summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/Modules6
-rw-r--r--lib/sha1.c342
-rw-r--r--lib/sha1.h86
-rw-r--r--lib/sha256.c467
-rw-r--r--lib/sha256.h71
-rw-r--r--lib/sha512.c614
-rw-r--r--lib/sha512.h73
-rw-r--r--lib/unaligned.h19
8 files changed, 1678 insertions, 0 deletions
diff --git a/lib/Modules b/lib/Modules
index 7254df2d..745306d9 100644
--- a/lib/Modules
+++ b/lib/Modules
@@ -1,3 +1,9 @@
+sha256.c
+sha256.h
+sha512.c
+sha512.h
+sha1.c
+sha1.h
birdlib.h
bitops.c
bitops.h
diff --git a/lib/sha1.c b/lib/sha1.c
new file mode 100644
index 00000000..dd29b5fd
--- /dev/null
+++ b/lib/sha1.c
@@ -0,0 +1,342 @@
+/*
+ * BIRD Library -- SHA-1 Hash Function (FIPS 180-1, RFC 3174) and HMAC-SHA-1
+ *
+ * (c) 2015 CZ.NIC z.s.p.o.
+ *
+ * Based on the code from libucw-6.4
+ * (c) 2008--2009 Martin Mares <mj@ucw.cz>
+ *
+ * Based on the code from libgcrypt-1.2.3, which is
+ * (c) 1998, 2001, 2002, 2003 Free Software Foundation, Inc.
+ *
+ * Can be freely distributed and used under the terms of the GNU GPL.
+ */
+
+#include "lib/sha1.h"
+#include "lib/unaligned.h"
+
+void
+sha1_init(struct sha1_context *hd)
+{
+ hd->h0 = 0x67452301;
+ hd->h1 = 0xefcdab89;
+ hd->h2 = 0x98badcfe;
+ hd->h3 = 0x10325476;
+ hd->h4 = 0xc3d2e1f0;
+ hd->nblocks = 0;
+ hd->count = 0;
+}
+
+/*
+ * Transform the message X which consists of 16 32-bit-words
+ */
+static void
+sha1_transform(struct sha1_context *hd, const byte *data)
+{
+ u32 a,b,c,d,e,tm;
+ u32 x[16];
+
+ /* Get values from the chaining vars. */
+ a = hd->h0;
+ b = hd->h1;
+ c = hd->h2;
+ d = hd->h3;
+ e = hd->h4;
+
+#ifdef CPU_BIG_ENDIAN
+ memcpy(x, data, 64);
+#else
+ int i;
+ for (i = 0; i < 16; i++)
+ x[i] = get_u32(data+4*i);
+#endif
+
+#define K1 0x5A827999L
+#define K2 0x6ED9EBA1L
+#define K3 0x8F1BBCDCL
+#define K4 0xCA62C1D6L
+#define F1(x,y,z) ( z ^ ( x & ( y ^ z ) ) )
+#define F2(x,y,z) ( x ^ y ^ z )
+#define F3(x,y,z) ( ( x & y ) | ( z & ( x | y ) ) )
+#define F4(x,y,z) ( x ^ y ^ z )
+
+#define M(i) (tm = x[i&0x0f] ^ x[(i-14)&0x0f] ^ x[(i-8)&0x0f] ^ x[(i-3)&0x0f], (x[i&0x0f] = ROL(tm, 1)))
+
+/* Bitwise rotation of an unsigned int to the left **/
+#define ROL(x, bits) (((x) << (bits)) | ((uint)(x) >> (sizeof(uint)*8 - (bits))))
+
+ #define R(a, b, c, d, e, f, k, m) \
+ do \
+ { \
+ e += ROL(a, 5) + f(b, c, d) + k + m; \
+ b = ROL( b, 30 ); \
+ } while(0)
+
+ R( a, b, c, d, e, F1, K1, x[ 0] );
+ R( e, a, b, c, d, F1, K1, x[ 1] );
+ R( d, e, a, b, c, F1, K1, x[ 2] );
+ R( c, d, e, a, b, F1, K1, x[ 3] );
+ R( b, c, d, e, a, F1, K1, x[ 4] );
+ R( a, b, c, d, e, F1, K1, x[ 5] );
+ R( e, a, b, c, d, F1, K1, x[ 6] );
+ R( d, e, a, b, c, F1, K1, x[ 7] );
+ R( c, d, e, a, b, F1, K1, x[ 8] );
+ R( b, c, d, e, a, F1, K1, x[ 9] );
+ R( a, b, c, d, e, F1, K1, x[10] );
+ R( e, a, b, c, d, F1, K1, x[11] );
+ R( d, e, a, b, c, F1, K1, x[12] );
+ R( c, d, e, a, b, F1, K1, x[13] );
+ R( b, c, d, e, a, F1, K1, x[14] );
+ R( a, b, c, d, e, F1, K1, x[15] );
+ R( e, a, b, c, d, F1, K1, M(16) );
+ R( d, e, a, b, c, F1, K1, M(17) );
+ R( c, d, e, a, b, F1, K1, M(18) );
+ R( b, c, d, e, a, F1, K1, M(19) );
+ R( a, b, c, d, e, F2, K2, M(20) );
+ R( e, a, b, c, d, F2, K2, M(21) );
+ R( d, e, a, b, c, F2, K2, M(22) );
+ R( c, d, e, a, b, F2, K2, M(23) );
+ R( b, c, d, e, a, F2, K2, M(24) );
+ R( a, b, c, d, e, F2, K2, M(25) );
+ R( e, a, b, c, d, F2, K2, M(26) );
+ R( d, e, a, b, c, F2, K2, M(27) );
+ R( c, d, e, a, b, F2, K2, M(28) );
+ R( b, c, d, e, a, F2, K2, M(29) );
+ R( a, b, c, d, e, F2, K2, M(30) );
+ R( e, a, b, c, d, F2, K2, M(31) );
+ R( d, e, a, b, c, F2, K2, M(32) );
+ R( c, d, e, a, b, F2, K2, M(33) );
+ R( b, c, d, e, a, F2, K2, M(34) );
+ R( a, b, c, d, e, F2, K2, M(35) );
+ R( e, a, b, c, d, F2, K2, M(36) );
+ R( d, e, a, b, c, F2, K2, M(37) );
+ R( c, d, e, a, b, F2, K2, M(38) );
+ R( b, c, d, e, a, F2, K2, M(39) );
+ R( a, b, c, d, e, F3, K3, M(40) );
+ R( e, a, b, c, d, F3, K3, M(41) );
+ R( d, e, a, b, c, F3, K3, M(42) );
+ R( c, d, e, a, b, F3, K3, M(43) );
+ R( b, c, d, e, a, F3, K3, M(44) );
+ R( a, b, c, d, e, F3, K3, M(45) );
+ R( e, a, b, c, d, F3, K3, M(46) );
+ R( d, e, a, b, c, F3, K3, M(47) );
+ R( c, d, e, a, b, F3, K3, M(48) );
+ R( b, c, d, e, a, F3, K3, M(49) );
+ R( a, b, c, d, e, F3, K3, M(50) );
+ R( e, a, b, c, d, F3, K3, M(51) );
+ R( d, e, a, b, c, F3, K3, M(52) );
+ R( c, d, e, a, b, F3, K3, M(53) );
+ R( b, c, d, e, a, F3, K3, M(54) );
+ R( a, b, c, d, e, F3, K3, M(55) );
+ R( e, a, b, c, d, F3, K3, M(56) );
+ R( d, e, a, b, c, F3, K3, M(57) );
+ R( c, d, e, a, b, F3, K3, M(58) );
+ R( b, c, d, e, a, F3, K3, M(59) );
+ R( a, b, c, d, e, F4, K4, M(60) );
+ R( e, a, b, c, d, F4, K4, M(61) );
+ R( d, e, a, b, c, F4, K4, M(62) );
+ R( c, d, e, a, b, F4, K4, M(63) );
+ R( b, c, d, e, a, F4, K4, M(64) );
+ R( a, b, c, d, e, F4, K4, M(65) );
+ R( e, a, b, c, d, F4, K4, M(66) );
+ R( d, e, a, b, c, F4, K4, M(67) );
+ R( c, d, e, a, b, F4, K4, M(68) );
+ R( b, c, d, e, a, F4, K4, M(69) );
+ R( a, b, c, d, e, F4, K4, M(70) );
+ R( e, a, b, c, d, F4, K4, M(71) );
+ R( d, e, a, b, c, F4, K4, M(72) );
+ R( c, d, e, a, b, F4, K4, M(73) );
+ R( b, c, d, e, a, F4, K4, M(74) );
+ R( a, b, c, d, e, F4, K4, M(75) );
+ R( e, a, b, c, d, F4, K4, M(76) );
+ R( d, e, a, b, c, F4, K4, M(77) );
+ R( c, d, e, a, b, F4, K4, M(78) );
+ R( b, c, d, e, a, F4, K4, M(79) );
+
+ /* Update chaining vars. */
+ hd->h0 += a;
+ hd->h1 += b;
+ hd->h2 += c;
+ hd->h3 += d;
+ hd->h4 += e;
+}
+
+/*
+ * Update the message digest with the contents
+ * of INBUF with length INLEN.
