sha2.c revision 1.17
1 /* $NetBSD: sha2.c,v 1.17 2009/06/19 05:09:09 tsutsui Exp $ */ 2 /* $KAME: sha2.c,v 1.9 2003/07/20 00:28:38 itojun Exp $ */ 3 4 /* 5 * sha2.c 6 * 7 * Version 1.0.0beta1 8 * 9 * Written by Aaron D. Gifford <me (at) aarongifford.com> 10 * 11 * Copyright 2000 Aaron D. Gifford. All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of the copyright holder nor the names of contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 */ 38 39 #if HAVE_NBTOOL_CONFIG_H 40 #include "nbtool_config.h" 41 #endif 42 43 #include <sys/cdefs.h> 44 45 #if defined(_KERNEL) || defined(_STANDALONE) 46 __KERNEL_RCSID(0, "$NetBSD: sha2.c,v 1.17 2009/06/19 05:09:09 tsutsui Exp $"); 47 48 #include <sys/param.h> /* XXX: to pull <machine/macros.h> for vax memset(9) */ 49 #include <lib/libkern/libkern.h> 50 51 #else 52 53 #if defined(LIBC_SCCS) && !defined(lint) 54 __RCSID("$NetBSD: sha2.c,v 1.17 2009/06/19 05:09:09 tsutsui Exp $"); 55 #endif /* LIBC_SCCS and not lint */ 56 57 #include "namespace.h" 58 #include <string.h> 59 60 #endif 61 62 #include <sys/types.h> 63 #include <sys/sha2.h> 64 65 #if HAVE_NBTOOL_CONFIG_H 66 # if HAVE_SYS_ENDIAN_H 67 # include <sys/endian.h> 68 # else 69 # undef htobe32 70 # undef htobe64 71 # undef be32toh 72 # undef be64toh 73 74 static uint32_t 75 htobe32(uint32_t x) 76 { 77 uint8_t p[4]; 78 memcpy(p, &x, 4); 79 80 return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); 81 } 82 83 static uint64_t 84 htobe64(uint64_t x) 85 { 86 uint8_t p[8]; 87 uint32_t u, v; 88 memcpy(p, &x, 8); 89 90 u = ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); 91 v = ((p[4] << 24) | (p[5] << 16) | (p[6] << 8) | p[7]); 92 93 return ((((uint64_t)u) << 32) | v); 94 } 95 96 static uint32_t 97 be32toh(uint32_t x) 98 { 99 return htobe32(x); 100 } 101 102 static uint64_t 103 be64toh(uint64_t x) 104 { 105 return htobe64(x); 106 } 107 # endif 108 #endif 109 110 /*** SHA-256/384/512 Various Length Definitions ***********************/ 111 /* NOTE: Most of these are in sha2.h */ 112 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 113 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 114 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 115 116 /* 117 * Macro for incrementally adding the unsigned 64-bit integer n to the 118 * unsigned 128-bit integer (represented using a two-element array of 119 * 64-bit words): 120 */ 121 #define ADDINC128(w,n) { \ 122 (w)[0] += (uint64_t)(n); \ 123 if ((w)[0] < (n)) { \ 124 (w)[1]++; \ 125 } \ 126 } 127 128 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 129 /* 130 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 131 * 132 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 133 * S is a ROTATION) because the SHA-256/384/512 description document 134 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 135 * same "backwards" definition. 136 */ 137 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 138 #define R(b,x) ((x) >> (b)) 139 /* 32-bit Rotate-right (used in SHA-256): */ 140 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 141 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 142 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 143 144 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 145 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 146 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 147 148 /* Four of six logical functions used in SHA-256: */ 149 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 150 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 151 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 152 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 153 154 /* Four of six logical functions used in SHA-384 and SHA-512: */ 155 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 156 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 157 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 158 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 159 160 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 161 /* NOTE: These should not be accessed directly from outside this 162 * library -- they are intended for private internal visibility/use 163 * only. 164 */ 165 static void SHA512_Last(SHA512_CTX *); 166 void SHA224_Transform(SHA224_CTX *, const uint32_t*); 167 void SHA256_Transform(SHA256_CTX *, const uint32_t*); 168 void SHA384_Transform(SHA384_CTX *, const uint64_t*); 169 void SHA512_Transform(SHA512_CTX *, const uint64_t*); 170 171 172 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 173 /* Hash constant words K for SHA-256: */ 174 static const uint32_t K256[64] = { 175 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 176 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 177 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 178 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 179 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 180 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 181 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 182 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 183 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 184 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 185 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 186 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 187 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 188 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 189 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 190 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 191 }; 192 193 /* Initial hash value H for SHA-224: */ 194 static const uint32_t sha224_initial_hash_value[8] = { 195 0xc1059ed8UL, 196 0x367cd507UL, 197 0x3070dd17UL, 198 0xf70e5939UL, 199 0xffc00b31UL, 200 0x68581511UL, 201 0x64f98fa7UL, 202 0xbefa4fa4UL 203 }; 204 205 /* Initial hash value H for SHA-256: */ 206 static const uint32_t sha256_initial_hash_value[8] = { 207 0x6a09e667UL, 208 0xbb67ae85UL, 209 0x3c6ef372UL, 210 0xa54ff53aUL, 211 0x510e527fUL, 212 0x9b05688cUL, 213 0x1f83d9abUL, 214 0x5be0cd19UL 215 }; 216 217 /* Hash constant words K for SHA-384 and SHA-512: */ 218 static const uint64_t K512[80] = { 219 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 220 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 221 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 222 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 223 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 224 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 225 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 226 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 227 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 228 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 229 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 230 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 231 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 232 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 233 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 234 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 235 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 236 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 237 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 238 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 239 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 240 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 241 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 242 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 243 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 244 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 245 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 246 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 247 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 248 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 249 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 250 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 251 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 252 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 253 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 254 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 255 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 256 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 257 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 258 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 259 }; 260 261 /* Initial hash value H for SHA-384 */ 262 static const uint64_t sha384_initial_hash_value[8] = { 263 0xcbbb9d5dc1059ed8ULL, 264 0x629a292a367cd507ULL, 265 0x9159015a3070dd17ULL, 266 0x152fecd8f70e5939ULL, 267 0x67332667ffc00b31ULL, 268 0x8eb44a8768581511ULL, 269 0xdb0c2e0d64f98fa7ULL, 270 0x47b5481dbefa4fa4ULL 271 }; 272 273 /* Initial hash value H for SHA-512 */ 274 static const uint64_t sha512_initial_hash_value[8] = { 275 0x6a09e667f3bcc908ULL, 276 0xbb67ae8584caa73bULL, 277 0x3c6ef372fe94f82bULL, 278 0xa54ff53a5f1d36f1ULL, 279 0x510e527fade682d1ULL, 280 0x9b05688c2b3e6c1fULL, 281 0x1f83d9abfb41bd6bULL, 282 0x5be0cd19137e2179ULL 283 }; 284 285 #if !defined(_KERNEL) && defined(__weak_alias) 286 __weak_alias(SHA224_Init,_SHA224_Init) 287 __weak_alias(SHA224_Update,_SHA224_Update) 288 __weak_alias(SHA224_Final,_SHA224_Final) 289 __weak_alias(SHA224_Transform,_SHA224_Transform) 290 291 __weak_alias(SHA256_Init,_SHA256_Init) 292 __weak_alias(SHA256_Update,_SHA256_Update) 293 __weak_alias(SHA256_Final,_SHA256_Final) 294 __weak_alias(SHA256_Transform,_SHA256_Transform) 295 296 __weak_alias(SHA384_Init,_SHA384_Init) 297 __weak_alias(SHA384_Update,_SHA384_Update) 298 __weak_alias(SHA384_Final,_SHA384_Final) 299 __weak_alias(SHA384_Transform,_SHA384_Transform) 300 301 __weak_alias(SHA512_Init,_SHA512_Init) 302 __weak_alias(SHA512_Update,_SHA512_Update) 303 __weak_alias(SHA512_Final,_SHA512_Final) 304 __weak_alias(SHA512_Transform,_SHA512_Transform) 305 #endif 306 307 /*** SHA-256: *********************************************************/ 308 int 309 SHA256_Init(SHA256_CTX *context) 310 { 311 if (context == NULL) 312 return 1; 313 314 memcpy(context->state, sha256_initial_hash_value, 315 (size_t)(SHA256_DIGEST_LENGTH)); 316 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 317 context->bitcount = 0; 318 319 return 1; 320 } 321 322 #ifdef SHA2_UNROLL_TRANSFORM 323 324 /* Unrolled SHA-256 round macros: */ 325 326 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 327 W256[j] = be32toh(*data); \ 328 ++data; \ 329 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 330 K256[j] + W256[j]; \ 331 (d) += T1; \ 332 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 333 j++ 334 335 #define ROUND256(a,b,c,d,e,f,g,h) \ 336 s0 = W256[(j+1)&0x0f]; \ 337 s0 = sigma0_256(s0); \ 338 s1 = W256[(j+14)&0x0f]; \ 339 s1 = sigma1_256(s1); \ 340 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 341 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 342 (d) += T1; \ 343 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 344 j++ 345 346 void 347 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 348 { 349 uint32_t a, b, c, d, e, f, g, h, s0, s1; 350 uint32_t T1, *W256; 351 int j; 352 353 W256 = (uint32_t *)context->buffer; 354 355 /* Initialize registers with the prev. intermediate value */ 356 a = context->state[0]; 357 b = context->state[1]; 358 c = context->state[2]; 359 d = context->state[3]; 360 e = context->state[4]; 361 f = context->state[5]; 362 g = context->state[6]; 363 h = context->state[7]; 364 365 j = 0; 366 do { 367 /* Rounds 0 to 15 (unrolled): */ 368 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 369 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 370 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 371 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 372 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 373 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 374 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 375 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 376 } while (j < 16); 377 378 /* Now for the remaining rounds to 64: */ 379 do { 380 ROUND256(a,b,c,d,e,f,g,h); 381 ROUND256(h,a,b,c,d,e,f,g); 382 ROUND256(g,h,a,b,c,d,e,f); 383 ROUND256(f,g,h,a,b,c,d,e); 384 ROUND256(e,f,g,h,a,b,c,d); 385 ROUND256(d,e,f,g,h,a,b,c); 386 ROUND256(c,d,e,f,g,h,a,b); 387 ROUND256(b,c,d,e,f,g,h,a); 388 } while (j < 64); 389 390 /* Compute the current intermediate hash value */ 391 context->state[0] += a; 392 context->state[1] += b; 393 context->state[2] += c; 394 context->state[3] += d; 395 context->state[4] += e; 396 context->state[5] += f; 397 context->state[6] += g; 398 context->state[7] += h; 399 400 /* Clean up */ 401 a = b = c = d = e = f = g = h = T1 = 0; 402 } 403 404 #else /* SHA2_UNROLL_TRANSFORM */ 405 406 void 407 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 408 { 409 uint32_t a, b, c, d, e, f, g, h, s0, s1; 410 uint32_t T1, T2, *W256; 411 int j; 412 413 W256 = (uint32_t *)(void *)context->buffer; 414 415 /* Initialize registers with the prev. intermediate value */ 416 a = context->state[0]; 417 b = context->state[1]; 418 c = context->state[2]; 419 d = context->state[3]; 420 e = context->state[4]; 421 f = context->state[5]; 422 g = context->state[6]; 423 h = context->state[7]; 424 425 j = 0; 426 do { 427 W256[j] = be32toh(*data); 428 ++data; 429 /* Apply the SHA-256 compression function to update a..h */ 430 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 431 T2 = Sigma0_256(a) + Maj(a, b, c); 432 h = g; 433 g = f; 434 f = e; 435 e = d + T1; 436 d = c; 437 c = b; 438 b = a; 439 a = T1 + T2; 440 441 j++; 442 } while (j < 16); 443 444 do { 445 /* Part of the message block expansion: */ 446 s0 = W256[(j+1)&0x0f]; 447 s0 = sigma0_256(s0); 448 s1 = W256[(j+14)&0x0f]; 449 s1 = sigma1_256(s1); 450 451 /* Apply the SHA-256 compression function to update a..h */ 452 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 453 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 454 T2 = Sigma0_256(a) + Maj(a, b, c); 455 h = g; 456 g = f; 457 f = e; 458 e = d + T1; 459 d = c; 460 c = b; 461 b = a; 462 a = T1 + T2; 463 464 j++; 465 } while (j < 64); 466 467 /* Compute the current intermediate hash value */ 468 context->state[0] += a; 469 context->state[1] += b; 470 context->state[2] += c; 471 context->state[3] += d; 472 context->state[4] += e; 473 context->state[5] += f; 474 context->state[6] += g; 475 context->state[7] += h; 476 477 /* Clean up */ 478 a = b = c = d = e = f = g = h = T1 = T2 = 0; 479 } 480 481 #endif /* SHA2_UNROLL_TRANSFORM */ 482 483 int 484 SHA256_Update(SHA256_CTX *context, const uint8_t *data, size_t len) 485 { 486 unsigned int freespace, usedspace; 487 488 if (len == 0) { 489 /* Calling with no data is valid - we do nothing */ 490 return 1; 491 } 492 493 usedspace = (unsigned int)((context->bitcount >> 3) % 494 SHA256_BLOCK_LENGTH); 495 if (usedspace > 0) { 496 /* Calculate how much free space is available in the buffer */ 497 freespace = SHA256_BLOCK_LENGTH - usedspace; 498 499 if (len >= freespace) { 500 /* Fill the buffer completely and process it */ 501 memcpy(&context->buffer[usedspace], data, 502 (size_t)(freespace)); 503 context->bitcount += freespace << 3; 504 len -= freespace; 505 data += freespace; 506 SHA256_Transform(context, 507 (uint32_t *)(void *)context->buffer); 508 } else { 509 /* The buffer is not yet full */ 510 memcpy(&context->buffer[usedspace], data, len); 511 context->bitcount += len << 3; 512 /* Clean up: */ 513 usedspace = freespace = 0; 514 return 1; 515 } 516 } 517 /* 518 * Process as many complete blocks as possible. 519 * 520 * Check alignment of the data pointer. If it is 32bit aligned, 521 * SHA256_Transform can be called directly on the data stream, 522 * otherwise enforce the alignment by copy into the buffer. 523 */ 524 if ((uintptr_t)data % 4 == 0) { 525 while (len >= SHA256_BLOCK_LENGTH) { 526 SHA256_Transform(context, 527 (const uint32_t *)(const void *)data); 528 context->bitcount += SHA256_BLOCK_LENGTH << 3; 529 len -= SHA256_BLOCK_LENGTH; 530 data += SHA256_BLOCK_LENGTH; 531 } 532 } else { 533 while (len >= SHA256_BLOCK_LENGTH) { 534 memcpy(context->buffer, data, SHA256_BLOCK_LENGTH); 535 SHA256_Transform(context, 536 (const uint32_t *)(const void *)context->buffer); 537 context->bitcount += SHA256_BLOCK_LENGTH << 3; 538 len -= SHA256_BLOCK_LENGTH; 539 data += SHA256_BLOCK_LENGTH; 540 } 541 } 542 if (len > 0) { 543 /* There's left-overs, so save 'em */ 544 memcpy(context->buffer, data, len); 545 context->bitcount += len << 3; 546 } 547 /* Clean up: */ 548 usedspace = freespace = 0; 549 550 return 1; 551 } 552 553 static int 554 SHA224_256_Final(uint8_t digest[], SHA256_CTX *context, size_t len) 555 { 556 uint32_t *d = (void *)digest; 557 unsigned int usedspace; 558 size_t i; 559 560 /* If no digest buffer is passed, we don't bother doing this: */ 561 if (digest != NULL) { 562 usedspace = (unsigned int)((context->bitcount >> 3) % 563 SHA256_BLOCK_LENGTH); 564 context->bitcount = htobe64(context->bitcount); 565 if (usedspace > 0) { 566 /* Begin padding with a 1 bit: */ 567 context->buffer[usedspace++] = 0x80; 568 569 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 570 /* Set-up for the last transform: */ 571 memset(&context->buffer[usedspace], 0, 572 (size_t)(SHA256_SHORT_BLOCK_LENGTH - 573 usedspace)); 574 } else { 575 if (usedspace < SHA256_BLOCK_LENGTH) { 576 memset(&context->buffer[usedspace], 0, 577 (size_t)(SHA256_BLOCK_LENGTH - 578 usedspace)); 579 } 580 /* Do second-to-last transform: */ 581 SHA256_Transform(context, 582 (uint32_t *)(void *)context->buffer); 583 584 /* And set-up for the last transform: */ 585 memset(context->buffer, 0, 586 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 587 } 588 } else { 589 /* Set-up for the last transform: */ 590 memset(context->buffer, 0, 591 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 592 593 /* Begin padding with a 1 bit: */ 594 *context->buffer = 0x80; 595 } 596 /* Set the bit count: */ 597 memcpy(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], 598 &context->bitcount, sizeof(context->bitcount)); 599 600 /* Final transform: */ 601 SHA256_Transform(context, (uint32_t *)(void *)context->buffer); 602 603 for (i = 0; i < len / 4; i++) 604 d[i] = htobe32(context->state[i]); 605 } 606 607 /* Clean up state data: */ 608 memset(context, 0, sizeof(*context)); 609 usedspace = 0; 610 611 return 1; 612 } 613 614 int 615 SHA256_Final(uint8_t digest[], SHA256_CTX *context) 616 { 617 return SHA224_256_Final(digest, context, SHA256_DIGEST_LENGTH); 618 } 619 620 /*** SHA-224: *********************************************************/ 621 int 622 SHA224_Init(SHA224_CTX *context) 623 { 624 if (context == NULL) 625 return 1; 626 627 memcpy(context->state, sha224_initial_hash_value, 628 (size_t)(SHA224_DIGEST_LENGTH)); 629 memset(context->buffer, 0, (size_t)(SHA224_BLOCK_LENGTH)); 630 context->bitcount = 0; 631 632 return 1; 633 } 634 635 int 636 SHA224_Update(SHA224_CTX *context, const uint8_t *data, size_t len) 637 { 638 return SHA256_Update((SHA256_CTX *)context, data, len); 639 } 640 641 void 642 SHA224_Transform(SHA224_CTX *context, const uint32_t *data) 643 { 644 SHA256_Transform((SHA256_CTX *)context, data); 645 } 646 647 int 648 SHA224_Final(uint8_t digest[], SHA224_CTX *context) 649 { 650 return SHA224_256_Final(digest, (SHA256_CTX *)context, 651 SHA224_DIGEST_LENGTH); 652 } 653 654 /*** SHA-512: *********************************************************/ 655 int 656 SHA512_Init(SHA512_CTX *context) 657 { 658 if (context == NULL) 659 return 1; 660 661 memcpy(context->state, sha512_initial_hash_value, 662 (size_t)(SHA512_DIGEST_LENGTH)); 663 memset(context->buffer, 0, (size_t)(SHA512_BLOCK_LENGTH)); 664 context->bitcount[0] = context->bitcount[1] = 0; 665 666 return 1; 667 } 668 669 #ifdef SHA2_UNROLL_TRANSFORM 670 671 /* Unrolled SHA-512 round macros: */ 672 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 673 W512[j] = be64toh(*data); \ 674 ++data; \ 675 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 676 K512[j] + W512[j]; \ 677 (d) += T1, \ 678 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 679 j++ 680 681 #define ROUND512(a,b,c,d,e,f,g,h) \ 682 s0 = W512[(j+1)&0x0f]; \ 683 s0 = sigma0_512(s0); \ 684 s1 = W512[(j+14)&0x0f]; \ 685 s1 = sigma1_512(s1); \ 686 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 687 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 688 (d) += T1; \ 689 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 690 j++ 691 692 void 693 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 694 { 695 uint64_t a, b, c, d, e, f, g, h, s0, s1; 696 uint64_t T1, *W512 = (uint64_t *)context->buffer; 697 int j; 698 699 /* Initialize registers with the prev. intermediate value */ 700 a = context->state[0]; 701 b = context->state[1]; 702 c = context->state[2]; 703 d = context->state[3]; 704 e = context->state[4]; 705 f = context->state[5]; 706 g = context->state[6]; 707 h = context->state[7]; 708 709 j = 0; 710 do { 711 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 712 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 713 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 714 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 715 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 716 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 717 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 718 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 719 } while (j < 16); 720 721 /* Now for the remaining rounds up to 79: */ 722 do { 723 ROUND512(a,b,c,d,e,f,g,h); 724 ROUND512(h,a,b,c,d,e,f,g); 725 ROUND512(g,h,a,b,c,d,e,f); 726 ROUND512(f,g,h,a,b,c,d,e); 727 ROUND512(e,f,g,h,a,b,c,d); 728 ROUND512(d,e,f,g,h,a,b,c); 729 ROUND512(c,d,e,f,g,h,a,b); 730 ROUND512(b,c,d,e,f,g,h,a); 731 } while (j < 80); 732 733 /* Compute the current intermediate hash value */ 734 context->state[0] += a; 735 context->state[1] += b; 736 context->state[2] += c; 737 context->state[3] += d; 738 context->state[4] += e; 739 context->state[5] += f; 740 context->state[6] += g; 741 context->state[7] += h; 742 743 /* Clean up */ 744 a = b = c = d = e = f = g = h = T1 = 0; 745 } 746 747 #else /* SHA2_UNROLL_TRANSFORM */ 748 749 void 750 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 751 { 752 uint64_t a, b, c, d, e, f, g, h, s0, s1; 753 uint64_t T1, T2, *W512 = (void *)context->buffer; 754 int j; 755 756 /* Initialize registers with the prev. intermediate value */ 757 a = context->state[0]; 758 b = context->state[1]; 759 c = context->state[2]; 760 d = context->state[3]; 761 e = context->state[4]; 762 f = context->state[5]; 763 g = context->state[6]; 764 h = context->state[7]; 765 766 j = 0; 767 do { 768 W512[j] = be64toh(*data); 769 ++data; 770 /* Apply the SHA-512 compression function to update a..h */ 771 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 772 T2 = Sigma0_512(a) + Maj(a, b, c); 773 h = g; 774 g = f; 775 f = e; 776 e = d + T1; 777 d = c; 778 c = b; 779 b = a; 780 a = T1 + T2; 781 782 j++; 783 } while (j < 16); 784 785 do { 786 /* Part of the message block expansion: */ 787 s0 = W512[(j+1)&0x0f]; 788 s0 = sigma0_512(s0); 789 s1 = W512[(j+14)&0x0f]; 790 s1 = sigma1_512(s1); 791 792 /* Apply the SHA-512 compression function to update a..h */ 793 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 794 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 795 T2 = Sigma0_512(a) + Maj(a, b, c); 796 h = g; 797 g = f; 798 f = e; 799 e = d + T1; 800 d = c; 801 c = b; 802 b = a; 803 a = T1 + T2; 804 805 j++; 806 } while (j < 80); 807 808 /* Compute the current intermediate hash value */ 809 context->state[0] += a; 810 context->state[1] += b; 811 context->state[2] += c; 812 context->state[3] += d; 813 context->state[4] += e; 814 context->state[5] += f; 815 context->state[6] += g; 816 context->state[7] += h; 817 818 /* Clean up */ 819 a = b = c = d = e = f = g = h = T1 = T2 = 0; 820 } 821 822 #endif /* SHA2_UNROLL_TRANSFORM */ 823 824 int 825 SHA512_Update(SHA512_CTX *context, const uint8_t *data, size_t len) 826 { 827 unsigned int freespace, usedspace; 828 829 if (len == 0) { 830 /* Calling with no data is valid - we do nothing */ 831 return 1; 832 } 833 834 usedspace = (unsigned int)((context->bitcount[0] >> 3) % 835 SHA512_BLOCK_LENGTH); 836 if (usedspace > 0) { 837 /* Calculate how much free space is available in the buffer */ 838 freespace = SHA512_BLOCK_LENGTH - usedspace; 839 840 if (len >= freespace) { 841 /* Fill the buffer completely and process it */ 842 memcpy(&context->buffer[usedspace], data, 843 (size_t)(freespace)); 844 ADDINC128(context->bitcount, freespace << 3); 845 len -= freespace; 846 data += freespace; 847 SHA512_Transform(context, 848 (uint64_t *)(void *)context->buffer); 849 } else { 850 /* The buffer is not yet full */ 851 memcpy(&context->buffer[usedspace], data, len); 852 ADDINC128(context->bitcount, len << 3); 853 /* Clean up: */ 854 usedspace = freespace = 0; 855 return 1; 856 } 857 } 858 /* 859 * Process as many complete blocks as possible. 860 * 861 * Check alignment of the data pointer. If it is 64bit aligned, 862 * SHA512_Transform can be called directly on the data stream, 863 * otherwise enforce the alignment by copy into the buffer. 