1 /* $NetBSD: sha2.c,v 1.1.1.1 2010/03/08 02:14:20 lukem Exp $ */ 2 3 /* OpenLDAP: pkg/ldap/contrib/slapd-modules/passwd/sha2/sha2.c,v 1.1.2.1 2009/01/26 21:07:06 quanah Exp */ 4 /* 5 * FILE: sha2.c 6 * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/ 7 * 8 * Copyright (c) 2000-2001, Aaron D. Gifford 9 * All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of the copyright holder nor the names of contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 * 35 * Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg 36 */ 37 38 #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */ 39 #include <assert.h> /* assert() */ 40 #include "sha2.h" 41 42 /* 43 * ASSERT NOTE: 44 * Some sanity checking code is included using assert(). On my FreeBSD 45 * system, this additional code can be removed by compiling with NDEBUG 46 * defined. Check your own systems manpage on assert() to see how to 47 * compile WITHOUT the sanity checking code on your system. 48 * 49 * UNROLLED TRANSFORM LOOP NOTE: 50 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform 51 * loop version for the hash transform rounds (defined using macros 52 * later in this file). Either define on the command line, for example: 53 * 54 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c 55 * 56 * or define below: 57 * 58 * #define SHA2_UNROLL_TRANSFORM 59 * 60 */ 61 62 63 /*** SHA-256/384/512 Machine Architecture Definitions *****************/ 64 /* 65 * BYTE_ORDER NOTE: 66 * 67 * Please make sure that your system defines BYTE_ORDER. If your 68 * architecture is little-endian, make sure it also defines 69 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are 70 * equivilent. 71 * 72 * If your system does not define the above, then you can do so by 73 * hand like this: 74 * 75 * #define LITTLE_ENDIAN 1234 76 * #define BIG_ENDIAN 4321 77 * 78 * And for little-endian machines, add: 79 * 80 * #define BYTE_ORDER LITTLE_ENDIAN 81 * 82 * Or for big-endian machines: 83 * 84 * #define BYTE_ORDER BIG_ENDIAN 85 * 86 * The FreeBSD machine this was written on defines BYTE_ORDER 87 * appropriately by including <sys/types.h> (which in turn includes 88 * <machine/endian.h> where the appropriate definitions are actually 89 * made). 90 */ 91 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) 92 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN 93 #endif 94 95 /* 96 * Define the followingsha2_* types to types of the correct length on 97 * the native archtecture. Most BSD systems and Linux define u_intXX_t 98 * types. Machines with very recent ANSI C headers, can use the 99 * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H 100 * during compile or in the sha.h header file. 101 * 102 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t 103 * will need to define these three typedefs below (and the appropriate 104 * ones in sha.h too) by hand according to their system architecture. 105 * 106 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t 107 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h. 108 */ 109 #ifdef SHA2_USE_INTTYPES_H 110 111 typedef uint8_t sha2_byte; /* Exactly 1 byte */ 112 typedef uint32_t sha2_word32; /* Exactly 4 bytes */ 113 typedef uint64_t sha2_word64; /* Exactly 8 bytes */ 114 115 #else /* SHA2_USE_INTTYPES_H */ 116 117 typedef u_int8_t sha2_byte; /* Exactly 1 byte */ 118 typedef u_int32_t sha2_word32; /* Exactly 4 bytes */ 119 typedef u_int64_t sha2_word64; /* Exactly 8 bytes */ 120 121 #endif /* SHA2_USE_INTTYPES_H */ 122 123 124 /*** SHA-256/384/512 Various Length Definitions ***********************/ 125 /* NOTE: Most of these are in sha2.h */ 126 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 127 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 128 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 129 130 131 /*** ENDIAN REVERSAL MACROS *******************************************/ 132 #if BYTE_ORDER == LITTLE_ENDIAN 133 #define REVERSE32(w,x) { \ 134 sha2_word32 tmp = (w); \ 135 tmp = (tmp >> 16) | (tmp << 16); \ 136 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \ 137 } 138 #define REVERSE64(w,x) { \ 139 sha2_word64 tmp = (w); \ 140 tmp = (tmp >> 32) | (tmp << 32); \ 141 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \ 142 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \ 143 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \ 144 ((tmp & 0x0000ffff0000ffffULL) << 16); \ 145 } 146 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 147 148 /* 149 * Macro for incrementally adding the unsigned 64-bit integer n to the 150 * unsigned 128-bit integer (represented using a two-element array of 151 * 64-bit words): 152 */ 153 #define ADDINC128(w,n) { \ 154 (w)[0] += (sha2_word64)(n); \ 155 if ((w)[0] < (n)) { \ 156 (w)[1]++; \ 157 } \ 158 } 159 160 /* 161 * Macros for copying blocks of memory and for zeroing out ranges 162 * of memory. Using these macros makes it easy to switch from 163 * using memset()/memcpy() and using bzero()/bcopy(). 