+ */
+void
+sha1_update(struct sha1_context *hd, const byte *inbuf, uint inlen)
+{
+ if (hd->count == 64) /* flush the buffer */
+ {
+ sha1_transform(hd, hd->buf);
+ hd->count = 0;
+ hd->nblocks++;
+ }
+ if (!inbuf)
+ return;
+
+ if (hd->count)
+ {
+ for (; inlen && hd->count < 64; inlen--)
+ hd->buf[hd->count++] = *inbuf++;
+ sha1_update( hd, NULL, 0 );
+ if(!inlen)
+ return;
+ }
+
+ while (inlen >= 64)
+ {
+ sha1_transform(hd, inbuf);
+ hd->count = 0;
+ hd->nblocks++;
+ inlen -= 64;
+ inbuf += 64;
+ }
+ for (; inlen && hd->count < 64; inlen--)
+ hd->buf[hd->count++] = *inbuf++;
+}
+
+/*
+ * The routine final terminates the computation and
+ * returns the digest.
+ * The handle is prepared for a new cycle, but adding bytes to the
+ * handle will the destroy the returned buffer.
+ * Returns: 20 bytes representing the digest.
+ */
+byte *
+sha1_final(struct sha1_context *hd)
+{
+ u32 t, msb, lsb;
+ u32 *p;
+
+ sha1_update(hd, NULL, 0); /* flush */;
+
+ t = hd->nblocks;
+ /* multiply by 64 to make a byte count */
+ lsb = t << 6;
+ msb = t >> 26;
+ /* add the count */
+ t = lsb;
+ if ((lsb += hd->count) < t)
+ msb++;
+ /* multiply by 8 to make a bit count */
+ t = lsb;
+ lsb <<= 3;
+ msb <<= 3;
+ msb |= t >> 29;
+
+ if (hd->count < 56) /* enough room */
+ {
+ hd->buf[hd->count++] = 0x80; /* pad */
+ while (hd->count < 56)
+ hd->buf[hd->count++] = 0; /* pad */
+ }
+ else /* need one extra block */
+ {
+ hd->buf[hd->count++] = 0x80; /* pad character */
+ while (hd->count < 64)
+ hd->buf[hd->count++] = 0;
+ sha1_update(hd, NULL, 0); /* flush */;
+ memset(hd->buf, 0, 56 ); /* fill next block with zeroes */
+ }
+ /* append the 64 bit count */
+ hd->buf[56] = msb >> 24;
+ hd->buf[57] = msb >> 16;
+ hd->buf[58] = msb >> 8;
+ hd->buf[59] = msb ;
+ hd->buf[60] = lsb >> 24;
+ hd->buf[61] = lsb >> 16;
+ hd->buf[62] = lsb >> 8;
+ hd->buf[63] = lsb ;
+ sha1_transform(hd, hd->buf);
+
+ p = (u32*) hd->buf;
+#define X(a) do { put_u32(p, hd->h##a); p++; } while(0)
+ X(0);
+ X(1);
+ X(2);
+ X(3);
+ X(4);
+#undef X
+
+ return hd->buf;
+}
+
+
+/*
+ * SHA1-HMAC
+ */
+
+/*
+ * Shortcut function which puts the hash value of the supplied buffer
+ * into outbuf which must have a size of 20 bytes.
+ */
+void
+sha1_hash_buffer(byte *outbuf, const byte *buffer, uint length)
+{
+ struct sha1_context ctx;
+
+ sha1_init(&ctx);
+ sha1_update(&ctx, buffer, length);
+ memcpy(outbuf, sha1_final(&ctx), SHA1_SIZE);
+}
+
+void
+sha1_hmac_init(struct sha1_hmac_context *ctx, const byte *key, uint keylen)
+{
+ byte keybuf[SHA1_BLOCK_SIZE], buf[SHA1_BLOCK_SIZE];
+
+ /* Hash the key if necessary */
+ if (keylen <= SHA1_BLOCK_SIZE)
+ {
+ memcpy(keybuf, key, keylen);
+ bzero(keybuf + keylen, SHA1_BLOCK_SIZE - keylen);
+ }
+ else
+ {
+ sha1_hash_buffer(keybuf, key, keylen);
+ bzero(keybuf + SHA1_SIZE, SHA1_BLOCK_SIZE - SHA1_SIZE);
+ }
+
+ /* Initialize the inner digest */
+ sha1_init(&ctx->ictx);
+ int i;
+ for (i = 0; i < SHA1_BLOCK_SIZE; i++)
+ buf[i] = keybuf[i] ^ 0x36;
+ sha1_update(&ctx->ictx, buf, SHA1_BLOCK_SIZE);
+
+ /* Initialize the outer digest */
+ sha1_init(&ctx->octx);
+ for (i = 0; i < SHA1_BLOCK_SIZE; i++)
+ buf[i] = keybuf[i] ^ 0x5c;
+ sha1_update(&ctx->octx, buf, SHA1_BLOCK_SIZE);
+}
+
+void
+sha1_hmac_update(struct sha1_hmac_context *ctx, const byte *data, uint datalen)
+{
+ /* Just update the inner digest */
+ sha1_update(&ctx->ictx, data, datalen);
+}
+
+byte *sha1_hmac_final(struct sha1_hmac_context *ctx)
+{
+ /* Finish the inner digest */
+ byte *isha = sha1_final(&ctx->ictx);
+
+ /* Finish the outer digest */
+ sha1_update(&ctx->octx, isha, SHA1_SIZE);
+ return sha1_final(&ctx->octx);
+}
+
+void
+sha1_hmac(byte *outbuf, const byte *key, uint keylen, const byte *data, uint datalen)
+{
+ struct sha1_hmac_context hd;
+ sha1_hmac_init(&hd, key, keylen);
+ sha1_hmac_update(&hd, data, datalen);
+ byte *osha = sha1_hmac_final(&hd);
+ memcpy(outbuf, osha, SHA1_SIZE);
+}
diff --git a/lib/sha1.h b/lib/sha1.h
new file mode 100644
index 00000000..425160a0
--- /dev/null
+++ b/lib/sha1.h
@@ -0,0 +1,86 @@
+/*
+ * BIRD Library -- SHA-1 Hash Function (FIPS 180-1, RFC 3174) and HMAC-SHA-1
+ *
+ * (c) 2015 CZ.NIC z.s.p.o.
+ *
+ * Based on the code from libucw-6.4
+ * (c) 2008--2009 Martin Mares <mj@ucw.cz>
+ *
+ * Based on the code from libgcrypt-1.2.3, which is
+ * (c) 1998, 2001, 2002, 2003 Free Software Foundation, Inc.
