xref: /openbmc/qemu/tests/tcg/multiarch/sha512.c (revision 7c08eefc)
1 /*
2  * sha512 test based on CCAN: https://ccodearchive.net/info/crypto/sha512.html
3  *
4  * src/crypto/sha512.cpp commit f914f1a746d7f91951c1da262a4a749dd3ebfa71
5  * Copyright (c) 2014 The Bitcoin Core developers
6  * Distributed under the MIT software license, see:
7  *  http://www.opensource.org/licenses/mit-license.php.
8  *
9  * SPDX-License-Identifier: MIT CC0-1.0
10  */
11 #define _GNU_SOURCE         /* See feature_test_macros(7) */
12 
13 #include <stdint.h>
14 #include <stdlib.h>
15 #include <stdio.h>
16 #include <unistd.h>
17 #include <ctype.h>
18 #include <stdarg.h>
19 
20 /* Required portions from endian.h */
21 
22 /**
23  * BSWAP_64 - reverse bytes in a constant uint64_t value.
24  * @val: constantvalue whose bytes to swap.
25  *
26  * Designed to be usable in constant-requiring initializers.
27  *
28  * Example:
29  *  struct mystruct {
30  *      char buf[BSWAP_64(0xff00000000000000ULL)];
31  *  };
32  */
33 #define BSWAP_64(val)                       \
34     ((((uint64_t)(val) & 0x00000000000000ffULL) << 56)  \
35      | (((uint64_t)(val) & 0x000000000000ff00ULL) << 40)    \
36      | (((uint64_t)(val) & 0x0000000000ff0000ULL) << 24)    \
37      | (((uint64_t)(val) & 0x00000000ff000000ULL) << 8)     \
38      | (((uint64_t)(val) & 0x000000ff00000000ULL) >> 8)     \
39      | (((uint64_t)(val) & 0x0000ff0000000000ULL) >> 24)    \
40      | (((uint64_t)(val) & 0x00ff000000000000ULL) >> 40)    \
41      | (((uint64_t)(val) & 0xff00000000000000ULL) >> 56))
42 
43 
44 typedef uint64_t beint64_t;
45 
46 #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
47 
48 /**
49  * CPU_TO_BE64 - convert a constant uint64_t value to big-endian
50  * @native: constant to convert
51  */
52 #define CPU_TO_BE64(native) ((beint64_t)(native))
53 /**
54  * BE64_TO_CPU - convert a big-endian uint64_t constant
55  * @le_val: big-endian constant to convert
56  */
57 #define BE64_TO_CPU(le_val) ((uint64_t)(le_val))
58 
59 #else /* ... HAVE_LITTLE_ENDIAN */
60 #define CPU_TO_BE64(native) ((beint64_t)BSWAP_64(native))
61 #define BE64_TO_CPU(le_val) BSWAP_64((uint64_t)le_val)
62 #endif /* HAVE_LITTE_ENDIAN */
63 
64 /**
65  * cpu_to_be64 - convert a uint64_t value to big endian.
66  * @native: value to convert
67  */
68 static inline beint64_t cpu_to_be64(uint64_t native)
69 {
70     return CPU_TO_BE64(native);
71 }
72 
73 /**
74  * be64_to_cpu - convert a big-endian uint64_t value
75  * @be_val: big-endian value to convert
76  */
77 static inline uint64_t be64_to_cpu(beint64_t be_val)
78 {
79     return BE64_TO_CPU(be_val);
80 }
81 
82 /* From compiler.h */
83 
84 #ifndef UNUSED
85 /**
86  * UNUSED - a parameter is unused
87  *
88  * Some compilers (eg. gcc with -W or -Wunused) warn about unused
89  * function parameters.  This suppresses such warnings and indicates
90  * to the reader that it's deliberate.
91  *
92  * Example:
93  *  // This is used as a callback, so needs to have this prototype.
94  *  static int some_callback(void *unused UNUSED)
95  *  {
96  *      return 0;
97  *  }
98  */
99 #define UNUSED __attribute__((__unused__))
100 #endif
101 
102 /* From sha512.h */
103 
104 /**
105  * struct sha512 - structure representing a completed SHA512.
106  * @u.u8: an unsigned char array.
107  * @u.u64: a 64-bit integer array.
108  *
109  * Other fields may be added to the union in future.
110  */
111 struct sha512 {
112     union {
113         uint64_t u64[8];
114         unsigned char u8[64];
115     } u;
116 };
117 
118 /**
119  * sha512 - return sha512 of an object.
120  * @sha512: the sha512 to fill in
121  * @p: pointer to memory,
122  * @size: the number of bytes pointed to by @p
123  *
124  * The bytes pointed to by @p is SHA512 hashed into @sha512.  This is
125  * equivalent to sha512_init(), sha512_update() then sha512_done().
126  */
127 void sha512(struct sha512 *sha, const void *p, size_t size);
128 
129 /**
130  * struct sha512_ctx - structure to store running context for sha512
131  */
132 struct sha512_ctx {
133     uint64_t s[8];
134     union {
135         uint64_t u64[16];
136         unsigned char u8[128];
137     } buf;
138     size_t bytes;
139 };
140 
141 /**
142  * sha512_init - initialize an SHA512 context.
143  * @ctx: the sha512_ctx to initialize
144  *
145  * This must be called before sha512_update or sha512_done, or
146  * alternately you can assign SHA512_INIT.
147  *
148  * If it was already initialized, this forgets anything which was
149  * hashed before.
