1 /* $OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp */ 2 3 /* 4 * FILE: sha2.c 5 * AUTHOR: Aaron D. Gifford <me@aarongifford.com> 6 * 7 * Copyright (c) 2000-2001, Aaron D. Gifford 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the copyright holder nor the names of contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ 35 */ 36 37 /* OPENBSD ORIGINAL: lib/libc/hash/sha2.c */ 38 39 #include "includes.h" 40 41 #ifdef WITH_OPENSSL 42 # include <openssl/opensslv.h> 43 # if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) 44 # define _NEED_SHA2 1 45 # endif 46 #else 47 # define _NEED_SHA2 1 48 #endif 49 50 #if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) 51 52 #include <string.h> 53 54 /* 55 * UNROLLED TRANSFORM LOOP NOTE: 56 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform 57 * loop version for the hash transform rounds (defined using macros 58 * later in this file). Either define on the command line, for example: 59 * 60 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c 61 * 62 * or define below: 63 * 64 * #define SHA2_UNROLL_TRANSFORM 65 * 66 */ 67 68 /*** SHA-256/384/512 Machine Architecture Definitions *****************/ 69 /* 70 * BYTE_ORDER NOTE: 71 * 72 * Please make sure that your system defines BYTE_ORDER. If your 73 * architecture is little-endian, make sure it also defines 74 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are 75 * equivalent. 76 * 77 * If your system does not define the above, then you can do so by 78 * hand like this: 79 * 80 * #define LITTLE_ENDIAN 1234 81 * #define BIG_ENDIAN 4321 82 * 83 * And for little-endian machines, add: 84 * 85 * #define BYTE_ORDER LITTLE_ENDIAN 86 * 87 * Or for big-endian machines: 88 * 89 * #define BYTE_ORDER BIG_ENDIAN 90 * 91 * The FreeBSD machine this was written on defines BYTE_ORDER 92 * appropriately by including <sys/types.h> (which in turn includes 93 * <machine/endian.h> where the appropriate definitions are actually 94 * made). 95 */ 96 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) 97 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN 98 #endif 99 100 101 /*** SHA-256/384/512 Various Length Definitions ***********************/ 102 /* NOTE: Most of these are in sha2.h */ 103 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 104 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 105 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 106 107 /*** ENDIAN SPECIFIC COPY MACROS **************************************/ 108 #define BE_8_TO_32(dst, cp) do { \ 109 (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) | \ 110 ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24); \ 111 } while(0) 112 113 #define BE_8_TO_64(dst, cp) do { \ 114 (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) | \ 115 ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) | \ 116 ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) | \ 117 ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56); \ 118 } while (0) 119 120 #define BE_64_TO_8(cp, src) do { \ 121 (cp)[0] = (src) >> 56; \ 122 (cp)[1] = (src) >> 48; \ 123 (cp)[2] = (src) >> 40; \ 124 (cp)[3] = (src) >> 32; \ 125 (cp)[4] = (src) >> 24; \ 126 (cp)[5] = (src) >> 16; \ 127 (cp)[6] = (src) >> 8; \ 128 (cp)[7] = (src); \ 129 } while (0) 130 131 #define BE_32_TO_8(cp, src) do { \ 132 (cp)[0] = (src) >> 24; \ 133 (cp)[1] = (src) >> 16; \ 134 (cp)[2] = (src) >> 8; \ 135 (cp)[3] = (src); \ 136 } while (0) 137 138 /* 139 * Macro for incrementally adding the unsigned 64-bit integer n to the 140 * unsigned 128-bit integer (represented using a two-element array of 141 * 64-bit words): 142 */ 143 #define ADDINC128(w,n) do { \ 144 (w)[0] += (u_int64_t)(n); \ 145 if ((w)[0] < (n)) { \ 146 (w)[1]++; \ 147 } \ 148 } while (0) 149 150 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 151 /* 152 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 153 * 154 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 155 * S is a ROTATION) because the SHA-256/384/512 description document 156 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 157 * same "backwards" definition. 