1 /* $OpenBSD: sha2.c,v 1.8 2011/01/11 15:42:05 deraadt Exp $ */ 2 3 /* 4 * FILE: sha2.c 5 * AUTHOR: Aaron D. Gifford <me@aarongifford.com> 6 * 7 * Copyright (c) 2000-2001, Aaron D. Gifford 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the copyright holder nor the names of contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ 35 */ 36 37 #include <sys/param.h> 38 #include <sys/time.h> 39 #include <sys/systm.h> 40 #include <crypto/sha2.h> 41 42 /* 43 * UNROLLED TRANSFORM LOOP NOTE: 44 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform 45 * loop version for the hash transform rounds (defined using macros 46 * later in this file). Either define on the command line, for example: 47 * 48 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c 49 * 50 * or define below: 51 * 52 * #define SHA2_UNROLL_TRANSFORM 53 * 54 */ 55 56 57 /*** SHA-256/384/512 Machine Architecture Definitions *****************/ 58 /* 59 * BYTE_ORDER NOTE: 60 * 61 * Please make sure that your system defines BYTE_ORDER. If your 62 * architecture is little-endian, make sure it also defines 63 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are 64 * equivilent. 65 * 66 * If your system does not define the above, then you can do so by 67 * hand like this: 68 * 69 * #define LITTLE_ENDIAN 1234 70 * #define BIG_ENDIAN 4321 71 * 72 * And for little-endian machines, add: 73 * 74 * #define BYTE_ORDER LITTLE_ENDIAN 75 * 76 * Or for big-endian machines: 77 * 78 * #define BYTE_ORDER BIG_ENDIAN 79 * 80 * The FreeBSD machine this was written on defines BYTE_ORDER 81 * appropriately by including <sys/types.h> (which in turn includes 82 * <machine/endian.h> where the appropriate definitions are actually 83 * made). 84 */ 85 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) 86 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN 87 #endif 88 89 90 /*** SHA-256/384/512 Various Length Definitions ***********************/ 91 /* NOTE: Most of these are in sha2.h */ 92 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 93 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 94 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 95 96 97 /*** ENDIAN REVERSAL MACROS *******************************************/ 98 #if BYTE_ORDER == LITTLE_ENDIAN 99 #define REVERSE32(w,x) { \ 100 u_int32_t tmp = (w); \ 101 tmp = (tmp >> 16) | (tmp << 16); \ 102 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \ 103 } 104 #define REVERSE64(w,x) { \ 105 u_int64_t tmp = (w); \ 106 tmp = (tmp >> 32) | (tmp << 32); \ 107 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \ 108 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \ 109 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \ 110 ((tmp & 0x0000ffff0000ffffULL) << 16); \ 111 } 112 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 113 114 /* 115 * Macro for incrementally adding the unsigned 64-bit integer n to the 116 * unsigned 128-bit integer (represented using a two-element array of 117 * 64-bit words): 118 */ 119 #define ADDINC128(w,n) { \ 120 (w)[0] += (u_int64_t)(n); \ 121 if ((w)[0] < (n)) { \ 122 (w)[1]++; \ 123 } \ 124 } 125 126 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 127 /* 128 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 129 * 130 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 131 * S is a ROTATION) because the SHA-256/384/512 description document 132 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 133 * same "backwards" definition. 134 */ 135 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 136 #define R(b,x) ((x) >> (b)) 137 /* 32-bit Rotate-right (used in SHA-256): */ 138 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 139 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 140 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 141 142 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 143 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 144 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 145 146 /* Four of six logical functions used in SHA-256: */ 147 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 148 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 149 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 150 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 151 152 /* Four of six logical functions used in SHA-384 and SHA-512: */ 153 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 154 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 155 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 156 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 157 158 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 159 /* NOTE: These should not be accessed directly from outside this 160 * library -- they are intended for private internal visibility/use 161 * only. 162 */ 163 void SHA512Last(SHA2_CTX *); 164 void SHA256Transform(SHA2_CTX *, const u_int8_t *); 165 void SHA512Transform(SHA2_CTX *, const u_int8_t *); 166 167 168 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 169 /* Hash constant words K for SHA-256: */ 170 const static u_int32_t K256[64] = { 171 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 172 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 173 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 174 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 175 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 176 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 177 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 178 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 179 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 180 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 181 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 182 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 183 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 184 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 185 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 186 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 187 }; 188 189 /* Initial hash value H for SHA-256: */ 190 const static u_int32_t sha256_initial_hash_value[8] = { 191 0x6a09e667UL, 192 0xbb67ae85UL, 193 0x3c6ef372UL, 194 0xa54ff53aUL, 195 0x510e527fUL, 196 0x9b05688cUL, 197 0x1f83d9abUL, 198 0x5be0cd19UL 199 }; 200 201 /* Hash constant words K for SHA-384 and SHA-512: */ 202 const static u_int64_t K512[80] = { 203 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 204 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 205 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 206 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 207 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 208 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 209 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 210 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 211 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 212 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 213 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 214 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 215 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 216 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 217 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 218 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 219 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 220 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 221 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 222 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 223 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 224 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 225 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 226 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 227 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 228 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 229 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 230 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 231 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 232 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 233 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 234 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 235 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 236 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 237 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 238 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 239 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 240 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 241 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 242 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 243 }; 244 245 /* Initial hash value H for SHA-384 */ 246 const static u_int64_t sha384_initial_hash_value[8] = { 247 0xcbbb9d5dc1059ed8ULL, 248 0x629a292a367cd507ULL, 249 0x9159015a3070dd17ULL, 250 0x152fecd8f70e5939ULL, 251 0x67332667ffc00b31ULL, 252 0x8eb44a8768581511ULL, 253 0xdb0c2e0d64f98fa7ULL, 254 0x47b5481dbefa4fa4ULL 255 }; 256 257 /* Initial hash value H for SHA-512 */ 258 const static u_int64_t sha512_initial_hash_value[8] = { 259 0x6a09e667f3bcc908ULL, 260 0xbb67ae8584caa73bULL, 261 0x3c6ef372fe94f82bULL, 262 0xa54ff53a5f1d36f1ULL, 263 0x510e527fade682d1ULL, 264 0x9b05688c2b3e6c1fULL, 265 0x1f83d9abfb41bd6bULL, 266 0x5be0cd19137e2179ULL 267 }; 268 269 270 /*** SHA-256: *********************************************************/ 271 void 272 SHA256Init(SHA2_CTX *context) 273 { 274 if (context == NULL) 275 return; 276 bcopy(sha256_initial_hash_value, context->state.st32, 277 SHA256_DIGEST_LENGTH); 278 bzero(context->buffer, SHA256_BLOCK_LENGTH); 279 context->bitcount[0] = 0; 280 } 281 282 #ifdef SHA2_UNROLL_TRANSFORM 283 284 /* Unrolled SHA-256 round macros: */ 285 286 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \ 287 W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) | \ 288 ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24); \ 289 data += 4; \ 290 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \ 291 (d) += T1; \ 292 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ 293 j++; \ 294 } while(0) 295 296 #define ROUND256(a,b,c,d,e,f,g,h) do { \ 297 s0 = W256[(j+1)&0x0f]; \ 298 s0 = sigma0_256(s0); \ 299 s1 = W256[(j+14)&0x0f]; \ 300 s1 = sigma1_256(s1); \ 301 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \ 302 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 303 (d) += T1; \ 304 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ 305 j++; \ 306 } while(0) 307 308 void 309 SHA256Transform(SHA2_CTX *context, const u_int8_t *data) 310 { 311 u_int32_t a, b, c, d, e, f, g, h, s0, s1; 312 u_int32_t T1, *W256; 313 int j; 314 315 W256 = (u_int32_t *)context->buffer; 316 317 /* Initialize registers with the prev. intermediate value */ 318 a = context->state.st32[0]; 319 b = context->state.st32[1]; 320 c = context->state.st32[2]; 321 d = context->state.st32[3]; 322 e = context->state.st32[4]; 323 f = context->state.st32[5]; 324 g = context->state.st32[6]; 325 h = context->state.st32[7]; 326 327 j = 0; 328 do { 329 /* Rounds 0 to 15 (unrolled): */ 330 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 331 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 332 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 333 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 334 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 335 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 336 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 337 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 338 } while (j < 16); 339 340 /* Now for the remaining rounds to 64: */ 341 do { 342 ROUND256(a,b,c,d,e,f,g,h); 343 ROUND256(h,a,b,c,d,e,f,g); 344 ROUND256(g,h,a,b,c,d,e,f); 345 ROUND256(f,g,h,a,b,c,d,e); 346 ROUND256(e,f,g,h,a,b,c,d); 347 ROUND256(d,e,f,g,h,a,b,c); 348 ROUND256(c,d,e,f,g,h,a,b); 349 ROUND256(b,c,d,e,f,g,h,a); 350 } while (j < 64); 351 352 /* Compute the current intermediate hash value */ 353 context->state.st32[0] += a; 354 context->state.st32[1] += b; 355 context->state.st32[2] += c; 356 context->state.st32[3] += d; 357 context->state.st32[4] += e; 358 context->state.st32[5] += f; 359 context->state.st32[6] += g; 360 context->state.st32[7] += h; 361 362 /* Clean up */ 363 a = b = c = d = e = f = g = h = T1 = 0; 364 } 365 366 #else /* SHA2_UNROLL_TRANSFORM */ 367 368 void 369 SHA256Transform(SHA2_CTX *context, const u_int8_t *data) 370 { 371 u_int32_t a, b, c, d, e, f, g, h, s0, s1; 372 u_int32_t T1, T2, *W256; 373 int j; 374 375 W256 = (u_int32_t *)context->buffer; 376 377 /* Initialize registers with the prev. intermediate value */ 378 a = context->state.st32[0]; 379 b = context->state.st32[1]; 380 c = context->state.st32[2]; 381 d = context->state.st32[3]; 382 e = context->state.st32[4]; 383 f = context->state.st32[5]; 384 g = context->state.st32[6]; 385 h = context->state.st32[7]; 386 387 j = 0; 388 do { 389 W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) | 390 ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24); 391 data += 4; 392 /* Apply the SHA-256 compression function to update a..h */ 393 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 394 T2 = Sigma0_256(a) + Maj(a, b, c); 395 h = g; 396 g = f; 397 f = e; 398 e = d + T1; 399 d = c; 400 c = b; 401 b = a; 402 a = T1 + T2; 403 404 j++; 405 } while (j < 16); 406 407 do { 408 /* Part of the message block expansion: */ 409 s0 = W256[(j+1)&0x0f]; 410 s0 = sigma0_256(s0); 411 s1 = W256[(j+14)&0x0f]; 412 s1 = sigma1_256(s1); 413 414 /* Apply the SHA-256 compression function to update a..h */ 415 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 416 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 417 T2 = Sigma0_256(a) + Maj(a, b, c); 418 h = g; 419 g = f; 420 f = e; 421 e = d + T1; 422 d = c; 423 c = b; 424 b = a; 425 a = T1 + T2; 426 427 j++; 428 } while (j < 64); 429 430 /* Compute the current intermediate hash value */ 431 context->state.st32[0] += a; 432 context->state.st32[1] += b; 433 context->state.st32[2] += c; 434 context->state.st32[3] += d; 435 context->state.st32[4] += e; 436 context->state.st32[5] += f; 437 context->state.st32[6] += g; 438 context->state.st32[7] += h; 439 440 /* Clean up */ 441 a = b = c = d = e = f = g = h = T1 = T2 = 0; 442 } 443 444 #endif /* SHA2_UNROLL_TRANSFORM */ 445 446 void 447 SHA256Update(SHA2_CTX *context, const u_int8_t *data, size_t len) 448 { 449 size_t freespace, usedspace; 450 451 /* Calling with no data is valid (we do nothing) */ 452 if (len == 0) 453 return; 454 455 usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; 456 if (usedspace > 0) { 457 /* Calculate how much free space is available in the buffer */ 458 freespace = SHA256_BLOCK_LENGTH - usedspace; 459 460 if (len >= freespace) { 461 /* Fill the buffer completely and process it */ 462 bcopy(data, &context->buffer[usedspace], freespace); 463 context->bitcount[0] += freespace << 3; 464 len -= freespace; 465 data += freespace; 466 SHA256Transform(context, context->buffer); 467 } else { 468 /* The buffer is not yet full */ 469 bcopy(data, &context->buffer[usedspace], len); 470 context->bitcount[0] += len << 3; 471 /* Clean up: */ 472 usedspace = freespace = 0; 473 return; 474 } 475 } 476 while (len >= SHA256_BLOCK_LENGTH) { 477 /* Process as many complete blocks as we can */ 478 SHA256Transform(context, data); 479 context->bitcount[0] += SHA256_BLOCK_LENGTH << 3; 480 len -= SHA256_BLOCK_LENGTH; 481 data += SHA256_BLOCK_LENGTH; 482 } 483 if (len > 0) { 484 /* There's left-overs, so save 'em */ 485 bcopy(data, context->buffer, len); 486 context->bitcount[0] += len << 3; 487 } 488 /* Clean up: */ 489 usedspace = freespace = 0; 490 } 491 492 void 493 SHA256Final(u_int8_t digest[], SHA2_CTX *context) 494 { 495 u_int32_t *d = (u_int32_t *)digest; 496 unsigned int usedspace; 497 498 /* If no digest buffer is passed, we don't bother doing this: */ 499 if (digest != NULL) { 500 usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; 501 #if BYTE_ORDER == LITTLE_ENDIAN 502 /* Convert FROM host byte order */ 503 REVERSE64(context->bitcount[0], context->bitcount[0]); 504 #endif 505 if (usedspace > 0) { 506 /* Begin padding with a 1 bit: */ 507 context->buffer[usedspace++] = 0x80; 508 509 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 510 /* Set-up for the last transform: */ 511 bzero(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace); 512 } else { 513 if (usedspace < SHA256_BLOCK_LENGTH) { 514 bzero(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace); 515 } 516 /* Do second-to-last transform: */ 517 SHA256Transform(context, context->buffer); 518 519 /* And set-up for the last transform: */ 520 bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH); 521 } 522 } else { 523 /* Set-up for the last transform: */ 524 bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH); 525 526 /* Begin padding with a 1 bit: */ 527 *context->buffer = 0x80; 528 } 529 /* Set the bit count: */ 530 *(u_int64_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount[0]; 531 532 /* Final transform: */ 533 SHA256Transform(context, context->buffer); 534 535 #if BYTE_ORDER == LITTLE_ENDIAN 536 { 537 /* Convert TO host byte order */ 538 int j; 539 for (j = 0; j < 8; j++) { 540 REVERSE32(context->state.st32[j], 541 context->state.st32[j]); 542 *d++ = context->state.st32[j]; 543 } 544 } 545 #else 546 bcopy(context->state.st32, d, SHA256_DIGEST_LENGTH); 547 #endif 548 } 549 550 /* Clean up state data: */ 551 explicit_bzero(context, sizeof(*context)); 552 usedspace = 0; 553 } 554 555 556 /*** SHA-512: *********************************************************/ 557 void 558 SHA512Init(SHA2_CTX *context) 559 { 560 if (context == NULL) 561 return; 562 bcopy(sha512_initial_hash_value, context->state.st64, 563 SHA512_DIGEST_LENGTH); 564 bzero(context->buffer, SHA512_BLOCK_LENGTH); 565 context->bitcount[0] = context->bitcount[1] = 0; 566 } 567 568 #ifdef SHA2_UNROLL_TRANSFORM 569 570 /* Unrolled SHA-512 round macros: */ 571 572 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \ 573 W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) | \ 574 ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) | \ 575 ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) | \ 576 ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56); \ 577 data += 8; \ 578 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \ 579 (d) += T1; \ 580 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ 581 j++; \ 582 } while(0) 583 584 585 #define ROUND512(a,b,c,d,e,f,g,h) do { \ 586 s0 = W512[(j+1)&0x0f]; \ 587 s0 = sigma0_512(s0); \ 588 s1 = W512[(j+14)&0x0f]; \ 589 s1 = sigma1_512(s1); \ 590 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \ 591 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 592 (d) += T1; \ 593 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ 594 j++; \ 595 } while(0) 596 597 void 598 SHA512Transform(SHA2_CTX *context, const u_int8_t *data) 599 { 600 u_int64_t a, b, c, d, e, f, g, h, s0, s1; 601 u_int64_t T1, *W512 = (u_int64_t *)context->buffer; 602 int j; 603 604 /* Initialize registers with the prev. intermediate value */ 605 a = context->state.st64[0]; 606 b = context->state.st64[1]; 607 c = context->state.st64[2]; 608 d = context->state.st64[3]; 609 e = context->state.st64[4]; 610 f = context->state.st64[5]; 611 g = context->state.st64[6]; 612 h = context->state.st64[7]; 613 614 j = 0; 615 do { 616 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 617 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 618 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 619 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 620 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 621 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 622 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 623 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 624 } while (j < 16); 625 626 /* Now for the remaining rounds up to 79: */ 627 do { 628 ROUND512(a,b,c,d,e,f,g,h); 629 ROUND512(h,a,b,c,d,e,f,g); 630 ROUND512(g,h,a,b,c,d,e,f); 631 ROUND512(f,g,h,a,b,c,d,e); 632 ROUND512(e,f,g,h,a,b,c,d); 633 ROUND512(d,e,f,g,h,a,b,c); 634 ROUND512(c,d,e,f,g,h,a,b); 635 ROUND512(b,c,d,e,f,g,h,a); 636 } while (j < 80); 637 638 /* Compute the current intermediate hash value */ 639 context->state.st64[0] += a; 640 context->state.st64[1] += b; 641 context->state.st64[2] += c; 642 context->state.st64[3] += d; 643 context->state.st64[4] += e; 644 context->state.st64[5] += f; 645 context->state.st64[6] += g; 646 context->state.st64[7] += h; 647 648 /* Clean up */ 649 a = b = c = d = e = f = g = h = T1 = 0; 650 } 651 652 #else /* SHA2_UNROLL_TRANSFORM */ 653 654 void 655 SHA512Transform(SHA2_CTX *context, const u_int8_t *data) 656 { 657 u_int64_t a, b, c, d, e, f, g, h, s0, s1; 658 u_int64_t T1, T2, *W512 = (u_int64_t *)context->buffer; 659 int j; 660 661 /* Initialize registers with the prev. intermediate value */ 662 a = context->state.st64[0]; 663 b = context->state.st64[1]; 664 c = context->state.st64[2]; 665 d = context->state.st64[3]; 666 e = context->state.st64[4]; 667 f = context->state.st64[5]; 668 g = context->state.st64[6]; 669 h = context->state.st64[7]; 670 671 j = 0; 672 do { 673 W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) | 674 ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) | 675 ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) | 676 ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56); 677 data += 8; 678 /* Apply the SHA-512 compression function to update a..h */ 679 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 680 T2 = Sigma0_512(a) + Maj(a, b, c); 681 h = g; 682 g = f; 683 f = e; 684 e = d + T1; 685 d = c; 686 c = b; 687 b = a; 688 a = T1 + T2; 689 690 j++; 691 } while (j < 16); 692 693 do { 694 /* Part of the message block expansion: */ 695 s0 = W512[(j+1)&0x0f]; 696 s0 = sigma0_512(s0); 697 s1 = W512[(j+14)&0x0f]; 698 s1 = sigma1_512(s1); 699 700 /* Apply the SHA-512 compression function to update a..h */ 701 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 702 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 703 T2 = Sigma0_512(a) + Maj(a, b, c); 704 h = g; 705 g = f; 706 f = e; 707 e = d + T1; 708 d = c; 709 c = b; 710 b = a; 711 a = T1 + T2; 712 713 j++; 714 } while (j < 80); 715 716 /* Compute the current intermediate hash value */ 717 context->state.st64[0] += a; 718 context->state.st64[1] += b; 719 context->state.st64[2] += c; 720 context->state.st64[3] += d; 721 context->state.st64[4] += e; 722 context->state.st64[5] += f; 723 context->state.st64[6] += g; 724 context->state.st64[7] += h; 725 726 /* Clean up */ 727 a = b = c = d = e = f = g = h = T1 = T2 = 0; 728 } 729 730 #endif /* SHA2_UNROLL_TRANSFORM */ 731 732 void 733 SHA512Update(SHA2_CTX *context, const u_int8_t *data, size_t len) 734 { 735 size_t freespace, usedspace; 736 737 /* Calling with no data is valid (we do nothing) */ 738 if (len == 0) 739 return; 740 741 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 742 if (usedspace > 0) { 743 /* Calculate how much free space is available in the buffer */ 744 freespace = SHA512_BLOCK_LENGTH - usedspace; 745 746 if (len >= freespace) { 747 /* Fill the buffer completely and process it */ 748 bcopy(data, &context->buffer[usedspace], freespace); 749 ADDINC128(context->bitcount, freespace << 3); 750 len -= freespace; 751 data += freespace; 752 SHA512Transform(context, context->buffer); 753 } else { 754 /* The buffer is not yet full */ 755 bcopy(data, &context->buffer[usedspace], len); 756 ADDINC128(context->bitcount, len << 3); 757 /* Clean up: */ 758 usedspace = freespace = 0; 759 return; 760 } 761 } 762 while (len >= SHA512_BLOCK_LENGTH) { 763 /* Process as many complete blocks as we can */ 764 SHA512Transform(context, data); 765 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 766 len -= SHA512_BLOCK_LENGTH; 767 data += SHA512_BLOCK_LENGTH; 768 } 769 if (len > 0) { 770 /* There's left-overs, so save 'em */ 771 bcopy(data, context->buffer, len); 772 ADDINC128(context->bitcount, len << 3); 773 } 774 /* Clean up: */ 775 usedspace = freespace = 0; 776 } 777 778 void 779 SHA512Last(SHA2_CTX *context) 780 { 781 unsigned int usedspace; 782 783 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 784 #if BYTE_ORDER == LITTLE_ENDIAN 785 /* Convert FROM host byte order */ 786 REVERSE64(context->bitcount[0],context->bitcount[0]); 787 REVERSE64(context->bitcount[1],context->bitcount[1]); 788 #endif 789 if (usedspace > 0) { 790 /* Begin padding with a 1 bit: */ 791 context->buffer[usedspace++] = 0x80; 792 793 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 794 /* Set-up for the last transform: */ 795 bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace); 796 } else { 797 if (usedspace < SHA512_BLOCK_LENGTH) { 798 bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace); 799 } 800 /* Do second-to-last transform: */ 801 SHA512Transform(context, context->buffer); 802 803 /* And set-up for the last transform: */ 804 bzero(context->buffer, SHA512_BLOCK_LENGTH - 2); 805 } 806 } else { 807 /* Prepare for final transform: */ 808 bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH); 809 810 /* Begin padding with a 1 bit: */ 811 *context->buffer = 0x80; 812 } 813 /* Store the length of input data (in bits): */ 814 *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1]; 815 *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0]; 816 817 /* Final transform: */ 818 SHA512Transform(context, context->buffer); 819 } 820 821 void 822 SHA512Final(u_int8_t digest[], SHA2_CTX *context) 823 { 824 u_int64_t *d = (u_int64_t *)digest; 825 826 /* If no digest buffer is passed, we don't bother doing this: */ 827 if (digest != NULL) { 828 SHA512Last(context); 829 830 /* Save the hash data for output: */ 831 #if BYTE_ORDER == LITTLE_ENDIAN 832 { 833 /* Convert TO host byte order */ 834 int j; 835 for (j = 0; j < 8; j++) { 836 REVERSE64(context->state.st64[j], 837 context->state.st64[j]); 838 *d++ = context->state.st64[j]; 839 } 840 } 841 #else 842 bcopy(context->state.st64, d, SHA512_DIGEST_LENGTH); 843 #endif 844 } 845 846 /* Zero out state data */ 847 explicit_bzero(context, sizeof(*context)); 848 } 849 850 851 /*** SHA-384: *********************************************************/ 852 void 853 SHA384Init(SHA2_CTX *context) 854 { 855 if (context == NULL) 856 return; 857 bcopy(sha384_initial_hash_value, context->state.st64, 858 SHA512_DIGEST_LENGTH); 859 bzero(context->buffer, SHA384_BLOCK_LENGTH); 860 context->bitcount[0] = context->bitcount[1] = 0; 861 } 862 863 void 864 SHA384Update(SHA2_CTX *context, const u_int8_t *data, size_t len) 865 { 866 SHA512Update((SHA2_CTX *)context, data, len); 867 } 868 869 void 870 SHA384Final(u_int8_t digest[], SHA2_CTX *context) 871 { 872 u_int64_t *d = (u_int64_t *)digest; 873 874 /* If no digest buffer is passed, we don't bother doing this: */ 875 if (digest != NULL) { 876 SHA512Last((SHA2_CTX *)context); 877 878 /* Save the hash data for output: */ 879 #if BYTE_ORDER == LITTLE_ENDIAN 880 { 881 /* Convert TO host byte order */ 882 int j; 883 for (j = 0; j < 6; j++) { 884 REVERSE64(context->state.st64[j], 885 context->state.st64[j]); 886 *d++ = context->state.st64[j]; 887 } 888 } 889 #else 890 bcopy(context->state.st64, d, SHA384_DIGEST_LENGTH); 891 #endif 892 } 893 894 /* Zero out state data */ 895 explicit_bzero(context, sizeof(*context)); 896 } 897