sha2.c revision 262706
1/* 2 * Copyright (C) 2005-2007, 2009, 2011, 2012, 2014 Internet Systems Consortium, Inc. ("ISC") 3 * 4 * Permission to use, copy, modify, and/or distribute this software for any 5 * purpose with or without fee is hereby granted, provided that the above 6 * copyright notice and this permission notice appear in all copies. 7 * 8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 14 * PERFORMANCE OF THIS SOFTWARE. 15 */ 16 17/* $Id$ */ 18 19/* $FreeBSD: stable/9/contrib/bind9/lib/isc/sha2.c 262706 2014-03-03 09:18:19Z erwin $ */ 20/* $KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $ */ 21 22/* 23 * sha2.c 24 * 25 * Version 1.0.0beta1 26 * 27 * Written by Aaron D. Gifford <me@aarongifford.com> 28 * 29 * Copyright 2000 Aaron D. Gifford. All rights reserved. 30 * 31 * Redistribution and use in source and binary forms, with or without 32 * modification, are permitted provided that the following conditions 33 * are met: 34 * 1. Redistributions of source code must retain the above copyright 35 * notice, this list of conditions and the following disclaimer. 36 * 2. Redistributions in binary form must reproduce the above copyright 37 * notice, this list of conditions and the following disclaimer in the 38 * documentation and/or other materials provided with the distribution. 39 * 3. Neither the name of the copyright holder nor the names of contributors 40 * may be used to endorse or promote products derived from this software 41 * without specific prior written permission. 42 * 43 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND 44 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 45 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 46 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE 47 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 48 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 49 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 50 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 51 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 52 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 53 * SUCH DAMAGE. 54 * 55 */ 56 57 58#include <config.h> 59 60#include <isc/assertions.h> 61#include <isc/platform.h> 62#include <isc/sha2.h> 63#include <isc/string.h> 64#include <isc/util.h> 65 66#ifdef ISC_PLATFORM_OPENSSLHASH 67 68void 69isc_sha224_init(isc_sha224_t *context) { 70 if (context == (isc_sha224_t *)0) { 71 return; 72 } 73 EVP_DigestInit(context, EVP_sha224()); 74} 75 76void 77isc_sha224_invalidate(isc_sha224_t *context) { 78 EVP_MD_CTX_cleanup(context); 79} 80 81void 82isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { 83 if (len == 0U) { 84 /* Calling with no data is valid - we do nothing */ 85 return; 86 } 87 88 /* Sanity check: */ 89 REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0); 90 91 EVP_DigestUpdate(context, (const void *) data, len); 92} 93 94void 95isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) { 96 /* Sanity check: */ 97 REQUIRE(context != (isc_sha224_t *)0); 98 99 /* If no digest buffer is passed, we don't bother doing this: */ 100 if (digest != (isc_uint8_t*)0) { 101 EVP_DigestFinal(context, digest, NULL); 102 } else { 103 EVP_MD_CTX_cleanup(context); 104 } 105} 106 107void 108isc_sha256_init(isc_sha256_t *context) { 109 if (context == (isc_sha256_t *)0) { 110 return; 111 } 112 EVP_DigestInit(context, EVP_sha256()); 113} 114 115void 116isc_sha256_invalidate(isc_sha256_t *context) { 117 EVP_MD_CTX_cleanup(context); 118} 119 120void 121isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) { 122 if (len == 0U) { 123 /* Calling with no data is valid - we do nothing */ 124 return; 125 } 126 127 /* Sanity check: */ 128 REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0); 129 130 EVP_DigestUpdate(context, (const void *) data, len); 131} 132 133void 134isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) { 135 /* Sanity check: */ 136 REQUIRE(context != (isc_sha256_t *)0); 137 138 /* If no digest buffer is passed, we don't bother doing this: */ 139 if (digest != (isc_uint8_t*)0) { 140 EVP_DigestFinal(context, digest, NULL); 141 } else { 142 EVP_MD_CTX_cleanup(context); 143 } 144} 145 146void 147isc_sha512_init(isc_sha512_t *context) { 148 if (context == (isc_sha512_t *)0) { 149 return; 150 } 151 EVP_DigestInit(context, EVP_sha512()); 152} 153 154void 155isc_sha512_invalidate(isc_sha512_t *context) { 156 EVP_MD_CTX_cleanup(context); 157} 158 159void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) { 160 if (len == 0U) { 161 /* Calling with no data is valid - we do nothing */ 162 return; 163 } 164 165 /* Sanity check: */ 166 REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); 167 168 EVP_DigestUpdate(context, (const void *) data, len); 169} 170 171void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { 172 /* Sanity check: */ 173 REQUIRE(context != (isc_sha512_t *)0); 174 175 /* If no digest buffer is passed, we don't bother doing this: */ 176 if (digest != (isc_uint8_t*)0) { 177 EVP_DigestFinal(context, digest, NULL); 178 } else { 179 EVP_MD_CTX_cleanup(context); 180 } 181} 182 183void 184isc_sha384_init(isc_sha384_t *context) { 185 if (context == (isc_sha384_t *)0) { 186 return; 187 } 188 EVP_DigestInit(context, EVP_sha384()); 189} 190 191void 192isc_sha384_invalidate(isc_sha384_t *context) { 193 EVP_MD_CTX_cleanup(context); 194} 195 196void 197isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) { 198 if (len == 0U) { 199 /* Calling with no data is valid - we do nothing */ 200 return; 201 } 202 203 /* Sanity check: */ 204 REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); 