3 * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/
5 * Copyright (c) 2000-2001, Aaron D. Gifford
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the copyright holder nor the names of contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
41 * Some sanity checking code is included using assert(). On my FreeBSD
42 * system, this additional code can be removed by compiling with NDEBUG
43 * defined. Check your own systems manpage on assert() to see how to
44 * compile WITHOUT the sanity checking code on your system.
46 * UNROLLED TRANSFORM LOOP NOTE:
47 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
48 * loop version for the hash transform rounds (defined using macros
49 * later in this file). Either define on the command line, for example:
51 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
55 * #define SHA2_UNROLL_TRANSFORM
59 /*** SHA-256/384/512 Various Length Definitions ***********************/
60 /* NOTE: Most of these are in sha2.h */
61 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
62 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
63 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
65 #define SHA2_WORD64_CONST(dw1, dw2) (((sha2_word64)(dw1) << 32) | (dw2))
67 /*** ENDIAN REVERSAL MACROS *******************************************/
68 #ifndef WORDS_BIGENDIAN
69 #define REVERSE32(w,x) { \
70 sha2_word32 tmp = (w); \
71 tmp = (tmp >> 16) | (tmp << 16); \
72 (x) = ((tmp & 0xff00ff00) >> 8) | ((tmp & 0x00ff00ff) << 8); \
74 #define REVERSE64(w,x) { \
75 sha2_word64 tmp = (w); \
76 tmp = (tmp >> 32) | (tmp << 32); \
77 tmp = ((tmp & SHA2_WORD64_CONST(0xff00ff00, 0xff00ff00)) >> 8) | \
78 ((tmp & SHA2_WORD64_CONST(0x00ff00ff, 0x00ff00ff)) << 8); \
79 (x) = ((tmp & SHA2_WORD64_CONST(0xffff0000, 0xffff0000)) >> 16) | \
80 ((tmp & SHA2_WORD64_CONST(0x0000ffff, 0x0000ffff)) << 16); \
85 * Macro for incrementally adding the unsigned 64-bit integer n to the
86 * unsigned 128-bit integer (represented using a two-element array of
89 #define ADDINC128(w,n) { \
90 (w)[0] += (sha2_word64)(n); \
97 * Macros for copying blocks of memory and for zeroing out ranges
98 * of memory. Using these macros makes it easy to switch from
99 * using memset()/memcpy() and using bzero()/bcopy().
101 * Please define either SHA2_USE_MEMSET_MEMCPY or define
102 * SHA2_USE_BZERO_BCOPY depending on which function set you
105 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
106 /* Default to memset()/memcpy() if no option is specified */
107 #define SHA2_USE_MEMSET_MEMCPY 1
109 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
110 /* Abort with an error if BOTH options are defined */
111 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
114 #ifdef SHA2_USE_MEMSET_MEMCPY
115 #define MEMSET_BZERO(p,l) memset((p), 0, (l))
116 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
118 #ifdef SHA2_USE_BZERO_BCOPY
119 #define MEMSET_BZERO(p,l) bzero((p), (l))
120 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
124 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
126 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
128 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
129 * S is a ROTATION) because the SHA-256/384/512 description document
130 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
131 * same "backwards" definition.
133 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
134 #define R(b,x) ((x) >> (b))
135 /* 32-bit Rotate-right (used in SHA-256): */
136 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
137 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
138 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
140 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
141 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
142 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
144 /* Four of six logical functions used in SHA-256: */
145 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
146 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
147 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
148 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
150 /* Four of six logical functions used in SHA-384 and SHA-512: */
151 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
152 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
153 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
154 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
156 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
157 /* NOTE: These should not be accessed directly from outside this
158 * library -- they are intended for private internal visibility/use
161 void SHA512_Last(SHA512_CTX
*);
162 void SHA256_Transform(SHA256_CTX
*, const sha2_word32
*);
163 void SHA512_Transform(SHA512_CTX
*, const sha2_word64
*);
166 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
167 /* Hash constant words K for SHA-256: */
168 static const sha2_word32 K256
[64] = {
169 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
170 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
171 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
172 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
173 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc,
174 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
175 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7,
176 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
177 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
178 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
179 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3,
180 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
181 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5,
182 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
183 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
184 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
187 /* Initial hash value H for SHA-256: */
188 static const sha2_word32 sha256_initial_hash_value
[8] = {
199 /* Hash constant words K for SHA-384 and SHA-512: */
200 static const sha2_word64 K512
[80] = {
201 SHA2_WORD64_CONST(0x428a2f98, 0xd728ae22), SHA2_WORD64_CONST(0x71374491, 0x23ef65cd),
202 SHA2_WORD64_CONST(0xb5c0fbcf, 0xec4d3b2f), SHA2_WORD64_CONST(0xe9b5dba5, 0x8189dbbc),
203 SHA2_WORD64_CONST(0x3956c25b, 0xf348b538), SHA2_WORD64_CONST(0x59f111f1, 0xb605d019),
204 SHA2_WORD64_CONST(0x923f82a4, 0xaf194f9b), SHA2_WORD64_CONST(0xab1c5ed5, 0xda6d8118),
205 SHA2_WORD64_CONST(0xd807aa98, 0xa3030242), SHA2_WORD64_CONST(0x12835b01, 0x45706fbe),
206 SHA2_WORD64_CONST(0x243185be, 0x4ee4b28c), SHA2_WORD64_CONST(0x550c7dc3, 0xd5ffb4e2),
207 SHA2_WORD64_CONST(0x72be5d74, 0xf27b896f), SHA2_WORD64_CONST(0x80deb1fe, 0x3b1696b1),
208 SHA2_WORD64_CONST(0x9bdc06a7, 0x25c71235), SHA2_WORD64_CONST(0xc19bf174, 0xcf692694),
209 SHA2_WORD64_CONST(0xe49b69c1, 0x9ef14ad2), SHA2_WORD64_CONST(0xefbe4786, 0x384f25e3),
210 SHA2_WORD64_CONST(0x0fc19dc6, 0x8b8cd5b5), SHA2_WORD64_CONST(0x240ca1cc, 0x77ac9c65),
211 SHA2_WORD64_CONST(0x2de92c6f, 0x592b0275), SHA2_WORD64_CONST(0x4a7484aa, 0x6ea6e483),
212 SHA2_WORD64_CONST(0x5cb0a9dc, 0xbd41fbd4), SHA2_WORD64_CONST(0x76f988da, 0x831153b5),
213 SHA2_WORD64_CONST(0x983e5152, 0xee66dfab), SHA2_WORD64_CONST(0xa831c66d, 0x2db43210),
214 SHA2_WORD64_CONST(0xb00327c8, 0x98fb213f), SHA2_WORD64_CONST(0xbf597fc7, 0xbeef0ee4),
215 SHA2_WORD64_CONST(0xc6e00bf3, 0x3da88fc2), SHA2_WORD64_CONST(0xd5a79147, 0x930aa725),
216 SHA2_WORD64_CONST(0x06ca6351, 0xe003826f), SHA2_WORD64_CONST(0x14292967, 0x0a0e6e70),
217 SHA2_WORD64_CONST(0x27b70a85, 0x46d22ffc), SHA2_WORD64_CONST(0x2e1b2138, 0x5c26c926),
218 SHA2_WORD64_CONST(0x4d2c6dfc, 0x5ac42aed), SHA2_WORD64_CONST(0x53380d13, 0x9d95b3df),
219 SHA2_WORD64_CONST(0x650a7354, 0x8baf63de), SHA2_WORD64_CONST(0x766a0abb, 0x3c77b2a8),
220 SHA2_WORD64_CONST(0x81c2c92e, 0x47edaee6), SHA2_WORD64_CONST(0x92722c85, 0x1482353b),
221 SHA2_WORD64_CONST(0xa2bfe8a1, 0x4cf10364), SHA2_WORD64_CONST(0xa81a664b, 0xbc423001),
222 SHA2_WORD64_CONST(0xc24b8b70, 0xd0f89791), SHA2_WORD64_CONST(0xc76c51a3, 0x0654be30),
223 SHA2_WORD64_CONST(0xd192e819, 0xd6ef5218), SHA2_WORD64_CONST(0xd6990624, 0x5565a910),
224 SHA2_WORD64_CONST(0xf40e3585, 0x5771202a), SHA2_WORD64_CONST(0x106aa070, 0x32bbd1b8),
225 SHA2_WORD64_CONST(0x19a4c116, 0xb8d2d0c8), SHA2_WORD64_CONST(0x1e376c08, 0x5141ab53),
226 SHA2_WORD64_CONST(0x2748774c, 0xdf8eeb99), SHA2_WORD64_CONST(0x34b0bcb5, 0xe19b48a8),
227 SHA2_WORD64_CONST(0x391c0cb3, 0xc5c95a63), SHA2_WORD64_CONST(0x4ed8aa4a, 0xe3418acb),
228 SHA2_WORD64_CONST(0x5b9cca4f, 0x7763e373), SHA2_WORD64_CONST(0x682e6ff3, 0xd6b2b8a3),
229 SHA2_WORD64_CONST(0x748f82ee, 0x5defb2fc), SHA2_WORD64_CONST(0x78a5636f, 0x43172f60),
230 SHA2_WORD64_CONST(0x84c87814, 0xa1f0ab72), SHA2_WORD64_CONST(0x8cc70208, 0x1a6439ec),
231 SHA2_WORD64_CONST(0x90befffa, 0x23631e28), SHA2_WORD64_CONST(0xa4506ceb, 0xde82bde9),
232 SHA2_WORD64_CONST(0xbef9a3f7, 0xb2c67915), SHA2_WORD64_CONST(0xc67178f2, 0xe372532b),
233 SHA2_WORD64_CONST(0xca273ece, 0xea26619c), SHA2_WORD64_CONST(0xd186b8c7, 0x21c0c207),
234 SHA2_WORD64_CONST(0xeada7dd6, 0xcde0eb1e), SHA2_WORD64_CONST(0xf57d4f7f, 0xee6ed178),
235 SHA2_WORD64_CONST(0x06f067aa, 0x72176fba), SHA2_WORD64_CONST(0x0a637dc5, 0xa2c898a6),
236 SHA2_WORD64_CONST(0x113f9804, 0xbef90dae), SHA2_WORD64_CONST(0x1b710b35, 0x131c471b),
237 SHA2_WORD64_CONST(0x28db77f5, 0x23047d84), SHA2_WORD64_CONST(0x32caab7b, 0x40c72493),
238 SHA2_WORD64_CONST(0x3c9ebe0a, 0x15c9bebc), SHA2_WORD64_CONST(0x431d67c4, 0x9c100d4c),
239 SHA2_WORD64_CONST(0x4cc5d4be, 0xcb3e42b6), SHA2_WORD64_CONST(0x597f299c, 0xfc657e2a),
240 SHA2_WORD64_CONST(0x5fcb6fab, 0x3ad6faec), SHA2_WORD64_CONST(0x6c44198c, 0x4a475817)
243 /* Initial hash value H for SHA-384 */
244 static const sha2_word64 sha384_initial_hash_value
[8] = {
245 SHA2_WORD64_CONST(0xcbbb9d5d, 0xc1059ed8),
246 SHA2_WORD64_CONST(0x629a292a, 0x367cd507),
247 SHA2_WORD64_CONST(0x9159015a, 0x3070dd17),
248 SHA2_WORD64_CONST(0x152fecd8, 0xf70e5939),
249 SHA2_WORD64_CONST(0x67332667, 0xffc00b31),
250 SHA2_WORD64_CONST(0x8eb44a87, 0x68581511),
251 SHA2_WORD64_CONST(0xdb0c2e0d, 0x64f98fa7),
252 SHA2_WORD64_CONST(0x47b5481d, 0xbefa4fa4)
255 /* Initial hash value H for SHA-512 */
256 static const sha2_word64 sha512_initial_hash_value
[8] = {
257 SHA2_WORD64_CONST(0x6a09e667, 0xf3bcc908),
258 SHA2_WORD64_CONST(0xbb67ae85, 0x84caa73b),
259 SHA2_WORD64_CONST(0x3c6ef372, 0xfe94f82b),
260 SHA2_WORD64_CONST(0xa54ff53a, 0x5f1d36f1),
261 SHA2_WORD64_CONST(0x510e527f, 0xade682d1),
262 SHA2_WORD64_CONST(0x9b05688c, 0x2b3e6c1f),
263 SHA2_WORD64_CONST(0x1f83d9ab, 0xfb41bd6b),
264 SHA2_WORD64_CONST(0x5be0cd19, 0x137e2179)
268 * Constant used by SHA256/384/512_End() functions for converting the
269 * digest to a readable hexadecimal character string:
271 static const char sha2_hex_digits
[] = "0123456789abcdef";
274 /*** SHA-256: *********************************************************/
275 void SHA256_Init(SHA256_CTX
* context
) {
276 if (context
== NULL
) {
279 MEMCPY_BCOPY(context
->state
, sha256_initial_hash_value
, SHA256_DIGEST_LENGTH
);
280 MEMSET_BZERO(context
->buffer
, SHA256_BLOCK_LENGTH
);
281 context
->bitcount
= 0;
284 #ifdef SHA2_UNROLL_TRANSFORM
286 /* Unrolled SHA-256 round macros: */
288 #ifndef WORDS_BIGENDIAN
290 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
291 REVERSE32(*data++, W256[j]); \
292 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
295 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
301 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
302 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
303 K256[j] + (W256[j] = *data++); \
305 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
310 #define ROUND256(a,b,c,d,e,f,g,h) \
311 s0 = W256[(j+1)&0x0f]; \
312 s0 = sigma0_256(s0); \
313 s1 = W256[(j+14)&0x0f]; \
314 s1 = sigma1_256(s1); \
315 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
316 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
318 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
321 void SHA256_Transform(SHA256_CTX
* context
, const sha2_word32
* data
) {
322 sha2_word32 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
323 sha2_word32 T1
, *W256
;
326 W256
= (sha2_word32
*)context
->buffer
;
328 /* Initialize registers with the prev. intermediate value */
329 a
= context
->state
[0];
330 b
= context
->state
[1];
331 c
= context
->state
[2];
332 d
= context
->state
[3];
333 e
= context
->state
[4];
334 f
= context
->state
[5];
335 g
= context
->state
[6];
336 h
= context
->state
[7];
340 /* Rounds 0 to 15 (unrolled): */
341 ROUND256_0_TO_15(a
,b
,c
,d
,e
,f
,g
,h
);
342 ROUND256_0_TO_15(h
,a
,b
,c
,d
,e
,f
,g
);
343 ROUND256_0_TO_15(g
,h
,a
,b
,c
,d
,e
,f
);
344 ROUND256_0_TO_15(f
,g
,h
,a
,b
,c
,d
,e
);
345 ROUND256_0_TO_15(e
,f
,g
,h
,a
,b
,c
,d
);
346 ROUND256_0_TO_15(d
,e
,f
,g
,h
,a
,b
,c
);
347 ROUND256_0_TO_15(c
,d
,e
,f
,g
,h
,a
,b
);
348 ROUND256_0_TO_15(b
,c
,d
,e
,f
,g
,h
,a
);
351 /* Now for the remaining rounds to 64: */
353 ROUND256(a
,b
,c
,d
,e
,f
,g
,h
);
354 ROUND256(h
,a
,b
,c
,d
,e
,f
,g
);
355 ROUND256(g
,h
,a
,b
,c
,d
,e
,f
);
356 ROUND256(f
,g
,h
,a
,b
,c
,d
,e
);
357 ROUND256(e
,f
,g
,h
,a
,b
,c
,d
);
358 ROUND256(d
,e
,f
,g
,h
,a
,b
,c
);
359 ROUND256(c
,d
,e
,f
,g
,h
,a
,b
);
360 ROUND256(b
,c
,d
,e
,f
,g
,h
,a
);
363 /* Compute the current intermediate hash value */
364 context
->state
[0] += a
;
365 context
->state
[1] += b
;
366 context
->state
[2] += c
;
367 context
->state
[3] += d
;
368 context
->state
[4] += e
;
369 context
->state
[5] += f
;
370 context
->state
[6] += g
;
371 context
->state
[7] += h
;
374 a
= b
= c
= d
= e
= f
= g
= h
= T1
= 0;
377 #else /* SHA2_UNROLL_TRANSFORM */
379 void SHA256_Transform(SHA256_CTX
* context
, const sha2_word32
* data
) {
380 sha2_word32 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
381 sha2_word32 T1
, T2
, *W256
;
384 W256
= (sha2_word32
*)context
->buffer
;
386 /* Initialize registers with the prev. intermediate value */
387 a
= context
->state
[0];
388 b
= context
->state
[1];
389 c
= context
->state
[2];
390 d
= context
->state
[3];
391 e
= context
->state
[4];
392 f
= context
->state
[5];
393 g
= context
->state
[6];
394 h
= context
->state
[7];
398 #ifndef WORDS_BIGENDIAN
399 /* Copy data while converting to host byte order */
400 REVERSE32(*data
++,W256
[j
]);
401 /* Apply the SHA-256 compression function to update a..h */
402 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] + W256
[j
];
404 /* Apply the SHA-256 compression function to update a..h with copy */
405 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] + (W256
[j
] = *data
++);
407 T2
= Sigma0_256(a
) + Maj(a
, b
, c
);
421 /* Part of the message block expansion: */
422 s0
= W256
[(j
+1)&0x0f];
424 s1
= W256
[(j
+14)&0x0f];
427 /* Apply the SHA-256 compression function to update a..h */
428 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] +
429 (W256
[j
&0x0f] += s1
+ W256
[(j
+9)&0x0f] + s0
);
430 T2
= Sigma0_256(a
) + Maj(a
, b
, c
);
443 /* Compute the current intermediate hash value */
444 context
->state
[0] += a
;
445 context
->state
[1] += b
;
446 context
->state
[2] += c
;
447 context
->state
[3] += d
;
448 context
->state
[4] += e
;
449 context
->state
[5] += f
;
450 context
->state
[6] += g
;
451 context
->state
[7] += h
;
454 a
= b
= c
= d
= e
= f
= g
= h
= T1
= T2
= 0;
457 #endif /* SHA2_UNROLL_TRANSFORM */
459 void SHA256_Update(SHA256_CTX
* context
, const sha2_byte
*data
, size_t len
) {
460 unsigned int freespace
, usedspace
;
463 /* Calling with no data is valid - we do nothing */
468 assert(context
!= NULL
&& data
!= NULL
);
470 usedspace
= (context
->bitcount
>> 3) % SHA256_BLOCK_LENGTH
;
472 /* Calculate how much free space is available in the buffer */
473 freespace
= SHA256_BLOCK_LENGTH
- usedspace
;
475 if (len
>= freespace
) {
476 /* Fill the buffer completely and process it */
477 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, freespace
);
478 context
->bitcount
+= freespace
<< 3;
481 SHA256_Transform(context
, (sha2_word32
*)context
->buffer
);
483 /* The buffer is not yet full */
484 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, len
);
485 context
->bitcount
+= len
<< 3;
487 usedspace
= freespace
= 0;
491 while (len
>= SHA256_BLOCK_LENGTH
) {
492 /* Process as many complete blocks as we can */
493 SHA256_Transform(context
, (const sha2_word32
*)data
);
494 context
->bitcount
+= SHA256_BLOCK_LENGTH
<< 3;
495 len
-= SHA256_BLOCK_LENGTH
;
496 data
+= SHA256_BLOCK_LENGTH
;
499 /* There's left-overs, so save 'em */
500 MEMCPY_BCOPY(context
->buffer
, data
, len
);
501 context
->bitcount
+= len
<< 3;
504 usedspace
= freespace
= 0;
507 void SHA256_Final(sha2_byte digest
[], SHA256_CTX
* context
) {
508 sha2_word32
*d
= (sha2_word32
*)digest
;
509 unsigned int usedspace
;
512 assert(context
!= NULL
);
514 /* If no digest buffer is passed, we don't bother doing this: */
515 if (digest
!= NULL
) {
516 usedspace
= (context
->bitcount
>> 3) % SHA256_BLOCK_LENGTH
;
517 #ifndef WORDS_BIGENDIAN
518 /* Convert FROM host byte order */
519 REVERSE64(context
->bitcount
,context
->bitcount
);
522 /* Begin padding with a 1 bit: */
523 context
->buffer
[usedspace
++] = 0x80;
525 if (usedspace
<= SHA256_SHORT_BLOCK_LENGTH
) {
526 /* Set-up for the last transform: */
527 MEMSET_BZERO(&context
->buffer
[usedspace
], SHA256_SHORT_BLOCK_LENGTH
- usedspace
);
529 if (usedspace
< SHA256_BLOCK_LENGTH
) {
530 MEMSET_BZERO(&context
->buffer
[usedspace
], SHA256_BLOCK_LENGTH
- usedspace
);
532 /* Do second-to-last transform: */
533 SHA256_Transform(context
, (sha2_word32
*)context
->buffer
);
535 /* And set-up for the last transform: */
536 MEMSET_BZERO(context
->buffer
, SHA256_SHORT_BLOCK_LENGTH
);
539 /* Set-up for the last transform: */
540 MEMSET_BZERO(context
->buffer
, SHA256_SHORT_BLOCK_LENGTH
);
542 /* Begin padding with a 1 bit: */
543 *context
->buffer
= 0x80;
545 /* Set the bit count: */
546 *(sha2_word64
*)&context
->buffer
[SHA256_SHORT_BLOCK_LENGTH
] = context
->bitcount
;
548 /* Final transform: */
549 SHA256_Transform(context
, (sha2_word32
*)context
->buffer
);
551 #ifndef WORDS_BIGENDIAN
553 /* Convert TO host byte order */
555 for (j
= 0; j
< 8; j
++) {
556 REVERSE32(context
->state
[j
],context
->state
[j
]);
557 *d
++ = context
->state
[j
];
561 MEMCPY_BCOPY(d
, context
->state
, SHA256_DIGEST_LENGTH
);
565 /* Clean up state data: */
566 MEMSET_BZERO(context
, sizeof(context
));
570 char *SHA256_End(SHA256_CTX
* context
, char buffer
[]) {
571 sha2_byte digest
[SHA256_DIGEST_LENGTH
], *d
= digest
;
575 assert(context
!= NULL
);
577 if (buffer
!= NULL
) {
578 SHA256_Final(digest
, context
);
580 for (i
= 0; i
< SHA256_DIGEST_LENGTH
; i
++) {
581 *buffer
++ = sha2_hex_digits
[(*d
& 0xf0) >> 4];
582 *buffer
++ = sha2_hex_digits
[*d
& 0x0f];
587 MEMSET_BZERO(context
, sizeof(context
));
589 MEMSET_BZERO(digest
, SHA256_DIGEST_LENGTH
);
593 char* SHA256_Data(const sha2_byte
* data
, size_t len
, char digest
[SHA256_DIGEST_STRING_LENGTH
]) {
596 SHA256_Init(&context
);
597 SHA256_Update(&context
, data
, len
);
598 return SHA256_End(&context
, digest
);
602 /*** SHA-512: *********************************************************/
603 void SHA512_Init(SHA512_CTX
* context
) {
604 if (context
== NULL
) {
607 MEMCPY_BCOPY(context
->state
, sha512_initial_hash_value
, SHA512_DIGEST_LENGTH
);
608 MEMSET_BZERO(context
->buffer
, SHA512_BLOCK_LENGTH
);
609 context
->bitcount
[0] = context
->bitcount
[1] = 0;
612 #ifdef SHA2_UNROLL_TRANSFORM
614 /* Unrolled SHA-512 round macros: */
615 #ifndef WORDS_BIGENDIAN
617 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
618 REVERSE64(*data++, W512[j]); \
619 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
622 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
628 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
629 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
630 K512[j] + (W512[j] = *data++); \
632 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
637 #define ROUND512(a,b,c,d,e,f,g,h) \
638 s0 = W512[(j+1)&0x0f]; \
639 s0 = sigma0_512(s0); \
640 s1 = W512[(j+14)&0x0f]; \
641 s1 = sigma1_512(s1); \
642 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
643 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
645 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
648 void SHA512_Transform(SHA512_CTX
* context
, const sha2_word64
* data
) {
649 sha2_word64 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
650 sha2_word64 T1
, *W512
= (sha2_word64
*)context
->buffer
;
653 /* Initialize registers with the prev. intermediate value */
654 a
= context
->state
[0];
655 b
= context
->state
[1];
656 c
= context
->state
[2];
657 d
= context
->state
[3];
658 e
= context
->state
[4];
659 f
= context
->state
[5];
660 g
= context
->state
[6];
661 h
= context
->state
[7];
665 ROUND512_0_TO_15(a
,b
,c
,d
,e
,f
,g
,h
);
666 ROUND512_0_TO_15(h
,a
,b
,c
,d
,e
,f
,g
);
667 ROUND512_0_TO_15(g
,h
,a
,b
,c
,d
,e
,f
);
668 ROUND512_0_TO_15(f
,g
,h
,a
,b
,c
,d
,e
);
669 ROUND512_0_TO_15(e
,f
,g
,h
,a
,b
,c
,d
);
670 ROUND512_0_TO_15(d
,e
,f
,g
,h
,a
,b
,c
);
671 ROUND512_0_TO_15(c
,d
,e
,f
,g
,h
,a
,b
);
672 ROUND512_0_TO_15(b
,c
,d
,e
,f
,g
,h
,a
);
675 /* Now for the remaining rounds up to 79: */
677 ROUND512(a
,b
,c
,d
,e
,f
,g
,h
);
678 ROUND512(h
,a
,b
,c
,d
,e
,f
,g
);
679 ROUND512(g
,h
,a
,b
,c
,d
,e
,f
);
680 ROUND512(f
,g
,h
,a
,b
,c
,d
,e
);
681 ROUND512(e
,f
,g
,h
,a
,b
,c
,d
);
682 ROUND512(d
,e
,f
,g
,h
,a
,b
,c
);
683 ROUND512(c
,d
,e
,f
,g
,h
,a
,b
);
684 ROUND512(b
,c
,d
,e
,f
,g
,h
,a
);
687 /* Compute the current intermediate hash value */
688 context
->state
[0] += a
;
689 context
->state
[1] += b
;
690 context
->state
[2] += c
;
691 context
->state
[3] += d
;
692 context
->state
[4] += e
;
693 context
->state
[5] += f
;
694 context
->state
[6] += g
;
695 context
->state
[7] += h
;
698 a
= b
= c
= d
= e
= f
= g
= h
= T1
= 0;
701 #else /* SHA2_UNROLL_TRANSFORM */
703 void SHA512_Transform(SHA512_CTX
* context
, const sha2_word64
* data
) {
704 sha2_word64 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
705 sha2_word64 T1
, T2
, *W512
= (sha2_word64
*)context
->buffer
;
708 /* Initialize registers with the prev. intermediate value */
709 a
= context
->state
[0];
710 b
= context
->state
[1];
711 c
= context
->state
[2];
712 d
= context
->state
[3];
713 e
= context
->state
[4];
714 f
= context
->state
[5];
715 g
= context
->state
[6];
716 h
= context
->state
[7];
720 #ifndef WORDS_BIGENDIAN
721 /* Convert TO host byte order */
722 REVERSE64(*data
++, W512
[j
]);
723 /* Apply the SHA-512 compression function to update a..h */
724 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] + W512
[j
];
726 /* Apply the SHA-512 compression function to update a..h with copy */
727 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] + (W512
[j
] = *data
++);
729 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
743 /* Part of the message block expansion: */
744 s0
= W512
[(j
+1)&0x0f];
746 s1
= W512
[(j
+14)&0x0f];
749 /* Apply the SHA-512 compression function to update a..h */
750 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] +
751 (W512
[j
&0x0f] += s1
+ W512
[(j
+9)&0x0f] + s0
);
752 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
765 /* Compute the current intermediate hash value */
766 context
->state
[0] += a
;
767 context
->state
[1] += b
;
768 context
->state
[2] += c
;
769 context
->state
[3] += d
;
770 context
->state
[4] += e
;
771 context
->state
[5] += f
;
772 context
->state
[6] += g
;
773 context
->state
[7] += h
;
776 a
= b
= c
= d
= e
= f
= g
= h
= T1
= T2
= 0;
779 #endif /* SHA2_UNROLL_TRANSFORM */
781 void SHA512_Update(SHA512_CTX
* context
, const sha2_byte
*data
, size_t len
) {
782 unsigned int freespace
, usedspace
;
785 /* Calling with no data is valid - we do nothing */
790 assert(context
!= NULL
&& data
!= NULL
);
792 usedspace
= (context
->bitcount
[0] >> 3) % SHA512_BLOCK_LENGTH
;
794 /* Calculate how much free space is available in the buffer */
795 freespace
= SHA512_BLOCK_LENGTH
- usedspace
;
797 if (len
>= freespace
) {
798 /* Fill the buffer completely and process it */
799 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, freespace
);
800 ADDINC128(context
->bitcount
, freespace
<< 3);
803 SHA512_Transform(context
, (sha2_word64
*)context
->buffer
);
805 /* The buffer is not yet full */
806 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, len
);
807 ADDINC128(context
->bitcount
, len
<< 3);
809 usedspace
= freespace
= 0;
813 while (len
>= SHA512_BLOCK_LENGTH
) {
814 /* Process as many complete blocks as we can */
815 SHA512_Transform(context
, (const sha2_word64
*)data
);
816 ADDINC128(context
->bitcount
, SHA512_BLOCK_LENGTH
<< 3);
817 len
-= SHA512_BLOCK_LENGTH
;
818 data
+= SHA512_BLOCK_LENGTH
;
821 /* There's left-overs, so save 'em */
822 MEMCPY_BCOPY(context
->buffer
, data
, len
);
823 ADDINC128(context
->bitcount
, len
<< 3);
826 usedspace
= freespace
= 0;
829 void SHA512_Last(SHA512_CTX
* context
) {
830 unsigned int usedspace
;
832 usedspace
= (context
->bitcount
[0] >> 3) % SHA512_BLOCK_LENGTH
;
833 #ifndef WORDS_BIGENDIAN
834 /* Convert FROM host byte order */
835 REVERSE64(context
->bitcount
[0],context
->bitcount
[0]);
836 REVERSE64(context
->bitcount
[1],context
->bitcount
[1]);
839 /* Begin padding with a 1 bit: */
840 context
->buffer
[usedspace
++] = 0x80;
842 if (usedspace
<= SHA512_SHORT_BLOCK_LENGTH
) {
843 /* Set-up for the last transform: */
844 MEMSET_BZERO(&context
->buffer
[usedspace
], SHA512_SHORT_BLOCK_LENGTH
- usedspace
);
846 if (usedspace
< SHA512_BLOCK_LENGTH
) {
847 MEMSET_BZERO(&context
->buffer
[usedspace
], SHA512_BLOCK_LENGTH
- usedspace
);
849 /* Do second-to-last transform: */
850 SHA512_Transform(context
, (sha2_word64
*)context
->buffer
);
852 /* And set-up for the last transform: */
853 MEMSET_BZERO(context
->buffer
, SHA512_BLOCK_LENGTH
- 2);
856 /* Prepare for final transform: */
857 MEMSET_BZERO(context
->buffer
, SHA512_SHORT_BLOCK_LENGTH
);
859 /* Begin padding with a 1 bit: */
860 *context
->buffer
= 0x80;
862 /* Store the length of input data (in bits): */
863 *(sha2_word64
*)&context
->buffer
[SHA512_SHORT_BLOCK_LENGTH
] = context
->bitcount
[1];
864 *(sha2_word64
*)&context
->buffer
[SHA512_SHORT_BLOCK_LENGTH
+8] = context
->bitcount
[0];
866 /* Final transform: */
867 SHA512_Transform(context
, (sha2_word64
*)context
->buffer
);
870 void SHA512_Final(sha2_byte digest
[], SHA512_CTX
* context
) {
871 sha2_word64
*d
= (sha2_word64
*)digest
;
874 assert(context
!= NULL
);
876 /* If no digest buffer is passed, we don't bother doing this: */
877 if (digest
!= NULL
) {
878 SHA512_Last(context
);
880 /* Save the hash data for output: */
881 #ifndef WORDS_BIGENDIAN
883 /* Convert TO host byte order */
885 for (j
= 0; j
< 8; j
++) {
886 REVERSE64(context
->state
[j
],context
->state
[j
]);
887 *d
++ = context
->state
[j
];
891 MEMCPY_BCOPY(d
, context
->state
, SHA512_DIGEST_LENGTH
);
895 /* Zero out state data */
896 MEMSET_BZERO(context
, sizeof(context
));
899 char *SHA512_End(SHA512_CTX
* context
, char buffer
[]) {
900 sha2_byte digest
[SHA512_DIGEST_LENGTH
], *d
= digest
;
904 assert(context
!= NULL
);
906 if (buffer
!= NULL
) {
907 SHA512_Final(digest
, context
);
909 for (i
= 0; i
< SHA512_DIGEST_LENGTH
; i
++) {
910 *buffer
++ = sha2_hex_digits
[(*d
& 0xf0) >> 4];
911 *buffer
++ = sha2_hex_digits
[*d
& 0x0f];
916 MEMSET_BZERO(context
, sizeof(context
));
918 MEMSET_BZERO(digest
, SHA512_DIGEST_LENGTH
);
922 char* SHA512_Data(const sha2_byte
* data
, size_t len
, char digest
[SHA512_DIGEST_STRING_LENGTH
]) {
925 SHA512_Init(&context
);
926 SHA512_Update(&context
, data
, len
);
927 return SHA512_End(&context
, digest
);
931 /*** SHA-384: *********************************************************/
932 void SHA384_Init(SHA384_CTX
* context
) {
933 if (context
== NULL
) {
936 MEMCPY_BCOPY(context
->state
, sha384_initial_hash_value
, SHA512_DIGEST_LENGTH
);
937 MEMSET_BZERO(context
->buffer
, SHA384_BLOCK_LENGTH
);
938 context
->bitcount
[0] = context
->bitcount
[1] = 0;
941 void SHA384_Update(SHA384_CTX
* context
, const sha2_byte
* data
, size_t len
) {
942 SHA512_Update((SHA512_CTX
*)context
, data
, len
);
945 void SHA384_Final(sha2_byte digest
[], SHA384_CTX
* context
) {
946 sha2_word64
*d
= (sha2_word64
*)digest
;
949 assert(context
!= NULL
);
951 /* If no digest buffer is passed, we don't bother doing this: */
952 if (digest
!= NULL
) {
953 SHA512_Last((SHA512_CTX
*)context
);
955 /* Save the hash data for output: */
956 #ifndef WORDS_BIGENDIAN
958 /* Convert TO host byte order */
960 for (j
= 0; j
< 6; j
++) {
961 REVERSE64(context
->state
[j
],context
->state
[j
]);
962 *d
++ = context
->state
[j
];
966 MEMCPY_BCOPY(d
, context
->state
, SHA384_DIGEST_LENGTH
);
970 /* Zero out state data */
971 MEMSET_BZERO(context
, sizeof(context
));
974 char *SHA384_End(SHA384_CTX
* context
, char buffer
[]) {
975 sha2_byte digest
[SHA384_DIGEST_LENGTH
], *d
= digest
;
979 assert(context
!= NULL
);
981 if (buffer
!= NULL
) {
982 SHA384_Final(digest
, context
);
984 for (i
= 0; i
< SHA384_DIGEST_LENGTH
; i
++) {
985 *buffer
++ = sha2_hex_digits
[(*d
& 0xf0) >> 4];
986 *buffer
++ = sha2_hex_digits
[*d
& 0x0f];
991 MEMSET_BZERO(context
, sizeof(context
));
993 MEMSET_BZERO(digest
, SHA384_DIGEST_LENGTH
);
997 char* SHA384_Data(const sha2_byte
* data
, size_t len
, char digest
[SHA384_DIGEST_STRING_LENGTH
]) {
1000 SHA384_Init(&context
);
1001 SHA384_Update(&context
, data
, len
);
1002 return SHA384_End(&context
, digest
);