1 /* $NetBSD: sha2.c,v 1.2 2016/06/14 20:47:08 agc Exp $ */ 2 /* $KAME: sha2.c,v 1.9 2003/07/20 00:28:38 itojun Exp $ */ 3 4 /* 5 * sha2.c 6 * 7 * Version 1.0.0beta1 8 * 9 * Written by Aaron D. Gifford <me@aarongifford.com> 10 * 11 * Copyright 2000 Aaron D. Gifford. All rights reserved. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. Neither the name of the copyright holder nor the names of contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 */ 38 39 #include <sys/types.h> 40 41 #include <inttypes.h> 42 #include <string.h> 43 44 #include "sha2.h" 45 46 # undef htobe32 47 # undef htobe64 48 # undef be32toh 49 # undef be64toh 50 51 #define __CAST(__dt, __st) ((__dt)(__st)) /* srsly? */ 52 53 static __inline void 54 be32encode(void *buf, uint32_t u) 55 { 56 uint8_t *p = __CAST(uint8_t *, buf); 57 58 p[0] = __CAST(uint8_t, ((u >> 24) & 0xff)); 59 p[1] = __CAST(uint8_t, ((u >> 16) & 0xff)); 60 p[2] = __CAST(uint8_t, ((u >> 8) & 0xff)); 61 p[3] = __CAST(uint8_t, (u & 0xff)); 62 } 63 64 static __inline void 65 be64encode(void *buf, uint64_t u) 66 { 67 uint8_t *p = __CAST(uint8_t *, buf); 68 69 be32encode(p, __CAST(uint32_t, (u >> 32))); 70 be32encode(p + 4, __CAST(uint32_t, (u & 0xffffffffULL))); 71 } 72 73 static uint32_t 74 htobe32(uint32_t x) 75 { 76 uint8_t p[4]; 77 memcpy(p, &x, 4); 78 79 return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); 80 } 81 82 static uint64_t 83 htobe64(uint64_t x) 84 { 85 uint8_t p[8]; 86 uint32_t u, v; 87 memcpy(p, &x, 8); 88 89 u = ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]); 90 v = ((p[4] << 24) | (p[5] << 16) | (p[6] << 8) | p[7]); 91 92 return ((((uint64_t)u) << 32) | v); 93 } 94 95 static uint32_t 96 be32toh(uint32_t x) 97 { 98 return htobe32(x); 99 } 100 101 static uint64_t 102 be64toh(uint64_t x) 103 { 104 return htobe64(x); 105 } 106 107 /*** SHA-256/384/512 Various Length Definitions ***********************/ 108 /* NOTE: Most of these are in sha2.h */ 109 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 110 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 111 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 112 113 /* 114 * Macro for incrementally adding the unsigned 64-bit integer n to the 115 * unsigned 128-bit integer (represented using a two-element array of 116 * 64-bit words): 117 */ 118 #define ADDINC128(w,n) { \ 119 (w)[0] += (uint64_t)(n); \ 120 if ((w)[0] < (n)) { \ 121 (w)[1]++; \ 122 } \ 123 } 124 125 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 126 /* 127 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 128 * 129 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 130 * S is a ROTATION) because the SHA-256/384/512 description document 131 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 132 * same "backwards" definition. 133 */ 134 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 135 #define R(b,x) ((x) >> (b)) 136 /* 32-bit Rotate-right (used in SHA-256): */ 137 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 138 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 139 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 140 141 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 142 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 143 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 144 145 /* Four of six logical functions used in SHA-256: */ 146 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 147 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 148 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 149 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 150 151 /* Four of six logical functions used in SHA-384 and SHA-512: */ 152 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 153 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 154 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 155 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 156 157 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 158 /* NOTE: These should not be accessed directly from outside this 159 * library -- they are intended for private internal visibility/use 160 * only. 161 */ 162 static void netpgpv_SHA512_Last(NETPGPV_SHA512_CTX *); 163 void netpgpv_SHA224_Transform(NETPGPV_SHA224_CTX *, const uint32_t*); 164 void netpgpv_SHA256_Transform(NETPGPV_SHA256_CTX *, const uint32_t*); 165 void netpgpv_SHA384_Transform(NETPGPV_SHA384_CTX *, const uint64_t*); 166 void netpgpv_SHA512_Transform(NETPGPV_SHA512_CTX *, const uint64_t*); 167 168 169 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 170 /* Hash constant words K for SHA-256: */ 171 static const uint32_t K256[64] = { 172 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 173 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 174 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 175 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 176 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 177 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 178 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 179 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 180 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 181 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 182 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 183 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 184 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 185 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 186 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 187 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 188 }; 189 190 /* Initial hash value H for SHA-224: */ 191 static const uint32_t sha224_initial_hash_value[8] = { 192 0xc1059ed8UL, 193 0x367cd507UL, 194 0x3070dd17UL, 195 0xf70e5939UL, 196 0xffc00b31UL, 197 0x68581511UL, 198 0x64f98fa7UL, 199 0xbefa4fa4UL 200 }; 201 202 /* Initial hash value H for SHA-256: */ 203 static const uint32_t sha256_initial_hash_value[8] = { 204 0x6a09e667UL, 205 0xbb67ae85UL, 206 0x3c6ef372UL, 207 0xa54ff53aUL, 208 0x510e527fUL, 209 0x9b05688cUL, 210 0x1f83d9abUL, 211 0x5be0cd19UL 212 }; 213 214 /* Hash constant words K for SHA-384 and SHA-512: */ 215 static const uint64_t K512[80] = { 216 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 217 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 218 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 219 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 220 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 221 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 222 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 223 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 224 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 225 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 226 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 227 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 228 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 229 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 230 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 231 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 232 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 233 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 234 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 235 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 236 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 237 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 238 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 239 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 240 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 241 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 242 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 243 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 244 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 245 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 246 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 247 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 248 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 249 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 250 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 251 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 252 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 253 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 254 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 255 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 256 }; 257 258 /* Initial hash value H for SHA-384 */ 259 static const uint64_t sha384_initial_hash_value[8] = { 260 0xcbbb9d5dc1059ed8ULL, 261 0x629a292a367cd507ULL, 262 0x9159015a3070dd17ULL, 263 0x152fecd8f70e5939ULL, 264 0x67332667ffc00b31ULL, 265 0x8eb44a8768581511ULL, 266 0xdb0c2e0d64f98fa7ULL, 267 0x47b5481dbefa4fa4ULL 268 }; 269 270 /* Initial hash value H for SHA-512 */ 271 static const uint64_t sha512_initial_hash_value[8] = { 272 0x6a09e667f3bcc908ULL, 273 0xbb67ae8584caa73bULL, 274 0x3c6ef372fe94f82bULL, 275 0xa54ff53a5f1d36f1ULL, 276 0x510e527fade682d1ULL, 277 0x9b05688c2b3e6c1fULL, 278 0x1f83d9abfb41bd6bULL, 279 0x5be0cd19137e2179ULL 280 }; 281 282 /*** SHA-256: *********************************************************/ 283 int 284 netpgpv_SHA256_Init(NETPGPV_SHA256_CTX *context) 285 { 286 if (context == NULL) 287 return 1; 288 289 memcpy(context->state, sha256_initial_hash_value, 290 (size_t)(SHA256_DIGEST_LENGTH)); 291 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 292 context->bitcount = 0; 293 294 return 1; 295 } 296 297 #ifdef SHA2_UNROLL_TRANSFORM 298 299 /* Unrolled SHA-256 round macros: */ 300 301 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 302 W256[j] = be32toh(*data); \ 303 ++data; \ 304 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 305 K256[j] + W256[j]; \ 306 (d) += T1; \ 307 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 308 j++ 309 310 #define ROUND256(a,b,c,d,e,f,g,h) \ 311 s0 = W256[(j+1)&0x0f]; \ 312 s0 = sigma0_256(s0); \ 313 s1 = W256[(j+14)&0x0f]; \ 314 s1 = sigma1_256(s1); \ 315 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 316 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 317 (d) += T1; \ 318 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 319 j++ 320 321 void 322 netpgpv_SHA256_Transform(NETPGPV_SHA256_CTX *context, const uint32_t *data) 323 { 324 uint32_t a, b, c, d, e, f, g, h, s0, s1; 325 uint32_t T1, *W256; 326 int j; 327 328 W256 = (uint32_t *)context->buffer; 329 330 /* Initialize registers with the prev. intermediate value */ 331 a = context->state[0]; 332 b = context->state[1]; 333 c = context->state[2]; 334 d = context->state[3]; 335 e = context->state[4]; 336 f = context->state[5]; 337 g = context->state[6]; 338 h = context->state[7]; 339 340 j = 0; 341 do { 342 /* Rounds 0 to 15 (unrolled): */ 343 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 344 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 345 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 346 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 347 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 348 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 349 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 350 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 351 } while (j < 16); 352 353 /* Now for the remaining rounds to 64: */ 354 do { 355 ROUND256(a,b,c,d,e,f,g,h); 356 ROUND256(h,a,b,c,d,e,f,g); 357 ROUND256(g,h,a,b,c,d,e,f); 358 ROUND256(f,g,h,a,b,c,d,e); 359 ROUND256(e,f,g,h,a,b,c,d); 360 ROUND256(d,e,f,g,h,a,b,c); 361 ROUND256(c,d,e,f,g,h,a,b); 362 ROUND256(b,c,d,e,f,g,h,a); 363 } while (j < 64); 364 365 /* Compute the current intermediate hash value */ 366 context->state[0] += a; 367 context->state[1] += b; 368 context->state[2] += c; 369 context->state[3] += d; 370 context->state[4] += e; 371 context->state[5] += f; 372 context->state[6] += g; 373 context->state[7] += h; 374 375 /* Clean up */ 376 a = b = c = d = e = f = g = h = T1 = 0; 377 } 378 379 #else /* SHA2_UNROLL_TRANSFORM */ 380 381 void 382 netpgpv_SHA256_Transform(NETPGPV_SHA256_CTX *context, const uint32_t *data) 383 { 384 uint32_t a, b, c, d, e, f, g, h, s0, s1; 385 uint32_t T1, T2, *W256; 386 int j; 387 388 W256 = (uint32_t *)(void *)context->buffer; 389 390 /* Initialize registers with the prev. intermediate value */ 391 a = context->state[0]; 392 b = context->state[1]; 393 c = context->state[2]; 394 d = context->state[3]; 395 e = context->state[4]; 396 f = context->state[5]; 397 g = context->state[6]; 398 h = context->state[7]; 399 400 j = 0; 401 do { 402 W256[j] = be32toh(*data); 403 ++data; 404 /* Apply the SHA-256 compression function to update a..h */ 405 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 406 T2 = Sigma0_256(a) + Maj(a, b, c); 407 h = g; 408 g = f; 409 f = e; 410 e = d + T1; 411 d = c; 412 c = b; 413 b = a; 414 a = T1 + T2; 415 416 j++; 417 } while (j < 16); 418 419 do { 420 /* Part of the message block expansion: */ 421 s0 = W256[(j+1)&0x0f]; 422 s0 = sigma0_256(s0); 423 s1 = W256[(j+14)&0x0f]; 424 s1 = sigma1_256(s1); 425 426 /* Apply the SHA-256 compression function to update a..h */ 427 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 428 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 429 T2 = Sigma0_256(a) + Maj(a, b, c); 430 h = g; 431 g = f; 432 f = e; 433 e = d + T1; 434 d = c; 435 c = b; 436 b = a; 437 a = T1 + T2; 438 439 j++; 440 } while (j < 64); 441 442 /* Compute the current intermediate hash value */ 443 context->state[0] += a; 444 context->state[1] += b; 445 context->state[2] += c; 446 context->state[3] += d; 447 context->state[4] += e; 448 context->state[5] += f; 449 context->state[6] += g; 450 context->state[7] += h; 451 452 /* Clean up */ 453 a = b = c = d = e = f = g = h = T1 = T2 = 0; 454 } 455 456 #endif /* SHA2_UNROLL_TRANSFORM */ 457 458 int 459 netpgpv_SHA256_Update(NETPGPV_SHA256_CTX *context, const uint8_t *data, size_t len) 460 { 461 unsigned int freespace, usedspace; 462 463 if (len == 0) { 464 /* Calling with no data is valid - we do nothing */ 465 return 1; 466 } 467 468 usedspace = (unsigned int)((context->bitcount >> 3) % 469 SHA256_BLOCK_LENGTH); 470 if (usedspace > 0) { 471 /* Calculate how much free space is available in the buffer */ 472 freespace = SHA256_BLOCK_LENGTH - usedspace; 473 474 if (len >= freespace) { 475 /* Fill the buffer completely and process it */ 476 memcpy(&context->buffer[usedspace], data, 477 (size_t)(freespace)); 478 context->bitcount += freespace << 3; 479 len -= freespace; 480 data += freespace; 481 netpgpv_SHA256_Transform(context, 482 (uint32_t *)(void *)context->buffer); 483 } else { 484 /* The buffer is not yet full */ 485 memcpy(&context->buffer[usedspace], data, len); 486 context->bitcount += len << 3; 487 /* Clean up: */ 488 usedspace = freespace = 0; 489 return 1; 490 } 491 } 492 /* 493 * Process as many complete blocks as possible. 494 * 495 * Check alignment of the data pointer. If it is 32bit aligned, 496 * SHA256_Transform can be called directly on the data stream, 497 * otherwise enforce the alignment by copy into the buffer. 498 */ 499 if ((uintptr_t)data % 4 == 0) { 500 while (len >= SHA256_BLOCK_LENGTH) { 501 netpgpv_SHA256_Transform(context, 502 (const uint32_t *)(const void *)data); 503 context->bitcount += SHA256_BLOCK_LENGTH << 3; 504 len -= SHA256_BLOCK_LENGTH; 505 data += SHA256_BLOCK_LENGTH; 506 } 507 } else { 508 while (len >= SHA256_BLOCK_LENGTH) { 509 memcpy(context->buffer, data, SHA256_BLOCK_LENGTH); 510 netpgpv_SHA256_Transform(context, 511 (const uint32_t *)(const void *)context->buffer); 512 context->bitcount += SHA256_BLOCK_LENGTH << 3; 513 len -= SHA256_BLOCK_LENGTH; 514 data += SHA256_BLOCK_LENGTH; 515 } 516 } 517 if (len > 0) { 518 /* There's left-overs, so save 'em */ 519 memcpy(context->buffer, data, len); 520 context->bitcount += len << 3; 521 } 522 /* Clean up: */ 523 usedspace = freespace = 0; 524 525 return 1; 526 } 527 528 static int 529 netpgpv_SHA224_256_Final(uint8_t digest[], NETPGPV_SHA256_CTX *context, size_t len) 530 { 531 unsigned int usedspace; 532 size_t i; 533 534 /* If no digest buffer is passed, we don't bother doing this: */ 535 if (digest != NULL) { 536 usedspace = (unsigned int)((context->bitcount >> 3) % 537 SHA256_BLOCK_LENGTH); 538 context->bitcount = htobe64(context->bitcount); 539 if (usedspace > 0) { 540 /* Begin padding with a 1 bit: */ 541 context->buffer[usedspace++] = 0x80; 542 543 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 544 /* Set-up for the last transform: */ 545 memset(&context->buffer[usedspace], 0, 546 (size_t)(SHA256_SHORT_BLOCK_LENGTH - 547 usedspace)); 548 } else { 549 if (usedspace < SHA256_BLOCK_LENGTH) { 550 memset(&context->buffer[usedspace], 0, 551 (size_t)(SHA256_BLOCK_LENGTH - 552 usedspace)); 553 } 554 /* Do second-to-last transform: */ 555 netpgpv_SHA256_Transform(context, 556 (uint32_t *)(void *)context->buffer); 557 558 /* And set-up for the last transform: */ 559 memset(context->buffer, 0, 560 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 561 } 562 } else { 563 /* Set-up for the last transform: */ 564 memset(context->buffer, 0, 565 (size_t)(SHA256_SHORT_BLOCK_LENGTH)); 566 567 /* Begin padding with a 1 bit: */ 568 *context->buffer = 0x80; 569 } 570 /* Set the bit count: */ 571 memcpy(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], 572 &context->bitcount, sizeof(context->bitcount)); 573 574 /* Final transform: */ 575 netpgpv_SHA256_Transform(context, (uint32_t *)(void *)context->buffer); 576 577 for (i = 0; i < len / 4; i++) 578 be32encode(digest + 4 * i, context->state[i]); 579 } 580 581 /* Clean up state data: */ 582 memset(context, 0, sizeof(*context)); 583 usedspace = 0; 584 585 return 1; 586 } 587 588 int 589 netpgpv_SHA256_Final(uint8_t digest[], NETPGPV_SHA256_CTX *context) 590 { 591 return netpgpv_SHA224_256_Final(digest, context, SHA256_DIGEST_LENGTH); 592 } 593 594 /*** SHA-224: *********************************************************/ 595 int 596 netpgpv_SHA224_Init(NETPGPV_SHA224_CTX *context) 597 { 598 if (context == NULL) 599 return 1; 600 601 /* The state and buffer size are driven by SHA256, not by SHA224. */ 602 memcpy(context->state, sha224_initial_hash_value, 603 (size_t)(SHA256_DIGEST_LENGTH)); 604 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH)); 605 context->bitcount = 0; 606 607 return 1; 608 } 609 610 int 611 netpgpv_SHA224_Update(NETPGPV_SHA224_CTX *context, const uint8_t *data, size_t len) 612 { 613 return netpgpv_SHA256_Update((NETPGPV_SHA256_CTX *)context, data, len); 614 } 615 616 void 617 netpgpv_SHA224_Transform(NETPGPV_SHA224_CTX *context, const uint32_t *data) 618 { 619 netpgpv_SHA256_Transform((NETPGPV_SHA256_CTX *)context, data); 620 } 621 622 int 623 netpgpv_SHA224_Final(uint8_t digest[], NETPGPV_SHA224_CTX *context) 624 { 625 return netpgpv_SHA224_256_Final(digest, (NETPGPV_SHA256_CTX *)context, 626 SHA224_DIGEST_LENGTH); 627 } 628 629 /*** SHA-512: *********************************************************/ 630 int 631 netpgpv_SHA512_Init(NETPGPV_SHA512_CTX *context) 632 { 633 if (context == NULL) 634 return 1; 635 636 memcpy(context->state, sha512_initial_hash_value, 637 (size_t)(SHA512_DIGEST_LENGTH)); 638 memset(context->buffer, 0, (size_t)(SHA512_BLOCK_LENGTH)); 639 context->bitcount[0] = context->bitcount[1] = 0; 640 641 return 1; 642 } 643 644 #ifdef SHA2_UNROLL_TRANSFORM 645 646 /* Unrolled SHA-512 round macros: */ 647 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 648 W512[j] = be64toh(*data); \ 649 ++data; \ 650 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 651 K512[j] + W512[j]; \ 652 (d) += T1, \ 653 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 654 j++ 655 656 #define ROUND512(a,b,c,d,e,f,g,h) \ 657 s0 = W512[(j+1)&0x0f]; \ 658 s0 = sigma0_512(s0); \ 659 s1 = W512[(j+14)&0x0f]; \ 660 s1 = sigma1_512(s1); \ 661 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 662 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 663 (d) += T1; \ 664 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 665 j++ 666 667 void 668 netpgpv_SHA512_Transform(NETPGPV_SHA512_CTX *context, const uint64_t *data) 669 { 670 uint64_t a, b, c, d, e, f, g, h, s0, s1; 671 uint64_t T1, *W512 = (uint64_t *)context->buffer; 672 int j; 673 674 /* Initialize registers with the prev. intermediate value */ 675 a = context->state[0]; 676 b = context->state[1]; 677 c = context->state[2]; 678 d = context->state[3]; 679 e = context->state[4]; 680 f = context->state[5]; 681 g = context->state[6]; 682 h = context->state[7]; 683 684 j = 0; 685 do { 686 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 687 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 688 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 689 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 690 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 691 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 692 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 693 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 694 } while (j < 16); 695 696 /* Now for the remaining rounds up to 79: */ 697 do { 698 ROUND512(a,b,c,d,e,f,g,h); 699 ROUND512(h,a,b,c,d,e,f,g); 700 ROUND512(g,h,a,b,c,d,e,f); 701 ROUND512(f,g,h,a,b,c,d,e); 702 ROUND512(e,f,g,h,a,b,c,d); 703 ROUND512(d,e,f,g,h,a,b,c); 704 ROUND512(c,d,e,f,g,h,a,b); 705 ROUND512(b,c,d,e,f,g,h,a); 706 } while (j < 80); 707 708 /* Compute the current intermediate hash value */ 709 context->state[0] += a; 710 context->state[1] += b; 711 context->state[2] += c; 712 context->state[3] += d; 713 context->state[4] += e; 714 context->state[5] += f; 715 context->state[6] += g; 716 context->state[7] += h; 717 718 /* Clean up */ 719 a = b = c = d = e = f = g = h = T1 = 0; 720 } 721 722 #else /* SHA2_UNROLL_TRANSFORM */ 723 724 void 725 netpgpv_SHA512_Transform(NETPGPV_SHA512_CTX *context, const uint64_t *data) 726 { 727 uint64_t a, b, c, d, e, f, g, h, s0, s1; 728 uint64_t T1, T2, *W512 = (void *)context->buffer; 729 int j; 730 731 /* Initialize registers with the prev. intermediate value */ 732 a = context->state[0]; 733 b = context->state[1]; 734 c = context->state[2]; 735 d = context->state[3]; 736 e = context->state[4]; 737 f = context->state[5]; 738 g = context->state[6]; 739 h = context->state[7]; 740 741 j = 0; 742 do { 743 W512[j] = be64toh(*data); 744 ++data; 745 /* Apply the SHA-512 compression function to update a..h */ 746 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 747 T2 = Sigma0_512(a) + Maj(a, b, c); 748 h = g; 749 g = f; 750 f = e; 751 e = d + T1; 752 d = c; 753 c = b; 754 b = a; 755 a = T1 + T2; 756 757 j++; 758 } while (j < 16); 759 760 do { 761 /* Part of the message block expansion: */ 762 s0 = W512[(j+1)&0x0f]; 763 s0 = sigma0_512(s0); 764 s1 = W512[(j+14)&0x0f]; 765 s1 = sigma1_512(s1); 766 767 /* Apply the SHA-512 compression function to update a..h */ 768 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 769 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 770 T2 = Sigma0_512(a) + Maj(a, b, c); 771 h = g; 772 g = f; 773 f = e; 774 e = d + T1; 775 d = c; 776 c = b; 777 b = a; 778 a = T1 + T2; 779 780 j++; 781 } while (j < 80); 782 783 /* Compute the current intermediate hash value */ 784 context->state[0] += a; 785 context->state[1] += b; 786 context->state[2] += c; 787 context->state[3] += d; 788 context->state[4] += e; 789 context->state[5] += f; 790 context->state[6] += g; 791 context->state[7] += h; 792 793 /* Clean up */ 794 a = b = c = d = e = f = g = h = T1 = T2 = 0; 795 } 796 797 #endif /* SHA2_UNROLL_TRANSFORM */ 798 799 int 800 netpgpv_SHA512_Update(NETPGPV_SHA512_CTX *context, const uint8_t *data, size_t len) 801 { 802 unsigned int freespace, usedspace; 803 804 if (len == 0) { 805 /* Calling with no data is valid - we do nothing */ 806 return 1; 807 } 808 809 usedspace = (unsigned int)((context->bitcount[0] >> 3) % 810 SHA512_BLOCK_LENGTH); 811 if (usedspace > 0) { 812 /* Calculate how much free space is available in the buffer */ 813 freespace = SHA512_BLOCK_LENGTH - usedspace; 814 815 if (len >= freespace) { 816 /* Fill the buffer completely and process it */ 817 memcpy(&context->buffer[usedspace], data, 818 (size_t)(freespace)); 819 ADDINC128(context->bitcount, freespace << 3); 820 len -= freespace; 821 data += freespace; 822 netpgpv_SHA512_Transform(context, 823 (uint64_t *)(void *)context->buffer); 824 } else { 825 /* The buffer is not yet full */ 826 memcpy(&context->buffer[usedspace], data, len); 827 ADDINC128(context->bitcount, len << 3); 828 /* Clean up: */ 829 usedspace = freespace = 0; 830 return 1; 831 } 832 } 833 /* 834 * Process as many complete blocks as possible. 835 * 836 * Check alignment of the data pointer. If it is 64bit aligned, 837 * SHA512_Transform can be called directly on the data stream, 838 * otherwise enforce the alignment by copy into the buffer. 839 */ 840 if ((uintptr_t)data % 8 == 0) { 841 while (len >= SHA512_BLOCK_LENGTH) { 842 netpgpv_SHA512_Transform(context, 843 (const uint64_t*)(const void *)data); 844 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 845 len -= SHA512_BLOCK_LENGTH; 846 data += SHA512_BLOCK_LENGTH; 847 } 848 } else { 849 while (len >= SHA512_BLOCK_LENGTH) { 850 memcpy(context->buffer, data, SHA512_BLOCK_LENGTH); 851 netpgpv_SHA512_Transform(context, 852 (const void *)context->buffer); 853 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 854 len -= SHA512_BLOCK_LENGTH; 855 data += SHA512_BLOCK_LENGTH; 856 } 857 } 858 if (len > 0) { 859 /* There's left-overs, so save 'em */ 860 memcpy(context->buffer, data, len); 861 ADDINC128(context->bitcount, len << 3); 862 } 863 /* Clean up: */ 864 usedspace = freespace = 0; 865 866 return 1; 867 } 868 869 static void 870 netpgpv_SHA512_Last(NETPGPV_SHA512_CTX *context) 871 { 872 unsigned int usedspace; 873 874 usedspace = (unsigned int)((context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH); 875 context->bitcount[0] = htobe64(context->bitcount[0]); 876 context->bitcount[1] = htobe64(context->bitcount[1]); 877 if (usedspace > 0) { 878 /* Begin padding with a 1 bit: */ 879 context->buffer[usedspace++] = 0x80; 880 881 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 882 /* Set-up for the last transform: */ 883 memset(&context->buffer[usedspace], 0, 884 (size_t)(SHA512_SHORT_BLOCK_LENGTH - usedspace)); 885 } else { 886 if (usedspace < SHA512_BLOCK_LENGTH) { 887 memset(&context->buffer[usedspace], 0, 888 (size_t)(SHA512_BLOCK_LENGTH - usedspace)); 889 } 890 /* Do second-to-last transform: */ 891 netpgpv_SHA512_Transform(context, 892 (uint64_t *)(void *)context->buffer); 893 894 /* And set-up for the last transform: */ 895 memset(context->buffer, 0, 896 (size_t)(SHA512_BLOCK_LENGTH - 2)); 897 } 898 } else { 899 /* Prepare for final transform: */ 900 memset(context->buffer, 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH)); 901 902 /* Begin padding with a 1 bit: */ 903 *context->buffer = 0x80; 904 } 905 /* Store the length of input data (in bits): */ 906 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], 907 &context->bitcount[1], sizeof(context->bitcount[1])); 908 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], 909 &context->bitcount[0], sizeof(context->bitcount[0])); 910 911 /* Final transform: */ 912 netpgpv_SHA512_Transform(context, (uint64_t *)(void *)context->buffer); 913 } 914 915 int 916 netpgpv_SHA512_Final(uint8_t digest[], NETPGPV_SHA512_CTX *context) 917 { 918 size_t i; 919 920 /* If no digest buffer is passed, we don't bother doing this: */ 921 if (digest != NULL) { 922 netpgpv_SHA512_Last(context); 923 924 /* Save the hash data for output: */ 925 for (i = 0; i < 8; ++i) 926 be64encode(digest + 8 * i, context->state[i]); 927 } 928 929 /* Zero out state data */ 930 memset(context, 0, sizeof(*context)); 931 932 return 1; 933 } 934 935 /*** SHA-384: *********************************************************/ 936 int 937 netpgpv_SHA384_Init(NETPGPV_SHA384_CTX *context) 938 { 939 if (context == NULL) 940 return 1; 941 942 memcpy(context->state, sha384_initial_hash_value, 943 (size_t)(SHA512_DIGEST_LENGTH)); 944 memset(context->buffer, 0, (size_t)(SHA384_BLOCK_LENGTH)); 945 context->bitcount[0] = context->bitcount[1] = 0; 946 947 return 1; 948 } 949 950 int 951 netpgpv_SHA384_Update(NETPGPV_SHA384_CTX *context, const uint8_t *data, size_t len) 952 { 953 return netpgpv_SHA512_Update((NETPGPV_SHA512_CTX *)context, data, len); 954 } 955 956 void 957 netpgpv_SHA384_Transform(NETPGPV_SHA512_CTX *context, const uint64_t *data) 958 { 959 netpgpv_SHA512_Transform((NETPGPV_SHA512_CTX *)context, data); 960 } 961 962 int 963 netpgpv_SHA384_Final(uint8_t digest[], NETPGPV_SHA384_CTX *context) 964 { 965 size_t i; 966 967 /* If no digest buffer is passed, we don't bother doing this: */ 968 if (digest != NULL) { 969 netpgpv_SHA512_Last((NETPGPV_SHA512_CTX *)context); 970 971 /* Save the hash data for output: */ 972 for (i = 0; i < 6; ++i) 973 be64encode(digest + 8 * i, context->state[i]); 974 } 975 976 /* Zero out state data */ 977 memset(context, 0, sizeof(*context)); 978 979 return 1; 980 } 981