source: trunk/minix/servers/inet/sha2.c@ 11

Last change on this file since 11 was 9, checked in by Mattia Monga, 14 years ago

Minix 3.1.2a

File size: 31.7 KB
Line 
1
2/*
3 * sha2.c
4 *
5 * Version 1.0.0beta1
6 *
7 * Written by Aaron D. Gifford <me@aarongifford.com>
8 *
9 * Copyright 2000 Aaron D. Gifford. All rights reserved.
10 *
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
13 * are met:
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the copyright holder nor the names of contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 *
35 */
36
37
38#include <sys/types.h>
39/* #include <sys/time.h> */
40/* #include <sys/systm.h> */
41/* #include <machine/endian.h> */
42#include "sha2.h"
43
44/*
45 * ASSERT NOTE:
46 * Some sanity checking code is included using assert(). On my FreeBSD
47 * system, this additional code can be removed by compiling with NDEBUG
48 * defined. Check your own systems manpage on assert() to see how to
49 * compile WITHOUT the sanity checking code on your system.
50 *
51 * UNROLLED TRANSFORM LOOP NOTE:
52 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
53 * loop version for the hash transform rounds (defined using macros
54 * later in this file). Either define on the command line, for example:
55 *
56 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
57 *
58 * or define below:
59 *
60 * #define SHA2_UNROLL_TRANSFORM
61 *
62 */
63
64#if defined(__bsdi__) || defined(__FreeBSD__)
65#define assert(x)
66#endif
67
68
69/*** SHA-256/384/512 Machine Architecture Definitions *****************/
70/*
71 * SHA2_BYTE_ORDER NOTE:
72 *
73 * Please make sure that your system defines SHA2_BYTE_ORDER. If your
74 * architecture is little-endian, make sure it also defines
75 * SHA2_LITTLE_ENDIAN and that the two (SHA2_BYTE_ORDER and
76 * SHA2_LITTLE_ENDIAN) are equivilent.
77 *
78 * If your system does not define the above, then you can do so by
79 * hand like this:
80 *
81 * #define SHA2_LITTLE_ENDIAN 1234
82 * #define SHA2_BIG_ENDIAN 4321
83 *
84 * And for little-endian machines, add:
85 *
86 * #define SHA2_BYTE_ORDER SHA2_LITTLE_ENDIAN
87 *
88 * Or for big-endian machines:
89 *
90 * #define SHA2_BYTE_ORDER SHA2_BIG_ENDIAN
91 *
92 * The FreeBSD machine this was written on defines BYTE_ORDER
93 * appropriately by including <sys/types.h> (which in turn includes
94 * <machine/endian.h> where the appropriate definitions are actually
95 * made).
96 */
97#if !defined(SHA2_BYTE_ORDER) || (SHA2_BYTE_ORDER != SHA2_LITTLE_ENDIAN && SHA2_BYTE_ORDER != SHA2_BIG_ENDIAN)
98#error Define SHA2_BYTE_ORDER to be equal to either SHA2_LITTLE_ENDIAN or SHA2_BIG_ENDIAN
99#endif
100
101/*
102 * Define the followingsha2_* types to types of the correct length on
103 * the native archtecture. Most BSD systems and Linux define u_intXX_t
104 * types. Machines with very recent ANSI C headers, can use the
105 * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
106 * during compile or in the sha.h header file.
107 *
108 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
109 * will need to define these three typedefs below (and the appropriate
110 * ones in sha.h too) by hand according to their system architecture.
