sha2.c revision 1.1
1 /* $NetBSD: sha2.c,v 1.1 2006/10/27 21:23:16 christos Exp $ */ 2 /* $KAME: sha2.c,v 1.9 2003/07/20 00:28:38 itojun Exp $ */ 3 4 /* 5 * sha2.c 6 * 7 * Version 1.0.0beta1 8 * 9 * Written by Aaron D. Gifford <me (at) aarongifford.com> 10 * 11 * Copyright 2000 Aaron D. Gifford. All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of the copyright holder nor the names of contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 */ 38 39 #include <sys/cdefs.h> 40 41 #if defined(_KERNEL) || defined(_STANDALONE) 42 __KERNEL_RCSID(0, "$NetBSD: sha2.c,v 1.1 2006/10/27 21:23:16 christos Exp $"); 43 44 #include <lib/libkern/libkern.h> 45 46 #else 47 48 #if defined(LIBC_SCCS) && !defined(lint) 49 __RCSID("$NetBSD: sha2.c,v 1.1 2006/10/27 21:23:16 christos Exp $"); 50 #endif /* LIBC_SCCS and not lint */ 51 52 #include "namespace.h" 53 #include <assert.h> 54 #include <string.h> 55 56 #endif 57 58 #include <sys/types.h> 59 #include <sys/sha2.h> 60 61 /* 62 * ASSERT NOTE: 63 * Some sanity checking code is included using assert(). On my FreeBSD 64 * system, this additional code can be removed by compiling with NDEBUG 65 * defined. Check your own systems manpage on assert() to see how to 66 * compile WITHOUT the sanity checking code on your system. 67 * 68 * UNROLLED TRANSFORM LOOP NOTE: 69 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform 70 * loop version for the hash transform rounds (defined using macros 71 * later in this file). Either define on the command line, for example: 72 * 73 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c 74 * 75 * or define below: 76 * 77 * #define SHA2_UNROLL_TRANSFORM 78 * 79 */ 80 81 #if defined(__bsdi__) || defined(__FreeBSD__) 82 #define assert(x) 83 #endif 84 85 86 /*** SHA-256/384/512 Machine Architecture Definitions *****************/ 87 /* 88 * BYTE_ORDER NOTE: 89 * 90 * Please make sure that your system defines BYTE_ORDER. If your 91 * architecture is little-endian, make sure it also defines 92 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are 93 * equivilent. 94 * 95 * If your system does not define the above, then you can do so by 96 * hand like this: 97 * 98 * #define LITTLE_ENDIAN 1234 99 * #define BIG_ENDIAN 4321 100 * 101 * And for little-endian machines, add: 102 * 103 * #define BYTE_ORDER LITTLE_ENDIAN 104 * 105 * Or for big-endian machines: 106 * 107 * #define BYTE_ORDER BIG_ENDIAN 108 * 109 * The FreeBSD machine this was written on defines BYTE_ORDER 110 * appropriately by including <sys/types.h> (which in turn includes 111 * <machine/endian.h> where the appropriate definitions are actually 112 * made). 113 */ 114 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) 115 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN 116 #endif 117 118 /* 119 * Define the followingsha2_* types to types of the correct length on 120 * the native archtecture. Most BSD systems and Linux define u_intXX_t 121 * types. Machines with very recent ANSI C headers, can use the 122 * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H 123 * during compile or in the sha.h header file. 124 * 125 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t 126 * will need to define these three typedefs below (and the appropriate 127 * ones in sha.h too) by hand according to their system architecture. 128 * 129 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t 130 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h. 131 */ 132 #if 0 /*def SHA2_USE_INTTYPES_H*/ 133 134 typedef uint8_t sha2_byte; /* Exactly 1 byte */ 135 typedef uint32_t sha2_word32; /* Exactly 4 bytes */ 136 typedef uint64_t sha2_word64; /* Exactly 8 bytes */ 137 138 #else /* SHA2_USE_INTTYPES_H */ 139 140 typedef u_int8_t sha2_byte; /* Exactly 1 byte */ 141 typedef u_int32_t sha2_word32; /* Exactly 4 bytes */ 142 typedef u_int64_t sha2_word64; /* Exactly 8 bytes */ 143 144 #endif /* SHA2_USE_INTTYPES_H */ 145 146 147 /*** SHA-256/384/512 Various Length Definitions ***********************/ 148 /* NOTE: Most of these are in sha2.h */ 149 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 150 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 151 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 152 153 154 /*** ENDIAN REVERSAL MACROS *******************************************/ 155 #if BYTE_ORDER == LITTLE_ENDIAN 156 #define REVERSE32(w,x) { \ 157 sha2_word32 tmp = (w); \ 158 tmp = (tmp >> 16) | (tmp << 16); \ 159 (x) = (sha2_word32)(((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8)); \ 160 } 161 #define