HCoop / ntk / apt.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge remote-tracking branch 'upstream/debian/sid' into debian/sid
[ntk/apt.git] / apt-pkg / contrib / sha2_internal.cc
CommitLineData
84a0890e
MV		 1/*
2 * FILE: sha2.c
3 * AUTHOR: Aaron D. Gifford - http://www.aarongifford.com/
4 *
5 * Copyright (c) 2000-2001, Aaron D. Gifford
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the copyright holder nor the names of contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTOR(S) ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTOR(S) BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 *
32 * $Id: sha2.c,v 1.1 2001/11/08 00:01:51 adg Exp adg $
33 */
ea542140 34#include <config.h>
84a0890e 35
453b82a3 36#include <endian.h>
84a0890e
MV		 37#include <string.h> /* memcpy()/memset() or bcopy()/bzero() */
38#include <assert.h> /* assert() */
39#include "sha2_internal.h"
40
41/*
42 * ASSERT NOTE:
43 * Some sanity checking code is included using assert(). On my FreeBSD
44 * system, this additional code can be removed by compiling with NDEBUG
45 * defined. Check your own systems manpage on assert() to see how to
46 * compile WITHOUT the sanity checking code on your system.
47 *
48 * UNROLLED TRANSFORM LOOP NOTE:
49 * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
50 * loop version for the hash transform rounds (defined using macros
51 * later in this file). Either define on the command line, for example:
52 *
53 * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
54 *
55 * or define below:
56 *
57 * #define SHA2_UNROLL_TRANSFORM
58 *
59 */
60
61
62/*** SHA-256/384/512 Machine Architecture Definitions *****************/
63/*
64 * BYTE_ORDER NOTE:
65 *
66 * Please make sure that your system defines BYTE_ORDER. If your
67 * architecture is little-endian, make sure it also defines
68 * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
1e3f4083 69 * equivalent.
84a0890e
MV		 70 *
71 * If your system does not define the above, then you can do so by
72 * hand like this:
73 *
74 * #define LITTLE_ENDIAN 1234
75 * #define BIG_ENDIAN 4321
76 *
77 * And for little-endian machines, add:
78 *
79 * #define BYTE_ORDER LITTLE_ENDIAN
80 *
81 * Or for big-endian machines:
82 *
83 * #define BYTE_ORDER BIG_ENDIAN
84 *
85 * The FreeBSD machine this was written on defines BYTE_ORDER
86 * appropriately by including <sys/types.h> (which in turn includes
87 * <machine/endian.h> where the appropriate definitions are actually
88 * made).
89 */
90#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
91#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
92#endif
93
94/*
95 * Define the followingsha2_* types to types of the correct length on
96 * the native archtecture. Most BSD systems and Linux define u_intXX_t
97 * types. Machines with very recent ANSI C headers, can use the
98 * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
99 * during compile or in the sha.h header file.
100 *
101 * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
102 * will need to define these three typedefs below (and the appropriate
103 * ones in sha.h too) by hand according to their system architecture.
104 *
105 * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
106 * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
107 */
108#ifdef SHA2_USE_INTTYPES_H
109
110typedef uint8_t sha2_byte; /* Exactly 1 byte */
111typedef uint32_t sha2_word32; /* Exactly 4 bytes */
112typedef uint64_t sha2_word64; /* Exactly 8 bytes */
113
114#else /* SHA2_USE_INTTYPES_H */
115
116typedef u_int8_t sha2_byte; /* Exactly 1 byte */
117typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
118typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
119
120#endif /* SHA2_USE_INTTYPES_H */
121
122
123/*** SHA-256/384/512 Various Length Definitions ***********************/
124/* NOTE: Most of these are in sha2.h */
125#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
126#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
127#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
128
129
130/*** ENDIAN REVERSAL MACROS *******************************************/
131#if BYTE_ORDER == LITTLE_ENDIAN
132#define REVERSE32(w,x) { \
133 sha2_word32 tmp = (w); \
134 tmp = (tmp >> 16) | (tmp << 16); \
135 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
136}
137#define REVERSE64(w,x) { \
138 sha2_word64 tmp = (w); \
139 tmp = (tmp >> 32) | (tmp << 32); \
140 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
141 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
142 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
143 ((tmp & 0x0000ffff0000ffffULL) << 16); \
144}
145#endif /* BYTE_ORDER == LITTLE_ENDIAN */
146
147/*
148 * Macro for incrementally adding the unsigned 64-bit integer n to the
149 * unsigned 128-bit integer (represented using a two-element array of
150 * 64-bit words):
151 */
152#define ADDINC128(w,n) { \
153 (w)[0] += (sha2_word64)(n); \
154 if ((w)[0] < (n)) { \
155 (w)[1]++; \
156 } \
157}
158
159/*
160 * Macros for copying blocks of memory and for zeroing out ranges
161 * of memory. Using these macros makes it easy to switch from
162 * using memset()/memcpy() and using bzero()/bcopy().
163 *
164 * Please define either SHA2_USE_MEMSET_MEMCPY or define
165 * SHA2_USE_BZERO_BCOPY depending on which function set you
166 * choose to use:
167 */
168#if !defined(SHA2_USE_MEMSET_MEMCPY) && !defined(SHA2_USE_BZERO_BCOPY)
169/* Default to memset()/memcpy() if no option is specified */
170#define SHA2_USE_MEMSET_MEMCPY 1
171#endif
172#if defined(SHA2_USE_MEMSET_MEMCPY) && defined(SHA2_USE_BZERO_BCOPY)
173/* Abort with an error if BOTH options are defined */
174#error Define either SHA2_USE_MEMSET_MEMCPY or SHA2_USE_BZERO_BCOPY, not both!
175#endif
176
177#ifdef SHA2_USE_MEMSET_MEMCPY
178#define MEMSET_BZERO(p,l) memset((p), 0, (l))
179#define MEMCPY_BCOPY(d,s,l) memcpy((d), (s), (l))
180#endif
181#ifdef SHA2_USE_BZERO_BCOPY
182#define MEMSET_BZERO(p,l) bzero((p), (l))
183#define MEMCPY_BCOPY(d,s,l) bcopy((s), (d), (l))
184#endif
185
186
187/*** THE SIX LOGICAL FUNCTIONS ****************************************/
188/*
189 * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
190 *
191 * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
192 * S is a ROTATION) because the SHA-256/384/512 description document
193 * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
194 * same "backwards" definition.
195 */
196/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
197#define R(b,x) ((x) >> (b))
198/* 32-bit Rotate-right (used in SHA-256): */
199#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
200/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
201#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
202
203/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
204#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
205#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
206
207/* Four of six logical functions used in SHA-256: */
208#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
209#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
210#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
211#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
212
213/* Four of six logical functions used in SHA-384 and SHA-512: */
214#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
215#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
216#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
217#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
218
219/*** INTERNAL FUNCTION PROTOTYPES *************************************/
220/* NOTE: These should not be accessed directly from outside this
221 * library -- they are intended for private internal visibility/use
222 * only.
