File Coverage

sha2.c

Criterion	Covered	Total	%
statement	178	182	97.8
branch	45	48	93.7
condition			n/a
subroutine			n/a
pod			n/a
total	223	230	96.9

line	stmt	bran	code
1			/*
2			* sha2.c - SHA-256 and SHA-512 implementations per FIPS 180-4.
3			*/
4
5			#include "sha2.h"
6			#include
7
8			/* ---------------- shared loaders / storers ---------------- */
9
10			static uint32_t
11	4223184		load32_be(const unsigned char *p)
12			{
13	4223184		return ((uint32_t)p[0] << 24)
14	4223184		\| ((uint32_t)p[1] << 16)
15	4223184		\| ((uint32_t)p[2] << 8)
16	4223184		\| (uint32_t)p[3];
17			}
18
19			static void
20	536		store32_be(unsigned char *p, uint32_t v)
21			{
22	536		p[0] = (unsigned char)((v >> 24) & 0xFFu);
23	536		p[1] = (unsigned char)((v >> 16) & 0xFFu);
24	536		p[2] = (unsigned char)((v >> 8) & 0xFFu);
25	536		p[3] = (unsigned char)( v & 0xFFu);
26	536		}
27
28			static uint64_t
29	80		load64_be(const unsigned char *p)
30			{
31	80		return ((uint64_t)p[0] << 56)
32	80		\| ((uint64_t)p[1] << 48)
33	80		\| ((uint64_t)p[2] << 40)
34	80		\| ((uint64_t)p[3] << 32)
35	80		\| ((uint64_t)p[4] << 24)
36	80		\| ((uint64_t)p[5] << 16)
37	80		\| ((uint64_t)p[6] << 8)
38	80		\| (uint64_t)p[7];
39			}
40
41			static void
42	50		store64_be(unsigned char *p, uint64_t v)
43			{
44	50		p[0] = (unsigned char)((v >> 56) & 0xFFu);
45	50		p[1] = (unsigned char)((v >> 48) & 0xFFu);
46	50		p[2] = (unsigned char)((v >> 40) & 0xFFu);
47	50		p[3] = (unsigned char)((v >> 32) & 0xFFu);
48	50		p[4] = (unsigned char)((v >> 24) & 0xFFu);
49	50		p[5] = (unsigned char)((v >> 16) & 0xFFu);
50	50		p[6] = (unsigned char)((v >> 8) & 0xFFu);
51	50		p[7] = (unsigned char)( v & 0xFFu);
52	50		}
53
54			/* ============================================================
55			* SHA-256
56			* ============================================================ */
57
58			#define ROR32(x, n) (((x) >> (n)) \| ((x) << (32 - (n))))
59
60			#define CH32(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
61			#define MAJ32(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
62			#define BSIG0_32(x) (ROR32(x, 2) ^ ROR32(x,13) ^ ROR32(x,22))
63			#define BSIG1_32(x) (ROR32(x, 6) ^ ROR32(x,11) ^ ROR32(x,25))
64			#define SSIG0_32(x) (ROR32(x, 7) ^ ROR32(x,18) ^ ((x) >> 3))
65			#define SSIG1_32(x) (ROR32(x,17) ^ ROR32(x,19) ^ ((x) >> 10))
66
67			static const uint32_t SHA256_K[64] = {
68			0x428a2f98u, 0x71374491u, 0xb5c0fbcfu, 0xe9b5dba5u,
69			0x3956c25bu, 0x59f111f1u, 0x923f82a4u, 0xab1c5ed5u,
70			0xd807aa98u, 0x12835b01u, 0x243185beu, 0x550c7dc3u,
71			0x72be5d74u, 0x80deb1feu, 0x9bdc06a7u, 0xc19bf174u,
72			0xe49b69c1u, 0xefbe4786u, 0x0fc19dc6u, 0x240ca1ccu,
73			0x2de92c6fu, 0x4a7484aau, 0x5cb0a9dcu, 0x76f988dau,
74			0x983e5152u, 0xa831c66du, 0xb00327c8u, 0xbf597fc7u,
75			0xc6e00bf3u, 0xd5a79147u, 0x06ca6351u, 0x14292967u,
76			0x27b70a85u, 0x2e1b2138u, 0x4d2c6dfcu, 0x53380d13u,
77			0x650a7354u, 0x766a0abbu, 0x81c2c92eu, 0x92722c85u,
78			0xa2bfe8a1u, 0xa81a664bu, 0xc24b8b70u, 0xc76c51a3u,
79			0xd192e819u, 0xd6990624u, 0xf40e3585u, 0x106aa070u,
80			0x19a4c116u, 0x1e376c08u, 0x2748774cu, 0x34b0bcb5u,
81			0x391c0cb3u, 0x4ed8aa4au, 0x5b9cca4fu, 0x682e6ff3u,
82			0x748f82eeu, 0x78a5636fu, 0x84c87814u, 0x8cc70208u,
