1 /* $NetBSD: sha2.c,v 1.26 2024/01/20 14:55:02 christos Exp $ */ 2 /* $KAME: sha2.c,v 1.9 2003/07/20 00:28:38 itojun Exp $ */ 3 4 /* 5 * sha2.c 6 * 7 * Version 1.0.0beta1 8 * 9 * Written by Aaron D. Gifford <me (at) aarongifford.com> 10 * 11 * Copyright 2000 Aaron D. Gifford. All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of the copyright holder nor the names of contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 */ 38 39 #if HAVE_NBTOOL_CONFIG_H 40 #include "nbtool_config.h" 41 #endif 42 43 #include <sys/cdefs.h> 44 45 #if defined(_KERNEL) || defined(_STANDALONE) 46 __KERNEL_RCSID(0, "$NetBSD: sha2.c,v 1.26 2024/01/20 14:55:02 christos Exp $"); 47 48 #include <sys/param.h> /* XXX: to pull <machine/macros.h> for vax memset(9) */ 49 #include <lib/libkern/libkern.h> 50 51 #else 52 53 #if defined(LIBC_SCCS) && !defined(lint) 54 __RCSID("$NetBSD: sha2.c,v 1.26 2024/01/20 14:55:02 christos Exp $"); 55 #endif /* LIBC_SCCS and not lint */ 56 57 #include "namespace.h" 58 #include <string.h> 59 60 #endif 61 62 #ifndef _LIBC_INTERNAL 63 #define _LIBC_INTERNAL 64 #endif 65 66 #include <sys/types.h> 67 #include <sys/sha2.h> 68 69 #if HAVE_SYS_ENDIAN_H 70 # include <sys/endian.h> 71 #endif 72 73 /*** SHA-256/384/512 Various Length Definitions ***********************/ 74 /* NOTE: Most of these are in sha2.h */ 75 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 76 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 77 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 78 79 /* 80 * Macro for incrementally adding the unsigned 64-bit integer n to the 81 * unsigned 128-bit integer (represented using a two-element array of 82 * 64-bit words): 83 */ 84 #define ADDINC128(w,n) { \ 85 (w)[0] += (uint64_t)(n); \ 86 if ((w)[0] < (n)) { \ 87 (w)[1]++; \ 88 } \ 89 } 90 91 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 92 /* 93 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 94 * 95 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 96 * S is a ROTATION) because the SHA-256/384/512 description document 97 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 98 * same "backwards" definition. 99 */ 100 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 101 #define R(b,x) ((x) >> (b)) 102 /* 32-bit Rotate-right (used in SHA-256): */ 103 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 104 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 105 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 106 107 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 108 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 109 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 110 111 /* Four of six logical functions used in SHA-256: */ 112 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 113 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 114 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 115 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 116 117 /* Four of six logical functions used in SHA-384 and SHA-512: */ 118 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 119 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 120 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 121 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 122 123 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 124 /* NOTE: These should not be accessed directly from outside this 125 * library -- they are intended for private internal visibility/use 126 * only. 127 */ 128 static void SHA512_Last(SHA512_CTX *); 129 130 131 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 132 /* Hash constant words K for SHA-256: */ 133 static const uint32_t K256[64] = { 134 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 135 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 136 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 137 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 138 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 139 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 140 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 141 