]> jfr.im git - irc/quakenet/newserv.git/blob - lib/sha2.c
projects / irc / quakenet / newserv.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
A4STATS: remove E style escapes and switch to createtable for indices
[irc/quakenet/newserv.git] / lib / sha2.c
1 /*
2 * FILE: sha2.c
3 * AUTHOR: Aaron D. Gifford <me@aarongifford.com>
4 *
5 * Copyright (c) 2000-2001, Aaron D. Gifford
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the copyright holder nor the names of contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 *
32 * $Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
33 */
34
35 #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
36 #include <assert.h> /* assert() */
37 #include "sha2.h"
38
39 /*
40 * ASSERT NOTE:
41 * Some sanity checking code is included using assert(). On my FreeBSD
42 * system, this additional code can be removed by compiling with NDEBUG
43 * defined. Check your own systems manpage on assert() to see how to
44 * compile WITHOUT the sanity checking code on your system.
45 *
46 * UNROLLED TRANSFORM LOOP NOTE:
47 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
48 * loop version for the hash transform rounds (defined using macros
49 * later in this file). Either define on the command line, for example:
50 *
51 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
52 *
53 * or define below:
54 *
55 * #define SHA2_UNROLL_TRANSFORM
56 *
57 */
58
59
60 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
61 /*
62 * BYTE_ORDER NOTE:
63 *
64 * Please make sure that your system defines BYTE_ORDER. If your
65 * architecture is little-endian, make sure it also defines
66 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
67 * equivilent.
68 *
69 * If your system does not define the above, then you can do so by
70 * hand like this:
71 *
72 * #define LITTLE_ENDIAN 1234
73 * #define BIG_ENDIAN 4321
74 *
75 * And for little-endian machines, add:
76 *
77 * #define BYTE_ORDER LITTLE_ENDIAN
78 *
79 * Or for big-endian machines:
80 *
81 * #define BYTE_ORDER BIG_ENDIAN
82 *
83 * The FreeBSD machine this was written on defines BYTE_ORDER
84 * appropriately by including <sys/types.h> (which in turn includes
85 * <machine/endian.h> where the appropriate definitions are actually
86 * made).
87 */
88 #if !defined(BYTE_ORDER)
89 #define BYTE_ORDER __BYTE_ORDER
90 #endif
91
92 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
93 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
94 #endif
95
96 /*
97 * Define the followingsha2_* types to types of the correct length on
98 * the native archtecture. Most BSD systems and Linux define u_intXX_t
99 * types. Machines with very recent ANSI C headers, can use the
100 * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
101 * during compile or in the sha.h header file.
102 *
103 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
104 * will need to define these three typedefs below (and the appropriate
105 * ones in sha.h too) by hand according to their system architecture.
106 *
107 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
108 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
109 */
110 #ifdef SHA2_USE_INTTYPES_H
111
112 typedef uint8_t sha2_byte; /* Exactly 1 byte */
113 typedef uint32_t sha2_word32; /* Exactly 4 bytes */
114 typedef uint64_t sha2_word64; /* Exactly 8 bytes */
115
116 #else /* SHA2_USE_INTTYPES_H */
117
118 typedef u_int8_t sha2_byte; /* Exactly 1 byte */
119 typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
120 typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
121
122 #endif /* SHA2_USE_INTTYPES_H */
123
124
125 /*** SHA-256/384/512 Various Length Definitions ***********************/
126 /* NOTE: Most of these are in sha2.h */
127 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
128 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
129 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
130
131
132 /*** ENDIAN REVERSAL MACROS *******************************************/
133 #if BYTE_ORDER == LITTLE_ENDIAN
134 #define REVERSE32(w,x) { \
135 sha2_word32 tmp = (w); \
136 tmp = (tmp >> 16) | (tmp << 16); \
137 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
138 }
139 #define REVERSE64(w,x) { \
140 sha2_word64 tmp = (w); \
141 tmp = (tmp >> 32) | (tmp << 32); \
142 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
143 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
144 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
145 ((tmp & 0x0000ffff0000ffffULL) << 16); \
146 }
147 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
148
149 /*
150 * Macro for incrementally adding the unsigned 64-bit integer n to the
151 * unsigned 128-bit integer (represented using a two-element array of
152 * 64-bit words):
153 */
154 #define ADDINC128(w,n) { \
155 (w)[0] += (sha2_word64)(n); \
156 if ((w)[0] < (n)) { \
157 (w)[1]++; \
158 } \
159 }
160
161 /*
162 * Macros for copying blocks of memory and for zeroing out ranges
163 * of memory. Using these macros makes it easy to switch from
164 * using memset()/memcpy() and using bzero()/bcopy().
