1 /* $NetBSD: sha2.c,v 1.2 2021/08/14 16:14:53 christos Exp $ */
2
3 /* $OpenLDAP$ */
4 /*
5 * FILE: sha2.c
6 * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/
7 *
8 * Copyright (c) 2000-2001, Aaron D. Gifford
9 * All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the copyright holder nor the names of contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 * Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg
36 */
37
38 #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
39 #include <assert.h> /* assert() */
40 #include "sha2.h"
41
42 /*
43 * ASSERT NOTE:
44 * Some sanity checking code is included using assert(). On my FreeBSD
45 * system, this additional code can be removed by compiling with NDEBUG
46 * defined. Check your own systems manpage on assert() to see how to
47 * compile WITHOUT the sanity checking code on your system.
48 *
49 * UNROLLED TRANSFORM LOOP NOTE:
50 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
51 * loop version for the hash transform rounds (defined using macros
52 * later in this file). Either define on the command line, for example:
53 *
54 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
55 *
56 * or define below:
57 *
58 * #define SHA2_UNROLL_TRANSFORM
59 *
60 */
61
62
63 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
64 /*
65 * BYTE_ORDER NOTE:
66 *
67 * Please make sure that your system defines BYTE_ORDER. If your
68 * architecture is little-endian, make sure it also defines
69 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
70 * equivalent.
71 *
72 * If your system does not define the above, then you can do so by
73 * hand like this:
74 *
75 * #define LITTLE_ENDIAN 1234
76 * #define BIG_ENDIAN 4321
77 *
78 * And for little-endian machines, add:
79 *
80 * #define BYTE_ORDER LITTLE_ENDIAN
81 *
82 * Or for big-endian machines:
83 *
84 * #define BYTE_ORDER BIG_ENDIAN
85 *
86 * The FreeBSD machine this was written on defines BYTE_ORDER
87 * appropriately by including <sys/types.h> (which in turn includes
88 * <machine/endian.h> where the appropriate definitions are actually
89 * made).
90 */
91 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
92 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
93 #endif
94
95 /*
96 * Define the followingsha2_* types to types of the correct length on
97 * the native architecture. Most BSD systems and Linux define u_intXX_t
98 * types. Machines with very recent ANSI C headers, can use the
99 * uintXX_t definitions from inttypes.h by defining SHA2_USE_INTTYPES_H
100 * during compile or in the sha.h header file.
101 *
102 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
103 * will need to define these three typedefs below (and the appropriate
104 * ones in sha.h too) by hand according to their system architecture.
105 *
106 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
107 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
108 */
109 #ifdef SHA2_USE_INTTYPES_H
110
111 typedef uint8_t sha2_byte; /* Exactly 1 byte */
112 typedef uint32_t sha2_word32; /* Exactly 4 bytes */
113 typedef uint64_t sha2_word64; /* Exactly 8 bytes */
114
115 #else /* SHA2_USE_INTTYPES_H */
116
117 typedef u_int8_t sha2_byte; /* Exactly 1 byte */
118 typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
119 typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
120
121 #endif /* SHA2_USE_INTTYPES_H */
122
123
124 /*** SHA-256/384/512 Various Length Definitions ***********************/
125 /* NOTE: Most of these are in sha2.h */
126 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
127 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
128 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
129
130
131 /*** ENDIAN REVERSAL MACROS *******************************************/
132 #if BYTE_ORDER == LITTLE_ENDIAN
133 #define REVERSE32(w,x) { \
134 sha2_word32 tmp = (w); \
135 tmp = (tmp >> 16) | (tmp << 16); \
136 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
137 }
138 #define REVERSE64(w,x) { \
139 sha2_word64 tmp = (w); \
140 tmp = (tmp >> 32) | (tmp << 32); \
141 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
142 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
143 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
144 ((tmp & 0x0000ffff0000ffffULL) << 16); \
145 }
146 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
147
148 /*
149 * Macro for incrementally adding the unsigned 64-bit integer n to the
150 * unsigned 128-bit integer (represented using a two-element array of
151 * 64-bit words):
152 */
153 #define ADDINC128(w,n) { \
154 (w)[0] += (sha2_word64)(n); \
155 if ((w)[0] < (n)) { \
156 (w)[1]++; \
157 } \
158 }
159
160 /*
161 * Macros for copying blocks of memory and for zeroing out ranges
162 * of memory. Using these macros makes it easy to switch from
163 * using memset()/memcpy() and using bzero()/bcopy().
164 *
165 * Please define either SHA2_USE_MEMSET_MEMCPY or define
166 * SHA2_USE_BZERO_BCOPY depending on which function set you
167 * choose to use:
168 */
169 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
170 /* Default to memset()/memcpy() if no option is specified */
171 #define SHA2_USE_MEMSET_MEMCPY 1
172 #endif
173 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
174 /* Abort with an error if BOTH options are defined */
175 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
176 #endif
177
178 #ifdef SHA2_USE_MEMSET_MEMCPY
179 #define MEMSET_BZERO(p,l) memset((p), 0, (l))
180 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
181 #endif
182 #ifdef SHA2_USE_BZERO_BCOPY
183 #define MEMSET_BZERO(p,l) bzero((p), (l))
184 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
185 #endif
186
187
188 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
189 /*
190 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
191 *
192 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
193 * S is a ROTATION) because the SHA-256/384/512 description document
194 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
195 * same "backwards" definition.
196 */
197 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
198 #define R(b,x) ((x) >> (b))
199 /* 32-bit Rotate-right (used in SHA-256): */
200 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
201 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
202 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
203
204 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
205 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
206 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
207
208 /* Four of six logical functions used in SHA-256: */
209 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
210 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
211 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
212 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
213
214 /* Four of six logical functions used in SHA-384 and SHA-512: */
215 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
216 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
217 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
218 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
219
220 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
221 /* NOTE: These should not be accessed directly from outside this
222 * library -- they are intended for private internal visibility/use
223 * only.
224 */
225 static void SHA512_Last(SHA512_CTX*);
226 static void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
227 static void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
228
229
230 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
231 /* Hash constant words K for SHA-256: */
232 const static sha2_word32 K256[64] = {
233 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
234 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
235 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
236 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
237 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
238 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
239 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
240 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
241 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
242 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
243 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
244 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
245 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
246 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
247 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
248 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
249 };
250
251 /* Initial hash value H for SHA-256: */
252 const static sha2_word32 sha256_initial_hash_value[8] = {
253 0x6a09e667UL,
254 0xbb67ae85UL,
255 0x3c6ef372UL,
256 0xa54ff53aUL,
257 0x510e527fUL,
258 0x9b05688cUL,
259 0x1f83d9abUL,
260 0x5be0cd19UL
261 };
262
263 /* Hash constant words K for SHA-384 and SHA-512: */
264 const static sha2_word64 K512[80] = {
265 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
266 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
267 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
268 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
269 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
270 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
271 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
272 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
273 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
274 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
275 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
276 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
277 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
278 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
279 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
280 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
281 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
282 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
283 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
284 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
285 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
286 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
287 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
288 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
289 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
290 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
291 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
292 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
293 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
294 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
295 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
296 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
297 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
298 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
299 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
300 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
301 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
302 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
303 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
304 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
305 };
306
307 /* Initial hash value H for SHA-384 */
308 const static sha2_word64 sha384_initial_hash_value[8] = {
309 0xcbbb9d5dc1059ed8ULL,
310 0x629a292a367cd507ULL,
311 0x9159015a3070dd17ULL,
312 0x152fecd8f70e5939ULL,
313 0x67332667ffc00b31ULL,
314 0x8eb44a8768581511ULL,
315 0xdb0c2e0d64f98fa7ULL,
316 0x47b5481dbefa4fa4ULL
317 };
318
319 /* Initial hash value H for SHA-512 */
320 const static sha2_word64 sha512_initial_hash_value[8] = {
321 0x6a09e667f3bcc908ULL,
322 0xbb67ae8584caa73bULL,
323 0x3c6ef372fe94f82bULL,
324 0xa54ff53a5f1d36f1ULL,
325 0x510e527fade682d1ULL,
326 0x9b05688c2b3e6c1fULL,
327 0x1f83d9abfb41bd6bULL,
328 0x5be0cd19137e2179ULL
329 };
330
331 /*
332 * Constant used by SHA256/384/512_End() functions for converting the
333 * digest to a readable hexadecimal character string:
334 */
335 static const char *sha2_hex_digits = "0123456789abcdef";
336
337
338 /*** SHA-256: *********************************************************/
SHA256_Init(SHA256_CTX * context)339 void SHA256_Init(SHA256_CTX* context) {
340 if (context == (SHA256_CTX*)0) {
341 return;
342 }
343 MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
344 MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH);
345 context->bitcount = 0;
346 }
347
348 #ifdef SHA2_UNROLL_TRANSFORM
349
350 /* Unrolled SHA-256 round macros: */
351
352 #if BYTE_ORDER == LITTLE_ENDIAN
353
354 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
355 REVERSE32(*data++, W256[j]); \
356 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
357 K256[j] + W256[j]; \
358 (d) += T1; \
359 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
360 j++
361
362
363 #else /* BYTE_ORDER == LITTLE_ENDIAN */
364
365 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
366 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
367 K256[j] + (W256[j] = *data++); \
368 (d) += T1; \
369 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
370 j++
371
372 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
373
374 #define ROUND256(a,b,c,d,e,f,g,h) \
375 s0 = W256[(j+1)&0x0f]; \
376 s0 = sigma0_256(s0); \
377 s1 = W256[(j+14)&0x0f]; \
378 s1 = sigma1_256(s1); \
379 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
380 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
381 (d) += T1; \
382 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
383 j++
384
SHA256_Transform(SHA256_CTX * context,const sha2_word32 * data)385 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
386 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
387 sha2_word32 T1, *W256;
388 int j;
389
390 W256 = (sha2_word32*)context->buffer;
391
392 /* Initialize registers with the prev. intermediate value */
393 a = context->state[0];
394 b = context->state[1];
395 c = context->state[2];
396 d = context->state[3];
397 e = context->state[4];
398 f = context->state[5];
399 g = context->state[6];
400 h = context->state[7];
401
402 j = 0;
403 do {
404 /* Rounds 0 to 15 (unrolled): */
405 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
406 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
407 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
408 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
409 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
410 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
411 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
412 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
413 } while (j < 16);
414
415 /* Now for the remaining rounds to 64: */
416 do {
417 ROUND256(a,b,c,d,e,f,g,h);
418 ROUND256(h,a,b,c,d,e,f,g);
419 ROUND256(g,h,a,b,c,d,e,f);
420 ROUND256(f,g,h,a,b,c,d,e);
421 ROUND256(e,f,g,h,a,b,c,d);
422 ROUND256(d,e,f,g,h,a,b,c);
423 ROUND256(c,d,e,f,g,h,a,b);
424 ROUND256(b,c,d,e,f,g,h,a);
425 } while (j < 64);
426
427 /* Compute the current intermediate hash value */
428 context->state[0] += a;
429 context->state[1] += b;
430 context->state[2] += c;
431 context->state[3] += d;
432 context->state[4] += e;
433 context->state[5] += f;
434 context->state[6] += g;
435 context->state[7] += h;
436
437 /* Clean up */
438 a = b = c = d = e = f = g = h = T1 = 0;
439 }
440
441 #else /* SHA2_UNROLL_TRANSFORM */
442
SHA256_Transform(SHA256_CTX * context,const sha2_word32 * data)443 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
444 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
445 sha2_word32 T1, T2, *W256;
446 int j;
447
448 W256 = (sha2_word32*)context->buffer;
449
450 /* Initialize registers with the prev. intermediate value */
451 a = context->state[0];
452 b = context->state[1];
453 c = context->state[2];
454 d = context->state[3];
455 e = context->state[4];
456 f = context->state[5];
457 g = context->state[6];
458 h = context->state[7];
459
460 j = 0;
461 do {
462 #if BYTE_ORDER == LITTLE_ENDIAN
463 /* Copy data while converting to host byte order */
464 REVERSE32(*data++,W256[j]);
465 /* Apply the SHA-256 compression function to update a..h */
466 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
467 #else /* BYTE_ORDER == LITTLE_ENDIAN */
468 /* Apply the SHA-256 compression function to update a..h with copy */
469 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
470 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
471 T2 = Sigma0_256(a) + Maj(a, b, c);
472 h = g;
473 g = f;
474 f = e;
475 e = d + T1;
476 d = c;
477 c = b;
478 b = a;
479 a = T1 + T2;
480
481 j++;
482 } while (j < 16);
483
484 do {
485 /* Part of the message block expansion: */
486 s0 = W256[(j+1)&0x0f];
487 s0 = sigma0_256(s0);
488 s1 = W256[(j+14)&0x0f];
489 s1 = sigma1_256(s1);
490
491 /* Apply the SHA-256 compression function to update a..h */
492 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
493 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
494 T2 = Sigma0_256(a) + Maj(a, b, c);
495 h = g;
496 g = f;
497 f = e;
498 e = d + T1;
499 d = c;
500 c = b;
501 b = a;
502 a = T1 + T2;
503
504 j++;
505 } while (j < 64);
506
507 /* Compute the current intermediate hash value */
508 context->state[0] += a;
509 context->state[1] += b;
510 context->state[2] += c;
511 context->state[3] += d;
512 context->state[4] += e;
513 context->state[5] += f;
514 context->state[6] += g;
515 context->state[7] += h;
516
517 /* Clean up */
518 a = b = c = d = e = f = g = h = T1 = T2 = 0;
519 }
520
521 #endif /* SHA2_UNROLL_TRANSFORM */
522
SHA256_Update(SHA256_CTX * context,const sha2_byte * data,size_t len)523 void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
524 unsigned int freespace, usedspace;
525
526 if (len == 0) {
527 /* Calling with no data is valid - we do nothing */
528 return;
529 }
530
531 /* Sanity check: */
532 assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
533
534 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
535 if (usedspace > 0) {
536 /* Calculate how much free space is available in the buffer */
537 freespace = SHA256_BLOCK_LENGTH - usedspace;
538
539 if (len >= freespace) {
540 /* Fill the buffer completely and process it */
541 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
542 context->bitcount += freespace << 3;
543 len -= freespace;
544 data += freespace;
545 SHA256_Transform(context, (sha2_word32*)context->buffer);
546 } else {
547 /* The buffer is not yet full */
548 MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
549 context->bitcount += len << 3;
550 /* Clean up: */
551 usedspace = freespace = 0;
552 return;
553 }
554 }
555 while (len >= SHA256_BLOCK_LENGTH) {
556 /* Process as many complete blocks as we can */
557 SHA256_Transform(context, (sha2_word32*)data);
558 context->bitcount += SHA256_BLOCK_LENGTH << 3;
559 len -= SHA256_BLOCK_LENGTH;
560 data += SHA256_BLOCK_LENGTH;
561 }
562 if (len > 0) {
563 /* There's left-overs, so save 'em */
564 MEMCPY_BCOPY(context->buffer, data, len);
565 context->bitcount += len << 3;
566 }
567 /* Clean up: */
568 usedspace = freespace = 0;
569 }
570
SHA256_Final(sha2_byte digest[],SHA256_CTX * context)571 void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
572 sha2_word32 *d = (sha2_word32*)digest;
573 sha2_word64 *p;
574 unsigned int usedspace;
575
576 /* Sanity check: */
577 assert(context != (SHA256_CTX*)0);
578
579 /* If no digest buffer is passed, we don't bother doing this: */
580 if (digest != (sha2_byte*)0) {
581 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
582 #if BYTE_ORDER == LITTLE_ENDIAN
583 /* Convert FROM host byte order */
584 REVERSE64(context->bitcount,context->bitcount);
585 #endif
586 if (usedspace > 0) {
587 /* Begin padding with a 1 bit: */
588 context->buffer[usedspace++] = 0x80;
589
590 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
591 /* Set-up for the last transform: */
592 MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
593 } else {
594 if (usedspace < SHA256_BLOCK_LENGTH) {
595 MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
596 }
597 /* Do second-to-last transform: */
598 SHA256_Transform(context, (sha2_word32*)context->buffer);
599
600 /* And set-up for the last transform: */
601 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
602 }
603 } else {
604 /* Set-up for the last transform: */
605 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
606
607 /* Begin padding with a 1 bit: */
608 *context->buffer = 0x80;
609 }
610 /* Set the bit count: */
611 p = (sha2_word64 *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH];
612 *p = context->bitcount;
613
614 /* Final transform: */
615 SHA256_Transform(context, (sha2_word32*)context->buffer);
616
617 #if BYTE_ORDER == LITTLE_ENDIAN
618 {
619 /* Convert TO host byte order */
620 int j;
621 for (j = 0; j < 8; j++) {
622 REVERSE32(context->state[j],context->state[j]);
623 *d++ = context->state[j];
624 }
625 }
626 #else
627 MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH);
628 #endif
629 }
630
631 /* Clean up state data: */
632 MEMSET_BZERO(context, sizeof(*context));
633 usedspace = 0;
634 }
635
SHA256_End(SHA256_CTX * context,char buffer[])636 char *SHA256_End(SHA256_CTX* context, char buffer[]) {
637 sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
638 int i;
639
640 /* Sanity check: */
641 assert(context != (SHA256_CTX*)0);
642
643 if (buffer != (char*)0) {
644 SHA256_Final(digest, context);
645
646 for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
647 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
648 *buffer++ = sha2_hex_digits[*d & 0x0f];
649 d++;
650 }
651 *buffer = (char)0;
652 } else {
653 MEMSET_BZERO(context, sizeof(*context));
654 }
655 MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH);
656 return buffer;
657 }
658
SHA256_Data(const sha2_byte * data,size_t len,char digest[SHA256_DIGEST_STRING_LENGTH])659 char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
660 SHA256_CTX context;
661
662 SHA256_Init(&context);
663 SHA256_Update(&context, data, len);
664 return SHA256_End(&context, digest);
665 }
666
667
668 /*** SHA-512: *********************************************************/
SHA512_Init(SHA512_CTX * context)669 void SHA512_Init(SHA512_CTX* context) {
670 if (context == (SHA512_CTX*)0) {
671 return;
672 }
673 MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
674 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH);
675 context->bitcount[0] = context->bitcount[1] = 0;
676 }
677
678 #ifdef SHA2_UNROLL_TRANSFORM
679
680 /* Unrolled SHA-512 round macros: */
681 #if BYTE_ORDER == LITTLE_ENDIAN
682
683 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
684 REVERSE64(*data++, W512[j]); \
685 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
686 K512[j] + W512[j]; \
687 (d) += T1, \
688 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
689 j++
690
691
692 #else /* BYTE_ORDER == LITTLE_ENDIAN */
693
694 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
695 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
696 K512[j] + (W512[j] = *data++); \
697 (d) += T1; \
698 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
699 j++
700
701 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
702
703 #define ROUND512(a,b,c,d,e,f,g,h) \
704 s0 = W512[(j+1)&0x0f]; \
705 s0 = sigma0_512(s0); \
706 s1 = W512[(j+14)&0x0f]; \
707 s1 = sigma1_512(s1); \
708 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
709 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
710 (d) += T1; \
711 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
712 j++
713
SHA512_Transform(SHA512_CTX * context,const sha2_word64 * data)714 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
715 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
716 sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
717 int j;
718
719 /* Initialize registers with the prev. intermediate value */
720 a = context->state[0];
721 b = context->state[1];
722 c = context->state[2];
723 d = context->state[3];
724 e = context->state[4];
725 f = context->state[5];
726 g = context->state[6];
727 h = context->state[7];
728
729 j = 0;
730 do {
731 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
732 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
733 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
734 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
735 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
736 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
737 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
738 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
739 } while (j < 16);
740
741 /* Now for the remaining rounds up to 79: */
742 do {
743 ROUND512(a,b,c,d,e,f,g,h);
744 ROUND512(h,a,b,c,d,e,f,g);
745 ROUND512(g,h,a,b,c,d,e,f);
746 ROUND512(f,g,h,a,b,c,d,e);
747 ROUND512(e,f,g,h,a,b,c,d);
748 ROUND512(d,e,f,g,h,a,b,c);
749 ROUND512(c,d,e,f,g,h,a,b);
750 ROUND512(b,c,d,e,f,g,h,a);
751 } while (j < 80);
752
753 /* Compute the current intermediate hash value */
754 context->state[0] += a;
755 context->state[1] += b;
756 context->state[2] += c;
757 context->state[3] += d;
758 context->state[4] += e;
759 context->state[5] += f;
760 context->state[6] += g;
761 context->state[7] += h;
762
763 /* Clean up */
764 a = b = c = d = e = f = g = h = T1 = 0;
765 }
766
767 #else /* SHA2_UNROLL_TRANSFORM */
768
SHA512_Transform(SHA512_CTX * context,const sha2_word64 * data)769 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
770 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
771 sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
772 int j;
773
774 /* Initialize registers with the prev. intermediate value */
775 a = context->state[0];
776 b = context->state[1];
777 c = context->state[2];
778 d = context->state[3];
779 e = context->state[4];
780 f = context->state[5];
781 g = context->state[6];
782 h = context->state[7];
783
784 j = 0;
785 do {
786 #if BYTE_ORDER == LITTLE_ENDIAN
787 /* Convert TO host byte order */
788 REVERSE64(*data++, W512[j]);
789 /* Apply the SHA-512 compression function to update a..h */
790 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
791 #else /* BYTE_ORDER == LITTLE_ENDIAN */
792 /* Apply the SHA-512 compression function to update a..h with copy */
793 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
794 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
795 T2 = Sigma0_512(a) + Maj(a, b, c);
796 h = g;
797 g = f;
798 f = e;
799 e = d + T1;
800 d = c;
801 c = b;
802 b = a;
803 a = T1 + T2;
804
805 j++;
806 } while (j < 16);
807
808 do {
809 /* Part of the message block expansion: */
810 s0 = W512[(j+1)&0x0f];
811 s0 = sigma0_512(s0);
812 s1 = W512[(j+14)&0x0f];
813 s1 = sigma1_512(s1);
814
815 /* Apply the SHA-512 compression function to update a..h */
816 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
817 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
818 T2 = Sigma0_512(a) + Maj(a, b, c);
819 h = g;
820 g = f;
821 f = e;
822 e = d + T1;
823 d = c;
824 c = b;
825 b = a;
826 a = T1 + T2;
827
828 j++;
829 } while (j < 80);
830
831 /* Compute the current intermediate hash value */
832 context->state[0] += a;
833 context->state[1] += b;
834 context->state[2] += c;
835 context->state[3] += d;
836 context->state[4] += e;
837 context->state[5] += f;
838 context->state[6] += g;
839 context->state[7] += h;
840
841 /* Clean up */
842 a = b = c = d = e = f = g = h = T1 = T2 = 0;
843 }
844
845 #endif /* SHA2_UNROLL_TRANSFORM */
846
SHA512_Update(SHA512_CTX * context,const sha2_byte * data,size_t len)847 void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
848 unsigned int freespace, usedspace;
849
850 if (len == 0) {
851 /* Calling with no data is valid - we do nothing */
852 return;
853 }
854
855 /* Sanity check: */
856 assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);
857
858 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
859 if (usedspace > 0) {
860 /* Calculate how much free space is available in the buffer */
861 freespace = SHA512_BLOCK_LENGTH - usedspace;
862
863 if (len >= freespace) {
864 /* Fill the buffer completely and process it */
865 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
866 ADDINC128(context->bitcount, freespace << 3);
867 len -= freespace;
868 data += freespace;
869 SHA512_Transform(context, (sha2_word64*)context->buffer);
870 } else {
871 /* The buffer is not yet full */
872 MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
873 ADDINC128(context->bitcount, len << 3);
874 /* Clean up: */
875 usedspace = freespace = 0;
876 return;
877 }
878 }
879 while (len >= SHA512_BLOCK_LENGTH) {
880 /* Process as many complete blocks as we can */
881 SHA512_Transform(context, (sha2_word64*)data);
882 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
883 len -= SHA512_BLOCK_LENGTH;
884 data += SHA512_BLOCK_LENGTH;
885 }
886 if (len > 0) {
887 /* There's left-overs, so save 'em */
888 MEMCPY_BCOPY(context->buffer, data, len);
889 ADDINC128(context->bitcount, len << 3);
890 }
891 /* Clean up: */
892 usedspace = freespace = 0;
893 }
894
SHA512_Last(SHA512_CTX * context)895 void SHA512_Last(SHA512_CTX* context) {
896 sha2_word64 *p;
897 unsigned int usedspace;
898
899 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
900 #if BYTE_ORDER == LITTLE_ENDIAN
901 /* Convert FROM host byte order */
902 REVERSE64(context->bitcount[0],context->bitcount[0]);
903 REVERSE64(context->bitcount[1],context->bitcount[1]);
904 #endif
905 if (usedspace > 0) {
906 /* Begin padding with a 1 bit: */
907 context->buffer[usedspace++] = 0x80;
908
909 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
910 /* Set-up for the last transform: */
911 MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
912 } else {
913 if (usedspace < SHA512_BLOCK_LENGTH) {
914 MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
915 }
916 /* Do second-to-last transform: */
917 SHA512_Transform(context, (sha2_word64*)context->buffer);
918
919 /* And set-up for the last transform: */
920 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2);
921 }
922 } else {
923 /* Prepare for final transform: */
924 MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
925
926 /* Begin padding with a 1 bit: */
927 *context->buffer = 0x80;
928 }
929 /* Store the length of input data (in bits): */
930 p = (sha2_word64 *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH];
931 p[0] = context->bitcount[1];
932 p[1] = context->bitcount[0];
933
934 /* Final transform: */
935 SHA512_Transform(context, (sha2_word64*)context->buffer);
936 }
937
SHA512_Final(sha2_byte digest[],SHA512_CTX * context)938 void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
939 sha2_word64 *d = (sha2_word64*)digest;
940
941 /* Sanity check: */
942 assert(context != (SHA512_CTX*)0);
943
944 /* If no digest buffer is passed, we don't bother doing this: */
945 if (digest != (sha2_byte*)0) {
946 SHA512_Last(context);
947
948 /* Save the hash data for output: */
949 #if BYTE_ORDER == LITTLE_ENDIAN
950 {
951 /* Convert TO host byte order */
952 int j;
953 for (j = 0; j < 8; j++) {
954 REVERSE64(context->state[j],context->state[j]);
955 *d++ = context->state[j];
956 }
957 }
958 #else
959 MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH);
960 #endif
961 }
962
963 /* Zero out state data */
964 MEMSET_BZERO(context, sizeof(*context));
965 }
966
SHA512_End(SHA512_CTX * context,char buffer[])967 char *SHA512_End(SHA512_CTX* context, char buffer[]) {
968 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
969 int i;
970
971 /* Sanity check: */
972 assert(context != (SHA512_CTX*)0);
973
974 if (buffer != (char*)0) {
975 SHA512_Final(digest, context);
976
977 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
978 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
979 *buffer++ = sha2_hex_digits[*d & 0x0f];
980 d++;
981 }
982 *buffer = (char)0;
983 } else {
984 MEMSET_BZERO(context, sizeof(*context));
985 }
986 MEMSET_BZERO(digest, SHA512_DIGEST_LENGTH);
987 return buffer;
988 }
989
SHA512_Data(const sha2_byte * data,size_t len,char digest[SHA512_DIGEST_STRING_LENGTH])990 char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
991 SHA512_CTX context;
992
993 SHA512_Init(&context);
994 SHA512_Update(&context, data, len);
995 return SHA512_End(&context, digest);
996 }
997
998
999 /*** SHA-384: *********************************************************/
SHA384_Init(SHA384_CTX * context)1000 void SHA384_Init(SHA384_CTX* context) {
1001 if (context == (SHA384_CTX*)0) {
1002 return;
1003 }
1004 MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH);
1005 MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH);
1006 context->bitcount[0] = context->bitcount[1] = 0;
1007 }
1008
SHA384_Update(SHA384_CTX * context,const sha2_byte * data,size_t len)1009 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
1010 SHA512_Update((SHA512_CTX*)context, data, len);
1011 }
1012
SHA384_Final(sha2_byte digest[],SHA384_CTX * context)1013 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
1014 sha2_word64 *d = (sha2_word64*)digest;
1015
1016 /* Sanity check: */
1017 assert(context != (SHA384_CTX*)0);
1018
1019 /* If no digest buffer is passed, we don't bother doing this: */
1020 if (digest != (sha2_byte*)0) {
1021 SHA512_Last((SHA512_CTX*)context);
1022
1023 /* Save the hash data for output: */
1024 #if BYTE_ORDER == LITTLE_ENDIAN
1025 {
1026 /* Convert TO host byte order */
1027 int j;
1028 for (j = 0; j < 6; j++) {
1029 REVERSE64(context->state[j],context->state[j]);
1030 *d++ = context->state[j];
1031 }
1032 }
1033 #else
1034 MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH);
1035 #endif
1036 }
1037
1038 /* Zero out state data */
1039 MEMSET_BZERO(context, sizeof(*context));
1040 }
1041
SHA384_End(SHA384_CTX * context,char buffer[])1042 char *SHA384_End(SHA384_CTX* context, char buffer[]) {
1043 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
1044 int i;
1045
1046 /* Sanity check: */
1047 assert(context != (SHA384_CTX*)0);
1048
1049 if (buffer != (char*)0) {
1050 SHA384_Final(digest, context);
1051
1052 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
1053 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
1054 *buffer++ = sha2_hex_digits[*d & 0x0f];
1055 d++;
1056 }
1057 *buffer = (char)0;
1058 } else {
1059 MEMSET_BZERO(context, sizeof(*context));
1060 }
1061 MEMSET_BZERO(digest, SHA384_DIGEST_LENGTH);
1062 return buffer;
1063 }
1064
SHA384_Data(const sha2_byte * data,size_t len,char digest[SHA384_DIGEST_STRING_LENGTH])1065 char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
1066 SHA384_CTX context;
1067
1068 SHA384_Init(&context);
1069 SHA384_Update(&context, data, len);
1070 return SHA384_End(&context, digest);
1071 }
1072
1073