111 *
112 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
113 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
114 */
115#if 0 /*def SHA2_USE_INTTYPES_H*/
116
117typedef uint8_t sha2_byte; /* Exactly 1 byte */
118typedef uint32_t sha2_word32; /* Exactly 4 bytes */
119typedef uint64_t sha2_word64; /* Exactly 8 bytes */
120
121#else /* SHA2_USE_INTTYPES_H */
122
123typedef u_int8_t sha2_byte; /* Exactly 1 byte */
124typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
125typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
126
127#endif /* SHA2_USE_INTTYPES_H */
128
129
130/*** SHA-256/384/512 Various Length Definitions ***********************/
131/* NOTE: Most of these are in sha2.h */
132#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
133#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
134#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
135
136
137/*** ENDIAN REVERSAL MACROS *******************************************/
138#if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
139#define REVERSE32(w,x) { \
140 sha2_word32 tmp = (w); \
141 tmp = (tmp >> 16) | (tmp << 16); \
142 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
143}
144#define REVERSE64(w,x) { \
145 sha2_word64 tmp = (w); \
146 tmp = (tmp >> 32) | (tmp << 32); \
147 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
148 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
149 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
150 ((tmp & 0x0000ffff0000ffffULL) << 16); \
151}
152#if MINIX_64BIT
153#undef REVERSE64
154#define REVERSE64(w,x) { \
155 u32_t hi, lo; \
156 REVERSE32(ex64hi((w)), lo); \
157 REVERSE32(ex64lo((w)), hi); \
158 (x) = make64(lo, hi); \
159}
160#endif /* MINIX_64BIT */
161#endif /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
162
163/*
164 * Macro for incrementally adding the unsigned 64-bit integer n to the
165 * unsigned 128-bit integer (represented using a two-element array of
166 * 64-bit words):
167 */
168#define ADDINC128(w,n) { \
169 (w)[0] += (sha2_word64)(n); \
170 if ((w)[0] < (n)) { \
171 (w)[1]++; \
172 } \
173}
174
175/*** THE SIX LOGICAL FUNCTIONS ****************************************/
176/*
177 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
178 *
179 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
180 * S is a ROTATION) because the SHA-256/384/512 description document
181 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
182 * same "backwards" definition.
183 */
184/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
185#define R(b,x) ((x) >> (b))
186/* 32-bit Rotate-right (used in SHA-256): */
187#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
188/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
189#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
190
191/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
192#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
193#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
194
195/* Four of six logical functions used in SHA-256: */
196#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
197#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
198#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
199#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
200
201/* Four of six logical functions used in SHA-384 and SHA-512: */
202#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
203#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
204#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
205#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
206
207/*** INTERNAL FUNCTION PROTOTYPES *************************************/
208/* NOTE: These should not be accessed directly from outside this
209 * library -- they are intended for private internal visibility/use
210 * only.
211 */
212void SHA512_Last(SHA512_CTX*);
213void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
214void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
215
216
217/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
218/* Hash constant words K for SHA-256: */
219const static sha2_word32 K256[64] = {
220 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
221 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
222 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
223 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
224 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
225 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
226 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
227 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
228 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
229 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
230 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
231 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
232 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
233 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
234 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
235 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
236};
237
238/* Initial hash value H for SHA-256: */
239const static sha2_word32 sha256_initial_hash_value[8] = {
240 0x6a09e667UL,
241 0xbb67ae85UL,
242 0x3c6ef372UL,
243 0xa54ff53aUL,
244 0x510e527fUL,
245 0x9b05688cUL,
246 0x1f83d9abUL,
247 0x5be0cd19UL
248};
249
250#if !NO_64BIT
251/* Hash constant words K for SHA-384 and SHA-512: */
252const static sha2_word64 K512[80] = {
253 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
254 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
255 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
256 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
257 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
258 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
259 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
260 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
261 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
262 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
263 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
264 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
265 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
266 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
267 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
268 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
269 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
270 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
271 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
272 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
273 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
274 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
275 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
276 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
277 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
278 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
279 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
280 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
281 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
282 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
283 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
284 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
285 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
286 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
287 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
288 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
289 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
290 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
291 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
292 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
293};
294
295/* Initial hash value H for SHA-384 */
296const static sha2_word64 sha384_initial_hash_value[8] = {
297 0xcbbb9d5dc1059ed8ULL,
298 0x629a292a367cd507ULL,
299 0x9159015a3070dd17ULL,
300 0x152fecd8f70e5939ULL,
301 0x67332667ffc00b31ULL,
302 0x8eb44a8768581511ULL,
303 0xdb0c2e0d64f98fa7ULL,
304 0x47b5481dbefa4fa4ULL
305};
306
307/* Initial hash value H for SHA-512 */
308const static sha2_word64 sha512_initial_hash_value[8] = {
309 0x6a09e667f3bcc908ULL,
310 0xbb67ae8584caa73bULL,
311 0x3c6ef372fe94f82bULL,
312 0xa54ff53a5f1d36f1ULL,
313 0x510e527fade682d1ULL,
314 0x9b05688c2b3e6c1fULL,
315 0x1f83d9abfb41bd6bULL,
316 0x5be0cd19137e2179ULL
317};
318#endif /* !NO_64BIT */
319
320/*
321 * Constant used by SHA256/384/512_End() functions for converting the
322 * digest to a readable hexadecimal character string:
323 */
324static const char *sha2_hex_digits = "0123456789abcdef";
325
326
327/*** SHA-256: *********************************************************/
328void SHA256_Init(SHA256_CTX* context) {
329 if (context == (SHA256_CTX*)0) {
330 return;
331 }
332 bcopy(sha256_initial_hash_value, context->state, SHA256_DIGEST_LENGTH);
333 bzero(context->buffer, SHA256_BLOCK_LENGTH);
