3 * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/
5 * Copyright (c) 2000-2001, Aaron D. Gifford
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the copyright holder nor the names of contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * $Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
36 #include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
37 #include <assert.h> /* assert() */
38 #include "sha2_internal.h"
42 * Some sanity checking code is included using assert(). On my FreeBSD
43 * system, this additional code can be removed by compiling with NDEBUG
44 * defined. Check your own systems manpage on assert() to see how to
45 * compile WITHOUT the sanity checking code on your system.
47 * UNROLLED TRANSFORM LOOP NOTE:
48 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
49 * loop version for the hash transform rounds (defined using macros
50 * later in this file). Either define on the command line, for example:
52 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
56 * #define SHA2_UNROLL_TRANSFORM
61 /*** SHA-256/384/512 Machine Architecture Definitions *****************/
65 * Please make sure that your system defines BYTE_ORDER. If your
66 * architecture is little-endian, make sure it also defines
67 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
70 * If your system does not define the above, then you can do so by
73 * #define LITTLE_ENDIAN 1234
74 * #define BIG_ENDIAN 4321
76 * And for little-endian machines, add:
78 * #define BYTE_ORDER LITTLE_ENDIAN
80 * Or for big-endian machines:
82 * #define BYTE_ORDER BIG_ENDIAN
84 * The FreeBSD machine this was written on defines BYTE_ORDER
85 * appropriately by including <sys/types.h> (which in turn includes
86 * <machine/endian.h> where the appropriate definitions are actually
89 #if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
90 #error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
94 * Define the followingsha2_* types to types of the correct length on
95 * the native archtecture. Most BSD systems and Linux define u_intXX_t
96 * types. Machines with very recent ANSI C headers, can use the
97 * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
98 * during compile or in the sha.h header file.
100 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
101 * will need to define these three typedefs below (and the appropriate
102 * ones in sha.h too) by hand according to their system architecture.
104 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
105 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
107 #ifdef SHA2_USE_INTTYPES_H
109 typedef uint8_t sha2_byte
; /* Exactly 1 byte */
110 typedef uint32_t sha2_word32
; /* Exactly 4 bytes */
111 typedef uint64_t sha2_word64
; /* Exactly 8 bytes */
113 #else /* SHA2_USE_INTTYPES_H */
115 typedef u_int8_t sha2_byte
; /* Exactly 1 byte */
116 typedef u_int32_t sha2_word32
; /* Exactly 4 bytes */
117 typedef u_int64_t sha2_word64
; /* Exactly 8 bytes */
119 #endif /* SHA2_USE_INTTYPES_H */
122 /*** SHA-256/384/512 Various Length Definitions ***********************/
123 /* NOTE: Most of these are in sha2.h */
124 #define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
125 #define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
126 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
129 /*** ENDIAN REVERSAL MACROS *******************************************/
130 #if BYTE_ORDER == LITTLE_ENDIAN
131 #define REVERSE32(w,x) { \
132 sha2_word32 tmp = (w); \
133 tmp = (tmp >> 16) | (tmp << 16); \
134 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
136 #define REVERSE64(w,x) { \
137 sha2_word64 tmp = (w); \
138 tmp = (tmp >> 32) | (tmp << 32); \
139 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
140 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
141 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
142 ((tmp & 0x0000ffff0000ffffULL) << 16); \
144 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
147 * Macro for incrementally adding the unsigned 64-bit integer n to the
148 * unsigned 128-bit integer (represented using a two-element array of
151 #define ADDINC128(w,n) { \
152 (w)[0] += (sha2_word64)(n); \
153 if ((w)[0] < (n)) { \
159 * Macros for copying blocks of memory and for zeroing out ranges
160 * of memory. Using these macros makes it easy to switch from
161 * using memset()/memcpy() and using bzero()/bcopy().
163 * Please define either SHA2_USE_MEMSET_MEMCPY or define
164 * SHA2_USE_BZERO_BCOPY depending on which function set you
167 #if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
168 /* Default to memset()/memcpy() if no option is specified */
169 #define SHA2_USE_MEMSET_MEMCPY 1
171 #if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
172 /* Abort with an error if BOTH options are defined */
173 #error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
176 #ifdef SHA2_USE_MEMSET_MEMCPY
177 #define MEMSET_BZERO(p,l) memset((p), 0, (l))
178 #define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
180 #ifdef SHA2_USE_BZERO_BCOPY
181 #define MEMSET_BZERO(p,l) bzero((p), (l))
182 #define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
186 /*** THE SIX LOGICAL FUNCTIONS ****************************************/
188 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
190 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
191 * S is a ROTATION) because the SHA-256/384/512 description document
192 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
193 * same "backwards" definition.
