source: azure_iot_hub_f767zi/trunk/azure_iot_sdk/c-utility/src/sha384-512.c@ 464

Last change on this file since 464 was 464, checked in by coas-nagasima, 3 years ago

WolfSSLとAzure IoT SDKを更新
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-csrc;charset=UTF-8
File size: 36.7 KB
Line 
1// Copyright (c) Microsoft. All rights reserved.
2// Licensed under the MIT license. See LICENSE file in the project root for full license information.
3
4/*************************** sha384-512.c ***************************/
5/********************* See RFC 4634 for details *********************/
6/*
7* Description:
8* This file implements the Secure Hash Signature Standard
9* algorithms as defined in the National Institute of Standards
10* and Technology Federal Information Processing Standards
11* Publication (FIPS PUB) 180-1 published on April 17, 1995, 180-2
12* published on August 1, 2002, and the FIPS PUB 180-2 Change
13* Notice published on February 28, 2004.
14*
15* A combined document showing all algorithms is available at
16* http://csrc.nist.gov/publications/fips/
17* fips180-2/fips180-2withchangenotice.pdf
18*
19* The SHA-384 and SHA-512 algorithms produce 384-bit and 512-bit
20* message digests for a given data stream. It should take about
21* 2**n steps to find a message with the same digest as a given
22* message and 2**(n/2) to find any two messages with the same
23* digest, when n is the digest size in bits. Therefore, this
24* algorithm can serve as a means of providing a
25* "fingerprint" for a message.
26*
27* Portability Issues:
28* SHA-384 and SHA-512 are defined in terms of 64-bit "words",
29* but if USE_32BIT_ONLY is #defined, this code is implemented in
30* terms of 32-bit "words". This code uses <stdint.h> (included
31* via "sha.h") to define the 64, 32 and 8 bit unsigned integer
32* types. If your C compiler does not support 64 bit unsigned
33* integers, and you do not #define USE_32BIT_ONLY, this code is
34* not appropriate.
35*
36* Caveats:
37* SHA-384 and SHA-512 are designed to work with messages less
38* than 2^128 bits long. This implementation uses
39* SHA384/512Input() to hash the bits that are a multiple of the
40* size of an 8-bit character, and then uses SHA384/256FinalBits()
41* to hash the final few bits of the input.
42*
43*/
44
45#include <stdlib.h>
46#include "azure_c_shared_utility/gballoc.h"
47
48#include "azure_c_shared_utility/sha.h"
49#include "azure_c_shared_utility/sha-private.h"
50
51#ifdef USE_32BIT_ONLY
52#error IoTHubClient does not support USE_32BIT_ONLY flag
53/*
54* Define 64-bit arithmetic in terms of 32-bit arithmetic.
55* Each 64-bit number is represented in a 2-word array.
56* All macros are defined such that the result is the last parameter.
57*/
58
59/*
60* Define shift, rotate left and rotate right functions
61*/
62#define SHA512_SHR(bits, word, ret) ( \
63 /* (((uint64_t)((word))) >> (bits)) */ \
64 (ret)[0] = (((bits) < 32) && ((bits) >= 0)) ? \
65 ((word)[0] >> (bits)) : 0, \
66 (ret)[1] = ((bits) > 32) ? ((word)[0] >> ((bits) - 32)) : \
67 ((bits) == 32) ? (word)[0] : \
68 ((bits) >= 0) ? \
69 (((word)[0] << (32 - (bits))) | \
70 ((word)[1] >> (bits))) : 0 )
71
72#define SHA512_SHL(bits, word, ret) ( \
73 /* (((uint64_t)(word)) << (bits)) */ \
74 (ret)[0] = ((bits) > 32) ? ((word)[1] << ((bits) - 32)) : \
75 ((bits) == 32) ? (word)[1] : \
76 ((bits) >= 0) ? \
77 (((word)[0] << (bits)) | \
78 ((word)[1] >> (32 - (bits)))) : \
790, \
80(ret)[1] = (((bits) < 32) && ((bits) >= 0)) ? \
81((word)[1] << (bits)) : 0)
82
83/*
84* Define 64-bit OR
85*/
86#define SHA512_OR(word1, word2, ret) ( \
87 (ret)[0] = (word1)[0] | (word2)[0], \
88 (ret)[1] = (word1)[1] | (word2)[1] )
89
90/*
91* Define 64-bit XOR
92*/
93#define SHA512_XOR(word1, word2, ret) ( \
94 (ret)[0] = (word1)[0] ^ (word2)[0], \
95 (ret)[1] = (word1)[1] ^ (word2)[1] )
96
97/*
98* Define 64-bit AND
99*/
100#define SHA512_AND(word1, word2, ret) ( \
101 (ret)[0] = (word1)[0] & (word2)[0], \
102 (ret)[1] = (word1)[1] & (word2)[1] )
103
104/*
105* Define 64-bit TILDA
106*/
107#define SHA512_TILDA(word, ret) \
108 ( (ret)[0] = ~(word)[0], (ret)[1] = ~(word)[1] )
109
110/*
111* Define 64-bit ADD
112*/
113#define SHA512_ADD(word1, word2, ret) ( \
114 (ret)[1] = (word1)[1], (ret)[1] += (word2)[1], \
115 (ret)[0] = (word1)[0] + (word2)[0] + ((ret)[1] < (word1)[1]) )
116
117/*
118* Add the 4word value in word2 to word1.
119*/
120static uint32_t ADDTO4_temp, ADDTO4_temp2;
121#define SHA512_ADDTO4(word1, word2) ( \
122 ADDTO4_temp = (word1)[3], \
123 (word1)[3] += (word2)[3], \
124 ADDTO4_temp2 = (word1)[2], \
125 (word1)[2] += (word2)[2] + ((word1)[3] < ADDTO4_temp), \
126 ADDTO4_temp = (word1)[1], \
127(word1)[1] += (word2)[1] + ((word1)[2] < ADDTO4_temp2), \
128(word1)[0] += (word2)[0] + ((word1)[1] < ADDTO4_temp))
129
130/*
131* Add the 2word value in word2 to word1.
