3 * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/
5 * Copyright (c) 2000-2001, Aaron D. Gifford
8 * Modified by Jelte Jansen to fit in ldns, and not clash with any
9 * system-defined SHA code.
11 * - Renamed (external) functions and constants to fit ldns style
12 * - Removed _End and _Data functions
13 * - Added ldns_shaX(data, len, digest) convenience functions
14 * - Removed prototypes of _Transform functions and made those static
15 * Modified by Wouter, and trimmed, to provide SHA512 for getentropy_fallback.
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in the
24 * documentation and/or other materials provided with the distribution.
25 * 3. Neither the name of the copyright holder nor the names of contributors
26 * may be used to endorse or promote products derived from this software
27 * without specific prior written permission.
29 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
30 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
31 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
33 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
34 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
35 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
36 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
38 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
41 * $Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
45 #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
46 #include <assert.h> /* assert() */
48 /* do we have sha512 header defs */
49 #ifndef SHA512_DIGEST_LENGTH
50 #define SHA512_BLOCK_LENGTH 128
51 #define SHA512_DIGEST_LENGTH 64
52 #define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1)
53 typedef struct _SHA512_CTX
{
56 uint8_t buffer
[SHA512_BLOCK_LENGTH
];
58 #endif /* do we have sha512 header defs */
60 void SHA512_Init(SHA512_CTX
*);
61 void SHA512_Update(SHA512_CTX
*, void*, size_t);
62 void SHA512_Final(uint8_t[SHA512_DIGEST_LENGTH
], SHA512_CTX
*);
63 unsigned char *SHA512(void *data
, unsigned int data_len
, unsigned char *digest
);
66 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
70 * Please make sure that your system defines BYTE_ORDER. If your
71 * architecture is little-endian, make sure it also defines
72 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
75 * If your system does not define the above, then you can do so by
78 * #define LITTLE_ENDIAN 1234
79 * #define BIG_ENDIAN 4321
81 * And for little-endian machines, add:
83 * #define BYTE_ORDER LITTLE_ENDIAN
85 * Or for big-endian machines:
87 * #define BYTE_ORDER BIG_ENDIAN
89 * The FreeBSD machine this was written on defines BYTE_ORDER
90 * appropriately by including <sys/types.h> (which in turn includes
91 * <machine/endian.h> where the appropriate definitions are actually
94 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
95 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
98 typedef uint8_t sha2_byte
; /* Exactly 1 byte */
99 typedef uint32_t sha2_word32
; /* Exactly 4 bytes */
101 typedef unsigned long long sha2_word64
; /* lint 8 bytes */
103 typedef uint64_t sha2_word64
; /* Exactly 8 bytes */
106 /*** SHA-256/384/512 Various Length Definitions ***********************/
107 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
110 /*** ENDIAN REVERSAL MACROS *******************************************/
111 #if BYTE_ORDER == LITTLE_ENDIAN
112 #define REVERSE32(w,x) { \
113 sha2_word32 tmp = (w); \
114 tmp = (tmp >> 16) | (tmp << 16); \
115 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
118 #define REVERSE64(w,x) { \
119 sha2_word64 tmp = (w); \
120 tmp = (tmp >> 32) | (tmp << 32); \
121 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
122 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
123 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
124 ((tmp & 0x0000ffff0000ffffULL) << 16); \
127 #define REVERSE64(w,x) /* splint */
129 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
132 * Macro for incrementally adding the unsigned 64-bit integer n to the
133 * unsigned 128-bit integer (represented using a two-element array of
136 #define ADDINC128(w,n) { \
137 (w)[0] += (sha2_word64)(n); \
138 if ((w)[0] < (n)) { \
144 #define ADDINC128(w,n) /* splint */
148 * Macros for copying blocks of memory and for zeroing out ranges
149 * of memory. Using these macros makes it easy to switch from
150 * using memset()/memcpy() and using bzero()/bcopy().