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 142 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 143 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 144 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 145 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 146 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 147 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 148 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 149 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 150 }; 151 152 /* Initial hash value H for SHA-224: */ 153 static const uint32_t sha224_initial_hash_value[8] = { 154 0xc1059ed8UL, 155 0x367cd507UL, 156 0x3070dd17UL, 157 0xf70e5939UL, 158 0xffc00b31UL, 159 0x68581511UL, 160 0x64f98fa7UL, 161 0xbefa4fa4UL 162 }; 163 164 /* Initial hash value H for SHA-256: */ 165 static const uint32_t sha256_initial_hash_value[8] = { 166 0x6a09e667UL, 167 0xbb67ae85UL, 168 0x3c6ef372UL, 169 0xa54ff53aUL, 170 0x510e527fUL, 171 0x9b05688cUL, 172 0x1f83d9abUL, 173 0x5be0cd19UL 174 }; 175 176 /* Hash constant words K for SHA-384 and SHA-512: */ 177 static const uint64_t K512[80] = { 178 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 179 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 180 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 181 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 182 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 183 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 184 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 185 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 186 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 187 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 188 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 189 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 190 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 191 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 192 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 193 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 194 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 195 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 196 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 197 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 198 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 199 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 200 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 201 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 202 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 203 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 204 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 205 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 206 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 207 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 208 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 209 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 210 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 211 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 212 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 213 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 214 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 215 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 216 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 217 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 218 }; 219 220 /* Initial hash value H for SHA-384 */ 221 static const uint64_t sha384_initial_hash_value[8] = { 222 0xcbbb9d5dc1059ed8ULL, 223 0x629a292a367cd507ULL, 224 0x9159015a3070dd17ULL, 225 0x152fecd8f70e5939ULL, 226 0x67332667ffc00b31ULL, 227 0x8eb44a8768581511ULL, 228 0xdb0c2e0d64f98fa7ULL, 229 0x47b5481dbefa4fa4ULL 230 }; 231 232 /* Initial hash value H for SHA-512 */ 233 static const uint64_t sha512_initial_hash_value[8] = { 234 0x6a09e667f3bcc908ULL, 235 0xbb67ae8584caa73bULL, 236 0x3c6ef372fe94f82bULL, 237 0xa54ff53a5f1d36f1ULL, 238 0x510e527fade682d1ULL, 239 0x9b05688c2b3e6c1fULL, 240 0x1f83d9abfb41bd6bULL, 241 0x5be0cd19137e2179ULL 