6 * Written by Aaron D. Gifford <me@aarongifford.com>
8 * Copyright 2000 Aaron D. Gifford. All rights reserved.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the copyright holder nor the names of contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #include <sys/cdefs.h>
36 #include <sys/endian.h>
37 #include <sys/types.h>
45 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
48 * Macro for incrementally adding the unsigned 64-bit integer n to the
49 * unsigned 128-bit integer (represented using a two-element array of
52 #define ADDINC128(w,n) { \
53 (w)[0] += (sha2_word64)(n); \
59 /*** ENDIAN REVERSAL MACROS *******************************************/
60 #if BYTE_ORDER == LITTLE_ENDIAN
61 #define REVERSE32(w,x) { \
62 sha2_word32 tmp = (w); \
63 tmp = (tmp >> 16) | (tmp << 16); \
64 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
66 #define REVERSE64(w,x) { \
67 sha2_word64 tmp = (w); \
68 tmp = (tmp >> 32) | (tmp << 32); \
69 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
70 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
71 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
72 ((tmp & 0x0000ffff0000ffffULL) << 16); \
74 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
76 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
77 #define R(b,x) ((x) >> (b))
78 /* 32-bit Rotate-right (used in SHA-256): */
79 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
80 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
81 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
83 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
84 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
85 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
87 /* Four of six logical functions used in SHA-384 and SHA-512: */
88 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
89 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
90 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
91 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
93 typedef u_int8_t sha2_byte; /* Exactly 1 byte */
94 typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
95 typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
97 /* Initial hash value H for SHA-384 */
98 static const sha2_word64 sha384_initial_hash_value[8] = {
99 0xcbbb9d5dc1059ed8ULL,
100 0x629a292a367cd507ULL,
101 0x9159015a3070dd17ULL,
102 0x152fecd8f70e5939ULL,
103 0x67332667ffc00b31ULL,
104 0x8eb44a8768581511ULL,
105 0xdb0c2e0d64f98fa7ULL,
106 0x47b5481dbefa4fa4ULL
109 /* Initial hash value H for SHA-512 */
110 static const sha2_word64 sha512_initial_hash_value[8] = {
111 0x6a09e667f3bcc908ULL,
112 0xbb67ae8584caa73bULL,
113 0x3c6ef372fe94f82bULL,
114 0xa54ff53a5f1d36f1ULL,
115 0x510e527fade682d1ULL,
116 0x9b05688c2b3e6c1fULL,
117 0x1f83d9abfb41bd6bULL,
118 0x5be0cd19137e2179ULL
123 * Constant used by SHA256/384/512_End() functions for converting the
124 * digest to a readable hexadecimal character string:
126 static const char *sha2_hex_digits = "0123456789abcdef";
129 /* Hash constant words K for SHA-384 and SHA-512: */
130 static const sha2_word64 K512[80] = {
131 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
132 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
133 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
134 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
135 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
136 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
137 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
138 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
139 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
140 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
141 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
142 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
143 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
144 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
145 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
146 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
147 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
148 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
149 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
150 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
151 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
152 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
153 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
154 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
155 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
156 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
157 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
158 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
159 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
160 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
161 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
162 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
163 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
164 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
165 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
166 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
167 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
168 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
169 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
170 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
172 /*** SHA-512: *********************************************************/
173 void SHA512_Init(SHA512_CTX* context) {
174 if (context == NULL) {
177 bcopy(sha512_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
178 bzero(context->buffer, SHA512_BLOCK_LENGTH);
179 context->bitcount[0] = context->bitcount[1] = 0;
182 /* Unrolled SHA-512 round macros: */
183 #if BYTE_ORDER == LITTLE_ENDIAN
185 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
186 REVERSE64(*data++, W512[j]); \
187 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
190 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
194 #else /* BYTE_ORDER == LITTLE_ENDIAN */
196 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
197 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
198 K512[j] + (W512[j] = *data++); \
200 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
203 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
205 #define ROUND512(a,b,c,d,e,f,g,h) \
206 s0 = W512[(j+1)&0x0f]; \
207 s0 = sigma0_512(s0); \
208 s1 = W512[(j+14)&0x0f]; \
209 s1 = sigma1_512(s1); \
210 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
211 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
213 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
217 SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
218 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
219 sha2_word64 T1 = 0, /*T2 = 0, */*W512 = (sha2_word64*)context->buffer;
222 /* Initialize registers with the prev. intermediate value */
223 a = context->state[0];
224 b = context->state[1];
225 c = context->state[2];
226 d = context->state[3];
227 e = context->state[4];
228 f = context->state[5];
229 g = context->state[6];
230 h = context->state[7];
234 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
235 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
236 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
237 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
238 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
239 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
240 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
241 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
244 /* Now for the remaining rounds up to 79: */
246 ROUND512(a,b,c,d,e,f,g,h);
247 ROUND512(h,a,b,c,d,e,f,g);
248 ROUND512(g,h,a,b,c,d,e,f);
249 ROUND512(f,g,h,a,b,c,d,e);
250 ROUND512(e,f,g,h,a,b,c,d);
251 ROUND512(d,e,f,g,h,a,b,c);
252 ROUND512(c,d,e,f,g,h,a,b);
253 ROUND512(b,c,d,e,f,g,h,a);
256 /* Compute the current intermediate hash value */
257 context->state[0] += a;
258 context->state[1] += b;
259 context->state[2] += c;
260 context->state[3] += d;
261 context->state[4] += e;
262 context->state[5] += f;
263 context->state[6] += g;
264 context->state[7] += h;
267 a = b = c = d = e = f = g = h = T1 = 0;
270 void SHA512_Update(SHA512_CTX* context, const void *data_arg, size_t len) {
271 const sha2_byte *data = (const sha2_byte *)data_arg;
272 unsigned int freespace, usedspace;
275 /* Calling with no data is valid - we do nothing */
280 assert(context != NULL && data != NULL);
282 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
284 /* Calculate how much free space is available in the buffer */
285 freespace = SHA512_BLOCK_LENGTH - usedspace;
287 if (len >= freespace) {
288 /* Fill the buffer completely and process it */
289 bcopy(data, &context->buffer[usedspace], freespace);
290 ADDINC128(context->bitcount, freespace << 3);
293 SHA512_Transform(context, (sha2_word64*)context->buffer);
295 /* The buffer is not yet full */
296 bcopy(data, &context->buffer[usedspace], len);
297 ADDINC128(context->bitcount, len << 3);
299 usedspace = freespace = 0;
303 while (len >= SHA512_BLOCK_LENGTH) {
304 /* Process as many complete blocks as we can */
305 SHA512_Transform(context, (const sha2_word64*)data);
306 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
307 len -= SHA512_BLOCK_LENGTH;
308 data += SHA512_BLOCK_LENGTH;
311 /* There's left-overs, so save 'em */
312 bcopy(data, context->buffer, len);
313 ADDINC128(context->bitcount, len << 3);
316 usedspace = freespace = 0;
320 void SHA512_Last(SHA512_CTX* context) {
321 unsigned int usedspace;
323 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
324 #if BYTE_ORDER == LITTLE_ENDIAN
325 /* Convert FROM host byte order */
326 REVERSE64(context->bitcount[0],context->bitcount[0]);
327 REVERSE64(context->bitcount[1],context->bitcount[1]);
330 /* Begin padding with a 1 bit: */
331 context->buffer[usedspace++] = 0x80;
333 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
334 /* Set-up for the last transform: */
335 bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
337 if (usedspace < SHA512_BLOCK_LENGTH) {
338 bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
340 /* Do second-to-last transform: */
341 SHA512_Transform(context, (sha2_word64*)context->buffer);
343 /* And set-up for the last transform: */
344 bzero(context->buffer, SHA512_BLOCK_LENGTH - 2);
347 /* Prepare for final transform: */
348 bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
350 /* Begin padding with a 1 bit: */
351 *context->buffer = 0x80;
353 /* Store the length of input data (in bits): */
354 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
355 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
357 /* Final transform: */
358 SHA512_Transform(context, (sha2_word64*)context->buffer);
361 void SHA512_Final(unsigned char digest[], SHA512_CTX* context) {
362 sha2_word64 *d = (sha2_word64*)digest;
365 assert(context != NULL);
367 /* If no digest buffer is passed, we don't bother doing this: */
368 if (digest != NULL) {
369 SHA512_Last(context);
371 /* Save the hash data for output: */
372 #if BYTE_ORDER == LITTLE_ENDIAN
374 /* Convert TO host byte order */
376 for (j = 0; j < 8; j++) {
377 REVERSE64(context->state[j],context->state[j]);
378 *d++ = context->state[j];
382 bcopy(context->state, d, SHA512_DIGEST_LENGTH);
386 /* Zero out state data */
387 bzero(context, sizeof(*context));
391 char *SHA512_End(SHA512_CTX* context, char *buffer) {
392 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
396 assert(context != NULL);
398 if (buffer != NULL) {
399 SHA512_Final(digest, context);
401 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
402 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
403 *buffer++ = sha2_hex_digits[*d & 0x0f];
408 bzero(context, sizeof(*context));
410 bzero(digest, SHA512_DIGEST_LENGTH);
414 char* SHA512_Data(const void *data, size_t len, char *digest) {
417 SHA512_Init(&context);
418 SHA512_Update(&context, data, len);
419 return SHA512_End(&context, digest);
424 /*** SHA-384: *********************************************************/
425 void SHA384_Init(SHA384_CTX* context) {
426 if (context == NULL) {
429 bcopy(sha384_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
430 bzero(context->buffer, SHA384_BLOCK_LENGTH);
431 context->bitcount[0] = context->bitcount[1] = 0;
434 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
435 SHA512_Update((SHA512_CTX*)context, data, len);
438 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
439 sha2_word64 *d = (sha2_word64*)digest;
442 assert(context != NULL);
444 /* If no digest buffer is passed, we don't bother doing this: */
445 if (digest != NULL) {
446 SHA512_Last((SHA512_CTX*)context);
448 /* Save the hash data for output: */
449 #if BYTE_ORDER == LITTLE_ENDIAN
451 /* Convert TO host byte order */
453 for (j = 0; j < 6; j++) {
454 REVERSE64(context->state[j],context->state[j]);
455 *d++ = context->state[j];
459 bcopy(context->state, d, SHA384_DIGEST_LENGTH);
463 /* Zero out state data */
464 bzero(context, sizeof(*context));
468 char *SHA384_End(SHA384_CTX* context, char buffer[]) {
469 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
473 assert(context != NULL);
475 if (buffer != NULL) {
476 SHA384_Final(digest, context);
478 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
479 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
480 *buffer++ = sha2_hex_digits[*d & 0x0f];
485 bzero(context, sizeof(*context));
487 bzero(digest, SHA384_DIGEST_LENGTH);
491 char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
494 SHA384_Init(&context);
495 SHA384_Update(&context, data, len);
496 return SHA384_End(&context, digest);
nant's projects / dragonfly.git / blob