]>
Commit | Line | Data |
---|---|---|
1 | /* $OpenBSD: sha2.c,v 1.11 2005/08/08 08:05:35 espie Exp $ */ | |
2 | ||
3 | /* | |
4 | * FILE: sha2.c | |
5 | * AUTHOR: Aaron D. Gifford <me@aarongifford.com> | |
6 | * | |
7 | * Copyright (c) 2000-2001, Aaron D. Gifford | |
8 | * All rights reserved. | |
9 | * | |
10 | * Redistribution and use in source and binary forms, with or without | |
11 | * modification, are permitted provided that the following conditions | |
12 | * are met: | |
13 | * 1. Redistributions of source code must retain the above copyright | |
14 | * notice, this list of conditions and the following disclaimer. | |
15 | * 2. Redistributions in binary form must reproduce the above copyright | |
16 | * notice, this list of conditions and the following disclaimer in the | |
17 | * documentation and/or other materials provided with the distribution. | |
18 | * 3. Neither the name of the copyright holder nor the names of contributors | |
19 | * may be used to endorse or promote products derived from this software | |
20 | * without specific prior written permission. | |
21 | * | |
22 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND | |
23 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
24 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
25 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE | |
26 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
27 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
28 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
29 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
30 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
31 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
32 | * SUCH DAMAGE. | |
33 | * | |
34 | * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $ | |
35 | */ | |
36 | ||
37 | /* OPENBSD ORIGINAL: lib/libc/hash/sha2.c */ | |
38 | ||
39 | #include "includes.h" | |
40 | ||
41 | #include <openssl/opensslv.h> | |
42 | ||
43 | #if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | |
44 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) | |
45 | #include <sys/types.h> | |
46 | #include <string.h> | |
47 | #include "sha2.h" | |
48 | ||
49 | /* | |
50 | * UNROLLED TRANSFORM LOOP NOTE: | |
51 | * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform | |
52 | * loop version for the hash transform rounds (defined using macros | |
53 | * later in this file). Either define on the command line, for example: | |
54 | * | |
55 | * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c | |
56 | * | |
57 | * or define below: | |
58 | * | |
59 | * #define SHA2_UNROLL_TRANSFORM | |
60 | * | |
61 | */ | |
62 | ||
63 | /*** SHA-256/384/512 Machine Architecture Definitions *****************/ | |
64 | /* | |
65 | * BYTE_ORDER NOTE: | |
66 | * | |
67 | * Please make sure that your system defines BYTE_ORDER. If your | |
68 | * architecture is little-endian, make sure it also defines | |
69 | * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are | |
70 | * equivilent. | |
71 | * | |
72 | * If your system does not define the above, then you can do so by | |
73 | * hand like this: | |
74 | * | |
75 | * #define LITTLE_ENDIAN 1234 | |
76 | * #define BIG_ENDIAN 4321 | |
77 | * | |
78 | * And for little-endian machines, add: | |
79 | * | |
80 | * #define BYTE_ORDER LITTLE_ENDIAN | |
81 | * | |
82 | * Or for big-endian machines: | |
83 | * | |
84 | * #define BYTE_ORDER BIG_ENDIAN | |
85 | * | |
86 | * The FreeBSD machine this was written on defines BYTE_ORDER | |
87 | * appropriately by including <sys/types.h> (which in turn includes | |
88 | * <machine/endian.h> where the appropriate definitions are actually | |
89 | * made). | |
90 | */ | |
91 | #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) | |
92 | #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN | |
93 | #endif | |
94 | ||
95 | ||
96 | /*** SHA-256/384/512 Various Length Definitions ***********************/ | |
97 | /* NOTE: Most of these are in sha2.h */ | |
