1 /* $MirOS: src/lib/libc/hash/sha2.c,v 1.4 2006/06/02 02:29:51 tg Exp $ */
2 /* $OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp $ */
3
4 /*
5 * FILE: sha2.c
6 * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
7 *
8 * Copyright (c) 2000-2001, Aaron D. Gifford
9 * All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the copyright holder nor the names of contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
36 */
37
38 #include <sys/types.h>
39
40 #include <string.h>
41 #include <sha2.h>
42
43 /*
44 * UNROLLED TRANSFORM LOOP NOTE:
45 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
46 * loop version for the hash transform rounds (defined using macros
47 * later in this file). Either define on the command line, for example:
48 *
49 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
50 *
51 * or define below:
52 *
53 * #define SHA2_UNROLL_TRANSFORM
54 *
55 */
56
57 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
58 /*
59 * BYTE_ORDER NOTE:
60 *
61 * Please make sure that your system defines BYTE_ORDER. If your
62 * architecture is little-endian, make sure it also defines
63 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
64 * equivalent.
65 *
66 * If your system does not define the above, then you can do so by
67 * hand like this:
68 *
69 * #define LITTLE_ENDIAN 1234
70 * #define BIG_ENDIAN 4321
71 *
72 * And for little-endian machines, add:
73 *
74 * #define BYTE_ORDER LITTLE_ENDIAN
75 *
76 * Or for big-endian machines:
77 *
78 * #define BYTE_ORDER BIG_ENDIAN
79 *
80 * The FreeBSD machine this was written on defines BYTE_ORDER
81 * appropriately by including <sys/types.h> (which in turn includes
82 * <machine/endian.h> where the appropriate definitions are actually
83 * made).
84 */
85 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
86 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
87 #endif
88
89
90 /*** SHA-256/384/512 Various Length Definitions ***********************/
/*
 * NOTE: most length constants live in sha2.h; only the "short block" lengths
 * are local. Each one is the offset inside the final block at which the
 * padding code in this file stores the big-endian message bit length: the
 * block length minus an 8-byte (SHA-256) or 16-byte (SHA-384/512) length
 * field.
 */
#define SHA256_SHORT_BLOCK_LENGTH	(SHA256_BLOCK_LENGTH - 8)
#define SHA384_SHORT_BLOCK_LENGTH	(SHA384_BLOCK_LENGTH - 16)
#define SHA512_SHORT_BLOCK_LENGTH	(SHA512_BLOCK_LENGTH - 16)
95
96 /*** ENDIAN SPECIFIC COPY MACROS **************************************/
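/*
 * Big-endian load/store helpers. They assemble or split a value one byte at
 * a time, so the result does not depend on the host byte order.
 *
 * cp must point to at least 4 (32-bit forms) or 8 (64-bit forms) accessible
 * bytes; nothing here checks bounds. cp is expanded once per byte and must
 * therefore be free of side effects. The store macros evaluate src exactly
 * once and narrow each byte with an explicit cast.
 */

/* Load the 4 bytes at cp as a big-endian 32-bit value into dst. */
#define BE_8_TO_32(dst, cp) do { \
	(dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) | \
	    ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24); \
} while (0)

/* Load the 8 bytes at cp as a big-endian 64-bit value into dst. */
#define BE_8_TO_64(dst, cp) do { \
	(dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) | \
	    ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) | \
	    ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) | \
	    ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56); \
} while (0)

/* Store the 64-bit value src at cp as 8 big-endian bytes. */
#define BE_64_TO_8(cp, src) do { \
	const u_int64_t be_src64_ = (src); \
	(cp)[0] = (u_int8_t)(be_src64_ >> 56); \
	(cp)[1] = (u_int8_t)(be_src64_ >> 48); \
	(cp)[2] = (u_int8_t)(be_src64_ >> 40); \
	(cp)[3] = (u_int8_t)(be_src64_ >> 32); \
	(cp)[4] = (u_int8_t)(be_src64_ >> 24); \
	(cp)[5] = (u_int8_t)(be_src64_ >> 16); \
	(cp)[6] = (u_int8_t)(be_src64_ >> 8); \
	(cp)[7] = (u_int8_t)(be_src64_); \
} while (0)

/* Store the 32-bit value src at cp as 4 big-endian bytes. */
#define BE_32_TO_8(cp, src) do { \
	const u_int32_t be_src32_ = (src); \
	(cp)[0] = (u_int8_t)(be_src32_ >> 24); \
	(cp)[1] = (u_int8_t)(be_src32_ >> 16); \
	(cp)[2] = (u_int8_t)(be_src32_ >> 8); \
	(cp)[3] = (u_int8_t)(be_src32_); \
} while (0)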
126
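/*
 * Add the unsigned 64-bit quantity n to the unsigned 128-bit counter w, held
 * as a two-element array of 64-bit words with w[0] the low word and w[1] the
 * high word. A carry out of the low word shows up as unsigned wrap-around
 * (the sum ends up smaller than the addend) and is propagated into w[1].
 *
 * n is converted to 64 bits and evaluated exactly once; w is expanded more
 * than once and must be free of side effects.
 */
#define ADDINC128(w,n) do { \
	const u_int64_t addinc128_n_ = (u_int64_t)(n); \
	(w)[0] += addinc128_n_; \
	if ((w)[0] < addinc128_n_) { \
		(w)[1]++; \
	} \
} while (0)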
138
139 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
140 /*
141 * Bit shifting and rotation (used by the six SHA-XYZ logical functions):
142 *
143 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
144 * S is a ROTATION) because the SHA-256/384/512 description document
145 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
146 * same "backwards" definition.
147 */
/* Plain right shift (used in SHA-256, SHA-384, and SHA-512): */
#define R(b,x)		((x) >> (b))
/*
 * Rotate right by b bits, 32-bit (SHA-256) and 64-bit (SHA-384/512) forms.
 * x must be an unsigned value of exactly that width and b must satisfy
 * 0 < b < width, otherwise the complementary shift is out of range. The
 * Sigma/sigma macros below only pass constants inside that range.
 */
#define S32(b,x)	(((x) << (32 - (b))) | ((x) >> (b)))
#define S64(b,x)	(((x) << (64 - (b))) | ((x) >> (b)))

/*
 * Choose and majority, shared by all three hash sizes. Ch selects each bit
 * from y where x is set and from z where it is clear; Maj yields the bit
 * value held by at least two of its three inputs.
 */
#define Ch(x,y,z)	((z) ^ ((x) & ((y) ^ (z))))
#define Maj(x,y,z)	(((x) & (y)) | ((z) & ((x) | (y))))

/* The four SHA-256 mixing functions (32-bit words): */
#define Sigma0_256(x)	(S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
#define Sigma1_256(x)	(S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
#define sigma0_256(x)	(S32(7,  (x)) ^ S32(18, (x)) ^ R(3,  (x)))
#define sigma1_256(x)	(S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))

/* The four SHA-384/SHA-512 mixing functions (64-bit words): */
#define Sigma0_512(x)	(S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
#define Sigma1_512(x)	(S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
#define sigma0_512(x)	(S64(1,  (x)) ^ S64(8,  (x)) ^ R(7, (x)))
#define sigma1_512(x)	(S64(19, (x)) ^ S64(61, (x)) ^ R(6, (x)))
170
171
172 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
/*
 * SHA-256 round constants K[0..63]; round j of the transform adds K256[j].
 * The trailing comment on each row gives the round indices it covers.
 */
static const u_int32_t K256[64] = {
	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,	/*  0 ..  3 */
	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,	/*  4 ..  7 */
	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,	/*  8 .. 11 */
	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,	/* 12 .. 15 */
	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,	/* 16 .. 19 */
	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,	/* 20 .. 23 */
	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,	/* 24 .. 27 */
	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,	/* 28 .. 31 */
	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,	/* 32 .. 35 */
	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,	/* 36 .. 39 */
	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,	/* 40 .. 43 */
	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,	/* 44 .. 47 */
	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,	/* 48 .. 51 */
	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,	/* 52 .. 55 */
	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,	/* 56 .. 59 */
	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL	/* 60 .. 63 */
};
192
/*
 * SHA-256 initial chaining value H[0..7]; SHA256_Init() copies it into the
 * context state before any data is hashed.
 */
static const u_int32_t sha256_initial_hash_value[8] = {
	0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL,
	0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL
};
204
/*
 * SHA-384/SHA-512 round constants K[0..79]; round j of the 64-bit transform
 * adds K512[j]. Four constants per row, in round order.
 */
static const u_int64_t K512[80] = {
	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
};
248
/*
 * SHA-384 initial chaining value H[0..7]; SHA384_Init() copies it into the
 * context state. SHA-384 differs from SHA-512 in this file only by these
 * words and by the number of state words written out by SHA384_Final().
 */
static const u_int64_t sha384_initial_hash_value[8] = {
	0xcbbb9d5dc1059ed8ULL, 0x629a292a367cd507ULL,
	0x9159015a3070dd17ULL, 0x152fecd8f70e5939ULL,
	0x67332667ffc00b31ULL, 0x8eb44a8768581511ULL,
	0xdb0c2e0d64f98fa7ULL, 0x47b5481dbefa4fa4ULL
};
260
/*
 * SHA-512 initial chaining value H[0..7]; SHA512_Init() copies it into the
 * context state before any data is hashed.
 */
static const u_int64_t sha512_initial_hash_value[8] = {
	0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
	0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
	0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
	0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
};
272
273
274 /*** SHA-256: *********************************************************/
/*
 * Prepare a SHA-256 context for a new message: load the initial hash value,
 * clear the block buffer and reset the bit counter. A NULL context is
 * silently ignored.
 */
void
SHA256_Init(SHA256_CTX *context)
{
	if (context != NULL) {
		context->bitcount = 0;
		memset(context->buffer, 0, sizeof(context->buffer));
		memcpy(context->state, sha256_initial_hash_value,
		    sizeof(sha256_initial_hash_value));
	}
}
285
286 #ifdef SHA2_UNROLL_TRANSFORM
287
/*
 * Round macros for the unrolled SHA-256 transform. Rather than shifting the
 * eight working variables after every round, the caller rotates the order of
 * the macro arguments. Both macros use locals of the enclosing function
 * (j, T1, W256; ROUND256 also s0 and s1; ROUND256_0_TO_15 also advances
 * data) and increment the round counter j themselves.
 */

/* Rounds 0..15: the schedule word is loaded big-endian from the block. */
#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
	BE_8_TO_32(W256[j], data); \
	data += 4; \
	T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
	(d) += T1; \
	(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
	j++; \
} while (0)

/*
 * Rounds 16..63: the schedule word is derived in place inside the 16-entry
 * circular buffer W256 and then fed to the round.
 */
#define ROUND256(a,b,c,d,e,f,g,h) do { \
	s0 = sigma0_256(W256[(j + 1) & 0x0f]); \
	s1 = sigma1_256(W256[(j + 14) & 0x0f]); \
	W256[j & 0x0f] += s1 + W256[(j + 9) & 0x0f] + s0; \
	T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
	    W256[j & 0x0f]; \
	(d) += T1; \
	(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
	j++; \
} while (0)
310
/*
 * SHA-256 compression function, unrolled variant (SHA2_UNROLL_TRANSFORM).
 * Folds the SHA256_BLOCK_LENGTH-byte block at data into the eight-word
 * chaining value in state. The caller must supply a full block; no length
 * is checked here.
 */
void
SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
{
	u_int32_t	a, b, c, d, e, f, g, h, s0, s1;
	u_int32_t	T1, W256[16];
	int		j = 0;

	/* Working variables start from the current chaining value. */
	a = state[0];
	b = state[1];
	c = state[2];
	d = state[3];
	e = state[4];
	f = state[5];
	g = state[6];
	h = state[7];

	/* Rounds 0 to 15, eight per pass; each macro call advances j. */
	while (j < 16) {
		ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
		ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
		ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
		ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
		ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
		ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
		ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
		ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
	}

	/* Rounds 16 to 63, with the message schedule expanded on the fly. */
	while (j < 64) {
		ROUND256(a,b,c,d,e,f,g,h);
		ROUND256(h,a,b,c,d,e,f,g);
		ROUND256(g,h,a,b,c,d,e,f);
		ROUND256(f,g,h,a,b,c,d,e);
		ROUND256(e,f,g,h,a,b,c,d);
		ROUND256(d,e,f,g,h,a,b,c);
		ROUND256(c,d,e,f,g,h,a,b);
		ROUND256(b,c,d,e,f,g,h,a);
	}

	/* Add the working variables back into the chaining value. */
	state[0] += a;
	state[1] += b;
	state[2] += c;
	state[3] += d;
	state[4] += e;
	state[5] += f;
	state[6] += g;
	state[7] += h;

	/*
	 * Best-effort scrub of the working variables. These are plain stores
	 * to locals that are never read again, so an optimizing compiler may
	 * drop them; s0, s1 and the schedule W256 are not cleared at all.
	 */
	a = b = c = d = e = f = g = h = T1 = 0;
}
366
367 #else /* SHA2_UNROLL_TRANSFORM */
368
/*
 * SHA-256 compression function, looped variant (used when
 * SHA2_UNROLL_TRANSFORM is not defined). Folds the SHA256_BLOCK_LENGTH-byte
 * block at data into the eight-word chaining value in state. The caller
 * must supply a full block; no length is checked here.
 */
void
SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
{
	u_int32_t	a, b, c, d, e, f, g, h, s0, s1;
	u_int32_t	T1, T2, W256[16];
	int		j;

	/* Working variables start from the current chaining value. */
	a = state[0];
	b = state[1];
	c = state[2];
	d = state[3];
	e = state[4];
	f = state[5];
	g = state[6];
	h = state[7];

	/* Rounds 0..15: schedule words come big-endian from the block. */
	for (j = 0; j < 16; j++) {
		BE_8_TO_32(W256[j], data);
		data += 4;

		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
		T2 = Sigma0_256(a) + Maj(a, b, c);
		h = g;
		g = f;
		f = e;
		e = d + T1;
		d = c;
		c = b;
		b = a;
		a = T1 + T2;
	}

	/* Rounds 16..63: W256 is a 16-word circular buffer, extended in place. */
	for (; j < 64; j++) {
		s0 = sigma0_256(W256[(j + 1) & 0x0f]);
		s1 = sigma1_256(W256[(j + 14) & 0x0f]);
		W256[j & 0x0f] += s1 + W256[(j + 9) & 0x0f] + s0;

		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j & 0x0f];
		T2 = Sigma0_256(a) + Maj(a, b, c);
		h = g;
		g = f;
		f = e;
		e = d + T1;
		d = c;
		c = b;
		b = a;
		a = T1 + T2;
	}

	/* Add the working variables back into the chaining value. */
	state[0] += a;
	state[1] += b;
	state[2] += c;
	state[3] += d;
	state[4] += e;
	state[5] += f;
	state[6] += g;
	state[7] += h;

	/*
	 * Best-effort scrub of the working variables. These are plain stores
	 * to locals that are never read again, so an optimizing compiler may
	 * drop them; s0, s1 and the schedule W256 are not cleared at all.
	 */
	a = b = c = d = e = f = g = h = T1 = T2 = 0;
}
441
442 #endif /* SHA2_UNROLL_TRANSFORM */
443
/*
 * Feed len bytes at data into the SHA-256 context.
 *
 * Bytes are first used to complete a partially filled block buffer, then
 * whole blocks are hashed directly from data, and any tail is kept in the
 * buffer for the next call. bitcount advances by eight bits per byte.
 *
 * context and data are dereferenced without a NULL check, and data must
 * really provide len readable bytes. A call with len == 0 does nothing.
 */
void
SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len)
{
	size_t	buffered, room;

	if (len == 0)
		return;

	/* Bytes already waiting in the block buffer. */
	buffered = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
	if (buffered != 0) {
		room = SHA256_BLOCK_LENGTH - buffered;

		if (len < room) {
			/* Still short of a full block: just append. */
			memcpy(&context->buffer[buffered], data, len);
			context->bitcount += len << 3;
			return;
		}

		/* Top the buffer up to a full block and hash it. */
		memcpy(&context->buffer[buffered], data, room);
		context->bitcount += room << 3;
		data += room;
		len -= room;
		SHA256_Transform(context->state, context->buffer);
	}

	/* Hash every complete block straight from the caller's data. */
	for (; len >= SHA256_BLOCK_LENGTH;
	    len -= SHA256_BLOCK_LENGTH, data += SHA256_BLOCK_LENGTH) {
		SHA256_Transform(context->state, data);
		context->bitcount += SHA256_BLOCK_LENGTH << 3;
	}

	if (len != 0) {
		/* Keep the remainder for the next call. */
		memcpy(context->buffer, data, len);
		context->bitcount += len << 3;
	}
}
489
/*
 * Apply the SHA-256 padding and run the final transform(s).
 *
 * A 0x80 byte is appended to the buffered data, the buffer is zero-filled up
 * to SHA256_SHORT_BLOCK_LENGTH, and the 64-bit message length in bits is
 * stored big-endian in the last eight bytes. When the buffered data leaves
 * no room for the length field, the block is zero-filled and hashed first
 * and the length goes into an otherwise empty block.
 *
 * bitcount is not updated here, and context is dereferenced without a NULL
 * check.
 */
void
SHA256_Pad(SHA256_CTX *context)
{
	unsigned int	used;

	used = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
	if (used == 0) {
		/* Empty buffer: the padding block is 0x80 followed by zeros. */
		memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
		context->buffer[0] = 0x80;
	} else {
		/* The padding starts with a single 1 bit. */
		context->buffer[used++] = 0x80;

		if (used > SHA256_SHORT_BLOCK_LENGTH) {
			/* No room for the length: finish and hash this block. */
			if (used < SHA256_BLOCK_LENGTH) {
				memset(&context->buffer[used], 0,
				    SHA256_BLOCK_LENGTH - used);
			}
			SHA256_Transform(context->state, context->buffer);

			/* The last block then holds only zeros and the length. */
			memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
		} else {
			memset(&context->buffer[used], 0,
			    SHA256_SHORT_BLOCK_LENGTH - used);
		}
	}

	/* Message length in bits, big-endian, in the last eight bytes. */
	BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH],
	    context->bitcount);

	/* Final transform. */
	SHA256_Transform(context->state, context->buffer);
}
532
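/*
 * Finish a SHA-256 computation: pad the message, write the digest and wipe
 * the context.
 *
 * digest receives the eight state words as SHA256_DIGEST_LENGTH big-endian
 * bytes; passing NULL skips the output. The context is cleared in either
 * case, as SHA384_Final() already does, so hash state derived from the
 * message is not left behind when the caller discards the result. The
 * context must be re-initialised with SHA256_Init() before it is used again.
 */
void
SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA256_CTX *context)
{
	SHA256_Pad(context);

	/* If no digest buffer is passed, we don't bother doing this: */
	if (digest != NULL) {
#if BYTE_ORDER == LITTLE_ENDIAN
		int	i;

		/* Serialise each host-order state word as big-endian bytes. */
		for (i = 0; i < 8; i++)
			BE_32_TO_8(digest + i * 4, context->state[i]);
#else
		/* Host order already is big-endian: copy the words as they are. */
		memcpy(digest, context->state, SHA256_DIGEST_LENGTH);
#endif
	}

	/*
	 * Zero out state data. NOTE(review): a plain memset() of an object
	 * the caller never reads again can be removed by the optimizer; where
	 * the platform offers a non-elidable clear (explicit_bzero() or
	 * similar), prefer it here.
	 */
	memset(context, 0, sizeof(*context));
}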
552
553
554 /*** SHA-512: *********************************************************/
/*
 * Prepare a SHA-512 context for a new message: load the initial hash value,
 * clear the block buffer and reset both words of the 128-bit bit counter.
 * A NULL context is silently ignored.
 */
void
SHA512_Init(SHA512_CTX *context)
{
	if (context != NULL) {
		context->bitcount[0] = 0;
		context->bitcount[1] = 0;
		memset(context->buffer, 0, sizeof(context->buffer));
		memcpy(context->state, sha512_initial_hash_value,
		    sizeof(sha512_initial_hash_value));
	}
}
565
566 #ifdef SHA2_UNROLL_TRANSFORM
567
/*
 * Round macros for the unrolled SHA-512 transform. Rather than shifting the
 * eight working variables after every round, the caller rotates the order of
 * the macro arguments. Both macros use locals of the enclosing function
 * (j, T1, W512; ROUND512 also s0 and s1; ROUND512_0_TO_15 also advances
 * data) and increment the round counter j themselves.
 */

/* Rounds 0..15: the schedule word is loaded big-endian from the block. */
#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
	BE_8_TO_64(W512[j], data); \
	data += 8; \
	T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
	(d) += T1; \
	(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
	j++; \
} while (0)

/*
 * Rounds 16..79: the schedule word is derived in place inside the 16-entry
 * circular buffer W512 and then fed to the round.
 */
#define ROUND512(a,b,c,d,e,f,g,h) do { \
	s0 = sigma0_512(W512[(j + 1) & 0x0f]); \
	s1 = sigma1_512(W512[(j + 14) & 0x0f]); \
	W512[j & 0x0f] += s1 + W512[(j + 9) & 0x0f] + s0; \
	T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
	    W512[j & 0x0f]; \
	(d) += T1; \
	(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
	j++; \
} while (0)
591
/*
 * SHA-512 compression function, unrolled variant (SHA2_UNROLL_TRANSFORM).
 * Folds the SHA512_BLOCK_LENGTH-byte block at data into the eight-word
 * chaining value in state. The caller must supply a full block; no length
 * is checked here.
 */
void
SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
{
	u_int64_t	a, b, c, d, e, f, g, h, s0, s1;
	u_int64_t	T1, W512[16];
	int		j = 0;

	/* Working variables start from the current chaining value. */
	a = state[0];
	b = state[1];
	c = state[2];
	d = state[3];
	e = state[4];
	f = state[5];
	g = state[6];
	h = state[7];

	/* Rounds 0 to 15, eight per pass; each macro call advances j. */
	while (j < 16) {
		ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
		ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
		ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
		ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
		ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
		ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
		ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
		ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
	}

	/* Rounds 16 to 79, with the message schedule expanded on the fly. */
	while (j < 80) {
		ROUND512(a,b,c,d,e,f,g,h);
		ROUND512(h,a,b,c,d,e,f,g);
		ROUND512(g,h,a,b,c,d,e,f);
		ROUND512(f,g,h,a,b,c,d,e);
		ROUND512(e,f,g,h,a,b,c,d);
		ROUND512(d,e,f,g,h,a,b,c);
		ROUND512(c,d,e,f,g,h,a,b);
		ROUND512(b,c,d,e,f,g,h,a);
	}

	/* Add the working variables back into the chaining value. */
	state[0] += a;
	state[1] += b;
	state[2] += c;
	state[3] += d;
	state[4] += e;
	state[5] += f;
	state[6] += g;
	state[7] += h;

	/*
	 * Best-effort scrub of the working variables. These are plain stores
	 * to locals that are never read again, so an optimizing compiler may
	 * drop them; s0, s1 and the schedule W512 are not cleared at all.
	 */
	a = b = c = d = e = f = g = h = T1 = 0;
}
647
648 #else /* SHA2_UNROLL_TRANSFORM */
649
/*
 * SHA-512 compression function, looped variant (used when
 * SHA2_UNROLL_TRANSFORM is not defined). Folds the SHA512_BLOCK_LENGTH-byte
 * block at data into the eight-word chaining value in state. The caller
 * must supply a full block; no length is checked here.
 */
void
SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
{
	u_int64_t	a, b, c, d, e, f, g, h, s0, s1;
	u_int64_t	T1, T2, W512[16];
	int		j;

	/* Working variables start from the current chaining value. */
	a = state[0];
	b = state[1];
	c = state[2];
	d = state[3];
	e = state[4];
	f = state[5];
	g = state[6];
	h = state[7];

	/* Rounds 0..15: schedule words come big-endian from the block. */
	for (j = 0; j < 16; j++) {
		BE_8_TO_64(W512[j], data);
		data += 8;

		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
		T2 = Sigma0_512(a) + Maj(a, b, c);
		h = g;
		g = f;
		f = e;
		e = d + T1;
		d = c;
		c = b;
		b = a;
		a = T1 + T2;
	}

	/* Rounds 16..79: W512 is a 16-word circular buffer, extended in place. */
	for (; j < 80; j++) {
		s0 = sigma0_512(W512[(j + 1) & 0x0f]);
		s1 = sigma1_512(W512[(j + 14) & 0x0f]);
		W512[j & 0x0f] += s1 + W512[(j + 9) & 0x0f] + s0;

		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j & 0x0f];
		T2 = Sigma0_512(a) + Maj(a, b, c);
		h = g;
		g = f;
		f = e;
		e = d + T1;
		d = c;
		c = b;
		b = a;
		a = T1 + T2;
	}

	/* Add the working variables back into the chaining value. */
	state[0] += a;
	state[1] += b;
	state[2] += c;
	state[3] += d;
	state[4] += e;
	state[5] += f;
	state[6] += g;
	state[7] += h;

	/*
	 * Best-effort scrub of the working variables. These are plain stores
	 * to locals that are never read again, so an optimizing compiler may
	 * drop them; s0, s1 and the schedule W512 are not cleared at all.
	 */
	a = b = c = d = e = f = g = h = T1 = T2 = 0;
}
722
723 #endif /* SHA2_UNROLL_TRANSFORM */
724
/*
 * Feed len bytes at data into the SHA-512 context.
 *
 * Bytes are first used to complete a partially filled block buffer, then
 * whole blocks are hashed directly from data, and any tail is kept in the
 * buffer for the next call. The 128-bit bit counter advances by eight bits
 * per byte through ADDINC128.
 *
 * context and data are dereferenced without a NULL check, and data must
 * really provide len readable bytes. A call with len == 0 does nothing.
 */
void
SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
{
	size_t	buffered, room;

	if (len == 0)
		return;

	/* The low counter word is enough to find the buffer fill level. */
	buffered = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
	if (buffered != 0) {
		room = SHA512_BLOCK_LENGTH - buffered;

		if (len < room) {
			/* Still short of a full block: just append. */
			memcpy(&context->buffer[buffered], data, len);
			ADDINC128(context->bitcount, len << 3);
			return;
		}

		/* Top the buffer up to a full block and hash it. */
		memcpy(&context->buffer[buffered], data, room);
		ADDINC128(context->bitcount, room << 3);
		data += room;
		len -= room;
		SHA512_Transform(context->state, context->buffer);
	}

	/* Hash every complete block straight from the caller's data. */
	for (; len >= SHA512_BLOCK_LENGTH;
	    len -= SHA512_BLOCK_LENGTH, data += SHA512_BLOCK_LENGTH) {
		SHA512_Transform(context->state, data);
		ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
	}

	if (len != 0) {
		/* Keep the remainder for the next call. */
		memcpy(context->buffer, data, len);
		ADDINC128(context->bitcount, len << 3);
	}
}
770
/*
 * Apply the SHA-512 padding and run the final transform(s).
 *
 * A 0x80 byte is appended to the buffered data, the buffer is zero-filled up
 * to SHA512_SHORT_BLOCK_LENGTH, and the 128-bit message length in bits is
 * stored big-endian in the last sixteen bytes (high counter word first).
 * When the buffered data leaves no room for the length field, the block is
 * zero-filled and hashed first and the length goes into an otherwise empty
 * block.
 *
 * The bit counter is not updated here, and context is dereferenced without
 * a NULL check.
 */
void
SHA512_Pad(SHA512_CTX *context)
{
	unsigned int	used;

	used = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
	if (used == 0) {
		/* Empty buffer: the padding block is 0x80 followed by zeros. */
		memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
		context->buffer[0] = 0x80;
	} else {
		/* The padding starts with a single 1 bit. */
		context->buffer[used++] = 0x80;

		if (used > SHA512_SHORT_BLOCK_LENGTH) {
			/* No room for the length: finish and hash this block. */
			if (used < SHA512_BLOCK_LENGTH) {
				memset(&context->buffer[used], 0,
				    SHA512_BLOCK_LENGTH - used);
			}
			SHA512_Transform(context->state, context->buffer);

			/*
			 * Clear the buffer for the last block. This clears all
			 * but the final two bytes; everything from
			 * SHA512_SHORT_BLOCK_LENGTH on is overwritten by the
			 * length stores below.
			 */
			memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
		} else {
			memset(&context->buffer[used], 0,
			    SHA512_SHORT_BLOCK_LENGTH - used);
		}
	}

	/* Message length in bits, big-endian: high word, then low word. */
	BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH],
	    context->bitcount[1]);
	BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8],
	    context->bitcount[0]);

	/* Final transform. */
	SHA512_Transform(context->state, context->buffer);
}
813
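/*
 * Finish a SHA-512 computation: pad the message, write the digest and wipe
 * the context.
 *
 * digest receives the eight state words as SHA512_DIGEST_LENGTH big-endian
 * bytes; passing NULL skips the output. The context is cleared in either
 * case, as SHA384_Final() already does, so hash state derived from the
 * message is not left behind when the caller discards the result. The
 * context must be re-initialised with SHA512_Init() before it is used again.
 */
void
SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context)
{
	SHA512_Pad(context);

	/* If no digest buffer is passed, we don't bother doing this: */
	if (digest != NULL) {
#if BYTE_ORDER == LITTLE_ENDIAN
		int	i;

		/* Serialise each host-order state word as big-endian bytes. */
		for (i = 0; i < 8; i++)
			BE_64_TO_8(digest + i * 8, context->state[i]);
#else
		/* Host order already is big-endian: copy the words as they are. */
		memcpy(digest, context->state, SHA512_DIGEST_LENGTH);
#endif
	}

	/*
	 * Zero out state data. NOTE(review): a plain memset() of an object
	 * the caller never reads again can be removed by the optimizer; where
	 * the platform offers a non-elidable clear (explicit_bzero() or
	 * similar), prefer it here.
	 */
	memset(context, 0, sizeof(*context));
}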
833
834
835 /*** SHA-384: *********************************************************/
/*
 * Prepare a SHA-384 context for a new message: load the SHA-384 initial hash
 * value, clear the block buffer and reset both words of the 128-bit bit
 * counter. A NULL context is silently ignored.
 */
void
SHA384_Init(SHA384_CTX *context)
{
	if (context != NULL) {
		context->bitcount[0] = 0;
		context->bitcount[1] = 0;
		memset(context->buffer, 0, sizeof(context->buffer));
		memcpy(context->state, sha384_initial_hash_value,
		    sizeof(sha384_initial_hash_value));
	}
}
846
/*
 * SHA-384 uses the SHA-512 block function, update and padding routines
 * unchanged. Without __weak_alias the three SHA-384 entry points are thin
 * forwarding functions; with it they are declared through __weak_alias
 * against the SHA-512 routines instead.
 * NOTE(review): passing a SHA384_CTX * to the SHA-512 routines presumes the
 * two context types are the same type in <sha2.h> - confirm there.
 */
#ifndef __weak_alias
inline void
SHA384_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
{
	/* Same compression function as SHA-512. */
	SHA512_Transform(state, data);
}

inline void
SHA384_Update(SHA384_CTX *context, const u_int8_t *data, size_t len)
{
	/* Same buffering and counting as SHA-512. */
	SHA512_Update(context, data, len);
}

inline void
SHA384_Pad(SHA384_CTX *context)
{
	/* Same padding and length encoding as SHA-512. */
	SHA512_Pad(context);
}
#else
__weak_alias(SHA384_Transform, SHA512_Transform);
__weak_alias(SHA384_Update, SHA512_Update);
__weak_alias(SHA384_Pad, SHA512_Pad);
#endif
870
/*
 * Finish a SHA-384 computation: pad the message, write the digest and wipe
 * the context.
 *
 * digest receives the first six state words as SHA384_DIGEST_LENGTH
 * big-endian bytes; passing NULL skips the output. The context is cleared
 * whether or not a digest buffer was given.
 */
void
SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
{
	SHA384_Pad(context);

	/* Output is optional; a NULL digest only pads and wipes. */
	if (digest != NULL) {
#if BYTE_ORDER != LITTLE_ENDIAN
		/* Host order already is big-endian: copy the words as they are. */
		memcpy(digest, context->state, SHA384_DIGEST_LENGTH);
#else
		u_int8_t	*out = digest;
		int		 word;

		/* Serialise each host-order state word as big-endian bytes. */
		for (word = 0; word < 6; word++, out += 8)
			BE_64_TO_8(out, context->state[word]);
#endif
	}

	/*
	 * Zero out state data. NOTE(review): a plain memset() of an object
	 * the caller never reads again can be removed by the optimizer.
	 */
	memset(context, 0, sizeof(*context));
}
892