1 /*
2 ---------------------------------------------------------------------------
3 Copyright (c) 2002, Dr Brian Gladman < >, Worcester, UK.
4 All rights reserved.
5
6 LICENSE TERMS
7
8 The free distribution and use of this software in both source and binary
9 form is allowed (with or without changes) provided that:
10
11 1. distributions of this source code include the above copyright
12 notice, this list of conditions and the following disclaimer;
13
14 2. distributions in binary form include the above copyright
15 notice, this list of conditions and the following disclaimer
16 in the documentation and/or other associated materials;
17
18 3. the copyright holder's name is not used to endorse products
19 built using this software without specific written permission.
20
21 ALTERNATIVELY, provided that this notice is retained in full, this product
22 may be distributed under the terms of the GNU General Public License (GPL),
23 in which case the provisions of the GPL apply INSTEAD OF those given above.
24
25 DISCLAIMER
26
27 This software is provided 'as is' with no explicit or implied warranties
28 in respect of its properties, including, but not limited to, correctness
29 and/or fitness for purpose.
30 ---------------------------------------------------------------------------
31 Issue Date: 26/08/2003
32
33 This is a byte oriented version of SHA2 that operates on arrays of bytes
34 stored in memory. This code implements sha256, sha384 and sha512 but the
35 latter two functions rely on efficient 64-bit integer operations that
36 may not be very efficient on 32-bit machines
37
38 The sha256 functions use a type 'sha256_ctx' to hold details of the
39 current hash state and uses the following three calls:
40
41 void sha256_begin(sha256_ctx ctx[1])
42 void sha256_hash(const unsigned char data[],
43 unsigned long len, sha256_ctx ctx[1])
44 void sha256_end(unsigned char hval[], sha256_ctx ctx[1])
45
46 The first subroutine initialises a hash computation by setting up the
47 context in the sha256_ctx context. The second subroutine hashes 8-bit
48 bytes from array data[] into the hash state withinh sha256_ctx context,
49 the number of bytes to be hashed being given by the the unsigned long
50 integer len. The third subroutine completes the hash calculation and
51 places the resulting digest value in the array of 8-bit bytes hval[].
52
53 The sha384 and sha512 functions are similar and use the interfaces:
54
55 void sha384_begin(sha384_ctx ctx[1]);
56 void sha384_hash(const unsigned char data[],
57 unsigned long len, sha384_ctx ctx[1]);
58 void sha384_end(unsigned char hval[], sha384_ctx ctx[1]);
59
60 void sha512_begin(sha512_ctx ctx[1]);
61 void sha512_hash(const unsigned char data[],
62 unsigned long len, sha512_ctx ctx[1]);
63 void sha512_end(unsigned char hval[], sha512_ctx ctx[1]);
64
65 In addition there is a function sha2 that can be used to call all these
66 functions using a call with a hash length parameter as follows:
67
68 int sha2_begin(unsigned long len, sha2_ctx ctx[1]);
69 void sha2_hash(const unsigned char data[],
70 unsigned long len, sha2_ctx ctx[1]);
71 void sha2_end(unsigned char hval[], sha2_ctx ctx[1]);
72
73 My thanks to Erik Andersen <andersen@codepoet.org> for testing this code
74 on big-endian systems and for his assistance with corrections
75 */
76
77 /* define the hash functions that you need */
78
79 #define SHA_2 /* for dynamic hash length */
80 #define SHA_256
81 #define SHA_384
82 #define SHA_512
83
84 #include <string.h> /* for memcpy() etc. */
85 #include <stdlib.h> /* for _lrotr with VC++ */
86
87 #include "sha2.h"
88 #include "../os.h"
89
90 /* BYTE ORDER IN 32-BIT WORDS
91
92 To obtain the highest speed on processors with 32-bit words, this code
93 needs to determine the byte order of the target machine. The following
94 block of code is an attempt to capture the most obvious ways in which
95 various environemnts define byte order. It may well fail, in which case
96 the definitions will need to be set by editing at the points marked
97 **** EDIT HERE IF NECESSARY **** below. My thanks to Peter Gutmann for
98 some of these defines (from cryptlib).
