1 #pragma prototyped
2
3 #if _typ_int64_t
4
5 /*
6 * Aaron D. Gifford's SHA {256,384,512} code transcribed into a -lsum method
7 * with bitcount[] order reversed to allow a single noalias buffer copy
8 */
9
10 /*
11 * Copyright (c) 2000-2001, Aaron D. Gifford
12 * All rights reserved.
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 * 3. Neither the name of the copyright holder nor the names of contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * SUCH DAMAGE.
37 */
38
39 /*
40 * ASSERT NOTE:
41 * Some sanity checking code is included using assert(). On my FreeBSD
42 * system, this additional code can be removed by compiling with NDEBUG
43 * defined. Check your own systems manpage on assert() to see how to
44 * compile WITHOUT the sanity checking code on your system.
45 *
46 * UNROLLED TRANSFORM LOOP NOTE:
47 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
48 * loop version for the hash transform rounds (defined using macros
49 * later in this file). Either define on the command line, for example:
50 *
51 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
52 *
53 * or define below:
54 *
55 * #define SHA2_UNROLL_TRANSFORM
56 *
57 */
58
59 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
60
61 #if _PACKAGE_ast
62
63 #ifndef __USE_BSD
64 #define __undef__USE_BSD
65 #define __USE_BSD
66 #endif
67 #include <endian.h>
68 #ifdef __undef__USE_BSD
69 #undef __undef__USE_BSD
70 #undef __USE_BSD
71 #endif
72
73 typedef uint8_t sha2_byte; /* Exactly 1 byte */
74 typedef uint32_t sha2_word32; /* Exactly 4 bytes */
75 typedef uint64_t sha2_word64; /* Exactly 8 bytes */
76
77 #define assert(x)
78
79 #undef R
80 #undef S32
81 #undef S64
82
83 #else /* _PACKAGE_ast */
84
85 /*
86 * BYTE_ORDER NOTE:
87 *
88 * Please make sure that your system defines BYTE_ORDER. If your
89 * architecture is little-endian, make sure it also defines
90 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
91 * equivilent.
92 *
93 * If your system does not define the above, then you can do so by
94 * hand like this:
95 *
96 * #define LITTLE_ENDIAN 1234
97 * #define BIG_ENDIAN 4321
98 *
99 * And for little-endian machines, add:
100 *
101 * #define BYTE_ORDER LITTLE_ENDIAN
102 *
103 * Or for big-endian machines:
104 *
105 * #define BYTE_ORDER BIG_ENDIAN
106 *
107 * The FreeBSD machine this was written on defines BYTE_ORDER
108 * appropriately by including <sys/types.h> (which in turn includes
109 * <machine/endian.h> where the appropriate definitions are actually
110 * made).
111 */
112
113 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
114 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
115 #endif
116
117 /*
118 * Define the following sha2_* types to types of the correct length on
119 * the native archtecture. Most BSD systems and Linux define u_intXX_t
120 * types. Machines with very recent ANSI C headers, can use the
121 * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
122 * during compile or in the sha.h header file.
123 *
124 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
125 * will need to define these three typedefs below (and the appropriate
126 * ones in sha.h too) by hand according to their system architecture.
127 *
128 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
129 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
130 */
131
132 #ifdef SHA2_USE_INTTYPES_H
133
134 typedef uint8_t sha2_byte; /* Exactly 1 byte */
135 typedef uint32_t sha2_word32; /* Exactly 4 bytes */
136 typedef uint64_t sha2_word64; /* Exactly 8 bytes */
137
138 #else /* SHA2_USE_INTTYPES_H */
139
140 typedef u_int8_t sha2_byte; /* Exactly 1 byte */
141 typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
142 typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
143
144 #endif /* SHA2_USE_INTTYPES_H */
145
146 #endif /* _PACKAGE_ast */
147
148 /*** SHA-256/384/512 Various Length Definitions ***********************/
149
150 #define SHA256_BLOCK_LENGTH 64
151 #define SHA256_DIGEST_LENGTH 32
152 #define SHA384_BLOCK_LENGTH 128
153 #define SHA384_DIGEST_LENGTH 48
154 #define SHA512_BLOCK_LENGTH 128
155 #define SHA512_DIGEST_LENGTH 64
156
157 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
158 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
159 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
160
161 /*** ENDIAN REVERSAL MACROS *******************************************/
162 #if BYTE_ORDER == LITTLE_ENDIAN
163 #define REVERSE32(w,x) { \
164 sha2_word32 tmp = (w); \
165 tmp = (tmp >> 16) | (tmp << 16); \
166 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
167 }
168 #if _ast_LL
169 #define REVERSE64(w,x) { \
170 sha2_word64 tmp = (w); \
171 tmp = (tmp >> 32) | (tmp << 32); \
172 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
173 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
174 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
175 ((tmp & 0x0000ffff0000ffffULL) << 16); \
176 }
177 #else
178 #define REVERSE64(w,x) { \
179 sha2_word64 tmp = (w); \
180 tmp = (tmp >> 32) | (tmp << 32); \
181 tmp = ((tmp & ((sha2_word64)0xff00ff00ff00ff00)) >> 8) | \
182 ((tmp & ((sha2_word64)0x00ff00ff00ff00ff)) << 8); \
183 (x) = ((tmp & ((sha2_word64)0xffff0000ffff0000)) >> 16) | \
184 ((tmp & ((sha2_word64)0x0000ffff0000ffff)) << 16); \
185 }
186 #endif
187 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
188
189 /*
190 * Macro for incrementally adding the unsigned 64-bit integer n to the
191 * unsigned 128-bit integer (represented using a two-element array of
192 * 64-bit words):
193 */
194
195 #define ADDINC128(w,n) { \
196 (w)[1] += (sha2_word64)(n); \
197 if ((w)[1] < (n)) { \
198 (w)[0]++; \
199 } \
200 }
201
202 /*
203 * Macros for copying blocks of memory and for zeroing out ranges
204 * of memory. Using these macros makes it easy to switch from
205 * using memset()/memcpy() and using bzero()/bcopy().
