3 * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/
5 * Copyright (c) 2000-2001, Aaron D. Gifford
8 * Modified by Jelte Jansen to fit in ldns, and not clash with any
9 * system-defined SHA code.
11 * - Renamed (external) functions and constants to fit ldns style
12 * - Removed _End and _Data functions
13 * - Added ldns_shaX(data, len, digest) convenience functions
14 * - Removed prototypes of _Transform functions and made those static
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
21 * 2. Redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in the
23 * documentation and/or other materials provided with the distribution.
24 * 3. Neither the name of the copyright holder nor the names of contributors
25 * may be used to endorse or promote products derived from this software
26 * without specific prior written permission.
28 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 * $Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
43 #include <ldns/config.h>
44 #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
45 #include <assert.h> /* assert() */
46 #include <ldns/sha2.h>
50 * Some sanity checking code is included using assert(). On my FreeBSD
51 * system, this additional code can be removed by compiling with NDEBUG
52 * defined. Check your own systems manpage on assert() to see how to
53 * compile WITHOUT the sanity checking code on your system.
55 * UNROLLED TRANSFORM LOOP NOTE:
56 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
57 * loop version for the hash transform rounds (defined using macros
58 * later in this file). Either define on the command line, for example:
60 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
64 * #define SHA2_UNROLL_TRANSFORM
69 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
73 * Please make sure that your system defines BYTE_ORDER. If your
74 * architecture is little-endian, make sure it also defines
75 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
78 * If your system does not define the above, then you can do so by
81 * #define LITTLE_ENDIAN 1234
82 * #define BIG_ENDIAN 4321
84 * And for little-endian machines, add:
86 * #define BYTE_ORDER LITTLE_ENDIAN
88 * Or for big-endian machines:
90 * #define BYTE_ORDER BIG_ENDIAN
92 * The FreeBSD machine this was written on defines BYTE_ORDER
93 * appropriately by including <sys/types.h> (which in turn includes
94 * <machine/endian.h> where the appropriate definitions are actually
97 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
98 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
101 typedef uint8_t sha2_byte
; /* Exactly 1 byte */
102 typedef uint32_t sha2_word32
; /* Exactly 4 bytes */
104 typedef unsigned long long sha2_word64
; /* lint 8 bytes */
106 typedef uint64_t sha2_word64
; /* Exactly 8 bytes */
109 /*** SHA-256/384/512 Various Length Definitions ***********************/
110 /* NOTE: Most of these are in sha2.h */
111 #define ldns_sha256_SHORT_BLOCK_LENGTH (LDNS_SHA256_BLOCK_LENGTH - 8)
112 #define ldns_sha384_SHORT_BLOCK_LENGTH (LDNS_SHA384_BLOCK_LENGTH - 16)
113 #define ldns_sha512_SHORT_BLOCK_LENGTH (LDNS_SHA512_BLOCK_LENGTH - 16)
116 /*** ENDIAN REVERSAL MACROS *******************************************/
117 #if BYTE_ORDER == LITTLE_ENDIAN
118 #define REVERSE32(w,x) { \
119 sha2_word32 tmp = (w); \
120 tmp = (tmp >> 16) | (tmp << 16); \
121 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
124 #define REVERSE64(w,x) { \
125 sha2_word64 tmp = (w); \
126 tmp = (tmp >> 32) | (tmp << 32); \
127 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
128 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
129 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
130 ((tmp & 0x0000ffff0000ffffULL) << 16); \
133 #define REVERSE64(w,x) /* splint */
135 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
138 * Macro for incrementally adding the unsigned 64-bit integer n to the
139 * unsigned 128-bit integer (represented using a two-element array of
142 #define ADDINC128(w,n) { \
143 (w)[0] += (sha2_word64)(n); \
144 if ((w)[0] < (n)) { \
150 #define ADDINC128(w,n) /* splint */
154 * Macros for copying blocks of memory and for zeroing out ranges
155 * of memory. Using these macros makes it easy to switch from
156 * using memset()/memcpy() and using bzero()/bcopy().
158 * Please define either SHA2_USE_MEMSET_MEMCPY or define
159 * SHA2_USE_BZERO_BCOPY depending on which function set you
162 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
163 /* Default to memset()/memcpy() if no option is specified */
164 #define SHA2_USE_MEMSET_MEMCPY 1
166 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
167 /* Abort with an error if BOTH options are defined */
168 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
171 #ifdef SHA2_USE_MEMSET_MEMCPY
172 #define MEMSET_BZERO(p,l) memset((p), 0, (l))
173 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
175 #ifdef SHA2_USE_BZERO_BCOPY
176 #define MEMSET_BZERO(p,l) bzero((p), (l))
177 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
181 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
183 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
185 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
186 * S is a ROTATION) because the SHA-256/384/512 description document
187 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
188 * same "backwards" definition.