99 */
100
101 #define BRG_LITTLE_ENDIAN 1234 /* byte 0 is least significant (i386) */
102 #define BRG_BIG_ENDIAN 4321 /* byte 0 is most significant (mc68k) */
103
104 #ifdef __BIG_ENDIAN__
105 #define PLATFORM_BYTE_ORDER BRG_BIG_ENDIAN
106 #else
107 #define PLATFORM_BYTE_ORDER BRG_LITTLE_ENDIAN
108 #endif
109
110 #ifdef _MSC_VER
111 #pragma intrinsic(memcpy)
112 #endif
113
114 #define rotr32(x,n) (((x) >> n) | ((x) << (32 - n)))
115
116 #if !defined(bswap_32)
117 #define bswap_32(x) irr::os::Byteswap::byteswap(x)
118 #endif
119
120 #if (PLATFORM_BYTE_ORDER == BRG_LITTLE_ENDIAN)
121 #define SWAP_BYTES
122 #else
123 #undef SWAP_BYTES
124 #endif
125
126 #if defined(SHA_2) || defined(SHA_256)
127
128 #define SHA256_MASK (SHA256_BLOCK_SIZE - 1)
129
130 #if defined(SWAP_BYTES)
131 #define bsw_32(p,n) { int _i = (n); while(_i--) p[_i] = bswap_32(p[_i]); }
132 #else
133 #define bsw_32(p,n)
134 #endif
135
136 /* SHA256 mixing function definitions */
137
138 #if 0
139
140 #define ch(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
141 #define maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
142
143 #else /* Thanks to Rich Schroeppel and Colin Plumb for the following */
144
145 #define ch(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
146 #define maj(x,y,z) (((x) & (y)) | ((z) & ((x) ^ (y))))
147
148 #endif
149
150 #define s256_0(x) (rotr32((x), 2) ^ rotr32((x), 13) ^ rotr32((x), 22))
151 #define s256_1(x) (rotr32((x), 6) ^ rotr32((x), 11) ^ rotr32((x), 25))
152 #define g256_0(x) (rotr32((x), 7) ^ rotr32((x), 18) ^ ((x) >> 3))
153 #define g256_1(x) (rotr32((x), 17) ^ rotr32((x), 19) ^ ((x) >> 10))
154
155 /* rotated SHA256 round definition. Rather than swapping variables as in */
156 /* FIPS-180, different variables are 'rotated' on each round, returning */
157 /* to their starting positions every eight rounds */
158
159 #define h2(i) p[i & 15] += \
160 g256_1(p[(i + 14) & 15]) + p[(i + 9) & 15] + g256_0(p[(i + 1) & 15])
161
162 #define h2_cycle(i,j) \
163 v[(7 - i) & 7] += (j ? h2(i) : p[i & 15]) + k256[i + j] \
164 + s256_1(v[(4 - i) & 7]) + ch(v[(4 - i) & 7], v[(5 - i) & 7], v[(6 - i) & 7]); \
165 v[(3 - i) & 7] += v[(7 - i) & 7]; \
166 v[(7 - i) & 7] += s256_0(v[(0 - i) & 7]) + maj(v[(0 - i) & 7], v[(1 - i) & 7], v[(2 - i) & 7])
167
168 /* SHA256 mixing data */
169
170 const sha2_32t k256[64] =
171 { n_u32(428a2f98), n_u32(71374491), n_u32(b5c0fbcf), n_u32(e9b5dba5),
172 n_u32(3956c25b), n_u32(59f111f1), n_u32(923f82a4), n_u32(ab1c5ed5),
173 n_u32(d807aa98), n_u32(12835b01), n_u32(243185be), n_u32(550c7dc3),
174 n_u32(72be5d74), n_u32(80deb1fe), n_u32(9bdc06a7), n_u32(c19bf174),
175 n_u32(e49b69c1), n_u32(efbe4786), n_u32(0fc19dc6), n_u32(240ca1cc),
176 n_u32(2de92c6f), n_u32(4a7484aa), n_u32(5cb0a9dc), n_u32(76f988da),
177 n_u32(983e5152), n_u32(a831c66d), n_u32(b00327c8), n_u32(bf597fc7),