+ *
+ * Can be freely distributed and used under the terms of the GNU GPL.
+ */
+
+#ifndef _BIRD_SHA1_H_
+#define _BIRD_SHA1_H_
+
+#include "nest/bird.h"
+
+/*
+ * Internal SHA1 state.
+ * You should use it just as an opaque handle only.
+ */
+struct sha1_context {
+ u32 h0,h1,h2,h3,h4;
+ u32 nblocks;
+ byte buf[64];
+ int count;
+} ;
+
+void sha1_init(struct sha1_context *hd); /* Initialize new algorithm run in the @hd context. **/
+/*
+ * Push another @inlen bytes of data pointed to by @inbuf onto the
+ * SHA1 hash currently in @hd. You can call this any times you want on
+ * the same hash (and you do not need to reinitialize it by
+ * @sha1_init()). It has the same effect as concatenating all the data
+ * together and passing them at once.
+ */
+void sha1_update(struct sha1_context *hd, const byte *inbuf, uint inlen);
+/*
+ * No more @sha1_update() calls will be done. This terminates the hash
+ * and returns a pointer to it.
+ *
+ * Note that the pointer points into data in the @hd context. If it ceases
+ * to exist, the pointer becomes invalid.
+ *
+ * To convert the hash to its usual hexadecimal representation, see
+ * <<string:mem_to_hex()>>.
+ */
+byte *sha1_final(struct sha1_context *hd);
+
+/*
+ * A convenience one-shot function for SHA1 hash.
+ * It is equivalent to this snippet of code:
+ *
+ * sha1_context hd;
+ * sha1_init(&hd);
+ * sha1_update(&hd, buffer, length);
+ * memcpy(outbuf, sha1_final(&hd), SHA1_SIZE);
+ */
+void sha1_hash_buffer(byte *outbuf, const byte *buffer, uint length);
+
+/*
+ * SHA1 HMAC message authentication. If you provide @key and @data,
+ * the result will be stored in @outbuf.
+ */
+void sha1_hmac(byte *outbuf, const byte *key, uint keylen, const byte *data, uint datalen);
+
+/*
+ * The HMAC also exists in a stream version in a way analogous to the
+ * plain SHA1. Pass this as a context.
+ */
+struct sha1_hmac_context {
+ struct sha1_context ictx;
+ struct sha1_context octx;
+};
+
+void sha1_hmac_init(struct sha1_hmac_context *hd, const byte *key, uint keylen); /* Initialize HMAC with context @hd and the given key. See sha1_init(). */
+void sha1_hmac_update(struct sha1_hmac_context *hd, const byte *data, uint datalen); /* Hash another @datalen bytes of data. See sha1_update(). */
+byte *sha1_hmac_final(struct sha1_hmac_context *hd); /* Terminate the HMAC and return a pointer to the allocated hash. See sha1_final(). */
+
+#define SHA1_SIZE 20 /* Size of the SHA1 hash in its binary representation **/
+#define SHA1_HEX_SIZE 41 /* Buffer length for a string containing SHA1 in hexadecimal format. **/
+#define SHA1_BLOCK_SIZE 64 /* SHA1 splits input to blocks of this size. **/
+
+#endif /* _BIRD_SHA1_H_ */
diff --git a/lib/sha256.c b/lib/sha256.c
new file mode 100644
index 00000000..2d979f90
--- /dev/null
+++ b/lib/sha256.c
@@ -0,0 +1,467 @@
+/*
+ * BIRD Library -- SHA-256 and SHA-224 Hash Functions,
+ * HMAC-SHA-256 and HMAC-SHA-224 Functions
+ *
+ * (c) 2015 CZ.NIC z.s.p.o.
+ *
+ * Based on the code from libgcrypt-1.6.0, which is
+ * (c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
+ *
+ * Can be freely distributed and used under the terms of the GNU GPL.
+ */
+
+#include "lib/sha256.h"
+#include "lib/unaligned.h"
+
+static uint sha256_transform(void *ctx, const byte *data, size_t nblks);
+
+void
+sha256_init(struct sha256_context *ctx)
+{
+ ctx->h0 = 0x6a09e667;
+ ctx->h1 = 0xbb67ae85;
+ ctx->h2 = 0x3c6ef372;
+ ctx->h3 = 0xa54ff53a;
+ ctx->h4 = 0x510e527f;
+ ctx->h5 = 0x9b05688c;
+ ctx->h6 = 0x1f83d9ab;
+ ctx->h7 = 0x5be0cd19;
+
+ ctx->nblocks = 0;
+ ctx->nblocks_high = 0;
+ ctx->count = 0;
+ ctx->blocksize = 64;
+ ctx->transform = sha256_transform;
+}
+
+void
+sha224_init(struct sha224_context *ctx)
+{
+ ctx->h0 = 0xc1059ed8;
+ ctx->h1 = 0x367cd507;
+ ctx->h2 = 0x3070dd17;
+ ctx->h3 = 0xf70e5939;
+ ctx->h4 = 0xffc00b31;
+ ctx->h5 = 0x68581511;
+ ctx->h6 = 0x64f98fa7;
+ ctx->h7 = 0xbefa4fa4;
+
+ ctx->nblocks = 0;
+ ctx->nblocks_high = 0;
+ ctx->count = 0;
+ ctx->blocksize = 64;
+ ctx->transform = sha256_transform;
+}
+
+/* (4.2) same as SHA-1's F1. */
+static inline u32
+f1(u32 x, u32 y, u32 z)
+{
+ return (z ^ (x & (y ^ z)));
+}
+
+/* (4.3) same as SHA-1's F3 */
+static inline u32
+f3(u32 x, u32 y, u32 z)
+{
+ return ((x & y) | (z & (x|y)));
+}
+
+/* Bitwise rotation of an uint to the right */
+static inline u32 ror(u32 x, int n)
+{
+ return ( (x >> (n&(32-1))) | (x << ((32-n)&(32-1))) );
+}
+
+/* (4.4) */
+static inline u32
+sum0(u32 x)
+{
+ return (ror(x, 2) ^ ror(x, 13) ^ ror(x, 22));
+}
+
+/* (4.5) */
+static inline u32
+sum1(u32 x)
+{
+ return (ror(x, 6) ^ ror(x, 11) ^ ror(x, 25));
+}
+
+/*
+ Transform the message X which consists of 16 32-bit-words. See FIPS
+ 180-2 for details. */
+#define S0(x) (ror((x), 7) ^ ror((x), 18) ^ ((x) >> 3)) /* (4.6) */
+#define S1(x) (ror((x), 17) ^ ror((x), 19) ^ ((x) >> 10)) /* (4.7) */
+#define R(a,b,c,d,e,f,g,h,k,w) \
+ do \
+ { \
+ t1 = (h) + sum1((e)) + f1((e),(f),(g)) + (k) + (w); \
+ t2 = sum0((a)) + f3((a),(b),(c)); \
+ h = g; \
+ g = f; \
+ f = e; \
+ e = d + t1; \
+ d = c; \
+ c = b; \
+ b = a; \
+ a = t1 + t2; \
+ } while (0)
+
+/*
+ The SHA-256 core: Transform the message X which consists of 16
+ 32-bit-words. See FIPS 180-2 for details.