132*/
133static uint32_t ADDTO2_temp;
134#define SHA512_ADDTO2(word1, word2) ( \
135 ADDTO2_temp = (word1)[1], \
136 (word1)[1] += (word2)[1], \
137 (word1)[0] += (word2)[0] + ((word1)[1] < ADDTO2_temp) )
138
139/*
140* SHA rotate ((word >> bits) | (word << (64-bits)))
141*/
142static uint32_t ROTR_temp1[2], ROTR_temp2[2];
143#define SHA512_ROTR(bits, word, ret) ( \
144 SHA512_SHR((bits), (word), ROTR_temp1), \
145 SHA512_SHL(64-(bits), (word), ROTR_temp2), \
146 SHA512_OR(ROTR_temp1, ROTR_temp2, (ret)) )
147
148/*
149* Define the SHA SIGMA and sigma macros
150* SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word)
151*/
152static uint32_t SIGMA0_temp1[2], SIGMA0_temp2[2],
153SIGMA0_temp3[2], SIGMA0_temp4[2];
154#define SHA512_SIGMA0(word, ret) ( \
155 SHA512_ROTR(28, (word), SIGMA0_temp1), \
156 SHA512_ROTR(34, (word), SIGMA0_temp2), \
157 SHA512_ROTR(39, (word), SIGMA0_temp3), \
158 SHA512_XOR(SIGMA0_temp2, SIGMA0_temp3, SIGMA0_temp4), \
159 SHA512_XOR(SIGMA0_temp1, SIGMA0_temp4, (ret)) )
160
161/*
162* SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word)
163*/
164static uint32_t SIGMA1_temp1[2], SIGMA1_temp2[2],
165SIGMA1_temp3[2], SIGMA1_temp4[2];
166#define SHA512_SIGMA1(word, ret) ( \
167 SHA512_ROTR(14, (word), SIGMA1_temp1), \
168 SHA512_ROTR(18, (word), SIGMA1_temp2), \
169 SHA512_ROTR(41, (word), SIGMA1_temp3), \
170 SHA512_XOR(SIGMA1_temp2, SIGMA1_temp3, SIGMA1_temp4), \
171 SHA512_XOR(SIGMA1_temp1, SIGMA1_temp4, (ret)) )
172
173/*
174* (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
175*/
176static uint32_t sigma0_temp1[2], sigma0_temp2[2],
177sigma0_temp3[2], sigma0_temp4[2];
178#define SHA512_sigma0(word, ret) ( \
179 SHA512_ROTR( 1, (word), sigma0_temp1), \
180 SHA512_ROTR( 8, (word), sigma0_temp2), \
181 SHA512_SHR( 7, (word), sigma0_temp3), \
182 SHA512_XOR(sigma0_temp2, sigma0_temp3, sigma0_temp4), \
183 SHA512_XOR(sigma0_temp1, sigma0_temp4, (ret)) )
184
185/*
186* (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
187*/
188static uint32_t sigma1_temp1[2], sigma1_temp2[2],
189sigma1_temp3[2], sigma1_temp4[2];
190#define SHA512_sigma1(word, ret) ( \
191 SHA512_ROTR(19, (word), sigma1_temp1), \
192 SHA512_ROTR(61, (word), sigma1_temp2), \
193 SHA512_SHR( 6, (word), sigma1_temp3), \
194 SHA512_XOR(sigma1_temp2, sigma1_temp3, sigma1_temp4), \
195 SHA512_XOR(sigma1_temp1, sigma1_temp4, (ret)) )
196
197#undef SHA_Ch
198#undef SHA_Maj
199
200#ifndef USE_MODIFIED_MACROS
201/*
202* These definitions are the ones used in FIPS-180-2, section 4.1.3
203* Ch(x,y,z) ((x & y) ^ (~x & z))
204*/
205static uint32_t Ch_temp1[2], Ch_temp2[2], Ch_temp3[2];
206#define SHA_Ch(x, y, z, ret) ( \
207 SHA512_AND(x, y, Ch_temp1), \
208 SHA512_TILDA(x, Ch_temp2), \
209 SHA512_AND(Ch_temp2, z, Ch_temp3), \
210 SHA512_XOR(Ch_temp1, Ch_temp3, (ret)) )
211/*
212* Maj(x,y,z) (((x)&(y)) ^ ((x)&(z)) ^ ((y)&(z)))
213*/
214static uint32_t Maj_temp1[2], Maj_temp2[2],
215Maj_temp3[2], Maj_temp4[2];
216#define SHA_Maj(x, y, z, ret) ( \
217 SHA512_AND(x, y, Maj_temp1), \
218 SHA512_AND(x, z, Maj_temp2), \
219 SHA512_AND(y, z, Maj_temp3), \
220 SHA512_XOR(Maj_temp2, Maj_temp3, Maj_temp4), \
221 SHA512_XOR(Maj_temp1, Maj_temp4, (ret)) )
222
223#else /* !USE_32BIT_ONLY */
224/*
225* These definitions are potentially faster equivalents for the ones
226* used in FIPS-180-2, section 4.1.3.
