]> git.saurik.com Git - apple/xnu.git/blob - bsd/crypto/sha2/sha2.c
projects / apple / xnu.git / blob
? search:


9ea6f468bbee9735350dc7ddca61785ada74564f
[apple/xnu.git] / bsd / crypto / sha2 / sha2.c
1 /* $FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.1 2001/07/03 11:01:36 ume Exp $ */
2 /* $KAME: sha2.c,v 1.6 2001/03/12 11:31:04 itojun Exp $ */
3
4 /*
5 * sha2.c
6 *
7 * Version 1.0.0beta1
8 *
9 * Written by Aaron D. Gifford <me@aarongifford.com>
10 *
11 * Copyright 2000 Aaron D. Gifford. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 * notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 * notice, this list of conditions and the following disclaimer in the
20 * documentation and/or other materials provided with the distribution.
21 * 3. Neither the name of the copyright holder nor the names of contributors
22 * may be used to endorse or promote products derived from this software
23 * without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 *
37 */
38
39
40 #include <sys/types.h>
41 #include <sys/time.h>
42 #include <sys/systm.h>
43 #include <machine/endian.h>
44 #include <crypto/sha2/sha2.h>
45
46 /*
47 * ASSERT NOTE:
48 * Some sanity checking code is included using assert(). On my FreeBSD
49 * system, this additional code can be removed by compiling with NDEBUG
50 * defined. Check your own systems manpage on assert() to see how to
51 * compile WITHOUT the sanity checking code on your system.
52 *
53 * UNROLLED TRANSFORM LOOP NOTE:
54 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
55 * loop version for the hash transform rounds (defined using macros
56 * later in this file). Either define on the command line, for example:
57 *
58 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
59 *
60 * or define below:
61 *
62 * #define SHA2_UNROLL_TRANSFORM
63 *
64 */
65
66 #ifndef assert(x)
67 #define assert(x)
68 #endif
69
70 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
71 /*
72 * BYTE_ORDER NOTE:
73 *
74 * Please make sure that your system defines BYTE_ORDER. If your
75 * architecture is little-endian, make sure it also defines
76 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
77 * equivilent.
78 *
79 * If your system does not define the above, then you can do so by
80 * hand like this:
81 *
82 * #define LITTLE_ENDIAN 1234
83 * #define BIG_ENDIAN 4321
84 *
85 * And for little-endian machines, add:
86 *
87 * #define BYTE_ORDER LITTLE_ENDIAN
88 *
89 * Or for big-endian machines:
90 *
91 * #define BYTE_ORDER BIG_ENDIAN
92 *
93 * The FreeBSD machine this was written on defines BYTE_ORDER
94 * appropriately by including <sys/types.h> (which in turn includes
95 * <machine/endian.h> where the appropriate definitions are actually
96 * made).
97 */
98 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
99 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
100 #endif
101
102 /*
103 * Define the followingsha2_* types to types of the correct length on
104 * the native archtecture. Most BSD systems and Linux define u_intXX_t
105 * types. Machines with very recent ANSI C headers, can use the
106 * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
107 * during compile or in the sha.h header file.
108 *
109 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
110 * will need to define these three typedefs below (and the appropriate
111 * ones in sha.h too) by hand according to their system architecture.
112 *
113 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
114 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
115 */
116 #if 0 /*def SHA2_USE_INTTYPES_H*/
117
118 typedef uint8_t sha2_byte; /* Exactly 1 byte */
119 typedef uint32_t sha2_word32; /* Exactly 4 bytes */
120 typedef uint64_t sha2_word64; /* Exactly 8 bytes */
121
122 #else /* SHA2_USE_INTTYPES_H */
123
124 typedef u_int8_t sha2_byte; /* Exactly 1 byte */
125 typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
126 typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
127
128 #endif /* SHA2_USE_INTTYPES_H */
129
130
131 /*** SHA-256/384/512 Various Length Definitions ***********************/
132 /* NOTE: Most of these are in sha2.h */
133 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
134 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
135 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
136
137
138 /*** ENDIAN REVERSAL MACROS *******************************************/
139 #if BYTE_ORDER == LITTLE_ENDIAN
140 #define REVERSE32(w,x) { \
141 sha2_word32 tmp = (w); \
142 tmp = (tmp >> 16) | (tmp << 16); \
143 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
144 }
145 #define REVERSE64(w,x) { \
146 sha2_word64 tmp = (w); \
147 tmp = (tmp >> 32) | (tmp << 32); \
148 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
149 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
150 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
151 ((tmp & 0x0000ffff0000ffffULL) << 16); \
152 }
153 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
154
155 /*
156 * Macro for incrementally adding the unsigned 64-bit integer n to the
157 * unsigned 128-bit integer (represented using a two-element array of
158 * 64-bit words):
159 */
160 #define ADDINC128(w,n) { \
161 (w)[0] += (sha2_word64)(n); \
162 if ((w)[0] < (n)) { \
163 (w)[1]++; \
164 } \
165 }
166
167 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
168 /*
169 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
170 *
171 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
172 * S is a ROTATION) because the SHA-256/384/512 description document
173 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
174 * same "backwards" definition.
