1 /*
2 ---------------------------------------------------------------------------
3 Copyright (c) 2002, Dr Brian Gladman, Worcester, UK. All rights reserved.
4
5 LICENSE TERMS
6
7 The free distribution and use of this software in both source and binary
8 form is allowed (with or without changes) provided that:
9
10 1. distributions of this source code include the above copyright
11 notice, this list of conditions and the following disclaimer;
12
13 2. distributions in binary form include the above copyright
14 notice, this list of conditions and the following disclaimer
15 in the documentation and/or other associated materials;
16
17 3. the copyright holder's name is not used to endorse products
18 built using this software without specific written permission.
19
20 ALTERNATIVELY, provided that this notice is retained in full, this product
21 may be distributed under the terms of the GNU General Public License (GPL),
22 in which case the provisions of the GPL apply INSTEAD OF those given above.
23
24 DISCLAIMER
25
26 This software is provided 'as is' with no explicit or implied warranties
27 in respect of its properties, including, but not limited to, correctness
28 and/or fitness for purpose.
29 ---------------------------------------------------------------------------
30 Issue Date: 01/08/2005
31
32 This is a byte oriented version of SHA2 that operates on arrays of bytes
33 stored in memory. This code implements sha256, sha384 and sha512 but the
34 latter two functions rely on efficient 64-bit integer operations that
35 may not be very efficient on 32-bit machines
36
37 The sha256 functions use a type 'sha256_ctx' to hold details of the
38 current hash state and uses the following three calls:
39
40 void sha256_begin(sha256_ctx ctx[1])
41 void sha256_hash(const unsigned char data[],
42 unsigned long len, sha256_ctx ctx[1])
43 void sha_end1(unsigned char hval[], sha256_ctx ctx[1])
44
45 The first subroutine initialises a hash computation by setting up the
46 context in the sha256_ctx context. The second subroutine hashes 8-bit
47 bytes from array data[] into the hash state withinh sha256_ctx context,
48 the number of bytes to be hashed being given by the the unsigned long
49 integer len. The third subroutine completes the hash calculation and
50 places the resulting digest value in the array of 8-bit bytes hval[].
51
52 The sha384 and sha512 functions are similar and use the interfaces:
53
54 void sha384_begin(sha384_ctx ctx[1]);
55 void sha384_hash(const unsigned char data[],
56 unsigned long len, sha384_ctx ctx[1]);
57 void sha384_end(unsigned char hval[], sha384_ctx ctx[1]);
58
59 void sha512_begin(sha512_ctx ctx[1]);
60 void sha512_hash(const unsigned char data[],
61 unsigned long len, sha512_ctx ctx[1]);
62 void sha512_end(unsigned char hval[], sha512_ctx ctx[1]);
63
64 In addition there is a function sha2 that can be used to call all these
65 functions using a call with a hash length parameter as follows:
66
67 int sha2_begin(unsigned long len, sha2_ctx ctx[1]);
68 void sha2_hash(const unsigned char data[],
69 unsigned long len, sha2_ctx ctx[1]);
70 void sha2_end(unsigned char hval[], sha2_ctx ctx[1]);
71
72 My thanks to Erik Andersen <andersen@codepoet.org> for testing this code
73 on big-endian systems and for his assistance with corrections
74 */
75
76 #if 0
77 #define UNROLL_SHA2 /* for SHA2 loop unroll */
78 #endif
79
80 #include <string.h> /* for memcpy() etc. */
81
82 #include "sha2.h"
83 #include "brg_endian.h"
84
85 #if defined(__cplusplus)
86 extern "C"