227* ((x & y) ^ (~x & z)) becomes
228* ((x & (y ^ z)) ^ z)
229*/
230#define SHA_Ch(x, y, z, ret) ( \
231 (ret)[0] = (((x)[0] & ((y)[0] ^ (z)[0])) ^ (z)[0]), \
232 (ret)[1] = (((x)[1] & ((y)[1] ^ (z)[1])) ^ (z)[1]) )
233
234/*
235* ((x & y) ^ (x & z) ^ (y & z)) becomes
236* ((x & (y | z)) | (y & z))
237*/
238#define SHA_Maj(x, y, z, ret) ( \
239 ret[0] = (((x)[0] & ((y)[0] | (z)[0])) | ((y)[0] & (z)[0])), \
240 ret[1] = (((x)[1] & ((y)[1] | (z)[1])) | ((y)[1] & (z)[1])) )
241#endif /* USE_MODIFIED_MACROS */
242
243/*
244* add "length" to the length
245*/
246static uint32_t addTemp[4] = { 0, 0, 0, 0 };
247#define SHA384_512AddLength(context, length) ( \
248 addTemp[3] = (length), SHA512_ADDTO4((context)->Length, addTemp), \
249 (context)->Corrupted = (((context)->Length[3] == 0) && \
250 ((context)->Length[2] == 0) && ((context)->Length[1] == 0) && \
251 ((context)->Length[0] < 8)) ? 1 : 0 )
252
253/* Local Function Prototypes */
254static void SHA384_512Finalize(SHA512Context *context,
255 uint8_t Pad_Byte);
256static void SHA384_512PadMessage(SHA512Context *context,
257 uint8_t Pad_Byte);
258static void SHA384_512ProcessMessageBlock(SHA512Context *context);
259static int SHA384_512Reset(SHA512Context *context, uint32_t H0[]);
260static int SHA384_512ResultN(SHA512Context *context,
261 uint8_t Message_Digest[], int HashSize);
262
263/* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */
264static uint32_t SHA384_H0[SHA512HashSize / 4] = {
265 0xCBBB9D5D, 0xC1059ED8, 0x629A292A, 0x367CD507, 0x9159015A,
266 0x3070DD17, 0x152FECD8, 0xF70E5939, 0x67332667, 0xFFC00B31,
267 0x8EB44A87, 0x68581511, 0xDB0C2E0D, 0x64F98FA7, 0x47B5481D,
268 0xBEFA4FA4
269};
270
271static uint32_t SHA512_H0[SHA512HashSize / 4] = {
272 0x6A09E667, 0xF3BCC908, 0xBB67AE85, 0x84CAA73B, 0x3C6EF372,
273 0xFE94F82B, 0xA54FF53A, 0x5F1D36F1, 0x510E527F, 0xADE682D1,
274 0x9B05688C, 0x2B3E6C1F, 0x1F83D9AB, 0xFB41BD6B, 0x5BE0CD19,
275 0x137E2179
276};
277
278#else /* !USE_32BIT_ONLY */
279
280/* Define the SHA shift, rotate left and rotate right macro */
281#define SHA512_SHR(bits,word) (((uint64_t)(word)) >> (bits))
282#define SHA512_ROTR(bits,word) ((((uint64_t)(word)) >> (bits)) | \
283 (((uint64_t)(word)) << (64-(bits))))
284
285/* Define the SHA SIGMA and sigma macros */
286#define SHA512_SIGMA0(word) \
287 (SHA512_ROTR(28,word) ^ SHA512_ROTR(34,word) ^ SHA512_ROTR(39,word))
288#define SHA512_SIGMA1(word) \
289 (SHA512_ROTR(14,word) ^ SHA512_ROTR(18,word) ^ SHA512_ROTR(41,word))
290#define SHA512_sigma0(word) \
291 (SHA512_ROTR( 1,word) ^ SHA512_ROTR( 8,word) ^ SHA512_SHR( 7,word))
292#define SHA512_sigma1(word) \
293 (SHA512_ROTR(19,word) ^ SHA512_ROTR(61,word) ^ SHA512_SHR( 6,word))
294
295/*
296* add "length" to the length
297*/
298#define SHA384_512AddLength(context, length) \
299 (addTemp = context->Length_Low, context->Corrupted = \
300 ((context->Length_Low += length) < addTemp) && \
301 (++context->Length_High == 0) ? 1 : 0)
302
303/* Local Function Prototypes */
304static void SHA384_512Finalize(SHA512Context *context,
305 uint8_t Pad_Byte);
306static void SHA384_512PadMessage(SHA512Context *context,
307 uint8_t Pad_Byte);
308static void SHA384_512ProcessMessageBlock(SHA512Context *context);
309static int SHA384_512Reset(SHA512Context *context, uint64_t H0[]);
310static int SHA384_512ResultN(SHA512Context *context,
311 uint8_t Message_Digest[], int HashSize);
312
313/* Initial Hash Values: FIPS-180-2 sections 5.3.3 and 5.3.4 */
314static uint64_t SHA384_H0[] = {
315 0xCBBB9D5DC1059ED8ull, 0x629A292A367CD507ull, 0x9159015A3070DD17ull,
316 0x152FECD8F70E5939ull, 0x67332667FFC00B31ull, 0x8EB44A8768581511ull,
317 0xDB0C2E0D64F98FA7ull, 0x47B5481DBEFA4FA4ull
318};
319static uint64_t SHA512_H0[] = {
320 0x6A09E667F3BCC908ull, 0xBB67AE8584CAA73Bull, 0x3C6EF372FE94F82Bull,
321 0xA54FF53A5F1D36F1ull, 0x510E527FADE682D1ull, 0x9B05688C2B3E6C1Full,
322 0x1F83D9ABFB41BD6Bull, 0x5BE0CD19137E2179ull
323};
324
325#endif /* USE_32BIT_ONLY */
326
327/*
328* SHA384Reset
329*
330* Description:
331* This function will initialize the SHA384Context in preparation
332* for computing a new SHA384 message digest.
333*
334* Parameters:
335* context: [in/out]
336* The context to reset.
337*
338* Returns:
339* sha Error Code.
340*
341*/
342int SHA384Reset(SHA384Context *context)
343{
344 return SHA384_512Reset(context, SHA384_H0);
345}
346
347/*
348* SHA384Input
349*
350* Description:
351* This function accepts an array of octets as the next portion
352* of the message.
353*
354* Parameters:
355* context: [in/out]
356* The SHA context to update
357* message_array: [in]
358* An array of characters representing the next portion of
359* the message.
360* length: [in]
361* The length of the message in message_array
362*
363* Returns:
364* sha Error Code.
365*
366*/
367int SHA384Input(SHA384Context *context,
368 const uint8_t *message_array, unsigned int length)
369{
370 return SHA512Input(context, message_array, length);
371}
372
373/*
374* SHA384FinalBits
375*
376* Description:
377* This function will add in any final bits of the message.
378*
379* Parameters:
380* context: [in/out]
381* The SHA context to update
382* message_bits: [in]
383* The final bits of the message, in the upper portion of the
384* byte. (Use 0b###00000 instead of 0b00000### to input the
385* three bits ###.)
386* length: [in]
387* The number of bits in message_bits, between 1 and 7.
388*
389* Returns:
390* sha Error Code.