206 *
207 * Please define either SHA2_USE_MEMSET_MEMCPY or define
208 * SHA2_USE_BZERO_BCOPY depending on which function set you
209 * choose to use:
210 */
211
212 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
213 /* Default to memset()/memcpy() if no option is specified */
214 #define SHA2_USE_MEMSET_MEMCPY 1
215 #endif
216 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
217 /* Abort with an error if BOTH options are defined */
218 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
219 #endif
220
221 #ifdef SHA2_USE_MEMSET_MEMCPY
222 #define MEMSET_BZERO(p,l) memset((p), 0, (l))
223 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
224 #endif
225 #ifdef SHA2_USE_BZERO_BCOPY
226 #define MEMSET_BZERO(p,l) bzero((p), (l))
227 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
228 #endif
229
230
231 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
232 /*
233 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
234 *
235 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
236 * S is a ROTATION) because the SHA-256/384/512 description document
237 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
238 * same "backwards" definition.
239 */
240
241 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
242 #define R(b,x) ((x) >> (b))
243 /* 32-bit Rotate-right (used in SHA-256): */
244 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
245 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
246 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
247
248 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
249 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
250 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
251
252 /* Four of six logical functions used in SHA-256: */
253 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
254 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
255 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
256 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
257
258 /* Four of six logical functions used in SHA-384 and SHA-512: */
259 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
260 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
261 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
262 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
263
264 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
265 /* Hash constant words K for SHA-256: */
266 static const sha2_word32 K256[64] = {
267 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
268 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
269 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
270 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
271 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
272 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
273 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
274 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
275 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
276 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
277 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
278 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
279 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
280 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
281 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
282 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
283 };
284
285 /* Initial hash value H for SHA-256: */
286 static const sha2_word32 sha256_initial_hash_value[8] = {
287 0x6a09e667UL,
288 0xbb67ae85UL,
289 0x3c6ef372UL,
290 0xa54ff53aUL,
291 0x510e527fUL,
292 0x9b05688cUL,
293 0x1f83d9abUL,
294 0x5be0cd19UL
295 };
296
297 /* Hash constant words K for SHA-384 and SHA-512: */
298 static const sha2_word64 K512[80] = {
299 #if _ast_LL
300 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
301 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
302 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
303 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
304 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
305 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
306 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
307 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
308 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
309 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
310 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
311 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
312 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
313 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
314 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
315 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
316 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
317 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
318 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
319 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
320 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
321 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
322 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
323 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
324 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
325 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
326 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