195 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
196 #define R(b,x) ((x) >> (b))
197 /* 32-bit Rotate-right (used in SHA-256): */
198 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
199 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
200 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
202 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
203 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
204 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
206 /* Four of six logical functions used in SHA-256: */
207 #define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
208 #define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
209 #define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
210 #define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
212 /* Four of six logical functions used in SHA-384 and SHA-512: */
213 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
214 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
215 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
216 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
218 /*** INTERNAL FUNCTION PROTOTYPES *************************************/
219 /* NOTE: These should not be accessed directly from outside this
220 * library -- they are intended for private internal visibility/use
223 static void SHA512_Last(SHA512_CTX
*);
224 static void SHA256_Transform(SHA256_CTX
*, const sha2_word32
*);
225 static void SHA512_Transform(SHA512_CTX
*, const sha2_word64
*);
228 /*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
229 /* Hash constant words K for SHA-256: */
230 const static sha2_word32 K256
[64] = {
231 0x428a2f98UL
, 0x71374491UL
, 0xb5c0fbcfUL
, 0xe9b5dba5UL
,
232 0x3956c25bUL
, 0x59f111f1UL
, 0x923f82a4UL
, 0xab1c5ed5UL
,
233 0xd807aa98UL
, 0x12835b01UL
, 0x243185beUL
, 0x550c7dc3UL
,
234 0x72be5d74UL
, 0x80deb1feUL
, 0x9bdc06a7UL
, 0xc19bf174UL
,
235 0xe49b69c1UL
, 0xefbe4786UL
, 0x0fc19dc6UL
, 0x240ca1ccUL
,
236 0x2de92c6fUL
, 0x4a7484aaUL
, 0x5cb0a9dcUL
, 0x76f988daUL
,
237 0x983e5152UL
, 0xa831c66dUL
, 0xb00327c8UL
, 0xbf597fc7UL
,
238 0xc6e00bf3UL
, 0xd5a79147UL
, 0x06ca6351UL
, 0x14292967UL
,
239 0x27b70a85UL
, 0x2e1b2138UL
, 0x4d2c6dfcUL
, 0x53380d13UL
,
240 0x650a7354UL
, 0x766a0abbUL
, 0x81c2c92eUL
, 0x92722c85UL
,
241 0xa2bfe8a1UL
, 0xa81a664bUL
, 0xc24b8b70UL
, 0xc76c51a3UL
,
242 0xd192e819UL
, 0xd6990624UL
, 0xf40e3585UL
, 0x106aa070UL
,
243 0x19a4c116UL
, 0x1e376c08UL
, 0x2748774cUL
, 0x34b0bcb5UL
,
244 0x391c0cb3UL
, 0x4ed8aa4aUL
, 0x5b9cca4fUL
, 0x682e6ff3UL
,
245 0x748f82eeUL
, 0x78a5636fUL
, 0x84c87814UL
, 0x8cc70208UL
,
246 0x90befffaUL
, 0xa4506cebUL
, 0xbef9a3f7UL
, 0xc67178f2UL
249 /* Initial hash value H for SHA-256: */
250 const static sha2_word32 sha256_initial_hash_value
[8] = {
261 /* Hash constant words K for SHA-384 and SHA-512: */
262 const static sha2_word64 K512
[80] = {
263 0x428a2f98d728ae22ULL
, 0x7137449123ef65cdULL
,
264 0xb5c0fbcfec4d3b2fULL
, 0xe9b5dba58189dbbcULL
,
265 0x3956c25bf348b538ULL
, 0x59f111f1b605d019ULL
,
266 0x923f82a4af194f9bULL
, 0xab1c5ed5da6d8118ULL
,
267 0xd807aa98a3030242ULL
, 0x12835b0145706fbeULL
,
268 0x243185be4ee4b28cULL
, 0x550c7dc3d5ffb4e2ULL
,
269 0x72be5d74f27b896fULL
, 0x80deb1fe3b1696b1ULL
,
270 0x9bdc06a725c71235ULL
, 0xc19bf174cf692694ULL
,
271 0xe49b69c19ef14ad2ULL
, 0xefbe4786384f25e3ULL
,
272 0x0fc19dc68b8cd5b5ULL
, 0x240ca1cc77ac9c65ULL
,
273 0x2de92c6f592b0275ULL
, 0x4a7484aa6ea6e483ULL
,
274 0x5cb0a9dcbd41fbd4ULL
, 0x76f988da831153b5ULL
,
275 0x983e5152ee66dfabULL
, 0xa831c66d2db43210ULL
,
276 0xb00327c898fb213fULL
, 0xbf597fc7beef0ee4ULL
,
277 0xc6e00bf33da88fc2ULL