391*
392*/
393int SHA384FinalBits(SHA384Context *context,
394 const uint8_t message_bits, unsigned int length)
395{
396 return SHA512FinalBits(context, message_bits, length);
397}
398
399/*
400* SHA384Result
401*
402* Description:
403* This function will return the 384-bit message
404* digest into the Message_Digest array provided by the caller.
405* NOTE: The first octet of hash is stored in the 0th element,
406* the last octet of hash in the 48th element.
407*
408* Parameters:
409* context: [in/out]
410* The context to use to calculate the SHA hash.
411* Message_Digest: [out]
412* Where the digest is returned.
413*
414* Returns:
415* sha Error Code.
416*
417*/
418int SHA384Result(SHA384Context *context,
419 uint8_t Message_Digest[SHA384HashSize])
420{
421 return SHA384_512ResultN(context, Message_Digest, SHA384HashSize);
422}
423
424/*
425* SHA512Reset
426*
427* Description:
428* This function will initialize the SHA512Context in preparation
429* for computing a new SHA512 message digest.
430*
431* Parameters:
432* context: [in/out]
433* The context to reset.
434*
435* Returns:
436* sha Error Code.
437*
438*/
439int SHA512Reset(SHA512Context *context)
440{
441 return SHA384_512Reset(context, SHA512_H0);
442}
443
444/*
445* SHA512Input
446*
447* Description:
448* This function accepts an array of octets as the next portion
449* of the message.
450*
451* Parameters:
452* context: [in/out]
453* The SHA context to update
454* message_array: [in]
455* An array of characters representing the next portion of
456* the message.
457* length: [in]
458* The length of the message in message_array
459*
460* Returns:
461* sha Error Code.
462*
463*/
464int SHA512Input(SHA512Context *context,
465 const uint8_t *message_array,
466 unsigned int length)
467{
468 uint64_t addTemp;
469 if (!length)
470 return shaSuccess;
471
472 if (length > (sizeof(context->Message_Block) / sizeof(context->Message_Block[0])))
473 return shaBadParam;
474
475 if (!context || !message_array)
476 return shaNull;
477
478 if (context->Computed) {
479 context->Corrupted = shaStateError;
480 return shaStateError;
481 }
482
483 if (context->Corrupted)
484 return context->Corrupted;
485
486 while (length-- && !context->Corrupted) {
487 context->Message_Block[context->Message_Block_Index++] =
488 (*message_array & 0xFF);
489
490 if (!SHA384_512AddLength(context, 8) &&
491 (context->Message_Block_Index == SHA512_Message_Block_Size))
492 SHA384_512ProcessMessageBlock(context);
493
494 message_array++;
495 }
496
497 return shaSuccess;
498}
499
500/*
501* SHA512FinalBits
502*
503* Description:
504* This function will add in any final bits of the message.
505*
506* Parameters:
507* context: [in/out]
508* The SHA context to update
509* message_bits: [in]
510* The final bits of the message, in the upper portion of the
511* byte. (Use 0b###00000 instead of 0b00000### to input the
512* three bits ###.)
513* length: [in]
514* The number of bits in message_bits, between 1 and 7.
515*
516* Returns:
517* sha Error Code.
518*
519*/
520int SHA512FinalBits(SHA512Context *context,
521 const uint8_t message_bits, unsigned int length)
522{
523 uint64_t addTemp;
524 uint8_t masks[8] = {
525 /* 0 0b00000000 */ 0x00, /* 1 0b10000000 */ 0x80,
526 /* 2 0b11000000 */ 0xC0, /* 3 0b11100000 */ 0xE0,
527 /* 4 0b11110000 */ 0xF0, /* 5 0b11111000 */ 0xF8,
528 /* 6 0b11111100 */ 0xFC, /* 7 0b11111110 */ 0xFE
529 };
530 uint8_t markbit[8] = {
531 /* 0 0b10000000 */ 0x80, /* 1 0b01000000 */ 0x40,
532 /* 2 0b00100000 */ 0x20, /* 3 0b00010000 */ 0x10,
533 /* 4 0b00001000 */ 0x08, /* 5 0b00000100 */ 0x04,
534 /* 6 0b00000010 */ 0x02, /* 7 0b00000001 */ 0x01
535 };
536
537 if (!length)
538 return shaSuccess;
539
540 if (!context)
541 return shaNull;
542
543 if ((context->Computed) || (length >= 8) || (length == 0)) {
544 context->Corrupted = shaStateError;
545 return shaStateError;
546 }
547
548 if (context->Corrupted)
549 return context->Corrupted;
550
551 SHA384_512AddLength(context, length);
552 SHA384_512Finalize(context, (uint8_t)
553 ((message_bits & masks[length]) | markbit[length]));
554
555 return shaSuccess;
556}
557
558/*
559* SHA384_512Finalize
560*
561* Description:
562* This helper function finishes off the digest calculations.
563*
564* Parameters:
565* context: [in/out]
566* The SHA context to update
567* Pad_Byte: [in]
568* The last byte to add to the digest before the 0-padding
569* and length. This will contain the last bits of the message
570* followed by another single bit. If the message was an
571* exact multiple of 8-bits long, Pad_Byte will be 0x80.
572*
573* Returns:
574* sha Error Code.
575*
576*/
577static void SHA384_512Finalize(SHA512Context *context,
578 uint8_t Pad_Byte)
579{
580 int_least16_t i;
581 SHA384_512PadMessage(context, Pad_Byte);
582 /* message may be sensitive, clear it out */
583 for (i = 0; i < SHA512_Message_Block_Size; ++i)
584 context->Message_Block[i] = 0;
585#ifdef USE_32BIT_ONLY /* and clear length */
586 context->Length[0] = context->Length[1] = 0;
587 context->Length[2] = context->Length[3] = 0;
588#else /* !USE_32BIT_ONLY */
589 context->Length_Low = 0;
590 context->Length_High = 0;
591#endif /* USE_32BIT_ONLY */
592 context->Computed = 1;
593}
594
595/*
596* SHA512Result
597*
598* Description:
599* This function will return the 512-bit message
600* digest into the Message_Digest array provided by the caller.
601* NOTE: The first octet of hash is stored in the 0th element,
602* the last octet of hash in the 64th element.