223 */
ef25649c
ME		 224static void SHA512_Last(SHA512_CTX*);
225static void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
226static void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
84a0890e
MV		 227
228
229/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
230/* Hash constant words K for SHA-256: */
231const static sha2_word32 K256[64] = {
232 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
233 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
234 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
235 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
236 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
237 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
238 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
239 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
240 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
241 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
242 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
243 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
244 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
245 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
246 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
247 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
248};
249
250/* Initial hash value H for SHA-256: */
251const static sha2_word32 sha256_initial_hash_value[8] = {
252 0x6a09e667UL,
253 0xbb67ae85UL,
254 0x3c6ef372UL,
255 0xa54ff53aUL,
256 0x510e527fUL,
257 0x9b05688cUL,
258 0x1f83d9abUL,
259 0x5be0cd19UL
260};
261
262/* Hash constant words K for SHA-384 and SHA-512: */
263const static sha2_word64 K512[80] = {
264 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
265 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
266 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
267 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
268 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
269 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
270 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
271 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
272 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
273 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
274 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
275 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
276 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
277 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
278 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
279 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
280 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
281 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
282 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
283 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
284 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
285 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
286 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
287 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
288 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
289 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
290 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
291 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
292 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
293 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
294 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
295 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
296 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
297 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
298 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
299 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
300 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
301 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
302 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
303 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
304};
305
306/* Initial hash value H for SHA-384 */
307const static sha2_word64 sha384_initial_hash_value[8] = {
308 0xcbbb9d5dc1059ed8ULL,
309 0x629a292a367cd507ULL,
310 0x9159015a3070dd17ULL,
311 0x152fecd8f70e5939ULL,
312 0x67332667ffc00b31ULL,
313 0x8eb44a8768581511ULL,
314 0xdb0c2e0d64f98fa7ULL,
315 0x47b5481dbefa4fa4ULL
316};
317
318/* Initial hash value H for SHA-512 */
319const static sha2_word64 sha512_initial_hash_value[8] = {
320 0x6a09e667f3bcc908ULL,
321 0xbb67ae8584caa73bULL,
322 0x3c6ef372fe94f82bULL,
