xref: /dragonfly/sys/crypto/sha2/sha2.c (revision 86d7f5d3)
1 /*
2  * $KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $
3  * $FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.9 2006/10/22 02:19:33 kevlo Exp $
4  */
5 
6 /*
7  * sha2.c
8  *
9  * Version 1.0.0beta1
10  *
11  * Written by Aaron D. Gifford <me@aarongifford.com>
12  *
13  * Copyright 2000 Aaron D. Gifford.  All rights reserved.
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions
17  * are met:
18  * 1. Redistributions of source code must retain the above copyright
19  *    notice, this list of conditions and the following disclaimer.
20  * 2. Redistributions in binary form must reproduce the above copyright
21  *    notice, this list of conditions and the following disclaimer in the
22  *    documentation and/or other materials provided with the distribution.
23  * 3. Neither the name of the copyright holder nor the names of contributors
24  *    may be used to endorse or promote products derived from this software
25  *    without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
28  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
31  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37  * SUCH DAMAGE.
38  */
39 
40 
41 #include <sys/types.h>
42 #include <sys/time.h>
43 #ifdef _KERNEL
44 #include <sys/param.h>
45 #include <sys/systm.h>
46 #else
47 #include <string.h>
48 #endif
49 #include <machine/endian.h>
50 #include <crypto/sha2/sha2.h>
51 
52 /*
53  * ASSERT NOTE:
54  * Some sanity checking code is included using assert().  On my FreeBSD
55  * system, this additional code can be removed by compiling with NDEBUG
56  * defined.  Check your own systems manpage on assert() to see how to
57  * compile WITHOUT the sanity checking code on your system.
58  *
59  * UNROLLED TRANSFORM LOOP NOTE:
60  * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
61  * loop version for the hash transform rounds (defined using macros
62  * later in this file).  Either define on the command line, for example:
63  *
64  *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
65  *
66  * or define below:
67  *
68  *   #define SHA2_UNROLL_TRANSFORM
69  *
70  */
71 
72 #if defined(__DragonFly__) || defined(__bsdi__) || defined(__FreeBSD__)
73 #define assert(x)
74 #endif
75 
76 
77 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
78 /*
79  * BYTE_ORDER NOTE:
80  *
81  * Please make sure that your system defines BYTE_ORDER.  If your
82  * architecture is little-endian, make sure it also defines
83  * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
84  * equivilent.
85  *
86  * If your system does not define the above, then you can do so by
87  * hand like this:
88  *
89  *   #define LITTLE_ENDIAN 1234
90  *   #define BIG_ENDIAN    4321
91  *
92  * And for little-endian machines, add:
93  *
94  *   #define BYTE_ORDER LITTLE_ENDIAN
95  *
96  * Or for big-endian machines:
97  *
98  *   #define BYTE_ORDER BIG_ENDIAN
99  *
100  * The FreeBSD machine this was written on defines BYTE_ORDER
101  * appropriately by including <sys/types.h> (which in turn includes
102  * <machine/endian.h> where the appropriate definitions are actually
103  * made).
104  */
105 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
106 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
107 #endif
108 
109 /*
110  * Define the followingsha2_* types to types of the correct length on
111  * the native archtecture.   Most BSD systems and Linux define u_intXX_t
112  * types.  Machines with very recent ANSI C headers, can use the
113  * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
114  * during compile or in the sha.h header file.
115  *
116  * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
117  * will need to define these three typedefs below (and the appropriate
118  * ones in sha.h too) by hand according to their system architecture.