, 0xd5a79147930aa725ULL
,
278 0x06ca6351e003826fULL
, 0x142929670a0e6e70ULL
,
279 0x27b70a8546d22ffcULL
, 0x2e1b21385c26c926ULL
,
280 0x4d2c6dfc5ac42aedULL
, 0x53380d139d95b3dfULL
,
281 0x650a73548baf63deULL
, 0x766a0abb3c77b2a8ULL
,
282 0x81c2c92e47edaee6ULL
, 0x92722c851482353bULL
,
283 0xa2bfe8a14cf10364ULL
, 0xa81a664bbc423001ULL
,
284 0xc24b8b70d0f89791ULL
, 0xc76c51a30654be30ULL
,
285 0xd192e819d6ef5218ULL
, 0xd69906245565a910ULL
,
286 0xf40e35855771202aULL
, 0x106aa07032bbd1b8ULL
,
287 0x19a4c116b8d2d0c8ULL
, 0x1e376c085141ab53ULL
,
288 0x2748774cdf8eeb99ULL
, 0x34b0bcb5e19b48a8ULL
,
289 0x391c0cb3c5c95a63ULL
, 0x4ed8aa4ae3418acbULL
,
290 0x5b9cca4f7763e373ULL
, 0x682e6ff3d6b2b8a3ULL
,
291 0x748f82ee5defb2fcULL
, 0x78a5636f43172f60ULL
,
292 0x84c87814a1f0ab72ULL
, 0x8cc702081a6439ecULL
,
293 0x90befffa23631e28ULL
, 0xa4506cebde82bde9ULL
,
294 0xbef9a3f7b2c67915ULL
, 0xc67178f2e372532bULL
,
295 0xca273eceea26619cULL
, 0xd186b8c721c0c207ULL
,
296 0xeada7dd6cde0eb1eULL
, 0xf57d4f7fee6ed178ULL
,
297 0x06f067aa72176fbaULL
, 0x0a637dc5a2c898a6ULL
,
298 0x113f9804bef90daeULL
, 0x1b710b35131c471bULL
,
299 0x28db77f523047d84ULL
, 0x32caab7b40c72493ULL
,
300 0x3c9ebe0a15c9bebcULL
, 0x431d67c49c100d4cULL
,
301 0x4cc5d4becb3e42b6ULL
, 0x597f299cfc657e2aULL
,
302 0x5fcb6fab3ad6faecULL
, 0x6c44198c4a475817ULL
305 /* Initial hash value H for SHA-384 */
306 const static sha2_word64 sha384_initial_hash_value
[8] = {
307 0xcbbb9d5dc1059ed8ULL
,
308 0x629a292a367cd507ULL
,
309 0x9159015a3070dd17ULL
,
310 0x152fecd8f70e5939ULL
,
311 0x67332667ffc00b31ULL
,
312 0x8eb44a8768581511ULL
,
313 0xdb0c2e0d64f98fa7ULL
,
314 0x47b5481dbefa4fa4ULL
317 /* Initial hash value H for SHA-512 */
318 const static sha2_word64 sha512_initial_hash_value
[8] = {
319 0x6a09e667f3bcc908ULL
,
320 0xbb67ae8584caa73bULL
,
321 0x3c6ef372fe94f82bULL
,
322 0xa54ff53a5f1d36f1ULL
,
323 0x510e527fade682d1ULL
,
324 0x9b05688c2b3e6c1fULL
,
325 0x1f83d9abfb41bd6bULL
,
326 0x5be0cd19137e2179ULL
330 * Constant used by SHA256/384/512_End() functions for converting the
331 * digest to a readable hexadecimal character string:
333 static const char *sha2_hex_digits
= "0123456789abcdef";
336 /*** SHA-256: *********************************************************/
337 void SHA256_Init(SHA256_CTX
* context
) {
338 if (context
== (SHA256_CTX
*)0) {
341 MEMCPY_BCOPY(context
->state
, sha256_initial_hash_value
, SHA256_DIGEST_LENGTH
);
342 MEMSET_BZERO(context
->buffer
, SHA256_BLOCK_LENGTH
);
343 context
->bitcount
= 0;
346 #ifdef SHA2_UNROLL_TRANSFORM
348 /* Unrolled SHA-256 round macros: */
350 #if BYTE_ORDER == LITTLE_ENDIAN
352 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
353 REVERSE32(*data++, W256[j]); \
354 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
357 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
361 #else /* BYTE_ORDER == LITTLE_ENDIAN */
363 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
364 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
365 K256[j] + (W256[j] = *data++); \
367 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
370 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
372 #define ROUND256(a,b,c,d,e,f,g,h) \
373 s0 = W256[(j+1)&0x0f]; \
374 s0 = sigma0_256(s0); \
375 s1 = W256[(j+14)&0x0f]; \
376 s1 = sigma1_256(s1); \
377 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
378 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
380 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
383 static void SHA256_Transform(SHA256_CTX
* context
, const sha2_word32
* data
) {
384 sha2_word32 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
