1 /* $NetBSD: sha2.c,v 1.24 2013/06/09 19:46:56 christos Exp $ */ 2 /* $KAME: sha2.c,v 1.9 2003/07/20 00:28:38 itojun Exp $ */ 3 4 /* 5 * sha2.c 6 * 7 * Version 1.0.0beta1 8 * 9 * Written by Aaron D. Gifford <me@aarongifford.com> 10 * 11 * Copyright 2000 Aaron D. Gifford. All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of the copyright holder nor the names of contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 */ 38 39 #if HAVE_NBTOOL_CONFIG_H 40 #include "nbtool_config.h" 41 #endif 42 43 #include <sys/cdefs.h> 44 45 #if defined(_KERNEL) || defined(_STANDALONE) 46 __KERNEL_RCSID(0, "$NetBSD: sha2.c,v 1.24 2013/06/09 19:46:56 christos Exp $"); 47 48 #include <sys/param.h> /* XXX: to pull <machine/macros.h> for vax memset(9) */ 49 #include <lib/libkern/libkern.h> 50 51 #else 52 53 #if defined(LIBC_SCCS) && !defined(lint) 54 __RCSID("$NetBSD: sha2.c,v 1.24 2013/06/09 19:46:56 christos Exp $"); 55 #endif /* LIBC_SCCS and not lint */ 56 57 #include "namespace.h" 58 #include <string.h> 59 60 #if defined(__minix) && defined(_LIBMINC) 61 #include <stdint.h> /* for uintptr_t */ 62 #endif /* defined(__minix) && defined(_LIBMINC) */ 63 64 #endif 65 66 #include <sys/types.h> 67 #include <sys/sha2.h> 68 69 #if HAVE_SYS_ENDIAN_H 70 # include <sys/endian.h> 71 #endif 72 73 /*** SHA-256/384/512 Various Length Definitions ***********************/ 74 /* NOTE: Most of these are in sha2.h */ 75 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 76 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 77 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 78 79 /* 80 * Macro for incrementally adding the unsigned 64-bit integer n to the 81 * unsigned 128-bit integer (represented using a two-element array of 82 * 64-bit words): 83 */ 84 #define ADDINC128(w,n) { \ 85 (w)[0] += (uint64_t)(n); \ 86 if ((w)[0] < (n)) { \ 87 (w)[1]++; \ 88 } \ 89 } 90 91 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 92 /* 93 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 94 * 95 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 96 * S is a ROTATION) because the SHA-256/384/512 description document 97 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 98 * same "backwards" definition. 99 */ 100 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 101 #define R(b,x) ((x) >> (b)) 102 /* 32-bit Rotate-right (used in SHA-256): */ 103 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 104 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 105 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 106 107 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 108 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 109 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 110 111 /* Four of six logical functions used in SHA-256: */ 112 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 113 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 114 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 115 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 116 117 /* Four of six logical functions used in SHA-384 and SHA-512: */ 118 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 119 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 120 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 121 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 122 123 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 124 /* NOTE: These should not be accessed directly from outside this 125 * library -- they are intended for private internal visibility/use 126 * only. 127 */ 128 static void SHA512_Last(SHA512_CTX *); 129 void SHA224_Transform(SHA224_CTX *, const uint32_t*); 130 void SHA256_Transform(SHA256_CTX *, const uint32_t*); 131 void SHA384_Transform(SHA384_CTX *, const uint64_t*); 132 void SHA512_Transform(SHA512_CTX *, const uint64_t*); 133 134 135 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 136 /* Hash constant words K for SHA-256: */ 137 static const uint32_t K256[64] = { 138 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 139 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 140 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 