119  *
120  * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
121  * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
122  */
123 #if 0 /*def SHA2_USE_INTTYPES_H*/
124 
125 typedef uint8_t  sha2_byte;	/* Exactly 1 byte */
126 typedef uint32_t sha2_word32;	/* Exactly 4 bytes */
127 typedef uint64_t sha2_word64;	/* Exactly 8 bytes */
128 
129 #else /* SHA2_USE_INTTYPES_H */
130 
131 typedef u_int8_t  sha2_byte;	/* Exactly 1 byte */
132 typedef u_int32_t sha2_word32;	/* Exactly 4 bytes */
133 typedef u_int64_t sha2_word64;	/* Exactly 8 bytes */
134 
135 #endif /* SHA2_USE_INTTYPES_H */
136 
137 
138 /*** SHA-256/384/512 Various Length Definitions ***********************/
139 /* NOTE: Most of these are in sha2.h */
140 #define SHA256_SHORT_BLOCK_LENGTH	(SHA256_BLOCK_LENGTH - 8)
141 #define SHA384_SHORT_BLOCK_LENGTH	(SHA384_BLOCK_LENGTH - 16)
142 #define SHA512_SHORT_BLOCK_LENGTH	(SHA512_BLOCK_LENGTH - 16)
143 
144 
145 /*** ENDIAN REVERSAL MACROS *******************************************/
146 #if BYTE_ORDER == LITTLE_ENDIAN
147 #define REVERSE32(w,x)	{ \
148 	sha2_word32 tmp = (w); \
149 	tmp = (tmp >> 16) | (tmp << 16); \
150 	(x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
151 }
152 #define REVERSE64(w,x)	{ \
153 	sha2_word64 tmp = (w); \
154 	tmp = (tmp >> 32) | (tmp << 32); \
155 	tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
156 	      ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
157 	(x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
158 	      ((tmp & 0x0000ffff0000ffffULL) << 16); \
159 }
160 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
161 
162 /*
163  * Macro for incrementally adding the unsigned 64-bit integer n to the
164  * unsigned 128-bit integer (represented using a two-element array of
165  * 64-bit words):
166  */
167 #define ADDINC128(w,n)	{ \
168 	(w)[0] += (sha2_word64)(n); \
169 	if ((w)[0] < (n)) { \
170 		(w)[1]++; \
171 	} \
172 }
173 
174 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
175 /*
176  * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
177  *
178  *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
179  *   S is a ROTATION) because the SHA-256/384/512 description document
180  *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
181  *   same "backwards" definition.
182  */
183 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
184 #define R(b,x) 		((x) >> (b))
185 /* 32-bit Rotate-right (used in SHA-256): */
186 #define S32(b,x)	(((x) >> (b)) | ((x) << (32 - (b))))
187 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
188 #define S64(b,x)	(((x) >> (b)) | ((x) << (64 - (b))))
189 
190 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
191 #define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
192 #define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
193 
194 /* Four of six logical functions used in SHA-256: */
195 #define Sigma0_256(x)	(S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
196 #define Sigma1_256(x)	(S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
197 #define sigma0_256(x)	(S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
198 #define sigma1_256(x)	(S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
199 
200 /* Four of six logical functions used in SHA-384 and SHA-512: */
201 #define Sigma0_512(x)	(S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
202 #define Sigma1_512(x)	(S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
203 #define sigma0_512(x)	(S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
204 #define sigma1_512(x)	(S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
205 
206 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
207 /* NOTE: These should not be accessed directly from outside this
208  * library -- they are intended for private internal visibility/use
209  * only.
210  */
211 void SHA512_Last(SHA512_CTX*);
212 void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
213 void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
214 
215 
216 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
217 /* Hash constant words K for SHA-256: */
218 static const sha2_word32 K256[64] = {
219 	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
220 	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
221 	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
222 	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
223 	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
224 	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
225 	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
