Annotation of sys/crypto/sha2.c, Revision 1.1.1.1
1.1 nbrk 1: /* $OpenBSD: sha2.c,v 1.6 2004/05/03 02:57:36 millert Exp $ */
2:
3: /*
4: * FILE: sha2.c
5: * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
6: *
7: * Copyright (c) 2000-2001, Aaron D. Gifford
8: * All rights reserved.
9: *
10: * Redistribution and use in source and binary forms, with or without
11: * modification, are permitted provided that the following conditions
12: * are met:
13: * 1. Redistributions of source code must retain the above copyright
14: * notice, this list of conditions and the following disclaimer.
15: * 2. Redistributions in binary form must reproduce the above copyright
16: * notice, this list of conditions and the following disclaimer in the
17: * documentation and/or other materials provided with the distribution.
18: * 3. Neither the name of the copyright holder nor the names of contributors
19: * may be used to endorse or promote products derived from this software
20: * without specific prior written permission.
21: *
22: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
23: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25: * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
26: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32: * SUCH DAMAGE.
33: *
34: * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
35: */
36:
37: #include <sys/param.h>
38: #include <sys/time.h>
39: #include <sys/systm.h>
40: #include <crypto/sha2.h>
41:
42: /*
43: * UNROLLED TRANSFORM LOOP NOTE:
44: * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
45: * loop version for the hash transform rounds (defined using macros
46: * later in this file). Either define on the command line, for example:
47: *
48: * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
49: *
50: * or define below:
51: *
52: * #define SHA2_UNROLL_TRANSFORM
53: *
54: */
55:
56:
57: /*** SHA-256/384/512 Machine Architecture Definitions *****************/
58: /*
59: * BYTE_ORDER NOTE:
60: *
61: * Please make sure that your system defines BYTE_ORDER. If your
62: * architecture is little-endian, make sure it also defines
63: * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
64: * equivilent.
65: *
66: * If your system does not define the above, then you can do so by
67: * hand like this:
68: *
69: * #define LITTLE_ENDIAN 1234
70: * #define BIG_ENDIAN 4321
71: *
72: * And for little-endian machines, add:
73: *
74: * #define BYTE_ORDER LITTLE_ENDIAN
75: *
76: * Or for big-endian machines:
77: *
78: * #define BYTE_ORDER BIG_ENDIAN
79: *
80: * The FreeBSD machine this was written on defines BYTE_ORDER
81: * appropriately by including <sys/types.h> (which in turn includes
82: * <machine/endian.h> where the appropriate definitions are actually
83: * made).
84: */
85: #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
86: #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
87: #endif
88:
89:
90: /*** SHA-256/384/512 Various Length Definitions ***********************/
91: /* NOTE: Most of these are in sha2.h */
92: #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
93: #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
94: #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
95:
96:
97: /*** ENDIAN REVERSAL MACROS *******************************************/
98: #if BYTE_ORDER == LITTLE_ENDIAN
99: #define REVERSE32(w,x) { \
100: u_int32_t tmp = (w); \
101: tmp = (tmp >> 16) | (tmp << 16); \
102: (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
103: }
104: #define REVERSE64(w,x) { \
105: u_int64_t tmp = (w); \
106: tmp = (tmp >> 32) | (tmp << 32); \
107: tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
108: ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
109: (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
110: ((tmp & 0x0000ffff0000ffffULL) << 16); \
111: }
112: #endif /* BYTE_ORDER == LITTLE_ENDIAN */
113:
114: /*
115: * Macro for incrementally adding the unsigned 64-bit integer n to the
116: * unsigned 128-bit integer (represented using a two-element array of
117: * 64-bit words):
118: */
119: #define ADDINC128(w,n) { \
120: (w)[0] += (u_int64_t)(n); \
121: if ((w)[0] < (n)) { \
122: (w)[1]++; \
123: } \
124: }
125:
126: /*** THE SIX LOGICAL FUNCTIONS ****************************************/
127: /*
128: * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
129: *
130: * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
131: * S is a ROTATION) because the SHA-256/384/512 description document
132: * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
133: * same "backwards" definition.