190 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
191 #define R(b,x) ((x) >> (b))
192 /* 32-bit Rotate-right (used in SHA-256): */
193 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
194 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
195 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
197 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
198 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
199 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
201 /* Four of six logical functions used in SHA-256: */
202 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
203 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
204 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
205 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
207 /* Four of six logical functions used in SHA-384 and SHA-512: */
208 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
209 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
210 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
211 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
213 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
214 /* Hash constant words K for SHA-256: */
215 static const sha2_word32 K256
[64] = {
216 0x428a2f98UL
, 0x71374491UL
, 0xb5c0fbcfUL
, 0xe9b5dba5UL
,
217 0x3956c25bUL
, 0x59f111f1UL
, 0x923f82a4UL
, 0xab1c5ed5UL
,
218 0xd807aa98UL
, 0x12835b01UL
, 0x243185beUL
, 0x550c7dc3UL
,
219 0x72be5d74UL
, 0x80deb1feUL
, 0x9bdc06a7UL
, 0xc19bf174UL
,
220 0xe49b69c1UL
, 0xefbe4786UL
, 0x0fc19dc6UL
, 0x240ca1ccUL
,
221 0x2de92c6fUL
, 0x4a7484aaUL
, 0x5cb0a9dcUL
, 0x76f988daUL
,
222 0x983e5152UL
, 0xa831c66dUL
, 0xb00327c8UL
, 0xbf597fc7UL
,
223 0xc6e00bf3UL
, 0xd5a79147UL
, 0x06ca6351UL
, 0x14292967UL
,
224 0x27b70a85UL
, 0x2e1b2138UL
, 0x4d2c6dfcUL
, 0x53380d13UL
,
225 0x650a7354UL
, 0x766a0abbUL
, 0x81c2c92eUL
, 0x92722c85UL
,
226 0xa2bfe8a1UL
, 0xa81a664bUL
, 0xc24b8b70UL
, 0xc76c51a3UL
,
227 0xd192e819UL
, 0xd6990624UL
, 0xf40e3585UL
, 0x106aa070UL
,
228 0x19a4c116UL
, 0x1e376c08UL
, 0x2748774cUL
, 0x34b0bcb5UL
,
229 0x391c0cb3UL
, 0x4ed8aa4aUL
, 0x5b9cca4fUL
, 0x682e6ff3UL
,
230 0x748f82eeUL
, 0x78a5636fUL
, 0x84c87814UL
, 0x8cc70208UL
,
231 0x90befffaUL
, 0xa4506cebUL
, 0xbef9a3f7UL
, 0xc67178f2UL
234 /* initial hash value H for SHA-256: */
235 static const sha2_word32 ldns_sha256_initial_hash_value
[8] = {
246 /* Hash constant words K for SHA-384 and SHA-512: */
247 static const sha2_word64 K512
[80] = {
248 0x428a2f98d728ae22ULL
, 0x7137449123ef65cdULL
,
249 0xb5c0fbcfec4d3b2fULL
, 0xe9b5dba58189dbbcULL
,
250 0x3956c25bf348b538ULL
, 0x59f111f1b605d019ULL
,
251 0x923f82a4af194f9bULL
, 0xab1c5ed5da6d8118ULL
,
252 0xd807aa98a3030242ULL
, 0x12835b0145706fbeULL
,
253 0x243185be4ee4b28cULL
, 0x550c7dc3d5ffb4e2ULL
,
254 0x72be5d74f27b896fULL
, 0x80deb1fe3b1696b1ULL
,
255 0x9bdc06a725c71235ULL
, 0xc19bf174cf692694ULL
,
256 0xe49b69c19ef14ad2ULL
, 0xefbe4786384f25e3ULL
,
257 0x0fc19dc68b8cd5b5ULL
, 0x240ca1cc77ac9c65ULL
,
258 0x2de92c6f592b0275ULL
, 0x4a7484aa6ea6e483ULL
,
259 0x5cb0a9dcbd41fbd4ULL
, 0x76f988da831153b5ULL
,
260 0x983e5152ee66dfabULL
, 0xa831c66d2db43210ULL
,
261 0xb00327c898fb213fULL
, 0xbf597fc7beef0ee4ULL
,
262 0xc6e00bf33da88fc2ULL
, 0xd5a79147930aa725ULL
,
263 0x06ca6351e003826fULL
, 0x142929670a0e6e70ULL
,
264 0x27b70a8546d22ffcULL
, 0x2e1b21385c26c926ULL
,
265 0x4d2c6dfc5ac42aedULL
, 0x53380d139d95b3dfULL
,
266 0x650a73548baf63deULL
, 0x766a0abb3c77b2a8ULL
,
267 0x81c2c92e47edaee6ULL
, 0x92722c851482353bULL
,
268 0xa2bfe8a14cf10364ULL
, 0xa81a664bbc423001ULL
,
269 0xc24b8b70d0f89791ULL
, 0xc76c51a30654be30ULL
,
270 0xd192e819d6ef5218ULL
, 0xd69906245565a910ULL
,
271 0xf40e35855771202aULL
, 0x106aa07032bbd1b8ULL
,
272 0x19a4c116b8d2d0c8ULL
, 0x1e376c085141ab53ULL
,
273 0x2748774cdf8eeb99ULL
, 0x34b0bcb5e19b48a8ULL
,
274 0x391c0cb3c5c95a63ULL
, 0x4ed8aa4ae3418acbULL
,
275 0x5b9cca4f7763e373ULL
, 0x682e6ff3d6b2b8a3ULL
,
276 0x748f82ee5defb2fcULL
, 0x78a5636f43172f60ULL
,
277 0x84c87814a1f0ab72ULL
, 0x8cc702081a6439ecULL
,
278 0x90befffa23631e28ULL
, 0xa4506cebde82bde9ULL
,
279 0xbef9a3f7b2c67915ULL
, 0xc67178f2e372532bULL
,
280 0xca273eceea26619cULL
, 0xd186b8c721c0c207ULL
,
281 0xeada7dd6cde0eb1eULL
, 0xf57d4f7fee6ed178ULL
,
282 0x06f067aa72176fbaULL
, 0x0a637dc5a2c898a6ULL
,
283 0x113f9804bef90daeULL
, 0x1b710b35131c471bULL
,
284 0x28db77f523047d84ULL
, 0x32caab7b40c72493ULL
,
285 0x3c9ebe0a15c9bebcULL
, 0x431d67c49c100d4cULL
,
286 0x4cc5d4becb3e42b6ULL
, 0x597f299cfc657e2aULL
,
287 0x5fcb6fab3ad6faecULL
, 0x6c44198c4a475817ULL
290 /* initial hash value H for SHA-384 */
291 static const sha2_word64 sha384_initial_hash_value
[8] = {
292 0xcbbb9d5dc1059ed8ULL
,
293 0x629a292a367cd507ULL
,
294 0x9159015a3070dd17ULL
,
295 0x152fecd8f70e5939ULL
,
296 0x67332667ffc00b31ULL
,
297 0x8eb44a8768581511ULL
,
298 0xdb0c2e0d64f98fa7ULL
,
299 0x47b5481dbefa4fa4ULL
302 /* initial hash value H for SHA-512 */
303 static const sha2_word64 sha512_initial_hash_value
[8] = {
304 0x6a09e667f3bcc908ULL
,
305 0xbb67ae8584caa73bULL
,
306 0x3c6ef372fe94f82bULL
,
307 0xa54ff53a5f1d36f1ULL
,
308 0x510e527fade682d1ULL
,
309 0x9b05688c2b3e6c1fULL
,
310 0x1f83d9abfb41bd6bULL
,
311 0x5be0cd19137e2179ULL
314 /*** SHA-256: *********************************************************/
315 void ldns_sha256_init(ldns_sha256_CTX
* context
) {
316 if (context
== (ldns_sha256_CTX
*)0) {
319 MEMCPY_BCOPY(context
->state
, ldns_sha256_initial_hash_value
, LDNS_SHA256_DIGEST_LENGTH
);
320 MEMSET_BZERO(context
->buffer
, LDNS_SHA256_BLOCK_LENGTH
);
321 context
->bitcount
= 0;
324 #ifdef SHA2_UNROLL_TRANSFORM
326 /* Unrolled SHA-256 round macros: */
328 #if BYTE_ORDER == LITTLE_ENDIAN
330 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
331 REVERSE32(*data++, W256[j]); \
332 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
335 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
339 #else /* BYTE_ORDER == LITTLE_ENDIAN */
341 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
342 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
343 K256[j] + (W256[j] = *data++); \
345 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
348 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
350 #define ROUND256(a,b,c,d,e,f,g,h) \
351 s0 = W256[(j+1)&0x0f]; \
352 s0 = sigma0_256(s0); \
353 s1 = W256[(j+14)&0x0f]; \
354 s1 = sigma1_256(s1); \
355 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
356 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
358 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
361 static void ldns_sha256_Transform(ldns_sha256_CTX
* context
,
362 const sha2_word32
* data
) {
363 sha2_word32 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
364 sha2_word32 T1
, *W256
;
367 W256