178 n_u32(c6e00bf3), n_u32(d5a79147), n_u32(06ca6351), n_u32(14292967),
179 n_u32(27b70a85), n_u32(2e1b2138), n_u32(4d2c6dfc), n_u32(53380d13),
180 n_u32(650a7354), n_u32(766a0abb), n_u32(81c2c92e), n_u32(92722c85),
181 n_u32(a2bfe8a1), n_u32(a81a664b), n_u32(c24b8b70), n_u32(c76c51a3),
182 n_u32(d192e819), n_u32(d6990624), n_u32(f40e3585), n_u32(106aa070),
183 n_u32(19a4c116), n_u32(1e376c08), n_u32(2748774c), n_u32(34b0bcb5),
184 n_u32(391c0cb3), n_u32(4ed8aa4a), n_u32(5b9cca4f), n_u32(682e6ff3),
185 n_u32(748f82ee), n_u32(78a5636f), n_u32(84c87814), n_u32(8cc70208),
186 n_u32(90befffa), n_u32(a4506ceb), n_u32(bef9a3f7), n_u32(c67178f2),
187 };
188
189 /* SHA256 initialisation data */
190
191 const sha2_32t i256[8] =
192 {
193 n_u32(6a09e667), n_u32(bb67ae85), n_u32(3c6ef372), n_u32(a54ff53a),
194 n_u32(510e527f), n_u32(9b05688c), n_u32(1f83d9ab), n_u32(5be0cd19)
195 };
196
sha256_begin(sha256_ctx ctx[1])197 sha2_void sha256_begin(sha256_ctx ctx[1])
198 {
199 ctx->count[0] = ctx->count[1] = 0;
200 memcpy(ctx->hash, i256, 8 * sizeof(sha2_32t));
201 }
202
203 /* Compile 64 bytes of hash data into SHA256 digest value */
204 /* NOTE: this routine assumes that the byte order in the */
205 /* ctx->wbuf[] at this point is in such an order that low */
206 /* address bytes in the ORIGINAL byte stream placed in this */
207 /* buffer will now go to the high end of words on BOTH big */
208 /* and little endian systems */
209
sha256_compile(sha256_ctx ctx[1])210 sha2_void sha256_compile(sha256_ctx ctx[1])
211 { sha2_32t v[8], j, *p = ctx->wbuf;
212
213 memcpy(v, ctx->hash, 8 * sizeof(sha2_32t));
214
215 for(j = 0; j < 64; j += 16)
216 {
217 h2_cycle( 0, j); h2_cycle( 1, j); h2_cycle( 2, j); h2_cycle( 3, j);
218 h2_cycle( 4, j); h2_cycle( 5, j); h2_cycle( 6, j); h2_cycle( 7, j);
219 h2_cycle( 8, j); h2_cycle( 9, j); h2_cycle(10, j); h2_cycle(11, j);
220 h2_cycle(12, j); h2_cycle(13, j); h2_cycle(14, j); h2_cycle(15, j);
221 }
222
223 ctx->hash[0] += v[0]; ctx->hash[1] += v[1]; ctx->hash[2] += v[2]; ctx->hash[3] += v[3];
224 ctx->hash[4] += v[4]; ctx->hash[5] += v[5]; ctx->hash[6] += v[6]; ctx->hash[7] += v[7];
225 }
226
227 /* SHA256 hash data in an array of bytes into hash buffer */
228 /* and call the hash_compile function as required. */
229
sha256_hash(const unsigned char data[],unsigned long len,sha256_ctx ctx[1])230 sha2_void sha256_hash(const unsigned char data[], unsigned long len, sha256_ctx ctx[1])
231 { sha2_32t pos = (sha2_32t)(ctx->count[0] & SHA256_MASK),
232 space = SHA256_BLOCK_SIZE - pos;
233 const unsigned char *sp = data;
234
235 if((ctx->count[0] += len) < len)
236 ++(ctx->count[1]);
237
238 while(len >= space) /* tranfer whole blocks while possible */
239 {
240 memcpy(((unsigned char*)ctx->wbuf) + pos, sp, space);
241 sp += space; len -= space; space = SHA256_BLOCK_SIZE; pos = 0;
242 bsw_32(ctx->wbuf, SHA256_BLOCK_SIZE >> 2)
