Add hash interface and SHA-{384,512} implementations

Makefile.inc

@@ -1,7 +1,8 @@
 LC_SRCS+=	aead.c aead_chacha20_poly1305.c
 LC_SRCS+=	auth.c auth_poly1305.c
 LC_SRCS+=	cipher.c cipher_chacha20.c
-LC_SRCS+=	impl_chacha20.c impl_poly1305.c
+LC_SRCS+=	hash.c hash_sha384_sha512.c
+LC_SRCS+=	impl_chacha20.c impl_poly1305.c impl_sha512.c
 LC_SRCS+=	ct.c util.c
 
 WARNINGS=	Yes

README

@@ -19,11 +19,16 @@ Utilities
     case might leak information. Would be better to return `0xffffffff`
     if match, `0` otherwise.
 
+Hash
+----
+
+- [x] SHA-384
+- [x] SHA-512 (needed for Ed25519)
+
 Authentication
 --------------
 
 - [x] Poly1305
-- [ ] SHA-512 (needed for Ed25519)
 
 Ciphers
 -------
@@ -54,6 +59,12 @@ Utilities
 - [ ] NaCl interface
 - [ ] signify interface
 
+Hash
+----
+
+- [ ] SHA-256 & SHA-224 (the latter is a truncated form of the former)
+- [ ] SHA-512/224 & SHA-512/256 (most of the work done)
+
 Authentication
 --------------
 

hash.c

@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2024 Lucas Gabriel Vuotto <lucas@lgv5.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include "lilcrypto.h"
+#include "hash.h"
+
+
+int
+lc_hash_init(struct lc_hash_ctx *ctx)
+{
+	return ctx->impl->init(ctx->arg);
+}
+
+int
+lc_hash_update(struct lc_hash_ctx *ctx, const uint8_t *in, size_t inlen)
+{
+	return ctx->impl->update(ctx->arg, in, inlen);
+}
+
+int
+lc_hash_final(struct lc_hash_ctx *ctx, uint8_t *out, size_t *outlen)
+{
+	return ctx->impl->final(ctx->arg, out, outlen);
+}
+
+int
+lc_hash(const struct lc_hash_impl *impl, uint8_t *out, size_t *outlen,
+    const uint8_t *in, size_t inlen)
+{
+	return impl->hash(out, outlen, in, inlen);
+}
+
+struct lc_hash_ctx *
+lc_hash_ctx_new(const struct lc_hash_impl *impl)
+{
+	struct lc_hash_ctx	*ctx;
+
+	ctx = malloc(sizeof(*ctx));
+	if (ctx == NULL)
+		return NULL;
+	if (impl->ctx_new != NULL) {
+		ctx->arg = impl->ctx_new();
+		if (ctx->arg == NULL) {
+			free(ctx);
+			return NULL;
+		}
+	} else
+		ctx->arg = NULL;
+	ctx->impl = impl;
+
+	return ctx;
+}
+
+void
+lc_hash_ctx_free(struct lc_hash_ctx *ctx)
+{
+	if (ctx != NULL) {
+		if (ctx->impl != NULL && ctx->impl->ctx_free != NULL)
+			ctx->impl->ctx_free(ctx->arg);
+		free(ctx->arg);
+	}
+	free(ctx);
+}

hash.h

@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2024 Lucas Gabriel Vuotto <lucas@lgv5.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+
+struct lc_hash_impl {
+	int	 (*init)(void *);
+	int	 (*update)(void *, const uint8_t *, size_t);
+	int	 (*final)(void *, uint8_t *, size_t *);
+	int	 (*hash)(uint8_t *, size_t *, const uint8_t *, size_t);
+
+	void	*(*ctx_new)(void);
+	void	 (*ctx_free)(void *);
+};
+
+struct lc_hash_ctx {
+	const struct lc_hash_impl	*impl;
+	void				*arg;
+};

