xref: /illumos-gate/usr/src/contrib/ast/src/lib/libsum/sum-sha2.c (revision b30d193948be5a7794d7ae3ba0ed9c2f72c88e0f)
1 #pragma prototyped
2 
3 #if _typ_int64_t
4 
5 /*
6  * Aaron D. Gifford's SHA {256,384,512} code transcribed into a -lsum method
7  * with bitcount[] order reversed to allow a single noalias buffer copy
8  */
9 
10 /*
11  * Copyright (c) 2000-2001, Aaron D. Gifford
12  * All rights reserved.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  * 3. Neither the name of the copyright holder nor the names of contributors
23  *    may be used to endorse or promote products derived from this software
24  *    without specific prior written permission.
25  *
26  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
27  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
30  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36  * SUCH DAMAGE.
37  */
38 
39 /*
40  * ASSERT NOTE:
41  * Some sanity checking code is included using assert().  On my FreeBSD
42  * system, this additional code can be removed by compiling with NDEBUG
43  * defined.  Check your own systems manpage on assert() to see how to
44  * compile WITHOUT the sanity checking code on your system.
45  *
46  * UNROLLED TRANSFORM LOOP NOTE:
47  * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
48  * loop version for the hash transform rounds (defined using macros
49  * later in this file).  Either define on the command line, for example:
50  *
51  *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
52  *
53  * or define below:
54  *
55  *   #define SHA2_UNROLL_TRANSFORM
56  *
57  */
58 
59 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
60 
61 #if _PACKAGE_ast
62 
63 #ifndef __USE_BSD
64 #define __undef__USE_BSD
65 #define __USE_BSD
66 #endif
67 #include <endian.h>
68 #ifdef	__undef__USE_BSD
69 #undef	__undef__USE_BSD
70 #undef	__USE_BSD
71 #endif
72 
73 typedef  uint8_t sha2_byte;	/* Exactly 1 byte */
74 typedef uint32_t sha2_word32;	/* Exactly 4 bytes */
75 typedef uint64_t sha2_word64;	/* Exactly 8 bytes */
76 
77 #define assert(x)
78 
79 #undef	R
80 #undef	S32
81 #undef	S64
82 
83 #else /* _PACKAGE_ast */
84 
85 /*
86  * BYTE_ORDER NOTE:
87  *
88  * Please make sure that your system defines BYTE_ORDER.  If your
89  * architecture is little-endian, make sure it also defines
90  * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
91  * equivilent.
92  *
93  * If your system does not define the above, then you can do so by
94  * hand like this:
95  *
96  *   #define LITTLE_ENDIAN 1234
97  *   #define BIG_ENDIAN    4321
98  *
99  * And for little-endian machines, add:
100  *
101  *   #define BYTE_ORDER LITTLE_ENDIAN
102  *
103  * Or for big-endian machines:
104  *
105  *   #define BYTE_ORDER BIG_ENDIAN
106  *
107  * The FreeBSD machine this was written on defines BYTE_ORDER
108  * appropriately by including <sys/types.h> (which in turn includes
109  * <machine/endian.h> where the appropriate definitions are actually
110  * made).
111  */
112 
113 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
114 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
115 #endif
116 
117 /*
118  * Define the following sha2_* types to types of the correct length on
119  * the native archtecture.   Most BSD systems and Linux define u_intXX_t
120  * types.  Machines with very recent ANSI C headers, can use the
121  * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
122  * during compile or in the sha.h header file.
123  *
124  * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
125  * will need to define these three typedefs below (and the appropriate
126  * ones in sha.h too) by hand according to their system architecture.
127  *
128  * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
129  * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
130  */
131 
132 #ifdef SHA2_USE_INTTYPES_H
133 
134 typedef uint8_t  sha2_byte;	/* Exactly 1 byte */
135 typedef uint32_t sha2_word32;	/* Exactly 4 bytes */
136 typedef uint64_t sha2_word64;	/* Exactly 8 bytes */
137 
138 #else /* SHA2_USE_INTTYPES_H */
139 
140 typedef u_int8_t  sha2_byte;	/* Exactly 1 byte */
141 typedef u_int32_t sha2_word32;	/* Exactly 4 bytes */
142 typedef u_int64_t sha2_word64;	/* Exactly 8 bytes */
143 
144 #endif /* SHA2_USE_INTTYPES_H */
145 
146 #endif /* _PACKAGE_ast */
147 
148 /*** SHA-256/384/512 Various Length Definitions ***********************/
149 
150 #define SHA256_BLOCK_LENGTH		64
151 #define SHA256_DIGEST_LENGTH		32
152 #define SHA384_BLOCK_LENGTH		128
153 #define SHA384_DIGEST_LENGTH		48
154 #define SHA512_BLOCK_LENGTH		128
155 #define SHA512_DIGEST_LENGTH		64
156 
157 #define SHA256_SHORT_BLOCK_LENGTH	(SHA256_BLOCK_LENGTH - 8)
158 #define SHA384_SHORT_BLOCK_LENGTH	(SHA384_BLOCK_LENGTH - 16)
159 #define SHA512_SHORT_BLOCK_LENGTH	(SHA512_BLOCK_LENGTH - 16)
160 
161 /*** ENDIAN REVERSAL MACROS *******************************************/
162 #if BYTE_ORDER == LITTLE_ENDIAN
163 #define REVERSE32(w,x)	{ \
164 	sha2_word32 tmp = (w); \
165 	tmp = (tmp >> 16) | (tmp << 16); \
166 	(x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
167 }
168 #if _ast_LL
169 #define REVERSE64(w,x)	{ \
170 	sha2_word64 tmp = (w); \
171 	tmp = (tmp >> 32) | (tmp << 32); \
172 	tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
173 	      ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
174 	(x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
175 	      ((tmp & 0x0000ffff0000ffffULL) << 16); \
176 }
177 #else
178 #define REVERSE64(w,x)	{ \
179 	sha2_word64 tmp = (w); \
180 	tmp = (tmp >> 32) | (tmp << 32); \
181 	tmp = ((tmp & ((sha2_word64)0xff00ff00ff00ff00)) >> 8) | \
182 	      ((tmp & ((sha2_word64)0x00ff00ff00ff00ff)) << 8); \
183 	(x) = ((tmp & ((sha2_word64)0xffff0000ffff0000)) >> 16) | \
184 	      ((tmp & ((sha2_word64)0x0000ffff0000ffff)) << 16); \
185 }
186 #endif
187 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
188 
189 /*
190  * Macro for incrementally adding the unsigned 64-bit integer n to the
191  * unsigned 128-bit integer (represented using a two-element array of
192  * 64-bit words):
193  */
194 
195 #define ADDINC128(w,n)	{ \
196 	(w)[1] += (sha2_word64)(n); \
197 	if ((w)[1] < (n)) { \
198 		(w)[0]++; \
199 	} \
200 }
201 
202 /*
203  * Macros for copying blocks of memory and for zeroing out ranges
204  * of memory.  Using these macros makes it easy to switch from
205  * using memset()/memcpy() and using bzero()/bcopy().