164 * 165 * Please define either SHA2_USE_MEMSET_MEMCPY or define 166 * SHA2_USE_BZERO_BCOPY depending on which function set you 167 * choose to use: 168 */ 169 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY) 170 /* Default to memset()/memcpy() if no option is specified */ 171 #define SHA2_USE_MEMSET_MEMCPY 1 172 #endif 173 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY) 174 /* Abort with an error if BOTH options are defined */ 175 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both! 176 #endif 177 178 #ifdef SHA2_USE_MEMSET_MEMCPY 179 #define MEMSET_BZERO(p,l) memset((p), 0, (l)) 180 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l)) 181 #endif 182 #ifdef SHA2_USE_BZERO_BCOPY 183 #define MEMSET_BZERO(p,l) bzero((p), (l)) 184 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l)) 185 #endif 186 187 188 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 189 /* 190 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 191 * 192 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 193 * S is a ROTATION) because the SHA-256/384/512 description document 194 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 195 * same "backwards" definition. 196 */ 197 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 198 #define R(b,x) ((x) >> (b)) 199 /* 32-bit Rotate-right (used in SHA-256): */ 200 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 201 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 202 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 203 204 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 205 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 206 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 207 208 /* Four of six logical functions used in SHA-256: */ 209 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 210 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 211 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 212 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 213 214 /* Four of six logical functions used in SHA-384 and SHA-512: */ 215 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 216 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 217 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 218 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 219 220 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 221 /* NOTE: These should not be accessed directly from outside this 222 * library -- they are intended for private internal visibility/use 223 * only. 224 */ 225 void SHA512_Last(SHA512_CTX*); 226 void SHA256_Transform(SHA256_CTX*, const sha2_word32*); 227 void SHA512_Transform(SHA512_CTX*, const sha2_word64*); 228 229 230 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 231 /* Hash constant words K for SHA-256: */ 232 const static sha2_word32 K256[64] = { 233 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 234 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 235 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 236 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 237 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 238 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 239 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 240 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 241 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 242 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 243 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 244 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 245 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 246 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 247 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 248 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 249 }; 250 251 /* Initial hash value H for SHA-256: */ 252 const static sha2_word32 sha256_initial_hash_value[8] = { 253 0x6a09e667UL, 254 0xbb67ae85UL, 255 0x3c6ef372UL, 256 0xa54ff53aUL, 257 0x510e527fUL, 258 0x9b05688cUL, 259 0x1f83d9abUL, 260 0x5be0cd19UL 261 }; 262 263 /* Hash constant words K for SHA-384 and SHA-512: */ 264 const static sha2_word64 K512[80] = { 265 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 266 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 267 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 268 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 269 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 270 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 271 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 272 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 273 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 274 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 