hash_sha384_sha512.c

@@ -0,0 +1,298 @@
+/*
+ * Copyright (c) 2024 Lucas Gabriel Vuotto <lucas@lgv5.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdlib.h>
+
+#include "lilcrypto.h"
+#include "hash.h"
+#include "hash_sha384_sha512.h"
+#include "impl_sha512.h"
+
+#include "util.h"
+
+
+/*
+ * SHA-384 and SHA-512 implementations.
+ *
+ * This implementation doesn't support arbitrary amounts of bits, but only full
+ * bytes sizes. In particular, size is stored in bytes until the length has to
+ * be appended to the input. This is done to simplify overflow checks for input
+ * length.
+ */
+
+
+#define SHA512_SZHI_MAX	UINT64_C(0x1fffffffffffffff)	/* 2^125 - 1 */
+#define SHA512_SZLO_MAX UINT64_MAX
+
+#define SHA384_H0_0	UINT64_C(0xcbbb9d5dc1059ed8)
+#define SHA384_H0_1	UINT64_C(0x629a292a367cd507)
+#define SHA384_H0_2	UINT64_C(0x9159015a3070dd17)
+#define SHA384_H0_3	UINT64_C(0x152fecd8f70e5939)
+#define SHA384_H0_4	UINT64_C(0x67332667ffc00b31)
+#define SHA384_H0_5	UINT64_C(0x8eb44a8768581511)
+#define SHA384_H0_6	UINT64_C(0xdb0c2e0d64f98fa7)
+#define SHA384_H0_7	UINT64_C(0x47b5481dbefa4fa4)
+
+#define SHA512_H0_0	UINT64_C(0x6a09e667f3bcc908)
+#define SHA512_H0_1	UINT64_C(0xbb67ae8584caa73b)
+#define SHA512_H0_2	UINT64_C(0x3c6ef372fe94f82b)
+#define SHA512_H0_3	UINT64_C(0xa54ff53a5f1d36f1)
+#define SHA512_H0_4	UINT64_C(0x510e527fade682d1)
+#define SHA512_H0_5	UINT64_C(0x9b05688c2b3e6c1f)
+#define SHA512_H0_6	UINT64_C(0x1f83d9abfb41bd6b)
+#define SHA512_H0_7	UINT64_C(0x5be0cd19137e2179)
+
+
+int
+sha384_init(void *arg)
+{
+	struct sha512_ctx	*ctx = arg;
+	size_t			 i;
+
+	ctx->h0 = SHA384_H0_0;
+	ctx->h1 = SHA384_H0_1;
+	ctx->h2 = SHA384_H0_2;
+	ctx->h3 = SHA384_H0_3;
+	ctx->h4 = SHA384_H0_4;
+	ctx->h5 = SHA384_H0_5;
+	ctx->h6 = SHA384_H0_6;
+	ctx->h7 = SHA384_H0_7;
+
+	ctx->szhi = ctx->szlo = 0;
+
+	ctx->mlen = 0;
+	for (i = 0; i < SHA512_CHUNK; i++)
+		ctx->m[i] = 0;
+
+	return 1;
+}
+
+int
+sha512_init(void *arg)
+{
+	struct sha512_ctx	*ctx = arg;
+	size_t			 i;
+
+	ctx->h0 = SHA512_H0_0;
+	ctx->h1 = SHA512_H0_1;
+	ctx->h2 = SHA512_H0_2;
+	ctx->h3 = SHA512_H0_3;
+	ctx->h4 = SHA512_H0_4;
+	ctx->h5 = SHA512_H0_5;
+	ctx->h6 = SHA512_H0_6;
+	ctx->h7 = SHA512_H0_7;
+
+	ctx->szhi = ctx->szlo = 0;
+
+	ctx->mlen = 0;
+	for (i = 0; i < SHA512_CHUNK; i++)
+		ctx->m[i] = 0;
+
+	return 1;
+}
+
+static int
+sha384_sha512_update(void *arg, const uint8_t *in, size_t inlen)
+{
+	struct sha512_ctx	*ctx = arg;
+	size_t			 i;
+
+	if (inlen > SHA512_SZLO_MAX - ctx->szlo) {
+		if (ctx->szhi == SHA512_SZHI_MAX)
+			return 0;
+		ctx->szlo += inlen;
+		ctx->szhi++;
+	} else
+		ctx->szlo += inlen;
+
+	for (i = 0; i + ctx->mlen < SHA512_CHUNK && i < inlen; i++)
+		ctx->m[i + ctx->mlen] = in[i];
+	ctx->mlen += i;
+	in += i;
+	inlen -= i;
+
+	if (ctx->mlen == SHA512_CHUNK) {
+		sha512_block(ctx);
+		ctx->mlen = 0;
+	}
+
+	if (inlen == 0)
+		return 1;
+
+	while (inlen >= SHA512_CHUNK) {
+		for (i = 0; i < SHA512_CHUNK; i++)
+			ctx->m[i] = in[i];
+		in += i;
+		inlen -= i;
+
+		sha512_block(ctx);
+	}
+
+	for (i = 0; i < inlen; i++)
