
7  * Copyright (c) 2000-2001, Aaron D. Gifford
44 /* no-op out, similar to DEF_WEAK but only needed here */
48 #include "openbsd-compat/sha2.h"
56 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
69 /*** SHA-224/256/384/512 Machine Architecture Definitions *****************/
74 * architecture is little-endian, make sure it also defines
84 * And for little-endian machines, add:
88 * Or for big-endian machines:
102 /*** SHA-224/256/384/512 Various Length Definitions ***********************/
104 #define SHA224_SHORT_BLOCK_LENGTH (SHA224_BLOCK_LENGTH - 8)
105 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
106 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
107 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
111 (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) | \
116 (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) | \
129 (cp)[6] = (src) >> 8; \
136 (cp)[2] = (src) >> 8; \
141 * Macro for incrementally adding the unsigned 64-bit integer n to the
142 * unsigned 128-bit integer (represented using a two-element array of
143 * 64-bit words):
154 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
157 * S is a ROTATION) because the SHA-224/256/384/512 description document
158 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
161 /* Shift-right (used in SHA-224, SHA-256, SHA-384, and SHA-512): */
163 /* 32-bit Rotate-right (used in SHA-224 and SHA-256): */
164 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
165 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
166 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
168 /* Two of six logical functions used in SHA-224, SHA-256, SHA-384, and SHA-512: */
172 /* Four of six logical functions used in SHA-224 and SHA-256: */
178 /* Four of six logical functions used in SHA-384 and SHA-512: */
181 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
185 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
186 /* Hash constant words K for SHA-224 and SHA-256: */
206 /* Initial hash value H for SHA-256: */
207 static const u_int32_t sha256_initial_hash_value[8] = {
218 /* Hash constant words K for SHA-384 and SHA-512: */
262 /* Initial hash value H for SHA-512 */
263 static const u_int64_t sha512_initial_hash_value[8] = {
276 /* Initial hash value H for SHA-224: */
277 static const u_int32_t sha224_initial_hash_value[8] = {
289 /* Initial hash value H for SHA-384 */
290 static const u_int64_t sha384_initial_hash_value[8] = {
302 /* Initial hash value H for SHA-512-256 */
303 static const u_int64_t sha512_256_initial_hash_value[8] = {
314 /*** SHA-224: *********************************************************/
318 memcpy(context->state.st32, sha224_initial_hash_value,
320 memset(context->buffer, 0, sizeof(context->buffer));
321 context->bitcount[0] = 0;
342 BE_32_TO_8(digest + i * 4, context->state.st32[i]);
344 memcpy(digest, context->state.st32, SHA224_DIGEST_LENGTH);
352 /*** SHA-256: *********************************************************/
356 memcpy(context->state.st32, sha256_initial_hash_value, in SHA256Init()
358 memset(context->buffer, 0, sizeof(context->buffer)); in SHA256Init()
359 context->bitcount[0] = 0; in SHA256Init()
365 /* Unrolled SHA-256 round macros: */
367 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \ argument
370 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
376 #define ROUND256(a,b,c,d,e,f,g,h) do { \ argument
381 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
389 SHA256Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) in SHA256Transform() argument
391 u_int32_t a, b, c, d, e, f, g, h, s0, s1; in SHA256Transform() local
402 g = state[6]; in SHA256Transform()
408 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); in SHA256Transform()
409 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); in SHA256Transform()
410 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); in SHA256Transform()
411 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); in SHA256Transform()
412 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); in SHA256Transform()
413 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); in SHA256Transform()
414 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); in SHA256Transform()
415 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); in SHA256Transform()
420 ROUND256(a,b,c,d,e,f,g,h); in SHA256Transform()
421 ROUND256(h,a,b,c,d,e,f,g); in SHA256Transform()
422 ROUND256(g,h,a,b,c,d,e,f); in SHA256Transform()
423 ROUND256(f,g,h,a,b,c,d,e); in SHA256Transform()