603*
604* Parameters:
605* context: [in/out]
606* The context to use to calculate the SHA hash.
607* Message_Digest: [out]
608* Where the digest is returned.
609*
610* Returns:
611* sha Error Code.
612*
613*/
614int SHA512Result(SHA512Context *context,
615 uint8_t Message_Digest[SHA512HashSize])
616{
617 return SHA384_512ResultN(context, Message_Digest, SHA512HashSize);
618}
619
620/*
621* SHA384_512PadMessage
622*
623* Description:
624* According to the standard, the message must be padded to an
625* even 1024 bits. The first padding bit must be a '1'. The
626* last 128 bits represent the length of the original message.
627* All bits in between should be 0. This helper function will
628* pad the message according to those rules by filling the
629* Message_Block array accordingly. When it returns, it can be
630* assumed that the message digest has been computed.
631*
632* Parameters:
633* context: [in/out]
634* The context to pad
635* Pad_Byte: [in]
636* The last byte to add to the digest before the 0-padding
637* and length. This will contain the last bits of the message
638* followed by another single bit. If the message was an
639* exact multiple of 8-bits long, Pad_Byte will be 0x80.
640*
641* Returns:
642* Nothing.
643*
644*/
645static void SHA384_512PadMessage(SHA512Context *context,
646 uint8_t Pad_Byte)
647{
648 /*
649 * Check to see if the current message block is too small to hold
650 * the initial padding bits and length. If so, we will pad the
651 * block, process it, and then continue padding into a second
652 * block.
653 */
654 if (context->Message_Block_Index >= (SHA512_Message_Block_Size - 16)) {
655 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
656 while (context->Message_Block_Index < SHA512_Message_Block_Size)
657 context->Message_Block[context->Message_Block_Index++] = 0;
658
659 SHA384_512ProcessMessageBlock(context);
660 }
661 else
662 context->Message_Block[context->Message_Block_Index++] = Pad_Byte;
663
664 while (context->Message_Block_Index < (SHA512_Message_Block_Size - 16))
665 context->Message_Block[context->Message_Block_Index++] = 0;
666
667 /*
668 * Store the message length as the last 16 octets
669 */
670#ifdef USE_32BIT_ONLY
671 context->Message_Block[112] = (uint8_t)(context->Length[0] >> 24);
672 context->Message_Block[113] = (uint8_t)(context->Length[0] >> 16);
673 context->Message_Block[114] = (uint8_t)(context->Length[0] >> 8);
674 context->Message_Block[115] = (uint8_t)(context->Length[0]);
675 context->Message_Block[116] = (uint8_t)(context->Length[1] >> 24);
676 context->Message_Block[117] = (uint8_t)(context->Length[1] >> 16);
677 context->Message_Block[118] = (uint8_t)(context->Length[1] >> 8);
678 context->Message_Block[119] = (uint8_t)(context->Length[1]);
679
680 context->Message_Block[120] = (uint8_t)(context->Length[2] >> 24);
681 context->Message_Block[121] = (uint8_t)(context->Length[2] >> 16);
682 context->Message_Block[122] = (uint8_t)(context->Length[2] >> 8);
683 context->Message_Block[123] = (uint8_t)(context->Length[2]);
684 context->Message_Block[124] = (uint8_t)(context->Length[3] >> 24);
685 context->Message_Block[125] = (uint8_t)(context->Length[3] >> 16);
686 context->Message_Block[126] = (uint8_t)(context->Length[3] >> 8);
687 context->Message_Block[127] = (uint8_t)(context->Length[3]);
688#else /* !USE_32BIT_ONLY */
689 context->Message_Block[112] = (uint8_t)(context->Length_High >> 56);
690 context->Message_Block[113] = (uint8_t)(context->Length_High >> 48);
691 context->Message_Block[114] = (uint8_t)(context->Length_High >> 40);
692 context->Message_Block[115] = (uint8_t)(context->Length_High >> 32);
693 context->Message_Block[116] = (uint8_t)(context->Length_High >> 24);
694 context->Message_Block[117] = (uint8_t)(context->Length_High >> 16);
695 context->Message_Block[118] = (uint8_t)(context->Length_High >> 8);
696 context->Message_Block[119] = (uint8_t)(context->Length_High);
697
698 context->Message_Block[120] = (uint8_t)(context->Length_Low >> 56);
699 context->Message_Block[121] = (uint8_t)(context->Length_Low >> 48);
700 context->Message_Block[122] = (uint8_t)(context->Length_Low >> 40);
701 context->Message_Block[123] = (uint8_t)(context->Length_Low >> 32);
702 context->Message_Block[124] = (uint8_t)(context->Length_Low >> 24);
703 context->Message_Block[125] = (uint8_t)(context->Length_Low >> 16);
704 context->Message_Block[126] = (uint8_t)(context->Length_Low >> 8);
705 context->Message_Block[127] = (uint8_t)(context->Length_Low);
706#endif /* USE_32BIT_ONLY */
707
708 SHA384_512ProcessMessageBlock(context);
709}
710
711/*
712* SHA384_512ProcessMessageBlock
713*
714* Description:
715* This helper function will process the next 1024 bits of the
716* message stored in the Message_Block array.
717*
718* Parameters:
719* context: [in/out]
720* The SHA context to update
721*
722* Returns:
723* Nothing.
724*
725* Comments:
726* Many of the variable names in this code, especially the
727* single character names, were used because those were the
728* names used in the publication.