152 * Please define either SHA2_USE_MEMSET_MEMCPY or define
153 * SHA2_USE_BZERO_BCOPY depending on which function set you
156 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
157 /* Default to memset()/memcpy() if no option is specified */
158 #define SHA2_USE_MEMSET_MEMCPY 1
160 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
161 /* Abort with an error if BOTH options are defined */
162 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
165 #ifdef SHA2_USE_MEMSET_MEMCPY
166 #define MEMSET_BZERO(p,l) memset((p), 0, (l))
167 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
169 #ifdef SHA2_USE_BZERO_BCOPY
170 #define MEMSET_BZERO(p,l) bzero((p), (l))
171 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
175 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
177 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
179 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
180 * S is a ROTATION) because the SHA-256/384/512 description document
181 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
182 * same "backwards" definition.
184 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
185 #define R(b,x) ((x) >> (b))
186 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
187 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
189 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
190 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
191 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
193 /* Four of six logical functions used in SHA-384 and SHA-512: */
194 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
195 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
196 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
197 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
199 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
200 /* Hash constant words K for SHA-384 and SHA-512: */
201 static const sha2_word64 K512
[80] = {
202 0x428a2f98d728ae22ULL
, 0x7137449123ef65cdULL
,
203 0xb5c0fbcfec4d3b2fULL
, 0xe9b5dba58189dbbcULL
,
204 0x3956c25bf348b538ULL
, 0x59f111f1b605d019ULL
,
205 0x923f82a4af194f9bULL
, 0xab1c5ed5da6d8118ULL
,
206 0xd807aa98a3030242ULL
, 0x12835b0145706fbeULL
,
207 0x243185be4ee4b28cULL
, 0x550c7dc3d5ffb4e2ULL
,
208 0x72be5d74f27b896fULL
, 0x80deb1fe3b1696b1ULL
,
209 0x9bdc06a725c71235ULL
, 0xc19bf174cf692694ULL
,
210 0xe49b69c19ef14ad2ULL
, 0xefbe4786384f25e3ULL
,
211 0x0fc19dc68b8cd5b5ULL
, 0x240ca1cc77ac9c65ULL
,
212 0x2de92c6f592b0275ULL
, 0x4a7484aa6ea6e483ULL
,
213 0x5cb0a9dcbd41fbd4ULL
, 0x76f988da831153b5ULL
,
214 0x983e5152ee66dfabULL
, 0xa831c66d2db43210ULL
,
215 0xb00327c898fb213fULL
, 0xbf597fc7beef0ee4ULL
,
216 0xc6e00bf33da88fc2ULL
, 0xd5a79147930aa725ULL
,
217 0x06ca6351e003826fULL
, 0x142929670a0e6e70ULL
,
218 0x27b70a8546d22ffcULL
, 0x2e1b21385c26c926ULL
,
219 0x4d2c6dfc5ac42aedULL
, 0x53380d139d95b3dfULL
,
220 0x650a73548baf63deULL
, 0x766a0abb3c77b2a8ULL
,
221 0x81c2c92e47edaee6ULL
, 0x92722c851482353bULL
,
222 0xa2bfe8a14cf10364ULL
, 0xa81a664bbc423001ULL
,
223 0xc24b8b70d0f89791ULL
, 0xc76c51a30654be30ULL
,
224 0xd192e819d6ef5218ULL
, 0xd69906245565a910ULL
,
225 0xf40e35855771202aULL
, 0x106aa07032bbd1b8ULL
,
226 0x19a4c116b8d2d0c8ULL
, 0x1e376c085141ab53ULL
,
227 0x2748774cdf8eeb99ULL
, 0x34b0bcb5e19b48a8ULL
,
228 0x391c0cb3c5c95a63ULL
, 0x4ed8aa4ae3418acbULL
,
229 0x5b9cca4f7763e373ULL
, 0x682e6ff3d6b2b8a3ULL
,
230 0x748f82ee5defb2fcULL