165 *
166 * Please define either SHA2_USE_MEMSET_MEMCPY or define
167 * SHA2_USE_BZERO_BCOPY depending on which function set you
168 * choose to use:
169 */
170 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
171 /* Default to memset()/memcpy() if no option is specified */
172 #define SHA2_USE_MEMSET_MEMCPY 1
173 #endif
174 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
175 /* Abort with an error if BOTH options are defined */
176 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
177 #endif
178
179 #ifdef SHA2_USE_MEMSET_MEMCPY
180 #define MEMSET_BZERO(p,l) memset((p), 0, (l))
181 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
182 #endif
183 #ifdef SHA2_USE_BZERO_BCOPY
184 #define MEMSET_BZERO(p,l) bzero((p), (l))
185 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
186 #endif
187
188
189 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
190 /*
191 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
192 *
193 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
194 * S is a ROTATION) because the SHA-256/384/512 description document
195 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
196 * same "backwards" definition.
197 */
198 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
199 #define R(b,x) ((x) >> (b))
200 /* 32-bit Rotate-right (used in SHA-256): */
201 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
202 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
203 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
204
205 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
206 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
207 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
208
209 /* Four of six logical functions used in SHA-256: */
210 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
211 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
212 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
213 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
214
215 /* Four of six logical functions used in SHA-384 and SHA-512: */
216 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
217 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
218 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
219 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
220
221 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
222 /* NOTE: These should not be accessed directly from outside this
223 * library -- they are intended for private internal visibility/use
224 * only.
225 */
226 void SHA512_Last(SHA512_CTX*);
227 void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
228 void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
229
230
231 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
232 /* Hash constant words K for SHA-256: */
233 const static sha2_word32 K256[64] = {
234 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
235 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
236 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
237 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
238 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
239 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
240 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
241 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
242 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
243 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
244 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
245 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
246 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
247 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
248 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
249 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
250 };
251
252 /* Initial hash value H for SHA-256: */
253 const static sha2_word32 sha256_initial_hash_value[8] = {
254 0x6a09e667UL,
255 0xbb67ae85UL,
256 0x3c6ef372UL,
257 0xa54ff53aUL,
258 0x510e527fUL,
259 0x9b05688cUL,
260 0x1f83d9abUL,
261 0x5be0cd19UL
262 };
263
264 /* Hash constant words K for SHA-384 and SHA-512: */
265 const static sha2_word64 K512[80] = {
266 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
267 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
268 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
269 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
270 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
271 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
272 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
273 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
274 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
275 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
276 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
277 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
278 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
279 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
280 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
281 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
282 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
283 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
284 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
285 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
286 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
287 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
288 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
289 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
290 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
291 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
292 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
293 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
294 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
295 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
296 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
297 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
298 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
299 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
300 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
301 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
302 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
303 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
304 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
305 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
306 };
307
308 /* Initial hash value H for SHA-384 */
309 const static sha2_word64 sha384_initial_hash_value[8] = {
310 0xcbbb9d5dc1059ed8ULL,
311 0x629a292a367cd507ULL,
312 0x9159015a3070dd17ULL,
313 0x152fecd8f70e5939ULL,
314 0x67332667ffc00b31ULL,
315 0x8eb44a8768581511ULL,
316 0xdb0c2e0d64f98fa7ULL,
317 0x47b5481dbefa4fa4ULL
318 };
319
320 /* Initial hash value H for SHA-512 */
321 const static sha2_word64 sha512_initial_hash_value[8] = {
322 0x6a09e667f3bcc908ULL,
323 0xbb67ae8584caa73bULL,
324 0x3c6ef372fe94f82bULL,
325 0xa54ff53a5f1d36f1ULL,
326 0x510e527fade682d1ULL,
327 0x9b05688c2b3e6c1fULL,
328 0x1f83d9abfb41bd6bULL,
329 0x5be0cd19137e2179ULL
330 };
331
332 /*
333 * Constant used by SHA256/384/512_End() functions for converting the
334 * digest to a readable hexadecimal character string:
335 */
336 static const char *sha2_hex_digits = "0123456789abcdef";
337
338
339 /*** SHA-256: *********************************************************/
340 void SHA256_Init(SHA256_CTX* context) {
341 if (context == (SHA256_CTX*)0) {
342 return;
343 }
344 MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
345 MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH);
346 context->bitcount = 0;
347 }
348
349 #ifdef SHA2_UNROLL_TRANSFORM
350
351 /* Unrolled SHA-256 round macros: */
352
353 #if BYTE_ORDER == LITTLE_ENDIAN
354
355 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
356 REVERSE32(*data++, W256[j]); \
357 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
358 K256[j] + W256[j]; \
359 (d) += T1; \
360 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
361 j++
362
363
364 #else /* BYTE_ORDER == LITTLE_ENDIAN */
365
366 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
367 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
368 K256[j] + (W256[j] = *data++); \
369 (d) += T1; \
370 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
371 j++
372
373 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
374
375 #define ROUND256(a,b,c,d,e,f,g,h) \
376 s0 = W256[(j+1)&0x0f]; \
377 s0 = sigma0_256(s0); \
378 s1 = W256[(j+14)&0x0f]; \
379 s1 = sigma1_256(s1); \
380 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
381 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
382 (d) += T1; \
383 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
384 j++
385
386 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
387 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
388 sha2_word32 T1, *W256;
389 int j;
390
391 W256 = (sha2_word32*)context->buffer;
392
393 /* Initialize registers with the prev. intermediate value */
394 a = context->state[0];
395 b = context->state[1];
396 c = context->state[2];
397 d = context->state[3];
398 e = context->state[4];
399 f = context->state[5];
400 g = context->state[6];
401 h = context->state[7];
402
403 j = 0;
404 do {
405 /* Rounds 0 to 15 (unrolled): */
406 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
407 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
408 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
409 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
410 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
