sha2.c revision 1.13
1 /* $NetBSD: sha2.c,v 1.13 2009/06/11 20:43:00 christos Exp $ */ 2 /* $KAME: sha2.c,v 1.9 2003/07/20 00:28:38 itojun Exp $ */ 3 4 /* 5 * sha2.c 6 * 7 * Version 1.0.0beta1 8 * 9 * Written by Aaron D. Gifford <me (at) aarongifford.com> 10 * 11 * Copyright 2000 Aaron D. Gifford. All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of the copyright holder nor the names of contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 */ 38 39 #include <sys/cdefs.h> 40 41 #if defined(_KERNEL) || defined(_STANDALONE) 42 __KERNEL_RCSID(0, "$NetBSD: sha2.c,v 1.13 2009/06/11 20:43:00 christos Exp $"); 43 44 #include <lib/libkern/libkern.h> 45 46 #else 47 48 #if defined(LIBC_SCCS) && !defined(lint) 49 __RCSID("$NetBSD: sha2.c,v 1.13 2009/06/11 20:43:00 christos Exp $"); 50 #endif /* LIBC_SCCS and not lint */ 51 52 #include "namespace.h" 53 #include <string.h> 54 55 #endif 56 57 #include <sys/types.h> 58 #include <sys/sha2.h> 59 #include <sys/endian.h> 60 61 /*** SHA-256/384/512 Various Length Definitions ***********************/ 62 /* NOTE: Most of these are in sha2.h */ 63 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 64 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 65 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 66 67 /* 68 * Macro for incrementally adding the unsigned 64-bit integer n to the 69 * unsigned 128-bit integer (represented using a two-element array of 70 * 64-bit words): 71 */ 72 #define ADDINC128(w,n) { \ 73 (w)[0] += (uint64_t)(n); \ 74 if ((w)[0] < (n)) { \ 75 (w)[1]++; \ 76 } \ 77 } 78 79 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 80 /* 81 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 82 * 83 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 84 * S is a ROTATION) because the SHA-256/384/512 description document 85 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 86 * same "backwards" definition. 87 */ 88 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 89 #define R(b,x) ((x) >> (b)) 90 /* 32-bit Rotate-right (used in SHA-256): */ 91 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 92 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 93 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 94 95 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 96 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 97 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 98 99 /* Four of six logical functions used in SHA-256: */ 100 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 101 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 102 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 103 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 104 105 /* Four of six logical functions used in SHA-384 and SHA-512: */ 106 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 107 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 108 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 109 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 110 111 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 112 /* NOTE: These should not be accessed directly from outside this 113 * library -- they are intended for private internal visibility/use 114 * only. 115 */ 116 static void SHA512_Last(SHA512_CTX *); 117 void SHA224_Transform(SHA224_CTX *, const uint64_t*); 118 void SHA256_Transform(SHA256_CTX *, const uint32_t*); 119 void SHA384_Transform(SHA384_CTX *, const uint64_t*); 120 void SHA512_Transform(SHA512_CTX *, const uint64_t*); 121 122 123 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 124 /* Hash constant words K for SHA-256: */ 125 static const uint32_t K256[64] = { 126 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 127 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 128 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 129 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 130 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 131 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 132 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 133 