385 sha2_word32 T1
, *W256
;
388 W256
= (sha2_word32
*)context
->buffer
;
390 /* Initialize registers with the prev. intermediate value */
391 a
= context
->state
[0];
392 b
= context
->state
[1];
393 c
= context
->state
[2];
394 d
= context
->state
[3];
395 e
= context
->state
[4];
396 f
= context
->state
[5];
397 g
= context
->state
[6];
398 h
= context
->state
[7];
402 /* Rounds 0 to 15 (unrolled): */
403 ROUND256_0_TO_15(a
,b
,c
,d
,e
,f
,g
,h
);
404 ROUND256_0_TO_15(h
,a
,b
,c
,d
,e
,f
,g
);
405 ROUND256_0_TO_15(g
,h
,a
,b
,c
,d
,e
,f
);
406 ROUND256_0_TO_15(f
,g
,h
,a
,b
,c
,d
,e
);
407 ROUND256_0_TO_15(e
,f
,g
,h
,a
,b
,c
,d
);
408 ROUND256_0_TO_15(d
,e
,f
,g
,h
,a
,b
,c
);
409 ROUND256_0_TO_15(c
,d
,e
,f
,g
,h
,a
,b
);
410 ROUND256_0_TO_15(b
,c
,d
,e
,f
,g
,h
,a
);
413 /* Now for the remaining rounds to 64: */
415 ROUND256(a
,b
,c
,d
,e
,f
,g
,h
);
416 ROUND256(h
,a
,b
,c
,d
,e
,f
,g
);
417 ROUND256(g
,h
,a
,b
,c
,d
,e
,f
);
418 ROUND256(f
,g
,h
,a
,b
,c
,d
,e
);
419 ROUND256(e
,f
,g
,h
,a
,b
,c
,d
);
420 ROUND256(d
,e
,f
,g
,h
,a
,b
,c
);
421 ROUND256(c
,d
,e
,f
,g
,h
,a
,b
);
422 ROUND256(b
,c
,d
,e
,f
,g
,h
,a
);
425 /* Compute the current intermediate hash value */
426 context
->state
[0] += a
;
427 context
->state
[1] += b
;
428 context
->state
[2] += c
;
429 context
->state
[3] += d
;
430 context
->state
[4] += e
;
431 context
->state
[5] += f
;
432 context
->state
[6] += g
;
433 context
->state
[7] += h
;
436 a
= b
= c
= d
= e
= f
= g
= h
= T1
= 0;
439 #else /* SHA2_UNROLL_TRANSFORM */
441 static void SHA256_Transform(SHA256_CTX
* context
, const sha2_word32
* data
) {
442 sha2_word32 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
443 sha2_word32 T1
, T2
, *W256
;
446 W256
= (sha2_word32
*)context
->buffer
;
448 /* Initialize registers with the prev. intermediate value */
449 a
= context
->state
[0];
450 b
= context
->state
[1];
451 c
= context
->state
[2];
452 d
= context
->state
[3];
453 e
= context
->state
[4];
454 f
= context
->state
[5];
455 g
= context
->state
[6];
456 h
= context
->state
[7];
460 #if BYTE_ORDER == LITTLE_ENDIAN
461 /* Copy data while converting to host byte order */
462 REVERSE32(*data
++,W256
[j
]);
463 /* Apply the SHA-256 compression function to update a..h */
464 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] + W256
[j
];
465 #else /* BYTE_ORDER == LITTLE_ENDIAN */
466 /* Apply the SHA-256 compression function to update a..h with copy */
467 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] + (W256
[j
] = *data
++);
468 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
469 T2
= Sigma0_256(a
) + Maj(a
, b
, c
);
483 /* Part of the message block expansion: */
484 s0
= W256
[(j
+1)&0x0f];
486 s1
= W256
[(j
+14)&0x0f];
489 /* Apply the SHA-256 compression function to update a..h */
490 T1
= h
+ Sigma1_256(e
) + Ch(e
, f
, g
) + K256
[j
] +
491 (W256
[j
&0x0f] += s1
+ W256
[(j
+9)&0x0f] + s0
);
492 T2
= Sigma0_256(a
) + Maj(a
, b
, c
);
505 /* Compute the current intermediate hash value */
506 context
->state
[0] += a
;
507 context
->state
[1] += b
;
508 context
->state
[2] += c
;
509 context
->state
[3] += d
;
510 context
->state
[4] += e
;
511 context
->state
[5] += f
;
512 context
->state
[6] += g
;
513 context
->state
[7] += h
;
516 a
= b
= c
= d
= e
= f
= g
= h
= T1
= T2
= 0;
519 #endif /* SHA2_UNROLL_TRANSFORM */
521 void SHA256_Update(SHA256_CTX
* context
, const sha2_byte
*data
, size_t len
) {
522 unsigned int freespace
, usedspace
;
525 /* Calling with no data is valid - we do nothing */
530 assert(context
!= (SHA256_CTX
*)0 && data
!= (sha2_byte
*)0);
532 usedspace
= (context
->bitcount
