xref: /haiku/src/libs/compat/openbsd_wlan/crypto/sha2.c (revision 97f11716bfaa0f385eb0e28a52bf56a5023b9e99)
1 /*	$OpenBSD: sha2.c,v 1.19 2021/03/12 10:22:46 jsg Exp $	*/
2 
3 /*
4  * FILE:	sha2.c
5  * AUTHOR:	Aaron D. Gifford <me@aarongifford.com>
6  *
7  * Copyright (c) 2000-2001, Aaron D. Gifford
8  * All rights reserved.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 3. Neither the name of the copyright holder nor the names of contributors
19  *    may be used to endorse or promote products derived from this software
20  *    without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  *
34  * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
35  */
36 
37 #include <sys/time.h>
38 #include <sys/systm.h>
39 #include <crypto/sha2.h>
40 
41 /*
42  * UNROLLED TRANSFORM LOOP NOTE:
43  * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
44  * loop version for the hash transform rounds (defined using macros
45  * later in this file).  Either define on the command line, for example:
46  *
47  *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
48  *
49  * or define below:
50  *
51  *   #define SHA2_UNROLL_TRANSFORM
52  *
53  */
54 #ifndef SMALL_KERNEL
55 #if defined(__amd64__) || defined(__i386__)
56 #define SHA2_UNROLL_TRANSFORM
57 #endif
58 #endif
59 
60 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
61 /*
62  * BYTE_ORDER NOTE:
63  *
64  * Please make sure that your system defines BYTE_ORDER.  If your
65  * architecture is little-endian, make sure it also defines
66  * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
67  * equivalent.
68  *
69  * If your system does not define the above, then you can do so by
70  * hand like this:
71  *
72  *   #define LITTLE_ENDIAN 1234
73  *   #define BIG_ENDIAN    4321
74  *
75  * And for little-endian machines, add:
76  *
77  *   #define BYTE_ORDER LITTLE_ENDIAN
78  *
79  * Or for big-endian machines:
80  *
81  *   #define BYTE_ORDER BIG_ENDIAN
82  *
83  * The FreeBSD machine this was written on defines BYTE_ORDER
84  * appropriately by including <sys/types.h> (which in turn includes
85  * <machine/endian.h> where the appropriate definitions are actually
86  * made).
87  */
88 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
89 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
90 #endif
91 
92 
93 /*** SHA-256/384/512 Various Length Definitions ***********************/
94 /* NOTE: Most of these are in sha2.h */
95 #define SHA256_SHORT_BLOCK_LENGTH	(SHA256_BLOCK_LENGTH - 8)
96 #define SHA384_SHORT_BLOCK_LENGTH	(SHA384_BLOCK_LENGTH - 16)
97 #define SHA512_SHORT_BLOCK_LENGTH	(SHA512_BLOCK_LENGTH - 16)
98 
99 /*
100  * Macro for incrementally adding the unsigned 64-bit integer n to the
101  * unsigned 128-bit integer (represented using a two-element array of
102  * 64-bit words):
103  */
104 #define ADDINC128(w,n)	{ \
105 	(w)[0] += (u_int64_t)(n); \
106 	if ((w)[0] < (n)) { \
107 		(w)[1]++; \
108 	} \
109 }
110 
111 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
112 /*
113  * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
114  *
115  *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
116  *   S is a ROTATION) because the SHA-256/384/512 description document
117  *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
118  *   same "backwards" definition.
119  */
120 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
121 #define R(b,x) 		((x) >> (b))
122 /* 32-bit Rotate-right (used in SHA-256): */
123 #define S32(b,x)	(((x) >> (b)) | ((x) << (32 - (b))))
124 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
125 #define S64(b,x)	(((x) >> (b)) | ((x) << (64 - (b))))
126 
127 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
128 #define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
129 #define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
130 
131 /* Four of six logical functions used in SHA-256: */
132 #define Sigma0_256(x)	(S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
133 #define Sigma1_256(x)	(S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
134 #define sigma0_256(x)	(S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
135 #define sigma1_256(x)	(S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
136 
137 /* Four of six logical functions used in SHA-384 and SHA-512: */
138 #define Sigma0_512(x)	(S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
139 #define Sigma1_512(x)	(S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
140 #define sigma0_512(x)	(S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
141 #define sigma1_512(x)	(S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
142 
143 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
144 /* NOTE: These should not be accessed directly from outside this
145  * library -- they are intended for private internal visibility/use
146  * only.
