summaryrefslogtreecommitdiff
path: root/openbsd-compat/sha2.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2006-03-15 13:02:28 +1100
committerDamien Miller <djm@mindrot.org>2006-03-15 13:02:28 +1100
commitaf87af165f25b7db22e32c0b2e55606bc68c450c (patch)
treec0c8557324164e41b9b09b9db942b7193be69c02 /openbsd-compat/sha2.c
parenta63128d1a8a4077bc992e09d00e2683d1592e500 (diff)
- (djm) [configure.ac defines.h kex.c md-sha256.c]
[openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h] [openbsd-compat/sha2.c] First stab at portability glue for SHA256 KEX support, should work with libc SHA256 support or OpenSSL EVP_sha256 if present
Diffstat (limited to 'openbsd-compat/sha2.c')
-rw-r--r--openbsd-compat/sha2.c876
1 files changed, 876 insertions, 0 deletions
diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c
new file mode 100644
index 000000000..d04fb25f7
--- /dev/null
+++ b/openbsd-compat/sha2.c
@@ -0,0 +1,876 @@
1/* $OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp $ */
2
3/*
4 * FILE: sha2.c
5 * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
6 *
7 * Copyright (c) 2000-2001, Aaron D. Gifford
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the copyright holder nor the names of contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
35 */
36
37/* OPENBSD ORIGINAL: lib/libc/hash/sha2.c */
38
39#include "includes.h"
40
41#if !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256)
42#include <sys/types.h>
43#include <string.h>
44#include "sha2.h"
45
46/*
47 * UNROLLED TRANSFORM LOOP NOTE:
48 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
49 * loop version for the hash transform rounds (defined using macros
50 * later in this file). Either define on the command line, for example:
51 *
52 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
53 *
54 * or define below:
55 *
56 * #define SHA2_UNROLL_TRANSFORM
57 *
58 */
59
60/*** SHA-256/384/512 Machine Architecture Definitions *****************/
61/*
62 * BYTE_ORDER NOTE:
63 *
64 * Please make sure that your system defines BYTE_ORDER. If your
65 * architecture is little-endian, make sure it also defines
66 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
67 * equivilent.
68 *
69 * If your system does not define the above, then you can do so by
70 * hand like this:
71 *
72 * #define LITTLE_ENDIAN 1234
73 * #define BIG_ENDIAN 4321
74 *
75 * And for little-endian machines, add:
76 *
77 * #define BYTE_ORDER LITTLE_ENDIAN
78 *
79 * Or for big-endian machines:
80 *
81 * #define BYTE_ORDER BIG_ENDIAN
82 *
83 * The FreeBSD machine this was written on defines BYTE_ORDER
84 * appropriately by including <sys/types.h> (which in turn includes
85 * <machine/endian.h> where the appropriate definitions are actually
86 * made).
87 */
88#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
89#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
90#endif
91
92
93/*** SHA-256/384/512 Various Length Definitions ***********************/
94/* NOTE: Most of these are in sha2.h */
95#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
96#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
97#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
98
99/*** ENDIAN SPECIFIC COPY MACROS **************************************/
100#define BE_8_TO_32(dst, cp) do { \
101 (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) | \
102 ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24); \
103} while(0)
104
105#define BE_8_TO_64(dst, cp) do { \
106 (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) | \
107 ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) | \
108 ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) | \
109 ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56); \
110} while (0)
111
112#define BE_64_TO_8(cp, src) do { \
113 (cp)[0] = (src) >> 56; \
114 (cp)[1] = (src) >> 48; \
115 (cp)[2] = (src) >> 40; \
116 (cp)[3] = (src) >> 32; \
117 (cp)[4] = (src) >> 24; \
118 (cp)[5] = (src) >> 16; \
119 (cp)[6] = (src) >> 8; \
120 (cp)[7] = (src); \
121} while (0)
122
123#define BE_32_TO_8(cp, src) do { \
124 (cp)[0] = (src) >> 24; \
125 (cp)[1] = (src) >> 16; \
126 (cp)[2] = (src) >> 8; \
127 (cp)[3] = (src); \
128} while (0)
129
130/*
131 * Macro for incrementally adding the unsigned 64-bit integer n to the
132 * unsigned 128-bit integer (represented using a two-element array of
133 * 64-bit words):
134 */
135#define ADDINC128(w,n) do { \
136 (w)[0] += (u_int64_t)(n); \
137 if ((w)[0] < (n)) { \
138 (w)[1]++; \
139 } \
140} while (0)
141
142/*** THE SIX LOGICAL FUNCTIONS ****************************************/
143/*
144 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
145 *
146 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
147 * S is a ROTATION) because the SHA-256/384/512 description document
148 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
149 * same "backwards" definition.
150 */
151/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
152#define R(b,x) ((x) >> (b))
153/* 32-bit Rotate-right (used in SHA-256): */
154#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
155/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
156#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
157
158/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
159#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
160#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
161
162/* Four of six logical functions used in SHA-256: */
163#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
164#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
165#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
166#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
167
168/* Four of six logical functions used in SHA-384 and SHA-512: */
169#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
170#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
171#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
172#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
173
174
175/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
176/* Hash constant words K for SHA-256: */
177const static u_int32_t K256[64] = {
178 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
179 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
180 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
181 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
182 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
183 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
184 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
185 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
186 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
187 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
188 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
189 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
190 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
191 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
192 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
193 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
194};
195
196/* Initial hash value H for SHA-256: */
197const static u_int32_t sha256_initial_hash_value[8] = {
198 0x6a09e667UL,
199 0xbb67ae85UL,
200 0x3c6ef372UL,
201 0xa54ff53aUL,
202 0x510e527fUL,
203 0x9b05688cUL,
204 0x1f83d9abUL,
205 0x5be0cd19UL
206};
207
208/* Hash constant words K for SHA-384 and SHA-512: */
209const static u_int64_t K512[80] = {
210 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
211 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
212 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
213 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
214 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
215 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
216 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
217 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
218 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
219 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
220 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
221 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
222 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
223 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
224 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
225 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
226 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
227 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
228 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
229 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
230 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
231 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
232 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
233 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
234 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
235 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
236 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
237 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
238 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
239 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
240 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
241 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
242 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
243 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
244 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
245 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
246 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
247 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
248 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
249 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
250};
251
252/* Initial hash value H for SHA-384 */
253const static u_int64_t sha384_initial_hash_value[8] = {
254 0xcbbb9d5dc1059ed8ULL,
255 0x629a292a367cd507ULL,
256 0x9159015a3070dd17ULL,
257 0x152fecd8f70e5939ULL,
258 0x67332667ffc00b31ULL,
259 0x8eb44a8768581511ULL,
260 0xdb0c2e0d64f98fa7ULL,
261 0x47b5481dbefa4fa4ULL
262};
263
264/* Initial hash value H for SHA-512 */
265const static u_int64_t sha512_initial_hash_value[8] = {
266 0x6a09e667f3bcc908ULL,
267 0xbb67ae8584caa73bULL,
268 0x3c6ef372fe94f82bULL,
269 0xa54ff53a5f1d36f1ULL,
270 0x510e527fade682d1ULL,
271 0x9b05688c2b3e6c1fULL,
272 0x1f83d9abfb41bd6bULL,
273 0x5be0cd19137e2179ULL
274};
275
276
277/*** SHA-256: *********************************************************/
278void
279SHA256_Init(SHA256_CTX *context)
280{
281 if (context == NULL)
282 return;
283 memcpy(context->state, sha256_initial_hash_value,
284 sizeof(sha256_initial_hash_value));
285 memset(context->buffer, 0, sizeof(context->buffer));
286 context->bitcount = 0;
287}
288
289#ifdef SHA2_UNROLL_TRANSFORM
290
291/* Unrolled SHA-256 round macros: */
292
293#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
294 BE_8_TO_32(W256[j], data); \
295 data += 4; \
296 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
297 (d) += T1; \
298 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
299 j++; \
300} while(0)
301
302#define ROUND256(a,b,c,d,e,f,g,h) do { \
303 s0 = W256[(j+1)&0x0f]; \
304 s0 = sigma0_256(s0); \
305 s1 = W256[(j+14)&0x0f]; \
306 s1 = sigma1_256(s1); \
307 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
308 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
309 (d) += T1; \
310 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
311 j++; \
312} while(0)
313
314void
315SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
316{
317 u_int32_t a, b, c, d, e, f, g, h, s0, s1;
318 u_int32_t T1, W256[16];
319 int j;
320
321 /* Initialize registers with the prev. intermediate value */
322 a = state[0];
323 b = state[1];
324 c = state[2];
325 d = state[3];
326 e = state[4];
327 f = state[5];
328 g = state[6];
329 h = state[7];
330
331 j = 0;
332 do {
333 /* Rounds 0 to 15 (unrolled): */
334 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
335 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
336 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
337 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
338 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
339 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
340 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
341 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
342 } while (j < 16);
343
344 /* Now for the remaining rounds up to 63: */
345 do {
346 ROUND256(a,b,c,d,e,f,g,h);
347 ROUND256(h,a,b,c,d,e,f,g);
348 ROUND256(g,h,a,b,c,d,e,f);
349 ROUND256(f,g,h,a,b,c,d,e);
350 ROUND256(e,f,g,h,a,b,c,d);
351 ROUND256(d,e,f,g,h,a,b,c);
352 ROUND256(c,d,e,f,g,h,a,b);
353 ROUND256(b,c,d,e,f,g,h,a);
354 } while (j < 64);
355
356 /* Compute the current intermediate hash value */
357 state[0] += a;
358 state[1] += b;
359 state[2] += c;
360 state[3] += d;
361 state[4] += e;
362 state[5] += f;
363 state[6] += g;
364 state[7] += h;
365
366 /* Clean up */
367 a = b = c = d = e = f = g = h = T1 = 0;
368}
369
370#else /* SHA2_UNROLL_TRANSFORM */
371
372void
373SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
374{
375 u_int32_t a, b, c, d, e, f, g, h, s0, s1;
376 u_int32_t T1, T2, W256[16];
377 int j;
378
379 /* Initialize registers with the prev. intermediate value */
380 a = state[0];
381 b = state[1];
382 c = state[2];
383 d = state[3];
384 e = state[4];
385 f = state[5];
386 g = state[6];
387 h = state[7];
388
389 j = 0;
390 do {
391 BE_8_TO_32(W256[j], data);
392 data += 4;
393 /* Apply the SHA-256 compression function to update a..h */
394 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
395 T2 = Sigma0_256(a) + Maj(a, b, c);
396 h = g;
397 g = f;
398 f = e;
399 e = d + T1;
400 d = c;
401 c = b;
402 b = a;
403 a = T1 + T2;
404
405 j++;
406 } while (j < 16);
407
408 do {
409 /* Part of the message block expansion: */
410 s0 = W256[(j+1)&0x0f];
411 s0 = sigma0_256(s0);
412 s1 = W256[(j+14)&0x0f];
413 s1 = sigma1_256(s1);
414
415 /* Apply the SHA-256 compression function to update a..h */
416 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
417 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
418 T2 = Sigma0_256(a) + Maj(a, b, c);
419 h = g;
420 g = f;
421 f = e;
422 e = d + T1;
423 d = c;
424 c = b;
425 b = a;
426 a = T1 + T2;
427
428 j++;
429 } while (j < 64);
430
431 /* Compute the current intermediate hash value */
432 state[0] += a;
433 state[1] += b;
434 state[2] += c;
435 state[3] += d;
436 state[4] += e;
437 state[5] += f;
438 state[6] += g;
439 state[7] += h;
440
441 /* Clean up */
442 a = b = c = d = e = f = g = h = T1 = T2 = 0;
443}
444
445#endif /* SHA2_UNROLL_TRANSFORM */
446
447void
448SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len)
449{
450 size_t freespace, usedspace;
451
452 /* Calling with no data is valid (we do nothing) */
453 if (len == 0)
454 return;
455
456 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
457 if (usedspace > 0) {
458 /* Calculate how much free space is available in the buffer */
459 freespace = SHA256_BLOCK_LENGTH - usedspace;
460
461 if (len >= freespace) {
462 /* Fill the buffer completely and process it */
463 memcpy(&context->buffer[usedspace], data, freespace);
464 context->bitcount += freespace << 3;
465 len -= freespace;
466 data += freespace;
467 SHA256_Transform(context->state, context->buffer);
468 } else {
469 /* The buffer is not yet full */
470 memcpy(&context->buffer[usedspace], data, len);
471 context->bitcount += len << 3;
472 /* Clean up: */
473 usedspace = freespace = 0;
474 return;
475 }
476 }
477 while (len >= SHA256_BLOCK_LENGTH) {
478 /* Process as many complete blocks as we can */
479 SHA256_Transform(context->state, data);
480 context->bitcount += SHA256_BLOCK_LENGTH << 3;
481 len -= SHA256_BLOCK_LENGTH;
482 data += SHA256_BLOCK_LENGTH;
483 }
484 if (len > 0) {
485 /* There's left-overs, so save 'em */
486 memcpy(context->buffer, data, len);
487 context->bitcount += len << 3;
488 }
489 /* Clean up: */
490 usedspace = freespace = 0;
491}
492
493void
494SHA256_Pad(SHA256_CTX *context)
495{
496 unsigned int usedspace;
497
498 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
499 if (usedspace > 0) {
500 /* Begin padding with a 1 bit: */
501 context->buffer[usedspace++] = 0x80;
502
503 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
504 /* Set-up for the last transform: */
505 memset(&context->buffer[usedspace], 0,
506 SHA256_SHORT_BLOCK_LENGTH - usedspace);
507 } else {
508 if (usedspace < SHA256_BLOCK_LENGTH) {
509 memset(&context->buffer[usedspace], 0,
510 SHA256_BLOCK_LENGTH - usedspace);
511 }
512 /* Do second-to-last transform: */
513 SHA256_Transform(context->state, context->buffer);
514
515 /* Prepare for last transform: */
516 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
517 }
518 } else {
519 /* Set-up for the last transform: */
520 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
521
522 /* Begin padding with a 1 bit: */
523 *context->buffer = 0x80;
524 }
525 /* Store the length of input data (in bits) in big endian format: */
526 BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH],
527 context->bitcount);
528
529 /* Final transform: */
530 SHA256_Transform(context->state, context->buffer);
531
532 /* Clean up: */
533 usedspace = 0;
534}
535
536void
537SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA256_CTX *context)
538{
539 SHA256_Pad(context);
540
541 /* If no digest buffer is passed, we don't bother doing this: */
542 if (digest != NULL) {
543#if BYTE_ORDER == LITTLE_ENDIAN
544 int i;
545
546 /* Convert TO host byte order */
547 for (i = 0; i < 8; i++)
548 BE_32_TO_8(digest + i * 4, context->state[i]);
549#else
550 memcpy(digest, context->state, SHA256_DIGEST_LENGTH);
551#endif
552 memset(context, 0, sizeof(*context));
553 }
554}
555
556
557/*** SHA-512: *********************************************************/
558void
559SHA512_Init(SHA512_CTX *context)
560{
561 if (context == NULL)
562 return;
563 memcpy(context->state, sha512_initial_hash_value,
564 sizeof(sha512_initial_hash_value));
565 memset(context->buffer, 0, sizeof(context->buffer));
566 context->bitcount[0] = context->bitcount[1] = 0;
567}
568
569#ifdef SHA2_UNROLL_TRANSFORM
570
571/* Unrolled SHA-512 round macros: */
572
573#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
574 BE_8_TO_64(W512[j], data); \
575 data += 8; \
576 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
577 (d) += T1; \
578 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
579 j++; \
580} while(0)
581
582
583#define ROUND512(a,b,c,d,e,f,g,h) do { \
584 s0 = W512[(j+1)&0x0f]; \
585 s0 = sigma0_512(s0); \
586 s1 = W512[(j+14)&0x0f]; \
587 s1 = sigma1_512(s1); \
588 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
589 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
590 (d) += T1; \
591 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
592 j++; \
593} while(0)
594
595void
596SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
597{
598 u_int64_t a, b, c, d, e, f, g, h, s0, s1;
599 u_int64_t T1, W512[16];
600 int j;
601
602 /* Initialize registers with the prev. intermediate value */
603 a = state[0];
604 b = state[1];
605 c = state[2];
606 d = state[3];
607 e = state[4];
608 f = state[5];
609 g = state[6];
610 h = state[7];
611
612 j = 0;
613 do {
614 /* Rounds 0 to 15 (unrolled): */
615 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
616 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
617 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
618 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
619 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
620 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
621 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
622 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
623 } while (j < 16);
624
625 /* Now for the remaining rounds up to 79: */
626 do {
627 ROUND512(a,b,c,d,e,f,g,h);
628 ROUND512(h,a,b,c,d,e,f,g);
629 ROUND512(g,h,a,b,c,d,e,f);
630 ROUND512(f,g,h,a,b,c,d,e);
631 ROUND512(e,f,g,h,a,b,c,d);
632 ROUND512(d,e,f,g,h,a,b,c);
633 ROUND512(c,d,e,f,g,h,a,b);
634 ROUND512(b,c,d,e,f,g,h,a);
635 } while (j < 80);
636
637 /* Compute the current intermediate hash value */
638 state[0] += a;
639 state[1] += b;
640 state[2] += c;
641 state[3] += d;
642 state[4] += e;
643 state[5] += f;
644 state[6] += g;
645 state[7] += h;
646
647 /* Clean up */
648 a = b = c = d = e = f = g = h = T1 = 0;
649}
650
651#else /* SHA2_UNROLL_TRANSFORM */
652
653void
654SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
655{
656 u_int64_t a, b, c, d, e, f, g, h, s0, s1;
657 u_int64_t T1, T2, W512[16];
658 int j;
659
660 /* Initialize registers with the prev. intermediate value */
661 a = state[0];
662 b = state[1];
663 c = state[2];
664 d = state[3];
665 e = state[4];
666 f = state[5];
667 g = state[6];
668 h = state[7];
669
670 j = 0;
671 do {
672 BE_8_TO_64(W512[j], data);
673 data += 8;
674 /* Apply the SHA-512 compression function to update a..h */
675 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
676 T2 = Sigma0_512(a) + Maj(a, b, c);
677 h = g;
678 g = f;
679 f = e;
680 e = d + T1;
681 d = c;
682 c = b;
683 b = a;
684 a = T1 + T2;
685
686 j++;
687 } while (j < 16);
688
689 do {
690 /* Part of the message block expansion: */
691 s0 = W512[(j+1)&0x0f];
692 s0 = sigma0_512(s0);
693 s1 = W512[(j+14)&0x0f];
694 s1 = sigma1_512(s1);
695
696 /* Apply the SHA-512 compression function to update a..h */
697 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
698 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
699 T2 = Sigma0_512(a) + Maj(a, b, c);
700 h = g;
701 g = f;
702 f = e;
703 e = d + T1;
704 d = c;
705 c = b;
706 b = a;
707 a = T1 + T2;
708
709 j++;
710 } while (j < 80);
711
712 /* Compute the current intermediate hash value */
713 state[0] += a;
714 state[1] += b;
715 state[2] += c;
716 state[3] += d;
717 state[4] += e;
718 state[5] += f;
719 state[6] += g;
720 state[7] += h;
721
722 /* Clean up */
723 a = b = c = d = e = f = g = h = T1 = T2 = 0;
724}
725
726#endif /* SHA2_UNROLL_TRANSFORM */
727
728void
729SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
730{
731 size_t freespace, usedspace;
732
733 /* Calling with no data is valid (we do nothing) */
734 if (len == 0)
735 return;
736
737 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
738 if (usedspace > 0) {
739 /* Calculate how much free space is available in the buffer */
740 freespace = SHA512_BLOCK_LENGTH - usedspace;
741
742 if (len >= freespace) {
743 /* Fill the buffer completely and process it */
744 memcpy(&context->buffer[usedspace], data, freespace);
745 ADDINC128(context->bitcount, freespace << 3);
746 len -= freespace;
747 data += freespace;
748 SHA512_Transform(context->state, context->buffer);
749 } else {
750 /* The buffer is not yet full */
751 memcpy(&context->buffer[usedspace], data, len);
752 ADDINC128(context->bitcount, len << 3);
753 /* Clean up: */
754 usedspace = freespace = 0;
755 return;
756 }
757 }
758 while (len >= SHA512_BLOCK_LENGTH) {
759 /* Process as many complete blocks as we can */
760 SHA512_Transform(context->state, data);
761 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
762 len -= SHA512_BLOCK_LENGTH;
763 data += SHA512_BLOCK_LENGTH;
764 }
765 if (len > 0) {
766 /* There's left-overs, so save 'em */
767 memcpy(context->buffer, data, len);
768 ADDINC128(context->bitcount, len << 3);
769 }
770 /* Clean up: */
771 usedspace = freespace = 0;
772}
773
774void
775SHA512_Pad(SHA512_CTX *context)
776{
777 unsigned int usedspace;
778
779 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
780 if (usedspace > 0) {
781 /* Begin padding with a 1 bit: */
782 context->buffer[usedspace++] = 0x80;
783
784 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
785 /* Set-up for the last transform: */
786 memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace);
787 } else {
788 if (usedspace < SHA512_BLOCK_LENGTH) {
789 memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace);
790 }
791 /* Do second-to-last transform: */
792 SHA512_Transform(context->state, context->buffer);
793
794 /* And set-up for the last transform: */
795 memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
796 }
797 } else {
798 /* Prepare for final transform: */
799 memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
800
801 /* Begin padding with a 1 bit: */
802 *context->buffer = 0x80;
803 }
804 /* Store the length of input data (in bits) in big endian format: */
805 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH],
806 context->bitcount[1]);
807 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8],
808 context->bitcount[0]);
809
810 /* Final transform: */
811 SHA512_Transform(context->state, context->buffer);
812
813 /* Clean up: */
814 usedspace = 0;
815}
816
817void
818SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context)
819{
820 SHA512_Pad(context);
821
822 /* If no digest buffer is passed, we don't bother doing this: */
823 if (digest != NULL) {
824#if BYTE_ORDER == LITTLE_ENDIAN
825 int i;
826
827 /* Convert TO host byte order */
828 for (i = 0; i < 8; i++)
829 BE_64_TO_8(digest + i * 8, context->state[i]);
830#else
831 memcpy(digest, context->state, SHA512_DIGEST_LENGTH);
832#endif
833 memset(context, 0, sizeof(*context));
834 }
835}
836
837
838/*** SHA-384: *********************************************************/
839void
840SHA384_Init(SHA384_CTX *context)
841{
842 if (context == NULL)
843 return;
844 memcpy(context->state, sha384_initial_hash_value,
845 sizeof(sha384_initial_hash_value));
846 memset(context->buffer, 0, sizeof(context->buffer));
847 context->bitcount[0] = context->bitcount[1] = 0;
848}
849
850__weak_alias(SHA384_Transform, SHA512_Transform);
851__weak_alias(SHA384_Update, SHA512_Update);
852__weak_alias(SHA384_Pad, SHA512_Pad);
853
854void
855SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
856{
857 SHA384_Pad(context);
858
859 /* If no digest buffer is passed, we don't bother doing this: */
860 if (digest != NULL) {
861#if BYTE_ORDER == LITTLE_ENDIAN
862 int i;
863
864 /* Convert TO host byte order */
865 for (i = 0; i < 6; i++)
866 BE_64_TO_8(digest + i * 8, context->state[i]);
867#else
868 memcpy(digest, context->state, SHA384_DIGEST_LENGTH);
869#endif
870 }
871
872 /* Zero out state data */
873 memset(context, 0, sizeof(*context));
874}
875
876#endif /* !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256) */
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-28 00:19:41 +0000