+ */
+static uint
+sha256_transform_block(struct sha256_context *ctx, const byte *data)
+{
+ static const u32 K[64] = {
+ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
+ 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+ 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+ 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+ 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
+ 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+ 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
+ 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+ 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+ 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+ 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
+ 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+ 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
+ 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+ 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+ 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+ };
+
+ u32 a,b,c,d,e,f,g,h,t1,t2;
+ u32 w[64];
+ int i;
+
+ a = ctx->h0;
+ b = ctx->h1;
+ c = ctx->h2;
+ d = ctx->h3;
+ e = ctx->h4;
+ f = ctx->h5;
+ g = ctx->h6;
+ h = ctx->h7;
+
+ for (i = 0; i < 16; i++)
+ w[i] = get_u32(data + i * 4);
+ for (; i < 64; i++)
+ w[i] = S1(w[i-2]) + w[i-7] + S0(w[i-15]) + w[i-16];
+
+ for (i = 0; i < 64;)
+ {
+ t1 = h + sum1(e) + f1(e, f, g) + K[i] + w[i];
+ t2 = sum0 (a) + f3(a, b, c);
+ d += t1;
+ h = t1 + t2;
+
+ t1 = g + sum1(d) + f1(d, e, f) + K[i+1] + w[i+1];
+ t2 = sum0 (h) + f3(h, a, b);
+ c += t1;
+ g = t1 + t2;
+
+ t1 = f + sum1(c) + f1(c, d, e) + K[i+2] + w[i+2];
+ t2 = sum0 (g) + f3(g, h, a);
+ b += t1;
+ f = t1 + t2;
+
+ t1 = e + sum1(b) + f1(b, c, d) + K[i+3] + w[i+3];
+ t2 = sum0 (f) + f3(f, g, h);
+ a += t1;
+ e = t1 + t2;
+
+ t1 = d + sum1(a) + f1(a, b, c) + K[i+4] + w[i+4];
+ t2 = sum0 (e) + f3(e, f, g);
+ h += t1;
+ d = t1 + t2;
+
+ t1 = c + sum1(h) + f1(h, a, b) + K[i+5] + w[i+5];
+ t2 = sum0 (d) + f3(d, e, f);
+ g += t1;
+ c = t1 + t2;
+
+ t1 = b + sum1(g) + f1(g, h, a) + K[i+6] + w[i+6];
+ t2 = sum0 (c) + f3(c, d, e);
+ f += t1;
+ b = t1 + t2;
+
+ t1 = a + sum1(f) + f1(f, g, h) + K[i+7] + w[i+7];
+ t2 = sum0 (b) + f3(b, c, d);
+ e += t1;
+ a = t1 + t2;
+
+ i += 8;
+ }
+
+ ctx->h0 += a;
+ ctx->h1 += b;
+ ctx->h2 += c;
+ ctx->h3 += d;
+ ctx->h4 += e;
+ ctx->h5 += f;
+ ctx->h6 += g;
+ ctx->h7 += h;
+
+ return /*burn_stack*/ 74*4+32;
+}
+#undef S0
+#undef S1
+#undef R
+
+static uint
+sha256_transform(void *ctx, const byte *data, size_t nblks)
+{
+ struct sha256_context *hd = ctx;
+ uint burn;
+
+ do
+ {
+ burn = sha256_transform_block(hd, data);
+ data += 64;
+ }
+ while (--nblks);
+
+ return burn;
+}
+
+/* Common function to write a chunk of data to the transform function
+ of a hash algorithm. Note that the use of the term "block" does
+ not imply a fixed size block. Note that we explicitly allow to use
+ this function after the context has been finalized; the result does
+ not have any meaning but writing after finalize is sometimes
+ helpful to mitigate timing attacks. */
+void
+sha256_update(struct sha256_context *ctx, const byte *in_buf, size_t in_len)
+{
+ const uint blocksize = ctx->blocksize;
+ size_t inblocks;
+
+ if (sizeof(ctx->buf) < blocksize)
+ debug("BUG: in file %s at line %d", __FILE__ , __LINE__);
+
+ if (ctx->count == blocksize) /* Flush the buffer. */
+ {
+ ctx->transform(ctx, ctx->buf, 1);
+ ctx->count = 0;
+ if (!++ctx->nblocks)
+ ctx->nblocks_high++;
+ }
+ if (!in_buf)
+ return;
+
+ if (ctx->count)
+ {
+ for (; in_len && ctx->count < blocksize; in_len--)
+ ctx->buf[ctx->count++] = *in_buf++;
+ sha256_update(ctx, NULL, 0);
+ if (!in_len)
+ return;
+ }
+
+ if (in_len >= blocksize)
+ {
+ inblocks = in_len / blocksize;
+ ctx->transform(ctx, in_buf, inblocks);
+ ctx->count = 0;
+ ctx->nblocks_high += (ctx->nblocks + inblocks < inblocks);
+ ctx->nblocks += inblocks;
+ in_len -= inblocks * blocksize;
+ in_buf += inblocks * blocksize;
+ }
+ for (; in_len && ctx->count < blocksize; in_len--)
+ ctx->buf[ctx->count++] = *in_buf++;
+}
+
+/*
+ The routine finally terminates the computation and returns the
+ digest. The handle is prepared for a new cycle, but adding bytes
+ to the handle will the destroy the returned buffer. Returns: 32
+ bytes with the message the digest. */
+byte*
+sha256_final(struct sha256_context *ctx)
+{
+ u32 t, th, msb, lsb;
+ byte *p;
+
+ sha256_update(ctx, NULL, 0); /* flush */;
+
+ t = ctx->nblocks;
+ if (sizeof t == sizeof ctx->nblocks)
+ th = ctx->nblocks_high;
+ else
+ th = 0;
+
+ /* multiply by 64 to make a byte count */
+ lsb = t << 6;
+ msb = (th << 6) | (t >> 26);
+ /* add the count */
+ t = lsb;
+ if ((lsb += ctx->count) < t)
+ msb++;
+ /* multiply by 8 to make a bit count */
+ t = lsb;
+ lsb <<= 3;
+ msb <<= 3;
+ msb |= t >> 29;
+
+ if (ctx->count < 56)
+ { /* enough room */
+ ctx->buf[ctx->count++] = 0x80; /* pad */
+ while (ctx->count < 56)
+ ctx->buf[ctx->count++] = 0; /* pad */
+ }
+ else
+ { /* need one extra block */
+ ctx->buf[ctx->count++] = 0x80; /* pad character */
+ while (ctx->count < 64)
+ ctx->buf[ctx->count++] = 0;
+ sha256_update(ctx, NULL, 0); /* flush */;
+ memset (ctx->buf, 0, 56 ); /* fill next block with zeroes */
+ }
+ /* append the 64 bit count */
+ put_u32(ctx->buf + 56, msb);
+ put_u32(ctx->buf + 60, lsb);
+ sha256_transform(ctx, ctx->buf, 1);
+
+ p = ctx->buf;
+
+#define X(a) do { put_u32(p, ctx->h##a); p += 4; } while(0)
+ X(0);
+ X(1);
+ X(2);
+ X(3);
+ X(4);
+ X(5);
+ X(6);
+ X(7);
+#undef X
+
+ return ctx->buf;
+}
+
+
+/*
+ * SHA256-HMAC
+ */
+
+static void
+sha256_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
+{
+ struct sha256_context hd_tmp;
+
+ sha256_init(&hd_tmp);
+ sha256_update(&hd_tmp, buffer, length);
+ memcpy(outbuf, sha256_final(&hd_tmp), SHA256_SIZE);
+}
+
+void
+sha256_hmac_init(struct sha256_hmac_context *ctx, const byte *key, size_t keylen)
+{
+ byte keybuf[SHA256_BLOCK_SIZE], buf[SHA256_BLOCK_SIZE];
+
+ /* Hash the key if necessary */
+ if (keylen <= SHA256_BLOCK_SIZE)
+ {
+ memcpy(keybuf, key, keylen);
+ bzero(keybuf + keylen, SHA256_BLOCK_SIZE - keylen);
+ }
+ else
+ {
+ sha256_hash_buffer(keybuf, key, keylen);
+ bzero(keybuf + SHA256_SIZE, SHA256_BLOCK_SIZE - SHA256_SIZE);
+ }
+
+ /* Initialize the inner digest */
+ sha256_init(&ctx->ictx);
+ int i;
+ for (i = 0; i < SHA256_BLOCK_SIZE; i++)
+ buf[i] = keybuf[i] ^ 0x36;
+ sha256_update(&ctx->ictx, buf, SHA256_BLOCK_SIZE);
+
+ /* Initialize the outer digest */
+ sha256_init(&ctx->octx);
+ for (i = 0; i < SHA256_BLOCK_SIZE; i++)
+ buf[i] = keybuf[i] ^ 0x5c;
+ sha256_update(&ctx->octx, buf, SHA256_BLOCK_SIZE);
+}
+
+void sha256_hmac_update(struct sha256_hmac_context *ctx, const byte *buf, size_t buflen)
+{
+ /* Just update the inner digest */
+ sha256_update(&ctx->ictx, buf, buflen);
+}
+
+byte *sha256_hmac_final(struct sha256_hmac_context *ctx)
+{
+ /* Finish the inner digest */
+ byte *isha = sha256_final(&ctx->ictx);
+
+ /* Finish the outer digest */
+ sha256_update(&ctx->octx, isha, SHA256_SIZE);
+ return sha256_final(&ctx->octx);
+}
+
+
+/*
+ * SHA224-HMAC
+ */
+
+static void
+sha224_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
+{
+ struct sha224_context hd_tmp;
+
+ sha224_init(&hd_tmp);
+ sha224_update(&hd_tmp, buffer, length);
+ memcpy(outbuf, sha224_final(&hd_tmp), SHA224_SIZE);
+}
+
+void
+sha224_hmac_init(struct sha224_hmac_context *ctx, const byte *key, size_t keylen)
+{
+ byte keybuf[SHA224_BLOCK_SIZE], buf[SHA224_BLOCK_SIZE];
+
+ /* Hash the key if necessary */
+ if (keylen <= SHA224_BLOCK_SIZE)
+ {
+ memcpy(keybuf, key, keylen);
+ bzero(keybuf + keylen, SHA224_BLOCK_SIZE - keylen);
+ }
+ else
+ {
+ sha224_hash_buffer(keybuf, key, keylen);
+ bzero(keybuf + SHA224_SIZE, SHA224_BLOCK_SIZE - SHA224_SIZE);
+ }
+
+ /* Initialize the inner digest */
+ sha224_init(&ctx->ictx);
+ int i;
+ for (i = 0; i < SHA224_BLOCK_SIZE; i++)
+ buf[i] = keybuf[i] ^ 0x36;
+ sha224_update(&ctx->ictx, buf, SHA224_BLOCK_SIZE);
+
+ /* Initialize the outer digest */
+ sha224_init(&ctx->octx);
+ for (i = 0; i < SHA224_BLOCK_SIZE; i++)
+ buf[i] = keybuf[i] ^ 0x5c;
+ sha224_update(&ctx->octx, buf, SHA224_BLOCK_SIZE);
+}
+
+void sha224_hmac_update(struct sha224_hmac_context *ctx, const byte *buf, size_t buflen)
+{
+ /* Just update the inner digest */
+ sha256_update(&ctx->ictx, buf, buflen);
+}
+
+byte *sha224_hmac_final(struct sha224_hmac_context *ctx)
+{
+ /* Finish the inner digest */
+ byte *isha = sha224_final(&ctx->ictx);
+
+ /* Finish the outer digest */
+ sha224_update(&ctx->octx, isha, SHA224_SIZE);
+ return sha224_final(&ctx->octx);
+}
diff --git a/lib/sha256.h b/lib/sha256.h
new file mode 100644
index 00000000..848d2176
--- /dev/null
+++ b/lib/sha256.h
@@ -0,0 +1,71 @@
+/*
+ * BIRD Library -- SHA-256 and SHA-224 Hash Functions,
+ * HMAC-SHA-256 and HMAC-SHA-224 Functions
+ *
+ * (c) 2015 CZ.NIC z.s.p.o.
+ *
+ * Based on the code from libgcrypt-1.6.0, which is
+ * (c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
+ *
+ * Can be freely distributed and used under the terms of the GNU GPL.
+ */
+
+#ifndef _BIRD_SHA256_H_
+#define _BIRD_SHA256_H_
+
+#include "nest/bird.h"
+
+#define SHA224_SIZE 28
+#define SHA224_HEX_SIZE 57
+#define SHA224_BLOCK_SIZE 64
+
+#define SHA256_SIZE 32
+#define SHA256_HEX_SIZE 65
+#define SHA256_BLOCK_SIZE 64
+
+struct sha256_context {
+ u32 h0,h1,h2,h3,h4,h5,h6,h7;
+ byte buf[128]; /* 128 is for SHA384 and SHA512 support, otherwise for SHA224 and SHA256 is 64 enough */
+ u32 nblocks;
+ u32 nblocks_high;
+ int count;
+ u32 blocksize;
+ uint (*transform)(void *c, const byte *blks, size_t nblks);
+};
+#define sha224_context sha256_context /* aliasing 'struct sha224_context' to 'struct sha256_context' */
+
+void sha256_init(struct sha256_context *ctx);
+void sha224_init(struct sha224_context *ctx);
+
+void sha256_update(struct sha256_context *ctx, const byte *in_buf, size_t in_len);
+static inline void sha224_update(struct sha224_context *ctx, const byte *in_buf, size_t in_len)
+{
+ sha256_update(ctx, in_buf, in_len);
+}
+
+byte* sha256_final(struct sha256_context *ctx);
+static inline byte* sha224_final(struct sha224_context *ctx)
+{
+ return sha256_final(ctx);
+}
+
+/*
+ * HMAC-SHA256, HMAC-SHA224
+ */
+struct sha256_hmac_context
+{
+ struct sha256_context ictx;
+ struct sha256_context octx;
+};
+#define sha224_hmac_context sha256_hmac_context /* aliasing 'struct sha224_hmac_context' to 'struct sha256_hmac_context' */
+
+void sha256_hmac_init(struct sha256_hmac_context *ctx, const byte *key, size_t keylen);
+void sha224_hmac_init(struct sha224_hmac_context *ctx, const byte *key, size_t keylen);
+
+void sha256_hmac_update(struct sha256_hmac_context *ctx, const byte *buf, size_t buflen);
+void sha224_hmac_update(struct sha224_hmac_context *ctx, const byte *buf, size_t buflen);
+
+byte *sha256_hmac_final(struct sha256_hmac_context *ctx);
+byte *sha224_hmac_final(struct sha224_hmac_context *ctx);
+
+#endif /* _BIRD_SHA256_H_ */
diff --git a/lib/sha512.c b/lib/sha512.c
new file mode 100644
index 00000000..e46e4c98
--- /dev/null
+++ b/lib/sha512.c
@@ -0,0 +1,614 @@
+/*
+ * BIRD Library -- SHA-512 and SHA-384 Hash Functions,
+ * HMAC-SHA-512 and HMAC-SHA-384 Functions
+ *
+ * (c) 2015 CZ.NIC z.s.p.o.
+ *
+ * Based on the code from libgcrypt-1.6.0, which is
+ * (c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
+ *
+ * Can be freely distributed and used under the terms of the GNU GPL.
+ */
+
+#include "lib/sha256.h"
+#include "lib/sha512.h"
+#include "lib/unaligned.h"
+
+static uint sha512_transform(void *context, const byte *data, size_t nblks);
+
+void
+sha512_init(struct sha512_context *ctx)
+{
+ struct sha512_state *hd = &ctx->state;
+
+ hd->h0 = UINT64_C(0x6a09e667f3bcc908);
+ hd->h1 = UINT64_C(0xbb67ae8584caa73b);
+ hd->h2 = UINT64_C(0x3c6ef372fe94f82b);
+ hd->h3 = UINT64_C(0xa54ff53a5f1d36f1);
+ hd->h4 = UINT64_C(0x510e527fade682d1);
+ hd->h5 = UINT64_C(0x9b05688c2b3e6c1f);
+ hd->h6 = UINT64_C(0x1f83d9abfb41bd6b);
+ hd->h7 = UINT64_C(0x5be0cd19137e2179);
+
+ ctx->bctx.nblocks = 0;
+ ctx->bctx.nblocks_high = 0;
+ ctx->bctx.count = 0;
+ ctx->bctx.blocksize = 128;
+ ctx->bctx.transform = sha512_transform;
+}
+
+void
+sha384_init(struct sha384_context *ctx)
+{
+ struct sha512_state *hd = &ctx->state;
+
+ hd->h0 = UINT64_C(0xcbbb9d5dc1059ed8);
+ hd->h1 = UINT64_C(0x629a292a367cd507);
+ hd->h2 = UINT64_C(0x9159015a3070dd17);
+ hd->h3 = UINT64_C(0x152fecd8f70e5939);
+ hd->h4 = UINT64_C(0x67332667ffc00b31);
+ hd->h5 = UINT64_C(0x8eb44a8768581511);
+ hd->h6 = UINT64_C(0xdb0c2e0d64f98fa7);
+ hd->h7 = UINT64_C(0x47b5481dbefa4fa4);
+
+ ctx->bctx.nblocks = 0;
+ ctx->bctx.nblocks_high = 0;
+ ctx->bctx.count = 0;
+ ctx->bctx.blocksize = 128;
+ ctx->bctx.transform = sha512_transform;
+}
+
+void sha512_update(struct sha512_context *ctx, const byte *in_buf, size_t in_len)
+{
+ sha256_update(&ctx->bctx, in_buf, in_len);
+}
+
+static inline u64
+ROTR(u64 x, u64 n)
+{
+ return ((x >> n) | (x << (64 - n)));
+}
+
+static inline u64
+Ch(u64 x, u64 y, u64 z)
+{
+ return ((x & y) ^ ( ~x & z));
+}
+
+static inline u64
+Maj(u64 x, u64 y, u64 z)
+{
+ return ((x & y) ^ (x & z) ^ (y & z));
+}
+
+static inline u64
+Sum0(u64 x)
+{
+ return (ROTR (x, 28) ^ ROTR (x, 34) ^ ROTR (x, 39));
+}
+
+static inline u64
+Sum1 (u64 x)
+{
+ return (ROTR (x, 14) ^ ROTR (x, 18) ^ ROTR (x, 41));
+}
+
+static const u64 k[] =
+{
+ UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd),
+ UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc),
+ UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019),
+ UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118),
+ UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe),
+ UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2),
+ UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1),
+ UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694),
+ UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3),
+ UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65),
+ UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483),
+ UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5),
+ UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210),
+ UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4),
+ UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725),
+ UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70),
+ UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926),
+ UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df),
+ UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8),
+ UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b),
+ UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001),
+ UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30),
+ UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910),
+ UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8),
+ UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53),
+ UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8),
+ UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb),
+ UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3),
+ UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60),
+ UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec),
+ UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9),
+ UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b),
+ UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207),
+ UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178),
+ UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6),
+ UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b),
+ UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493),
+ UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c),
+ UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a),
+ UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817)
+};
+
+/*
+ * Transform the message W which consists of 16 64-bit-words
+ */
+static uint
+sha512_transform_block(struct sha512_state *hd, const byte *data)
+{
+ u64 a, b, c, d, e, f, g, h;
+ u64 w[16];
+ int t;
+
+ /* get values from the chaining vars */
+ a = hd->h0;
+ b = hd->h1;
+ c = hd->h2;
+ d = hd->h3;
+ e = hd->h4;
+ f = hd->h5;
+ g = hd->h6;
+ h = hd->h7;
+
+ for ( t = 0; t < 16; t++ )
+ w[t] = get_u64(data + t * 8);
+
+#define S0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7))
+#define S1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
+
+ for (t = 0; t < 80 - 16; )
+ {
+ u64 t1, t2;
+
+ /* Performance on a AMD Athlon(tm) Dual Core Processor 4050e
+ with gcc 4.3.3 using gcry_md_hash_buffer of each 10000 bytes
+ initialized to 0,1,2,3...255,0,... and 1000 iterations:
+
+ Not unrolled with macros: 440ms
+ Unrolled with macros: 350ms
+ Unrolled with inline: 330ms
+ */
+#if 0 /* Not unrolled. */
+ t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[t%16];
+ w[t%16] += S1 (w[(t - 2)%16]) + w[(t - 7)%16] + S0 (w[(t - 15)%16]);
+ t2 = Sum0 (a) + Maj(a, b, c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + t1;
+ d = c;
+ c = b;
+ b = a;
+ a = t1 + t2;
+ t++;
+#else /* Unrolled to interweave the chain variables. */
+ t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[0];
+ w[0] += S1 (w[14]) + w[9] + S0 (w[1]);
+ t2 = Sum0 (a) + Maj(a, b, c);
+ d += t1;
+ h = t1 + t2;
+
+ t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+1] + w[1];
+ w[1] += S1 (w[15]) + w[10] + S0 (w[2]);
+ t2 = Sum0 (h) + Maj(h, a, b);
+ c += t1;
+ g = t1 + t2;
+
+ t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+2] + w[2];
+ w[2] += S1 (w[0]) + w[11] + S0 (w[3]);
+ t2 = Sum0 (g) + Maj(g, h, a);
+ b += t1;
+ f = t1 + t2;
+
+ t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+3] + w[3];
+ w[3] += S1 (w[1]) + w[12] + S0 (w[4]);
+ t2 = Sum0 (f) + Maj(f, g, h);
+ a += t1;
+ e = t1 + t2;
+
+ t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+4] + w[4];
+ w[4] += S1 (w[2]) + w[13] + S0 (w[5]);
+ t2 = Sum0 (e) + Maj(e, f, g);
+ h += t1;
+ d = t1 + t2;
+
+ t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+5] + w[5];
+ w[5] += S1 (w[3]) + w[14] + S0 (w[6]);
+ t2 = Sum0 (d) + Maj(d, e, f);
+ g += t1;
+ c = t1 + t2;
+
+ t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+6] + w[6];
+ w[6] += S1 (w[4]) + w[15] + S0 (w[7]);
+ t2 = Sum0 (c) + Maj(c, d, e);
+ f += t1;
+ b = t1 + t2;
+
+ t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+7] + w[7];
+ w[7] += S1 (w[5]) + w[0] + S0 (w[8]);
+ t2 = Sum0 (b) + Maj(b, c, d);
+ e += t1;
+ a = t1 + t2;
+
+ t1 = h + Sum1 (e) + Ch(e, f, g) + k[t+8] + w[8];
+ w[8] += S1 (w[6]) + w[1] + S0 (w[9]);
+ t2 = Sum0 (a) + Maj(a, b, c);
+ d += t1;
+ h = t1 + t2;
+
+ t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+9] + w[9];
+ w[9] += S1 (w[7]) + w[2] + S0 (w[10]);
+ t2 = Sum0 (h) + Maj(h, a, b);
+ c += t1;
+ g = t1 + t2;
+
+ t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+10] + w[10];
+ w[10] += S1 (w[8]) + w[3] + S0 (w[11]);
+ t2 = Sum0 (g) + Maj(g, h, a);
+ b += t1;
+ f = t1 + t2;
+
+ t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+11] + w[11];
+ w[11] += S1 (w[9]) + w[4] + S0 (w[12]);
+ t2 = Sum0 (f) + Maj(f, g, h);
+ a += t1;
+ e = t1 + t2;
+
+ t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+12] + w[12];
+ w[12] += S1 (w[10]) + w[5] + S0 (w[13]);
+ t2 = Sum0 (e) + Maj(e, f, g);
+ h += t1;
+ d = t1 + t2;
+
+ t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+13] + w[13];
+ w[13] += S1 (w[11]) + w[6] + S0 (w[14]);
+ t2 = Sum0 (d) + Maj(d, e, f);
+ g += t1;
+ c = t1 + t2;
+
+ t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+14] + w[14];
+ w[14] += S1 (w[12]) + w[7] + S0 (w[15]);
+ t2 = Sum0 (c) + Maj(c, d, e);
+ f += t1;
+ b = t1 + t2;
+
+ t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+15] + w[15];
+ w[15] += S1 (w[13]) + w[8] + S0 (w[0]);
+ t2 = Sum0 (b) + Maj(b, c, d);
+ e += t1;
+ a = t1 + t2;
+
+ t += 16;
+#endif
+ }
+
+ for (; t < 80; )
+ {
+ u64 t1, t2;
+
+#if 0 /* Not unrolled. */
+ t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[t%16];
+ t2 = Sum0 (a) + Maj(a, b, c);
+ h = g;
+ g = f;
+ f = e;
+ e = d + t1;
+ d = c;
+ c = b;
+ b = a;
+ a = t1 + t2;
+ t++;
+#else /* Unrolled to interweave the chain variables. */
+ t1 = h + Sum1 (e) + Ch(e, f, g) + k[t] + w[0];
+ t2 = Sum0 (a) + Maj(a, b, c);
+ d += t1;
+ h = t1 + t2;
+
+ t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+1] + w[1];
+ t2 = Sum0 (h) + Maj(h, a, b);
+ c += t1;
+ g = t1 + t2;
+
+ t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+2] + w[2];
+ t2 = Sum0 (g) + Maj(g, h, a);
+ b += t1;
+ f = t1 + t2;
+
+ t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+3] + w[3];
+ t2 = Sum0 (f) + Maj(f, g, h);
+ a += t1;
+ e = t1 + t2;
+
+ t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+4] + w[4];
+ t2 = Sum0 (e) + Maj(e, f, g);
+ h += t1;
+ d = t1 + t2;
+
+ t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+5] + w[5];
+ t2 = Sum0 (d) + Maj(d, e, f);
+ g += t1;
+ c = t1 + t2;
+
+ t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+6] + w[6];
+ t2 = Sum0 (c) + Maj(c, d, e);
+ f += t1;
+ b = t1 + t2;
+
+ t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+7] + w[7];
+ t2 = Sum0 (b) + Maj(b, c, d);
+ e += t1;
+ a = t1 + t2;
+
+ t1 = h + Sum1 (e) + Ch(e, f, g) + k[t+8] + w[8];
+ t2 = Sum0 (a) + Maj(a, b, c);
+ d += t1;
+ h = t1 + t2;
+
+ t1 = g + Sum1 (d) + Ch(d, e, f) + k[t+9] + w[9];
+ t2 = Sum0 (h) + Maj(h, a, b);
+ c += t1;
+ g = t1 + t2;
+
+ t1 = f + Sum1 (c) + Ch(c, d, e) + k[t+10] + w[10];
+ t2 = Sum0 (g) + Maj(g, h, a);
+ b += t1;
+ f = t1 + t2;
+
+ t1 = e + Sum1 (b) + Ch(b, c, d) + k[t+11] + w[11];
+ t2 = Sum0 (f) + Maj(f, g, h);
+ a += t1;
+ e = t1 + t2;
+
+ t1 = d + Sum1 (a) + Ch(a, b, c) + k[t+12] + w[12];
+ t2 = Sum0 (e) + Maj(e, f, g);
+ h += t1;
+ d = t1 + t2;
+
+ t1 = c + Sum1 (h) + Ch(h, a, b) + k[t+13] + w[13];
+ t2 = Sum0 (d) + Maj(d, e, f);
+ g += t1;
+ c = t1 + t2;
+
+ t1 = b + Sum1 (g) + Ch(g, h, a) + k[t+14] + w[14];
+ t2 = Sum0 (c) + Maj(c, d, e);
+ f += t1;
+ b = t1 + t2;
+
+ t1 = a + Sum1 (f) + Ch(f, g, h) + k[t+15] + w[15];
+ t2 = Sum0 (b) + Maj(b, c, d);
+ e += t1;
+ a = t1 + t2;
+
+ t += 16;
+#endif
+ }
+
+ /* Update chaining vars. */
+ hd->h0 += a;
+ hd->h1 += b;
+ hd->h2 += c;
+ hd->h3 += d;
+ hd->h4 += e;
+ hd->h5 += f;
+ hd->h6 += g;
+ hd->h7 += h;
+
+ return /* burn_stack */ (8 + 16) * sizeof(u64) + sizeof(u32) + 3 * sizeof(void*);
+}
+
+static uint
+sha512_transform(void *context, const byte *data, size_t nblks)
+{
+ struct sha512_context *ctx = context;
+ uint burn;
+
+ do
+ {
+ burn = sha512_transform_block(&ctx->state, data) + 3 * sizeof(void*);
+ data += 128;
+ }
+ while(--nblks);
+
+ return burn;
+}
+
+/* The routine final terminates the computation and
+ * returns the digest.
+ * The handle is prepared for a new cycle, but adding bytes to the
+ * handle will the destroy the returned buffer.
+ * Returns: 64 bytes representing the digest. When used for sha384,
+ * we take the leftmost 48 of those bytes.
+ */
+byte *
+sha512_final(struct sha512_context *ctx)
+{
+ u64 t, th, msb, lsb;
+ byte *p;
+
+ sha256_update(&ctx->bctx, NULL, 0); /* flush */ ;
+
+ t = ctx->bctx.nblocks;
+ /* if (sizeof t == sizeof ctx->bctx.nblocks) */
+ th = ctx->bctx.nblocks_high;
+ /* else */
+ /* th = ctx->bctx.nblocks >> 64; In case we ever use u128 */
+
+ /* multiply by 128 to make a byte count */
+ lsb = t << 7;
+ msb = (th << 7) | (t >> 57);
+ /* add the count */
+ t = lsb;
+ if ((lsb += ctx->bctx.count) < t)
+ msb++;
+ /* multiply by 8 to make a bit count */
+ t = lsb;
+ lsb <<= 3;
+ msb <<= 3;
+ msb |= t >> 61;
+
+ if (ctx->bctx.count < 112)
+ { /* enough room */
+ ctx->bctx.buf[ctx->bctx.count++] = 0x80; /* pad */
+ while(ctx->bctx.count < 112)
+ ctx->bctx.buf[ctx->bctx.count++] = 0; /* pad */
+ }
+ else
+ { /* need one extra block */
+ ctx->bctx.buf[ctx->bctx.count++] = 0x80; /* pad character */
+ while(ctx->bctx.count < 128)
+ ctx->bctx.buf[ctx->bctx.count++] = 0;
+ sha256_update(&ctx->bctx, NULL, 0); /* flush */ ;
+ memset(ctx->bctx.buf, 0, 112); /* fill next block with zeroes */
+ }
+ /* append the 128 bit count */
+ put_u64(ctx->bctx.buf + 112, msb);
+ put_u64(ctx->bctx.buf + 120, lsb);
+ sha512_transform(ctx, ctx->bctx.buf, 1);
+
+ p = ctx->bctx.buf;
+#define X(a) do { put_u64(p, ctx->state.h##a); p += 8; } while(0)
+ X (0);
+ X (1);
+ X (2);
+ X (3);
+ X (4);
+ X (5);
+ /* Note that these last two chunks are included even for SHA384.