147  */
148 void SHA512Last(SHA2_CTX *);
149 void SHA256Transform(u_int32_t *, const u_int8_t *);
150 void SHA512Transform(u_int64_t *, const u_int8_t *);
151 
152 
153 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
154 /* Hash constant words K for SHA-256: */
155 const static u_int32_t K256[64] = {
156 	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
157 	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
158 	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
159 	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
160 	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
161 	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
162 	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
163 	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
164 	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
165 	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
166 	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
167 	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
168 	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
169 	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
170 	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
171 	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
172 };
173 
174 /* Initial hash value H for SHA-256: */
175 const static u_int32_t sha256_initial_hash_value[8] = {
176 	0x6a09e667UL,
177 	0xbb67ae85UL,
178 	0x3c6ef372UL,
179 	0xa54ff53aUL,
180 	0x510e527fUL,
181 	0x9b05688cUL,
182 	0x1f83d9abUL,
183 	0x5be0cd19UL
184 };
185 
186 /* Hash constant words K for SHA-384 and SHA-512: */
187 const static u_int64_t K512[80] = {
188 	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
189 	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
190 	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
191 	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
192 	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
193 	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
194 	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
195 	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
196 	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
197 	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
198 	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
199 	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
200 	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
201 	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
202 	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
203 	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
204 	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
205 	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
206 	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
207 	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
208 	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
209 	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
210 	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
211 	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
212 	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
213 	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
214 	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
215 	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
216 	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
217 	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
218 	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
219 	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
220 	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
221 	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
222 	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
223 	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
224 	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
225 	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
