1 /* $OpenBSD: sha2.c,v 1.19 2021/03/12 10:22:46 jsg Exp $ */
2
3 /*
4 * FILE: sha2.c
5 * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
6 *
7 * Copyright (c) 2000-2001, Aaron D. Gifford
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the copyright holder nor the names of contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
35 */
36
37 #include <sys/time.h>
38 #include <sys/systm.h>
39 #include <crypto/sha2.h>
40
41 /*
42 * UNROLLED TRANSFORM LOOP NOTE:
43 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
44 * loop version for the hash transform rounds (defined using macros
45 * later in this file). Either define on the command line, for example:
46 *
47 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
48 *
49 * or define below:
50 *
51 * #define SHA2_UNROLL_TRANSFORM
52 *
53 */
54 #ifndef SMALL_KERNEL
55 #if defined(__amd64__) || defined(__i386__)
56 #define SHA2_UNROLL_TRANSFORM
57 #endif
58 #endif
59
60 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
61 /*
62 * BYTE_ORDER NOTE:
63 *
64 * Please make sure that your system defines BYTE_ORDER. If your
65 * architecture is little-endian, make sure it also defines
66 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
67 * equivalent.
68 *
69 * If your system does not define the above, then you can do so by
70 * hand like this:
71 *
72 * #define LITTLE_ENDIAN 1234
73 * #define BIG_ENDIAN 4321
74 *
75 * And for little-endian machines, add:
76 *
77 * #define BYTE_ORDER LITTLE_ENDIAN
78 *
79 * Or for big-endian machines:
80 *
81 * #define BYTE_ORDER BIG_ENDIAN
82 *
83 * The FreeBSD machine this was written on defines BYTE_ORDER
84 * appropriately by including <sys/types.h> (which in turn includes
85 * <machine/endian.h> where the appropriate definitions are actually
86 * made).
87 */
88 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
89 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
90 #endif
91
92
93 /*** SHA-256/384/512 Various Length Definitions ***********************/
94 /* NOTE: Most of these are in sha2.h */
95 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
96 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
97 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
98
99 /*
100 * Macro for incrementally adding the unsigned 64-bit integer n to the
101 * unsigned 128-bit integer (represented using a two-element array of
102 * 64-bit words):
103 */
104 #define ADDINC128(w,n) { \
105 (w)[0] += (u_int64_t)(n); \
106 if ((w)[0] < (n)) { \
107 (w)[1]++; \
108 } \
109 }
110
111 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
112 /*
113 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
114 *
115 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
116 * S is a ROTATION) because the SHA-256/384/512 description document
117 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
118 * same "backwards" definition.
119 */
120 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
121 #define R(b,x) ((x) >> (b))
122 /* 32-bit Rotate-right (used in SHA-256): */
123 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
124 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
125 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
126
127 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
128 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
129 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
130
131 /* Four of six logical functions used in SHA-256: */
132 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
133 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
134 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
135 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
136
137 /* Four of six logical functions used in SHA-384 and SHA-512: */
138 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
139 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
140 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
141 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
142
143 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
144 /* NOTE: These should not be accessed directly from outside this
145 * library -- they are intended for private internal visibility/use
146 * only.