150  *
151  * Example:
152  * static void hash_all(const char **arr, struct sha512 *hash)
153  * {
154  *  size_t i;
155  *  struct sha512_ctx ctx;
156  *
157  *  sha512_init(&ctx);
158  *  for (i = 0; arr[i]; i++)
159  *      sha512_update(&ctx, arr[i], strlen(arr[i]));
160  *  sha512_done(&ctx, hash);
161  * }
162  */
163 void sha512_init(struct sha512_ctx *ctx);
164 
165 /**
166  * SHA512_INIT - initializer for an SHA512 context.
167  *
168  * This can be used to statically initialize an SHA512 context (instead
169  * of sha512_init()).
170  *
171  * Example:
172  * static void hash_all(const char **arr, struct sha512 *hash)
173  * {
174  *  size_t i;
175  *  struct sha512_ctx ctx = SHA512_INIT;
176  *
177  *  for (i = 0; arr[i]; i++)
178  *      sha512_update(&ctx, arr[i], strlen(arr[i]));
179  *  sha512_done(&ctx, hash);
180  * }
181  */
182 #define SHA512_INIT                                         \
183     { { 0x6a09e667f3bcc908ull, 0xbb67ae8584caa73bull,   \
184         0x3c6ef372fe94f82bull, 0xa54ff53a5f1d36f1ull,   \
185         0x510e527fade682d1ull, 0x9b05688c2b3e6c1full,   \
186         0x1f83d9abfb41bd6bull, 0x5be0cd19137e2179ull }, \
187       { { 0 } }, 0 }
188 
189 /**
190  * sha512_update - include some memory in the hash.
191  * @ctx: the sha512_ctx to use
192  * @p: pointer to memory,
193  * @size: the number of bytes pointed to by @p
194  *
195  * You can call this multiple times to hash more data, before calling
196  * sha512_done().
197  */
198 void sha512_update(struct sha512_ctx *ctx, const void *p, size_t size);
199 
200 /**
201  * sha512_done - finish SHA512 and return the hash
202  * @ctx: the sha512_ctx to complete
203  * @res: the hash to return.
204  *
205  * Note that @ctx is *destroyed* by this, and must be reinitialized.
206  * To avoid that, pass a copy instead.
207  */
208 void sha512_done(struct sha512_ctx *sha512, struct sha512 *res);
209 
210 /* From sha512.c */
211 
212 /*
213  * SHA512 core code translated from the Bitcoin project's C++:
214  *
215  * src/crypto/sha512.cpp commit f914f1a746d7f91951c1da262a4a749dd3ebfa71
216  * Copyright (c) 2014 The Bitcoin Core developers
217  * Distributed under the MIT software license, see the accompanying
218  * file COPYING or http://www.opensource.org/licenses/mit-license.php.
219  */
220 /* #include <ccan/endian/endian.h> */
221 /* #include <ccan/compiler/compiler.h> */
222 #include <stdbool.h>
223 #include <assert.h>
224 #include <string.h>
225 
226 static void invalidate_sha512(struct sha512_ctx *ctx)
227 {
228     ctx->bytes = (size_t)-1;
229 }
230 
231 static void check_sha512(struct sha512_ctx *ctx UNUSED)
232 {
233     assert(ctx->bytes != (size_t)-1);
234 }
235 
236 static uint64_t Ch(uint64_t x, uint64_t y, uint64_t z)
237 {
238     return z ^ (x & (y ^ z));
239 }
240 static uint64_t Maj(uint64_t x, uint64_t y, uint64_t z)
241 {
242     return (x & y) | (z & (x | y));
243 }
244 static uint64_t Sigma0(uint64_t x)
245 {
246     return (x >> 28 | x << 36) ^ (x >> 34 | x << 30) ^ (x >> 39 | x << 25);
247 }
248 static uint64_t Sigma1(uint64_t x)
249 {
250     return (x >> 14 | x << 50) ^ (x >> 18 | x << 46) ^ (x >> 41 | x << 23);
251 }
252 static uint64_t sigma0(uint64_t x)
253 {
254     return (x >> 1 | x << 63) ^ (x >> 8 | x << 56) ^ (x >> 7);
255 }
256 static uint64_t sigma1(uint64_t x)
257 {
258     return (x >> 19 | x << 45) ^ (x >> 61 | x << 3) ^ (x >> 6);
259 }
260 
261 /** One round of SHA-512. */
262 static void Round(uint64_t a, uint64_t b, uint64_t c, uint64_t *d, uint64_t e, uint64_t f, uint64_t g, uint64_t *h, uint64_t k, uint64_t w)
263 {
264     uint64_t t1 = *h + Sigma1(e) + Ch(e, f, g) + k + w;
265     uint64_t t2 = Sigma0(a) + Maj(a, b, c);
266     *d += t1;
267     *h = t1 + t2;
268 }
269 