87 {
88 #endif
89
90 #if defined( _MSC_VER ) && ( _MSC_VER > 800 )
91 #pragma intrinsic(memcpy)
92 #endif
93
94 #if 0 && defined(_MSC_VER)
95 #define rotl32 _lrotl
96 #define rotr32 _lrotr
97 #else
98 #define rotl32(x,n) (((x) << n) | ((x) >> (32 - n)))
99 #define rotr32(x,n) (((x) >> n) | ((x) << (32 - n)))
100 #endif
101
102 #if !defined(bswap_32)
103 #define bswap_32(x) ((rotr32((x), 24) & 0x00ff00ff) | (rotr32((x), 8) & 0xff00ff00))
104 #endif
105
106 #if (PLATFORM_BYTE_ORDER == IS_LITTLE_ENDIAN)
107 #define SWAP_BYTES
108 #else
109 #undef SWAP_BYTES
110 #endif
111
112 #if 0
113
114 #define ch(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
115 #define maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
116
117 #else /* Thanks to Rich Schroeppel and Colin Plumb for the following */
118
119 #define ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
120 #define maj(x,y,z) (((x) & (y)) | ((z) & ((x) ^ (y))))
121
122 #endif
123
124 /* round transforms for SHA256 and SHA512 compression functions */
125
126 #define vf(n,i) v[(n - i) & 7]
127
128 #define hf(i) (p[i & 15] += \
129 g_1(p[(i + 14) & 15]) + p[(i + 9) & 15] + g_0(p[(i + 1) & 15]))
130
131 #define v_cycle(i,j) \
132 vf(7,i) += (j ? hf(i) : p[i]) + k_0[i+j] \
133 + s_1(vf(4,i)) + ch(vf(4,i),vf(5,i),vf(6,i)); \
134 vf(3,i) += vf(7,i); \
135 vf(7,i) += s_0(vf(0,i))+ maj(vf(0,i),vf(1,i),vf(2,i))
136
137 #if defined(SHA_224) || defined(SHA_256)
138
139 #define SHA256_MASK (SHA256_BLOCK_SIZE - 1)
140
141 #if defined(SWAP_BYTES)
142 #define bsw_32(p,n) \
143 { int _i = (n); while(_i--) ((uint32_t*)p)[_i] = bswap_32(((uint32_t*)p)[_i]); }
144 #else
145 #define bsw_32(p,n)
146 #endif
147
148 #define s_0(x) (rotr32((x), 2) ^ rotr32((x), 13) ^ rotr32((x), 22))
149 #define s_1(x) (rotr32((x), 6) ^ rotr32((x), 11) ^ rotr32((x), 25))
150 #define g_0(x) (rotr32((x), 7) ^ rotr32((x), 18) ^ ((x) >> 3))
151 #define g_1(x) (rotr32((x), 17) ^ rotr32((x), 19) ^ ((x) >> 10))
152 #define k_0 k256
153
154 /* rotated SHA256 round definition. Rather than swapping variables as in */
155 /* FIPS-180, different variables are 'rotated' on each round, returning */
156 /* to their starting positions every eight rounds */
157
158 #define q(n) v##n
159
160 #define one_cycle(a,b,c,d,e,f,g,h,k,w) \
161 q(h) += s_1(q(e)) + ch(q(e), q(f), q(g)) + k + w; \
162 q(d) += q(h); q(h) += s_0(q(a)) + maj(q(a), q(b), q(c))
163
164 /* SHA256 mixing data */
165
166 const uint32_t k256[64] =
167 { 0x428a2f98ul, 0x71374491ul, 0xb5c0fbcful, 0xe9b5dba5ul,
168 0x3956c25bul, 0x59f111f1ul, 0x923f82a4ul, 0xab1c5ed5ul,
169 0xd807aa98ul, 0x12835b01ul, 0x243185beul, 0x550c7dc3ul,
170 0x72be5d74ul, 0x80deb1feul, 0x9bdc06a7ul, 0xc19bf174ul,
171 0xe49b69c1ul, 0xefbe4786ul, 0x0fc19dc6ul, 0x240ca1ccul,
172 0x2de92c6ful, 0x4a7484aaul, 0x5cb0a9dcul, 0x76f988daul,
173 0x983e5152ul, 0xa831c66dul, 0xb00327c8ul, 0xbf597fc7ul,
174 0xc6e00bf3ul, 0xd5a79147ul, 0x06ca6351ul, 0x14292967ul,
175 0x27b70a85ul, 0x2e1b2138ul, 0x4d2c6dfcul, 0x53380d13ul,
176 0x650a7354ul, 0x766a0abbul, 0x81c2c92eul, 0x92722c85ul,
177 0xa2bfe8a1ul, 0xa81a664bul, 0xc24b8b70ul, 0xc76c51a3ul,
178 0xd192e819ul, 0xd6990624ul, 0xf40e3585ul, 0x106aa070ul,
179 0x19a4c116ul, 0x1e376c08ul, 0x2748774cul, 0x34b0bcb5ul,
180 0x391c0cb3ul, 0x4ed8aa4aul, 0x5b9cca4ful, 0x682e6ff3ul,
181 0x748f82eeul, 0x78a5636ful, 0x84c87814ul, 0x8cc70208ul,
182 0x90befffaul, 0xa4506cebul, 0xbef9a3f7ul, 0xc67178f2ul,
183 };
184
185 /* Compile 64 bytes of hash data into SHA256 digest value */
186 /* NOTE: this routine assumes that the byte order in the */