729*
730*
731*/
732static void SHA384_512ProcessMessageBlock(SHA512Context *context)
733{
734 /* Constants defined in FIPS-180-2, section 4.2.3 */
735#ifdef USE_32BIT_ONLY
736 static const uint32_t K[80 * 2] = {
737 0x428A2F98, 0xD728AE22, 0x71374491, 0x23EF65CD, 0xB5C0FBCF,
738 0xEC4D3B2F, 0xE9B5DBA5, 0x8189DBBC, 0x3956C25B, 0xF348B538,
739 0x59F111F1, 0xB605D019, 0x923F82A4, 0xAF194F9B, 0xAB1C5ED5,
740 0xDA6D8118, 0xD807AA98, 0xA3030242, 0x12835B01, 0x45706FBE,
741 0x243185BE, 0x4EE4B28C, 0x550C7DC3, 0xD5FFB4E2, 0x72BE5D74,
742 0xF27B896F, 0x80DEB1FE, 0x3B1696B1, 0x9BDC06A7, 0x25C71235,
743 0xC19BF174, 0xCF692694, 0xE49B69C1, 0x9EF14AD2, 0xEFBE4786,
744 0x384F25E3, 0x0FC19DC6, 0x8B8CD5B5, 0x240CA1CC, 0x77AC9C65,
745 0x2DE92C6F, 0x592B0275, 0x4A7484AA, 0x6EA6E483, 0x5CB0A9DC,
746 0xBD41FBD4, 0x76F988DA, 0x831153B5, 0x983E5152, 0xEE66DFAB,
747 0xA831C66D, 0x2DB43210, 0xB00327C8, 0x98FB213F, 0xBF597FC7,
748 0xBEEF0EE4, 0xC6E00BF3, 0x3DA88FC2, 0xD5A79147, 0x930AA725,
749 0x06CA6351, 0xE003826F, 0x14292967, 0x0A0E6E70, 0x27B70A85,
750 0x46D22FFC, 0x2E1B2138, 0x5C26C926, 0x4D2C6DFC, 0x5AC42AED,
751 0x53380D13, 0x9D95B3DF, 0x650A7354, 0x8BAF63DE, 0x766A0ABB,
752 0x3C77B2A8, 0x81C2C92E, 0x47EDAEE6, 0x92722C85, 0x1482353B,
753 0xA2BFE8A1, 0x4CF10364, 0xA81A664B, 0xBC423001, 0xC24B8B70,
754 0xD0F89791, 0xC76C51A3, 0x0654BE30, 0xD192E819, 0xD6EF5218,
755 0xD6990624, 0x5565A910, 0xF40E3585, 0x5771202A, 0x106AA070,
756 0x32BBD1B8, 0x19A4C116, 0xB8D2D0C8, 0x1E376C08, 0x5141AB53,
757 0x2748774C, 0xDF8EEB99, 0x34B0BCB5, 0xE19B48A8, 0x391C0CB3,
758 0xC5C95A63, 0x4ED8AA4A, 0xE3418ACB, 0x5B9CCA4F, 0x7763E373,
759 0x682E6FF3, 0xD6B2B8A3, 0x748F82EE, 0x5DEFB2FC, 0x78A5636F,
760 0x43172F60, 0x84C87814, 0xA1F0AB72, 0x8CC70208, 0x1A6439EC,
761 0x90BEFFFA, 0x23631E28, 0xA4506CEB, 0xDE82BDE9, 0xBEF9A3F7,
762 0xB2C67915, 0xC67178F2, 0xE372532B, 0xCA273ECE, 0xEA26619C,
763 0xD186B8C7, 0x21C0C207, 0xEADA7DD6, 0xCDE0EB1E, 0xF57D4F7F,
764 0xEE6ED178, 0x06F067AA, 0x72176FBA, 0x0A637DC5, 0xA2C898A6,
765 0x113F9804, 0xBEF90DAE, 0x1B710B35, 0x131C471B, 0x28DB77F5,
766 0x23047D84, 0x32CAAB7B, 0x40C72493, 0x3C9EBE0A, 0x15C9BEBC,
767 0x431D67C4, 0x9C100D4C, 0x4CC5D4BE, 0xCB3E42B6, 0x597F299C,
768 0xFC657E2A, 0x5FCB6FAB, 0x3AD6FAEC, 0x6C44198C, 0x4A475817
769 };
770 int t, t2, t8; /* Loop counter */
771 uint32_t temp1[2], temp2[2], /* Temporary word values */
772 temp3[2], temp4[2], temp5[2];
773 uint32_t W[2 * 80]; /* Word sequence */
774 uint32_t A[2], B[2], C[2], D[2], /* Word buffers */
775 E[2], F[2], G[2], H[2];
776
777 /* Initialize the first 16 words in the array W */
778 for (t = t2 = t8 = 0; t < 16; t++, t8 += 8) {
779 W[t2++] = ((((uint32_t)context->Message_Block[t8])) << 24) |
780 ((((uint32_t)context->Message_Block[t8 + 1])) << 16) |
781 ((((uint32_t)context->Message_Block[t8 + 2])) << 8) |
782 ((((uint32_t)context->Message_Block[t8 + 3])));
783 W[t2++] = ((((uint32_t)context->Message_Block[t8 + 4])) << 24) |
784 ((((uint32_t)context->Message_Block[t8 + 5])) << 16) |
785 ((((uint32_t)context->Message_Block[t8 + 6])) << 8) |
786 ((((uint32_t)context->Message_Block[t8 + 7])));
787 }
788
789 for (t = 16; t < 80; t++, t2 += 2) {
790 /* W[t] = SHA512_sigma1(W[t-2]) + W[t-7] +
791 SHA512_sigma0(W[t-15]) + W[t-16]; */
792 uint32_t *Wt2 = &W[t2 - 2 * 2];
793 uint32_t *Wt7 = &W[t2 - 7 * 2];
794 uint32_t *Wt15 = &W[t2 - 15 * 2];
795 uint32_t *Wt16 = &W[t2 - 16 * 2];
796 SHA512_sigma1(Wt2, temp1);
797 SHA512_ADD(temp1, Wt7, temp2);
798 SHA512_sigma0(Wt15, temp1);
799 SHA512_ADD(temp1, Wt16, temp3);
800 SHA512_ADD(temp2, temp3, &W[t2]);
801 }
802
803 A[0] = context->Intermediate_Hash[0];
804 A[1] = context->Intermediate_Hash[1];
805 B[0] = context->Intermediate_Hash[2];
806 B[1] = context->Intermediate_Hash[3];
807 C[0] = context->Intermediate_Hash[4];
808 C[1] = context->Intermediate_Hash[5];
809 D[0] = context->Intermediate_Hash[6];
810 D[1] = context->Intermediate_Hash[7];
811 E[0] = context->Intermediate_Hash[8];
812 E[1] = context->Intermediate_Hash[9];
813 F[0] = context->Intermediate_Hash[10];
814 F[1] = context->Intermediate_Hash[11];
815 G[0] = context->Intermediate_Hash[12];
816 G[1] = context->Intermediate_Hash[13];
