diff options
author | Colin Watson <cjwatson@debian.org> | 2009-12-29 21:38:40 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2009-12-29 21:38:40 +0000 |
commit | 1b816ea846aca3ee89e7995373ace609e9518424 (patch) | |
tree | b41cdc8495cae7fa9c2e0f98a5f2e71656b61f9a /openbsd-compat/sha2.c | |
parent | fa585019a79ebcb4e0202b1c33f87ff1c5c9ce1c (diff) | |
parent | 086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff) |
import openssh-4.6p1-gsskex-20070312.patch
Diffstat (limited to 'openbsd-compat/sha2.c')
-rwxr-xr-x | openbsd-compat/sha2.c | 882 |
1 files changed, 882 insertions, 0 deletions
diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c new file mode 100755 index 000000000..cf8e0ad66 --- /dev/null +++ b/openbsd-compat/sha2.c | |||
@@ -0,0 +1,882 @@ | |||
1 | /* $OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp $ */ | ||
2 | |||
3 | /* | ||
4 | * FILE: sha2.c | ||
5 | * AUTHOR: Aaron D. Gifford <me@aarongifford.com> | ||
6 | * | ||
7 | * Copyright (c) 2000-2001, Aaron D. Gifford | ||
8 | * All rights reserved. | ||
9 | * | ||
10 | * Redistribution and use in source and binary forms, with or without | ||
11 | * modification, are permitted provided that the following conditions | ||
12 | * are met: | ||
13 | * 1. Redistributions of source code must retain the above copyright | ||
14 | * notice, this list of conditions and the following disclaimer. | ||
15 | * 2. Redistributions in binary form must reproduce the above copyright | ||
16 | * notice, this list of conditions and the following disclaimer in the | ||
17 | * documentation and/or other materials provided with the distribution. | ||
18 | * 3. Neither the name of the copyright holder nor the names of contributors | ||
19 | * may be used to endorse or promote products derived from this software | ||
20 | * without specific prior written permission. | ||
21 | * | ||
22 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND | ||
23 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
24 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
25 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE | ||
26 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
27 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
28 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
29 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
30 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
31 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
32 | * SUCH DAMAGE. | ||
33 | * | ||
34 | * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ | ||
35 | */ | ||
36 | |||
37 | /* OPENBSD ORIGINAL: lib/libc/hash/sha2.c */ | ||
38 | |||
39 | #include "includes.h" | ||
40 | |||
41 | #include <openssl/opensslv.h> | ||
42 | |||
43 | #if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | ||
44 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
45 | #include <sys/types.h> | ||
46 | #include <string.h> | ||
47 | #include "sha2.h" | ||
48 | |||
49 | /* | ||
50 | * UNROLLED TRANSFORM LOOP NOTE: | ||
51 | * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform | ||
52 | * loop version for the hash transform rounds (defined using macros | ||
53 | * later in this file). Either define on the command line, for example: | ||
54 | * | ||
55 | * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c | ||
56 | * | ||
57 | * or define below: | ||
58 | * | ||
59 | * #define SHA2_UNROLL_TRANSFORM | ||
60 | * | ||
61 | */ | ||
62 | |||
63 | /*** SHA-256/384/512 Machine Architecture Definitions *****************/ | ||
64 | /* | ||
65 | * BYTE_ORDER NOTE: | ||
66 | * | ||
67 | * Please make sure that your system defines BYTE_ORDER. If your | ||
68 | * architecture is little-endian, make sure it also defines | ||
69 | * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are | ||
70 | * equivilent. | ||
71 | * | ||
72 | * If your system does not define the above, then you can do so by | ||
73 | * hand like this: | ||
74 | * | ||
75 | * #define LITTLE_ENDIAN 1234 | ||
76 | * #define BIG_ENDIAN 4321 | ||
77 | * | ||
78 | * And for little-endian machines, add: | ||
79 | * | ||
80 | * #define BYTE_ORDER LITTLE_ENDIAN | ||
81 | * | ||
82 | * Or for big-endian machines: | ||
83 | * | ||