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 134 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 135 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 136 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 137 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 138 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 139 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 140 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 141 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 142 }; 143 144 /* Initial hash value H for SHA-224: */ 145 static const uint32_t sha224_initial_hash_value[8] = { 146 0xc1059ed8UL, 147 0x367cd507UL, 148 0x3070dd17UL, 149 0xf70e5939UL, 150 0xffc00b31UL, 151 0x68581511UL, 152 0x64f98fa7UL, 153 0xbefa4fa4UL 154 }; 155 156 /* Initial hash value H for SHA-256: */ 157 static const uint32_t sha256_initial_hash_value[8] = { 158 0x6a09e667UL, 159 0xbb67ae85UL, 160 0x3c6ef372UL, 161 0xa54ff53aUL, 162 0x510e527fUL, 163 0x9b05688cUL, 164 0x1f83d9abUL, 165 0x5be0cd19UL 166 }; 167 168 /* Hash constant words K for SHA-384 and SHA-512: */ 169 static const uint64_t K512[80] = { 170 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 171 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 172 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 173 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 174 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 175 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 176 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 177 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 178 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 179 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 180 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 181 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 182 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 183 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 184 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 185 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 186 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 187 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 188 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 189 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 190 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 191 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 192 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 193 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 194 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 195 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 196 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 197 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 198 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 199 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 200 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 201 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 202 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 203 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 204 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 205 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 206 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 207 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 208 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 209 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 210 }; 211 212 /* Initial hash value H for SHA-384 */ 213 static const uint64_t sha384_initial_hash_value[8] = { 214 0xcbbb9d5dc1059ed8ULL, 215 0x629a292a367cd507ULL, 216 0x9159015a3070dd17ULL, 217 0x152fecd8f70e5939ULL, 218 0x67332667ffc00b31ULL, 219 0x8eb44a8768581511ULL, 220 0xdb0c2e0d64f98fa7ULL, 221 0x47b5481dbefa4fa4ULL 222 }; 223 224 /* Initial hash value H for SHA-512 */ 225 static const uint64_t sha512_initial_hash_value[8] = { 226 0x6a09e667f3bcc908ULL, 227 0xbb67ae8584caa73bULL, 228 0x3c6ef372fe94f82bULL, 229 0xa54ff53a5f1d36f1ULL, 230 0x510e527fade682d1ULL, 231 0x9b05688c2b3e6c1fULL, 232 0x1f83d9abfb41bd6bULL, 