diff --git a/cipher/ChangeLog b/cipher/ChangeLog index 74a44a673..41c5a86e9 100644 --- a/cipher/ChangeLog +++ b/cipher/ChangeLog @@ -1,3 +1,10 @@ +2003-02-04 David Shaw + + * sha256.c, sha512.c: New. + + * Makefile.am, algorithms.h, md.c (load_digest_module, + string_to_digest_algo): Add read-only support for the new SHAs. + 2002-11-06 Stefan Bellon * rand-internal.h (rndriscos_gather_random): Added prototype. diff --git a/cipher/Makefile.am b/cipher/Makefile.am index c73cccd7e..4a228e0f6 100644 --- a/cipher/Makefile.am +++ b/cipher/Makefile.am @@ -51,7 +51,9 @@ libcipher_a_SOURCES = cipher.c \ rndw32.c \ md5.c \ rmd160.c \ - sha1.c + sha1.c \ + sha256.c \ + sha512.c EXTRA_libcipher_a_SOURCES = idea-stub.c tiger.c diff --git a/cipher/algorithms.h b/cipher/algorithms.h index 694a7e35c..9764ec758 100644 --- a/cipher/algorithms.h +++ b/cipher/algorithms.h @@ -22,8 +22,6 @@ const char *dynload_enum_module_names (int seq); - - const char * md5_get_info (int algo, size_t *contextsize, byte **r_asnoid, int *r_asnlen, int *r_mdlen, @@ -61,6 +59,32 @@ tiger_get_info (int algo, size_t *contextsize, byte *(**r_read)( void *c ) ); +const char * +sha256_get_info (int algo, size_t *contextsize, + byte **r_asnoid, int *r_asnlen, int *r_mdlen, + void (**r_init)( void *c ), + void (**r_write)( void *c, byte *buf, size_t nbytes ), + void (**r_final)( void *c ), + byte *(**r_read)( void *c ) + ); + +const char * +sha384_get_info (int algo, size_t *contextsize, + byte **r_asnoid, int *r_asnlen, int *r_mdlen, + void (**r_init)( void *c ), + void (**r_write)( void *c, byte *buf, size_t nbytes ), + void (**r_final)( void *c ), + byte *(**r_read)( void *c ) + ); + +const char * +sha512_get_info (int algo, size_t *contextsize, + byte **r_asnoid, int *r_asnlen, int *r_mdlen, + void (**r_init)( void *c ), + void (**r_write)( void *c, byte *buf, size_t nbytes ), + void (**r_final)( void *c ), + byte *(**r_read)( void *c ) + ); const char * des_get_info( int algo, size_t *keylen, diff --git a/cipher/md.c b/cipher/md.c index 34888b9a7..512f310fe 100644 --- a/cipher/md.c +++ b/cipher/md.c @@ -28,6 +28,7 @@ #include "cipher.h" #include "errors.h" #include "algorithms.h" +#include "i18n.h" /**************** * This structure is used for the list of available algorithms @@ -99,6 +100,12 @@ load_digest_module (void) if (!new_list_item (DIGEST_ALGO_TIGER, tiger_get_info)) BUG(); #endif + if (!new_list_item (DIGEST_ALGO_SHA512, sha512_get_info)) + BUG (); + if (!new_list_item (DIGEST_ALGO_SHA384, sha384_get_info)) + BUG (); + if (!new_list_item (DIGEST_ALGO_SHA256, sha256_get_info)) + BUG (); if (!new_list_item (DIGEST_ALGO_MD5, md5_get_info)) BUG (); if (!new_list_item (DIGEST_ALGO_RMD160, rmd160_get_info)) @@ -117,6 +124,22 @@ string_to_digest_algo( const char *string ) { struct md_digest_list_s *r; + /* Hi there. I see you changing that code so you can use the new + SHA hashes. Before you do it, please think about it. There + are no official releases of any OpenPGP programs that generate + these hashes, and we're trying to get a code base that can + understand the hashes before we release one that generates + them. - dshaw */ + + if(!ascii_strcasecmp("sha256",string) + || !ascii_strcasecmp("sha384",string) + || !ascii_strcasecmp("sha512",string)) + { + log_info(_("digest algorithm `%s' is read-only in this release\n"), + string); + return 0; + } + do { for(r = digest_list; r; r = r->next ) if( !ascii_strcasecmp( r->name, string ) ) diff --git a/cipher/sha256.c b/cipher/sha256.c new file mode 100644 index 000000000..73f211844 --- /dev/null +++ b/cipher/sha256.c @@ -0,0 +1,318 @@ +/* sha256.c - SHA256 hash function + * Copyright (C) 2003 Free Software Foundation, Inc. + * + * Please see below for more legal information! + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + + +/* Test vectors from FIPS-180-2: + * + * "abc" + * BA7816BF 8F01CFEA 414140DE 5DAE2223 B00361A3 96177A9C B410FF61 F20015AD + * + * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" + * 248D6A61 D20638B8 E5C02693 0C3E6039 A33CE459 64FF2167 F6ECEDD4 19DB06C1 + * + * "a" x 1000000 + * CDC76E5C 9914FB92 81A1C7E2 84D73E67 F1809A48 A497200E 046D39CC C7112CD0 + */ + + +#include +#include +#include "util.h" +#include "algorithms.h" + + +typedef struct { + u32 h0,h1,h2,h3,h4,h5,h6,h7; + u32 nblocks; + byte buf[64]; + int count; +} SHA256_CONTEXT; + +static void +burn_stack (int bytes) +{ + char buf[128]; + + wipememory(buf,sizeof buf); + bytes -= sizeof buf; + if (bytes > 0) + burn_stack (bytes); +} + + +void +sha256_init( SHA256_CONTEXT *hd ) +{ + hd->h0 = 0x6a09e667; + hd->h1 = 0xbb67ae85; + hd->h2 = 0x3c6ef372; + hd->h3 = 0xa54ff53a; + hd->h4 = 0x510e527f; + hd->h5 = 0x9b05688c; + hd->h6 = 0x1f83d9ab; + hd->h7 = 0x5be0cd19; + + hd->nblocks = 0; + hd->count = 0; +} + + +/**************** + * Transform the message w which consists of 16 32-bit words + */ +static void +transform( SHA256_CONTEXT *hd, byte *data ) +{ + u32 a,b,c,d,e,f,g,h; + u32 w[64]; + int t; + static const u32 k[]= + { + 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, + 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, + 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, + 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, + 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, + 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, + 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, + 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, + 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, + 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, + 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 + }; + + /* get values from the chaining vars */ + a = hd->h0; + b = hd->h1; + c = hd->h2; + d = hd->h3; + e = hd->h4; + f = hd->h5; + g = hd->h6; + h = hd->h7; + +#ifdef BIG_ENDIAN_HOST + memcpy( w, data, 64 ); +#else + { + int i; + byte *p2; + + for(i=0, p2=(byte*)w; i < 16; i++, p2 += 4 ) + { + p2[3] = *data++; + p2[2] = *data++; + p2[1] = *data++; + p2[0] = *data++; + } + } +#endif + +#define ROTR(x,n) (((x)>>(n)) | ((x)<<(32-(n)))) +#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +#define Sum0(x) (ROTR((x),2) ^ ROTR((x),13) ^ ROTR((x),22)) +#define Sum1(x) (ROTR((x),6) ^ ROTR((x),11) ^ ROTR((x),25)) +#define S0(x) (ROTR((x),7) ^ ROTR((x),18) ^ ((x)>>3)) +#define S1(x) (ROTR((x),17) ^ ROTR((x),19) ^ ((x)>>10)) + + for(t=16;t<64;t++) + w[t] = S1(w[t-2]) + w[t-7] + S0(w[t-15]) + w[t-16]; + + for(t=0;t<64;t++) + { + u32 t1,t2; + + t1=h+Sum1(e)+Ch(e,f,g)+k[t]+w[t]; + t2=Sum0(a)+Maj(a,b,c); + h=g; + g=f; + f=e; + e=d+t1; + d=c; + c=b; + b=a; + a=t1+t2; + /* printf("t=%d a=%08lX b=%08lX c=%08lX d=%08lX e=%08lX f=%08lX g=%08lX h=%08lX\n",t,a,b,c,d,e,f,g,h); */ + } + + /* update chaining vars */ + hd->h0 += a; + hd->h1 += b; + hd->h2 += c; + hd->h3 += d; + hd->h4 += e; + hd->h5 += f; + hd->h6 += g; + hd->h7 += h; +} + + +/* Update the message digest with the contents + * of INBUF with length INLEN. + */ +static void +sha256_write( SHA256_CONTEXT *hd, byte *inbuf, size_t inlen) +{ + if( hd->count == 64 ) { /* flush the buffer */ + transform( hd, hd->buf ); + burn_stack (328); + hd->count = 0; + hd->nblocks++; + } + if( !inbuf ) + return; + if( hd->count ) { + for( ; inlen && hd->count < 64; inlen-- ) + hd->buf[hd->count++] = *inbuf++; + sha256_write( hd, NULL, 0 ); + if( !inlen ) + return; + } + + while( inlen >= 64 ) { + transform( hd, inbuf ); + hd->count = 0; + hd->nblocks++; + inlen -= 64; + inbuf += 64; + } + burn_stack (328); + for( ; inlen && hd->count < 64; inlen-- ) + hd->buf[hd->count++] = *inbuf++; +} + + +/* The routine final terminates the computation and + * returns the digest. + * The handle is prepared for a new cycle, but adding bytes to the + * handle will the destroy the returned buffer. + * Returns: 32 bytes representing the digest. + */ + +static void +sha256_final(SHA256_CONTEXT *hd) +{ + u32 t, msb, lsb; + byte *p; + + sha256_write(hd, NULL, 0); /* flush */; + + t = hd->nblocks; + /* multiply by 64 to make a byte count */ + lsb = t << 6; + msb = t >> 26; + /* add the count */ + t = lsb; + if( (lsb += hd->count) < t ) + msb++; + /* multiply by 8 to make a bit count */ + t = lsb; + lsb <<= 3; + msb <<= 3; + msb |= t >> 29; + + if( hd->count < 56 ) { /* enough room */ + hd->buf[hd->count++] = 0x80; /* pad */ + while( hd->count < 56 ) + hd->buf[hd->count++] = 0; /* pad */ + } + else { /* need one extra block */ + hd->buf[hd->count++] = 0x80; /* pad character */ + while( hd->count < 64 ) + hd->buf[hd->count++] = 0; + sha256_write(hd, NULL, 0); /* flush */; + memset(hd->buf, 0, 56 ); /* fill next block with zeroes */ + } + /* append the 64 bit count */ + hd->buf[56] = msb >> 24; + hd->buf[57] = msb >> 16; + hd->buf[58] = msb >> 8; + hd->buf[59] = msb ; + hd->buf[60] = lsb >> 24; + hd->buf[61] = lsb >> 16; + hd->buf[62] = lsb >> 8; + hd->buf[63] = lsb ; + transform( hd, hd->buf ); + burn_stack (328); + + p = hd->buf; + #ifdef BIG_ENDIAN_HOST + #define X(a) do { *(u32*)p = hd->h##a ; p += 4; } while(0) + #else /* little endian */ + #define X(a) do { *p++ = hd->h##a >> 24; *p++ = hd->h##a >> 16; \ + *p++ = hd->h##a >> 8; *p++ = hd->h##a; } while(0) + #endif + X(0); + X(1); + X(2); + X(3); + X(4); + X(5); + X(6); + X(7); + #undef X + +} + +static byte * +sha256_read( SHA256_CONTEXT *hd ) +{ + return hd->buf; +} + +/**************** + * Return some information about the algorithm. We need algo here to + * distinguish different flavors of the algorithm. + * Returns: A pointer to string describing the algorithm or NULL if + * the ALGO is invalid. + */ +const char * +sha256_get_info( int algo, size_t *contextsize, + byte **r_asnoid, int *r_asnlen, int *r_mdlen, + void (**r_init)( void *c ), + void (**r_write)( void *c, byte *buf, size_t nbytes ), + void (**r_final)( void *c ), + byte *(**r_read)( void *c ) + ) +{ + static byte asn[] = /* Object ID is 2.16.840.1.101.3.4.2.1 */ + { + 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, + 0x00, 0x04, 0x20 + }; + + if( algo != 8 ) + return NULL; + + *contextsize = sizeof(SHA256_CONTEXT); + *r_asnoid = asn; + *r_asnlen = DIM(asn); + *r_mdlen = 32; + *(void (**)(SHA256_CONTEXT *))r_init = sha256_init; + *(void (**)(SHA256_CONTEXT *, byte*, size_t))r_write = sha256_write; + *(void (**)(SHA256_CONTEXT *))r_final = sha256_final; + *(byte *(**)(SHA256_CONTEXT *))r_read = sha256_read; + + return "SHA256"; +} diff --git a/cipher/sha512.c b/cipher/sha512.c new file mode 100644 index 000000000..9270ef24d --- /dev/null +++ b/cipher/sha512.c @@ -0,0 +1,416 @@ +/* sha512.c - SHA384 and SHA512 hash functions + * Copyright (C) 2003 Free Software Foundation, Inc. + * + * Please see below for more legal information! + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + + +/* Test vectors from FIPS-180-2: + * + * "abc" + * 384: + * CB00753F 45A35E8B B5A03D69 9AC65007 272C32AB 0EDED163 + * 1A8B605A 43FF5BED 8086072B A1E7CC23 58BAECA1 34C825A7 + * 512: + * DDAF35A1 93617ABA CC417349 AE204131 12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A + * 2192992A 274FC1A8 36BA3C23 A3FEEBBD 454D4423 643CE80E 2A9AC94F A54CA49F + * + * "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" + * 384: + * 09330C33 F71147E8 3D192FC7 82CD1B47 53111B17 3B3B05D2 + * 2FA08086 E3B0F712 FCC7C71A 557E2DB9 66C3E9FA 91746039 + * 512: + * 8E959B75 DAE313DA 8CF4F728 14FC143F 8F7779C6 EB9F7FA1 7299AEAD B6889018 + * 501D289E 4900F7E4 331B99DE C4B5433A C7D329EE B6DD2654 5E96E55B 874BE909 + * + * "a" x 1000000 + * 384: + * 9D0E1809 716474CB 086E834E 310A4A1C ED149E9C 00F24852 + * 7972CEC5 704C2A5B 07B8B3DC 38ECC4EB AE97DDD8 7F3D8985 + * 512: + * E718483D 0CE76964 4E2E42C7 BC15B463 8E1F98B1 3B204428 5632A803 AFA973EB + * DE0FF244 877EA60A 4CB0432C E577C31B EB009C5C 2C49AA2E 4EADB217 AD8CC09B + */ + + +#include +#include +#include "util.h" +#include "algorithms.h" + + +typedef struct { + u64 h0,h1,h2,h3,h4,h5,h6,h7; + u64 nblocks; + byte buf[128]; + int count; +} SHA512_CONTEXT; + +static void +burn_stack (int bytes) +{ + char buf[128]; + + wipememory(buf,sizeof buf); + bytes -= sizeof buf; + if (bytes > 0) + burn_stack (bytes); +} + + +void +sha512_init( SHA512_CONTEXT *hd ) +{ + hd->h0 = 0x6a09e667f3bcc908; + hd->h1 = 0xbb67ae8584caa73b; + hd->h2 = 0x3c6ef372fe94f82b; + hd->h3 = 0xa54ff53a5f1d36f1; + hd->h4 = 0x510e527fade682d1; + hd->h5 = 0x9b05688c2b3e6c1f; + hd->h6 = 0x1f83d9abfb41bd6b; + hd->h7 = 0x5be0cd19137e2179; + + hd->nblocks = 0; + hd->count = 0; +} + +void +sha384_init( SHA512_CONTEXT *hd ) +{ + hd->h0 = 0xcbbb9d5dc1059ed8; + hd->h1 = 0x629a292a367cd507; + hd->h2 = 0x9159015a3070dd17; + hd->h3 = 0x152fecd8f70e5939; + hd->h4 = 0x67332667ffc00b31; + hd->h5 = 0x8eb44a8768581511; + hd->h6 = 0xdb0c2e0d64f98fa7; + hd->h7 = 0x47b5481dbefa4fa4; + + hd->nblocks = 0; + hd->count = 0; +} + + +/**************** + * Transform the message W which consists of 16 64-bit-words + */ +static void +transform( SHA512_CONTEXT *hd, byte *data ) +{ + u64 a,b,c,d,e,f,g,h; + u64 w[80]; + int t; + static const u64 k[]= + { + 0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, + 0xe9b5dba58189dbbc, 0x3956c25bf348b538, 0x59f111f1b605d019, + 0x923f82a4af194f9b, 0xab1c5ed5da6d8118, 0xd807aa98a3030242, + 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2, + 0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, + 0xc19bf174cf692694, 0xe49b69c19ef14ad2, 0xefbe4786384f25e3, + 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65, 0x2de92c6f592b0275, + 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5, + 0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f, + 0xbf597fc7beef0ee4, 0xc6e00bf33da88fc2, 0xd5a79147930aa725, + 0x06ca6351e003826f, 0x142929670a0e6e70, 0x27b70a8546d22ffc, + 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df, + 0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, + 0x92722c851482353b, 0xa2bfe8a14cf10364, 0xa81a664bbc423001, + 0xc24b8b70d0f89791, 0xc76c51a30654be30, 0xd192e819d6ef5218, + 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8, + 