817 H[0] = context->Intermediate_Hash[14];
818 H[1] = context->Intermediate_Hash[15];
819
820 for (t = t2 = 0; t < 80; t++, t2 += 2) {
821 /*
822 * temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E,F,G) + K[t] + W[t];
823 */
824 SHA512_SIGMA1(E, temp1);
825 SHA512_ADD(H, temp1, temp2);
826 SHA_Ch(E, F, G, temp3);
827 SHA512_ADD(temp2, temp3, temp4);
828 SHA512_ADD(&K[t2], &W[t2], temp5);
829 SHA512_ADD(temp4, temp5, temp1);
830 /*
831 * temp2 = SHA512_SIGMA0(A) + SHA_Maj(A,B,C);
832 */
833 SHA512_SIGMA0(A, temp3);
834 SHA_Maj(A, B, C, temp4);
835 SHA512_ADD(temp3, temp4, temp2);
836 H[0] = G[0]; H[1] = G[1];
837 G[0] = F[0]; G[1] = F[1];
838 F[0] = E[0]; F[1] = E[1];
839 SHA512_ADD(D, temp1, E);
840 D[0] = C[0]; D[1] = C[1];
841 C[0] = B[0]; C[1] = B[1];
842 B[0] = A[0]; B[1] = A[1];
843 SHA512_ADD(temp1, temp2, A);
844 }
845
846 SHA512_ADDTO2(&context->Intermediate_Hash[0], A);
847 SHA512_ADDTO2(&context->Intermediate_Hash[2], B);
848 SHA512_ADDTO2(&context->Intermediate_Hash[4], C);
849 SHA512_ADDTO2(&context->Intermediate_Hash[6], D);
850 SHA512_ADDTO2(&context->Intermediate_Hash[8], E);
851 SHA512_ADDTO2(&context->Intermediate_Hash[10], F);
852 SHA512_ADDTO2(&context->Intermediate_Hash[12], G);
853 SHA512_ADDTO2(&context->Intermediate_Hash[14], H);
854
855#else /* !USE_32BIT_ONLY */
856 static const uint64_t K[80] = {
857 0x428A2F98D728AE22ull, 0x7137449123EF65CDull, 0xB5C0FBCFEC4D3B2Full,
858 0xE9B5DBA58189DBBCull, 0x3956C25BF348B538ull, 0x59F111F1B605D019ull,
859 0x923F82A4AF194F9Bull, 0xAB1C5ED5DA6D8118ull, 0xD807AA98A3030242ull,
860 0x12835B0145706FBEull, 0x243185BE4EE4B28Cull, 0x550C7DC3D5FFB4E2ull,
861 0x72BE5D74F27B896Full, 0x80DEB1FE3B1696B1ull, 0x9BDC06A725C71235ull,
862 0xC19BF174CF692694ull, 0xE49B69C19EF14AD2ull, 0xEFBE4786384F25E3ull,
863 0x0FC19DC68B8CD5B5ull, 0x240CA1CC77AC9C65ull, 0x2DE92C6F592B0275ull,
864 0x4A7484AA6EA6E483ull, 0x5CB0A9DCBD41FBD4ull, 0x76F988DA831153B5ull,
865 0x983E5152EE66DFABull, 0xA831C66D2DB43210ull, 0xB00327C898FB213Full,
866 0xBF597FC7BEEF0EE4ull, 0xC6E00BF33DA88FC2ull, 0xD5A79147930AA725ull,
867 0x06CA6351E003826Full, 0x142929670A0E6E70ull, 0x27B70A8546D22FFCull,
868 0x2E1B21385C26C926ull, 0x4D2C6DFC5AC42AEDull, 0x53380D139D95B3DFull,
869 0x650A73548BAF63DEull, 0x766A0ABB3C77B2A8ull, 0x81C2C92E47EDAEE6ull,
870 0x92722C851482353Bull, 0xA2BFE8A14CF10364ull, 0xA81A664BBC423001ull,
871 0xC24B8B70D0F89791ull, 0xC76C51A30654BE30ull, 0xD192E819D6EF5218ull,
872 0xD69906245565A910ull, 0xF40E35855771202Aull, 0x106AA07032BBD1B8ull,
873 0x19A4C116B8D2D0C8ull, 0x1E376C085141AB53ull, 0x2748774CDF8EEB99ull,
874 0x34B0BCB5E19B48A8ull, 0x391C0CB3C5C95A63ull, 0x4ED8AA4AE3418ACBull,
875 0x5B9CCA4F7763E373ull, 0x682E6FF3D6B2B8A3ull, 0x748F82EE5DEFB2FCull,
876 0x78A5636F43172F60ull, 0x84C87814A1F0AB72ull, 0x8CC702081A6439ECull,
877 0x90BEFFFA23631E28ull, 0xA4506CEBDE82BDE9ull, 0xBEF9A3F7B2C67915ull,
878 0xC67178F2E372532Bull, 0xCA273ECEEA26619Cull, 0xD186B8C721C0C207ull,
879 0xEADA7DD6CDE0EB1Eull, 0xF57D4F7FEE6ED178ull, 0x06F067AA72176FBAull,
880 0x0A637DC5A2C898A6ull, 0x113F9804BEF90DAEull, 0x1B710B35131C471Bull,
881 0x28DB77F523047D84ull, 0x32CAAB7B40C72493ull, 0x3C9EBE0A15C9BEBCull,
882 0x431D67C49C100D4Cull, 0x4CC5D4BECB3E42B6ull, 0x597F299CFC657E2Aull,
883 0x5FCB6FAB3AD6FAECull, 0x6C44198C4A475817ull
884 };
885 int t, t8; /* Loop counter */
886 uint64_t temp1, temp2; /* Temporary word value */
887 uint64_t W[80]; /* Word sequence */
888 uint64_t A, B, C, D, E, F, G, H; /* Word buffers */
889
890 /*
891 * Initialize the first 16 words in the array W
892 */
893 for (t = t8 = 0; t < 16; t++, t8 += 8)
894 W[t] = ((uint64_t)(context->Message_Block[t8]) << 56) |
895 ((uint64_t)(context->Message_Block[t8 + 1]) << 48) |
896 ((uint64_t)(context->Message_Block[t8 + 2]) << 40) |
897 ((uint64_t)(context->Message_Block[t8 + 3]) << 32) |
898 ((uint64_t)(context->Message_Block[t8 + 4]) << 24) |
899 ((uint64_t)(context->Message_Block[t8 + 5]) << 16) |
900 ((uint64_t)(context->Message_Block[t8 + 6]) << 8) |
901 ((uint64_t)(context->Message_Block[t8 + 7]));
902
903 for (t = 16; t < 80; t++)
904 W[t] = SHA512_sigma1(W[t - 2]) + W[t - 7] +
905 SHA512_sigma0(W[t - 15]) + W[t - 16];