98 | #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) | |
99 | #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) | |
100 | #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) | |
101 | ||
102 | /*** ENDIAN SPECIFIC COPY MACROS **************************************/ | |
103 | #define BE_8_TO_32(dst, cp) do { \ | |
104 | (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) | \ | |
105 | ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24); \ | |
106 | } while(0) | |
107 | ||
108 | #define BE_8_TO_64(dst, cp) do { \ | |
109 | (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) | \ | |
110 | ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) | \ | |
111 | ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) | \ | |
112 | ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56); \ | |
113 | } while (0) | |
114 | ||
115 | #define BE_64_TO_8(cp, src) do { \ | |
116 | (cp)[0] = (src) >> 56; \ | |
117 | (cp)[1] = (src) >> 48; \ | |
118 | (cp)[2] = (src) >> 40; \ | |
119 | (cp)[3] = (src) >> 32; \ | |
120 | (cp)[4] = (src) >> 24; \ | |
121 | (cp)[5] = (src) >> 16; \ | |
122 | (cp)[6] = (src) >> 8; \ | |
123 | (cp)[7] = (src); \ | |
124 | } while (0) | |
125 | ||
126 | #define BE_32_TO_8(cp, src) do { \ | |
127 | (cp)[0] = (src) >> 24; \ | |
128 | (cp)[1] = (src) >> 16; \ | |
129 | (cp)[2] = (src) >> 8; \ | |
130 | (cp)[3] = (src); \ | |
131 | } while (0) | |
132 | ||
133 | /* | |
134 | * Macro for incrementally adding the unsigned 64-bit integer n to the | |
135 | * unsigned 128-bit integer (represented using a two-element array of | |
136 | * 64-bit words): | |
137 | */ | |
138 | #define ADDINC128(w,n) do { \ | |
139 | (w)[0] += (u_int64_t)(n); \ | |
140 | if ((w)[0] < (n)) { \ | |
141 | (w)[1]++; \ | |
142 | } \ | |
143 | } while (0) | |
144 | ||
145 | /*** THE SIX LOGICAL FUNCTIONS ****************************************/ | |
146 | /* | |
147 | * Bit shifting and rotation (used by the six SHA-XYZ logical functions: | |
148 | * | |
149 | * NOTE: The naming of R and S appears backwards here (R is a SHIFT and | |
150 | * S is a ROTATION) because the SHA-256/384/512 description document | |
151 | * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this | |
152 | * same "backwards" definition. | |
153 | */ | |
154 | /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ | |
155 | #define R(b,x) ((x) >> (b)) | |
156 | /* 32-bit Rotate-right (used in SHA-256): */ | |
157 | #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) | |
158 | /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ | |
159 | #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) | |
160 | ||
161 | /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ | |
162 | #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) | |
163 | #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) | |
164 | ||
165 | /* Four of six logical functions used in SHA-256: */ | |
166 | #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) | |
167 | #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) | |
168 | #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) | |
169 | #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) | |
170 | ||
171 | /* Four of six logical functions used in SHA-384 and SHA-512: */ | |
172 | #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) | |
173 | #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) | |
174 | #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) | |
175 | #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) | |
176 | ||
177 | ||
178 | /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ | |
179 | /* Hash constant words K for SHA-256: */ | |
180 | const static u_int32_t K256[64] = { | |
181 | 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, | |
182 | 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, | |
183 | 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, | |
184 | 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, | |
185 | 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, | |