242 }; 243 244 #if !defined(_KERNEL) && !defined(_STANDALONE) 245 #if defined(__weak_alias) 246 __weak_alias(SHA224_Init,_SHA224_Init) 247 __weak_alias(SHA224_Update,_SHA224_Update) 248 __weak_alias(SHA224_Final,_SHA224_Final) 249 __weak_alias(SHA224_Transform,_SHA224_Transform) 250 251 __weak_alias(SHA256_Init,_SHA256_Init) 252 __weak_alias(SHA256_Update,_SHA256_Update) 253 __weak_alias(SHA256_Final,_SHA256_Final) 254 __weak_alias(SHA256_Transform,_SHA256_Transform) 255 256 __weak_alias(SHA384_Init,_SHA384_Init) 257 __weak_alias(SHA384_Update,_SHA384_Update) 258 __weak_alias(SHA384_Final,_SHA384_Final) 259 __weak_alias(SHA384_Transform,_SHA384_Transform) 260 261 __weak_alias(SHA512_Init,_SHA512_Init) 262 __weak_alias(SHA512_Update,_SHA512_Update) 263 __weak_alias(SHA512_Final,_SHA512_Final) 264 __weak_alias(SHA512_Transform,_SHA512_Transform) 265 #endif 266 #endif 267 268 /*** SHA-256: *********************************************************/ 269 int 270 SHA256_Init(SHA256_CTX *context) 271 { 272 if (context == NULL) 273 return 1; 274 275 memcpy(context->state, sha256_initial_hash_value, 276 (size_t)(SHA256_DIGEST_LENGTH)); 277 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 278 context->bitcount = 0; 279 280 return 1; 281 } 282 283 #ifdef SHA2_UNROLL_TRANSFORM 284 285 /* Unrolled SHA-256 round macros: */ 286 287 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 288 W256[j] = be32dec(data); \ 289 ++data; \ 290 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 291 K256[j] + W256[j]; \ 292 (d) += T1; \ 293 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 294 j++ 295 296 #define ROUND256(a,b,c,d,e,f,g,h) \ 297 s0 = W256[(j+1)&0x0f]; \ 298 s0 = sigma0_256(s0); \ 299 s1 = W256[(j+14)&0x0f]; \ 300 s1 = sigma1_256(s1); \ 301 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 302 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 303 (d) += T1; \ 304 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 305 j++ 306 307 void 308 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 309 { 310 uint32_t a, b, c, d, e, f, g, h, s0, s1; 311 uint32_t T1, *W256; 312 int j; 313 314 W256 = (uint32_t *)context->buffer; 315 316 /* Initialize registers with the prev. intermediate value */ 317 a = context->state[0]; 318 b = context->state[1]; 319 c = context->state[2]; 320 d = context->state[3]; 321 e = context->state[4]; 322 f = context->state[5]; 323 g = context->state[6]; 324 h = context->state[7]; 325 326 j = 0; 327 do { 328 /* Rounds 0 to 15 (unrolled): */ 329 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 330 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 331 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 332 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 333 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 334 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 335 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 336 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 337 } while (j < 16); 338 339 /* Now for the remaining rounds to 64: */ 340 do { 341 ROUND256(a,b,c,d,e,f,g,h); 342 ROUND256(h,a,b,c,d,e,f,g); 343 ROUND256(g,h,a,b,c,d,e,f); 344 ROUND256(f,g,h,a,b,c,d,e); 345 ROUND256(e,f,g,h,a,b,c,d); 346 ROUND256(d,e,f,g,h,a,b,c); 347 ROUND256(c,d,e,f,g,h,a,b); 348 ROUND256(b,c,d,e,f,g,h,a); 349 } while (j < 64); 350 351 /* Compute the current intermediate hash value */ 352 context->state[0] += a; 353 context->state[1] += b; 354 context->state[2] += c; 355 context->state[3] += d; 356 context->state[4] += e; 357 context->state[5] += f; 358 context->state[6] += g; 359 context->state[7] += h; 360 361 /* Clean up */ 362 a = b = c = d = e = f = g = h = T1 = 0; 363 } 364 365 #else /* SHA2_UNROLL_TRANSFORM */ 366 367 void 368 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 369 { 370 uint32_t a, b, c, d, e, f, g, h, s0, s1; 371 uint32_t T1, T2, *W256; 372 int j; 373 374 W256 = (uint32_t *)(void *)context->buffer; 375 376 /* Initialize registers with the prev. intermediate value */ 377 a = context->state[0]; 378 b = context->state[1]; 379 c = context->state[2]; 380 d = context->state[3]; 381 e = context->state[4]; 382 f = context->state[5]; 383 g = context->state[6]; 384 h = context->state[7]; 385 386 j = 0; 387 do { 388 W256[j] = be32dec(data); 389 ++data; 390 /* Apply the SHA-256 compression function to update a..h */ 391 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 392 T2 = Sigma0_256(a) + Maj(a, b, c); 393 h = g; 394 g = f; 395 f = e; 396 e = d + T1; 397 d = c; 398 c = b; 399 b = a; 400 a = T1 + T2; 401 402 j++; 403 } while (j < 16); 404 405 do { 406 /* Part of the message block expansion: */ 407 s0 = W256[(j+1)&0x0f]; 408 s0 = sigma0_256(s0); 409 s1 = W256[(j+14)&0x0f]; 410 s1 = sigma1_256(s1); 411 412 /* Apply the SHA-256 compression function to update a..h */ 413 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 414 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 415 T2 = Sigma0_256(a) + Maj(a, b, c); 416 h = g; 417 g = f; 418 f = e; 419 e = d + T1; 420 d = c; 421 c = b; 422 b = a; 423 a = T1 + T2; 424 425 j++; 426 } while (j < 64); 427 428 /* Compute the current intermediate hash value */ 429 context->state[0] += a; 430 context->state[1] += b; 431 context->state[2] += c; 432 context->state[3] += d; 433 context->state[4] += e; 434 context->state[5] += f; 435 context->state[6] += g; 436 context->state[7] += h; 437 438 /* Clean up */ 439 a = b = c = d = e = f = g = h = T1 = T2 = 0; 440 } 441 442 #endif /* SHA2_UNROLL_TRANSFORM */ 443 444 int 445 SHA256_Update(SHA256_CTX *context, const uint8_t *data, size_t len) 446 { 447 unsigned int freespace, usedspace; 448 449 if (len == 0) { 450 /* Calling with no data is valid - we do nothing */ 451 return 1; 452 } 453 454 usedspace = (unsigned int)((context->bitcount >> 3) % 455 SHA256_BLOCK_LENGTH); 456 if (usedspace > 0) { 457 /* Calculate how much free space is available in the buffer */ 458 freespace = SHA256_BLOCK_LENGTH - usedspace; 459 460 if (len >= freespace) { 461 /* Fill the buffer completely and process it */ 462 memcpy(&context->buffer[usedspace], data, 463 (size_t)(freespace)); 464 context->bitcount += freespace << 3; 465 len -= freespace; 466 data += freespace; 467 SHA256_Transform(context, 468 (uint32_t *)(void *)context->buffer); 469 } else { 470 /* The buffer is not yet full */ 471 memcpy(&context->buffer[usedspace], data, len); 472 context->bitcount += len << 3; 473 /* Clean up: */ 474 usedspace = freespace = 0; 475 return 1; 476 } 477 } 478 /* 479 * Process as many complete blocks as possible. 480 * 481 * Check alignment of the data pointer. If it is 32bit aligned, 482 * SHA256_Transform can be called directly on the data stream, 483 * otherwise enforce the alignment by copy into the buffer. 484 */ 485 if ((uintptr_t)data % 4 == 0) { 486 while (len >= SHA256_BLOCK_LENGTH) { 487 SHA256_Transform(context, 488 (const uint32_t *)(const void *)data); 489 context->bitcount += SHA256_BLOCK_LENGTH << 3; 490 len -= SHA256_BLOCK_LENGTH; 491 data += SHA256_BLOCK_LENGTH; 492 } 493 } else { 494 while (len >= SHA256_BLOCK_LENGTH) { 495 memcpy(context->buffer, data, SHA256_BLOCK_LENGTH); 496 SHA256_Transform(context, 497 (const uint32_t *)(const void *)context->buffer); 498 context->bitcount += SHA256_BLOCK_LENGTH << 3; 499 len -= SHA256_BLOCK_LENGTH; 500 data += SHA256_BLOCK_LENGTH; 501 } 502 } 503 if (len > 0) { 504 /* There's left-overs, so save 'em */ 505 memcpy(context->buffer, data, len); 506 context->bitcount += len << 3; 507 } 508 /* Clean up: */ 509 usedspace = freespace = 0; 510 511 return 1; 512 } 513 514 static int 515 SHA224_256_Final(uint8_t digest[], SHA256_CTX *context, size_t len) 516 { 517 unsigned int usedspace; 518 size_t i; 519 520 /* If no digest buffer is passed, we don't bother doing this: */ 521 if (digest != NULL) { 522 usedspace = (unsigned int)((context->bitcount >> 3) % 523 SHA256_BLOCK_LENGTH); 524 context->bitcount = htobe64(context->bitcount); 525 if (usedspace > 0) { 526 /* Begin padding with a 1 bit: */ 527 context->buffer[usedspace++] = 0x80; 528 529 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 530 /* Set-up for the last transform: */ 531 