Fix comment typo; from OpenSSH Portable

Cast bitcount to u_in64_t before bit shifting to prevent integer overflow
on 32bit platforms which cause incorrect results when adding a block
>=512M in size. sha1 patch from ante84 at gmail.com via openssh github,
sha2 with djm@, ok tedu@

move sha224_initial_hash_value[] under !SHA2_SMALL; ok deraadt@ millert@

Add functions for SHA512/256. The standard says you're supposed to start
with different magic numbers, so we need to add some functions instead
of just asking the user to truncate as desired. Sigh.
SHA512 is quite a bit faster than SHA256 on 64 bit CPUs,
but 256 bit hashes are usually quite sufficient. Best of both.
ok deraadt tom

Wrap blowfish, sha*, md5, and rmd160 so that internal calls go direct

ok deraadt@

Use explicit_bzero instead of memset in hash Final and End functions.
OK deraadt@ djm@

be like the kernel and only unroll if not small

i386 unrolling blows up the media in a big way, due to -Os for
ramdisk libc builds. there has to be a better way without #ifdef's
in gross places, but I don't see it yet.

only unroll on i386 and amd64 (where confirmed to be much faster).
naddy found sparc64 gets a little slower when unrolled.
ok deraadt

unroll loops. much faster on amd64. ok deraadt millert

From ISO/IEC 9899:1999 and 9899:201x,
6.11.5 - Storage-class specifiers:
The placement of a storage-class specifier other than at the
beginning of the declaration specifiers in a declaration is
an obsolescent feature.

Diff from Jean-Philippe Ouellet (jean-philippe (at) ouellet.biz)

calling HashFinal with a null digest should crash, not be silently ignored

rename SHA256_ONLY to SHA2_SMALL; changing things so that sha512 support
is also pulled in

remove unneeded check for null context. ok deraadt gilles millert

SHA-224 is to SHA-256 as SHA-384 is to SHA-512. It was added in a
later revision of FIPS-180. OK miod@ jmc@ guenther@ djm@

allow building without SHA384 and SHA512 (i.e. SHA256 only) with
-DSHA256_ONLY in order to save space; ok deraadt@

Rename SHA256/384/512 API to avoid namespace collisions with
forthcoming OpenSSL update.

Function names lose their underscore (SHA256_Init => SHA256Init) and
the various SHA256_CTX, SHA512_CTX are merged into a single SHA2_CTX
that is used for all these hashes.

ok millert@ manpage bits jmc@ "please commit" deraadt@

zap remaining rcsid.

Kill old files that are no longer compiled.

okay theo

In the Final function, move the context zeroing into the digest != NULL
scope so that passing a NULL digest is equivalent to the Pad function
(like it used to be). Fixes skey w/ sha1 as noticed by David Krause.

Simpler byte order flipping. Now the only place we explicitly check
for the host byte order is when we copy the final digest (and that
is just an optimization).

Make the Transform functions match the other hash types and document them.
Use sizeof() in the Init functions where it makes sense.
Use weak aliases instead of wrapper functions.

Probably should have gone in before the major bump but as these are only
used internally by the sha2 functions themselves there should be no problem.

Add Pad and FileChunk functions for each family of hash functions.
The Pad function does padding like in Final but does not finish processing.
The FileChunk function creates a digest from a portion of a file.
Also made the length parameters consistent (and size_t).

Rev 1.4 was bogus (committed from the wrong tree), this repairs it.

some minor KNF

The data pointer passed to the transform function may not be properly
aligned so copy it in a way that a) is endian indepenent and b) does
not rely on alignment. Problem found and solution tested by hshoexer@

KNF: function names should be at column 0 for easier grepping.

Zap context correctly, from Juergen Buchmueller <pullmoll at stop1984 dot com>
Same as sys/crypto/sha2.c revision 1.2

Add sha2 routines based on code by Aaron D. Gifford with minor
massaging and a man page by me. I used the phk-derived stuff for
sha2hl.c instead of Aaron's for consistency with our other hash
routines.

Cast bitcount to u_in64_t before bit shifting to prevent integer overflow
on 32bit platforms which cause incorrect results when adding a block
>=512M in size. sha1 patch from ante84 at gmail.com via openssh github,
sha2 with djm@, ok tedu@

move sha224_initial_hash_value[] under !SHA2_SMALL; ok deraadt@ millert@

Add functions for SHA512/256. The standard says you're supposed to start
with different magic numbers, so we need to add some functions instead
of just asking the user to truncate as desired. Sigh.
SHA512 is quite a bit faster than SHA256 on 64 bit CPUs,
but 256 bit hashes are usually quite sufficient. Best of both.
ok deraadt tom

Wrap blowfish, sha*, md5, and rmd160 so that internal calls go direct

ok deraadt@

Use explicit_bzero instead of memset in hash Final and End functions.
OK deraadt@ djm@

be like the kernel and only unroll if not small

i386 unrolling blows up the media in a big way, due to -Os for
ramdisk libc builds. there has to be a better way without #ifdef's
in gross places, but I don't see it yet.

only unroll on i386 and amd64 (where confirmed to be much faster).
naddy found sparc64 gets a little slower when unrolled.
ok deraadt

unroll loops. much faster on amd64. ok deraadt millert

From ISO/IEC 9899:1999 and 9899:201x,
6.11.5 - Storage-class specifiers:
The placement of a storage-class specifier other than at the
beginning of the declaration specifiers in a declaration is
an obsolescent feature.

Diff from Jean-Philippe Ouellet (jean-philippe (at) ouellet.biz)

calling HashFinal with a null digest should crash, not be silently ignored

rename SHA256_ONLY to SHA2_SMALL; changing things so that sha512 support
is also pulled in

remove unneeded check for null context. ok deraadt gilles millert

SHA-224 is to SHA-256 as SHA-384 is to SHA-512. It was added in a
later revision of FIPS-180. OK miod@ jmc@ guenther@ djm@

allow building without SHA384 and SHA512 (i.e. SHA256 only) with
-DSHA256_ONLY in order to save space; ok deraadt@

Rename SHA256/384/512 API to avoid namespace collisions with
forthcoming OpenSSL update.

Function names lose their underscore (SHA256_Init => SHA256Init) and
the various SHA256_CTX, SHA512_CTX are merged into a single SHA2_CTX
that is used for all these hashes.

ok millert@ manpage bits jmc@ "please commit" deraadt@

zap remaining rcsid.

Kill old files that are no longer compiled.

okay theo

In the Final function, move the context zeroing into the digest != NULL
scope so that passing a NULL digest is equivalent to the Pad function
(like it used to be). Fixes skey w/ sha1 as noticed by David Krause.

Simpler byte order flipping. Now the only place we explicitly check
for the host byte order is when we copy the final digest (and that
is just an optimization).

Make the Transform functions match the other hash types and document them.
Use sizeof() in the Init functions where it makes sense.
Use weak aliases instead of wrapper functions.

Probably should have gone in before the major bump but as these are only
used internally by the sha2 functions themselves there should be no problem.

Add Pad and FileChunk functions for each family of hash functions.
The Pad function does padding like in Final but does not finish processing.
The FileChunk function creates a digest from a portion of a file.
Also made the length parameters consistent (and size_t).

Rev 1.4 was bogus (committed from the wrong tree), this repairs it.

some minor KNF

The data pointer passed to the transform function may not be properly
aligned so copy it in a way that a) is endian indepenent and b) does
not rely on alignment. Problem found and solution tested by hshoexer@

KNF: function names should be at column 0 for easier grepping.

Zap context correctly, from Juergen Buchmueller <pullmoll at stop1984 dot com>
Same as sys/crypto/sha2.c revision 1.2

Add sha2 routines based on code by Aaron D. Gifford with minor
massaging and a man page by me. I used the phk-derived stuff for
sha2hl.c instead of Aaron's for consistency with our other hash
routines.

move sha224_initial_hash_value[] under !SHA2_SMALL; ok deraadt@ millert@

Add functions for SHA512/256. The standard says you're supposed to start
with different magic numbers, so we need to add some functions instead
of just asking the user to truncate as desired. Sigh.
SHA512 is quite a bit faster than SHA256 on 64 bit CPUs,
but 256 bit hashes are usually quite sufficient. Best of both.
ok deraadt tom

Wrap blowfish, sha*, md5, and rmd160 so that internal calls go direct

ok deraadt@

Use explicit_bzero instead of memset in hash Final and End functions.
OK deraadt@ djm@

be like the kernel and only unroll if not small

i386 unrolling blows up the media in a big way, due to -Os for
ramdisk libc builds. there has to be a better way without #ifdef's
in gross places, but I don't see it yet.

only unroll on i386 and amd64 (where confirmed to be much faster).
naddy found sparc64 gets a little slower when unrolled.
ok deraadt

unroll loops. much faster on amd64. ok deraadt millert

From ISO/IEC 9899:1999 and 9899:201x,
6.11.5 - Storage-class specifiers:
The placement of a storage-class specifier other than at the
beginning of the declaration specifiers in a declaration is
an obsolescent feature.

Diff from Jean-Philippe Ouellet (jean-philippe (at) ouellet.biz)

calling HashFinal with a null digest should crash, not be silently ignored

rename SHA256_ONLY to SHA2_SMALL; changing things so that sha512 support
is also pulled in

remove unneeded check for null context. ok deraadt gilles millert

SHA-224 is to SHA-256 as SHA-384 is to SHA-512. It was added in a
later revision of FIPS-180. OK miod@ jmc@ guenther@ djm@

allow building without SHA384 and SHA512 (i.e. SHA256 only) with
-DSHA256_ONLY in order to save space; ok deraadt@

Rename SHA256/384/512 API to avoid namespace collisions with
forthcoming OpenSSL update.

Function names lose their underscore (SHA256_Init => SHA256Init) and
the various SHA256_CTX, SHA512_CTX are merged into a single SHA2_CTX
that is used for all these hashes.

ok millert@ manpage bits jmc@ "please commit" deraadt@

zap remaining rcsid.

Kill old files that are no longer compiled.

okay theo

In the Final function, move the context zeroing into the digest != NULL
scope so that passing a NULL digest is equivalent to the Pad function
(like it used to be). Fixes skey w/ sha1 as noticed by David Krause.

Simpler byte order flipping. Now the only place we explicitly check
for the host byte order is when we copy the final digest (and that
is just an optimization).

Make the Transform functions match the other hash types and document them.
Use sizeof() in the Init functions where it makes sense.
Use weak aliases instead of wrapper functions.

Probably should have gone in before the major bump but as these are only
used internally by the sha2 functions themselves there should be no problem.

Add Pad and FileChunk functions for each family of hash functions.
The Pad function does padding like in Final but does not finish processing.
The FileChunk function creates a digest from a portion of a file.
Also made the length parameters consistent (and size_t).

Rev 1.4 was bogus (committed from the wrong tree), this repairs it.

some minor KNF

The data pointer passed to the transform function may not be properly
aligned so copy it in a way that a) is endian indepenent and b) does
not rely on alignment. Problem found and solution tested by hshoexer@

KNF: function names should be at column 0 for easier grepping.

Zap context correctly, from Juergen Buchmueller <pullmoll at stop1984 dot com>
Same as sys/crypto/sha2.c revision 1.2

Add sha2 routines based on code by Aaron D. Gifford with minor
massaging and a man page by me. I used the phk-derived stuff for
sha2hl.c instead of Aaron's for consistency with our other hash
routines.