141 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 142 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 143 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 144 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 145 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 146 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 147 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 148 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 149 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 150 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 151 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 152 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 153 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 154 }; 155 156 /* Initial hash value H for SHA-224: */ 157 static const uint32_t sha224_initial_hash_value[8] = { 158 0xc1059ed8UL, 159 0x367cd507UL, 160 0x3070dd17UL, 161 0xf70e5939UL, 162 0xffc00b31UL, 163 0x68581511UL, 164 0x64f98fa7UL, 165 0xbefa4fa4UL 166 }; 167 168 /* Initial hash value H for SHA-256: */ 169 static const uint32_t sha256_initial_hash_value[8] = { 170 0x6a09e667UL, 171 0xbb67ae85UL, 172 0x3c6ef372UL, 173 0xa54ff53aUL, 174 0x510e527fUL, 175 0x9b05688cUL, 176 0x1f83d9abUL, 177 0x5be0cd19UL 178 }; 179 180 /* Hash constant words K for SHA-384 and SHA-512: */ 181 static const uint64_t K512[80] = { 182 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 183 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 184 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 185 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 186 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 187 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 188 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 189 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 190 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 191 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 192 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 193 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 194 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 195 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 196 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 197 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 198 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 199 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 200 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 201 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 202 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 203 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 204 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 205 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 206 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 207 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 208 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 209 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 210 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 211 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 212 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 213 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 214 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 215 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 216 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 217 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 218 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 219 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 220 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 221 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 222 }; 223 224 /* Initial hash value H for SHA-384 */ 225 static const uint64_t sha384_initial_hash_value[8] = { 226 0xcbbb9d5dc1059ed8ULL, 227 0x629a292a367cd507ULL, 228 0x9159015a3070dd17ULL, 229 0x152fecd8f70e5939ULL, 230 0x67332667ffc00b31ULL, 231 0x8eb44a8768581511ULL, 232 0xdb0c2e0d64f98fa7ULL, 233 0x47b5481dbefa4fa4ULL 234 }; 235 236 /* Initial hash value H for SHA-512 */ 237 