205 206 EVP_DigestUpdate(context, (const void *) data, len); 207} 208 209void 210isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { 211 /* Sanity check: */ 212 REQUIRE(context != (isc_sha384_t *)0); 213 214 /* If no digest buffer is passed, we don't bother doing this: */ 215 if (digest != (isc_uint8_t*)0) { 216 EVP_DigestFinal(context, digest, NULL); 217 } else { 218 EVP_MD_CTX_cleanup(context); 219 } 220} 221 222#else 223 224/* 225 * UNROLLED TRANSFORM LOOP NOTE: 226 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform 227 * loop version for the hash transform rounds (defined using macros 228 * later in this file). Either define on the command line, for example: 229 * 230 * cc -DISC_SHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c 231 * 232 * or define below: 233 * 234 * \#define ISC_SHA2_UNROLL_TRANSFORM 235 * 236 */ 237 238/*** SHA-256/384/512 Machine Architecture Definitions *****************/ 239/* 240 * BYTE_ORDER NOTE: 241 * 242 * Please make sure that your system defines BYTE_ORDER. If your 243 * architecture is little-endian, make sure it also defines 244 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are 245 * equivalent. 246 * 247 * If your system does not define the above, then you can do so by 248 * hand like this: 249 * 250 * \#define LITTLE_ENDIAN 1234 251 * \#define BIG_ENDIAN 4321 252 * 253 * And for little-endian machines, add: 254 * 255 * \#define BYTE_ORDER LITTLE_ENDIAN 256 * 257 * Or for big-endian machines: 258 * 259 * \#define BYTE_ORDER BIG_ENDIAN 260 * 261 * The FreeBSD machine this was written on defines BYTE_ORDER 262 * appropriately by including <sys/types.h> (which in turn includes 263 * <machine/endian.h> where the appropriate definitions are actually 264 * made). 265 */ 266#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) 267#ifndef BYTE_ORDER 268#ifndef BIG_ENDIAN 269#define BIG_ENDIAN 4321 270#endif 271#ifndef LITTLE_ENDIAN 272#define LITTLE_ENDIAN 1234 273#endif 274#ifdef WORDS_BIGENDIAN 275#define BYTE_ORDER BIG_ENDIAN 276#else 277#define BYTE_ORDER LITTLE_ENDIAN 278#endif 279#else 280#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN 281#endif 282#endif 283 284/*** SHA-256/384/512 Various Length Definitions ***********************/ 285/* NOTE: Most of these are in sha2.h */ 286#define ISC_SHA256_SHORT_BLOCK_LENGTH (ISC_SHA256_BLOCK_LENGTH - 8) 287#define ISC_SHA384_SHORT_BLOCK_LENGTH (ISC_SHA384_BLOCK_LENGTH - 16) 288#define ISC_SHA512_SHORT_BLOCK_LENGTH (ISC_SHA512_BLOCK_LENGTH - 16) 289 290 291/*** ENDIAN REVERSAL MACROS *******************************************/ 292#if BYTE_ORDER == LITTLE_ENDIAN 293#define REVERSE32(w,x) { \ 294 isc_uint32_t tmp = (w); \ 295 tmp = (tmp >> 16) | (tmp << 16); \ 296 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \ 297} 298#ifdef WIN32 299#define REVERSE64(w,x) { \ 300 isc_uint64_t tmp = (w); \ 301 tmp = (tmp >> 32) | (tmp << 32); \ 302 tmp = ((tmp & 0xff00ff00ff00ff00UL) >> 8) | \ 303 ((tmp & 0x00ff00ff00ff00ffUL) << 8); \ 304 (x) = ((tmp & 0xffff0000ffff0000UL) >> 16) | \ 305 ((tmp & 0x0000ffff0000ffffUL) << 16); \ 306} 307#else 308#define REVERSE64(w,x) { \ 309 isc_uint64_t tmp = (w); \ 310 tmp = (tmp >> 32) | (tmp << 32); \ 311 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \ 312 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \ 313 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \ 314 ((tmp & 0x0000ffff0000ffffULL) << 16); \ 315} 316#endif 317#endif /* BYTE_ORDER == LITTLE_ENDIAN */ 318 319/* 320 * Macro for incrementally adding the unsigned 64-bit integer n to the 321 * unsigned 128-bit integer (represented using a two-element array of 322 * 64-bit words): 323 */ 324#define ADDINC128(w,n) { \ 325 (w)[0] += (isc_uint64_t)(n); \ 326 if ((w)[0] < (n)) { \ 327 (w)[1]++; \ 328 } \ 329} 330 331/*** THE SIX LOGICAL FUNCTIONS ****************************************/ 332/* 333 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 334 * 335 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 336 * S is a ROTATION) because the SHA-256/384/512 description document 337 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 338 * same "backwards" definition. 339 */ 340/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 341#define R(b,x) ((x) >> (b)) 342/* 32-bit Rotate-right (used in SHA-256): */ 343#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 344/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 345#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 346 347/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 348#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 349#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 350 351/* Four of six logical functions used in SHA-256: */ 352#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 353#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 354#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 355#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 356 357/* Four of six logical functions used in SHA-384 and SHA-512: */ 358#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 359#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 360#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 361#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 362 363/*** INTERNAL FUNCTION PROTOTYPES *************************************/ 364/* NOTE: These should not be accessed directly from outside this 365 * library -- they are intended for private internal visibility/use 366 * only. 367 */ 368void isc_sha512_last(isc_sha512_t *); 369void isc_sha256_transform(isc_sha256_t *, const isc_uint32_t*); 370void isc_sha512_transform(isc_sha512_t *, const isc_uint64_t*); 371 372 373/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 374/* Hash constant words K for SHA-224 and SHA-256: */ 375static const isc_uint32_t K256[64] = { 376 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 377 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 378 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 379 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 380 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 381 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 382 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 383 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 384 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 385 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 386 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 387 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 388 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 389 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 390 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 391 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 392}; 393 394/* Initial hash value H for SHA-224: */ 395static const isc_uint32_t sha224_initial_hash_value[8] = { 396 0xc1059ed8UL, 397 0x367cd507UL, 398 0x3070dd17UL, 399 0xf70e5939UL, 400 0xffc00b31UL, 401 0x68581511UL, 402 0x64f98fa7UL, 403 0xbefa4fa4UL 404}; 405 406/* Initial hash value H for SHA-256: */ 407static const isc_uint32_t sha256_initial_hash_value[8] = { 408 0x6a09e667UL, 409 0xbb67ae85UL, 410 0x3c6ef372UL, 411 0xa54ff53aUL, 412 0x510e527fUL, 413 0x9b05688cUL, 414 0x1f83d9abUL, 415 0x5be0cd19UL 416}; 417 418#ifdef WIN32 419/* Hash constant words K for SHA-384 and SHA-512: */ 420static const isc_uint64_t K512[80] = { 421 0x428a2f98d728ae22UL, 0x7137449123ef65cdUL, 422 0xb5c0fbcfec4d3b2fUL, 0xe9b5dba58189dbbcUL, 423 0x3956c25bf348b538UL, 0x59f111f1b605d019UL, 424 0x923f82a4af194f9bUL, 0xab1c5ed5da6d8118UL, 425 0xd807aa98a3030242UL, 0x12835b0145706fbeUL, 426 0x243185be4ee4b28cUL, 0x550c7dc3d5ffb4e2UL, 427 0x72be5d74f27b896fUL, 0x80deb1fe3b1696b1UL, 428 0x9bdc06a725c71235UL, 0xc19bf174cf692694UL, 429 0xe49b69c19ef14ad2UL, 0xefbe4786384f25e3UL, 430 0x0fc19dc68b8cd5b5UL, 0x240ca1cc77ac9c65UL, 431 0x2de92c6f592b0275UL, 0x4a7484aa6ea6e483UL, 432 0x5cb0a9dcbd41fbd4UL, 0x76f988da831153b5UL, 433 0x983e5152ee66dfabUL, 0xa831c66d2db43210UL, 434 0xb00327c898fb213fUL, 0xbf597fc7beef0ee4UL, 435 0xc6e00bf33da88fc2UL, 0xd5a79147930aa725UL, 436 0x06ca6351e003826fUL, 0x142929670a0e6e70UL, 437 0x27b70a8546d22ffcUL, 0x2e1b21385c26c926UL, 438 0x4d2c6dfc5ac42aedUL, 0x53380d139d95b3dfUL, 439 0x650a73548baf63deUL, 0x766a0abb3c77b2a8UL, 440 0x81c2c92e47edaee6UL, 0x92722c851482353bUL, 441 0xa2bfe8a14cf10364UL, 0xa81a664bbc423001UL, 442 0xc24b8b70d0f89791UL, 0xc76c51a30654be30UL, 443 0xd192e819d6ef5218UL, 0xd69906245565a910UL, 444 0xf40e35855771202aUL, 0x106aa07032bbd1b8UL, 445 0x19a4c116b8d2d0c8UL, 0x1e376c085141ab53UL, 446 0x2748774cdf8eeb99UL, 0x34b0bcb5e19b48a8UL, 447 0x391c0cb3c5c95a63UL, 0x4ed8aa4ae3418acbUL, 448 0x5b9cca4f7763e373UL, 0x682e6ff3d6b2b8a3UL, 449 0x748f82ee5defb2fcUL, 0x78a5636f43172f60UL, 450 0x84c87814a1f0ab72UL, 0x8cc702081a6439ecUL, 451 0x90befffa23631e28UL, 0xa4506cebde82bde9UL, 452 0xbef9a3f7b2c67915UL, 0xc67178f2e372532bUL, 453 0xca273eceea26619cUL, 0xd186b8c721c0c207UL, 454 0xeada7dd6cde0eb1eUL, 0xf57d4f7fee6ed178UL, 455 0x06f067aa72176fbaUL, 0x0a637dc5a2c898a6UL, 456 0x113f9804bef90daeUL, 0x1b710b35131c471bUL, 457 0x28db77f523047d84UL, 0x32caab7b40c72493UL, 458 0x3c9ebe0a15c9bebcUL, 0x431d67c49c100d4cUL, 459 0x4cc5d4becb3e42b6UL, 0x597f299cfc657e2aUL, 460 0x5fcb6fab3ad6faecUL, 0x6c44198c4a475817UL 461}; 462 463/* Initial hash value H for SHA-384: */ 464static const isc_uint64_t sha384_initial_hash_value[8] = { 465 0xcbbb9d5dc1059ed8UL, 466 0x629a292a367cd507UL, 467 0x9159015a3070dd17UL, 468 0x152fecd8f70e5939UL, 469 0x67332667ffc00b31UL, 470 0x8eb44a8768581511UL, 471 0xdb0c2e0d64f98fa7UL, 472 0x47b5481dbefa4fa4UL 473}; 474 475/* Initial hash value H for SHA-512: */ 476static const isc_uint64_t sha512_initial_hash_value[8] = { 477 0x6a09e667f3bcc908U, 478 0xbb67ae8584caa73bUL, 479 0x3c6ef372fe94f82bUL, 480 0xa54ff53a5f1d36f1UL, 481 0x510e527fade682d1UL, 482 0x9b05688c2b3e6c1fUL, 483 0x1f83d9abfb41bd6bUL, 484 0x5be0cd19137e2179UL 485}; 486#else 487/* Hash constant words K for SHA-384 and SHA-512: */ 488static const isc_uint64_t K512[80] = { 489 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 490 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 491 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 492 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 493 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 494 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 495 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 496 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 497 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 498 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 499 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 500 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 501 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 502 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 503 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 504 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 505 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 506 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 507 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 508 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 509 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 510 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 511 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 512 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 513 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 514 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 515 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 516 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 517 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 518 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 519 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 520 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 521 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 522 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 523 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 524 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 525 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 526 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 527 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 528 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 529}; 530 531/* Initial hash value H for SHA-384: */ 532static const isc_uint64_t sha384_initial_hash_value[8] = { 533 0xcbbb9d5dc1059ed8ULL, 534 0x629a292a367cd507ULL, 535 0x9159015a3070dd17ULL, 536 0x152fecd8f70e5939ULL, 537 0x67332667ffc00b31ULL, 538 0x8eb44a8768581511ULL, 539 0xdb0c2e0d64f98fa7ULL, 540 0x47b5481dbefa4fa4ULL 541}; 542 543/* Initial hash value H for SHA-512: */ 544static const isc_uint64_t sha512_initial_hash_value[8] = { 545 0x6a09e667f3bcc908ULL, 546 0xbb67ae8584caa73bULL, 547 0x3c6ef372fe94f82bULL, 548 0xa54ff53a5f1d36f1ULL, 549 0x510e527fade682d1ULL, 550 0x9b05688c2b3e6c1fULL, 551 0x1f83d9abfb41bd6bULL, 552 0x5be0cd19137e2179ULL 553}; 554#endif 555 556 557/*** SHA-224: *********************************************************/ 558void 559isc_sha224_init(isc_sha224_t *context) { 560 if (context == (isc_sha256_t *)0) { 561 return; 562 } 563 memmove(context->state, sha224_initial_hash_value, 564 ISC_SHA256_DIGESTLENGTH); 565 memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH); 566 context->bitcount = 0; 567} 568 569void 570isc_sha224_invalidate(isc_sha224_t *context) { 571 memset(context, 0, sizeof(isc_sha224_t)); 572} 573 574void 575isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { 576 isc_sha256_update((isc_sha256_t *)context, data, len); 577} 578 579void 580isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) { 581 isc_uint8_t sha256_digest[ISC_SHA256_DIGESTLENGTH]; 582 isc_sha256_final(sha256_digest, (isc_sha256_t *)context); 583 memmove(digest, sha256_digest, ISC_SHA224_DIGESTLENGTH); 584 memset(sha256_digest, 0, ISC_SHA256_DIGESTLENGTH); 585} 586 587/*** SHA-256: *********************************************************/ 588void 589isc_sha256_init(isc_sha256_t *context) { 590 if (context == (isc_sha256_t *)0) { 591 return; 592 } 593 memmove(context->state, sha256_initial_hash_value, 594 ISC_SHA256_DIGESTLENGTH); 595 memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH); 596 context->bitcount = 0; 597} 598 599void 600isc_sha256_invalidate(isc_sha256_t *context) { 601 memset(context, 0, sizeof(isc_sha256_t)); 602} 603 604#ifdef ISC_SHA2_UNROLL_TRANSFORM 605 606/* Unrolled SHA-256 round macros: */ 607 608#if BYTE_ORDER == LITTLE_ENDIAN 609 610#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 611 REVERSE32(*data++, W256[j]); \ 612 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 613 K256[j] + W256[j]; \ 614 (d) += T1; \ 615 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 616 j++ 617 618 619#else /* BYTE_ORDER == LITTLE_ENDIAN */ 620 621#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ 622 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ 623 K256[j] + (W256[j] = *data++); \ 624 (d) += T1; \ 625 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 626 j++ 627 628#endif /* BYTE_ORDER == LITTLE_ENDIAN */ 629 630#define ROUND256(a,b,c,d,e,f,g,h) \ 631 s0 = W256[(j+1)&0x0f]; \ 632 s0 = sigma0_256(s0); \ 633 s1 = W256[(j+14)&0x0f]; \ 634 s1 = sigma1_256(s1); \ 635 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ 636 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 637 (d) += T1; \ 638 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ 639 j++ 640 641void isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) { 642 isc_uint32_t a, b, c, d, e, f, g, h, s0, s1; 643 isc_uint32_t T1, *W256; 644 int j; 645 646 W256 = (isc_uint32_t*)context->buffer; 647 648 /* Initialize registers with the prev. intermediate value */ 649 a = context->state[0]; 650 b = context->state[1]; 651 c = context->state[2]; 652 d = context->state[3]; 653 e = context->state[4]; 654 f = context->state[5]; 655 g = context->state[6]; 656 h = context->state[7]; 657 658 j = 0; 659 do { 660 /* Rounds 0 to 15 (unrolled): */ 661 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 662 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 663 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 664 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 665 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 666 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 667 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 668 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 669 } while (j < 16); 670 671 /* Now for the remaining rounds to 64: */ 672 do { 673 ROUND256(a,b,c,d,e,f,g,h); 674 ROUND256(h,a,b,c,d,e,f,g); 675 ROUND256(g,h,a,b,c,d,e,f); 676 ROUND256(f,g,h,a,b,c,d,e); 677 ROUND256(e,f,g,h,a,b,c,d); 678 ROUND256(d,e,f,g,h,a,b,c); 679 ROUND256(c,d,e,f,g,h,a,b); 680 ROUND256(b,c,d,e,f,g,h,a); 681 } while (j < 64); 682 683 /* Compute the current intermediate hash value */ 684 context->state[0] += a; 685 context->state[1] += b; 686 context->state[2] += c; 687 context->state[3] += d; 688 context->state[4] += e; 689 context->state[5] += f; 690 context->state[6] += g; 691 context->state[7] += h; 692 693 /* Clean up */ 694 a = b = c = d = e = f = g = h = T1 = 0; 695 /* Avoid compiler warnings */ 696 POST(a); POST(b); POST(c); POST(d); POST(e); POST(f); 697 POST(g); POST(h); POST(T1); 698} 699 700#else /* ISC_SHA2_UNROLL_TRANSFORM */ 701 702void 703isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) { 704 isc_uint32_t a, b, c, d, e, f, g, h, s0, s1; 705 isc_uint32_t T1, T2, *W256; 706 int j; 707 708 W256 = (isc_uint32_t*)context->buffer; 709 710 /* Initialize registers with the prev. intermediate value */ 711 a = context->state[0]; 712 b = context->state[1]; 713 c = context->state[2]; 714 d = context->state[3]; 715 e = context->state[4]; 716 f = context->state[5]; 717 g = context->state[6]; 718 h = context->state[7]; 719 720 j = 0; 721 do { 722#if BYTE_ORDER == LITTLE_ENDIAN 723 /* Copy data while converting to host byte order */ 724 REVERSE32(*data++,W256[j]); 725 /* Apply the SHA-256 compression function to update a..h */ 726 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 727#else /* BYTE_ORDER == LITTLE_ENDIAN */ 728 /* Apply the SHA-256 compression function to update a..h with copy */ 729 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++); 730#endif /* BYTE_ORDER == LITTLE_ENDIAN */ 731 T2 = Sigma0_256(a) + Maj(a, b, c); 732 h = g; 733 g = f; 734 f = e; 735 e = d + T1; 736 d = c; 737 c = b; 738 b = a; 739 a = T1 + T2; 740 741 j++; 742 } while (j < 16); 743 744 do { 745 /* Part of the message block expansion: */ 746 s0 = W256[(j+1)&0x0f]; 747 s0 = sigma0_256(s0); 748 s1 = W256[(j+14)&0x0f]; 749 s1 = sigma1_256(s1); 750 751 /* Apply the SHA-256 compression function to update a..h */ 752 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 753 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 754 T2 = Sigma0_256(a) + Maj(a, b, c); 755 h = g; 756 g = f; 757 f = e; 758 e = d + T1; 759 d = c; 760 c = b; 761 b = a; 762 a = T1 + T2; 763 764 j++; 765 } while (j < 64); 766 767 /* Compute the current intermediate hash value */ 768 context->state[0] += a; 769 context->state[1] += b; 770 context->state[2] += c; 771 context->state[3] += d; 772 context->state[4] += e; 773 context->state[5] += f; 774 context->state[6] += g; 775 context->state[7] += h; 776 777 /* Clean up */ 778 a = b = c = d = e = f = g = h = T1 = T2 = 0; 779 /* Avoid compiler warnings */ 780 POST(a); POST(b); POST(c); POST(d); POST(e); POST(f); 781 POST(g); POST(h); POST(T1); POST(T2); 782} 783 784#endif /* ISC_SHA2_UNROLL_TRANSFORM */ 785 786void 787isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) { 788 unsigned int freespace, usedspace; 789 790 if (len == 0U) { 791 /* Calling with no data is valid - we do nothing */ 792 return; 793 } 794 795 /* Sanity check: */ 796 REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0); 797 798 usedspace = (unsigned int)((context->bitcount >> 3) % 799 ISC_SHA256_BLOCK_LENGTH); 800 if (usedspace > 0) { 801 /* Calculate how much free space is available in the buffer */ 802 freespace = ISC_SHA256_BLOCK_LENGTH - usedspace; 803 804 if (len >= freespace) { 805 /* Fill the buffer completely and process it */ 806 memmove(&context->buffer[usedspace], data, freespace); 807 context->bitcount += freespace << 3; 808 len -= freespace; 809 data += freespace; 810 isc_sha256_transform(context, 811 (isc_uint32_t*)context->buffer); 812 } else { 813 /* The buffer is not yet full */ 814 memmove(&context->buffer[usedspace], data, len); 815 context->bitcount += len << 3; 816 /* Clean up: */ 817 usedspace = freespace = 0; 818 /* Avoid compiler warnings: */ 819 POST(usedspace); POST(freespace); 820 return; 821 } 822 } 823 while (len >= ISC_SHA256_BLOCK_LENGTH) { 824 /* Process as many complete blocks as we can */ 825 memmove(context->buffer, data, ISC_SHA256_BLOCK_LENGTH); 826 isc_sha256_transform(context, (isc_uint32_t*)context->buffer); 827 context->bitcount += ISC_SHA256_BLOCK_LENGTH << 3; 828 len -= ISC_SHA256_BLOCK_LENGTH; 829 data += ISC_SHA256_BLOCK_LENGTH; 830 } 831 if (len > 0U) { 832 /* There's left-overs, so save 'em */ 833 memmove(context->buffer, data, len); 834 context->bitcount += len << 3; 835 } 836 /* Clean up: */ 837 usedspace = freespace = 0; 838 /* Avoid compiler warnings: */ 839 POST(usedspace); POST(freespace); 840} 841 842void 843isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) { 844 isc_uint32_t *d = (isc_uint32_t*)digest; 845 unsigned int usedspace; 846 847 /* Sanity check: */ 848 REQUIRE(context != (isc_sha256_t *)0); 849 850 /* If no digest buffer is passed, we don't bother doing this: */ 851 if (digest != (isc_uint8_t*)0) { 852 usedspace = (unsigned int)((context->bitcount >> 3) % 853 ISC_SHA256_BLOCK_LENGTH); 854#if BYTE_ORDER == LITTLE_ENDIAN 855 /* Convert FROM host byte order */ 856 REVERSE64(context->bitcount,context->bitcount); 857#endif 858 if (usedspace > 0) { 859 /* Begin padding with a 1 bit: */ 860 context->buffer[usedspace++] = 0x80; 861 862 if (usedspace <= ISC_SHA256_SHORT_BLOCK_LENGTH) { 863 /* Set-up for the last transform: */ 864 memset(&context->buffer[usedspace], 0, 865 ISC_SHA256_SHORT_BLOCK_LENGTH - usedspace); 866 } else { 867 if (usedspace < ISC_SHA256_BLOCK_LENGTH) { 868 memset(&context->buffer[usedspace], 0, 869 ISC_SHA256_BLOCK_LENGTH - 870 usedspace); 871 } 872 /* Do second-to-last transform: */ 873 isc_sha256_transform(context, 874 (isc_uint32_t*)context->buffer); 875 876 /* And set-up for the last transform: */ 877 memset(context->buffer, 0, 878 ISC_SHA256_SHORT_BLOCK_LENGTH); 879 } 880 } else { 881 /* Set-up for the last transform: */ 882 memset(context->buffer, 0, ISC_SHA256_SHORT_BLOCK_LENGTH); 883 884 /* Begin padding with a 1 bit: */ 885 *context->buffer = 0x80; 886 } 887 /* Set the bit count: */ 888 *(isc_uint64_t*)&context->buffer[ISC_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount; 889 890 /* Final transform: */ 891 isc_sha256_transform(context, (isc_uint32_t*)context->buffer); 892 893#if BYTE_ORDER == LITTLE_ENDIAN 894 { 895 /* Convert TO host byte order */ 896 int j; 897 for (j = 0; j < 8; j++) { 898 REVERSE32(context->state[j],context->state[j]); 899 *d++ = context->state[j]; 900 } 901 } 902#else 903 memmove(d, context->state, ISC_SHA256_DIGESTLENGTH); 904#endif 905 } 906 907 /* Clean up state data: */ 908 memset(context, 0, sizeof(*context)); 909 usedspace = 0; 910 POST(usedspace); 911} 912 913/*** SHA-512: *********************************************************/ 914void 915isc_sha512_init(isc_sha512_t *context) { 916 if (context == (isc_sha512_t *)0) { 917 return; 918 } 919 memmove(context->state, sha512_initial_hash_value, 920 ISC_SHA512_DIGESTLENGTH); 921 memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH); 922 context->bitcount[0] = context->bitcount[1] = 0; 923} 924 925void 926isc_sha512_invalidate(isc_sha512_t *context) { 927 memset(context, 0, sizeof(isc_sha512_t)); 928} 929 930#ifdef ISC_SHA2_UNROLL_TRANSFORM 931 932/* Unrolled SHA-512 round macros: */ 933#if BYTE_ORDER == LITTLE_ENDIAN 934 935#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 936 REVERSE64(*data++, W512[j]); \ 937 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 938 K512[j] + W512[j]; \ 939 (d) += T1, \ 940 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ 941 j++ 942 943 944#else /* BYTE_ORDER == LITTLE_ENDIAN */ 945 946#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ 947 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ 948 K512[j] + (W512[j] = *data++); \ 949 (d) += T1; \ 950 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 951 j++ 952 953#endif /* BYTE_ORDER == LITTLE_ENDIAN */ 954 955#define ROUND512(a,b,c,d,e,f,g,h) \ 956 s0 = W512[(j+1)&0x0f]; \ 957 s0 = sigma0_512(s0); \ 958 s1 = W512[(j+14)&0x0f]; \ 959 s1 = sigma1_512(s1); \ 960 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ 961 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 962 (d) += T1; \ 963 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ 964 j++ 965 966void isc_sha512_transform(isc_sha512_t *context, const isc_uint64_t* data) { 967 isc_uint64_t a, b, c, d, e, f, g, h, s0, s1; 968 isc_uint64_t T1, *W512 = (isc_uint64_t*)context->buffer; 969 int j; 970 971 /* Initialize registers with the prev. intermediate value */ 972 a = context->state[0]; 973 b = context->state[1]; 974 c = context->state[2]; 975 d = context->state[3]; 976 e = context->state[4]; 977 f = context->state[5]; 978 g = context->state[6]; 979 h = context->state[7]; 980 981 j = 0; 982 do { 983 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 984 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 985 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 986 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 987 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 988 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 989 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 990 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 991 } while (j < 16); 992 993 /* Now for the remaining rounds up to 79: */ 994 do { 995 ROUND512(a,b,c,d,e,f,g,h); 996 ROUND512(h,a,b,c,d,e,f,g); 997 ROUND512(g,h,a,b,c,d,e,f); 998 ROUND512(f,g,h,a,b,c,d,e); 999 ROUND512(e,f,g,h,a,b,c,d); 1000 ROUND512(d,e,f,g,h,a,b,c); 1001 ROUND512(c,d,e,f,g,h,a,b); 1002 ROUND512(b,c,d,e,f,g,h,a); 1003 } while (j < 80); 1004 1005 /* Compute the current intermediate hash value */ 1006 context->state[0] += a; 1007 context->state[1] += b; 1008 context->state[2] += c; 1009 context->state[3] += d; 1010 context->state[4] += e; 1011 context->state[5] += f; 1012 context->state[6] += g; 1013 context->state[7] += h; 1014 1015 /* Clean up */ 1016 a = b = c = d = e = f = g = h = T1 = 0; 1017 /* Avoid compiler warnings */ 1018 POST(a); POST(b); POST(c); POST(d); POST(e); POST(f); 1019 POST(g); POST(h); POST(T1); 1020} 1021 1022#else /* ISC_SHA2_UNROLL_TRANSFORM */ 1023 1024void 1025isc_sha512_transform(isc_sha512_t *context, const isc_uint64_t* data) { 1026 isc_uint64_t a, b, c, d, e, f, g, h, s0, s1; 1027 isc_uint64_t T1, T2, *W512 = (isc_uint64_t*)context->buffer; 1028 int j; 1029 1030 /* Initialize registers with the prev. intermediate value */ 1031 a = context->state[0]; 1032 b = context->state[1]; 1033 c = context->state[2]; 1034 d = context->state[3]; 1035 e = context->state[4]; 1036 f = context->state[5]; 1037 g = context->state[6]; 1038 h = context->state[7]; 1039 1040 j = 0; 1041 do { 1042#if BYTE_ORDER == LITTLE_ENDIAN 1043 /* Convert TO host byte order */ 1044 REVERSE64(*data++, W512[j]); 1045 /* Apply the SHA-512 compression function to update a..h */ 1046 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 1047#else /* BYTE_ORDER == LITTLE_ENDIAN */ 1048 /* Apply the SHA-512 compression function to update a..h with copy */ 1049 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++); 1050#endif /* BYTE_ORDER == LITTLE_ENDIAN */ 1051 T2 = Sigma0_512(a) + Maj(a, b, c); 1052 h = g; 1053 g = f; 1054 f = e; 1055 e = d + T1; 1056 d = c; 1057 c = b; 1058 b = a; 1059 a = T1 + T2; 1060 1061 j++; 1062 } while (j < 16); 1063 1064 do { 1065 /* Part of the message block expansion: */ 1066 s0 = W512[(j+1)&0x0f]; 1067 s0 = sigma0_512(s0); 1068 s1 = W512[(j+14)&0x0f]; 1069 s1 = sigma1_512(s1); 1070 1071 /* Apply the SHA-512 compression function to update a..h */ 1072 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 1073 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 1074 T2 = Sigma0_512(a) + Maj(a, b, c); 1075 h = g; 1076 g = f; 1077 f = e; 1078 e = d + T1; 1079 d = c; 1080 c = b; 1081 b = a; 1082 a = T1 + T2; 1083 1084 j++; 1085 } while (j < 80); 1086 1087 /* Compute the current intermediate hash value */ 1088 context->state[0] += a; 1089 context->state[1] += b; 1090 context->state[2] += c; 1091 context->state[3] += d; 1092 context->state[4] += e; 1093 context->state[5] += f; 1094 context->state[6] += g; 1095 context->state[7] += h; 1096 1097 /* Clean up */ 1098 a = b = c = d = e = f = g = h = T1 = T2 = 0; 1099 /* Avoid compiler warnings */ 1100 POST(a); POST(b); POST(c); POST(d); POST(e); POST(f); 1101 POST(g); POST(h); POST(T1); POST(T2); 1102} 1103 1104#endif /* ISC_SHA2_UNROLL_TRANSFORM */ 1105 1106void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) { 1107 unsigned int freespace, usedspace; 1108 1109 if (len == 0U) { 1110 /* Calling with no data is valid - we do nothing */ 1111 return; 1112 } 1113 1114 /* Sanity check: */ 1115 REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); 1116 1117 usedspace = (unsigned int)((context->bitcount[0] >> 3) % 1118 ISC_SHA512_BLOCK_LENGTH); 1119 if (usedspace > 0) { 1120 /* Calculate how much free space is available in the buffer */ 1121 freespace = ISC_SHA512_BLOCK_LENGTH - usedspace; 1122 1123 if (len >= freespace) { 1124 /* Fill the buffer completely and process it */ 1125 memmove(&context->buffer[usedspace], data, freespace); 1126 ADDINC128(context->bitcount, freespace << 3); 1127 len -= freespace; 1128 data += freespace; 1129 isc_sha512_transform(context, 1130 (isc_uint64_t*)context->buffer); 1131 } else { 1132 /* The buffer is not yet full */ 1133 memmove(&context->buffer[usedspace], data, len); 1134 ADDINC128(context->bitcount, len << 3); 1135 /* Clean up: */ 1136 usedspace = freespace = 0; 1137 /* Avoid compiler warnings: */ 1138 POST(usedspace); POST(freespace); 1139 return; 1140 } 1141 } 1142 while (len >= ISC_SHA512_BLOCK_LENGTH) { 1143 /* Process as many complete blocks as we can */ 1144 memmove(context->buffer, data, ISC_SHA512_BLOCK_LENGTH); 1145 isc_sha512_transform(context, (isc_uint64_t*)context->buffer); 1146 ADDINC128(context->bitcount, ISC_SHA512_BLOCK_LENGTH << 3); 1147 len -= ISC_SHA512_BLOCK_LENGTH; 1148 data += ISC_SHA512_BLOCK_LENGTH; 1149 } 1150 if (len > 0U) { 1151 /* There's left-overs, so save 'em */ 1152 memmove(context->buffer, data, len); 1153 ADDINC128(context->bitcount, len << 3); 1154 } 1155 /* Clean up: */ 1156 usedspace = freespace = 0; 1157 /* Avoid compiler warnings: */ 1158 POST(usedspace); POST(freespace); 1159} 1160 1161void isc_sha512_last(isc_sha512_t *context) { 1162 unsigned int usedspace; 1163 1164 usedspace = (unsigned int)((context->bitcount[0] >> 3) % 1165 ISC_SHA512_BLOCK_LENGTH); 1166#if BYTE_ORDER == LITTLE_ENDIAN 1167 /* Convert FROM host byte order */ 1168 REVERSE64(context->bitcount[0],context->bitcount[0]); 1169 REVERSE64(context->bitcount[1],context->bitcount[1]); 1170#endif 1171 if (usedspace > 0) { 1172 /* Begin padding with a 1 bit: */ 1173 context->buffer[usedspace++] = 0x80; 1174 1175 if (usedspace <= ISC_SHA512_SHORT_BLOCK_LENGTH) { 1176 /* Set-up for the last transform: */ 1177 memset(&context->buffer[usedspace], 0, 1178 ISC_SHA512_SHORT_BLOCK_LENGTH - usedspace); 1179 } else { 1180 if (usedspace < ISC_SHA512_BLOCK_LENGTH) { 1181 memset(&context->buffer[usedspace], 0, 1182 ISC_SHA512_BLOCK_LENGTH - usedspace); 1183 } 1184 /* Do second-to-last transform: */ 1185 isc_sha512_transform(context, 1186 (isc_uint64_t*)context->buffer); 1187 1188 /* And set-up for the last transform: */ 1189 memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH - 2); 1190 } 1191 } else { 1192 /* Prepare for final transform: */ 1193 memset(context->buffer, 0, ISC_SHA512_SHORT_BLOCK_LENGTH); 1194 1195 /* Begin padding with a 1 bit: */ 1196 *context->buffer = 0x80; 1197 } 1198 /* Store the length of input data (in bits): */ 1199 *(isc_uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1]; 1200 *(isc_uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0]; 1201 1202 /* Final transform: */ 1203 isc_sha512_transform(context, (isc_uint64_t*)context->buffer); 1204} 1205 1206void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { 1207 isc_uint64_t *d = (isc_uint64_t*)digest; 1208 1209 /* Sanity check: */ 1210 REQUIRE(context != (isc_sha512_t *)0); 1211 1212 /* If no digest buffer is passed, we don't bother doing this: */ 1213 if (digest != (isc_uint8_t*)0) { 1214 isc_sha512_last(context); 1215 1216 /* Save the hash data for output: */ 1217#if BYTE_ORDER == LITTLE_ENDIAN 1218 { 1219 /* Convert TO host byte order */ 1220 int j; 1221 for (j = 0; j < 8; j++) { 1222 REVERSE64(context->state[j],context->state[j]); 1223 *d++ = context->state[j]; 1224 } 1225 } 1226#else 1227 memmove(d, context->state, ISC_SHA512_DIGESTLENGTH); 1228#endif 1229 } 1230 1231 /* Zero out state data */ 1232 memset(context, 0, sizeof(*context)); 1233} 1234 1235 1236/*** SHA-384: *********************************************************/ 1237void 1238isc_sha384_init(isc_sha384_t *context) { 1239 if (context == (isc_sha384_t *)0) { 1240 return; 1241 } 1242 memmove(context->state, sha384_initial_hash_value, 1243 ISC_SHA512_DIGESTLENGTH); 1244 memset(context->buffer, 0, ISC_SHA384_BLOCK_LENGTH); 1245 context->bitcount[0] = context->bitcount[1] = 0; 1246} 1247 1248void 1249isc_sha384_invalidate(isc_sha384_t *context) { 1250 memset(context, 0, sizeof(isc_sha384_t)); 1251} 1252 1253void 1254isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) { 1255 isc_sha512_update((isc_sha512_t *)context, data, len); 1256} 1257 1258void 1259isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { 1260 isc_uint64_t *d = (isc_uint64_t*)digest; 1261 1262 /* Sanity check: */ 1263 REQUIRE(context != (isc_sha384_t *)0); 1264 1265 /* If no digest buffer is passed, we don't bother doing this: */ 1266 if (digest != (isc_uint8_t*)0) { 1267 isc_sha512_last((isc_sha512_t *)context); 1268 1269 /* Save the hash data for output: */ 1270#if BYTE_ORDER == LITTLE_ENDIAN 1271 { 1272 /* Convert TO host byte order */ 1273 int j; 1274 for (j = 0; j < 6; j++) { 1275 REVERSE64(context->state[j],context->state[j]); 1276 *d++ = context->state[j]; 1277 } 1278 } 1279#else 1280 memmove(d, context->state, ISC_SHA384_DIGESTLENGTH); 1281#endif 1282 } 1283 1284 /* Zero out state data */ 1285 memset(context, 0, sizeof(*context)); 1286} 1287#endif /* !ISC_PLATFORM_OPENSSLHASH */ 1288 1289/* 1290 * Constant used by SHA256/384/512_End() functions for converting the 1291 * digest to a readable hexadecimal character string: 1292 */ 1293static const char *sha2_hex_digits = "0123456789abcdef"; 1294 1295char * 1296isc_sha224_end(isc_sha224_t *context, char buffer[]) { 1297 isc_uint8_t digest[ISC_SHA224_DIGESTLENGTH], *d = digest; 1298 unsigned int i; 1299 1300 /* Sanity check: */ 1301 REQUIRE(context != (isc_sha224_t *)0); 1302 1303 if (buffer != (char*)0) { 1304 isc_sha224_final(digest, context); 1305 1306 for (i = 0; i < ISC_SHA224_DIGESTLENGTH; i++) { 1307 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 1308 *buffer++ = sha2_hex_digits[*d & 0x0f]; 1309 d++; 1310 } 1311 *buffer = (char)0; 1312 } else { 1313#ifdef ISC_PLATFORM_OPENSSLHASH 1314 EVP_MD_CTX_cleanup(context); 1315#else 1316 memset(context, 0, sizeof(*context)); 1317#endif 1318 } 1319 memset(digest, 0, ISC_SHA224_DIGESTLENGTH); 1320 return buffer; 1321} 1322 1323char * 1324isc_sha224_data(const isc_uint8_t *data, size_t len, 1325 char digest[ISC_SHA224_DIGESTSTRINGLENGTH]) 1326{ 1327 isc_sha224_t context; 1328 1329 isc_sha224_init(&context); 1330 isc_sha224_update(&context, data, len); 1331 return (isc_sha224_end(&context, digest)); 1332} 1333 1334char * 1335isc_sha256_end(isc_sha256_t *context, char buffer[]) { 1336 isc_uint8_t digest[ISC_SHA256_DIGESTLENGTH], *d = digest; 1337 unsigned int i; 1338 1339 /* Sanity check: */ 1340 REQUIRE(context != (isc_sha256_t *)0); 1341 1342 if (buffer != (char*)0) { 1343 isc_sha256_final(digest, context); 1344 1345 for (i = 0; i < ISC_SHA256_DIGESTLENGTH; i++) { 1346 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 1347 *buffer++ = sha2_hex_digits[*d & 0x0f]; 1348 d++; 1349 } 1350 *buffer = (char)0; 1351 } else { 1352#ifdef ISC_PLATFORM_OPENSSLHASH 1353 EVP_MD_CTX_cleanup(context); 1354#else 1355 memset(context, 0, sizeof(*context)); 1356#endif 1357 } 1358 memset(digest, 0, ISC_SHA256_DIGESTLENGTH); 1359 return buffer; 1360} 1361 1362char * 1363isc_sha256_data(const isc_uint8_t* data, size_t len, 1364 char digest[ISC_SHA256_DIGESTSTRINGLENGTH]) 1365{ 1366 isc_sha256_t context; 1367 1368 isc_sha256_init(&context); 1369 isc_sha256_update(&context, data, len); 1370 return (isc_sha256_end(&context, digest)); 1371} 1372 1373char * 1374isc_sha512_end(isc_sha512_t *context, char buffer[]) { 1375 isc_uint8_t digest[ISC_SHA512_DIGESTLENGTH], *d = digest; 1376 unsigned int i; 1377 1378 /* Sanity check: */ 1379 REQUIRE(context != (isc_sha512_t *)0); 1380 1381 if (buffer != (char*)0) { 1382 isc_sha512_final(digest, context); 1383 1384 for (i = 0; i < ISC_SHA512_DIGESTLENGTH; i++) { 1385 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 1386 *buffer++ = sha2_hex_digits[*d & 0x0f]; 1387 d++; 1388 } 1389 *buffer = (char)0; 1390 } else { 1391#ifdef ISC_PLATFORM_OPENSSLHASH 1392 EVP_MD_CTX_cleanup(context); 1393#else 1394 memset(context, 0, sizeof(*context)); 1395#endif 1396 } 1397 memset(digest, 0, ISC_SHA512_DIGESTLENGTH); 1398 return buffer; 1399} 1400 1401char * 1402isc_sha512_data(const isc_uint8_t *data, size_t len, 1403 char digest[ISC_SHA512_DIGESTSTRINGLENGTH]) 1404{ 1405 isc_sha512_t context; 1406 1407 isc_sha512_init(&context); 1408 isc_sha512_update(&context, data, len); 1409 return (isc_sha512_end(&context, digest)); 1410} 1411 1412char * 1413isc_sha384_end(isc_sha384_t *context, char buffer[]) { 1414 isc_uint8_t digest[ISC_SHA384_DIGESTLENGTH], *d = digest; 1415 unsigned int i; 1416 1417 /* Sanity check: */ 1418 REQUIRE(context != (isc_sha384_t *)0); 1419 1420 if (buffer != (char*)0) { 1421 isc_sha384_final(digest, context); 1422 1423 for (i = 0; i < ISC_SHA384_DIGESTLENGTH; i++) { 1424 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; 1425 *buffer++ = sha2_hex_digits[*d & 0x0f]; 1426 d++; 1427 } 1428 *buffer = (char)0; 1429 } else { 1430#ifdef ISC_PLATFORM_OPENSSLHASH 1431 EVP_MD_CTX_cleanup(context); 1432#else 1433 memset(context, 0, sizeof(*context)); 1434#endif 1435 } 1436 memset(digest, 0, ISC_SHA384_DIGESTLENGTH); 1437 return buffer; 1438} 1439 1440char * 1441isc_sha384_data(const isc_uint8_t *data, size_t len, 1442 char digest[ISC_SHA384_DIGESTSTRINGLENGTH]) 1443{ 1444 isc_sha384_t context; 1445 1446 isc_sha384_init(&context); 1447 isc_sha384_update(&context, data, len); 1448 return (isc_sha384_end(&context, digest)); 1449} 1450