root/crypto/sha2.c

DEFINITIONS

1. SHA256_Init
2. SHA256_Transform
3. SHA256_Transform
4. SHA256_Update
5. SHA256_Final
6. SHA512_Init
7. SHA512_Transform
8. SHA512_Transform
9. SHA512_Update
10. SHA512_Last
11. SHA512_Final
12. SHA384_Init
13. SHA384_Update
14. SHA384_Final

    1 /*      $OpenBSD: sha2.c,v 1.6 2004/05/03 02:57:36 millert Exp $        */
    3 /*
    4  * FILE:        sha2.c
    5  * AUTHOR:      Aaron D. Gifford <me@aarongifford.com>
    6  * 
    7  * Copyright (c) 2000-2001, Aaron D. Gifford
    8  * All rights reserved.
    9  *
   10  * Redistribution and use in source and binary forms, with or without
   11  * modification, are permitted provided that the following conditions
   12  * are met:
   13  * 1. Redistributions of source code must retain the above copyright
   14  *    notice, this list of conditions and the following disclaimer.
   15  * 2. Redistributions in binary form must reproduce the above copyright
   16  *    notice, this list of conditions and the following disclaimer in the
   17  *    documentation and/or other materials provided with the distribution.
   18  * 3. Neither the name of the copyright holder nor the names of contributors
   19  *    may be used to endorse or promote products derived from this software
   20  *    without specific prior written permission.
   21  * 
   22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
   23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
   26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   32  * SUCH DAMAGE.
   33  *
   34  * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
   35  */
   37 #include <sys/param.h>
   38 #include <sys/time.h>
   39 #include <sys/systm.h>
   40 #include <crypto/sha2.h>
   42 /*
   43  * UNROLLED TRANSFORM LOOP NOTE:
   44  * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
   45  * loop version for the hash transform rounds (defined using macros
   46  * later in this file).  Either define on the command line, for example:
   47  *
   48  *   cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
   49  *
   50  * or define below:
   51  *
   52  *   #define SHA2_UNROLL_TRANSFORM
   53  *
   54  */
   57 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
   58 /*
   59  * BYTE_ORDER NOTE:
   60  *
   61  * Please make sure that your system defines BYTE_ORDER.  If your
   62  * architecture is little-endian, make sure it also defines
   63  * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
   64  * equivilent.
   65  *
   66  * If your system does not define the above, then you can do so by
   67  * hand like this:
   68  *
   69  *   #define LITTLE_ENDIAN 1234
   70  *   #define BIG_ENDIAN    4321
   71  *
   72  * And for little-endian machines, add:
   73  *
   74  *   #define BYTE_ORDER LITTLE_ENDIAN 
   75  *
   76  * Or for big-endian machines:
   77  *
   78  *   #define BYTE_ORDER BIG_ENDIAN
   79  *
   80  * The FreeBSD machine this was written on defines BYTE_ORDER
   81  * appropriately by including <sys/types.h> (which in turn includes
   82  * <machine/endian.h> where the appropriate definitions are actually
   83  * made).
   84  */
   85 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
   86 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
   87 #endif
   90 /*** SHA-256/384/512 Various Length Definitions ***********************/
   91 /* NOTE: Most of these are in sha2.h */
   92 #define SHA256_SHORT_BLOCK_LENGTH       (SHA256_BLOCK_LENGTH - 8)
   93 #define SHA384_SHORT_BLOCK_LENGTH       (SHA384_BLOCK_LENGTH - 16)
   94 #define SHA512_SHORT_BLOCK_LENGTH       (SHA512_BLOCK_LENGTH - 16)
   97 /*** ENDIAN REVERSAL MACROS *******************************************/
   98 #if BYTE_ORDER == LITTLE_ENDIAN
   99 #define REVERSE32(w,x)  { \
u_int32_t tmp = (w); \
tmp = (tmp >> 16) | (tmp << 16); \
  102         (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
  103 }
  104 #define REVERSE64(w,x)  { \
u_int64_t tmp = (w); \
tmp = (tmp >> 32) | (tmp << 32); \
tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
  108               ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
  109         (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
  110               ((tmp & 0x0000ffff0000ffffULL) << 16); \
  111 }
  112 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
  114 /*
  115  * Macro for incrementally adding the unsigned 64-bit integer n to the
  116  * unsigned 128-bit integer (represented using a two-element array of
  117  * 64-bit words):
  118  */
  119 #define ADDINC128(w,n)  { \
  120         (w)[0] += (u_int64_t)(n); \
  121         if ((w)[0] < (n)) { \
  122                 (w)[1]++; \
  123         } \
  124 }
  126 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
  127 /*
  128  * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
  129  *
  130  *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
  131  *   S is a ROTATION) because the SHA-256/384/512 description document
  132  *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
  133  *   same "backwards" definition.