243 sha256_compile(ctx);
244 }
245
246 memcpy(((unsigned char*)ctx->wbuf) + pos, sp, len);
247 }
248
249 /* SHA256 Final padding and digest calculation */
250
251 static sha2_32t m1[4] =
252 {
253 n_u32(00000000), n_u32(ff000000), n_u32(ffff0000), n_u32(ffffff00)
254 };
255
256 static sha2_32t b1[4] =
257 {
258 n_u32(80000000), n_u32(00800000), n_u32(00008000), n_u32(00000080)
259 };
260
sha256_end(unsigned char hval[],sha256_ctx ctx[1])261 sha2_void sha256_end(unsigned char hval[], sha256_ctx ctx[1])
262 { sha2_32t i = (sha2_32t)(ctx->count[0] & SHA256_MASK);
263
264 bsw_32(ctx->wbuf, (i + 3) >> 2)
265 /* bytes in the buffer are now in an order in which references */
266 /* to 32-bit words will put bytes with lower addresses into the */
267 /* top of 32 bit words on BOTH big and little endian machines */
268
269 /* we now need to mask valid bytes and add the padding which is */
270 /* a single 1 bit and as many zero bits as necessary. */
271 ctx->wbuf[i >> 2] = (ctx->wbuf[i >> 2] & m1[i & 3]) | b1[i & 3];
272
273 /* we need 9 or more empty positions, one for the padding byte */
274 /* (above) and eight for the length count. If there is not */
275 /* enough space pad and empty the buffer */
276 if(i > SHA256_BLOCK_SIZE - 9)
277 {
278 if(i < 60) ctx->wbuf[15] = 0;
279 sha256_compile(ctx);
280 i = 0;
281 }
282 else /* compute a word index for the empty buffer positions */
283 i = (i >> 2) + 1;
284
285 while(i < 14) /* and zero pad all but last two positions */
286 ctx->wbuf[i++] = 0;
287
288 /* the following 32-bit length fields are assembled in the */
289 /* wrong byte order on little endian machines but this is */
290 /* corrected later since they are only ever used as 32-bit */
291 /* word values. */
292
293 ctx->wbuf[14] = (ctx->count[1] << 3) | (ctx->count[0] >> 29);
294 ctx->wbuf[15] = ctx->count[0] << 3;
295
296 sha256_compile(ctx);
297
298 /* extract the hash value as bytes in case the hash buffer is */
299 /* mislaigned for 32-bit words */
300 for(i = 0; i < SHA256_DIGEST_SIZE; ++i)
301 hval[i] = (unsigned char)(ctx->hash[i >> 2] >> (8 * (~i & 3)));
302 }
303
sha256(unsigned char hval[],const unsigned char data[],unsigned long len)304 sha2_void sha256(unsigned char hval[], const unsigned char data[], unsigned long len)
305 { sha256_ctx cx[1];
306
307 sha256_begin(cx); sha256_hash(data, len, cx); sha256_end(hval, cx);
308 }
309
310 #endif
311
312 #if defined(SHA_2) || defined(SHA_384) || defined(SHA_512)
313
314 #define SHA512_MASK (SHA512_BLOCK_SIZE - 1)
315
316 #define rotr64(x,n) (((x) >> n) | ((x) << (64 - n)))
317
318 #if !defined(bswap_64)
319 #define bswap_64(x) ((((sha2_64t)(bswap_32((sha2_32t)(x)))) << 32) | (bswap_32((sha2_32t)((x) >> 32))))
320 #endif
321
322 #if defined(SWAP_BYTES)
323 #define bsw_64(p,n) { int _i = (n); while(_i--) p[_i] = bswap_64(p[_i]); }
324 #else
325 #define bsw_64(p,n)
326 #endif
