Fixed extern declaration from pointer to array
[minix.git] / servers / inet / sha2.c
blob60dd14c43cb74df744f411b20fbee5365a863a91
2 /*
3 * sha2.c
5 * Version 1.0.0beta1
7 * Written by Aaron D. Gifford <me@aarongifford.com>
9 * Copyright 2000 Aaron D. Gifford. All rights reserved.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the copyright holder nor the names of contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
38 #include <sys/types.h>
39 /* #include <sys/time.h> */
40 /* #include <sys/systm.h> */
41 /* #include <machine/endian.h> */
42 #include "sha2.h"
45 * ASSERT NOTE:
46 * Some sanity checking code is included using assert(). On my FreeBSD
47 * system, this additional code can be removed by compiling with NDEBUG
48 * defined. Check your own systems manpage on assert() to see how to
49 * compile WITHOUT the sanity checking code on your system.
51 * UNROLLED TRANSFORM LOOP NOTE:
52 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
53 * loop version for the hash transform rounds (defined using macros
54 * later in this file). Either define on the command line, for example:
56 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
58 * or define below:
60 * #define SHA2_UNROLL_TRANSFORM
64 #if defined(__bsdi__) || defined(__FreeBSD__)
65 #define assert(x)
66 #endif
69 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
71 * SHA2_BYTE_ORDER NOTE:
73 * Please make sure that your system defines SHA2_BYTE_ORDER. If your
74 * architecture is little-endian, make sure it also defines
75 * SHA2_LITTLE_ENDIAN and that the two (SHA2_BYTE_ORDER and
76 * SHA2_LITTLE_ENDIAN) are equivilent.
78 * If your system does not define the above, then you can do so by
79 * hand like this:
81 * #define SHA2_LITTLE_ENDIAN 1234
82 * #define SHA2_BIG_ENDIAN 4321
84 * And for little-endian machines, add:
86 * #define SHA2_BYTE_ORDER SHA2_LITTLE_ENDIAN
88 * Or for big-endian machines:
90 * #define SHA2_BYTE_ORDER SHA2_BIG_ENDIAN
92 * The FreeBSD machine this was written on defines BYTE_ORDER
93 * appropriately by including <sys/types.h> (which in turn includes
94 * <machine/endian.h> where the appropriate definitions are actually
95 * made).
97 #if !defined(SHA2_BYTE_ORDER) || (SHA2_BYTE_ORDER != SHA2_LITTLE_ENDIAN && SHA2_BYTE_ORDER != SHA2_BIG_ENDIAN)
98 #error Define SHA2_BYTE_ORDER to be equal to either SHA2_LITTLE_ENDIAN or SHA2_BIG_ENDIAN
99 #endif
102 * Define the followingsha2_* types to types of the correct length on
103 * the native archtecture. Most BSD systems and Linux define u_intXX_t
104 * types. Machines with very recent ANSI C headers, can use the
105 * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
106 * during compile or in the sha.h header file.
108 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
109 * will need to define these three typedefs below (and the appropriate
110 * ones in sha.h too) by hand according to their system architecture.
112 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
113 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
115 #if 0 /*def SHA2_USE_INTTYPES_H*/
117 typedef uint8_t sha2_byte; /* Exactly 1 byte */
118 typedef uint32_t sha2_word32; /* Exactly 4 bytes */
119 typedef uint64_t sha2_word64; /* Exactly 8 bytes */
121 #else /* SHA2_USE_INTTYPES_H */
123 typedef u_int8_t sha2_byte; /* Exactly 1 byte */
124 typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
125 typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
127 #endif /* SHA2_USE_INTTYPES_H */
130 /*** SHA-256/384/512 Various Length Definitions ***********************/
131 /* NOTE: Most of these are in sha2.h */
132 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
133 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
134 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
137 /*** ENDIAN REVERSAL MACROS *******************************************/
138 #if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
139 #define REVERSE32(w,x) { \
140 sha2_word32 tmp = (w); \
141 tmp = (tmp >> 16) | (tmp << 16); \
142 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
144 #define REVERSE64(w,x) { \
145 sha2_word64 tmp = (w); \
146 tmp = (tmp >> 32) | (tmp << 32); \
147 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
148 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
149 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
150 ((tmp & 0x0000ffff0000ffffULL) << 16); \
152 #if MINIX_64BIT
153 #undef REVERSE64
154 #define REVERSE64(w,x) { \
155 u32_t hi, lo; \
156 REVERSE32(ex64hi((w)), lo); \
157 REVERSE32(ex64lo((w)), hi); \
158 (x) = make64(lo, hi); \
160 #endif /* MINIX_64BIT */
161 #endif /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
164 * Macro for incrementally adding the unsigned 64-bit integer n to the
165 * unsigned 128-bit integer (represented using a two-element array of
166 * 64-bit words):
168 #define ADDINC128(w,n) { \
169 (w)[0] += (sha2_word64)(n); \
170 if ((w)[0] < (n)) { \
171 (w)[1]++; \
175 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
177 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
179 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
180 * S is a ROTATION) because the SHA-256/384/512 description document
181 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
182 * same "backwards" definition.