270 /** Perform one SHA-512 transformation, processing a 128-byte chunk. */
271 static void Transform(uint64_t *s, const uint64_t *chunk)
272 {
273     uint64_t a = s[0], b = s[1], c = s[2], d = s[3], e = s[4], f = s[5], g = s[6], h = s[7];
274     uint64_t w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15;
275 
276     Round(a, b, c, &d, e, f, g, &h, 0x428a2f98d728ae22ull, w0 = be64_to_cpu(chunk[0]));
277     Round(h, a, b, &c, d, e, f, &g, 0x7137449123ef65cdull, w1 = be64_to_cpu(chunk[1]));
278     Round(g, h, a, &b, c, d, e, &f, 0xb5c0fbcfec4d3b2full, w2 = be64_to_cpu(chunk[2]));
279     Round(f, g, h, &a, b, c, d, &e, 0xe9b5dba58189dbbcull, w3 = be64_to_cpu(chunk[3]));
280     Round(e, f, g, &h, a, b, c, &d, 0x3956c25bf348b538ull, w4 = be64_to_cpu(chunk[4]));
281     Round(d, e, f, &g, h, a, b, &c, 0x59f111f1b605d019ull, w5 = be64_to_cpu(chunk[5]));
282     Round(c, d, e, &f, g, h, a, &b, 0x923f82a4af194f9bull, w6 = be64_to_cpu(chunk[6]));
283     Round(b, c, d, &e, f, g, h, &a, 0xab1c5ed5da6d8118ull, w7 = be64_to_cpu(chunk[7]));
284     Round(a, b, c, &d, e, f, g, &h, 0xd807aa98a3030242ull, w8 = be64_to_cpu(chunk[8]));
285     Round(h, a, b, &c, d, e, f, &g, 0x12835b0145706fbeull, w9 = be64_to_cpu(chunk[9]));
286     Round(g, h, a, &b, c, d, e, &f, 0x243185be4ee4b28cull, w10 = be64_to_cpu(chunk[10]));
287     Round(f, g, h, &a, b, c, d, &e, 0x550c7dc3d5ffb4e2ull, w11 = be64_to_cpu(chunk[11]));
288     Round(e, f, g, &h, a, b, c, &d, 0x72be5d74f27b896full, w12 = be64_to_cpu(chunk[12]));
289     Round(d, e, f, &g, h, a, b, &c, 0x80deb1fe3b1696b1ull, w13 = be64_to_cpu(chunk[13]));
290     Round(c, d, e, &f, g, h, a, &b, 0x9bdc06a725c71235ull, w14 = be64_to_cpu(chunk[14]));
291     Round(b, c, d, &e, f, g, h, &a, 0xc19bf174cf692694ull, w15 = be64_to_cpu(chunk[15]));
292 
293     Round(a, b, c, &d, e, f, g, &h, 0xe49b69c19ef14ad2ull, w0 += sigma1(w14) + w9 + sigma0(w1));
294     Round(h, a, b, &c, d, e, f, &g, 0xefbe4786384f25e3ull, w1 += sigma1(w15) + w10 + sigma0(w2));
295     Round(g, h, a, &b, c, d, e, &f, 0x0fc19dc68b8cd5b5ull, w2 += sigma1(w0) + w11 + sigma0(w3));
296     Round(f, g, h, &a, b, c, d, &e, 0x240ca1cc77ac9c65ull, w3 += sigma1(w1) + w12 + sigma0(w4));
297     Round(e, f, g, &h, a, b, c, &d, 0x2de92c6f592b0275ull, w4 += sigma1(w2) + w13 + sigma0(w5));
298     Round(d, e, f, &g, h, a, b, &c, 0x4a7484aa6ea6e483ull, w5 += sigma1(w3) + w14 + sigma0(w6));
299     Round(c, d, e, &f, g, h, a, &b, 0x5cb0a9dcbd41fbd4ull, w6 += sigma1(w4) + w15 + sigma0(w7));
300     Round(b, c, d, &e, f, g, h, &a, 0x76f988da831153b5ull, w7 += sigma1(w5) + w0 + sigma0(w8));
301     Round(a, b, c, &d, e, f, g, &h, 0x983e5152ee66dfabull, w8 += sigma1(w6) + w1 + sigma0(w9));
302     Round(h, a, b, &c, d, e, f, &g, 0xa831c66d2db43210ull, w9 += sigma1(w7) + w2 + sigma0(w10));
303     Round(g, h, a, &b, c, d, e, &f, 0xb00327c898fb213full, w10 += sigma1(w8) + w3 + sigma0(w11));
304     Round(f, g, h, &a, b, c, d, &e, 0xbf597fc7beef0ee4ull, w11 += sigma1(w9) + w4 + sigma0(w12));
305     Round(e, f, g, &h, a, b, c, &d, 0xc6e00bf33da88fc2ull, w12 += sigma1(w10) + w5 + sigma0(w13));
306     Round(d, e, f, &g, h, a, b, &c, 0xd5a79147930aa725ull, w13 += sigma1(w11) + w6 + sigma0(w14));
307     Round(c, d, e, &f, g, h, a, &b, 0x06ca6351e003826full, w14 += sigma1(w12) + w7 + sigma0(w15));
308     Round(b, c, d, &e, f, g, h, &a, 0x142929670a0e6e70ull, w15 += sigma1(w13) + w8 + sigma0(w0));
309 
310     Round(a, b, c, &d, e, f, g, &h, 0x27b70a8546d22ffcull, w0 += sigma1(w14) + w9 + sigma0(w1));
311     Round(h, a, b, &c, d, e, f, &g, 0x2e1b21385c26c926ull, w1 += sigma1(w15) + w10 + sigma0(w2));
312     Round(g, h, a, &b, c, d, e, &f, 0x4d2c6dfc5ac42aedull, w2 += sigma1(w0) + w11 + sigma0(w3));
