[apple/network_cmds.git] / unbound / compat / sha512.c

/*
 * FILE:	sha2.c
 * AUTHOR:	Aaron D. Gifford - http://www.aarongifford.com/
 * 
 * Copyright (c) 2000-2001, Aaron D. Gifford
 * All rights reserved.
 *
 * Modified by Jelte Jansen to fit in ldns, and not clash with any
 * system-defined SHA code.
 * Changes:
 * - Renamed (external) functions and constants to fit ldns style
 * - Removed _End and _Data functions
 * - Added ldns_shaX(data, len, digest) convenience functions
 * - Removed prototypes of _Transform functions and made those static
 * Modified by Wouter, and trimmed, to provide SHA512 for getentropy_fallback.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the copyright holder nor the names of contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
 */
#include "config.h"

#include <string.h>	/* memcpy()/memset() or bcopy()/bzero() */
#include <assert.h>	/* assert() */

/* do we have sha512 header defs */
#ifndef SHA512_DIGEST_LENGTH
#define SHA512_BLOCK_LENGTH		128
#define SHA512_DIGEST_LENGTH		64
#define SHA512_DIGEST_STRING_LENGTH	(SHA512_DIGEST_LENGTH * 2 + 1)
typedef struct _SHA512_CTX {
	uint64_t	state[8];
	uint64_t	bitcount[2];
	uint8_t	buffer[SHA512_BLOCK_LENGTH];
} SHA512_CTX;
#endif /* do we have sha512 header defs */

void SHA512_Init(SHA512_CTX*);
void SHA512_Update(SHA512_CTX*, void*, size_t);
void SHA512_Final(uint8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*);
unsigned char *SHA512(void *data, unsigned int data_len, unsigned char *digest);


/*** SHA-256/384/512 Machine Architecture Definitions *****************/
/*
 * BYTE_ORDER NOTE:
 *
 * Please make sure that your system defines BYTE_ORDER.  If your
 * architecture is little-endian, make sure it also defines
 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
 * equivilent.
 *
 * If your system does not define the above, then you can do so by
 * hand like this:
 *
 *   #define LITTLE_ENDIAN 1234
 *   #define BIG_ENDIAN    4321
 *
 * And for little-endian machines, add:
 *
 *   #define BYTE_ORDER LITTLE_ENDIAN 
 *
 * Or for big-endian machines:
 *
 *   #define BYTE_ORDER BIG_ENDIAN
 *
 * The FreeBSD machine this was written on defines BYTE_ORDER
 * appropriately by including <sys/types.h> (which in turn includes
 * <machine/endian.h> where the appropriate definitions are actually
 * made).
 */
#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
#endif

typedef uint8_t  sha2_byte;	/* Exactly 1 byte */
typedef uint32_t sha2_word32;	/* Exactly 4 bytes */
#ifdef S_SPLINT_S
typedef unsigned long long sha2_word64; /* lint 8 bytes */
#else
typedef uint64_t sha2_word64;	/* Exactly 8 bytes */
#endif

/*** SHA-256/384/512 Various Length Definitions ***********************/
#define SHA512_SHORT_BLOCK_LENGTH	(SHA512_BLOCK_LENGTH - 16)


/*** ENDIAN REVERSAL MACROS *******************************************/
#if BYTE_ORDER == LITTLE_ENDIAN
#define REVERSE32(w,x)	{ \
	sha2_word32 tmp = (w); \
	tmp = (tmp >> 16) | (tmp << 16); \
	(x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
}
#ifndef S_SPLINT_S
#define REVERSE64(w,x)	{ \
	sha2_word64 tmp = (w); \
	tmp = (tmp >> 32) | (tmp << 32); \
	tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
	      ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
	(x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
	      ((tmp & 0x0000ffff0000ffffULL) << 16); \
}
#else /* splint */
#define REVERSE64(w,x) /* splint */
#endif /* splint */
#endif /* BYTE_ORDER == LITTLE_ENDIAN */