411 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
412 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
413 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
414 } while (j < 16);
415
416 /* Now for the remaining rounds to 64: */
417 do {
418 ROUND256(a,b,c,d,e,f,g,h);
419 ROUND256(h,a,b,c,d,e,f,g);
420 ROUND256(g,h,a,b,c,d,e,f);
421 ROUND256(f,g,h,a,b,c,d,e);
422 ROUND256(e,f,g,h,a,b,c,d);
423 ROUND256(d,e,f,g,h,a,b,c);
424 ROUND256(c,d,e,f,g,h,a,b);
425 ROUND256(b,c,d,e,f,g,h,a);
426 } while (j < 64);
427
428 /* Compute the current intermediate hash value */
429 context->state[0] += a;
430 context->state[1] += b;
431 context->state[2] += c;
432 context->state[3] += d;
433 context->state[4] += e;
434 context->state[5] += f;
435 context->state[6] += g;
436 context->state[7] += h;
437
438 /* Clean up */
439 a = b = c = d = e = f = g = h = T1 = 0;
440 }
441
442 #else /* SHA2_UNROLL_TRANSFORM */
443
444 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
445 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
446 sha2_word32 T1, T2, *W256;
447 int j;
448
449 W256 = (sha2_word32*)context->buffer;
450
451 /* Initialize registers with the prev. intermediate value */
452 a = context->state[0];
453 b = context->state[1];
454 c = context->state[2];
455 d = context->state[3];
456 e = context->state[4];
457 f = context->state[5];
458 g = context->state[6];
459 h = context->state[7];
460
461 j = 0;
462 do {
463 #if BYTE_ORDER == LITTLE_ENDIAN
464 /* Copy data while converting to host byte order */
465 REVERSE32(*data++,W256[j]);
466 /* Apply the SHA-256 compression function to update a..h */
467 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
468 #else /* BYTE_ORDER == LITTLE_ENDIAN */
469 /* Apply the SHA-256 compression function to update a..h with copy */
470 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
471 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
472 T2 = Sigma0_256(a) + Maj(a, b, c);
473 h = g;
474 g = f;
475 f = e;
476 e = d + T1;
477 d = c;
478 c = b;
479 b = a;
480 a = T1 + T2;
481
482 j++;
483 } while (j < 16);
484
485 do {
486 /* Part of the message block expansion: */
487 s0 = W256[(j+1)&0x0f];
488 s0 = sigma0_256(s0);
489 s1 = W256[(j+14)&0x0f];
490 s1 = sigma1_256(s1);
491
492 /* Apply the SHA-256 compression function to update a..h */
493 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
494 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
495 T2 = Sigma0_256(a) + Maj(a, b, c);
496 h = g;
497 g = f;
498 f = e;
499 e = d + T1;
500 d = c;
501 c = b;
502 b = a;
503 a = T1 + T2;
504
505 j++;
506 } while (j < 64);
507
508 /* Compute the current intermediate hash value */
509 context->state[0] += a;
510 context->state[1] += b;
511 context->state[2] += c;
512 context->state[3] += d;
513 context->state[4] += e;
514 context->state[5] += f;
515 context->state[6] += g;
516 context->state[7] += h;
517
518 /* Clean up */
519 a = b = c = d = e = f = g = h = T1 = T2 = 0;
520 }
521
522 #endif /* SHA2_UNROLL_TRANSFORM */
523
524 void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
525 unsigned int freespace, usedspace;
526
527 if (len == 0) {
528 /* Calling with no data is valid - we do nothing */
529 return;
530 }
531
532 /* Sanity check: */
533 assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
534
535 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
536 if (usedspace > 0) {
537 /* Calculate how much free space is available in the buffer */
538 freespace = SHA256_BLOCK_LENGTH - usedspace;
539
540 if (len >= freespace) {
541 /* Fill the buffer completely and process it */
542 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
543 context->bitcount += freespace << 3;
544 len -= freespace;
545 data += freespace;
546 SHA256_Transform(context, (sha2_word32*)context->buffer);
547 } else {
548 /* The buffer is not yet full */
549 MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
550 context->bitcount += len << 3;
551 /* Clean up: */
552 usedspace = freespace = 0;
553 return;
554 }
555 }
556 while (len >= SHA256_BLOCK_LENGTH) {
557 /* Process as many complete blocks as we can */
558 SHA256_Transform(context, (sha2_word32*)data);
559 context->bitcount += SHA256_BLOCK_LENGTH << 3;
560 len -= SHA256_BLOCK_LENGTH;
561 data += SHA256_BLOCK_LENGTH;
562 }
563 if (len > 0) {
564 /* There's left-overs, so save 'em */
565 MEMCPY_BCOPY(context->buffer, data, len);
566 context->bitcount += len << 3;
567 }
568 /* Clean up: */
569 usedspace = freespace = 0;
570 }
571
572 void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
573 sha2_word32 *d = (sha2_word32*)digest;
574 unsigned int usedspace;
575
576 /* Sanity check: */
577 assert(context != (SHA256_CTX*)0);
578
579 /* If no digest buffer is passed, we don't bother doing this: */