226 	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
227 	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
228 };
229 
230 /* Initial hash value H for SHA-384 */
231 const static u_int64_t sha384_initial_hash_value[8] = {
232 	0xcbbb9d5dc1059ed8ULL,
233 	0x629a292a367cd507ULL,
234 	0x9159015a3070dd17ULL,
235 	0x152fecd8f70e5939ULL,
236 	0x67332667ffc00b31ULL,
237 	0x8eb44a8768581511ULL,
238 	0xdb0c2e0d64f98fa7ULL,
239 	0x47b5481dbefa4fa4ULL
240 };
241 
242 /* Initial hash value H for SHA-512 */
243 const static u_int64_t sha512_initial_hash_value[8] = {
244 	0x6a09e667f3bcc908ULL,
245 	0xbb67ae8584caa73bULL,
246 	0x3c6ef372fe94f82bULL,
247 	0xa54ff53a5f1d36f1ULL,
248 	0x510e527fade682d1ULL,
249 	0x9b05688c2b3e6c1fULL,
250 	0x1f83d9abfb41bd6bULL,
251 	0x5be0cd19137e2179ULL
252 };
253 
254 
255 /*** SHA-256: *********************************************************/
256 void
SHA256Init(SHA2_CTX * context)257 SHA256Init(SHA2_CTX *context)
258 {
259 	memcpy(context->state.st32, sha256_initial_hash_value,
260 	    SHA256_DIGEST_LENGTH);
261 	memset(context->buffer, 0, SHA256_BLOCK_LENGTH);
262 	context->bitcount[0] = 0;
263 }
264 
265 #ifdef SHA2_UNROLL_TRANSFORM
266 
267 /* Unrolled SHA-256 round macros: */
268 
269 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do {				    \
270 	W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) |	    \
271 	    ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24);	    \
272 	data += 4;							    \
273 	T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
274 	(d) += T1;							    \
275 	(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));		    \
276 	j++;								    \
277 } while(0)
278 
279 #define ROUND256(a,b,c,d,e,f,g,h) do {					    \
280 	s0 = W256[(j+1)&0x0f];						    \
281 	s0 = sigma0_256(s0);						    \
282 	s1 = W256[(j+14)&0x0f];						    \
283 	s1 = sigma1_256(s1);						    \
284 	T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] +	    \
285 	     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);		    \
286 	(d) += T1;							    \
287 	(h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));		    \
288 	j++;								    \
289 } while(0)
290 
291 void
SHA256Transform(u_int32_t * state,const u_int8_t * data)292 SHA256Transform(u_int32_t *state, const u_int8_t *data)
293 {
294 	u_int32_t	a, b, c, d, e, f, g, h, s0, s1;
295 	u_int32_t	T1, W256[16];
296 	int		j;
297 
298 	/* Initialize registers with the prev. intermediate value */
299 	a = state[0];
300 	b = state[1];
301 	c = state[2];
302 	d = state[3];
303 	e = state[4];
304 	f = state[5];
305 	g = state[6];
306 	h = state[7];
307 
308 	j = 0;
309 	do {
310 		/* Rounds 0 to 15 (unrolled): */
311 		ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
312 		ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
313 		ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
314 		ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
315 		ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
316 		ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
317 		ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
318 		ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
319 	} while (j < 16);
320 
321 	/* Now for the remaining rounds to 64: */
322 	do {
323 		ROUND256(a,b,c,d,e,f,g,h);
324 		ROUND256(h,a,b,c,d,e,f,g);
325 		ROUND256(g,h,a,b,c,d,e,f);
326 		ROUND256(f,g,h,a,b,c,d,e);
327 		ROUND256(e,f,g,h,a,b,c,d);
328 		ROUND256(d,e,f,g,h,a,b,c);
329 		ROUND256(c,d,e,f,g,h,a,b);
330 		ROUND256(b,c,d,e,f,g,h,a);
331 	} while (j < 64);
332 
333 	/* Compute the current intermediate hash value */
334 	state[0] += a;
335 	state[1] += b;
336 	state[2] += c;
337 	state[3] += d;
338 	state[4] += e;
339 	state[5] += f;
340 	state[6] += g;
341 	state[7] += h;
342 
343 	/* Clean up */
344 	a = b = c = d = e = f = g = h = T1 = 0;
345 }
346 
347 #else /* SHA2_UNROLL_TRANSFORM */
348 
349 void
SHA256Transform(u_int32_t * state,const u_int8_t * data)350 SHA256Transform(u_int32_t *state, const u_int8_t *data)
351 {
352 	u_int32_t	a, b, c, d, e, f, g, h, s0, s1;
353 	u_int32_t	T1, T2, W256[16];
354 	int		j;
355 
356 	/* Initialize registers with the prev. intermediate value */
357 	a = state[0];
358 	b = state[1];
359 	c = state[2];
360 	d = state[3];
361 	e = state[4];
362 	f = state[5];
363 	g = state[6];
364 	h = state[7];
365 
366 	j = 0;
367 	do {
368 		W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) |
369 		    ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24);
370 		data += 4;
371 		/* Apply the SHA-256 compression function to update a..h */
372 		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
373 		T2 = Sigma0_256(a) + Maj(a, b, c);
374 		h = g;
375 		g = f;
376 		f = e;
377 		e = d + T1;
378 		d = c;
379 		c = b;
380 		b = a;
381 		a = T1 + T2;
382 
383 		j++;
384 	} while (j < 16);
385 
386 	do {
387 		/* Part of the message block expansion: */
388 		s0 = W256[(j+1)&0x0f];
389 		s0 = sigma0_256(s0);
390 		s1 = W256[(j+14)&0x0f];
391 		s1 = sigma1_256(s1);
392 
393 		/* Apply the SHA-256 compression function to update a..h */
394 		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
395 		     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
396 		T2 = Sigma0_256(a) + Maj(a, b, c);
397 		h = g;
398 		g = f;
399 		f = e;
400 		e = d + T1;
401 		d = c;
402 		c = b;
403 		b = a;
404 		a = T1 + T2;
405 
406 		j++;
407 	} while (j < 64);
408 
409 	/* Compute the current intermediate hash value */
410 	state[0] += a;
411 	state[1] += b;
412 	state[2] += c;
413 	state[3] += d;
414 	state[4] += e;
415 	state[5] += f;
416 	state[6] += g;
417 	state[7] += h;
418 
419 	/* Clean up */
420 	a = b = c = d = e = f = g = h = T1 = T2 = 0;
421 }
422 
423 #endif /* SHA2_UNROLL_TRANSFORM */
424 
425 void
SHA256Update(SHA2_CTX * context,const void * dataptr,size_t len)426 SHA256Update(SHA2_CTX *context, const void *dataptr, size_t len)
427 {
428 	const uint8_t *data = dataptr;
429 	size_t	freespace, usedspace;
430 
431 	/* Calling with no data is valid (we do nothing) */
432 	if (len == 0)
433 		return;
434 
435 	usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
436 	if (usedspace > 0) {
437 		/* Calculate how much free space is available in the buffer */
438 		freespace = SHA256_BLOCK_LENGTH - usedspace;
439 
440 		if (len >= freespace) {
441 			/* Fill the buffer completely and process it */
442 			memcpy(&context->buffer[usedspace], data, freespace);
443 			context->bitcount[0] += freespace << 3;
444 			len -= freespace;
445 			data += freespace;
446 			SHA256Transform(context->state.st32, context->buffer);
447 		} else {
448 			/* The buffer is not yet full */
449 			memcpy(&context->buffer[usedspace], data, len);
450 			context->bitcount[0] += len << 3;
451 			/* Clean up: */
452 			usedspace = freespace = 0;
453 			return;
454 		}
455 	}
456 	while (len >= SHA256_BLOCK_LENGTH) {
457 		/* Process as many complete blocks as we can */
458 		SHA256Transform(context->state.st32, data);
459 		context->bitcount[0] += SHA256_BLOCK_LENGTH << 3;
460 		len -= SHA256_BLOCK_LENGTH;
461 		data += SHA256_BLOCK_LENGTH;
462 	}
463 	if (len > 0) {
464 		/* There's left-overs, so save 'em */
465 		memcpy(context->buffer, data, len);
466 		context->bitcount[0] += len << 3;
467 	}
468 	/* Clean up: */
469 	usedspace = freespace = 0;
470 }
471 
472 void
SHA256Final(u_int8_t digest[],SHA2_CTX * context)473 SHA256Final(u_int8_t digest[], SHA2_CTX *context)
474 {
475 	unsigned int	usedspace;
476 
477 	usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
478 #if BYTE_ORDER == LITTLE_ENDIAN
479 	/* Convert FROM host byte order */
480 	context->bitcount[0] = swap64(context->bitcount[0]);
481 #endif
482 	if (usedspace > 0) {
483 		/* Begin padding with a 1 bit: */
484 		context->buffer[usedspace++] = 0x80;
485 
486 		if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
487 			/* Set-up for the last transform: */
488 			memset(&context->buffer[usedspace], 0,
489 			    SHA256_SHORT_BLOCK_LENGTH - usedspace);
490 		} else {
491 			if (usedspace < SHA256_BLOCK_LENGTH) {
492 				memset(&context->buffer[usedspace], 0,
493 				    SHA256_BLOCK_LENGTH - usedspace);
494 			}
495 			/* Do second-to-last transform: */
496 			SHA256Transform(context->state.st32, context->buffer);
497 
498 			/* And set-up for the last transform: */
499 			memset(context->buffer, 0,
500 			    SHA256_SHORT_BLOCK_LENGTH);
501 		}
502 	} else {
503 		/* Set-up for the last transform: */
504 		memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
505 
506 		/* Begin padding with a 1 bit: */
507 		*context->buffer = 0x80;
508 	}
509 	/* Set the bit count: */
510 	*(u_int64_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount[0];
511 
512 	/* Final transform: */
513 	SHA256Transform(context->state.st32, context->buffer);
514 
515 #if BYTE_ORDER == LITTLE_ENDIAN
516 	{
517 		/* Convert TO host byte order */
518 		int	j;
519 		for (j = 0; j < 8; j++) {
520 			context->state.st32[j] = swap32(context->state.st32[j]);
521 		}
522 	}
523 #endif
524 	memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH);
525 	/* Clean up state data: */
526 	explicit_bzero(context, sizeof(*context));
527 	usedspace = 0;
528 }
529 
530 
531 /*** SHA-512: *********************************************************/
532 void
SHA512Init(SHA2_CTX * context)533 SHA512Init(SHA2_CTX *context)
534 {
535 	memcpy(context->state.st64, sha512_initial_hash_value,
536 	    SHA512_DIGEST_LENGTH);
537 	memset(context->buffer, 0, SHA512_BLOCK_LENGTH);
538 	context->bitcount[0] = context->bitcount[1] =  0;
539 }
540 
541 #ifdef SHA2_UNROLL_TRANSFORM
542 
543 /* Unrolled SHA-512 round macros: */
544 
545 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do {				    \
546 	W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) |	    \
547 	    ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) |	    \
548 	    ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) |	    \
549 	    ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56);	    \
550 	data += 8;							    \
551 	T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
552 	(d) += T1;							    \
553 	(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));		    \
554 	j++;								    \
555 } while(0)
556 
557 
558 #define ROUND512(a,b,c,d,e,f,g,h) do {					    \
559 	s0 = W512[(j+1)&0x0f];						    \
560 	s0 = sigma0_512(s0);						    \
561 	s1 = W512[(j+14)&0x0f];						    \
562 	s1 = sigma1_512(s1);						    \
563 	T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] +	    \
564              (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);		    \
565 	(d) += T1;							    \
566 	(h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));		    \
567 	j++;								    \
568 } while(0)
569 
570 void
SHA512Transform(u_int64_t * state,const u_int8_t * data)571 SHA512Transform(u_int64_t *state, const u_int8_t *data)
572 {
573 	u_int64_t	a, b, c, d, e, f, g, h, s0, s1;
574 	u_int64_t	T1, W512[16];
575 	int		j;
576 
577 	/* Initialize registers with the prev. intermediate value */
578 	a = state[0];
579 	b = state[1];
580 	c = state[2];
581 	d = state[3];
582 	e = state[4];
583 	f = state[5];
584 	g = state[6];
585 	h = state[7];
586 
587 	j = 0;
588 	do {
589 		ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
590 		ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
591 		ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
592 		ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
593 		ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
594 		ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