275 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 276 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 277 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 278 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 279 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 280 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 281 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 282 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 283 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 284 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 285 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 286 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 287 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 288 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 289 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 290 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 291 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 292 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 293 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 294 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 295 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 296 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 297 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 298 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 299 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 300 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 301 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 302 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 303 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 304 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 305 }; 306 307 /* Initial hash value H for SHA-384 */ 308 const static sha2_word64 sha384_initial_hash_value[8] = { 309 0xcbbb9d5dc1059ed8ULL, 310 0x629a292a367cd507ULL, 311 0x9159015a3070dd17ULL, 312 0x152fecd8f70e5939ULL, 313 0x67332667ffc00b31ULL, 314 0x8eb44a8768581511ULL, 315 0xdb0c2e0d64f98fa7ULL, 316 0x47b5481dbefa4fa4ULL 317 }; 318 319 /* Initial hash value H for SHA-512 */ 320 const static sha2_word64 sha512_initial_hash_value[8] = { 321 0x6a09e667f3bcc908ULL, 322 0xbb67ae8584caa73bULL, 323 0x3c6ef372fe94f82bULL, 324 0xa54ff53a5f1d36f1ULL, 325 0x510e527fade682d1ULL, 326 0x9b05688c2b3e6c1fULL, 327 0x1f83d9abfb41bd6bULL, 328 0x5be0cd19137e2179ULL 329 }; 330 331 /* 332 * Constant used by SHA256/384/512_End() functions for converting the 333 * digest to a readable hexadecimal character string: 334 */ 335 static const char *sha2_hex_digits = "0123456789abcdef"; 336 337 338 /*** SHA-256: *********************************************************/ 339 void SHA256_Init(SHA256_CTX* context) { 340 if (context == (SHA256_CTX*)0) { 341 return; 342 } 343 MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH); 344 MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH); 345 context->bitcount = 0; 346 } 347 348 #ifdef SHA2_UNROLL_TRANSFORM 349 350 /* Unrolled SHA-256 round macros: */ 351 352 #if BYTE_ORDER == LITTLE_ENDIAN 353 354 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 355 REVERSE32(*data++, W256[j]); \ 356 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 357 K256[j] + W256[j]; \ 358 (d) += T1; \ 359 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 360 j++ 361 362 363 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 364 365 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 366 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 367 K256[j] + (W256[j] = *data++); \ 368 (d) += T1; \ 369 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 370 j++ 371 372 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 373 374 #define ROUND256(a,b,c,d,e,f,g,h) \ 375 s0 = W256[(j+1)&0x0f]; \ 376 s0 = sigma0_256(s0); \ 377 s1 = W256[(j+14)&0x0f]; \ 378 s1 = sigma1_256(s1); \ 379 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 380 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 381 (d) += T1; \ 382 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 383 j++ 384 385 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { 386 sha2_word32 a, b, c, d, e, f, g, h, s0, s1; 387 sha2_word32 T1, *W256; 388 int j; 389 390 W256 = (sha2_word32*)context->buffer; 391 392 /* Initialize registers with the prev. intermediate value */ 393 a = context->state[0]; 394 b = context->state[1]; 395 c = context->state[2]; 396 d = context->state[3]; 397 e = context->state[4]; 398 f = context->state[5]; 399 g = context->state[6]; 400 h = context->state[7]; 401 402 j = 0; 403 do { 404 /* Rounds 0 to 15 (unrolled): */ 405 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 406 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 407 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 408 