334#if MINIX_64BIT
335 context->bitcount= cvu64(0);
336#else /* !MINIX_64BIT */
337 context->bitcount = 0;
338#endif /* MINIX_64BIT */
339}
340
341#ifdef SHA2_UNROLL_TRANSFORM
342
343/* Unrolled SHA-256 round macros: */
344
345#if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
346
347#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
348 REVERSE32(*data++, W256[j]); \
349 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
350 K256[j] + W256[j]; \
351 (d) += T1; \
352 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
353 j++
354
355
356#else /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
357
358#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
359 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
360 K256[j] + (W256[j] = *data++); \
361 (d) += T1; \
362 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
363 j++
364
365#endif /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
366
367#define ROUND256(a,b,c,d,e,f,g,h) \
368 s0 = W256[(j+1)&0x0f]; \
369 s0 = sigma0_256(s0); \
370 s1 = W256[(j+14)&0x0f]; \
371 s1 = sigma1_256(s1); \
372 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
373 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
374 (d) += T1; \
375 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
376 j++
377
378void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
379 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
380 sha2_word32 T1, *W256;
381 int j;
382
383 W256 = (sha2_word32*)context->buffer;
384
385 /* Initialize registers with the prev. intermediate value */
386 a = context->state[0];
387 b = context->state[1];
388 c = context->state[2];
389 d = context->state[3];
390 e = context->state[4];
391 f = context->state[5];
392 g = context->state[6];
393 h = context->state[7];
394
395 j = 0;
396 do {
397 /* Rounds 0 to 15 (unrolled): */
398 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
399 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
400 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
401 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
402 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
403 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
404 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
405 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
406 } while (j < 16);
407
408 /* Now for the remaining rounds to 64: */
409 do {
410 ROUND256(a,b,c,d,e,f,g,h);
411 ROUND256(h,a,b,c,d,e,f,g);
412 ROUND256(g,h,a,b,c,d,e,f);
413 ROUND256(f,g,h,a,b,c,d,e);
414 ROUND256(e,f,g,h,a,b,c,d);
415 ROUND256(d,e,f,g,h,a,b,c);
416 ROUND256(c,d,e,f,g,h,a,b);
417 ROUND256(b,c,d,e,f,g,h,a);
418 } while (j < 64);
419
420 /* Compute the current intermediate hash value */
421 context->state[0] += a;
422 context->state[1] += b;
423 context->state[2] += c;
424 context->state[3] += d;
425 context->state[4] += e;
426 context->state[5] += f;
427 context->state[6] += g;
428 context->state[7] += h;
429
430 /* Clean up */
431 a = b = c = d = e = f = g = h = T1 = 0;
432}
433
434#else /* SHA2_UNROLL_TRANSFORM */
435
436void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
437 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
438 sha2_word32 T1, T2, *W256;
439 int j;
440
441 W256 = (sha2_word32*)context->buffer;
442
443 /* Initialize registers with the prev. intermediate value */
444 a = context->state[0];
445 b = context->state[1];
446 c = context->state[2];
447 d = context->state[3];
448 e = context->state[4];
449 f = context->state[5];
450 g = context->state[6];
451 h = context->state[7];
452
453 j = 0;
454 do {
455#if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
456 /* Copy data while converting to host byte order */
457 REVERSE32(*data++,W256[j]);
458 /* Apply the SHA-256 compression function to update a..h */
459 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
460#else /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
461 /* Apply the SHA-256 compression function to update a..h with copy */
462 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
463#endif /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
464 T2 = Sigma0_256(a) + Maj(a, b, c);
465 h = g;
466 g = f;
467 f = e;
468 e = d + T1;
469 d = c;
470 c = b;
471 b = a;
472 a = T1 + T2;
473
474 j++;
475 } while (j < 16);
476
477 do {
478 /* Part of the message block expansion: */
479 s0 = W256[(j+1)&0x0f];
480 s0 = sigma0_256(s0);
481 s1 = W256[(j+14)&0x0f];
482 s1 = sigma1_256(s1);
483
484 /* Apply the SHA-256 compression function to update a..h */
485 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
486 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
487 T2 = Sigma0_256(a) + Maj(a, b, c);
488 h = g;
489 g = f;
490 f = e;
491 e = d + T1;
492 d = c;
493 c = b;
494 b = a;
495 a = T1 + T2;
496
497 j++;
498 } while (j < 64);
499
500 /* Compute the current intermediate hash value */
501 context->state[0] += a;
502 context->state[1] += b;
503 context->state[2] += c;
504 context->state[3] += d;
505 context->state[4] += e;
506 context->state[5] += f;
507 context->state[6] += g;
508 context->state[7] += h;
509
510 /* Clean up */
511 a = b = c = d = e = f = g = h = T1 = T2 = 0;
512}
513
514#endif /* SHA2_UNROLL_TRANSFORM */
515
516void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
517 unsigned int freespace, usedspace;
518
519 if (len == 0) {
520 /* Calling with no data is valid - we do nothing */
521 return;
522 }
523
524 /* Sanity check: */
525 assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
526
527#if MINIX_64BIT
528 usedspace= rem64u(context->bitcount, SHA256_BLOCK_LENGTH*8)/8;
529#else /* !MINIX_64BIT */
530 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
531#endif /* MINIX_64BIT */
532 if (usedspace > 0) {
533 /* Calculate how much free space is available in the buffer */
534 freespace = SHA256_BLOCK_LENGTH - usedspace;
535
536 if (len >= freespace) {
537 /* Fill the buffer completely and process it */
538 bcopy(data, &context->buffer[usedspace], freespace);
539#if MINIX_64BIT
540 context->bitcount= add64u(context->bitcount,
541 freespace << 3);
542#else /* !MINIX_64BIT */
543 context->bitcount += freespace << 3;
544#endif /* MINIX_64BIT */
545 len -= freespace;
546 data += freespace;
547 SHA256_Transform(context, (sha2_word32*)context->buffer);
548 } else {
549 /* The buffer is not yet full */
550 bcopy(data, &context->buffer[usedspace], len);
551#if MINIX_64BIT
552 context->bitcount= add64u(context->bitcount, len << 3);
553#else /* !MINIX_64BIT */
554 context->bitcount += len << 3;
555#endif /* MINIX_64BIT */
556 /* Clean up: */
557 usedspace = freespace = 0;
558 return;
559 }
560 }
561 while (len >= SHA256_BLOCK_LENGTH) {
562 /* Process as many complete blocks as we can */
563 SHA256_Transform(context, (const sha2_word32*)data);
564#if MINIX_64BIT
565 context->bitcount= add64u(context->bitcount,
566 SHA256_BLOCK_LENGTH << 3);
567#else /* !MINIX_64BIT */
568 context->bitcount += SHA256_BLOCK_LENGTH << 3;
569#endif /* MINIX_64BIT */
570 len -= SHA256_BLOCK_LENGTH;
571 data += SHA256_BLOCK_LENGTH;
572 }
573 if (len > 0) {
574 /* There's left-overs, so save 'em */
575 bcopy(data, context->buffer, len);
576#if MINIX_64BIT
577 context->bitcount= add64u(context->bitcount, len << 3);
578#else /* !MINIX_64BIT */
579 context->bitcount += len << 3;
580#endif /* MINIX_64BIT */
581 }
582 /* Clean up: */
583 usedspace = freespace = 0;
584}
585
586void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
587 sha2_word32 *d = (sha2_word32*)digest;
588 unsigned int usedspace;
589
590 /* Sanity check: */
591 assert(context != (SHA256_CTX*)0);
592
593 /* If no digest buffer is passed, we don't bother doing this: */
594 if (digest != (sha2_byte*)0) {
595#if MINIX_64BIT
596 usedspace= rem64u(context->bitcount, SHA256_BLOCK_LENGTH*8)/8;
597#else /* !MINIX_64BIT */
598 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
599#endif /* MINIX_64BIT */
600#if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
601 /* Convert FROM host byte order */
602 REVERSE64(context->bitcount,context->bitcount);
603#endif
604 if (usedspace > 0) {
605 /* Begin padding with a 1 bit: */
606 context->buffer[usedspace++] = 0x80;
607
608 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
609 /* Set-up for the last transform: */
610 bzero(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
611 } else {
612 if (usedspace < SHA256_BLOCK_LENGTH) {
613 bzero(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
614 }
615 /* Do second-to-last transform: */
616 SHA256_Transform(context, (sha2_word32*)context->buffer);
617
618 /* And set-up for the last transform: */
619 bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
620 }
621 } else {
622 /* Set-up for the last transform: */
623 bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
624
625 /* Begin padding with a 1 bit: */
626 *context->buffer = 0x80;
627 }
628 /* Set the bit count: */
629 *(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
630
631 /* Final transform: */
632 SHA256_Transform(context, (sha2_word32*)context->buffer);
633
634#if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
635 {
636 /* Convert TO host byte order */
637 int j;
638 for (j = 0; j < 8; j++) {
639 REVERSE32(context->state[j],context->state[j]);
640 *d++ = context->state[j];
641 }
642 }
643#else
644 bcopy(context->state, d, SHA256_DIGEST_LENGTH);
645#endif
646 }
647
648 /* Clean up state data: */
649 bzero(context, sizeof(context));
650 usedspace = 0;
651}
652
653char *SHA256_End(SHA256_CTX* context, char buffer[]) {
654 sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
655 int i;
656
657 /* Sanity check: */
658 assert(context != (SHA256_CTX*)0);
659
660 if (buffer != (char*)0) {
661 SHA256_Final(digest, context);
662
663 for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
664 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
665 *buffer++ = sha2_hex_digits[*d & 0x0f];
666 d++;
667 }
668 *buffer = (char)0;
669 } else {
670 bzero(context, sizeof(context));
671 }
672 bzero(digest, SHA256_DIGEST_LENGTH);
673 return buffer;
674}
675
676char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
677 SHA256_CTX context;
678
679 SHA256_Init(&context);
680 SHA256_Update(&context, data, len);
681 return SHA256_End(&context, digest);
682}
683
684#if !NO_64BIT
685
686/*** SHA-512: *********************************************************/
687void SHA512_Init(SHA512_CTX* context) {
688 if (context == (SHA512_CTX*)0) {
689 return;
690 }
691 bcopy(sha512_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
692 bzero(context->buffer, SHA512_BLOCK_LENGTH);
693 context->bitcount[0] = context->bitcount[1] = 0;
694}
695
696#ifdef SHA2_UNROLL_TRANSFORM
697
698/* Unrolled SHA-512 round macros: */
699#if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
700
701#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
702 REVERSE64(*data++, W512[j]); \
703 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
704 K512[j] + W512[j]; \
705 (d) += T1, \
706 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
707 j++
708
709
710#else /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
711
712#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
713 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
714 K512[j] + (W512[j] = *data++); \
715 (d) += T1; \
716 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
717 j++
718
719#endif /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
720
721#define ROUND512(a,b,c,d,e,f,g,h) \
722 s0 = W512[(j+1)&0x0f]; \
723 s0 = sigma0_512(s0); \
724 s1 = W512[(j+14)&0x0f]; \
725 s1 = sigma1_512(s1); \
726 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
727 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
728 (d) += T1; \
729 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
730 j++
731
732void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
733 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
734 sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
735 int j;
736
737 /* Initialize registers with the prev. intermediate value */
738 a = context->state[0];
739 b = context->state[1];
740 c = context->state[2];
741 d = context->state[3];
742 e = context->state[4];
743 f = context->state[5];
744 g = context->state[6];
745 h = context->state[7];
746
747 j = 0;
748 do {
749 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
750 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
751 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
752 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
753 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
754 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
755 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
756 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
757 } while (j < 16);
758
759 /* Now for the remaining rounds up to 79: */
760 do {
761 ROUND512(a,b,c,d,e,f,g,h);
762 ROUND512(h,a,b,c,d,e,f,g);
763 ROUND512(g,h,a,b,c,d,e,f);
764 ROUND512(f,g,h,a,b,c,d,e);
765 ROUND512(e,f,g,h,a,b,c,d);
766 ROUND512(d,e,f,g,h,a,b,c);
767 ROUND512(c,d,e,f,g,h,a,b);
768 ROUND512(b,c,d,e,f,g,h,a);
769 } while (j < 80);
770
771 /* Compute the current intermediate hash value */
772 context->state[0] += a;
773 context->state[1] += b;
774 context->state[2] += c;
775 context->state[3] += d;
776 context->state[4] += e;
777 context->state[5] += f;
778 context->state[6] += g;
779 context->state[7] += h;
780
781 /* Clean up */
782 a = b = c = d = e = f = g = h = T1 = 0;
783}
784
785#else /* SHA2_UNROLL_TRANSFORM */
786
787void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
788 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
789 sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
790 int j;
791
792 /* Initialize registers with the prev. intermediate value */
793 a = context->state[0];
794 b = context->state[1];
795 c = context->state[2];
796 d = context->state[3];
797 e = context->state[4];
798 f = context->state[5];
799 g = context->state[6];
800 h = context->state[7];
801
802 j = 0;
803 do {
804#if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
805 /* Convert TO host byte order */
806 REVERSE64(*data++, W512[j]);
807 /* Apply the SHA-512 compression function to update a..h */
808 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
809#else /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
810 /* Apply the SHA-512 compression function to update a..h with copy */
811 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
812#endif /* SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN */
813 T2 = Sigma0_512(a) + Maj(a, b, c);
814 h = g;
815 g = f;
816 f = e;
817 e = d + T1;
818 d = c;
819 c = b;
820 b = a;
821 a = T1 + T2;
822
823 j++;
824 } while (j < 16);
825
826 do {
827 /* Part of the message block expansion: */
828 s0 = W512[(j+1)&0x0f];
829 s0 = sigma0_512(s0);
830 s1 = W512[(j+14)&0x0f];
831 s1 = sigma1_512(s1);
832
833 /* Apply the SHA-512 compression function to update a..h */
834 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
835 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
836 T2 = Sigma0_512(a) + Maj(a, b, c);
837 h = g;
838 g = f;
839 f = e;
840 e = d + T1;
841 d = c;
842 c = b;
843 b = a;
844 a = T1 + T2;
845
846 j++;
847 } while (j < 80);
848
849 /* Compute the current intermediate hash value */
850 context->state[0] += a;
851 context->state[1] += b;
852 context->state[2] += c;
853 context->state[3] += d;
854 context->state[4] += e;
855 context->state[5] += f;
856 context->state[6] += g;
857 context->state[7] += h;
858
859 /* Clean up */
860 a = b = c = d = e = f = g = h = T1 = T2 = 0;
861}
862
863#endif /* SHA2_UNROLL_TRANSFORM */
864
865void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
866 unsigned int freespace, usedspace;
867
868 if (len == 0) {
869 /* Calling with no data is valid - we do nothing */
870 return;
871 }
872
873 /* Sanity check: */
874 assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);
875
876 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
877 if (usedspace > 0) {
878 /* Calculate how much free space is available in the buffer */
879 freespace = SHA512_BLOCK_LENGTH - usedspace;
880
881 if (len >= freespace) {
882 /* Fill the buffer completely and process it */
883 bcopy(data, &context->buffer[usedspace], freespace);
884 ADDINC128(context->bitcount, freespace << 3);
885 len -= freespace;
886 data += freespace;
887 SHA512_Transform(context, (sha2_word64*)context->buffer);
888 } else {
889 /* The buffer is not yet full */
890 bcopy(data, &context->buffer[usedspace], len);
891 ADDINC128(context->bitcount, len << 3);
892 /* Clean up: */
893 usedspace = freespace = 0;
894 return;
895 }
896 }
897 while (len >= SHA512_BLOCK_LENGTH) {
898 /* Process as many complete blocks as we can */
899 SHA512_Transform(context, (const sha2_word64*)data);
900 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
901 len -= SHA512_BLOCK_LENGTH;
902 data += SHA512_BLOCK_LENGTH;
903 }
904 if (len > 0) {
905 /* There's left-overs, so save 'em */
906 bcopy(data, context->buffer, len);
907 ADDINC128(context->bitcount, len << 3);
908 }
909 /* Clean up: */
910 usedspace = freespace = 0;
911}
912
913void SHA512_Last(SHA512_CTX* context) {
914 unsigned int usedspace;
915
916 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
917#if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
918 /* Convert FROM host byte order */
919 REVERSE64(context->bitcount[0],context->bitcount[0]);
920 REVERSE64(context->bitcount[1],context->bitcount[1]);
921#endif
922 if (usedspace > 0) {
923 /* Begin padding with a 1 bit: */
924 context->buffer[usedspace++] = 0x80;
925
926 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
927 /* Set-up for the last transform: */
928 bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
929 } else {
930 if (usedspace < SHA512_BLOCK_LENGTH) {
931 bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
932 }
933 /* Do second-to-last transform: */
934 SHA512_Transform(context, (sha2_word64*)context->buffer);
935
936 /* And set-up for the last transform: */
937 bzero(context->buffer, SHA512_BLOCK_LENGTH - 2);
938 }
939 } else {
940 /* Prepare for final transform: */
941 bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
942
943 /* Begin padding with a 1 bit: */
944 *context->buffer = 0x80;
945 }
946 /* Store the length of input data (in bits): */
947 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
948 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
949
950 /* Final transform: */
951 SHA512_Transform(context, (sha2_word64*)context->buffer);
952}
953
954void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
955 sha2_word64 *d = (sha2_word64*)digest;
956
957 /* Sanity check: */
958 assert(context != (SHA512_CTX*)0);
959
960 /* If no digest buffer is passed, we don't bother doing this: */
961 if (digest != (sha2_byte*)0) {
962 SHA512_Last(context);
963
964 /* Save the hash data for output: */
965#if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
966 {
967 /* Convert TO host byte order */
968 int j;
969 for (j = 0; j < 8; j++) {
970 REVERSE64(context->state[j],context->state[j]);
971 *d++ = context->state[j];
972 }
973 }
974#else
975 bcopy(context->state, d, SHA512_DIGEST_LENGTH);
976#endif
977 }
978
979 /* Zero out state data */
980 bzero(context, sizeof(context));
981}
982
983char *SHA512_End(SHA512_CTX* context, char buffer[]) {
984 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
985 int i;
986
987 /* Sanity check: */
988 assert(context != (SHA512_CTX*)0);
989
990 if (buffer != (char*)0) {
991 SHA512_Final(digest, context);
992
993 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
994 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
995 *buffer++ = sha2_hex_digits[*d & 0x0f];
996 d++;
997 }
998 *buffer = (char)0;
999 } else {
1000 bzero(context, sizeof(context));
1001 }
1002 bzero(digest, SHA512_DIGEST_LENGTH);
1003 return buffer;
1004}
1005
1006char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
1007 SHA512_CTX context;
1008
1009 SHA512_Init(&context);
1010 SHA512_Update(&context, data, len);
1011 return SHA512_End(&context, digest);
1012}
1013
1014
1015/*** SHA-384: *********************************************************/
1016void SHA384_Init(SHA384_CTX* context) {
1017 if (context == (SHA384_CTX*)0) {
1018 return;
1019 }
1020 bcopy(sha384_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
1021 bzero(context->buffer, SHA384_BLOCK_LENGTH);
1022 context->bitcount[0] = context->bitcount[1] = 0;
1023}
1024
1025void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
1026 SHA512_Update((SHA512_CTX*)context, data, len);
1027}
1028
1029void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
1030 sha2_word64 *d = (sha2_word64*)digest;
1031
1032 /* Sanity check: */
1033 assert(context != (SHA384_CTX*)0);
1034
1035 /* If no digest buffer is passed, we don't bother doing this: */
1036 if (digest != (sha2_byte*)0) {
1037 SHA512_Last((SHA512_CTX*)context);
1038
1039 /* Save the hash data for output: */
1040#if SHA2_BYTE_ORDER == SHA2_LITTLE_ENDIAN
1041 {
1042 /* Convert TO host byte order */
1043 int j;
1044 for (j = 0; j < 6; j++) {
1045 REVERSE64(context->state[j],context->state[j]);
1046 *d++ = context->state[j];
1047 }
1048 }
1049#else
1050 bcopy(context->state, d, SHA384_DIGEST_LENGTH);
1051#endif
1052 }
1053
1054 /* Zero out state data */
1055 bzero(context, sizeof(context));
1056}
1057
1058char *SHA384_End(SHA384_CTX* context, char buffer[]) {
1059 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
1060 int i;
1061
1062 /* Sanity check: */
1063 assert(context != (SHA384_CTX*)0);
1064
1065 if (buffer != (char*)0) {
1066 SHA384_Final(digest, context);
1067
1068 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
1069 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
1070 *buffer++ = sha2_hex_digits[*d & 0x0f];
1071 d++;
1072 }
1073 *buffer = (char)0;
1074 } else {
1075 bzero(context, sizeof(context));
1076 }
1077 bzero(digest, SHA384_DIGEST_LENGTH);
1078 return buffer;
1079}
1080
1081char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
1082 SHA384_CTX context;
1083
1084 SHA384_Init(&context);
1085 SHA384_Update(&context, data, len);
1086 return SHA384_End(&context, digest);
1087}
1088
1089#endif /* !NO_64BIT */
1090
1091/*
1092 * $PchId: sha2.c,v 1.1 2005/06/28 14:29:23 philip Exp $
1093 */
Note: See TracBrowser for help on using the repository browser.