1/* $NetBSD: sha2.c,v 1.24 2013/06/09 19:46:56 christos Exp $ */
2/* $KAME: sha2.c,v 1.9 2003/07/20 00:28:38 itojun Exp $ */
3
4/*
5 * sha2.c
6 *
7 * Version 1.0.0beta1
8 *
9 * Written by Aaron D. Gifford <me@aarongifford.com>
10 *
11 * Copyright 2000 Aaron D. Gifford. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. Neither the name of the copyright holder nor the names of contributors
22 * may be used to endorse or promote products derived from this software
23 * without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 *
37 */
38
39#if HAVE_NBTOOL_CONFIG_H
40#include "nbtool_config.h"
41#endif
42
43#include <sys/cdefs.h>
44
45#if defined(_KERNEL) || defined(_STANDALONE)
46__KERNEL_RCSID(0, "$NetBSD: sha2.c,v 1.24 2013/06/09 19:46:56 christos Exp $");
47
48#include <sys/param.h> /* XXX: to pull <machine/macros.h> for vax memset(9) */
49#include <lib/libkern/libkern.h>
50
51#else
52
53#if defined(LIBC_SCCS) && !defined(lint)
54__RCSID("$NetBSD: sha2.c,v 1.24 2013/06/09 19:46:56 christos Exp $");
55#endif /* LIBC_SCCS and not lint */
56
57#include "namespace.h"
58#include <string.h>
59
60#endif
61
62#include <sys/types.h>
63#include <sys/sha2.h>
64
65#if HAVE_SYS_ENDIAN_H
66# include <sys/endian.h>
67#endif
68
69/*** SHA-256/384/512 Various Length Definitions ***********************/
70/* NOTE: Most of these are in sha2.h */
71#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
72#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
73#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
74
75/*
76 * Macro for incrementally adding the unsigned 64-bit integer n to the
77 * unsigned 128-bit integer (represented using a two-element array of
78 * 64-bit words):
79 */
80#define ADDINC128(w,n) { \
81 (w)[0] += (uint64_t)(n); \
82 if ((w)[0] < (n)) { \
83 (w)[1]++; \
84 } \
85}
86
87/*** THE SIX LOGICAL FUNCTIONS ****************************************/
88/*
89 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
90 *
91 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
92 * S is a ROTATION) because the SHA-256/384/512 description document
93 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
94 * same "backwards" definition.
95 */
96/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
97#define R(b,x) ((x) >> (b))
98/* 32-bit Rotate-right (used in SHA-256): */
99#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
100/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
101#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
102
103/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
104#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
105#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
106
107/* Four of six logical functions used in SHA-256: */
108#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
109#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
110#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
111#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
112
113/* Four of six logical functions used in SHA-384 and SHA-512: */
114#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
115#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
116#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
117#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
118
119/*** INTERNAL FUNCTION PROTOTYPES *************************************/
120/* NOTE: These should not be accessed directly from outside this
121 * library -- they are intended for private internal visibility/use
122 * only.
