1 /* $OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp */
2
3 /*
4 * FILE: sha2.c
5 * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
6 *
7 * Copyright (c) 2000-2001, Aaron D. Gifford
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the copyright holder nor the names of contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
35 */
36
37 /* OPENBSD ORIGINAL: lib/libc/hash/sha2.c */
38
39 #include "includes.h"
40
41 #ifdef WITH_OPENSSL
42 # include <openssl/opensslv.h>
43 # if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
44 # define _NEED_SHA2 1
45 # endif
46 #else
47 # define _NEED_SHA2 1
48 #endif
49
50 #if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE)
51
52 #include <string.h>
53
54 /*
55 * UNROLLED TRANSFORM LOOP NOTE:
56 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
57 * loop version for the hash transform rounds (defined using macros
58 * later in this file). Either define on the command line, for example:
59 *
60 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
61 *
62 * or define below:
63 *
64 * #define SHA2_UNROLL_TRANSFORM
65 *
66 */
67
68 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
69 /*
70 * BYTE_ORDER NOTE:
71 *
72 * Please make sure that your system defines BYTE_ORDER. If your
73 * architecture is little-endian, make sure it also defines
74 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
75 * equivilent.
76 *
77 * If your system does not define the above, then you can do so by
78 * hand like this:
79 *
80 * #define LITTLE_ENDIAN 1234
81 * #define BIG_ENDIAN 4321
82 *
83 * And for little-endian machines, add:
84 *
85 * #define BYTE_ORDER LITTLE_ENDIAN
86 *
87 * Or for big-endian machines:
88 *
89 * #define BYTE_ORDER BIG_ENDIAN
90 *
91 * The FreeBSD machine this was written on defines BYTE_ORDER
92 * appropriately by including <sys/types.h> (which in turn includes
93 * <machine/endian.h> where the appropriate definitions are actually
94 * made).
95 */
96 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
97 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
98 #endif
99
100
101 /*** SHA-256/384/512 Various Length Definitions ***********************/
102 /* NOTE: Most of these are in sha2.h */
103 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
104 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
105 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
106
107 /*** ENDIAN SPECIFIC COPY MACROS **************************************/
108 #define BE_8_TO_32(dst, cp) do { \
109 (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) | \
110 ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24); \
111 } while(0)
112
113 #define BE_8_TO_64(dst, cp) do { \
114 (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) | \
115 ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) | \
116 ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) | \
117 ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56); \
118 } while (0)
119
120 #define BE_64_TO_8(cp, src) do { \
121 (cp)[0] = (src) >> 56; \
122 (cp)[1] = (src) >> 48; \
123 (cp)[2] = (src) >> 40; \
124 (cp)[3] = (src) >> 32; \
125 (cp)[4] = (src) >> 24; \
126 (cp)[5] = (src) >> 16; \
127 (cp)[6] = (src) >> 8; \
128 (cp)[7] = (src); \
129 } while (0)
130
131 #define BE_32_TO_8(cp, src) do { \
132 (cp)[0] = (src) >> 24; \
133 (cp)[1] = (src) >> 16; \
134 (cp)[2] = (src) >> 8; \
135 (cp)[3] = (src); \
136 } while (0)
137
138 /*
139 * Macro for incrementally adding the unsigned 64-bit integer n to the
140 * unsigned 128-bit integer (represented using a two-element array of
141 * 64-bit words):
142 */
143 #define ADDINC128(w,n) do { \
144 (w)[0] += (u_int64_t)(n); \
145 if ((w)[0] < (n)) { \
146 (w)[1]++; \
147 } \
148 } while (0)
149
150 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
151 /*
152 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
153 *
154 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
155 * S is a ROTATION) because the SHA-256/384/512 description document
156 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
157 * same "backwards" definition.
