sha512.c

OpenSSL 0.9.8k 最新版OpenSSL

/* crypto/sha/sha512.c */
/* ====================================================================
 * Copyright (c) 2004 The OpenSSL Project.  All rights reserved
 * according to the OpenSSL license [found in ../../LICENSE].
 * ====================================================================
 */
#include <openssl/opensslconf.h>
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif

#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512)
/*
 * IMPLEMENTATION NOTES.
 *
 * As you might have noticed 32-bit hash algorithms:
 *
 * - permit SHA_LONG to be wider than 32-bit (case on CRAY);
 * - optimized versions implement two transform functions: one operating
 *   on [aligned] data in host byte order and one - on data in input
 *   stream byte order;
 * - share common byte-order neutral collector and padding function
 *   implementations, ../md32_common.h;
 *
 * Neither of the above applies to this SHA-512 implementations. Reasons
 * [in reverse order] are:
 *
 * - it's the only 64-bit hash algorithm for the moment of this writing,
 *   there is no need for common collector/padding implementation [yet];
 * - by supporting only one transform function [which operates on
 *   *aligned* data in input stream byte order, big-endian in this case]
 *   we minimize burden of maintenance in two ways: a) collector/padding
 *   function is simpler; b) only one transform function to stare at;
 * - SHA_LONG64 is required to be exactly 64-bit in order to be able to
 *   apply a number of optimizations to mitigate potential performance
 *   penalties caused by previous design decision;
 *
 * Caveat lector.
 *
 * Implementation relies on the fact that "long long" is 64-bit on
 * both 32- and 64-bit platforms. If some compiler vendor comes up
 * with 128-bit long long, adjustment to sha.h would be required.
 * As this implementation relies on 64-bit integer type, it's totally
 * inappropriate for platforms which don't support it, most notably
 * 16-bit platforms.
 *					<appro@fy.chalmers.se>
 */
#include <stdlib.h>
#include <string.h>

#include <openssl/crypto.h>
#include <openssl/sha.h>
#include <openssl/opensslv.h>

#include "cryptlib.h"

const char SHA512_version[]="SHA-512" OPENSSL_VERSION_PTEXT;

#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
    defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64) || \
    defined(__s390__) || defined(__s390x__) || \
    defined(SHA512_ASM)
#define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
#endif

int SHA384_Init (SHA512_CTX *c)
	{
#ifdef OPENSSL_FIPS
	FIPS_selftest_check();
#endif
	c->h[0]=U64(0xcbbb9d5dc1059ed8);
	c->h[1]=U64(0x629a292a367cd507);
	c->h[2]=U64(0x9159015a3070dd17);
	c->h[3]=U64(0x152fecd8f70e5939);
	c->h[4]=U64(0x67332667ffc00b31);
	c->h[5]=U64(0x8eb44a8768581511);
	c->h[6]=U64(0xdb0c2e0d64f98fa7);
	c->h[7]=U64(0x47b5481dbefa4fa4);
        c->Nl=0;        c->Nh=0;
        c->num=0;       c->md_len=SHA384_DIGEST_LENGTH;
        return 1;
	}

int SHA512_Init (SHA512_CTX *c)
	{
#ifdef OPENSSL_FIPS
	FIPS_selftest_check();
#endif
	c->h[0]=U64(0x6a09e667f3bcc908);
	c->h[1]=U64(0xbb67ae8584caa73b);
	c->h[2]=U64(0x3c6ef372fe94f82b);
	c->h[3]=U64(0xa54ff53a5f1d36f1);
	c->h[4]=U64(0x510e527fade682d1);
	c->h[5]=U64(0x9b05688c2b3e6c1f);
	c->h[6]=U64(0x1f83d9abfb41bd6b);
	c->h[7]=U64(0x5be0cd19137e2179);
        c->Nl=0;        c->Nh=0;
        c->num=0;       c->md_len=SHA512_DIGEST_LENGTH;
        return 1;
	}

#ifndef SHA512_ASM
static
#endif
void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num);

int SHA512_Final (unsigned char *md, SHA512_CTX *c)
	{
	unsigned char *p=(unsigned char *)c->u.p;
	size_t n=c->num;

	p[n]=0x80;	/* There always is a room for one */
	n++;
	if (n > (sizeof(c->u)-16))
		memset (p+n,0,sizeof(c->u)-n), n=0,
		sha512_block_data_order (c,p,1);

