1 /* $NetBSD: sha2.c,v 1.1 2014/03/09 00:15:45 agc Exp $ */
2 /* $KAME: sha2.c,v 1.9 2003/07/20 00:28:38 itojun Exp $ */
3
4 /*
5 * sha2.c
6 *
7 * Version 1.0.0beta1
8 *
9 * Written by Aaron D. Gifford <me@aarongifford.com>
10 *
11 * Copyright 2000 Aaron D. Gifford. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. Neither the name of the copyright holder nor the names of contributors
22 * may be used to endorse or promote products derived from this software
23 * without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 *
37 */
38
39 #include <sys/cdefs.h>
40
41 #include <sys/types.h>
42
43 #include <inttypes.h>
44 #include <string.h>
45
46 #include "sha2.h"
47
48 # undef htobe32
49 # undef htobe64
50 # undef be32toh
51 # undef be64toh
52
53 #define __CAST(__dt, __st) ((__dt)(__st)) /* srsly? */
54
55 static __inline void
be32encode(void * buf,uint32_t u)56 be32encode(void *buf, uint32_t u)
57 {
58 uint8_t *p = __CAST(uint8_t *, buf);
59
60 p[0] = __CAST(uint8_t, ((u >> 24) & 0xff));
61 p[1] = __CAST(uint8_t, ((u >> 16) & 0xff));
62 p[2] = __CAST(uint8_t, ((u >> 8) & 0xff));
63 p[3] = __CAST(uint8_t, (u & 0xff));
64 }
65
66 static __inline void
be64encode(void * buf,uint64_t u)67 be64encode(void *buf, uint64_t u)
68 {
69 uint8_t *p = __CAST(uint8_t *, buf);
70
71 be32encode(p, __CAST(uint32_t, (u >> 32)));
72 be32encode(p + 4, __CAST(uint32_t, (u & 0xffffffffULL)));
73 }
74
75 static uint32_t
htobe32(uint32_t x)76 htobe32(uint32_t x)
77 {
78 uint8_t p[4];
79 memcpy(p, &x, 4);
80
81 return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
82 }
83
84 static uint64_t
htobe64(uint64_t x)85 htobe64(uint64_t x)
86 {
87 uint8_t p[8];
88 uint32_t u, v;
89 memcpy(p, &x, 8);
90
91 u = ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
92 v = ((p[4] << 24) | (p[5] << 16) | (p[6] << 8) | p[7]);
93
94 return ((((uint64_t)u) << 32) | v);
95 }
96
97 static uint32_t
be32toh(uint32_t x)98 be32toh(uint32_t x)
99 {
100 return htobe32(x);
101 }
102
103 static uint64_t
be64toh(uint64_t x)104 be64toh(uint64_t x)
105 {
106 return htobe64(x);
107 }
108
109 /*** SHA-256/384/512 Various Length Definitions ***********************/
110 /* NOTE: Most of these are in sha2.h */
111 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
112 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
113 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
114
115 /*
116 * Macro for incrementally adding the unsigned 64-bit integer n to the
117 * unsigned 128-bit integer (represented using a two-element array of
118 * 64-bit words):
119 */
120 #define ADDINC128(w,n) { \
121 (w)[0] += (uint64_t)(n); \
122 if ((w)[0] < (n)) { \
123 (w)[1]++; \
124 } \
125 }
126
127 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
128 /*
129 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
130 *
131 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
132 * S is a ROTATION) because the SHA-256/384/512 description document
133 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
134 * same "backwards" definition.
135 */
136 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
137 #define R(b,x) ((x) >> (b))
138 /* 32-bit Rotate-right (used in SHA-256): */
139 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
140 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
141 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
142
143 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
144 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
145 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
146
147 /* Four of six logical functions used in SHA-256: */
148 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
149 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
150 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
151 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
152
153 /* Four of six logical functions used in SHA-384 and SHA-512: */
154 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
155 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
156 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
157 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
158
159 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
160 /* NOTE: These should not be accessed directly from outside this
161 * library -- they are intended for private internal visibility/use
162 * only.
163 */
164 static void SHA512_Last(SHA512_CTX *);
165 void SHA224_Transform(SHA224_CTX *, const uint32_t*);
166 void SHA256_Transform(SHA256_CTX *, const uint32_t*);
167 void SHA384_Transform(SHA384_CTX *, const uint64_t*);
168 void SHA512_Transform(SHA512_CTX *, const uint64_t*);
169
170
171 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
172 /* Hash constant words K for SHA-256: */
173 static const uint32_t K256[64] = {
174 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
175 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
176 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
177 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
178 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
179 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
180 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
181 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
182 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
183 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
184 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
185 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
186 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
187 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
188 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
189 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
190 };
191
192 /* Initial hash value H for SHA-224: */
193 static const uint32_t sha224_initial_hash_value[8] = {
194 0xc1059ed8UL,
195 0x367cd507UL,
196 0x3070dd17UL,
197 0xf70e5939UL,
198 0xffc00b31UL,
199 0x68581511UL,
200 0x64f98fa7UL,
201 0xbefa4fa4UL
202 };
203
204 /* Initial hash value H for SHA-256: */
205 static const uint32_t sha256_initial_hash_value[8] = {
206 0x6a09e667UL,
207 0xbb67ae85UL,
208 0x3c6ef372UL,
209 0xa54ff53aUL,
210 0x510e527fUL,
211 0x9b05688cUL,
212 0x1f83d9abUL,
213 0x5be0cd19UL
214 };
215
216 /* Hash constant words K for SHA-384 and SHA-512: */
217 static const uint64_t K512[80] = {
218 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
219 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
220 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
221 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
222 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
223 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
224 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
225 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
226 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
227 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
228 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
229 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
230 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
231 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
232 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
233 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
234 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
235 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
236 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
237 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
238 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
239 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
240 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
241 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
242 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
243 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
244 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
245 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
246 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
247 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
248 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
249 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
250 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
251 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
252 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
253 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
254 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
255 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
256 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
257 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
258 };
259
260 /* Initial hash value H for SHA-384 */
261 static const uint64_t sha384_initial_hash_value[8] = {
262 0xcbbb9d5dc1059ed8ULL,
263 0x629a292a367cd507ULL,
264 0x9159015a3070dd17ULL,
265 0x152fecd8f70e5939ULL,
266 0x67332667ffc00b31ULL,
267 0x8eb44a8768581511ULL,
268 0xdb0c2e0d64f98fa7ULL,
269 0x47b5481dbefa4fa4ULL
270 };
271
272 /* Initial hash value H for SHA-512 */
273 static const uint64_t sha512_initial_hash_value[8] = {
274 0x6a09e667f3bcc908ULL,
275 0xbb67ae8584caa73bULL,
276 0x3c6ef372fe94f82bULL,
277 0xa54ff53a5f1d36f1ULL,
278 0x510e527fade682d1ULL,
279 0x9b05688c2b3e6c1fULL,
280 0x1f83d9abfb41bd6bULL,
281 0x5be0cd19137e2179ULL
282 };
283
284 /*** SHA-256: *********************************************************/
285 int
SHA256_Init(SHA256_CTX * context)286 SHA256_Init(SHA256_CTX *context)
287 {
288 if (context == NULL)
289 return 1;
290
291 memcpy(context->state, sha256_initial_hash_value,
292 (size_t)(SHA256_DIGEST_LENGTH));
293 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH));
294 context->bitcount = 0;
295
296 return 1;
297 }
298
299 #ifdef SHA2_UNROLL_TRANSFORM
300
301 /* Unrolled SHA-256 round macros: */
302
303 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
304 W256[j] = be32toh(*data); \
305 ++data; \
306 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
307 K256[j] + W256[j]; \
308 (d) += T1; \
309 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
310 j++
311
312 #define ROUND256(a,b,c,d,e,f,g,h) \
313 s0 = W256[(j+1)&0x0f]; \
314 s0 = sigma0_256(s0); \
315 s1 = W256[(j+14)&0x0f]; \
316 s1 = sigma1_256(s1); \
317 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
318 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
319 (d) += T1; \
320 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
321 j++
322
323 void
SHA256_Transform(SHA256_CTX * context,const uint32_t * data)324 SHA256_Transform(SHA256_CTX *context, const uint32_t *data)
325 {
326 uint32_t a, b, c, d, e, f, g, h, s0, s1;
327 uint32_t T1, *W256;
328 int j;
329
330 W256 = (uint32_t *)context->buffer;
331
332 /* Initialize registers with the prev. intermediate value */
333 a = context->state[0];
334 b = context->state[1];
335 c = context->state[2];
336 d = context->state[3];
337 e = context->state[4];
338 f = context->state[5];
339 g = context->state[6];
340 h = context->state[7];
341
342 j = 0;
343 do {
344 /* Rounds 0 to 15 (unrolled): */
345 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
346 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
347 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
348 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
349 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
350 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
351 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
352 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
353 } while (j < 16);
354
355 /* Now for the remaining rounds to 64: */
356 do {
357 ROUND256(a,b,c,d,e,f,g,h);
358 ROUND256(h,a,b,c,d,e,f,g);
359 ROUND256(g,h,a,b,c,d,e,f);
360 ROUND256(f,g,h,a,b,c,d,e);
361 ROUND256(e,f,g,h,a,b,c,d);
362 ROUND256(d,e,f,g,h,a,b,c);
363 ROUND256(c,d,e,f,g,h,a,b);
364 ROUND256(b,c,d,e,f,g,h,a);
365 } while (j < 64);
366
367 /* Compute the current intermediate hash value */
368 context->state[0] += a;
369 context->state[1] += b;
370 context->state[2] += c;
371 context->state[3] += d;
372 context->state[4] += e;
373 context->state[5] += f;
374 context->state[6] += g;
375 context->state[7] += h;
376
377 /* Clean up */
378 a = b = c = d = e = f = g = h = T1 = 0;
379 }
380
381 #else /* SHA2_UNROLL_TRANSFORM */
382
383 void
SHA256_Transform(SHA256_CTX * context,const uint32_t * data)384 SHA256_Transform(SHA256_CTX *context, const uint32_t *data)
385 {
386 uint32_t a, b, c, d, e, f, g, h, s0, s1;
387 uint32_t T1, T2, *W256;
388 int j;
389
390 W256 = (uint32_t *)(void *)context->buffer;
391
392 /* Initialize registers with the prev. intermediate value */
393 a = context->state[0];
394 b = context->state[1];
395 c = context->state[2];
396 d = context->state[3];
397 e = context->state[4];
398 f = context->state[5];
399 g = context->state[6];
400 h = context->state[7];
401
402 j = 0;
403 do {
404 W256[j] = be32toh(*data);
405 ++data;
406 /* Apply the SHA-256 compression function to update a..h */
407 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
408 T2 = Sigma0_256(a) + Maj(a, b, c);
409 h = g;
410 g = f;
411 f = e;
412 e = d + T1;
413 d = c;
414 c = b;
415 b = a;
416 a = T1 + T2;
417
418 j++;
419 } while (j < 16);
420
421 do {
422 /* Part of the message block expansion: */
423 s0 = W256[(j+1)&0x0f];
424 s0 = sigma0_256(s0);
425 s1 = W256[(j+14)&0x0f];
426 s1 = sigma1_256(s1);
427
428 /* Apply the SHA-256 compression function to update a..h */
429 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
430 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
431 T2 = Sigma0_256(a) + Maj(a, b, c);
432 h = g;
433 g = f;
434 f = e;
435 e = d + T1;
436 d = c;
437 c = b;
438 b = a;
439 a = T1 + T2;
440
441 j++;
442 } while (j < 64);
443
444 /* Compute the current intermediate hash value */
445 context->state[0] += a;
446 context->state[1] += b;
447 context->state[2] += c;
448 context->state[3] += d;
449 context->state[4] += e;
450 context->state[5] += f;
451 context->state[6] += g;
452 context->state[7] += h;
453
454 /* Clean up */
455 a = b = c = d = e = f = g = h = T1 = T2 = 0;
456 }
457
458 #endif /* SHA2_UNROLL_TRANSFORM */
459
460 int
SHA256_Update(SHA256_CTX * context,const uint8_t * data,size_t len)461 SHA256_Update(SHA256_CTX *context, const uint8_t *data, size_t len)
462 {
463 unsigned int freespace, usedspace;
464
465 if (len == 0) {
466 /* Calling with no data is valid - we do nothing */
467 return 1;
468 }
469
470 usedspace = (unsigned int)((context->bitcount >> 3) %
471 SHA256_BLOCK_LENGTH);
472 if (usedspace > 0) {
473 /* Calculate how much free space is available in the buffer */
474 freespace = SHA256_BLOCK_LENGTH - usedspace;
475
476 if (len >= freespace) {
477 /* Fill the buffer completely and process it */
478 memcpy(&context->buffer[usedspace], data,
479 (size_t)(freespace));
480 context->bitcount += freespace << 3;
481 len -= freespace;
482 data += freespace;
483 SHA256_Transform(context,
484 (uint32_t *)(void *)context->buffer);
485 } else {
486 /* The buffer is not yet full */
487 memcpy(&context->buffer[usedspace], data, len);
488 context->bitcount += len << 3;
489 /* Clean up: */
490 usedspace = freespace = 0;
491 return 1;
492 }
493 }
494 /*
495 * Process as many complete blocks as possible.
496 *
497 * Check alignment of the data pointer. If it is 32bit aligned,
498 * SHA256_Transform can be called directly on the data stream,
499 * otherwise enforce the alignment by copy into the buffer.
500 */
501 if ((uintptr_t)data % 4 == 0) {
502 while (len >= SHA256_BLOCK_LENGTH) {
503 SHA256_Transform(context,
504 (const uint32_t *)(const void *)data);
505 context->bitcount += SHA256_BLOCK_LENGTH << 3;
506 len -= SHA256_BLOCK_LENGTH;
507 data += SHA256_BLOCK_LENGTH;
508 }
509 } else {
510 while (len >= SHA256_BLOCK_LENGTH) {
511 memcpy(context->buffer, data, SHA256_BLOCK_LENGTH);
512 SHA256_Transform(context,
513 (const uint32_t *)(const void *)context->buffer);
514 context->bitcount += SHA256_BLOCK_LENGTH << 3;
515 len -= SHA256_BLOCK_LENGTH;
516 data += SHA256_BLOCK_LENGTH;
517 }
518 }
519 if (len > 0) {
520 /* There's left-overs, so save 'em */
521 memcpy(context->buffer, data, len);
522 context->bitcount += len << 3;
523 }
524 /* Clean up: */
525 usedspace = freespace = 0;
526
527 return 1;
528 }
529
530 static int
SHA224_256_Final(uint8_t digest[],SHA256_CTX * context,size_t len)531 SHA224_256_Final(uint8_t digest[], SHA256_CTX *context, size_t len)
532 {
533 unsigned int usedspace;
534 size_t i;
535
536 /* If no digest buffer is passed, we don't bother doing this: */
537 if (digest != NULL) {
538 usedspace = (unsigned int)((context->bitcount >> 3) %
539 SHA256_BLOCK_LENGTH);
540 context->bitcount = htobe64(context->bitcount);
541 if (usedspace > 0) {
542 /* Begin padding with a 1 bit: */
543 context->buffer[usedspace++] = 0x80;
544
545 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
546 /* Set-up for the last transform: */
547 memset(&context->buffer[usedspace], 0,
548 (size_t)(SHA256_SHORT_BLOCK_LENGTH -
549 usedspace));
550 } else {
551 if (usedspace < SHA256_BLOCK_LENGTH) {
552 memset(&context->buffer[usedspace], 0,
553 (size_t)(SHA256_BLOCK_LENGTH -
554 usedspace));
555 }
556 /* Do second-to-last transform: */
557 SHA256_Transform(context,
558 (uint32_t *)(void *)context->buffer);
559
560 /* And set-up for the last transform: */
561 memset(context->buffer, 0,
562 (size_t)(SHA256_SHORT_BLOCK_LENGTH));
563 }
564 } else {
565 /* Set-up for the last transform: */
566 memset(context->buffer, 0,
567 (size_t)(SHA256_SHORT_BLOCK_LENGTH));
568
569 /* Begin padding with a 1 bit: */
570 *context->buffer = 0x80;
571 }
572 /* Set the bit count: */
573 memcpy(&context->buffer[SHA256_SHORT_BLOCK_LENGTH],
574 &context->bitcount, sizeof(context->bitcount));
575
576 /* Final transform: */
577 SHA256_Transform(context, (uint32_t *)(void *)context->buffer);
578
579 for (i = 0; i < len / 4; i++)
580 be32encode(digest + 4 * i, context->state[i]);
581 }
582
583 /* Clean up state data: */
584 memset(context, 0, sizeof(*context));
585 usedspace = 0;
586
587 return 1;
588 }
589
590 int
SHA256_Final(uint8_t digest[],SHA256_CTX * context)591 SHA256_Final(uint8_t digest[], SHA256_CTX *context)
592 {
593 return SHA224_256_Final(digest, context, SHA256_DIGEST_LENGTH);
594 }
595
596 /*** SHA-224: *********************************************************/
597 int
SHA224_Init(SHA224_CTX * context)598 SHA224_Init(SHA224_CTX *context)
599 {
600 if (context == NULL)
601 return 1;
602
603 /* The state and buffer size are driven by SHA256, not by SHA224. */
604 memcpy(context->state, sha224_initial_hash_value,
605 (size_t)(SHA256_DIGEST_LENGTH));
606 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH));
607 context->bitcount = 0;
608
609 return 1;
610 }
611
612 int
SHA224_Update(SHA224_CTX * context,const uint8_t * data,size_t len)613 SHA224_Update(SHA224_CTX *context, const uint8_t *data, size_t len)
614 {
615 return SHA256_Update((SHA256_CTX *)context, data, len);
616 }
617
618 void
SHA224_Transform(SHA224_CTX * context,const uint32_t * data)619 SHA224_Transform(SHA224_CTX *context, const uint32_t *data)
620 {
621 SHA256_Transform((SHA256_CTX *)context, data);
622 }
623
624 int
SHA224_Final(uint8_t digest[],SHA224_CTX * context)625 SHA224_Final(uint8_t digest[], SHA224_CTX *context)
626 {
627 return SHA224_256_Final(digest, (SHA256_CTX *)context,
628 SHA224_DIGEST_LENGTH);
629 }
630
631 /*** SHA-512: *********************************************************/
632 int
SHA512_Init(SHA512_CTX * context)633 SHA512_Init(SHA512_CTX *context)
634 {
635 if (context == NULL)
636 return 1;
637
638 memcpy(context->state, sha512_initial_hash_value,
639 (size_t)(SHA512_DIGEST_LENGTH));
640 memset(context->buffer, 0, (size_t)(SHA512_BLOCK_LENGTH));
641 context->bitcount[0] = context->bitcount[1] = 0;
642
643 return 1;
644 }
645
646 #ifdef SHA2_UNROLL_TRANSFORM
647
648 /* Unrolled SHA-512 round macros: */
649 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
650 W512[j] = be64toh(*data); \
651 ++data; \
652 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
653 K512[j] + W512[j]; \
654 (d) += T1, \
655 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
656 j++
657
658 #define ROUND512(a,b,c,d,e,f,g,h) \
659 s0 = W512[(j+1)&0x0f]; \
660 s0 = sigma0_512(s0); \
661 s1 = W512[(j+14)&0x0f]; \
662 s1 = sigma1_512(s1); \
663 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
664 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
665 (d) += T1; \
666 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
667 j++
668
669 void
SHA512_Transform(SHA512_CTX * context,const uint64_t * data)670 SHA512_Transform(SHA512_CTX *context, const uint64_t *data)
671 {
672 uint64_t a, b, c, d, e, f, g, h, s0, s1;
673 uint64_t T1, *W512 = (uint64_t *)context->buffer;
674 int j;
675
676 /* Initialize registers with the prev. intermediate value */
677 a = context->state[0];
678 b = context->state[1];
679 c = context->state[2];
680 d = context->state[3];
681 e = context->state[4];
682 f = context->state[5];
683 g = context->state[6];
684 h = context->state[7];
685
686 j = 0;
687 do {
688 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
689 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
690 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
691 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
692 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
693 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
694 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
695 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
696 } while (j < 16);
697
698 /* Now for the remaining rounds up to 79: */
699 do {
700 ROUND512(a,b,c,d,e,f,g,h);
701 ROUND512(h,a,b,c,d,e,f,g);
702 ROUND512(g,h,a,b,c,d,e,f);
703 ROUND512(f,g,h,a,b,c,d,e);
704 ROUND512(e,f,g,h,a,b,c,d);
705 ROUND512(d,e,f,g,h,a,b,c);
706 ROUND512(c,d,e,f,g,h,a,b);
707 ROUND512(b,c,d,e,f,g,h,a);
708 } while (j < 80);
709
710 /* Compute the current intermediate hash value */
711 context->state[0] += a;
712 context->state[1] += b;
713 context->state[2] += c;
714 context->state[3] += d;
715 context->state[4] += e;
716 context->state[5] += f;
717 context->state[6] += g;
718 context->state[7] += h;
719
720 /* Clean up */
721 a = b = c = d = e = f = g = h = T1 = 0;
722 }
723
724 #else /* SHA2_UNROLL_TRANSFORM */
725
726 void
SHA512_Transform(SHA512_CTX * context,const uint64_t * data)727 SHA512_Transform(SHA512_CTX *context, const uint64_t *data)
728 {
729 uint64_t a, b, c, d, e, f, g, h, s0, s1;
730 uint64_t T1, T2, *W512 = (void *)context->buffer;
731 int j;
732
733 /* Initialize registers with the prev. intermediate value */
734 a = context->state[0];
735 b = context->state[1];
736 c = context->state[2];
737 d = context->state[3];
738 e = context->state[4];
739 f = context->state[5];
740 g = context->state[6];
741 h = context->state[7];
742
743 j = 0;
744 do {
745 W512[j] = be64toh(*data);
746 ++data;
747 /* Apply the SHA-512 compression function to update a..h */
748 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
749 T2 = Sigma0_512(a) + Maj(a, b, c);
750 h = g;
751 g = f;
752 f = e;
753 e = d + T1;
754 d = c;
755 c = b;
756 b = a;
757 a = T1 + T2;
758
759 j++;
760 } while (j < 16);
761
762 do {
763 /* Part of the message block expansion: */
764 s0 = W512[(j+1)&0x0f];
765 s0 = sigma0_512(s0);
766 s1 = W512[(j+14)&0x0f];
767 s1 = sigma1_512(s1);
768
769 /* Apply the SHA-512 compression function to update a..h */
770 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
771 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
772 T2 = Sigma0_512(a) + Maj(a, b, c);
773 h = g;
774 g = f;
775 f = e;
776 e = d + T1;
777 d = c;
778 c = b;
779 b = a;
780 a = T1 + T2;
781
782 j++;
783 } while (j < 80);
784
785 /* Compute the current intermediate hash value */
786 context->state[0] += a;
787 context->state[1] += b;
788 context->state[2] += c;
789 context->state[3] += d;
790 context->state[4] += e;
791 context->state[5] += f;
792 context->state[6] += g;
793 context->state[7] += h;
794
795 /* Clean up */
796 a = b = c = d = e = f = g = h = T1 = T2 = 0;
797 }
798
799 #endif /* SHA2_UNROLL_TRANSFORM */
800
801 int
SHA512_Update(SHA512_CTX * context,const uint8_t * data,size_t len)802 SHA512_Update(SHA512_CTX *context, const uint8_t *data, size_t len)
803 {
804 unsigned int freespace, usedspace;
805
806 if (len == 0) {
807 /* Calling with no data is valid - we do nothing */
808 return 1;
809 }
810
811 usedspace = (unsigned int)((context->bitcount[0] >> 3) %
812 SHA512_BLOCK_LENGTH);
813 if (usedspace > 0) {
814 /* Calculate how much free space is available in the buffer */
815 freespace = SHA512_BLOCK_LENGTH - usedspace;
816
817 if (len >= freespace) {
818 /* Fill the buffer completely and process it */
819 memcpy(&context->buffer[usedspace], data,
820 (size_t)(freespace));
821 ADDINC128(context->bitcount, freespace << 3);
822 len -= freespace;
823 data += freespace;
824 SHA512_Transform(context,
825 (uint64_t *)(void *)context->buffer);
826 } else {
827 /* The buffer is not yet full */
828 memcpy(&context->buffer[usedspace], data, len);
829 ADDINC128(context->bitcount, len << 3);
830 /* Clean up: */
831 usedspace = freespace = 0;
832 return 1;
833 }
834 }
835 /*
836 * Process as many complete blocks as possible.
837 *
838 * Check alignment of the data pointer. If it is 64bit aligned,
839 * SHA512_Transform can be called directly on the data stream,
840 * otherwise enforce the alignment by copy into the buffer.
841 */
842 if ((uintptr_t)data % 8 == 0) {
843 while (len >= SHA512_BLOCK_LENGTH) {
844 SHA512_Transform(context,
845 (const uint64_t*)(const void *)data);
846 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
847 len -= SHA512_BLOCK_LENGTH;
848 data += SHA512_BLOCK_LENGTH;
849 }
850 } else {
851 while (len >= SHA512_BLOCK_LENGTH) {
852 memcpy(context->buffer, data, SHA512_BLOCK_LENGTH);
853 SHA512_Transform(context,
854 (const void *)context->buffer);
855 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
856 len -= SHA512_BLOCK_LENGTH;
857 data += SHA512_BLOCK_LENGTH;
858 }
859 }
860 if (len > 0) {
861 /* There's left-overs, so save 'em */
862 memcpy(context->buffer, data, len);
863 ADDINC128(context->bitcount, len << 3);
864 }
865 /* Clean up: */
866 usedspace = freespace = 0;
867
868 return 1;
869 }
870
871 static void
SHA512_Last(SHA512_CTX * context)872 SHA512_Last(SHA512_CTX *context)
873 {
874 unsigned int usedspace;
875
876 usedspace = (unsigned int)((context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH);
877 context->bitcount[0] = htobe64(context->bitcount[0]);
878 context->bitcount[1] = htobe64(context->bitcount[1]);
879 if (usedspace > 0) {
880 /* Begin padding with a 1 bit: */
881 context->buffer[usedspace++] = 0x80;
882
883 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
884 /* Set-up for the last transform: */
885 memset(&context->buffer[usedspace], 0,
886 (size_t)(SHA512_SHORT_BLOCK_LENGTH - usedspace));
887 } else {
888 if (usedspace < SHA512_BLOCK_LENGTH) {
889 memset(&context->buffer[usedspace], 0,
890 (size_t)(SHA512_BLOCK_LENGTH - usedspace));
891 }
892 /* Do second-to-last transform: */
893 SHA512_Transform(context,
894 (uint64_t *)(void *)context->buffer);
895
896 /* And set-up for the last transform: */
897 memset(context->buffer, 0,
898 (size_t)(SHA512_BLOCK_LENGTH - 2));
899 }
900 } else {
901 /* Prepare for final transform: */
902 memset(context->buffer, 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH));
903
904 /* Begin padding with a 1 bit: */
905 *context->buffer = 0x80;
906 }
907 /* Store the length of input data (in bits): */
908 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH],
909 &context->bitcount[1], sizeof(context->bitcount[1]));
910 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8],
911 &context->bitcount[0], sizeof(context->bitcount[0]));
912
913 /* Final transform: */
914 SHA512_Transform(context, (uint64_t *)(void *)context->buffer);
915 }
916
917 int
SHA512_Final(uint8_t digest[],SHA512_CTX * context)918 SHA512_Final(uint8_t digest[], SHA512_CTX *context)
919 {
920 size_t i;
921
922 /* If no digest buffer is passed, we don't bother doing this: */
923 if (digest != NULL) {
924 SHA512_Last(context);
925
926 /* Save the hash data for output: */
927 for (i = 0; i < 8; ++i)
928 be64encode(digest + 8 * i, context->state[i]);
929 }
930
931 /* Zero out state data */
932 memset(context, 0, sizeof(*context));
933
934 return 1;
935 }
936
937 /*** SHA-384: *********************************************************/
938 int
SHA384_Init(SHA384_CTX * context)939 SHA384_Init(SHA384_CTX *context)
940 {
941 if (context == NULL)
942 return 1;
943
944 memcpy(context->state, sha384_initial_hash_value,
945 (size_t)(SHA512_DIGEST_LENGTH));
946 memset(context->buffer, 0, (size_t)(SHA384_BLOCK_LENGTH));
947 context->bitcount[0] = context->bitcount[1] = 0;
948
949 return 1;
950 }
951
952 int
SHA384_Update(SHA384_CTX * context,const uint8_t * data,size_t len)953 SHA384_Update(SHA384_CTX *context, const uint8_t *data, size_t len)
954 {
955 return SHA512_Update((SHA512_CTX *)context, data, len);
956 }
957
958 void
SHA384_Transform(SHA512_CTX * context,const uint64_t * data)959 SHA384_Transform(SHA512_CTX *context, const uint64_t *data)
960 {
961 SHA512_Transform((SHA512_CTX *)context, data);
962 }
963
964 int
SHA384_Final(uint8_t digest[],SHA384_CTX * context)965 SHA384_Final(uint8_t digest[], SHA384_CTX *context)
966 {
967 size_t i;
968
969 /* If no digest buffer is passed, we don't bother doing this: */
970 if (digest != NULL) {
971 SHA512_Last((SHA512_CTX *)context);
972
973 /* Save the hash data for output: */
974 for (i = 0; i < 6; ++i)
975 be64encode(digest + 8 * i, context->state[i]);
976 }
977
978 /* Zero out state data */
979 memset(context, 0, sizeof(*context));
980
981 return 1;
982 }
983