Line data Source code
1 : /* $OpenBSD: sha2.c,v 1.18 2015/03/14 03:38:46 jsg Exp $ */
2 :
3 : /*
4 : * FILE: sha2.c
5 : * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
6 : *
7 : * Copyright (c) 2000-2001, Aaron D. Gifford
8 : * All rights reserved.
9 : *
10 : * Redistribution and use in source and binary forms, with or without
11 : * modification, are permitted provided that the following conditions
12 : * are met:
13 : * 1. Redistributions of source code must retain the above copyright
14 : * notice, this list of conditions and the following disclaimer.
15 : * 2. Redistributions in binary form must reproduce the above copyright
16 : * notice, this list of conditions and the following disclaimer in the
17 : * documentation and/or other materials provided with the distribution.
18 : * 3. Neither the name of the copyright holder nor the names of contributors
19 : * may be used to endorse or promote products derived from this software
20 : * without specific prior written permission.
21 : *
22 : * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
23 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 : * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
26 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 : * SUCH DAMAGE.
33 : *
34 : * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
35 : */
36 :
37 : #include <sys/time.h>
38 : #include <sys/systm.h>
39 : #include <crypto/sha2.h>
40 :
41 : /*
42 : * UNROLLED TRANSFORM LOOP NOTE:
43 : * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
44 : * loop version for the hash transform rounds (defined using macros
45 : * later in this file). Either define on the command line, for example:
46 : *
47 : * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
48 : *
49 : * or define below:
50 : *
51 : * #define SHA2_UNROLL_TRANSFORM
52 : *
53 : */
54 : #ifndef SMALL_KERNEL
55 : #if defined(__amd64__) || defined(__i386__)
56 : #define SHA2_UNROLL_TRANSFORM
57 : #endif
58 : #endif
59 :
60 : /*** SHA-256/384/512 Machine Architecture Definitions *****************/
61 : /*
62 : * BYTE_ORDER NOTE:
63 : *
64 : * Please make sure that your system defines BYTE_ORDER. If your
65 : * architecture is little-endian, make sure it also defines
66 : * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
67 : * equivilent.
68 : *
69 : * If your system does not define the above, then you can do so by
70 : * hand like this:
71 : *
72 : * #define LITTLE_ENDIAN 1234
73 : * #define BIG_ENDIAN 4321
74 : *
75 : * And for little-endian machines, add:
76 : *
77 : * #define BYTE_ORDER LITTLE_ENDIAN
78 : *
79 : * Or for big-endian machines:
80 : *
81 : * #define BYTE_ORDER BIG_ENDIAN
82 : *
83 : * The FreeBSD machine this was written on defines BYTE_ORDER
84 : * appropriately by including <sys/types.h> (which in turn includes
85 : * <machine/endian.h> where the appropriate definitions are actually
86 : * made).
87 : */
88 : #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
89 : #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
90 : #endif
91 :
92 :
93 : /*** SHA-256/384/512 Various Length Definitions ***********************/
94 : /* NOTE: Most of these are in sha2.h */
95 : #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
96 : #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
97 : #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
98 :
99 : /*
100 : * Macro for incrementally adding the unsigned 64-bit integer n to the
101 : * unsigned 128-bit integer (represented using a two-element array of
102 : * 64-bit words):
103 : */
104 : #define ADDINC128(w,n) { \
105 : (w)[0] += (u_int64_t)(n); \
106 : if ((w)[0] < (n)) { \
107 : (w)[1]++; \
108 : } \
109 : }
110 :
111 : /*** THE SIX LOGICAL FUNCTIONS ****************************************/
112 : /*
113 : * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
114 : *
115 : * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
116 : * S is a ROTATION) because the SHA-256/384/512 description document
117 : * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
118 : * same "backwards" definition.