static const uint64_t sha512_initial_hash_value[8] = { 238 0x6a09e667f3bcc908ULL, 239 0xbb67ae8584caa73bULL, 240 0x3c6ef372fe94f82bULL, 241 0xa54ff53a5f1d36f1ULL, 242 0x510e527fade682d1ULL, 243 0x9b05688c2b3e6c1fULL, 244 0x1f83d9abfb41bd6bULL, 245 0x5be0cd19137e2179ULL 246 }; 247 248 #if !defined(_KERNEL) && !defined(_STANDALONE) 249 #if defined(__weak_alias) 250 __weak_alias(SHA224_Init,_SHA224_Init) 251 __weak_alias(SHA224_Update,_SHA224_Update) 252 __weak_alias(SHA224_Final,_SHA224_Final) 253 __weak_alias(SHA224_Transform,_SHA224_Transform) 254 255 __weak_alias(SHA256_Init,_SHA256_Init) 256 __weak_alias(SHA256_Update,_SHA256_Update) 257 __weak_alias(SHA256_Final,_SHA256_Final) 258 __weak_alias(SHA256_Transform,_SHA256_Transform) 259 260 __weak_alias(SHA384_Init,_SHA384_Init) 261 __weak_alias(SHA384_Update,_SHA384_Update) 262 __weak_alias(SHA384_Final,_SHA384_Final) 263 __weak_alias(SHA384_Transform,_SHA384_Transform) 264 265 __weak_alias(SHA512_Init,_SHA512_Init) 266 __weak_alias(SHA512_Update,_SHA512_Update) 267 __weak_alias(SHA512_Final,_SHA512_Final) 268 __weak_alias(SHA512_Transform,_SHA512_Transform) 269 #endif 270 #endif 271 272 /*** SHA-256: *********************************************************/ 273 int 274 SHA256_Init(SHA256_CTX *context) 275 { 276 if (context == NULL) 277 return 1; 278 279 memcpy(context->state, sha256_initial_hash_value, 280 (size_t)(SHA256_DIGEST_LENGTH)); 281 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 282 context->bitcount = 0; 283 284 return 1; 285 } 286 287 #ifdef SHA2_UNROLL_TRANSFORM 288 289 /* Unrolled SHA-256 round macros: */ 290 291 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 292 W256[j] = be32dec(data); \ 293 ++data; \ 294 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 295 K256[j] + W256[j]; \ 296 (d) += T1; \ 297 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 298 j++ 299 300 #define ROUND256(a,b,c,d,e,f,g,h) \ 301 s0 = W256[(j+1)&0x0f]; \ 302 s0 = sigma0_256(s0); \ 303 s1 = W256[(j+14)&0x0f]; \ 304 s1 = sigma1_256(s1); \ 305 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 306 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 307 (d) += T1; \ 308 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 309 j++ 310 311 void 312 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 313 { 314 uint32_t a, b, c, d, e, f, g, h, s0, s1; 315 uint32_t T1, *W256; 316 int j; 317 318 W256 = (uint32_t *)context->buffer; 319 320 /* Initialize registers with the prev. intermediate value */ 321 a = context->state[0]; 322 b = context->state[1]; 323 c = context->state[2]; 324 d = context->state[3]; 325 e = context->state[4]; 326 f = context->state[5]; 327 g = context->state[6]; 328 h = context->state[7]; 329 330 j = 0; 331 do { 332 /* Rounds 0 to 15 (unrolled): */ 333 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 334 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 335 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 336 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 337 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 338 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 339 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 340 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 341 } while (j < 16); 342 343 /* Now for the remaining rounds to 64: */ 344 do { 345 ROUND256(a,b,c,d,e,f,g,h); 346 ROUND256(h,a,b,c,d,e,f,g); 347 ROUND256(g,h,a,b,c,d,e,f); 348 ROUND256(f,g,h,a,b,c,d,e); 349 ROUND256(e,f,g,h,a,b,c,d); 350 ROUND256(d,e,f,g,h,a,b,c); 351 ROUND256(c,d,e,f,g,h,a,b); 352 ROUND256(b,c,d,e,f,g,h,a); 353 } while (j < 64); 354 355 /* Compute the current intermediate hash value */ 356 context->state[0] += a; 357 context->state[1] += b; 358 context->state[2] += c; 359 context->state[3] += d; 360 context->state[4] += e; 361 context->state[5] += f; 362 context->state[6] += g; 363 context->state[7] += h; 364 365 /* Clean up */ 366 a = b = c = d = e = f = g = h = T1 = 0; 367 } 368 369 #else /* SHA2_UNROLL_TRANSFORM */ 370 371 void 372 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 373 { 374 uint32_t a, b, c, d, e, f, g, h, s0, s1; 