313     Round(f, g, h, &a, b, c, d, &e, 0x53380d139d95b3dfull, w3 += sigma1(w1) + w12 + sigma0(w4));
314     Round(e, f, g, &h, a, b, c, &d, 0x650a73548baf63deull, w4 += sigma1(w2) + w13 + sigma0(w5));
315     Round(d, e, f, &g, h, a, b, &c, 0x766a0abb3c77b2a8ull, w5 += sigma1(w3) + w14 + sigma0(w6));
316     Round(c, d, e, &f, g, h, a, &b, 0x81c2c92e47edaee6ull, w6 += sigma1(w4) + w15 + sigma0(w7));
317     Round(b, c, d, &e, f, g, h, &a, 0x92722c851482353bull, w7 += sigma1(w5) + w0 + sigma0(w8));
318     Round(a, b, c, &d, e, f, g, &h, 0xa2bfe8a14cf10364ull, w8 += sigma1(w6) + w1 + sigma0(w9));
319     Round(h, a, b, &c, d, e, f, &g, 0xa81a664bbc423001ull, w9 += sigma1(w7) + w2 + sigma0(w10));
320     Round(g, h, a, &b, c, d, e, &f, 0xc24b8b70d0f89791ull, w10 += sigma1(w8) + w3 + sigma0(w11));
321     Round(f, g, h, &a, b, c, d, &e, 0xc76c51a30654be30ull, w11 += sigma1(w9) + w4 + sigma0(w12));
322     Round(e, f, g, &h, a, b, c, &d, 0xd192e819d6ef5218ull, w12 += sigma1(w10) + w5 + sigma0(w13));
323     Round(d, e, f, &g, h, a, b, &c, 0xd69906245565a910ull, w13 += sigma1(w11) + w6 + sigma0(w14));
324     Round(c, d, e, &f, g, h, a, &b, 0xf40e35855771202aull, w14 += sigma1(w12) + w7 + sigma0(w15));
325     Round(b, c, d, &e, f, g, h, &a, 0x106aa07032bbd1b8ull, w15 += sigma1(w13) + w8 + sigma0(w0));
326 
327     Round(a, b, c, &d, e, f, g, &h, 0x19a4c116b8d2d0c8ull, w0 += sigma1(w14) + w9 + sigma0(w1));
328     Round(h, a, b, &c, d, e, f, &g, 0x1e376c085141ab53ull, w1 += sigma1(w15) + w10 + sigma0(w2));
329     Round(g, h, a, &b, c, d, e, &f, 0x2748774cdf8eeb99ull, w2 += sigma1(w0) + w11 + sigma0(w3));
330     Round(f, g, h, &a, b, c, d, &e, 0x34b0bcb5e19b48a8ull, w3 += sigma1(w1) + w12 + sigma0(w4));
331     Round(e, f, g, &h, a, b, c, &d, 0x391c0cb3c5c95a63ull, w4 += sigma1(w2) + w13 + sigma0(w5));
332     Round(d, e, f, &g, h, a, b, &c, 0x4ed8aa4ae3418acbull, w5 += sigma1(w3) + w14 + sigma0(w6));
333     Round(c, d, e, &f, g, h, a, &b, 0x5b9cca4f7763e373ull, w6 += sigma1(w4) + w15 + sigma0(w7));
334     Round(b, c, d, &e, f, g, h, &a, 0x682e6ff3d6b2b8a3ull, w7 += sigma1(w5) + w0 + sigma0(w8));
335     Round(a, b, c, &d, e, f, g, &h, 0x748f82ee5defb2fcull, w8 += sigma1(w6) + w1 + sigma0(w9));
336     Round(h, a, b, &c, d, e, f, &g, 0x78a5636f43172f60ull, w9 += sigma1(w7) + w2 + sigma0(w10));
337     Round(g, h, a, &b, c, d, e, &f, 0x84c87814a1f0ab72ull, w10 += sigma1(w8) + w3 + sigma0(w11));
338     Round(f, g, h, &a, b, c, d, &e, 0x8cc702081a6439ecull, w11 += sigma1(w9) + w4 + sigma0(w12));
339     Round(e, f, g, &h, a, b, c, &d, 0x90befffa23631e28ull, w12 += sigma1(w10) + w5 + sigma0(w13));
340     Round(d, e, f, &g, h, a, b, &c, 0xa4506cebde82bde9ull, w13 += sigma1(w11) + w6 + sigma0(w14));
341     Round(c, d, e, &f, g, h, a, &b, 0xbef9a3f7b2c67915ull, w14 += sigma1(w12) + w7 + sigma0(w15));
342     Round(b, c, d, &e, f, g, h, &a, 0xc67178f2e372532bull, w15 += sigma1(w13) + w8 + sigma0(w0));
343 
344     Round(a, b, c, &d, e, f, g, &h, 0xca273eceea26619cull, w0 += sigma1(w14) + w9 + sigma0(w1));
345     Round(h, a, b, &c, d, e, f, &g, 0xd186b8c721c0c207ull, w1 += sigma1(w15) + w10 + sigma0(w2));
346     Round(g, h, a, &b, c, d, e, &f, 0xeada7dd6cde0eb1eull, w2 += sigma1(w0) + w11 + sigma0(w3));
347     Round(f, g, h, &a, b, c, d, &e, 0xf57d4f7fee6ed178ull, w3 += sigma1(w1) + w12 + sigma0(w4));
348     Round(e, f, g, &h, a, b, c, &d, 0x06f067aa72176fbaull, w4 += sigma1(w2) + w13 + sigma0(w5));
349     Round(d, e, f, &g, h, a, b, &c, 0x0a637dc5a2c898a6ull, w5 += sigma1(w3) + w14 + sigma0(w6));
350     Round(c, d, e, &f, g, h, a, &b, 0x113f9804bef90daeull, w6 += sigma1(w4) + w15 + sigma0(w7));
351     Round(b, c, d, &e, f, g, h, &a, 0x1b710b35131c471bull, w7 += sigma1(w5) + w0 + sigma0(w8));
352     Round(a, b, c, &d, e, f, g, &h, 0x28db77f523047d84ull, w8 += sigma1(w6) + w1 + sigma0(w9));
353     Round(h, a, b, &c, d, e, f, &g, 0x32caab7b40c72493ull, w9 += sigma1(w7) + w2 + sigma0(w10));
354     Round(g, h, a, &b, c, d, e, &f, 0x3c9ebe0a15c9bebcull, w10 += sigma1(w8) + w3 + sigma0(w11));
355     Round(f, g, h, &a, b, c, d, &e, 0x431d67c49c100d4cull, w11 += sigma1(w9) + w4 + sigma0(w12));
356     Round(e, f, g, &h, a, b, c, &d, 0x4cc5d4becb3e42b6ull, w12 += sigma1(w10) + w5 + sigma0(w13));
357     Round(d, e, f, &g, h, a, b, &c, 0x597f299cfc657e2aull, w13 += sigma1(w11) + w6 + sigma0(w14));
358     Round(c, d, e, &f, g, h, a, &b, 0x5fcb6fab3ad6faecull, w14 + sigma1(w12) + w7 + sigma0(w15));
359     Round(b, c, d, &e, f, g, h, &a, 0x6c44198c4a475817ull, w15 + sigma1(w13) + w8 + sigma0(w0));
360 
361     s[0] += a;
362     s[1] += b;
363     s[2] += c;
364     s[3] += d;
365     s[4] += e;
366     s[5] += f;
367     s[6] += g;
368     s[7] += h;
369 }
370 
371 static bool alignment_ok(const void *p UNUSED, size_t n UNUSED)
372 {
373 #if HAVE_UNALIGNED_ACCESS
374     return true;
375 #else
376     return ((size_t)p % n == 0);
377 #endif
378 }
379 
380 static void add(struct sha512_ctx *ctx, const void *p, size_t len)
381 {
382     const unsigned char *data = p;
383     size_t bufsize = ctx->bytes % 128;
384 
385     if (bufsize + len >= 128) {
386         /* Fill the buffer, and process it. */
387         memcpy(ctx->buf.u8 + bufsize, data, 128 - bufsize);
388         ctx->bytes += 128 - bufsize;
389         data += 128 - bufsize;
390         len -= 128 - bufsize;
391         Transform(ctx->s, ctx->buf.u64);
392         bufsize = 0;
393     }
394 
395     while (len >= 128) {
396         /* Process full chunks directly from the source. */
397         if (alignment_ok(data, sizeof(uint64_t)))
398             Transform(ctx->s, (const uint64_t *)data);
399         else {
400             memcpy(ctx->buf.u8, data, sizeof(ctx->buf));
401             Transform(ctx->s, ctx->buf.u64);
402         }
403         ctx->bytes += 128;
404         data += 128;
405         len -= 128;
406     }
407 
408     if (len) {
409         /* Fill the buffer with what remains. */
410         memcpy(ctx->buf.u8 + bufsize, data, len);
411         ctx->bytes += len;
412     }
413 }
414 
415 void sha512_init(struct sha512_ctx *ctx)
416 {
417     struct sha512_ctx init = SHA512_INIT;
418     *ctx = init;
419 }
420 
421 void sha512_update(struct sha512_ctx *ctx, const void *p, size_t size)
422 {
423     check_sha512(ctx);
424     add(ctx, p, size);
425 }
426 
427 void sha512_done(struct sha512_ctx *ctx, struct sha512 *res)
428 {
429     static const unsigned char pad[128] = { 0x80 };
430     uint64_t sizedesc[2] = { 0, 0 };
431     size_t i;
432 
433     sizedesc[1] = cpu_to_be64((uint64_t)ctx->bytes << 3);
434 
435     /* Add '1' bit to terminate, then all 0 bits, up to next block - 16. */
436     add(ctx, pad, 1 + ((256 - 16 - (ctx->bytes % 128) - 1) % 128));
437     /* Add number of bits of data (big endian) */
438     add(ctx, sizedesc, sizeof(sizedesc));
439     for (i = 0; i < sizeof(ctx->s) / sizeof(ctx->s[0]); i++)
440         res->u.u64[i] = cpu_to_be64(ctx->s[i]);
441     invalidate_sha512(ctx);
442 }
443 
444 void sha512(struct sha512 *sha, const void *p, size_t size)
445 {
446     struct sha512_ctx ctx;
447 
448     sha512_init(&ctx);
449     sha512_update(&ctx, p, size);
450     sha512_done(&ctx, sha);
451 }
452 
453 /* From hex.h */
454 /**
455  * hex_decode - Unpack a hex string.
456  * @str: the hexadecimal string
457  * @slen: the length of @str
458  * @buf: the buffer to write the data into
459  * @bufsize: the length of @buf
460  *
461  * Returns false if there are any characters which aren't 0-9, a-f or A-F,
462  * of the string wasn't the right length for @bufsize.
463  *
464  * Example:
465  *  unsigned char data[20];
466  *
467  *  if (!hex_decode(argv[1], strlen(argv[1]), data, 20))
468  *      printf("String is malformed!\n");
469  */
470 bool hex_decode(const char *str, size_t slen, void *buf, size_t bufsize);
471 
472 /**
473  * hex_encode - Create a nul-terminated hex string
474  * @buf: the buffer to read the data from
475  * @bufsize: the length of @buf
476  * @dest: the string to fill
477  * @destsize: the max size of the string
478  *
479  * Returns true if the string, including terminator, fit in @destsize;
480  *
481  * Example:
482  *  unsigned char buf[] = { 0x1F, 0x2F };
483  *  char str[5];
484  *
485  *  if (!hex_encode(buf, sizeof(buf), str, sizeof(str)))
486  *      abort();
487  */
488 bool hex_encode(const void *buf, size_t bufsize, char *dest, size_t destsize);
489 
490 /**
491  * hex_str_size - Calculate how big a nul-terminated hex string is
492  * @bytes: bytes of data to represent
493  *
494  * Example:
495  *  unsigned char buf[] = { 0x1F, 0x2F };
496  *  char str[hex_str_size(sizeof(buf))];
497  *
498  *  hex_encode(buf, sizeof(buf), str, sizeof(str));
499  */
500 static inline size_t hex_str_size(size_t bytes)
501 {
502     return 2 * bytes + 1;
503 }
504 
505 /* From hex.c */
506 static bool char_to_hex(unsigned char *val, char c)
507 {
508     if (c >= '0' && c <= '9') {
509         *val = c - '0';
510         return true;
511     }
512     if (c >= 'a' && c <= 'f') {
513         *val = c - 'a' + 10;
514         return true;
515     }
516     if (c >= 'A' && c <= 'F') {
517         *val = c - 'A' + 10;
518         return true;
519     }
520     return false;
521 }
522 
523 bool hex_decode(const char *str, size_t slen, void *buf, size_t bufsize)
524 {
525     unsigned char v1, v2;
526     unsigned char *p = buf;
527 
528     while (slen > 1) {
529         if (!char_to_hex(&v1, str[0]) || !char_to_hex(&v2, str[1]))
530             return false;
531         if (!bufsize)
532             return false;
533         *(p++) = (v1 << 4) | v2;
534         str += 2;
535         slen -= 2;
536         bufsize--;
537     }
538     return slen == 0 && bufsize == 0;
539 }
540 
541 static char hexchar(unsigned int val)
542 {
543     if (val < 10)
544         return '0' + val;
545     if (val < 16)
546         return 'a' + val - 10;
547     abort();
548 }
549 
550 bool hex_encode(const void *buf, size_t bufsize, char *dest, size_t destsize)
551 {
552     size_t i;
553 
554     if (destsize < hex_str_size(bufsize))
555         return false;
556 
557     for (i = 0; i < bufsize; i++) {
558         unsigned int c = ((const unsigned char *)buf)[i];
559         *(dest++) = hexchar(c >> 4);
560         *(dest++) = hexchar(c & 0xF);
561     }
562     *dest = '\0';
563 
564     return true;
565 }
566 
567 /* From tap.h */
568 /**
569  * plan_tests - announce the number of tests you plan to run
570  * @tests: the number of tests
571  *
572  * This should be the first call in your test program: it allows tracing
573  * of failures which mean that not all tests are run.
574  *
575  * If you don't know how many tests will actually be run, assume all of them
576  * and use skip() if you don't actually run some tests.
577  *
578  * Example:
579  *  plan_tests(13);
580  */
581 void plan_tests(unsigned int tests);
582 
583 /**
584  * ok1 - Simple conditional test
585  * @e: the expression which we expect to be true.
586  *
587  * This is the simplest kind of test: if the expression is true, the
588  * test passes.  The name of the test which is printed will simply be
589  * file name, line number, and the expression itself.
590  *
591  * Example:
592  *  ok1(somefunc() == 1);
593  */
594 # define ok1(e) ((e) ?                          \
595          _gen_result(1, __func__, __FILE__, __LINE__, "%s", #e) : \
596          _gen_result(0, __func__, __FILE__, __LINE__, "%s", #e))
597 
598 /**
599  * exit_status - the value that main should return.
600  *
601  * For maximum compatibility your test program should return a particular exit
602  * code (ie. 0 if all tests were run, and every test which was expected to
603  * succeed succeeded).
604  *
605  * Example:
606  *  exit(exit_status());
607  */
608 int exit_status(void);
609 
610 /**
611  * tap_fail_callback - function to call when we fail
612  *
613  * This can be used to ease debugging, or exit on the first failure.
614  */
615 void (*tap_fail_callback)(void);
616 
617 /* From tap.c */
618 
619 static int no_plan = 0;
620 static int skip_all = 0;
621 static int have_plan = 0;
622 static unsigned int test_count = 0; /* Number of tests that have been run */
623 static unsigned int e_tests = 0; /* Expected number of tests to run */
624 static unsigned int failures = 0; /* Number of tests that failed */
625 static char *todo_msg = NULL;
626 static const char *todo_msg_fixed = "libtap malloc issue";
627 static int todo = 0;
628 static int test_died = 0;
629 static int test_pid;
630 
631 static void
632 _expected_tests(unsigned int tests)
633 {
634     printf("1..%d\n", tests);
635     e_tests = tests;
636 }
637 
638 static void
639 diagv(const char *fmt, va_list ap)
640 {
641     fputs("# ", stdout);
642     vfprintf(stdout, fmt, ap);
643     fputs("\n", stdout);
644 }
645 
646 static void
647 _diag(const char *fmt, ...)
648 {
649     va_list ap;
650     va_start(ap, fmt);
651     diagv(fmt, ap);
652     va_end(ap);
653 }
654 
655 /*
656  * Generate a test result.
657  *
658  * ok -- boolean, indicates whether or not the test passed.
659  * test_name -- the name of the test, may be NULL
660  * test_comment -- a comment to print afterwards, may be NULL
661  */
662 unsigned int
663 _gen_result(int ok, const char *func, const char *file, unsigned int line,
664         const char *test_name, ...)