  134  */
  135 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
  136 #define R(b,x)          ((x) >> (b))
  137 /* 32-bit Rotate-right (used in SHA-256): */
  138 #define S32(b,x)        (((x) >> (b)) | ((x) << (32 - (b))))
  139 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
  140 #define S64(b,x)        (((x) >> (b)) | ((x) << (64 - (b))))
  142 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
  143 #define Ch(x,y,z)       (((x) & (y)) ^ ((~(x)) & (z)))
  144 #define Maj(x,y,z)      (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
  146 /* Four of six logical functions used in SHA-256: */
  147 #define Sigma0_256(x)   (S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
  148 #define Sigma1_256(x)   (S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
  149 #define sigma0_256(x)   (S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
  150 #define sigma1_256(x)   (S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
  152 /* Four of six logical functions used in SHA-384 and SHA-512: */
  153 #define Sigma0_512(x)   (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
  154 #define Sigma1_512(x)   (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
  155 #define sigma0_512(x)   (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
  156 #define sigma1_512(x)   (S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
  158 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
  159 /* NOTE: These should not be accessed directly from outside this
  160  * library -- they are intended for private internal visibility/use
  161  * only.
  162  */
  163 void SHA512_Last(SHA512_CTX *);
  164 void SHA256_Transform(SHA256_CTX *, const u_int8_t *);
  165 void SHA512_Transform(SHA512_CTX *, const u_int8_t *);
  168 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
  169 /* Hash constant words K for SHA-256: */
  170 const static u_int32_t K256[64] = {
  171         0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
  172         0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
  173         0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
  174         0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
  175         0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
  176         0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
  177         0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
  178         0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
  179         0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
  180         0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
  181         0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
  182         0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
  183         0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
  184         0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
  185         0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
  186         0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
  187 };
  189 /* Initial hash value H for SHA-256: */
  190 const static u_int32_t sha256_initial_hash_value[8] = {
  191         0x6a09e667UL,
  192         0xbb67ae85UL,
  193         0x3c6ef372UL,
  194         0xa54ff53aUL,
  195         0x510e527fUL,
  196         0x9b05688cUL,
  197         0x1f83d9abUL,
  198         0x5be0cd19UL
  199 };
  201 /* Hash constant words K for SHA-384 and SHA-512: */
  202 const static u_int64_t K512[80] = {
  203         0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
  204         0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
  205         0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
  206         0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
  207         0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
  208         0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
  209         0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
  210         0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
  211         0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
  212         0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
  213         0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
  214         0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
  215         0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
  216         0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
  217         0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
  218         0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
  219         0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
  220         0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
  221         0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
  222         0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
  223         0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
  224         0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
  225         0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
  226         0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
  227         0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
  228         0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
  229         0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
  230         0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
  231         0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
  232         0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
  233         0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
  234         0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
  235         0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
  236         0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
  237         0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
  238         0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
  239         0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
  240         0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
  241         0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
  242         0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
  243 };
  245 /* Initial hash value H for SHA-384 */
  246 const static u_int64_t sha384_initial_hash_value[8] = {
  247         0xcbbb9d5dc1059ed8ULL,
  248         0x629a292a367cd507ULL,
  249         0x9159015a3070dd17ULL,
  250         0x152fecd8f70e5939ULL,
  251         0x67332667ffc00b31ULL,
  252         0x8eb44a8768581511ULL,
  253         0xdb0c2e0d64f98fa7ULL,
  254         0x47b5481dbefa4fa4ULL
  255 };
  257 /* Initial hash value H for SHA-512 */
  258 const static u_int64_t sha512_initial_hash_value[8] = {
  259         0x6a09e667f3bcc908ULL,
  260         0xbb67ae8584caa73bULL,
  261         0x3c6ef372fe94f82bULL,
  262         0xa54ff53a5f1d36f1ULL,
  263         0x510e527fade682d1ULL,
  264         0x9b05688c2b3e6c1fULL,
  265         0x1f83d9abfb41bd6bULL,
  266         0x5be0cd19137e2179ULL
  267 };
  270 /*** SHA-256: *********************************************************/
  271 void
SHA256_Init(SHA256_CTX *context)
  273 {
  274         if (context == NULL)
  275                 return;
bcopy(sha256_initial_hash_value, context->state, SHA256_DIGEST_LENGTH);
bzero(context->buffer, SHA256_BLOCK_LENGTH);
context->bitcount = 0;
  279 }
  281 #ifdef SHA2_UNROLL_TRANSFORM
  283 /* Unrolled SHA-256 round macros: */
  285 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do {                              \
W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) |          \
  287             ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24);        \
data += 4;                                                          \
T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
  290         (d) += T1;                                                          \
  291         (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));                    \
j++;                                                                \
  293 } while(0)
  295 #define ROUND256(a,b,c,d,e,f,g,h) do {                                      \
s0 = W256[(j+1)&0x0f];                                              \
s0 = sigma0_256(s0);                                                \
s1 = W256[(j+14)&0x0f];                                             \
s1 = sigma1_256(s1);                                                \
T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] +          \
  301              (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);                  \
  302         (d) += T1;                                                          \
  303         (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c));                    \
j++;                                                                \
  305 } while(0)
  307 void
SHA256_Transform(SHA256_CTX *context, const u_int8_t *data)
  309 {
u_int32_t       a, b, c, d, e, f, g, h, s0, s1;
u_int32_t       T1, *W256;
  312         int             j;
W256 = (u_int32_t *)context->buffer;
  316         /* Initialize registers with the prev. intermediate value */
a = context->state[0];
b = context->state[1];
c = context->state[2];
d = context->state[3];
e = context->state[4];
f = context->state[5];
g = context->state[6];
h = context->state[7];
j = 0;
  327         do {
  328                 /* Rounds 0 to 15 (unrolled): */
ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
  337         } while (j < 16);
  339         /* Now for the remaining rounds to 64: */
  340         do {
ROUND256(a,b,c,d,e,f,g,h);
ROUND256(h,a,b,c,d,e,f,g);
ROUND256(g,h,a,b,c,d,e,f);
ROUND256(f,g,h,a,b,c,d,e);
ROUND256(e,f,g,h,a,b,c,d);
ROUND256(d,e,f,g,h,a,b,c);
ROUND256(c,d,e,f,g,h,a,b);
ROUND256(b,c,d,e,f,g,h,a);
  349         } while (j < 64);
  351         /* Compute the current intermediate hash value */
context->state[0] += a;
context->state[1] += b;
context->state[2] += c;
context->state[3] += d;
context->state[4] += e;
context->state[5] += f;
context->state[6] += g;
context->state[7] += h;
  361         /* Clean up */
a = b = c = d = e = f = g = h = T1 = 0;
  363 }
  365 #else /* SHA2_UNROLL_TRANSFORM */
  367 void
SHA256_Transform(SHA256_CTX *context, const u_int8_t *data)
  369 {
u_int32_t       a, b, c, d, e, f, g, h, s0, s1;
u_int32_t       T1, T2, *W256;
  372         int             j;
W256 = (u_int32_t *)context->buffer;
  376         /* Initialize registers with the prev. intermediate value */
a = context->state[0];
b = context->state[1];
c = context->state[2];
d = context->state[3];
e = context->state[4];
f = context->state[5];
g = context->state[6];
h = context->state[7];
j = 0;
  387         do {
W256[j] = (u_int32_t)data[3] | ((u_int32_t)data[2] << 8) |
  389                     ((u_int32_t)data[1] << 16) | ((u_int32_t)data[0] << 24);
data += 4;
  391                 /* Apply the SHA-256 compression function to update a..h */
T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
T2 = Sigma0_256(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
  404         } while (j < 16);
  406         do {
  407                 /* Part of the message block expansion: */
s0 = W256[(j+1)&0x0f];
s0 = sigma0_256(s0);
s1 = W256[(j+14)&0x0f]; 
s1 = sigma1_256(s1);
  413                 /* Apply the SHA-256 compression function to update a..h */
T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 
  415                      (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
T2 = Sigma0_256(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
  427         } while (j < 64);
  429         /* Compute the current intermediate hash value */
context->state[0] += a;
context->state[1] += b;
context->state[2] += c;
context->state[3] += d;
context->state[4] += e;
context->state[5] += f;
context->state[6] += g;
context->state[7] += h;
  439         /* Clean up */
a = b = c = d = e = f = g = h = T1 = T2 = 0;
  441 }
  443 #endif /* SHA2_UNROLL_TRANSFORM */
  445 void
SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len)
  447 {
size_t  freespace, usedspace;
  450         /* Calling with no data is valid (we do nothing) */
  451         if (len == 0)
  452                 return;
usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
  455         if (usedspace > 0) {
  456                 /* Calculate how much free space is available in the buffer */
freespace = SHA256_BLOCK_LENGTH - usedspace;
  459                 if (len >= freespace) {
  460                         /* Fill the buffer completely and process it */
bcopy(data, &context->buffer[usedspace], freespace);
context->bitcount += freespace << 3;
len -= freespace;
data += freespace;
SHA256_Transform(context, context->buffer);
  466                 } else {
  467                         /* The buffer is not yet full */
bcopy(data, &context->buffer[usedspace], len);
context->bitcount += len << 3;
  470                         /* Clean up: */
usedspace = freespace = 0;
  472                         return;
  473                 }
  474         }
  475         while (len >= SHA256_BLOCK_LENGTH) {
  476                 /* Process as many complete blocks as we can */
SHA256_Transform(context, data);
context->bitcount += SHA256_BLOCK_LENGTH << 3;
len -= SHA256_BLOCK_LENGTH;
data += SHA256_BLOCK_LENGTH;
  481         }
  482         if (len > 0) {
  483                 /* There's left-overs, so save 'em */
bcopy(data, context->buffer, len);
context->bitcount += len << 3;
  486         }
  487         /* Clean up: */
usedspace = freespace = 0;
  489 }
  491 void
SHA256_Final(u_int8_t digest[], SHA256_CTX *context)
  493 {
u_int32_t       *d = (u_int32_t *)digest;
  495         unsigned int    usedspace;
  497         /* If no digest buffer is passed, we don't bother doing this: */
  498         if (digest != NULL) {
usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
  500 #if BYTE_ORDER == LITTLE_ENDIAN
  501                 /* Convert FROM host byte order */
REVERSE64(context->bitcount,context->bitcount);
  503 #endif
  504                 if (usedspace > 0) {
  505                         /* Begin padding with a 1 bit: */
context->buffer[usedspace++] = 0x80;
  508                         if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
  509                                 /* Set-up for the last transform: */
bzero(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
  511                         } else {
  512                                 if (usedspace < SHA256_BLOCK_LENGTH) {
bzero(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
  514                                 }
  515                                 /* Do second-to-last transform: */
SHA256_Transform(context, context->buffer);
  518                                 /* And set-up for the last transform: */
bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
  520                         }
  521                 } else {
  522                         /* Set-up for the last transform: */
bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
  525                         /* Begin padding with a 1 bit: */
  526                         *context->buffer = 0x80;
  527                 }
  528                 /* Set the bit count: */
  529                 *(u_int64_t *)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
  531                 /* Final transform: */
SHA256_Transform(context, context->buffer);
  534 #if BYTE_ORDER == LITTLE_ENDIAN
  535                 {
  536                         /* Convert TO host byte order */
  537                         int     j;
  538                         for (j = 0; j < 8; j++) {
REVERSE32(context->state[j],context->state[j]);
  540                                 *d++ = context->state[j];
  541                         }
  542                 }
  543 #else
bcopy(context->state, d, SHA256_DIGEST_LENGTH);
  545 #endif
  546         }
  548         /* Clean up state data: */
bzero(context, sizeof(*context));
usedspace = 0;
  551 }
  554 /*** SHA-512: *********************************************************/
  555 void
SHA512_Init(SHA512_CTX *context)
  557 {
  558         if (context == NULL)
  559                 return;
bcopy(sha512_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
bzero(context->buffer, SHA512_BLOCK_LENGTH);
context->bitcount[0] = context->bitcount[1] =  0;
  563 }
  565 #ifdef SHA2_UNROLL_TRANSFORM
  567 /* Unrolled SHA-512 round macros: */
  569 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do {                              \
W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) |          \
  571             ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) |       \
  572             ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) |       \
  573             ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56);        \
data += 8;                                                          \
T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
  576         (d) += T1;                                                          \
  577         (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));                    \
j++;                                                                \
  579 } while(0)
  582 #define ROUND512(a,b,c,d,e,f,g,h) do {                                      \
s0 = W512[(j+1)&0x0f];                                              \
s0 = sigma0_512(s0);                                                \
s1 = W512[(j+14)&0x0f];                                             \
s1 = sigma1_512(s1);                                                \
T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] +          \
  588              (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);                  \
  589         (d) += T1;                                                          \
  590         (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c));                    \
j++;                                                                \
  592 } while(0)
  594 void
SHA512_Transform(SHA512_CTX *context, const u_int8_t *data)
  596 {
u_int64_t       a, b, c, d, e, f, g, h, s0, s1;
u_int64_t       T1, *W512 = (u_int64_t *)context->buffer;
  599         int             j;
  601         /* Initialize registers with the prev. intermediate value */
a = context->state[0];
b = context->state[1];
c = context->state[2];
d = context->state[3];
e = context->state[4];
f = context->state[5];
g = context->state[6];
h = context->state[7];
j = 0;
  612         do {
ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
  621         } while (j < 16);
  623         /* Now for the remaining rounds up to 79: */
  624         do {
ROUND512(a,b,c,d,e,f,g,h);
ROUND512(h,a,b,c,d,e,f,g);
ROUND512(g,h,a,b,c,d,e,f);
ROUND512(f,g,h,a,b,c,d,e);
ROUND512(e,f,g,h,a,b,c,d);
ROUND512(d,e,f,g,h,a,b,c);
ROUND512(c,d,e,f,g,h,a,b);
ROUND512(b,c,d,e,f,g,h,a);
  633         } while (j < 80);
  635         /* Compute the current intermediate hash value */
context->state[0] += a;
context->state[1] += b;
context->state[2] += c;
context->state[3] += d;
context->state[4] += e;
context->state[5] += f;
context->state[6] += g;
context->state[7] += h;
  645         /* Clean up */
a = b = c = d = e = f = g = h = T1 = 0;
  647 }
  649 #else /* SHA2_UNROLL_TRANSFORM */
  651 void
SHA512_Transform(SHA512_CTX *context, const u_int8_t *data)
  653 {
u_int64_t       a, b, c, d, e, f, g, h, s0, s1;
u_int64_t       T1, T2, *W512 = (u_int64_t *)context->buffer;
  656         int             j;
  658         /* Initialize registers with the prev. intermediate value */
a = context->state[0];
b = context->state[1];
c = context->state[2];
d = context->state[3];
e = context->state[4];
f = context->state[5];
g = context->state[6];
h = context->state[7];
j = 0;
  669         do {
W512[j] = (u_int64_t)data[7] | ((u_int64_t)data[6] << 8) |
  671                     ((u_int64_t)data[5] << 16) | ((u_int64_t)data[4] << 24) |
  672                     ((u_int64_t)data[3] << 32) | ((u_int64_t)data[2] << 40) |
  673                     ((u_int64_t)data[1] << 48) | ((u_int64_t)data[0] << 56);
data += 8;
  675                 /* Apply the SHA-512 compression function to update a..h */
T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
T2 = Sigma0_512(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
  688         } while (j < 16);
  690         do {
  691                 /* Part of the message block expansion: */
s0 = W512[(j+1)&0x0f];
s0 = sigma0_512(s0);
s1 = W512[(j+14)&0x0f];
s1 =  sigma1_512(s1);
  697                 /* Apply the SHA-512 compression function to update a..h */
T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
  699                      (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
T2 = Sigma0_512(a) + Maj(a, b, c);
h = g;
g = f;
f = e;
e = d + T1;
d = c;
c = b;
b = a;
a = T1 + T2;
j++;
  711         } while (j < 80);
  713         /* Compute the current intermediate hash value */
context->state[0] += a;
context->state[1] += b;
context->state[2] += c;
context->state[3] += d;
context->state[4] += e;
context->state[5] += f;
context->state[6] += g;
context->state[7] += h;
  723         /* Clean up */
a = b = c = d = e = f = g = h = T1 = T2 = 0;
  725 }
  727 #endif /* SHA2_UNROLL_TRANSFORM */
  729 void
SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
  731 {
size_t  freespace, usedspace;
  734         /* Calling with no data is valid (we do nothing) */
  735         if (len == 0)
  736                 return;
usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
  739         if (usedspace > 0) {
  740                 /* Calculate how much free space is available in the buffer */
freespace = SHA512_BLOCK_LENGTH - usedspace;
  743                 if (len >= freespace) {
  744                         /* Fill the buffer completely and process it */
bcopy(data, &context->buffer[usedspace], freespace);
ADDINC128(context->bitcount, freespace << 3);
len -= freespace;
data += freespace;
SHA512_Transform(context, context->buffer);
  750                 } else {
  751                         /* The buffer is not yet full */
bcopy(data, &context->buffer[usedspace], len);
ADDINC128(context->bitcount, len << 3);
  754                         /* Clean up: */
usedspace = freespace = 0;
  756                         return;
  757                 }
  758         }
  759         while (len >= SHA512_BLOCK_LENGTH) {
  760                 /* Process as many complete blocks as we can */
SHA512_Transform(context, data);
ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
len -= SHA512_BLOCK_LENGTH;
data += SHA512_BLOCK_LENGTH;
  765         }
  766         if (len > 0) {
  767                 /* There's left-overs, so save 'em */
bcopy(data, context->buffer, len);
ADDINC128(context->bitcount, len << 3);
  770         }
  771         /* Clean up: */
usedspace = freespace = 0;
  773 }
  775 void
SHA512_Last(SHA512_CTX *context)
  777 {
  778         unsigned int    usedspace;
usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
  781 #if BYTE_ORDER == LITTLE_ENDIAN
  782         /* Convert FROM host byte order */
REVERSE64(context->bitcount[0],context->bitcount[0]);
REVERSE64(context->bitcount[1],context->bitcount[1]);
  785 #endif
  786         if (usedspace > 0) {
  787                 /* Begin padding with a 1 bit: */
context->buffer[usedspace++] = 0x80;
  790                 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
  791                         /* Set-up for the last transform: */
bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
  793                 } else {
  794                         if (usedspace < SHA512_BLOCK_LENGTH) {
bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
  796                         }
  797                         /* Do second-to-last transform: */
SHA512_Transform(context, context->buffer);
  800                         /* And set-up for the last transform: */
bzero(context->buffer, SHA512_BLOCK_LENGTH - 2);
  802                 }
  803         } else {
  804                 /* Prepare for final transform: */
bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
  807                 /* Begin padding with a 1 bit: */
  808                 *context->buffer = 0x80;
  809         }
  810         /* Store the length of input data (in bits): */
  811         *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
  812         *(u_int64_t *)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
  814         /* Final transform: */
SHA512_Transform(context, context->buffer);
  816 }
  818 void
SHA512_Final(u_int8_t digest[], SHA512_CTX *context)
  820 {
u_int64_t       *d = (u_int64_t *)digest;
  823         /* If no digest buffer is passed, we don't bother doing this: */
  824         if (digest != NULL) {
SHA512_Last(context);
  827                 /* Save the hash data for output: */
  828 #if BYTE_ORDER == LITTLE_ENDIAN
  829                 {
  830                         /* Convert TO host byte order */
  831                         int     j;
  832                         for (j = 0; j < 8; j++) {
REVERSE64(context->state[j],context->state[j]);
  834                                 *d++ = context->state[j];
  835                         }
  836                 }
  837 #else
bcopy(context->state, d, SHA512_DIGEST_LENGTH);
  839 #endif
  840         }
  842         /* Zero out state data */
bzero(context, sizeof(*context));
  844 }
  847 /*** SHA-384: *********************************************************/
  848 void
SHA384_Init(SHA384_CTX *context)
  850 {
  851         if (context == NULL)
  852                 return;
bcopy(sha384_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
bzero(context->buffer, SHA384_BLOCK_LENGTH);
context->bitcount[0] = context->bitcount[1] = 0;
  856 }
  858 void
SHA384_Update(SHA384_CTX *context, const u_int8_t *data, size_t len)
  860 {
SHA512_Update((SHA512_CTX *)context, data, len);
  862 }
  864 void
SHA384_Final(u_int8_t digest[], SHA384_CTX *context)
  866 {
u_int64_t       *d = (u_int64_t *)digest;
  869         /* If no digest buffer is passed, we don't bother doing this: */
  870         if (digest != NULL) {
SHA512_Last((SHA512_CTX *)context);
  873                 /* Save the hash data for output: */
  874 #if BYTE_ORDER == LITTLE_ENDIAN
  875                 {
  876                         /* Convert TO host byte order */
  877                         int     j;
  878                         for (j = 0; j < 6; j++) {
REVERSE64(context->state[j],context->state[j]);
  880                                 *d++ = context->state[j];
  881                         }
  882                 }
  883 #else
bcopy(context->state, d, SHA384_DIGEST_LENGTH);
  885 #endif
  886         }
  888         /* Zero out state data */
bzero(context, sizeof(*context));
  890 }