175 */
176 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
177 #define R(b,x) ((x) >> (b))
178 /* 32-bit Rotate-right (used in SHA-256): */
179 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
180 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
181 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
182
183 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
184 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
185 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
186
187 /* Four of six logical functions used in SHA-256: */
188 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
189 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
190 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
191 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
192
193 /* Four of six logical functions used in SHA-384 and SHA-512: */
194 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
195 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
196 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
197 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
198
199 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
200 /* NOTE: These should not be accessed directly from outside this
201 * library -- they are intended for private internal visibility/use
202 * only.
203 */
204 void SHA512_Last(SHA512_CTX*);
205 void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
206 void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
207
208
209 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
210 /* Hash constant words K for SHA-256: */
211 const static sha2_word32 K256[64] = {
212 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
213 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
214 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
215 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
216 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
217 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
218 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
219 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
220 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
221 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
222 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
223 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
224 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
225 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
226 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
227 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
228 };
229
230 /* Initial hash value H for SHA-256: */
231 const static sha2_word32 sha256_initial_hash_value[8] = {
232 0x6a09e667UL,
233 0xbb67ae85UL,
234 0x3c6ef372UL,
235 0xa54ff53aUL,
236 0x510e527fUL,
237 0x9b05688cUL,
238 0x1f83d9abUL,
239 0x5be0cd19UL
240 };
241
242 /* Hash constant words K for SHA-384 and SHA-512: */
243 const static sha2_word64 K512[80] = {
244 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
245 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
246 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
247 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
248 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
249 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
250 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
251 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
252 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
253 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
254 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
255 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
256 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
257 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
258 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
259 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
260 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
261 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
262 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
263 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
264 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
265 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
266 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
267 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
268 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
269 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
270 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
271 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