206  *
207  * Please define either SHA2_USE_MEMSET_MEMCPY or define
208  * SHA2_USE_BZERO_BCOPY depending on which function set you
209  * choose to use:
210  */
211 
212 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
213 /* Default to memset()/memcpy() if no option is specified */
214 #define	SHA2_USE_MEMSET_MEMCPY	1
215 #endif
216 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
217 /* Abort with an error if BOTH options are defined */
218 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
219 #endif
220 
221 #ifdef SHA2_USE_MEMSET_MEMCPY
222 #define MEMSET_BZERO(p,l)	memset((p), 0, (l))
223 #define MEMCPY_BCOPY(d,s,l)	memcpy((d), (s), (l))
224 #endif
225 #ifdef SHA2_USE_BZERO_BCOPY
226 #define MEMSET_BZERO(p,l)	bzero((p), (l))
227 #define MEMCPY_BCOPY(d,s,l)	bcopy((s), (d), (l))
228 #endif
229 
230 
231 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
232 /*
233  * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
234  *
235  *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
236  *   S is a ROTATION) because the SHA-256/384/512 description document
237  *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
238  *   same "backwards" definition.
239  */
240 
241 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
242 #define R(b,x) 		((x) >> (b))
243 /* 32-bit Rotate-right (used in SHA-256): */
244 #define S32(b,x)	(((x) >> (b)) | ((x) << (32 - (b))))
245 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
246 #define S64(b,x)	(((x) >> (b)) | ((x) << (64 - (b))))
247 
248 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
249 #define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
250 #define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
251 
252 /* Four of six logical functions used in SHA-256: */
253 #define Sigma0_256(x)	(S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
254 #define Sigma1_256(x)	(S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
255 #define sigma0_256(x)	(S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
256 #define sigma1_256(x)	(S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
257 
258 /* Four of six logical functions used in SHA-384 and SHA-512: */
259 #define Sigma0_512(x)	(S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
260 #define Sigma1_512(x)	(S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
261 #define sigma0_512(x)	(S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
262 #define sigma1_512(x)	(S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
263 
264 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
265 /* Hash constant words K for SHA-256: */
266 static const sha2_word32 K256[64] = {
267 	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
268 	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
269 	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
270 	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
271 	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
272 	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
273 	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
274 	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
275 	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
276 	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
277 	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
278 	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
279 	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
280 	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
281 	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
282 	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
283 };
284 
285 /* Initial hash value H for SHA-256: */
286 static const sha2_word32 sha256_initial_hash_value[8] = {
287 	0x6a09e667UL,
288 	0xbb67ae85UL,
289 	0x3c6ef372UL,
290 	0xa54ff53aUL,
291 	0x510e527fUL,
292 	0x9b05688cUL,
293 	0x1f83d9abUL,
294 	0x5be0cd19UL
295 };
296 
297 /* Hash constant words K for SHA-384 and SHA-512: */
298 static const sha2_word64 K512[80] = {
299 #if _ast_LL
300 	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
301 	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
302 	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
303 	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
304 	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
305 	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
306 	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
307 	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
308 	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
309 	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
310 	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
311 	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
312 	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
313 	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
314 	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
315 	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
316 	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
317 	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
318 	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
319 	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
320 	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
321 	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
322 	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
323 	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
324 	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
325 	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
326 	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
327 	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
328 	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
329 	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
330 	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
331 	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
332 	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
333 	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
334 	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
335 	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
336 	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
337 	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
338 	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
339 	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
340 #else
341 	((sha2_word64)0x428a2f98d728ae22), ((sha2_word64)0x7137449123ef65cd),
342 	((sha2_word64)0xb5c0fbcfec4d3b2f), ((sha2_word64)0xe9b5dba58189dbbc),
343 	((sha2_word64)0x3956c25bf348b538), ((sha2_word64)0x59f111f1b605d019),
344 	((sha2_word64)0x923f82a4af194f9b), ((sha2_word64)0xab1c5ed5da6d8118),
345 	((sha2_word64)0xd807aa98a3030242), ((sha2_word64)0x12835b0145706fbe),
346 	((sha2_word64)0x243185be4ee4b28c), ((sha2_word64)0x550c7dc3d5ffb4e2),
347 	((sha2_word64)0x72be5d74f27b896f), ((sha2_word64)0x80deb1fe3b1696b1),
348 	((sha2_word64)0x9bdc06a725c71235), ((sha2_word64)0xc19bf174cf692694),
349 	((sha2_word64)0xe49b69c19ef14ad2), ((sha2_word64)0xefbe4786384f25e3),
350 	((sha2_word64)0x0fc19dc68b8cd5b5), ((sha2_word64)0x240ca1cc77ac9c65),
351 	((sha2_word64)0x2de92c6f592b0275), ((sha2_word64)0x4a7484aa6ea6e483),
352 	((sha2_word64)0x5cb0a9dcbd41fbd4), ((sha2_word64)0x76f988da831153b5),
353 	((sha2_word64)0x983e5152ee66dfab), ((sha2_word64)0xa831c66d2db43210),
354 	((sha2_word64)0xb00327c898fb213f), ((sha2_word64)0xbf597fc7beef0ee4),
355 	((sha2_word64)0xc6e00bf33da88fc2), ((sha2_word64)0xd5a79147930aa725),
356 	((sha2_word64)0x06ca6351e003826f), ((sha2_word64)0x142929670a0e6e70),
357 	((sha2_word64)0x27b70a8546d22ffc), ((sha2_word64)0x2e1b21385c26c926),
358 	((sha2_word64)0x4d2c6dfc5ac42aed), ((sha2_word64)0x53380d139d95b3df),
359 	((sha2_word64)0x650a73548baf63de), ((sha2_word64)0x766a0abb3c77b2a8),
360 	((sha2_word64)0x81c2c92e47edaee6), ((sha2_word64)0x92722c851482353b),
361 	((sha2_word64)0xa2bfe8a14cf10364), ((sha2_word64)0xa81a664bbc423001),
362 	((sha2_word64)0xc24b8b70d0f89791), ((sha2_word64)0xc76c51a30654be30),
363 	((sha2_word64)0xd192e819d6ef5218), ((sha2_word64)0xd69906245565a910),
364 	((sha2_word64)0xf40e35855771202a), ((sha2_word64)0x106aa07032bbd1b8),
365 	((sha2_word64)0x19a4c116b8d2d0c8), ((sha2_word64)0x1e376c085141ab53),
366 	((sha2_word64)0x2748774cdf8eeb99), ((sha2_word64)0x34b0bcb5e19b48a8),
367 	((sha2_word64)0x391c0cb3c5c95a63), ((sha2_word64)0x4ed8aa4ae3418acb),
368 	((sha2_word64)0x5b9cca4f7763e373), ((sha2_word64)0x682e6ff3d6b2b8a3),
369 	((sha2_word64)0x748f82ee5defb2fc), ((sha2_word64)0x78a5636f43172f60),
370 	((sha2_word64)0x84c87814a1f0ab72), ((sha2_word64)0x8cc702081a6439ec),
371 	((sha2_word64)0x90befffa23631e28), ((sha2_word64)0xa4506cebde82bde9),
372 	((sha2_word64)0xbef9a3f7b2c67915), ((sha2_word64)0xc67178f2e372532b),
373 	((sha2_word64)0xca273eceea26619c), ((sha2_word64)0xd186b8c721c0c207),
374 	((sha2_word64)0xeada7dd6cde0eb1e), ((sha2_word64)0xf57d4f7fee6ed178),
375 	((sha2_word64)0x06f067aa72176fba), ((sha2_word64)0x0a637dc5a2c898a6),
376 	((sha2_word64)0x113f9804bef90dae), ((sha2_word64)0x1b710b35131c471b),
377 	((sha2_word64)0x28db77f523047d84), ((sha2_word64)0x32caab7b40c72493),
378 	((sha2_word64)0x3c9ebe0a15c9bebc), ((sha2_word64)0x431d67c49c100d4c),
379 	((sha2_word64)0x4cc5d4becb3e42b6), ((sha2_word64)0x597f299cfc657e2a),
380 	((sha2_word64)0x5fcb6fab3ad6faec), ((sha2_word64)0x6c44198c4a475817)
381 #endif
382 };
383 
384 /* Initial hash value H for SHA-384 */
385 static const sha2_word64 sha384_initial_hash_value[8] = {
386 #if _ast_LL
387 	0xcbbb9d5dc1059ed8ULL,
388 	0x629a292a367cd507ULL,
389 	0x9159015a3070dd17ULL,
390 	0x152fecd8f70e5939ULL,
391 	0x67332667ffc00b31ULL,
392 	0x8eb44a8768581511ULL,
393 	0xdb0c2e0d64f98fa7ULL,
394 	0x47b5481dbefa4fa4ULL
395 #else
396 	((sha2_word64)0xcbbb9d5dc1059ed8),
397 	((sha2_word64)0x629a292a367cd507),
398 	((sha2_word64)0x9159015a3070dd17),
399 	((sha2_word64)0x152fecd8f70e5939),
400 	((sha2_word64)0x67332667ffc00b31),
401 	((sha2_word64)0x8eb44a8768581511),
402 	((sha2_word64)0xdb0c2e0d64f98fa7),
403 	((sha2_word64)0x47b5481dbefa4fa4)
404 #endif
405 };
406 
407 /* Initial hash value H for SHA-512 */
408 static const sha2_word64 sha512_initial_hash_value[8] = {
409 #if _ast_LL
410 	0x6a09e667f3bcc908ULL,
411 	0xbb67ae8584caa73bULL,
412 	0x3c6ef372fe94f82bULL,
413 	0xa54ff53a5f1d36f1ULL,
414 	0x510e527fade682d1ULL,
415 	0x9b05688c2b3e6c1fULL,
416 	0x1f83d9abfb41bd6bULL,
417 	0x5be0cd19137e2179ULL
418 #else
419 	((sha2_word64)0x6a09e667f3bcc908),
420 	((sha2_word64)0xbb67ae8584caa73b),
421 	((sha2_word64)0x3c6ef372fe94f82b),
422 	((sha2_word64)0xa54ff53a5f1d36f1),
423 	((sha2_word64)0x510e527fade682d1),
424 	((sha2_word64)0x9b05688c2b3e6c1f),
425 	((sha2_word64)0x1f83d9abfb41bd6b),
426 	((sha2_word64)0x5be0cd19137e2179)
427 #endif
428 };
429 
430 /*** SHA-256: *********************************************************/
431 
432 #define sha256_description "FIPS SHA-256 secure hash algorithm."
433 #define sha256_options	"\
434 [+(version)?sha-256 (FIPS) 2000-01-01]\
435 [+(author)?Aaron D. Gifford]\
436 "
437 #define sha256_match	"sha256|sha-256|SHA256|SHA-256"
438 #define sha256_scale	0
439 
440 #define sha256_padding	md5_pad
441 
442 #define SHA256_CTX	Sha256_t
443 
444 typedef struct Sha256_s
445 {
446 	_SUM_PUBLIC_
447 	_SUM_PRIVATE_
448 	sha2_byte	digest[SHA256_DIGEST_LENGTH];
449 	sha2_byte	digest_sum[SHA256_DIGEST_LENGTH];
450 	sha2_word32	state[8];
451 	sha2_word64	bitcount;
452 	sha2_byte	buffer[SHA256_BLOCK_LENGTH];
453 } Sha256_t;
454 
455 #ifdef SHA2_UNROLL_TRANSFORM
456 
457 /* Unrolled SHA-256 round macros: */
458 
459 #if BYTE_ORDER == LITTLE_ENDIAN
460 
461 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)	\
462 	REVERSE32(*data++, W256[j]); \
463 	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
464              K256[j] + W256[j]; \
465 	(d) += T1; \
466 	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
467 	j++
468 
469 
470 #else /* BYTE_ORDER == LITTLE_ENDIAN */
471 
472 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)	\
473 	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
474 	     K256[j] + (W256[j] = *data++); \
475 	(d) += T1; \
476 	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
477 	j++
478 
479 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
480 
481 #define ROUND256(a,b,c,d,e,f,g,h)	\
482 	s0 = W256[(j+1)&0x0f]; \
483 	s0 = sigma0_256(s0); \
484 	s1 = W256[(j+14)&0x0f]; \
485 	s1 = sigma1_256(s1); \
486 	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
487 	     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
488 	(d) += T1; \
489 	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
490 	j++
491 
SHA256_Transform(SHA256_CTX * sha,const sha2_word32 * data)492 static void SHA256_Transform(SHA256_CTX* sha, const sha2_word32* data) {
493 	sha2_word32	a, b, c, d, e, f, g, h, s0, s1;
494 	sha2_word32	T1, *W256;
495 	int		j;
496 
497 	W256 = (sha2_word32*)sha->buffer;
498 
499 	/* Initialize registers with the prev. intermediate value */
500 	a = sha->state[0];
501 	b = sha->state[1];
502 	c = sha->state[2];
503 	d = sha->state[3];
504 	e = sha->state[4];
505 	f = sha->state[5];
506 	g = sha->state[6];
507 	h = sha->state[7];
508 
509 	j = 0;
510 	do {
511 		/* Rounds 0 to 15 (unrolled): */
512 		ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
513 		ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
514 		ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
515 		ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
516 		ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
517 		ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
518 		ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
519 		ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
520 	} while (j < 16);
521 
522 	/* Now for the remaining rounds to 64: */
523 	do {
524 		ROUND256(a,b,c,d,e,f,g,h);
525 		ROUND256(h,a,b,c,d,e,f,g);
526 		ROUND256(g,h,a,b,c,d,e,f);
527 		ROUND256(f,g,h,a,b,c,d,e);
528 		ROUND256(e,f,g,h,a,b,c,d);
529 		ROUND256(d,e,f,g,h,a,b,c);
530 		ROUND256(c,d,e,f,g,h,a,b);
531 		ROUND256(b,c,d,e,f,g,h,a);
532 	} while (j < 64);
533 
534 	/* Compute the current intermediate hash value */
535 	sha->state[0] += a;
536 	sha->state[1] += b;
537 	sha->state[2] += c;
538 	sha->state[3] += d;
539 	sha->state[4] += e;
540 	sha->state[5] += f;
541 	sha->state[6] += g;
542 	sha->state[7] += h;
543 
544 	/* Clean up */
545 	a = b = c = d = e = f = g = h = T1 = 0;
546 }
547 
548 #else /* SHA2_UNROLL_TRANSFORM */
549 
SHA256_Transform(SHA256_CTX * sha,const sha2_word32 * data)550 static void SHA256_Transform(SHA256_CTX* sha, const sha2_word32* data) {
551 	sha2_word32	a, b, c, d, e, f, g, h, s0, s1;
552 	sha2_word32	T1, T2, *W256;
553 	int		j;
554 
555 	W256 = (sha2_word32*)sha->buffer;
556 
557 	/* Initialize registers with the prev. intermediate value */
558 	a = sha->state[0];
559 	b = sha->state[1];
560 	c = sha->state[2];
561 	d = sha->state[3];
562 	e = sha->state[4];
563 	f = sha->state[5];
564 	g = sha->state[6];
565 	h = sha->state[7];
566 
567 	j = 0;
568 	do {
569 #if BYTE_ORDER == LITTLE_ENDIAN
570 		/* Copy data while converting to host byte order */
571 		REVERSE32(*data++,W256[j]);
572 		/* Apply the SHA-256 compression function to update a..h */
573 		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
574 #else /* BYTE_ORDER == LITTLE_ENDIAN */
575 		/* Apply the SHA-256 compression function to update a..h with copy */
576 		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
577 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
578 		T2 = Sigma0_256(a) + Maj(a, b, c);
579 		h = g;
580 		g = f;
581 		f = e;
582 		e = d + T1;
583 		d = c;
584 		c = b;
585 		b = a;
586 		a = T1 + T2;
587 
588 		j++;
589 	} while (j < 16);
590 
591 	do {
592 		/* Part of the message block expansion: */
593 		s0 = W256[(j+1)&0x0f];
594 		s0 = sigma0_256(s0);
595 		s1 = W256[(j+14)&0x0f];
596 		s1 = sigma1_256(s1);
597 
598 		/* Apply the SHA-256 compression function to update a..h */
599 		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
600 		     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
601 		T2 = Sigma0_256(a) + Maj(a, b, c);
602 		h = g;
603 		g = f;
604 		f = e;
605 		e = d + T1;
606 		d = c;
607 		c = b;
608 		b = a;
609 		a = T1 + T2;
610 
611 		j++;
612 	} while (j < 64);
613 
614 	/* Compute the current intermediate hash value */
615 	sha->state[0] += a;
616 	sha->state[1] += b;
617 	sha->state[2] += c;
618 	sha->state[3] += d;
619 	sha->state[4] += e;
620 	sha->state[5] += f;
621 	sha->state[6] += g;
622 	sha->state[7] += h;
623 
624 	/* Clean up */
625 	a = b = c = d = e = f = g = h = T1 = T2 = 0;
626 }
627 
628 #endif /* SHA2_UNROLL_TRANSFORM */
629 
630 static int
sha256_block(register Sum_t * p,const void * s,size_t len)631 sha256_block(register Sum_t* p, const void* s, size_t len)
632 {
633 	Sha256_t*	sha = (Sha256_t*)p;
634 	sha2_byte*	data = (sha2_byte*)s;
635 	unsigned int	freespace, usedspace;
636 
637 	if (!len)
638 		return 0;
639 	usedspace = (sha->bitcount >> 3) % SHA256_BLOCK_LENGTH;
640 	if (usedspace > 0) {
641 		/* Calculate how much free space is available in the buffer */
642 		freespace = SHA256_BLOCK_LENGTH - usedspace;
643 
644 		if (len >= freespace) {
645 			/* Fill the buffer completely and process it */
646 			MEMCPY_BCOPY(&sha->buffer[usedspace], data, freespace);
647 			sha->bitcount += freespace << 3;
648 			len -= freespace;
649 			data += freespace;
650 			SHA256_Transform(sha, (sha2_word32*)sha->buffer);
651 		} else {
652 			/* The buffer is not yet full */
653 			MEMCPY_BCOPY(&sha->buffer[usedspace], data, len);
654 			sha->bitcount += len << 3;
655 			/* Clean up: */
656 			usedspace = freespace = 0;
657 			return 0;
658 		}
659 	}
660 	while (len >= SHA256_BLOCK_LENGTH) {
661 		/* Process as many complete blocks as we can */
662 		SHA256_Transform(sha, (sha2_word32*)data);
663 		sha->bitcount += SHA256_BLOCK_LENGTH << 3;
664 		len -= SHA256_BLOCK_LENGTH;
665 		data += SHA256_BLOCK_LENGTH;
666 	}
667 	if (len > 0) {
668 		/* There's left-overs, so save 'em */
669 		MEMCPY_BCOPY(sha->buffer, data, len);
670 		sha->bitcount += len << 3;
671 	}
672 	/* Clean up: */
673 	usedspace = freespace = 0;
674 
675 	return 0;
676 }
677 
678 static int
sha256_init(Sum_t * p)679 sha256_init(Sum_t* p)
680 {
681 	register Sha256_t*	sha = (Sha256_t*)p;
682 
683 	MEMCPY_BCOPY(sha->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
684 	MEMSET_BZERO(sha->buffer, SHA256_BLOCK_LENGTH);
685 	sha->bitcount = 0;
686 
687 	return 0;
688 }
689 
690 static Sum_t*
sha256_open(const Method_t * method,const char * name)691 sha256_open(const Method_t* method, const char* name)
692 {
693 	Sha256_t*	sha;
694 
695 	if (sha = newof(0, Sha256_t, 1, 0))
696 	{
697 		sha->method = (Method_t*)method;
698 		sha->name = name;
699 		sha256_init((Sum_t*)sha);
700 	}
701 	return (Sum_t*)sha;
702 }
703 
704 static int
sha256_done(Sum_t * p)705 sha256_done(Sum_t* p)
706 {
707 	Sha256_t*	sha = (Sha256_t*)p;
708 	unsigned int	usedspace;
709 	register int	i;
710 
711 	/* Sanity check: */
712 	assert(sha != (SHA256_CTX*)0);
713 
714 	usedspace = (sha->bitcount >> 3) % SHA256_BLOCK_LENGTH;
715 #if BYTE_ORDER == LITTLE_ENDIAN
716 	/* Convert FROM host byte order */
717 	REVERSE64(sha->bitcount,sha->bitcount);
718 #endif
719 	if (usedspace > 0) {
720 		/* Begin padding with a 1 bit: */
721 		sha->buffer[usedspace++] = 0x80;
722 
723 		if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
724 			/* Set-up for the last transform: */
725 			MEMSET_BZERO(&sha->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
726 		} else {
727 			if (usedspace < SHA256_BLOCK_LENGTH) {
728 				MEMSET_BZERO(&sha->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
729 			}
730 			/* Do second-to-last transform: */
731 			SHA256_Transform(sha, (sha2_word32*)sha->buffer);
732 
733 			/* And set-up for the last transform: */
734 			MEMSET_BZERO(sha->buffer, SHA256_SHORT_BLOCK_LENGTH);
735 		}
736 	} else {
737 		/* Set-up for the last transform: */
738 		MEMSET_BZERO(sha->buffer, SHA256_SHORT_BLOCK_LENGTH);
739 
740 		/* Begin padding with a 1 bit: */
741 		*sha->buffer = 0x80;
742 	}
743 	/* Store the length of input data (in bits): */
744 	MEMCPY_BCOPY(&sha->buffer[SHA256_SHORT_BLOCK_LENGTH], &sha->bitcount, 8);
745 
746 	/* Final transform: */
747 	SHA256_Transform(sha, (sha2_word32*)sha->buffer);
748 
749 #if BYTE_ORDER == LITTLE_ENDIAN
750 	{
751 		/* Convert TO host byte order */
752 		int		j;
753 		sha2_word32*	d = (sha2_word32*)sha->digest;
754 		for (j = 0; j < 8; j++) {
755 			REVERSE32(sha->state[j],sha->state[j]);
756 			*d++ = sha->state[j];
757 		}
758 	}
759 #else
760 	MEMCPY_BCOPY(sha->digest, sha->state, SHA256_DIGEST_LENGTH);
761 #endif
762 
763 	/* accumulate the digests */
764 	for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
765 		sha->digest_sum[i] ^= sha->digest[i];
766 
767 	/* Clean up state data: */
768 	MEMSET_BZERO(&sha->state, sizeof(*sha) - offsetof(Sha256_t, state));
769 	usedspace = 0;
770 
771 	return 0;
772 }
773 
774 static int
sha256_print(Sum_t * p,Sfio_t * sp,register int flags,size_t scale)775 sha256_print(Sum_t* p, Sfio_t* sp, register int flags, size_t scale)
776 {
777 	register Sha256_t*	sha = (Sha256_t*)p;
778 	register sha2_byte*	d;
779 	register sha2_byte*	e;
780 
781 	d = (flags & SUM_TOTAL) ? sha->digest_sum : sha->digest;
782 	e = d + SHA256_DIGEST_LENGTH;
783 	while (d < e)
784 		sfprintf(sp, "%02x", *d++);
785 	return 0;
786 }
787 
788 static int
sha256_data(Sum_t * p,Sumdata_t * data)789 sha256_data(Sum_t* p, Sumdata_t* data)
790 {
791 	register Sha256_t*	sha = (Sha256_t*)p;
792 
793 	data->size = SHA256_DIGEST_LENGTH;
794 	data->num = 0;
795 	data->buf = sha->digest;
796 	return 0;
797 }
798 
799 /*** SHA-512: *********************************************************/
800 
801 #define sha512_description "FIPS SHA-512 secure hash algorithm."
802 #define sha512_options	"\
803 [+(version)?sha-512 (FIPS) 2000-01-01]\
804 [+(author)?Aaron D. Gifford]\
805 "
806 #define sha512_match	"sha512|sha-512|SHA512|SHA-512"
807 #define sha512_scale	0
808 
809 #define sha512_padding	md5_pad
810 
811 #define SHA512_CTX	Sha512_t
812 
813 typedef struct Sha512_s
814 {
815 	_SUM_PUBLIC_
816 	_SUM_PRIVATE_
817 	sha2_byte	digest[SHA512_DIGEST_LENGTH];
818 	sha2_byte	digest_sum[SHA512_DIGEST_LENGTH];
819 	sha2_word64	state[8];
820 	sha2_word64	bitcount[2];
821 	sha2_byte	buffer[SHA512_BLOCK_LENGTH];
822 } Sha512_t;
823 
824 #ifdef SHA2_UNROLL_TRANSFORM
825 
826 /* Unrolled SHA-512 round macros: */
827 #if BYTE_ORDER == LITTLE_ENDIAN
828 
829 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
830 	REVERSE64(*data++, W512[j]); \
831 	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
832              K512[j] + W512[j]; \
833 	(d) += T1, \
834 	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
835 	j++
836 
837 
838 #else /* BYTE_ORDER == LITTLE_ENDIAN */
839 
840 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
841 	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
842              K512[j] + (W512[j] = *data++); \
843 	(d) += T1; \
844 	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
845 	j++
846 
847 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
848 
849 #define ROUND512(a,b,c,d,e,f,g,h)	\
850 	s0 = W512[(j+1)&0x0f]; \
851 	s0 = sigma0_512(s0); \
852 	s1 = W512[(j+14)&0x0f]; \
853 	s1 = sigma1_512(s1); \
854 	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
855              (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
856 	(d) += T1; \
857 	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
858 	j++
859 
SHA512_Transform(SHA512_CTX * sha,const sha2_word64 * data)860 static void SHA512_Transform(SHA512_CTX* sha, const sha2_word64* data) {
861 	sha2_word64	a, b, c, d, e, f, g, h, s0, s1;
862 	sha2_word64	T1, *W512 = (sha2_word64*)sha->buffer;
863 	int		j;
864 
865 	/* Initialize registers with the prev. intermediate value */
866 	a = sha->state[0];
867 	b = sha->state[1];
868 	c = sha->state[2];
869 	d = sha->state[3];
870 	e = sha->state[4];
871 	f = sha->state[5];
872 	g = sha->state[6];
873 	h = sha->state[7];
874 
875 	j = 0;
876 	do {
877 		ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
878 		ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
879 		ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
880 		ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
881 		ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
882 		ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
883 		ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
884 		ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
885 	} while (j < 16);
886 
887 	/* Now for the remaining rounds up to 79: */
888 	do {
889 		ROUND512(a,b,c,d,e,f,g,h);
890 		ROUND512(h,a,b,c,d,e,f,g);
891 		ROUND512(g,h,a,b,c,d,e,f);
892 		ROUND512(f,g,h,a,b,c,d,e);
893 		ROUND512(e,f,g,h,a,b,c,d);
894 		ROUND512(d,e,f,g,h,a,b,c);
895 		ROUND512(c,d,e,f,g,h,a,b);
896 		ROUND512(b,c,d,e,f,g,h,a);
897 	} while (j < 80);
898 
899 	/* Compute the current intermediate hash value */
900 	sha->state[0] += a;
901 	sha->state[1] += b;
902 	sha->state[2] += c;
903 	sha->state[3] += d;
904 	sha->state[4] += e;
905 	sha->state[5] += f;
906 	sha->state[6] += g;
907 	sha->state[7] += h;
908 
909 	/* Clean up */
910 	a = b = c = d = e = f = g = h = T1 = 0;
911 }
912 
913 #else /* SHA2_UNROLL_TRANSFORM */
914 
SHA512_Transform(SHA512_CTX * sha,const sha2_word64 * data)915 static void SHA512_Transform(SHA512_CTX* sha, const sha2_word64* data) {
916 	sha2_word64	a, b, c, d, e, f, g, h, s0, s1;
917 	sha2_word64	T1, T2, *W512 = (sha2_word64*)sha->buffer;
918 	int		j;
919 
920 	/* Initialize registers with the prev. intermediate value */
921 	a = sha->state[0];
922 	b = sha->state[1];
923 	c = sha->state[2];
924 	d = sha->state[3];
925 	e = sha->state[4];
926 	f = sha->state[5];
927 	g = sha->state[6];
928 	h = sha->state[7];
929 
930 	j = 0;
931 	do {
932 #if BYTE_ORDER == LITTLE_ENDIAN
933 		/* Convert TO host byte order */
934 		REVERSE64(*data++, W512[j]);
935 		/* Apply the SHA-512 compression function to update a..h */
936 		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
937 #else /* BYTE_ORDER == LITTLE_ENDIAN */
938 		/* Apply the SHA-512 compression function to update a..h with copy */
939 		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
940 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
941 		T2 = Sigma0_512(a) + Maj(a, b, c);
942 		h = g;
943 		g = f;
944 		f = e;
945 		e = d + T1;
946 		d = c;
947 		c = b;
948 		b = a;
949 		a = T1 + T2;
950 
951 		j++;
952 	} while (j < 16);
953 
954 	do {
955 		/* Part of the message block expansion: */
956 		s0 = W512[(j+1)&0x0f];
957 		s0 = sigma0_512(s0);
958 		s1 = W512[(j+14)&0x0f];
959 		s1 =  sigma1_512(s1);
960 
961 		/* Apply the SHA-512 compression function to update a..h */
962 		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
963 		     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
964 		T2 = Sigma0_512(a) + Maj(a, b, c);
965 		h = g;
966 		g = f;
967 		f = e;
968 		e = d + T1;
969 		d = c;
970 		c = b;
971 		b = a;
972 		a = T1 + T2;
973 
974 		j++;
975 	} while (j < 80);
976 
977 	/* Compute the current intermediate hash value */
978 	sha->state[0] += a;
979 	sha->state[1] += b;
980 	sha->state[2] += c;
981 	sha->state[3] += d;
982 	sha->state[4] += e;
983 	sha->state[5] += f;
984 	sha->state[6] += g;
985 	sha->state[7] += h;
986 
987 	/* Clean up */
988 	a = b = c = d = e = f = g = h = T1 = T2 = 0;
989 }
990 
991 #endif /* SHA2_UNROLL_TRANSFORM */
992 
993 static int
sha512_block(register Sum_t * p,const void * s,size_t len)994 sha512_block(register Sum_t* p, const void* s, size_t len)
995 {
996 	Sha512_t*	sha = (Sha512_t*)p;
997 	sha2_byte*	data = (sha2_byte*)s;
998 	unsigned int	freespace, usedspace;
999 
1000 	if (!len)
1001 		return 0;
1002 	usedspace = (sha->bitcount[1] >> 3) % SHA512_BLOCK_LENGTH;
1003 	if (usedspace > 0) {
1004 		/* Calculate how much free space is available in the buffer */
1005 		freespace = SHA512_BLOCK_LENGTH - usedspace;
1006 
1007 		if (len >= freespace) {
1008 			/* Fill the buffer completely and process it */
1009 			MEMCPY_BCOPY(&sha->buffer[usedspace], data, freespace);
1010 			ADDINC128(sha->bitcount, freespace << 3);
1011 			len -= freespace;
1012 			data += freespace;
1013 			SHA512_Transform(sha, (sha2_word64*)sha->buffer);
1014 		} else {
1015 			/* The buffer is not yet full */
1016 			MEMCPY_BCOPY(&sha->buffer[usedspace], data, len);
1017 			ADDINC128(sha->bitcount, len << 3);
1018 			/* Clean up: */
1019 			usedspace = freespace = 0;
1020 			return 0;
1021 		}
1022 	}
1023 	while (len >= SHA512_BLOCK_LENGTH) {
1024 		/* Process as many complete blocks as we can */
1025 		SHA512_Transform(sha, (sha2_word64*)data);
1026 		ADDINC128(sha->bitcount, SHA512_BLOCK_LENGTH << 3);
1027 		len -= SHA512_BLOCK_LENGTH;
1028 		data += SHA512_BLOCK_LENGTH;
1029 	}
1030 	if (len > 0) {
1031 		/* There's left-overs, so save 'em */
1032 		MEMCPY_BCOPY(sha->buffer, data, len);
1033 		ADDINC128(sha->bitcount, len << 3);
1034 	}
1035 	/* Clean up: */
1036 	usedspace = freespace = 0;
1037 
1038 	return 0;
1039 }
1040 
1041 static int
sha512_init(Sum_t * p)1042 sha512_init(Sum_t* p)
1043 {
1044 	register Sha512_t*	sha = (Sha512_t*)p;
1045 
1046 	MEMCPY_BCOPY(sha->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
1047 	MEMSET_BZERO(sha->buffer, SHA512_BLOCK_LENGTH);
1048 	sha->bitcount[0] = sha->bitcount[1] =  0;
1049 
1050 	return 0;
1051 }
1052 
1053 static Sum_t*
sha512_open(const Method_t * method,const char * name)1054 sha512_open(const Method_t* method, const char* name)
1055 {
1056 	Sha512_t*	sha;
1057 
1058 	if (sha = newof(0, Sha512_t, 1, 0))
1059 	{
1060 		sha->method = (Method_t*)method;
1061 		sha->name = name;
1062 		sha512_init((Sum_t*)sha);
1063 	}
1064 	return (Sum_t*)sha;
1065 }
1066 
1067 static int
sha512_done(Sum_t * p)1068 sha512_done(Sum_t* p)
1069 {
1070 	Sha512_t*	sha = (Sha512_t*)p;
1071 	unsigned int	usedspace;
1072 	register int	i;
1073 
1074 	usedspace = (sha->bitcount[1] >> 3) % SHA512_BLOCK_LENGTH;
1075 #if BYTE_ORDER == LITTLE_ENDIAN
1076 	/* Convert FROM host byte order */
1077 	REVERSE64(sha->bitcount[0],sha->bitcount[0]);
1078 	REVERSE64(sha->bitcount[1],sha->bitcount[1]);
1079 #endif
1080 	if (usedspace > 0) {
1081 		/* Begin padding with a 1 bit: */
1082 		sha->buffer[usedspace++] = 0x80;
1083 
1084 		if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
1085 			/* Set-up for the last transform: */
1086 			MEMSET_BZERO(&sha->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
1087 		} else {
1088 			if (usedspace < SHA512_BLOCK_LENGTH) {
1089 				MEMSET_BZERO(&sha->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
1090 			}
1091 			/* Do second-to-last transform: */
1092 			SHA512_Transform(sha, (sha2_word64*)sha->buffer);
1093 
1094 			/* And set-up for the last transform: */
1095 			MEMSET_BZERO(sha->buffer, SHA512_BLOCK_LENGTH - 2);
1096 		}
1097 	} else {
1098 		/* Prepare for final transform: */
1099 		MEMSET_BZERO(sha->buffer, SHA512_SHORT_BLOCK_LENGTH);
1100 
1101 		/* Begin padding with a 1 bit: */
1102 		*sha->buffer = 0x80;
1103 	}
1104 	/* Store the length of input data (in bits): */
1105 	MEMCPY_BCOPY(&sha->buffer[SHA512_SHORT_BLOCK_LENGTH], &sha->bitcount[0], 16);
1106 
1107 	/* Final transform: */
1108 	SHA512_Transform(sha, (sha2_word64*)sha->buffer);
1109 
1110 #if BYTE_ORDER == LITTLE_ENDIAN
1111 	{
1112 		/* Convert TO host byte order */
1113 		sha2_word64*	d = (sha2_word64*)sha->digest;
1114 		int		j;
1115 		for (j = 0; j < 8; j++) {
1116 			REVERSE64(sha->state[j],sha->state[j]);
1117 			*d++ = sha->state[j];
1118 		}
1119 	}
1120 #else
1121 	MEMCPY_BCOPY(sha->digest, sha->state, SHA512_DIGEST_LENGTH);
1122 #endif
1123 
1124 	/* accumulate the digests */
1125 	for (i = 0; i < SHA512_DIGEST_LENGTH; i++)
1126 		sha->digest_sum[i] ^= sha->digest[i];
1127 
1128 	/* Clean up state data: */
1129 	MEMSET_BZERO(&sha->state, sizeof(*sha) - offsetof(Sha512_t, state));
1130 	usedspace = 0;
1131 
1132 	return 0;
1133 }
1134 
1135 static int
sha512_print(Sum_t * p,Sfio_t * sp,register int flags,size_t scale)1136 sha512_print(Sum_t* p, Sfio_t* sp, register int flags, size_t scale)
1137 {
1138 	register Sha512_t*	sha = (Sha512_t*)p;
1139 	register sha2_byte*	d;
1140 	register sha2_byte*	e;
1141 
1142 	d = (flags & SUM_TOTAL) ? sha->digest_sum : sha->digest;
1143 	e = d + SHA512_DIGEST_LENGTH;
1144 	while (d < e)
1145 		sfprintf(sp, "%02x", *d++);
1146 	return 0;
1147 }
1148 
1149 static int
sha512_data(Sum_t * p,Sumdata_t * data)1150 sha512_data(Sum_t* p, Sumdata_t* data)
1151 {
1152 	register Sha512_t*	sha = (Sha512_t*)p;
1153 
1154 	data->size = SHA512_DIGEST_LENGTH;
1155 	data->num = 0;
1156 	data->buf = sha->digest;
1157 	return 0;
1158 }
1159 
1160 /*** SHA-384: *********************************************************/
1161 
1162 #define sha384_description "FIPS SHA-384 secure hash algorithm."
1163 #define sha384_options	"\
1164 [+(version)?sha-384 (FIPS) 2000-01-01]\
1165 [+(author)?Aaron D. Gifford]\
1166 "
1167 #define sha384_match	"sha384|sha-384|SHA384|SHA-384"
1168 #define sha384_scale	0
1169 #define sha384_block	sha512_block
1170 #define sha384_done	sha512_done
1171 
1172 #define sha384_padding	md5_pad
1173 
1174 #define Sha384_t		Sha512_t
1175 #define SHA384_CTX		Sha384_t
1176 #define SHA384_DIGEST_LENGTH	48
1177 
1178 static int
sha384_init(Sum_t * p)1179 sha384_init(Sum_t* p)
1180 {
1181 	register Sha384_t*	sha = (Sha384_t*)p;
1182 
1183 	MEMCPY_BCOPY(sha->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH);
1184 	MEMSET_BZERO(sha->buffer, SHA384_BLOCK_LENGTH);
1185 	sha->bitcount[0] = sha->bitcount[1] = 0;
1186 
1187 	return 0;
1188 }
1189 
1190 static Sum_t*
sha384_open(const Method_t * method,const char * name)1191 sha384_open(const Method_t* method, const char* name)
1192 {
1193 	Sha384_t*	sha;
1194 
1195 	if (sha = newof(0, Sha384_t, 1, 0))
1196 	{
1197 		sha->method = (Method_t*)method;
1198 		sha->name = name;
1199 		sha384_init((Sum_t*)sha);
1200 	}
1201 	return (Sum_t*)sha;
1202 }
1203 
1204 static int
sha384_print(Sum_t * p,Sfio_t * sp,register int flags,size_t scale)1205 sha384_print(Sum_t* p, Sfio_t* sp, register int flags, size_t scale)
1206 {
1207 	register Sha384_t*	sha = (Sha384_t*)p;
1208 	register sha2_byte*	d;
1209 	register sha2_byte*	e;
1210 
1211 	d = (flags & SUM_TOTAL) ? sha->digest_sum : sha->digest;
1212 	e = d + SHA384_DIGEST_LENGTH;
1213 	while (d < e)
1214 		sfprintf(sp, "%02x", *d++);
1215 	return 0;
1216 }
1217 
1218 static int
sha384_data(Sum_t * p,Sumdata_t * data)1219 sha384_data(Sum_t* p, Sumdata_t* data)
1220 {
1221 	register Sha384_t*	sha = (Sha384_t*)p;
1222 
1223 	data->size = SHA384_DIGEST_LENGTH;
1224 	data->num = 0;
1225 	data->buf = sha->digest;
1226 	return 0;
1227 }
1228 
1229 #endif /* _typ_int64_t */
1230