158 */
159 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
160 #define R(b,x) ((x) >> (b))
161 /* 32-bit Rotate-right (used in SHA-256): */
162 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
163 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
164 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
165
166 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
167 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
168 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
169
170 /* Four of six logical functions used in SHA-256: */
171 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
172 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
173 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
174 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
175
176 /* Four of six logical functions used in SHA-384 and SHA-512: */
177 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
178 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
179 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
180 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
181
182
183 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
184 /* Hash constant words K for SHA-256: */
185 const static u_int32_t K256[64] = {
186 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
187 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
188 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
189 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
190 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
191 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
192 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
193 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
194 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
195 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
196 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
197 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
198 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
199 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
200 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
201 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
202 };
203
204 /* Initial hash value H for SHA-256: */
205 const static u_int32_t sha256_initial_hash_value[8] = {
206 0x6a09e667UL,
207 0xbb67ae85UL,
208 0x3c6ef372UL,
209 0xa54ff53aUL,
210 0x510e527fUL,
211 0x9b05688cUL,
212 0x1f83d9abUL,
213 0x5be0cd19UL
214 };
215
216 /* Hash constant words K for SHA-384 and SHA-512: */
217 const static u_int64_t K512[80] = {
218 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
219 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
220 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
221 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
222 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
223 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
224 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
225 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
226 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
227 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
228 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
229 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
230 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
231 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
232 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
233 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
234 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
235 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
236 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
237 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
238 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
239 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
240 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
241 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
242 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
243 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
244 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
245 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
246 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
247 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
248 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
249 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
250 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
251 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
252 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