+ We just ignore them. */
+ X (6);
+ X (7);
+#undef X
+
+ return ctx->bctx.buf;
+}
+
+
+/*
+ * SHA512-HMAC
+ */
+
+static void
+sha512_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
+{
+ struct sha512_context hd_tmp;
+
+ sha512_init(&hd_tmp);
+ sha512_update(&hd_tmp, buffer, length);
+ memcpy(outbuf, sha512_final(&hd_tmp), SHA512_SIZE);
+}
+
+void
+sha512_hmac_init(struct sha512_hmac_context *ctx, const byte *key, size_t keylen)
+{
+ byte keybuf[SHA512_BLOCK_SIZE], buf[SHA512_BLOCK_SIZE];
+
+ /* Hash the key if necessary */
+ if (keylen <= SHA512_BLOCK_SIZE)
+ {
+ memcpy(keybuf, key, keylen);
+ bzero(keybuf + keylen, SHA512_BLOCK_SIZE - keylen);
+ }
+ else
+ {
+ sha512_hash_buffer(keybuf, key, keylen);
+ bzero(keybuf + SHA512_SIZE, SHA512_BLOCK_SIZE - SHA512_SIZE);
+ }
+
+ /* Initialize the inner digest */
+ sha512_init(&ctx->ictx);
+ int i;
+ for (i = 0; i < SHA512_BLOCK_SIZE; i++)
+ buf[i] = keybuf[i] ^ 0x36;
+ sha512_update(&ctx->ictx, buf, SHA512_BLOCK_SIZE);
+
+ /* Initialize the outer digest */
+ sha512_init(&ctx->octx);
+ for (i = 0; i < SHA512_BLOCK_SIZE; i++)
+ buf[i] = keybuf[i] ^ 0x5c;
+ sha512_update(&ctx->octx, buf, SHA512_BLOCK_SIZE);
+}
+
+void sha512_hmac_update(struct sha512_hmac_context *ctx, const byte *buf, size_t buflen)
+{
+ /* Just update the inner digest */
+ sha512_update(&ctx->ictx, buf, buflen);
+}
+
+byte *sha512_hmac_final(struct sha512_hmac_context *ctx)
+{
+ /* Finish the inner digest */
+ byte *isha = sha512_final(&ctx->ictx);
+
+ /* Finish the outer digest */
+ sha512_update(&ctx->octx, isha, SHA512_SIZE);
+ return sha512_final(&ctx->octx);
+}
+
+
+/*
+ * SHA384-HMAC
+ */
+
+static void
+sha384_hash_buffer(byte *outbuf, const byte *buffer, size_t length)
+{
+ struct sha384_context hd_tmp;
+
+ sha384_init(&hd_tmp);
+ sha384_update(&hd_tmp, buffer, length);
+ memcpy(outbuf, sha384_final(&hd_tmp), SHA384_SIZE);
+}
+
+void
+sha384_hmac_init(struct sha384_hmac_context *ctx, const byte *key, size_t keylen)
+{
+ byte keybuf[SHA384_BLOCK_SIZE], buf[SHA384_BLOCK_SIZE];
+
+ /* Hash the key if necessary */
+ if (keylen <= SHA384_BLOCK_SIZE)
+ {
+ memcpy(keybuf, key, keylen);
+ bzero(keybuf + keylen, SHA384_BLOCK_SIZE - keylen);
+ }
+ else
+ {
+ sha384_hash_buffer(keybuf, key, keylen);
+ bzero(keybuf + SHA384_SIZE, SHA384_BLOCK_SIZE - SHA384_SIZE);
+ }
+
+ /* Initialize the inner digest */
+ sha384_init(&ctx->ictx);
+ int i;
+ for (i = 0; i < SHA384_BLOCK_SIZE; i++)
+ buf[i] = keybuf[i] ^ 0x36;
+ sha384_update(&ctx->ictx, buf, SHA384_BLOCK_SIZE);
+
+ /* Initialize the outer digest */
+ sha384_init(&ctx->octx);
+ for (i = 0; i < SHA384_BLOCK_SIZE; i++)
+ buf[i] = keybuf[i] ^ 0x5c;
+ sha384_update(&ctx->octx, buf, SHA384_BLOCK_SIZE);
+}
+
+void sha384_hmac_update(struct sha384_hmac_context *ctx, const byte *buf, size_t buflen)
+{
+ /* Just update the inner digest */
+ sha384_update(&ctx->ictx, buf, buflen);
+}
+
+byte *sha384_hmac_final(struct sha384_hmac_context *ctx)
+{
+ /* Finish the inner digest */
+ byte *isha = sha384_final(&ctx->ictx);
+
+ /* Finish the outer digest */
+ sha384_update(&ctx->octx, isha, SHA384_SIZE);
+ return sha384_final(&ctx->octx);
+}
diff --git a/lib/sha512.h b/lib/sha512.h
new file mode 100644
index 00000000..bd998152
--- /dev/null
+++ b/lib/sha512.h
@@ -0,0 +1,73 @@
+/*
+ * BIRD Library -- SHA-512 and SHA-384 Hash Functions,
+ * HMAC-SHA-512 and HMAC-SHA-384 Functions
+ *
+ * (c) 2015 CZ.NIC z.s.p.o.
+ *
+ * Based on the code from libgcrypt-1.6.0, which is
+ * (c) 2003, 2006, 2008, 2009 Free Software Foundation, Inc.
+ *
+ * Can be freely distributed and used under the terms of the GNU GPL.
+ */
+
+#ifndef _BIRD_SHA512_H_
+#define _BIRD_SHA512_H_
+
+#include "lib/sha256.h"
+
+#define SHA384_SIZE 48
+#define SHA384_HEX_SIZE 97
+#define SHA384_BLOCK_SIZE 128
+
+#define SHA512_SIZE 64
+#define SHA512_HEX_SIZE 129
+#define SHA512_BLOCK_SIZE 128
+
+struct sha512_state
+{
+ u64 h0, h1, h2, h3, h4, h5, h6, h7;
+};
+
+struct sha512_context
+{
+ struct sha256_context bctx;
+ struct sha512_state state;
+};
+#define sha384_context sha512_context /* aliasing 'struct sha384_context' to 'struct sha512_context' */
+
+
+void sha512_init(struct sha512_context *ctx);
+void sha384_init(struct sha384_context *ctx);
+
+void sha512_update(struct sha512_context *ctx, const byte *in_buf, size_t in_len);
+static inline void sha384_update(struct sha384_context *ctx, const byte *in_buf, size_t in_len)
+{
+ sha512_update(ctx, in_buf, in_len);
+}
+
+byte* sha512_final(struct sha512_context *ctx);
+static inline byte* sha384_final(struct sha384_context *ctx)
+{
+ return sha512_final(ctx);
+}
+
+/*
+ * HMAC-SHA512, HMAC-SHA384
+ */
+struct sha512_hmac_context
+{
+ struct sha512_context ictx;
+ struct sha512_context octx;
+} ;
+#define sha384_hmac_context sha512_hmac_context /* aliasing 'struct sha384_hmac_context' to 'struct sha384_hmac_context' */
+
+void sha512_hmac_init(struct sha512_hmac_context *ctx, const byte *key, size_t keylen);
+void sha384_hmac_init(struct sha384_hmac_context *ctx, const byte *key, size_t keylen);
+
+void sha512_hmac_update(struct sha512_hmac_context *ctx, const byte *buf, size_t buflen);
+void sha384_hmac_update(struct sha384_hmac_context *ctx, const byte *buf, size_t buflen);
+
+byte *sha512_hmac_final(struct sha512_hmac_context *ctx);
+byte *sha384_hmac_final(struct sha384_hmac_context *ctx);
+
+#endif /* _BIRD_SHA512_H_ */
diff --git a/lib/unaligned.h b/lib/unaligned.h
index af655204..a2dbae4f 100644
--- a/lib/unaligned.h
+++ b/lib/unaligned.h
@@ -35,6 +35,15 @@ get_u32(void *p)
return ntohl(x);
}
+static inline u64
+get_u64(const void *p)
+{
+ u32 xh, xl;
+ memcpy(&xh, p, 4);
+ memcpy(&xl, p+4, 4);
+ return (((u64) ntohl(xh)) << 32) | ntohl(xl);
+}
+
static inline void
put_u16(void *p, u16 x)
{
@@ -49,4 +58,14 @@ put_u32(void *p, u32 x)
memcpy(p, &x, 4);
}
+static inline void
+put_u64(void *p, u64 x)
+{
+ u32 xh, xl;
+ xh = htonl(x >> 32);
+ xl = htonl((u32) x);
+ memcpy(p, &xh, 4);
+ memcpy(p+4, &xl, 4);
+}
+
#endif