906
907 A = context->Intermediate_Hash[0];
908 B = context->Intermediate_Hash[1];
909 C = context->Intermediate_Hash[2];
910 D = context->Intermediate_Hash[3];
911 E = context->Intermediate_Hash[4];
912 F = context->Intermediate_Hash[5];
913 G = context->Intermediate_Hash[6];
914 H = context->Intermediate_Hash[7];
915
916 for (t = 0; t < 80; t++) {
917 temp1 = H + SHA512_SIGMA1(E) + SHA_Ch(E, F, G) + K[t] + W[t];
918 temp2 = SHA512_SIGMA0(A) + SHA_Maj(A, B, C);
919 H = G;
920 G = F;
921 F = E;
922 E = D + temp1;
923 D = C;
924 C = B;
925 B = A;
926 A = temp1 + temp2;
927 }
928
929 context->Intermediate_Hash[0] += A;
930 context->Intermediate_Hash[1] += B;
931 context->Intermediate_Hash[2] += C;
932 context->Intermediate_Hash[3] += D;
933 context->Intermediate_Hash[4] += E;
934 context->Intermediate_Hash[5] += F;
935 context->Intermediate_Hash[6] += G;
936 context->Intermediate_Hash[7] += H;
937#endif /* USE_32BIT_ONLY */
938
939 context->Message_Block_Index = 0;
940}
941
942/*
943* SHA384_512Reset
944*
945* Description:
946* This helper function will initialize the SHA512Context in
947* preparation for computing a new SHA384 or SHA512 message
948* digest.
949*
950* Parameters:
951* context: [in/out]
952* The context to reset.
953* H0
954* The initial hash value to use.
955*
956* Returns:
957* sha Error Code.
958*
959*/
960#ifdef USE_32BIT_ONLY
961static int SHA384_512Reset(SHA512Context *context, uint32_t H0[])
962#else /* !USE_32BIT_ONLY */
963static int SHA384_512Reset(SHA512Context *context, uint64_t H0[])
964#endif /* USE_32BIT_ONLY */
965{
966 int i;
967 if (!context)
968 return shaNull;
969
970 context->Message_Block_Index = 0;
971
972#ifdef USE_32BIT_ONLY
973 context->Length[0] = context->Length[1] = 0;
974 context->Length[2] = context->Length[3] = 0;
975
976 for (i = 0; i < SHA512HashSize / 4; i++)
977 context->Intermediate_Hash[i] = H0[i];
978#else /* !USE_32BIT_ONLY */
979 context->Length_High = context->Length_Low = 0;
980
981 for (i = 0; i < SHA512HashSize / 8; i++)
982 context->Intermediate_Hash[i] = H0[i];
983#endif /* USE_32BIT_ONLY */
984
985 context->Computed = 0;
986 context->Corrupted = 0;
987
988 return shaSuccess;
989}
990
991/*
992* SHA384_512ResultN
993*
994* Description:
995* This helper function will return the 384-bit or 512-bit message
996* digest into the Message_Digest array provided by the caller.
997* NOTE: The first octet of hash is stored in the 0th element,
998* the last octet of hash in the 48th/64th element.
999*
1000* Parameters:
1001* context: [in/out]
1002* The context to use to calculate the SHA hash.
1003* Message_Digest: [out]
1004* Where the digest is returned.
1005* HashSize: [in]
1006* The size of the hash, either 48 or 64.
1007*
1008* Returns:
1009* sha Error Code.
1010*
1011*/
1012static int SHA384_512ResultN(SHA512Context *context,
1013 uint8_t Message_Digest[], int HashSize)
1014{
1015 int i;
1016
1017#ifdef USE_32BIT_ONLY
1018 int i2;
1019#endif /* USE_32BIT_ONLY */
1020
1021 if (!context || !Message_Digest)
1022 return shaNull;
1023
1024 if (context->Corrupted)
1025 return context->Corrupted;
1026
1027 if (!context->Computed)
1028 SHA384_512Finalize(context, 0x80);
1029
1030#ifdef USE_32BIT_ONLY
1031 for (i = i2 = 0; i < HashSize;) {
1032 Message_Digest[i++] = (uint8_t)(context->Intermediate_Hash[i2] >> 24);
1033 Message_Digest[i++] = (uint8_t)(context->Intermediate_Hash[i2] >> 16);
1034 Message_Digest[i++] = (uint8_t)(context->Intermediate_Hash[i2] >> 8);
1035 Message_Digest[i++] = (uint8_t)(context->Intermediate_Hash[i2++]);
1036 Message_Digest[i++] = (uint8_t)(context->Intermediate_Hash[i2] >> 24);
1037 Message_Digest[i++] = (uint8_t)(context->Intermediate_Hash[i2] >> 16);
1038 Message_Digest[i++] = (uint8_t)(context->Intermediate_Hash[i2] >> 8);
1039 Message_Digest[i++] = (uint8_t)(context->Intermediate_Hash[i2++]);
1040 }
1041#else /* !USE_32BIT_ONLY */
1042 for (i = 0; i < HashSize; ++i)
1043 Message_Digest[i] = (uint8_t)
1044 (context->Intermediate_Hash[i >> 3] >> 8 * (7 - (i % 8)));
1045#endif /* USE_32BIT_ONLY */
1046
1047 return shaSuccess;
1048}
1049
Note: See TracBrowser for help on using the repository browser.