595 		ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
596 		ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
597 	} while (j < 16);
598 
599 	/* Now for the remaining rounds up to 79: */
600 	do {
601 		ROUND512(a,b,c,d,e,f,g,h);
602 		ROUND512(h,a,b,c,d,e,f,g);
603 		ROUND512(g,h,a,b,c,d,e,f);
604 		ROUND512(f,g,h,a,b,c,d,e);
605 		ROUND512(e,f,g,h,a,b,c,d);
606 		ROUND512(d,e,f,g,h,a,b,c);
607 		ROUND512(c,d,e,f,g,h,a,b);
608 		ROUND512(b,c,d,e,f,g,h,a);
609 	} while (j < 80);
610 
611 	/* Compute the current intermediate hash value */
612 	state[0] += a;
613 	state[1] += b;
614 	state[2] += c;
615 	state[3] += d;
616 	state[4] += e;
617 	state[5] += f;
618 	state[6] += g;
619 	state[7] += h;
620 
621 	/* Clean up */
622 	a = b = c = d = e = f = g = h = T1 = 0;
623 }
624 
625 #else /* SHA2_UNROLL_TRANSFORM */
626 
627 void
SHA512Transform(u_int64_t * state,const u_int8_t * data)628 SHA512Transform(u_int64_t *state, const u_int8_t *data)
629 {
630 	u_int64_t	a, b, c, d, e, f, g, h, s0, s1;
631 	u_int64_t	T1, T2, W512[16];
632 	int		j;
633 
634 	/* Initialize registers with the prev. intermediate value */
635 	a = state[0];
636 	b = state[1];
637 	c = state[2];
638 	d = state[3];
639 	e = state[4];
640 	f = state[5];
641 	g = state[6];
642 	h = state[7];
643 
644 	j = 0;
645 	do {
646 		W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) |
647 		    ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) |
648 		    ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) |
649 		    ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56);
650 		data += 8;
651 		/* Apply the SHA-512 compression function to update a..h */
652 		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
653 		T2 = Sigma0_512(a) + Maj(a, b, c);
654 		h = g;
655 		g = f;
656 		f = e;
657 		e = d + T1;
658 		d = c;
659 		c = b;
660 		b = a;
661 		a = T1 + T2;
662 
663 		j++;
664 	} while (j < 16);
665 
666 	do {
667 		/* Part of the message block expansion: */
668 		s0 = W512[(j+1)&0x0f];
669 		s0 = sigma0_512(s0);
670 		s1 = W512[(j+14)&0x0f];
671 		s1 =  sigma1_512(s1);
672 
673 		/* Apply the SHA-512 compression function to update a..h */
674 		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
675 		     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
676 		T2 = Sigma0_512(a) + Maj(a, b, c);
677 		h = g;
678 		g = f;
679 		f = e;
680 		e = d + T1;
681 		d = c;
682 		c = b;
683 		b = a;
684 		a = T1 + T2;
685 
686 		j++;
687 	} while (j < 80);
688 
689 	/* Compute the current intermediate hash value */
690 	state[0] += a;
691 	state[1] += b;
692 	state[2] += c;
693 	state[3] += d;
694 	state[4] += e;
695 	state[5] += f;
696 	state[6] += g;
697 	state[7] += h;
698 
699 	/* Clean up */
700 	a = b = c = d = e = f = g = h = T1 = T2 = 0;
701 }
702 
703 #endif /* SHA2_UNROLL_TRANSFORM */
704 
705 void
SHA512Update(SHA2_CTX * context,const void * dataptr,size_t len)706 SHA512Update(SHA2_CTX *context, const void *dataptr, size_t len)
707 {
708 	const uint8_t *data = dataptr;
709 	size_t	freespace, usedspace;
710 
711 	/* Calling with no data is valid (we do nothing) */
712 	if (len == 0)
713 		return;
714 
715 	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
716 	if (usedspace > 0) {
717 		/* Calculate how much free space is available in the buffer */
718 		freespace = SHA512_BLOCK_LENGTH - usedspace;
719 
720 		if (len >= freespace) {
721 			/* Fill the buffer completely and process it */
722 			memcpy(&context->buffer[usedspace], data, freespace);
723 			ADDINC128(context->bitcount, freespace << 3);
724 			len -= freespace;
725 			data += freespace;
726 			SHA512Transform(context->state.st64, context->buffer);
727 		} else {
728 			/* The buffer is not yet full */
729 			memcpy(&context->buffer[usedspace], data, len);
730 			ADDINC128(context->bitcount, len << 3);