/*
 * Macro for incrementally adding the unsigned 64-bit integer n to the
 * unsigned 128-bit integer (represented using a two-element array of
 * 64-bit words):
 */
#define ADDINC128(w,n)	{ \
	(w)[0] += (sha2_word64)(n); \
	if ((w)[0] < (n)) { \
		(w)[1]++; \
	} \
}
#ifdef S_SPLINT_S
#undef ADDINC128
#define ADDINC128(w,n) /* splint */
#endif

/*
 * Macros for copying blocks of memory and for zeroing out ranges
 * of memory.  Using these macros makes it easy to switch from
 * using memset()/memcpy() and using bzero()/bcopy().
 *
 * Please define either SHA2_USE_MEMSET_MEMCPY or define
 * SHA2_USE_BZERO_BCOPY depending on which function set you
 * choose to use:
 */
#if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
/* Default to memset()/memcpy() if no option is specified */
#define	SHA2_USE_MEMSET_MEMCPY	1
#endif
#if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
/* Abort with an error if BOTH options are defined */
#error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
#endif

#ifdef SHA2_USE_MEMSET_MEMCPY
#define MEMSET_BZERO(p,l)	memset((p), 0, (l))
#define MEMCPY_BCOPY(d,s,l)	memcpy((d), (s), (l))
#endif
#ifdef SHA2_USE_BZERO_BCOPY
#define MEMSET_BZERO(p,l)	bzero((p), (l))
#define MEMCPY_BCOPY(d,s,l)	bcopy((s), (d), (l))
#endif


/*** THE SIX LOGICAL FUNCTIONS ****************************************/
/*
 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
 *
 *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
 *   S is a ROTATION) because the SHA-256/384/512 description document
 *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
 *   same "backwards" definition.
 */
/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
#define R(b,x) 		((x) >> (b))
/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
#define S64(b,x)	(((x) >> (b)) | ((x) << (64 - (b))))

/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
#define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
#define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))

/* Four of six logical functions used in SHA-384 and SHA-512: */
#define Sigma0_512(x)	(S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
#define Sigma1_512(x)	(S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
#define sigma0_512(x)	(S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
#define sigma1_512(x)	(S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))

/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
/* Hash constant words K for SHA-384 and SHA-512: */
static const sha2_word64 K512[80] = {
	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
};

/* initial hash value H for SHA-512 */
static const sha2_word64 sha512_initial_hash_value[8] = {
	0x6a09e667f3bcc908ULL,
	0xbb67ae8584caa73bULL,
	0x3c6ef372fe94f82bULL,
	0xa54ff53a5f1d36f1ULL,
	0x510e527fade682d1ULL,
	0x9b05688c2b3e6c1fULL,
	0x1f83d9abfb41bd6bULL,
	0x5be0cd19137e2179ULL
};

typedef union _ldns_sha2_buffer_union {
        uint8_t*  theChars;
        uint64_t* theLongs;
} ldns_sha2_buffer_union;

/*** SHA-512: *********************************************************/
void SHA512_Init(SHA512_CTX* context) {
	if (context == (SHA512_CTX*)0) {
		return;
	}
	MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
	MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH);
	context->bitcount[0] = context->bitcount[1] =  0;
}

static void SHA512_Transform(SHA512_CTX* context,
                                  const sha2_word64* data) {
	sha2_word64	a, b, c, d, e, f, g, h, s0, s1;
	sha2_word64	T1, T2, *W512 = (sha2_word64*)context->buffer;
	int		j;

	/* initialize registers with the prev. intermediate value */
	a = context->state[0];
	b = context->state[1];
	c = context->state[2];
	d = context->state[3];
	e = context->state[4];
	f = context->state[5];
	g = context->state[6];
	h = context->state[7];

	j = 0;
	do {
#if BYTE_ORDER == LITTLE_ENDIAN
		/* Convert TO host byte order */
		REVERSE64(*data++, W512[j]);
		/* Apply the SHA-512 compression function to update a..h */
		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
#else /* BYTE_ORDER == LITTLE_ENDIAN */
		/* Apply the SHA-512 compression function to update a..h with copy */
		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
#endif /* BYTE_ORDER == LITTLE_ENDIAN */
		T2 = Sigma0_512(a) + Maj(a, b, c);
		h = g;
		g = f;
		f = e;
		e = d + T1;
		d = c;
		c = b;
		b = a;
		a = T1 + T2;

		j++;
	} while (j < 16);

	do {
		/* Part of the message block expansion: */
		s0 = W512[(j+1)&0x0f];
		s0 = sigma0_512(s0);
		s1 = W512[(j+14)&0x0f];
		s1 =  sigma1_512(s1);

