sha2.c revision 1.15
1 /* $NetBSD: sha2.c,v 1.15 2009/06/14 14:04:07 martin Exp $ */ 2 /* $KAME: sha2.c,v 1.9 2003/07/20 00:28:38 itojun Exp $ */ 3 4 /* 5 * sha2.c 6 * 7 * Version 1.0.0beta1 8 * 9 * Written by Aaron D. Gifford <me (at) aarongifford.com> 10 * 11 * Copyright 2000 Aaron D. Gifford. All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of the copyright holder nor the names of contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 */ 38 39 #if HAVE_NBTOOL_CONFIG_H 40 #include "nbtool_config.h" 41 #endif 42 43 #include <sys/cdefs.h> 44 45 #if defined(_KERNEL) || defined(_STANDALONE) 46 __KERNEL_RCSID(0, "$NetBSD: sha2.c,v 1.15 2009/06/14 14:04:07 martin Exp $"); 47 48 #include <lib/libkern/libkern.h> 49 50 #else 51 52 #if defined(LIBC_SCCS) && !defined(lint) 53 __RCSID("$NetBSD: sha2.c,v 1.15 2009/06/14 14:04:07 martin Exp $"); 54 #endif /* LIBC_SCCS and not lint */ 55 56 #include "namespace.h" 57 #include <string.h> 58 59 #endif 60 61 #include <sys/types.h> 62 #include <sys/sha2.h> 63 64 #if HAVE_NBTOOL_CONFIG_H 65 # if HAVE_SYS_ENDIAN_H 66 # include <sys/endian.h> 67 # else 68 # undef htobe32 69 # undef htobe64 70 # undef be32toh 71 # undef be64toh 72 73 static uint32_t 74 htobe32(uint32_t x) 75 { 76 uint8_t p[4]; 77 memcpy(p, &x, 4); 78 79 return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); 80 } 81 82 static uint64_t 83 htobe64(uint64_t x) 84 { 85 uint8_t p[8]; 86 uint32_t u, v; 87 memcpy(p, &x, 8); 88 89 u = ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); 90 v = ((p[4] << 24) | (p[5] << 16) | (p[6] << 8) | p[7]); 91 92 return ((((uint64_t)u) << 32) | v); 93 } 94 95 static uint32_t 96 be32toh(uint32_t x) 97 { 98 return htobe32(x); 99 } 100 101 static uint64_t 102 be64toh(uint64_t x) 103 { 104 return htobe64(x); 105 } 106 # endif 107 #endif 108 109 /*** SHA-256/384/512 Various Length Definitions ***********************/ 110 /* NOTE: Most of these are in sha2.h */ 111 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 112 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 113 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 114 115 /* 116 * Macro for incrementally adding the unsigned 64-bit integer n to the 117 * unsigned 128-bit integer (represented using a two-element array of 118 * 64-bit words): 119 */ 120 #define ADDINC128(w,n) { \ 121 (w)[0] += (uint64_t)(n); \ 122 if ((w)[0] < (n)) { \ 123 (w)[1]++; \ 124 } \ 125 } 126 127 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 128 /* 129 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 130 * 131 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 132 * S is a ROTATION) because the SHA-256/384/512 description document 133 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 134 * same "backwards" definition. 135 */ 136 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 137 #define R(b,x) ((x) >> (b)) 138 /* 32-bit Rotate-right (used in SHA-256): */ 139 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 140 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 141 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 142 143 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 144 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 145 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 146 147 /* Four of six logical functions used in SHA-256: */ 148 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 149 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 150 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 151 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 152 153 /* Four of six logical functions used in SHA-384 and SHA-512: */ 154 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 155 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 156 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 157 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 158 159 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 160 /* NOTE: These should not be accessed directly from outside this 161 * library -- they are intended for private internal visibility/use 162 * only. 163 */ 164 static void SHA512_Last(SHA512_CTX *); 165 void SHA224_Transform(SHA224_CTX *, const uint32_t*); 166 void