665 {
666     va_list ap;
667     char *local_test_name = NULL;
668     char *c;
669     int name_is_digits;
670 
671     test_count++;
672 
673     /* Start by taking the test name and performing any printf()
674        expansions on it */
675     if(test_name != NULL) {
676         va_start(ap, test_name);
677         if (vasprintf(&local_test_name, test_name, ap) < 0)
678             local_test_name = NULL;
679         va_end(ap);
680 
681         /* Make sure the test name contains more than digits
682            and spaces.  Emit an error message and exit if it
683            does */
684         if(local_test_name) {
685             name_is_digits = 1;
686             for(c = local_test_name; *c != '\0'; c++) {
687                 if(!isdigit((unsigned char)*c)
688                    && !isspace((unsigned char)*c)) {
689                     name_is_digits = 0;
690                     break;
691                 }
692             }
693 
694             if(name_is_digits) {
695                 _diag("    You named your test '%s'.  You shouldn't use numbers for your test names.", local_test_name);
696                 _diag("    Very confusing.");
697             }
698         }
699     }
700 
701     if(!ok) {
702         printf("not ");
703         failures++;
704     }
705 
706     printf("ok %d", test_count);
707 
708     if(test_name != NULL) {
709         printf(" - ");
710 
711         /* Print the test name, escaping any '#' characters it
712            might contain */
713         if(local_test_name != NULL) {
714             flockfile(stdout);
715             for(c = local_test_name; *c != '\0'; c++) {
716                 if(*c == '#')
717                     fputc('\\', stdout);
718                 fputc((int)*c, stdout);
719             }
720             funlockfile(stdout);
721         } else {    /* vasprintf() failed, use a fixed message */
722             printf("%s", todo_msg_fixed);
723         }
724     }
725 
726     /* If we're in a todo_start() block then flag the test as being
727        TODO.  todo_msg should contain the message to print at this
728        point.  If it's NULL then asprintf() failed, and we should
729        use the fixed message.
730 
731        This is not counted as a failure, so decrement the counter if
732        the test failed. */
733     if(todo) {
734         printf(" # TODO %s", todo_msg ? todo_msg : todo_msg_fixed);
735         if(!ok)
736             failures--;
737     }
738 
739     printf("\n");
740 
741     if(!ok)
742         _diag("    Failed %stest (%s:%s() at line %d)",
743               todo ? "(TODO) " : "", file, func, line);
744 
745     free(local_test_name);
746 
747     if (!ok && tap_fail_callback)
748         tap_fail_callback();
749 
750     /* We only care (when testing) that ok is positive, but here we
751        specifically only want to return 1 or 0 */
752     return ok ? 1 : 0;
753 }
754 
755 /*
756  * Cleanup at the end of the run, produce any final output that might be
757  * required.
758  */
759 static void
760 _cleanup(void)
761 {
762     /* If we forked, don't do cleanup in child! */
763     if (getpid() != test_pid)
764         return;
765 
766     /* If plan_no_plan() wasn't called, and we don't have a plan,
767        and we're not skipping everything, then something happened
768        before we could produce any output */
769     if(!no_plan && !have_plan && !skip_all) {
770         _diag("Looks like your test died before it could output anything.");
771         return;
772     }
773 
774     if(test_died) {
775         _diag("Looks like your test died just after %d.", test_count);
776         return;
777     }
778 
779 
780     /* No plan provided, but now we know how many tests were run, and can
781        print the header at the end */
782     if(!skip_all && (no_plan || !have_plan)) {
783         printf("1..%d\n", test_count);
784     }
785 
786     if((have_plan && !no_plan) && e_tests < test_count) {
787         _diag("Looks like you planned %d tests but ran %d extra.",
788               e_tests, test_count - e_tests);
789         return;
790     }
791 
792     if((have_plan || !no_plan) && e_tests > test_count) {
793         _diag("Looks like you planned %d tests but only ran %d.",
794               e_tests, test_count);
795         if(failures) {
796             _diag("Looks like you failed %d tests of %d run.",
797                   failures, test_count);
798         }
799         return;
800     }
801 
802     if(failures)
803         _diag("Looks like you failed %d tests of %d.",
804               failures, test_count);
805 
806 }
807 
808 /*
809  * Initialise the TAP library.  Will only do so once, however many times it's
810  * called.
811  */
812 static void
813 _tap_init(void)
814 {
815     static int run_once = 0;
816 
817     if(!run_once) {
818         test_pid = getpid();
819         atexit(_cleanup);
820 
821         /* stdout needs to be unbuffered so that the output appears
822            in the same place relative to stderr output as it does
823            with Test::Harness */
824 //      setbuf(stdout, 0);
825         run_once = 1;
826     }
827 }
828 
829 /*
830  * Note the number of tests that will be run.