424 ROUND256(e,f,g,h,a,b,c,d); in SHA256Transform()
425 ROUND256(d,e,f,g,h,a,b,c); in SHA256Transform()
426 ROUND256(c,d,e,f,g,h,a,b); in SHA256Transform()
427 ROUND256(b,c,d,e,f,g,h,a); in SHA256Transform()
437 state[6] += g; in SHA256Transform()
441 a = b = c = d = e = f = g = h = T1 = 0; in SHA256Transform()
447 SHA256Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) in SHA256Transform() argument
449 u_int32_t a, b, c, d, e, f, g, h, s0, s1; in SHA256Transform() local
460 g = state[6]; in SHA256Transform()
467 /* Apply the SHA-256 compression function to update a..h */ in SHA256Transform()
468 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; in SHA256Transform()
470 h = g; in SHA256Transform()
471 g = f; in SHA256Transform()
489 /* Apply the SHA-256 compression function to update a..h */ in SHA256Transform()
490 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + in SHA256Transform()
493 h = g; in SHA256Transform()
494 g = f; in SHA256Transform()
512 state[6] += g; in SHA256Transform()
516 a = b = c = d = e = f = g = h = T1 = T2 = 0; in SHA256Transform()
531 usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; in SHA256Update()
534 freespace = SHA256_BLOCK_LENGTH - usedspace; in SHA256Update()
538 memcpy(&context->buffer[usedspace], data, freespace); in SHA256Update()
539 context->bitcount[0] += freespace << 3; in SHA256Update()
540 len -= freespace; in SHA256Update()
542 SHA256Transform(context->state.st32, context->buffer); in SHA256Update()
545 memcpy(&context->buffer[usedspace], data, len); in SHA256Update()
546 context->bitcount[0] += (u_int64_t)len << 3; in SHA256Update()
554 SHA256Transform(context->state.st32, data); in SHA256Update()
555 context->bitcount[0] += SHA256_BLOCK_LENGTH << 3; in SHA256Update()
556 len -= SHA256_BLOCK_LENGTH; in SHA256Update()
560 /* There's left-overs, so save 'em */ in SHA256Update()
561 memcpy(context->buffer, data, len); in SHA256Update()
562 context->bitcount[0] += len << 3; in SHA256Update()
574 usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; in SHA256Pad()
577 context->buffer[usedspace++] = 0x80; in SHA256Pad()
580 /* Set-up for the last transform: */ in SHA256Pad()
581 memset(&context->buffer[usedspace], 0, in SHA256Pad()
582 SHA256_SHORT_BLOCK_LENGTH - usedspace); in SHA256Pad()
585 memset(&context->buffer[usedspace], 0, in SHA256Pad()
586 SHA256_BLOCK_LENGTH - usedspace); in SHA256Pad()
588 /* Do second-to-last transform: */ in SHA256Pad()
589 SHA256Transform(context->state.st32, context->buffer); in SHA256Pad()
592 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); in SHA256Pad()
595 /* Set-up for the last transform: */ in SHA256Pad()
596 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); in SHA256Pad()
599 *context->buffer = 0x80; in SHA256Pad()
602 BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], in SHA256Pad()
603 context->bitcount[0]); in SHA256Pad()
606 SHA256Transform(context->state.st32, context->buffer); in SHA256Pad()
622 for (i = 0; i < 8; i++) in SHA256Final()
623 BE_32_TO_8(digest + i * 4, context->state.st32[i]); in SHA256Final()
625 memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH); in SHA256Final()
632 /*** SHA-512: *********************************************************/
636 memcpy(context->state.st64, sha512_initial_hash_value, in SHA512Init()
638 memset(context->buffer, 0, sizeof(context->buffer)); in SHA512Init()
639 context->bitcount[0] = context->bitcount[1] = 0; in SHA512Init()
645 /* Unrolled SHA-512 round macros: */
647 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \ argument
649 data += 8; \
650 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
657 #define ROUND512(a,b,c,d,e,f,g,h) do { \ argument
662 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
670 SHA512Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) in SHA512Transform() argument
672 u_int64_t a, b, c, d, e, f, g, h, s0, s1; in SHA512Transform() local
683 g = state[6]; in SHA512Transform()
689 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); in SHA512Transform()
690 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); in SHA512Transform()
691 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); in SHA512Transform()
692 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); in SHA512Transform()
693 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); in SHA512Transform()
694 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); in SHA512Transform()
695 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); in SHA512Transform()