272 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
273 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
274 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
275 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
276 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
277 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
278 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
279 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
280 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
281 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
282 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
283 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
284 };
285
286 /* Initial hash value H for SHA-384 */
287 const static sha2_word64 sha384_initial_hash_value[8] = {
288 0xcbbb9d5dc1059ed8ULL,
289 0x629a292a367cd507ULL,
290 0x9159015a3070dd17ULL,
291 0x152fecd8f70e5939ULL,
292 0x67332667ffc00b31ULL,
293 0x8eb44a8768581511ULL,
294 0xdb0c2e0d64f98fa7ULL,
295 0x47b5481dbefa4fa4ULL
296 };
297
298 /* Initial hash value H for SHA-512 */
299 const static sha2_word64 sha512_initial_hash_value[8] = {
300 0x6a09e667f3bcc908ULL,
301 0xbb67ae8584caa73bULL,
302 0x3c6ef372fe94f82bULL,
303 0xa54ff53a5f1d36f1ULL,
304 0x510e527fade682d1ULL,
305 0x9b05688c2b3e6c1fULL,
306 0x1f83d9abfb41bd6bULL,
307 0x5be0cd19137e2179ULL
308 };
309
310 /*
311 * Constant used by SHA256/384/512_End() functions for converting the
312 * digest to a readable hexadecimal character string:
313 */
314 static const char *sha2_hex_digits = "0123456789abcdef";
315
316
317 /*** SHA-256: *********************************************************/
318 void SHA256_Init(SHA256_CTX* context) {
319 if (context == (SHA256_CTX*)0) {
320 return;
321 }
322 bcopy(sha256_initial_hash_value, context->state, SHA256_DIGEST_LENGTH);
323 bzero(context->buffer, SHA256_BLOCK_LENGTH);
324 context->bitcount = 0;
325 }
326
327 #ifdef SHA2_UNROLL_TRANSFORM
328
329 /* Unrolled SHA-256 round macros: */
330
331 #if BYTE_ORDER == LITTLE_ENDIAN
332
333 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
334 REVERSE32(*data++, W256[j]); \
335 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
336 K256[j] + W256[j]; \
337 (d) += T1; \
338 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
339 j++
340
341
342 #else /* BYTE_ORDER == LITTLE_ENDIAN */
343
344 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
345 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
346 K256[j] + (W256[j] = *data++); \
347 (d) += T1; \
348 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
349 j++
350
351 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
352
353 #define ROUND256(a,b,c,d,e,f,g,h) \
354 s0 = W256[(j+1)&0x0f]; \
355 s0 = sigma0_256(s0); \
356 s1 = W256[(j+14)&0x0f]; \
357 s1 = sigma1_256(s1); \
358 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
359 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
360 (d) += T1; \
361 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
362 j++
363
364 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
365 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
366 sha2_word32 T1, *W256;
367 int j;
368
369 W256 = (sha2_word32*)context->buffer;
370
371 /* Initialize registers with the prev. intermediate value */
372 a = context->state[0];
373 b = context->state[1];
374 c = context->state[2];
375 d = context->state[3];
376 e = context->state[4];
377 f = context->state[5];
378 g = context->state[6];
379 h = context->state[7];
380
381 j = 0;
382 do {
383 /* Rounds 0 to 15 (unrolled): */
384 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
385 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
386 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
387 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
388 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
389 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
390 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
391 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
392 } while (j < 16);
393
394 /* Now for the remaining rounds to 64: */
395 do {
396 ROUND256(a,b,c,d,e,f,g,h);
397 ROUND256(h,a,b,c,d,e,f,g);
398 ROUND256(g,h,a,b,c,d,e,f);
399 ROUND256(f,g,h,a,b,c,d,e);
400 ROUND256(e,f,g,h,a,b,c,d);
401 ROUND256(d,e,f,g,h,a,b,c);
402 ROUND256(c,d,e,f,g,h,a,b);
403 ROUND256(b,c,d,e,f,g,h,a);
404 } while (j < 64);
405
406 /* Compute the current intermediate hash value */
407 context->state[0] += a;
408 context->state[1] += b;
409 context->state[2] += c;
410 context->state[3] += d;