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 409 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 410 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 411 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 412 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 413 } while (j < 16); 414 415 /* Now for the remaining rounds to 64: */ 416 do { 417 ROUND256(a,b,c,d,e,f,g,h); 418 ROUND256(h,a,b,c,d,e,f,g); 419 ROUND256(g,h,a,b,c,d,e,f); 420 ROUND256(f,g,h,a,b,c,d,e); 421 ROUND256(e,f,g,h,a,b,c,d); 422 ROUND256(d,e,f,g,h,a,b,c); 423 ROUND256(c,d,e,f,g,h,a,b); 424 ROUND256(b,c,d,e,f,g,h,a); 425 } while (j < 64); 426 427 /* Compute the current intermediate hash value */ 428 context->state[0] += a; 429 context->state[1] += b; 430 context->state[2] += c; 431 context->state[3] += d; 432 context->state[4] += e; 433 context->state[5] += f; 434 context->state[6] += g; 435 context->state[7] += h; 436 437 /* Clean up */ 438 a = b = c = d = e = f = g = h = T1 = 0; 439 } 440 441 #else /* SHA2_UNROLL_TRANSFORM */ 442 443 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { 444 sha2_word32 a, b, c, d, e, f, g, h, s0, s1; 445 sha2_word32 T1, T2, *W256; 446 int j; 447 448 W256 = (sha2_word32*)context->buffer; 449 450 /* Initialize registers with the prev. intermediate value */ 451 a = context->state[0]; 452 b = context->state[1]; 453 c = context->state[2]; 454 d = context->state[3]; 455 e = context->state[4]; 456 f = context->state[5]; 457 g = context->state[6]; 458 h = context->state[7]; 459 460 j = 0; 461 do { 462 #if BYTE_ORDER == LITTLE_ENDIAN 463 /* Copy data while converting to host byte order */ 464 REVERSE32(*data++,W256[j]); 465 /* Apply the SHA-256 compression function to update a..h */ 466 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 467 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 468 /* Apply the SHA-256 compression function to update a..h with copy */ 469 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++); 470 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 471 T2 = Sigma0_256(a) + Maj(a, b, c); 472 h = g; 473 g = f; 474 f = e; 475 e = d + T1; 476 d = c; 477 c = b; 478 b = a; 479 a = T1 + T2; 480 481 j++; 482 } while (j < 16); 483 484 do { 485 /* Part of the message block expansion: */ 486 s0 = W256[(j+1)&0x0f]; 487 s0 = sigma0_256(s0); 488 s1 = W256[(j+14)&0x0f]; 489 s1 = sigma1_256(s1); 490 491 /* Apply the SHA-256 compression function to update a..h */ 492 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 493 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 494 T2 = Sigma0_256(a) + Maj(a, b, c); 495 h = g; 496 g = f; 497 f = e; 498 e = d + T1; 499 d = c; 500 c = b; 501 b = a; 502 a = T1 + T2; 503 504 j++; 505 } while (j < 64); 506 507 /* Compute the current intermediate hash value */ 508 context->state[0] += a; 509 context->state[1] += b; 510 context->state[2] += c; 511 context->state[3] += d; 512 context->state[4] += e; 513 context->state[5] += f; 514 context->state[6] += g; 515 context->state[7] += h; 516 517 /* Clean up */ 518 a = b = c = d = e = f = g = h = T1 = T2 = 0; 519 } 520 521 #endif /* SHA2_UNROLL_TRANSFORM */ 522 523 void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) { 524 unsigned int freespace, usedspace; 525 526 if (len == 0) { 527 /* Calling with no data is valid - we do nothing */ 528 return; 529 } 530 531 /* Sanity check: */ 532 assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0); 533 534 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; 535 if (usedspace > 0) { 536 /* Calculate how much free space is available in the buffer */ 537 freespace = SHA256_BLOCK_LENGTH - usedspace; 538 539 if (len >= freespace) { 540 /* Fill the buffer completely and process it */ 541 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace); 542 context->bitcount += freespace << 3; 543 len -= freespace; 544 data += freespace; 545 SHA256_Transform(context, (sha2_word32*)context->buffer); 546 } else { 547 /* The buffer is not yet full */ 548 MEMCPY_BCOPY(&context->buffer[usedspace], data, len); 549 context->bitcount += len << 3; 550 /* Clean up: */ 551 usedspace = freespace = 0; 552 return; 553 } 554 } 555 while (len >= SHA256_BLOCK_LENGTH) { 556 /* Process as many complete blocks as we can */ 557 SHA256_Transform(context, (sha2_word32*)data); 558 context->bitcount += SHA256_BLOCK_LENGTH << 3; 559 len -= SHA256_BLOCK_LENGTH; 560 data += SHA256_BLOCK_LENGTH; 561 } 562 if (len > 0) { 563 /* There's left-overs, so save 'em */ 564 MEMCPY_BCOPY(context->buffer, data, len); 565 context->bitcount += len << 3; 566 } 567 /* Clean up: */ 568 usedspace = freespace = 0; 569 } 570 571 void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) { 572 sha2_word32 *d = (sha2_word32*)digest; 573 unsigned int usedspace; 574 575 /* Sanity check: */ 576 assert(context != (SHA256_CTX*)0); 577 578 /* If no digest buffer is passed, we don't bother doing this: */ 579 if (digest != (sha2_byte*)0) { 580 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; 581 #if BYTE_ORDER == LITTLE_ENDIAN 582 /* Convert FROM host byte order */ 583 REVERSE64(context->bitcount,context->bitcount); 584 #endif 585 if (usedspace > 0) { 586 /* Begin padding with a 1 bit: */ 587 context->buffer[usedspace++] = 0x80; 588 589 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 590 /* Set-up for the last transform: */ 591 MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace); 592 } else { 593 if (usedspace < SHA256_BLOCK_LENGTH) { 594 MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace); 595 } 596 /* Do second-to-last transform: */ 597 SHA256_Transform(context, (sha2_word32*)context->buffer); 598 599 /* And set-up for the last transform: */ 600 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH); 601 } 602 } else { 603 /* Set-up for the last transform: */ 604 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH); 605 606 /* Begin padding with a 1 bit: */ 607 *context->buffer = 0x80; 608 } 609 /* Set the bit count: */ 610 *(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount; 611 612 /* Final transform: */ 613 SHA256_Transform(context, (sha2_word32*)context->buffer); 614 615 #if BYTE_ORDER == LITTLE_ENDIAN 616 { 617 /* Convert TO host byte order */ 618 int j; 619 for (j = 0; j < 8; j++) { 620 REVERSE32(context->state[j],context->state[j]); 621 *d++ = context->state[j]; 622 } 623 } 624 #else 625 MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH); 626 #endif 627 } 628 629 /* Clean up state data: */ 630 MEMSET_BZERO(context, sizeof(context)); 631 usedspace = 0; 632 } 633 634 char *SHA256_End(SHA256_CTX* context, char buffer[]) { 635 sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest; 636 int i; 637 638 /* Sanity check: */ 639 assert(context != (SHA256_CTX*)0); 640 641 if (buffer != (char*)0) { 642 SHA256_Final(digest, context); 643 644 for (i = 0; i < SHA256_DIGEST_LENGTH; i++) { 645 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 646 *buffer++ = sha2_hex_digits[*d & 0x0f]; 647 d++; 648 } 649 *buffer = (char)0; 650 } else { 651 MEMSET_BZERO(context, sizeof(context)); 652 } 653 MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH); 654 return buffer; 655 } 656 657 char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) { 658 SHA256_CTX context; 659 660 SHA256_Init(&context); 661 SHA256_Update(&context, data, len); 662 return SHA256_End(&context, digest); 663 } 664 665 666 /*** SHA-512: *********************************************************/ 667 void SHA512_Init(SHA512_CTX* context) { 668 if (context == (SHA512_CTX*)0) { 669 return; 670 } 671 MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH); 672 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH); 673 context->bitcount[0] = context->bitcount[1] = 0; 674 } 675 676 #ifdef SHA2_UNROLL_TRANSFORM 677 678 /* Unrolled SHA-512 round macros: */ 679 #if BYTE_ORDER == LITTLE_ENDIAN 680 681 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 682 REVERSE64(*data++, W512[j]); \ 683 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 684 K512[j] + W512[j]; \ 685 (d) += T1, \ 686 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 687 j++ 688 689 690 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 691 692 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 693 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 694 K512[j] + (W512[j] = *data++); \ 695 (d) += T1; \ 696 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 697 j++ 698 699 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 700 701 #define ROUND512(a,b,c,d,e,f,g,h) \ 702 s0 = W512[(j+1)&0x0f]; \ 703 s0 = sigma0_512(s0); \ 704 s1 = W512[(j+14)&0x0f]; \ 705 s1 = sigma1_512(s1); \ 706 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 707 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 708 (d) += T1; \ 709 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 710 j++ 711 712 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { 713 sha2_word64 a, b, c, d, e, f, g, h, s0, s1; 714 sha2_word64 T1, *W512 = (sha2_word64*)context->buffer; 715 int j; 716 717 /* Initialize registers with the prev. intermediate value */ 718 a = context->state[0]; 719 b = context->state[1]; 720 c = context->state[2]; 721 d = context->state[3]; 722 e = context->state[4]; 723 f = context->state[5]; 724 g = context->state[6]; 725 h = context->state[7]; 726 727 j = 0; 728 do { 729 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 730 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 731 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 732 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 733 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 734 