REVERSE64(w,x) { \ 162 sha2_word64 tmp = (w); \ 163 tmp = (tmp >> 32) | (tmp << 32); \ 164 tmp = (sha2_word64)(((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \ 165 ((tmp & 0x00ff00ff00ff00ffULL) << 8)); \ 166 (x) = (sha2_word64)(((tmp & 0xffff0000ffff0000ULL) >> 16) | \ 167 ((tmp & 0x0000ffff0000ffffULL) << 16)); \ 168 } 169 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 170 171 /* 172 * Macro for incrementally adding the unsigned 64-bit integer n to the 173 * unsigned 128-bit integer (represented using a two-element array of 174 * 64-bit words): 175 */ 176 #define ADDINC128(w,n) { \ 177 (w)[0] += (sha2_word64)(n); \ 178 if ((w)[0] < (n)) { \ 179 (w)[1]++; \ 180 } \ 181 } 182 183 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 184 /* 185 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 186 * 187 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 188 * S is a ROTATION) because the SHA-256/384/512 description document 189 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 190 * same "backwards" definition. 191 */ 192 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 193 #define R(b,x) ((x) >> (b)) 194 /* 32-bit Rotate-right (used in SHA-256): */ 195 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 196 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 197 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 198 199 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 200 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 201 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 202 203 /* Four of six logical functions used in SHA-256: */ 204 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 205 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 206 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 207 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 208 209 /* Four of six logical functions used in SHA-384 and SHA-512: */ 210 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 211 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 212 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 213 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 214 215 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 216 /* NOTE: These should not be accessed directly from outside this 217 * library -- they are intended for private internal visibility/use 218 * only. 219 */ 220 void SHA512_Last(SHA512_CTX*); 221 void SHA256_Transform(SHA256_CTX*, const sha2_word32*); 222 void SHA384_Transform(SHA384_CTX*, const sha2_word64*); 223 void SHA512_Transform(SHA512_CTX*, const sha2_word64*); 224 225 226 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 227 /* Hash constant words K for SHA-256: */ 228 static const sha2_word32 K256[64] = { 229 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 230 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 231 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 232 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 233 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 234 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 235 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 236 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 237 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 238 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 239 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 240 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 241 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 242 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 243 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 244 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 245 }; 246 247 /* Initial hash value H for SHA-256: */ 248 static const sha2_word32 sha256_initial_hash_value[8] = { 249 0x6a09e667UL, 250 0xbb67ae85UL, 251 0x3c6ef372UL, 252 0xa54ff53aUL, 253 0x510e527fUL, 254 0x9b05688cUL, 255 0x1f83d9abUL, 256 0x5be0cd19UL 257 }; 258 259 /* Hash constant words K for SHA-384 and SHA-512: */ 260 static const sha2_word64 K512[80] = { 261 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 262 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 263 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 264 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 265 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 266 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 267 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 268 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 269 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 