327
328 /* SHA512 mixing function definitions */
329
330 #define s512_0(x) (rotr64((x), 28) ^ rotr64((x), 34) ^ rotr64((x), 39))
331 #define s512_1(x) (rotr64((x), 14) ^ rotr64((x), 18) ^ rotr64((x), 41))
332 #define g512_0(x) (rotr64((x), 1) ^ rotr64((x), 8) ^ ((x) >> 7))
333 #define g512_1(x) (rotr64((x), 19) ^ rotr64((x), 61) ^ ((x) >> 6))
334
335 /* rotated SHA512 round definition. Rather than swapping variables as in */
336 /* FIPS-180, different variables are 'rotated' on each round, returning */
337 /* to their starting positions every eight rounds */
338
339 #define h5(i) ctx->wbuf[i & 15] += \
340 g512_1(ctx->wbuf[(i + 14) & 15]) + ctx->wbuf[(i + 9) & 15] + g512_0(ctx->wbuf[(i + 1) & 15])
341
342 #define h5_cycle(i,j) \
343 v[(7 - i) & 7] += (j ? h5(i) : ctx->wbuf[i & 15]) + k512[i + j] \
344 + s512_1(v[(4 - i) & 7]) + ch(v[(4 - i) & 7], v[(5 - i) & 7], v[(6 - i) & 7]); \
345 v[(3 - i) & 7] += v[(7 - i) & 7]; \
346 v[(7 - i) & 7] += s512_0(v[(0 - i) & 7]) + maj(v[(0 - i) & 7], v[(1 - i) & 7], v[(2 - i) & 7])
347
348 /* SHA384/SHA512 mixing data */
349
350 const sha2_64t k512[80] =
351 {
352 n_u64(428a2f98d728ae22), n_u64(7137449123ef65cd),
353 n_u64(b5c0fbcfec4d3b2f), n_u64(e9b5dba58189dbbc),
354 n_u64(3956c25bf348b538), n_u64(59f111f1b605d019),
355 n_u64(923f82a4af194f9b), n_u64(ab1c5ed5da6d8118),
356 n_u64(d807aa98a3030242), n_u64(12835b0145706fbe),
357 n_u64(243185be4ee4b28c), n_u64(550c7dc3d5ffb4e2),
358 n_u64(72be5d74f27b896f), n_u64(80deb1fe3b1696b1),
359 n_u64(9bdc06a725c71235), n_u64(c19bf174cf692694),
360 n_u64(e49b69c19ef14ad2), n_u64(efbe4786384f25e3),
361 n_u64(0fc19dc68b8cd5b5), n_u64(240ca1cc77ac9c65),
362 n_u64(2de92c6f592b0275), n_u64(4a7484aa6ea6e483),
363 n_u64(5cb0a9dcbd41fbd4), n_u64(76f988da831153b5),
364 n_u64(983e5152ee66dfab), n_u64(a831c66d2db43210),
365 n_u64(b00327c898fb213f), n_u64(bf597fc7beef0ee4),
366 n_u64(c6e00bf33da88fc2), n_u64(d5a79147930aa725),
367 n_u64(06ca6351e003826f), n_u64(142929670a0e6e70),
368 n_u64(27b70a8546d22ffc), n_u64(2e1b21385c26c926),
369 n_u64(4d2c6dfc5ac42aed), n_u64(53380d139d95b3df),
370 n_u64(650a73548baf63de), n_u64(766a0abb3c77b2a8),
371 n_u64(81c2c92e47edaee6), n_u64(92722c851482353b),
372 n_u64(a2bfe8a14cf10364), n_u64(a81a664bbc423001),
373 n_u64(c24b8b70d0f89791), n_u64(c76c51a30654be30),
374 n_u64(d192e819d6ef5218), n_u64(d69906245565a910),
375 n_u64(f40e35855771202a), n_u64(106aa07032bbd1b8),
376 n_u64(19a4c116b8d2d0c8), n_u64(1e376c085141ab53),
377 n_u64(2748774cdf8eeb99), n_u64(34b0bcb5e19b48a8),
378 n_u64(391c0cb3c5c95a63), n_u64(4ed8aa4ae3418acb),
379 n_u64(5b9cca4f7763e373), n_u64(682e6ff3d6b2b8a3),
380 n_u64(748f82ee5defb2fc), n_u64(78a5636f43172f60),
381 n_u64(84c87814a1f0ab72), n_u64(8cc702081a6439ec),
382 n_u64(90befffa23631e28), n_u64(a4506cebde82bde9),
383 n_u64(bef9a3f7b2c67915), n_u64(c67178f2e372532b),
384 n_u64(ca273eceea26619c), n_u64(d186b8c721c0c207),