		/* Apply the SHA-512 compression function to update a..h */
		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
		     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
		T2 = Sigma0_512(a) + Maj(a, b, c);
		h = g;
		g = f;
		f = e;
		e = d + T1;
		d = c;
		c = b;
		b = a;
		a = T1 + T2;

		j++;
	} while (j < 80);

	/* Compute the current intermediate hash value */
	context->state[0] += a;
	context->state[1] += b;
	context->state[2] += c;
	context->state[3] += d;
	context->state[4] += e;
	context->state[5] += f;
	context->state[6] += g;
	context->state[7] += h;

	/* Clean up */
	a = b = c = d = e = f = g = h = T1 = T2 = 0;
}

void SHA512_Update(SHA512_CTX* context, void *datain, size_t len) {
	size_t freespace, usedspace;
	const sha2_byte* data = (const sha2_byte*)datain;

	if (len == 0) {
		/* Calling with no data is valid - we do nothing */
		return;
	}

	/* Sanity check: */
	assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);

	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
	if (usedspace > 0) {
		/* Calculate how much free space is available in the buffer */
		freespace = SHA512_BLOCK_LENGTH - usedspace;

		if (len >= freespace) {
			/* Fill the buffer completely and process it */
			MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
			ADDINC128(context->bitcount, freespace << 3);
			len -= freespace;
			data += freespace;
			SHA512_Transform(context, (sha2_word64*)context->buffer);
		} else {
			/* The buffer is not yet full */
			MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
			ADDINC128(context->bitcount, len << 3);
			/* Clean up: */
			usedspace = freespace = 0;
			return;
		}
	}
	while (len >= SHA512_BLOCK_LENGTH) {
		/* Process as many complete blocks as we can */
		SHA512_Transform(context, (sha2_word64*)data);
		ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
		len -= SHA512_BLOCK_LENGTH;
		data += SHA512_BLOCK_LENGTH;
	}
	if (len > 0) {
		/* There's left-overs, so save 'em */
		MEMCPY_BCOPY(context->buffer, data, len);
		ADDINC128(context->bitcount, len << 3);
	}
	/* Clean up: */
	usedspace = freespace = 0;
}

static void SHA512_Last(SHA512_CTX* context) {
	size_t usedspace;
	ldns_sha2_buffer_union cast_var;

	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
#if BYTE_ORDER == LITTLE_ENDIAN
	/* Convert FROM host byte order */
	REVERSE64(context->bitcount[0],context->bitcount[0]);
	REVERSE64(context->bitcount[1],context->bitcount[1]);
#endif
	if (usedspace > 0) {
		/* Begin padding with a 1 bit: */
		context->buffer[usedspace++] = 0x80;

		if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
			/* Set-up for the last transform: */
			MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
		} else {
			if (usedspace < SHA512_BLOCK_LENGTH) {
				MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
			}
			/* Do second-to-last transform: */
			SHA512_Transform(context, (sha2_word64*)context->buffer);

			/* And set-up for the last transform: */
			MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2);
		}
	} else {
		/* Prepare for final transform: */
		MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH);

		/* Begin padding with a 1 bit: */
		*context->buffer = 0x80;
	}
	/* Store the length of input data (in bits): */
	cast_var.theChars = context->buffer;
	cast_var.theLongs[SHA512_SHORT_BLOCK_LENGTH / 8] = context->bitcount[1];
	cast_var.theLongs[SHA512_SHORT_BLOCK_LENGTH / 8 + 1] = context->bitcount[0];

	/* final transform: */
	SHA512_Transform(context, (sha2_word64*)context->buffer);
}

void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
	sha2_word64	*d = (sha2_word64*)digest;

	/* Sanity check: */
	assert(context != (SHA512_CTX*)0);