270 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 271 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 272 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 273 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 274 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 275 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 276 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 277 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 278 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 279 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 280 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 281 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 282 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 283 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 284 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 285 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 286 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 287 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 288 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 289 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 290 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 291 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 292 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 293 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 294 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 295 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 296 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 297 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 298 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 299 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 300 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 301 }; 302 303 /* Initial hash value H for SHA-384 */ 304 static const sha2_word64 sha384_initial_hash_value[8] = { 305 0xcbbb9d5dc1059ed8ULL, 306 0x629a292a367cd507ULL, 307 0x9159015a3070dd17ULL, 308 0x152fecd8f70e5939ULL, 309 0x67332667ffc00b31ULL, 310 0x8eb44a8768581511ULL, 311 0xdb0c2e0d64f98fa7ULL, 312 0x47b5481dbefa4fa4ULL 313 }; 314 315 /* Initial hash value H for SHA-512 */ 316 static const sha2_word64 sha512_initial_hash_value[8] = { 317 0x6a09e667f3bcc908ULL, 318 0xbb67ae8584caa73bULL, 319 0x3c6ef372fe94f82bULL, 320 0xa54ff53a5f1d36f1ULL, 321 0x510e527fade682d1ULL, 322 0x9b05688c2b3e6c1fULL, 323 0x1f83d9abfb41bd6bULL, 324 0x5be0cd19137e2179ULL 325 }; 326 327 #if !defined(_KERNEL) && defined(__weak_alias) 328 __weak_alias(SHA256_Init,_SHA256_Init) 329 __weak_alias(SHA256_Update,_SHA256_Update) 330 __weak_alias(SHA256_Final,_SHA256_Final) 331 __weak_alias(SHA256_Transform,_SHA256_Transform) 332 333 __weak_alias(SHA384_Init,_SHA384_Init) 334 __weak_alias(SHA384_Update,_SHA384_Update) 335 __weak_alias(SHA384_Final,_SHA384_Final) 336 __weak_alias(SHA384_Transform,_SHA384_Transform) 337 338 __weak_alias(SHA512_Init,_SHA512_Init) 339 __weak_alias(SHA512_Update,_SHA512_Update) 340 __weak_alias(SHA512_Final,_SHA512_Final) 341 __weak_alias(SHA512_Transform,_SHA512_Transform) 342 #endif 343 344 /*** SHA-256: *********************************************************/ 345 void SHA256_Init(SHA256_CTX* context) { 346 if (context == (SHA256_CTX*)0) { 347 return; 348 } 349 memcpy(context->state, sha256_initial_hash_value, (size_t)(SHA256_DIGEST_LENGTH)); 350 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 351 context->bitcount = 0; 352 } 353 354 #ifdef SHA2_UNROLL_TRANSFORM 355 356 /* Unrolled SHA-256 round macros: */ 357 358 #if BYTE_ORDER == LITTLE_ENDIAN 359 360 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 361 REVERSE32(*data++, W256[j]); \ 362 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 363 K256[j] + W256[j]; \ 364 (d) += T1; \ 365 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 366 j++ 367 368 369 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 370 371 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 372 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 373 K256[j] + (W256[j] = *data++); \ 374 (d) += T1; \ 375 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 376 j++ 377 378 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 379 380 #define ROUND256(a,b,c,d,e,f,g,h) \ 381 s0 = W256[(j+1)&0x0f]; \ 382 s0 = sigma0_256(s0); \ 383 s1 = W256[(j+14)&0x0f]; \ 384 s1 = sigma1_256(s1); \ 385 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 386 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 387 (d) += T1; \ 388 