375 uint32_t T1, T2, *W256; 376 int j; 377 378 W256 = (uint32_t *)(void *)context->buffer; 379 380 /* Initialize registers with the prev. intermediate value */ 381 a = context->state[0]; 382 b = context->state[1]; 383 c = context->state[2]; 384 d = context->state[3]; 385 e = context->state[4]; 386 f = context->state[5]; 387 g = context->state[6]; 388 h = context->state[7]; 389 390 j = 0; 391 do { 392 W256[j] = be32dec(data); 393 ++data; 394 /* Apply the SHA-256 compression function to update a..h */ 395 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 396 T2 = Sigma0_256(a) + Maj(a, b, c); 397 h = g; 398 g = f; 399 f = e; 400 e = d + T1; 401 d = c; 402 c = b; 403 b = a; 404 a = T1 + T2; 405 406 j++; 407 } while (j < 16); 408 409 do { 410 /* Part of the message block expansion: */ 411 s0 = W256[(j+1)&0x0f]; 412 s0 = sigma0_256(s0); 413 s1 = W256[(j+14)&0x0f]; 414 s1 = sigma1_256(s1); 415 416 /* Apply the SHA-256 compression function to update a..h */ 417 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 418 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 419 T2 = Sigma0_256(a) + Maj(a, b, c); 420 h = g; 421 g = f; 422 f = e; 423 e = d + T1; 424 d = c; 425 c = b; 426 b = a; 427 a = T1 + T2; 428 429 j++; 430 } while (j < 64); 431 432 /* Compute the current intermediate hash value */ 433 context->state[0] += a; 434 context->state[1] += b; 435 context->state[2] += c; 436 context->state[3] += d; 437 context->state[4] += e; 438 context->state[5] += f; 439 context->state[6] += g; 440 context->state[7] += h; 441 442 /* Clean up */ 443 a = b = c = d = e = f = g = h = T1 = T2 = 0; 444 } 445 446 #endif /* SHA2_UNROLL_TRANSFORM */ 447 448 int 449 SHA256_Update(SHA256_CTX *context, const uint8_t *data, size_t len) 450 { 451 unsigned int freespace, usedspace; 452 453 if (len == 0) { 454 /* Calling with no data is valid - we do nothing */ 455 return 1; 456 } 457 458 usedspace = (unsigned int)((context->bitcount >> 3) % 459 SHA256_BLOCK_LENGTH); 460 if (usedspace > 0) { 461 /* Calculate how much free space is available in the buffer */ 462 freespace = SHA256_BLOCK_LENGTH - usedspace; 463 464 if (len >= freespace) { 465 /* Fill the buffer completely and process it */ 466 memcpy(&context->buffer[usedspace], data, 467 (size_t)(freespace)); 468 context->bitcount += freespace << 3; 469 len -= freespace; 470 data += freespace; 471 SHA256_Transform(context, 472 (uint32_t *)(void *)context->buffer); 473 } else { 474 /* The buffer is not yet full */ 475 memcpy(&context->buffer[usedspace], data, len); 476 context->bitcount += len << 3; 477 /* Clean up: */ 478 usedspace = freespace = 0; 479 return 1; 480 } 481 } 482 /* 483 * Process as many complete blocks as possible. 484 * 485 * Check alignment of the data pointer. If it is 32bit aligned, 486 * SHA256_Transform can be called directly on the data stream, 487 * otherwise enforce the alignment by copy into the buffer. 488 */ 489 if ((uintptr_t)data % 4 == 0) { 490 while (len >= SHA256_BLOCK_LENGTH) { 491 SHA256_Transform(context, 492 (const uint32_t *)(const void *)data); 493 context->bitcount += SHA256_BLOCK_LENGTH << 3; 494 len -= SHA256_BLOCK_LENGTH; 495 data += SHA256_BLOCK_LENGTH; 496 } 497 } else { 498 while (len >= SHA256_BLOCK_LENGTH) { 499 memcpy(context->buffer, data, SHA256_BLOCK_LENGTH); 500 SHA256_Transform(context, 501 (const uint32_t *)(const void *)context->buffer); 502 context->bitcount += SHA256_BLOCK_LENGTH << 3; 503 len -= SHA256_BLOCK_LENGTH; 504 data += SHA256_BLOCK_LENGTH; 505 } 506 } 507 if (len > 0) { 508 /* There's left-overs, so save 'em */ 509 memcpy(context->buffer, data, len); 510 context->bitcount += len << 3; 511 } 512 /* Clean up: */ 513 usedspace = freespace = 0; 514 515 return 1; 516 } 517 518 static int 519 SHA224_256_Final(uint8_t digest[], SHA256_CTX *context, size_t len) 520 { 521 unsigned int usedspace; 522 size_t i; 523 524 /* If no digest buffer is passed, we don't bother doing this: */ 525 if (digest != NULL) { 526 usedspace = (unsigned int)((context->bitcount >> 3) % 527 SHA256_BLOCK_LENGTH); 528 context->bitcount = htobe64(context->bitcount); 529 if (usedspace > 0) { 530 /* Begin padding with a 1 bit: */ 531 context->buffer[usedspace++] = 0x80; 532 533 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 534 /* Set-up for the last transform: */ 535 memset(&context->buffer[usedspace], 0, 536 (size_t)(SHA256_SHORT_BLOCK_LENGTH - 537 usedspace)); 538 } else { 539 if (usedspace < SHA256_BLOCK_LENGTH) { 540 memset(&context->buffer[usedspace], 0, 541 (size_t)(SHA256_BLOCK_LENGTH - 542 usedspace)); 543 } 544 /* Do second-to-last transform: */ 545 SHA256_Transform(context, 546 (uint32_t *)(void *)context->buffer); 547 548 /* And set-up for the last transform: */ 549 memset(context->buffer, 0, 550 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 551 } 552 } else { 553 /* Set-up for the last transform: */ 554 memset(context->buffer, 0, 555 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 556 557 /* Begin padding with a 1 bit: */ 558 *context->buffer = 0x80; 559 } 560 /* Set the bit count: */ 561 memcpy(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], 562 &context->bitcount, sizeof(context->bitcount)); 563 564 /* Final transform: */ 565 SHA256_Transform(context, (uint32_t *)(void *)context->buffer); 566 567 for (i = 0; i < len / 4; i++) 568 be32enc(digest + 4 * i, context->state[i]); 569 } 570 571 /* Clean up state data: */ 572 memset(context, 0, sizeof(*context)); 573 usedspace = 0; 574 575 return 1; 576 } 577 578 int 579 SHA256_Final(uint8_t digest[], SHA256_CTX *context) 580 { 581 return SHA224_256_Final(digest, context, SHA256_DIGEST_LENGTH); 582 } 583 584 /*** SHA-224: *********************************************************/ 585 int 586 SHA224_Init(SHA224_CTX *context) 587 { 588 if (context == NULL) 589 return 1; 590 591 /* The state and buffer size are driven by SHA256, not by SHA224. */ 592 memcpy(context->state, sha224_initial_hash_value, 593 (size_t)(SHA256_DIGEST_LENGTH)); 594 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 595 context->bitcount = 0; 596 597 return 1; 598 } 599 600 int 601 SHA224_Update(SHA224_CTX *context, const uint8_t *data, size_t len) 602 { 603 return SHA256_Update((SHA256_CTX *)context, data, len); 604 } 605 606 void 607 SHA224_Transform(SHA224_CTX *context, const uint32_t *data) 608 { 609 SHA256_Transform((SHA256_CTX *)context, data); 610 } 611 612 int 613 SHA224_Final(uint8_t digest[], SHA224_CTX *context) 614 { 615 return SHA224_256_Final(digest, (SHA256_CTX *)context, 616 SHA224_DIGEST_LENGTH); 617 } 618 619 /*** SHA-512: *********************************************************/ 620 int 621 SHA512_Init(SHA512_CTX *context) 622 { 623 if (context == NULL) 624 return 1; 625 626 memcpy(context->state, sha512_initial_hash_value, 627 (size_t)(SHA512_DIGEST_LENGTH)); 628 memset(context->buffer, 0, (size_t)(SHA512_BLOCK_LENGTH)); 629 context->bitcount[0] = context->bitcount[1] = 0; 630 631 return 1; 632 } 633 634 #ifdef SHA2_UNROLL_TRANSFORM 635 636 /* Unrolled SHA-512 round macros: */ 637 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 638 W512[j] = be64dec(data); \ 639 ++data; \ 640 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 641 K512[j] + W512[j]; \ 642 (d) += T1, \ 643 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 644 j++ 645 646 #define ROUND512(a,b,c,d,e,f,g,h) \ 647 s0 = W512[(j+1)&0x0f]; \ 648 s0 = sigma0_512(s0); \ 649 s1 = W512[(j+14)&0x0f]; \ 650 s1 = sigma1_512(s1); \ 651 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 652 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 653 (d) += T1; \ 654 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 655 j++ 656 657 void 658 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 659 { 660 uint64_t a, b, c, d, e, f, g, h, s0, s1; 661 uint64_t T1, *W512 = (uint64_t *)context->buffer; 662 int j; 663 664 /* Initialize registers with the prev. intermediate value */ 665 a = context->state[0]; 666 b = context->state[1]; 667 c = context->state[2]; 668 d = context->state[3]; 669 e = context->state[4]; 670 f = context->state[5]; 671 g = context->state[6]; 672 h = context->state[7]; 673 674 j = 0; 675 do { 676 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 677 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 678 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 679 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 680 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 681 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 682 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 683 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 684 } while (j < 16); 685 686 /* Now for the remaining rounds up to 79: */ 687 do { 688 ROUND512(a,b,c,d,e,f,g,h); 689 ROUND512(h,a,b,c,d,e,f,g); 690 ROUND512(g,h,a,b,c,d,e,f); 691 ROUND512(f,g,h,a,b,c,d,e); 692 ROUND512(e,f,g,h,a,b,c,d); 693 ROUND512(d,e,f,g,h,a,b,c); 694 ROUND512(c,d,e,f,g,h,a,b); 695 ROUND512(b,c,d,e,f,g,h,a); 696 } while (j < 80); 697 698 /* Compute the current intermediate hash value */ 699 context->state[0] += a; 700 context->state[1] += b; 701 context->state[2] += c; 702 context->state[3] += d; 703 context->state[4] += e; 704 context->state[5] += f; 705 context->state[6] += g; 706 context->state[7] += h; 707 708 /* Clean up */ 709 a = b = c = d = e = f = g = h = T1 = 0; 710 } 711 712 #else /* SHA2_UNROLL_TRANSFORM */ 713 714 void 715 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 716 { 717 uint64_t a, b, c, d, e, f, g, h, s0, s1; 718 uint64_t T1, T2, *W512 = (void *)context->buffer; 719 int j; 720 721 /* Initialize registers with the prev. intermediate value */ 722 a = context->state[0]; 723 b = context->state[1]; 724 c = context->state[2]; 725 d = context->state[3]; 726 e = context->state[4]; 727 f = context->state[5]; 728 g = context->state[6]; 729 h = context->state[7]; 730 731 j = 0; 732 do { 733 W512[j] = be64dec(data); 734 ++data; 735 /* Apply the SHA-512 compression function to update a..h */ 736 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 737 T2 = Sigma0_512(a) + Maj(a, b, c); 738 h = g; 739 g = f; 740 f = e; 741 e = d + T1; 742 d = c; 743 c = b; 744 b = a; 745 a = T1 + T2; 746 747 j++; 748 } while (j < 16); 749 750 do { 751 /* Part of the message block expansion: */ 752 s0 = W512[(j+1)&0x0f]; 753 s0 = sigma0_512(s0); 754 s1 = W512[(j+14)&0x0f]; 755 s1 = sigma1_512(s1); 756 757 /* Apply the SHA-512 compression function to update a..h */ 758 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 759 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 760 T2 = Sigma0_512(a) + Maj(a, b, c); 761 h = g; 762 g = f; 763 f = e; 764 e = d + T1; 765 d = c; 766 c = b; 767 b = a; 768 a = T1 + T2; 769 770 j++; 771 } while (j < 80); 772 773 /* Compute the current intermediate hash value */ 774 context->state[0] += a; 775 context->state[1] += b; 776 context->state[2] += c; 777 context->state[3] += d; 778 context->state[4] += e; 779 context->state[5] += f; 780 context->state[6] += g; 781 context->state[7] += h; 782 783 /* Clean up */ 784 a = b = c = d = e = f = g = h = T1 = T2 = 0; 785 } 786 787 #endif /* SHA2_UNROLL_TRANSFORM */ 788 789 int 790 SHA512_Update(SHA512_CTX *context, const uint8_t *data, size_t len) 791 { 792 unsigned int freespace, usedspace; 793 794 if (len == 0) { 795 /* Calling with no data is valid - we do nothing */ 796 return 1; 797 } 798 799 usedspace = (unsigned int)((context->bitcount[0] >> 3) % 800 SHA512_BLOCK_LENGTH); 801 if (usedspace > 0) { 802 /* Calculate how much free space is available in the buffer */ 803 freespace = SHA512_BLOCK_LENGTH - usedspace; 804 805 if (len >= freespace) { 806 /* Fill the buffer completely and process it */ 807 memcpy(&context->buffer[usedspace], data, 808 (size_t)(freespace)); 809 ADDINC128(context->bitcount, freespace << 3); 810 len -= freespace; 811 data += freespace; 812 SHA512_Transform(context, 813 (uint64_t *)(void *)context->buffer); 814 } else { 815 /* The buffer is not yet full */ 816 memcpy(&context->buffer[usedspace], data, len); 817 ADDINC128(context->bitcount, len << 3); 818 /* Clean up: */ 819 usedspace = freespace = 0; 820 return 1; 821 } 822 } 823 /* 824 * Process as many complete blocks as possible. 825 * 826 * Check alignment of the data pointer. If it is 64bit aligned, 827 * SHA512_Transform can be called directly on the data stream, 828 * otherwise enforce the alignment by copy into the buffer. 829 */ 830 if ((uintptr_t)data % 8 == 0) { 831 while (len >= SHA512_BLOCK_LENGTH) { 832 SHA512_Transform(context, 833 (const uint64_t*)(const void *)data); 834 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 835 len -= SHA512_BLOCK_LENGTH; 836 data += SHA512_BLOCK_LENGTH; 837 } 838 } else { 839 while (len >= SHA512_BLOCK_LENGTH) { 840 memcpy(context->buffer, data, SHA512_BLOCK_LENGTH); 841 SHA512_Transform(context, 842 (const void *)context->buffer); 843 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 844 len -= SHA512_BLOCK_LENGTH; 845 data += SHA512_BLOCK_LENGTH; 846 } 847 } 848 if (len > 0) { 849 /* There's left-overs, so save 'em */ 850 memcpy(context->buffer, data, len); 851 ADDINC128(context->bitcount, len << 3); 852 } 853 /* Clean up: */ 854 usedspace = freespace = 0; 855 856 return 1; 857 } 858 859 static void 860 SHA512_Last(SHA512_CTX *context) 861 { 862 unsigned int usedspace; 863 864 usedspace = (unsigned int)((context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH); 865 context->bitcount[0] = htobe64(context->bitcount[0]); 866 context->bitcount[1] = htobe64(context->bitcount[1]); 867 if (usedspace > 0) { 868 /* Begin padding with a 1 bit: */ 869 context->buffer[usedspace++] = 0x80; 870 871 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 872 /* Set-up for the last transform: */ 873 memset(&context->buffer[usedspace], 0, 874 (size_t)(SHA512_SHORT_BLOCK_LENGTH - usedspace)); 875 } else { 876 if (usedspace < SHA512_BLOCK_LENGTH) { 877 memset(&context->buffer[usedspace], 0, 878 (size_t)(SHA512_BLOCK_LENGTH - usedspace)); 879 } 880 /* Do second-to-last transform: */ 881 SHA512_Transform(context, 882 (uint64_t *)(void *)context->buffer); 883 884 /* And set-up for the last transform: */ 885 memset(context->buffer, 0, 886 (size_t)(SHA512_BLOCK_LENGTH - 2)); 887 } 888 } else { 889 /* Prepare for final transform: */ 890 memset(context->buffer, 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH)); 891 892 /* Begin padding with a 1 bit: */ 893 *context->buffer = 0x80; 894 } 895 /* Store the length of input data (in bits): */ 896 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], 897 &context->bitcount[1], sizeof(context->bitcount[1])); 898 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], 899 &context->bitcount[0], sizeof(context->bitcount[0])); 900 901 /* Final transform: */ 902 SHA512_Transform(context, (uint64_t *)(void *)context->buffer); 903 } 904 905 int 906 SHA512_Final(uint8_t digest[], SHA512_CTX *context) 907 { 908 size_t i; 909 910 /* If no digest buffer is passed, we don't bother doing this: */ 911 if (digest != NULL) { 912 SHA512_Last(context); 913 914 /* Save the hash data for output: */ 915 for (i = 0; i < 8; ++i) 916 be64enc(digest + 8 * i, context->state[i]); 917 } 918 919 /* Zero out state data */ 920 memset(context, 0, sizeof(*context)); 921 922 return 1; 923 } 924 925 /*** SHA-384: *********************************************************/ 926 int 927 SHA384_Init(SHA384_CTX *context) 928 { 929 if (context == NULL) 930 return 1; 931 932 memcpy(context->state, sha384_initial_hash_value, 933 (size_t)(SHA512_DIGEST_LENGTH)); 934 memset(context->buffer, 0, (size_t)(SHA384_BLOCK_LENGTH)); 935 context->bitcount[0] = context->bitcount[1] = 0; 936 937 return 1; 938 } 939 940 int 941 SHA384_Update(SHA384_CTX *context, const uint8_t *data, size_t len) 942 { 943 return SHA512_Update((SHA512_CTX *)context, data, len); 944 } 945 946 void 947 SHA384_Transform(SHA512_CTX *context, const uint64_t *data) 948 { 949 SHA512_Transform((SHA512_CTX *)context, data); 950 } 951 952 int 953 SHA384_Final(uint8_t digest[], SHA384_CTX *context) 954 { 955 size_t i; 956 957 /* If no digest buffer is passed, we don't bother doing this: */ 958 if (digest != NULL) { 959 SHA512_Last((SHA512_CTX *)context); 960 961 /* Save the hash data for output: */ 962 for (i = 0; i < 6; ++i) 963 be64enc(digest + 8 * i, context->state[i]); 964 } 965 966 /* Zero out state data */ 967 memset(context, 0, sizeof(*context)); 968 969 return 1; 970 } 971