1 /* $NetBSD: sha2.c,v 1.19 2009/08/21 09:40:51 skrll Exp $ */
2 /* $KAME: sha2.c,v 1.9 2003/07/20 00:28:38 itojun Exp $ */
9 * Written by Aaron D. Gifford <me@aarongifford.com>
11 * Copyright 2000 Aaron D. Gifford. All rights reserved.
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. Neither the name of the copyright holder nor the names of contributors
22 * may be used to endorse or promote products derived from this software
23 * without specific prior written permission.
25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 #if HAVE_NBTOOL_CONFIG_H
40 #include "nbtool_config.h"
43 #include <sys/cdefs.h>
45 #if defined(_KERNEL) || defined(_STANDALONE)
46 __KERNEL_RCSID(0, "$NetBSD: sha2.c,v 1.19 2009/08/21 09:40:51 skrll Exp $");
48 #include <sys/param.h> /* XXX: to pull <machine/macros.h> for vax memset(9) */
49 #include <lib/libkern/libkern.h>
53 #if defined(LIBC_SCCS) && !defined(lint)
54 __RCSID("$NetBSD: sha2.c,v 1.19 2009/08/21 09:40:51 skrll Exp $");
55 #endif /* LIBC_SCCS and not lint */
57 #include "namespace.h"
62 #include <sys/types.h>
65 #if HAVE_NBTOOL_CONFIG_H
66 # if HAVE_SYS_ENDIAN_H
67 # include <sys/endian.h>
80 return ((p
[0] << 24) | (p
[1] << 16) | (p
[2] << 8) | p
[3]);
90 u
= ((p
[0] << 24) | (p
[1] << 16) | (p
[2] << 8) | p
[3]);
91 v
= ((p
[4] << 24) | (p
[5] << 16) | (p
[6] << 8) | p
[7]);
93 return ((((uint64_t)u
) << 32) | v
);
110 /*** SHA-256/384/512 Various Length Definitions ***********************/
111 /* NOTE: Most of these are in sha2.h */
112 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
113 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
114 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
117 * Macro for incrementally adding the unsigned 64-bit integer n to the
118 * unsigned 128-bit integer (represented using a two-element array of
121 #define ADDINC128(w,n) { \
122 (w)[0] += (uint64_t)(n); \
123 if ((w)[0] < (n)) { \
128 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
130 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
132 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
133 * S is a ROTATION) because the SHA-256/384/512 description document
134 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
135 * same "backwards" definition.
137 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
138 #define R(b,x) ((x) >> (b))
139 /* 32-bit Rotate-right (used in SHA-256): */
140 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
141 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
142 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
144 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
145 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
146 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
148 /* Four of six logical functions used in SHA-256: */
149 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
150 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
151 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
152 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
154 /* Four of six logical functions used in SHA-384 and SHA-512: */
155 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
156 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
157 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
158 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
160 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
161 /* NOTE: These should not be accessed directly from outside this
162 * library -- they are intended for private internal visibility/use
165 static void SHA512_Last(SHA512_CTX
*);
166 void SHA224_Transform(SHA224_CTX
*, const uint32_t*);
167 void SHA256_Transform(SHA256_CTX
*, const uint32_t*);
168 void SHA384_Transform(SHA384_CTX
*, const uint64_t*);
169 void SHA512_Transform(SHA512_CTX
*, const uint64_t*);
172 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
173 /* Hash constant words K for SHA-256: */
174 static const uint32_t K256
[64] = {
175 0x428a2f98UL
, 0x71374491UL
, 0xb5c0fbcfUL
, 0xe9b5dba5UL
,
176 0x3956c25bUL
, 0x59f111f1UL
, 0x923f82a4UL
, 0xab1c5ed5UL
,
177 0xd807aa98UL
, 0x12835b01UL
, 0x243185beUL
, 0x550c7dc3UL
,
178 0x72be5d74UL
, 0x80deb1feUL
, 0x9bdc06a7UL
, 0xc19bf174UL
,
179 0xe49b69c1UL
, 0xefbe4786UL
, 0x0fc19dc6UL
, 0x240ca1ccUL
,
180 0x2de92c6fUL
, 0x4a7484aaUL
, 0x5cb0a9dcUL
, 0x76f988daUL
,
181 0x983e5152UL
, 0xa831c66dUL
, 0xb00327c8UL
, 0xbf597fc7UL
,
182 0xc6e00bf3UL
, 0xd5a79147UL
, 0x06ca6351UL
, 0x14292967UL
,
183 0x27b70a85UL
, 0x2e1b2138UL
, 0x4d2c6dfcUL
, 0x53380d13UL
,
184 0x650a7354UL
, 0x766a0abbUL
, 0x81c2c92eUL
, 0x92722c85UL
,
185 0xa2bfe8a1UL
, 0xa81a664bUL
, 0xc24b8b70UL
, 0xc76c51a3UL
,
186 0xd192e819UL
, 0xd6990624UL
, 0xf40e3585UL
, 0x106aa070UL
,
187 0x19a4c116UL
, 0x1e376c08UL
, 0x2748774cUL
, 0x34b0bcb5UL
,
188 0x391c0cb3UL
, 0x4ed8aa4aUL
, 0x5b9cca4fUL
, 0x682e6ff3UL
,
189 0x748f82eeUL
, 0x78a5636fUL
, 0x84c87814UL
, 0x8cc70208UL
,
190 0x90befffaUL
, 0xa4506cebUL
, 0xbef9a3f7UL
, 0xc67178f2UL
193 /* Initial hash value H for SHA-224: */
194 static const uint32_t sha224_initial_hash_value
[8] = {
205 /* Initial hash value H for SHA-256: */
206 static const uint32_t sha256_initial_hash_value
[8] = {
217 /* Hash constant words K for SHA-384 and SHA-512: */
218 static const uint64_t K512
[80] = {
219 0x428a2f98d728ae22ULL
, 0x7137449123ef65cdULL
,
220 0xb5c0fbcfec4d3b2fULL
, 0xe9b5dba58189dbbcULL
,
221 0x3956c25bf348b538ULL
, 0x59f111f1b605d019ULL
,
222 0x923f82a4af194f9bULL
, 0xab1c5ed5da6d8118ULL
,
223 0xd807aa98a3030242ULL
, 0x12835b0145706fbeULL
,
224 0x243185be4ee4b28cULL
, 0x550c7dc3d5ffb4e2ULL
,
225 0x72be5d74f27b896fULL
, 0x80deb1fe3b1696b1ULL
,
226 0x9bdc06a725c71235ULL
, 0xc19bf174cf692694ULL
,
227 0xe49b69c19ef14ad2ULL
, 0xefbe4786384f25e3ULL
,
228 0x0fc19dc68b8cd5b5ULL
, 0x240ca1cc77ac9c65ULL
,
229 0x2de92c6f592b0275ULL
, 0x4a7484aa6ea6e483ULL
,
230 0x5cb0a9dcbd41fbd4ULL
, 0x76f988da831153b5ULL
,
231 0x983e5152ee66dfabULL
, 0xa831c66d2db43210ULL
,
232 0xb00327c898fb213fULL
, 0xbf597fc7beef0ee4ULL
,
233 0xc6e00bf33da88fc2ULL
, 0xd5a79147930aa725ULL
,
234 0x06ca6351e003826fULL
, 0x142929670a0e6e70ULL
,
235 0x27b70a8546d22ffcULL
, 0x2e1b21385c26c926ULL
,
236 0x4d2c6dfc5ac42aedULL
, 0x53380d139d95b3dfULL
,
237 0x650a73548baf63deULL
, 0x766a0abb3c77b2a8ULL
,
238 0x81c2c92e47edaee6ULL
, 0x92722c851482353bULL
,
239 0xa2bfe8a14cf10364ULL
, 0xa81a664bbc423001ULL
,
240 0xc24b8b70d0f89791ULL
, 0xc76c51a30654be30ULL
,
241 0xd192e819d6ef5218ULL
, 0xd69906245565a910ULL
,
242 0xf40e35855771202aULL
, 0x106aa07032bbd1b8ULL
,
243 0x19a4c116b8d2d0c8ULL
, 0x1e376c085141ab53ULL
,
244 0x2748774cdf8eeb99ULL
, 0x34b0bcb5e19b48a8ULL
,
245 0x391c0cb3c5c95a63ULL
, 0x4ed8aa4ae3418acbULL
,
246 0x5b9cca4f7763e373ULL
, 0x682e6ff3d6b2b8a3ULL
,
247 0x748f82ee5defb2fcULL
, 0x78a5636f43172f60ULL
,
248 0x84c87814a1f0ab72ULL
, 0x8cc702081a6439ecULL
,
249 0x90befffa23631e28ULL
, 0xa4506cebde82bde9ULL
,
250 0xbef9a3f7b2c67915ULL
, 0xc67178f2e372532bULL
,
251 0xca273eceea26619cULL
, 0xd186b8c721c0c207ULL
,
252 0xeada7dd6cde0eb1eULL
, 0xf57d4f7fee6ed178ULL
,
253 0x06f067aa72176fbaULL
, 0x0a637dc5a2c898a6ULL
,
254 0x113f9804bef90daeULL
, 0x1b710b35131c471bULL
,
255 0x28db77f523047d84ULL
, 0x32caab7b40c72493ULL
,
256 0x3c9ebe0a15c9bebcULL
, 0x431d67c49c100d4cULL
,
257 0x4cc5d4becb3e42b6ULL
, 0x597f299cfc657e2aULL
,
258 0x5fcb6fab3ad6faecULL
, 0x6c44198c4a475817ULL
261 /* Initial hash value H for SHA-384 */
262 static const uint64_t sha384_initial_hash_value
[8] = {
263 0xcbbb9d5dc1059ed8ULL
,
264 0x629a292a367cd507ULL
,
265 0x9159015a3070dd17ULL
,
266 0x152fecd8f70e5939ULL
,
267 0x67332667ffc00b31ULL
,
268 0x8eb44a8768581511ULL
,
269 0xdb0c2e0d64f98fa7ULL
,
270 0x47b5481dbefa4fa4ULL
273 /* Initial hash value H for SHA-512 */
274 static const uint64_t sha512_initial_hash_value
[8] = {
275 0x6a09e667f3bcc908ULL
,
276 0xbb67ae8584caa73bULL
,
277 0x3c6ef372fe94f82bULL
,
278 0xa54ff53a5f1d36f1ULL
,
279 0x510e527fade682d1ULL
,
280 0x9b05688c2b3e6c1fULL
,
281 0x1f83d9abfb41bd6bULL
,
282 0x5be0cd19137e2179ULL
285 #if !defined(_KERNEL) && !defined(_STANDALONE)
286 #if defined(__weak_alias)
287 __weak_alias(SHA224_Init
,_SHA224_Init
)
288 __weak_alias(SHA224_Update
,_SHA224_Update
)
289 __weak_alias(SHA224_Final
,_SHA224_Final
)
290 __weak_alias(SHA224_Transform
,_SHA224_Transform
)
292 __weak_alias(SHA256_Init
,_SHA256_Init
)
293 __weak_alias(SHA256_Update
,_SHA256_Update
)
294 __weak_alias(SHA256_Final
,_SHA256_Final
)
295 __weak_alias(SHA256_Transform
,_SHA256_Transform
)
297 __weak_alias(SHA384_Init
,_SHA384_Init
)
298 __weak_alias(SHA384_Update
,_SHA384_Update
)
299 __weak_alias(SHA384_Final
,_SHA384_Final
)
300 __weak_alias(SHA384_Transform
,_SHA384_Transform
)
302 __weak_alias(SHA512_Init
,_SHA512_Init
)
303 __weak_alias(SHA512_Update
,_SHA512_Update
)
304 __weak_alias(SHA512_Final
,_SHA512_Final
)
305 __weak_alias(SHA512_Transform
,_SHA512_Transform
)
309 /*** SHA-256: *********************************************************/
311 SHA256_Init(SHA256_CTX
*context
)
316 memcpy(context
->state
, sha256_initial_hash_value
,
317 (size_t)(SHA256_DIGEST_LENGTH
));
318 memset(context
->buffer
, 0, (size_t)(SHA256_BLOCK_LENGTH
));
319 context
->bitcount
= 0;
324 #ifdef SHA2_UNROLL_TRANSFORM
326 /* Unrolled SHA-256 round macros: */
328 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
329 W256[j] = be32toh(*data); \
331 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
334 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
337 #define ROUND256(a,b,c,d,e,f,g,h) \
338 s0 = W256[(j+1)&0x0f]; \
339 s0 = sigma0_256(s0); \
340 s1 = W256[(j+14)&0x0f]; \
341 s1 = sigma1_256(s1); \
342 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
343 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
345 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
349 SHA256_Transform(SHA256_CTX
*context
, const uint32_t *data
)
351 uint32_t a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
355 W256
= (uint32_t *)context
->buffer
;
357 /* Initialize registers with the prev. intermediate value */
358 a
= context
->state
[0];
359 b
= context
->state
[1];
360 c
= context
->state
[2];
361 d
= context
->state
[3];
362 e
= context
->state
[4];
363 f
= context
->state
[5];
364 g
= context
->state
[6];
365 h
= context
->state
[7];
369 /* Rounds 0 to 15 (unrolled): */
370 ROUND256_0_TO_15(a
,b
,c
,d
,e
,f
,g
,h
);
371 ROUND256_0_TO_15(h
,a
,b
,c
,d
,e
,f
,g
);
372 ROUND256_0_TO_15(g
,h
,a
,b
,c
,d
,e
,f
);
373 ROUND256_0_TO_15(f
,g
,h
,a
,b
,c
,d
,e
);
374 ROUND256_0_TO_15(e
,f
,g
,h
,a
,b
,c
,d
);
375 ROUND256_0_TO_15(d
,e
,f
,g
,h
,a
,b
,c
);
376 ROUND256_0_TO_15(c
,d
,e
,f
,g
,h
,a
,b
);
377 ROUND256_0_TO_15(b
,c
,d
,e
,f
,g
,h
,a
);
380 /* Now for the remaining rounds to 64: */
382 ROUND256(a
,b
,c
,d
,e
,f
,g
,h
);
383 ROUND256(h
,a
,b
,c
,d
,e
,f
,g
);
384 ROUND256(g
,h
,a
,b
,c
,d
,e
,f
);
385 ROUND256(f
,g
,h
,a
,b
,c
,d
,e
);
386 ROUND256(e
,f
,g
,h
,a
,b
,c
,d
);
387 ROUND256(d
,e
,f
,g
,h
,a
,b
,c
);
388 ROUND256(c
,d
,e
,f
,g
,h
,a
,b
);
389 ROUND256(b
,c
,d
,e
,f
,g
,h
,a
);
392 /* Compute the current intermediate hash value */
393 context
->state
[0] += a
;
394 context
->state
[1] += b
;
395 context
->state
[2] += c
;
396 context
->state
[3] += d
;
397 context
->state
[4] += e
;
398 context
->state
[5] += f
;
399 context
->state
[6] += g
;
400 context
->state
[7] += h
;
403 a
= b
= c
= d
= e
= f
= g
= h
= T1
= 0;
406 #else /* SHA2_UNROLL_TRANSFORM */
409 SHA256_Transform(SHA256_CTX
*context
, const uint32_t *data
)
411 uint32_t a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
412 uint32_t T1
, T2
, *W256
;
415 W256
= (uint32_t *)(void *)context
->buffer
;
417 /* Initialize registers with the prev. intermediate value */
418 a
= context
->state
[0];
419 b
= context
->state
[1];
420 c
= context
->state
[2];
421 d
= context
->state
[3];
422 e
= context
->state
[4];
423 f
= context
->state
[5];
424 g
= context
->state
[6];
425 h
= context
->state
[7];
429 W256
[j
] = be32toh(*data
);
431 /* Apply the SHA-256 compression function to update a..h */
432 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] + W256
[j
];
433 T2
= Sigma0_256(a
) + Maj(a
, b
, c
);
447 /* Part of the message block expansion: */
448 s0
= W256
[(j
+1)&0x0f];
450 s1
= W256
[(j
+14)&0x0f];
453 /* Apply the SHA-256 compression function to update a..h */
454 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] +
455 (W256
[j
&0x0f] += s1
+ W256
[(j
+9)&0x0f] + s0
);
456 T2
= Sigma0_256(a
) + Maj(a
, b
, c
);
469 /* Compute the current intermediate hash value */
470 context
->state
[0] += a
;
471 context
->state
[1] += b
;
472 context
->state
[2] += c
;
473 context
->state
[3] += d
;
474 context
->state
[4] += e
;
475 context
->state
[5] += f
;
476 context
->state
[6] += g
;
477 context
->state
[7] += h
;
480 a
= b
= c
= d
= e
= f
= g
= h
= T1
= T2
= 0;
483 #endif /* SHA2_UNROLL_TRANSFORM */
486 SHA256_Update(SHA256_CTX
*context
, const uint8_t *data
, size_t len
)
488 unsigned int freespace
, usedspace
;
491 /* Calling with no data is valid - we do nothing */
495 usedspace
= (unsigned int)((context
->bitcount
>> 3) %
496 SHA256_BLOCK_LENGTH
);
498 /* Calculate how much free space is available in the buffer */
499 freespace
= SHA256_BLOCK_LENGTH
- usedspace
;
501 if (len
>= freespace
) {
502 /* Fill the buffer completely and process it */
503 memcpy(&context
->buffer
[usedspace
], data
,
504 (size_t)(freespace
));
505 context
->bitcount
+= freespace
<< 3;
508 SHA256_Transform(context
,
509 (uint32_t *)(void *)context
->buffer
);
511 /* The buffer is not yet full */
512 memcpy(&context
->buffer
[usedspace
], data
, len
);
513 context
->bitcount
+= len
<< 3;
515 usedspace
= freespace
= 0;
520 * Process as many complete blocks as possible.
522 * Check alignment of the data pointer. If it is 32bit aligned,
523 * SHA256_Transform can be called directly on the data stream,
524 * otherwise enforce the alignment by copy into the buffer.
526 if ((uintptr_t)data
% 4 == 0) {
527 while (len
>= SHA256_BLOCK_LENGTH
) {
528 SHA256_Transform(context
,
529 (const uint32_t *)(const void *)data
);
530 context
->bitcount
+= SHA256_BLOCK_LENGTH
<< 3;
531 len
-= SHA256_BLOCK_LENGTH
;
532 data
+= SHA256_BLOCK_LENGTH
;
535 while (len
>= SHA256_BLOCK_LENGTH
) {
536 memcpy(context
->buffer
, data
, SHA256_BLOCK_LENGTH
);
537 SHA256_Transform(context
,
538 (const uint32_t *)(const void *)context
->buffer
);
539 context
->bitcount
+= SHA256_BLOCK_LENGTH
<< 3;
540 len
-= SHA256_BLOCK_LENGTH
;
541 data
+= SHA256_BLOCK_LENGTH
;
545 /* There's left-overs, so save 'em */
546 memcpy(context
->buffer
, data
, len
);
547 context
->bitcount
+= len
<< 3;
550 usedspace
= freespace
= 0;
556 SHA224_256_Final(uint8_t digest
[], SHA256_CTX
*context
, size_t len
)
558 uint32_t *d
= (void *)digest
;
559 unsigned int usedspace
;
562 /* If no digest buffer is passed, we don't bother doing this: */
563 if (digest
!= NULL
) {
564 usedspace
= (unsigned int)((context
->bitcount
>> 3) %
565 SHA256_BLOCK_LENGTH
);
566 context
->bitcount
= htobe64(context
->bitcount
);
568 /* Begin padding with a 1 bit: */
569 context
->buffer
[usedspace
++] = 0x80;
571 if (usedspace
<= SHA256_SHORT_BLOCK_LENGTH
) {
572 /* Set-up for the last transform: */
573 memset(&context
->buffer
[usedspace
], 0,
574 (size_t)(SHA256_SHORT_BLOCK_LENGTH
-
577 if (usedspace
< SHA256_BLOCK_LENGTH
) {
578 memset(&context
->buffer
[usedspace
], 0,
579 (size_t)(SHA256_BLOCK_LENGTH
-
582 /* Do second-to-last transform: */
583 SHA256_Transform(context
,
584 (uint32_t *)(void *)context
->buffer
);
586 /* And set-up for the last transform: */
587 memset(context
->buffer
, 0,
588 (size_t)(SHA256_SHORT_BLOCK_LENGTH
));
591 /* Set-up for the last transform: */
592 memset(context
->buffer
, 0,
593 (size_t)(SHA256_SHORT_BLOCK_LENGTH
));
595 /* Begin padding with a 1 bit: */
596 *context
->buffer
= 0x80;
598 /* Set the bit count: */
599 memcpy(&context
->buffer
[SHA256_SHORT_BLOCK_LENGTH
],
600 &context
->bitcount
, sizeof(context
->bitcount
));
602 /* Final transform: */
603 SHA256_Transform(context
, (uint32_t *)(void *)context
->buffer
);
605 for (i
= 0; i
< len
/ 4; i
++)
606 d
[i
] = htobe32(context
->state
[i
]);
609 /* Clean up state data: */
610 memset(context
, 0, sizeof(*context
));
617 SHA256_Final(uint8_t digest
[], SHA256_CTX
*context
)
619 return SHA224_256_Final(digest
, context
, SHA256_DIGEST_LENGTH
);
622 /*** SHA-224: *********************************************************/
624 SHA224_Init(SHA224_CTX
*context
)
629 /* The state and buffer size are driven by SHA256, not by SHA224. */
630 memcpy(context
->state
, sha224_initial_hash_value
,
631 (size_t)(SHA256_DIGEST_LENGTH
));
632 memset(context
->buffer
, 0, (size_t)(SHA256_BLOCK_LENGTH
));
633 context
->bitcount
= 0;
639 SHA224_Update(SHA224_CTX
*context
, const uint8_t *data
, size_t len
)
641 return SHA256_Update((SHA256_CTX
*)context
, data
, len
);
645 SHA224_Transform(SHA224_CTX
*context
, const uint32_t *data
)
647 SHA256_Transform((SHA256_CTX
*)context
, data
);
651 SHA224_Final(uint8_t digest
[], SHA224_CTX
*context
)
653 return SHA224_256_Final(digest
, (SHA256_CTX
*)context
,
654 SHA224_DIGEST_LENGTH
);
657 /*** SHA-512: *********************************************************/
659 SHA512_Init(SHA512_CTX
*context
)
664 memcpy(context
->state
, sha512_initial_hash_value
,
665 (size_t)(SHA512_DIGEST_LENGTH
));
666 memset(context
->buffer
, 0, (size_t)(SHA512_BLOCK_LENGTH
));
667 context
->bitcount
[0] = context
->bitcount
[1] = 0;
672 #ifdef SHA2_UNROLL_TRANSFORM
674 /* Unrolled SHA-512 round macros: */
675 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
676 W512[j] = be64toh(*data); \
678 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
681 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
684 #define ROUND512(a,b,c,d,e,f,g,h) \
685 s0 = W512[(j+1)&0x0f]; \
686 s0 = sigma0_512(s0); \
687 s1 = W512[(j+14)&0x0f]; \
688 s1 = sigma1_512(s1); \
689 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
690 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
692 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
696 SHA512_Transform(SHA512_CTX
*context
, const uint64_t *data
)
698 uint64_t a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
699 uint64_t T1
, *W512
= (uint64_t *)context
->buffer
;
702 /* Initialize registers with the prev. intermediate value */
703 a
= context
->state
[0];
704 b
= context
->state
[1];
705 c
= context
->state
[2];
706 d
= context
->state
[3];
707 e
= context
->state
[4];
708 f
= context
->state
[5];
709 g
= context
->state
[6];
710 h
= context
->state
[7];
714 ROUND512_0_TO_15(a
,b
,c
,d
,e
,f
,g
,h
);
715 ROUND512_0_TO_15(h
,a
,b
,c
,d
,e
,f
,g
);
716 ROUND512_0_TO_15(g
,h
,a
,b
,c
,d
,e
,f
);
717 ROUND512_0_TO_15(f
,g
,h
,a
,b
,c
,d
,e
);
718 ROUND512_0_TO_15(e
,f
,g
,h
,a
,b
,c
,d
);
719 ROUND512_0_TO_15(d
,e
,f
,g
,h
,a
,b
,c
);
720 ROUND512_0_TO_15(c
,d
,e
,f
,g
,h
,a
,b
);
721 ROUND512_0_TO_15(b
,c
,d
,e
,f
,g
,h
,a
);
724 /* Now for the remaining rounds up to 79: */
726 ROUND512(a
,b
,c
,d
,e
,f
,g
,h
);
727 ROUND512(h
,a
,b
,c
,d
,e
,f
,g
);
728 ROUND512(g
,h
,a
,b
,c
,d
,e
,f
);
729 ROUND512(f
,g
,h
,a
,b
,c
,d
,e
);
730 ROUND512(e
,f
,g
,h
,a
,b
,c
,d
);
731 ROUND512(d
,e
,f
,g
,h
,a
,b
,c
);
732 ROUND512(c
,d
,e
,f
,g
,h
,a
,b
);
733 ROUND512(b
,c
,d
,e
,f
,g
,h
,a
);
736 /* Compute the current intermediate hash value */
737 context
->state
[0] += a
;
738 context
->state
[1] += b
;
739 context
->state
[2] += c
;
740 context
->state
[3] += d
;
741 context
->state
[4] += e
;
742 context
->state
[5] += f
;
743 context
->state
[6] += g
;
744 context
->state
[7] += h
;
747 a
= b
= c
= d
= e
= f
= g
= h
= T1
= 0;
750 #else /* SHA2_UNROLL_TRANSFORM */
753 SHA512_Transform(SHA512_CTX
*context
, const uint64_t *data
)
755 uint64_t a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
756 uint64_t T1
, T2
, *W512
= (void *)context
->buffer
;
759 /* Initialize registers with the prev. intermediate value */
760 a
= context
->state
[0];
761 b
= context
->state
[1];
762 c
= context
->state
[2];
763 d
= context
->state
[3];
764 e
= context
->state
[4];
765 f
= context
->state
[5];
766 g
= context
->state
[6];
767 h
= context
->state
[7];
771 W512
[j
] = be64toh(*data
);
773 /* Apply the SHA-512 compression function to update a..h */
774 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] + W512
[j
];
775 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
789 /* Part of the message block expansion: */
790 s0
= W512
[(j
+1)&0x0f];
792 s1
= W512
[(j
+14)&0x0f];
795 /* Apply the SHA-512 compression function to update a..h */
796 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] +
797 (W512
[j
&0x0f] += s1
+ W512
[(j
+9)&0x0f] + s0
);
798 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
811 /* Compute the current intermediate hash value */
812 context
->state
[0] += a
;
813 context
->state
[1] += b
;
814 context
->state
[2] += c
;
815 context
->state
[3] += d
;
816 context
->state
[4] += e
;
817 context
->state
[5] += f
;
818 context
->state
[6] += g
;
819 context
->state
[7] += h
;
822 a
= b
= c
= d
= e
= f
= g
= h
= T1
= T2
= 0;
825 #endif /* SHA2_UNROLL_TRANSFORM */
828 SHA512_Update(SHA512_CTX
*context
, const uint8_t *data
, size_t len
)
830 unsigned int freespace
, usedspace
;
833 /* Calling with no data is valid - we do nothing */
837 usedspace
= (unsigned int)((context
->bitcount
[0] >> 3) %
838 SHA512_BLOCK_LENGTH
);
840 /* Calculate how much free space is available in the buffer */
841 freespace
= SHA512_BLOCK_LENGTH
- usedspace
;
843 if (len
>= freespace
) {
844 /* Fill the buffer completely and process it */
845 memcpy(&context
->buffer
[usedspace
], data
,
846 (size_t)(freespace
));
847 ADDINC128(context
->bitcount
, freespace
<< 3);
850 SHA512_Transform(context
,
851 (uint64_t *)(void *)context
->buffer
);
853 /* The buffer is not yet full */
854 memcpy(&context
->buffer
[usedspace
], data
, len
);
855 ADDINC128(context
->bitcount
, len
<< 3);
857 usedspace
= freespace
= 0;
862 * Process as many complete blocks as possible.
864 * Check alignment of the data pointer. If it is 64bit aligned,
865 * SHA512_Transform can be called directly on the data stream,
866 * otherwise enforce the alignment by copy into the buffer.
868 if ((uintptr_t)data
% 8 == 0) {
869 while (len
>= SHA512_BLOCK_LENGTH
) {
870 SHA512_Transform(context
,
871 (const uint64_t*)(const void *)data
);
872 ADDINC128(context
->bitcount
, SHA512_BLOCK_LENGTH
<< 3);
873 len
-= SHA512_BLOCK_LENGTH
;
874 data
+= SHA512_BLOCK_LENGTH
;
877 while (len
>= SHA512_BLOCK_LENGTH
) {
878 memcpy(context
->buffer
, data
, SHA512_BLOCK_LENGTH
);
879 SHA512_Transform(context
,
880 (const void *)context
->buffer
);
881 ADDINC128(context
->bitcount
, SHA512_BLOCK_LENGTH
<< 3);
882 len
-= SHA512_BLOCK_LENGTH
;
883 data
+= SHA512_BLOCK_LENGTH
;
887 /* There's left-overs, so save 'em */
888 memcpy(context
->buffer
, data
, len
);
889 ADDINC128(context
->bitcount
, len
<< 3);
892 usedspace
= freespace
= 0;
898 SHA512_Last(SHA512_CTX
*context
)
900 unsigned int usedspace
;
902 usedspace
= (unsigned int)((context
->bitcount
[0] >> 3) % SHA512_BLOCK_LENGTH
);
903 context
->bitcount
[0] = htobe64(context
->bitcount
[0]);
904 context
->bitcount
[1] = htobe64(context
->bitcount
[1]);
906 /* Begin padding with a 1 bit: */
907 context
->buffer
[usedspace
++] = 0x80;
909 if (usedspace
<= SHA512_SHORT_BLOCK_LENGTH
) {
910 /* Set-up for the last transform: */
911 memset(&context
->buffer
[usedspace
], 0,
912 (size_t)(SHA512_SHORT_BLOCK_LENGTH
- usedspace
));
914 if (usedspace
< SHA512_BLOCK_LENGTH
) {
915 memset(&context
->buffer
[usedspace
], 0,
916 (size_t)(SHA512_BLOCK_LENGTH
- usedspace
));
918 /* Do second-to-last transform: */
919 SHA512_Transform(context
,
920 (uint64_t *)(void *)context
->buffer
);
922 /* And set-up for the last transform: */
923 memset(context
->buffer
, 0,
924 (size_t)(SHA512_BLOCK_LENGTH
- 2));
927 /* Prepare for final transform: */
928 memset(context
->buffer
, 0, (size_t)(SHA512_SHORT_BLOCK_LENGTH
));
930 /* Begin padding with a 1 bit: */
931 *context
->buffer
= 0x80;
933 /* Store the length of input data (in bits): */
934 memcpy(&context
->buffer
[SHA512_SHORT_BLOCK_LENGTH
],
935 &context
->bitcount
[1], sizeof(context
->bitcount
[1]));
936 memcpy(&context
->buffer
[SHA512_SHORT_BLOCK_LENGTH
+ 8],
937 &context
->bitcount
[0], sizeof(context
->bitcount
[0]));
939 /* Final transform: */
940 SHA512_Transform(context
, (uint64_t *)(void *)context
->buffer
);
944 SHA512_Final(uint8_t digest
[], SHA512_CTX
*context
)
948 /* If no digest buffer is passed, we don't bother doing this: */
949 if (digest
!= NULL
) {
950 SHA512_Last(context
);
952 /* Save the hash data for output: */
953 for (i
= 0; i
< 8; ++i
)
954 be64enc(digest
+ 8 * i
, context
->state
[i
]);
957 /* Zero out state data */
958 memset(context
, 0, sizeof(*context
));
963 /*** SHA-384: *********************************************************/
965 SHA384_Init(SHA384_CTX
*context
)
970 memcpy(context
->state
, sha384_initial_hash_value
,
971 (size_t)(SHA512_DIGEST_LENGTH
));
972 memset(context
->buffer
, 0, (size_t)(SHA384_BLOCK_LENGTH
));
973 context
->bitcount
[0] = context
->bitcount
[1] = 0;
979 SHA384_Update(SHA384_CTX
*context
, const uint8_t *data
, size_t len
)
981 return SHA512_Update((SHA512_CTX
*)context
, data
, len
);
985 SHA384_Transform(SHA512_CTX
*context
, const uint64_t *data
)
987 SHA512_Transform((SHA512_CTX
*)context
, data
);
991 SHA384_Final(uint8_t digest
[], SHA384_CTX
*context
)
993 uint64_t *d
= (void *)digest
;
996 /* If no digest buffer is passed, we don't bother doing this: */
997 if (digest
!= NULL
) {
998 SHA512_Last((SHA512_CTX
*)context
);
1000 /* Save the hash data for output: */
1001 for (i
= 0; i
< 6; ++i
)
1002 d
[i
] = be64toh(context
->state
[i
]);
1005 /* Zero out state data */
1006 memset(context
, 0, sizeof(*context
));