SHA256_Transform(SHA256_CTX *, const uint32_t*); 167 void SHA384_Transform(SHA384_CTX *, const uint64_t*); 168 void SHA512_Transform(SHA512_CTX *, const uint64_t*); 169 170 171 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 172 /* Hash constant words K for SHA-256: */ 173 static const uint32_t K256[64] = { 174 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 175 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 176 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 177 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 178 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 179 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 180 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 181 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 182 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 183 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 184 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 185 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 186 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 187 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 188 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 189 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 190 }; 191 192 /* Initial hash value H for SHA-224: */ 193 static const uint32_t sha224_initial_hash_value[8] = { 194 0xc1059ed8UL, 195 0x367cd507UL, 196 0x3070dd17UL, 197 0xf70e5939UL, 198 0xffc00b31UL, 199 0x68581511UL, 200 0x64f98fa7UL, 201 0xbefa4fa4UL 202 }; 203 204 /* Initial hash value H for SHA-256: */ 205 static const uint32_t sha256_initial_hash_value[8] = { 206 0x6a09e667UL, 207 0xbb67ae85UL, 208 0x3c6ef372UL, 209 0xa54ff53aUL, 210 0x510e527fUL, 211 0x9b05688cUL, 212 0x1f83d9abUL, 213 0x5be0cd19UL 214 }; 215 216 /* Hash constant words K for SHA-384 and SHA-512: */ 217 static const uint64_t K512[80] = { 218 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 219 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 220 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 221 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 222 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 223 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 224 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 225 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 226 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 227 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 228 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 229 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 230 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 231 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 232 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 233 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 234 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 235 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 236 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 237 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 238 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 239 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 240 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 241 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 242 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 243 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 244 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 245 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 246 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 247 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 248 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 249 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 250 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 251 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 252 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 253 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 254 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 255 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 256 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 257 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 258 }; 259 260 /* Initial hash value H for SHA-384 */ 261 static const uint64_t sha384_initial_hash_value[8] = { 262 0xcbbb9d5dc1059ed8ULL, 263 0x629a292a367cd507ULL, 264 0x9159015a3070dd17ULL, 265 0x152fecd8f70e5939ULL, 266 0x67332667ffc00b31ULL, 267 0x8eb44a8768581511ULL, 268 0xdb0c2e0d64f98fa7ULL, 269 0x47b5481dbefa4fa4ULL 270 }; 271 272 /* Initial hash value H for SHA-512 */ 273 static const uint64_t sha512_initial_hash_value[8] = { 274 0x6a09e667f3bcc908ULL, 275 0xbb67ae8584caa73bULL, 276 0x3c6ef372fe94f82bULL, 277 0xa54ff53a5f1d36f1ULL, 278 0x510e527fade682d1ULL, 279 0x9b05688c2b3e6c1fULL, 280 0x1f83d9abfb41bd6bULL, 281 0x5be0cd19137e2179ULL 282 }; 283 284 #if !defined(_KERNEL) && defined(__weak_alias) 285 __weak_alias(SHA224_Init,_SHA224_Init) 286 __weak_alias(SHA224_Update,_SHA224_Update) 287 __weak_alias(SHA224_Final,_SHA224_Final) 288 __weak_alias(SHA224_Transform,_SHA224_Transform) 289 290 __weak_alias(SHA256_Init,_SHA256_Init) 291 __weak_alias(SHA256_Update,_SHA256_Update) 292 __weak_alias(SHA256_Final,_SHA256_Final) 293 __weak_alias(SHA256_Transform,_SHA256_Transform) 294 295 __weak_alias(SHA384_Init,_SHA384_Init) 296 __weak_alias(SHA384_Update,_SHA384_Update) 297 __weak_alias(SHA384_Final,_SHA384_Final) 298 __weak_alias(SHA384_Transform,_SHA384_Transform) 299 300 __weak_alias(SHA512_Init,_SHA512_Init) 301 __weak_alias(SHA512_Update,_SHA512_Update) 302 __weak_alias(SHA512_Final,_SHA512_Final) 303 __weak_alias(SHA512_Transform,_SHA512_Transform) 304 #endif 305 306 /*** SHA-256: *********************************************************/ 307 int 308 SHA256_Init(SHA256_CTX *context) 309 { 310 if (context == NULL) 311 return 1; 312 313 memcpy(context->state, sha256_initial_hash_value, 314 (size_t)(SHA256_DIGEST_LENGTH)); 315 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 316 context->bitcount = 0; 317 318 return 1; 319 } 320 321 #ifdef SHA2_UNROLL_TRANSFORM 322 323 /* Unrolled SHA-256 round macros: */ 324 325 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 326 W256[j] = be32toh(*data); \ 327 ++data; \ 328 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 329 K256[j] + W256[j]; \ 330 (d) += T1; \ 331 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 332 j++ 333 334 #define ROUND256(a,b,c,d,e,f,g,h) \ 335 s0 = W256[(j+1)&0x0f]; \ 336 s0 = sigma0_256(s0); \ 337 s1 = W256[(j+14)&0x0f]; \ 338 s1 = sigma1_256(s1); \ 339 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 340 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 341 (d) += T1; \ 342 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 343 j++ 344 345 void 346 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 347 { 348 uint32_t a, b, c, d, e, f, g, h, s0, s1; 349 uint32_t T1, *W256; 350 int j; 351 352 W256 = (uint32_t *)context->buffer; 353 354 /* Initialize registers with the prev. intermediate value */ 355 a = context->state[0]; 356 b = context->state[1]; 357 c = context->state[2]; 358 d = context->state[3]; 359 e = context->state[4]; 360 f = context->state[5]; 361 g = context->state[6]; 362 h = context->state[7]; 363 364 j = 0; 365 do { 366 /* Rounds 0 to 15 (unrolled): */ 367 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 368 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 369 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 370 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 371 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 372 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 373 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 374 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 375 } while (j < 16); 376 377 /* Now for the remaining rounds to 64: */ 378 do { 379 ROUND256(a,b,c,d,e,f,g,h); 380 ROUND256(h,a,b,c,d,e,f,g); 381 ROUND256(g,h,a,b,c,d,e,f); 382 ROUND256(f,g,h,a,b,c,d,e); 383 ROUND256(e,f,g,h,a,b,c,d); 384 ROUND256(d,e,f,g,h,a,b,c); 385 ROUND256(c,d,e,f,g,h,a,b); 386 ROUND256(b,c,d,e,f,g,h,a); 387 } while (j < 64); 388 389 /* Compute the current intermediate hash value */ 390 context->state[0] += a; 391 context->state[1] += b; 392 context->state[2] += c; 393 context->state[3] += d; 394 context->state[4] += e; 395 context->state[5] += f; 396 context->state[6] += g; 