327 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
328 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
329 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
330 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
331 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
332 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
333 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
334 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
335 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
336 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
337 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
338 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
339 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
340 #else
341 ((sha2_word64)0x428a2f98d728ae22), ((sha2_word64)0x7137449123ef65cd),
342 ((sha2_word64)0xb5c0fbcfec4d3b2f), ((sha2_word64)0xe9b5dba58189dbbc),
343 ((sha2_word64)0x3956c25bf348b538), ((sha2_word64)0x59f111f1b605d019),
344 ((sha2_word64)0x923f82a4af194f9b), ((sha2_word64)0xab1c5ed5da6d8118),
345 ((sha2_word64)0xd807aa98a3030242), ((sha2_word64)0x12835b0145706fbe),
346 ((sha2_word64)0x243185be4ee4b28c), ((sha2_word64)0x550c7dc3d5ffb4e2),
347 ((sha2_word64)0x72be5d74f27b896f), ((sha2_word64)0x80deb1fe3b1696b1),
348 ((sha2_word64)0x9bdc06a725c71235), ((sha2_word64)0xc19bf174cf692694),
349 ((sha2_word64)0xe49b69c19ef14ad2), ((sha2_word64)0xefbe4786384f25e3),
350 ((sha2_word64)0x0fc19dc68b8cd5b5), ((sha2_word64)0x240ca1cc77ac9c65),
351 ((sha2_word64)0x2de92c6f592b0275), ((sha2_word64)0x4a7484aa6ea6e483),
352 ((sha2_word64)0x5cb0a9dcbd41fbd4), ((sha2_word64)0x76f988da831153b5),
353 ((sha2_word64)0x983e5152ee66dfab), ((sha2_word64)0xa831c66d2db43210),
354 ((sha2_word64)0xb00327c898fb213f), ((sha2_word64)0xbf597fc7beef0ee4),
355 ((sha2_word64)0xc6e00bf33da88fc2), ((sha2_word64)0xd5a79147930aa725),
356 ((sha2_word64)0x06ca6351e003826f), ((sha2_word64)0x142929670a0e6e70),
357 ((sha2_word64)0x27b70a8546d22ffc), ((sha2_word64)0x2e1b21385c26c926),
358 ((sha2_word64)0x4d2c6dfc5ac42aed), ((sha2_word64)0x53380d139d95b3df),
359 ((sha2_word64)0x650a73548baf63de), ((sha2_word64)0x766a0abb3c77b2a8),
360 ((sha2_word64)0x81c2c92e47edaee6), ((sha2_word64)0x92722c851482353b),
361 ((sha2_word64)0xa2bfe8a14cf10364), ((sha2_word64)0xa81a664bbc423001),
362 ((sha2_word64)0xc24b8b70d0f89791), ((sha2_word64)0xc76c51a30654be30),
363 ((sha2_word64)0xd192e819d6ef5218), ((sha2_word64)0xd69906245565a910),
364 ((sha2_word64)0xf40e35855771202a), ((sha2_word64)0x106aa07032bbd1b8),
365 ((sha2_word64)0x19a4c116b8d2d0c8), ((sha2_word64)0x1e376c085141ab53),
366 ((sha2_word64)0x2748774cdf8eeb99), ((sha2_word64)0x34b0bcb5e19b48a8),
367 ((sha2_word64)0x391c0cb3c5c95a63), ((sha2_word64)0x4ed8aa4ae3418acb),
368 ((sha2_word64)0x5b9cca4f7763e373), ((sha2_word64)0x682e6ff3d6b2b8a3),
369 ((sha2_word64)0x748f82ee5defb2fc), ((sha2_word64)0x78a5636f43172f60),
370 ((sha2_word64)0x84c87814a1f0ab72), ((sha2_word64)0x8cc702081a6439ec),
371 ((sha2_word64)0x90befffa23631e28), ((sha2_word64)0xa4506cebde82bde9),
372 ((sha2_word64)0xbef9a3f7b2c67915), ((sha2_word64)0xc67178f2e372532b),
373 ((sha2_word64)0xca273eceea26619c), ((sha2_word64)0xd186b8c721c0c207),
374 ((sha2_word64)0xeada7dd6cde0eb1e), ((sha2_word64)0xf57d4f7fee6ed178),
375 ((sha2_word64)0x06f067aa72176fba), ((sha2_word64)0x0a637dc5a2c898a6),
376 ((sha2_word64)0x113f9804bef90dae), ((sha2_word64)0x1b710b35131c471b),
377 ((sha2_word64)0x28db77f523047d84), ((sha2_word64)0x32caab7b40c72493),
378 ((sha2_word64)0x3c9ebe0a15c9bebc), ((sha2_word64)0x431d67c49c100d4c),
379 ((sha2_word64)0x4cc5d4becb3e42b6), ((sha2_word64)0x597f299cfc657e2a),
380 ((sha2_word64)0x5fcb6fab3ad6faec), ((sha2_word64)0x6c44198c4a475817)
381 #endif
382 };
383
384 /* Initial hash value H for SHA-384 */
385 static const sha2_word64 sha384_initial_hash_value[8] = {
386 #if _ast_LL
387 0xcbbb9d5dc1059ed8ULL,
388 0x629a292a367cd507ULL,
389 0x9159015a3070dd17ULL,
390 0x152fecd8f70e5939ULL,
391 0x67332667ffc00b31ULL,
392 0x8eb44a8768581511ULL,
393 0xdb0c2e0d64f98fa7ULL,
394 0x47b5481dbefa4fa4ULL
395 #else
396 ((sha2_word64)0xcbbb9d5dc1059ed8),
397 ((sha2_word64)0x629a292a367cd507),
398 ((sha2_word64)0x9159015a3070dd17),
399 ((sha2_word64)0x152fecd8f70e5939),
400 ((sha2_word64)0x67332667ffc00b31),
401 ((sha2_word64)0x8eb44a8768581511),
402 ((sha2_word64)0xdb0c2e0d64f98fa7),
403 ((sha2_word64)0x47b5481dbefa4fa4)
404 #endif
405 };
406
407 /* Initial hash value H for SHA-512 */
408 static const sha2_word64 sha512_initial_hash_value[8] = {
409 #if _ast_LL
410 0x6a09e667f3bcc908ULL,
411 0xbb67ae8584caa73bULL,
412 0x3c6ef372fe94f82bULL,
413 0xa54ff53a5f1d36f1ULL,
414 0x510e527fade682d1ULL,
415 0x9b05688c2b3e6c1fULL,
416 0x1f83d9abfb41bd6bULL,
417 0x5be0cd19137e2179ULL
418 #else
419 ((sha2_word64)0x6a09e667f3bcc908),
420 ((sha2_word64)0xbb67ae8584caa73b),
421 ((sha2_word64)0x3c6ef372fe94f82b),
422 ((sha2_word64)0xa54ff53a5f1d36f1),
423 ((sha2_word64)0x510e527fade682d1),
424 ((sha2_word64)0x9b05688c2b3e6c1f),
425 ((sha2_word64)0x1f83d9abfb41bd6b),
426 ((sha2_word64)0x5be0cd19137e2179)
427 #endif
428 };
429
430 /*** SHA-256: *********************************************************/
431
432 #define sha256_description "FIPS SHA-256 secure hash algorithm."