memset(&context->buffer[usedspace], 0, 532 (size_t)(SHA256_SHORT_BLOCK_LENGTH - 533 usedspace)); 534 } else { 535 if (usedspace < SHA256_BLOCK_LENGTH) { 536 memset(&context->buffer[usedspace], 0, 537 (size_t)(SHA256_BLOCK_LENGTH - 538 usedspace)); 539 } 540 /* Do second-to-last transform: */ 541 SHA256_Transform(context, 542 (uint32_t *)(void *)context->buffer); 543 544 /* And set-up for the last transform: */ 545 memset(context->buffer, 0, 546 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 547 } 548 } else { 549 /* Set-up for the last transform: */ 550 memset(context->buffer, 0, 551 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 552 553 /* Begin padding with a 1 bit: */ 554 *context->buffer = 0x80; 555 } 556 /* Set the bit count: */ 557 memcpy(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], 558 &context->bitcount, sizeof(context->bitcount)); 559 560 /* Final transform: */ 561 SHA256_Transform(context, (uint32_t *)(void *)context->buffer); 562 563 for (i = 0; i < len / 4; i++) 564 be32enc(digest + 4 * i, context->state[i]); 565 } 566 567 /* Clean up state data: */ 568 memset(context, 0, sizeof(*context)); 569 usedspace = 0; 570 571 return 1; 572 } 573 574 int 575 SHA256_Final(uint8_t digest[SHA256_DIGEST_LENGTH], SHA256_CTX *context) 576 { 577 return SHA224_256_Final(digest, context, SHA256_DIGEST_LENGTH); 578 } 579 580 /*** SHA-224: *********************************************************/ 581 int 582 SHA224_Init(SHA224_CTX *context) 583 { 584 if (context == NULL) 585 return 1; 586 587 /* The state and buffer size are driven by SHA256, not by SHA224. */ 588 memcpy(context->state, sha224_initial_hash_value, 589 (size_t)(SHA256_DIGEST_LENGTH)); 590 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 591 context->bitcount = 0; 592 593 return 1; 594 } 595 596 int 597 SHA224_Update(SHA224_CTX *context, const uint8_t *data, size_t len) 598 { 599 return SHA256_Update((SHA256_CTX *)context, data, len); 600 } 601 602 void 603 SHA224_Transform(SHA224_CTX *context, const uint32_t *data) 604 { 605 SHA256_Transform((SHA256_CTX *)context, data); 606 } 607 608 int 609 SHA224_Final(uint8_t digest[SHA224_DIGEST_LENGTH], SHA224_CTX *context) 610 { 611 return SHA224_256_Final(digest, (SHA256_CTX *)context, 612 SHA224_DIGEST_LENGTH); 613 } 614 615 /*** SHA-512: *********************************************************/ 616 int 617 SHA512_Init(SHA512_CTX *context) 618 { 619 if (context == NULL) 620 return 1; 621 622 memcpy(context->state, sha512_initial_hash_value, 623 (size_t)(SHA512_DIGEST_LENGTH)); 624 memset(context->buffer, 0, (size_t)(SHA512_BLOCK_LENGTH)); 625 context->bitcount[0] = context->bitcount[1] = 0; 626 627 return 1; 628 } 629 630 #ifdef SHA2_UNROLL_TRANSFORM 631 632 /* Unrolled SHA-512 round macros: */ 633 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 634 W512[j] = be64dec(data); \ 635 ++data; \ 636 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 637 K512[j] + W512[j]; \ 638 (d) += T1, \ 639 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 640 j++ 641 642 #define ROUND512(a,b,c,d,e,f,g,h) \ 643 s0 = W512[(j+1)&0x0f]; \ 644 s0 = sigma0_512(s0); \ 645 s1 = W512[(j+14)&0x0f]; \ 646 s1 = sigma1_512(s1); \ 647 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 648 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 649 (d) += T1; \ 650 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 651 j++ 652 653 void 654 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 655 { 656 uint64_t a, b, c, d, e, f, g, h, s0, s1; 657 uint64_t T1, *W512 = (uint64_t *)context->buffer; 658 int j; 659 660 /* Initialize registers with the prev. intermediate value */ 661 a = context->state[0]; 662 b = context->state[1]; 663 c = context->state[2]; 664 d = context->state[3]; 665 e = context->state[4]; 666 f = context->state[5]; 667 g = context->state[6]; 668 h = context->state[7]; 669 670 j = 0; 671 do { 672 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 673 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 674 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 675 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 676 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 677 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 678 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 679 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 680 } while (j < 16); 681 682 /* Now for the remaining rounds up to 79: */ 683 do { 684 ROUND512(a,b,c,d,e,f,g,h); 685 ROUND512(h,a,b,c,d,e,f,g); 686 ROUND512(g,h,a,b,c,d,e,f); 687 ROUND512(f,g,h,a,b,c,d,e); 688 ROUND512(e,f,g,h,a,b,c,d); 689 ROUND512(d,e,f,g,h,a,b,c); 690 ROUND512(c,d,e,f,g,h,a,b); 691 ROUND512(b,c,d,e,f,g,h,a); 692 } while (j < 80); 693 694 /* Compute the current intermediate hash value */ 695 context->state[0] += a; 696 context->state[1] += b; 697 context->state[2] += c; 698 context->state[3] += d; 699 context->state[4] += e; 700 context->state[5] += f; 701 context->state[6] += g; 702 context->state[7] += h; 703 704 /* Clean up */ 705 a = b = c = d = e = f = g = h = T1 = 0; 706 } 707 708 #else /* SHA2_UNROLL_TRANSFORM */ 709 710 void 711 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 712 { 713 uint64_t a, b, c, d, e, f, g, h, s0, s1; 714 uint64_t T1, T2, *W512 = (void *)context->buffer; 715 int j; 716 717 /* Initialize registers with the prev. intermediate value */ 718 a = context->state[0]; 719 b = context->state[1]; 720 c = context->state[2]; 721 d = context->state[3]; 722 e = context->state[4]; 723 f = context->state[5]; 724 g = context->state[6]; 725 h = context->state[7]; 726 727 j = 0; 728 do { 729 W512[j] = be64dec(data); 730 ++data; 731 /* Apply the SHA-512 compression function to update a..h */ 732 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 733 T2 = Sigma0_512(a) + Maj(a, b, c); 734 h = g; 735 g = f; 736 f = e; 737 e = d + T1; 738 d = c; 739 c = b; 740 b = a; 741 a = T1 + T2; 742 743 j++; 744 } while (j < 16); 745 746 do { 747 /* Part of the message block expansion: */ 748 s0 = W512[(j+1)&0x0f]; 749 s0 = sigma0_512(s0); 750 s1 = W512[(j+14)&0x0f]; 751 s1 = sigma1_512(s1); 752 753 /* Apply the SHA-512 compression function to update a..h */ 754 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 755 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 756 T2 = Sigma0_512(a) + Maj(a, b, c); 757 h = g; 758 g = f; 759 f = e; 760 e = d + T1; 761 d = c; 762 c = b; 763 b = a; 764 a = T1 + T2; 765 766 j++; 767 } while (j < 80); 768 769 /* Compute the current intermediate hash value */ 770 context->state[0] += a; 771 context->state[1] += b; 772 context->state[2] += c; 773 context->state[3] += d; 774 context->state[4] += e; 775 context->state[5] += f; 776 context->state[6] += g; 777 context->state[7] += h; 778 779 /* Clean up */ 780 a = b = c = d = e = f = g = h = T1 = T2 = 0; 781 } 782 783 #endif /* SHA2_UNROLL_TRANSFORM */ 784 785 int 786 SHA512_Update(SHA512_CTX *context, const uint8_t *data, size_t len) 787 { 788 unsigned int freespace, usedspace; 789 790 if (len == 0) { 791 /* Calling with no data is valid - we do nothing */ 792 return 1; 793 } 794 795 usedspace = (unsigned int)((context->bitcount[0] >> 3) % 796 SHA512_BLOCK_LENGTH); 797 if (usedspace > 0) { 798 /* Calculate how much free space is available in the buffer */ 799 freespace = SHA512_BLOCK_LENGTH - usedspace; 800 801 if (len >= freespace) { 802 /* Fill the buffer completely and process it */ 803 memcpy(&context->buffer[usedspace], data, 804 (size_t)(freespace)); 805 ADDINC128(context->bitcount, freespace << 3); 806 len -= freespace; 807 data += freespace; 808 SHA512_Transform(context, 809 (uint64_t *)(void *)context->buffer); 810 } else { 811 /* The buffer is not yet full */ 812 memcpy(&context->buffer[usedspace], data, len); 813 ADDINC128(context->bitcount, len << 3); 814 /* Clean up: */ 815 usedspace = freespace = 0; 816 return 1; 817 } 818 } 819 /* 820 * Process as many complete blocks as possible. 821 * 822 * Check alignment of the data pointer. If it is 64bit aligned, 823 * SHA512_Transform can be called directly on the data stream, 824 * otherwise enforce the alignment by copy into the buffer. 825 */ 826 if ((uintptr_t)data % 8 == 0) { 827 while (len >= SHA512_BLOCK_LENGTH) { 828 SHA512_Transform(context, 829 (const uint64_t*)(const void *)data); 830 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 831 len -= SHA512_BLOCK_LENGTH; 832 data += SHA512_BLOCK_LENGTH; 833 } 834 } else { 835 while (len >= SHA512_BLOCK_LENGTH) { 836 memcpy(context->buffer, data, SHA512_BLOCK_LENGTH); 837 SHA512_Transform(context, 838 (const void *)context->buffer); 839 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 840 len -= SHA512_BLOCK_LENGTH; 841 data += SHA512_BLOCK_LENGTH; 842 } 843 } 844 if (len > 0) { 845 /* There's left-overs, so save 'em */ 846 memcpy(context->buffer, data, len); 847 ADDINC128(context->bitcount, len << 3); 848 } 849 /* Clean up: */ 850 usedspace = freespace = 0; 851 852 return 1; 853 } 854 855 static void 856 SHA512_Last(SHA512_CTX *context) 857 { 858 unsigned int usedspace; 859 860 usedspace = (unsigned int)((context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH); 861 context->bitcount[0] = htobe64(context->bitcount[0]); 862 context->bitcount[1] = htobe64(context->bitcount[1]); 863 if (usedspace > 0) { 864 /* Begin padding with a 1 bit: */ 865 context->buffer[usedspace++] = 0x80; 866 867 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 868 /* Set-up for the last transform: */ 869 memset(&context->buffer[usedspace], 0, 870 (size_t)(SHA512_SHORT_BLOCK_LENGTH - usedspace)); 871 } else { 872 if (usedspace < SHA512_BLOCK_LENGTH) { 873 memset(&context->buffer[usedspace], 0, 874 (size_t)(SHA512_BLOCK_LENGTH - usedspace)); 875 } 876 /* Do second-to-last transform: */ 877 SHA512_Transform(context, 878 (uint64_t *)(void *)context->buffer); 879 880 /* And set-up for the last transform: */ 881 memset(context->buffer, 0, 882 (size_t)(SHA512_BLOCK_LENGTH - 2)); 883 } 884 } else { 885 /* Prepare for final transform: */ 886 memset(context->buffer, 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH)); 887 888 /* Begin padding with a 1 bit: */ 889 *context->buffer = 0x80; 890 } 891 /* Store the length of input data (in bits): */ 892 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], 893 &context->bitcount[1], sizeof(context->bitcount[1])); 894 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], 895 &context->bitcount[0], sizeof(context->bitcount[0])); 896 897 /* Final transform: */ 898 SHA512_Transform(context, (uint64_t *)(void *)context->buffer); 899 } 900 901 int 902 SHA512_Final(uint8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context) 903 { 904 size_t i; 905 906 /* If no digest buffer is passed, we don't bother doing this: */ 907 if (digest != NULL) { 908 SHA512_Last(context); 909 910 /* Save the hash data for output: */ 911 for (i = 0; i < 8; ++i) 912 be64enc(digest + 8 * i, context->state[i]); 913 } 914 915 /* Zero out state data */ 916 memset(context, 0, sizeof(*context)); 917 918 return 1; 919 } 920 921 /*** SHA-384: *********************************************************/ 922 int 923 SHA384_Init(SHA384_CTX *context) 924 { 925 if (context == NULL) 926 return 1; 927 928 memcpy(context->state, sha384_initial_hash_value, 929 (size_t)(SHA512_DIGEST_LENGTH)); 930 memset(context->buffer, 0, (size_t)(SHA384_BLOCK_LENGTH)); 931 context->bitcount[0] = context->bitcount[1] = 0; 932 933 return 1; 934 } 935 936 int 937 SHA384_Update(SHA384_CTX *context, const uint8_t *data, size_t len) 938 { 939 return SHA512_Update((SHA512_CTX *)context, data, len); 940 } 941 942 void 943 SHA384_Transform(SHA512_CTX *context, const uint64_t *data) 944 { 945 SHA512_Transform((SHA512_CTX *)context, data); 946 } 947 948 int 949 SHA384_Final(uint8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) 950 { 951 size_t i; 952 953 /* If no digest buffer is passed, we don't bother doing this: */ 954 if (digest != NULL) { 955 SHA512_Last((SHA512_CTX *)context); 956 957 /* Save the hash data for output: */ 958 for (i = 0; i < 6; ++i) 959 be64enc(digest + 8 * i, context->state[i]); 960 } 961 962 /* Zero out state data */ 963 memset(context, 0, sizeof(*context)); 964 965 return 1; 966 } 967
Indexes created Mon Sep 29 15:09:53 GMT 2025