226 	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
227 	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
228 	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
229 	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
230 	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
231 	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
232 	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
233 	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
234 	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
235 };
236 
237 /* Initial hash value H for SHA-256: */
238 static const sha2_word32 sha256_initial_hash_value[8] = {
239 	0x6a09e667UL,
240 	0xbb67ae85UL,
241 	0x3c6ef372UL,
242 	0xa54ff53aUL,
243 	0x510e527fUL,
244 	0x9b05688cUL,
245 	0x1f83d9abUL,
246 	0x5be0cd19UL
247 };
248 
249 /* Hash constant words K for SHA-384 and SHA-512: */
250 static const sha2_word64 K512[80] = {
251 	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
252 	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
253 	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
254 	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
255 	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
256 	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
257 	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
258 	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
259 	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
260 	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
261 	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
262 	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
263 	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
264 	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
265 	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
266 	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
267 	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
268 	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
269 	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
270 	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
271 	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
272 	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
273 	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
274 	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
275 	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
276 	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
277 	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
278 	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
279 	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
280 	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
281 	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
282 	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
283 	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
284 	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
285 	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
286 	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
287 	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
288 	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
289 	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
290 	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
291 };
292 
293 /* Initial hash value H for SHA-384 */
294 static const sha2_word64 sha384_initial_hash_value[8] = {
295 	0xcbbb9d5dc1059ed8ULL,
296 	0x629a292a367cd507ULL,
297 	0x9159015a3070dd17ULL,
298 	0x152fecd8f70e5939ULL,
299 	0x67332667ffc00b31ULL,
300 	0x8eb44a8768581511ULL,
301 	0xdb0c2e0d64f98fa7ULL,
302 	0x47b5481dbefa4fa4ULL
303 };
304 
305 /* Initial hash value H for SHA-512 */
306 static const sha2_word64 sha512_initial_hash_value[8] = {
307 	0x6a09e667f3bcc908ULL,
308 	0xbb67ae8584caa73bULL,
309 	0x3c6ef372fe94f82bULL,
310 	0xa54ff53a5f1d36f1ULL,
311 	0x510e527fade682d1ULL,
312 	0x9b05688c2b3e6c1fULL,
313 	0x1f83d9abfb41bd6bULL,
314 	0x5be0cd19137e2179ULL
315 };
316 
317 /*
318  * Constant used by SHA256/384/512_End() functions for converting the
319  * digest to a readable hexadecimal character string:
320  */
321 static const char *sha2_hex_digits = "0123456789abcdef";
322 
323 
324 /*** SHA-256: *********************************************************/
SHA256_Init(SHA256_CTX * context)325 void SHA256_Init(SHA256_CTX* context) {
326 	if (context == NULL) {
327 		return;
328 	}
329 	bcopy(sha256_initial_hash_value, context->state, SHA256_DIGEST_LENGTH);
330 	bzero(context->buffer, SHA256_BLOCK_LENGTH);
331 	context->bitcount = 0;
332 }
333 
334 #ifdef SHA2_UNROLL_TRANSFORM