187 /* ctx->wbuf[] at this point is such that low address bytes */
188 /* in the ORIGINAL byte stream will go into the high end of */
189 /* words on BOTH big and little endian systems */
190
sha256_compile(sha256_ctx ctx[1])191 VOID_RETURN sha256_compile(sha256_ctx ctx[1])
192 {
193 #if !defined(UNROLL_SHA2)
194
195 uint32_t j, *p = ctx->wbuf, v[8];
196
197 memcpy(v, ctx->hash, 8 * sizeof(uint32_t));
198
199 for(j = 0; j < 64; j += 16)
200 {
201 v_cycle( 0, j); v_cycle( 1, j);
202 v_cycle( 2, j); v_cycle( 3, j);
203 v_cycle( 4, j); v_cycle( 5, j);
204 v_cycle( 6, j); v_cycle( 7, j);
205 v_cycle( 8, j); v_cycle( 9, j);
206 v_cycle(10, j); v_cycle(11, j);
207 v_cycle(12, j); v_cycle(13, j);
208 v_cycle(14, j); v_cycle(15, j);
209 }
210
211 ctx->hash[0] += v[0]; ctx->hash[1] += v[1];
212 ctx->hash[2] += v[2]; ctx->hash[3] += v[3];
213 ctx->hash[4] += v[4]; ctx->hash[5] += v[5];
214 ctx->hash[6] += v[6]; ctx->hash[7] += v[7];
215
216 #else
217
218 uint32_t *p = ctx->wbuf,v0,v1,v2,v3,v4,v5,v6,v7;
219
220 v0 = ctx->hash[0]; v1 = ctx->hash[1];
221 v2 = ctx->hash[2]; v3 = ctx->hash[3];
222 v4 = ctx->hash[4]; v5 = ctx->hash[5];
223 v6 = ctx->hash[6]; v7 = ctx->hash[7];
224
225 one_cycle(0,1,2,3,4,5,6,7,k256[ 0],p[ 0]);
226 one_cycle(7,0,1,2,3,4,5,6,k256[ 1],p[ 1]);
227 one_cycle(6,7,0,1,2,3,4,5,k256[ 2],p[ 2]);
228 one_cycle(5,6,7,0,1,2,3,4,k256[ 3],p[ 3]);
229 one_cycle(4,5,6,7,0,1,2,3,k256[ 4],p[ 4]);
230 one_cycle(3,4,5,6,7,0,1,2,k256[ 5],p[ 5]);
231 one_cycle(2,3,4,5,6,7,0,1,k256[ 6],p[ 6]);
232 one_cycle(1,2,3,4,5,6,7,0,k256[ 7],p[ 7]);
233 one_cycle(0,1,2,3,4,5,6,7,k256[ 8],p[ 8]);
234 one_cycle(7,0,1,2,3,4,5,6,k256[ 9],p[ 9]);
235 one_cycle(6,7,0,1,2,3,4,5,k256[10],p[10]);
236 one_cycle(5,6,7,0,1,2,3,4,k256[11],p[11]);
237 one_cycle(4,5,6,7,0,1,2,3,k256[12],p[12]);
238 one_cycle(3,4,5,6,7,0,1,2,k256[13],p[13]);
239 one_cycle(2,3,4,5,6,7,0,1,k256[14],p[14]);
240 one_cycle(1,2,3,4,5,6,7,0,k256[15],p[15]);
241
242 one_cycle(0,1,2,3,4,5,6,7,k256[16],hf( 0));
243 one_cycle(7,0,1,2,3,4,5,6,k256[17],hf( 1));
244 one_cycle(6,7,0,1,2,3,4,5,k256[18],hf( 2));
245 one_cycle(5,6,7,0,1,2,3,4,k256[19],hf( 3));
246 one_cycle(4,5,6,7,0,1,2,3,k256[20],hf( 4));
247 one_cycle(3,4,5,6,7,0,1,2,k256[21],hf( 5));
248 one_cycle(2,3,4,5,6,7,0,1,k256[22],hf( 6));
249 one_cycle(1,2,3,4,5,6,7,0,k256[23],hf( 7));
250 one_cycle(0,1,2,3,4,5,6,7,k256[24],hf( 8));
251 one_cycle(7,0,1,2,3,4,5,6,k256[25],hf( 9));
252 one_cycle(6,7,0,1,2,3,4,5,k256[26],hf(10));
253 one_cycle(5,6,7,0,1,2,3,4,k256[27],hf(11));
254 one_cycle(4,5,6,7,0,1,2,3,k256[28],hf(12));
255 one_cycle(3,4,5,6,7,0,1,2,k256[29],hf(13));
256 one_cycle(2,3,4,5,6,7,0,1,k256[30],hf(14));
257 one_cycle(1,2,3,4,5,6,7,0,k256[31],hf(15));
258
259 one_cycle(0,1,2,3,4,5,6,7,k256[32],hf( 0));
260 one_cycle(7,0,1,2,3,4,5,6,k256[33],hf( 1));
261 one_cycle(6,7,0,1,2,3,4,5,k256[34],hf( 2));
262 one_cycle(5,6,7,0,1,2,3,4,k256[35],hf( 3));
263 one_cycle(4,5,6,7,0,1,2,3,k256[36],hf( 4));
264 one_cycle(3,4,5,6,7,0,1,2,k256[37],hf( 5));
265 one_cycle(2,3,4,5,6,7,0,1,k256[38],hf( 6));
266 one_cycle(1,2,3,4,5,6,7,0,k256[39],hf( 7));
267 one_cycle(0,1,2,3,4,5,6,7,k256[40],hf( 8));
268 one_cycle(7,0,1,2,3,4,5,6,k256[41],hf( 9));
269 one_cycle(6,7,0,1,2,3,4,5,k256[42],hf(10));
270 one_cycle(5,6,7,0,1,2,3,4,k256[43],hf(11));
271 one_cycle(4,5,6,7,0,1,2,3,k256[44],hf(12));
272 one_cycle(3,4,5,6,7,0,1,2,k256[45],hf(13));
273 one_cycle(2,3,4,5,6,7,0,1,k256[46],hf(14));
274 one_cycle(1,2,3,4,5,6,7,0,k256[47],hf(15));
275