147 */
148 void SHA512Last(SHA2_CTX *);
149 void SHA256Transform(u_int32_t *, const u_int8_t *);
150 void SHA512Transform(u_int64_t *, const u_int8_t *);
151
152
153 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
154 /* Hash constant words K for SHA-256: */
155 const static u_int32_t K256[64] = {
156 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
157 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
158 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
159 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
160 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
161 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
162 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
163 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
164 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
165 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
166 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
167 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
168 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
169 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
170 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
171 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
172 };
173
174 /* Initial hash value H for SHA-256: */
175 const static u_int32_t sha256_initial_hash_value[8] = {
176 0x6a09e667UL,
177 0xbb67ae85UL,
178 0x3c6ef372UL,
179 0xa54ff53aUL,
180 0x510e527fUL,
181 0x9b05688cUL,
182 0x1f83d9abUL,
183 0x5be0cd19UL
184 };
185
186 /* Hash constant words K for SHA-384 and SHA-512: */
187 const static u_int64_t K512[80] = {
188 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
189 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
190 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
191 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
192 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
193 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
194 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
195 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
196 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
197 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
198 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
199 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
200 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
201 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
202 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
203 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
204 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
205 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
206 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
207 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
208 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
209 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
210 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
211 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
212 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
213 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
214 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
215 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
216 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
217 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
218 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
219 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
220 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
221 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
222 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
223 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
224 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
225 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
226 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
227 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
228 };
229
230 /* Initial hash value H for SHA-384 */
231 const static u_int64_t sha384_initial_hash_value[8] = {
232 0xcbbb9d5dc1059ed8ULL,
233 0x629a292a367cd507ULL,
234 0x9159015a3070dd17ULL,
235 0x152fecd8f70e5939ULL,
236 0x67332667ffc00b31ULL,
237 0x8eb44a8768581511ULL,
238 0xdb0c2e0d64f98fa7ULL,
239 0x47b5481dbefa4fa4ULL
240 };
241
242 /* Initial hash value H for SHA-512 */
243 const static u_int64_t sha512_initial_hash_value[8] = {