335 
336 /* Unrolled SHA-256 round macros: */
337 
338 #if BYTE_ORDER == LITTLE_ENDIAN
339 
340 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)	\
341 	REVERSE32(*data++, W256[j]); \
342 	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
343              K256[j] + W256[j]; \
344 	(d) += T1; \
345 	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
346 	j++
347 
348 
349 #else /* BYTE_ORDER == LITTLE_ENDIAN */
350 
351 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)	\
352 	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
353 	     K256[j] + (W256[j] = *data++); \
354 	(d) += T1; \
355 	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
356 	j++
357 
358 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
359 
360 #define ROUND256(a,b,c,d,e,f,g,h)	\
361 	s0 = W256[(j+1)&0x0f]; \
362 	s0 = sigma0_256(s0); \
363 	s1 = W256[(j+14)&0x0f]; \
364 	s1 = sigma1_256(s1); \
365 	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
366 	     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
367 	(d) += T1; \
368 	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
369 	j++
370 
SHA256_Transform(SHA256_CTX * context,const sha2_word32 * data)371 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
372 	sha2_word32	a, b, c, d, e, f, g, h, s0, s1;
373 	sha2_word32	T1, *W256;
374 	int		j;
375 
376 	W256 = (sha2_word32*)context->buffer;
377 
378 	/* Initialize registers with the prev. intermediate value */
379 	a = context->state[0];
380 	b = context->state[1];
381 	c = context->state[2];
382 	d = context->state[3];
383 	e = context->state[4];
384 	f = context->state[5];
385 	g = context->state[6];
386 	h = context->state[7];
387 
388 	j = 0;
389 	do {
390 		/* Rounds 0 to 15 (unrolled): */
391 		ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
392 		ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
393 		ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
394 		ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
395 		ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
396 		ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
397 		ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
398 		ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
399 	} while (j < 16);
400 
401 	/* Now for the remaining rounds to 64: */
402 	do {
403 		ROUND256(a,b,c,d,e,f,g,h);
404 		ROUND256(h,a,b,c,d,e,f,g);
405 		ROUND256(g,h,a,b,c,d,e,f);
406 		ROUND256(f,g,h,a,b,c,d,e);
407 		ROUND256(e,f,g,h,a,b,c,d);
408 		ROUND256(d,e,f,g,h,a,b,c);
409 		ROUND256(c,d,e,f,g,h,a,b);
410 		ROUND256(b,c,d,e,f,g,h,a);
411 	} while (j < 64);
412 
413 	/* Compute the current intermediate hash value */
414 	context->state[0] += a;
415 	context->state[1] += b;
416 	context->state[2] += c;
417 	context->state[3] += d;
418 	context->state[4] += e;
419 	context->state[5] += f;
420 	context->state[6] += g;
421 	context->state[7] += h;
422 
423 	/* Clean up */
424 	a = b = c = d = e = f = g = h = T1 = 0;
425 }
426 
427 #else /* SHA2_UNROLL_TRANSFORM */
428 
SHA256_Transform(SHA256_CTX * context,const sha2_word32 * data)429 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
430 	sha2_word32	a, b, c, d, e, f, g, h, s0, s1;
431 	sha2_word32	T1, T2, *W256;
432 	int		j;
433 
434 	W256 = (sha2_word32*)context->buffer;
435 
436 	/* Initialize registers with the prev. intermediate value */
437 	a = context->state[0];
438 	b = context->state[1];
439 	c = context->state[2];
440 	d = context->state[3];
441 	e = context->state[4];
442 	f = context->state[5];
443 	g = context->state[6];
444 	h = context->state[7];
445 
446 	j = 0;
447 	do {
448 #if BYTE_ORDER == LITTLE_ENDIAN
449 		/* Copy data while converting to host byte order */
450 		REVERSE32(*data++,W256[j]);
451 		/* Apply the SHA-256 compression function to update a..h */
452 		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
453 #else /* BYTE_ORDER == LITTLE_ENDIAN */
454 		/* Apply the SHA-256 compression function to update a..h with copy */
455 		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
456 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
457 		T2 = Sigma0_256(a) + Maj(a, b, c);
458 		h = g;
459 		g = f;
460 		f = e;
461 		e = d + T1;
462 		d = c;
463 		c = b;
464 		b = a;
465 		a = T1 + T2;
466 
467 		j++;
468 	} while (j < 16);
469 
470 	do {
471 		/* Part of the message block expansion: */
472 		s0 = W256[(j+1)&0x0f];
473 		s0 = sigma0_256(s0);
474 		s1 = W256[(j+14)&0x0f];
475 		s1 = sigma1_256(s1);
476 
477 		/* Apply the SHA-256 compression function to update a..h */
478 		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