864 */ 865 if ((uintptr_t)data % 8 == 0) { 866 while (len >= SHA512_BLOCK_LENGTH) { 867 SHA512_Transform(context, 868 (const uint64_t*)(const void *)data); 869 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 870 len -= SHA512_BLOCK_LENGTH; 871 data += SHA512_BLOCK_LENGTH; 872 } 873 } else { 874 while (len >= SHA512_BLOCK_LENGTH) { 875 memcpy(context->buffer, data, SHA512_BLOCK_LENGTH); 876 SHA512_Transform(context, 877 (const void *)context->buffer); 878 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 879 len -= SHA512_BLOCK_LENGTH; 880 data += SHA512_BLOCK_LENGTH; 881 } 882 } 883 if (len > 0) { 884 /* There's left-overs, so save 'em */ 885 memcpy(context->buffer, data, len); 886 ADDINC128(context->bitcount, len << 3); 887 } 888 /* Clean up: */ 889 usedspace = freespace = 0; 890 891 return 1; 892 } 893 894 static void 895 SHA512_Last(SHA512_CTX *context) 896 { 897 unsigned int usedspace; 898 899 usedspace = (unsigned int)((context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH); 900 context->bitcount[0] = htobe64(context->bitcount[0]); 901 context->bitcount[1] = htobe64(context->bitcount[1]); 902 if (usedspace > 0) { 903 /* Begin padding with a 1 bit: */ 904 context->buffer[usedspace++] = 0x80; 905 906 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 907 /* Set-up for the last transform: */ 908 memset(&context->buffer[usedspace], 0, 909 (size_t)(SHA512_SHORT_BLOCK_LENGTH - usedspace)); 910 } else { 911 if (usedspace < SHA512_BLOCK_LENGTH) { 912 memset(&context->buffer[usedspace], 0, 913 (size_t)(SHA512_BLOCK_LENGTH - usedspace)); 914 } 915 /* Do second-to-last transform: */ 916 SHA512_Transform(context, 917 (uint64_t *)(void *)context->buffer); 918 919 /* And set-up for the last transform: */ 920 memset(context->buffer, 0, 921 (size_t)(SHA512_BLOCK_LENGTH - 2)); 922 } 923 } else { 924 /* Prepare for final transform: */ 925 memset(context->buffer, 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH)); 926 927 /* Begin padding with a 1 bit: */ 928 *context->buffer = 0x80; 929 } 930 /* Store the length of input data (in bits): */ 931 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], 932 &context->bitcount[1], sizeof(context->bitcount[1])); 933 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], 934 &context->bitcount[0], sizeof(context->bitcount[0])); 935 936 /* Final transform: */ 937 SHA512_Transform(context, (uint64_t *)(void *)context->buffer); 938 } 939 940 int 941 SHA512_Final(uint8_t digest[], SHA512_CTX *context) 942 { 943 uint64_t *d = (void *)digest; 944 size_t i; 945 946 /* If no digest buffer is passed, we don't bother doing this: */ 947 if (digest != NULL) { 948 SHA512_Last(context); 949 950 /* Save the hash data for output: */ 951 for (i = 0; i < 8; ++i) 952 d[i] = htobe64(context->state[i]); 953 } 954 955 /* Zero out state data */ 956 memset(context, 0, sizeof(*context)); 957 958 return 1; 959 } 960 961 /*** SHA-384: *********************************************************/ 962 int 963 SHA384_Init(SHA384_CTX *context) 964 { 965 if (context == NULL) 966 return 1; 967 968 memcpy(context->state, sha384_initial_hash_value, 969 (size_t)(SHA512_DIGEST_LENGTH)); 970 memset(context->buffer, 0, (size_t)(SHA384_BLOCK_LENGTH)); 971 context->bitcount[0] = context->bitcount[1] = 0; 972 973 return 1; 974 } 975 976 int 977 SHA384_Update(SHA384_CTX *context, const uint8_t *data, size_t len) 978 { 979 return SHA512_Update((SHA512_CTX *)context, data, len); 980 } 981 982 void 983 SHA384_Transform(SHA512_CTX *context, const uint64_t *data) 984 { 985 SHA512_Transform((SHA512_CTX *)context, data); 986 } 987 988 int 989 SHA384_Final(uint8_t digest[], SHA384_CTX *context) 990 { 991 uint64_t *d = (void *)digest; 992 size_t i; 993 994 /* If no digest buffer is passed, we don't bother doing this: */ 995 if (digest != NULL) { 996 SHA512_Last((SHA512_CTX *)context); 997 998 /* Save the hash data for output: */ 999 for (i = 0; i < 6; ++i) 1000 d[i] = be64toh(context->state[i]); 1001 } 1002 1003 /* Zero out state data */ 1004 memset(context, 0, sizeof(*context)); 1005 1006 return 1; 1007 } 1008
Indexes created Mon Sep 29 21:09:56 GMT 2025