158 */ 159 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 160 #define R(b,x) ((x) >> (b)) 161 /* 32-bit Rotate-right (used in SHA-256): */ 162 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 163 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 164 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 165 166 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 167 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 168 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 169 170 /* Four of six logical functions used in SHA-256: */ 171 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 172 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 173 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 174 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 175 176 /* Four of six logical functions used in SHA-384 and SHA-512: */ 177 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 178 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 179 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 180 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 181 182 183 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 184 /* Hash constant words K for SHA-256: */ 185 const static u_int32_t K256[64] = { 186 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 187 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 188 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 189 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 190 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 191 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 192 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 193 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 194 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 195 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 196 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 197 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 198 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 199 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 200 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 201 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 202 }; 203 204 /* Initial hash value H for SHA-256: */ 205 const static u_int32_t sha256_initial_hash_value[8] = { 206 0x6a09e667UL, 207 0xbb67ae85UL, 208 0x3c6ef372UL, 209 0xa54ff53aUL, 210 0x510e527fUL, 211 0x9b05688cUL, 212 0x1f83d9abUL, 213 0x5be0cd19UL 214 }; 215 216 /* Hash constant words K for SHA-384 and SHA-512: */ 217 const static u_int64_t K512[80] = { 218 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 219 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 220 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 221 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 222 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 223 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 224 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 225 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 226 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 227 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 228 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 229 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 230 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 231 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 232 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 233 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 234 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 235 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 236 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 237 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 238 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 239 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 240 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 241 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 242 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 243 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 244 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 245 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 246 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 247 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 248 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 249 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 250 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 251 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 252 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 253 