479 		     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
480 		T2 = Sigma0_256(a) + Maj(a, b, c);
481 		h = g;
482 		g = f;
483 		f = e;
484 		e = d + T1;
485 		d = c;
486 		c = b;
487 		b = a;
488 		a = T1 + T2;
489 
490 		j++;
491 	} while (j < 64);
492 
493 	/* Compute the current intermediate hash value */
494 	context->state[0] += a;
495 	context->state[1] += b;
496 	context->state[2] += c;
497 	context->state[3] += d;
498 	context->state[4] += e;
499 	context->state[5] += f;
500 	context->state[6] += g;
501 	context->state[7] += h;
502 
503 	/* Clean up */
504 	a = b = c = d = e = f = g = h = T1 = T2 = 0;
505 }
506 
507 #endif /* SHA2_UNROLL_TRANSFORM */
508 
SHA256_Update(SHA256_CTX * context,const sha2_byte * data,size_t len)509 void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
510 	unsigned int	freespace, usedspace;
511 
512 	if (len == 0) {
513 		/* Calling with no data is valid - we do nothing */
514 		return;
515 	}
516 
517 	/* Sanity check: */
518 	assert(context != NULL && data != NULL);
519 
520 	usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
521 	if (usedspace > 0) {
522 		/* Calculate how much free space is available in the buffer */
523 		freespace = SHA256_BLOCK_LENGTH - usedspace;
524 
525 		if (len >= freespace) {
526 			/* Fill the buffer completely and process it */
527 			bcopy(data, &context->buffer[usedspace], freespace);
528 			context->bitcount += freespace << 3;
529 			len -= freespace;
530 			data += freespace;
531 			SHA256_Transform(context, (sha2_word32*)context->buffer);
532 		} else {
533 			/* The buffer is not yet full */
534 			bcopy(data, &context->buffer[usedspace], len);
535 			context->bitcount += len << 3;
536 			/* Clean up: */
537 			usedspace = freespace = 0;
538 			return;
539 		}
540 	}
541 	while (len >= SHA256_BLOCK_LENGTH) {
542 		/* Process as many complete blocks as we can */
543 		SHA256_Transform(context, (const sha2_word32*)data);
544 		context->bitcount += SHA256_BLOCK_LENGTH << 3;
545 		len -= SHA256_BLOCK_LENGTH;
546 		data += SHA256_BLOCK_LENGTH;
547 	}
548 	if (len > 0) {
549 		/* There's left-overs, so save 'em */
550 		bcopy(data, context->buffer, len);
551 		context->bitcount += len << 3;
552 	}
553 	/* Clean up: */
554 	usedspace = freespace = 0;
555 }
556 
SHA256_Final(sha2_byte digest[],SHA256_CTX * context)557 void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
558 	sha2_word32	*d = (sha2_word32*)digest;
559 	unsigned int	usedspace;
560 
561 	/* Sanity check: */
562 	assert(context != NULL);
563 
564 	/* If no digest buffer is passed, we don't bother doing this: */
565 	if (digest != NULL) {
566 		usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
567 #if BYTE_ORDER == LITTLE_ENDIAN
568 		/* Convert FROM host byte order */
569 		REVERSE64(context->bitcount,context->bitcount);
570 #endif
571 		if (usedspace > 0) {
572 			/* Begin padding with a 1 bit: */
573 			context->buffer[usedspace++] = 0x80;
574 
575 			if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
576 				/* Set-up for the last transform: */
577 				bzero(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
578 			} else {
579 				if (usedspace < SHA256_BLOCK_LENGTH) {
580 					bzero(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
581 				}
582 				/* Do second-to-last transform: */
583 				SHA256_Transform(context, (sha2_word32*)context->buffer);
584 
585 				/* And set-up for the last transform: */
586 				bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
587 			}
588 		} else {
589 			/* Set-up for the last transform: */
590 			bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
591 
592 			/* Begin padding with a 1 bit: */
593 			*context->buffer = 0x80;
594 		}
595 		/* Set the bit count: */
596 		*(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
597 
598 		/* Final transform: */
599 		SHA256_Transform(context, (sha2_word32*)context->buffer);
600 
601 #if BYTE_ORDER == LITTLE_ENDIAN
602 		{
603 			/* Convert TO host byte order */
604 			int	j;
605 			for (j = 0; j < 8; j++) {
606 				REVERSE32(context->state[j],context->state[j]);
607 				*d++ = context->state[j];
608 			}
609 		}
610 #else
611 		bcopy(context->state, d, SHA256_DIGEST_LENGTH);
612 #endif
613 	}
614 
615 	/* Clean up state data: */
616 	bzero(context, sizeof(*context));
617 	usedspace = 0;
618 }
619 
SHA256_End(SHA256_CTX * context,char buffer[])620 char *SHA256_End(SHA256_CTX* context, char buffer[]) {
621 	sha2_byte	digest[SHA256_DIGEST_LENGTH], *d = digest;
622 	int		i;
623 
624 	/* Sanity check: */