253 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
254 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
255 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
256 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
257 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
258 };
259
260 /* Initial hash value H for SHA-384 */
261 const static u_int64_t sha384_initial_hash_value[8] = {
262 0xcbbb9d5dc1059ed8ULL,
263 0x629a292a367cd507ULL,
264 0x9159015a3070dd17ULL,
265 0x152fecd8f70e5939ULL,
266 0x67332667ffc00b31ULL,
267 0x8eb44a8768581511ULL,
268 0xdb0c2e0d64f98fa7ULL,
269 0x47b5481dbefa4fa4ULL
270 };
271
272 /* Initial hash value H for SHA-512 */
273 const static u_int64_t sha512_initial_hash_value[8] = {
274 0x6a09e667f3bcc908ULL,
275 0xbb67ae8584caa73bULL,
276 0x3c6ef372fe94f82bULL,
277 0xa54ff53a5f1d36f1ULL,
278 0x510e527fade682d1ULL,
279 0x9b05688c2b3e6c1fULL,
280 0x1f83d9abfb41bd6bULL,
281 0x5be0cd19137e2179ULL
282 };
283
284
285 /*** SHA-256: *********************************************************/
286 void
SHA256_Init(SHA256_CTX * context)287 SHA256_Init(SHA256_CTX *context)
288 {
289 if (context == NULL)
290 return;
291 memcpy(context->state, sha256_initial_hash_value,
292 sizeof(sha256_initial_hash_value));
293 memset(context->buffer, 0, sizeof(context->buffer));
294 context->bitcount = 0;
295 }
296
297 #ifdef SHA2_UNROLL_TRANSFORM
298
299 /* Unrolled SHA-256 round macros: */
300
301 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
302 BE_8_TO_32(W256[j], data); \
303 data += 4; \
304 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
305 (d) += T1; \
306 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
307 j++; \
308 } while(0)
309
310 #define ROUND256(a,b,c,d,e,f,g,h) do { \
311 s0 = W256[(j+1)&0x0f]; \
312 s0 = sigma0_256(s0); \
313 s1 = W256[(j+14)&0x0f]; \
314 s1 = sigma1_256(s1); \
315 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
316 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
317 (d) += T1; \
318 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
319 j++; \
320 } while(0)
321
322 void
SHA256_Transform(u_int32_t state[8],const u_int8_t data[SHA256_BLOCK_LENGTH])323 SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
324 {
325 u_int32_t a, b, c, d, e, f, g, h, s0, s1;
326 u_int32_t T1, W256[16];
327 int j;
328
329 /* Initialize registers with the prev. intermediate value */
330 a = state[0];
331 b = state[1];
332 c = state[2];
333 d = state[3];
334 e = state[4];
335 f = state[5];
336 g = state[6];
337 h = state[7];
338
339 j = 0;
340 do {
341 /* Rounds 0 to 15 (unrolled): */
342 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
343 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
344 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
345 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
346 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
347 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
348 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
349 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
350 } while (j < 16);
351
352 /* Now for the remaining rounds up to 63: */
353 do {
354 ROUND256(a,b,c,d,e,f,g,h);
355 ROUND256(h,a,b,c,d,e,f,g);
356 ROUND256(g,h,a,b,c,d,e,f);
357 ROUND256(f,g,h,a,b,c,d,e);
358 ROUND256(e,f,g,h,a,b,c,d);
359 ROUND256(d,e,f,g,h,a,b,c);
360 ROUND256(c,d,e,f,g,h,a,b);
361 ROUND256(b,c,d,e,f,g,h,a);
362 } while (j < 64);
363
364 /* Compute the current intermediate hash value */
365 state[0] += a;
366 state[1] += b;
367 state[2] += c;
368 state[3] += d;
369 state[4] += e;
370 state[5] += f;
371 state[6] += g;
372 state[7] += h;
373
374 /* Clean up */
375 a = b = c = d = e = f = g = h = T1 = 0;
376 }
377
378 #else /* SHA2_UNROLL_TRANSFORM */
379
380 void
SHA256_Transform(u_int32_t state[8],const u_int8_t data[SHA256_BLOCK_LENGTH])381 SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
382 {
383 u_int32_t a, b, c, d, e, f, g, h, s0, s1;
384 u_int32_t T1, T2, W256[16];
385 int j;
386
387 /* Initialize registers with the prev. intermediate value */
388 a = state[0];
389 b = state[1];
390 c = state[2];
391 d = state[3];
392 e = state[4];
393 f = state[5];
394 g = state[6];
395 h = state[7];
396
397 j = 0;
398 do {
399 BE_8_TO_32(W256[j], data);
400 data += 4;
401 /* Apply the SHA-256 compression function to update a..h */
402 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
403 T2 = Sigma0_256(a) + Maj(a, b, c);
404 h = g;
405 g = f;
406 f = e;
407 e = d + T1;
408 d = c;
409 c = b;
410 b = a;
411 a = T1 + T2;
412
413 j++;
414 } while (j < 16);
415
416 do {
417 /* Part of the message block expansion: */