244 0x6a09e667f3bcc908ULL,
245 0xbb67ae8584caa73bULL,
246 0x3c6ef372fe94f82bULL,
247 0xa54ff53a5f1d36f1ULL,
248 0x510e527fade682d1ULL,
249 0x9b05688c2b3e6c1fULL,
250 0x1f83d9abfb41bd6bULL,
251 0x5be0cd19137e2179ULL
252 };
253
254
255 /*** SHA-256: *********************************************************/
256 void
SHA256Init(SHA2_CTX * context)257 SHA256Init(SHA2_CTX *context)
258 {
259 memcpy(context->state.st32, sha256_initial_hash_value,
260 SHA256_DIGEST_LENGTH);
261 memset(context->buffer, 0, SHA256_BLOCK_LENGTH);
262 context->bitcount[0] = 0;
263 }
264
265 #ifdef SHA2_UNROLL_TRANSFORM
266
267 /* Unrolled SHA-256 round macros: */
268
269 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
270 W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) | \
271 ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24); \
272 data += 4; \
273 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
274 (d) += T1; \
275 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
276 j++; \
277 } while(0)
278
279 #define ROUND256(a,b,c,d,e,f,g,h) do { \
280 s0 = W256[(j+1)&0x0f]; \
281 s0 = sigma0_256(s0); \
282 s1 = W256[(j+14)&0x0f]; \
283 s1 = sigma1_256(s1); \
284 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
285 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
286 (d) += T1; \
287 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
288 j++; \
289 } while(0)
290
291 void
SHA256Transform(u_int32_t * state,const u_int8_t * data)292 SHA256Transform(u_int32_t *state, const u_int8_t *data)
293 {
294 u_int32_t a, b, c, d, e, f, g, h, s0, s1;
295 u_int32_t T1, W256[16];
296 int j;
297
298 /* Initialize registers with the prev. intermediate value */
299 a = state[0];
300 b = state[1];
301 c = state[2];
302 d = state[3];
303 e = state[4];
304 f = state[5];
305 g = state[6];
306 h = state[7];
307
308 j = 0;
309 do {
310 /* Rounds 0 to 15 (unrolled): */
311 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
312 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
313 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
314 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
315 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
316 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
317 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
318 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
319 } while (j < 16);
320
321 /* Now for the remaining rounds to 64: */
322 do {
323 ROUND256(a,b,c,d,e,f,g,h);
324 ROUND256(h,a,b,c,d,e,f,g);
325 ROUND256(g,h,a,b,c,d,e,f);
326 ROUND256(f,g,h,a,b,c,d,e);
327 ROUND256(e,f,g,h,a,b,c,d);
328 ROUND256(d,e,f,g,h,a,b,c);
329 ROUND256(c,d,e,f,g,h,a,b);
330 ROUND256(b,c,d,e,f,g,h,a);
331 } while (j < 64);
332
333 /* Compute the current intermediate hash value */
334 state[0] += a;
335 state[1] += b;
336 state[2] += c;
337 state[3] += d;
338 state[4] += e;
339 state[5] += f;
340 state[6] += g;
341 state[7] += h;
342
343 /* Clean up */
344 a = b = c = d = e = f = g = h = T1 = 0;
345 }
346
347 #else /* SHA2_UNROLL_TRANSFORM */
348
349 void
SHA256Transform(u_int32_t * state,const u_int8_t * data)350 SHA256Transform(u_int32_t *state, const u_int8_t *data)
351 {
352 u_int32_t a, b, c, d, e, f, g, h, s0, s1;
353 u_int32_t T1, T2, W256[16];
354 int j;
355
356 /* Initialize registers with the prev. intermediate value */
357 a = state[0];
358 b = state[1];
359 c = state[2];
360 d = state[3];
361 e = state[4];
362 f = state[5];
363 g = state[6];
364 h = state[7];
365
366 j = 0;
367 do {
368 W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) |
369 ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24);
370 data += 4;
371 /* Apply the SHA-256 compression function to update a..h */
372 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
373 T2 = Sigma0_256(a) + Maj(a, b, c);
374 h = g;
375 g = f;
376 f = e;
377 e = d + T1;
378 d = c;
379 c = b;
380 b = a;
381 a = T1 + T2;
382
383 j++;
384 } while (j < 16);
385
386 do {
387 /* Part of the message block expansion: */
388 s0 = W256[(j+1)&0x0f];
389 s0 = sigma0_256(s0);
390 s1 = W256[(j+14)&0x0f];
391 s1 = sigma1_256(s1);
392
393 /* Apply the SHA-256 compression function to update a..h */
394 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
395 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
396 T2 = Sigma0_256(a) + Maj(a, b, c);
397 h = g;
398 g = f;
399 f = e;
400 e = d + T1;
401 d = c;