119 : */
120 : /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
121 : #define R(b,x) ((x) >> (b))
122 : /* 32-bit Rotate-right (used in SHA-256): */
123 : #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
124 : /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
125 : #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
126 :
127 : /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
128 : #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
129 : #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
130 :
131 : /* Four of six logical functions used in SHA-256: */
132 : #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
133 : #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
134 : #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
135 : #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
136 :
137 : /* Four of six logical functions used in SHA-384 and SHA-512: */
138 : #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
139 : #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
140 : #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
141 : #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
142 :
143 : /*** INTERNAL FUNCTION PROTOTYPES *************************************/
144 : /* NOTE: These should not be accessed directly from outside this
145 : * library -- they are intended for private internal visibility/use
146 : * only.
147 : */
148 : void SHA512Last(SHA2_CTX *);
149 : void SHA256Transform(u_int32_t *, const u_int8_t *);
150 : void SHA512Transform(u_int64_t *, const u_int8_t *);
151 :
152 :
153 : /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
154 : /* Hash constant words K for SHA-256: */
155 : const static u_int32_t K256[64] = {
156 : 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
157 : 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
158 : 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
159 : 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
160 : 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
161 : 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
162 : 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
163 : 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
164 : 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
165 : 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
166 : 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
167 : 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
168 : 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
169 : 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
170 : 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
171 : 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
172 : };
173 :
174 : /* Initial hash value H for SHA-256: */
175 : const static u_int32_t sha256_initial_hash_value[8] = {
176 : 0x6a09e667UL,
177 : 0xbb67ae85UL,
178 : 0x3c6ef372UL,
179 : 0xa54ff53aUL,
180 : 0x510e527fUL,
181 : 0x9b05688cUL,
182 : 0x1f83d9abUL,
183 : 0x5be0cd19UL
184 : };
185 :
186 : /* Hash constant words K for SHA-384 and SHA-512: */
187 : const static u_int64_t K512[80] = {
188 : 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
189 : 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
190 : 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
191 : 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
192 : 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
193 : 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
194 : 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
195 : 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
196 : 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
197 : 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
198 : 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
199 : 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
200 : 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
201 : 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
202 : 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
203 : 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
204 : 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
205 : 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
206 : 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
207 : 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
208 : 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
209 : 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
210 : 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
211 : 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
212 : 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
213 : 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
214 : 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
215 : 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
216 : 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
217 : 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
218 : 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
219 : 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
220 : 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
221 : 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
222 : 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
223 : 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
224 : 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
225 : 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
226 : 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
227 : 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
228 : };
229 :
230 : /* Initial hash value H for SHA-384 */
231 : const static u_int64_t sha384_initial_hash_value[8] = {
232 : 0xcbbb9d5dc1059ed8ULL,
233 : 0x629a292a367cd507ULL,
234 : 0x9159015a3070dd17ULL,
235 : 0x152fecd8f70e5939ULL,
236 : 0x67332667ffc00b31ULL,
237 : 0x8eb44a8768581511ULL,
238 : 0xdb0c2e0d64f98fa7ULL,
239 : 0x47b5481dbefa4fa4ULL
240 : };
241 :
242 : /* Initial hash value H for SHA-512 */
243 : const static u_int64_t sha512_initial_hash_value[8] = {
244 : 0x6a09e667f3bcc908ULL,
245 : 0xbb67ae8584caa73bULL,
246 : 0x3c6ef372fe94f82bULL,
247 : 0xa54ff53a5f1d36f1ULL,
248 : 0x510e527fade682d1ULL,
249 : 0x9b05688c2b3e6c1fULL,
250 : 0x1f83d9abfb41bd6bULL,
251 : 0x5be0cd19137e2179ULL
252 : };
253 :
254 :
255 : /*** SHA-256: *********************************************************/
256 : void
257 0 : SHA256Init(SHA2_CTX *context)
258 : {
259 0 : memcpy(context->state.st32, sha256_initial_hash_value,
260 : SHA256_DIGEST_LENGTH);
261 0 : memset(context->buffer, 0, SHA256_BLOCK_LENGTH);
262 0 : context->bitcount[0] = 0;
263 0 : }
264 :
265 : #ifdef SHA2_UNROLL_TRANSFORM
266 :
267 : /* Unrolled SHA-256 round macros: */
268 :
269 : #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
270 : W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) | \
271 : ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24); \
272 : data += 4; \
273 : T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
274 : (d) += T1; \
275 : (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
276 : j++; \
277 : } while(0)
278 :
279 : #define ROUND256(a,b,c,d,e,f,g,h) do { \
280 : s0 = W256[(j+1)&0x0f]; \
281 : s0 = sigma0_256(s0); \
282 : s1 = W256[(j+14)&0x0f]; \
283 : s1 = sigma1_256(s1); \
284 : T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
285 : (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
286 : (d) += T1; \
287 : (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
288 : j++; \
289 : } while(0)
290 :
291 : void
292 0 : SHA256Transform(u_int32_t *state, const u_int8_t *data)
293 : {
294 : u_int32_t a, b, c, d, e, f, g, h, s0, s1;
295 0 : u_int32_t T1, W256[16];
296 : int j;
297 :
298 : /* Initialize registers with the prev. intermediate value */
299 0 : a = state[0];
300 0 : b = state[1];
301 0 : c = state[2];
302 0 : d = state[3];
303 0 : e = state[4];
304 0 : f = state[5];
305 0 : g = state[6];
306 0 : h = state[7];
307 :
308 : j = 0;
309 0 : do {
310 : /* Rounds 0 to 15 (unrolled): */
311 0 : ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
312 0 : ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
313 0 : ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
314 0 : ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
315 0 : ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
316 0 : ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
317 0 : ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
318 0 : ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
319 0 : } while (j < 16);
320 :
321 : /* Now for the remaining rounds to 64: */
322 0 : do {
323 0 : ROUND256(a,b,c,d,e,f,g,h);
324 0 : ROUND256(h,a,b,c,d,e,f,g);
325 0 : ROUND256(g,h,a,b,c,d,e,f);
326 0 : ROUND256(f,g,h,a,b,c,d,e);
327 0 : ROUND256(e,f,g,h,a,b,c,d);
328 0 : ROUND256(d,e,f,g,h,a,b,c);
329 0 : ROUND256(c,d,e,f,g,h,a,b);
330 0 : ROUND256(b,c,d,e,f,g,h,a);
331 0 : } while (j < 64);
332 :
333 : /* Compute the current intermediate hash value */
334 0 : state[0] += a;
335 0 : state[1] += b;
336 0 : state[2] += c;
337 0 : state[3] += d;
338 0 : state[4] += e;
339 0 : state[5] += f;
340 0 : state[6] += g;
341 0 : state[7] += h;
342 :
343 : /* Clean up */
344 : a = b = c = d = e = f = g = h = T1 = 0;
345 0 : }
346 :
347 : #else /* SHA2_UNROLL_TRANSFORM */
348 :
349 : void
350 : SHA256Transform(u_int32_t *state, const u_int8_t *data)
351 : {
352 : u_int32_t a, b, c, d, e, f, g, h, s0, s1;
353 : u_int32_t T1, T2, W256[16];
354 : int j;
355 :
356 : /* Initialize registers with the prev. intermediate value */
357 : a = state[0];
358 : b = state[1];
359 : c = state[2];
360 : d = state[3];
361 : e = state[4];
362 : f = state[5];
363 : g = state[6];
364 : h = state[7];
365 :
366 : j = 0;
367 : do {
368 : W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) |
369 : ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24);
370 : data += 4;
371 : /* Apply the SHA-256 compression function to update a..h */
372 : T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
373 : T2 = Sigma0_256(a) + Maj(a, b, c);
374 : h = g;
375 : g = f;
376 : f = e;
377 : e = d + T1;
378 : d = c;
379 : c = b;
380 : b = a;
381 : a = T1 + T2;
382 :
383 : j++;
384 : } while (j < 16);
385 :
386 : do {
387 : /* Part of the message block expansion: */
388 : s0 = W256[(j+1)&0x0f];
389 : s0 = sigma0_256(s0);
390 : s1 = W256[(j+14)&0x0f];
391 : s1 = sigma1_256(s1);
392 :
393 : /* Apply the SHA-256 compression function to update a..h */
394 : T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
395 : (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
396 : T2 = Sigma0_256(a) + Maj(a, b, c);
397 : h = g;
398 : g = f;
399 : f = e;
400 : e = d + T1;
401 : d = c;
402 : c = b;
403 : b = a;
404 : a = T1 + T2;
405 :
406 : j++;
407 : } while (j < 64);
408 :
409 : /* Compute the current intermediate hash value */
410 : state[0] += a;
411 : state[1] += b;
412 : state[2] += c;
413 : state[3] += d;
414 : state[4] += e;
415 : state[5] += f;
416 : state[6] += g;
417 : state[7] += h;
418 :
419 : /* Clean up */
420 : a = b = c = d = e = f = g = h = T1 = T2 = 0;
421 : }
422 :
423 : #endif /* SHA2_UNROLL_TRANSFORM */
424 :
425 : void
426 0 : SHA256Update(SHA2_CTX *context, const void *dataptr, size_t len)
427 : {
428 : const uint8_t *data = dataptr;
429 : size_t freespace, usedspace;
430 :
431 : /* Calling with no data is valid (we do nothing) */
432 0 : if (len == 0)
433 0 : return;
434 :
435 0 : usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
436 0 : if (usedspace > 0) {
437 : /* Calculate how much free space is available in the buffer */
438 0 : freespace = SHA256_BLOCK_LENGTH - usedspace;
439 :
440 0 : if (len >= freespace) {
441 : /* Fill the buffer completely and process it */
442 0 : memcpy(&context->buffer[usedspace], data, freespace);
443 0 : context->bitcount[0] += freespace << 3;
444 0 : len -= freespace;
445 0 : data += freespace;
446 0 : SHA256Transform(context->state.st32, context->buffer);
447 : } else {
448 : /* The buffer is not yet full */
449 0 : memcpy(&context->buffer[usedspace], data, len);
450 0 : context->bitcount[0] += len << 3;
451 : /* Clean up: */
452 : usedspace = freespace = 0;
453 0 : return;
454 : }
455 0 : }
456 0 : while (len >= SHA256_BLOCK_LENGTH) {
457 : /* Process as many complete blocks as we can */
458 0 : SHA256Transform(context->state.st32, data);
459 0 : context->bitcount[0] += SHA256_BLOCK_LENGTH << 3;
460 0 : len -= SHA256_BLOCK_LENGTH;
461 0 : data += SHA256_BLOCK_LENGTH;
462 : }
463 0 : if (len > 0) {
464 : /* There's left-overs, so save 'em */
465 0 : memcpy(context->buffer, data, len);
466 0 : context->bitcount[0] += len << 3;
467 0 : }
468 : /* Clean up: */
469 : usedspace = freespace = 0;
470 0 : }
471 :
472 : void
473 0 : SHA256Final(u_int8_t digest[], SHA2_CTX *context)
474 : {
475 : unsigned int usedspace;
476 :
477 0 : usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
478 : #if BYTE_ORDER == LITTLE_ENDIAN
479 : /* Convert FROM host byte order */
480 0 : context->bitcount[0] = swap64(context->bitcount[0]);
481 : #endif
482 0 : if (usedspace > 0) {
483 : /* Begin padding with a 1 bit: */
484 0 : context->buffer[usedspace++] = 0x80;
485 :
486 0 : if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
487 : /* Set-up for the last transform: */
488 0 : memset(&context->buffer[usedspace], 0,
489 : SHA256_SHORT_BLOCK_LENGTH - usedspace);
490 0 : } else {
491 0 : if (usedspace < SHA256_BLOCK_LENGTH) {
492 0 : memset(&context->buffer[usedspace], 0,
493 : SHA256_BLOCK_LENGTH - usedspace);
494 0 : }
495 : /* Do second-to-last transform: */
496 0 : SHA256Transform(context->state.st32, context->buffer);
497 :
498 : /* And set-up for the last transform: */
499 0 : memset(context->buffer, 0,
500 : SHA256_SHORT_BLOCK_LENGTH);
501 : }
502 : } else {
503 : /* Set-up for the last transform: */
504 0 : memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
505 :
506 : /* Begin padding with a 1 bit: */
507 0 : *context->buffer = 0x80;
508 : }
509 : /* Set the bit count: */
510 0 : *(u_int64_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount[0];
511 :
512 : /* Final transform: */
513 0 : SHA256Transform(context->state.st32, context->buffer);
514 :
515 : #if BYTE_ORDER == LITTLE_ENDIAN
516 : {
517 : /* Convert TO host byte order */
518 : int j;
519 0 : for (j = 0; j < 8; j++) {
520 0 : context->state.st32[j] = swap32(context->state.st32[j]);
521 : }
522 : }
523 : #endif
524 0 : memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH);
525 : /* Clean up state data: */
526 0 : explicit_bzero(context, sizeof(*context));
527 : usedspace = 0;
528 0 : }
529 :
530 :
531 : /*** SHA-512: *********************************************************/
532 : void
533 0 : SHA512Init(SHA2_CTX *context)
534 : {
535 0 : memcpy(context->state.st64, sha512_initial_hash_value,
536 : SHA512_DIGEST_LENGTH);
537 0 : memset(context->buffer, 0, SHA512_BLOCK_LENGTH);
538 0 : context->bitcount[0] = context->bitcount[1] = 0;
539 0 : }
540 :
541 : #ifdef SHA2_UNROLL_TRANSFORM
542 :
543 : /* Unrolled SHA-512 round macros: */
544 :
545 : #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
546 : W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) | \
547 : ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) | \
548 : ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) | \
549 : ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56); \
550 : data += 8; \
551 : T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
552 : (d) += T1; \
553 : (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
554 : j++; \
555 : } while(0)
556 :
557 :
558 : #define ROUND512(a,b,c,d,e,f,g,h) do { \
559 : s0 = W512[(j+1)&0x0f]; \
560 : s0 = sigma0_512(s0); \
561 : s1 = W512[(j+14)&0x0f]; \
562 : s1 = sigma1_512(s1); \
563 : T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
564 : (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
565 : (d) += T1; \
566 : (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
567 : j++; \
568 : } while(0)
569 :
570 : void
571 0 : SHA512Transform(u_int64_t *state, const u_int8_t *data)
572 : {
573 : u_int64_t a, b, c, d, e, f, g, h, s0, s1;
574 0 : u_int64_t T1, W512[16];
575 : int j;
576 :
577 : /* Initialize registers with the prev. intermediate value */
578 0 : a = state[0];
579 0 : b = state[1];
580 0 : c = state[2];
581 0 : d = state[3];
582 0 : e = state[4];
583 0 : f = state[5];
584 0 : g = state[6];
585 0 : h = state[7];
586 :
587 : j = 0;
588 0 : do {
589 0 : ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
590 0 : ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
591 0 : ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
592 0 : ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
593 0 : ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
594 0 : ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
595 0 : ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
596 0 : ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
597 0 : } while (j < 16);
598 :
599 : /* Now for the remaining rounds up to 79: */
600 0 : do {
601 0 : ROUND512(a,b,c,d,e,f,g,h);
602 0 : ROUND512(h,a,b,c,d,e,f,g);
603 0 : ROUND512(g,h,a,b,c,d,e,f);
604 0 : ROUND512(f,g,h,a,b,c,d,e);
605 0 : ROUND512(e,f,g,h,a,b,c,d);
606 0 : ROUND512(d,e,f,g,h,a,b,c);
607 0 : ROUND512(c,d,e,f,g,h,a,b);
608 0 : ROUND512(b,c,d,e,f,g,h,a);
609 0 : } while (j < 80);
610 :
611 : /* Compute the current intermediate hash value */
612 0 : state[0] += a;
613 0 : state[1] += b;
614 0 : state[2] += c;
615 0 : state[3] += d;
616 0 : state[4] += e;
617 0 : state[5] += f;
618 0 : state[6] += g;
619 0 : state[7] += h;
620 :
621 : /* Clean up */
622 : a = b = c = d = e = f = g = h = T1 = 0;
623 0 : }
624 :
625 : #else /* SHA2_UNROLL_TRANSFORM */
626 :
627 : void
628 : SHA512Transform(u_int64_t *state, const u_int8_t *data)
629 : {
630 : u_int64_t a, b, c, d, e, f, g, h, s0, s1;
631 : u_int64_t T1, T2, W512[16];
632 : int j;
633 :
634 : /* Initialize registers with the prev. intermediate value */
635 : a = state[0];
636 : b = state[1];
637 : c = state[2];
638 : d = state[3];
639 : e = state[4];
640 : f = state[5];
641 : g = state[6];
642 : h = state[7];
643 :
644 : j = 0;
645 : do {
646 : W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) |
647 : ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) |
648 : ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) |
649 : ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56);
650 : data += 8;
651 : /* Apply the SHA-512 compression function to update a..h */
652 : T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
653 : T2 = Sigma0_512(a) + Maj(a, b, c);
654 : h = g;
655 : g = f;
656 : f = e;
657 : e = d + T1;
658 : d = c;
659 : c = b;
660 : b = a;
661 : a = T1 + T2;
662 :
663 : j++;
664 : } while (j < 16);
665 :
666 : do {
667 : /* Part of the message block expansion: */
668 : s0 = W512[(j+1)&0x0f];
669 : s0 = sigma0_512(s0);
670 : s1 = W512[(j+14)&0x0f];
671 : s1 = sigma1_512(s1);
672 :
673 : /* Apply the SHA-512 compression function to update a..h */
674 : T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
675 : (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
676 : T2 = Sigma0_512(a) + Maj(a, b, c);
677 : h = g;
678 : g = f;
679 : f = e;
680 : e = d + T1;
681 : d = c;
682 : c = b;
683 : b = a;
684 : a = T1 + T2;
685 :
686 : j++;
687 : } while (j < 80);
688 :
689 : /* Compute the current intermediate hash value */
690 : state[0] += a;
691 : state[1] += b;
692 : state[2] += c;
693 : state[3] += d;
694 : state[4] += e;
695 : state[5] += f;
696 : state[6] += g;
697 : state[7] += h;
698 :
699 : /* Clean up */
700 : a = b = c = d = e = f = g = h = T1 = T2 = 0;
701 : }
702 :
703 : #endif /* SHA2_UNROLL_TRANSFORM */
704 :
705 : void
706 0 : SHA512Update(SHA2_CTX *context, const void *dataptr, size_t len)
707 : {
708 : const uint8_t *data = dataptr;
709 : size_t freespace, usedspace;
710 :
711 : /* Calling with no data is valid (we do nothing) */
712 0 : if (len == 0)
713 0 : return;
714 :
715 0 : usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
716 0 : if (usedspace > 0) {
717 : /* Calculate how much free space is available in the buffer */
718 0 : freespace = SHA512_BLOCK_LENGTH - usedspace;
719 :
720 0 : if (len >= freespace) {
721 : /* Fill the buffer completely and process it */
722 0 : memcpy(&context->buffer[usedspace], data, freespace);
723 0 : ADDINC128(context->bitcount, freespace << 3);
724 0 : len -= freespace;