186 | 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, | |
187 | 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, | |
188 | 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, | |
189 | 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, | |
190 | 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, | |
191 | 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, | |
192 | 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, | |
193 | 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, | |
194 | 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, | |
195 | 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, | |
196 | 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL | |
197 | }; | |
198 | ||
199 | /* Initial hash value H for SHA-256: */ | |
200 | const static u_int32_t sha256_initial_hash_value[8] = { | |
201 | 0x6a09e667UL, | |
202 | 0xbb67ae85UL, | |
203 | 0x3c6ef372UL, | |
204 | 0xa54ff53aUL, | |
205 | 0x510e527fUL, | |
206 | 0x9b05688cUL, | |
207 | 0x1f83d9abUL, | |
208 | 0x5be0cd19UL | |
209 | }; | |
210 | ||
211 | /* Hash constant words K for SHA-384 and SHA-512: */ | |
212 | const static u_int64_t K512[80] = { | |
213 | 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, | |
214 | 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, | |
215 | 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, | |
216 | 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, | |
217 | 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, | |
218 | 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, | |
219 | 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, | |
220 | 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, | |
221 | 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, | |
222 | 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, | |
223 | 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, | |
224 | 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, | |
225 | 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, | |
226 | 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, | |
227 | 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, | |
228 | 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, | |
229 | 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, | |
230 | 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, | |
231 | 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, | |
232 | 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, | |
233 | 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, | |
234 | 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, | |
235 | 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, | |
236 | 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, | |
237 | 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, | |
238 | 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, | |
239 | 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, | |
240 | 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, | |
241 | 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, | |
242 | 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, | |
243 | 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, | |
244 | 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, | |
245 | 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, | |
246 | 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, | |
247 | 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, | |
248 | 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, | |
249 | 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, | |
250 | 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, | |
251 | 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, | |
252 | 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL | |
253 | }; | |
254 | ||
255 | /* Initial hash value H for SHA-384 */ | |
256 | const static u_int64_t sha384_initial_hash_value[8] = { | |
257 | 0xcbbb9d5dc1059ed8ULL, | |
258 | 0x629a292a367cd507ULL, | |
259 | 0x9159015a3070dd17ULL, | |
260 | 0x152fecd8f70e5939ULL, | |