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 389 j++ 390 391 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { 392 sha2_word32 a, b, c, d, e, f, g, h, s0, s1; 393 sha2_word32 T1, *W256; 394 int j; 395 396 W256 = (sha2_word32*)context->buffer; 397 398 /* Initialize registers with the prev. intermediate value */ 399 a = context->state[0]; 400 b = context->state[1]; 401 c = context->state[2]; 402 d = context->state[3]; 403 e = context->state[4]; 404 f = context->state[5]; 405 g = context->state[6]; 406 h = context->state[7]; 407 408 j = 0; 409 do { 410 /* Rounds 0 to 15 (unrolled): */ 411 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 412 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 413 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 414 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 415 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 416 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 417 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 418 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 419 } while (j < 16); 420 421 /* Now for the remaining rounds to 64: */ 422 do { 423 ROUND256(a,b,c,d,e,f,g,h); 424 ROUND256(h,a,b,c,d,e,f,g); 425 ROUND256(g,h,a,b,c,d,e,f); 426 ROUND256(f,g,h,a,b,c,d,e); 427 ROUND256(e,f,g,h,a,b,c,d); 428 ROUND256(d,e,f,g,h,a,b,c); 429 ROUND256(c,d,e,f,g,h,a,b); 430 ROUND256(b,c,d,e,f,g,h,a); 431 } while (j < 64); 432 433 /* Compute the current intermediate hash value */ 434 context->state[0] += a; 435 context->state[1] += b; 436 context->state[2] += c; 437 context->state[3] += d; 438 context->state[4] += e; 439 context->state[5] += f; 440 context->state[6] += g; 441 context->state[7] += h; 442 443 /* Clean up */ 444 a = b = c = d = e = f = g = h = T1 = 0; 445 } 446 447 #else /* SHA2_UNROLL_TRANSFORM */ 448 449 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { 450 sha2_word32 a, b, c, d, e, f, g, h, s0, s1; 451 sha2_word32 T1, T2, *W256; 452 int j; 453 454 W256 = (sha2_word32*)(void *)context->buffer; 455 456 /* Initialize registers with the prev. intermediate value */ 457 a = context->state[0]; 458 b = context->state[1]; 459 c = context->state[2]; 460 d = context->state[3]; 461 e = context->state[4]; 462 f = context->state[5]; 463 g = context->state[6]; 464 h = context->state[7]; 465 466 j = 0; 467 do { 468 #if BYTE_ORDER == LITTLE_ENDIAN 469 /* Copy data while converting to host byte order */ 470 REVERSE32(*data++,W256[j]); 471 /* Apply the SHA-256 compression function to update a..h */ 472 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 473 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 474 /* Apply the SHA-256 compression function to update a..h with copy */ 475 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++); 476 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 477 T2 = Sigma0_256(a) + Maj(a, b, c); 478 h = g; 479 g = f; 480 f = e; 481 e = d + T1; 482 d = c; 483 c = b; 484 b = a; 485 a = T1 + T2; 486 487 j++; 488 } while (j < 16); 489 490 do { 491 /* Part of the message block expansion: */ 492 s0 = W256[(j+1)&0x0f]; 493 s0 = sigma0_256(s0); 494 s1 = W256[(j+14)&0x0f]; 495 s1 = sigma1_256(s1); 496 497 /* Apply the SHA-256 compression function to update a..h */ 498 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 499 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 500 T2 = Sigma0_256(a) + Maj(a, b, c); 501 h = g; 502 g = f; 503 f = e; 504 e = d + T1; 505 d = c; 506 c = b; 507 b = a; 508 a = T1 + T2; 509 510 j++; 511 } while (j < 64); 512 513 /* Compute the current intermediate hash value */ 514 context->state[0] += a; 515 context->state[1] += b; 516 context->state[2] += c; 517 context->state[3] += d; 518 context->state[4] += e; 519 context->state[5] += f; 520 context->state[6] += g; 521 context->state[7] += h; 522 523 /* Clean up */ 524 a = b = c = d = e = f = g = h = T1 = T2 = 0; 525 } 526 527 #endif /* SHA2_UNROLL_TRANSFORM */ 528 529 void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) { 530 unsigned int freespace, usedspace; 531 532 if (len == 0) { 533 /* Calling with no data is valid - we do nothing */ 534 return; 535 } 536 537 /* Sanity check: */ 538 assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0); 539 540 usedspace = (unsigned int)((context->bitcount >> 3) % 541 SHA256_BLOCK_LENGTH); 542 if (usedspace > 0) { 543 /* Calculate how much free space is available in the buffer */ 544 freespace = SHA256_BLOCK_LENGTH - usedspace; 545 546 if (len >= freespace) { 547 /* Fill the buffer completely and process it */ 548 memcpy(&context->buffer[usedspace], data, (size_t)(freespace)); 549 context->bitcount += freespace << 3; 550 len -= freespace; 551 data += freespace; 552 SHA256_Transform(context, (sha2_word32*)(void *)context->buffer); 553 } else { 554 /* The buffer is not yet full */ 555 memcpy(&context->buffer[usedspace], data, len); 556 context->bitcount += len << 3; 557 /* Clean up: */ 558 usedspace = freespace = 0; 559 return; 560 } 561 } 562 while (len >= SHA256_BLOCK_LENGTH) { 563 /* Process as many complete blocks as we can */ 564 SHA256_Transform(context, (const sha2_word32*)(const void *)data); 565 context->bitcount += SHA256_BLOCK_LENGTH << 3; 566 len -= SHA256_BLOCK_LENGTH; 567 data += SHA256_BLOCK_LENGTH; 568 } 569 if (len > 0) { 570 /* There's left-overs, so save 'em */ 571 memcpy(context->buffer, data, len); 572 context->bitcount += len << 3; 573 } 574 /* Clean up: */ 575 usedspace = freespace = 0; 576 } 577 578 void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) { 579 sha2_word32 *d = (void *)digest; 580 unsigned int usedspace; 581 582 /* Sanity check: */ 583 assert(context != (SHA256_CTX*)0); 584 585 /* If no digest buffer is passed, we don't bother doing this: */ 586 if (digest != (sha2_byte*)0) { 587 usedspace = (unsigned int)((context->bitcount >> 3) % SHA256_BLOCK_LENGTH); 588 #if BYTE_ORDER == LITTLE_ENDIAN 589 /* Convert FROM host byte order */ 590 REVERSE64(context->bitcount,context->bitcount); 591 #endif 592 if (usedspace > 0) { 593 /* Begin padding with a 1 bit: */ 594 context->buffer[usedspace++] = 0x80; 595 596 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 597 /* Set-up for the last transform: */ 598 memset(&context->buffer[usedspace], 0, (size_t)(SHA256_SHORT_BLOCK_LENGTH - usedspace)); 599 } else { 600 if (usedspace < SHA256_BLOCK_LENGTH) { 601 memset(&context->buffer[usedspace], 0, (size_t)(SHA256_BLOCK_LENGTH - usedspace)); 602 } 603 /* Do second-to-last transform: */ 604 SHA256_Transform(context, (sha2_word32*)(void *)context->buffer); 605 606 /* And set-up for the last transform: */ 607 memset(context->buffer, 0, (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 608 } 609 } else { 610 /* Set-up for the last transform: */ 611 memset(context->buffer, 0, (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 612 613 /* Begin padding with a 1 bit: */ 614 *context->buffer = 0x80; 615 } 616 /* Set the bit count: */ 617 *(sha2_word64*)(void *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount; 618 619 /* Final transform: */ 620 SHA256_Transform(context, (sha2_word32*)(void *)context->buffer); 621 622 #if BYTE_ORDER == LITTLE_ENDIAN 623 { 624 /* Convert TO host byte order */ 625 int j; 626 for (j = 0; j < 8; j++) { 627 REVERSE32(context->state[j],context->state[j]); 628 *d++ = context->state[j]; 629 } 630 } 631 #else 632 memcpy(d, context->state, SHA256_DIGEST_LENGTH); 633 #endif 634 } 635 636 /* Clean up state data: */ 637 memset(context, 0, sizeof(*context)); 638 usedspace = 0; 639 } 640 641 /*** SHA-512: *********************************************************/ 642 void SHA512_Init(SHA512_CTX* context) { 643 if (context == (SHA512_CTX*)0) { 644 return; 645 } 646 memcpy(context->state, sha512_initial_hash_value, (size_t)(SHA512_DIGEST_LENGTH)); 647 memset(context->buffer, 0, (size_t)(SHA512_BLOCK_LENGTH)); 648 context->bitcount[0] = context->bitcount[1] = 0; 649 } 650 651 #ifdef SHA2_UNROLL_TRANSFORM 652 653 /* Unrolled SHA-512 round macros: */ 654 #if BYTE_ORDER == LITTLE_ENDIAN 655 656 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 657 REVERSE64(*data++, W512[j]); \ 658 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 659 K512[j] + W512[j]; \ 660 (d) += T1, \ 661 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 662 j++ 663 664 665 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 666 667 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 668 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 669 K512[j] + (W512[j] = *data++); \ 670 (d) += T1; \ 671 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 672 j++ 673 674 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 675 676 #define ROUND512(a,b,c,d,e,f,g,h) \ 677 s0 = W512[(j+1)&0x0f]; \ 678 s0 = sigma0_512(s0); \ 679 s1 = W512[(j+14)&0x0f]; \ 680 s1 = sigma1_512(s1); \ 681 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 682 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 683 (d) += T1; \ 684 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 685 j++ 686 687 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { 688 sha2_word64 a, b, c, d, e, f, g, h, s0, s1; 689 sha2_word64 T1, *W512 = (sha2_word64*)context->buffer; 690 int j; 691 692 /* Initialize registers with the prev. intermediate value */ 693 a = context->state[0]; 694 b = context->state[1]; 695 c = context->state[2]; 696 d = context->state[3]; 697 e = context->state[4]; 698 f = context->state[5]; 699 g = context->state[6]; 700 h = context->state[7]; 701 702 j = 0; 703 do { 704 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 705 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 706 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 707 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 708 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 709 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 710 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 711 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 712 } while (j < 16); 713 714 /* Now for the remaining rounds up to 79: */ 715 do { 716 ROUND512(a,b,c,d,e,f,g,h); 717 ROUND512(h,a,b,c,d,e,f,g); 718 ROUND512(g,h,a,b,c,d,e,f); 719 ROUND512(f,g,h,a,b,c,d,e); 720 ROUND512(e,f,g,h,a,b,c,d); 721 ROUND512(d,e,f,g,h,a,b,c); 722 ROUND512(c,d,e,f,g,h,a,b); 723 ROUND512(b,c,d,e,f,g,h,a); 724 } while (j < 80); 725 726 /* Compute the current intermediate hash value */ 727 context->state[0] += a; 728 context->state[1] += b; 729 context->state[2] += c; 730 context->state[3] += d; 731 context->state[4] += e; 732 context->state[5] += f; 733 context->state[6] += g; 734 context->state[7] += h; 735 736 /* Clean up */ 737 a = b = c = d = e = f = g = h = T1 = 0; 738 } 739 740 #else /* SHA2_UNROLL_TRANSFORM */ 741 742 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { 743 sha2_word64 a, b, c, d, e, f, g, h, s0, s1; 744 sha2_word64 T1, T2, *W512 = (void *)context->buffer; 745 int j; 746 747 /* Initialize registers with the prev. intermediate value */ 748 a = context->state[0]; 749 b = context->state[1]; 750 c = context->state[2]; 751 d = context->state[3]; 752 e = context->state[4]; 753 f = context->state[5]; 754 g = context->state[6]; 755 h = context->state[7]; 756 757 j = 0; 758 do { 759 #if BYTE_ORDER == LITTLE_ENDIAN 760 /* Convert TO host byte order */ 761 REVERSE64(*data++, W512[j]); 762 /* Apply the SHA-512 compression function to update a..h */ 763 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 764 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 765 /* Apply the SHA-512 compression function to update a..h with copy */ 766 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++); 767 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 768 T2 = Sigma0_512(a) + Maj(a, b, c); 769 h = g; 770 g = f; 771 f = e; 772 e = d + T1; 773 d = c; 774 c = b; 775 b = a; 776 a = T1 + T2; 777 778 j++; 779 } while (j < 16); 780 781 do { 782 /* Part of the message block expansion: */ 783 s0 = W512[(j+1)&0x0f]; 784 s0 = sigma0_512(s0); 785 s1 = W512[(j+14)&0x0f]; 786 s1 = sigma1_512(s1); 787 788 /* Apply the SHA-512 compression function to update a..h */ 789 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 790 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 791 T2 = Sigma0_512(a) + Maj(a, b, c); 792 h = g; 793 g = f; 794 f = e; 795 e = d + T1; 796 d = c; 797 c = b; 798 b = a; 799 a = T1 + T2; 800 801 j++; 802 } while (j < 80); 803 804 /* Compute the current intermediate hash value */ 805 context->state[0] += a; 806 context->state[1] += b; 807 context->state[2] += c; 808 context->state[3] += d; 809 context->state[4] += e; 810 context->state[5] += f; 811 context->state[6] += g; 812 context->state[7] += h; 813 814 /* Clean up */ 815 a = b = c = d = e = f = g = h = T1 = T2 = 0; 816 } 817 818 #endif /* SHA2_UNROLL_TRANSFORM */ 819 820 void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) { 821 unsigned int freespace, usedspace; 822 823 if (len == 0) { 824 /* Calling with no data is valid - we do nothing */ 825 return; 826 } 827 828 /* Sanity check: */ 829 assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0); 830 831 usedspace = (unsigned int)((context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH); 832 if (usedspace > 0) { 833 /* Calculate how much free space is available in the buffer */ 834 freespace = SHA512_BLOCK_LENGTH - usedspace; 835 836 if (len >= freespace) { 837 /* Fill the buffer completely and process it */ 838 memcpy(&context->buffer[usedspace], data, (size_t)(freespace)); 839 ADDINC128(context->bitcount, freespace << 3); 840 len -= freespace; 841 data += freespace; 842 SHA512_Transform(context, (sha2_word64*)(void *)context->buffer); 843 } else { 844 /* The buffer is not yet full */ 845 memcpy(&context->buffer[usedspace], data, len); 846 ADDINC128(context->bitcount, len << 3); 847 /* Clean up: */ 848 usedspace = freespace = 0; 849 return; 850 } 851 } 852 while (len >= SHA512_BLOCK_LENGTH) { 853 /* Process as many complete blocks as we can */ 854 SHA512_Transform(context, (const sha2_word64*)(const void *)data); 855 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 856 len -= SHA512_BLOCK_LENGTH; 857 data += SHA512_BLOCK_LENGTH; 858 } 859 if (len > 0) { 860 /* There's left-overs, so save 'em */ 861 memcpy(context->buffer, data, len); 862 ADDINC128(context->bitcount, len << 3); 863 } 864 /* Clean up: */ 865 usedspace = freespace = 0; 866 } 867 868 void SHA512_Last(SHA512_CTX* context) { 869 unsigned int usedspace; 870 871 usedspace = (unsigned int)((context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH); 872 #if BYTE_ORDER == LITTLE_ENDIAN 873 /* Convert FROM host byte order */ 874 REVERSE64(context->bitcount[0],context->bitcount[0]); 875 REVERSE64(context->bitcount[1],context->bitcount[1]); 876 #endif 877 if (usedspace > 0) { 878 /* Begin padding with a 1 bit: */ 879 context->buffer[usedspace++] = 0x80; 880 881 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 882 /* Set-up for the last transform: */ 883 memset(&context->buffer[usedspace], 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH - usedspace)); 884 } else { 885 if (usedspace < SHA512_BLOCK_LENGTH) { 886 memset(&context->buffer[usedspace], 0, (size_t)(SHA512_BLOCK_LENGTH - usedspace)); 887 } 888 /* Do second-to-last transform: */ 889 SHA512_Transform(context, (sha2_word64*)(void *)context->buffer); 890 891 /* And set-up for the last transform: */ 892 memset(context->buffer, 0, (size_t)(SHA512_BLOCK_LENGTH - 2)); 893 } 894 } else { 895 /* Prepare for final transform: */ 896 memset(context->buffer, 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH)); 897 898 /* Begin padding with a 1 bit: */ 899 *context->buffer = 0x80; 900 } 901 /* Store the length of input data (in bits): */ 902 *(sha2_word64*)(void *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1]; 903 *(sha2_word64*)(void *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0]; 904 905 /* Final transform: */ 906 SHA512_Transform(context, (sha2_word64*)(void *)context->buffer); 907 } 908 909 void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) { 910 sha2_word64 *d = (void *)digest; 911 912 /* Sanity check: */ 913 assert(context != (SHA512_CTX*)0); 914 915 /* If no digest buffer is passed, we don't bother doing this: */ 916 if (digest != (sha2_byte*)0) { 917 SHA512_Last(context); 918 919 /* Save the hash data for output: */ 920 #if BYTE_ORDER == LITTLE_ENDIAN 921 { 922 /* Convert TO host byte order */ 923 int j; 924 for (j = 0; j < 8; j++) { 925 REVERSE64(context->state[j],context->state[j]); 926 *d++ = context->state[j]; 927 } 928 } 929 #else 930 memcpy(d, context->state, SHA512_DIGEST_LENGTH); 931 #endif 932 } 933 934 /* Zero out state data */ 935 memset(context, 0, sizeof(*context)); 936 } 937 938 /*** SHA-384: *********************************************************/ 939 void SHA384_Init(SHA384_CTX* context) { 940 if (context == (SHA384_CTX*)0) { 941 return; 942 } 943 memcpy(context->state, sha384_initial_hash_value, (size_t)(SHA512_DIGEST_LENGTH)); 944 memset(context->buffer, 0, (size_t)(SHA384_BLOCK_LENGTH)); 945 context->bitcount[0] = context->bitcount[1] = 0; 946 } 947 948 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) { 949 SHA512_Update((SHA512_CTX*)context, data, len); 950 } 951 952 void SHA384_Transform(SHA512_CTX* context, const sha2_word64* data) { 953 SHA512_Transform((SHA512_CTX*)context, data); 954 } 955 956 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) { 957 sha2_word64 *d = (void *)digest; 958 959 /* Sanity check: */ 960 assert(context != (SHA384_CTX*)0); 961 962 /* If no digest buffer is passed, we don't bother doing this: */ 963 if (digest != (sha2_byte*)0) { 964 SHA512_Last((SHA512_CTX*)context); 965 966 /* Save the hash data for output: */ 967 #if BYTE_ORDER == LITTLE_ENDIAN 968 { 969 /* Convert TO host byte order */ 970 int j; 971 for (j = 0; j < 6; j++) { 972 REVERSE64(context->state[j],context->state[j]); 973 *d++ = context->state[j]; 974 } 975 } 976 #else 977 memcpy(d, context->state, SHA384_DIGEST_LENGTH); 978 #endif 979 } 980 981 /* Zero out state data */ 982 memset(context, 0, sizeof(*context)); 983 } 984
Indexes created Mon Sep 29 18:09:42 GMT 2025