831  */
832 void
833 plan_tests(unsigned int tests)
834 {
835 
836     _tap_init();
837 
838     if(have_plan != 0) {
839         fprintf(stderr, "You tried to plan twice!\n");
840         test_died = 1;
841         exit(255);
842     }
843 
844     if(tests == 0) {
845         fprintf(stderr, "You said to run 0 tests!  You've got to run something.\n");
846         test_died = 1;
847         exit(255);
848     }
849 
850     have_plan = 1;
851 
852     _expected_tests(tests);
853 }
854 
855 static int
856 exit_status_(void)
857 {
858     /* If there's no plan, just return the number of failures */
859     if(no_plan || !have_plan) {
860         return failures;
861     }
862 
863     /* Ran too many tests?  Return the number of tests that were run
864        that shouldn't have been */
865     if(e_tests < test_count) {
866         return test_count - e_tests;
867     }
868 
869     /* Return the number of tests that failed + the number of tests
870        that weren't run */
871     return failures + e_tests - test_count;
872 }
873 
874 int
875 exit_status(void)
876 {
877     int r = exit_status_();
878     if (r > 255)
879         r = 255;
880     return r;
881 }
882 
883 /* From run-test-vectors.c */
884 
885 /* Test vectors. */
886 struct test {
887     const char *vector;
888     size_t repetitions;
889     const char *expected;
890 };
891 
892 static const char ZEROES[] =
893     "0000000000000000000000000000000000000000000000000000000000000000"
894     "0000000000000000000000000000000000000000000000000000000000000000";
895 
896 static struct test tests[] = {
897     /* http://csrc.nist.gov/groups/STM/cavp/secure-hashing.html ShortMsg */
898     { "21", 1,
899       "3831a6a6155e509dee59a7f451eb35324d8f8f2df6e3708894740f98fdee2388"
900       "9f4de5adb0c5010dfb555cda77c8ab5dc902094c52de3278f35a75ebc25f093a" },
901     { "9083", 1,
902       "55586ebba48768aeb323655ab6f4298fc9f670964fc2e5f2731e34dfa4b0c09e"
903       "6e1e12e3d7286b3145c61c2047fb1a2a1297f36da64160b31fa4c8c2cddd2fb4" },
904     { "0a55db", 1,
905       "7952585e5330cb247d72bae696fc8a6b0f7d0804577e347d99bc1b11e52f3849"
906       "85a428449382306a89261ae143c2f3fb613804ab20b42dc097e5bf4a96ef919b" },
907     { "23be86d5", 1,
908       "76d42c8eadea35a69990c63a762f330614a4699977f058adb988f406fb0be8f2"
909       "ea3dce3a2bbd1d827b70b9b299ae6f9e5058ee97b50bd4922d6d37ddc761f8eb" },
910     { "eb0ca946c1", 1,
911       "d39ecedfe6e705a821aee4f58bfc489c3d9433eb4ac1b03a97e321a2586b40dd"
912       "0522f40fa5aef36afff591a78c916bfc6d1ca515c4983dd8695b1ec7951d723e" },
913     { "38667f39277b", 1,
914       "85708b8ff05d974d6af0801c152b95f5fa5c06af9a35230c5bea2752f031f9bd"
915       "84bd844717b3add308a70dc777f90813c20b47b16385664eefc88449f04f2131" },
916     { "b39f71aaa8a108", 1,
917       "258b8efa05b4a06b1e63c7a3f925c5ef11fa03e3d47d631bf4d474983783d8c0"
918       "b09449009e842fc9fa15de586c67cf8955a17d790b20f41dadf67ee8cdcdfce6" },
919     { "dc28484ebfd293d62ac759d5754bdf502423e4d419fa79020805134b2ce3dff7"
920       "38c7556c91d810adbad8dd210f041296b73c2185d4646c97fc0a5b69ed49ac8c"
921       "7ced0bd1cfd7e3c3cca47374d189247da6811a40b0ab097067ed4ad40ade2e47"
922       "91e39204e398b3204971445822a1be0dd93af8", 1,
923       "615115d2e8b62e345adaa4bdb95395a3b4fe27d71c4a111b86c1841463c5f03d"
924       "6b20d164a39948ab08ae060720d05c10f6022e5c8caf2fa3bca2e04d9c539ded" },
925     { "fd2203e467574e834ab07c9097ae164532f24be1eb5d88f1af7748ceff0d2c67"
926       "a21f4e4097f9d3bb4e9fbf97186e0db6db0100230a52b453d421f8ab9c9a6043"
927       "aa3295ea20d2f06a2f37470d8a99075f1b8a8336f6228cf08b5942fc1fb4299c"
928       "7d2480e8e82bce175540bdfad7752bc95b577f229515394f3ae5cec870a4b2f8",
929       1,
930       "a21b1077d52b27ac545af63b32746c6e3c51cb0cb9f281eb9f3580a6d4996d5c"
931       "9917d2a6e484627a9d5a06fa1b25327a9d710e027387fc3e07d7c4d14c6086cc" },
932     /* http://www.di-mgt.com.au/sha_testvectors.html */
933     { ZEROES, 1,
934       "7be9fda48f4179e611c698a73cff09faf72869431efee6eaad14de0cb44bbf66"
935       "503f752b7a8eb17083355f3ce6eb7d2806f236b25af96a24e22b887405c20081" }
936 };
937 
938 static void *xmalloc(size_t size)
939 {
940     char * ret;
941     ret = malloc(size);
942     if (ret == NULL) {
943         perror("malloc");
944         abort();
945     }
946     return ret;
947 }
948 
949 static bool do_test(const struct test *t)
950 {
951     struct sha512 h;
952     char got[128 + 1];
953     bool passed;
954     size_t i, vector_len = strlen(t->vector) / 2;
955     void *vector = xmalloc(vector_len);
956 
957     hex_decode(t->vector, vector_len * 2, vector, vector_len);
958 
959     for (i = 0; i < t->repetitions; i++) {
960         sha512(&h, vector, vector_len);
961         if (t->repetitions > 1)
962             memcpy(vector, &h, sizeof(h));
963     }
964 
965     hex_encode(&h, sizeof(h), got, sizeof(got));
966 
967     passed = strcmp(t->expected, got) == 0;
968     free(vector);
969     return passed;
970 }
971 
972 int main(void)
973 {
974     const size_t num_tests = sizeof(tests) / sizeof(tests[0]);
975     size_t i;
976 
977     /* This is how many tests you plan to run */
978     plan_tests(num_tests);
979 
980     for (i = 0; i < num_tests; i++)
981         ok1(do_test(&tests[i]));
982 
983     /* This exits depending on whether all tests passed */
984     return exit_status();
985 }
986