233 0x5be0cd19137e2179ULL 234 }; 235 236 #if !defined(_KERNEL) && defined(__weak_alias) 237 __weak_alias(SHA224_Init,_SHA224_Init) 238 __weak_alias(SHA224_Update,_SHA224_Update) 239 __weak_alias(SHA224_Final,_SHA224_Final) 240 __weak_alias(SHA224_Transform,_SHA224_Transform) 241 242 __weak_alias(SHA256_Init,_SHA256_Init) 243 __weak_alias(SHA256_Update,_SHA256_Update) 244 __weak_alias(SHA256_Final,_SHA256_Final) 245 __weak_alias(SHA256_Transform,_SHA256_Transform) 246 247 __weak_alias(SHA384_Init,_SHA384_Init) 248 __weak_alias(SHA384_Update,_SHA384_Update) 249 __weak_alias(SHA384_Final,_SHA384_Final) 250 __weak_alias(SHA384_Transform,_SHA384_Transform) 251 252 __weak_alias(SHA512_Init,_SHA512_Init) 253 __weak_alias(SHA512_Update,_SHA512_Update) 254 __weak_alias(SHA512_Final,_SHA512_Final) 255 __weak_alias(SHA512_Transform,_SHA512_Transform) 256 #endif 257 258 /*** SHA-256: *********************************************************/ 259 int 260 SHA256_Init(SHA256_CTX *context) 261 { 262 if (context == NULL) 263 return 1; 264 265 memcpy(context->state, sha256_initial_hash_value, 266 (size_t)(SHA256_DIGEST_LENGTH)); 267 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 268 context->bitcount = 0; 269 270 return 1; 271 } 272 273 #ifdef SHA2_UNROLL_TRANSFORM 274 275 /* Unrolled SHA-256 round macros: */ 276 277 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 278 W256[j] = be32toh(*data); \ 279 ++data; \ 280 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 281 K256[j] + W256[j]; \ 282 (d) += T1; \ 283 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 284 j++ 285 286 #define ROUND256(a,b,c,d,e,f,g,h) \ 287 s0 = W256[(j+1)&0x0f]; \ 288 s0 = sigma0_256(s0); \ 289 s1 = W256[(j+14)&0x0f]; \ 290 s1 = sigma1_256(s1); \ 291 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 292 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 293 (d) += T1; \ 294 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 295 j++ 296 297 void 298 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 299 { 300 uint32_t a, b, c, d, e, f, g, h, s0, s1; 301 uint32_t T1, *W256; 302 int j; 303 304 W256 = (uint32_t *)context->buffer; 305 306 /* Initialize registers with the prev. intermediate value */ 307 a = context->state[0]; 308 b = context->state[1]; 309 c = context->state[2]; 310 d = context->state[3]; 311 e = context->state[4]; 312 f = context->state[5]; 313 g = context->state[6]; 314 h = context->state[7]; 315 316 j = 0; 317 do { 318 /* Rounds 0 to 15 (unrolled): */ 319 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 320 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 321 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 322 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 323 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 324 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 325 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 326 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 327 } while (j < 16); 328 329 /* Now for the remaining rounds to 64: */ 330 do { 331 ROUND256(a,b,c,d,e,f,g,h); 332 ROUND256(h,a,b,c,d,e,f,g); 333 ROUND256(g,h,a,b,c,d,e,f); 334 ROUND256(f,g,h,a,b,c,d,e); 335 ROUND256(e,f,g,h,a,b,c,d); 336 ROUND256(d,e,f,g,h,a,b,c); 337 ROUND256(c,d,e,f,g,h,a,b); 338 ROUND256(b,c,d,e,f,g,h,a); 339 } while (j < 64); 340 341 /* Compute the current intermediate hash value */ 342 context->state[0] += a; 343 context->state[1] += b; 344 context->state[2] += c; 345 context->state[3] += d; 346 context->state[4] += e; 347 context->state[5] += f; 348 context->state[6] += g; 349 context->state[7] += h; 350 351 /* Clean up */ 352 a = b = c = d = e = f = g = h = T1 = 0; 353 } 354 355 #else /* SHA2_UNROLL_TRANSFORM */ 356 357 void 358 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 359 { 360 uint32_t a, b, c, d, e, f, g, h, s0, s1; 361 uint32_t T1, T2, *W256; 362 int j; 363 364 W256 = (uint32_t *)(void *)context->buffer; 365 366 /* Initialize registers with the prev. intermediate value */ 367 a = context->state[0]; 368 b = context->state[1]; 369 c = context->state[2]; 370 d = context->state[3]; 371 e = context->state[4]; 372 f = context->state[5]; 373 g = context->state[6]; 374 h = context->state[7]; 375 376 j = 0; 377 do { 378 W256[j] = be32toh(*data); 379 ++data; 380 /* Apply the SHA-256 compression function to update a..h */ 381 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 382 T2 = Sigma0_256(a) + Maj(a, b, c); 383 h = g; 384 g = f; 385 f = e; 386 e = d + T1; 387 d = c; 388 c = b; 389 b = a; 390 a = T1 + T2; 391 392 j++; 393 } while (j < 16); 394 395 do { 396 /* Part of the message block expansion: */ 397 s0 = W256[(j+1)&0x0f]; 398 s0 = sigma0_256(s0); 399 s1 = W256[(j+14)&0x0f]; 400 s1 = sigma1_256(s1); 401 402 /* Apply the SHA-256 compression function to update a..h */ 403 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 404 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 405 T2 = Sigma0_256(a) + Maj(a, b, c); 406 h = g; 407 g = f; 408 f = e; 409 e = d + T1; 410 d = c; 411 c = b; 412 b = a; 413 a = T1 + T2; 414 415 j++; 416 } while (j < 64); 417 418 /* Compute the current intermediate hash value */ 419 context->state[0] += a; 420 context->state[1] += b; 421 context->state[2] += c; 422 context->state[3] += d; 423 context->state[4] += e; 424 context->state[5] += f; 425 context->state[6] += g; 426 context->state[7] += h; 427 428 /* Clean up */ 429 a = b = c = d = e = f = g = h = T1 = T2 = 0; 430 } 431 432 #endif /* SHA2_UNROLL_TRANSFORM */ 433 434 int 435 SHA256_Update(SHA256_CTX *context, const uint8_t *data, size_t len) 436 { 437 unsigned int freespace, usedspace; 438 439 if (len == 0) { 440 /* Calling with no data is valid - we do nothing */ 441 return 1; 442 } 443 444 usedspace = (unsigned int)((context->bitcount >> 3) % 445 SHA256_BLOCK_LENGTH); 446 if (usedspace > 0) { 447 /* Calculate how much free space is available in the buffer */ 448 freespace = SHA256_BLOCK_LENGTH - usedspace; 449 450 if (len >= freespace) { 451 /* Fill the buffer completely and process it */ 452 memcpy(&context->buffer[usedspace], data, 453 (size_t)(freespace)); 454 context->bitcount += freespace << 3; 455 len -= freespace; 456 data += freespace; 457 SHA256_Transform(context, 458 (uint32_t *)(void *)context->buffer); 459 } else { 460 /* The buffer is not yet full */ 461 memcpy(&context->buffer[usedspace], data, len); 462 context->bitcount += len << 3; 463 /* Clean up: */ 464 usedspace = freespace = 0; 465 return 1; 466 } 467 } 468 /* 469 * Process as many complete blocks as possible. 470 * 471 * Check alignment of the data pointer. If it is 32bit aligned, 472 * SHA256_Transform can be called directly on the data stream, 473 * otherwise enforce the alignment by copy into the buffer. 474 */ 475 if ((uintptr_t)data % 4 == 0) { 476 while (len >= SHA256_BLOCK_LENGTH) { 477 SHA256_Transform(context, 478 (const uint32_t *)(const void *)data); 479 context->bitcount += SHA256_BLOCK_LENGTH << 3; 480 len -= SHA256_BLOCK_LENGTH; 481 data += SHA256_BLOCK_LENGTH; 482 } 483 } else { 484 while (len >= SHA256_BLOCK_LENGTH) { 485 memcpy(context->buffer, data, SHA256_BLOCK_LENGTH); 486 SHA256_Transform(context, 487 (const uint32_t *)(const void *)context->buffer); 488 context->bitcount += SHA256_BLOCK_LENGTH << 3; 489 len -= SHA256_BLOCK_LENGTH; 490 data += SHA256_BLOCK_LENGTH; 491 } 492 } 493 if (len > 0) { 494 /* There's left-overs, so save 'em */ 495 memcpy(context->buffer, data, len); 496 context->bitcount += len << 3; 497 } 498 /* Clean up: */ 499 usedspace = freespace = 0; 500 501 return 1; 502 } 503 504 static int 505 SHA224_256_Final(uint8_t digest[], SHA256_CTX *context, size_t len) 506 { 507 uint32_t *d = (void *)digest; 508 unsigned int usedspace; 509 size_t i; 510 511 /* If no digest buffer is passed, we don't bother doing this: */ 512 if (digest != NULL) { 513 usedspace = (unsigned int)((context->bitcount >> 3) % 514 SHA256_BLOCK_LENGTH); 515 context->bitcount = htobe64(context->bitcount); 516 if (usedspace > 0) { 517 /* Begin padding with a 1 bit: */ 518 context->buffer[usedspace++] = 0x80; 519 520 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 