397 context->state[7] += h; 398 399 /* Clean up */ 400 a = b = c = d = e = f = g = h = T1 = 0; 401 } 402 403 #else /* SHA2_UNROLL_TRANSFORM */ 404 405 void 406 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 407 { 408 uint32_t a, b, c, d, e, f, g, h, s0, s1; 409 uint32_t T1, T2, *W256; 410 int j; 411 412 W256 = (uint32_t *)(void *)context->buffer; 413 414 /* Initialize registers with the prev. intermediate value */ 415 a = context->state[0]; 416 b = context->state[1]; 417 c = context->state[2]; 418 d = context->state[3]; 419 e = context->state[4]; 420 f = context->state[5]; 421 g = context->state[6]; 422 h = context->state[7]; 423 424 j = 0; 425 do { 426 W256[j] = be32toh(*data); 427 ++data; 428 /* Apply the SHA-256 compression function to update a..h */ 429 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 430 T2 = Sigma0_256(a) + Maj(a, b, c); 431 h = g; 432 g = f; 433 f = e; 434 e = d + T1; 435 d = c; 436 c = b; 437 b = a; 438 a = T1 + T2; 439 440 j++; 441 } while (j < 16); 442 443 do { 444 /* Part of the message block expansion: */ 445 s0 = W256[(j+1)&0x0f]; 446 s0 = sigma0_256(s0); 447 s1 = W256[(j+14)&0x0f]; 448 s1 = sigma1_256(s1); 449 450 /* Apply the SHA-256 compression function to update a..h */ 451 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 452 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 453 T2 = Sigma0_256(a) + Maj(a, b, c); 454 h = g; 455 g = f; 456 f = e; 457 e = d + T1; 458 d = c; 459 c = b; 460 b = a; 461 a = T1 + T2; 462 463 j++; 464 } while (j < 64); 465 466 /* Compute the current intermediate hash value */ 467 context->state[0] += a; 468 context->state[1] += b; 469 context->state[2] += c; 470 context->state[3] += d; 471 context->state[4] += e; 472 context->state[5] += f; 473 context->state[6] += g; 474 context->state[7] += h; 475 476 /* Clean up */ 477 a = b = c = d = e = f = g = h = T1 = T2 = 0; 478 } 479 480 #endif /* SHA2_UNROLL_TRANSFORM */ 481 482 int 483 SHA256_Update(SHA256_CTX *context, const uint8_t *data, size_t len) 484 { 485 unsigned int freespace, usedspace; 486 487 if (len == 0) { 488 /* Calling with no data is valid - we do nothing */ 489 return 1; 490 } 491 492 usedspace = (unsigned int)((context->bitcount >> 3) % 493 SHA256_BLOCK_LENGTH); 494 if (usedspace > 0) { 495 /* Calculate how much free space is available in the buffer */ 496 freespace = SHA256_BLOCK_LENGTH - usedspace; 497 498 if (len >= freespace) { 499 /* Fill the buffer completely and process it */ 500 memcpy(&context->buffer[usedspace], data, 501 (size_t)(freespace)); 502 context->bitcount += freespace << 3; 503 len -= freespace; 504 data += freespace; 505 SHA256_Transform(context, 506 (uint32_t *)(void *)context->buffer); 507 } else { 508 /* The buffer is not yet full */ 509 memcpy(&context->buffer[usedspace], data, len); 510 context->bitcount += len << 3; 511 /* Clean up: */ 512 usedspace = freespace = 0; 513 return 1; 514 } 515 } 516 /* 517 * Process as many complete blocks as possible. 518 * 519 * Check alignment of the data pointer. If it is 32bit aligned, 520 * SHA256_Transform can be called directly on the data stream, 521 * otherwise enforce the alignment by copy into the buffer. 522 */ 523 if ((uintptr_t)data % 4 == 0) { 524 while (len >= SHA256_BLOCK_LENGTH) { 525 SHA256_Transform(context, 526 (const uint32_t *)(const void *)data); 527 context->bitcount += SHA256_BLOCK_LENGTH << 3; 528 len -= SHA256_BLOCK_LENGTH; 529 data += SHA256_BLOCK_LENGTH; 530 } 531 } else { 532 while (len >= SHA256_BLOCK_LENGTH) { 533 memcpy(context->buffer, data, SHA256_BLOCK_LENGTH); 534 SHA256_Transform(context, 535 (const uint32_t *)(const void *)context->buffer); 536 context->bitcount += SHA256_BLOCK_LENGTH << 3; 537 len -= SHA256_BLOCK_LENGTH; 538 data += SHA256_BLOCK_LENGTH; 539 } 540 } 541 if (len > 0) { 542 /* There's left-overs, so save 'em */ 543 memcpy(context->buffer, data, len); 544 context->bitcount += len << 3; 545 } 546 /* Clean up: */ 547 usedspace = freespace = 0; 548 549 return 1; 550 } 551 552 static int 553 SHA224_256_Final(uint8_t digest[], SHA256_CTX *context, size_t len) 554 { 555 uint32_t *d = (void *)digest; 556 unsigned int usedspace; 557 size_t i; 558 559 /* If no digest