580 if (digest != (sha2_byte*)0) {
581 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
582 #if BYTE_ORDER == LITTLE_ENDIAN
583 /* Convert FROM host byte order */
584 REVERSE64(context->bitcount,context->bitcount);
585 #endif
586 if (usedspace > 0) {
587 /* Begin padding with a 1 bit: */
588 context->buffer[usedspace++] = 0x80;
589
590 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
591 /* Set-up for the last transform: */
592 MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
593 } else {
594 if (usedspace < SHA256_BLOCK_LENGTH) {
595 MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
596 }
597 /* Do second-to-last transform: */
598 SHA256_Transform(context, (sha2_word32*)context->buffer);
599
600 /* And set-up for the last transform: */
601 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
602 }
603 } else {
604 /* Set-up for the last transform: */
605 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
606
607 /* Begin padding with a 1 bit: */
608 *context->buffer = 0x80;
609 }
610 /* Set the bit count: */
611 *(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
612
613 /* Final transform: */
614 SHA256_Transform(context, (sha2_word32*)context->buffer);
615
616 #if BYTE_ORDER == LITTLE_ENDIAN
617 {
618 /* Convert TO host byte order */
619 int j;
620 for (j = 0; j < 8; j++) {
621 REVERSE32(context->state[j],context->state[j]);
622 *d++ = context->state[j];
623 }
624 }
625 #else
626 MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH);
627 #endif
628 }
629
630 /* Clean up state data: */
631 MEMSET_BZERO(context, sizeof(SHA256_CTX));
632 usedspace = 0;
633 }
634
635 char *SHA256_End(SHA256_CTX* context, char buffer[]) {
636 sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
637 int i;
638
639 /* Sanity check: */
640 assert(context != (SHA256_CTX*)0);
641
642 if (buffer != (char*)0) {
643 SHA256_Final(digest, context);
644
645 for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
646 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
647 *buffer++ = sha2_hex_digits[*d & 0x0f];
648 d++;
649 }
650 *buffer = (char)0;
651 } else {
652 MEMSET_BZERO(context, sizeof(SHA256_CTX));
653 }
654 MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH);
655 return buffer;
656 }
657
658 char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
659 SHA256_CTX context;
660
661 SHA256_Init(&context);
662 SHA256_Update(&context, data, len);
663 return SHA256_End(&context, digest);
664 }
665
666
667 /*** SHA-512: *********************************************************/
668 void SHA512_Init(SHA512_CTX* context) {
669 if (context == (SHA512_CTX*)0) {
670 return;
671 }
672 MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
673 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH);
674 context->bitcount[0] = context->bitcount[1] = 0;
675 }
676
677 #ifdef SHA2_UNROLL_TRANSFORM
678
679 /* Unrolled SHA-512 round macros: */
680 #if BYTE_ORDER == LITTLE_ENDIAN
681
682 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
683 REVERSE64(*data++, W512[j]); \
684 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
685 K512[j] + W512[j]; \
686 (d) += T1, \
687 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
688 j++
689
690
691 #else /* BYTE_ORDER == LITTLE_ENDIAN */
692
693 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
694 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
695 K512[j] + (W512[j] = *data++); \
696 (d) += T1; \
697 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
698 j++
699
700 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
701
702 #define ROUND512(a,b,c,d,e,f,g,h) \
703 s0 = W512[(j+1)&0x0f]; \
704 s0 = sigma0_512(s0); \
705 s1 = W512[(j+14)&0x0f]; \
706 s1 = sigma1_512(s1); \
707 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
708 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
709 (d) += T1; \
710 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
711 j++
712
713 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
714 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
715 sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
716 int j;
717
718 /* Initialize registers with the prev. intermediate value */
719 a = context->state[0];
720 b = context->state[1];
721 c = context->state[2];
722 d = context->state[3];
723 e = context->state[4];
724 f = context->state[5];
725 g = context->state[6];
726 h = context->state[7];
727
728 j = 0;
729 do {
730 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
731 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
732 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
733 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
734 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
735 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
736 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
737 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
738 } while (j < 16);
739
740 /* Now for the remaining rounds up to 79: */
741 do {
742 ROUND512(a,b,c,d,e,f,g,h);
743 ROUND512(h,a,b,c,d,e,f,g);
744 ROUND512(g,h,a,b,c,d,e,f);
745 ROUND512(f,g,h,a,b,c,d,e);
746 ROUND512(e,f,g,h,a,b,c,d);
747 ROUND512(d,e,f,g,h,a,b,c);
748 ROUND512(c,d,e,f,g,h,a,b);
749 ROUND512(b,c,d,e,f,g,h,a);
750 } while (j < 80);
751
752 /* Compute the current intermediate hash value */
753 context->state[0] += a;
754 context->state[1] += b;
755 context->state[2] += c;
756 context->state[3] += d;
757 context->state[4] += e;
758 context->state[5] += f;
759 context->state[6] += g;
760 context->state[7] += h;
761
762 /* Clean up */
763 a = b = c = d = e = f = g = h = T1 = 0;
764 }
765
766 #else /* SHA2_UNROLL_TRANSFORM */
767
768 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
769 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
770 sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
771 int j;
772
773 /* Initialize registers with the prev. intermediate value */
774 a = context->state[0];
775 b = context->state[1];
776 c = context->state[2];
777 d = context->state[3];
778 e = context->state[4];
779 f = context->state[5];
780 g = context->state[6];
781 h = context->state[7];
782
783 j = 0;
784 do {
785 #if BYTE_ORDER == LITTLE_ENDIAN
786 /* Convert TO host byte order */
787 REVERSE64(*data++, W512[j]);
788 /* Apply the SHA-512 compression function to update a..h */
789 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
790 #else /* BYTE_ORDER == LITTLE_ENDIAN */
791 /* Apply the SHA-512 compression function to update a..h with copy */
792 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
793 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
794 T2 = Sigma0_512(a) + Maj(a, b, c);
795 h = g;
796 g = f;
797 f = e;
798 e = d + T1;
799 d = c;
800 c = b;
801 b = a;
802 a = T1 + T2;
803
804 j++;
805 } while (j < 16);
806
807 do {
808 /* Part of the message block expansion: */
809 s0 = W512[(j+1)&0x0f];
810 s0 = sigma0_512(s0);
811 s1 = W512[(j+14)&0x0f];
812 s1 = sigma1_512(s1);
813
814 /* Apply the SHA-512 compression function to update a..h */
815 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
816 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
817 T2 = Sigma0_512(a) + Maj(a, b, c);
818 h = g;
819 g = f;
820 f = e;
821 e = d + T1;
822 d = c;
823 c = b;
824 b = a;
825 a = T1 + T2;
826
827 j++;
828 } while (j < 80);
829
830 /* Compute the current intermediate hash value */
831 context->state[0] += a;
832 context->state[1] += b;
833 context->state[2] += c;
834 context->state[3] += d;
835 context->state[4] += e;
836 context->state[5] += f;
837 context->state[6] += g;
838 context->state[7] += h;
839
840 /* Clean up */
841 a = b = c = d = e = f = g = h = T1 = T2 = 0;
842 }
843
844 #endif /* SHA2_UNROLL_TRANSFORM */
845
846 void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
847 unsigned int freespace, usedspace;
848
849 if (len == 0) {
850 /* Calling with no data is valid - we do nothing */
851 return;
852 }
853
854 /* Sanity check: */
855 assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);
856
857 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
858 if (usedspace > 0) {
859 /* Calculate how much free space is available in the buffer */
860 freespace = SHA512_BLOCK_LENGTH - usedspace;
861
862 if (len >= freespace) {
863 /* Fill the buffer completely and process it */
864 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
865 ADDINC128(context->bitcount, freespace << 3);
866 len -= freespace;
867 data += freespace;
868 SHA512_Transform(context, (sha2_word64*)context->buffer);
869 } else {
870 /* The buffer is not yet full */
871 MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
872 ADDINC128(context->bitcount, len << 3);
873 /* Clean up: */
874 usedspace = freespace = 0;
875 return;
876 }
877 }
878 while (len >= SHA512_BLOCK_LENGTH) {
879 /* Process as many complete blocks as we can */
880 SHA512_Transform(context, (sha2_word64*)data);
881 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
882 len -= SHA512_BLOCK_LENGTH;
883 data += SHA512_BLOCK_LENGTH;
884 }
885 if (len > 0) {
886 /* There's left-overs, so save 'em */
887 MEMCPY_BCOPY(context->buffer, data, len);
888 ADDINC128(context->bitcount, len << 3);
889 }
890 /* Clean up: */
891 usedspace = freespace = 0;
892 }
893
894 void SHA512_Last(SHA512_CTX* context) {
895 unsigned int usedspace;
896
897 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
898 #if BYTE_ORDER == LITTLE_ENDIAN
899 /* Convert FROM host byte order */
900 REVERSE64(context->bitcount[0],context->bitcount[0]);
901 REVERSE64(context->bitcount[1],context->bitcount[1]);
902 #endif
903 if (usedspace > 0) {
904 /* Begin padding with a 1 bit: */
905 context->buffer[usedspace++] = 0x80;
906
907 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
908 /* Set-up for the last transform: */
909 MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
910 } else {
911 if (usedspace < SHA512_BLOCK_LENGTH) {
912 MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
913 }
914 /* Do second-to-last transform: */
915 SHA512_Transform(context, (sha2_word64*)context->buffer);
916
917 /* And set-up for the last transform: */
918 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2);
919 }
920 } else {
921 /* Prepare for final transform: */
922 MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
923
924 /* Begin padding with a 1 bit: */
925 *context->buffer = 0x80;
926 }
927 /* Store the length of input data (in bits): */
928 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
929 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
930
931 /* Final transform: */
932 SHA512_Transform(context, (sha2_word64*)context->buffer);
933 }
934
935 void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
936 sha2_word64 *d = (sha2_word64*)digest;
937
938 /* Sanity check: */
939 assert(context != (SHA512_CTX*)0);
940
941 /* If no digest buffer is passed, we don't bother doing this: */
942 if (digest != (sha2_byte*)0) {
943 SHA512_Last(context);
944
945 /* Save the hash data for output: */
946 #if BYTE_ORDER == LITTLE_ENDIAN
947 {
948 /* Convert TO host byte order */
949 int j;
950 for (j = 0; j < 8; j++) {
951 REVERSE64(context->state[j],context->state[j]);
952 *d++ = context->state[j];
953 }
954 }
955 #else
956 MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH);
957 #endif
958 }
959
960 /* Zero out state data */
961 MEMSET_BZERO(context, sizeof(SHA512_CTX));
962 }
963
964 char *SHA512_End(SHA512_CTX* context, char buffer[]) {
965 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
966 int i;
967
968 /* Sanity check: */
969 assert(context != (SHA512_CTX*)0);
970
971 if (buffer != (char*)0) {
972 SHA512_Final(digest, context);
973
974 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
975 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
976 *buffer++ = sha2_hex_digits[*d & 0x0f];
977 d++;
978 }
979 *buffer = (char)0;
980 } else {
981 MEMSET_BZERO(context, sizeof(SHA512_CTX));
982 }
983 MEMSET_BZERO(digest, SHA512_DIGEST_LENGTH);
984 return buffer;
985 }
986
987 char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
988 SHA512_CTX context;
989
990 SHA512_Init(&context);
991 SHA512_Update(&context, data, len);
992 return SHA512_End(&context, digest);
993 }
994
995
996 /*** SHA-384: *********************************************************/
997 void SHA384_Init(SHA384_CTX* context) {
998 if (context == (SHA384_CTX*)0) {
999 return;
1000 }
1001 MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH);
1002 MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH);
1003 context->bitcount[0] = context->bitcount[1] = 0;
1004 }
1005
1006 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
1007 SHA512_Update((SHA512_CTX*)context, data, len);
1008 }
1009
1010 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
1011 sha2_word64 *d = (sha2_word64*)digest;
1012
1013 /* Sanity check: */
1014 assert(context != (SHA384_CTX*)0);
1015
1016 /* If no digest buffer is passed, we don't bother doing this: */
1017 if (digest != (sha2_byte*)0) {
1018 SHA512_Last((SHA512_CTX*)context);
1019
1020 /* Save the hash data for output: */
1021 #if BYTE_ORDER == LITTLE_ENDIAN
1022 {
1023 /* Convert TO host byte order */
1024 int j;
1025 for (j = 0; j < 6; j++) {
1026 REVERSE64(context->state[j],context->state[j]);
1027 *d++ = context->state[j];
1028 }
1029 }
1030 #else
1031 MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH);
1032 #endif
1033 }
1034
1035 /* Zero out state data */
1036 MEMSET_BZERO(context, sizeof(SHA384_CTX));
1037 }
1038
1039 char *SHA384_End(SHA384_CTX* context, char buffer[]) {
1040 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
1041 int i;
1042
1043 /* Sanity check: */
1044 assert(context != (SHA384_CTX*)0);
1045
1046 if (buffer != (char*)0) {
1047 SHA384_Final(digest, context);
1048
1049 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
1050 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
1051 *buffer++ = sha2_hex_digits[*d & 0x0f];
1052 d++;
1053 }
1054 *buffer = (char)0;
1055 } else {
1056 MEMSET_BZERO(context, sizeof(SHA384_CTX));
1057 }
1058 MEMSET_BZERO(digest, SHA384_DIGEST_LENGTH);
1059 return buffer;
1060 }
1061
1062 char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
1063 SHA384_CTX context;
1064
1065 SHA384_Init(&context);
1066 SHA384_Update(&context, data, len);
1067 return SHA384_End(&context, digest);
1068 }
1069
Unnamed repository; edit this file 'description' to name the repository.