521 /* Set-up for the last transform: */ 522 memset(&context->buffer[usedspace], 0, 523 (size_t)(SHA256_SHORT_BLOCK_LENGTH - 524 usedspace)); 525 } else { 526 if (usedspace < SHA256_BLOCK_LENGTH) { 527 memset(&context->buffer[usedspace], 0, 528 (size_t)(SHA256_BLOCK_LENGTH - 529 usedspace)); 530 } 531 /* Do second-to-last transform: */ 532 SHA256_Transform(context, 533 (uint32_t *)(void *)context->buffer); 534 535 /* And set-up for the last transform: */ 536 memset(context->buffer, 0, 537 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 538 } 539 } else { 540 /* Set-up for the last transform: */ 541 memset(context->buffer, 0, 542 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 543 544 /* Begin padding with a 1 bit: */ 545 *context->buffer = 0x80; 546 } 547 /* Set the bit count: */ 548 memcpy(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], 549 &context->bitcount, sizeof(context->bitcount)); 550 551 /* Final transform: */ 552 SHA256_Transform(context, (uint32_t *)(void *)context->buffer); 553 554 for (i = 0; i < len / 4; i++) 555 d[i] = htobe32(context->state[i]); 556 } 557 558 /* Clean up state data: */ 559 memset(context, 0, sizeof(*context)); 560 usedspace = 0; 561 562 return 1; 563 } 564 565 int 566 SHA256_Final(uint8_t digest[], SHA256_CTX *context) 567 { 568 return SHA224_256_Final(digest, context, SHA256_DIGEST_LENGTH); 569 } 570 571 /*** SHA-224: *********************************************************/ 572 int 573 SHA224_Init(SHA224_CTX *context) 574 { 575 if (context == NULL) 576 return 1; 577 578 memcpy(context->state, sha224_initial_hash_value, 579 (size_t)(SHA224_DIGEST_LENGTH)); 580 memset(context->buffer, 0, (size_t)(SHA224_BLOCK_LENGTH)); 581 context->bitcount = 0; 582 583 return 1; 584 } 585 586 int 587 SHA224_Update(SHA224_CTX *context, const uint8_t *data, size_t len) 588 { 589 return SHA256_Update((SHA256_CTX *)context, data, len); 590 } 591 592 void 593 SHA224_Transform(SHA224_CTX *context, const uint64_t *data) 594 { 595 SHA224_Transform((SHA256_CTX *)context, data); 596 } 597 598 int 599 SHA224_Final(uint8_t digest[], SHA224_CTX *context) 600 { 601 return SHA224_256_Final(digest, (SHA256_CTX *)context, 602 SHA224_DIGEST_LENGTH); 603 } 604 605 /*** SHA-512: *********************************************************/ 606 int 607 SHA512_Init(SHA512_CTX *context) 608 { 609 if (context == NULL) 610 return 1; 611 612 memcpy(context->state, sha512_initial_hash_value, 613 (size_t)(SHA512_DIGEST_LENGTH)); 614 memset(context->buffer, 0, (size_t)(SHA512_BLOCK_LENGTH)); 615 context->bitcount[0] = context->bitcount[1] = 0; 616 617 return 1; 618 } 619 620 #ifdef SHA2_UNROLL_TRANSFORM 621 622 /* Unrolled SHA-512 round macros: */ 623 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 624 W512[j] = be64toh(*data); \ 625 ++data; \ 626 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 627 K512[j] + W512[j]; \ 628 (d) += T1, \ 629 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 630 j++ 631 632 #define ROUND512(a,b,c,d,e,f,g,h) \ 633 s0 = W512[(j+1)&0x0f]; \ 634 s0 = sigma0_512(s0); \ 635 s1 = W512[(j+14)&0x0f]; \ 636 s1 = sigma1_512(s1); \ 637 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 638 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 639 (d) += T1; \ 640 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 641 j++ 642 643 void 644 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 645 { 646 uint64_t a, b, c, d, e, f, g, h, s0, s1; 647 uint64_t T1, *W512 = (uint64_t *)context->buffer; 648 int j; 649 650 /* Initialize registers with the prev. intermediate value */ 651 a = context->state[0]; 652 b = context->state[1]; 653 c = context->state[2]; 654 d = context->state[3]; 655 e = context->state[4]; 656 f = context->state[5]; 657 g = context->state[6]; 658 h = context->state[7]; 659 660 j = 0; 661 do { 662 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 663 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 664 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 665 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 666 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 667 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 668 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 669 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 670 } while (j < 16); 671 672 /* Now for the remaining rounds up to 79: */ 673 do { 674 ROUND512(a,b,c,d,e,f,g,h); 675 ROUND512(h,a,b,c,d,e,f,g); 676 ROUND512(g,h,a,b,c,d,e,f); 677 ROUND512(f,g,h,a,b,c,d,e); 678 ROUND512(e,f,g,h,a,b,c,d); 679 ROUND512(d,e,f,g,h,a,b,c); 680 ROUND512(c,d,e,f,g,h,a,b); 681 ROUND512(b,c,d,e,f,g,h,a); 682 } while (j < 80); 683 684 /* Compute the current intermediate hash value */ 685 context->state[0] += a; 686 context->state[1] += b; 687 context->state[2] += c; 688 context->state[3] += d; 689 context->state[4] += e; 690 context->state[5] += f; 691 context->state[6] += g; 692 context->state[7] += h; 693 694 /* Clean up */ 695 a = b = c = d = e = f = g = h = T1 = 0; 696 } 697 698 #else /* SHA2_UNROLL_TRANSFORM */ 699 700 void 701 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 702 { 703 uint64_t a, b, c, d, e, f, g, h, s0, s1; 704 uint64_t T1, T2, *W512 = (void *)context->buffer; 705 int j; 706 707 /* Initialize registers with the prev. intermediate value */ 708 a = context->state[0]; 709 b = context->state[1]; 710 c = context->state[2]; 711 d = context->state[3]; 712 e = context->state[4]; 713 f = context->state[5]; 714 g = context->state[6]; 715 h = context->state[7]; 716 717 j = 0; 718 do { 719 W512[j] = be64toh(*data); 720 ++data; 721 /* Apply the SHA-512 compression function to update a..h */ 722 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 723 T2 = Sigma0_512(a) + Maj(a, b, c); 724 h = g; 725 g = f; 726 f = e; 727 e = d + T1; 728 d = c; 729 c = b; 730 b = a; 731 a = T1 + T2; 732 733 j++; 734 } while (j < 16); 735 736 do { 737 /* Part of the message block expansion: */ 738 s0 = W512[(j+1)&0x0f]; 739 s0 = sigma0_512(s0); 740 s1 = W512[(j+14)&0x0f]; 741 s1 = sigma1_512(s1); 742 743 /* Apply the SHA-512 compression function to update a..h */ 744 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 745 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 746 T2 = Sigma0_512(a) + Maj(a, b, c); 747 h = g; 748 g = f; 749 f = e; 750 e = d + T1; 751 d = c; 752 c = b; 753 b = a; 754 a = T1 + T2; 755 756 j++; 757 } while (j < 80); 758 759 /* Compute the current intermediate hash value */ 760 context->state[0] += a; 761 context->state[1] += b; 762 context->state[2] += c; 763 context->state[3] += d; 764 context->state[4] += e; 765 context->state[5] += f; 766 context->state[6] += g; 767 context->state[7] += h; 768 769 /* Clean up */ 770 a = b = c = d = e = f = g = h = T1 = T2 = 0; 771 } 772 773 #endif /* SHA2_UNROLL_TRANSFORM */ 774 775 int 776 SHA512_Update(SHA512_CTX *context, const uint8_t *data, size_t len) 777 { 778 unsigned int freespace, usedspace; 779 780 if (len == 0) { 781 /* Calling with no data is valid - we do nothing */ 782 return 1; 783 } 784 785 usedspace = (unsigned int)((context->bitcount[0] >> 3) % 786 SHA512_BLOCK_LENGTH); 787 if (usedspace > 0) { 788 /* Calculate how much free space is available in the buffer */ 789 freespace = SHA512_BLOCK_LENGTH - usedspace; 790 791 if (len >= freespace) { 792 /* Fill the buffer completely and process it */ 793 memcpy(&context->buffer[usedspace], data, 794 (size_t)(freespace)); 795 ADDINC128(context->bitcount, freespace << 3); 796 len -= freespace; 797 data += freespace; 798 SHA512_Transform(context, 799 (uint64_t *)(void *)context->buffer); 800 } else { 801 /* The buffer is not yet full */ 802 memcpy(&context->buffer[usedspace], data, len); 803 ADDINC128(context->bitcount, len << 3); 804 /* Clean up: */ 805 usedspace = freespace = 0; 806 return 1; 807 } 808 } 809 /* 810 * Process as many complete blocks as possible. 811 * 812 * Check alignment of the data pointer. If it is 64bit aligned, 813 * SHA512_Transform can be called directly on the data stream, 814 * otherwise enforce the alignment by copy into the buffer. 