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 254 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 255 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 256 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 257 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 258 }; 259 260 /* Initial hash value H for SHA-384 */ 261 const static u_int64_t sha384_initial_hash_value[8] = { 262 0xcbbb9d5dc1059ed8ULL, 263 0x629a292a367cd507ULL, 264 0x9159015a3070dd17ULL, 265 0x152fecd8f70e5939ULL, 266 0x67332667ffc00b31ULL, 267 0x8eb44a8768581511ULL, 268 0xdb0c2e0d64f98fa7ULL, 269 0x47b5481dbefa4fa4ULL 270 }; 271 272 /* Initial hash value H for SHA-512 */ 273 const static u_int64_t sha512_initial_hash_value[8] = { 274 0x6a09e667f3bcc908ULL, 275 0xbb67ae8584caa73bULL, 276 0x3c6ef372fe94f82bULL, 277 0xa54ff53a5f1d36f1ULL, 278 0x510e527fade682d1ULL, 279 0x9b05688c2b3e6c1fULL, 280 0x1f83d9abfb41bd6bULL, 281 0x5be0cd19137e2179ULL 282 }; 283 284 285 /*** SHA-256: *********************************************************/ 286 void 287 SHA256_Init(SHA256_CTX *context) 288 { 289 if (context == NULL) 290 return; 291 memcpy(context->state, sha256_initial_hash_value, 292 sizeof(sha256_initial_hash_value)); 293 memset(context->buffer, 0, sizeof(context->buffer)); 294 context->bitcount = 0; 295 } 296 297 #ifdef SHA2_UNROLL_TRANSFORM 298 299 /* Unrolled SHA-256 round macros: */ 300 301 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \ 302 BE_8_TO_32(W256[j], data); \ 303 data += 4; \ 304 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \ 305 (d) += T1; \ 306 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ 307 j++; \ 308 } while(0) 309 310 #define ROUND256(a,b,c,d,e,f,g,h) do { \ 311 s0 = W256[(j+1)&0x0f]; \ 312 s0 = sigma0_256(s0); \ 313 s1 = W256[(j+14)&0x0f]; \ 314 s1 = sigma1_256(s1); \ 315 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \ 316 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 317 (d) += T1; \ 318 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ 319 j++; \ 320 } while(0) 321 322 void 323 SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) 324 { 325 u_int32_t a, b, c, d, e, f, g, h, s0, s1; 326 u_int32_t T1, W256[16]; 327 int j; 328 329 /* Initialize registers with the prev. intermediate value */ 330 a = state[0]; 331 b = state[1]; 332 c = state[2]; 333 d = state[3]; 334 e = state[4]; 335 f = state[5]; 336 g = state[6]; 337 h = state[7]; 338 339 j = 0; 340 do { 341 /* Rounds 0 to 15 (unrolled): */ 342 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 343 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 344 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 345 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 346 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 347 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 348 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 349 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 350 } while (j < 16); 351 352 /* Now for the remaining rounds up to 63: */ 353 do { 354 ROUND256(a,b,c,d,e,f,g,h); 355 ROUND256(h,a,b,c,d,e,f,g); 356 ROUND256(g,h,a,b,c,d,e,f); 357 ROUND256(f,g,h,a,b,c,d,e); 358 ROUND256(e,f,g,h,a,b,c,d); 359 ROUND256(d,e,f,g,h,a,b,c); 360 ROUND256(c,d,e,f,g,h,a,b); 361 ROUND256(b,c,d,e,f,g,h,a); 362 } while (j < 64); 363 364 /* Compute the current intermediate hash value */ 365 state[0] += a; 366 state[1] += b; 367 state[2] += c; 368 state[3] += d; 369 state[4] += e; 370 state[5] += f; 371 state[6] += g; 372 state[7] += h; 373 374 /* Clean up */ 375 a = b = c = d = e = f = g = h = T1 = 0; 376 } 377 378 #else /* SHA2_UNROLL_TRANSFORM */ 379 380 void 381 SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) 382 { 383 u_int32_t a, b, c, d, e, f, g, h, s0, s1; 384 u_int32_t T1, T2, W256[16]; 385 int j; 386 387 /* Initialize registers with the prev. intermediate value */ 388 a = state[0]; 389 b = state[1]; 390 c = state[2]; 391 d = state[3]; 392 e = state[4]; 393 f = state[5]; 394 g = state[6]; 395 h = state[7]; 396 397 j = 0; 398 do { 399 BE_8_TO_32(W256[j], data); 400 data += 4; 401 /* Apply the SHA-256 compression function to update a..h */ 402 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 403 T2 = Sigma0_256(a) + Maj(a, b, c); 404 h = g; 405 g = f; 406 f = e; 407 e = d + T1; 408 d = c; 409 c = b; 410 b = a; 411 a = T1 + T2; 412 413 j++; 414 } while (j < 16); 415 416 do { 417 /* Part of the message block expansion: */ 418 s0 = W256[(j+1)&0x0f]; 419 s0 = sigma0_256(s0); 420 s1 = W256[(j+14)&0x0f]; 421 s1 = sigma1_256(s1); 422 423 /* Apply the SHA-256 compression function to update a..h */ 424 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 425 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 426 T2 = Sigma0_256(a) + Maj(a, b, c); 427 h = g; 428 g = f; 429 f = e; 430 e = d + T1; 431 d = c; 432 c = b; 433 b = a; 434 a = T1 + T2; 435 436 j++; 437 } while (j < 64); 438 439 /* Compute the current intermediate hash value */ 440 state[0] += a; 441 state[1] += b; 442 state[2] += c; 443 state[3] += d; 444 state[4] += e; 445 state[5] += f; 446 state[6] += g; 447 state[7] += h; 448 449 /* Clean up */ 450 a = b = c = d = e = f = g = h = T1 = T2 = 0; 451 } 452 453 #endif /* SHA2_UNROLL_TRANSFORM */ 454 455 void 456 SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len) 457 { 458 size_t freespace, usedspace; 459 460 /* Calling with no data is valid (we do nothing) */ 461 if (len == 0) 462 return; 463 464 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; 465 if (usedspace > 0) { 466 /* Calculate how much free space is available in the buffer */ 467 freespace = SHA256_BLOCK_LENGTH - usedspace; 468 469 if (len >= freespace) { 470 /* Fill the buffer completely and process it */ 471 memcpy(&context->buffer[usedspace], data, freespace); 472 context->bitcount += freespace << 3; 473 len -= freespace; 474 data += freespace; 475 SHA256_Transform(context->state, context->buffer); 476 } else { 477 /* The buffer is not yet full */ 478 memcpy(&context->buffer[usedspace], data, len); 479 context->bitcount += len << 3; 480 /* Clean up: */ 481 usedspace = freespace = 0; 482 return; 483 } 484 } 485 while (len >= SHA256_BLOCK_LENGTH) { 486 /* Process as many complete blocks as we can */ 487 SHA256_Transform(context->state, data); 488 context->bitcount += SHA256_BLOCK_LENGTH << 3; 489 len -= SHA256_BLOCK_LENGTH; 490 data += SHA256_BLOCK_LENGTH; 491 } 492 if (len > 0) { 493 /* There's left-overs, so save 'em */ 494 memcpy(context->buffer, data, len); 495 context->bitcount += len << 3; 496 } 497 /* Clean up: */ 498 usedspace = freespace = 0; 499 } 500 501 void 502 SHA256_Pad(SHA256_CTX *context) 503 { 504 unsigned int usedspace; 505 506 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; 507 if (usedspace > 0) { 508 /* Begin padding with a 1 bit: */ 509 context->buffer[usedspace++] = 0x80; 510 511 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 512 /* Set-up for the last transform: */ 513 memset(&context->buffer[usedspace], 0, 514 SHA256_SHORT_BLOCK_LENGTH - usedspace); 515 } else { 516 if (usedspace < SHA256_BLOCK_LENGTH) { 517 memset(&context->buffer[usedspace], 0, 518 SHA256_BLOCK_LENGTH - usedspace); 519 } 520 /* Do second-to-last transform: */ 521 SHA256_Transform(context->state, context->buffer); 522 523 /* Prepare for last transform: */ 524 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); 525 } 526 } else { 527 /* Set-up for the last transform: */ 528 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); 529 530 /* Begin padding with a 1 bit: */ 531 *context->buffer = 0x80; 532 } 533 /* Store the length of input data (in bits) in big endian format: */ 534 BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], 535 context->bitcount); 536 537 /* Final transform: */ 538 SHA256_Transform(context->state, context->buffer); 539 540 /* Clean up: */ 541 usedspace = 0; 542 } 543 544 void 545 SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA256_CTX *context) 546 { 547 SHA256_Pad(context); 548 549 /* If no digest buffer is passed, we don't bother doing this: */ 550 if (digest != NULL) { 551 #if BYTE_ORDER == LITTLE_ENDIAN 552 int i; 553 554 /* Convert TO host byte order */ 555 for (i = 0; i < 8; i++) 556 BE_32_TO_8(digest + i * 4, context->state[i]); 557 #else 558 memcpy(digest, context->state, SHA256_DIGEST_LENGTH); 559 #endif 560 memset(context, 0, sizeof(*context)); 561 } 562 } 563 564 565 /*** SHA-512: *********************************************************/ 566 void 567 SHA512_Init(SHA512_CTX *context) 568 { 569 if (context == NULL) 570 return; 571 memcpy(context->state, sha512_initial_hash_value, 572 sizeof(sha512_initial_hash_value)); 573 memset(context->buffer, 0, sizeof(context->buffer)); 574 context->bitcount[0] = context->bitcount[1] = 0; 575 } 576 577 #ifdef SHA2_UNROLL_TRANSFORM 578 579 /* Unrolled SHA-512 round macros: */ 580 581 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \ 582 BE_8_TO_64(W512[j], data); \ 583 data += 8; \ 584 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \ 585 (d) += T1; \ 586 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ 587 j++; \ 588 } while(0) 589 590 591 #define ROUND512(a,b,c,d,e,f,g,h) do { \ 592 s0 = W512[(j+1)&0x0f]; \ 593 s0 = sigma0_512(s0); \ 594 s1 = W512[(j+14)&0x0f]; \ 595 s1 = sigma1_512(s1); \ 596 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \ 597 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 598 (d) += T1; \ 599 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ 600 j++; \ 601 } while(0) 602 603 void 604 SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) 605 { 606 u_int64_t a, b, c, d, e, f, g, h, s0, s1; 607 u_int64_t T1, W512[16]; 608 int j; 609 610 /* Initialize registers with the prev. intermediate value */ 611 a = state[0]; 612 b = state[1]; 613 c = state[2]; 614 d = state[3]; 615 e = state[4]; 616 f = state[5]; 617 g = state[6]; 618 h = state[7]; 619 620 j = 0; 621 do { 622 /* Rounds 0 to 15 (unrolled): */ 623 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 624 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 625 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 626 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 627 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 628 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 629 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 630 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 631 } while (j < 16); 632 633 /* Now for the remaining rounds up to 79: */ 634 do { 635 ROUND512(a,b,c,d,e,f,g,h); 636 ROUND512(h,a,b,c,d,e,f,g); 637 ROUND512(g,h,a,b,c,d,e,f); 638 ROUND512(f,g,h,a,b,c,d,e); 639 ROUND512(e,f,g,h,a,b,c,d); 640 ROUND512(d,e,f,g,h,a,b,c); 641 ROUND512(c,d,e,f,g,h,a,b); 642 ROUND512(b,c,d,e,f,g,h,a); 643 } while (j < 80); 644 645 /* Compute the current intermediate hash value */ 646 state[0] += a; 647 state[1] += b; 648 state[2] += c; 649 state[3] += d; 650 state[4] += e; 651 state[5] += f; 652 state[6] += g; 653 state[7] += h; 654 655 /* Clean up */ 656 a = b = c = d = e = f = g = h = T1 = 0; 657 } 658 659 #else /* SHA2_UNROLL_TRANSFORM */ 660 661 void 662 SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) 663 { 664 u_int64_t a, b, c, d, e, f, g, h, s0, s1; 665 u_int64_t T1, T2, W512[16]; 666 int j; 667 668 /* Initialize registers with the prev. intermediate value */ 669 a = state[0]; 670 b = state[1]; 671 c = state[2]; 672 d = state[3]; 673 e = state[4]; 674 f = state[5]; 675 g = state[6]; 676 h = state[7]; 677 678 j = 0; 679 do { 680 BE_8_TO_64(W512[j], data); 681 data += 8; 682 /* Apply the SHA-512 compression function to update a..h */ 683 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 684 T2 = Sigma0_512(a) + Maj(a, b, c); 685 h = g; 686 g = f; 687 f = e; 688 e = d + T1; 689 d = c; 690 c = b; 691 b = a; 692 a = T1 + T2; 693 694 j++; 695 } while (j < 16); 696 697 do { 698 /* Part of the message block expansion: */ 699 s0 = W512[(j+1)&0x0f]; 700 s0 = sigma0_512(s0); 701 s1 = W512[(j+14)&0x0f]; 702 s1 = sigma1_512(s1); 703 704 /* Apply the SHA-512 compression function to update a..h */ 705 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 706 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 707 T2 = Sigma0_512(a) + Maj(a, b, c); 708 h = g; 709 g = f; 710 f = e; 711 e = d + T1; 712 d = c; 713 c = b; 714 b = a; 715 a = T1 + T2; 716 717 j++; 718 } while (j < 80); 719 720 /* Compute the current intermediate hash value */ 721 state[0] += a; 722 state[1] += b; 723 state[2] += c; 724 state[3] += d; 725 state[4] += e; 726 state[5] += f; 727 state[6] += g; 728 state[7] += h; 729 730 /* Clean up */ 731 a = b = c = d = e = f = g = h = T1 = T2 = 0; 732 } 733 734 #endif /* SHA2_UNROLL_TRANSFORM */ 735 736 void 737 SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len) 738 { 739 size_t freespace, usedspace; 740 741 /* Calling with no data is valid (we do nothing) */ 742 if (len == 0) 743 return; 744 745 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 746 if (usedspace > 0) { 747 /* Calculate how much free space is available in the buffer */ 748 freespace = SHA512_BLOCK_LENGTH - usedspace; 749 750 if (len >= freespace) { 751 /* Fill the buffer completely and process it */ 752 memcpy(&context->buffer[usedspace], data, freespace); 753 ADDINC128(context->bitcount, freespace << 3); 754 len -= freespace; 755 data += freespace; 756 SHA512_Transform(context->state, context->buffer); 757 } else { 758 /* The buffer is not yet full */ 759 memcpy(&context->buffer[usedspace], data, len); 760 ADDINC128(context->bitcount, len << 3); 761 /* Clean up: */ 762 usedspace = freespace = 0; 763 return; 764 } 765 } 766 while (len >= SHA512_BLOCK_LENGTH) { 767 /* Process as many complete blocks as we can */ 768 SHA512_Transform(context->state, data); 769 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 770 len -= SHA512_BLOCK_LENGTH; 771 data += SHA512_BLOCK_LENGTH; 772 } 773 if (len > 0) { 774 /* There's left-overs, so save 'em */ 775 memcpy(context->buffer, data, len); 776 ADDINC128(context->bitcount, len << 3); 777 } 778 /* Clean up: */ 779 usedspace = freespace = 0; 780 } 781 782 void 783 SHA512_Pad(SHA512_CTX *context) 784 { 785 unsigned int usedspace; 786 787 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 788 if (usedspace > 0) { 789 /* Begin padding with a 1 bit: */ 790 context->buffer[usedspace++] = 0x80; 791 792 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 793 /* Set-up for the last transform: */ 794 memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace); 795 } else { 796 if (usedspace < SHA512_BLOCK_LENGTH) { 797 memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace); 798 } 799 /* Do second-to-last transform: */ 800 SHA512_Transform(context->state, context->buffer); 801 802 /* And set-up for the last transform: */ 803 memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2); 804 } 805 } else { 806 /* Prepare for final transform: */ 807 memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH); 808 809 /* Begin padding with a 1 bit: */ 810 *context->buffer = 0x80; 811 } 812 /* Store the length of input data (in bits) in big endian format: */ 813 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], 814 context->bitcount[1]); 815 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], 816 context->bitcount[0]); 817 818 /* Final transform: */ 819 SHA512_Transform(context->state, context->buffer); 820 821 /* Clean up: */ 822 usedspace = 0; 823 } 824 825 void 826 SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context) 827 { 828 SHA512_Pad(context); 829 830 /* If no digest buffer is passed, we don't bother doing this: */ 831 if (digest != NULL) { 832 #if BYTE_ORDER == LITTLE_ENDIAN 833 int i; 834 835 /* Convert TO host byte order */ 836 for (i = 0; i < 8; i++) 837 BE_64_TO_8(digest + i * 8, context->state[i]); 838 #else 839 memcpy(digest, context->state, SHA512_DIGEST_LENGTH); 840 #endif 841 memset(context, 0, sizeof(*context)); 842 } 843 } 844 845 846 /*** SHA-384: *********************************************************/ 847 void 848 SHA384_Init(SHA384_CTX *context) 849 { 850 if (context == NULL) 851 return; 852 memcpy(context->state, sha384_initial_hash_value, 853 sizeof(sha384_initial_hash_value)); 854 memset(context->buffer, 0, sizeof(context->buffer)); 855 context->bitcount[0] = context->bitcount[1] = 0; 856 } 857 858 #if 0 859 __weak_alias(SHA384_Transform, SHA512_Transform); 860 __weak_alias(SHA384_Update, SHA512_Update); 861 __weak_alias(SHA384_Pad, SHA512_Pad); 862 #endif 863 864 void 865 SHA384_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) 866 { 867 return SHA512_Transform(state, data); 868 } 869 870 void 871 SHA384_Update(SHA512_CTX *context, const u_int8_t *data, size_t len) 872 { 873 SHA512_Update(context, data, len); 874 } 875 876 void 877 SHA384_Pad(SHA512_CTX *context) 878 { 879 SHA512_Pad(context); 880 } 881 882 void 883 SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) 884 { 885 SHA384_Pad(context); 886 887 /* If no digest buffer is passed, we don't bother doing this: */ 888 if (digest != NULL) { 889 #if BYTE_ORDER == LITTLE_ENDIAN 890 int i; 891 892 /* Convert TO host byte order */ 893 for (i = 0; i < 6; i++) 894 BE_64_TO_8(digest + i * 8, context->state[i]); 895 #else 896 memcpy(digest, context->state, SHA384_DIGEST_LENGTH); 897 #endif 898 } 899 900 /* Zero out state data */ 901 memset(context, 0, sizeof(*context)); 902 } 903 904 #endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */ 905