search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libcrypt - Internalize additional symbols
[dragonfly.git] / lib / libmd / sha512c.c
blob5eb50db9ca01061625b23b4780edad78a2baefd9
1 /*
2 * sha2.c
3 *
4 * Version 1.0.0beta1
5 *
6 * Written by Aaron D. Gifford <me@aarongifford.com>
7 *
8 * Copyright 2000 Aaron D. Gifford. All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the copyright holder nor the names of contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include <sys/cdefs.h>
36 #include <sys/endian.h>
37 #include <sys/types.h>
38 #include <strings.h>
39 #include <stdlib.h>
40 #include <string.h>
41 #include <assert.h>
42
43 #include "sha512.h"
44
45 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
46
47 /*
48 * Macro for incrementally adding the unsigned 64-bit integer n to the
49 * unsigned 128-bit integer (represented using a two-element array of
50 * 64-bit words):
51 */
52 #define ADDINC128(w,n) { \
53 (w)[0] += (sha2_word64)(n); \
54 if ((w)[0] < (n)) { \
55 (w)[1]++; \
56 } \
57 }
58
59 /*** ENDIAN REVERSAL MACROS *******************************************/
60 #if BYTE_ORDER == LITTLE_ENDIAN
61 #define REVERSE32(w,x) { \
62 sha2_word32 tmp = (w); \
63 tmp = (tmp >> 16) | (tmp << 16); \
64 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
65 }
66 #define REVERSE64(w,x) { \
67 sha2_word64 tmp = (w); \
68 tmp = (tmp >> 32) | (tmp << 32); \
69 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
70 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
71 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
72 ((tmp & 0x0000ffff0000ffffULL) << 16); \
73 }
74 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
75
76 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
77 #define R(b,x) ((x) >> (b))
78 /* 32-bit Rotate-right (used in SHA-256): */
79 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
80 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
81 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
82
83 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
84 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
85 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
86
87 /* Four of six logical functions used in SHA-384 and SHA-512: */
88 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
89 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
90 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
91 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
92
93 typedef u_int8_t sha2_byte; /* Exactly 1 byte */
94 typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
95 typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
96
97 /* Initial hash value H for SHA-384 */
98 static const sha2_word64 sha384_initial_hash_value[8] = {
99 0xcbbb9d5dc1059ed8ULL,
100 0x629a292a367cd507ULL,
101 0x9159015a3070dd17ULL,
102 0x152fecd8f70e5939ULL,
103 0x67332667ffc00b31ULL,
104 0x8eb44a8768581511ULL,
105 0xdb0c2e0d64f98fa7ULL,
106 0x47b5481dbefa4fa4ULL
107 };
108
109 /* Initial hash value H for SHA-512 */
110 static const sha2_word64 sha512_initial_hash_value[8] = {
111 0x6a09e667f3bcc908ULL,
112 0xbb67ae8584caa73bULL,
113 0x3c6ef372fe94f82bULL,
114 0xa54ff53a5f1d36f1ULL,
115 0x510e527fade682d1ULL,
116 0x9b05688c2b3e6c1fULL,
117 0x1f83d9abfb41bd6bULL,
118 0x5be0cd19137e2179ULL
119 };
120
121 #if 0
122 /*
123 * Constant used by SHA256/384/512_End() functions for converting the
124 * digest to a readable hexadecimal character string:
125 */
126 static const char *sha2_hex_digits = "0123456789abcdef";
127 #endif
128
129 /* Hash constant words K for SHA-384 and SHA-512: */
130 static const sha2_word64 K512[80] = {
131 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
132 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
133 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
134 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
135 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
136 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
137 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
138 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
139 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
140 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
141 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
142 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
143 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
144 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
145 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
146 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
147 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
148 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
149 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
150 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
151 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
152 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
153 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
154 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
155 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
156 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
157 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
158 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
159 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
160 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
161 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
162 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
163 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
164 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
165 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
166 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
167 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
168 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
169 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
170 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
171 };
172 /*** SHA-512: *********************************************************/
173 int SHA512_Init(SHA512_CTX* context) {
174 if (context == NULL) {
175 return 0;
176 }
177 bcopy(sha512_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
178 bzero(context->buffer, SHA512_BLOCK_LENGTH);
179 context->bitcount[0] = context->bitcount[1] = 0;
180 return 1;
181 }
182
183 /* Unrolled SHA-512 round macros: */
184 #if BYTE_ORDER == LITTLE_ENDIAN
185
186 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
187 REVERSE64(*data++, W512[j]); \
188 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
189 K512[j] + W512[j]; \
190 (d) += T1, \
191 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
192 j++
193
194
195 #else /* BYTE_ORDER == LITTLE_ENDIAN */
196
197 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
198 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
199 K512[j] + (W512[j] = *data++); \
200 (d) += T1; \
201 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
202 j++
203
204 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
205
206 #define ROUND512(a,b,c,d,e,f,g,h) \
207 s0 = W512[(j+1)&0x0f]; \
208 s0 = sigma0_512(s0); \
209 s1 = W512[(j+14)&0x0f]; \
210 s1 = sigma1_512(s1); \
211 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
212 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
213 (d) += T1; \
214 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
215 j++
216 static
217 void
218 SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
219 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
220 sha2_word64 T1 = 0, /*T2 = 0, */*W512 = (sha2_word64*)context->buffer;
221 int j;
222
223 /* Initialize registers with the prev. intermediate value */
224 a = context->state[0];
225 b = context->state[1];
226 c = context->state[2];
227 d = context->state[3];
228 e = context->state[4];
229 f = context->state[5];
230 g = context->state[6];
231 h = context->state[7];
232
233 j = 0;
234 do {
235 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
236 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
237 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
238 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
239 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
240 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
241 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
242 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
243 } while (j < 16);
244
245 /* Now for the remaining rounds up to 79: */
246 do {
247 ROUND512(a,b,c,d,e,f,g,h);
248 ROUND512(h,a,b,c,d,e,f,g);
249 ROUND512(g,h,a,b,c,d,e,f);
250 ROUND512(f,g,h,a,b,c,d,e);
251 ROUND512(e,f,g,h,a,b,c,d);
252 ROUND512(d,e,f,g,h,a,b,c);
253 ROUND512(c,d,e,f,g,h,a,b);
254 ROUND512(b,c,d,e,f,g,h,a);
255 } while (j < 80);
256
257 /* Compute the current intermediate hash value */
258 context->state[0] += a;
259 context->state[1] += b;
260 context->state[2] += c;
261 context->state[3] += d;
262 context->state[4] += e;
263 context->state[5] += f;
264 context->state[6] += g;
265 context->state[7] += h;
266
267 /* Clean up */
268 a = b = c = d = e = f = g = h = T1 = 0;
269 }
270
271 void SHA512_Update(SHA512_CTX* context, const void *data_arg, size_t len) {
272 const sha2_byte *data = (const sha2_byte *)data_arg;
273 unsigned int freespace, usedspace;
274
275 if (len == 0) {
276 /* Calling with no data is valid - we do nothing */
277 return;
278 }
279
280 /* Sanity check: */
281 assert(context != NULL && data != NULL);
282
283 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
284 if (usedspace > 0) {
285 /* Calculate how much free space is available in the buffer */
286 freespace = SHA512_BLOCK_LENGTH - usedspace;
287
288 if (len >= freespace) {
289 /* Fill the buffer completely and process it */
290 bcopy(data, &context->buffer[usedspace], freespace);
291 ADDINC128(context->bitcount, freespace << 3);
292 len -= freespace;
293 data += freespace;
294 SHA512_Transform(context, (sha2_word64*)context->buffer);
295 } else {
296 /* The buffer is not yet full */
297 bcopy(data, &context->buffer[usedspace], len);
298 ADDINC128(context->bitcount, len << 3);
299 /* Clean up: */
300 usedspace = freespace = 0;
301 return;
302 }
303 }
304 while (len >= SHA512_BLOCK_LENGTH) {
305 /* Process as many complete blocks as we can */
306 SHA512_Transform(context, (const sha2_word64*)data);
307 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
308 len -= SHA512_BLOCK_LENGTH;
309 data += SHA512_BLOCK_LENGTH;
310 }
311 if (len > 0) {
312 /* There's left-overs, so save 'em */
313 bcopy(data, context->buffer, len);
314 ADDINC128(context->bitcount, len << 3);
315 }
316 /* Clean up: */
317 usedspace = freespace = 0;
318 }
319
320 static
321 void SHA512_Last(SHA512_CTX* context) {
322 unsigned int usedspace;
323
324 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
325 #if BYTE_ORDER == LITTLE_ENDIAN
326 /* Convert FROM host byte order */
327 REVERSE64(context->bitcount[0],context->bitcount[0]);
328 REVERSE64(context->bitcount[1],context->bitcount[1]);
329 #endif
330 if (usedspace > 0) {
331 /* Begin padding with a 1 bit: */
332 context->buffer[usedspace++] = 0x80;
333
334 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
335 /* Set-up for the last transform: */
336 bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
337 } else {
338 if (usedspace < SHA512_BLOCK_LENGTH) {
339 bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
340 }
341 /* Do second-to-last transform: */
342 SHA512_Transform(context, (sha2_word64*)context->buffer);
343
344 /* And set-up for the last transform: */
345 bzero(context->buffer, SHA512_BLOCK_LENGTH - 2);
346 }
347 } else {
348 /* Prepare for final transform: */
349 bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
350
351 /* Begin padding with a 1 bit: */
352 *context->buffer = 0x80;
353 }
354 /* Store the length of input data (in bits): */
355 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
356 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
357
358 /* Final transform: */
359 SHA512_Transform(context, (sha2_word64*)context->buffer);
360 }
361
362 void SHA512_Final(unsigned char digest[], SHA512_CTX* context) {
363 sha2_word64 *d = (sha2_word64*)digest;
364
365 /* Sanity check: */
366 assert(context != NULL);
367
368 /* If no digest buffer is passed, we don't bother doing this: */
369 if (digest != NULL) {
370 SHA512_Last(context);
371
372 /* Save the hash data for output: */
373 #if BYTE_ORDER == LITTLE_ENDIAN
374 {
375 /* Convert TO host byte order */
376 int j;
377 for (j = 0; j < 8; j++) {
378 REVERSE64(context->state[j],context->state[j]);
379 *d++ = context->state[j];
380 }
381 }
382 #else
383 bcopy(context->state, d, SHA512_DIGEST_LENGTH);
384 #endif
385 }
386
387 /* Zero out state data */
388 bzero(context, sizeof(*context));
389 }
390
391 #if 0
392 char *SHA512_End(SHA512_CTX* context, char *buffer) {
393 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
394 int i;
395
396 /* Sanity check: */
397 assert(context != NULL);
398
399 if (buffer != NULL) {
400 SHA512_Final(digest, context);
401
402 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
403 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
404 *buffer++ = sha2_hex_digits[*d & 0x0f];
405 d++;
406 }
407 *buffer = (char)0;
408 } else {
409 bzero(context, sizeof(*context));
410 }
411 bzero(digest, SHA512_DIGEST_LENGTH);
412 return buffer;
413 }
414
415 char* SHA512_Data(const void *data, size_t len, char *digest) {
416 SHA512_CTX context;
417
418 SHA512_Init(&context);
419 SHA512_Update(&context, data, len);
420 return SHA512_End(&context, digest);
421 }
422 #endif
423
424
425 /*** SHA-384: *********************************************************/
426 int SHA384_Init(SHA384_CTX* context) {
427 if (context == NULL) {
428 return 0;
429 }
430 bcopy(sha384_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
431 bzero(context->buffer, SHA384_BLOCK_LENGTH);
432 context->bitcount[0] = context->bitcount[1] = 0;
433 return 1;
434 }
435
436 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
437 SHA512_Update((SHA512_CTX*)context, data, len);
438 }
439
440 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
441 sha2_word64 *d = (sha2_word64*)digest;
442
443 /* Sanity check: */
444 assert(context != NULL);
445
446 /* If no digest buffer is passed, we don't bother doing this: */
447 if (digest != NULL) {
448 SHA512_Last((SHA512_CTX*)context);
449
450 /* Save the hash data for output: */
451 #if BYTE_ORDER == LITTLE_ENDIAN
452 {
453 /* Convert TO host byte order */
454 int j;
455 for (j = 0; j < 6; j++) {
456 REVERSE64(context->state[j],context->state[j]);
457 *d++ = context->state[j];
458 }
459 }
460 #else
461 bcopy(context->state, d, SHA384_DIGEST_LENGTH);
462 #endif
463 }
464
465 /* Zero out state data */
466 bzero(context, sizeof(*context));
467 }
468
469 #if 0
470 char *SHA384_End(SHA384_CTX* context, char buffer[]) {
471 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
472 int i;
473
474 /* Sanity check: */
475 assert(context != NULL);
476
477 if (buffer != NULL) {
478 SHA384_Final(digest, context);
479
480 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
481 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
482 *buffer++ = sha2_hex_digits[*d & 0x0f];
483 d++;
484 }
485 *buffer = (char)0;
486 } else {
487 bzero(context, sizeof(*context));
488 }
489 bzero(digest, SHA384_DIGEST_LENGTH);
490 return buffer;
491 }
492
493 char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
494 SHA384_CTX context;
495
496 SHA384_Init(&context);
497 SHA384_Update(&context, data, len);
498 return SHA384_End(&context, digest);
499 }
500 #endif
DragonFly BSD