+		ctx->m[i] = in[i];
+	ctx->mlen = inlen;
+
+	return 1;
+}
+
+int
+sha384_update(void *arg, const uint8_t *in, size_t inlen)
+{
+	return sha384_sha512_update(arg, in, inlen);
+}
+
+int
+sha512_update(void *arg, const uint8_t *in, size_t inlen)
+{
+	return sha384_sha512_update(arg, in, inlen);
+}
+
+static void
+sha384_sha512_final(struct sha512_ctx *ctx)
+{
+	size_t	i, mlen;
+
+	mlen = ctx->mlen;
+	ctx->m[mlen++] = 0x80;
+
+	if (mlen >= SHA512_CHUNK - 2 * sizeof(uint64_t)) {
+		for (i = mlen; i < SHA512_CHUNK; i++)
+			ctx->m[i] = 0;
+		sha512_block(ctx);
+		mlen = 0;
+	}
+
+	for (i = mlen; i < SHA512_CHUNK - 2 * sizeof(uint64_t); i++)
+		ctx->m[i] = 0;
+	store64be(&ctx->m[i], (ctx->szhi << 3) | (ctx->szlo >> 63));
+	store64be(&ctx->m[i + sizeof(uint64_t)], ctx->szlo << 3);
+	sha512_block(ctx);
+}
+
+int
+sha384_final(void *arg, uint8_t *out, size_t *outlen)
+{
+	struct sha512_ctx	*ctx = arg;
+
+	*outlen = LC_SHA384_HASHLEN;
+	if (out == NULL)
+		return 1;
+
+	sha384_sha512_final(ctx);
+	store64be(out, ctx->h0);
+	store64be(out + 8, ctx->h1);
+	store64be(out + 16, ctx->h2);
+	store64be(out + 24, ctx->h3);
+	store64be(out + 32, ctx->h4);
+	store64be(out + 40, ctx->h5);
+
+	lc_scrub(ctx, sizeof(*ctx));
+
+	return 1;
+}
+
+int
+sha512_final(void *arg, uint8_t *out, size_t *outlen)
+{
+	struct sha512_ctx	*ctx = arg;
+
+	*outlen = LC_SHA512_HASHLEN;
+	if (out == NULL)
+		return 1;
+
+	sha384_sha512_final(ctx);
+	store64be(out, ctx->h0);
+	store64be(out + 8, ctx->h1);
+	store64be(out + 16, ctx->h2);
+	store64be(out + 24, ctx->h3);
+	store64be(out + 32, ctx->h4);
+	store64be(out + 40, ctx->h5);
+	store64be(out + 48, ctx->h6);
+	store64be(out + 56, ctx->h7);
+
+	lc_scrub(ctx, sizeof(*ctx));
+
+	return 1;
+}
+
+static int
+sha384_hash(uint8_t *out, size_t *outlen, const uint8_t *in, size_t inlen)
+{
+	struct sha512_ctx	ctx;
+
+	if (out == NULL) {
+		*outlen = LC_SHA384_HASHLEN;
+		return 1;
+	}
+
+	return sha384_init(&ctx) &&
+	    sha384_update(&ctx, in, inlen) &&
+	    sha384_final(&ctx, out, outlen);
+}
+
+static int
+sha512_hash(uint8_t *out, size_t *outlen, const uint8_t *in, size_t inlen)
+{
+	struct sha512_ctx	ctx;
+
+	if (out == NULL) {
+		*outlen = LC_SHA512_HASHLEN;
+		return 1;
+	}
+
+	return sha512_init(&ctx) &&
+	    sha512_update(&ctx, in, inlen) &&
+	    sha512_final(&ctx, out, outlen);
+}
+
+static void *
+sha384_sha512_ctx_new(void)
+{
+	return malloc(sizeof(struct sha512_ctx));
+}
+
+
+static struct lc_hash_impl	sha384_impl = {
+	.init = &sha384_init,
+	.update = &sha384_update,
+	.final = &sha384_final,
+	.hash = &sha384_hash,
+
+	.ctx_new = &sha384_sha512_ctx_new,
+	.ctx_free = NULL,
+};
+
+static struct lc_hash_impl	sha512_impl = {
+	.init = &sha512_init,
+	.update = &sha512_update,
+	.final = &sha512_final,
+	.hash = &sha512_hash,
+
+	.ctx_new = &sha384_sha512_ctx_new,
+	.ctx_free = NULL,
+};
+
+const struct lc_hash_impl *
+lc_hash_impl_sha384(void)
+{
+	return &sha384_impl;
+}
+
+const struct lc_hash_impl *
+lc_hash_impl_sha512(void)
+{
+	return &sha512_impl;
+}