, 0x78a5636f43172f60ULL
,
231 0x84c87814a1f0ab72ULL
, 0x8cc702081a6439ecULL
,
232 0x90befffa23631e28ULL
, 0xa4506cebde82bde9ULL
,
233 0xbef9a3f7b2c67915ULL
, 0xc67178f2e372532bULL
,
234 0xca273eceea26619cULL
, 0xd186b8c721c0c207ULL
,
235 0xeada7dd6cde0eb1eULL
, 0xf57d4f7fee6ed178ULL
,
236 0x06f067aa72176fbaULL
, 0x0a637dc5a2c898a6ULL
,
237 0x113f9804bef90daeULL
, 0x1b710b35131c471bULL
,
238 0x28db77f523047d84ULL
, 0x32caab7b40c72493ULL
,
239 0x3c9ebe0a15c9bebcULL
, 0x431d67c49c100d4cULL
,
240 0x4cc5d4becb3e42b6ULL
, 0x597f299cfc657e2aULL
,
241 0x5fcb6fab3ad6faecULL
, 0x6c44198c4a475817ULL
244 /* initial hash value H for SHA-512 */
245 static const sha2_word64 sha512_initial_hash_value
[8] = {
246 0x6a09e667f3bcc908ULL
,
247 0xbb67ae8584caa73bULL
,
248 0x3c6ef372fe94f82bULL
,
249 0xa54ff53a5f1d36f1ULL
,
250 0x510e527fade682d1ULL
,
251 0x9b05688c2b3e6c1fULL
,
252 0x1f83d9abfb41bd6bULL
,
253 0x5be0cd19137e2179ULL
256 typedef union _ldns_sha2_buffer_union
{
259 } ldns_sha2_buffer_union
;
261 /*** SHA-512: *********************************************************/
262 void SHA512_Init(SHA512_CTX
* context
) {
263 if (context
== (SHA512_CTX
*)0) {
266 MEMCPY_BCOPY(context
->state
, sha512_initial_hash_value
, SHA512_DIGEST_LENGTH
);
267 MEMSET_BZERO(context
->buffer
, SHA512_BLOCK_LENGTH
);
268 context
->bitcount
[0] = context
->bitcount
[1] = 0;
271 static void SHA512_Transform(SHA512_CTX
* context
,
272 const sha2_word64
* data
) {
273 sha2_word64 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
274 sha2_word64 T1
, T2
, *W512
= (sha2_word64
*)context
->buffer
;
277 /* initialize registers with the prev. intermediate value */
278 a
= context
->state
[0];
279 b
= context
->state
[1];
280 c
= context
->state
[2];
281 d
= context
->state
[3];
282 e
= context
->state
[4];
283 f
= context
->state
[5];
284 g
= context
->state
[6];
285 h
= context
->state
[7];
289 #if BYTE_ORDER == LITTLE_ENDIAN
290 /* Convert TO host byte order */
291 REVERSE64(*data
++, W512
[j
]);
292 /* Apply the SHA-512 compression function to update a..h */
293 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] + W512
[j
];
294 #else /* BYTE_ORDER == LITTLE_ENDIAN */
295 /* Apply the SHA-512 compression function to update a..h with copy */
296 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] + (W512
[j
] = *data
++);
297 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
298 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
312 /* Part of the message block expansion: */
313 s0
= W512
[(j
+1)&0x0f];
315 s1
= W512
[(j
+14)&0x0f];
318 /* Apply the SHA-512 compression function to update a..h */
319 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] +
320 (W512
[j
&0x0f] += s1
+ W512
[(j
+9)&0x0f] + s0
);
321 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
334 /* Compute the current intermediate hash value */
335 context
->state
[0] += a
;
336 context
->state
[1] += b
;
337 context
->state
[2] += c
;
338 context
->state
[3] += d
;
339 context
->state
[4] += e
;
340 context
->state
[5] += f
;
341 context
->state
[6] += g
;
342 context
->state
[7] += h
;
345 a
= b
= c
= d
= e
= f
= g
= h
= T1
= T2
= 0;
348 void SHA512_Update(SHA512_CTX
* context
, void *datain
, size_t len
) {
349 size_t freespace
, usedspace
;
350 const sha2_byte
* data
= (const sha2_byte
*)datain
;
353 /* Calling with no data is valid - we do nothing */
358 assert(context
!= (SHA512_CTX
*)0 && data
!= (sha2_byte
*)0);
360 usedspace
= (context
->bitcount
[0] >> 3) % SHA512_BLOCK_LENGTH
;
362 /* Calculate how much free space is available in the buffer */
363 freespace
= SHA512_BLOCK_LENGTH
- usedspace
;
365 if (len
>= freespace
) {
366 /* Fill the buffer completely and process it */
367 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, freespace
);
368 ADDINC128(context
->bitcount
, freespace
<< 3);
371 SHA512_Transform(context
, (sha2_word64
*)context
->buffer
);
373 /* The buffer is not yet full */
374 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, len
);
375 ADDINC128(context
->bitcount
, len
<< 3);
377 usedspace
= freespace
= 0;
381 while (len
>= SHA512_BLOCK_LENGTH
) {
382 /* Process as many complete blocks as we can */
383 SHA512_Transform(context
, (sha2_word64
*)data
);
384 ADDINC128(context
->bitcount
, SHA512_BLOCK_LENGTH
<< 3);
385 len
-= SHA512_BLOCK_LENGTH
;
386 data
+= SHA512_BLOCK_LENGTH
;
389 /* There's left-overs, so save 'em */
390 MEMCPY_BCOPY(context
->buffer
, data
, len
);
391 ADDINC128(context
->bitcount
, len
<< 3);
394 usedspace
= freespace
= 0;
397 static void SHA512_Last(SHA512_CTX
* context
) {
399 ldns_sha2_buffer_union cast_var
;
401 usedspace
= (context
->bitcount
[0] >> 3) % SHA512_BLOCK_LENGTH
;
402 #if BYTE_ORDER == LITTLE_ENDIAN
403 /* Convert FROM host byte order */
404 REVERSE64(context
->bitcount
[0],context
->bitcount
[0]);
405 REVERSE64(context
->bitcount
[1],context
->bitcount
[1]);
408 /* Begin padding with a 1 bit: */
409 context
->buffer
[usedspace
++] = 0x80;
411 if (usedspace
<= SHA512_SHORT_BLOCK_LENGTH
) {
412 /* Set-up for the last transform: */
413 MEMSET_BZERO(&context
->buffer
[usedspace
], SHA512_SHORT_BLOCK_LENGTH
- usedspace
);
415 if (usedspace
< SHA512_BLOCK_LENGTH
) {
416 MEMSET_BZERO(&context
->buffer
[usedspace
], SHA512_BLOCK_LENGTH
- usedspace
);
418 /* Do second-to-last transform: */
419 SHA512_Transform(context
, (sha2_word64
*)context
->buffer
);
421 /* And set-up for the last transform: */
422 MEMSET_BZERO(context
->buffer
, SHA512_BLOCK_LENGTH
- 2);
425 /* Prepare for final transform: */
426 MEMSET_BZERO(context
->buffer
, SHA512_SHORT_BLOCK_LENGTH
);
428 /* Begin padding with a 1 bit: */
429 *context
->buffer
= 0x80;
431 /* Store the length of input data (in bits): */
432 cast_var
.theChars
= context
->buffer
;
433 cast_var
.theLongs
[SHA512_SHORT_BLOCK_LENGTH
/ 8] = context
->bitcount
[1];
434 cast_var
.theLongs
[SHA512_SHORT_BLOCK_LENGTH
/ 8 + 1] = context
->bitcount
[0];
436 /* final transform: */
437 SHA512_Transform(context
, (sha2_word64
*)context
->buffer
);
440 void SHA512_Final(sha2_byte digest
[], SHA512_CTX
* context
) {
441 sha2_word64
*d
= (sha2_word64
*)digest
;
444 assert(context
!= (SHA512_CTX
*)0);
446 /* If no digest buffer is passed, we don't bother doing this: */
447 if (digest
!= (sha2_byte
*)0) {
448 SHA512_Last(context
);
450 /* Save the hash data for output: */
451 #if BYTE_ORDER == LITTLE_ENDIAN
453 /* Convert TO host byte order */
455 for (j
= 0; j
< 8; j
++) {
456 REVERSE64(context
->state
[j
],context
->state
[j
]);
457 *d
++ = context
->state
[j
];
461 MEMCPY_BCOPY(d
, context
->state
, SHA512_DIGEST_LENGTH
);
465 /* Zero out state data */
466 MEMSET_BZERO(context
, sizeof(SHA512_CTX
));
470 SHA512(void *data
, unsigned int data_len
, unsigned char *digest
)
474 SHA512_Update(&ctx
, data
, data_len
);
475 SHA512_Final(digest
, &ctx
);