433 #define sha256_options "\
434 [+(version)?sha-256 (FIPS) 2000-01-01]\
435 [+(author)?Aaron D. Gifford]\
436 "
437 #define sha256_match "sha256|sha-256|SHA256|SHA-256"
438 #define sha256_scale 0
439
440 #define sha256_padding md5_pad
441
442 #define SHA256_CTX Sha256_t
443
444 typedef struct Sha256_s
445 {
446 _SUM_PUBLIC_
447 _SUM_PRIVATE_
448 sha2_byte digest[SHA256_DIGEST_LENGTH];
449 sha2_byte digest_sum[SHA256_DIGEST_LENGTH];
450 sha2_word32 state[8];
451 sha2_word64 bitcount;
452 sha2_byte buffer[SHA256_BLOCK_LENGTH];
453 } Sha256_t;
454
455 #ifdef SHA2_UNROLL_TRANSFORM
456
457 /* Unrolled SHA-256 round macros: */
458
459 #if BYTE_ORDER == LITTLE_ENDIAN
460
461 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
462 REVERSE32(*data++, W256[j]); \
463 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
464 K256[j] + W256[j]; \
465 (d) += T1; \
466 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
467 j++
468
469
470 #else /* BYTE_ORDER == LITTLE_ENDIAN */
471
472 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
473 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
474 K256[j] + (W256[j] = *data++); \
475 (d) += T1; \
476 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
477 j++
478
479 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
480
481 #define ROUND256(a,b,c,d,e,f,g,h) \
482 s0 = W256[(j+1)&0x0f]; \
483 s0 = sigma0_256(s0); \
484 s1 = W256[(j+14)&0x0f]; \
485 s1 = sigma1_256(s1); \
486 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
487 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
488 (d) += T1; \
489 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
490 j++
491
SHA256_Transform(SHA256_CTX * sha,const sha2_word32 * data)492 static void SHA256_Transform(SHA256_CTX* sha, const sha2_word32* data) {
493 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
494 sha2_word32 T1, *W256;
495 int j;
496
497 W256 = (sha2_word32*)sha->buffer;
498
499 /* Initialize registers with the prev. intermediate value */
500 a = sha->state[0];
501 b = sha->state[1];
502 c = sha->state[2];
503 d = sha->state[3];
504 e = sha->state[4];
505 f = sha->state[5];
506 g = sha->state[6];
507 h = sha->state[7];
508
509 j = 0;
510 do {
511 /* Rounds 0 to 15 (unrolled): */
512 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
513 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
514 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
515 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
516 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
517 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
518 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
519 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
520 } while (j < 16);
521
522 /* Now for the remaining rounds to 64: */
523 do {
524 ROUND256(a,b,c,d,e,f,g,h);
525 ROUND256(h,a,b,c,d,e,f,g);
526 ROUND256(g,h,a,b,c,d,e,f);
527 ROUND256(f,g,h,a,b,c,d,e);
528 ROUND256(e,f,g,h,a,b,c,d);
529 ROUND256(d,e,f,g,h,a,b,c);
530 ROUND256(c,d,e,f,g,h,a,b);
531 ROUND256(b,c,d,e,f,g,h,a);
532 } while (j < 64);
533
534 /* Compute the current intermediate hash value */
535 sha->state[0] += a;
536 sha->state[1] += b;
537 sha->state[2] += c;
538 sha->state[3] += d;
539 sha->state[4] += e;
540 sha->state[5] += f;
541 sha->state[6] += g;
542 sha->state[7] += h;
543
544 /* Clean up */
545 a = b = c = d = e = f = g = h = T1 = 0;
546 }
547
548 #else /* SHA2_UNROLL_TRANSFORM */
549
SHA256_Transform(SHA256_CTX * sha,const sha2_word32 * data)550 static void SHA256_Transform(SHA256_CTX* sha, const sha2_word32* data) {
551 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
552 sha2_word32 T1, T2, *W256;
553 int j;
554
555 W256 = (sha2_word32*)sha->buffer;
556
557 /* Initialize registers with the prev. intermediate value */
558 a = sha->state[0];
559 b = sha->state[1];
560 c = sha->state[2];
561 d = sha->state[3];
562 e = sha->state[4];
563 f = sha->state[5];
564 g = sha->state[6];
565 h = sha->state[7];
566
567 j = 0;
568 do {
569 #if BYTE_ORDER == LITTLE_ENDIAN
570 /* Copy data while converting to host byte order */
571 REVERSE32(*data++,W256[j]);
572 /* Apply the SHA-256 compression function to update a..h */
573 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
574 #else /* BYTE_ORDER == LITTLE_ENDIAN */
575 /* Apply the SHA-256 compression function to update a..h with copy */
576 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
577 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
578 T2 = Sigma0_256(a) + Maj(a, b, c);
579 h = g;
580 g = f;
581 f = e;
582 e = d + T1;
583 d = c;
584 c = b;
585 b = a;
586 a = T1 + T2;
587
588 j++;
589 } while (j < 16);
590
591 do {
592 /* Part of the message block expansion: */
593 s0 = W256[(j+1)&0x0f];
594 s0 = sigma0_256(s0);
595 s1 = W256[(j+14)&0x0f];
596 s1 = sigma1_256(s1);
597
598 /* Apply the SHA-256 compression function to update a..h */
599 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
600 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
601 T2 = Sigma0_256(a) + Maj(a, b, c);
602 h = g;
603 g = f;
604 f = e;
605 e = d + T1;
606 d = c;
607 c = b;
608 b = a;
609 a = T1 + T2;
610
611 j++;
612 } while (j < 64);
613
614 /* Compute the current intermediate hash value */
615 sha->state[0] += a;
616 sha->state[1] += b;