411 context->state[4] += e;
412 context->state[5] += f;
413 context->state[6] += g;
414 context->state[7] += h;
415
416 /* Clean up */
417 a = b = c = d = e = f = g = h = T1 = 0;
418 }
419
420 #else /* SHA2_UNROLL_TRANSFORM */
421
422 void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
423 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
424 sha2_word32 T1, T2, *W256;
425 int j;
426
427 W256 = (sha2_word32*)context->buffer;
428
429 /* Initialize registers with the prev. intermediate value */
430 a = context->state[0];
431 b = context->state[1];
432 c = context->state[2];
433 d = context->state[3];
434 e = context->state[4];
435 f = context->state[5];
436 g = context->state[6];
437 h = context->state[7];
438
439 j = 0;
440 do {
441 #if BYTE_ORDER == LITTLE_ENDIAN
442 /* Copy data while converting to host byte order */
443 REVERSE32(*data++,W256[j]);
444 /* Apply the SHA-256 compression function to update a..h */
445 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
446 #else /* BYTE_ORDER == LITTLE_ENDIAN */
447 /* Apply the SHA-256 compression function to update a..h with copy */
448 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
449 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
450 T2 = Sigma0_256(a) + Maj(a, b, c);
451 h = g;
452 g = f;
453 f = e;
454 e = d + T1;
455 d = c;
456 c = b;
457 b = a;
458 a = T1 + T2;
459
460 j++;
461 } while (j < 16);
462
463 do {
464 /* Part of the message block expansion: */
465 s0 = W256[(j+1)&0x0f];
466 s0 = sigma0_256(s0);
467 s1 = W256[(j+14)&0x0f];
468 s1 = sigma1_256(s1);
469
470 /* Apply the SHA-256 compression function to update a..h */
471 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
472 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
473 T2 = Sigma0_256(a) + Maj(a, b, c);
474 h = g;
475 g = f;
476 f = e;
477 e = d + T1;
478 d = c;
479 c = b;
480 b = a;
481 a = T1 + T2;
482
483 j++;
484 } while (j < 64);
485
486 /* Compute the current intermediate hash value */
487 context->state[0] += a;
488 context->state[1] += b;
489 context->state[2] += c;
490 context->state[3] += d;
491 context->state[4] += e;
492 context->state[5] += f;
493 context->state[6] += g;
494 context->state[7] += h;
495
496 /* Clean up */
497 a = b = c = d = e = f = g = h = T1 = T2 = 0;
498 }
499
500 #endif /* SHA2_UNROLL_TRANSFORM */
501
502 void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
503 unsigned int freespace, usedspace;
504
505 if (len == 0) {
506 /* Calling with no data is valid - we do nothing */
507 return;
508 }
509
510 /* Sanity check: */
511 assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
512
513 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
514 if (usedspace > 0) {
515 /* Calculate how much free space is available in the buffer */
516 freespace = SHA256_BLOCK_LENGTH - usedspace;
517
518 if (len >= freespace) {
519 /* Fill the buffer completely and process it */
520 bcopy(data, &context->buffer[usedspace], freespace);
521 context->bitcount += freespace << 3;
522 len -= freespace;
523 data += freespace;
524 SHA256_Transform(context, (sha2_word32*)context->buffer);
525 } else {
526 /* The buffer is not yet full */
527 bcopy(data, &context->buffer[usedspace], len);
528 context->bitcount += len << 3;
529 /* Clean up: */
530 usedspace = freespace = 0;
531 return;
532 }
533 }
534 while (len >= SHA256_BLOCK_LENGTH) {
535 /* Process as many complete blocks as we can */
536 SHA256_Transform(context, (const sha2_word32*)data);
537 context->bitcount += SHA256_BLOCK_LENGTH << 3;
538 len -= SHA256_BLOCK_LENGTH;
539 data += SHA256_BLOCK_LENGTH;
540 }
541 if (len > 0) {
542 /* There's left-overs, so save 'em */
543 bcopy(data, context->buffer, len);
544 context->bitcount += len << 3;
545 }
546 /* Clean up: */
547 usedspace = freespace = 0;
548 }
549
550 void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
551 sha2_word32 *d = (sha2_word32*)digest;
552 unsigned int usedspace;
553
554 /* Sanity check: */
555 assert(context != (SHA256_CTX*)0);
556
557 /* If no digest buffer is passed, we don't bother doing this: */
558 if (digest != (sha2_byte*)0) {
559 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
560 #if BYTE_ORDER == LITTLE_ENDIAN
561 /* Convert FROM host byte order */
562 REVERSE64(context->bitcount,context->bitcount);
563 #endif
564 if (usedspace > 0) {
565 /* Begin padding with a 1 bit: */
566 context->buffer[usedspace++] = 0x80;
567
568 if (usedspace < SHA256_SHORT_BLOCK_LENGTH) {
569 /* Set-up for the last transform: */
570 bzero(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
571 } else {
572 if (usedspace < SHA256_BLOCK_LENGTH) {
573 bzero(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
574 }
575 /* Do second-to-last transform: */
576 SHA256_Transform(context, (sha2_word32*)context->buffer);
577
578 /* And set-up for the last transform: */
579 bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
580 }
581 } else {
582 /* Set-up for the last transform: */
583 bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
584
585 /* Begin padding with a 1 bit: */
586 *context->buffer = 0x80;
587 }
588 /* Set the bit count: */
589 *(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
590
591 /* Final transform: */
592 SHA256_Transform(context, (sha2_word32*)context->buffer);
593
594 #if BYTE_ORDER == LITTLE_ENDIAN
595 {
596 /* Convert TO host byte order */
597 int j;
598 for (j = 0; j < 8; j++) {
599 REVERSE32(context->state[j],context->state[j]);
600 *d++ = context->state[j];
601 }
602 }
603 #else
604 bcopy(context->state, d, SHA256_DIGEST_LENGTH);
605 #endif
606 }
607
608 /* Clean up state data: */
609 bzero(context, sizeof(context));
610 usedspace = 0;
611 }
612
613 char *SHA256_End(SHA256_CTX* context, char buffer[]) {
614 sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
615 int i;
616
617 /* Sanity check: */
618 assert(context != (SHA256_CTX*)0);
619
620 if (buffer != (char*)0) {
621 SHA256_Final(digest, context);
622
623 for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
624 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
625 *buffer++ = sha2_hex_digits[*d & 0x0f];
626 d++;
627 }
628 *buffer = (char)0;
629 } else {
630 bzero(context, sizeof(context));
631 }
632 bzero(digest, SHA256_DIGEST_LENGTH);
633 return buffer;
634 }
635
636 char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
637 SHA256_CTX context;
638
639 SHA256_Init(&context);
640 SHA256_Update(&context, data, len);
641 return SHA256_End(&context, digest);
642 }
643
644
645 /*** SHA-512: *********************************************************/
646 void SHA512_Init(SHA512_CTX* context) {
647 if (context == (SHA512_CTX*)0) {
648 return;
649 }
650 bcopy(sha512_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
651 bzero(context->buffer, SHA512_BLOCK_LENGTH);
652 context->bitcount[0] = context->bitcount[1] = 0;
653 }
654
655 #ifdef SHA2_UNROLL_TRANSFORM
656
657 /* Unrolled SHA-512 round macros: */
658 #if BYTE_ORDER == LITTLE_ENDIAN
659
660 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
661 REVERSE64(*data++, W512[j]); \
662 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
663 K512[j] + W512[j]; \
664 (d) += T1, \
665 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
666 j++
667
668
669 #else /* BYTE_ORDER == LITTLE_ENDIAN */
670
671 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
672 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
673 K512[j] + (W512[j] = *data++); \
674 (d) += T1; \
675 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
676 j++
677
678 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
679
680 #define ROUND512(a,b,c,d,e,f,g,h) \
681 s0 = W512[(j+1)&0x0f]; \
682 s0 = sigma0_512(s0); \
683 s1 = W512[(j+14)&0x0f]; \
684 s1 = sigma1_512(s1); \
685 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
686 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
687 (d) += T1; \
688 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
689 j++
690
691 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
692 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
693 sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
694 int j;
695
696 /* Initialize registers with the prev. intermediate value */
697 a = context->state[0];
698 b = context->state[1];
699 c = context->state[2];
700 d = context->state[3];
701 e = context->state[4];
702 f = context->state[5];
703 g = context->state[6];
704 h = context->state[7];
705
706 j = 0;
707 do {
708 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
709 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
710 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
711 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
712 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
713 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
714 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
715 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
716 } while (j < 16);
717
718 /* Now for the remaining rounds up to 79: */
719 do {
720 ROUND512(a,b,c,d,e,f,g,h);
721 ROUND512(h,a,b,c,d,e,f,g);
722 ROUND512(g,h,a,b,c,d,e,f);
723 ROUND512(f,g,h,a,b,c,d,e);
724 ROUND512(e,f,g,h,a,b,c,d);
725 ROUND512(d,e,f,g,h,a,b,c);
726 ROUND512(c,d,e,f,g,h,a,b);
727 ROUND512(b,c,d,e,f,g,h,a);
728 } while (j < 80);
729
730 /* Compute the current intermediate hash value */
731 context->state[0] += a;
732 context->state[1] += b;
733 context->state[2] += c;
734 context->state[3] += d;
735 context->state[4] += e;
736 context->state[5] += f;
737 context->state[6] += g;
738 context->state[7] += h;
739
740 /* Clean up */
741 a = b = c = d = e = f = g = h = T1 = 0;
742 }
743
744 #else /* SHA2_UNROLL_TRANSFORM */
745
746 void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
747 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
748 sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
749 int j;
750
751 /* Initialize registers with the prev. intermediate value */
752 a = context->state[0];
753 b = context->state[1];
754 c = context->state[2];
755 d = context->state[3];
756 e = context->state[4];
757 f = context->state[5];
758 g = context->state[6];
759 h = context->state[7];
760
761 j = 0;
762 do {
763 #if BYTE_ORDER == LITTLE_ENDIAN
764 /* Convert TO host byte order */
765 REVERSE64(*data++, W512[j]);
766 /* Apply the SHA-512 compression function to update a..h */
767 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
768 #else /* BYTE_ORDER == LITTLE_ENDIAN */
769 /* Apply the SHA-512 compression function to update a..h with copy */
770 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
771 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
772 T2 = Sigma0_512(a) + Maj(a, b, c);
773 h = g;
774 g = f;
775 f = e;
776 e = d + T1;
777 d = c;
778 c = b;
779 b = a;
780 a = T1 + T2;
781
782 j++;
783 } while (j < 16);
784
785 do {
786 /* Part of the message block expansion: */
787 s0 = W512[(j+1)&0x0f];
788 s0 = sigma0_512(s0);
789 s1 = W512[(j+14)&0x0f];
790 s1 = sigma1_512(s1);
791
792 /* Apply the SHA-512 compression function to update a..h */
793 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
794 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
795 T2 = Sigma0_512(a) + Maj(a, b, c);
796 h = g;
797 g = f;
798 f = e;
799 e = d + T1;
800 d = c;
801 c = b;
802 b = a;
803 a = T1 + T2;
804
805 j++;
806 } while (j < 80);
807
808 /* Compute the current intermediate hash value */
809 context->state[0] += a;
810 context->state[1] += b;
811 context->state[2] += c;
812 context->state[3] += d;
813 context->state[4] += e;
814 context->state[5] += f;
815 context->state[6] += g;
816 context->state[7] += h;
817
818 /* Clean up */
819 a = b = c = d = e = f = g = h = T1 = T2 = 0;
820 }
821
822 #endif /* SHA2_UNROLL_TRANSFORM */
823
824 void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
825 unsigned int freespace, usedspace;
826
827 if (len == 0) {
828 /* Calling with no data is valid - we do nothing */
829 return;
830 }
831
832 /* Sanity check: */
833 assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);
834
835 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
836 if (usedspace > 0) {
837 /* Calculate how much free space is available in the buffer */
838 freespace = SHA512_BLOCK_LENGTH - usedspace;
839
840 if (len >= freespace) {
841 /* Fill the buffer completely and process it */
842 bcopy(data, &context->buffer[usedspace], freespace);
843 ADDINC128(context->bitcount, freespace << 3);
844 len -= freespace;
845 data += freespace;
846 SHA512_Transform(context, (sha2_word64*)context->buffer);
847 } else {
848 /* The buffer is not yet full */
849 bcopy(data, &context->buffer[usedspace], len);
850 ADDINC128(context->bitcount, len << 3);
851 /* Clean up: */
852 usedspace = freespace = 0;
853 return;
854 }
855 }
856 while (len >= SHA512_BLOCK_LENGTH) {
857 /* Process as many complete blocks as we can */
858 SHA512_Transform(context, (const sha2_word64*)data);
859 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
860 len -= SHA512_BLOCK_LENGTH;
861 data += SHA512_BLOCK_LENGTH;
862 }
863 if (len > 0) {
864 /* There's left-overs, so save 'em */
865 bcopy(data, context->buffer, len);
866 ADDINC128(context->bitcount, len << 3);
867 }
868 /* Clean up: */
869 usedspace = freespace = 0;
870 }
871
872 void SHA512_Last(SHA512_CTX* context) {
873 unsigned int usedspace;
874
875 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
876 #if BYTE_ORDER == LITTLE_ENDIAN
877 /* Convert FROM host byte order */
878 REVERSE64(context->bitcount[0],context->bitcount[0]);
879 REVERSE64(context->bitcount[1],context->bitcount[1]);
880 #endif
881 if (usedspace > 0) {
882 /* Begin padding with a 1 bit: */
883 context->buffer[usedspace++] = 0x80;
884
885 if (usedspace < SHA512_SHORT_BLOCK_LENGTH) {
886 /* Set-up for the last transform: */
887 bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
888 } else {
889 if (usedspace < SHA512_BLOCK_LENGTH) {
890 bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
891 }
892 /* Do second-to-last transform: */
893 SHA512_Transform(context, (sha2_word64*)context->buffer);
894
895 /* And set-up for the last transform: */
896 bzero(context->buffer, SHA512_BLOCK_LENGTH - 2);
897 }
898 } else {
899 /* Prepare for final transform: */
900 bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
901
902 /* Begin padding with a 1 bit: */
903 *context->buffer = 0x80;
904 }
905 /* Store the length of input data (in bits): */
906 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
907 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
908
909 /* Final transform: */
910 SHA512_Transform(context, (sha2_word64*)context->buffer);
911 }
912
913 void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
914 sha2_word64 *d = (sha2_word64*)digest;
915
916 /* Sanity check: */
917 assert(context != (SHA512_CTX*)0);
918
919 /* If no digest buffer is passed, we don't bother doing this: */
920 if (digest != (sha2_byte*)0) {
921 SHA512_Last(context);
922
923 /* Save the hash data for output: */
924 #if BYTE_ORDER == LITTLE_ENDIAN
925 {
926 /* Convert TO host byte order */
927 int j;
928 for (j = 0; j < 8; j++) {
929 REVERSE64(context->state[j],context->state[j]);
930 *d++ = context->state[j];
931 }
932 }
933 #else
934 bcopy(context->state, d, SHA512_DIGEST_LENGTH);
935 #endif
936 }
937
938 /* Zero out state data */
939 bzero(context, sizeof(context));
940 }
941
942 char *SHA512_End(SHA512_CTX* context, char buffer[]) {
943 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
944 int i;
945
946 /* Sanity check: */
947 assert(context != (SHA512_CTX*)0);
948
949 if (buffer != (char*)0) {
950 SHA512_Final(digest, context);
951
952 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
953 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
954 *buffer++ = sha2_hex_digits[*d & 0x0f];
955 d++;
956 }
957 *buffer = (char)0;
958 } else {
959 bzero(context, sizeof(context));
960 }
961 bzero(digest, SHA512_DIGEST_LENGTH);
962 return buffer;
963 }
964
965 char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
966 SHA512_CTX context;
967
968 SHA512_Init(&context);
969 SHA512_Update(&context, data, len);
970 return SHA512_End(&context, digest);
971 }
972
973
974 /*** SHA-384: *********************************************************/
975 void SHA384_Init(SHA384_CTX* context) {
976 if (context == (SHA384_CTX*)0) {
977 return;
978 }
979 bcopy(sha384_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
980 bzero(context->buffer, SHA384_BLOCK_LENGTH);
981 context->bitcount[0] = context->bitcount[1] = 0;
982 }
983
984 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
985 SHA512_Update((SHA512_CTX*)context, data, len);
986 }
987
988 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
989 sha2_word64 *d = (sha2_word64*)digest;
990
991 /* Sanity check: */
992 assert(context != (SHA384_CTX*)0);
993
994 /* If no digest buffer is passed, we don't bother doing this: */
995 if (digest != (sha2_byte*)0) {
996 SHA512_Last((SHA512_CTX*)context);
997
998 /* Save the hash data for output: */
999 #if BYTE_ORDER == LITTLE_ENDIAN
1000 {
1001 /* Convert TO host byte order */
1002 int j;
1003 for (j = 0; j < 6; j++) {
1004 REVERSE64(context->state[j],context->state[j]);
1005 *d++ = context->state[j];
1006 }
1007 }
1008 #else
1009 bcopy(context->state, d, SHA384_DIGEST_LENGTH);
1010 #endif
1011 }
1012
1013 /* Zero out state data */
1014 bzero(context, sizeof(context));
1015 }
1016
1017 char *SHA384_End(SHA384_CTX* context, char buffer[]) {
1018 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
1019 int i;
1020
1021 /* Sanity check: */
1022 assert(context != (SHA384_CTX*)0);
1023
1024 if (buffer != (char*)0) {
1025 SHA384_Final(digest, context);
1026
1027 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
1028 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
1029 *buffer++ = sha2_hex_digits[*d & 0x0f];
1030 d++;
1031 }
1032 *buffer = (char)0;
1033 } else {
1034 bzero(context, sizeof(context));
1035 }
1036 bzero(digest, SHA384_DIGEST_LENGTH);
1037 return buffer;
1038 }
1039
1040 char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
1041 SHA384_CTX context;
1042
1043 SHA384_Init(&context);
1044 SHA384_Update(&context, data, len);
1045 return SHA384_End(&context, digest);
1046 }
1047
mirror of XNU