search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Translated using Weblate (Portuguese (Brazil))
[cygwin-setup.git] / sha2.c
blob67251bc76f0d9adf864037ceaba89060553d9428
1 /* $OpenBSD: sha2.c,v 1.23 2015/01/15 13:05:59 millert Exp $ */
2
3 /*
4 * FILE: sha2.c
5 * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
6 *
7 * Copyright (c) 2000-2001, Aaron D. Gifford
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the copyright holder nor the names of contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $From: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
35 */
36
37 #include <sys/types.h>
38
39 #include <string.h>
40 #include <sha2.h>
41
42 /*
43 * UNROLLED TRANSFORM LOOP NOTE:
44 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
45 * loop version for the hash transform rounds (defined using macros
46 * later in this file). Either define on the command line, for example:
47 *
48 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
49 *
50 * or define below:
51 *
52 * #define SHA2_UNROLL_TRANSFORM
53 *
54 */
55 #ifndef SHA2_SMALL
56 #if defined(__amd64__) || defined(__i386__)
57 #define SHA2_UNROLL_TRANSFORM
58 #endif
59 #endif
60
61 /*** SHA-224/256/384/512 Machine Architecture Definitions *****************/
62 /*
63 * BYTE_ORDER NOTE:
64 *
65 * Please make sure that your system defines BYTE_ORDER. If your
66 * architecture is little-endian, make sure it also defines
67 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
68 * equivilent.
69 *
70 * If your system does not define the above, then you can do so by
71 * hand like this:
72 *
73 * #define LITTLE_ENDIAN 1234
74 * #define BIG_ENDIAN 4321
75 *
76 * And for little-endian machines, add:
77 *
78 * #define BYTE_ORDER LITTLE_ENDIAN
79 *
80 * Or for big-endian machines:
81 *
82 * #define BYTE_ORDER BIG_ENDIAN
83 *
84 * The FreeBSD machine this was written on defines BYTE_ORDER
85 * appropriately by including <sys/types.h> (which in turn includes
86 * <machine/endian.h> where the appropriate definitions are actually
87 * made).
88 */
89 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
90 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
91 #endif
92
93
94 /*** SHA-224/256/384/512 Various Length Definitions ***********************/
95 /* NOTE: Most of these are in sha2.h */
96 #define SHA224_SHORT_BLOCK_LENGTH (SHA224_BLOCK_LENGTH - 8)
97 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
98 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
99 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
100
101 /*** ENDIAN SPECIFIC COPY MACROS **************************************/
102 #define BE_8_TO_32(dst, cp) do { \
103 (dst) = (u_int32_t)(cp)[3] | ((u_int32_t)(cp)[2] << 8) | \
104 ((u_int32_t)(cp)[1] << 16) | ((u_int32_t)(cp)[0] << 24); \
105 } while(0)
106
107 #define BE_8_TO_64(dst, cp) do { \
108 (dst) = (u_int64_t)(cp)[7] | ((u_int64_t)(cp)[6] << 8) | \
109 ((u_int64_t)(cp)[5] << 16) | ((u_int64_t)(cp)[4] << 24) | \
110 ((u_int64_t)(cp)[3] << 32) | ((u_int64_t)(cp)[2] << 40) | \
111 ((u_int64_t)(cp)[1] << 48) | ((u_int64_t)(cp)[0] << 56); \
112 } while (0)
113
114 #define BE_64_TO_8(cp, src) do { \
115 (cp)[0] = (src) >> 56; \
116 (cp)[1] = (src) >> 48; \
117 (cp)[2] = (src) >> 40; \
118 (cp)[3] = (src) >> 32; \
119 (cp)[4] = (src) >> 24; \
120 (cp)[5] = (src) >> 16; \
121 (cp)[6] = (src) >> 8; \
122 (cp)[7] = (src); \
123 } while (0)
124
125 #define BE_32_TO_8(cp, src) do { \
126 (cp)[0] = (src) >> 24; \
127 (cp)[1] = (src) >> 16; \
128 (cp)[2] = (src) >> 8; \
129 (cp)[3] = (src); \
130 } while (0)
131
132 /*
133 * Macro for incrementally adding the unsigned 64-bit integer n to the
134 * unsigned 128-bit integer (represented using a two-element array of
135 * 64-bit words):
136 */
137 #define ADDINC128(w,n) do { \
138 (w)[0] += (u_int64_t)(n); \
139 if ((w)[0] < (n)) { \
140 (w)[1]++; \
141 } \
142 } while (0)
143
144 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
145 /*
146 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
147 *
148 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
149 * S is a ROTATION) because the SHA-224/256/384/512 description document
150 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
151 * same "backwards" definition.
152 */
153 /* Shift-right (used in SHA-224, SHA-256, SHA-384, and SHA-512): */
154 #define R(b,x) ((x) >> (b))
155 /* 32-bit Rotate-right (used in SHA-224 and SHA-256): */
156 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
157 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
158 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
159
160 /* Two of six logical functions used in SHA-224, SHA-256, SHA-384, and SHA-512: */
161 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
162 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
163
164 /* Four of six logical functions used in SHA-224 and SHA-256: */
165 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
166 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
167 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
168 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
169
170 /* Four of six logical functions used in SHA-384 and SHA-512: */
171 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
172 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
173 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
174 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
175
176
177 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
178 /* Hash constant words K for SHA-224 and SHA-256: */
179 static const u_int32_t K256[64] = {
180 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
181 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
182 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
183 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
184 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
185 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
186 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
187 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
188 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
189 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
190 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
191 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
192 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
193 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
194 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
195 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
196 };
197
198 #if !defined(SHA2_SMALL)
199 /* Initial hash value H for SHA-224: */
200 static const u_int32_t sha224_initial_hash_value[8] = {
201 0xc1059ed8UL,
202 0x367cd507UL,
203 0x3070dd17UL,
204 0xf70e5939UL,
205 0xffc00b31UL,
206 0x68581511UL,
207 0x64f98fa7UL,
208 0xbefa4fa4UL
209 };
210 #endif
211
212 /* Initial hash value H for SHA-256: */
213 static const u_int32_t sha256_initial_hash_value[8] = {
214 0x6a09e667UL,
215 0xbb67ae85UL,
216 0x3c6ef372UL,
217 0xa54ff53aUL,
218 0x510e527fUL,
219 0x9b05688cUL,
220 0x1f83d9abUL,
221 0x5be0cd19UL
222 };
223
224 /* Hash constant words K for SHA-384 and SHA-512: */
225 static const u_int64_t K512[80] = {
226 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
227 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
228 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
229 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
230 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
231 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
232 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
233 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
234 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
235 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
236 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
237 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
238 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
239 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
240 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
241 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
242 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
243 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
244 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
245 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
246 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
247 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
248 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
249 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
250 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
251 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
252 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
253 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
254 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
255 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
256 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
257 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
258 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
259 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
260 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
261 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
262 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
263 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
264 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
265 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
266 };
267
268 /* Initial hash value H for SHA-512 */
269 static const u_int64_t sha512_initial_hash_value[8] = {
270 0x6a09e667f3bcc908ULL,
271 0xbb67ae8584caa73bULL,
272 0x3c6ef372fe94f82bULL,
273 0xa54ff53a5f1d36f1ULL,
274 0x510e527fade682d1ULL,
275 0x9b05688c2b3e6c1fULL,
276 0x1f83d9abfb41bd6bULL,
277 0x5be0cd19137e2179ULL
278 };
279
280 #if !defined(SHA2_SMALL)
281 /* Initial hash value H for SHA-384 */
282 static const u_int64_t sha384_initial_hash_value[8] = {
283 0xcbbb9d5dc1059ed8ULL,
284 0x629a292a367cd507ULL,
285 0x9159015a3070dd17ULL,
286 0x152fecd8f70e5939ULL,
287 0x67332667ffc00b31ULL,
288 0x8eb44a8768581511ULL,
289 0xdb0c2e0d64f98fa7ULL,
290 0x47b5481dbefa4fa4ULL
291 };
292
293 /*** SHA-224: *********************************************************/
294 void
295 SHA224Init(SHA2_CTX *context)
296 {
297 memcpy(context->state.st32, sha224_initial_hash_value,
298 sizeof(sha224_initial_hash_value));
299 memset(context->buffer, 0, sizeof(context->buffer));
300 context->bitcount[0] = 0;
301 }
302
303 __weak_alias(SHA224Transform, SHA256Transform);
304 __weak_alias(SHA224Update, SHA256Update);
305 __weak_alias(SHA224Pad, SHA256Pad);
306
307 void
308 SHA224Final(u_int8_t digest[SHA224_DIGEST_LENGTH], SHA2_CTX *context)
309 {
310 SHA224Pad(context);
311
312 #if BYTE_ORDER == LITTLE_ENDIAN
313 int i;
314
315 /* Convert TO host byte order */
316 for (i = 0; i < 7; i++)
317 BE_32_TO_8(digest + i * 4, context->state.st32[i]);
318 #else
319 memcpy(digest, context->state.st32, SHA224_DIGEST_LENGTH);
320 #endif
321 explicit_bzero(context, sizeof(*context));
322 }
323 #endif /* !defined(SHA2_SMALL) */
324
325 /*** SHA-256: *********************************************************/
326 void
327 SHA256Init(SHA2_CTX *context)
328 {
329 memcpy(context->state.st32, sha256_initial_hash_value,
330 sizeof(sha256_initial_hash_value));
331 memset(context->buffer, 0, sizeof(context->buffer));
332 context->bitcount[0] = 0;
333 }
334
335 #ifdef SHA2_UNROLL_TRANSFORM
336
337 /* Unrolled SHA-256 round macros: */
338
339 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) do { \
340 BE_8_TO_32(W256[j], data); \
341 data += 4; \
342 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + W256[j]; \
343 (d) += T1; \
344 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
345 j++; \
346 } while(0)
347
348 #define ROUND256(a,b,c,d,e,f,g,h) do { \
349 s0 = W256[(j+1)&0x0f]; \
350 s0 = sigma0_256(s0); \
351 s1 = W256[(j+14)&0x0f]; \
352 s1 = sigma1_256(s1); \
353 T1 = (h) + Sigma1_256((e)) + Ch((e), (f), (g)) + K256[j] + \
354 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
355 (d) += T1; \
356 (h) = T1 + Sigma0_256((a)) + Maj((a), (b), (c)); \
357 j++; \
358 } while(0)
359
360 void
361 SHA256Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
362 {
363 u_int32_t a, b, c, d, e, f, g, h, s0, s1;
364 u_int32_t T1, W256[16];
365 int j;
366
367 /* Initialize registers with the prev. intermediate value */
368 a = state[0];
369 b = state[1];
370 c = state[2];
371 d = state[3];
372 e = state[4];
373 f = state[5];
374 g = state[6];
375 h = state[7];
376
377 j = 0;
378 do {
379 /* Rounds 0 to 15 (unrolled): */
380 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
381 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
382 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
383 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
384 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
385 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
386 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
387 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
388 } while (j < 16);
389
390 /* Now for the remaining rounds up to 63: */
391 do {
392 ROUND256(a,b,c,d,e,f,g,h);
393 ROUND256(h,a,b,c,d,e,f,g);
394 ROUND256(g,h,a,b,c,d,e,f);
395 ROUND256(f,g,h,a,b,c,d,e);
396 ROUND256(e,f,g,h,a,b,c,d);
397 ROUND256(d,e,f,g,h,a,b,c);
398 ROUND256(c,d,e,f,g,h,a,b);
399 ROUND256(b,c,d,e,f,g,h,a);
400 } while (j < 64);
401
402 /* Compute the current intermediate hash value */
403 state[0] += a;
404 state[1] += b;
405 state[2] += c;
406 state[3] += d;
407 state[4] += e;
408 state[5] += f;
409 state[6] += g;
410 state[7] += h;
411
412 /* Clean up */
413 a = b = c = d = e = f = g = h = T1 = 0;
414 }
415
416 #else /* SHA2_UNROLL_TRANSFORM */
417
418 void
419 SHA256Transform(u_int32_t state[8], const u_int8_t data[SHA256_BLOCK_LENGTH])
420 {
421 u_int32_t a, b, c, d, e, f, g, h, s0, s1;
422 u_int32_t T1, T2, W256[16];
423 int j;
424
425 /* Initialize registers with the prev. intermediate value */
426 a = state[0];
427 b = state[1];
428 c = state[2];
429 d = state[3];
430 e = state[4];
431 f = state[5];
432 g = state[6];
433 h = state[7];
434
435 j = 0;
436 do {
437 BE_8_TO_32(W256[j], data);
438 data += 4;
439 /* Apply the SHA-256 compression function to update a..h */
440 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
441 T2 = Sigma0_256(a) + Maj(a, b, c);
442 h = g;
443 g = f;
444 f = e;
445 e = d + T1;
446 d = c;
447 c = b;
448 b = a;
449 a = T1 + T2;
450
451 j++;
452 } while (j < 16);
453
454 do {
455 /* Part of the message block expansion: */
456 s0 = W256[(j+1)&0x0f];
457 s0 = sigma0_256(s0);
458 s1 = W256[(j+14)&0x0f];
459 s1 = sigma1_256(s1);
460
461 /* Apply the SHA-256 compression function to update a..h */
462 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
463 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
464 T2 = Sigma0_256(a) + Maj(a, b, c);
465 h = g;
466 g = f;
467 f = e;
468 e = d + T1;
469 d = c;
470 c = b;
471 b = a;
472 a = T1 + T2;
473
474 j++;
475 } while (j < 64);
476
477 /* Compute the current intermediate hash value */
478 state[0] += a;
479 state[1] += b;
480 state[2] += c;
481 state[3] += d;
482 state[4] += e;
483 state[5] += f;
484 state[6] += g;
485 state[7] += h;
486
487 /* Clean up */
488 a = b = c = d = e = f = g = h = T1 = T2 = 0;
489 }
490
491 #endif /* SHA2_UNROLL_TRANSFORM */
492
493 void
494 SHA256Update(SHA2_CTX *context, const u_int8_t *data, size_t len)
495 {
496 size_t freespace, usedspace;
497
498 /* Calling with no data is valid (we do nothing) */
499 if (len == 0)
500 return;
501
502 usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
503 if (usedspace > 0) {
504 /* Calculate how much free space is available in the buffer */
505 freespace = SHA256_BLOCK_LENGTH - usedspace;
506
507 if (len >= freespace) {
508 /* Fill the buffer completely and process it */
509 memcpy(&context->buffer[usedspace], data, freespace);
510 context->bitcount[0] += freespace << 3;
511 len -= freespace;
512 data += freespace;
513 SHA256Transform(context->state.st32, context->buffer);
514 } else {
515 /* The buffer is not yet full */
516 memcpy(&context->buffer[usedspace], data, len);
517 context->bitcount[0] += len << 3;
518 /* Clean up: */
519 usedspace = freespace = 0;
520 return;
521 }
522 }
523 while (len >= SHA256_BLOCK_LENGTH) {
524 /* Process as many complete blocks as we can */
525 SHA256Transform(context->state.st32, data);
526 context->bitcount[0] += SHA256_BLOCK_LENGTH << 3;
527 len -= SHA256_BLOCK_LENGTH;
528 data += SHA256_BLOCK_LENGTH;
529 }
530 if (len > 0) {
531 /* There's left-overs, so save 'em */
532 memcpy(context->buffer, data, len);
533 context->bitcount[0] += len << 3;
534 }
535 /* Clean up: */
536 usedspace = freespace = 0;
537 }
538
539 void
540 SHA256Pad(SHA2_CTX *context)
541 {
542 unsigned int usedspace;
543
544 usedspace = (context->bitcount[0] >> 3) % SHA256_BLOCK_LENGTH;
545 if (usedspace > 0) {
546 /* Begin padding with a 1 bit: */
547 context->buffer[usedspace++] = 0x80;
548
549 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
550 /* Set-up for the last transform: */
551 memset(&context->buffer[usedspace], 0,
552 SHA256_SHORT_BLOCK_LENGTH - usedspace);
553 } else {
554 if (usedspace < SHA256_BLOCK_LENGTH) {
555 memset(&context->buffer[usedspace], 0,
556 SHA256_BLOCK_LENGTH - usedspace);
557 }
558 /* Do second-to-last transform: */
559 SHA256Transform(context->state.st32, context->buffer);
560
561 /* Prepare for last transform: */
562 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
563 }
564 } else {
565 /* Set-up for the last transform: */
566 memset(context->buffer, 0, SHA256_SHORT_BLOCK_LENGTH);
567
568 /* Begin padding with a 1 bit: */
569 *context->buffer = 0x80;
570 }
571 /* Store the length of input data (in bits) in big endian format: */
572 BE_64_TO_8(&context->buffer[SHA256_SHORT_BLOCK_LENGTH],
573 context->bitcount[0]);
574
575 /* Final transform: */
576 SHA256Transform(context->state.st32, context->buffer);
577
578 /* Clean up: */
579 usedspace = 0;
580 }
581
582 void
583 SHA256Final(u_int8_t digest[SHA256_DIGEST_LENGTH], SHA2_CTX *context)
584 {
585 SHA256Pad(context);
586
587 #if BYTE_ORDER == LITTLE_ENDIAN
588 int i;
589
590 /* Convert TO host byte order */
591 for (i = 0; i < 8; i++)
592 BE_32_TO_8(digest + i * 4, context->state.st32[i]);
593 #else
594 memcpy(digest, context->state.st32, SHA256_DIGEST_LENGTH);
595 #endif
596 explicit_bzero(context, sizeof(*context));
597 }
598
599
600 /*** SHA-512: *********************************************************/
601 void
602 SHA512Init(SHA2_CTX *context)
603 {
604 memcpy(context->state.st64, sha512_initial_hash_value,
605 sizeof(sha512_initial_hash_value));
606 memset(context->buffer, 0, sizeof(context->buffer));
607 context->bitcount[0] = context->bitcount[1] = 0;
608 }
609
610 #ifdef SHA2_UNROLL_TRANSFORM
611
612 /* Unrolled SHA-512 round macros: */
613
614 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) do { \
615 BE_8_TO_64(W512[j], data); \
616 data += 8; \
617 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + W512[j]; \
618 (d) += T1; \
619 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
620 j++; \
621 } while(0)
622
623
624 #define ROUND512(a,b,c,d,e,f,g,h) do { \
625 s0 = W512[(j+1)&0x0f]; \
626 s0 = sigma0_512(s0); \
627 s1 = W512[(j+14)&0x0f]; \
628 s1 = sigma1_512(s1); \
629 T1 = (h) + Sigma1_512((e)) + Ch((e), (f), (g)) + K512[j] + \
630 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
631 (d) += T1; \
632 (h) = T1 + Sigma0_512((a)) + Maj((a), (b), (c)); \
633 j++; \
634 } while(0)
635
636 void
637 SHA512Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
638 {
639 u_int64_t a, b, c, d, e, f, g, h, s0, s1;
640 u_int64_t T1, W512[16];
641 int j;
642
643 /* Initialize registers with the prev. intermediate value */
644 a = state[0];
645 b = state[1];
646 c = state[2];
647 d = state[3];
648 e = state[4];
649 f = state[5];
650 g = state[6];
651 h = state[7];
652
653 j = 0;
654 do {
655 /* Rounds 0 to 15 (unrolled): */
656 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
657 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
658 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
659 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
660 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
661 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
662 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
663 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
664 } while (j < 16);
665
666 /* Now for the remaining rounds up to 79: */
667 do {
668 ROUND512(a,b,c,d,e,f,g,h);
669 ROUND512(h,a,b,c,d,e,f,g);
670 ROUND512(g,h,a,b,c,d,e,f);
671 ROUND512(f,g,h,a,b,c,d,e);
672 ROUND512(e,f,g,h,a,b,c,d);
673 ROUND512(d,e,f,g,h,a,b,c);
674 ROUND512(c,d,e,f,g,h,a,b);
675 ROUND512(b,c,d,e,f,g,h,a);
676 } while (j < 80);
677
678 /* Compute the current intermediate hash value */
679 state[0] += a;
680 state[1] += b;
681 state[2] += c;
682 state[3] += d;
683 state[4] += e;
684 state[5] += f;
685 state[6] += g;
686 state[7] += h;
687
688 /* Clean up */
689 a = b = c = d = e = f = g = h = T1 = 0;
690 }
691
692 #else /* SHA2_UNROLL_TRANSFORM */
693
694 void
695 SHA512Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
696 {
697 u_int64_t a, b, c, d, e, f, g, h, s0, s1;
698 u_int64_t T1, T2, W512[16];
699 int j;
700
701 /* Initialize registers with the prev. intermediate value */
702 a = state[0];
703 b = state[1];
704 c = state[2];
705 d = state[3];
706 e = state[4];
707 f = state[5];
708 g = state[6];
709 h = state[7];
710
711 j = 0;
712 do {
713 BE_8_TO_64(W512[j], data);
714 data += 8;
715 /* Apply the SHA-512 compression function to update a..h */
716 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
717 T2 = Sigma0_512(a) + Maj(a, b, c);
718 h = g;
719 g = f;
720 f = e;
721 e = d + T1;
722 d = c;
723 c = b;
724 b = a;
725 a = T1 + T2;
726
727 j++;
728 } while (j < 16);
729
730 do {
731 /* Part of the message block expansion: */
732 s0 = W512[(j+1)&0x0f];
733 s0 = sigma0_512(s0);
734 s1 = W512[(j+14)&0x0f];
735 s1 = sigma1_512(s1);
736
737 /* Apply the SHA-512 compression function to update a..h */
738 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
739 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
740 T2 = Sigma0_512(a) + Maj(a, b, c);
741 h = g;
742 g = f;
743 f = e;
744 e = d + T1;
745 d = c;
746 c = b;
747 b = a;
748 a = T1 + T2;
749
750 j++;
751 } while (j < 80);
752
753 /* Compute the current intermediate hash value */
754 state[0] += a;
755 state[1] += b;
756 state[2] += c;
757 state[3] += d;
758 state[4] += e;
759 state[5] += f;
760 state[6] += g;
761 state[7] += h;
762
763 /* Clean up */
764 a = b = c = d = e = f = g = h = T1 = T2 = 0;
765 }
766
767 #endif /* SHA2_UNROLL_TRANSFORM */
768
769 void
770 SHA512Update(SHA2_CTX *context, const u_int8_t *data, size_t len)
771 {
772 size_t freespace, usedspace;
773
774 /* Calling with no data is valid (we do nothing) */
775 if (len == 0)
776 return;
777
778 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
779 if (usedspace > 0) {
780 /* Calculate how much free space is available in the buffer */
781 freespace = SHA512_BLOCK_LENGTH - usedspace;
782
783 if (len >= freespace) {
784 /* Fill the buffer completely and process it */
785 memcpy(&context->buffer[usedspace], data, freespace);
786 ADDINC128(context->bitcount, freespace << 3);
787 len -= freespace;
788 data += freespace;
789 SHA512Transform(context->state.st64, context->buffer);
790 } else {
791 /* The buffer is not yet full */
792 memcpy(&context->buffer[usedspace], data, len);
793 ADDINC128(context->bitcount, len << 3);
794 /* Clean up: */
795 usedspace = freespace = 0;
796 return;
797 }
798 }
799 while (len >= SHA512_BLOCK_LENGTH) {
800 /* Process as many complete blocks as we can */
801 SHA512Transform(context->state.st64, data);
802 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
803 len -= SHA512_BLOCK_LENGTH;
804 data += SHA512_BLOCK_LENGTH;
805 }
806 if (len > 0) {
807 /* There's left-overs, so save 'em */
808 memcpy(context->buffer, data, len);
809 ADDINC128(context->bitcount, len << 3);
810 }
811 /* Clean up: */
812 usedspace = freespace = 0;
813 }
814
815 void
816 SHA512Pad(SHA2_CTX *context)
817 {
818 unsigned int usedspace;
819
820 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
821 if (usedspace > 0) {
822 /* Begin padding with a 1 bit: */
823 context->buffer[usedspace++] = 0x80;
824
825 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
826 /* Set-up for the last transform: */
827 memset(&context->buffer[usedspace], 0, SHA512_SHORT_BLOCK_LENGTH - usedspace);
828 } else {
829 if (usedspace < SHA512_BLOCK_LENGTH) {
830 memset(&context->buffer[usedspace], 0, SHA512_BLOCK_LENGTH - usedspace);
831 }
832 /* Do second-to-last transform: */
833 SHA512Transform(context->state.st64, context->buffer);
834
835 /* And set-up for the last transform: */
836 memset(context->buffer, 0, SHA512_BLOCK_LENGTH - 2);
837 }
838 } else {
839 /* Prepare for final transform: */
840 memset(context->buffer, 0, SHA512_SHORT_BLOCK_LENGTH);
841
842 /* Begin padding with a 1 bit: */
843 *context->buffer = 0x80;
844 }
845 /* Store the length of input data (in bits) in big endian format: */
846 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH],
847 context->bitcount[1]);
848 BE_64_TO_8(&context->buffer[SHA512_SHORT_BLOCK_LENGTH + 8],
849 context->bitcount[0]);
850
851 /* Final transform: */
852 SHA512Transform(context->state.st64, context->buffer);
853
854 /* Clean up: */
855 usedspace = 0;
856 }
857
858 void
859 SHA512Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA2_CTX *context)
860 {
861 SHA512Pad(context);
862
863 #if BYTE_ORDER == LITTLE_ENDIAN
864 int i;
865
866 /* Convert TO host byte order */
867 for (i = 0; i < 8; i++)
868 BE_64_TO_8(digest + i * 8, context->state.st64[i]);
869 #else
870 memcpy(digest, context->state.st64, SHA512_DIGEST_LENGTH);
871 #endif
872 explicit_bzero(context, sizeof(*context));
873 }
874
875 #if !defined(SHA2_SMALL)
876
877 /*** SHA-384: *********************************************************/
878 void
879 SHA384Init(SHA2_CTX *context)
880 {
881 memcpy(context->state.st64, sha384_initial_hash_value,
882 sizeof(sha384_initial_hash_value));
883 memset(context->buffer, 0, sizeof(context->buffer));
884 context->bitcount[0] = context->bitcount[1] = 0;
885 }
886
887 __weak_alias(SHA384Transform, SHA512Transform);
888 __weak_alias(SHA384Update, SHA512Update);
889 __weak_alias(SHA384Pad, SHA512Pad);
890
891 void
892 SHA384Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA2_CTX *context)
893 {
894 SHA384Pad(context);
895
896 #if BYTE_ORDER == LITTLE_ENDIAN
897 int i;
898
899 /* Convert TO host byte order */
900 for (i = 0; i < 6; i++)
901 BE_64_TO_8(digest + i * 8, context->state.st64[i]);
902 #else
903 memcpy(digest, context->state.st64, SHA384_DIGEST_LENGTH);
904 #endif
905 /* Zero out state data */
906 explicit_bzero(context, sizeof(*context));
907 }
908 #endif /* !defined(SHA2_SMALL) */
Mirror of Cygwin-Setup