184 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
185 #define R(b,x) ((x) >> (b))
186 /* 32-bit Rotate-right (used in SHA-256): */
187 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
188 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
189 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
191 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
192 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
193 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
195 /* Four of six logical functions used in SHA-256: */
196 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
197 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
198 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
199 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
201 /* Four of six logical functions used in SHA-384 and SHA-512: */
202 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
203 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
204 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
205 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
207 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
208 /* NOTE: These should not be accessed directly from outside this
209 * library -- they are intended for private internal visibility/use
210 * only.
212 void SHA512_Last(SHA512_CTX*);
213 void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
214 void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
217 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
218 /* Hash constant words K for SHA-256: */
219 const static sha2_word32 K256[64] = {
220 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
221 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
222 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
223 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
224 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
225 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
226 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
227 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
228 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
229 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
230 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
231 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
232 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
233 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
234 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
235 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
238 /* Initial hash value H for SHA-256: */
239 const static sha2_word32 sha256_initial_hash_value[8] = {
240 0x6a09e667UL,
241 0xbb67ae85UL,
242 0x3c6ef372UL,
243 0xa54ff53aUL,
244 0x510e527fUL,
245 0x9b05688cUL,
246 0x1f83d9abUL,
247 0x5be0cd19UL
250 #if !NO_64BIT
251 /* Hash constant words K for SHA-384 and SHA-512: */
252 const static sha2_word64 K512[80] = {
253 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
254 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
255 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
256 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
257 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
258 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
259 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
260 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
261 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
262 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
263 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
264 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
265 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
266 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
267 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
268 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
269 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
270 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
271 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
272 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
273 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
274 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
275 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
276 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
277 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
278 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
279 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
280 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
281 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
282 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
283 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
284 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
285 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
286 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
287 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
288 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
289 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
290 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
291 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
292 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
295 /* Initial hash value H for SHA-384 */
296 const static sha2_word64 sha384_initial_hash_value[8] = {
297 0xcbbb9d5dc1059ed8ULL,
298 0x629a292a367cd507ULL,
299 0x9159015a3070dd17ULL,
300 0x152fecd8f70e5939ULL,
301 0x67332667ffc00b31ULL,
302 0x8eb44a8768581511ULL,
303 0xdb0c2e0d64f98fa7ULL,
304 0x47b5481dbefa4fa4ULL
307 /* Initial hash value H for SHA-512 */
308 const static sha2_word64 sha512_initial_hash_value[8] = {
309 0x6a09e667f3bcc908ULL,
310 0xbb67ae8584caa73bULL,
311 0x3c6ef372fe94f82bULL,
312 0xa54ff53a5f1d36f1ULL,
313 0x510e527fade682d1ULL,
314 0x9b05688c2b3e6c1fULL,
315 0x1f83d9abfb41bd6bULL,
316 0x5be0cd19137e2179ULL
318 #endif /* !NO_64BIT */
321 * Constant used by SHA256/384/512_End() functions for converting the
322 * digest to a readable hexadecimal character string:
324 static const char *sha2_hex_digits = "0123456789abcdef";
327 /*** SHA-256: *********************************************************/
328 void SHA256_Init(SHA256_CTX* context) {
329 if (context == (SHA256_CTX*)0) {
330 return;
332 bcopy(sha256_initial_hash_value, context->state, SHA256_DIGEST_LENGTH);
333 bzero(context->buffer, SHA256_BLOCK_LENGTH);
334 #if MINIX_64BIT
335 context->bitcount= cvu64(0);
336 #else /* !MINIX_64BIT */
337 context->bitcount = 0;
338 #endif /* MINIX_64BIT */
341 #ifdef SHA2_UNROLL_TRANSFORM
343 /* Unrolled SHA-256 round macros: */
345 #if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
347 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
348 REVERSE32(*data++, W256[j]); \
349 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
350 K256[j] + W256[j]; \
351 (d) += T1; \
352 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
356 #else /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
358 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
359 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
360 K256[j] + (W256[j] = *data++); \
361 (d) += T1; \
362 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
365 #endif /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
367 #define ROUND256(a,b,c,d,e,f,g,h) \
368 s0 = W256[(j+1)&0x0f]; \
369 s0 = sigma0_256(s0); \
370 s1 = W256[(j+14)&0x0f]; \
371 s1 = sigma1_256(s1); \
372 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
373 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
374 (d) += T1; \
375 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
378 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
379 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
380 sha2_word32 T1, *W256;
381 int j;
383 W256 = (sha2_word32*)context->buffer;
385 /* Initialize registers with the prev. intermediate value */
386 a = context->state[0];
387 b = context->state[1];
388 c = context->state[2];
389 d = context->state[3];
390 e = context->state[4];
391 f = context->state[5];
392 g = context->state[6];
393 h = context->state[7];
395 j = 0;
396 do {
397 /* Rounds 0 to 15 (unrolled): */
398 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
399 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
400 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
401 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
402 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
403 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
404 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
405 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
406 } while (j < 16);
408 /* Now for the remaining rounds to 64: */
409 do {
410 ROUND256(a,b,c,d,e,f,g,h);
411 ROUND256(h,a,b,c,d,e,f,g);
412 ROUND256(g,h,a,b,c,d,e,f);
413 ROUND256(f,g,h,a,b,c,d,e);
414 ROUND256(e,f,g,h,a,b,c,d);
415 ROUND256(d,e,f,g,h,a,b,c);
416 ROUND256(c,d,e,f,g,h,a,b);
417 ROUND256(b,c,d,e,f,g,h,a);
418 } while (j < 64);
420 /* Compute the current intermediate hash value */
421 context->state[0] += a;
422 context->state[1] += b;
423 context->state[2] += c;
424 context->state[3] += d;
425 context->state[4] += e;
426 context->state[5] += f;
427 context->state[6] += g;
428 context->state[7] += h;
430 /* Clean up */
431 a = b = c = d = e = f = g = h = T1 = 0;
434 #else /* SHA2_UNROLL_TRANSFORM */
436 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
437 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
438 sha2_word32 T1, T2, *W256;
439 int j;
441 W256 = (sha2_word32*)context->buffer;
443 /* Initialize registers with the prev. intermediate value */
444 a = context->state[0];
445 b = context->state[1];
446 c = context->state[2];
447 d = context->state[3];
448 e = context->state[4];
449 f = context->state[5];
450 g = context->state[6];
451 h = context->state[7];
453 j = 0;
454 do {
455 #if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
456 /* Copy data while converting to host byte order */
457 REVERSE32(*data++,W256[j]);
458 /* Apply the SHA-256 compression function to update a..h */
459 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
460 #else /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
461 /* Apply the SHA-256 compression function to update a..h with copy */
462 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
463 #endif /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
464 T2 = Sigma0_256(a) + Maj(a, b, c);
465 h = g;
466 g = f;
467 f = e;
468 e = d + T1;
469 d = c;
470 c = b;
471 b = a;
472 a = T1 + T2;
474 j++;
475 } while (j < 16);
477 do {
478 /* Part of the message block expansion: */
479 s0 = W256[(j+1)&0x0f];
480 s0 = sigma0_256(s0);
481 s1 = W256[(j+14)&0x0f];
482 s1 = sigma1_256(s1);
484 /* Apply the SHA-256 compression function to update a..h */
485 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
486 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
487 T2 = Sigma0_256(a) + Maj(a, b, c);
488 h = g;
489 g = f;
490 f = e;
491 e = d + T1;
492 d = c;
493 c = b;
494 b = a;
495 a = T1 + T2;
497 j++;
498 } while (j < 64);
500 /* Compute the current intermediate hash value */
501 context->state[0] += a;
502 context->state[1] += b;
503 context->state[2] += c;
504 context->state[3] += d;
505 context->state[4] += e;
506 context->state[5] += f;
507 context->state[6] += g;
508 context->state[7] += h;
510 /* Clean up */
511 a = b = c = d = e = f = g = h = T1 = T2 = 0;
514 #endif /* SHA2_UNROLL_TRANSFORM */
516 void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
517 unsigned int freespace, usedspace;
519 if (len == 0) {
520 /* Calling with no data is valid - we do nothing */
521 return;
524 /* Sanity check: */
525 assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
527 #if MINIX_64BIT
528 usedspace= rem64u(context->bitcount, SHA256_BLOCK_LENGTH*8)/8;
529 #else /* !MINIX_64BIT */
530 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
531 #endif /* MINIX_64BIT */
532 if (usedspace > 0) {
533 /* Calculate how much free space is available in the buffer */
534 freespace = SHA256_BLOCK_LENGTH - usedspace;
536 if (len >= freespace) {
537 /* Fill the buffer completely and process it */
538 bcopy(data, &context->buffer[usedspace], freespace);
539 #if MINIX_64BIT
540 context->bitcount= add64u(context->bitcount,
541 freespace << 3);
542 #else /* !MINIX_64BIT */
543 context->bitcount += freespace << 3;
544 #endif /* MINIX_64BIT */
545 len -= freespace;
546 data += freespace;
547 SHA256_Transform(context, (sha2_word32*)context->buffer);
548 } else {
549 /* The buffer is not yet full */
550 bcopy(data, &context->buffer[usedspace], len);
551 #if MINIX_64BIT
552 context->bitcount= add64u(context->bitcount, len << 3);
553 #else /* !MINIX_64BIT */
554 context->bitcount += len << 3;
555 #endif /* MINIX_64BIT */
556 /* Clean up: */
557 usedspace = freespace = 0;
558 return;
561 while (len >= SHA256_BLOCK_LENGTH) {
562 /* Process as many complete blocks as we can */
563 SHA256_Transform(context, (const sha2_word32*)data);
564 #if MINIX_64BIT
565 context->bitcount= add64u(context->bitcount,
566 SHA256_BLOCK_LENGTH << 3);
567 #else /* !MINIX_64BIT */
568 context->bitcount += SHA256_BLOCK_LENGTH << 3;
569 #endif /* MINIX_64BIT */
570 len -= SHA256_BLOCK_LENGTH;
571 data += SHA256_BLOCK_LENGTH;
573 if (len > 0) {
574 /* There's left-overs, so save 'em */
575 bcopy(data, context->buffer, len);
576 #if MINIX_64BIT
577 context->bitcount= add64u(context->bitcount, len << 3);
578 #else /* !MINIX_64BIT */
579 context->bitcount += len << 3;
580 #endif /* MINIX_64BIT */
582 /* Clean up: */
583 usedspace = freespace = 0;
586 void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
587 sha2_word32 *d = (sha2_word32*)digest;
588 unsigned int usedspace;
590 /* Sanity check: */
591 assert(context != (SHA256_CTX*)0);
593 /* If no digest buffer is passed, we don't bother doing this: */
594 if (digest != (sha2_byte*)0) {
595 #if MINIX_64BIT
596 usedspace= rem64u(context->bitcount, SHA256_BLOCK_LENGTH*8)/8;
597 #else /* !MINIX_64BIT */
598 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
599 #endif /* MINIX_64BIT */
600 #if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
601 /* Convert FROM host byte order */
602 REVERSE64(context->bitcount,context->bitcount);
603 #endif
604 if (usedspace > 0) {
605 /* Begin padding with a 1 bit: */
606 context->buffer[usedspace++] = 0x80;
608 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
609 /* Set-up for the last transform: */
610 bzero(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
611 } else {
612 if (usedspace < SHA256_BLOCK_LENGTH) {
613 bzero(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
615 /* Do second-to-last transform: */
616 SHA256_Transform(context, (sha2_word32*)context->buffer);
618 /* And set-up for the last transform: */
619 bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
621 } else {
622 /* Set-up for the last transform: */
623 bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
625 /* Begin padding with a 1 bit: */
626 *context->buffer = 0x80;
628 /* Set the bit count: */
629 *(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
631 /* Final transform: */
632 SHA256_Transform(context, (sha2_word32*)context->buffer);
634 #if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
636 /* Convert TO host byte order */
637 int j;
638 for (j = 0; j < 8; j++) {
639 REVERSE32(context->state[j],context->state[j]);
640 *d++ = context->state[j];
643 #else
644 bcopy(context->state, d, SHA256_DIGEST_LENGTH);
645 #endif
648 /* Clean up state data: */
649 bzero(context, sizeof(context));
650 usedspace = 0;
653 char *SHA256_End(SHA256_CTX* context, char buffer[]) {
654 sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
655 int i;
657 /* Sanity check: */
658 assert(context != (SHA256_CTX*)0);
660 if (buffer != (char*)0) {
661 SHA256_Final(digest, context);
663 for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
664 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
665 *buffer++ = sha2_hex_digits[*d & 0x0f];
666 d++;
668 *buffer = (char)0;
669 } else {
670 bzero(context, sizeof(context));
672 bzero(digest, SHA256_DIGEST_LENGTH);
673 return buffer;
676 char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
677 SHA256_CTX context;
679 SHA256_Init(&context);
680 SHA256_Update(&context, data, len);
681 return SHA256_End(&context, digest);
684 #if !NO_64BIT
686 /*** SHA-512: *********************************************************/
687 void SHA512_Init(SHA512_CTX* context) {
688 if (context == (SHA512_CTX*)0) {
689 return;
691 bcopy(sha512_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
692 bzero(context->buffer, SHA512_BLOCK_LENGTH);
693 context->bitcount[0] = context->bitcount[1] = 0;
696 #ifdef SHA2_UNROLL_TRANSFORM
698 /* Unrolled SHA-512 round macros: */
699 #if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
701 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
702 REVERSE64(*data++, W512[j]); \
703 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
704 K512[j] + W512[j]; \
705 (d) += T1, \
706 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
710 #else /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
712 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
713 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
714 K512[j] + (W512[j] = *data++); \
715 (d) += T1; \
716 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
719 #endif /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
721 #define ROUND512(a,b,c,d,e,f,g,h) \
722 s0 = W512[(j+1)&0x0f]; \
723 s0 = sigma0_512(s0); \
724 s1 = W512[(j+14)&0x0f]; \
725 s1 = sigma1_512(s1); \
726 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
727 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
728 (d) += T1; \
729 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
732 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
733 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
734 sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
735 int j;
737 /* Initialize registers with the prev. intermediate value */
738 a = context->state[0];
739 b = context->state[1];
740 c = context->state[2];
741 d = context->state[3];
742 e = context->state[4];
743 f = context->state[5];
744 g = context->state[6];
745 h = context->state[7];
747 j = 0;
748 do {
749 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
750 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
751 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
752 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
753 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
754 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
755 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
756 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
757 } while (j < 16);
759 /* Now for the remaining rounds up to 79: */
760 do {
761 ROUND512(a,b,c,d,e,f,g,h);
762 ROUND512(h,a,b,c,d,e,f,g);
763 ROUND512(g,h,a,b,c,d,e,f);
764 ROUND512(f,g,h,a,b,c,d,e);
765 ROUND512(e,f,g,h,a,b,c,d);
766 ROUND512(d,e,f,g,h,a,b,c);
767 ROUND512(c,d,e,f,g,h,a,b);
768 ROUND512(b,c,d,e,f,g,h,a);
769 } while (j < 80);
771 /* Compute the current intermediate hash value */
772 context->state[0] += a;
773 context->state[1] += b;
774 context->state[2] += c;
775 context->state[3] += d;
776 context->state[4] += e;
777 context->state[5] += f;
778 context->state[6] += g;
779 context->state[7] += h;
781 /* Clean up */
782 a = b = c = d = e = f = g = h = T1 = 0;
785 #else /* SHA2_UNROLL_TRANSFORM */
787 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
788 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
789 sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
790 int j;
792 /* Initialize registers with the prev. intermediate value */
793 a = context->state[0];
794 b = context->state[1];
795 c = context->state[2];
796 d = context->state[3];
797 e = context->state[4];
798 f = context->state[5];
799 g = context->state[6];
800 h = context->state[7];
802 j = 0;
803 do {
804 #if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
805 /* Convert TO host byte order */
806 REVERSE64(*data++, W512[j]);
807 /* Apply the SHA-512 compression function to update a..h */
808 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
809 #else /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
810 /* Apply the SHA-512 compression function to update a..h with copy */
811 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
812 #endif /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
813 T2 = Sigma0_512(a) + Maj(a, b, c);
814 h = g;
815 g = f;
816 f = e;
817 e = d + T1;
818 d = c;
819 c = b;
820 b = a;
821 a = T1 + T2;
823 j++;
824 } while (j < 16);
826 do {
827 /* Part of the message block expansion: */
828 s0 = W512[(j+1)&0x0f];
829 s0 = sigma0_512(s0);
830 s1 = W512[(j+14)&0x0f];
831 s1 = sigma1_512(s1);
833 /* Apply the SHA-512 compression function to update a..h */
834 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
835 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
836 T2 = Sigma0_512(a) + Maj(a, b, c);
837 h = g;
838 g = f;
839 f = e;
840 e = d + T1;
841 d = c;
842 c = b;
843 b = a;
844 a = T1 + T2;
846 j++;
847 } while (j < 80);
849 /* Compute the current intermediate hash value */
850 context->state[0] += a;
851 context->state[1] += b;
852 context->state[2] += c;
853 context->state[3] += d;
854 context->state[4] += e;
855 context->state[5] += f;
856 context->state[6] += g;
857 context->state[7] += h;
859 /* Clean up */
860 a = b = c = d = e = f = g = h = T1 = T2 = 0;
863 #endif /* SHA2_UNROLL_TRANSFORM */
865 void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
866 unsigned int freespace, usedspace;
868 if (len == 0) {
869 /* Calling with no data is valid - we do nothing */
870 return;
873 /* Sanity check: */
874 assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);
876 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
877 if (usedspace > 0) {
878 /* Calculate how much free space is available in the buffer */
879 freespace = SHA512_BLOCK_LENGTH - usedspace;
881 if (len >= freespace) {
882 /* Fill the buffer completely and process it */
883 bcopy(data, &context->buffer[usedspace], freespace);
884 ADDINC128(context->bitcount, freespace << 3);
885 len -= freespace;
886 data += freespace;
887 SHA512_Transform(context, (sha2_word64*)context->buffer);
888 } else {
889 /* The buffer is not yet full */
890 bcopy(data, &context->buffer[usedspace], len);
891 ADDINC128(context->bitcount, len << 3);
892 /* Clean up: */
893 usedspace = freespace = 0;
894 return;
897 while (len >= SHA512_BLOCK_LENGTH) {
898 /* Process as many complete blocks as we can */
899 SHA512_Transform(context, (const sha2_word64*)data);
900 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
901 len -= SHA512_BLOCK_LENGTH;
902 data += SHA512_BLOCK_LENGTH;
904 if (len > 0) {
905 /* There's left-overs, so save 'em */
906 bcopy(data, context->buffer, len);
907 ADDINC128(context->bitcount, len << 3);
909 /* Clean up: */
910 usedspace = freespace = 0;
913 void SHA512_Last(SHA512_CTX* context) {
914 unsigned int usedspace;
916 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
917 #if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
918 /* Convert FROM host byte order */
919 REVERSE64(context->bitcount[0],context->bitcount[0]);
920 REVERSE64(context->bitcount[1],context->bitcount[1]);
921 #endif
922 if (usedspace > 0) {
923 /* Begin padding with a 1 bit: */
924 context->buffer[usedspace++] = 0x80;
926 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
927 /* Set-up for the last transform: */
928 bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
929 } else {
930 if (usedspace < SHA512_BLOCK_LENGTH) {
931 bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
933 /* Do second-to-last transform: */
934 SHA512_Transform(context, (sha2_word64*)context->buffer);
936 /* And set-up for the last transform: */
937 bzero(context->buffer, SHA512_BLOCK_LENGTH - 2);
939 } else {
940 /* Prepare for final transform: */
941 bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
943 /* Begin padding with a 1 bit: */
944 *context->buffer = 0x80;
946 /* Store the length of input data (in bits): */
947 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
948 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
950 /* Final transform: */
951 SHA512_Transform(context, (sha2_word64*)context->buffer);
954 void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
955 sha2_word64 *d = (sha2_word64*)digest;
957 /* Sanity check: */
958 assert(context != (SHA512_CTX*)0);
960 /* If no digest buffer is passed, we don't bother doing this: */
961 if (digest != (sha2_byte*)0) {
962 SHA512_Last(context);
964 /* Save the hash data for output: */
965 #if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
967 /* Convert TO host byte order */
968 int j;
969 for (j = 0; j < 8; j++) {
970 REVERSE64(context->state[j],context->state[j]);
971 *d++ = context->state[j];
974 #else
975 bcopy(context->state, d, SHA512_DIGEST_LENGTH);
976 #endif
979 /* Zero out state data */
980 bzero(context, sizeof(context));
983 char *SHA512_End(SHA512_CTX* context, char buffer[]) {
984 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
985 int i;
987 /* Sanity check: */
988 assert(context != (SHA512_CTX*)0);
990 if (buffer != (char*)0) {
991 SHA512_Final(digest, context);
993 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
994 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
995 *buffer++ = sha2_hex_digits[*d & 0x0f];
996 d++;
998 *buffer = (char)0;
999 } else {
1000 bzero(context, sizeof(context));
1002 bzero(digest, SHA512_DIGEST_LENGTH);
1003 return buffer;
1006 char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
1007 SHA512_CTX context;
1009 SHA512_Init(&context);
1010 SHA512_Update(&context, data, len);
1011 return SHA512_End(&context, digest);
1015 /*** SHA-384: *********************************************************/
1016 void SHA384_Init(SHA384_CTX* context) {
1017 if (context == (SHA384_CTX*)0) {
1018 return;
1020 bcopy(sha384_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
1021 bzero(context->buffer, SHA384_BLOCK_LENGTH);
1022 context->bitcount[0] = context->bitcount[1] = 0;
1025 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
1026 SHA512_Update((SHA512_CTX*)context, data, len);
1029 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
1030 sha2_word64 *d = (sha2_word64*)digest;
1032 /* Sanity check: */
1033 assert(context != (SHA384_CTX*)0);
1035 /* If no digest buffer is passed, we don't bother doing this: */
1036 if (digest != (sha2_byte*)0) {
1037 SHA512_Last((SHA512_CTX*)context);
1039 /* Save the hash data for output: */
1040 #if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
1042 /* Convert TO host byte order */
1043 int j;
1044 for (j = 0; j < 6; j++) {
1045 REVERSE64(context->state[j],context->state[j]);
1046 *d++ = context->state[j];
1049 #else
1050 bcopy(context->state, d, SHA384_DIGEST_LENGTH);
1051 #endif
1054 /* Zero out state data */
1055 bzero(context, sizeof(context));
1058 char *SHA384_End(SHA384_CTX* context, char buffer[]) {
1059 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
1060 int i;
1062 /* Sanity check: */
1063 assert(context != (SHA384_CTX*)0);
1065 if (buffer != (char*)0) {
1066 SHA384_Final(digest, context);
1068 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
1069 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
1070 *buffer++ = sha2_hex_digits[*d & 0x0f];
1071 d++;
1073 *buffer = (char)0;
1074 } else {
1075 bzero(context, sizeof(context));
1077 bzero(digest, SHA384_DIGEST_LENGTH);
1078 return buffer;
1081 char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
1082 SHA384_CTX context;
1084 SHA384_Init(&context);
1085 SHA384_Update(&context, data, len);
1086 return SHA384_End(&context, digest);
1089 #endif /* !NO_64BIT */
1092 * $PchId: sha2.c,v 1.1 2005/06/28 14:29:23 philip Exp $