418 s0 = W256[(j+1)&0x0f];
419 s0 = sigma0_256(s0);
420 s1 = W256[(j+14)&0x0f];
421 s1 = sigma1_256(s1);
422
423 /* Apply the SHA-256 compression function to update a..h */
424 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
425 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
426 T2 = Sigma0_256(a) + Maj(a, b, c);
427 h = g;
428 g = f;
429 f = e;
430 e = d + T1;
431 d = c;
432 c = b;
433 b = a;
434 a = T1 + T2;
435
436 j++;
437 } while (j < 64);
438
439 /* Compute the current intermediate hash value */
440 state[0] += a;
441 state[1] += b;
442 state[2] += c;
443 state[3] += d;
444 state[4] += e;
445 state[5] += f;
446 state[6] += g;
447 state[7] += h;
448
449 /* Clean up */
450 a = b = c = d = e = f = g = h = T1 = T2 = 0;
451 }
452
453 #endif /* SHA2_UNROLL_TRANSFORM */
454
455 void
SHA256_Update(SHA256_CTX * context,const u_int8_t * data,size_t len)456 SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len)
457 {
458 size_t freespace, usedspace;
459
460 /* Calling with no data is valid (we do nothing) */
461 if (len == 0)
462 return;
463
464 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
465 if (usedspace > 0) {
466 /* Calculate how much free space is available in the buffer */
467 freespace = SHA256_BLOCK_LENGTH - usedspace;
468
469 if (len >= freespace) {
470 /* Fill the buffer completely and process it */
471 memcpy(&context->buffer[usedspace], data, freespace);
472 context->bitcount += freespace << 3;
473 len -= freespace;
474 data += freespace;
475 SHA256_Transform(context->state, context->buffer);
476 } else {
477 /* The buffer is not yet full */
478 memcpy(&context->buffer[usedspace], data, len);
479 context->bitcount += len << 3;
480 /* Clean up: */
481 usedspace = freespace = 0;
482 return;
483 }
484 }
485 while (len >= SHA256_BLOCK_LENGTH) {
486 /* Process as many complete blocks as we can */
487 SHA256_Transform(context->state, data);
488 context->bitcount += SHA256_BLOCK_LENGTH << 3;
489 len -= SHA256_BLOCK_LENGTH;
490 data += SHA256_BLOCK_LENGTH;
491 }
492 if (len > 0) {
493 /* There's left-overs, so save 'em */
494 memcpy(context->buffer, data, len);
495 context->bitcount += len << 3;
496 }
497 /* Clean up: */
498 usedspace = freespace = 0;
499 }
500
501 void
SHA256_Pad(SHA256_CTX * context)502 SHA256_Pad(SHA256_CTX *context)
503 {
504 unsigned int usedspace;
505
506 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
507 if (usedspace > 0) {
508 /* Begin padding with a 1 bit: */
509 context->buffer[usedspace++] = 0x80;
510
511 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
512 /* Set-up for the last transform: */
513 memset(&context->buffer[usedspace], 0,
514 SHA256_SHORT_BLOCK_LENGTH - usedspace);
515 } else {
516 if (usedspace < SHA256_BLOCK_LENGTH) {
517 memset(&context->buffer[usedspace], 0,
518 SHA256_BLOCK_LENGTH - usedspace);
519 }
520 /* Do second-to-last transform: */
521 SHA256_Transform(context->state, context->buffer);
522
523 /* Prepare for last transform: */
524 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
525 }
526 } else {
527 /* Set-up for the last transform: */
528 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
529
530 /* Begin padding with a 1 bit: */
531 *context->buffer = 0x80;
532 }
533 /* Store the length of input data (in bits) in big endian format: */
534 BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH],
535 context->bitcount);
536
537 /* Final transform: */
538 SHA256_Transform(context->state, context->buffer);
539
540 /* Clean up: */
541 usedspace = 0;
542 }
543
544 void
SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH],SHA256_CTX * context)545 SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA256_CTX *context)
546 {
547 SHA256_Pad(context);
548
549 /* If no digest buffer is passed, we don't bother doing this: */
550 if (digest != NULL) {
551 #if BYTE_ORDER == LITTLE_ENDIAN
552 int i;
553
554 /* Convert TO host byte order */
555 for (i = 0; i < 8; i++)
556 BE_32_TO_8(digest + i * 4, context->state[i]);
557 #else
558 memcpy(digest, context->state, SHA256_DIGEST_LENGTH);
559 #endif
560 memset(context, 0, sizeof(*context));
561 }
562 }
563
564
565 /*** SHA-512: *********************************************************/
566 void
SHA512_Init(SHA512_CTX * context)567 SHA512_Init(SHA512_CTX *context)
568 {
569 if (context == NULL)
570 return;
571 memcpy(context->state, sha512_initial_hash_value,
572 sizeof(sha512_initial_hash_value));
573 memset(context->buffer, 0, sizeof(context->buffer));
574 context->bitcount[0] = context->bitcount[1] = 0;
575 }
576
577 #ifdef SHA2_UNROLL_TRANSFORM
578
579 /* Unrolled SHA-512 round macros: */