276 one_cycle(0,1,2,3,4,5,6,7,k256[48],hf( 0));
277 one_cycle(7,0,1,2,3,4,5,6,k256[49],hf( 1));
278 one_cycle(6,7,0,1,2,3,4,5,k256[50],hf( 2));
279 one_cycle(5,6,7,0,1,2,3,4,k256[51],hf( 3));
280 one_cycle(4,5,6,7,0,1,2,3,k256[52],hf( 4));
281 one_cycle(3,4,5,6,7,0,1,2,k256[53],hf( 5));
282 one_cycle(2,3,4,5,6,7,0,1,k256[54],hf( 6));
283 one_cycle(1,2,3,4,5,6,7,0,k256[55],hf( 7));
284 one_cycle(0,1,2,3,4,5,6,7,k256[56],hf( 8));
285 one_cycle(7,0,1,2,3,4,5,6,k256[57],hf( 9));
286 one_cycle(6,7,0,1,2,3,4,5,k256[58],hf(10));
287 one_cycle(5,6,7,0,1,2,3,4,k256[59],hf(11));
288 one_cycle(4,5,6,7,0,1,2,3,k256[60],hf(12));
289 one_cycle(3,4,5,6,7,0,1,2,k256[61],hf(13));
290 one_cycle(2,3,4,5,6,7,0,1,k256[62],hf(14));
291 one_cycle(1,2,3,4,5,6,7,0,k256[63],hf(15));
292
293 ctx->hash[0] += v0; ctx->hash[1] += v1;
294 ctx->hash[2] += v2; ctx->hash[3] += v3;
295 ctx->hash[4] += v4; ctx->hash[5] += v5;
296 ctx->hash[6] += v6; ctx->hash[7] += v7;
297 #endif
298 }
299
300 /* SHA256 hash data in an array of bytes into hash buffer */
301 /* and call the hash_compile function as required. */
302
sha256_hash(const unsigned char data[],unsigned long len,sha256_ctx ctx[1])303 VOID_RETURN sha256_hash(const unsigned char data[], unsigned long len, sha256_ctx ctx[1])
304 { uint32_t pos = (uint32_t)(ctx->count[0] & SHA256_MASK),
305 space = SHA256_BLOCK_SIZE - pos;
306 const unsigned char *sp = data;
307
308 if((ctx->count[0] += len) < len)
309 ++(ctx->count[1]);
310
311 while(len >= space) /* tranfer whole blocks while possible */
312 {
313 memcpy(((unsigned char*)ctx->wbuf) + pos, sp, space);
314 sp += space; len -= space; space = SHA256_BLOCK_SIZE; pos = 0;
315 bsw_32(ctx->wbuf, SHA256_BLOCK_SIZE >> 2)
316 sha256_compile(ctx);
317 }
318
319 memcpy(((unsigned char*)ctx->wbuf) + pos, sp, len);
320 }
321
322 /* SHA256 Final padding and digest calculation */
323
sha_end1(unsigned char hval[],sha256_ctx ctx[1],const unsigned int hlen)324 static void sha_end1(unsigned char hval[], sha256_ctx ctx[1], const unsigned int hlen)
325 { uint32_t i = (uint32_t)(ctx->count[0] & SHA256_MASK);
326
327 /* put bytes in the buffer in an order in which references to */
328 /* 32-bit words will put bytes with lower addresses into the */
329 /* top of 32 bit words on BOTH big and little endian machines */
330 bsw_32(ctx->wbuf, (i + 3) >> 2)
331
332 /* we now need to mask valid bytes and add the padding which is */
333 /* a single 1 bit and as many zero bits as necessary. Note that */
334 /* we can always add the first padding byte here because the */
335 /* buffer always has at least one empty slot */
336 ctx->wbuf[i >> 2] &= 0xffffff80 << 8 * (~i & 3);
337 ctx->wbuf[i >> 2] |= 0x00000080 << 8 * (~i & 3);
338
339 /* we need 9 or more empty positions, one for the padding byte */
340 /* (above) and eight for the length count. If there is not */
341 /* enough space pad and empty the buffer */
342 if(i > SHA256_BLOCK_SIZE - 9)
343 {
344 if(i < 60) ctx->wbuf[15] = 0;
345 sha256_compile(ctx);
346 i = 0;
347 }
348 else /* compute a word index for the empty buffer positions */
349 i = (i >> 2) + 1;
350
351 while(i < 14) /* and zero pad all but last two positions */
352 ctx->wbuf[i++] = 0;
353
354 /* the following 32-bit length fields are assembled in the */
355 /* wrong byte order on little endian machines but this is */
356 /* corrected later since they are only ever used as 32-bit */
357 /* word values. */
358 ctx->wbuf[14] = (ctx->count[1] << 3) | (ctx->count[0] >> 29);
359 ctx->wbuf[15] = ctx->count[0] << 3;
360 sha256_compile(ctx);
361
362 /* extract the hash value as bytes in case the hash buffer is */
363 /* mislaigned for 32-bit words */
364 for(i = 0; i < hlen; ++i)
365 hval[i] = (unsigned char)(ctx->hash[i >> 2] >> (8 * (~i & 3)));
366 }
367
368 #endif
369
370 #if defined(SHA_224)
371
372 const uint32_t i224[8] =
373 {
374 0xc1059ed8ul, 0x367cd507ul, 0x3070dd17ul, 0xf70e5939ul,
375 0xffc00b31ul, 0x68581511ul, 0x64f98fa7ul, 0xbefa4fa4ul
376 };
377
sha224_begin(sha224_ctx ctx[1])378 VOID_RETURN sha224_begin(sha224_ctx ctx[1])
379 {
380 ctx->count[0] = ctx->count[1] = 0;
381 memcpy(ctx->hash, i224, 8 * sizeof(uint32_t));
382 }
383
sha224_end(unsigned char hval[],sha224_ctx ctx[1])384 VOID_RETURN sha224_end(unsigned char hval[], sha224_ctx ctx[1])
385 {
386 sha_end1(hval, ctx, SHA224_DIGEST_SIZE);
387 }
388
sha224(unsigned char hval[],const unsigned char data[],unsigned long len)389 VOID_RETURN sha224(unsigned char hval[], const unsigned char data[], unsigned long len)
390 { sha224_ctx cx[1];
391
392 sha224_begin(cx);
393 sha224_hash(data, len, cx);
394 sha_end1(hval, cx, SHA224_DIGEST_SIZE);
395 }
396
397 #endif
398
399 #if defined(SHA_256)
400
401 const uint32_t i256[8] =
402 {
403 0x6a09e667ul, 0xbb67ae85ul, 0x3c6ef372ul, 0xa54ff53aul,
404 0x510e527ful, 0x9b05688cul, 0x1f83d9abul, 0x5be0cd19ul
405 };
406
sha256_begin(sha256_ctx ctx[1])407 VOID_RETURN sha256_begin(sha256_ctx ctx[1])
408 {
409 ctx->count[0] = ctx->count[1] = 0;
410 memcpy(ctx->hash, i256, 8 * sizeof(uint32_t));
411 }
412
sha256_end(unsigned char hval[],sha256_ctx ctx[1])413 VOID_RETURN sha256_end(unsigned char hval[], sha256_ctx ctx[1])
414 {
415 sha_end1(hval, ctx, SHA256_DIGEST_SIZE);
416 }
417
sha256(unsigned char hval[],const unsigned char data[],unsigned long len)418 VOID_RETURN sha256(unsigned char hval[], const unsigned char data[], unsigned long len)
419 { sha256_ctx cx[1];
420
421 sha256_begin(cx);
422 sha256_hash(data, len, cx);
423 sha_end1(hval, cx, SHA256_DIGEST_SIZE);
424 }
425
426 #endif
427
428 #if defined(SHA_384) || defined(SHA_512)
429
430 #define SHA512_MASK (SHA512_BLOCK_SIZE - 1)
431
432 #define rotr64(x,n) (((x) >> n) | ((x) << (64 - n)))
433
434 #if !defined(bswap_64)
435 #define bswap_64(x) (((uint64_t)(bswap_32((uint32_t)(x)))) << 32 | bswap_32((uint32_t)((x) >> 32)))
436 #endif
437
438 #if defined(SWAP_BYTES)
439 #define bsw_64(p,n) \
440 { int _i = (n); while(_i--) ((uint64_t*)p)[_i] = bswap_64(((uint64_t*)p)[_i]); }
441 #else
442 #define bsw_64(p,n)
443 #endif
444
445 /* SHA512 mixing function definitions */
446
447 #ifdef s_0
448 # undef s_0
449 # undef s_1
450 # undef g_0
451 # undef g_1
452 # undef k_0
453 #endif
454
455 #define s_0(x) (rotr64((x), 28) ^ rotr64((x), 34) ^ rotr64((x), 39))
456 #define s_1(x) (rotr64((x), 14) ^ rotr64((x), 18) ^ rotr64((x), 41))
457 #define g_0(x) (rotr64((x), 1) ^ rotr64((x), 8) ^ ((x) >> 7))
458 #define g_1(x) (rotr64((x), 19) ^ rotr64((x), 61) ^ ((x) >> 6))
459 #define k_0 k512
460
461 /* SHA384/SHA512 mixing data */
462
463 const uint64_t k512[80] =
464 {
465 li_64(428a2f98d728ae22), li_64(7137449123ef65cd),
466 li_64(b5c0fbcfec4d3b2f), li_64(e9b5dba58189dbbc),
467 li_64(3956c25bf348b538), li_64(59f111f1b605d019),
468 li_64(923f82a4af194f9b), li_64(ab1c5ed5da6d8118),
469 li_64(d807aa98a3030242), li_64(12835b0145706fbe),
470 li_64(243185be4ee4b28c), li_64(550c7dc3d5ffb4e2),
471 li_64(72be5d74f27b896f), li_64(80deb1fe3b1696b1),
472 li_64(9bdc06a725c71235), li_64(c19bf174cf692694),
473 li_64(e49b69c19ef14ad2), li_64(efbe4786384f25e3),
474 li_64(0fc19dc68b8cd5b5), li_64(240ca1cc77ac9c65),
475 li_64(2de92c6f592b0275), li_64(4a7484aa6ea6e483),
476 li_64(5cb0a9dcbd41fbd4), li_64(76f988da831153b5),
477 li_64(983e5152ee66dfab), li_64(a831c66d2db43210),
478 li_64(b00327c898fb213f), li_64(bf597fc7beef0ee4),
479 li_64(c6e00bf33da88fc2), li_64(d5a79147930aa725),
480 li_64(06ca6351e003826f), li_64(142929670a0e6e70),
481 li_64(27b70a8546d22ffc), li_64(2e1b21385c26c926),
482 li_64(4d2c6dfc5ac42aed), li_64(53380d139d95b3df),
483 li_64(650a73548baf63de), li_64(766a0abb3c77b2a8),
484 li_64(81c2c92e47edaee6), li_64(92722c851482353b),
485 li_64(a2bfe8a14cf10364), li_64(a81a664bbc423001),
486 li_64(c24b8b70d0f89791), li_64(c76c51a30654be30),
487 li_64(d192e819d6ef5218), li_64(d69906245565a910),
488 li_64(f40e35855771202a), li_64(106aa07032bbd1b8),
489 li_64(19a4c116b8d2d0c8), li_64(1e376c085141ab53),
490 li_64(2748774cdf8eeb99), li_64(34b0bcb5e19b48a8),
491 li_64(391c0cb3c5c95a63), li_64(4ed8aa4ae3418acb),
492 li_64(5b9cca4f7763e373), li_64(682e6ff3d6b2b8a3),
493 li_64(748f82ee5defb2fc), li_64(78a5636f43172f60),
494 li_64(84c87814a1f0ab72), li_64(8cc702081a6439ec),
495 li_64(90befffa23631e28), li_64(a4506cebde82bde9),
496 li_64(bef9a3f7b2c67915), li_64(c67178f2e372532b),
497 li_64(ca273eceea26619c), li_64(d186b8c721c0c207),
498 li_64(eada7dd6cde0eb1e), li_64(f57d4f7fee6ed178),
499 li_64(06f067aa72176fba), li_64(0a637dc5a2c898a6),
500 li_64(113f9804bef90dae), li_64(1b710b35131c471b),
501 li_64(28db77f523047d84), li_64(32caab7b40c72493),
502 li_64(3c9ebe0a15c9bebc), li_64(431d67c49c100d4c),
503 li_64(4cc5d4becb3e42b6), li_64(597f299cfc657e2a),
504 li_64(5fcb6fab3ad6faec), li_64(6c44198c4a475817)
505 };
506
507 /* Compile 128 bytes of hash data into SHA384/512 digest */
508 /* NOTE: this routine assumes that the byte order in the */
509 /* ctx->wbuf[] at this point is such that low address bytes */
510 /* in the ORIGINAL byte stream will go into the high end of */
511 /* words on BOTH big and little endian systems */
512
sha512_compile(sha512_ctx ctx[1])513 VOID_RETURN sha512_compile(sha512_ctx ctx[1])
514 { uint64_t v[8], *p = ctx->wbuf;
515 uint32_t j;
516
517 memcpy(v, ctx->hash, 8 * sizeof(uint64_t));
518
519 for(j = 0; j < 80; j += 16)
520 {
521 v_cycle( 0, j); v_cycle( 1, j);
522 v_cycle( 2, j); v_cycle( 3, j);
523 v_cycle( 4, j); v_cycle( 5, j);
524 v_cycle( 6, j); v_cycle( 7, j);
525 v_cycle( 8, j); v_cycle( 9, j);
526 v_cycle(10, j); v_cycle(11, j);
527 v_cycle(12, j); v_cycle(13, j);
528 v_cycle(14, j); v_cycle(15, j);
529 }
530
531 ctx->hash[0] += v[0]; ctx->hash[1] += v[1];
532 ctx->hash[2] += v[2]; ctx->hash[3] += v[3];
533 ctx->hash[4] += v[4]; ctx->hash[5] += v[5];
534 ctx->hash[6] += v[6]; ctx->hash[7] += v[7];
535 }
536
537 /* Compile 128 bytes of hash data into SHA256 digest value */
538 /* NOTE: this routine assumes that the byte order in the */
539 /* ctx->wbuf[] at this point is in such an order that low */
540 /* address bytes in the ORIGINAL byte stream placed in this */
541 /* buffer will now go to the high end of words on BOTH big */
542 /* and little endian systems */
543
sha512_hash(const unsigned char data[],unsigned long len,sha512_ctx ctx[1])544 VOID_RETURN sha512_hash(const unsigned char data[], unsigned long len, sha512_ctx ctx[1])
545 { uint32_t pos = (uint32_t)(ctx->count[0] & SHA512_MASK),
546 space = SHA512_BLOCK_SIZE - pos;
547 const unsigned char *sp = data;
548
549 if((ctx->count[0] += len) < len)
550 ++(ctx->count[1]);
551
552 while(len >= space) /* tranfer whole blocks while possible */
553 {
554 memcpy(((unsigned char*)ctx->wbuf) + pos, sp, space);
555 sp += space; len -= space; space = SHA512_BLOCK_SIZE; pos = 0;
556 bsw_64(ctx->wbuf, SHA512_BLOCK_SIZE >> 3);
557 sha512_compile(ctx);
558 }
559
560 memcpy(((unsigned char*)ctx->wbuf) + pos, sp, len);
561 }
562
563 /* SHA384/512 Final padding and digest calculation */
564
sha_end2(unsigned char hval[],sha512_ctx ctx[1],const unsigned int hlen)565 static void sha_end2(unsigned char hval[], sha512_ctx ctx[1], const unsigned int hlen)
566 { uint32_t i = (uint32_t)(ctx->count[0] & SHA512_MASK);
567
568 /* put bytes in the buffer in an order in which references to */
569 /* 32-bit words will put bytes with lower addresses into the */
570 /* top of 32 bit words on BOTH big and little endian machines */
571 bsw_64(ctx->wbuf, (i + 7) >> 3);
572
573 /* we now need to mask valid bytes and add the padding which is */
574 /* a single 1 bit and as many zero bits as necessary. Note that */
575 /* we can always add the first padding byte here because the */
576 /* buffer always has at least one empty slot */
577 ctx->wbuf[i >> 3] &= li_64(ffffffffffffff00) << 8 * (~i & 7);
578 ctx->wbuf[i >> 3] |= li_64(0000000000000080) << 8 * (~i & 7);
579
580 /* we need 17 or more empty byte positions, one for the padding */
581 /* byte (above) and sixteen for the length count. If there is */
582 /* not enough space pad and empty the buffer */
583 if(i > SHA512_BLOCK_SIZE - 17)
584 {
585 if(i < 120) ctx->wbuf[15] = 0;
586 sha512_compile(ctx);
587 i = 0;
588 }
589 else
590 i = (i >> 3) + 1;
591
592 while(i < 14)
593 ctx->wbuf[i++] = 0;
594
595 /* the following 64-bit length fields are assembled in the */
596 /* wrong byte order on little endian machines but this is */
597 /* corrected later since they are only ever used as 64-bit */
598 /* word values. */
599 ctx->wbuf[14] = (ctx->count[1] << 3) | (ctx->count[0] >> 61);
600 ctx->wbuf[15] = ctx->count[0] << 3;
601 sha512_compile(ctx);
602
603 /* extract the hash value as bytes in case the hash buffer is */
604 /* misaligned for 32-bit words */
605 for(i = 0; i < hlen; ++i)
606 hval[i] = (unsigned char)(ctx->hash[i >> 3] >> (8 * (~i & 7)));
607 }
608
609 #endif
610
611 #if defined(SHA_384)
612
613 /* SHA384 initialisation data */
614
615 const uint64_t i384[80] =
616 {
617 li_64(cbbb9d5dc1059ed8), li_64(629a292a367cd507),
618 li_64(9159015a3070dd17), li_64(152fecd8f70e5939),
619 li_64(67332667ffc00b31), li_64(8eb44a8768581511),
620 li_64(db0c2e0d64f98fa7), li_64(47b5481dbefa4fa4)
621 };
622
sha384_begin(sha384_ctx ctx[1])623 VOID_RETURN sha384_begin(sha384_ctx ctx[1])
624 {
625 ctx->count[0] = ctx->count[1] = 0;
626 memcpy(ctx->hash, i384, 8 * sizeof(uint64_t));
627 }
628
sha384_end(unsigned char hval[],sha384_ctx ctx[1])629 VOID_RETURN sha384_end(unsigned char hval[], sha384_ctx ctx[1])
630 {
631 sha_end2(hval, ctx, SHA384_DIGEST_SIZE);
632 }
633
sha384(unsigned char hval[],const unsigned char data[],unsigned long len)634 VOID_RETURN sha384(unsigned char hval[], const unsigned char data[], unsigned long len)
635 { sha384_ctx cx[1];
636
637 sha384_begin(cx);
638 sha384_hash(data, len, cx);
639 sha_end2(hval, cx, SHA384_DIGEST_SIZE);
640 }
641
642 #endif
643
644 #if defined(SHA_512)
645
646 /* SHA512 initialisation data */
647
648 const uint64_t i512[80] =
649 {
650 li_64(6a09e667f3bcc908), li_64(bb67ae8584caa73b),
651 li_64(3c6ef372fe94f82b), li_64(a54ff53a5f1d36f1),
652 li_64(510e527fade682d1), li_64(9b05688c2b3e6c1f),
653 li_64(1f83d9abfb41bd6b), li_64(5be0cd19137e2179)
654 };
655
sha512_begin(sha512_ctx ctx[1])656 VOID_RETURN sha512_begin(sha512_ctx ctx[1])
657 {
658 ctx->count[0] = ctx->count[1] = 0;
659 memcpy(ctx->hash, i512, 8 * sizeof(uint64_t));
660 }
661
sha512_end(unsigned char hval[],sha512_ctx ctx[1])662 VOID_RETURN sha512_end(unsigned char hval[], sha512_ctx ctx[1])
663 {
664 sha_end2(hval, ctx, SHA512_DIGEST_SIZE);
665 }
666
sha512(unsigned char hval[],const unsigned char data[],unsigned long len)667 VOID_RETURN sha512(unsigned char hval[], const unsigned char data[], unsigned long len)
668 { sha512_ctx cx[1];
669
670 sha512_begin(cx);
671 sha512_hash(data, len, cx);
672 sha_end2(hval, cx, SHA512_DIGEST_SIZE);
673 }
674
675 #endif
676
677 #if defined(SHA_2)
678
679 #define CTX_224(x) ((x)->uu->ctx256)
680 #define CTX_256(x) ((x)->uu->ctx256)
681 #define CTX_384(x) ((x)->uu->ctx512)
682 #define CTX_512(x) ((x)->uu->ctx512)
683
684 /* SHA2 initialisation */
685
sha2_begin(unsigned long len,sha2_ctx ctx[1])686 INT_RETURN sha2_begin(unsigned long len, sha2_ctx ctx[1])
687 {
688 switch(len)
689 {
690 #if defined(SHA_224)
691 case 224:
692 case 28: CTX_256(ctx)->count[0] = CTX_256(ctx)->count[1] = 0;
693 memcpy(CTX_256(ctx)->hash, i224, 32);
694 ctx->sha2_len = 28; return EXIT_SUCCESS;
695 #endif
696 #if defined(SHA_256)
697 case 256:
698 case 32: CTX_256(ctx)->count[0] = CTX_256(ctx)->count[1] = 0;
699 memcpy(CTX_256(ctx)->hash, i256, 32);
700 ctx->sha2_len = 32; return EXIT_SUCCESS;
701 #endif
702 #if defined(SHA_384)
703 case 384:
704 case 48: CTX_384(ctx)->count[0] = CTX_384(ctx)->count[1] = 0;
705 memcpy(CTX_384(ctx)->hash, i384, 64);
706 ctx->sha2_len = 48; return EXIT_SUCCESS;
707 #endif
708 #if defined(SHA_512)
709 case 512:
710 case 64: CTX_512(ctx)->count[0] = CTX_512(ctx)->count[1] = 0;
711 memcpy(CTX_512(ctx)->hash, i512, 64);
712 ctx->sha2_len = 64; return EXIT_SUCCESS;
713 #endif
714 default: return EXIT_FAILURE;
715 }
716 }
717
sha2_hash(const unsigned char data[],unsigned long len,sha2_ctx ctx[1])718 VOID_RETURN sha2_hash(const unsigned char data[], unsigned long len, sha2_ctx ctx[1])
719 {
720 switch(ctx->sha2_len)
721 {
722 #if defined(SHA_224)
723 case 28: sha224_hash(data, len, CTX_224(ctx)); return;
724 #endif
725 #if defined(SHA_256)
726 case 32: sha256_hash(data, len, CTX_256(ctx)); return;
727 #endif
728 #if defined(SHA_384)
729 case 48: sha384_hash(data, len, CTX_384(ctx)); return;
730 #endif
731 #if defined(SHA_512)
732 case 64: sha512_hash(data, len, CTX_512(ctx)); return;
733 #endif
734 }
735 }
736
sha2_end(unsigned char hval[],sha2_ctx ctx[1])737 VOID_RETURN sha2_end(unsigned char hval[], sha2_ctx ctx[1])
738 {
739 switch(ctx->sha2_len)
740 {
741 #if defined(SHA_224)
742 case 28: sha_end1(hval, CTX_224(ctx), SHA224_DIGEST_SIZE); return;
743 #endif
744 #if defined(SHA_256)
745 case 32: sha_end1(hval, CTX_256(ctx), SHA256_DIGEST_SIZE); return;
746 #endif
747 #if defined(SHA_384)
748 case 48: sha_end2(hval, CTX_384(ctx), SHA384_DIGEST_SIZE); return;
749 #endif
750 #if defined(SHA_512)
751 case 64: sha_end2(hval, CTX_512(ctx), SHA512_DIGEST_SIZE); return;
752 #endif
753 }
754 }
755
sha2(unsigned char hval[],unsigned long size,const unsigned char data[],unsigned long len)756 INT_RETURN sha2(unsigned char hval[], unsigned long size,
757 const unsigned char data[], unsigned long len)
758 { sha2_ctx cx[1];
759
760 if(sha2_begin(size, cx) == EXIT_SUCCESS)
761 {
762 sha2_hash(data, len, cx); sha2_end(hval, cx); return EXIT_SUCCESS;
763 }
764 else
765 return EXIT_FAILURE;
766 }
767
768 #endif
769
770 #if defined(__cplusplus)
771 }
772 #endif
773