0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99, + 0x34b0bcb5e19b48a8, 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, + 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3, 0x748f82ee5defb2fc, + 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec, + 0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, + 0xc67178f2e372532b, 0xca273eceea26619c, 0xd186b8c721c0c207, + 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178, 0x06f067aa72176fba, + 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b, + 0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, + 0x431d67c49c100d4c, 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, + 0x5fcb6fab3ad6faec, 0x6c44198c4a475817 + }; + + /* get values from the chaining vars */ + a = hd->h0; + b = hd->h1; + c = hd->h2; + d = hd->h3; + e = hd->h4; + f = hd->h5; + g = hd->h6; + h = hd->h7; + +#ifdef BIG_ENDIAN_HOST + memcpy( w, data, 128 ); +#else + { + int i; + byte *p2; + + for(i=0, p2=(byte*)w; i < 16; i++, p2 += 8 ) + { + p2[7] = *data++; + p2[6] = *data++; + p2[5] = *data++; + p2[4] = *data++; + p2[3] = *data++; + p2[2] = *data++; + p2[1] = *data++; + p2[0] = *data++; + } + } +#endif + +#define ROTR(x,n) (((x)>>(n)) | ((x)<<(64-(n)))) +#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +#define Sum0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) +#define Sum1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) +#define S0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7)) +#define S1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6)) + + for(t=16;t<80;t++) + w[t] = S1(w[t-2]) + w[t-7] + S0(w[t-15]) + w[t-16]; + + for(t=0;t<80;t++) + { + u64 t1,t2; + + t1=h+Sum1(e)+Ch(e,f,g)+k[t]+w[t]; + t2=Sum0(a)+Maj(a,b,c); + h=g; + g=f; + f=e; + e=d+t1; + d=c; + c=b; + b=a; + a=t1+t2; + + /* printf("t=%d a=%016llX b=%016llX c=%016llX d=%016llX e=%016llX f=%016llX g=%016llX h=%016llX\n",t,a,b,c,d,e,f,g,h); */ + } + + /* update chaining vars */ + hd->h0 += a; + hd->h1 += b; + hd->h2 += c; + hd->h3 += d; + hd->h4 += e; + hd->h5 += f; + hd->h6 += g; + hd->h7 += h; +} + + +/* Update the message digest with the contents + * of INBUF with length INLEN. + */ +static void +sha512_write( SHA512_CONTEXT *hd, byte *inbuf, size_t inlen) +{ + if( hd->count == 128 ) { /* flush the buffer */ + transform( hd, hd->buf ); + burn_stack (768); + hd->count = 0; + hd->nblocks++; + } + if( !inbuf ) + return; + if( hd->count ) { + for( ; inlen && hd->count < 128; inlen-- ) + hd->buf[hd->count++] = *inbuf++; + sha512_write( hd, NULL, 0 ); + if( !inlen ) + return; + } + + while( inlen >= 128 ) { + transform( hd, inbuf ); + hd->count = 0; + hd->nblocks++; + inlen -= 128; + inbuf += 128; + } + burn_stack (768); + for( ; inlen && hd->count < 128; inlen-- ) + hd->buf[hd->count++] = *inbuf++; +} + + +/* The routine final terminates the computation and + * returns the digest. + * The handle is prepared for a new cycle, but adding bytes to the + * handle will the destroy the returned buffer. + * Returns: 64 bytes representing the digest. When used for sha384, + * we take the leftmost 48 of those bytes. + */ + +static void +sha512_final(SHA512_CONTEXT *hd) +{ + u64 t, msb, lsb; + byte *p; + + sha512_write(hd, NULL, 0); /* flush */; + + t = hd->nblocks; + /* multiply by 128 to make a byte count */ + lsb = t << 7; + msb = t >> 57; + /* add the count */ + t = lsb; + if( (lsb += hd->count) < t ) + msb++; + /* multiply by 8 to make a bit count */ + t = lsb; + lsb <<= 3; + msb <<= 3; + msb |= t >> 61; + + if( hd->count < 112 ) { /* enough room */ + hd->buf[hd->count++] = 0x80; /* pad */ + while( hd->count < 112 ) + hd->buf[hd->count++] = 0; /* pad */ + } + else { /* need one extra block */ + hd->buf[hd->count++] = 0x80; /* pad character */ + while( hd->count < 128 ) + hd->buf[hd->count++] = 0; + sha512_write(hd, NULL, 0); /* flush */; + memset(hd->buf, 0, 112 ); /* fill next block with zeroes */ + } + /* append the 128 bit count */ + hd->buf[112] = msb >> 56; + hd->buf[113] = msb >> 48; + hd->buf[114] = msb >> 40; + hd->buf[115] = msb >> 32; + hd->buf[116] = msb >> 24; + hd->buf[117] = msb >> 16; + hd->buf[118] = msb >> 8; + hd->buf[119] = msb ; + + hd->buf[120] = lsb >> 56; + hd->buf[121] = lsb >> 48; + hd->buf[122] = lsb >> 40; + hd->buf[123] = lsb >> 32; + hd->buf[124] = lsb >> 24; + hd->buf[125] = lsb >> 16; + hd->buf[126] = lsb >> 8; + hd->buf[127] = lsb ; + transform( hd, hd->buf ); + burn_stack (768); + + p = hd->buf; + #ifdef BIG_ENDIAN_HOST + #define X(a) do { *(u64*)p = hd->h##a ; p += 8; } while(0) + #else /* little endian */ + #define X(a) do { *p++ = hd->h##a >> 56; *p++ = hd->h##a >> 48; \ + *p++ = hd->h##a >> 40; *p++ = hd->h##a >> 32; \ + *p++ = hd->h##a >> 24; *p++ = hd->h##a >> 16; \ + *p++ = hd->h##a >> 8; *p++ = hd->h##a; } while(0) + #endif + X(0); + X(1); + X(2); + X(3); + X(4); + X(5); + /* Note that these last two chunks are included even for SHA384. + We just ignore them. */ + X(6); + X(7); + #undef X +} + +static byte * +sha512_read( SHA512_CONTEXT *hd ) +{ + return hd->buf; +} + +/**************** + * Return some information about the algorithm. We need algo here to + * distinguish different flavors of the algorithm. + * Returns: A pointer to string describing the algorithm or NULL if + * the ALGO is invalid. + */ +const char * +sha512_get_info( int algo, size_t *contextsize, + byte **r_asnoid, int *r_asnlen, int *r_mdlen, + void (**r_init)( void *c ), + void (**r_write)( void *c, byte *buf, size_t nbytes ), + void (**r_final)( void *c ), + byte *(**r_read)( void *c ) + ) +{ + static byte asn[] = /* Object ID is 2.16.840.1.101.3.4.2.3 */ + { + 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, + 0x00, 0x04, 0x40 + }; + + if( algo != 10 ) + return NULL; + + *contextsize = sizeof(SHA512_CONTEXT); + *r_asnoid = asn; + *r_asnlen = DIM(asn); + *r_mdlen = 64; + *(void (**)(SHA512_CONTEXT *))r_init = sha512_init; + *(void (**)(SHA512_CONTEXT *, byte*, size_t))r_write = sha512_write; + *(void (**)(SHA512_CONTEXT *))r_final = sha512_final; + *(byte *(**)(SHA512_CONTEXT *))r_read = sha512_read; + + return "SHA512"; +} + +/* SHA384 is really a truncated SHA512 with a different + initialization */ +const char * +sha384_get_info( int algo, size_t *contextsize, + byte **r_asnoid, int *r_asnlen, int *r_mdlen, + void (**r_init)( void *c ), + void (**r_write)( void *c, byte *buf, size_t nbytes ), + void (**r_final)( void *c ), + byte *(**r_read)( void *c ) + ) +{ + static byte asn[] = /* Object ID is 2.16.840.1.101.3.4.2.2 */ + { + 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, + 0x00, 0x04, 0x30 + }; + + if( algo != 9 ) + return NULL; + + *contextsize = sizeof(SHA512_CONTEXT); + *r_asnoid = asn; + *r_asnlen = DIM(asn); + *r_mdlen = 48; + *(void (**)(SHA512_CONTEXT *))r_init = sha384_init; + *(void (**)(SHA512_CONTEXT *, byte*, size_t))r_write = sha512_write; + *(void (**)(SHA512_CONTEXT *))r_final = sha512_final; + *(byte *(**)(SHA512_CONTEXT *))r_read = sha512_read; + + return "SHA384"; +}