83			0x90befffau, 0xa4506cebu, 0xbef9a3f7u, 0xc67178f2u
84			};
85
86			static void
87	263949		sha256_compress(sha256_ctx_t ctx, const unsigned char block)
88			{
89			uint32_t W[64];
90	263949		uint32_t a = ctx->state[0], b = ctx->state[1], c = ctx->state[2],
91	263949		d = ctx->state[3], e = ctx->state[4], f = ctx->state[5],
92	263949		g = ctx->state[6], h = ctx->state[7];
93			uint32_t T1, T2;
94			int i;
95
96	4487133	100	for (i = 0; i < 16; i++) W[i] = load32_be(block + i * 4);
97	12933501	100	for (i = 16; i < 64; i++) {
98	12669552		W[i] = SSIG1_32(W[i-2]) + W[i-7] + SSIG0_32(W[i-15]) + W[i-16];
99			}
100
101	17156685	100	for (i = 0; i < 64; i++) {
102	16892736		T1 = h + BSIG1_32(e) + CH32(e, f, g) + SHA256_K[i] + W[i];
103	16892736		T2 = BSIG0_32(a) + MAJ32(a, b, c);
104	16892736		h = g;
105	16892736		g = f;
106	16892736		f = e;
107	16892736		e = d + T1;
108	16892736		d = c;
109	16892736		c = b;
110	16892736		b = a;
111	16892736		a = T1 + T2;
112			}
113
114	263949		ctx->state[0] += a;
115	263949		ctx->state[1] += b;
116	263949		ctx->state[2] += c;
117	263949		ctx->state[3] += d;
118	263949		ctx->state[4] += e;
119	263949		ctx->state[5] += f;
120	263949		ctx->state[6] += g;
121	263949		ctx->state[7] += h;
122	263949		}
123
124			void
125	75		sha256_init(sha256_ctx_t *ctx)
126			{
127	75		ctx->state[0] = 0x6a09e667u;
128	75		ctx->state[1] = 0xbb67ae85u;
129	75		ctx->state[2] = 0x3c6ef372u;
130	75		ctx->state[3] = 0xa54ff53au;
131	75		ctx->state[4] = 0x510e527fu;
132	75		ctx->state[5] = 0x9b05688cu;
133	75		ctx->state[6] = 0x1f83d9abu;
134	75		ctx->state[7] = 0x5be0cd19u;
135	75		ctx->bit_count = 0;
136	75		ctx->buffered = 0;
137	75		}
138
139			void
140	296		sha256_update(sha256_ctx_t ctx, const void data, size_t len)
141			{
142	296		const unsigned char p = (const unsigned char )data;
143			size_t take;
144
145	296		ctx->bit_count += (uint64_t)len << 3;
146
147	296	100	if (ctx->buffered) {
148	118		take = SHA256_BLOCK_SIZE - ctx->buffered;
149	118	100	if (take > len) take = len;
150	118		memcpy(ctx->buffer + ctx->buffered, p, take);
151	118		ctx->buffered += take;
152	118		p += take;
153	118		len -= take;
154	118	100	if (ctx->buffered == SHA256_BLOCK_SIZE) {
155	68		sha256_compress(ctx, ctx->buffer);
156	68		ctx->buffered = 0;
157			}
158			}
159	264177	100	while (len >= SHA256_BLOCK_SIZE) {
160	263881		sha256_compress(ctx, p);
161	263881		p += SHA256_BLOCK_SIZE;
162	263881		len -= SHA256_BLOCK_SIZE;
163			}
164	296	100	if (len) {
165	68		memcpy(ctx->buffer, p, len);
166	68		ctx->buffered = len;
167			}
168	296		}
169
170			void
171	67		sha256_final(sha256_ctx_t *ctx, unsigned char out[SHA256_DIGEST_SIZE])
172			{
173			unsigned char pad[SHA256_BLOCK_SIZE];
174			unsigned char len_be[8];
175	67		uint64_t bits = ctx->bit_count;
176			size_t pad_len;
177			int i;
178
179	67		pad[0] = 0x80;
180	4288	100	for (i = 1; i < SHA256_BLOCK_SIZE; i++) pad[i] = 0;
181
182	67	100	if (ctx->buffered < 56)
183	66		pad_len = 56 - ctx->buffered;
184			else
185	1		pad_len = (SHA256_BLOCK_SIZE + 56) - ctx->buffered;
186
187	67		sha256_update(ctx, pad, pad_len);
188
189	603	100	for (i = 0; i < 8; i++) {
190	536		len_be[i] = (unsigned char)((bits >> (56 - i * 8)) & 0xFFu);
191			}
192	67		sha256_update(ctx, len_be, 8);
193