	/* If no digest buffer is passed, we don't bother doing this: */
	if (digest != (sha2_byte*)0) {
		SHA512_Last(context);

		/* Save the hash data for output: */
#if BYTE_ORDER == LITTLE_ENDIAN
		{
			/* Convert TO host byte order */
			int	j;
			for (j = 0; j < 8; j++) {
				REVERSE64(context->state[j],context->state[j]);
				*d++ = context->state[j];
			}
		}
#else
		MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH);
#endif
	}

	/* Zero out state data */
	MEMSET_BZERO(context, sizeof(SHA512_CTX));
}

unsigned char *
SHA512(void *data, unsigned int data_len, unsigned char *digest)
{
    SHA512_CTX ctx;
    SHA512_Init(&ctx);
    SHA512_Update(&ctx, data, data_len);
    SHA512_Final(digest, &ctx);
    return digest;
}
Commit	Line	Data
89c4ed63 A	1	/*
	2	* FILE: sha2.c
	3	* AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/
	4	*
	5	* Copyright (c) 2000-2001, Aaron D. Gifford
	6	* All rights reserved.
	7	*
	8	* Modified by Jelte Jansen to fit in ldns, and not clash with any
	9	* system-defined SHA code.
	10	* Changes:
	11	* - Renamed (external) functions and constants to fit ldns style
	12	* - Removed _End and _Data functions
	13	* - Added ldns_shaX(data, len, digest) convenience functions
	14	* - Removed prototypes of _Transform functions and made those static
	15	* Modified by Wouter, and trimmed, to provide SHA512 for getentropy_fallback.
	16	*
	17	* Redistribution and use in source and binary forms, with or without
	18	* modification, are permitted provided that the following conditions
	19	* are met:
	20	* 1. Redistributions of source code must retain the above copyright
	21	* notice, this list of conditions and the following disclaimer.
	22	* 2. Redistributions in binary form must reproduce the above copyright
	23	* notice, this list of conditions and the following disclaimer in the
	24	* documentation and/or other materials provided with the distribution.
	25	* 3. Neither the name of the copyright holder nor the names of contributors
	26	* may be used to endorse or promote products derived from this software
	27	* without specific prior written permission.
	28	*
	29	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
	30	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	31	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	32	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
	33	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	34	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	35	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	36	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	37	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	38	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	39	* SUCH DAMAGE.
	40	*
	41	* $Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
	42	*/
	43	#include "config.h"
	44
	45	#include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
	46	#include <assert.h> /* assert() */
	47
	48	/* do we have sha512 header defs */
	49	#ifndef SHA512_DIGEST_LENGTH
	50	#define SHA512_BLOCK_LENGTH 128
	51	#define SHA512_DIGEST_LENGTH 64
	52	#define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1)
	53	typedef struct _SHA512_CTX {
	54	uint64_t state[8];
	55	uint64_t bitcount[2];
	56	uint8_t buffer[SHA512_BLOCK_LENGTH];
	57	} SHA512_CTX;
	58	#endif /* do we have sha512 header defs */
	59
	60	void SHA512_Init(SHA512_CTX*);
	61	void SHA512_Update(SHA512_CTX, void, size_t);
	62	void SHA512_Final(uint8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*);
	63	unsigned char SHA512(void data, unsigned int data_len, unsigned char *digest);
	64
65
66	/* SHA-256/384/512 Machine Architecture Definitions ***************/
67	/*
68	* BYTE_ORDER NOTE:
69	*
70	* Please make sure that your system defines BYTE_ORDER. If your
71	* architecture is little-endian, make sure it also defines
72	* LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
73	* equivilent.
74	*
75	* If your system does not define the above, then you can do so by
76	* hand like this:
77	*
78	* #define LITTLE_ENDIAN 1234
79	* #define BIG_ENDIAN 4321
80	*
81	* And for little-endian machines, add:
82	*
83	* #define BYTE_ORDER LITTLE_ENDIAN
84	*
85	* Or for big-endian machines:
86	*
87	* #define BYTE_ORDER BIG_ENDIAN
88	*
89	* The FreeBSD machine this was written on defines BYTE_ORDER
90	* appropriately by including <sys/types.h> (which in turn includes
91	* <machine/endian.h> where the appropriate definitions are actually
92	* made).