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 735 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 736 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 737 } while (j < 16); 738 739 /* Now for the remaining rounds up to 79: */ 740 do { 741 ROUND512(a,b,c,d,e,f,g,h); 742 ROUND512(h,a,b,c,d,e,f,g); 743 ROUND512(g,h,a,b,c,d,e,f); 744 ROUND512(f,g,h,a,b,c,d,e); 745 ROUND512(e,f,g,h,a,b,c,d); 746 ROUND512(d,e,f,g,h,a,b,c); 747 ROUND512(c,d,e,f,g,h,a,b); 748 ROUND512(b,c,d,e,f,g,h,a); 749 } while (j < 80); 750 751 /* Compute the current intermediate hash value */ 752 context->state[0] += a; 753 context->state[1] += b; 754 context->state[2] += c; 755 context->state[3] += d; 756 context->state[4] += e; 757 context->state[5] += f; 758 context->state[6] += g; 759 context->state[7] += h; 760 761 /* Clean up */ 762 a = b = c = d = e = f = g = h = T1 = 0; 763 } 764 765 #else /* SHA2_UNROLL_TRANSFORM */ 766 767 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { 768 sha2_word64 a, b, c, d, e, f, g, h, s0, s1; 769 sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer; 770 int j; 771 772 /* Initialize registers with the prev. intermediate value */ 773 a = context->state[0]; 774 b = context->state[1]; 775 c = context->state[2]; 776 d = context->state[3]; 777 e = context->state[4]; 778 f = context->state[5]; 779 g = context->state[6]; 780 h = context->state[7]; 781 782 j = 0; 783 do { 784 #if BYTE_ORDER == LITTLE_ENDIAN 785 /* Convert TO host byte order */ 786 REVERSE64(*data++, W512[j]); 787 /* Apply the SHA-512 compression function to update a..h */ 788 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 789 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 790 /* Apply the SHA-512 compression function to update a..h with copy */ 791 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++); 792 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 793 T2 = Sigma0_512(a) + Maj(a, b, c); 794 h = g; 795 g = f; 796 f = e; 797 e = d + T1; 798 d = c; 799 c = b; 800 b = a; 801 a = T1 + T2; 802 803 j++; 804 } while (j < 16); 805 806 do { 807 /* Part of the message block expansion: */ 808 s0 = W512[(j+1)&0x0f]; 809 s0 = sigma0_512(s0); 810 s1 = W512[(j+14)&0x0f]; 811 s1 = sigma1_512(s1); 812 813 /* Apply the SHA-512 compression function to update a..h */ 814 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 815 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 816 T2 = Sigma0_512(a) + Maj(a, b, c); 817 h = g; 818 g = f; 819 f = e; 820 e = d + T1; 821 d = c; 822 c = b; 823 b = a; 824 a = T1 + T2; 825 826 j++; 827 } while (j < 80); 828 829 /* Compute the current intermediate hash value */ 830 context->state[0] += a; 831 context->state[1] += b; 832 context->state[2] += c; 833 context->state[3] += d; 834 context->state[4] += e; 835 context->state[5] += f; 836 context->state[6] += g; 837 context->state[7] += h; 838 839 /* Clean up */ 840 a = b = c = d = e = f = g = h = T1 = T2 = 0; 841 } 842 843 #endif /* SHA2_UNROLL_TRANSFORM */ 844 845 void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) { 846 unsigned int freespace, usedspace; 847 848 if (len == 0) { 849 /* Calling with no data is valid - we do nothing */ 850 return; 851 } 852 853 /* Sanity check: */ 854 assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0); 855 856 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 857 if (usedspace > 0) { 858 /* Calculate how much free space is available in the buffer */ 859 freespace = SHA512_BLOCK_LENGTH - usedspace; 860 861 if (len >= freespace) { 862 /* Fill the buffer completely and process it */ 863 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace); 864 ADDINC128(context->bitcount, freespace << 3); 865 len -= freespace; 866 data += freespace; 867 SHA512_Transform(context, (sha2_word64*)context->buffer); 868 } else { 869 /* The buffer is not yet full */ 870 MEMCPY_BCOPY(&context->buffer[usedspace], data, len); 871 ADDINC128(context->bitcount, len << 3); 872 /* Clean up: */ 873 usedspace = freespace = 0; 874 return; 875 } 876 } 877 while (len >= SHA512_BLOCK_LENGTH) { 878 /* Process as many complete blocks as we can */ 879 SHA512_Transform(context, (sha2_word64*)data); 880 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 881 len -= SHA512_BLOCK_LENGTH; 882 data += SHA512_BLOCK_LENGTH; 883 } 884 if (len > 0) { 885 /* There's left-overs, so save 'em */ 886 MEMCPY_BCOPY(context->buffer, data, len); 887 ADDINC128(context->bitcount, len << 3); 888 } 889 /* Clean up: */ 890 usedspace = freespace = 0; 891 } 892 893 void SHA512_Last(SHA512_CTX* context) { 894 unsigned int usedspace; 895 896 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 897 #if BYTE_ORDER == LITTLE_ENDIAN 898 /* Convert FROM host byte order */ 899 REVERSE64(context->bitcount[0],context->bitcount[0]); 900 REVERSE64(context->bitcount[1],context->bitcount[1]); 901 #endif 902 if (usedspace > 0) { 903 /* Begin padding with a 1 bit: */ 904 context->buffer[usedspace++] = 0x80; 905 906 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 907 /* Set-up for the last transform: */ 908 MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace); 909 } else { 910 if (usedspace < SHA512_BLOCK_LENGTH) { 911 MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace); 912 } 913 /* Do second-to-last transform: */ 914 SHA512_Transform(context, (sha2_word64*)context->buffer); 915 916 /* And set-up for the last transform: */ 917 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2); 918 } 919 } else { 920 /* Prepare for final transform: */ 921 MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH); 922 923 /* Begin padding with a 1 bit: */ 924 *context->buffer = 0x80; 925 } 926 /* Store the length of input data (in bits): */ 927 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1]; 928 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0]; 929 930 /* Final transform: */ 931 SHA512_Transform(context, (sha2_word64*)context->buffer); 932 } 933 934 void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) { 935 sha2_word64 *d = (sha2_word64*)digest; 936 937 /* Sanity check: */ 938 assert(context != (SHA512_CTX*)0); 939 940 /* If no digest buffer is passed, we don't bother doing this: */ 941 if (digest != (sha2_byte*)0) { 942 SHA512_Last(context); 943 944 /* Save the hash data for output: */ 945 #if BYTE_ORDER == LITTLE_ENDIAN 946 { 947 /* Convert TO host byte order */ 948 int j; 949 for (j = 0; j < 8; j++) { 950 REVERSE64(context->state[j],context->state[j]); 951 *d++ = context->state[j]; 952 } 953 } 954 #else 955 MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH); 956 #endif 957 } 958 959 /* Zero out state data */ 960 MEMSET_BZERO(context, sizeof(context)); 961 } 962 963 char *SHA512_End(SHA512_CTX* context, char buffer[]) { 964 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest; 965 int i; 966 967 /* Sanity check: */ 968 assert(context != (SHA512_CTX*)0); 969 970 if (buffer != (char*)0) { 971 SHA512_Final(digest, context); 972 973 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) { 974 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 975 *buffer++ = sha2_hex_digits[*d & 0x0f]; 976 d++; 977 } 978 *buffer = (char)0; 979 } else { 980 MEMSET_BZERO(context, sizeof(context)); 981 } 982 MEMSET_BZERO(digest, SHA512_DIGEST_LENGTH); 983 return buffer; 984 } 985 986 char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) { 987 SHA512_CTX context; 988 989 SHA512_Init(&context); 990 SHA512_Update(&context, data, len); 991 return SHA512_End(&context, digest); 992 } 993 994 995 /*** SHA-384: *********************************************************/ 996 void SHA384_Init(SHA384_CTX* context) { 997 if (context == (SHA384_CTX*)0) { 998 return; 999 } 1000 MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH); 1001 MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH); 1002 context->bitcount[0] = context->bitcount[1] = 0; 1003 } 1004 1005 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) { 1006 SHA512_Update((SHA512_CTX*)context, data, len); 1007 } 1008 1009 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) { 1010 sha2_word64 *d = (sha2_word64*)digest; 1011 1012 /* Sanity check: */ 1013 assert(context != (SHA384_CTX*)0); 1014 1015 /* If no digest buffer is passed, we don't bother doing this: */ 1016 if (digest != (sha2_byte*)0) { 1017 SHA512_Last((SHA512_CTX*)context); 1018 1019 /* Save the hash data for output: */ 1020 #if BYTE_ORDER == LITTLE_ENDIAN 1021 { 1022 /* Convert TO host byte order */ 1023 int j; 1024 for (j = 0; j < 6; j++) { 1025 REVERSE64(context->state[j],context->state[j]); 1026 *d++ = context->state[j]; 1027 } 1028 } 1029 #else 1030 MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH); 1031 #endif 1032 } 1033 1034 /* Zero out state data */ 1035 MEMSET_BZERO(context, sizeof(context)); 1036 } 1037 1038 char *SHA384_End(SHA384_CTX* context, char buffer[]) { 1039 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest; 1040 int i; 1041 1042 /* Sanity check: */ 1043 assert(context != (SHA384_CTX*)0); 1044 1045 if (buffer != (char*)0) { 1046 SHA384_Final(digest, context); 1047 1048 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) { 1049 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 1050 *buffer++ = sha2_hex_digits[*d & 0x0f]; 1051 d++; 1052 } 1053 *buffer = (char)0; 1054 } else { 1055 MEMSET_BZERO(context, sizeof(context)); 1056 } 1057 MEMSET_BZERO(digest, SHA384_DIGEST_LENGTH); 1058 return buffer; 1059 } 1060 1061 char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) { 1062 SHA384_CTX context; 1063 1064 SHA384_Init(&context); 1065 SHA384_Update(&context, data, len); 1066 return SHA384_End(&context, digest); 1067 } 1068 1069