hash_sha384_sha512.h

@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2024 Lucas Gabriel Vuotto <lucas@lgv5.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+
+int	sha384_init(void *);
+int	sha384_update(void *, const uint8_t *, size_t);
+int	sha384_final(void *, uint8_t *, size_t *);
+
+int	sha512_init(void *);
+int	sha512_update(void *, const uint8_t *, size_t);
+int	sha512_final(void *, uint8_t *, size_t *);

impl_sha512.c

@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 2024 Lucas Gabriel Vuotto <lucas@lgv5.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "impl_sha512.h"
+#include "util.h"
+
+
+static const uint64_t K[SHA512_ROUNDS] = {
+   0x428a2f98d728ae22, 0x7137449123ef65cd,
+   0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc,
+   0x3956c25bf348b538, 0x59f111f1b605d019,
+   0x923f82a4af194f9b, 0xab1c5ed5da6d8118,
+   0xd807aa98a3030242, 0x12835b0145706fbe,
+   0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
+   0x72be5d74f27b896f, 0x80deb1fe3b1696b1,
+   0x9bdc06a725c71235, 0xc19bf174cf692694,
+   0xe49b69c19ef14ad2, 0xefbe4786384f25e3,
+   0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65,
+   0x2de92c6f592b0275, 0x4a7484aa6ea6e483,
+   0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
+   0x983e5152ee66dfab, 0xa831c66d2db43210,
+   0xb00327c898fb213f, 0xbf597fc7beef0ee4,
+   0xc6e00bf33da88fc2, 0xd5a79147930aa725,
+   0x06ca6351e003826f, 0x142929670a0e6e70,
+   0x27b70a8546d22ffc, 0x2e1b21385c26c926,
+   0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
+   0x650a73548baf63de, 0x766a0abb3c77b2a8,
+   0x81c2c92e47edaee6, 0x92722c851482353b,
+   0xa2bfe8a14cf10364, 0xa81a664bbc423001,
+   0xc24b8b70d0f89791, 0xc76c51a30654be30,
+   0xd192e819d6ef5218, 0xd69906245565a910,
+   0xf40e35855771202a, 0x106aa07032bbd1b8,
+   0x19a4c116b8d2d0c8, 0x1e376c085141ab53,
+   0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8,
+   0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb,
+   0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3,
+   0x748f82ee5defb2fc, 0x78a5636f43172f60,
+   0x84c87814a1f0ab72, 0x8cc702081a6439ec,
+   0x90befffa23631e28, 0xa4506cebde82bde9,
+   0xbef9a3f7b2c67915, 0xc67178f2e372532b,
+   0xca273eceea26619c, 0xd186b8c721c0c207,
+   0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178,
+   0x06f067aa72176fba, 0x0a637dc5a2c898a6,
+   0x113f9804bef90dae, 0x1b710b35131c471b,
+   0x28db77f523047d84, 0x32caab7b40c72493,
+   0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c,
+   0x4cc5d4becb3e42b6, 0x597f299cfc657e2a,
+   0x5fcb6fab3ad6faec, 0x6c44198c4a475817,
+};
+
+#define CH(x, y, z)	((x & y) ^ (~x & z))
+#define MAJ(x, y, z)	((x & y) ^ (x & z) ^ (y & z))
+#define BSIG0(x)	(rotr64(x, 28) ^ rotr64(x, 34) ^ rotr64(x, 39))
+#define BSIG1(x)	(rotr64(x, 14) ^ rotr64(x, 18) ^ rotr64(x, 41))
+#define SSIG0(x)	(rotr64(x, 1) ^ rotr64(x, 8) ^ (x >> 7))
+#define SSIG1(x)	(rotr64(x, 19) ^ rotr64(x, 61) ^ (x >> 6))
+
+void
+sha512_block(struct sha512_ctx *ctx)
+{
+	uint64_t	m[SHA512_CHUNK_WORDS], W[SHA512_ROUNDS];
+	uint64_t	a, b, c, d, e, f, g, h, T1, T2;
+	size_t		i;
+
+	for (i = 0; i < SHA512_CHUNK_WORDS; i++)
+		W[i] = m[i] = load64be(&ctx->m[i * 8]);
+	for (; i < SHA512_ROUNDS; i++)
+		W[i] = SSIG1(W[i - 2]) + W[i - 7] + SSIG0(W[i - 15]) +
+		    W[i - 16];
+
+	a = ctx->h0;
+	b = ctx->h1;
+	c = ctx->h2;
+	d = ctx->h3;
+	e = ctx->h4;
+	f = ctx->h5;
+	g = ctx->h6;
+	h = ctx->h7;
+
+	for (i = 0; i < SHA512_ROUNDS; i++) {
+		T1 = h + BSIG1(e) + CH(e, f, g) + K[i] + W[i];
+		T2 = BSIG0(a) + MAJ(a, b, c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + T1;
+		d = c;
+		c = b;
+		b = a;
+		a = T1 + T2;
+	}
+
+	ctx->h0 += a;
+	ctx->h1 += b;
+	ctx->h2 += c;
+	ctx->h3 += d;
+	ctx->h4 += e;
+	ctx->h5 += f;
+	ctx->h6 += g;
+	ctx->h7 += h;
+}

impl_sha512.h

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2024 Lucas Gabriel Vuotto <lucas@lgv5.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "lilcrypto.h"
+
+
+#define SHA512_CHUNK		128
+#define SHA512_CHUNK_WORDS	(SHA512_CHUNK / sizeof(uint64_t))
+#define SHA512_ROUNDS		80
+
+
+struct sha512_ctx {
+	uint64_t	h0, h1, h2, h3, h4, h5, h6, h7;
+	uint64_t	szhi, szlo;
+	size_t		mlen;
+	uint8_t		m[SHA512_CHUNK];
+};
+
+
+void	sha512_block(struct sha512_ctx *);

lilcrypto.h

@@ -23,6 +23,10 @@
  * Constants.
  */
 
+/* Hashes. */
+#define LC_SHA384_HASHLEN	48
+#define LC_SHA512_HASHLEN	64
+
 /* Authentitcation. */
 #define LC_POLY1305_KEYLEN	32
 #define LC_POLY1305_TAGLEN	16
@@ -40,7 +44,28 @@ uint32_t	lc_ct_cmp(const uint8_t *, const uint8_t *, size_t);
 
 
 /*
- * Message authentication code.
+ * Hashes.
+ */
+
+struct lc_hash_ctx;
+struct lc_hash_impl;
+
+
+int	lc_hash_init(struct lc_hash_ctx *);
+int	lc_hash_update(struct lc_hash_ctx *, const uint8_t *, size_t);
+int	lc_hash_final(struct lc_hash_ctx *, uint8_t *, size_t *);
+int	lc_hash(const struct lc_hash_impl *, uint8_t *, size_t *,
+	    const uint8_t *, size_t);
+
+struct lc_hash_ctx	*lc_hash_ctx_new(const struct lc_hash_impl *);
+void			 lc_hash_ctx_free(struct lc_hash_ctx *);
+
+const struct lc_hash_impl	*lc_hash_impl_sha384(void);
+const struct lc_hash_impl	*lc_hash_impl_sha512(void);
+
+
+/*
+ * Authentication.
  */
 
 struct lc_auth_ctx;

util.h

@@ -72,6 +72,53 @@ store64le(uint8_t *x, uint64_t v)
 	x[7] = v >> 56;
 }
 
+static inline uint16_t
+load16be(const uint8_t *x)
+{
+	return (x[0] << 8) | x[1];
+}
+
+static inline uint32_t
+load32be(const uint8_t *x)
+{
+	return (x[0] << 24) | (x[1] << 16) | (x[2] << 8) | x[3];
+}
+
+static inline uint64_t
+load64be(const uint8_t *x)
+{
+	return ((uint64_t)load32be(x) << 32) | load32be(x + 4);
+}
+
+static inline void
+store16be(uint8_t *x, uint64_t v)
+{
+	x[0] = v >> 8;
+	x[1] = v & 0xff;
+}
+
+static inline void
+store32be(uint8_t *x, uint32_t v)
+{
+	x[0] = v >> 24;
+	x[1] = (v >> 16) & 0xff;
+	x[2] = (v >> 8) & 0xff;
+	x[3] = v & 0xff;
+}
+
+static inline void
+store64be(uint8_t *x, uint64_t v)
+{
+	x[0] = v >> 56;
+	x[1] = (v >> 48) & 0xff;
+	x[2] = (v >> 40) & 0xff;
+	x[3] = (v >> 32) & 0xff;
+	x[4] = (v >> 24) & 0xff;
+	x[5] = (v >> 16) & 0xff;
+	x[6] = (v >> 8) & 0xff;
+	x[7] = v & 0xff;
+}
+
 
 /*
  * rotr and rotl.
@@ -92,11 +139,11 @@ rotl64(uint64_t x, uint64_t r)
 static inline uint32_t
 rotr32(uint32_t x, uint32_t r)
 {
-	return rotl32(x, 32 - r);
+	return (x >> r) | (x << (32 - r));
 }
 
 static inline uint64_t
 rotr64(uint64_t x, uint64_t r)
 {
-	return rotl64(x, 64 - r);
+	return (x >> r) | (x << (64 - r));
 }