buffer is passed, we don't bother doing this: */ 560 if (digest != NULL) { 561 usedspace = (unsigned int)((context->bitcount >> 3) % 562 SHA256_BLOCK_LENGTH); 563 context->bitcount = htobe64(context->bitcount); 564 if (usedspace > 0) { 565 /* Begin padding with a 1 bit: */ 566 context->buffer[usedspace++] = 0x80; 567 568 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 569 /* Set-up for the last transform: */ 570 memset(&context->buffer[usedspace], 0, 571 (size_t)(SHA256_SHORT_BLOCK_LENGTH - 572 usedspace)); 573 } else { 574 if (usedspace < SHA256_BLOCK_LENGTH) { 575 memset(&context->buffer[usedspace], 0, 576 (size_t)(SHA256_BLOCK_LENGTH - 577 usedspace)); 578 } 579 /* Do second-to-last transform: */ 580 SHA256_Transform(context, 581 (uint32_t *)(void *)context->buffer); 582 583 /* And set-up for the last transform: */ 584 memset(context->buffer, 0, 585 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 586 } 587 } else { 588 /* Set-up for the last transform: */ 589 memset(context->buffer, 0, 590 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 591 592 /* Begin padding with a 1 bit: */ 593 *context->buffer = 0x80; 594 } 595 /* Set the bit count: */ 596 memcpy(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], 597 &context->bitcount, sizeof(context->bitcount)); 598 599 /* Final transform: */ 600 SHA256_Transform(context, (uint32_t *)(void *)context->buffer); 601 602 for (i = 0; i < len / 4; i++) 603 d[i] = htobe32(context->state[i]); 604 } 605 606 /* Clean up state data: */ 607 memset(context, 0, sizeof(*context)); 608 usedspace = 0; 609 610 return 1; 611 } 612 613 int 614 SHA256_Final(uint8_t digest[], SHA256_CTX *context) 615 { 616 return SHA224_256_Final(digest, context, SHA256_DIGEST_LENGTH); 617 } 618 619 /*** SHA-224: *********************************************************/ 620 int 621 SHA224_Init(SHA224_CTX *context) 622 { 623 if (context == NULL) 624 return 1; 625 626 memcpy(context->state, sha224_initial_hash_value, 627 (size_t)(SHA224_DIGEST_LENGTH)); 628 memset(context->buffer, 0, (size_t)(SHA224_BLOCK_LENGTH)); 629 context->bitcount = 0; 630 631 return 1; 632 } 633 634 int 635 SHA224_Update(SHA224_CTX *context, const uint8_t *data, size_t len) 636 { 637 return SHA256_Update((SHA256_CTX *)context, data, len); 638 } 639 640 void 641 SHA224_Transform(SHA224_CTX *context, const uint32_t *data) 642 { 643 SHA256_Transform((SHA256_CTX *)context, data); 644 } 645 646 int 647 SHA224_Final(uint8_t digest[], SHA224_CTX *context) 648 { 649 return SHA224_256_Final(digest, (SHA256_CTX *)context, 650 SHA224_DIGEST_LENGTH); 651 } 652 653 /*** SHA-512: *********************************************************/ 654 int 655 SHA512_Init(SHA512_CTX *context) 656 { 657 if (context == NULL) 658 return 1; 659 660 memcpy(context->state, sha512_initial_hash_value, 661 (size_t)(SHA512_DIGEST_LENGTH)); 662 memset(context->buffer, 0, (size_t)(SHA512_BLOCK_LENGTH)); 663 context->bitcount[0] = context->bitcount[1] = 0; 664 665 return 1; 666 } 667 668 #ifdef SHA2_UNROLL_TRANSFORM 669 670 /* Unrolled SHA-512 round macros: */ 671 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 672 W512[j] = be64toh(*data); \ 673 ++data; \ 674 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 675 K512[j] + W512[j]; \ 676 (d) += T1, \ 677 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 678 j++ 679 680 #define ROUND512(a,b,c,d,e,f,g,h) \ 681 s0 = W512[(j+1)&0x0f]; \ 682 s0 = sigma0_512(s0); \ 683 s1 = W512[(j+14)&0x0f]; \ 684 s1 = sigma1_512(s1); \ 685 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 686 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 687 (d) += T1; \ 688 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 689 j++ 690 691 void 692 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 693 { 694 uint64_t a, b, c, d, e, f, g, h, s0, s1; 695 uint64_t T1, *W512 = (uint64_t *)context->buffer; 696 int j; 697 698 /* Initialize registers with the prev. intermediate value */ 699 a = context->state[0]; 700 b = context->state[1]; 701 c = context->state[2]; 702 d = context->state[3]; 703 e = context->state[4]; 704 f = context->state[5]; 705 g = context->state[6]; 706 h = context->state[7]; 707 708 j = 0; 