402 c = b;
403 b = a;
404 a = T1 + T2;
405
406 j++;
407 } while (j < 64);
408
409 /* Compute the current intermediate hash value */
410 state[0] += a;
411 state[1] += b;
412 state[2] += c;
413 state[3] += d;
414 state[4] += e;
415 state[5] += f;
416 state[6] += g;
417 state[7] += h;
418
419 /* Clean up */
420 a = b = c = d = e = f = g = h = T1 = T2 = 0;
421 }
422
423 #endif /* SHA2_UNROLL_TRANSFORM */
424
425 void
SHA256Update(SHA2_CTX * context,const void * dataptr,size_t len)426 SHA256Update(SHA2_CTX *context, const void *dataptr, size_t len)
427 {
428 const uint8_t *data = dataptr;
429 size_t freespace, usedspace;
430
431 /* Calling with no data is valid (we do nothing) */
432 if (len == 0)
433 return;
434
435 usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
436 if (usedspace > 0) {
437 /* Calculate how much free space is available in the buffer */
438 freespace = SHA256_BLOCK_LENGTH - usedspace;
439
440 if (len >= freespace) {
441 /* Fill the buffer completely and process it */
442 memcpy(&context->buffer[usedspace], data, freespace);
443 context->bitcount[0] += freespace << 3;
444 len -= freespace;
445 data += freespace;
446 SHA256Transform(context->state.st32, context->buffer);
447 } else {
448 /* The buffer is not yet full */
449 memcpy(&context->buffer[usedspace], data, len);
450 context->bitcount[0] += len << 3;
451 /* Clean up: */
452 usedspace = freespace = 0;
453 return;
454 }
455 }
456 while (len >= SHA256_BLOCK_LENGTH) {
457 /* Process as many complete blocks as we can */
458 SHA256Transform(context->state.st32, data);
459 context->bitcount[0] += SHA256_BLOCK_LENGTH << 3;
460 len -= SHA256_BLOCK_LENGTH;
461 data += SHA256_BLOCK_LENGTH;
462 }
463 if (len > 0) {
464 /* There's left-overs, so save 'em */
465 memcpy(context->buffer, data, len);
466 context->bitcount[0] += len << 3;
467 }
468 /* Clean up: */
469 usedspace = freespace = 0;
470 }
471
472 void
SHA256Final(u_int8_t digest[],SHA2_CTX * context)473 SHA256Final(u_int8_t digest[], SHA2_CTX *context)
474 {
475 unsigned int usedspace;
476
477 usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
478 #if BYTE_ORDER == LITTLE_ENDIAN
479 /* Convert FROM host byte order */
480 context->bitcount[0] = swap64(context->bitcount[0]);
481 #endif
482 if (usedspace > 0) {
483 /* Begin padding with a 1 bit: */
484 context->buffer[usedspace++] = 0x80;
485
486 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
487 /* Set-up for the last transform: */
488 memset(&context->buffer[usedspace], 0,
489 SHA256_SHORT_BLOCK_LENGTH - usedspace);
490 } else {
491 if (usedspace < SHA256_BLOCK_LENGTH) {
492 memset(&context->buffer[usedspace], 0,
493 SHA256_BLOCK_LENGTH - usedspace);
494 }
495 /* Do second-to-last transform: */
496 SHA256Transform(context->state.st32, context->buffer);
497
498 /* And set-up for the last transform: */
499 memset(context->buffer, 0,
500 SHA256_SHORT_BLOCK_LENGTH);
501 }
502 } else {
503 /* Set-up for the last transform: */
504 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
505
506 /* Begin padding with a 1 bit: */
507 *context->buffer = 0x80;
508 }
509 /* Set the bit count: */
510 *(u_int64_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount[0];
511
512 /* Final transform: */
513 SHA256Transform(context->state.st32, context->buffer);
514
515 #if BYTE_ORDER == LITTLE_ENDIAN
516 {
517 /* Convert TO host byte order */
518 int j;
519 for (j = 0; j < 8; j++) {
520 context->state.st32[j] = swap32(context->state.st32[j]);
521 }
522 }
523 #endif
524 memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH);
525 /* Clean up state data: */
526 explicit_bzero(context, sizeof(*context));
527 usedspace = 0;
528 }
529
530
531 /*** SHA-512: *********************************************************/
532 void
SHA512Init(SHA2_CTX * context)533 SHA512Init(SHA2_CTX *context)
534 {
535 memcpy(context->state.st64, sha512_initial_hash_value,
536 SHA512_DIGEST_LENGTH);
537 memset(context->buffer, 0, SHA512_BLOCK_LENGTH);
538 context->bitcount[0] = context->bitcount[1] = 0;
539 }
540
541 #ifdef SHA2_UNROLL_TRANSFORM
542
543 /* Unrolled SHA-512 round macros: */
544
545 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
546 W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) | \
547 ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) | \
548 ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) | \
