1 /* $NetBSD: sha2.c,v 1.2 2021/08/14 16:14:53 christos Exp $ */ 2 3 /* $OpenLDAP$ */ 4 /* 5 * FILE: sha2.c 6 * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/ 7 * 8 * Copyright (c) 2000-2001, Aaron D. Gifford 9 * All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of the copyright holder nor the names of contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 * 35 * Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg 36 */ 37 38 #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */ 39 #include <assert.h> /* assert() */ 40 #include "sha2.h" 41 42 /* 43 * ASSERT NOTE: 44 * Some sanity checking code is included using assert(). On my FreeBSD 45 * system, this additional code can be removed by compiling with NDEBUG 46 * defined. Check your own systems manpage on assert() to see how to 47 * compile WITHOUT the sanity checking code on your system. 48 * 49 * UNROLLED TRANSFORM LOOP NOTE: 50 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform 51 * loop version for the hash transform rounds (defined using macros 52 * later in this file). Either define on the command line, for example: 53 * 54 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c 55 * 56 * or define below: 57 * 58 * #define SHA2_UNROLL_TRANSFORM 59 * 60 */ 61 62 63 /*** SHA-256/384/512 Machine Architecture Definitions *****************/ 64 /* 65 * BYTE_ORDER NOTE: 66 * 67 * Please make sure that your system defines BYTE_ORDER. If your 68 * architecture is little-endian, make sure it also defines 69 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are 70 * equivalent. 71 * 72 * If your system does not define the above, then you can do so by 73 * hand like this: 74 * 75 * #define LITTLE_ENDIAN 1234 76 * #define BIG_ENDIAN 4321 77 * 78 * And for little-endian machines, add: 79 * 80 * #define BYTE_ORDER LITTLE_ENDIAN 81 * 82 * Or for big-endian machines: 83 * 84 * #define BYTE_ORDER BIG_ENDIAN 85 * 86 * The FreeBSD machine this was written on defines BYTE_ORDER 87 * appropriately by including <sys/types.h> (which in turn includes 88 * <machine/endian.h> where the appropriate definitions are actually 89 * made). 90 */ 91 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) 92 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN 93 #endif 94 95 /* 96 * Define the followingsha2_* types to types of the correct length on 97 * the native architecture. Most BSD systems and Linux define u_intXX_t 98 * types. Machines with very recent ANSI C headers, can use the 99 * uintXX_t definitions from inttypes.h by defining SHA2_USE_INTTYPES_H 100 * during compile or in the sha.h header file. 101 * 102 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t 103 * will need to define these three typedefs below (and the appropriate 104 * ones in sha.h too) by hand according to their system architecture. 105 * 106 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t 107 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h. 108 */ 109 #ifdef SHA2_USE_INTTYPES_H 110 111 typedef uint8_t sha2_byte; /* Exactly 1 byte */ 112 typedef uint32_t sha2_word32; /* Exactly 4 bytes */ 113 typedef uint64_t sha2_word64; /* Exactly 8 bytes */ 114 115 #else /* SHA2_USE_INTTYPES_H */ 116 117 typedef u_int8_t sha2_byte; /* Exactly 1 byte */ 118 typedef u_int32_t sha2_word32; /* Exactly 4 bytes */ 119 typedef u_int64_t sha2_word64; /* Exactly 8 bytes */ 120 121 #endif /* SHA2_USE_INTTYPES_H */ 122 123 124 /*** SHA-256/384/512 Various Length Definitions ***********************/ 125 /* NOTE: Most of these are in sha2.h */ 126 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 127 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 128 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 129 130 131 /*** ENDIAN REVERSAL MACROS *******************************************/ 132 #if BYTE_ORDER == LITTLE_ENDIAN 133 #define REVERSE32(w,x) { \ 134 sha2_word32 tmp = (w); \ 135 tmp = (tmp >> 16) | (tmp << 16); \ 136 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \ 137 } 138 #define REVERSE64(w,x) { \ 139 sha2_word64 tmp = (w); \ 140 tmp = (tmp >> 32) | (tmp << 32); \ 141 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \ 142 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \ 143 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \ 144 ((tmp & 0x0000ffff0000ffffULL) << 16); \ 145 } 146 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 147 148 /* 149 * Macro for incrementally adding the unsigned 64-bit integer n to the 150 * unsigned 128-bit integer (represented using a two-element array of 151 * 64-bit words): 152 */ 153 #define ADDINC128(w,n) { \ 154 (w)[0] += (sha2_word64)(n); \ 155 if ((w)[0] < (n)) { \ 156 (w)[1]++; \ 157 } \ 158 } 159 160 /* 161 * Macros for copying blocks of memory and for zeroing out ranges 162 * of memory. Using these macros makes it easy to switch from 163 * using memset()/memcpy() and using bzero()/bcopy(). 164 * 165 * Please define either SHA2_USE_MEMSET_MEMCPY or define 166 * SHA2_USE_BZERO_BCOPY depending on which function set you 167 * choose to use: 168 */ 169 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY) 170 /* Default to memset()/memcpy() if no option is specified */ 171 #define SHA2_USE_MEMSET_MEMCPY 1 172 #endif 173 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY) 174 /* Abort with an error if BOTH options are defined */ 175 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both! 176 #endif 177 178 #ifdef SHA2_USE_MEMSET_MEMCPY 179 #define MEMSET_BZERO(p,l) memset((p), 0, (l)) 180 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l)) 181 #endif 182 #ifdef SHA2_USE_BZERO_BCOPY 183 #define MEMSET_BZERO(p,l) bzero((p), (l)) 184 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l)) 185 #endif 186 187 188 /*** THE SIX LOGICAL FUNCTIONS ****************************************/ 189 /* 190 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 191 * 192 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 193 * S is a ROTATION) because the SHA-256/384/512 description document 194 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 195 * same "backwards" definition. 196 */ 197 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 198 #define R(b,x) ((x) >> (b)) 199 /* 32-bit Rotate-right (used in SHA-256): */ 200 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 201 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 202 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 203 204 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 205 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 206 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 207 208 /* Four of six logical functions used in SHA-256: */ 209 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 210 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 211 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 212 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 213 214 /* Four of six logical functions used in SHA-384 and SHA-512: */ 215 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 216 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 217 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 218 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 219 220 /*** INTERNAL FUNCTION PROTOTYPES *************************************/ 221 /* NOTE: These should not be accessed directly from outside this 222 * library -- they are intended for private internal visibility/use 223 * only. 224 */ 225 static void SHA512_Last(SHA512_CTX*); 226 static void SHA256_Transform(SHA256_CTX*, const sha2_word32*); 227 static void SHA512_Transform(SHA512_CTX*, const sha2_word64*); 228 229 230 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 231 /* Hash constant words K for SHA-256: */ 232 const static sha2_word32 K256[64] = { 233 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 234 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 235 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 236 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 237 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 238 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 239 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 240 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 241 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 242 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 243 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 244 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 245 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 246 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 247 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 248 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 249 }; 250 251 /* Initial hash value H for SHA-256: */ 252 const static sha2_word32 sha256_initial_hash_value[8] = { 253 0x6a09e667UL, 254 0xbb67ae85UL, 255 0x3c6ef372UL, 256 0xa54ff53aUL, 257 0x510e527fUL, 258 0x9b05688cUL, 259 0x1f83d9abUL, 260 0x5be0cd19UL 261 }; 262 263 /* Hash constant words K for SHA-384 and SHA-512: */ 264 const static sha2_word64 K512[80] = { 265 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 266 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 267 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 268 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 269 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 270 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 271 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 272 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 273 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 274 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 275 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 276 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 277 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 278 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 279 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 280 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 281 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 282 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 283 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 284 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 285 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 286 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 287 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 288 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 289 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 290 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 291 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 292 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 293 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 294 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 295 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 296 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 297 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 298 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 299 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 300 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 301 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 302 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 303 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 304 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 305 }; 306 307 /* Initial hash value H for SHA-384 */ 308 const static sha2_word64 sha384_initial_hash_value[8] = { 309 0xcbbb9d5dc1059ed8ULL, 310 0x629a292a367cd507ULL, 311 0x9159015a3070dd17ULL, 312 0x152fecd8f70e5939ULL, 313 0x67332667ffc00b31ULL, 314 0x8eb44a8768581511ULL, 315 0xdb0c2e0d64f98fa7ULL, 316 0x47b5481dbefa4fa4ULL 317 }; 318 319 /* Initial hash value H for SHA-512 */ 320 const static sha2_word64 sha512_initial_hash_value[8] = { 321 0x6a09e667f3bcc908ULL, 322 0xbb67ae8584caa73bULL, 323 0x3c6ef372fe94f82bULL, 324 0xa54ff53a5f1d36f1ULL, 325 0x510e527fade682d1ULL, 326 0x9b05688c2b3e6c1fULL, 327 0x1f83d9abfb41bd6bULL, 328 0x5be0cd19137e2179ULL 329 }; 330 331 /* 332 * Constant used by SHA256/384/512_End() functions for converting the 333 * digest to a readable hexadecimal character string: 334 */ 335 static const char *sha2_hex_digits = "0123456789abcdef"; 336 337 338 /*** SHA-256: *********************************************************/ 339 void SHA256_Init(SHA256_CTX* context) { 340 if (context == (SHA256_CTX*)0) { 341 return; 342 } 343 MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH); 344 MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH); 345 context->bitcount = 0; 346 } 347 348 #ifdef SHA2_UNROLL_TRANSFORM 349 350 /* Unrolled SHA-256 round macros: */ 351 352 #if BYTE_ORDER == LITTLE_ENDIAN 353 354 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 355 REVERSE32(*data++, W256[j]); \ 356 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 357 K256[j] + W256[j]; \ 358 (d) += T1; \ 359 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 360 j++ 361 362 363 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 364 365 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 366 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 367 K256[j] + (W256[j] = *data++); \ 368 (d) += T1; \ 369 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 370 j++ 371 372 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 373 374 #define ROUND256(a,b,c,d,e,f,g,h) \ 375 s0 = W256[(j+1)&0x0f]; \ 376 s0 = sigma0_256(s0); \ 377 s1 = W256[(j+14)&0x0f]; \ 378 s1 = sigma1_256(s1); \ 379 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 380 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 381 (d) += T1; \ 382 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 383 j++ 384 385 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { 386 sha2_word32 a, b, c, d, e, f, g, h, s0, s1; 387 sha2_word32 T1, *W256; 388 int j; 389 390 W256 = (sha2_word32*)context->buffer; 391 392 /* Initialize registers with the prev. intermediate value */ 393 a = context->state[0]; 394 b = context->state[1]; 395 c = context->state[2]; 396 d = context->state[3]; 397 e = context->state[4]; 398 f = context->state[5]; 399 g = context->state[6]; 400 h = context->state[7]; 401 402 j = 0; 403 do { 404 /* Rounds 0 to 15 (unrolled): */ 405 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 406 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 407 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 408 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 409 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 410 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 411 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 412 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 413 } while (j < 16); 414 415 /* Now for the remaining rounds to 64: */ 416 do { 417 ROUND256(a,b,c,d,e,f,g,h); 418 ROUND256(h,a,b,c,d,e,f,g); 419 ROUND256(g,h,a,b,c,d,e,f); 420 ROUND256(f,g,h,a,b,c,d,e); 421 ROUND256(e,f,g,h,a,b,c,d); 422 ROUND256(d,e,f,g,h,a,b,c); 423 ROUND256(c,d,e,f,g,h,a,b); 424 ROUND256(b,c,d,e,f,g,h,a); 425 } while (j < 64); 426 427 /* Compute the current intermediate hash value */ 428 context->state[0] += a; 429 context->state[1] += b; 430 context->state[2] += c; 431 context->state[3] += d; 432 context->state[4] += e; 433 context->state[5] += f; 434 context->state[6] += g; 435 context->state[7] += h; 436 437 /* Clean up */ 438 a = b = c = d = e = f = g = h = T1 = 0; 439 } 440 441 #else /* SHA2_UNROLL_TRANSFORM */ 442 443 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { 444 sha2_word32 a, b, c, d, e, f, g, h, s0, s1; 445 sha2_word32 T1, T2, *W256; 446 int j; 447 448 W256 = (sha2_word32*)context->buffer; 449 450 /* Initialize registers with the prev. intermediate value */ 451 a = context->state[0]; 452 b = context->state[1]; 453 c = context->state[2]; 454 d = context->state[3]; 455 e = context->state[4]; 456 f = context->state[5]; 457 g = context->state[6]; 458 h = context->state[7]; 459 460 j = 0; 461 do { 462 #if BYTE_ORDER == LITTLE_ENDIAN 463 /* Copy data while converting to host byte order */ 464 REVERSE32(*data++,W256[j]); 465 /* Apply the SHA-256 compression function to update a..h */ 466 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 467 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 468 /* Apply the SHA-256 compression function to update a..h with copy */ 469 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++); 470 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 471 T2 = Sigma0_256(a) + Maj(a, b, c); 472 h = g; 473 g = f; 474 f = e; 475 e = d + T1; 476 d = c; 477 c = b; 478 b = a; 479 a = T1 + T2; 480 481 j++; 482 } while (j < 16); 483 484 do { 485 /* Part of the message block expansion: */ 486 s0 = W256[(j+1)&0x0f]; 487 s0 = sigma0_256(s0); 488 s1 = W256[(j+14)&0x0f]; 489 s1 = sigma1_256(s1); 490 491 /* Apply the SHA-256 compression function to update a..h */ 492 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 493 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 494 T2 = Sigma0_256(a) + Maj(a, b, c); 495 h = g; 496 g = f; 497 f = e; 498 e = d + T1; 499 d = c; 500 c = b; 501 b = a; 502 a = T1 + T2; 503 504 j++; 505 } while (j < 64); 506 507 /* Compute the current intermediate hash value */ 508 context->state[0] += a; 509 context->state[1] += b; 510 context->state[2] += c; 511 context->state[3] += d; 512 context->state[4] += e; 513 context->state[5] += f; 514 context->state[6] += g; 515 context->state[7] += h; 516 517 /* Clean up */ 518 a = b = c = d = e = f = g = h = T1 = T2 = 0; 519 } 520 521 #endif /* SHA2_UNROLL_TRANSFORM */ 522 523 void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) { 524 unsigned int freespace, usedspace; 525 526 if (len == 0) { 527 /* Calling with no data is valid - we do nothing */ 528 return; 529 } 530 531 /* Sanity check: */ 532 assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0); 533 534 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; 535 if (usedspace > 0) { 536 /* Calculate how much free space is available in the buffer */ 537 freespace = SHA256_BLOCK_LENGTH - usedspace; 538 539 if (len >= freespace) { 540 /* Fill the buffer completely and process it */ 541 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace); 542 context->bitcount += freespace << 3; 543 len -= freespace; 544 data += freespace; 545 SHA256_Transform(context, (sha2_word32*)context->buffer); 546 } else { 547 /* The buffer is not yet full */ 548 MEMCPY_BCOPY(&context->buffer[usedspace], data, len); 549 context->bitcount += len << 3; 550 /* Clean up: */ 551 usedspace = freespace = 0; 552 return; 553 } 554 } 555 while (len >= SHA256_BLOCK_LENGTH) { 556 /* Process as many complete blocks as we can */ 557 SHA256_Transform(context, (sha2_word32*)data); 558 context->bitcount += SHA256_BLOCK_LENGTH << 3; 559 len -= SHA256_BLOCK_LENGTH; 560 data += SHA256_BLOCK_LENGTH; 561 } 562 if (len > 0) { 563 /* There's left-overs, so save 'em */ 564 MEMCPY_BCOPY(context->buffer, data, len); 565 context->bitcount += len << 3; 566 } 567 /* Clean up: */ 568 usedspace = freespace = 0; 569 } 570 571 void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) { 572 sha2_word32 *d = (sha2_word32*)digest; 573 sha2_word64 *p; 574 unsigned int usedspace; 575 576 /* Sanity check: */ 577 assert(context != (SHA256_CTX*)0); 578 579 /* If no digest buffer is passed, we don't bother doing this: */ 580 if (digest != (sha2_byte*)0) { 581 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; 582 #if BYTE_ORDER == LITTLE_ENDIAN 583 /* Convert FROM host byte order */ 584 REVERSE64(context->bitcount,context->bitcount); 585 #endif 586 if (usedspace > 0) { 587 /* Begin padding with a 1 bit: */ 588 context->buffer[usedspace++] = 0x80; 589 590 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 591 /* Set-up for the last transform: */ 592 MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace); 593 } else { 594 if (usedspace < SHA256_BLOCK_LENGTH) { 595 MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace); 596 } 597 /* Do second-to-last transform: */ 598 SHA256_Transform(context, (sha2_word32*)context->buffer); 599 600 /* And set-up for the last transform: */ 601 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH); 602 } 603 } else { 604 /* Set-up for the last transform: */ 605 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH); 606 607 /* Begin padding with a 1 bit: */ 608 *context->buffer = 0x80; 609 } 610 /* Set the bit count: */ 611 p = (sha2_word64 *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH]; 612 *p = context->bitcount; 613 614 /* Final transform: */ 615 SHA256_Transform(context, (sha2_word32*)context->buffer); 616 617 #if BYTE_ORDER == LITTLE_ENDIAN 618 { 619 /* Convert TO host byte order */ 620 int j; 621 for (j = 0; j < 8; j++) { 622 REVERSE32(context->state[j],context->state[j]); 623 *d++ = context->state[j]; 624 } 625 } 626 #else 627 MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH); 628 #endif 629 } 630 631 /* Clean up state data: */ 632 MEMSET_BZERO(context, sizeof(*context)); 633 usedspace = 0; 634 } 635 636 char *SHA256_End(SHA256_CTX* context, char buffer[]) { 637 sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest; 638 int i; 639 640 /* Sanity check: */ 641 assert(context != (SHA256_CTX*)0); 642 643 if (buffer != (char*)0) { 644 SHA256_Final(digest, context); 645 646 for (i = 0; i < SHA256_DIGEST_LENGTH; i++) { 647 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 648 *buffer++ = sha2_hex_digits[*d & 0x0f]; 649 d++; 650 } 651 *buffer = (char)0; 652 } else { 653 MEMSET_BZERO(context, sizeof(*context)); 654 } 655 MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH); 656 return buffer; 657 } 658 659 char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) { 660 SHA256_CTX context; 661 662 SHA256_Init(&context); 663 SHA256_Update(&context, data, len); 664 return SHA256_End(&context, digest); 665 } 666 667 668 /*** SHA-512: *********************************************************/ 669 void SHA512_Init(SHA512_CTX* context) { 670 if (context == (SHA512_CTX*)0) { 671 return; 672 } 673 MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH); 674 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH); 675 context->bitcount[0] = context->bitcount[1] = 0; 676 } 677 678 #ifdef SHA2_UNROLL_TRANSFORM 679 680 /* Unrolled SHA-512 round macros: */ 681 #if BYTE_ORDER == LITTLE_ENDIAN 682 683 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 684 REVERSE64(*data++, W512[j]); \ 685 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 686 K512[j] + W512[j]; \ 687 (d) += T1, \ 688 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 689 j++ 690 691 692 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 693 694 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 695 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 696 K512[j] + (W512[j] = *data++); \ 697 (d) += T1; \ 698 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 699 j++ 700 701 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 702 703 #define ROUND512(a,b,c,d,e,f,g,h) \ 704 s0 = W512[(j+1)&0x0f]; \ 705 s0 = sigma0_512(s0); \ 706 s1 = W512[(j+14)&0x0f]; \ 707 s1 = sigma1_512(s1); \ 708 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 709 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 710 (d) += T1; \ 711 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 712 j++ 713 714 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { 715 sha2_word64 a, b, c, d, e, f, g, h, s0, s1; 716 sha2_word64 T1, *W512 = (sha2_word64*)context->buffer; 717 int j; 718 719 /* Initialize registers with the prev. intermediate value */ 720 a = context->state[0]; 721 b = context->state[1]; 722 c = context->state[2]; 723 d = context->state[3]; 724 e = context->state[4]; 725 f = context->state[5]; 726 g = context->state[6]; 727 h = context->state[7]; 728 729 j = 0; 730 do { 731 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 732 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 733 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 734 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 735 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 736 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 737 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 738 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 739 } while (j < 16); 740 741 /* Now for the remaining rounds up to 79: */ 742 do { 743 ROUND512(a,b,c,d,e,f,g,h); 744 ROUND512(h,a,b,c,d,e,f,g); 745 ROUND512(g,h,a,b,c,d,e,f); 746 ROUND512(f,g,h,a,b,c,d,e); 747 ROUND512(e,f,g,h,a,b,c,d); 748 ROUND512(d,e,f,g,h,a,b,c); 749 ROUND512(c,d,e,f,g,h,a,b); 750 ROUND512(b,c,d,e,f,g,h,a); 751 } while (j < 80); 752 753 /* Compute the current intermediate hash value */ 754 context->state[0] += a; 755 context->state[1] += b; 756 context->state[2] += c; 757 context->state[3] += d; 758 context->state[4] += e; 759 context->state[5] += f; 760 context->state[6] += g; 761 context->state[7] += h; 762 763 /* Clean up */ 764 a = b = c = d = e = f = g = h = T1 = 0; 765 } 766 767 #else /* SHA2_UNROLL_TRANSFORM */ 768 769 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { 770 sha2_word64 a, b, c, d, e, f, g, h, s0, s1; 771 sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer; 772 int j; 773 774 /* Initialize registers with the prev. intermediate value */ 775 a = context->state[0]; 776 b = context->state[1]; 777 c = context->state[2]; 778 d = context->state[3]; 779 e = context->state[4]; 780 f = context->state[5]; 781 g = context->state[6]; 782 h = context->state[7]; 783 784 j = 0; 785 do { 786 #if BYTE_ORDER == LITTLE_ENDIAN 787 /* Convert TO host byte order */ 788 REVERSE64(*data++, W512[j]); 789 /* Apply the SHA-512 compression function to update a..h */ 790 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 791 #else /* BYTE_ORDER == LITTLE_ENDIAN */ 792 /* Apply the SHA-512 compression function to update a..h with copy */ 793 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++); 794 #endif /* BYTE_ORDER == LITTLE_ENDIAN */ 795 T2 = Sigma0_512(a) + Maj(a, b, c); 796 h = g; 797 g = f; 798 f = e; 799 e = d + T1; 800 d = c; 801 c = b; 802 b = a; 803 a = T1 + T2; 804 805 j++; 806 } while (j < 16); 807 808 do { 809 /* Part of the message block expansion: */ 810 s0 = W512[(j+1)&0x0f]; 811 s0 = sigma0_512(s0); 812 s1 = W512[(j+14)&0x0f]; 813 s1 = sigma1_512(s1); 814 815 /* Apply the SHA-512 compression function to update a..h */ 816 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 817 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 818 T2 = Sigma0_512(a) + Maj(a, b, c); 819 h = g; 820 g = f; 821 f = e; 822 e = d + T1; 823 d = c; 824 c = b; 825 b = a; 826 a = T1 + T2; 827 828 j++; 829 } while (j < 80); 830 831 /* Compute the current intermediate hash value */ 832 context->state[0] += a; 833 context->state[1] += b; 834 context->state[2] += c; 835 context->state[3] += d; 836 context->state[4] += e; 837 context->state[5] += f; 838 context->state[6] += g; 839 context->state[7] += h; 840 841 /* Clean up */ 842 a = b = c = d = e = f = g = h = T1 = T2 = 0; 843 } 844 845 #endif /* SHA2_UNROLL_TRANSFORM */ 846 847 void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) { 848 unsigned int freespace, usedspace; 849 850 if (len == 0) { 851 /* Calling with no data is valid - we do nothing */ 852 return; 853 } 854 855 /* Sanity check: */ 856 assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0); 857 858 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 859 if (usedspace > 0) { 860 /* Calculate how much free space is available in the buffer */ 861 freespace = SHA512_BLOCK_LENGTH - usedspace; 862 863 if (len >= freespace) { 864 /* Fill the buffer completely and process it */ 865 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace); 866 ADDINC128(context->bitcount, freespace << 3); 867 len -= freespace; 868 data += freespace; 869 SHA512_Transform(context, (sha2_word64*)context->buffer); 870 } else { 871 /* The buffer is not yet full */ 872 MEMCPY_BCOPY(&context->buffer[usedspace], data, len); 873 ADDINC128(context->bitcount, len << 3); 874 /* Clean up: */ 875 usedspace = freespace = 0; 876 return; 877 } 878 } 879 while (len >= SHA512_BLOCK_LENGTH) { 880 /* Process as many complete blocks as we can */ 881 SHA512_Transform(context, (sha2_word64*)data); 882 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 883 len -= SHA512_BLOCK_LENGTH; 884 data += SHA512_BLOCK_LENGTH; 885 } 886 if (len > 0) { 887 /* There's left-overs, so save 'em */ 888 MEMCPY_BCOPY(context->buffer, data, len); 889 ADDINC128(context->bitcount, len << 3); 890 } 891 /* Clean up: */ 892 usedspace = freespace = 0; 893 } 894 895 void SHA512_Last(SHA512_CTX* context) { 896 sha2_word64 *p; 897 unsigned int usedspace; 898 899 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 900 #if BYTE_ORDER == LITTLE_ENDIAN 901 /* Convert FROM host byte order */ 902 REVERSE64(context->bitcount[0],context->bitcount[0]); 903 REVERSE64(context->bitcount[1],context->bitcount[1]); 904 #endif 905 if (usedspace > 0) { 906 /* Begin padding with a 1 bit: */ 907 context->buffer[usedspace++] = 0x80; 908 909 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 910 /* Set-up for the last transform: */ 911 MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace); 912 } else { 913 if (usedspace < SHA512_BLOCK_LENGTH) { 914 MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace); 915 } 916 /* Do second-to-last transform: */ 917 SHA512_Transform(context, (sha2_word64*)context->buffer); 918 919 /* And set-up for the last transform: */ 920 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2); 921 } 922 } else { 923 /* Prepare for final transform: */ 924 MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH); 925 926 /* Begin padding with a 1 bit: */ 927 *context->buffer = 0x80; 928 } 929 /* Store the length of input data (in bits): */ 930 p = (sha2_word64 *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH]; 931 p[0] = context->bitcount[1]; 932 p[1] = context->bitcount[0]; 933 934 /* Final transform: */ 935 SHA512_Transform(context, (sha2_word64*)context->buffer); 936 } 937 938 void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) { 939 sha2_word64 *d = (sha2_word64*)digest; 940 941 /* Sanity check: */ 942 assert(context != (SHA512_CTX*)0); 943 944 /* If no digest buffer is passed, we don't bother doing this: */ 945 if (digest != (sha2_byte*)0) { 946 SHA512_Last(context); 947 948 /* Save the hash data for output: */ 949 #if BYTE_ORDER == LITTLE_ENDIAN 950 { 951 /* Convert TO host byte order */ 952 int j; 953 for (j = 0; j < 8; j++) { 954 REVERSE64(context->state[j],context->state[j]); 955 *d++ = context->state[j]; 956 } 957 } 958 #else 959 MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH); 960 #endif 961 } 962 963 /* Zero out state data */ 964 MEMSET_BZERO(context, sizeof(*context)); 965 } 966 967 char *SHA512_End(SHA512_CTX* context, char buffer[]) { 968 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest; 969 int i; 970 971 /* Sanity check: */ 972 assert(context != (SHA512_CTX*)0); 973 974 if (buffer != (char*)0) { 975 SHA512_Final(digest, context); 976 977 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) { 978 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 979 *buffer++ = sha2_hex_digits[*d & 0x0f]; 980 d++; 981 } 982 *buffer = (char)0; 983 } else { 984 MEMSET_BZERO(context, sizeof(*context)); 985 } 986 MEMSET_BZERO(digest, SHA512_DIGEST_LENGTH); 987 return buffer; 988 } 989 990 char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) { 991 SHA512_CTX context; 992 993 SHA512_Init(&context); 994 SHA512_Update(&context, data, len); 995 return SHA512_End(&context, digest); 996 } 997 998 999 /*** SHA-384: *********************************************************/ 1000 void SHA384_Init(SHA384_CTX* context) { 1001 if (context == (SHA384_CTX*)0) { 1002 return; 1003 } 1004 MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH); 1005 MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH); 1006 context->bitcount[0] = context->bitcount[1] = 0; 1007 } 1008 1009 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) { 1010 SHA512_Update((SHA512_CTX*)context, data, len); 1011 } 1012 1013 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) { 1014 sha2_word64 *d = (sha2_word64*)digest; 1015 1016 /* Sanity check: */ 1017 assert(context != (SHA384_CTX*)0); 1018 1019 /* If no digest buffer is passed, we don't bother doing this: */ 1020 if (digest != (sha2_byte*)0) { 1021 SHA512_Last((SHA512_CTX*)context); 1022 1023 /* Save the hash data for output: */ 1024 #if BYTE_ORDER == LITTLE_ENDIAN 1025 { 1026 /* Convert TO host byte order */ 1027 int j; 1028 for (j = 0; j < 6; j++) { 1029 REVERSE64(context->state[j],context->state[j]); 1030 *d++ = context->state[j]; 1031 } 1032 } 1033 #else 1034 MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH); 1035 #endif 1036 } 1037 1038 /* Zero out state data */ 1039 MEMSET_BZERO(context, sizeof(*context)); 1040 } 1041 1042 char *SHA384_End(SHA384_CTX* context, char buffer[]) { 1043 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest; 1044 int i; 1045 1046 /* Sanity check: */ 1047 assert(context != (SHA384_CTX*)0); 1048 1049 if (buffer != (char*)0) { 1050 SHA384_Final(digest, context); 1051 1052 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) { 1053 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 1054 *buffer++ = sha2_hex_digits[*d & 0x0f]; 1055 d++; 1056 } 1057 *buffer = (char)0; 1058 } else { 1059 MEMSET_BZERO(context, sizeof(*context)); 1060 } 1061 MEMSET_BZERO(digest, SHA384_DIGEST_LENGTH); 1062 return buffer; 1063 } 1064 1065 char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) { 1066 SHA384_CTX context; 1067 1068 SHA384_Init(&context); 1069 SHA384_Update(&context, data, len); 1070 return SHA384_End(&context, digest); 1071 } 1072 1073