323 0xa54ff53a5f1d36f1ULL,
324 0x510e527fade682d1ULL,
325 0x9b05688c2b3e6c1fULL,
326 0x1f83d9abfb41bd6bULL,
327 0x5be0cd19137e2179ULL
328};
329
330/*
331 * Constant used by SHA256/384/512_End() functions for converting the
332 * digest to a readable hexadecimal character string:
333 */
334static const char *sha2_hex_digits = "0123456789abcdef";
335
336
337/*** SHA-256: *********************************************************/
338void SHA256_Init(SHA256_CTX* context) {
339 if (context == (SHA256_CTX*)0) {
340 return;
341 }
342 MEMCPY_BCOPY(context->state, sha256_initial_hash_value, SHA256_DIGEST_LENGTH);
343 MEMSET_BZERO(context->buffer, SHA256_BLOCK_LENGTH);
344 context->bitcount = 0;
345}
346
347#ifdef SHA2_UNROLL_TRANSFORM
348
349/* Unrolled SHA-256 round macros: */
350
351#if BYTE_ORDER == LITTLE_ENDIAN
352
353#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
354 REVERSE32(*data++, W256[j]); \
355 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
356 K256[j] + W256[j]; \
357 (d) += T1; \
358 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
359 j++
360
361
362#else /* BYTE_ORDER == LITTLE_ENDIAN */
363
364#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
365 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
366 K256[j] + (W256[j] = *data++); \
367 (d) += T1; \
368 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
369 j++
370
371#endif /* BYTE_ORDER == LITTLE_ENDIAN */
372
373#define ROUND256(a,b,c,d,e,f,g,h) \
374 s0 = W256[(j+1)&0x0f]; \
375 s0 = sigma0_256(s0); \
376 s1 = W256[(j+14)&0x0f]; \
377 s1 = sigma1_256(s1); \
378 T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
379 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
380 (d) += T1; \
381 (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
382 j++
383
ef25649c 384static void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
84a0890e
MV		 385 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
386 sha2_word32 T1, *W256;
387 int j;
388
389 W256 = (sha2_word32*)context->buffer;
390
391 /* Initialize registers with the prev. intermediate value */
392 a = context->state[0];
393 b = context->state[1];
394 c = context->state[2];
395 d = context->state[3];
396 e = context->state[4];
397 f = context->state[5];
398 g = context->state[6];
399 h = context->state[7];
400
401 j = 0;
402 do {
403 /* Rounds 0 to 15 (unrolled): */
404 ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
405 ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
406 ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
407 ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
408 ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
409 ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
410 ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
411 ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
412 } while (j < 16);
413
414 /* Now for the remaining rounds to 64: */
415 do {
416 ROUND256(a,b,c,d,e,f,g,h);
417 ROUND256(h,a,b,c,d,e,f,g);
418 ROUND256(g,h,a,b,c,d,e,f);
419 ROUND256(f,g,h,a,b,c,d,e);
420 ROUND256(e,f,g,h,a,b,c,d);
421 ROUND256(d,e,f,g,h,a,b,c);
422 ROUND256(c,d,e,f,g,h,a,b);
423 ROUND256(b,c,d,e,f,g,h,a);
424 } while (j < 64);
425
426 /* Compute the current intermediate hash value */
427 context->state[0] += a;
428 context->state[1] += b;
429 context->state[2] += c;
430 context->state[3] += d;
431 context->state[4] += e;
432 context->state[5] += f;
433 context->state[6] += g;
434 context->state[7] += h;
435
436 /* Clean up */
437 a = b = c = d = e = f = g = h = T1 = 0;
438}
439
440#else /* SHA2_UNROLL_TRANSFORM */
441
ef25649c 442static void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
84a0890e
MV		 443 sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
444 sha2_word32 T1, T2, *W256;
445 int j;
446
447 W256 = (sha2_word32*)context->buffer;
448
449 /* Initialize registers with the prev. intermediate value */
450 a = context->state[0];
451 b = context->state[1];
452 c = context->state[2];
453 d = context->state[3];
454 e = context->state[4];
455 f = context->state[5];
456 g = context->state[6];
457 h = context->state[7];
458
459 j = 0;
460 do {
461#if BYTE_ORDER == LITTLE_ENDIAN
462 /* Copy data while converting to host byte order */
463 REVERSE32(*data++,W256[j]);
464 /* Apply the SHA-256 compression function to update a..h */
465 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
466#else /* BYTE_ORDER == LITTLE_ENDIAN */
467 /* Apply the SHA-256 compression function to update a..h with copy */
468 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
469#endif /* BYTE_ORDER == LITTLE_ENDIAN */
470 T2 = Sigma0_256(a) + Maj(a, b, c);
471 h = g;
472 g = f;
473 f = e;
474 e = d + T1;
475 d = c;
476 c = b;
477 b = a;
478 a = T1 + T2;
479
480 j++;
481 } while (j < 16);
482
483 do {
484 /* Part of the message block expansion: */
485 s0 = W256[(j+1)&0x0f];
486 s0 = sigma0_256(s0);
487 s1 = W256[(j+14)&0x0f];
488 s1 = sigma1_256(s1);
489
490 /* Apply the SHA-256 compression function to update a..h */
491 T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
492 (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
493 T2 = Sigma0_256(a) + Maj(a, b, c);
494 h = g;
495 g = f;
496 f = e;
497 e = d + T1;
498 d = c;
499 c = b;
500 b = a;
501 a = T1 + T2;
502
503 j++;
504 } while (j < 64);
505
506 /* Compute the current intermediate hash value */
507 context->state[0] += a;
508 context->state[1] += b;
509 context->state[2] += c;
510 context->state[3] += d;
511 context->state[4] += e;
512 context->state[5] += f;
513 context->state[6] += g;
514 context->state[7] += h;
515
516 /* Clean up */
517 a = b = c = d = e = f = g = h = T1 = T2 = 0;
518}
519
520#endif /* SHA2_UNROLL_TRANSFORM */
521
522void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
523 unsigned int freespace, usedspace;
524
525 if (len == 0) {
526 /* Calling with no data is valid - we do nothing */
527 return;
528 }
529
530 /* Sanity check: */
531 assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
532
533 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
534 if (usedspace > 0) {
535 /* Calculate how much free space is available in the buffer */
536 freespace = SHA256_BLOCK_LENGTH - usedspace;
537
538 if (len >= freespace) {
539 /* Fill the buffer completely and process it */
540 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
541 context->bitcount += freespace << 3;
542 len -= freespace;
543 data += freespace;
544 SHA256_Transform(context, (sha2_word32*)context->buffer);
545 } else {
546 /* The buffer is not yet full */
547 MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
548 context->bitcount += len << 3;
549 /* Clean up: */
550 usedspace = freespace = 0;
551 return;
552 }
553 }
554 while (len >= SHA256_BLOCK_LENGTH) {
555 /* Process as many complete blocks as we can */
5149632e
DK		 556 sha2_byte buffer[SHA256_BLOCK_LENGTH];
557 MEMCPY_BCOPY(buffer, data, SHA256_BLOCK_LENGTH);
558 SHA256_Transform(context, (sha2_word32*)buffer);
84a0890e
MV		 559 context->bitcount += SHA256_BLOCK_LENGTH << 3;
560 len -= SHA256_BLOCK_LENGTH;
561 data += SHA256_BLOCK_LENGTH;
562 }
563 if (len > 0) {
564 /* There's left-overs, so save 'em */
565 MEMCPY_BCOPY(context->buffer, data, len);
566 context->bitcount += len << 3;
567 }
568 /* Clean up: */
569 usedspace = freespace = 0;
570}
571
572void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
573 sha2_word32 *d = (sha2_word32*)digest;
574 unsigned int usedspace;
575
576 /* Sanity check: */
577 assert(context != (SHA256_CTX*)0);
578
579 /* If no digest buffer is passed, we don't bother doing this: */
580 if (digest != (sha2_byte*)0) {
581 usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
582#if BYTE_ORDER == LITTLE_ENDIAN
583 /* Convert FROM host byte order */
584 REVERSE64(context->bitcount,context->bitcount);
585#endif
586 if (usedspace > 0) {
587 /* Begin padding with a 1 bit: */
588 context->buffer[usedspace++] = 0x80;
589
590 if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
591 /* Set-up for the last transform: */
592 MEMSET_BZERO(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
593 } else {
594 if (usedspace < SHA256_BLOCK_LENGTH) {
595 MEMSET_BZERO(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
596 }
597 /* Do second-to-last transform: */
598 SHA256_Transform(context, (sha2_word32*)context->buffer);
599
600 /* And set-up for the last transform: */
601 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
602 }
603 } else {
604 /* Set-up for the last transform: */
605 MEMSET_BZERO(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
606
607 /* Begin padding with a 1 bit: */
608 *context->buffer = 0x80;
609 }
610 /* Set the bit count: */
1f8fe502
DK		 611 union {
612 sha2_byte* c;
613 sha2_word64* l;
614 } bitcount;
615 bitcount.c = &context->buffer[SHA256_SHORT_BLOCK_LENGTH];
616 *(bitcount.l) = context->bitcount;
84a0890e
MV		 617
618 /* Final transform: */
619 SHA256_Transform(context, (sha2_word32*)context->buffer);
620
621#if BYTE_ORDER == LITTLE_ENDIAN
622 {
623 /* Convert TO host byte order */
624 int j;
625 for (j = 0; j < 8; j++) {
626 REVERSE32(context->state[j],context->state[j]);
627 *d++ = context->state[j];
628 }
629 }
630#else
631 MEMCPY_BCOPY(d, context->state, SHA256_DIGEST_LENGTH);
632#endif
633 }
634
635 /* Clean up state data: */
f58a9890 636 MEMSET_BZERO(context, sizeof(*context));
84a0890e
MV		 637 usedspace = 0;
638}
639
640char *SHA256_End(SHA256_CTX* context, char buffer[]) {
641 sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
642 int i;
643
644 /* Sanity check: */
645 assert(context != (SHA256_CTX*)0);
646
647 if (buffer != (char*)0) {
648 SHA256_Final(digest, context);
649
650 for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
651 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
652 *buffer++ = sha2_hex_digits[*d & 0x0f];
653 d++;
654 }
655 *buffer = (char)0;
656 } else {
f58a9890 657 MEMSET_BZERO(context, sizeof(*context));
84a0890e
MV		 658 }
659 MEMSET_BZERO(digest, SHA256_DIGEST_LENGTH);
660 return buffer;
661}
662
663char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
664 SHA256_CTX context;
665
666 SHA256_Init(&context);
667 SHA256_Update(&context, data, len);
668 return SHA256_End(&context, digest);
669}
670
671
672/*** SHA-512: *********************************************************/
673void SHA512_Init(SHA512_CTX* context) {
674 if (context == (SHA512_CTX*)0) {
675 return;
676 }
677 MEMCPY_BCOPY(context->state, sha512_initial_hash_value, SHA512_DIGEST_LENGTH);
678 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH);
679 context->bitcount[0] = context->bitcount[1] = 0;
680}
681
682#ifdef SHA2_UNROLL_TRANSFORM
683
684/* Unrolled SHA-512 round macros: */
685#if BYTE_ORDER == LITTLE_ENDIAN
686
687#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
688 REVERSE64(*data++, W512[j]); \
689 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
690 K512[j] + W512[j]; \
691 (d) += T1, \
692 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
693 j++
694
695
696#else /* BYTE_ORDER == LITTLE_ENDIAN */
697
698#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
699 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
700 K512[j] + (W512[j] = *data++); \
701 (d) += T1; \
702 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
703 j++
704
705#endif /* BYTE_ORDER == LITTLE_ENDIAN */
706
707#define ROUND512(a,b,c,d,e,f,g,h) \
708 s0 = W512[(j+1)&0x0f]; \
709 s0 = sigma0_512(s0); \
710 s1 = W512[(j+14)&0x0f]; \
711 s1 = sigma1_512(s1); \
712 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
713 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
714 (d) += T1; \
715 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
716 j++
717
ef25649c 718static void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
84a0890e
MV		 719 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
720 sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
721 int j;
722
723 /* Initialize registers with the prev. intermediate value */
724 a = context->state[0];
725 b = context->state[1];
726 c = context->state[2];
727 d = context->state[3];
728 e = context->state[4];
729 f = context->state[5];
730 g = context->state[6];
731 h = context->state[7];
732
733 j = 0;
734 do {
735 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
736 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
737 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
738 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
739 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
740 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
741 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
742 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
743 } while (j < 16);
744
745 /* Now for the remaining rounds up to 79: */
746 do {
747 ROUND512(a,b,c,d,e,f,g,h);
748 ROUND512(h,a,b,c,d,e,f,g);
749 ROUND512(g,h,a,b,c,d,e,f);
750 ROUND512(f,g,h,a,b,c,d,e);
751 ROUND512(e,f,g,h,a,b,c,d);
752 ROUND512(d,e,f,g,h,a,b,c);
753 ROUND512(c,d,e,f,g,h,a,b);
754 ROUND512(b,c,d,e,f,g,h,a);
755 } while (j < 80);
756
757 /* Compute the current intermediate hash value */
758 context->state[0] += a;
759 context->state[1] += b;
760 context->state[2] += c;
761 context->state[3] += d;
762 context->state[4] += e;
763 context->state[5] += f;
764 context->state[6] += g;
765 context->state[7] += h;
766
767 /* Clean up */
768 a = b = c = d = e = f = g = h = T1 = 0;
769}
770
771#else /* SHA2_UNROLL_TRANSFORM */
772
ef25649c 773static void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
84a0890e
MV		 774 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
775 sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
776 int j;
777
778 /* Initialize registers with the prev. intermediate value */
779 a = context->state[0];
780 b = context->state[1];
781 c = context->state[2];
782 d = context->state[3];
783 e = context->state[4];
784 f = context->state[5];
785 g = context->state[6];
786 h = context->state[7];
787
788 j = 0;
789 do {
790#if BYTE_ORDER == LITTLE_ENDIAN
791 /* Convert TO host byte order */
792 REVERSE64(*data++, W512[j]);
793 /* Apply the SHA-512 compression function to update a..h */
794 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
795#else /* BYTE_ORDER == LITTLE_ENDIAN */
796 /* Apply the SHA-512 compression function to update a..h with copy */
797 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
798#endif /* BYTE_ORDER == LITTLE_ENDIAN */
799 T2 = Sigma0_512(a) + Maj(a, b, c);
800 h = g;
801 g = f;
802 f = e;
803 e = d + T1;
804 d = c;
805 c = b;
806 b = a;
807 a = T1 + T2;
808
809 j++;
810 } while (j < 16);
811
812 do {
813 /* Part of the message block expansion: */
814 s0 = W512[(j+1)&0x0f];
815 s0 = sigma0_512(s0);
816 s1 = W512[(j+14)&0x0f];
817 s1 = sigma1_512(s1);
818
819 /* Apply the SHA-512 compression function to update a..h */
820 T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
821 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
822 T2 = Sigma0_512(a) + Maj(a, b, c);
823 h = g;
824 g = f;
825 f = e;
826 e = d + T1;
827 d = c;
828 c = b;
829 b = a;
830 a = T1 + T2;
831
832 j++;
833 } while (j < 80);
834
835 /* Compute the current intermediate hash value */
836 context->state[0] += a;
837 context->state[1] += b;
838 context->state[2] += c;
839 context->state[3] += d;
840 context->state[4] += e;
841 context->state[5] += f;
842 context->state[6] += g;
843 context->state[7] += h;
844
845 /* Clean up */
846 a = b = c = d = e = f = g = h = T1 = T2 = 0;
847}
848
849#endif /* SHA2_UNROLL_TRANSFORM */
850
851void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
852 unsigned int freespace, usedspace;
853
854 if (len == 0) {
855 /* Calling with no data is valid - we do nothing */
856 return;
857 }
858
859 /* Sanity check: */
860 assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);
861
862 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
863 if (usedspace > 0) {
864 /* Calculate how much free space is available in the buffer */
865 freespace = SHA512_BLOCK_LENGTH - usedspace;
866
867 if (len >= freespace) {
868 /* Fill the buffer completely and process it */
869 MEMCPY_BCOPY(&context->buffer[usedspace], data, freespace);
870 ADDINC128(context->bitcount, freespace << 3);
871 len -= freespace;
872 data += freespace;
873 SHA512_Transform(context, (sha2_word64*)context->buffer);
874 } else {
875 /* The buffer is not yet full */
876 MEMCPY_BCOPY(&context->buffer[usedspace], data, len);
877 ADDINC128(context->bitcount, len << 3);
878 /* Clean up: */
879 usedspace = freespace = 0;
880 return;
881 }
882 }
883 while (len >= SHA512_BLOCK_LENGTH) {
884 /* Process as many complete blocks as we can */
5149632e
DK		 885 sha2_byte buffer[SHA512_BLOCK_LENGTH];
886 MEMCPY_BCOPY(buffer, data, SHA512_BLOCK_LENGTH);
887 SHA512_Transform(context, (sha2_word64*)buffer);
84a0890e
MV		 888 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
889 len -= SHA512_BLOCK_LENGTH;
890 data += SHA512_BLOCK_LENGTH;
891 }
892 if (len > 0) {
893 /* There's left-overs, so save 'em */
894 MEMCPY_BCOPY(context->buffer, data, len);
895 ADDINC128(context->bitcount, len << 3);
896 }
897 /* Clean up: */
898 usedspace = freespace = 0;
899}
900
ef25649c 901static void SHA512_Last(SHA512_CTX* context) {
84a0890e
MV		 902 unsigned int usedspace;
903
904 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
905#if BYTE_ORDER == LITTLE_ENDIAN
906 /* Convert FROM host byte order */
907 REVERSE64(context->bitcount[0],context->bitcount[0]);
908 REVERSE64(context->bitcount[1],context->bitcount[1]);
909#endif
910 if (usedspace > 0) {
911 /* Begin padding with a 1 bit: */
912 context->buffer[usedspace++] = 0x80;
913
914 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
915 /* Set-up for the last transform: */
916 MEMSET_BZERO(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
917 } else {
918 if (usedspace < SHA512_BLOCK_LENGTH) {
919 MEMSET_BZERO(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
920 }
921 /* Do second-to-last transform: */
922 SHA512_Transform(context, (sha2_word64*)context->buffer);
923
924 /* And set-up for the last transform: */
925 MEMSET_BZERO(context->buffer, SHA512_BLOCK_LENGTH - 2);
926 }
927 } else {
928 /* Prepare for final transform: */
929 MEMSET_BZERO(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
930
931 /* Begin padding with a 1 bit: */
932 *context->buffer = 0x80;
933 }
934 /* Store the length of input data (in bits): */
1f8fe502
DK		 935 union {
936 sha2_byte* c;
937 sha2_word64* l;
938 } bitcount;
939 bitcount.c = &context->buffer[SHA512_SHORT_BLOCK_LENGTH];
940 bitcount.l[0] = context->bitcount[1];
941 bitcount.l[1] = context->bitcount[0];
84a0890e
MV		 942
943 /* Final transform: */
944 SHA512_Transform(context, (sha2_word64*)context->buffer);
945}
946
947void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
948 sha2_word64 *d = (sha2_word64*)digest;
949
950 /* Sanity check: */
951 assert(context != (SHA512_CTX*)0);
952
953 /* If no digest buffer is passed, we don't bother doing this: */
954 if (digest != (sha2_byte*)0) {
955 SHA512_Last(context);
956
957 /* Save the hash data for output: */
958#if BYTE_ORDER == LITTLE_ENDIAN
959 {
960 /* Convert TO host byte order */
961 int j;
962 for (j = 0; j < 8; j++) {
963 REVERSE64(context->state[j],context->state[j]);
964 *d++ = context->state[j];
965 }
966 }
967#else
968 MEMCPY_BCOPY(d, context->state, SHA512_DIGEST_LENGTH);
969#endif
970 }
971
972 /* Zero out state data */
f58a9890 973 MEMSET_BZERO(context, sizeof(*context));
84a0890e
MV		 974}
975
976char *SHA512_End(SHA512_CTX* context, char buffer[]) {
977 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
978 int i;
979
980 /* Sanity check: */
981 assert(context != (SHA512_CTX*)0);
982
983 if (buffer != (char*)0) {
984 SHA512_Final(digest, context);
985
986 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
987 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
988 *buffer++ = sha2_hex_digits[*d & 0x0f];
989 d++;
990 }
991 *buffer = (char)0;
992 } else {
f58a9890 993 MEMSET_BZERO(context, sizeof(*context));
84a0890e
MV		 994 }
995 MEMSET_BZERO(digest, SHA512_DIGEST_LENGTH);
996 return buffer;
997}
998
999char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
1000 SHA512_CTX context;
1001
1002 SHA512_Init(&context);
1003 SHA512_Update(&context, data, len);
1004 return SHA512_End(&context, digest);
1005}
1006
1007
1008/*** SHA-384: *********************************************************/
1009void SHA384_Init(SHA384_CTX* context) {
1010 if (context == (SHA384_CTX*)0) {
1011 return;
1012 }
1013 MEMCPY_BCOPY(context->state, sha384_initial_hash_value, SHA512_DIGEST_LENGTH);
1014 MEMSET_BZERO(context->buffer, SHA384_BLOCK_LENGTH);
1015 context->bitcount[0] = context->bitcount[1] = 0;
1016}
1017
1018void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
1019 SHA512_Update((SHA512_CTX*)context, data, len);
1020}
1021
1022void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
1023 sha2_word64 *d = (sha2_word64*)digest;
1024
1025 /* Sanity check: */
1026 assert(context != (SHA384_CTX*)0);
1027
1028 /* If no digest buffer is passed, we don't bother doing this: */
1029 if (digest != (sha2_byte*)0) {
1030 SHA512_Last((SHA512_CTX*)context);
1031
1032 /* Save the hash data for output: */
1033#if BYTE_ORDER == LITTLE_ENDIAN
1034 {
1035 /* Convert TO host byte order */
1036 int j;
1037 for (j = 0; j < 6; j++) {
1038 REVERSE64(context->state[j],context->state[j]);
1039 *d++ = context->state[j];
1040 }
1041 }
1042#else
1043 MEMCPY_BCOPY(d, context->state, SHA384_DIGEST_LENGTH);
1044#endif
1045 }
1046
1047 /* Zero out state data */
f58a9890 1048 MEMSET_BZERO(context, sizeof(*context));
84a0890e
MV		 1049}
1050
1051char *SHA384_End(SHA384_CTX* context, char buffer[]) {
1052 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
1053 int i;
1054
1055 /* Sanity check: */
1056 assert(context != (SHA384_CTX*)0);
1057
1058 if (buffer != (char*)0) {
1059 SHA384_Final(digest, context);
1060
1061 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
1062 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
1063 *buffer++ = sha2_hex_digits[*d & 0x0f];
1064 d++;
1065 }
1066 *buffer = (char)0;
1067 } else {
f58a9890 1068 MEMSET_BZERO(context, sizeof(*context));
84a0890e
MV		 1069 }
1070 MEMSET_BZERO(digest, SHA384_DIGEST_LENGTH);
1071 return buffer;
1072}
1073
1074char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
1075 SHA384_CTX context;
1076
1077 SHA384_Init(&context);
1078 SHA384_Update(&context, data, len);
1079 return SHA384_End(&context, digest);
1080}
1081
ntk's bugfix for apt