625 	assert(context != NULL);
626 
627 	if (buffer != NULL) {
628 		SHA256_Final(digest, context);
629 
630 		for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
631 			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
632 			*buffer++ = sha2_hex_digits[*d & 0x0f];
633 			d++;
634 		}
635 		*buffer = (char)0;
636 	} else {
637 		bzero(context, sizeof(*context));
638 	}
639 	bzero(digest, SHA256_DIGEST_LENGTH);
640 	return buffer;
641 }
642 
SHA256_Data(const sha2_byte * data,size_t len,char digest[SHA256_DIGEST_STRING_LENGTH])643 char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
644 	SHA256_CTX	context;
645 
646 	SHA256_Init(&context);
647 	SHA256_Update(&context, data, len);
648 	return SHA256_End(&context, digest);
649 }
650 
651 
652 /*** SHA-512: *********************************************************/
SHA512_Init(SHA512_CTX * context)653 void SHA512_Init(SHA512_CTX* context) {
654 	if (context == NULL) {
655 		return;
656 	}
657 	bcopy(sha512_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
658 	bzero(context->buffer, SHA512_BLOCK_LENGTH);
659 	context->bitcount[0] = context->bitcount[1] =  0;
660 }
661 
662 #ifdef SHA2_UNROLL_TRANSFORM
663 
664 /* Unrolled SHA-512 round macros: */
665 #if BYTE_ORDER == LITTLE_ENDIAN
666 
667 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
668 	REVERSE64(*data++, W512[j]); \
669 	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
670              K512[j] + W512[j]; \
671 	(d) += T1, \
672 	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
673 	j++
674 
675 
676 #else /* BYTE_ORDER == LITTLE_ENDIAN */
677 
678 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
679 	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
680              K512[j] + (W512[j] = *data++); \
681 	(d) += T1; \
682 	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
683 	j++
684 
685 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
686 
687 #define ROUND512(a,b,c,d,e,f,g,h)	\
688 	s0 = W512[(j+1)&0x0f]; \
689 	s0 = sigma0_512(s0); \
690 	s1 = W512[(j+14)&0x0f]; \
691 	s1 = sigma1_512(s1); \
692 	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
693              (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
694 	(d) += T1; \
695 	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
696 	j++
697 
SHA512_Transform(SHA512_CTX * context,const sha2_word64 * data)698 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
699 	sha2_word64	a, b, c, d, e, f, g, h, s0, s1;
700 	sha2_word64	T1 = 0, T2 = 0, *W512 = (sha2_word64*)context->buffer;
701 	int		j;
702 
703 	/* Initialize registers with the prev. intermediate value */
704 	a = context->state[0];
705 	b = context->state[1];
706 	c = context->state[2];
707 	d = context->state[3];
708 	e = context->state[4];
709 	f = context->state[5];
710 	g = context->state[6];
711 	h = context->state[7];
712 
713 	j = 0;
714 	do {
715 		ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
716 		ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
717 		ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
718 		ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
719 		ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
720 		ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
721 		ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
722 		ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
723 	} while (j < 16);
724 
725 	/* Now for the remaining rounds up to 79: */
726 	do {
727 		ROUND512(a,b,c,d,e,f,g,h);
728 		ROUND512(h,a,b,c,d,e,f,g);
729 		ROUND512(g,h,a,b,c,d,e,f);
730 		ROUND512(f,g,h,a,b,c,d,e);
731 		ROUND512(e,f,g,h,a,b,c,d);
732 		ROUND512(d,e,f,g,h,a,b,c);
733 		ROUND512(c,d,e,f,g,h,a,b);
734 		ROUND512(b,c,d,e,f,g,h,a);
735 	} while (j < 80);
736 
737 	/* Compute the current intermediate hash value */
738 	context->state[0] += a;
739 	context->state[1] += b;
740 	context->state[2] += c;
741 	context->state[3] += d;
742 	context->state[4] += e;
743 	context->state[5] += f;
744 	context->state[6] += g;
745 	context->state[7] += h;
746 
747 	/* Clean up */
748 	a = b = c = d = e = f = g = h = T1 = 0;
749 }
750 
751 #else /* SHA2_UNROLL_TRANSFORM */
752 
SHA512_Transform(SHA512_CTX * context,const sha2_word64 * data)753 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
754 	sha2_word64	a, b, c, d, e, f, g, h, s0, s1;
755 	sha2_word64	T1, T2, *W512 = (sha2_word64*)context->buffer;
756 	int		j;
757 
758 	/* Initialize registers with the prev. intermediate value */
759 	a = context->state[0];
760 	b = context->state[1];
761 	c = context->state[2];