261 | 0x67332667ffc00b31ULL, | |
262 | 0x8eb44a8768581511ULL, | |
263 | 0xdb0c2e0d64f98fa7ULL, | |
264 | 0x47b5481dbefa4fa4ULL | |
265 | }; | |
266 | ||
267 | /* Initial hash value H for SHA-512 */ | |
268 | const static u_int64_t sha512_initial_hash_value[8] = { | |
269 | 0x6a09e667f3bcc908ULL, | |
270 | 0xbb67ae8584caa73bULL, | |
271 | 0x3c6ef372fe94f82bULL, | |
272 | 0xa54ff53a5f1d36f1ULL, | |
273 | 0x510e527fade682d1ULL, | |
274 | 0x9b05688c2b3e6c1fULL, | |
275 | 0x1f83d9abfb41bd6bULL, | |
276 | 0x5be0cd19137e2179ULL | |
277 | }; | |
278 | ||
279 | ||
280 | /*** SHA-256: *********************************************************/ | |
281 | void | |
282 | SHA256_Init(SHA256_CTX *context) | |
283 | { | |
284 | if (context == NULL) | |
285 | return; | |
286 | memcpy(context->state, sha256_initial_hash_value, | |
287 | sizeof(sha256_initial_hash_value)); | |
288 | memset(context->buffer, 0, sizeof(context->buffer)); | |
289 | context->bitcount = 0; | |
290 | } | |
291 | ||
292 | #ifdef SHA2_UNROLL_TRANSFORM | |
293 | ||
294 | /* Unrolled SHA-256 round macros: */ | |
295 | ||
296 | #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \ | |
297 | BE_8_TO_32(W256[j], data); \ | |
298 | data += 4; \ | |
299 | T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \ | |
300 | (d) += T1; \ | |
301 | (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ | |
302 | j++; \ | |
303 | } while(0) | |
304 | ||
305 | #define ROUND256(a,b,c,d,e,f,g,h) do { \ | |
306 | s0 = W256[(j+1)&0x0f]; \ | |
307 | s0 = sigma0_256(s0); \ | |
308 | s1 = W256[(j+14)&0x0f]; \ | |
309 | s1 = sigma1_256(s1); \ | |
310 | T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \ | |
311 | (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ | |
312 | (d) += T1; \ | |
313 | (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \ | |
314 | j++; \ | |
315 | } while(0) | |
316 | ||
317 | void | |
318 | SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) | |
319 | { | |
320 | u_int32_t a, b, c, d, e, f, g, h, s0, s1; | |
321 | u_int32_t T1, W256[16]; | |
322 | int j; | |
323 | ||
324 | /* Initialize registers with the prev. intermediate value */ | |
325 | a = state[0]; | |
326 | b = state[1]; | |
327 | c = state[2]; | |
328 | d = state[3]; | |
329 | e = state[4]; | |
330 | f = state[5]; | |
331 | g = state[6]; | |
332 | h = state[7]; | |
333 | ||
334 | j = 0; | |
335 | do { | |
336 | /* Rounds 0 to 15 (unrolled): */ | |
337 | ROUND256_0_TO_15(a,b,c,d,e,f,g,h); | |
338 | ROUND256_0_TO_15(h,a,b,c,d,e,f,g); | |
339 | ROUND256_0_TO_15(g,h,a,b,c,d,e,f); | |
340 | ROUND256_0_TO_15(f,g,h,a,b,c,d,e); | |
341 | ROUND256_0_TO_15(e,f,g,h,a,b,c,d); | |
342 | ROUND256_0_TO_15(d,e,f,g,h,a,b,c); | |
343 | ROUND256_0_TO_15(c,d,e,f,g,h,a,b); | |
344 | ROUND256_0_TO_15(b,c,d,e,f,g,h,a); | |
345 | } while (j < 16); | |
346 | ||
347 | /* Now for the remaining rounds up to 63: */ | |
348 | do { | |
349 | ROUND256(a,b,c,d,e,f,g,h); | |
350 | ROUND256(h,a,b,c,d,e,f,g); | |
351 | ROUND256(g,h,a,b,c,d,e,f); | |
352 | ROUND256(f,g,h,a,b,c,d,e); | |
353 | ROUND256(e,f,g,h,a,b,c,d); | |
354 | ROUND256(d,e,f,g,h,a,b,c); | |
355 | ROUND256(c,d,e,f,g,h,a,b); | |
356 | ROUND256(b,c,d,e,f,g,h,a); | |
357 | } while (j < 64); | |
358 | ||
359 | /* Compute the current intermediate hash value */ | |
360 | state[0] += a; | |
361 | state[1] += b; | |
362 | state[2] += c; | |
363 | state[3] += d; | |
364 | state[4] += e; | |
365 | state[5] += f; | |
366 | state[6] += g; | |
367 | state[7] += h; | |
368 | ||
369 | /* Clean up */ | |
370 | a = b = c = d = e = f = g = h = T1 = 0; | |
371 | } | |
372 | ||
373 | #else /* SHA2_UNROLL_TRANSFORM */ | |
374 | ||
375 | void | |
376 | SHA256_Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH]) | |
377 | { | |
378 | u_int32_t a, b, c, d, e, f, g, h, s0, s1; | |
379 | u_int32_t T1, T2, W256[16]; | |
380 | int j; | |
381 | ||
382 | /* Initialize registers with the prev. intermediate value */ | |
383 | a = state[0]; | |
384 | b = state[1]; | |
385 | c = state[2]; | |
386 | d = state[3]; | |
387 | e = state[4]; | |
388 | f = state[5]; | |
389 | g = state[6]; | |
390 | h = state[7]; | |
391 | ||
392 | j = 0; | |
393 | do { | |
394 | BE_8_TO_32(W256[j], data); | |
395 | data += 4; | |
396 | /* Apply the SHA-256 compression function to update a..h */ | |
397 | T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; | |
398 | T2 = Sigma0_256(a) + Maj(a, b, c); | |
399 | h = g; | |
400 | g = f; | |
401 | f = e; | |
402 | e = d + T1; | |
403 | d = c; | |
404 | c = b; | |
405 | b = a; | |
406 | a = T1 + T2; | |
407 | ||
408 | j++; | |
409 | } while (j < 16); | |
410 | ||
411 | do { | |
412 | /* Part of the message block expansion: */ | |
413 | s0 = W256[(j+1)&0x0f]; | |
414 | s0 = sigma0_256(s0); | |
415 | s1 = W256[(j+14)&0x0f]; | |
416 | s1 = sigma1_256(s1); | |
417 | ||
418 | /* Apply the SHA-256 compression function to update a..h */ | |
419 | T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + | |
420 | (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); | |
421 | T2 = Sigma0_256(a) + Maj(a, b, c); | |
422 | h = g; | |
423 | g = f; | |
424 | f = e; | |
425 | e = d + T1; | |
426 | d = c; | |
427 | c = b; | |
428 | b = a; | |
429 | a = T1 + T2; | |
430 | ||
431 | j++; | |
432 | } while (j < 64); | |
433 | ||
434 | /* Compute the current intermediate hash value */ | |
435 | state[0] += a; | |
436 | state[1] += b; | |
437 | state[2] += c; | |
438 | state[3] += d; | |
439 | state[4] += e; | |
440 | state[5] += f; | |
441 | state[6] += g; | |
442 | state[7] += h; | |
443 | ||
444 | /* Clean up */ | |
445 | a = b = c = d = e = f = g = h = T1 = T2 = 0; | |
446 | } | |
447 | ||
448 | #endif /* SHA2_UNROLL_TRANSFORM */ | |
449 | ||
450 | void | |
451 | SHA256_Update(SHA256_CTX *context, const u_int8_t *data, size_t len) | |
452 | { | |
453 | size_t freespace, usedspace; | |
454 | ||
455 | /* Calling with no data is valid (we do nothing) */ | |
456 | if (len == 0) | |
457 | return; | |
458 | ||
459 | usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; | |
460 | if (usedspace > 0) { | |
461 | /* Calculate how much free space is available in the buffer */ | |
462 | freespace = SHA256_BLOCK_LENGTH - usedspace; | |
463 | ||
464 | if (len >= freespace) { | |
465 | /* Fill the buffer completely and process it */ | |
466 | memcpy(&context->buffer[usedspace], data, freespace); | |
467 | context->bitcount += freespace << 3; | |
468 | len -= freespace; | |
469 | data += freespace; | |
470 | SHA256_Transform(context->state, context->buffer); | |
471 | } else { | |
472 | /* The buffer is not yet full */ | |
473 | memcpy(&context->buffer[usedspace], data, len); | |
474 | context->bitcount += len << 3; | |
475 | /* Clean up: */ | |
476 | usedspace = freespace = 0; | |
477 | return; | |
478 | } | |
479 | } | |
480 | while (len >= SHA256_BLOCK_LENGTH) { | |
481 | /* Process as many complete blocks as we can */ | |
482 | SHA256_Transform(context->state, data); | |
483 | context->bitcount += SHA256_BLOCK_LENGTH << 3; | |
484 | len -= SHA256_BLOCK_LENGTH; | |
485 | data += SHA256_BLOCK_LENGTH; | |
486 | } | |
487 | if (len > 0) { | |
488 | /* There's left-overs, so save 'em */ | |
489 | memcpy(context->buffer, data, len); | |
490 | context->bitcount += len << 3; | |
491 | } | |
492 | /* Clean up: */ | |
493 | usedspace = freespace = 0; | |
494 | } | |
495 | ||
496 | void | |
497 | SHA256_Pad(SHA256_CTX *context) | |
498 | { | |
499 | unsigned int usedspace; | |
500 | ||
501 | usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; | |
502 | if (usedspace > 0) { | |
503 | /* Begin padding with a 1 bit: */ | |
504 | context->buffer[usedspace++] = 0x80; | |
505 | ||
506 | if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { | |
507 | /* Set-up for the last transform: */ | |
508 | memset(&context->buffer[usedspace], 0, | |
509 | SHA256_SHORT_BLOCK_LENGTH - usedspace); | |
510 | } else { | |
511 | if (usedspace < SHA256_BLOCK_LENGTH) { | |
512 | memset(&context->buffer[usedspace], 0, | |
513 | SHA256_BLOCK_LENGTH - usedspace); | |
514 | } | |
515 | /* Do second-to-last transform: */ | |
516 | SHA256_Transform(context->state, context->buffer); | |
517 | ||
518 | /* Prepare for last transform: */ | |
519 | memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); | |
520 | } | |
521 | } else { | |
522 | /* Set-up for the last transform: */ | |
523 | memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH); | |
524 | ||
525 | /* Begin padding with a 1 bit: */ | |
526 | *context->buffer = 0x80; | |
527 | } | |
528 | /* Store the length of input data (in bits) in big endian format: */ | |
529 | BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH], | |
530 | context->bitcount); | |
531 | ||
532 | /* Final transform: */ | |
533 | SHA256_Transform(context->state, context->buffer); | |
534 | ||
535 | /* Clean up: */ | |
536 | usedspace = 0; | |
537 | } | |
538 | ||
539 | void | |
540 | SHA256_Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA256_CTX *context) | |
541 | { | |
542 | SHA256_Pad(context); | |
543 | ||
544 | /* If no digest buffer is passed, we don't bother doing this: */ | |
545 | if (digest != NULL) { | |
546 | #if BYTE_ORDER == LITTLE_ENDIAN | |
547 | int i; | |
548 | ||
549 | /* Convert TO host byte order */ | |
550 | for (i = 0; i < 8; i++) | |
551 | BE_32_TO_8(digest + i * 4, context->state[i]); | |
552 | #else | |
553 | memcpy(digest, context->state, SHA256_DIGEST_LENGTH); | |
554 | #endif | |
555 | memset(context, 0, sizeof(*context)); | |
556 | } | |
557 | } | |
558 | ||
559 | ||
560 | /*** SHA-512: *********************************************************/ | |
561 | void | |
562 | SHA512_Init(SHA512_CTX *context) | |
563 | { | |
564 | if (context == NULL) | |
565 | return; | |
566 | memcpy(context->state, sha512_initial_hash_value, | |
567 | sizeof(sha512_initial_hash_value)); | |
568 | memset(context->buffer, 0, sizeof(context->buffer)); | |
569 | context->bitcount[0] = context->bitcount[1] = 0; | |
570 | } | |
571 | ||
572 | #ifdef SHA2_UNROLL_TRANSFORM | |
573 | ||
574 | /* Unrolled SHA-512 round macros: */ | |
575 | ||
576 | #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \ | |
577 | BE_8_TO_64(W512[j], data); \ | |
578 | data += 8; \ | |
579 | T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \ | |
580 | (d) += T1; \ | |
581 | (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ | |
582 | j++; \ | |
583 | } while(0) | |
584 | ||
585 | ||
586 | #define ROUND512(a,b,c,d,e,f,g,h) do { \ | |
587 | s0 = W512[(j+1)&0x0f]; \ | |
588 | s0 = sigma0_512(s0); \ | |
589 | s1 = W512[(j+14)&0x0f]; \ | |
590 | s1 = sigma1_512(s1); \ | |
591 | T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \ | |
592 | (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ | |
593 | (d) += T1; \ | |
594 | (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \ | |
595 | j++; \ | |
596 | } while(0) | |
597 | ||
598 | void | |
599 | SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) | |
600 | { | |
601 | u_int64_t a, b, c, d, e, f, g, h, s0, s1; | |
602 | u_int64_t T1, W512[16]; | |
603 | int j; | |
604 | ||
605 | /* Initialize registers with the prev. intermediate value */ | |
606 | a = state[0]; | |
607 | b = state[1]; | |
608 | c = state[2]; | |
609 | d = state[3]; | |
610 | e = state[4]; | |
611 | f = state[5]; | |
612 | g = state[6]; | |
613 | h = state[7]; | |
614 | ||
615 | j = 0; | |
616 | do { | |
617 | /* Rounds 0 to 15 (unrolled): */ | |
618 | ROUND512_0_TO_15(a,b,c,d,e,f,g,h); | |
619 | ROUND512_0_TO_15(h,a,b,c,d,e,f,g); | |
620 | ROUND512_0_TO_15(g,h,a,b,c,d,e,f); | |
621 | ROUND512_0_TO_15(f,g,h,a,b,c,d,e); | |
622 | ROUND512_0_TO_15(e,f,g,h,a,b,c,d); | |
623 | ROUND512_0_TO_15(d,e,f,g,h,a,b,c); | |
624 | ROUND512_0_TO_15(c,d,e,f,g,h,a,b); | |
625 | ROUND512_0_TO_15(b,c,d,e,f,g,h,a); | |
626 | } while (j < 16); | |
627 | ||
628 | /* Now for the remaining rounds up to 79: */ | |
629 | do { | |
630 | ROUND512(a,b,c,d,e,f,g,h); | |
631 | ROUND512(h,a,b,c,d,e,f,g); | |
632 | ROUND512(g,h,a,b,c,d,e,f); | |
633 | ROUND512(f,g,h,a,b,c,d,e); | |
634 | ROUND512(e,f,g,h,a,b,c,d); | |
635 | ROUND512(d,e,f,g,h,a,b,c); | |
636 | ROUND512(c,d,e,f,g,h,a,b); | |
637 | ROUND512(b,c,d,e,f,g,h,a); | |
638 | } while (j < 80); | |
639 | ||
640 | /* Compute the current intermediate hash value */ | |
641 | state[0] += a; | |
642 | state[1] += b; | |
643 | state[2] += c; | |
644 | state[3] += d; | |
645 | state[4] += e; | |
646 | state[5] += f; | |
647 | state[6] += g; | |
648 | state[7] += h; | |
649 | ||
650 | /* Clean up */ | |
651 | a = b = c = d = e = f = g = h = T1 = 0; | |
652 | } | |
653 | ||
654 | #else /* SHA2_UNROLL_TRANSFORM */ | |
655 | ||
656 | void | |
657 | SHA512_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) | |
658 | { | |
659 | u_int64_t a, b, c, d, e, f, g, h, s0, s1; | |
660 | u_int64_t T1, T2, W512[16]; | |
661 | int j; | |
662 | ||
663 | /* Initialize registers with the prev. intermediate value */ | |
664 | a = state[0]; | |
665 | b = state[1]; | |
666 | c = state[2]; | |
667 | d = state[3]; | |
668 | e = state[4]; | |
669 | f = state[5]; | |
670 | g = state[6]; | |
671 | h = state[7]; | |
672 | ||
673 | j = 0; | |
674 | do { | |
675 | BE_8_TO_64(W512[j], data); | |
676 | data += 8; | |
677 | /* Apply the SHA-512 compression function to update a..h */ | |
678 | T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; | |
679 | T2 = Sigma0_512(a) + Maj(a, b, c); | |
680 | h = g; | |
681 | g = f; | |
682 | f = e; | |
683 | e = d + T1; | |
684 | d = c; | |
685 | c = b; | |
686 | b = a; | |
687 | a = T1 + T2; | |
688 | ||
689 | j++; | |
690 | } while (j < 16); | |
691 | ||
692 | do { | |
693 | /* Part of the message block expansion: */ | |
694 | s0 = W512[(j+1)&0x0f]; | |
695 | s0 = sigma0_512(s0); | |
696 | s1 = W512[(j+14)&0x0f]; | |
697 | s1 = sigma1_512(s1); | |
698 | ||
699 | /* Apply the SHA-512 compression function to update a..h */ | |
700 | T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + | |
701 | (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); | |
702 | T2 = Sigma0_512(a) + Maj(a, b, c); | |
703 | h = g; | |
704 | g = f; | |
705 | f = e; | |
706 | e = d + T1; | |
707 | d = c; | |
708 | c = b; | |
709 | b = a; | |
710 | a = T1 + T2; | |
711 | ||
712 | j++; | |
713 | } while (j < 80); | |
714 | ||
715 | /* Compute the current intermediate hash value */ | |
716 | state[0] += a; | |
717 | state[1] += b; | |
718 | state[2] += c; | |
719 | state[3] += d; | |
720 | state[4] += e; | |
721 | state[5] += f; | |
722 | state[6] += g; | |
723 | state[7] += h; | |
724 | ||
725 | /* Clean up */ | |
726 | a = b = c = d = e = f = g = h = T1 = T2 = 0; | |
727 | } | |
728 | ||
729 | #endif /* SHA2_UNROLL_TRANSFORM */ | |
730 | ||
731 | void | |
732 | SHA512_Update(SHA512_CTX *context, const u_int8_t *data, size_t len) | |
733 | { | |
734 | size_t freespace, usedspace; | |
735 | ||
736 | /* Calling with no data is valid (we do nothing) */ | |
737 | if (len == 0) | |
738 | return; | |
739 | ||
740 | usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; | |
741 | if (usedspace > 0) { | |
742 | /* Calculate how much free space is available in the buffer */ | |
743 | freespace = SHA512_BLOCK_LENGTH - usedspace; | |
744 | ||
745 | if (len >= freespace) { | |
746 | /* Fill the buffer completely and process it */ | |
747 | memcpy(&context->buffer[usedspace], data, freespace); | |
748 | ADDINC128(context->bitcount, freespace << 3); | |
749 | len -= freespace; | |
750 | data += freespace; | |
751 | SHA512_Transform(context->state, context->buffer); | |
752 | } else { | |
753 | /* The buffer is not yet full */ | |
754 | memcpy(&context->buffer[usedspace], data, len); | |
755 | ADDINC128(context->bitcount, len << 3); | |
756 | /* Clean up: */ | |
757 | usedspace = freespace = 0; | |
758 | return; | |
759 | } | |
760 | } | |
761 | while (len >= SHA512_BLOCK_LENGTH) { | |
762 | /* Process as many complete blocks as we can */ | |
763 | SHA512_Transform(context->state, data); | |
764 | ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); | |
765 | len -= SHA512_BLOCK_LENGTH; | |
766 | data += SHA512_BLOCK_LENGTH; | |
767 | } | |
768 | if (len > 0) { | |
769 | /* There's left-overs, so save 'em */ | |
770 | memcpy(context->buffer, data, len); | |
771 | ADDINC128(context->bitcount, len << 3); | |
772 | } | |
773 | /* Clean up: */ | |
774 | usedspace = freespace = 0; | |
775 | } | |
776 | ||
777 | void | |
778 | SHA512_Pad(SHA512_CTX *context) | |
779 | { | |
780 | unsigned int usedspace; | |
781 | ||
782 | usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; | |
783 | if (usedspace > 0) { | |
784 | /* Begin padding with a 1 bit: */ | |
785 | context->buffer[usedspace++] = 0x80; | |
786 | ||
787 | if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { | |
788 | /* Set-up for the last transform: */ | |
789 | memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace); | |
790 | } else { | |
791 | if (usedspace < SHA512_BLOCK_LENGTH) { | |
792 | memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace); | |
793 | } | |
794 | /* Do second-to-last transform: */ | |
795 | SHA512_Transform(context->state, context->buffer); | |
796 | ||
797 | /* And set-up for the last transform: */ | |
798 | memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2); | |
799 | } | |
800 | } else { | |
801 | /* Prepare for final transform: */ | |
802 | memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH); | |
803 | ||
804 | /* Begin padding with a 1 bit: */ | |
805 | *context->buffer = 0x80; | |
806 | } | |
807 | /* Store the length of input data (in bits) in big endian format: */ | |
808 | BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH], | |
809 | context->bitcount[1]); | |
810 | BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8], | |
811 | context->bitcount[0]); | |
812 | ||
813 | /* Final transform: */ | |
814 | SHA512_Transform(context->state, context->buffer); | |
815 | ||
816 | /* Clean up: */ | |
817 | usedspace = 0; | |
818 | } | |
819 | ||
820 | void | |
821 | SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context) | |
822 | { | |
823 | SHA512_Pad(context); | |
824 | ||
825 | /* If no digest buffer is passed, we don't bother doing this: */ | |
826 | if (digest != NULL) { | |
827 | #if BYTE_ORDER == LITTLE_ENDIAN | |
828 | int i; | |
829 | ||
830 | /* Convert TO host byte order */ | |
831 | for (i = 0; i < 8; i++) | |
832 | BE_64_TO_8(digest + i * 8, context->state[i]); | |
833 | #else | |
834 | memcpy(digest, context->state, SHA512_DIGEST_LENGTH); | |
835 | #endif | |
836 | memset(context, 0, sizeof(*context)); | |
837 | } | |
838 | } | |
839 | ||
840 | ||
841 | #if 0 | |
842 | /*** SHA-384: *********************************************************/ | |
843 | void | |
844 | SHA384_Init(SHA384_CTX *context) | |
845 | { | |
846 | if (context == NULL) | |
847 | return; | |
848 | memcpy(context->state, sha384_initial_hash_value, | |
849 | sizeof(sha384_initial_hash_value)); | |
850 | memset(context->buffer, 0, sizeof(context->buffer)); | |
851 | context->bitcount[0] = context->bitcount[1] = 0; | |
852 | } | |
853 | ||
854 | __weak_alias(SHA384_Transform, SHA512_Transform); | |
855 | __weak_alias(SHA384_Update, SHA512_Update); | |
856 | __weak_alias(SHA384_Pad, SHA512_Pad); | |
857 | ||
858 | void | |
859 | SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) | |
860 | { | |
861 | SHA384_Pad(context); | |
862 | ||
863 | /* If no digest buffer is passed, we don't bother doing this: */ | |
864 | if (digest != NULL) { | |
865 | #if BYTE_ORDER == LITTLE_ENDIAN | |
866 | int i; | |
867 | ||
868 | /* Convert TO host byte order */ | |
869 | for (i = 0; i < 6; i++) | |
870 | BE_64_TO_8(digest + i * 8, context->state[i]); | |
871 | #else | |
872 | memcpy(digest, context->state, SHA384_DIGEST_LENGTH); | |
873 | #endif | |
874 | } | |
875 | ||
876 | /* Zero out state data */ | |
877 | memset(context, 0, sizeof(*context)); | |
878 | } | |
879 | #endif | |
880 | ||
881 | #endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | |
882 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ |