1/* from OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp */ 2 3/* 4 * FILE: sha2.c 5 * AUTHOR: Aaron D. Gifford <me@aarongifford.com> 6 * 7 * Copyright (c) 2000-2001, Aaron D. Gifford 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the copyright holder nor the names of contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ 35 */ 36 37/* OPENBSD ORIGINAL: lib/libc/hash/sha2.c */ 38 39#include "includes.h" 40 41#ifdef __APPLE_CRYPTO__ 42#include "ossl-crypto.h" 43#else 44#include <openssl/opensslv.h> 45#endif 46 47#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ 48 (OPENSSL_VERSION_NUMBER >= 0x00907000L) 49#include <sys/types.h> 50#include <string.h> 51#include "sha2.h" 52 53/* 54 * UNROLLED TRANSFORM LOOP NOTE: 55 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform 56 * loop version for the hash transform rounds (defined using macros 57 * later in this file). Either define on the command line, for example: 58 * 59 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c 60 * 61 * or define below: 62 * 63 * #define SHA2_UNROLL_TRANSFORM 64 * 65 */ 66 67/*** SHA-256/384/512 Machine Architecture Definitions *****************/ 68/* 69 * BYTE_ORDER NOTE: 70 * 71 * Please make sure that your system defines BYTE_ORDER. If your 72 * architecture is little-endian, make sure it also defines 73 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are 74 * equivilent. 75 * 76 * If your system does not define the above, then you can do so by 77 * hand like this: 78 * 79 * #define LITTLE_ENDIAN 1234 80 * #define BIG_ENDIAN 4321 81 * 82 * And for little-endian machines, add: 83 * 84 * #define BYTE_ORDER LITTLE_ENDIAN 85 * 86 * Or for big-endian machines: 87 * 88 * #define BYTE_ORDER BIG_ENDIAN 89 * 90 * The FreeBSD machine this was written on defines BYTE_ORDER 91 * appropriately by including <sys/types.h> (which in turn includes 92 * <machine/endian.h> where the appropriate definitions are actually 93 * made). 94 */ 95#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) 96#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN 97#endif 98 99 100/*** SHA-256/384/512 Various Length Definitions ***********************/ 101/* NOTE: Most of these are in sha2.h */ 102#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) 103#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) 104#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) 105 106/*** ENDIAN SPECIFIC COPY MACROS **************************************/ 107#define BE_8_TO_32(dst, cp) do { \ 108 (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) | \ 109 ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24); \ 110} while(0) 111 112#define BE_8_TO_64(dst, cp) do { \ 113 (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) | \ 114 ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) | \ 115 ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) | \ 116 ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56); \ 117} while (0) 118 119#define BE_64_TO_8(cp, src) do { \ 120 (cp)[0] = (src) >> 56; \ 121 (cp)[1] = (src) >> 48; \ 122 (cp)[2] = (src) >> 40; \ 123 (cp)[3] = (src) >> 32; \ 124 (cp)[4] = (src) >> 24; \ 125 (cp)[5] = (src) >> 16; \ 126 (cp)[6] = (src) >> 8; \ 127 (cp)[7] = (src); \ 128} while (0) 129 130#define BE_32_TO_8(cp, src) do { \ 131 (cp)[0] = (src) >> 24; \ 132 (cp)[1] = (src) >> 16; \ 133 (cp)[2] = (src) >> 8; \ 134 (cp)[3] = (src); \ 135} while (0) 136 137/* 138 * Macro for incrementally adding the unsigned 64-bit integer n to the 139 * unsigned 128-bit integer (represented using a two-element array of 140 * 64-bit words): 141 */ 142#define ADDINC128(w,n) do { \ 143 (w)[0] += (u_int64_t)(n); \ 144 if ((w)[0] < (n)) { \ 145 (w)[1]++; \ 146 } \ 147} while (0) 148 149/*** THE SIX LOGICAL FUNCTIONS ****************************************/ 150/* 151 * Bit shifting and rotation (used by the six SHA-XYZ logical functions: 152 * 153 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and 154 * S is a ROTATION) because the SHA-256/384/512 description document 155 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this 156 * same "backwards" definition. 157 */ 158/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ 159#define R(b,x) ((x) >> (b)) 160/* 32-bit Rotate-right (used in SHA-256): */ 161#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) 162/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ 163#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) 164 165/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ 166#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) 167#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) 168 169/* Four of six logical functions used in SHA-256: */ 170#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) 171#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) 172#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) 173#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) 174 175/* Four of six logical functions used in SHA-384 and SHA-512: */ 176#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) 177#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) 178#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) 179#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) 180 181 182/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ 183/* Hash constant words K for SHA-256: */ 184const static u_int32_t K256[64] = { 185 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 186 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 187 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 188 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 189 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 190 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 191 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 192 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 193 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 194 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 195 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 196 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 197 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 198 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 199 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 200 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL 201}; 202 203/* Initial hash value H for SHA-256: */ 204const static u_int32_t sha256_initial_hash_value[8] = { 205 0x6a09e667UL, 206 0xbb67ae85UL, 207 0x3c6ef372UL, 208 0xa54ff53aUL, 209 0x510e527fUL, 210 0x9b05688cUL, 211 0x1f83d9abUL, 212 0x5be0cd19UL 213}; 214 215/* Hash constant words K for SHA-384 and SHA-512: */ 216const static u_int64_t K512[80] = { 217 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 218 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, 219 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 220 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 221 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 222 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, 223 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 224 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, 225 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 226 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 227 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 228 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, 229 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 230 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, 231 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 232 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 233 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 234 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, 235 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 236 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, 237 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 238 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 239 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 240 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, 241 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 242 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, 243 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 244 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 245 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 246 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, 247 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 248 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, 249 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 250 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 251 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 252 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, 253 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 254 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, 255 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 256 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL 257}; 258 259/* Initial hash value H for SHA-384 */ 260const static u_int64_t sha384_initial_hash_value[8] = { 261 0xcbbb9d5dc1059ed8ULL, 262 0x629a292a367cd507ULL, 263 0x9159015a3070dd17ULL, 264 0x152fecd8f70e5939ULL, 265 0x67332667ffc00b31ULL, 266 0x8eb44a8768581511ULL, 267 0xdb0c2e0d64f98fa7ULL, 268 0x47b5481dbefa4fa4ULL 269}; 270 271/* Initial hash value H for SHA-512 */ 272const static u_int64_t sha512_initial_hash_value[8] = { 273 0x6a09e667f3bcc908ULL, 274 0xbb67ae8584caa73bULL, 275 0x3c6ef372fe94f82bULL, 276 0xa54ff53a5f1d36f1ULL, 277 0x510e527fade682d1ULL, 278 0x9b05688c2b3e6c1fULL, 279 0x1f83d9abfb41bd6bULL, 280 0x5be0cd19137e2179ULL 281}; 282 283 284/*** SHA-256: *********************************************************/ 285void 286SHA256_Init(SHA256_CTX *context) 287{ 288 if (context == NULL) 289 return; 290 memcpy(context->state, sha256_initial_hash_value, 291 sizeof(sha256_initial_hash_value)); 292 memset(context->buffer, 0, sizeof(context->buffer)); 293 context->bitcount = 0; 294} 295 296#ifdef SHA2_UNROLL_TRANSFORM 297 298/* Unrolled SHA-256 round macros: */ 299 300#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \ 301 BE_8_TO_32(W256[j], data); \ 302 data += 4; \ 303 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \ 304 (d) += T1; \ 305 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ 306 j++; \ 307} while(0) 308 309#define ROUND256(a,b,c,d,e,f,g,h) do { \ 310 s0 = W256[(j+1)&0x0f]; \ 311 s0 = sigma0_256(s0); \ 312 s1 = W256[(j+14)&0x0f]; \ 313 s1 = sigma1_256(s1); \ 314 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \ 315 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ 316 (d) += T1; \ 317 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ 318 j++; \ 319} while(0) 320 321void 322SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) 323{ 324 u_int32_t a, b, c, d, e, f, g, h, s0, s1; 325 u_int32_t T1, W256[16]; 326 int j; 327 328 /* Initialize registers with the prev. intermediate value */ 329 a = state[0]; 330 b = state[1]; 331 c = state[2]; 332 d = state[3]; 333 e = state[4]; 334 f = state[5]; 335 g = state[6]; 336 h = state[7]; 337 338 j = 0; 339 do { 340 /* Rounds 0 to 15 (unrolled): */ 341 ROUND256_0_TO_15(a,b,c,d,e,f,g,h); 342 ROUND256_0_TO_15(h,a,b,c,d,e,f,g); 343 ROUND256_0_TO_15(g,h,a,b,c,d,e,f); 344 ROUND256_0_TO_15(f,g,h,a,b,c,d,e); 345 ROUND256_0_TO_15(e,f,g,h,a,b,c,d); 346 ROUND256_0_TO_15(d,e,f,g,h,a,b,c); 347 ROUND256_0_TO_15(c,d,e,f,g,h,a,b); 348 ROUND256_0_TO_15(b,c,d,e,f,g,h,a); 349 } while (j < 16); 350 351 /* Now for the remaining rounds up to 63: */ 352 do { 353 ROUND256(a,b,c,d,e,f,g,h); 354 ROUND256(h,a,b,c,d,e,f,g); 355 ROUND256(g,h,a,b,c,d,e,f); 356 ROUND256(f,g,h,a,b,c,d,e); 357 ROUND256(e,f,g,h,a,b,c,d); 358 ROUND256(d,e,f,g,h,a,b,c); 359 ROUND256(c,d,e,f,g,h,a,b); 360 ROUND256(b,c,d,e,f,g,h,a); 361 } while (j < 64); 362 363 /* Compute the current intermediate hash value */ 364 state[0] += a; 365 state[1] += b; 366 state[2] += c; 367 state[3] += d; 368 state[4] += e; 369 state[5] += f; 370 state[6] += g; 371 state[7] += h; 372 373 /* Clean up */ 374 a = b = c = d = e = f = g = h = T1 = 0; 375} 376 377#else /* SHA2_UNROLL_TRANSFORM */ 378 379void 380SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) 381{ 382 u_int32_t a, b, c, d, e, f, g, h, s0, s1; 383 u_int32_t T1, T2, W256[16]; 384 int j; 385 386 /* Initialize registers with the prev. intermediate value */ 387 a = state[0]; 388 b = state[1]; 389 c = state[2]; 390 d = state[3]; 391 e = state[4]; 392 f = state[5]; 393 g = state[6]; 394 h = state[7]; 395 396 j = 0; 397 do { 398 BE_8_TO_32(W256[j], data); 399 data += 4; 400 /* Apply the SHA-256 compression function to update a..h */ 401 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; 402 T2 = Sigma0_256(a) + Maj(a, b, c); 403 h = g; 404 g = f; 405 f = e; 406 e = d + T1; 407 d = c; 408 c = b; 409 b = a; 410 a = T1 + T2; 411 412 j++; 413 } while (j < 16); 414 415 do { 416 /* Part of the message block expansion: */ 417 s0 = W256[(j+1)&0x0f]; 418 s0 = sigma0_256(s0); 419 s1 = W256[(j+14)&0x0f]; 420 s1 = sigma1_256(s1); 421 422 /* Apply the SHA-256 compression function to update a..h */ 423 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 424 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); 425 T2 = Sigma0_256(a) + Maj(a, b, c); 426 h = g; 427 g = f; 428 f = e; 429 e = d + T1; 430 d = c; 431 c = b; 432 b = a; 433 a = T1 + T2; 434 435 j++; 436 } while (j < 64); 437 438 /* Compute the current intermediate hash value */ 439 state[0] += a; 440 state[1] += b; 441 state[2] += c; 442 state[3] += d; 443 state[4] += e; 444 state[5] += f; 445 state[6] += g; 446 state[7] += h; 447 448 /* Clean up */ 449 a = b = c = d = e = f = g = h = T1 = T2 = 0; 450} 451 452#endif /* SHA2_UNROLL_TRANSFORM */ 453 454void 455SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len) 456{ 457 size_t freespace, usedspace; 458 459 /* Calling with no data is valid (we do nothing) */ 460 if (len == 0) 461 return; 462 463 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; 464 if (usedspace > 0) { 465 /* Calculate how much free space is available in the buffer */ 466 freespace = SHA256_BLOCK_LENGTH - usedspace; 467 468 if (len >= freespace) { 469 /* Fill the buffer completely and process it */ 470 memcpy(&context->buffer[usedspace], data, freespace); 471 context->bitcount += freespace << 3; 472 len -= freespace; 473 data += freespace; 474 SHA256_Transform(context->state, context->buffer); 475 } else { 476 /* The buffer is not yet full */ 477 memcpy(&context->buffer[usedspace], data, len); 478 context->bitcount += len << 3; 479 /* Clean up: */ 480 usedspace = freespace = 0; 481 return; 482 } 483 } 484 while (len >= SHA256_BLOCK_LENGTH) { 485 /* Process as many complete blocks as we can */ 486 SHA256_Transform(context->state, data); 487 context->bitcount += SHA256_BLOCK_LENGTH << 3; 488 len -= SHA256_BLOCK_LENGTH; 489 data += SHA256_BLOCK_LENGTH; 490 } 491 if (len > 0) { 492 /* There's left-overs, so save 'em */ 493 memcpy(context->buffer, data, len); 494 context->bitcount += len << 3; 495 } 496 /* Clean up: */ 497 usedspace = freespace = 0; 498} 499 500void 501SHA256_Pad(SHA256_CTX *context) 502{ 503 unsigned int usedspace; 504 505 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; 506 if (usedspace > 0) { 507 /* Begin padding with a 1 bit: */ 508 context->buffer[usedspace++] = 0x80; 509 510 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { 511 /* Set-up for the last transform: */ 512 memset(&context->buffer[usedspace], 0, 513 SHA256_SHORT_BLOCK_LENGTH - usedspace); 514 } else { 515 if (usedspace < SHA256_BLOCK_LENGTH) { 516 memset(&context->buffer[usedspace], 0, 517 SHA256_BLOCK_LENGTH - usedspace); 518 } 519 /* Do second-to-last transform: */ 520 SHA256_Transform(context->state, context->buffer); 521 522 /* Prepare for last transform: */ 523 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); 524 } 525 } else { 526 /* Set-up for the last transform: */ 527 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); 528 529 /* Begin padding with a 1 bit: */ 530 *context->buffer = 0x80; 531 } 532 /* Store the length of input data (in bits) in big endian format: */ 533 BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], 534 context->bitcount); 535 536 /* Final transform: */ 537 SHA256_Transform(context->state, context->buffer); 538 539 /* Clean up: */ 540 usedspace = 0; 541} 542 543void 544SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA256_CTX *context) 545{ 546 SHA256_Pad(context); 547 548 /* If no digest buffer is passed, we don't bother doing this: */ 549 if (digest != NULL) { 550#if BYTE_ORDER == LITTLE_ENDIAN 551 int i; 552 553 /* Convert TO host byte order */ 554 for (i = 0; i < 8; i++) 555 BE_32_TO_8(digest + i * 4, context->state[i]); 556#else 557 memcpy(digest, context->state, SHA256_DIGEST_LENGTH); 558#endif 559 memset(context, 0, sizeof(*context)); 560 } 561} 562 563 564/*** SHA-512: *********************************************************/ 565void 566SHA512_Init(SHA512_CTX *context) 567{ 568 if (context == NULL) 569 return; 570 memcpy(context->state, sha512_initial_hash_value, 571 sizeof(sha512_initial_hash_value)); 572 memset(context->buffer, 0, sizeof(context->buffer)); 573 context->bitcount[0] = context->bitcount[1] = 0; 574} 575 576#ifdef SHA2_UNROLL_TRANSFORM 577 578/* Unrolled SHA-512 round macros: */ 579 580#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \ 581 BE_8_TO_64(W512[j], data); \ 582 data += 8; \ 583 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \ 584 (d) += T1; \ 585 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ 586 j++; \ 587} while(0) 588 589 590#define ROUND512(a,b,c,d,e,f,g,h) do { \ 591 s0 = W512[(j+1)&0x0f]; \ 592 s0 = sigma0_512(s0); \ 593 s1 = W512[(j+14)&0x0f]; \ 594 s1 = sigma1_512(s1); \ 595 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \ 596 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ 597 (d) += T1; \ 598 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ 599 j++; \ 600} while(0) 601 602void 603SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) 604{ 605 u_int64_t a, b, c, d, e, f, g, h, s0, s1; 606 u_int64_t T1, W512[16]; 607 int j; 608 609 /* Initialize registers with the prev. intermediate value */ 610 a = state[0]; 611 b = state[1]; 612 c = state[2]; 613 d = state[3]; 614 e = state[4]; 615 f = state[5]; 616 g = state[6]; 617 h = state[7]; 618 619 j = 0; 620 do { 621 /* Rounds 0 to 15 (unrolled): */ 622 ROUND512_0_TO_15(a,b,c,d,e,f,g,h); 623 ROUND512_0_TO_15(h,a,b,c,d,e,f,g); 624 ROUND512_0_TO_15(g,h,a,b,c,d,e,f); 625 ROUND512_0_TO_15(f,g,h,a,b,c,d,e); 626 ROUND512_0_TO_15(e,f,g,h,a,b,c,d); 627 ROUND512_0_TO_15(d,e,f,g,h,a,b,c); 628 ROUND512_0_TO_15(c,d,e,f,g,h,a,b); 629 ROUND512_0_TO_15(b,c,d,e,f,g,h,a); 630 } while (j < 16); 631 632 /* Now for the remaining rounds up to 79: */ 633 do { 634 ROUND512(a,b,c,d,e,f,g,h); 635 ROUND512(h,a,b,c,d,e,f,g); 636 ROUND512(g,h,a,b,c,d,e,f); 637 ROUND512(f,g,h,a,b,c,d,e); 638 ROUND512(e,f,g,h,a,b,c,d); 639 ROUND512(d,e,f,g,h,a,b,c); 640 ROUND512(c,d,e,f,g,h,a,b); 641 ROUND512(b,c,d,e,f,g,h,a); 642 } while (j < 80); 643 644 /* Compute the current intermediate hash value */ 645 state[0] += a; 646 state[1] += b; 647 state[2] += c; 648 state[3] += d; 649 state[4] += e; 650 state[5] += f; 651 state[6] += g; 652 state[7] += h; 653 654 /* Clean up */ 655 a = b = c = d = e = f = g = h = T1 = 0; 656} 657 658#else /* SHA2_UNROLL_TRANSFORM */ 659 660void 661SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) 662{ 663 u_int64_t a, b, c, d, e, f, g, h, s0, s1; 664 u_int64_t T1, T2, W512[16]; 665 int j; 666 667 /* Initialize registers with the prev. intermediate value */ 668 a = state[0]; 669 b = state[1]; 670 c = state[2]; 671 d = state[3]; 672 e = state[4]; 673 f = state[5]; 674 g = state[6]; 675 h = state[7]; 676 677 j = 0; 678 do { 679 BE_8_TO_64(W512[j], data); 680 data += 8; 681 /* Apply the SHA-512 compression function to update a..h */ 682 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; 683 T2 = Sigma0_512(a) + Maj(a, b, c); 684 h = g; 685 g = f; 686 f = e; 687 e = d + T1; 688 d = c; 689 c = b; 690 b = a; 691 a = T1 + T2; 692 693 j++; 694 } while (j < 16); 695 696 do { 697 /* Part of the message block expansion: */ 698 s0 = W512[(j+1)&0x0f]; 699 s0 = sigma0_512(s0); 700 s1 = W512[(j+14)&0x0f]; 701 s1 = sigma1_512(s1); 702 703 /* Apply the SHA-512 compression function to update a..h */ 704 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + 705 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); 706 T2 = Sigma0_512(a) + Maj(a, b, c); 707 h = g; 708 g = f; 709 f = e; 710 e = d + T1; 711 d = c; 712 c = b; 713 b = a; 714 a = T1 + T2; 715 716 j++; 717 } while (j < 80); 718 719 /* Compute the current intermediate hash value */ 720 state[0] += a; 721 state[1] += b; 722 state[2] += c; 723 state[3] += d; 724 state[4] += e; 725 state[5] += f; 726 state[6] += g; 727 state[7] += h; 728 729 /* Clean up */ 730 a = b = c = d = e = f = g = h = T1 = T2 = 0; 731} 732 733#endif /* SHA2_UNROLL_TRANSFORM */ 734 735void 736SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len) 737{ 738 size_t freespace, usedspace; 739 740 /* Calling with no data is valid (we do nothing) */ 741 if (len == 0) 742 return; 743 744 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 745 if (usedspace > 0) { 746 /* Calculate how much free space is available in the buffer */ 747 freespace = SHA512_BLOCK_LENGTH - usedspace; 748 749 if (len >= freespace) { 750 /* Fill the buffer completely and process it */ 751 memcpy(&context->buffer[usedspace], data, freespace); 752 ADDINC128(context->bitcount, freespace << 3); 753 len -= freespace; 754 data += freespace; 755 SHA512_Transform(context->state, context->buffer); 756 } else { 757 /* The buffer is not yet full */ 758 memcpy(&context->buffer[usedspace], data, len); 759 ADDINC128(context->bitcount, len << 3); 760 /* Clean up: */ 761 usedspace = freespace = 0; 762 return; 763 } 764 } 765 while (len >= SHA512_BLOCK_LENGTH) { 766 /* Process as many complete blocks as we can */ 767 SHA512_Transform(context->state, data); 768 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); 769 len -= SHA512_BLOCK_LENGTH; 770 data += SHA512_BLOCK_LENGTH; 771 } 772 if (len > 0) { 773 /* There's left-overs, so save 'em */ 774 memcpy(context->buffer, data, len); 775 ADDINC128(context->bitcount, len << 3); 776 } 777 /* Clean up: */ 778 usedspace = freespace = 0; 779} 780 781void 782SHA512_Pad(SHA512_CTX *context) 783{ 784 unsigned int usedspace; 785 786 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; 787 if (usedspace > 0) { 788 /* Begin padding with a 1 bit: */ 789 context->buffer[usedspace++] = 0x80; 790 791 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { 792 /* Set-up for the last transform: */ 793 memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace); 794 } else { 795 if (usedspace < SHA512_BLOCK_LENGTH) { 796 memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace); 797 } 798 /* Do second-to-last transform: */ 799 SHA512_Transform(context->state, context->buffer); 800 801 /* And set-up for the last transform: */ 802 memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2); 803 } 804 } else { 805 /* Prepare for final transform: */ 806 memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH); 807 808 /* Begin padding with a 1 bit: */ 809 *context->buffer = 0x80; 810 } 811 /* Store the length of input data (in bits) in big endian format: */ 812 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], 813 context->bitcount[1]); 814 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], 815 context->bitcount[0]); 816 817 /* Final transform: */ 818 SHA512_Transform(context->state, context->buffer); 819 820 /* Clean up: */ 821 usedspace = 0; 822} 823 824void 825SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context) 826{ 827 SHA512_Pad(context); 828 829 /* If no digest buffer is passed, we don't bother doing this: */ 830 if (digest != NULL) { 831#if BYTE_ORDER == LITTLE_ENDIAN 832 int i; 833 834 /* Convert TO host byte order */ 835 for (i = 0; i < 8; i++) 836 BE_64_TO_8(digest + i * 8, context->state[i]); 837#else 838 memcpy(digest, context->state, SHA512_DIGEST_LENGTH); 839#endif 840 memset(context, 0, sizeof(*context)); 841 } 842} 843 844 845#if 0 846/*** SHA-384: *********************************************************/ 847void 848SHA384_Init(SHA384_CTX *context) 849{ 850 if (context == NULL) 851 return; 852 memcpy(context->state, sha384_initial_hash_value, 853 sizeof(sha384_initial_hash_value)); 854 memset(context->buffer, 0, sizeof(context->buffer)); 855 context->bitcount[0] = context->bitcount[1] = 0; 856} 857 858__weak_alias(SHA384_Transform, SHA512_Transform); 859__weak_alias(SHA384_Update, SHA512_Update); 860__weak_alias(SHA384_Pad, SHA512_Pad); 861 862void 863SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) 864{ 865 SHA384_Pad(context); 866 867 /* If no digest buffer is passed, we don't bother doing this: */ 868 if (digest != NULL) { 869#if BYTE_ORDER == LITTLE_ENDIAN 870 int i; 871 872 /* Convert TO host byte order */ 873 for (i = 0; i < 6; i++) 874 BE_64_TO_8(digest + i * 8, context->state[i]); 875#else 876 memcpy(digest, context->state, SHA384_DIGEST_LENGTH); 877#endif 878 } 879 880 /* Zero out state data */ 881 memset(context, 0, sizeof(*context)); 882} 883#endif 884 885#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ 886 (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ 887