	memset (p+n,0,sizeof(c->u)-16-n);
#ifdef	B_ENDIAN
	c->u.d[SHA_LBLOCK-2] = c->Nh;
	c->u.d[SHA_LBLOCK-1] = c->Nl;
#else
	p[sizeof(c->u)-1]  = (unsigned char)(c->Nl);
	p[sizeof(c->u)-2]  = (unsigned char)(c->Nl>>8);
	p[sizeof(c->u)-3]  = (unsigned char)(c->Nl>>16);
	p[sizeof(c->u)-4]  = (unsigned char)(c->Nl>>24);
	p[sizeof(c->u)-5]  = (unsigned char)(c->Nl>>32);
	p[sizeof(c->u)-6]  = (unsigned char)(c->Nl>>40);
	p[sizeof(c->u)-7]  = (unsigned char)(c->Nl>>48);
	p[sizeof(c->u)-8]  = (unsigned char)(c->Nl>>56);
	p[sizeof(c->u)-9]  = (unsigned char)(c->Nh);
	p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8);
	p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16);
	p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24);
	p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32);
	p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40);
	p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48);
	p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56);
#endif

	sha512_block_data_order (c,p,1);

	if (md==0) return 0;

	switch (c->md_len)
		{
		/* Let compiler decide if it's appropriate to unroll... */
		case SHA384_DIGEST_LENGTH:
			for (n=0;n<SHA384_DIGEST_LENGTH/8;n++)
				{
				SHA_LONG64 t = c->h[n];

				*(md++)	= (unsigned char)(t>>56);
				*(md++)	= (unsigned char)(t>>48);
				*(md++)	= (unsigned char)(t>>40);
				*(md++)	= (unsigned char)(t>>32);
				*(md++)	= (unsigned char)(t>>24);
				*(md++)	= (unsigned char)(t>>16);
				*(md++)	= (unsigned char)(t>>8);
				*(md++)	= (unsigned char)(t);
				}
			break;
		case SHA512_DIGEST_LENGTH:
			for (n=0;n<SHA512_DIGEST_LENGTH/8;n++)
				{
				SHA_LONG64 t = c->h[n];

				*(md++)	= (unsigned char)(t>>56);
				*(md++)	= (unsigned char)(t>>48);
				*(md++)	= (unsigned char)(t>>40);
				*(md++)	= (unsigned char)(t>>32);
				*(md++)	= (unsigned char)(t>>24);
				*(md++)	= (unsigned char)(t>>16);
				*(md++)	= (unsigned char)(t>>8);
				*(md++)	= (unsigned char)(t);
				}
			break;
		/* ... as well as make sure md_len is not abused. */
		default:	return 0;
		}

	return 1;
	}

int SHA384_Final (unsigned char *md,SHA512_CTX *c)
{   return SHA512_Final (md,c);   }

int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len)
	{
	SHA_LONG64	l;
	unsigned char  *p=c->u.p;
	const unsigned char *data=(const unsigned char *)_data;

	if (len==0) return  1;

	l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff);
	if (l < c->Nl)		c->Nh++;
	if (sizeof(len)>=8)	c->Nh+=(((SHA_LONG64)len)>>61);
	c->Nl=l;

	if (c->num != 0)
		{
		size_t n = sizeof(c->u) - c->num;

		if (len < n)
			{
			memcpy (p+c->num,data,len), c->num += len;
			return 1;
			}
		else	{
			memcpy (p+c->num,data,n), c->num = 0;
			len-=n, data+=n;
			sha512_block_data_order (c,p,1);
			}
		}

	if (len >= sizeof(c->u))
		{
#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
		if ((size_t)data%sizeof(c->u.d[0]) != 0)
			while (len >= sizeof(c->u))
				memcpy (p,data,sizeof(c->u)),
				sha512_block_data_order (c,p,1),
				len  -= sizeof(c->u),
				data += sizeof(c->u);
		else
#endif
			sha512_block_data_order (c,data,len/sizeof(c->u)),
			data += len,
			len  %= sizeof(c->u),
			data -= len;
		}

	if (len != 0)	memcpy (p,data,len), c->num = (int)len;

	return 1;
	}

int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
{   return SHA512_Update (c,data,len);   }

void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
{   sha512_block_data_order (c,data,1);  }

unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
	{
	SHA512_CTX c;
	static unsigned char m[SHA384_DIGEST_LENGTH];

	if (md == NULL) md=m;
	SHA384_Init(&c);
	SHA512_Update(&c,d,n);
	SHA512_Final(md,&c);
	OPENSSL_cleanse(&c,sizeof(c));
	return(md);
	}

unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
	{
	SHA512_CTX c;
	static unsigned char m[SHA512_DIGEST_LENGTH];

	if (md == NULL) md=m;
	SHA512_Init(&c);
	SHA512_Update(&c,d,n);
	SHA512_Final(md,&c);
	OPENSSL_cleanse(&c,sizeof(c));
	return(md);
	}

#ifndef SHA512_ASM
static const SHA_LONG64 K512[80] = {
        U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd),
        U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc),