sha2.c revision 1.23
1 /* $NetBSD: sha2.c,v 1.23 2013/06/09 02:58:58 christos Exp $ */ 2 /* $KAME: sha2.c,v 1.9 2003/07/20 00:28:38 itojun Exp $ */ 3 4 /* 5 * sha2.c 6 * 7 * Version 1.0.0beta1 8 * 9 * Written by Aaron D. Gifford <me (at) aarongifford.com> 10 * 11 * Copyright 2000 Aaron D. Gifford. All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of the copyright holder nor the names of contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 */ 38 39 #if HAVE_NBTOOL_CONFIG_H 40 #include "nbtool_config.h" 41 #endif 42 43 #include <sys/cdefs.h> 44 45 #if defined(_KERNEL) || defined(_STANDALONE) 46 __KERNEL_RCSID(0, "$NetBSD: sha2.c,v 1.23 2013/06/09 02:58:58 christos Exp $"); 47 48 #include <sys/param.h> /* XXX: to pull <machine/macros.h> for vax memset(9) */ 49 #include <lib/libkern/libkern.h> 50 51 #else 52 53 #if defined(LIBC_SCCS) && !defined(lint) 54 __RCSID("$NetBSD: sha2.c,v 1.23 2013/06/09 02:58:58 christos Exp $"); 55 #endif /* LIBC_SCCS and not lint */ 56 57 #include "namespace.h" 58 #include <string.h> 59 60 #endif 61 62 #include <sys/types.h> 63 #include <sys/sha2.h> 64 65 #if HAVE_NBTOOL_CONFIG_H 66 # if HAVE_SYS_ENDIAN_H 67 # include <sys/endian.h> 68 # else 69 # undef be32dec 70 # undef be64dec 71 72 static __inline uint32_t __unused 73 be32dec(const void *buf) 74 { 75 const uint8_t *p = __CAST(const uint8_t *, buf); 76 77 return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); 78 } 79 80 static __inline uint64_t __unused 81 be64dec(const void *buf) 82 { 83 const uint8_t *p = (const uint8_t *)buf; 84 85 return ((__CAST(uint64_t, be32dec(p)) << 32) | be32dec(p + 4)); 86 } 87 # endif 88 #endif 89 90 /*** SHA-256/384/512 Various Length Definitions ***********************/ 91 /* NOTE: Most of these are in sha2.h */ 92 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 93 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 94 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 95 96 /* 97 * Macro for incrementally adding the unsigned 64-bit integer n to the 98 * unsigned 128-bit integer (represented using a two-element array of 99 * 64-bit words): 100 */ 101 #define ADDINC128(w,n) { \ 102 (w)[0] += (uint64_t)(n); \ 103 if ((w)[0] < (n)) { \ 104 (w)[1]++; \ 105 } \ 106 } 107 108 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 109 /* 110 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 111 * 112 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 113 * S is a ROTATION) because the SHA-256/384/512 description document 114 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 115 * same "backwards" definition. 116 */ 117 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 118 #define R(b,x) ((x) >> (b)) 119 /* 32-bit Rotate-right (used in SHA-256): */ 120 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 121 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 122 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 123 124 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 125 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 126 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 127 128 /* Four of six logical functions used in SHA-256: */ 129 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 130 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 131 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 132 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 133 134 /* Four of six logical functions used in SHA-384 and SHA-512: */ 135 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 136 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 137 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 138 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 139 140 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 141 /* NOTE: These should not be accessed directly from outside this 142 * library -- they are intended for private internal visibility/use 143 * only. 144 */ 145 static void SHA512_Last(SHA512_CTX *); 146 void SHA224_Transform(SHA224_CTX *, const uint32_t*); 147 void SHA256_Transform(SHA256_CTX *, const uint32_t*); 148 void SHA384_Transform(SHA384_CTX *, const uint64_t*); 149 void SHA512_Transform(SHA512_CTX *, const uint64_t*); 150 151 152 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 153 /* Hash constant words K for SHA-256: */ 154 static const uint32_t K256[64] = { 155 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 156 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 157 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 158 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 159 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 160 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 161 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 162 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 163 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 164 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 165 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 166 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 167 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 168 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 169 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 170 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 171 }; 172 173 /* Initial hash value H for SHA-224: */ 174 static const uint32_t sha224_initial_hash_value[8] = { 175 0xc1059ed8UL, 176 0x367cd507UL, 177 0x3070dd17UL, 178 0xf70e5939UL, 179 0xffc00b31UL, 180 0x68581511UL, 181 0x64f98fa7UL, 182 0xbefa4fa4UL 183 }; 184 185 /* Initial hash value H for SHA-256: */ 186 static const uint32_t sha256_initial_hash_value[8] = { 187 0x6a09e667UL, 188 0xbb67ae85UL, 189 0x3c6ef372UL, 190 0xa54ff53aUL, 191 0x510e527fUL, 192 0x9b05688cUL, 193 0x1f83d9abUL, 194 0x5be0cd19UL 195 }; 196 197 /* Hash constant words K for SHA-384 and SHA-512: */ 198 static const uint64_t K512[80] = { 199 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 200 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 201 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 202 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 203 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 204 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 205 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 206 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 207 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 208 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 209 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 210 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 211 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 212 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 213 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 214 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 215 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 216 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 217 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 218 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 219 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 220 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 221 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 222 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 223 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 224 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 225 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 226 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 227 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 228 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 229 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 230 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 231 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 232 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 233 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 234 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 235 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 236 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 237 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 238 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 239 }; 240 241 /* Initial hash value H for SHA-384 */ 242 static const uint64_t sha384_initial_hash_value[8] = { 243 0xcbbb9d5dc1059ed8ULL, 244 0x629a292a367cd507ULL, 245 0x9159015a3070dd17ULL, 246 0x152fecd8f70e5939ULL, 247 0x67332667ffc00b31ULL, 248 0x8eb44a8768581511ULL, 249 0xdb0c2e0d64f98fa7ULL, 250 0x47b5481dbefa4fa4ULL 251 }; 252 253 /* Initial hash value H for SHA-512 */ 254 static const uint64_t sha512_initial_hash_value[8] = { 255 0x6a09e667f3bcc908ULL, 256 0xbb67ae8584caa73bULL, 257 0x3c6ef372fe94f82bULL, 258 0xa54ff53a5f1d36f1ULL, 259 0x510e527fade682d1ULL, 260 0x9b05688c2b3e6c1fULL, 261 0x1f83d9abfb41bd6bULL, 262 0x5be0cd19137e2179ULL 263 }; 264 265 #if !defined(_KERNEL) && !defined(_STANDALONE) 266 #if defined(__weak_alias) 267 __weak_alias(SHA224_Init,_SHA224_Init) 268 __weak_alias(SHA224_Update,_SHA224_Update) 269 __weak_alias(SHA224_Final,_SHA224_Final) 270 __weak_alias(SHA224_Transform,_SHA224_Transform) 271 272 __weak_alias(SHA256_Init,_SHA256_Init) 273 __weak_alias(SHA256_Update,_SHA256_Update) 274 __weak_alias(SHA256_Final,_SHA256_Final) 275 __weak_alias(SHA256_Transform,_SHA256_Transform) 276 277 __weak_alias(SHA384_Init,_SHA384_Init) 278 __weak_alias(SHA384_Update,_SHA384_Update) 279 __weak_alias(SHA384_Final,_SHA384_Final) 280 __weak_alias(SHA384_Transform,_SHA384_Transform) 281 282 __weak_alias(SHA512_Init,_SHA512_Init) 283 __weak_alias(SHA512_Update,_SHA512_Update) 284 __weak_alias(SHA512_Final,_SHA512_Final) 285 __weak_alias(SHA512_Transform,_SHA512_Transform) 286 #endif 287 #endif 288 289 /*** SHA-256: *********************************************************/ 290 int 291 SHA256_Init(SHA256_CTX *context) 292 { 293 if (context == NULL) 294 return 1; 295 296 memcpy(context->state, sha256_initial_hash_value, 297 (size_t)(SHA256_DIGEST_LENGTH)); 298 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 299 context->bitcount = 0; 300 301 return 1; 302 } 303 304 #ifdef SHA2_UNROLL_TRANSFORM 305 306 /* Unrolled SHA-256 round macros: */ 307 308 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 309 W256[j] = be32dec(data); \ 310 ++data; \ 311 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 312 K256[j] + W256[j]; \ 313 (d) += T1; \ 314 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 315 j++ 316 317 #define ROUND256(a,b,c,d,e,f,g,h) \ 318 s0 = W256[(j+1)&0x0f]; \ 319 s0 = sigma0_256(s0); \ 320 s1 = W256[(j+14)&0x0f]; \ 321 s1 = sigma1_256(s1); \ 322 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 323 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 324 (d) += T1; \ 325 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 326 j++ 327 328 void 329 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 330 { 331 uint32_t a, b, c, d, e, f, g, h, s0, s1; 332 uint32_t T1, *W256; 333 int j; 334 335 W256 = (uint32_t *)context->buffer; 336 337 /* Initialize registers with the prev. intermediate value */ 338 a = context->state[0]; 339 b = context->state[1]; 340 c = context->state[2]; 341 d = context->state[3]; 342 e = context->state[4]; 343 f = context->state[5]; 344 g = context->state[6]; 345 h = context->state[7]; 346 347 j = 0; 348 do { 349 /* Rounds 0 to 15 (unrolled): */ 350 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 351 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 352 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 353 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 354 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 355 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 356 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 357 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 358 } while (j < 16); 359 360 /* Now for the remaining rounds to 64: */ 361 do { 362 ROUND256(a,b,c,d,e,f,g,h); 363 ROUND256(h,a,b,c,d,e,f,g); 364 ROUND256(g,h,a,b,c,d,e,f); 365 ROUND256(f,g,h,a,b,c,d,e); 366 ROUND256(e,f,g,h,a,b,c,d); 367 ROUND256(d,e,f,g,h,a,b,c); 368 ROUND256(c,d,e,f,g,h,a,b); 369 ROUND256(b,c,d,e,f,g,h,a); 370 } while (j < 64); 371 372 /* Compute the current intermediate hash value */ 373 context->state[0] += a; 374 context->state[1] += b; 375 context->state[2] += c; 376 context->state[3] += d; 377 context->state[4] += e; 378 context->state[5] += f; 379 context->state[6] += g; 380 context->state[7] += h; 381 382 /* Clean up */ 383 a = b = c = d = e = f = g = h = T1 = 0; 384 } 385 386 #else /* SHA2_UNROLL_TRANSFORM */ 387 388 void 389 SHA256_Transform(SHA256_CTX *context, const uint32_t *data) 390 { 391 uint32_t a, b, c, d, e, f, g, h, s0, s1; 392 uint32_t T1, T2, *W256; 393 int j; 394 395 W256 = (uint32_t *)(void *)context->buffer; 396 397 /* Initialize registers with the prev. intermediate value */ 398 a = context->state[0]; 399 b = context->state[1]; 400 c = context->state[2]; 401 d = context->state[3]; 402 e = context->state[4]; 403 f = context->state[5]; 404 g = context->state[6]; 405 h = context->state[7]; 406 407 j = 0; 408 do { 409 W256[j] = be32dec(data); 410 ++data; 411 /* Apply the SHA-256 compression function to update a..h */ 412 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 413 T2 = Sigma0_256(a) + Maj(a, b, c); 414 h = g; 415 g = f; 416 f = e; 417 e = d + T1; 418 d = c; 419 c = b; 420 b = a; 421 a = T1 + T2; 422 423 j++; 424 } while (j < 16); 425 426 do { 427 /* Part of the message block expansion: */ 428 s0 = W256[(j+1)&0x0f]; 429 s0 = sigma0_256(s0); 430 s1 = W256[(j+14)&0x0f]; 431 s1 = sigma1_256(s1); 432 433 /* Apply the SHA-256 compression function to update a..h */ 434 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 435 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 436 T2 = Sigma0_256(a) + Maj(a, b, c); 437 h = g; 438 g = f; 439 f = e; 440 e = d + T1; 441 d = c; 442 c = b; 443 b = a; 444 a = T1 + T2; 445 446 j++; 447 } while (j < 64); 448 449 /* Compute the current intermediate hash value */ 450 context->state[0] += a; 451 context->state[1] += b; 452 context->state[2] += c; 453 context->state[3] += d; 454 context->state[4] += e; 455 context->state[5] += f; 456 context->state[6] += g; 457 context->state[7] += h; 458 459 /* Clean up */ 460 a = b = c = d = e = f = g = h = T1 = T2 = 0; 461 } 462 463 #endif /* SHA2_UNROLL_TRANSFORM */ 464 465 int 466 SHA256_Update(SHA256_CTX *context, const uint8_t *data, size_t len) 467 { 468 unsigned int freespace, usedspace; 469 470 if (len == 0) { 471 /* Calling with no data is valid - we do nothing */ 472 return 1; 473 } 474 475 usedspace = (unsigned int)((context->bitcount >> 3) % 476 SHA256_BLOCK_LENGTH); 477 if (usedspace > 0) { 478 /* Calculate how much free space is available in the buffer */ 479 freespace = SHA256_BLOCK_LENGTH - usedspace; 480 481 if (len >= freespace) { 482 /* Fill the buffer completely and process it */ 483 memcpy(&context->buffer[usedspace], data, 484 (size_t)(freespace)); 485 context->bitcount += freespace << 3; 486 len -= freespace; 487 data += freespace; 488 SHA256_Transform(context, 489 (uint32_t *)(void *)context->buffer); 490 } else { 491 /* The buffer is not yet full */ 492 memcpy(&context->buffer[usedspace], data, len); 493 context->bitcount += len << 3; 494 /* Clean up: */ 495 usedspace = freespace = 0; 496 return 1; 497 } 498 } 499 /* 500 * Process as many complete blocks as possible. 501 * 502 * Check alignment of the data pointer. If it is 32bit aligned, 503 * SHA256_Transform can be called directly on the data stream, 504 * otherwise enforce the alignment by copy into the buffer. 505 */ 506 if ((uintptr_t)data % 4 == 0) { 507 while (len >= SHA256_BLOCK_LENGTH) { 508 SHA256_Transform(context, 509 (const uint32_t *)(const void *)data); 510 context->bitcount += SHA256_BLOCK_LENGTH << 3; 511 len -= SHA256_BLOCK_LENGTH; 512 data += SHA256_BLOCK_LENGTH; 513 } 514 } else { 515 while (len >= SHA256_BLOCK_LENGTH) { 516 memcpy(context->buffer, data, SHA256_BLOCK_LENGTH); 517 SHA256_Transform(context, 518 (const uint32_t *)(const void *)context->buffer); 519 context->bitcount += SHA256_BLOCK_LENGTH << 3; 520 len -= SHA256_BLOCK_LENGTH; 521 data += SHA256_BLOCK_LENGTH; 522 } 523 } 524 if (len > 0) { 525 /* There's left-overs, so save 'em */ 526 memcpy(context->buffer, data, len); 527 context->bitcount += len << 3; 528 } 529 /* Clean up: */ 530 usedspace = freespace = 0; 531 532 return 1; 533 } 534 535 static int 536 SHA224_256_Final(uint8_t digest[], SHA256_CTX *context, size_t len) 537 { 538 unsigned int usedspace; 539 size_t i; 540 541 /* If no digest buffer is passed, we don't bother doing this: */ 542 if (digest != NULL) { 543 usedspace = (unsigned int)((context->bitcount >> 3) % 544 SHA256_BLOCK_LENGTH); 545 context->bitcount = htobe64(context->bitcount); 546 if (usedspace > 0) { 547 /* Begin padding with a 1 bit: */ 548 context->buffer[usedspace++] = 0x80; 549 550 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 551 /* Set-up for the last transform: */ 552 memset(&context->buffer[usedspace], 0, 553 (size_t)(SHA256_SHORT_BLOCK_LENGTH - 554 usedspace)); 555 } else { 556 if (usedspace < SHA256_BLOCK_LENGTH) { 557 memset(&context->buffer[usedspace], 0, 558 (size_t)(SHA256_BLOCK_LENGTH - 559 usedspace)); 560 } 561 /* Do second-to-last transform: */ 562 SHA256_Transform(context, 563 (uint32_t *)(void *)context->buffer); 564 565 /* And set-up for the last transform: */ 566 memset(context->buffer, 0, 567 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 568 } 569 } else { 570 /* Set-up for the last transform: */ 571 memset(context->buffer, 0, 572 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 573 574 /* Begin padding with a 1 bit: */ 575 *context->buffer = 0x80; 576 } 577 /* Set the bit count: */ 578 memcpy(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], 579 &context->bitcount, sizeof(context->bitcount)); 580 581 /* Final transform: */ 582 SHA256_Transform(context, (uint32_t *)(void *)context->buffer); 583 584 for (i = 0; i < len / 4; i++) 585 be32enc(digest + 4 * i, context->state[i]); 586 } 587 588 /* Clean up state data: */ 589 memset(context, 0, sizeof(*context)); 590 usedspace = 0; 591 592 return 1; 593 } 594 595 int 596 SHA256_Final(uint8_t digest[], SHA256_CTX *context) 597 { 598 return SHA224_256_Final(digest, context, SHA256_DIGEST_LENGTH); 599 } 600 601 /*** SHA-224: *********************************************************/ 602 int 603 SHA224_Init(SHA224_CTX *context) 604 { 605 if (context == NULL) 606 return 1; 607 608 /* The state and buffer size are driven by SHA256, not by SHA224. */ 609 memcpy(context->state, sha224_initial_hash_value, 610 (size_t)(SHA256_DIGEST_LENGTH)); 611 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 612 context->bitcount = 0; 613 614 return 1; 615 } 616 617 int 618 SHA224_Update(SHA224_CTX *context, const uint8_t *data, size_t len) 619 { 620 return SHA256_Update((SHA256_CTX *)context, data, len); 621 } 622 623 void 624 SHA224_Transform(SHA224_CTX *context, const uint32_t *data) 625 { 626 SHA256_Transform((SHA256_CTX *)context, data); 627 } 628 629 int 630 SHA224_Final(uint8_t digest[], SHA224_CTX *context) 631 { 632 return SHA224_256_Final(digest, (SHA256_CTX *)context, 633 SHA224_DIGEST_LENGTH); 634 } 635 636 /*** SHA-512: *********************************************************/ 637 int 638 SHA512_Init(SHA512_CTX *context) 639 { 640 if (context == NULL) 641 return 1; 642 643 memcpy(context->state, sha512_initial_hash_value, 644 (size_t)(SHA512_DIGEST_LENGTH)); 645 memset(context->buffer, 0, (size_t)(SHA512_BLOCK_LENGTH)); 646 context->bitcount[0] = context->bitcount[1] = 0; 647 648 return 1; 649 } 650 651 #ifdef SHA2_UNROLL_TRANSFORM 652 653 /* Unrolled SHA-512 round macros: */ 654 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 655 W512[j] = be64dec(data); \ 656 ++data; \ 657 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 658 K512[j] + W512[j]; \ 659 (d) += T1, \ 660 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 661 j++ 662 663 #define ROUND512(a,b,c,d,e,f,g,h) \ 664 s0 = W512[(j+1)&0x0f]; \ 665 s0 = sigma0_512(s0); \ 666 s1 = W512[(j+14)&0x0f]; \ 667 s1 = sigma1_512(s1); \ 668 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 669 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 670 (d) += T1; \ 671 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 672 j++ 673 674 void 675 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 676 { 677 uint64_t a, b, c, d, e, f, g, h, s0, s1; 678 uint64_t T1, *W512 = (uint64_t *)context->buffer; 679 int j; 680 681 /* Initialize registers with the prev. intermediate value */ 682 a = context->state[0]; 683 b = context->state[1]; 684 c = context->state[2]; 685 d = context->state[3]; 686 e = context->state[4]; 687 f = context->state[5]; 688 g = context->state[6]; 689 h = context->state[7]; 690 691 j = 0; 692 do { 693 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 694 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 695 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 696 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 697 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 698 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 699 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 700 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 701 } while (j < 16); 702 703 /* Now for the remaining rounds up to 79: */ 704 do { 705 ROUND512(a,b,c,d,e,f,g,h); 706 ROUND512(h,a,b,c,d,e,f,g); 707 ROUND512(g,h,a,b,c,d,e,f); 708 ROUND512(f,g,h,a,b,c,d,e); 709 ROUND512(e,f,g,h,a,b,c,d); 710 ROUND512(d,e,f,g,h,a,b,c); 711 ROUND512(c,d,e,f,g,h,a,b); 712 ROUND512(b,c,d,e,f,g,h,a); 713 } while (j < 80); 714 715 /* Compute the current intermediate hash value */ 716 context->state[0] += a; 717 context->state[1] += b; 718 context->state[2] += c; 719 context->state[3] += d; 720 context->state[4] += e; 721 context->state[5] += f; 722 context->state[6] += g; 723 context->state[7] += h; 724 725 /* Clean up */ 726 a = b = c = d = e = f = g = h = T1 = 0; 727 } 728 729 #else /* SHA2_UNROLL_TRANSFORM */ 730 731 void 732 SHA512_Transform(SHA512_CTX *context, const uint64_t *data) 733 { 734 uint64_t a, b, c, d, e, f, g, h, s0, s1; 735 uint64_t T1, T2, *W512 = (void *)context->buffer; 736 int j; 737 738 /* Initialize registers with the prev. intermediate value */ 739 a = context->state[0]; 740 b = context->state[1]; 741 c = context->state[2]; 742 d = context->state[3]; 743 e = context->state[4]; 744 f = context->state[5]; 745 g = context->state[6]; 746 h = context->state[7]; 747 748 j = 0; 749 do { 750 W512[j] = be64dec(data); 751 ++data; 752 /* Apply the SHA-512 compression function to update a..h */ 753 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 754 T2 = Sigma0_512(a) + Maj(a, b, c); 755 h = g; 756 g = f; 757 f = e; 758 e = d + T1; 759 d = c; 760 c = b; 761 b = a; 762 a = T1 + T2; 763 764 j++; 765 } while (j < 16); 766 767 do { 768 /* Part of the message block expansion: */ 769 s0 = W512[(j+1)&0x0f]; 770 s0 = sigma0_512(s0); 771 s1 = W512[(j+14)&0x0f]; 772 s1 = sigma1_512(s1); 773 774 /* Apply the SHA-512 compression function to update a..h */ 775 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 776 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 777 T2 = Sigma0_512(a) + Maj(a, b, c); 778 h = g; 779 g = f; 780 f = e; 781 e = d + T1; 782 d = c; 783 c = b; 784 b = a; 785 a = T1 + T2; 786 787 j++; 788 } while (j < 80); 789 790 /* Compute the current intermediate hash value */ 791 context->state[0] += a; 792 context->state[1] += b; 793 context->state[2] += c; 794 context->state[3] += d; 795 context->state[4] += e; 796 context->state[5] += f; 797 context->state[6] += g; 798 context->state[7] += h; 799 800 /* Clean up */ 801 a = b = c = d = e = f = g = h = T1 = T2 = 0; 802 } 803 804 #endif /* SHA2_UNROLL_TRANSFORM */ 805 806 int 807 SHA512_Update(SHA512_CTX *context, const uint8_t *data, size_t len) 808 { 809 unsigned int freespace, usedspace; 810 811 if (len == 0) { 812 /* Calling with no data is valid - we do nothing */ 813 return 1; 814 } 815 816 usedspace = (unsigned int)((context->bitcount[0] >> 3) % 817 SHA512_BLOCK_LENGTH); 818 if (usedspace > 0) { 819 /* Calculate how much free space is available in the buffer */ 820 freespace = SHA512_BLOCK_LENGTH - usedspace; 821 822 if (len >= freespace) { 823 /* Fill the buffer completely and process it */ 824 memcpy(&context->buffer[usedspace], data, 825 (size_t)(freespace)); 826 ADDINC128(context->bitcount, freespace << 3); 827 len -= freespace; 828 data += freespace; 829 SHA512_Transform(context, 830 (uint64_t *)(void *)context->buffer); 831 } else { 832 /* The buffer is not yet full */ 833 memcpy(&context->buffer[usedspace], data, len); 834 ADDINC128(context->bitcount, len << 3); 835 /* Clean up: */ 836 usedspace = freespace = 0; 837 return 1; 838 } 839 } 840 /* 841 * Process as many complete blocks as possible. 842 * 843 * Check alignment of the data pointer. If it is 64bit aligned, 844 * SHA512_Transform can be called directly on the data stream, 845 * otherwise enforce the alignment by copy into the buffer. 846 */ 847 if ((uintptr_t)data % 8 == 0) { 848 while (len >= SHA512_BLOCK_LENGTH) { 849 SHA512_Transform(context, 850 (const uint64_t*)(const void *)data); 851 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 852 len -= SHA512_BLOCK_LENGTH; 853 data += SHA512_BLOCK_LENGTH; 854 } 855 } else { 856 while (len >= SHA512_BLOCK_LENGTH) { 857 memcpy(context->buffer, data, SHA512_BLOCK_LENGTH); 858 SHA512_Transform(context, 859 (const void *)context->buffer); 860 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 861 len -= SHA512_BLOCK_LENGTH; 862 data += SHA512_BLOCK_LENGTH; 863 } 864 } 865 if (len > 0) { 866 /* There's left-overs, so save 'em */ 867 memcpy(context->buffer, data, len); 868 ADDINC128(context->bitcount, len << 3); 869 } 870 /* Clean up: */ 871 usedspace = freespace = 0; 872 873 return 1; 874 } 875 876 static void 877 SHA512_Last(SHA512_CTX *context) 878 { 879 unsigned int usedspace; 880 881 usedspace = (unsigned int)((context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH); 882 context->bitcount[0] = htobe64(context->bitcount[0]); 883 context->bitcount[1] = htobe64(context->bitcount[1]); 884 if (usedspace > 0) { 885 /* Begin padding with a 1 bit: */ 886 context->buffer[usedspace++] = 0x80; 887 888 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 889 /* Set-up for the last transform: */ 890 memset(&context->buffer[usedspace], 0, 891 (size_t)(SHA512_SHORT_BLOCK_LENGTH - usedspace)); 892 } else { 893 if (usedspace < SHA512_BLOCK_LENGTH) { 894 memset(&context->buffer[usedspace], 0, 895 (size_t)(SHA512_BLOCK_LENGTH - usedspace)); 896 } 897 /* Do second-to-last transform: */ 898 SHA512_Transform(context, 899 (uint64_t *)(void *)context->buffer); 900 901 /* And set-up for the last transform: */ 902 memset(context->buffer, 0, 903 (size_t)(SHA512_BLOCK_LENGTH - 2)); 904 } 905 } else { 906 /* Prepare for final transform: */ 907 memset(context->buffer, 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH)); 908 909 /* Begin padding with a 1 bit: */ 910 *context->buffer = 0x80; 911 } 912 /* Store the length of input data (in bits): */ 913 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], 914 &context->bitcount[1], sizeof(context->bitcount[1])); 915 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], 916 &context->bitcount[0], sizeof(context->bitcount[0])); 917 918 /* Final transform: */ 919 SHA512_Transform(context, (uint64_t *)(void *)context->buffer); 920 } 921 922 int 923 SHA512_Final(uint8_t digest[], SHA512_CTX *context) 924 { 925 size_t i; 926 927 /* If no digest buffer is passed, we don't bother doing this: */ 928 if (digest != NULL) { 929 SHA512_Last(context); 930 931 /* Save the hash data for output: */ 932 for (i = 0; i < 8; ++i) 933 be64enc(digest + 8 * i, context->state[i]); 934 } 935 936 /* Zero out state data */ 937 memset(context, 0, sizeof(*context)); 938 939 return 1; 940 } 941 942 /*** SHA-384: *********************************************************/ 943 int 944 SHA384_Init(SHA384_CTX *context) 945 { 946 if (context == NULL) 947 return 1; 948 949 memcpy(context->state, sha384_initial_hash_value, 950 (size_t)(SHA512_DIGEST_LENGTH)); 951 memset(context->buffer, 0, (size_t)(SHA384_BLOCK_LENGTH)); 952 context->bitcount[0] = context->bitcount[1] = 0; 953 954 return 1; 955 } 956 957 int 958 SHA384_Update(SHA384_CTX *context, const uint8_t *data, size_t len) 959 { 960 return SHA512_Update((SHA512_CTX *)context, data, len); 961 } 962 963 void 964 SHA384_Transform(SHA512_CTX *context, const uint64_t *data) 965 { 966 SHA512_Transform((SHA512_CTX *)context, data); 967 } 968 969 int 970 SHA384_Final(uint8_t digest[], SHA384_CTX *context) 971 { 972 size_t i; 973 974 /* If no digest buffer is passed, we don't bother doing this: */ 975 if (digest != NULL) { 976 SHA512_Last((SHA512_CTX *)context); 977 978 /* Save the hash data for output: */ 979 for (i = 0; i < 6; ++i) 980 be64enc(digest + 8 * i, context->state[i]); 981 } 982 983 /* Zero out state data */ 984 memset(context, 0, sizeof(*context)); 985 986 return 1; 987 } 988
Indexes created Mon Sep 29 21:09:56 GMT 2025