123 */
124static void SHA512_Last(SHA512_CTX *);
125void SHA224_Transform(SHA224_CTX *, const uint32_t*);
126void SHA256_Transform(SHA256_CTX *, const uint32_t*);
127void SHA384_Transform(SHA384_CTX *, const uint64_t*);
128void SHA512_Transform(SHA512_CTX *, const uint64_t*);
129
130
131/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
132/* Hash constant words K for SHA-256: */
133static const uint32_t K256[64] = {
134 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
135 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
136 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
137 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
138 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
139 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
140 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
141 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
142 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
143 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
144 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
145 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
146 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
147 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
148 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
149 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
150};
151
152/* Initial hash value H for SHA-224: */
153static const uint32_t sha224_initial_hash_value[8] = {
154 0xc1059ed8UL,
155 0x367cd507UL,
156 0x3070dd17UL,
157 0xf70e5939UL,
158 0xffc00b31UL,
159 0x68581511UL,
160 0x64f98fa7UL,
161 0xbefa4fa4UL
162};
163
164/* Initial hash value H for SHA-256: */
165static const uint32_t sha256_initial_hash_value[8] = {
166 0x6a09e667UL,
167 0xbb67ae85UL,
168 0x3c6ef372UL,
169 0xa54ff53aUL,
170 0x510e527fUL,
171 0x9b05688cUL,
172 0x1f83d9abUL,
173 0x5be0cd19UL
174};
175
176/* Hash constant words K for SHA-384 and SHA-512: */
177static const uint64_t K512[80] = {
178 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
179 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
180 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
181 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
182 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
183 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
184 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
185 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
186 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
187 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
188 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
189 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
190 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
191 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
192 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
193 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
194 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
195 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
196 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
197 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
198 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
199 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
200 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
201 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
202 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
203 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
204 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
205 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
206 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
207 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
208 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
209 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
210 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
211 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
212 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
213 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
214 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
215 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
216 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
217 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
218};
219
220/* Initial hash value H for SHA-384 */
221static const uint64_t sha384_initial_hash_value[8] = {
222 0xcbbb9d5dc1059ed8ULL,
223 0x629a292a367cd507ULL,
224 0x9159015a3070dd17ULL,
225 0x152fecd8f70e5939ULL,
226 0x67332667ffc00b31ULL,
227 0x8eb44a8768581511ULL,
228 0xdb0c2e0d64f98fa7ULL,
229 0x47b5481dbefa4fa4ULL
230};
231
232/* Initial hash value H for SHA-512 */
233static const uint64_t sha512_initial_hash_value[8] = {
234 0x6a09e667f3bcc908ULL,
235 0xbb67ae8584caa73bULL,
236 0x3c6ef372fe94f82bULL,
237 0xa54ff53a5f1d36f1ULL,
238 0x510e527fade682d1ULL,
239 0x9b05688c2b3e6c1fULL,
240 0x1f83d9abfb41bd6bULL,
241 0x5be0cd19137e2179ULL
242};
243
244#if !defined(_KERNEL) && !defined(_STANDALONE)
245#if defined(__weak_alias)
246__weak_alias(SHA224_Init,_SHA224_Init)
247__weak_alias(SHA224_Update,_SHA224_Update)
248__weak_alias(SHA224_Final,_SHA224_Final)
249__weak_alias(SHA224_Transform,_SHA224_Transform)
250
251__weak_alias(SHA256_Init,_SHA256_Init)
252__weak_alias(SHA256_Update,_SHA256_Update)
253__weak_alias(SHA256_Final,_SHA256_Final)
254__weak_alias(SHA256_Transform,_SHA256_Transform)
255
256__weak_alias(SHA384_Init,_SHA384_Init)
257__weak_alias(SHA384_Update,_SHA384_Update)
258__weak_alias(SHA384_Final,_SHA384_Final)
259__weak_alias(SHA384_Transform,_SHA384_Transform)
260
261__weak_alias(SHA512_Init,_SHA512_Init)
262__weak_alias(SHA512_Update,_SHA512_Update)
263__weak_alias(SHA512_Final,_SHA512_Final)
264__weak_alias(SHA512_Transform,_SHA512_Transform)
265#endif
266#endif
267
268/*** SHA-256: *********************************************************/
269int
270SHA256_Init(SHA256_CTX *context)
271{
272 if (context == NULL)
273 return 1;
274
275 memcpy(context->state, sha256_initial_hash_value,
276 (size_t)(SHA256_DIGEST_LENGTH));
277 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH));
278 context->bitcount = 0;
279
280 return 1;
281}
282
283#ifdef SHA2_UNROLL_TRANSFORM
284
285/* Unrolled SHA-256 round macros: */
286
287#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
288 W256[j] = be32dec(data); \
289 ++data; \
290 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
291 K256[j] + W256[j]; \
292 (d) += T1; \
293 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
294 j++
295
296#define ROUND256(a,b,c,d,e,f,g,h) \
297 s0 = W256[(j+1)&0x0f]; \
298 s0 = sigma0_256(s0); \
299 s1 = W256[(j+14)&0x0f]; \
300 s1 = sigma1_256(s1); \
301 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
302 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
303 (d) += T1; \
304 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
305 j++
306
307void
308SHA256_Transform(SHA256_CTX *context, const uint32_t *data)
309{
310 uint32_t a, b, c, d, e, f, g, h, s0, s1;
311 uint32_t T1, *W256;
312 int j;
313
314 W256 = (uint32_t *)context->buffer;
315
316 /* Initialize registers with the prev. intermediate value */
317 a = context->state[0];
318 b = context->state[1];
319 c = context->state[2];
320 d = context->state[3];
321 e = context->state[4];
322 f = context->state[5];
323 g = context->state[6];
324 h = context->state[7];
325
326 j = 0;
327 do {
328 /* Rounds 0 to 15 (unrolled): */
329 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
330 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
331 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
332 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
333 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
334 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
335 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
336 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
337 } while (j < 16);
338
339 /* Now for the remaining rounds to 64: */
340 do {
341 ROUND256(a,b,c,d,e,f,g,h);
342 ROUND256(h,a,b,c,d,e,f,g);
343 ROUND256(g,h,a,b,c,d,e,f);
344 ROUND256(f,g,h,a,b,c,d,e);
345 ROUND256(e,f,g,h,a,b,c,d);
346 ROUND256(d,e,f,g,h,a,b,c);
347 ROUND256(c,d,e,f,g,h,a,b);
348 ROUND256(b,c,d,e,f,g,h,a);
349 } while (j < 64);
350
351 /* Compute the current intermediate hash value */
352 context->state[0] += a;
353 context->state[1] += b;
354 context->state[2] += c;
355 context->state[3] += d;
356 context->state[4] += e;
357 context->state[5] += f;
358 context->state[6] += g;
359 context->state[7] += h;
360
361 /* Clean up */
362 a = b = c = d = e = f = g = h = T1 = 0;
363}
364
365#else /* SHA2_UNROLL_TRANSFORM */
366
367void
368SHA256_Transform(SHA256_CTX *context, const uint32_t *data)
369{
370 uint32_t a, b, c, d, e, f, g, h, s0, s1;
371 uint32_t T1, T2, *W256;
372 int j;
373
374 W256 = (uint32_t *)(void *)context->buffer;
375
376 /* Initialize registers with the prev. intermediate value */
377 a = context->state[0];
378 b = context->state[1];
379 c = context->state[2];
380 d = context->state[3];
381 e = context->state[4];
382 f = context->state[5];
383 g = context->state[6];
384 h = context->state[7];
385
386 j = 0;
387 do {
388 W256[j] = be32dec(data);
389 ++data;
390 /* Apply the SHA-256 compression function to update a..h */
391 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
392 T2 = Sigma0_256(a) + Maj(a, b, c);
393 h = g;
394 g = f;
395 f = e;
396 e = d + T1;
397 d = c;
398 c = b;
399 b = a;
400 a = T1 + T2;
401
402 j++;
403 } while (j < 16);
404
405 do {
406 /* Part of the message block expansion: */
407 s0 = W256[(j+1)&0x0f];
408 s0 = sigma0_256(s0);
409 s1 = W256[(j+14)&0x0f];
410 s1 = sigma1_256(s1);
411
412 /* Apply the SHA-256 compression function to update a..h */
413 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
414 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
415 T2 = Sigma0_256(a) + Maj(a, b, c);
416 h = g;
417 g = f;
418 f = e;
419 e = d + T1;
420 d = c;
421 c = b;
422 b = a;
423 a = T1 + T2;
424
425 j++;
426 } while (j < 64);
427
428 /* Compute the current intermediate hash value */
429 context->state[0] += a;
430 context->state[1] += b;
431 context->state[2] += c;
432 context->state[3] += d;
433 context->state[4] += e;
434 context->state[5] += f;
435 context->state[6] += g;
436 context->state[7] += h;
437
438 /* Clean up */
439 a = b = c = d = e = f = g = h = T1 = T2 = 0;
440}
441
442#endif /* SHA2_UNROLL_TRANSFORM */
443
444int
445SHA256_Update(SHA256_CTX *context, const uint8_t *data, size_t len)
446{
447 unsigned int freespace, usedspace;
448
449 if (len == 0) {
450 /* Calling with no data is valid - we do nothing */
451 return 1;
452 }
453
454 usedspace = (unsigned int)((context->bitcount >> 3) %
455 SHA256_BLOCK_LENGTH);
456 if (usedspace > 0) {
457 /* Calculate how much free space is available in the buffer */
458 freespace = SHA256_BLOCK_LENGTH - usedspace;
459
460 if (len >= freespace) {
461 /* Fill the buffer completely and process it */
462 memcpy(&context->buffer[usedspace], data,
463 (size_t)(freespace));
464 context->bitcount += freespace << 3;
465 len -= freespace;
466 data += freespace;
467 SHA256_Transform(context,
468 (uint32_t *)(void *)context->buffer);
469 } else {
470 /* The buffer is not yet full */
471 memcpy(&context->buffer[usedspace], data, len);
472 context->bitcount += len << 3;
473 /* Clean up: */
474 usedspace = freespace = 0;
475 return 1;
476 }
477 }
478 /*
479 * Process as many complete blocks as possible.
480 *
481 * Check alignment of the data pointer. If it is 32bit aligned,
482 * SHA256_Transform can be called directly on the data stream,
483 * otherwise enforce the alignment by copy into the buffer.
484 */
485 if ((uintptr_t)data % 4 == 0) {
486 while (len >= SHA256_BLOCK_LENGTH) {
487 SHA256_Transform(context,
488 (const uint32_t *)(const void *)data);
489 context->bitcount += SHA256_BLOCK_LENGTH << 3;
490 len -= SHA256_BLOCK_LENGTH;
491 data += SHA256_BLOCK_LENGTH;
492 }
493 } else {
494 while (len >= SHA256_BLOCK_LENGTH) {
495 memcpy(context->buffer, data, SHA256_BLOCK_LENGTH);
496 SHA256_Transform(context,
497 (const uint32_t *)(const void *)context->buffer);
498 context->bitcount += SHA256_BLOCK_LENGTH << 3;
499 len -= SHA256_BLOCK_LENGTH;
500 data += SHA256_BLOCK_LENGTH;
501 }
502 }
503 if (len > 0) {
504 /* There's left-overs, so save 'em */
505 memcpy(context->buffer, data, len);
506 context->bitcount += len << 3;
507 }
508 /* Clean up: */
509 usedspace = freespace = 0;
510
511 return 1;
512}
513
514static int
515SHA224_256_Final(uint8_t digest[], SHA256_CTX *context, size_t len)
516{
517 unsigned int usedspace;
518 size_t i;
519
520 /* If no digest buffer is passed, we don't bother doing this: */
521 if (digest != NULL) {
522 usedspace = (unsigned int)((context->bitcount >> 3) %
523 SHA256_BLOCK_LENGTH);
524 context->bitcount = htobe64(context->bitcount);
525 if (usedspace > 0) {
526 /* Begin padding with a 1 bit: */
527 context->buffer[usedspace++] = 0x80;
528
529 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
530 /* Set-up for the last transform: */
531 memset(&context->buffer[usedspace], 0,
532 (size_t)(SHA256_SHORT_BLOCK_LENGTH -
533 usedspace));
534 } else {
535 if (usedspace < SHA256_BLOCK_LENGTH) {
536 memset(&context->buffer[usedspace], 0,
537 (size_t)(SHA256_BLOCK_LENGTH -
538 usedspace));
539 }
540 /* Do second-to-last transform: */
541 SHA256_Transform(context,
542 (uint32_t *)(void *)context->buffer);
543
544 /* And set-up for the last transform: */
545 memset(context->buffer, 0,
546 (size_t)(SHA256_SHORT_BLOCK_LENGTH));
547 }
548 } else {
549 /* Set-up for the last transform: */
550 memset(context->buffer, 0,
551 (size_t)(SHA256_SHORT_BLOCK_LENGTH));
552
553 /* Begin padding with a 1 bit: */
554 *context->buffer = 0x80;
555 }
556 /* Set the bit count: */
557 memcpy(&context->buffer[SHA256_SHORT_BLOCK_LENGTH],
558 &context->bitcount, sizeof(context->bitcount));
559
560 /* Final transform: */
561 SHA256_Transform(context, (uint32_t *)(void *)context->buffer);
562
563 for (i = 0; i < len / 4; i++)
564 be32enc(digest + 4 * i, context->state[i]);
565 }
566
567 /* Clean up state data: */
568 memset(context, 0, sizeof(*context));
569 usedspace = 0;
570
571 return 1;
572}
573
574int
575SHA256_Final(uint8_t digest[], SHA256_CTX *context)
576{
577 return SHA224_256_Final(digest, context, SHA256_DIGEST_LENGTH);
578}
579
580/*** SHA-224: *********************************************************/
581int
582SHA224_Init(SHA224_CTX *context)
583{
584 if (context == NULL)
585 return 1;
586
587 /* The state and buffer size are driven by SHA256, not by SHA224. */
588 memcpy(context->state, sha224_initial_hash_value,
589 (size_t)(SHA256_DIGEST_LENGTH));
590 memset(context->buffer, 0, (size_t)(SHA256_BLOCK_LENGTH));
591 context->bitcount = 0;
592
593 return 1;
594}
595
596int
597SHA224_Update(SHA224_CTX *context, const uint8_t *data, size_t len)
598{
599 return SHA256_Update((SHA256_CTX *)context, data, len);
600}
601
602void
603SHA224_Transform(SHA224_CTX *context, const uint32_t *data)
604{
605 SHA256_Transform((SHA256_CTX *)context, data);
606}
607
608int
609SHA224_Final(uint8_t digest[], SHA224_CTX *context)
610{
611 return SHA224_256_Final(digest, (SHA256_CTX *)context,
612 SHA224_DIGEST_LENGTH);
613}
614
615/*** SHA-512: *********************************************************/
616int
617SHA512_Init(SHA512_CTX *context)
618{
619 if (context == NULL)
620 return 1;
621
622 memcpy(context->state, sha512_initial_hash_value,
623 (size_t)(SHA512_DIGEST_LENGTH));
624 memset(context->buffer, 0, (size_t)(SHA512_BLOCK_LENGTH));
625 context->bitcount[0] = context->bitcount[1] = 0;
626
627 return 1;
628}
629
630#ifdef SHA2_UNROLL_TRANSFORM
631
632/* Unrolled SHA-512 round macros: */
633#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
634 W512[j] = be64dec(data); \
635 ++data; \
636 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
637 K512[j] + W512[j]; \
638 (d) += T1, \
639 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
640 j++
641
642#define ROUND512(a,b,c,d,e,f,g,h) \
643 s0 = W512[(j+1)&0x0f]; \
644 s0 = sigma0_512(s0); \
645 s1 = W512[(j+14)&0x0f]; \
646 s1 = sigma1_512(s1); \
647 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
648 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
649 (d) += T1; \
650 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
651 j++
652
653void
654SHA512_Transform(SHA512_CTX *context, const uint64_t *data)
655{
656 uint64_t a, b, c, d, e, f, g, h, s0, s1;
657 uint64_t T1, *W512 = (uint64_t *)context->buffer;
658 int j;
659
660 /* Initialize registers with the prev. intermediate value */
661 a = context->state[0];
662 b = context->state[1];
663 c = context->state[2];
664 d = context->state[3];
665 e = context->state[4];
666 f = context->state[5];
667 g = context->state[6];
668 h = context->state[7];
669
670 j = 0;
671 do {
672 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
673 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
674 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
675 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
676 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
677 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
678 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
679 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
680 } while (j < 16);
681
682 /* Now for the remaining rounds up to 79: */
683 do {
684 ROUND512(a,b,c,d,e,f,g,h);
685 ROUND512(h,a,b,c,d,e,f,g);
686 ROUND512(g,h,a,b,c,d,e,f);
687 ROUND512(f,g,h,a,b,c,d,e);
688 ROUND512(e,f,g,h,a,b,c,d);
689 ROUND512(d,e,f,g,h,a,b,c);
690 ROUND512(c,d,e,f,g,h,a,b);
691 ROUND512(b,c,d,e,f,g,h,a);
692 } while (j < 80);
693
694 /* Compute the current intermediate hash value */
695 context->state[0] += a;
696 context->state[1] += b;
697 context->state[2] += c;
698 context->state[3] += d;
699 context->state[4] += e;
700 context->state[5] += f;
701 context->state[6] += g;
702 context->state[7] += h;
703
704 /* Clean up */
705 a = b = c = d = e = f = g = h = T1 = 0;
706}
707
708#else /* SHA2_UNROLL_TRANSFORM */
709
710void
711SHA512_Transform(SHA512_CTX *context, const uint64_t *data)
712{
713 uint64_t a, b, c, d, e, f, g, h, s0, s1;
714 uint64_t T1, T2, *W512 = (void *)context->buffer;
715 int j;
716
717 /* Initialize registers with the prev. intermediate value */
718 a = context->state[0];
719 b = context->state[1];
720 c = context->state[2];
721 d = context->state[3];
722 e = context->state[4];
723 f = context->state[5];
724 g = context->state[6];
725 h = context->state[7];
726
727 j = 0;
728 do {
729 W512[j] = be64dec(data);
730 ++data;
731 /* Apply the SHA-512 compression function to update a..h */
732 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
733 T2 = Sigma0_512(a) + Maj(a, b, c);
734 h = g;
735 g = f;
736 f = e;
737 e = d + T1;
738 d = c;
739 c = b;
740 b = a;
741 a = T1 + T2;
742
743 j++;
744 } while (j < 16);
745
746 do {
747 /* Part of the message block expansion: */
748 s0 = W512[(j+1)&0x0f];
749 s0 = sigma0_512(s0);
750 s1 = W512[(j+14)&0x0f];
751 s1 = sigma1_512(s1);
752
753 /* Apply the SHA-512 compression function to update a..h */
754 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
755 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
756 T2 = Sigma0_512(a) + Maj(a, b, c);
757 h = g;
758 g = f;
759 f = e;
760 e = d + T1;
761 d = c;
762 c = b;
763 b = a;
764 a = T1 + T2;
765
766 j++;
767 } while (j < 80);
768
769 /* Compute the current intermediate hash value */
770 context->state[0] += a;
771 context->state[1] += b;
772 context->state[2] += c;
773 context->state[3] += d;
774 context->state[4] += e;
775 context->state[5] += f;
776 context->state[6] += g;
777 context->state[7] += h;
778
779 /* Clean up */
780 a = b = c = d = e = f = g = h = T1 = T2 = 0;
781}
782
783#endif /* SHA2_UNROLL_TRANSFORM */
784
785int
786SHA512_Update(SHA512_CTX *context, const uint8_t *data, size_t len)
787{
788 unsigned int freespace, usedspace;
789
790 if (len == 0) {
791 /* Calling with no data is valid - we do nothing */
792 return 1;
793 }
794
795 usedspace = (unsigned int)((context->bitcount[0] >> 3) %
796 SHA512_BLOCK_LENGTH);
797 if (usedspace > 0) {
798 /* Calculate how much free space is available in the buffer */
799 freespace = SHA512_BLOCK_LENGTH - usedspace;
800
801 if (len >= freespace) {
802 /* Fill the buffer completely and process it */
803 memcpy(&context->buffer[usedspace], data,
804 (size_t)(freespace));
805 ADDINC128(context->bitcount, freespace << 3);
806 len -= freespace;
807 data += freespace;
808 SHA512_Transform(context,
809 (uint64_t *)(void *)context->buffer);
810 } else {
811 /* The buffer is not yet full */
812 memcpy(&context->buffer[usedspace], data, len);
813 ADDINC128(context->bitcount, len << 3);
814 /* Clean up: */
815 usedspace = freespace = 0;
816 return 1;
817 }
818 }
819 /*
820 * Process as many complete blocks as possible.
821 *
822 * Check alignment of the data pointer. If it is 64bit aligned,
823 * SHA512_Transform can be called directly on the data stream,
824 * otherwise enforce the alignment by copy into the buffer.
825 */
826 if ((uintptr_t)data % 8 == 0) {
827 while (len >= SHA512_BLOCK_LENGTH) {
828 SHA512_Transform(context,
829 (const uint64_t*)(const void *)data);
830 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
831 len -= SHA512_BLOCK_LENGTH;
832 data += SHA512_BLOCK_LENGTH;
833 }
834 } else {
835 while (len >= SHA512_BLOCK_LENGTH) {
836 memcpy(context->buffer, data, SHA512_BLOCK_LENGTH);
837 SHA512_Transform(context,
838 (const void *)context->buffer);
839 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
840 len -= SHA512_BLOCK_LENGTH;
841 data += SHA512_BLOCK_LENGTH;
842 }
843 }
844 if (len > 0) {
845 /* There's left-overs, so save 'em */
846 memcpy(context->buffer, data, len);
847 ADDINC128(context->bitcount, len << 3);
848 }
849 /* Clean up: */
850 usedspace = freespace = 0;
851
852 return 1;
853}
854
855static void
856SHA512_Last(SHA512_CTX *context)
857{
858 unsigned int usedspace;
859
860 usedspace = (unsigned int)((context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH);
861 context->bitcount[0] = htobe64(context->bitcount[0]);
862 context->bitcount[1] = htobe64(context->bitcount[1]);
863 if (usedspace > 0) {
864 /* Begin padding with a 1 bit: */
865 context->buffer[usedspace++] = 0x80;
866
867 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
868 /* Set-up for the last transform: */
869 memset(&context->buffer[usedspace], 0,
870 (size_t)(SHA512_SHORT_BLOCK_LENGTH - usedspace));
871 } else {
872 if (usedspace < SHA512_BLOCK_LENGTH) {
873 memset(&context->buffer[usedspace], 0,
874 (size_t)(SHA512_BLOCK_LENGTH - usedspace));
875 }
876 /* Do second-to-last transform: */
877 SHA512_Transform(context,
878 (uint64_t *)(void *)context->buffer);
879
880 /* And set-up for the last transform: */
881 memset(context->buffer, 0,
882 (size_t)(SHA512_BLOCK_LENGTH - 2));
883 }
884 } else {
885 /* Prepare for final transform: */
886 memset(context->buffer, 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH));
887
888 /* Begin padding with a 1 bit: */
889 *context->buffer = 0x80;
890 }
891 /* Store the length of input data (in bits): */
892 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH],
893 &context->bitcount[1], sizeof(context->bitcount[1]));
894 memcpy(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8],
895 &context->bitcount[0], sizeof(context->bitcount[0]));
896
897 /* Final transform: */
898 SHA512_Transform(context, (uint64_t *)(void *)context->buffer);
899}
900
901int
902SHA512_Final(uint8_t digest[], SHA512_CTX *context)
903{
904 size_t i;
905
906 /* If no digest buffer is passed, we don't bother doing this: */
907 if (digest != NULL) {
908 SHA512_Last(context);
909
910 /* Save the hash data for output: */
911 for (i = 0; i < 8; ++i)
912 be64enc(digest + 8 * i, context->state[i]);
913 }
914
915 /* Zero out state data */
916 memset(context, 0, sizeof(*context));
917
918 return 1;
919}
920
921/*** SHA-384: *********************************************************/
922int
923SHA384_Init(SHA384_CTX *context)
924{
925 if (context == NULL)
926 return 1;
927
928 memcpy(context->state, sha384_initial_hash_value,
929 (size_t)(SHA512_DIGEST_LENGTH));
930 memset(context->buffer, 0, (size_t)(SHA384_BLOCK_LENGTH));
931 context->bitcount[0] = context->bitcount[1] = 0;
932
933 return 1;
934}
935
936int
937SHA384_Update(SHA384_CTX *context, const uint8_t *data, size_t len)
938{
939 return SHA512_Update((SHA512_CTX *)context, data, len);
940}
941
942void
943SHA384_Transform(SHA512_CTX *context, const uint64_t *data)
944{
945 SHA512_Transform((SHA512_CTX *)context, data);
946}
947
948int
949SHA384_Final(uint8_t digest[], SHA384_CTX *context)
950{
951 size_t i;
952
953 /* If no digest buffer is passed, we don't bother doing this: */
954 if (digest != NULL) {
955 SHA512_Last((SHA512_CTX *)context);
956
957 /* Save the hash data for output: */
958 for (i = 0; i < 6; ++i)
959 be64enc(digest + 8 * i, context->state[i]);
960 }
961
962 /* Zero out state data */
963 memset(context, 0, sizeof(*context));
964
965 return 1;
966}
967