709 do { 710 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 711 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 712 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 713 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 714 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 715 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 716 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 717 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 718 } while (j < 16); 719 720 /* Now for the remaining rounds up to 79: */ 721 do { 722 ROUND512(a,b,c,d,e,f,g,h); 723 ROUND512(h,a,b,c,d,e,f,g); 724 ROUND512(g,h,a,b,c,d,e,f); 725 ROUND512(f,g,h,a,b,c,d,e); 726 ROUND512(e,f,g,h,a,b,c,d); 727 ROUND512(d,e,f,g,h,a,b,c); 728 ROUND512(c,d,e,f,g,h,a,b); 729 ROUND512(b,c,d,e,f,g,h,a); 730 } while (j < 80); 731 732 /* Compute the current intermediate hash value */ 733 context->state[0] += a; 734 context->state[1] += b; 735 context->state[2] += c; 736 context->state[3] += d; 737 context->state[4] += e; 738 context->state[5] += f; 739 context->state[6] += g; 740 context->state[7] += h; 741 742 /* Clean up */ 743 a = b = c = d = e = f = g = h = T1 = 0; 744 } 745 746 #else /* SHA2_UNROLL_TRANSFORM */ 747 748 void 749 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 750 { 751 uint64_t a, b, c, d, e, f, g, h, s0, s1; 752 uint64_t T1, T2, *W512 = (void *)context->buffer; 753 int j; 754 755 /* Initialize registers with the prev. intermediate value */ 756 a = context->state[0]; 757 b = context->state[1]; 758 c = context->state[2]; 759 d = context->state[3]; 760 e = context->state[4]; 761 f = context->state[5]; 762 g = context->state[6]; 763 h = context->state[7]; 764 765 j = 0; 766 do { 767 W512[j] = be64toh(*data); 768 ++data; 769 /* Apply the SHA-512 compression function to update a..h */ 770 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 771 T2 = Sigma0_512(a) + Maj(a, b, c); 772 h = g; 773 g = f; 774 f = e; 775 e = d + T1; 776 d = c; 777 c = b; 778 b = a; 779 a = T1 + T2; 780 781 j++; 782 } while (j < 16); 783 784 do { 785 /* Part of the message block expansion: */ 786 s0 = W512[(j+1)&0x0f]; 787 s0 = sigma0_512(s0); 788 s1 = W512[(j+14)&0x0f]; 789 s1 = sigma1_512(s1); 790 791 /* Apply the SHA-512 compression function to update a..h */ 792 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 793 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 794 T2 = Sigma0_512(a) + Maj(a, b, c); 795 h = g; 796 g = f; 797 f = e; 798 e = d + T1; 799 d = c; 800 c = b; 801 b = a; 802 a = T1 + T2; 803 804 j++; 805 } while (j < 80); 806 807 /* Compute the current intermediate hash value */ 808 context->state[0] += a; 809 context->state[1] += b; 810 context->state[2] += c; 811 context->state[3] += d; 812 context->state[4] += e; 813 context->state[5] += f; 814 context->state[6] += g; 815 context->state[7] += h; 816 817 /* Clean up */ 818 a = b = c = d = e = f = g = h = T1 = T2 = 0; 819 } 820 821 #endif /* SHA2_UNROLL_TRANSFORM */ 822 823 int 824 SHA512_Update(SHA512_CTX *context, const uint8_t *data, size_t len) 825 { 826 unsigned int freespace, usedspace; 827 828 if (len == 0) { 829 /* Calling with no data is valid - we do nothing */ 830 return 1; 831 } 832 833 usedspace = (unsigned int)((context->bitcount[0] >> 3) % 834 SHA512_BLOCK_LENGTH); 835 if (usedspace > 0) { 836 /* Calculate how much free space is available in the buffer */ 837 freespace = SHA512_BLOCK_LENGTH - usedspace; 838 839 if (len >= freespace) { 840 /* Fill the buffer completely and process it */ 841 memcpy(&context->buffer[usedspace], data, 842 (size_t)(freespace)); 843 ADDINC128(context->bitcount, freespace << 3); 844 len -= freespace; 845 data += freespace; 846 SHA512_Transform(context, 847 (uint64_t *)(void *)context->buffer); 848 } else { 849 /* The buffer is not yet full */ 850 memcpy(&context->buffer[usedspace], data, len); 851 ADDINC128(context->bitcount, len << 3); 852 /* Clean up: */ 853 usedspace = freespace = 0; 854 return 1; 855 } 856 } 857 /* 858 * Process as many complete blocks as possible. 859 * 860 * Check alignment of the data pointer. If it is 64bit aligned, 861 * SHA512_Transform can be called directly on the data stream, 862 * otherwise enforce the alignment by copy into the buffer. 