762 	d = context->state[3];
763 	e = context->state[4];
764 	f = context->state[5];
765 	g = context->state[6];
766 	h = context->state[7];
767 
768 	j = 0;
769 	do {
770 #if BYTE_ORDER == LITTLE_ENDIAN
771 		/* Convert TO host byte order */
772 		REVERSE64(*data++, W512[j]);
773 		/* Apply the SHA-512 compression function to update a..h */
774 		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
775 #else /* BYTE_ORDER == LITTLE_ENDIAN */
776 		/* Apply the SHA-512 compression function to update a..h with copy */
777 		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
778 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
779 		T2 = Sigma0_512(a) + Maj(a, b, c);
780 		h = g;
781 		g = f;
782 		f = e;
783 		e = d + T1;
784 		d = c;
785 		c = b;
786 		b = a;
787 		a = T1 + T2;
788 
789 		j++;
790 	} while (j < 16);
791 
792 	do {
793 		/* Part of the message block expansion: */
794 		s0 = W512[(j+1)&0x0f];
795 		s0 = sigma0_512(s0);
796 		s1 = W512[(j+14)&0x0f];
797 		s1 =  sigma1_512(s1);
798 
799 		/* Apply the SHA-512 compression function to update a..h */
800 		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
801 		     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
802 		T2 = Sigma0_512(a) + Maj(a, b, c);
803 		h = g;
804 		g = f;
805 		f = e;
806 		e = d + T1;
807 		d = c;
808 		c = b;
809 		b = a;
810 		a = T1 + T2;
811 
812 		j++;
813 	} while (j < 80);
814 
815 	/* Compute the current intermediate hash value */
816 	context->state[0] += a;
817 	context->state[1] += b;
818 	context->state[2] += c;
819 	context->state[3] += d;
820 	context->state[4] += e;
821 	context->state[5] += f;
822 	context->state[6] += g;
823 	context->state[7] += h;
824 
825 	/* Clean up */
826 	a = b = c = d = e = f = g = h = T1 = T2 = 0;
827 }
828 
829 #endif /* SHA2_UNROLL_TRANSFORM */
830 
SHA512_Update(SHA512_CTX * context,const sha2_byte * data,size_t len)831 void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
832 	unsigned int	freespace, usedspace;
833 
834 	if (len == 0) {
835 		/* Calling with no data is valid - we do nothing */
836 		return;
837 	}
838 
839 	/* Sanity check: */
840 	assert(context != NULL && data != NULL);
841 
842 	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
843 	if (usedspace > 0) {
844 		/* Calculate how much free space is available in the buffer */
845 		freespace = SHA512_BLOCK_LENGTH - usedspace;
846 
847 		if (len >= freespace) {
848 			/* Fill the buffer completely and process it */
849 			bcopy(data, &context->buffer[usedspace], freespace);
850 			ADDINC128(context->bitcount, freespace << 3);
851 			len -= freespace;
852 			data += freespace;
853 			SHA512_Transform(context, (sha2_word64*)context->buffer);
854 		} else {
855 			/* The buffer is not yet full */
856 			bcopy(data, &context->buffer[usedspace], len);
857 			ADDINC128(context->bitcount, len << 3);
858 			/* Clean up: */
859 			usedspace = freespace = 0;
860 			return;
861 		}
862 	}
863 	while (len >= SHA512_BLOCK_LENGTH) {
864 		/* Process as many complete blocks as we can */
865 		SHA512_Transform(context, (const sha2_word64*)data);
866 		ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
867 		len -= SHA512_BLOCK_LENGTH;
868 		data += SHA512_BLOCK_LENGTH;
869 	}
870 	if (len > 0) {
871 		/* There's left-overs, so save 'em */
872 		bcopy(data, context->buffer, len);
873 		ADDINC128(context->bitcount, len << 3);
874 	}
875 	/* Clean up: */
876 	usedspace = freespace = 0;
877 }
878 
SHA512_Last(SHA512_CTX * context)879 void SHA512_Last(SHA512_CTX* context) {
880 	unsigned int	usedspace;
881 
882 	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
883 #if BYTE_ORDER == LITTLE_ENDIAN
884 	/* Convert FROM host byte order */
885 	REVERSE64(context->bitcount[0],context->bitcount[0]);
886 	REVERSE64(context->bitcount[1],context->bitcount[1]);
887 #endif
888 	if (usedspace > 0) {
889 		/* Begin padding with a 1 bit: */
890 		context->buffer[usedspace++] = 0x80;
891 
892 		if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
893 			/* Set-up for the last transform: */
894 			bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
895 		} else {
896 			if (usedspace < SHA512_BLOCK_LENGTH) {
897 				bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
898 			}
899 			/* Do second-to-last transform: */
900 			SHA512_Transform(context, (sha2_word64*)context->buffer);
901 
902 			/* And set-up for the last transform: */
903 			bzero(context->buffer, SHA512_BLOCK_LENGTH - 2);
904 		}
905 	} else {
906 		/* Prepare for final transform: */
907 		bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
