6 * Written by Aaron D. Gifford <me@aarongifford.com>
8 * Copyright 2000 Aaron D. Gifford. All rights reserved.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the copyright holder nor the names of contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #include <sys/cdefs.h>
36 #include <sys/endian.h>
37 #include <sys/types.h>
45 #define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
48 * Macro for incrementally adding the unsigned 64-bit integer n to the
49 * unsigned 128-bit integer (represented using a two-element array of
52 #define ADDINC128(w,n) { \
53 (w)[0] += (sha2_word64)(n); \
59 /*** ENDIAN REVERSAL MACROS *******************************************/
60 #if BYTE_ORDER == LITTLE_ENDIAN
61 #define REVERSE32(w,x) { \
62 sha2_word32 tmp = (w); \
63 tmp = (tmp >> 16) | (tmp << 16); \
64 (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
66 #define REVERSE64(w,x) { \
67 sha2_word64 tmp = (w); \
68 tmp = (tmp >> 32) | (tmp << 32); \
69 tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
70 ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
71 (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
72 ((tmp & 0x0000ffff0000ffffULL) << 16); \
74 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
76 /* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
77 #define R(b,x) ((x) >> (b))
78 /* 32-bit Rotate-right (used in SHA-256): */
79 #define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
80 /* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
81 #define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
83 /* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
84 #define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
85 #define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
87 /* Four of six logical functions used in SHA-384 and SHA-512: */
88 #define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
89 #define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
90 #define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
91 #define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
93 typedef u_int8_t sha2_byte; /* Exactly 1 byte */
94 typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
95 typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
97 /* Initial hash value H for SHA-384 */
98 static const sha2_word64 sha384_initial_hash_value[8] = {
99 0xcbbb9d5dc1059ed8ULL,
100 0x629a292a367cd507ULL,
101 0x9159015a3070dd17ULL,
102 0x152fecd8f70e5939ULL,
103 0x67332667ffc00b31ULL,
104 0x8eb44a8768581511ULL,
105 0xdb0c2e0d64f98fa7ULL,
106 0x47b5481dbefa4fa4ULL
109 /* Initial hash value H for SHA-512 */
110 static const sha2_word64 sha512_initial_hash_value[8] = {
111 0x6a09e667f3bcc908ULL,
112 0xbb67ae8584caa73bULL,
113 0x3c6ef372fe94f82bULL,
114 0xa54ff53a5f1d36f1ULL,
115 0x510e527fade682d1ULL,
116 0x9b05688c2b3e6c1fULL,
117 0x1f83d9abfb41bd6bULL,
118 0x5be0cd19137e2179ULL
123 * Constant used by SHA256/384/512_End() functions for converting the
124 * digest to a readable hexadecimal character string:
126 static const char *sha2_hex_digits = "0123456789abcdef";
129 /* Hash constant words K for SHA-384 and SHA-512: */
130 static const sha2_word64 K512[80] = {
131 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
132 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
133 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
134 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
135 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
136 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
137 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
138 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
139 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
140 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
141 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
142 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
143 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
144 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
145 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
146 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
147 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
148 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
149 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
150 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
151 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
152 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
153 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
154 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
155 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
156 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
157 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
158 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
159 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
160 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
161 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
162 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
163 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
164 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
165 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
166 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
167 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
168 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
169 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
170 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
172 /*** SHA-512: *********************************************************/
173 int SHA512_Init(SHA512_CTX* context) {
174 if (context == NULL) {
177 bcopy(sha512_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
178 bzero(context->buffer, SHA512_BLOCK_LENGTH);
179 context->bitcount[0] = context->bitcount[1] = 0;
183 /* Unrolled SHA-512 round macros: */
184 #if BYTE_ORDER == LITTLE_ENDIAN
186 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
187 REVERSE64(*data++, W512[j]); \
188 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
191 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
195 #else /* BYTE_ORDER == LITTLE_ENDIAN */
197 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
198 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
199 K512[j] + (W512[j] = *data++); \
201 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
204 #endif /* BYTE_ORDER == LITTLE_ENDIAN */
206 #define ROUND512(a,b,c,d,e,f,g,h) \
207 s0 = W512[(j+1)&0x0f]; \
208 s0 = sigma0_512(s0); \
209 s1 = W512[(j+14)&0x0f]; \
210 s1 = sigma1_512(s1); \
211 T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
212 (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
214 (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
218 SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
219 sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
220 sha2_word64 T1 = 0, /*T2 = 0, */*W512 = (sha2_word64*)context->buffer;
223 /* Initialize registers with the prev. intermediate value */
224 a = context->state[0];
225 b = context->state[1];
226 c = context->state[2];
227 d = context->state[3];
228 e = context->state[4];
229 f = context->state[5];
230 g = context->state[6];
231 h = context->state[7];
235 ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
236 ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
237 ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
238 ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
239 ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
240 ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
241 ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
242 ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
245 /* Now for the remaining rounds up to 79: */
247 ROUND512(a,b,c,d,e,f,g,h);
248 ROUND512(h,a,b,c,d,e,f,g);
249 ROUND512(g,h,a,b,c,d,e,f);
250 ROUND512(f,g,h,a,b,c,d,e);
251 ROUND512(e,f,g,h,a,b,c,d);
252 ROUND512(d,e,f,g,h,a,b,c);
253 ROUND512(c,d,e,f,g,h,a,b);
254 ROUND512(b,c,d,e,f,g,h,a);
257 /* Compute the current intermediate hash value */
258 context->state[0] += a;
259 context->state[1] += b;
260 context->state[2] += c;
261 context->state[3] += d;
262 context->state[4] += e;
263 context->state[5] += f;
264 context->state[6] += g;
265 context->state[7] += h;
268 a = b = c = d = e = f = g = h = T1 = 0;
271 void SHA512_Update(SHA512_CTX* context, const void *data_arg, size_t len) {
272 const sha2_byte *data = (const sha2_byte *)data_arg;
273 unsigned int freespace, usedspace;
276 /* Calling with no data is valid - we do nothing */
281 assert(context != NULL && data != NULL);
283 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
285 /* Calculate how much free space is available in the buffer */
286 freespace = SHA512_BLOCK_LENGTH - usedspace;
288 if (len >= freespace) {
289 /* Fill the buffer completely and process it */
290 bcopy(data, &context->buffer[usedspace], freespace);
291 ADDINC128(context->bitcount, freespace << 3);
294 SHA512_Transform(context, (sha2_word64*)context->buffer);
296 /* The buffer is not yet full */
297 bcopy(data, &context->buffer[usedspace], len);
298 ADDINC128(context->bitcount, len << 3);
300 usedspace = freespace = 0;
304 while (len >= SHA512_BLOCK_LENGTH) {
305 /* Process as many complete blocks as we can */
306 SHA512_Transform(context, (const sha2_word64*)data);
307 ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
308 len -= SHA512_BLOCK_LENGTH;
309 data += SHA512_BLOCK_LENGTH;
312 /* There's left-overs, so save 'em */
313 bcopy(data, context->buffer, len);
314 ADDINC128(context->bitcount, len << 3);
317 usedspace = freespace = 0;
321 void SHA512_Last(SHA512_CTX* context) {
322 unsigned int usedspace;
324 usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
325 #if BYTE_ORDER == LITTLE_ENDIAN
326 /* Convert FROM host byte order */
327 REVERSE64(context->bitcount[0],context->bitcount[0]);
328 REVERSE64(context->bitcount[1],context->bitcount[1]);
331 /* Begin padding with a 1 bit: */
332 context->buffer[usedspace++] = 0x80;
334 if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
335 /* Set-up for the last transform: */
336 bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
338 if (usedspace < SHA512_BLOCK_LENGTH) {
339 bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
341 /* Do second-to-last transform: */
342 SHA512_Transform(context, (sha2_word64*)context->buffer);
344 /* And set-up for the last transform: */
345 bzero(context->buffer, SHA512_BLOCK_LENGTH - 2);
348 /* Prepare for final transform: */
349 bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
351 /* Begin padding with a 1 bit: */
352 *context->buffer = 0x80;
354 /* Store the length of input data (in bits): */
355 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
356 *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
358 /* Final transform: */
359 SHA512_Transform(context, (sha2_word64*)context->buffer);
362 void SHA512_Final(unsigned char digest[], SHA512_CTX* context) {
363 sha2_word64 *d = (sha2_word64*)digest;
366 assert(context != NULL);
368 /* If no digest buffer is passed, we don't bother doing this: */
369 if (digest != NULL) {
370 SHA512_Last(context);
372 /* Save the hash data for output: */
373 #if BYTE_ORDER == LITTLE_ENDIAN
375 /* Convert TO host byte order */
377 for (j = 0; j < 8; j++) {
378 REVERSE64(context->state[j],context->state[j]);
379 *d++ = context->state[j];
383 bcopy(context->state, d, SHA512_DIGEST_LENGTH);
387 /* Zero out state data */
388 bzero(context, sizeof(*context));
392 char *SHA512_End(SHA512_CTX* context, char *buffer) {
393 sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
397 assert(context != NULL);
399 if (buffer != NULL) {
400 SHA512_Final(digest, context);
402 for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
403 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
404 *buffer++ = sha2_hex_digits[*d & 0x0f];
409 bzero(context, sizeof(*context));
411 bzero(digest, SHA512_DIGEST_LENGTH);
415 char* SHA512_Data(const void *data, size_t len, char *digest) {
418 SHA512_Init(&context);
419 SHA512_Update(&context, data, len);
420 return SHA512_End(&context, digest);
425 /*** SHA-384: *********************************************************/
426 int SHA384_Init(SHA384_CTX* context) {
427 if (context == NULL) {
430 bcopy(sha384_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
431 bzero(context->buffer, SHA384_BLOCK_LENGTH);
432 context->bitcount[0] = context->bitcount[1] = 0;
436 void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
437 SHA512_Update((SHA512_CTX*)context, data, len);
440 void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
441 sha2_word64 *d = (sha2_word64*)digest;
444 assert(context != NULL);
446 /* If no digest buffer is passed, we don't bother doing this: */
447 if (digest != NULL) {
448 SHA512_Last((SHA512_CTX*)context);
450 /* Save the hash data for output: */
451 #if BYTE_ORDER == LITTLE_ENDIAN
453 /* Convert TO host byte order */
455 for (j = 0; j < 6; j++) {
456 REVERSE64(context->state[j],context->state[j]);
457 *d++ = context->state[j];
461 bcopy(context->state, d, SHA384_DIGEST_LENGTH);
465 /* Zero out state data */
466 bzero(context, sizeof(*context));
470 char *SHA384_End(SHA384_CTX* context, char buffer[]) {
471 sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
475 assert(context != NULL);
477 if (buffer != NULL) {
478 SHA384_Final(digest, context);
480 for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
481 *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
482 *buffer++ = sha2_hex_digits[*d & 0x0f];
487 bzero(context, sizeof(*context));
489 bzero(digest, SHA384_DIGEST_LENGTH);
493 char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
496 SHA384_Init(&context);
497 SHA384_Update(&context, data, len);
498 return SHA384_End(&context, digest);
projects / dragonfly.git / blob