617 sha->state[2] += c;
618 sha->state[3] += d;
619 sha->state[4] += e;
620 sha->state[5] += f;
621 sha->state[6] += g;
622 sha->state[7] += h;
623
624 /* Clean up */
625 a = b = c = d = e = f = g = h = T1 = T2 = 0;
626 }
627
628 #endif /* SHA2_UNROLL_TRANSFORM */
629
630 static int
sha256_block(register Sum_t * p,const void * s,size_t len)631 sha256_block(register Sum_t* p, const void* s, size_t len)
632 {
633 Sha256_t* sha = (Sha256_t*)p;
634 sha2_byte* data = (sha2_byte*)s;
635 unsigned int freespace, usedspace;
636
637 if (!len)
638 return 0;
639 usedspace = (sha->bitcount >> 3) % SHA256_BLOCK_LENGTH;
640 if (usedspace > 0) {
641 /* Calculate how much free space is available in the buffer */
642 freespace = SHA256_BLOCK_LENGTH - usedspace;
643
644 if (len >= freespace) {
645 /* Fill the buffer completely and process it */
646 MEMCPY_BCOPY(&sha->buffer[usedspace], data, freespace);
647 sha->bitcount += freespace << 3;
648 len -= freespace;
649 data += freespace;
650 SHA256_Transform(sha, (sha2_word32*)sha->buffer);
651 } else {
652 /* The buffer is not yet full */
653 MEMCPY_BCOPY(&sha->buffer[usedspace], data, len);
654 sha->bitcount += len << 3;
655 /* Clean up: */
656 usedspace = freespace = 0;
657 return 0;
658 }
659 }
660 while (len >= SHA256_BLOCK_LENGTH) {
661 /* Process as many complete blocks as we can */
662 SHA256_Transform(sha, (sha2_word32*)data);
663 sha->bitcount += SHA256_BLOCK_LENGTH << 3;
664 len -= SHA256_BLOCK_LENGTH;
665 data += SHA256_BLOCK_LENGTH;
666 }
667 if (len > 0) {
668 /* There's left-overs, so save 'em */
669 MEMCPY_BCOPY(sha->buffer, data, len);
670 sha->bitcount += len << 3;
671 }
672 /* Clean up: */
673 usedspace = freespace = 0;
674
675 return 0;
676 }
677
678 static int
sha256_init(Sum_t * p)679 sha256_init(Sum_t* p)
680 {
681 register Sha256_t* sha = (Sha256_t*)p;
682
683 MEMCPY_BCOPY(sha->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
684 MEMSET_BZERO(sha->buffer, SHA256_BLOCK_LENGTH);
685 sha->bitcount = 0;
686
687 return 0;
688 }
689
690 static Sum_t*
sha256_open(const Method_t * method,const char * name)691 sha256_open(const Method_t* method, const char* name)
692 {
693 Sha256_t* sha;
694
695 if (sha = newof(0, Sha256_t, 1, 0))
696 {
697 sha->method = (Method_t*)method;
698 sha->name = name;
699 sha256_init((Sum_t*)sha);
700 }
701 return (Sum_t*)sha;
702 }
703
704 static int
sha256_done(Sum_t * p)705 sha256_done(Sum_t* p)
706 {
707 Sha256_t* sha = (Sha256_t*)p;
708 unsigned int usedspace;
709 register int i;
710
711 /* Sanity check: */
712 assert(sha != (SHA256_CTX*)0);
713
714 usedspace = (sha->bitcount >> 3) % SHA256_BLOCK_LENGTH;
715 #if BYTE_ORDER == LITTLE_ENDIAN
716 /* Convert FROM host byte order */
717 REVERSE64(sha->bitcount,sha->bitcount);
718 #endif
719 if (usedspace > 0) {
720 /* Begin padding with a 1 bit: */
721 sha->buffer[usedspace++] = 0x80;
722
723 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
724 /* Set-up for the last transform: */
725 MEMSET_BZERO(&sha->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
726 } else {
727 if (usedspace < SHA256_BLOCK_LENGTH) {
728 MEMSET_BZERO(&sha->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
729 }
730 /* Do second-to-last transform: */
731 SHA256_Transform(sha, (sha2_word32*)sha->buffer);
732
733 /* And set-up for the last transform: */
734 MEMSET_BZERO(sha->buffer, SHA256_SHORT_BLOCK_LENGTH);
735 }
736 } else {
737 /* Set-up for the last transform: */
738 MEMSET_BZERO(sha->buffer, SHA256_SHORT_BLOCK_LENGTH);
739
740 /* Begin padding with a 1 bit: */
741 *sha->buffer = 0x80;
742 }
743 /* Store the length of input data (in bits): */
744 MEMCPY_BCOPY(&sha->buffer[SHA256_SHORT_BLOCK_LENGTH], &sha->bitcount, 8);
745
746 /* Final transform: */
747 SHA256_Transform(sha, (sha2_word32*)sha->buffer);
748
749 #if BYTE_ORDER == LITTLE_ENDIAN
750 {
751 /* Convert TO host byte order */
752 int j;
753 sha2_word32* d = (sha2_word32*)sha->digest;
754 for (j = 0; j < 8; j++) {
755 REVERSE32(sha->state[j],sha->state[j]);
756 *d++ = sha->state[j];
757 }
758 }
759 #else
760 MEMCPY_BCOPY(sha->digest, sha->state, SHA256_DIGEST_LENGTH);
761 #endif
762
763 /* accumulate the digests */
764 for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
765 sha->digest_sum[i] ^= sha->digest[i];
766
767 /* Clean up state data: */
768 MEMSET_BZERO(&sha->state, sizeof(*sha) - offsetof(Sha256_t, state));
769 usedspace = 0;
770
771 return 0;
772 }
773
774 static int
sha256_print(Sum_t * p,Sfio_t * sp,register int flags,size_t scale)775 sha256_print(Sum_t* p, Sfio_t* sp, register int flags, size_t scale)
776 {
777 register Sha256_t* sha = (Sha256_t*)p;
778 register sha2_byte* d;
779 register sha2_byte* e;
780
781 d = (flags & SUM_TOTAL) ? sha->digest_sum : sha->digest;
782 e = d + SHA256_DIGEST_LENGTH;
783 while (d < e)
784 sfprintf(sp, "%02x", *d++);
785 return 0;
786 }
787
788 static int
sha256_data(Sum_t * p,Sumdata_t * data)789 sha256_data(Sum_t* p, Sumdata_t* data)
790 {
791 register Sha256_t* sha = (Sha256_t*)p;
792
793 data->size = SHA256_DIGEST_LENGTH;
794 data->num = 0;
795 data->buf = sha->digest;
796 return 0;
797 }
798
799 /*** SHA-512: *********************************************************/
800
801 #define sha512_description "FIPS SHA-512 secure hash algorithm."