84 | * #define BYTE_ORDER BIG_ENDIAN | ||
85 | * | ||
86 | * The FreeBSD machine this was written on defines BYTE_ORDER | ||
87 | * appropriately by including <sys/types.h> (which in turn includes | ||
88 | * <machine/endian.h> where the appropriate definitions are actually | ||
89 | * made). | ||
90 | */ | ||
91 | #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) | ||
92 | #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN | ||
93 | #endif | ||
94 | |||
95 | |||
96 | /*** SHA-256/384/512 Various Length Definitions ***********************/ | ||
97 | /* NOTE: Most of these are in sha2.h */ | ||
98 | #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) | ||
99 | #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) | ||
100 | #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) | ||
101 | |||
102 | /*** ENDIAN SPECIFIC COPY MACROS **************************************/ | ||
103 | #define BE_8_TO_32(dst, cp) do { \ | ||
104 | (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) | \ | ||
105 | ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24); \ | ||
106 | } while(0) | ||
107 | |||
108 | #define BE_8_TO_64(dst, cp) do { \ | ||
109 | (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) | \ | ||
110 | ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) | \ | ||
111 | ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) | \ | ||
112 | ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56); \ | ||
113 | } while (0) | ||
114 | |||
115 | #define BE_64_TO_8(cp, src) do { \ | ||
116 | (cp)[0] = (src) >> 56; \ | ||
117 | (cp)[1] = (src) >> 48; \ | ||
118 | (cp)[2] = (src) >> 40; \ | ||
119 | (cp)[3] = (src) >> 32; \ | ||
120 | (cp)[4] = (src) >> 24; \ | ||
121 | (cp)[5] = (src) >> 16; \ | ||
122 | (cp)[6] = (src) >> 8; \ | ||
123 | (cp)[7] = (src); \ | ||
124 | } while (0) | ||
125 | |||
126 | #define BE_32_TO_8(cp, src) do { \ | ||
127 | (cp)[0] = (src) >> 24; \ | ||
128 | (cp)[1] = (src) >> 16; \ | ||
129 | (cp)[2] = (src) >> 8; \ | ||
130 | (cp)[3] = (src); \ | ||
131 | } while (0) | ||
132 | |||
133 | /* | ||
134 | * Macro for incrementally adding the unsigned 64-bit integer n to the | ||
135 | * unsigned 128-bit integer (represented using a two-element array of | ||
136 | * 64-bit words): | ||
137 | */ | ||
138 | #define ADDINC128(w,n) do { \ | ||
139 | (w)[0] += (u_int64_t)(n); \ | ||
140 | if ((w)[0] < (n)) { \ | ||
141 | (w)[1]++; \ | ||
142 | } \ | ||
143 | } while (0) | ||
144 | |||
145 | /*** THE SIX LOGICAL FUNCTIONS ****************************************/ | ||
146 | /* | ||
147 | * Bit shifting and rotation (used by the six SHA-XYZ logical functions: | ||
148 | * | ||
149 | * NOTE: The naming of R and S appears backwards here (R is a SHIFT and | ||
150 | * S is a ROTATION) because the SHA-256/384/512 description document | ||
151 | * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this | ||
152 | * same "backwards" definition. | ||
153 | */ | ||
154 | /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ | ||
155 | #define R(b,x) ((x) >> (b)) | ||
156 | /* 32-bit Rotate-right (used in SHA-256): */ | ||
157 | #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) | ||
158 | /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ | ||
159 | #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) | ||
160 | |||
161 | /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ | ||
162 | #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) | ||
163 | #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) | ||
164 | |||
165 | /* Four of six logical functions used in SHA-256: */ | ||
166 | #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) | ||
167 | #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) | ||
168 | #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) | ||
169 | #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) | ||
170 | |||
171 | /* Four of six logical functions used in SHA-384 and SHA-512: */ | ||
172 | #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) | ||
173 | #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) | ||
174 | #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) | ||
175 | #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) | ||