385 n_u64(eada7dd6cde0eb1e), n_u64(f57d4f7fee6ed178),
386 n_u64(06f067aa72176fba), n_u64(0a637dc5a2c898a6),
387 n_u64(113f9804bef90dae), n_u64(1b710b35131c471b),
388 n_u64(28db77f523047d84), n_u64(32caab7b40c72493),
389 n_u64(3c9ebe0a15c9bebc), n_u64(431d67c49c100d4c),
390 n_u64(4cc5d4becb3e42b6), n_u64(597f299cfc657e2a),
391 n_u64(5fcb6fab3ad6faec), n_u64(6c44198c4a475817)
392 };
393
394 /* Compile 64 bytes of hash data into SHA384/SHA512 digest value */
395
sha512_compile(sha512_ctx ctx[1])396 sha2_void sha512_compile(sha512_ctx ctx[1])
397 { sha2_64t v[8];
398 sha2_32t j;
399
400 memcpy(v, ctx->hash, 8 * sizeof(sha2_64t));
401
402 for(j = 0; j < 80; j += 16)
403 {
404 h5_cycle( 0, j); h5_cycle( 1, j); h5_cycle( 2, j); h5_cycle( 3, j);
405 h5_cycle( 4, j); h5_cycle( 5, j); h5_cycle( 6, j); h5_cycle( 7, j);
406 h5_cycle( 8, j); h5_cycle( 9, j); h5_cycle(10, j); h5_cycle(11, j);
407 h5_cycle(12, j); h5_cycle(13, j); h5_cycle(14, j); h5_cycle(15, j);
408 }
409
410 ctx->hash[0] += v[0]; ctx->hash[1] += v[1]; ctx->hash[2] += v[2]; ctx->hash[3] += v[3];
411 ctx->hash[4] += v[4]; ctx->hash[5] += v[5]; ctx->hash[6] += v[6]; ctx->hash[7] += v[7];
412 }
413
414 /* Compile 128 bytes of hash data into SHA256 digest value */
415 /* NOTE: this routine assumes that the byte order in the */
416 /* ctx->wbuf[] at this point is in such an order that low */
417 /* address bytes in the ORIGINAL byte stream placed in this */
418 /* buffer will now go to the high end of words on BOTH big */
419 /* and little endian systems */
420
sha512_hash(const unsigned char data[],unsigned long len,sha512_ctx ctx[1])421 sha2_void sha512_hash(const unsigned char data[], unsigned long len, sha512_ctx ctx[1])
422 { sha2_32t pos = (sha2_32t)(ctx->count[0] & SHA512_MASK),
423 space = SHA512_BLOCK_SIZE - pos;
424 const unsigned char *sp = data;
425
426 if((ctx->count[0] += len) < len)
427 ++(ctx->count[1]);
428
429 while(len >= space) /* tranfer whole blocks while possible */
430 {
431 memcpy(((unsigned char*)ctx->wbuf) + pos, sp, space);
432 sp += space; len -= space; space = SHA512_BLOCK_SIZE; pos = 0;
433 bsw_64(ctx->wbuf, SHA512_BLOCK_SIZE >> 3);
434 sha512_compile(ctx);
435 }
436
437 memcpy(((unsigned char*)ctx->wbuf) + pos, sp, len);
438 }
439
440 /* SHA384/512 Final padding and digest calculation */
441
442 static sha2_64t m2[8] =
443 {
444 n_u64(0000000000000000), n_u64(ff00000000000000),
445 n_u64(ffff000000000000), n_u64(ffffff0000000000),
446 n_u64(ffffffff00000000), n_u64(ffffffffff000000),
447 n_u64(ffffffffffff0000), n_u64(ffffffffffffff00)
448 };
449
450 static sha2_64t b2[8] =
451 {
452 n_u64(8000000000000000), n_u64(0080000000000000),
453 n_u64(0000800000000000), n_u64(0000008000000000),
454 n_u64(0000000080000000), n_u64(0000000000800000),
455 n_u64(0000000000008000), n_u64(0000000000000080)
456 };
457
sha_end(unsigned char hval[],sha512_ctx ctx[1],const unsigned int hlen)458 static void sha_end(unsigned char hval[], sha512_ctx ctx[1], const unsigned int hlen)
459 { sha2_32t i = (sha2_32t)(ctx->count[0] & SHA512_MASK);
460
461 bsw_64(ctx->wbuf, (i + 7) >> 3);
462
463 /* bytes in the buffer are now in an order in which references */
464 /* to 64-bit words will put bytes with lower addresses into the */
465 /* top of 64 bit words on BOTH big and little endian machines */
466
467 /* we now need to mask valid bytes and add the padding which is */
468 /* a single 1 bit and as many zero bits as necessary. */
469 ctx->wbuf[i >> 3] = (ctx->wbuf[i >> 3] & m2[i & 7]) | b2[i & 7];
470
471 /* we need 17 or more empty byte positions, one for the padding */
472 /* byte (above) and sixteen for the length count. If there is */
473 /* not enough space pad and empty the buffer */
474 if(i > SHA512_BLOCK_SIZE - 17)
475 {
476 if(i < 120) ctx->wbuf[15] = 0;
477 sha512_compile(ctx);
478 i = 0;
479 }
480 else
481 i = (i >> 3) + 1;
482
483 while(i < 14)
484 ctx->wbuf[i++] = 0;
485
486 /* the following 64-bit length fields are assembled in the */
487 /* wrong byte order on little endian machines but this is */
488 /* corrected later since they are only ever used as 64-bit */
489 /* word values. */
490
491 ctx->wbuf[14] = (ctx->count[1] << 3) | (ctx->count[0] >> 61);
492 ctx->wbuf[15] = ctx->count[0] << 3;
493
494 sha512_compile(ctx);
495
496 /* extract the hash value as bytes in case the hash buffer is */
497 /* misaligned for 32-bit words */
498 for(i = 0; i < hlen; ++i)
499 hval[i] = (unsigned char)(ctx->hash[i >> 3] >> (8 * (~i & 7)));
500 }
501
502 #endif
503
504 #if defined(SHA_2) || defined(SHA_384)
505
506 /* SHA384 initialisation data */
507
508 const sha2_64t i384[80] =
509 {
510 n_u64(cbbb9d5dc1059ed8), n_u64(629a292a367cd507),
511 n_u64(9159015a3070dd17), n_u64(152fecd8f70e5939),
512 n_u64(67332667ffc00b31), n_u64(8eb44a8768581511),
513 n_u64(db0c2e0d64f98fa7), n_u64(47b5481dbefa4fa4)
514 };
515
sha384_begin(sha384_ctx ctx[1])516 sha2_void sha384_begin(sha384_ctx ctx[1])
517 {
518 ctx->count[0] = ctx->count[1] = 0;
519 memcpy(ctx->hash, i384, 8 * sizeof(sha2_64t));
520 }
521
sha384_end(unsigned char hval[],sha384_ctx ctx[1])522 sha2_void sha384_end(unsigned char hval[], sha384_ctx ctx[1])
523 {
524 sha_end(hval, ctx, SHA384_DIGEST_SIZE);
525 }
526
sha384(unsigned char hval[],const unsigned char data[],unsigned long len)527 sha2_void sha384(unsigned char hval[], const unsigned char data[], unsigned long len)
528 { sha384_ctx cx[1];
529
530 sha384_begin(cx); sha384_hash(data, len, cx); sha384_end(hval, cx);
531 }
532
533 #endif
534
535 #if defined(SHA_2) || defined(SHA_512)
536
537 /* SHA512 initialisation data */
538
539 const sha2_64t i512[80] =
540 {
541 n_u64(6a09e667f3bcc908), n_u64(bb67ae8584caa73b),
542 n_u64(3c6ef372fe94f82b), n_u64(a54ff53a5f1d36f1),