194	603	100	for (i = 0; i < 8; i++) store32_be(out + i * 4, ctx->state[i]);
195	67		}
196
197			/* ============================================================
198			* SHA-512
199			* ============================================================ */
200
201			#define ROR64(x, n) (((x) >> (n)) \| ((x) << (64 - (n))))
202
203			#define CH64(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
204			#define MAJ64(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
205			#define BSIG0_64(x) (ROR64(x,28) ^ ROR64(x,34) ^ ROR64(x,39))
206			#define BSIG1_64(x) (ROR64(x,14) ^ ROR64(x,18) ^ ROR64(x,41))
207			#define SSIG0_64(x) (ROR64(x, 1) ^ ROR64(x, 8) ^ ((x) >> 7))
208			#define SSIG1_64(x) (ROR64(x,19) ^ ROR64(x,61) ^ ((x) >> 6))
209
210			static const uint64_t SHA512_K[80] = {
211			0x428a2f98d728ae22ull, 0x7137449123ef65cdull,
212			0xb5c0fbcfec4d3b2full, 0xe9b5dba58189dbbcull,
213			0x3956c25bf348b538ull, 0x59f111f1b605d019ull,
214			0x923f82a4af194f9bull, 0xab1c5ed5da6d8118ull,
215			0xd807aa98a3030242ull, 0x12835b0145706fbeull,
216			0x243185be4ee4b28cull, 0x550c7dc3d5ffb4e2ull,
217			0x72be5d74f27b896full, 0x80deb1fe3b1696b1ull,
218			0x9bdc06a725c71235ull, 0xc19bf174cf692694ull,
219			0xe49b69c19ef14ad2ull, 0xefbe4786384f25e3ull,
220			0x0fc19dc68b8cd5b5ull, 0x240ca1cc77ac9c65ull,
221			0x2de92c6f592b0275ull, 0x4a7484aa6ea6e483ull,
222			0x5cb0a9dcbd41fbd4ull, 0x76f988da831153b5ull,
223			0x983e5152ee66dfabull, 0xa831c66d2db43210ull,
224			0xb00327c898fb213full, 0xbf597fc7beef0ee4ull,
225			0xc6e00bf33da88fc2ull, 0xd5a79147930aa725ull,
226			0x06ca6351e003826full, 0x142929670a0e6e70ull,
227			0x27b70a8546d22ffcull, 0x2e1b21385c26c926ull,
228			0x4d2c6dfc5ac42aedull, 0x53380d139d95b3dfull,
229			0x650a73548baf63deull, 0x766a0abb3c77b2a8ull,
230			0x81c2c92e47edaee6ull, 0x92722c851482353bull,
231			0xa2bfe8a14cf10364ull, 0xa81a664bbc423001ull,
232			0xc24b8b70d0f89791ull, 0xc76c51a30654be30ull,
233			0xd192e819d6ef5218ull, 0xd69906245565a910ull,
234			0xf40e35855771202aull, 0x106aa07032bbd1b8ull,
235			0x19a4c116b8d2d0c8ull, 0x1e376c085141ab53ull,
236			0x2748774cdf8eeb99ull, 0x34b0bcb5e19b48a8ull,
237			0x391c0cb3c5c95a63ull, 0x4ed8aa4ae3418acbull,
238			0x5b9cca4f7763e373ull, 0x682e6ff3d6b2b8a3ull,
239			0x748f82ee5defb2fcull, 0x78a5636f43172f60ull,
240			0x84c87814a1f0ab72ull, 0x8cc702081a6439ecull,
241			0x90befffa23631e28ull, 0xa4506cebde82bde9ull,
242			0xbef9a3f7b2c67915ull, 0xc67178f2e372532bull,
243			0xca273eceea26619cull, 0xd186b8c721c0c207ull,
244			0xeada7dd6cde0eb1eull, 0xf57d4f7fee6ed178ull,
245			0x06f067aa72176fbaull, 0x0a637dc5a2c898a6ull,
246			0x113f9804bef90daeull, 0x1b710b35131c471bull,
247			0x28db77f523047d84ull, 0x32caab7b40c72493ull,
248			0x3c9ebe0a15c9bebcull, 0x431d67c49c100d4cull,
249			0x4cc5d4becb3e42b6ull, 0x597f299cfc657e2aull,
250			0x5fcb6fab3ad6faecull, 0x6c44198c4a475817ull
251			};
252
253			static void
254	5		sha512_compress(sha512_ctx_t ctx, const unsigned char block)
255			{
256			uint64_t W[80];
257	5		uint64_t a = ctx->state[0], b = ctx->state[1], c = ctx->state[2],
258	5		d = ctx->state[3], e = ctx->state[4], f = ctx->state[5],
259	5		g = ctx->state[6], h = ctx->state[7];
260			uint64_t T1, T2;
261			int i;
262
263	85	100	for (i = 0; i < 16; i++) W[i] = load64_be(block + i * 8);
264	325	100	for (i = 16; i < 80; i++) {
265	320		W[i] = SSIG1_64(W[i-2]) + W[i-7] + SSIG0_64(W[i-15]) + W[i-16];
266			}
267
268	405	100	for (i = 0; i < 80; i++) {
269	400		T1 = h + BSIG1_64(e) + CH64(e, f, g) + SHA512_K[i] + W[i];
270	400		T2 = BSIG0_64(a) + MAJ64(a, b, c);
271	400		h = g;
272	400		g = f;
273	400		f = e;
274	400		e = d + T1;
275	400		d = c;
276	400		c = b;
277	400		b = a;
278	400		a = T1 + T2;
279			}
280
281	5		ctx->state[0] += a;
282	5		ctx->state[1] += b;
283	5		ctx->state[2] += c;
284	5		ctx->state[3] += d;
285	5		ctx->state[4] += e;
286	5		ctx->state[5] += f;
287	5		ctx->state[6] += g;
288	5		ctx->state[7] += h;
289	5		}
290
291			void
292	5		sha512_init(sha512_ctx_t *ctx)
293			{
294	5		ctx->state[0] = 0x6a09e667f3bcc908ull;
295	5		ctx->state[1] = 0xbb67ae8584caa73bull;
296	5		ctx->state[2] = 0x3c6ef372fe94f82bull;
297	5		ctx->state[3] = 0xa54ff53a5f1d36f1ull;
298	5		ctx->state[4] = 0x510e527fade682d1ull;
299	5		ctx->state[5] = 0x9b05688c2b3e6c1full;
300	5		ctx->state[6] = 0x1f83d9abfb41bd6bull;
301	5		ctx->state[7] = 0x5be0cd19137e2179ull;
302	5		ctx->bit_count_low = 0;
303	5		ctx->bit_count_high = 0;
304	5		ctx->buffered = 0;
305	5		}
306
307			void
308	13		sha512_update(sha512_ctx_t ctx, const void data, size_t len)
309			{
310	13		const unsigned char p = (const unsigned char )data;
311	13		uint64_t add_bits = (uint64_t)len << 3;
312			uint64_t prev_low;
313			size_t take;
314
315	13		prev_low = ctx->bit_count_low;
316	13		ctx->bit_count_low += add_bits;
317	13	50	if (ctx->bit_count_low < prev_low) ctx->bit_count_high++;
318			/* len >> 61 contributes to high if huge — not realistically
319			* triggered, but handle for spec fidelity. */
320	13		ctx->bit_count_high += (uint64_t)len >> 61;
321
322	13	100	if (ctx->buffered) {
323	8		take = SHA512_BLOCK_SIZE - ctx->buffered;
324	8	100	if (take > len) take = len;
325	8		memcpy(ctx->buffer + ctx->buffered, p, take);
326	8		ctx->buffered += take;
327	8		p += take;
328	8		len -= take;
329	8	100	if (ctx->buffered == SHA512_BLOCK_SIZE) {
330	5		sha512_compress(ctx, ctx->buffer);
331	5		ctx->buffered = 0;
332			}
333			}
334	13	50	while (len >= SHA512_BLOCK_SIZE) {
335	0		sha512_compress(ctx, p);
336	0		p += SHA512_BLOCK_SIZE;
337	0		len -= SHA512_BLOCK_SIZE;
338			}
339	13	100	if (len) {
340	5		memcpy(ctx->buffer, p, len);
341	5		ctx->buffered = len;
342			}
343	13		}
344
345			void
346	5		sha512_final(sha512_ctx_t *ctx, unsigned char out[SHA512_DIGEST_SIZE])
347			{
348			unsigned char pad[SHA512_BLOCK_SIZE];
349			unsigned char len_be[16];
350	5		uint64_t bits_low = ctx->bit_count_low;
351	5		uint64_t bits_high = ctx->bit_count_high;
352			size_t pad_len;
353			int i;
354
355	5		pad[0] = 0x80;
356	640	100	for (i = 1; i < SHA512_BLOCK_SIZE; i++) pad[i] = 0;
357
358			/* SHA-512 reserves the last 16 bytes for the 128-bit length. */
359	5	50	if (ctx->buffered < 112)
360	5		pad_len = 112 - ctx->buffered;
361			else
362	0		pad_len = (SHA512_BLOCK_SIZE + 112) - ctx->buffered;
363
364	5		sha512_update(ctx, pad, pad_len);
365
366	5		store64_be(len_be, bits_high);
367	5		store64_be(len_be + 8, bits_low);
368	5		sha512_update(ctx, len_be, 16);
369
370	45	100	for (i = 0; i < 8; i++) store64_be(out + i * 8, ctx->state[i]);
371	5		}