93	*/
94	#if !defined(BYTE_ORDER) \|\| (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
95	#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
96	#endif
97
98	typedef uint8_t sha2_byte; /* Exactly 1 byte */
99	typedef uint32_t sha2_word32; /* Exactly 4 bytes */
100	#ifdef S_SPLINT_S
101	typedef unsigned long long sha2_word64; /* lint 8 bytes */
102	#else
103	typedef uint64_t sha2_word64; /* Exactly 8 bytes */
104	#endif
105
106	/* SHA-256/384/512 Various Length Definitions *********************/
107	#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
108
109
110	/* ENDIAN REVERSAL MACROS *****************************************/
111	#if BYTE_ORDER == LITTLE_ENDIAN
112	#define REVERSE32(w,x) { \
113	sha2_word32 tmp = (w); \
114	tmp = (tmp >> 16) \| (tmp << 16); \
115	(x) = ((tmp & 0xff00ff00UL) >> 8) \| ((tmp & 0x00ff00ffUL) << 8); \
116	}
117	#ifndef S_SPLINT_S
118	#define REVERSE64(w,x) { \
119	sha2_word64 tmp = (w); \
120	tmp = (tmp >> 32) \| (tmp << 32); \
121	tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) \| \
122	((tmp & 0x00ff00ff00ff00ffULL) << 8); \
123	(x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) \| \
124	((tmp & 0x0000ffff0000ffffULL) << 16); \
125	}
126	#else /* splint */
127	#define REVERSE64(w,x) /* splint */
128	#endif /* splint */
129	#endif /* BYTE_ORDER == LITTLE_ENDIAN */
130
131	/*
132	* Macro for incrementally adding the unsigned 64-bit integer n to the
133	* unsigned 128-bit integer (represented using a two-element array of
134	* 64-bit words):
135	*/
136	#define ADDINC128(w,n) { \
137	(w)[0] += (sha2_word64)(n); \
138	if ((w)[0] < (n)) { \
139	(w)[1]++; \
140	} \
141	}
142	#ifdef S_SPLINT_S
143	#undef ADDINC128
144	#define ADDINC128(w,n) /* splint */
145	#endif
146
147	/*
148	* Macros for copying blocks of memory and for zeroing out ranges
149	* of memory. Using these macros makes it easy to switch from
150	* using memset()/memcpy() and using bzero()/bcopy().
151	*
152	* Please define either SHA2_USE_MEMSET_MEMCPY or define
153	* SHA2_USE_BZERO_BCOPY depending on which function set you
154	* choose to use:
155	*/
156	#if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
157	/* Default to memset()/memcpy() if no option is specified */
158	#define SHA2_USE_MEMSET_MEMCPY 1
159	#endif
160	#if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
161	/* Abort with an error if BOTH options are defined */
162	#error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
163	#endif
164
165	#ifdef SHA2_USE_MEMSET_MEMCPY
166	#define MEMSET_BZERO(p,l) memset((p), 0, (l))
167	#define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
168	#endif
169	#ifdef SHA2_USE_BZERO_BCOPY
170	#define MEMSET_BZERO(p,l) bzero((p), (l))
171	#define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
172	#endif
173
174
175	/* THE SIX LOGICAL FUNCTIONS **************************************/
176	/*
177	* Bit shifting and rotation (used by the six SHA-XYZ logical functions:
178	*
179	* NOTE: The naming of R and S appears backwards here (R is a SHIFT and
180	* S is a ROTATION) because the SHA-256/384/512 description document
181	* (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
182	* same "backwards" definition.
183	*/
184	/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
185	#define R(b,x) ((x) >> (b))
186	/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
187	#define S64(b,x) (((x) >> (b)) \| ((x) << (64 - (b))))
188
189	/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
190	#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
191	#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
192
193	/* Four of six logical functions used in SHA-384 and SHA-512: */
194	#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
195	#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
196	#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
197	#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
198
199	/* SHA-XYZ INITIAL HASH VALUES AND CONSTANTS **********************/
200	/* Hash constant words K for SHA-384 and SHA-512: */
201	static const sha2_word64 K512[80] = {
202	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
203	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
204	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
205	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
206	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
207	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