= (sha2_word32
*)context
->buffer
;
369 /* initialize registers with the prev. intermediate value */
370 a
= context
->state
[0];
371 b
= context
->state
[1];
372 c
= context
->state
[2];
373 d
= context
->state
[3];
374 e
= context
->state
[4];
375 f
= context
->state
[5];
376 g
= context
->state
[6];
377 h
= context
->state
[7];
381 /* Rounds 0 to 15 (unrolled): */
382 ROUND256_0_TO_15(a
,b
,c
,d
,e
,f
,g
,h
);
383 ROUND256_0_TO_15(h
,a
,b
,c
,d
,e
,f
,g
);
384 ROUND256_0_TO_15(g
,h
,a
,b
,c
,d
,e
,f
);
385 ROUND256_0_TO_15(f
,g
,h
,a
,b
,c
,d
,e
);
386 ROUND256_0_TO_15(e
,f
,g
,h
,a
,b
,c
,d
);
387 ROUND256_0_TO_15(d
,e
,f
,g
,h
,a
,b
,c
);
388 ROUND256_0_TO_15(c
,d
,e
,f
,g
,h
,a
,b
);
389 ROUND256_0_TO_15(b
,c
,d
,e
,f
,g
,h
,a
);
392 /* Now for the remaining rounds to 64: */
394 ROUND256(a
,b
,c
,d
,e
,f
,g
,h
);
395 ROUND256(h
,a
,b
,c
,d
,e
,f
,g
);
396 ROUND256(g
,h
,a
,b
,c
,d
,e
,f
);
397 ROUND256(f
,g
,h
,a
,b
,c
,d
,e
);
398 ROUND256(e
,f
,g
,h
,a
,b
,c
,d
);
399 ROUND256(d
,e
,f
,g
,h
,a
,b
,c
);
400 ROUND256(c
,d
,e
,f
,g
,h
,a
,b
);
401 ROUND256(b
,c
,d
,e
,f
,g
,h
,a
);
404 /* Compute the current intermediate hash value */
405 context
->state
[0] += a
;
406 context
->state
[1] += b
;
407 context
->state
[2] += c
;
408 context
->state
[3] += d
;
409 context
->state
[4] += e
;
410 context
->state
[5] += f
;
411 context
->state
[6] += g
;
412 context
->state
[7] += h
;
415 a
= b
= c
= d
= e
= f
= g
= h
= T1
= 0;
418 #else /* SHA2_UNROLL_TRANSFORM */
420 static void ldns_sha256_Transform(ldns_sha256_CTX
* context
,
421 const sha2_word32
* data
) {
422 sha2_word32 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
423 sha2_word32 T1
, T2
, *W256
;
426 W256
= (sha2_word32
*)context
->buffer
;
428 /* initialize registers with the prev. intermediate value */
429 a
= context
->state
[0];
430 b
= context
->state
[1];
431 c
= context
->state
[2];
432 d
= context
->state
[3];
433 e
= context
->state
[4];
434 f
= context
->state
[5];
435 g
= context
->state
[6];
436 h
= context
->state
[7];
440 #if BYTE_ORDER == LITTLE_ENDIAN
441 /* Copy data while converting to host byte order */
442 REVERSE32(*data
++,W256
[j
]);
443 /* Apply the SHA-256 compression function to update a..h */
444 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] + W256
[j
];
445 #else /* BYTE_ORDER == LITTLE_ENDIAN */
446 /* Apply the SHA-256 compression function to update a..h with copy */
447 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] + (W256
[j
] = *data
++);
448 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
449 T2
= Sigma0_256(a
) + Maj(a
, b
, c
);
463 /* Part of the message block expansion: */
464 s0
= W256
[(j
+1)&0x0f];
466 s1
= W256
[(j
+14)&0x0f];
469 /* Apply the SHA-256 compression function to update a..h */
470 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] +
471 (W256
[j
&0x0f] += s1
+ W256
[(j
+9)&0x0f] + s0
);
472 T2
= Sigma0_256(a
) + Maj(a
, b
, c
);
485 /* Compute the current intermediate hash value */
486 context
->state
[0] += a
;
487 context
->state
[1] += b
;
488 context
->state
[2] += c
;
489 context
->state
[3] += d
;
490 context
->state
[4] += e
;
491 context
->state
[5] += f
;
492 context
->state
[6] += g
;
493 context
->state
[7] += h
;
496 a
= b
= c
= d
= e
= f
= g
= h
= T1
= T2
= 0;
499 #endif /* SHA2_UNROLL_TRANSFORM */
501 void ldns_sha256_update(ldns_sha256_CTX
* context
, const sha2_byte
*data
, size_t len
) {
502 size_t freespace
, usedspace
;
505 /* Calling with no data is valid - we do nothing */
510 assert(context
!= (ldns_sha256_CTX
*)0 && data
!= (sha2_byte
*)0);
512 usedspace
= (context
->bitcount
>> 3) % LDNS_SHA256_BLOCK_LENGTH
;
514 /* Calculate how much free space is available in the buffer */
515 freespace
= LDNS_SHA256_BLOCK_LENGTH
- usedspace
;
517 if (len
>= freespace
) {
518 /* Fill the buffer completely and process it */
519 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, freespace
);
520 context
->bitcount
+= freespace
<< 3;
523 ldns_sha256_Transform(context
, (sha2_word32
*)context
->buffer
);
525 /* The buffer is not yet full */
526 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, len
);
527 context
->bitcount
+= len
<< 3;
529 usedspace
= freespace
= 0;
533 while (len
>= LDNS_SHA256_BLOCK_LENGTH
) {
534 /* Process as many complete blocks as we can */
535 ldns_sha256_Transform(context
, (sha2_word32
*)data
);
536 context
->bitcount
+= LDNS_SHA256_BLOCK_LENGTH
<< 3;
537 len
-= LDNS_SHA256_BLOCK_LENGTH
;
538 data
+= LDNS_SHA256_BLOCK_LENGTH
;
541 /* There's left-overs, so save 'em */
542 MEMCPY_BCOPY(context
->buffer
, data
, len
);
543 context
->bitcount
+= len
<< 3;
546 usedspace
= freespace
= 0;
549 void ldns_sha256_final(sha2_byte digest
[], ldns_sha256_CTX
* context
) {
550 sha2_word32
*d
= (sha2_word32
*)digest
;
554 assert(context
!= (ldns_sha256_CTX
*)0);
556 /* If no digest buffer is passed, we don't bother doing this: */
557 if (digest
!= (sha2_byte
*)0) {
558 usedspace
= (context
->bitcount
>> 3) % LDNS_SHA256_BLOCK_LENGTH
;
559 #if BYTE_ORDER == LITTLE_ENDIAN
560 /* Convert FROM host byte order */
561 REVERSE64(context
->bitcount
,context
->bitcount
);
564 /* Begin padding with a 1 bit: */
565 context
->buffer
[usedspace
++] = 0x80;
567 if (usedspace
<= ldns_sha256_SHORT_BLOCK_LENGTH
) {
568 /* Set-up for the last transform: */
569 MEMSET_BZERO(&context
->buffer
[usedspace
], ldns_sha256_SHORT_BLOCK_LENGTH
- usedspace
);
571 if (usedspace
< LDNS_SHA256_BLOCK_LENGTH
) {
572 MEMSET_BZERO(&context
->buffer
[usedspace
], LDNS_SHA256_BLOCK_LENGTH
- usedspace
);
574 /* Do second-to-last transform: */
575 ldns_sha256_Transform(context
, (sha2_word32
*)context
->buffer
);
577 /* And set-up for the last transform: */
578 MEMSET_BZERO(context
->buffer
, ldns_sha256_SHORT_BLOCK_LENGTH
);
581 /* Set-up for the last transform: */
582 MEMSET_BZERO(context
->buffer
, ldns_sha256_SHORT_BLOCK_LENGTH
);
584 /* Begin padding with a 1 bit: */
585 *context
->buffer
= 0x80;
587 /* Set the bit count: */
588 *(sha2_word64
*)&context
->buffer
[ldns_sha256_SHORT_BLOCK_LENGTH
] = context
->bitcount
;
590 /* final transform: */
591 ldns_sha256_Transform(context
, (sha2_word32
*)context
->buffer
);
593 #if BYTE_ORDER == LITTLE_ENDIAN
595 /* Convert TO host byte order */
597 for (j
= 0; j
< 8; j
++) {
598 REVERSE32(context
->state
[j
],context
->state
[j
]);
599 *d
++ = context
->state
[j
];
603 MEMCPY_BCOPY(d
, context
->state
, LDNS_SHA256_DIGEST_LENGTH
);
607 /* Clean up state data: */
608 MEMSET_BZERO(context
, sizeof(ldns_sha256_CTX
));
613 ldns_sha256(unsigned char *data
, unsigned int data_len
, unsigned char *digest
)
616 ldns_sha256_init(&ctx
);
617 ldns_sha256_update(&ctx
, data
, data_len
);
618 ldns_sha256_final(digest
, &ctx
);
622 /*** SHA-512: *********************************************************/
623 void ldns_sha512_init(ldns_sha512_CTX
* context
) {
624 if (context
== (ldns_sha512_CTX
*)0) {
627 MEMCPY_BCOPY(context
->state
, sha512_initial_hash_value
, LDNS_SHA512_DIGEST_LENGTH
);
628 MEMSET_BZERO(context
->buffer
, LDNS_SHA512_BLOCK_LENGTH
);
629 context
->bitcount
[0] = context
->bitcount
[1] = 0;
632 #ifdef SHA2_UNROLL_TRANSFORM
634 /* Unrolled SHA-512 round macros: */
635 #if BYTE_ORDER == LITTLE_ENDIAN
637 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
638 REVERSE64(*data++, W512[j]); \
639 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
642 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
646 #else /* BYTE_ORDER == LITTLE_ENDIAN */
648 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
649 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
650 K512[j] + (W512[j] = *data++); \
652 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
655 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
657 #define ROUND512(a,b,c,d,e,f,g,h) \
658 s0 = W512[(j+1)&0x0f]; \
659 s0 = sigma0_512(s0); \
660 s1 = W512[(j+14)&0x0f]; \
661 s1 = sigma1_512(s1); \
662 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
663 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
665 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
668 static void ldns_sha512_Transform(ldns_sha512_CTX
* context
,
669 const sha2_word64
* data
) {
670 sha2_word64 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
671 sha2_word64 T1
, *W512
= (sha2_word64
*)context
->buffer
;
674 /* initialize registers with the prev. intermediate value */
675 a
= context
->state
[0];
676 b
= context
->state
[1];
677 c
= context
->state
[2];
678 d
= context
->state
[3];
679 e
= context
->state
[4];
680 f
= context
->state
[5];
681 g
= context
->state
[6];
682 h
= context
->state
[7];
686 ROUND512_0_TO_15(a
,b
,c
,d
,e
,f
,g
,h
);
687 ROUND512_0_TO_15(h
,a
,b
,c
,d
,e
,f
,g
);
688 ROUND512_0_TO_15(g
,h
,a
,b
,c
,d
,e
,f
);
689 ROUND512_0_TO_15(f
,g
,h
,a
,b
,c
,d
,e
);
690 ROUND512_0_TO_15(e
,f
,g
,h
,a
,b
,c
,d
);
691 ROUND512_0_TO_15(d
,e
,f
,g
,h
,a
,b
,c
);
692 ROUND512_0_TO_15(c
,d
,e
,f
,g
,h
,a
,b
);
693 ROUND512_0_TO_15(b
,c
,d
,e
,f
,g
,h
,a
);
696 /* Now for the remaining rounds up to 79: */
698 ROUND512(a
,b
,c
,d
,e
,f
,g
,h
);
699 ROUND512(h
,a
,b
,c
,d
,e
,f
,g
);
700 ROUND512(g
,h
,a
,b
,c
,d
,e
,f
);
701 ROUND512(f
,g
,h
,a
,b
,c
,d
,e
);
702 ROUND512(e
,f
,g
,h
,a
,b
,c
,d
);
703 ROUND512(d
,e
,f
,g
,h
,a
,b
,c
);
704 ROUND512(c
,d
,e
,f
,g
,h
,a
,b
);
705 ROUND512(b
,c
,d
,e
,f
,g
,h
,a
);
708 /* Compute the current intermediate hash value */
709 context
->state
[0] += a
;
710 context
->state
[1] += b
;
711 context
->state
[2] += c
;
712 context
->state
[3] += d
;
713 context
->state
[4] += e
;
714 context
->state
[5] += f
;
715 context
->state
[6] += g
;
716 context
->state
[7] += h
;
719 a
= b
= c
= d
= e
= f
= g
= h
= T1
= 0;
722 #else /* SHA2_UNROLL_TRANSFORM */
724 static void ldns_sha512_Transform(ldns_sha512_CTX
* context
,
725 const sha2_word64
* data
) {
726 sha2_word64 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
727 sha2_word64 T1
, T2
, *W512
= (sha2_word64
*)context
->buffer
;
730 /* initialize registers with the prev. intermediate value */
731 a
= context
->state
[0];
732 b
= context
->state
[1];
733 c
= context
->state
[2];
734 d
= context
->state
[3];
735 e
= context
->state
[4];
736 f
= context
->state
[5];
737 g
= context
->state
[6];
738 h
= context
->state
[7];
742 #if BYTE_ORDER == LITTLE_ENDIAN
743 /* Convert TO host byte order */
744 REVERSE64(*data
++, W512
[j
]);
745 /* Apply the SHA-512 compression function to update a..h */
746 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] + W512
[j
];
747 #else /* BYTE_ORDER == LITTLE_ENDIAN */
748 /* Apply the SHA-512 compression function to update a..h with copy */
749 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] + (W512
[j
] = *data
++);
750 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
751 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
765 /* Part of the message block expansion: */
766 s0
= W512
[(j
+1)&0x0f];
768 s1
= W512
[(j
+14)&0x0f];
771 /* Apply the SHA-512 compression function to update a..h */
772 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] +
773 (W512
[j
&0x0f] += s1
+ W512
[(j
+9)&0x0f] + s0
);
774 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
787 /* Compute the current intermediate hash value */
788 context
->state
[0] += a
;
789 context
->state
[1] += b
;
790 context
->state
[2] += c
;
791 context
->state
[3] += d
;
792 context
->state
[4] += e
;
793 context
->state
[5] += f
;
794 context
->state
[6] += g
;
795 context
->state
[7] += h
;
798 a
= b
= c
= d
= e
= f
= g
= h
= T1
= T2
= 0;
801 #endif /* SHA2_UNROLL_TRANSFORM */
803 void ldns_sha512_update(ldns_sha512_CTX
* context
, const sha2_byte
*data
, size_t len
) {
804 size_t freespace
, usedspace
;
807 /* Calling with no data is valid - we do nothing */
812 assert(context
!= (ldns_sha512_CTX
*)0 && data
!= (sha2_byte
*)0);
814 usedspace
= (context
->bitcount
[0] >> 3) % LDNS_SHA512_BLOCK_LENGTH
;
816 /* Calculate how much free space is available in the buffer */
817 freespace
= LDNS_SHA512_BLOCK_LENGTH
- usedspace
;
819 if (len
>= freespace
) {
820 /* Fill the buffer completely and process it */
821 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, freespace
);
822 ADDINC128(context
->bitcount
, freespace
<< 3);
825 ldns_sha512_Transform(context
, (sha2_word64
*)context
->buffer
);
827 /* The buffer is not yet full */
828 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, len
);
829 ADDINC128(context
->bitcount
, len
<< 3);
831 usedspace
= freespace
= 0;
835 while (len
>= LDNS_SHA512_BLOCK_LENGTH
) {
836 /* Process as many complete blocks as we can */
837 ldns_sha512_Transform(context
, (sha2_word64
*)data
);
838 ADDINC128(context
->bitcount
, LDNS_SHA512_BLOCK_LENGTH
<< 3);
839 len
-= LDNS_SHA512_BLOCK_LENGTH
;
840 data
+= LDNS_SHA512_BLOCK_LENGTH
;
843 /* There's left-overs, so save 'em */
844 MEMCPY_BCOPY(context
->buffer
, data
, len
);
845 ADDINC128(context
->bitcount
, len
<< 3);
848 usedspace
= freespace
= 0;
851 static void ldns_sha512_Last(ldns_sha512_CTX
* context
) {
854 usedspace
= (context
->bitcount
[0] >> 3) % LDNS_SHA512_BLOCK_LENGTH
;
855 #if BYTE_ORDER == LITTLE_ENDIAN
856 /* Convert FROM host byte order */
857 REVERSE64(context
->bitcount
[0],context
->bitcount
[0]);
858 REVERSE64(context
->bitcount
[1],context
->bitcount
[1]);
861 /* Begin padding with a 1 bit: */
862 context
->buffer
[usedspace
++] = 0x80;
864 if (usedspace
<= ldns_sha512_SHORT_BLOCK_LENGTH
) {
865 /* Set-up for the last transform: */
866 MEMSET_BZERO(&context
->buffer
[usedspace
], ldns_sha512_SHORT_BLOCK_LENGTH
- usedspace
);
868 if (usedspace
< LDNS_SHA512_BLOCK_LENGTH
) {
869 MEMSET_BZERO(&context
->buffer
[usedspace
], LDNS_SHA512_BLOCK_LENGTH
- usedspace
);
871 /* Do second-to-last transform: */
872 ldns_sha512_Transform(context
, (sha2_word64
*)context
->buffer
);
874 /* And set-up for the last transform: */
875 MEMSET_BZERO(context
->buffer
, LDNS_SHA512_BLOCK_LENGTH
- 2);
878 /* Prepare for final transform: */
879 MEMSET_BZERO(context
->buffer
, ldns_sha512_SHORT_BLOCK_LENGTH
);
881 /* Begin padding with a 1 bit: */
882 *context
->buffer
= 0x80;
884 /* Store the length of input data (in bits): */
885 *(sha2_word64
*)&context
->buffer
[ldns_sha512_SHORT_BLOCK_LENGTH
] = context
->bitcount
[1];
886 *(sha2_word64
*)&context
->buffer
[ldns_sha512_SHORT_BLOCK_LENGTH
+8] = context
->bitcount
[0];
888 /* final transform: */
889 ldns_sha512_Transform(context
, (sha2_word64
*)context
->buffer
);
892 void ldns_sha512_final(sha2_byte digest
[], ldns_sha512_CTX
* context
) {
893 sha2_word64
*d
= (sha2_word64
*)digest
;
896 assert(context
!= (ldns_sha512_CTX
*)0);
898 /* If no digest buffer is passed, we don't bother doing this: */
899 if (digest
!= (sha2_byte
*)0) {
900 ldns_sha512_Last(context
);
902 /* Save the hash data for output: */
903 #if BYTE_ORDER == LITTLE_ENDIAN
905 /* Convert TO host byte order */
907 for (j
= 0; j
< 8; j
++) {
908 REVERSE64(context
->state
[j
],context
->state
[j
]);
909 *d
++ = context
->state
[j
];
913 MEMCPY_BCOPY(d
, context
->state
, LDNS_SHA512_DIGEST_LENGTH
);
917 /* Zero out state data */
918 MEMSET_BZERO(context
, sizeof(ldns_sha512_CTX
));
922 ldns_sha512(unsigned char *data
, unsigned int data_len
, unsigned char *digest
)
925 ldns_sha512_init(&ctx
);
926 ldns_sha512_update(&ctx
, data
, data_len
);
927 ldns_sha512_final(digest
, &ctx
);
931 /*** SHA-384: *********************************************************/
932 void ldns_sha384_init(ldns_sha384_CTX
* context
) {
933 if (context
== (ldns_sha384_CTX
*)0) {
936 MEMCPY_BCOPY(context
->state
, sha384_initial_hash_value
, LDNS_SHA512_DIGEST_LENGTH
);
937 MEMSET_BZERO(context
->buffer
, LDNS_SHA384_BLOCK_LENGTH
);
938 context
->bitcount
[0] = context
->bitcount
[1] = 0;
941 void ldns_sha384_update(ldns_sha384_CTX
* context
, const sha2_byte
* data
, size_t len
) {
942 ldns_sha512_update((ldns_sha512_CTX
*)context
, data
, len
);
945 void ldns_sha384_final(sha2_byte digest
[], ldns_sha384_CTX
* context
) {
946 sha2_word64
*d
= (sha2_word64
*)digest
;
949 assert(context
!= (ldns_sha384_CTX
*)0);
951 /* If no digest buffer is passed, we don't bother doing this: */
952 if (digest
!= (sha2_byte
*)0) {
953 ldns_sha512_Last((ldns_sha512_CTX
*)context
);
955 /* Save the hash data for output: */
956 #if BYTE_ORDER == LITTLE_ENDIAN
958 /* Convert TO host byte order */
960 for (j
= 0; j
< 6; j
++) {
961 REVERSE64(context
->state
[j
],context
->state
[j
]);
962 *d
++ = context
->state
[j
];
966 MEMCPY_BCOPY(d
, context
->state
, LDNS_SHA384_DIGEST_LENGTH
);
970 /* Zero out state data */
971 MEMSET_BZERO(context
, sizeof(ldns_sha384_CTX
));
975 ldns_sha384(unsigned char *data
, unsigned int data_len
, unsigned char *digest
)
978 ldns_sha384_init(&ctx
);
979 ldns_sha384_update(&ctx
, data
, data_len
);
980 ldns_sha384_final(digest
, &ctx
);