725 0 : data += freespace;
726 0 : SHA512Transform(context->state.st64, context->buffer);
727 : } else {
728 : /* The buffer is not yet full */
729 0 : memcpy(&context->buffer[usedspace], data, len);
730 0 : ADDINC128(context->bitcount, len << 3);
731 : /* Clean up: */
732 : usedspace = freespace = 0;
733 0 : return;
734 : }
735 0 : }
736 0 : while (len >= SHA512_BLOCK_LENGTH) {
737 : /* Process as many complete blocks as we can */
738 0 : SHA512Transform(context->state.st64, data);
739 0 : ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
740 0 : len -= SHA512_BLOCK_LENGTH;
741 0 : data += SHA512_BLOCK_LENGTH;
742 : }
743 0 : if (len > 0) {
744 : /* There's left-overs, so save 'em */
745 0 : memcpy(context->buffer, data, len);
746 0 : ADDINC128(context->bitcount, len << 3);
747 : }
748 : /* Clean up: */
749 : usedspace = freespace = 0;
750 0 : }
751 :
752 : void
753 0 : SHA512Last(SHA2_CTX *context)
754 : {
755 : unsigned int usedspace;
756 :
757 0 : usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
758 : #if BYTE_ORDER == LITTLE_ENDIAN
759 : /* Convert FROM host byte order */
760 0 : context->bitcount[0] = swap64(context->bitcount[0]);
761 0 : context->bitcount[1] = swap64(context->bitcount[1]);
762 : #endif
763 0 : if (usedspace > 0) {
764 : /* Begin padding with a 1 bit: */
765 0 : context->buffer[usedspace++] = 0x80;
766 :
767 0 : if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
768 : /* Set-up for the last transform: */
769 0 : memset(&context->buffer[usedspace], 0,
770 : SHA512_SHORT_BLOCK_LENGTH - usedspace);
771 0 : } else {
772 0 : if (usedspace < SHA512_BLOCK_LENGTH) {
773 0 : memset(&context->buffer[usedspace], 0,
774 : SHA512_BLOCK_LENGTH - usedspace);
775 0 : }
776 : /* Do second-to-last transform: */
777 0 : SHA512Transform(context->state.st64, context->buffer);
778 :
779 : /* And set-up for the last transform: */
780 0 : memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
781 : }
782 : } else {
783 : /* Prepare for final transform: */
784 0 : memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
785 :
786 : /* Begin padding with a 1 bit: */
787 0 : *context->buffer = 0x80;
788 : }
789 : /* Store the length of input data (in bits): */
790 0 : *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
791 0 : *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
792 :
793 : /* Final transform: */
794 0 : SHA512Transform(context->state.st64, context->buffer);
795 0 : }
796 :
797 : void
798 0 : SHA512Final(u_int8_t digest[], SHA2_CTX *context)
799 : {
800 :
801 0 : SHA512Last(context);
802 :
803 : /* Save the hash data for output: */
804 : #if BYTE_ORDER == LITTLE_ENDIAN
805 : {
806 : /* Convert TO host byte order */
807 : int j;
808 0 : for (j = 0; j < 8; j++) {
809 0 : context->state.st64[j] = swap64(context->state.st64[j]);
810 : }
811 : }
812 : #endif
813 0 : memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH);
814 :
815 : /* Zero out state data */
816 0 : explicit_bzero(context, sizeof(*context));
817 0 : }
818 :
819 :
820 : /*** SHA-384: *********************************************************/
821 : void
822 0 : SHA384Init(SHA2_CTX *context)
823 : {
824 0 : memcpy(context->state.st64, sha384_initial_hash_value,
825 : SHA512_DIGEST_LENGTH);
826 0 : memset(context->buffer, 0, SHA384_BLOCK_LENGTH);
827 0 : context->bitcount[0] = context->bitcount[1] = 0;
828 0 : }
829 :
830 : void
831 0 : SHA384Update(SHA2_CTX *context, const void *data, size_t len)
832 : {
833 0 : SHA512Update(context, data, len);
834 0 : }
835 :
836 : void
837 0 : SHA384Final(u_int8_t digest[], SHA2_CTX *context)
838 : {
839 :
840 0 : SHA512Last(context);
841 :
842 : /* Save the hash data for output: */
843 : #if BYTE_ORDER == LITTLE_ENDIAN
844 : {
845 : /* Convert TO host byte order */
846 : int j;
847 0 : for (j = 0; j < 6; j++) {
848 0 : context->state.st64[j] = swap64(context->state.st64[j]);
849 : }
850 : }
851 : #endif
852 0 : memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH);
853 : /* Zero out state data */
854 0 : explicit_bzero(context, sizeof(*context));
855 0 : }
|