208	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
209	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
210	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
211	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
212	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
213	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
214	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
215	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
216	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
217	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
218	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
219	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
220	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
221	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
222	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
223	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
224	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
225	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
226	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
227	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
228	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
229	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
230	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
231	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
232	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
233	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
234	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
235	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
236	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
237	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
238	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
239	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
240	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
241	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
242	};
243
244	/* initial hash value H for SHA-512 */
245	static const sha2_word64 sha512_initial_hash_value[8] = {
246	0x6a09e667f3bcc908ULL,
247	0xbb67ae8584caa73bULL,
248	0x3c6ef372fe94f82bULL,
249	0xa54ff53a5f1d36f1ULL,
250	0x510e527fade682d1ULL,
251	0x9b05688c2b3e6c1fULL,
252	0x1f83d9abfb41bd6bULL,
253	0x5be0cd19137e2179ULL
254	};
255
256	typedef union _ldns_sha2_buffer_union {
257	uint8_t* theChars;
258	uint64_t* theLongs;
259	} ldns_sha2_buffer_union;
260
261	/* SHA-512: *******************************************************/
262	void SHA512_Init(SHA512_CTX* context) {
263	if (context == (SHA512_CTX*)0) {
264	return;
265	}
266	MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
267	MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH);
268	context->bitcount[0] = context->bitcount[1] = 0;
269	}
270
271	static void SHA512_Transform(SHA512_CTX* context,
272	const sha2_word64* data) {
273	sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
274	sha2_word64 T1, T2, W512 = (sha2_word64)context->buffer;
275	int j;
276
277	/* initialize registers with the prev. intermediate value */
278	a = context->state[0];
279	b = context->state[1];
280	c = context->state[2];
281	d = context->state[3];
282	e = context->state[4];
283	f = context->state[5];
284	g = context->state[6];
285	h = context->state[7];
286
287	j = 0;
288	do {
289	#if BYTE_ORDER == LITTLE_ENDIAN
290	/* Convert TO host byte order */
291	REVERSE64(*data++, W512[j]);
292	/* Apply the SHA-512 compression function to update a..h */
293	T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
294	#else /* BYTE_ORDER == LITTLE_ENDIAN */
295	/* Apply the SHA-512 compression function to update a..h with copy */
296	T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
297	#endif /* BYTE_ORDER == LITTLE_ENDIAN */
298	T2 = Sigma0_512(a) + Maj(a, b, c);
299	h = g;
300	g = f;
301	f = e;
302	e = d + T1;
303	d = c;
304	c = b;
305	b = a;
306	a = T1 + T2;
307
308	j++;
309	} while (j < 16);
310
311	do {
312	/* Part of the message block expansion: */
313	s0 = W512[(j+1)&0x0f];
314	s0 = sigma0_512(s0);
315	s1 = W512[(j+14)&0x0f];
316	s1 = sigma1_512(s1);
317
318	/* Apply the SHA-512 compression function to update a..h */
319	T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
320	(W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
321	T2 = Sigma0_512(a) + Maj(a, b, c);
322	h = g;
323	g = f;
324	f = e;
325	e = d + T1;
326	d = c;
327	c = b;
328	b = a;
329	a = T1 + T2;
330
331	j++;
332	} while (j < 80);
333
334	/* Compute the current intermediate hash value */
335	context->state[0] += a;
336	context->state[1] += b;
337	context->state[2] += c;
338	context->state[3] += d;
339	context->state[4] += e;
340	context->state[5] += f;
341	context->state[6] += g;
342	context->state[7] += h;
343
344	/* Clean up */
345	a = b = c = d = e = f = g = h = T1 = T2 = 0;
346	}
347
348	void SHA512_Update(SHA512_CTX* context, void *datain, size_t len) {
349	size_t freespace, usedspace;
350	const sha2_byte* data = (const sha2_byte*)datain;
351
352	if (len == 0) {
353	/* Calling with no data is valid - we do nothing */
354	return;
355	}
356
357	/* Sanity check: */
358	assert(context != (SHA512_CTX)0 && data != (sha2_byte)0);
359
360	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
361	if (usedspace > 0) {
362	/* Calculate how much free space is available in the buffer */
363	freespace = SHA512_BLOCK_LENGTH - usedspace;
364
365	if (len >= freespace) {
366	/* Fill the buffer completely and process it */
367	MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
368	ADDINC128(context->bitcount, freespace << 3);
369	len -= freespace;
370	data += freespace;
371	SHA512_Transform(context, (sha2_word64*)context->buffer);
372	} else {
373	/* The buffer is not yet full */
374	MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
375	ADDINC128(context->bitcount, len << 3);
376	/* Clean up: */
377	usedspace = freespace = 0;
378	return;
379	}
380	}
381	while (len >= SHA512_BLOCK_LENGTH) {
382	/* Process as many complete blocks as we can */
383	SHA512_Transform(context, (sha2_word64*)data);
384	ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
385	len -= SHA512_BLOCK_LENGTH;
386	data += SHA512_BLOCK_LENGTH;
387	}
388	if (len > 0) {
389	/* There's left-overs, so save 'em */
390	MEMCPY_BCOPY(context->buffer, data, len);
391	ADDINC128(context->bitcount, len << 3);
392	}
393	/* Clean up: */
394	usedspace = freespace = 0;
395	}
396
397	static void SHA512_Last(SHA512_CTX* context) {
398	size_t usedspace;
399	ldns_sha2_buffer_union cast_var;
400
401	usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
402	#if BYTE_ORDER == LITTLE_ENDIAN
403	/* Convert FROM host byte order */
404	REVERSE64(context->bitcount[0],context->bitcount[0]);
405	REVERSE64(context->bitcount[1],context->bitcount[1]);
406	#endif
407	if (usedspace > 0) {
408	/* Begin padding with a 1 bit: */
409	context->buffer[usedspace++] = 0x80;
410
411	if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
412	/* Set-up for the last transform: */
413	MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
414	} else {
415	if (usedspace < SHA512_BLOCK_LENGTH) {
416	MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
417	}
418	/* Do second-to-last transform: */
419	SHA512_Transform(context, (sha2_word64*)context->buffer);
420
421	/* And set-up for the last transform: */
422	MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2);
423	}
424	} else {
425	/* Prepare for final transform: */
426	MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
427
428	/* Begin padding with a 1 bit: */
429	*context->buffer = 0x80;
430	}
431	/* Store the length of input data (in bits): */
432	cast_var.theChars = context->buffer;
433	cast_var.theLongs[SHA512_SHORT_BLOCK_LENGTH / 8] = context->bitcount[1];
434	cast_var.theLongs[SHA512_SHORT_BLOCK_LENGTH / 8 + 1] = context->bitcount[0];
435
436	/* final transform: */
437	SHA512_Transform(context, (sha2_word64*)context->buffer);
438	}
439
440	void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
441	sha2_word64 d = (sha2_word64)digest;
442
443	/* Sanity check: */
444	assert(context != (SHA512_CTX*)0);
445
446	/* If no digest buffer is passed, we don't bother doing this: */
447	if (digest != (sha2_byte*)0) {
448	SHA512_Last(context);
449
450	/* Save the hash data for output: */
451	#if BYTE_ORDER == LITTLE_ENDIAN
452	{
453	/* Convert TO host byte order */
454	int j;
455	for (j = 0; j < 8; j++) {
456	REVERSE64(context->state[j],context->state[j]);
457	*d++ = context->state[j];
458	}
459	}
460	#else
461	MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH);
462	#endif
463	}
464
465	/* Zero out state data */
466	MEMSET_BZERO(context, sizeof(SHA512_CTX));
467	}
468
469	unsigned char *
470	SHA512(void data, unsigned int data_len, unsigned char digest)
471	{
472	SHA512_CTX ctx;
473	SHA512_Init(&ctx);
474	SHA512_Update(&ctx, data, data_len);
475	SHA512_Final(digest, &ctx);
476	return digest;
477	}