908 
909 		/* Begin padding with a 1 bit: */
910 		*context->buffer = 0x80;
911 	}
912 	/* Store the length of input data (in bits): */
913 	*(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
914 	*(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
915 
916 	/* Final transform: */
917 	SHA512_Transform(context, (sha2_word64*)context->buffer);
918 }
919 
SHA512_Final(sha2_byte digest[],SHA512_CTX * context)920 void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
921 	sha2_word64	*d = (sha2_word64*)digest;
922 
923 	/* Sanity check: */
924 	assert(context != NULL);
925 
926 	/* If no digest buffer is passed, we don't bother doing this: */
927 	if (digest != NULL) {
928 		SHA512_Last(context);
929 
930 		/* Save the hash data for output: */
931 #if BYTE_ORDER == LITTLE_ENDIAN
932 		{
933 			/* Convert TO host byte order */
934 			int	j;
935 			for (j = 0; j < 8; j++) {
936 				REVERSE64(context->state[j],context->state[j]);
937 				*d++ = context->state[j];
938 			}
939 		}
940 #else
941 		bcopy(context->state, d, SHA512_DIGEST_LENGTH);
942 #endif
943 	}
944 
945 	/* Zero out state data */
946 	bzero(context, sizeof(*context));
947 }
948 
SHA512_End(SHA512_CTX * context,char buffer[])949 char *SHA512_End(SHA512_CTX* context, char buffer[]) {
950 	sha2_byte	digest[SHA512_DIGEST_LENGTH], *d = digest;
951 	int		i;
952 
953 	/* Sanity check: */
954 	assert(context != NULL);
955 
956 	if (buffer != NULL) {
957 		SHA512_Final(digest, context);
958 
959 		for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
960 			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
961 			*buffer++ = sha2_hex_digits[*d & 0x0f];
962 			d++;
963 		}
964 		*buffer = (char)0;
965 	} else {
966 		bzero(context, sizeof(*context));
967 	}
968 	bzero(digest, SHA512_DIGEST_LENGTH);
969 	return buffer;
970 }
971 
SHA512_Data(const sha2_byte * data,size_t len,char digest[SHA512_DIGEST_STRING_LENGTH])972 char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
973 	SHA512_CTX	context;
974 
975 	SHA512_Init(&context);
976 	SHA512_Update(&context, data, len);
977 	return SHA512_End(&context, digest);
978 }
979 
980 
981 /*** SHA-384: *********************************************************/
SHA384_Init(SHA384_CTX * context)982 void SHA384_Init(SHA384_CTX* context) {
983 	if (context == NULL) {
984 		return;
985 	}
986 	bcopy(sha384_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
987 	bzero(context->buffer, SHA384_BLOCK_LENGTH);
988 	context->bitcount[0] = context->bitcount[1] = 0;
989 }
990 
SHA384_Update(SHA384_CTX * context,const sha2_byte * data,size_t len)991 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
992 	SHA512_Update((SHA512_CTX*)context, data, len);
993 }
994 
SHA384_Final(sha2_byte digest[],SHA384_CTX * context)995 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
996 	sha2_word64	*d = (sha2_word64*)digest;
997 
998 	/* Sanity check: */
999 	assert(context != NULL);
1000 
1001 	/* If no digest buffer is passed, we don't bother doing this: */
1002 	if (digest != NULL) {
1003 		SHA512_Last((SHA512_CTX*)context);
1004 
1005 		/* Save the hash data for output: */
1006 #if BYTE_ORDER == LITTLE_ENDIAN
1007 		{
1008 			/* Convert TO host byte order */
1009 			int	j;
1010 			for (j = 0; j < 6; j++) {
1011 				REVERSE64(context->state[j],context->state[j]);
1012 				*d++ = context->state[j];
1013 			}
1014 		}
1015 #else
1016 		bcopy(context->state, d, SHA384_DIGEST_LENGTH);
1017 #endif
1018 	}
1019 
1020 	/* Zero out state data */
1021 	bzero(context, sizeof(*context));
1022 }
1023 
SHA384_End(SHA384_CTX * context,char buffer[])1024 char *SHA384_End(SHA384_CTX* context, char buffer[]) {
1025 	sha2_byte	digest[SHA384_DIGEST_LENGTH], *d = digest;
1026 	int		i;
1027 
1028 	/* Sanity check: */
1029 	assert(context != NULL);
1030 
1031 	if (buffer != NULL) {
1032 		SHA384_Final(digest, context);
1033 
1034 		for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
1035 			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
1036 			*buffer++ = sha2_hex_digits[*d & 0x0f];
1037 			d++;
1038 		}
1039 		*buffer = (char)0;
1040 	} else {
1041 		bzero(context, sizeof(*context));
1042 	}
1043 	bzero(digest, SHA384_DIGEST_LENGTH);
1044 	return buffer;
1045 }
1046 
SHA384_Data(const sha2_byte * data,size_t len,char digest[SHA384_DIGEST_STRING_LENGTH])1047 char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
1048 	SHA384_CTX	context;
1049 
1050 	SHA384_Init(&context);
1051 	SHA384_Update(&context, data, len);
1052 	return SHA384_End(&context, digest);
1053 }
1054 
1055