696 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); in SHA512Transform()
701 ROUND512(a,b,c,d,e,f,g,h); in SHA512Transform()
702 ROUND512(h,a,b,c,d,e,f,g); in SHA512Transform()
703 ROUND512(g,h,a,b,c,d,e,f); in SHA512Transform()
704 ROUND512(f,g,h,a,b,c,d,e); in SHA512Transform()
705 ROUND512(e,f,g,h,a,b,c,d); in SHA512Transform()
706 ROUND512(d,e,f,g,h,a,b,c); in SHA512Transform()
707 ROUND512(c,d,e,f,g,h,a,b); in SHA512Transform()
708 ROUND512(b,c,d,e,f,g,h,a); in SHA512Transform()
718 state[6] += g; in SHA512Transform()
722 a = b = c = d = e = f = g = h = T1 = 0; in SHA512Transform()
728 SHA512Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) in SHA512Transform() argument
730 u_int64_t a, b, c, d, e, f, g, h, s0, s1; in SHA512Transform() local
741 g = state[6]; in SHA512Transform()
747 data += 8; in SHA512Transform()
748 /* Apply the SHA-512 compression function to update a..h */ in SHA512Transform()
749 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; in SHA512Transform()
751 h = g; in SHA512Transform()
752 g = f; in SHA512Transform()
770 /* Apply the SHA-512 compression function to update a..h */ in SHA512Transform()
771 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + in SHA512Transform()
774 h = g; in SHA512Transform()
775 g = f; in SHA512Transform()
793 state[6] += g; in SHA512Transform()
797 a = b = c = d = e = f = g = h = T1 = T2 = 0; in SHA512Transform()
812 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; in SHA512Update()
815 freespace = SHA512_BLOCK_LENGTH - usedspace; in SHA512Update()
819 memcpy(&context->buffer[usedspace], data, freespace); in SHA512Update()
820 ADDINC128(context->bitcount, freespace << 3); in SHA512Update()
821 len -= freespace; in SHA512Update()
823 SHA512Transform(context->state.st64, context->buffer); in SHA512Update()
826 memcpy(&context->buffer[usedspace], data, len); in SHA512Update()
827 ADDINC128(context->bitcount, len << 3); in SHA512Update()
835 SHA512Transform(context->state.st64, data); in SHA512Update()
836 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); in SHA512Update()
837 len -= SHA512_BLOCK_LENGTH; in SHA512Update()
841 /* There's left-overs, so save 'em */ in SHA512Update()
842 memcpy(context->buffer, data, len); in SHA512Update()
843 ADDINC128(context->bitcount, len << 3); in SHA512Update()
855 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; in SHA512Pad()
858 context->buffer[usedspace++] = 0x80; in SHA512Pad()
861 /* Set-up for the last transform: */ in SHA512Pad()
862 memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace); in SHA512Pad()
865 memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace); in SHA512Pad()
867 /* Do second-to-last transform: */ in SHA512Pad()
868 SHA512Transform(context->state.st64, context->buffer); in SHA512Pad()
870 /* And set-up for the last transform: */ in SHA512Pad()
871 memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2); in SHA512Pad()
875 memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH); in SHA512Pad()
878 *context->buffer = 0x80; in SHA512Pad()
881 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], in SHA512Pad()
882 context->bitcount[1]); in SHA512Pad()
883 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], in SHA512Pad()
884 context->bitcount[0]); in SHA512Pad()
887 SHA512Transform(context->state.st64, context->buffer); in SHA512Pad()
903 for (i = 0; i < 8; i++) in SHA512Final()
904 BE_64_TO_8(digest + i * 8, context->state.st64[i]); in SHA512Final()
906 memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH); in SHA512Final()
914 /*** SHA-384: *********************************************************/
918 memcpy(context->state.st64, sha384_initial_hash_value, in SHA384Init()
920 memset(context->buffer, 0, sizeof(context->buffer)); in SHA384Init()
921 context->bitcount[0] = context->bitcount[1] = 0; in SHA384Init()
932 /* Equivalent of MAKE_CLONE (which is a no-op) for SHA384 funcs */
934 SHA384Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) in SHA384Transform() argument
961 BE_64_TO_8(digest + i * 8, context->state.st64[i]); in SHA384Final()
963 memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH); in SHA384Final()
971 /*** SHA-512/256: *********************************************************/
975 memcpy(context->state.st64, sha512_256_initial_hash_value,
977 memset(context->buffer, 0, sizeof(context->buffer));
978 context->bitcount[0] = context->bitcount[1] = 0;
999 BE_64_TO_8(digest + i * 8, context->state.st64[i]);
1001 memcpy(digest, context->state.st64, SHA512_256_DIGEST_LENGTH);