863 */ 864 if ((uintptr_t)data % 8 == 0) { 865 while (len >= SHA512_BLOCK_LENGTH) { 866 SHA512_Transform(context, 867 (const uint64_t*)(const void *)data); 868 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 869 len -= SHA512_BLOCK_LENGTH; 870 data += SHA512_BLOCK_LENGTH; 871 } 872 } else { 873 while (len >= SHA512_BLOCK_LENGTH) { 874 memcpy(context->buffer, data, SHA512_BLOCK_LENGTH); 875 SHA512_Transform(context, 876 (const void *)context->buffer); 877 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 878 len -= SHA512_BLOCK_LENGTH; 879 data += SHA512_BLOCK_LENGTH; 880 } 881 } 882 if (len > 0) { 883 /* There's left-overs, so save 'em */ 884 memcpy(context->buffer, data, len); 885 ADDINC128(context->bitcount, len << 3); 886 } 887 /* Clean up: */ 888 usedspace = freespace = 0; 889 890 return 1; 891 } 892 893 static void 894 SHA512_Last(SHA512_CTX *context) 895 { 896 unsigned int usedspace; 897 898 usedspace = (unsigned int)((context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH); 899 context->bitcount[0] = htobe64(context->bitcount[0]); 900 context->bitcount[1] = htobe64(context->bitcount[1]); 901 if (usedspace > 0) { 902 /* Begin padding with a 1 bit: */ 903 context->buffer[usedspace++] = 0x80; 904 905 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 906 /* Set-up for the last transform: */ 907 memset(&context->buffer[usedspace], 0, 908 (size_t)(SHA512_SHORT_BLOCK_LENGTH - usedspace)); 909 } else { 910 if (usedspace < SHA512_BLOCK_LENGTH) { 911 memset(&context->buffer[usedspace], 0, 912 (size_t)(SHA512_BLOCK_LENGTH - usedspace)); 913 } 914 /* Do second-to-last transform: */ 915 SHA512_Transform(context, 916 (uint64_t *)(void *)context->buffer); 917 918 /* And set-up for the last transform: */ 919 memset(context->buffer, 0, 920 (size_t)(SHA512_BLOCK_LENGTH - 2)); 921 } 922 } else { 923 /* Prepare for final transform: */ 924 memset(context->buffer, 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH)); 925 926 /* Begin padding with a 1 bit: */ 927 *context->buffer = 0x80; 928 } 929 /* Store the length of input data (in bits): */ 930 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], 931 &context->bitcount[1], sizeof(context->bitcount[1])); 932 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], 933 &context->bitcount[0], sizeof(context->bitcount[0])); 934 935 /* Final transform: */ 936 SHA512_Transform(context, (uint64_t *)(void *)context->buffer); 937 } 938 939 int 940 SHA512_Final(uint8_t digest[], SHA512_CTX *context) 941 { 942 uint64_t *d = (void *)digest; 943 size_t i; 944 945 /* If no digest buffer is passed, we don't bother doing this: */ 946 if (digest != NULL) { 947 SHA512_Last(context); 948 949 /* Save the hash data for output: */ 950 for (i = 0; i < 8; ++i) 951 d[i] = htobe64(context->state[i]); 952 } 953 954 /* Zero out state data */ 955 memset(context, 0, sizeof(*context)); 956 957 return 1; 958 } 959 960 /*** SHA-384: *********************************************************/ 961 int 962 SHA384_Init(SHA384_CTX *context) 963 { 964 if (context == NULL) 965 return 1; 966 967 memcpy(context->state, sha384_initial_hash_value, 968 (size_t)(SHA512_DIGEST_LENGTH)); 969 memset(context->buffer, 0, (size_t)(SHA384_BLOCK_LENGTH)); 970 context->bitcount[0] = context->bitcount[1] = 0; 971 972 return 1; 973 } 974 975 int 976 SHA384_Update(SHA384_CTX *context, const uint8_t *data, size_t len) 977 { 978 return SHA512_Update((SHA512_CTX *)context, data, len); 979 } 980 981 void 982 SHA384_Transform(SHA512_CTX *context, const uint64_t *data) 983 { 984 SHA512_Transform((SHA512_CTX *)context, data); 985 } 986 987 int 988 SHA384_Final(uint8_t digest[], SHA384_CTX *context) 989 { 990 uint64_t *d = (void *)digest; 991 size_t i; 992 993 /* If no digest buffer is passed, we don't bother doing this: */ 994 if (digest != NULL) { 995 SHA512_Last((SHA512_CTX *)context); 996 997 /* Save the hash data for output: */ 998 for (i = 0; i < 6; ++i) 999 d[i] = be64toh(context->state[i]); 1000 } 1001 1002 /* Zero out state data */ 1003 memset(context, 0, sizeof(*context)); 1004 1005 return 1; 1006 } 1007
Indexes created Mon Sep 29 21:09:56 GMT 2025