549 ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56); \
550 data += 8; \
551 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
552 (d) += T1; \
553 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
554 j++; \
555 } while(0)
556
557
558 #define ROUND512(a,b,c,d,e,f,g,h) do { \
559 s0 = W512[(j+1)&0x0f]; \
560 s0 = sigma0_512(s0); \
561 s1 = W512[(j+14)&0x0f]; \
562 s1 = sigma1_512(s1); \
563 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
564 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
565 (d) += T1; \
566 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
567 j++; \
568 } while(0)
569
570 void
SHA512Transform(u_int64_t * state,const u_int8_t * data)571 SHA512Transform(u_int64_t *state, const u_int8_t *data)
572 {
573 u_int64_t a, b, c, d, e, f, g, h, s0, s1;
574 u_int64_t T1, W512[16];
575 int j;
576
577 /* Initialize registers with the prev. intermediate value */
578 a = state[0];
579 b = state[1];
580 c = state[2];
581 d = state[3];
582 e = state[4];
583 f = state[5];
584 g = state[6];
585 h = state[7];
586
587 j = 0;
588 do {
589 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
590 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
591 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
592 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
593 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
594 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
595 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
596 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
597 } while (j < 16);
598
599 /* Now for the remaining rounds up to 79: */
600 do {
601 ROUND512(a,b,c,d,e,f,g,h);
602 ROUND512(h,a,b,c,d,e,f,g);
603 ROUND512(g,h,a,b,c,d,e,f);
604 ROUND512(f,g,h,a,b,c,d,e);
605 ROUND512(e,f,g,h,a,b,c,d);
606 ROUND512(d,e,f,g,h,a,b,c);
607 ROUND512(c,d,e,f,g,h,a,b);
608 ROUND512(b,c,d,e,f,g,h,a);
609 } while (j < 80);
610
611 /* Compute the current intermediate hash value */
612 state[0] += a;
613 state[1] += b;
614 state[2] += c;
615 state[3] += d;
616 state[4] += e;
617 state[5] += f;
618 state[6] += g;
619 state[7] += h;
620
621 /* Clean up */
622 a = b = c = d = e = f = g = h = T1 = 0;
623 }
624
625 #else /* SHA2_UNROLL_TRANSFORM */
626
627 void
SHA512Transform(u_int64_t * state,const u_int8_t * data)628 SHA512Transform(u_int64_t *state, const u_int8_t *data)
629 {
630 u_int64_t a, b, c, d, e, f, g, h, s0, s1;
631 u_int64_t T1, T2, W512[16];
632 int j;
633
634 /* Initialize registers with the prev. intermediate value */
635 a = state[0];
636 b = state[1];
637 c = state[2];
638 d = state[3];
639 e = state[4];
640 f = state[5];
641 g = state[6];
642 h = state[7];
643
644 j = 0;
645 do {
646 W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) |
647 ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) |
648 ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) |
649 ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56);
650 data += 8;
651 /* Apply the SHA-512 compression function to update a..h */
652 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
653 T2 = Sigma0_512(a) + Maj(a, b, c);
654 h = g;
655 g = f;
656 f = e;
657 e = d + T1;
658 d = c;
659 c = b;
660 b = a;
661 a = T1 + T2;
662
663 j++;
664 } while (j < 16);
665
666 do {
667 /* Part of the message block expansion: */
668 s0 = W512[(j+1)&0x0f];
669 s0 = sigma0_512(s0);
670 s1 = W512[(j+14)&0x0f];
671 s1 = sigma1_512(s1);
672
673 /* Apply the SHA-512 compression function to update a..h */
674 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
675 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
676 T2 = Sigma0_512(a) + Maj(a, b, c);
677 h = g;
678 g = f;
679 f = e;
680 e = d + T1;
681 d = c;
682 c = b;
683 b = a;
684 a = T1 + T2;
685
686 j++;
687 } while (j < 80);
688
689 /* Compute the current intermediate hash value */
690 state[0] += a;
691 state[1] += b;
692 state[2] += c;
693 state[3] += d;
694 state[4] += e;
695 state[5] += f;
696 state[6] += g;
697 state[7] += h;
698
699 /* Clean up */
700 a = b = c = d = e = f = g = h = T1 = T2 = 0;
701 }
702
703 #endif /* SHA2_UNROLL_TRANSFORM */
704
705 void
SHA512Update(SHA2_CTX * context,const void * dataptr,size_t len)706 SHA512Update(SHA2_CTX *context, const void *dataptr, size_t len)
707 {
708 const uint8_t *data = dataptr;
709 size_t freespace, usedspace;
710
711 /* Calling with no data is valid (we do nothing) */
712 if (len == 0)
713 return;
714
715 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
716 if (usedspace > 0) {
717 /* Calculate how much free space is available in the buffer */
718 freespace = SHA512_BLOCK_LENGTH - usedspace;
719
720 if (len >= freespace) {
721 /* Fill the buffer completely and process it */
722 memcpy(&context->buffer[usedspace], data, freespace);
723 ADDINC128(context->bitcount, freespace << 3);
724 len -= freespace;
725 data += freespace;
726 SHA512Transform(context->state.st64, context->buffer);
727 } else {
728 /* The buffer is not yet full */
729 memcpy(&context->buffer[usedspace], data, len);
730 ADDINC128(context->bitcount, len << 3);
731 /* Clean up: */
732 usedspace = freespace = 0;
733 return;
734 }
735 }
736 while (len >= SHA512_BLOCK_LENGTH) {
737 /* Process as many complete blocks as we can */
738 SHA512Transform(context->state.st64, data);
739 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
740 len -= SHA512_BLOCK_LENGTH;
741 data += SHA512_BLOCK_LENGTH;
742 }
743 if (len > 0) {
744 /* There's left-overs, so save 'em */
745 memcpy(context->buffer, data, len);
746 ADDINC128(context->bitcount, len << 3);
747 }
748 /* Clean up: */
749 usedspace = freespace = 0;
750 }
751
752 void
SHA512Last(SHA2_CTX * context)753 SHA512Last(SHA2_CTX *context)
754 {
755 unsigned int usedspace;
756
757 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
758 #if BYTE_ORDER == LITTLE_ENDIAN
759 /* Convert FROM host byte order */
760 context->bitcount[0] = swap64(context->bitcount[0]);
761 context->bitcount[1] = swap64(context->bitcount[1]);
762 #endif
763 if (usedspace > 0) {
764 /* Begin padding with a 1 bit: */
765 context->buffer[usedspace++] = 0x80;
766
767 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
768 /* Set-up for the last transform: */
769 memset(&context->buffer[usedspace], 0,
770 SHA512_SHORT_BLOCK_LENGTH - usedspace);
771 } else {
772 if (usedspace < SHA512_BLOCK_LENGTH) {
773 memset(&context->buffer[usedspace], 0,
774 SHA512_BLOCK_LENGTH - usedspace);
775 }
776 /* Do second-to-last transform: */
777 SHA512Transform(context->state.st64, context->buffer);
778
779 /* And set-up for the last transform: */
780 memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
781 }
782 } else {
783 /* Prepare for final transform: */
784 memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
785
786 /* Begin padding with a 1 bit: */
787 *context->buffer = 0x80;
788 }
789 /* Store the length of input data (in bits): */
790 *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
791 *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
792
793 /* Final transform: */
794 SHA512Transform(context->state.st64, context->buffer);
795 }
796
797 void
SHA512Final(u_int8_t digest[],SHA2_CTX * context)798 SHA512Final(u_int8_t digest[], SHA2_CTX *context)
799 {
800
801 SHA512Last(context);
802
803 /* Save the hash data for output: */
804 #if BYTE_ORDER == LITTLE_ENDIAN
805 {
806 /* Convert TO host byte order */
807 int j;
808 for (j = 0; j < 8; j++) {
809 context->state.st64[j] = swap64(context->state.st64[j]);
810 }
811 }
812 #endif
813 memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH);
814
815 /* Zero out state data */
816 explicit_bzero(context, sizeof(*context));
817 }
818
819
820 /*** SHA-384: *********************************************************/
821 void
SHA384Init(SHA2_CTX * context)822 SHA384Init(SHA2_CTX *context)
823 {
824 memcpy(context->state.st64, sha384_initial_hash_value,
825 SHA512_DIGEST_LENGTH);
826 memset(context->buffer, 0, SHA384_BLOCK_LENGTH);
827 context->bitcount[0] = context->bitcount[1] = 0;
828 }
829
830 void
SHA384Update(SHA2_CTX * context,const void * data,size_t len)831 SHA384Update(SHA2_CTX *context, const void *data, size_t len)
832 {
833 SHA512Update(context, data, len);
834 }
835
836 void
SHA384Final(u_int8_t digest[],SHA2_CTX * context)837 SHA384Final(u_int8_t digest[], SHA2_CTX *context)
838 {
839
840 SHA512Last(context);
841
842 /* Save the hash data for output: */
843 #if BYTE_ORDER == LITTLE_ENDIAN
844 {
845 /* Convert TO host byte order */
846 int j;
847 for (j = 0; j < 6; j++) {
848 context->state.st64[j] = swap64(context->state.st64[j]);
849 }
850 }
851 #endif
852 memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH);
853 /* Zero out state data */
854 explicit_bzero(context, sizeof(*context));
855 }
856