543 n_u64(510e527fade682d1), n_u64(9b05688c2b3e6c1f),
544 n_u64(1f83d9abfb41bd6b), n_u64(5be0cd19137e2179)
545 };
546
sha512_begin(sha512_ctx ctx[1])547 sha2_void sha512_begin(sha512_ctx ctx[1])
548 {
549 ctx->count[0] = ctx->count[1] = 0;
550 memcpy(ctx->hash, i512, 8 * sizeof(sha2_64t));
551 }
552
sha512_end(unsigned char hval[],sha512_ctx ctx[1])553 sha2_void sha512_end(unsigned char hval[], sha512_ctx ctx[1])
554 {
555 sha_end(hval, ctx, SHA512_DIGEST_SIZE);
556 }
557
sha512(unsigned char hval[],const unsigned char data[],unsigned long len)558 sha2_void sha512(unsigned char hval[], const unsigned char data[], unsigned long len)
559 { sha512_ctx cx[1];
560
561 sha512_begin(cx); sha512_hash(data, len, cx); sha512_end(hval, cx);
562 }
563
564 #endif
565
566 #if defined(SHA_2)
567
568 #define CTX_256(x) ((x)->uu->ctx256)
569 #define CTX_384(x) ((x)->uu->ctx512)
570 #define CTX_512(x) ((x)->uu->ctx512)
571
572 /* SHA2 initialisation */
573
sha2_begin(unsigned long len,sha2_ctx ctx[1])574 sha2_int sha2_begin(unsigned long len, sha2_ctx ctx[1])
575 { unsigned long l = len;
576 switch(len)
577 {
578 case 256: l = len >> 3;
579 /* Falls through. */
580 case 32: CTX_256(ctx)->count[0] = CTX_256(ctx)->count[1] = 0;
581 memcpy(CTX_256(ctx)->hash, i256, 32); break;
582 case 384: l = len >> 3;
583 /* Falls through. */
584 case 48: CTX_384(ctx)->count[0] = CTX_384(ctx)->count[1] = 0;
585 memcpy(CTX_384(ctx)->hash, i384, 64); break;
586 case 512: l = len >> 3;
587 /* Falls through. */
588 case 64: CTX_512(ctx)->count[0] = CTX_512(ctx)->count[1] = 0;
589 memcpy(CTX_512(ctx)->hash, i512, 64); break;
590 default: return SHA2_BAD;
591 }
592
593 ctx->sha2_len = l; return SHA2_GOOD;
594 }
595
sha2_hash(const unsigned char data[],unsigned long len,sha2_ctx ctx[1])596 sha2_void sha2_hash(const unsigned char data[], unsigned long len, sha2_ctx ctx[1])
597 {
598 switch(ctx->sha2_len)
599 {
600 case 32: sha256_hash(data, len, CTX_256(ctx)); return;
601 case 48: sha384_hash(data, len, CTX_384(ctx)); return;
602 case 64: sha512_hash(data, len, CTX_512(ctx)); return;
603 }
604 }
605
sha2_end(unsigned char hval[],sha2_ctx ctx[1])606 sha2_void sha2_end(unsigned char hval[], sha2_ctx ctx[1])
607 {
608 switch(ctx->sha2_len)
609 {
610 case 32: sha256_end(hval, CTX_256(ctx)); return;
611 case 48: sha_end(hval, CTX_384(ctx), SHA384_DIGEST_SIZE); return;
612 case 64: sha_end(hval, CTX_512(ctx), SHA512_DIGEST_SIZE); return;
613 }
614 }
615
sha2(unsigned char hval[],unsigned long size,const unsigned char data[],unsigned long len)616 sha2_int sha2(unsigned char hval[], unsigned long size,
617 const unsigned char data[], unsigned long len)
618 { sha2_ctx cx[1];
619
620 if(sha2_begin(size, cx) == SHA2_GOOD)
621 {
622 sha2_hash(data, len, cx); sha2_end(hval, cx); return SHA2_GOOD;
623 }
624 else
625 return SHA2_BAD;
626 }
627
628 #endif
629
630