1/* $OpenBSD: sha2.c,v 1.19 2021/03/12 10:22:46 jsg Exp $ */ 2 3/* 4 * FILE: sha2.c 5 * AUTHOR: Aaron D. Gifford <me@aarongifford.com> 6 * 7 * Copyright (c) 2000-2001, Aaron D. Gifford 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the copyright holder nor the names of contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ 35 */ 36 37#include <sys/time.h> 38#include <sys/systm.h> 39#include <crypto/sha2.h> 40 41/* 42 * UNROLLED TRANSFORM LOOP NOTE: 43 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform 44 * loop version for the hash transform rounds (defined using macros 45 * later in this file). Either define on the command line, for example: 46 * 47 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c 48 * 49 * or define below: 50 * 51 * #define SHA2_UNROLL_TRANSFORM 52 * 53 */ 54#ifndef SMALL_KERNEL 55#if defined(__amd64__) || defined(__i386__) 56#define SHA2_UNROLL_TRANSFORM 57#endif 58#endif 59 60/*** SHA-256/384/512 Machine Architecture Definitions *****************/ 61/* 62 * BYTE_ORDER NOTE: 63 * 64 * Please make sure that your system defines BYTE_ORDER. If your 65 * architecture is little-endian, make sure it also defines 66 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are 67 * equivalent. 68 * 69 * If your system does not define the above, then you can do so by 70 * hand like this: 71 * 72 * #define LITTLE_ENDIAN 1234 73 * #define BIG_ENDIAN 4321 74 * 75 * And for little-endian machines, add: 76 * 77 * #define BYTE_ORDER LITTLE_ENDIAN 78 * 79 * Or for big-endian machines: 80 * 81 * #define BYTE_ORDER BIG_ENDIAN 82 * 83 * The FreeBSD machine this was written on defines BYTE_ORDER 84 * appropriately by including <sys/types.h> (which in turn includes 85 * <machine/endian.h> where the appropriate definitions are actually 86 * made). 87 */ 88#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) 89#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN 90#endif 91 92 93/*** SHA-256/384/512 Various Length Definitions ***********************/ 94/* NOTE: Most of these are in sha2.h */ 95#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 96#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 97#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 98 99/* 100 * Macro for incrementally adding the unsigned 64-bit integer n to the 101 * unsigned 128-bit integer (represented using a two-element array of 102 * 64-bit words): 103 */ 104#define ADDINC128(w,n) { \ 105 (w)[0] += (u_int64_t)(n); \ 106 if ((w)[0] < (n)) { \ 107 (w)[1]++; \ 108 } \ 109} 110 111/*** THE SIX LOGICAL FUNCTIONS ****************************************/ 112/* 113 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 114 * 115 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 116 * S is a ROTATION) because the SHA-256/384/512 description document 117 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 118 * same "backwards" definition. 119 */ 120/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 121#define R(b,x) ((x) >> (b)) 122/* 32-bit Rotate-right (used in SHA-256): */ 123#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 124/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 125#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 126 127/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 128#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 129#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 130 131/* Four of six logical functions used in SHA-256: */ 132#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 133#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 134#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 135#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 136 137/* Four of six logical functions used in SHA-384 and SHA-512: */ 138#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 139#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 140#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 141#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 142 143/*** INTERNAL FUNCTION PROTOTYPES *************************************/ 144/* NOTE: These should not be accessed directly from outside this 145 * library -- they are intended for private internal visibility/use 146 * only. 147 */ 148void SHA512Last(SHA2_CTX *); 149void SHA256Transform(u_int32_t *, const u_int8_t *); 150void SHA512Transform(u_int64_t *, const u_int8_t *); 151 152 153/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 154/* Hash constant words K for SHA-256: */ 155const static u_int32_t K256[64] = { 156 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 157 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 158 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 159 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 160 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 161 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 162 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 163 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 164 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 165 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 166 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 167 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 168 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 169 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 170 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 171 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 172}; 173 174/* Initial hash value H for SHA-256: */ 175const static u_int32_t sha256_initial_hash_value[8] = { 176 0x6a09e667UL, 177 0xbb67ae85UL, 178 0x3c6ef372UL, 179 0xa54ff53aUL, 180 0x510e527fUL, 181 0x9b05688cUL, 182 0x1f83d9abUL, 183 0x5be0cd19UL 184}; 185 186/* Hash constant words K for SHA-384 and SHA-512: */ 187const static u_int64_t K512[80] = { 188 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 189 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 190 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 191 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 192 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 193 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 194 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 195 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 196 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 197 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 198 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 199 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 200 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 201 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 202 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 203 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 204 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 205 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 206 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 207 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 208 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 209 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 210 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 211 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 212 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 213 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 214 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 215 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 216 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 217 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 218 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 219 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 220 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 221 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 222 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 223 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 224 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 225 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 226 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 227 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 228}; 229 230/* Initial hash value H for SHA-384 */ 231const static u_int64_t sha384_initial_hash_value[8] = { 232 0xcbbb9d5dc1059ed8ULL, 233 0x629a292a367cd507ULL, 234 0x9159015a3070dd17ULL, 235 0x152fecd8f70e5939ULL, 236 0x67332667ffc00b31ULL, 237 0x8eb44a8768581511ULL, 238 0xdb0c2e0d64f98fa7ULL, 239 0x47b5481dbefa4fa4ULL 240}; 241 242/* Initial hash value H for SHA-512 */ 243const static u_int64_t sha512_initial_hash_value[8] = { 244 0x6a09e667f3bcc908ULL, 245 0xbb67ae8584caa73bULL, 246 0x3c6ef372fe94f82bULL, 247 0xa54ff53a5f1d36f1ULL, 248 0x510e527fade682d1ULL, 249 0x9b05688c2b3e6c1fULL, 250 0x1f83d9abfb41bd6bULL, 251 0x5be0cd19137e2179ULL 252}; 253 254 255/*** SHA-256: *********************************************************/ 256void 257SHA256Init(SHA2_CTX *context) 258{ 259 memcpy(context->state.st32, sha256_initial_hash_value, 260 SHA256_DIGEST_LENGTH); 261 memset(context->buffer, 0, SHA256_BLOCK_LENGTH); 262 context->bitcount[0] = 0; 263} 264 265#ifdef SHA2_UNROLL_TRANSFORM 266 267/* Unrolled SHA-256 round macros: */ 268 269#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \ 270 W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) | \ 271 ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24); \ 272 data += 4; \ 273 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \ 274 (d) += T1; \ 275 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ 276 j++; \ 277} while(0) 278 279#define ROUND256(a,b,c,d,e,f,g,h) do { \ 280 s0 = W256[(j+1)&0x0f]; \ 281 s0 = sigma0_256(s0); \ 282 s1 = W256[(j+14)&0x0f]; \ 283 s1 = sigma1_256(s1); \ 284 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \ 285 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 286 (d) += T1; \ 287 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ 288 j++; \ 289} while(0) 290 291void 292SHA256Transform(u_int32_t *state, const u_int8_t *data) 293{ 294 u_int32_t a, b, c, d, e, f, g, h, s0, s1; 295 u_int32_t T1, W256[16]; 296 int j; 297 298 /* Initialize registers with the prev. intermediate value */ 299 a = state[0]; 300 b = state[1]; 301 c = state[2]; 302 d = state[3]; 303 e = state[4]; 304 f = state[5]; 305 g = state[6]; 306 h = state[7]; 307 308 j = 0; 309 do { 310 /* Rounds 0 to 15 (unrolled): */ 311 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 312 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 313 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 314 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 315 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 316 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 317 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 318 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 319 } while (j < 16); 320 321 /* Now for the remaining rounds to 64: */ 322 do { 323 ROUND256(a,b,c,d,e,f,g,h); 324 ROUND256(h,a,b,c,d,e,f,g); 325 ROUND256(g,h,a,b,c,d,e,f); 326 ROUND256(f,g,h,a,b,c,d,e); 327 ROUND256(e,f,g,h,a,b,c,d); 328 ROUND256(d,e,f,g,h,a,b,c); 329 ROUND256(c,d,e,f,g,h,a,b); 330 ROUND256(b,c,d,e,f,g,h,a); 331 } while (j < 64); 332 333 /* Compute the current intermediate hash value */ 334 state[0] += a; 335 state[1] += b; 336 state[2] += c; 337 state[3] += d; 338 state[4] += e; 339 state[5] += f; 340 state[6] += g; 341 state[7] += h; 342 343 /* Clean up */ 344 a = b = c = d = e = f = g = h = T1 = 0; 345} 346 347#else /* SHA2_UNROLL_TRANSFORM */ 348 349void 350SHA256Transform(u_int32_t *state, const u_int8_t *data) 351{ 352 u_int32_t a, b, c, d, e, f, g, h, s0, s1; 353 u_int32_t T1, T2, W256[16]; 354 int j; 355 356 /* Initialize registers with the prev. intermediate value */ 357 a = state[0]; 358 b = state[1]; 359 c = state[2]; 360 d = state[3]; 361 e = state[4]; 362 f = state[5]; 363 g = state[6]; 364 h = state[7]; 365 366 j = 0; 367 do { 368 W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) | 369 ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24); 370 data += 4; 371 /* Apply the SHA-256 compression function to update a..h */ 372 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 373 T2 = Sigma0_256(a) + Maj(a, b, c); 374 h = g; 375 g = f; 376 f = e; 377 e = d + T1; 378 d = c; 379 c = b; 380 b = a; 381 a = T1 + T2; 382 383 j++; 384 } while (j < 16); 385 386 do { 387 /* Part of the message block expansion: */ 388 s0 = W256[(j+1)&0x0f]; 389 s0 = sigma0_256(s0); 390 s1 = W256[(j+14)&0x0f]; 391 s1 = sigma1_256(s1); 392 393 /* Apply the SHA-256 compression function to update a..h */ 394 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 395 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 396 T2 = Sigma0_256(a) + Maj(a, b, c); 397 h = g; 398 g = f; 399 f = e; 400 e = d + T1; 401 d = c; 402 c = b; 403 b = a; 404 a = T1 + T2; 405 406 j++; 407 } while (j < 64); 408 409 /* Compute the current intermediate hash value */ 410 state[0] += a; 411 state[1] += b; 412 state[2] += c; 413 state[3] += d; 414 state[4] += e; 415 state[5] += f; 416 state[6] += g; 417 state[7] += h; 418 419 /* Clean up */ 420 a = b = c = d = e = f = g = h = T1 = T2 = 0; 421} 422 423#endif /* SHA2_UNROLL_TRANSFORM */ 424 425void 426SHA256Update(SHA2_CTX *context, const void *dataptr, size_t len) 427{ 428 const uint8_t *data = dataptr; 429 size_t freespace, usedspace; 430 431 /* Calling with no data is valid (we do nothing) */ 432 if (len == 0) 433 return; 434 435 usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; 436 if (usedspace > 0) { 437 /* Calculate how much free space is available in the buffer */ 438 freespace = SHA256_BLOCK_LENGTH - usedspace; 439 440 if (len >= freespace) { 441 /* Fill the buffer completely and process it */ 442 memcpy(&context->buffer[usedspace], data, freespace); 443 context->bitcount[0] += freespace << 3; 444 len -= freespace; 445 data += freespace; 446 SHA256Transform(context->state.st32, context->buffer); 447 } else { 448 /* The buffer is not yet full */ 449 memcpy(&context->buffer[usedspace], data, len); 450 context->bitcount[0] += len << 3; 451 /* Clean up: */ 452 usedspace = freespace = 0; 453 return; 454 } 455 } 456 while (len >= SHA256_BLOCK_LENGTH) { 457 /* Process as many complete blocks as we can */ 458 SHA256Transform(context->state.st32, data); 459 context->bitcount[0] += SHA256_BLOCK_LENGTH << 3; 460 len -= SHA256_BLOCK_LENGTH; 461 data += SHA256_BLOCK_LENGTH; 462 } 463 if (len > 0) { 464 /* There's left-overs, so save 'em */ 465 memcpy(context->buffer, data, len); 466 context->bitcount[0] += len << 3; 467 } 468 /* Clean up: */ 469 usedspace = freespace = 0; 470} 471 472void 473SHA256Final(u_int8_t digest[], SHA2_CTX *context) 474{ 475 unsigned int usedspace; 476 477 usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH; 478#if BYTE_ORDER == LITTLE_ENDIAN 479 /* Convert FROM host byte order */ 480 context->bitcount[0] = swap64(context->bitcount[0]); 481#endif 482 if (usedspace > 0) { 483 /* Begin padding with a 1 bit: */ 484 context->buffer[usedspace++] = 0x80; 485 486 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 487 /* Set-up for the last transform: */ 488 memset(&context->buffer[usedspace], 0, 489 SHA256_SHORT_BLOCK_LENGTH - usedspace); 490 } else { 491 if (usedspace < SHA256_BLOCK_LENGTH) { 492 memset(&context->buffer[usedspace], 0, 493 SHA256_BLOCK_LENGTH - usedspace); 494 } 495 /* Do second-to-last transform: */ 496 SHA256Transform(context->state.st32, context->buffer); 497 498 /* And set-up for the last transform: */ 499 memset(context->buffer, 0, 500 SHA256_SHORT_BLOCK_LENGTH); 501 } 502 } else { 503 /* Set-up for the last transform: */ 504 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); 505 506 /* Begin padding with a 1 bit: */ 507 *context->buffer = 0x80; 508 } 509 /* Set the bit count: */ 510 *(u_int64_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount[0]; 511 512 /* Final transform: */ 513 SHA256Transform(context->state.st32, context->buffer); 514 515#if BYTE_ORDER == LITTLE_ENDIAN 516 { 517 /* Convert TO host byte order */ 518 int j; 519 for (j = 0; j < 8; j++) { 520 context->state.st32[j] = swap32(context->state.st32[j]); 521 } 522 } 523#endif 524 memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH); 525 /* Clean up state data: */ 526 explicit_bzero(context, sizeof(*context)); 527 usedspace = 0; 528} 529 530 531/*** SHA-512: *********************************************************/ 532void 533SHA512Init(SHA2_CTX *context) 534{ 535 memcpy(context->state.st64, sha512_initial_hash_value, 536 SHA512_DIGEST_LENGTH); 537 memset(context->buffer, 0, SHA512_BLOCK_LENGTH); 538 context->bitcount[0] = context->bitcount[1] = 0; 539} 540 541#ifdef SHA2_UNROLL_TRANSFORM 542 543/* Unrolled SHA-512 round macros: */ 544 545#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \ 546 W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) | \ 547 ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) | \ 548 ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) | \ 549 ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56); \ 550 data += 8; \ 551 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \ 552 (d) += T1; \ 553 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ 554 j++; \ 555} while(0) 556 557 558#define ROUND512(a,b,c,d,e,f,g,h) do { \ 559 s0 = W512[(j+1)&0x0f]; \ 560 s0 = sigma0_512(s0); \ 561 s1 = W512[(j+14)&0x0f]; \ 562 s1 = sigma1_512(s1); \ 563 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \ 564 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 565 (d) += T1; \ 566 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ 567 j++; \ 568} while(0) 569 570void 571SHA512Transform(u_int64_t *state, const u_int8_t *data) 572{ 573 u_int64_t a, b, c, d, e, f, g, h, s0, s1; 574 u_int64_t T1, W512[16]; 575 int j; 576 577 /* Initialize registers with the prev. intermediate value */ 578 a = state[0]; 579 b = state[1]; 580 c = state[2]; 581 d = state[3]; 582 e = state[4]; 583 f = state[5]; 584 g = state[6]; 585 h = state[7]; 586 587 j = 0; 588 do { 589 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 590 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 591 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 592 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 593 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 594 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 595 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 596 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 597 } while (j < 16); 598 599 /* Now for the remaining rounds up to 79: */ 600 do { 601 ROUND512(a,b,c,d,e,f,g,h); 602 ROUND512(h,a,b,c,d,e,f,g); 603 ROUND512(g,h,a,b,c,d,e,f); 604 ROUND512(f,g,h,a,b,c,d,e); 605 ROUND512(e,f,g,h,a,b,c,d); 606 ROUND512(d,e,f,g,h,a,b,c); 607 ROUND512(c,d,e,f,g,h,a,b); 608 ROUND512(b,c,d,e,f,g,h,a); 609 } while (j < 80); 610 611 /* Compute the current intermediate hash value */ 612 state[0] += a; 613 state[1] += b; 614 state[2] += c; 615 state[3] += d; 616 state[4] += e; 617 state[5] += f; 618 state[6] += g; 619 state[7] += h; 620 621 /* Clean up */ 622 a = b = c = d = e = f = g = h = T1 = 0; 623} 624 625#else /* SHA2_UNROLL_TRANSFORM */ 626 627void 628SHA512Transform(u_int64_t *state, const u_int8_t *data) 629{ 630 u_int64_t a, b, c, d, e, f, g, h, s0, s1; 631 u_int64_t T1, T2, W512[16]; 632 int j; 633 634 /* Initialize registers with the prev. intermediate value */ 635 a = state[0]; 636 b = state[1]; 637 c = state[2]; 638 d = state[3]; 639 e = state[4]; 640 f = state[5]; 641 g = state[6]; 642 h = state[7]; 643 644 j = 0; 645 do { 646 W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) | 647 ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) | 648 ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) | 649 ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56); 650 data += 8; 651 /* Apply the SHA-512 compression function to update a..h */ 652 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 653 T2 = Sigma0_512(a) + Maj(a, b, c); 654 h = g; 655 g = f; 656 f = e; 657 e = d + T1; 658 d = c; 659 c = b; 660 b = a; 661 a = T1 + T2; 662 663 j++; 664 } while (j < 16); 665 666 do { 667 /* Part of the message block expansion: */ 668 s0 = W512[(j+1)&0x0f]; 669 s0 = sigma0_512(s0); 670 s1 = W512[(j+14)&0x0f]; 671 s1 = sigma1_512(s1); 672 673 /* Apply the SHA-512 compression function to update a..h */ 674 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 675 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 676 T2 = Sigma0_512(a) + Maj(a, b, c); 677 h = g; 678 g = f; 679 f = e; 680 e = d + T1; 681 d = c; 682 c = b; 683 b = a; 684 a = T1 + T2; 685 686 j++; 687 } while (j < 80); 688 689 /* Compute the current intermediate hash value */ 690 state[0] += a; 691 state[1] += b; 692 state[2] += c; 693 state[3] += d; 694 state[4] += e; 695 state[5] += f; 696 state[6] += g; 697 state[7] += h; 698 699 /* Clean up */ 700 a = b = c = d = e = f = g = h = T1 = T2 = 0; 701} 702 703#endif /* SHA2_UNROLL_TRANSFORM */ 704 705void 706SHA512Update(SHA2_CTX *context, const void *dataptr, size_t len) 707{ 708 const uint8_t *data = dataptr; 709 size_t freespace, usedspace; 710 711 /* Calling with no data is valid (we do nothing) */ 712 if (len == 0) 713 return; 714 715 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 716 if (usedspace > 0) { 717 /* Calculate how much free space is available in the buffer */ 718 freespace = SHA512_BLOCK_LENGTH - usedspace; 719 720 if (len >= freespace) { 721 /* Fill the buffer completely and process it */ 722 memcpy(&context->buffer[usedspace], data, freespace); 723 ADDINC128(context->bitcount, freespace << 3); 724 len -= freespace; 725 data += freespace; 726 SHA512Transform(context->state.st64, context->buffer); 727 } else { 728 /* The buffer is not yet full */ 729 memcpy(&context->buffer[usedspace], data, len); 730 ADDINC128(context->bitcount, len << 3); 731 /* Clean up: */ 732 usedspace = freespace = 0; 733 return; 734 } 735 } 736 while (len >= SHA512_BLOCK_LENGTH) { 737 /* Process as many complete blocks as we can */ 738 SHA512Transform(context->state.st64, data); 739 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 740 len -= SHA512_BLOCK_LENGTH; 741 data += SHA512_BLOCK_LENGTH; 742 } 743 if (len > 0) { 744 /* There's left-overs, so save 'em */ 745 memcpy(context->buffer, data, len); 746 ADDINC128(context->bitcount, len << 3); 747 } 748 /* Clean up: */ 749 usedspace = freespace = 0; 750} 751 752void 753SHA512Last(SHA2_CTX *context) 754{ 755 unsigned int usedspace; 756 757 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 758#if BYTE_ORDER == LITTLE_ENDIAN 759 /* Convert FROM host byte order */ 760 context->bitcount[0] = swap64(context->bitcount[0]); 761 context->bitcount[1] = swap64(context->bitcount[1]); 762#endif 763 if (usedspace > 0) { 764 /* Begin padding with a 1 bit: */ 765 context->buffer[usedspace++] = 0x80; 766 767 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 768 /* Set-up for the last transform: */ 769 memset(&context->buffer[usedspace], 0, 770 SHA512_SHORT_BLOCK_LENGTH - usedspace); 771 } else { 772 if (usedspace < SHA512_BLOCK_LENGTH) { 773 memset(&context->buffer[usedspace], 0, 774 SHA512_BLOCK_LENGTH - usedspace); 775 } 776 /* Do second-to-last transform: */ 777 SHA512Transform(context->state.st64, context->buffer); 778 779 /* And set-up for the last transform: */ 780 memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2); 781 } 782 } else { 783 /* Prepare for final transform: */ 784 memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH); 785 786 /* Begin padding with a 1 bit: */ 787 *context->buffer = 0x80; 788 } 789 /* Store the length of input data (in bits): */ 790 *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1]; 791 *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0]; 792 793 /* Final transform: */ 794 SHA512Transform(context->state.st64, context->buffer); 795} 796 797void 798SHA512Final(u_int8_t digest[], SHA2_CTX *context) 799{ 800 801 SHA512Last(context); 802 803 /* Save the hash data for output: */ 804#if BYTE_ORDER == LITTLE_ENDIAN 805 { 806 /* Convert TO host byte order */ 807 int j; 808 for (j = 0; j < 8; j++) { 809 context->state.st64[j] = swap64(context->state.st64[j]); 810 } 811 } 812#endif 813 memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH); 814 815 /* Zero out state data */ 816 explicit_bzero(context, sizeof(*context)); 817} 818 819 820/*** SHA-384: *********************************************************/ 821void 822SHA384Init(SHA2_CTX *context) 823{ 824 memcpy(context->state.st64, sha384_initial_hash_value, 825 SHA512_DIGEST_LENGTH); 826 memset(context->buffer, 0, SHA384_BLOCK_LENGTH); 827 context->bitcount[0] = context->bitcount[1] = 0; 828} 829 830void 831SHA384Update(SHA2_CTX *context, const void *data, size_t len) 832{ 833 SHA512Update(context, data, len); 834} 835 836void 837SHA384Final(u_int8_t digest[], SHA2_CTX *context) 838{ 839 840 SHA512Last(context); 841 842 /* Save the hash data for output: */ 843#if BYTE_ORDER == LITTLE_ENDIAN 844 { 845 /* Convert TO host byte order */ 846 int j; 847 for (j = 0; j < 6; j++) { 848 context->state.st64[j] = swap64(context->state.st64[j]); 849 } 850 } 851#endif 852 memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH); 853 /* Zero out state data */ 854 explicit_bzero(context, sizeof(*context)); 855} 856