731 			/* Clean up: */
732 			usedspace = freespace = 0;
733 			return;
734 		}
735 	}
736 	while (len >= SHA512_BLOCK_LENGTH) {
737 		/* Process as many complete blocks as we can */
738 		SHA512Transform(context->state.st64, data);
739 		ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
740 		len -= SHA512_BLOCK_LENGTH;
741 		data += SHA512_BLOCK_LENGTH;
742 	}
743 	if (len > 0) {
744 		/* There's left-overs, so save 'em */
745 		memcpy(context->buffer, data, len);
746 		ADDINC128(context->bitcount, len << 3);
747 	}
748 	/* Clean up: */
749 	usedspace = freespace = 0;
750 }
751 
752 void
SHA512Last(SHA2_CTX * context)753 SHA512Last(SHA2_CTX *context)
754 {
755 	unsigned int	usedspace;
756 
757 	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
758 #if BYTE_ORDER == LITTLE_ENDIAN
759 	/* Convert FROM host byte order */
760 	context->bitcount[0] = swap64(context->bitcount[0]);
761 	context->bitcount[1] = swap64(context->bitcount[1]);
762 #endif
763 	if (usedspace > 0) {
764 		/* Begin padding with a 1 bit: */
765 		context->buffer[usedspace++] = 0x80;
766 
767 		if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
768 			/* Set-up for the last transform: */
769 			memset(&context->buffer[usedspace], 0,
770 			    SHA512_SHORT_BLOCK_LENGTH - usedspace);
771 		} else {
772 			if (usedspace < SHA512_BLOCK_LENGTH) {
773 				memset(&context->buffer[usedspace], 0,
774 				    SHA512_BLOCK_LENGTH - usedspace);
775 			}
776 			/* Do second-to-last transform: */
777 			SHA512Transform(context->state.st64, context->buffer);
778 
779 			/* And set-up for the last transform: */
780 			memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
781 		}
782 	} else {
783 		/* Prepare for final transform: */
784 		memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
785 
786 		/* Begin padding with a 1 bit: */
787 		*context->buffer = 0x80;
788 	}
789 	/* Store the length of input data (in bits): */
790 	*(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
791 	*(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
792 
793 	/* Final transform: */
794 	SHA512Transform(context->state.st64, context->buffer);
795 }
796 
797 void
SHA512Final(u_int8_t digest[],SHA2_CTX * context)798 SHA512Final(u_int8_t digest[], SHA2_CTX *context)
799 {
800 
801 	SHA512Last(context);
802 
803 	/* Save the hash data for output: */
804 #if BYTE_ORDER == LITTLE_ENDIAN
805 	{
806 		/* Convert TO host byte order */
807 		int	j;
808 		for (j = 0; j < 8; j++) {
809 			context->state.st64[j] = swap64(context->state.st64[j]);
810 		}
811 	}
812 #endif
813 	memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH);
814 
815 	/* Zero out state data */
816 	explicit_bzero(context, sizeof(*context));
817 }
818 
819 
820 /*** SHA-384: *********************************************************/
821 void
SHA384Init(SHA2_CTX * context)822 SHA384Init(SHA2_CTX *context)
823 {
824 	memcpy(context->state.st64, sha384_initial_hash_value,
825 	    SHA512_DIGEST_LENGTH);
826 	memset(context->buffer, 0, SHA384_BLOCK_LENGTH);
827 	context->bitcount[0] = context->bitcount[1] = 0;
828 }
829 
830 void
SHA384Update(SHA2_CTX * context,const void * data,size_t len)831 SHA384Update(SHA2_CTX *context, const void *data, size_t len)
832 {
833 	SHA512Update(context, data, len);
834 }
835 
836 void
SHA384Final(u_int8_t digest[],SHA2_CTX * context)837 SHA384Final(u_int8_t digest[], SHA2_CTX *context)
838 {
839 
840 	SHA512Last(context);
841 
842 	/* Save the hash data for output: */
843 #if BYTE_ORDER == LITTLE_ENDIAN
844 	{
845 		/* Convert TO host byte order */
846 		int	j;
847 		for (j = 0; j < 6; j++) {
848 			context->state.st64[j] = swap64(context->state.st64[j]);
849 		}
850 	}
851 #endif
852 	memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH);
853 	/* Zero out state data */
854 	explicit_bzero(context, sizeof(*context));
855 }
856