>> 3) % SHA256_BLOCK_LENGTH
;
534 /* Calculate how much free space is available in the buffer */
535 freespace
= SHA256_BLOCK_LENGTH
- usedspace
;
537 if (len
>= freespace
) {
538 /* Fill the buffer completely and process it */
539 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, freespace
);
540 context
->bitcount
+= freespace
<< 3;
543 SHA256_Transform(context
, (sha2_word32
*)context
->buffer
);
545 /* The buffer is not yet full */
546 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, len
);
547 context
->bitcount
+= len
<< 3;
549 usedspace
= freespace
= 0;
553 while (len
>= SHA256_BLOCK_LENGTH
) {
554 /* Process as many complete blocks as we can */
555 sha2_byte buffer
[SHA256_BLOCK_LENGTH
];
556 MEMCPY_BCOPY(buffer
, data
, SHA256_BLOCK_LENGTH
);
557 SHA256_Transform(context
, (sha2_word32
*)buffer
);
558 context
->bitcount
+= SHA256_BLOCK_LENGTH
<< 3;
559 len
-= SHA256_BLOCK_LENGTH
;
560 data
+= SHA256_BLOCK_LENGTH
;
563 /* There's left-overs, so save 'em */
564 MEMCPY_BCOPY(context
->buffer
, data
, len
);
565 context
->bitcount
+= len
<< 3;
568 usedspace
= freespace
= 0;
571 void SHA256_Final(sha2_byte digest
[], SHA256_CTX
* context
) {
572 sha2_word32
*d
= (sha2_word32
*)digest
;
573 unsigned int usedspace
;
576 assert(context
!= (SHA256_CTX
*)0);
578 /* If no digest buffer is passed, we don't bother doing this: */
579 if (digest
!= (sha2_byte
*)0) {
580 usedspace
= (context
->bitcount
>> 3) % SHA256_BLOCK_LENGTH
;
581 #if BYTE_ORDER == LITTLE_ENDIAN
582 /* Convert FROM host byte order */
583 REVERSE64(context
->bitcount
,context
->bitcount
);
586 /* Begin padding with a 1 bit: */
587 context
->buffer
[usedspace
++] = 0x80;
589 if (usedspace
<= SHA256_SHORT_BLOCK_LENGTH
) {
590 /* Set-up for the last transform: */
591 MEMSET_BZERO(&context
->buffer
[usedspace
], SHA256_SHORT_BLOCK_LENGTH
- usedspace
);
593 if (usedspace
< SHA256_BLOCK_LENGTH
) {
594 MEMSET_BZERO(&context
->buffer
[usedspace
], SHA256_BLOCK_LENGTH
- usedspace
);
596 /* Do second-to-last transform: */
597 SHA256_Transform(context
, (sha2_word32
*)context
->buffer
);
599 /* And set-up for the last transform: */
600 MEMSET_BZERO(context
->buffer
, SHA256_SHORT_BLOCK_LENGTH
);
603 /* Set-up for the last transform: */
604 MEMSET_BZERO(context
->buffer
, SHA256_SHORT_BLOCK_LENGTH
);
606 /* Begin padding with a 1 bit: */
607 *context
->buffer
= 0x80;
609 /* Set the bit count: */
614 bitcount
.c
= &context
->buffer
[SHA256_SHORT_BLOCK_LENGTH
];
615 *(bitcount
.l
) = context
->bitcount
;
617 /* Final transform: */
618 SHA256_Transform(context
, (sha2_word32
*)context
->buffer
);
620 #if BYTE_ORDER == LITTLE_ENDIAN
622 /* Convert TO host byte order */
624 for (j
= 0; j
< 8; j
++) {
625 REVERSE32(context
->state
[j
],context
->state
[j
]);
626 *d
++ = context
->state
[j
];
630 MEMCPY_BCOPY(d
, context
->state
, SHA256_DIGEST_LENGTH
);
634 /* Clean up state data: */
635 MEMSET_BZERO(context
, sizeof(*context
));
639 char *SHA256_End(SHA256_CTX
* context
, char buffer
[]) {
640 sha2_byte digest
[SHA256_DIGEST_LENGTH
], *d
= digest
;
644 assert(context
!= (SHA256_CTX
*)0);
646 if (buffer
!= (char*)0) {
647 SHA256_Final(digest
, context
);
649 for (i
= 0; i
< SHA256_DIGEST_LENGTH
; i
++) {
650 *buffer
++ = sha2_hex_digits
[(*d
& 0xf0) >> 4];
651 *buffer
++ = sha2_hex_digits
[*d
& 0x0f];
656 MEMSET_BZERO(context
, sizeof(*context
));
658 MEMSET_BZERO(digest
, SHA256_DIGEST_LENGTH
);
662 char* SHA256_Data(const sha2_byte
* data
, size_t len
, char digest
[SHA256_DIGEST_STRING_LENGTH
]) {
665 SHA256_Init(&context
);
666 SHA256_Update(&context
, data
, len
);
667 return SHA256_End(&context
, digest
);
671 /*** SHA-512: *********************************************************/
672 void SHA512_Init(SHA512_CTX
* context
) {
673 if (context
== (SHA512_CTX
*)0) {
676 MEMCPY_BCOPY(context
->state
, sha512_initial_hash_value
, SHA512_DIGEST_LENGTH
);
677 MEMSET_BZERO(context
->buffer
, SHA512_BLOCK_LENGTH
);
678 context
->bitcount
[0] = context
->bitcount
[1] = 0;
681 #ifdef SHA2_UNROLL_TRANSFORM
683 /* Unrolled SHA-512 round macros: */
684 #if BYTE_ORDER == LITTLE_ENDIAN
686 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
687 REVERSE64(*data++, W512[j]); \
688 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
691 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
695 #else /* BYTE_ORDER == LITTLE_ENDIAN */
697 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
698 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
699 K512[j] + (W512[j] = *data++); \
701 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
704 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
706 #define ROUND512(a,b,c,d,e,f,g,h) \
707 s0 = W512[(j+1)&0x0f]; \
708 s0 = sigma0_512(s0); \
709 s1 = W512[(j+14)&0x0f]; \
710 s1 = sigma1_512(s1); \
711 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
712 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
714 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
717 static void SHA512_Transform(SHA512_CTX
* context
, const sha2_word64
* data
) {
718 sha2_word64 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
719 sha2_word64 T1
, *W512
= (sha2_word64
*)context
->buffer
;
722 /* Initialize registers with the prev. intermediate value */
723 a
= context
->state
[0];
724 b
= context
->state
[1];
725 c
= context
->state
[2];
726 d
= context
->state
[3];
727 e
= context
->state
[4];
728 f
= context
->state
[5];
729 g
= context
->state
[6];
730 h
= context
->state
[7];
734 ROUND512_0_TO_15(a
,b
,c
,d
,e
,f
,g
,h
);
735 ROUND512_0_TO_15(h
,a
,b
,c
,d
,e
,f
,g
);
736 ROUND512_0_TO_15(g
,h
,a
,b
,c
,d
,e
,f
);
737 ROUND512_0_TO_15(f
,g
,h
,a
,b
,c
,d
,e
);
738 ROUND512_0_TO_15(e
,f
,g
,h
,a
,b
,c
,d
);
739 ROUND512_0_TO_15(d
,e
,f
,g
,h
,a
,b
,c
);
740 ROUND512_0_TO_15(c
,d
,e
,f
,g
,h
,a
,b
);
741 ROUND512_0_TO_15(b
,c
,d
,e
,f
,g
,h
,a
);
744 /* Now for the remaining rounds up to 79: */
746 ROUND512(a
,b
,c
,d
,e
,f
,g
,h
);
747 ROUND512(h
,a
,b
,c
,d
,e
,f
,g
);
748 ROUND512(g
,h
,a
,b
,c
,d
,e
,f
);
749 ROUND512(f
,g
,h
,a
,b
,c
,d
,e
);
750 ROUND512(e
,f
,g
,h
,a
,b
,c
,d
);
751 ROUND512(d
,e
,f
,g
,h
,a
,b
,c
);
752 ROUND512(c
,d
,e
,f
,g
,h
,a
,b
);
753 ROUND512(b
,c
,d
,e
,f
,g
,h
,a
);
756 /* Compute the current intermediate hash value */
757 context
->state
[0] += a
;
758 context
->state
[1] += b
;
759 context
->state
[2] += c
;
760 context
->state
[3] += d
;
761 context
->state
[4] += e
;
762 context
->state
[5] += f
;
763 context
->state
[6] += g
;
764 context
->state
[7] += h
;
767 a
= b
= c
= d
= e
= f
= g
= h
= T1
= 0;
770 #else /* SHA2_UNROLL_TRANSFORM */
772 static void SHA512_Transform(SHA512_CTX
* context
, const sha2_word64
* data
) {
773 sha2_word64 a
, b
, c
, d
, e
, f
, g
, h
, s0
, s1
;
774 sha2_word64 T1
, T2
, *W512
= (sha2_word64
*)context
->buffer
;
777 /* Initialize registers with the prev. intermediate value */
778 a
= context
->state
[0];
779 b
= context
->state
[1];
780 c
= context
->state
[2];
781 d
= context
->state
[3];
782 e
= context
->state
[4];
783 f
= context
->state
[5];
784 g
= context
->state
[6];
785 h
= context
->state
[7];
789 #if BYTE_ORDER == LITTLE_ENDIAN
790 /* Convert TO host byte order */
791 REVERSE64(*data
++, W512
[j
]);
792 /* Apply the SHA-512 compression function to update a..h */
793 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] + W512
[j
];
794 #else /* BYTE_ORDER == LITTLE_ENDIAN */
795 /* Apply the SHA-512 compression function to update a..h with copy */
796 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] + (W512
[j
] = *data
++);
797 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
798 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
812 /* Part of the message block expansion: */
813 s0
= W512
[(j
+1)&0x0f];
815 s1
= W512
[(j
+14)&0x0f];
818 /* Apply the SHA-512 compression function to update a..h */
819 T1
= h
+ Sigma1_512(e
) + Ch(e
, f
, g
) + K512
[j
] +
820 (W512
[j
&0x0f] += s1
+ W512
[(j
+9)&0x0f] + s0
);
821 T2
= Sigma0_512(a
) + Maj(a
, b
, c
);
834 /* Compute the current intermediate hash value */
835 context
->state
[0] += a
;
836 context
->state
[1] += b
;
837 context
->state
[2] += c
;
838 context
->state
[3] += d
;
839 context
->state
[4] += e
;
840 context
->state
[5] += f
;
841 context
->state
[6] += g
;
842 context
->state
[7] += h
;
845 a
= b
= c
= d
= e
= f
= g
= h
= T1
= T2
= 0;
848 #endif /* SHA2_UNROLL_TRANSFORM */
850 void SHA512_Update(SHA512_CTX
* context
, const sha2_byte
*data
, size_t len
) {
851 unsigned int freespace
, usedspace
;
854 /* Calling with no data is valid - we do nothing */
859 assert(context
!= (SHA512_CTX
*)0 && data
!= (sha2_byte
*)0);
861 usedspace
= (context
->bitcount
[0] >> 3) % SHA512_BLOCK_LENGTH
;
863 /* Calculate how much free space is available in the buffer */
864 freespace
= SHA512_BLOCK_LENGTH
- usedspace
;
866 if (len
>= freespace
) {
867 /* Fill the buffer completely and process it */
868 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, freespace
);
869 ADDINC128(context
->bitcount
, freespace
<< 3);
872 SHA512_Transform(context
, (sha2_word64
*)context
->buffer
);
874 /* The buffer is not yet full */
875 MEMCPY_BCOPY(&context
->buffer
[usedspace
], data
, len
);
876 ADDINC128(context
->bitcount
, len
<< 3);
878 usedspace
= freespace
= 0;
882 while (len
>= SHA512_BLOCK_LENGTH
) {
883 /* Process as many complete blocks as we can */
884 sha2_byte buffer
[SHA512_BLOCK_LENGTH
];
885 MEMCPY_BCOPY(buffer
, data
, SHA512_BLOCK_LENGTH
);
886 SHA512_Transform(context
, (sha2_word64
*)buffer
);
887 ADDINC128(context
->bitcount
, SHA512_BLOCK_LENGTH
<< 3);
888 len
-= SHA512_BLOCK_LENGTH
;
889 data
+= SHA512_BLOCK_LENGTH
;
892 /* There's left-overs, so save 'em */
893 MEMCPY_BCOPY(context
->buffer
, data
, len
);
894 ADDINC128(context
->bitcount
, len
<< 3);
897 usedspace
= freespace
= 0;
900 static void SHA512_Last(SHA512_CTX
* context
) {
901 unsigned int usedspace
;
903 usedspace
= (context
->bitcount
[0] >> 3) % SHA512_BLOCK_LENGTH
;
904 #if BYTE_ORDER == LITTLE_ENDIAN
905 /* Convert FROM host byte order */
906 REVERSE64(context
->bitcount
[0],context
->bitcount
[0]);
907 REVERSE64(context
->bitcount
[1],context
->bitcount
[1]);
910 /* Begin padding with a 1 bit: */
911 context
->buffer
[usedspace
++] = 0x80;
913 if (usedspace
<= SHA512_SHORT_BLOCK_LENGTH
) {
914 /* Set-up for the last transform: */
915 MEMSET_BZERO(&context
->buffer
[usedspace
], SHA512_SHORT_BLOCK_LENGTH
- usedspace
);
917 if (usedspace
< SHA512_BLOCK_LENGTH
) {
918 MEMSET_BZERO(&context
->buffer
[usedspace
], SHA512_BLOCK_LENGTH
- usedspace
);
920 /* Do second-to-last transform: */
921 SHA512_Transform(context
, (sha2_word64
*)context
->buffer
);
923 /* And set-up for the last transform: */
924 MEMSET_BZERO(context
->buffer
, SHA512_BLOCK_LENGTH
- 2);
927 /* Prepare for final transform: */
928 MEMSET_BZERO(context
->buffer
, SHA512_SHORT_BLOCK_LENGTH
);
930 /* Begin padding with a 1 bit: */
931 *context
->buffer
= 0x80;
933 /* Store the length of input data (in bits): */
938 bitcount
.c
= &context
->buffer
[SHA512_SHORT_BLOCK_LENGTH
];
939 bitcount
.l
[0] = context
->bitcount
[1];
940 bitcount
.l
[1] = context
->bitcount
[0];
942 /* Final transform: */
943 SHA512_Transform(context
, (sha2_word64
*)context
->buffer
);
946 void SHA512_Final(sha2_byte digest
[], SHA512_CTX
* context
) {
947 sha2_word64
*d
= (sha2_word64
*)digest
;
950 assert(context
!= (SHA512_CTX
*)0);
952 /* If no digest buffer is passed, we don't bother doing this: */
953 if (digest
!= (sha2_byte
*)0) {
954 SHA512_Last(context
);
956 /* Save the hash data for output: */
957 #if BYTE_ORDER == LITTLE_ENDIAN
959 /* Convert TO host byte order */
961 for (j
= 0; j
< 8; j
++) {
962 REVERSE64(context
->state
[j
],context
->state
[j
]);
963 *d
++ = context
->state
[j
];
967 MEMCPY_BCOPY(d
, context
->state
, SHA512_DIGEST_LENGTH
);
971 /* Zero out state data */
972 MEMSET_BZERO(context
, sizeof(*context
));
975 char *SHA512_End(SHA512_CTX
* context
, char buffer
[]) {
976 sha2_byte digest
[SHA512_DIGEST_LENGTH
], *d
= digest
;
980 assert(context
!= (SHA512_CTX
*)0);
982 if (buffer
!= (char*)0) {
983 SHA512_Final(digest
, context
);
985 for (i
= 0; i
< SHA512_DIGEST_LENGTH
; i
++) {
986 *buffer
++ = sha2_hex_digits
[(*d
& 0xf0) >> 4];
987 *buffer
++ = sha2_hex_digits
[*d
& 0x0f];
992 MEMSET_BZERO(context
, sizeof(*context
));
994 MEMSET_BZERO(digest
, SHA512_DIGEST_LENGTH
);
998 char* SHA512_Data(const sha2_byte
* data
, size_t len
, char digest
[SHA512_DIGEST_STRING_LENGTH
]) {
1001 SHA512_Init(&context
);
1002 SHA512_Update(&context
, data
, len
);
1003 return SHA512_End(&context
, digest
);
1007 /*** SHA-384: *********************************************************/
1008 void SHA384_Init(SHA384_CTX
* context
) {
1009 if (context
== (SHA384_CTX
*)0) {
1012 MEMCPY_BCOPY(context
->state
, sha384_initial_hash_value
, SHA512_DIGEST_LENGTH
);
1013 MEMSET_BZERO(context
->buffer
, SHA384_BLOCK_LENGTH
);
1014 context
->bitcount
[0] = context
->bitcount
[1] = 0;
1017 void SHA384_Update(SHA384_CTX
* context
, const sha2_byte
* data
, size_t len
) {
1018 SHA512_Update((SHA512_CTX
*)context
, data
, len
);
1021 void SHA384_Final(sha2_byte digest
[], SHA384_CTX
* context
) {
1022 sha2_word64
*d
= (sha2_word64
*)digest
;
1025 assert(context
!= (SHA384_CTX
*)0);
1027 /* If no digest buffer is passed, we don't bother doing this: */
1028 if (digest
!= (sha2_byte
*)0) {
1029 SHA512_Last((SHA512_CTX
*)context
);
1031 /* Save the hash data for output: */
1032 #if BYTE_ORDER == LITTLE_ENDIAN
1034 /* Convert TO host byte order */
1036 for (j
= 0; j
< 6; j
++) {
1037 REVERSE64(context
->state
[j
],context
->state
[j
]);
1038 *d
++ = context
->state
[j
];
1042 MEMCPY_BCOPY(d
, context
->state
, SHA384_DIGEST_LENGTH
);
1046 /* Zero out state data */
1047 MEMSET_BZERO(context
, sizeof(*context
));
1050 char *SHA384_End(SHA384_CTX
* context
, char buffer
[]) {
1051 sha2_byte digest
[SHA384_DIGEST_LENGTH
], *d
= digest
;
1055 assert(context
!= (SHA384_CTX
*)0);
1057 if (buffer
!= (char*)0) {
1058 SHA384_Final(digest
, context
);
1060 for (i
= 0; i
< SHA384_DIGEST_LENGTH
; i
++) {
1061 *buffer
++ = sha2_hex_digits
[(*d
& 0xf0) >> 4];
1062 *buffer
++ = sha2_hex_digits
[*d
& 0x0f];
1067 MEMSET_BZERO(context
, sizeof(*context
));
1069 MEMSET_BZERO(digest
, SHA384_DIGEST_LENGTH
);
1073 char* SHA384_Data(const sha2_byte
* data
, size_t len
, char digest
[SHA384_DIGEST_STRING_LENGTH
]) {
1076 SHA384_Init(&context
);
1077 SHA384_Update(&context
, data
, len
);
1078 return SHA384_End(&context
, digest
);