580
581 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
582 BE_8_TO_64(W512[j], data); \
583 data += 8; \
584 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
585 (d) += T1; \
586 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
587 j++; \
588 } while(0)
589
590
591 #define ROUND512(a,b,c,d,e,f,g,h) do { \
592 s0 = W512[(j+1)&0x0f]; \
593 s0 = sigma0_512(s0); \
594 s1 = W512[(j+14)&0x0f]; \
595 s1 = sigma1_512(s1); \
596 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
597 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
598 (d) += T1; \
599 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
600 j++; \
601 } while(0)
602
603 void
SHA512_Transform(u_int64_t state[8],const u_int8_t data[SHA512_BLOCK_LENGTH])604 SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
605 {
606 u_int64_t a, b, c, d, e, f, g, h, s0, s1;
607 u_int64_t T1, W512[16];
608 int j;
609
610 /* Initialize registers with the prev. intermediate value */
611 a = state[0];
612 b = state[1];
613 c = state[2];
614 d = state[3];
615 e = state[4];
616 f = state[5];
617 g = state[6];
618 h = state[7];
619
620 j = 0;
621 do {
622 /* Rounds 0 to 15 (unrolled): */
623 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
624 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
625 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
626 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
627 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
628 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
629 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
630 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
631 } while (j < 16);
632
633 /* Now for the remaining rounds up to 79: */
634 do {
635 ROUND512(a,b,c,d,e,f,g,h);
636 ROUND512(h,a,b,c,d,e,f,g);
637 ROUND512(g,h,a,b,c,d,e,f);
638 ROUND512(f,g,h,a,b,c,d,e);
639 ROUND512(e,f,g,h,a,b,c,d);
640 ROUND512(d,e,f,g,h,a,b,c);
641 ROUND512(c,d,e,f,g,h,a,b);
642 ROUND512(b,c,d,e,f,g,h,a);
643 } while (j < 80);
644
645 /* Compute the current intermediate hash value */
646 state[0] += a;
647 state[1] += b;
648 state[2] += c;
649 state[3] += d;
650 state[4] += e;
651 state[5] += f;
652 state[6] += g;
653 state[7] += h;
654
655 /* Clean up */
656 a = b = c = d = e = f = g = h = T1 = 0;
657 }
658
659 #else /* SHA2_UNROLL_TRANSFORM */
660
661 void
SHA512_Transform(u_int64_t state[8],const u_int8_t data[SHA512_BLOCK_LENGTH])662 SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
663 {
664 u_int64_t a, b, c, d, e, f, g, h, s0, s1;
665 u_int64_t T1, T2, W512[16];
666 int j;
667
668 /* Initialize registers with the prev. intermediate value */
669 a = state[0];
670 b = state[1];
671 c = state[2];
672 d = state[3];
673 e = state[4];
674 f = state[5];
675 g = state[6];
676 h = state[7];
677
678 j = 0;
679 do {
680 BE_8_TO_64(W512[j], data);
681 data += 8;
682 /* Apply the SHA-512 compression function to update a..h */
683 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
684 T2 = Sigma0_512(a) + Maj(a, b, c);
685 h = g;
686 g = f;
687 f = e;
688 e = d + T1;
689 d = c;
690 c = b;
691 b = a;
692 a = T1 + T2;
693
694 j++;
695 } while (j < 16);
696
697 do {
698 /* Part of the message block expansion: */
699 s0 = W512[(j+1)&0x0f];
700 s0 = sigma0_512(s0);
701 s1 = W512[(j+14)&0x0f];
702 s1 = sigma1_512(s1);
703
704 /* Apply the SHA-512 compression function to update a..h */
705 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
706 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
707 T2 = Sigma0_512(a) + Maj(a, b, c);
708 h = g;
709 g = f;
710 f = e;
711 e = d + T1;
712 d = c;
713 c = b;
714 b = a;
715 a = T1 + T2;
716
717 j++;
718 } while (j < 80);
719
720 /* Compute the current intermediate hash value */
721 state[0] += a;
722 state[1] += b;
723 state[2] += c;
724 state[3] += d;
725 state[4] += e;
726 state[5] += f;
727 state[6] += g;
728 state[7] += h;
729
730 /* Clean up */
731 a = b = c = d = e = f = g = h = T1 = T2 = 0;
732 }
733
734 #endif /* SHA2_UNROLL_TRANSFORM */
735
736 void
SHA512_Update(SHA512_CTX * context,const u_int8_t * data,size_t len)737 SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
738 {
739 size_t freespace, usedspace;
740
741 /* Calling with no data is valid (we do nothing) */
742 if (len == 0)
743 return;
744
745 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
746 if (usedspace > 0) {
747 /* Calculate how much free space is available in the buffer */
748 freespace = SHA512_BLOCK_LENGTH - usedspace;
749
750 if (len >= freespace) {
751 /* Fill the buffer completely and process it */
752 memcpy(&context->buffer[usedspace], data, freespace);
753 ADDINC128(context->bitcount, freespace << 3);
754 len -= freespace;
755 data += freespace;
756 SHA512_Transform(context->state, context->buffer);
757 } else {
758 /* The buffer is not yet full */
759 memcpy(&context->buffer[usedspace], data, len);
760 ADDINC128(context->bitcount, len << 3);
761 /* Clean up: */
762 usedspace = freespace = 0;
763 return;
764 }
765 }
766 while (len >= SHA512_BLOCK_LENGTH) {
767 /* Process as many complete blocks as we can */
768 SHA512_Transform(context->state, data);
769 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
770 len -= SHA512_BLOCK_LENGTH;
771 data += SHA512_BLOCK_LENGTH;
772 }
773 if (len > 0) {
774 /* There's left-overs, so save 'em */
775 memcpy(context->buffer, data, len);
776 ADDINC128(context->bitcount, len << 3);
777 }
778 /* Clean up: */
779 usedspace = freespace = 0;
780 }
781
782 void
SHA512_Pad(SHA512_CTX * context)783 SHA512_Pad(SHA512_CTX *context)
784 {
785 unsigned int usedspace;
786
787 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
788 if (usedspace > 0) {
789 /* Begin padding with a 1 bit: */
790 context->buffer[usedspace++] = 0x80;
791
792 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
793 /* Set-up for the last transform: */
794 memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace);
795 } else {
796 if (usedspace < SHA512_BLOCK_LENGTH) {
797 memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace);
798 }
799 /* Do second-to-last transform: */
800 SHA512_Transform(context->state, context->buffer);
801
802 /* And set-up for the last transform: */
803 memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
804 }
805 } else {
806 /* Prepare for final transform: */
807 memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
808
809 /* Begin padding with a 1 bit: */
810 *context->buffer = 0x80;
811 }
812 /* Store the length of input data (in bits) in big endian format: */
813 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH],
814 context->bitcount[1]);
815 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8],
816 context->bitcount[0]);
817
818 /* Final transform: */
819 SHA512_Transform(context->state, context->buffer);
820
821 /* Clean up: */
822 usedspace = 0;
823 }
824
825 void
SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH],SHA512_CTX * context)826 SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context)
827 {
828 SHA512_Pad(context);
829
830 /* If no digest buffer is passed, we don't bother doing this: */
831 if (digest != NULL) {
832 #if BYTE_ORDER == LITTLE_ENDIAN
833 int i;
834
835 /* Convert TO host byte order */
836 for (i = 0; i < 8; i++)
837 BE_64_TO_8(digest + i * 8, context->state[i]);
838 #else
839 memcpy(digest, context->state, SHA512_DIGEST_LENGTH);
840 #endif
841 memset(context, 0, sizeof(*context));
842 }
843 }
844
845
846 /*** SHA-384: *********************************************************/
847 void
SHA384_Init(SHA384_CTX * context)848 SHA384_Init(SHA384_CTX *context)
849 {
850 if (context == NULL)
851 return;
852 memcpy(context->state, sha384_initial_hash_value,
853 sizeof(sha384_initial_hash_value));
854 memset(context->buffer, 0, sizeof(context->buffer));
855 context->bitcount[0] = context->bitcount[1] = 0;
856 }
857
858 #if 0
859 __weak_alias(SHA384_Transform, SHA512_Transform);
860 __weak_alias(SHA384_Update, SHA512_Update);
861 __weak_alias(SHA384_Pad, SHA512_Pad);
862 #endif
863
864 void
SHA384_Transform(u_int64_t state[8],const u_int8_t data[SHA512_BLOCK_LENGTH])865 SHA384_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
866 {
867 return SHA512_Transform(state, data);
868 }
869
870 void
SHA384_Update(SHA512_CTX * context,const u_int8_t * data,size_t len)871 SHA384_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
872 {
873 SHA512_Update(context, data, len);
874 }
875
876 void
SHA384_Pad(SHA512_CTX * context)877 SHA384_Pad(SHA512_CTX *context)
878 {
879 SHA512_Pad(context);
880 }
881
882 void
SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH],SHA384_CTX * context)883 SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
884 {
885 SHA384_Pad(context);
886
887 /* If no digest buffer is passed, we don't bother doing this: */
888 if (digest != NULL) {
889 #if BYTE_ORDER == LITTLE_ENDIAN
890 int i;
891
892 /* Convert TO host byte order */
893 for (i = 0; i < 6; i++)
894 BE_64_TO_8(digest + i * 8, context->state[i]);
895 #else
896 memcpy(digest, context->state, SHA384_DIGEST_LENGTH);
897 #endif
898 }
899
900 /* Zero out state data */
901 memset(context, 0, sizeof(*context));
902 }
903
904 #endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */
905