815 */ 816 if ((uintptr_t)data % 8 == 0) { 817 while (len >= SHA512_BLOCK_LENGTH) { 818 SHA512_Transform(context, 819 (const uint64_t*)(const void *)data); 820 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 821 len -= SHA512_BLOCK_LENGTH; 822 data += SHA512_BLOCK_LENGTH; 823 } 824 } else { 825 while (len >= SHA512_BLOCK_LENGTH) { 826 memcpy(context->buffer, data, SHA512_BLOCK_LENGTH); 827 SHA512_Transform(context, 828 (const void *)context->buffer); 829 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 830 len -= SHA512_BLOCK_LENGTH; 831 data += SHA512_BLOCK_LENGTH; 832 } 833 } 834 if (len > 0) { 835 /* There's left-overs, so save 'em */ 836 memcpy(context->buffer, data, len); 837 ADDINC128(context->bitcount, len << 3); 838 } 839 /* Clean up: */ 840 usedspace = freespace = 0; 841 842 return 1; 843 } 844 845 static void 846 SHA512_Last(SHA512_CTX *context) 847 { 848 unsigned int usedspace; 849 850 usedspace = (unsigned int)((context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH); 851 context->bitcount[0] = htobe64(context->bitcount[0]); 852 context->bitcount[1] = htobe64(context->bitcount[1]); 853 if (usedspace > 0) { 854 /* Begin padding with a 1 bit: */ 855 context->buffer[usedspace++] = 0x80; 856 857 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 858 /* Set-up for the last transform: */ 859 memset(&context->buffer[usedspace], 0, 860 (size_t)(SHA512_SHORT_BLOCK_LENGTH - usedspace)); 861 } else { 862 if (usedspace < SHA512_BLOCK_LENGTH) { 863 memset(&context->buffer[usedspace], 0, 864 (size_t)(SHA512_BLOCK_LENGTH - usedspace)); 865 } 866 /* Do second-to-last transform: */ 867 SHA512_Transform(context, 868 (uint64_t *)(void *)context->buffer); 869 870 /* And set-up for the last transform: */ 871 memset(context->buffer, 0, 872 (size_t)(SHA512_BLOCK_LENGTH - 2)); 873 } 874 } else { 875 /* Prepare for final transform: */ 876 memset(context->buffer, 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH)); 877 878 /* Begin padding with a 1 bit: */ 879 *context->buffer = 0x80; 880 } 881 /* Store the length of input data (in bits): */ 882 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], 883 &context->bitcount[1], sizeof(context->bitcount[1])); 884 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], 885 &context->bitcount[0], sizeof(context->bitcount[0])); 886 887 /* Final transform: */ 888 SHA512_Transform(context, (uint64_t *)(void *)context->buffer); 889 } 890 891 int 892 SHA512_Final(uint8_t digest[], SHA512_CTX *context) 893 { 894 uint64_t *d = (void *)digest; 895 size_t i; 896 897 /* If no digest buffer is passed, we don't bother doing this: */ 898 if (digest != NULL) { 899 SHA512_Last(context); 900 901 /* Save the hash data for output: */ 902 for (i = 0; i < 8; ++i) 903 d[i] = htobe64(context->state[i]); 904 } 905 906 /* Zero out state data */ 907 memset(context, 0, sizeof(*context)); 908 909 return 1; 910 } 911 912 /*** SHA-384: *********************************************************/ 913 int 914 SHA384_Init(SHA384_CTX *context) 915 { 916 if (context == NULL) 917 return 1; 918 919 memcpy(context->state, sha384_initial_hash_value, 920 (size_t)(SHA512_DIGEST_LENGTH)); 921 memset(context->buffer, 0, (size_t)(SHA384_BLOCK_LENGTH)); 922 context->bitcount[0] = context->bitcount[1] = 0; 923 924 return 1; 925 } 926 927 int 928 SHA384_Update(SHA384_CTX *context, const uint8_t *data, size_t len) 929 { 930 return SHA512_Update((SHA512_CTX *)context, data, len); 931 } 932 933 void 934 SHA384_Transform(SHA512_CTX *context, const uint64_t *data) 935 { 936 SHA512_Transform((SHA512_CTX *)context, data); 937 } 938 939 int 940 SHA384_Final(uint8_t digest[], SHA384_CTX *context) 941 { 942 uint64_t *d = (void *)digest; 943 size_t i; 944 945 /* If no digest buffer is passed, we don't bother doing this: */ 946 if (digest != NULL) { 947 SHA512_Last((SHA512_CTX *)context); 948 949 /* Save the hash data for output: */ 950 for (i = 0; i < 6; ++i) 951 d[i] = be64toh(context->state[i]); 952 } 953 954 /* Zero out state data */ 955 memset(context, 0, sizeof(*context)); 956 957 return 1; 958 } 959
Indexes created Mon Sep 29 21:09:56 GMT 2025