134: */
135: /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
136: #define R(b,x) ((x) >> (b))
137: /* 32-bit Rotate-right (used in SHA-256): */
138: #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
139: /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
140: #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
141:
142: /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
143: #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
144: #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
145:
146: /* Four of six logical functions used in SHA-256: */
147: #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
148: #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
149: #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
150: #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
151:
152: /* Four of six logical functions used in SHA-384 and SHA-512: */
153: #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
154: #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
155: #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
156: #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
157:
158: /*** INTERNAL FUNCTION PROTOTYPES *************************************/
159: /* NOTE: These should not be accessed directly from outside this
160: * library -- they are intended for private internal visibility/use
161: * only.
162: */
163: void SHA512_Last(SHA512_CTX *);
164: void SHA256_Transform(SHA256_CTX *, const u_int8_t *);
165: void SHA512_Transform(SHA512_CTX *, const u_int8_t *);
166:
167:
168: /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
169: /* Hash constant words K for SHA-256: */
170: const static u_int32_t K256[64] = {
171: 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
172: 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
173: 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
174: 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
175: 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
176: 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
177: 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
178: 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
179: 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
180: 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
181: 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
182: 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
183: 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
184: 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
185: 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
186: 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
187: };
188:
189: /* Initial hash value H for SHA-256: */
190: const static u_int32_t sha256_initial_hash_value[8] = {
191: 0x6a09e667UL,
192: 0xbb67ae85UL,
193: 0x3c6ef372UL,
194: 0xa54ff53aUL,
195: 0x510e527fUL,
196: 0x9b05688cUL,
197: 0x1f83d9abUL,
198: 0x5be0cd19UL
199: };
200:
201: /* Hash constant words K for SHA-384 and SHA-512: */
202: const static u_int64_t K512[80] = {
203: 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
204: 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
205: 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
206: 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
207: 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
208: 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
209: 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
210: 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
211: 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
212: 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
213: 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
214: 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
215: 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
216: 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
217: 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
218: 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
219: 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
220: 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
221: 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
222: 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
223: 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
224: 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
225: 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
226: 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
227: 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
228: 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
229: 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
230: 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
231: 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
232: 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
233: 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
234: 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
235: 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
236: 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
237: 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
238: 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
239: 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
240: 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
241: 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
242: 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
243: };
244:
245: /* Initial hash value H for SHA-384 */
246: const static u_int64_t sha384_initial_hash_value[8] = {
247: 0xcbbb9d5dc1059ed8ULL,
248: 0x629a292a367cd507ULL,
249: 0x9159015a3070dd17ULL,
250: 0x152fecd8f70e5939ULL,
251: 0x67332667ffc00b31ULL,
252: 0x8eb44a8768581511ULL,
253: 0xdb0c2e0d64f98fa7ULL,
254: 0x47b5481dbefa4fa4ULL
255: };
256:
257: /* Initial hash value H for SHA-512 */
258: const static u_int64_t sha512_initial_hash_value[8] = {
259: 0x6a09e667f3bcc908ULL,
260: 0xbb67ae8584caa73bULL,
261: 0x3c6ef372fe94f82bULL,
262: 0xa54ff53a5f1d36f1ULL,
263: 0x510e527fade682d1ULL,
264: 0x9b05688c2b3e6c1fULL,
265: 0x1f83d9abfb41bd6bULL,
266: 0x5be0cd19137e2179ULL
267: };
268:
269:
270: /*** SHA-256: *********************************************************/
271: void
272: SHA256_Init(SHA256_CTX *context)
273: {
274: if (context == NULL)
275: return;
276: bcopy(sha256_initial_hash_value, context->state, SHA256_DIGEST_LENGTH);
277: bzero(context->buffer, SHA256_BLOCK_LENGTH);
278: context->bitcount = 0;
279: }
280:
281: #ifdef SHA2_UNROLL_TRANSFORM
282:
283: /* Unrolled SHA-256 round macros: */
284:
285: #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
286: W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) | \
287: ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24); \
288: data += 4; \
289: T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
290: (d) += T1; \
291: (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
292: j++; \
293: } while(0)
294:
295: #define ROUND256(a,b,c,d,e,f,g,h) do { \
296: s0 = W256[(j+1)&0x0f]; \
297: s0 = sigma0_256(s0); \
298: s1 = W256[(j+14)&0x0f]; \
299: s1 = sigma1_256(s1); \
300: T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
301: (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
302: (d) += T1; \
303: (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
304: j++; \
305: } while(0)
306:
307: void
308: SHA256_Transform(SHA256_CTX *context, const u_int8_t *data)
309: {
310: u_int32_t a, b, c, d, e, f, g, h, s0, s1;
311: u_int32_t T1, *W256;
312: int j;
313:
314: W256 = (u_int32_t *)context->buffer;
315:
316: /* Initialize registers with the prev. intermediate value */
317: a = context->state[0];
318: b = context->state[1];
319: c = context->state[2];
320: d = context->state[3];
321: e = context->state[4];
322: f = context->state[5];
323: g = context->state[6];
324: h = context->state[7];
325:
326: j = 0;
327: do {
328: /* Rounds 0 to 15 (unrolled): */
329: ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
330: ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
331: ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
332: ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
333: ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
334: ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
335: ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
336: ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
337: } while (j < 16);
338:
339: /* Now for the remaining rounds to 64: */
340: do {
341: ROUND256(a,b,c,d,e,f,g,h);
342: ROUND256(h,a,b,c,d,e,f,g);
343: ROUND256(g,h,a,b,c,d,e,f);
344: ROUND256(f,g,h,a,b,c,d,e);
345: ROUND256(e,f,g,h,a,b,c,d);
346: ROUND256(d,e,f,g,h,a,b,c);
347: ROUND256(c,d,e,f,g,h,a,b);
348: ROUND256(b,c,d,e,f,g,h,a);
349: } while (j < 64);
350:
351: /* Compute the current intermediate hash value */
352: context->state[0] += a;
353: context->state[1] += b;
354: context->state[2] += c;
355: context->state[3] += d;
356: context->state[4] += e;
357: context->state[5] += f;
358: context->state[6] += g;
359: context->state[7] += h;
360:
361: /* Clean up */
362: a = b = c = d = e = f = g = h = T1 = 0;
363: }
364:
365: #else /* SHA2_UNROLL_TRANSFORM */
366:
367: void
368: SHA256_Transform(SHA256_CTX *context, const u_int8_t *data)
369: {
370: u_int32_t a, b, c, d, e, f, g, h, s0, s1;
371: u_int32_t T1, T2, *W256;
372: int j;
373:
374: W256 = (u_int32_t *)context->buffer;
375:
376: /* Initialize registers with the prev. intermediate value */
377: a = context->state[0];
378: b = context->state[1];
379: c = context->state[2];
380: d = context->state[3];
381: e = context->state[4];
382: f = context->state[5];
383: g = context->state[6];
384: h = context->state[7];
385:
386: j = 0;
387: do {
388: W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) |
389: ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24);
390: data += 4;
391: /* Apply the SHA-256 compression function to update a..h */
392: T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
393: T2 = Sigma0_256(a) + Maj(a, b, c);
394: h = g;
395: g = f;
396: f = e;
397: e = d + T1;
398: d = c;
399: c = b;
400: b = a;
401: a = T1 + T2;
402:
403: j++;
404: } while (j < 16);
405:
406: do {
407: /* Part of the message block expansion: */
408: s0 = W256[(j+1)&0x0f];
409: s0 = sigma0_256(s0);
410: s1 = W256[(j+14)&0x0f];
411: s1 = sigma1_256(s1);
412:
413: /* Apply the SHA-256 compression function to update a..h */
414: T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
415: (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
416: T2 = Sigma0_256(a) + Maj(a, b, c);
417: h = g;
418: g = f;
419: f = e;
420: e = d + T1;
421: d = c;
422: c = b;
423: b = a;
424: a = T1 + T2;
425:
426: j++;
427: } while (j < 64);
428:
429: /* Compute the current intermediate hash value */
430: context->state[0] += a;
431: context->state[1] += b;
432: context->state[2] += c;
433: context->state[3] += d;
434: context->state[4] += e;
435: context->state[5] += f;
436: context->state[6] += g;
437: context->state[7] += h;
438:
439: /* Clean up */
440: a = b = c = d = e = f = g = h = T1 = T2 = 0;
441: }
442:
443: #endif /* SHA2_UNROLL_TRANSFORM */
444:
445: void
446: SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len)
447: {
448: size_t freespace, usedspace;
449:
450: /* Calling with no data is valid (we do nothing) */
451: if (len == 0)
452: return;
453:
454: usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
455: if (usedspace > 0) {
456: /* Calculate how much free space is available in the buffer */
457: freespace = SHA256_BLOCK_LENGTH - usedspace;
458:
459: if (len >= freespace) {
460: /* Fill the buffer completely and process it */
461: bcopy(data, &context->buffer[usedspace], freespace);
462: context->bitcount += freespace << 3;
463: len -= freespace;
464: data += freespace;
465: SHA256_Transform(context, context->buffer);
466: } else {
467: /* The buffer is not yet full */
468: bcopy(data, &context->buffer[usedspace], len);
469: context->bitcount += len << 3;
470: /* Clean up: */
471: usedspace = freespace = 0;
472: return;
473: }
474: }
475: while (len >= SHA256_BLOCK_LENGTH) {
476: /* Process as many complete blocks as we can */
477: SHA256_Transform(context, data);
478: context->bitcount += SHA256_BLOCK_LENGTH << 3;
479: len -= SHA256_BLOCK_LENGTH;
480: data += SHA256_BLOCK_LENGTH;
481: }
482: if (len > 0) {
483: /* There's left-overs, so save 'em */
484: bcopy(data, context->buffer, len);
485: context->bitcount += len << 3;
486: }
487: /* Clean up: */
488: usedspace = freespace = 0;
489: }
490:
491: void
492: SHA256_Final(u_int8_t digest[], SHA256_CTX *context)
493: {
494: u_int32_t *d = (u_int32_t *)digest;
495: unsigned int usedspace;
496:
497: /* If no digest buffer is passed, we don't bother doing this: */
498: if (digest != NULL) {
499: usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
500: #if BYTE_ORDER == LITTLE_ENDIAN
501: /* Convert FROM host byte order */
502: REVERSE64(context->bitcount,context->bitcount);
503: #endif
504: if (usedspace > 0) {
505: /* Begin padding with a 1 bit: */
506: context->buffer[usedspace++] = 0x80;
507:
508: if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
509: /* Set-up for the last transform: */
510: bzero(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
511: } else {
512: if (usedspace < SHA256_BLOCK_LENGTH) {
513: bzero(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
514: }
515: /* Do second-to-last transform: */
516: SHA256_Transform(context, context->buffer);
517:
518: /* And set-up for the last transform: */
519: bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
520: }
521: } else {
522: /* Set-up for the last transform: */
523: bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
524:
525: /* Begin padding with a 1 bit: */
526: *context->buffer = 0x80;
527: }
528: /* Set the bit count: */
529: *(u_int64_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
530:
531: /* Final transform: */
532: SHA256_Transform(context, context->buffer);
533:
534: #if BYTE_ORDER == LITTLE_ENDIAN
535: {
536: /* Convert TO host byte order */
537: int j;
538: for (j = 0; j < 8; j++) {
539: REVERSE32(context->state[j],context->state[j]);
540: *d++ = context->state[j];
541: }
542: }
543: #else
544: bcopy(context->state, d, SHA256_DIGEST_LENGTH);
545: #endif
546: }
547:
548: /* Clean up state data: */
549: bzero(context, sizeof(*context));
550: usedspace = 0;
551: }
552:
553:
554: /*** SHA-512: *********************************************************/
555: void
556: SHA512_Init(SHA512_CTX *context)
557: {
558: if (context == NULL)
559: return;
560: bcopy(sha512_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
561: bzero(context->buffer, SHA512_BLOCK_LENGTH);
562: context->bitcount[0] = context->bitcount[1] = 0;
563: }
564:
565: #ifdef SHA2_UNROLL_TRANSFORM
566:
567: /* Unrolled SHA-512 round macros: */
568:
569: #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
570: W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) | \
571: ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) | \
572: ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) | \
573: ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56); \
574: data += 8; \
575: T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
576: (d) += T1; \
577: (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
578: j++; \
579: } while(0)
580:
581:
582: #define ROUND512(a,b,c,d,e,f,g,h) do { \
583: s0 = W512[(j+1)&0x0f]; \
584: s0 = sigma0_512(s0); \
585: s1 = W512[(j+14)&0x0f]; \
586: s1 = sigma1_512(s1); \
587: T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
588: (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
589: (d) += T1; \
590: (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
591: j++; \
592: } while(0)
593:
594: void
595: SHA512_Transform(SHA512_CTX *context, const u_int8_t *data)
596: {
597: u_int64_t a, b, c, d, e, f, g, h, s0, s1;
598: u_int64_t T1, *W512 = (u_int64_t *)context->buffer;
599: int j;
600:
601: /* Initialize registers with the prev. intermediate value */
602: a = context->state[0];
603: b = context->state[1];
604: c = context->state[2];
605: d = context->state[3];
606: e = context->state[4];
607: f = context->state[5];
608: g = context->state[6];
609: h = context->state[7];
610:
611: j = 0;
612: do {
613: ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
614: ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
615: ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
616: ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
617: ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
618: ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
619: ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
620: ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
621: } while (j < 16);
622:
623: /* Now for the remaining rounds up to 79: */
624: do {
625: ROUND512(a,b,c,d,e,f,g,h);
626: ROUND512(h,a,b,c,d,e,f,g);
627: ROUND512(g,h,a,b,c,d,e,f);
628: ROUND512(f,g,h,a,b,c,d,e);
629: ROUND512(e,f,g,h,a,b,c,d);
630: ROUND512(d,e,f,g,h,a,b,c);
631: ROUND512(c,d,e,f,g,h,a,b);
632: ROUND512(b,c,d,e,f,g,h,a);
633: } while (j < 80);
634:
635: /* Compute the current intermediate hash value */
636: context->state[0] += a;
637: context->state[1] += b;
638: context->state[2] += c;
639: context->state[3] += d;
640: context->state[4] += e;
641: context->state[5] += f;
642: context->state[6] += g;
643: context->state[7] += h;
644:
645: /* Clean up */
646: a = b = c = d = e = f = g = h = T1 = 0;
647: }
648:
649: #else /* SHA2_UNROLL_TRANSFORM */
650:
651: void
652: SHA512_Transform(SHA512_CTX *context, const u_int8_t *data)
653: {
654: u_int64_t a, b, c, d, e, f, g, h, s0, s1;
655: u_int64_t T1, T2, *W512 = (u_int64_t *)context->buffer;
656: int j;
657:
658: /* Initialize registers with the prev. intermediate value */
659: a = context->state[0];
660: b = context->state[1];
661: c = context->state[2];
662: d = context->state[3];
663: e = context->state[4];
664: f = context->state[5];
665: g = context->state[6];
666: h = context->state[7];
667:
668: j = 0;
669: do {
670: W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) |
671: ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) |
672: ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) |
673: ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56);
674: data += 8;
675: /* Apply the SHA-512 compression function to update a..h */
676: T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
677: T2 = Sigma0_512(a) + Maj(a, b, c);
678: h = g;
679: g = f;
680: f = e;
681: e = d + T1;
682: d = c;
683: c = b;
684: b = a;
685: a = T1 + T2;
686:
687: j++;
688: } while (j < 16);
689:
690: do {
691: /* Part of the message block expansion: */
692: s0 = W512[(j+1)&0x0f];
693: s0 = sigma0_512(s0);
694: s1 = W512[(j+14)&0x0f];
695: s1 = sigma1_512(s1);
696:
697: /* Apply the SHA-512 compression function to update a..h */
698: T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
699: (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
700: T2 = Sigma0_512(a) + Maj(a, b, c);
701: h = g;
702: g = f;
703: f = e;
704: e = d + T1;
705: d = c;
706: c = b;
707: b = a;
708: a = T1 + T2;
709:
710: j++;
711: } while (j < 80);
712:
713: /* Compute the current intermediate hash value */
714: context->state[0] += a;
715: context->state[1] += b;
716: context->state[2] += c;
717: context->state[3] += d;
718: context->state[4] += e;
719: context->state[5] += f;
720: context->state[6] += g;
721: context->state[7] += h;
722:
723: /* Clean up */
724: a = b = c = d = e = f = g = h = T1 = T2 = 0;
725: }
726:
727: #endif /* SHA2_UNROLL_TRANSFORM */
728:
729: void
730: SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
731: {
732: size_t freespace, usedspace;
733:
734: /* Calling with no data is valid (we do nothing) */
735: if (len == 0)
736: return;
737:
738: usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
739: if (usedspace > 0) {
740: /* Calculate how much free space is available in the buffer */
741: freespace = SHA512_BLOCK_LENGTH - usedspace;
742:
743: if (len >= freespace) {
744: /* Fill the buffer completely and process it */
745: bcopy(data, &context->buffer[usedspace], freespace);
746: ADDINC128(context->bitcount, freespace << 3);
747: len -= freespace;
748: data += freespace;
749: SHA512_Transform(context, context->buffer);
750: } else {
751: /* The buffer is not yet full */
752: bcopy(data, &context->buffer[usedspace], len);
753: ADDINC128(context->bitcount, len << 3);
754: /* Clean up: */
755: usedspace = freespace = 0;
756: return;
757: }
758: }
759: while (len >= SHA512_BLOCK_LENGTH) {
760: /* Process as many complete blocks as we can */
761: SHA512_Transform(context, data);
762: ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
763: len -= SHA512_BLOCK_LENGTH;
764: data += SHA512_BLOCK_LENGTH;
765: }
766: if (len > 0) {
767: /* There's left-overs, so save 'em */
768: bcopy(data, context->buffer, len);
769: ADDINC128(context->bitcount, len << 3);
770: }
771: /* Clean up: */
772: usedspace = freespace = 0;
773: }
774:
775: void
776: SHA512_Last(SHA512_CTX *context)
777: {
778: unsigned int usedspace;
779:
780: usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
781: #if BYTE_ORDER == LITTLE_ENDIAN
782: /* Convert FROM host byte order */
783: REVERSE64(context->bitcount[0],context->bitcount[0]);
784: REVERSE64(context->bitcount[1],context->bitcount[1]);
785: #endif
786: if (usedspace > 0) {
787: /* Begin padding with a 1 bit: */
788: context->buffer[usedspace++] = 0x80;
789:
790: if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
791: /* Set-up for the last transform: */
792: bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
793: } else {
794: if (usedspace < SHA512_BLOCK_LENGTH) {
795: bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
796: }
797: /* Do second-to-last transform: */
798: SHA512_Transform(context, context->buffer);
799:
800: /* And set-up for the last transform: */
801: bzero(context->buffer, SHA512_BLOCK_LENGTH - 2);
802: }
803: } else {
804: /* Prepare for final transform: */
805: bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
806:
807: /* Begin padding with a 1 bit: */
808: *context->buffer = 0x80;
809: }
810: /* Store the length of input data (in bits): */
811: *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
812: *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
813:
814: /* Final transform: */
815: SHA512_Transform(context, context->buffer);
816: }
817:
818: void
819: SHA512_Final(u_int8_t digest[], SHA512_CTX *context)
820: {
821: u_int64_t *d = (u_int64_t *)digest;
822:
823: /* If no digest buffer is passed, we don't bother doing this: */
824: if (digest != NULL) {
825: SHA512_Last(context);
826:
827: /* Save the hash data for output: */
828: #if BYTE_ORDER == LITTLE_ENDIAN
829: {
830: /* Convert TO host byte order */
831: int j;
832: for (j = 0; j < 8; j++) {
833: REVERSE64(context->state[j],context->state[j]);
834: *d++ = context->state[j];
835: }
836: }
837: #else
838: bcopy(context->state, d, SHA512_DIGEST_LENGTH);
839: #endif
840: }
841:
842: /* Zero out state data */
843: bzero(context, sizeof(*context));
844: }
845:
846:
847: /*** SHA-384: *********************************************************/
848: void
849: SHA384_Init(SHA384_CTX *context)
850: {
851: if (context == NULL)
852: return;
853: bcopy(sha384_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
854: bzero(context->buffer, SHA384_BLOCK_LENGTH);
855: context->bitcount[0] = context->bitcount[1] = 0;
856: }
857:
858: void
859: SHA384_Update(SHA384_CTX *context, const u_int8_t *data, size_t len)
860: {
861: SHA512_Update((SHA512_CTX *)context, data, len);
862: }
863:
864: void
865: SHA384_Final(u_int8_t digest[], SHA384_CTX *context)
866: {
867: u_int64_t *d = (u_int64_t *)digest;
868:
869: /* If no digest buffer is passed, we don't bother doing this: */
870: if (digest != NULL) {
871: SHA512_Last((SHA512_CTX *)context);
872:
873: /* Save the hash data for output: */
874: #if BYTE_ORDER == LITTLE_ENDIAN
875: {
876: /* Convert TO host byte order */
877: int j;
878: for (j = 0; j < 6; j++) {
879: REVERSE64(context->state[j],context->state[j]);
880: *d++ = context->state[j];
881: }
882: }
883: #else
884: bcopy(context->state, d, SHA384_DIGEST_LENGTH);
885: #endif
886: }
887:
888: /* Zero out state data */
889: bzero(context, sizeof(*context));
890: }
CVSweb