802 #define sha512_options "\
803 [+(version)?sha-512 (FIPS) 2000-01-01]\
804 [+(author)?Aaron D. Gifford]\
805 "
806 #define sha512_match "sha512|sha-512|SHA512|SHA-512"
807 #define sha512_scale 0
808
809 #define sha512_padding md5_pad
810
811 #define SHA512_CTX Sha512_t
812
813 typedef struct Sha512_s
814 {
815 _SUM_PUBLIC_
816 _SUM_PRIVATE_
817 sha2_byte digest[SHA512_DIGEST_LENGTH];
818 sha2_byte digest_sum[SHA512_DIGEST_LENGTH];
819 sha2_word64 state[8];
820 sha2_word64 bitcount[2];
821 sha2_byte buffer[SHA512_BLOCK_LENGTH];
822 } Sha512_t;
823
824 #ifdef SHA2_UNROLL_TRANSFORM
825
826 /* Unrolled SHA-512 round macros: */
827 #if BYTE_ORDER == LITTLE_ENDIAN
828
829 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
830 REVERSE64(*data++, W512[j]); \
831 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
832 K512[j] + W512[j]; \
833 (d) += T1, \
834 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
835 j++
836
837
838 #else /* BYTE_ORDER == LITTLE_ENDIAN */
839
840 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
841 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
842 K512[j] + (W512[j] = *data++); \
843 (d) += T1; \
844 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
845 j++
846
847 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
848
849 #define ROUND512(a,b,c,d,e,f,g,h) \
850 s0 = W512[(j+1)&0x0f]; \
851 s0 = sigma0_512(s0); \
852 s1 = W512[(j+14)&0x0f]; \
853 s1 = sigma1_512(s1); \
854 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
855 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
856 (d) += T1; \
857 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
858 j++
859
SHA512_Transform(SHA512_CTX * sha,const sha2_word64 * data)860 static void SHA512_Transform(SHA512_CTX* sha, const sha2_word64* data) {
861 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
862 sha2_word64 T1, *W512 = (sha2_word64*)sha->buffer;
863 int j;
864
865 /* Initialize registers with the prev. intermediate value */
866 a = sha->state[0];
867 b = sha->state[1];
868 c = sha->state[2];
869 d = sha->state[3];
870 e = sha->state[4];
871 f = sha->state[5];
872 g = sha->state[6];
873 h = sha->state[7];
874
875 j = 0;
876 do {
877 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
878 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
879 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
880 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
881 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
882 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
883 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
884 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
885 } while (j < 16);
886
887 /* Now for the remaining rounds up to 79: */
888 do {
889 ROUND512(a,b,c,d,e,f,g,h);
890 ROUND512(h,a,b,c,d,e,f,g);
891 ROUND512(g,h,a,b,c,d,e,f);
892 ROUND512(f,g,h,a,b,c,d,e);
893 ROUND512(e,f,g,h,a,b,c,d);
894 ROUND512(d,e,f,g,h,a,b,c);
895 ROUND512(c,d,e,f,g,h,a,b);
896 ROUND512(b,c,d,e,f,g,h,a);
897 } while (j < 80);
898
899 /* Compute the current intermediate hash value */
900 sha->state[0] += a;
901 sha->state[1] += b;
902 sha->state[2] += c;
903 sha->state[3] += d;
904 sha->state[4] += e;
905 sha->state[5] += f;
906 sha->state[6] += g;
907 sha->state[7] += h;
908
909 /* Clean up */
910 a = b = c = d = e = f = g = h = T1 = 0;
911 }
912
913 #else /* SHA2_UNROLL_TRANSFORM */
914
SHA512_Transform(SHA512_CTX * sha,const sha2_word64 * data)915 static void SHA512_Transform(SHA512_CTX* sha, const sha2_word64* data) {
916 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
917 sha2_word64 T1, T2, *W512 = (sha2_word64*)sha->buffer;
918 int j;
919
920 /* Initialize registers with the prev. intermediate value */
921 a = sha->state[0];
922 b = sha->state[1];
923 c = sha->state[2];
924 d = sha->state[3];
925 e = sha->state[4];
926 f = sha->state[5];
927 g = sha->state[6];
928 h = sha->state[7];
929
930 j = 0;
931 do {
932 #if BYTE_ORDER == LITTLE_ENDIAN
933 /* Convert TO host byte order */
934 REVERSE64(*data++, W512[j]);
935 /* Apply the SHA-512 compression function to update a..h */
936 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
937 #else /* BYTE_ORDER == LITTLE_ENDIAN */
938 /* Apply the SHA-512 compression function to update a..h with copy */
939 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
940 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
941 T2 = Sigma0_512(a) + Maj(a, b, c);
942 h = g;
943 g = f;
944 f = e;
945 e = d + T1;
946 d = c;
947 c = b;
948 b = a;
949 a = T1 + T2;
950
951 j++;
952 } while (j < 16);
953
954 do {
955 /* Part of the message block expansion: */
956 s0 = W512[(j+1)&0x0f];
957 s0 = sigma0_512(s0);
958 s1 = W512[(j+14)&0x0f];
959 s1 = sigma1_512(s1);
960
961 /* Apply the SHA-512 compression function to update a..h */
962 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
963 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
964 T2 = Sigma0_512(a) + Maj(a, b, c);
965 h = g;
966 g = f;
967 f = e;
968 e = d + T1;
969 d = c;
970 c = b;
971 b = a;
972 a = T1 + T2;
973
974 j++;
975 } while (j < 80);
976
977 /* Compute the current intermediate hash value */
978 sha->state[0] += a;
979 sha->state[1] += b;
980 sha->state[2] += c;
981 sha->state[3] += d;
982 sha->state[4] += e;
983 sha->state[5] += f;
984 sha->state[6] += g;
985 sha->state[7] += h;
986
987 /* Clean up */
988 a = b = c = d = e = f = g = h = T1 = T2 = 0;
989 }
990
991 #endif /* SHA2_UNROLL_TRANSFORM */
992
993 static int
sha512_block(register Sum_t * p,const void * s,size_t len)994 sha512_block(register Sum_t* p, const void* s, size_t len)
995 {
996 Sha512_t* sha = (Sha512_t*)p;
997 sha2_byte* data = (sha2_byte*)s;
998 unsigned int freespace, usedspace;
999
1000 if (!len)
1001 return 0;
1002 usedspace = (sha->bitcount[1] >> 3) % SHA512_BLOCK_LENGTH;
1003 if (usedspace > 0) {
1004 /* Calculate how much free space is available in the buffer */
1005 freespace = SHA512_BLOCK_LENGTH - usedspace;
1006
1007 if (len >= freespace) {
1008 /* Fill the buffer completely and process it */
1009 MEMCPY_BCOPY(&sha->buffer[usedspace], data, freespace);
1010 ADDINC128(sha->bitcount, freespace << 3);
1011 len -= freespace;
1012 data += freespace;
1013 SHA512_Transform(sha, (sha2_word64*)sha->buffer);
1014 } else {
1015 /* The buffer is not yet full */
1016 MEMCPY_BCOPY(&sha->buffer[usedspace], data, len);
1017 ADDINC128(sha->bitcount, len << 3);
1018 /* Clean up: */
1019 usedspace = freespace = 0;
1020 return 0;
1021 }
1022 }
1023 while (len >= SHA512_BLOCK_LENGTH) {
1024 /* Process as many complete blocks as we can */
1025 SHA512_Transform(sha, (sha2_word64*)data);
1026 ADDINC128(sha->bitcount, SHA512_BLOCK_LENGTH << 3);
1027 len -= SHA512_BLOCK_LENGTH;
1028 data += SHA512_BLOCK_LENGTH;
1029 }
1030 if (len > 0) {
1031 /* There's left-overs, so save 'em */
1032 MEMCPY_BCOPY(sha->buffer, data, len);
1033 ADDINC128(sha->bitcount, len << 3);
1034 }
1035 /* Clean up: */
1036 usedspace = freespace = 0;
1037
1038 return 0;
1039 }
1040
1041 static int
sha512_init(Sum_t * p)1042 sha512_init(Sum_t* p)
1043 {
1044 register Sha512_t* sha = (Sha512_t*)p;
1045
1046 MEMCPY_BCOPY(sha->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
1047 MEMSET_BZERO(sha->buffer, SHA512_BLOCK_LENGTH);
1048 sha->bitcount[0] = sha->bitcount[1] = 0;
1049
1050 return 0;
1051 }
1052
1053 static Sum_t*
sha512_open(const Method_t * method,const char * name)1054 sha512_open(const Method_t* method, const char* name)
1055 {
1056 Sha512_t* sha;
1057
1058 if (sha = newof(0, Sha512_t, 1, 0))
1059 {
1060 sha->method = (Method_t*)method;
1061 sha->name = name;
1062 sha512_init((Sum_t*)sha);
1063 }
1064 return (Sum_t*)sha;
1065 }
1066
1067 static int
sha512_done(Sum_t * p)1068 sha512_done(Sum_t* p)
1069 {
1070 Sha512_t* sha = (Sha512_t*)p;
1071 unsigned int usedspace;
1072 register int i;
1073
1074 usedspace = (sha->bitcount[1] >> 3) % SHA512_BLOCK_LENGTH;
1075 #if BYTE_ORDER == LITTLE_ENDIAN
1076 /* Convert FROM host byte order */
1077 REVERSE64(sha->bitcount[0],sha->bitcount[0]);
1078 REVERSE64(sha->bitcount[1],sha->bitcount[1]);
1079 #endif
1080 if (usedspace > 0) {
1081 /* Begin padding with a 1 bit: */
1082 sha->buffer[usedspace++] = 0x80;
1083
1084 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
1085 /* Set-up for the last transform: */
1086 MEMSET_BZERO(&sha->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
1087 } else {
1088 if (usedspace < SHA512_BLOCK_LENGTH) {
1089 MEMSET_BZERO(&sha->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
1090 }
1091 /* Do second-to-last transform: */
1092 SHA512_Transform(sha, (sha2_word64*)sha->buffer);
1093
1094 /* And set-up for the last transform: */
1095 MEMSET_BZERO(sha->buffer, SHA512_BLOCK_LENGTH - 2);
1096 }
1097 } else {
1098 /* Prepare for final transform: */
1099 MEMSET_BZERO(sha->buffer, SHA512_SHORT_BLOCK_LENGTH);
1100
1101 /* Begin padding with a 1 bit: */
1102 *sha->buffer = 0x80;
1103 }
1104 /* Store the length of input data (in bits): */
1105 MEMCPY_BCOPY(&sha->buffer[SHA512_SHORT_BLOCK_LENGTH], &sha->bitcount[0], 16);
1106
1107 /* Final transform: */
1108 SHA512_Transform(sha, (sha2_word64*)sha->buffer);
1109
1110 #if BYTE_ORDER == LITTLE_ENDIAN
1111 {
1112 /* Convert TO host byte order */
1113 sha2_word64* d = (sha2_word64*)sha->digest;
1114 int j;
1115 for (j = 0; j < 8; j++) {
1116 REVERSE64(sha->state[j],sha->state[j]);
1117 *d++ = sha->state[j];
1118 }
1119 }
1120 #else
1121 MEMCPY_BCOPY(sha->digest, sha->state, SHA512_DIGEST_LENGTH);
1122 #endif
1123
1124 /* accumulate the digests */
1125 for (i = 0; i < SHA512_DIGEST_LENGTH; i++)
1126 sha->digest_sum[i] ^= sha->digest[i];
1127
1128 /* Clean up state data: */
1129 MEMSET_BZERO(&sha->state, sizeof(*sha) - offsetof(Sha512_t, state));
1130 usedspace = 0;
1131
1132 return 0;
1133 }
1134
1135 static int
sha512_print(Sum_t * p,Sfio_t * sp,register int flags,size_t scale)1136 sha512_print(Sum_t* p, Sfio_t* sp, register int flags, size_t scale)
1137 {
1138 register Sha512_t* sha = (Sha512_t*)p;
1139 register sha2_byte* d;
1140 register sha2_byte* e;
1141
1142 d = (flags & SUM_TOTAL) ? sha->digest_sum : sha->digest;
1143 e = d + SHA512_DIGEST_LENGTH;
1144 while (d < e)
1145 sfprintf(sp, "%02x", *d++);
1146 return 0;
1147 }
1148
1149 static int
sha512_data(Sum_t * p,Sumdata_t * data)1150 sha512_data(Sum_t* p, Sumdata_t* data)
1151 {
1152 register Sha512_t* sha = (Sha512_t*)p;
1153
1154 data->size = SHA512_DIGEST_LENGTH;
1155 data->num = 0;
1156 data->buf = sha->digest;
1157 return 0;
1158 }
1159
1160 /*** SHA-384: *********************************************************/
1161
1162 #define sha384_description "FIPS SHA-384 secure hash algorithm."
1163 #define sha384_options "\
1164 [+(version)?sha-384 (FIPS) 2000-01-01]\
1165 [+(author)?Aaron D. Gifford]\
1166 "
1167 #define sha384_match "sha384|sha-384|SHA384|SHA-384"
1168 #define sha384_scale 0
1169 #define sha384_block sha512_block
1170 #define sha384_done sha512_done
1171
1172 #define sha384_padding md5_pad
1173
1174 #define Sha384_t Sha512_t
1175 #define SHA384_CTX Sha384_t
1176 #define SHA384_DIGEST_LENGTH 48
1177
1178 static int
sha384_init(Sum_t * p)1179 sha384_init(Sum_t* p)
1180 {
1181 register Sha384_t* sha = (Sha384_t*)p;
1182
1183 MEMCPY_BCOPY(sha->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH);
1184 MEMSET_BZERO(sha->buffer, SHA384_BLOCK_LENGTH);
1185 sha->bitcount[0] = sha->bitcount[1] = 0;
1186
1187 return 0;
1188 }
1189
1190 static Sum_t*
sha384_open(const Method_t * method,const char * name)1191 sha384_open(const Method_t* method, const char* name)
1192 {
1193 Sha384_t* sha;
1194
1195 if (sha = newof(0, Sha384_t, 1, 0))
1196 {
1197 sha->method = (Method_t*)method;
1198 sha->name = name;
1199 sha384_init((Sum_t*)sha);
1200 }
1201 return (Sum_t*)sha;
1202 }
1203
1204 static int
sha384_print(Sum_t * p,Sfio_t * sp,register int flags,size_t scale)1205 sha384_print(Sum_t* p, Sfio_t* sp, register int flags, size_t scale)
1206 {
1207 register Sha384_t* sha = (Sha384_t*)p;
1208 register sha2_byte* d;
1209 register sha2_byte* e;
1210
1211 d = (flags & SUM_TOTAL) ? sha->digest_sum : sha->digest;
1212 e = d + SHA384_DIGEST_LENGTH;
1213 while (d < e)
1214 sfprintf(sp, "%02x", *d++);
1215 return 0;
1216 }
1217
1218 static int
sha384_data(Sum_t * p,Sumdata_t * data)1219 sha384_data(Sum_t* p, Sumdata_t* data)
1220 {
1221 register Sha384_t* sha = (Sha384_t*)p;
1222
1223 data->size = SHA384_DIGEST_LENGTH;
1224 data->num = 0;
1225 data->buf = sha->digest;
1226 return 0;
1227 }
1228
1229 #endif /* _typ_int64_t */
1230