1 1.2 christos /* $NetBSD: sha2.c,v 1.2 2021/08/14 16:14:53 christos Exp $ */ 2 1.1 lukem 3 1.2 christos /* $OpenLDAP$ */ 4 1.1 lukem /* 5 1.1 lukem * FILE: sha2.c 6 1.1 lukem * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/ 7 1.1 lukem * 8 1.1 lukem * Copyright (c) 2000-2001, Aaron D. Gifford 9 1.1 lukem * All rights reserved. 10 1.1 lukem * 11 1.1 lukem * Redistribution and use in source and binary forms, with or without 12 1.1 lukem * modification, are permitted provided that the following conditions 13 1.1 lukem * are met: 14 1.1 lukem * 1. Redistributions of source code must retain the above copyright 15 1.1 lukem * notice, this list of conditions and the following disclaimer. 16 1.1 lukem * 2. Redistributions in binary form must reproduce the above copyright 17 1.1 lukem * notice, this list of conditions and the following disclaimer in the 18 1.1 lukem * documentation and/or other materials provided with the distribution. 19 1.1 lukem * 3. Neither the name of the copyright holder nor the names of contributors 20 1.1 lukem * may be used to endorse or promote products derived from this software 21 1.1 lukem * without specific prior written permission. 22 1.1 lukem * 23 1.1 lukem * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND 24 1.1 lukem * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 1.1 lukem * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 1.1 lukem * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE 27 1.1 lukem * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 1.1 lukem * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 1.1 lukem * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 1.1 lukem * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 1.1 lukem * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 1.1 lukem * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 1.1 lukem * SUCH DAMAGE. 34 1.1 lukem * 35 1.2 christos * Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg 36 1.1 lukem */ 37 1.1 lukem 38 1.1 lukem #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */ 39 1.1 lukem #include <assert.h> /* assert() */ 40 1.1 lukem #include "sha2.h" 41 1.1 lukem 42 1.1 lukem /* 43 1.1 lukem * ASSERT NOTE: 44 1.1 lukem * Some sanity checking code is included using assert(). On my FreeBSD 45 1.1 lukem * system, this additional code can be removed by compiling with NDEBUG 46 1.1 lukem * defined. Check your own systems manpage on assert() to see how to 47 1.1 lukem * compile WITHOUT the sanity checking code on your system. 48 1.1 lukem * 49 1.1 lukem * UNROLLED TRANSFORM LOOP NOTE: 50 1.1 lukem * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform 51 1.1 lukem * loop version for the hash transform rounds (defined using macros 52 1.1 lukem * later in this file). Either define on the command line, for example: 53 1.1 lukem * 54 1.1 lukem * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c 55 1.1 lukem * 56 1.1 lukem * or define below: 57 1.1 lukem * 58 1.1 lukem * #define SHA2_UNROLL_TRANSFORM 59 1.1 lukem * 60 1.1 lukem */ 61 1.1 lukem 62 1.1 lukem 63 1.1 lukem /*** SHA-256/384/512 Machine Architecture Definitions *****************/ 64 1.1 lukem /* 65 1.1 lukem * BYTE_ORDER NOTE: 66 1.1 lukem * 67 1.1 lukem * Please make sure that your system defines BYTE_ORDER. If your 68 1.1 lukem * architecture is little-endian, make sure it also defines 69 1.1 lukem * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are 70 1.2 christos * equivalent. 71 1.1 lukem * 72 1.1 lukem * If your system does not define the above, then you can do so by 73 1.1 lukem * hand like this: 74 1.1 lukem * 75 1.1 lukem * #define LITTLE_ENDIAN 1234 76 1.1 lukem * #define BIG_ENDIAN 4321 77 1.1 lukem * 78 1.1 lukem * And for little-endian machines, add: 79 1.1 lukem * 80 1.1 lukem * #define BYTE_ORDER LITTLE_ENDIAN 81 1.1 lukem * 82 1.1 lukem * Or for big-endian machines: 83 1.1 lukem * 84 1.1 lukem * #define BYTE_ORDER BIG_ENDIAN 85 1.1 lukem * 86 1.1 lukem * The FreeBSD machine this was written on defines BYTE_ORDER 87 1.1 lukem * appropriately by including <sys/types.h> (which in turn includes 88 1.1 lukem * <machine/endian.h> where the appropriate definitions are actually 89 1.1 lukem * made). 90 1.1 lukem */ 91 1.1 lukem #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) 92 1.1 lukem #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN 93 1.1 lukem #endif 94 1.1 lukem 95 1.1 lukem /* 96 1.1 lukem * Define the followingsha2_* types to types of the correct length on 97 1.2 christos * the native architecture. Most BSD systems and Linux define u_intXX_t 98 1.1 lukem * types. Machines with very recent ANSI C headers, can use the 99 1.2 christos * uintXX_t definitions from inttypes.h by defining SHA2_USE_INTTYPES_H 100 1.1 lukem * during compile or in the sha.h header file. 101 1.1 lukem * 102 1.1 lukem * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t 103 1.1 lukem * will need to define these three typedefs below (and the appropriate 104 1.1 lukem * ones in sha.h too) by hand according to their system architecture. 105 1.1 lukem * 106 1.1 lukem * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t 107 1.1 lukem * types and pointing out recent ANSI C support for uintXX_t in inttypes.h. 108 1.1 lukem */ 109 1.1 lukem #ifdef SHA2_USE_INTTYPES_H 110 1.1 lukem 111 1.1 lukem typedef uint8_t sha2_byte; /* Exactly 1 byte */ 112 1.1 lukem typedef uint32_t sha2_word32; /* Exactly 4 bytes */ 113 1.1 lukem typedef uint64_t sha2_word64; /* Exactly 8 bytes */ 114 1.1 lukem 115 1.1 lukem #else /* SHA2_USE_INTTYPES_H */ 116 1.1 lukem 117 1.1 lukem typedef u_int8_t sha2_byte; /* Exactly 1 byte */ 118 1.1 lukem typedef u_int32_t sha2_word32; /* Exactly 4 bytes */ 119 1.1 lukem typedef u_int64_t sha2_word64; /* Exactly 8 bytes */ 120 1.1 lukem 121 1.1 lukem #endif /* SHA2_USE_INTTYPES_H */ 122 1.1 lukem 123 1.1 lukem 124 1.1 lukem /*** SHA-256/384/512 Various Length Definitions ***********************/ 125 1.1 lukem /* NOTE: Most of these are in sha2.h */ 126 1.1 lukem #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 127 1.1 lukem #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 128 1.1 lukem #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 129 1.1 lukem 130 1.1 lukem 131 1.1 lukem /*** ENDIAN REVERSAL MACROS *******************************************/ 132 1.1 lukem #if BYTE_ORDER == LITTLE_ENDIAN 133 1.1 lukem #define REVERSE32(w,x) { \ 134 1.1 lukem sha2_word32 tmp = (w); \ 135 1.1 lukem tmp = (tmp >> 16) | (tmp << 16); \ 136 1.1 lukem (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \ 137 1.1 lukem } 138 1.1 lukem #define REVERSE64(w,x) { \ 139 1.1 lukem sha2_word64 tmp = (w); \ 140 1.1 lukem tmp = (tmp >> 32) | (tmp << 32); \ 141 1.1 lukem tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \ 142 1.1 lukem ((tmp & 0x00ff00ff00ff00ffULL) << 8); \ 143 1.1 lukem (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \ 144 1.1 lukem ((tmp & 0x0000ffff0000ffffULL) << 16); \ 145 1.1 lukem } 146 1.1 lukem #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 147 1.1 lukem 148 1.1 lukem /* 149 1.1 lukem * Macro for incrementally adding the unsigned 64-bit integer n to the 150 1.1 lukem * unsigned 128-bit integer (represented using a two-element array of 151 1.1 lukem * 64-bit words): 152 1.1 lukem */ 153 1.1 lukem #define ADDINC128(w,n) { \ 154 1.1 lukem (w)[0] += (sha2_word64)(n); \ 155 1.1 lukem if ((w)[0] < (n)) { \ 156 1.1 lukem (w)[1]++; \ 157 1.1 lukem } \ 158 1.1 lukem } 159 1.1 lukem 160 1.1 lukem /* 161 1.1 lukem * Macros for copying blocks of memory and for zeroing out ranges 162 1.1 lukem * of memory. Using these macros makes it easy to switch from 163 1.1 lukem * using memset()/memcpy() and using bzero()/bcopy(). 164 1.1 lukem * 165 1.1 lukem * Please define either SHA2_USE_MEMSET_MEMCPY or define 166 1.1 lukem * SHA2_USE_BZERO_BCOPY depending on which function set you 167 1.1 lukem * choose to use: 168 1.1 lukem */ 169 1.1 lukem #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY) 170 1.1 lukem /* Default to memset()/memcpy() if no option is specified */ 171 1.1 lukem #define SHA2_USE_MEMSET_MEMCPY 1 172 1.1 lukem #endif 173 1.1 lukem #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY) 174 1.1 lukem /* Abort with an error if BOTH options are defined */ 175 1.1 lukem #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both! 176 1.1 lukem #endif 177 1.1 lukem 178 1.1 lukem #ifdef SHA2_USE_MEMSET_MEMCPY 179 1.1 lukem #define MEMSET_BZERO(p,l) memset((p), 0, (l)) 180 1.1 lukem #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l)) 181 1.1 lukem #endif 182 1.1 lukem #ifdef SHA2_USE_BZERO_BCOPY 183 1.1 lukem #define MEMSET_BZERO(p,l) bzero((p), (l)) 184 1.1 lukem #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l)) 185 1.1 lukem #endif 186 1.1 lukem 187 1.1 lukem 188 1.1 lukem /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 189 1.1 lukem /* 190 1.1 lukem * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 191 1.1 lukem * 192 1.1 lukem * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 193 1.1 lukem * S is a ROTATION) because the SHA-256/384/512 description document 194 1.1 lukem * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 195 1.1 lukem * same "backwards" definition. 196 1.1 lukem */ 197 1.1 lukem /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 198 1.1 lukem #define R(b,x) ((x) >> (b)) 199 1.1 lukem /* 32-bit Rotate-right (used in SHA-256): */ 200 1.1 lukem #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 201 1.1 lukem /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 202 1.1 lukem #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 203 1.1 lukem 204 1.1 lukem /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 205 1.1 lukem #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 206 1.1 lukem #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 207 1.1 lukem 208 1.1 lukem /* Four of six logical functions used in SHA-256: */ 209 1.1 lukem #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 210 1.1 lukem #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 211 1.1 lukem #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 212 1.1 lukem #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 213 1.1 lukem 214 1.1 lukem /* Four of six logical functions used in SHA-384 and SHA-512: */ 215 1.1 lukem #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 216 1.1 lukem #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 217 1.1 lukem #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 218 1.1 lukem #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 219 1.1 lukem 220 1.1 lukem /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 221 1.1 lukem /* NOTE: These should not be accessed directly from outside this 222 1.1 lukem * library -- they are intended for private internal visibility/use 223 1.1 lukem * only. 224 1.1 lukem */ 225 1.2 christos static void SHA512_Last(SHA512_CTX*); 226 1.2 christos static void SHA256_Transform(SHA256_CTX*, const sha2_word32*); 227 1.2 christos static void SHA512_Transform(SHA512_CTX*, const sha2_word64*); 228 1.1 lukem 229 1.1 lukem 230 1.1 lukem /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 231 1.1 lukem /* Hash constant words K for SHA-256: */ 232 1.1 lukem const static sha2_word32 K256[64] = { 233 1.1 lukem 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 234 1.1 lukem 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 235 1.1 lukem 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 236 1.1 lukem 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 237 1.1 lukem 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 238 1.1 lukem 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 239 1.1 lukem 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 240 1.1 lukem 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 241 1.1 lukem 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 242 1.1 lukem 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 243 1.1 lukem 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 244 1.1 lukem 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 245 1.1 lukem 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 246 1.1 lukem 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 247 1.1 lukem 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 248 1.1 lukem 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 249 1.1 lukem }; 250 1.1 lukem 251 1.1 lukem /* Initial hash value H for SHA-256: */ 252 1.1 lukem const static sha2_word32 sha256_initial_hash_value[8] = { 253 1.1 lukem 0x6a09e667UL, 254 1.1 lukem 0xbb67ae85UL, 255 1.1 lukem 0x3c6ef372UL, 256 1.1 lukem 0xa54ff53aUL, 257 1.1 lukem 0x510e527fUL, 258 1.1 lukem 0x9b05688cUL, 259 1.1 lukem 0x1f83d9abUL, 260 1.1 lukem 0x5be0cd19UL 261 1.1 lukem }; 262 1.1 lukem 263 1.1 lukem /* Hash constant words K for SHA-384 and SHA-512: */ 264 1.1 lukem const static sha2_word64 K512[80] = { 265 1.1 lukem 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 266 1.1 lukem 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 267 1.1 lukem 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 268 1.1 lukem 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 269 1.1 lukem 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 270 1.1 lukem 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 271 1.1 lukem 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 272 1.1 lukem 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 273 1.1 lukem 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 274 1.1 lukem 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 275 1.1 lukem 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 276 1.1 lukem 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 277 1.1 lukem 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 278 1.1 lukem 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 279 1.1 lukem 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 280 1.1 lukem 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 281 1.1 lukem 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 282 1.1 lukem 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 283 1.1 lukem 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 284 1.1 lukem 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 285 1.1 lukem 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 286 1.1 lukem 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 287 1.1 lukem 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 288 1.1 lukem 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 289 1.1 lukem 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 290 1.1 lukem 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 291 1.1 lukem 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 292 1.1 lukem 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 293 1.1 lukem 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 294 1.1 lukem 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 295 1.1 lukem 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 296 1.1 lukem 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 297 1.1 lukem 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 298 1.1 lukem 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 299 1.1 lukem 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 300 1.1 lukem 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 301 1.1 lukem 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 302 1.1 lukem 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 303 1.1 lukem 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 304 1.1 lukem 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 305 1.1 lukem }; 306 1.1 lukem 307 1.1 lukem /* Initial hash value H for SHA-384 */ 308 1.1 lukem const static sha2_word64 sha384_initial_hash_value[8] = { 309 1.1 lukem 0xcbbb9d5dc1059ed8ULL, 310 1.1 lukem 0x629a292a367cd507ULL, 311 1.1 lukem 0x9159015a3070dd17ULL, 312 1.1 lukem 0x152fecd8f70e5939ULL, 313 1.1 lukem 0x67332667ffc00b31ULL, 314 1.1 lukem 0x8eb44a8768581511ULL, 315 1.1 lukem 0xdb0c2e0d64f98fa7ULL, 316 1.1 lukem 0x47b5481dbefa4fa4ULL 317 1.1 lukem }; 318 1.1 lukem 319 1.1 lukem /* Initial hash value H for SHA-512 */ 320 1.1 lukem const static sha2_word64 sha512_initial_hash_value[8] = { 321 1.1 lukem 0x6a09e667f3bcc908ULL, 322 1.1 lukem 0xbb67ae8584caa73bULL, 323 1.1 lukem 0x3c6ef372fe94f82bULL, 324 1.1 lukem 0xa54ff53a5f1d36f1ULL, 325 1.1 lukem 0x510e527fade682d1ULL, 326 1.1 lukem 0x9b05688c2b3e6c1fULL, 327 1.1 lukem 0x1f83d9abfb41bd6bULL, 328 1.1 lukem 0x5be0cd19137e2179ULL 329 1.1 lukem }; 330 1.1 lukem 331 1.1 lukem /* 332 1.1 lukem * Constant used by SHA256/384/512_End() functions for converting the 333 1.1 lukem * digest to a readable hexadecimal character string: 334 1.1 lukem */ 335 1.1 lukem static const char *sha2_hex_digits = "0123456789abcdef"; 336 1.1 lukem 337 1.1 lukem 338 1.1 lukem /*** SHA-256: *********************************************************/ 339 1.1 lukem void SHA256_Init(SHA256_CTX* context) { 340 1.1 lukem if (context == (SHA256_CTX*)0) { 341 1.1 lukem return; 342 1.1 lukem } 343 1.1 lukem MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH); 344 1.1 lukem MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH); 345 1.1 lukem context->bitcount = 0; 346 1.1 lukem } 347 1.1 lukem 348 1.1 lukem #ifdef SHA2_UNROLL_TRANSFORM 349 1.1 lukem 350 1.1 lukem /* Unrolled SHA-256 round macros: */ 351 1.1 lukem 352 1.1 lukem #if BYTE_ORDER == LITTLE_ENDIAN 353 1.1 lukem 354 1.1 lukem #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 355 1.1 lukem REVERSE32(*data++, W256[j]); \ 356 1.1 lukem T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 357 1.1 lukem K256[j] + W256[j]; \ 358 1.1 lukem (d) += T1; \ 359 1.1 lukem (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 360 1.1 lukem j++ 361 1.1 lukem 362 1.1 lukem 363 1.1 lukem #else /* BYTE_ORDER == LITTLE_ENDIAN */ 364 1.1 lukem 365 1.1 lukem #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 366 1.1 lukem T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 367 1.1 lukem K256[j] + (W256[j] = *data++); \ 368 1.1 lukem (d) += T1; \ 369 1.1 lukem (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 370 1.1 lukem j++ 371 1.1 lukem 372 1.1 lukem #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 373 1.1 lukem 374 1.1 lukem #define ROUND256(a,b,c,d,e,f,g,h) \ 375 1.1 lukem s0 = W256[(j+1)&0x0f]; \ 376 1.1 lukem s0 = sigma0_256(s0); \ 377 1.1 lukem s1 = W256[(j+14)&0x0f]; \ 378 1.1 lukem s1 = sigma1_256(s1); \ 379 1.1 lukem T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 380 1.1 lukem (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 381 1.1 lukem (d) += T1; \ 382 1.1 lukem (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 383 1.1 lukem j++ 384 1.1 lukem 385 1.1 lukem void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { 386 1.1 lukem sha2_word32 a, b, c, d, e, f, g, h, s0, s1; 387 1.1 lukem sha2_word32 T1, *W256; 388 1.1 lukem int j; 389 1.1 lukem 390 1.1 lukem W256 = (sha2_word32*)context->buffer; 391 1.1 lukem 392 1.1 lukem /* Initialize registers with the prev. intermediate value */ 393 1.1 lukem a = context->state[0]; 394 1.1 lukem b = context->state[1]; 395 1.1 lukem c = context->state[2]; 396 1.1 lukem d = context->state[3]; 397 1.1 lukem e = context->state[4]; 398 1.1 lukem f = context->state[5]; 399 1.1 lukem g = context->state[6]; 400 1.1 lukem h = context->state[7]; 401 1.1 lukem 402 1.1 lukem j = 0; 403 1.1 lukem do { 404 1.1 lukem /* Rounds 0 to 15 (unrolled): */ 405 1.1 lukem ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 406 1.1 lukem ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 407 1.1 lukem ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 408 1.1 lukem ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 409 1.1 lukem ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 410 1.1 lukem ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 411 1.1 lukem ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 412 1.1 lukem ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 413 1.1 lukem } while (j < 16); 414 1.1 lukem 415 1.1 lukem /* Now for the remaining rounds to 64: */ 416 1.1 lukem do { 417 1.1 lukem ROUND256(a,b,c,d,e,f,g,h); 418 1.1 lukem ROUND256(h,a,b,c,d,e,f,g); 419 1.1 lukem ROUND256(g,h,a,b,c,d,e,f); 420 1.1 lukem ROUND256(f,g,h,a,b,c,d,e); 421 1.1 lukem ROUND256(e,f,g,h,a,b,c,d); 422 1.1 lukem ROUND256(d,e,f,g,h,a,b,c); 423 1.1 lukem ROUND256(c,d,e,f,g,h,a,b); 424 1.1 lukem ROUND256(b,c,d,e,f,g,h,a); 425 1.1 lukem } while (j < 64); 426 1.1 lukem 427 1.1 lukem /* Compute the current intermediate hash value */ 428 1.1 lukem context->state[0] += a; 429 1.1 lukem context->state[1] += b; 430 1.1 lukem context->state[2] += c; 431 1.1 lukem context->state[3] += d; 432 1.1 lukem context->state[4] += e; 433 1.1 lukem context->state[5] += f; 434 1.1 lukem context->state[6] += g; 435 1.1 lukem context->state[7] += h; 436 1.1 lukem 437 1.1 lukem /* Clean up */ 438 1.1 lukem a = b = c = d = e = f = g = h = T1 = 0; 439 1.1 lukem } 440 1.1 lukem 441 1.1 lukem #else /* SHA2_UNROLL_TRANSFORM */ 442 1.1 lukem 443 1.1 lukem void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { 444 1.1 lukem sha2_word32 a, b, c, d, e, f, g, h, s0, s1; 445 1.1 lukem sha2_word32 T1, T2, *W256; 446 1.1 lukem int j; 447 1.1 lukem 448 1.1 lukem W256 = (sha2_word32*)context->buffer; 449 1.1 lukem 450 1.1 lukem /* Initialize registers with the prev. intermediate value */ 451 1.1 lukem a = context->state[0]; 452 1.1 lukem b = context->state[1]; 453 1.1 lukem c = context->state[2]; 454 1.1 lukem d = context->state[3]; 455 1.1 lukem e = context->state[4]; 456 1.1 lukem f = context->state[5]; 457 1.1 lukem g = context->state[6]; 458 1.1 lukem h = context->state[7]; 459 1.1 lukem 460 1.1 lukem j = 0; 461 1.1 lukem do { 462 1.1 lukem #if BYTE_ORDER == LITTLE_ENDIAN 463 1.1 lukem /* Copy data while converting to host byte order */ 464 1.1 lukem REVERSE32(*data++,W256[j]); 465 1.1 lukem /* Apply the SHA-256 compression function to update a..h */ 466 1.1 lukem T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 467 1.1 lukem #else /* BYTE_ORDER == LITTLE_ENDIAN */ 468 1.1 lukem /* Apply the SHA-256 compression function to update a..h with copy */ 469 1.1 lukem T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++); 470 1.1 lukem #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 471 1.1 lukem T2 = Sigma0_256(a) + Maj(a, b, c); 472 1.1 lukem h = g; 473 1.1 lukem g = f; 474 1.1 lukem f = e; 475 1.1 lukem e = d + T1; 476 1.1 lukem d = c; 477 1.1 lukem c = b; 478 1.1 lukem b = a; 479 1.1 lukem a = T1 + T2; 480 1.1 lukem 481 1.1 lukem j++; 482 1.1 lukem } while (j < 16); 483 1.1 lukem 484 1.1 lukem do { 485 1.1 lukem /* Part of the message block expansion: */ 486 1.1 lukem s0 = W256[(j+1)&0x0f]; 487 1.1 lukem s0 = sigma0_256(s0); 488 1.1 lukem s1 = W256[(j+14)&0x0f]; 489 1.1 lukem s1 = sigma1_256(s1); 490 1.1 lukem 491 1.1 lukem /* Apply the SHA-256 compression function to update a..h */ 492 1.1 lukem T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 493 1.1 lukem (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 494 1.1 lukem T2 = Sigma0_256(a) + Maj(a, b, c); 495 1.1 lukem h = g; 496 1.1 lukem g = f; 497 1.1 lukem f = e; 498 1.1 lukem e = d + T1; 499 1.1 lukem d = c; 500 1.1 lukem c = b; 501 1.1 lukem b = a; 502 1.1 lukem a = T1 + T2; 503 1.1 lukem 504 1.1 lukem j++; 505 1.1 lukem } while (j < 64); 506 1.1 lukem 507 1.1 lukem /* Compute the current intermediate hash value */ 508 1.1 lukem context->state[0] += a; 509 1.1 lukem context->state[1] += b; 510 1.1 lukem context->state[2] += c; 511 1.1 lukem context->state[3] += d; 512 1.1 lukem context->state[4] += e; 513 1.1 lukem context->state[5] += f; 514 1.1 lukem context->state[6] += g; 515 1.1 lukem context->state[7] += h; 516 1.1 lukem 517 1.1 lukem /* Clean up */ 518 1.1 lukem a = b = c = d = e = f = g = h = T1 = T2 = 0; 519 1.1 lukem } 520 1.1 lukem 521 1.1 lukem #endif /* SHA2_UNROLL_TRANSFORM */ 522 1.1 lukem 523 1.1 lukem void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) { 524 1.1 lukem unsigned int freespace, usedspace; 525 1.1 lukem 526 1.1 lukem if (len == 0) { 527 1.1 lukem /* Calling with no data is valid - we do nothing */ 528 1.1 lukem return; 529 1.1 lukem } 530 1.1 lukem 531 1.1 lukem /* Sanity check: */ 532 1.1 lukem assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0); 533 1.1 lukem 534 1.1 lukem usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; 535 1.1 lukem if (usedspace > 0) { 536 1.1 lukem /* Calculate how much free space is available in the buffer */ 537 1.1 lukem freespace = SHA256_BLOCK_LENGTH - usedspace; 538 1.1 lukem 539 1.1 lukem if (len >= freespace) { 540 1.1 lukem /* Fill the buffer completely and process it */ 541 1.1 lukem MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace); 542 1.1 lukem context->bitcount += freespace << 3; 543 1.1 lukem len -= freespace; 544 1.1 lukem data += freespace; 545 1.1 lukem SHA256_Transform(context, (sha2_word32*)context->buffer); 546 1.1 lukem } else { 547 1.1 lukem /* The buffer is not yet full */ 548 1.1 lukem MEMCPY_BCOPY(&context->buffer[usedspace], data, len); 549 1.1 lukem context->bitcount += len << 3; 550 1.1 lukem /* Clean up: */ 551 1.1 lukem usedspace = freespace = 0; 552 1.1 lukem return; 553 1.1 lukem } 554 1.1 lukem } 555 1.1 lukem while (len >= SHA256_BLOCK_LENGTH) { 556 1.1 lukem /* Process as many complete blocks as we can */ 557 1.1 lukem SHA256_Transform(context, (sha2_word32*)data); 558 1.1 lukem context->bitcount += SHA256_BLOCK_LENGTH << 3; 559 1.1 lukem len -= SHA256_BLOCK_LENGTH; 560 1.1 lukem data += SHA256_BLOCK_LENGTH; 561 1.1 lukem } 562 1.1 lukem if (len > 0) { 563 1.1 lukem /* There's left-overs, so save 'em */ 564 1.1 lukem MEMCPY_BCOPY(context->buffer, data, len); 565 1.1 lukem context->bitcount += len << 3; 566 1.1 lukem } 567 1.1 lukem /* Clean up: */ 568 1.1 lukem usedspace = freespace = 0; 569 1.1 lukem } 570 1.1 lukem 571 1.1 lukem void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) { 572 1.1 lukem sha2_word32 *d = (sha2_word32*)digest; 573 1.2 christos sha2_word64 *p; 574 1.1 lukem unsigned int usedspace; 575 1.1 lukem 576 1.1 lukem /* Sanity check: */ 577 1.1 lukem assert(context != (SHA256_CTX*)0); 578 1.1 lukem 579 1.1 lukem /* If no digest buffer is passed, we don't bother doing this: */ 580 1.1 lukem if (digest != (sha2_byte*)0) { 581 1.1 lukem usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; 582 1.1 lukem #if BYTE_ORDER == LITTLE_ENDIAN 583 1.1 lukem /* Convert FROM host byte order */ 584 1.1 lukem REVERSE64(context->bitcount,context->bitcount); 585 1.1 lukem #endif 586 1.1 lukem if (usedspace > 0) { 587 1.1 lukem /* Begin padding with a 1 bit: */ 588 1.1 lukem context->buffer[usedspace++] = 0x80; 589 1.1 lukem 590 1.1 lukem if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 591 1.1 lukem /* Set-up for the last transform: */ 592 1.1 lukem MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace); 593 1.1 lukem } else { 594 1.1 lukem if (usedspace < SHA256_BLOCK_LENGTH) { 595 1.1 lukem MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace); 596 1.1 lukem } 597 1.1 lukem /* Do second-to-last transform: */ 598 1.1 lukem SHA256_Transform(context, (sha2_word32*)context->buffer); 599 1.1 lukem 600 1.1 lukem /* And set-up for the last transform: */ 601 1.1 lukem MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH); 602 1.1 lukem } 603 1.1 lukem } else { 604 1.1 lukem /* Set-up for the last transform: */ 605 1.1 lukem MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH); 606 1.1 lukem 607 1.1 lukem /* Begin padding with a 1 bit: */ 608 1.1 lukem *context->buffer = 0x80; 609 1.1 lukem } 610 1.1 lukem /* Set the bit count: */ 611 1.2 christos p = (sha2_word64 *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH]; 612 1.2 christos *p = context->bitcount; 613 1.1 lukem 614 1.1 lukem /* Final transform: */ 615 1.1 lukem SHA256_Transform(context, (sha2_word32*)context->buffer); 616 1.1 lukem 617 1.1 lukem #if BYTE_ORDER == LITTLE_ENDIAN 618 1.1 lukem { 619 1.1 lukem /* Convert TO host byte order */ 620 1.1 lukem int j; 621 1.1 lukem for (j = 0; j < 8; j++) { 622 1.1 lukem REVERSE32(context->state[j],context->state[j]); 623 1.1 lukem *d++ = context->state[j]; 624 1.1 lukem } 625 1.1 lukem } 626 1.1 lukem #else 627 1.1 lukem MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH); 628 1.1 lukem #endif 629 1.1 lukem } 630 1.1 lukem 631 1.1 lukem /* Clean up state data: */ 632 1.2 christos MEMSET_BZERO(context, sizeof(*context)); 633 1.1 lukem usedspace = 0; 634 1.1 lukem } 635 1.1 lukem 636 1.1 lukem char *SHA256_End(SHA256_CTX* context, char buffer[]) { 637 1.1 lukem sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest; 638 1.1 lukem int i; 639 1.1 lukem 640 1.1 lukem /* Sanity check: */ 641 1.1 lukem assert(context != (SHA256_CTX*)0); 642 1.1 lukem 643 1.1 lukem if (buffer != (char*)0) { 644 1.1 lukem SHA256_Final(digest, context); 645 1.1 lukem 646 1.1 lukem for (i = 0; i < SHA256_DIGEST_LENGTH; i++) { 647 1.1 lukem *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 648 1.1 lukem *buffer++ = sha2_hex_digits[*d & 0x0f]; 649 1.1 lukem d++; 650 1.1 lukem } 651 1.1 lukem *buffer = (char)0; 652 1.1 lukem } else { 653 1.2 christos MEMSET_BZERO(context, sizeof(*context)); 654 1.1 lukem } 655 1.1 lukem MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH); 656 1.1 lukem return buffer; 657 1.1 lukem } 658 1.1 lukem 659 1.1 lukem char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) { 660 1.1 lukem SHA256_CTX context; 661 1.1 lukem 662 1.1 lukem SHA256_Init(&context); 663 1.1 lukem SHA256_Update(&context, data, len); 664 1.1 lukem return SHA256_End(&context, digest); 665 1.1 lukem } 666 1.1 lukem 667 1.1 lukem 668 1.1 lukem /*** SHA-512: *********************************************************/ 669 1.1 lukem void SHA512_Init(SHA512_CTX* context) { 670 1.1 lukem if (context == (SHA512_CTX*)0) { 671 1.1 lukem return; 672 1.1 lukem } 673 1.1 lukem MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH); 674 1.1 lukem MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH); 675 1.1 lukem context->bitcount[0] = context->bitcount[1] = 0; 676 1.1 lukem } 677 1.1 lukem 678 1.1 lukem #ifdef SHA2_UNROLL_TRANSFORM 679 1.1 lukem 680 1.1 lukem /* Unrolled SHA-512 round macros: */ 681 1.1 lukem #if BYTE_ORDER == LITTLE_ENDIAN 682 1.1 lukem 683 1.1 lukem #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 684 1.1 lukem REVERSE64(*data++, W512[j]); \ 685 1.1 lukem T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 686 1.1 lukem K512[j] + W512[j]; \ 687 1.1 lukem (d) += T1, \ 688 1.1 lukem (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 689 1.1 lukem j++ 690 1.1 lukem 691 1.1 lukem 692 1.1 lukem #else /* BYTE_ORDER == LITTLE_ENDIAN */ 693 1.1 lukem 694 1.1 lukem #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 695 1.1 lukem T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 696 1.1 lukem K512[j] + (W512[j] = *data++); \ 697 1.1 lukem (d) += T1; \ 698 1.1 lukem (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 699 1.1 lukem j++ 700 1.1 lukem 701 1.1 lukem #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 702 1.1 lukem 703 1.1 lukem #define ROUND512(a,b,c,d,e,f,g,h) \ 704 1.1 lukem s0 = W512[(j+1)&0x0f]; \ 705 1.1 lukem s0 = sigma0_512(s0); \ 706 1.1 lukem s1 = W512[(j+14)&0x0f]; \ 707 1.1 lukem s1 = sigma1_512(s1); \ 708 1.1 lukem T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 709 1.1 lukem (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 710 1.1 lukem (d) += T1; \ 711 1.1 lukem (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 712 1.1 lukem j++ 713 1.1 lukem 714 1.1 lukem void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { 715 1.1 lukem sha2_word64 a, b, c, d, e, f, g, h, s0, s1; 716 1.1 lukem sha2_word64 T1, *W512 = (sha2_word64*)context->buffer; 717 1.1 lukem int j; 718 1.1 lukem 719 1.1 lukem /* Initialize registers with the prev. intermediate value */ 720 1.1 lukem a = context->state[0]; 721 1.1 lukem b = context->state[1]; 722 1.1 lukem c = context->state[2]; 723 1.1 lukem d = context->state[3]; 724 1.1 lukem e = context->state[4]; 725 1.1 lukem f = context->state[5]; 726 1.1 lukem g = context->state[6]; 727 1.1 lukem h = context->state[7]; 728 1.1 lukem 729 1.1 lukem j = 0; 730 1.1 lukem do { 731 1.1 lukem ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 732 1.1 lukem ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 733 1.1 lukem ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 734 1.1 lukem ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 735 1.1 lukem ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 736 1.1 lukem ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 737 1.1 lukem ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 738 1.1 lukem ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 739 1.1 lukem } while (j < 16); 740 1.1 lukem 741 1.1 lukem /* Now for the remaining rounds up to 79: */ 742 1.1 lukem do { 743 1.1 lukem ROUND512(a,b,c,d,e,f,g,h); 744 1.1 lukem ROUND512(h,a,b,c,d,e,f,g); 745 1.1 lukem ROUND512(g,h,a,b,c,d,e,f); 746 1.1 lukem ROUND512(f,g,h,a,b,c,d,e); 747 1.1 lukem ROUND512(e,f,g,h,a,b,c,d); 748 1.1 lukem ROUND512(d,e,f,g,h,a,b,c); 749 1.1 lukem ROUND512(c,d,e,f,g,h,a,b); 750 1.1 lukem ROUND512(b,c,d,e,f,g,h,a); 751 1.1 lukem } while (j < 80); 752 1.1 lukem 753 1.1 lukem /* Compute the current intermediate hash value */ 754 1.1 lukem context->state[0] += a; 755 1.1 lukem context->state[1] += b; 756 1.1 lukem context->state[2] += c; 757 1.1 lukem context->state[3] += d; 758 1.1 lukem context->state[4] += e; 759 1.1 lukem context->state[5] += f; 760 1.1 lukem context->state[6] += g; 761 1.1 lukem context->state[7] += h; 762 1.1 lukem 763 1.1 lukem /* Clean up */ 764 1.1 lukem a = b = c = d = e = f = g = h = T1 = 0; 765 1.1 lukem } 766 1.1 lukem 767 1.1 lukem #else /* SHA2_UNROLL_TRANSFORM */ 768 1.1 lukem 769 1.1 lukem void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { 770 1.1 lukem sha2_word64 a, b, c, d, e, f, g, h, s0, s1; 771 1.1 lukem sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer; 772 1.1 lukem int j; 773 1.1 lukem 774 1.1 lukem /* Initialize registers with the prev. intermediate value */ 775 1.1 lukem a = context->state[0]; 776 1.1 lukem b = context->state[1]; 777 1.1 lukem c = context->state[2]; 778 1.1 lukem d = context->state[3]; 779 1.1 lukem e = context->state[4]; 780 1.1 lukem f = context->state[5]; 781 1.1 lukem g = context->state[6]; 782 1.1 lukem h = context->state[7]; 783 1.1 lukem 784 1.1 lukem j = 0; 785 1.1 lukem do { 786 1.1 lukem #if BYTE_ORDER == LITTLE_ENDIAN 787 1.1 lukem /* Convert TO host byte order */ 788 1.1 lukem REVERSE64(*data++, W512[j]); 789 1.1 lukem /* Apply the SHA-512 compression function to update a..h */ 790 1.1 lukem T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 791 1.1 lukem #else /* BYTE_ORDER == LITTLE_ENDIAN */ 792 1.1 lukem /* Apply the SHA-512 compression function to update a..h with copy */ 793 1.1 lukem T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++); 794 1.1 lukem #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 795 1.1 lukem T2 = Sigma0_512(a) + Maj(a, b, c); 796 1.1 lukem h = g; 797 1.1 lukem g = f; 798 1.1 lukem f = e; 799 1.1 lukem e = d + T1; 800 1.1 lukem d = c; 801 1.1 lukem c = b; 802 1.1 lukem b = a; 803 1.1 lukem a = T1 + T2; 804 1.1 lukem 805 1.1 lukem j++; 806 1.1 lukem } while (j < 16); 807 1.1 lukem 808 1.1 lukem do { 809 1.1 lukem /* Part of the message block expansion: */ 810 1.1 lukem s0 = W512[(j+1)&0x0f]; 811 1.1 lukem s0 = sigma0_512(s0); 812 1.1 lukem s1 = W512[(j+14)&0x0f]; 813 1.1 lukem s1 = sigma1_512(s1); 814 1.1 lukem 815 1.1 lukem /* Apply the SHA-512 compression function to update a..h */ 816 1.1 lukem T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 817 1.1 lukem (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 818 1.1 lukem T2 = Sigma0_512(a) + Maj(a, b, c); 819 1.1 lukem h = g; 820 1.1 lukem g = f; 821 1.1 lukem f = e; 822 1.1 lukem e = d + T1; 823 1.1 lukem d = c; 824 1.1 lukem c = b; 825 1.1 lukem b = a; 826 1.1 lukem a = T1 + T2; 827 1.1 lukem 828 1.1 lukem j++; 829 1.1 lukem } while (j < 80); 830 1.1 lukem 831 1.1 lukem /* Compute the current intermediate hash value */ 832 1.1 lukem context->state[0] += a; 833 1.1 lukem context->state[1] += b; 834 1.1 lukem context->state[2] += c; 835 1.1 lukem context->state[3] += d; 836 1.1 lukem context->state[4] += e; 837 1.1 lukem context->state[5] += f; 838 1.1 lukem context->state[6] += g; 839 1.1 lukem context->state[7] += h; 840 1.1 lukem 841 1.1 lukem /* Clean up */ 842 1.1 lukem a = b = c = d = e = f = g = h = T1 = T2 = 0; 843 1.1 lukem } 844 1.1 lukem 845 1.1 lukem #endif /* SHA2_UNROLL_TRANSFORM */ 846 1.1 lukem 847 1.1 lukem void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) { 848 1.1 lukem unsigned int freespace, usedspace; 849 1.1 lukem 850 1.1 lukem if (len == 0) { 851 1.1 lukem /* Calling with no data is valid - we do nothing */ 852 1.1 lukem return; 853 1.1 lukem } 854 1.1 lukem 855 1.1 lukem /* Sanity check: */ 856 1.1 lukem assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0); 857 1.1 lukem 858 1.1 lukem usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 859 1.1 lukem if (usedspace > 0) { 860 1.1 lukem /* Calculate how much free space is available in the buffer */ 861 1.1 lukem freespace = SHA512_BLOCK_LENGTH - usedspace; 862 1.1 lukem 863 1.1 lukem if (len >= freespace) { 864 1.1 lukem /* Fill the buffer completely and process it */ 865 1.1 lukem MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace); 866 1.1 lukem ADDINC128(context->bitcount, freespace << 3); 867 1.1 lukem len -= freespace; 868 1.1 lukem data += freespace; 869 1.1 lukem SHA512_Transform(context, (sha2_word64*)context->buffer); 870 1.1 lukem } else { 871 1.1 lukem /* The buffer is not yet full */ 872 1.1 lukem MEMCPY_BCOPY(&context->buffer[usedspace], data, len); 873 1.1 lukem ADDINC128(context->bitcount, len << 3); 874 1.1 lukem /* Clean up: */ 875 1.1 lukem usedspace = freespace = 0; 876 1.1 lukem return; 877 1.1 lukem } 878 1.1 lukem } 879 1.1 lukem while (len >= SHA512_BLOCK_LENGTH) { 880 1.1 lukem /* Process as many complete blocks as we can */ 881 1.1 lukem SHA512_Transform(context, (sha2_word64*)data); 882 1.1 lukem ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 883 1.1 lukem len -= SHA512_BLOCK_LENGTH; 884 1.1 lukem data += SHA512_BLOCK_LENGTH; 885 1.1 lukem } 886 1.1 lukem if (len > 0) { 887 1.1 lukem /* There's left-overs, so save 'em */ 888 1.1 lukem MEMCPY_BCOPY(context->buffer, data, len); 889 1.1 lukem ADDINC128(context->bitcount, len << 3); 890 1.1 lukem } 891 1.1 lukem /* Clean up: */ 892 1.1 lukem usedspace = freespace = 0; 893 1.1 lukem } 894 1.1 lukem 895 1.1 lukem void SHA512_Last(SHA512_CTX* context) { 896 1.2 christos sha2_word64 *p; 897 1.1 lukem unsigned int usedspace; 898 1.1 lukem 899 1.1 lukem usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 900 1.1 lukem #if BYTE_ORDER == LITTLE_ENDIAN 901 1.1 lukem /* Convert FROM host byte order */ 902 1.1 lukem REVERSE64(context->bitcount[0],context->bitcount[0]); 903 1.1 lukem REVERSE64(context->bitcount[1],context->bitcount[1]); 904 1.1 lukem #endif 905 1.1 lukem if (usedspace > 0) { 906 1.1 lukem /* Begin padding with a 1 bit: */ 907 1.1 lukem context->buffer[usedspace++] = 0x80; 908 1.1 lukem 909 1.1 lukem if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 910 1.1 lukem /* Set-up for the last transform: */ 911 1.1 lukem MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace); 912 1.1 lukem } else { 913 1.1 lukem if (usedspace < SHA512_BLOCK_LENGTH) { 914 1.1 lukem MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace); 915 1.1 lukem } 916 1.1 lukem /* Do second-to-last transform: */ 917 1.1 lukem SHA512_Transform(context, (sha2_word64*)context->buffer); 918 1.1 lukem 919 1.1 lukem /* And set-up for the last transform: */ 920 1.1 lukem MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2); 921 1.1 lukem } 922 1.1 lukem } else { 923 1.1 lukem /* Prepare for final transform: */ 924 1.1 lukem MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH); 925 1.1 lukem 926 1.1 lukem /* Begin padding with a 1 bit: */ 927 1.1 lukem *context->buffer = 0x80; 928 1.1 lukem } 929 1.1 lukem /* Store the length of input data (in bits): */ 930 1.2 christos p = (sha2_word64 *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH]; 931 1.2 christos p[0] = context->bitcount[1]; 932 1.2 christos p[1] = context->bitcount[0]; 933 1.1 lukem 934 1.1 lukem /* Final transform: */ 935 1.1 lukem SHA512_Transform(context, (sha2_word64*)context->buffer); 936 1.1 lukem } 937 1.1 lukem 938 1.1 lukem void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) { 939 1.1 lukem sha2_word64 *d = (sha2_word64*)digest; 940 1.1 lukem 941 1.1 lukem /* Sanity check: */ 942 1.1 lukem assert(context != (SHA512_CTX*)0); 943 1.1 lukem 944 1.1 lukem /* If no digest buffer is passed, we don't bother doing this: */ 945 1.1 lukem if (digest != (sha2_byte*)0) { 946 1.1 lukem SHA512_Last(context); 947 1.1 lukem 948 1.1 lukem /* Save the hash data for output: */ 949 1.1 lukem #if BYTE_ORDER == LITTLE_ENDIAN 950 1.1 lukem { 951 1.1 lukem /* Convert TO host byte order */ 952 1.1 lukem int j; 953 1.1 lukem for (j = 0; j < 8; j++) { 954 1.1 lukem REVERSE64(context->state[j],context->state[j]); 955 1.1 lukem *d++ = context->state[j]; 956 1.1 lukem } 957 1.1 lukem } 958 1.1 lukem #else 959 1.1 lukem MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH); 960 1.1 lukem #endif 961 1.1 lukem } 962 1.1 lukem 963 1.1 lukem /* Zero out state data */ 964 1.2 christos MEMSET_BZERO(context, sizeof(*context)); 965 1.1 lukem } 966 1.1 lukem 967 1.1 lukem char *SHA512_End(SHA512_CTX* context, char buffer[]) { 968 1.1 lukem sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest; 969 1.1 lukem int i; 970 1.1 lukem 971 1.1 lukem /* Sanity check: */ 972 1.1 lukem assert(context != (SHA512_CTX*)0); 973 1.1 lukem 974 1.1 lukem if (buffer != (char*)0) { 975 1.1 lukem SHA512_Final(digest, context); 976 1.1 lukem 977 1.1 lukem for (i = 0; i < SHA512_DIGEST_LENGTH; i++) { 978 1.1 lukem *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 979 1.1 lukem *buffer++ = sha2_hex_digits[*d & 0x0f]; 980 1.1 lukem d++; 981 1.1 lukem } 982 1.1 lukem *buffer = (char)0; 983 1.1 lukem } else { 984 1.2 christos MEMSET_BZERO(context, sizeof(*context)); 985 1.1 lukem } 986 1.1 lukem MEMSET_BZERO(digest, SHA512_DIGEST_LENGTH); 987 1.1 lukem return buffer; 988 1.1 lukem } 989 1.1 lukem 990 1.1 lukem char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) { 991 1.1 lukem SHA512_CTX context; 992 1.1 lukem 993 1.1 lukem SHA512_Init(&context); 994 1.1 lukem SHA512_Update(&context, data, len); 995 1.1 lukem return SHA512_End(&context, digest); 996 1.1 lukem } 997 1.1 lukem 998 1.1 lukem 999 1.1 lukem /*** SHA-384: *********************************************************/ 1000 1.1 lukem void SHA384_Init(SHA384_CTX* context) { 1001 1.1 lukem if (context == (SHA384_CTX*)0) { 1002 1.1 lukem return; 1003 1.1 lukem } 1004 1.1 lukem MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH); 1005 1.1 lukem MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH); 1006 1.1 lukem context->bitcount[0] = context->bitcount[1] = 0; 1007 1.1 lukem } 1008 1.1 lukem 1009 1.1 lukem void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) { 1010 1.1 lukem SHA512_Update((SHA512_CTX*)context, data, len); 1011 1.1 lukem } 1012 1.1 lukem 1013 1.1 lukem void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) { 1014 1.1 lukem sha2_word64 *d = (sha2_word64*)digest; 1015 1.1 lukem 1016 1.1 lukem /* Sanity check: */ 1017 1.1 lukem assert(context != (SHA384_CTX*)0); 1018 1.1 lukem 1019 1.1 lukem /* If no digest buffer is passed, we don't bother doing this: */ 1020 1.1 lukem if (digest != (sha2_byte*)0) { 1021 1.1 lukem SHA512_Last((SHA512_CTX*)context); 1022 1.1 lukem 1023 1.1 lukem /* Save the hash data for output: */ 1024 1.1 lukem #if BYTE_ORDER == LITTLE_ENDIAN 1025 1.1 lukem { 1026 1.1 lukem /* Convert TO host byte order */ 1027 1.1 lukem int j; 1028 1.1 lukem for (j = 0; j < 6; j++) { 1029 1.1 lukem REVERSE64(context->state[j],context->state[j]); 1030 1.1 lukem *d++ = context->state[j]; 1031 1.1 lukem } 1032 1.1 lukem } 1033 1.1 lukem #else 1034 1.1 lukem MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH); 1035 1.1 lukem #endif 1036 1.1 lukem } 1037 1.1 lukem 1038 1.1 lukem /* Zero out state data */ 1039 1.2 christos MEMSET_BZERO(context, sizeof(*context)); 1040 1.1 lukem } 1041 1.1 lukem 1042 1.1 lukem char *SHA384_End(SHA384_CTX* context, char buffer[]) { 1043 1.1 lukem sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest; 1044 1.1 lukem int i; 1045 1.1 lukem 1046 1.1 lukem /* Sanity check: */ 1047 1.1 lukem assert(context != (SHA384_CTX*)0); 1048 1.1 lukem 1049 1.1 lukem if (buffer != (char*)0) { 1050 1.1 lukem SHA384_Final(digest, context); 1051 1.1 lukem 1052 1.1 lukem for (i = 0; i < SHA384_DIGEST_LENGTH; i++) { 1053 1.1 lukem *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 1054 1.1 lukem *buffer++ = sha2_hex_digits[*d & 0x0f]; 1055 1.1 lukem d++; 1056 1.1 lukem } 1057 1.1 lukem *buffer = (char)0; 1058 1.1 lukem } else { 1059 1.2 christos MEMSET_BZERO(context, sizeof(*context)); 1060 1.1 lukem } 1061 1.1 lukem MEMSET_BZERO(digest, SHA384_DIGEST_LENGTH); 1062 1.1 lukem return buffer; 1063 1.1 lukem } 1064 1.1 lukem 1065 1.1 lukem char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) { 1066 1.1 lukem SHA384_CTX context; 1067 1.1 lukem 1068 1.1 lukem SHA384_Init(&context); 1069 1.1 lukem SHA384_Update(&context, data, len); 1070 1.1 lukem return SHA384_End(&context, digest); 1071 1.1 lukem } 1072 1.1 lukem 1073
Indexes created Tue May 05 00:25:04 UTC 2026