176 | |||
177 | |||
178 | /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ | ||
179 | /* Hash constant words K for SHA-256: */ | ||
180 | const static u_int32_t K256[64] = { | ||
181 | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, | ||
182 | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, | ||
183 | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, | ||
184 | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, | ||
185 | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, | ||
186 | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, | ||
187 | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, | ||
188 | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, | ||
189 | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, | ||
190 | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, | ||
191 | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, | ||
192 | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, | ||
193 | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, | ||
194 | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, | ||
195 | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, | ||
196 | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL | ||
197 | }; | ||
198 | |||
199 | /* Initial hash value H for SHA-256: */ | ||
200 | const static u_int32_t sha256_initial_hash_value[8] = { | ||
201 | 0x6a09e667UL, | ||
202 | 0xbb67ae85UL, | ||
203 | 0x3c6ef372UL, | ||
204 | 0xa54ff53aUL, | ||
205 | 0x510e527fUL, | ||
206 | 0x9b05688cUL, | ||
207 | 0x1f83d9abUL, | ||
208 | 0x5be0cd19UL | ||
209 | }; | ||
210 | |||
211 | /* Hash constant words K for SHA-384 and SHA-512: */ | ||
212 | const static u_int64_t K512[80] = { | ||
213 | 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, | ||
214 | 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, | ||
215 | 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, | ||
216 | 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, | ||
217 | 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, | ||
218 | 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, | ||
219 | 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, | ||
220 | 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, | ||
221 | 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, | ||
222 | 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, | ||
223 | 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, | ||
224 | 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, | ||
225 | 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, | ||
226 | 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, | ||
227 | 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, | ||
228 | 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, | ||
229 | 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, | ||
230 | 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, | ||
231 | 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, | ||
232 | 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, | ||
233 | 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, | ||
234 | 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, | ||
235 | 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, | ||
236 | 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, | ||
237 | 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, | ||
238 | 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, | ||
239 | 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, | ||
240 | 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, | ||
241 | 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, | ||
242 | 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, | ||
243 | 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, | ||
244 | 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, | ||
245 | 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, | ||
246 | 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, | ||
247 | 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, | ||
248 | 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, | ||
249 | 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, | ||
250 | 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, | ||
251 | 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, | ||
252 | 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL | ||
253 | }; | ||
254 | |||
255 | /* Initial hash value H for SHA-384 */ | ||
256 | const static u_int64_t sha384_initial_hash_value[8] = { | ||
257 | 0xcbbb9d5dc1059ed8ULL, | ||
258 | 0x629a292a367cd507ULL, | ||
259 | 0x9159015a3070dd17ULL, | ||
260 | 0x152fecd8f70e5939ULL, | ||
261 | 0x67332667ffc00b31ULL, | ||
262 | 0x8eb44a8768581511ULL, | ||
263 | 0xdb0c2e0d64f98fa7ULL, | ||
264 | 0x47b5481dbefa4fa4ULL | ||
265 | }; | ||
266 | |||
267 | /* Initial hash value H for SHA-512 */ | ||
268 | const static u_int64_t sha512_initial_hash_value[8] = { | ||
269 | 0x6a09e667f3bcc908ULL, | ||
270 | 0xbb67ae8584caa73bULL, | ||
271 | 0x3c6ef372fe94f82bULL, | ||
272 | 0xa54ff53a5f1d36f1ULL, | ||
273 | 0x510e527fade682d1ULL, | ||
274 | 0x9b05688c2b3e6c1fULL, | ||
275 | 0x1f83d9abfb41bd6bULL, | ||
276 | 0x5be0cd19137e2179ULL | ||
277 | }; | ||
278 | |||
279 | |||
280 | /*** SHA-256: *********************************************************/ | ||
281 | void | ||
282 | SHA256_Init(SHA256_CTX *context) | ||
283 | { | ||
284 | if (context == NULL) | ||
285 | return; | ||
286 | memcpy(context->state, sha256_initial_hash_value, | ||
287 | sizeof(sha256_initial_hash_value)); | ||
288 | memset(context->buffer, 0, sizeof(context->buffer)); | ||
289 | context->bitcount = 0; | ||
290 | } | ||
291 | |||
292 | #ifdef SHA2_UNROLL_TRANSFORM | ||
293 | |||
294 | /* Unrolled SHA-256 round macros: */ | ||
295 | |||
296 | #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \ | ||
297 | BE_8_TO_32(W256[j], data); \ | ||
298 | data += 4; \ | ||
299 | T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \ | ||
300 | (d) += T1; \ | ||
301 | (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ | ||
302 | j++; \ | ||
303 | } while(0) | ||
304 | |||
305 | #define ROUND256(a,b,c,d,e,f,g,h) do { \ | ||
306 | s0 = W256[(j+1)&0x0f]; \ | ||
307 | s0 = sigma0_256(s0); \ | ||
308 | s1 = W256[(j+14)&0x0f]; \ | ||
309 | s1 = sigma1_256(s1); \ | ||
310 | T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \ | ||
311 | (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ | ||
312 | (d) += T1; \ | ||
313 | (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ | ||
314 | j++; \ | ||
315 | } while(0) | ||
316 | |||
317 | void | ||
318 | SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) | ||
319 | { | ||
320 | u_int32_t a, b, c, d, e, f, g, h, s0, s1; | ||
321 | u_int32_t T1, W256[16]; | ||
322 | int j; | ||
323 | |||
324 | /* Initialize registers with the prev. intermediate value */ | ||
325 | a = state[0]; | ||
326 | b = state[1]; | ||
327 | c = state[2]; | ||
328 | d = state[3]; | ||
329 | e = state[4]; | ||
330 | f = state[5]; | ||
331 | g = state[6]; | ||
332 | h = state[7]; | ||
333 | |||
334 | j = 0; | ||
335 | do { | ||
336 | /* Rounds 0 to 15 (unrolled): */ | ||
337 | ROUND256_0_TO_15(a,b,c,d,e,f,g,h); | ||
338 | ROUND256_0_TO_15(h,a,b,c,d,e,f,g); | ||
339 | ROUND256_0_TO_15(g,h,a,b,c,d,e,f); | ||
340 | ROUND256_0_TO_15(f,g,h,a,b,c,d,e); | ||
341 | ROUND256_0_TO_15(e,f,g,h,a,b,c,d); | ||
342 | ROUND256_0_TO_15(d,e,f,g,h,a,b,c); | ||
343 | ROUND256_0_TO_15(c,d,e,f,g,h,a,b); | ||
344 | ROUND256_0_TO_15(b,c,d,e,f,g,h,a); | ||
345 | } while (j < 16); | ||
346 | |||
347 | /* Now for the remaining rounds up to 63: */ | ||
348 | do { | ||
349 | ROUND256(a,b,c,d,e,f,g,h); | ||
350 | ROUND256(h,a,b,c,d,e,f,g); | ||
351 | ROUND256(g,h,a,b,c,d,e,f); | ||
352 | ROUND256(f,g,h,a,b,c,d,e); | ||
353 | ROUND256(e,f,g,h,a,b,c,d); | ||
354 | ROUND256(d,e,f,g,h,a,b,c); | ||
355 | ROUND256(c,d,e,f,g,h,a,b); | ||
356 | ROUND256(b,c,d,e,f,g,h,a); | ||
357 | } while (j < 64); | ||
358 | |||
359 | /* Compute the current intermediate hash value */ | ||
360 | state[0] += a; | ||
361 | state[1] += b; | ||
362 | state[2] += c; | ||
363 | state[3] += d; | ||
364 | state[4] += e; | ||
365 | state[5] += f; | ||
366 | state[6] += g; | ||
367 | state[7] += h; | ||
368 | |||
369 | /* Clean up */ | ||
370 | a = b = c = d = e = f = g = h = T1 = 0; | ||
371 | } | ||
372 | |||
373 | #else /* SHA2_UNROLL_TRANSFORM */ | ||
374 | |||
375 | void | ||
376 | SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) | ||
377 | { | ||
378 | u_int32_t a, b, c, d, e, f, g, h, s0, s1; | ||
379 | u_int32_t T1, T2, W256[16]; | ||
380 | int j; | ||
381 | |||
382 | /* Initialize registers with the prev. intermediate value */ | ||
383 | a = state[0]; | ||
384 | b = state[1]; | ||
385 | c = state[2]; | ||
386 | d = state[3]; | ||
387 | e = state[4]; | ||
388 | f = state[5]; | ||
389 | g = state[6]; | ||
390 | h = state[7]; | ||
391 | |||
392 | j = 0; | ||
393 | do { | ||
394 | BE_8_TO_32(W256[j], data); | ||
395 | data += 4; | ||
396 | /* Apply the SHA-256 compression function to update a..h */ | ||
397 | T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; | ||
398 | T2 = Sigma0_256(a) + Maj(a, b, c); | ||
399 | h = g; | ||
400 | g = f; | ||
401 | f = e; | ||
402 | e = d + T1; | ||
403 | d = c; | ||
404 | c = b; | ||
405 | b = a; | ||
406 | a = T1 + T2; | ||
407 | |||
408 | j++; | ||
409 | } while (j < 16); | ||
410 | |||
411 | do { | ||
412 | /* Part of the message block expansion: */ | ||
413 | s0 = W256[(j+1)&0x0f]; | ||
414 | s0 = sigma0_256(s0); | ||
415 | s1 = W256[(j+14)&0x0f]; | ||
416 | s1 = sigma1_256(s1); | ||
417 | |||
418 | /* Apply the SHA-256 compression function to update a..h */ | ||
419 | T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + | ||
420 | (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); | ||
421 | T2 = Sigma0_256(a) + Maj(a, b, c); | ||
422 | h = g; | ||
423 | g = f; | ||
424 | f = e; | ||
425 | e = d + T1; | ||
426 | d = c; | ||
427 | c = b; | ||
428 | b = a; | ||
429 | a = T1 + T2; | ||
430 | |||
431 | j++; | ||
432 | } while (j < 64); | ||
433 | |||
434 | /* Compute the current intermediate hash value */ | ||
435 | state[0] += a; | ||
436 | state[1] += b; | ||
437 | state[2] += c; | ||
438 | state[3] += d; | ||
439 | state[4] += e; | ||
440 | state[5] += f; | ||
441 | state[6] += g; | ||
442 | state[7] += h; | ||
443 | |||
444 | /* Clean up */ | ||
445 | a = b = c = d = e = f = g = h = T1 = T2 = 0; | ||
446 | } | ||
447 | |||
448 | #endif /* SHA2_UNROLL_TRANSFORM */ | ||
449 | |||
450 | void | ||
451 | SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len) | ||
452 | { | ||
453 | size_t freespace, usedspace; | ||
454 | |||
455 | /* Calling with no data is valid (we do nothing) */ | ||
456 | if (len == 0) | ||
457 | return; | ||
458 | |||
459 | usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; | ||
460 | if (usedspace > 0) { | ||
461 | /* Calculate how much free space is available in the buffer */ | ||
462 | freespace = SHA256_BLOCK_LENGTH - usedspace; | ||
463 | |||
464 | if (len >= freespace) { | ||
465 | /* Fill the buffer completely and process it */ | ||
466 | memcpy(&context->buffer[usedspace], data, freespace); | ||
467 | context->bitcount += freespace << 3; | ||
468 | len -= freespace; | ||
469 | data += freespace; | ||
470 | SHA256_Transform(context->state, context->buffer); | ||
471 | } else { | ||
472 | /* The buffer is not yet full */ | ||
473 | memcpy(&context->buffer[usedspace], data, len); | ||
474 | context->bitcount += len << 3; | ||
475 | /* Clean up: */ | ||
476 | usedspace = freespace = 0; | ||
477 | return; | ||
478 | } | ||
479 | } | ||
480 | while (len >= SHA256_BLOCK_LENGTH) { | ||
481 | /* Process as many complete blocks as we can */ | ||
482 | SHA256_Transform(context->state, data); | ||
483 | context->bitcount += SHA256_BLOCK_LENGTH << 3; | ||
484 | len -= SHA256_BLOCK_LENGTH; | ||
485 | data += SHA256_BLOCK_LENGTH; | ||
486 | } | ||
487 | if (len > 0) { | ||
488 | /* There's left-overs, so save 'em */ | ||
489 | memcpy(context->buffer, data, len); | ||
490 | context->bitcount += len << 3; | ||
491 | } | ||
492 | /* Clean up: */ | ||
493 | usedspace = freespace = 0; | ||
494 | } | ||
495 | |||
496 | void | ||
497 | SHA256_Pad(SHA256_CTX *context) | ||
498 | { | ||
499 | unsigned int usedspace; | ||
500 | |||
501 | usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; | ||
502 | if (usedspace > 0) { | ||
503 | /* Begin padding with a 1 bit: */ | ||
504 | context->buffer[usedspace++] = 0x80; | ||
505 | |||
506 | if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { | ||
507 | /* Set-up for the last transform: */ | ||
508 | memset(&context->buffer[usedspace], 0, | ||
509 | SHA256_SHORT_BLOCK_LENGTH - usedspace); | ||
510 | } else { | ||
511 | if (usedspace < SHA256_BLOCK_LENGTH) { | ||
512 | memset(&context->buffer[usedspace], 0, | ||
513 | SHA256_BLOCK_LENGTH - usedspace); | ||
514 | } | ||
515 | /* Do second-to-last transform: */ | ||
516 | SHA256_Transform(context->state, context->buffer); | ||
517 | |||
518 | /* Prepare for last transform: */ | ||
519 | memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); | ||
520 | } | ||
521 | } else { | ||
522 | /* Set-up for the last transform: */ | ||
523 | memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); | ||
524 | |||
525 | /* Begin padding with a 1 bit: */ | ||
526 | *context->buffer = 0x80; | ||
527 | } | ||
528 | /* Store the length of input data (in bits) in big endian format: */ | ||
529 | BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], | ||
530 | context->bitcount); | ||
531 | |||
532 | /* Final transform: */ | ||
533 | SHA256_Transform(context->state, context->buffer); | ||
534 | |||
535 | /* Clean up: */ | ||
536 | usedspace = 0; | ||
537 | } | ||
538 | |||
539 | void | ||
540 | SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA256_CTX *context) | ||
541 | { | ||
542 | SHA256_Pad(context); | ||
543 | |||
544 | /* If no digest buffer is passed, we don't bother doing this: */ | ||
545 | if (digest != NULL) { | ||
546 | #if BYTE_ORDER == LITTLE_ENDIAN | ||
547 | int i; | ||
548 | |||
549 | /* Convert TO host byte order */ | ||
550 | for (i = 0; i < 8; i++) | ||
551 | BE_32_TO_8(digest + i * 4, context->state[i]); | ||
552 | #else | ||
553 | memcpy(digest, context->state, SHA256_DIGEST_LENGTH); | ||
554 | #endif | ||
555 | memset(context, 0, sizeof(*context)); | ||
556 | } | ||
557 | } | ||
558 | |||
559 | |||
560 | /*** SHA-512: *********************************************************/ | ||
561 | void | ||
562 | SHA512_Init(SHA512_CTX *context) | ||
563 | { | ||
564 | if (context == NULL) | ||
565 | return; | ||
566 | memcpy(context->state, sha512_initial_hash_value, | ||
567 | sizeof(sha512_initial_hash_value)); | ||
568 | memset(context->buffer, 0, sizeof(context->buffer)); | ||
569 | context->bitcount[0] = context->bitcount[1] = 0; | ||
570 | } | ||
571 | |||
572 | #ifdef SHA2_UNROLL_TRANSFORM | ||
573 | |||
574 | /* Unrolled SHA-512 round macros: */ | ||
575 | |||
576 | #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \ | ||
577 | BE_8_TO_64(W512[j], data); \ | ||
578 | data += 8; \ | ||
579 | T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \ | ||
580 | (d) += T1; \ | ||
581 | (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ | ||
582 | j++; \ | ||
583 | } while(0) | ||
584 | |||
585 | |||
586 | #define ROUND512(a,b,c,d,e,f,g,h) do { \ | ||
587 | s0 = W512[(j+1)&0x0f]; \ | ||
588 | s0 = sigma0_512(s0); \ | ||
589 | s1 = W512[(j+14)&0x0f]; \ | ||
590 | s1 = sigma1_512(s1); \ | ||
591 | T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \ | ||
592 | (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ | ||
593 | (d) += T1; \ | ||
594 | (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ | ||
595 | j++; \ | ||
596 | } while(0) | ||
597 | |||
598 | void | ||
599 | SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) | ||
600 | { | ||
601 | u_int64_t a, b, c, d, e, f, g, h, s0, s1; | ||
602 | u_int64_t T1, W512[16]; | ||
603 | int j; | ||
604 | |||
605 | /* Initialize registers with the prev. intermediate value */ | ||
606 | a = state[0]; | ||
607 | b = state[1]; | ||
608 | c = state[2]; | ||
609 | d = state[3]; | ||
610 | e = state[4]; | ||
611 | f = state[5]; | ||
612 | g = state[6]; | ||
613 | h = state[7]; | ||
614 | |||
615 | j = 0; | ||
616 | do { | ||
617 | /* Rounds 0 to 15 (unrolled): */ | ||
618 | ROUND512_0_TO_15(a,b,c,d,e,f,g,h); | ||
619 | ROUND512_0_TO_15(h,a,b,c,d,e,f,g); | ||
620 | ROUND512_0_TO_15(g,h,a,b,c,d,e,f); | ||
621 | ROUND512_0_TO_15(f,g,h,a,b,c,d,e); | ||
622 | ROUND512_0_TO_15(e,f,g,h,a,b,c,d); | ||
623 | ROUND512_0_TO_15(d,e,f,g,h,a,b,c); | ||
624 | ROUND512_0_TO_15(c,d,e,f,g,h,a,b); | ||
625 | ROUND512_0_TO_15(b,c,d,e,f,g,h,a); | ||
626 | } while (j < 16); | ||
627 | |||
628 | /* Now for the remaining rounds up to 79: */ | ||
629 | do { | ||
630 | ROUND512(a,b,c,d,e,f,g,h); | ||
631 | ROUND512(h,a,b,c,d,e,f,g); | ||
632 | ROUND512(g,h,a,b,c,d,e,f); | ||
633 | ROUND512(f,g,h,a,b,c,d,e); | ||
634 | ROUND512(e,f,g,h,a,b,c,d); | ||
635 | ROUND512(d,e,f,g,h,a,b,c); | ||
636 | ROUND512(c,d,e,f,g,h,a,b); | ||
637 | ROUND512(b,c,d,e,f,g,h,a); | ||
638 | } while (j < 80); | ||
639 | |||
640 | /* Compute the current intermediate hash value */ | ||
641 | state[0] += a; | ||
642 | state[1] += b; | ||
643 | state[2] += c; | ||
644 | state[3] += d; | ||
645 | state[4] += e; | ||
646 | state[5] += f; | ||
647 | state[6] += g; | ||
648 | state[7] += h; | ||
649 | |||
650 | /* Clean up */ | ||
651 | a = b = c = d = e = f = g = h = T1 = 0; | ||
652 | } | ||
653 | |||
654 | #else /* SHA2_UNROLL_TRANSFORM */ | ||
655 | |||
656 | void | ||
657 | SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) | ||
658 | { | ||
659 | u_int64_t a, b, c, d, e, f, g, h, s0, s1; | ||
660 | u_int64_t T1, T2, W512[16]; | ||
661 | int j; | ||
662 | |||
663 | /* Initialize registers with the prev. intermediate value */ | ||
664 | a = state[0]; | ||
665 | b = state[1]; | ||
666 | c = state[2]; | ||
667 | d = state[3]; | ||
668 | e = state[4]; | ||
669 | f = state[5]; | ||
670 | g = state[6]; | ||
671 | h = state[7]; | ||
672 | |||
673 | j = 0; | ||
674 | do { | ||
675 | BE_8_TO_64(W512[j], data); | ||
676 | data += 8; | ||
677 | /* Apply the SHA-512 compression function to update a..h */ | ||
678 | T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; | ||
679 | T2 = Sigma0_512(a) + Maj(a, b, c); | ||
680 | h = g; | ||
681 | g = f; | ||
682 | f = e; | ||
683 | e = d + T1; | ||
684 | d = c; | ||
685 | c = b; | ||
686 | b = a; | ||
687 | a = T1 + T2; | ||
688 | |||
689 | j++; | ||
690 | } while (j < 16); | ||
691 | |||
692 | do { | ||
693 | /* Part of the message block expansion: */ | ||
694 | s0 = W512[(j+1)&0x0f]; | ||
695 | s0 = sigma0_512(s0); | ||
696 | s1 = W512[(j+14)&0x0f]; | ||
697 | s1 = sigma1_512(s1); | ||
698 | |||
699 | /* Apply the SHA-512 compression function to update a..h */ | ||
700 | T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + | ||
701 | (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); | ||
702 | T2 = Sigma0_512(a) + Maj(a, b, c); | ||
703 | h = g; | ||
704 | g = f; | ||
705 | f = e; | ||
706 | e = d + T1; | ||
707 | d = c; | ||
708 | c = b; | ||
709 | b = a; | ||
710 | a = T1 + T2; | ||
711 | |||
712 | j++; | ||
713 | } while (j < 80); | ||
714 | |||
715 | /* Compute the current intermediate hash value */ | ||
716 | state[0] += a; | ||
717 | state[1] += b; | ||
718 | state[2] += c; | ||
719 | state[3] += d; | ||
720 | state[4] += e; | ||
721 | state[5] += f; | ||
722 | state[6] += g; | ||
723 | state[7] += h; | ||
724 | |||
725 | /* Clean up */ | ||
726 | a = b = c = d = e = f = g = h = T1 = T2 = 0; | ||
727 | } | ||
728 | |||
729 | #endif /* SHA2_UNROLL_TRANSFORM */ | ||
730 | |||
731 | void | ||
732 | SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len) | ||
733 | { | ||
734 | size_t freespace, usedspace; | ||
735 | |||
736 | /* Calling with no data is valid (we do nothing) */ | ||
737 | if (len == 0) | ||
738 | return; | ||
739 | |||
740 | usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; | ||
741 | if (usedspace > 0) { | ||
742 | /* Calculate how much free space is available in the buffer */ | ||
743 | freespace = SHA512_BLOCK_LENGTH - usedspace; | ||
744 | |||
745 | if (len >= freespace) { | ||
746 | /* Fill the buffer completely and process it */ | ||
747 | memcpy(&context->buffer[usedspace], data, freespace); | ||
748 | ADDINC128(context->bitcount, freespace << 3); | ||
749 | len -= freespace; | ||
750 | data += freespace; | ||
751 | SHA512_Transform(context->state, context->buffer); | ||
752 | } else { | ||
753 | /* The buffer is not yet full */ | ||
754 | memcpy(&context->buffer[usedspace], data, len); | ||
755 | ADDINC128(context->bitcount, len << 3); | ||
756 | /* Clean up: */ | ||
757 | usedspace = freespace = 0; | ||
758 | return; | ||
759 | } | ||
760 | } | ||
761 | while (len >= SHA512_BLOCK_LENGTH) { | ||
762 | /* Process as many complete blocks as we can */ | ||
763 | SHA512_Transform(context->state, data); | ||
764 | ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); | ||
765 | len -= SHA512_BLOCK_LENGTH; | ||
766 | data += SHA512_BLOCK_LENGTH; | ||
767 | } | ||
768 | if (len > 0) { | ||
769 | /* There's left-overs, so save 'em */ | ||
770 | memcpy(context->buffer, data, len); | ||
771 | ADDINC128(context->bitcount, len << 3); | ||
772 | } | ||
773 | /* Clean up: */ | ||
774 | usedspace = freespace = 0; | ||
775 | } | ||
776 | |||
777 | void | ||
778 | SHA512_Pad(SHA512_CTX *context) | ||
779 | { | ||
780 | unsigned int usedspace; | ||
781 | |||
782 | usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; | ||
783 | if (usedspace > 0) { | ||
784 | /* Begin padding with a 1 bit: */ | ||
785 | context->buffer[usedspace++] = 0x80; | ||
786 | |||
787 | if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { | ||
788 | /* Set-up for the last transform: */ | ||
789 | memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace); | ||
790 | } else { | ||
791 | if (usedspace < SHA512_BLOCK_LENGTH) { | ||
792 | memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace); | ||
793 | } | ||
794 | /* Do second-to-last transform: */ | ||
795 | SHA512_Transform(context->state, context->buffer); | ||
796 | |||
797 | /* And set-up for the last transform: */ | ||
798 | memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2); | ||
799 | } | ||
800 | } else { | ||
801 | /* Prepare for final transform: */ | ||
802 | memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH); | ||
803 | |||
804 | /* Begin padding with a 1 bit: */ | ||
805 | *context->buffer = 0x80; | ||
806 | } | ||
807 | /* Store the length of input data (in bits) in big endian format: */ | ||
808 | BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], | ||
809 | context->bitcount[1]); | ||
810 | BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], | ||
811 | context->bitcount[0]); | ||
812 | |||
813 | /* Final transform: */ | ||
814 | SHA512_Transform(context->state, context->buffer); | ||
815 | |||
816 | /* Clean up: */ | ||
817 | usedspace = 0; | ||
818 | } | ||
819 | |||
820 | void | ||
821 | SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context) | ||
822 | { | ||
823 | SHA512_Pad(context); | ||
824 | |||
825 | /* If no digest buffer is passed, we don't bother doing this: */ | ||
826 | if (digest != NULL) { | ||
827 | #if BYTE_ORDER == LITTLE_ENDIAN | ||
828 | int i; | ||
829 | |||
830 | /* Convert TO host byte order */ | ||
831 | for (i = 0; i < 8; i++) | ||
832 | BE_64_TO_8(digest + i * 8, context->state[i]); | ||
833 | #else | ||
834 | memcpy(digest, context->state, SHA512_DIGEST_LENGTH); | ||
835 | #endif | ||
836 | memset(context, 0, sizeof(*context)); | ||
837 | } | ||
838 | } | ||
839 | |||
840 | |||
841 | #if 0 | ||
842 | /*** SHA-384: *********************************************************/ | ||
843 | void | ||
844 | SHA384_Init(SHA384_CTX *context) | ||
845 | { | ||
846 | if (context == NULL) | ||
847 | return; | ||
848 | memcpy(context->state, sha384_initial_hash_value, | ||
849 | sizeof(sha384_initial_hash_value)); | ||
850 | memset(context->buffer, 0, sizeof(context->buffer)); | ||
851 | context->bitcount[0] = context->bitcount[1] = 0; | ||
852 | } | ||
853 | |||
854 | __weak_alias(SHA384_Transform, SHA512_Transform); | ||
855 | __weak_alias(SHA384_Update, SHA512_Update); | ||
856 | __weak_alias(SHA384_Pad, SHA512_Pad); | ||
857 | |||
858 | void | ||
859 | SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) | ||
860 | { | ||
861 | SHA384_Pad(context); | ||
862 | |||
863 | /* If no digest buffer is passed, we don't bother doing this: */ | ||
864 | if (digest != NULL) { | ||
865 | #if BYTE_ORDER == LITTLE_ENDIAN | ||
866 | int i; | ||
867 | |||
868 | /* Convert TO host byte order */ | ||
869 | for (i = 0; i < 6; i++) | ||
870 | BE_64_TO_8(digest + i * 8, context->state[i]); | ||
871 | #else | ||
872 | memcpy(digest, context->state, SHA384_DIGEST_LENGTH); | ||
873 | #endif | ||
874 | } | ||
875 | |||
876 | /* Zero out state data */ | ||
877 | memset(context, 0, sizeof(*context)); | ||
878 | } | ||
879 | #endif | ||
880 | |||
881 | #endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | ||
882 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ | ||