	uint64_t word = ctx->state[i] >> (8*(8 - leftover));
190
191	2.20k	do {
192	2.20k	digest[--leftover] = word & 0xff;
193	2.20k	word >>= 8;
194	2.20k	} while (leftover);
195	496	}
196	11.8k	}
197
198		void
199		sha512_digest(struct sha512_ctx *ctx,
200		size_t length,
201		uint8_t *digest)
202	4.62k	{
203	4.62k	assert(length <= SHA512_DIGEST_SIZE);
204
205	4.62k	sha512_write_digest(ctx, length, digest);
206	4.62k	sha512_init(ctx);
207	4.62k	}
208
209		/* sha384 variant. */
210		void
211		sha384_init(struct sha512_ctx *ctx)
212	14.3k	{
213		/* Initial values, generated by the gp script
214		{
215		for (i = 9,16,
216		root = prime(i)^(1/2);
217		fraction = root - floor(root);
218		print(floor(2^64 * fraction));
219		);
220		}
221		. */
222	14.3k	static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
223	14.3k	{
224	14.3k	0xCBBB9D5DC1059ED8ULL, 0x629A292A367CD507ULL,
225	14.3k	0x9159015A3070DD17ULL, 0x152FECD8F70E5939ULL,
226	14.3k	0x67332667FFC00B31ULL, 0x8EB44A8768581511ULL,
227	14.3k	0xDB0C2E0D64F98FA7ULL, 0x47B5481DBEFA4FA4ULL,
228	14.3k	};
229
230	14.3k	memcpy(ctx->state, H0, sizeof(H0));
231
232		/* Initialize bit count */
233	14.3k	ctx->count_low = ctx->count_high = 0;
234
235		/* Initialize buffer */
236	14.3k	ctx->index = 0;
237	14.3k	}
238
239		void
240		sha384_digest(struct sha512_ctx *ctx,
241		size_t length,
242		uint8_t *digest)
243	7.22k	{
244	7.22k	assert(length <= SHA384_DIGEST_SIZE);
245
246	7.22k	sha512_write_digest(ctx, length, digest);
247	7.22k	sha384_init(ctx);
248	7.22k	}
249
250
251		/* sha-512/224 variant. */
252		void
253		sha512_224_init(struct sha512_224_ctx *ctx)
254	0	{
255	0	static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
256	0	{
257	0	0x8c3d37c819544da2ULL, 0x73e1996689dcd4d6ULL,
258	0	0x1dfab7ae32ff9c82ULL, 0x679dd514582f9fcfULL,
259	0	0x0f6d2b697bd44da8ULL, 0x77e36f7304c48942ULL,
260	0	0x3f9d85a86a1d36c8ULL, 0x1112e6ad91d692a1ULL,
261	0	};
262
263	0	memcpy(ctx->state, H0, sizeof(H0));
264
265		/* Initialize bit count */
266	0	ctx->count_low = ctx->count_high = 0;
267
268		/* Initialize buffer */
269	0	ctx->index = 0;
270	0	}
271
272		void
273		sha512_224_digest(struct sha512_224_ctx *ctx,
274		size_t length,
275		uint8_t *digest)
276	0	{
277	0	assert(length <= SHA224_DIGEST_SIZE);
278
279	0	sha512_write_digest(ctx, length, digest);
280	0	sha512_224_init(ctx);
281	0	}
282
283
284		/* sha-512/256 variant. */
285		void
286		sha512_256_init(struct sha512_256_ctx *ctx)
287	0	{
288	0	static const uint64_t H0[_SHA512_DIGEST_LENGTH] =
289	0	{
290	0	0x22312194fc2bf72cULL, 0x9f555fa3c84c64c2ULL,
291	0	0x2393b86b6f53b151ULL, 0x963877195940eabdULL,
292	0	0x96283ee2a88effe3ULL, 0xbe5e1e2553863992ULL,
293	0	0x2b0199fc2c85b8aaULL, 0x0eb72ddc81c52ca2ULL,
294	0	};
295
296	0	memcpy(ctx->state, H0, sizeof(H0));
297
298		/* Initialize bit count */
299	0	ctx->count_low = ctx->count_high = 0;
300
301		/* Initialize buffer */
302	0	ctx->index = 0;
303	0	}
304
305		void
306		sha512_256_digest(struct sha512_256_ctx *ctx,
307		size_t length,
308		uint8_t *digest)
309	0	{
310	0	assert(length <= SHA256_DIGEST_SIZE);
311
312	0	sha512_write_digest(ctx, length, digest);
313	0	sha512_256_init(ctx);
314	0	}
315
316		void
317		sha512_compress(uint64_t state, const uint8_t input)
318	17.0k	{
319	17.0k	_nettle_sha512_compress(state, input, K);
320	17.0k	}